This post is inspired by a twitter debate I observed between a pentester and a defender. It's characteristic of several such debates I've seen on this topic.

The debate goes something like this:

• Defender: "Blocking powershell.exe is good"
• Pentester: "Nah. I can get around a PS block. Plus my attacks evade AV, so...".
• Defender: "So? Just because *you* can get around it, doesn't mean it's not still a good idea."
• Pentester: "But it's not a good idea if I can just work around it..."
• Defender: "But even if it blocks one attack, it's still good"
• Pentester: "<analogy>"
• Defender: "<wittyresponse>"
• Pentester: "You need to read more"

And on and on. Here's my take on it. I'm a pentester, but was also a defender for many years at a F500. This response will not please everyone. That's fine, it's just an opinion. =)

They are both right. 

Lemme splain....

Defender's Perspective

Defenders do not view the world of infosec through the eyes of a determined, skilled attacker. They view the world through the quantity and quality of tickets generated by their SIEM (if they have one). It is true that a determined, skilled attacker (read and understand that) can work around a correctly implemented PowerShell block. One such method is to drop an exe to disk call a dlls. While there are tools to aid an attacker, this process is substantially harder to pull off. As a result, this extra effort is more likely to raise more alarms. Is it possible? Yes. Is it just as easy as landing with a call to powershell.exe? No. This has the effect of forcing the attacker to work harder and be yet more determined to compromise the org.

However, the benefit is still fully realizeable simply by taking a look at PowerShell based malware samples from say John Lambert or Security Doggo. If they use PowerShell, they are generally making a call to powershell.exe. If that is blocked, payload doesn't fire, the day is saved. There is merit to this argument because the environment is inherently more protected via by the inability to execute code via powershell.exe. Additionally, the vast majority of users have no use for it, with obvious exceptions for orgs that use it in their loginscript, which you can simply whitelist with applocker.

Bottom line: The environment is more secure without powershell.exe than with it. It is not perfect security, but that's why we have defense in depth. To suggest that it doesn't work in a pentester's edge use case is simply throwing the baby out with the bathwater and is not a good excuse for not considering the blocking of powershell.exe as a defensive control.

Pentester's Perspective

I can work around a block of powershell.exe, therefore there's no reason to block it. This is blunt way to put it, but generally the crux of the argument. It's absolutely true that PowerShell code can be run without powershell.exe and this attack is able to be pulled off in most environments (albeit with more work and plumbing in your attack). Additionally, it is well known that Microsoft is basically pushing all apps to use and/or support PowerShell. Server 2016, Nano, etc. are all heavily managed via PowerShell. That's a great convenience for defenders as well as attackers. Additionally, Microsoft is effectively ditching cmd.exe in favor of powershell.exe in future releases of Windows 10 (yes, I know, cmd.exe will still be available, but the point is undeniable: PowerShell is the future of Windows administration).

Finally, PowerShell v5 (with Windows 10) security enhancements are substantial. From advanced event logging to controls like Device Guard and JEA, along with ConstrainedLanguageMode (available since PSv3), the use of powershell.exe can be configured to make it difficult for attackers to execute their payload, while still allowing use for end users if necessary, plus like I said, we can just work around your block anyways...

Bottom Line: Don't block powershell.exe. It's a waste of time because my attacks are so 1337 that I can run PS without PS. Plus, even if you did block it, you'll have to remove the block eventually for new versions of Windows cuz you'll cripple yourself.

So What Should I Do?

While both arguments have merit, here is what I tell my clients: If you are running a Win7 shop with PSv2 as your default with little to no hope for upgrading in the future, then configure Applocker or SRP to block powershell.exe for non-administrators (Good instructional article on Applocker). I agree with pentesters that this control can be worked around and is not perfect, but you will block attacks, dangerous attacks, by blocking powershell.exe. Generally these attacks will be executed by Bob the sales bro who 'Enables all the Content' in every spreadsheet he opens. Hopefully, Bob is not a system administrator (RIGHT???). If powershell.exe is blocked, you may just save the day.

However, do so with the understanding that this will not work forever and you will have to change tactics before long, especially after you upgrade to a current OS. Also, do so with the understanding that you should still layer this with other controls (e.g. blocking macro-enabled docs from the internet) and not rely on it completely to keep you out of the news.

This is, and always will be, a cat and mouse game. The minute we become stuck in a way of thinking, we are simply fast-tracking our own irrelevance. Shift and move your environment as necessary, not letting the drive for tomorrow's perfect security get in the way of today's good security.

@curi0usJack

TL;DR

This build doesn't require any "black magic" or hours of frustration like desktop components do. If you follow this blog and its parts list, you'll have a working rig in 3 hours. These instructions should remove any anxiety of spending 5 figures and not knowing if you'll bang your head for days.

The Goal

Upgrade our current rig from 6 gtx 970s to 8 gtx 1080. Don't blow a fuse.

Parts list

Hardware

• Chassis & Motherboard - Tyan Ft77C-B7079 (P/N: B7079F77CV10HR-N)
• CPU - 2 Xeon E5-2620V3 LGA2011 (dont purchase one CPU, 2 are required to control all PCIE slots)
• Memory - 2 32g DDR4 PC2400 288pin LRDIMM
• Hard drive - 1tb Samsung SSD 850 EVO
• GPUs - 8 EVGA gtx1080 founders edition (whatever you get, make sure its a founders edition. Sometimes called a reference card/edition)

Software

• Ubuntu - 14.04.3 server (x64)
• hashcat - www.hashcat.net
• hashview - www.hashview.io

Assembly

Nowadays building mid-grade to high-end password crackers is like playing with legos, albeit expensive legos.

We did a time lapse of the build:

Build notes

There are few things we learned during the purchasing and assembly.

1. You don't need to purchase a separate heatsink and fan for your CPUs. The Tyan chassis will come with them.
2. Tyan chassis comes with brackets that screw into the back of you GPUs to secure them in place. These may not be needed if you never move the box, but it doesn't hurt to install them. We did.
3. Rails are included with the Tyan.
4. This chassis doesn't appear to have a onboard hardware raid. I just assumed it would 🙁
5. BIOs didn't require any modifications or flashing. Came fully updated as of January 2017.
6. We disabled the system speaker because it will scream at you if you don't have all three power supplies plugged in.

In the image below you can see the brackets that attach to the rear of the GPU for added support. Probably not needed but if you were to ship this rig I'd install them. This thing is HEAVY!

Software Install

We had no hardware issues but we installed one GPU, booted the system, and once we verified it could POST with no issues, we started installing the OS. Once Ubuntu finished installing, we later reinstalled all GPUs. Since things went so smoothly, next time I'd just fully install all GPUs and fire it up. Nothing to worry about.

Install Ubuntu 14.04.3 Server (x64)

Not going to cover this in detail. But here are few things we considered.

1. Use LVM
2. We chose not to encrypt whole disk or home directory. We generally make an encrypted volume later.
3. Choose 'OpenSSH Server' from software selection screen (one less step post install)

Once OS is installed, verify GPUs are detected by OS:

lspci | grep VGA

Update and install dependencies for drivers and hashcat

sudo apt-get update && apt-get upgrade
sudo apt-get install gcc make p7zip-full git lsb-core

Download and install Nvidia drivers and Intel OpenCL runtime

Download Nvidia drivers. Nvidia 375.26 was current at the time of this build (January 2017).

UPDATE 4/10/2017 - If using 1080 Ti, use driver 378.13

wget http://us.download.nvidia.com/XFree86/Linux-x86_64/375.26/NVIDIA-Linux-x86_64-375.26.run
chmod +x NVIDIA-Linux-x86_64-375.26.run
sudo ./NVIDIA-Linux-x86_64-375.26.run

If you get warning messages about x86 you can ignore them. Here's an example of one:

WARNING: Unable to find a suitable destination to install 32-bit compatibility libraries. Your system may not be set up for 32-bit compatibility. 32-bit compatibility files will not be installed; if you wish
to install them, re-run the installation and set a valid directory with the --compat32-libdir option

Install OpenCL runtime (not required but why not, use those CPUs too)

wget http://registrationcenter-download.intel.com/akdlm/irc_nas/9019/opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz
tar -xvf opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25.tgz
cd opencl_runtime_16.1.1_x64_ubuntu_6.4.0.25
./install.sh

Install hashcat - www.hashcat.net

wget https://hashcat.net/files/hashcat-3.30.7z
7z x hashcat-3.30.7z
cd hashcat-3.30

Test hashcat by running a benchmark...at 341 GH/s!!!!

meatball@kraken3:~/hashcat-3.30$ ./hashcat64.bin -m 1000 -b
hashcat (v3.30) starting in benchmark mode...
OpenCL Platform #1: NVIDIA Corporation
======================================
* Device #1: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #2: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #3: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #4: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #5: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #6: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #7: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
* Device #8: GeForce GTX 1080, 2028/8113 MB allocatable, 20MCU
Hashtype: NTLM
Speed.Dev.#1.....: 42896.1 MH/s (62.48ms)
Speed.Dev.#2.....: 42604.1 MH/s (62.97ms)
Speed.Dev.#3.....: 42799.0 MH/s (62.57ms)
Speed.Dev.#4.....: 42098.9 MH/s (63.68ms)
Speed.Dev.#5.....: 42871.5 MH/s (62.57ms)
Speed.Dev.#6.....: 42825.0 MH/s (62.64ms)
Speed.Dev.#7.....: 42848.9 MH/s (62.54ms)
Speed.Dev.#8.....: 42449.8 MH/s (63.16ms)
Speed.Dev.#*.....:   341.4 GH/s
Started: Mon Feb 13 17:54:12 2017
Stopped: Mon Feb 13 17:54:31 2017

Install hashview - www.hashview.io

Install dependencies

sudo apt-get update
sudo apt-get install mysql-server libmysqlclient-dev redis-server openssl
mysql_secure_installation

Optimize the database

vim /etc/mysql/my.conf

Add the following line under the [mysqld] section:

innodb_flush_log_at_trx_commit  = 0

Restart mysql

service mysql restart

Install RVM - (commands below are from https://rvm.io/rvm/install)

gpg --keyserver hkp://keys.gnupg.net --recv-keys 409B6B1796C275462A1703113804BB82D39DC0E3
\curl -sSL https://get.rvm.io | bash -s stable --ruby

Download and setup Hashview

git clone https://github.com/hashview/hashview
cd hashview

Install gems (from Hashview directory)

rvm install ruby-2.2.2
gem install bundler
bundle install

Setup database connectivity

cp config/database.yml.example config/database.yml
vim config/database.yml

Create database

RACK_ENV=production rake db:setup

In another terminal or screen session, kick off resque

RACK_ENV=production TERM_CHILD=1 QUEUE=* rake resque:work

note: In production mode no output will be displayed until a job has started

Run Hashview

RACK_ENV=production ruby hashview.rb

Crack Hashes

Start a job and start cracking!

Then intensely watch analytics in realtime while sipping on your favorite cocktail

Stay tuned...

We just bought our second 8 GPU rig! In a future post we'll show you how to easily support distributed cracking using Hashview.

@caseycammilleri