PowerShell for Pentesters
What is Powershell?
Powershell is a powerful built-in CLI or "shell" also task-orientes scripting language
Mostly used by admins
Built on top of .NET
Scripts end with ".ps1"
Version 5.0 onward introduce some hurdles regarding logging and restrictive modes
Powershell 6.0 is available MacOS and Linux also as Docker image
Fundamentals
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
where exe files of powershell stays. for 64-bit it stays under system32 directory. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe for 32-bit it stays in C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
You can learn detail with command below
Execution Policy
EncodedCommand: Used to executed base64 command
Like Man pages you can reach Get-Help section of all commands
Get-Help Get-Help
Get-Help Get-Process -Full
Gives full result regarding that commandGet-Help Get-Process -Examples
you can learn examples of that commands You can updata man pages with Update-Help command
You can learn commands by tunning the command so you don't need to memorize alll.
Get-Commands -Name *Log*
Cmdlets
You can change formats of command results
For ex.
Get-Childitem | Format-List *
After learning all these commands you can pipe them to get objects
For ex.
Get-Childitem | Sort-Object -Unique | Select-Object Basename
Redirection works as same like in other OS {<,>}
You can use different format also
Get-Process notepad | Format-List Path
or even
Get-Process notepad | Format-List Path,Id,ProcessName
Get-WmiObject -class win32_operatingsystem | Select -Property *
We can use
fl
as alias toFormat-List
If you want to you create csv file you can use Export-Csv
Get-WmiObject -Class win32_service | Select-Object Name, ProcessID | export-csv C:\Users\public\Documents\try.csv
In order to see Registry hives
cd HKLM:\
Select-String is important command
Select-String -Path C:\Users\public\Documents\*.txt -Pattern yoursearch*
Get-Content
cat = Get-Content
To learn servises which are running and available
Get-Service
Get-Service | Select-Object Name
Get-Service "n*" | Sort-Object status -Descending
Modules
Modules can contain powershell scripts and code files. And they are in directories.
Modules are importet powershell session.
To obtain list currently imported modules
Get-Module
Get-Module -ListAvailable
we can learn all modules that we can import.In order to import module
Import-Module .\new_module.psm1
$Env:PSModulePath
should include the module that we need to importYou need to create a directory inside one of these paths and upload all files in that directory.
After uploading these files in that directory run basically
Import-Module ModuleName
and confirm itGet-Module
Then you can learn module commands by running
Get-Command -Module AADInternals
To Learn one command
Get-Help Add-AADIntEASDevice
Scripts
Intro for Scripts
PowerShell Scripts end with .\ps1
1 refer not to a version but PowerShell engine itself
In order to run script just
.\script.ps1
That script takes an argument and later write content of it. or you can put a variable inside that parameter like $file= try.txt
Get-Content $file
Loop Statements
for()
foreach()
while()
do {something}while()
do {something}until)()
Learn details with
Examples
Foreach()
Where-Object
it gives you ability to find values
Get-ChildItem C:\Users\ | Where-Object {$_.Name -match "public"}
Objects
We can learn objects
Get-Process | Get-Member -MemberType Method
Get-Process -Name "chrome" | Kill
Also with
New-Object
creating .Net Framework object or COM object is possibleCreating new object based on .NET class
Here webclient is a class from .NET class and that class Download file method works with two variable.
Offensive PowerShell
Downloading and Executing
There are two ways of downloading and executing files in PowerShell, .Net classes and Com objects
one which is downloaded to disk
second is run in within PowerShell process memory without touching the disk
Net.WebClient DownloadString Method
Word.AppIication COM Object
Net.WebClient DownloadData Method
nternetExplorer.Application COM Object
Net.WebCIient OpenRead method
MsXmI2.Servee
.NET [Net.HttpWebRequest] class - Certutil.exe w/ -ping argument
Excel.Application COM Object
Disk-Based Execution Net.Webclient DownloadFile method BITSAdmin.exe Certutil.exe w/ -urlcache argument
Some Methods
Net.WebClient DownloadString Method
Same command from shell
or you can part it
Here we downloading and running it inside powershell memory so not putting it any disk. Even file extension will be different from ps1 like gif for ex, powershell will run it ps1 file.
It is possible to create headers in Net.WebClient
Net.WebClient DownloadFile Method
This method will download your executable to disk. If you are trying to be stealthy not recommended.
Net.WebRequest
For downloading and executing in memory we can use it.
System.Xml.XmlDocument
you can run commands by serving xml in attacker computer.
Com O?bject Download scripts
We can use as one liner these codes with semicolon ;
ExecutionPolicy Bypass and Hidden Window
This will hide our scripts from enduser.
Here is a download cradle link
Obfuscation
You can directly download the master from here.
After putting that file into modules directory, find module path with that command $env:PSModulePath
Then run that command Import-Module Invoke-Obfuscation
. If you get some error please be sure all files are extracted. Real time protection in windows can be blocked all files to be extracted.
Here there are some commands that you can use.
First SET SCRIPTBLOCK
After saying the invoke-obfuscate the things that we want to obusficate we need to select STRING
method, 3 will make it reverse.
Here we can take the result section and run that in powershell. It will execute it.
There is also other sections in the tool.
By using encoding section ENCODING/7
We are taking really long obfuscated command. We should take the result and run in the machine it self. In CMD you should use powershell -Command "<RESULT>"
There is also LAUNCHER
module too.
Here you can use based on which launcher you can choose yours.
Information Gathering and Recon
PowerSploit is one of tools that we can use on that purpose.
After downloading it inside module directory, you can run portscan command.
Get-HttpStatus
we can learn about sub directories of webserver
Post-Exploitation with PowerShell
Nishang
We should upload that module to our attacker system.
There are some modules in that tool.
Gather
That Module will attempt to copy SAM database using VSS service, NTDS.dit and system registry files will be tried to copied by tool.
Also inside Gather module there is lots of command that you cant use.
Or you can directly try to download from github repository.
or you can run Mimikatz on that machine
In windows machines sometimes it can be problem to create reverse shells, but in that tool it is possible to create by Invoke-PowershellTcp
PowerSploit
PrivEsc
After downloading the powersploit into machine you can go to PrivEsc directory and
Empire
Empire is a post-exploitation framework.
Basic usage of Empire
After that we should go to stager module
after running commands on victim machine we should have a active agent
We can do privilege escalation control after that.
After pushing entering
Some Commands that you will use during powershell-Metasploit Usage
Last updated