Modules
A module, in simplest terms, is a set of PowerShell functionalities grouped together in the form of a single file that will typically have a “.psm1” file extension.
Modules are typically comprised of several components. However, not all components are necessary for the functionality of a module.
The components that can make up a typical module are:
There are also several different types of modules:
Modules are typically “imported” into the current PowerShell session. To obtain a list of all currently imported modules, we can use the “Get-Module” cmdlet. In the example below, we can see all of the currently imported modules for the current PowerShell session.
We can also list all modules available to us for importing with the “-ListAvailable” parameter, which returns a long list of available modules.
As we’ve mentioned, modules that we want to use, will first need to be imported into our current PowerShell session. This, can be done with the “Import-Module” cmdlet, as follows:
Once we import a PowerShell module, all of its various cmdlets and other components become available to us, and we can simply then execute the cmdlets that are part of the module.
As an example, let’s take a quick look at the popular PowerShell exploitation framework “PowerSploit”, and how we would go about importing all of its functionality into our current PowerShell session.
Its usage and installation is straightforward, and we should be able to get it up and running in just a few steps.
First, we download the PowerSploit package to our local machine from the following location: https://github.com/PowerShellMafia/PowerSploit/archive/master.zip
The PowerSploit modules will need to be copied into one of the module paths specified by the “$Env:PSModulePath” PowerShell environment variable. To find these paths, simply type the above into your PowerShell Console:
For our purposes, we’ll use the local users module path, which is in:
We’ll need to then create a “PowerSploit” folder in our chosen Modules directory, where we will copy all of the contents of the PowerSploit archive into.
Many exploitation frameworks, will be detected as “hacking tools” and other signatures by a number of Antivirus solutions. This is somewhat “normal”, it’s Antivirus just doing its job, in this case, at detecting strings within the powershell scripts as being malicious, or flagging on names of modules, etc. Either way, you can create an exclude directory for your AV software for the purpose of this lesson, and download the modules into that directory for now.
Once we’ve downloaded the PowerSploit archive, extracted it and copied all of its contents into our chosen module directory into a folder called “PowerSploit”, we can then launch a PowerShell console.
We can then import all of the PowerSploit modules into our current session with the Import-Module cmdlet, and if we run the “Get-Module” cmdlet, we can see it’s now included in our list of currently imported modules.
To list all of the PowerSploit associated cmdlets (of which there are many), we can use the “Get-Command” cmdlet, and specify the PowerSploit module with the –Module parameter:
Furthermore, there are help files for all of the modules. For help on a specific PowerSploit cmdlet, we simply run the Get-Help cmdlet, for instance, getting help on the “Write-HijackDLL” PowerSploit cmdlet:
We will cover other modules we can use for our offensive purposes in sections that follow.
Last updated