Post-Exploitation With Powershell
Now that weâve covered some remote Information Gathering and Recon methods with PowerSploit and Posh-SecMod, letâs explore some other tools we can utilize for Post-Exploitation, which is where our ability to leverage PowerShell really starts to shine.
First, letâs explore another excellent post-exploitation framework, known as âNishang,â by Nikhil Mittal. Nishang brings together some of the best tools from other frameworks, in addition to Nishang-native tools as well.
IMPORTANT:
As we mentioned previously about Antivirus and the detection of powershell and other exploitation frameworks, Nishang is no exception, and its various modules will likely be detected if imported directly to the target system.
Therefore, itâs important to make sure that most of the tools and scripts we invoke should be invoked via download cradles that support in-memory execution. For most of the examples that follow, weâll be using the Net.WebClient and DownloadString method to execute our scripts in memory. Once weâve hosted the Nishang framework scripts on our attacker system, we can begin.
======================================================================
Letâs explore some of the âGatherâ modules. These modules will help us get information from our target system locally, that we could potentially use to move laterally for instance.
The âCopy-VSSâ module will attempt to copy the SAM database using the VSS service, and if run on a domain controller, will try and copy the NTDS.dit and contents of the SYSTEM registry hive. We can try it with the following command:
The âGet-Informationâ cmdlet will get us a good deal of system information including:
We can download and execute it in memory with our Net.Webclient DownloadString download cradle:
Get-PassHints we can use to dump the saved Password Hints for users on the system:
The Invoke-Mimikatz cmdlet will dump clear-text credentials (or hashes) from memory. Note, that we can also pass command line parameters to any of the modules that have additional options as part of our download cradle commands:
There are plenty of other very useful Nishang âgatherâ modules which will come in handy for our post-exploitation purposes, explore!
As part of its catalog, Nishang includes a great brute force tool âInvoke-BruteForce.â We can use this to brute force Active Directory accounts, SQL Server, Web or FTP servers. The great thing about a brute force tool written in PowerShell is that we can execute the attack from our target host as long as we copy a file containing usernames and passwords to our target.
The âInvoke-PowerShellTcpâ cmdlet within the Nishang framework provides an excellent way to obtain a reverse PowerShell shell from our target host back to a netcat listener.
Keep in mind that if using this method, take into consideration that the traffic is traversing the wire in cleartext between attacker and target.
Although a great and undetected (by Antivirus) method to get a reverse shell from PowerShell, over-the-wire heuristics (SIEM) may pick up some of the back and forth chatter if that type of solution has been implemented within an organization.
To use this, we should first fire up a netcat listener on our attacker machine. Weâll configure it on port 4444 for this example.
Next, we can simply invoke it using a download cradle from the target system, this time, from a windows command prompt on the target.
There are several different shells, both bind, reverse, ICMP, UDP shells, and some more complex âratâ-type shells we can utilize from Nishang. Experiment with the different types:
In addition to the âGatherâ and other modules weâve covered, we can find a script for mostly any phase of our post-exploitation within the Nishang Framework with utilities in the following categories:
Seeing as weâve previously covered several tools within the PowerSploit framework for the purpose of information gathering (the Invoke-PortScan and Get-HttpStatus tools specifically), we should also cover some of the tools it provides in regards to postexploitation as well.
As with other frameworks, there are several categories in PowerSploit we can use for our post-exploitation purposes:
One which we should cover here, and offers a good starting point in the identification of misconfigurations which could lead to privilege escalation, is the âPowerUpâ module within the âPrivescâ category.
We can first import the Privesc.psm1 module from within the Privesc modules directory and have a look at some of the options we have:
We can see the PowerUp module has plenty of options for us to explore. Of course, we can run any one of those functions or scripts independently, but this module includes an âInvoke-AllChecksâ function.
Invoke-AllChecks will run all functions related to the Privesc module looking for misconfigurations, permissions issues with services, opportunities for DLL hijacking a number of other useful checks.
The output will also indicate an âAbuseFuntionâ we can use to further exploit the target. In the case with the following example, PowerUp identified a potential service binary we can install with the âInstallServiceBinary âName âClickToRunSvcâ command.
PowerUp also gives us the option to save all results to an HTML file with the -HTMLReport flag and will generate an HTML file we can use to investigate any paths to privilege escalation. The file will be saved in the current directory Invoke-AllChecks was run from and will be in âMACHINENAME.USERNAME.htmlâ naming format.
The âCodeInjectionâ category in PowerSploit gives us some options in regards to several methods we can inject our own code into existing processes on the target system, whether it be via DLL injection, injecting our own custom Shellcode into an existing process, or using WMI to execute commands on the target.
The first requirement, of course, is that we generate a DLL for demonstration purposes. This can be done in a number of ways, but most commonly, we can just use Metasploitâs msfvenom to generate one with the following command:
The DLL will need to be downloaded to the target. This can be done in any number of ways weâve covered in this module. We can use the Net.WebClient âDownloadFileâ download cradle method for that.
weâre downloading our cmd.dll file into the âC:\Programdata\â folder on the target.
We should next identify a process on the target system weâd like to inject our DLL into. We can simply run the âpsâ command from the powershell console. In this example, weâll run the âpsâ command with a where-object statement to look for a process that matches ânotepad,â and weâll inject our DLL into that process (reference figure to the right). In this case, weâve identified three processes matching the ânotepadâ string, and weâll choose the one with Pid â7420â for our DLL Injection.
Once weâve downloaded our DLL to the target, and identified the process weâre going to inject into, in this example, weâve chosen the notepad.exe process ID 7420, we can use another download cradle (this time âDownloadStringâ method) to download and execute the âInvoke-DLLInjection.ps1â script from our attacker system, along with the correct arguments for injecting our DLL into that existing process.
Once that is complete, if we run the âpsâ command again, we can confirm that we now have a âcmdâ process which has been spawned from our DLL Injection operation, which is created in a new process thread.
A great explanation of the basics of how DLL injection works can be found here:
Another excellent PowerShell tool weâd like to mention by decoder-it is âpsgetsystemâ and can be downloaded here:
Psgetsystem allows us to get SYSTEM privileges via a parent process, which then spawns a child process which effectively inherits the SYSTEM access privileges of the parent.
Although this tool needs to be run as Administrator, itâs a great way to evade application whitelisting solutions by being able to inject ourselves into an already signed or other trusted process.
Letâs see it in action. Once weâve downloaded the psgetsys.ps1 script to our target, we can source it and execute its class function with the following commands:
But before we do that, we need to identify some SYSTEM processes and choose one we can âpiggybackâ onto. We can use the following command to find those:
Now that we have a PID for a SYSTEM-owned process (3632 in this case), we can continue with our execution of psgetsystem. For demonstration purposes, weâll instruct psgetsystem to run âcmd.exeâ within the ZeroConfigService process 3632. This will launch a cmd.exe prompt, but as a child process of the SYSTEM-owned ZeroConfigService.exe process, and as a result, our âchildâ process, will also be SYSTEM.
Empire is another great post-exploitation framework which weâll briefly describe here but will cover in greater detail in a video accompanying this module.
Its main advantage is that it implements powershell functionality without requiring the existence of powershell on a target machine. It is in a world of its own in regards to other frameworks in that it utilizes its own built-in listeners, agents and modules to compromise and conduct all facets of post-exploitation from information gathering to privilege escalation, lateral movement, persistence and also integrates with the Metasploit Framework.
You can learn more about Empire here:
Make sure to check out the video included with this module for a walkthrough of its capabilities.
Last updated
Was this helpful?