index

intro

  • topic overview of this section:
    • Intro to Powershell
    • Powershell Fundamentals
    • Powershell Scripting
    • Leveraging Powershell for Exploitation & Post-Exploitation
      • powersploit, powerup etc + specialised scripts oh and Empire C2
    • AV Evasion & Obfuscation With Powershell
      • will focus more on Obfuscation :)

Course

Course-Intro

Why Powershell

  • it’s available everywhere + LoL (Living off the Land) :)
  • lets us run/download/execute code in memory + many orgs aren’t actively hunting for powershell activity + lets us use .NET and other windows APIs
  • can call DLL functions and can bypass application whitelisting by running the same code from powershell + the fact powersploit is a thing
  • reduces footprint and helps evade defenses. plus it’s easy to use and there’s tons of stuff available for it + we can just make our own custom stuff too if we want

What is Powershell

  • a built-in shell/CLI with scripting capabilities. mostly task/configuration management and automation focused. can be found in almost all windows systems starting with windows 7 and windows server 2008 R2 onward
  • built on top of the .NET framework so it’s tightly integrated with it, which basically gives convenient access to the .NET API. also supports Component Object Model (COM) objects and Windows Management Instrumentation (WMI)
  • we’ll mostly be working with powershell 1.0 or 2.0. powershell introduced stuff like logging and restrictive modes from 5.0 onward so that’ll be a pain. we’ll cover workarounds for that later though
  • powershell 6.0 (Powershell Core) was open-sourced in 2016. available at: https://github.com/powershell/powershell
  • local binary available at "C:\Windows\System32\WindowsPowerShell\v1.0\"
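As an added example (not from the course notes), one call through each of the three integration points listed above: .NET static members, a COM automation object and a WMI class. The function name Get-HostIntegrationInfo is made up for this snippet. It targets Windows PowerShell; Get-WmiObject is not present in PowerShell Core, where Get-CimInstance replaces it.

```powershell
# Added example, not from the course notes: .NET, COM and WMI from one function.
# Windows PowerShell only (Get-WmiObject); on PowerShell Core use Get-CimInstance.

function Get-HostIntegrationInfo {
    # 1. .NET: types and static members are addressed directly as [Type]::Member
    $clrVersion  = [System.Environment]::Version.ToString()
    $is64BitProc = [System.Environment]::Is64BitProcess
    $psVersion   = $PSVersionTable.PSVersion.ToString()

    # 2. COM: late-bound automation objects via New-Object -ComObject
    $wsh        = New-Object -ComObject WScript.Shell
    $systemRoot = $wsh.ExpandEnvironmentStrings('%SystemRoot%')

    # 3. WMI: query a management class (same data wmic.exe exposes)
    $os = Get-WmiObject -Class Win32_OperatingSystem

    # Combine the three sources into one object for display or logging
    New-Object PSObject -Property @{
        PSVersion    = $psVersion
        CLRVersion   = $clrVersion
        Is64BitProc  = $is64BitProc
        SystemRoot   = $systemRoot
        OSCaption    = $os.Caption
        OSArch       = $os.OSArchitecture
        LastBootTime = $os.ConvertToDateTime($os.LastBootUpTime)
    }
}

Get-HostIntegrationInfo | Format-List
```

ConvertToDateTime is a script method PowerShell attaches to WMI objects to turn WMI's DMTF timestamp strings into .NET DateTime values, which is why the WMI result needs that extra step while the .NET and COM values are usable as returned.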

Powershell Fundamentals

The PowerShell CLI

  • gets us access to built-in cmdlets, modules, functions and features, and lets us create tasks, functions, variables etc
  • on a 64-bit system the 64- and 32-bit binaries are stored in System32 and SysWOW64 respectively. on a 32-bit system it’s just stored in System32 like usual. can check whether the current process is 64-bit by doing
[Environment]::Is64BitProcess
  • can do help like this to see help text:
powershell.exe /?
  • can run ps1 scripts like so:
powershell.exe .\script.ps1
  • some more common powershell params we’ll be using (for each: what it does, the values it takes, abbreviations and examples):
    • -ExecutionPolicy
      • what it does: dictates whether a powershell script is allowed to run on a system and governs whether profiles and configs that affect the PS environment can be loaded
      • values:
        • Bypass : completely bypasses execution policy
        • Unrestricted : allows all scripts to be run without signature requirements
        • Restricted : default. prevents all scripts from running including profiles. only allows individual commands to be executed
        • AllSigned : allows scripts to run if the script and its associated config files are signed by a trusted publisher
        • RemoteSigned : default for a lot of systems. allows local scripts to run no problem but behaves like AllSigned if the script originates from a remote location
      • abbreviations: -ep, -ex (e.g. -ep by)
      • examples:
        powershell.exe -ExecutionPolicy Bypass .\script.ps1
        powershell.exe -ExecutionPolicy Unrestricted .\script.ps1
    • -WindowStyle
      • what it does: controls how the window of a powershell session or a process started by powershell is displayed
      • values:
        • Normal : window displayed in the default normal state
        • Minimized : minimized to the taskbar
        • Maximized : fills the entire screen
        • Hidden : completely hides the window. although a brief flash of the console window will still appear before it’s hidden ifykyk
      • abbreviations: -W, -Wi (e.g. -W h)
      • example:
        powershell.exe -WindowStyle Hidden .\script.ps1
    • -Command
      • what it does: specifies a command or script block to run ({} = script block)
      • examples:
        powershell.exe -Command Get-Process
        powershell.exe -Command "& { Get-EventLog -Logname security}"
    • -EncodedCommand
      • what it does: executes base64 encoded scripts or commands
      • abbreviations: -enco, -ec
      • example:
        powershell.exe -EncodedCommand $encodedCommand
    • -NoProfile
      • what it does: tells powershell not to load any profiles. profiles are basically powershell’s equivalent of a zsh rc file and can interfere with our operations
      • example:
        powershell.exe -NoProfile .\script.ps1
    • -Version
      • what it does: lets us start a specific version of powershell (requires that version to be installed on the system)
      • example:
        powershell.exe -Version 2
  • all PS params and their args can be abbreviated as long as the abbreviation is unique
  • oh and PS isn’t case sensitive
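As an added example (not from the course notes), here is what -EncodedCommand actually expects and the reverse operation for reading one back out of a logged command line. powershell.exe decodes the blob as UTF-16LE (.NET's "Unicode" encoding), not UTF-8, and getting that wrong is the usual reason an encoded command silently fails. The function names ConvertTo-EncodedCommand, ConvertFrom-EncodedCommand and Get-DecodedCommandLine, the sample command and the sample log line are all made up for this snippet.

```powershell
# Added example, not from the course notes: building and decoding -EncodedCommand blobs.
# The blob is base64 of the UTF-16LE bytes of the script text.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$Script)
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($Script)   # UTF-16LE bytes
    [Convert]::ToBase64String($bytes)
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    [System.Text.Encoding]::Unicode.GetString($bytes)
}

# Pulls the blob out of a full command line as it appears in a process-creation
# record (Security event 4688 with command-line auditing on, or Sysmon event 1)
# and decodes it. The pattern covers -EncodedCommand and the abbreviations the
# notes list (-enco, -ec); the blob itself is a run of base64 characters.
function Get-DecodedCommandLine {
    param([Parameter(Mandatory=$true)][string]$CommandLine)
    if ($CommandLine -match '-(?:ec|enc\w*)\s+([A-Za-z0-9+/=]+)') {
        ConvertFrom-EncodedCommand $Matches[1]
    }
}

# Round trip on a harmless constructed command
$cmd = 'Get-Process | Select-Object -First 3'
$enc = ConvertTo-EncodedCommand $cmd
"powershell.exe -NoProfile -EncodedCommand $enc"
ConvertFrom-EncodedCommand $enc            # gives back the text in $cmd

# Constructed command line in the shape a log would show it (not a real capture)
$logged = "powershell.exe -NoProfile -w hidden -enc $enc"
Get-DecodedCommandLine $logged

# Failure mode: UTF-8 bytes base64-encode fine but turn into garbage once
# powershell.exe reads them as UTF-16LE, so nothing meaningful executes
$wrong = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($cmd))
[System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($wrong))
```

The decoder is the part worth keeping around: whenever a 4688 or Sysmon record shows a long base64 argument after one of the -ec / -enc spellings, Get-DecodedCommandLine turns it back into readable PowerShell for review.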

Cmdlets

Modules

Scripts

Objects

Offensive Powershell

Downloading and execution

Obfuscation

Information gathering and recon

post exploitation with powershell

powershell and metasploit

powershell and metasploit quiz

Empire Overview

Empire Overview quiz

UAC Bypass Powersploit Script Walkthrough

UAC Bypass Powersploit Script Walkthrough quiz

Intro to leveraging WMI and Methods for Persistence

Intro to leveraging WMI and Methods for Persistence Quiz

Leveraging powershell during exploitation