PenTestIT

Your source for all things Information Security!

PowerSploit: A Post-Exploitation Framework in PowerShell!

Posted: 1 year ago by @pentestit 2292 views
Updated: May 13, 2017 at 10:59 am

PowerSploit is an open-source, offensive Microsoft PowerShell toolkit written to help penetration testers in almost all phases of an engagement. It can help you perform reconnaissance, elevate your privileges and maintain access.


PowerSploit

PowerSploit has modules that help you bypass antivirus, execute arbitrary code, exfiltrate data, cause general disturbance on the system, persist code, assist in network reconnaissance, and perform low-level code execution and code injection/modification.

Features of PowerSploit:

CodeExecution – Execute code on a target machine.

  • Invoke-DllInjection – Injects a Dll into the process ID of your choosing.
  • Invoke-ReflectivePEInjection – Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.
  • Invoke-Shellcode – Injects shellcode into the process ID of your choosing or within PowerShell locally.
  • Invoke-WmiCommand – Executes a PowerShell ScriptBlock on a target computer and returns its formatted output, using WMI as a C2 channel.

ScriptModification – Modify and/or prepare scripts for execution on a compromised machine.

  • Out-EncodedCommand – Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
  • Out-CompressedDll – Compresses, Base-64 encodes, and outputs generated code to load a managed dll in memory.
  • Out-EncryptedScript – Encrypts text files/scripts.
  • Remove-Comment – Strips comments and extra whitespace from a script.
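As an added defender-side example (not part of the original post or the PowerSploit project), the Python below decodes the kind of launcher line that Out-EncodedCommand is described as producing, so an analyst can read what a logged command line actually runs. It assumes the outer layer after -EncodedCommand is UTF-16LE base64 and that an optional inner layer is a raw-deflate base64 blob passed to IO.Compression.DeflateStream; the build_test_launcher fixture, the regexes and the marker list are constructed here for testing.

```python
import base64
import re
import zlib

# Assumptions (constructed for this example): the outer layer after -EncodedCommand is
# UTF-16LE base64; an optional inner layer is a raw-deflate base64 blob handed to
# IO.Compression.DeflateStream. Neither the regexes nor the fixture are PowerSploit's code.
ENC_FLAG_RE = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)
INNER_B64_RE = re.compile(r"FromBase64String\(['\"]([A-Za-z0-9+/=]+)['\"]\)")


def build_test_launcher(script: str) -> str:
    """Constructed test fixture: wrap SCRIPT the way a compressed, encoded launcher would."""
    comp = zlib.compressobj(wbits=-15)  # raw deflate, no zlib header/trailer
    blob = base64.b64encode(comp.compress(script.encode("ascii")) + comp.flush()).decode()
    inner = ("iex(New-Object IO.StreamReader((New-Object IO.Compression.DeflateStream("
             "[IO.MemoryStream][Convert]::FromBase64String('%s'),"
             "[IO.Compression.CompressionMode]::Decompress)),[Text.Encoding]::ASCII)).ReadToEnd()" % blob)
    outer = base64.b64encode(inner.encode("utf-16-le")).decode()
    return "powershell.exe -NoProfile -EncodedCommand " + outer


def decode_encoded_command(cmdline: str):
    """Return the decoded layers (outermost first), or None if no -EncodedCommand is present."""
    m = ENC_FLAG_RE.search(cmdline)
    if not m:
        return None
    layers = [base64.b64decode(m.group(1)).decode("utf-16-le")]  # layer 1: UTF-16LE text
    inner = INNER_B64_RE.search(layers[0])
    if inner and "DeflateStream" in layers[0]:
        # layer 2: raw deflate (wbits=-15) of the real script
        blob = base64.b64decode(inner.group(1))
        layers.append(zlib.decompress(blob, wbits=-15).decode("ascii", errors="replace"))
    return layers


def looks_like_powersploit(decoded_layers) -> bool:
    """Crude triage: flag well-known PowerSploit function names in any decoded layer."""
    markers = ("Invoke-Mimikatz", "Invoke-Shellcode", "Get-Keystrokes", "Invoke-ReflectivePEInjection")
    return any(mk.lower() in layer.lower() for layer in decoded_layers for mk in markers)
```

Feed it the CommandLine field from process-creation logs (Sysmon Event ID 1 or Security 4688); the decoded layers are what a content match should run against, not the base64 blob.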

Persistence – Add persistence capabilities to a PowerShell script.

  • New-UserPersistenceOption – Configure user-level persistence options for the Add-Persistence function.
  • New-ElevatedPersistenceOption – Configure elevated persistence options for the Add-Persistence function.
  • Add-Persistence – Add persistence capabilities to a script.
  • Install-SSP – Installs a security support provider (SSP) dll.
  • Get-SecurityPackage – Enumerates all loaded security packages (SSPs).

AntivirusBypass – AV doesn’t stand a chance against PowerShell!

  • Find-AVSignature – Locates single-byte AV signatures using the same method as DSplit from “class101”.

Exfiltration – All your data belong to me!

  • Invoke-TokenManipulation – Lists available logon tokens, creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
  • Invoke-CredentialInjection – Create logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
  • Invoke-NinjaCopy – Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
  • Invoke-Mimikatz – Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
  • Get-Keystrokes – Logs keys pressed, time and the active window.
  • Get-GPPPassword – Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
  • Get-GPPAutologon – Retrieves autologon username and password from registry.xml if pushed through Group Policy Preferences.
  • Get-TimedScreenshot – A function that takes screenshots at a regular interval and saves them to a folder.
  • New-VolumeShadowCopy – Creates a new volume shadow copy.
  • Get-VolumeShadowCopy – Lists the device paths of all local volume shadow copies.
  • Mount-VolumeShadowCopy – Mounts a volume shadow copy.
  • Remove-VolumeShadowCopy – Deletes a volume shadow copy.
  • Get-VaultCredential – Displays Windows vault credential objects including cleartext web credentials.
  • Out-Minidump – Generates a full-memory minidump of a process.
  • Get-MicrophoneAudio – Records audio from system microphone and saves to disk.

Mayhem – Cause general mayhem with PowerShell.

  • Set-MasterBootRecord – Proof of concept code that overwrites the master boot record with the message of your choice.
  • Set-CriticalProcess – Causes your machine to blue screen upon exiting PowerShell.

Privesc – Tools to help with escalating privileges on a target, including PowerUp.

  • PowerUp – Clearing house of common privilege escalation checks, along with some weaponization vectors.
  • Get-System – GetSystem functionality inspired by Meterpreter’s getsystem.

Recon – Tools to aid in the reconnaissance phase of a penetration test, including PowerView.

  • Invoke-Portscan – Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
  • Get-HttpStatus – Returns the HTTP Status Codes and full URL for specified paths when provided with a dictionary file.
  • Invoke-ReverseDnsLookup – Scans an IP address range for DNS PTR records.
  • PowerView – A series of functions that perform network and Windows domain enumeration and exploitation.

PowerSploit relies on PowerShell because it can perform a wide range of low-level tasks without dropping malicious executables on disk, which helps it evade antivirus products. Most scripts in PowerSploit are self-contained, with no external dependencies, so you do not have to download the complete PowerSploit framework to the remote machine.

Download PowerSploit:

PowerSploit v3.0.0.zip or PowerSploit v3.0.0.tar.gz can be downloaded here.

Filed Under: Open Source, Penetration Testing Tagged With: Mimikatz, open source, penetration testing, penetration testing toolkit, PowerSploit
