PowerShell For Pentesters
Course Topic Overview
- Introduction To PowerShell
- PowerShell Fundamentals
- PowerShell Scripting
- Leveraging PowerShell For Exploitation & Post-Exploitation
- AV Evasion & Obfuscation With PowerShell
PowerShell 为渗透测试者
课程主题概览
- PowerShell 介绍
- PowerShell 基础
- PowerShell 脚本编写
- 利用 PowerShell 进行利用与后期利用
- 使用 PowerShell 进行杀毒规避与混淆
Prerequisites
- Basic familiarity with TCP & UDP
- Basic familiarity with Windows
先决条件
- 对 TCP 和 UDP 有基本了解
- 对 Windows 有基本了解
Learning Objectives
- Students will get an introduction to PowerShell
- Students will have an understanding of the inner workings of PowerShell and the various components that make up the language
- Students will be able to write their own PowerShell scripts for automation
- Students will be able to utilize PowerShell for exploitation & post-exploitation
- Students will be able to utilize PowerShell for AV Evasion & Obfuscation
学习目标
- 学生将获得对 PowerShell 的介绍
- 学生将了解 PowerShell 的内部机制以及构成该语言的各种组件
- 学生将能够编写自己的 PowerShell 脚本进行自动化
- 学生将能够利用 PowerShell 进行利用和后期利用
- 学生将能够利用 PowerShell 进行杀毒规避和混淆
Introduction To PowerShell
1.2 What IS Powershell?
-
Powershell is a powerful built-in Command Line Interpreter or “shell,” and task-oriented scripting language environment found on most current Windows Operating Systems starting with Windows 7, and through to Windows 2008 R2 and onward.
-
Powershell is typically used by administrators as it provides great functionality and flexibility in regard to managing Windows systems and automating tasks, which is mostly the reason why it’s the perfect tool when it comes to our process as penetration testers.
-
Powershell is tightly integrated with the .NET framework (built on top of it actually).
-
It also provides convenient access to the .NET Framework API, Component Object Model (COM) and Windows Management Instrumentation (WMI), which is another plus in regard to persistence methods and ways we can gather information as we’ll see later.
-
Most of the time, we’ll either be working with scripts commonly identified by the “.ps1” file extension, or through what are known as “Cmdlets” (native Powershell commands) of which we can also create our own, and other times, we’ll be interacting directly with via the Powershell CLI.
-
An important point to note as we navigate through the upcoming topics is that more recent versions of Powershell, specifically 5.0 and onward, introduce some potential hurdles in regard to detection, logging and more restrictive modes, which we will cover workarounds for briefly.
-
For the most part, we will be working with version 1.0 or 2.0.
Advancements in the “freedom” of Powershell:
-
In 2016, Powershell 6.0 (Powershell Core) was made available as an open source project and is available for several different platforms, including some major Linux distributions, MacOS, and also as a Docker container image.
-
You can learn more about Open source Powershell, and it can be downloaded from the following github page: https://github.com/powershell/powershell
PowerShell 介绍
1.2 什么是 PowerShell?
-
PowerShell 是一种强大的内置命令行解释器或“shell”,以及任务导向的脚本语言环境,从 Windows 7 开始,在大多数当前 Windows 操作系统中可以找到,一直到 Windows 2008 R2 及以后的版本。
-
PowerShell 通常由管理员使用,因为它在管理 Windows 系统和自动化任务方面提供了极大的功能性和灵活性,这也是它成为渗透测试过程中完美工具的主要原因。
-
PowerShell 与 .NET 框架(实际上是基于它构建的)紧密集成。
-
它还方便地访问 .NET 框架 API、组件对象模型(COM)和 Windows 管理工具(WMI),这在持久性方法和我们稍后将看到的信息收集方式方面是另一个优势。
-
大多数时候,我们要么在使用通常以“.ps1”文件扩展名标识的脚本,要么通过所谓的“Cmdlets”(原生 PowerShell 命令)工作,我们也可以自己创建 Cmdlets,其他时候,我们将直接通过 PowerShell CLI 进行交互。
-
一个重要的点是,我们在浏览即将到来的主题时需要注意,更近期的 版本,特别是 5.0 及以后的版本,引入了一些潜在的障碍,涉及检测、日志记录以及更多限制模式,我们将简要介绍解决方法。
-
在大多数情况下,我们将使用 1.0 或 2.0 版。
PowerShell“自由度”的进步:
-
2016年,PowerShell 6.0(PowerShell Core)作为一个开源项目推出,并可用于多个不同的平台,包括一些主要的 Linux 发行版、MacOS,以及作为 Docker 容器镜像。
-
你可以从以下 GitHub 页面了解更多关于开源 PowerShell 的信息,并进行下载:https://github.com/powershell/powershell
References
-
Cmdlet Overview: https://docs.microsoft.com/enus/powershell/scripting/developer/cmdlet/cmdletoverview?view=powershell-7
-
Command-line Interpreter: https://en.wikipedia.org/wiki/Commandline_interface#Command-line_interpreter
-
Component Object Model (COM): https://en.wikipedia.org/wiki/Component_Object_Model
-
Investigating PowerShell: Command and Script Logging: https://www.crowdstrike.com/blog/investigating-powershell-commandand-script-logging/
-
.NET Framework: https://en.wikipedia.org/wiki/.NET_Framework
-
PowerShell: https://github.com/powershell/powershell
-
PowerShell Constrained Language Mode: https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershellconstrained-language-mode/
-
PowerShell Core 6.0: Generally Available (GA) and Supported!: https://blogs.msdn.microsoft.com/powershell/2018/01/10/powershellcore-6-0-generally-available-ga-and-supported/
-
PowerShell Wiki: https://en.wikipedia.org/wiki/PowerShell
-
PowerShell Versions: https://en.wikipedia.org/wiki/PowerShell#Versions
Why Powershell?
1.1 Why Powershell?
-
Powershell is a powerful built-in shell and scripting environment we can utilize as penetration testers considering its wide-spread availability on all modern Windows-based systems.
-
The use of Powershell allows us to take advantage of the “living-off-the-land” concept, where using tools that are built-in to the Operating System work to our advantage once we’ve obtained access to a system.
There are many advantages to using Powershell as it relates to penetration testing, with some of them being:
-
Many organizations aren’t actively hunting for Powershell activity since it is usually considered a “trusted” application.
-
We can use Powershell to run, download or execute code, entirely within the memory process of the Powershell executable, helping us evade endpoint security solutions.
-
We can use it to interface with the .NET and other Windows APIs.
Advantages (continued):
-
We can call Windows DLL functions from within Powershell.
-
We can use it to bypass application whitelisting implementations by running the usual operating system commands from the Powershell CLI.
-
Many tools are already available to us for a large number of purposes related to penetration testing.
-
Having access to all of those things through Powershell helps us reduce our footprint and evade defense mechanisms while conducting postexploitation tasks.
-
Powershell is also easy to use, and there are many scripts and frameworks written that we can utilize for our offensive purposes.
-
Furthermore, it doesn’t take much to create our own scripts to carry out some of our tasks as we’ll see in the modules that follow.
为什么选择 PowerShell?
1.1 为什么选择 PowerShell?
-
PowerShell 是一个强大的内置 shell 和脚本环境,我们作为渗透测试者可以利用它,因为它在所有现代基于 Windows 的系统上都广泛可用。
-
使用 PowerShell 允许我们利用“靠现成的工具生存”的概念,在我们获得系统访问权限后,使用内置于操作系统的工具对我们有利。
使用 PowerShell 在渗透测试中有许多优势,其中一些包括:
-
许多组织并不积极寻找 PowerShell 活动,因为它通常被认为是一个“可信”的应用程序。
-
我们可以使用 PowerShell 在 PowerShell 可执行文件的内存进程中运行、下载或执行代码,帮助我们规避端点安全解决方案。
-
我们可以使用它与 .NET 和其他 Windows API 交互。
优势(继续):
-
我们可以从 PowerShell 内部调用 Windows DLL 函数。
-
我们可以通过从 PowerShell CLI 运行常规操作系统命令来绕过应用程序白名单实施。
-
许多工具已经可用于我们进行渗透测试相关的大量目的。
-
通过 PowerShell 访问所有这些工具有助于我们减少我们的足迹并在进行后期开发任务时规避防御机制。
-
PowerShell 也易于使用,有许多脚本和框架编写,我们可以利用这些工具进行攻击性目的。
-
此外,创建我们自己的脚本来完成一些任务并不需要太多努力,我们将在后续的模块中看到这一点。
References
-
Living Off the Land: https://www.secureworks.com/blog/living-off-the-land
-
PowerShell: https://en.wikipedia.org/wiki/PowerShell
-
PowerSploit: https://github.com/PowerShellMafia/PowerSploit