-
Notifications
You must be signed in to change notification settings - Fork 14.1k
How to use Powershell in an exploit
Powershell is a scripting language developed by Microsoft. It provides API access to almost everything in a Windows platform, less detectable by countermeasures, easy to learn, therefore it is incredibly powerful for penetration testing during post exploitation, or exploit development for payload execution. Take Metasploit's windows/smb/psexec_psh.rb module for example: it mimics the psexec utility from SysInternals, the payload is encoded in Base64 and executed from the command line, which allows it to be somewhat stealthy against antivirus. There's only less than 30 lines of code in psexec_psh.rb (excluding the metadata that describes what the module is about), because most of the work is done by the Powershell mixin, nothing is easier than that.
To use the Powershell mixin, make sure you meet these requirements:
- The target machine supports Powershell. Vista or newer should support it.
- You must have permission to execute powershell.exe
- You must be able to supply system command arguments.
- You must set up a command execution type attack in order to execute powershell.exe
- To add Powershell to your module, first you need to require it:
require 'msf/core/exploit/powershell'
- And then include the mixin within the scope of the
Metasploit3
class (or maybeMetasploit4
for some)
include Msf::Exploit::Powershell
- Use the
cmd_psh_payload
method to generate the Powershell payload.
cmd_psh_payload(payload.encoded, payload_instance.arch.first)
The actual output of cmd_psh_payload
is a system command, which would look like the following format (as a one-liner):
%COMSPEC% /B /C start powershell.exe -Command $si = New-Object
System.Diagnostics.ProcessStartInfo;$si.FileName = 'powershell.exe';
$si.Arguments = ' -EncodedCommand [BASE64 PAYLOAD] ';
$si.UseShellExecute = $false;
$si.RedirectStandardOutput = $true;$si.WindowStyle = 'Hidden';
$si.CreateNoWindow = $True;
$p = [System.Diagnostics.Process]::Start($si);
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/exploit/powershell.rb
https://github.com/rapid7/metasploit-framework/blob/master/data/exploits/powershell/powerdump.ps1
- Home Welcome to Metasploit!
- Using Metasploit A collection of useful links for penetration testers.
-
Setting Up a Metasploit Development Environment From
apt-get install
togit push
. - CONTRIBUTING.md What should your contributions look like?
- Landing Pull Requests Working with other people's contributions.
- Using Git All about Git and GitHub.
- Contributing to Metasploit Be a part of our open source community.
- Meterpreter All about the Meterpreter payload.