Section 3 Module 1 Introduction

1.1 Why Powershell?

1.2 What IS Powershell?


Penetration Testing Professional 5.0 – Caendra Inc. © 2018
By the end of this module, you should have a better understanding of:

✓ The benefits of utilizing Powershell for penetration tests.

✓ What Powershell is at a high-level.

Powershell is a powerful built-in shell and scripting environment we can utilize as penetration testers, considering its widespread availability on all modern Windows-based systems.

https://en.wikipedia.org/wiki/PowerShell

The use of Powershell allows us to take advantage of the “living-off-the-land” concept, where tools that are built in to the operating system work to our advantage once we’ve obtained access to a system.

https://www.secureworks.com/blog/living-off-the-land

There are many advantages to using Powershell as it relates to penetration testing, with some of them being:

• Many organizations aren’t actively hunting for Powershell activity since it is usually considered a “trusted” application.

• We can use Powershell to run, download or execute code, entirely within the memory process of the Powershell executable, helping us evade endpoint security solutions.

• We can use it to interface with the .NET and other Windows APIs.

Advantages (continued):

• We can call Windows DLL functions from within Powershell.

• We can use it to bypass application whitelisting implementations by running the usual operating system commands from the Powershell CLI.

• Many tools are already available to us for a large number of purposes related to penetration testing.
https://github.com/PowerShellMafia/PowerSploit
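The first advantage above is that Powershell activity is often not hunted for. The following is an added example written for this page from the defender's side, not course material: it reads the Script Block Logging events (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log) that Powershell 5.x records and flags blocks containing the in-memory download-and-execute patterns the slides describe. It assumes Windows PowerShell 5.x; the function name and the indicator list are constructed for the example and are a starting point, not a complete detection rule.

```powershell
# Added example (not from the course): first-pass hunt over PowerShell
# Script Block Logging (event ID 4104, Microsoft-Windows-PowerShell/Operational).
# Assumes Windows PowerShell 5.x. The indicator list is constructed here as a
# starting point; tune it for your environment.

function Find-SuspiciousScriptBlock {
    [CmdletBinding()]
    param(
        [int]$MaxEvents = 500,
        # Strings commonly seen in in-memory download / execute patterns.
        [string[]]$Indicators = @(
            'Invoke-Expression', 'IEX', 'DownloadString', 'DownloadFile',
            'FromBase64String', '-EncodedCommand', 'Net.WebClient',
            'Reflection.Assembly'
        )
    )

    $filter = @{
        LogName = 'Microsoft-Windows-PowerShell/Operational'
        Id      = 4104
    }
    # Get-WinEvent errors when nothing matches; treat that as "no findings".
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Event 4104 payload fields: 0 = message number, 1 = message total,
        # 2 = ScriptBlockText, 3 = ScriptBlockId, 4 = Path.
        $text = [string]$e.Properties[2].Value
        $hits = @($Indicators | Where-Object { $text -match [regex]::Escape($_) })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                TimeCreated   = $e.TimeCreated
                ScriptBlockId = $e.Properties[3].Value
                Path          = $e.Properties[4].Value   # empty for interactive input
                Indicators    = ($hits -join ', ')
                Preview       = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize -Wrap
```

Even when Script Block Logging is not enforced by policy, Powershell 5.0 and later still writes 4104 events (at Warning level) for script blocks it considers suspicious, so this query is worth running on a host before assuming there is nothing to see. Long script blocks are split across several 4104 events, which is why the message number and total fields exist.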



Having access to all of those things through Powershell helps us
reduce our footprint and evade defense mechanisms while
conducting post-exploitation tasks.



Powershell is also easy to use, and there are many scripts and frameworks written that we can utilize for our offensive purposes.

Furthermore, it doesn’t take much to create our own scripts to carry out some of our tasks, as we’ll see in the modules that follow.

Powershell is a powerful built-in Command Line Interpreter or “shell,” and task-oriented scripting language environment found on most current Windows Operating Systems, starting with Windows 7 and Windows 2008 R2 and onward.

https://en.wikipedia.org/wiki/PowerShell
https://en.wikipedia.org/wiki/Command-line_interface#Command-line_interpreter
Powershell is typically used by administrators, as it provides great functionality and flexibility when it comes to managing Windows systems and automating tasks, which is largely why it’s the perfect tool for our process as penetration testers.

Powershell is tightly integrated with the .NET framework (built on top of it actually).

It also provides convenient access to the .NET Framework API, Component Object Model (COM) and Windows Management Instrumentation (WMI), which is another plus in regard to persistence methods and ways we can gather information, as we’ll see later.
https://en.wikipedia.org/wiki/.NET_Framework https://en.wikipedia.org/wiki/Windows_Management_Instrumentation
https://en.wikipedia.org/wiki/Component_Object_Model
Most of the time, we’ll either be working with scripts, commonly identified by the “.ps1” file extension, or with what are known as “Cmdlets” (native Powershell commands), of which we can also create our own; at other times, we’ll be interacting with Powershell directly via its CLI.

https://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx



An important point to note as we navigate through the upcoming topics is that more recent versions of Powershell, specifically 5.0 and onward, introduce some potential hurdles with regard to detection, logging and more restrictive modes, which we will briefly cover workarounds for.

For the most part, we will be working with version 1.0 or 2.0.

https://en.wikipedia.org/wiki/PowerShell#Versions https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/
https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/
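The slides above mention the .NET, COM and WMI access Powershell offers, custom cmdlets, and the logging and language-mode controls that arrive with version 5.0. The following added example, written for this page and not part of the course, ties those together from the defender's side: a cmdlet-style advanced function that uses .NET (`$PSVersionTable`, the session state), CIM/WMI (`Win32_OperatingSystem`), COM (`WScript.Network`) and the registry to report whether Script Block Logging, Module Logging, transcription and Constrained Language Mode are in force, and whether the legacy 2.0 engine the slides refer to is still installed. It assumes Windows PowerShell 3.0 or later on a Windows 10 / Server 2016 host; the function name is constructed, and the optional-feature check needs an elevated prompt.

```powershell
# Added example (not from the course): audit the PowerShell controls a
# 5.x-era host can enforce. Assumes Windows PowerShell 3.0+ on Windows 10 /
# Server 2016; Get-WindowsOptionalFeature needs elevation and the DISM module.

function Get-PowerShellSecurityPosture {
    [CmdletBinding()]
    param()

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

    # Read a DWORD policy value; an absent key means the control is not enforced.
    function Read-Policy([string]$SubKey, [string]$Name) {
        $item = Get-ItemProperty -Path (Join-Path $policyRoot $SubKey) -Name $Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { return 0 }
        return [int]$item.$Name
    }

    # Legacy 2.0 engine: it predates 5.x logging and language modes, so its
    # presence matters even on a patched host. Requires an elevated prompt.
    $v2State = 'Unknown (run elevated)'
    try {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName MicrosoftWindowsPowerShellV2 -ErrorAction Stop
        $v2State = [string]$feat.State
    } catch { }

    # WMI via the CIM cmdlets for the OS build, COM for the logged-on identity.
    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $net = New-Object -ComObject WScript.Network

    [pscustomobject]@{
        ComputerName           = $net.ComputerName
        CurrentUser            = "$($net.UserDomain)\$($net.UserName)"
        OSVersion              = $os.Version
        PSVersion              = $PSVersionTable.PSVersion.ToString()
        LanguageMode           = [string]$ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging     = [bool](Read-Policy 'ScriptBlockLogging' 'EnableScriptBlockLogging')
        ModuleLogging          = [bool](Read-Policy 'ModuleLogging' 'EnableModuleLogging')
        Transcription          = [bool](Read-Policy 'Transcription' 'EnableTranscripting')
        MachineExecutionPolicy = [string](Get-ExecutionPolicy -Scope LocalMachine)
        PowerShellV2Engine     = $v2State
    }
}

# Report, then call out the settings a defender would want changed.
$posture = Get-PowerShellSecurityPosture
$posture | Format-List

if (-not $posture.ScriptBlockLogging) {
    Write-Warning 'Script Block Logging is not enforced by policy.'
}
if ($posture.PowerShellV2Engine -eq 'Enabled') {
    Write-Warning 'The PowerShell 2.0 engine is installed; it is not covered by 5.x logging or language mode.'
}
if ($posture.LanguageMode -ne 'ConstrainedLanguage') {
    Write-Warning "This session runs in $($posture.LanguageMode); Constrained Language Mode is not applied."
}
```

The language mode reported is that of the session running the function, so run it the way users normally start Powershell rather than from an already elevated or specially configured console. Execution policy is listed for completeness only; it is a safety setting, not a security boundary, and should not be read as a control.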
Advancements in the “freedom” of Powershell:

In 2016, Powershell 6.0 (Powershell Core) was made available as an open source project and is available for several different platforms, including some major Linux distributions, MacOS, and also as a Docker container image.

You can learn more about open source Powershell, and download it, from the following GitHub page:

https://github.com/powershell/powershell
https://blogs.msdn.microsoft.com/powershell/2018/01/10/powershell-core-6-0-generally-available-ga-and-supported/

This concludes the Powershell For Pentesters Introduction Module.

In this module, we covered:

✓ A brief introduction as to why Powershell is a great tool for our purposes.

✓ A high-level overview of Powershell.

References:

Powershell
https://en.wikipedia.org/wiki/PowerShell

Component Object Model
https://en.wikipedia.org/wiki/Component_Object_Model

Living Off The Land
https://www.secureworks.com/blog/living-off-the-land

Windows Management Instrumentation
https://en.wikipedia.org/wiki/Windows_Management_Instrumentation

Command Line Interpreter
https://en.wikipedia.org/wiki/Command-line_interface#Command-line_interpreter

Cmdlets
https://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx

.NET Framework
https://en.wikipedia.org/wiki/.NET_Framework

Powershell Versions
https://en.wikipedia.org/wiki/PowerShell#Versions

Constrained Language Mode
https://blogs.msdn.microsoft.com/powershell/2017/11/02/powershell-constrained-language-mode/

Script Block Logging
https://www.crowdstrike.com/blog/investigating-powershell-command-and-script-logging/