Script Kiddies 4.0

Penetration tests try to find and legally exploit weaknesses in a system's security, so admins can manage their computer systems more securely. Security problems can be identified by using an automated tool, a manual method, or a combination of the two. In this environment, PowerShell can deliver excellent results with its modules for penetration testing and exploits.

Some PowerShell extensions expand the command set or provide more secure alternatives for standard procedures, such as SSH as an alternative to Windows Remote Management (WinRM) remote maintenance. Even malware scanners are implemented as PowerShell components.

Testing Windows Systems

The PowerShell PowerSploit [1] module, developed for penetration testers and reverse engineers, is used for penetration tests and as a vulnerability scanner. PowerShell is the ideal post-exploitation utility for Windows because of its ability to perform a wide range of administrative and low-level tasks without leaving traces on the hard drive. PowerShell scripts run completely in memory and are remote-enabled. The module supports IT managers in the following tasks:

• Code execution: Execution of low-level code and code injection.
• Script modification: Modifying or preparing scripts for execution on a compromised machine.
• Reverse engineering with appropriate tools.
• Filtering: Access to sensitive data from a compromised machine.
• Chaos: Destructive instructions.
• Recon: Support in the reconnaissance phase of a penetration test.

Local installation with install modules might activate your virus scanner, so you should unblock any ZIP files you download from the GitHub repository; otherwise loading additional modules fails (Figure 1).

Figure 1: To download further modules, the download block must be deactivated for ZIP files.

By combining applications like AppLocker, rigid access restrictions, and PowerSploit cmdlets, you can find an optimal configuration that makes it possible to strike a balance between functionality and security. The field of application is therefore primarily simulated attacks on remote computers.

The Invoke-Shellcode function injects executable statements into the context of running applications by selecting the host process with the process ID. An assignment of processes and process IDs is easy to implement with:

> Get-Process | Select-Object -Property name, ID

PowerSploit expects a list of bytes in the form 0xXX,0xXX,0xXX,0xXX . The Backtrack toolset is helpful for generating the correct format:

> msfpayload windows/exec CMD="cmd /k calc" EXITFUNC=thread C | sed '1,6d;s/[";]//g;s/\\/,0/g' | tr -d '\n' | cut -c2-

This command string correctly prepares the -Shellcode parameter value. When passed to -Shellcode without specifying a process ID, the Invoke-Shellcode cmdlet starts the machine in the process space of the current PowerShell.

Finding Unknown Shares

Network shares that are not inventoried, whose permissions structure is obsolete and point to users who are no longer active in the company, are a security problem. Documenting the existing shares is a necessary first step toward cleaning up the existing structure and a conceptual new beginning.

The Invoke ShareFinder function from PowerSploit is very helpful for this objective. It uses the Get-NetDomain cmdlet to find the local domain name for a host and asks the domain for all active hosts (with the Get-NetComputer cmdlet). Each server lists active shares when queried by the Get-NetShare cmdlet.

Secure Passwords

PowerSploit's Invoke-Mimikatz exploit function lets you extract plain text credentials from memory, password hashes from local SAM/NTDS.dit databases, advanced Kerberos features, and more. The Mimikatz codebase in PowerSploit is slightly modified compared with the original; it runs only in memory and leaves no traces on the hard drive.