PowerSploit is a set of Microsoft PowerShell modules that can be utilized to help penetration testers during all phases of an assessment.
Disclaimer: This tool is for educational purposes only. Any use of this tool without client consent is illicit. Securityloops will not be responsible for any misuse of this tool.
PowerSploit comprises the following modules and scripts:
Execute code on a target machine.
- Invoke-DllInjection: Injects a DLL into the process ID of your choosing.
- Invoke-ReflectivePEInjection: Reflectively loads a Windows PE file (DLL/EXE) into the PowerShell process, or reflectively injects a DLL into a remote process.
- Invoke-Shellcode: Injects shellcode into the process ID of your choosing or within PowerShell locally.
- Invoke-WmiCommand: Executes a PowerShell ScriptBlock on a target computer and returns its formatted output using WMI as a C2 channel.
Modify and/or prepare scripts for execution on a compromised machine.
- Out-EncodedCommand: Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
- Out-CompressedDll: Compresses, Base-64 encodes, and outputs generated code to load a managed DLL in memory.
- Out-EncryptedScript: Encrypts text files/scripts.
- Remove-Comments: Strips comments and extra whitespace from a script.
Add persistence capabilities to a PowerShell script.
- New-UserPersistenceOption: Configure user-level persistence options for the Add-Persistence function.
- New-ElevatedPersistenceOption: Configure elevated persistence options for the Add-Persistence function.
- Add-Persistence: Add persistence capabilities to a script.
- Install-SSP: Installs a security support provider (SSP) DLL.
- Get-SecurityPackages: Enumerates all loaded security packages (SSPs).
AV does not stand a chance against PowerShell!
- Find-AVSignature: Locates single-byte AV signatures using the same method as DSplit from "class101".
All your data belong to me!
- Invoke-TokenManipulation: Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
- Invoke-CredentialInjection: Creates logons with clear-text credentials without triggering a suspicious Event ID 4648 (Explicit Credential Logon).
- Invoke-NinjaCopy: Copies a file from an NTFS partitioned volume by reading the raw volume and parsing the NTFS structures.
- Invoke-Mimikatz: Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided with Mimikatz.
- Get-Keystrokes: Logs keys pressed, time and the active window.
- Get-GPPPassword: Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
- Get-GPPAutologon: Retrieves the autologon username and password from registry.xml if pushed through Group Policy Preferences.
- Get-TimedScreenshot: A function that takes screenshots at a regular interval and saves them to a folder.
- New-VolumeShadowCopy: Creates a new volume shadow copy.
- Get-VolumeShadowCopy: Lists the device paths of all local volume shadow copies.
- Mount-VolumeShadowCopy: Mounts a volume shadow copy.
- Remove-VolumeShadowCopy: Deletes a volume shadow copy.
- Get-VaultCredential: Displays Windows vault credential objects, including cleartext web credentials.
- Out-Minidump: Generates a full-memory minidump of a process.
- Get-MicrophoneAudio: Records audio from the system microphone and saves it to disk.
Cause general mayhem with PowerShell.
- Set-MasterBootRecord: Proof-of-concept code that overwrites the master boot record with the message of your choice.
- Set-CriticalProcess: Causes your machine to blue screen upon exiting PowerShell.
Tools to assist with escalating privileges on a target.
- PowerUp: Clearinghouse of common privilege escalation checks, along with some weaponization vectors.
Tools to help with the reconnaissance phase of a penetration test.
- Invoke-Portscan: Does a simple port scan using regular sockets, based (very) loosely on nmap.
- Get-HttpStatus: Returns the HTTP status codes and full URL for specified paths when provided with a dictionary file.
- Invoke-ReverseDnsLookup: Scans an IP address range for DNS PTR records.
- PowerView: PowerView is a series of functions that perform network and Windows domain enumeration and exploitation.
A set of dictionaries used to help with the reconnaissance phase of a penetration test. Dictionaries were taken from the following sources.
How to use PowerSploit?
- To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
- The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
- The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
- To use the module, type Import-Module PowerSploit
- To see the commands imported, type Get-Command -Module PowerSploit
- If you are running PowerShell v3 and you would like to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you have placed PowerSploit into your module path, run the following one-liner, which walks every module directory and unblocks the PowerSploit files found there: $Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) { Get-ChildItem $_ -Recurse | Unblock-File } }
- For assistance on each individual command, Get-Help is your friend.
Note: The tools contained within this module were all designed such that they can be run individually. Including them in a module merely lends itself to increased portability.
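The installation steps above, carried out as one script. This is an added example and not part of the PowerSploit project: it copies the extracted folder into the first entry of $Env:PSModulePath (the per-user path), unblocks the copied files the same way the one-liner does but scoped to that folder only, then imports the module and returns the commands it exposes so the install can be verified. The function name Install-PowerSploitModule and the source folder path are assumptions for this example.

```powershell
# Added example (not PowerSploit's own code): install, unblock and verify the module.
# Assumptions: the extracted PowerSploit folder path is passed in as -SourceFolder;
# the per-user module path is the first entry of $Env:PSModulePath.
function Install-PowerSploitModule {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$SourceFolder,
        # Default to the per-user module directory listed first in $Env:PSModulePath
        [string]$ModuleRoot = ($Env:PSModulePath -split ';')[0]
    )

    if (-not (Test-Path -LiteralPath $SourceFolder -PathType Container)) {
        throw "Source folder not found: $SourceFolder"
    }

    # The folder name must equal the module name for Import-Module to resolve it by name
    $destination = Join-Path $ModuleRoot 'PowerSploit'
    New-Item -ItemType Directory -Path $destination -Force | Out-Null
    Copy-Item -Path (Join-Path $SourceFolder '*') -Destination $destination -Recurse -Force

    # Same effect as the README one-liner, limited to the files just copied:
    # remove the Zone.Identifier mark that causes the "downloaded from the Internet" prompt
    Get-ChildItem -LiteralPath $destination -Recurse -File | Unblock-File

    # Import by name and hand back the exported commands so the caller can verify the result
    Import-Module -Name 'PowerSploit' -Force -ErrorAction Stop
    $commands = Get-Command -Module 'PowerSploit'
    Write-Verbose ("Imported {0} commands from {1}" -f $commands.Count, $destination)
    return $commands
}

# Usage (assumes the download was extracted to .\PowerSploit in the current directory):
# Install-PowerSploitModule -SourceFolder (Join-Path $PWD 'PowerSploit') -Verbose |
#     Select-Object Name, CommandType | Format-Table
```

Running the copy with -Force means re-running the function after updating the source folder overwrites the installed copy in place; pass -ModuleRoot explicitly to install into the computer-level path instead, which requires an elevated session.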