
PowerShell for Pentesters

Premium room

This room covers the principal uses of PowerShell in penetration tests. Interacting with files, scanning the network and system enumeration are covered.

medium

20 min


Whether you have direct shell access and try to live off the land or use a command and control infrastructure such as Covenant, PowerShell is a powerful tool to master. This section will cover the basics of PowerShell that will be useful in any engagement. If you do not feel comfortable using PowerShell, please consider revisiting the “Hacking with PowerShell” room.


As you have probably noticed, most of the command-line portions of penetration test training focus on using Linux. However, most systems used within a corporate environment are Windows; thus, it is important that the Red Team member feels at home in both operating systems.


There are several scripts useful in penetration tests, such as PowerView and Nishang; however, please remember these two points about them:

1) They are detected by most antivirus software

2) They are detected by most antivirus software


Below is a simple test run with the free version of AVG antivirus. As you can see, the “Get-ComputerDetails.ps1” script, which is part of PowerSploit, has been detected.






So, if you dream of connecting to a target machine on a corporate network and instantly being able to fire up PowerSploit or Nishang, this might not always be the case. There will, of course, be situations where these scripts will run and be very useful, but do not take them for granted.


On the other hand, being able to use PowerShell will give you the power of an object-oriented programming language readily available on the target platform.


Before moving forward, take time to complete the “Hacking with PowerShell” room.


You can connect to the target using SSH with the following credentials:

Username: walter

Password: Kowacs123!

You can then type "powershell" to access PowerShell.


Is this realistic?

This user simulates you, an attacker, having shell access to the target. As you know, this may be achieved by exploiting an existing vulnerability on the host or through a vulnerability in a web application.

Answer the questions below
What useful PowerShell script did you find on Walter's desktop?