PenTest: PowerShell for penetration testing

Dear PenTest Readers,

We would like to proudly present you the newest issue of PenTest. We hope that you will find many interesting articles inside the magazine and that you will have time to read all of them.

We are really counting on your feedback here!

In this issue we discuss the tools and methods that you can find useful while using PowerShell. You can read about privilege escalation with PowerShell and about ICMP Tunneling. There are few articles presenting the power of PowerShell.

Enjoy your reading,
Anna Kondzierska & PenTest Team

If you would like to learn more about PowerShell Programming for Pentesters join our online course: https://pentestmag.com/course/powershell-programming-for-pentesters-w29/

Table of Contents

PS RECON Live Forensics Data Acquistition

by Greg Foss

Live incident response and forensic data acquisition is often a very manual and time consuming process that leaves significant room for error and can even result in the destruction of evidence. There are many people involved when investigating an incident, which makes process consistency difficult. Often, when retrieving a system, evidence can be tampered with and altered in the short time frame between the identification of an issue and the interception of the suspected host or user. For this reason, electronic evidence can sometimes be thrown out of a court of law due to possible tampering or inability to show proof.

0wning the forest with PowerShell and Empire

by Guglielmo Scaiola

In the last few years, the approach to security is changing, the idea that “my IT infrastructure is not penetrable” and “my network has never been 0wned” is changing to the new approach named “Assume Breach”. In this approach, the logic is that I assume my network was hacked (or hackable). If my network was hacked, the only way to save my data is the in depth defense. Also, the methodology used in PenTest is changing; the idea is to emulate, wherever possible, the behavior of Sysadmin, so any activity executed by the pentester can be more stealthy. To do this, in Windows hosts, the better way was to use PowerShell. PowerShell in post-exploitation can be very stealthy, can easily bypass antivirus and can be hard to detect in postmortem analysis.

In this article, I will try to show how to use PowerShell in post-exploitation, when the attack starts from a Linux box, using a new tool named Empire.

Inspecting Windows Remoting

by Mohammed Tanveer

Today, let’s talk about one of coolest features of PowerShell -Windows Remote Management (WinRM), which became available from Version 2.0. I am assuming most of us are already familiar with this topic, establishing remote connections and exercising commands, such as Enter-PsSession, Get-PsSession etc. In case you are not, I am covering the basics around it and you can follow along.

Threat Inteligence and Response

by Ronan Dunne & Anthony Caldwell

The commercialization of malware has made the job of the security professional difficult and reports indicate that malicious users will progressively shift their focus to exploits involving more sophisticated malware delivery mechanisms in the near future (Sophos, 2015a; TrendMicro, 2015). Released by Microsoft in 2006, PowerShell simplifies and automates the management of many systems using the .NET Framework for taking control of the Windows environment. It is used in security as an integration tool which can coordinate resources to isolate and identify the source of potential malware. This article focuses on howthe security professional uses PowerShell in the detection of malware and the subsequent process of containment and remediation.

ICMP Tunneling

by Dhaval Kapil

ICMP Tunneling establishes a virtual connection between two remote systems(client and proxy machines). This virtual connection sends only ping echo and reply packets. All of the IP traffic(HTTP, DNS, SSH) on one machine(client) is tunneled to the other machine(server) which forwards the traffic to the internet. The response is returned back to the client using this tunnel. This allows a remote machine to operate on any protocol in the IP stack while sending and receiving only ICMP ping packets. Use cases involve bypassing firewalls, captive portals and establishing a secure encrypted connection between two machines.

Reveal Windows Memory Credentials

by Mayur Agnihotri

The purpose of this script is to make a proof of concept of how to retrieve Windows credentials withmPowerShell and CDB Command-Line Options (Windows Debuggers). It allows one to retrieve credentials from Windows 2003 to 2012 and Windows 10 (it was tested on 2003, 2008r2, 2012, 2012r2 and Windows 7 – 32 and 64 bits, Windows 8 and Windows 10 Home edition).

(This article is related to Computer Security and I do not promote hacking / cracking / software piracy.)

Power of Manual Penetration Testing

by Syed Fahd Azam & Adeel Imtiaz

Manual penetration testing; an art claimed by many but, in actuality, possessed by very few genuine artists. There are very few pen testers who can identify security flaws within systems through manual techniques while most of the testers rely heavily on tools. Analyzing and thinking about the way hackers can exploit to disrupt services or gain access to the data contained within the information systems is a difficult task. Penetration testing tools can identify vulnerabilities and facilitate in reconnaissance that are generally based on certain patterns against which its signatures are updated.

Privilege escalation using PowerShell

by Shaikh Hashim

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions. We will be using the famous Kitrap0d exploit for privilege escalation. This exploit can be used on various OS such as Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008,and Windows 7.

Network Information Gathering

by Bruno Rodrigues

As an ethical hacker, there’s nothing more relevant for our job than direct access to a scripting language. Of course, we all know that there are plenty out there, one of my favourites would be Python, but if you find yourself in a situation where you need to gain access to one of the Windows hosts in the organisation (maybe using Metasploit) and you only have PowerShell access, you might be out of chances. This article is for you.

The POWER of PowerShell

by Sam Vega

PowerShell is quickly becoming a must-know language. In Windows 8.1, there are certain tasks you can only accomplish through PowerShell, such as permanently remove the Metro Apps instead of staging them for newly created profiles. I enjoy using the pipeline to write oneliners and finding different ways to accomplish the same task but this article will not be on that. This is Pentest Magazine! Let’s think offensive PoSh (PowerShell). There are various post exploitation frameworks available for PoSh: Empire, PowerSploit, Veil Framework, Posh-SecMod, Nishang to name a few. I would advise you to research those frameworks further. They are excellent frameworks written by talented individuals. With that said, I thought my article should focus on using the native PoSh environment as the attack vector with limited use of external frameworks.

If you are not a subscriber and want to buy this magazine click here