PowerSploit: PowerShell Post-Exploitation Framework

Last Release: 12/19/2015     Last Commit: 08/17/2020

PowerSploit is a collection of Microsoft PowerShell modules which can help the penetration tester during all phases of a penetration test.

These modules allow you to run scripts on the target machine, prepare scripts for execution on a target machine, add persistence capabilities to a PowerShell script, extract data from the target machine and aid the user in performing reconnaissance during the penetration test. PowerSploit consists of a total of 8 modules and 36 scripts to help the user in the post-exploitation phase.

Modules & Scripts:

CodeExecution

Execute code on a target machine.
– Invoke-DllInjection
– Invoke-ReflectivePEInjection
– Invoke-Shellcode
– Invoke-WmiCommand

ScriptModification

Modify and/or prepare scripts for execution on a compromised machine.
– Out-EncodedCommand
– Out-CompressedDll
– Out-EncryptedScript
– Remove-Comments

Persistence

Add persistence capabilities to a PowerShell script.
– New-UserPersistenceOption
– New-ElevatedPersistenceOption
– Add-Persistence
– Install-SSP
– Get-SecurityPackages

Exfiltration

All your data belongs to me!
– Invoke-TokenManipulation
– Invoke-CredentialInjection
– Invoke-NinjaCopy
– Invoke-Mimikatz
– Get-Keystrokes
– Get-GPPPassword
– Get-GPPAutologon
– Get-TimedScreenshot
– New-VolumeShadowCopy
– Get-VolumeShadowCopy
– Mount-VolumeShadowCopy
– Remove-VolumeShadowCopy
– Get-VaultCredential
– Out-Minidump
– Get-MicrophoneAudio

Mayhem

Cause general mayhem with PowerShell.
– Set-MasterBootRecord
– Set-CriticalProcess

Recon

Tools to aid in the reconnaissance phase of a penetration test.
– Invoke-Portscan
– Get-HttpStatus
– Invoke-ReverseDnsLookup
– PowerView

AntivirusBypass

AV doesn’t stand a chance against PowerShell!
– Find-AVSignature

Privesc

Tools to help with escalating privileges on a target.
– PowerUp
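As an added, defender-side example (not PowerSploit's own code and not from the original page): a small Python scanner that matches a subset of the function names listed above against PowerShell script block log records (event 4104) and also decodes one layer of -EncodedCommand, since the ScriptModification tools above produce encoded launchers. The 'EventID|ScriptBlockText' record format and the sample records are constructed for the demo.

```python
import base64
import re
# Indicator names copied from the module list above (a subset, for the demo).
POWERSPLOIT_FUNCTIONS = (
    "Invoke-DllInjection", "Invoke-ReflectivePEInjection", "Invoke-Shellcode",
    "Invoke-Mimikatz", "Get-Keystrokes", "Get-GPPPassword", "Invoke-Portscan",
)
_CANON = {name.lower(): name for name in POWERSPLOIT_FUNCTIONS}
_NAME_RE = re.compile("|".join(re.escape(n) for n in POWERSPLOIT_FUNCTIONS), re.IGNORECASE)
# powershell.exe -EncodedCommand / -enc / -e <base64 of a UTF-16LE script>
_ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)

def decode_encoded_command(text):
    """Return the decoded script of every -EncodedCommand argument found in text."""
    decoded = []
    for b64 in _ENC_RE.findall(text):
        try:
            decoded.append(base64.b64decode(b64, validate=True).decode("utf-16-le"))
        except (ValueError, UnicodeDecodeError):
            continue  # not a well-formed encoded command; leave it alone
    return decoded

def find_powersploit_functions(script_text):
    """Canonical PowerSploit names in a script block, also looking through one
    layer of -EncodedCommand (PowerShell command names are case-insensitive)."""
    hits = set()
    for layer in [script_text] + decode_encoded_command(script_text):
        hits.update(_CANON[m.group(0).lower()] for m in _NAME_RE.finditer(layer))
    return sorted(hits)

def scan_script_block_log(records):
    """Return (record_no, functions) for each 'EventID|ScriptBlockText' record
    that is a 4104 (script block logging) event naming a PowerSploit tool."""
    alerts = []
    for number, record in enumerate(records, 1):
        event_id, _, script = record.partition("|")
        if event_id.strip() != "4104":
            continue  # only script block events carry the script text
        found = find_powersploit_functions(script)
        if found:
            alerts.append((number, found))
    return alerts

# Constructed sample records (not real telemetry); record 3 is built here.
_ENC_DEMO = base64.b64encode("Invoke-Shellcode".encode("utf-16-le")).decode()
SAMPLE_LOG = [
    "4104|Get-ChildItem C:\\Temp",
    "4104|Import-Module PowerSploit; invoke-mimikatz",
    "4104|powershell.exe -NoP -W Hidden -Enc " + _ENC_DEMO,
    "4688|Invoke-Mimikatz",  # process-creation event, not a script block: skipped
]
```

Running scan_script_block_log(SAMPLE_LOG) flags records 2 and 3 only; a production rule would carry the full function list and feed real 4104 events from the Microsoft-Windows-PowerShell/Operational log.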

Features:

  • Allows the user to run scripts on the target system
  • Bypass anti-virus
  • Extract data from the target machine
  • Listen to the microphone of the target machine

Supported Platforms:

  • Linux
  • Windows

Requirements:

  • PowerShell

Install PowerSploit

Clone the GitHub repo:

$ git clone https://github.com/PowerShellMafia/PowerSploit.git

To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.

The default per-user module path is:

$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules

And the default computer-level module path is:

$Env:windir\System32\WindowsPowerShell\v1.0\Modules

Usage

To use the module, type the following in the PowerShell window:

Import-Module PowerSploit

To list imported commands type:

Get-Command -Module PowerSploit

For help on each command, run:

Get-Help

Note: Each tool within the module is designed in such a way that it can be run individually, which increases portability.

Trick: To remove the annoying ‘Do you really want to run scripts downloaded from the Internet’ warning, place the PowerSploit folder into your module path and run:

$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }

Note that this one-liner unblocks every file under each module directory that contains a PowerSploit folder, not only the files inside the PowerSploit folder itself.