Unleash the PowerShell Ninja: Pentesting and Breach Hunting Like a Pro
Engineers, sharpen your scripting skills! PowerShell isn’t just for managing systems; it’s a potent weapon in your pentesting arsenal. This ubiquitous tool, pre-installed on most Windows machines, offers unique advantages for uncovering vulnerabilities and hunting breaches.
Why PowerShell for Pentesting?
- Ubiquity: It’s everywhere, bypassing traditional security measures that block external tools.
- Native Integration: Seamless access to Active Directory, file systems, and system internals.
- Scripting Power: Automate repetitive tasks, gather evidence efficiently, and deploy custom exploits.
- Stealthy Execution: Often overlooked by security software, enabling covert operations.
Unveiling the Darkness:
- Recon and Enumeration: Gather system information, user accounts, and open shares.
- Vulnerability Scanning: Leverage built-in cmdlets and community-built modules to identify weaknesses.
- Privilege Escalation: Exploit misconfigurations and known vulnerabilities to gain higher access.
- Lateral Movement: Navigate the network, hopping between systems to expand your foothold.
- Data Exfiltration: Extract sensitive information discreetly using PowerShell’s file transfer capabilities.
Remember:
- Ethical Hacking: Always obtain proper authorization before conducting pentesting activities.
- Beyond Basics: This is just a glimpse. Explore advanced techniques like encoding, obfuscation, and PowerShell remoting.
- Community Power: Leverage the wealth of open-source scripts and modules available online.
Empower Yourself:
Mastering PowerShell for pentesting equips you to:
- Proactively identify and address security risks in your own environment.
- Think like an attacker, enhancing your defensive strategies.
- Become a valuable asset in ethical hacking engagements.
Start your journey today! With dedication and practice, you’ll transform from an engineer into a true PowerShell ninja, ready to uncover the hidden vulnerabilities lurking in your systems.
Port scan a host for interesting ports
Here’s how to quickly port scan a specified IP address (127.0.0.1) for 39 selected interesting ports:
```powershell
# Space-separated list of commonly interesting TCP ports
$ports = "21 22 23 25 53 80 88 111 139 389 443 445 873 1099 1433 1521 1723 2049 2100 2121 3299 3306 3389 3632 4369 5038 5060 5432 5555 5900 5985 6000 6379 6667 8000 8080 8443 9200 27017"
# Target host
$ip = "10.10.15.232"
# Try a TCP connect to each port; a failed Connect() throws, and 2>$null hides that error,
# so only successful connections print the "Port ... is open" line
$ports.split(" ") | % {echo ((new-object Net.Sockets.TcpClient).Connect($ip,$_)) "Port $_ is open on $ip"} 2>$null
```
This gives us quick situational awareness about a particular host on the network using nothing but pure PowerShell.
Port scan a network for a single port (port-sweep)
This could be useful, for example, for quickly discovering SSH interfaces (port tcp/22) on a specified Class C subnet (10.10.0.0/24):
```powershell
# Port to sweep for
$port = 22
# Network prefix; the last octet is filled in by the loop
$net = "10.10.0."
# Try every host in the /24; connection errors are discarded with 2>$null,
# so only hosts accepting the connection are reported
0..255 | foreach { echo ((new-object Net.Sockets.TcpClient).Connect($net+$_,$port)) "Port $port is open on $net$_"} 2>$null
```
If you are trying to identify only Windows systems, change the port to 445.
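The two one-liners above rely on the default connect timeout, which can make a sweep of filtered hosts very slow. The following added example (not part of the original post) wraps the same TCP connect check in a function with an explicit timeout and returns objects, so the same helper serves both the single-host port scan and the single-port sweep. The target address and network prefix are placeholders; the port list is the one from the post.

```powershell
# Added example: TCP connect check with a timeout, returned as objects
# so results can be filtered, sorted or exported. Addresses are placeholders.

function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # ConnectAsync + Wait gives a bounded wait instead of the long default timeout
        $task = $client.ConnectAsync($ComputerName, $Port)
        $open = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        # A refused or failed connection surfaces as an exception from Wait()
        $open = $false
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Target = $ComputerName; Port = $Port; Open = $open }
}

# Single host, the same 39 ports as in the post (placeholder address)
$ports = 21,22,23,25,53,80,88,111,139,389,443,445,873,1099,1433,1521,1723,2049,2100,2121,
         3299,3306,3389,3632,4369,5038,5060,5432,5555,5900,5985,6000,6379,6667,8000,8080,
         8443,9200,27017
$ip = "10.10.15.232"
$ports | ForEach-Object { Test-TcpPort -ComputerName $ip -Port $_ } | Where-Object Open

# Port sweep: one port across a /24, host part 1..254 (skips network and broadcast)
$net = "10.10.0."
1..254 | ForEach-Object { Test-TcpPort -ComputerName ($net + $_) -Port 22 } | Where-Object Open
```

Because each result is an object, `| Export-Csv` or `| Where-Object Port -eq 445` works directly on the output, which is handy when the scan is part of an inventory of your own exposed services.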
Set MAC address from command-line
Sometimes it can be useful to set the MAC address on a network interface, and with PowerShell we can do it without any 3rd party utility:
```powershell
# Requires an elevated shell; the adapter is briefly reset when the address changes
Set-NetAdapter -Name "Ethernet0" -MacAddress "00-01-18-57-1B-0D"
```
This can be useful e.g. when we are testing for NAC (network access control) bypass and other things.
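When changing a MAC address during a test it is worth recording the original value first so the interface can be put back exactly as it was. The following added example (not part of the original post) does that around the same `Set-NetAdapter` call; the adapter name and addresses are placeholders.

```powershell
# Added example: change a MAC address and keep the original so it can be restored.
# Run from an elevated shell; adapter name and addresses are placeholders.
$adapterName = "Ethernet0"

# Record the current address before touching anything
$originalMac = (Get-NetAdapter -Name $adapterName).MacAddress
"Original MAC on $adapterName is $originalMac"

# Apply the test address (-Confirm:$false suppresses the interactive prompt)
Set-NetAdapter -Name $adapterName -MacAddress "00-01-18-57-1B-0D" -Confirm:$false
"Now: " + (Get-NetAdapter -Name $adapterName).MacAddress

# ... testing happens here ...

# Restore the recorded address when done
Set-NetAdapter -Name $adapterName -MacAddress $originalMac -Confirm:$false
"Restored: " + (Get-NetAdapter -Name $adapterName).MacAddress
```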
Search registry for auto-logon credentials
Windows systems can be configured to auto login upon boot, which is for example used on POS (point of sale) systems. Typically, this is configured by storing the username and password in a specific Winlogon registry location, in clear text.
The following command will get the auto-login credentials from the registry:
```powershell
# gp is an alias for Get-ItemProperty; "Default*" matches DefaultUserName,
# DefaultDomainName and DefaultPassword
gp 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon' | select "Default*"
```
Check if AlwaysInstallElevated is enabled
If the following AlwaysInstallElevated registry keys are set to 1, it means that any low privileged user can install *.msi files with NT AUTHORITY\SYSTEM privileges. Here’s how to check it with PowerShell:
```powershell
# Check the per-user and the machine-wide policy; gp errors if the value does not exist,
# which simply means the policy is not set
gp 'HKCU:\Software\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated
gp 'HKLM:\Software\Policies\Microsoft\Windows\Installer' -Name AlwaysInstallElevated
```
Note that both registry values have to be set to 1 in order for this to work.
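Both of the registry checks above (the Winlogon auto-logon credentials and the AlwaysInstallElevated policy) error out when a key or value is simply absent, and the auto-logon check prints the stored password to the console. The following added example (not part of the original post) reads the same locations with `-ErrorAction SilentlyContinue`, treats "missing" as "not set", reports whether a clear-text password is present without echoing it, and applies the "both must be 1" rule from the post. Function names are my own.

```powershell
# Added example: audit the two registry locations described in the post and
# return findings as objects. Missing keys/values are treated as "not set".

function Get-AutoLogonStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoAdminLogon       = ($p.AutoAdminLogon -eq '1')
        DefaultUserName      = $p.DefaultUserName
        DefaultDomainName    = $p.DefaultDomainName
        # Report presence only; the value itself is never written to the console
        ClearTextPasswordSet = -not [string]::IsNullOrEmpty($p.DefaultPassword)
    }
}

function Get-AlwaysInstallElevatedStatus {
    $paths = @{
        HKCU = 'HKCU:\Software\Policies\Microsoft\Windows\Installer'
        HKLM = 'HKLM:\Software\Policies\Microsoft\Windows\Installer'
    }
    $set = @{}
    foreach ($hive in $paths.Keys) {
        # SilentlyContinue: a missing key or value means the policy is not configured
        $v = Get-ItemProperty -Path $paths[$hive] -Name AlwaysInstallElevated -ErrorAction SilentlyContinue
        $set[$hive] = ($null -ne $v -and $v.AlwaysInstallElevated -eq 1)
    }
    [pscustomobject]@{
        HKCU       = $set.HKCU
        HKLM       = $set.HKLM
        # Only meaningful when both hives are set to 1
        Vulnerable = ($set.HKCU -and $set.HKLM)
    }
}

Get-AutoLogonStatus
Get-AlwaysInstallElevatedStatus
```

Running both functions from a scheduled or remote job over a fleet gives a quick inventory of hosts where either misconfiguration needs remediation.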