In: Computer Science
What is the capability of Powersploit the PowerShell framework? What type of users would utilize the provided functionality? What are some examples of usage on a system?
PowerSploit
PowerSploit is an open-source, offensive Microsoft PowerShell toolkit that has been coded to help penetration testers in almost all phases of an assignment. It can help you perform reconnaissance and also help you to elevate your privileges and maintain access.
Capabilities of PowerSploit:
1. CodeExecution – Execute code on a target machine.
2. ScriptModification – Modify and/or prepare scripts for execution on a compromised machine.
3. Persistence – Add persistence capabilities to a PowerShell script.
4. AntivirusBypass – AV doesn't stand a chance against PowerShell!
5. Exfiltration – All your data belong to me!
6. Mayhem – Cause general mayhem with PowerShell.
7. Privesc – Tools to help with escalating privileges on a target, including PowerUp.
8. Recon – Tools to aid in the reconnaissance phase of a penetration test, including PowerView.
PowerSploit supports various functions that can be used to add persistence capability to a script.
It also implements various useful metafunctions, including some custom-written user-hunting functions which will identify where on the network specific users are logged into. It can also check which machines on the domain the current user has local administrator access on.
Invoke-UserHunter - finds machines on the local domain where specified users are logged into, and can optionally check if the current user has local admin access to found machines
Invoke-StealthUserHunter - finds all file servers utilized in user HomeDirectories, and checks the sessions on each file server, hunting for particular users
Invoke-ProcessHunter - hunts for processes with a specific name or owned by a specific user on domain machines
Invoke-UserEventHunter - hunts for user logon events in domain controller event logs
USAGE:
To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type: Import-Module PowerSploit
To see the commands imported, type: Get-Command -Module PowerSploit
If you're running PowerShell v3 and you want to remove the annoying 'Do you really want to run scripts downloaded from the Internet' warning, once you've placed PowerSploit into your module path, run the following one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) { Get-ChildItem $_ -Recurse | Unblock-File } }
PowerSploit makes use of PowerShell, due to its ability to perform a wide range of low-level tasks without the need to use malicious executables on the disk, evading antivirus products. Most scripts in PowerSploit are individual in nature, without the need of any external dependencies. This means that you do not have to download the complete PowerSploit framework on the remote machine.
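Because PowerSploit runs as in-memory PowerShell rather than as executables on disk, the practical place for a defender to see it is PowerShell script block logging (Event ID 4104), where the module and function names listed above appear in clear text. The following is an added example, not code from PowerSploit or from the original answer: it scans constructed sample log lines shaped like exported 4104 records for those names and reports which host and user they came from. The line format, host names, user names and timestamps are all assumptions made up for the example; a real deployment would feed it exported event log text instead.

```python
"""Flag PowerSploit module/function names in PowerShell script block log text.

Added example (not part of PowerSploit or the original answer). The log
format below is an assumption: one record per line, shaped as
    <timestamp> <host> <user> 4104 <script block text>
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Names taken from the answer text above (module, sub-modules, hunting functions).
POWERSPLOIT_INDICATORS = (
    "PowerSploit",
    "PowerUp",
    "PowerView",
    "Invoke-UserHunter",
    "Invoke-StealthUserHunter",
    "Invoke-ProcessHunter",
    "Invoke-UserEventHunter",
)

# One case-insensitive, word-bounded pattern for all indicators.
_INDICATOR_RE = re.compile(
    r"\b(?:" + "|".join(re.escape(i) for i in POWERSPLOIT_INDICATORS) + r")\b",
    re.IGNORECASE,
)
# Map whatever casing appears in the log back to the canonical name.
_CANONICAL = {i.lower(): i for i in POWERSPLOIT_INDICATORS}

# Assumed record layout; lines that do not fit it are skipped.
_RECORD_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<user>\S+)\s+4104\s+(?P<script>.*)$")

# Constructed sample input (not real telemetry).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z ws01 alice 4104 Get-ChildItem C:\\Users\\alice\\Documents
2024-01-01T10:00:05Z ws01 bob 4104 Import-Module PowerSploit
2024-01-01T10:00:09Z ws01 bob 4104 invoke-userhunter -UserName 'Domain Admins'
2024-01-01T10:01:00Z ws02 dave 4104 $Env:PSModulePath.Split(';') | % { if (Test-Path (Join-Path $_ PowerSploit)) { Get-ChildItem $_ -Recurse | Unblock-File } }
2024-01-01T10:02:00Z ws03 carol 4104 Get-Process | Where-Object { $_.CPU -gt 100 }
this line is not a 4104 record and is ignored
"""


@dataclass(frozen=True)
class Alert:
    """One script block record that contained at least one indicator."""
    timestamp: str
    host: str
    user: str
    matched: tuple[str, ...]  # canonical indicator names, sorted
    script: str


def scan_script_block_log(text: str) -> list[Alert]:
    """Return an Alert for every parsable record whose script text names PowerSploit."""
    alerts: list[Alert] = []
    for line in text.splitlines():
        rec = _RECORD_RE.match(line)
        if not rec:
            continue  # not in the assumed 4104 layout
        script = rec.group("script")
        hits = {_CANONICAL[m.lower()] for m in _INDICATOR_RE.findall(script)}
        if hits:
            alerts.append(Alert(rec.group("ts"), rec.group("host"), rec.group("user"),
                                tuple(sorted(hits)), script))
    return alerts


def summarize_by_host(alerts: list[Alert]) -> dict[str, int]:
    """Count alerts per host so a responder can see where to look first."""
    return dict(Counter(a.host for a in alerts))


if __name__ == "__main__":
    found = scan_script_block_log(SAMPLE_LOG)
    for a in found:
        print(f"{a.timestamp} {a.host} {a.user}: {', '.join(a.matched)} :: {a.script}")
    print("per host:", summarize_by_host(found))
```

The word-boundary match is deliberately strict: it catches the names exactly as the answer lists them (in any casing) but says nothing about renamed or obfuscated copies, so treat a hit as a high-confidence signal and the absence of hits as no signal at all. The third sample line also shows why the match ignores case, since PowerShell itself does.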