
Powershell Automation Basics - Part 1

Pentest Notes: PowerShell Automation - Basics

These notes cover PowerShell automation for penetration testing, focusing on practical applications and techniques.

What is PowerShell?

A scripting language and command-line shell built on .NET (the .NET Framework for Windows PowerShell 5.1, .NET Core/.NET for PowerShell 7), deeply integrated with Windows. It is the standard tool for Windows administration and automation, and the same properties that make it useful to administrators make it valuable to pentesters.

Why PowerShell for Pentesting?

  • Native to Windows: Windows PowerShell 5.1 ships with every supported Windows version, so nothing has to be dropped on a target to get a full scripting runtime.
  • Object-oriented: Cmdlets pass typed .NET objects down the pipeline, so output can be filtered and reshaped by property instead of parsed as text.
  • Access to .NET: Any .NET class (sockets, crypto, Win32 interop via P/Invoke) can be called directly from a script.
  • Remoting capabilities: Commands run on remote systems over WinRM (TCP 5985/5986) with Invoke-Command and Enter-PSSession.
  • Runs inside a trusted, signed Microsoft binary: powershell.exe is often allow-listed where unsigned executables are blocked, so script-based tradecraft can run in environments that stop dropped binaries. Execution policy is a convenience setting, not a security boundary, and is trivially bypassed (see below).

Basic Syntax

  • Cmdlets: Commands in PowerShell (e.g., Get-Process, Get-Service, Get-ChildItem).
  • Pipes (|): Used to chain cmdlets, passing the output of one cmdlet as input to the next.
  • Objects: PowerShell works with objects, not just text.
  • Variables: Prefixed with $ (e.g., $process = Get-Process); the variable holds the returned objects, not their printed text, so properties remain accessible ($process[0].Id).

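The following is an added example, not code from the original notes, showing the four syntax points together: the same process listing stored in a variable, filtered by property through the pipeline, and compared with the fragile text-grep alternative. The 100MB threshold is arbitrary.

```powershell
# Added example (not from the original notes): cmdlets return objects, and the
# pipeline passes those objects along, so you filter on properties, not on text.

# 1. Store the objects in a variable and inspect one of them.
$procs = Get-Process
$procs.Count                       # number of Process objects in the array
$procs[0].GetType().FullName       # System.Diagnostics.Process

# 2. Filter and shape through the pipeline. $_ is the current object.
#    The calculated property shows how to derive a new column from an existing one.
Get-Process |
    Where-Object { $_.WorkingSet64 -gt 100MB } |      # 100MB threshold is arbitrary
    Sort-Object WorkingSet64 -Descending |
    Select-Object -First 5 Name, Id,
        @{ Name = 'RSS_MB'; Expression = { [math]::Round($_.WorkingSet64 / 1MB) } }

# 3. Discover what a cmdlet returns before writing any parsing logic.
Get-Service | Get-Member -MemberType Property | Select-Object -First 5 Name, Definition

# 4. Object filter versus text grep. Both count running services, but only the
#    first one keeps the Service objects available for further work.
(Get-Service | Where-Object Status -eq 'Running').Count
(Get-Service | Out-String -Stream | Select-String 'Running').Count
```

The text-grep form breaks as soon as a service's display name happens to contain the word "Running" or the console width changes; the object form does not.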
Key Cmdlets for Pentesting

  • System Information Gathering:
    • Get-WmiObject / Get-CimInstance: Query WMI for detailed system information (OS version, hardware, installed software). Get-WmiObject exists only in Windows PowerShell 5.1 and earlier; Get-CimInstance is the replacement and works in both 5.1 and PowerShell 7.
    • Get-ComputerInfo: Provides a summary of computer information.
    • Get-Process: Lists running processes.
    • Get-Service: Lists services.
    • Get-LocalUser: Lists local users.
    • Get-NetIPAddress, Get-NetAdapter: Network information.
  • File System Interaction:
    • Get-ChildItem: Lists files and directories (equivalent to dir or ls).
    • New-Item: Creates files and directories.
    • Remove-Item: Deletes files and directories.
    • Get-Content: Reads file content.
    • Set-Content: Writes content to a file.
  • Networking:
    • Test-NetConnection: Checks network connectivity and port status (equivalent to ping or telnet).
    • Invoke-WebRequest: Sends HTTP requests (useful for web application testing).
  • Security:
    • Get-EventLog / Get-WinEvent: Retrieve event logs (useful for post-exploitation and log analysis). Get-EventLog reads only the classic logs (Application, System, Security) and is Windows PowerShell only; Get-WinEvent also reads the Applications and Services logs such as Microsoft-Windows-PowerShell/Operational and supports -FilterHashtable.
    • Get-Acl: Retrieves Access Control Lists (ACLs) for files, directories, and other objects.
  • Execution:
    • Invoke-Expression: Executes a string as a PowerShell command (use with caution due to security risks).
    • Start-Process: Starts a new process.
  • PowerShell Remoting:
    • Enabling Remoting: Enable-PSRemoting (requires local administrator rights; starts WinRM, creates the listener on TCP 5985, and adds a firewall rule). On Windows Server it is usually already enabled.
    • Connecting to Remote Systems: Enter-PSSession -ComputerName "hostname/IP" for an interactive session.
    • Executing Commands Remotely: Invoke-Command -ComputerName "hostname/IP" -ScriptBlock { "Commands" }; pass an array of names to -ComputerName to fan out to many hosts in parallel.
    • CredSSP: Delegates credentials for multi-hop scenarios (remote host A then connects to B as you). Caveat: CredSSP sends reusable plaintext credentials to the first hop, where they can be recovered from memory, so a compromised intermediate host yields your credentials. Prefer Kerberos resource-based constrained delegation where the environment allows it.
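The function below is an added example, not the notes' own code, that ties the cmdlets above into one host survey: OS facts via Get-CimInstance, local administrators, IPv4 addresses, recent interactive logons from the Security log, and a Get-Acl check for third-party service binaries that low-privileged principals can write to. The last part generalises the Get-Acl entry into a concrete check, and the command-line parsing, the principal list and the <target> hostname are assumptions to adjust per engagement.

```powershell
# Added example, not from the original notes. Get-CimInstance is used rather than
# Get-WmiObject so it runs on PowerShell 7 as well as 5.1. Reading the Security
# log and some ACLs needs local admin; those calls fail quietly otherwise.

function Get-HostSurvey {
    [CmdletBinding()]
    param()

    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem

    # Services whose binary lives outside \Windows\ are the ones worth reviewing
    # for weak ACLs: third-party software and custom agents.
    $thirdParty = Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -and $_.PathName -notmatch '\\Windows\\' }

    # Resolve the executable from the service command line and ask who may write
    # to it. A writable service binary is a classic privilege-escalation path.
    # Assumption: quoted paths are taken verbatim; unquoted paths are cut at the
    # first space, so an unquoted path with spaces is skipped (Test-Path fails).
    $writable = foreach ($svc in $thirdParty) {
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        if (-not (Test-Path -LiteralPath $exe)) { continue }
        $acl = Get-Acl -LiteralPath $exe -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        $loose = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -match 'Everyone|Authenticated Users|BUILTIN\\Users' -and   # assumed list
            $_.FileSystemRights -match 'Write|Modify|FullControl'
        }
        if ($loose) {
            [pscustomobject]@{ Service = $svc.Name; Path = $exe; Principal = ($loose.IdentityReference -join ', ') }
        }
    }

    [pscustomobject]@{
        Host                    = $env:COMPUTERNAME
        OS                      = "$($os.Caption) $($os.Version)"
        Domain                  = $cs.Domain
        LastBoot                = $os.LastBootUpTime
        LocalAdmins             = (Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue).Name
        IPv4                    = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -ne '127.0.0.1' }).IPAddress
        WritableServiceBinaries = $writable
        # 4624 = successful logon; Properties[5] is TargetUserName. Needs admin.
        RecentLogonUsers        = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 50 -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Properties[5].Value } | Sort-Object -Unique
    }
}

# Local run.
Get-HostSurvey | Format-List

# Remote run: the function body is shipped inside the script block, so nothing
# has to be installed on the target. '<target>' is a placeholder hostname.
$cred = Get-Credential
Invoke-Command -ComputerName '<target>' -Credential $cred -ScriptBlock ${function:Get-HostSurvey} | Format-List
```

`${function:Get-HostSurvey}` returns the function's script block, which is the simplest way to run locally defined code on a remote host without copying a file. Note that the output of a remote Invoke-Command is deserialised: you get property bags, not live objects, so do any method calls on the remote side.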

Exploitation Techniques

  • Bypassing Execution Policies (execution policy is not a security boundary; Microsoft documents it as a safety feature for users, not a control against attackers):
    • Set-ExecutionPolicy Bypass -Scope Process: Changes the policy for the current process only, needs no admin rights, and writes nothing to the registry.
    • powershell.exe -ExecutionPolicy Bypass -File script.ps1, or piping the script into powershell.exe on stdin, achieves the same from a command line.
    • Encoding/Obfuscation: -EncodedCommand takes a Base64 string of the UTF-16LE script; obfuscation defeats signature matching on the raw script but not Script Block Logging, which records the de-obfuscated code at execution time.
  • Credential Dumping:
    • Mimikatz: A powerful tool for extracting credentials from memory (often used with PowerShell).
    • PowerShell scripts for extracting credentials from LSASS.
  • Lateral Movement:
    • Using PowerShell Remoting and credential theft to move between systems within a network.
    • Web Shells: Deploying web shells using PowerShell for persistent access.
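The following is an added example, not code from the original notes. It shows the process-scoped policy bypass, the command-line equivalent, and the exact encoding that -EncodedCommand expects, with a decoder that is also what an analyst runs against a suspicious command line found in logs. The script path is a placeholder.

```powershell
# Added example, not from the original notes.

# 1. Process-scoped bypass: only this PowerShell process is affected, nothing is
#    written to the registry, no admin rights needed.
Set-ExecutionPolicy -ExecutionPolicy Bypass -Scope Process -Force
Get-ExecutionPolicy -List            # Process = Bypass, the other scopes unchanged

# 2. The same from cmd.exe, a scheduled task or a service, without touching any
#    policy at all (C:\path\to\script.ps1 is a placeholder):
#    powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\path\to\script.ps1

# 3. Build an -EncodedCommand. The bytes must be UTF-16LE ("Unicode" in .NET),
#    not UTF-8; using the wrong encoding yields a garbage command on the target.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Encoded)
    [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Encoded))
}

$enc = ConvertTo-EncodedCommand -Command 'Get-Process | Select-Object -First 3 Name, Id'
"powershell.exe -NoProfile -EncodedCommand $enc"

# Round-trip check; the decoder is the same thing a defender does with a
# suspicious -EncodedCommand / -enc argument seen in process-creation events.
ConvertFrom-EncodedCommand -Encoded $enc

# 4. Reality check: none of the above hides the script. When it runs, the decoded
#    text is written to event 4104 (Microsoft-Windows-PowerShell/Operational) if
#    Script Block Logging is on, and the command line itself lands in 4688/Sysmon 1.
```

The decoder handles only the plain Base64/UTF-16LE layer; payloads that stack further string manipulation on top (the Invoke-Obfuscation style) still have to be unwound, but the final script block is what event 4104 records.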

Defense Evasion

  • Obfuscation: Encoding, string concatenation, tick marks, case randomisation and similar tricks to defeat signature matching on the raw script. They do not hide the code from Script Block Logging, which records the final de-obfuscated script block.
  • AMSI (Antimalware Scan Interface) Bypass: AMSI hands script content to the installed AV engine before it runs; bypass techniques aim to disable or blind that hook in the current process. Attempts to patch or unload AMSI are themselves detectable and commonly signatured.
  • Logging and Monitoring Evasion: Techniques to reduce what reaches Script Block Logging, Module Logging, transcription and the PowerShell ETW provider, or to avoid powershell.exe entirely by hosting the runtime in another process.

Resources and Tools

  • PowerSploit: A collection of PowerShell modules for penetration testing.
  • Nishang: Another collection of PowerShell scripts and modules for offensive security.
  • Invoke-Obfuscation: A PowerShell obfuscation framework.
  • Empire: A post-exploitation framework that uses PowerShell agents.
  • PSAttack: PowerShell Attack Framework.

Best Practices

  • Code Review: Review PowerShell scripts before executing them, especially anything downloaded or handed to you on an engagement.
  • Principle of Least Privilege: Run commands with the minimum necessary privileges; avoid using domain-admin credentials for routine remoting.
  • Logging and Monitoring: Enable Script Block Logging (event 4104), Module Logging (4103) and transcription, and forward the Microsoft-Windows-PowerShell/Operational log to a SIEM so that decoded script content is available for detection.
  • Constrained Language Mode: Restricts PowerShell to a safe subset (no arbitrary .NET type access, no Add-Type, no COM). It is only meaningful when enforced by an application-control policy (WDAC or AppLocker script rules); set by hand, a user can simply start a new FullLanguage session.
  • Application Control: Allow-listing PowerShell scripts and modules with WDAC or AppLocker, which is also what puts PowerShell into Constrained Language Mode on that host.
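The following is an added example, not the notes' own code, covering the defensive side of the evasion and logging points above: it sets the registry values that the Script Block Logging and Module Logging GPOs write, then hunts the operational log for the patterns the evasion section relies on. The keyword list is an assumption to tune per environment; the script needs local administrator rights.

```powershell
# Added example, not from the original notes. Requires admin.

# 1. Enable logging. These are the same keys the "Turn on PowerShell Script Block
#    Logging" / "Turn on Module Logging" policies write under Computer Configuration.
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'
New-Item -Path "$base\ScriptBlockLogging" -Force | Out-Null
Set-ItemProperty -Path "$base\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 -Type DWord
New-Item -Path "$base\ModuleLogging\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path "$base\ModuleLogging" -Name EnableModuleLogging -Value 1 -Type DWord
Set-ItemProperty -Path "$base\ModuleLogging\ModuleNames" -Name '*' -Value '*'     # log every module

# 2. Hunt. Event 4104 carries the de-obfuscated script block text in Properties[2],
#    so obfuscation applied before execution does not help the attacker here.
function Find-SuspiciousScriptBlock {
    param(
        [int]$MaxEvents = 2000,
        [string[]]$Patterns = @(                                   # assumed starter list; tune it
            'FromBase64String', '-EncodedCommand', '-enc\b', 'Invoke-Expression', '\biex\b',
            'DownloadString', 'Net\.WebClient', 'AmsiUtils', 'amsiInitFailed',
            'Invoke-Mimikatz', 'sekurlsa', 'Invoke-Obfuscation', '\[char\]\s*\d+'
        )
    )
    $regex = $Patterns -join '|'
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $text = [string]$_.Properties[2].Value
            if ($text -match $regex) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Hit     = $Matches[0]
                    Snippet = $flat.Substring(0, [math]::Min(120, $flat.Length))
                }
            }
        }
}

Find-SuspiciousScriptBlock | Format-Table -AutoSize

# 3. Is this session actually constrained? "FullLanguage" means nothing restricts it;
#    "ConstrainedLanguage" only holds if an application-control policy enforces it.
$ExecutionContext.SessionState.LanguageMode
```

Even without the policy enabled, Windows writes Warning-level 4104 events for script blocks that match its built-in suspicious-content list, so the hunt is worth running on hosts where logging was never configured.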

Example Snippets

  • Get System Info:
    Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, BuildNumber
    (Get-WmiObject Win32_OperatingSystem works the same way but only in Windows PowerShell 5.1 and earlier.)
  • Check Port:
    Test-NetConnection -ComputerName <IP/Hostname> -Port <Port>
  • Download File:
    Invoke-WebRequest -Uri <URL> -OutFile <LocalPath>

Conclusion

PowerShell is a powerful tool for penetration testing. Understanding its capabilities and limitations is essential for both offensive and defensive security. These notes provide a starting point for learning PowerShell automation for pentesting. Continuous learning and practice are key to mastering this valuable skill.

Practice these techniques only in a lab or on systems you are authorised to test.
