As a penetration tester, learning how to use a CLI (Command Line Interface) is a necessary skill, as there are many times when an interactive interface such as Remote Desktop won’t be available. Starting with the standard Windows command prompt (cmd.exe) is a good start, but there are more advanced and feature-rich CLI interfaces, two of which are WMI (Windows Management Instrumentation) and PowerShell.
PowerShell is a command line interface and .NET scripting language that has been around since Windows 2003 as an optional add-on rather than part of the standard installation. Many system administrators use PowerShell to perform day-to-day tasks, and these same features can be used for Offensive Security as well. To access PowerShell, click on the Windows Start icon and type “powershell.exe”; you will see the following:
Go ahead and click on it.
Afterwards, you will see a blue prompt like the following:
The same commands from “cmd.exe” apply, but there are other nice features for those who are more familiar with Linux. An example of this is the ability to use the “ls” command: “ls” works in PowerShell but not in Command Prompt, as shown below:
PowerShell uses what are called cmdlets. Cmdlets are, in short, commands you can run to perform automated tasks. Example cmdlets include Get-NetAdapter, Get-Process, Get-ADUser and others. Cmdlet names follow a (Verb-Action) format. Cmdlets can be used to write PowerShell scripts (.ps1 files) or run directly from the PowerShell CLI, similar to what you would do from a command prompt. If you want to find out how to use a particular PowerShell cmdlet, you can put Get-Help before the cmdlet name, as seen below:
Using PowerShell for Offensive Security is where things get very interesting. There are many times during a penetration test when you cannot install tools on client systems and need to use only the features already available on the compromised system. This concept is called “Living off the land”, which in short means working with the cards you’re dealt. Many penetration testers would use Nmap to conduct a port scan, but you can perform the same thing using native PowerShell. You can run the following to perform a port scan using PowerShell:
foreach ($ip in 1..2) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.0.$ip}
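The one-liner above prints the full Detailed output for every host, which is hard to filter once the range grows. The following is an added example (not from the original post) that wraps the same Test-NetConnection call in a function returning one object per host and port, so results can be filtered with Where-Object or exported for the report. The 192.168.0 prefix, host range and port list are constructed lab values; Test-NetConnection itself ships with the NetTCPIP module on Windows 8.1 / Server 2012 R2 and later.

```powershell
# Added example, not from the original post. Wraps the page's Test-NetConnection loop
# in a function that returns one object per host/port. Prefix, hosts and ports are
# constructed lab placeholders.
function Test-TcpRange {
    param(
        [string]$Prefix = '192.168.0',   # constructed sample subnet prefix
        [int[]]$Hosts   = 1..2,
        [int[]]$Ports   = @(80, 443)
    )
    foreach ($h in $Hosts) {
        $target = "$Prefix.$h"
        foreach ($p in $Ports) {
            # -WarningAction SilentlyContinue hides the "TCP connect to ... failed"
            # warning; TcpTestSucceeded carries the result either way.
            $r = Test-NetConnection -ComputerName $target -Port $p -WarningAction SilentlyContinue
            [pscustomobject]@{
                Target = $target
                Port   = $p
                Open   = $r.TcpTestSucceeded
                Ping   = $r.PingSucceeded
            }
        }
    }
}

# Usage: show only open ports, then keep the complete result set as CSV
Test-TcpRange | Where-Object Open | Format-Table -AutoSize
Test-TcpRange | Export-Csv -NoTypeInformation -Path .\tcp-results.csv
```

Each Test-NetConnection call also sends an ICMP echo and performs a DNS lookup before the TCP connect, so this is slow and noisy compared with Nmap: every probe shows up as a separate outbound connection in host firewall and EDR telemetry, which is worth knowing from both sides of an engagement.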
You can also use WMI from PowerShell with the Get-WmiObject cmdlet, which is the PowerShell cmdlet for querying WMI.
During post exploitation, you may need to identify the Anti-Virus product or EDR (Endpoint Detection and Response) software that you may have to evade while conducting your post-exploitation activities. You can use WMI to identify the Anti-Virus product installed on the client system using a command like the following example:
Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct | Select-Object displayName
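Two caveats a practitioner will hit with the query above: the root\SecurityCenter2 namespace exists only on client Windows SKUs (it is absent on Windows Server, where the query simply errors), and Get-WmiObject is not available in PowerShell 7 and later. The following is an added example (not from the original post) that runs the same query through Get-CimInstance, handles the missing namespace, and also returns the productState field. The decoding of productState (middle hex byte 0x10 meaning real-time protection enabled, low byte 0x00 meaning definitions up to date) is the widely used but undocumented layout and is an assumption here, not something the original post states.

```powershell
# Added example, not from the original post. Same query as the page's Get-WmiObject
# line, written with Get-CimInstance so it also works in PowerShell 7+.
# productState decoding below follows the common undocumented layout (assumption).
function Get-AvProduct {
    $ns = 'root\SecurityCenter2'   # client SKUs only; not present on Windows Server
    try {
        $products = Get-CimInstance -Namespace $ns -ClassName AntiVirusProduct -ErrorAction Stop
    } catch {
        Write-Warning "Namespace $ns not available (server SKU or access denied): $_"
        return
    }
    foreach ($p in $products) {
        # productState is a 24-bit value; format as 6 hex digits for byte-wise inspection
        $hex = '{0:X6}' -f [int]$p.productState
        [pscustomobject]@{
            Name     = $p.displayName
            State    = $hex
            Enabled  = $hex.Substring(2, 2) -eq '10'   # assumption: 0x10 = RTP on
            UpToDate = $hex.Substring(4, 2) -eq '00'   # assumption: 0x00 = current
            Path     = $p.pathToSignedProductExe
        }
    }
}

Get-AvProduct | Format-Table -AutoSize
```

On a machine running Microsoft Defender the query returns "Windows Defender" even when a third-party product is registered and Defender is in passive mode, so the Enabled column is what tells you which product is actually active.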
Another common and very useful way to use PowerShell for Offensive Security is Invoke-Expression (IEX). IEX is an alias for the Invoke-Expression cmdlet within PowerShell. You can use Invoke-Expression to download arbitrary scripts from sites such as GitHub or other locations and run them on the compromised host. The following is an example of using IEX to run a PowerShell script called SessionGopher to gather sensitive information on the compromised machine:
PowerShell is also very useful when it comes to enumerating Active Directory. Common cmdlets such as Get-ADUser can be used to find out information about a particular user account on an Active Directory domain. Cmdlets such as the following example are useful for gathering this information:
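The download-and-run pattern just described is exactly what PowerShell script block logging was built to record: when it is on, the text of every script block PowerShell executes, including anything passed to Invoke-Expression, lands in the Microsoft-Windows-PowerShell/Operational log as event ID 4104, regardless of where the script came from. The following is an added example (not from the original post, and unrelated to SessionGopher) showing the policy key that turns the logging on and a query that pulls back recent 4104 events mentioning IEX or Invoke-Expression. Setting the key needs an elevated prompt; the 24-hour window is an arbitrary default.

```powershell
# Added example, not from the original post. Turns on script block logging and
# searches the resulting 4104 events for Invoke-Expression usage.

# 1. Enable script block logging (same registry value Group Policy sets).
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Query event 4104 (script block text) and keep entries that use IEX /
#    Invoke-Expression or DownloadString, the usual download-and-run combination.
function Find-IexScriptBlocks {
    param([int]$Hours = 24)   # arbitrary default window
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Invoke-Expression|\bIEX\b|DownloadString' } |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = $_.UserId
                # 4104 messages start with "Creating Scriptblock text (n of m):"
                # followed by the script itself; keep the first few lines.
                Snippet = (($_.Message -split "`n")[0..3] -join ' ')
            }
        }
}

Find-IexScriptBlocks | Format-Table -AutoSize -Wrap
```

Because the logged text is what PowerShell actually executed after any decoding, this catches IEX use whether the command line was typed, base64-encoded or pulled from a remote URL, which is why it is the first thing to check on a host suspected of running downloaded scripts.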
Get-ADUser -Identity (USERID)
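Get-ADUser with only -Identity returns a handful of default attributes; the properties that matter for an assessment (whether the account is enabled or locked out, when the password was last set, whether it ever expires, group membership) have to be requested explicitly with -Properties. The following is an added example (not from the original post) that expands the command above into a function returning those fields. It needs the ActiveDirectory module (part of RSAT) on a domain-joined host, and 'jdoe' is a constructed sample account name.

```powershell
# Added example, not from the original post. Expands the page's Get-ADUser -Identity
# line to pull the account attributes most relevant to an assessment.
# Requires the RSAT ActiveDirectory module; 'jdoe' is a constructed sample name.
Import-Module ActiveDirectory

function Get-AccountSummary {
    param([Parameter(Mandatory)][string]$Identity)

    # These attributes are not in the default set, so they must be requested.
    $props = 'Enabled', 'LockedOut', 'PasswordLastSet', 'PasswordNeverExpires',
             'PasswordNotRequired', 'LastLogonDate', 'MemberOf'
    $u = Get-ADUser -Identity $Identity -Properties $props -ErrorAction Stop

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        DistinguishedName    = $u.DistinguishedName
        Enabled              = $u.Enabled
        LockedOut            = $u.LockedOut
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordNotRequired  = $u.PasswordNotRequired
        LastLogonDate        = $u.LastLogonDate
        # MemberOf holds full group DNs; keep just the CN of each for readability
        Groups               = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join '; '
    }
}

Get-AccountSummary -Identity 'jdoe' | Format-List
```

LastLogonDate is replicated only every 14 days or so by default, so treat it as approximate; PasswordNeverExpires and PasswordNotRequired are the two flags that most often point at neglected service or test accounts worth flagging in a report.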
These are just some common examples of using PowerShell for Offensive Security; there is a wealth of information that covers this in more depth.