PowerShell for Pentesters

PowerShell is extremely useful for admins. This power is also extremely useful for attackers.

There are several PowerShell tools specifically for increasing access on a network:


PowerSploit – PowerShell-based pentest tool set developed by Mattifestation.

PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.

PowerSploit is comprised of the following major components:


The last one listed, Exfiltration, includes the following useful PowerShell pentest scripts.



The Posh-SecModule by DarkOperator includes lots of useful pentest PowerShell cmdlets.

This module is a PowerShell v3 only module at the moment. The module is a collection of functions that I have found useful in my day to day work as a security professional. The functions are broken into functionality:

Discovery: Perform network discovery.
Parse: Parsers for Nmap, DNSRecon and other type of output files from security tools.
PostExploitation: Functions to help in performing post exploitation tasks.
Registry: Collection of functions for manipulating the registry in remote hosts using WMI.
Nessus: Collection of assemblies and functions for automating the Nessus Vulnerability Scanner.
Utilities: General purpose functions.
Audit: Functions that may be useful when performing audit of systems.
Database: Functions that are useful when interacting with databases.
Shodan: Functions for doing discovery using Shodan using a valid API key.
VirusTotal: Functions for Interacting with Virus Total using a valid API key.
Metasploit: Functions for automating Metasploit Framework and the commercial version using the XMLRPC API.


Nishang is a suite of PowerShell pentest tools developed by Nikhil “SamratAshok” Mittal. He also blogs at: http://www.labofapenetrationtester.com/

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security usage and during Penetration Tests. Nishang is useful during various phases of a penetration test and is most powerful for post exploitation usage.

Nishang includes several very interesting (and useful) PowerShell pentest scripts:

  • HTTP-Backdoor
    A backdoor which is capable of receiving instructions from third party websites and could execute PowerShell scripts in memory.
  • DNS_TXT_Pwnage
    A Backdoor which could receive commands and PowerShell scripts from DNS TXT queries and execute those on target and could be controlled remotely using the queries.
  • Execute-OnTime
    A Backdoor which could execute powershell scripts on a given time on a target.
  • Remove-Update
    Introduce vulnerabilities by removing patches.
  • Download-Execute-PS
    Download and execute a powershell script in memory.
  • Copy-VSS
    Copy the SAM file using Volume Shadow Service.
  • FireBuster FireListener
    A pair of scripts for Egress Testing
  • Get-LSASecret
    Get LSA Secret from a target.
  • Get-PassHashes
    Get password hashes from a target.
  • Get-WLAN-Keys
    Get WLAN keys in plain from a target.
  • Keylogger
    Log keys from a target.
  • Brute-Force
    Brute force FTP, Active Directory, MS SQL Server and Sharepoint.
  • Port-Scan
    A handy port scanner.
  • Add-Exfiltration
    Add data exfiltration capability to Gmail, Pastebin, webserver and DNS to any script.
  • Add-Persistence
    Add Reboot persistence capability to a script.
  • Remove-Persistence
    Remove persistence added by the Add-Persistence script.
  • Do-Exfiltration
    Pipe (|) this to any script to exfiltrate the output.
