PowerShell is extremely useful for admins. This power is also extremely useful for attackers.
There are several PowerShell tools specifically for increasing access on a network:
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid reverse engineers, forensic analysts, and penetration testers during all phases of an assessment.
PowerSploit is comprised of the following major components:
The last one listed, Exfiltration, includes the following useful PowerShell pentest scripts.
This module is a PowerShell v3 only module at the moment. The module is a collection of functions that I have found useful in my day to day work as a security professional. The functions are broken into functionality:
Discovery: Perform network discovery.
Parse: Parsers for Nmap, DNSRecon and other type of output files from security tools.
PostExploitation: Functions to help in performing post exploitation tasks.
Registry: Collection of functions for manipulating the registry in remote hosts using WMI.
Nessus: Collection of assemblies and functions for automating the Nessus Vulnerability Scanner.
Utilities: General purpose functions.
Audit: Functions that may be useful when performing an audit of systems.
Database: Functions that are useful when interacting with databases.
Shodan: Functions for doing discovery using Shodan using a valid API key.
VirusTotal: Functions for interacting with VirusTotal using a valid API key.
Metasploit: Functions for automating Metasploit Framework and the commercial version using the XMLRPC API.
Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security work and during penetration tests. Nishang is useful during various phases of a penetration test and is most powerful for post-exploitation.
Nishang includes several very interesting (and useful) PowerShell pentest scripts:
A backdoor that can receive instructions from third-party websites and execute PowerShell scripts in memory.
A backdoor that can receive commands and PowerShell scripts via DNS TXT queries, execute them on the target, and be controlled remotely through those queries.
A backdoor that executes PowerShell scripts on a target at a given time.
Introduce vulnerabilities by removing patches.
Download and execute a PowerShell script in memory.
Copy the SAM file using the Volume Shadow Copy Service.
FireBuster / FireListener: a pair of scripts for egress testing.
Get LSA secrets from a target.
Get password hashes from a target.
Get WLAN keys in plaintext from a target.
Log keystrokes from a target.
Brute force FTP, Active Directory, MS SQL Server and SharePoint.
A handy port scanner.
Add data exfiltration capability (to Gmail, Pastebin, a web server or DNS) to any script.
Add reboot persistence capability to a script.
Remove persistence added by the Add-Persistence script.
Pipe (|) this to any script to exfiltrate the output.