0x00 p0wnedShell
Author: Cn33liz and Skons
Source: https://github.com/Cn33liz/p0wnedShell
What is it:
p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an "all in one" Post Exploitation tool which we could use to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.
0x02 "Reinventing the wheel"
p0wnedShell bundles the following modules:
• PowerSploit Invoke-Shellcode
• PowerSploit Invoke-ReflectivePEInjection
• PowerSploit Invoke-Mimikatz
• PowerSploit Invoke-TokenManipulation
• PowerSploit PowerUp
• PowerSploit PowerView
• HarmJ0y's Invoke-Psexec
• Besimorhino's PowerCat
• Nishang Invoke-PsUACme
• Nishang Invoke-Encode
• Nishang Get-PassHashes
• Nishang Invoke-CredentialsPhish
• Nishang Port-Scan
• Nishang Copy-VSS
• Kevin Robertson Invoke-Inveigh
• Kevin Robertson Tater
Although its feature set is comprehensive, it has the following drawbacks:
1. Too large: a full 8MB
2. Only runs on .NET 4.0
0x03 Smallp0wnedShell
Download link
A modified version of p0wnedShell with the following characteristics:
1. All PowerShell modules removed
2. Target framework changed from .NET 4.0 to .NET 2.0
3. Size reduced from 8MB to 32KB
Purpose:
Executes PowerShell scripts directly, even when script execution is disabled on the system or powershell.exe has been added to a process blacklist to block it. The PowerShell engine assembly (System.Management.Automation.dll) is still loaded into the host process, which is what endpoint monitoring can key on.
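As an added example (not from the original post or from the p0wnedShell project), here is a defender-side PowerShell check that lists processes which have loaded the PowerShell engine DLL without being a known PowerShell host; a runspace host such as Smallp0wnedShell shows up exactly this way. The function name and the list of known host names are my own choices and should be extended for your environment.

```powershell
# Added example, not part of the original post or of p0wnedShell.
# A custom runspace host avoids powershell.exe, but it still has to load the
# engine assembly, so enumerate loaded modules instead of process names.
function Find-UnmanagedPowerShellHost {
    [CmdletBinding()]
    param(
        # Process names that legitimately host the engine (assumed list; extend as needed).
        [string[]]$KnownHosts = @('powershell', 'powershell_ise', 'pwsh')
    )
    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        # Reading .Modules throws for protected or cross-bitness processes; skip those.
        $mods = try { $proc.Modules } catch { $null }
        if (-not $mods) { return }
        # Match both the IL assembly and its NGEN native image (.ni.dll).
        $engine = $mods | Where-Object {
            $_.ModuleName -match '^System\.Management\.Automation(\.ni)?\.dll$'
        }
        if ($engine -and ($KnownHosts -notcontains $proc.ProcessName)) {
            [pscustomobject]@{
                Id          = $proc.Id
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
                EngineDll   = ($engine | Select-Object -First 1).FileName
            }
        }
    }
}

# Run it; an empty result means no unexpected host was found at this moment.
Find-UnmanagedPowerShellHost | Format-Table -AutoSize
```

Run it from an elevated 64-bit PowerShell so that module lists of other users' and 64-bit processes are readable; for continuous coverage, the same condition (engine DLL loaded by an image other than the known hosts) can be expressed as a Sysmon image-load rule rather than a point-in-time scan.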
0x04 How to build
Retargeting the original code from .NET 4.0 down to .NET 2.0 produces the following error:
错误 1 命名空间"System"中不存在类型或命名空间名称"Linq"(是缺少程序集引用吗?)
The compiler is complaining that the System.Linq namespace does not exist, because LINQ only shipped with .NET 3.5.
Solution:
Add a reference to LinqBridge.dll, which provides a LINQ-to-Objects implementation for .NET 2.0.
(reference link)
If you use the Chinese edition of Visual Studio, do the following:
From the Visual Studio menu bar, open:
Tools - NuGet Package Manager - Package Manager Console
Enter Install-Package LinqBridge
and LinqBridge will be installed.
See figure.
0x05 Note
By default Windows 8 does not include .NET 2.0, only .NET 4.0, so a .NET 2.0 build will not run there unless the .NET Framework 3.5 feature (which carries the 2.0 runtime) has been enabled.