p0wnedShell and Smallp0wnedShell

Download: p0wnedShell | Date: 2016-04-25 | Category: tool sharing | Downloads: 573 | Source

0x00 p0wnedShell 
Author: Cn33liz and Skons 
Source: https://github.com/Cn33liz/p0wnedShell 
What is it: 

p0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET). It has a lot of offensive PowerShell modules and binaries included to make the process of Post Exploitation easier. What we tried was to build an "all in one" Post Exploitation tool which we could use to bypass all mitigation solutions (or at least some of them), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defense strategies.

0x02 "Reinventing the wheel"
p0wnedShell bundles the following functionality:
• PowerSploit Invoke-Shellcode 
• PowerSploit Invoke-ReflectivePEInjection 
• PowerSploit Invoke-Mimikatz 
• PowerSploit Invoke-TokenManipulation 
• PowerSploit PowerUp 
• PowerSploit PowerView 
• HarmJ0y's Invoke-Psexec 
• Besimorhino's PowerCat 
• Nishang Invoke-PsUACme 
• Nishang Invoke-Encode 
• Nishang Get-PassHashes 
• Nishang Invoke-CredentialsPhish 
• Nishang Port-Scan 
• Nishang Copy-VSS 
• Kevin Robertson Invoke-Inveigh 
• Kevin Robertson Tater

Although it is comprehensive, it has the following shortcomings:
1. Too large: a full 8 MB
2. Runs only on .NET 4.0

0x03 Smallp0wnedShell
[Image: admin_shell.jpg]
Download link
A modified build of p0wnedShell with the following characteristics:
1. All PowerShell modules removed
2. Target framework changed from .NET 4.0 to .NET 2.0
3. Size reduced from 8 MB to 32 KB

Purpose:
Executing PowerShell scripts directly, even when PowerShell scripting is disabled on the system or powershell.exe has been added to a process blacklist that prevents it from running.
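The use case above is exactly why process-name blacklists on powershell.exe are a weak control: the PowerShell engine (System.Management.Automation.dll) can be hosted by any .NET executable, and the name of that executable is what a blacklist sees. The defensive counterpart is to look for the engine rather than the host name. The following is an added example for defenders and is not part of the original post or of the p0wnedShell project; the function names and the list of expected host processes are assumptions and should be extended for your own environment.

```powershell
# Added example (not from the original post or the p0wnedShell project):
# hunt for PowerShell runspaces hosted outside the normal Microsoft hosts,
# which is what a custom C# host such as Smallp0wnedShell produces.
# Two independent signals are checked:
#   1. a live process that has loaded System.Management.Automation(.ni).dll
#      but is not one of the expected hosts;
#   2. "Windows PowerShell" log events 400/403 (engine lifecycle) whose
#      HostApplication field names an unexpected binary.
# The expected-host list is an assumption; add your own automation and
# agents (SCCM, monitoring tools, etc.) to cut false positives.

$ExpectedHosts = @('powershell', 'powershell_ise', 'pwsh', 'wsmprovhost')

function Get-UnmanagedPowerShellProcess {
    [CmdletBinding()]
    param()

    Get-Process -ErrorAction SilentlyContinue | ForEach-Object {
        $proc = $_
        if ($ExpectedHosts -contains $proc.ProcessName) { return }
        try {
            # .Modules can throw AccessDenied for protected or elevated
            # processes; skip those instead of aborting the whole sweep.
            $engine = $proc.Modules | Where-Object {
                $_.ModuleName -like 'System.Management.Automation*.dll'
            }
        } catch { return }
        if ($engine) {
            [pscustomobject]@{
                Source      = 'Process'
                ProcessId   = $proc.Id
                ProcessName = $proc.ProcessName
                Path        = $proc.Path
            }
        }
    }
}

function Get-UnexpectedPowerShellHostEvent {
    [CmdletBinding()]
    param([int]$MaxEvents = 500)

    # Event 400 = engine started, 403 = engine stopped. Both carry a line
    # "HostApplication=<command line of the hosting process>" in the message,
    # so the engine itself records which binary hosted it.
    $filter = @{ LogName = 'Windows PowerShell'; Id = 400, 403 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $event = $_
            if ($event.Message -match 'HostApplication=(?<host>[^\r\n]+)') {
                $hostApp = $Matches['host'].Trim()
                # First token of the command line is the host executable;
                # handle a quoted path, otherwise split on whitespace
                # (an unquoted path containing spaces will be flagged, which
                # is acceptable for a hunt query).
                $firstToken = if ($hostApp.StartsWith('"')) {
                    $hostApp.Split('"')[1]
                } else {
                    ($hostApp -split '\s+')[0]
                }
                $exeName = [System.IO.Path]::GetFileNameWithoutExtension($firstToken)
                if ($ExpectedHosts -notcontains $exeName) {
                    [pscustomobject]@{
                        Source          = 'EventLog'
                        TimeCreated     = $event.TimeCreated
                        EventId         = $event.Id
                        HostApplication = $hostApp
                    }
                }
            }
        }
}

# Run both checks; anything returned deserves a closer look.
Get-UnmanagedPowerShellProcess
Get-UnexpectedPowerShellHostEvent
```

Run it from an elevated prompt so that module enumeration succeeds for more processes. The event-log check is the more durable of the two signals: it does not depend on the host still being alive, and it works regardless of whether the engine was loaded from a 32 KB stub or an 8 MB bundle. Pairing it with Script Block Logging (event 4104) and, where available, Sysmon image-load events for System.Management.Automation.dll gives coverage that a process-name blacklist cannot.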

0x04 How to build
Retargeting the original code from .NET 4.0 to .NET 2.0 produces the following error:
错误 1 命名空间“System”中不存在类型或命名空间名称“Linq”(是缺少程序集引用吗?)
(The English-language compiler reports the same diagnostic as: The type or namespace name 'Linq' does not exist in the namespace 'System' (are you missing an assembly reference?))
Fix:
Add a reference to LinqBridge.dll.
Reference link
If you are using the Chinese edition of Visual Studio, set it up as follows:
Open the following from the Visual Studio menu:
Tools > NuGet Package Manager > Package Manager Console
Enter Install-Package LinqBridge
to install LinqBridge.
As shown in the screenshot:
[Image: 1.png]
0x05 Note
By default Windows 8 does not include .NET 2.0, only .NET 4.0.