PowerShell Injection Using SET
Updated: May 24, 2020
At this year's BSides Cleveland and BSides Las Vegas, Dave Kennedy (ReL1K) presented "Secret Pentesting Techniques Shhh...". The purpose of the talk was to demo some techniques he used as a penetration tester that are not widely known.
The first technique he demonstrated using the Social Engineering Toolkit (SET) was the Java Applet Attack. Attacks involving binaries, including the Java Applet Attack, interact directly with the file system and write themselves to disk, and thus can easily be picked up by antivirus.
The new technique that Dave revealed was PowerShell Injection. The idea, which originated with Matthew Graeber, is an extremely reliable technique. PowerShell has been installed by default on Windows since Windows Vista. And since PowerShell Injection doesn't touch the file system, it evades signature-based antivirus and host-based intrusion detection systems (HIDS).
Trying It Out
I used Backtrack 5 R3 (IP address: 192.168.182.130) as my attacking machine and an up-to-date Windows 7 OS with Kaspersky antivirus installed and updated (IP address: 192.168.182.1) as the target.
Starting up SET on my attacking machine:
Trying out the PowerShell attack:
This will create a couple of powershell_injection files for different system architectures that can be used as batch files (.bat extension). The moment one is executed in a Windows environment with PowerShell installed, the attacker will get a Meterpreter shell on his/her machine. Alternatively, you can copy the content of the powershell_injection files onto the target machine and run it as a command from the target's cmd.
Now verifying that I'm on the target's machine through my Meterpreter shell:
On my Windows 7 machine, there were no visible signs that my machine was already compromised:
However, there were clues if I hunted for them in Process Explorer and netstat:
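As an added detection-side example that is not part of the original post, the following Python script correlates `netstat -ano` and `tasklist` output by PID and reports any powershell.exe process holding an established TCP connection, which is the kind of clue the screenshot above points to. The sample command output, PIDs and ports are constructed for this example; only the attacker address 192.168.182.130 comes from the post.

```python
import re

# Constructed sample output of `netstat -ano`; the remote 192.168.182.130 is the
# attacking host from the post, the port and PIDs are made up for this example.
NETSTAT_OUTPUT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.168.182.1:49213    192.168.182.130:443    ESTABLISHED     3180
  TCP    192.168.182.1:49301    93.184.216.34:443      ESTABLISHED     2044
"""

# Constructed sample output of `tasklist`.
TASKLIST_OUTPUT = """
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
svchost.exe                    712 Services                   0     12,344 K
chrome.exe                    2044 Console                    1    181,220 K
powershell.exe                3180 Console                    1     44,512 K
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\w+)\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+\.exe)\s+(\d+)\s")

def parse_netstat(text):
    """Return (local, remote, state, pid) tuples for the TCP rows."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            rows.append((m.group(1), m.group(2), m.group(3), int(m.group(4))))
    return rows

def parse_tasklist(text):
    """Map PID -> lower-cased image name."""
    procs = {}
    for line in text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            procs[int(m.group(2))] = m.group(1).lower()
    return procs

def find_powershell_connections(netstat_text, tasklist_text):
    """Return (pid, remote) for every powershell.exe with an ESTABLISHED TCP socket."""
    procs = parse_tasklist(tasklist_text)
    return [(pid, remote) for _, remote, state, pid in parse_netstat(netstat_text)
            if state == "ESTABLISHED" and procs.get(pid) == "powershell.exe"]

if __name__ == "__main__":
    for pid, remote in find_powershell_connections(NETSTAT_OUTPUT, TASKLIST_OUTPUT):
        print(f"PID {pid} (powershell.exe) is connected to {remote}")
```

On a real host, feed the script the captured output of the two commands instead of the constructed strings; a PowerShell process with an outbound connection is a lead to triage, not proof of compromise on its own.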
Shared by Emil Tan, Skipper & Co-Founder of Div0.