Division Zero (Div0). Copyright © 2011-2018

All rights reserved.

Powershell Injection using SET

13 Sep 2012

At this year's BSides Cleveland and BSides Las Vegas, Dave Kennedy (ReL1K) presented "Secret Pentesting Techniques Shhh...".

 

The purpose of this talk is to show the audiences some techniques he used as a penetration tester that is not widely known.

 

The first technique he demonstrated was the Java Applet Attack, also the first attack I played with using SET. As we all know, attacks using binary, such as Java Applet Attack,  interact directly with the file system and write itself to the disk, and thus can be easily picked up by anti-virus software.

 

A new technique that Dave demonstrated using SET during the presentation is Powershell Injection. The idea originated from Matthew Graeber, is an extremely reliable technique - Powershell is installed by default in Windows operating systems since Windows Vista, and since it never touches the file system, it evades signature-based antivirus software and host-based intrusion detection systems (HIDS).

 

Trying It Out

I used a Backtrack 5 R3 (192.168.182.130) as my attacking machine and an up-to-date Windows 7 operating system with Kaspersky antivirus installed and updated (192.168.182.1).

Starting up SET on my attacking machine,

and trying out the Powershell attack!

This will create a couple of powershell_injection files, in different system architecture, that can be used as batch file (.bat extension). The moment it is executed in a Windows environment with Powershell installed, the attacker would have got a Meterpreter shell on his / her end. Alternatively, you can copy the content in the file and run it as a command under the victim's cmd.

Now verifying that I'm on the victim's machine through my Meterpreter shell:

Over at my Windows 7 machine, there was no visible sign that my machine has being compromised:

Although there are clues if I look for them:

Process Explorer

netstat

Share on Facebook
Share on Twitter
Please reload

RECENT POST

September 5, 2017

Please reload

CATEGORIES
Please reload

TAGS
RSS
RSS Feed