In previous chapters, you learned the power of PowerShell as an attacking platform. It was just the beginning. Now it is time to feel the real power of it as a perfect tool for performing sophisticated attacks, and also, we will discover how to use it side-by-side with the Metasploit Framework.

The following topics will be covered in this chapter:

• Metasploit Framework
• PowerShell essentials
• PowerShell payload modules
• Nishang PowerShell for penetration testing and offensive security

Metasploit Framework is the most well-known open source exploitation tool. It was developed at first in Perl by HD Moore, but later, it was shifted into Ruby. This framework is loaded with many useful features for hackers and penetration testers. To install Metasploit Framework, visit https://www.rapid7.com/products/metasploit/download/ and perform the following steps:

1. Choose your plan, register, and select your operating system. In this demonstration, I am using the Windows 64-bit trial version:

2. You will receive an email with the trial activation key:

3. Now install it on your machine:

4. Voila! You can start your exploitation journey:

Metasploit architecture is...

As a penetration tester, always remember that you are simulating real-world attacks, and in the real world, hackers are trying to bypass antivirus protection using many techniques. The Veil-Framework is a fantastic tool for avoiding payload detection. To install Veil 3.0, you need to download it from its official GitHub source at https://github.com/Veil-Framework/Veil:

# git clone https://github.com/Veil-Framework/Veil

Now you just need to select a task from an assisted main menu:

To generate a payload, select list, and type use 1:

To list all the available payloads, use list as usual:

Select your payload using the use command:

Enter generate to create the payload:

Complete the options, and you will generate an undetectable payload, as simple as that:

You can also do an Nmap scan using Metasploit, exporting the results and importing...

As mentioned earlier, a white hat hacker should know how to write their own tools and scripts. So, let's see how to create a simple Metasploit module. In this demonstration, we'll use Ruby as a programming language, and we'll build a TCP scanner.

First, create a Ruby file:

require 'msf/core'
class Metasploit3 <Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Auxiliary::Scanner
def intialize
super(
'Name' => 'TCP scanner',
'Version' => '$Revisiov: 1 $',
'Description' => 'This is a Demo for Packt Readers',
'License' => MSF_LICENSSE
)
register_options([
opt::RPORT(3000)
], self.class)
end
def run_host(ip)
connect()
greeting = "Hello Cybrary"
sock.puts(greeting)
data = sock.recv(1024)
print_status("Received: #{data} from #{ip}"...

Persistence is a major need in every successful hacking attack. Metasploit Framework comes with two major Persistence scripts:

• S4U Persistence (Scheduled Persistence): to use it type use exploit/windows/local/s4u_persistence

• Volume Shadow Copy Service Persistence (VSS Persistence): to use it, type use exploit/windows/local/vss_persistence

Here are some additional options for Persistence:

• The Metasploit Service, (or Metsvc)
• VNCInject

You can use Windows binaries. To locate these binaries, go to /usr/share/windows-binaries path:

In previous chapters, we witnessed the power of PowerShell and its potential. It was just the beginning; now, we are ready to leverage its power to the next level. Combining the flexibility of Metasploit and PowerShell is a great opportunity to perform more customized attacks and security tests.

PowerShell attacks are already integrated into Metasploit. You can check by using the search command:

msf> search powershell

In Chapter 4, Active Directory Exploitation, you learned how to perform some tasks using PowerShell. Now it is time to learn how to use Metasploit with PowerShell. For a demonstration of one of the many uses, you can convert a PowerShell script...

In the previous sections, we went through various techniques for attacking machines using Metasploit and PowerShell. Now it is time to learn how to defend against and mitigate PowerShell attacks. In order to protect against PowerShell attacks, you need to:

1. Implement the latest PowerShell version (version 5, when this book was written). To check, type Get-Host:

2. Monitor PowerShell logs.

3. Ensure a least-privilege policy and group policies settings. You can edit them with the Local Group Policy Editor. If you are using the Windows 10 Enterprise edition, you can also use AppLocker:

4. Use the Constrained Language mode:

PS C:\Windows\system32> [environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')

5. To check the Constrained Language mode, type:

 $ExecutionContext.SessionState.LanguageMode...

In this chapter, you learned how to use Metasploit and PowerShell side by side to penetrate the infrastructure and leverage your attacks to the next level, starting from reconnaissance, to maintaining access and persistence. We studied the two weapons of architecture and operations. The next chapter will be a new experience, when you will learn how to exploit enterprise VLANS, and go from theory to real-world experience.