New in PowerHub 2.0
PowerHub grew over the years from a small script™ meant for personal experiments or even learning exercises to a tool that many people use, so with version 2.0 come some well-deserved changes, like proper documentation, packaging and a more fleshed-out implementation of some ideas I had in the beginning.
Documentation
Documentation is now hosted by GitHub pages; the GitHub wiki is disabled.
Packaging
The powerhub.py and requirements.txt have been removed. The setup.py has been replaced with a setup.cfg. PowerHub is now a first-class Python package and should be treated as such. Like any other Python package, it should be installed with pip install, which will place executables in ~/.local/bin.
No more dev branch
Development will happen directly on the master branch. Releases will be tagged and made available on PyPI. Installing directly from the repository is not recommended, unless you want to test out the latest changes or you want to contribute to the project. I will be less inclined to help out with issues if you use a bleeding edge version. Bug reports will always be welcome, though!
Workspace directory
There is now a clearer separation of files that belong to the workspace directory. To be precise, the database and most directories in $XDG_DATA_HOME/powerhub have been moved into a new subdirectory named workspace. As a side effect, this may make your clipboard and upload files appear empty. This fixes that (assuming $XDG_DATA_HOME is undefined):
$ cd ~/.local/share/powerhub
$ mv powerhub_db.sqlite upload webdav* workspace/
Key exchange
In PowerHub 1.0, the key was simply embedded in the stager. In principle, this is a vulnerability, as specialized antivirus products could use the key to inspect the higher order stages. PowerHub 2.0 performs a Diffie-Hellman key exchange by default (but no server verification on top of the TLS handshake) and also supports an out-of-band key exchange, meaning the key is pasted on the command line.
Pre-loaded modules
It’s now possible to deliver the PowerHub payload with some modules pre-loaded. This is interesting for environments without network access. If the key is also embedded in the stager, you can deliver it manually e.g. via USB to the target and use the modules.
power-obfuscate
Installing PowerHub will yield a new executable: power-obfuscate. This makes it possible to use the obfuscation techniques of PowerHub on arbitrary PowerShell scripts or .NET executables without having to use the web application.
Deprecation of Load-HubModule
It was confusing to have both Load-HubModule and Get-HubModule. We had to execute the former to be able to use the latter. Now there is only Get-HubModule. It performs lazy loading over the network when needed, which means that the code of the module is transferred the first time you execute Get-HubModule or if you explicitly pass the -Reload switch.
Deprecation of the Loot tab
Dumping LSASS is too much of a moving target and should be left to specialty tools. The idea was that dumping LSASS is possible with only LOLBINs, so it seemed like a small addition to endow PowerHub with this capability, but things have gotten complicated lately. AVs are quarantining the dump file, the LSASS process is protected by various mechanisms, etc. It’s better to use specialized tools as outlined here and references therein.