Back with another course review. I have just finished it and, as you can see from the title, it is a course on using PowerShell for hacking, so something totally different from what I have been doing so far with Linux, Kali, Parrot and such.
The concept of using Windows for hacking fascinates me because I work on a Windows machine in my day job, and I already use PowerShell there as well.
I really want to do another post eventually with a full CTF attempt using only a Windows machine, but that is for another time.
So… this course is taught by Atul Tiwari.
Who is Atul?
Security Analyst | IT AUDITOR | Cyber laws expert | Author | Public speaker | CISSP
He has more than 10 years of working experience in the information security field.
He has trained more than 60k students on information security and penetration testing, in classrooms and online, across 168 countries. With expertise in web application penetration testing, he has performed many penetration tests, security audits and security analyses for private companies, governments and security agencies to help them cope with cyber threats.
He is founder and CTO at Gray hat | security (INDIA), www.grayhat.in
Who are Hakin9, the company I am doing the course through?
Hakin9 is a monthly magazine dedicated to hacking and cybersecurity. In every edition, we try to focus on different approaches to show various techniques – defensive and offensive. This knowledge will help you understand how most popular attacks are performed and how to protect your data from them. Our tutorials, case studies and online courses will prepare you for the upcoming, potential threats in the cybersecurity world. We collaborate with many individuals and universities and public institutions, but also with companies such as Xento Systems, CATO Networks, EY, CIPHER Intelligence LAB, redBorder, TSG, and others.
So, a pretty good teacher and company. Now onto the course.
PowerShell for Hackers!
Module 1: Introduction
This introductory module drives you through the basics and the more useful commands, functions, objects, modules, jobs, cmdlets and syntax of PowerShell. We will see how to create powerful PowerShell scripts that port exploits, which are used in attacks later. Everything is demonstrated in an easy-to-understand way.
Module 1 covered topics:
- Introduction to PowerShell
- Basics of PowerShell (Includes: syntax, cmdlets and system help)
- PowerShell modules
- PowerShell Jobs
- Functions and pipelining
- PowerShell scripts
- Scripting with PowerShell – Creating PowerShell scripts
In module one we learn about PowerShell and the basics of using it. PowerShell's first version, 1.0, was released in 2006; today PowerShell is at version 7.
As the years and versions went by, PowerShell's capabilities and hosting environments grew significantly, as Atul shows here.
Module one goes over syntax, cmdlets and more, which is mainly for people with no PowerShell experience; if you have any prior scripting or programming experience, in Bash, Python or the like, you will pick it up easily.
We are also given a handy PowerShell commands cheat-sheet, which will be useful not just for hacking but also in my day job.
What I really enjoyed in the first module was the case study on Nishang scripts; it is quite ridiculous how powerful it is.
Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.
It contains many interesting scripts like Keylogger, DNS TXT Code Execution, HTTP Backdoor, Powerpreter, LSA Secrets and much more.
There is a very good page I found that describes all the scripts available in it: https://n0where.net/powershell-penetration-testing-framework-nishang
Module 1 exercises:
- PowerShell cmdlets
- PowerShell jobs
Module 2: PowerShell hands-on
This is the time to explore what a hacker can actually do with PowerShell. Various Windows features interact with PowerShell, produce some extraordinary results and make it easy for hackers to attack quickly. Understanding how Windows interacts with its system internals gives you the power to do things the way a hacker is expected to.
Module 2 covered topics:
- PowerShell integration with .NET
- PowerShell and WMI
- WMI Explorer
- Windows API with PowerShell
- COM objects
- PowerShell to Windows Registry
In module two we get more into the nitty-gritty of it all, discussing PowerShell integration with .NET; the sections on WMI and registry entries were great.
Windows Management Instrumentation (WMI) consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notifications. WMI is Microsoft's implementation of the Web-Based Enterprise Management (WBEM) and Common Information Model (CIM) standards from the Distributed Management Task Force (DMTF).
PowerShell uses WMI under the hood quite a bit for many of its cmdlets.
Atul shows here why it can be used as a very good information gatherer.
Registry entries are properties of keys and, as such, cannot be browsed directly, so we need to take a slightly different approach when working with them; hacking them with PowerShell is extremely powerful. For instance, every registered Windows user has a hive, the NTUSER.DAT file, that contains information about their identity, personal settings and so forth. You'll find your copy sitting in your user folder, although you'll have to enable "Hidden items" in Windows Explorer to see it.
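To make the WMI and registry points above concrete, here is an added example (my own, not from the course) that pulls a host summary through the CIM cmdlets and then shows why registry values need Get-ItemProperty rather than Get-ChildItem, finishing with a defender's listing of the common autorun values. It assumes only built-in cmdlets and the standard Run key paths.

```powershell
# Added example, not course material: WMI/CIM inventory and registry value reads.

# 1. WMI through the CIM cmdlets (the same classes many built-in cmdlets use).
$os = Get-CimInstance -ClassName Win32_OperatingSystem
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
[pscustomobject]@{
    Host      = $cs.Name
    Domain    = $cs.Domain
    OSVersion = $os.Version
    LastBoot  = $os.LastBootUpTime
}

# 2. The registry provider: Get-ChildItem returns *subkeys* only. The values
#    stored in a key are properties of that key, so they come from Get-ItemProperty.
#    HKCU: is the logged-on user's NTUSER.DAT hive loaded into the registry.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
Get-ChildItem -Path $runKey       # usually empty: no subkeys under Run
Get-ItemProperty -Path $runKey    # the actual autorun values

# 3. Defender view: list every autorun value with its command line for review.
#    Paths below are the standard Run/RunOnce keys, not anything machine-specific.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $autorunKeys) {
    if (-not (Test-Path -Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # The provider adds PSPath, PSParentPath etc. to every item; skip those.
    $props.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
}
```

Run it in a normal user session first; the HKLM keys are readable without elevation, and comparing the output against a known-good baseline is a quick way to spot an unexpected autorun entry.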
Module 2 exercises:
- Interaction with Registry
- Windows API
- COM Objects
Module 3: Attacks with PowerShell
This module starts with the exploitation side of PowerShell: from information gathering to recon, client-side attacks to brute-force attacks, DNS enumeration to hacking Windows systems with the help of Metasploit and PowerShell scripts. Vulnerability scanning can also be done using PowerShell and, at the end, we will see how one can bypass two-factor authentication using PowerShell alone.
Module 3 covered topics:
- Information gathering
- Scanning and Reconnaissance
- Client-side attacks with PowerShell
- Brute-force attack with PowerShell
- DNS Enumeration
- PowerShell scripts in Metasploit
- Hacking Windows system using HTA web server with Metasploit
- Bypassing two-factor authentication (2FA) with PowerShell
In module three we go over all the things you would expect in a hacking course, except that it is ALL done in PowerShell: information gathering, port scanning, brute force, DNS enumeration and loads more.
I don't want to say too much on these subjects, as you should check them out yourself, but I am blown away by how much can be done in PowerShell. We do use Kali Linux in this module, but in a great way.
In the section 'Hacking a Windows system using HTA server with Metasploit' we attack a host using an HTML Application (HTA) that, when opened, runs a payload via PowerShell. When we navigate to the HTA file we are prompted by IE twice before the payload is executed. An excellent section.
Module 3 exercises:
- Information gathering
- Brute forcing
- DNS Enum
- Porting exploits to PowerShell
Module 4: Exploitation and post-exploitation
Complete exploitation with PowerShell. We will leverage the power of PowerShell to hack systems, get complete system details, fetch data, create backdoors, create web shells and escalate privileges to the highest level.
Module 4 covered topics:
- Privilege escalation with PowerShell
- Fetching system details
- Creating Web Shells with PowerShell
- Passing the hashes
- Retrieving NTLM hashes without LSASS
- Exfiltration mechanism
- Remote command execution with WMI and WS-Management
- Creating Backdoors with PowerShell
- Walkthrough of Nishang tool
- Bonus – useful commands and tricks for hackers
In this final module we learn about privilege escalation and loads more, including PowerUp. PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations.
Running Invoke-AllChecks outputs any identifiable vulnerabilities along with specifications for any abuse functions. The -HTMLReport flag also generates a COMPUTER.username.html version of the report.
We also got to learn loads more, but it's hard to talk about what you learnt when you want people to take the course and learn it for themselves.
Module 4 exercises:
- Privilege escalation
- Creating web shells
- Pass the hash
Overall the course was great. It went incredibly in-depth on the subject, which was good, and it was taught well by Atul, who was extremely knowledgeable. I am actually going to take another of his courses soon that I saw, called 'PenTesting with OWASP ZAP: Mastery course'.
Not going to lie, I did find some of the exercises a little hard, and it is not a course you can just float through like a lot that are out there; you really need to spend a lot of time on each module to take in all the information.
I would 100% take a course taught by Atul again and, as mentioned above, I already have another in mind.
Please check them out at the links below:
- Hakin9 Website = https://hakin9.org/
- Hakin9 Facebook = https://www.facebook.com/hakin9mag/
- Hakin9 Twitter = https://twitter.com/Hakin9
- Hakin9 LinkedIn = https://www.linkedin.com/company/hakin9-magazine
- Course = https://hakin9.org/product/powershell-for-hackers-w41/