
Powershell tips from my experiences


PoSHMagiC0de


So, I thought I would post some tools and tips on my experiences with Powershell over the last 10 years or so.  Yeah, I started dabbling a little at 1.0 and got into it fully at 2.0.

Using Powershell as payloads, I found out, works best encoded.  It automatically bypasses the execution policy.  Once in the script, it is allowed to invoke scripts as expressions and jobs all it wants, unless someone has one of those new virus scanners that Powershell can jack into, which scan your script before it runs and see it as malicious, in which case the script itself needs obfuscation; hence the popping up of mimidogz.


For reducing my scripts and minifying them (it will remove comments and everything and concat it into a one-liner) I use MinifyPS.  It is a Powershell script for minifying js files and ps files.  Of course it doesn't take the file path but the actual contents of the file as a string.  The location of the script is here on sourceforge (not written by me).  If you use Powershell 6 in Linux you will have to make a line change; on Windows it is not necessary, but you can make the change with no ill effects.

You open the minjs.psm1 file, search for sort and change it to sort-object.  The reason is that sort is PS shorthand for sort-object, but Linux has a sort command, so it gets run first; making it the actual command keeps Powershell from being confused about which one you want.


Now to read in a script and minify it you run the below (it will show the difference between versions).

# Read the file to a variable
# Windows with Powershell 4.0 or greater and all OS Powershell version 6.

$myscript = Get-Content -Path "pathtoscript" -Raw   # -Raw does no formatting or changes to line endings; all is read as is, as a single string

# Windows with Powershell 2.0 (no -Raw switch)

$myscript = [System.IO.File]::ReadAllText("absolute path to script")  # Using .NET to read the file needs an absolute path, not a relative one.

# To minify, all versions

Import-Module "./path to minjs.psm1"
$minscript = minify -inputdata $myscript -inputtype ps1   # returns the minified script as one string


Now you have the minified version of the script you want.

The next step is your choice in how you do it.  To encode the script you can do it manually, and you can find the instructions by typing Powershell /?.  At the bottom of the help it will show the procedure to make and use encoded commands.

The way I use it, so it creates the command and the runner for it (and compresses it), is to use a script from Powersploit's scripts modification folder called Out-EncodedCommand.ps1.  You can get it from github.


This will turn your minified script into a compressed encoded command, with the command to decompress it and run it.  So, all the code and the actual command to run it have to be in the script, since it is immediately invoked as an expression upon decompression.


Example of the command is below continuing with our minified script.

# Powersploit's Out-EncodedCommand example.
# Out-EncodedCommand's input parameter takes the script as a scriptblock, so we need to convert the string to one as well.

Import-Module "Path to Out-EncodedCommand.ps1"
$myscriptblock = [ScriptBlock]::Create($minscript)   # Convert the minified ps1 file (a string) to a scriptblock
$myPayload = Out-EncodedCommand -ScriptBlock $myscriptblock

If you print out $myPayload, that is the command you use to run that script.  So with the above method you can create your script as normal with line spacing and all and then condense it to use for your means in the RubberDucky or BashBunny.

MinifyPS:

https://minifyps.codeplex.com/

Powersploit:

https://github.com/PowerShellMafia/PowerSploit


Now, the last thing I am going to try and see is if I can control the LEDs from inside python or node running on the BB.  It would be nice to get status lights from within custom apps run from the BB through the LEDs.
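Added example, not code from the original post or from PowerSploit: the flip side of encoded commands is that they are trivial to decode for triage, because powershell /? documents the encoding as Base64 over the UTF-16LE text of the command. This Python snippet pulls the -EncodedCommand argument out of a logged process command line (for instance the CommandLine field of a process-creation event), decodes it, and flags the decode-and-invoke stub that Out-EncodedCommand-style payloads carry. The sample command lines, the indicator list and the `Decompress-Stub` name are all constructed for this example; `Decompress-Stub` is not a real cmdlet.

```python
"""Decode and triage PowerShell -EncodedCommand arguments found in logged
process command lines.

Added example, not code from the original post or from PowerSploit.
The encoding is the one documented by `powershell /?`: Base64 over the
UTF-16LE bytes of the command. All sample command lines are constructed."""
import base64
import binascii
import re
from typing import Optional

# powershell.exe / pwsh accept -EncodedCommand and its documented short forms
# (-e, -ec) and take '/' as well as '-' as the switch character.
ENC_ARG = re.compile(
    r"""(?ix)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+["']?([A-Za-z0-9+/=]+)"""
)

# What an analyst looks for in the decoded body: an in-memory
# decode / decompress / invoke chain of the kind Out-EncodedCommand emits.
INDICATORS = [
    ("iex", re.compile(r"\bIEX\b|Invoke-Expression", re.IGNORECASE)),
    ("from_base64", re.compile(r"FromBase64String", re.IGNORECASE)),
    ("decompress", re.compile(r"Decompress|GzipStream|DeflateStream", re.IGNORECASE)),
    ("download", re.compile(r"DownloadString|Invoke-WebRequest|\biwr\b", re.IGNORECASE)),
]


def extract_encoded_argument(cmdline: str) -> Optional[str]:
    """Return the Base64 token that follows an EncodedCommand switch, or None."""
    m = ENC_ARG.search(cmdline)
    return m.group(1) if m else None


def decode_encoded_command(b64: str) -> Optional[str]:
    """Base64 -> UTF-16LE text. None if the token is not a valid encoded command
    (bad alphabet, bad padding, or an odd byte count that cannot be UTF-16)."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def triage(cmdline: str) -> dict:
    """Decode any encoded command on the line and list the matched indicators."""
    b64 = extract_encoded_argument(cmdline)
    decoded = decode_encoded_command(b64) if b64 else None
    hits = [name for name, rx in INDICATORS if decoded and rx.search(decoded)]
    return {"encoded": b64 is not None, "decoded": decoded, "indicators": hits}


def scan(lines: list) -> list:
    """Triage every command line; results keep their input order."""
    return [triage(line) for line in lines]


def _encode(text: str) -> str:
    """The `powershell /?` encoding; used here only to build the sample data."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


# Constructed stand-in for a decode-and-invoke stub. `Decompress-Stub` is a
# made-up name, not a real cmdlet; the text only has to look like what the
# indicators above describe.
SAMPLE_STUB = "$d = Decompress-Stub ([Convert]::FromBase64String('QUFB')); IEX $d"

# Constructed command lines, as they would appear in a process-creation log.
SAMPLE_COMMAND_LINES = [
    # plain script run, nothing encoded
    r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\scripts\inventory.ps1",
    # encoded but harmless
    "powershell.exe -NoProfile -EncodedCommand " + _encode("Get-Date"),
    # encoded decode-and-invoke stub, quoted the way a shell would pass it
    'powershell -NoProfile -WindowStyle Hidden -enc "' + _encode(SAMPLE_STUB) + '"',
]


if __name__ == "__main__":
    for line, result in zip(SAMPLE_COMMAND_LINES, scan(SAMPLE_COMMAND_LINES)):
        print(line[:60], "...")
        print("  encoded:", result["encoded"], " indicators:", result["indicators"])
        if result["decoded"]:
            print("  decoded:", result["decoded"])
```

The regex deliberately requires whitespace right after the switch so that -ExecutionPolicy or -ErrorAction never match as -e; the decoder returns None rather than raising on junk, because a triage loop over thousands of log lines must not die on one malformed argument.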


Wanted to add one more thing I forgot.  On the bashbunny, with the encoded output you do need to add 2 escaped quotes.

One at the beginning of the command after the first double quote and one before the ending double quote.  That is just so you can encapsulate the command in quotes, since bash will take the ones there as string encapsulation and they will not show up in the typed text.

Of course you could copy the encoded command script, make it Out-EncodedBBCommand and change it so it includes the escaped quotes.

