{"id":4250,"date":"2017-01-14T06:08:12","date_gmt":"2017-01-13T22:08:12","guid":{"rendered":"https:\/\/www.darknet.org.uk\/?p=4250"},"modified":"2017-10-29T20:20:30","modified_gmt":"2017-10-29T12:20:30","slug":"p0wnedshell-powershell-runspace-post-exploitation-toolkit","status":"publish","type":"post","link":"https:\/\/www.darknet.org.uk\/2017\/01\/p0wnedshell-powershell-runspace-post-exploitation-toolkit\/","title":{"rendered":"p0wnedShell &#8211; PowerShell Runspace Post Exploitation Toolkit"},"content":{"rendered":"<p>p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/p0wnedShell-PowerShell-Runspace-Post-Exploitation-Toolkit-640x341.png\" alt=\"p0wnedShell - PowerShell Runspace Post Exploitation Toolkit\" width=\"640\" height=\"341\" class=\"aligncenter size-medium wp-image-4397\" srcset=\"https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/p0wnedShell-PowerShell-Runspace-Post-Exploitation-Toolkit-640x341.png 640w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/p0wnedShell-PowerShell-Runspace-Post-Exploitation-Toolkit-1024x546.png 1024w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/p0wnedShell-PowerShell-Runspace-Post-Exploitation-Toolkit-1536x819.png 1536w, https:\/\/www.darknet.org.uk\/wp-content\/uploads\/2017\/01\/p0wnedShell-PowerShell-Runspace-Post-Exploitation-Toolkit.png 1631w\" sizes=\"(max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>What the author tried was to build an \u201call in one\u201d Post Exploitation tool which could be used to bypass all mitigations solutions (or at least some of), and that has all relevant tooling included. You can use it to perform modern attacks within Active Directory environments and create awareness within your Blue team so they can build the right defence strategies.<\/p>\n<h3>Features\/Modules<\/h3>\n<p>The following PowerShell tools\/functions are included:<\/p>\n<ul>\n<li>PowerSploit Invoke-Shellcode<\/li>\n<li>PowerSploit Invoke-ReflectivePEInjection<\/li>\n<li>PowerSploit <a href=\"https:\/\/www.darknet.org.uk\/2015\/07\/mimikatz-gather-windows-credentials\/\">Invoke-Mimikatz<\/a><\/li>\n<li>PowerSploit Invoke-TokenManipulation<\/li>\n<li>PowerSploit PowerUp<\/li>\n<li>PowerSploit PowerView<\/li>\n<li>HarmJ0y&#8217;s Invoke-Psexec<\/li>\n<li>Besimorhino&#8217;s PowerCat<\/li>\n<li>Nishang Invoke-PsUACme<\/li>\n<li>Nishang Invoke-Encode<\/li>\n<li>Nishang Get-PassHashes<\/li>\n<li>Nishang Invoke-CredentialsPhish<\/li>\n<li>Nishang Port-Scan<\/li>\n<li>Nishang Copy-VSS<\/li>\n<li>Kevin Robertson Invoke-Inveigh<\/li>\n<li>Kevin Robertson Tater<\/li>\n<li>FuzzySecurity Invoke-MS16-032<\/li>\n<\/ul>\n<script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3033787195489589\"\r\n     crossorigin=\"anonymous\"><\/script>\r\n<!-- Darknet Responsive Post Ad Links [previously link ad unit] -->\r\n<ins class=\"adsbygoogle\"\r\n     style=\"display:block\"\r\n     data-ad-client=\"ca-pub-3033787195489589\"\r\n     data-ad-slot=\"5456620019\"\r\n     data-ad-format=\"auto\"><\/ins>\r\n<script>\r\n     (adsbygoogle = window.adsbygoogle || []).push({});\r\n<\/script>\n<p>Powershell functions within the Runspace are loaded in memory from Base64 encode strings.<\/p>\n<p>The following Binaries\/tools are included:<\/p>\n<ul>\n<li>Benjamin DELPY&#8217;s Mimikatz<\/li>\n<li>Benjamin DELPY&#8217;s MS14-068 kekeo Exploit<\/li>\n<li>Didier Stevens modification of ReactOS Command Prompt<\/li>\n<li>MS14-058 Local SYSTEM Exploit<\/li>\n<li>hfiref0x MS15-051 Local SYSTEM Exploit<\/li>\n<\/ul>\n<h3>Compiling<\/h3>\n<p>To compile p0wnedShell you need to import this project into Microsoft Visual Studio or if you don&#8217;t have access to a Visual Studio installation, you can compile it as follows:<\/p>\n<p>To Compile as x86 binary:<\/p>\n<pre>cd \\Windows\\Microsoft.NET\\Framework\\v4.0.30319\r\n\r\ncsc.exe \/unsafe \/reference:\"C:\\p0wnedShell\\System.Management.Automation.dll\" \/reference:System.IO.Compression.dll \/win32icon:C:\\p0wnedShell\\p0wnedShell.ico \/out:C:\\p0wnedShell\\p0wnedShellx86.exe \/platform:x86 \"C:\\p0wnedShell\\*.cs\"<\/pre>\n<p>To Compile as x64 binary:<\/p>\n<pre>cd \\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\r\n\r\ncsc.exe \/unsafe \/reference:\"C:\\p0wnedShell\\System.Management.Automation.dll\" \/reference:System.IO.Compression.dll \/win32icon:C:\\p0wnedShell\\p0wnedShell.ico \/out:C:\\p0wnedShell\\p0wnedShellx64.exe \/platform:x64 \"C:\\p0wnedShell\\*.cs\"<\/pre>\n<p>p0wnedShell uses the System.Management.Automation namespace, so make sure you have the System.Management.Automation.dll within your source path when compiling outside of Visual Studio.<\/p>\n<p>You can download p0wnedShell here:<\/p>\n<p><a href=\"https:\/\/github.com\/Cn33liz\/p0wnedShell\/archive\/master.zip\">p0wnedShell-master.zip<\/a><\/p>\n<p>Or read more <a href=\"https:\/\/github.com\/Cn33liz\/p0wnedShell\">here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe but runs PowerShell commands and functions within a PowerShell run space environment (.NET). It has a lot of offensive PowerShell modules and binaries included making the process of Post Exploitation easier. What the author tried was [&hellip;]<\/p>\n","protected":false},"author":25,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_seopress_robots_primary_cat":"","_seopress_titles_title":"","_seopress_titles_desc":"p0wnedShell is an offensive PowerShell Runspace Post Exploitation host application written in C# that does not rely on powershell.exe.","_seopress_robots_index":"","_genesis_hide_title":false,"_genesis_hide_breadcrumbs":false,"_genesis_hide_singular_image":false,"_genesis_hide_footer_widgets":false,"_genesis_custom_body_class":"","_genesis_custom_post_class":"","_genesis_layout":"","footnotes":""},"categories":[9],"tags":[2129,9457,9452,8981],"featured_image_src":null,"featured_image_src_square":null,"author_info":{"display_name":"Darknet","author_link":"https:\/\/www.darknet.org.uk\/author\/darknet\/"},"_links":{"self":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4250"}],"collection":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/users\/25"}],"replies":[{"embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/comments?post=4250"}],"version-history":[{"count":0,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/posts\/4250\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/media?parent=4250"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/categories?post=4250"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.darknet.org.uk\/wp-json\/wp\/v2\/tags?post=4250"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}