S3cur3Th1sSh1t / WinPwn

Automation for internal Windows penetration tests / AD security
BSD 3-Clause "New" or "Revised" License

Weird behaviour observed when using PowerShdll #14

Status: Closed (a7t0fwa7 closed this 3 years ago)

a7t0fwa7 commented 3 years ago

Hey man I am back with a few queries :+1:

So basically I am running WinPwn on a jump server that has both CMD and PS disabled. I am running WinPwn via PowerShdll.

I don't have Internet access, so I am using Offline_WinPwn.

So my query is that I get error messages when I attempt to run the following commands:

```
PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -DomainRecon
A parameter cannot be found that matches parameter name 'FullData'.
```

However, when I try to run the same command without the `-consoleoutput` parameter I get:

```
PS H:\Desktop2019>WinPwn -noninteractive -DomainRecon
A positional parameter cannot be found that accepts argument 'proxy.redacted.local:80'
```

Any ideas as to why this is occurring? I presume that PowerShdll is not providing verbose error messages, so it is kind of hard to understand what is occurring.

However, when I run `WinPwn -PowerSharpPack -consoleoutput -noninteractive` I manage to get the output in full.

I would like to know if you have a cheatsheet I could use to run WinPwn in `-consoleoutput -noninteractive` mode with a list of parameters we can pass, because the help menu seems to contain only a few examples of usage, if I am not mistaken.

Cheers

S3cur3Th1sSh1t commented 3 years ago

Hey,

The parameters are correct if you want to use Domainreconmodules.


DomainReconmodules will most likely run a very long time with these parameters depending on the domain size; especially the search for network shares takes much time here. Take a look at the code: the WinPwn function calls the Domainreconmodules function, and Domainreconmodules calls different sub-functions like generaldomaininfo, shareenumeration, powerSQL, printercheck and so on with the corresponding parameters:


So you could also use them as standalone functions depending on what you want to do:

- `powerSQL -noninteractive` - PowerUpSQL checks
- `snaffler -noninteractive -consoleoutput` - snaffler without questions and with console output
- `generaldomaininfo -noninteractive -consoleoutput` - all those text file information which is normally generated in the Domainrecon folder

Your error messages look like some of the scripts used by Domainreconmodules have problems in your environment, but I didn't see these messages so far anywhere. I haven't used the Offline version in combination with PowerShdll until now.

You could try all the subfunctions of generaldomainInfo and tell me which one of it has this problem.

Greetings

a7t0fwa7 commented 3 years ago

Ah, excellent, will definitely give it a try and let you know which parameters could potentially present issues. Thanks again for your great help. Yes, I thought you would be interested in knowing the pre-conditions of how WinPwn is being used; I am engaged in a locked-down environment at the moment, so I was interested in seeing how WinPwn would behave. Cheers

a7t0fwa7 commented 3 years ago

Ok buddy,

Seems that PowerShdll doesn't handle the console output properly, so you actually need to push all the WinPwn output to a file, and only then can I go through the findings:

`PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc >WinPwn_Privesc_output.txt`

otherwise I get this below:

```
PS H:\Desktop2019>WinPwn -noninteractive -Privesc
A positional parameter cannot be found that accepts argument 'proxy.redacted.local:80'.

PS H:\Desktop2019>WinPwn -noninteractive -consoleoutput -Privesc 
Cannot find drive. A drive with the name 'blahblahblah' does not exist.
```

Will continue to test on the target while I can and update.

Cheers

S3cur3Th1sSh1t commented 3 years ago

I am interested in how WinPwn is used, and I am interested in how it behaves in different situations; this could also happen to me sometime. I just tried to replicate this using PowerShdll, but I can't even load WinPwn in its runspace. You could also try other open source alternatives like MsBuildShell; just replace the AMSI bypass namespace and class name with random names. There are several projects like PowerLessShell, nopowershell, Stracciatella and more. You will get the output from other tools, including error messages, in the MsBuildShell.


a7t0fwa7 commented 3 years ago

Awesome, thanks mate. Definitely will try the alternatives. Just as a heads up and an interesting thing to note, I also used PowerSharpPack and found that PowerSharpPack.ps1 gets flagged by AMSI but lets all the other binaries through, LOL.

S3cur3Th1sSh1t commented 3 years ago

That's because I didn't change the AMSI trigger there so far; it's explained in one of my blog posts here:

https://s3cur3th1ssh1t.github.io/Bypass_AMSI_by_manual_modification/


I switched all scripts to gzip compression yesterday, so at this time they are not flagged, but they will get flagged in the near future again ;-)

a7t0fwa7 commented 3 years ago

Tried out MSBuildShell and it works great on my lab test machine, but as soon as I attempt to run it on my target, for some reason there seem to be build errors occurring. Mind you, I am launching this via PowerShdll. So tomorrow I will test out launching the commands from a batch script and see if that works. Will keep you posted.

a7t0fwa7 commented 3 years ago

Excellent blog posts mate. Thank you for awesome contributions.

S3cur3Th1sSh1t commented 3 years ago

If you encounter new behaviours, feel free to reopen.