PowerShell for Pentesters Course Complete Review (PSSE)
I highly enjoyed this course! I found both the material and the exam to be exciting, pushing me to try many new things in a language I didn't necessarily feel comfortable in to begin with. At the end of it all, I feel confident I could tackle most programming challenges in PowerShell; it's a practical administrative language seeing a lot of current development effort. Taught by Nikhil Mittal, the course material took roughly the same amount of time as the Python for Pentesters material took; however, I think this course's exam took much longer. Like I said in my main course review, the only downside in my opinion was the speed at which this course progresses. That said, I'm going to focus on the exam in this review. To put it simply, with the Python for Pentesters exam you were required to write 3-4 programs within 3-4 hours, whereas with this exam you were required to write a minimum of 10 programs with unlimited time to complete them all. The major difference to me is that this exam requires a more variable time commitment to complete all of the programs, whereas the other exam had a solid time frame with a pass / fail result. I think this may actually be a benefit in the world of programming; however, it seemed very time consuming, especially considering how involved some of the final programs were.
The following is a full list of the programs and their solutions, based on my interpretation of the exam rules:
Task 1 Description: Brute force basic auth.
Task 1 Write-Up: http://lockboxx.blogspot.com/2016/01/brute-force-basic-authentication.html
Task 1 Code: https://github.com/ahhh/PSSE/blob/master/Brute-Basic-Auth.ps1
Task 2 Description: Enumerate all open shares on a network.
Task 2 Write-Up: http://lockboxx.blogspot.com/2016/01/scan-share-permissions-powershell-for.html
Task 2 Code: https://github.com/ahhh/PSSE/blob/master/Scan-Share-Permissions.ps1
Task 3 Description: Enumerate directories inside "C:\Windows\System32" which are writable by non-admin users.
Task 3 Write-Up: http://lockboxx.blogspot.com/2016/01/scan-dir-permissions-powershell-for.html
Task 3 Code: https://github.com/ahhh/PSSE/blob/master/Scan-Dir-Permissions.ps1
Task 4 Description: Write a registry scraper which looks for passwords stored in the Windows registry.
Task 4 Write-Up: http://lockboxx.blogspot.com/2016/01/search-local-passwords-powershell-for.html
Task 4 Code: https://github.com/ahhh/PSSE/blob/master/Search-Local-Passwords.ps1
Task 5 Description: Port any two command injection exploits from exploit-db to PowerShell.
Task 5 Write-Up: http://lockboxx.blogspot.com/2016/01/command-injection-powershell-for.html
Task 5 Code A: https://github.com/ahhh/PSSE/blob/master/Exploit-TrendMicroPWM-LocalNodeJSAPI.ps1
Task 5 Code B: https://github.com/ahhh/PSSE/blob/master/Exploit-CVE-2014-6287.ps1
Task 6 Description: Transfer files over PowerShell Remoting.
Task 6 Write-Up: http://lockboxx.blogspot.mx/2016/02/send-files-via-psremoting-powershell.html
Task 6 Code: https://github.com/ahhh/PSSE/blob/master/Send-File-PSRemoting.ps1
Task 7 Description: Write a simple web server in PowerShell which could be used to list, delete, download and upload files over HTTP.
Task 7 Write-Up: http://lockboxx.blogspot.com/2016/02/simple-web-server-powershell-for.html
Task 7 Code: https://github.com/ahhh/PSSE/blob/master/Run-Simple-WebServer.ps1
Task 8 Description: Use a popular third party website for exfiltration.
Task 8 Write-Up: http://lockboxx.blogspot.com/2016/02/exfiltrate-to-slack-powershell-for.html
Task 8 Code: https://github.com/ahhh/PSSE/blob/master/Exfil-To-Slack.ps1
Task 9 Description: Use a popular third party website for interactive shell.
Task 9 Write-Up: http://lockboxx.blogspot.com/2016/02/irc-shellbot-powershell-for-pentesters.html
Task 9 Code: https://github.com/ahhh/PSSE/blob/master/shellbot.ps1
Task 10 Description: Write a PoC backdoor which reads instructions/scripts from the registry, can be triggered by the creation of another registry key, and stores the output back to the registry.
Task 10 Write-Up: http://lockboxx.blogspot.com/2016/03/registry-trojan-powershell-for.html
Task 10 Code: https://github.com/ahhh/PSSE/blob/master/RegTrojan.ps1
This class has inspired me to write and extend numerous other security-focused PowerShell scripts that I've found on GitHub, in a repository I have deemed the PowerShell Expert Scripting Repository; any code which I extended is cited and linked to from: https://github.com/ahhh/PSSE/
Overall, I can't recommend this class enough to those who are eager to learn PowerShell and work well in a self-motivated environment. It really was a fantastic learning experience, a nice challenge, and prepared me for using offensive PowerShell in my everyday operations. Even though the exam was a little long, I stayed focused, and that attention really made sure I was writing PowerShell till I was fluent with it. PowerShell is a really useful language too; despite knowing several other languages, I'm glad I picked this one up in particular due to its amazing application in Windows domains. The course also got me involved in many of the existing PowerShell pentest projects out there, which was a large motivation behind why I took this course, and it really delivered in that regard. Where before I was simply using these tools, this course prompted me to dig into each of their respective sources to see how they execute these methods, greatly increasing my understanding of both the security techniques and the language's capabilities. I even used those capabilities in an excellent / fun operation, which I will be blogging about soon, so stay tuned for that! Again, great course and highly recommended!