Blog Archives

Cracking Open PowerShell’s Constrained Runspace

Recently at the PowerShell Summit, Lee Holmes and I did a talk on PowerShell security. One of the demonstrations we did showed how to find and exploit a command injection bug in a constrained runspace. I figured I’d write a

Tagged with: , , ,
Posted in Hacking, PowerShell

Injecting Logon Credentials With PowerShell

In this article I will introduce a new script, Inject-LogonCredentials, that uses PowerShell (specifically, the Invoke-ReflectivePEInjection script) to inject credentials in memory. I’ll start with a brief review of the current commonly used methods of using stolen credentials. Doing a

Tagged with: , , , ,
Posted in Hacking, PowerShell

PowerShell and Token Impersonation

This post will discuss bringing incognito-like functionality to PowerShell in the form of a new PowerShell script (Invoke-TokenManipulation), with some important differences. I’ll split this post up in to three sections: An overview on tokens and Windows authentication An overview

Tagged with: , , , , ,
Posted in Hacking, PowerShell, Uncategorized

Intercepting Password Changes With Function Hooking

Last week, Mubix published a malicious Windows password filter DLL ( The idea is simple, by installing this password filter, he can intercept the clear text credential whenever a user changes their password. There are two caveats with installing this

Tagged with: , ,
Posted in Hacking, PowerShell

Avoiding PowerShell Command Injection & Unicode Issues

PowerShell exposes a powerful set of functionality and is increasing in popularity for server management tasks. This post aims to help penetration testers identify issues that may be found when PowerShell scripts handle user input. There are multiple scenarios where

Tagged with: , , ,
Posted in Hacking, PowerShell