Installing Powershell and Invoke-Obfuscation on CentOS 8

By | November 12, 2020

This article shows how to obfuscate PowerShell command or script for free using Invoke-Obfuscation. We will obfuscate powershell command on Linux CentOS machine and execute obfuscated command on Windows PC.
Invoke-Obfuscation runs under powershell and because Microsoft powershell is cross-platform tool and available for many not Windows platforms this obfuscator could be also used anywhere.
First of all check if your device has microsoft.repo in /etc/yum.repo directory. If not it is necessary to add Microsoft repository file to /etc/yum.repos.d/ directory:


# curl https://packages.microsoft.com/config/rhel/7/prod.repo | sudo tee /etc/yum.repos.d/microsoft.repo

So it is ready for powershell installation:


# yum install -y powershell

To start powershell on Linux you need to use pwsh command (not powershell command as on Windows machine):


# pwsh
PowerShell 7.1.0
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type ‘help’ to get help.

PS /root>

Now installing Invoke-Obfuscation:


# git clone https://github.com/danielbohannon/Invoke-Obfuscation
Cloning into ‘Invoke-Obfuscation’…
remote: Enumerating objects: 220, done.
remote: Total 220 (delta 0), reused 0 (delta 0), pack-reused 220
Receiving objects: 100% (220/220), 482.83 KiB | 1.65 MiB/s, done.
Resolving deltas: 100% (161/161), done.

Cloning created Invoke-Obfuscation directory with powershell scripts:


# ls Invoke-Obfuscation/
Invoke-Obfuscation.ps1 Out-EncodedOctalCommand.ps1
Invoke-Obfuscation.psd1 Out-EncodedSpecialCharOnlyCommand.ps1
Invoke-Obfuscation.psm1 Out-EncodedWhitespaceCommand.ps1
LICENSE Out-ObfuscatedAst.ps1
Out-CompressedCommand.ps1 Out-ObfuscatedStringCommand.ps1
Out-EncodedAsciiCommand.ps1 Out-ObfuscatedTokenCommand.ps1
Out-EncodedBinaryCommand.ps1 Out-PowerShellLauncher.ps1
Out-EncodedBXORCommand.ps1 Out-SecureStringCommand.ps1
Out-EncodedHexCommand.ps1 README.md

Now it is possible to use Invoke-Obfuscation:


# pwsh
PowerShell 7.1.0
Copyright (c) Microsoft Corporation.

https://aka.ms/powershell
Type ‘help’ to get help.

PS /root> Import-Module ./Invoke-Obfuscation/
PS /root> Invoke-Obfuscation

Invoke-Obfuscation>

Create script and obfuscate it with ENCODING/2 (hex):


Invoke-Obfuscation> SET SCRIPTBLOCK Write-Host ‘Visit ladydebug.com’ -ForegroundColor red

Successfully set ScriptBlock:
Write-Host ‘Visit ladydebug.comn’ -ForegroundColor red

Choose one of the below options:

[*] TOKEN Obfuscate PowerShell command Tokens
[*] AST Obfuscate PowerShell Ast nodes (PS3.0+)
[*] STRING Obfuscate entire command as a String
[*] ENCODING Obfuscate entire command via Encoding
[*] COMPRESS Convert entire command to one-liner and Compress
[*] LAUNCHER Obfuscate command args w/Launcher techniques (run once at end)

Invoke-Obfuscation> ENCODING

Choose one of the below Encoding options to APPLY to current payload:

[*] ENCODING\1 Encode entire command as ASCII
[*] ENCODING\2 Encode entire command as Hex
[*] ENCODING\3 Encode entire command as Octal
[*] ENCODING\4 Encode entire command as Binary
[*] ENCODING\5 Encrypt entire command as SecureString (AES)
[*] ENCODING\6 Encode entire command as BXOR
[*] ENCODING\7 Encode entire command as Special Characters
[*] ENCODING\8 Encode entire command as Whitespace

Invoke-Obfuscation\Encoding> 2
FULL: Out-EncodedHexCommand -ScriptBlock $ScriptBlock -PassThru

Result:
[sTRIng]::JoiN(”, ( ( 57 ,72 , 69, 74, 65 ,’2d’, 48, ‘6f’, 73 , 74 ,20 ,27,56, 69,73, 69 ,74, 20,’6c’ , 61,64, 79,64,65, 62 , 75 , 67 ,’2e’,63 ,’6f’, ‘6d’ , 27, 20, ‘2d’,46 ,’6f’ , 72 , 65, 67, 72 , ‘6f’ ,75 ,’6e’ ,64 , 43, ‘6f’ ,’6c’ , ‘6f’, 72 , 20 ,72 , 65,64) |% { ([cOnvErT]::toint16( ( $_.tosTRiNg() ), 16 )-aS[Char]) } ) ) | . ((gV ‘*MdR*’).NAme[3,11,2]-joIn”)

Now testing original and obfuscated commands in Windows powershell, coping and pasted these strings:
Testing obfuscated commands
The both work the same. It is possible to paste obfuscated command in notepad and save it as script, then execute the script in powershell to get the same result.


Leave a Reply

Your email address will not be published. Required fields are marked *