powershell-cheatsheet

Powershell

PowerShell Downgrade Attack

  • PowerShell 5.0 and later add Script Block Logging, Module Logging, transcription and AMSI integration. The 2.0 engine has none of these, so an attacker starts a 2.0 session to limit what gets logged:
powershell.exe -Version 2.0 -NoLogo -NoProfile
  • Verify with
$PSVersionTable.PSVersion
  • Caveats: the 2.0 engine needs .NET Framework 3.5 and the "Windows PowerShell 2.0 Engine" optional feature, which current Windows builds no longer install by default; without them powershell.exe refuses to start with -Version 2.0. The downgrade is also an easy detection: the Windows PowerShell event log writes Event ID 400 with EngineVersion=2.0 for the new session, and process-creation logging (Security Event ID 4688 or Sysmon Event ID 1) records the -Version 2.0 command line
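Two checks that go with the downgrade, as an added example that is not part of the cheat sheet: whether the 2.0 engine is even available on the host (offensive side), and whether any 2.0 session has been started recently (detection side). The optional-feature names, the mscorwks.dll path and the 30-day window are assumptions made for this example; Get-WindowsOptionalFeature needs an elevated prompt.

```powershell
# Added example, not from the cheat sheet. Assumes Windows 8 / Server 2012 or
# later, where the legacy engine ships as an optional feature.

function Test-PSv2Engine {
    # Feature names assumed: MicrosoftWindowsPowerShellV2Root / MicrosoftWindowsPowerShellV2
    $features = Get-WindowsOptionalFeature -Online -ErrorAction SilentlyContinue |
        Where-Object { $_.FeatureName -like 'MicrosoftWindowsPowerShellV2*' }
    [PSCustomObject]@{
        # mscorwks.dll is the .NET 2.0/3.5 CLR the v2 engine runs on (path assumed)
        DotNet35Present = Test-Path 'C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll'
        V2FeatureState  = ($features | ForEach-Object { "$($_.FeatureName)=$($_.State)" }) -join ', '
    }
}

function Find-PSDowngradeEvents {
    param([int]$Days = 30)
    # Event ID 400 is written for every engine start and names the EngineVersion
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Windows PowerShell'
        Id        = 400
        StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'EngineVersion=2\.0' } |
    ForEach-Object {
        # HostApplication= carries the command line that launched the session
        $hostApp = if ($_.Message -match 'HostApplication=(.+)') { $Matches[1].Trim() } else { '' }
        [PSCustomObject]@{
            Time            = $_.TimeCreated
            HostApplication = $hostApp
        }
    }
}

Test-PSv2Engine
Find-PSDowngradeEvents -Days 30 | Format-Table -AutoSize
```

A host where Test-PSv2Engine reports the feature as Disabled or absent cannot be downgraded, and every row Find-PSDowngradeEvents returns on a workstation where nobody should be running the 2.0 engine is worth a ticket.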

Resources

Basic Enumeration

systeminfo

Hotfixes

Get-HotFix | Format-List
Get-HotFix -Id KB4023834
Get-HotFix | measure
  • Get-HotFix reads Win32_QuickFixEngineering, so it only lists updates installed through Windows servicing; sort on InstalledOn to see how stale the host is

Creating Objects From Previous cmdlets

Get-ChildItem | Select-Object -Property Mode, Name
  • Select-Object also takes the following parameters to pick particular objects:
  • -First x - gets the first x objects
  • -Last x - gets the last x objects
  • -Unique - drops duplicate objects
  • -Skip x - skips the first x objects

Checking the Stopped Services (Get-Service returns services, not processes)

Get-Service | Where-Object -Property Status -eq Stopped

Sort Object

Get-ChildItem | Sort-Object

Find File Recursive

Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue | findstr /i "interesting-file.txt"
Get-ChildItem -Path C:\ -Include *.doc,*.docx -File -Recurse -ErrorAction SilentlyContinue
  • -Include only filters when paired with -Recurse (or a wildcard in -Path); -ErrorAction SilentlyContinue hides the access-denied errors from directories you cannot read
  • Hash File
Get-FileHash -Algorithm md5 .\interesting-file.txt.txt
  • Without -Algorithm, Get-FileHash defaults to SHA-256

See all Cmdlets Installed

Get-Command | Where-Object -Property CommandType -eq Cmdlet | measure

Users

  • See users on the system
net users
Get-LocalUser
  • See what user a SID belongs to (RID 500 is the built-in Administrator and 501 the Guest account, whatever they have been renamed to)
Get-LocalUser -SID "S-1-5-21-1394777289-3961777894-1791813945-501"
  • Pull a value from users: list every property first, then select the one you want
Get-LocalUser | Select-Object *
Get-LocalUser | Select-Object Name, PasswordRequired

Groups

  • See Groups
Get-LocalGroup
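The Users and Groups sections above each give one cmdlet; the following is an added example (not from the cheat sheet) that joins them into one object per local account with the flags that matter for privilege escalation and the groups the account sits in. It assumes the LocalAccounts module (Windows 10 / Server 2016 and later) and identifies the Administrators group by its well-known SID so it works on non-English systems.

```powershell
# Added example, not from the cheat sheet. Assumes the LocalAccounts module.

function Get-LocalUserReport {
    $adminSid    = 'S-1-5-32-544'     # BUILTIN\Administrators, independent of display language
    $groupsBySid = @{}                # member SID -> group names
    $adminSids   = @{}                # member SIDs that are local admins

    foreach ($group in Get-LocalGroup) {
        # Get-LocalGroupMember fails on groups holding orphaned SIDs; skip those
        $members = Get-LocalGroupMember -SID $group.SID -ErrorAction SilentlyContinue
        foreach ($m in $members) {
            $sid = $m.SID.Value
            if (-not $groupsBySid.ContainsKey($sid)) { $groupsBySid[$sid] = @() }
            $groupsBySid[$sid] += $group.Name
            if ($group.SID.Value -eq $adminSid) { $adminSids[$sid] = $true }
        }
    }

    foreach ($u in Get-LocalUser) {
        $sid = $u.SID.Value
        [PSCustomObject]@{
            Name             = $u.Name
            Enabled          = $u.Enabled
            PasswordRequired = $u.PasswordRequired
            PasswordExpires  = $u.PasswordExpires      # $null means the password never expires
            LastLogon        = $u.LastLogon
            IsLocalAdmin     = $adminSids.ContainsKey($sid)
            Groups           = ($groupsBySid[$sid] -join ', ')
            SID              = $sid
        }
    }
}

# Usual triage order: admins first, then enabled accounts
Get-LocalUserReport | Sort-Object IsLocalAdmin, Enabled -Descending | Format-Table -AutoSize
```

Accounts that are Enabled, IsLocalAdmin and PasswordRequired=False are the first thing to try; groups are resolved once up front so the report does not call Get-LocalGroupMember per user.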

IP Address Information / TCP/UDP Connections

Get-NetIPAddress
Get-NetTCPConnection
Get-NetTCPConnection | Where-Object -Property State -eq Listen
Get-NetUDPEndpoint
  • View all listening TCP ports together with the process that owns them
Get-NetTCPConnection -State Listen | Select-Object LocalAddress, LocalPort, OwningProcess
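OwningProcess is only a PID; as an added example (not from the cheat sheet), the function below resolves each listening TCP socket and bound UDP endpoint to a process name and image path and flags the ones reachable from other hosts. It assumes the NetTCPIP module (Windows 8 / Server 2012 and later); the System32 filter in the usage line is this example's own heuristic.

```powershell
# Added example, not from the cheat sheet. Assumes the NetTCPIP module.

function Get-ListenerReport {
    # Cache the process table once and look up by PID
    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    $tcp = Get-NetTCPConnection -State Listen |
        Select-Object @{n='Proto'; e={'TCP'}}, LocalAddress, LocalPort, OwningProcess
    $udp = Get-NetUDPEndpoint |
        Select-Object @{n='Proto'; e={'UDP'}}, LocalAddress, LocalPort, OwningProcess

    foreach ($s in @($tcp) + @($udp)) {
        if (-not $s) { continue }                  # empty pipeline on one family
        $p = $procs[[int]$s.OwningProcess]
        [PSCustomObject]@{
            Proto   = $s.Proto
            Local   = "$($s.LocalAddress):$($s.LocalPort)"
            # 0.0.0.0 / :: is reachable from the network; 127.0.0.1 / ::1 is local only
            Exposed = $s.LocalAddress -in @('0.0.0.0', '::')
            PID     = $s.OwningProcess
            Process = if ($p) { $p.ProcessName } else { '<unknown>' }
            # Path is $null for protected/system processes when not elevated
            Path    = if ($p) { $p.Path } else { $null }
        }
    }
}

# Network-exposed listeners that do not run out of System32 deserve a look
Get-ListenerReport |
    Where-Object { $_.Exposed -and $_.Path -notlike 'C:\Windows\System32\*' } |
    Sort-Object Proto, Local | Format-Table -AutoSize
```

Run it elevated to get image paths for SYSTEM services; a listener whose Path is null or outside the Windows directory is the usual place to find a backdoor or a misconfigured service.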

Base64 Powershell Decode

certutil -decode "C:\Users\Administrator\Desktop\b64.txt" decode.txt
Get-Content decode.txt
  • certutil -decode expects the input file to contain only base64 (with or without -----BEGIN/END----- markers) and writes the raw bytes to the output file; it is a well-known LOLBin and this invocation is widely alerted on
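Decoding in-process avoids both the temp file and the certutil alert, and handles the encoding trap that the file route does not: powershell.exe -EncodedCommand payloads are UTF-16LE, so decoding them as UTF-8 yields text with a NUL after every character. This is an added example, not code from the cheat sheet; the sample command below is constructed for it.

```powershell
# Added example, not from the cheat sheet.

function ConvertFrom-Base64Text {
    param([Parameter(Mandatory)][string]$Base64)
    # Drop whitespace/newlines that survive copy-paste and restore stripped padding
    $clean = $Base64 -replace '\s', ''
    switch ($clean.Length % 4) { 2 { $clean += '==' } 3 { $clean += '=' } }
    $bytes = [Convert]::FromBase64String($clean)

    # UTF-16LE ASCII text has a 0x00 in every odd byte position
    $looksUtf16 = ($bytes.Length -ge 2) -and ($bytes.Length % 2 -eq 0) -and ($bytes[1] -eq 0)
    if ($looksUtf16) {
        [Text.Encoding]::Unicode.GetString($bytes)
    } else {
        [Text.Encoding]::UTF8.GetString($bytes)
    }
}

# Constructed sample: a command encoded the way -EncodedCommand expects it
$cmd = 'Get-Process | Select-Object -First 3'
$enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($cmd))
$enc                                    # what shows up in a command line or log
ConvertFrom-Base64Text -Base64 $enc     # recovers $cmd

# Decode the same file the certutil line above targets
ConvertFrom-Base64Text -Base64 (Get-Content 'C:\Users\Administrator\Desktop\b64.txt' -Raw)
```

If the decoded text is itself base64 again (nested encoding is common in droppers), pipe the result back through the function until it stops decoding.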

Find backup Files

Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

Find specific string inside a file

Get-ChildItem -Path C:\ -Recurse -File -ErrorAction SilentlyContinue | Select-String -Pattern API_KEY -ErrorAction SilentlyContinue | Select-Object Path, LineNumber, Line
  • Restrict the pipeline to files (-File); feeding directories and large binaries into Select-String is slow and produces errors
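The Find File Recursive, Find backup Files and Find specific string sections are normally run together, so here is one pass that does all three and hashes every hit for cross-host matching. This is an added example, not code from the cheat sheet; the extension list, secret patterns, search roots and 5 MB size cap are the example's own choices.

```powershell
# Added example, not from the cheat sheet. Roots, patterns and limits are assumptions.

function Find-InterestingFiles {
    param(
        [string[]]$Roots = @('C:\Users', 'C:\inetpub', 'C:\ProgramData'),
        [int]$MaxSizeMB = 5
    )
    # File names worth collecting regardless of content
    $nameHints = '*.bak*', '*.old', '*.config', '*.ini', '*.kdbx', '*.pem', '*.ppk',
                 '*.ps1', 'unattend*.xml', '*.rdp', '*password*', '*secret*'
    # Things that look like credentials (regex is case-insensitive by default)
    $secretRegex = 'API[_-]?KEY|password\s*[=:]|passwd|BEGIN (RSA|OPENSSH|EC) PRIVATE KEY|AKIA[0-9A-Z]{16}'
    # Only grep extensions that are text, so Select-String is not fed binaries
    $textExt = '.txt', '.bak', '.old', '.config', '.ini', '.xml', '.ps1', '.json', '.log', '.cfg', '.yml', '.yaml', '.rdp'

    Get-ChildItem -Path $Roots -Include $nameHints -File -Recurse -Force -ErrorAction SilentlyContinue |
        Sort-Object FullName -Unique |
        ForEach-Object {
            $f = $_
            $hits = @()
            if ($textExt -contains $f.Extension.ToLower() -and $f.Length -le ($MaxSizeMB * 1MB)) {
                $hits = Select-String -Path $f.FullName -Pattern $secretRegex -ErrorAction SilentlyContinue |
                    Select-Object -First 3 -ExpandProperty Line
            }
            [PSCustomObject]@{
                Path       = $f.FullName
                SizeKB     = [math]::Round($f.Length / 1KB, 1)
                Modified   = $f.LastWriteTime
                SHA256     = (Get-FileHash -Algorithm SHA256 -Path $f.FullName -ErrorAction SilentlyContinue).Hash
                SecretHits = ($hits | ForEach-Object { $_.Trim() }) -join ' | '
            }
        }
}

# Everything found, then just the files with credential-looking lines
$found = Find-InterestingFiles
$found | Format-Table Path, SizeKB, Modified -AutoSize
$found | Where-Object { $_.SecretHits } | Format-Table Path, SecretHits -AutoSize
```

Keep the roots narrow on a real engagement; walking all of C:\ with -Force is slow and noisy, and the hashes let you check whether the same config or key file turns up on other hosts.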

Services and Processes

Get-Service
Get-Process

Scheduled Tasks

Get-ScheduledTask -TaskName new-sched-task
Get-ScheduledTask
  • The Actions property of a task shows what it actually executes; Get-ScheduledTaskInfo gives the last and next run time and the last result
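Get-ScheduledTask on its own lists names and states but not commands; as an added example (not from the cheat sheet) the following flattens every task to one row per action with the executable, arguments, run-as account and run level, which is what you need both for persistence hunting and for spotting a SYSTEM task that runs a writable script. It assumes the ScheduledTasks module (Windows 8 / Server 2012 and later); the "outside the Windows directory" filter in the usage line is this example's own heuristic.

```powershell
# Added example, not from the cheat sheet. Assumes the ScheduledTasks module.

function Get-TaskReport {
    param([switch]$IncludeMicrosoft)     # built-in tasks live under \Microsoft\
    Get-ScheduledTask | Where-Object {
        $IncludeMicrosoft -or $_.TaskPath -notlike '\Microsoft\*'
    } | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo -ErrorAction SilentlyContinue
        foreach ($a in $task.Actions) {
            # Exec actions have Execute/Arguments; COM-handler actions only expose a ClassId
            $exe = if ($a.Execute) { $a.Execute } else { "COM:$($a.ClassId)" }
            [PSCustomObject]@{
                Task       = "$($task.TaskPath)$($task.TaskName)"
                State      = $task.State
                RunAs      = $task.Principal.UserId
                RunLevel   = $task.Principal.RunLevel      # Highest = runs elevated
                Execute    = $exe
                Arguments  = $a.Arguments
                LastRun    = $info.LastRunTime
                LastResult = $info.LastTaskResult
            }
        }
    }
}

# Tasks whose binary lives outside the Windows directory are the ones to inspect
Get-TaskReport |
    Where-Object { $_.Execute -notmatch '^(%SystemRoot%|C:\\Windows)' } |
    Format-Table -AutoSize
```

For each row where RunAs is SYSTEM and Execute points at a script or binary, check the ACL on that file (see the Get-Acl section): if your user can write it, the task runs your code at its next trigger.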

See Owner and Access

Get-Acl C:\
  • The default table view truncates the Access column; pipe to Format-List or expand the Access property to read the individual ACEs (principal, rights, Allow/Deny, inherited or not)
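Reading one ACL is rarely the goal; the question is which directories a low-privileged user can write to, because that is what DLL hijacking, unquoted service paths and PATH-directory abuse depend on. The function below is an added example, not code from the cheat sheet; the list of "weak" principals and the default search roots (PATH entries plus the top-level Program Files directories) are assumptions made for it.

```powershell
# Added example, not from the cheat sheet. Principals and roots are assumptions.

function Find-WritableDirs {
    param([string[]]$Paths)
    if (-not $Paths) {
        $Paths = ($env:Path -split ';' | Where-Object { $_ }) +
                 (Get-ChildItem 'C:\Program Files', 'C:\Program Files (x86)' -Directory -ErrorAction SilentlyContinue).FullName
    }
    # Principals that every authenticated user effectively holds
    $weak = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'
    # Specific rights that let you create or replace content, or rewrite the ACL itself.
    # Modify and FullControl include these bits, so they match too.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'CreateFiles, CreateDirectories, ChangePermissions, TakeOwnership'
    # Some ACEs carry unmapped generic rights: GENERIC_WRITE | GENERIC_ALL
    $genericWrite = 0x40000000 -bor 0x10000000

    foreach ($dir in $Paths | Sort-Object -Unique) {
        if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
        $acl = Get-Acl -LiteralPath $dir -ErrorAction SilentlyContinue
        if (-not $acl) { continue }
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($weak -notcontains $ace.IdentityReference.Value) { continue }
            $rights = [int]$ace.FileSystemRights
            if ((($rights -band $writeMask) -ne 0) -or (($rights -band $genericWrite) -ne 0)) {
                [PSCustomObject]@{
                    Directory = $dir
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

Find-WritableDirs | Format-Table -AutoSize
```

A writable PATH directory that precedes System32 lets you shadow a binary a privileged process calls by bare name; a writable Program Files subdirectory is where to look for a service executable you can replace. Deny ACEs are skipped here for brevity, so confirm a hit by actually creating a file in the directory.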

Scanners

  • Localhost port scanner
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("127.0.0.1",$_)) "Port $_ is open!"} 2>$null
  • PowerShell port scanner:
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.100",$_)) "Port $_ is open!"} 2>$null
  • Test-NetConnection scan a range of IPs for a single port:
foreach ($ip in 1..20) {Test-NetConnection -Port 80 -InformationLevel "Detailed" 192.168.1.$ip}
  • PS IP range & port range scanner:
1..20 | % { $a = $_; 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.0.0.$a",$_)) "Port $_ is open!"} 2>$null}
  • PS test egress filtering (allports.exposed answers on every TCP port, so each "open" line is a port your egress filter allows out):
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("allports.exposed",$_)) "Port $_ is open!"} 2>$null
  • These one-liners work because Connect() throws when a port is closed and 2>$null hides the error; on a filtered port Connect() blocks until the TCP connect timeout (about 20 s), so scanning a firewalled host this way is very slow
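The one-liners above wait the full TCP timeout on every filtered port. The function below is an added example, not code from the cheat sheet: it uses BeginConnect with an explicit per-port timeout, distinguishes Open from Closed (RST) from Filtered (no answer), and returns objects you can sort and export. The target addresses, the default port list and the 300 ms timeout are example values.

```powershell
# Added example, not from the cheat sheet. Targets, ports and timeout are assumptions.

function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string[]]$Hosts,
        [int[]]$Ports = @(21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 1433, 3306, 3389, 5985, 5986, 8080),
        [int]$TimeoutMs = 300,
        [switch]$ShowAll           # also emit Closed/Filtered/Error rows
    )
    foreach ($h in $Hosts) {
        foreach ($p in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            $state  = 'Filtered'                        # nothing came back within the timeout
            try {
                $async = $client.BeginConnect($h, $p, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                    try {
                        $client.EndConnect($async)      # throws on RST, i.e. the port is closed
                        $state = 'Open'
                    } catch {
                        $state = 'Closed'
                    }
                }
            } catch {
                $state = 'Error'                        # e.g. name resolution failed
            } finally {
                $client.Close()                         # also abandons a still-pending connect
            }
            if ($ShowAll -or $state -eq 'Open') {
                [PSCustomObject]@{ Host = $h; Port = $p; State = $state }
            }
        }
    }
}

# Same sweep as the IP-range one-liner above, with a bounded wait per port
$targets = 1..20 | ForEach-Object { "10.0.0.$_" }
Test-TcpPorts -Hosts $targets | Format-Table -AutoSize

# Egress check: every port reported Open is one the firewall lets out
Test-TcpPorts -Hosts 'allports.exposed' -Ports (1..1024) -TimeoutMs 1000
```

Raise the timeout for targets across a WAN link, and remember that each connect still completes a full handshake, so this is as visible to the target's logs as the one-liners are.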