- Powershell is build with .NET Framework. You can execute .NET fucntions from PS. the output of these functions are objectes (somehow object-oriented).
- The normal format of cmdlet is Verb-Noun. Example: Get-Command. Common verbs include: Get / Start / Stop / Read / Write / New / Out.
- learn more about verbs here: https://learn.microsoft.com/en-us/powershell/scripting/developer/cmdlet/approved-verbs-for-windows-powershell-commands?view=powershell-7.3&viewFallbackFrom=powershell-7
- Get-Help and Get-Command is your friend.
- You can use -Example with Get-Help to give an idea of how to use any cmdlet.
Get-Commandprint out all the installed cmdlet. It has pattern match. Get-Command Verb-* *-Noun- Just like bash passing output between cmdlets is done with
|Remember, in PS we pass an OBJECT and not TEXT. - Objects has methods and properties.
- You can use Where-Object to specificy wich objects to match a very specific value.
Verb-Noun | Where-Object -Property PropertyNAme -operator Value.Verb-Nound | Where-Object {$_.PropertyName -operator Value} - You can use -Conatins , -EQ, -GT, you know what they mean. for a list of Operators: https://learn.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-7.3&viewFallbackFrom=powershell-6
- Enumerating with powershell: users, basic networking information, file permisions, registry permissions, scheduled and running tasks, insecure files.
- Get-localuser and to get its SID we do
get-localuser -Name "Guest" | Select-Object sid - Find the content of a backup file inside the a machine:
Get-ChildItem -Path c:\ -Recurse | Where-Object {$_.Name -like '*backup*'} - The
$_.is like-Property Select-Objectis used to select specific properties from a given object often passed by a pipe |- to exclude dll
-Exclude *.dll* - Search for specific string in all files:
Get-ChildItem -Path c:\ -Recurse -File | Select-String -Pattern "API_KEY" Get-contentis liketype- Variables is PS:
$VariableName = Value - scripting in powershell cheatsheet: https://learnxinyminutes.com/docs/powershell/
- Powershell port scanner:
$ports = 1..1000
$ipAdresses = 1..254
foreach ($ip in $ipAdresses) {
foreach($port in $ports){
Test-NetConnection 127.0.0.$ip -Port $port | Select-Object -Property TcpTestSucceeded
}
}- Start-process can be used to start a process
- Get hash of file:
Get-FileHash -Algorithm MD5 .\powerview.ps1 | Select-Object -Property Hash | Format-Table -HideTableHeaders. The latest part gives you the hash only - Bypass execution policy.
PS C:\Users\Walter> Get-ExecutionPolicy -list
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Unrestricted
PS C:\Users\Walter>Set-ExecutionPolicy Bypass
PS C:\Users\Walter> Get-ExecutionPolicy -list
Scope ExecutionPolicy
----- ---------------
MachinePolicy Undefined
UserPolicy Undefined
Process Undefined
CurrentUser Undefined
LocalMachine Bypass
- if you set
-scopeexecutionpolicy will be bypassed only for the current session. it can be useful if there's a cron job that scans for execution policies evey now and then. Get-HotFixcan be used to check for missing updates. it can be used along withFormat-TableorFormat-List- Example of
Get-HotFix:Get-HotFix | Where-Object {$_.InstalledOn -like "*5/15/2019*"} - One of the most important command in powerview:
Get-NetComputerenumerate systems connected to the domain.(Get-NetComputer).samaccountname - Find-DomainShare will list all available shares. If you do
-CheckShareAccessreadable shares will be shown.