Over the last decade, PowerShell has come to be used for almost everything on the Windows platform, and we as pentesters can also use it as a powerful post-exploitation tool/language that gives us a great deal of capability and a very large attack surface.
It can also be leveraged to run “file-less” malware: non-binary payloads that anti-virus (AV) solutions cannot easily detect.
Microsoft has also made PowerShell available for non-Windows platforms using .NET Core. Recently, Offensive Security added PowerShell to Kali Linux.
So, what is PowerShell? Let’s begin. This blog is divided into three parts:
- Base-I
- Base-II (to be read after Base-I)
- Conclusion (for readers who already have a Windows target and no time to waste)
PowerShell is a scripting language built on the .NET framework. The core of PowerShell is the cmdlets (command-lets), which basically help us with everything on a Windows platform.
Cmdlets are basically the objects in PowerShell.
And we know that objects in programming languages have properties as well as methods.
The same is true of cmdlets.
Each cmdlet has properties and methods.
The basic structure is Verb + Noun.
Here, Get-Process is a cmdlet. Forget about what it does for now.
Now remember that you don’t need to memorize any command. Our motto is the concept.
Get-Help is the only cmdlet we will learn about.
The only difference between professionals and beginners is that professionals know how to figure things out, while beginners just mug up everything. So, guys, let’s make a habit of becoming professionals; we too will figure things out when stuck.
BASE-I
Now, just fire up your PowerShell and get started.
What’s the noun you want to search for? Think about it for a while, then just put Get-Help in front of it, with wildcard characters.
For example, I want to list all the processes on the system; maybe “process” is the noun here, so let’s do Get-Help with wildcards.
Get-help *process*
Yeah, I got tons of commands. Now, using some basic common sense, we can see that “get-process” matches the task we want to perform, right?
But wait, let’s verify it.
Get-help get-process
OK, this is cool!
So what do we have to do every time? Just close your eyes and
“Think about something you want to do, then type it and get it.”
Some people like me hate reading those long manual pages, but what we love are short and concise examples.
Examples are really close to what you want to do, and here is how we can get them.
Get-help Get-Process -Examples
See, there are enough of them, and they cover basically everything we want to do.
Then there is one more way to use Get-Help, and it is the most handy and easy to use.
How about getting the whole help system, with examples, in one place with just one command?
Here it is:
get-help get-process -showWindow
A nice UI will pop up in front of you.
Go to the settings at the top right and select only the things you want to see.
Here, I only want to see examples.
See, it gives us the whole help system in one place, filtered down to just the examples.
Isn’t it awesome?
PowerShell is very flexible for its users.
BASE-II
The next command I want to show you lists all the commands on the system itself.
Let’s search for it.
Get-help *command*
Here, Get-Command matches what we want, so I’m going with it.
Get-help Get-command | more
Also, Windows is case-insensitive, and more is a familiar command for Linux users too, right?
Finally, to list all the commands on the system, type the following command:
Get-command | more
It lists all the aliases, functions and cmdlets.
OK, I will show you the cmdlets alone.
Get-Command -CommandType Cmdlet | more
Here, I have added the command type as a parameter (the accepted value is the singular Cmdlet). You can always use get-help get-command -Full or get-help get-command -ShowWindow to see the full help for Get-Command.
Windows gives its users everything they want. And yes, if you just need the core commands and don’t want all the tricks, Windows has already given a list of them.
Get-help *command*
There are some help files about commands at the bottom of that list.
Get-help about_core_commands
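As an added example (not from the original post), here is a small function that automates the Base-I/Base-II workflow above: take a noun you have in mind, let Get-Command find matching Verb-Noun commands, and pull each one's synopsis and example count from Get-Help so you can pick the right cmdlet without reading every manual page. The function name and parameters are my own, and it assumes local help content is installed (run Update-Help once if the Synopsis and Examples columns come back empty).

```powershell
# Added example, not code from the original post. Function name and
# parameters are assumptions of this example.
# Assumes help content is present locally (Update-Help) for full output.
function Find-CmdletByNoun {
    [CmdletBinding()]
    param(
        # The noun you have in mind, e.g. "process" or "service"
        [Parameter(Mandatory)]
        [string]$Noun,

        # Restrict to compiled cmdlets, like Get-Command -CommandType Cmdlet
        [switch]$CmdletsOnly
    )

    # Get-Command understands the Verb-Noun structure, so we match on the
    # noun alone instead of scanning whole names with Get-Help *process*.
    $params = @{ Noun = "*$Noun*"; ErrorAction = 'SilentlyContinue' }
    if ($CmdletsOnly) { $params['CommandType'] = 'Cmdlet' }

    foreach ($cmd in (Get-Command @params | Sort-Object Name)) {
        # Same text as "Get-Help <name>" at the prompt; we keep only the
        # one-line synopsis and count how many examples the help ships with.
        $help = Get-Help -Name $cmd.Name -ErrorAction SilentlyContinue
        $examples = $help.examples.example
        $exampleCount = if ($examples) { @($examples).Count } else { 0 }

        [pscustomobject]@{
            Name     = $cmd.Name
            Verb     = $cmd.Verb
            Type     = $cmd.CommandType
            Module   = $cmd.ModuleName
            Synopsis = ($help.Synopsis -replace '\s+', ' ').Trim()
            Examples = $exampleCount
        }
    }
}

# Usage: the same search the post does with "Get-Help *process*", as a table
Find-CmdletByNoun -Noun process -CmdletsOnly | Format-Table -AutoSize

# Once a cmdlet is picked, the post's next step is unchanged:
#   Get-Help Get-Process -Examples
```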
CONCLUSION
Now, maybe you are a Linux user who knows nothing about PowerShell and hates reading. But still, you have got a shell on a Windows system and are now ready for post-exploitation.
So, here is a list of PowerShell commands collected from various corners of the Internet that could be helpful during penetration tests or red team exercises.
Powershell Commands for Pentesters
I’m sure that this will help you a lot.
For readers who want to dive into PowerShell with me, I will be back with scripting, remoting, and some more cool things.
See you in my next blog. Till then, take care!