Section 3 Module 2 PowerShell Fundamentals
2.2 Cmdlets
2.3 Modules
2.4 Scripts
2.5 Objects
Penetration Testing Professional 5.0 – Caendra Inc. © 2018
By the end of this module, you should have a better understanding of:
http://radar.oreilly.com/2013/06/powershell-command-line-introduction.html
C:\Windows\System32\WindowsPowerShell\*
Although our examples are shown on Windows 10, all of the steps
will be similar for Windows 7 and other versions of Windows,
unless otherwise noted.
-ExecutionPolicy
The PowerShell execution policy determines which scripts, if any, we can run. It is
not a security boundary: it can easily be disabled with the “Bypass” or “Unrestricted”
arguments.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_script_blocks?view=powershell-6
https://technet.microsoft.com/en-us/library/cc764318.aspx
https://msdn.microsoft.com/en-us/library/ms714395(v=vs.85).aspx
https://www.petri.com/understanding-the-powershell-pipeline
https://github.com/rebootuser/LinEnum
We would get the same exact results by simply just running “Get-ChildItem.”
As we can see, the “Get-ChildItem” cmdlet has three aliases, “dir,” “gci,”
and “ls.”
Another alias you’ll see quite often in pipeline operations is “select,” which is an
alias for the “Select-Object” cmdlet.
For this, we can pipe all of the output to the “Export-Csv” cmdlet and save the
results in CSV format. Note that the objects are passed through “Select-Object *”
rather than “Format-List”: Export-Csv needs the objects’ properties, and Format-List
emits formatting data that would produce an unusable CSV file:
PS C:\> Get-WmiObject -Class Win32_OperatingSystem | Select-Object * | Export-Csv C:\host_info.csv
In the example below, we search for files of a .txt extension within a user's
“Documents” directory, containing the string “pass*” in their contents:
PS C:\> Select-String -Path C:\users\user\Documents\*.txt -Pattern pass*
Running it without parameters or arguments simply returns a three-column list of
all services.
we’ve seen before, with the “Sort-Object” cmdlet. In this example, all services
starting with “s*” are listed in descending order, sorted by the “Status” property.
As we can see, there are many ways and variations of using
cmdlets, pipelines and aliases we can leverage to conduct tasks
that are relevant to our objectives, and different ways to craft
commands we can use to achieve similar results.
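As an added example (not from the course material), the cmdlet, alias, pipeline and Export-Csv pieces discussed above combined into a small service inventory; the output path is a constructed sample value.

```powershell
# Added example: inventory auto-start services and save them as CSV.
# $OutFile is a constructed sample path, not one used by the course.
$OutFile = 'C:\service_inventory.csv'

# Full cmdlet names: filter, sort, pick properties, export.
Get-WmiObject -Class Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' } |        # auto-start services only
    Sort-Object -Property State, Name |               # group by State, then by Name
    Select-Object Name, DisplayName, State, StartName, PathName |
    Export-Csv -Path $OutFile -NoTypeInformation

# The same pipeline using aliases (gwmi, ?, sort, select) gives identical results.
gwmi Win32_Service | ? { $_.StartMode -eq 'Auto' } | sort State, Name |
    select Name, DisplayName, State, StartName, PathName |
    Export-Csv -Path $OutFile -NoTypeInformation

# Select-Object (not Format-List) must sit in front of Export-Csv: Format-List
# emits formatting objects rather than the service properties.
# Read the file back and count services per state and per logon account.
Import-Csv -Path $OutFile | Group-Object State | Select-Object Name, Count
Import-Csv -Path $OutFile | Group-Object StartName | Sort-Object Count -Descending |
    Select-Object Name, Count
```

Auto-start services that are stopped, or that run under a non-system account, are the rows a defender would review first in the resulting CSV.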
https://msdn.microsoft.com/en-us/library/dd878324(v=vs.85).aspx
• Binary Modules
• Manifest Modules
https://github.com/PowerShellMafia/PowerSploit/archive/master.zip
For our purposes, we’ll use the local user’s module path, which is:
C:\users\user\Documents\WindowsPowerShell\Modules
PS C:\> Get-Module
For the most part, we’ll be dealing with the .ps1 file.
* You may have to bypass the current execution policy (as shown earlier) before you execute the script of your choosing.
The above script simply takes a file name as an argument, stores it in a variable
called “$file,” and runs the “Get-Content” cmdlet on that variable.
In other words, a loop will repeatedly execute the code in its body until a
conditional statement returns “False” or there is no additional data to process.
• for()
• foreach()
• while()
• do {something} while()
• do {something} until()
In the first line, we’re creating a variable called “$services” which holds the
collection of objects returned by running the “Get-Service” cmdlet. We then use the
“foreach()” loop statement to create a new variable, “$service,” which holds each
object of the $services collection in turn, and finally, we’re telling PowerShell to
return the name of each $service with the “.Name” property in the loop body, between
the {} braces.
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/where-object?view=powershell-6
PS C:\Users\user\Desktop> .\Scan-Ports.ps1
2. We’ve determined the methods that are available for use with the
objects that were returned by using the “Get-Process | Get-Member”
cmdlet and pipeline.
3. And we’ve decided that the “Kill” method is the method we’d like
to use for that process (as an example).
https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object?view=powershell-6
https://msdn.microsoft.com/en-us/library/system.type(v=vs.110).aspx
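The following is an added example, not the course’s Scan-Ports.ps1, that ties together the loop constructs, the object/method discussion and New-Object above: it creates a .NET TcpClient object for each port, calls its methods, and emits result objects that work with the pipeline. The host, port list and timeout are constructed sample defaults.

```powershell
# Added example: TCP reachability check for a host you administer.
# Demonstrates foreach(), New-Object, and calling methods on the returned
# object (the methods Get-Member would list for System.Net.Sockets.TcpClient).
param(
    [string]$ComputerName = '127.0.0.1',          # constructed sample default
    [int[]]$Ports = @(22, 80, 443, 3389, 5985),   # constructed sample list
    [int]$TimeoutMs = 500
)

# Assigning a foreach() statement collects every object emitted in its body.
$results = foreach ($port in $Ports) {
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        # BeginConnect() returns an IAsyncResult, which lets us enforce a timeout
        # instead of blocking on Connect() for a filtered port.
        $async = $client.BeginConnect($ComputerName, $port, $null, $null)
        if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            $client.EndConnect($async)   # throws if the connection was refused
            $open = $true
        }
    } catch {
        $open = $false                   # refused or otherwise failed
    } finally {
        $client.Close()                  # always release the socket
    }

    # Emit an object, not text, so Sort-Object/Export-Csv can consume it.
    New-Object PSObject -Property ([ordered]@{
        ComputerName = $ComputerName
        Port         = $port
        Open         = $open
    })
}

$results | Sort-Object Port | Format-Table -AutoSize
```

Running it with `.\Check-Ports.ps1 -ComputerName host -Ports 80,443` from a directory in which scripts are allowed to execute prints one row per port with the Open column set to True or False.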
3. The “$file” variable is then used as the location to which we want to save
the payload on the target system.
Get-Command: https://ss64.com/ps/get-command.html
Pipeline: https://en.wikipedia.org/wiki/PowerShell#Pipeline
PowerSploit: https://github.com/PowerShellMafia/PowerSploit
New-Object: https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/new-object?view=powershell-6