PowerShell for Beginners
Post taken from: https://learn.security10x.com/powershell-for-hackers-series/powershell-for-hackers
Information based on John Hammond's Windows PowerShell videos
Part 1: https://youtu.be/TUNNmVeyjW0
Part 2: https://youtu.be/vO0P3JuItcM
Part 3: https://youtu.be/gLCqSHbXgKI
Part 1
Basics
Let's start with basic navigation in PowerShell.
Note:
PowerShell is case-insensitive.
Commands (like dir, cd, cls, clear) are called cmdlets in PowerShell terms. To clear the output in the shell, you can use CTRL+L, cls, clear, or Clear-Host.
A cmdlet in PowerShell has a Verb-Noun structure (for example Get-ChildItem or Clear-Host).
Aliases
There are many commands that are aliases for a specific cmdlet in PowerShell. For example, dir is an alias for the cmdlet Get-ChildItem.
Similarly, there are other aliases. To find them, type either Get-Alias or alias. You can also type gal, the alias for Get-Alias itself.
You can narrow a long listing by piping it to Select-Object with parameters such as -First #, -Last #, or -Index #. Please replace the # sign with a number. Remember, PowerShell starts counting from 0, so -Index 0 is the first entry.
You can keep piping and get a more fine-grained result. You can drill down and find more and more properties of a specific command that may be useful in a specific situation.
You can do the same things in a different way (the PowerShell way).
Get Help
We can get help on any cmdlet using the Get-Help cmdlet.
If you are unsure of the command you're looking for, you can use a wildcard such as the star (*). For example, Get-Command *printer* lists every command whose name contains the word printer, with anything before or after it.
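The alias and help sections above are easiest to learn by running the commands against a real session. The following is an added example, not code from the original post or from the videos it summarizes; everything in it is read-only, and the comments showing which aliases come back reflect a Windows session (ls is not an alias on Linux or macOS).

```powershell
# Added example: discovering cmdlets, aliases and help. Read-only, safe to run anywhere.

# Which cmdlet does a familiar alias point to?
Get-Alias dir                         # dir -> Get-ChildItem
(Get-Alias dir).Definition            # just the cmdlet name, as a string

# The reverse question: every alias that maps to a given cmdlet.
Get-Alias -Definition Get-ChildItem   # dir, gci (and ls on Windows)

# Narrow a long listing with Select-Object. -Index is zero-based.
Get-Alias | Select-Object -First 5
Get-Alias | Select-Object -Last 3
Get-Alias | Select-Object -Index 0    # the very first alias in the list

# Drill into the properties an object carries, then keep only the ones you need.
Get-Alias dir | Get-Member
Get-Alias | Select-Object -Property Name, Definition -First 5

# Find commands by wildcard, by verb, or by noun (all three accept wildcards).
Get-Command *printer*
Get-Command -Verb Get -Noun *Item     # Get-ChildItem, Get-Item, ...
Get-Command -Noun ExecutionPolicy     # Get-ExecutionPolicy, Set-ExecutionPolicy

# Read the help, only its examples, or just one parameter's description.
Get-Help Get-ChildItem
Get-Help Get-ChildItem -Examples
Get-Help Get-ChildItem -Parameter Path
```

If Get-Help only prints a short stub, the local help files have not been downloaded yet; Update-Help (run once, from an elevated shell on Windows PowerShell) fetches them.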
Part 2
Output & File Operations
Creating a file in PowerShell:
echo $null > hello.txt      # create an empty file
echo "Hey" > hello1.txt     # create a file with some text
cat filename and type filename show the contents of a file.
File Listing
Get-ChildItem | Format-List lists the files and folders. You can also use gci | fl if you don't want to type the full command. Get-ChildItem | Format-List * lists a very detailed output with every property. Get-ChildItem | Format-Wide lists only the names of the files and folders, in columns.
You can format the output in many ways. Get-ChildItem | Out-GridView opens an interactive window that gives you many options to filter your dataset.
Move Command
mv is the Linux way to move a file, and it also works in PowerShell, because mv is an alias for the Move-Item cmdlet. Similarly, there are other Linux-style commands such as cp, rm and more.
We can remove a file or a directory using the command rm. Please note that to remove more than one item you need to separate the paths with a comma: rm .\hello\, .\hello2\
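The file operations of Part 2, carried through in one script as an added example (not code from the original post). It uses the full cmdlet names that the aliases resolve to, works inside a scratch folder under $env:TEMP so nothing else on the machine is touched, and the file and folder names are made up for the demo.

```powershell
# Added example: create, read, list, move, copy and remove files in a scratch folder.
$work = Join-Path $env:TEMP 'ps-basics-demo'        # demo location, assumed writable
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Create files: an empty one, and one with content (the cmdlet form of echo > file).
New-Item -ItemType File -Name hello.txt -Force | Out-Null
Set-Content -Path hello1.txt -Value 'Hey'
Add-Content -Path hello1.txt -Value 'second line'  # append instead of overwrite

# Read them back. cat and type are both aliases of Get-Content.
Get-Content hello1.txt
(Get-Content hello1.txt).Count                     # number of lines, 2 here

# List with different formatters and compare how much each one shows.
Get-ChildItem | Format-Wide -Column 2
Get-ChildItem | Format-List Name, Length, LastWriteTime
Get-ChildItem | Format-List *                      # every property, very verbose

# Move and copy using the cmdlets behind mv and cp.
New-Item -ItemType Directory -Path hello, hello2 -Force | Out-Null
Move-Item -Path hello1.txt -Destination hello\
Copy-Item -Path hello.txt -Destination hello2\greeting.txt

# Remove several items at once: the comma turns -Path into an array of paths.
# -WhatIf previews what would be deleted; the second call actually deletes.
# -Recurse is required for directories that are not empty.
Remove-Item -Path .\hello\, .\hello2\ -Recurse -WhatIf
Remove-Item -Path .\hello\, .\hello2\ -Recurse

Get-ChildItem                                      # only hello.txt is left

# Clean up the scratch folder.
Set-Location $env:TEMP
Remove-Item -Path $work -Recurse -Force
```

The -WhatIf switch is worth the habit: it is supported by every cmdlet that changes state (Remove-Item, Move-Item, Set-Content, and so on) and shows exactly which paths a wildcard or comma-separated list expanded to before anything is deleted.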
Part 3
Profile & Execution Policy
You can create a PowerShell profile to customize your environment and to add session-specific elements to every PowerShell session that you start. It is similar to the .bashrc file in Linux.
A PowerShell profile is a script that runs when PowerShell starts. You can use the profile as a logon script to customize the environment. You can add commands, aliases, functions, variables, snap-ins, modules, and PowerShell drives. You can also add other session-specific elements to your profile so they are available in every session without having to import or re-create them. Read more here.
Before we can create and run our own scripts in PowerShell, we need to learn a little about the Execution Policy. Remember to start PowerShell with Run as Administrator.
PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.
There are several PowerShell execution policies. The default policy is Restricted for Windows clients. Get help in PowerShell with help Set-ExecutionPolicy -detailed. Two of the policies are described below.
Default
- Sets the default execution policy: Restricted for Windows clients, RemoteSigned for Windows servers.
RemoteSigned
- The default execution policy for Windows server computers.
- Scripts can run.
- Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet, which includes email and instant messaging programs.
- Doesn't require digital signatures on scripts that are written on the local computer and not downloaded from the internet.
- Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.
- Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.
In our case, we need to set RemoteSigned as our policy to run scripts on a Windows client.
Let's first check the currently set policy in my current profile. Here it is RemoteSigned, but usually it is Restricted.
The Set-ExecutionPolicy RemoteSigned cmdlet changes the currently set policy.
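Part 3 as one runnable walk-through, added here as an example that is not code from the original post: it reads the effective execution policy and the scope it comes from, sets RemoteSigned for the current user, shows the Zone.Identifier stream that RemoteSigned uses to recognise a downloaded script, and creates a profile. The downloaded-file path and the Get-Greeting function are made up for the demo.

```powershell
# Added example: execution policy and profile on a Windows client.

# 1. Which policy applies, and from which scope? The list is in precedence order;
#    the first scope that is not Undefined decides.
Get-ExecutionPolicy                 # effective policy, e.g. Restricted on a fresh client
Get-ExecutionPolicy -List           # MachinePolicy, UserPolicy, Process, CurrentUser, LocalMachine

# 2. Allow locally written scripts for this user only. The CurrentUser scope does not
#    need an elevated shell and leaves other accounts on the machine untouched.
#    Without -Scope, LocalMachine is changed, which is why the post says Run as Administrator.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. RemoteSigned decides "downloaded from the internet" by the Zone.Identifier
#    alternate data stream (the mark of the web) that browsers and mail clients
#    attach to a file. Get-Content can display it; Unblock-File removes it.
$downloaded = "$env:USERPROFILE\Downloads\example.ps1"   # assumed path for the demo
if (Test-Path $downloaded) {
    # Prints the zone stream if the file carries one, otherwise nothing.
    Get-Content -Path $downloaded -Stream Zone.Identifier -ErrorAction SilentlyContinue
    # Removing the stream is what makes RemoteSigned accept the unsigned script,
    # so it belongs after the script has been read, not before:
    # Unblock-File -Path $downloaded
}

# 4. The profile: a script this host runs for this user at every start.
$PROFILE                            # path of the CurrentUser/CurrentHost profile
if (-not (Test-Path $PROFILE)) {
    New-Item -ItemType File -Path $PROFILE -Force | Out-Null
}
# Append a small function and an alias; both exist in every new session from now on.
Add-Content -Path $PROFILE -Value @'
function Get-Greeting { "Hello from $env:USERNAME on $env:COMPUTERNAME" }
Set-Alias -Name greet -Value Get-Greeting
'@

# 5. Dot-source the profile to load it into the current session, then try the alias.
. $PROFILE
greet
```

Two things to keep in mind when reading the policy list. First, a MachinePolicy or UserPolicy entry comes from Group Policy and cannot be overridden with Set-ExecutionPolicy; the cmdlet will tell you so. Second, Microsoft's own documentation describes the execution policy as a safety feature rather than a security boundary: it prevents accidentally running untrusted scripts, not a deliberate user, so in a defended environment it sits alongside script signing, script block logging and application control rather than replacing them.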