Defender's Notes
PowerShell for Beginners


Last updated 4 years ago


Post taken from: https://learn.security10x.com/powershell-for-hackers-series/powershell-for-hackers

Information based on John Hammond's Windows PowerShell videos:

Part 1: https://youtu.be/TUNNmVeyjW0

Part 2: https://youtu.be/vO0P3JuItcM

Part 3: https://youtu.be/gLCqSHbXgKI

Part 1

Basics

Let's start with basic navigation in PowerShell.

Screenshot (not preserved): simple navigation in PowerShell.

Note:

  • PowerShell is case-insensitive.

  • Commands like dir, cd, cls and clear are aliases of what PowerShell calls cmdlets.

  • To clear the output in the shell, you can use CTRL+L, cls, clear, or Clear-Host.

  • Cmdlet names follow a Verb-Noun structure (for example, Get-ChildItem).

Aliases

Many commands in PowerShell are aliases for a specific cmdlet. For example, dir is an alias for the cmdlet Get-ChildItem.

Similarly, there are other aliases. To find them, type either Get-Alias or alias.

You can also type gal, which is itself the alias for Get-Alias.

Arguments such as -First #, -Last # and -Index # narrow the output; replace the # sign with a number. Remember that PowerShell starts counting from 0.

You can keep piping and get a more fine-grained result.

You can drill down and find more and more properties regarding a specific command that may be used in a specific situation.

You can do the same things in a different, more PowerShell-like way:

Get Help

We can get help with the Get-Help cmdlet.

If you are unsure of the exact command you're looking for, use a wildcard such as the star (*). For example, Get-Command *printer* lists every command that has the word printer anywhere in its name, with text before it, after it, or both.
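The alias, pipeline and help commands from the two sections above, worked through in one session. This is an added example, not code from the original post or from the videos it summarizes; it assumes Windows PowerShell 5.1 or PowerShell 7 with the default built-in aliases present.

```powershell
# Added example (not from the original post): exploring aliases, cmdlet
# naming and Get-Help. Assumes the default built-in aliases are present.

# Which cmdlet does 'dir' point to?
Get-Alias dir                               # -> Get-ChildItem

# The reverse question: which aliases point to Clear-Host? (cls and clear)
Get-Alias -Definition Clear-Host

# The full alias table, narrowed down step by step through the pipeline
Get-Alias | Select-Object -First 5          # first five entries
Get-Alias | Select-Object -Last 3           # last three entries
Get-Alias | Select-Object -Index 0          # zero-based: the very first entry
Get-Alias | Where-Object Definition -like 'Get-*' | Sort-Object Name

# Every result is an object; ask it which properties you can filter on
Get-Alias dir | Get-Member -MemberType Property

# Cmdlets follow Verb-Noun, so you can search by verb, noun or wildcard
Get-Command -Verb Get -Noun *Item*
Get-Command *printer*                       # anything with "printer" in its name

# Help for a cmdlet, its examples, and a single parameter
Get-Help Get-ChildItem
Get-Help Get-ChildItem -Examples
Get-Help Get-ChildItem -Parameter Filter
```

Get-Alias -Definition is the quickest way to confirm what a short command really runs before you paste it from a blog or a ticket into an administrative session.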

Part 2

Output & File Operations

Creating a file in PowerShell:

  • echo $null > hello.txt # creates an empty file (the > redirection is what writes the file)

  • echo "Hey" > hello1.txt # creates a file with some text

  • cat filename and type filename show the contents of a file.

File Listing

  • Get-ChildItem | Format-List lists the files and folders. You can also use gci | fl if you don't want to type the full command.

  • Get-ChildItem | Format-List * lists every property of each item, a very detailed output.

  • Get-ChildItem | Format-Wide lists the files and folders.

You can format the output in many ways. Get-ChildItem | Out-GridView opens a grid window with many options to filter your dataset.

Move Command

mv is the Linux way of moving files, and it also works in PowerShell: mv is an alias for the Move-Item cmdlet. Similarly, there are other aliases such as cp, rm and more.

We can remove a file or a directory with the command rm. Note that to remove more than one item you separate the paths with a comma: rm .\hello\, .\hello2\.
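The file operations of Part 2 (creating, reading, listing, moving, copying and removing) in one walk-through. This is an added example, not code from the original post; it works inside a throw-away directory under $env:TEMP whose name (ps-beginners-demo) is made up here, so nothing else on the machine is touched.

```powershell
# Added example (not from the original post). Runs in a scratch directory
# under $env:TEMP; the directory name is constructed for this demo.
$work = Join-Path $env:TEMP 'ps-beginners-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Location $work

# Create files: the > redirection is what actually writes to disk
echo $null > hello.txt                                   # empty file
echo "Hey" > hello1.txt                                  # file with content
Set-Content -Path hello2.txt -Value 'Hey again'          # the cmdlet way

# Show file contents (cat and type are both aliases of Get-Content)
cat hello1.txt
Get-Content hello2.txt

# Listing: the same objects, different formatting
Get-ChildItem | Format-List                              # gci | fl
Get-ChildItem | Format-List *                            # every property
Get-ChildItem | Format-Wide -Column 3
Get-ChildItem | Select-Object Name, Length, LastWriteTime | Format-Table -AutoSize
# Out-GridView opens a GUI filter window (Windows desktop sessions only):
# Get-ChildItem | Out-GridView

# Move, copy, remove (mv, cp and rm are aliases of these cmdlets)
New-Item -ItemType Directory -Path hello, hello2 | Out-Null
Move-Item hello.txt hello\hello.txt
Copy-Item hello1.txt hello2\copy.txt
Remove-Item .\hello\, .\hello2\ -Recurse -WhatIf         # preview what would go
Remove-Item .\hello\, .\hello2\ -Recurse                 # comma-separated paths

# Clean up the scratch directory
Set-Location $env:TEMP
Remove-Item $work -Recurse
```

The -WhatIf switch is worth making a habit with rm and its friends: it prints what the command would delete without deleting anything, which matters when a path list includes a wildcard or a directory you did not mean to include.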

Part 3

Profile & Execution Policy

You can create a PowerShell profile to customize your environment and to add session-specific elements to every PowerShell session that you start. It is similar to the .bashrc file in Linux.

Before we can create and run our own scripts in PowerShell, we need to learn a little about the Execution Policy. Remember to start PowerShell with Run as Administrator.

PowerShell's execution policy is a safety feature that controls the conditions under which PowerShell loads configuration files and runs scripts. This feature helps prevent the execution of malicious scripts.

Default

  • Sets the default execution policy.

  • Restricted for Windows clients.

  • RemoteSigned for Windows servers.

RemoteSigned

  • The default execution policy for Windows server computers.

  • Scripts can run.

  • Requires a digital signature from a trusted publisher on scripts and configuration files that are downloaded from the internet which includes email and instant messaging programs.

  • Doesn't require digital signatures on scripts that are written on the local computer and not downloaded from the internet.

  • Runs scripts that are downloaded from the internet and not signed, if the scripts are unblocked, such as by using the Unblock-File cmdlet.

  • Risks running unsigned scripts from sources other than the internet and signed scripts that could be malicious.

In our case, on a Windows client, we need to set RemoteSigned as our policy in order to run our scripts.

Let's first check the policy currently set in my profile. Here it is already RemoteSigned, but usually it is Restricted.

The command Set-ExecutionPolicy RemoteSigned changes the currently set policy.

Screenshot captions from Part 1 (the images themselves are not preserved): aliases; notice that clear and cls have the same cmdlet; getting the output based on the Name (i.e. an object in PowerShell); passing arguments to the cmdlet; piping for a specific result.

A PowerShell profile is a script that runs when PowerShell starts. You can use the profile as a logon script to customize the environment. You can add commands, aliases, functions, variables, snap-ins, modules, and PowerShell drives. You can also add other session-specific elements to your profile so they are available in every session without having to import or re-create them.

There are several execution policies. The default policy is Restricted for Windows clients. You can read about them from within PowerShell with help Set-ExecutionPolicy -detailed.

Read more here: PowerShell execution policies.
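The Part 3 procedure end to end: check the policy at every scope, switch to RemoteSigned, then create and load a profile. This is an added example, not code from the original post or the videos; it assumes Windows PowerShell on a Windows client, and the alias and function written into the profile are made up for illustration.

```powershell
# Added example (not from the original post): execution policy and profile.
# Assumes Windows PowerShell on a Windows client.

# Effective policy, and the policy at every scope (the first scope that is
# not Undefined, from top to bottom, is the one that applies)
Get-ExecutionPolicy
Get-ExecutionPolicy -List

# RemoteSigned for the current user only: no elevation is needed and the
# machine-wide setting stays as the administrator left it.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

# A script downloaded from the internet carries a zone mark and is blocked
# under RemoteSigned unless it is signed. Read it first; then, if you trust
# it, clear the mark (file name is a placeholder):
# Unblock-File .\downloaded-script.ps1

# The profile is itself a script, so under Restricted it would not load.
# Create it (the path is in $PROFILE) if it does not exist yet.
if (-not (Test-Path $PROFILE)) {
    New-Item -ItemType File -Path $PROFILE -Force | Out-Null
}

# Add an alias and a function that every new session will have
# (both are constructed for this example)
Add-Content -Path $PROFILE -Value @'
Set-Alias ll Get-ChildItem
function Get-ListeningPorts { Get-NetTCPConnection -State Listen | Sort-Object LocalPort }
'@

# Reload the profile without restarting, then check what it defined
. $PROFILE
Get-Alias ll
Get-Command Get-ListeningPorts

# Built-in documentation for the cmdlet used above
help Set-ExecutionPolicy -Detailed
```

Scoping the change to CurrentUser is the conservative choice: it gives you what the post needs (your own scripts run) without loosening the policy for every account on the machine, and Get-ExecutionPolicy -List shows you afterwards exactly which scope is now in effect.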