Penetration testing

PowerShell For Pentesters Part 2: The Essentials of PowerShell

Introduction

PowerShell represents one of the most interesting and powerful languages for a pentesting purpose as we explained in the first part of this lab series.

For the first part of this series of labs, we discovered together an introduction to PowerShell and CMDLETS, which represent one of the most importing things to learn before beginning to think about using PowerShell for a pentesting purpose.

Earn two pentesting certifications at once!

Enroll in one boot camp to earn both your Certified Ethical Hacker (CEH) and CompTIA PenTest+ certifications — backed with an Exam Pass Guarantee.

View Pricing

In this article, we will try to discover the essentials of this beautiful and powerful language.

Operators

The first thing that we will discover together represents operators.

Operators in PowerShell is closely similar in what we find in some other scripting language, here are the most critical operators that we will discover together.

Figure 1: Operators in PowerShell

For more details about the role of each operator you can visit the official documentation:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/?view=powershell-6

Let's take a tour to discover the utilization of operators.

First, let's discover some basic operators like addition (+) or multiplication (*), it's used simply, as we can see in the following screenshot:

Figure 2: Basic Operators (+ and -)

We can also use arithmetic operators, precisely the addition one with Strings (that will do a concatenation between strings or between strings and numeric characters, or multiplication (*) with a string character (it will multiplicate the number of characters), which can be very useful for us in a fuzzing context, let's see that:

Figure 3: Arithmetic Operators (+ and *) with Strings

We can also use it with variables.

To declare variables, you can do it with a "$" sign before the name of your variable. Here's an example of creating variables (in our example the variable "var" is created using "$var" and manipulate them using assignation operators (very similar to assignment operators present in other languages):

Figure 4: Creating and manipulating a variable with PowerShell using assignment operators

Let's discover another operator. This time, it will be comparison operators.

Let's discover some interesting operators which represent:

-eq: Equal operator (Usage: $var1 -eq $var2 | Return: True or False)
-gt: Greater than (Usage: $var1 -gt $var2 | Return: True or False)
-match: Find if there is a string match in a phrase or a text in general

(Usage: $Text -match $String | Return: True or False)
-replace: Replace a string with another

(Usage: $Text --replace $ToBeReplaced,$ToBeReplacedWith | Return: True or False)
-in: Test if a string or a number is present in a text/list (declaring lists is straightforward: () )

And here's how we can manipulate it with some examples:

Figure 5: Comparison operators

More information can be found here:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_comparison_operators?view=powershell-6

We can also use redirection operators, and there are the most interesting ones:

>: Sends output to a specified file (usage: Get-Process > output.txt)
>>: Appends the output of a script to a specific file (Usage: test.ps1 >> output.txt)
2>: Sends errors to a specific file (Get-Process none 2> Errors.txt)
2>>: Append errors to a specific file (Get-Process none 2>> logs-Errors.txt)

Here are some examples using these operators:

Figure 6: Example of redirection operators

Let's discover some last operators that can be very useful to us in our pentesting context.

Let's begin with some logical operators like the XOR (-xor), the and (-and) and the or (-or) one:

Figure 7: Example of logical operators

Here's also an example of the split (-split) and join (-join) operator:

Figure 8: Example of the join and split operators

And finally, with some examples of type operators like the "-is" that help us to test the type of a variable/value and return a True or False state, and "-as" that convert to us the type of an object:

Figure 9: Example of type operators

For more information, about all the operators and how to use them, don't hesitate to visit:

https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_operators?view=powershell-6

Arrays

Declaring Arrays on PowerShell is very simple. We can do it by using the following syntax:

$Array = value1, value2, value3

The type of value (we can see it by using the method GetType()) and in PowerShell, there are two kinds of types; the adaptative ones and Adaption types (Access to alternate object systems like WMI).

And when we will build our array and try to get its type, we will find Object[] that refer to an array.

An array type also has special methods to manipulate it like length() one.

Figure 10: Arrays with PowerShell

Conditional statements

Using conditional statements with PowerShell is also very simple. Let's discover how to use them together.

First, let's talk about the IF/ELSE statement. We can use them on PowerShell by using the following syntax:

If($var {comparison_statement} $var2) { What_To_Do)}

Else {what_to_do_if_not}

Here are some examples of how to use it:

Figure 11: IF/ELSE Conditional Statement with PowerShell

There is also a very interesting statement with is the switch one, and what's very interesting with this statement is that it supports many useful parameters like -Wildcard or -Regex on or even -File one which can be very useful inspecting a log file to search for specific information.

You can use it by the following syntax:

Switch (condition_X) { conditionX {what to do} conditionY {what to do} default {default_action} }

Or using parameters

Switch -ParameterX -ParameterY <File/Value/…> {What_To_Do}

Let's discover this together, see the following screenshot:

Figure 12: Switch statement with PowerShell

Loops

Let's discover how to use loops with PowerShell. Like what we discovered, loops can be used very simply and there are many possibilities.

Here are some loops that exist on PowerShell:

While () {}
Do {} While()
For(;;;) {}

Here are some examples using loops with PowerShell:

Figure 13: Loops with PowerShell

We can also use it to manipulate CMDLETS results like the following:

Figure 14: Loops with CMDLETS

There is also an awesome thing! We can use some loop CMDLETS like Where-Object (which help us to test all objects return by a CMDLET respecting specific condition) or ForEach-Object that will help us to browse all object and test them if necessary, and it that can be very useful. You can find more information about this by analyzing help result in CMDLETS or one official documentation.

Here's how to do it:

Figure 15: Loop CMDLT

Conclusion

As we saw PowerShell represent one of the most interesting and powerful languages, and the best is yet to come

In this next lab, we will try to cover the functions and scripting basics with PowerShell and then, we will start exploiting PowerShell properly in different real pentest use cases ^^

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

Brace yourself; the best is coming J

Posted: June 26, 2018

Kondah Hamza

View Profile

Kondah Hamza is an expert in it security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them in strengthening of their security. Today, he offers his services mainly as Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.