From aldeid

What is PowerShell?

Windows PowerShell is a shell initially developed by Microsoft for the purposes of task automation and configuration management. PowerShell is now an open source project, and it can be installed on Windows, macOS, and Linux platforms. This shell is based on the .NET framework, and it includes a command-line shell and a scripting language.

Most PowerShell commands, called cmdlets, are written in .NET. Unlike other scripting languages and shell environments, these cmdlets output objects rather than text.

Cmdlet names follow a Verb-Noun format:


  • Command: Invoke-WebRequest
  • Verb: Invoke
  • Noun: WebRequest

Common verbs to use include:

  • Get
  • Start
  • Stop
  • Read
  • Write
  • New
  • Out
  • Invoke


Help on a command

To get help on a command, use the Get-Help command:

PS C:\Users\Administrator> Get-Help Invoke-WebRequest


    Gets content from a web page on the Internet.

    Invoke-WebRequest [-Uri] <Uri> [-Body <Object>] [-Certificate <X509Certificate>] [-CertificateThumbprint <String>]
    [-ContentType <String>] [-Credential <PSCredential>] [-DisableKeepAlive] [-Headers <IDictionary>] [-InFile
    <String>] [-MaximumRedirection <Int32>] [-Method {Default | Get | Head | Post | Put | Delete | Trace | Options |
    Merge | Patch}] [-OutFile <String>] [-PassThru] [-Proxy <Uri>] [-ProxyCredential <PSCredential>]
    [-ProxyUseDefaultCredentials] [-SessionVariable <String>] [-TimeoutSec <Int32>] [-TransferEncoding {chunked |
    compress | deflate | gzip | identity}] [-UseBasicParsing] [-UseDefaultCredentials] [-UserAgent <String>]
    [-WebSession <WebRequestSession>] [<CommonParameters>]

    The Invoke-WebRequest cmdlet sends HTTP, HTTPS, FTP, and FILE requests to a web page or web service. It parses the
    response and returns collections of forms, links, images, and other significant HTML elements.

    This cmdlet was introduced in Windows PowerShell 3.0.

    Online Version: http://go.microsoft.com/fwlink/?LinkId=821826

    To see the examples, type: "get-help Invoke-WebRequest -examples".
    For more information, type: "get-help Invoke-WebRequest -detailed".
    For technical information, type: "get-help Invoke-WebRequest -full".
    For online help, type: "get-help Invoke-WebRequest -online"

Get-Help examples

If you are interested in examples, use Get-Help <command> -examples:

PS C:\Users\Administrator> Get-Help Invoke-WebRequest -examples


    Gets content from a web page on the Internet.

    Example 1: Send a web request

    PS C:\>$R = Invoke-WebRequest -URI http://www.bing.com?q=how+many+feet+in+a+mile
    PS C:\>$R.AllElements | where {$_.innerhtml -like "*=*"} | Sort { $_.InnerHtml.Length } | Select InnerText -First 5
    innerText
    ---------
    1 =
    5280 feet
    1 mile

    This command uses the Invoke-WebRequest cmdlet to send a web request to the Bing.com site.

    The first command issues the request and saves the response in the $R variable.

    The second command gets the InnerHtml property when it includes an equal sign, sorts the inner HTML by length and
    selects the 5 shortest values. Sorting by the shortest HTML value often helps you find the most specific element
    that matches that text.
    Example 2: Use a stateful web service

    The first command uses the **Invoke-WebRequest** cmdlet to send a sign-in request. The command specifies a value
    of "FB" for the value of the *SessionVariable* parameter, and saves the result in the $R variable.When the command
    completes, the $R variable contains an **HtmlWebResponseObject** and the $FB variable contains a
    **WebRequestSession** object.
    PS C:\>$R=Invoke-WebRequest http://www.facebook.com/login.php -SessionVariable fb

    The second command shows the **WebRequestSession** object in the $FB variable.
    PS C:\>$FB

    The third command gets the first form in the **Forms** property of the HTTP response object in the $R variable,
    and saves it in the $Form variable.
    PS C:\>$Form = $R.Forms[0]

    The fourth command pipes the properties of the form in the $Form variable into a list by using the Format-List
    PS C:\>$Form | Format-List

    The fifth command displays the keys and values in the hash table (dictionary) object in the Fields property of the
    PS C:\>$Form.fields

    The sixth and seventh commands populate the values of the email and pass keys of the hash table in the **Fields**
    property of the form. You can replace the email and password with values that you want to use.
    PS C:\>$Form.Fields["email"]="[email protected]"
    $Form.Fields["pass"]="[email protected]"

    The eighth command uses the **Invoke-WebRequest** cmdlet to sign into the Facebook web service.The value of the
    *Uri* parameter is the value of the **Action** property of the form. The **WebRequestSession** object in the $FB
    variable (the session variable specified in the first command) is now the value of the *WebSession* parameter. The
    value of the *Body* parameter is the hash table in the Fields property of the form and the value of the *Method*
    parameter is POST. The command saves the output in the $R variable.
    PS C:\>$R=Invoke-WebRequest -Uri ("https://www.facebook.com" + $Form.Action) -WebSession $FB -Method POST -Body

    The full script, then, is as follows.
    PS C:\># Sends a sign-in request by running the Invoke-WebRequest cmdlet. The command specifies a value of "fb"
    for the SessionVariable parameter, and saves the results in the $R variable.

    $R=Invoke-WebRequest http://www.facebook.com/login.php -SessionVariable fb

    # Use the session variable that you created in Example 1. Output displays values for Headers, Cookies,
    Credentials, etc.


    # Gets the first form in the Forms property of the HTTP response object in the $R variable, and saves it in the
    $Form variable.

    $Form = $R.Forms[0]

    # Pipes the form properties that are stored in the $Forms variable into the Format-List cmdlet, to display those
    properties in a list.

    $Form | Format-List

    # Displays the keys and values in the hash table (dictionary) object in the Fields property of the form.


    # The next two commands populate the values of the "email" and "pass" keys of the hash table in the Fields
    property of the form. Of course, you can replace the email and password with values that you want to use.

    $Form.Fields["email"] = "[email protected]"
    $Form.Fields["pass"] = "[email protected]"

    # The final command uses the Invoke-WebRequest cmdlet to sign in to the Facebook web service.

    $R=Invoke-WebRequest -Uri ("https://www.facebook.com" + $Form.Action) -WebSession $FB -Method POST -Body

    When the command finishes, the **StatusDescription** property of the web response object in the $R variable
    indicates that the user is signed in successfully.
    PS C:\>$R.StatusDescription

    This example shows how to use the Invoke-WebRequest cmdlet with a stateful web service, such as Facebook.
    Example 3: Get links from a web page

    PS C:\>(Invoke-WebRequest -Uri "http://msdn.microsoft.com/en-us/library/aa973757(v=vs.85).aspx").Links.Href

    This command gets the links in a web page. It uses the Invoke-WebRequest cmdlet to get the web page content. Then
    it users the Links property of the HtmlWebResponseObject that Invoke-WebRequest returns, and the Href property of
    each link.


Get-Command lists all the commands (cmdlets and functions) installed on the current computer. You can filter the output using wildcards. The example below lists all commands with the verb "Invoke".

PS C:\Users\Administrator> Get-Command Invoke-*

CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Invoke-AsWorkflow                                             PSWorkflowUtility
Function        Invoke-Mock                                        3.4.0      Pester
Function        Invoke-OperationValidation                         1.0.1      Microsoft.PowerShell.Operation.Validation
Function        Invoke-Pester                                      3.4.0      Pester
Function        Invoke-RDUserLogoff                                           RemoteDesktop
Cmdlet          Invoke-ACMCertificateRenewal                       3.3.563.1  AWSPowerShell
Cmdlet          Invoke-BpaModel                                    1.0        BestPractices
Cmdlet          Invoke-CHMUserLogout                               3.3.563.1  AWSPowerShell
Cmdlet          Invoke-CimMethod                                              CimCmdlets
Cmdlet          Invoke-Command                                                Microsoft.PowerShell.Core
Cmdlet          Invoke-CommandInDesktopPackage                                Appx
Cmdlet          Invoke-DMSSchemaRefresh                            3.3.563.1  AWSPowerShell
Cmdlet          Invoke-DPExpression                                3.3.563.1  AWSPowerShell
Cmdlet          Invoke-DscResource                                 1.1        PSDesiredStateConfiguration
Cmdlet          Invoke-EMPChannelCredentialRotation                3.3.563.1  AWSPowerShell
Cmdlet          Invoke-EMPIngestEndpointCredentialRotation         3.3.563.1  AWSPowerShell
Cmdlet          Invoke-Expression                                             Microsoft.PowerShell.Utility
Cmdlet          Invoke-History                                                Microsoft.PowerShell.Core
Cmdlet          Invoke-Item                                                   Microsoft.PowerShell.Management
Cmdlet          Invoke-KMSDecrypt                                  3.3.563.1  AWSPowerShell
Cmdlet          Invoke-KMSEncrypt                                  3.3.563.1  AWSPowerShell
Cmdlet          Invoke-KMSReEncrypt                                3.3.563.1  AWSPowerShell
Cmdlet          Invoke-LMFunction                                  3.3.563.1  AWSPowerShell
Cmdlet          Invoke-LMFunctionAsync                             3.3.563.1  AWSPowerShell
Cmdlet          Invoke-R53DDomainTransfer                          3.3.563.1  AWSPowerShell
Cmdlet          Invoke-RDSDSqlStatement                            3.3.563.1  AWSPowerShell
Cmdlet          Invoke-RDSDStatement                               3.3.563.1  AWSPowerShell
Cmdlet          Invoke-RDSDStatementBatch                          3.3.563.1  AWSPowerShell
Cmdlet          Invoke-RestMethod                                             Microsoft.PowerShell.Utility
Cmdlet          Invoke-SECSecretRotation                           3.3.563.1  AWSPowerShell
Cmdlet          Invoke-SGCacheRefresh                              3.3.563.1  AWSPowerShell
Cmdlet          Invoke-SMREndpoint                                 3.3.563.1  AWSPowerShell
Cmdlet          Invoke-SMUiTemplateRendering                       3.3.563.1  AWSPowerShell
Cmdlet          Invoke-TroubleshootingPack                                    TroubleshootingPack
Cmdlet          Invoke-TXTDocumentAnalysis                         3.3.563.1  AWSPowerShell
Cmdlet          Invoke-WebRequest                                             Microsoft.PowerShell.Utility
Cmdlet          Invoke-WmiMethod                                              Microsoft.PowerShell.Management
Cmdlet          Invoke-WSManAction                                            Microsoft.WSMan.Management


Download a file

C:\> powershell -c "Invoke-WebRequest -Uri '' -OutFile 'C:\windows\temp\shell.exe'"

Search files

PS C:\> Get-ChildItem -Path C:\ -Recurse -Name *interesting-file.txt* -ErrorAction SilentlyContinue

Read file content

PS C:\Users\Administrator\Desktop> Get-Content 'c:\program files\interesting-file.txt.txt' 

MD5 / SHA1 hashes

Default algorithm (if not mentioned) is SHA1.

PS C:\Users\Administrator\Desktop> Get-Filehash 'C:\Program Files\interesting-file.txt.txt' 
PS C:\Users\Administrator\Desktop> Get-Filehash 'C:\Program Files\interesting-file.txt.txt' -Algorithm MD5 

Get current location (pwd)

PS C:\> Get-Location
PS C:\> pwd

Test existence of path

PS C:\> Test-Path C:\Users\Administrator\Documents\Passwords

Base64 decode file

PS C:\Users\Administrator\Desktop> $file = "C:\Users\Administrator\Desktop\b64.txt"
PS C:\Users\Administrator\Desktop> $data = Get-Content $file
PS C:\Users\Administrator\Desktop> [System.Text.Encoding]::Ascii.GetString([System.Convert]::FromBase64String($data))
this is the flag - ihopeyoudidthisonwindows
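
A more tolerant version of the decode above, as an added example that is not part of the original page: it reads the file with -Raw, strips whitespace so wrapped Base64 still decodes, and switches to UTF-16LE (the encoding PowerShell's -EncodedCommand uses) when the bytes look like it. The function name ConvertFrom-Base64File and the sample text are assumptions made for illustration.

```powershell
function ConvertFrom-Base64File {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path
    )

    # -Raw returns the file as one string instead of an array of lines.
    $text = Get-Content -LiteralPath $Path -Raw
    # Remove line breaks and spaces so wrapped Base64 is accepted.
    $b64 = $text -replace '\s', ''

    try {
        $bytes = [System.Convert]::FromBase64String($b64)
    }
    catch {
        throw "File '$Path' does not contain valid Base64: $($_.Exception.Message)"
    }

    # Heuristic (assumption): ASCII-range text stored as UTF-16LE
    # has a zero byte in every odd position.
    $looksUtf16 = ($bytes.Length -ge 2) -and (($bytes.Length % 2) -eq 0)
    for ($i = 1; $looksUtf16 -and ($i -lt $bytes.Length); $i += 2) {
        if ($bytes[$i] -ne 0) { $looksUtf16 = $false }
    }
    $encoding = if ($looksUtf16) { [System.Text.Encoding]::Unicode }
                else             { [System.Text.Encoding]::ASCII }

    [pscustomobject]@{
        Path     = $Path
        Encoding = $encoding.WebName
        Text     = $encoding.GetString($bytes)
    }
}

# Constructed sample: the same text encoded as ASCII and as UTF-16LE,
# with the Base64 wrapped every 20 characters.
$sample = 'constructed sample text'
$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'b64-sample.txt'
foreach ($enc in @([System.Text.Encoding]::ASCII, [System.Text.Encoding]::Unicode)) {
    $b64 = [System.Convert]::ToBase64String($enc.GetBytes($sample))
    ($b64 -replace '(.{20})', "`$1`r`n") | Set-Content -LiteralPath $tmp
    ConvertFrom-Base64File -Path $tmp
}
Remove-Item -LiteralPath $tmp
```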

Enumerate local users

PS C:\Users\Administrator\Desktop> Get-LocalUser

Name           Enabled Description
----           ------- -----------
Administrator  True    Built-in account for administering the computer/domain
DefaultAccount False   A user account managed by the system.
duck           True
duck2          True
Guest          False   Built-in account for guest access to the computer/domain

Identify user by SID

PS C:\Users\Administrator\Desktop> Get-LocalUser -SID S-1-5-21-1394777289-3961777894-1791813945-501
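
Because cmdlets return objects, the two lookups above can be combined into an account review, shown here as an added example that is not part of the original page: it takes Get-LocalUser output, extracts the relative identifier (RID) at the end of each SID, and labels the well-known built-in accounts. The function name Get-LocalUserAudit is an assumption made for illustration.

```powershell
function Get-LocalUserAudit {
    [CmdletBinding()]
    param(
        # Objects as returned by Get-LocalUser.
        [Parameter(Mandatory, ValueFromPipeline)] $User
    )
    begin {
        # Well-known RIDs of built-in local accounts.
        $builtIn = @{
            '500' = 'Built-in Administrator'
            '501' = 'Built-in Guest'
            '503' = 'DefaultAccount'
        }
    }
    process {
        # The RID is the last component of the SID string.
        $rid = ($User.SID.Value -split '-')[-1]
        [pscustomobject]@{
            Name            = $User.Name
            Enabled         = $User.Enabled
            RID             = [int]$rid
            WellKnown       = $builtIn[$rid]
            LastLogon       = $User.LastLogon
            PasswordLastSet = $User.PasswordLastSet
            SID             = $User.SID.Value
        }
    }
}

# Enabled accounts only, sorted so the built-in RIDs come first.
Get-LocalUser |
    Get-LocalUserAudit |
    Where-Object Enabled |
    Sort-Object RID |
    Format-Table Name, RID, WellKnown, LastLogon, PasswordLastSet -AutoSize
```

An enabled row with RID 501 (Guest), or an enabled account with an empty PasswordLastSet, is worth a closer look during a host review.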