Powershell Basics Part -1

           Basics Of Powershell - Part 1



PowerShell is used for task automation, configuration and scripting. Learning PowerShell makes our lives a lot easier than we think, and for a pentester, knowing the basics of PowerShell always pays off, since most organisations run Windows, and these are the small things that set you apart from the rest!

So let's dive into it.

Getting Started with Powershell :

Let's launch PowerShell.

Just search for "powershell" in the Windows search bar and hit Enter (Fig : 1.0).

Fig : 1.0 



To launch it as an administrator, right-click it and choose "Run as administrator", or simply press Ctrl+Shift+Enter.

Fig : 1.1


In Fig : 1.1 we can see our beautiful baby, PowerShell.

In Linux the things we execute are known as commands; here it is a bit different, they are known as commandlets (cmdlets). And there are literally thousands of commandlets that can be executed in PowerShell.

Before we get to execute these commandlets, we need to know the architecture or design of how they are organised. So let's get into it already!

Modules : 

Let's say that you have a lot of clothes on one shelf and all of a sudden you want party wear for a party; wouldn't it be tedious to search through them all? But what if your clothes were arranged so that some are kept aside as party wear, some for regular use and some as your gym clothes? Just the thought alone makes life a lot easier, doesn't it? The same idea is applied to modules. A module holds all the related commandlets and resources together. For instance, there is a module for DHCP, and it consists of all the commands that are used to work with DHCP.

Commandlets : 

All the commandlets in PowerShell follow the Verb-Noun format.

For instance : 

Get-NetIPAddress 

This displays the IP address configuration.

Note : 

Commandlets are case-insensitive, unlike commands in Linux.

To list all the commandlets that are installed on the computer system:

Get-Command

Fig : 1.2


In Fig : 1.2 we can see the list of all the commandlets installed on the system.

To count them we can use the pipe symbol with the measure function. If you are familiar with Linux commands then you probably know what the pipe symbol does, but anyway: the pipe symbol redirects the output that would be displayed on the screen to the next function, which is measure in our case, so that the measure function can process the output and count the items.

Commandlet :

Get-Command |  measure

Fig : 1.3


In Fig : 1.3 we can see that the count of all the commandlets from all the modules installed on the system is 1503.

Note : 

If we need to execute a commandlet in our PowerShell session, the module that particular commandlet belongs to must first be imported into the current session, and by default not all modules are imported into the session when PowerShell loads. What I want you to know is that the 1503 commandlets are just installed on the system and are ready to be imported so that we can use them in the current session.

Let's see the commandlets that are imported into the current session:

Commandlet :

Get-Command -ListImported

Fig : 1.4


Fig : 1.5


In Fig : 1.5 we can see the number of commandlets imported into the session, that is, the commandlets we can use in the current session.

To see the modules that are imported into the session:

Commandlet :

Get-Module

Fig : 1.6


In Fig : 1.6 we can see the three modules that are loaded by default when we fire up PowerShell on Windows 10; this need not be the case if you are not running Windows 10.

To list all the modules that are installed or available on the system:

Commandlet :

Get-Module -ListAvailable

Fig : 1.7



In Fig : 1.7 we can see the list of all the available modules, that is, the modules installed on the system.

Let's see how we can import an installed module into the session:

Commandlet : 

Import-Module [NameOfTheModule]

Fig : 1.8



In Fig : 1.8 we can see that we have successfully imported the module SmbShare into the session, which as a result loads the commandlets related to that module, so we can see the increase in the number of commandlets compared to Fig : 1.5, where there were only 302 commandlets.

To list the commandlets that belong to a particular module:

Commandlet :

Get-Command -Module SmbShare

Fig : 1.9


In Fig : 1.9 we can see the commandlets that were added to the session upon importing the module.


Importing a module before using its commandlets used to be required in older versions of PowerShell, where we couldn't use a commandlet if the module it belongs to wasn't imported. In newer versions of PowerShell, the module gets imported automatically when one of its commandlets is executed in that session.

Fig : 2.0


In Fig : 2.0 we can see that PowerShell automatically imported the module when one of its commandlets was executed.
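To put the commandlets from this section together, here is an added example script (not from the original post) that counts the commands usable in a session before and after importing a module, and then lists what the module contributed. It assumes the SmbShare module from the post is installed; the $ModuleName parameter and the use of the $PSModuleAutoloadingPreference variable are my additions, not something the post shows.

```powershell
# Added example, not from the original post: compare the commands available in
# the session before and after importing a module, using the cmdlets covered above.
# Assumes the SmbShare module is installed (it ships with Windows 10); pass any
# name shown by Get-Module -ListAvailable as -ModuleName.
param([string]$ModuleName = 'SmbShare')

# How many commands can the current session already use?
$before = (Get-Command -ListImported | Measure-Object).Count
"Commands imported before: $before"

# Is the module installed at all? -ListAvailable only reads the module
# directories on disk; it imports nothing.
if (-not (Get-Module -ListAvailable -Name $ModuleName)) {
    Write-Warning "Module '$ModuleName' is not installed on this system."
    return
}

# Import it explicitly (a newer PowerShell would also autoload it on first use).
Import-Module -Name $ModuleName

$after = (Get-Command -ListImported | Measure-Object).Count
"Commands imported after : $after (+$($after - $before))"

# What the module contributed, grouped by verb so the Verb-Noun pattern is visible.
Get-Command -Module $ModuleName |
    Group-Object -Property Verb |
    Sort-Object -Property Count -Descending |
    Format-Table -Property Name, Count -AutoSize

# Modules loaded now, with the number of commands each one exports.
Get-Module |
    Select-Object -Property Name, Version,
        @{ Name = 'Commands'; Expression = { $_.ExportedCommands.Count } }

# The preference variable behind automatic importing: unset by default, which
# behaves like 'All'; setting it to 'None' forces the explicit Import-Module above.
"Autoloading preference: $PSModuleAutoloadingPreference"
```

Save it as a .ps1 file and run it from a normal (non-elevated) session; the difference between the two counts is the same jump the post shows between Fig : 1.5 and Fig : 1.8.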

Wildcards : 

We can also use wildcards if we are unsure of the commandlet we want to use.

For instance :

To view all the commandlets related to DNS:

Commandlet :

Get-Command *dns*

Fig : 2.1



In Fig : 2.1 we can see the list of all the commandlets that have dns in their name; the position of the string 'dns' within the commandlet name doesn't matter.

To list all the commandlets that start with Get-Dns followed by anything:

Commandlet :

Get-Command Get-Dns*

Fig : 2.2



In Fig : 2.2 we can see the list of commandlets that start with Get-Dns.

To list all the commandlets that end with Address:

Commandlet : 

Get-Command *Address

Fig : 2.3



In Fig : 2.3 we can see all the commandlets that end with Address.
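The three wildcard searches above can be wrapped in a small helper that also reports which module each match belongs to and which kind of command it is. This is an added example, not from the original post; Find-CommandByPattern is my own function name, and the -Verb and -Noun searches go beyond what the post shows.

```powershell
# Added example, not from the original post: wildcard searches for commands,
# with the module and command type of every match, plus the -Verb/-Noun
# parameters that search the Verb-Noun structure directly.

function Find-CommandByPattern {
    # Helper name is an assumption of this example, not a built-in cmdlet.
    param(
        [string]$Pattern = '*dns*',
        [string]$CommandType = 'Cmdlet'   # or 'Function', 'Alias', 'All'
    )
    # With a wildcard in -Name, Get-Command returns nothing (no error) on no match.
    Get-Command -Name $Pattern -CommandType $CommandType -ErrorAction SilentlyContinue |
        Select-Object -Property Name, CommandType, ModuleName |
        Sort-Object -Property ModuleName, Name
}

# The same three searches as in the post:
Find-CommandByPattern -Pattern '*dns*'       # 'dns' anywhere in the name
Find-CommandByPattern -Pattern 'Get-Dns*'    # starts with Get-Dns
Find-CommandByPattern -Pattern '*Address'    # ends with Address

# The verb and noun halves can be matched separately instead of the whole name:
Get-Command -Verb Get -Noun Dns*
Get-Command -Noun *Address -CommandType Cmdlet

# How many matching commands each module provides.
Get-Command -Name '*dns*' -CommandType Cmdlet -ErrorAction SilentlyContinue |
    Group-Object -Property ModuleName |
    Select-Object -Property Name, Count
```

Searching with -CommandType Alias or All instead of Cmdlet is worth remembering: the same pattern can match an alias as well as a cmdlet, and the ModuleName column makes it obvious which one you are about to run.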

Getting Help for Commandlets :

Commandlet :

Get-Help

Fig : 2.4



In Fig : 2.4 we can see that upon executing Get-Help on its own we get the help for using the Get-Help commandlet itself :)

To get information about how to use a specific commandlet:

Commandlet : 

Get-Help cmdlet-name

Note : Running Get-Help with a commandlet name also makes PowerShell import the module that commandlet belongs to.

Fig : 2.5



In Fig : 2.5 we can see the syntax we can use with the commandlet. Notice also the Remarks we got at the end: PowerShell cannot find the help files for the commandlet on the system, and we can fix this with Update-Help, which downloads and updates the help files.

Note : One must have administrative-level access in order to use the Update-Help commandlet, so re-launch your PowerShell as an administrator if you are a regular user.

Commandlet :

Update-Help

Fig : 2.6


In Fig : 2.6 we can see the Update-Help commandlet at work.

Fig : 2.7


In Fig : 2.7 we can see a new Description block and Related Links added after updating the help files!

We can also use different options with the Get-Help commandlet, as the Remarks block shows.

Commandlet :

Get-Help Get-NetIpAddress -examples

Fig : 2.8


In Fig : 2.8 we can see examples of how to use the commandlet! I encourage you to try the other variations as well and find out which works best for you.

And the most verbose mode is -Full; it includes the examples and detailed option descriptions. We can also use -Online in case the commandlet's help has been updated online but not in the local help files, or if you find it easier to read it in a browser rather than in the PowerShell window.

Apart from these options we can also read the help in a separate window. It comes in handy when we often need to refer to it, as it saves us from scrolling back or executing the help commandlet again and again while we are working.

Commandlet : 

Get-Help Get-NetIPAddress -ShowWindow

Fig : 2.9


In Fig : 2.9 we can see the pop-up window beside our PowerShell console.
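Here is an added example (not from the original post) that ties the help section together: it checks whether local help exists for a commandlet, runs Update-Help only when the session is actually elevated, and then shows the -Examples, -Parameter and -Full views of the same topic. Test-IsAdministrator and Test-HelpIsLocal are my own helper names, and the check that a missing "description" section means help was never downloaded is an assumption of this example; Update-Help needs internet access, so on an offline machine Save-Help on a connected machine plus Update-Help -SourcePath is the route instead.

```powershell
# Added example, not from the original post: refresh local help only from an
# elevated session, then use several Get-Help views of Get-NetIPAddress.

function Test-IsAdministrator {
    # True when the current process token holds the local Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-HelpIsLocal {
    # Assumption of this example: without downloaded help files Get-Help only
    # shows auto-generated syntax, so the 'description' section is absent.
    param([string]$Name)
    $help = Get-Help -Name $Name -ErrorAction SilentlyContinue
    [bool]($help -and $help.description)
}

if (-not (Test-HelpIsLocal -Name 'Get-NetIPAddress')) {
    if (Test-IsAdministrator) {
        # Limit the download to the module that owns the cmdlet (NetTCPIP)
        # instead of refreshing help for every module on disk; -Force bypasses
        # the once-per-day limit on Update-Help.
        Update-Help -Module NetTCPIP -Force
    } else {
        Write-Warning 'Help files are missing; rerun this session as administrator to use Update-Help.'
    }
}

# Different views of the same help topic:
Get-Help Get-NetIPAddress -Examples                  # worked examples only
Get-Help Get-NetIPAddress -Parameter AddressFamily   # one parameter's description
Get-Help Get-NetIPAddress -Full |                    # everything, first 40 lines
    Out-String -Stream |
    Select-Object -First 40
```

The elevation check is the part worth keeping around: scripts that need administrative rights should test for them up front and say so, rather than failing halfway through with an access-denied error.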

Command History and aliases

There are a lot of cases where we would like to just re-run a command and feel too lazy to type the whole command again, and there are a lot of people out there like you and me, so we have been provided with a feature called Command History!

Commandlet : 

Get-History

Fig : 3.0


In Fig : 3.0 we can see the list of commandlets we have executed in the current session.

Now there are two ways to re-execute the commandlets that are saved in our history:

1) We can use the up and down arrow keys on our keyboard to navigate through the commandlets and re-execute them.

2) Let's say the Id of the command turns out to be 5 and there are over 400 commandlets saved in the history; then we don't want to hold the up arrow until it breaks or our finger goes numb. We can overcome this by executing the commandlet with the help of its Id.

Commandlet : 

Invoke-History -Id 8

Fig : 3.1 

 

In Fig : 3.1 we can see that we have re-executed the command saved in the history using its Id.

Generally, if we close the PowerShell session, all the history up to then is lost, which means PowerShell can only keep track of the commandlets for that particular session. But there is a third-party module which helps with persistent history, and that is PSReadLine. The PSReadLine module is imported by default if you are running PowerShell on Windows 10, but in other cases you might have to import the module manually.

We can view the properties, or the behaviour, of the PSReadLine module:

Commandlet :

Get-PSReadLineOption

Fig : 3.2


In Fig : 3.2 we can see the options that are set by default. We can see that MaximumHistoryCount is 4096, meaning that the module saves up to 4096 executed commands in the history. The history file is located at C:\Users\Username\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ with the name ConsoleHost_history.txt, and HistoryNoDuplicates is set to true, which means no commandlet in the history file is repeated: if the module sees a commandlet coming in which is already present in ConsoleHost_history.txt, it doesn't add it again. This keeps the history file small, and these options can be changed according to your preferences.

For instance :

To set the HistoryNoDuplicates option to false:

Commandlet : 

Set-PSReadLineOption -HistoryNoDuplicates:$false

To change the maximum number of commands kept in the history:

Commandlet : 

Set-PSReadLineOption -MaximumHistoryCount:4000

Fig : 3.3


In Fig : 3.3 we can see that we have successfully changed the maximum history count.

Now, if you know how the commandlet starts, you can simply type the beginning of the command and press the F8 key, and PowerShell will fill in the rest of the command for you.

Fig : 3.4


In Fig : 3.4 we can see that PowerShell has filled in the commandlet from the history file. The blue text denotes the characters we typed and the yellow text is what it filled in for us. If it's not the command you are looking for, simply press F8 again to move to the next history entry matching the characters you typed.

Now, let's say you don't remember the start of the commandlet but only remember a part of it. Then the F8 feature is of no use to you. But don't worry, PowerShell offers another feature for this: Ctrl+R.

Fig : 3.5


In Fig : 3.5 we can see that I knew there used to be a commandlet with the word option in it, so I simply pressed Ctrl+R and typed the word, and PowerShell found it for me from the history file entries.
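Since ConsoleHost_history.txt is a plain text file that outlives the session, anything typed at the prompt, including a password passed on a command line, ends up on disk where any process running as the same user can read it. The added example below (not from the original post) reads the PSReadLine options covered above, scans the existing history file for such lines, and registers a handler that keeps them out of the file from now on. It assumes PSReadLine 2.0 or later, which is what provides -AddToHistoryHandler, and the keyword list in $sensitive is a constructed starting point, not a complete one.

```powershell
# Added example, not from the original post: review the PSReadLine history
# settings, find saved commands that would reveal a credential, and stop such
# lines from being persisted. Assumes PSReadLine 2.0+ (-AddToHistoryHandler).

$options = Get-PSReadLineOption
"History file : $($options.HistorySavePath)"
"Max entries  : $($options.MaximumHistoryCount)"
"No duplicates: $($options.HistoryNoDuplicates)"

# Constructed keyword list (an assumption of this example): command lines that
# match it are likely to contain a secret typed in clear text.
$sensitive = 'password|passwd|-credential|secret|token|apikey|ConvertTo-SecureString'

function Find-SensitiveHistory {
    # Helper name is my own. Returns the line number and text of every history
    # entry that matches the keyword list; Select-String is case-insensitive.
    param([string]$Path = (Get-PSReadLineOption).HistorySavePath)
    if (-not (Test-Path -Path $Path)) { return @() }
    Select-String -Path $Path -Pattern $sensitive |
        Select-Object -Property LineNumber, Line
}

Find-SensitiveHistory | Format-Table -AutoSize

# The handler runs for every accepted command line; returning $false keeps that
# line out of the saved history. GetNewClosure() captures $sensitive so the
# handler still works after this script's scope is gone.
$handler = {
    param([string]$line)
    $line -notmatch $sensitive
}.GetNewClosure()
Set-PSReadLineOption -AddToHistoryHandler $handler

# The in-session history (Get-History) is separate from the PSReadLine file and
# can be filtered the same way Invoke-History's Id is looked up in the post.
Get-History |
    Where-Object { $_.CommandLine -like '*Get-Net*' } |
    Select-Object -Property Id, CommandLine
```

The handler only affects the current session; put the Set-PSReadLineOption call in your profile script if you want it every time. Recent PSReadLine versions (2.1 and later) ship a default handler of this kind, so on an up-to-date machine the scan of older entries is the part that still adds something.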

Aliases :

An alias is nothing but an alternate name; in PowerShell it is an alternate name for a cmdlet.

For instance :

clear

clear is clearly not a PowerShell cmdlet, as every PowerShell cmdlet follows the Verb-Noun syntax, right? Then how come we can execute it successfully? And yes, you are right: it is an alias for a cmdlet.

To view all the aliases in PowerShell:

Commandlet :

Get-alias

Fig : 3.6



In Fig : 3.6 we can see the list of all the aliases in PowerShell.

To view the real cmdlet that gets executed when an alias is run:

Commandlet :

Get-alias alias-name

Fig : 3.7


In Fig : 3.7 we can see that clear is an alias of the cmdlet Clear-Host.

To list all the aliases of a cmdlet:

Commandlet : 

Get-alias -Definition Clear-Host

Fig : 3.8


In Fig : 3.8 we can see that there are two aliases for the cmdlet Clear-Host.

Setting New alias :

We can set a new alias of our own choosing, whatever suits you.

Let's create an alias for the cmdlet Get-NetIPAddress:

Commandlet :

New-alias -name ipaddr -value Get-NetIPAddress

Here the Name field is the new alias name you want to assign and the Value field is the cmdlet the alias gets assigned to.

Fig : 3.9



In Fig : 3.9 we can see that we successfully executed the alias ipaddr, which runs the Get-NetIPAddress cmdlet as a result. Remember that there is no limit to the number of aliases.

We can also reconfigure an existing alias to point to a different cmdlet.

Let's point the existing alias ipaddr to the cmdlet Get-NetAdapter:

Commandlet :

Set-alias -name ipaddr -value Get-NetAdapter

Fig : 4.0


In Fig : 4.0 we can see that this time ipaddr works as an alias for Get-NetAdapter.

Importing and exporting alias :

We can also import and export aliases to and from PowerShell.

To export the aliases:

Commandlet :

Export-Alias -Path 'C:\Users\Itachi\Desktop\alias.ps1' -As Script

Fig : 4.1


In Fig : 4.1 we have successfully exported the aliases of the current session into the file alias.ps1 at the specified location. You can also try different formats using the Get-Help commandlet.

Fig : 4.2


In Fig : 4.2 we can see the alias.ps1 file.
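The alias commandlets from this section, combined into one added example (not from the original post): it creates and re-points the post's ipaddr alias, follows any alias to the command it really runs, lists aliases that were not built in, and round-trips an alias through Export-Alias and Import-Alias. Resolve-AliasTarget is my own function name, the export path under $env:TEMP is an assumption, and the CSV export (Export-Alias's default) is used for the round trip because Import-Alias reads CSV, whereas the -As Script output from the post is a .ps1 you would run instead.

```powershell
# Added example, not from the original post: create, resolve, review, export and
# re-import aliases. The alias name ipaddr comes from the post; paths are assumptions.

$csvPath = Join-Path -Path $env:TEMP -ChildPath 'alias.csv'

# New-Alias refuses to overwrite an existing name; Set-Alias creates or re-points it.
New-Alias -Name ipaddr -Value Get-NetIPAddress -ErrorAction SilentlyContinue
Set-Alias -Name ipaddr -Value Get-NetAdapter

function Resolve-AliasTarget {
    # Helper name is my own. Follows an alias (which may point at another alias)
    # until it reaches a real command, printing each hop on the way.
    param([string]$Name)
    $cmd = Get-Command -Name $Name -ErrorAction Stop
    while ($cmd.CommandType -eq 'Alias') {
        "{0} -> {1}" -f $cmd.Name, $cmd.Definition
        $cmd = Get-Command -Name $cmd.Definition -ErrorAction Stop
    }
    "{0} is a {1} from module '{2}'" -f $cmd.Name, $cmd.CommandType, $cmd.ModuleName
}

Resolve-AliasTarget -Name ipaddr   # ipaddr -> Get-NetAdapter, a Cmdlet from NetAdapter
Resolve-AliasTarget -Name clear    # clear  -> Clear-Host

# All aliases that point at one cmdlet, as in the post:
Get-Alias -Definition Clear-Host

# Aliases that are not built in: new aliases get Options 'None' by default, while
# the ones PowerShell ships usually carry ReadOnly and/or AllScope. Anything listed
# here came from a profile script, a module, or an earlier command in this session.
Get-Alias |
    Where-Object { $_.Options -eq 'None' } |
    Select-Object -Property Name, Definition, Options

# Round trip: export just our alias to CSV, remove it, and import it back.
Export-Alias -Path $csvPath -Name ipaddr -Force
Remove-Item -Path Alias:\ipaddr
Import-Alias -Path $csvPath
Get-Alias -Name ipaddr
```

Aliases created at the prompt disappear with the session; the ones that survive come from profile scripts (see $PROFILE) or modules, so an alias you did not expect is worth resolving with Get-Command before you rely on what its name suggests it does.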

