{"id":13539363,"url":"https://github.com/rootclay/powershell-attack-guide","last_synced_at":"2025-04-02T06:30:48.222Z","repository":{"id":38359498,"uuid":"113740830","full_name":"rootclay/Powershell-Attack-Guide","owner":"rootclay","description":"Powershell Attack Guide----the hacker's way of post-exploitation","archived":false,"fork":false,"pushed_at":"2020-07-10T04:02:27.000Z","size":8173,"stargazers_count":845,"open_issues_count":0,"forks_count":195,"subscribers_count":35,"default_branch":"master","last_synced_at":"2025-03-13T14:36:59.304Z","etag":null,"topics":["hacker","powershell","powershell-attack-guide"],"latest_commit_sha":null,"homepage":null,"language":"HTML","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/rootclay.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2017-12-10T10:23:44.000Z","updated_at":"2025-03-08T07:49:22.000Z","dependencies_parsed_at":"2022-08-25T01:31:58.376Z","dependency_job_id":null,"html_url":"https://github.com/rootclay/Powershell-Attack-Guide","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootclay%2FPowershell-Attack-Guide","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootclay%2FPowershell-Attack-Guide/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootclay%2FPowershell-Attack-Guide/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/rootclay%2FPowershell-Attack-Guide/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/rootclay","download_url":"https://codeload.github.com/rootclay/Powershell-Attack-Guide/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":246767644,"owners_count":20830528,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["hacker","powershell","powershell-attack-guide"],"created_at":"2024-08-01T09:01:24.347Z","updated_at":"2025-04-02T06:30:47.701Z","avatar_url":"https://github.com/rootclay.png","language":"HTML","readme":"# Powershell-Attack-Guide\nPowershell Attack Guide----the hacker's way of post-exploitation\n\n## Preface\n\u003e After a long time I am coming back to update this old article, re-examining and re-recording some of the knowledge points in it. (2020-4-13) In addition, a more readable gitbook has been republished: https://rootclay.gitbook.io/powershell-attack-guide/\n\n\u003e This article was first published on Anquanke; the original topic page is https://www.anquanke.com/subject/id/90541\n\n\u003e I had been studying PowerShell for a while, and later, at the request of friends who needed PowerShell material, I was asked to write an introductory or overview article on PowerShell security, which is how this article came about. Various things caused some delay, and since the author is not a strong writer, the article may read awkwardly in places; please bear with it. Here I make some summaries so that newcomers get a general picture and a deeper understanding of PowerShell and of internal networks.\n\n\u003e Before we begin, let us consider a common question about PowerShell. We know that the PowerShell file extension is ps1, so why ps1 rather than ps2 or ps3? To understand this we can look at a property of PowerShell: it is fully backward compatible, meaning that running PowerShell v1.0 code on a PowerShell 5.x version is no problem at all. My personal understanding of why it is ps1 is this: the day we see a ps2 extension will be the day PowerShell makes a major update that is no longer backward compatible, which is why the ps1 extension has been used all along.\n\n\u003e So which version should we security people use? Without doubt v2. Why? Because v2 is installed by default on Win7, all later versions are compatible with v2, and v1 cannot meet many of our needs, so v2 has become our one and only choice for now. Using the method below we can see our PowerShell version and some detailed information; most of the code later is discussed in terms of v2.0. (After the latest revision, some features may use the latest PowerShell 7.0.)\n\nThe `Get-Host` command returns the current PS version information and other details\n\n```powershell\nName             : ConsoleHost\nVersion          : 2.0\nInstanceId       : 388599a6-35cd-4bba-bedb-cf00d2a39389\nUI               : System.Management.Automation.Internal.Host.InternalHostUserInterface\nCurrentCulture   : zh-CN\nCurrentUICulture : en-US\nPrivateData      : Microsoft.PowerShell.ConsoleHost+ConsoleColorProxy\nIsRunspacePushed : False\nRunspace         : System.Management.Automation.Runspaces.LocalRunspace\n```\n\nFor security personnel, learning PS mainly involves the following two scenarios:\n\n1. In the first, we need AV evasion or better stealth when attacking the target's Windows machines, and commands can be executed directly through phishing and similar means.\n2. In the second, we are already inside the target's network, or at the very least on a Windows server in the DMZ, and so what we naturally use PS for is going deeper into the internal network.\n\nThis PowerShell series mainly covers content related to security testing, so its intended readers are mainly security or operations staff; whatever role you play in the online world, you should be able to find what you are looking for here. The articles mainly cover the following:\n\n1. PowerShell basic syntax\n2. PowerShell script writing, invocation and execution\n3. PowerShell Socket programming\n4. PowerShell port scanning and service brute-forcing\n5. PowerShell multithreading\n6. PowerShell with WMI and .NET\n7. PowerShell with the Win32 API\n8. PowerShell DLL injection\u0026shellcode injection\u0026exe injection\n9. PowerShell obfuscation\n10. PowerShell event logs\n11. PowerShell example usage scenarios\n12. PowerShell penetration toolset\n","funding_links":[],"categories":["\u003ca id=\"1233584261c0cd5224b6e90a98cc9a94\"\u003e\u003c/a\u003ePenetration\u0026\u0026offensive\u0026\u0026penetration frameworks\u0026\u0026post-exploitation frameworks","\u003ca id=\"5dd93fbc2f2ebc8d98672b2d95782af3\"\u003e\u003c/a\u003eTools"],"sub_categories":["\u003ca id=\"2e40f2f1df5d7f93a7de47bf49c24a0e\"\u003e\u003c/a\u003eUncategorized-Pentest"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootclay%2Fpowershell-attack-guide","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Frootclay%2Fpowershell-attack-guide","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Frootclay%2Fpowershell-attack-guide/lists"}