This module introduces us to the Windows Command Prompt and PowerShell in general for both offensive and defensive security practitioners. The ability to utilize the Windows command line is a must for defenders. The capability to administer hosts quickly is critical to ensuring the availability, confidentiality, and integrity of our systems and networks. From a hacking perspective, a functional understanding of CMD.exe, PowerShell, and the myriad of Windows native tools will ensure you can complete your actions on hosts while in a Windows environment. We will not always have access to a graphical user interface, primarily when operating over a tunnel or from a point where it is not feasible for us to have direct access.
In this module, we will cover the following:
- The History of the Windows command line and PowerShell
- Using CMD.exe basics
- CMD for sysadmins and hackers
- PowerShell basics
- Navigating the Windows file structure from the command line
- Utilizing and creating modules with PowerShell
- PowerShell for sysadmins and hackers
CREST CPSA/CRT-related Sections:
- All sections
CREST CCT APP-related Sections:
- All sections
This module is broken down into sections with accompanying hands-on exercises to practice the tactics and techniques we cover. The module ends with a practical hands-on skills assessment to gauge your understanding of the various topic areas.
As you work through the module, you will see example commands and command output for the various topics introduced. It is worth reproducing as many of these examples as possible to reinforce further the concepts introduced in each section. You can do this in the Pwnbox provided in the interactive sections or in your own virtual machine.
You can start and stop the module anytime and pick up where you left off. There is no time limit or "grading," but you must complete all of the exercises and the skills assessment to receive the maximum number of cubes and have this module marked as complete in any paths you have chosen.
The module is classified as "Easy" and only assumes the student has a foundational knowledge of Windows and the Windows file system.
A firm grasp of the following module can be considered a prerequisite for the successful completion of this module:
- Windows Fundamentals
The built-in command shell CMD.exe and PowerShell are two implementations included in all Windows hosts. These tools provide direct access to the operating system, automate routine tasks, and provide the user with granular control of any aspect of the computer and installed applications. This module will give us the knowledge, skills, and abilities to effectively administer Windows hosts via the command line.
From a penetration testing perspective, we will learn how to utilize built-in Windows tools and commands and third-party scripts and applications to help with reconnaissance, exploitation, and exfiltration of data from within a Windows environment as we move into more advanced modules within HTB Academy.
Command Prompt Vs. PowerShell
There are some key differences between Windows Command Prompt and PowerShell, which we will see throughout this module. One key difference is that you can run Command Prompt commands from a PowerShell console, but to run PowerShell commands from a Command Prompt, you would have to preface the command with
powershell get-alias). The following table outlines some other key differences.
|Introduced in 2006||Introduced in 1981|
|Can run both batch commands and PowerShell cmdlets||Can only run batch commands|
|Supports the use of command aliases||Does not support command aliases|
|Cmdlet output can be passed to other cmdlets||Command output cannot be passed to other commands|
|All output is in the form of an object||Output of commands is text|
|Able to execute a sequence of cmdlets in a script||A command must finish before the next command can run|
|Has an Integrated Scripting Environment (ISE)||Does not have an ISE|
|Can access programming libraries because it is built on the .NET framework||Cannot access these libraries|
|Can be run on Linux systems||Can only be run on Windows systems|
As we can see, the Command Prompt is a much more static way of interacting with the operating system, while PowerShell is a powerful scripting language that can be used for a wide variety of tasks and to create simple and very complex scripts.
We will use a scenario through this module to help keep the topics in scope and provide insight into how these tools and commands can aid our mission.
Consider this scenario:
We are a system administrator looking to broaden our horizons and dip our toes into pentesting. Before we approach our manager and Internal Red Team Lead to see about apprenticing, we must first practice and gain a fundamental understanding of Windows primary command line interfaces:
Command Prompt. Soon they will have no choice but to accept us as a certified
Command Line Ninja and grant us a seat at the table.
For this module, you will have access to several Windows hosts from which you can perform any actions needed to complete the lab exercises. Since we are working in a pure CLI-based module, this challenge will use
SSH only to connect with the targets.
To connect to the target hosts as the user via SSH, utilize the following format:
ssh [email protected]<IP-Address>
Once connected, you will be asked to accept the host's certificate and provide the user's password to log in completely. After you authenticate, you are free to dive in.