Quick Overview
If you are like me, you are switching back and forth between Linux and Windows systems while you are on a pentest. Even if you don’t use Kali, Linux is by far one of the most popular systems for pentesting as it offers a wide range of tools that run on it. Using Linux works great, but I have found that there are times when Windows may be better, especially when working in a Windows-centric environment. Linux is great, but a Windows system (that you control) joined to your client's domain offers a lot of native potential and capability for attacking a Windows domain environment. Even if you only have your trusty Linux-based host, there are times that you will have to navigate around on a Windows system. Since we are all moving back and forth, I thought I would do a quick comparison between Linux commands and their PowerShell equivalents. This way, if you are starting out with one OS, you’ll be able to navigate around a system more effectively with the other. All of the commands in this post offer different flags and options to enhance their abilities to do their functions, but I am not going to go in-depth with each item. Think of this as a crosswalk between Linux commands and the existing Windows mechanism for each.
If you are coming from the Linux side, you are in luck! It may not seem like it, as most examples out there use the full cmdlet name, but most of your favorite commands already work in PowerShell as is; there just may be some differences in the flags you submit. PowerShell is even nice enough to understand if you continue to use / in file paths. It will switch them to Windows’ \, but it will still understand.
If you are mainly familiar with Windows and PowerShell, you might have a little more reference lookup work to do. It just depends on if you use aliases or the full cmdlet names. Of course, another option for you is that you could just load PowerShell on your Linux box (https://learn.microsoft.com/en-us/powershell/scripting/install/installing-powershell-on-linux?view=powershell-7.4).
All of the PowerShell cmdlets in the examples below have been capitalized but PowerShell will accept them in all lowercase letters as well.
General Commands
We are going to start off with some general, basic commands.
1 Linux’s ls and PowerShell’s Get-ChildItem
By far, it’s one of the most basic commands out there but also one of the most important. I’m always looking to see what is in different directories on a system. With Linux, I find ls -l (or ls -la to see hidden files, etc.) to be a better option as it gives me more information about the files and directories and not just the file names.
The official method to do the same behavior with PowerShell is Get-ChildItem. However, you can also use any of the aliases ls, dir, or gci. The data returned looks very similar to the Linux ls -l command.
Alongside the commands to list files and directories, the command to change your current directory is practically the same between both languages: cd. I figure this is common knowledge but I also started with DOS and it has always been that way on Windows systems. However, the official PowerShell cmdlet name for this function is Set-Location (as well as cd, chdir, and sl).
Similarly, all of the common file operations (copy, move, and delete) match:
- Copying is cp (which is an alias for Copy-Item, copy, and ci in PowerShell)
- Deleting is rm (equating to Remove-Item and other aliases del, erase, and ri)
- Moving is mv (an alias, along with move and mi, for Move-Item)
2 Linux’s cat and PowerShell’s Get-Content
The cat command is used to display the contents of one or more files, or to concatenate them into a single output. It can also be used to create new files or append data to existing files by using the > (make a new file and send the data to it) and >> (append content to existing file) characters.
The PowerShell equivalent of cat is Get-Content (or its aliases cat or gc). It can also display the contents of one or more files, or concatenate them into a single output. You can use various parameters to filter or format the output, such as -Tail, -Encoding, -Raw, etc. You do need to be careful about where you put the * wildcard when concatenating multiple files into a new one. Unlike Linux, which ignores the file you are writing into, PowerShell can pick up that output file as one of its inputs and end up in an infinite loop. This is why my placement in PowerShell is doc*.txt instead of the *.txt I used above.
3 Linux’s head / tail and PowerShell’s Get-Content
Sometimes you don’t want to view all the content in the file and you just want a portion of the front or the end. That’s where head and tail come in. In Linux, these two commands typically default to 10 first (head) or 10 last (tail) lines of a file.
PowerShell doesn’t have separate commands for this type of filtering. Instead, they are parameters of Get-Content (or, as we learned above, cat or gc) added at the end of the command. The parameter names match the Linux commands (-Head and -Tail); however, they don’t have a default number of lines, so you have to specify it.
Both Linux’s tail and PowerShell’s Get-Content can display the end of a file and update the screen in real time as new lines are added. In Linux the command is tail -f <filename>, while in PowerShell it is Get-Content -Tail 10 -Wait <filename>.
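The following is an added example, not code from the original post, that walks through the cat, head and tail equivalents above in one script. It builds three small sample files under the temp folder (constructed input) so it runs on any Windows PowerShell 5.1 or PowerShell 7 host; the folder and file names are my own choices.

```powershell
# Added example (not from the original post): cat / head / tail with Get-Content.
# Everything lives under a scratch folder in %TEMP% so nothing else is touched.
$work = Join-Path ([System.IO.Path]::GetTempPath()) 'gc-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Constructed sample input: doc1.txt .. doc3.txt with five lines each
foreach ($n in 1..3) {
    $lines = foreach ($i in 1..5) { "doc$n line $i" }
    Set-Content -Path (Join-Path $work "doc$n.txt") -Value $lines
}

# Linux: cat doc*.txt > combined.txt
# The output name must NOT match the wildcard being read (combined.txt vs doc*.txt),
# otherwise Get-Content can read the file it is writing to, the loop the post warns about.
$combined = Join-Path $work 'combined.txt'
Get-Content -Path (Join-Path $work 'doc*.txt') | Set-Content -Path $combined

# Linux: echo 'appended line' >> combined.txt   ->  Add-Content appends instead of overwriting
Add-Content -Path $combined -Value 'appended line'

# head -n 3 combined.txt  ->  -TotalCount (alias -Head); there is no default, so give a number
Get-Content -Path $combined -TotalCount 3

# tail -n 3 combined.txt  ->  -Tail
Get-Content -Path $combined -Tail 3

# tail -f combined.txt    ->  -Wait keeps the console open until Ctrl+C, so it is left commented
# Get-Content -Path $combined -Tail 10 -Wait
```

Set-Content versus the > redirection operator is a deliberate choice: the redirection creates the target file before Get-Content has finished enumerating its inputs, which is exactly the situation the wildcard caveat is about.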
4 Linux’s grep and PowerShell’s Select-String
The grep command is used to search for patterns in files or input, and print the matching lines. It supports various options to modify the search behavior, such as -i (ignore case), -v (invert match), -r (recursive), -E (extended regular expressions), etc.
The PowerShell equivalent of grep is Select-String (or its alias sls). It can also search for patterns in files or input, and print the matching lines. It supports various options to modify the search behavior, such as -CaseSensitive, -NotMatch, -AllMatches, -Pattern (regular expressions), etc. Unlike grep, it is not case-sensitive unless you add the -CaseSensitive parameter. Please note in the example below, I used the Linux / directory separator instead of Microsoft’s \ in the path statement and PowerShell worked anyway.
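As an added example (not from the original post), here is Select-String run over a small constructed authentication log, mapping each common grep invocation to its PowerShell form. The log lines, file name and folder are made up for the demo.

```powershell
# Added example (not from the original post): grep-style searching with Select-String.
$work = Join-Path ([System.IO.Path]::GetTempPath()) 'sls-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$log = Join-Path $work 'auth.log'

# Constructed sample log lines
$sample = @(
    '2024-05-01 08:00:01 INFO  logon success user=alice src=10.0.0.5',
    '2024-05-01 08:00:07 WARN  logon FAILED user=bob src=10.0.0.9',
    '2024-05-01 08:00:09 WARN  logon failed user=bob src=10.0.0.9',
    '2024-05-01 08:01:15 INFO  service started name=spooler'
)
Set-Content -Path $log -Value $sample

# grep -i failed auth.log   ->  Select-String ignores case by default (2 hits)
Select-String -Path $log -Pattern 'failed'

# grep failed auth.log      ->  -CaseSensitive restores grep's default behaviour (1 hit)
Select-String -Path $log -Pattern 'failed' -CaseSensitive

# grep -v INFO auth.log     ->  -NotMatch inverts the match
Select-String -Path $log -Pattern 'INFO' -NotMatch

# grep -n ...               ->  the line number is a property of each MatchInfo object
Select-String -Path $log -Pattern 'WARN' | Select-Object LineNumber, Line

# grep -rE 'user=\w+' .     ->  recurse with Get-ChildItem (forward slashes are fine in
#                               the path), then use the regex capture group to count
#                               failed logons per user instead of just printing lines
Get-ChildItem -Path "$work/" -Recurse -Filter *.log |
    Select-String -Pattern 'failed user=(\w+)' -AllMatches |
    ForEach-Object { $_.Matches | ForEach-Object { $_.Groups[1].Value } } |
    Group-Object | Select-Object Name, Count
```

The last pipeline is where Select-String pulls ahead of grep: each hit is an object with .Matches, so the capture group feeds straight into Group-Object (bob appears twice here) without an extra awk or cut step.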
5 Linux’s touch and PowerShell’s New-Item
Sometimes you just need to create an empty file somewhere. Maybe you are testing write access or maybe you are creating something that you will put more information into later. Regardless, this is where touch and New-Item (or its alias of ni) come into play.
Using touch
Using New-Item
While the touch command in Linux is primarily used for creating empty files quickly without opening an editor, it can also be used to update the timestamps on existing files or directories, which is useful for various other tasks. Maybe you want to update file modification times without altering the content. New-Item does not have this functionality. It only creates new files.
The PowerShell method for updating a timestamp is a little longer and leverages Get-Item. Get-Item will return some information about a file. Putting Get-Item inside parentheses - (Get-Item <File Path>).lastwritetime - allows you to specify to only reference the LastWriteTime property. Then adding an equals sign and a new date will set it to the new date. To make it more interesting, the new date could be in the past.
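The following added example (not from the original post) puts both halves of this section together: New-Item to create the empty file, then the (Get-Item ...).LastWriteTime assignment to change its timestamp. The file lives under the temp folder; the path and the chosen date are my own.

```powershell
# Added example (not from the original post): touch equivalents in PowerShell.
$work = Join-Path ([System.IO.Path]::GetTempPath()) 'ni-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'empty.txt'

# touch empty.txt  ->  New-Item errors if the file exists; -Force replaces it with an empty file
New-Item -Path $file -ItemType File -Force | Out-Null

# Write something so the modification time actually moves, then look at all three timestamps
Add-Content -Path $file -Value 'first line'
Get-Item $file | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime

# touch -d '2020-01-01' empty.txt  ->  assign the LastWriteTime property directly
(Get-Item $file).LastWriteTime = Get-Date '2020-01-01'

# CreationTime and LastAccessTime are settable the same way but were left alone here,
# which is why comparing all three timestamps (rather than trusting one) is a useful check
Get-Item $file | Select-Object Name, CreationTime, LastWriteTime, LastAccessTime
```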
6 Linux’s find and PowerShell’s Get-ChildItem
When you need to locate a file on the system but you aren’t sure where it exists, these commands are what you use. The commands can be used to find files or directories that match certain criteria, such as name, size, type, permission, owner, etc. We’ve already talked about Get-ChildItem before, as far as giving information about files and directories in a path. It just takes an extra parameter to be used like find. Get-ChildItem also accepts wildcards in file names without adding the quotes around the name.
Example using find
Example using Get-ChildItem
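As an added example (not from the original post), the script below shows Get-ChildItem covering both roles discussed so far: the ls -la listing from the first section and the find-style searches from this one. It assumes the search root is the current user's profile folder ($env:USERPROFILE); the file pattern and size/age thresholds are arbitrary demo values.

```powershell
# Added example (not from the original post): Get-ChildItem as ls -la and as find.
$target = $env:USERPROFILE   # assumed search root; change as needed

# ls -la $target  ->  -Force includes hidden and system items that a plain listing skips
Get-ChildItem -Path $target -Force

# find $target -type f -name '*.log'  ->  -Recurse, files only, wildcard without quotes.
# -ErrorAction SilentlyContinue suppresses access-denied noise from folders you cannot read.
Get-ChildItem -Path $target -Recurse -File -Filter *.log -ErrorAction SilentlyContinue

# find $target -type d -name 'Temp*'  ->  directories only
Get-ChildItem -Path $target -Recurse -Directory -Filter Temp* -ErrorAction SilentlyContinue

# find $target -type f -size +100M -mtime -7  ->  no size/time switches; filter the objects
Get-ChildItem -Path $target -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Length -gt 100MB -and $_.LastWriteTime -gt (Get-Date).AddDays(-7) } |
    Select-Object FullName, Length, LastWriteTime
```

The last pipeline is the general pattern: Get-ChildItem enumerates, Where-Object does whatever find's -size, -mtime, -user or -perm would have done, because every item comes back as a FileInfo or DirectoryInfo object with those properties already attached.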
7 Linux’s history and PowerShell’s Get-History
Both Linux and PowerShell allow you to hit the up arrow to look through previous commands. They both offer ways of displaying all of the commands that have been run on the system. With Linux, that is the history command. Unfortunately, things aren’t as straightforward in PowerShell. While it does remember what has been entered into the console, it has one method to see the history of the current session and another to see commands run in previous sessions. To view the history of the current session you can use history, Get-History, ghy, or h. In order to see the entire history, you have to read the content from a specific file. In order to do that, run this command: Get-Content (Get-PSReadlineOption).HistorySavePath
8 Linux’s man and PowerShell’s Get-Help
With all the potential commands in Linux and PowerShell, it’s easy to forget what options the commands have and how they change the command’s behavior. Luckily, both Linux and PowerShell include built-in documentation. The level of information varies depending on each command. The Linux command for this is man and the equivalent in PowerShell is Get-Help, man, or help. They are used the same way: man <command to get information about>. For example, man cp.
More Pentesting Related Commands
Now that we’ve covered some of the basics, let’s move on to some others that are more specific to device administration and pentesting.
1 Linux’s ping and PowerShell’s Test-Connection
These commands are used to test the network connectivity between two hosts by sending packets and measuring the response time. The primary use is to check network connectivity and response time but they can also provide information about the network quality, such as packet loss, latency, jitter, etc.
The Linux command for testing this is ping. The Linux version will continuously ping the target until you cancel the command, unless you tell it to only send a specific number of requests (i.e. ping -c 4).
The PowerShell version is Test-Connection. By default it only sends 4 requests unless you tell it to send more with the -Count parameter.
To make life interesting, PowerShell can still run old DOS commands, so ping still works as well.
2 Linux’s netcat and PowerShell’s Test-NetConnection
While not our usual method for doing host and port discovery, netcat is another option when nmap is not available to us. Netcat is often aliased to nc. As netcat does considerably more (creating TCP or UDP connections, listening on ports, transferring data, etc.), we often only think of it when setting up shells / reverse shells on hosts. But it can be used to simply connect to a remote port to see if it is open. You just need to use the -vz flags. For example: netcat -vz secureideas.com 443
The PowerShell equivalent of netcat is Test-NetConnection that has an alias of tnc.
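Here is an added example (not from the original post) that combines the two checks above, ping -c and nc -vz, for a short list of hosts and ports. The host names and ports are constructed placeholders; Test-NetConnection comes from the Windows NetTCPIP module, so this part is Windows-only.

```powershell
# Added example (not from the original post): reachability plus TCP port checks.
# Constructed targets; replace with hosts you are authorised to test.
$checks = @(
    @{ Host = 'dc01.corp.example';  Port = 389 },
    @{ Host = 'web01.corp.example'; Port = 443 }
)

function Test-HostAndPort {
    param([string]$HostName, [int]$Port)

    # ping -c 2 host  ->  -Count 2; -Quiet returns $true/$false instead of per-reply objects
    $icmp = Test-Connection -ComputerName $HostName -Count 2 -Quiet -ErrorAction SilentlyContinue

    # nc -vz host port  ->  Test-NetConnection; it also pings first and warns when that fails,
    # so the warning is silenced and only the TCP result is used
    $tcp = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue

    [pscustomobject]@{
        Host       = $HostName
        IcmpReply  = [bool]$icmp
        Port       = $Port
        PortOpen   = [bool]$tcp.TcpTestSucceeded
        RemoteAddr = $tcp.RemoteAddress
    }
}

foreach ($c in $checks) { Test-HostAndPort -HostName $c.Host -Port $c.Port } | Format-Table -AutoSize
```

Note that a host can answer on the port while IcmpReply is false: Windows hosts commonly drop ICMP echo by firewall policy, which is the usual reason to lean on the TCP test rather than ping alone.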
3 Linux’s netstat and PowerShell’s Get-NetTCPConnection
These commands display information about the network connections and statistics on a system. They can show various details such as protocol, local and remote address and port, state, process ID, etc.
A common use of netstat is netstat -ano. The -ano flags are a combination of three separate options. The -a option displays all connections and listening ports, the -n option displays addresses and port numbers in numerical form, and the -o option shows the process ID associated with each connection. (These are the Windows netstat flags; on Linux, -o shows connection timers and the process ID column comes from -p instead.)
The official PowerShell equivalent of netstat is Get-NetTCPConnection. However, just like ping, PowerShell can be used to run the old DOS version of netstat.
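As an added example (not from the original post), this script rebuilds the netstat -ano view from Get-NetTCPConnection and joins each entry to Get-Process so the owning process has a name, not just a PID. Get-NetTCPConnection and Get-NetUDPEndpoint are part of the Windows NetTCPIP module, so it is Windows-only; the function name is mine.

```powershell
# Added example (not from the original post): netstat -ano rebuilt from Get-NetTCPConnection.

# Resolves an OwningProcess PID to a process name, or $null if the process has already gone
$processName = @{
    Name       = 'Process'
    Expression = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName }
}

function Get-ListeningPortReport {
    # netstat -ano | findstr LISTENING
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort |
        Select-Object LocalAddress, LocalPort, OwningProcess, $processName
}

function Get-EstablishedConnectionReport {
    # netstat -ano | findstr ESTABLISHED
    Get-NetTCPConnection -State Established |
        Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess, $processName
}

Get-ListeningPortReport          | Format-Table -AutoSize
Get-EstablishedConnectionReport  | Format-Table -AutoSize

# netstat -ano also lists UDP; that is a separate cmdlet in PowerShell
Get-NetUDPEndpoint | Select-Object LocalAddress, LocalPort, OwningProcess, $processName |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Because the join is done per object, the same calculated property can be reused in any of the three pipelines, and the output stays filterable with Where-Object (for example on RemoteAddress) instead of being parsed out of netstat's text.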
4 Linux’s ps and PowerShell’s Get-Process
We may need to see information about processes on a system: is something we expect to be running actually there, is there a process we want to jump into, etc. Linux’s ps and PowerShell’s Get-Process show various details such as process ID, command name, CPU usage, memory usage, etc. Running Linux’s ps aux will show you the user the process is running under. Get-Process will only show the user information if you run your PowerShell window with administrative rights and include the -IncludeUserName parameter.
Another way to see the owner of a process on Windows, when you don’t have elevated privileges, is to run the following command:
Get-WmiObject Win32_Process | Select-Object Name, @{Name='User';Expression={$_.GetOwner().User}}
However, this command does not give any other information about the process except the process name and the owner. In addition, Get-WmiObject (and its alias gwmi) often get flagged by endpoint protection as malicious activities.
Get-Process can also be called using either of its aliases ps or gps.
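The following added example (not from the original post) wraps the two approaches from this section in one function: Get-Process -IncludeUserName when the console is elevated, and the Win32_Process GetOwner() method otherwise. Instead of Get-WmiObject it uses Get-CimInstance and Invoke-CimMethod, which are the supported replacements (PowerShell 7 no longer ships Get-WmiObject); the function name is mine.

```powershell
# Added example (not from the original post): ps aux style listing with the process owner.
function Get-ProcessWithOwner {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    if ($isAdmin) {
        # Elevated: Get-Process can report the user directly
        Get-Process -IncludeUserName |
            Select-Object Id, ProcessName, UserName, CPU, WorkingSet64
    }
    else {
        # Not elevated: ask CIM for the owner of each Win32_Process instance.
        # GetOwner returns User/Domain (empty for processes you cannot inspect).
        Get-CimInstance -ClassName Win32_Process | ForEach-Object {
            $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Id          = $_.ProcessId
                ProcessName = $_.Name
                UserName    = if ($owner -and $owner.User) { "$($owner.Domain)\$($owner.User)" } else { $null }
                CommandLine = $_.CommandLine
            }
        }
    }
}

Get-ProcessWithOwner | Sort-Object ProcessName | Format-Table -AutoSize
```

The CIM branch also exposes CommandLine, which Get-Process does not give you without going through the underlying .NET object, so it is often the more informative view even when you could elevate.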
5 Linux’s curl and PowerShell’s Invoke-WebRequest
Curl is the go-to command to connect to web pages from a Linux terminal window. But it can also be used to transfer data from or to a server, using various protocols such as HTTP, FTP, SMTP, etc. Therefore, it performs various tasks such as downloading files, uploading files, sending requests, receiving responses, etc.
The equivalent PowerShell command is Invoke-WebRequest (or iwr). Depending on the version of PowerShell, curl will also alias to Invoke-WebRequest. Not only does it perform the same functions as Linux’s curl, but it also makes it easy to parse and manipulate the data returned by web requests, since the response comes back as an object with properties.
To make life more interesting, if you use PowerShell 7, curl no longer aliases to Invoke-WebRequest and instead is a Linux-like version of curl.
To ensure consistency, the Linux-like curl can always be invoked using curl.exe instead of the alias curl.
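As an added example (not from the original post), here is Invoke-WebRequest used the way the section describes: the response is an object, so the status code and headers are read as properties rather than parsed from text. It checks a page for a few common security response headers; the target https://example.com/ is only a demo URL and the function name is mine.

```powershell
# Added example (not from the original post): reading an HTTP response as an object.
function Get-SecurityHeaderReport {
    param([string]$Uri = 'https://example.com/')   # demo target; pass your own

    # curl -sI $Uri  ->  Invoke-WebRequest; -UseBasicParsing avoids the IE DOM parser on 5.1
    $resp = Invoke-WebRequest -Uri $Uri -UseBasicParsing -ErrorAction Stop

    # Windows PowerShell stores each header value as a string, PowerShell 7 as a string
    # array, so -join normalises both before display.
    $wanted = 'Strict-Transport-Security', 'Content-Security-Policy',
              'X-Content-Type-Options', 'X-Frame-Options'

    foreach ($h in $wanted) {
        $present = $resp.Headers.ContainsKey($h)
        [pscustomobject]@{
            Header  = $h
            Present = $present
            Value   = if ($present) { $resp.Headers[$h] -join ', ' } else { $null }
        }
    }

    # Status and body length are plain properties too
    [pscustomobject]@{ Header = 'StatusCode';    Present = $true; Value = $resp.StatusCode }
    [pscustomobject]@{ Header = 'ContentLength'; Present = $true; Value = $resp.RawContentLength }
}

Get-SecurityHeaderReport | Format-Table -AutoSize

# Same request with real curl on any PowerShell version (bypasses the alias):
#   curl.exe -sI https://example.com/
```

Invoke-WebRequest throws on non-2xx responses; if you want the header report for a 404 or 500 as well, catch the exception and read the headers from its .Exception.Response instead of stopping.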
One Last PowerShell Command of Note
PowerShell is an object oriented language and there may be times when you want to see what properties and methods are available for all of the different objects associated with different commands. That’s where Get-Member comes into play. When an object is piped into Get-Member, it inspects the object and returns information about the object's definition, including the type of object, the properties and methods it contains, and other related information. I find this command to be particularly useful for understanding the structure of an object, especially when sending things through the pipeline and when scripting.
When using Get-Member, you can send a specific object, a command, or a command’s alias. In all cases, it will display information about the object or the object created by the command.
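An added example (not from the original post) showing the three ways of feeding Get-Member mentioned above, and then actually using a member it revealed, so the discovery step flows into a pipeline:

```powershell
# Added example (not from the original post): discovering members with Get-Member.

# 1. The output of a command: what type is it and which properties can I select?
Get-Process -Id $PID | Get-Member -MemberType Property | Select-Object Name, Definition

# 2. Through an alias: Get-Member inspects the object, so ps behaves exactly like Get-Process
ps -Id $PID | Get-Member -Name *Time*

# 3. A specific object: a literal string, filtered to methods beginning with "To"
'hello' | Get-Member -MemberType Method -Name To*

# Use what was discovered: property names become Select-Object columns, methods get called
$cols = (Get-Item $env:TEMP | Get-Member -MemberType Property -Name *Time).Name
Get-Item $env:TEMP | Select-Object FullName, $cols
'hello'.ToUpper()
```

The -Name and -MemberType filters are the part worth remembering: a bare Get-Member on a process object returns well over a hundred members, so narrowing it is how the command stays useful from a console.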
Download our Linux Command PowerShell cmdlet and PowerShell cmdlet to Linux Command Reference Sheets below!