As humans, we normally have 10 fingers. Keeping these fingers under control is not an easy feat. That is why we invent things like aliases.

An alias shortens long functions or commands to just a few characters. For example, “gin” is an alias of Get-ComputerInfo.

Gin is not the only alias we can use. Gal is another. Gal or Get-Alias displays all aliases in our current PowerShell session. However, I suspect there could be treasure hidden in aliases or functions that are not documented (but I could be wrong…).

Let’s do some brute-forcing

So, we don’t like typing too much. Why don’t we create a script that does the heavy lifting for us?

  • Create an array of characters using [char]
  • Loop through the array and try to execute every possible command (what could go wrong?)

# Creating an array of the alphabet
$characters = 65..90 | % { [char]$_ }

# Loop once: every single-letter name is handed to powershell and executed
foreach ( $x in $characters ) {
    $command = $x
    powershell $command
}

# Looping twice: the same for every two-letter name
foreach ( $x in $characters ) {
    foreach ( $y in $characters ) {
        $command = $x + $y
        powershell $command
    }
}

Found some gold?

Well… not yet.

However, I did find some interesting functions and commands this way.

h -> Get-History

This is a great tool in PowerShell. Get-History displays the list of commands entered during the current session.

Rami created a blog post on a persistent history of commands a while ago. Maybe we will give this a try too.

It -> This is not an alias?

Aha! Eureka! This command is not listed among the aliases on my system.

Our trusty Get-Help command gives us more information.

Get-Help It

NAME
It

SYNOPSIS
Validates the results of a test inside of a Describe block.


SYNTAX
It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [<CommonParameters>]

It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [-Pending] [<CommonParameters>]

It [-name] <String> [[-test] <ScriptBlock>] [-TestCases <IDictionary[]>] [-Skip] [<CommonParameters>]


DESCRIPTION
The It command is intended to be used inside of a Describe or Context Block.
If you are familiar with the AAA pattern (Arrange-Act-Assert), the body of
the It block is the appropriate location for an assert. The convention is to
assert a single expectation for each It block. The code inside of the It block
should throw a terminating error if the expectation of the test is not met and
thus cause the test to fail. The name of the It block should expressively state
the expectation of the test.

It seems to be well documented. The module can be found in “C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions” on Windows 10 machines.

Further investigation leads us to “What is Pester and Why Should I Care?”, an article written by The Scripting Guys.

Pester is a test framework for PowerShell. It provides a language that allows you to define test cases, and the Invoke-Pester cmdlet to execute these tests and report the results.

WF -> A sudden surprise

Suddenly. A wild WINDOWS FIREWALL appears!

Oh right… I’m still running the script above.

WF is calling wf.msc. This displays the Windows firewall console. Nice to know.

Conclusion – More brute force needed

This is only layer 2 of our conquest.

Aliases can consist of 2, 3 or even more characters. Who knows what treasure is still hidden from our fingers. Keep posted for more.

If you have suggestions for a better way of testing all possibilities, without risking a corrupt OS, please leave a comment below!

Update:

Thanks to Lee, there is a better (less risky) way of checking if a command exists. [grin]

The Get-Command cmdlet displays all information you’ll ever need.

# Loop once
foreach ( $x in $characters ) {
    $command = $x
    Get-Command -Name $command
}
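
The same idea carried through to two-letter names, as an added example that is not part of the original post or Lee's suggestion: it resolves every candidate with Get-Command instead of running it, and records what each name would actually start. The variable names ($candidates, $results) and the output columns are choices made for this example. Note that Get-Command with an exact name can auto-import the module that owns the command, so it is less risky than execution rather than free of side effects.

```powershell
# Added example: inventory what 1- and 2-letter names resolve to, without executing them.
$characters = 65..90 | ForEach-Object { [char]$_ }

# Candidate names: A..Z followed by AA..ZZ
$candidates = foreach ($x in $characters) {
    "$x"
    foreach ($y in $characters) { "$x$y" }
}

$results = foreach ($name in $candidates) {
    # -All returns every match, including ones shadowed by a higher-precedence
    # command (PowerShell resolves alias, then function, then cmdlet, then application).
    # Names that resolve to nothing raise an error, which is silenced here.
    Get-Command -Name $name -All -ErrorAction SilentlyContinue | ForEach-Object {
        [pscustomobject]@{
            Typed       = $name
            CommandType = $_.CommandType
            ResolvedAs  = $_.Name
            # Aliases: the command they point to. Everything else: the module
            # name (functions, cmdlets) or the full file path (applications).
            Target      = if ($_.CommandType -eq 'Alias') { $_.Definition } else { $_.Source }
        }
    }
}

# Short names that Get-Alias never shows: functions such as It (Pester)
# and applications found through PATH such as wf.msc.
$results |
    Where-Object CommandType -ne 'Alias' |
    Sort-Object CommandType, Typed |
    Format-Table -AutoSize

# Summary per command type
$results | Group-Object CommandType | Select-Object Name, Count
```

For Application entries the Target column is the full path on disk, which shows which PATH directory a short name is being picked up from.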