PowerShell - Be A Cool Blue Kid


Matt Johnson's slides for his GrrCON 2012 talk, PowerShell - Be A Cool Blue Kid.


1. PowerShell - Be a cool blue kid.
   Matt Johnson (@mwjcomputing), MWJ Computing. GrrCON 2012.

2. Get-Agenda
   • Intro
   • Basics of PowerShell
   • Files / File System
   • Users / Access
   • Event Logs
   • System Management
   • Wrap Up

3. SHOW-INTRO

4. About me
   • System Analyst at a non-profit religious organization
   • Founder of Michigan PowerShell User Group
   • Moderator on Hey! Scripting Guys forums and judge for Microsoft's Scripting Games.
   • Member of #misec
   • Avid gamer and huge sports fan
   • Father to a future hacker (kid0) and husband to a wonderful wife.

5. Disclaimer
   • I am not an "expert", so let's just pretend for the next little bit that I am.
   • There is a TON of sysadmin stuff in here, however it doubles as security / blue team.
   • This talk doesn't in any way reflect the stance of my employer or Microsoft.
   • I think I am funny and sometimes talk too fast. If you have a problem, get over it.

7. Have you seen me?

8. What is PowerShell?
   • In case you haven't heard…
     – It is a task automation framework, command-line shell and scripting language that uses and is built upon the .NET Framework.
   • Installed in every Microsoft operating system from Windows 7 / Server 2008 R2 onward.
   • Current version is 3.0.

9. Tons of support
   • Integration is deep within the Microsoft product line.
   • Other vendors support it as well.

10. What is a cmdlet?
   • A cmdlet is a "lightweight command that is used in the Windows PowerShell environment."
   • Basically, it is the commands built into the language.
   • Examples:
     – Get-Help
     – Write-Host
     – Register-ObjectEvent

11. Some basic language information
   • Naming convention: Verb-Noun
     • Get-Mailbox
     • New-ADComputer
     – The approved verbs are defined by Microsoft (98 in total; Get-Verb lists them).
   • Aliases help
     – Get-ChildItem (ls, dir, gci)
     – But you shouldn't use them in your scripts.
     – See them all? Get-Alias
   • Get-Help also "helps"
     – Get-Help is your new best friend.

12. Aliases for the *nix guys
   PowerShell      PowerShell alias    *nix
   Get-ChildItem   ls, gci, dir        ls
   Copy-Item       cp, copy            cp
   Get-Help        man, help           man
   Get-Content     cat, type           cat

13. Get-ExecutionPolicy
   • From about_execution_policies:
     – Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts.
     – Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
   • Can be set machine-wide or per user, and via Group Policy (Get-ExecutionPolicy -List shows every scope).
   • It is trivially bypassed (for example with powershell.exe -ExecutionPolicy Bypass), so this is a safety catch against running scripts by accident, NOT a security measure!!!!

14. Making tools
   • One of the best things about PowerShell.
   • You can easily make tools (functions, scripts, modules, etc.), repackage them and share them.
   • Tons of resources on how to share and where to share are out there.

15. Modules
   • A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.

16. Modules cont…
   • What are modules good for?
     – Repackaging tools
     – Sharing scripts
   • Some very cool modules out there:
     – PSCX
     – Office 365
     – NTFS Security

17. Recording your session
   • PowerShell has built-in logging.
   • Log your commands, the output, the whole kitten kaboodle.
   • Start-Transcript
   • Stop-Transcript

18. A few last-minute notes
   • Objects! Everything is an object unless you decide to make it text.
   • Pipeline! Things being objects makes everything much more fun.
   • Variables! Prefixed with $.
   • Special variables! Some special ones include
     • $_
     • $true

19. Set-LastNote
   • Everything in this talk works with Version 2 or above. V2! (The one exception is the firewall section, which uses the Windows 8 / Server 2012 cmdlets and therefore needs V3.)

20. SHOW-FILEFUN

21. File permissions
   • By far not my favorite thing to do.
   • A complete pain if you have to set permissions on a lot of files.
   • xcacls and cacls.exe are nice, but we can use PowerShell.

22. File permissions
   • Built-in cmdlets for working with ACLs: Get-Acl, Set-Acl.
   • However… these cmdlets are difficult at best to use. Actually, painful is a better word.

23. File Permission Demo 1

24. That sucks… kind of
   • Easily put into a function, especially if the files you are setting permissions on all need the same permissions.
   • Requires time spent in the MSDN documentation (FileSystemAccessRule and the enums it takes) to actually get setting permissions right.
   • There is some help though: the File System Security PowerShell Module 2.1 by Raimund Andrée.

25. File Permission Demo 2
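The following is an added example for this section; it is not the demo code from the talk's download bundle. It wraps Get-Acl / Set-Acl in two helpers: Grant-FolderModify gives one identity Modify rights on a folder (the repetitive case the slide describes), and Find-WeakAce walks a directory tree and reports ACEs that hand write-type rights to broad groups, which is the blue-team side of the same cmdlets. The paths and identity in the usage lines are assumptions.

```powershell
function Grant-FolderModify {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [Parameter(Mandatory = $true)][string]$Identity   # e.g. 'CONTOSO\helpdesk' (assumed)
    )
    $acl = Get-Acl -Path $Path
    # Constructor arguments: identity, rights, inheritance, propagation, type.
    # ContainerInherit + ObjectInherit makes the ACE flow down to subfolders and files.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $Identity, 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    # Read the ACL back rather than assuming Set-Acl did exactly what you meant
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

function Find-WeakAce {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string[]]$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )
    # Any of these bits lets the principal change content, permissions or ownership
    $writeBits = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    # Generic rights show up as raw numbers in FileSystemRights: GENERIC_ALL and GENERIC_WRITE
    $genericBits = 0x10000000 -bor 0x40000000
    # Only folders are walked; files normally inherit from them (PSIsContainer keeps this V2-friendly)
    $dirs = @(Get-Item -Path $Path) +
            @(Get-ChildItem -Path $Path -Recurse -ErrorAction SilentlyContinue | Where-Object { $_.PSIsContainer })
    foreach ($dir in $dirs) {
        foreach ($ace in (Get-Acl -Path $dir.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }
            $raw = [int]$ace.FileSystemRights
            if ((($raw -band $writeBits) -eq 0) -and (($raw -band $genericBits) -eq 0)) { continue }
            New-Object PSObject -Property @{
                Path      = $dir.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (assumed path and identity):
#   Grant-FolderModify -Path 'D:\Shares\Projects' -Identity 'CONTOSO\helpdesk'
#   Find-WeakAce -Path 'D:\Shares' | Format-Table Path, Identity, Rights, Inherited -AutoSize
```

Find-WeakAce flags inherited ACEs as well as explicit ones, which is usually what you want: a root folder that grants Everyone Modify is the finding, but the report tells you where it flows to. Rules carrying generic rights are matched by bit rather than by name because the FileSystemRights enum has no names for them.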
26. Monitor file system changes
   • With a few lines of code (a .NET FileSystemWatcher hooked up with Register-ObjectEvent), you can monitor changes in a directory.
   • However, the subscription goes away with the PowerShell session.
   • Can email, write to the host, log to a file or to the event log.

27. File Monitoring Demo
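Added example, not the talk's File Monitoring Demo script: it wires a .NET FileSystemWatcher to Register-ObjectEvent and appends one line per change to a log file. The watched directory and the log path in the usage lines are assumptions. As the slide says, the event subscriptions belong to this PowerShell session and vanish with it, so keep the host open (or run the script from a scheduled task) if the watch needs to outlive your console.

```powershell
function Start-DirectoryWatch {
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [string]$Filter = '*.*',
        [string]$LogFile = (Join-Path $env:TEMP 'dirwatch.log'),   # assumed default location
        [switch]$IncludeSubdirectories
    )
    $watcher = New-Object System.IO.FileSystemWatcher
    $watcher.Path = (Resolve-Path -Path $Path).ProviderPath
    $watcher.Filter = $Filter
    $watcher.IncludeSubdirectories = [bool]$IncludeSubdirectories
    # 'Security' is included so ACL changes on watched objects surface as 'Changed' events
    $watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'
    $watcher.EnableRaisingEvents = $true

    # The -Action block runs in the event subscriber; $Event carries the args and our MessageData
    $action = {
        $e = $Event.SourceEventArgs
        $line = '{0:o} {1,-8} {2}' -f $Event.TimeGenerated, $e.ChangeType, $e.FullPath
        if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
        Add-Content -Path $Event.MessageData -Value $line
    }
    $ids = @()
    foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
        $job = Register-ObjectEvent -InputObject $watcher -EventName $name `
                   -SourceIdentifier "DirWatch.$name.$([guid]::NewGuid())" `
                   -Action $action -MessageData $LogFile
        $ids += $job.Name   # the job name is the SourceIdentifier; needed to unregister later
    }
    New-Object PSObject -Property @{ Watcher = $watcher; Subscriptions = $ids; LogFile = $LogFile }
}

function Stop-DirectoryWatch {
    param([Parameter(Mandatory = $true)]$Watch)
    foreach ($id in $Watch.Subscriptions) {
        Unregister-Event -SourceIdentifier $id -ErrorAction SilentlyContinue
    }
    $Watch.Watcher.EnableRaisingEvents = $false
    $Watch.Watcher.Dispose()
}

# Usage (assumed path):
#   $w = Start-DirectoryWatch -Path 'C:\inetpub\wwwroot' -IncludeSubdirectories
#   ... make some changes, then ...
#   Get-Content $w.LogFile
#   Stop-DirectoryWatch $w
```

Each event type gets its own subscription because Register-ObjectEvent binds to exactly one .NET event; the returned object keeps the identifiers so that Stop-DirectoryWatch can unregister all four and dispose the watcher instead of leaving a live handle on the directory.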
28. SHOW-USERS

29. Show-Users
   • This section will be a lot of auditing commands / scripts / functions.
   • Creating users is done everywhere.
   • Let's see what info we can gather.

30. Local users?
   • Local users are a pain… Let's view them all!
     $computer = $env:COMPUTERNAME
     $adsi = [ADSI]("WinNT://$computer,computer")
     $users = $adsi.psbase.children | Where { $_.psbase.schemaclassname -eq "User" } | Select Name
     foreach ($user in $users) { $user.name }

31. Local groups?
   • Local groups are a pain… Let's view them all!
     $computer = $env:COMPUTERNAME
     $adsi = [ADSI]("WinNT://$computer,computer")
     $groups = $adsi.psbase.children | Where { $_.psbase.schemaclassname -eq "Group" } | Select Name
     foreach ($group in $groups) { $group.name }

32. Local admins?
   • Get local admins on a machine. Better yet, scan all the machines!
     function Get-LocalAdministrators {
         param ( [string]$computer = $env:COMPUTERNAME )
         $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $computer
         # GroupComponent looks like ...:Win32_Group.Domain="HOST",Name="Administrators"
         $admins = $admins | Where { $_.GroupComponent -like '*"Administrators"' }
         $admins | ForEach {
             # PartComponent looks like ...:Win32_UserAccount.Domain="DOMAIN",Name="user"
             $_.PartComponent -match '.+Domain=(.+),Name=(.+)$' > $null
             $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
         }
     }

33. Services and users
   • One of the biggest pains I find is people using named user accounts for services.
   • Quick way to check tons of computers using Confirm-ServiceAccounts (from the talk's downloads):
     Get-Content computers.txt | Confirm-ServiceAccounts | Select SystemName, DisplayName, StartName
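Added example, and not the Confirm-ServiceAccounts script from the talk's downloads: it does the same job with the built-in Win32_Service class, listing the services on each host that run as something other than the built-in service identities, so named user accounts (with their password-rotation and credential-exposure problems) stand out. computers.txt is the same input file the slide uses; the host names in it are assumed.

```powershell
function Get-ServiceAccountUsage {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)][string]$ComputerName = $env:COMPUTERNAME
    )
    begin {
        # Identities that are normal for a service to run as; everything else is worth a look.
        # Comparison is case-insensitive, so both spellings Windows uses are covered.
        $builtin = @('LocalSystem',
                     'NT AUTHORITY\LocalService',   'NT AUTHORITY\LOCAL SERVICE',
                     'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')
    }
    process {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -ErrorAction Stop
        } catch {
            Write-Warning "${ComputerName}: $($_.Exception.Message)"
            return   # skip this host, keep going with the rest of the pipeline
        }
        foreach ($svc in $services) {
            $start = $svc.StartName
            if ([string]::IsNullOrEmpty($start)) { continue }   # driver-style entries have no account
            if ($builtin -contains $start) { continue }
            if ($start -like 'NT SERVICE\*') { continue }        # per-service virtual accounts
            # Group managed service accounts appear as DOMAIN\name$ and are usually fine;
            # they are reported here on purpose so the list is complete.
            New-Object PSObject -Property @{
                SystemName  = $svc.SystemName
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                StartName   = $start
                State       = $svc.State
                StartMode   = $svc.StartMode
            }
        }
    }
}

# Usage, same shape as the slide (computers.txt is an assumed host list):
#   Get-Content computers.txt | Get-ServiceAccountUsage |
#       Sort-Object StartName | Format-Table SystemName, DisplayName, StartName, State -AutoSize
```

Sorting by StartName turns the output into a quick inventory of which accounts are spread across how many machines, which is the list you want when one of those passwords has to change or when an account shows up in an incident.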
34. SIDs…
   • Easily get SIDs while doing forensics.
     $objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
     $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
     $strSID.Value

35. Let's track some users…
   • Let's see who logged on and off a computer (4624 logon, 4625 failed logon, 4634 and 4647 logoff, 4648 logon with explicit credentials).
     Get-WinEvent -FilterHashtable @{ LogName='Security'; StartTime=[datetime]'6/27/2012 12:00:00 AM'; ID=@(4624,4625,4634,4647,4648) } | Select TimeCreated, Id

36. Across the entire network.
   • Same filter, one host at a time. Remote queries need the Remote Event Log Management firewall rules enabled on the targets.
     $eventhashtable = @{ LogName='Security'; StartTime=[datetime]'6/27/2012 12:00:00 AM'; ID=@(4624,4625,4634,4647,4648) }
     Get-Content computers.txt | ForEach {
         Write-Host "Retrieving logs for $_ at $(Get-Date)"
         Get-WinEvent -ComputerName $_ -FilterHashtable $eventhashtable | Select MachineName, TimeCreated, Id
     }
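Added example, not the talk's script. It pulls the same five event IDs across the same host list but reads the fields a responder actually wants (account, logon type, source address, process) out of each event's XML, and by default drops the noisy network and service logons (types 3 and 5) that drown out console and RDP activity. The host list and start time in the usage line are assumptions.

```powershell
function Get-LogonActivity {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)][string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1),
        [int[]]$LogonTypes = @(2, 7, 10, 11)   # interactive, unlock, RemoteInteractive (RDP), cached interactive
    )
    begin {
        # The Security-log IDs from the slide and what each one means
        $meaning = @{ 4624 = 'Logon'; 4625 = 'FailedLogon'; 4634 = 'Logoff'; 4647 = 'UserLogoff'; 4648 = 'ExplicitCreds' }
        $filter  = @{ LogName = 'Security'; StartTime = $StartTime; ID = @(4624, 4625, 4634, 4647, 4648) }
    }
    process {
        try {
            $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Warning "${ComputerName}: $($_.Exception.Message)"
            return
        }
        foreach ($ev in $events) {
            # EventData fields are only reliable by name from the XML; the Properties order differs per ID
            $xml  = [xml]$ev.ToXml()
            $data = @{}
            if ($xml.Event.EventData) {
                foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            }
            $type = $null
            if ($data.ContainsKey('LogonType')) { $type = [int]$data['LogonType'] }
            # 4624/4625/4634 carry a logon type; 4647/4648 do not, so those are always kept
            if (($null -ne $type) -and ($LogonTypes -notcontains $type)) { continue }
            $user = $data['TargetUserName']
            if ($data['TargetDomainName']) { $user = "$($data['TargetDomainName'])\$user" }
            New-Object PSObject -Property @{
                Computer  = $ComputerName
                Time      = $ev.TimeCreated
                Id        = $ev.Id
                Event     = $meaning[$ev.Id]
                User      = $user
                LogonType = $type
                SourceIP  = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        }
    }
}

# Usage (computers.txt and the date are assumed):
#   Get-Content computers.txt | Get-LogonActivity -StartTime '2012-06-27' |
#       Sort-Object Time | Format-Table Computer, Time, Event, User, LogonType, SourceIP -AutoSize
#   Pass -LogonTypes 3 to look at network logons instead, e.g. when chasing lateral movement.
```

Parsing the XML rather than splitting the Message text keeps the function working regardless of the OS language and of the exact wording of the event template, and it is the same field set you would feed into a SIEM.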
37. Does the user have a profile on the PC?
   • A very rudimentary way to check whether someone has logged on to a PC. Win32_UserProfile lists every profile on disk by SID; translate the SID the same way as on the previous slide to get the account name.
     Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath

39. Hosts files…
   • Editing hosts files is always fun.
   • Merged some functions into a module that does hosts file manipulation.
   • REMEMBER TO RUN AS ADMINISTRATOR… (the file lives under %SystemRoot%\System32\drivers\etc and is only writable from an elevated process).

40. Host File Demo
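Added example; the talk's own hosts-file module is in its download bundle and this is not it. It reads the active (non-comment) entries into objects, adds an entry only when the name is not already mapped, removes an entry, and takes a timestamped backup before every write. Writing requires the elevated prompt the slide insists on, so the write paths check for it first. The addresses and names in the usage lines are assumptions.

```powershell
$script:HostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

function Test-IsAdministrator {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($id)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-HostsEntry {
    # One object per active line; comments and blank lines are skipped
    Get-Content -Path $script:HostsPath | ForEach-Object {
        $line = ($_ -replace '#.*$', '').Trim()
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }   # address with no name: malformed, ignore
        New-Object PSObject -Property @{ Address = $parts[0]; Hostnames = $parts[1..($parts.Count - 1)] }
    }
}

function Backup-HostsFile {
    $stamp = Get-Date -Format 'yyyyMMddHHmmss'
    Copy-Item -Path $script:HostsPath -Destination "$($script:HostsPath).$stamp.bak"
}

function Add-HostsEntry {
    param(
        [Parameter(Mandatory = $true)][string]$Address,
        [Parameter(Mandatory = $true)][string]$Hostname
    )
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    $existing = Get-HostsEntry | Where-Object { $_.Hostnames -contains $Hostname }
    if ($existing) {
        Write-Warning "$Hostname already maps to $($existing.Address) in the hosts file; not changing it."
        return
    }
    Backup-HostsFile
    # Read/append/write instead of Add-Content so a missing trailing newline cannot glue the entry to the last line
    $lines = @(Get-Content -Path $script:HostsPath) + "$Address`t$Hostname"
    Set-Content -Path $script:HostsPath -Value $lines -Encoding Ascii
}

function Remove-HostsEntry {
    param([Parameter(Mandatory = $true)][string]$Hostname)
    if (-not (Test-IsAdministrator)) { throw 'Run this from an elevated (Administrator) PowerShell.' }
    Backup-HostsFile
    $pattern = "\s$([regex]::Escape($Hostname))(\s|$)"
    # Drops every active line that names the host (a line listing several names goes with it)
    $kept = Get-Content -Path $script:HostsPath | Where-Object { ($_ -replace '#.*$', '') -notmatch $pattern }
    Set-Content -Path $script:HostsPath -Value $kept -Encoding Ascii
}

# Usage (assumed values). Sinkholing a known-bad name locally is the classic blue-team use:
#   Add-HostsEntry -Address '0.0.0.0' -Hostname 'bad.example.test'
#   Get-HostsEntry | Format-Table Address, Hostnames -AutoSize
#   Remove-HostsEntry -Hostname 'bad.example.test'
```

Get-HostsEntry doubles as a tamper check: a hosts file on a workstation should normally have no active entries at all, so anything it returns (especially entries pointing update or security-vendor names somewhere else) deserves a look.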
41. Firewall fun (V3)
   • You can manage the Windows Firewall from PowerShell on Windows 7 (through netsh advfirewall or the HNetCfg.FwPolicy2 COM object). It can be done, but takes a little bit to get used to.
   • Microsoft added firewall cmdlets in Windows 8 / Windows Server 2012.
   • They live in a new module called NetSecurity.

42. Basic firewall administration
   • The following command is pretty straightforward. It allows inbound telnet from the local subnet.
     New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program "%SystemRoot%\System32\tlntsvr.exe" -RemoteAddress LocalSubnet -Action Allow

43. Where it gets cool…
   • This rule BLOCKS telnet. The difference is -PolicyStore: the rule is written into a GPO, so you can deploy it domain-wide from the PowerShell window.
     New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program "%SystemRoot%\System32\tlntsvr.exe" -Protocol TCP -LocalPort 23 -Action Block -PolicyStore "domain.contoso.com\gpo_name"

44. Even cooler…
   • You can manage a Windows Firewall remotely!
   • You must be admin on the remote computer. Well, hopefully you are.
   • Note: A CIM session is a client-side object representing a connection to a local or remote computer.
     $Session = New-CimSession -ComputerName Host
     Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session
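Added example, not from the talk: the slides show the NetSecurity cmdlets creating and removing rules, and this is the auditing counterpart. It lists every enabled inbound Allow rule with the protocol, ports, remote addresses and program that live in the rule's associated filter objects, optionally over a CIM session to another host, and then picks out the rules that are open to any remote address. The remote host name in the usage line is an assumption; like the slides, this needs PowerShell 3 on Windows 8 / Server 2012 or later.

```powershell
function Get-InboundAllowRule {
    param(
        [Microsoft.Management.Infrastructure.CimSession]$CimSession,
        [string]$PolicyStore = 'ActiveStore'   # effective rules; 'PersistentStore' ignores GPO-delivered ones
    )
    $query = @{ Enabled = 'True'; Direction = 'Inbound'; Action = 'Allow'; PolicyStore = $PolicyStore }
    if ($CimSession) { $query['CimSession'] = $CimSession }
    foreach ($rule in (Get-NetFirewallRule @query)) {
        # Ports, addresses and the program are separate filter objects tied to the rule; a rule
        # instance fetched over a CIM session remembers that session, so piping it works remotely too
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        New-Object PSObject -Property @{
            Name          = $rule.DisplayName
            Profile       = $rule.Profile
            Protocol      = $port.Protocol
            LocalPort     = (@($port.LocalPort) -join ',')
            RemoteAddress = (@($addr.RemoteAddress) -join ',')
            Program       = $app.Program
            Source        = $rule.PolicyStoreSource   # local store or the GPO the rule came from
        }
    }
}

function Find-WideOpenInboundRule {
    # Any remote address, a fixed local port, and not scoped to a program: the ones to review first
    param([Microsoft.Management.Infrastructure.CimSession]$CimSession)
    Get-InboundAllowRule -CimSession $CimSession | Where-Object {
        $_.RemoteAddress -eq 'Any' -and $_.LocalPort -ne 'Any' -and $_.Program -eq 'Any'
    }
}

# Usage (remote host name is assumed):
#   Get-InboundAllowRule | Format-Table Name, Profile, Protocol, LocalPort, RemoteAddress, Program, Source -AutoSize
#   $s = New-CimSession -ComputerName Host
#   Find-WideOpenInboundRule -CimSession $s | Format-Table Name, Protocol, LocalPort, Source -AutoSize
```

Querying ActiveStore rather than the persistent store matters on domain machines: it shows the rules that are actually in force after Group Policy is merged in, and PolicyStoreSource tells you which GPO to fix when one of them is too permissive.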
46. PoshSec.com
   • A project to help better utilize PowerShell in the infosec space.
   • Started by myself and Will Steele (@pen_test).
   • Looking for guest bloggers. If you want to write an article, let us know: team@poshsec.com

47. PowerShell Saturday in Michigan?
   • I am looking to bring PowerShell Saturday to Michigan.
   • PowerShell Saturday is a day-long conference on PowerShell.
   • Want to speak? Let me know. Can be anything PowerShell related.

48. Special thanks!
   • Thank you for proofing my slides and providing valuable feedback!
   • Will (@pen_test)
   • Wolfgang (@jwgoerlich)
   • Scott (@sukotto_san)
   • Matt (@mattifestation)

49. Contact & Downloads
   • Contact:
     – mwjcomputing@gmail.com
     – @mwjcomputing
     – http://www.mwjcomputing.com/
     – http://www.michiganpowershell.com/
   • Downloads related to the talk:
     – http://www.mwjcomputing.com/resources/grrcon-2012
       • Slides, code samples and links to scripts used in this talk.
       • Note: Code isn't completely done. I need to add help and clean it up a tad. It does however all work. So expect updates within a week.