PowerShell - Be A Cool Blue Kid

Matt Johnson's slides for his GrrCON 2012 talk, PowerShell - Be A Cool Blue Kid.


    Presentation Transcript

    • PowerShell - Be a cool blue kid.
      Matt Johnson, @mwjcomputing
      GrrCON 2012
      MWJ Computing

    • Get-Agenda
      – Intro
      – Basics of PowerShell
      – Files / File System
      – Users / Access
      – Event Logs
      – System Management
      – Wrap Up

    • About me
      – System Analyst at a non-profit religious organization
      – Founder of Michigan PowerShell User Group
      – Moderator on Hey! Scripting Guys forums and judge for Microsoft's Scripting Games.
      – Member of #misec
      – Avid gamer and huge sports fan
      – Father to a future hacker (kid0) and husband to a wonderful wife.

    • Disclaimer
      – I am not an "expert", so let's just pretend for the next little bit that I am.
      – There is a TON of sysadmin stuff in here, however it doubles as security / blue team.
      – This talk doesn't in any way reflect the stance of my employer or Microsoft.
      – I think I am funny and sometimes talk too fast. If you have a problem, get over it.

    • Have you seen me?

    • What is PowerShell?
      – In case you haven't heard... it is a task automation framework, command-line shell and scripting language that uses and is built upon the .NET Framework.
      – Installed in every Microsoft operating system from Windows 7 / 2008 R2 and beyond.
      – Current version is 3.0.

    • Tons of support
      – Integration is deep within the Microsoft product line.
      – Other vendors support it as well.

    • What is a cmdlet?
      – A cmdlet is a "lightweight command that is used in the Windows PowerShell environment."
      – Basically, it is one of the commands built into the language.
      – Examples: Get-Help, Write-Host, Register-ObjectEvent

    • Some basic language information
      – Naming convention: Verb-Noun
        • Get-Mailbox
        • New-ADComputer
        • Verbs are defined by Microsoft (98 total)
      – Aliases help
        • Get-ChildItem (ls, dir, gci)
        • But you shouldn't use them in your scripts.
        • See them all? Get-Alias
      – Get-Help also "helps": Get-Help is your new best friend.

    • Aliases for the *nix guys

        PowerShell      PowerShell Alias   *nix
        Get-ChildItem   ls, gci, dir       ls
        Copy-Item       cp, copy           cp
        Get-Help        man, help          man
        Get-Content     cat, type          cat

    • Get-ExecutionPolicy
      – From about_execution_policies: Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts. Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
      – Can be set system-wide or per user, and via Group Policy.
      – Can be bypassed easily, so this is not a security measure!!!!

    • Making tools
      – One of the best things about PowerShell.
      – You can easily make tools (functions, scripts, modules, etc.), repackage them and share them.
      – Tons of resources on how to share and where to share are out there.

    • Modules
      – A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.

    • Modules cont...
      – What are modules good for? Repackaging tools; sharing scripts.
      – Some very cool modules out there: PSCX, Office 365, NTFS Security

    • Recording your session
      – PowerShell has built-in logging.
      – Log your commands, the output and the whole kitten kaboodle.
      – Start-Transcript
      – Stop-Transcript

    • A few last minute notes
      – Objects! Everything is an object unless you decide to make it text.
      – Pipeline! Things being objects makes everything much more fun.
      – Variables! Prefixed with $
      – Special variables! Some special ones include $_ and $true

    • Set-LastNote
      – Everything in this talk works with Version 2 or above. V2!

    • File permissions
      – By far not my favorite thing to do.
      – A complete pain if you have to set permissions on a lot of files.
      – xcacls and cacls.exe are nice, but we can use PowerShell.

    • File permissions
      – Built-in commands for doing ACLs: Get-Acl, Set-Acl
      – However... these cmdlets are difficult at best to use. Actually, painful is a better word.
    • File Permission Demo 1
    • That sucks... kind of
      – Easily put into a function, especially if the files you are setting permissions on require the same permissions.
      – Requires time spent in the MSDN documentation to actually get setting permissions right.
      – There is some help though: the File System Security PowerShell Module 2.1 by Raimund Andrée.
    • File Permission Demo 2
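    The "put it into a function" idea from the previous slide, as an added example (not the talk's demo code and not the File System Security module): Get-Acl / Set-Acl wrapped so one access rule can be applied to many files from the pipeline. The function name Add-FileAccessRule and the paths and group in the usage comment are placeholders.

```powershell
# Added example: wrap Get-Acl / Set-Acl in a reusable function so the same
# rule can be applied to many files. Function name and sample paths are ours.
function Add-FileAccessRule {
    param(
        [Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,   # e.g. 'DOMAIN\Auditors'
        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute',
        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )
    process {
        # Folders should pass the rule down to children; files have no children,
        # and asking for inheritance on a file throws, so pick the flags per type.
        if (Test-Path -Path $Path -PathType Container) {
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        } else {
            $inherit = [System.Security.AccessControl.InheritanceFlags]::None
        }
        $propagate = [System.Security.AccessControl.PropagationFlags]::None

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $Rights, $inherit, $propagate, $Type)

        $acl = Get-Acl -Path $Path
        $acl.AddAccessRule($rule)          # appends an ACE; existing entries are kept
        Set-Acl -Path $Path -AclObject $acl

        # Echo the resulting DACL so the change can be eyeballed or logged
        Get-Acl -Path $Path | Select-Object Path, Owner, AccessToString
    }
}

# Usage (placeholder folder and group): give the auditors read access to every log file
# Get-ChildItem C:\AppLogs -Filter *.log | Select-Object -ExpandProperty FullName |
#     Add-FileAccessRule -Identity 'DOMAIN\Auditors' -Rights ReadAndExecute
```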
    • Monitor file system changes
      – With a few lines of code, you can monitor changes in a directory.
      – However, it goes away with the PowerShell session.
      – Can email, write to host, log to file or event logs.
    • File Monitoring Demo
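    One way to build the monitor the slide above describes, as an added example (not the talk's demo script): a System.IO.FileSystemWatcher wired to Register-ObjectEvent, logging every change to a file. The watched directory and log path are placeholders; the subscriptions last only for this PowerShell session, as the slide notes.

```powershell
# Added example: watch a directory and append Created/Changed/Deleted/Renamed
# events to a log file. Paths are placeholders.
$watchPath = 'C:\Watched'            # placeholder directory to monitor
$logFile   = 'C:\Logs\fswatch.log'   # placeholder log destination

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $watchPath
$watcher.Filter                = '*.*'
$watcher.IncludeSubdirectories = $true
# Security = ACL changes, so permission tampering shows up as a Changed event too
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'
$watcher.EnableRaisingEvents   = $true

# One handler for every event kind. The engine fills $Event; the log path is
# passed through -MessageData because the action runs in its own scope.
$action = {
    $e    = $Event.SourceEventArgs
    $line = '{0:s} {1,-8} {2}' -f $Event.TimeGenerated, $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
    Add-Content -Path $Event.MessageData -Value $line
}

# Register one subscriber per event name
$subs = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "FSWatch.$name" -MessageData $logFile -Action $action
}

# Tear-down when finished (the subscriptions die with the session anyway):
# $subs | Unregister-Event; $watcher.Dispose()
```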
    • Show-Users
      – This section will be a lot of auditing commands / scripts / functions.
      – Creating users is done everywhere.
      – Let's see what info we can gather.

    • Local users?
      – Local users are a pain... Let's view them all!

        $computer = $env:COMPUTERNAME
        $adsi = [ADSI]("WinNT://$computer,computer")
        $users = $adsi.psbase.children | Where { $_.psbase.schemaclassname -eq "User" } | Select Name
        foreach ($user in $users) { $user.name }

    • Local groups?
      – Local groups are a pain... Let's view them all!

        $computer = $env:COMPUTERNAME
        $adsi = [ADSI]("WinNT://$computer,computer")
        $groups = $adsi.psbase.children | Where { $_.psbase.schemaclassname -eq "Group" } | Select Name
        foreach ($group in $groups) { $group.name }

    • Local admins?
      – Get local admins on a machine. Better yet, scan all the machines!

        function Get-LocalAdministrators {
            param ( [string]$computer = $env:COMPUTERNAME )
            # Win32_GroupUser maps each local group to its members
            $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $computer
            $admins = $admins | Where { $_.GroupComponent -like '*"Administrators"' }
            $admins | ForEach {
                # PartComponent ends in ...Domain="DOM",Name="user"; pull both out
                $_.PartComponent -match '.+Domain=(.+),Name=(.+)$' > $null
                $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
            }
        }

    • Services and users
      – One of the biggest pains I find is people using accounts for services.
      – Quick way to check tons of computers using Confirm-ServiceAccounts:

        Get-Content computers.txt | Confirm-ServiceAccounts | Select SystemName, DisplayName, StartName

    • SIDs...
      – Easily get SIDs while doing forensics.

        $objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
        $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
        $strSID.Value

    • Let's track some users...
      – Let's see who logged on and logged off on a computer.

        Get-WinEvent -FilterHashTable @{LogName='Security'; StartTime=[datetime]'6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)} | Select TimeCreated, Id

    • Across the entire network.

        $eventhashtable = @{LogName='Security'; StartTime=[datetime]'6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)}
        Get-Content computers.txt | ForEach {
            Write-Output "Retrieving logs for $_ at $(Get-Date)"
            Get-WinEvent -ComputerName $_ -FilterHashTable $eventhashtable | Select TimeCreated, Id
        }

    • User have profile on PC?
      – A very rudimentary way to check to see if someone logged on to a PC.

        Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath
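    The logon-tracking queries above only return TimeCreated and Id. As an added example (not from the slides), here is the same Security-log query extended to read each event's XML so every row also shows the account, the logon type and the source address; the function name Get-LogonEvent and the default one-day window are assumptions.

```powershell
# Added example: enrich the 4624/4625/4634/4647/4648 query with who, how and
# from where, by parsing the event's EventData instead of only TimeCreated/Id.
$logonType = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                8='NetworkCleartext'; 9='NewCredentials'; 10='RemoteInteractive';
                11='CachedInteractive' }

function Get-LogonEvent {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime  = (Get-Date).AddDays(-1),   # assumed default window
        [int[]]$Id            = @(4624, 4625, 4634, 4647, 4648)
    )
    $filter = @{ LogName='Security'; StartTime=$StartTime; ID=$Id }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # EventData is a list of <Data Name="...">value</Data>; flatten to a hashtable
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            New-Object PSObject -Property @{
                Computer    = $ComputerName
                TimeCreated = $_.TimeCreated
                Id          = $_.Id
                User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                # 4634/4647 carry no LogonType; the lookup then simply yields $null
                LogonType   = $logonType[[int]$data['LogonType']]
                SourceIp    = $data['IpAddress']
            }
        }
}

# Interactive and RDP logons on this box in the last day, newest first:
# Get-LogonEvent | Where-Object { $_.Id -eq 4624 -and ('Interactive','RemoteInteractive' -contains $_.LogonType) } |
#     Sort-Object TimeCreated -Descending | Format-Table TimeCreated, User, LogonType, SourceIp
```

Feed it the same computers.txt as the slide to cover the network: Get-Content computers.txt | ForEach { Get-LogonEvent -ComputerName $_ }.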
    • Hosts files...
      – Editing hosts files is always fun.
      – Merged some functions into a module that does hosts file manipulation.
      – REMEMBER TO RUN AS ADMINISTRATOR...
    • Host File Demo
    • Firewall fun (V3)
      – You can manage the Windows Firewall using PowerShell in Windows 7. It can be done, but it takes a little bit to get used to.
      – Microsoft added firewall commands in Windows 8 / Windows Server 2012.
      – There is a new module called NetworkSecurity.

    • Basic firewall administration
      – The following command is pretty straightforward. It allows telnet to be accessible on the local subnet.

        New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow

    • Where it gets cool...
      – This rule BLOCKS telnet. However, it stores the firewall rule in a GPO, so you can deploy it from the PowerShell window.

        New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name

    • Even cooler...
      – You can manage a Windows Firewall remotely!
      – You must be admin on the remote computer. Well, hopefully you are.
      – Note: A CIM session is a client-side object representing a connection to a local or remote computer.

        $Session = New-CimSession -ComputerName Host
        Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session

    • PoshSec.com
      – A project to help better utilize PowerShell in the infosec space.
      – Started by myself and Will Steele (@pen_test).
      – Looking for guest bloggers. If you want to write an article, let us know: team@poshsec.com

    • PowerShell Saturday in Michigan?
      – I am looking to bring PowerShell Saturday to Michigan.
      – PowerShell Saturday is a day-long conference on PowerShell.
      – Want to speak? Let me know. Can be anything PowerShell related.

    • Special thanks!
      – Thank you for proofing my slides and providing valuable feedback!
      – Will (@pen_test)
      – Wolfgang (@jwgoerlich)
      – Scott (@sukotto_san)
      – Matt (@mattifestation)

    • Contact & Downloads
      – Contact:
        • mwjcomputing@gmail.com
        • @mwjcomputing
        • http://www.mwjcomputing.com/
        • http://www.michiganpowershell.com/
      – Downloads related to talk: http://www.mwjcomputing.com/resources/grrcon-2012
        • Slides, code samples and links to scripts used in this talk.
        • Note: Code isn't completely done. I need to add help and clean it up a tad. It does however all work. So expect updates within a week.