PowerShell - Be A Cool Blue Kid
GrrCON 2012
Matt Johnson
@mwjcomputing
MWJ Computing
Get-Agenda
• Intro
• Basics of PowerShell
• Files / File System
• Users / Access
• Event Logs
• System Management
• Wrap Up
SHOW-INTRO
About me
• System Analyst at a non-profit religious organization
• Founder of Michigan PowerShell User Group
• Moderator on Hey! Scripting Guys forums and judge for Microsoft’s Scripting Games.
• Member of #misec
• Avid Gamer and huge sports fan
• Father to a future hacker (kid0) and husband to a wonderful wife.
Disclaimer
• I am not an “expert”, so let’s just pretend for the next little bit that I am.
• There is a TON of sysadmin stuff in here, however it doubles as security / blue team.
• This talk doesn’t in any way reflect the stance of my employer or Microsoft.
• I think I am funny and sometimes talk too fast. If you have a problem, get over it.
EXPORT-POWERSHELL
Have you seen me?
What is PowerShell?
• In case you haven’t heard….
  – It is a task automation framework, command-line shell and a scripting language that uses and is built upon the .NET Framework
• Installed in every Microsoft Operating System from Windows 7 / 2008 R2 and beyond.
• Current Version is 3.0
Tons of support
• Integration is deep within Microsoft Product line
• Other vendors support it as well
What is a cmdlet?
• A cmdlet is a “lightweight command that is used in the Windows PowerShell environment.”
• Basically it is the commands built into the language.
• Examples:
  – Get-Help
  – Write-Host
  – Register-ObjectEvent
Some basic language information
• Naming Convention
  – Verb-Noun
    • Get-Mailbox
    • New-ADComputer
  – Verbs are defined by Microsoft (98 total)
• Aliases Help
  – Get-ChildItem (ls, dir, gci)
  – But, you shouldn’t use them in your scripts.
  – See them all? Get-Alias
• Get-Help also “helps”
  – Get-Help is your new best friend
Aliases for the *nix Guys
PowerShell       PowerShell Alias   *nix
Get-ChildItem    ls, gci, dir       ls
Copy-Item        cp, copy           cp
Get-Help         man, help          man
Get-Content      cat, type          cat
Get-ExecutionPolicy
• From about_execution_policies
  – Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts.
  – Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.
• Can be set system-wide or per user, and via Group Policy
• It can be bypassed easily, so this is not a security measure!!!!
Making Tools
• One of the best things about PowerShell.
• You can easily make tools (functions, scripts, modules, etc…) and repackage them and share them.
• Tons of resources on how to share and where to share are out there.
Modules
• A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.
Modules Cont…
• What are modules good for?
  – Repackaging tools
  – Sharing scripts
• Some very cool modules out there
  – PSCX
  – Office 365
  – NTFS Security
Recording your session
• PowerShell has built-in logging.
• Log your commands, the output and the whole kitten kaboodle
• Start-Transcript
• Stop-Transcript
A few last minute notes
• Objects!
  – Everything is an object unless you decide to make it text.
• Pipeline!
  – Things being objects makes everything much more fun.
• Variables!
  – Prefixed with $
• Special Variables!
  – Some special ones include
    • $_
    • $true
Set-LastNote
• Everything in this talk works with Version 2 or above.
V2!
SHOW-FILEFUN
File Permissions
• By far not my favorite thing to do
• A complete pain if you have to set permissions on a lot of files
• xcacls and cacls.exe are nice, but we can use PowerShell
File Permissions
• Built-in commands for doing ACLs
  – Get-ACL, Set-ACL
• However…. These cmdlets are difficult at best to use. Actually, painful is a better word.
File Permission Demo 1
That sucks…. Kind of
• Easily put into a function. Especially if files you are setting permissions on have the same permissions required.
• Requires time spent in the MSDN documentation to actually get setting permissions right.
• There is some help though. The File System Security PowerShell Module 2.1 by Raimund Andrée
File Permission Demo 2
Monitor File System Changes
• With a few lines of code, you can monitor changes in a directory.
• However, the monitoring goes away when the PowerShell session ends.
• Can email, write to host, log to file or to event logs.
File Monitoring Demo
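An added example of the directory monitor described above (not the talk's own demo code): a FileSystemWatcher whose events are written to the Application event log, so they survive the session even though the subscription itself does not. The watched path and the event source name are assumptions.

```powershell
# Added example, not from the talk: watch a directory and record every change in
# the Application event log. $path and $source are placeholders.
$path   = 'C:\inetpub\wwwroot'    # directory to watch (assumed)
$source = 'PoshFileMonitor'       # event source; creating it requires admin rights

if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $path
$watcher.IncludeSubdirectories = $true
# Fire on name changes, content writes and ACL changes.
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite, Security'
$watcher.EnableRaisingEvents = $true

# One handler serves all four event kinds; the args say what happened.
$action = {
    $e   = $Event.SourceEventArgs
    $msg = "$($e.ChangeType): $($e.FullPath)"
    if ($e.OldFullPath) { $msg += " (was $($e.OldFullPath))" }   # Renamed events only
    Write-EventLog -LogName Application -Source $Event.MessageData `
        -EntryType Warning -EventId 1000 -Message $msg
}
foreach ($change in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $change `
        -SourceIdentifier "FSWatch.$change" -Action $action -MessageData $source | Out-Null
}

# The subscriptions live only as long as this session. To stop watching:
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'FSWatch.*' } | Unregister-Event
```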
SHOW-USERS
Show-Users
• This section will be a lot of auditing commands / scripts / functions.
• Creating users is done everywhere.
• Let’s see what info we can gather
Local Users?
• Local Users are a pain… Let’s view them all!
$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
$users = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "User"} | Select Name
foreach ($user in $users) { $user.Name }
Local Groups?
• Local Groups are a pain… Let’s view them all!
$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
$groups = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "Group"} | Select Name
foreach ($group in $groups) { $group.Name }
Local Admins?
• Get local admins on a machine. Better yet scan all the machines!
function Get-LocalAdministrators {
    param ([string]$computer = $env:computername)
    # Win32_GroupUser holds every group/member pairing on the box; keep the Administrators rows.
    $admins = Get-WMIObject -class win32_groupuser -computer $computer
    $admins = $admins | where {$_.groupcomponent -like '*"Administrators"'}
    $admins | Foreach {
        # PartComponent looks like ...Domain="HOST",Name="user"; pull out both halves.
        $_.partcomponent -match '.+Domain\=(.+)\,Name\=(.+)$' > $null
        $matches[1].trim('"') + "\" + $matches[2].trim('"')
    }
}
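Taking the "scan all the machines" idea one step further, here is an added example (not from the talk) that runs the slide's Get-LocalAdministrators against a list of computers and compares each result to an approved baseline, so unexpected or missing members show up as findings. computers.txt and the baseline list are assumptions.

```powershell
# Added example, not from the talk. Assumes Get-LocalAdministrators from the
# slide above is already defined in the session.
function Compare-LocalAdministrators {
    param (
        [string[]]$ComputerName,
        [string[]]$Approved      # accounts expected in the group, as DOMAIN\Name
    )
    foreach ($computer in $ComputerName) {
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            Write-Warning "$computer is unreachable; skipping"
            continue
        }
        $members = @(Get-LocalAdministrators -computer $computer)

        # Members that are not on the baseline are the interesting ones.
        foreach ($member in $members) {
            if ($Approved -notcontains $member) {
                New-Object PSObject -Property @{
                    ComputerName = $computer; Account = $member; Status = 'Unexpected'
                }
            }
        }
        # A baseline account that is gone can mean a management account was removed.
        foreach ($expected in $Approved) {
            if ($members -notcontains $expected) {
                New-Object PSObject -Property @{
                    ComputerName = $computer; Account = $expected; Status = 'Missing'
                }
            }
        }
    }
}

# Constructed baseline for illustration; replace with your own.
$baseline = 'CONTOSO\Domain Admins', 'CONTOSO\WorkstationAdmins'
Compare-LocalAdministrators -ComputerName (Get-Content computers.txt) -Approved $baseline |
    Sort-Object ComputerName, Status | Format-Table ComputerName, Status, Account -AutoSize
```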
Services and Users
• One of the biggest pains I find is people using accounts for services.
• Quick way to check tons of computers using Confirm-ServiceAccounts (a function from my scripts)
Get-Content computers.txt | Confirm-ServiceAccounts |Select SystemName, DisplayName, StartName
SIDS….
• Easily get SIDs while doing forensics.
$objUser = New-Object System.Security.Principal.NTAccount($domain,$user)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
Let’s track some users…..
• Let’s see who logged on and logged off on a computer.
get-winevent -FilterHashTable @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)} |select timecreated,id
Across the entire network.
$eventhashtable = @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)}
Get-Content computers.txt | Foreach {
    Write "Retrieving logs for $_ at $(Get-Date)"
    # -ComputerName $_ reads the remote machine's log; without it every pass would query the local box.
    get-winevent -ComputerName $_ -FilterHashTable $eventhashtable | select timecreated,id
}
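Listing TimeCreated and ID is a start; an added example (not from the talk) that pulls the failed logons (4625) from every computer in the list and summarises them by target account and source address, so a burst of failures against one account stands out. computers.txt, the one-day window and the threshold of 10 are assumptions.

```powershell
# Added example, not from the talk. Collects 4625 events from each host in
# computers.txt and groups them by account and source address.
$filter = @{LogName='Security'; StartTime=(Get-Date).AddDays(-1); ID=4625}

function Get-EventField {
    # Pull one named <Data> field out of the event's EventData via its XML;
    # more robust than counting positions in .Properties.
    param ($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$failures = foreach ($computer in Get-Content computers.txt) {
    if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
        Write-Warning "$computer is unreachable; skipping"
        continue
    }
    # SilentlyContinue: a host with no 4625 events in the window simply yields nothing.
    Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            New-Object PSObject -Property @{
                ComputerName = $computer
                TimeCreated  = $_.TimeCreated
                Account      = Get-EventField -Record $_ -Name 'TargetUserName'
                SourceIP     = Get-EventField -Record $_ -Name 'IpAddress'
                Status       = Get-EventField -Record $_ -Name 'Status'   # NTSTATUS code, e.g. bad password vs. unknown user
            }
        }
}

# Repeated failures against one account from one address within a day are worth a look.
$failures | Group-Object Account, SourceIP | Where-Object { $_.Count -ge 10 } |
    Sort-Object Count -Descending | Select-Object Count, Name
```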
User have profile on PC?
• A very rudimentary way to check to see if someone logged on to a PC.
Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath
SET-SYSTEMMANAGEMENT
Host Files…..
• Editing hosts files is always fun.
• Merged some functions into a module that does hosts file manipulation.
• REMEMBER TO RUN AS ADMINISTRATOR…..
Host File Demo
Firewall fun (V3)
• You can manage the Windows Firewall with PowerShell on Windows 7, but it takes a little getting used to.
• Microsoft added Firewall Commands in Windows 8 / Windows 2012.
• There is a new module called NetworkSecurity
Basic Firewall Administration
• The following command is pretty straightforward. It allows inbound telnet from the local subnet.
New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
Where it gets cool….
• This rule BLOCKS telnet. However, -PolicyStore stores the firewall rule in a GPO, so you can deploy it from the PowerShell window.
New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
Even cooler…..
• You can manage a Windows Firewall remotely!
• You must be admin on the remote computer. Well, hopefully you are.
• Note: A CIM session is a client-side object representing a connection to a local or remote computer.
$Session = New-CimSession -ComputerName Host
Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session
DISCONNECT-SESSION
PoshSec.com
• A project to help better utilize PowerShell in the Infosec Space.
• Started by myself and Will Steele (@pen_test).
• Looking for guest bloggers. If you want to write an article, let us know. [email protected]
PowerShell Saturday in Michigan?
• I am looking to bring PowerShell Saturday to Michigan.
• PowerShell Saturday is a day long conference on PowerShell.
• Want to speak? Let me know. Can be anything PowerShell related.
Special Thanks!
• Thank you for proofing my slides and providing valuable feedback!
• Will (@pen_test)
• Wolfgang (@jwgoerlich)
• Scott (@sukotto_san)
• Matt (@mattifestation)
Contact & Downloads
• Contact:
  – [email protected]
  – @mwjcomputing
  – http://www.mwjcomputing.com/
  – http://www.michiganpowershell.com/
• Downloads related to talk
  – http://www.mwjcomputing.com/resources/grrcon-2012
• Slides, code samples and links to scripts used in this talk.
• Note: Code isn’t completely done. I need to add help and clean it up a tad. It does however all work. So expect updates within a week.