
CY4700

Applied Defensive Cyberspace Operations


PowerShell Overview
At Least It’s Not AWK

2
Overview

Windows PowerShell
• Version 1 was released in 2006
• Jeffrey Snover is the Architect of PowerShell
• It’s not a scripting language
• Command-line shell for command-line utilities
• Like all good shells it has scripting capabilities

• VBScript is closest to PowerShell


• Want to check a NIC? Sure
• Want to check link speed? Nope
• VBScript can’t do that “Last Mile”
• PowerShell can
3
Overview

• Has 100% of MS’ administrative functionality in the shell
• All MS’ GUI consoles run PowerShell behind the scenes
• Automates repetitive tasks
• Runs entirely in memory (Nothing to Disk)
• Server 2008 introduced Version 3
• Almost completely managed from PowerShell or PowerShell’s GUI

4
Overview

• As of 16AUG2016
• Open Source Alpha for Linux and Mac

5
Overview

• As of 16AUG2016
• This Tweet followed the announcement

6
Overview

• Requires .NET Framework V4 at a minimum


• PowerShell also installs Windows Remote Management (WinRM) service
• It’s a core Windows technology
• Installed as a hotfix, so once installed it can be almost impossible to remove
• Bugfixes and Updates are also hotfixes

7
Overview

Windows PowerShell
• Comprised of:
• PowerShell.exe
• PowerShellISE.exe
• Integrated Scripting Environment
• Not installed by default on older Server Versions
• Use Add-WindowsFeature powershell-ise

8
Version

• $PSVersionTable

9
Exercise 1

• Take a snapshot of all the VMs you’re working with


• Open Powershell as Administrator on a VM
• Run $PSVersionTable

10
Version

11
Version

• Why do we care about the version of PS?

• If we want to attach to a Windows XP box (or any older system), then we may want to use PS Ver 2

• If we want to make sure we can connect to any given box/machine, we may not want to build a script with PS Ver 5 and hope it works...

12
Version

13
Your Mileage May Vary

• You may encounter a problem with commands or script execution between versions

• Most, if not all, of these commands should work without a problem

• Always a good idea to check on the local machine with the version that’s on the target before executing anything significant (we’ll talk about that more in a minute)

14
Overview

• PowerShell is huge, so we won’t get to most of the internals or the behind the scenes of PowerShell
• Again, writing for Version 2 makes sense since it will work on everything you should come across
• “PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and the applications that run on Windows”

15
Overview

• PowerShell is a good alternative to the MSF and <insert_linux_script>
• Already resides on Windows servers and clients
• PowerShell is the bash of Windows

16
Exercise 2 Update To PS Version 4

• Inside PowerShell (Version 2)
– On your Win 7 Boxes
– net use K: \\29.0.0.100\share <enter>
– IF you’re asked, use these credentials
– username: administrator <enter>
– password: Badpassword12!@ <enter>
– K:
– Copy PS4Installer.msu to local machine
• PS:> copy K:\PS4Installer.msu
• This will copy the file to the local working directory on the local machine
– Copy Hacker_Secret.jpeg to local machine
– Make sure the Windows Update service is running
– Open a CMD shell if this doesn’t work in PowerShell
– wusa.exe PS4Installer.msu
– Reboot
17
Exercise 3 Version

• Let’s slip into Version 2 on the Win 7 Client...
– Powershell.exe -Version 2
– $PSVersionTable
• And Back
– Powershell.exe -Version 4
– $PSVersionTable
• Since we’re using Win 7, we get Version 4

18
Font

• Customize the window
• Use Lucida font
• Make sure the PS window does not have a scroll bar at the bottom!
• On the Layouts tab set both Width #’s to the same #
• PS right justifies the output
• If you see a horizontal scrollbar at the bottom, you will probably miss output
• Single Quote - '
• Backtick - `
• Number one and lowercase L
19
ISE

• ISE
• Use font slider
• Customize the window as you see fit

• Syntax is EXTREMELY Important

• Make sure PS App window runs as Administrator

20
Console

• Run the 64-bit versions of the app, not 32-bit
• Clipboard operations in PS are nonstandard
• ISE is standard
• F7
• Get-a... and tab and shift-tab
• dir c:\ … and tab
• Set-Ex… Tab... then - (tac) … then Tab -e or -s and Tab
• Or - … and Tab and then - ... then Shift-Tab
• Esc clears the command line
• Clear clears the screen

21
ISE

• ISE has Intellisense
• Ctrl+Space or Right Click
• Clipboard operations in PS are nonstandard
• ISE is standard

22
Help

• Don’t use Google or Bing (Good way to rile Prof Wyatt)
• Help Get-Service (for example)

• The error will tell you exactly where you went wrong
– It really is useful

• Updateable Help
• Update-help

• Wildcards
• Help *log*
• Help *event*
23
Help

• A number of Options and Filters

• Get-Help, Help, and -? are your friends

24
Help

• Get-Member

• Get-Help Get-Member -Examples | more
– View the properties and methods of another PowerShell object

25
Exercise 4

• Updateable Help
• Update-help

26
Exercise 5 Show-Command

• Show-Command Get-EventLog (local)

27
Show-Command

• Full Form Command
• Command Name
• Full parameter names
• All parameter names regardless of position

• Show-Command will not work when stringing multiple commands together

28
Exercise 6

• Get-Command

• This lists all the cmdlets available

• Of course this runs off the screen so we need to pipe

• Get-Command | More
• Space bar - One Page at a Time
• Return - One Command at a Time
• Ctrl-C Exits

29
Exercise 6 Cont

• Get-Command

• Take a look at the descriptions

• Some, of course, you can see could be very helpful, some very destructive

• Look for the top dozen you might be interested in or find useful

30
Exercise 7 Command Line

• Normal CMD Commands work as well
• Ping
• Nslookup
• Ipconfig
• Net
• Test-Connection
• PS or Get-Process
• Net View
• Net View /Domain:<domain name>
• Net Users /Domain
• Net Use
• Launches CMD.EXE behind the scenes

31
Exercise 7 Command Line

• Test-Connection = better than Ping

• Test-Connection -ComputerName www.sun.com

32
Exercise 8 Piping and Exporting

• Dir | More
– Works as you would expect

• Get-Process | Export-Csv procs.csv
• Notepad procs.csv

• You can pipe the output of almost any Get- to a .CSV

• Then it’s easily searchable and sortable

33
Exercise 8 Cont Piping and Exporting

• Get-Process | Export-CliXML reference.xml
• Notepad reference.xml

• Better to use CliXML because it can hold more than a flat file format like .CSV

34
Exercise 8 Cont Piping and Exporting

• Get-Service | ConvertTo-Html | Out-File c:\services
• Open IE and take a look

35
Killing and Stopping Services

• THIS WILL CRASH YOUR COMPUTER
• DO NOT RUN
• Get-Process | Stop-Process
– OR
• Stop-Process
• Get-Process -name Notepad | Stop-Process
– OR
• Stop-Process -name Notepad

• Stop-Service
• Start-Service
• Set-Service
36
Exercise 9 Aliases

• Get-Alias -definition Get-Service
• Alias GSV -> Get-Service

• Get-Alias -definition Stop-Process
• Alias -> Kill
• Alias -> spps

• New-Alias
• Help New-Alias -examples

37
Exercise 10 Another Output

• Similar to what we did with CSV and HTML

• Get-Process | Out-Gridview

• Get-Service | Where Status -eq 'running'
• Get-Service | Where Status -eq 'stopped'

38
Yet Another Output

39
Registry Access Exercise 11

• PS C:\> cd hklm:
• hklm:\> dir
• hklm:\> cd \system\currentcontrolset\control
• hklm:\> dir | more

• hklm:\> powershell

• Notice that the output of dir (Get-ChildItem) is different in the registry drives than it is in the file system. Because the registry has different drives, Windows PowerShell displays a different view of the data
• The output includes a subkey count (SC) and a value count (VC)

40
Remoting Into Another Machine

• Remote PowerShell is very similar to…
• Telnet
• SSH
• MSF psexec

41
Remoting Into Another Machine

• Uses Web Services for Management (WSMAN)
• Operates entirely over
– HTTP
– HTTPS
• Makes it easier to flow through firewalls
• But uses nonstandard ports so as not to conflict
• Microsoft background service Windows Remote Management (WinRM)
• Only get the credential permissions you log in with... admin=admin

42
Remoting Into Another Machine

• Need to be members of the Same Domain, or of Trusted/Trusting Domains
• PowerShell gives the ability to remote into the background (usually unseen by users)
• WinRM serves tens to hundreds of service endpoints on systems
• HTTP over port 5985
• HTTPS over port 5986

43
Remoting Into Another Machine

• Kerberos Authentication

• You can even do a Kerberos Double Hop

44
Remoting Into Another Machine

• On the Client System
• winrm set winrm/config/listener?Address=*+Transport=HTTP @{Port="1234"}
• OR
• WinRM QuickConfig
• OR
• Set-WSManQuickConfig
• OR
• Better Yet...

45
Remoting Into Another Machine

46
Remoting Into Another Machine

• Error if adapter is set for “Public”
– Public can’t have Win Firewall Exceptions
– Network adapter must be set for Home or Work

47
Remoting Into Another Sys Exercise 12

• Enable-PSRemoting
• Runs on the Client
• New-PSSession <IP or Name> -Credential <Name>
• Runs on the CC system

• Error if adapter is set for “Public”
– Public can’t have Win Firewall Exceptions
– Adapter must be set for Home or Work

48
Remoting Sys Exercise 12 Cont

• Enable-PSRemoting
• Runs on the Client
• New-PSSession <IP> -Credential <UserName>
• Runs on the CC system
• Starts a new session and runs it in the background on a CC system
– After session start the ID will be presented
• WinRM, by default, won’t let you connect via IP Addy or a DNS Alias

• Enter-PSSession #
• To enter that session
49
Remoting Sys Exercise 12 Cont

• Your copy of PowerShell will pass along whatever security token it is running under
• Uses Kerberos
– So your Username and Pass are not transmitted

• Get-ExecutionPolicy
• Should be set to Restricted
• Set-ExecutionPolicy
• Unrestricted
• This actually changes HKEY_LOCAL_MACHINE
50
Remoting Into Another Machine

• There are Five Different Levels for Script Execution
• Restricted - (Default) Scripts won’t execute
• AllSigned - Will run scripts that have been signed by trusted CA
• RemoteSigned - Execute local scripts, and execute remote scripts if they have been signed by a trusted CA
• Unrestricted - All scripts will run
• Bypass - Special setting used by Developers
51
Remoting Into Another Machine

• PowerShell Security...

• PowerShell security is only designed to prevent a user from running a script, not stop a determined user from doing same
• PowerShell only tries to stop users from being tricked by untrusted sources

52
Remoting Into Another Machine

• While we’re on the subject of security…

• The default script extension for PowerShell is .PS1

• Windows does not consider .PS1 filename extensions as executable
» But you can change that
• You can’t run the script by typing its name
» But you can use absolute (C:\test.ps1)
» Or relative paths (.\test.ps1)

53
Remoting Into Yet Another Machine

• Enable-WSManCredSSP -Role Server
• Runs on the Client
• Enable-WSManCredSSP -Role Client -DelegateComputer X
• Runs on the CC system
• X is replaced with the name of the computer that your credentials may be delegated to
• You can do this and “Hop” or Pivot from one machine to another
– Creates a Remote Chain
– Otherwise called a Proxy Chain ...
54
Remoting Into Another Machine

• If you, at the CC machine, retrieve a process and pipe it to Stop-Process, it’ll stop running, as you would expect
• And what you did will be hidden from the user
• Becomes useful to “hop” over Firewalls in some cases
• Be aware that GPO can mess with anything set locally (because it’s Global), and cause problems with remoting in an Enterprise/Organization

55
Invoke versus Remoting

• Run command or a script on remote system/s as background process/job

• Invoke-Command -ComputerName <computername> -FilePath <pathToScript> -ArgumentList <argument 1, 2, 3>

56
Invoke Exercise 14

• Local machine

• PS C:\Users\Administrator>

• Invoke-Command <IP or ComputerName> -Command {Get-EventLog Application -newest 25}
• Change Application to Security

• Get-Job and Receive-Job to get status

• Did you catch the Triskaidekaphobia?

57
Invoke Exercise 14 Cont

• PS C:\Users\Administrator>

• How do you think you can use the Invoke to do the same thing as using the “PS” command on your local machine to display just the SVCHOST processes?

58
Invoke Exercise 14 Cont

• PS C:\Users\Administrator>

• Invoke-Command <IP or ComputerName> -Command {Get-Process svchost} -Credential <UserName>

59
Invoke to Multiple Machines

• 1:n Remoting
• Send a command to multiple remote computers
at the same time
• Each system will independently execute the
command and send the results back to you
• By default, PowerShell can talk to 32 computers
at once
• I could use -ThrottleLimit to increase that
number...

60
Invoke to Multiple Machines

• Invoke-Command -ComputerName Server-DC1, Server-R2 -Command {Get-EventLog Security -newest 200 | Where { $_.EventID -eq 1212 }}

• Get-Job and Receive-Job to get status

61
Invoke to Multiple Machines

• Invoke-Command -ComputerName Server-DC1, Server-R2 -Command {Get-EventLog Security -newest 200 | Where { $_.EventID -eq 1212 }}

• Instead of listing a number of systems every time, as I’ve done above
– Invoke-Command -Command { dir } -ComputerName (Get-Content domainservers.txt)
• This pulls all the computer names from the domainservers.txt file
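Putting the 1:n remoting slides and the session exercises (New-PSSession, Enter/Remove-PSSession) together as one worked script. This is an added example, not from the course slides; it assumes the hosts listed in domainservers.txt are domain-joined with WinRM reachable on TCP 5985, that the caller is an administrator on them, and the event ID and output file name are constructed for illustration.

```powershell
# Added example (not from the slides): fan out one Security-log query to every
# host in domainservers.txt over reusable PSSessions, run it as a background job,
# collect the typed results, and clean up.
$computers = Get-Content .\domainservers.txt | Where-Object { $_.Trim() }
$cred      = Get-Credential        # prompt once; Kerberos carries the token to each host

# One PSSession per host. A host that is down must not abort the whole fan-out,
# so connection errors are collected and reported instead of thrown.
$sessions = New-PSSession -ComputerName $computers -Credential $cred `
                -ErrorAction SilentlyContinue -ErrorVariable connectErrors
foreach ($e in $connectErrors) { Write-Warning "Could not connect: $($e.Exception.Message)" }

# -AsJob keeps the console free; -ThrottleLimit raises the default of 32 parallel
# hosts. Values cross the boundary via -ArgumentList, never by string pasting.
$job = Invoke-Command -Session $sessions -AsJob -ThrottleLimit 64 `
        -ArgumentList 1212, 200 -ScriptBlock {
    param($EventId, $Newest)
    Get-EventLog -LogName Security -Newest $Newest |
        Where-Object { $_.EventID -eq $EventId } |
        Select-Object TimeGenerated, EventID, Message
}

# Wait for every child job, then gather the output. Each returned object carries
# PSComputerName, so results from different hosts remain distinguishable.
Wait-Job $job | Out-Null
$results = Receive-Job $job -Keep
$results | Group-Object PSComputerName | Select-Object Name, Count

# CliXML keeps the objects typed (the slides' point about CSV vs CliXML).
$results | Export-Clixml .\security-1212-results.xml

# The job and the sessions both hold resources on the remote side: release them.
Remove-Job $job
$sessions | Remove-PSSession
```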

62
Setting Trusted Hosts

• Even though you’re not supposed to be able to use IP addresses - this allows you to:
• get-item wsman:\localhost\client\trustedhosts
• set-item wsman:\localhost\client\trustedhosts -value <ipaddress>

• winrm quickconfig (really no need to use this)

63
Exercise 15 Cleaning up

• Closes one or more Windows PowerShell sessions (PSSessions)

• PS C:\Users\Administrator>

• Get-PSSession

• Remove-PSSession #

• Alias

• RSN # --OR-- RSN #, #, #


64
Schedule

• Set-ScheduledJob
– Cmdlet for running virtually any PowerShell script at a specific time or on a predetermined schedule.
– Version 4.0 adds the parameter RunNow to the Set-ScheduledJob cmdlet
– New-JobTrigger and Set-JobTrigger cmdlets gain RepeatIndefinitely, for jobs you want to start and run forever.
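A worked scheduled job built from the cmdlets named on this slide, re-checking the process baseline exported earlier with Export-CliXML reference.xml. This is an added example, not from the course slides; the job name, the baseline path C:\Baselines\reference.xml and the hourly interval are assumptions.

```powershell
# Added example (not from the slides): register a job that starts in one minute,
# repeats every hour forever (PS 4.0 -RepeatIndefinitely), and reports processes
# that are running now but were absent from the saved baseline.
$trigger = New-JobTrigger -Once -At (Get-Date).AddMinutes(1) `
               -RepetitionInterval (New-TimeSpan -Hours 1) -RepeatIndefinitely
$options = New-ScheduledJobOption -RunElevated -RequireNetwork

Register-ScheduledJob -Name 'ProcessBaselineCheck' -Trigger $trigger `
    -ScheduledJobOption $options -ScriptBlock {
        # Baseline written earlier with: Get-Process | Export-CliXML reference.xml
        $baseline = Import-Clixml 'C:\Baselines\reference.xml'   # assumed path
        $current  = Get-Process
        # '=>' marks names present in $current only, i.e. not in the baseline.
        Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name |
            Where-Object SideIndicator -eq '=>' |
            Select-Object Name, @{ n = 'Seen'; e = { Get-Date } }
    }

# PS 4.0: run the job immediately instead of waiting for the first trigger.
Get-ScheduledJob -Name ProcessBaselineCheck | Set-ScheduledJob -RunNow

# Scheduled-job results surface through the normal job cmdlets from the slides.
Get-Job -Name ProcessBaselineCheck | Receive-Job -Keep
```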

65
Hash

• Get-FileHash
– Cmdlet will compute a hash of any file(s) you pass to it.
– Choose which algorithm is used to compute the hash.
• The default hashing algorithm is SHA256, but you can use any of these:
● SHA1 / SHA256 / SHA384 / SHA512 / MACTripleDES / MD5 / RIPEMD160
– Can be used with Windows ISO files.
– Microsoft usually provides the SHA1 file hash of all downloads

• get-filehash svchost.exe
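Get-FileHash used the way the slide suggests, as a baseline-and-compare tool for a directory and as a check of a downloaded ISO against a published hash. This is an added example, not from the course slides; the directory, the baseline file path and the placeholder hash are assumptions.

```powershell
# Added example (not from the slides): hash every file under a directory, store
# the result as CliXML, and later report changed, added and removed files.
function New-HashBaseline {
    param([string]$Path, [string]$BaselineFile)
    Get-ChildItem -Path $Path -File -Recurse |
        ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 } |
        Select-Object Path, Hash |
        Export-Clixml -Path $BaselineFile
}

function Compare-HashBaseline {
    param([string]$Path, [string]$BaselineFile)
    $baseline = Import-Clixml -Path $BaselineFile
    $current  = Get-ChildItem -Path $Path -File -Recurse |
                    ForEach-Object { Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256 }
    # Comparing on Path AND Hash: a modified file appears twice ('<=' old hash,
    # '=>' new hash); a new file only as '=>'; a deleted file only as '<='.
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Path, Hash |
        Sort-Object Path, SideIndicator
}

# Verify one download against the hash the vendor publishes. Algorithm must match
# the published value (the slide notes Microsoft often gives SHA1).
function Test-FileHashMatches {
    param([string]$File, [string]$ExpectedHash, [string]$Algorithm = 'SHA256')
    $actual = (Get-FileHash -LiteralPath $File -Algorithm $Algorithm).Hash
    $actual -eq $ExpectedHash      # -eq is case-insensitive, so hex case is irrelevant
}

# Assumed paths; the hash below is a placeholder, not a real published value.
New-HashBaseline     -Path 'C:\Windows\System32\drivers' -BaselineFile 'C:\Baselines\drivers.xml'
Compare-HashBaseline -Path 'C:\Windows\System32\drivers' -BaselineFile 'C:\Baselines\drivers.xml'
Test-FileHashMatches -File '.\Win.iso' -ExpectedHash '<PUBLISHED_SHA256_PLACEHOLDER>'
```

Immediately after New-HashBaseline the compare returns nothing; any output on a later run is a file that changed, appeared or vanished since the baseline.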
66
APT Anyone?

• Persistence with PowerShell

• This is APT

67
More?

• Did we miss anything?

68
Notes

• New-PSSession <Name or IP> -Credential <UserName>
– Starts a new session
• Get-PSSession
– Lists all open sessions
• Enter-PSSession <session #>
• Enters that session

• New-PSSession localhost
– Enter-PSSession

69
Lab

• Snapshot all of your machines on the ship
• Upgrade clients to version 4 (slide 43)
• Copy the PS4Installer.msu off the K: share to the local drive and then double click on it locally
• Install PS4Installer.msu on all of your ship hosts that have Version 2
• Check by using $PSVersionTable
• remove-pssession

70