CY4700

Applied Defensive Cyberspace Operations

PowerShell Overview
At Least It’s Not AWK

2
 Overview

Windows PowerShell
• Version 1 was released in 2006
• Jeffrey Snover is the Architect of PowerShell
• It’s not a scripting language
• Command-line shell for command-line utilities
• Like all good shells it has scripting capabilities

• VBScript is closest to PowerShell

•Want to check a NIC? Sure
•Want to check link speed? Nope
• VBScript can’t do that “Last Mile”
•PowerShell Can 3
 Overview

• Has 100% of MS’ administrative functionality in the

shell
• All MS’ GUI consoles run PowerShell behind the
scenes
• Automates repetitive tasks
• Runs entirely in memory (Nothing to Disk)
• Server 2008 introduced Version 3
•Almost completely managed from PowerShell or
PowerShell’s GUI

4
 Overview

• As of 16AUG2016
•Open Source Alpha for Linux and Mac

5
 Overview

• As of 16AUG2016
•This Tweet followed the announcement

6
 Overview

• Requires .NET Framework V4 at a minimum

• PowerShell also installs Windows Remote
Management (WinRM) service
• It’s a core Windows technology
•Installed as a hotfix, so once installed it can be
almost impossible to remove
•Bugfixes and Updates are also hotfixes

7
 Overview

Windows PowerShell
• Comprised of:
• PowerShell.exe
• PowerShellISE.exe
• Integrated Scripting Environment
•Not installed by default on older Server Versions
•Use Add-WindowsFeature powershell-ise

8
 Version

• $PSVersionTable

9
 Exercise 1

• Take a snapshot of all the VMs you’re working with

• Open Powershell as Administrator on a VM
•Run $PSVersionTable

10
Version

11
 Version

• Why do we care about the version of PS?

• If we want to attach to a Windows XP box (or any

older system), then we may want to use PS Ver 2

• If we want to make sure we can connect to any

given box/machine, we may not want to build a script
with PS Ver 5 and hope it works...

12
Version

13
 Your Mileage May Vary

• You may encounter a problem with commands or

script execution between versions

• Most, if not all, of these commands should work

without a problem

• Always a good idea to check on the local machine

with the version that’s on the target before executing
anything significant (we’ll talk about that more in a
minute)

14
 Overview

• PowerShell is huge, so we won’t get to most of

the internals or the behind the scenes of
PowerShell
• Again, writing for Version 2 makes sense since it
will work on everything you should come across
• “PowerShell helps IT professionals and power
users control and automate the administration of
the Windows operating system and the
applications that run on Windows”

15
 Overview

• PowerShell is a good alternative to the MSF and

<insert_linux_script>
• Already resides on Windows servers and clients
• PowerShell is the bash of Windows

16
 Exercise 2 Update To PS Version 4

• Inside PowerShell (Version 2)

– On your Win 7 Boxes
– net use K: \\29.0.0.100\share <enter>
– IF you’re asked, use these credentials
– username: administrator <enter>
– password: Badpassword12!@ <enter>
– K:
– Copy PS4Installer.msu to local machine
• PS:> copy K:PS4Installer.msu
• This will copy the file to the local working directory on the local machine
– Copy Hacker_Secret.jpeg to local machine
– Make sure the Windows Update service is running

– Open a CMD shell if this doesn’t work in PowerShell

– wusa.exe PS4Installer.msu
– Reboot
17
 Exercise 3 Version

• Let’s slip into Version 2 on the Win 7 Client...

– Powershell.exe -Version 2
– $PSVersionTable
• And Back
– Powershell.exe -Version 4
– $PSVersionTable
• Since we’re using Win 7, we get Version 4

18
 Font

• Customize the window

• Use Lucida font
• Make sure the PS window does not have a scroll
bar at the bottom!
• On the Layouts tab set both Width #’s to the
same #
• PS right justifies the output
• If you see a horizontal scrollbar at the bottom,
you will probably miss output
• Single Quote - ‘
• Backtick - `
• Number one and lowercase L
19
 ISE

• ISE
• Use font slider
• Customize the window as you see fit

• Syntax is EXTREMELY Important

• Make sure PS App window runs as Administrator

20
 Console

• Run the 64-bit versions of the app, not 32-bit

• Clipboard operations in PS are nonstandard
• ISE is standard
• F7
• Get-a... and tab and shift-tab
• dir c:\ … and tab
• Set-Ex… Tab... then - (tac) … then Tab -e or -s and
Tab
• Or - … and Tab and then - ... then Shift-Tab
• Esc clears the command line
• Clear clears the screen

21
 ISE

• ISE has Intellisense

• Ctrl+Space or Right Click
• Clipboard operations in PS are nonstandard
• ISE is standard

22
 Help

• Don’t use Google or Bing (Good way to rile Prof Wyatt)

• Help Get-Service (for example)

• The error will tell you exactly where you went wrong
– It really is useful

• Updateable Help
• Update-help

• Wildcards
• Help *log*
• Help *event*
23
 Help

• A number of Options and Filters

• Get-Help, Help, and -? are your friends

24
 Help

• Get-Member

• Get-Help Get-Member -Examples | more

– View the properties and methods of another
PowerShell object

25
 Exercise 4

• Updateable Help
• Update-help

26
 Exercise 5 Show-Command

• Show-Command Get-EventLog (local)

27
 Show-Command

• Full Form Command

• Command Name
• Full parameter names
• All parameter names regardless of
position

• Show-Command will not work when stringing

multiple commands together

28
 Exercise 6

• Get-Command

• This lists all the cmdlets available

• Of course this runs off the screen so we need to

pipe

• Get-Command | More
• Space bar - One Page at a Time
• Return - One Command at a Time
• Ctrl-C Exits

29
 Exercise 6 Cont

• Get-Command

• Take a look at the descriptions

• Some of course, you can see could be very

helpful, some very destructive

• Look for the top dozen you might be interested in

or find useful

30
 Exercise 7 Command Line

• Normal CMD Commands work as well

• Ping
• Nslookup
• Ipconfig
• Net
• NSLookup
• Test-Connection
• PS or Get-Process
• Net View
• Net View /Domain:<domain name>
• Net Users /Domain
• Net Use
• Launches CMD.EXE behind the scenes

31
 Exercise 7 Command Line

• Test-Connection = better than Ping

• Test-Connection -ComputerName www.sun.com

32
 Exercise 8 Piping and Exporting

• Dir | More
– Works as you would expect

• Get-Process | Export-Csv procs.csv

• Notepad procs.csv

• You can pipe the output of almost any Get- to a

.CSV

• Then it’s easily searchable and sortable

33
 Exercise 8 Cont Piping and Exporting

• Get-Process | Export-CliXML reference.xml

• Notepad reference.xml

• Better to use CliXML because it can hold more

than a flat file format like .CSV

34
 Exercise 8 Cont Piping and Exporting

• Get-Service | ConvertTo-Html | out-file

c:\services
• Open IE and take a look

35
 Killing and Stopping Services

• THIS WILL CRASH YOUR COMPUTER

• DO NOT RUN
• Get-Process | Stop-Process
– OR
• Stop-Process
• Get-Process -name Notepad | Stop-Process
– OR
• Stop-Process -name Notepad

• Stop-Service
• Start-Service
• Set-Service
36
 Exercise 9 Aliases

• Get-Alias -definition Get-Service

• Alias GSV -> Get-Service

• Get-Alias -definition Stop-Process

• Alias -> Kill
• Alias -> spps

• New-Alias
• Help New-Alias -examples

37
 Exercise 10 Another Output

• Similar to what we did with CSV and HTML

• Get-Process | Out-Gridview

• Get-Service | Where Status -eq ‘running’

• Get-Service | Where Status -eq ‘stopped’

38
Yet Another Output

39
 Registry Access Exercise 11

• PS C:> cd hklm:
• hklm:\> dir
• hklm:\> cd \system\currentcontrolset\control
• hklm:\> dir | more

• hklm:\> powershell

• Notice that the output of dir (Get-Childitem) is different in the

registry drives than it is in the file system. Because the registry
has different drives, Windows PowerShell displays a different
view of the data
• The output includes a subkey count (SC) and a value count (VC)

40
 Remoting Into Another Machine

• Remote PowerShell is very similar to…

• Telnet
• SSH
• MSF psexec

41
 Remoting Into Another Machine

• Uses Web Services for Management (WSMAN)

• Operates entirely over
– HTTP
– HTTPS
• Makes it easier to flow through firewalls
• But uses nonstandard ports so as not to
conflict
• Microsoft background service Windows Remote
Management (WinRM)
• Only get the credential permissions you log in
with... admin=admin

42
 Remoting Into Another Machine

• Need to be members of the Same Domain, or of

Trusted/Trusting Domains
• PowerShell give the ability to remote into the
background (usually unseen by users)
• WinRM services tens, to hundreds of service
endpoints on systems
• HTTP over port 5985
• HTTPS over port 5986

43
 Remoting Into Another Machine

• Kerberos Authentication

• You can even do a Kerberos Double Hop

44
 Remoting Into Another Machine

• On the Client System

• WinRM set
WinRM/config/listener?address=*+transport=HTT
P@(port’1234’)
• OR
• WinRM QuickConfig
• OR
• Set-WSManQuickConfig
• OR
• Better Yet...

45
Remoting Into Another Machine

46
 Remoting Into Another Machine

• Error if adapter is set for “Public”

– Public can’t have Win Firewall Exceptions
– Network adapter must be set for Home or
Work

47
 Remoting Into Another Sys Exercise 12

• Enable-PSRemoting
• Runs on the Client
• New-PSSession <IP or Name> -Credential
<Name>
• Runs on the CC system

• Error if adapter is set for “Public”

– Public can’t have Win Firewall Exceptions
– Adapter must be set for Home or Work

48
 Remoting Sys Exercise 12 Cont

• Enable-PSRemoting
• Runs on the Client
• New-PSSession <IP> -Credential <UserName>
• Runs on the CC system
• Starts a new session and runs it in the
background on a CC system
– After session start the ID will be presented
• WinRM, by default, won’t let you connect
via IP Addy or a DNS Alias

• Enter-PSSession #
• To enter that session
49
 Remoting Sys Exercise 12 Cont

• Your copy of PowerShell will pass along

whatever security token it is running under
• Uses Kerberos
– So your Username and Pass are not
transmitted

• Get-ExecutionPolicy
• Should be set to Restricted
• Set-ExecutionPolicy
• Unrestricted
• This actually changes HKEY_LOCAL_MACHINE
50
 Remoting Into Another Machine

• There are Five Different Levels for Script

Execution
• Restricted - (Default) Scripts won’t
execute
• AllSigned - Will run scripts that have been
signed by trusted CA
• RemoteSigned - Execute local script, and
execture remote script if they have been
signed by a trusted CA
• Unrestricted - All scripts will run
• Bypass - Special setting used by
Developers
51
 Remoting Into Another Machine

• PowerShell Security...

• PowerShell security is only designed to prevent a

user from running a script, not stop a determined
user from doing same
• PowerShell only tries to stop users from being
tricked by untrusted sources

52
 Remoting Into Another Machine

• While we’re on the subject of security…

• The default script extension for PowerShell is

.PS1

• Windows does not consider .PS1 filename

extensions as executable
» But you can change that
• You can’t run the script by typing it’s name
» But you can use absolute (C:\test.ps1)
» Or relative paths (.\test.ps1)

53
 Remoting Into Yet Another Machine

• Enable-WSManCredSSP -Role Server

• Runs on the Client
• Enable-WSManCredSSP -Role Client
-DelegateComputer X
• Runs on the CC system
• X is replaced with the name of the
computer that your credentials may be
delegated to
• You can do this and “Hop” or Pivot from one
machine to another
– Creates a Remote Chain
– Otherwise called a Proxy Chain ...
54
 Remoting Into Another Machine

• If you, at the CC machine, retrieve a process and

pipe it to Stop-Process, it’ll stop running, as you
would expect
• And what you did will be hidden from the
user
• Becomes useful to “hop” over Firewalls in some
cases
• Be aware that GPO can mess with anything set
locally (because it’s Global), and cause problems
with remoting in an Enterprise/Organization

55
 Invoke versus Remoting

• Run command or a script on remote system/s as

background process/job

• Invoke-Command -ComputerName
<computername> -FilePath <pathToScript>
-ArgumentList <argument 1, 2, 3>

56
 Invoke Exercise 14

• Local machine

• PS C:\Users\Administrator>

• Invoke-Command <IP or ComputerName>

-Command {Get-EventLog Application -newest
25}
• Change Application to Security

• Get-Job and Receive-Job to get status

• Did you catch the Triskaidekaphobia?

57
 Invoke Exercise 14 Cont

• PS C:\Users\Administrator>

• How do you think you can use the Invoke to do

the same thing as using the “PS” command on
your local machine to display just the SVCHOST
processes?

58
 Invoke Exercise 14 Cont

• PS C:\Users\Administrator>

• Invoke-Command <IP or ComputerName>

-Command {Get- Process svchost} -Credential
<UserName>

59
 Invoke to Multiple Machines

• 1:n Remoting
• Send a command to multiple remote computers
at the same time
• Each system will independently execute the
command and send the results back to you
• By default, PowerShell can talk to 32 computers
at once
• I could use -ThrottleLimit to increase that
number...

60
 Invoke to Multiple Machines

• Invoke-Command -ComputerName Server-DC1,

Server-R2 -Command {Get-EventLog Security
-newest 200 | Where { $_.EventID -eq 1212 }}

• Get-Job and Receive-Job to get status

61
 Invoke to Multiple Machines

• Invoke-Command -ComputerName Server-DC1,

Server-R2 -Command {Get-EventLog Security
-newest 200 | Where { $_.EventID -eq 1212 }}

• Instead of listing a number of systems every

time, as I’ve done above
– Invoke-Command -Command { dir }
-ComputerName (Get-Content
domainservers.txt)
• This pulls all the computer names from the
domainservers.txt file

62
 Setting Trusted Hosts

• Even though you’re not supposed to be able to

use IP addresses - this allows you to:
• get-item wsman:\localhost\client\trustedhosts
• set-item wsman:\localhost\client\trustedhosts
-value <ipaddress>

• winrm quickconfig (really no need to use this)

63
 Exercise 15 Cleaning up

• Closes one or more Windows PowerShell

sessions (PSSessions)

• PS C:\Users\Administrator>

• Get-PSSession

• Remove-PSSession #

• Alias

• RSN # --OR-- RSN #, #, #

64
 Schedule

• Set-ScheduledJob
– Cmdlet for running virtually any PowerShell
script at a specific time or on a predetermined
schedule.
– Version 4.0 adds the parameter RunNow to
Set-ScheduledJob Cmdlet
– New-JobTrigger and Set-JobTrigger cmdlets
is RepeatIndefinitely, for jobs you want to
start, and run forever.

65
 Hash

• Get-FileHash
– Cmdlet will compute a hash of any file(s) you
pass to it.
– Choose which algorithm is used to compute
the hash.
• The default hashing algorithm in SHA256, but you can
use any of these:
● SHA1 / SHA256 / SHA384 / SHA512 / MACTripleDES / MD5 / RIPEMD160

– Can be used with Window’s ISO files.

– Microsoft usually provides the SHA1 file hash
of all downloads

• get-filehash svchost.exe
66
 APT Anyone?

• Persistence with PowerShell

• This is APT

67
 More?

• Did we miss anything?

68
 Notes

• New-PSSession <Name or IP> -Credential

<UserName>
– Starts a new session
• Get-PSSession
– Lists all open sessions
• Enter-PSSession <session #>
• Enters that session

• New-PSSession localhost
– Enter-PSSession

69
 Lab

• Snapshot all of your machines on the ship

• Upgrade clients to version 4 (slide 43)
• Copy the PS4Installer.msu off the K: share to the local
drive and then double click on it locally
• Install PS4Installer.msu on all of your ship hosts that
have Version 2
• Check by using $PSVersionTable
• remove-pssession

70