Power Shell Documentation

8/6/2019 Power Shell Documentation

http://slidepdf.com/reader/full/power-shell-documentation 1/38

Scripts: The big concern

*Execution policy NO Integrity

Script Signing No Identity

*Profiles (and back doors) Command Hijacking

*Security Feature Double click to run

Path Required

Filename extension

Create test.vbs file on desktop

Edit:- wscript.echo:"Hello"

Digital Signature

Path for digital Sign

PS:set-execution



Execution Policy

Right \--Restricted -No script will run (default)

Production :All Signed--Should have signature

Test :Remote Signed -- Local computer Without si

--Remote -should havesignatu

X:Unrestricted--All Scripts can Run

ture

licy







If you ar opening the powershell firsttime

it will place you to administrator' folderMy Document > Windowspowershell >

profile.ps1So whatever you have added in

profile.ps1 it will be executed at he startof opening powershell

Command Hijackinge.g.lets say you have test.ps1 located in

C:\demo\test.ps1 while running thisscript if you are at C:\ demo> test --thescript wont work. To run the script youneed to give full path of the script or inabove case ./test will execute the script

CA

If this script turnsout to be maliciousthen we can use thiscertificateinformation to deriveinformation that wewrote the script andact accordingly

Cert

IDENTIFICATION





Using shell for file and folder management

dir \ls

Ipconfig

ping Command recurse -filter "*.dll"

cp test.ps1 tst.ps1 >> a

cd ..

cd

cd "program file"

Command line tricks ,tips and gotches

F7 lists all commands executes earlier

dir

cd HKCU





Command line tricks ,tips and gotches

Quotes and escape sequences

Cd program file

Cd "program file"

cd 'program file'

Tab completion will put quotation mark

Escaping characterspace as special character

Wild Character

? * bcoz these are not ligle character in file name

Transcript

start-transcript trance.txt

stop-transcript



commandlets,snap-ins,aliases & help

Alises & commandlets

dir = get-childitem

get-childitem -resurse -filter "*.dll"

get-eventlog security -newest 20

get-command

get-command *service*gcm -noun service

gcm -verb new

help dir

help dir -example

help-dir -detailed

help-dir -full

help

Powershell Snapins (to extend the functionality of sh

Pssnapins

Get-pssnapinadd-pssnapins quest.activeroles.admanagement



sic Command-lets for Processes, services, and eventl

Processes

help *process *; get-command *process*;help stop-process

get-process

kill 568 -whatif

kill -name svchost -whatif

Take an example of calc

Services

get-command *service*

gcm -noun service

You can start, stop, supend, Set & New services

get-service= gsv

gsv -include "b*"

get-credential

Eventlogs

get-command -noun *event* (gel)gel system -newest 10

what is common parameter "need to find"

gsv | formatlist *

gel | formatlist*

What PS can & cant do

Remoting is not allowed /

Cmdlets WMI

.Net framework its own Arch

Non remoting RemotingEasy to understand Complicated

Built in help No Built in help



Retriving Management Information form remote computers

Desktop Management taskforce (DMTF)

Common Information Module (CIM v2)

Web based ent management (IIS v5)

Windows management information

Wmi explorer.exe from www.scriptinganswers.com

help gwmi

gwmi win32_service

gwmi win32_service | format list

gwmi win32_service -filter "name like 'b%"

gwmi win32_operatingsystem

gwmi win32_operatingsystem -comp (type c:\temp\servers.

WMI Security

gwmi win32_services -comp localhost -cred "administrator"

WMI Filtering

gwmi win32_process -filter "name like 's%' "

gwmi win32_service -filter "name='bits' "

gwmi win32_operatingsystem -filter "buildnumber>6000"

Introduction to WMI

Exploring Wmi

WMI from Local Machine

Remote Wmi

Alternate credentials

Filtering Wmi objects

gwmi win32_operatingsystem -comp "nydc2k8","localhost"

MMC > Add/remove snapin > Wmi control (local)> right click>properties>security> only Administrator have the permission

for executing remote command

Provi

Ex



WMI WMI

CIMClass

Dick DriveCPUA RecordsWeb IISOperating system

Providerder

h SQLInstance



Using variables,Objects & Members

new-variable -name var -value 5

$var2 =10

$var2 ,$age, $year,$counter

$counter =$counter + 10

$name= "Nugget2" or $name = 'nugget2'

$object ="hello"$object.length

$object.toupper()

$number =100

$number.length

$number.toupper()

[string]$var ="Hello"

$var.toupper()

$var=5

$var.toupper()

Three Data type$S- string ,$i=5 ,$d= get-date

[string]$S ="hello"

[int]$i= 5

[datetime]$d =get-date

$d | get-member

$D.day

$d.year

$d.toshortdatestring()

$d.tolongdatestring()

$d.addmonths(2)$S | get-member

$s.length

$s.tolower()

$s.replace("i","o")

wmi win32_operatingsystem | gm

$procs =get-processes

$procs[0] , $procs[1] for last process $procs[-1]

$procs[0] | gm

$proc[0].kill

get-credential

$cred = get-credential

gwmi win32_operatingsystem -comp nugget5 -cred $cred

what are variables

crating, populating and displaying



Introducing object

Simple Object

Viewing object members

Objects in variables

Removing variables

Example :credntial storage



Understanding The Pipeline

get-service

get-service |where-object { $_.stastus -eq "running" }

get-service |where-object { $_.stastus -eq "stopped" } | start-service -whatif

get-process | stop-process -whatif

get-service | out-file C:\services.txt

write-output "hello"

Write-Host "Hello"

Write-Host "Hello" fore yellow

write-output "Hello" | where-object { $_.Length -gt 100 }

write-Host "Hello" | where-object { $_.Length -gt 100 }

Why Pipeline

Visualizing the Pipelineservice in the pipeline

Processes in the pipeline

Piping to file or printer

Write-output

Write-host

get-service |where-object { $_.stastus -eq "stopped" } | set-service-startuptype Dissabled -whatif

ps | out-printer hplaserhet4





Mathematical & Comparison Opreator

5+5; 10-1; 10*10; 100/10

5+ (5*10); 100 % 10; 5 *(5*5)

5 -eq 5; 10 -eq 5;

$var=5; 10 -gt 5; 10 -gt $var; 10 -lt $var; "Hello" -eq "Hello"

(10 -gt $var) -and (10 -lt $var2)

(10 -gt $var) -or (10 -lt $var2)

(10 -gt $var) -and -not (10 -lt $var2)not (10 -gt $var)-and -not (10 -lt $var2)

"Hello" -ceq "Hello"

"Hello" -ceq "HELLO"

"Hello" -ne "HELLO"

Parsing Mode

Write-host 5+5

Write-host (5+5)

Write-host (5+5) -fore green

Write-host ($var -eq 10) -fore redWrite-host $var -eq 10 -fore red

Basic math operator

Advanced math

Basic and advanced comparison

case sensitivity

parsing mode

Command

Expression



Sorting,measuring ,selecting & Filtering Objects in the Pipeline

ps | sort-object vm

ps | sort-object vm -descending

ps |sort.name vm

gsv|sort status

gsv |measure-object

ps | measure-object

ps | measure-object -property pm -sum -min -max - average

gsv | select-object displayname,depandantservices

ps | select -last 10

ps| sort vm -desc |select -first 10 | out-file C:\tip.txt

gsv | where-object {$_.status -eq "running" } | sort displayname

gsv | where-object {$_.status -eq "running" } | sort displayname | -first 10

ps | select Vm

ps | select Vm, name

ps | where{$_.vm -gt 100}ps | where{$_.vm -gt 100MB}

WorkFlow Powershell

ps

ps | sort pm

ps | sort pm -desc |select -first 10

Sorting

Measuring

Selecting Properties

Selecting a subset

Filtering

Powershelklworkflow

gsv | measure-object | measur-object -property Displayname-line -word -character



= is assignment oerator



Working Wilth Collection of object in Pipeli

ps (collection of object)

gsv

gsv | where {$_.status -eq "stopped"}

gsv | where {$_.status -eq "stopped"} | start-service -whatif

dir *.mp3 -recurse | del

gc computrs.txt | foreach-object { gwmi win32_operatingsystem -com

gc computrs.txt | foreach-object { gwmi win32_operatingsyste

Object collection

Working with group

Working with individual

E.g for each object & wmi

gc computrs.txt | % {gwmi win32_service -comp $_ -filter "name='MS% {$_.change(,,,,,,,,,,,"P@ssw0rd") } }



ine

$_ }

m -comp $_ | foreach {

QLSERVER' |

In powershEverything

object

Grou of service

Get Content Server

1

WMI

WMI

Server 2 WMI

LO

Server 3

Methroerties





Understanding and using formating subsys

gsv | out-default

gsv | fw

gsv |fw displayname

gsv | fw name -col 4

Format-List

gsv | fl status,displayname ,name

gsv | fl *gsv |fl name,displayname,status -groupby status

gsv | sort status | fl name,displayname,status -groupby status

Format-table

gsv | ft name,status

gsv | ft name,status -auto

gsv | ft *

gsv | ft * -auto

gsv | ft * -auto -wrap

gsv | sort status | ft displayname -groupby statusps | ft name,id,vm,pm

ps | sort vm -desc | ft name,id,vm,pm -auto

gwmi win32_logicaldisk

gwmi win32_logicaldisk -filter "drivetype=3"

gwmi win32_logicaldisk -filter "drivetype=3" |select deviceid,freespace,si

gwmi win32_logicaldisk -filter "drivetype=3" |ft deviceid,freespace,size -

How Obj.becomes text

Text in console window

The formtting subsystem

Format-Wide

Format-list

format-table

gwmi win32_logicaldisk -filter "drivetype=3" |ft deviceid, @{ Label="size1gb}},

" "gwmi win32_logicaldisk -filter "drivetype=3" |ft deviceid, @{ Label="size1gb) -as [int]}},

gwmi win32_logicaldisk -filter "drivetype=3" |ft deviceid, @{ Label="size1gb) -as [int]}},



custom column in tables



tem

ze

uto

(G)"; Expression={$_.size /

(G)"; Expression={($_.size /

(G)"; Expression={($_.size /





Exporting ,Importing ,Comparing & Converting Object

ps | export-csv C:\proc.txt

Lets say we have Csv file at c:\provision1.csv

$imported = import-csv c:\provision1.csv

$imported

$imported | ft

$imported[0].country

$imported[0].'first name'$imported[0].fax

$imported | foreach-object {$_.'first name'.toupper() }

gsv | select -first2 | export-clixml c:\services.xml

import-clixml c:\services.xml

import-clixml c:\services.xml | sort vm -desc | select -first 10 | fl name,id

ps | export-clixml c:\baseline.xml

diff (ps) (import-clixml c:\services.xml ) -property name

gsv | export-clixml c:\services.xmldiff (gsv) (export-clixml c:\services.xml) -prop status

gel security -newest 20 | export-clixml c:\eventlogs.xml

$event = import-clixml c:\eventlogs.xml

$event

$event | ft source,timewritten,index

Exporting to csv

Importing to csv

Cli xml import/export

Comparing collections

convert to HTML

get-wmiobject win32_service | where{$_.startmode -eq "auto" -and $_.state-ne "running"

get-wmiobject win32_service | where{$_.startmode -eq "auto" -and $_.state-ne "running" | convertto-html| out-file c:\badservice.html

get-wmiobject win32_service | where{$_.startmode -eq "auto" -and $_.state-ne "running" | select startmode,state,name | convertto-html| out-filec:\badservice.html





Windows Powershell Script

$computer = "localhost"

Parameterized script

param (

$computer = "localhost" )

Script ,Ad-hoc…same !

Script security review

A Basic script

Parameterizing a script

For (i=0;$i -lt 100; $i++) {write-host $i }

_ Address= '$computer' "

if ($result.statuscode -eq 0) {Write-host "$computer is Pingable"} Else {"$computer is not pingable"}

= '$computer' "

}





Modularization :scriptblocks and Functions



Creating Fuctions that work in the Pipeline



Creating functions that produce custom Objects



Introduction to regular Expression



The purpose of Debugging



Introduction to Regular Expression



Creating a Practical Administrative Tool in Windows Powershell

Documents

Power Shell Documentation