PowerShell - Be a cool blue kid. GrrCON 2012 Matt Johnson @mwjcomputing MWJ Computing




Matt Johnson's slides for his GrrCON 2012 talk, PowerShell - Be A Cool Blue Kid.


Page 1: PowerShell - Be A Cool Blue Kid

PowerShell - Be a cool blue kid.

GrrCON 2012
Matt Johnson
@mwjcomputing
MWJ Computing

Page 2: PowerShell - Be A Cool Blue Kid

Get-Agenda

• Intro
• Basics of PowerShell
• Files / File System
• Users / Access
• Event Logs
• System Management
• Wrap Up

Page 3: PowerShell - Be A Cool Blue Kid

SHOW-INTRO

Page 4: PowerShell - Be A Cool Blue Kid

About me

• System Analyst at a non-profit religious organization

• Founder of Michigan PowerShell User Group

• Moderator on Hey! Scripting Guys forums and judge for Microsoft’s Scripting Games.

• Member of #misec

• Avid Gamer and huge sports fan

• Father to a future hacker (kid0) and husband to a wonderful wife.

Page 5: PowerShell - Be A Cool Blue Kid

Disclaimer

• I am not an “expert”, so let's just pretend for the next little bit that I am.

• There is a TON of sysadmin stuff in here, however it doubles as security / blue team.

• This talk doesn’t in any way reflect the stance of my employer or Microsoft.

• I think I am funny and sometimes talk too fast. If you have a problem, get over it.

Page 6: PowerShell - Be A Cool Blue Kid

EXPORT-POWERSHELL

Page 7: PowerShell - Be A Cool Blue Kid

Have you seen me?

Page 8: PowerShell - Be A Cool Blue Kid

What is PowerShell?

• In case you haven’t heard….
– It is a task automation framework, command-line shell and a scripting language that uses and is built upon the .NET Framework

• Installed in every Microsoft Operating System from Windows 7 / 2008 R2 and beyond.

• Current Version is 3.0

Page 9: PowerShell - Be A Cool Blue Kid

Tons of support

• Integration is deep within Microsoft Product line

• Other vendors support it as well

Page 10: PowerShell - Be A Cool Blue Kid

What is a cmdlet?

• A cmdlet is a “lightweight command that is used in the Windows PowerShell environment.”

• Basically it is the commands built into the language.

• Examples:
– Get-Help
– Write-Host
– Register-ObjectEvent

Page 11: PowerShell - Be A Cool Blue Kid

Some basic language information

• Naming Convention
– Verb-Noun
• Get-Mailbox
• New-ADComputer
– Verbs are defined by Microsoft (98 total)

• Aliases help
– Get-ChildItem (ls, dir, gci)
– But, you shouldn’t use them in your scripts.
– See them all? Get-Alias

• Get-Help also “helps”
– Get-Help is your new best friend

Page 12: PowerShell - Be A Cool Blue Kid

Aliases for the *nix Guys

PowerShell       PowerShell Alias     *nix
Get-ChildItem    ls, gci, dir         ls
Copy-Item        cp, copy             cp
Get-Help         man, help            man
Get-Content      cat, type            cat

Page 13: PowerShell - Be A Cool Blue Kid

Get-ExecutionPolicy

• From about_execution_policies
– Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts.
– Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally.

• Can set system-wide or on user basis and via Group Policy

• It can be bypassed easily, so this is not a security measure!!!!

Page 14: PowerShell - Be A Cool Blue Kid

Making Tools

• One of the best things about PowerShell.

• You can easily make tools (functions, scripts, modules, etc…) and repackage them and share them.

• Tons of resources on how to share and where to share are out there.

Page 15: PowerShell - Be A Cool Blue Kid

Modules

• A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.

Page 16: PowerShell - Be A Cool Blue Kid

Modules Cont…

• What are modules good for?
– Repackaging tools
– Sharing scripts

• Some very cool modules out there
– PSCX
– Office 365
– NTFS Security

Page 17: PowerShell - Be A Cool Blue Kid

Recording your session

• PowerShell has built-in logging.

• Log your commands, the output and the whole kitten kaboodle

• Start-Transcript
• Stop-Transcript

Page 18: PowerShell - Be A Cool Blue Kid

A few last minute notes

• Objects!
– Everything is an object unless you decide to make it text.

• Pipeline!
– Things being objects makes everything much more fun.

• Variables!
– Prefixed with $

• Special Variables!
– Some special ones including
• $_
• $true

Page 19: PowerShell - Be A Cool Blue Kid

Set-LastNote

• Everything in this talk works with Version 2 or above.

V2!

Page 20: PowerShell - Be A Cool Blue Kid

SHOW-FILEFUN

Page 21: PowerShell - Be A Cool Blue Kid

File Permissions

• By far not my favorite thing to do

• A complete pain if you have to set permissions on a lot of files

• xcacls and cacls.exe are nice, but we can use PowerShell

Page 22: PowerShell - Be A Cool Blue Kid

File Permissions

• Built-in commands for doing ACLs
– Get-ACL, Set-ACL

• However…. These cmdlets are difficult at best to use. Actually, painful is a better word.

Page 23: PowerShell - Be A Cool Blue Kid

File Permission Demo 1

Page 24: PowerShell - Be A Cool Blue Kid

That sucks…. Kind of

• Easily put into a function. Especially if files you are setting permissions on have the same permissions required.

• Requires time spent in the MSDN documentation to actually get setting permissions right.

• There is some help though. The File System Security PowerShell Module 2.1 by Raimund Andrée
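The "put it in a function" idea from the slide, as an added example (not the author's demo code or the File System Security module): one function grants an identity a fixed set of rights on a folder through Get-Acl / Set-Acl and a FileSystemAccessRule, and a second lists the explicit (hand-set) ACEs so you can audit what was changed. The path and identity in the usage lines are placeholders.

```powershell
function Grant-FolderAccess {
    param (
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Identity,   # e.g. 'DOMAIN\GroupName' (placeholder)
        [ValidateSet('ReadAndExecute', 'Modify', 'FullControl')]
        [string]$Rights = 'ReadAndExecute'
    )
    # Apply the ACE to the folder itself, its subfolders and its files
    $inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $propagate = [System.Security.AccessControl.PropagationFlags]::None
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity, $Rights, $inherit, $propagate, 'Allow')

    # Read the current DACL, add our rule, write the whole thing back
    $acl = Get-Acl -Path $Path
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-ExplicitAccess {
    param ([Parameter(Mandatory=$true)][string]$Path)
    # Non-inherited ACEs are the ones someone set by hand: the entries worth reviewing
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholder path and group):
Grant-FolderAccess -Path 'C:\Shares\Reports' -Identity 'CONTOSO\ReportReaders' -Rights ReadAndExecute
Get-ExplicitAccess -Path 'C:\Shares\Reports'
```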

Page 25: PowerShell - Be A Cool Blue Kid

File Permission Demo 2

Page 26: PowerShell - Be A Cool Blue Kid

Monitor File System Changes

• With a few lines of code, you can monitor for changes in a directory.

• However, it goes away with the PowerShell session.

• Can email, write to host, log to file or event logs.
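Added example of the monitoring the slide describes (not the author's demo code): a FileSystemWatcher is wired to Register-ObjectEvent, and every create, change, delete or rename under the watched folder is written to the host and appended to a log file. The watched path and log path are assumptions; as the slide notes, the subscriptions live only as long as the PowerShell session.

```powershell
# Assumed paths: a web root worth watching for unexpected file drops, and a log file
$watchPath = 'C:\Inetpub\wwwroot'
$logFile   = 'C:\Logs\fswatch.log'

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $true
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, LastWrite'
$watcher.EnableRaisingEvents = $true

# The action runs in the event's context: $Event carries the args and our MessageData (the log path)
$action = {
    $e = $Event.SourceEventArgs
    $line = '{0} {1} {2}' -f (Get-Date -Format s), $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += ' (was ' + $e.OldFullPath + ')' }
    Add-Content -Path $Event.MessageData -Value $line
    Write-Host $line
}

# One subscription per event type; SourceIdentifier lets us find and remove them later
foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "FsWatch$name" -Action $action -MessageData $logFile | Out-Null
}

# To stop watching (or before closing the session):
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'FsWatch*' } | Unregister-Event
# $watcher.Dispose()
```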

Page 27: PowerShell - Be A Cool Blue Kid

File Monitoring Demo

Page 28: PowerShell - Be A Cool Blue Kid

SHOW-USERS

Page 29: PowerShell - Be A Cool Blue Kid

Show-Users

• This section will be a lot of auditing commands / scripts / functions.

• Creating users is done everywhere.

• Let's see what info we can gather

Page 30: PowerShell - Be A Cool Blue Kid

Local Users?

• Local Users are a pain… Let's view them all!

$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
# Every child of the computer object whose schema class is "User" is a local account
$users = $adsi.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq "User" } | Select-Object Name
foreach ($user in $users) {
    $user.Name
}

Page 31: PowerShell - Be A Cool Blue Kid

Local Groups?

• Local Groups are a pain… Let's view them all!

$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")
# Same trick as for users, but the schema class is "Group"
$groups = $adsi.psbase.Children | Where-Object { $_.psbase.SchemaClassName -eq "Group" } | Select-Object Name
foreach ($group in $groups) {
    $group.Name
}

Page 32: PowerShell - Be A Cool Blue Kid

Local Admins?

• Get local admins on a machine. Better yet scan all the machines!

function Get-LocalAdministrators {
    param (
        [string]$computer = $env:COMPUTERNAME
    )
    # Win32_GroupUser lists every group/member pair on the machine
    $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $computer
    # Keep only members of the local Administrators group
    $admins = $admins | Where-Object { $_.GroupComponent -like '*"Administrators"' }
    $admins | ForEach-Object {
        # PartComponent ends in Domain="X",Name="Y"; pull both out and print X\Y
        $_.PartComponent -match '.+Domain\=(.+)\,Name\=(.+)$' > $null
        $matches[1].Trim('"') + '\' + $matches[2].Trim('"')
    }
}

Page 33: PowerShell - Be A Cool Blue Kid

Services and Users

• One of the biggest pains I find is people using accounts for services.

• Quick way to check tons of computers using Confirm-ServiceAccounts

Get-Content computers.txt | Confirm-ServiceAccounts | Select SystemName, DisplayName, StartName
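Confirm-ServiceAccounts is the author's own function and is not shown on the slide; the following is an added example of one way to do the same check, not the author's code. It queries Win32_Service on each computer piped in and reports every service that runs as a named account rather than as LocalSystem, LocalService, NetworkService or a per-service NT SERVICE virtual account.

```powershell
function Get-NamedServiceAccount {
    param (
        [Parameter(ValueFromPipeline=$true)]
        [string]$ComputerName = $env:COMPUTERNAME
    )
    process {
        # Identities Windows supplies itself; anything else is an account with a password someone manages
        $builtIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
        try {
            Get-WmiObject -Class Win32_Service -ComputerName $ComputerName -ErrorAction Stop |
                Where-Object {
                    $_.StartName -and
                    ($builtIn -notcontains $_.StartName) -and
                    ($_.StartName -notlike 'NT SERVICE\*')   # per-service virtual accounts
                } |
                Select-Object SystemName, Name, DisplayName, StartName, StartMode, State
        } catch {
            # Unreachable hosts or access denied: warn and keep going with the rest of the list
            Write-Warning "Could not query services on $ComputerName : $_"
        }
    }
}

# Same usage shape as the slide: one computer name per line in computers.txt
Get-Content computers.txt | Get-NamedServiceAccount |
    Sort-Object StartName | Format-Table SystemName, DisplayName, StartName -AutoSize
```

Sorting by StartName groups every host that shares the same service account, which is the list to go through when that account's password has to be rotated.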

Page 34: PowerShell - Be A Cool Blue Kid

SIDs….

• Easily get SIDs while doing forensics.

# $domain and $user hold the account to translate; set them before running
$objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
# Translate the account name to its SecurityIdentifier
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value

Page 35: PowerShell - Be A Cool Blue Kid

Let's track some users…..

• Let's see who logged on and logged off on a computer.

Get-WinEvent -FilterHashtable @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)} | Select TimeCreated, Id

Page 36: PowerShell - Be A Cool Blue Kid

Across the entire network.

$eventhashtable = @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)}

Get-Content computers.txt | ForEach-Object {
    Write-Output "Retrieving logs for $_ at $(Get-Date)"
    Get-WinEvent -ComputerName $_ -FilterHashtable $eventhashtable | Select-Object TimeCreated, Id
}
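The two slides above only show the event IDs and timestamps. As an added example (not the author's code), this function pulls the account, logon type, source address and process out of each 4624/4625 event's XML, which is what you actually need to answer "who logged on from where", and the usage lines turn that into a failed-logon summary per source address and an RDP-only view across the computers.txt list.

```powershell
function Get-LogonActivity {
    param (
        [string]$ComputerName = $env:COMPUTERNAME,
        [datetime]$StartTime = (Get-Date).AddDays(-1)
    )
    # 4624 = successful logon, 4625 = failed logon
    $filter = @{ LogName = 'Security'; StartTime = $StartTime; ID = @(4624, 4625) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The useful fields live in the event's EventData XML, not in the Message text
            $xml = [xml]$_.ToXml()
            $data = @{}
            foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            if ($_.Id -eq 4624) { $result = 'Success' } else { $result = 'Failure' }
            New-Object PSObject -Property @{
                Computer  = $ComputerName
                Time      = $_.TimeCreated
                Result    = $result
                Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
                LogonType = $data['LogonType']   # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
                SourceIP  = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        }
}

# Which addresses generated the most failed logons since the slide's sample start time
Get-LogonActivity -StartTime '6/27/2012 12:00:00am' |
    Where-Object { $_.Result -eq 'Failure' } |
    Group-Object SourceIP | Sort-Object Count -Descending |
    Select-Object Count, Name -First 10

# RDP logons only, across every computer in computers.txt
Get-Content computers.txt | ForEach-Object { Get-LogonActivity -ComputerName $_ } |
    Where-Object { $_.LogonType -eq '10' } |
    Select-Object Computer, Time, Result, Account, SourceIP
```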

Page 37: PowerShell - Be A Cool Blue Kid

Does a user have a profile on the PC?

• A very rudimentary way to check to see if someone logged on to a PC.

Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath

Page 38: PowerShell - Be A Cool Blue Kid

SET-SYSTEMMANAGEMENT

Page 39: PowerShell - Be A Cool Blue Kid

Hosts Files…..

• Editing hosts files is always fun.

• Merged some functions into a module that does hosts file manipulation.

• REMEMBER TO RUN AS ADMINISTRATOR…..

Page 40: PowerShell - Be A Cool Blue Kid

Host File Demo

Page 41: PowerShell - Be A Cool Blue Kid

Firewall fun (V3)

• You can manage the Windows Firewall using PowerShell in Windows 7. It can be done, but it takes a little bit to get used to.

• Microsoft added Firewall Commands in Windows 8 / Windows 2012.

• There is a new module called NetworkSecurity

Page 42: PowerShell - Be A Cool Blue Kid

Basic Firewall Administration

• The following command is pretty straightforward. It allows telnet to be accessible on the local subnet.

New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program '%SystemRoot%\System32\tlntsvr.exe' -RemoteAddress LocalSubnet -Action Allow

Page 43: PowerShell - Be A Cool Blue Kid

Where it gets cool….

• This rule BLOCKS telnet. However, this stores the firewall rule in a GPO so you can deploy it from the PowerShell window.

New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program '%SystemRoot%\System32\tlntsvr.exe' -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name

Page 44: PowerShell - Be A Cool Blue Kid

Even cooler…..

• You can manage a Windows Firewall remotely!
• You must be admin on the remote computer. Well, hopefully you are.
• Note: A CIM session is a client-side object representing a connection to a local or remote computer.

$Session = New-CimSession -ComputerName Host
Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session

Page 45: PowerShell - Be A Cool Blue Kid

DISCONNECT-SESSION

Page 46: PowerShell - Be A Cool Blue Kid

PoshSec.com

• A project to help better utilize PowerShell in the Infosec space.

• Started by myself and Will Steele (@pen_test).
• Looking for guest bloggers. If you want to write an article, let us know. [email protected]

Page 47: PowerShell - Be A Cool Blue Kid

PowerShell Saturday in Michigan?

• I am looking to bring PowerShell Saturday to Michigan.

• PowerShell Saturday is a day long conference on PowerShell.

• Want to speak? Let me know. Can be anything PowerShell related.

Page 48: PowerShell - Be A Cool Blue Kid

Special Thanks!

• Thank you for proofing my slides and providing valuable feedback!

• Will (@pen_test)
• Wolfgang (@jwgoerlich)
• Scott (@sukotto_san)
• Matt (@mattifestation)

Page 49: PowerShell - Be A Cool Blue Kid

Contact & Downloads

• Contact:
– [email protected]
– @mwjcomputing
– http://www.mwjcomputing.com/
– http://www.michiganpowershell.com/

• Downloads related to talk
– http://www.mwjcomputing.com/resources/grrcon-2012

• Slides, code samples and links to scripts used in this talk.
• Note: Code isn’t completely done. I need to add help and clean it up a tad. It does however all work. So expect updates within a week.