PowerShell - Be a cool blue kid.
Matt Johnson
@mwjcomputing        GrrCON 2012
MWJ Computing
Get-Agenda

•   Intro
•   Basics of PowerShell
•   Files / File System
•   Users / Access
•   Event Logs
•   System Management
•   Wrap Up
SHOW-INTRO
About me
• System Analyst at a non-profit religious organization

• Founder of Michigan PowerShell User Group

• Moderator on Hey! Scripting Guys forums and judge for
  Microsoft’s Scripting Games.

• Member of #misec

• Avid Gamer and huge sports fan

• Father to a future hacker (kid0) and husband to a
  wonderful wife.
Disclaimer
• I am not an “expert”, so let's just pretend for the next
  little bit that I am.

• There is a TON of sysadmin stuff in here, however it
  doubles as security / blue team.

• This talk doesn’t in anyway reflect the stance of my
  employer or Microsoft.

• I think I am funny and sometimes talk too fast. If you
  have a problem, get over it.
EXPORT-POWERSHELL
Have you seen me?
What is PowerShell?

• In case you haven’t heard….
   – It is a task automation framework, command-line shell
     and a scripting language that uses and is built upon the
     .NET Framework


• Installed in every Microsoft Operating System from
  Windows 7 / 2008 R2 and beyond.

• Current Version is 3.0
Tons of support

• Integration is deep within Microsoft Product line




• Other vendors support it as well
What is a cmdlet?
• A cmdlet is a “lightweight command that is used in
  the Windows PowerShell environment.”

• Basically it is the commands built into the
  language.

• Examples:
   – Get-Help
   – Write-Host
   – Register-ObjectEvent
Some basic language information
• Naming Convention
   – Verb-Noun
      • Get-Mailbox
      • New-ADComputer
   – Verbs are Defined by Microsoft (98 Total)
• Aliases Help
   – Get-Childitem (ls, dir, gci)
   – But, you shouldn’t use them in your scripts.
   – See them all? Get-Alias
• Get-Help also “helps”
   – Get-Help is your new best friend
Aliases for the *nix Guys
PowerShell          PowerShell Alias   *nix
Get-ChildItem       ls, gci, dir       ls
Copy-Item           cp, copy           cp
Get-Help            man, help          man
Get-Content         cat, type          cat
Get-ExecutionPolicy

• From about_execution_policies
   – Windows PowerShell execution policies let you determine the
     conditions under which Windows PowerShell loads
     configuration files and runs scripts.
   – Instead, the execution policy helps users to set basic rules
     and prevents them from violating them unintentionally.


• Can be set system-wide, per user, or via Group Policy

• Can be bypassed easily, so this is not a security measure!!!!
Making Tools

• One of the best things about PowerShell.

• You can easily make tools (functions, scripts, modules, etc.),
  repackage them and share them.

• Tons of resources on how to share and where to share are out
  there.
Modules

• A module is a set of related Windows PowerShell
  functionalities that can be dynamic or that can persist on
  disk. Modules that persist on disk are referenced, loaded, and
  persisted as script modules, binary modules, or manifest
  modules. Unlike snap-ins, the members of these modules can
  include cmdlets, providers, functions, variables, aliases, and
  much more.
Modules Cont…

• What are modules good for?
  – Repackaging tools
  – Sharing Scripts


• Some very cool modules out there
  – PSCX
  – Office 365
  – NTFS Security
Recording your session

• PowerShell has built-in session logging.

• Log your commands, the output and the whole kitten
  kaboodle

• Start-Transcript
• Stop-Transcript
A few last minute notes

• Objects!
   – Everything is an object unless you decide to make it text.
• Pipeline!
   – Things being objects makes everything much more fun.
• Variables!
   – Prefixed with $
• Special Variables!
   – Some special ones including
      • $_
      • $true
Set-LastNote

• Everything in this talk works with Version 2 or
  above.

  V2!
SHOW-FILEFUN
File Permissions

• By far not my favorite thing to do

• A complete pain if you have to set permissions on a
  lot of files

• xcacls and cacls.exe are nice, but we can use
  PowerShell
File Permissions

• Built-in commands for working with ACLs
   – Get-ACL, Set-ACL




• However…. These cmdlets are difficult at best to use.
  Actually, painful is a better word.
File Permission Demo 1
That sucks…. Kind of
• Easily put into a function, especially if the files you are
  setting permissions on all require the same permissions.

• Requires time spent in the MSDN documentation
  to actually get setting permissions right.

• There is some help though. The File System
  Security PowerShell Module 2.1 by Raimund
  Andrée
File Permission Demo 2
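An added example, not code from the talk's downloads or from the File System Security module: a pipeline-friendly wrapper around Get-Acl / Set-Acl for the "same permissions on many files" case, plus the matching blue-team check that reports where broad groups hold write rights. The group 'CONTOSO\auditors' and the path C:\Audit are assumptions.

```powershell
# Added example, not from the talk. Grant-FileRight wraps the Get-Acl / Set-Acl
# dance described on the slides; Find-WeakFileAccess is the audit counterpart.
function Grant-FileRight {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        # Accepts Get-ChildItem output directly via its FullName property.
        [Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
        [Alias('FullName')]
        [string]$Path,

        [Parameter(Mandatory = $true)]
        [string]$Identity,     # e.g. 'CONTOSO\auditors' (assumed group name)

        [System.Security.AccessControl.FileSystemRights]$Rights = 'ReadAndExecute',

        [System.Security.AccessControl.AccessControlType]$Type = 'Allow'
    )

    process {
        $item = Get-Item -Path $Path -ErrorAction Stop

        # Files cannot carry inheritance flags; a directory rule should flow to its children.
        if ($item.PSIsContainer) {
            $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
        } else {
            $inherit = [System.Security.AccessControl.InheritanceFlags]::None
        }
        $propagate = [System.Security.AccessControl.PropagationFlags]::None

        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $Identity, $Rights, $inherit, $propagate, $Type)

        # Read the existing DACL, append the ACE, write the whole object back.
        $acl = Get-Acl -Path $item.FullName
        $acl.AddAccessRule($rule)

        if ($PSCmdlet.ShouldProcess($item.FullName, "Grant $Type $Rights to $Identity")) {
            Set-Acl -Path $item.FullName -AclObject $acl
        }
    }
}

# Report Allow ACEs that give broad, well-known groups any form of write access.
# Generic rights bits (GENERIC_WRITE etc.) are not expanded here; explicit rights only.
function Find-WeakFileAccess {
    param (
        [Parameter(Mandatory = $true)]
        [string]$Path,

        [string[]]$BroadIdentity = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )

    $writeMask = [System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl, TakeOwnership, ChangePermissions'

    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $acl = Get-Acl -Path $_.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }    # skip what we cannot read
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($BroadIdentity -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }
            New-Object PSObject -Property @{
                Path      = $_.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Usage (-WhatIf shows what would change without touching any ACL):
# Get-ChildItem C:\Audit -Recurse | Grant-FileRight -Identity 'CONTOSO\auditors' -Rights ReadAndExecute -WhatIf
# Find-WeakFileAccess -Path C:\Audit | Format-Table Path, Identity, Rights, Inherited -AutoSize
```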
Monitor File System Changes

• With a few lines of code, you can monitor changes in
  a directory.

• However, it goes away with the PowerShell session.

• Can email, write to host, log to file or event logs.
File Monitoring Demo
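An added example, not the talk's demo code: a FileSystemWatcher wired to Register-ObjectEvent that writes every change to the console and to the Application event log, so the record outlives the session that owned the watcher. The watched directory and the event source name are assumptions.

```powershell
# Added example, not from the talk. $watchPath and $source are assumptions.
$watchPath = 'C:\inetpub\wwwroot'   # directory to watch (assumed)
$source    = 'PoshFileMonitor'      # our own event log source name (assumed)

# Creating the source needs an elevated prompt once; writing to it later does not.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    New-EventLog -LogName Application -Source $source
}

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path                  = $watchPath
$watcher.Filter                = '*.*'
$watcher.IncludeSubdirectories = $true
# Security covers ACL changes, so permission tampering is caught as well as content edits.
$watcher.NotifyFilter          = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'
$watcher.EnableRaisingEvents   = $true

# One handler for all four event types. Inside -Action, $Event is filled in by
# Register-ObjectEvent; -MessageData carries the source name into the handler.
# Changed can fire more than once per save; dedupe downstream if that matters.
$action = {
    $e   = $Event.SourceEventArgs
    $msg = '{0} {1} at {2}' -f $e.ChangeType, $e.FullPath, (Get-Date -Format s)
    if ($e -is [System.IO.RenamedEventArgs]) { $msg += " (was $($e.OldFullPath))" }
    Write-Host $msg
    Write-EventLog -LogName Application -Source $Event.MessageData `
        -EntryType Information -EventId 4000 -Message $msg
}

$subscriptions = foreach ($name in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $name `
        -SourceIdentifier "FsWatch.$name" -Action $action -MessageData $source
}

# The watcher lives only as long as this session (the point made on the slide).
# To stop early:
#   Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'FsWatch.*' } | Unregister-Event
#   $watcher.Dispose()
```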
SHOW-USERS
Show-Users

• This section will be a lot of auditing commands /
  scripts / functions.

• Creating users is done everywhere.

• Let's see what info we can gather.
Local Users?
• Local users are a pain… Let's view them all!

$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")

$users = $adsi.psbase.children |
    Where { $_.psbase.schemaclassname -eq "User" } |
    Select Name

foreach ($user in $users) {
    $user.name
}
Local Groups?
• Local groups are a pain… Let's view them all!

$computer = $env:COMPUTERNAME
$adsi = [ADSI]("WinNT://$computer,computer")

$groups = $adsi.psbase.children |
    Where { $_.psbase.schemaclassname -eq "Group" } |
    Select Name

foreach ($group in $groups) {
    $group.name
}
Local Admins?
•   Get local admins on a machine. Better yet, scan all the machines!

function Get-LocalAdministrators {
    param (
        [string]$computer = $env:COMPUTERNAME
    )

    $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $computer
    $admins = $admins | Where-Object { $_.GroupComponent -like '*"Administrators"' }

    $admins | ForEach-Object {
        # PartComponent looks like \\HOST\root\cimv2:Win32_UserAccount.Domain="CONTOSO",Name="jdoe"
        $_.PartComponent -match '.+Domain=(.+),Name=(.+)$' > $null
        $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
    }
}
Services and Users

• One of the biggest pains I find is people using user
  accounts to run services.

• Quick way to check tons of computers using
  Confirm-ServiceAccounts

Get-Content computers.txt |
    Confirm-ServiceAccounts |
    Select SystemName, DisplayName, StartName
SIDS….

• Easily get SIDs while doing forensics.

$objUser = New-Object System.Security.Principal.NTAccount($domain, $user)
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
$strSID.Value
Let's track some users…..

• Let's see who logged on and logged off on a
  computer.

get-winevent -FilterHashTable @{LogName='Security';
    StartTime='6/27/2012 12:00:00am';
    ID=@(4624,4625,4634,4647,4648)} |
    select timecreated,id
Across the entire network.

$eventhashtable = @{LogName='Security';
    StartTime='6/27/2012 12:00:00am';
    ID=@(4624,4625,4634,4647,4648)}

Get-Content computers.txt | Foreach {
    Write "Retrieving logs for $_ at $(Get-Date)"
    get-winevent -ComputerName $_ -FilterHashTable $eventhashtable |
        select timecreated,id
}
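An added example, not the talk's script: the same event IDs and computers.txt as the slide, but each record is parsed so you can see who logged on, how (LogonType) and from where, then summarised the way a blue team reads it. It assumes remote event log read access to every host in computers.txt.

```powershell
# Added example, not from the talk. Assumes computers.txt holds one host per line
# and that the caller can read the Security log on each of them.
$eventIds = 4624, 4625, 4634, 4647, 4648
$since    = (Get-Date).AddDays(-1)

# Security events keep their fields as <Data Name="..."> elements; reading them by
# name avoids guessing positional Properties[] indexes that differ per event ID.
function ConvertTo-LogonRecord {
    param ([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$EventRecord)
    process {
        $xml  = [xml]$EventRecord.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        New-Object PSObject -Property @{
            Computer    = $EventRecord.MachineName
            TimeCreated = $EventRecord.TimeCreated
            Id          = $EventRecord.Id
            User        = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            LogonType   = $data['LogonType']   # 2 interactive, 3 network, 10 RDP, ...
            Source      = $data['IpAddress']   # empty on 4634/4647 (logoff)
        }
    }
}

$records = Get-Content computers.txt | ForEach-Object {
    $computer = $_
    Write-Host "Retrieving logs for $computer at $(Get-Date)"
    try {
        Get-WinEvent -ComputerName $computer -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; StartTime = $since; ID = $eventIds
        } | ConvertTo-LogonRecord
    } catch {
        # "No events were found" also lands here; a silent host is worth knowing about.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# Failed logons (4625) per account, noisiest first: password spray / brute-force spotting.
$records | Where-Object { $_.Id -eq 4625 } |
    Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name

# Successful console (2) and RDP (10) logons per host: who was actually at the keyboard.
$records | Where-Object { $_.Id -eq 4624 -and @('2', '10') -contains $_.LogonType } |
    Select-Object Computer, TimeCreated, User, LogonType, Source |
    Sort-Object Computer, TimeCreated
```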
Does the user have a profile on the PC?

• A very rudimentary way to check whether someone
  has logged on to a PC.

Get-WmiObject -Class Win32_UserProfile |
    Select SID, LastUseTime, LocalPath
SET-SYSTEMMANAGEMENT
Hosts Files…..

• Editing hosts files is always fun.

• Merged some functions into a module that does
  hosts file manipulation.

• REMEMBER TO RUN AS ADMINISTRATOR…..
Host File Demo
Firewall fun (V3)

• You can manage the Windows Firewall using
  PowerShell in Windows 7. It can be done, but takes a
  little while to get used to.

• Microsoft added firewall cmdlets in Windows 8 /
  Windows Server 2012.

• They live in a new module called NetSecurity
Basic Firewall Administration

• The following command is pretty straightforward. It
  allows telnet to be accessible from the local subnet.

New-NetFirewallRule -DisplayName "Allow Inbound Telnet" `
    -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe `
    -RemoteAddress LocalSubnet -Action Allow
Where it gets cool….

• This rule BLOCKS telnet. It also stores the firewall
  rule in a GPO, so you can deploy it from the
  PowerShell window.

New-NetFirewallRule -DisplayName "Block Outbound Telnet" `
    -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe `
    -Protocol TCP -LocalPort 23 -Action Block `
    -PolicyStore domain.contoso.com\gpo_name
Even cooler…..

• You can manage a Windows Firewall remotely!
• You must be admin on the remote computer. Well,
  hopefully you are.
• Note: A CIM session is a client-side object
  representing a connection to a local or remote
  computer.

$Session = New-CimSession -ComputerName Host
Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session
DISCONNECT-SESSION
PoshSec.com




• A project to help better utilize PowerShell in the Infosec
  Space.
• Started by myself and Will Steele (@pen_test).
• Looking for guest bloggers. If you want to write an
  article, let us know. team@poshsec.com
PowerShell Saturday in Michigan?

• I am looking to bring PowerShell Saturday to
  Michigan.

• PowerShell Saturday is a day long conference on
  PowerShell.

• Want to speak? Let me know. Can be anything
  PowerShell related.
Special Thanks!

• Thank you for proofing my slides and providing
  valuable feedback!

•   Will (@pen_test)
•   Wolfgang (@jwgoerlich)
•   Scott (@sukotto_san)
•   Matt (@mattifestation)
Contact & Downloads
• Contact:
   –   mwjcomputing@gmail.com
   –   @mwjcomputing
   –   http://www.mwjcomputing.com/
   –   http://www.michiganpowershell.com/

• Downloads related to talk
   – http://www.mwjcomputing.com/resources/grrcon-2012
        • Slides, code samples and links to scripts used in this talk.
        • Note: Code isn't completely done. I need to add help and clean
          it up a tad. It does however all work. So expect updates within a
          week.

Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 

PowerShell - Be A Cool Blue Kid

  • 1. PowerShell - Be a cool blue kid. Matt Johnson @mwjcomputing GrrCON 2012 MWJ Computing
  • 2. Get-Agenda • Intro • Basics of PowerShell • Files / File System • Users / Access • Event Logs • System Management • Wrap Up
  • 4. About me • System Analyst at a non-profit religious organization • Founder of Michigan PowerShell User Group • Moderator on Hey! Scripting Guys forums and judge for Microsoft’s Scripting Games. • Member of #misec • Avid Gamer and huge sports fan • Father to a future hacker (kid0) and husband to a wonderful wife.
  • 5. Disclaimer • I am not an “expert”, so let’s just pretend for the next little bit that I am. • There is a TON of sysadmin stuff in here, however it doubles as security / blue team. • This talk doesn’t in any way reflect the stance of my employer or Microsoft. • I think I am funny and sometimes talk too fast. If you have a problem, get over it.
  • 8. What is PowerShell? • In case you haven’t heard…. – It is a task automation framework, command-line shell and a scripting language that uses and is built upon the .NET Framework • Installed in every Microsoft Operating System from Windows 7 / 2008 R2 and beyond. • Current Version is 3.0
  • 9. Tons of support • Integration is deep within Microsoft Product line • Other vendors support it as well
  • 10. What is a cmdlet? • A cmdlet is a “lightweight command that is used in the Windows PowerShell environment.” • Basically it is the commands built into the language. • Examples: – Get-Help – Write-Host – Register-ObjectEvent
  • 11. Some basic language information • Naming Convention – Verb-Noun • Get-Mailbox • New-ADComputer – Verbs are Defined by Microsoft (98 Total) • Aliases Help – Get-Childitem (ls, dir, gci) – But, you shouldn’t use them in your scripts. – See them all? Get-Alias • Get-Help also “helps” – Get-Help is your new best friend
  • 12. Aliases for the *nix Guys
      PowerShell      PowerShell Alias   *nix
      Get-ChildItem   ls, gci, dir       ls
      Copy-Item       cp, copy           cp
      Get-Help        man, help          man
      Get-Content     cat, type          cat
  • 13. Get-ExecutionPolicy • From about_execution_policies – Windows PowerShell execution policies let you determine the conditions under which Windows PowerShell loads configuration files and runs scripts. – Instead, the execution policy helps users to set basic rules and prevents them from violating them unintentionally. • Can set system-wide or on user basis and via Group Policy • Can bypass easily so this is not a security measure!!!!
  • 14. Making Tools • One of the best things about PowerShell. • You can easily make tools (functions, scripts, modules, etc…) and repackage them and share them. • Tons of resources on how to share and where to share are out there.
  • 15. Modules • A module is a set of related Windows PowerShell functionalities that can be dynamic or that can persist on disk. Modules that persist on disk are referenced, loaded, and persisted as script modules, binary modules, or manifest modules. Unlike snap-ins, the members of these modules can include cmdlets, providers, functions, variables, aliases, and much more.
  • 16. Modules Cont… • What are modules good for? – Repackaging tools – Sharing Scripts • Some very cool modules out there – PSCX – Office 365 – NTFS Security
  • 17. Recording your session • PowerShell has built-in logging. • Log your commands, the output and the whole kitten kaboodle • Start-Transcript • Stop-Transcript
  • 18. A few last minute notes • Objects! – Everything is an object unless you decide to make it text. • Pipeline! – Things being objects makes everything much more fun. • Variables! – Prefixed with $ • Special Variables! – Some special ones including • $_ • $true
  • 19. Set-LastNote • Everything in this talk works with Version 2 or above. V2!
  • 21. File Permissions • By far not my favorite thing to do • A complete pain if you have to set permissions on a lot of files • xcacls and cacls.exe are nice, but we can use PowerShell
  • 22. File Permissions • Built-in commands for doing ACLs – Get-ACL, Set-ACL • However…. These cmdlets are difficult at best to use. Actually, painful is a better word.
  • 24. That sucks…. Kind of • Easily put into a function. Especially if files you are setting permissions on have the same permissions required. • Requires time spent in the MSDN documentation to actually get setting permissions right. • There is some help though. The File System Security PowerShell Module 2.1 by Raimund Andrée
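The "put it into a function" idea from the slide above, as an added example that is not the talk's own code and not the File System Security module: one wrapper around Get-Acl / Set-Acl that applies the same access rule to many paths, with -WhatIf support so the change can be previewed first. The function name, parameters and the CONTOSO\HelpDesk identity are assumptions.

```powershell
# Added example (not from the talk): reusable Get-Acl / Set-Acl wrapper.
# Function and parameter names are hypothetical.
function Grant-FolderAccess {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param (
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [string[]] $Path,
        [Parameter(Mandatory = $true)]
        [string] $Identity,                      # e.g. 'CONTOSO\HelpDesk' (constructed)
        [ValidateSet('ReadAndExecute', 'Modify', 'FullControl')]
        [string] $Rights = 'ReadAndExecute',     # least privilege by default
        [ValidateSet('Allow', 'Deny')]
        [string] $Type = 'Allow'
    )
    process {
        foreach ($p in $Path) {
            # ContainerInherit + ObjectInherit makes the rule flow to subfolders and files.
            # Strings are converted to the FileSystemRights / InheritanceFlags /
            # PropagationFlags / AccessControlType enums by the constructor.
            $ruleArgs = $Identity, $Rights, 'ContainerInherit, ObjectInherit', 'None', $Type
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ruleArgs

            $acl = Get-Acl -Path $p
            $acl.SetAccessRule($rule)            # replaces any existing rule for $Identity of the same type

            if ($PSCmdlet.ShouldProcess($p, "grant $Rights ($Type) to $Identity")) {
                Set-Acl -Path $p -AclObject $acl
            }
        }
    }
}

# Usage (constructed): preview first, then apply, then audit the result.
# Get-ChildItem C:\Shares -Directory | Select-Object -ExpandProperty FullName |
#     Grant-FolderAccess -Identity 'CONTOSO\HelpDesk' -Rights Modify -WhatIf
# Get-Acl C:\Shares\Reports | Select-Object -ExpandProperty Access |
#     Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited
```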
  • 26. Monitor File System Changes • With a few lines of code, you can monitor changes in a directory. • However, it goes away with the PowerShell session. • Can email, write to host, log to file or event logs.
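The watcher described on the slide above, as an added example (not the talk's code): a .NET FileSystemWatcher wired to Register-ObjectEvent, writing each change to the host and to a log file. The watched path and log path are constructed; the subscriptions die with the session, as the slide notes, so the cleanup is shown too.

```powershell
# Added example (not from the talk): directory monitoring with FileSystemWatcher.
$watchPath = 'C:\inetpub\wwwroot'            # constructed: a directory worth watching
$logPath   = 'C:\Logs\wwwroot-changes.log'   # constructed: where changes are recorded

$watcher = New-Object System.IO.FileSystemWatcher
$watcher.Path = $watchPath
$watcher.Filter = '*.*'
$watcher.IncludeSubdirectories = $true
# Security = ACL changes also raise a 'Changed' event, useful for a blue team.
$watcher.NotifyFilter = [System.IO.NotifyFilters]'FileName, DirectoryName, LastWrite, Security'
$watcher.EnableRaisingEvents = $true

# One action for every change type. -MessageData carries the log path into the
# event's scope so the script block does not depend on the caller's variables.
$action = {
    $e = $Event.SourceEventArgs
    $line = '{0} {1,-8} {2}' -f (Get-Date -Format o), $e.ChangeType, $e.FullPath
    if ($e.ChangeType -eq 'Renamed') { $line += " (was $($e.OldFullPath))" }
    Write-Host $line
    Add-Content -Path $Event.MessageData -Value $line
}

# Subscribe to the four events; identifiers share a prefix to make cleanup easy.
$subscriptions = foreach ($evt in 'Created', 'Changed', 'Deleted', 'Renamed') {
    Register-ObjectEvent -InputObject $watcher -EventName $evt `
        -SourceIdentifier "FsWatch.$evt" -Action $action -MessageData $logPath
}

# Cleanup when done (or the subscriptions vanish when the session ends):
# Get-EventSubscriber | Where-Object { $_.SourceIdentifier -like 'FsWatch.*' } | Unregister-Event
# $watcher.EnableRaisingEvents = $false; $watcher.Dispose()
```

Rapid saves often raise several 'Changed' events for one file, so downstream alerting should de-duplicate on path within a short window.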
  • 29. Show-Users • This section will be a lot of auditing commands / scripts / functions. • Creating users is done everywhere. • Let’s see what info we can gather.
  • 30. Local Users? • Local Users are a pain… Let’s view them all!
      $computer = $env:COMPUTERNAME
      $adsi = [ADSI]("WinNT://$computer,computer")
      $users = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "User"} | Select Name
      foreach ($user in $users) { $user.name }
  • 31. Local Groups? • Local Groups are a pain… Let’s view them all!
      $computer = $env:COMPUTERNAME
      $adsi = [ADSI]("WinNT://$computer,computer")
      $groups = $adsi.psbase.children | Where {$_.psbase.schemaclassname -eq "Group"} | Select Name
      foreach ($group in $groups) { $group.name }
  • 32. Local Admins? • Get local admins on a machine. Better yet, scan all the machines!
      function Get-LocalAdministrators {
          param ( [string]$computer = $env:COMPUTERNAME )
          # Every group membership on the box, then keep only the Administrators group
          $admins = Get-WmiObject -Class Win32_GroupUser -ComputerName $computer
          $admins = $admins | Where { $_.GroupComponent -like '*"Administrators"' }
          $admins | Foreach {
              # PartComponent looks like ...Domain="CONTOSO",Name="jdoe"; pull out both parts
              $_.PartComponent -match '.+Domain=(.+),Name=(.+)$' > $null
              $matches[1].Trim('"') + "\" + $matches[2].Trim('"')
          }
      }
  • 33. Services and Users • One of the biggest pains I find is people using accounts for services. • Quick way to check tons of computers using Confirm-ServiceAccounts
      Get-Content computers.txt | Confirm-ServiceAccounts | Select SystemName, DisplayName, StartName
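Confirm-ServiceAccounts is the author's own function (in the talk downloads). As an added example that is not that function, here is one way to do the same check with Win32_Service: list services on each computer whose StartName is not one of the built-in service identities. The function name and the computer names in the usage line are assumptions.

```powershell
# Added example (not the talk's Confirm-ServiceAccounts): find services that
# run under real user or domain accounts rather than built-in identities.
function Find-CustomServiceAccount {
    param (
        [Parameter(ValueFromPipeline = $true)]
        [string[]] $ComputerName = $env:COMPUTERNAME
    )
    begin {
        # Expected identities; anything else is worth a look (shared passwords,
        # over-privileged domain accounts, leftovers from a departed admin).
        $builtin = 'LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService'
    }
    process {
        foreach ($c in $ComputerName) {
            try {
                Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction Stop |
                    Where-Object {
                        $_.StartName -and
                        ($builtin -notcontains $_.StartName) -and
                        ($_.StartName -notlike 'NT SERVICE\*')   # per-service virtual accounts
                    } |
                    Select-Object SystemName, DisplayName, StartName, State, StartMode
            }
            catch {
                # Unreachable host or access denied: report it and keep scanning the rest
                Write-Warning ("{0}: {1}" -f $c, $_.Exception.Message)
            }
        }
    }
}

# Usage (constructed host names; in practice: Get-Content computers.txt | Find-CustomServiceAccount)
# 'server01', 'server02' | Find-CustomServiceAccount | Format-Table -AutoSize
```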
  • 34. SIDs…. • Easily get SIDs while doing forensics.
      # $domain and $user are assumed to be set beforehand
      $objUser = New-Object System.Security.Principal.NTAccount($domain,$user)
      $strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
      $strSID.Value
  • 35. Let’s track some users….. • Let’s see who logged on and logged off on a computer.
      Get-WinEvent -FilterHashTable @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)} | Select TimeCreated, Id
  • 36. Across the entire network.
      $eventhashtable = @{LogName='Security'; StartTime='6/27/2012 12:00:00am'; ID=@(4624,4625,4634,4647,4648)}
      Get-Content computers.txt | Foreach {
          Write "Retrieving logs for $_ at $(Get-Date)"
          # -ComputerName $_ is what makes this query each remote host instead of the local one
          Get-WinEvent -ComputerName $_ -FilterHashTable $eventhashtable | Select TimeCreated, Id
      }
  • 37. User have profile on PC? • A very rudimentary way to check to see if someone logged on to a PC.
      Get-WmiObject -Class Win32_UserProfile | Select SID, LastUseTime, LocalPath
  • 39. Host Files….. • Editing hosts files is always fun. • Merged some functions into a module that does host file manipulation. • REMEMBER TO RUN AS ADMINISTRATOR…..
  • 41. Firewall fun (V3) • You can manage the Windows Firewall using PowerShell in Windows 7. Can do it, but takes a little bit to get used to. • Microsoft added Firewall Commands in Windows 8 / Windows 2012. • There is a new module called NetworkSecurity
  • 42. Basic Firewall Administration • The following command is pretty straightforward. Allows telnet to be accessible on the local subnet.
      New-NetFirewallRule -DisplayName "Allow Inbound Telnet" -Direction Inbound -Program %SystemRoot%\System32\tlntsvr.exe -RemoteAddress LocalSubnet -Action Allow
  • 43. Where it gets cool…. • This rule BLOCKS telnet. However, this stores the firewall rule in a GPO so you can deploy it from the PowerShell window.
      New-NetFirewallRule -DisplayName "Block Outbound Telnet" -Direction Outbound -Program %SystemRoot%\System32\tlntsvr.exe -Protocol TCP -LocalPort 23 -Action Block -PolicyStore domain.contoso.com\gpo_name
  • 44. Even cooler….. • You can manage a Windows Firewall Remotely! • You must be admin on the remote computer. Well, hopefully you are. • Note: A CIM session is a client-side object representing a connection to a local or remote computer.
      $Session = New-CimSession -ComputerName Host
      Remove-NetFirewallRule -DisplayName "AllowTelnet" -CimSession $Session
  • 46. PoshSec.com • A project to help better utilize PowerShell in the Infosec Space. • Started by myself and Will Steele (@pen_test). • Looking for guest bloggers. If you want to write an article, let us know. team@poshsec.com
  • 47. PowerShell Saturday in Michigan? • I am looking to bring PowerShell Saturday to Michigan. • PowerShell Saturday is a day long conference on PowerShell. • Want to speak? Let me know. Can be anything PowerShell related.
  • 48. Special Thanks! • Thank you for proofing my slides and providing valuable feedback! • Will (@pen_test) • Wolfgang (@jwgoerlich) • Scott (@sukotto_san) • Matt (@mattifestation)
  • 49. Contact & Downloads • Contact: – mwjcomputing@gmail.com – @mwjcomputing – http://www.mwjcomputing.com/ – http://www.michiganpowershell.com/ • Downloads related to talk – http://www.mwjcomputing.com/resources/grrcon-2012 • Slides, Code Samples and links to scripts used in this talk. • Note: Code isn’t completely done. I need to add help and clean it up a tad. It does however all work. So expect updates within a week.