8/6/2019 Power Shell Documentation
http://slidepdf.com/reader/full/power-shell-documentation 1/38
Scripts: The big concern
The big concerns:
- No integrity
- No identity
- Command hijacking
- Double click to run
Security features:
- Execution policy
- Script signing
- Profiles (and back doors)
- Path required
- Filename extension
Demo: create a test.vbs file on the desktop and edit it to contain: wscript.echo "Hello"
Digital signature: path for digital signing
PS: Set-ExecutionPolicy
Execution Policy
- Restricted: no script will run (default)
- AllSigned (production): scripts should have a signature
- RemoteSigned (test): local scripts run without a signature; remote scripts should have a signature
- Unrestricted: all scripts can run
Profiles
If you are opening PowerShell for the first time, it will place you in the administrator's folder: My Documents > WindowsPowerShell > profile.ps1. Whatever you have added to profile.ps1 will be executed at the start of every PowerShell session.
Command Hijacking
e.g. let's say you have test.ps1 located at C:\demo\test.ps1. If you are at C:\demo> and run test, the script won't run. To run the script you need to give the full path of the script, or, in the above case, ./test will execute the script.
CA / Cert / IDENTIFICATION
If a signed script turns out to be malicious, the certificate information can be used to identify who wrote the script and act accordingly.
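The three controls above (execution policy, script signature, profile files) checked from PowerShell, as an added example that is not part of the course notes; the default script path is a constructed placeholder, everything else is standard cmdlets:

```powershell
# Added example (not from the course notes): audit the controls this section
# names: effective execution policy, the Authenticode signature of a script,
# and the profile files that run at every start.
param(
    # Constructed default; pass any .ps1 path to check.
    [string]$ScriptPath = "$env:USERPROFILE\Desktop\test.ps1"
)

$report = @()

# 1. Execution policy per scope. Group Policy scopes (MachinePolicy, UserPolicy)
#    override the rest, so the effective value is not always LocalMachine's.
$scopes = Get-ExecutionPolicy -List |
    ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }
$report += [pscustomobject]@{
    Check  = 'ExecutionPolicy'
    Result = (Get-ExecutionPolicy)
    Detail = $scopes -join '; '
}

# 2. Signature status of the script: Valid, NotSigned, HashMismatch (edited
#    after signing) or UnknownError (signer chains to an untrusted CA).
if (Test-Path -LiteralPath $ScriptPath) {
    $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'none' }
    $report += [pscustomobject]@{
        Check  = 'Signature'
        Result = $sig.Status
        Detail = "$ScriptPath signer=$signer"
    }
}

# 3. Profile scripts are the back door mentioned above: anything written into
#    them runs at every start. Record owner, last change and signature status
#    of each profile file that exists.
$profiles = $PROFILE.AllUsersAllHosts, $PROFILE.AllUsersCurrentHost,
            $PROFILE.CurrentUserAllHosts, $PROFILE.CurrentUserCurrentHost
foreach ($path in $profiles) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $item = Get-Item -LiteralPath $path
    $report += [pscustomobject]@{
        Check  = 'Profile'
        Result = (Get-AuthenticodeSignature -FilePath $path).Status
        Detail = "$path owner=$((Get-Acl -LiteralPath $path).Owner) modified=$($item.LastWriteTime)"
    }
}

$report | Format-Table -AutoSize -Wrap
```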
Using the shell for file and folder management
dir / ls
ipconfig
ping
dir -recurse -filter "*.dll"
cp test.ps1 tst.ps1 >> a
cd ..
cd
cd "Program Files"
Command line tricks, tips and gotchas
F7 lists all commands executed earlier
dir
cd HKCU:
Command line tricks, tips and gotchas
Quotes and escape sequences
cd Program Files   (fails: the space splits the argument)
cd "Program Files"
cd 'Program Files'
Tab completion will put in the quotation marks
Escaping characters: space is a special character
Wildcard characters
? and * because these are not legal characters in file names
Transcript
start-transcript trance.txt
stop-transcript
Cmdlets, snap-ins, aliases & help
Aliases & cmdlets
dir = get-childitem
get-childitem -recurse -filter "*.dll"
get-eventlog security -newest 20
get-command
get-command *service*
gcm -noun service
gcm -verb new
help dir
help dir -example
help dir -detailed
help dir -full
help
PowerShell snap-ins (to extend the functionality of the shell)
get-pssnapin
add-pssnapin quest.activeroles.admanagement
Basic cmdlets for Processes, Services, and Eventlogs
Processes
help *process*
get-command *process*
help stop-process
get-process
kill 568 -whatif
kill -name svchost -whatif
Take an example of calc
Services
get-command *service*
gcm -noun service
You can start, stop, suspend, set & new services
get-service = gsv
gsv -include "b*"
get-credential
Eventlogs
get-command -noun *event*
gel system -newest 10   (gel = get-eventlog)
What is a common parameter? "need to find"
gsv | format-list *
gel | format-list *
What PS can & can't do
Cmdlets: non-remoting (remoting is not allowed); easy to understand; built-in help
WMI: remoting; complicated; no built-in help
.NET Framework: its own architecture
Retrieving Management Information from remote computers
Desktop Management Task Force (DMTF)
Common Information Module (CIM v2)
Web-Based Enterprise Management (IIS v5)
Windows management information
WMI Explorer.exe from www.scriptinganswers.com
help gwmi
gwmi win32_service
gwmi win32_service | format-list
gwmi win32_service -filter "name like 'b%'"
gwmi win32_operatingsystem
gwmi win32_operatingsystem -comp (type c:\temp\servers.
WMI Security
gwmi win32_service -comp localhost -cred "administrator"
WMI Filtering
gwmi win32_process -filter "name like 's%'"
gwmi win32_service -filter "name='bits'"
gwmi win32_operatingsystem -filter "buildnumber>6000"
Introduction to WMI
Exploring WMI
WMI from the local machine
Remote WMI
Alternate credentials
Filtering WMI objects
gwmi win32_operatingsystem -comp "nydc2k8","localhost"
MMC > Add/Remove Snap-in > WMI Control (Local) > right click > Properties > Security: only Administrators have the permission for executing remote commands
[Diagram: WMI architecture. CIM classes such as Disk Drive, CPU, A Records, Web (IIS), Operating System and SQL Instance are exposed through WMI providers.]
Using variables, Objects & Members
new-variable -name var -value 5
$var2 = 10
$var2, $age, $year, $counter
$counter = $counter + 10
$name = "Nugget2" or $name = 'nugget2'
$object = "hello"
$object.length
$object.toupper()
$number = 100
$number.length
$number.toupper()
[string]$var = "Hello"
$var.toupper()
$var = 5
$var.toupper()
Three data types: $s string, $i = 5, $d = get-date
[string]$s = "hello"
[int]$i = 5
[datetime]$d = get-date
$d | get-member
$d.day
$d.year
$d.toshortdatestring()
$d.tolongdatestring()
$d.addmonths(2)
$s | get-member
$s.length
$s.tolower()
$s.replace("i","o")
gwmi win32_operatingsystem | gm
$procs = get-process
$procs[0], $procs[1]; for the last process $procs[-1]
$procs[0] | gm
$procs[0].kill()
get-credential
$cred = get-credential
gwmi win32_operatingsystem -comp nugget5 -cred $cred
What are variables
Creating, populating and displaying
Introducing objects
Simple objects
Viewing object members
Objects in variables
Removing variables
Example: credential storage
Understanding The Pipeline
get-service
get-service | where-object { $_.status -eq "running" }
get-service | where-object { $_.status -eq "stopped" } | start-service -whatif
get-process | stop-process -whatif
get-service | out-file C:\services.txt
write-output "hello"
Write-Host "Hello"
Write-Host "Hello" -fore yellow
write-output "Hello" | where-object { $_.Length -gt 100 }
write-Host "Hello" | where-object { $_.Length -gt 100 }
Why Pipeline
Visualizing the Pipeline
Services in the pipeline
Processes in the pipeline
Piping to file or printer
Write-output
Write-host
get-service | where-object { $_.status -eq "stopped" } | set-service -startuptype Disabled -whatif
ps | out-printer hplaserhet4
Mathematical & Comparison Operators
5+5; 10-1; 10*10; 100/10
5 + (5*10); 100 % 10; 5 * (5*5)
5 -eq 5; 10 -eq 5;
$var=5; 10 -gt 5; 10 -gt $var; 10 -lt $var; "Hello" -eq "Hello"
(10 -gt $var) -and (10 -lt $var2)
(10 -gt $var) -or (10 -lt $var2)
(10 -gt $var) -and -not (10 -lt $var2)
-not (10 -gt $var) -and -not (10 -lt $var2)
"Hello" -ceq "Hello"
"Hello" -ceq "HELLO"
"Hello" -ne "HELLO"
Parsing Mode
Write-host 5+5
Write-host (5+5)
Write-host (5+5) -fore green
Write-host ($var -eq 10) -fore red
Write-host $var -eq 10 -fore red
Basic math operators
Advanced math
Basic and advanced comparison
Case sensitivity
Parsing mode: command mode vs expression mode
Sorting, Measuring, Selecting & Filtering Objects in the Pipeline
ps | sort-object vm
ps | sort-object vm -descending
ps | sort name
gsv | sort status
gsv | measure-object
ps | measure-object
ps | measure-object -property pm -sum -min -max -average
gsv | select-object displayname,dependentservices
ps | select -last 10
ps | sort vm -desc | select -first 10 | out-file C:\tip.txt
gsv | where-object {$_.status -eq "running" } | sort displayname
gsv | where-object {$_.status -eq "running" } | sort displayname | select -first 10
ps | select vm
ps | select vm, name
ps | where {$_.vm -gt 100}
ps | where {$_.vm -gt 100MB}
Workflow PowerShell
ps
ps | sort pm
ps | sort pm -desc | select -first 10
Sorting
Measuring
Selecting properties
Selecting a subset
Filtering
PowerShell workflow
gsv | measure-object -property displayname -line -word -character
= is the assignment operator
Working With Collections of objects in the Pipeline
ps (collection of objects)
gsv
gsv | where {$_.status -eq "stopped"}
gsv | where {$_.status -eq "stopped"} | start-service -whatif
dir *.mp3 -recurse | del
gc computrs.txt | foreach-object { gwmi win32_operatingsystem -comp $_ }
gc computrs.txt | foreach-object { gwmi win32_operatingsystem -comp $_ | foreach {
Object collections
Working with groups
Working with individuals
E.g. foreach-object & WMI
gc computrs.txt | % { gwmi win32_service -comp $_ -filter "name='MSSQLSERVER'" | % { $_.change($null,$null,$null,$null,$null,$null,$null,"P@ssw0rd") } }
(Win32_Service.Change takes the new service-account password as its eighth argument; the seven before it are passed as $null so they stay unchanged.)
In PowerShell everything is an object.
[Diagram: Get-Content reads a list of servers (Server 1, Server 2, Server 3) and each one is queried over WMI; the returned objects have methods and properties.]
Understanding and using the formatting subsystem
gsv | out-default
gsv | fw
gsv | fw displayname
gsv | fw name -col 4
Format-List
gsv | fl status,displayname,name
gsv | fl *
gsv | fl name,displayname,status -groupby status
gsv | sort status | fl name,displayname,status -groupby status
Format-Table
gsv | ft name,status
gsv | ft name,status -auto
gsv | ft *
gsv | ft * -auto
gsv | ft * -auto -wrap
gsv | sort status | ft displayname -groupby status
ps | ft name,id,vm,pm
ps | sort vm -desc | ft name,id,vm,pm -auto
gwmi win32_logicaldisk
gwmi win32_logicaldisk -filter "drivetype=3"
gwmi win32_logicaldisk -filter "drivetype=3" | select deviceid,freespace,size
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid,freespace,size -auto
How objects become text
Text in the console window
The formatting subsystem
Format-Wide
Format-List
Format-Table
Custom columns in tables
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid, @{ Label="size(G)"; Expression={$_.size / 1gb} }
gwmi win32_logicaldisk -filter "drivetype=3" | ft deviceid, @{ Label="size(G)"; Expression={($_.size / 1gb) -as [int]} }
Exporting, Importing, Comparing & Converting Objects
ps | export-csv C:\proc.txt
Let's say we have a CSV file at c:\provision1.csv
$imported = import-csv c:\provision1.csv
$imported
$imported | ft
$imported[0].country
$imported[0].'first name'
$imported[0].fax
$imported | foreach-object { $_.'first name'.toupper() }
gsv | select -first 2 | export-clixml c:\services.xml
import-clixml c:\services.xml
import-clixml c:\services.xml | sort vm -desc | select -first 10 | fl name,id
ps | export-clixml c:\baseline.xml
diff (ps) (import-clixml c:\baseline.xml) -property name
gsv | export-clixml c:\services.xml
diff (gsv) (import-clixml c:\services.xml) -prop status
gel security -newest 20 | export-clixml c:\eventlogs.xml
$event = import-clixml c:\eventlogs.xml
$event
$event | ft source,timewritten,index
Exporting to CSV
Importing from CSV
CliXML import/export
Comparing collections
Convert to HTML
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" }
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" } | convertto-html | out-file c:\badservice.html
get-wmiobject win32_service | where { $_.startmode -eq "auto" -and $_.state -ne "running" } | select startmode,state,name | convertto-html | out-file c:\badservice.html
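The baseline-and-compare workflow of this section as reusable functions, added here as an example and not the course's own code; the baseline path is a constructed default, and the service list comes from Get-Service on the local machine:

```powershell
# Added example (not from the course notes): save a service baseline with
# Export-Clixml, compare it later with Compare-Object (alias diff), and list
# the "auto but not running" services of the HTML report as objects.
# The baseline path is a constructed default.

# Status is captured as text so that live ServiceController objects and the
# deserialized copy read back by Import-Clixml compare as equal values.
$serviceShape = 'Name', 'DisplayName', @{ Name = 'Status'; Expression = { "$($_.Status)" } }

function Save-ServiceBaseline {
    param([string]$Path = 'c:\baseline\services.xml')
    New-Item -ItemType Directory -Path (Split-Path -Parent $Path) -Force | Out-Null
    Get-Service | Select-Object -Property $serviceShape | Export-Clixml -Path $Path
}

function Compare-ServiceBaseline {
    param([string]$Path = 'c:\baseline\services.xml')
    $baseline = Import-Clixml -Path $Path
    $current  = Get-Service | Select-Object -Property $serviceShape
    # Comparing on Name and Status together: a service that was added, removed or
    # changed state shows up with SideIndicator => (current only) or <= (baseline only).
    Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name, Status |
        ForEach-Object {
            [pscustomobject]@{
                Name   = $_.Name
                Status = $_.Status
                Side   = if ($_.SideIndicator -eq '=>') { 'current' } else { 'baseline' }
            }
        }
}

function Get-AutoServiceNotRunning {
    # Same report as the badservice.html pipeline, with the filter done in WQL
    # on the WMI side (<> is WQL's not-equal).
    Get-WmiObject -Class Win32_Service -Filter "StartMode='Auto' AND State<>'Running'" |
        Select-Object Name, StartMode, State, StartName, PathName
}

# Usage:
# Save-ServiceBaseline                      # once, on a known-good machine
# Compare-ServiceBaseline | Format-Table -AutoSize
# Get-AutoServiceNotRunning | ConvertTo-Html | Out-File c:\baseline\badservice.html
```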
Windows PowerShell Scripts
$computer = "localhost"
Parameterized script
param (
    $computer = "localhost"
)
Script, ad-hoc… same!
Script security review
A basic script
Parameterizing a script
for ($i=0; $i -lt 100; $i++) { write-host $i }
$result = gwmi win32_pingstatus -filter "Address='$computer'"
if ($result.statuscode -eq 0) { Write-host "$computer is pingable" } else { "$computer is not pingable" }
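The ping check above turned into a pipeline-aware function that emits one custom object per computer, added here as an example (not the course's own code); it assumes a constructed list file c:\temp\computers.txt and uses the Win32_PingStatus class from the script:

```powershell
# Added example (not from the course notes): the ping check as a function that
# accepts computer names from the pipeline and returns one object per name,
# which covers the later "functions in the pipeline" and "custom objects" topics.
function Test-HostReachable {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$ComputerName
    )
    process {
        # The name is interpolated into a WQL string, so escape the characters
        # WQL treats specially (\ and ') rather than trusting the input file.
        $safe = $ComputerName -replace "([\\'])", '\$1'
        $ping = Get-WmiObject -Class Win32_PingStatus -Filter "Address='$safe'"
        [pscustomobject]@{
            ComputerName = $ComputerName
            Reachable    = ($ping.StatusCode -eq 0)   # 0 = success; $null if unresolved
            StatusCode   = $ping.StatusCode
            ResponseTime = $ping.ResponseTime
        }
    }
}

# Usage (constructed file name):
# Get-Content c:\temp\computers.txt | Test-HostReachable |
#     Where-Object { -not $_.Reachable } | Format-Table -AutoSize
```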
Modularization :scriptblocks and Functions
Creating Functions that work in the Pipeline
Creating functions that produce custom Objects
Introduction to Regular Expressions
The purpose of Debugging