Notes: Windows PowerShell | Cyber Security 101 | THM
- solbergtonje
- 9 Dec 2024
- 5 min read
Updated: 25 Dec 2024
PowerShell: a task automation and configuration management program from Microsoft, consisting of a command-line shell and an associated scripting language
What Is PowerShell
PowerShell is a cross-platform task automation solution made up of a command-line shell, a scripting language and a configuration management framework
Do:
task automation
configuration management
Is:
command-line interface
scripting language
Built on:
.NET framework
object-oriented = can handle complex data types and interact with system components more effectively
PowerShell Core is an open-source and cross-platform version that runs on Windows, macOS and Linux
In programming, an object has properties (characteristics) and methods (actions)
E.g.: object = car, properties = Color, Model, FuelLevel, methods = Drive(), HonkHorn(), Refuel()
In PowerShell, objects are units that encapsulate data and functionality, which makes data easier to manage and manipulate.
An object can carry file names, usernames or sizes as data (properties) and functions (methods) such as copying a file or stopping a process
In a traditional command shell, commands both consume and produce plain text.
In PowerShell, cmdlets (command-lets) return objects that keep their properties and methods, so the output needs no additional text parsing, which allows more powerful and flexible data manipulation.
PowerShell - object-oriented
Windows and Unix handle system operations differently
Windows: exposes structured data through APIs
Unix: treats everything as a file, and tools pass text streams between each other
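To make the "objects, not text" point concrete, here is an added example (not from the original notes or the THM room) that inspects a file object, uses its typed properties and methods, and contrasts that with the same information flattened to text. The scratch file name under $env:TEMP is made up.

```powershell
# Added example (not from the original notes): PowerShell commands return objects, not text.
# A scratch file under $env:TEMP is created so the example runs anywhere; its name is made up.
$path = Join-Path $env:TEMP 'psdemo-hat.txt'
Set-Content -Path $path -Value "Don't touch my hat!"

# Get-Item returns a System.IO.FileInfo object. Get-Member lists what it carries:
# properties (data such as Length, LastWriteTime) and methods (actions such as CopyTo, Delete).
$file = Get-Item -Path $path
$file | Get-Member -MemberType Property, Method

# Properties are typed values, so no text parsing is needed before comparing or calculating.
$file.Length                      # Int64: size in bytes
$file.LastWriteTime.AddDays(-7)   # DateTime arithmetic directly on the property
$file.Length.GetType().Name       # the property is a typed number, not a string

# Methods act on the object itself; CopyTo returns a FileInfo for the new file.
$copy = $file.CopyTo((Join-Path $env:TEMP 'psdemo-hat-copy.txt'), $true)
$copy.Exists

# Contrast: the same information rendered as text, as a classic shell would hand it on.
# To get the size out of this you would have to split columns and convert the string yourself.
Get-ChildItem -Path $path | Out-String

# Piping the object instead keeps the typed property available to the next command.
Get-ChildItem -Path $path | Where-Object { $_.Length -gt 10 } | Select-Object Name, Length

Remove-Item -Path $path, $copy.FullName
```

Get-Member is the quickest way to find out what a cmdlet actually hands you; run it on the output of any Get-* cmdlet before trying to filter or sort that output.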
SSH connect with Remmina client
Open program
(click Cancel on the 'Unlock Login Keyring' pop-up)
Choose SSH from the dropdown menu
Type in TARGET_IP and hit ENTER
Enter credentials then click OK
PowerShell Basics
Launch PowerShell from Command Prompt (cmd.exe)
Command: powershell
Notice how we now have a PS prompt in the same window
PS = PowerShell
Basic Syntax: Verb-Noun
cmdlets = command-lets
cmdlets allow for more advanced data manipulation than traditional Windows commands
cmdlets consist of verb-noun naming convention - easy to understand what each cmdlet does
Verb: describes the action
Noun: specifies the object on which the action is performed
Examples:
Get-Content = gets (retrieves) the content of a file and displays it in the console
Set-Location = sets (changes) the current working directory
Basic Cmdlets:
Get-Command: lists all available cmdlets, functions, aliases and scripts
Get-Command -CommandType "TYPE": filters the list by command type, e.g. Get-Command -CommandType "Function" lists only functions
Get-Help: detailed information about a cmdlet, such as usage, parameters and examples
'Get-Help Get-Date' outputs information about the cmdlet Get-Date (add -Examples to see only the examples)
Get-Date: current date and time
Get-Alias: lists available aliases (alias = alternative name for a cmdlet, often matching traditional Windows or Unix commands, e.g. dir = Get-ChildItem, cd = Set-Location, cls = Clear-Host)
Clear-Host (or cls): clears the prompt screen
Where to Find and Download Cmdlets
Download from online repositories like the PowerShell Gallery (PSGallery)
Cmdlet to find cmdlets to download:
Find-Module
Wildcard: *
Parameter: -Name
Syntax: Find-Module -Name "pattern*"
Example: Find-Module -Name "PowerShell*"
Cmdlet to download and install new cmdlets:
Install-Module
Example: Install-Module -Name "PowerShellGet"
(Install-Module runs third-party code from the gallery: check the module's author and download count first, and use -Scope CurrentUser to install for your own user rather than system-wide)
Own research:
Test-Connection: (=ping) sends ICMP echo requests to a host
Test-NetConnection: (=ping and more) also does a TCP port check (-Port), traceroute (-TraceRoute) and DNS name resolution
Navigating the File System and Working with Files
Get-ChildItem:(=dir): list files and directories
Get-ChildItem -Path: list files and directories in a certain location specified with '-Path'
Set-Location:(=cd): change directory
New-Item: create a new item (use with '-Path'(=where) and '-ItemType'(=what (file or directory))
Example: New-Item -Path ".\captain-cabin\captain-wardrobe" -ItemType "Directory"
Remove-Item: remove directory or file
Example: Remove-Item -Path ".\captain-cabin\captain-wardrobe\captain-boots.txt"
Copy-Item: copy file or directory
Example: Copy-Item -Path .\captain-cabin\captain-hat.txt -Destination .\captain-cabin\captain-hat2.txt
Move-Item: move file or directory
Example: Move-Item -Path .\captain-cabin\captain-hat.txt -Destination .\captain-cabin\captain-hat2.txt
Get-Content:(=type on Windows / cat on Unix): display file content, one string per line
PowerShell provides a single set of cmdlets to handle the creation and management of both files and directories
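The cmdlets above as one runnable sequence, added here as an example (not from the original notes or the THM room). It builds a scratch tree under $env:TEMP with made-up names, so it can be run without touching the room's files, and adds the checks a practitioner wants around destructive commands: Test-Path before acting and -WhatIf before Remove-Item.

```powershell
# Added example (not from the original notes): file and directory cmdlets in one run.
# Uses a scratch tree under $env:TEMP so it is safe to run; the names are made up.
$root = Join-Path $env:TEMP 'captain-cabin'

# New-Item creates directories or files; -Force creates missing parents and does not fail if the item exists.
New-Item -Path (Join-Path $root 'captain-wardrobe') -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $root 'captain-hat.txt') -ItemType File -Value "Don't touch my hat!" -Force | Out-Null

# Test-Path before acting: file cmdlets throw if the source is missing.
$hat = Join-Path $root 'captain-hat.txt'
if (Test-Path -Path $hat) {
    Copy-Item -Path $hat -Destination (Join-Path $root 'captain-hat2.txt')
}

# Move-Item with a directory as the destination keeps the file name.
Move-Item -Path (Join-Path $root 'captain-hat2.txt') -Destination (Join-Path $root 'captain-wardrobe')

# Get-ChildItem -Recurse walks the tree; -File / -Directory restrict the item type.
Get-ChildItem -Path $root -Recurse -File | Select-Object FullName, Length

# Get-Content returns an array with one string per line, not one blob of text.
$lines = Get-Content -Path $hat
"$($lines.Count) line(s); first: $($lines[0])"

# -WhatIf shows what Remove-Item would delete without doing it.
Remove-Item -Path $root -Recurse -WhatIf

# Clean up for real: -Recurse removes the directory and everything below it, -Force includes hidden/read-only items.
Remove-Item -Path $root -Recurse -Force
```

Get-ChildItem, Copy-Item, Move-Item and Remove-Item all take -Path and -Recurse, which is what the single set of cmdlets for files and directories means in practice.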
Piping, Filtering, and Sorting Data
Piping (symbol: | ) = technique in CLI to use the output of one command as input of another command
In PowerShell objects with properties and methods can be piped
Example (list files sorted by size):
Get-ChildItem | Sort-Object Length
Get-ChildItem: retrieve the files (as objects)
The pipe (|): sends the files to Sort-Object
Sort-Object: sorts them by the Length property (file size in bytes), ascending by default; add -Descending for largest first
PowerShell can be used for advanced data manipulation and analysis with cmdlets combined with piping.
Where-Object: select objects based on property
Example: Get-ChildItem | Where-Object -Property "Extension" -eq ".txt"
Properties:
Extension (filetype)
Name
Comparison Operators (case-insensitive by default; prefix with c, e.g. -ceq or -clike, for a case-sensitive comparison):
-eq (equal to)
-ne (not equal to): exclude results
-gt (greater than): objects exceeding a specified value (note: equal values are excluded)
-ge (greater than or equal to)
-lt (less than): objects below a specified value (note: equal values are excluded)
-le (less than or equal to)
-like: matches a wildcard pattern (* = any characters, ? = one character); -match does the same with a regex
Example: Get-ChildItem | Where-Object -Property "Name" -like "ship*"
Select-Object: select objects or object properties (used to refine output - only show what is needed)
Example: Get-ChildItem | Select-Object Name,Length (Length = size in bytes)
EXERCISE
Build a pipeline of cmdlets to sort and filter the output with the goal of displaying the largest file in the C:\Users\captain\Documents\captain-cabin directory.
My answer:
Get-ChildItem -path "C:\Users\captain\Documents\captain-cabin" | Where-Object -Property "Length" -ge "2116"
(Output show ship-flag.txt with size 2116)
Solution:
Get-ChildItem | Sort-Object Length -Descending | Select-Object -First 1
(Output show ship-flag.txt with size 2116)
Select-String:(=grep on Unix / findstr on Windows): find text in strings and files
Example: Select-String -Path ".\captain-hat.txt" -Pattern "hat"
Output: Don't touch my hat!
The cmdlet 'Select-String' is typically used for finding specific content in log files or documents.
The Select-String cmdlet supports regular expressions (regex) in -Pattern, and returns MatchInfo objects (file name, line number, the matching line and the regex match groups) rather than plain lines
Regex makes PowerShell a powerful tool for searching and analysing text data by matching complex patterns within files.
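The piping, filtering and Select-String material above, pulled together in an added example (not from the original notes or the THM room): a regex with named groups over a small constructed logon log, then Group-Object, Where-Object, Sort-Object and Select-Object to turn the matches into a per-source count of failed logons. The log lines, the threshold of three failures and the file name are all made up for the example.

```powershell
# Added example (not from the original notes): Select-String with a regex, then a filtering/sorting pipeline.
# The log content below is constructed for the example; the file lives under $env:TEMP.
$log = Join-Path $env:TEMP 'auth-demo.log'
@'
2024-12-09 10:01:02 LOGON_FAILED user=alice src=10.0.0.5 reason=bad_password
2024-12-09 10:01:05 LOGON_FAILED user=alice src=10.0.0.5 reason=bad_password
2024-12-09 10:01:09 LOGON_OK     user=alice src=10.0.0.5
2024-12-09 10:02:30 LOGON_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-12-09 10:02:31 LOGON_FAILED user=admin src=203.0.113.7 reason=bad_password
2024-12-09 10:02:32 LOGON_FAILED user=root  src=203.0.113.7 reason=no_such_user
'@ | Set-Content -Path $log

# Select-String returns MatchInfo objects. -Pattern is a regex; the named groups are reachable
# through .Matches[0].Groups, so the fields come out without splitting the line by hand.
$failed = Select-String -Path $log -Pattern 'LOGON_FAILED\s+user=(?<user>\S+)\s+src=(?<src>\S+)' |
    ForEach-Object {
        [pscustomobject]@{
            Line = $_.LineNumber
            User = $_.Matches[0].Groups['user'].Value
            Src  = $_.Matches[0].Groups['src'].Value
        }
    }

# Group-Object counts failures per source address; Where-Object keeps sources at or above a threshold;
# Sort-Object -Descending puts the noisiest first; Select-Object trims the columns and adds a computed one.
$failed |
    Group-Object -Property Src |
    Where-Object -Property Count -ge 3 |
    Sort-Object -Property Count -Descending |
    Select-Object Name, Count, @{ Name = 'Users'; Expression = { ($_.Group.User | Sort-Object -Unique) -join ',' } }

# The same operators on file objects: -like is a wildcard match, -gt a numeric comparison on Length.
Get-ChildItem -Path $env:TEMP -Filter '*.log' | Where-Object { $_.Name -like 'auth*' -and $_.Length -gt 0 }

Remove-Item -Path $log
```

With the constructed log, only 203.0.113.7 reaches the threshold (three failures across admin and root), while 10.0.0.5 with two failures followed by a success is filtered out. Swap the -Path for a real log and adjust the regex to its format; the pipeline after Select-String stays the same.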
System and Network Information
Get-ComputerInfo:(=systeminfo): system information including OS details, hardware specifications, BIOS details and more
Managing User Accounts
Get-LocalUser: list local user accounts
Output: Name (username) - Enabled (account status) - Description
Get-NetIPConfiguration:(=ipconfig): network interface information including IP addresses, DNS servers, and gateway configurations
Get-NetIPAddress:(=ipconfig): IP addresses information
Real-Time System Analysis
Get-Process: detailed view of running processes, incl. CPU and memory usage
Get-Process is a powerful tool for monitoring and troubleshooting.
Get-Service: output services and their status (running, stopped, paused)
Get-Service used for troubleshooting, as well as by forensics analysts hunting for unusual services installed on a system
Own research:
Show only running services:
Get-Service | Where-Object -Property "Status" -eq "Running"
Get-NetTCPConnection: TCP connections
Get-NetTCPConnection shows TCP connections with their local and remote endpoints, state and owning process ID (OwningProcess).
Can uncover hidden backdoors or established connections to an attacker-controlled server.
Useful during incident response or malware analysis tasks.
Get-FileHash: computes the hash value of a file (SHA256 by default; -Algorithm selects e.g. MD5, SHA1 or SHA512)
Example: Get-FileHash -Path ".\big-treasure.txt" | Select-Object "Hash"
Get-FileHash is useful in incident response, threat hunting and malware analysis: it helps verify file integrity and detect potential tampering
Example (filter services by display name, wildcard allowed): Get-Service -DisplayName "*merry*"
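The process, service, connection and hash cmdlets above are normally used together during triage. The following is an added example (not from the original notes or the THM room) that joins Get-NetTCPConnection to Get-Process through OwningProcess, hashes each connected process's executable with Get-FileHash, and flags binaries running from the user profile or services whose executable lives outside the Windows and Program Files trees. It is Windows-only (NetTCPIP and CIM), the "suspicious location" heuristics are the example's own, and what it reports depends entirely on the host it runs on.

```powershell
# Added example (not from the original notes): first-pass triage that ties established TCP
# connections to their owning process, hashes the process image and flags odd locations.
# Windows only (NetTCPIP module); the prefixes and location heuristics are this example's assumptions.
$localPrefixes = '127.', '::1', '0.0.0.0', '::', 'fe80:'

# Established connections whose remote side is not a loopback, unspecified or link-local address.
$conns = Get-NetTCPConnection -State Established |
    Where-Object {
        $remote = $_.RemoteAddress
        -not ($localPrefixes | Where-Object { $remote.StartsWith($_) })
    }

$report = foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    $path = $proc.Path     # $null for protected or already-exited processes
    $hash = if ($path) { (Get-FileHash -Path $path -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash }
    [pscustomobject]@{
        PID       = $c.OwningProcess
        Process   = $proc.ProcessName
        Path      = $path
        LocalPort = $c.LocalPort
        Remote    = "$($c.RemoteAddress):$($c.RemotePort)"
        SHA256    = $hash
    }
}

$report | Sort-Object Process, Remote | Format-Table -AutoSize

# Binaries under the user profile (Downloads, AppData, Temp) that talk to the network deserve a look.
$report | Where-Object { $_.Path -and $_.Path -like "$env:USERPROFILE*" } |
    Select-Object PID, Process, Path, Remote, SHA256

# Unique hashes, ready to compare against a known-good baseline or a threat-intel lookup.
$report | Where-Object SHA256 | Select-Object -ExpandProperty SHA256 -Unique

# Services: Get-Service does not show the binary path in Windows PowerShell 5.1, Win32_Service does.
# Services whose executable lives outside the Windows and Program Files trees are worth checking.
Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $exe = "$($_.PathName)".TrimStart('"')   # PathName may be quoted or empty
        $exe -and $exe -notlike "$env:SystemRoot*" -and $exe -notlike "$env:ProgramFiles*"
    } |
    Select-Object Name, State, StartMode, PathName
```

Run it from an elevated prompt: without it Get-Process -Id cannot read the Path of processes owned by other users, so those rows come back with an empty Path and no hash, which is a blind spot rather than a clean result.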
Scripting
Scripting
- process of writing and executing a series of commands
- contained in a text file = a script
- used to automate tasks
Invoke-Command: runs commands on local and remote computers (requires PowerShell Remoting, i.e. WinRM, to be enabled on the target)
(also used to execute payloads or commands on target systems during pentesting)
Example: Run a script on a server:
Invoke-Command -FilePath c:\script\test.ps1 -ComputerName Server01
Example: Run a command on a remote server:
Invoke-Command -ComputerName Server01 -Credential Domain01\User01 -ScriptBlock {Get-Culture}
ComputerName: name of remote computer
Credential: the account used to authenticate to the remote computer; it must have permission to run commands there
ScriptBlock: command to be run
Example (from the room): Invoke-Command -ComputerName RoyalFortune -ScriptBlock {Get-Service}
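Building on the Invoke-Command examples above, here is an added example (not from the original notes or the THM room) that runs one script block on several hosts at once, passes local values into the remote session with $using: and -ArgumentList, keeps the per-host results as objects, and catches hosts that could not be reached. The host names, the service filter and the idea of comparing lsass.exe hashes across hosts are this example's own assumptions; the targets need PowerShell Remoting enabled and an account allowed to connect.

```powershell
# Added example (not from the original notes): run one script block on several hosts with
# Invoke-Command and collect the results as objects. Host names are placeholders; the targets
# must have PowerShell Remoting (WinRM) enabled and the supplied account must be allowed to connect.
$targets = 'RoyalFortune', 'Server01'
$cred    = Get-Credential -Message 'Account with remote access'

# Local variables are not visible inside the remote script block; pass them with $using: or -ArgumentList.
$serviceFilter = 'W*'

# Splatting keeps the long parameter list readable. ErrorAction Continue + ErrorVariable means one
# unreachable host does not abort the run, and its error is kept in $failed.
$params = @{
    ComputerName  = $targets
    Credential    = $cred
    ErrorAction   = 'Continue'
    ErrorVariable = 'failed'
    ArgumentList  = 'SHA256'
}
$results = Invoke-Command @params -ScriptBlock {
    param($hashAlgorithm)
    # Everything in here runs on the remote host: $env:, Get-Service and the file system are its own.
    $running = Get-Service -Name $using:serviceFilter | Where-Object Status -eq 'Running'
    [pscustomobject]@{
        Host            = $env:COMPUTERNAME
        RunningServices = ($running.Name -join ',')
        LsassSHA256     = (Get-FileHash -Path "$env:SystemRoot\System32\lsass.exe" -Algorithm $hashAlgorithm).Hash
        Checked         = Get-Date
    }
}

# Each returned object carries PSComputerName, so results from many hosts can be sorted and grouped.
$results | Sort-Object PSComputerName | Format-Table PSComputerName, RunningServices, LsassSHA256 -AutoSize

# Hosts on the same Windows build should report the same lsass.exe hash; more than one group is worth a look.
$results | Group-Object LsassSHA256 | Select-Object Count, Name

# Hosts that could not be reached land in $failed instead of silently disappearing from the output.
$failed | ForEach-Object { "FAILED: $($_.TargetObject): $($_.Exception.Message)" }
```

The same pattern (one script block, many -ComputerName values, results tagged with PSComputerName) is what makes Invoke-Command useful for fleet-wide checks during an investigation; the script block is also exactly what a remoting-based attacker would use, so remote PowerShell sessions are worth monitoring on the receiving side.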