- So John, what is actually PowerShell?

- So PowerShell is a scripting language and modern command line shell for Windows system administration. You could use it to manage the registry, perform WMI commands, search for files, you could query domain users and groups, and really so much more.

- Oh excellent. Is it something that is only Windows specific, or can you run this in other operating systems?

- That's a great question. Actually, in 2016 Microsoft released PowerShell Core, an open source and cross-platform version that runs on top of .NET Core. So now individuals can run PowerShell commands on Linux and Mac in addition to Windows, whereas before it was just Windows.

- Oh wow, okay.

- So we do have an entire section coming out dedicated to PowerShell security. Why would we dedicate an entire section to PowerShell?

- Absolutely. So one, PowerShell is actually getting a lot of attention from a lot of security folks out there, and the reason for that is because PowerShell allows you to actually do a lot of things in the system that traditionally you actually have done with other tools and other mechanisms. There's even a joke between security professionals saying that, "I don't need an expert anymore, I just have PowerShell." And the reason for that is because you can actually invoke a lot of these commands and do a lot of things in the Windows environment, and now, as you mention, in other environments as well, without triggering a lot of alarms that can actually be set up by endpoint protections, things like antivirus, host-based firewalls, and host-based intrusion prevention systems. Since it has also become kind of a factor in the Windows installations, it's a Swiss army knife for a lot of security professionals nowadays, and that's the reason that we want to actually dedicate a section to it.

- PowerShell sounds like it can do a lot, but it sounds like it might be complicated. Do you need to be an expert in order to use it?

- Not at all, and I think actually- You do have to have some familiarity, of course, with PowerShell. You have to know a little bit of actually the command line in Windows, how to actually execute some of those commands and everything. You do not have to have a PhD in PowerShell. So what I urge you is, if you're just getting started, of course to play with it. That's one of the things that you're gonna do now, right? You're gonna do a demo on how to use PowerShell from a high-level perspective, and then in other lessons you're actually gonna deep dive into the attack tools, right?

- Yep, exactly. So we'll start off with regular PowerShell in Windows and then we'll start using PowerShell for ethical hacking purposes.

- Excellent.

- Okay, let's have a look at how PowerShell works on a Windows machine. So right from any Windows command line, you can type in powershell and it goes into the PowerShell command prompt. You can see that it's changed to PowerShell because on the left side it now has a capital PS next to it.

So now we can type in various commands. If you wanna get help at any time you can type in Get-Help and it tells you exactly how the help page works. So you type Get-Help and then a process name, and it'll tell you how to get help on that process. Now if you type in Get-Help x* then it pops up all the different processes that you can get help on. So we could just pick a random one from the list. Let's pick registry, and we can type Get-Help registry and it pops up a list of examples and ways you can use PowerShell to interact with the Windows registry.

So, we want to pull some groups from the system. We can type in Get-WmiObject Win32_Group and you can actually find all the different groups that are on the particular system, so you can see there's an Administrators group, which would be the obvious target for any attacker. There's also the Users group, Guest group.

If we want to invoke certain commands, we can even run certain legacy commands as well. So the net localgroup administrators command that you run in a non-PowerShell environment works here as long as you put it through Invoke-Command; in parentheses you can actually put in that command and it will run inside a PowerShell command. You may ask why you would run a simple command within the more complicated PowerShell command, and really it's because you can do additional functionality with that. So in a PowerShell command you could also run that particular command on other machines on your network as well. But at least working on a local machine for demo purposes, you can see that it popped up a couple of administrators. There was an administrator set training and a Zoro user on the system.

Let's look at other commands that we can run. There is a take screenshot command, which is not something that's built in to PowerShell, but it is something where we can take advantage of other people's scripts. If you go to Microsoft's website, they have a list of PowerShell scripts that you can run. We're gonna download their take screenshot command. You can see they have the .ps1 extension. We're just looking at, we downloaded the file onto our desktop and we can see that it is take-screenshot.ps1, and now we want to run this on our system. This is the full command we're gonna run, basically saying powershell, execution policy RemoteSigned, which basically says we're going to allow execution for this particular command. Some commands will not let you execute without additional permissions; we are basically saying, "Allow this command to run." And then the command is the take-screenshot.ps1, which is running that script that we just downloaded, and some of the command line switches within that task: -screen, which basically says we're taking a picture of the entire screen, and then the -file, which is asking which file to put the screenshot into. So we're dumping this into a test.bmp file. So if we run that, we can see that it took a screenshot of our desktop and put it into this file.