
New Shell in Town: Adventures in using PowerShell on Linux

BSides Augusta · 58:11 · 152 views · Published 2021-10
Category: Technical
About this talk
It is no secret that PowerShell is a powerful language inherent to Microsoft Windows. As such, it is used for system administration, threat hunting or even malicious activities. With the language now being open-source, it is available on Linux distributions, making it a viable contender for defenders and malicious users alike. This talk will dive into and demo using and incorporating the language on Linux platforms from firsthand encounters, enabling you to be more agile and versatile when interrogating and conducting analysis.
Transcript [en]

[Applause] Okay, so at some point I guess my slides will show. Okay, so welcome, everybody. This is my talk, New Shell in Town: Adventures in Using PowerShell on Linux. I'm Fernando Tomlinson, and Gail, I certainly appreciate the introduction. A little bit more about myself: I'm recently retired from the US Army, 10 days or so. The beard is something I'm trying out. Oh, the warrant officer, yeah, thank you, thank you. I was a warrant officer in the United States Army, 20 years. The first half of my career, if you will, was focused on system administration; the latter half was focused on cyber, a very defensive and offensive focus. I'm a Purple Heart recipient.

I was in the wrong place at the wrong time, but I'm here, and I'm certainly happy about that. I'm also a cybersecurity adjunct professor, where I teach a number of subjects: PowerShell, Python, Linux, also digital forensics. For me, that allows me to share kind of what I know, what I've seen, what I've experienced, and share that with other individuals who are looking to also progress, or also have interaction with other people as well. I'm a developer of various blue and red team PowerShell tools. I think the language is certainly amazing given the task at hand, not necessarily one that you will use for every operation or instance. I'm also a co-author of the PowerShell Conference

Book, Volume 2. This book, I make no proceeds from it. The purpose of the book is to take the proceeds and give them to underrepresented, underprivileged individuals, allowing them to get their start in cybersecurity. I recall 20 years ago I didn't really know computers, right? Things have changed, obviously, but I too got a start by way of somebody taking some time to help me, and I want to do the same thing for individuals, and that's where the proceeds go for that book. I developed a number of interactive PowerShell training platforms because I believe in the language. I want to make it easier for people to grasp the language and understand it, and

I'll talk a little bit about those later on in the talk. And I'm on the interwebs in a number of places. But enough about me, right? You're here to really talk about PowerShell on Linux. As I was putting this together, there were a substantial amount of things that I wanted to shove in here, and that's no different than really any other topic I talk about, but I've lowered it to a number of things that we see on the screen there. So what is this PowerShell? Well, it came to light in 2006, birthed as PowerShell, but it really was developed back in 2002, when it was originally named Monad. It's implemented really as a

piece of Windows as we traditionally think about it. It can be embedded from a GUI or console perspective. It goes beyond just the binaries that we know to be powershell.exe and powershell_ise.exe in Windows; really the DLL, which is compiled .NET, is the actual PowerShell itself. It's a scripting language, I like to definitely say object-oriented in nature. What makes it great is we're piping actual objects as opposed to raw text. So as I talk a little bit more about Linux, if you're a Linux person in here, you know to get particular data sets within an output you might be sed-ing, awk-ing, cutting, or cut, awk, sed, right, some variation of it, trying to get

particularly what you want. But in PowerShell we can convert those things to objects; we can get exactly what we want when we need it, in a very timely fashion. Now, the thing that also makes PowerShell great is it's built on top of .NET. It is .NET at its core, so that gives us access to a range of .NET classes. It also allows us to get data in a way that we traditionally wouldn't be able to do. Specifically from a Windows perspective, we have Windows APIs that make those things available to us. Now from a blue team perspective, well, generally there are some great advantages. If this was very specific to Windows, the top bullet would say it's

already resident in Windows 7 and Server 2008, right? But since we're talking about Linux here, some of the things are still the same. We have access to the API, specifically when we are remoting from Linux to Windows, right, which is what we'll do through one of the demos. We have the ability to track its use, the abuse of it, within our system. Now granted, we need to do some configuration changes to enable that; however, we have the ability to gain that visibility. We have the ability to make endpoint detection and response capabilities, and we can encrypt that, so that way if somebody is already on our network we're not just sending that stuff over the wire in plain text. And

for you who may be in an organization where you can't afford the next-gen EDR, or may not be allowed to put an open-source platform on your network, you can build detection scripts and things to kind of get after your task in lieu of having those things. Now the things that make it great from a blue team perspective, well, one could argue also make it great from a red team perspective. I enjoy going to a friend's house, and when I inquire about what I should bring, maybe an adult beverage, they say, "Nando, don't worry about it, we just want you to show up." Well, from a red team perspective, with PowerShell enabled, that

is kind of the same concept: that one may be able to get through their red team objectives by utilizing what's already there. And because admins may not be too accustomed with PowerShell, there is a chance they might be using the older version, depending on what version of Windows they're using, or if they're using a new version they may not have it configured right to be able to illuminate things that are being abused from a red team perspective. It also is noted that, hey, from a blue team side, encrypting the traffic is great; that is equally as important from a red team perspective. And depending on how we're using it, we can execute it in

such a way where it doesn't touch disk, reducing our abilities to be found. And it's script-based, so when we look at detection mechanisms, well, we can continuously do a cat-and-mouse game, and that aspect can quickly shift and bypass those mechanisms. Now, if that isn't enough, I look to something like CISA, right? So based upon 2020 reporting, CISA noted that from an execution standpoint, for incidents or evaluations that they responded to, PowerShell continues to lead the pack. From an execution standpoint, 24% of those indications were based upon PowerShell last year. Excuse me, the year before that, 2019, it was something like forty-something percent, so it's decreased; however, it continues to lead.

This is not going anywhere. If we look at the use of the language as a whole, well, there's tactics that are red-specific, but some of them overlap on the blue side or system administrator perspective, and the same could be said for sysadmins and defensive folks in nature. Now if that's not enough, I like to present, you know, maybe something that I call objective in nature, and that's going to be RedMonk's take on the use of the language. Based upon the number of pull requests and commits in GitHub and the tags associated in Stack Overflow, we're able to see a, I don't want to call it a popularity, but popularity for lack of

better words, of where PowerShell stacks up. Now I recognize it's not at the very top. I'm okay with that as a PowerSheller, right, because I see things that should certainly be there, specifically C, definitely some Python and a number of other things. But it's not at the bottom, right? And for somebody who is dealing with this language that is so versatile, that speaks volumes. Now if that's not enough, because as we talk about red and blue and maybe some sysadmin aspect of it, well, there's a gentleman who developed a module to control his Tesla, right? And bless him, I really wanted to test this for myself; however, my wife would not allow me to get a Tesla, and I don't have

one. I tried to go to the dealership and they weren't too keen on me testing it either, so I'll just have to take the man's saying, you know, for what it is. Now you may be thinking, well, is this a joke, right? Red team, blue team, sysadmin, what CISA's saying, controlling your Tesla, RedMonk, all these things. Well, no, I'm very serious. And as I continue here it may seem like I work for Microsoft, and I don't, right? I am certainly a fan of the language because firsthand, from a blue team perspective, I've seen the power within it; firsthand, from a red team perspective, I've seen the power in it. So

I just want to really set this disclaimer, right, and you see it before you can read it. Now you may be saying TL;DR, too long, didn't read, or you might be saying too small, couldn't read, so let me sum this up for you. I'm not saying PowerShell is the best language for every situation. I am merely highlighting how powerful it is as a cross-platform language. Your environment, the task at hand, will really depict if this is the best approach for you. All right, so with that, there's a number of versions. You might have heard of Windows PowerShell, this Windows, I'm sorry, PowerShell Core and all this other type stuff. What is all of this? Well,

Windows PowerShell is specific to Windows, and Microsoft isn't developing on that anymore. The last version is Windows PowerShell 5.1, and as you look at the chart you can see what version of PowerShell becomes resident with each version of operating system. Now just because Windows 7 comes with PowerShell version 2 doesn't mean it can't be upgraded to version 5. If you still have Windows 7 in your network, you should absolutely do so; Windows PowerShell 2 doesn't have good security features, right? Now I say that because as we move on, Microsoft has put all their eggs in PowerShell Core, the cross-platform version. This cross-platform version, well, it's PowerShell for everyone. If you're using

Windows, you can absolutely use Core. If you're using Linux, different variations and distros of it, you can use it there, and if you're a Mac person you can use it there as well. There's other platforms that also support it, so if you're using Docker and containers, or, you know, maybe you're going to pull down the latest Kali repo, that type stuff is already in there for us as well. We can have Windows PowerShell 2 through 5 installed on the same system, from a Windows perspective, that we have PowerShell Core 6 and/or 7, so this is great; they can be installed side by side. Going deeper with this PowerShell Core: it was announced in 2016, hey, we're going

to open-source this thing, we're going to make PowerShell for everyone, or everything. All right, 2018, that's when it hit the streets, and in some respects people were racing to it. I know in my organization we certainly were taking advantage of the previews and getting it on our systems. Now at the end of the day, this is still built on .NET. It is not a full subset of .NET; it is .NET Core, a reduced aspect of it, but we still have access to some classes within .NET that are built within that core functionality, so that still makes it a plus. Again, Windows, macOS, Linux, and when we're launching this on one of those systems, regardless of

the platform, PowerShell Core, it's actually pwsh.exe. It's going to be installed, from a Windows perspective, in Program Files; from a *nix perspective it's going to be in your /opt folder. All right, so when you go out to their GitHub, because it's again open source, you'll be presented with something like this, and you can see the chart. You have a couple of options for downloading it and installing it: you can have an LTS version, the stable, whatever the preview is, and then they specify how to install it for each. If this is not necessarily your flavor, well, you've got a couple of options for how you can install it. Simply, you can browse out to the GitHub

mainly, download it and manually install it. Okay, right? If you're in cyber you may be a little lazy when it comes to the keyboard; I'm guilty of that, right? If I have to do something more than one time, or if I can automate it, I certainly want to do that. So I then look at option two, where somebody's made a script where we can actually download it, and then it will reach out, download the binary, and then do the installation for us, right? So use the script, it downloads PowerShell, and then we can install it; that's a manual thing. Or there's another one-liner that not only downloads PowerShell, it also

installs it, but then we have the ability to install VS Code and a number of other things with it, right? So if you're using PowerShell Core you're going to need an editor. You might be one of these hardcore folks where it's like, no, vi or vim till I die. Okay, right, that's still an option for you, but, you know, you might want to use VS Code. We can do that as well. Now, walking through this, because I want to show how easy it is, right, because you may not be using PowerShell because of this understanding that it might be difficult to get started with. No, it's very simple. So I'm going to go through

with option two. I utilize a simple wget to pull it down. I just installed it to my local system because I want to walk through it; you could have used the other one-liner to do it all for you. And then once I have it downloaded, I'm going to run my install-powershell.sh, right? I would have chmod-ed it and changed the permissions to make it executable, but you got that. Now within that script, as I look at it, I see a number of switches. Those switches enable me to install VS Code, also install the PowerShell extension as well; that's going to help my user experience when I'm within that IDE. Now once I'm there, right, I've already

looked at the script, seen those switches. Now I'm just going to execute the script, I'm saying install the IDE with it. It's going to go through all the checks associated with it, install, and actually, I'm sorry, download and actually install it for me. Now, as I talk about VS Code, because it kind of goes hand in hand, any editor would suffice, right? So when you're traditionally on the Linux box, if you're not using VS Code, you might be using vi, you might be using vim, right? Some of us might be using gedit or Mousepad. Look, this is not a place in which I'm judging you; however, what I am saying is an editor is an

editor, and whatever works for you works. If you're using VS Code with the PowerShell extension, well, you get some things that you might be used to from a Windows PowerShell perspective when you're using the ISE: IntelliSense, right, brace matching, all the great things that we don't necessarily want to have to think about when we're actually developing. We just want to work in a seamless environment. Now when we look at executing commands within PowerShell, I mentioned pwsh is the binary within Linux for PowerShell, so we can execute pwsh and drop down into an interactive session within PowerShell, right? Or we can just call upon said binary and then give it a

switch of -Command and execute a command, whichever one works best for you. I'm a big Reese's fan, right? There's a number of ways to eat that thing; it all makes it to the end, the destination, right, if you will. Now, being a huge PowerShell fan, when I moved over to Linux and Mac with it, I was like, this is great, I'm going to do all these great things that I already know how to do in Windows, maybe I'll dial down some of my Python and just kind of focus here. Here's a couple of gotchas for now, and they may not be gotchas in the long term. One of them is, guess what, PowerShell, specifically when you think about

Windows with PowerShell as well, is not case sensitive, but Linux is case sensitive, right? So it's not case sensitive until it is, specifically, as an example, when we're trying to browse part of the directory structure, right? Desktop, Downloads, that's going to be uppercase, so we need to be cognizant of that. If we would have started on the Windows side specifically with it, we would have certainly gotten used to just typing it as is. PowerShell from a Windows perspective, in our Alias drive, had a number of aliases that made it easy for us to get started with the language. For example, you jumped on PowerShell on Windows and you're like, I came from Linux, I want to

be able to read a file. Well, you just type in cat. That alias of cat was really tied back to Get-Content in Windows. So while that got you started using PowerShell in Windows, you now move over to Linux and those aliases may not be there, because there are actual commands in Linux. ls is one, for example. ps in Windows PowerShell will give you a process list; ps in Linux still gives you a process list, but not in the same fashion in which Get-Process would do it. All right, so we have to be cognizant of that as well. There are substantially less cmdlets in PowerShell Core, specifically on my example here, because I use CentOS, than what there is in

Windows PowerShell. At the moment, my CentOS shows 274 cmdlets, PowerShell Core 7 on a Windows machine shows 5,040, and my Windows PowerShell 5.1 shows roughly 5,200. All right, some of them you may not even be missing; some of them you will absolutely recognize they are gone, right? So now that Microsoft has moved away from developing specifically on Windows PowerShell for the Windows operating system and now are opening their aperture, right, it's going to take a little bit of time for those things to catch up. We also have to be cognizant that the Windows operating system is significantly different than some of these other operating systems, so some of them may not ever be there. A great feature is PowerShell remoting,

right? When we think Windows to Windows, PowerShell remoting, right, awesome. We have PowerShell remoting with Linux PowerShell Core, but it's executing over SSH. Not a bad thing, just something for us to be cognizant of, and we'll walk through; I'm actually doing that and executing commands here in a minute. The bad thing about that, not the bad thing, the thing that we just need to be aware of, is we don't have WS-Management support, which then leads us to not be able to execute the simple command we may be used to from Windows, Enable-PSRemoting. Yeah, that doesn't exist. So we now have to be in such a place where we need to not

only enable PowerShell remoting, but we need to configure it. So since it's using SSH, we now need to have an SSH server and client, and then we need to go into the SSH config and we need to allow it, but then we have to specify that as connections come in that are for PowerShell, they need to be sent down to the subsystem, which is then PowerShell. So it's almost like a broker, if you will, but it seamlessly works once configured, right? If you're like me, well, you might like Windows Management Instrumentation, or CIM, Common Information Model, right? But in Linux we don't have that right now. There is a project to get after a long-term solution, being Open

Management Infrastructure, which is going to give us that management information that we are used to, maybe from an admin perspective, or one that you are able to leverage from a defense perspective, or one that you're able to certainly take advantage of and abuse from an offense perspective. But right now we don't have that, so that kind of hurt a little bit, but something to be aware of. Commands can be blended, so I can take my pure PowerShell cmdlets and I can pipe them to resident commands within Linux, so I can blend those together, right? Now you may want to be cognizant of kind of what you're trying to get after in output, but

nonetheless, we can absolutely do that. The help documentation: I'm typically one, right, when I start to talk to you about PowerShell, I want to show you the help and show you how to use it, right, so beyond our conversation you can kind of fish and, you know, support yourself. The help documentation from a PowerShell Core perspective is a work in progress. As we recognize there's substantially less cmdlets in PowerShell Core, a lot of the cmdlets still kind of speak towards how do you do it from a Windows perspective. So it's a work in progress, right, but nonetheless the help is generally good. I found great use of Out-GridView in Windows PowerShell, right, the

visual Excel-like pop-out that allowed me to do some parsing and analysis from a tactical perspective; I loved it, right? That doesn't exist in PowerShell Core, so again, something to be cognizant of. We recognize that when we look at hard drives, well, these hard drives from a physical standpoint have sectors on them, and we are able to load an operating system on there that then makes those sectors available to us within our operating system, i.e., the file system: C drive, D drive, E drive, whatever. Well, PowerShell has these drives that seek to do essentially the same thing in some respect. So from a Windows perspective we have not only the file system mapped, we

have a drive for aliases, variables, functions, certificates, right, if you're hunting expired self-signed certificates or what have you. It also maps the registry, so we can browse the registry almost like we're browsing a file system, and that's great. Now you may recognize that some of these things don't exist in Linux, and you're correct, and where it doesn't exist in Linux, well, those types of drives don't exist. And looking at it, we see a key difference between the two, but nonetheless we still have our drives, we still have the ability to map said drives, we just don't have the things that are common to Windows in our Linux machine, and that makes sense. One of the greatest things Microsoft did

in terms of PowerShell was create logging features, right? So script block, module, transaction, or transcription rather, well, those type things still exist from a PowerShell Core. They're not on by default; we need to create a config file that actually enables it. So this is going to be in /opt/microsoft/powershell/7, or whatever your version is; the config file is going to sit there, and there's a template that you can download off of Microsoft's sites, or you can just kind of make your own and deploy it. When it logs, it's very verbose, much like the Windows PowerShell aspect of it. Depending on the distro and the flavor, it's going to log in a couple of places, so from a Red Hat

perspective you see it's going to go to messages or secure; from a Debian perspective, syslog or auth.log. Now when I go in there and I start looking at that, I have all kinds of stuff that are mixed in, and I want to be able to separate the specific PowerShell Core stuff versus some of the other stuff, so I'll put a link up here to my GitHub where I've gone through and made a script, the parser, to be able to do that so you can see just the PowerShell-specific stuff. But it's simple for us to create and enable this logging, and really what we need to be cognizant of is once we have that config file, excuse me, we'd just

need to restart our PowerShell instance and we are good to go. Parsing logs, wow, right? Everything is just raw text, if you will, from a text file perspective in Linux, and cool, grep is your best friend if you're just a Linux person. But I want objects, right? I want to be able to grab specific properties, I want to be able to utilize methods associated with said objects, and guess what, PowerShell enables us to be object-focused in nature. Either the cmdlets are going to enable that or we can turn this flat text into objects ourselves, and where we have to do that, once, right, we work hard up front to be able to reuse it many

times. We can now share that parser to be able to actually do that. So, I mean, what are the big things? We want to be able to manage this data, we want to be able to manipulate it and store it. The quicker and more easily accessible this type of data is, the more effective we are at problem solving, right? Let's think about this: if I'm red team focused, I want to inundate you with data, I want to bypass your ability to manually process this data. From a blue team perspective, I recognize that I need to put this data in such a format that I can easily understand, digest and act upon,

and this is where the objects come into play. So as I look at the screenshot here, you have where I'm looking at /var/log/secure, and then I've already used a parser that I created that's on my GitHub (I'll get to that at the end), where I'm now able to just look at that log file as an object. So I have a property called time, I've got a property called process ID, message, and I can get to what I want. If I want just the process field, well, I can select and return just that process property, right? That is a game changer for us. As we look at even just the processes, ps aux, well, we recognize what that's

going to give us; that's generally what we're going to use when we're on a Linux machine. And when we execute Get-Process from PowerShell, well, it has its default presentation of what properties it shows us. But if we wanted to replicate what ps aux is showing us versus what Get-Process is, well, we just do what I have before us: we call upon Get-Process, we select those properties that we want to see, and they present themselves. This isn't here where I'm like, well, I've got to cut that, and let me count this, and sed and awk, and let me change it again. No, I select the property I want to see, that property is returned, right, and I'm able

to continuously shape that, and I don't have to think about switches: is it, oh, is it a big A, what's the property name? All right, now leading or following on with that, we've already mentioned kind of how objects are great, and I just want to highlight something as simple as retrieving all PIDs. From a Linux perspective, well, we have a number of switches and methods for us to do it. We could almost take a half a day and go through where everybody comes up with their own way to pull just a PID. Nobody has time for that, not when I'm chasing an adversary and time is of the essence. So if I'm in PowerShell and I just want the PID, I

select the Id and I'm done with it, and I can rinse and repeat that every time. Mentally, that's something easy that I can digest, understand and act upon, as opposed to me, big A, little a, big O, little o, let me look at the man pages, ah, right? From a defensive, maybe offensive, perspective, generally everybody is going to want to do some form of a survey. What's in your survey from a day-to-day perspective may be different than what I'm highlighting here; a survey is a survey. I want to get a better understanding of the system so I can then make a decision of what I'm going to do next, and a lot of those things are pretty common in

nature. Because they're common in nature, if you're already using PowerShell on Windows you'll be able to utilize those same commands in this fashion to get that data. It's not how do I get the process list in Windows and now how do I get the process list in Linux; it's I use the same command in both to get that data. A couple things I do want to highlight on are services, installed packages and cron jobs, because at present PowerShell Core on Linux doesn't have a cmdlet to do that. So I recognize that's a key task, developed some code, put it out through my GitHub because I want to share it with the community. And why are we looking at

services? Well, we want to understand process data, processes that are being run. We want to understand when they're being used, what they're actually doing for us, and let's be honest, malware is going to execute in one of two places: on disk, in memory. If it's on disk it's going to execute; we want to be able to actually illuminate and see that. Now again, PowerShell doesn't have a built-in method for us to do this, PowerShell Core, and as I look at the screenshot, the top one, top right, is just me looking at systemctl, because I'm in CentOS, and that data just coming to the screen, blah. I could grep my way through, right, or do some sed, cut, cut, sed,

whatever, to get specifically what I need, but instead, create a script, and now I get that thing back as an object, and it's in a usable format that an analyst can understand and actually act upon. Same thing with packages, right? I've already changed this to an object, and now that I have that object I can specifically filter for what I want. I can look for where, you know, it's just all packages, giving me all the package names; I can look for where the package itself starts with "power", right? This is rinse and reuse, repeatable. Doesn't matter if I'm on Linux, Mac or Windows, that is still the same once I have it as an object.

Cron jobs, one of the bigger ones, right? So when we think of cron jobs in Linux, the closest thing we might have had to that in Windows is scheduled tasks. I want to be able to see this, I want to be able to understand it, digest it, act upon it, because an adversary is going to look for some form of persistence, right? This is pretty simple in nature, but when you look at your cron jobs, right, unless you're looking at them on an everyday basis, you're like, okay, let me see, the third one I think is hour, maybe that's day of the week, what does that one mean again, right? So you create this parser that not only

transforms it to an object but puts it in a usable format for you, the analyst, so you can save time each time and get after your tasks and objectives. So, suspending processes. This was key. I started doing this from a Windows perspective, right, responding to an incident, something malicious is happening, and it's almost like responding to a bomb, if you will. Well, let's defuse it. Well, hold on, we've got to understand what we're doing here, but the time is ticking. So if I'm able to suspend that process, to essentially pause the time from ticking, now we can kind of have a conversation about the best way forward without having a next stage kick off or whatever is actually

happening. Bringing that over to a Linux perspective, well, I can use almost the same code, a little bit different from a Windows PowerShell perspective, but the mindset is still the same. So we can suspend, resume, set process when and how we want to. This allows us to actually retrieve, I don't know, ransomware keys, may stop ransomware from actually continuously encrypting a drive if we can catch it at the earlier stages, and depending on what that binary is, we can stop the breaking of critical processes. All right, so let's walk through this and show an example.

all right so from this perspective i'm gonna go in and i have i'm in the linux box i have my vs code here and then i have some another window off to the side i don't need that so i'm going to come in and i'm going to get the pid the process id associated with my powershell process on the right that is the one that i'm going to execute um a little script that simply just uh loops through it doesn't do anything other than that all right so it's looping through my pit is five six six two nine so i'm gonna come over here and i'm going to execute my code it takes one parameter and that parameter is id

i'll feed it 56 56629 and we see that on the right hand is still going and i'll execute it i pause that process it is now in a weight state it's not taking any more instructions so now my team and i we can think through logically what we're going to do as opposed to in a hasty position just do something that may cause the situation to be worse right like i don't want to be here all day kind of dealing with this so let's think through this logically and then once we get to a point where we can move on we'll resume it or you may be working with malware in such a in a

range where it executes it then pops itself into another process and then dies off but it happens so quick so you can get to a point where you can actually pause that and then you can actually dump that sample but now that we've kind of talked through it i'm going to go ahead and resume it and i just have another function resume a process that does the inverse same thing one parameter and we're going to feed it our pit and when we're done it resumes so no harm no foul will it work for what you're trying to do in your organization maybe situational dependent however there's been huge benefit in my organization and the jobs for

assignments that i've been on where it has
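The pause-and-resume demo above, written out as an added example for PowerShell 7 on Linux. This is not the speaker's code (his scripts live on his GitHub, not on this page); it assumes Linux signal numbers for x86-64 and ARM (SIGSTOP = 19, SIGCONT = 18) and reads the scheduler state back from /proc so the responder can confirm the process really is frozen. The PID in the usage lines is a placeholder.

```powershell
# Added example (not the speaker's code): pause and resume a Linux process from
# PowerShell 7 by sending SIGSTOP / SIGCONT through libc's kill(2).
# Assumes Linux signal numbers (SIGSTOP = 19, SIGCONT = 18 on x86-64 and ARM).

# P/Invoke into libc; .NET on Linux resolves "libc" to the system C library.
# Guarded so the script can be dot-sourced twice in one session without an error.
if (-not ('LinuxSignals' -as [type])) {
    Add-Type -TypeDefinition @"
using System.Runtime.InteropServices;
public static class LinuxSignals {
    [DllImport("libc", SetLastError = true)]
    public static extern int kill(int pid, int sig);
}
"@
}

function Get-LinuxProcessState {
    # Returns the one-letter scheduler state from /proc/<pid>/stat:
    # R running, S sleeping, D disk wait, T stopped (SIGSTOP or traced), Z zombie.
    param([Parameter(Mandatory)][int]$Id)
    $stat = Get-Content -Path "/proc/$Id/stat" -Raw
    # The comm field is wrapped in parentheses and may itself contain spaces,
    # so parse from the last ')' instead of splitting the whole line on spaces.
    $after = $stat.Substring($stat.LastIndexOf(')') + 1).Trim()
    return $after.Split(' ')[0]
}

function Send-LinuxSignal {
    param([Parameter(Mandatory)][int]$Id, [Parameter(Mandatory)][int]$Signal)
    if ([LinuxSignals]::kill($Id, $Signal) -ne 0) {
        $errno = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "kill($Id, $Signal) failed with errno $errno (1 = EPERM: not your process, 3 = ESRCH: no such PID)"
    }
}

function Suspend-LinuxProcess {
    # Freeze a process without terminating it: it stops being scheduled and
    # cannot progress to a next stage while responders decide what to do.
    param([Parameter(Mandatory)][int]$Id)
    $proc = Get-Process -Id $Id -ErrorAction Stop   # fails clearly if the PID is gone
    Send-LinuxSignal -Id $Id -Signal 19              # SIGSTOP cannot be caught or ignored
    [pscustomobject]@{
        Id    = $Id
        Name  = $proc.ProcessName
        State = Get-LinuxProcessState -Id $Id        # expect 'T' once the stop is delivered
    }
}

function Resume-LinuxProcess {
    param([Parameter(Mandatory)][int]$Id)
    Send-LinuxSignal -Id $Id -Signal 18              # SIGCONT lets it run again
    [pscustomobject]@{ Id = $Id; State = Get-LinuxProcessState -Id $Id }
}

# Usage (56629 is a placeholder for the process under investigation):
# Suspend-LinuxProcess -Id 56629
# Resume-LinuxProcess  -Id 56629
```

Two points worth knowing when using this in an incident: Stop-Process on Linux sends SIGKILL, so it is not a substitute for a pause, and SIGSTOP only needs the same user as the target (or root for someone else's process), so a non-privileged analyst account can still freeze what it owns.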

So you might have been on Linux before and just used the simple HTTP server in Python. Does exactly what you needed to do, how you needed to do it, when you needed to do it, right? So, very hasty in nature: stand up a server. Maybe you want to go get a second stage of your payload; maybe you're an AD sysadmin, a defensive person, and you just want to go grab something to get it to another machine. Either way, we can set this server up, fully customizable in nature. If it's a well-known port, we need admin rights. If it's not a well-known port, then guess what, we can do this as a standard user. By default I have it set to where it serves up content on the desktop, but you can fully customize that as well, however you need it, when you need it. So let's walk through this as well.

Okay, in this perspective I'm calling upon the PowerShell program and I'm going to execute my code. It's bound to 9046. So I'm now just going to come back over to a PowerShell instance I have on Windows, and I'm going to utilize Invoke-WebRequest, very simple; use BITS transfer or any other, you know, unique way to reach out and grab that information. I'm hosting it on 9046, so when I execute that, just on 9046, I get that text data back about it. Now I could get the text data associated with whatever I have on my desktop on that server. In this case I have a script that's just test.ps1. It doesn't necessarily have to be a script; it could be whatever you want it to be. Same thing: I'm going to get that text data back. If I want to actually store or save a copy of that, well, I can utilize the Out-File switch, parameter rather, and then specify a path. I'm going to save this to my local directory, which executed this, which is wolf, and I'm going to save it as bsides.txt instead of actual PowerShell. Now when I do that, oh, you guessed it, I get a copy on my local machine, and when I'm done I just go ahead and tear down that other server. But it's very simple, it's very quick, and it's something like 50 lines of code. Probably could make it a lot less than that if we weren't worried about formatting and trying to make it pretty, but certainly seeing the versatility associated with the language we were already comfortable with from a Windows perspective, but being able to do it on Linux.

If that wasn't enough, web shells, as you could imagine, as you know, are certainly a big deal. Specifically when I'm hosting content, or I have a server that is hosting content, when I look at traffic, traffic headed to that server on well-known ports, if you will, doesn't necessarily cause concern; they certainly don't necessarily stand out. But these web shells can serve as a method of persistence for an actor to be on our system. Well, typically we're thinking PHP, ASP.NET, what have you. Let's do this in PowerShell, all right, where we can have this PowerShell script serve this content up for us, customize it the way that we want and how we need it. Now the one I'm going to display here is very simple in nature: you'll navigate out to the path, we'll feed it a subset of the URI and then specify the command that we want. But you can have full-fledged GUI applications just off of this, kind of blending in with whatever else is being served there, and for us to do that, well, it's not as intuitive as it may sound. It too is a relatively short amount of code; we're talking maybe 40 lines of code. So I'm going to come in and we're going to execute said code here. I'm binding, or opening, a port, 9035. The same thing though, right: I need to make sure I have applicable rights, or I can bundle it in such a way where it's being served through the same path of that application. This is clear text at the moment; however, you can certainly attach your own certificate to it, be it self-signed, Let's Encrypt, or one that you buy yourself. Now once I have this, I'll then come out and we'll navigate to it. So at the index of that web server, all it does is return a string. But let's say I wanted to actually execute commands. Well, I have in there you can specify a command. I might say whoami, and then it's going to return that information for me. Let's say I want to execute something else, maybe get a process list; we'll get that information back as well. All right, we're talking 30, 40 lines again; could probably compress it a lot more. The smaller the footprint the better, as you could imagine. But cross-platform: doesn't matter what box I'm really landing on. Maybe a couple of lines differ if it's Linux versus Windows, but I'm not having to make a full-fledged web shell for this operating system and then make a full-fledged one for that. Instead I'm just really writing it once, using it many times.

So, PS remoting, right. Again, I had mentioned earlier, this is happening over SSH. All right, we're going to require PowerShell Core or higher, right; we need an SSH client and server on both of the systems that are going to be taking part in this. And this is essentially creating a PowerShell host on the target machine as an SSH subsystem, which is why when we configure SSH within the config we're saying, hey, anything bound for PowerShell, go ahead and send it to the subsystem of PowerShell. Traditionally PowerShell remoting has been Windows to Windows; traditionally it has been 5985, plaintext HTTP, or 5986 for HTTPS, because we were able to use WinRM, right, to do this on behalf of us. But we don't have that here. If we look at how it actually operates, well, it's something like this. We have the PowerShell client on both systems. As the client is trying to connect to said server, if you will, PowerShell is sending that information to that SSH client, in this case we use OpenSSH. That OpenSSH client is then doing the configuration or settings negotiation with that SSH server; the SSH server is then passing it through the subsystem down to PowerShell Core, and vice versa on that. Now if you're not too keen on OpenSSH, or just using SSH as a whole, well, if you're doing red team activities you might be familiar with socat. Well, you could use socat as well. One thing that I have not been able to get to work is other variations. But now we have endless possibilities for us to do it, as opposed to SSHing into a Windows machine and then just calling upon PowerShell and leveraging it. No, we can utilize some of these things that are already configured to transform, translate and send data on our behalf. So let's look at how we just utilize this at the simplest level.
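The SSH-subsystem setup and the session flow the speaker describes (and then demos), as an added example that is not part of the original talk or the speaker's own scripts. It assumes PowerShell 7 (pwsh) and OpenSSH on both ends; the target address 192.0.2.10 and the account name nando are placeholders. The sshd_config lines are the ones documented by Microsoft for SSH remoting; the Windows variant uses the 8.3 short path because sshd cannot quote the space in "Program Files".

```powershell
# Added example (not the speaker's code). Assumes PowerShell 7 and OpenSSH on both ends.
#
# One-time, on the machine being connected TO: register pwsh as an SSH subsystem in
# sshd_config (/etc/ssh/sshd_config on Linux, %ProgramData%\ssh\sshd_config on Windows)
# and restart sshd. One line, matching the target platform:
#   Subsystem powershell /usr/bin/pwsh -sshs -NoLogo                      # Linux target
#   Subsystem powershell c:/progra~1/powershell/7/pwsh.exe -sshs -NoLogo  # Windows target
# Also make sure PubkeyAuthentication (preferred) or PasswordAuthentication is enabled.

$target = '192.0.2.10'   # placeholder address of the remote box
$user   = 'nando'        # placeholder account on that box

# -HostName (not -ComputerName) selects the SSH transport instead of WinRM.
# Add -KeyFilePath ~/.ssh/id_ed25519 to authenticate with a key instead of a password.
$session = New-PSSession -HostName $target -UserName $user

# Because the remote side here is Linux, environment variable names are case-sensitive:
# $env:USER is populated, $env:user is $null. Collect both so the difference is visible.
$facts = Invoke-Command -Session $session -ScriptBlock {
    [pscustomobject]@{
        Host       = [System.Net.Dns]::GetHostName()
        IsLinux    = $IsLinux                     # automatic variable in PowerShell 7
        UserUpper  = $env:USER                    # set on Linux
        UserLower  = $env:user                    # $null on Linux, same as USER on Windows
        TopProcess = (Get-Process | Sort-Object CPU -Descending | Select-Object -First 1).ProcessName
    }
}
$facts | Format-List

# Fanning out: pass several sessions and every result gains a PSComputerName property,
# so output from many hosts can be sorted and saved with Out-File.
# $sessions = 'host-a', 'host-b' | ForEach-Object { New-PSSession -HostName $_ -UserName $user }
# Invoke-Command -Session $sessions -ScriptBlock { (Get-Process).Count } |
#     Select-Object PSComputerName, @{ n = 'Processes'; e = { $_ } } |
#     Out-File ./proc-counts.txt

# Pull an artifact back over the same channel (no separate HTTP server needed).
# Copy-Item -FromSession $session -Path /tmp/sample.bin -Destination ./evidence/

# Close the session when done so the remote pwsh host does not linger.
Remove-PSSession $session
```

For an interactive shell rather than a scripted one, `Enter-PSSession -HostName $target -UserName $user` and `Exit-PSSession` use the same transport; everything above that about case sensitivity applies there too.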

Okay, so I'm going to come back in here. I'll go to my Windows machine... excuse me, my Linux machine. I'm going to connect to my Windows machine, and I'm going to do this the same way I would if I was using a traditional PowerShell remoting tactic. I'm going to Enter-PSSession, and when I do so I'm going to specify the IP or hostname, and I'm going to specify my username. I'll put in my username and I'll get connected. I can tell I'm connected to said machine because my path has changed. If I would have used the hostname, the path would show the hostname; I used the IP, so it now includes this. And from here, well, I can execute things that we would execute, period, in a PowerShell instance. All right, so I can see my username is wolf, I can get processes, I can continue to do whatever it is that I want to do. Since I've PS remoted from Linux to Windows, I can now take advantage of those 5,000 cmdlets that are available on that system, as opposed to the 200 or so that were available on my local machine. It is really that simple once we have it set up. When I'm done, I can Exit-PSSession and be good to go.

Now let's look at it from the opposite perspective, the opposite perspective of: I'm on a Windows box and I want to connect to a Linux machine. Well, I'd come in here and I'm going to Enter-PSSession the same way. I'll specify my hostname, and then I'm going to specify my IP. My IP in this aspect is dot six. I also have my username; my username is going to be nando.

Actually, I've got the wrong IP. I said a prayer to the demo gods earlier and it seemed like they accepted it. I did not.

And this is why you should record said talks.

Oh well, you know what, the demo gods just whispered in my ear mic here: it would help if I had the right IP, right? Demo gods are like, yo, you said you were doing critical stuff today, like a ransomware operator, we said we were going to leave you alone, our bad, we didn't mean to mess you up, but we'll help you: you got the wrong IP. All right, so cool. So again, my path has now changed, I'm in my Linux machine, and the same thing, right: if I wanted to go in here and figure out who I am, well, I can do that, and I recognize I'm nando. But again, when we look at our commands, because I'm in Linux and Linux cares about case sensitivity, notice how when I call upon that environment variable of user, lowercase, I get nada, nothing, because Linux is looking for that case aspect. So we have to reshape some of the things that we're accustomed to because of that. But when I'm in here, I'm good to go. Now this is me doing it from a one-machine perspective. We can also Invoke-Command and actually do this across a subset of systems. So we'll come in here and I'm going to create this session, and I'm going to store it in a variable called session. Once I have that, I can then actually... I'll go back and look at session.

Yes, I could; you could absolutely do that. Now once I've created that session, I'll go back in and I'll see it's open. Once I have that, based upon individual IP or a subnet, I can certainly Invoke-Command, call upon session, feed it a script block, and when I do so, well, this is then going to have this script block, script, whatever I feed it, actually execute and come back to me in a serial manner. Right now I'm only doing it on one machine, but if I was doing it on multiple machines there would be a property that would be added for the computer name, so I'd be able to tell what's what. If I don't want it to return to standard out, well, guess what, you can certainly Out-File it and save it to your local machine.

All right, so we're good to go in that aspect, and when I'm completely done with it I'd be able to remove my session, because I don't want it to sit here.

And when I look at session now, see that it's actually closed. So PowerShell remoting, again, isn't something that we're just going to use from a Windows-to-Windows perspective. We now have that ability Linux to Windows, Windows to Linux. Holy crap, that's now a game changer, especially when I'm doing defense. I can wrap all of these things in one instantiation of what I'm trying to grab, I can go vice versa with it, I don't have to have my Linux-only type toolset or my Windows-only type toolset. I can absolutely write once, use many.

That brings us to the benefits of cross-platform, right. Now this picture, I couldn't get my wife to take one of me, but that guy represents me, right? Newly retired. I've been wearing a uniform for 20 years and now I need clothes. I'm not going to go out and buy clothes for every occasion; I need to be able to buy the least amount of clothes that work for everything, right? So I got my business attire, I got Nando-at-happy-hour attire, right, all in one. That brings us to the benefits of cross-platform, right: maximum effectiveness. The time, as a developer, as an operator, right, is of the essence. So how do I make the biggest benefit, the hugest benefit, of the time that I have? How do I reuse this code? Maybe a good thing, could be a bad thing, but certainly worthwhile exploring. Uniformity of design, swifter development, and certainly stability, right, being able to wrap all that into one. But this isn't new, right? There's been malware that was cross-platform in nature, predominantly Go, as you could imagine, right, but malware frameworks, trojans, crypto miners, remote access, all that stuff. This isn't new. But as we continuously grab hold of this, specifically market share being Windows, Windows PowerShell, and then now being able to attack from a different perspective and take what we use on a market share aspect and leverage it on other networks that we may be concerned with, as opposed to coming from a different angle.

Now as I wrap this up here, again, I'm not saying this is the language, go out and install it on your Mac or your Linux today. I am certainly telling you that if you're using Windows already and leveraging PowerShell, it is worthwhile for you, from a time perspective, to leverage it in a *nix or Mac environment because of the cross-platform-ness. But also be patient with them; it is a work in progress. PowerShell is certainly a powerful language, many of you already know that; again, work in progress. The environment would depict if you use PowerShell, how you use it, and will it be beneficial for you, right? This isn't a one-size-fits-all, but certainly beneficial. And there's something to be said about any language that is object-oriented in nature, right; I can't leave without actually saying that. So if you're now at a point where, like, okay, I am digging this PowerShell thing and I am gonna go install it on my Linux, Mac, whatever, well, you may feel like Thanos, right? Like, you now have Windows, you got a little Linux, you got Mac, you got Docker, and you got all the stones, right? Okay, I'm digging that, and let's certainly connect. But guess what, if you're not quite there yet, maybe you want to learn more about the language but you just need a little bit of time, I got something for you as well, right.

There's always more. Where am I? Okay, so a friend of mine, Pete the Giorgio, you see him out here with security; I ain't doing the lock pick stuff. Him and another guy, Alex Durkas, and I came up with this thing called Under the Wire. You might have heard of Over the Wire; it's a play on words for us, but PowerShell-focused. We drop you in a PowerShell console on our servers and then we present you with a subset of challenges. As you answer one question and get the answer, that answer becomes the password for another user, or another level. It focuses on the core aspects of the language, because we want to give you a challenge to then want to go out there and learn and actually complete it. There's 75 challenges; they're all linear in nature, one after the other. To date we've had roughly 197,000-plus unique connections from 78 different countries. It's free; we make nothing for it. If you've got issues and you're on our Slack, I'm Wired Pulse; you get me, not some, you know, intern or somebody else. Like, I am passionate about the language and I'm here to certainly have conversations. If you're beyond that, then I have Posh Hunter for you: 90 challenges, non-linear, focused on offensive and defensive challenges. I give you a virtual machine with all kinds of stuff happening in it, and you're going to utilize the PowerShell language to answer them and then supply that to our scoring server. Now you may be feeling like, oh, you're going to give me a virtual machine, I'm going to use the raw binaries on Windows, I'm using the GUI. Nah, nah, I've already stripped all those things out, so when you boot up you get a PowerShell console and you get PowerShell ISE. I want to help you achieve your goals. These are all based upon realistic, first-hand offensive challenges, defensive challenges, and you can solve them all in PowerShell. So with that, that brings me to the end. If there's any questions... This presentation, if you're interested, will be on my website. Any code that I've talked about here will also be on my GitHub with some other stuff, and there's my real presence on the interwebs, on Twitter. If I speak the language that you speak, or you just want to have a conversation, I'm open, right? You literally are going to get me; you're not going to get anybody else. I would love to have that conversation. If you're interested in gardening tools, that's not my thing, right; I can point you to somebody else. But if you want to talk anything IT-related, that is all me. So I'll pause here for any questions. And then I have questions. Sir, I'll come to you in a minute. Young beard man. Sir.

There is, there is. So we take the team that was only working on PowerShell for Windows, and now they're working on everything, right? It's just taking a little bit of time. Yes. I'll come to... oh, sorry, Aaron. "So if you're developing these scripts, how do you handle..." What? Well, so yeah, so good question. The question was how do you handle path separators, delimiters, in Windows versus Linux. So the good thing is, when I do it in Windows, it doesn't matter if it's forward or backwards; PowerShell and Windows will make sense of it. If that wasn't a concern for me, then I would do some analysis right up front: if this, then do that; if that, then do that. So you still have to do some logic, right? It isn't just blah, right, you're gonna have to add a couple more lines, but with that small separation, oh, you'll be good to go. Hey Rod.
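One way to write the "couple more lines" of separator logic the answer above describes, as an added example that is not the speaker's code. It assumes PowerShell 7, where the `$IsWindows` automatic variable exists, and relies on `Join-Path` and `[System.IO.Path]::DirectorySeparatorChar` to emit the host's native separator; the sample paths are constructed.

```powershell
# Added example (not the speaker's code): build paths that work on Windows, Linux and
# macOS without sprinkling OS checks through every script. Assumes PowerShell 7.

function Join-NativePath {
    # Accepts path pieces written with either slash style ('logs\2021', 'logs/2021')
    # and emits one path using the separator of the machine the script runs on.
    param([Parameter(Mandatory, ValueFromRemainingArguments)][string[]]$Parts)

    $sep = [System.IO.Path]::DirectorySeparatorChar

    # Split every piece on either separator and drop empties; @() keeps a single
    # segment an array rather than a string, so [0] does not return a character.
    $segments = @($Parts -split '[\\/]' | Where-Object { $_ -ne '' })

    # Join-Path inserts the correct separator for this platform between segments.
    $path = $segments[0]
    foreach ($s in ($segments | Select-Object -Skip 1)) {
        $path = Join-Path -Path $path -ChildPath $s
    }

    # Splitting removed the leading '/' of an absolute POSIX path; restore it.
    if (-not $IsWindows -and $Parts[0].StartsWith('/')) { $path = "$sep$path" }
    return $path
}

function Get-ProfileRoot {
    # The one place where an explicit OS branch is still needed: the home directory
    # variable differs, so keep that decision here instead of in every caller.
    if ($IsWindows) { return $env:USERPROFILE }
    return $env:HOME
}

# Constructed sample: the same call yields a native path on either platform.
Join-NativePath (Get-ProfileRoot) 'Desktop\evidence/case-001' 'notes.txt'
# Linux:   /home/nando/Desktop/evidence/case-001/notes.txt
# Windows: C:\Users\wolf\Desktop\evidence\case-001\notes.txt
```

Windows itself accepts either slash, as the answer notes; the function matters on Linux and macOS, where a backslash is an ordinary filename character and `Desktop\evidence` would otherwise be treated as one oddly named directory.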

Yeah, so this actually works from both, yeah. So I did a simple way where I was just doing it by straight username, password, not worrying about domain, workstation, what have you, but there's a number of other options where you can specify as well for that actual environment. But in testing it worked well. Okay, so who is the youngest person we have here? Do we have anybody under the age of 15? Sixteen? We got sixteen. We have a fifteen-year-old? Who's fifteen? Come on up, sir. Ma'am. [Applause] All right, so I once was 15; I'm only two years from 15, right? And all we need is a start. All we need is somebody to spark our interest and get us going, and you, sir, I hope this does it for you. All right, all right, let's sit on... [Applause] All right, so we had two people that were 16, right? 16, 16. All right, what year was PowerShell named PowerShell? What year did PowerShell get released for Linux?

Not 2008. PowerShell was released for... like, somewhere between 2015 and 2020.

Okay, well, you were the closest. Here you go, it was 2018. [Applause] You, ma'am, I hope this book serves you well and I hope you find a love for PowerShell, and when you have that love, pass it on to somebody else, okay? All right, with that, again, I appreciate your time. I'll be hanging out somewhere around here; let's chat. Thank you.