PaulDotCom

Episode 287 with Dr. Anton Chuvakin & Daniel Martin at 6PM tonight

Thu, 10 May 2012 09:00:00 -0500

Episode 287 of PaulDotCom Security Weekly will feature an interview with Dr. Anton Chuvakin to talk log management, SIEM and PCI DSS compliance and a Guest Technical Segment from Dradis Framework creator Daniel Martin. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

Hack Naked TV Episode 34

Wed, 09 May 2012 06:40:00 -0500

In this episode we have a special guest. Larry Pesce from Hack Naked at Night drops by to talk about hardware patching, leaks and adult diapers.

Links for this episode:

Mac security kind of sucks

PaulDotCom Espanol Episode 12 - Efrain Torres

Tue, 08 May 2012 14:09:18 -0500

Hola to all of our Spanish-speaking PaulDotCom listeners! (The rest of this message will be in Espanol)

Episodio doce esta disponible!

En este episodio entrevistamos a Efrain Torres especialista de seguridad Colombiano trabajando en US y miembro del equipo de Metasploit. Efrain nos habla de el ultimo plugin que escribio para Metasploit y los modulos que forman parte de lo que se conoce como WMAP dentro de Metasploit para la uditoria de applicaciones web. Tambien conversamos y debatimos sobre los retos que enfrentan muchas companias grandes en la reducccion de riesgo y vulnerabilidades.

Usted puede encontrar las notas de todos los episodios PaulDotCom en español en PaulDotCom Espanol página principal

Audio Feeds:

PaulDotCom Security Weekly Episode 286 - Penetration Testing, Exploits, Poop for Wifi

Mon, 07 May 2012 15:55:10 -0500

Audio Feeds:

Video Feeds:

Alex Horan & Mife Yaffe Discussion:

Drunken Security News #286:

Episode 286 Show Notes

Episode 286 Part 1 (mp3)

Episode 286 Part 2 (mp3)

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Hack Naked At Night - Episode 5 - Badges, Barcodes & Arduino

Mon, 07 May 2012 11:07:02 -0500

Episode 286 with Core Security Technologies Tonight 6PM EDT

Thu, 03 May 2012 09:37:18 -0500

Episode 286 of PaulDotCom Security Weekly will feature an interview with Core Security Technologies Alex Horan and Mike Yaffe. We will have a lively discussion of exploits, vulnerabilities, penetration testing, and more! At the request of our guests we will be in "Studio B" where smoking cigars is not just encouraged, but required. Come participate in our IRC channel or sit back and enjoy it live via our Ustream channel:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 286 show notes page.

Don't forget to follow us on Twitter: Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand and Mike Perez.

Hack Naked TV Episode 33

Thu, 03 May 2012 05:45:38 -0500

In this episode we discuss the VMware source code leak, backdoors in control systems and Conficker refusing to go away. I guess the theme for this episode is how the things you don't expect can haunt you. None of the above new stories really fall cleanly into traditional categories of security defense. Rather, they all force us to start thinking about what happens when Malware specifically targets AV? What happens when a vendor has a backdoor in a product? See, these are questions we need to start asking about every component in our environments. If we don't, we are not really practicing security, we are simply buying products.

Links for this episode:

Vmware source code leak

Conficker refuses to die

RuggedCom backdoor

Offensive Countermeasures at BlackHat

Links to cool stuff our awesome sponsors are providing:

Check it out here

Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here

Video Feeds:

PaulDotCom Security Weekly Episode 285 - Nick Farr, Hacker Spaces, Hackers In Space

Tue, 01 May 2012 15:41:19 -0500

Audio Feeds:

Video Feeds:

Nick Farr Interview:

Drunken Security News #285:

Episode 285 Show Notes

Episode 285 (mp3)

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Carlos Perez, Host of PaulDotCom Espanol

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

PaulDotCom Security Weekly Episode 284 - Martin Bos, Derbycon, Backtrack, Password Cracking

Tue, 24 Apr 2012 12:33:59 -0500

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Martin Bos Interview:

Password Auditing with Nessus & Metasploit:

Drunken Security News #284:

Episode 284 Show Notes

Episode 284 (mp3)

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Larry Pesce, Host of Hack Naked At Night

John Strand, Host of Hack Naked TV

Carlos Perez, Host of PaulDotCom Espanol

Audio Feeds:

Video Feeds:

Hack Naked TV Episode 32

Fri, 20 Apr 2012 12:11:17 -0500

In this episode we talk about more OS X Malware. More! We also discus POS trojans.

Links for this episode:

Yet another Mac Trojan

Yet another Hotel Trojan

Links to cool stuff our awesome sponsors are providing:

Check out Log Logic:

Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here

Check out Halo from Cloud Passage:

Check it out here

Video Feeds:

Episode 284 with Martin "PureHate" Bos Thursday night 6PM

Wed, 18 Apr 2012 09:00:00 -0500

Episode 284 of PaulDotCom Security Weekly will feature an interview with DerbyCon & Question Defense Tool founder and Backtrack Linux developer Martin "Pure Hate" Bos. Come participate in our IRC channel or sit back and enjoy it live via the link below:

NOTE: The video will play the most recent show up until we are live!

For interactive live video, audio, and chat during each episode you can visit PaulDotCom Live!, just hang out in our IRC channel, or if you prefer, visit the Episode 284 show notes page.

- Paul Asadoorian, Larry Pesce, Jack Daniel, Carlos Perez, John Strand, Darren Wigley, and Mike Perez.

Hack Naked TV Episode 31

Tue, 17 Apr 2012 15:42:56 -0500

In this edition of Hack Naked TV we discuss AV an how we fail to implement it correctly in our environments.

Links for this episode:

Bypassing AV for the sake of Forensic Analysts everywhere

A couple of weeks ago Tim Tomes and I worked with Rob Lee to set up a realistic APT exercise for the new and improved forensics track. As part of this lab we had to choose an AV vendor to implement a more realistic sense of a defended network. Rob chose McAfee because the vast majority of people polled used McAfee in their organization. But I want to submit that it would not have mattered much which traditional out-of-the-box blacklist AV product was used.

I want to spend a couple of moments and explain why. You see, Tim and I regularly perform penetration tests for organizations. One of the key activities we undertake as part of any penetration test is bypassing the AV of the target organization. We do this because this is what the bad guys do. There are a whole range of different tools and techniques that can be used to bypass traditional blacklist AV products. Many are built into exploitation frameworks like the Social Engineering Toolkit or into Metasploit. And many are very, very easy to use. It is not elite-hacker-wizard magic. We do not spend hours on it. We do not lose sleep over it. In many situations it can take us less than an hour.

Many of my former students of SANS 504 and 560 have seen the article posted by Rob and have asked me if there is something wrong with McAfee and if they should they replace it. The answer is "no" on both counts. I also know there are vendors who would like to capitalize on Rob's previous article to show how their product is superior in every way and will use it to steal customers from McAfee. I hope there is a place in info-sec hell for any vendor who does this.

McAfee has been awesome through this process. It takes tremendous guts to put their product on the line like they did. They have been supportive through the whole process. The even made a number of recommendations on how to tweak their products to help slow the type of attack we launched. Check it out at Robs blog.

You see, the issue here is not that one AV vendor is better than the rest. It does not work that way. Rather, there is a problem with the way we are implementing our defensive architectures. I think many organizations look at AVs place in their environment incorrectly. Many believe that if AV is installed then their systems will be protected against all forms of malware. This belief and worse, the actions taken based on this flawed belief, is one of the core reasons why so many organizations are getting compromised so easily today.

Let’s use an analogy. Traditional blacklist AV is very much like an immunization. You get shots as a child and boosters as an adult to protect you from things like Small Pox, Polio, Measles, Tetanus and a whole host of other evil pathogens that would seriously curb your life span and ruin your day. Because you are immunized against a whole list of evil germs, it does not mean you can undergo risky behavior. You cannot swim in a cesspool. You should not, I repeat NOT eat the bologna sausage in the fridge that is 3 months past its prime. Trust me, I know. Being healthy means being immunized and undergoing other health behaviors like washing your hands and not attending raves with lepers.

Think of your defensive layers in your organization for a moment. How many layers of defense do you have from the outside in? Let’s see, a firewall, IDS/IPS, DMZ and NAT just to name a few. Now, if a user surfs the Internet (think rave with lepers) how may layers of defense do you have? For the vast majority of organizations there is only one layer of defense, AV. And this is one of the things that Rob wanted to demonstrate with this lab. If an attacker has to bypass just one layer of defense, they will.

So when we think of our defensive architectures, we need to make an assumption that every single component can (and will) fail at some point. We need to start looking for mitigating technologies that will step in if something like AV fails. There are a whole lot of things we could have done to make the target lab more secure.

Below are just a few:

We could have implemented protocol inspection.

We could have implemented Internet whitelisting.

We could have upgraded all of the systems to Windows 7.

We could have implemented segmentation between systems.

We could have implemented application whitelisting.

We could have implemented the full SANS 20 critical controls.

We could have monitored the users for multiple logons from multiple systems.

We could have enabled SSL inspection.

We could have monitored, alerted and reacted when a new domain administrator account was created.

We could have restricted user access to public email sites.

But we didn't, because the vast majority of organizations today don't.

Links to cool stuff our awesome sponsors are providing:

Check out Log Logic:

Manage your Big Data with the most scalable log & security intelligence platform for the Enterprise & Cloud.Don’t take our word. Try it for yourself! For a limited time, download here

Check out Halo from Cloud Passage:

Check it out here

Video Feeds:

PaulDotCom Security Weekly Episode 283 - Gene Kim

Mon, 16 Apr 2012 10:09:34 -0500

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Gene Kim Interview:

The real story behind Goatse:

Episode 283 Show Notes

Episode 283 - Part 1 with Gene Kim- Direct Audio Download (mp3)

Episode 283 - Part 2 with the man behind Goatse - Direct Audio Download (mp3)

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Larry Pesce, Host of Hack Naked At Night

Jack Daniel, Security B-Sides, Most epic beard in information security.

John Strand, Host of Hack Naked TV

Carlos Perez, Host of PaulDotCom Espanol

Audio Feeds:

Video Feeds:

PaulDotCom Security Weekly Episode 282 - Dan Geer, Alan Paller, and more!

Tue, 10 Apr 2012 08:43:07 -0500

Tune in to PaulDotCom Security Weekly TV, Hack Naked TV, and Hack Naked At Night episodes on our YouTube Channel or our Bliptv channel.

Dan Geer Interview:

Alan Paller Interview:

Episode 282 Show Notes

Episode 282 - Part 1 with Dan Geer - Direct Audio Download (mp3)

Episode 282 - Part 2 with Alan Paller - Direct Audio Download (mp3)

Episode Hosts:

Paul Asadoorian, Host of Security Weekly and Stogie Geeks

Larry Pesce, Host of Hack Naked At Night

Jack Daniel, Security B-Sides, Most epic beard in information security.

John Strand, Host of Hack Naked TV

Carlos Perez, Host of PaulDotCom Espanol

Audio Feeds:

Video Feeds:

Introduction to Microsoft PowerShell – Working with PSDrives and Items

Mon, 09 Apr 2012 17:29:18 -0500

PowerShell provides many ways to work with files and with other sorts of structured data it treats as files. Typically as shown before we can use the same commands as in cmd.exe but they parameters change also we can call many using he names of commands found in Unix type systems, these are aliases for PowerShell cmdlets so as to make the transition to PowerShell easier for administrators. Let have a look at the common commands used to manage files and their aliases. Do not worry to much on the manipulation commands used since I will cover those later in other blog posts but do take a look at what those aliases map to:

PS C:\> Get-Alias | where {$_.definition -match "path|item|content|location"} | Group-Object definition
Count Name                      Group
----- ----                      -----
    1 Add-Content               {ac}
    3 Get-Content               {cat, gc, type}
    3 Set-Location              {cd, chdir, sl}
    1 Clear-Content             {clc}
    1 Clear-Item                {cli}
    1 Clear-ItemProperty        {clp}
    3 Copy-Item                 {copy, cp, cpi}
    1 Copy-ItemProperty         {cpp}
    1 Convert-Path              {cvpa}
    6 Remove-Item               {del, erase, rd, ri...}
    3 Get-ChildItem             {dir, gci, ls}
    1 Get-Item                  {gi}
    2 Get-Location              {gl, pwd}
    1 Get-ItemProperty          {gp}
    1 Invoke-Item               {ii}
    3 Move-Item                 {mi, move, mv}
    1 Move-ItemProperty         {mp}
    1 New-Item                  {ni}
    1 Pop-Location              {popd}
    1 Push-Location             {pushd}
    2 Rename-Item               {ren, rni}
    1 Rename-ItemProperty       {rnp}
    1 Remove-ItemProperty       {rp}
    1 Resolve-Path              {rvpa}
    1 Set-Content               {sc}
    1 Set-Item                  {si}
    1 Set-ItemProperty          {sp}

As we can see in addition to the commands that we know from Unix type systems and those we use from cmd.exe we can find that PowerShell provides even more aliases for those cmdlets and for other actions we will discuss we will see that it has it’s own aliases and cmdlets.

PSDrives

Lets start with the concept that PowerShell treats files and folders as Items, the reason for this is that PowerShell treats other structure data as a file systems and calls the mappings to them PSDrives. To list the PSDrives on our current system we use the cmdlet Get-PSDive:

PS C:\> Get-PSDrive | ft -AutoSize
Name     Used (GB) Free (GB) Provider    Root               CurrentLocation
----     --------- --------- --------    ----               ---------------
Alias                        Alias
C            60.13    535.94 FileSystem  C:\
cert                         Certificate \
D           764.70    166.81 FileSystem  D:\
E           617.89    313.62 FileSystem  E:\
Env                          Environment
F                            FileSystem  F:\
Function                     Function
G                            FileSystem  G:\
H                            FileSystem  H:\
HKCU                         Registry    HKEY_CURRENT_USER
HKLM                         Registry    HKEY_LOCAL_MACHINE
I                            FileSystem  I:\
J                            FileSystem  J:\
Variable                     Variable
WSMan                        WSMan

As we can see in addition to the normal drives we have on the system we have others drives we can navigate to:

Alias – Represent all aliases valid for the current PowerShell Session.

Cert – Certificate store for the user represented in Current Location.

Env – All environment variables for the current PowerShell Session.

Function - All functions available for the current PowerShell Session.

HKLM - Registry HKey Local Machine Registry Hive.

HKCU - Registry HKey Current User Hive for the user the PowerShell session is running as.

WSMan - WinRM (Windows Remote Management) configuration and credentials.

Each of these PowerShell Drives are dependent on what is called PowerShell Providers that allow the access to the structured information. These can be listed with the Get-PSProvider cmndlet:

PS C:\> Get-PSProvider | ft -AutoSize
Name        Capabilities                Drives
----        ------------                ------
WSMan       Credentials                 {WSMan}
Alias       ShouldProcess               {Alias}
Environment ShouldProcess               {Env}
FileSystem  Filter, ShouldProcess       {C, D, E, F...}
Function    ShouldProcess               {Function}
Registry    ShouldProcess, Transactions {HKLM, HKCU}
Variable    ShouldProcess               {Variable}
Certificate ShouldProcess               {cert}

As we can see there are provider for other types other than FileSystem, this can me extended depending on PowerShell modules loaded and installed on a system for example on Windows 7 systems with the Remote Administration Tools or Windows 2008 R2 Domain Controller the can have access to an Active Directory provider, machines with the VMware PowerCLI installed will have access to providers for VMware Datastore and Virtual Infrastructures:

PowerCLI C:\> Get-PSProvider
Name                 Capabilities                  Drives
----                 ------------                  ------
WSMan                Credentials                   {WSMan}
Alias                ShouldProcess                 {Alias}
Environment          ShouldProcess                 {Env}
FileSystem           Filter, ShouldProcess         {C, A, D}
Function             ShouldProcess                 {Function}
Registry             ShouldProcess, Transactions   {HKLM, HKCU}
Variable             ShouldProcess                 {Variable}
Certificate          ShouldProcess                 {cert}
VimDatastore         ShouldProcess                 {vmstores, vmstore}
VimInventory         Filter                        {vis, vi}

Using one of this providers is quite simple, for it we use the New-PSDrive cmdlet, options for the cmdlet may change depending on the provider used so if using any external provide do look at the documentation provided by the company that made the provider. Each provider has different capabilities and this capabilities dictate what can be done on the data that is accessed, for example:

ShouldProcess - Cmdlets that support the -Confirm and -WhatIf parameter can be used against the PSDrive.

Credentials - Cmdlets that use the -Credential parameter can be used against the PSDrive

Transactions - Cmdlets can me executed in a transactional fashion and use the parameter -UseTransaction against the PSDrive.

Filter - Cmdlets can use wildcard filtering for enumerating objects using the -Filter parameter against the PSDrive.

Lets map a drive:

PS C:\Users\carlos> New-PSDrive -Name isostore -Root \\192.168.1.2\isostore -PSProvider filesystem
Name           Used (GB)     Free (GB) Provider      Root                      CurrentLocation
----           ---------     --------- --------      ----                      ---------------
isostore                               FileSystem    \\192.168.1.2\isostore
PS C:\Users\carlos> ls isostore:
    Directory: \\192.168.1.2\isostore
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
da---         1/26/2012  12:49 PM            Oracle
da---         3/27/2012   1:11 PM            Microsoft
da---         3/15/2012   7:34 PM            Linux
da---        12/30/2011   3:49 PM            FreeBSD
da---         3/15/2012   7:33 PM            Solaris
d----         12/2/2011  11:29 AM            unlock-all-v102
da---         3/15/2012   7:34 PM            VMWare
da---         2/27/2012   8:04 AM            Apple
-a---         2/24/2012   9:51 PM 3589316608 8250.0.WINMAIN_WIN8BETA.120217-1520_X64FRE_SERVER_EN-US-HB1_SSS_X64FRE_EN-
                                             US_DV5.ISO
-a---          1/4/2012   2:06 PM        403 shutdown_vms.rb
-a---         4/13/2011   3:17 AM  531705856 openfileresa-2.99.1-x86_64-disc1.iso
-a---         10/8/2007   4:06 PM  661127168 win2k3entsp2.iso
-a---        12/30/2011   7:32 PM  115838976 pfSense.iso
-a---          1/2/2012  11:16 PM  533204992 XenServer-6.0.0-install-cd.iso
-a---          1/4/2012   1:50 PM        177 shtdown.sh
-a---          5/4/2011   5:42 PM  369717248 VMware-VMvisor-Installer-4.0.0.Update01-208167.x86_64.iso

One thing that we need to keep in mind is that the drives we create are only present in the current PowerShell Session only and only can be accessed by the session so Windows Explorer and other tools on windows will not have access to the drive. Also as we can see in the example we can use a longer name for the drive than the letters we are used to use on Windows when mapping drives.

Working with Items

Listing Items

Lets look first at listing the contents of the current working folder for this we will use the Get-ChildItem cmdlet:

PS C:\> Get-ChildItem
    Directory: C:\
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         7/13/2009  11:20 PM            PerfLogs
d-r--          4/5/2012  10:27 PM            Program Files
d-r--          4/8/2012   6:39 PM            Program Files (x86)
d----          4/5/2012   7:42 PM            Python27
d----          4/5/2012   7:41 PM            Python32
d----          4/5/2012   7:38 PM            Ruby193
d----          4/6/2012  12:27 PM            SysinternalsSuite
d-r--          4/5/2012  10:54 PM            Users
d----          4/8/2012  11:14 AM            Windows
-a---          4/5/2012  10:32 PM       1024 .rnd

As we can see we get a listing of the files and folders and basic information about them. Each item is in fact a .Net object of System.IO.FileInfo type that we can manipulate. Lets try searching in a given path for a file that matches a wild card, as we saw before when talink about PSProviders the FileSystem provider allows for filtering. Lets search for any file that starts with telnet in my install of Ruby 1.9.3:

PS C:\> Get-ChildItem -Path .\Ruby193 -Recurse -Filter telnet*
    Directory: C:\Ruby193\lib\ruby\1.9.1\net
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---         5/18/2011   9:07 PM      32598 telnet.rb

Creating Files and Folders

Lets crate a directory and file for us to use to keep exploring the cmdlets, lets start by using the New-Item cmdlet to create a folder called testfolder:

PS C:\> New-Item -Path . -Name testfolder -ItemType "directory"
    Directory: C:\
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----          4/9/2012  11:45 AM            testfolder

As with all cmdlets I mention on the blog posts I do recommend that you look at full help of the command and look at the members of the objects returned as covered in the initial blogposts.

Now lets create a file, for this we will use the ItemType of "file" to indicate we want a file.

PS C:\> New-Item -Path .\testfolder -Name testfile -ItemType "file"
    Directory: C:\testfolder
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          4/9/2012  11:53 AM          0 testfile

Working with Items

Now that we have a file we can work with lets look at the properties and methods available with the Get-Item cmdlet:

PS C:\> Get-Item -Path .\testfolder\testfile | Get-Member
   TypeName: System.IO.FileInfo
Name                      MemberType     Definition
----                      ----------     ----------
Mode                      CodeProperty   System.String Mode{get=Mode;}
AppendText                Method         System.IO.StreamWriter AppendText()
CopyTo                    Method         System.IO.FileInfo CopyTo(string destFileName), System.IO.FileInfo CopyTo(s...
Create                    Method         System.IO.FileStream Create()
CreateObjRef              Method         System.Runtime.Remoting.ObjRef CreateObjRef(type requestedType)
CreateText                Method         System.IO.StreamWriter CreateText()
Decrypt                   Method         System.Void Decrypt()
Delete                    Method         System.Void Delete()
Encrypt                   Method         System.Void Encrypt()
Equals                    Method         bool Equals(System.Object obj)
GetAccessControl          Method         System.Security.AccessControl.FileSecurity GetAccessControl(), System.Secur...
GetHashCode               Method         int GetHashCode()
GetLifetimeService        Method         System.Object GetLifetimeService()
GetObjectData             Method         System.Void GetObjectData(System.Runtime.Serialization.SerializationInfo in...
GetType                   Method         type GetType()
InitializeLifetimeService Method         System.Object InitializeLifetimeService()
MoveTo                    Method         System.Void MoveTo(string destFileName)
Open                      Method         System.IO.FileStream Open(System.IO.FileMode mode), System.IO.FileStream Op...
OpenRead                  Method         System.IO.FileStream OpenRead()
OpenText                  Method         System.IO.StreamReader OpenText()
OpenWrite                 Method         System.IO.FileStream OpenWrite()
Refresh                   Method         System.Void Refresh()
Replace                   Method         System.IO.FileInfo Replace(string destinationFileName, string destinationBa...
SetAccessControl          Method         System.Void SetAccessControl(System.Security.AccessControl.FileSecurity fil...
ToString                  Method         string ToString()
PSChildName               NoteProperty   System.String PSChildName=testfile
PSDrive                   NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C
PSIsContainer             NoteProperty   System.Boolean PSIsContainer=False
PSParentPath              NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\testfolder
PSPath                    NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\testfolder\te...
PSProvider                NoteProperty   System.Management.Automation.ProviderInfo PSProvider=Microsoft.PowerShell.C...
Attributes                Property       System.IO.FileAttributes Attributes {get;set;}
CreationTime              Property       System.DateTime CreationTime {get;set;}
CreationTimeUtc           Property       System.DateTime CreationTimeUtc {get;set;}
Directory                 Property       System.IO.DirectoryInfo Directory {get;}
DirectoryName             Property       System.String DirectoryName {get;}
Exists                    Property       System.Boolean Exists {get;}
Extension                 Property       System.String Extension {get;}
FullName                  Property       System.String FullName {get;}
IsReadOnly                Property       System.Boolean IsReadOnly {get;set;}
LastAccessTime            Property       System.DateTime LastAccessTime {get;set;}
LastAccessTimeUtc         Property       System.DateTime LastAccessTimeUtc {get;set;}
LastWriteTime             Property       System.DateTime LastWriteTime {get;set;}
LastWriteTimeUtc          Property       System.DateTime LastWriteTimeUtc {get;set;}
Length                    Property       System.Int64 Length {get;}
Name                      Property       System.String Name {get;}
BaseName                  ScriptProperty System.Object BaseName {get=if ($this.Extension.Length -gt 0){$this.Name.Re...
VersionInfo               ScriptProperty System.Object VersionInfo {get=[System.Diagnostics.FileVersionInfo]::GetVer...

For getting properties for the file object we have several ways to achive this first one is using the Get-ItemProperty cmdlet by given as the name the object property:

PS C:\> Get-ItemProperty -Path .\testfolder\testfile -Name LastAccessTime
PSPath         : Microsoft.PowerShell.Core\FileSystem::C:\testfolder\testfile
PSParentPath   : Microsoft.PowerShell.Core\FileSystem::C:\testfolder
PSChildName    : testfile
PSDrive        : C
PSProvider     : Microsoft.PowerShell.Core\FileSystem
LastAccessTime : 4/9/2012 11:53:25 AM

Another Method we can use is to get the object and just request it, lets look at some properties that security professionals will find quite interesting:

PS C:\> (Get-Item -Path .\testfolder\testfile).LastWriteTime
Monday, April 09, 2012 11:53:25 AM
PS C:\> (Get-Item -Path .\testfolder\testfile).LastAccessTime
Monday, April 09, 2012 11:53:25 AM
PS C:\> (Get-Item -Path C:\Windows\System32\aaclient.dll).VersionInfo
ProductVersion   FileVersion      FileName
--------------   -----------      --------
6.1.7600.16385   6.1.7600.1638... C:\Windows\System32\aaclient.dll

Just like other shell we can redirect output of commands as text to files using > and >> symbols:

cmdlet > filename - Redirect command output to a file and overwrite content.

cmdlet >> filename - append into a file

cmdlet 2> filename - Redirect Errors from operation to a file and overwrite content.

cmdlet 2>> filename - Append errors to a file

cmdlet 2>&1 - Add errors to output

cmdlet 1>&2 - Add output to errors

Lets look also at the Add-Content cmdlet:

PS C:\> Add-Content -Path C:\testfolder\testfile -Value (get-date)
PS C:\> Get-Content -Path C:\testfolder\testfile
4/9/2012 3:39:29 PM

Lets work with the object method to modify the file, in this case we will use EFS to encrypt the file on NTFS, lets start with checking if the file is encrypted:

PS C:\> (Get-Item -Path .\testfolder\testfile).attributes
Archive

Now lets encrypt the file and see if its encrypted:

PS C:\> (Get-Item -Path .\testfolder\testfile).encrypt()
PS C:\> (Get-Item -Path .\testfolder\testfile).attributes
Archive, Encrypted

We can even confirm using the cipher.exe command:

PS C:\> cipher.exe /c .\testfolder\testfile
 Listing C:\testfolder\
 New files added to this directory will not be encrypted.
E testfile
  Compatibility Level:
    Windows XP/Server 2003
  Users who can decrypt:
    infidel01\Carlos [Carlos(Carlos@infidel01)]
    Certificate thumbprint: 45F5 3D35 94B0 3C47 B727 AB63 0198 F19A 2793 1283
  No recovery certificate found.
  Key Information:
    Algorithm: AES
    Key Length: 256
    Key Entropy: 256

Lets Rename an item with the Rename-Item cmdlet:

PS C:\> Rename-Item -Path C:\testfolder -NewName test_folder
PS C:\> ls
    Directory: C:\
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
d----         7/13/2009  11:20 PM            PerfLogs
d-r--          4/5/2012  10:27 PM            Program Files
d-r--          4/8/2012   6:39 PM            Program Files (x86)
d----          4/5/2012   7:42 PM            Python27
d----          4/5/2012   7:41 PM            Python32
d----          4/5/2012   7:38 PM            Ruby193
d----          4/6/2012  12:27 PM            SysinternalsSuite
d----          4/9/2012   4:44 PM            test_folder
d-r--          4/5/2012  10:54 PM            Users
d----          4/8/2012  11:14 AM            Windows
-a---          4/5/2012  10:32 PM       1024 .rnd

Lets delete the file we have been using for the examples:

PS C:\> Remove-Item -Path C:\test_folder\testfil
PS C:\> ls .\test_folder
    Directory: C:\test_folder
Mode                LastWriteTime     Length Name
----                -------------     ------ ----
-a---          4/9/2012   3:39 PM         21 testfile
PS C:\>  Remove-Item -Path C:\test_folder\testfile
PS C:\> ls .\test_folder

Working with Paths

Lets look at working with paths, we will firs start with defining the difference of Path and LiteralPath in the parameters of several commands. This is a source of confusion for many people learning PowerShell on their own by exploring the shell cmdlets. When working with a file system on a drive or share Powershell Windows restricts the characters that can be used for a file name, like *, ?, /, $ and others since they are use for variable expansion and wildcard search but since PowerShell lets us work with Active Directory, Certificate Store, Registry and others that do not have the same restrictions as the file system. This is why we use -Path when we want the special characters treated as wildcards and -LiteralPath for those cases where those special characters are part of the item names. An example of expansion:

PS C:\> Set-Location -Path Perf*
PS C:\PerfLogs>

We can see as wildcards where used to match the path. To get the current location of where we are in a provider we use the Get-Location cmdlet:

PS C:\PerfLogs> Get-Location
Path
----
C:\PerfLogs

To Change locations we use the Set-Location cmdlet:

PS C:\PerfLogs> Set-Location C:\testfolder
PS C:\testfolder> Get-Location
Path
----
C:\testfolder

We can take a path and add a child item to the path with Join-Path cmdlet:

PS C:\> Join-Path -Path C:\Windows -ChildPath system
C:\Windows\system

We can also have it join a path using wildcards:

PS C:\> Join-Path -Path C:\Win* -ChildPath tem* -Resolve
C:\Windows\Temp

We can also give it a list of path to append a child object to:

PS C:\> join-path -path c:\windows,c:\python,c:\ruby  -ChildPath temp
c:\windows\temp
c:\python\temp
c:\ruby\temp

Some time we will find our self with path that we obtained from a property of an object and we may need to extract parts of the path, for this we will use the Split-Path cmdlet and we can get different pats of the paths depending of what we want:

PS C:\> split-path c:\windows\secret.txt
c:\windows
PS C:\> split-path c:\windows\secret.txt -Qualifier
c:
PS C:\> split-path c:\windows\secret.txt -NoQualifier
\windows\secret.txt
PS C:\> split-path c:\windows\secret.txt -Parent
c:\windows
PS C:\> split-path c:\windows\secret.txt -Leaf
secret.txt

It also supports extracting parts from other types of paths:

PS C:\> Split-Path -Path /var/log/tftp.log -Leaf
tftp.log
PS C:\> Split-Path -Path /var/log/tftp.log -Parent
\var\log
PS C:\> split-path -Path http://www.darkoperator.com/index.html -Qualifier
http:
PS C:\> split-path -Path http://www.darkoperator.com/index.html -NoQualifier
//www.darkoperator.com/index.html

We can test if a path exists:

PS C:\> test-path -path HKLM:\Software\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
True
PS C:\> test-path -path C:\Windows
True
PS C:\> test-path -path C:\Windows\system32\aaclient.dll
True

As we can see this works with both files, folders and even other paths in other providers. Lets say we want to test is the path is for a File or a Folder, for this we will use Container for Folder and Leaf for File:

PS C:\> test-path -path C:\Windows\system32\aaclient.dll -PathType leaf
True
PS C:\> test-path -path C:\Windows\system32\aaclient.dll -PathType container
False

Conclusion

I invite you to keep exploring in the registry, variables and other psdrives available and learning what is possible and not and the differences in the parameters we can use with this providers. As always I hope this blog post is useful and informative.