One liners for retrieving Windows TCP/IP and IP Address information

One liners for retrieving Windows IP Address information from Powershell v3.0:

• gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}}
• gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input}} | fl *
• gwmi -class Win32_NetworkAdapterConfiguration | % {if ($_.IPAddress -ne $null) {$input | Select -ea 0 IP,DHCP,DNS,WINS}}
• gwmi -class Win32_NetworkAdapter |  % {If ($_.NetEnabled) {$input | Select Caption, Name, Speed, TimeOflastReset,Net*}}
• gwmi -class Win32_NetworkAdapterConfiguration | % {If ($_.IPAddress -ne $null) {write "$($_.caption) $($_.IPAddress) $($_.SettingID)"}}
• gwmi -class Win32_PerfRawData_Tcpip_NetworkInterface | % {if ($_.BytesReceivedPersec -ne 0) {write "$($_.Name) $($_.BytesReceivedPersec) $($_.BytesSentPersec)"} }

FileVersionInfo Part II

# Powershell v3.0 code
# Recurses current directory to gather file version information of a boolean property
# Returns number of Debug,Patched,PreRelease,Private,Special builds
# Creates csv of those properties in current directory
# Takes up to three arguments:
# [mandatory]$filename (e.g. *.dll),$exportflag (e.g. "0" to output csv;default is off), $filetime (default is now)

FileVersionInfo Part I

Retrieving FileVersionInfo in Powershell involves calling [System.Diagnostics.FileVersionInfo]::GetVersionInfo(). "ls ' or 'Get-childitem' has a scriptproperty named "VersionInfo" that can be used for this:

Muxing System.Diagnostics.Process with System.Security.AccessControl

# three functions that produce filepath,Owner,Access,SDDL

# for the binaries listed by ps ("get-process")
# All rights reserved Ryan M. Ferris @ RMF Network Security
# Version r5:21 PM 9/6/2011

function Get-PSACL
{
ps | get-acl -ea 0 | Select pschildname,owner,AccessToString,Sddl
}

function Get-PEX
{
[array]$global:ps_list=ps
[array]$global:acl_list=$ps_list | get-acl -ea 0
$acl_list | Select @{label="FilePath"; Expression={ls $_.PsPath}},Owner,AccessToString,Sddl
}

function Get-PIDACL 
{
foreach ($id in $(ps)) 
    {$id | Select Name,ID,
    @{Label="Owner";Expression={get-acl $id.Path | % {$_.Owner}}},
    @{Label="Access";Expression={get-acl $id.Path | % {$_.AccessToString}}},
    @{Label="SDDL";Expression={get-acl $id.Path | % {$_.SDDL}}}
    }
}

Get-PSACL
Get-PEX
Get-PIDACL

Muxing AccessControl and FileInfo objects

Most of us know the members (partially printed at bottom) of System.Security.AccessControl and System.IO.FileInfo. And most of us know they both share the PS* NoteProperty items:

• PSChildName                     NoteProperty   System.String PSChildName=test.txt
• PSDrive                         NoteProperty   System.Management.Automation.PSDriveInfo PSDrive=C
• PSParentPath                    NoteProperty   System.String PSParentPath=Microsoft.PowerShell.Core\FileSystem::C:\
• PSPath                          NoteProperty   System.String PSPath=Microsoft.PowerShell.Core\FileSystem::C:\test.txt
• PSProvider                      NoteProperty  

New-Object -ComObject Shell.Application

Here are some notes on exposing  the Shell as a ComObject with Powershell. Here, I trace down the cookies folder:


$a = New-Object -ComObject Shell.Application
$b=1..100
 foreach ($i in $b) {write "$i $($a | % {$_.Namespace($i).Self.Path})"}
....
32 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\Temporary Internet Files
33 C:\Users\rferrisx\AppData\Roaming\Microsoft\Windows\Cookies
34 C:\Users\rferrisx\AppData\Local\Microsoft\Windows\History
...

Sorting Windows events by UserID: Part II (Building a Module)

I am a bit late to some v2.0 functionality.  I made my first attempt at creating a module, in this case a six function script that queries general information from an event log. I ran into at least two problems:

• (a) get-winevent is slow for high volume queries
• (b) modules so encapsulate their variables in functions that I could not find how to call all functions globally from an internal or external script.                                                                                                                                                                                                                                                                                                                                                                                           

Sorting Windows events by UserID

Sorting Windows events by UserID is a critical piece of auditing. In the code and examples below, I concentrate on:


$Logs="System","Application","Microsoft-Windows-GroupPolicy/Operational"


purposefully leaving out the Security log. We can create a simple function that allows us to check all events logs on any machine sorted by file size:

function CheckEventLogsBySize
{
get-winevent -listlog * | Sort -desc FileSize |
ft -auto LogName,@{Label="FileLogSize(MB)"; Expression={$_.FileSize/1MB}},@{Label="MaxLogSize(MB)"; Expression={$_.MaximumSizeINBytes/1MB}},LastWriteTime,IsLogFull 
}

Get-Winevent Part III: Querying the Event Log for Logons (Part E)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events.  Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons.  In Part D,  I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis. In Part E (below), I tie in additional auditing events, specifically connections permitted by the Windows Filtering Platform:

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part III

Microsoft has exposed substantial providers since XP. With Windows 7, Microsoft has increased the number of providers substantially over previous versions of Windows and added 'netsh trace' functionality to enable tracing, conversion, batching of these kernel level counters. In the commands below, I have mixed cmd shell, powershell, cygwin cmds to parse ETL files. In  general, parsing etl files with 'get-winevent' and powershell takes a while...  You can understand 'netsh' filtering best with 'netsh trace show CaptureFilterHelp', however I recommend setting your 'netsh trace start maxSize=' parameter at 150 MB or less. (The default is an almost unworkable 250MB.)

Get-Winevent Part III: Querying the Event Log for Logons (Part D)

In Part A of this series ('Get-Winevent Part III Querying the Event Log for logons'), I worked with the 'where-object' cmdlet to filter through properties of specific logon event types. In Part B, I used '-filterhashtable' and 'findstr' to more quickly dig into the message field of logon events, utlimately producing a spreadsheet or database format of those events. In Part C, I presented code that enumerates all provider types for these events.  Then I used '-filterhashtable' with an array of multiple security EventIDs whose select 'Message' fields I searched with 'findstr' for specific properties relating to logons.  In this post (Part D),  I pull this all together, creating a timeline of multiple security EventIDs whose select 'Message' fields I pump into a spreadsheet for further analysis.

Get-Winevent Part III: Querying the Event Log for Logons (Part C)

To list Opcodes, Event IDs, Event Descriptions from any group of provider's (e.g. Securit*) events, you can use:

$ProviderNames=get-winevent -listprovider microsoft-windows-Securit* | % {$_.Name}
$ProviderNames | % {((get-winevent -listprovider $_).events) | format-table @{Name="Opcode"; Expression = {$_.Opcode.Name}},ID,Description -auto -wrap}

Get-Winevent Part III: Querying the Event Log for Logons (Part B)

This is a long post that I've edited from a answer I gave on Stack Overflow.  Although the post is about how to audit logon information in the Security log of Windows 7, it is also about discovering methods to extract critical information from the 'Message' field of a "Logon Type" (ID=4624).  

Get-Winevent Part III: Querying the Event Log for Logons (Part A)

The following is a digression on using Powershell's where-object (filter) to query System and Administrative events with 'Get-WinEvent'.  I like this method of querying the event logs because it is "pipeline" oriented and allows me to re-use/amend/copy previous syntax.  I was having some concern understanding a mysterious problem: my Windows 7 PC spontaneously un-sleeps itself and seemingly commences a log-on. I wanted to understand why this happened and if there was evidence of ex-filtration or malware.
  

Is Digital Security Possible?

"Africa is not a continent which is any longer isolated. It is not a place where people are uninformed. It is the fastest growing market for cellular phones. Information, whether it is in the townships or wherever, now passes very quickly... And this is not an issue which is going to go away. Nor is it an issue that is trivial for those of us that live here as we do here."

 JAMES WOLFENSOHN ex-President of the World Bank 


Below is a philosophical comment I  posted on Dark Reading today:

"It has occurred to me lately (because of the advances and volume increase in penetration and ex-filtration) that the digital industry has falsely assumed that data can be kept private in a networked world; that perhaps the concept of "data security" or "network security" is not achievable or (at best) not achievable at current levels of technology, internet reach, network topology.
If this is the case, we will have to rethink our current goals. Is data security possible? If so, at what costs? Can commercial interests or individual privacy be protected on the internet? If so, what would be the true costs for such protection?
Social and economic inequality, the true driver behind nation state and organized criminal penetration and ex-filtration, may not be an affordable reality in a networked world. Conversely, a secure, networked world may be not an achievable reality in a world of social and economic inequality. Either conclusion has gross implications for the global economy as it now exists."

For some long time, in the moments between burying my head in code or research, this rather somber thought has occurred to me. If digital security is not truly possible, would the current world of security architects be able to recognize the futility of their own profession?  Probably not, I would answer. Good engineers that we are (in a profit hungry market capitalism), we simply just keep chasing the next big thing or fixing the last defect.  But what if it were the case that digital security is  not an existential possibility? What if it were the case that the next abstraction, the next algorithm always begat the next penetration or ex-filtration? What if digital security was never truly achievable for any moment but  a single point in time?

Security Process Document

I've created four separate documents outlining The Security Process for a consultant. The documents detail work flow from initial client meeting, to engaging The Security Process, and transitioning to monitoring/training of completed work. My text is intended as an outline for consultants and clients interested in understanding the steps of the The Security Process. The text is intended to function as a guideline to the process of developing security independent of operating system, network or company size. Additionally, the document is designed to function independently of associated disciplines of computer security: cryptography, network security, auditing, forensics, REM (reverse engineering of malware), secure authentication, etc. This document is an outline only at present. I hope to update it with more information.

Chapters include:

First Contact: Small Business Work Flow for The Security Process

Designed to help screen client needs during the first phone call or meeting.

Second Contact: Templates for Managing Expectation For All Clients

Designed to generate ideas for the first PowerPoint Presentation.

The Phases of the Security Process

A brief overview of the phases in The Security Process.

Frequently Asked Questions

A list of questions you should be able to respond to with some level of competence.

Collating and parsing netmon capture files

I have added a Powershell function that uses logparser to mux all the netmon capture files in a directory and list unique IPs and Ports.

Parsing Windows 7 Firewall Logs

I've talked quite a bit about on this blog about parsing Microsoft's Windows Firewall: 

• http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-i.html
• http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-ii.html
• http://thinking-about-network-security.blogspot.com/2009/07/parsing-vista-firewall-logs-part-iii.html
• http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewall-part-iv.html 
• http://thinking-about-network-security.blogspot.com/2009/08/parsing-vista-firewalls-part-v.html

There are a number of Microsoft sites with more information on Windows Firewall:

• http://technet.microsoft.com/en-us/network/bb545423.aspx
• http://msdn.microsoft.com/en-us/library/aa366453(v=VS.85).aspx
• http://msdn.microsoft.com/en-us/library/ee663289(v=VS.85).aspx
• http://www.microsoft.com/downloads/en/details.aspx?FamilyId=DF192E1B-A92A-4075-9F69-C12B7C54B52B&displaylang=en

This is the report output of two scripts (1, 2) designed to help suggest a "Windows Firewall Log Parsing" Framework.

Get-WinEvent, EventLogs, ETL, Providers on Win7 Part II

Working with Windows Tracing (ETL) logs
This is part of ongoing research project to understand how improved tracing providers in Windows 7 can help detect the presence of malware.  Microsoft has been improving event tracing for a number of years. The latest versions allows netsh to invoke multiple providers. After you have chosen your providers, you start the trace either by referencing the provider name or GUID. 'Netsh trace start' allows for keyword or capture filters, which can be useful if you know what specific events for which you need to trace. For this example, we will not create an NDIS capture ('capture=yes') nor will we select keywords or levels for the filters. After a few busy hours, this leads to quite a bit tracing.

Get-WinEvent, EventLogs, ETL, Providers on Win7

'Get-WinEvent' in Powerhsell 2 when combined with ETL on Windows 7 allows exceptional event log queries. This function allows the administrator to create an array of all Event Logs and sort by 'time created' all those records created in the last (1) day:



function global:LatestLogEntries
{
   [CmdletBinding()]
   Param(
       [Parameter(Mandatory=$true,ValueFromPipeline=$true)]
       [int32] $param1,
       [string] $ErrorActionPreference="silentlycontinue"
            )


$LogNames=(Get-Winevent -listlog  * )
$goback = (get-date) - (new-timespan -days $param1 )
$LogNames | % {get-winevent -FilterHashTable  @{LogName=$_.LogName;StartTime=$goback}}
}