Windows/Powershell

From r00tedvw.com wiki
(Difference between revisions)
Jump to: navigation, search
 
(9 intermediate revisions by one user not shown)
Line 12: Line 12:
 
# Verify start mode and state - it should be running
 
# Verify start mode and state - it should be running
 
PS> Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
 
PS> Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}
 +
 +
# or verify it with this
 +
PS> Get-Service -Name "WinRM"
  
 
# Start/Stop service
 
# Start/Stop service
Line 30: Line 33:
 
----            ----                          -------------  -----                                                   
 
----            ----                          -------------  -----                                                   
 
System.String  TrustedHosts                                  *  </nowiki>
 
System.String  TrustedHosts                                  *  </nowiki>
 +
====Add to existing====
 +
If you want to add to the existing list without overwriting, you can either create an array out of the existing values, or use the <code>-Concatenate</code> switch.
 +
<nowiki>PS> $curList = (Get-Item WSMan:\localhost\Client\TrustedHosts).value
 +
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$curList, FQDN"
 +
 +
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Concatenate -Value FQDN</nowiki>
  
 
===Test Connectivity===
 
===Test Connectivity===
 
  <nowiki>PS> Test-WSMan -ComputerName {ServerFQDN} -Credential {ServerFQDN/Domain}\{User} -Authentication Default
 
  <nowiki>PS> Test-WSMan -ComputerName {ServerFQDN} -Credential {ServerFQDN/Domain}\{User} -Authentication Default
 
ie. PS> Test-WSMan -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -Authentication Default</nowiki>
 
ie. PS> Test-WSMan -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -Authentication Default</nowiki>
 +
 +
==Client==
 +
===Trusted Hosts===
 +
From the Client you need add the server to the Trusted Hosts. <br>
 +
'''NOTE:''' While you do NOT need WinRM to be running on the client, you do need to start it in order to manipulate the trusted host list.
 +
<nowiki>PS> PS> Start-Service -Name "WinRM"
 +
 +
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "FQDN" -Force    #Adds an individual host.  Overwrites previous entry.
 +
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force      #Adds everything to the trusted host list.
 +
 +
PS> Get-Item WSMan:\localhost\Client\TrustedHosts
 +
 +
 +
  WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client
 +
 +
Type            Name                          SourceOfValue  Value                                                 
 +
----            ----                          -------------  -----                                                 
 +
System.String  TrustedHosts                                  * 
 +
 +
PS> Stop-Service -Name "WinRM"</nowiki>
 +
 +
===Test Connectivity===
 +
<nowiki>PS> Test-WSMan -ComputerName {ServerFQDN} -Credential {ServerFQDN/Domain}\{User} -Authentication Default
 +
ie. PS> Test-WSMan -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -Authentication Default</nowiki>
 +
 +
==Sessions/Invoke Command==
 +
To run remote powershell commands, you'll need to either specify the computer name or create a session and specify that.
 +
<nowiki>#Without a Session, unique one-liner
 +
PS> Invoke-Command -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -ScriptBlock {HostName}
 +
WIN-45MO0EQVG4G
 +
 +
#With a session
 +
PS> New-PSSession -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator
 +
 +
Id Name            ComputerName    ComputerType    State        ConfigurationName    Availability
 +
-- ----            ------------    ------------    -----        -----------------    ------------
 +
  6 WinRM6          win-45mo0eqvg4g RemoteMachine  Opened        Microsoft.PowerShell    Available
 +
 +
PS> Invoke-Command -Session (Get-PSSession) -ScriptBlock {Hostname}
 +
WIN-45MO0EQVG4G</nowiki>
 +
 +
===New/Disconnect/Remove===
 +
The process should be to Create a NEW session > DISCONNECT the session (but leaves in history) > REMOVE the session (removes from history).
 +
<nowiki>PS> New-PSSession -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator
 +
PS> Disconnect-PSSession (Get-PSSession)
 +
PS> Remove-PSSession (Get-PSSession)</nowiki>
 +
 +
=Code Reference=
 +
==Bitbucket ouath authentication and git clone==
 +
<nowiki> $Body = "grant_type=client_credentials"
 +
$creds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('iuondfijondsjkofnsdofjnc:hdfiohnwdfjndsjofnjodsnfjodsnjofndsoj'))
 +
$access_token = $(Invoke-WebRequest -Uri "https://bitbucket.org/site/oauth2/access_token" -Body $Body -Method 'POST' -Headers @{ 'Authorization' = 'Basic ' + $creds } | Select-Object -Expand Content | ConvertFrom-Json | select access_token -ExpandProperty access_token)
 +
 +
Start-Process -FilePath "C:\Program Files\Git\cmd\git.exe" -ArgumentList "clone https://x-token-auth:[email protected]/repo/project.git"
 +
</nowiki>
 +
 +
=Dockerfile WinRM & SSH=
 +
example of a dockerfile that uses the powershell core 7 public docker image to connect to host
 +
<nowiki>#Image contains all the tools necessary to connect via powershell (winrm) to pwsh 5.1 along with ssh
 +
#cannot build without the ssh private key being in the build directory
 +
#sudo docker build -t "pwshcore-wsman:Dockerfile" .
 +
#vpn connection needs to be running on the docker host if required for connectivity to computers
 +
#example connecting via ssh (22)
 +
# ssh -i id_ed25519 [email protected]
 +
#example connecting via winrm (5985)
 +
# pwsh
 +
# $username = "<username>"
 +
# $password = "<password>"
 +
# $computer = "<computer>"
 +
# $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
 +
# $credentials = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
 +
# Enter-PSSession -ComputerName $computer -Credential $credentials
 +
 +
FROM powershell7:latest
 +
LABEL maintainer="root"
 +
 +
SHELL ["/bin/bash", "-c"]
 +
 +
RUN DEBIAN_FRONTEND=noninteractive apt update -y
 +
RUN DEBIAN_FRONTEND=noninteractive apt upgrade -y
 +
RUN DEBIAN_FRONTEND=noninteractive apt install -y iputils-ping ansible telnet vim tcpdump git python-is-python3 python3-pip
 +
RUN DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https software-properties-common sshpass gss-ntlmssp netcat curl
 +
RUN sed -i '/\[provider_sect\]/a legacy = legacy_sect' /etc/ssl/openssl.cnf
 +
RUN sed -i '/\[default_sect\]/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf
 +
RUN sed -i '/\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
 +
RUN pwsh -Command 'Install-Module -Name PSWSMan -Scope AllUsers -AcceptLicense -Force -Confirm:$False; Install-WSMan -Verbose'
 +
COPY id_ed25519 /id_ed25519
 +
RUN chmod 0600 id_ed25519</nowiki>

Latest revision as of 17:24, 23 November 2024

Contents

[edit] Allow Remote Powershell

[edit] Server

[edit] Enable PSRemoting

On the server you'll be accessing

PS> Enable-PSRemoting -Force      #suppresses user prompts and enables.
PS> Enable-PSRemoting -SkipNetworkProfileCheck -Force      #enables even on public networks.

[edit] Enable Windows Remote Management (WinRM)

You will also probably have to enable WinRM (windows remote management)

# Set start mode to automatic
PS> Set-Service WinRM -StartMode Automatic

# Verify start mode and state - it should be running
PS> Get-WmiObject -Class win32_service | Where-Object {$_.name -like "WinRM"}

# or verify it with this
PS> Get-Service -Name "WinRM"

# Start/Stop service
PS> Start-Service -Name "WinRM"
PS> Stop-Service -Name "WinRM"

[edit] Trusted Hosts List

You may also need to add the client that will be connecting to the trusted hosts list.

PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "FQDN" -Force    #Adds an individual host.  Overwrites previous entry.
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force      #Adds everything to the trusted host list.

PS> Get-Item WSMan:\localhost\Client\TrustedHosts


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value                                                  
----            ----                           -------------   -----                                                  
System.String   TrustedHosts                                   *  

[edit] Add to existing

If you want to add to the existing list without overwriting, you can either create an array out of the existing values, or use the -Concatenate switch.

PS> $curList = (Get-Item WSMan:\localhost\Client\TrustedHosts).value
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "$curList, FQDN"

PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Concatenate -Value FQDN

[edit] Test Connectivity

PS> Test-WSMan -ComputerName {ServerFQDN} -Credential {ServerFQDN/Domain}\{User} -Authentication Default
ie. PS> Test-WSMan -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -Authentication Default

[edit] Client

[edit] Trusted Hosts

From the Client you need add the server to the Trusted Hosts.
NOTE: While you do NOT need WinRM to be running on the client, you do need to start it in order to manipulate the trusted host list.

PS> PS> Start-Service -Name "WinRM"

PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "FQDN" -Force    #Adds an individual host.  Overwrites previous entry.
PS> Set-Item WSMan:\localhost\Client\TrustedHosts -Value "*" -Force      #Adds everything to the trusted host list.

PS> Get-Item WSMan:\localhost\Client\TrustedHosts


   WSManConfig: Microsoft.WSMan.Management\WSMan::localhost\Client

Type            Name                           SourceOfValue   Value                                                  
----            ----                           -------------   -----                                                  
System.String   TrustedHosts                                   *  

PS> Stop-Service -Name "WinRM"

[edit] Test Connectivity

PS> Test-WSMan -ComputerName {ServerFQDN} -Credential {ServerFQDN/Domain}\{User} -Authentication Default
ie. PS> Test-WSMan -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -Authentication Default

[edit] Sessions/Invoke Command

To run remote powershell commands, you'll need to either specify the computer name or create a session and specify that.

#Without a Session, unique one-liner
PS> Invoke-Command -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator -ScriptBlock {HostName}
WIN-45MO0EQVG4G

#With a session
PS> New-PSSession -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator

 Id Name            ComputerName    ComputerType    State         ConfigurationName     Availability
 -- ----            ------------    ------------    -----         -----------------     ------------
  6 WinRM6          win-45mo0eqvg4g RemoteMachine   Opened        Microsoft.PowerShell     Available

PS> Invoke-Command -Session (Get-PSSession) -ScriptBlock {Hostname}
WIN-45MO0EQVG4G

[edit] New/Disconnect/Remove

The process should be to Create a NEW session > DISCONNECT the session (but leaves in history) > REMOVE the session (removes from history).

PS> New-PSSession -ComputerName win-45mo0eqvg4g -Credential win-45mo0eqvg4g\Administrator
PS> Disconnect-PSSession (Get-PSSession)
PS> Remove-PSSession (Get-PSSession)

[edit] Code Reference

[edit] Bitbucket ouath authentication and git clone

 $Body = "grant_type=client_credentials"
$creds = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes('iuondfijondsjkofnsdofjnc:hdfiohnwdfjndsjofnjodsnfjodsnjofndsoj'))
$access_token = $(Invoke-WebRequest -Uri "https://bitbucket.org/site/oauth2/access_token" -Body $Body -Method 'POST' -Headers @{ 'Authorization' = 'Basic ' + $creds } | Select-Object -Expand Content | ConvertFrom-Json | select access_token -ExpandProperty access_token)
 
Start-Process -FilePath "C:\Program Files\Git\cmd\git.exe" -ArgumentList "clone https://x-token-auth:[email protected]/repo/project.git" 

[edit] Dockerfile WinRM & SSH

example of a dockerfile that uses the powershell core 7 public docker image to connect to host

#Image contains all the tools necessary to connect via powershell (winrm) to pwsh 5.1 along with ssh
#cannot build without the ssh private key being in the build directory
#sudo docker build -t "pwshcore-wsman:Dockerfile" .
#vpn connection needs to be running on the docker host if required for connectivity to computers
#example connecting via ssh (22)
# ssh -i id_ed25519 [email protected]
#example connecting via winrm (5985)
# pwsh
# $username = "<username>"
# $password = "<password>"
# $computer = "<computer>"
# $securePassword = ConvertTo-SecureString $password -AsPlainText -Force
# $credentials = New-Object System.Management.Automation.PSCredential ($username, $securePassword)
# Enter-PSSession -ComputerName $computer -Credential $credentials

FROM powershell7:latest
LABEL maintainer="root"

SHELL ["/bin/bash", "-c"]

RUN DEBIAN_FRONTEND=noninteractive apt update -y
RUN DEBIAN_FRONTEND=noninteractive apt upgrade -y
RUN DEBIAN_FRONTEND=noninteractive apt install -y iputils-ping ansible telnet vim tcpdump git python-is-python3 python3-pip
RUN DEBIAN_FRONTEND=noninteractive apt install -y wget apt-transport-https software-properties-common sshpass gss-ntlmssp netcat curl
RUN sed -i '/\[provider_sect\]/a legacy = legacy_sect' /etc/ssl/openssl.cnf
RUN sed -i '/\[default_sect\]/a [legacy_sect]\nactivate = 1' /etc/ssl/openssl.cnf
RUN sed -i '/\[default_sect\]/a activate = 1' /etc/ssl/openssl.cnf
RUN pwsh -Command 'Install-Module -Name PSWSMan -Scope AllUsers -AcceptLicense -Force -Confirm:$False; Install-WSMan -Verbose'
COPY id_ed25519 /id_ed25519
RUN chmod 0600 id_ed25519
Personal tools
Namespaces

Variants
Actions
Navigation
Mediawiki
Confluence
DevOps Tools
Open Source Products
Ubuntu
Ubuntu 22
Mac OSX
Oracle Linux
AWS
Windows
OpenVPN
Grafana
InfluxDB2
TrueNas
MagicMirror
OwnCloud
Pivotal
osTicket
OTRS
phpBB
WordPress
VmWare ESXI 5.1
Crypto currencies
HTML
CSS
Python
Java Script
PHP
Raspberry Pi
Canvas LMS
Kaltura Media Server
Plex Media Server
MetaSploit
Zoneminder
ShinobiCE
Photoshop CS2
Fortinet
Uploaded
Certifications
General Info
Games
Meal Plans
NC Statutes
Politics
Volkswagen
Covid
NCDMV
Toolbox