
@ISC2PGHChapter - Hands on Scripting lab with PowerShell and Python

BSides Peru · 47:55 · 233 views · Published 2017-09
About this talk
(ISC)2 Pittsburgh Chapter - Hands on Scripting lab with PowerShell and Python (bring a laptop). Labs: Packet Capture Analysis with Python, Network Flow Analysis with Python, Host Intrusion Detection with PowerShell, Windows Filesystem Scanning with PowerShell. Presenter: Joshua Acklin, Cyber Security Engineer, CERT. Introduction and completion of these labs.

Packet Capture Analysis with Python
This lab covers Python 2.7, and all content revolves around the most recent version of Python 2.7. Students walk through a basic Python guide and, upon completion, create a simple Python application that identifies unique IP addresses within a packet capture (pcap). Using the lab guide, students create a Python class with functions that sift through a large pcap, identify IP addresses, compare them against known IP addresses, and make logical decisions about adding an IP address to a Python data structure.

Network Flow Analysis with Python
This lab is a continuation of Packet Capture Analysis with Python. Students are provided a Python script skeleton, PacketSniffer, from which to create a custom passive network flow analysis application. Using the Python library pyshark, students create Python objects to analyze network flow. Upon completion of PacketSniffer, students monitor a probe within an adversary's network to identify IP addresses, ports, protocols, and anomalous behavior.

Host Intrusion Detection with PowerShell
This lab is a continuation of Windows Filesystem Scanning with PowerShell. Students are provided a PowerShell script skeleton, PowerHids, from which to create a custom Host Intrusion Detection System. PowerHids creates a Windows system baseline and runs a periodic monitoring check against that baseline. The Windows subsystems students are expected to monitor are the file system, the Windows registry, the network, and running processes. Upon completion of the PowerHids script, students monitor a Windows system and identify changes.

Windows Filesystem Scanning with PowerShell
This lab introduces the fundamental basis for creating scripts in PowerShell. Students learn some of the key aspects of PowerShell: how to traverse a Windows system identifying key cyber terrain, and how to identify systems that have been manipulated. Key concepts include the purpose of PowerShell, the use of PowerShell's programming paradigm to create effective scripts, and the four core aspects of a Windows system (network, processes, files, and the registry). At the conclusion of this module, students will understand the concepts and the development of a script that traverses a Windows file system to create an effective baseline to compare against. No experience necessary.
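The first two labs above (and the PacketSniffer IP object the presenter walks through later in the transcript, an IP address plus a dictionary of services keyed by protocol) can be illustrated without pyshark. The following is an added example, not the lab's own code: a dependency-free parser for the classic libpcap format that collects every IPv4 address in a capture, flags the ones missing from a known-hosts list, and records the services observed per host. The pcap bytes, KNOWN_IPS and the class/function names are all constructed for this example.

```python
"""Unique-IP and per-host service extraction from a libpcap file (added example)."""
import socket
import struct

PCAP_MAGIC = 0xA1B2C3D4
ETH_IPV4 = 0x0800
PROTO_NAMES = {6: "tcp", 17: "udp"}


class HostServices:
    """One observed IP address plus the services seen on it, keyed by protocol name."""

    def __init__(self, ip):
        self.ip = ip
        self.services = {}  # e.g. {"tcp": [80, 22], "udp": [53]}

    def add_service(self, protocol, port):
        ports = self.services.setdefault(protocol, [])
        if port not in ports:
            ports.append(port)


def iter_packets(pcap_bytes):
    """Yield raw frame bytes from a classic (non-pcapng) capture, either byte order."""
    magic, = struct.unpack("<I", pcap_bytes[:4])
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a libpcap file")
    offset = 24  # global header: magic, version, tz, sigfigs, snaplen, linktype
    while offset + 16 <= len(pcap_bytes):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", pcap_bytes[offset:offset + 16])
        offset += 16
        yield pcap_bytes[offset:offset + incl_len]
        offset += incl_len


def parse_ipv4(frame):
    """Return (src, dst, proto, sport, dport) for an Ethernet II/IPv4 frame, else None."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETH_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    proto = frame[23]                      # protocol field at IP offset 9
    src = socket.inet_ntoa(frame[26:30])
    dst = socket.inet_ntoa(frame[30:34])
    l4 = frame[14 + ihl:]
    sport = dport = None
    if proto in PROTO_NAMES and len(l4) >= 4:  # TCP and UDP both start with the port pair
        sport, dport = struct.unpack("!HH", l4[:4])
    return src, dst, PROTO_NAMES.get(proto, str(proto)), sport, dport


def analyze(pcap_bytes, known_ips):
    """Build {ip: HostServices} for every host and return (hosts, sorted unknown IPs)."""
    hosts = {}
    for frame in iter_packets(pcap_bytes):
        parsed = parse_ipv4(frame)
        if parsed is None:
            continue
        src, dst, proto, sport, dport = parsed
        for ip in (src, dst):
            hosts.setdefault(ip, HostServices(ip))
        if dport is not None:  # the destination port is the service being contacted
            hosts[dst].add_service(proto, dport)
    unknown = sorted(ip for ip in hosts if ip not in known_ips)
    return hosts, unknown


def build_frame(src, dst, proto, sport, dport):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame (sample data, not a real capture)."""
    eth = b"\x00" * 12 + struct.pack("!H", ETH_IPV4)
    payload = struct.pack("!HH", sport, dport) + b"\x00" * 16
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def build_pcap(frames):
    """Wrap frames in a little-endian libpcap global header and per-record headers."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)
    return header + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


# Constructed sample: two known hosts exchanging HTTP and DNS, plus an unlisted host hitting SSH.
KNOWN_IPS = {"10.0.0.5", "10.0.0.10"}
SAMPLE_PCAP = build_pcap([
    build_frame("10.0.0.5", "10.0.0.10", 6, 51000, 80),
    build_frame("10.0.0.10", "10.0.0.5", 6, 80, 51000),
    build_frame("10.0.0.5", "10.0.0.10", 17, 40000, 53),
    build_frame("192.168.1.77", "10.0.0.10", 6, 44444, 22),
])

if __name__ == "__main__":
    hosts, unknown = analyze(SAMPLE_PCAP, KNOWN_IPS)
    for ip, host in sorted(hosts.items()):
        print(ip, host.services)
    print("not in known list:", unknown)
```

Reply traffic shows up as a high ephemeral "service" on the client (51000 on 10.0.0.5 here); a real analysis would filter to well-known ports or track connection direction, which is the kind of decision the lab leaves to the student.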
Transcript [en]

started to grow much possible dice and squared thanks for coming pizza's here and Vincent ladies rooms around the corner mercy exit is out that door we have a fire so tonight we're gonna give this cryptic a couple of announcements real quick we'll discover things about the chapter what we've done things over the summer and any questions feel free to stop sitting there oh so agenda tonight we'll just talk a little bit about the high school event we have a holiday party coming up there was a lot of discussion that one of the meetings I see Square meetings about certification so NIST has come out with information about cyber security training in skill sets so that's kind of fascinating we'll

take a look they actually have some data with little caramel quick there's a lot of questions about what certain should I take didn't think that's a look at the data thanks to Josh it started so this summer we did a high school cybersecurity event while we help assist with that Jonathan were are you right a month yeah so our high school bed you'll notice that we'll make sure it was literally right here we use this room in the room over there we have 75 students it's a partnership between ice and square and cert works out because we can get funding through sponsors that's Rises greater than certain kind provides these bodies in the contents of that so

this year we had tons of volunteers of a lot of interns and stopped working for us so summer use them use them and they've turned out be good event these high school students each year we do this press me more and more each time like they do the same kind of exercises that one of our director uses for grad students here at C we knew this grad students so yeah it's a good event they seem to be engaged I kind of always gauge how excited the students are about the stuff by how long it takes before them starts with me a knack for playing video games as we give them you know that restricted access to the Internet

and so like I said each year you know that time goes a little bit further each time out maybe after two and a half hours little cycling video games yeah

Chris Valasek came and talked them do that Chris G packing David talking obviously thank the sponsor for the high school event Uber Dragos security risk advisors trusted sick Cisco and obviously certain college so big thanks for them because without them so real quick got one thing I found on the new knit state honor 181 workforce framework so they went through and categorized security skills for various jobs the link is there they also have a career path webpage so you can look at if you're a junior security analyst where people go next in the field and the different skill sets they have so we have a lot of discussion about certifications and people ask well what certifications should I take this

is what the data says I thought it's kind of fascinating so the orange is certification holders openings I would open requesting certification so you can see which ones are in demand I don't know where they got the data from and I know that lease is the acronym of the governor organization is putting together the framework for training yes so it's possible they did actually surgery so I'm on the webpage didn't find it by thought it's kind of interesting and CompTIA people say should I get the secured security plus you know we had a lot of conversations more about the CISSP and Gi so take a look to get a chance fascinating to see that kind of thing any questions yeah we

ready to get the pictures from the cyber seat thought work cyber seek SDK the ti-84 sponsors but if you look at it you know there's a wait too many people that are certified Security Plus the Predators demand I just thought that was interesting side by side I we had talked about surf before I had Security Plus so they didn't get much mileage out of it it's different that's where you gotta get any questions or comments okay so on this Vista thanks for putting this together we really appreciate it good evening everybody my name is Josh Acklin quick thing is I can bubble sometimes or get to faster to the science so I mean you slow down or speak

more clearly or loudly let me know a little introduction about me as I am a cyber security engineer here at CMU the cyber workforce development might create a lot of technologies that emulate real world systems and at the end they're like wow this is really cool we want you automate it and set the scripts up and immediately have this on-demand repeatable and usually I might have a master's in software engineering from Auburn University more Eagle I am also a cpt member and an operator now and the airfares and there was a ICP team member and me harmony for about ten years so I'm planning to get into meat potatoes over here so what is scripting this

course is gonna be about scripting and put it into how it to be used word to make us more efficient better more I guess productive individuals this cooking characteristics program is bringing real-time environments or shells and our automating and tasks so these are just simple scripts or simple file that you know repeatedly and efficiently do tasks or get information to gather information from our systems there are interpreted and traditionally not be piled so this is real-time so it's a structure of a script is something like how you would do or implement a command on command line shell and traditionally execute line by line so it's not like traditional object or and programming or you define classes

or functions its line by line on executing commands and getting that return and I'm gonna doing something with it or I'm just going on to the next and these are maybe the easy to use easy to learn and easy to read so this is something that is fun and easy to do okay where the goals goals is the audience I'm gonna be able to do complete these tasks without having to run each of manned by hand if your script takes longer to run than it is for you to put it in there by hand them y'all give you strictly you'll need to be doing I complete many operation easily and quickly so if I can put about

15 to 20 command and run this script you know run same way each time it'll run much quicker than I can talk and then display the information and that desire for mattresses I want to know what my system is doing or a certain information I want to format that information so I can read it for other people but I want it to be able to give me real-time information a real result of the way I can make decisions and supposed to be easy and fun so now you can do a lot of really cool stuff you can get a lot of really robust information from these scripts that you're designing you can make quick animation like why I'm learning to

script it because the automation unleash this big thing right now everything's being automated everything's being by easily repeatable we wanted to bring down the numbers or people that were using on my team and one it'll be more efficient with less resources productive and we're being asked to do more things or be asking works or more tasks one day time of day so having more training being able to automate our job or our certain tasks that I go will free up the menial work that we'd have to do it in order to have us be able to do the more interesting work the more impactful and citizens are becoming more and more complex so that means stuff like I just

said if we can make that if I could complete those tasks really rapidly want or efficiently then I can start focusing on the more complex more difficult things and it we're taking our three or four person team and clean them into one person so they can click these tabs and be doing and then finally be able to set a schedule and execute scripts prove your schedules so like you're doing the next in or doing a scan of your network and you don't want to do it you're in peak business hours or peak times so you can schedule a cron job to do it at midnight and get that information in the morning or you can periodically check

your systems and your host intrusion systems and see where you're at or something about how vulnerable are you or a surtax so you can schedule these it's looking neat and then multi tasking and time sake so I can rapidly rapidly execute a wide array of commands or tasks it with a Sigma precedent that's that's the biggest thing I want to be able to do the most I could possibly do that the execute of many tasks I can ensure is another and you can do multiple scripts asynchronously so if I need to run a scan as well as read information from another system then I can create scripts or applications that will do that for me and then I can

monitor both the systems I can displaying information here one command-line interface many complain or I can create GUI sport it's whatever you will need and you can create a can execute commands to a decision tree so if my system is not up then I want to be able to kick it on and then I want to check again donata kick it on check again so it to make decisions on what you want to do okay so I know I've been topping off it quickly so the scripting language of types so there's five main types really now there's probably a lot more love able to identify you have your blue languages these are your conduits between your

system and certain applications an example of this would be Python in general so it can interact with an application such as if you're happy your Apache web server or web hosting server and it can translate that information from that and send it to your system or vice versa and most written language install within this characteristic these five types aren't scripting languages don't end up in one of these realms they can exhibit multiple characteristics of all these so it can be a subset or to be all-encompassing um sorry exactly languages all and they could perform a wide array of system function next we have shell scripting which is what most of us are used to to the bash shell or power

source can be your PowerCLI you'd be aware this is an interface to your system or into your system that you can interact with in order to interact with certain systems within your certain subsystems within here next you have your GUI scripting that is for your testing or on automating six on a screen so if you have you're an app developer and you want crazy spring it constantly presses a button to see when it breaks it should be something we've developed for that and you have application-specific scripting which is designed for by developers to interact with that software or application love example of this would be PowerCLI for VMware it specifically made interact with VMware tools with VMware

environment and the application developers etcetera and all these miracle man like interface so they're supposed to be an interface which and the operator would end up you know utilizing in order to get information back perform tasks or interact movies then finally extensions and edibles so these are things like hooks so there's certainly we had a chat sir we wanted to be able to identify whatever this chat server I got a message and being able to respond to that message so you put in a hook so this is an on application specific interaction with an application so it's saying I'm going to do this like an API call or web you can call so I'll do a post you know we need

the last call or what's the last message is listed and we're cooking to that that application and pull up information blue line and then finally a career translations between multiple languages example JavaScript or ECMAScript alright it's just a way to interpret information from multiple different languages I'm go over a couple of samples of some bachelor arts on scripting language I guess the biggest one obvious - and I don't know how many of you are as well bash scripting this is a UNIX shell ring see at the pier scripting language well it's a functional language meaning I perform a function and I get you know stuff back or something happened to the pieces it's not compiled but interpreted

so you get very compiler from it you just need an interpreter on the tasks that you design the results are returned as a string and you can manipulate those results any way you see fit by either piping display or or assigning a new variables are just ignoring next it is batch scripting this is Windows batch scripting so this is a PMDD interface so anything can be run on sandy yonis command wash all the windows can be executed here it's the same thing as - pretty much files are in plain text compiled that's done an executable and execute any commands that can be sent to your CLI the performs logical operations such as statements all that stuff it's not

compiled and interpreting and the result of the symptom it's the string that returns and you can manipulate either by piping assigning displaying PowerShell now PowerShell is in chrome powerful because power feels different because it turns everything into an object objects can be acted upon objects and have attributes and functions associated with other projects but it why would you do manipulate a display information and a much easier much less complicated way it's much more powerful Microsoft created PowerShell command line shell which I caught today which is kind of cool that it is almost impossible and such as sent to us or me - I thought that was purely a way those things every day I can execute a mixture between

cmdlets which cmdlets are PowerShell specific applications applications feature set their scripts if you make yourself and execute this is a pure object-oriented programming language scripting language in which everything is an object that can be acted upon manipulated or have functions called this supports piping and object creation so you can create your own objects that can be acted upon manipulated and it's a modern scripting or Server 2016 is my absolute fair should be Evelyn spirit so then easy Python people like to say this is a scripting language and I say no the object-oriented functional multi faceted awesome language I guess it's a high-level programming language meaning that it is in almost plain text it's interpreted by your system converted

into binary and exit at the general-purpose language meaning that it can be utilized to fulfill functions of scripting by being system calls it is an interact with any system so volve you install Python 2 onto your system you can make system calls in whatever format that that system will read on the libraries that support scripting functionality such as writing straight system or OS on and designed to be easily used red and white so this is people took what they learn from C C++ and Java it sit out like that at all I make it love it easier to use for the more robust and Python for has very large development community and they many libraries in which you can utilize

and be able to grow into and it's a very strong and powerful which gives us to today's activities here at CMU we created four labs in which to practice and learn scripting the first one is our pcap analysis with Python this is a more of a beginner so if you've never really been so Python or just really new to it this is a step by step how to learn part how to use how to create your own application and - how to pretty much how Python or each other at the end of it you'll end up doing a pcap analysis script or application in which you can identify systems it's just a behavior within the pcap so if you guys don't

have any Python experience or you're new to it I suggest you do this one after that you have Network flow analysis with Python this is more for your intermediate not really advanced but you know Python you've done for a couple years you feel pretty strongly but I suggest this one this one has little or no guidance or instruction but at the end of you you're creating a passive network a scanner to identify system capabilities and if you are a Python expert and you're like I've never touched PowerShell before and I wanted to try something new I suggest the PowerShell the same format the Windows file system scanning with PowerShell it is a how to realize

cmdlets executables and functions within PowerShell and at the end of it we'll do a baselining of Windows file system in which you create a baseline that week you can compare against so identify a flavor citizen finding manipulate and then finally you have HIDS our host intrusion detection system the talk show this is for you intermediate this is a done PowerShell philosophy comfortable with it I'm going to go ahead and do this one once again feeling of instruction by instruction above all teach a whole lot spective you don't kind of know what you're doing with a function correction and we'll go ahead and create a hosted system detection system that creates baseline of your file system you're running

processes your network connections as well as your Windows registry and then you'll be able to compare that baseline against there's just some changes in the identified changes in your system so once again they're the four labs are if you know I'm a rock star PowerShell never missing Python them new Python your rock star with five songs ever done partial compliance person work just for intrigued about now but they don't have any questions about script angel for all right direction they would like to have any thing to act what I was talking about went awfully quick anybody has any questions I'll be sitting over here and good luck thank you very much so when we

take that break the bathroom / eating pizza break or meeting up at the end as well me too have you anybody that doesn't have an account on this side really forward if you've never heard of it I'll have you come up and type in your email address the main page

the main page will search for this fundamental basis of scripting course and then here's the first of the three of the four and then the other three are below that but kind of piggyback off of what Josh was saying if you are new to us we we developed training for the government specifically the military specifically for this purpose was the Air Force but we don't do slides and stand out the fact I've just made a making slides before before we came in here just to give you a little bit of an overview but the most part you know the expectation that when we go to the Air Force is that they are familiar with scripting at some level and there's a

couple versions of our learning management system some are like community only and somewhere classified and stuff like that but this one time to leap forward is very much or public outreach we use this with high school event don't use it for his classes people all around campus music or other types of classes then you'll have access to this so there's you know what kind of different material lots of different labs like this on other topics besides scripting there's a hands-on labs category and the courses that give you access to all of those labs there's you want to learn about Cisco's see sense or CH version H or version 8 you could take a course on that so again we do do this

a little bit with wheelies used to do in terms of the lecture piece but the most part our main primary mission goal is to create hands-on labs and huge large-scale exercises that are like this lab environment times hundreds of systems but that's a whole other another so yeah so once you're in here this is the home page as you all know this site at script name and I'm already in progress on this one but for you or show up on this available tap under courses available and right here would be a link for you that says enroll so you can actually enroll in the course and then it moves over to this courses in progress

and then if you jump into the progress we'll just take a look at that interface for a moment here we don't do these hands-on things every month that we have meetings but every couple we like to switch things up between different speakers and the hands-on stuff so just by our with the defaults there and then hit connect show up so you can actually download the directions to and a have off to the side up here and this is the lab guy we call it but it will also show up on your scenario tab as well and then that lab guy I'm assuming that the first step is go to your math

yeah so now gate to your Madam's workstation so half there's our workstation and it will bring you in and you'll follow the directions

about town this is the quiz that I've stopped in the vault and then on the dashboard inside of the step by step line it will say like over the dashboard and trigger one of these buttons for that great to happen the score in your upper right corner there will go up if you pass that section or able tell you that correctly this big purple boxes up but you can run that multiple times so you're not dead in the water

okay

one tip is

one tip is you this is a Linux box looking we need to jump out up here if you control it will bring you office you can actually click on some middle ground where's mess does this have the PowerShell running on the Linux yep our shell is lunch the two PowerShell there's more boxes out there than just this one that you see on the map but we don't give you access

just running through the second member four labs again what pay attention feel free to just keep doing it okay so I'm gonna fit a packet sniffer application on the second lab this one is confusing library plus pyshark is that that blue sprint the next Wireshark and the Python shell and gives us information from you know PCAST alive so when we go to our last year when we create hype the object this object that the taste consists of two two variables one of the IP address the IP address which is just a screen ID and the other one is a dictionary that is when you get the services that is within this IP address we're going to

create the variables and the next we're going to go ahead and how to do it service well the service is going to be a list that's going to be added to the dictionary and the key to the dictionary is little protocol so this is going to be a tcp UDP but if you want to expand on the script you do whatever you so we're gonna do and have the protocol is define and self up service we have to reference or sell then we're gonna happen now a lot of people say the Python the spacing can be one two or four deputies isn't a task but industry is standard and how are you is the death always is four spaces just

matter what always equal not program another language

we create our ray but if it is defined within you I'm real quick exclaimed comedian albums significance of the spaces versus the temps we were actually just having this conversation so traditionally you have brackets and most languages will have brackets for your code block in Python uses spacing or tabs so this is your code block when you step into your your function or your block of code you use spacing for that either be one two or four spaces or single that you have to be consistent you can't have a mixture between tabs and spaces or you know one space here four spaces there you have to maintain consistency that is there a significance between using four spaces versus not

like you said Easter savories four spaces why wouldn't he just one tab tabs are interpreted under different for different OSes so a tab in Linux is interpreted different add in Windows so if I'm trying to bring a script / - how does issue a lot so I'll be on my host machine do me in my Mac and they're not bringing it into a synth office machine and all my space is jacked and so I have to read you a half of it that's your country good thing if it's not it's not within so it's not the fine

and by default I file returns none so saying return none as we've done it it's just when you're defining your headers and your funding definitions we don't have anything there it's going to give you an engine so this is our IP object we're going to go ahead and check the body

wait while we're waiting for that to kick in okay so next if you are for helper function a helper function is something it's really functional so it is given information and it returns information doesn't add to an object this is part of the object of our class it's just purely you know making decisions and giving you consultants so we're gonna read that IP and we're going to define all the IPS at heart defined within our a global variable which is called a packet yeah packet IP which is the global dictionary and that's just collection of everything we've learned

so I'm going the top tells you to define global global variable takagaki iPhone development but it works with variables if sometimes you have to define whether it's a global variable or multiple with dictionaries and arrays and sorry the dictionaries and arrays that you don't have to it's already understood unless you create a book but with integers strings or something like that you have to fight within the multi so we're going to go ahead and do if I peanut sauce with an IP of a packet object which has a source I between a destination if IP downforce

okay IP box then take their token what we're going to append it to our list this list it's just a list of undefined I peace within

we're going to return this so if you can G read the function header to the documentation good if your function name description of what that function does function it performs your including your outfit so we're going to be returning a string a list of unique screws it's going to be

anything for a repro poll except here we have to check two different

but the protocol saying

so that's behind then we have to decline as well as

now this is asking for a tuple of the information the difference between an A List and a tutu is you can reassign and exits in a list you can out in the tool well it's a one-time pad

per our instructions girls care about source IP the source ports and destination IP destination

we're only worried about the source so this is going to be acting on result doesn't reach one team so that happy is going to be a list of unique IP addresses that are not defined within our

this is a tuple where the person next or zero is the IP address and then we're doing a new service which takes in two arguments which is the protocol name which is the second are effective to 1x and the service port which is an affair

so you can do an inline a finer than my mrs. Hall what the NIF things so I'm going to do it was nice today

had ID if I pee which I even emptier a it means there's no new I can't identify so insulting at them and have people but if it's true it'll run that command and so with that the whole tall he can run a command if it's true it's you have to next time afraid of just anything with the protocol

there's a real of course

this is using a library called versus way to get real-time updates in place on your terminal you want to watch a live information never were able to identify systems within the network really look at the tap listing process officials Biscay 3 and if any of this happened it has a 4.3 and 80 server you know kick reports or just our very important number so maybe they might be users in size so this is just something to think about when you're identifying systems

wait tell me what that is so I just shot up you see how it's just connecting all these points

11 in max game that's what an nmap scan looks like on a large P strike nickname

the display
