SANS Penetration Testing

Pen Test Poster: "White Board" - PowerShell - Get Firewall Rules


By Matthew Toussain, Grant Curell
Updated - 3/14/2017

 

Concealed within his fortress, the Lord of Mordor sees all? And with PowerShell we can too!

 

Microsoft has truly given system administrators and computer hackers alike a gift: the gift of vision. Take, for instance, PowerShell's output, format, and export functions. Most scripting languages are built to be lean, efficient, and capable. PowerShell manages all three while natively supporting a host of features to retrieve data and walk through it, step by step.


Methods Covered in this Section

Get-NetFirewallRule display rules:

Get-NetFirewallRule -all

Get-NetFirewallRule basic formatting (list of names):

Get-NetFirewallRule -all | Format-List -Property Name

Get-NetFirewallRule in grid view:

Get-NetFirewallRule -all | Out-GridView

Get-NetFirewallRule export to csv:

Get-NetFirewallRule -all | Export-Csv <file_path.csv>

Firewall rules via comObjects:

$(New-object -comObject HNetCfg.FwPolicy2).rules | Format-Table -Property name, protocol, localports

 

PowerShell cmdlets are built around the concept of objects. To display a list of all firewall rule objects run the command below.

 

Get-NetFirewallRule display rules:
Get-NetFirewallRule -all

 

The robust formatting capabilities of PowerShell would not be possible without its object oriented design. For example, because we are interacting with firewall rule objects we do not have to parse the results of our command line-by-line. In bash, we would have to use some combination of the cut, grep, sort, and uniq commands to have even the slightest chance at transforming the above data into the list below.

 

Get-NetFirewallRule basic formatting (list of names):
Get-NetFirewallRule -all | Format-List -Property Name

 

The Format-List cmdlet is the most basic method to control and format object information with PowerShell. Where the first command spewed lines of data, Format-List (limiting by the Name property) is able to present a list of all firewall rules by name.

 

A more robust output format is Out-GridView. It sends command output into a specialized grid view window, where it is displayed in an interactive table:

 

Get-NetFirewallRule in grid view:
Get-NetFirewallRule -all | Out-GridView

 

Grid view can be exceptionally handy as part of a clickable script allowing for quick spreadsheet viewing of large datasets without ever delving into the command line. As a result, it proves particularly useful for technical experts to make their results accessible to less specialized analysts. Its direct interactivity and built-in search filter only make it more useful.

 

Even more extensibility is possible by leveraging the export set of cmdlets. PowerShell natively supports several export mechanisms including ConvertTo-Html and Export-Csv.

 

Get-NetFirewallRule export to csv:
Get-NetFirewallRule -all | Export-csv <file_path.csv>


 

Bonus Command — Firewall Rules on Windows 7

There is one major downside to the NetFirewall series of cmdlets: they are not supported on Windows 7 and older systems, even when their PowerShell version has been upgraded past version 3.0. Fortunately, we can still arrive at similar functionality within PowerShell via a clever little hack. Using the Microsoft Component Object Model (COM), a set of features introduced in 1993, lets us build backwards compatibility into our PowerShell scripts. Behold!

 

Firewall rules via comObjects:
$(New-object -comObject HNetCfg.FwPolicy2).rules | Format-Table -Property name, protocol, localports
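Objects returned by Get-NetFirewallRule carry no port information (ports live on separate filter objects), while the COM rules expose protocol, direction and action as numbers. The following added example, which is not code from the original post, combines both approaches into one report of enabled inbound Allow rules for reviewing a host's exposure. The function name Get-InboundAllowRule and the lookup tables are assumptions of this example.

```powershell
# Added example (not from the original post): enabled inbound Allow rules with ports.
function Get-InboundAllowRule {
    if (Get-Command Get-NetFirewallRule -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later. Rule objects carry no port data,
        # so each rule is joined to its port filter and address filter.
        Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
            $port = Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_
            $addr = Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_
            New-Object PSObject -Property @{
                Name          = $_.DisplayName
                Profile       = [string]$_.Profile
                Protocol      = [string]$port.Protocol
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }
    else {
        # Windows 7 and older: same report through the HNetCfg.FwPolicy2 COM object.
        # COM rules use numbers: Direction 1 = inbound, Action 1 = allow,
        # Protocol is the IP protocol number, Profiles is a bitmask.
        $protoName   = @{ 1 = 'ICMPv4'; 6 = 'TCP'; 17 = 'UDP'; 58 = 'ICMPv6'; 256 = 'Any' }
        $profileName = @{ 1 = 'Domain'; 2 = 'Private'; 4 = 'Public' }
        (New-Object -ComObject HNetCfg.FwPolicy2).Rules |
            Where-Object { $_.Enabled -and $_.Direction -eq 1 -and $_.Action -eq 1 } |
            ForEach-Object {
                $rule  = $_
                $proto = $protoName[[int]$rule.Protocol]
                if (-not $proto) { $proto = [string]$rule.Protocol }   # unnamed protocol number
                $profiles = 1, 2, 4 | Where-Object { $rule.Profiles -band $_ } |
                    ForEach-Object { $profileName[$_] }
                New-Object PSObject -Property @{
                    Name          = $rule.Name
                    Profile       = $profiles -join ', '
                    Protocol      = $proto
                    LocalPort     = $rule.LocalPorts
                    RemoteAddress = $rule.RemoteAddresses
                }
            }
    }
}

# Print the report; pipe to Export-Csv instead of Format-Table to keep a copy.
Get-InboundAllowRule |
    Select-Object Name, Profile, Protocol, LocalPort, RemoteAddress |
    Sort-Object Profile, Name |
    Format-Table -AutoSize
```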

 

Conclusion

PowerShell is magical. Consider for a moment what just went on under the hood as you executed these ultra-simple one liners. Controlling, managing, and formatting information is an inherent facet of PowerShell. As such, its application is not limited to viewing the Windows firewall setup. Let the situation and your imagination drive its usage! Remember: No matter how much data you are presented with, through PowerShell you are the Dark Lord, and YOU. SEE.. ALL...

 

SANS Note:

Matthew Toussain is teaching SANS SEC560: Network Penetration Testing and Ethical Hacking in Reston, VA in May and in San Antonio in August. Or you can take SEC560 at any time, online, by taking it OnDemand.

 

Upcoming SANS Pen Test Training Opportunity: SANS Pen Test Austin 2017
