Working with the registry

Let's work with a Get cmdlet to nab some data from the registry, and then convert it into a different format for our use. It just so happens that the machine I've attacked is running the TightVNC server, which stores an encrypted copy of the control password in the registry. The encryption is notoriously crackable, so let's use PowerShell exclusively to grab the password in hexadecimal format, with the following:

> $FormatEnumerationLimit = -1
> Get-ItemProperty -Path registry::hklm\software\TightVNC\Server -Name ControlPassword
> $password = 139, 16, 57, 246, 188, 35, 53, 209
> ForEach ($hex in $password) {
>> [Convert]::ToString($hex, 16) }

Let's examine what we did here. First, I set the global variable called $FormatEnumerationLimit to -1. As an experiment, try extracting the password without setting this variable first—what happens? The password gets cut off after three bytes. $FormatEnumerationLimit controls how many items of a collection the formatter displays before truncating with an ellipsis; the default is meant to save screen space. Setting it to -1 is effectively saying no limit.

Next, we issue the Get-ItemProperty cmdlet to extract the value from the registry. Note that we can use hklm as an alias for HKEY_LOCAL_MACHINE. Without -Name, it will display all of the values in the Server key.

At this point, our job is technically finished—we wanted the ControlPassword value, and now we have it. There's just one problem: the bytes are in base-10 (decimal). This is human-friendly, but not binary-friendly, so let's convert the password with PowerShell. (Hey, we're already here.) First, set a variable $password and separate the raw decimal values with commas. This tells PowerShell that you're declaring an array. For fun, try setting the numbers inside quotation marks—what happens? The variable will then be a string with your numbers and commas, and ForEach is going to see only one item. Speaking of ForEach, that cmdlet is our last step—it defines a for-each loop (I told you these cmdlet names were self-explanatory) to conduct an operation on each item in the array. In this case, the operation is converting each value into base-16.
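The same read-and-convert procedure, wrapped into a reusable function, as an added example that is not from the book. It reads a REG_BINARY value by path and name, handles the case where the key or value is absent (so it can be run as an audit across hosts that may or may not have the software installed), and renders the bytes as zero-padded hexadecimal, which the bare [Convert]::ToString($hex, 16) call above does not do. The function name Get-RegistryBinaryAsHex is my own; the sample byte array is the one shown in the session above.

```powershell
# Added example, not code from the book. Reads a REG_BINARY registry value and
# returns it as an upper-case, zero-padded hex string, or $null if it is absent.
function Get-RegistryBinaryAsHex {
    param(
        [Parameter(Mandatory)] [string] $Path,   # e.g. registry::hklm\software\TightVNC\Server
        [Parameter(Mandatory)] [string] $Name    # e.g. ControlPassword
    )
    # -ErrorAction Stop turns "key or value not found" into a terminating error
    # that the catch block can swallow; otherwise the cmdlet prints and continues.
    try {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop
    } catch {
        return $null   # value not present on this host
    }
    $bytes = [byte[]] $item.$Name          # dynamic property lookup by name
    # 'X2' pads each byte to two hex digits: 5 -> "05", not "5". The book's
    # [Convert]::ToString($hex, 16) gives lower-case, unpadded output instead.
    return ($bytes | ForEach-Object { $_.ToString('X2') }) -join ''
}

# Constructed sample input: the decimal values printed in the session above.
# A comma-separated, unquoted list is an array of eight items ...
$password = 139, 16, 57, 246, 188, 35, 53, 209
$password.Count                                   # 8
($password | ForEach-Object { $_.ToString('X2') }) -join ''   # 8B1039F6BC2335D1

# ... whereas the same text inside quotes is a single string, so ForEach
# sees exactly one item. This is the quotation-mark experiment from the text.
$asString = "139, 16, 57, 246, 188, 35, 53, 209"
$asString.Count             # 1
$asString.GetType().Name    # String

# Without raising $FormatEnumerationLimit the formatter truncates long arrays
# when it displays them; the function above returns a plain string, which is
# never truncated, so the limit only matters for interactive display.
$FormatEnumerationLimit = -1

# Audit-style usage on a live host (path and value name as given in the book):
# Get-RegistryBinaryAsHex -Path 'registry::hklm\software\TightVNC\Server' -Name ControlPassword
```

Returning a string rather than echoing the array sidesteps the $FormatEnumerationLimit truncation entirely, which is why the function is the safer building block when the output is going into a script or a report rather than being eyeballed at the prompt.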

This is just one small example. PowerShell can be used to manipulate anything in the Windows operating system, including files and services. Remember that PowerShell can do anything the GUI can.
