PowerShell Remoting Exposed: How To Command Your Minions
We have many words to describe those who do the boss's dirty work: minion, henchman, and toadie. My personal favorite is "toadie", as referenced in A Christmas Story. You can tour the house just outside of Cleveland, Ohio. Of course I got my picture taken with the leg lamp.
"So what does 'toadie' have to do with PowerShell?" you ask. Everything. We PowerShell-writing IT pros are like emperors. We sit in the royal cube on the royal throne and make royal decrees like:
- "Go fetch hotfixes from those servers."
- "Fix that NIC setting on the DCs."
- "How many days until my vacation week?"
From this vantage point we write "toadie" scripts to go do our bidding across the empire. Call them "scripted minions" if you like.
Today we are diving into PowerShell remoting to understand five different methods for commanding our army of minions. We will also examine the protocols and requirements under the hood so we know exactly what we are getting. The information below comes from some testing in my home lab where I captured network traces of each remoting technology to see the ports, protocols, and protections employed between two Windows Server 2008 R2 member servers. The capture file is attached at the end of the article.
Method #1: The ComputerName Switch

| Item | Detail |
|---|---|
| Remoting command | `Get-Process -ComputerName computer1` |
| Protocols | RPC to the Remote Registry service (RRP) over an SMB2 named pipe |
| Port | 445 (SMB) |
| Data encryption | Encrypted |
| Supported OS | Windows 2000 and above |
| Data returned | Object |
| Pros | Works against older OSes; does not require WinRM |
| Cons | Limited to cmdlets that support the ComputerName switch, and each of those cmdlets brings its own transport underneath, so the port and protection shown here are for Get-Process only; the target's Remote Registry service must be running |
Method #2: WMI

| Item | Detail |
|---|---|
| Remoting command | `Get-WMIObject Win32_Process -ComputerName computer1` |
| Protocols | WMI over DCOM (RPC) |
| Port | 135 (RPC endpoint mapper), then a dynamic high port handed out by DCOM |
| Data encryption | Clear text at the default (connect-level) authentication; `-Authentication PacketPrivacy` turns on RPC signing and encryption |
| Supported OS | Windows 2000 and above |
| Data returned | Object |
| Pros | Works against older OSes; does not require WinRM |
| Cons | Dynamic high ports are awkward to firewall; transmits data in clear text unless you ask for packet privacy |
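The clear-text finding for WMI is a default, not a property of the protocol. As an added example (not code from the original article), the same Win32_Process query is run twice against a placeholder host, once at the default authentication level and once with RPC packet privacy, which is the switch a practitioner wants when DCOM cannot be replaced by WinRM:

```powershell
# Added example, not code from the original article. Same Win32_Process
# query two ways: DCOM at its default authentication level (what the
# article captured in clear text) and with RPC packet privacy.
# Assumption: computer1 is a placeholder host where the caller is an admin.
$Target = 'computer1'

# Default authentication level (Connect): the reply travels over 135 and a
# dynamic high port with the process list readable in a packet capture.
$plain = Get-WmiObject -Class Win32_Process -ComputerName $Target

# PacketPrivacy: RPC signs and encrypts every packet with the Kerberos or
# NTLM session key. Same ports, same live ManagementObject results, but a
# capture now shows only the RPC bind and opaque payloads.
$private = Get-WmiObject -Class Win32_Process -ComputerName $Target `
    -Authentication PacketPrivacy

'{0} processes via clear text, {1} via packet privacy' -f $plain.Count, $private.Count

# PowerShell 3.0 and later: make PacketPrivacy the default for every
# Get-WmiObject call in this session so nobody has to remember the switch.
$PSDefaultParameterValues['Get-WmiObject:Authentication'] = 'PacketPrivacy'
```

Packet privacy does nothing about the dynamic port problem; for that, the WinRM methods below are the answer.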
Method #3: PowerShell Remoting Interactively

| Item | Detail |
|---|---|
| Remoting command | `Enter-PSSession computer1`, then `Get-Process`, then `Exit-PSSession` |
| Protocols | HTTP (WS-Man), MIME, SOAP, XML |
| Port | 5985 (HTTP); 5986 if you configure an HTTPS listener |
| Data encryption | Encrypted: the SOAP payload is encrypted with the Kerberos/Negotiate session key even though the transport is plain HTTP |
| Supported OS | Windows 7/2008 R2 and above; older OSes with Windows Management Framework (PowerShell 2.0 and WinRM 2.0) installed |
| Data returned | None as objects: in an interactive session the objects stay on the remote host and only the rendered console output comes back |
| Pros | Single port required; supports any cmdlet; built in on Windows 7/2008 R2 |
| Cons | Requires WinRM 2.0 on older OSes; requires configuration on the target to allow it (Enable-PSRemoting or Group Policy) |
Method #4: PowerShell Remoting Commands

| Item | Detail |
|---|---|
| Remoting command | `Invoke-Command -ComputerName computer1 -ScriptBlock {Get-Process}` |
| Protocols | HTTP (WS-Man), MIME, SOAP, XML |
| Port | 5985 (HTTP); 5986 if you configure an HTTPS listener |
| Data encryption | Encrypted: the SOAP payload is encrypted with the Kerberos/Negotiate session key even though the transport is plain HTTP |
| Supported OS | Windows 7/2008 R2 and above; older OSes with Windows Management Framework (PowerShell 2.0 and WinRM 2.0) installed |
| Data returned | Deserialized object: the properties come back as a property bag tagged with the original type name, but the methods do not |
| Pros | Single port required; supports any cmdlet; built in on Windows 7/2008 R2 |
| Cons | Requires WinRM 2.0 on older OSes; requires configuration on the target to allow it (Enable-PSRemoting or Group Policy) |
Method #5: WMI Tunneling Through PowerShell Remoting

| Item | Detail |
|---|---|
| Remoting command | `Invoke-Command -ComputerName computer1 -ScriptBlock {Get-WMIObject Win32_Process}` |
| Protocols | HTTP (WS-Man), MIME, SOAP, XML |
| Port | 5985 (HTTP); 5986 if you configure an HTTPS listener |
| Data encryption | Encrypted |
| Supported OS | Windows 7/2008 R2 and above; older OSes with Windows Management Framework (PowerShell 2.0 and WinRM 2.0) installed |
| Data returned | Deserialized object |
| Pros | Single port required; the WMI query runs locally on the target, so no DCOM traffic crosses the network and the WMI data is encrypted on the wire by WinRM |
| Cons | Requires WinRM 2.0 on older OSes; requires configuration on the target to allow it (Enable-PSRemoting or Group Policy) |
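Methods #3 through #5 all hinge on the "requires configuration" row, and the "encrypted" row only holds if nobody has loosened the WinRM service afterwards. The following is an added example (not code from the original article) that enables remoting on a target and then checks the settings behind the single-port, encrypted claims; it assumes a domain-joined host, so Kerberos/Negotiate is available and TrustedHosts can stay empty, and uses computer1 as a placeholder name.

```powershell
# Added example, not code from the original article. Run on the target host
# in an elevated PowerShell. Assumption: the host is domain-joined, so
# Kerberos/Negotiate authentication is available and TrustedHosts stays empty.

# Creates the HTTP listener on 5985, starts the WinRM service, adds the
# firewall rule and registers the default session configurations.
Enable-PSRemoting -Force

# Listeners: expect one entry with Transport=HTTP and Port=5985.
winrm enumerate winrm/config/listener

# Settings that decide whether the "encrypted" claim holds, with the value
# each one should have.
$expected = @{
    'Service\AllowUnencrypted' = 'false'   # refuse clients that ask for clear text
    'Service\Auth\Basic'       = 'false'   # Basic sends the password itself
    'Service\Auth\Kerberos'    = 'true'    # mutual authentication of both ends
    'Client\TrustedHosts'      = ''        # non-empty means NTLM to unverified hosts
}
foreach ($path in $expected.Keys) {
    $actual = (Get-Item "WSMan:\localhost\$path").Value
    $state  = if ($actual -eq $expected[$path]) { 'OK ' } else { 'FIX' }
    '{0} {1,-26} = "{2}"' -f $state, $path, $actual
}

# Remediate the two that are most often wrong on a hand-built host.
Set-Item WSMan:\localhost\Service\AllowUnencrypted -Value $false
Set-Item WSMan:\localhost\Service\Auth\Basic       -Value $false

# Who is allowed to connect to each endpoint.
Get-PSSessionConfiguration | Select-Object Name, Permission

# From a client: a bare Test-WSMan sends an unauthenticated Identify request,
# so success only proves the listener is up. Add -Authentication to prove
# that the client can actually authenticate to the endpoint.
Test-WSMan -ComputerName computer1 -Authentication Default
```

The TrustedHosts check is the one to watch: a wildcard there lets the client fall back to NTLM against any name, which is exactly the situation where HTTP without a server certificate stops being safe.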
Now you have some ideas for collecting data remotely, and there are many variations on the examples above. For example, you can pass several computer names to the ComputerName switch:
Get-Process -ComputerName computer1, computer2, computer3
Or you can pipe a list of computer names into any of these commands:
Get-Content computers.txt | ForEach-Object { Get-Process -ComputerName $_ }
To scale remoting commands out to hundreds of computers, explore Invoke-Command with the -AsJob and -ThrottleLimit switches; by default it runs the script block on up to 32 hosts at a time.
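As an added example (not code from the original article), here is the fan-out form of method #4 carried through: one script block sent to every host in a placeholder computers.txt with a throttle, per-host failures kept instead of lost, results grouped by the PSComputerName that remoting stamps on each object, and a look at what "deserialized object" means in practice. It assumes WinRM is already enabled on the listed hosts.

```powershell
# Added example, not code from the original article. Fan one script block
# out to every host in computers.txt, throttle the fan-out, keep per-host
# failures, and summarise per host. Assumptions: computers.txt is a
# placeholder list of one hostname per line and WinRM is enabled on each.
$computers = Get-Content computers.txt | Where-Object { $_.Trim() }

# -ThrottleLimit caps concurrent connections (default 32). -AsJob returns
# immediately with one parent job that has a child job per computer.
$job = Invoke-Command -ComputerName $computers -ThrottleLimit 64 -AsJob -ScriptBlock {
    # Runs on each remote host. Trim the payload before it is serialised:
    # only these three properties cross the wire.
    Get-Process |
        Select-Object Name, Id, @{ n = 'WS_MB'; e = { [int]($_.WorkingSet64 / 1MB) } }
}

$null = Wait-Job $job -Timeout 300

# Children that did not complete (host unreachable, access denied, WinRM not
# listening, still running at the timeout) carry the reason in JobStateInfo;
# report them instead of letting them vanish.
foreach ($child in ($job.ChildJobs | Where-Object { $_.State -ne 'Completed' })) {
    $reason = if ($child.JobStateInfo.Reason) { $child.JobStateInfo.Reason.Message } else { $child.State }
    Write-Warning ('{0}: {1}' -f $child.Location, $reason)
}

# Receive-Job merges the completed children. Each object carries
# PSComputerName, added by the remoting layer, so grouping needs no bookkeeping.
$results = Receive-Job $job -ErrorAction SilentlyContinue
$results | Group-Object PSComputerName | ForEach-Object {
    $top = $_.Group | Sort-Object WS_MB -Descending | Select-Object -First 1
    '{0,-20} {1,4} processes; largest {2} at {3} MB' -f $_.Name, $_.Count, $top.Name, $top.WS_MB
}

# What came back is a property bag, not a live Process object: the type name
# is prefixed with "Deserialized." and methods such as Kill() are gone.
if ($results) { $results[0].PSObject.TypeNames[0] }
Remove-Job $job
```

Anything that needs a method on the remote object (stopping a process, restarting a service) has to happen inside the script block, on the host where the live object exists; the deserialized copy that reaches you is for reading only.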
For more information try these lines at the PowerShell console:
- Get-Help * -Parameter Computername
- Get-Help about_remote
- Get-Help about_remote_FAQ
- Get-Help about_remote_output
- Get-Help about_remote_requirements
- Get-Help about_remote_troubleshooting
- Get-Help PSSession
- Get-Help about_pssessions
- Get-Help about_pssession_details
Now go unleash your PowerShell minions!
Comments
Anonymous
May 27, 2011
Thanks for tonight's presentation. Good Deal!
Anonymous
September 13, 2011
thanks!