Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Powershell and HTTPS ? It Ain?t All Rainbows And Lollipops! (or is it?) - SANS Internet Storm Center SANS ISC InfoSec Forums

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Powershell and HTTPS ? It Ain?t All Rainbows And Lollipops! (or is it?)

Back in PowerShell school everyone discusses how great Powershell is for Windows functions, and an obligatory part of everyone powershell class is to cover off “Invoke-WebRequest”, which allows you to perform curl-like functions.  In fact, “curl” is aliased to “invoke-webrequest” in PowerShell.

In fact, this does work in most situations, for instance, let’s grab the ISC main page:

However, in a lot of cases a penetration tester is assessing network infrastructure – routers, firewalls, virtual infrastructure and so on.   Let’s take a look at a typical HTTPS request to say, a firewall API:

The problem?  Yup – it’s a self signed certificate, and PowerShell needs a “real” trusted certificate with a real CA, the whole 9 yards.  There’s no “-trust-it-anyway-its-all-good” parameter in the Invoke-WebRequest command.

What to do?  Luckily, Powershell is based on .Net (or dotnet, however you want to spell it), so there’s a way.  What I ended up doing was:

First, set the Certificate Validation Callback value in .Net

Next, create a temporary object, which will server as the .Net Webclient:

Finally ,invoke the web request using the temporary object.  Note that in this case the return value is in XML format, so I cast the variable.

The final result?  In this case it’s an API key for a Palo Alto Firewall which we then use to make subsequent calls to the REST API.

Let’s use the key to do something useful – for instance, grab the current configuration:

Note that “in real life”, or in real code, you’d have some error checks along the way to ensure that your https calls are successful (for instance, by using the “try” command).  In the Palo Alto API in particular, the API returns an additional value in the XML that gives us the status of the return – a really nice touch!

But really, that https call could be anything.  For instance, to return the running config on a Cisco ASA Firewall, we just need to add credentials to our variable, then change the called parameters a bit:

Or to show the current version:

Looking at the first few lines of $asaver, it looks exactly like you’d expect:

Ah – look the sun is coming out – and is that a rainbow?  Thanks Powershell! All we need is ah HTTPS unicorn now (stay tuned).


Rob VandenBrink

Rob VandenBrink

468 Posts
ISC Handler
Going to try this, thanks for the post!

Sign Up for Free or Log In to start participating in the conversation!