"Technology sharing" teaches you to use PowerShell's built-in port scanner

"Technology sharing" teaches you to use PowerShell's built-in port scanner

Introduction

To do port scanning, Nmap is the ideal choice, but sometimes nmap is not available. Sometimes just want to see if a port is open. In these cases, PowerShell can really shine. Let's talk about how to use PowerShell to implement the basic port scanning feature.

The PowerShell command used in this article

PowerShell Port scanner: Scan multiple ports for a single IP

1..1024 | % {echo (New-object Net.Sockets.TcpClient). Connect ("10.0.0.100", $_)) "Port $_ is open!"} 2> $null

Test-netconnection scan for a single port in an IP segment

foreach ($ip in 1..20) {test-netconnection-port 80-informationlevel "detailed" 192.168.1. $ip}

Scanners for an IP segment & multiple ports

1..20 | % {$a = $_; 1..1024 |% {echo ((New-object Net.Sockets.TcpClient). Connect ("10.0.0. $a", $_)) "Port $_ is open!"} 2> $null}

PowerShell Test Outlet Filter

1..1024 | % {echo (New-object Net.Sockets.TcpClient). Connect ("allports.exposed", $_)) "Port $_ is open!"} 2> $null

To implement a port scanner with just one line of PowerShell commands, we need to combine 3 different components: Create a series of objects, iterate through each object, and output the information for each object to the screen. In PowerShell, we can take advantage of its object-oriented features to help us implement this process.

PowerShell Port Scanner

1..1024 | % {echo (New-object Net.Sockets.TcpClient). Connect ("10.0.0.100", $_)) "Port $_ is open!"} 2> $null

Command decomposition

1) 1.. 1024-Create a series of variables with values from 1 to 1024

2) | -Pipe operator to pass the above object to the loop body

3)%-in PowerShell,% is the alias of the Foreach object that is used to start a loop. The loop body is the next use of the curly braces {} content.

4) echo-Prints the output to the screen

5) New-object Net.Sockets.TcpClient-Creates an instance of a. Net TcpClient class that allows us to establish a socket connection to the TCP port

6). Connect ("10.0.0.100", $_))-invokes the Connect function of the TcpClient class, with the parameters 10.0.0.100 and Port $_. Where $_ this variable represents the current object, that is, the number in this round loop (1). 1024)

7) "Port $_ is open!") -When the program discovers an open port, the screen prints "Port # is open!"

8) 2> $null-Tell PowerShell to encounter any errors that are not displayed

The port scanned in the example above is 1-1024, but can easily be changed to as (22). 53), (8000..9000) and other port ranges.

Another method available in PowerShell is to use the Test-netconnection command. The command uses the same method and can output more useful information.

Test-netconnection scan for a single port in an IP segment

foreach ($ip in 1..20) {test-netconnection-port 80-informationlevel "detailed" 192.168.1. $ip}

The biggest disadvantage of test-netconnection is that the command was introduced in the 4.0 version of PowerShell.

Command decomposition

1) foreach ($ip in 1..20) {}-loops through the numbers 1 through 20

2) Test-netconnection-test-connection is a tool for testing different kinds of network connections

3)-port 80-Check if 80 port is available

4)-informationlevel "Detailed"-Provides detailed output information

5) 192.168.1. $IP-For the IP address in the list, try to initiate a connection to port 80 in turn. In this example, the variable $ip is looped from 1 to 20

Of course, it is also possible to build a scanner that can traverse multiple ports on multiple systems.

Scanners for an IP segment & multiple ports

1..20 | % {$a = $_; 1..1024 |% {echo ((New-object Net.Sockets.TcpClient). Connect ("10.0.0. $a", $_)) "Port $_ is open!"} 2> $null}

This version of the scanner scans the 1-1024 port of the 10.0.0.1-20IP segment. Note that this may take a long time to complete the scan. A more efficient way is to manually specify the target port, as described in the following:

Scanner v2 for an IP segment & multiple ports

1..20 | % {$a = $_; Write-host "------"; Write-host "10.0.0. $a"; 22,53,80,445 |% {echo (New-object Net.Sockets.TcpClient). Connect ("10.0.0. $a", $_)) "Port $_ is open!"} 2> $null}

Additional bonus-Test export filter

Many secure network environments turn on egress traffic filtering controls to restrict access to export agreements for certain services. This is good for improving the security of the Http/https/dns channel, which is one of the reasons. However, when an alternative outbound access needs to be identified, we can use PowerShell in the intranet to evaluate the egress filter on the network firewall.

PowerShell Test Outlet Filter

1..1024 | % {echo (New-object Net.Sockets.TcpClient). Connect ("allports.exposed", $_)) "Port $_ is open"} 2> $null

For more information on PowerShell exit testing, please refer to the article published in *black Hills information security Beau Bullock: http://www.blackhillsinfosec.com/?p=4811

Conclusion

PowerShell is a powerful tool that can do almost anything with PS once you have enabled PowerShell in your Windows environment. If you have other relevant PowerShell unique stunts, please leave a comment.

This article by the Security Guest translation, reprint please indicate "transfers from the safe guest", and attaches the link.
Original link: Https://pen-testing.sans.org/blog/2017/03/08/pen-test-poster-white-board-powershell-built-in-port-scanner

"Technology sharing" teaches you to use PowerShell's built-in port scanner