The previous article introduced using PowerShell to bulk scan IP ranges and ports, adding the Invoke-scanipport function to the Psnet assembly. Although it finds which ports are listening on the specified IP range, it does not map each port to the program behind it. As we know, many common applications use fixed default ports, so collecting this port-to-service correspondence makes it easier to confirm which services exist in an IP range; that feature will be introduced in subsequent articles.
After scanning for specific ports, the next step is to try weak and common passwords against the services found on those ports. By scanning with default passwords, if a correct password is found, we can often locate an important breakthrough for a penetration test. The services usually targeted by weak-password attacks in penetration testing are FTP, MySQL, SQL Server, Oracle, Telnet, SSH, Tomcat, WebLogic, and so on. If such services can be scanned, fast weak-password checking through a unified approach will greatly speed up the discovery of sensitive information and privilege escalation. This article and the following ones will attempt to implement weak-password attempts against the potential attack points above using PowerShell, starting with the FTP password attempt.
Continuing the extension of the Psnet assembly, create a script named Invoke-ftplogin.ps1 under $env:psspace/psnet/tcpop/ that returns whether the login succeeded after being passed the specified FTP address, user name and password.
At the same time, the Invoke-ftplogin.ps1 script file is dot-sourced in $env:psspace/psnet/psnet.psm1 so that the function is loaded when PowerShell initializes:
The code is as follows:
. $env:psspace/psnet/tcpop/invoke-ftplogin.ps1
The following describes the role of each parameter of this function:
-Site: the FTP server address, in a format such as ftp://localhost; a domain name or an IP address can be used. This parameter is mandatory.
-User: the user name to validate against the FTP server. The default value is anonymous. Optional.
-Pass: the password to validate against the FTP server. The default value is Hello@world. Optional. (Note: in the FTP protocol the password of an anonymous user can be any string containing the @ symbol.)
-Port: the port number of the FTP server to authenticate against. The default value is 21. Optional. (Not used yet; it will be used in subsequent articles.)
-TimeOut: the timeout, in milliseconds, used when validating the password against the FTP server. The default is 3000 ms. Optional. (Not used yet; it will be used in subsequent articles.)
-ReadWriteTimeout: the read/write timeout, in milliseconds, for the FTP server. The default value is 10000 ms. Optional. (Not used yet; it will be extended in subsequent articles.)
How this script is invoked:
Invoke-FtpLogin -Site ftp://localhost -User Test -Pass abcd1234
The execution effect is as follows:
As can be seen, when the FTP host allows anonymous users, entering only the FTP host address logs in successfully; for a named account, the normal result is shown only when the correct password is entered.
The code is as follows:
# ===== FileName: invoke-ftplogin.ps1 =====
Function Invoke-FtpLogin {
    Param (
        [Parameter(Mandatory = $true)]
        [string] $Site = "ftp://localhost",
        [string] $User = "anonymous",
        [string] $Pass = "Hello@world",
        [int] $Port = 21,
        [int] $TimeOut = 3000,
        [int] $ReadWriteTimeout = 10000
    )
    Write-Host "Get FTP site dir listing ..."
    # Request a directory listing; the server validates the credentials before replying
    $FTPreq = [System.Net.FtpWebRequest]::Create($Site)
    $FTPreq.Timeout = $TimeOut                   # msec (default is infinite)
    $FTPreq.ReadWriteTimeout = $ReadWriteTimeout # msec (default is 300,000 = 5 mins)
    $FTPreq.KeepAlive = $false                   # (default is enabled)
    $FTPreq.Credentials = New-Object System.Net.NetworkCredential($User, $Pass)
    $FTPreq.Method = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    Try
    {
        $FTPres = $FTPreq.GetResponse()
        Write-Host "$User _ $Pass OK"
        $success = $true
        #Write-Host $FTPres.StatusCode -NoNewline
        #Write-Host $FTPres.StatusDescription
        $FTPres.Close()
    }
    Catch
    {
        # A wrong password surfaces here as a WebException carrying the server's 530 reply
        Write-Host "FAILED: $_"
        $success = $false
    }
    return $success
}
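The server-side view of the check above, as an added example that is not part of this article's script: every wrong password Invoke-FtpLogin submits ends in an FTP 530 ("Not logged in") reply, so a burst of 530 entries from one client address in the FTP server log is what a defender watches for. The function below assumes a simplified, constructed "<HH:mm:ss> <client-ip> <user> <reply-code>" log layout (the regex must be adapted to the real server's log format, e.g. IIS W3C or vsftpd), and the sample lines are constructed.

```powershell
# Added example, not the article's code: flag client addresses whose failed FTP
# logins (reply 530) cluster within a short window. The log layout below is a
# constructed simplification: "<HH:mm:ss> <client-ip> <user> <reply-code>".
function Find-FtpLoginBursts {
    param(
        [Parameter(Mandatory = $true)][string[]] $LogLines,
        [int] $Threshold = 5,       # 530 replies from one address before alerting
        [int] $WindowSeconds = 60   # window in which those replies must fall
    )
    $pattern = '^(?<time>\d{2}:\d{2}:\d{2})\s+(?<ip>\S+)\s+(?<user>\S+)\s+(?<code>\d{3})$'
    $failures = @{}   # client ip -> list of failure timestamps
    foreach ($line in $LogLines) {
        if (-not ($line -match $pattern)) { continue }   # skip lines in another format
        if ($Matches.code -ne '530') { continue }        # 530 = "Not logged in"
        $t = [datetime]::ParseExact($Matches.time, 'HH:mm:ss', $null)
        if (-not $failures.ContainsKey($Matches.ip)) { $failures[$Matches.ip] = @() }
        $failures[$Matches.ip] += $t
    }
    $alerts = @()
    foreach ($ip in $failures.Keys) {
        $times = @($failures[$ip] | Sort-Object)
        # slide over the sorted timestamps: Threshold failures inside WindowSeconds
        for ($i = 0; $i -le $times.Count - $Threshold; $i++) {
            $span = ($times[$i + $Threshold - 1] - $times[$i]).TotalSeconds
            if ($span -le $WindowSeconds) {
                $alerts += [pscustomobject]@{
                    SourceIp  = $ip
                    Failures  = $times.Count
                    FirstSeen = $times[$i].ToString('HH:mm:ss')
                }
                break
            }
        }
    }
    return $alerts
}

# Constructed sample: one address guessing several accounts, one user mistyping once.
$sample = @(
    '10:00:01 203.0.113.5 test 530',
    '10:00:02 203.0.113.5 test 530',
    '10:00:02 203.0.113.5 admin 530',
    '10:00:03 203.0.113.5 anonymous 530',
    '10:00:04 203.0.113.5 ftp 530',
    '10:00:05 203.0.113.5 test 230',
    '10:05:00 198.51.100.7 alice 530',
    '10:05:20 198.51.100.7 alice 230'
)
Find-FtpLoginBursts -LogLines $sample | Format-Table -AutoSize
```

With the sample above only 203.0.113.5 is reported, since the single failure from 198.51.100.7 never reaches the threshold; the same logic applies to lists of anonymous logins, which the article notes succeed with any @-containing password.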