A few days ago to see an article about Metasploit and PowerShell, which mentioned a statement about the port scan, write very concise, very good idea, you can throw away the bulky nmap directly scan the specified IP port:
directly through the statement. A number between 1 and 1024 is enumerated, passed to the following operator through a pipeline, and the System.Net.Sockets.TCPClient object is created using New-object, and the Connect () method of the object is invoked to connect the specified IP port. The port is the incoming group of objects that are passed in by the pipe, the 1~1024 and the numbers between them, which are replaced by the $_ variable, representing the current object that the pipe passes in. For an open TCP port there is a program that listens to the port, waits for the program to connect, and if a port is connected that is not listening, the TcpClient object throws the following exception
For an exception thrown, the error message is redirected to a $null empty device by 2> $null, and the current screen output is no longer present, and if an exception is not thrown during the connection to the specified port the TcpClient object can be properly connected to the port. It prints out the port and prompts the port to be open.
Calls to. NET objects through PowerShell we can do a lot of things, basically WinForm and asp.net can do most of the things can be done through PowerShell, at the same time I have an idea, through the PowerShell can write some commonly used for safety and penetration test Trial work scripts, these scripts can be combined into a toolset, this can not be at hand with the relevant penetration tools in the context of a lightweight scripting environment + programming to achieve security-related functional detection?
The script above is very concise, but there is a drawback, that is, the call of the TcpClient object timeout time is relatively long, regardless of whether the port is developed, you need to wait until the connection timeout before scanning the next port, scanning a range of ports will take a lot of time, in view of this I intend to change the above script, To facilitate the sharing and reuse of functions, create a toolset named Psnet:
Step 1: Create a PowerShell working folder (D:\My documents\windowspowershell\modules) and create a system environment variable that points to the directory for subsequent calls, such as Psspace
Step 2 Create a directory with the same name as the target module in the Psspace path mentioned in the previous steps to store the script, that is, create the psnet under%psspace%
Step 3 Create a. psm1 file with the same name as module in the Psnet directory PSNET.PSM1
Step 4 Create a subdirectory of the related subdivisions in the Psnet directory to facilitate categorization of different types of operations, such as creating tcpop, creating TCP-related operations, and putting TEST-TCPPORT.PS1 in
Step 5. Open PSNET.PSM1 join line:. $PSSpace/tcpop/test-tcpport.ps1 later, if you want to create any related function files, you can add a record to the file so that module initialization can initialize the associated function. A dependent file initialization statement needs to be placed before a dependent file statement if the related functions are dependent on each other.
Step 6. Add a export-modulemember-function * statement at the end of the TEST-TCPPORT.PS1 statement to publish the functions in that file as members of the module.
The structure of this toolset was successfully created and the directory tree looks like this:
For the Test-tcpport.ps1 module, write the following code to test whether the TCP port is listening:
Try
{
$TimeOut = 1000 #定义TCP端口超时时间
if ($IP = [System.net.dns]::gethostaddresses ($EndPoint))
{
$Address = [System.Net.IPAddress]::P arse ($IP)
$Socket = New-object System.Net.Sockets.TCPClient
$Connect = $Socket. BeginConnect ($Address, $Port, $null, $null)
if ($Connect. iscompleted)
{
$Wait = $Connect. Asyncwaithandle.waitone ($TimeOut, $false)
if (! $Wait)
{
$Socket. Close ()
Return $false
}
Else
{
$Socket. EndConnect ($Connect)
$Socket. Close ()
Return $true
}
}
Else
{
Return $false
}
}
Else
{
Return $false
}
}
catch{}
}
Export-modulemember-function * #用于将函数导出为模块成员
For this module, you can use the following statement through the PowerShell command line:
Called, or when the command line or batch is started
For the first example of this article, after you have imported this module, execute:
if ($a) {
Echo $_
}
}
In this article, the idea of implementing simple security penetration through PowerShell is introduced in a small script, starting with a description of how the little Foot is implemented, followed by a method for creating a script toolset and importing, and then creating a Test-tcpport function in the toolset, and introduced the call method, in the following article will be introduced in the relevant script development, please look forward to.
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
