
Portscanning with PowerShell

BSides Bristol · 17:30 · 264 views · Published 2024-01 · Watch on YouTube
Category: Technical
Style: Talk

Thanks very much. So, bit of a last-minute talk as you can see, no slides, bear with me. I'm going to talk about PowerShell without having PowerShell to show you. A little bit about me before we start off: I'm currently a senior pentester at NCC Group, I've been pentesting for about five years, and I really enjoy writing little bits of code that end up on the internet doing various things, this being one of them. So it's going to start off a little bit as a war story, I warn you not a very exciting one, and like all good war stories this one starts off with a Windows build review.

So I'm sitting there doing this build review, looking at the scope, making sure I've got full coverage, and I notice that this customer has decided to add a little bit onto the end of the description of a build review that's not normally there, and that's: hi, we want full segregation testing done from the host that you're reviewing. This is obviously the last day of the test. I'm like, okay, sweet, let me put some tools on the machine, run them off, and then we can give a reasonable idea of what we can see from that point in the network. What I didn't realise when I started the job and then got to this point was that we were playing sort of server inception, so I think I had to go through a Citrix environment, then RDP into a jump host, switch to a host, and then use that host to access the host that I was reviewing. It got to the point where I'm sat on this box and they want me to do segregation testing. I'm not allowed to install anything, there is nothing on the box other than pretty much a bare-bones Windows installation, and, yeah, where do we go from here?

So normally I'd start off with running something like nmap, going out to the various networks I know are there, and seeing if I can reach across. Obviously I can't install nmap, nmap's not there. So the next thing I think of: okay, I'll ping out to some hosts on some other networks, other subnets, see what I can see. The issue with that is obviously you can configure hosts not to respond to ping, so actually that told me nothing. If anything it just told me that it's either not there or somebody's configured these not to show up, which makes my life a little bit difficult. Now the client was very focused on RDP access in this instance, so they wanted the full segregation testing, but they were primarily concerned about: can you RDP from this box (I don't know if it was a workstation or a server at this point, I've gone through so many layers) onto any other host on the network that you shouldn't be able to see? So that was fairly easy to test, you just open up the Windows RDP client, put in a bunch of IPs one by one, see if it makes a connection. Got through that, everything looked pretty good, couldn't reach anything. But then it came down to: okay, well, I can provide that assurance, what can I do about the rest of it?

So I thought, okay, I'm on Windows, I have administrator access, the only reason I can't install my tools is because I'm not allowed to, and also getting stuff over to the box is a bit of a pain, jumping through like four hurdles. So I thought, okay, Windows, PowerShell. Sure enough, yep, I can run commands, I've got the permissions. So I go to Google and I type in "PowerShell port scanner", thinking, oh, there'll be loads, I'll just take my pick off GitHub, someone's written it. What I got back was one tutorial repeated across about 20 different websites under different names and different authors, but identical text, identical code. I couldn't find anything on GitHub, and I was really surprised. So I sort of bodged together from this tutorial something that vaguely resembled a port scanner. It was atrocious, I deleted it immediately, never wanted to see it again, would never give that to anyone. But I walked out of that engagement and thought, this has got to be a common problem. If nobody's written this tool, there's got to be people in the same situation. I know I end up server hopping four levels at a time a lot of the time; granted, I don't always have to do segregation testing, but somebody's got to.

So I got a bit of free time around January this year and I sat down and thought, right, I'm going to take that tutorial that I started with and I'm going to develop it into a fully functional tool that someone can just copy and paste onto a Windows machine, run it in PowerShell, and hopefully have a much nicer time than I did. So I started off pretty basic: TCP connection. Yeah, pretty easy to do, you can do it in about five lines, if you're being fancy you could probably do it in one if you really want to. I had a look around PowerShell cmdlets, so turning a script into something that resembles an actual application, where you can go, oh yeah, help, and it gives you all the options, things like that. As somebody who's never touched PowerShell in their life until this point, it was really interesting to see that you can do all that through comments. PowerShell actually interprets your comments and will generate documentation for you based on your comments, out of the box. There's a great function called Get-Help; you call that on a PowerShell script and it will get help, pretty much. So basically, as I went along I was just adding stuff in the comments at the top of the page and I was self-generating documentation, which is great. Lots of people really like writing tools, nobody likes writing documentation, so if you can document as you go just by writing the code it makes your life a whole lot easier, and it's much nicer to share at the end of it.

So, yeah, I went through and thought, okay, basic TCP connection, what do I want to do with this? Okay, I want to specify a port. So I can take in a port and I can scan this, do a TCP connection, see what comes back. I thought that's great, but TCP is not the only thing, you've got UDP as well. So, okay, how do I do this with UDP? The tutorial I originally found, the UDP scanner was touch and go at best. I tried it on some machines that I had access to, where I knew exactly what ports were running, and nine times out of ten it wouldn't pick up an open UDP port. So I had to look around at some of the tools that we normally use, and I came across, I was looking at UDP Proto Scanner, I think that's the name off the top of my head, UDP Proto Scanner, yeah. They very kindly include a list of the payloads that they use on their GitHub page, so I went, okay, that's nice, I'll have those. Took them, realised that, okay, they need some sort of weird encoding to actually receive a response; it's not just copy this text, send it in a connection and get your nice response back. So once I worked out exactly what encoding and things were going on and managed to replicate that, I managed to get something that gave me the results I expected on the hosts that I had. I'm not going to go out there and say, yes, this UDP port scanner that I've cobbled together in PowerShell is great and it will detect everything and you should use it for everything and nmap's bad, because it's not. But I was getting more reliable results and I thought, I've not seen this anywhere; all of the UDP examples I'd found were this touch-and-go, 90% failure rate sort of code.

So at this point I was like, great, I've got TCP and I've got UDP and I can specify a port. Now that's great, and it would have been really nice to have, but if you're looking for a tool to do a job you're probably not just going to want to test a single port at a time. So I went through and I looked at nmap and I looked at the options that nmap offers, things like using port ranges or specifying multiple ports at a time, and expanded on the feature list gradually, adding things in, researching and learning PowerShell as I went. Please don't ask me technical PowerShell questions, because it's all gone from my head the second I submitted that code to GitHub and was like, it works, people are using it, it's good, I don't need to know this anymore. But, yeah, it ended up about a thousand lines of code, which, if you'd have shown that to me two months prior and said, hey, here's this 2000-line PowerShell script that you've written, I would have told people that's never going to happen, you've got the wrong person.

So another lesson here, I guess, is don't be scared to try a new language, don't be scared to try scripting if you know nothing, Google is your friend. If you've got a goal you want to accomplish, work towards that. You don't need to know a language to program a solution; you can program a solution and learn the language by programming that solution, which I wish somebody had told me at university instead of going "learn code" and leaving me to it. I was like, that's great, if, else, whatever, how do I actually turn this into something that I'm actually going to use?

But, yeah, so anyway, I produced this tool, it's now available on GitHub. My GitHub username is James con 96, same username pretty much across all platforms, so Twitter, LinkedIn, Mastodon on infosec.exchange if any of you are on that. I post it everywhere. So, yeah, it's posted on there, it's pinned on my profile. If you want to find it, that's probably the easiest way to get it without me putting a link up, which doesn't look like I can right now because I don't have a laptop. But, yeah, if anybody's got any sort of questions, ask away.

[Audience: Yeah, maybe not. Just out of curiosity, have you tried to recreate the same program with artificial intelligence, just to see if there are any improvements or errors with their version?]

I have not, no. I mean, I don't really have the time to do that now, sadly, but a lot of the time it's: hey, I've got an idea, I've got a tool that I want to produce that's going to help me and probably going to help other people, spend all the time getting it out the door, and then work comes flooding in and I'm back to testing 24/7.

[Any other questions?]

So personally I have not had to touch this tool since I wrote it. Other people have. I've had colleagues message me out of the blue; I've been sat away working and I get this Teams message pop up going, hi, you know this tool that you wrote, how do I do this? And I have to go, let me just check the documentation, because I don't remember. And I go, oh yeah, this isn't in the documentation, right, how do I do this, right, let's fix it, let's update the documentation. And, yeah, I've had people both internally at my company and externally, people on LinkedIn, Twitter and that, reach out to me and say, hey, this saved me in this situation, basically. So it's nice to know that it works and that it's done a little bit of good, if nothing else.

[Audience: Question actually, and I can't mic. So would you say that the learning curve with PowerShell was much quicker than languages such as Python and things like that? I mean, you've obviously achieved quite a lot in a short time there from basic stuff.]

Yeah, I mean, I would say I primarily program in Python, so coming from someone who knows Python, going into PowerShell, it was fairly intuitive. Personally I think Python is still easier to learn than PowerShell, but it's personal preference really. It's still pretty intuitive: if you know English you can read the code and try and work out exactly what's going on. Loads of documentation, it's Microsoft, they like to document everything, it's great.

[Audience question, partly inaudible: ... any ideas ... prod?]

So I mean we weren't really looking at what traffic was going across. There wasn't, I didn't get any SOC alerts or anything sent my way going, what was going on. I didn't design it to be: oh yeah, attackers use this, it will get past all the network sensors and everything. [Audience: ... a kind of ...?] Yeah, so I didn't design it for stealth. There are some things in there that could help you with stealth, but it's not designed to be undetectable. I didn't really want to write something that was completely undetectable, because that could really easily be misused; I'm putting it out there on the internet for anyone to download.

[Audience question, inaudible.]

So, there's TCP, UDP, you can ping, so ICMP, but just that specific message. And then you can do trace routes through it, because, researching PowerShell, that seems to be really easy, it's a one-liner to do a trace route, so I thought I'll add a trace route option in. Say you're running multiple commands, it just does it as part of the scan if you wanted to. There's a couple of predefined scan profiles, so you can just give it one thing, so I think there's one like "d" or "dqu", and it will use a predefined scan profile. Like, when you run it without any arguments it uses default settings.

[Audience question, inaudible.]

No, there might actually be some payloads for UDP in there that support those certain protocols. So again, I took all the UDP payloads from UDP Proto Scanner, so everything is listed, everything's referenced on the GitHub page. I don't know off the top of my head, but, yeah, they go into detail about what payloads support what protocols.

[Audience question, partly inaudible: ... to the console?]

Yeah, so by default it'll just print to the console, but it has got options for text or JSON output, so if you want to put it through some sort of parser, or write your own parser, JSON is pretty easy to parse. That was my idea: I didn't want to sit and write a parser, but I was like, if people want to parse this then JSON's a nice format for them to use, so I'll put a JSON output in there.

[Audience: ... what delights can we find on your GitHub?]

Sorry, what delights? What delights can we find on my GitHub? Then there's a few things. I've got one called GTFO lookup, which, if you've ever heard of GTFOBins, basically a database of Linux binaries that you'd find commonly on Linux systems and how you can exploit them to be hacking tools. It searches various databases like that, so there's one for Windows, one for Linux, there's one for I think DLL files specifically, there's all sorts, so I've just collated these databases and built a sort of, I guess, search engine for them on top. And a couple of things just to make things easier, like merging nmap files, configuring proxychains, things like that, but they're all little scripts that I've written that people might like, not things that I'm raving about and giving talks about, but there's a few little things on there. From time to time I'll add a little script that I found made something easier to do.

[Any more questions? Audience: Are you based in Reading?]

Am I based in Reading? No, I'm not, that's not where I'm based now.

[Host: Thanks very much. Right, on that, can I just please request a massive round of applause for this guy.]
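The pieces the talk describes (comment-based help that Get-Help turns into documentation, nmap-style port lists, a TCP connect check with a timeout, and a JSON output option) in one compact script for verifying segregation from a host with nothing but PowerShell on it. This is an added example written for this page, not the speaker's GitHub tool; the script name Test-Segregation.ps1, the parameter names and the default port list are assumptions.

```powershell
<#
.SYNOPSIS
    Minimal TCP connect check for segregation testing (added example, not the speaker's tool).
.DESCRIPTION
    This comment block is what Get-Help reads: "Get-Help .\Test-Segregation.ps1 -Full"
    documents the script with no extra work. Script name and parameters are assumptions.
.PARAMETER Target
    One or more IP addresses or hostnames to check from the current host.
.PARAMETER Port
    nmap-style port list, e.g. "22,80,443,8000-8010".
.PARAMETER Json
    Emit results as JSON instead of a table so another tool can parse them.
.EXAMPLE
    .\Test-Segregation.ps1 -Target 10.0.0.5,10.0.0.6 -Port "445,3389,80-82" -Json
#>
[CmdletBinding()]
param(
    [Parameter(Mandatory)] [string[]] $Target,
    [string] $Port = "22,80,443,3389",
    [int] $TimeoutMs = 500,
    [switch] $Json
)

# Expand "a,b,c-d" into a sorted, de-duplicated list of valid port numbers.
function Expand-PortSpec([string] $Spec) {
    $ports = foreach ($part in $Spec -split ',') {
        if ($part -match '^\s*(\d+)\s*-\s*(\d+)\s*$') { ([int]$Matches[1])..([int]$Matches[2]) }
        elseif ($part -match '^\s*(\d+)\s*$')         { [int]$Matches[1] }
        else { throw "Bad port spec: '$part'" }
    }
    $ports | Where-Object { $_ -ge 1 -and $_ -le 65535 } | Sort-Object -Unique
}

# Full connect check: a handshake completing inside the timeout means Open. A RST
# (exception) and silence both land in Closed/Filtered, because from this vantage
# point a closed port and a firewall drop look the same to a connect scan.
function Test-TcpPort([string] $TargetHost, [int] $TargetPort, [int] $Timeout) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($TargetHost, $TargetPort)
        if ($task.Wait($Timeout) -and $client.Connected) { return 'Open' }
        return 'Closed/Filtered'
    } catch { return 'Closed/Filtered' }
    finally { $client.Dispose() }
}

$results = foreach ($h in $Target) {
    foreach ($p in Expand-PortSpec $Port) {
        [pscustomobject]@{ Host = $h; Port = $p; State = (Test-TcpPort $h $p $TimeoutMs) }
    }
}
if ($Json) { $results | ConvertTo-Json } else { $results | Format-Table -AutoSize }
```

Run it against hosts on the other side of a boundary that should be blocked; every line reporting Open is a segregation finding to take to the network team, and the JSON form drops straight into whatever you use to track them.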