Summary<\/b>: Guest blogger, Niklas Goude, discusses using Windows PowerShell to perform ping sweeps and port scans on a connected network.\nMicrosoft Scripting Guy, Ed Wilson, is here. This week we have guest blogger Niklas Goude. Before we get to Niklas, I want to mention that you should mark your calendars for September 15, 2012 because that is the date that the second Windows PowerShell Saturday event occurs. It will be held in Charlotte, North Carolina. Attendance is limited, so keep your ears attuned for when registration opens. We will have three tracks and the event will be a lot of fun.<\/p>\n
Niklas Goude is a Security Consultant at TrueSec and an MVP in Windows PowerShell. In addition to his work performing security assessments for a variety of clients, he also has extensive experience in using Windows PowerShell to automate and implement Windows environments. He has been speaking at TechDays; SharePoint conferences in the U.S., Australia, and New Zealand; and other events and conferences. He is the author of two books about Windows PowerShell, and he shares his knowledge at PowerShell.nu<\/a>. He is a member of the TrueSec Expert Team, an independent, elite team of security and infrastructure consultants that operates all over the world. The security team at TrueSec performs various tasks and services related to IT security such as code review, security health checks, and penetration testing. TrueSec also delivers top-notch training sessions in advanced IT security. Check out the TruSec<\/a> website for additional information.\nNow, without further ado, here is Niklas…\nPenetration testing is an important part of improving security in any network environment. A hacker usually only needs to find very few weaknesses (even only one) to compromise important IT systems. An important task for an IT administrator is to identify potential weaknesses and mitigate them.\nThis is the first blog in a weekly series of five where we will talk about basic penetration testing techniques and how they affect misconfigured systems. The series will cover everything from initial network reconnaissance techniques and brute force attacks to advanced extraction of registry secrets to assess dangerous system dependencies.\nThe key learning point is to demonstrate how you can use Windows PowerShell to accomplish almost any task no matter the subject. The secondary learning point is to make you aware of common security issues and misconfigurations that may occur in Microsoft infrastructures today. One important thing to keep in mind is that the vulnerabilities we are looking for exist simply because of misconfigurations made by administrators, such as weak passwords, system dependencies, misconfigurations, and more. I hope you will learn and enjoy!<\/p>\n Note<\/b> Today’s blog discusses using Windows PowerShell to perform network discovery. On some networks, use of such techniques is expressly disallowed except for specifically authorized teams and individuals. You must ensure that you have permission to perform the techniques described here prior to using such techniques at work. This also is a good time to emphasize the importance of proper network security configuration. For help with security configuration of your computer, see the Microsoft Safety & Security Center<\/a>.<\/p>\n Scanning for IP addresses, MAC addresses, host names, and open ports is a way of finding the available computers on a network and finding out which service each computer publishes. In this blog, we will talk about how this can be performed by using Windows PowerShell.<\/p>\n This scenario is based on a Windows domain environment that consists of three machines:<\/p>\n In addition, we have a client on the same network as the domain; however, the client is not a member of the domain. Each command in this scenario is executed from the client.<\/p>\n The servers are manually installed by using the default settings. The servers use the Windows Firewalls default settings. The recommended internal firewall design is described in the following Microsoft TechNet Security Bulletin: Internal Firewall Design<\/a>.<\/p>\n The first step in scanning the network for IP addresses, host names, and open ports is to determine which network we are currently sitting on. The simplest way to do this is to use ipconfig<\/b>. As you already know, Windows PowerShell has full support for running executables.\nSimply type ipconfig<\/b> to find out which network you are on. If you are running Windows PowerShell 3.0, you can also use the new Get-NetIPAddress<\/b> cmdLlet.<\/p>\n PS > ipconfig<\/p>\n <\/p>\n Windows IP Configuration<\/p>\n Ethernet adapter Wired Ethernet Connection 2:<\/p>\n Connection-specific DNS Suffix . :<\/p>\n Link-local IPv6 Address . . . . . : fe81::3314:cf47:dbc2:935c%11<\/p>\n IPv4 Address. . . . . . . . . . . : 10.0.0.100<\/p>\n Subnet Mask . . . . . . . . . . . : 255.0.0.0<\/p>\n Default Gateway . . . . . . . . . : 10.0.0.1\nThis example tells us that our IP address is 10.0.0.100 and the subnet is 255.0.0.0. With this information, we can perform a ping sweep on the network to find out if any hosts are reachable. We could, of course, achieve this by using ping.exe. However, there are more efficient ways to perform ping sweeps in a Windows network by using Windows PowerShell. One way is to use the Test-Connection<\/b> cmdlet, which returns a Win32_PingStatus<\/b> object that we can investigate in Windows PowerShell. We can also create an instance of System.Net.Networkinformation.Ping by using the New-Object<\/b> cmdlet. This is the approach we’ll focus on. The following example demonstrates how to create an instance of System.Net.Networkinformation.Ping.<\/p>\n PS > $ping = New-Object System.Net.Networkinformation.ping\nThe Ping<\/b> class supports a method called Send()<\/b>, which we can use to send an Internet Control Message Protocol (ICMP) echo request to a computer by simply specifying an IP address. The following example demonstrates how to send an ICMP echo request to 10.0.0.2.<\/p>\n PS > $ping.Send(“10.0.0.2”)<\/p>\n <\/p>\n Status : Success<\/p>\n Address : 10.0.0.2<\/p>\n RoundtripTime : 0<\/p>\n Options : System.Net.NetworkInformation.PingOptions<\/p>\n Buffer : {97, 98, 99, 100…}\nIf the computer responds, the status property is set to Success as shown in this example. It’s also possible to add a timeout by using a different overload definition. The timeout specifies the maximum number of milliseconds to wait for the ICMP echo reply message. The following example demonstrates how to ping 10.0.0.10 and wait for 500 milliseconds.<\/p>\n PS > $ping.Send(“10.0.0.10”, 500)<\/p>\n <\/p>\n Status : TimedOut<\/p>\n Address :<\/p>\n RoundtripTime : 0<\/p>\n Options :<\/p>\n Buffer : {}\nIf we wanted to perform a ping sweep on multiple computers, we could simply take advantage of the Windows PowerShell pipeline support, and pipe any number of given IP addresses to the Send()<\/b> method.<\/p>\n PS > “10.0.0.2”,”10.0.0.3″ | ForEach-Object { $ping.Send($_, 500) }<\/p>\n <\/p>\n Status : Success<\/p>\n Address : 10.0.0.2<\/p>\n RoundtripTime : 0<\/p>\n Options : System.Net.NetworkInformation.PingOptions<\/p>\n Buffer : {97, 98, 99, 100…}<\/p>\n <\/p>\n Status : Success<\/p>\n Address : 10.0.0.3<\/p>\n RoundtripTime : 0<\/p>\n Options : System.Net.NetworkInformation.PingOptions<\/p>\n Buffer : {97, 98, 99, 100…}\nNow that we know how to perform a simple ping sweep by using Windows PowerShell, let’s take a look at how to use Windows PowerShell to resolve a host name.\nThe System.Net.DNS<\/b> class contains a static method, GetHostEntry()<\/b>, which we can use to ask the DNS server for the host name that is associated with a given IP address.<\/p>\n PS > [Net.DNS]::GetHostEntry(“10.0.0.3”)<\/p>\n <\/p>\n HostName Aliases AddressList <\/p>\n ——– ——- ———– SRV01.hacme.local {} {10.0.0.3\nIt is also possible to ask the DNS server for the host name Async<\/b> by using the BeginGetHostEntry() <\/b>and the EndGetHostEntry()<\/b> methods that are supported by System.Net.DNS<\/b>.\nNext, let us look at how to determine which ports are open on a system. The System.Net.Sockets.TcpClient<\/b> class supports the Connect()<\/b> method, which we can use to connect to a given IP address and port. First we create an instance to System.Net.Sockets.TcpClient<\/b>.<\/p>\n PS > $tcpClient = New-Object System.Net.Sockets.TCPClient\nNext, we use the Connect()<\/b> method and try to connect to a specific IP address and port. In the following example, we test if port 445 is open. Port 445 is the SMB port. If the connection is successful, the Connected<\/b> property is set to True as shown here:<\/p>\n PS > $tcpClient = New-Object System.Net.Sockets.TCPClient<\/p>\n PS > $tcpClient.Connect(“10.0.0.2”,445)<\/p>\n PS > $tcpClient.Connected<\/p>\n True\nIf the connection fails, an error message is displayed and the Connected<\/b> property is False.<\/p>\n PS > $tcpClient.Connect(“10.0.0.2”,1234)<\/p>\n Exception calling “Connect” with “2” argument(s):<\/p>\n “A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 10.0.0.2:1234”<\/p>\n At line:1 char:1+ $tcpClient.Connect(“10.0.0.2”,1234)<\/p>\n + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~<\/p>\n + CategoryInfo : NotSpecified: (:) [], MethodInvocationException<\/p>\n + FullyQualifiedErrorId : SocketException<\/p>\n PS > $tcpClient.Connected<\/p>\n False\nIt is also possible to test the port’s Async by using the BeginConnect()<\/b> method.\nThese are the basic steps that we need to perform a network scan by using Windows PowerShell. The nice thing about Windows PowerShell is that we can reuse the code by placing it in a function and simply calling the function instead of typing the code every time we want to perform a network scan.\nThe following example demonstrates the Invoke-TSPingSweep<\/b> function in action.<\/p>\n PS > Invoke-TSPingSweep -StartAddress 10.0.0.1 -EndAddress 10.0.0.10 -ResolveHost -ScanPort<\/p>\n <\/p>\n IPAddress HostName Ports <\/p>\n ——— ——– —– <\/p>\n 10.0.0.2 DC01.hacme.local {53, 139, 389, 445…} <\/p>\n 10.0.0.3 SRV01.hacme.local {21, 80, 139, 445…}<\/p>\n 10.0.0.10 SP01.hacme.local {80, 139, 445} \nThe function uses the code described in this post and supports the following parameters:<\/p>\n Using the functionality of Windows PowerShell makes it very easy to search for specific ports that are returned from a network scan to determine if a computer is running a specific service. For example, if we wanted to find all computers running SQL Server, we could simply store the output in a variable and use the Where-Object<\/b> cmdlet to retrieve each object where the Port 1433 is open.<\/p>\n PS > $pingSweep = Invoke-TSPingSweep -StartAddress 10.0.0.1 -EndAddress 10.0.0.10 -ResolveHost -ScanPort<\/p>\n PS > $pingSweep | Where-Object { $_.Ports -eq “1433” }<\/p>\n <\/p>\n IPAddress HostName Ports <\/p>\n ——— ——– —– <\/p>\n 10.0.0.3 SRV01.hacme.local {21, 80, 139, 445…}<\/p>\n <\/p>\n PS > $pingSweep | Where-Object { $_.Ports -eq 80 }<\/p>\n <\/p>\n IPAddress HostName Ports <\/p>\n ——— ——– —– <\/p>\n 10.0.0.3 SRV01.localdomain {21, 80, 139, 445…} <\/p>\n 10.0.0.10 SP01.localdomain {80, 139, 445} \nThere are, of course, other tools that you can use when performing network scans. One such tool is the Nmap<\/b> security scanner, which has the possibility to perform the tasks described previously and a lot more. As I mentioned earlier, Windows PowerShell has full support for executables, so another approach for performing a network scan would be to invoke nmap.exe and parse the XML output into a Windows PowerShell custom object to utilize the benefits of Windows PowerShell when working with the ouput. The following example demonstrates how to run nmap.exe and output the results to an XML document.<\/p>\n PS > & ‘C:Nmapnmap.exe’ -F 10.0.0.1\/24 -oX C:tempnmap.xml\nNext, we can use Get-Content<\/b> and read the content of the XML document. By adding the [xml]<\/b> data type and placing the cmdlet within parenthesis, the content is read as an XML object.<\/p>\n PS > $nmap = [xml](Get-Content C:tempnmap.xml)<\/p>\n PS > $nmap.nmaprun.host<\/p>\n <\/p>\n starttime : 1340110002<\/p>\n endtime : 1340110018<\/p>\n status : status<\/p>\n address : {address, address}<\/p>\n hostnames :<\/p>\n ports : ports<\/p>\n times : times<\/p>\n ~Niklas\nI want to thank Niklas for an interesting and informative blog. Security Week will continue tomorrow with Part 2 of Niklas’s security series.\nI invite you to follow me on Twitter<\/a> and Facebook<\/a>. If you have any questions, send email to me at scripter@microsoft.com<\/a>, or post your questions on the Official Scripting Guys Forum<\/a>. See you tomorrow. Until then, peace.<\/p>\n Ed Wilson, Microsoft Scripting Guy<\/b> <\/p>\n","protected":false},"excerpt":{"rendered":" Summary: Guest blogger, Niklas Goude, discusses using Windows PowerShell to perform ping sweeps and port scans on a connected network. Microsoft Scripting Guy, Ed Wilson, is here. This week we have guest blogger Niklas Goude. Before we get to Niklas, I want to mention that you should mark your calendars for September 15, 2012 because […]<\/p>\n","protected":false},"author":596,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[161,56,183,3,63,45],"class_list":["post-8841","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-firewall","tag-guest-blogger","tag-niklas-goude","tag-scripting-guy","tag-security","tag-windows-powershell"],"acf":[],"blog_post_summary":" Summary: Guest blogger, Niklas Goude, discusses using Windows PowerShell to perform ping sweeps and port scans on a connected network. Microsoft Scripting Guy, Ed Wilson, is here. This week we have guest blogger Niklas Goude. Before we get to Niklas, I want to mention that you should mark your calendars for September 15, 2012 because […]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8841","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/596"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=8841"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/8841\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=8841"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=8841"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=8841"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Part 1: Scanning<\/h2>\n
Scenario<\/h3>\n
\n
Configuration<\/h3>\n
Code<\/h3>\n
SRV01.hacme.local {} {10.0.0.3} <\/p>\n\n
Downloads<\/h3>\n
\n