Information Gathering & Recon

PowerShell, as we’ve seen, is largely a tool we use for post-exploitation, simply because of its capabilities and its availability on the systems we gain access to. However, we can also use it to conduct information gathering and reconnaissance.

There are several third-party tools, built-in cmdlets, and frameworks that exist that can help us with these tasks, and we will cover some of those tools and their various components to accomplish different things.

The idea is to be able to leverage PowerShell for many of our pentesting activities: because it is already available on systems we’ve compromised, because of its ease of use and capabilities, or simply because the customer would like us to perform the penetration test from a machine that they supply.

In that case, it becomes useful to be able to use PowerShell for many of our tasks, since we’re limited in our toolset and unable to bring along all of the tools in our arsenal.

One of our first steps should be the discovery of hosts and port scans on the network we’re operating on.

As we saw in a previous module, we can do port scans with a one liner like the following, without requiring any third-party modules:

PS C:\> $ports=(80,8080,443,22); $ip="1.1.1.1"; foreach ($port in $ports) {
>> try { $socket = New-Object System.Net.Sockets.TcpClient($ip,$port) } catch {};
>> if ($socket -eq $null) { echo "${ip}:${port} - Closed" }
>> else { echo "${ip}:${port} - Open"; $socket.Close(); $socket = $null } }

The above may be useful for a targeted probe, but not in the case where we want to scan an entire net block as it only allows for scanning of one IP address at a time.
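The same TcpClient approach generalised to a CIDR block, with a per-port connect timeout so that filtered hosts do not stall the loop. This is an added example, not code from the course or from PowerSploit; Test-TcpRange and its parameter names are chosen here.

```powershell
# Added example, not from the course or PowerSploit: extends the one-liner
# above from a single IP to a CIDR block, with a connect timeout per port.
# Test-TcpRange is this example's own function name. Assumes a little-endian
# host (x86/x64) for the BitConverter byte-order handling.
function Test-TcpRange {
    param(
        [Parameter(Mandatory)][string]$Cidr,          # e.g. "192.168.13.0/24"
        [int[]]$Ports = @(22, 80, 443, 8080),
        [int]$TimeoutMs = 300
    )

    $base, $prefix = $Cidr -split '/'
    # Dotted quad -> 64-bit integer so the range arithmetic cannot overflow
    $bytes = [System.Net.IPAddress]::Parse($base).GetAddressBytes()
    [array]::Reverse($bytes)
    $start = [long][BitConverter]::ToUInt32($bytes, 0)
    $size  = [long][math]::Pow(2, 32 - [int]$prefix)
    $net   = $start - ($start % $size)

    # Skip network and broadcast addresses unless the block is a /31 or /32
    if ($size -gt 2) { $first = 1; $last = $size - 2 } else { $first = 0; $last = $size - 1 }

    for ($i = $first; $i -le $last; $i++) {
        $b = [BitConverter]::GetBytes([uint32]($net + $i))
        [array]::Reverse($b)
        $ip = $b -join '.'

        foreach ($port in $Ports) {
            $client = New-Object System.Net.Sockets.TcpClient
            $open = $false
            try {
                $async = $client.BeginConnect($ip, $port, $null, $null)
                # WaitOne returns $false on timeout; EndConnect throws if refused
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($async)
                    $open = $true
                }
            } catch { $open = $false }
            finally { $client.Close() }

            [pscustomobject]@{
                Host   = $ip
                Port   = $port
                Status = $(if ($open) { 'Open' } else { 'Closed' })
            }
        }
    }
}

# Same Export-Csv pattern as the Invoke-Portscan examples on this page
Test-TcpRange -Cidr '192.168.13.0/24' -Ports 80, 443 |
    Where-Object Status -eq 'Open' | Export-Csv C:\tcp_scan.csv -NoTypeInformation
```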

One tool we can use for efficient discovery of hosts on a network, included with the PowerSploit framework, is the “Invoke-Portscan” cmdlet.

First, we can use Invoke-Portscan to execute a ping scan (-PingOnly) against our target network range, given in CIDR notation with the “-Hosts” parameter, in an attempt to identify live hosts:

PS C:\> Invoke-Portscan -Hosts "192.168.13.1/24" -PingOnly

We can also supply a file containing a list of IP addresses with the -HostFile parameter. The results will show “True” for live hosts.

To save our results, we can pipe them to the “Export-Csv” cmdlet.

PS C:\> Invoke-Portscan -HostFile ips.txt -PingOnly | Export-Csv C:\ping_scan.csv

Once we’ve identified live hosts, we can then conduct port scans using the -ports parameter. Open ports will be identified by the “openPorts” value:

PS C:\> Invoke-Portscan -HostFile live_hosts.txt -ports "53-81"

Another useful feature of Invoke-PortScan is the ability to output in a greppable “.gnmap” Nmap format with the -oG and -f parameters:

PS C:\> Invoke-Portscan -HostFile live_hosts.txt -oG port_scan.gnmap -f -ports "1-81"

For a tool similar to what we’re used to for enumerating files and directories on web servers, i.e., dirsearch, dirb, etc., we can use PowerSploit’s “Get-HttpStatus” command.

Get-HttpStatus works in conjunction with a dictionary (-Path), like other similar tools, and when used in conjunction with the “Where-Object” alias (?) will return a list of pages or directories on the web server:

PS C:\> Get-HttpStatus -Target 192.168.13.62 -Path dictionary.txt -Port 80 |
>> ? {$_.Status -match "ok"}

Another useful cmdlet for host discovery, part of Carlos Perez’s Posh-SecMod framework, is “Invoke-ARPScan”, which may generate fewer alerts than your usual SYN or TCP connect scan.

PS C:\> Invoke-ARPScan -CIDR 192.168.13.1/24

Posh-SecMod has several useful cmdlets we can use for host discovery, among other purposes. We encourage you to explore their capabilities.

PS C:\> Get-Command -Module Posh-SecMod

For reverse DNS lookups, we can use Posh-SecMod’s “Invoke-ReverseDnsLookup” cmdlet against a target CIDR block.

PS C:\> Invoke-ReverseDnsLookup -CIDR 192.168.13.0/24

Resolve-HostRecord:

PS C:\> Get-Help Resolve-HostRecord -Examples

Resolve-DNSRecord:

PS C:\> Get-Help Resolve-DNSRecord -Examples
