Download to read offline
Uploaded byCostin-Alin Neacsu
Network Mapping with PowerShell
This document summarizes a presentation given at the 5th meeting of the Romanian Powershell User Group on February 28th, 2017. The presentation introduced several methods for network mapping and discovery using Powershell, including ping sweeps, port scanning, querying active connections, reverse DNS lookups, and ARP scanning. Code examples were provided demonstrating how to perform these tasks with Powershell cmdlets, .NET classes, WMI, and Win32 APIs. The presentation concluded that Powershell allows non-privileged users to query local network information through various techniques and contacted the presenter for any additional questions.
Network Mapping with PowerShell
- 1. ROMANIAN POWERSHELL USER GROUP 5th Meeting– February 28th 2017
- 2. Network Mapping withPowerShell Neacsu Costin-Alin
- 3. PS C:> $env:USERNAME -not Sysadmin -not Developer PS C:> $env:POSITION Vulnerability Assessment Engineer at NTT Data Services, formerly Dell Services PS C:> $env:CONTACT Twitter: @z00v4sh LinkedIn: https://www.linkedin.com/in/caneacsu/ Email: caneacsu@gmail.com
- 4. Scenario: Attacker gainsaccess to a station inside the network. Question: How to discover additional hosts and services on the local network ?
- 5. Native toWindows environments Built on top of .NET Framework Rich set of Cmdlets Full access to WMI Powerful scripting engine Much more ...
- 6. PowerShell Version Installedby default on Can be Installed on PowerShell 1.0 - Windows XP SP2 Windows Server 2003 Windows Vista Windows Server 2008 PowerShell 2.0 Windows 7 Windows Server 2008 R2 Windows XP SP3 Windows Server 2003 SP2 Windows Vista SP1 PowerShell 3.0 Windows 8 Windows Server 2012 Windows 7 SP1 Windows Server 2008 SP2 Windows Server 2008 R2 SP1 PowerShell 4.0 Windows 8.1 Windows Server 2012 R2 Windows 7 SP1 Windows Server 2008 R2 SP1 Windows Server 2012 PowerShell 5.0 Windows 10 Windows Server 2016 Windows 7 SP1 Windows 8.1 Windows Server 2008 R2 SP1 Windows Server 2012 Windows Server 2012 R2
- 7. Local IP(s) PingSweep Port Scanner Active Connections Reverse DNS ARP Scanner Places to look
- 8. Cmdlets .NET Classes WMIWin32 API Methods Used
- 9.
- 10. ARP (Address ResolutionProtocol) Queries IP Addresses for MAC Addresses We use ARP Request Opcode 1 Destination MAC: FF-FF-FF-FF-FF-FF Ethernet Broadcast Address
- 11. Ping Network DiagnosticTool Uses ICMP (Internet Control Message Protocol) Sends ICMP Echo Request Messages Type 8 Expects ICMP Echo Reply Messages Type 0
- 12. IP (Internet Protocol) Main communications protocol in the Internet Protocol Suite Uses either TCP or UDP TCP (Transmission Control Protocol) Connection-oriented (3-Way Handshake) Reliable Error-checks Potentially adds latency Uses port numbers to distinguish between requests (0-65535) UDP (User Datagram Protocol) Connectionless Fast Error prone Also uses port numbers (0-65535)
- 13. DNS (Domain NameSystem) Hierarchical decentralized naming system Commonly used to resolve hostnames to IP Addresses Stores information as records in a database Multiple types of records: A record : points a hostname to an IPv4 Address PTR record: points an IP Address to a hostname Also known as Reverse DNS
- 14. .NET Framework SoftwareFramework developed by Microsoft Rich and powerful classes Serves as the foundation upon which PowerShell is built Extends the functionalities of PowerShell by writing custom code
- 15. WMI (Windows Management Instrumentation) Microsoft's implementation of Web- Based Enterprise Management (WBEM) and Common Information Model (CIM) industry standards published by the Distributed Management Task Force (DMTF) Provides the interface for management data and operations for local or remote computers Copyright: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management- Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- 16. Win32 API Setof functions provided by the Windows operating system Used for resource manipulation Exposed through various libraries (kernel32.dll, user32.dll, etc.)
- 18. • Get-NetIPConfiguration Cmdlet • System.Net.NetworkInformation.NetworkInterface .NETclass • Win32_NetworkAdapterConfiguration WMI Local IP(s)
- 19.
- 20. • Test-Connection Cmdlet • System.Net.NetworkInformation.Ping .NETClass • Win32_PingStatus WMI Ping Sweep
- 21.
- 22.
- 23.
- 24. • Get-NetTCPConnection Cmdlet • System.Net.NetworkInformation.SystemTcpConnectionInformation .NETClass • MSFT_NetTCPConnection WMI Active Connections
- 25.
- 26. • Resolve-DnsName Cmdlet • System.Net.Dns .NETClass Reverse DNS
- 27.
- 28.
- 29.
- 30. Conclusions Multiple waysto query the local network Different techniques to obtain the same information All from non-privilege user
- 31.
- 32. KEEP IN TOUCH Twitter:@z00v4sh LinkedIn: https://www.linkedin.com/in/caneacsu/ Email: caneacsu@gmail.com
- 33.