Network Mapping with PowerShell
Download as pptx, pdf0 likes998 views
This document summarizes a presentation given at the 5th meeting of the Romanian Powershell User Group on February 28th, 2017. The presentation introduced several methods for network mapping and discovery using Powershell, including ping sweeps, port scanning, querying active connections, reverse DNS lookups, and ARP scanning. Code examples were provided demonstrating how to perform these tasks with Powershell cmdlets, .NET classes, WMI, and Win32 APIs. The presentation concluded that Powershell allows non-privileged users to query local network information through various techniques and contacted the presenter for any additional questions.
Network Mapping with PowerShell
- 1. ROMANIAN POWERSHELL USER GROUP 5th Meeting – February 28th 2017
- 2. Network Mapping with PowerShell Neacsu Costin-Alin
- 3. PS C:> $env:USERNAME -not Sysadmin -not Developer PS C:> $env:POSITION Vulnerability Assessment Engineer at NTT Data Services, formerly Dell Services PS C:> $env:CONTACT Twitter: @z00v4sh LinkedIn: https://www.linkedin.com/in/caneacsu/ Email: [email protected]
- 4. Scenario: Attacker gains access to a station inside the network. Question: How to discover additional hosts and services on the local network ?
- 5. Native to Windows environments Built on top of .NET Framework Rich set of Cmdlets Full access to WMI Powerful scripting engine Much more ...
- 6. PowerShell Version Installed by default on Can be Installed on PowerShell 1.0 - Windows XP SP2 Windows Server 2003 Windows Vista Windows Server 2008 PowerShell 2.0 Windows 7 Windows Server 2008 R2 Windows XP SP3 Windows Server 2003 SP2 Windows Vista SP1 PowerShell 3.0 Windows 8 Windows Server 2012 Windows 7 SP1 Windows Server 2008 SP2 Windows Server 2008 R2 SP1 PowerShell 4.0 Windows 8.1 Windows Server 2012 R2 Windows 7 SP1 Windows Server 2008 R2 SP1 Windows Server 2012 PowerShell 5.0 Windows 10 Windows Server 2016 Windows 7 SP1 Windows 8.1 Windows Server 2008 R2 SP1 Windows Server 2012 Windows Server 2012 R2
- 7. Local IP(s) Ping Sweep Port Scanner Active Connections Reverse DNS ARP Scanner Places to look
- 8. Cmdlets .NET Classes WMI Win32 API Methods Used
- 10. ARP (Address Resolution Protocol) Queries IP Addresses for MAC Addresses We use ARP Request Opcode 1 Destination MAC: FF-FF-FF-FF-FF-FF Ethernet Broadcast Address
- 11. Ping Network Diagnostic Tool Uses ICMP (Internet Control Message Protocol) Sends ICMP Echo Request Messages Type 8 Expects ICMP Echo Reply Messages Type 0
- 12. IP (Internet Protocol) Main communications protocol in the Internet Protocol Suite Uses either TCP or UDP TCP (Transmission Control Protocol) Connection-oriented (3-Way Handshake) Reliable Error-checks Potentially adds latency Uses port numbers to distinguish between requests (0-65535) UDP (User Datagram Protocol) Connectionless Fast Error prone Also uses port numbers (0-65535)
- 13. DNS (Domain Name System) Hierarchical decentralized naming system Commonly used to resolve hostnames to IP Addresses Stores information as records in a database Multiple types of records: A record : points a hostname to an IPv4 Address PTR record: points an IP Address to a hostname Also known as Reverse DNS
- 14. .NET Framework Software Framework developed by Microsoft Rich and powerful classes Serves as the foundation upon which PowerShell is built Extends the functionalities of PowerShell by writing custom code
- 15. WMI (Windows Management Instrumentation) Microsoft's implementation of Web- Based Enterprise Management (WBEM) and Common Information Model (CIM) industry standards published by the Distributed Management Task Force (DMTF) Provides the interface for management data and operations for local or remote computers Copyright: https://www.blackhat.com/docs/us-15/materials/us-15-Graeber-Abusing-Windows-Management- Instrumentation-WMI-To-Build-A-Persistent%20Asynchronous-And-Fileless-Backdoor-wp.pdf
- 16. Win32 API Set of functions provided by the Windows operating system Used for resource manipulation Exposed through various libraries (kernel32.dll, user32.dll, etc.)
- 18. • Get-NetIPConfiguration Cmdlet • System.Net.NetworkInformation.NetworkInterface .NET class • Win32_NetworkAdapterConfiguration WMI Local IP(s)
- 19. DEMO
- 20. • Test-Connection Cmdlet • System.Net.NetworkInformation.Ping .NET Class • Win32_PingStatus WMI Ping Sweep
- 21. DEMO
- 23. DEMO
- 24. • Get-NetTCPConnection Cmdlet • System.Net.NetworkInformation.SystemTcpConnectionInformation .NET Class • MSFT_NetTCPConnection WMI Active Connections
- 25. DEMO
- 26. • Resolve-DnsName Cmdlet • System.Net.Dns .NET Class Reverse DNS
- 27. DEMO
- 29. DEMO
- 30. Conclusions Multiple ways to query the local network Different techniques to obtain the same information All from non-privilege user
- 31. QUESTIONS?
- 32. KEEP IN TOUCH Twitter: @z00v4sh LinkedIn: https://www.linkedin.com/in/caneacsu/ Email: [email protected]
- 33. THANK YOU !