Basics of PowerShell P2 : Port Scanning and Pattern Matching - TryHackme Hacking with Powershell

Captions
So here we come with part two of PowerShell for pen testing. Basically this is also part of the TryHackMe offensive security pathway, and this is also a reminder about the room: the room's name is Hacking with PowerShell. In the last video we completed all the tasks, from task 1 all the way to task 4. Now in this video we're going to go over the Basic Scripting Challenge and Intermediate Scripting, so both tasks, as you can see, five and four. I try to introduce the concept of using scripts to automate the tasks you might encounter while you do your pen testing. Basically this is not exhaustive knowledge, of course; you have to keep digging, but these are also kind of introductory examples on how to script with PowerShell for your pen testing.

So for example, in this challenge here we have to write a script to answer the questions, but before writing that script, let's explain the script given here. After we make sure that everything is correct, everything is ingested in the mind, we can then head over to writing the challenge script. So for that reason we would type `ise` to open the PowerShell editor. Let's take this on the right. Basically, if I click on Script here, I am, as you can see, in the script editor; whatever I write here I can save and execute. So let me paste this script here; that's the one that is shown in the example in the room.

Basically what this script does is: we have a variable defined as system ports, and here we have Get-NetTCPConnection. If you remember, in the last video we said that Get-NetTCPConnection is much like netstat, to display the status of the ports: the listening ports, the established ones. Here it is saying display the status of all the ports and pick up only the ones that are listening or open. So basically here we see if the port, or the local port, is listening. Let's take this command individually and try to execute it. Let me open PowerShell, another PowerShell window.

So if I execute this on its own, as you can see, I get a list of the ports. I made a mistake: I said previously the list of open ports, and that's a confusion with nmap. Now here we can see a list of the ports and their status. So here's the state that we picked up from the property here, the variable. Of course you can use Where-Object, but it is much faster to use `-State Listen`. So here we have the ports that are listening, and here we have the remote addresses on which the port is listening. That's the output of this command, and all of this output is stored in this variable.

Next we define another variable, the text port; text port contains or holds the value of this command. If you take this command on its own and execute it, we get a list of ports. Now as you can see, `Get-Content -Path`: we specify the path of the file, and here we get its content. So we store all of that in the text port, and then we enter into a loop, so foreach, as you can see, and under foreach we have an if statement. So basically the foreach here checks, right, it has defined a variable called port, and this variable is iterated through the values defined and held in the text port. So port will go over them one by one, okay, and for each port here it will enter the if statement. Now in the if statement, as you can see, the port that's picked up from the file here is checked for whether it does exist in the system ports. System ports contains the ports, these ports right here whose status is Listen. So basically the if statement checks if the port from here does exist in or among these ports, by just mentioning the variable and typing its property; the property here is local port, as you can see. Now if it does, it says echo port, so it echoes the port that's actually in the listening state. So in total, the script here outputs all of the ports that are in the listening state, or checks the file ports here and says which ports in this file are listening, by comparing them to the list here, or the exhaustive list here. Okay.

Let's save this one. Oh, it's here actually, look, listening ports; we can execute this right away. So in here, see the desktop. I'm gonna need to just change some stuff here, say medium, and let's see. Oh, I want to change the font; let's see the font properties. I'm gonna make it bigger. It seems too big. That's much better actually. All right, so there they are, and this is the script we have explained, so just execute that. As you can see, the output is these ports. Now these ports do exist in the file and they cross with the ports that are listening, or in the listening state. Okay, that's about this. Let's cancel this one and see what TryHackMe wants us to do.

So basically we're required to write a script, as you can see, now that we have seen what the script basically looks like. Now it's saying: look, the emails folder on the desktop contains copies of the emails John, Martha and Mary have been sending to each other. Answer the following questions with regards to these emails. Try not to open the files and use a script to answer the questions. So here basically we have a folder called emails on the desktop and it contains the subfolders; for each folder we have the user or the email, and if you open that you can see some messages, right, for each one. Now you're not required to answer the questions by reading the folders or reading the text files, since you're required to write a script to extract the content from these files. Okay, so what do we do here? Let's get back. What file contains the password? Find the file that contains the plain text password among these files. Now what is the password, and what files can... what file, what files... oh, what does... oh my god, this is grammatically wrong. And what file contains an HTTPS link? Much like we find the password, we find the HTTPS link. Let's do that and write a script to do this. So here's the script. Let's first Save As and say emails finder, or let's say, yeah, e finder.

So this is a script. Let's now understand what we need to do. Basically, first we have to define the path in order for the script to find these files and look into them. We just have to tell the script where that folder is, where the files are that we need it to look in. So basically we define a variable called path, for example, and in this variable we define the path of the folder containing the files. So open double quotes and paste this. All right, so this is the path of the folder, right, but we want the script to look into the files, everything under emails: John, Martha and Mary. So it's not enough to define only the path of the directory; we have to define also everything under this directory. To do that we have to type star and close this. Okay, don't put a semicolon.

Okay, now we have to define what it is that the script needs to look for. According to the question here, what file contains the password? So we're assuming that there is a file among the emails that does contain the password, and if it does contain the password there will be a string indicating that this is the password. So we're assuming that one of the files contains this string, okay, and we're gonna find this password. So we can define a variable here; in this variable we will say pattern, and define the pattern as password. Okay, now I have defined the files, and we have defined what it is we want to use to find the password. Now we will execute the actual command. So we'll define here `cmd =` and we type the command. Now if you remember, when we go over files, right, and find some files in some directory, we have to use Get-ChildItem. As a reminder, Get-ChildItem lists what is in this directory. So if I use Get-ChildItem and I tell Get-ChildItem to look in a specific path, in this case I want Get-ChildItem to list everything in the emails and extract some stuff from it. So we can do this. Definitely, let's minimize this. So here the first one will be Get-ChildItem. I will define the path; the path is mentioned by mentioning the variable, and then -Recurse requests to look into the subdirectories as well. So it is here.

Okay, now what is the output of this one? The output of this is a list of all of the subdirectories and files under the path. I want to take this output and feed it into another command. So there is a cmdlet in PowerShell called Select-String. Select-String... oh wait, I have a mistake. So here let's say `Get-Help Select-String`. So what does Select-String do? Finds text in strings and files. So that's what we're looking for: after we list the contents, after we list the files and directories within the emails directory, we want to go through every single file, every single directory, and see what is in these files, what's in there, with Select-String. Now I want to say here, I want to Select-String... what do you want? It's asking: what do you want me to look for, what's this thing we're looking for, what's the pattern? So here I can type `-Pattern`; as you can see it pops up on its own at the bottom. We have it here, this password. Yep, that's it. And then we say echo command, no, `= $cmd`. Save. Now head to PowerShell, clear, ls, so e finder, execute.

So what do we see here? emails\John: it's saying in this file "I got some errors trying to access my passwords file, is there any way you can help, here's the output I got". So why do we see this output? The script found that there is a string "password" mentioned, but the first output is not relevant for us, because there is no password here, but there is the string "password", which means that the script actually worked. The second line here indicates that there is another file under Martha which contains the string "password": "it managed to fix the corrupted file to get the output but the password is buried somewhere in these logs". The third file does contain the string password: "password is 106", "password is john is legend 99". So this is the password. Hmm, not correct. 106.

Let me tell you why not correct. Password is... oh, not here. What is the password? Okay, what file contains the password? Now what file contains the password, it's this one. Okay, what files... what file, what files, I don't know what they mean; they're saying files contains HTTPS link. So here we get back to the script and make a little modification. In the last example, or in this example, we were looking for the string password; in this case we're going to look for the string https, or, case sensitive, it doesn't matter I guess. I need to do this. Save that. So what's the question here? What file? Okay, the file is doc two, Mary. Okay, that one was done.

So basically here this is basic scripting, as the title indicates, and you learn some basic stuff like how to open the files, how to find the listening ports and how to find strings, pattern matching, this kind of stuff. Next one is intermediate scripting. Now here the challenge is saying build a port scanner, and after you build the port scanner answer this question. The question is saying how many open ports did you find between 130 and 140? So let's try a small port scanner and try to find what are the ports that are open between 130 and 140.

So let's get back to the editor and here open a new one, new, and name it here something like... let's save it first, say port. Okay, let me get back to that question. Now that you have learned a little bit about how scripting works, let's try something a bit more interesting. Sometimes you may not have utilities like nmap and Python available, and you are forced to write scripts to do very rudimentary tasks. We're going to try writing a simple port scan using PowerShell. Here is the general approach to use: determine IP ranges to scan; in this case it will be localhost. So it's saying find the open ports on the localhost; this is your target, and of course you should have a target, right, because in nmap or another scanner you would first define a target before scanning, you will not shoot in the air, and you can provide the inputs in any way you want. Determine the port range to scan; in our case we're going to define between 130 and 140. Determine the type of scan to run; in this case it would be a simple TCP connect scan. So the challenge, actually the script, is dissected into three sections.

First, let's define the IP range or the target that we're gonna scan. So basically here the first variable is targets equal... you want this to be localhost, so here it will be localhost. Next one, determine the port ranges. So you have to use a specific function to generate the range, or we can use this inside a for loop, so let's leave that with the for loop. The third one is determine the type of scan to run; in this case it will be a simple TCP connect scan. So here we have to know how to perform TCP... we've got to know the TCP and UDP functions in PowerShell. So let's import Google, assuming that not all of us are born knowing PowerShell, so we have to use Google first: powershell tcp connect cmd. So Test-NetConnection; Get-NetTCPConnection, we saw what the purpose of this is in the last video. Let's see this one. So Test-NetConnection -ComputerName string, traceroute host.

Let's see an example. Test-NetConnection displays diagnostic information for a connection. It supports ping test, TCP test, route tracing and route selection. All right, example one, ping connectivity: Test-NetConnection. So if you don't provide a variable, it does scan, or it does connect to, the localhost here. -InformationLevel Detailed, we get detailed info. TCP connectivity, and just the detailed results. So it is scanning, as you can see: the port is defined and the target is defined, and here the result, as you can see, is the source, remote port. So it was able to connect to the host on that port, so it means the port is open: TcpTestSucceeded True. Okay, so here we know from this... here we define the ComputerName, as you can see, if ours... if the computer name is added to the hosts file or is defined in the DNS server. All right, I think enough for now; we can just go ahead. -Port specifies the TCP port number on the remote computer. So here you can select which port to scan; by the way this is very good. Okay, let's head over, and I guess the only variable we have to define is this one, so we can go ahead and use the for loop. Now `for`, and here's the port, start from... so the question is asking here, let's get back to the question, 130 and 140. So here the first, or the start of the port range, will be 130. This is the start. Now we will increment by one, right, and the end of the range will be 140. So basically here it will be port less than or equal to 140.

So this way we scan from 130 and we end up with 140, and then we stop. Now we have defined the range; the range is done. Now the connection: we know that Test-NetConnection can be used, and let's see the variables or the arguments. So we can select -InformationLevel Detailed. Now we have to define the -Port, so -InformationLevel Detailed, -Port, the port. Are we done? I guess we are done. So basically let's save and run the port scanner. Let's see here. So let's examine the results here and see how many ports are open. So how do we know this? We have to look at the... so it's saying the connection has failed, but if we look at the PingSucceeded it's saying False, the next one False, here we have one True. PingSucceeded is True, and this is the first one, PingSucceeded True, the second port is open, PingSucceeded True, three, four, five, six, seven, 8, 9, 10, 11. So 11 open ports. This is Microsoft. Where's the page? Okay, and that was the end of this. I hope you guys find this helpful, and of course this is not the end of it all. PowerShell is a very wide scripting language and you have to drill down for more details, research, practice, but I think that's a good start. And yeah, see you in the next video.
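The two challenge scripts walked through above (the e-finder pattern search and the 130-140 port scanner), written out as one added example; this is not the room's or the speaker's own code. It assumes the emails folder sits under the current user's Desktop, and it decides "open" from the TcpTestSucceeded field that the Test-NetConnection output shown above reports.

```powershell
# Added example (not the room's script). Assumed paths and pattern values
# are set in the usage lines at the bottom.

# Part 1: recursive pattern search over the emails folder, the way the
# e-finder script does it with Get-ChildItem -Recurse | Select-String.
function Find-PatternInFiles {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Pattern
    )
    # -Recurse descends into every subfolder (John, Martha, Mary);
    # -File skips the directory entries themselves.
    Get-ChildItem -Path $Path -Recurse -File |
        # Select-String emits one MatchInfo per matching line; -SimpleMatch
        # treats the pattern as a literal string rather than a regex.
        Select-String -Pattern $Pattern -SimpleMatch |
        # Keep only what the questions ask for: which file and which line.
        Select-Object Path, LineNumber, Line
}

# Part 2: TCP connect scan of a port range with Test-NetConnection.
function Test-PortRange {
    param(
        [string]$Target = 'localhost',
        [int]$StartPort = 130,
        [int]$EndPort = 140
    )
    $open = @()
    for ($port = $StartPort; $port -le $EndPort; $port++) {
        # -WarningAction SilentlyContinue hides the "TCP connect failed"
        # warning Test-NetConnection prints for every closed port.
        $r = Test-NetConnection -ComputerName $Target -Port $port `
                -InformationLevel Detailed -WarningAction SilentlyContinue
        # TcpTestSucceeded reports whether the TCP connect completed;
        # PingSucceeded only reports ICMP reachability of the host.
        if ($r.TcpTestSucceeded) { $open += $port }
    }
    [PSCustomObject]@{
        Target    = $Target
        Range     = "$StartPort-$EndPort"
        OpenPorts = $open
        OpenCount = $open.Count
    }
}

# Usage for the room's questions (emails location is an assumption).
$emails = Join-Path $env:USERPROFILE 'Desktop\emails'
Find-PatternInFiles -Path $emails -Pattern 'password'
Find-PatternInFiles -Path $emails -Pattern 'https'
Test-PortRange -Target 'localhost' -StartPort 130 -EndPort 140
```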
Info
Channel: Motasem Hamdan
Views: 5,908
Keywords: Powershell, OSCP, Pentesting, tryhackme
Id: 5Sh8xLC8wEo
Length: 27min 7sec (1627 seconds)
Published: Sat Jan 09 2021