PowerShell for Penetration Testing

You're reading from PowerShell for Penetration Testing: Explore the capabilities of PowerShell for pentesters across multiple platforms

Product type: Paperback
Published in: May 2024
Publisher: Packt
ISBN-13: 9781835082454
Length: 298 pages
Edition: 1st Edition
Author: Dr. Andrew Blyth
Table of Contents (23 chapters)

Preface
1. Part 1: Introduction to Penetration Testing and PowerShell (free chapter)
2. Chapter 1: Introduction to Penetration Testing
3. Chapter 2: Programming Principles in PowerShell
4. Part 2: Identification and Exploitation
5. Chapter 3: Network Services and DNS
6. Chapter 4: Network Enumeration and Port Scanning
7. Chapter 5: The WEB, REST, and SOAP
8. Chapter 6: SMB, Active Directory, LDAP and Kerberos
9. Chapter 7: Databases: MySQL, PostgreSQL, and MSSQL
10. Chapter 8: Email Services: Exchange, SMTP, IMAP, and POP
11. Chapter 9: PowerShell and FTP, SFTP, SSH, and TFTP
12. Chapter 10: Brute Forcing in PowerShell
13. Chapter 11: PowerShell and Remote Control and Administration
14. Part 3: Penetration Testing on Azure and AWS cloud Environments
15. Chapter 12: Using PowerShell in Azure
16. Chapter 13: Using PowerShell in AWS
17. Part 4: Post Exploitation and Command and Control
18. Chapter 14: Command and Control
19. Chapter 15: Post-Exploitation in Microsoft Windows
20. Chapter 16: Post-Exploitation in Linux
21. Index
22. Other Books You May Enjoy

TCP port scanning using PowerShell

Port scanning is the practice of systematically checking the open, closed, or filtered ports on a target system. Open ports represent potential entry points for attackers, while closed or filtered ports may indicate security measures in place. By conducting a port scan, penetration testers can gather crucial information about a network or system’s security posture.

Test-NetConnection is a versatile cmdlet available in Windows PowerShell (version 4.0 and later) that primarily serves to diagnose network connectivity. However, it can be repurposed to perform port scanning in a penetration-testing context.

Single port scanning with Test-NetConnection

To perform a simple port scan on a target host using Test-NetConnection, follow this example:

Test-NetConnection -ComputerName 192.168.1.100 -Port 80
ComputerName           : 192.168.1.100
RemoteAddress          : 192.168.1.100
RemotePort             : 80
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.1.101
TcpTestSucceeded       : True

In this example, TcpTestSucceeded : True shows that port 80 on the target system accepted a TCP connection, which is consistent with a web server listening there. The test only confirms that something is listening on that port; it does not identify the service behind it.

Multiple port scanning with Test-NetConnection

A penetration tester often needs to scan multiple ports on a target system. Test-NetConnection can be used in a loop to scan a range of ports or a list of specific ports:

$RemoteHost = "192.168.1.100"
$Ports = 80, 443
foreach ($Port in $Ports) {
    Test-NetConnection -ComputerName $RemoteHost -Port $Port
}
ComputerName           : 192.168.1.100
RemoteAddress          : 192.168.1.100
RemotePort             : 80
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.1.101
TcpTestSucceeded       : True
ComputerName           : 192.168.1.100
RemoteAddress          : 192.168.1.100
RemotePort             : 443
InterfaceAlias         : Ethernet
SourceAddress          : 192.168.1.101
TcpTestSucceeded       : False

In this case, Test-NetConnection scans ports 80 and 443 on the target system. The output shows that port 80 accepted the connection (TcpTestSucceeded : True) while port 443 did not (TcpTestSucceeded : False).

Enumerating open ports with Test-NetConnection

One of the primary objectives of a penetration test is to enumerate open ports. You can utilize PowerShell to filter and display only the open ports:

$RemoteHost = "192.168.1.100"
$Ports = 1..65535
$OpenPorts = foreach ($Port in $Ports) {
    $Result = Test-NetConnection -ComputerName $RemoteHost -Port $Port
    if ($Result.TcpTestSucceeded) {
        $Port
    }
}

In this example, Test-NetConnection scans all possible ports and collects the open ones in $OpenPorts. Be aware that each call also sends an ICMP echo request by default and waits out a connection timeout on ports that do not answer (writing a warning for every failed connection), so a full 1..65535 sweep this way is very slow; the .NET socket approach in the next section is better suited to large ranges. Test-NetConnection, while primarily designed for diagnosing network connectivity, can be a valuable tool for penetration testers to perform port scanning. By utilizing its capabilities to check the status of specific ports on a target system, penetration testers can gather crucial information about potential vulnerabilities and security weaknesses. However, it’s important to note that penetration testing should always be conducted with proper authorization and in a responsible, ethical manner to avoid any legal or ethical issues. Test-NetConnection, when used within these guidelines, can be an asset in a penetration tester’s toolkit.
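The same cmdlet is just as useful from the defending side: a host you administer should expose only the ports you have approved, and a quick check against that list catches forgotten listeners and broken firewall rules. The following function is an added example and is not code from the book; the host address, the expected-port list and the 1..1024 default range are constructed sample values. It relies on two real parameters: -InformationLevel Quiet makes Test-NetConnection return a plain $true/$false instead of the full result object, and the common -WarningAction SilentlyContinue parameter suppresses the per-port "TCP connect failed" warnings.

```powershell
# Added example (not from the book): compare the ports that answer on a host you
# administer against the set you expect to be exposed.
# Host address, expected ports and the default range are constructed sample values.
function Compare-ExposedPorts {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int[]]  $ExpectedPorts,
        [int[]] $PortsToCheck = (1..1024)
    )

    # Collect only the ports that accepted a TCP connection.
    $open = foreach ($port in $PortsToCheck) {
        if (Test-NetConnection -ComputerName $ComputerName -Port $port `
                -InformationLevel Quiet -WarningAction SilentlyContinue) {
            $port
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        OpenPorts    = @($open)
        # Listening but not on the approved list: investigate these first.
        Unexpected   = @($open | Where-Object { $_ -notin $ExpectedPorts })
        # Approved but not answering: a service or firewall rule may be down.
        Missing      = @($ExpectedPorts | Where-Object { $_ -notin $open })
    }
}

# Usage: a web server that should expose only 80 and 443 among its first 1024 ports.
Compare-ExposedPorts -ComputerName '192.168.1.100' -ExpectedPorts 80, 443 | Format-List
```

Because every Test-NetConnection call waits out its own timeout on a port that does not answer, keep $PortsToCheck small when running this against hosts behind a filtering firewall; for a full-range check the .NET TcpClient approach with an explicit timeout is far faster.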

Single port scanning with .NET

PowerShell can create a .NET socket object to establish a connection with a single port on a target host. Here’s an example:

$RHost = "192.168.1.100"
$Port = 80
# Create a TCP client; nothing is sent on the wire until Connect() is called.
$TcpClient = New-Object System.Net.Sockets.TcpClient
try {
    # Connect() completes the TCP handshake or throws a SocketException.
    $TcpClient.Connect($RHost, $Port)
    Write-Host "Port $Port on $RHost is open."
}
catch {
    # Any failure (refused, timed out, unreachable) lands here.
    Write-Host "Port $Port on $RHost is closed or filtered."
}
finally {
    # Always release the socket, whether or not the connection succeeded.
    $TcpClient.Close()
}

In this example, PowerShell creates a TCP client object and attempts to connect to the specified port on the target host. A successful Connect() means the port is open; any exception is reported as "closed or filtered", because a plain synchronous Connect() does not distinguish a connection that was actively refused from one that simply timed out.

Multiple port scanning with .NET

A typical penetration test involves scanning multiple ports on a target system. PowerShell can iterate through a list of ports and check their status:

$RHost = "192.168.1.100"
$Ports = 80, 443, 22
foreach ($Port in $Ports) {
    # A fresh TcpClient is needed for each attempt; a closed client cannot be reused.
    $TcpClient = New-Object System.Net.Sockets.TcpClient
    try {
        $TcpClient.Connect($RHost, $Port)
        Write-Host "Port $Port on $RHost is open."
    }
    catch {
        Write-Host "Port $Port on $RHost is closed or filtered."
    }
    finally {
        $TcpClient.Close()
    }
}

This PowerShell script scans a list of ports on the target host and reports their status.

Enumerating all open ports with .NET

In some cases, it’s essential to enumerate all open ports on a target system. PowerShell can be used to scan a range of ports systematically:

$RHost = "192.168.1.100"
$StartPort = 1
$EndPort = 65535
for ($Port = $StartPort; $Port -le $EndPort; $Port++) {
    $TcpClient = New-Object System.Net.Sockets.TcpClient
    try {
        $TcpClient.Connect($RHost, $Port)
        Write-Host "Port $Port on $RHost is open."
    }
    catch {
        # Port is closed or filtered; nothing is reported for it.
        # (The comment must sit on its own line: a '#' comment runs to the end of
        # the line, so putting the closing brace after it would comment it out.)
    }
    finally {
        $TcpClient.Close()
    }
}

PowerShell systematically attempts a connection to every port on the target host and reports only those that accepted one. Because each non-responding port is left to the operating system's default connect timeout, a full sweep against a host that silently drops packets can still take a long time.
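The book's try/catch folds two very different outcomes into "closed or filtered": a port that answers with an RST (closed) and one that never answers at all (filtered, usually by a firewall). Telling them apart matters when you are verifying your own firewall rules, and it also bounds how long a non-responding port can stall the loop. The function below is an added example, not code from the book; it uses TcpClient.ConnectAsync with Task.Wait(timeout) so that silence is reported as Filtered after a chosen timeout, while a SocketException with SocketErrorCode ConnectionRefused is reported as Closed. The 127.0.0.1 address, port list and 1000 ms timeout in the usage lines are constructed sample values.

```powershell
# Added example (not from the book): classify a TCP port as Open, Closed or Filtered
# instead of collapsing every failure into "closed or filtered".
# Host, ports and timeout in the usage section are constructed sample values.
function Test-TcpPortState {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [int]    $Port,
        [int] $TimeoutMs = 1000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait() returns $false if the timeout elapses before the handshake completes:
        # no SYN/ACK and no RST means something in the path is dropping the packets.
        if (-not $task.Wait($TimeoutMs)) {
            return 'Filtered'
        }
        return 'Open'
    }
    catch {
        # Task.Wait wraps the SocketException in an AggregateException, and PowerShell
        # wraps that again in a MethodInvocationException; unwrap to the root cause.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }

        # ConnectionRefused means the host answered with RST: the port is closed, not filtered.
        if ($inner -is [System.Net.Sockets.SocketException] -and
            $inner.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
            return 'Closed'
        }
        # Anything else (name resolution failure, host unreachable, ...) is surfaced as-is.
        return "Error: $($inner.Message)"
    }
    finally {
        # Closing the client also aborts a still-pending connect on the Filtered path.
        $client.Close()
    }
}

# Usage: check a few well-known ports on the local host and summarise by state.
$results = foreach ($p in 22, 80, 443, 3389) {
    [pscustomobject]@{
        Port  = $p
        State = Test-TcpPortState -ComputerName '127.0.0.1' -Port $p -TimeoutMs 1000
    }
}
$results | Sort-Object Port | Format-Table -AutoSize
```

On the local host every unused port should come back Closed, because the loopback interface always answers with an RST; a Filtered result there, or on a host where the firewall is supposed to be off, is worth a second look. On a remote host the timeout is the trade-off: too short and a slow link is misreported as Filtered, too long and a full-range sweep through a dropping firewall takes hours.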

Leveraging .NET Socket Objects in PowerShell provides penetration testers with a versatile and programmable approach to conducting port scanning, as a vital part of ethical hacking assessments. Port scanning plays a pivotal role in identifying potential vulnerabilities within a target system, and .NET Socket Objects empower testers to automate and customize this process effectively. However, it’s imperative to conduct penetration tests responsibly, adhering to legal and ethical guidelines and obtaining proper authorization. When used responsibly, .NET Socket Objects in PowerShell serve as powerful tools for penetration testers to assess the security posture of systems and networks, ultimately enhancing cybersecurity.
