@r00t-3xp10it
Last active November 14, 2025 22:03
<#
.SYNOPSIS
Manage TCP connections
Author: @r00t-3xp10it
Tested Under: Windows 11 (26100) x64 bits
Required Dependencies: Get-NetTCPConnection
Optional Dependencies: Netstat, ipinfo.io
PS cmdlet Dev version: v2.10.9
.DESCRIPTION
List ESTABLISHED TCP connections in loop mode by
executing Netstat or Get-NetTCPConnection commands,
report\flush the DNS resolver cache, search for processes
that loaded DLLs, search for alive hosts in the local LAN,
search for TCP high risk [open] ports in the local LAN or WAN
([IPv4|IPv6] addresses accepted), scan for possible MITRE ATT&CK
vulnerabilities and geo-locate [ipinfo.io] remote host addresses
.NOTES
Executing -invoke 'netstat' together with the -process switch
displays the ProcessName associated with the TCP connection
and alerts the user of suspicious TCP connections (yellow color)
or possibly dangerous service names (red color).
Executing -invoke 'netstat' -process -warnmeof 'svchost'
pops up one balloon tip warning every time one TCP connection
related with the process svchost is found active on the device.
Invoking -filter '127.0.0.1' will delete from scan reports
all '127.0.0.1' strings found and the full corresponding line.
How to use more than one filter? -filter 'svchost|127.0.0.1'
Parameter -ScanType 'manual' requires the user to press any
key on the keyboard for the next scan (bypassing -ScanEach param).
-rport, -geoLocation, -processinfo and -warnmeof require
the -process switch to be invoked at cmdlet execution time.
Switches -mitre, -dll and -dns are standalone switches that
can not be invoked together with other parameters except
the -logfile switch (available in -dll and -dns switches).
.Parameter Invoke
List TCP connections invoking (Netstat|NetTCPConnection)
.Parameter ScanType
The type of scan (loop) to use (automatic|manual)
.Parameter ScanEach
Scan for TCP connections every 6 seconds (3|15)
.Parameter MaxScans
The max number of TCP scans to perform (1|80)
.Parameter Filter
Delete from scan reports all strings (0.0.0.0:)
.Parameter Process
Switch to retrieve the process name associated with the TCP connection
.Parameter ProcessInfo
Switch that displays TCP connection process name detail info
.Parameter WarnMeOf
Pops up a balloon tip warning that the process name was found active
.Parameter RPORT
Pops up a balloon tip warning that the remote port was found active
.Parameter GeoLocation
Switch that resolves remote hosts geolocation [ipinfo.io]
.Parameter LogFile
Switch that appends scans to TCPreport_19_27_50_2025.txt
.Parameter Dns
Switch that retrieves Lhost DNS resolver cache entries [ipv4|ipv6]
.Parameter DLL
Switch to search for DLLs loaded by running processes
.Parameter PortScan
Switch that searches for TCP high risk [open] ports
.Parameter Mitre
Switch that searches for possible MITRE ATT&CK vulnerabilities
.EXAMPLE
PS C:\> .\TCPinspector.ps1
List TCP connections using default settings
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'netstat'
List TCP connections invoking netstat
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'NetTCPConnection' -process
List TCP connections invoking NetTCPConnection, display processname
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'netstat' -process
List TCP connections invoking netstat, display processname
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'netstat' -process -warnmeof 'svchost'
Pops up one balloon tip warning every time one TCP connection related with
the process svchost is found active on the device
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'Netstat' -maxscans '6' -scaneach '2' -filter '127.0.0.1'
List TCP connections invoking Netstat command, scan 6 times max with 2 seconds delay and
delete from scan reports all strings with '127.0.0.1' characters [full line]
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'NetTCPConnection' -maxscans '3' -scantype 'manual'
List TCP connections invoking NetTCPConnection, scan 3 times max, (press keyboard key for new scan)
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -invoke 'Netstat' -process -warnmeof 'SVCHOST' -scaneach '10' -maxscans '6'
Execute the netstat command to scan for active TCP connections, display the process names associated with
the TCP connection, trigger balloon tip warnings if the SVCHOST process is found active, wait 10 seconds
before performing the next TCP connection scan, and repeat all steps described before a max of 6 times
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -process -warnmeof 'true' -rport '80' -maxscans '3'
Scan for active TCP connections (NetTCPConnection), display the process names associated
with the TCP connection, trigger balloon tip warnings if rport 80 is found active
.EXAMPLE
PS C:\> .\TCPinspector.ps1 -process -processinfo -geolocation -filter '127.0.0.1' -scaneach '8' -maxscans '5' -logfile
.INPUTS
None. You cannot pipe objects into TCPinspector.ps1
.OUTPUTS
(
* ) ( )\ )
) /( )\ (()/( )
( )(_))(((_) /(_)) ( ( ( /( (
(_(_()) )\___ (_)) )\ )\ )(_)) )\ )
|_ _|((/ __|| _ \ ((_) ((_)((_)_ _(_/(
| | | (__ | _/ (_-</ _| / _ || ' \))
|_| \___||_| /__/\__| \__,_||_||_|
List ESTABLISHED 192.168.1.5 TCP Connections
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
TCP State LocalAddress LocalPort RemoteAddress RemotePort HostName ProcessName OwningProcess
--------- ------------ --------- ------------- ---------- -------- ----------- -------------
Established 192.168.1.5 62082 140.82.113.26 443 lb-140-82-113-26-iad.github.com opera 776
Established 127.0.0.1 60919 127.0.0.1 58995 Skynet AcerGAICameraW 6880
Established 127.0.0.1 60904 127.0.0.1 5141 Skynet AQAUserPS 3404
Established 127.0.0.1 58995 127.0.0.1 60919 Skynet AcerPixyService 4548
Established 127.0.0.1 49673 127.0.0.1 49672 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49672 127.0.0.1 49673 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49670 127.0.0.1 49669 Skynet ADESv2Svc 4508
Established 127.0.0.1 49669 127.0.0.1 49670 Skynet ADESv2Svc 4508
Established 192.168.1.5 49412 4.207.247.139 443 svchost 4964
Established 127.0.0.1 5141 127.0.0.1 60904 Skynet AcerQAAgent 4576
-|Scan[7:20]|-
.LINK
https://gist.github.com/r00t-3xp10it/586346116ddbeeeaad4e9775b123d549
https://gist.github.com/r00t-3xp10it/4f462362e54e33a52634719cd5e9dac4
#>
[CmdletBinding(PositionalBinding=$false)] param(
[string]$Invoke="NetTCPConnection",
[string]$ScanType="automatic",
[string]$Filter="0.0.0.0:",
[string]$WarnMeOf="NULL",
[switch]$GeoLocation,
[switch]$ProcessInfo,
[int]$MaxScans="10",
[int]$ScanEach="6",
[int]$RPORT='4444',
[switch]$PortScan,
[switch]$Process,
[switch]$Logfile,
[switch]$Mitre,
[switch]$DLL,
[switch]$Dns
)
$StartBanner = @"
(
* ) ( )\ )
` ) /( )\ (()/( )
( )(_))(((_) /(_)) ( ( ( /( (
(_(_()) )\___ (_)) )\ )\ )(_)) )\ )
|_ _|((/ __|| _ \ ((_) ((_)((_)_ _(_/(
| | | (__ | _/ (_-</ _| / _` || ' \))
|_| \___||_| /__/\__| \__,_||_||_|
"@;
$CmdletVersion = "v2.10.9"
# Script local Variable declarations
$IsClientAdmin = [bool](([System.Security.Principal.WindowsIdentity]::GetCurrent()).groups -Match "S-1-5-32-544")
$LogName = "TCPreport_" + "$(Get-Date -Format 'HH_mm_ss_yyyy')" + ".txt" -join ''
$host.UI.RawUI.WindowTitle = "@TCPinspector > [ $CmdletVersion ]"
$IP = ((ipconfig|findstr [0-9].\.)[0]).Split()[-1]
$ErrorActionPreference = "SilentlyContinue"
$WarnMeOf = $WarnMeOf.ToUpper()
$Backuup = $MaxScans
# make sure the correct scan mode is selected
If($Invoke -iNotMatch "^(netstat|NetTCPConnection)$")
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Wrong " -NoNewline
Write-Host "-invoke '$Invoke'" -ForegroundColor Red -NoNewline
Write-Host " input, defaulting to " -NoNewline
Write-Host "NetTCPConnection" -ForegroundColor Green
$Invoke = "NetTCPConnection"
}
# make sure the correct Loop mode is selected
If($ScanType -iNotMatch "^(automatic|manual)$")
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] wrong " -NoNewline
Write-Host "-scantype '$scantype'" -ForegroundColor Red -NoNewline
Write-Host " input, defaulting to " -NoNewline
Write-Host "automatic" -ForegroundColor Green -NoNewline
Write-Host " scans"
$ScanType = "Automatic"
}
## Min|Max number of scans permitted
If($MaxScans -lt 1 -or $MaxScans -gt 80)
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Non Optimal " -NoNewline
Write-Host "-maxscans '$MaxScans'" -ForegroundColor Red -NoNewline
Write-Host " Setting detected. Defaulting to " -NoNewline
Write-Host "10" -ForegroundColor Green -NoNewline
Write-Host " scans?"
Write-Host "[" -NoNewline
Write-Host "?" -ForegroundColor Yellow -NoNewline
$BypassMax = Read-Host "] Use default setting recommended? (yes|no)"
If($BypassMax -iMatch "^(y|yes)$")
{
$Backuup = $MaxScans = "10"
}
}
# Make sure the correct timing is set
If($ScanEach -lt 3 -or $ScanEach -gt 15)
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] Non optimal " -NoNewline
Write-Host "-scaneach '$ScanEach'" -ForegroundColor Red -NoNewline
If($ScanEach -gt 15)
{
$ScanEach = "15"
}
ElseIf(($ScanEach -lt 3) -and ($WarnMeOf -iNotMatch "^(NULL)$"))
{
$ScanEach = "4"
}
ElseIf($ScanEach -lt 3)
{
$ScanEach = "3"
}
Write-Host " Setting, defaulting to " -NoNewline
Write-Host "$ScanEach" -ForegroundColor Green -NoNewline
Write-Host " seconds"
}
# modules load incompatibility warnings
If(($Mitre.IsPresent) -and ($Logfile.IsPresent))
{
Write-Host "[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "logfile" -ForegroundColor Red -NoNewline
Write-Host " creation is not available in " -NoNewline
Write-Host "-mitre" -ForegroundColor Red -NoNewline
Write-Host " module"
Start-Sleep -Seconds 2
}
If(-not($Process.IsPresent) -and ($WarnMeOf -iNotMatch "^(NULL)$"))
{
Write-Host "`n[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-warnmeof '$WarnMeOf'" -ForegroundColor Red -NoNewline
Write-Host " requires " -NoNewline
Write-Host "-process" -ForegroundColor Red -NoNewline
Write-Host " parameters invoked together`n"
return
}
If(-not($Process.IsPresent) -and ($ProcessInfo.IsPresent))
{
Write-Host "`n[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-ProcessInfo" -ForegroundColor Red -NoNewline
Write-Host " requires " -NoNewline
Write-Host "-process" -ForegroundColor Red -NoNewline
Write-Host " parameters invoked together`n"
return
}
If(-not($Process.IsPresent) -and ($GeoLocation.IsPresent))
{
Write-Host "`n[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-GeoLocation" -ForegroundColor Red -NoNewline
Write-Host " requires " -NoNewline
Write-Host "-process" -ForegroundColor Red -NoNewline
Write-Host " parameters invoked together`n"
return
}
If(($WarnMeOf -Match "^(NULL)$") -and ($RPORT -ne 4444))
{
Write-Host "`n[" -NoNewline
Write-Host "ERROR" -ForegroundColor Red -NoNewline
Write-Host "] " -NoNewline
Write-Host "-RPORT" -ForegroundColor Red -NoNewline
Write-Host " requires " -NoNewline
Write-Host "-WarnMeOf" -ForegroundColor Red -NoNewline
Write-Host " parameters invoked together`n"
return
}
# Lack of Administrator privileges remark
If(($IsClientAdmin -Match "^(False)$") -and ($ProcessInfo.IsPresent))
{
powershell (New-Object -ComObjEct Wscript.Shell).Popup("Parameter -processinfo requires admin`nprivileges to extract info from processes",7,"TCPinspector - $CmdletVersion - ADMIN PRIVILEGES REMARK",0+64)|Out-Null
}
function Invoke-BallonTip()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - pops up one balloon tip warning
.NOTES
pops up one balloon tip at the end of each scan
#>
$path = (Get-Process -id $pid).Path
Add-Type -AssemblyName System.Windows.Forms
$balmsg = New-Object System.Windows.Forms.NotifyIcon
$balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($path)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Info
$balmsg.BalloonTipText = "Scans finished - $(Get-Date -Format g)"
$balmsg.BalloonTipTitle = "TCPinspector - $CmdLetAppl"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(10000)
}
function Invoke-ScheduleTasks()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Prints pending [Today:Hour] scheduled tasks
.NOTES
This function only prints scheduled tasks that are in the
'Ready' state and whose next run falls within the next 2 hours
.OUTPUTS
TaskName State NextRunTime Execute
-------- ----- ----------- -------
Office Actions Server Ready 14/10/2025 21:00:00 C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Share...
Microsoft Compatibility Appraiser Ready 14/10/2025 21:31:07 %windir%\system32\sc.exe
Data Integrity Check And Scan Ready 14/10/2025 22:09:52
QueueReporting Ready 14/10/2025 22:35:51 %windir%\system32\wermgr.exe
#>
# Math
$CurrentHour = (Get-Date -Format 'HH')
If(($CurrentHour -Match '^(0)') -and ($CurrentHour -NotMatch '^(09)')) # From 00: to 08:
{
$OneMoreHour = [int]$CurrentHour+1
$OneMoreHour = "0" + "$OneMoreHour" -join ''
}
ElseIf($CurrentHour -Match '^(23)') # From 23: to 00:
{
$OneMoreHour = "00"
}
Else
{
$OneMoreHour = [int]$CurrentHour+1
}
## Print tasks schedule for the next 2 hours
# Keep the task objects (not Format-Table output): the list is formatted again below,
# and piping Format-Table output into a second Format-Table fails
$ReadyTasks = (Get-ScheduledTask|Select-Object TaskName,State,@{Name='NextRunTime';Expression={($_|Get-ScheduledTaskInfo).NextRunTime}},@{Name='Execute';Expression={$_.Actions.Execute}}|
Where-Object{$_.State -Match 'Ready' -and $_.TaskName -iNotMatch 'OneDrive' -and $_.NextRunTime -Match $(Get-Date -Format 'dd/') -and $_.NextRunTime -Match "($CurrentHour|$OneMoreHour):\d\d:"})
# No tasks scheduled for the next 2 hours found
If([string]::IsNullOrEmpty($ReadyTasks))
{
Write-Host "[" -NoNewline
Write-Host "x" -ForegroundColor Red -NoNewline
Write-Host "] ERROR: " -NoNewline
Write-Host "No tasks scheduled for " -ForegroundColor Red -NoNewline
Write-Host "$(Get-Date -Format 'dd/MM/yyyy')" -ForegroundColor Blue -NoNewline
Write-Host " for the next " -ForegroundColor Red -NoNewline
Write-Host "2 hours" -ForegroundColor Blue -NoNewline
Write-Host " found`n`n" -ForegroundColor Red
If($Logfile.IsPresent)
{
# Add results to logfile
echo "[x] ERROR: No tasks scheduled for $(Get-Date -Format 'dd/MM/yyyy') for the next 2 hours found`n" >> $LogName
}
return
}
# Print [today::2hours] schedule tasks found OnScreen
$ReadyTasks|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "^(--------)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "C:\\Users\\$Env:USERNAME")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -Match '%\w*')
{
@{ 'ForegroundColor' = 'Gray' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
If($Logfile.IsPresent)
{
# Add results to logfile
echo $ReadyTasks|Format-Table -AutoSize >> $LogName
}
}
function Invoke-BallonTipWarnings()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - pops up balloon tip warnings [Netstat|NetTCPConnection]
.NOTES
Pops up balloon tip warnings every time one TCP connection
related with the input process name is found active on the device.
In addition the -warnmeof '' parameter will automatically trigger
balloon tip warnings if the following process names are found:
MSTSC, TELNET, NETBIOS, VNCSERVER, WSUSSERVICE, TEAMVIEWER,
remote ports: 4444[msf],80[http] and local ports: 139,445[smb]
#>
$SuspiciousDB = @(
"$WarnMeOf","TELNETCLIENT","WSUSSERVICE","TEAMVIEWER","VNCSERVER","NETBIOS","TELNET","MSTSC","WSUS","W3WP"
)
[int]$Contador='0'
# Build BallonTip Windows.Forms
$pathId = (Get-Process -id $pid).Path
Add-Type -AssemblyName System.Windows.Forms
$balmsg = New-Object System.Windows.Forms.NotifyIcon
$balmsg.Icon = [System.Drawing.Icon]::ExtractAssociatedIcon($pathId)
ForEach($NameToken in $SuspiciousDB)
{
If($ProcName -iMatch "$NameToken") ## [Netstat|NetTCPConnection]$ProcessName = $SuspiciousDB(item) ?
{
If($NameToken -iMatch "SVCHOST") ## Mitre T1021::Detection Rule::UserInput
{
## SVCHOST process found by -WarnMeOf 'SVCHOST' --> Scanning for rdpcorets.dll load
# Note: SVCHOST process by default was not inserted into $SuspiciousDB() Processes list
# Test: DLLs: ntdll.dll [loaded by 24288] OR rdpcorets.dll [realvuln]
$PPID = ((Get-Process -Name "SVCHOST" | Select-Object * | Where-Object {
$_.Id -eq "$ProcPPID" -and $_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "rdpcorets.dll"})
).Id # <-- Get Process PID that loaded DLL
# Make sure termservice (RDP) service is running
# Test: AcerPixyService [running] OR termservice [realvuln]
$RDPservice = [bool]((Get-Service -Name "termservice" -EA SilentlyContinue).Status -ieq "Running")
# Requires rdpcorets.dll [PID] loaded by SVCHOST process
# and TermService running to be vulnerable to Mitre T1021
If(($PPID -Match '^\d+$') -and ($RDPservice -Match "^(True)$")) ## SVCHOST::Detection Rule [1]
{
# TermService [Mitre T1021] vulnerability BallonTip warning
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "DLL RDPCORETS.dll was loaded by SVCHOST PID: $PPID on Port: $LocalPor Vuln: TermService [Mitre T1021]"
$Contador++
}
## Check loaded DLLs location
$LoadedDLLs = (((Get-Process -Name "SVCHOST"|Select-Object *|Where-Object {
$_.Id -Match "$ProcPPID" -and $_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch '(.dll)$'})).Modules
).FileName
ForEach($DllPath in $LoadedDLLs) # Scan each DLL location path
{
If($DllPath -iNotMatch '(\.exe)$') # Exclude SVCHOST.exe executable
{
# Check if any DLL have loaded outside C:\WINDOWS\
If(-not($DllPath -iMatch '^(C:\\WINDOWS\\)'))
{
$SuspiciousItem = ($DllPath -split("\\")|Select-Object -Last 1)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "DLL $SuspiciousItem was loaded by SVCHOST PID: $ProcPPID on Location: $DllPath"
$Contador++
}
}
}
}
If(($NameToken -iMatch "^(POWERSHELL)$")) ## Powershell::Detection Rule::UserInput
{
# Get all powershell.exe loaded DLL paths
$LoadedDLLs = (((Get-Process -Name "Powershell"|Select-Object *|Where-Object {
$_.Id -Match "$ProcPPID" -and $_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch '(.dll)$'})).Modules
).FileName
ForEach($DllPath in $LoadedDLLs) # Scan each DLL location path
{
If($DllPath -iNotMatch '(\.exe)$') # Exclude powershell.exe executable
{
# Check if any DLL have loaded outside C:\WINDOWS\ OR C:\ProgramData\
If(-not($DllPath -iMatch '^(C:\\WINDOWS\\|C:\\ProgramData\\)'))
{
$SuspiciousItem = ($DllPath -split("\\")|Select-Object -Last 1)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "DLL $SuspiciousItem was loaded by $NameToken PID: $ProcPPID on Location: $DllPath"
$Contador++
}
}
}
}
## Detection rules of other $SuspiciousDB(items)
If(($NameToken -iMatch "MSTSC") -and ($LocalPor -eq 3389)) ## RDP::Detection Rule::Automatic
{
If((Get-Service -Name "TermService" -EA SilentlyContinue).Status -ieq "Running")
{
# RDP connecting to TCP Local Port 3389 with termservice running
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor with PID: $ProcPPID warning: TermService service running"
$Contador++
}
}
# Port test grouped explicitly: without the inner parentheses -and binds tighter than -or,
# so any process on local port 8531 would have been flagged as WSUS
If(($NameToken -iMatch "^(WSUSSERVICE|W3WP|WSUS)$") -and (($LocalPor -eq 8530) -or ($LocalPor -eq 8531))) ## WSUS::CVE-2025-59287::Detection Rule::Automatic
{
$Contador++ # WSUS is a legit process [only flag if regkey found]
$WantedNames = @("WUServer","WUStatusServer","WSUSStatusServer")
ForEach($RegKeyName in $WantedNames)
{
$VulnRegHive = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate').$RegKeyName
If($VulnRegHive -iMatch '^(htt(p|ps)://)')
{
# WSUS connecting to TCP port 8530|8531 [CVE-2025-59287]
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor warning: WSUS RCE [CVE-2025-59287]"
break
}
}
}
If(($NameToken -iMatch "^(VNCSERVER)$")) ## VNCSERVER::Detection Rule::Automatic
{
# VNCSERVER connecting to TCP
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "TCP connection to $Remotead addr on remote port: $Remotepo with PID: $ProcPPID warning: VNC server remote connection"
$Contador++
}
If($NameToken -iMatch "^(TEAMVIEWER)$") ## TEAMVIEWER::Detection Rule::Automatic
{
$MRU = [bool](Get-ChildItem -Path "$Env:APPDATA\TeamViewer\MRU\" -Recurse -EA SilentlyContinue -Force|Select-Object *|Where-Object {$_.Name -iMatch '(\.tvc)$'}).Name
If($MRU -Match '^(True)$')
{
# TeamViewer connecting to TCP [ .tvc session file found ]
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "TCP connection to $Remotead addr on remote port: $Remotepo with PID: $ProcPPID warning: TeamViewer remote connection"
$Contador++
}
}
If($Contador -eq 0)
{
## [Netstat|NetTCPConnection]$ProcessName = $SuspiciousDB(item)
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
$balmsg.BalloonTipText = "$NameToken process name found connecting to TCP on LocalPort: $LocalPor"
}
# Execute BallonTip
$balmsg.BalloonTipTitle = "TCPinspector - $CmdLetAppl"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(100)
# Time for BallonTip to close
Start-Sleep -Milliseconds 1800
}
}
# Remote|Local PORT TCP Warnings
If(($Remotepo -Match "^($RPORT|80)$") -or ($LocalPor -Match "^(139|445)$"))
{
# Identify Ports
If($Remotepo -eq 4444)
{
$TextMsg = "warning: Possible meterpreter agent connection"
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "TCP connection to $Remotead addr on remote port: $Remotepo found $TextMsg"
}
ElseIf($Remotepo -eq 80)
{
$TextMsg = "warning: UnEncrypted [HTTP] data transmission"
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
$balmsg.BalloonTipText = "TCP connection to $Remotead addr on remote port: $Remotepo found $TextMsg"
}
ElseIf($LocalPor -Match "^(139|445)$")
{
If((Get-Service -Name "LanmanWorkstation").Status -ieq "Running")
{
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Error
$balmsg.BalloonTipText = "NETBIOS service found connecting to TCP on Local Port: $LocalPor with PID: $ProcPPID"
Write-Host "`n NetBIOS Local Name Table`n"
Write-Host "Name Type Status"
Write-Host "---------------------------------------------" -ForegroundColor Blue
(nbtstat -n|Where-Object{$_ -Match '<\d\d>'}) -replace '^( )',''
}
}
Else
{
$TextMsg = "active"
$balmsg.BalloonTipIcon = [System.Windows.Forms.ToolTipIcon]::Warning
$balmsg.BalloonTipText = "TCP connection to $Remotead addr on remote port: $Remotepo found $TextMsg"
}
# Execute BallonTip
$balmsg.BalloonTipTitle = "TCPinspector - $CmdLetAppl"
$balmsg.Visible = $true
$balmsg.ShowBalloonTip(100)
# Time for BallonTip to close
Start-Sleep -Milliseconds 1800
}
}
function Invoke-ProcessTCPwarnings()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use the NETSTAT command to list established TCP connections
.NOTES
The -invoke 'netstat' together with the -process switch will
display the Process Name associated with the TCP connection
and alert the user of suspicious TCP connections (yellow color)
and possible exploitable service names using the (red color)
Parameters -invoke 'netstat' -process -warnmeof 'svchost'
pop up one balloon tip warning that one TCP connection
related with the process svchost was found active on the device
Invoking -filter '127.0.0.1' will delete from the scan report
all '127.0.0.1' strings found and their corresponding line
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
Proto State LocalAddress LocalPort RemoteAddress RemotePort ProcessName OwningProcess
----- ----- ------------ --------- ------------- ---------- ----------- -------------
TCP Established 127.0.0.1 5141 127.0.0.1 58600 AcerQAAgent 4296
TCP Established 127.0.0.1 49669 127.0.0.1 49670 ADESv2Svc 4216
TCP Established 127.0.0.1 49670 127.0.0.1 49669 ADESv2Svc 4216
TCP Established 127.0.0.1 49672 127.0.0.1 49673 AcerSysMonitorService 8120
TCP Established 127.0.0.1 49673 127.0.0.1 49672 AcerSysMonitorService 8120
TCP Established 127.0.0.1 58600 127.0.0.1 5141 AQAUserPS 24772
TCP Established 127.0.0.1 58641 127.0.0.1 58995 AcerGAICameraW 25144
TCP Established 127.0.0.1 58995 127.0.0.1 58641 AcerPixyService 16616
TCP Established 192.168.1.5 49457 4.207.247.137 443 svchost 4804
TCP Established 192.168.1.5 63677 185.199.110.133 443 opera 16944
TCP Established 192.168.1.5 63678 185.199.108.154 443 opera 16944
TCP Established 192.168.1.5 63692 140.82.113.25 443 opera 16944
TCP Established 192.168.1.5 63659 52.123.129.14 443 MpDefenderCoreService 22416
#>
$CmdLetAppl = "Netstat"
# Build connections DataTable! [filter [ 0.0.0.0: --> IPv6 addr]
$TcpList = netstat -ano|findstr "ESTABLISHED"|findstr /V "[ $Filter"
Get-NetAdapter|Select-Object Name,Status,LinkSpeed,ifDesc|
Format-Table -AutoSize|Out-String -Stream|Select-Object -skip 1
# TCP TABLE
$TCPtable = New-Object System.Data.DataTable
$TCPtable.Columns.Add("Proto")|Out-Null
$TCPtable.Columns.Add("State")|Out-Null
$TCPtable.Columns.Add("LocalAddress")|Out-Null
$TCPtable.Columns.Add("LocalPort")|Out-Null
$TCPtable.Columns.Add("RemoteAddress")|Out-Null
$TCPtable.Columns.Add("RemotePort")|Out-Null
$TCPtable.Columns.Add("ProcessName")|Out-Null
$TCPtable.Columns.Add("OwningProcess")|Out-Null
# GeoLocation TABLE
$geotable = New-Object System.Data.DataTable
$geotable.Columns.Add("RemoteAddress")|Out-Null
$geotable.Columns.Add("country")|Out-Null
$geotable.Columns.Add("region")|Out-Null
$geotable.Columns.Add("city")|Out-Null
$geotable.Columns.Add("latitude")|Out-Null
$geotable.Columns.Add("longitude")|Out-Null
$geotable.Columns.Add("Org")|Out-Null
# PROCESSES INFO TABLE
$Proctable = New-Object System.Data.DataTable
$Proctable.Columns.Add("ProcessName")|Out-Null
$Proctable.Columns.Add("Version")|Out-Null
$Proctable.Columns.Add("Description")|Out-Null
$Proctable.Columns.Add("Path")|Out-Null
ForEach($Item in $TcpList)
{
## Loop through all $TcpList Items to build the Table!
# Split the line on the whitespace between strings!
$ParsingData = $Item.split()
# Delete empty lines from the variable List!
$RawData = $ParsingData|Where-Object{$_.trim() -ne ""}
$Protocol = $RawData[0] ## Protocol
$AddrPort = $RawData[1] ## LocalAddress + port
$LocalHos = $AddrPort.Split(':')[0] ## LocalAddress
$LocalPor = $AddrPort.Split(':')[1] ## LocalPort
$ProcPPID = $RawData[-1] ## Process PID
$Remoteal = $RawData[2] ## RemoteAddress + port
$Remotead = $Remoteal.Split(':')[0] ## RemoteAddress
$Remotepo = $Remoteal.Split(':')[1] ## RemotePort
$ProcName = (Get-Process -Id "$ProcPPID").ProcessName
## Adding values to output DataTable! Protocol - Established
$TCPtable.Rows.Add("$Protocol", ## Protocol
"Established", ## State
"$LocalHos", ## LocalAddress
"$LocalPor", ## LocalPort
"$Remotead", ## RemoteAddress
"$Remotepo", ## RemotePort
"$ProcName", ## ProcessName
"$ProcPPID" ## OwningProcess
)|Out-Null
# BallonTip warning function
If($WarnMeOf -iNotMatch "^(NULL)$")
{
# Trigger balloon tip warning that process name was found connecting to TCP ?
# Port patterns are anchored so that e.g. remote port 8080 or local port 4455 do not match
If(($ProcName -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)") -Or ($Remotepo -Match "^($RPORT|80)$") -or ($LocalPor -Match "^(139|445)$"))
{
Invoke-BallonTipWarnings
}
}
# GeoLocate RemoteHosts
If($GeoLocation.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Resolve RemoteHosts Geo-Location [ipinfo.io]
.OUTPUTS
RemoteAddress country region city latitude longitude Org
------------- ------- ------ ---- -------- --------- ---
34.117.59.81 US Missouri Kansas City 39.0997 -94.5786 AS396982 Google LLC
4.207.247.139 IE Leinster Dublin 53.3331 -6.2489 AS8075 Microsoft Corporation
#>
If($Remotead -NotMatch '^127\.0\.0\.1$') # Do not resolve this address
{
If($Remotead -NotMatch "$IP") # Do not resolve this address
{
# Resolve RemoteAddresses GeoLocations
$GeoDataBase_ = (Invoke-RestMethod -Uri "http://ipinfo.io/$Remotead"|Select-Object country,region,city,loc,org)
$IPINFO_Country = ($GeoDataBase_|findstr /C:"country") -replace 'country : ',''
$IPINFO_region = ($GeoDataBase_|findstr /C:"region") -replace 'region : ',''
$IPINFO_city = ($GeoDataBase_|findstr /C:"city") -replace 'city : ',''
$IPINFO_Org = ($GeoDataBase_|findstr /C:"org") -replace 'org : ',''
# Get remoteAddress coordinates [latitude,longitude]
$RawCoordinates = ($GeoDataBase_|findstr /C:"loc") -replace 'loc : ',''
$Latitude = ($RawCoordinates) -split(",")|Select -First 1
$Longitude = ($RawCoordinates) -split(",")|Select -Last 1
# Adding values to DataTable!
$geotable.Rows.Add("$Remotead", ## RemoteAddress
"$IPINFO_Country", ## country_name
"$IPINFO_region", ## region
"$IPINFO_city", ## city
"$Latitude", ## latitude
"$Longitude", ## longitude
"$IPINFO_Org" ## Org
)|Out-Null
}
}
}
# ProcessName Information
If($ProcessInfo.IsPresent)
{
<#
.OUTPUTS
ProcessName Version Description Path
----------- ------- ----------- ----
AcerGAICameraW 1.0.1.3016 Acer GAI Camera Windows C:\WINDOWS\System32\DriverStore\FileRepository\acergaicameracomponent.inf_amd64_3d28e...
AQAUserPS 1.4.37 Acer Quick Access User Process C:\Program Files\AcerQAAgent\AQAUserPS.exe
svchost 10.0.26100.7015 Processo Anfitrião dos Serviços do Windows C:\WINDOWS\system32\svchost.exe
AcerPixyService 2.0.0.3026 Acer Pixy Service C:\WINDOWS\System32\DriverStore\FileRepository\acerartaimmxdrivercomponent.inf_amd64_...
AcerSysMonitorService 1.0.1018.5 Acer System Monitor Service C:\WINDOWS\System32\DriverStore\FileRepository\sysmonitorservice.inf_amd64_58adec8bbc...
AcerSysMonitorService 1.0.1018.5 Acer System Monitor Service C:\WINDOWS\System32\DriverStore\FileRepository\sysmonitorservice.inf_amd64_58adec8bbc...
ADESv2Svc 1.0.0.3018 Acer Device Enabling Service V2 C:\WINDOWS\System32\DriverStore\FileRepository\acerdeviceenablingservicecomponent.inf...
ADESv2Svc 1.0.0.3018 Acer Device Enabling Service V2 C:\WINDOWS\System32\DriverStore\FileRepository\acerdeviceenablingservicecomponent.inf...
svchost 10.0.26100.7015 Processo Anfitrião dos Serviços do Windows C:\WINDOWS\system32\svchost.exe
AcerQAAgent 1.4.37 Acer Quick Access Software Component C:\WINDOWS\system32\AcerQAAgent.exe
#>
$ProcNa = (Get-Process -Id $ProcPPID).Name
$ProcDe = (Get-Process -Id $ProcPPID).Description
$DLLSLoaded = (Get-Process -Id $ProcPPID|Select *).modules.modulename
$ProcVersion = (get-process -Id $ProcPPID|Select-Object *).ProductVersion
$PriorityClass = (get-process -Id $ProcPPID|Select-Object *).PriorityClass
$ProcPath = (get-process -Id $ProcPPID|Select-Object *).Path
## Adding values to output DataTable!
$Proctable.Rows.Add("$ProcNa", ## name
"$ProcVersion", ## version
"$ProcDe", ## description
"$ProcPath" ## Path
)|Out-Null
}
}## End of ForEach()
## Display scan results OnScreen (colorize outputs)
# This function will alert users of suspicious connections (yellow) 20|80|107|137|445
# and the most commonly used malicious service names will be flagged in red
$TCPtable|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(svchost|backgroundTaskHost|spoolsv|taskhostw|PhoneExperienceHost|KERBEROS)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|wermgr|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match '\s+127.0.0.1\s+')
{
@{ 'ForegroundColor' = 'Gray' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## GeoLocate Table output
If($GeoLocation.IsPresent)
{
# Display Data Table OnScreen
$geotable|Format-Table -AutoSize|Out-String -Stream|Select-Object -Skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
# ProcessInfo TABLE output
If($ProcessInfo.IsPresent)
{
Start-Sleep -Milliseconds 1400
#echo $Proctable|Format-Table -AutoSize|Out-String -Stream|Select-Object -skip 1
$Proctable|Format-Table -AutoSize|Out-String -Stream|select -skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(svchost|backgroundTaskHost|spoolsv|taskhostw|PhoneExperienceHost|KERBEROS)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|wermgr|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## Invoke schedule tasks
Invoke-ScheduleTasks
}
# Append to logfile ?
If($Logfile.IsPresent)
{
echo $TCPtable|Format-Table -AutoSize >> $LogName
If($GeoLocation.IsPresent)
{
echo $geotable|Format-Table -AutoSize >> $LogName
}
If($ProcessInfo.IsPresent)
{
echo $Proctable|Format-Table -AutoSize >> $LogName
}
}
}
function Invoke-TCPStats()
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - TCP\IP Statistics Final Table
.OUTPUTS
IPV6 Address Name SentBytes ReceivedBytes SentUnicastBytes ReceivedUnicastBytes SentUnicastPackets
------------ ---- --------- ------------- ---------------- -------------------- ------------------
fe80::8939:e854:6bd9:2c55%8 Wi-Fi 325768937 13457281219 322241183 13452982392 1743601
fe80::8939:e854:6bd9:2c55%8 Ethernet 0 0 0 0 0
#>
echo ""
# Get IPV6 address to colorize output table later
$Interface = (Get-NetIPAddress|Where-Object PrefixOrigin -eq dhcp).InterFaceAlias
$IPv6Addre = ((Get-NetIPAddress -AddressFamily IPv6|Select-Object *)|Where-Object {$_.InterFaceAlias -Match "$Interface"}).IPAddress
Get-NetAdapterStatistics|Select-Object @{Name='IPV6 Address';Expression={"$IPv6Addre"}},Name,SentBytes,ReceivedBytes,SentUnicastBytes,ReceivedUnicastBytes,SentUnicastPackets|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -iMatch "^(--------)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "::")
{
@{ 'ForegroundColor' = 'Gray' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
# Group Tag
Write-Host "-=|[" -ForegroundColor Blue -NoNewline
Write-Host "SSA" -ForegroundColor Gray -NoNewline
Write-Host "rEdTeAm" -ForegroundColor Red -NoNewline
Write-Host "@" -ForegroundColor DarkYellow -NoNewline
Write-Host "2025" -ForegroundColor Gray -NoNewline
Write-Host "]|=-" -ForegroundColor Blue
}
function Invoke-ScanTypes()
{
# Scan Type (automatic|manual)
If($ScanType -imatch "automatic")
{
Start-Sleep -Seconds $ScanEach
}
Else
{
cmd /c 'pause'
echo ""
}
}
If($PortScan.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Searches for TCP high risk [open] ports
.NOTES
Some firewalls are configured to drop ICMP [ping]
packets, producing false 'closed' port reports.
We can scan the local LAN or external IP addresses
Parameter -Addport '4444' will add port 4444 to scan
[if port number does not exist in ports_to_scan_list]
.OUTPUTS
Id Proto Status IpAddress HostName DNSAddress
-- ----- ------- ------------- -------- -------------
1 TCP Active 192.168.1.1 NOSdrive.home 1.1.168.192.in-addr.arpa
2 TCP Active 192.168.1.2 zd4500zno-8C5BF0F79385 2.1.168.192.in-addr.arpa
3 TCP Active 192.168.1.3 zc4431kno-6CA604F0132A 3.1.168.192.in-addr.arpa
4 TCP Active 192.168.1.4 HUAWEI_P30_lite-440191a33 4.1.168.192.in-addr.arpa
5 TCP Active 192.168.1.9 zc4431kno-6CA604F0132A 9.1.168.192.in-addr.arpa
6 TCP Active 192.168.1.10 Redmi-12C 10.1.168.192.in-addr.arpa
RemoteHost Status Proto Port ServiceName HostName
----------- ------ ----- ----- ----------- --------
192.168.1.5 Closed tcp 21 FTP Skynet.home
192.168.1.5 Closed tcp 22 SSH Skynet.home
192.168.1.5 Closed tcp 23 TELNET Skynet.home
192.168.1.5 Closed tcp 80 HTTP Skynet.home
192.168.1.5 Closed tcp 110 POP3 Skynet.home
192.168.1.5 Open tcp 135 EPMAP Skynet.home
192.168.1.5 Open tcp 139 NETBIOS Skynet.home
192.168.1.5 Closed tcp 443 HTTPS Skynet.home
192.168.1.5 Open tcp 445 SMB Skynet.home
192.168.1.5 Closed tcp 8080 APACHE Skynet.home
#>
Clear-Host
$CmdLetAppl = "TCP Port Scanner"
write-host $StartBanner -ForegroundColor DarkRed
# Module disclaimer banner
Write-Host "`nPortscan function uses ICMP (ping) packets to check" -ForegroundColor Blue
Write-Host "for high risk tcp open ports in local or external lan" -ForegroundColor Blue
Write-Host "Remember that some firewalls are configured to drop ICMP" -ForegroundColor Blue
Write-Host "packets (ping) producing false 'closed' cmdlet reports" -ForegroundColor Blue
Write-Host "for more accurate reports please use nmap by Alor&Naga`n" -ForegroundColor Blue
Write-Host "Portscan function also allows users to discover all" -ForegroundColor Blue
Write-Host "active ip address in LAN by input: " -ForegroundColor Blue -NoNewline
Write-Host "1,255" -ForegroundColor Yellow -NoNewline
Write-Host " [IP_range]`n" -ForegroundColor Blue
# Input address to scan ?
write-host "[" -NoNewline
write-host "+" -ForegroundColor Blue -NoNewline
write-host "] Input IpAddress OR IpRange to scan" -NoNewline
write-host ": " -ForegroundColor Blue -NoNewline
$ScanMe = Read-Host
If([string]::IsNullOrEmpty($ScanMe))
{
$ScanMe = $IP # LocalHost ip addr
}
# Chose scantype to use
If($ScanMe -Match '^(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$')
{
write-host "[" -NoNewline
write-host "+" -ForegroundColor Blue -NoNewline
write-host "] scantype (bullet|topports|maxports)" -NoNewline
write-host ": " -ForegroundColor Blue -NoNewline
$scantype = Read-Host
If([string]::IsNullOrEmpty($scantype))
{
$scantype = "topports" # 17 TCP ports to scan
}
# Add extra port to scan?
write-host "[" -NoNewline
write-host "+" -ForegroundColor Blue -NoNewline
write-host "] Add extra port to scan ? (8888|no)" -NoNewline
write-host ": " -ForegroundColor Blue -NoNewline
$NewPort = Read-Host
If(([string]::IsNullOrEmpty($NewPort)) -or ($NewPort -iMatch "^(false|no)$"))
{
$NewPort = "false" # Do not add new port to ports_list
}
}
$PingSweepLog="false"
If($logfile.IsPresent)
{
$PingSweepLog = "True" # Store logfiles
}
Clear-Host
write-host $StartBanner -ForegroundColor DarkRed
echo ""
# Download\Execute pingsweep.ps1 from my gist page :: scantype: bullet, topports, maxports
# iwr with -OutFile emits nothing to the pipeline, so Unblock-File must be given the path explicitly
iwr -Uri "https://gist.githubusercontent.com/r00t-3xp10it/f8cb036335c5b47eb7fe8d922d6250a4/raw/a7eccffe62c05f122f8b2274dd0a8a60eed53473/ICMPscanner.ps1" -OutFile "$pwd\ICMPscanner.ps1"
Unblock-File -Path "$pwd\ICMPscanner.ps1"
.\ICMPscanner.ps1 -iprange "$ScanMe" -scantypeps "$scantype" -logfile "$PingSweepLog" -addport "$NewPort"
Remove-Item -Path "$pwd\ICMPscanner.ps1" -Force
# Invoke-Others
Invoke-TCPStats
Invoke-BallonTip
return
}
If($DLL.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Search for DLLs loaded by running processes
.NOTES
This function will not scan processes that are not running
.OUTPUTS
Name : AMDRSSrcExt
Id : 26276
StartTime : 13/10/2025 17:22:42
Description : Radeon Settings: Source Extension
Path : C:\Program Files\AMD\CNext\CNext\AMDRSSrcExt.exe
Modules : {ntdll.dll, KERNEL32.DLL, KERNELBASE.dll, USER32.dll...}
Name : UserOOBEBroker
Id : 22804
StartTime : 13/10/2025 17:17:45
Description : User OOBE Broker
Path : C:\Windows\System32\oobe\UserOOBEBroker.exe
Modules : {ntdll.dll, KERNEL32.DLL, KERNELBASE.dll, ADVAPI32.dll...}
#>
Clear-Host
$CmdLetAppl = "DLLs search"
write-host $StartBanner -ForegroundColor DarkRed
write-host "Search for DLLs loaded by running processes`n`n" -ForegroundColor Green
write-host "Module Description"
write-host "------ -----------" -ForegroundColor Blue
write-host "Get-All Print all running processes"
write-host "Get-Dll Print all processes that load DLLs"
write-host "Get-Pro Search loaded DLLs by process name"
write-host "Get-Pid Search loaded DLLs by process PID`n`n"
write-host "[ScanDLL]" -NoNewline
write-host ": " -ForegroundColor Blue -NoNewline
$Choise = Read-Host
If($Choise -iMatch "Get-All")
{
# Print ALL running processes info
$LoadedDLLs = ((Get-Process -Name "*"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules -ne ""}|
Select-Object Id,Name,Product,@{Name='DLLs loaded';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-Table -AutoSize))
If($LoadedDLLs)
{
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all running processes`n"
Start-Sleep -Milliseconds 1500
echo $LoadedDLLs|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(--)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "`] ERROR: " -NoNewline
Write-Host "No running processes found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-Dll")
{
# Print ALL running processes that loaded DLLs
$LoadedDLLs = ((Get-Process -Name "*"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"}|
Select-Object Id,Name,Product,@{Name='Modules';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-Table -AutoSize))
If($LoadedDLLs)
{
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all processes that have loaded DLLs`n"
Start-Sleep -Milliseconds 1500
echo $LoadedDLLs|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "`] ERROR: " -NoNewline
Write-Host "No processes with loaded DLLs found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-pro")
{
# Search loaded DLLs by process name
write-host "Input ProcessName: " -ForegroundColor Blue -NoNewline
$APPLtOsEARCH = Read-Host
If([string]::IsNullOrEmpty($APPLtOsEARCH))
{
$APPLtOsEARCH = "svchost"
}
$LoadedDLLs = ((Get-Process -Name "$APPLtOsEARCH"|Select-Object *|Where-Object {
$_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"}|
Select-Object Id,Name,Product,@{Name='Modules';Expression={(Get-Process -Id $_.Id).Modules.ModuleName|
Where-Object{$_ -iNotMatch ".exe"}}}|Format-Table -AutoSize))
If($LoadedDLLs)
{
Write-Host "ProcessName : $APPLtOsEARCH " -NoNewline
Write-Host "[found]" -ForegroundColor Green
# Get process name detail info (query the process object once)
$ProcObj = Get-Process -Name "$APPLtOsEARCH"|Select-Object -Last 1
$GETPRI = $ProcObj.PriorityClass
$GETPro = $ProcObj.ProductVersion
$GETSta = $ProcObj.StartTime
$GETDes = $ProcObj.Description
$GETPat = $ProcObj.Path
# Make sure values are not empty
If([string]::IsNullOrEmpty($GETPRI))
{
Write-host "PriorityClass : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "PriorityClass : $GETPRI"
}
If([string]::IsNullOrEmpty($GETPro))
{
Write-host "ProductVersion : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "ProductVersion : $GETPro"
}
If([string]::IsNullOrEmpty($GETDes))
{
Write-host "Description : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "Description : $GETDes"
}
If([string]::IsNullOrEmpty($GETSta))
{
Write-host "StartTime : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "StartTime : $GETSta"
}
If([string]::IsNullOrEmpty($GETPat))
{
Write-host "Path : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "Path : $GETPat"
}
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all $APPLtOsEARCH processes that have loaded DLLs`n"
Start-Sleep -Seconds 2
echo $LoadedDLLs|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(Id)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "`] ERROR: " -NoNewline
Write-Host "No DLLs loaded by $APPLtOsEARCH found.`n" -ForegroundColor Red
return
}
}
ElseIf($Choise -iMatch "Get-pid")
{
# Search loaded DLLs by process PID
write-host "Input Process PID: " -ForegroundColor Blue -NoNewline
$DLLPID = Read-Host
$PidLoa = $null
# Only query Get-Process when the input is a numeric PID (avoids binding errors on empty input)
If($DLLPID -Match '^\d+$')
{
$PidLoa = (Get-Process -Id ([int]$DLLPID) -EA SilentlyContinue).ProcessName
}
If([string]::IsNullOrEmpty($PidLoa))
{
write-host "`n[" -NoNewline
write-host "x" -ForegroundColor Red -NoNewline
write-host "] ERROR: " -NoNewline
write-host "No process with PID $DLLPID found running`n" -ForegroundColor Red
return
}
# Compare the Id numerically (a regex match would also accept PID 12 for process 1234)
$LoadedDLLs = ((Get-Process -Name "*"|Select-Object *|Where-Object {
$_.Id -eq [int]$DLLPID -and $_.Responding -Match "True" -and $_.Modules.ModuleName -iMatch "(.dll)$"})).Modules|
Select-Object Size,ModuleName,FileName|Where {$_ -iNotMatch "(Windows.Security.Authentication.Web.Core.dll)"}|Format-Table -AutoSize
If($LoadedDLLs)
{
Write-Host "ProcessName : $PidLoa " -NoNewline
Write-Host "[found]" -ForegroundColor Green
# Get process name detail info (query the process object once)
$ProcObj = Get-Process -Id "$DLLPID"
$GETPRI = $ProcObj.PriorityClass
$GETPro = $ProcObj.ProductVersion
$GETSta = $ProcObj.StartTime
$GETDes = $ProcObj.Description
$GETPat = $ProcObj.Path
# Make sure values are not empty
If([string]::IsNullOrEmpty($GETPRI))
{
Write-host "PriorityClass : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "PriorityClass : $GETPRI"
}
If([string]::IsNullOrEmpty($GETPro))
{
Write-host "ProductVersion : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "ProductVersion : $GETPro"
}
If([string]::IsNullOrEmpty($GETDes))
{
Write-host "Description : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "Description : $GETDes"
}
If([string]::IsNullOrEmpty($GETSta))
{
Write-host "StartTime : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "StartTime : $GETSta"
}
If([string]::IsNullOrEmpty($GETPat))
{
Write-host "Path : " -NoNewline
Write-host "_" -ForegroundColor Red
}
Else
{
Write-host "Path : $GETPat"
}
Write-Host "Action : " -ForegroundColor Blue -NoNewline
Write-Host "Print all DLLs loaded by $PidLoa PID:$DLLPID`n"
Start-Sleep -Seconds 2
echo $LoadedDLLs|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -Match "($PidLoa.exe)")
{
@{ 'ForegroundColor' = 'Green' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
Else
{
Write-Host "`n[" -NoNewline
Write-Host "`x" -ForegroundColor Red -NoNewline
Write-Host "`] ERROR: " -NoNewline
Write-Host "No DLLs loaded by Id: $DLLPID found`n" -ForegroundColor Red
return
}
}
Else
{
write-host "`n[" -NoNewline
write-host "x" -ForegroundColor Red -NoNewline
write-host "] ERROR: " -NoNewline
write-host "Wrong ScanDLL choice input.`n" -ForegroundColor Red
return
}
# Append to logfile ?
If($Logfile.IsPresent)
{
Write-Host "[" -NoNewline
Write-Host ">" -ForegroundColor Green -NoNewline
Write-Host "] logfile:" -NoNewline
Write-Host "'$pwd\$LogName'" -ForegroundColor Green
echo $LoadedDLLs|Format-Table -AutoSize >> $LogName
}
# Invoke BallonTip
Invoke-BallonTip
return
}
If($Dns.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Get device DNS Resolver cache
.OUTPUTS
[+] Display SKYNET DNS Resolver Cache
[*] OS:Microsoft Windows NT 10.0.26100.0
[*] Interface: WiFi
RecordName IP4Address IP6Address
---------- ---------- ----------
a124.dscd.akamai.net 95.95.253.137
a1666.dscr.akamai.net 2.23.103.97
a1856.dspw65.akamai.net 95.95.253.201
eu2-autoupdate.opera.com 82.145.216.46
eu2-autoupdate.opera.com 2001:4c28:1:430:82:145:216:20
paRT-0014.t-0009.FB-t-mseDge.net 2620:1ec:48:1::42
www.google.CoM 216.58.209.68
www.gstatic.com 142.250.200.67
www.tm.v4.a.prd.aadg.akadns.net 20.190.181.23
[?] Flush DNS Resolver Cache? (yes|no):
#>
Clear-Host
$CmdLetAppl = "Dns Resolver"
write-host $StartBanner -ForegroundColor DarkRed
$OsStrings = ([System.Environment]::OSVersion).VersionString
$InterFace = (Get-NetIPAddress|Where-Object PrefixOrigin -eq dhcp).InterFaceAlias
Write-Host "`n[" -NoNewline
Write-Host "+" -ForegroundColor Blue -NoNewline
Write-Host "] " -NoNewline
Write-Host "Display $Env:COMPUTERNAME DNS Resolver Cache" -ForegroundColor Blue
Write-Host "[" -NoNewline
Write-Host "*" -ForegroundColor Green -NoNewline
Write-Host "] OS:$OsStrings"
Write-Host "[" -NoNewline
Write-Host "*" -ForegroundColor Green -NoNewline
Write-Host "] Interface: $InterFace"
Start-Sleep -Seconds 2
echo ""
## Remove duplicated lines: |Sort-Object -unique
# Get-DnsClientCache|Select-Object *|findstr /V "TTL CimInstanceProperties PSComputerName InstanceID Description Section Status Type Caption ElementName CimSystemProperties CimClass"|Format-List
$ReportDns = (ipconfig /displaydns|Select-String -Pattern "Record Name") -replace '^\s+',' '|Sort-Object -unique
# DNS RESOLVER CACHE - TABLE
$WhoIstable = New-Object System.Data.DataTable
$WhoIstable.Columns.Add("RecordName")|Out-Null
$WhoIstable.Columns.Add("IP4Address")|Out-Null
$WhoIstable.Columns.Add("IP6Address")|Out-Null
ForEach($WhoisLookup in $ReportDns)
{
# Parsing data from $ReportDns
$Sanitize = $WhoisLookup -replace ' Record Name . . . . . : ',''
# Resolve hostname to Ip4Adress and Ip6Adress
# Records that no longer resolve would otherwise print a red error for every cached name
$LookUP_ = (Resolve-DNSName "$Sanitize" -EA SilentlyContinue|Select-Object Name,IP4Address,IP6Address|Sort-Object -unique|Format-List)
If(-not([string]::IsNullOrEmpty($LookUP_)))
{
$_IP6Add = ($LookUP_|findstr /C:"IP6Address") -replace 'IP6Address : ',''
$_IP4Ad_ = ($LookUP_|findstr /C:"IP4Address") -replace 'IP4Address : ',''
$_Names_ = ($LookUP_|findstr /C:"Name") -replace 'Name : ',''
## Adding values to output DataTable!
$WhoIstable.Rows.Add("$_Names_", ## name
"$_IP4Ad_", ## IP4Address
"$_IP6Add" ## IP6Address
)|Out-Null
}
}
## Display DNS resolver cache OnScreen
echo $WhoIstable|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -Match "(----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
ElseIf($_ -iMatch "^(RecordName)") # table header ($PidLoa is not set in this branch)
{
@{ 'ForegroundColor' = 'Yellow' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
# Append to logfile ?
If($Logfile.IsPresent)
{
Write-Host "[" -NoNewline
Write-Host ">" -ForegroundColor Green -NoNewline
Write-Host "] logfile:" -NoNewline
Write-Host "'$pwd\$LogName'" -ForegroundColor Green
echo $WhoIstable|Format-Table -AutoSize >> $LogName
}
# flush dns resolver cache ?
write-host "[" -NoNewline
write-host "?" -ForegroundColor Yellow -NoNewline
$Question = Read-Host "] Flush DNS Resolver Cache? (yes|no)"
If($Question -iMatch '^(y|yes)$')
{
ipconfig /flushdns
}
# Invoke ballontip
Invoke-BallonTip
return
}
If($Mitre.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Search for possible MITRE vulnerabilities
.OUTPUTS
VulnId : TermService [Mitre T1021]
Service : Stopped
DLLstatus : Unknown
VulnStatus : NON VULNERABLE
VulnId : Unquoted Service Path [Mitre T1574]
FolderPath : C:\Program Files\Google\Play Games Services\25.8.551.0\Service\GooglePlayGamesServices.exe
StartName : LocalSystem
StartMode : Auto
VulnStatus : VULNERABLE
VulnId : Juicy potato golden privileges [Mitre TA0004]
*NOTES : Requires 2 Enabled privileges and BITS service
CLSID identifier to be vulnerable to escalation
-----------------------------------------------
PrivilegeName : SeAssignPrimaryTokenPrivilege
BITS CLSID : {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
State : Enabled
Return : VULNERABLE
PrivilegeName : SeImpersonatePrivilege
BITS CLSID : {69AD4AEE-51BE-439b-A92C-86AE490E8B30}
State : Disabled
Return : NON VULNERABLE
-----------------------------------------------
VulnStatus : NON VULNERABLE
VulnId : Weak Directory permissions [Mitre T1222]
FolderPath : C:\Program Files (x86)\StarCraft II\Versions\Base94137
FileSystemRights : FullControl
IdentityReference : BUILTIN\\Users
IsInherited : True
VulnStatus : VULNERABLE
#>
Clear-Host
$CmdLetAppl = "Mitre ATT&CK"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "`n`n -|[ MITRE ATT&CK VULNERABILITY SCANNER ]|-`n" -ForegroundColor Green
Start-Sleep -Seconds 2
$PS2Version = ""
## [CHECK FOR POWERSHELL VERSION 2]
Write-Host "VulnId : Powershell v2 Engine [amsi bypass]"
Start-Sleep -Milliseconds 1000
$RegistryPaths = @(
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine",
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\2\PowerShellEngine",
"Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\3\PowerShellEngine"
)
ForEach($TokenID in $RegistryPaths)
{
# Engine keys 2 and 3 usually do not exist, so suppress the lookup error
$PS2Version = (Get-ItemProperty -Path "$TokenID" -Name PowerShellVersion -EA SilentlyContinue).PowerShellVersion
If($PS2Version -Match "^2\.0")
{
$Location = $TokenID -replace "Registry::",""
break
}
}
If($PS2Version -Match "^2\.0")
{
Write-Host "Powershell V2 : $PS2Version"
Write-Host "RegPath : $Location"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "Powershell V2 : Not Found"
Write-Host "RegPath : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
## [Check UAC settings]
Write-Host "`nVulnId : UAC settings [Mitre T1052]"
Start-Sleep -Milliseconds 1000
$POSD = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').PromptOnSecureDesktop
$CPBA = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').ConsentPromptBehaviorAdmin
If($CPBA -eq 0 -and $POSD -eq 0){$Report = "Never notify"}
If($CPBA -eq 2 -and $POSD -eq 1){$Report = "Always notify"}
If($CPBA -eq 5 -and $POSD -eq 1){$Report = "Notify me only when apps try to make changes"}
If($CPBA -eq 5 -and $POSD -eq 0){$Report = "Notify me only when apps try to make changes (do not dim my desktop)"}
If([string]::IsNullOrEmpty($CPBA)){$Report = "Unknown"}
If([string]::IsNullOrEmpty($POSD)){$Report = "Unknown"}
If((Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System').EnableLUA -eq 1)
{
Write-Host "EnableLUA : 1 [enabled]"
Write-Host "Status : $Report"
Write-Host "VulnStatus : " -NoNewline
If($Report -iMatch "^(Never notify)$")
{
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
}
Else
{
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
Else
{
Write-Host "EnableLUA : 0 [disabled]"
Write-Host "Status : Never notify"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
## [LSA Protection - UEFI]
Start-Sleep -Milliseconds 1000
Write-Host "`nVulnId : LSA Protection [Mitre TA0005]"
$RunAsPPL = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA').RunAsPPL
$AsPPLBot = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA').RunAsPPLBoot
If(-not([string]::IsNullOrEmpty($RunAsPPL)))
{
If($RunAsPPL -eq 0)
{
Write-Host "LSA protection : $RunAsPPL [disabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Protection Disabled. Try mimikatz"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
ElseIf($RunAsPPL -eq 1)
{
Write-Host "LSA protection : $RunAsPPL [enabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Enabled with UEFI Lock"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
ElseIf($RunAsPPL -eq 2)
{
Write-Host "LSA protection : $RunAsPPL [enabled]"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : LSA Enabled without UEFI Lock"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
Else
{
Write-Host "LSA protection : Unknown"
Write-Host "RunAsPPLBoot : $AsPPLBot [UEFI]"
Write-Host "Status : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
[int]$Count='0'
## [OpenSSH Keys]
Start-Sleep -Milliseconds 1300
If(Test-Path -Path "HKCU:\Software\OpenSSH\Agent\Keys")
{
$KeysDB = $(reg query 'HKCU\Software\OpenSSH\Agent\Keys')|Where-Object {$_ -ne ""}
ForEach($Key in $KeysDB)
{
$splitKey = ($Key -split("\\")|Select-Object -Last 1)
Write-Host "`nVulnId : OpenSSH Keys [Mitre T1098]"
Write-Host "Location : HKEY_CURRENT_USER\Software\OpenSSH\Agent\Keys"
Write-Host "OpenSSH Key : $splitKey"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Count++
}
}
If($Count -eq 0)
{
Write-Host "`nVulnId : OpenSSH Keys [Mitre T1098]"
Write-Host "Location : Unknown"
Write-Host "OpenSSH Key : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
[int]$Counter='0'
Start-Sleep -Milliseconds 1300
## [STARTUP PROGRAMS SEARCH] - search 15 entries max
# Iterate the CIM objects directly so Name and Location stay paired
# (splitting the Name/Location arrays on spaces misaligned entries whose names contain spaces)
$StartupDB = Get-CimInstance Win32_StartupCommand -EA SilentlyContinue|Select-Object -First 15
ForEach($Entry in $StartupDB)
{
If(-not([string]::IsNullOrEmpty($Entry.Name)))
{
Write-Host "`nVulnId : StartUp Entries [Mitre T1547]"
Write-Host "Location :" $Entry.Location
Write-Host "name :" $Entry.Name
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
Start-Sleep -Milliseconds 400
$Counter++
}
}
If($Counter -eq 0)
{
Write-Host "`nVulnId : StartUp Entries [Mitre T1547]"
Write-Host "Location : Unknown"
Write-Host "name : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$Service = "Stopped"
Start-Sleep -Milliseconds 1300
## [TERMSERVICE VULNERABILITY SEARCH]
Write-Host "`nVulnId : TermService [Mitre T1021]"
If((Get-Service -Name "termservice" -EA SilentlyContinue).Status -ieq "Running")
{
$Service = "Running"
$PPID = (PS -EA SilentlyContinue|Where-Object{
$_.ProcessName -iMatch 'svchost' -and $_.Responding -iMatch 'True' -and $_.Modules.ModuleName -iMatch "rdpcorets.dll"}).Id
If($PPID)
{
$DLLstatus = "rdpcorets.dll loaded by svchost [PID $PPID]"
$Report = "VULNERABLE"
}
Else
{
$DLLstatus = "rdpcorets.dll not loaded by svchost service"
$Report = "NON VULNERABLE"
}
}
Else
{
# service stopped
$DLLstatus = "Unknown"
$Report = "NON VULNERABLE"
}
Write-Host "Service : $Service"
Write-Host "DLLstatus : $DLLstatus"
Write-Host "VulnStatus : " -NoNewline
If($Report -iMatch "^(VULNERABLE)$")
{
Write-Host "$Report" -ForegroundColor Green
}
Else
{
Write-Host "$Report" -ForegroundColor Red
}
[int]$Counter='0'
Start-Sleep -Milliseconds 1300
## [SEARCH FOR UNQUOTED SERVICE PATHS]
# Unquoted = path does not start with a quote AND the executable part contains a space
# (a space-free unquoted path cannot be hijacked, so it is not reported)
$UnquotedTable = (gwmi -class Win32_Service -Property Name,DisplayName,PathName,StartMode,StartName|Where-Object {
$_.StartMode -eq "Auto" -and $_.StartName -eq 'LocalSystem' -and $_.PathName -NotLike "C:\Windows*" -and $_.PathName -NotMatch '^"' -and ($_.PathName -Split '\.exe')[0] -Match '\s'
}).PathName
If($UnquotedTable)
{
ForEach($TokenPath in $UnquotedTable)
{
Write-Host "`nVulnId : Unquoted Service Path [Mitre T1574]"
Write-Host "ServicePath : $TokenPath"
Write-Host "StartName : LocalSystem"
Write-Host "StartMode : Auto"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Counter++
}
}
If($Counter -eq 0)
{
Write-Host "`nVulnId : Unquoted Service Path [Mitre T1574]"
Write-Host "ServicePath : Not Found"
Write-Host "StartName : Unknown"
Write-Host "StartMode : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$EnvPaths=''
$VulnPaths=''
[int]$Count='0'
## [Env:PATH DLL hijacking]
# Author: @HarmJ0y [PowerUp]
Start-Sleep -Milliseconds 600
$EnvPaths = (Get-Item Env:Path).value.split(';')|Where-Object {$_ -ne ""}
ForEach($VulnPaths in $EnvPaths)
{
$VulnPaths = $VulnPaths.Replace('"',"")
If(-not($VulnPaths.EndsWith("\")))
{
$VulnPaths = $VulnPaths + "\"
}
# reference - http://stackoverflow.com/questions/9735449/how-to-verify-whether-the-share-has-write-access
$TestPath = Join-Path -Path $VulnPaths ([IO.Path]::GetRandomFileName())
# if the path doesn't exist, try to create the folder before testing it for write
If(-not($(Test-Path -Path "$VulnPaths")))
{
try {
# try to create the folder
$Null = New-Item -ItemType directory -Path $VulnPaths
echo $Null > $TestPath
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : $VulnPaths"
If($VulnPaths.EndsWith("\"))
{
Write-Host "Exploitation : ${VulnPaths}" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Else
{
Write-Host "Exploitation : ${VulnPaths}\" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Write-Host "FolderAccess : Read,Write"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
$Count++
}
catch {}
finally
{
# remove the directory
Remove-Item -Path "$VulnPaths" -Recurse -Force -EA SilentlyContinue
}
}
Else
{
# if the folder already exists
try {
echo $Null > $TestPath
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : $VulnPaths"
If($VulnPaths.EndsWith("\"))
{
Write-Host "Exploitation : ${VulnPaths}" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Else
{
Write-Host "Exploitation : ${VulnPaths}\" -NoNewline
Write-Host "Malicious.dll" -ForegroundColor Yellow
}
Write-Host "FolderAccess : Read, Write"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
$Count++
}
catch {}
finally
{
# Try to remove the item again just to be safe
Remove-Item -Path "$TestPath" -Force -EA SilentlyContinue
}
}
}
If($Count -eq 0)
{
Write-Host "`nVulnId : Env:PATH DLL hijacking [Mitre T1574]"
Write-Host "Env:PATH : Unknown"
Write-Host "Exploitation : Unknown"
Write-Host "FolderAccess : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$NtdsPath = "Unknown"
## [ntds.dit - SeBackupPrivilege ]
# SeChangeNotifyPrivilege <-- for testing purposes (always active)
# resource: https://www.semperis.com/blog/ntds-dit-extraction-explained
Write-Host "`nVulnId : Ntds::SeBackupPrivilege [Mitre T1003]"
Start-Sleep -Milliseconds 1000
# requires admin
If($IsClientAdmin)
{
If([System.IO.File]::Exists("$Env:WINDIR\NTDS\Ntds.dit"))
{
$NtdsPath = "$Env:WINDIR\NTDS\Ntds.dit"
}
$Ntds = whoami /priv|findstr /i /C:'SeBackupPrivilege'|findstr /i /C:'Enabled'
$privileges0 = "$Ntds".split()[0] # SeBackupPrivilege (empty string when the privilege is absent, avoids .split() on $null)
If($privileges0 -Match "^(SeBackupPrivilege)$")
{
Write-Host "PrivilegeName : $privileges0"
Write-Host "State : Enabled"
Write-Host "Ntds.dit : $NtdsPath"
If($NtdsPath -ne "Unknown") # string compare: the path's backslashes are not valid regex escapes
{
Write-Host "Exploit : Ntdsutil `"activate instance ntds`" `"ifm`" `"create full $Env:TEMP`" quit quit"
Write-Host "Exploit : Reg save HKLM\SYSTEM `"$Env:TEMP\system.save`""
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "Exploit : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
Write-Host "PrivilegeName : SeBackupPrivilege"
Write-Host "State : Unknown"
Write-Host "Ntds.dit : $NtdsPath"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under user privileges
Write-Host " -----------------------------------------------"
Write-Host " Error: Can only be tested with admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
## [ROTTEN POTATO SEARCH]
# SeChangeNotifyPrivilege <-- for test purposes (always enabled, so the check can be exercised)
Write-Host "`nVulnId : Rotten potato escalation [Mitre TA0004]"
Start-Sleep -Milliseconds 1000
## Make sure we are NOT running
# tests under Admin privileges
If(-not($IsClientAdmin))
{
$RottenPrivs = whoami /priv|findstr /i /C:'SeImpersonatePrivilege'|findstr /i /C:'Enabled'
$privileges0 = "$RottenPrivs".split()[0] # SeImpersonatePrivilege (empty string when findstr returns nothing)
If($privileges0 -iMatch "^(SeImpersonatePrivilege)$")
{
Write-Host "PrivilegeName : $privileges0"
Write-Host "State : Enabled"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "PrivilegeName : SeImpersonatePrivilege"
Write-Host "State : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under administrator privileges
Write-Host " -----------------------------------------------"
Write-Host " Error: Can not be tested under admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
[int]$EmptySpace='0'
[int]$CountStates='0'
## [JUICY POTATO GOLDEN PRIVILEGES]
# SeShutdownPrivilege - SeChangeNotifyPrivilege <-- for test purposes (always enabled, so the check can be exercised)
Write-Host "`nVulnId : Juicy potato golden escalation [Mitre TA0004]"
Write-Host "*NOTES : Requires 2 Enabled privileges and BITS service"
Write-Host " CLSID identifier to be vulnerable to escalation"
Write-Host " -----------------------------------------------"
Start-Sleep -Milliseconds 1100
## Make sure we are NOT running
# tests under Admin privileges
If(-not($IsClientAdmin))
{
$PrivilegesNames = @(
"SeImpersonatePrivilege",
"SeAssignPrimaryTokenPrivilege"
)
# Get BITS CLSID from registry (empty when the key or the value is missing)
$CLSID = (Get-ItemProperty -Path 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Classes\AppID\BITS' -Name AppID -EA SilentlyContinue).AppID
If([string]::IsNullOrEmpty($CLSID))
{
$CLSID = "Not Found"
}
# Privilege(s) scanner
ForEach($Privs in $PrivilegesNames)
{
$GoldenPrivs = whoami /priv|findstr /i /C:"$Privs"|findstr /i /C:'Enabled'
$privileges1 = "$GoldenPrivs".split()[0] # SeImpersonatePrivilege, SeAssignPrimaryTokenPrivilege (empty string when not found)
If($privileges1 -iMatch "^($Privs)$")
{
Write-Host " PrivilegeName : $privileges1"
Write-Host " BITS CLSID : $CLSID"
Write-Host " State : Enabled"
Write-Host " Report : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
If($EmptySpace -lt 1){echo ""} # EmptySpace trick
$CountStates++
$EmptySpace++
}
Else
{
Write-Host " PrivilegeName : $Privs"
Write-Host " BITS CLSID : $CLSID"
Write-Host " State : Unknown"
Write-Host " Report : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
If($EmptySpace -lt 1){echo ""} # EmptySpace trick
$EmptySpace++
}
}# ForEach()
# Report vuln status
If(($CountStates -eq 2) -and ($CLSID -NotMatch "^(Not Found)$"))
{
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
}
Else
{
# Running under administrator privileges
Write-Host " Error: Can not be tested under admin privileges" -ForegroundColor Red
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [REMOTE DESKTOP CREDENTIALS VULNERABILITY]
Write-Host "`nVulnId : RDP RDCMan vulnerability [Mitre T1021]"
If([System.IO.File]::Exists("$Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"))
{
Write-Host "FileName : RDCMan.settings"
Write-Host "Directory : %LOCALAPPDATA%\Microsoft\Remote Desktop Connection Manager"
Write-Host "FilePath : $Env:LOCALAPPDATA\Microsoft\Remote Desktop Connection Manager\RDCMan.settings"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
Else
{
Write-Host "FileName : RDCMan.settings"
Write-Host "Directory : Not Found"
Write-Host "FilePath : Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [Plain-text Passwords in LSASS]
Write-Host "`nVulnId : Credentials in LSASS [Mitre T1003]"
$WDigest = (Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest).UseLogonCredential
If(-not([string]::IsNullOrEmpty($WDigest)))
{
If($WDigest -eq 1)
{
Write-Host "Status : Plain-text Passwords may be stored in LSASS"
Write-Host "UseLogonCredential: 1"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
ElseIf($WDigest -eq 0)
{
Write-Host "Status : Plain-text Passwords are not stored in LSASS"
Write-Host "UseLogonCredential: 0"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
}
}
Else
{
Write-Host "Status : registry key not found"
Write-Host "UseLogonCredential: Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
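## Added example (editor's addition, not part of @r00t-3xp10it's TCPinspector script): a remediation
# helper for the WDigest finding above. It writes the same key and value the check reads
# (UseLogonCredential under SecurityProviders\WDigest) and returns the post-change state, so a
# defender can turn the finding into a fix and verify it in one call. Assumptions: the function
# name is mine, the session is elevated (HKLM is read-only otherwise) and 0 is the hardened
# setting. The function is only defined here; the scan does not call it.
function Set-WDigestLogonCredential
{
param(
[ValidateSet(0,1)][int]$UseLogonCredential = 0 # 0 = do not keep cleartext credentials in LSASS
)
$WDigestKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
If(-not(Test-Path -Path $WDigestKey))
{
# The key normally exists and only the value is absent; guard anyway so the write below cannot fail
New-Item -Path $WDigestKey -Force|Out-Null
}
# LSASS reads this value as REG_DWORD; an explicit -Type avoids creating it as a string
Set-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential' -Value $UseLogonCredential -Type DWord
# Read the value back so the caller logs what is actually in the registry, not what was requested
$Current = (Get-ItemProperty -Path $WDigestKey -Name 'UseLogonCredential').UseLogonCredential
[pscustomobject]@{
Key = $WDigestKey
UseLogonCredential = $Current
Hardened = ($Current -eq 0)
}
}
# Usage (elevated session): Set-WDigestLogonCredential -UseLogonCredential 0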
Start-Sleep -Milliseconds 1300
## [Registry Plaintext Credentials]
# Most of these keys do not exist on a given host, so errors are suppressed and the variable stays empty (the blocks below only report non-empty values)
$TightVNC = (Get-ItemProperty -Path 'HKCU:\Software\TightVNC\Server' -EA SilentlyContinue).Password # REG_BINARY 'Password' value
$OpenSSH = (Get-ChildItem -Path 'HKCU:\Software\OpenSSH\Agent\Keys' -EA SilentlyContinue).PSChildName -join ', ' # one subkey per key held by the agent
$WinVNC3 = (Get-ItemProperty -Path 'HKCU:\Software\ORL\WinVNC3' -EA SilentlyContinue).Password # REG_BINARY 'Password' value
$SNMP = (Get-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities' -EA SilentlyContinue).Property -join ', ' # community string names
$WinVNC4 = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\RealVNC\WinVNC4' -EA SilentlyContinue).Password # REG_BINARY 'Password' value
$SavedSessions = (Get-ChildItem -Path 'HKCU:\Software\SimonTatham\PuTTY\Sessions' -EA SilentlyContinue).PSChildName
# Winlogon autologon settings (read the key once, pick four values)
$Winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -EA SilentlyContinue
$LastUsedUsername = $Winlogon.LastUsedUsername
$DefaultPasswords = $Winlogon.DefaultPassword
$AltDefaultUserNa = $Winlogon.AltDefaultUserName
$AltDefaultPasswo = $Winlogon.AltDefaultPassword
If(-not([string]::IsNullOrEmpty($LastUsedUsername)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "LastUsedUsername : $LastUsedUsername"
If([string]::IsNullOrEmpty($DefaultPasswords))
{
Write-Host "DefaultPassword : Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Else
{
Write-Host "DefaultPassword : $DefaultPasswords"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
}
If(-not([string]::IsNullOrEmpty($AltDefaultUserNa)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "AltDefaultUserName: $AltDefaultUserNa"
If([string]::IsNullOrEmpty($AltDefaultPasswo))
{
Write-Host "AltDefaultPassword: Not Found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Else
{
Write-Host "AltDefaultPassword: $AltDefaultPasswo"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
}
If(-not([string]::IsNullOrEmpty($SavedSessions)))
{
ForEach($Session in $SavedSessions)
{
# Read the session key once instead of five times
$PuttySession = Get-ItemProperty -Path "HKCU:\Software\SimonTatham\PuTTY\Sessions\$Session" -EA SilentlyContinue
$Username = $PuttySession.UserName
$HostName = $PuttySession.HostName
$PrivateKey = $PuttySession.PublicKeyFile # PuTTY stores the private key path under this (historical) value name
$ProxyPassword = $PuttySession.ProxyPassword
$ProxyUsername = $PuttySession.ProxyUsername
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
write-host "Session Name : $Session"
write-host "Hostname/IP : $HostName"
write-host "UserName : $UserName"
write-host "Proxy Username : $ProxyUsername"
write-host "Proxy Password : $ProxyPassword"
write-host "Private Key : $PrivateKey"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
}
}
If(-not([string]::IsNullOrEmpty($TightVNC)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "TightVNC : $TightVNC"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($WinVNC4)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "WinVNC4 : $WinVNC4"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($OpenSSH)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "OpenSSH : $OpenSSH"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($WinVNC3)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "WinVNC3 : $WinVNC3"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
If(-not([string]::IsNullOrEmpty($SNMP)))
{
write-host "`nVulnId : Credentials in Regedit [Mitre T1552]"
Write-Host "SNMP : $SNMP"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
}
$Creds = @()
## [Dump WiFi Credentials]
Start-Sleep -Milliseconds 1100
$Profiles = $(netsh wlan show profiles|Select-String -Pattern "All User Profile")
$parsedata = $Profiles -replace 'Profiles on interface Wi-Fi:','' -replace '\s*All User Profile\s*: ',''
ForEach($Item in $parsedata)
{
$Creds += $(netsh wlan show profiles name=$Item key=clear|findstr "SSID Content"|findstr /V "Number")
}
If(-not([string]::IsNullOrEmpty($Creds)))
{
write-host "`nVulnId : Dump WIFI Credentials [Mitre T1016]"
Write-Host " -----------------------------------------------"
$Creds -replace '"','' -replace '^(\s*)',' ' -replace ' : ',' : ' -replace 'Key Content : ','SSID password : '
Write-Host " -----------------------------------------------"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
}
Else
{
write-host "`nVulnId : Dump WIFI Credentials [Mitre T1016]"
Write-Host "Status : Unable to find SSIDs or credentials"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
Start-Sleep -Milliseconds 1100
## [HardCoded credentials in XML files]
$XMLDataBase = @(
"$Env:WINDIR\unattend.xml",
"$Env:WINDIR\sysprep\sysprep.xml",
"$Env:ALLUSERSPROFILE\Groups.xml",
"$Env:WINDIR\Panther\unattend.xml",
"$Env:ALLUSERSPROFILE\Services.xml",
"$Env:ALLUSERSPROFILE\Printers.xml",
"$Env:WINDIR\system32\sysprep\sysprep.xml",
"$Env:WINDIR\Panther\Unattend\Unattend.xml"
)
ForEach($Token in $XMLDataBase)
{
If([System.IO.File]::Exists("$Token"))
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Scan for Base64 strings inside XML file
#>
$CheckBase64 = (Get-ChildItem -Path "$Token"|
Select-String -Pattern '((([A-Za-z0-9+/]{4})*)([A-Za-z0-9+/]{4}|[A-Za-z0-9+/]{3}=|[A-Za-z0-9+/]{2}==))'|
Where-Object {$_ -Match '([A-Za-z0-9+/]{10}(=|==)</\w+>|[A-Za-z0-9+/]{10}(=|==)>)$'}) # regex: '(=|==)</value>' OR '(=|==)>'
# Store the full XML syntax tag where the Base64 string was found
$FoundString = ($CheckBase64 -split(":")|Select-Object -Last 1) -replace '^\s+',''
## Get the XML line number where the Base64 string was found
$LineNumber = ($CheckBase64 -split(":")|Select-Object -Skip 2)[0]
## Get the Base64 string only to check length and empty spaces
$CheckLength = ($CheckBase64 -split(">") -split("</"))[1]
If([string]::IsNullOrEmpty($FoundString))
{
$FoundString = "Unknown"
}
Write-Host "`nVulnId : HardCoded Credentials in XML [mitre T1552]"
Write-Host "FilePath : $Token"
Write-Host "Status : XML found [scan for Base64]"
Write-Host "Base64 : " -NoNewline
Start-Sleep -Milliseconds 300
If(($CheckLength -NotMatch '\s+') -and ($CheckLength.Length -gt 10))
{
Write-Host "$FoundString" -ForegroundColor Black -BackgroundColor White
Write-Host "LineNumber : $LineNumber"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 700
}
else
{
Write-Host "Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "WARNING" -ForegroundColor Yellow
Start-Sleep -Milliseconds 500
}
}
Else
{
Write-Host "`nVulnId : HardCoded Credentials in XML [mitre T1552]"
Write-Host "FilePath : $Token"
Write-Host "Status : XML Not found"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
Start-Sleep -Milliseconds 400
}
}
$PIPDATABASE=''
[int]$Counter='0'
Start-Sleep -Milliseconds 1100
## [NAMED PIPES VULNERABILITY]
# Get pipe HOSTNAME\USERNAME (SKYNET\pedro) AccessControl FileSystemRights
$GetAccessControl = (Get-ChildItem -Path "\\.\pipe\"|ForEach-Object -EA SilentlyContinue GetAccessControl)
# First ACE that grants FullControl or CreateFiles, read as object properties rather than parsed from formatted text
# NOTE: this ACE comes from the first writable pipe found and is shown for every pipe listed below, it is not evaluated per pipe
$WriteAce = ($GetAccessControl).Access|Where-Object{
$_.FileSystemRights -Match "FullControl" -or $_.FileSystemRights -Match "CreateFiles"}|
Select-Object -first 1
$FileSystemRights = "$($WriteAce.FileSystemRights)"
If([string]::IsNullOrEmpty($FileSystemRights) -or ($FileSystemRights -Match '^(-1)'))
{
$FileSystemRights = "Unknown"
}
# Search for 5 (max) named pipes available
$SearchPipes = (Get-ChildItem -Path "\\.\pipe\").FullName
$PIPDATABASE = ($SearchPipes|Select-Object -Skip 1|Select-Object -First 5)
ForEach($NamedPipe in $PIPDATABASE)
{
$OwnerID = "$($WriteAce.IdentityReference)"
Write-Host "`nVulnId : NAMED Pipes vulnerability [Mitre T27308]"
Write-Host "Pipe : $NamedPipe" # \\.\pipe\lsass\
Write-Host "Owner : $OwnerID" # BUILTIN\Administradores
Write-Host "GetAccessControl : $FileSystemRights" # CreateFiles, WriteExtendedAttributes, WriteAttributes, Read, Synchronize
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 400
$Counter++
}
If($Counter -eq 0) # no pipes were reported above ($SearchPipes is an array, so comparing it with 0 never worked)
{
Write-Host "`nVulnId : NAMED Pipes vulnerability [Mitre T27308]"
Write-Host "Pipe : Not Found"
Write-Host "Owner : Unknown"
Write-Host "GetAccessControl : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$param1 = "FullControl"
## [WEAK DIRECTORY PERMISSIONS]
# Get Group Name (BUILTIN\Users) in different languages NOTE: England, Portugal, France, Germany, Indonesia, the Netherlands, Romania, Croatia, Spain
$FindGroupUser = whoami /groups|findstr /C:"BUILTIN\Users" /C:"BUILTIN\Utilizadores" /C:"BUILTIN\Utilisateurs" /C:"BUILTIN\Benutzer" /C:"BUILTIN\Pengguna" /C:"BUILTIN\Gebruikers" /C:"BUILTIN\Utilizatori" /C:"BUILTIN\Korisnici" /C:"BUILTIN\Usuarios"|Select-Object -First 1
$param2 = "$FindGroupUser".split()[0]
# Drop stray quotes and escape the backslash so the group name is matched literally when used as a -Match pattern
$UserGroup = [regex]::Escape(($param2 -replace '"',''))
[int]$CountStates='0'
# Directories to search recursively: $Env:PROGRAMFILES, ${Env:PROGRAMFILES(x86)}, $Env:LOCALAPPDATA\Programs\
# $dAtAbAsEList = Get-ChildItem -Path "$Env:LOCALAPPDATA\Programs\" -Recurse -ErrorAction SilentlyContinue -Force|Where { $_.PSIsContainer }|Select -ExpandProperty FullName
$dAtAbAsEList = Get-ChildItem -Path "$Env:PROGRAMFILES", "${Env:PROGRAMFILES(x86)}", "$Env:LOCALAPPDATA\Programs\" -Recurse -ErrorAction SilentlyContinue -Force|Where { $_.PSIsContainer }|Select -ExpandProperty FullName
ForEach($Token in $dAtAbAsEList)
{
If(-not($Token -Match 'WindowsApps'))
{
$FolderAcl = Get-Acl -Path "$Token" -EA SilentlyContinue
$IsInHerit = $FolderAcl.Access.IsInherited|Select -First 1
# Walk the ACEs with ForEach-Object (Where-Object was used as a loop here before, which only worked by side effect)
$FolderAcl.Access|ForEach-Object {
$CleanOutput = $_.FileSystemRights -Match "$param1" -and $_.IdentityReference -Match "$UserGroup" ## <-- In my system the IdentityReference is: 'BUILTIN\Utilizadores'
If($CleanOutput)
{
Write-Host "`nVulnId : Weak Directory permissions [Mitre T1222]"
Write-Host "FolderPath : $Token"
Write-Host "FileSystemRights : $param1"
Write-Host "IdentityReference : $($_.IdentityReference)"
Write-Host "IsInherited : $IsInHerit"
Write-Host "VulnStatus : " -NoNewline
Write-Host "VULNERABLE" -ForegroundColor Green
Start-Sleep -Milliseconds 300
$CountStates++
}
}# End of Get-Acl loop
}# End of Exclude WindowsApps
}# End of ForEach() loop
If($CountStates -eq 0)
{
Write-Host "`nVulnId : Weak Directory permissions [Mitre T1222]"
Write-Host "FolderPath : Not Found"
Write-Host "FileSystemRights : Unknown"
Write-Host "IdentityReference : Unknown"
Write-Host "IsInherited : Unknown"
Write-Host "VulnStatus : " -NoNewline
Write-Host "NON VULNERABLE" -ForegroundColor Red
}
$WorkingPath = $pwd
## [Dump DPAPI masterkeys\blobs\loginfiles]
# NOTE: this step downloads and runs a script from the network at scan time; review (or pin a checksum of) the file before trusting its output
iwr -uri "https://raw.githubusercontent.com/r00t-3xp10it/redpill/refs/heads/main/lib/Exfiltration/Invoke-VaultCmd.ps1" -OutFile "$Env:TMP\Invoke-VaultCmd.ps1"
Unblock-File -Path "$Env:TMP\Invoke-VaultCmd.ps1" # iwr -OutFile emits nothing on the pipeline, so the path must be passed explicitly
(Get-Content -Path "$Env:TMP\Invoke-VaultCmd.ps1").Replace('Clear-Host', '#Clear-Host')|Set-Content "$Env:TMP\Invoke-VaultCmd.ps1"
cd $Env:TMP
.\Invoke-VaultCmd.ps1 -action DPAPI -Banner false
Remove-Item -Path "$Env:TMP\Invoke-VaultCmd.ps1" -Force
$host.UI.RawUI.WindowTitle = "@TCPinspector $CmdletVersion"
cd $WorkingPath
echo ""
## BalloonTip
Invoke-BallonTip
exit
}
# For LOOP [Netstat|NetTCPConnection]
For($i=1; $i -le $MaxScans; $i++)
{
If($i -eq 1)
{
## Print banner + settings OnScreen
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "Capture " -ForegroundColor Red -NoNewline
Write-Host "$IP" -ForegroundColor Yellow -NoNewline
Write-Host " TCP Connections Settings`n" -ForegroundColor Red
Write-Host "Invoke : $Invoke"
Write-Host "Filter : $Filter"
Write-Host "ScanType : $ScanType"
If($ScanType -iMatch "^(automatic)$")
{
Write-Host "ScanEach : $ScanEach seconds"
}
Write-Host "MaxScans to perform : $Maxscans scans"
If($WarnMeOf -NotMatch "^(NULL)$")
{
Write-Host "Warnmeof : " -NoNewline
Write-Host "$WarnMeOf" -ForegroundColor Red
}
If($Process.IsPresent)
{
Write-Host "ProcessNames : " -NoNewline
Write-Host "$Process" -ForegroundColor Green
}
If($GeoLocation.IsPresent)
{
Write-Host "GeoLocation : " -NoNewline
Write-Host "True" -ForegroundColor Green
}
Write-Host "Create logfile : $Logfile`n"
# Press to continue
cmd /c 'pause'
Clear-Host
}
If($Invoke -iMatch "^(netstat)$")
{
# Draw script banner
$CmdLetAppl = "Netstat"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "List ESTABLISHED " -ForegroundColor Green -NoNewline
Write-Host "$IP " -ForegroundColor Yellow -NoNewline
Write-Host "TCP Connections`n" -ForegroundColor Green
If($Process.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use NETSTAT command to list established TCP connections
.NOTES
<-Invoke 'netstat'> together with <-Process> switch will
display the Process Name associated with the TCP connection
and alert the user to suspicious TCP connections (yellow color)
and possibly exploitable service names (red color)
Invoking -filter '127.0.0.1' will delete from the scan report
all lines containing the string '127.0.0.1'
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
Proto State LocalAddress LocalPort RemoteAddress RemotePort ProcessName OwningProcess
----- ----- ------------ --------- ------------- ---------- ----------- -------------
TCP Established 127.0.0.1 5141 127.0.0.1 58600 AcerQAAgent 4296
TCP Established 127.0.0.1 49669 127.0.0.1 49670 ADESv2Svc 4216
TCP Established 127.0.0.1 49670 127.0.0.1 49669 ADESv2Svc 4216
TCP Established 127.0.0.1 49672 127.0.0.1 49673 AcerSysMonitorService 8120
TCP Established 127.0.0.1 49673 127.0.0.1 49672 AcerSysMonitorService 8120
TCP Established 127.0.0.1 58600 127.0.0.1 5141 AQAUserPS 24772
TCP Established 127.0.0.1 58641 127.0.0.1 58995 AcerGAICameraW 25144
TCP Established 127.0.0.1 58995 127.0.0.1 58641 AcerPixyService 16616
TCP Established 192.168.1.5 49457 4.207.247.137 443 svchost 4804
TCP Established 192.168.1.5 63677 185.199.110.133 443 opera 16944
TCP Established 192.168.1.5 63678 185.199.108.154 443 opera 16944
TCP Established 192.168.1.5 63692 140.82.113.25 443 opera 16944
TCP Established 192.168.1.5 63659 52.123.129.14 443 MpDefenderCoreService 22416
-|Scan [4:10]|-
#>
# Retrieve ProcessName(s)
Invoke-ProcessTCPwarnings
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
}
Else
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use NETSTAT command to list established TCP connections
.NOTES
Invoking -filter '127.0.0.1' will delete from the scan report
all lines containing the string '127.0.0.1'
.OUTPUTS
Proto Local Address Foreign Address State PID
----- ------------- --------------- ----------- ---
TCP 127.0.0.1:5141 127.0.0.1:58600 ESTABLISHED 4296
TCP 127.0.0.1:49669 127.0.0.1:49670 ESTABLISHED 4216
TCP 127.0.0.1:49670 127.0.0.1:49669 ESTABLISHED 4216
TCP 127.0.0.1:49672 127.0.0.1:49673 ESTABLISHED 8120
TCP 127.0.0.1:49673 127.0.0.1:49672 ESTABLISHED 8120
TCP 127.0.0.1:58600 127.0.0.1:5141 ESTABLISHED 24772
TCP 127.0.0.1:58641 127.0.0.1:58995 ESTABLISHED 25144
TCP 127.0.0.1:58995 127.0.0.1:58641 ESTABLISHED 16616
TCP 192.168.1.5:49457 4.207.247.137:443 ESTABLISHED 4804
TCP 192.168.1.5:63025 140.82.114.26:443 ESTABLISHED 16944
TCP 192.168.1.5:63039 13.69.239.68:443 ESTABLISHED 18212
-|Scan[2:8]|-
#>
## Use netstat command to display established TCP connections
# $Filter drops every line matching it; alternatives are separated with '|' (e.g. 'svchost|127.0.0.1'), which findstr cannot do, hence Where-Object
$NetStats = Netstat -ano|Where-Object{$_ -Match "ESTABLISHED" -and $_ -NotMatch "($Filter)"}
# Display results OnScreen
Write-Host " Proto Local Address Foreign Address State PID" -ForegroundColor Yellow
Write-Host " ----- ------------- --------------- ----------- ---"
echo $NetStats
echo ""
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
# Append to logfile?
If($Logfile.IsPresent)
{
echo "`n Proto Local Address Foreign Address State PID" >> $LogName
echo " ----- ------------- --------------- ----------- ---" >> $LogName
echo $NetStats >> $LogName
}
}
# Scan Type (manual|automatic)
Invoke-ScanTypes
## Do not clear screen if $i ...
# reaches the max of MaxScans ($MaxScans)
If($i -ne $MaxScans)
{
Clear-Host
}
}
Elseif($Invoke -iMatch "^(NetTCPConnection)$")
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Use Get-NetTCPConnection CmdLet to list established TCP connections
.NOTES
-Invoke 'NetTCPConnection' together with -Process switch will
display the ProcessName associated with the TCP connection
Invoking -filter '127.0.0.1' will delete from the scan report
all lines containing the string '127.0.0.1'
.OUTPUTS
Name Status LinkSpeed ifDesc
---- ------ --------- ------
Wi-Fi Up 286.8 Mbps MediaTek Wi-Fi 6 MT7921 Wireless LAN Card
Ethernet Disconnected 0 bps Realtek PCIe GbE Family Controller
TCP State LocalAddress LocalPort RemoteAddress RemotePort HostName ProcessName OwningProcess
--------- ------------ --------- ------------- ---------- -------- ----------- -------------
Established 192.168.1.5 62082 140.82.113.26 443 lb-140-82-113-26-iad.github.com opera 776
Established 127.0.0.1 60919 127.0.0.1 58995 Skynet AcerGAICameraW 6880
Established 127.0.0.1 60904 127.0.0.1 5141 Skynet AQAUserPS 3404
Established 127.0.0.1 58995 127.0.0.1 60919 Skynet AcerPixyService 4548
Established 127.0.0.1 49673 127.0.0.1 49672 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49672 127.0.0.1 49673 Skynet AcerSysMonitorService 8560
Established 127.0.0.1 49670 127.0.0.1 49669 Skynet ADESv2Svc 4508
Established 127.0.0.1 49669 127.0.0.1 49670 Skynet ADESv2Svc 4508
Established 192.168.1.5 49412 4.207.247.139 443 svchost 4964
Established 127.0.0.1 5141 127.0.0.1 60904 Skynet AcerQAAgent 4576
-|Scan[5:20]|-
#>
$CmdLetAppl = "NetTCPConnection"
write-host $StartBanner -ForegroundColor DarkRed
Write-Host "List ESTABLISHED " -ForegroundColor Green -NoNewline
Write-Host "$IP " -ForegroundColor Yellow -NoNewline
Write-Host "TCP Connections" -ForegroundColor Green
# Get NetAdaptor settings
Get-NetAdapter|Select-Object Name,Status,LinkSpeed,ifDesc|
Format-Table -AutoSize|Out-String -Stream|Select-Object -First 5
If($Process.IsPresent)
{
# List established TCP connections
$NetStats = Get-NetTCPConnection -State ESTABLISHED|
Select-Object -Property @{name='TCP State';expression={'Established'}},LocalAddress,LocalPort,RemoteAddress,RemotePort,@{name='HostName';expression={(Resolve-DnsName $_.RemoteAddress -EA SilentlyContinue).NameHost}},@{Name="ProcessName";Expression={(Get-Process -Id $_.OwningProcess -EA SilentlyContinue).ProcessName}},OwningProcess|
Where-Object{$_ -iNotMatch "($Filter)"}
## BallonTip TCP connection warnings
If($WarnMeOf -iNotMatch "^(NULL)$")
{
<#
.NOTES
Pops up one balloon-tip warning for each TCP connection
owned by a watched process name (or port) found active on the device
#>
ForEach($_Processes_ in $NetStats)
{
# Read the fields straight from the connection object (no text parsing of formatted output)
$ProcName = $_Processes_.ProcessName
$RemotePo = $_Processes_.RemotePort
$LocalPor = $_Processes_.LocalPort
# Invoke BallonTip warning when a watched process name or port is found connected over TCP (ports are matched whole, so 80 does not match 8080)
If(($ProcName -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)") -Or ("$RemotePo" -Match "^($RPORT|80)$") -or ("$LocalPor" -Match "^(139|445)$"))
{
# Values consumed by Invoke-BallonTipWarnings
$ProcPPID = $_Processes_.OwningProcess
$Remotead = $_Processes_.RemoteAddress
Invoke-BallonTipWarnings
}
} # End of ForEach()
}
## GeoLocate RemoteHosts
If($GeoLocation.IsPresent)
{
<#
.SYNOPSIS
Author: @r00t-3xp10it
Helper - Resolve RemoteHosts Geo-Location [ipinfo.io]
.OUTPUTS
RemoteAddress country region city latitude longitude Org
------------- ------- ------ ---- -------- --------- ---
34.117.59.81 US Missouri Kansas City 39.0997 -94.5786 AS396982 Google LLC
4.207.247.139 IE Leinster Dublin 53.3331 -6.2489 AS8075 Microsoft Corporation
#>
# Build GeoLocation DataTable!
$geotable = New-Object System.Data.DataTable
$geotable.Columns.Add("RemoteAddress")|Out-Null
$geotable.Columns.Add("country")|Out-Null
$geotable.Columns.Add("region")|Out-Null
$geotable.Columns.Add("city")|Out-Null
$geotable.Columns.Add("latitude")|Out-Null
$geotable.Columns.Add("longitude")|Out-Null
$geotable.Columns.Add("Org")|Out-Null
# Store ALL RemoteAddresses found by -invoke parameter [delete duplicated entries]
$Database = $NetStats.RemoteAddress|Where-Object{$_ -NotMatch "^127\.0\.0\.1$"}|Sort-Object -unique
ForEach($PublicAddr in $Database)
{
# Resolve RemoteAddresses GeoLocations (NOTE: every address in the list is sent to the ipinfo.io API)
$GeoDataBase_ = (Invoke-RestMethod -Uri "https://ipinfo.io/$PublicAddr" -EA SilentlyContinue|Select-Object country,region,city,loc,org)
$IPINFO_Country = $GeoDataBase_.country
$IPINFO_region = $GeoDataBase_.region
$IPINFO_city = $GeoDataBase_.city
$IPINFO_Org = $GeoDataBase_.org
# Get remoteAddress coordinates [latitude,longitude] ('loc' is returned as "lat,long")
$RawCoordinates = "$($GeoDataBase_.loc)"
$Latitude = ($RawCoordinates -split ",")|Select -First 1
$Longitude = ($RawCoordinates -split ",")|Select -Last 1
# Adding values to DataTable!
$geotable.Rows.Add("$PublicAddr", ## RemoteAddress
"$IPINFO_Country", ## country_name
"$IPINFO_region", ## region
"$IPINFO_city", ## city
"$Latitude", ## latitude
"$Longitude", ## longitude
"$IPINFO_Org" ## Org
)|Out-Null
}
}
## ProcessName detail Info
If($ProcessInfo.IsPresent)
{
<#
.OUTPUTS
ProcessName Version Description Path
----------- ------- ----------- ----
AcerGAICameraW 1.0.1.3016 Acer GAI Camera Windows C:\WINDOWS\System32\DriverStore\FileRepository\acergaicameracomponent.inf_amd64_3d28e...
AQAUserPS 1.4.37 Acer Quick Access User Process C:\Program Files\AcerQAAgent\AQAUserPS.exe
svchost 10.0.26100.7015 Processo Anfitrião dos Serviços do Windows C:\WINDOWS\system32\svchost.exe
AcerPixyService 2.0.0.3026 Acer Pixy Service C:\WINDOWS\System32\DriverStore\FileRepository\acerartaimmxdrivercomponent.inf_amd64_...
AcerSysMonitorService 1.0.1018.5 Acer System Monitor Service C:\WINDOWS\System32\DriverStore\FileRepository\sysmonitorservice.inf_amd64_58adec8bbc...
AcerSysMonitorService 1.0.1018.5 Acer System Monitor Service C:\WINDOWS\System32\DriverStore\FileRepository\sysmonitorservice.inf_amd64_58adec8bbc...
ADESv2Svc 1.0.0.3018 Acer Device Enabling Service V2 C:\WINDOWS\System32\DriverStore\FileRepository\acerdeviceenablingservicecomponent.inf...
ADESv2Svc 1.0.0.3018 Acer Device Enabling Service V2 C:\WINDOWS\System32\DriverStore\FileRepository\acerdeviceenablingservicecomponent.inf...
svchost 10.0.26100.7015 Processo Anfitrião dos Serviços do Windows C:\WINDOWS\system32\svchost.exe
AcerQAAgent 1.4.37 Acer Quick Access Software Component C:\WINDOWS\system32\AcerQAAgent.exe
#>
Start-Sleep -Seconds 1
# PROCESSES INFO TABLE
$Proctable = New-Object System.Data.DataTable
$Proctable.Columns.Add("ProcessName")|Out-Null
$Proctable.Columns.Add("Version")|Out-Null
$Proctable.Columns.Add("Description")|Out-Null
$Proctable.Columns.Add("Path")|Out-Null
ForEach($tetrys in $NetStats)
{
# Get PID of all processes found in $Netstats and look each process up once
$PPID = $tetrys.OwningProcess
$ProcObj = Get-Process -Id $PPID -EA SilentlyContinue # $null when the process has already exited
#$DLLSLoaded = $ProcObj.Modules.ModuleName
$ProcNa = $ProcObj.Name
$ProcDe = $ProcObj.Description
$Versio = $ProcObj.ProductVersion
$PrPath = $ProcObj.Path
## Adding values to output DataTable!
$Proctable.Rows.Add("$ProcNa", ## name
"$Versio", ## version
"$ProcDe", ## description
"$PrPath" ## Path
)|Out-Null
} # End of ForEach()
}
## Append to logfile?
If($Logfile.IsPresent)
{
echo $NetStats|Format-Table -AutoSize >> $LogName
If($GeoLocation.IsPresent)
{
echo $geotable|Format-Table -AutoSize >> $LogName
}
If($ProcessInfo.IsPresent)
{
echo $Proctable|Format-Table -AutoSize >> $LogName
}
}
}
Else
{
# List established TCP connections only
$NetStats = Get-NetTCPConnection -State ESTABLISHED|
Select-Object -Property @{name='TCP State';expression={'Established'}},LocalAddress,LocalPort,RemoteAddress,RemotePort,@{name='HostName';expression={(Resolve-DnsName $_.RemoteAddress -EA SilentlyContinue).NameHost}},OwningProcess|
Where-Object{$_ -iNotMatch "($Filter)"}
# Append to logfile?
If($Logfile.IsPresent)
{
echo $NetStats|Format-Table -AutoSize >> $LogName
}
}
echo ""
# Display results OnScreen
$NetStats|Format-Table -AutoSize|Out-String -Stream|ForEach-Object {
$stringformat = If($_ -iMatch "(svchost|backgroundTaskHost|spoolsv|taskhostw|PhoneExperienceHost|KERBEROS)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|wermgr|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match '\s+127\.0\.0\.1\s+')
{
@{ 'ForegroundColor' = 'Gray' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## GeoLocate Table output
If($GeoLocation.IsPresent)
{
#Display Data Table OnScreen
$geotable|Format-Table -AutoSize|Out-String -Stream|Select-Object -Skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
}
# ProcessInfo TABLE output
If($ProcessInfo.IsPresent)
{
Start-Sleep -Milliseconds 1400
$Proctable|Format-Table -AutoSize|Out-String -Stream|Select-Object -Skip 1|ForEach-Object {
$stringformat = If($_ -iMatch "(svchost|backgroundTaskHost|spoolsv|taskhostw|PhoneExperienceHost|KERBEROS)")
{
@{ 'ForegroundColor' = 'Yellow' }
}
ElseIf($_ -iMatch "($WarnMeOf|MSTSC|TELNET|TELNETCLIENT|TEAMVIEWER|NETBIOS|VNCSERVER|WSUS|W3WP|WSUSSERVICE)")
{
@{ 'ForegroundColor' = 'Red' }
}
ElseIf($_ -iMatch "(MpDefenderCoreService|MsMpEng|wermgr|SecurityHealthSystray|SecurityHealthService)")
{
@{ 'ForegroundColor' = 'Green' }
}
ElseIf($_ -Match "^(-----)")
{
@{ 'ForegroundColor' = 'Blue' }
}
Else
{
@{ 'ForegroundColor' = 'White' }
}
Write-Host @stringformat $_
}
## Invoke schedule tasks
Invoke-ScheduleTasks
}
Write-Host "-|Scan[" -NoNewline
Write-Host "${i}" -ForegroundColor Yellow -NoNewline
Write-Host ":" -NoNewline
Write-Host "${MaxScans}" -ForegroundColor Red -NoNewline
Write-Host "]$(Get-Date -Format 'HH:mm:ss')|-"
# Scan Type (manual|automatic)
Invoke-ScanTypes
## Do not clear screen if $i ...
# reaches the max of MaxScans ($MaxScans)
If([int]$i -ne [int]$MaxScans)
{
Clear-Host
}
}
}
## TCP Statistics
Invoke-TCPStats
## BaloonTip
Invoke-BallonTip
If($Logfile.IsPresent)
{
Write-Host "`nLogfile: " -NoNewline
Write-Host "$pwd\$LogName" -ForegroundColor Green
}
echo ""
r00t-3xp10it commented Sep 18, 2025

Manage TCP connections


Download cmdlet

iwr -uri "https://gist.githubusercontent.com/r00t-3xp10it/586346116ddbeeeaad4e9775b123d549/raw/44dcccb40aba4bd44489a6b137738a6b85391582/TCPinspector.ps1" -OutFile "TCPinspector.ps1"; Unblock-File "TCPinspector.ps1"

CmdLet Parameters\Switches Description

Parameter   Switch        Description                                                                  Default Value
invoke      -             Scan for active TCP connections using: netstat OR Get-NetTCPConnection       NetTCPConnection
scantype    -             The type of CmdLet scan (loop) to use: automatic OR manual                   automatic
scaneach    -             Scan for TCP connections each xx seconds: 3 (min) OR 15 (max)                6
maxscans    -             The max number of TCP scans to perform: 1 (min) OR 80 (max)                  10
filter      -             Delete from scan reports all strings: 0.0.0.0: (IPv6 addresses)              0.0.0.0:
-           logfile       Switch that appends scans to TCPreport_19_27_50_2025.txt                     not active
-           process       Switch to retrieve the process name associated with the TCP connection       not active
-           processinfo   Print TCP connections process names detail info + today's scheduled tasks    not active
warnmeof    -             Pops up balloon tip warning that process name was found active               NULL
RPORT       -             Pops up balloon tip warning that remote port number was found active *       4444
-           portscan      Switch that searches for TCP high risk open ports (ICMP ping scanner)        not active
-           geolocation   Switch that resolves remote host geolocation [ ipinfo.io ]                   not active
-           dns           Switch that retrieves Lhost DNS resolver cache entries [ IPv4 | IPv6 ]       not active
-           dll           Switch to search for DLLs loaded by running processes                        not active
-           mitre         Switch that searches for possible MITRE ATT&CK vulnerabilities               not active

* REMARK: To only receive remote port warnings (not process name warnings): .\tcpinspector.ps1 -process -warnmeof 'true' -rport '80'


EXAMPLES

Get-Help

Get-Help .\TCPinspector.ps1 -full

List TCP connections using CmdLet default settings

.\TCPinspector.ps1

List TCP connections in verbose mode (display ProcessName associated with TCP connection)

.\TCPinspector.ps1 -invoke 'NetTCPConnection' -process

List TCP connections in verbose mode (4 scans max) + filter '127.0.0.1'

Note: Invoking the -filter '127.0.0.1' parameter deletes from outputs the full line containing the selected string

.\TCPinspector.ps1 -invoke 'NetTCPConnection' -process -filter '127.0.0.1' -maxscans '4'

List TCP connections invoking NetTCPConnection (3 scans max) + append results to logfile

.\TCPinspector.ps1 -invoke 'NetTCPConnection' -maxscans '3' -logfile

List TCP connections with Netstat, scan 3 times max with 2 seconds delay (wait 2 sec before next scan)

.\TCPinspector.ps1 -invoke 'Netstat' -maxscans '3' -scaneach '2'

List TCP connections invoking netstat command, scan 5 times (press keyboard key for new scan)

.\TCPinspector.ps1 -invoke 'netstat' -maxscans '5' -scantype 'manual'



Setting Balloon Tip Warnings

Description: Pops up one balloon tip warning every time one TCP connection related with the process svchost is found active on the device

.\TCPinspector.ps1 -invoke 'netstat' -process -warnmeof 'SVCHOST'

Description: In the next example the SVCHOST process was found loading RDPCORETS.DLL [ spawning Mitre T1021 balloon tip warnings ]
Note: the TermService service needs to be running and rdpcorets.dll loaded by svchost for the device to be vulnerable and spawn this balloon tip

Description: In the following example the POWERSHELL.exe process has loaded webengine4.dll outside of the C:\WINDOWS\SYSTEM32 directory, spawning a balloon tip warning (suspicious DLL load location found), but by default this function only flags DLLs that are loaded outside of the C:\WINDOWS\ OR C:\ProgramData\ directories (default location for powershell.exe DLL loads)

.\TCPinspector.ps1 -process -warnmeof 'POWERSHELL'
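The load-location heuristic described above, as an added stand-alone example that is not code from TCPinspector.ps1: it joins established TCP connections to their owning process and returns the modules that process has loaded from outside the expected roots. The function name Get-ConnectedProcessModuleLoads and its parameters are assumptions made for this illustration.

```powershell
# Added example (not part of the gist): report modules loaded from outside the
# expected roots by processes that currently own an ESTABLISHED TCP connection.
# Function name and parameter names are assumptions for this illustration.
function Get-ConnectedProcessModuleLoads {
    [CmdletBinding()]
    param(
        # Only inspect processes whose name matches this regex (default: all)
        [string]$ProcessPattern = '.*',
        # Module paths under these roots count as expected load locations
        [string[]]$AllowedRoots = @("$env:SystemRoot\", "$env:ProgramData\")
    )
    $conns = Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue
    # Group by PID so each process is inspected once, however many sockets it owns
    foreach ($group in ($conns | Group-Object -Property OwningProcess)) {
        $procId = [int]$group.Name
        if ($procId -le 4) { continue }            # skip Idle (0) and System (4)
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        if (-not $proc -or $proc.Name -notmatch $ProcessPattern) { continue }
        # Reading .Modules of a protected or higher-integrity process can fail
        try { $modules = $proc.Modules } catch { continue }
        foreach ($m in $modules) {
            $path = $m.FileName
            if (-not $path) { continue }
            $expected = $false
            foreach ($root in $AllowedRoots) {
                if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
                    $expected = $true; break
                }
            }
            if ($expected) { continue }
            # One row per (process, unexpected module); remote peers listed for context
            [PSCustomObject]@{
                ProcessName = $proc.Name
                PID         = $procId
                Module      = $m.ModuleName
                Path        = $path
                RemotePeers = ($group.Group |
                    ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" } |
                    Sort-Object -Unique) -join ', '
            }
        }
    }
}

# Usage: run from an elevated prompt to read modules of service hosts such as svchost
Get-ConnectedProcessModuleLoads -ProcessPattern 'powershell|svchost' | Format-Table -AutoSize
```

A module under a user-writable path (a profile or temp directory) is the case worth triaging first; a hit under Program Files is usually a third-party component and can be allow-listed by adding its root to $AllowedRoots.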

Description: Print process names associated with TCP connection detail info + today's tasks + warnmeof AcerGAICameraW connection
NOTE: Some tasks require administrator privileges to be able to extract info from services\processes (print process detail info)

.\TCPinspector.ps1 -invoke 'netstat' -process -processinfo -warnmeof 'AcerGAICameraW'

Description: Resolve Remote Addresses Geo-Location [ ipinfo.io ]

.\TCPinspector.ps1 -process -processinfo -geolocation -filter '127.0.0.1'

Description: Pops up one balloon tip warning every time one TCP connection to the REMOTE PORT number is found active

.\TCPinspector.ps1 -process -warnmeof 'true' -rport '443'



STANDALONE SWITCHES

Description: the portscan module allows us to scan the local LAN for alive hosts OR scan IP addresses ( IPv4 | IPv6 ) for open ports ( local | remote )

.\TCPinspector.ps1 -portscan -logfile

Search for alive hosts in the local LAN

Search for TCP high risk OPEN ports

Scanning RemoteHost IP Addresses [scantype: maxports]

Search for DLLs loaded by running processes

.\TCPinspector.ps1 -DLL

List DNS resolver cache

.\TCPinspector.ps1 -dns

Search for possible MITRE vulnerabilities

.\TCPinspector.ps1 -mitre
