Pentest Time Machine: NMAP + Powershell + whatever tool is next

Published: 2016-01-26
Last Updated: 2016-01-26 02:58:14 UTC
by Rob VandenBrink (Version: 1)
2 comment(s)

Early on in many penetration test or security assessment, you will often find yourself wading through what seems like hundreds or thousands of text files, each seemingly hundreds or thousands of pages long (likely because they are).  One key to success in these situations is to automate the analysis of these files as much as possible – you want to get the “drudgery” job done and move on to subsequent tasks that need real eyes on the screen and hands on the keyboard.

Let’s look at NMAP for instance.  It’s a valuable tool, we all use it.  But if you are scanning a /16 or a /8 network (or even lots of /24’s), the volume of output can be .. daunting?  ..  significant?  .. collosal ?

A common “what’s out there” nmap command might be:

Nmap –p 0-65535 –sV –-open –oA nmapoutput

Let’s look at the XML file that nmap command spits out for a small network  – the XML file format seems to be the most neglected of the 3 output files, but actually presents the information in its best form for automation (for me anyway).

Let’s parse out the XML output into the ipv4 addresses, ports, and service information:

Let’s take a look at what we have, just the open ports:

Big deal you might think, we've just written some powershell that takes nmap output and give us .. nmap output.

But now that it's in a format we can use, we can do interesting things with it ....

Let's check the certs for all the https and ms-wbt-server (RDP) services.  On a "real" network, you could expand this to include things like mail services, Lync (now called Skype for Business) and so on.  We will do this solely on service names, not on tcp port.

First, let’s filter out just the services we’re interested in – note that we could easily add additional services.

Now, let’s run the check to evaluate the certificates.  Note that we're using the ChkCert function that we wrote in yesterday's story:

Looking at the results – as suspected, all of the certs on this subnet are self-signed (it's one of my home subnets - who knew that Blackberry phones have web servers on them?):

Or to add a bit more automation, how about let's run NIKTO on anything that looks like HTTP or HTTPS (again, no matter what the port).

I'm using Nikto here, but really you can call whatever the logical "next tool" is for the services you want to assess or problem you need to solve.  Nikto is just one I commonly throw at web servers, just to get a consistent report on "the easy stuff" for all sites being assessed.  You could just as easily use wpscan (to look at Wordpress sites) or whatever else make sense in the next step against your target services.

Or, if you plan on working the Nikto output from Powershell or even sed+grep, maybe the Nikto CSV output switch will be more useful – yes, you can just keep going with this automation thing.  The more you automate, the more time you can buy, especially in the recon, scanning and mapping phases of an engagement.  While time realy often is money, in this case time translates directly to more thought and intelligence you can bring to bear on the problem - in short, buying time means a better pentest, security assessment or whatever your project is.

Please, use our comment form to share any related code-snips you might have (or feel free to point out ways to streamline my examples)

Rob VandenBrink

Keywords: nikto nmap powershell
2 comment(s)


Hi Rob
I'm having trouble getting your scripts to work--looks like the chkcert function doesn't accept pipeline input. I'm still flailing at it, so I'll let you know if I find something. This was run on PS on Win 8.1:

PS C:\Program Files (x86)\Nmap> $temp = $refinedlist[0]
PS C:\Program Files (x86)\Nmap> chkcert $ $temp.port

Thumbprint Subject
---------- -------
A10B47313F3345BD63CE8E7136C6C3E012718F72 E=1024, OU=strong, O=org, L=locality, S=state, C=co, CN=fqdn

PS C:\Program Files (x86)\Nmap> $temp | chkcert $ ([int]$_.port)
New-Object : Exception calling ".ctor" with "2" argument(s): "The requested address is not valid in its context
At line:6 char:14
+ $TcpSocket = New-Object Net.Sockets.TcpClient($ip,$port)
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [New-Object], MethodInvocationException
+ FullyQualifiedErrorId : ConstructorInvokedThrowException,Microsoft.PowerShell.Commands.NewObjectCommand

not sure what my problem was, but it's working now.

Diary Archives