Home
%3CLINGO-SUB%20id%3D%22lingo-sub-924149%22%20slang%3D%22en-US%22%3EPowerShell%20Basics%3A%20How%20to%20Scan%20Open%20Ports%20Within%20a%20Network%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-924149%22%20slang%3D%22en-US%22%3E%3CP%3ENetwork%20complexity%20is%20rapidly%20increasing%20with%20the%20addition%20of%20non-traditional%20devices%20gaining%20access%20to%20organizational%20networks.%20Singular%20purpose%20devices%20made%20available%20through%20the%20Internet%20of%20Things%20(IoT)%20offering%20has%20increased%20network%20complexity%20even%20further%20with%20the%20ease%20of%20adding%20said%20devices%20to%20the%20network%20and%20sometimes%20without%20the%20knowledge%20of%20a%20system%20administrator.%26nbsp%3B%20Hence%20the%20following%20received%20question%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%22%3CEM%3EHow%20do%20I%20ensure%20all%20the%20appropriate%20ports%20are%20closed%20with%20all%20these%20devices%20being%20added%20to%20my%20network%3F%3C%2FEM%3E%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20scenarios%20like%20these%2C%20tools%20such%20as%20%3CA%20title%3D%22Azure%20Security%20Center%20for%20IoT%22%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fasc-for-iot%2Foverview%3FWT.mc_id%3DITOPSTALK-blog-abartolo%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noopener%20noreferrer%20noopener%20noreferrer%20noopener%20noreferrer%22%3EAzure%20Security%20Center%3C%2FA%3E%20do%20a%20great%20job%20on%20reporting%20probability%20of%20attacks%20that%20can%20occur%20in%20one's%20network%20and%20steps%20are%20needed%20to%20address%20this.%20However%20sometimes%20the%20challenge%20itself%20is%20convincing%20the%20organizational%20decision%20makers%20of%20the%20needed%20investment.%26nbsp%3B%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20997px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F138963i5F343533A9CFE6DB%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22azure-iot-security-architecture.png%22%20title%3D%22azure-iot-security-architecture.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3Eazure%20iot%20security%20architecture%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3ETo%20help%20with%20this%2C%20the%20following%20PowerShell%20script%20will%20provide%20a%20rudimentary%20analysis%20report%20on%20what%20ports%20of%20what%20IPs%20are%20currently%20open.%20This%20report%20can%20be%20used%20as%20a%20great%20starting%20point%20to%20highlight%20probable%20attack%20vectors%20that%20could%20occur%20and%20the%20beginning%20to%20a%20conversation%20on%20additional%20security%20tool%20adoption.%26nbsp%3B%20Lets%20begin.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3COL%3E%0A%3COL%3E%0A%3CLI%3ERun%20PowerShell%3CBR%20%2F%3E%26nbsp%3B%3CBR%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F135894iDF470B1FB4242B46%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22How_to_Force_a_Full_Password_Sync_in_AzureAD_Connect_001.png%22%20title%3D%22How_to_Force_a_Full_Password_Sync_in_AzureAD_Connect_001.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3ERun%20PowerShell%20Force%20AzureAD%20Password%20Sync%3C%2FSPAN%3E%3C%2FSPAN%3E%3CBR%20%2F%3E%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ESpecify%20the%26nbsp%3B%3CSTRONG%3E%24port%26nbsp%3B%3C%2FSTRONG%3Evalue%20to%20scan%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%3CPRE%3E%3CEM%3E%24port%20%3D%20(80)%3C%2FEM%3E%3C%2FPRE%3E%0A%26nbsp%3B%3C%2FLI%3E%0A%3CLI%3ESpecify%20the%26nbsp%3B%3CSTRONG%3E%24network%26nbsp%3B%3C%2FSTRONG%3Evalue%20to%20scan%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%24network%20%3D%20(192.168.0)%3CBR%20%2F%3E%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3ESpecify%20the%26nbsp%3B%3CSTRONG%3E%24range%26nbsp%3B%3C%2FSTRONG%3Evalue%20to%20scan%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%24range%20%3D%20(1..254)%3CBR%20%2F%3E%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3EEnable%20silent%20scan%20(without%20error%20reporting)%20of%20said%20network%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%24ErrorActionPreference%3D%20%E2%80%98silentlycontinue%E2%80%99%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3ECalling%20the%20IP%20addresses%20one%20by%20one%20from%20the%20desired%20range%20and%20displaying%20the%20percentage%20to%20complete%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%24(Foreach%20(%24add%20in%20%24range)%3CBR%20%2F%3E%7B%20%24ip%20%3D%20%E2%80%9C%7B0%7D.%7B1%7D%E2%80%9D%20%E2%80%93F%20%24network%2C%24add%3CBR%20%2F%3EWrite-Progress%20%E2%80%9CScanning%20Network%E2%80%9D%20%24ip%20-PercentComplete%20((%24add%2F%24range.Count)*100)%3CBR%20%2F%3E%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3EPinging%20the%20desired%20IP%20via%20the%20Test-Connection%20cmdlet%20to%20validate%20its%20existence%20on%20the%20network%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3EIf(Test-Connection%20%E2%80%93BufferSize%2032%20%E2%80%93Count%201%20%E2%80%93quiet%20%E2%80%93ComputerName%20%24ip)%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3EAttempt%20made%20to%20connect%20to%20the%20desired%20port%20for%20testing%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%7B%20%24socket%20%3D%20new-object%20System.Net.Sockets.TcpClient(%24ip%2C%20%24port)%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3EReport%20success%20if%20the%20desired%20port%20is%20open%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3EIf(%24socket.Connected)%20%7B%20%E2%80%9C%24ip%20port%20%24port%20open%E2%80%9D%3CBR%20%2F%3E%24socket.Close()%20%7D%3CBR%20%2F%3Eelse%20%7B%20%E2%80%9C%24ip%20port%20%24port%20not%20open%20%E2%80%9D%20%7D%3CBR%20%2F%3E%7D%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3CLI%3ECreate%20the%20CSV%20output%20file%20reporting%20on%20desired%20open%20port%3A%26nbsp%3B%3CBR%20%2F%3E%26nbsp%3B%0A%3CPRE%3E%3CEM%3E%7D)%20%7C%20Out-File%20C%3A%5Creports%5Cportscan.csv%3C%2FEM%3E%3C%2FPRE%3E%0A%3CCODE%3E%3C%2FCODE%3E%3C%2FLI%3E%0A%3C%2FOL%3E%0A%3C%2FOL%3E%0A%3CP%3EThe%20following%20is%20the%20above%20script%20in%20its%20entirety%3A%3C%2FP%3E%0A%3CPRE%3E%3CEM%3E%24port%20%3D%20(enter%20port%20value)%3CBR%20%2F%3E%24network%20%3D%20%E2%80%9Center%20network%20value%E2%80%9D%3CBR%20%2F%3E%24range%20%3D%201..254%3CBR%20%2F%3E%24ErrorActionPreference%3D%20%E2%80%98silentlycontinue%E2%80%99%3CBR%20%2F%3E%24(Foreach%20(%24add%20in%20%24range)%3CBR%20%2F%3E%7B%20%24ip%20%3D%20%E2%80%9C%7B0%7D.%7B1%7D%E2%80%9D%20%E2%80%93F%20%24network%2C%24add%3CBR%20%2F%3EWrite-Progress%20%E2%80%9CScanning%20Network%E2%80%9D%20%24ip%20-PercentComplete%20((%24add%2F%24range.Count)*100)%3CBR%20%2F%3EIf(Test-Connection%20%E2%80%93BufferSize%2032%20%E2%80%93Count%201%20%E2%80%93quiet%20%E2%80%93ComputerName%20%24ip)%3CBR%20%2F%3E%7B%20%24socket%20%3D%20new-object%20System.Net.Sockets.TcpClient(%24ip%2C%20%24port)%3CBR%20%2F%3EIf(%24socket.Connected)%20%7B%20%E2%80%9C%24ip%20port%20%24port%20open%E2%80%9D%3CBR%20%2F%3E%24socket.Close()%20%7D%3CBR%20%2F%3Eelse%20%7B%20%E2%80%9C%24ip%20port%20%24port%20not%20open%20%E2%80%9D%20%7D%3CBR%20%2F%3E%7D%3CBR%20%2F%3E%7D)%20%7C%20Out-File%20C%3A%5Creports%5Cportscan.csv%3C%2FEM%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3CBR%20%2F%3EAgain%20this%20is%20a%20rudimentary%20report%20output%20that%20can%20be%20utilized%20to%20begin%20the%20conversation%20with%20organizational%20decision%20makers%20regarding%20needed%20investments.%20Do%20comment%20below%20on%20additional%20tips%20or%20script%20edits.%26nbsp%3B%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-924149%22%20slang%3D%22en-US%22%3E%3CP%3ENetwork%20complexity%20is%20rapidly%20increasing%20with%20the%20addition%20of%20non-traditional%20devices%20gaining%20access%20to%20organizational%20networks.%20Singular%20purpose%20devices%20made%20available%20through%20the%20Internet%20of%20Things%20(IoT)%20offering%20has%20increased%20network%20complexity%20even%20further%20with%20the%20ease%20of%20adding%20said%20devices%20to%20the%20network%20and%20sometimes%20without%20the%20knowledge%20of%20a%20system%20administrator.%26nbsp%3B%20Hence%20the%20following%20received%20question%3A%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%22%3CEM%3EHow%20do%20I%20ensure%20all%20the%20appropriate%20ports%20are%20closed%20with%20all%20these%20devices%20being%20added%20to%20my%20network%3F%3C%2FEM%3E%22%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-inline%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F134944iD72B3B0B8F4E0886%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22PowerShell_Basics.jpg%22%20title%3D%22PowerShell_Basics.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EPowerShell%20Basics%20Series%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-924149%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAnthony%20Bartolo%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EAzure%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EPowerShell%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-941867%22%20slang%3D%22en-US%22%3ERe%3A%20PowerShell%20Basics%3A%20How%20to%20Scan%20Open%20Ports%20Within%20a%20Network%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-941867%22%20slang%3D%22en-US%22%3E%3CP%3EI%20wrote%20a%20Workflow%20not%20too%20long%20ago%20doing%20just%20this.%20Using%20a%20Workflow%20allowed%20me%20to%20use%20foreach%20-parallel%20which%20substantially%20sped%20up%20the%20process.%20Let%20me%20know%20if%20we%20can%20start%20an%20Nmap%20project%20in%20Pwsh...%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-BODY%3E
Microsoft

Network complexity is rapidly increasing with the addition of non-traditional devices gaining access to organizational networks. Singular purpose devices made available through the Internet of Things (IoT) offering has increased network complexity even further with the ease of adding said devices to the network and sometimes without the knowledge of a system administrator.  Hence the following received question:

 

"How do I ensure all the appropriate ports are closed with all these devices being added to my network?"

 

In scenarios like these, tools such as Azure Security Center do a great job on reporting probability of attacks that can occur in one's network and steps are needed to address this. However sometimes the challenge itself is convincing the organizational decision makers of the needed investment.  
 
azure-iot-security-architecture.pngazure iot security architecture

To help with this, the following PowerShell script will provide a rudimentary analysis report on what ports of what IPs are currently open. This report can be used as a great starting point to highlight probable attack vectors that could occur and the beginning to a conversation on additional security tool adoption.  Lets begin.

 

    1. Run PowerShell
       
      How_to_Force_a_Full_Password_Sync_in_AzureAD_Connect_001.pngRun PowerShell Force AzureAD Password Sync
       
    2. Specify the $port value to scan: 
       
      $port = (80)
       
    3. Specify the $network value to scan: 
       
      $network = (192.168.0)
    4. Specify the $range value to scan: 
       
      $range = (1..254)
    5. Enable silent scan (without error reporting) of said network: 
       
      $ErrorActionPreference= ‘silentlycontinue’
    6. Calling the IP addresses one by one from the desired range and displaying the percentage to complete: 
       
      $(Foreach ($add in $range)
      { $ip = “{0}.{1}” –F $network,$add
      Write-Progress “Scanning Network” $ip -PercentComplete (($add/$range.Count)*100)
    7. Pinging the desired IP via the Test-Connection cmdlet to validate its existence on the network: 
       
      If(Test-Connection –BufferSize 32 –Count 1 –quiet –ComputerName $ip)
    8. Attempt made to connect to the desired port for testing: 
       
      { $socket = new-object System.Net.Sockets.TcpClient($ip, $port)
    9. Report success if the desired port is open: 
       
      If($socket.Connected) { “$ip port $port open”
      $socket.Close() }
      else { “$ip port $port not open ” }
      }
    10. Create the CSV output file reporting on desired open port: 
       
      }) | Out-File C:\reports\portscan.csv

The following is the above script in its entirety:

$port = (enter port value)
$network = “enter network value”
$range = 1..254
$ErrorActionPreference= ‘silentlycontinue’
$(Foreach ($add in $range)
{ $ip = “{0}.{1}” –F $network,$add
Write-Progress “Scanning Network” $ip -PercentComplete (($add/$range.Count)*100)
If(Test-Connection –BufferSize 32 –Count 1 –quiet –ComputerName $ip)
{ $socket = new-object System.Net.Sockets.TcpClient($ip, $port)
If($socket.Connected) { “$ip port $port open”
$socket.Close() }
else { “$ip port $port not open ” }
}
}) | Out-File C:\reports\portscan.csv

 
Again this is a rudimentary report output that can be utilized to begin the conversation with organizational decision makers regarding needed investments. Do comment below on additional tips or script edits.  

1 Comment
Visitor

I wrote a Workflow not too long ago doing just this. Using a Workflow allowed me to use foreach -parallel which substantially sped up the process. Let me know if we can start an Nmap project in Pwsh...