


Develop a set of PowerShell Scripts to Scan URL Ports, Host Headers & Cookies and PKI Certificate Properties

Article authored by Agustín Hernán Borrajo on 01-13-2022



STEP_01 : Discover PowerShell commands capable of performing IP and port interactions

[ 01a ] : Test-Connection sends an ICMP echo request (a ping). Issue it only against hosts you own or are authorised to test:

PS C:\> Test-Connection -BufferSize 32 -Count 1 -quiet -ComputerName "192.168.0.1"
True
PS C:\> Test-Connection -BufferSize 32 -Count 1 -quiet -ComputerName "192.168.0.2"
False

[ 01b ] : Test-Connection only tells you whether a host answers ICMP; to probe a TCP port the script has to open a socket to it. Running a script from a file also requires an execution policy that allows it:

Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope CurrentUser # ALLOW # RUN PowerShell scripts (RemoteSigned is enough for scripts you wrote locally and is the less permissive choice)
Set-ExecutionPolicy -ExecutionPolicy Undefined -Scope CurrentUser # -REVERT- # removes the CurrentUser policy, so the machine/default policy (Restricted on Windows clients) applies again and BLOCKS scripts

1.ps1

$line = "--------------------------------------------------------------------------"
Write-Output $line
$portInput = Read-Host -Prompt ' Enter Port Number(s) to be scanned ( e.g.: 23,80,443 ) '
$ip = Read-Host -Prompt ' Enter IP/URL Address to be scanned ( e.g.: 192.168.0.1 ) '
$ErrorActionPreference = 'SilentlyContinue'   # hides the exception TcpClient throws when a connection is refused or times out
Write-Output $line
Write-Output "Scanning Network $ip"
# ICMP first. A host that drops ICMP shows up as False here even if it has open TCP ports.
$t = Test-Connection -BufferSize 32 -Count 1 -Quiet -ComputerName $ip
Write-Output "Test Connection for $ip is $t"
Write-Output $line
# Test the boolean itself. The original If("$t") tested the STRING "False", which is non-empty and
# therefore always true, so the socket branch ran even for hosts that never answered the ping.
If ($t)
{
    # The prompt accepts a comma-separated list; each port gets its own socket
    foreach ($port in ($portInput -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }))
    {
        $socket = New-Object System.Net.Sockets.TcpClient($ip, [int]$port)   # throws (silently) if the connect fails
        Write-Output $socket
        Write-Output $line
        # A completed TCP handshake means the port is OPEN. A filtered port never gets here: the constructor
        # blocks until the connect attempt times out, then throws, and $socket stays $null.
        If ($socket.Connected) { Write-Output "Port $port is OPEN on $ip"
            $socket.Close() }
        else { Write-Output "Port $port is CLOSED or FILTERED on $ip" }
        Write-Output $line
        tnc $ip -Port $port   # Test-NetConnection: an independent ICMP + TCP check of the same port
        Write-Output $line
    }
}



[ 01c ] : Run 1.ps1 to find out which hosts answer and which TCP ports they are listening on

PS C:\> powershell -file 1.ps1
--------------------------------------------------------------------------
Enter Port Number to be scanned ( e.g.: 23,80,443 ) : 80
Enter IP/URL Address to be scanned ( e.g.: 192.168.0.1 ) : 192.168.0.1
--------------------------------------------------------------------------
Scanning Network 192.168.0.1
Test Connection for 192.168.0.1 is True
--------------------------------------------------------------------------
Client              : System.Net.Sockets.Socket
Available           : 0
Connected           : True
ExclusiveAddressUse : False
ReceiveBufferSize   : 65536
SendBufferSize      : 65536
ReceiveTimeout      : 0
SendTimeout         : 0
LingerState         : System.Net.Sockets.LingerOption
NoDelay             : False
--------------------------------------------------------------------------
Port 80 is OPEN on 192.168.0.1
--------------------------------------------------------------------------
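The 1.ps1 approach cannot tell a closed port from a filtered one (both just make the TcpClient constructor throw), it has no timeout of its own, and it never scans a host that drops ICMP. The function below is an added example, not code from the original article: it uses BeginConnect with a wait handle so a refused connection (RST) reports "closed", a silent drop reports "filtered" after the timeout, and a completed handshake reports "open", with no ping gate. The function name Test-TcpPorts and its parameters are assumptions for this example; 192.168.0.1 is the address used in the run above.

```powershell
# Added example (not part of the original 1.ps1): TCP connect scan that distinguishes open / closed / filtered.
function Test-TcpPorts {
    param(
        [Parameter(Mandatory)][string]$Target,      # IP address or host name
        [Parameter(Mandatory)][int[]]$Ports,
        [int]$TimeoutMs = 1000                       # how long to wait for SYN/ACK or RST before calling it filtered
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        $state = 'unknown'
        try {
            # Asynchronous connect so we control the timeout ourselves instead of waiting on the OS default
            $ar = $client.BeginConnect($Target, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($ar)              # throws a SocketException if the connect failed (e.g. RST received)
                $state = 'open'                      # three-way handshake completed: something is listening
            } else {
                $state = 'filtered'                  # neither SYN/ACK nor RST within the timeout: dropped by a firewall, or host down
            }
        } catch {
            # PowerShell wraps .NET exceptions; walk down to the SocketException to read the error code
            $ex = $_.Exception
            while ($ex -and -not ($ex -is [System.Net.Sockets.SocketException])) { $ex = $ex.InnerException }
            if ($ex -and $ex.SocketErrorCode -eq [System.Net.Sockets.SocketError]::ConnectionRefused) {
                $state = 'closed'                    # RST came back: host is up, nothing listens on this port
            } elseif ($ex) {
                $state = "error: $($ex.SocketErrorCode)"   # e.g. HostNotFound, NetworkUnreachable
            } else {
                $state = "error: $($_.Exception.Message)"
            }
        } finally {
            $sw.Stop()
            $client.Close()                          # also aborts a still-pending connect after a timeout
        }
        [pscustomobject]@{ Target = $Target; Port = $port; State = $state; Ms = $sw.ElapsedMilliseconds }
    }
}

# Usage: scan the page's example address on a few ports (run only against hosts you are authorised to test)
Test-TcpPorts -Target '192.168.0.1' -Ports 22, 23, 80, 443 -TimeoutMs 1000 | Format-Table -AutoSize
```

A "filtered" result takes the full timeout, so keep it short on a LAN and longer across the Internet; a host that is down looks filtered on every port, which is the same thing a firewall dropping SYNs looks like, so compare against a port you know is open on that host before drawing conclusions.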



STEP_02 : Develop a script capable of interacting with WebRequests, Responses & Headers


2.ps1

$ErrorActionPreference = 'SilentlyContinue'   # hides the WebException a 4xx/5xx status raises; failures then show up as blank output
$line = "----------------"
$line = $line+$line+$line+$line
$line
$url = Read-Host -Prompt ' Enter URI address to be scanned ( e.g.: https://www.google.com ) '
$line
$line = $line+$line
$line
$url
$webRequest = [System.Net.WebRequest]::Create("$url")
# Without a CookieContainer the response's Cookies collection is always empty, whatever Set-Cookie headers arrive
$webRequest.CookieContainer = New-Object System.Net.CookieContainer
$line
"webRequest.GetResponse"
$line
$response = $webRequest.GetResponse()
$response | Out-String -Width 4096
$response.Cookies | Format-Table Name, Value, Domain, Path, Secure, HttpOnly -AutoSize   # empty when the server sets no cookies
$response.Close()   # release the connection; the original left the response open
$line
"webRequest Parsing headers"
$line
# -UseBasicParsing skips the Internet Explorer DOM parser that Windows PowerShell 5.1 otherwise loads.
# Invoke-WebRequest follows redirects, so the status and headers shown belong to the final URL.
$Invoking = Invoke-WebRequest $url -UseBasicParsing
$Statcode = $Invoking.StatusCode
"HTTP Status Code = $Statcode"
$line
$Invoking.Headers
" "
$line



[ 02a ] : Run 2.ps1 to read the WebRequest response object and the parsed headers of different sites

PS C:\> powershell -file 2.ps1
----------------------------------------------------------------
Enter URI address to be scanned ( e.g.: https://www.google.com ) : https://agufire.000webhostapp.com/
----------------------------------------------------------------
-------------------------------------------------------------------------------------------------------
https://agufire.000webhostapp.com/
-------------------------------------------------------------------------------------------------------
webRequest.GetResponse
-------------------------------------------------------------------------------------------------------

IsMutuallyAuthenticated : False
Cookies                 : {}
Headers                 : {Transfer-Encoding, Connection, X-Xss-Protection, X-Content-Type-Options...}
SupportsHeaders         : True
ContentLength           : -1
ContentEncoding         : 
ContentType             : text/html; charset=UTF-8
CharacterSet            : UTF-8
Server                  : awex
LastModified            : 12/28/2021 8:58:58 PM
StatusCode              : OK
StatusDescription       : OK
ProtocolVersion         : 1.1
ResponseUri             : https://agufire.000webhostapp.com/
Method                  : GET
IsFromCache             : False

-------------------------------------------------------------------------------------------------------
webRequest Parsing headers
-------------------------------------------------------------------------------------------------------
HTTP Status Code = 200
-------------------------------------------------------------------------------------------------------

Key                    Value
---                    -----
Transfer-Encoding      chunked                         
Connection             keep-alive                      
X-Xss-Protection       1; mode=block                   
X-Content-Type-Options nosniff                         
X-Request-ID           b52f9899015c42e54823ec093a9dd677
Accept-Ranges          bytes                           
Content-Type           text/html; charset=UTF-8        
Date                   Tue, 28 Dec 2021 23:58:58 GMT   
Server                 awex                            

-------------------------------------------------------------------------------------------------------
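Listing the headers is only the first half of the job; the useful part is checking them. The block below is an added example, not code from the original 2.ps1: Test-SecurityHeaders takes the headers dictionary that Invoke-WebRequest returns (or any hashtable) and flags missing hardening headers and version disclosure, and Test-SetCookieAttributes parses raw Set-Cookie values for the Secure, HttpOnly and SameSite attributes. The sample header table is the one printed in the run above, copied into a hashtable so the functions run offline; the three Set-Cookie lines are constructed for the example and were not sent by that site. Both function names are assumptions for this example.

```powershell
# Added example (not part of the original 2.ps1): audit response headers and Set-Cookie attributes.
function Test-SecurityHeaders {
    param([Parameter(Mandatory)]$Headers)    # hashtable, or the Dictionary from (Invoke-WebRequest ... -UseBasicParsing).Headers
    $h = @{}
    foreach ($k in $Headers.Keys) { $h[$k.ToLower()] = [string]$Headers[$k] }   # case-insensitive lookup; PowerShell 7 gives string[] values, [string] joins them
    $findings = @()
    $expected = [ordered]@{
        'strict-transport-security' = 'HSTS missing: HTTPS is not enforced for returning visitors'
        'content-security-policy'   = 'CSP missing: no script-source restrictions against XSS'
        'x-frame-options'           = 'X-Frame-Options missing: page can be framed (clickjacking)'
        'x-content-type-options'    = 'X-Content-Type-Options missing: browsers may MIME-sniff responses'
        'referrer-policy'           = 'Referrer-Policy missing: full URLs leak to third parties'
    }
    foreach ($name in $expected.Keys) {
        if (-not $h.ContainsKey($name)) { $findings += $expected[$name] }
    }
    if ($h.ContainsKey('strict-transport-security') -and
        $h['strict-transport-security'] -match 'max-age=(\d+)' -and [int64]$matches[1] -lt 31536000) {
        $findings += "HSTS max-age below one year: $($h['strict-transport-security'])"
    }
    if ($h.ContainsKey('x-xss-protection')) {
        $findings += 'X-XSS-Protection present: the browser XSS filter it controls is deprecated and removed from Chromium; rely on CSP instead'
    }
    foreach ($leak in 'server', 'x-powered-by', 'x-aspnet-version') {
        if ($h.ContainsKey($leak)) { $findings += "Technology/version disclosure: $leak = $($h[$leak])" }
    }
    return $findings
}

function Test-SetCookieAttributes {
    param([Parameter(Mandatory)][string[]]$SetCookie)   # one raw Set-Cookie header value per element
    foreach ($raw in $SetCookie) {
        $parts = @($raw -split ';' | ForEach-Object { $_.Trim() })
        $name  = ($parts[0] -split '=', 2)[0]
        $attrs = @($parts | Select-Object -Skip 1)
        $secure   = [bool]($attrs -match '^Secure$')
        $httpOnly = [bool]($attrs -match '^HttpOnly$')
        $sameSite = $null
        foreach ($a in $attrs) { if ($a -match '^SameSite=(\w+)$') { $sameSite = $matches[1] } }
        $issues = @()
        if (-not $secure)   { $issues += 'no Secure flag: cookie also travels over plain HTTP' }
        if (-not $httpOnly) { $issues += 'no HttpOnly flag: readable from JavaScript, so stealable by XSS' }
        if (-not $sameSite) { $issues += 'no SameSite attribute: relies on the browser default (Lax)' }
        elseif ($sameSite -eq 'None' -and -not $secure) { $issues += 'SameSite=None without Secure: browsers reject the cookie' }
        [pscustomobject]@{ Cookie = $name; Secure = $secure; HttpOnly = $httpOnly; SameSite = $sameSite; Issues = ($issues -join '; ') }
    }
}

# Sample input: the headers printed in the run above, as a hashtable
$sampleHeaders = @{
    'Transfer-Encoding' = 'chunked'; 'Connection' = 'keep-alive'
    'X-Xss-Protection'  = '1; mode=block'; 'X-Content-Type-Options' = 'nosniff'
    'X-Request-ID'      = 'b52f9899015c42e54823ec093a9dd677'; 'Accept-Ranges' = 'bytes'
    'Content-Type'      = 'text/html; charset=UTF-8'; 'Date' = 'Tue, 28 Dec 2021 23:58:58 GMT'; 'Server' = 'awex'
}
# Constructed Set-Cookie values (not from the site above): one weak, one hardened, one invalid combination
$sampleCookies = @(
    'PHPSESSID=0123456789abcdef; Path=/',
    'sid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict',
    'track=xyz; Path=/; SameSite=None'
)
Test-SecurityHeaders -Headers $sampleHeaders
Test-SetCookieAttributes -SetCookie $sampleCookies | Format-Table -AutoSize
```

Against the sample headers this reports four missing headers (HSTS, CSP, X-Frame-Options, Referrer-Policy), the deprecated X-XSS-Protection header, and the Server value; X-Content-Type-Options is present and passes. Of the constructed cookies only sid is clean. To run it live on Windows PowerShell 5.1: `$r = Invoke-WebRequest $url -UseBasicParsing`, then `Test-SecurityHeaders $r.Headers`, and, when the response sets cookies, `Test-SetCookieAttributes $r.BaseResponse.Headers.GetValues('Set-Cookie')`. Read Set-Cookie through GetValues rather than `$r.Headers['Set-Cookie']`, which folds several cookies into one comma-joined string that cannot be split safely because Expires dates also contain commas.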


STEP_03 : Develop a script capable of interacting with PKI certificate property values

3.ps1
$ErrorActionPreference = 'SilentlyContinue'
$line = "----------------"
$line = $line+$line+$line+$line
$line
$url = Read-Host -Prompt ' Enter URI address to be scanned ( e.g.: https://www.google.com ) '
# Build the connect string from the host part only. Appending ":443" to the raw input breaks as soon as
# the input ends in "/" or carries a path (it becomes "https://host/:443"). The input must include a scheme.
$uri = [Uri]$url
$ConnectString = "https://" + $uri.Host + ":443"
$line
Write-Output "Connect String = $ConnectString"
$line
$WebRequest = [Net.WebRequest]::Create($ConnectString)
$Response = $WebRequest.GetResponse()   # performs the TLS handshake; the certificate is only populated after this
$Response.Close()
# ServicePoint.Certificate is a base X509Certificate; convert it to X509Certificate2 for the full property set.
# The original assigned the bare type name to $Cert and never used it. ServicePoint is filled in by the
# .NET Framework stack (Windows PowerShell 5.1); under PowerShell 7 (.NET Core) it stays $null, as it does
# when the handshake fails (untrusted chain, name mismatch), and every value below then prints blank
# because errors are silenced.
$Cert = [Security.Cryptography.X509Certificates.X509Certificate2]$WebRequest.ServicePoint.Certificate
$issuer = $Cert.GetIssuerName()
Write-Output "Cert Issuer = $issuer"
$Subject = $Cert.Subject
Write-Output "Cert Subject = $Subject"
$Serial = $Cert.GetSerialNumberString()
Write-Output "Cert Serial Number = $Serial"
$effective = $Cert.GetEffectiveDateString()
Write-Output "Cert Valid From Date = $effective"
$expiration = $Cert.GetExpirationDateString()
Write-Output "Cert Expiration Date = $expiration"
$public = $Cert.GetPublicKeyString()   # DER-encoded RSAPublicKey, hex
Write-Output "Cert Public Key = $public"
$certhash = $Cert.GetCertHashString()   # SHA-1 thumbprint, hex; use a SHA-256 fingerprint for pinning
Write-Output "Cert Hash = $certhash"
$line

[ 03a ] : Run 3.ps1 to read the PKI certificate property values of a site

PS C:\> powershell -file 3.ps1
----------------------------------------------------------------
Enter URI address to be scanned ( e.g.: https://www.google.com ) : https://agufire.000webhostapp.com/
----------------------------------------------------------------
Connect String = https://agufire.000webhostapp.com:443
----------------------------------------------------------------------------------------
Cert Issuer = C=US, O=DigiCert Inc, CN=RapidSSL TLS DV RSA Mixed SHA256 2020 CA-1
Cert Subject = CN=*.000webhostapp.com
Cert Serial Number = 069F27CF708F94F91AC4121D877FB070
Cert Valid From Date = 7/9/2021 9:00:00 PM
Cert Expiration Date = 8/10/2022 8:59:59 PM
Cert Public Key = 3082010A0282010100D2D5578512E9EAF0A9A6A993A
67C4C0C310F17C81A27E9D637269921AC53EF075F29705045303B10A266F4
FB64B0ED850B45D394C8E760FADE9FC8B605DBA70F3C3D86CF9A5B1CBE78C
F8A47FE5DCE296CF765EADE76FD54AC19B3A26715EF1C2E5F416BE083395F
7EFF9DC5C05E444E4D45F62FB3AC935226F18AF3BA0925A09A7A7D4491377
0868BBB53D1E89E2E3D7FF18A5FDE56DE0BB9FE78D958B4B905DF181E6F0D
AFCA62C20EAD1AA6C507DFF01F79D3E4D87AD04236A1AB20CA99591326B7E
2406BA9C2C3F20E08A85A4A655B34D26167CFBDDD1B9D40FA38CBF4016B4D
CAE3DF588A6172FE1ED7F7FBC9A7B61D1B77C86A216ED1914252D19A0BAF0
203010001
Cert Hash = F31BB747295939C1917DB461DA4DEC0D8CE1E7C1
----------------------------------------------------------------------------------------
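3.ps1 goes through an HTTP request to get at the certificate, which has two limits: ServicePoint.Certificate is not populated by PowerShell 7, and GetResponse() aborts on a certificate the machine does not trust, which is exactly the certificate you most want to inspect during an assessment. The function below is an added example, not code from the original article: it performs the TLS handshake itself with SslStream, records the chain-validation verdict in a callback instead of failing on it, and reports the negotiated protocol and cipher, the subjectAltName list, the days to expiry, the SHA-1 thumbprint the page prints and a SHA-256 fingerprint. The function name Get-TlsCertificateReport, the $script:lastSslErrors variable and the parameter names are assumptions for this example; Windows PowerShell 5.1 on .NET Framework is assumed, and it connects to the page's example host.

```powershell
# Added example (not part of the original 3.ps1): read the server certificate straight from a TLS handshake.
function Get-TlsCertificateReport {
    param(
        [Parameter(Mandatory)][string]$TargetHost,   # sent as SNI and used for the name-match check
        [int]$Port = 443,
        [int]$TimeoutMs = 5000
    )
    $script:lastSslErrors = $null
    # Record the validation verdict and return $true so the handshake completes even for a bad certificate;
    # the verdict is reported in the output instead of aborting the inspection (never do this in production code).
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:lastSslErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($TargetHost, $Port)
    $tcp.ReceiveTimeout = $TimeoutMs
    $tcp.SendTimeout = $TimeoutMs
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        # TLS 1.2 only; add -bor Tls13 on .NET Framework 4.8 / PowerShell 7 for a server that is 1.3-only
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        $ssl.AuthenticateAsClient($TargetHost, $noClientCerts, [System.Security.Authentication.SslProtocols]::Tls12, $false)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }
        $keySize = $null
        try { $keySize = $cert.PublicKey.Key.KeySize } catch { }   # .Key is unavailable for some key types on older .NET
        $sha256 = [System.Security.Cryptography.SHA256]::Create()
        $fp256 = ([System.BitConverter]::ToString($sha256.ComputeHash($cert.RawData))) -replace '-', ''
        $verdict = $script:lastSslErrors

        [pscustomobject]@{
            Host               = $TargetHost
            Port               = $Port
            Protocol           = $ssl.SslProtocol
            Cipher             = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit, $($ssl.KeyExchangeAlgorithm), $($ssl.HashAlgorithm)"
            Subject            = $cert.Subject
            Issuer             = $cert.Issuer
            SubjectAltNames    = $san
            NotBefore          = $cert.NotBefore
            NotAfter           = $cert.NotAfter
            DaysToExpiry       = [math]::Floor(($cert.NotAfter - (Get-Date)).TotalDays)
            SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName
            KeyAlgorithm       = $cert.PublicKey.Oid.FriendlyName
            KeySize            = $keySize
            ThumbprintSha1     = $cert.Thumbprint            # same value as GetCertHashString() in 3.ps1
            FingerprintSha256  = $fp256
            PolicyErrors       = "$verdict"                  # None, or e.g. RemoteCertificateChainErrors, RemoteCertificateNameMismatch
            Trusted            = ($verdict -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

# Usage: the host from the run above; connecting by IP instead of name would surface RemoteCertificateNameMismatch
Get-TlsCertificateReport -TargetHost 'agufire.000webhostapp.com' | Format-List
```

Two checks worth wiring into a scheduled run are `Trusted -eq $false` (chain or name problem as seen from this machine's trust store) and `DaysToExpiry -lt 30`; the FingerprintSha256 value is the one to record if you want to detect a silently replaced certificate later, since SHA-1 thumbprints should not be relied on for that purpose.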
