Welcome back to Programming Thursdays, where we dive into the world of programming languages and their applications in the field of red teaming and pen testing. Today, we’ll be discussing PowerShell Scripting - a powerful language that can help you automate various tasks and expedite your pen testing and red teaming activities.

In this article, we’ll cover the basic concepts and syntax of PowerShell, including variables and data types, operators, control structures, and functions. We’ll also discuss how PowerShell can be used for pen testing and red teaming, and provide specific code examples for a port scanner, password cracker, and web crawler. Lastly, we’ll explore the pros and cons of PowerShell compared to other programming languages used in pen testing and red teaming.

So, without further ado, let’s get started!

Basic Concepts and Syntax

PowerShell is a command-line shell and scripting language developed by Microsoft for Windows operating systems. It provides a powerful set of features for system administrators and developers to automate tasks and manage Windows-based environments.

Variables and Data Types

Like most programming languages, PowerShell has variables, which can store data of various types. The most commonly used data types in PowerShell are:

  • Strings: A sequence of characters enclosed in double or single quotes. For example, “Hello, world!” or ‘12345’.
  • Integers: A whole number without a fractional component. For example, 42 or -99.
  • Floats: A number with a fractional component. For example, 3.14 or -0.01.
  • Booleans: A value that can be either True or False. To declare a variable in PowerShell, you simply use the $ symbol followed by the variable name, like this:
$myString = "Hello, world!"
$myInt = 42
$myFloat = 3.14
$myBool = $true

Operators

PowerShell supports a variety of operators, including arithmetic, comparison, and logical operators. Some of the most commonly used operators include:

  • Arithmetic Operators: + (addition), - (subtraction), * (multiplication), / (division), % (modulus).
  • Comparison Operators: -eq (equal), -ne (not equal), -gt (greater than), -lt (less than), -ge (greater than or equal to), -le (less than or equal to).
  • Logical Operators: -and (logical and), -or (logical or), -not (logical not).

Control Structures

PowerShell supports various control structures, such as If-Else statements, For loops, and While loops. These structures can be used to conditionally execute code and control the flow of the script.

For example:

if ($myInt -gt 0) {
    Write-Host "The value of myInt is positive."
} else {
    Write-Host "The value of myInt is negative or zero."
}

for ($i = 1; $i -le 10; $i++) {
    Write-Host $i
}

while ($myBool -eq $true) {
    # do something
}

Functions

Functions are a fundamental building block of PowerShell scripts. They allow you to define a block of code that can be called multiple times within the script. Here’s an example of a function that takes two arguments and returns their sum:

function Add-Numbers {
    param($num1, $num2)
    $sum = $num1 + $num2
    return $sum
}

$result = Add-Numbers 3 4
Write-Host "The sum is $result"

Pen Testing and Red Teaming with PowerShell

Now that we’ve covered the basics of PowerShell, let’s explore how it can be used for pen testing and red teaming.

PowerShell’s versatility makes it an excellent tool for various tasks, including network scanning, password cracking, and web crawling. It can also be used for tasks such as exploiting vulnerabilities, launching attacks, and manipulating data.

Port Scanner

One of the most common tasks in pen testing is port scanning. A port scanner is a tool that checks a range of IP addresses and associated ports to determine which ones are open or closed. PowerShell can be used to create a simple port scanner that checks a range of IP addresses and ports.

$ips = "192.168.1.1-10"
$ports = 1..1024

foreach ($ip in $ips) {
    foreach ($port in $ports) {
        $socket = New-Object Net.Sockets.TcpClient
        $connection = $socket.BeginConnect($ip, $port, $null, $null)
        $result = $connection.AsyncWaitHandle.WaitOne(1000,$false)
        if ($result -eq $true) {
            Write-Host "$ip:$port is open"
        }
        $socket.Close()
    }
}

This script checks the range of IP addresses specified in the $ips variable and the ports specified in the $ports variable. It uses theTcpClient class to attempt a connection to each IP address and port combination. If the connection is successful, the script outputs a message indicating that the port is open.

Password Cracker

Another task that pen testers and red teamers often face is cracking passwords. PowerShell can be used to create a password cracking tool that can brute force passwords using a dictionary attack.

$passwords = Get-Content "C:\passwords.txt"
$usernames = Get-Content "C:\usernames.txt"
$hash = "hash"

foreach ($username in $usernames) {
    foreach ($password in $passwords) {
        $test = "$username:$password"
        $testHash = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($test))
        if ($testHash -eq $hash) {
            Write-Host "Found password: $password for user: $username"
            break
        }
    }
}

This script reads in a list of usernames and passwords from text files and a hashed password that needs to be cracked. It then iterates over each combination of username and password, hashes the combination, and compares it to the target hash. If a match is found, the script outputs the password and username.

Web Crawler

Web crawling is another common task in pen testing and red teaming. PowerShell can be used to create a simple web crawler that can scrape web pages and extract information.

$url = "https://www.example.com"
$links = @($url)

while ($links.Count -gt 0) {
    $current = $links[0]
    $links = $links[1..($links.Count - 1)]
    $response = Invoke-WebRequest -Uri $current
    $response.Links | ForEach-Object {
        $link = $_.href
        if ($link.StartsWith("/") -or $link.StartsWith($url)) {
            if (!$links.Contains($link)) {
                $links += $link
                Write-Host $link
            }
        }
    }
}

This script starts by specifying a URL to start the crawl. It then uses Invoke-WebRequest to retrieve the web page’s HTML and extract all the links on the page. The script then iterates over each link, adding it to the list of links to be crawled if it hasn’t already been crawled. This process continues until all links have been crawled.

Pros and Cons of PowerShell in Pen Testing and Red Teaming

PowerShell offers several advantages and disadvantages when compared to other programming languages used in pen testing and red teaming.

Pros:

  • Integration with Windows operating system: PowerShell is native to Windows, which means it integrates seamlessly with other Windows tools and systems.
  • Versatility: PowerShell can be used for a wide range of tasks, including system administration, network scanning, and web crawling.
  • Ease of use: PowerShell’s syntax is relatively easy to learn, even for those with limited programming experience.
  • Community support: PowerShell has a large and active community of users who create and share scripts, tools, and modules.

Cons:

  • Limited cross-platform support: While PowerShell can be run on non-Windows systems, its support and functionality are limited compared to other programming languages.
  • Security concerns: PowerShell’s power and versatility can make it a popular tool for attackers, which has led some organizations to disable or restrict its use.
  • Performance: While PowerShell is fast enough for most tasks, it may not be the best choice for high-performance or resource-intensive tasks.

Conclusion

PowerShell is a powerful tool for pen testers and red teamers, providing a wide range of functionality and ease of use. Its integration with the Windows operating system and large community of users make it an attractive option for those looking to automate tasks and expedite their workflows.

In this article, we covered the basic concepts and syntax of PowerShell, including variables and data types, operators, control structures, and functions. We also provided specific code examples for a port scanner, password cracker, and web crawler.

While PowerShell has its pros and cons, it’s clear that it’s a valuable tool for those in the field of pen testing and red teaming. By leveraging PowerShell’s power and versatility, you can automate tasks, save time, and improve the efficiency of your workflows.