Skip to main content


Showing posts from 2009

Powershell Port Scan

Ed Skoudis used the for loop to create an ftp script for the ftp command in order to do a port scan. I did an modification to it so that it didn't require the script file and no files were written to the file system. You can find that posting here:

In my quest to port the Kung Fu of Mr. Skoudis in to powershell I came up with this command:

1..1024 | % { echo ((new-object Net.Sockets.TcpClient).Connect("",$_)) "$_ is open" } 2>out-null
If you have been following the previous entries there isn't anything fancy here, except one handy little trick that has to do with the output from the echo command. If you look closely you see that the command attempts to write the output of the connection as well as the string at the end. If the first portion throws an error, then the second part isn't output. Here is a simple example with the output.
PS C:\> echo (1+1) (2+2)
If we replace the (1…

Powershell NSLookup Brute Force

Stealing two other commands from Mr. Skoudis we can do an nslookup of each host in a range.

for /L %i in (1,1,255) do @echo 10.10.10.%i: & @nslookup 10.10.10.%i 2>nul | find "Name"

for /L %i in (1,1,255) do @nslookup 10.10.10.%i 2>nul | find "Name" && echo 10.10.10.%i

The first command shows each IP as it is looked up. The second only shows those that successfully resolve.
Here is the powershell version and it's output:

1..255 | % { [System.Net.Dns]::GetHostByAddress("10.10.10.$_") } 2> Out-Null | Format-List
HostName    :
Aliases     : {,,,}
AddressList : {}

You'll notice a big difference from the first output. The standard nslookup just returns one result, while the powershell version gets all the aliases. We may not have ever known about …

Powershell Ping Sweep

Ed Skoudis came up with some fantastic Command Line Kung Fu for Windows to do some basic scanning. Powershell is becoming more and more common so I decided to port these commands to powershell. I think Ed would agree that the standard windows commands can be rather painful and aren't easily extensible (blasted windows) and I hoped to make it slightly less agonizing. In order to make it easier to understand, I won't use the shortcuts in my examples for the foreach-object cmdlet (%) or where-object cmdlet (?).

The first CLKF I thought I would tackle was the ping sweep. You can check out the great write-up over at the Command Line Kung Fu Blog.

Taken from the blog, here is the Windows command to do ping sweep at the command line and its associated output:

C:\>for /L %i in (1,1,255) do @ping -n 1 10.10.10.%i | find "Reply"

Reply from bytes=32 time=4ms TTL=64
Reply from 192.168.1.…

VMware Login via AD

I put this together in order to integrate the login from VMWare into AD.

To setup the ESX server for AD authentication the following steps need to be taken. NTP needs to be done first so the server has a time close to that of the domain controller. The ntp ports need to be opened via the gui and the deamon needs to be started as well.

Allow the ntp client access through the firewall
In the GUI under the Configuration tab click on Security Profile then click on Properties… on the top right. A Firewall Options window will open.  Click the checkbox next to NTP Client.

Edit the ntp configuration file located at /etc/ntp.conf

Under servers add the same servers the domain uses for ntp (i.e. and
restrict default kod nomodify notrap
fudge line
server #local clock
restrict default kod nomodify notrap

Edit the steptickers file located at /etc/ntp/step-tickers
add the same servers the do…

Brute Force ESX Username/Password

This script will brute force the connection to ESX. You can either give it a single username or a username file. Similarly, you can either give it a single password or a password file. You also have the ability to define how many jobs will run in parallel.

#Description: Powershell Simple VMware ESX Login Brute Force Script
#Version: 1.0
#Author: Tim Medin
#Email: TimMedin A@T securitywhole D.O.T com
#Parameter Declaration
param (
[string] $Server= $(Read-Host -prompt "Server"),
[string] $User,
[string] $Password,
[string] $UsersFile,
[string] $PasswordsFile,
[int] $MaxJobs= 10

# Function to handle the jobs once they complete
# As the jobs finish (Completed, or Failed) they are handled by this…

Finding Old or Unused Accounts with Powershell v2

Here is a version that was 200 times faster in my environment. Depending on the number of domain controllers it could be even faster for you. It does one big query for each domain controller and then compiles the results. The original script took 45 minutes, this version took 13 seconds.

This script returns a list with all users and their last logon date/time. You can then filter by logon's older than a certain date/time, sort, or export it.

$dcs = [System.DirectoryServices.ActiveDirectory.Domain]::getcurrentdomain().DomainControllers | select name
$startdate = get-date('1/1/1601')
$lst = new-Object System.Collections.ArrayList
foreach ($dc in $dcs) {
 $root = [ADSI] "LDAP://$($dc.Name):389"
 $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
 $searcher.filter = "(&(objectCategory=person)(objectClass=user))"
 $searcher.PropertiesToLoad.Add("name") | out-null
 $searcher.PropertiesToLoad.Add("LastLogon") | out-null

Finding Old or Unused Accounts with Powershell

Recently I tried to find accounts that haven't been used in a long time. In order to do this I wrote a powershell script to get the last logon time for all accounts in the domain. The problem is, each domain controller contains a different time for the Last Logon depending on which was used as the logon server. In order to get an accurate time we need to get the last logon from each domain controller for each user. This is NOT a fast process. If there are 500 users and 4 domain controllers that is 2000 requests. On top of that some of the domain controllers might be a different location with a slower WAN link which will make it go even slower.

Note: This script requires Quest Software's Active Directory cmdlets. You can download it from here:

Add-PSSnapIn Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue
$dcs = Get-QADComputer -ComputerRole DomainController $users = Get-QADUser -SizeLimit 0
#$ErrorActionPreference =…

Make Windows more secure, use a blank password

Today I was attacking and pillaging a test windows machine from a linux box. Many windows machines are setup with a blank administrator password since people just hit the enter key when they are prompted for a password. I was testing to see what happens on these machines with this configuration. I also created another account with a blank password.

Using either of these accounts I was able to connect to manually created shares, but not to the admin shares (c$, d$, admin$). Beginning with Windows XP Home edition and later non-server editions of Windows, Windows implements the "ForceGuest" feature when the local Administrator account has a blank password. When a remote user authenticates to Windows XP (and later) as Administrator with a blank password (e.g. by mapping to one of the administrative shares), Windows will assign to their session a Guest access token, not an Administrator access token thereby preventing access to the entire C drive (a good thing).

These home users wh…

Rickroll Meterpreter Script

In order to be well prepared for April Fools day I decided to put out a rickroll meterpreter script.

It defaults to looking for rickroll.mp3 in the metasploit framework root directory, but you can use another file with the -f option. I don't parse out the name so you will have to copy it into the metasploit directory.

You can also use any file format supported by windows media player so you can have it play a wmv (even better). By default the process is hidden, but you can make it visible with a -v option.

New Features!
And just for added fun, throw in a -k to disable the keyboard or -m to disable the mouse or you can go all in by using the -e to disable the mouse and keyboard and save precious keystrokes.

Here is the file:

Put it in framework3/meterpreter/scripts

# Provided by Tim Medin at timmedin[at]gmail [dot] com
# Uploads the rick roll'ing mp3 and then runs it as a hidden process
# You can also upload a different file (like a wmv video) and have it display -v
# K…