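├── PSpanner.ps1
└── README.md

/PSpanner.ps1:
--------------------------------------------------------------------------------
<#
.SYNOPSIS
Scan Network Devices

.DESCRIPTION
Simple Light Weight Network Scanner.

Interactive: prompts for a target (a single IP address / hostname, or a .txt
file holding one target per line) and a scan profile, then attempts a TCP
connect to each port in the chosen list and reports the ports that accepted
the connection, labelling the well-known ones.

Only scan hosts you own or are explicitly authorised to test.

.NOTES
Author: https://securethelogs.com
#>



$logo = @( "",
"__________ _________ ",
"\______ \/ _____/__________ ____ ____ ___________ ",
" | ___/\_____ \\____ \__ \ / \ / \_/ __ \_ __ \",
" | | / \ |_> > __ \| | \ | \ ___/| | \/",
" |____| /_______ / __(____ /___| /___| /\___ >__| ",
" \/|__| \/ \/ \/ \/ ",
"",

"Creator: https://securethelogs.com / @securethelogs",
"")




# Set Variables and Arrays

$ScanAll = ""

# Per-port connect timeout in milliseconds.
$waittime = 400
$liveports = @()

$destip = @()

# Common-port list. NOTE: the original list carried 1443, while the service
# table below labels 1433 (Microsoft SQL Server) -- the common scan could never
# report SQL. 1433 is scanned here so the two agree.
$Portarray = @(20,21,22,23,25,50,51,53,80,110,119,135,136,137,138,139,143,161,162,389,443,445,636,1025,1433,3389,5985,5986,8080,10000)


# Well-known services, checked in this order once a target has been scanned.
# A label is added when ANY of its ports is open. Port 119 is scanned but has
# no label (as in the original).
$serviceTable = @(
    @{ Ports = 20,21;                Label = "Port: 20,21 Service: FTP" }
    @{ Ports = 22;                   Label = "Port: 22 Service: SSH" }
    @{ Ports = 23;                   Label = "Port: 23 Service: Telnet" }
    @{ Ports = 50,51;                Label = "Port: 50,51 Service: IPSec" }
    @{ Ports = 53;                   Label = "Port: 53 Service: DNS" }
    @{ Ports = 80;                   Label = "Port: 80 Service: HTTP" }
    @{ Ports = 110;                  Label = "Port: 110 Service: POP3" }
    @{ Ports = 135,136,137,138,139;  Label = "Port: 135-139 Service: NetBIOS" }
    @{ Ports = 143;                  Label = "Port: 143 Service: IMAP4" }
    @{ Ports = 161,162;              Label = "Port: 161,162 Service: SNMP" }
    @{ Ports = 389;                  Label = "Port: 389 Service: LDAP" }
    @{ Ports = 443;                  Label = "Port: 443 Service: HTTPS" }
    @{ Ports = 445;                  Label = "Port: 445 Service: SMB" }
    @{ Ports = 636;                  Label = "Port: 636 Service: LDAPS" }
    @{ Ports = 1025;                 Label = "Port: 1025 Service: Microsoft RPC" }
    @{ Ports = 1433;                 Label = "Port: 1433 Service: SQL" }
    @{ Ports = 3389;                 Label = "Port: 3389 Service: RDP" }
    @{ Ports = 5985,5986;            Label = "Port: 5985,5986 Service: WinRM" }
    @{ Ports = 8080;                 Label = "Port: 8080 Service: HTTP Proxy" }
    @{ Ports = 10000;                Label = "Port: 10000 Service: Webmin" }
)


# Attempt one TCP connect to $ComputerName:$Port.
# Returns $true only when the three-way handshake completed within $TimeoutMs.
#
# Why the try/catch: Task.Wait() THROWS (AggregateException) when the connect
# task faults -- e.g. the port actively refuses -- and returns $false only on a
# timeout. In the original script the exception made the assignment to $Result
# fail, so $Result kept the PREVIOUS port's value: a refused port scanned right
# after an open one was reported as open. Catching the exception also keeps
# .NET error text off the console during a 65535-port scan.
# The finally block disposes the socket; the original never closed any.
function Test-TcpPort {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 400
    )

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait -> $false on timeout, $true on completion, throws on fault.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    }
    catch {
        # Refused / unreachable / unresolvable: treat as closed.
        return $false
    }
    finally {
        $client.Dispose()
    }
}



# -------------- Get the Details From The User -------------


$logo

# Get the Target/s
# ConnectAsync takes a hostname or IP, so a full URL with a scheme
# (https://...) will not resolve -- presumably "URL" in the prompt means
# hostname; the prompt text is kept as-is.

Write-Output "Please enter either an IP Address, URL or File Path (Example: C:\Temp\IPList.txt)....."

[string]$Typeofscan = Read-Host -Prompt "Target"


if ($Typeofscan -like "*txt") {

    # -LiteralPath: the user-supplied path is not treated as a wildcard pattern.
    if (-not (Test-Path -LiteralPath $Typeofscan -PathType Leaf)) {
        Write-Output "Target file not found: $Typeofscan"
        exit
    }

    # One target per line; blank lines are dropped so an empty host name is
    # never handed to ConnectAsync.
    $destip = @(Get-Content -LiteralPath $Typeofscan |
                ForEach-Object { $_.Trim() } |
                Where-Object { $_ })

}
else {

    # Single Scan
    $destip = @($Typeofscan.Trim())

}


# ------------------- Get the Ports -----------------
Write-Output "`n"
Write-Output "Option 1: Common Scan | Option 2: Full Scan (1-65535) | Options 3: Quick Scan (Less Accurate)"
Write-Output "--------------------------------------------------------------------------------------------------"

$ScanPorts = Read-Host -Prompt "Option Number"

switch ($ScanPorts) {
    '1'     { $ScanAll = "" }
    '2'     { $ScanAll = "True" }
    '3'     { $ScanAll = "Quick" }
    default { exit }    # anything else: abort, as the original did
}



# --------------- Get the Ports -------------------------------------

if ($ScanAll -eq "True") {

    $waittime = 400
    $Portarray = 1..65535

}
elseif ($ScanAll -eq "Quick") {

    # 40 ms connect timeout trades accuracy for speed: open ports on slow or
    # filtered paths can be missed, hence "Less Accurate".
    $waittime = 40
    $Portarray = 1..65535

}
# Otherwise $Portarray keeps the common-port list.



#----------------------- SCAN -----------------------------------------


Write-Output ""
Write-Output "Running Scan................"


foreach ($i in $destip) { # Scan Every Dest

    $liveports = @()

    # Resolve once up front: an unresolvable name would otherwise fail silently
    # 65535 times inside Test-TcpPort and be reported as "no ports".
    try {
        [void][System.Net.Dns]::GetHostAddresses($i)
    }
    catch {
        Write-Output "--------------------------------------------------------------------------------------------------"
        Write-Output ""
        Write-Output "Target: $i"
        Write-Output ""
        Write-Output "Could not resolve target, skipping."
        Write-Output ""
        continue
    }

    foreach ($p in $Portarray) {

        if (Test-TcpPort -ComputerName $i -Port $p -TimeoutMs $waittime) {
            $liveports += $p
        }

    } # For each Array

    # --------------- Show Known Ports ------------------------------

    $Knownservices = @()

    foreach ($svc in $serviceTable) {
        foreach ($port in $svc.Ports) {
            if ($liveports -contains $port) {
                $Knownservices += $svc.Label
                break   # one label per service, even if several of its ports are open
            }
        }
    }

    # -------------------------- Output Results ---------------------------------

    Write-Output "--------------------------------------------------------------------------------------------------"
    Write-Output ""
    Write-Output "Target: $i"
    Write-Output ""
    Write-Output "Ports Found: "
    Write-Output ""
    Write-Output $liveports
    Write-Output ""
    Write-Output ""
    Write-Output "Known Services:"
    Write-Output ""
    Write-Output $Knownservices
    Write-Output ""

} # For Each $i in DestIP


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# PSpanner

![Securethelogs.com](https://ctrla1tdel.files.wordpress.com/2020/01/image-37.png)


PSpanner is a lightweight PowerShell script which can help you identify open TCP ports. 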
I created this as certain Anti-Virus vendors block tools such as NMAP.

Network scans are often used for good and can help the blue team identify gaps and potential entry points for attackers. Only scan hosts you own or are explicitly authorised to test.

Selecting your destination

If you wish to do a single scan, enter the hostname or IP address (the script opens a TCP connection to it, so a full URL with a scheme will not resolve). At this time, it doesn't support IP ranges. If you wish to scan multiple targets, enter all destinations into a txt file, one per line.

Single Destination Scan
![singlescan](https://ctrla1tdel.files.wordpress.com/2020/01/singlescan.gif)

Multiple Destination Scan
![txtscan](https://ctrla1tdel.files.wordpress.com/2020/01/txtscan.gif)

*The IPs I took from Shodan. I don't own or advise scanning them.
They were the first ones on the site and are used as an example.


Run the following within PowerShell:

    powershell -nop -c "iex(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/securethelogs/PSpanner/master/PSpanner.ps1')"

Note that this one-liner downloads and immediately executes whatever is currently on the `master` branch, with no integrity check: anyone who can modify that branch (or intercept the download) gets code execution on your machine. Prefer to download the script first (for example `Invoke-WebRequest <url> -OutFile PSpanner.ps1`), review it, and run the local copy -- or at least pin the URL to a specific commit hash rather than `master`.

For More Information: https://securethelogs.com/pspanner-network-scanner/
--------------------------------------------------------------------------------