Invoke-Portscan - Empire Module

This page contains detailed information about how to use the powershell/situational_awareness/network/portscan Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-Portscan
Module: powershell/situational_awareness/network/portscan
Source code [1]: empire/server/modules/powershell/situational_awareness/network/portscan.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/network/Invoke-Portscan.ps1
MITRE ATT&CK: T1046
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: Yes

The portscan module does a simple port scan using regular sockets, based (pretty) loosely on nmap.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the portscan module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the portscan module:

Agent
Agent to run module on.

Additional Module Options

---

This is a list of additional options that are supported by the portscan module:

AllformatsOut
Output file of all formats.

ExcludeHosts
Exclude thsee comma separated hosts.

GrepOut
Greppable (.gnmap) output file.

HostFile
Input hosts from file (on the target).

Hosts
Hosts to scan.

Open
Switch. Only show hosts with open ports.
Default value: True.

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

PingOnly
Switch. Ping only, don't scan for ports.

Ports
Comma separated ports to scan for.

ReadableOut
Readable (.nmap) output file.

SkipDiscovery
Switch. Treat all hosts as online.

TopPorts
Scan for X top ports, default 50.

XmlOut
.XML output file.

Portscan Example Usage

---

Here's an example of how to use the portscan module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/network/portscan

 Author       Rich Lundeen                                                           
 Background   True                                                                   
 Comments     https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke 
              -Portscan.ps1                                                          
 Description  Does a simple port scan using regular sockets, based (pretty) loosely  
              on nmap.                                                               
 Language     powershell                                                             
 Name         powershell/situational_awareness/network/portscan                      
 NeedsAdmin   False                                                                  
 OpsecSafe    True                                                                   
 Techniques   http://attack.mitre.org/techniques/T1046                               


,Record Options--,------------,----------,-------------------------------------,
| Name           | Value      | Required | Description                         |
|----------------|------------|----------|-------------------------------------|
| Agent          |            | True     | Agent to run module on.             |
|----------------|------------|----------|-------------------------------------|
| AllformatsOut  |            | False    | Output file of all formats.         |
|----------------|------------|----------|-------------------------------------|
| ExcludeHosts   |            | False    | Exclude thsee comma separated       |
|                |            |          | hosts.                              |
|----------------|------------|----------|-------------------------------------|
| GrepOut        |            | False    | Greppable (.gnmap) output file.     |
|----------------|------------|----------|-------------------------------------|
| HostFile       |            | False    | Input hosts from file (on the       |
|                |            |          | target)                             |
|----------------|------------|----------|-------------------------------------|
| Hosts          |            | False    | Hosts to scan.                      |
|----------------|------------|----------|-------------------------------------|
| Open           | True       | False    | Switch. Only show hosts with open   |
|                |            |          | ports.                              |
|----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False    | PowerShell's output function to use |
|                |            |          | ("Out-String", "ConvertTo-Json",    |
|                |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                |            |          | "ConvertTo-Xml").                   |
|----------------|------------|----------|-------------------------------------|
| PingOnly       |            | False    | Switch. Ping only, don't scan for   |
|                |            |          | ports.                              |
|----------------|------------|----------|-------------------------------------|
| Ports          |            | False    | Comma separated ports to scan for.  |
|----------------|------------|----------|-------------------------------------|
| ReadableOut    |            | False    | Readable (.nmap) output file.       |
|----------------|------------|----------|-------------------------------------|
| SkipDiscovery  |            | False    | Switch. Treat all hosts as online.  |
|----------------|------------|----------|-------------------------------------|
| TopPorts       |            | False    | Scan for X top ports, default 50.   |
|----------------|------------|----------|-------------------------------------|
| XmlOut         |            | False    | .XML output file.                   |
'----------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/situational_awareness/network/portscan) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/network/portscan) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• Rich Lundeen

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/network/portscan.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/network/Invoke-Portscan.ps1
• https://github.com/mattifestation/PowerSploit/blob/master/Recon/Invoke-Portscan.ps1
• http://attack.mitre.org/techniques/T1046
• http://webstersProdigy.net
• http://webstersprodigy.net
• http://www.nivot.org/blog/post/2009/10/09/PowerShell20AsynchronousCallbacksFromNET

See Also

---

Check also the following modules related to this module:

• powershell/situational_awareness/network/bloodhound3
• powershell/situational_awareness/network/arpscan
• powershell/situational_awareness/network/reverse_dns
• powershell/situational_awareness/network/get_sql_server_info
• powershell/situational_awareness/network/smbscanner
• powershell/situational_awareness/network/bloodhound
• powershell/situational_awareness/network/get_kerberos_service_ticket
• powershell/situational_awareness/network/get_sql_instance_domain
• powershell/situational_awareness/network/smblogin
• powershell/situational_awareness/network/smbautobrute
• powershell/situational_awareness/network/get_spn

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.