PowerShell小技巧之獲取TCP響應(類Telnet)

2020-10-29 21:01:48

字體：大中小

來源：轉載

供稿：網友

通常情況下，為了檢測指定的TCP端口是否存活，我們都是通過telnet指定的端口看是否有響應來確定，然而默認情況下win8以后的系統默認是不安裝telnet的。設想一下如果你黑進了一個服務器，上面沒裝telnet，但是為了進一步滲透進內網，需要探測內部服務器特定端口是否打開，同時你還不愿意安裝telnet，擔心引起管理員注意。那么好吧，在這個情況下你需要我的這個腳本。由于它是原生態的PowerShell語句完成，木有telnet你也照樣能檢測TCP端口的情況了。

下面首先上代碼，后面進行講解:

復制代碼代碼如下:

        =====文件名：Get-TCPResponse.ps1=====
Function Get-TCPResponse {
<# Author:fuhj(powershell#live.cn ,http://fuhaijun.com)
        .SYNOPSIS
            Tests TCP port of remote or local system and returns a response header
            if applicable
        .DESCRIPTION
            Tests TCP port of remote or local system and returns a response header
            if applicable
            If server has no default response, then Response property will be NULL
        .PARAMETER Computername
            Local or remote system to test connection
        .PARAMETER Port
            TCP Port to connect to
        .PARAMETER TCPTimeout
            Time until connection should abort
        .EXAMPLE
        Get-TCPResponse -Computername pop.126.com -Port 110

        Computername : pop.126.com
        Port         : 110
        IsOpen       : True
        Response     : +OK Welcome to coremail Mail Pop3 Server (126coms[75c606d72bf436dfbce6.....])

        Description
        -----------
        Checks port 110 of an mail server and displays header response.
    #>
    [OutputType('Net.TCPResponse')]
    [cmdletbinding()]
    Param (
        [parameter(ValueFromPipeline,ValueFromPipelineByPropertyName)]
        [Alias('__Server','IPAddress','IP','domain')]
        [string[]]$Computername = $env:Computername,
        [int[]]$Port = 25,
        [int]$TCPTimeout = 1000
    )
    Process {
        ForEach ($Computer in $Computername) {
            ForEach ($_port in $Port) {
                $stringBuilder = New-Object Text.StringBuilder
                $tcpClient = New-Object System.Net.Sockets.TCPClient
                $connect = $tcpClient.BeginConnect($Computer,$_port,$null,$null)
                $wait = $connect.AsyncWaitHandle.WaitOne($TCPtimeout,$false)
                If (-NOT $wait) {
                    $object = [pscustomobject] @{
                        Computername = $Computer
                        Port = $_Port
                        IsOpen = $False
                        Response = $Null
                    }
                } Else {
                    While ($True) {
                        #Let buffer
                        Start-Sleep -Milliseconds 1000
                        Write-Verbose "Bytes available: $($tcpClient.Available)"
                        If ([int64]$tcpClient.Available -gt 0) {
                            $stream = $TcpClient.GetStream()
                            $bindResponseBuffer = New-Object Byte[] -ArgumentList $tcpClient.Available
                            [Int]$response = $stream.Read($bindResponseBuffer, 0, $bindResponseBuffer.count)
                            $Null = $stringBuilder.Append(($bindResponseBuffer | ForEach {[char][int]$_}) -join '')
                        } Else {
                            Break
                        }
                    }
                    $object = [pscustomobject] @{
                        Computername = $Computer
                        Port = $_Port
                        IsOpen = $True
                        Response = $stringBuilder.Tostring()
                    }
                }
                $object.pstypenames.insert(0,'Net.TCPResponse')
                Write-Output $object
                If ($Stream) {
                    $stream.Close()
                    $stream.Dispose()
                }
                $tcpClient.Close()
                $tcpClient.Dispose()
            }
        }
    }
}