@sonjz
Last active January 14, 2022 07:02
Revisions

  1. sonjz revised this gist Jun 12, 2018. 2 changed files with 73 additions and 31 deletions.
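--- a/Test-VPNFilterComebackPorts.ps1
+++ b/Test-VPNFilterComebackPorts.ps1
@@ -0,0 +1,73 @@
+#Requires -RunAsAdministrator
+
+# description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
+# by default it will hit the external IP of your router, which is what VPNFilter would be scanning
+# author: github @sonjz
+
+param(
+[string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
+[int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
+[switch]$skipInstall = $false,
+[switch]$y = $false
+)
+
+Write-Host "
+VPNFilter is a vulnerability that is unintentionally installed on the router (through old firmware).
+https://www.androidcentral.com/vpnfilter-malware
+VPNFilter (Comeback) is botnet attack on port 2000 (and possibly others).
+The purpose of this script is to identify if you have router with open ports.
+Your remedy is close the ports, flash the new firmware, or get a new router.
+Here is a typical scan, compare with your own:
+Scanning ports 23,80,2000,8080 on X.X.X.X ...
+Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-12 12:24 Your Time Zone
+Initiating Parallel DNS resolution of 1 host. at 12:24
+Completed Parallel DNS resolution of 1 host. at 12:24, 0.02s elapsed
+Initiating SYN Stealth Scan at 12:24
+Scanning X-X-X-X.your.isp.com (X.X.X.X) [4 ports]
+Completed SYN Stealth Scan at 12:24, 3.93s elapsed (4 total ports)
+Nmap scan report for X-X-X-X.your.isp.com (X.X.X.X)
+Host is up.
+PORT STATE SERVICE
+23/tcp filtered telnet
+80/tcp filtered http
+2000/tcp filtered cisco-sccp
+8080/tcp filtered http-proxy
+Read data files from: C:\Program Files (x86)\Nmap
+Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
+Raw packets sent: 8 (352B) | Rcvd: 0 (0B)
+If your says ""closed"" or ""filtered"", you should be protected.
+If it says ""open"", you have a vulnerable router.
+NOTE: script requires running as Administrator mode to verify latest Powershell/nmap are installed.
+" ;
+
+if (-Not $y) {
+Read-Host "Press any key to continue ... "
+}
+
+# ensure prerequisities, set -skipInstall if you want to bypass this
+if (-Not $skipInstall) {
+Write-Host "Ensuring Latest Powershell and nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
+choco upgrade powershell -y ;
+choco upgrade nmap -y ;
+}
+
+if (-Not $routerIp) {
+Write-Host "No routerIp specified, automatically picking up your router ... " ;
+$ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
+$ipInfo ;
+
+$routerIp = $ipInfo.ip ;
+}
+
+Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
+nmap -v -Pn -p ($ports -join ",") $routerIp ;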
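Review bot: The external-address lookup `curl http://ipinfo.io/json` is sent in cleartext and its `ip` field is passed to nmap unchecked, so anyone on the network path who alters the response chooses the host this administrator-level script scans. Fetching over TLS and validating the value before use would close that: `$ipInfo = Invoke-RestMethod -Uri 'https://ipinfo.io/json'` followed by `if (-not ($ipInfo.ip -as [ipaddress])) { throw "unexpected address from ipinfo.io" }`. The same lookup line appears in the Test-VPNFilterPorts.ps1 revisions further down this page. Separately, the banner's verdict is stronger than a four-port scan supports: "open" shows an exposed service rather than an infection, and a scan of the public address run from inside the LAN may be answered by the router's LAN side, so a check from an outside network is the more reliable reading.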



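--- a/Test-VPNFilterPorts.ps1
+++ b/Test-VPNFilterPorts.ps1
@@ -1,31 +0,0 @@
-# description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
-# by default it will hit the external IP of your router, which is what VPNFilter would be scanning
-# author: github @sonjz
-
-param(
-[string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
-[int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
-[switch]$skipInstall = $false
-)
-
-# ensure prerequisities, set -skipInstall if you want to bypass this
-if (-Not $skipInstall) {
-Write-Host "Ensuring Latest Powershell and Nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
-choco upgrade powershell -y ;
-choco upgrade nmap -y ;
-}
-
-if (-Not $routerIp) {
-Write-Host "No routerIp specified, automatically picking up your router ... " ;
-$ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
-$ipInfo ;
-
-$routerIp = $ipInfo.ip ;
-}
-
-Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
-nmap -v -Pn -p ($ports -join ",") $routerIp ;
-
-Write-Host "`nNOTE: Guessing that filtered or closed is fine, open may mean you are vulnerable to VPNFilter" ;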


  2. sonjz revised this gist Jun 12, 2018. 1 changed file with 1 addition and 1 deletion.
    2 changes: 1 addition & 1 deletion Test-VPNFilterPorts.ps1
    @@ -24,7 +24,7 @@ if (-Not $routerIp) {
    }

    Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
    nmap -v -p ($ports -join ",") $routerIp ;
    nmap -v -Pn -p ($ports -join ",") $routerIp ;

    Write-Host "`nNOTE: Guessing that filtered or closed is fine, open may mean you are vulnerable to VPNFilter" ;
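Review bot: With `-Pn` on the nmap line (the variant the later revision carries forward), host discovery is skipped, so a mistyped or unreachable `$routerIp` is still reported as up with every port filtered, which the closing NOTE reads as fine. A comment on that line would make the trade-off visible, for example `# -Pn: no host discovery; an unreachable target also shows all ports as filtered`. The NOTE could also say that an all-filtered result should be checked against the address printed in the "Scanning ports" line. The hunk starts at the closing brace of a block that opens outside it.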

  3. sonjz revised this gist Jun 12, 2018. No changes.
  4. sonjz revised this gist Jun 12, 2018. 1 changed file with 18 additions and 11 deletions.
    29 changes: 18 additions & 11 deletions Test-VPNFilterPorts.ps1
    @@ -1,24 +1,31 @@
    # description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
    # by default it will hit the external IP of your router, which is what VPNFilter would be scanning
    # author: github @sonjz

    param(
    $routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
    $ports = [23, 80, 2000, 8080] # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
    [string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
    [int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
    [switch]$skipInstall = $false
    )

    # ensure prerequisities
    choco upgrade powershell -y ; # may require reboot and rerun, see messaging
    choco upgrade nmap -y ;
    # ensure prerequisities, set -skipInstall if you want to bypass this
    if (-Not $skipInstall) {
    Write-Host "Ensuring Latest Powershell and Nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
    choco upgrade powershell -y ;
    choco upgrade nmap -y ;
    }

    if ($routerIp) {
    if (-Not $routerIp) {
    Write-Host "No routerIp specified, automatically picking up your router ... " ;
    $ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
    $ipInfo ;

    $routeIp = $ipInfo.ip ;
    $routerIp = $ipInfo.ip ;
    }

    Write-Host "Scanning ports $($ports.join(",")) on $routerIp ..." ;
    nmap -v -p $ports.join(",") $routerIp ;

    Write-Host "Guessing that filtered or closed is fine, open may mean you are vulnerable to VPNFilter" ;
    Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
    nmap -v -p ($ports -join ",") $routerIp ;

    Write-Host "`nNOTE: Guessing that filtered or closed is fine, open may mean you are vulnerable to VPNFilter" ;
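Review bot: The `-skipInstall` guard still upgrades PowerShell and nmap by default with `-y`, so a port check changes installed software unattended unless the caller opts out. Nothing checks that Chocolatey is present before it is called. Failing clearly first, with `if (-not (Get-Command choco -ErrorAction SilentlyContinue)) { throw "Chocolatey not found; install it or pass -skipInstall" }`, or making the upgrade opt-in, would keep the default run limited to the scan itself.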


  5. sonjz created this gist Jun 12, 2018.
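--- a/Test-VPNFilterPorts.ps1
+++ b/Test-VPNFilterPorts.ps1
@@ -0,0 +1,24 @@
+param(
+$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
+$ports = [23, 80, 2000, 8080] # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
+)
+
+# ensure prerequisities
+choco upgrade powershell -y ; # may require reboot and rerun, see messaging
+choco upgrade nmap -y ;
+
+if ($routerIp) {
+Write-Host "No routerIp specified, automatically picking up your router ... " ;
+$ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
+$ipInfo ;
+
+$routeIp = $ipInfo.ip ;
+}
+
+Write-Host "Scanning ports $($ports.join(",")) on $routerIp ..." ;
+nmap -v -p $ports.join(",") $routerIp ;
+
+Write-Host "Guessing that filtered or closed is fine, open may mean you are vulnerable to VPNFilter" ;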
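Review bot: The auto-detect branch is guarded by `if ($routerIp)`, so it runs only when an address was already supplied, and it stores the result in `$routeIp`, which leaves nmap with an empty target when no argument is given. The guard and the assignment should read `if (-not $routerIp) {` and `$routerIp = $ipInfo.ip ;`. The default `$ports = [23, 80, 2000, 8080]` is also not a PowerShell array literal, and `.join(",")` is not an array method. `@(23, 80, 2000, 8080)` with `$ports -join ","` is the working form.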