Skip to content

Instantly share code, notes, and snippets.

Show Gist options
  • Save chase2981/daa1f14adeef6cea1dc40d32c1d2a39e to your computer and use it in GitHub Desktop.
Save chase2981/daa1f14adeef6cea1dc40d32c1d2a39e to your computer and use it in GitHub Desktop.
Powershell - VPNFilter PortScan
#Requires -RunAsAdministrator
# description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
# by default it will hit the external IP of your router, which is what VPNFilter would be scanning
# author: github @sonjz
param(
[string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
[int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
[switch]$skipInstall = $false,
[switch]$y = $false
)
Write-Host "
VPNFilter is a vulnerability that is unintentionally installed on the router (through old firmware).
https://www.androidcentral.com/vpnfilter-malware
VPNFilter (Comeback) is botnet attack on port 2000 (and possibly others).
The purpose of this script is to identify if you have router with open ports.
Your remedy is close the ports, flash the new firmware, or get a new router.
Here is a typical scan, compare with your own:
Scanning ports 23,80,2000,8080 on X.X.X.X ...
Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-12 12:24 Your Time Zone
Initiating Parallel DNS resolution of 1 host. at 12:24
Completed Parallel DNS resolution of 1 host. at 12:24, 0.02s elapsed
Initiating SYN Stealth Scan at 12:24
Scanning X-X-X-X.your.isp.com (X.X.X.X) [4 ports]
Completed SYN Stealth Scan at 12:24, 3.93s elapsed (4 total ports)
Nmap scan report for X-X-X-X.your.isp.com (X.X.X.X)
Host is up.
PORT STATE SERVICE
23/tcp filtered telnet
80/tcp filtered http
2000/tcp filtered cisco-sccp
8080/tcp filtered http-proxy
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
Raw packets sent: 8 (352B) | Rcvd: 0 (0B)
If your says ""closed"" or ""filtered"", you should be protected.
If it says ""open"", you have a vulnerable router.
NOTE: script requires running as Administrator mode to verify latest Powershell/nmap are installed.
" ;
if (-Not $y) {
Read-Host "Press any key to continue ... "
}
# ensure prerequisities, set -skipInstall if you want to bypass this
if (-Not $skipInstall) {
Write-Host "Ensuring Latest Powershell and nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
choco upgrade powershell -y ;
choco upgrade nmap -y ;
}
if (-Not $routerIp) {
Write-Host "No routerIp specified, automatically picking up your router ... " ;
$ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
$ipInfo ;
$routerIp = $ipInfo.ip ;
}
Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
nmap -v -Pn -p ($ports -join ",") $routerIp ;
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment