sonjz/Test-VPNFilterComebackPorts.ps1

## Test-VPNFilterComebackPorts.ps1
#Requires -RunAsAdministrator

# description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
#              by default it will hit the external IP of your router, which is what VPNFilter would be scanning
# author: github @sonjz

param(
  [string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
  [int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
  [switch]$skipInstall = $false,
  [switch]$y = $false
)

Write-Host "

VPNFilter is a vulnerability that is unintentionally installed on the router (through old firmware).
https://www.androidcentral.com/vpnfilter-malware

VPNFilter (Comeback) is botnet attack on port 2000 (and possibly others).
The purpose of this script is to identify if you have router with open ports.
Your remedy is close the ports, flash the new firmware, or get a new router.

Here is a typical scan, compare with your own:
    Scanning ports 23,80,2000,8080 on X.X.X.X ...
    Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-12 12:24 Your Time Zone
    Initiating Parallel DNS resolution of 1 host. at 12:24
    Completed Parallel DNS resolution of 1 host. at 12:24, 0.02s elapsed
    Initiating SYN Stealth Scan at 12:24
    Scanning X-X-X-X.your.isp.com (X.X.X.X) [4 ports]
    Completed SYN Stealth Scan at 12:24, 3.93s elapsed (4 total ports)
    Nmap scan report for X-X-X-X.your.isp.com (X.X.X.X)
    Host is up.

    PORT     STATE    SERVICE
    23/tcp   filtered telnet
    80/tcp   filtered http
    2000/tcp filtered cisco-sccp
    8080/tcp filtered http-proxy

    Read data files from: C:\Program Files (x86)\Nmap
    Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
              Raw packets sent: 8 (352B) | Rcvd: 0 (0B)

If your says ""closed"" or ""filtered"", you should be protected.
If it says ""open"", you have a vulnerable router.

NOTE: script requires running as Administrator mode to verify latest Powershell/nmap are installed.
" ;

if (-Not $y) {
  Read-Host "Press any key to continue ... "
}

# ensure prerequisities, set -skipInstall if you want to bypass this
if (-Not $skipInstall) {
  Write-Host "Ensuring Latest Powershell and nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
  choco upgrade powershell -y ;
  choco upgrade nmap -y ;
}

if (-Not $routerIp) {
  Write-Host "No routerIp specified, automatically picking up your router ... " ;
  $ipInfo = (curl http://ipinfo.io/json).Content | ConvertFrom-Json ;
  $ipInfo ;

  $routerIp = $ipInfo.ip ;
}

Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
nmap -v -Pn -p ($ports -join ",") $routerIp ;
	#Requires -RunAsAdministrator

	# description: quick port scan for vulnerable VPNFilter for your router, you can specify router ip manually,
	# by default it will hit the external IP of your router, which is what VPNFilter would be scanning
	# author: github @sonjz

	param(
	[string]$routerIp = $null, # if not provided, it will perform a WhatsMyIp and scan that address
	[int[]]$ports = @(23, 80, 2000, 8080), # current VPNFilter ports, http://forums.timewarnercable.com/t5/Connectivity/VPNFilter-Arris-TG1672/m-p/152563/highlight/true#M50525
	[switch]$skipInstall = $false,
	[switch]$y = $false
	)

	Write-Host "

	VPNFilter is a vulnerability that is unintentionally installed on the router (through old firmware).
	https://www.androidcentral.com/vpnfilter-malware

	VPNFilter (Comeback) is botnet attack on port 2000 (and possibly others).
	The purpose of this script is to identify if you have router with open ports.
	Your remedy is close the ports, flash the new firmware, or get a new router.

	Here is a typical scan, compare with your own:
	Scanning ports 23,80,2000,8080 on X.X.X.X ...
	Starting Nmap 7.70 ( https://nmap.org ) at 2018-06-12 12:24 Your Time Zone
	Initiating Parallel DNS resolution of 1 host. at 12:24
	Completed Parallel DNS resolution of 1 host. at 12:24, 0.02s elapsed
	Initiating SYN Stealth Scan at 12:24
	Scanning X-X-X-X.your.isp.com (X.X.X.X) [4 ports]
	Completed SYN Stealth Scan at 12:24, 3.93s elapsed (4 total ports)
	Nmap scan report for X-X-X-X.your.isp.com (X.X.X.X)
	Host is up.

	PORT STATE SERVICE
	23/tcp filtered telnet
	80/tcp filtered http
	2000/tcp filtered cisco-sccp
	8080/tcp filtered http-proxy

	Read data files from: C:\Program Files (x86)\Nmap
	Nmap done: 1 IP address (1 host up) scanned in 15.81 seconds
	Raw packets sent: 8 (352B) \| Rcvd: 0 (0B)

	If your says ""closed"" or ""filtered"", you should be protected.
	If it says ""open"", you have a vulnerable router.

	NOTE: script requires running as Administrator mode to verify latest Powershell/nmap are installed.
	" ;

	if (-Not $y) {
	Read-Host "Press any key to continue ... "
	}

	# ensure prerequisities, set -skipInstall if you want to bypass this
	if (-Not $skipInstall) {
	Write-Host "Ensuring Latest Powershell and nmap, see messaging, may require reboot/rerun for Powershell (run in Admin mode) ... " ;
	choco upgrade powershell -y ;
	choco upgrade nmap -y ;
	}

	if (-Not $routerIp) {
	Write-Host "No routerIp specified, automatically picking up your router ... " ;
	$ipInfo = (curl http://ipinfo.io/json).Content \| ConvertFrom-Json ;
	$ipInfo ;

	$routerIp = $ipInfo.ip ;
	}

	Write-Host "Scanning ports $($ports -join ",") on $routerIp ..." ;
	nmap -v -Pn -p ($ports -join ",") $routerIp ;