POC_TrustMeter_ScanManagedAssets.ps1
<#
.NOTES
Filename: Ex1 - POC_TrustMeter_ScanManagedAssets.ps1
Author: Jing Nghik <[email protected]>
Modified date: 5/11/2023
.SYNOPSIS
The purpose of this script is to perform a network port scan on assets managed by Zero Networks.
.DESCRIPTION
These exposed ports could potentially be exploited/compromised by an attacker depending on the type of vulnerability.
It's important to iteratively close these open ports unless they are expected behavior.
This script was created mainly with the intent of reviewing open ports on assets targeted for the POC
Steps are:
- Conduct a scan on assets in either the monitoring or learning state. (Save this report for comparison)
- Set same assets to protection.
- Perform the same scan against these protected assets.
- Compare exposed ports before/after being protected by Zero Networks.
Note
- For any protected assets, you may have to exclude the asset performing the scan from JIT MFA policies in order not to trigger multiple MFA prompts.
- It is suggested to create a scanner group and then exclude any assets that will perform scans from JIT MFA policies.
.EXAMPLE
You can run the script with no arguments and it will prompt you for the required parameters.
.\POC_TrustMeter_ScanManagedAssets.ps1
You can also run this script with arguments if you wish to perform this scan in one line without having to input any required parameters.
Performs a scan on assets in learning and protected
.\POC_TrustMeter_ScanManagedAssets.ps1 -apiToken <Api Token created in portal> -mode deep -assetGroups "learning,protected"
#>
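# Script parameters.
#   -apiToken    Zero Networks API token (read-only is sufficient). Prompted for if omitted.
#   -baseURL     API base URL; all asset lookups are built from this value.
#   -mode        TrustMeter scan mode passed through unchanged on its --mode switch.
#   -assetGroups Comma-separated list of asset groups to scan. Prompted for if omitted.
param(
    $apiToken,
    $baseURL = "https://portal.zeronetworks.com/api/v1",
    $mode = "deep",
    $assetGroups
)
Clear-Host
Write-Host -ForegroundColor DarkCyan -BackgroundColor Cyan "POC - TrustMeter Port Scan Report`n"
Write-Host -ForegroundColor Cyan " Purpose: " -NoNewline; Write-Host "The purpose of this script is to perform a simple network port scan to help identify how exposed ports are on each asset. `n These exposed ports could potentially be exploited/compromised by an attacker depending on the type of vulnerability. `n"
Write-Host -ForegroundColor Yellow " Note: " -NoNewline; Write-Host "This script will only scan assets that are in a monitor, learning, or protected state in the Zero Networks Portal.`n Be sure assets are in a monitored, learning, or protected state to ensure they are targeted for this scan."
# Read-Host returns the (empty) line typed; discard it so it does not leak into the script's output.
Read-Host "`nPress Enter to continue" | Out-Null
# The token travels in the Authorization header of every request built from $baseURL,
# so a non-HTTPS base URL would send it in cleartext. Warn rather than abort so a lab
# override still works, but make the exposure visible.
if ($baseURL -notmatch '^https://') {
    Write-Warning "baseURL '$baseURL' is not HTTPS; the API token would be sent in cleartext."
}
# Prompt for the token when it was omitted OR supplied empty ("-eq $null" missed the empty-string case).
# -AsSecureString keeps the pasted token off the screen and out of console transcripts;
# the plain string is recovered only in memory because the REST header needs it.
# The portal link is derived from $baseURL so it always matches the API instance being queried.
if ([string]::IsNullOrWhiteSpace($apiToken)) {
    $portalUrl = $baseURL -replace '/api/v\d+/?$', ''
    Write-Host -ForegroundColor Yellow "No API Token provided (We use this to automatically grab assets in learning/protection). An API token (read-only) can be created in the portal at '$portalUrl/#/settings/tokens'"
    $secureToken = Read-Host -AsSecureString "Please paste generated token here"
    $apiToken = (New-Object System.Net.NetworkCredential("", $secureToken)).Password
}
# Same empty-vs-null treatment for the asset group list.
if ([string]::IsNullOrWhiteSpace($assetGroups)) {
    Write-Host -ForegroundColor Cyan "Which type of assets would you like to scan (Available groups:" -NoNewline; Write-Host " monitored, learning, protection, all" -NoNewline; Write-Host ")"
    $assetGroups = Read-Host "To include multiple groups separate with comma (ex. learning,protection)"
}
# Script-scope request header reused by Add-ZNAssets.
$header = @{
    "Authorization" = "$apiToken"
}
# Pool of IPv4 addresses handed to TrustMeter; filled by the Add-ZNAssets calls below.
$scanIPs = @()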
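#######################################
# Collect the IPv4 addresses of every Zero Networks asset of one type.
# Globals:   $baseURL (read), $header (read, fallback when -apiToken is empty)
# Arguments: -type      one of "monitored", "learning", "protected"
#            -apiToken  API token for the Authorization header
# Outputs:   progress lines to the host; the IPv4 addresses to the pipeline
# Throws:    on an unknown -type, instead of calling the API with an empty URL
#######################################
function Add-ZNAssets {
    param($type, $apiToken)
    $ips = @()
    $pageSize = 50
    # Map the asset type to its API path and a display colour.
    $endpoint = switch ($type) {
        "monitored" { @{path = "assets/monitored"; color = "DarkCyan"} }
        "learning"  { @{path = "assets/queued";    color = "Cyan"} }
        "protected" { @{path = "assets/protected"; color = "Green"} }
        default     { throw "Add-ZNAssets: unknown asset type '$type' (expected monitored, learning or protected)" }
    }
    # Use the token handed to the function; fall back to the script-scope $header so existing callers keep working.
    if ([string]::IsNullOrEmpty($apiToken)) {
        $requestHeaders = $header
    } else {
        $requestHeaders = @{ "Authorization" = "$apiToken" }
    }
    Write-Host -ForegroundColor $endpoint.color "`n ==== Adding $type assets to scan pool ===="
    # Page through the listing: a fixed _offset=0 silently dropped every asset beyond the first 50.
    # The loop stops on the first page that comes back shorter than the page size.
    $assets = @()
    $offset = 0
    do {
        $uri = "$baseURL/$($endpoint.path)?_limit=$pageSize&_offset=$offset"
        $page = @((Invoke-RestMethod -Method GET -Uri $uri -Headers $requestHeaders).items | Where-Object { $null -ne $_ })
        $assets += $page
        $offset += $pageSize
    } while ($page.Count -eq $pageSize)
    if ($assets.Count -eq 0) {
        Write-Host -ForegroundColor Yellow " No assets discovered in $type to add to scan pool"
        return @()
    }
    foreach ($asset in $assets) {
        if ($asset.ipV4Addresses.Count -gt 0) {
            Write-Host " $($asset.name) ($($asset.ipV4Addresses -join ', '))"
            $ips += @($asset.ipV4Addresses)
        } else {
            # Asset is known to the portal but has no IPv4 address to target; report and move on.
            Write-Host " $($asset.name) " -NoNewline
            Write-Host -ForegroundColor Yellow "Could not identify IP to scan. Skipping..."
        }
    }
    return $ips
}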
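## Add monitored assets to scan pool
if ($assetGroups.ToLower() -match "(monitor|monitored|all)") { $scanIPs += Add-ZNAssets -type "monitored" -apiToken $apiToken }
## Add assets in learning to scan pool
if ($assetGroups.ToLower() -match "(learn|learning|all)") { $scanIPs += Add-ZNAssets -type "learning" -apiToken $apiToken }
## Add protected assets to scan pool
if ($assetGroups.ToLower() -match "(protected|protection|all)") { $scanIPs += Add-ZNAssets -type "protected" -apiToken $apiToken }
## Remove duplicate IPs and the scanner's own IPs.
## Get-NetIPAddress is queried once up front instead of once per element inside Where-Object.
$localIPs = @((Get-NetIPAddress -AddressFamily IPv4).IPAddress)
$scanIPs = @($scanIPs | Where-Object { $null -ne $_ } | Select-Object -Unique | Where-Object { $localIPs -notcontains $_ })
## An unrecognised group name (or an empty portal) used to launch TrustMeter with an empty --ipranges; stop instead.
if ($scanIPs.Count -eq 0) {
    Write-Warning "No IPs to scan after filtering (asset groups: '$assetGroups'). Nothing to do."
    exit 1
}
## Resolve TrustMeter relative to the script, not the current directory, so the script works when invoked from elsewhere.
$trustMeterExe = Join-Path $PSScriptRoot "TrustMeter.exe"
if (-not (Test-Path $trustMeterExe)) {
    Write-Warning "TrustMeter.exe not found next to this script ($trustMeterExe)."
    exit 1
}
## Remember when the scan started so only a results folder produced by this run is moved below.
$scanStart = Get-Date
Write-Host -ForegroundColor Cyan "`nStarting trust meter and including IP(s) from assets in learning/protected"
& $trustMeterExe "--skipad" "--skipcloud" "--skipgui" "-cs" "no" "--mode" $mode "--ipranges" ($scanIPs -join ',')
if ($LASTEXITCODE -ne 0) {
    Write-Warning "TrustMeter exited with code $LASTEXITCODE; the report may be incomplete."
}
## Create the POC subfolder next to the script if it doesn't exist.
## The results folder is also looked up under $PSScriptRoot, so both paths now agree.
$pocDir = Join-Path $PSScriptRoot "POC"
if (-not (Test-Path $pocDir)) {
    New-Item -ItemType Directory -Path $pocDir -Force | Out-Null
}
## Move the newest "TrustMeter Results" folder created after the scan started into the POC subfolder.
$dateTime = Get-Date -Format 'yyyyMMdd_HHmmss'
$folder = Get-ChildItem -Directory $PSScriptRoot |
    Where-Object { $_.Name -match "TrustMeter Results" -and $_.CreationTime -ge $scanStart } |
    Sort-Object CreationTime -Descending |
    Select-Object -First 1
if ($null -eq $folder) {
    Write-Warning "No new 'TrustMeter Results' folder was found under $PSScriptRoot; nothing moved."
    exit 1
}
$newFolderName = "TrustMeter POC Scan Results - $($assetGroups -replace ',', '-') - $dateTime"
Write-Host "Moving Report to POC\$newFolderName subfolder"
Move-Item -Path $folder.FullName -Destination (Join-Path $pocDir $newFolderName) -Force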