0

In order to correctly do forensics; in finding vulnerabilities, that the security team has revealed in their security scans.

The two commands I use mostly do this job is:

c:\ netstat -abno | find "port number"

This command gives me a process id for the port that has the vulnerability.

After this;

I use the following comand to associate the application running on that process associated with the port above.

c:\ wmic process | find "Proccess Id" > proc.txt

Which gives me the application linked to that process, from here, I just research the application to find the vulnerability embedded within.

My question to all your PowerShell experts is;

How do I acomplish the same process in PowerShell?

Now keep in mind, I start with a port and end up with an application which is associated to that port with the steps listed above.

My thoughts:

It probably has something to do with: Get-Process
and Get-NetTCPConnection

But can't fully understand how to break down the thought process as explained above.

Improve this question
1

2 Answers 2

Reset to default
2

In Powershell you can use, as you mentioned, a combination of Get-NetTCPConnection and Get-Process like so:

$port = 80
Get-Process -PID @(Get-NetTCPConnection -LocalPort $port| select -ExpandProperty OwningProcess -Unique)
Improve this answer
1
  • Can you add "-FileVersionINfo" in this little script to spit out the version of the file for this process? thanks
    – gsb005
    Commented Mar 28, 2017 at 16:07
0

well, I always do it with (as admin)

netstat -abno | findstr portnum

tasklist | findstr PID

or if you are only worried about listeners:

netstat -abno | findstr LISTENING | findstr portnum

tasklist | findstr PID

Improve this answer
1
  • Nice! Will Get-Process / Get NetTCPConnection give us any additional useful daeta, for example, the location of the application? etc?
    – gsb005
    Commented Mar 27, 2017 at 19:57

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .