惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
CXSECURITY Database RSS Feed - CXSecurity.com
K
Kaspersky official blog
A
Arctic Wolf
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 热门话题
N
News | PayPal Newsroom
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
L
Lohrmann on Cybersecurity
PCI Perspectives
PCI Perspectives
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
The Last Watchdog
The Last Watchdog
B
Blog RSS Feed
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
W
WeLiveSecurity
Know Your Adversary
Know Your Adversary
博客园 - Franky
T
Tenable Blog
T
Tailwind CSS Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
Help Net Security
Help Net Security
WordPress大学
WordPress大学
T
The Exploit Database - CXSecurity.com
www.infosecurity-magazine.com
www.infosecurity-magazine.com
博客园 - 司徒正美
阮一峰的网络日志
阮一峰的网络日志
D
Darknet – Hacking Tools, Hacker News & Cyber Security
H
Heimdal Security Blog
TaoSecurity Blog
TaoSecurity Blog
S
Security Affairs
J
Java Code Geeks
小众软件
小众软件
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
Apple Machine Learning Research
Apple Machine Learning Research
NISL@THU
NISL@THU
O
OpenAI News
The Cloudflare Blog
月光博客
月光博客
Google Online Security Blog
Google Online Security Blog
V
V2EX
罗磊的独立博客
美团技术团队
博客园 - 三生石上(FineUI控件)
Security Latest
Security Latest
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
C
Cyber Attacks, Cyber Crime and Cyber Security
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Cyberwarzone
Cyberwarzone
L
LINUX DO - 最新话题
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏

博客园 - websec80

HexStrike AI:渗透测试助手部署与配置全指南 Burp抓包被WAF拦截?这个插件一键修改JA3指纹! 安装claude code phpmyadmin爆破go语言 ollama渗透模型安装ctf-player_elona 文件下载传输hfs Bettercap(中间人攻击神器) Save Multiple URLs快速保存当前所有打开的网页 URL 后渗透方面密码收集(浏览器、anydesk、数据库工具) 隐藏 Linux 进程新姿势mount frp telegram数据解密与账号劫持的研究 2024年度TOP100弱口令密码(附社会工程学字典生成器) 【APP攻防】小黄鸟(HttpCanary)免root手机抓包 ProxyPin开源免费抓包工具,支持Windows、Mac、Android、IOS、Linux 全平台系统 linux权限维持-服务管理 ettercap安装内网嗅探抓包 低权 Linux 键盘记录方案 HSTS 检查 后台爆破工具 - blasting 一款自动化提权工具 oracleShell oracle 数据库命令执行 Linux清除记录的常见方式
一个powershell的内网端口扫描工具
websec80 · 2026-05-26 · via 博客园 - websec80
# PowerShell TCP Port Scanner - PS 5.1+ compatible
# Usage: powershell -ExecutionPolicy Bypass -File windows_scan.ps1
# Or:    powershell -ExecutionPolicy Bypass -Command "& 'C:\console\windows_scan.ps1'"

param(
    [string]$Target = "192.168.2.10",
    [int]$Threads = 50,
    [int]$TimeoutMs = 1200,
    [int]$BatchSize = 500,
    [int]$BatchDelay = 3,
    [string]$OutFile = "C:\console\open.txt",
    [string]$LogFile = "C:\console\scan_log.txt"
)

# Must be FIRST - redirect all errors to log file
$ErrorActionPreference = "Stop"
$logDir = Split-Path $LogFile -Parent
if (-not (Test-Path $logDir)) {
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null
}

function Write-Log {
    param([string]$Msg, [string]$Color)
    $line = "[$(Get-Date -Format 'HH:mm:ss')] $Msg"
    # Write-Host may be invisible from cmd.exe; always write to file
    $line | Out-File -Append -FilePath $LogFile -Encoding UTF8
    if ($Color) { try { Write-Host $line -ForegroundColor $Color } catch {} } else { try { Write-Host $line } catch {} }
    try { [Console]::WriteLine($line) } catch {}
}

try {
    Write-Log "=== PowerShell TCP Scan ==="
    Write-Log "Target: $Target | Threads: $Threads | Batch: $BatchSize | Timeout: ${TimeoutMs}ms"
    Write-Log "PSVersion: $($PSVersionTable.PSVersion)"

    # Check RunspacePool
    try {
        $testPool = [runspacefactory]::CreateRunspacePool(1, 2)
        $testPool.Open()
        $testPool.Close()
        $testPool.Dispose()
        Write-Log "RunspacePool: OK"
    } catch {
        Write-Log "RunspacePool FAILED: $_"
        exit 1
    }

    # Quick probe
    Write-Log "Quick probe $Target`:445 ..."
    try {
        $quickTcp = New-Object System.Net.Sockets.TcpClient
        $quickAr = $quickTcp.BeginConnect($Target, 445, $null, $null)
        if ($quickAr.AsyncWaitHandle.WaitOne(3000)) {
            $quickTcp.EndConnect($quickAr)
            Write-Log "Port 445: OPEN"
        } else {
            Write-Log "Port 445: timeout (target may be firewalled)"
        }
        $quickTcp.Close()
        $quickTcp.Dispose()
    } catch {
        Write-Log "Port 445 probe: $_"
    }

    $allPorts = 1..65535
    $open = New-Object System.Collections.ArrayList
    $totalBatches = [math]::Ceiling($allPorts.Count / $BatchSize)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()

    # Script block for single port scan
    $scanScript = {
        param($ip, $port, $timeout)
        $tcp = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient
            $ar = $tcp.BeginConnect($ip, $port, $null, $null)
            if ($ar.AsyncWaitHandle.WaitOne($timeout)) {
                $tcp.EndConnect($ar)
                return $port
            }
        } catch {
            # Connection refused or other error - port closed
        } finally {
            if ($tcp) {
                try { $tcp.Close() } catch {}
                try { $tcp.Dispose() } catch {}
            }
        }
    }

    for ($batch = 0; $batch -lt $totalBatches; $batch++) {
        $startIdx = $batch * $BatchSize
        $endIdx = [math]::Min($startIdx + $BatchSize - 1, $allPorts.Count - 1)
        $batchPorts = $allPorts[$startIdx..$endIdx]

        $pct = [math]::Round(($batch + 1) / $totalBatches * 100, 1)
        Write-Log ("Batch {0}/{1} ({2}%) | Ports {3}-{4} | Found: {5} | Elapsed: {6}s" -f
            ($batch + 1), $totalBatches, $pct,
            $batchPorts[0], $batchPorts[-1], $open.Count, [int]$sw.Elapsed.TotalSeconds)

        $pool = [runspacefactory]::CreateRunspacePool(1, $Threads)
        $pool.Open()
        $jobs = @()

        foreach ($p in $batchPorts) {
            $ps = [powershell]::Create().AddScript($scanScript).AddArgument($Target).AddArgument($p).AddArgument($TimeoutMs)
            $ps.RunspacePool = $pool
            $jobs += [PSCustomObject]@{ Pipe = $ps; Result = $ps.BeginInvoke() }

            if ($jobs.Count % $Threads -eq 0) {
                Start-Sleep -Milliseconds 100
            }
        }

        foreach ($j in $jobs) {
            try {
                $port = $j.Pipe.EndInvoke($j.Result)
                if ($port) {
                    Write-Log "Port $port OPEN" "Green"
                    $open.Add($port)
                }
            } catch {
                # EndInvoke exception - skip
            } finally {
                try { $j.Pipe.Dispose() } catch {}
            }
        }

        $pool.Close()
        $pool.Dispose()
        [GC]::Collect()

        if ($batch -lt $totalBatches - 1) {
            Start-Sleep -Seconds $BatchDelay
        }
    }

    $sw.Stop()

    # Save results
    $sorted = $open.ToArray() | Sort-Object { [int]$_ }
    $sorted | Out-File $OutFile -Encoding UTF8

    Write-Log "=== Done: $($sorted.Count) ports open | $([int]$sw.Elapsed.TotalSeconds)s ==="
    Write-Log "Results saved: $OutFile"

    Write-Log "Open ports:"
    foreach ($p in $sorted) {
        Write-Log "  $p"
    }

    if ($sorted.Count -eq 0) {
        Write-Log "No open ports found. Try from different host or lower threads/delay."
    }

} catch {
    Write-Log "FATAL ERROR: $_"
    Write-Log "Stack: $($_.ScriptStackTrace)"
    exit 1
}

powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File c:\windows\temp\1.ps1

BatchSize 只是分批大小,每个端口的扫描精度由 TimeoutMs(800ms)决定,跟批次大小无关。

改 200 只会让总时间变长(328 批 vs 132 批,多了 196 次 BatchDelay 3 秒 ≈ 多 10 分钟),对准确度没任何提升。

想提高准确度的话,应该调大 TimeoutMs,比如改成 1200ms 甚至 1500ms。代价是每批耗时更久,但丢包/漏端口的概率更低。

posted on 2026-05-26 16:40  websec80  阅读(8)  评论()    收藏  举报