PowerShell and HTTPS - It Ain't All Rainbows And Lollipops! (or is it?)
Back in PowerShell school everyone discusses how great PowerShell is for Windows functions, and an obligatory part of every PowerShell class is to cover off “Invoke-WebRequest”, which allows you to perform curl-like functions. In fact, “curl” is aliased to “Invoke-WebRequest” in PowerShell.
This does work in most situations. For instance, let’s grab the ISC main page:
However, in a lot of cases a penetration tester is assessing network infrastructure – routers, firewalls, virtual infrastructure and so on. Let’s take a look at a typical HTTPS request to, say, a firewall API:
The problem? Yup – it’s a self-signed certificate, and PowerShell needs a “real” trusted certificate with a real CA, the whole 9 yards. There’s no “-trust-it-anyway-its-all-good” parameter in the Invoke-WebRequest command.
What to do? Luckily, PowerShell is based on .Net (or dotnet, however you want to spell it), so there’s a way. What I ended up doing was:
First, set the Certificate Validation Callback value in .Net
Next, create a temporary object, which will serve as the .Net Webclient:
Finally, invoke the web request using the temporary object. Note that in this case the return value is in XML format, so I cast the variable.
The final result? In this case it’s an API key for a Palo Alto Firewall which we then use to make subsequent calls to the REST API.
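The validation callback set in the first step is process-wide, so a callback that accepts everything leaves every later HTTPS request in the session unvalidated. As an added example (not the diary's own code), the same three steps can accept only a certificate whose SHA-256 hash matches a value recorded beforehand, and then restore the previous callback. It assumes Windows PowerShell 5.1; the function name `Invoke-PinnedDownload`, the 192.0.2.10 address and the pin value are placeholders.

```powershell
# Added example, not the diary's code. Assumes Windows PowerShell 5.1 (.NET Framework).
function Invoke-PinnedDownload {
    param(
        [Parameter(Mandatory)][string]$Uri,
        [Parameter(Mandatory)][string]$Sha256Pin,   # hex SHA-256 of the device certificate
        [System.Net.ICredentials]$Credential        # e.g. (Get-Credential).GetNetworkCredential()
    )
    # Normalise the pin (strip colons/spaces) and refuse anything that is not a full hash.
    $pin = ($Sha256Pin -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($pin.Length -ne 64) { throw 'Sha256Pin must be 64 hex characters.' }

    $previous = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
    $client   = $null

    # Step 1: a callback that accepts the connection only when the presented
    # certificate hashes to the pinned value, rather than accepting everything.
    $callback = {
        param($requestSender, $cert, $chain, $policyErrors)
        if ($null -eq $cert) { return $false }
        $sha = [System.Security.Cryptography.SHA256]::Create()
        try {
            $seen = [System.BitConverter]::ToString(
                        $sha.ComputeHash($cert.GetRawCertData())) -replace '-', ''
        } finally { $sha.Dispose() }
        return ($seen -eq $pin)
    }.GetNewClosure()   # capture $pin so the delegate can see it when invoked

    try {
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $callback
        # Step 2: the temporary WebClient object.
        $client = New-Object System.Net.WebClient
        if ($Credential) { $client.Credentials = $Credential }
        # Step 3: make the request; a pin mismatch surfaces as a WebException.
        return $client.DownloadString($Uri)
    }
    finally {
        # Put the old callback back so later requests get normal validation.
        [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $previous
        if ($client) { $client.Dispose() }
    }
}

# Usage (placeholder values; take the real hash from the device out-of-band):
#   $pin = '<64-hex-character SHA-256 of the firewall certificate>'
#   [xml]$result = Invoke-PinnedDownload -Uri 'https://192.0.2.10/api/' -Sha256Pin $pin
```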
Let’s use the key to do something useful – for instance, grab the current configuration:
Note that “in real life”, or in real code, you’d have some error checks along the way to ensure that your https calls are successful (for instance, by using the “try” command). In the Palo Alto API in particular, the API returns an additional value in the XML that gives us the status of the return – a really nice touch!
But really, that https call could be anything. For instance, to return the running config on a Cisco ASA Firewall, we just need to add credentials to our variable, then change the called parameters a bit:
Or to show the current version:
Looking at the first few lines of $asaver, it looks exactly like you’d expect:
Ah – look, the sun is coming out – and is that a rainbow? Thanks PowerShell! All we need is an HTTPS unicorn now (stay tuned).
===============
Rob VandenBrink
Compugen