InfocyteNetworkTest.psm1

Write-Host "Importing Infocyte Network Test Module"
$PS = $PSVersionTable.PSVersion.tostring()
if ($PSVersionTable.PSVersion.Major -lt 3) {
  Write-Warning "Powershell Version not supported. Install version 3.x or higher"
  return
} else {
    Write-Host "Checking PSVersion [Minimum Supported: 3.0]: PASSED [$PS]!`n"
}

<#
    .SYNOPSIS
        Test-ICNetworkAccess Tests remote administration protocols and configurations for agentless scanning with Infocyte
 
    .DESCRIPTION
        Tests Domain, System, and Credential configuration for use with Infocyte HUNT. Will attempt several
        tests of the credentials, permissions, remote connectivity, networking, and DNS Resolution.
 
    .PARAMETER Target
        (Mandantory) IP Address or FQDN of a remote system to test against
 
    .PARAMETER Credential
        (Mandatory) Network credentials to test (PSCredential Object)
 
    .PARAMETER ProxyAddress
        (Optional) Web Address of the proxy ie. http://192.168.1.2:8080
 
    .PARAMETER ProxyCredential
        (Optional) Proxy credentials (PSCredential Object)
 
    .PARAMETER Out
        (Optional) Output folder. Defaults to $env:Temp\ic\
 
    .EXAMPLE
        PS C:\> $Netcreds = Get-Credentials
        PS C:\> Test-ICNetworkAccess -Target 192.168.1.5 -Credential $Netcreds
 
    .EXAMPLE
        PS C:\> $Netcreds = Get-Credentials
        PS C:\> $Proxycreds = Get-Credentials
        PS C:\> Test-ICNetworkAccess -Target 192.168.1.5 -Credential $Netcreds -ProxyAddress "http://192.168.1.2:8080" -ProxyCredential $Proxycreds
 
    .NOTES
        Tests we will run:
        1. Test DNS Resolution
        2. Test DNS Reverse Lookup
        3. Test Proxy
        4. Test Internet Access
            a. http:\\www.google.com
            b. https:\\incyte.infocyte.com
        5. Test Remote Connectivity (Ping)
        6. Test Credentials (Username and Password Combo)
        7. Test Active Directory Permissions
        8. Gather Resultant Set of Policy (RSoP)
        9. Test Remote File Transfer (SMB)
            a. C:\Windows\Temp
            b. C:\Users\<someoneelse>\Desktop
        10. Test Remote Execution
            a. Test WMI
            b. Test Schedtasks
            c. Test Remote Registry
            d. Test PSRemoting
        11. Test 443 Back to Infocyte from Remote Endpoint
#>

Function Test-ICNetworkAccess {
    [CmdletBinding()]
    Param(
        [Parameter(Position = 0, Mandatory = $True, HelpMessage = "The remote system to test connectivity to")]
        [ValidateNotNullOrEmpty()]
          [String]
          $Target,

        [Parameter(Position = 1, Mandatory = $True, HelpMessage = "Elevated account that will be used with HUNT")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $Credential,

          [Parameter(Mandatory = $False, HelpMessage = "Address of proxy in the form of: http://<myproxy-ip>:8080")]
          [String]
          $ProxyAddress,

        [Parameter(Mandatory = $False, HelpMessage = "Proxy credentials for authenticated proxies")]
        [ValidateNotNullOrEmpty()]
        [System.Management.Automation.PSCredential]
        $ProxyCredential,

        [String]
        $ReturnAddress="https://incyte.infocyte.com",

        [String]
        $Out="$Env:Temp\ic"
    )

    $Admin = ([Security.Principal.WindowsPrincipal] [Security.Principal.WindowsIdentity]::GetCurrent()).IsInRole([Security.Principal.WindowsBuiltInRole] "Administrator")
    If (-NOT $Admin) {
        Write-Verbose "NOTE: Your shell is not running as Administrator (But you shouldn't need it for this script)."
    }

    # MAIN
    $Creds = [System.Management.Automation.PSCredential]$Credential
    $Username = $Creds.GetNetworkCredential().UserName
    $Domain = $Creds.GetNetworkCredential().Domain
    if (($Domain -ne $null) -AND ($Domain -ne "")) {
        $FQUsername = "$Domain\$Username"
    } else {
        $FQUsername = $Username
    }
    $TestNum = 0
    $TestResults = @{}
    if (-NOT $PSScriptRoot) {
        $PSScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent
    }
    if (-NOT (Test-Path $out)) {
        mkdir $out
    }
    $OutputFileLocation = "$Out\InfocyteTest.log"
    $ports = 22,53,80,135,137,139,389,443,445,1024,1025,1026,3389,5985,5986,49152,49153,49154,65535
    $ExternalIP = (Invoke-WebRequest ifconfig.me/ip -UseBasicParsing).Content.Trim()
    $IPAddress = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.ipenabled -AND $_.Ipaddress.length -gt 0 -AND $_.DefaultIPGateway.length -gt 0 }
    If (-NOT $ReturnAddress) {
        $ReturnAddress = $IPAddress.ipaddress[0]
    }

    # Start transcript log of this script's output
    Start-Transcript -path $OutputFileLocation
    Write-Host "Running script with the following parameters:"
    Write-Host "Remote Test Target: $Target"
    Write-Host "Executed From: $ReturnAddress [ExtIP: $ExternalIP] by $(whoami)"
    Write-Host "Credential: $($Credential.Username)"
    Write-Host "ProxyAddress: $ProxyAddress"
    Write-Host "ProxyCredential: $($ProxyCredential.Username)"
    if ($ProxyAddress) {
        if ($ProxyAddress -match "http") {
            # "http://<myproxy-ip>:8012"
        } elseif ($ProxyAddress -like "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
            $ProxyAddress = "http://$ProxyIP"
        } else {
            Write-Warning "ProxyAddress ($ProxyAddress) may be in the wrong format. Should be http://myproxyaddress.com or http://192.168.1.80:8080"
        }
    }
    $TestResults['Config'] = @{
        Target = $target
        ReturnAddress = $ReturnAddress
        SourceAddress = $IPAddress.ipaddress[0]
        DNS = $IPAddress.DNSServerSearchOrder
        ExtIP = $ExternalIP
        Credential = $($Credential.Username)
        ProxyAddress = $ProxyAddress
        ProxyCredential = $($ProxyCredential.Username)
    }

    Write-Host -ForegroundColor Cyan "`n==========================================================================="
    Write-Host -ForegroundColor Cyan "==========================================================================="
    Write-Host -ForegroundColor Gray "This script will run several tests to test for remote connectivity, DNS, Internet Access, and permissions necessary to run Infocyte HUNT"
    Write-Host -ForegroundColor Gray "Any failed test or warning may be an issue that needs to be addressed before you use Infocyte HUNT"
    Write-Host -ForegroundColor Gray "Log File Location: $OutputFileLocation"
    Start-Sleep 3
    Write-Host -ForegroundColor Cyan "`n=== BEGINING TESTS ==="

    # Flush Local DNS Cache for testing
    Write-Host "`nFlushing DNS"
    ipconfig /flushdns | out-null

    #region Internet Tests
    # Test DNS Resolution and connectivity to the internet
    $Testnum += 1
    $InternetTestAddr = "www.google.com"
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing DNS resolution and connectivity to the internet (Optional)"
    $Result = @{
       Name = "Internet Connectivity Test (Optional)"
       Test = $TestNum
       Description = "Testing DNS resolution and connectivity to the internet ($InternetTestAddr)"
       Success = $True
   }
    $DNSEntry = Get-DNSEntry $InternetTestAddr
    if ($DNSEntry) {
        Write-Host "SUCCESS: $($DNSEntry.Hostname) => $($DNSEntry.IP)"
        $Result['DNSResult'] = $True
    } else {
        Write-Warning "FAIL: DNS Resolution of $InternetTestAddr failed - Your internet may be down"
        $Result['DNSResult'] = $False
        $Result['Success'] = $False
    }

    try {
        $ICMP = Test-Connection -BufferSize 16 -Count 1 -ComputerName $InternetTestAddr -ea STOP
        Write-Host "SUCCESS: Ping (ICMP) to $InternetTestAddr ($($ICMP.IPV4Address)) in $($ICMP.ResponseTime) m/s"
        $Result['ICMPResult'] = $True
    } catch {
        $Message = $_.Exception.Message
        $ErrorType = $_.Exception.GetType().FullName
        Write-Warning "FAIL: Ping (ICMP) to $InternetTestAddr - Message: $Message"
        $Result['ICMPResult'] = $False
    }
    $TestResults["Test$TestNum"] = $Result


    # Test DNS Resolution and connectivity to Incyte
    $TestNum += 1
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing DNS resolution and connectivity to Infocyte (Required)"
    $Result = @{
       Name = "Infocyte Cloud Connectivity Test"
       Test = $TestNum
       Description = "Testing DNS resolution and connectivity to Infocyte (Required)"
       Success = $True
   }
    $DNSEntry = Get-DNSEntry "incyte.infocyte.com"
    if ($DNSEntry) {
        Write-Host "SUCCESS: $($DNSEntry.Hostname) => $($DNSEntry.IP)"
        $Result['DNSResult'] = $True
    } else {
        Write-Warning "FAIL: DNS Resolution of incyte.infocyte.com failed - Your internet may be down"
        $Result['DNSResult'] = $False
        $Result['Success'] = $False
    }

    try {
        $ICMP = Test-Connection -BufferSize 16 -Count 1 -ComputerName incyte.infocyte.com -ea STOP
        Write-Host "SUCCESS: Ping (ICMP) to incyte.infocyte.com ($($ICMP.IPV4Address)) in $($ICMP.ResponseTime) m/s"
        $Result['ICMPResult'] = $True
    } catch {
        $Message = $_.Exception.Message
        $ErrorType = $_.Exception.GetType().FullName
        Write-Warning "FAIL: Ping (ICMP) to incyte.infocyte.com (($($ICMP.IPV4Address)) - Message: $Message"
        $Result['ICMPResult'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    #endregion Internet Test

    #region Proxy Tests

    # $req = [system.Net.WebRequest]::Create($TestWebsite)
    # $res = $results.GetResponse()
    # $int = [int]$res.StatusCode
    # Write-Host $int
    $TestNum += 1
    Write-Host  -ForegroundColor Cyan "`n[TEST $TestNum] Testing web connectivity with direct access (No Proxy)"
    $TestWebsite = 'https://incyte.infocyte.com'
    $Result = @{
       Name = "Proxy Test"
       Test = $TestNum
       Description = "Testing connectivity to Infocyte via various proxy configurations"
       Success = $True
   }

    #Configure Proxy if required
    $showcurrentproxy = netsh winhttp show proxy
    Write-Host "Current System Proxy Settings:`n"
    Write-Host "-------------------`n" $showcurrentproxy

    try {
        $wc = new-object net.webclient
        $results = $wc.DownloadString($TestWebsite)
        if ($results -match "All services are operational") {
            Write-Host "SUCCESS: Web (http) connectivity with direct access (No Proxy) succeeded to $TestWebsite"
            $Result['NoProxy'] = $True
        } else {
            Write-Warning "FAIL: Web (http) connectivity with direct access (No Proxy) failed to $TestWebsite"
            $Result['NoProxy'] = $False
            $Result['Success'] = $False
        }
    } catch {
            Write-Warning "FAIL: Web (http) connectivity with direct access (No Proxy) failed to $TestWebsite"
            $Message = $_.Exception.Message
            Write-Warning "Message: $Message"
            $Result['NoProxy'] = $False
            $Result['Success'] = $False
    }

    if ($ProxyAddress) {
        if ($ProxyCredential) {
            # Testing web client with authenticated Proxy
            $AuthType = "Negotiate"
               Write-Host "Testing proxied web client with $AuthType Proxy Auth"
            $wc = New-ProxyWebClient $ProxyAddress $ProxyCredential $AuthType
        } else {
            # Testing web client with unauthenticated Proxy
            Write-Host "Testing web client with unauthenticated proxy ($ProxyAddress)"
            $wc = New-ProxyWebClient $ProxyAddress
        }
        try {
            $results = $wc.DownloadString($TestWebsite)
            if ($results -match "All services are operational") {
                Write-Host "SUCCESS: Web (http) connectivity with unauthenticated Proxy succeeded to $TestWebsite"
                $Result['WithProxy'] = $True
                $Result['Success'] = $True
            } else {
                Write-Warning "FAIL: Web (http) connectivity with unauthenticated Proxy failed to $TestWebsite"
                $Result['WithProxy'] = $False
                $Result['Success'] = $False
            }
        } catch {
            Write-Warning "FAIL: Web (http) connectivity with unauthenticated Proxy failed to $TestWebsite"
            $Message = $_.Exception.Message
            Write-Warning "Message: $Message"
            $Result['WithProxy'] = $False
            $Result['Success'] = $False
        }
    }
    $TestResults["Test$TestNum"] = $Result
    #endregion

    #region Remote Target Connectivity Tests
    # Test DNS Resolution and connectivity to Target
    $TestNum += 1
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing DNS resolution and connectivity to $target"
    $Result = @{
       Name = "Target DNS Test"
       Test = $TestNum
       Description = "Testing DNS resolution and connectivity to $target"
       Success = $True
    }
    $DNSEntry = Get-DNSEntry $target
    if ($DNSEntry) {
        $IP = $DNSEntry.IP
        $Hostname = $DNSEntry.Hostname
        Write-Host "SUCCESS: DNS Resolved $target to $Hostname ($IP)"
        $Result['DNSResult'] = $True
        if ($Hostname -notlike "*.$Domain") {
            Write-Warning "This system seems to have resolved to a domain that is different from the provided credentials for $Domain."
            Write-Warning "You may need to provide the correct credentials for the resolved domain or check your DNS provider"
            Write-Warning "If this result is unexpected, ensure this system is pointed to the correct DNS server."
            $Result['DNSDomainAlignment'] = $False
        } else {
            $Result['DNSDomainAlignment'] = $True
        }
    } else {
        Write-Warning "FAIL: DNS Resolution to target failed"
        $Result['DNSResult'] = $False
        $Result['Success'] = $False
    }

    # Test Remote Connectivity (Ping)
    Write-Host "`nTesting Connectivity to $IP w/ ICMP"
    try {
        $ICMP = Test-Connection -BufferSize 16 -Count 1 -ComputerName $IP -ea STOP
        Write-Host "SUCCESS: Ping (ICMP) to $Hostname ($($ICMP.IPV4Address)) in $($ICMP.ResponseTime) m/s"
        $Result['ICMPResult'] = $True
    } catch {
        $Message = $_.Exception.Message
        $ErrorType = $_.Exception.GetType().FullName
        Write-Warning "FAIL: Ping (ICMP) to $Hostname (($($ICMP.IPV4Address)) - Message: $Message"
        $Result['ICMPResult'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    # Test Remote Connectivity (Ports)
    $TestNum += 1
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Performing TCP port scan of the following ports:"
    Write-Host $ports
    $Result = @{
       Name = "Port Scan"
       Test = $TestNum
       Description = "Performing TCP port scan of the following ports [$ports] to $target"
       Success = $True
   }
    $PortResults = $ports | Test-Connectivity -IP $IP
    $Result['Results'] = $PortResults
    Write-Host "==========================================================================="
    Write-Host -NoNewline ("{0,-8}`t{1,-35}`t{2}`n" -f "Port","Name","Access")
    $PortResults | ForEach-Object {
        if ($_.Access) {
            Write-Host -ForegroundColor Green -NoNewline ("{0,-8}`t{1,-35}`t{2}`n" -f $_.Port,$_.Name,$_.Access)
        } else {
            Write-Host -ForegroundColor Red -NoNewline ("{0,-8}`t{1,-35}`t{2}`n" -f $_.Port,$_.Name,$_.Access)
        }
    }
    Write-Host ""

    $opendynports = ($PortResults | Where-Object { $_.Port -ge 49152 -AND $_.Port -lt 65535 }).Access | where { $_.true }
    If ($opendynports) {
        $Result['DynamicPorts'] = $true
    } else {
        Write-Warning "FAIL: No Access to $($r.Name) on $IP - Will affect WMI & RPC Execution and Deployment against a Windows-based Hosts"
        $Result['DynamicPorts'] = $False
    }
    $Result['SSH'] = $True
    $Result['SMB'] = $True
    $Result['WMI/RPC'] = $False
    $Result['WinRM_HTTP'] = $True
    $Result['WinRM_HTTPS'] = $True
    $PortResults | ForEach-Object {
        $r = $_
        if (-NOT $r.Access) {
            Switch ($_.Port){
                22  {
                    Write-Warning "FAIL: No Access to $($r.Name) on $IP - Will affect SSH Execution and Deployment against a Unix-based Hosts"
                    $Result['SSH'] = $False
                }

                135 {
                    Write-Warning "FAIL: No Access to $($r.Name) on $IP - Will affect WMI and RPC-based Execution and Deployment against a Windows-based Hosts"
                    $Result['WMI/RPC'] = $False
                }
                139 {
                    If (-NOT ($PortResults | Where-Object { $_.Port -eq 445 }).Access) {
                        Write-Warning "FAIL: No Access to $($r.Name) on $IP - May affect RPC Execution and Deployment against a Windows-based Hosts"
                        $Result['SMB'] = $False
                    }
                }
                445 {
                    If (-NOT ($PortResults | Where-Object { $_.Port -eq 139 }).Access) {
                        Write-Warning "FAIL: No Access to $($r.Name) on $IP - May affect Deployment & File Recovery against a Windows-based Hosts"
                        $Result['SMB'] = $False
                    }
                }

                5985 {
                        Write-Warning "FAIL: No Access to $($r.Name) on $IP - May affect PSRemoting Execution and Deployment against a Windows-based Hosts"
                        $Result['WinRM_HTTP'] = $False
                }
                5986 {
                        Write-Warning "FAIL: No Access to $($r.Name) on $IP - May affect PSRemoting via HTTPS Execution and Deployment against a Windows-based Hosts"
                        $Result['WinRM_HTTPS'] = $False
                }
                default {}
            }
        }
    }
    $open = ($PortResults | where { $_.Access }).count
    if ($open -eq 0) {
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result
    #endregion Remote Target Connectivity Test

    #region Permissions Tests
    # Test Credentials against domain
    $TestNum += 1
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Validating Credentials are valid..."
    $Result = @{
       Name = "Credential Test"
       Test = $TestNum
       Description = "Validating Credentials are valid on $Domain"
       Success = $True
   }
    $TestCreds = Test-ADCredentials $Creds
    if ($TestCreds.isValid) {
        Write-Host "SUCCESS: Credentials for $Username are valid on $Domain"
    } else {
        Write-Warning "FAIL: Credentials for $Username are either not valid or you cannot connect to DirectoryServices on $Domain"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    # Get RSOP permissions
    Write-Host "Getting Resultant Set of Policy (RSoP) for localhost - output to file $Out\InfocyteTest_RSoP_localhost.html"
    GPResult.exe /USER $Username /H "$Out\InfocyteTest_RSoP_localhost.html" /F
    GPResult.exe /USER $Username /v > "$Out\InfocyteTest_RSoP_localhost.txt"

    <#
    Write-Host "Getting Resultant Set of Policy (RSoP) for $Hostname - output to file $Out\InfocyteTest_RSoP_$Hostname.txt"
    Gpresult /S $Hostname /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /USER $Username /v > "$Out\InfocyteTest_RSoP_$Hostname.txt"
    if ($res -match "does not have RSOP data") {
        Write-Warning "$res"
        Write-Warning "Fallback: Attempting to gather RSoP for current user"
        Gpresult /S $Hostname /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /v > "$Out\InfocyteTest_RSoP_$Hostname.txt"
    }
    #>

    #endregion Permissions Test

    #region Remote Execution Protocol Tests
    # Test WMI Execution
    $TestNum += 1
    $Result = @{
       Name = "WMI Test"
       Test = $TestNum
       Description = " Testing WMI Execution Against $Hostname ($target)"
       Success = $True
   }
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing WMI Execution..."
    if (($PortResults | Where-Object { $_.Port -eq 135 }).Access -AND $opendynports) {
        $GetWmiObjectParams = @{
            Class = "win32_OperatingSystem"
            Property = "Caption"
            ComputerName = $Hostname
            Credential = $Creds
            Impersonation = 'Impersonate'
            Authority = "ntlmdomain:$Domain"
        }

        Try {
            $OS = (Get-WmiObject @GetWmiObjectParams -ea Stop).Caption
            Write-Host "SUCCESS: WMI w/ NTLM succeeded. $Hostname ($IP) is a $OS System"
            $Result['NTLM'] = $True
        } Catch {
            Write-Warning "FAIL: WMI with NTLM failed to $Hostname ($IP)"
            $Result['NTLM'] = $False
            $Result['Success'] = $False
        }

        # Test Kerberos
        $GetWmiObjectParams = @{
            Class = "win32_OperatingSystem"
            Property = "Caption"
            ComputerName = $Hostname
            Credential = $Creds
            Impersonation = 'Impersonate'
            Authority = "kerberos:"+$Domain+"\"+$Hostname.Split('.')[0]+'$'
        }
        #Write-Host "Testing WMI w/ explicit Kerberos authentication (Recommended)"
        Try {
            $OS = (Get-WmiObject @GetWmiObjectParams -ea Stop).Caption
            Write-Host "SUCCESS: WMI w/ Kerberos succeeded. $Hostname ($IP) is a $OS System"
            $Result['Kerberos'] = $True
            $Result['Success'] = $True
        } Catch {
            Write-Warning "FAIL: WMI with Kerberos failed to $Domain\$Hostname ($IP)"
            $Result['Kerberos'] = $False
        }

    } else {
        Write-Warning "No connectivity to RPC & Dynamic port - skipping WMI test"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    # Test SMB Connectivity
    $TestNum += 1
    $Result = @{
       Name = "SMB Test"
       Test = $TestNum
       Description = "Testing Server Message Block (SMB) connectivity to $($IP)/C$ ($target)"
       Success = $True
   }
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing Server Message Block (SMB) connectivity to $($IP)/C$ ($target)"
    if (($PortResults | Where-Object { $_.Port -eq 139}).Access -OR ($PortResults | Where-Object { $_.Port -eq 445}).Access) {

        try {
            $mountdrive = New-PSDrive -Name test -PSProvider FileSystem -Root "\\$IP\C$" -Credential $Creds -ea STOP
            Write-Host "SUCCESS: Connected to $IP via SMB"
        } catch {
            $Message = $_.Exception.Message
            Write-Warning "FAIL: Could not connect to $IP via SMB - C$ administrative share may not be accessible - Message: $Message"
            $Result['Success'] = $False
        }

    } else {
        Write-Warning "No connectivity to NetBIOS and SMB ports - skipping SMB Transfer test"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    # Test Remote Schtasks
    $TestNum += 1
    $Result = @{
       Name = "Remote SchTasks Test"
       Test = $TestNum
       Description = "Testing Remote Schtasks Execution to $IP ($target)"
       Success = $True
   }
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing Remote Schtasks (via RPC) Execution..."
    if (($PortResults | Where-Object { $_.Port -eq 135 }).Access -AND $opendynports) {

        $a = SCHTASKS /Create /S $IP /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /TN test /TR 'c:\windows\system32\cmd.exe /c Net Time' /SC ONCE /ST 23:59 /RU SYSTEM /F
        if ($a -match "SUCCESS") {
            Write-Host "SUCCESS: Remote task (test) created on $IP"
            Start-Sleep 1

            # Run the task
            $b = SCHTASKS /Run /S $IP /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /TN test
            if ($b -match "SUCCESS") {
                Write-Host "SUCCESS: Remote task (test) was initiated on $IP"
            } else {
                Write-Warning "FAIL: Remote task (test) failed to initiate"
                Write-Warning "$b"
                $Result['Success'] = $False
            }

        } else {
            Write-Warning "FAIL: Remote task (test) failed on $IP"
            Write-Warning "$a"
            $Result['Success'] = $False
        }


        # Query Task status
        $a = SCHTASKS /query /S $IP /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /TN test
        if (($a -match "Running") -OR ($a -match "Ready")) {
            Write-Host "SUCCESS: Remote task (test) ran successfully on $IP"
        } else {
            Write-Warning "FAIL: Remote task (test) ran into some issues on $IP"
            Write-Warning "$a"
        }

        #Delete the task (Cleanup)
        Start-Sleep 1
        SCHTASKS /delete /S $IP /U $FQUsername /P ($Creds.GetNetworkCredential().Password) /TN test /F | Out-Null

    } else {
        Write-Warning "No connectivity to RPC and Dynamic ports - skipping Remote Schtasks test"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result


    # Test PSRemoting
    $TestNum += 1
    $Result = @{
       Name = "WinRM Test"
       Test = $TestNum
       Description = "Testing Powershell Remoting (WinRM) Execution to $target"
       Success = $True
   }
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing Powershell Remoting Execution..."
    if (($PortResults | Where-Object { $_.Port -eq 5985}).Access -or ($PortResults | Where-Object { $_.Port -eq 5986}).Access) {

        try {
            $errorActionPreference = "Stop"
            $r = Invoke-Command -ComputerName $target -Credential $Creds -ea Stop { 1 }
            Write-Host "SUCCESS: Powershell Remoting Session established with $target"
        }
        catch {
            $Message = $_.Exception.Message
            Write-Warning "FAIL: PSRemoting to $target failed. Message: $Message"
            $Result['Success'] = $False
        }

    } else {
        Write-Warning "No connectivity to Powershell Remoting ports - skipping Powershell Remoting test"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result
    #endregion Remote Execution Protocol Tests


    # Test Endpoint Return Path to HUNT Server
    $TestNum += 1
    $Result = @{
       Name = "Return Path Test"
       Test = $TestNum
       Description = "Testing remote endpoint TCP443 return path to $ReturnAddress"
       Success = $True
   }
    Write-Host -ForegroundColor Cyan "`n[TEST $TestNum] Testing remote endpoint TCP443 return path to $ReturnAddress..."

    $RemoteScript = '
    #Infocyte Test
    function Test-Port ($target, $port=443) {
        $tcpclient = New-Object Net.Sockets.TcpClient
        try { $tcpclient.Connect($target,$port) } catch {}
        try { $tcpclient.Close() } catch {}
        if ($tcpclient.Connected) { $tcpclient.Close(); "Infocyte: SUCCESS" > C:\windows\temp\accesstest.txt } else { "Infocyte: FAIL" > C:\windows\temp\accesstest.txt }
    }
    Test-Port '
+$ReturnAddress+''
    $bytes = [System.Text.Encoding]::Unicode.GetBytes($RemoteScript)
    $encodedCommand = [Convert]::ToBase64String($bytes)

    $Result['Return443'] = $true
    if (($PortResults | Where-Object { $_.Port -eq 135 }).Access) {
            try {
                Invoke-WmiMethod -class Win32_process -name Create -ArgumentList "powershell.exe -Nop -NoLogo -Win Hidden -encodedCommand $encodedCommand" -ComputerName $Target | Out-Null
                if ($ReturnAddress -eq $IPAddress.ipaddress[0]) {
                    $server = New-TcpListener -Port 443
                    $msg = Receive-TCPMessage
                } else {
                    Start-Sleep 5
                    $msg = Get-Content test:\\result.txt -ea SilentlyContinue
                }

                if ($msg -notmatch "SUCCESS") {
                    $Result['Return443'] = $false
                    $Result['Success'] = $False
                }

            } catch {
                $Message = $_.Exception.Message
                Write-Warning "FAIL: Could not test return path - WMI Command Failed - Message: $Message"
                $Result['Success'] = $False
            } finally {
                Remove-PSDrive test -ea SilentlyContinue
            }


    } else {
        Write-Warning "No connectivity to WMI ports - skipping Remote Endpoint Return Path test"
        $Result['Success'] = $False
    }
    $TestResults["Test$TestNum"] = $Result

    <#
        if (($PortResults | Where-Object { $_.Port -eq 139}).Access -OR ($PortResults | Where-Object { $_.Port -eq 445}).Access) {
                try {
                        $mountdrive = New-PSDrive -Name test -PSProvider FileSystem -Root "\\$IP\C$\Windows\Temp" -Credential $Creds -ea STOP
                        Write-Host "SUCCESS: Connected to $IP via SMB"
                } catch {
                    $Message = $_.Exception.Message
                    $ErrorType = $_.Exception.GetType().FullName
                    Write-Warning "FAIL: Could not test return path - C$ administrative share may not be accessible - Message: $Message"
                }
 
                $RemoteScript | Out-File -FilePath "test:\testaccess.ps1" -Width 4096
            } else {
                Write-Warning "No connectivity to NetBIOS and SMB ports - skipping Remote Endpoint Return Path test"
            }
 
            $cmd = "powershell.exe -script testaccess.ps1"
 
    #>


    $TestResults | ConvertTo-Json | Out-File "$Out\InfocyteTest.json"

    Write-Host -ForegroundColor Cyan "All Tests Complete!"
    Write-Host "Results are found here:"
    Write-Host "$Out\InfocyteTest_RSoP_localhost.txt"
    Write-Host "$Out\InfocyteTest_RSoP_localhost.html"
    Write-Host "$Out\InfocyteTest.log"
    Write-Host "$Out\InfocyteTest.json"

    "$Out\InfocyteTest_RSoP_localhost.txt\n" | out-file "$env:temp\ictestoutputfolders"
    "$Out\InfocyteTest_RSoP_localhost.html" | out-file "$env:temp\ictestoutputfolders" -Append
    "$Out\InfocyteTest.log" | out-file "$env:temp\ictestoutputfolders" -Append
    "$Out\InfocyteTest.json" | out-file "$env:temp\ictestoutputfolders" -Append

    return $TestResults
}

# FUNCTIONS

Function Get-DNSEntry ($target) {

    try {
        Write-Verbose "Resolving $target"
        $Temp = [System.Net.Dns]::GetHostEntry($target)
    } catch {
        $Message = $_.Exception.Message
        $ErrorType = $_.Exception.GetType().FullName
        Write-Warning "[ERROR] Failed DNS Lookup against $target - No such host/IP is known - Message: $Message"
        Write-Warning "Using DNS $(nslookup $target)"
        return
    }
    if ($target -match "\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}") {
        $IPAddress = $target
    } else {
        if (($temp.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' }) -is [System.Net.IPAddress]) {
            $IPAddress = ($temp.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' }).IPAddressToString
        } else {
            $IPAddress = ($temp.AddressList | Where-Object { $_.AddressFamily -eq 'InterNetwork' })[0].IPAddressToString
        }
    }
    $Result = @{
        IP = $IPAddress
        IPs = $temp.AddressList.IPAddressToString
        HostName = $Temp.HostName
    }
    New-Object PSObject -Property $Result
}

function Test-Port ($target, $port) {

    $tcpclient = New-Object Net.Sockets.TcpClient
    try
    {
        $tcpclient.Connect($target,$port)
    } catch {}

    if($tcpclient.Connected)
    {
        $tcpclient.Close()
        Write-Verbose "[SUCCESS] Port $port on $target is open"
        $True
    }
    else {
        Write-Warning "[FAILURE] Port $port on $target is closed"
        $False
    }
}

Function New-TCPListener {
    Param (
        [Parameter(Mandatory=$true, Position=0)]
        [ValidateNotNullOrEmpty()]
        [int] $Port
    )
    Try {
        # Set up endpoint and start listening

        $endpoint = new-object System.Net.IPEndPoint([ipaddress]::any,$port)
        Write-Host "TCP Listener being set up on $($endpoint.Address):$($port)"
        $listener = new-object System.Net.Sockets.TcpListener $EndPoint
        $listener.start()
        return $listener
    } Catch {
        Write-Error "$($Error[0])"
    }
}

Function Receive-TCPMessage {
    Param (
        [Parameter(Mandatory=$true)]
        [ValidateNotNullOrEmpty()]
        [System.Net.Sockets.TcpListener]$Listener,

        [Parameter(Mandatory=$false)]
        [int]$timeout=15000
    )
    Try {
        # Wait for an incoming connection
        $timer = [system.diagnostics.stopwatch]::StartNew()
        while (-NOT $listener.Pending()) {
            if ($timer.Elapsed.TotalMilliseconds -gt $timeout) {
                # Close TCP connection and stop listening if hits timeout
                $listener.stop()
                # Timeout
                Write-Warning "No response from target before timeout!"
                return
            }
            Start-Sleep 1
        }

        $data = $listener.AcceptTcpClient()
        Write-Host "Connection Established!"
        if ($data -AND -NOT $data.Available) {
            return "Success!"
        }

        # Read data from stream and write it to host
        $stream = $data.GetStream()
        if (-NOT $stream.DataAvailable) {
            $stream.close()
            return "Success!"
        }
        $bytes = New-Object System.Byte[] 1024
        while (($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){
            $EncodedText = New-Object System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            if ($data) {
                Write-Host "Got some data:"
                Write-Output $data
            }
        }
        $stream.close()
    } Catch {
        Write-Warning "ERROR: Listener failed with: $($Error[0])"
    } finally {
        # Close TCP connection and stop listening
        $listener.stop()
    }
}

function Test-Connectivity {
    [CmdletBinding()]
    Param(
        [Parameter(Position = 0, Mandatory = $True, ValueFromPipeline=$False)]
        [ValidatePattern("\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")]
        [String]
        $IP,

        [Parameter(Position = 1, Mandatory = $True, ValueFromPipeline=$True)]
        [ValidateRange(1,65535)]
        [Int32]
        $port,

        [Parameter(Position = 2, Mandatory = $False, ValueFromPipeline=$False)]
        [ValidateRange(1,128)]
        [Int32]
        $MaxThreads = 24
    )

    BEGIN {
        $portdict = @{
            22 = "SSH (TCP 22)"
            53 = "DNS (TCP 53)"
            80 = "HTTP (TCP 80)"
            135 = "WMI/RPC (TCP 135)"
            137 = "NetBIOS (TCP 137)"
            139 = "NetBIOS (TCP 139)"
            389 = "LDAP (TCP 389)"
            443 = "HTTPS (TCP 443)"
            445 = "SMB (TCP 445)"
            1024 = "Dynamic-Legacy (TCP 1024)"
            1025 = "Dynamic-Legacy (TCP 1025)"
            1026 = "Dynamic-Legacy (TCP 1026)"
            3389 = "Remote Desktop (TCP 3389)"
            5985 =     "PSRemoting-HTTP (TCP 5985)"
            5986 =     "PSRemoting-HTTPS (TCP 5986)"
            49152 = "Dynamic (TCP 49152)"
            49153 = "Dynamic (TCP 49153)"
            49154 = "Dynamic (TCP 49154)"
            65535 = "Dynamic (TCP 65535)"
        }

        $TestPort_Scriptblock = {
                Param($target, $port)

                $tcpclient = New-Object Net.Sockets.TcpClient
                try
                {
                    $tcpclient.Connect($target,$port)
                } catch {}

                if($tcpclient.Connected)
                {
                    $tcpclient.Close()
                    Write-Verbose "[SUCCESS] Port $port on $target is open"
                    $True
                }
                else {
                    Write-Warning "[FAILURE] Port $port on $target is closed"
                    $False
                }
        }
        $ports = @()
    }

    PROCESS {
        $ports += $_
    }

    END {

        # Create Runspace for multi-threading
        $RunspacePool = [RunspaceFactory]::CreateRunspacePool(1, $MaxThreads)
        $RunspacePool.Open()
        $Jobs = @()

        $ports | ForEach-Object {
            $Job = [powershell]::Create().AddScript($TestPort_Scriptblock)
            $Job.AddArgument($IP) | Out-Null
            $Job.AddArgument($_) | Out-Null
            $Job.RunspacePool = $RunspacePool
            $Jobs += New-Object PSObject -Property @{
                Port = $_
                Pipe = $Job
                Result = $Job.BeginInvoke()
            }
        }

        # Track Progress of Port Scan
        $elapsedTime = [system.diagnostics.stopwatch]::StartNew()
        Do {
            Write-Progress -activity "Port Scanning" -Status "$([string]::Format("Waiting... Elapsed Time: {0:d2}:{1:d2}.{2:d3}", $elapsedTime.Elapsed.minutes, $elapsedTime.Elapsed.seconds, $elapsedTime.Elapsed.Milliseconds))"
            #Start-Sleep -Milliseconds 50
        } While ( $Jobs.Result.IsCompleted -contains $false)
        Write-Progress -activity "Port Scanning" -Completed "Port scan completed!"

        $Results = @()
        ForEach ($Job in $Jobs ) {
            $Result = @{
                "Port"   = $Job.Port
                "Name"   = $portdict[$Job.Port]
                "Access" = $Job.Pipe.EndInvoke($Job.Result)[0]
            }
            $Results += New-Object PSObject -Property $Result
        }

        # Cleanup
        $elapsedTime.stop()
        $RunspacePool.Close()

        $Results
    }
}

Function Test-ADCredentials {
    Param(
        [Parameter(Position = 0, Mandatory = $True)]
        [System.Management.Automation.PSCredential]
        $Credential
    )

    Add-Type -AssemblyName System.DirectoryServices.AccountManagement -IgnoreWarnings
    $ct = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    try {
        $pc = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($ct, $Credential.GetNetworkCredential().Domain)
    } catch {
        $Message = $_.Exception.Message
        $ErrorType = $_.Exception.GetType().FullName
        Write-Warning "ERROR: Could not contact DirectoryServices on domain $($Credential.GetNetworkCredential().Domain) - Message: $Message"
        return
    }

    New-Object PSObject -Property @{
        Username = $Credential.UserName
        isValid  = $pc.ValidateCredentials($Credential.GetNetworkCredential().UserName, $Credential.GetNetworkCredential().Password)
    }
}

Function Test-RemoteWMI {
    Param($IP, $credential)

    $GetWmiObjectParams = @{
        Class = "win32_OperatingSystem"
        Property = "Caption"
        ComputerName = $IP
        Credential = $credential
    }

    Try {
        $OS = (Get-WmiObject @GetWmiObjectParams).Caption
    } Catch {

    }

    $GetWmiObjectParams2 = @{
        ClassName = "Win32_Process"
        Property = "Name,CommandLine,ExecutablePath"
        ComputerName = $IP
        Credential = $credential
    }
    $proc = (Get-CimInstance @GetWmiObjectParams)
    #(Get-CimInstance -ClassName Win32_Process -Property Name, CommandLine, ExecutablePath)[6] | select Name, CommandLine, ExecutablePath | fl
}

Function New-ProxyWebClient {
    # Test HTTP Proxy Authentication (Basic, NTLM, Digest, Negotiate/Kerberos)
    Param(
            [Parameter(Position = 0, Mandatory = $True)]
            [String]
            $ProxyAddress,

            [Parameter(Position = 1, Mandatory = $False)]
            [System.Management.Automation.PSCredential]
            $Credential,

            [Parameter(Position = 2, Mandatory = $False)]
            [String]
            $AuthType = "Negotiate"
    )

    $BypassLocal = $True
    $BypassList = @()
    if ($AuthType -eq "") {
        # [ValidateSet("", "Basic", "NTLM", "Digest", "Kerberos", "Negotiate")]
        $AuthType = "Negotiate"
    }
    #$BypassList.Insert(";*.$Domain")

    try {

        $wc = new-object net.webclient
        $proxyUri = new-object system.uri($ProxyAddress)
    } catch {
        $Message = [String]$_.Exception.Message
        Write-Warning "ERROR: Could not set up proxy - Message: $Message"
    }
    if ($Credential) {
        # Configure Authenticated proxy
        Write-Verbose "Configuring Proxy ($ProxyAddress) using $AuthType authentication"
        try {
            $cachedCredentials = new-object system.net.CredentialCache
            $cachedCredentials.Add($proxyUri, $AuthType, $Credential.GetNetworkCredential())

            $wc.Proxy = new-object system.net.WebProxy($proxyUri, $bypassLocal)
            $wc.Proxy.Credentials = $cachedCredentials.GetCredential($proxyUri, $AuthType, $Domain)
        } catch {
            $Message = [String]$_.Exception.Message
            Write-Warning "ERROR: Could not add credentials to proxy - Message: $Message"
        }
        return $wc

    } else {
        # Use Default System Proxy Settings (Internet Explorer Settings)
        Write-Verbose "Configuring Proxy ($ProxyAddress) using default (Internet Explorer) Proxy credentials"
        try {
            $wc.Proxy = new-object system.net.WebProxy($proxyUri, $bypassLocal)
            $wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
        } catch {
            $Message = $_.Exception.Message
            $ErrorType = $_.Exception.GetType().FullName
            Write-Warning "ERROR: Error while setting system's default proxy credentials - Message: $Message"
        }
        $showcurrentproxy = netsh winhttp show proxy
        Write-Verbose $showcurrentproxy
        return $wc

    }
}