Friday, 5 January 2024

PowerShell: Search-IP. A function that searches the clipboard and files for IP addresses, then deduplicates and sorts them

Background

Very often I need to quickly search for, deduplicate and sort IP addresses in data from different sources: PDF reports, articles, logs.
This should include addresses written in the "safe" (defanged) format, with the dots in brackets, like:
  • 192.168.0[.]1
  • 192.168.0(.)1
This is no problem when you have a log with ~10 addresses or so, but if you have a log file with ~50k - ~100k of them it becomes a problem.

Solution

The solution is a function named Search-IP (link to GitHub repository), written in PowerShell.

How it works

The diagram below shows how the function works, divided into 3 steps:
  • Input,
  • Working,
  • Output
Logical diagram of the function's operation

Input

The function reads data from:
  • Clipboard. This is the default behaviour. The data does not need to be prepared in any way.
  • Named parameter "IPAddress". 
    Search-IP -IPAddress "2024.01.05 21:35 source 192.168.1.2 dest 192.168.1.200"
  • Pipeline
    Get-Content "some_log.txt" | Search-IP

Working

The function searches for IP addresses (including those written in the safe format with brackets around the dots), deduplicates them, and finally sorts them.

Output

By default the results are displayed in the console.
The results can be redirected through the pipeline to other cmdlets such as ConvertTo-HTML or Export-CSV.
Search-IP | ConvertTo-HTML | Out-File -FilePath "$($env:USERPROFILE)\Desktop\IPs.html"
Search-IP | Export-CSV -Path "$($env:USERPROFILE)\Desktop\IPs.csv"

The results can also be redirected to Invoke-RestMethod for querying online databases such as Shodan.

Sample line of log redirected to Search-IP function and its results are redirected to Shodan API
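One way to implement the three steps above (input from parameter, pipeline or clipboard; search including defanged dots; deduplication and numeric sort), as an added example that is not the author's Search-IP code from the GitHub repository. The function name Find-IPv4Address and the sample lines are made up here.

```powershell
# Added example, not the author's Search-IP code: the three steps (input,
# working, output) of the approach the post describes, in a small function.
function Find-IPv4Address {
    [CmdletBinding()]
    param(
        # Text to scan; bound from a parameter or from the pipeline
        [Parameter(ValueFromPipeline = $true)]
        [string[]]$InputText
    )
    begin {
        $octet = '(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)'
        # Separator: a plain dot, or a "defanged" dot written as [.] or (.)
        $sep   = '(?:\.|\[\.\]|\(\.\))'
        # Lookarounds stop partial matches inside longer dotted numbers (e.g. 1.2.3.4.5)
        $regex = [regex]"(?<![\d.])$octet(?:$sep$octet){3}(?![\d.])"
        $found = [System.Collections.Generic.List[string]]::new()
        # Input step: with neither parameter nor pipeline input, fall back to the clipboard
        if (-not $PSBoundParameters.ContainsKey('InputText') -and -not $MyInvocation.ExpectingInput) {
            $InputText = @(Get-Clipboard)
        }
    }
    process {
        # Working step, part 1: collect every hit and restore plain dots
        foreach ($line in $InputText) {
            foreach ($m in $regex.Matches([string]$line)) {
                $found.Add(($m.Value -replace '\[\.\]|\(\.\)', '.'))
            }
        }
    }
    end {
        # Working step, part 2: deduplicate, then sort numerically octet by octet
        # ([System.Version] orders 9.9.9.9 before 10.0.0.7, where a text sort would not)
        $found | Select-Object -Unique | Sort-Object -Property { [System.Version]$_ }
    }
}

# Constructed sample data (not from a real log); the same lines also work via
# Find-IPv4Address -InputText $sample, or from a file with Get-Content | Find-IPv4Address
$sample = @(
    '2024.01.05 21:35 source 192.168.1.2 dest 192.168.1.200',
    'C2 seen at 10.0.0(.)7, later 10.0.0[.]7 again, and 9.9.9.9',
    'build 1.2.3.4.5 is a version string, not an address'
)
$sample | Find-IPv4Address
```

The output is plain strings, so it can be piped on to ConvertTo-HTML or Export-CSV exactly as described in the Output section.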


Example

By default the function reads the content of the clipboard and parses it, looking for IP addresses.

For example, you can copy to the clipboard the content of one of the Ukrainian CERT's analyses of the APT28 group (link to website), or any other website, PDF report, etc.

Part of webpage UA CERT that contains IP addresses in safe format


Then just run the Search-IP command in PowerShell and you will get all IPs present in that data in the normal format (without brackets around the dots), deduplicated and sorted numerically (not as text, which is PowerShell's default sort order).

IPs found, deduplicated and sorted

That's all.
