π‘οΈ PortHunter - Advanced Port & Process Scanner
PortHunter is an advanced PowerShell tool suite for network port analysis and process correlation. It generates professional HTML reports for security audits and system troubleshooting.
π Overview
PortHunter includes two complementary scripts designed for different use cases:
| Script | Purpose | Method | Speed | Best For |
|---|---|---|---|---|
| PortHunter_Scan.ps1 | Active service discovery & port scanning | Active probing of common ports (TCP/UDP) + banner grabbing | π’ Slow (minutes) | Service discovery, penetration testing |
| PortHunter_Established.ps1 | Advanced process-port correlation | Local socket inspection (listening + established) β no active probes | π Fast (seconds) | Security audits, troubleshooting |
π― PortHunter_Scan.ps1
Key Features
- π‘ Active Port Scanning - TCP/UDP scanning of common ports
- π© Banner Grabbing - Service identification via banners
- π Process Correlation - Attempts to map discovered/open ports to processes when possible
- π Comprehensive Reporting - Detailed statistics and service analysis
Scanning Behavior
- Performs active probes (TCP connect/SYN, UDP probes) against a predefined list of common ports (
$commonPorts). - Attempts banner grabbing to identify service and version information.
- When possible, correlates discovered open ports to local processes (if the target is local or the probe establishes a connection that can be mapped).
Usage
# Basic active scan (TCP + UDP common ports)
.\PortHunter_Scan.ps1
# TCP ports only
.\PortHunter_Scan.ps1 -SkipUDP
# Fast scan mode (reduce ports / parallelism)
.\PortHunter_Scan.ps1 -FastScanπ PortHunter_Established.ps1
Key Features
- π Multi-Method Correlation - 4 different techniques to identify processes
- π― Confidence System - High/Medium/Low reliability ratings
- π Advanced Reporting - Method details and confidence levels
- β‘ Optimized Performance - Analyzes only listening ports and established connections (local socket inspection)
Correlation Methods
- NetStat Analysis - Most reliable native method (parses existing socket table)
- Active Connection Enumeration - Uses
Get-NetTCPConnection/Get-NetUDPEndpointand related APIs - Handle Analysis - System handle inspection (requires admin; uses handle enumeration)
- Network Statistics - Alternative correlation method (supplemental data)
Usage
# Basic local socket inspection (TCP + UDP)
.\PortHunter_Established.ps1
# Skip UDP endpoints
.\PortHunter_Established.ps1 -SkipUDP
# Fast mode (limited correlation methods)
.\PortHunter_Established.ps1 -FastScanπ Detailed Comparison
| Feature | PortHunter_Scan | PortHunter_Established |
|---|---|---|
| Primary Purpose | Service discovery & active scanning | Process-port correlation (local sockets) |
| Methodology | Active probing of common ports (TCP/UDP) + banner grabbing | Local socket inspection (listening + established) β no active probes |
| Ports Analyzed | Common ports + active scanning | Listening ports and established connections only |
| Speed | Minutes (depends on ports/parallelism) | Seconds |
| Banner Grabbing | Comprehensive for scanned ports | Limited to existing connections where banner data is available |
| Confidence Levels | β Not available | β Implemented (High/Medium/Low) |
| Multi-Method | β Primary method only | β 4 methods |
| Admin Required | Recommended for certain probes (raw socket/UDP) | Recommended for handle analysis and full correlation |
| Use Case | Penetration testing, discovery | Security audits, troubleshooting |
π Output Structure
Each script generates timestamped HTML reports:
- AdvancedPortScan_YYYYMMDD_HHMMSS.html (PortHunter_Scan)
- PortScanReport_YYYYMMDD_HHMMSS.html (PortHunter_Established)
Report Sections
- π Summary - Scan statistics
- π Detailed Analysis - Port and process table
- π¨ High-Risk Ports - Critical ports highlighted
- βοΈ Process Summary - Grouped by process
- π© Service Banners - Service identification banners
Best Practices
- Always run as Administrator for complete results
- Verify unknown processes on high-risk ports
- Analyze service banners for vulnerable versions
- Keep reports for audits and future comparisons
π§ Customization
Modifying High-Risk Ports
# Edit the $HighRiskPorts variable in scripts
$HighRiskPorts = @(21, 22, 23, 25, 53, 135, 139, 443, 445, 993, 995, 1433, 3389, 5900)π· Screenshot
β οΈ Disclaimer
These tools are designed for authorized security audits and system troubleshooting. Malicious use is strictly prohibited. The authors assume no responsibility for misuse of these tools.
PortHunter - Your Advanced Port & Process Hunting Companion π