HostRecon is a tool I wrote in PowerShell to quickly enumerate a number of items I would typically check after gaining access to a system. It provides situational awareness to a penetration tester during the reconnaissance phase of an engagement, gathering information about the local system, its users, and the domain. Probably its most important property is that it does not shell out to 'net', 'ipconfig', 'whoami', 'netstat', or other system commands; I have seen security products alert on the use of those common commands and tools. Those commands have been replaced with PowerShell and WMI queries. (This sidesteps detections keyed on those binaries, not PowerShell itself: newer PowerShell versions can record module and script block logging, so the gain is less noise rather than invisibility.)

On many pentests we still see Windows 7 systems that only have PowerShell version 2.0 installed. To stay backward compatible with those systems I have avoided many of the cmdlets available in PowerShell version 3.0 and up that would otherwise have provided the functionality I needed.

Common Security Product Detection

I wanted a tool that could quickly identify security products in use on a system. HostRecon attempts to enumerate common security products, including AV, IDS, application whitelisting, behavioral analysis, and so on. This is an ever-changing, ever-growing list that I will try to keep as current as possible, and I have asked my colleagues at BHIS to help grow it by sending me any new processes and product names they see on pentests.

Situational Awareness

HostRecon provides information from a target system that will assist a pentester in crafting further attacks. Before blindly running payloads on a system it is good to know what protections are in place. Is the system running application whitelisting? Is there a web proxy in use for Internet traffic? Is the local administrator's password possibly randomized? HostRecon will attempt to answer some of these questions.
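As an added example (not HostRecon's own code), here is a reduced version of the kind of checks described above, written under the same constraints the post sets: WMI, the registry and .NET only, no 'net', 'whoami' or 'tasklist', and nothing beyond what PowerShell 2.0 ships with. The process-to-product table is a small constructed sample, and treating a legacy Microsoft LAPS install as the signal for a randomized local administrator password is an assumption about what HostRecon's own check looks for.

```powershell
# Added example, not HostRecon's code. PowerShell 2.0-compatible: no
# Get-CimInstance, no [ordered], no -in operator, no Get-ItemPropertyValue.

# Constructed sample of process name -> product; not the project's list.
$SecurityProcs = @{
    'MsMpEng'         = 'Windows Defender'
    'ccSvcHst'        = 'Symantec Endpoint Protection'
    'mcshield'        = 'McAfee VirusScan'
    'CylanceSvc'      = 'Cylance PROTECT'
    'CSFalconService' = 'CrowdStrike Falcon'
    'SentinelAgent'   = 'SentinelOne'
    'cb'              = 'Carbon Black'
}

function Get-HostReconLite {
    # Identity without whoami: environment variables only
    $user = "$($env:USERDOMAIN)\$($env:USERNAME)"

    # Members of the local Administrators group via Win32_GroupUser
    # (replaces 'net localgroup administrators')
    $admins = @()
    $members = Get-WmiObject -Class Win32_GroupUser -ErrorAction SilentlyContinue |
        Where-Object { $_.GroupComponent -match 'Name="Administrators"' }
    foreach ($m in $members) {
        # PartComponent looks like: ...Win32_UserAccount.Domain="HOST",Name="Administrator"
        if ($m.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
            $admins += "$($matches[1])\$($matches[2])"
        }
    }

    # AV registered with the Security Center (client SKUs only; the namespace
    # does not exist on servers, hence SilentlyContinue)
    $avProducts = @()
    foreach ($av in (Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue)) {
        $avProducts += $av.displayName
    }

    # Running processes matched against the sample table (WMI instead of tasklist)
    $found = @()
    foreach ($p in (Get-WmiObject -Class Win32_Process)) {
        $name = [System.IO.Path]::GetFileNameWithoutExtension($p.Name)
        if ($SecurityProcs.ContainsKey($name)) {
            $found += "$($SecurityProcs[$name]) ($($p.Name))"
        }
    }

    # AppLocker heuristic: policy key present and Application Identity service running.
    # Audit-only policies also satisfy this; EnforcementMode lives under SrpV2\<collection>.
    $policyPresent = Test-Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\SrpV2'
    $appIdSvc = Get-WmiObject -Class Win32_Service -Filter "Name='AppIDSvc'" -ErrorAction SilentlyContinue
    $appLocker = $policyPresent -and ($appIdSvc -ne $null) -and ($appIdSvc.State -eq 'Running')

    # Per-user proxy settings from the registry (replaces netsh / inetcpl)
    $ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings' -ErrorAction SilentlyContinue
    $proxy = $null
    if ($ie -and $ie.ProxyEnable -eq 1) { $proxy = $ie.ProxyServer }
    elseif ($ie -and $ie.AutoConfigURL) { $proxy = "PAC: $($ie.AutoConfigURL)" }

    # Assumption: legacy Microsoft LAPS as the indicator that the local admin
    # password is randomized. Checks the CSE DLL and the policy value.
    $lapsDll = Test-Path (Join-Path $env:ProgramFiles 'LAPS\CSE\AdmPwd.dll')
    $lapsPol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd' -ErrorAction SilentlyContinue
    $lapsLikely = $lapsDll -or ($lapsPol -and $lapsPol.AdmPwdEnabled -eq 1)

    New-Object PSObject -Property @{
        CurrentUser       = $user
        LocalAdmins       = $admins
        AntiVirus         = $avProducts
        SecurityProcesses = $found
        AppLockerEnforced = $appLocker
        Proxy             = $proxy
        LapsLikely        = $lapsLikely
    }
}

Get-HostReconLite | Format-List
```

Two things to keep in mind when running it: Win32_GroupUser resolves every member of every local group, which is slow on domain-joined hosts and causes domain lookups, and a blank AntiVirus field on a server means the root\SecurityCenter2 namespace is absent rather than that no AV is installed, so the process match is the more reliable signal there.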
Having good situational awareness before moving forward should increase your chances of success. Here is a full list of things it currently checks:
Egress Filter Check

Invoke-HostRecon also includes functionality for assessing egress filtering from the system. The -Portscan flag initiates an outbound port scan against allports.exposed, a host that answers on every TCP port, so any port that fails to connect is being blocked somewhere between the system and the Internet. (Credit for the Portscan module goes to Joff Thyer.) Running 'Invoke-HostRecon -Portscan' performs the normal enumeration and the egress check together.

Usage

HostRecon can be downloaded here: https://github.com/dafthack/HostRecon

Start a PowerShell session on the system:

C:\> powershell.exe -exec bypass

Import the script:

PS C:\> Import-Module HostRecon.ps1

Run HostRecon:

PS C:\> Invoke-HostRecon

To perform an egress filter check on the top 100 ports, run:

PS C:\> Invoke-HostRecon -Portscan -TopPorts 100

If you have any other ideas you would like added to HostRecon, please shoot me an email, contact me on Twitter (@dafthack), or open an issue on GitHub. Please keep in mind that I am avoiding the use of any system tools ('ipconfig', 'net', 'netstat', 'arp', etc.) and also avoiding any PowerShell 3.0 and up cmdlets.

This is a cross-post from the Black Hills Information Security blog: http://www.blackhillsinfosec.com/?p=5824
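The egress check, as an added example rather than the project's Portscan module: a PowerShell 2.0-compatible TCP connect scan with a per-port timeout built on TcpClient.BeginConnect/EndConnect, because a plain Connect() blocks for the operating system's full timeout on every dropped port. The default port list is a constructed sample, not the tool's top-ports table; the target defaults to allports.exposed as the post describes.

```powershell
# Added example, not HostRecon's Portscan module. Against a host that answers on
# every port, 'open' means the port egresses, 'filtered' means something dropped
# the SYN, and 'closed' means something in the path actively reset it.
function Test-EgressPorts {
    param(
        [string]$Target    = 'allports.exposed',
        [int[]] $Ports     = @(21, 22, 23, 25, 53, 80, 110, 135, 139, 143, 443, 445,
                               993, 995, 1433, 3306, 3389, 5985, 8080, 8443),  # constructed sample
        [int]   $TimeoutMs = 1000
    )
    # Resolve once up front; if DNS egress itself is blocked this throws here,
    # which is a finding on its own rather than twenty misleading 'closed' results.
    $ip = [System.Net.Dns]::GetHostAddresses($Target)[0]

    $results = @()
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $state  = 'filtered'
        try {
            $ar = $client.BeginConnect($ip, $port, $null, $null)
            # WaitOne(timeout, exitContext) is the overload available on .NET 2.0/3.5
            if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                $client.EndConnect($ar)   # throws SocketException if refused/reset
                $state = 'open'
            }
        } catch {
            $state = 'closed'
        } finally {
            $client.Close()
        }
        $results += New-Object PSObject -Property @{ Port = $port; State = $state }
    }
    $results
}

# Usage: summarize which sample ports egress and which do not
$scan = Test-EgressPorts
"Open outbound: "    + (($scan | Where-Object { $_.State -eq 'open' } | ForEach-Object { $_.Port }) -join ', ')
"Blocked outbound: " + (($scan | Where-Object { $_.State -ne 'open' } | ForEach-Object { $_.Port }) -join ', ')
```

The scan is sequential, so the worst case is the number of ports multiplied by the timeout; that is acceptable for a short list but is also why the tool exposes a top-N option. Note that an explicit web proxy does not change these results (the connections are direct TCP, not HTTP), so a host where only 80 and 443 egress may still require the proxy from the earlier check for any real callback.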