HostRecon: A Situational Awareness Tool
Beau Bullock //
Overview
HostRecon is a tool I wrote in PowerShell to assist with quickly enumerating a number of items that I would typically check after gaining access to a system. It can assist in providing situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and domain information. Probably the most important thing about it is that it does not use any ‘net’, ‘ipconfig’, ‘whoami’, ‘netstat’, or other system commands. I’ve had some security products alert on the use of those common commands/tools. Instead, those commands have been replaced with PowerShell and WMI queries.
On many pentests we are still seeing Windows 7 systems that only have PowerShell version 2.0 installed. To assist with backward compatibility for these systems I’ve avoided using many of cmdlets available in PowerShell version 3.0 and up that would have provided the functionality I needed.
Common Security Product Detection
I wanted a tool that had the ability to help quickly identify security products in use on a system. HostRecon attempts to enumerate common security products on the system including AV, IDS, AppWhitelisting, Behavioral Analysis, etc. This will be an ever-changing/ever-growing list that I will attempt to keep as updated as possible. I’ve asked my colleagues at BHIS to help me grow this list of security products by sending me any new processes and product names they see on pentests.
Situational Awareness
HostRecon provides information from a target system that will assist a pentester in crafting further attacks. Prior to blindly running payloads on a system it’s good to know what security protections are in place. Is the system running application whitelisting? Is there a web proxy in use for Internet traffic? Is the local administrator’s password possibly randomized? HostRecon will attempt to answer some of these questions. Having a good situational awareness prior to moving forward should increase your chances of success.
Here is a full list of things it currently checks:
- Current Hostname – Gathers the hostname of the local system
- IP Information – Gathers IP info; Alternative for ‘ipconfig’
- Current Username – Gathers current username; Alternative for ‘whoami’
- Current Domain Name – Gathers current domain name
- All Local Users – Gathers local users from the system; Alternative for ‘net users’
- Local Admins Group – Gathers local admins group members; Alternative for ‘net localgroup administrators’
- Netstat Information – Gathers listening and established connection info; Alternative for ‘netstat’
- DNS Cache Information – Gathers DNS cache information; Alternative for ‘ipconfig /displaydns’
- Shares – Gathers Share info; Alternative for ‘net use’
- Scheduled Tasks – Gathers any scheduled tasks from the system; Alternative for ‘schtasks’
- Web Proxy Information – Determines if a web proxy is in use
- Process Listing – Lists out all current running processes on the system
- AntiVirus Information – Checks if AV is enabled and what product is running
- Firewall Status – Determines if the local firewall is enabled or not
- Local Admin Password Solution (LAPS) – Attempts to locate the DLL used when installing LAPS.
- Domain Password Policy – Gathers the domain account password policy
- Domain Admins Group Members – Lists the members of the Domain Admins group
- Domain Controllers – Lists any Domain Controllers
- Checks for Common Security Products – Analyzes the process listing for common security product processes and names
Egress Filter Check
Invoke-HostRecon also includes a functionality for assessing egress filtering from the system. The -Portscan flag can be passed to initiate an outbound portscan against allports.exposed to help determine open ports allowed through an egress firewall. (Credit for the Portscan module goes to Joff Thyer). By running ‘Invoke-HostRecon -Portscan’ it will perform an egress check against allports.exposed as well.
Usage
HostRecon can be downloaded here: https://github.com/dafthack/HostRecon
- Start a PowerShell session on a system
C:>powershell.exe -exec bypass
- Import the script
PS C:>Import-Module HostRecon.ps1
- Run HostRecon
PS C:>Invoke-HostRecon
To perform an egress filter check on the top 100 ports run the following command:
PS C:> Invoke-HostRecon -Portscan -TopPorts 100
If you have any other ideas that you would like added into HostRecon please shoot me an email, contact me on Twitter (@dafthack), or open an issue on Github. Please keep in mind I am avoiding the use of any system tools (‘ipconfig’, ‘net’, ‘netstat’, ‘arp’, etc…) and also avoiding any PowerShell 3.0 and up cmdlets.
*Psst* If you liked this blog, we think you’d enjoy Beau’s class:
Available live/virtual and on-demand!