A common step in the life-cycle of a red team engagement is to gather as much information is possible for the compromised environments and the domain network. This activity is often called situational awareness and there is no defined list of commands that a red teamer should execute. However all the gathered information in that stage will determine the next actions towards privilege escalation and lateral movement and will assist to map the domain.

Traditional penetration tests during internal recon use Windows built-in commands such as net view, net user etc. in order to obtain host and domain information. These commands are considered the stealthiest approach for red teams since it can be monitored by the blue team and will trigger alerts. Alternative methods can be utilized such as PowerShell and WMI to conduct situational awareness without being detected.

PowerView

PowerView is a PowerShell script which was developed by Will Schroeder and is part of PowerSploit framework and Empire. The script relies solely on PowerShell and WMI (Windows Management Instrumentation) queries. From an existing meterpreter session PowerView can be loaded and executed with the following commands to retrieve information about the domain:

load powershell
powershell_import /root/Desktop/PowerView.ps1
powershell_execute Get-NetDomain
PowerView - Retrieve Domain Name Information
PowerView – Retrieve Domain Name Information

PowerView has a variety of cmdlets which can discover local administrators.

PowerView - Enumerate Local Admins
PowerView – Enumerate Local Admins

The Invoke-UserHunter can assist to expand network access since it can identify systems which users are logged into and can verify if the current user has local administrator access to these hosts.

PowerView - User Hunter
PowerView – User Hunter

Retrieval of domain information is also possible as PowerView contains several cmdlets.

PowerView - Obtain Trusts for the Forest
PowerView – Forest Information

PowerView is also implemented inside Empire. The following image illustrates the domain policy of the network.

Empire - Domain Policy
Empire – Domain Policy

There are also modules which can perform host based enumeration.

Empire - Windows Enum
Empire – Windows Enum

Alternatively there is a Python implementation of PowerView which can be executed from a host that is not part of the domain if credentials are supplied.

Pywerview
PywerView

HostRecon

There is a also a PowerShell script which automates the task of situational awareness in a host. Beau Bullock developed HostRecon and can retrieve various information from a host using PowerShell and WMI queries to evade detection.

powershell_import /root/Desktop/HostRecon.ps1
powershell_execute Invoke-HostRecon
HostRecon Execution
HostRecon Execution

HostRecon can enumerate the local users and the local administrators of the host.

HostRecon - Local Users and Local Admins
HostRecon – Local Users and Local Admins

The script will perform a series of checks to determine the firewall status, the antivirus solution installed, if LAPS is used and the application whitelisting product. Since remain stealthy is a high priority in a red team assessment gaining that knowledge is essential for the evasion actions that will be used in this stage and later.

HostRecon - Checks for Security
HostRecon – Checks for Security

The script also tries to identify and some domain information like the domain password policy, the domain controllers and the domain administrators.

HostRecon - Domain Checks
HostRecon – Domain Checks

HostEnum

A similar script to HostRecon was developed by Andrew Chiles that provides detailed information when it is executed in a host. HostEnum can be executed either locally or from memory and can generate output in HTML format.

load powershell
powershell_import /root/Desktop/HostEnum.ps1
powershell_shell
Invoke-HostEnum -Local -Domain
HostEnum
HostEnum

The parameter -Domain will perform and some domain checks like retrieving the list of domain users and other domain information.

HostEnum - Domain Users
HostEnum – Domain Users

Domain Information: 

HostEnum - Domain Checks
HostEnum – Domain Checks

RemoteRecon

In the scenario where local administrator credentials have been obtained and these credentials are shared into a number of hosts it is possible to utilize WMI in order to perform situational awareness on remote hosts. RemoteRecon was developed by Chris Ross and its purpose is to allow the red teamers to conduct recon without deploying the original implant. The script can capture keystrokes and screenshots, execute commands and shellcode and also can load PowerShell scripts for additional tasks.

Prior to any operation the script needs to be installed first remotely into hosts by using local administrator credentials or if the current user is already local admin on the target host only the computer name is necessary.

Import-Module .\RemoteRecon.ps1
Install-RemoteRecon -ComputerName 'WIN-2NE38K15TGH'
RemoteRecon - Install
RemoteRecon – Install

Output of the commands that are executed via the script can be retrieved with the Results parameter.

Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Cmd "ps -name exp" -Verbose
Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Results
RemoteRecon - Usage
RemoteRecon – Usage

References

Leave a comment