dafthack/HostRecon

Stars
424
Rank 102,329 (Top 3 %)
Language
PowerShell
License
MIT License
Created over 7 years ago
Updated about 7 years ago

dafthack/HostRecon

dafthack

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.

Invoke-HostRecon

Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.

For more info check out this blog post: http://www.blackhillsinfosec.com/?p=5824

HostRecon Demo Video: https://www.youtube.com/watch?v=H4wzhmaBgM0

Situational Awareness

Invoke-HostRecon gets the following information from the system without running system tools like 'net', 'ipconfig', etc.

Current Hostname
IP Information
Current Username
Current Domain Name
All Local Users
Local Admins Group
Netstat Information
DNS Cache Information
Shares
Scheduled Tasks
Web Proxy Information
Process Listing
AntiVirus Information
Firewall Status
Local Admin Password Solution (LAPS)
Domain Password Policy
Domain Admins Group Members
Domain Controllers
Check for Sysinternals Sysmon
Checks for Common Security Products

Common Security Product Detection

Invoke-HostRecon attempts to enumerate common security products on the system including AV, IDS, AppWhitelisting, Behavioral Analysis, etc.

Egress Filter Check

Invoke-HostRecon also includes a functionality for assessing egress filtering from the system. The -Portscan flag can be passed to initiate an outbound portscan against allports.exposed to help determine open ports allowed through an egress firewall. (Credit for the Portscan module goes to Joff Thyer)

Usage Example

This command will run a number of checks on the local system including the retrieval of local system information (netstat, common security products, scheduled tasks, local admins group, LAPS, etc), and domain information (Domain Admins group, DC's, password policy). Additionally, it will perform an outbound portscan on the top 128 ports to allports.exposed to assist in determining any ports that might be allowed outbound for C2 communications.

Invoke-HostRecon -Portscan -TopPorts 128

MailSniper

MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.

CloudPentestCheatsheets

This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers.

DomainPasswordSpray

DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!

MFASweep

A tool for checking if MFA is enabled on multiple Microsoft Services

MSOLSpray

A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.

GraphRunner

A Post-exploitation Toolset for Interacting with the Microsoft Graph API

PowerMeta

PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.

Check-LocalAdminHash

Check-LocalAdminHash is a PowerShell tool that attempts to authenticate to multiple hosts over either WMI or SMB using a password hash to determine if the provided credential is a local administrator. It's useful if you obtain a password hash for a user and want to see where they are local admin on a network. It is essentially a Frankenstein of two of my favorite tools along with some of my own code. It utilizes Kevin Robertson's (@kevin_robertson) Invoke-TheHash project for the credential checking portion. Additionally, the script utilizes modules from PowerView by Will Schroeder (@harmj0y) and Matt Graeber (@mattifestation) to enumerate domain computers to find targets for testing admin access against.

RDPSpray

Tool for password spraying RDP

PowerWebShot

A PowerShell tool for taking screenshots of multiple web servers quickly.

PassphraseGen

A script for generating custom passphrase lists to be used for password cracking with hashcat rules

EmailAddressMangler

This module mangles two lists of names together to generate a list of potential email addresses or usernames. It can also be used to simply combine a list of full names in the format (firstname lastname) into either email addresses or usernames.

lab_scripts

Repo for hosting various scripts for creating users for password spraying and other password attacks.

BasicPHPRedirector

A basic PHP redirection site that captures request headers

Ethereham

A script for tracking and decoding input data messages sent to and from a particular Ethereum address or from every transaction in a block.

blockchain-developer-bootcamp-final-project

dafthack