Traditional internal reconnaissance uses Windows built-in commands such as net view and net user to obtain host and domain information. Because the blue team can monitor these commands and trigger alerts, red teams use other methods, such as PowerShell and WMI, to reduce the chance of detection during environment exploration.
PowerView
PowerView is a PowerShell script developed by Will Schroeder and is part of the PowerSploit framework and of Empire. The script relies solely on PowerShell and WMI (Windows Management Instrumentation) for its queries. From an existing Meterpreter session, PowerView can be loaded and the following commands executed to retrieve information about the domain:
meterpreter > load powershell
meterpreter > powershell_import /root/Desktop/PowerView.ps1
meterpreter > powershell_execute Get-NetDomain
PowerView has a variety of cmdlets, including one that discovers local administrators across the domain.
meterpreter > powershell_execute Invoke-EnumerateLocalAdmin
Invoke-UserHunter can help extend network access because it identifies which systems users are logged into and verifies whether the current user has local administrator access to those hosts.
PS > Invoke-UserHunter
PowerView also contains cmdlets that retrieve forest and domain information.
PS > Get-NetForest
Empire also has modules that perform host-based enumeration.
(Empire: xx) > usemodule situational_awareness/host/winenum
(Empire: powershell/situational_awareness/host/winenum) > info
There is also a Python implementation of PowerView. If credentials are provided, it can be executed from a host that is not part of the domain.
# ./pywerview.py get-netshare -w PENTESTLAB -u test -p Password123 --computername WIN-PTELU2U07KG
https://github.com/PowerShellMafia/PowerSploit
HostRecon
HostRecon, developed by Beau Bullock, is a PowerShell script that automates environment exploration tasks on the host. It uses PowerShell and WMI queries to retrieve a range of information from the host while avoiding the commonly monitored built-in commands. HostRecon can enumerate the local users and local administrators of the host. The script performs a series of checks to determine the firewall status, installed antivirus solutions, whether LAPS is in use, and application whitelisting products. Because maintaining stealth is a priority for red team assessments, this knowledge is essential for the evasive actions used during this phase and beyond. The script also attempts to identify domain information such as the domain password policy, domain controllers, and domain administrators.
meterpreter > powershell_import /root/Desktop/HostRecon.ps1
meterpreter > powershell_execute Invoke-HostRecon
https://github.com/dafthack/HostRecon
HostEnum
HostEnum, a script developed by Andrew Chiles, provides detailed information similar to HostRecon when executed on the host. HostEnum can be run both locally and from memory and can produce its output in HTML format.
meterpreter > load powershell
meterpreter > powershell_import /root/Desktop/HostEnum.ps1
meterpreter > powershell_shell
PS > Invoke-HostEnum -Local -Domain
The -Domain parameter runs the domain checks, such as retrieving the domain user list and other domain information.
https://github.com/threatexpress/red-team-scripts
RemoteRecon
In scenarios where you have obtained local administrator credentials that are shared across multiple hosts, WMI can be used to perform environment exploration on a remote host. RemoteRecon, developed by Chris Ross, was designed to let red teams conduct reconnaissance without deploying their primary implant. The script can capture keystrokes and screenshots, execute commands and shellcode, and load PowerShell scripts to perform other tasks. Before anything else, the script must be installed on the remote host, either with local administrator credentials or with just the computer name if the current user is already a local administrator on the target host.
PS C:\> Import-Module .\RemoteRecon.ps1
PS C:\> Install-RemoteRecon -ComputerName 'WIN-2NE38K15TGH'
The output of a command executed through the script is retrieved with the -Results parameter.
PS C:\> Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Cmd "ps -name exp" -Verbose
PS C:\> Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Results
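As an added example, not code from the article or from any of the tools it describes, the following Python shows how the activity described above looks to a defender in two Windows log sources: PowerShell script block logging (Event ID 4104) for the PowerView, HostRecon, HostEnum and RemoteRecon function names the article mentions, and process creation auditing (Event ID 4688) for PowerShell started by the WMI provider host, which is the remote-execution channel the RemoteRecon section relies on. Both event IDs are real; the host names and the event records in SAMPLE_EVENTS are constructed for this example.

```python
"""Flag the PowerShell/WMI reconnaissance described in the article in
constructed Windows event records.  Added example; Event IDs 4104 and 4688
are real, every record below is constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# Function names the article mentions, mapped to the tool they belong to.
RECON_FUNCTIONS = {
    "Get-NetDomain": "PowerView",
    "Get-NetForest": "PowerView",
    "Invoke-EnumerateLocalAdmin": "PowerView",
    "Invoke-UserHunter": "PowerView",
    "Invoke-HostRecon": "HostRecon",
    "Invoke-HostEnum": "HostEnum",
    "Install-RemoteRecon": "RemoteRecon",
    "Invoke-PowerShellCmd": "RemoteRecon",
}
# PowerShell command names are case-insensitive, so the match must be too.
_NAME_RE = re.compile(
    r"\b(" + "|".join(re.escape(n) for n in RECON_FUNCTIONS) + r")\b", re.IGNORECASE)
_CANONICAL = {n.lower(): n for n in RECON_FUNCTIONS}


@dataclass(frozen=True)
class Finding:
    event_id: int
    computer: str
    tool: str
    detail: str


def check_script_block(rec: dict) -> Optional[Finding]:
    """4104: the logged script block names a known reconnaissance function.
    This fires both when the script is imported (its function definitions are
    logged) and when a function is later invoked."""
    match = _NAME_RE.search(rec.get("ScriptBlockText", ""))
    if match is None:
        return None
    name = _CANONICAL[match.group(1).lower()]
    return Finding(4104, rec["Computer"], RECON_FUNCTIONS[name],
                   f"script block references {name}")


def check_process_creation(rec: dict) -> Optional[Finding]:
    """4688: PowerShell whose parent is the WMI provider host.  This is a
    general indicator of code launched over WMI from another machine, not a
    claim about RemoteRecon's internal mechanism."""
    parent = rec.get("ParentProcessName", "").lower()
    child = rec.get("NewProcessName", "").lower()
    if parent.endswith("\\wmiprvse.exe") and child.endswith(("\\powershell.exe", "\\pwsh.exe")):
        return Finding(4688, rec["Computer"], "WMI-launched PowerShell",
                       rec.get("CommandLine", ""))
    return None


def analyze(records) -> list:
    """Run the check that applies to each record's event ID; return findings in order."""
    checks = {4104: check_script_block, 4688: check_process_creation}
    findings = []
    for rec in records:
        check = checks.get(rec.get("EventID"))
        if check is not None:
            finding = check(rec)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample records (host names reuse the article's examples).
SAMPLE_EVENTS = [
    # PowerView function invoked on a workstation; mixed case on purpose.
    {"EventID": 4104, "Computer": "WS01.pentestlab.local",
     "ScriptBlockText": "invoke-userhunter -ShowAll"},
    # Ordinary administrative PowerShell: must not fire.
    {"EventID": 4104, "Computer": "WS01.pentestlab.local",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    # Remote host: PowerShell spawned by WmiPrvSE.exe.
    {"EventID": 4688, "Computer": "WIN-2NE38K15TGH",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -Command Get-Process"},
    # Same binary started interactively from Explorer: must not fire.
    {"EventID": 4688, "Computer": "WIN-2NE38K15TGH",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentProcessName": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe"},
    # Script block logged when a HostRecon-like script is imported (constructed text).
    {"EventID": 4104, "Computer": "WIN-PTELU2U07KG",
     "ScriptBlockText": "function Invoke-HostRecon {\n  [CmdletBinding()]\n  param()\n"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.event_id} {f.computer}: {f.tool} - {f.detail}")
```

Neither source exists by default: 4104 requires the "Turn on PowerShell Script Block Logging" policy, and the CommandLine field of 4688 requires "Include command line in process creation events". The name list is exact matching, so a renamed function or one of PowerView's many cmdlets not listed here is missed; treat it as a baseline to extend from the tools' published sources rather than a complete signature.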