Date posted: 25-Dec-2014
Uploaded by: veilframework
Veil-PowerView: Situational Awareness with PowerShell
Will (@harmj0y)
Veris Group
$ whoami
● Security researcher and penetration tester for Veris Group
● Co-founder of the Veil-Framework #avlol
  ○ www.veil-framework.com
  ○ Shmoocon ‘14: AV Evasion with the Veil Framework
  ○ co-wrote Veil-Evasion, wrote Veil-Catapult
● BSides ATX ‘14: Wielding a Cortana
● https://github.com/HarmJ0y/
tl;dr
● Situational Awareness; redux
● Veil-PowerView
● Net-*
● Run-Netview
● Run-ShareFinder
● Run-FindLocalAdminAccess
● Run-UserHunter
● Run-StealthUserHunter
Situational Awareness; redux
● Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration
● Old schoolz:
  ○ net group /domain
  ○ net group “domain admins” /domain
  ○ net users /domain
  ○ net user “jsmith” /domain
  ○ net view \\hostname
  ○ blah blah blah
Why Powershell?
● Really need to say anything?
● Whitelisted, trusted execution, full .NET capabilities, etc.
● It’s the “new hotness”
  ○ PowerSploit
  ○ Posh-SecMod
Veil-PowerView
● Arose partially because a client banned “net” commands on domain machines
  ○ annoying, but only a minor roadblock
● Otherwise initially inspired by Rob Fuller’s netview.exe tool
● Wanted something a bit more flexible that also didn’t drop a binary to disk
Net-*
● Full-featured replacements for almost all “net *” commands, utilizing PowerShell AD hooks and various API calls
● Net-Users, Net-Group, Net-Servers, Net-Sessions, Net-Loggedon, etc.
● See README.md for complete list, and function descriptions for usage options
Meta-Functions
now the fun stuff
Run-Netview
● Full PowerShell port of @mubix’s netview.exe
● Queries the domain for all hosts with Net-Servers, then runs Net-Sessions, Net-Share, and Net-Loggedon on targets
● Can take an optional hostlist, has the ability to exclude common shares, and can utilize a delay/jitter between host enumerations
Run-ShareFinder
● Finds non-standard shares on machines in the domain
● Queries for all servers using Net-Servers, then runs Net-Share on each host, excluding standard shares (C$, IPC$, PRINT$, etc.)
● Can also utilize the delay/jitter between host enumerations
Run-FindLocalAdminAccess
● Port of the local_admin_search_enum.rb Metasploit module
● Finds machines on the local domain where the current user has local administrator access
● Utilizes the OpenSCManagerA API call
Run-UserHunter
● Goal: find which domain machines specific users are logged into
● Accepts a username, userlist, or domain group, and accepts a host list or queries the domain for available hosts using Net-Servers
● Runs Net-Sessions and Net-Loggedon against every server in the target list
Run-UserHunter
● Compares the results against the target user list, noting each machine where a target user is logged in
● Can also check found machines using Net-CheckLocalAdminAccess
● Option to utilize the delay/jitter
Run-StealthUserHunter
● Issues one query to get all users in the domain, and extracts all servers from user.HomeDirectories
● Runs one Net-Sessions call against each file server, comparing the results against the target user list
● Finds users with significantly less traffic than Run-UserHunter!
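From the defender's side, the Net-Sessions sweeps behind Run-UserHunter and Run-StealthUserHunter leave a recognizable trace: each NetSessionEnum call reaches the target through the srvsvc pipe over IPC$, which Windows records as Security event 5145 when object access auditing is enabled. The detector below is an added example, not part of the talk or of Veil-PowerView; the event records, host names and account names are constructed, and the 5145 field layout is reduced to the five fields the logic needs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security event 5145 fields (network share access
# checks): (time, target host, account, share name, relative target name).
# A Run-UserHunter sweep looks like one account hitting srvsvc over IPC$ on
# many hosts within seconds; an ordinary user touches one or two hosts.
SAMPLE_EVENTS = [
    ("2014-12-25T10:00:01", "FS01",  r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:00:04", "FS02",  r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:00:09", "WKS11", r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:00:12", "WKS12", r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:00:15", "WKS13", r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:00:20", "DC01",  r"CORP\jsmith", r"\\*\IPC$", "samr"),  # not srvsvc
    ("2014-12-25T10:00:21", "WKS14", r"CORP\jsmith", r"\\*\IPC$", "srvsvc"),
    ("2014-12-25T10:01:00", "FS01",  r"CORP\bob",    r"\\*\IPC$", "srvsvc"),  # normal use
    ("2014-12-25T10:05:00", "FS02",  r"CORP\bob",    r"\\*\IPC$", "srvsvc"),
]

def parse_event(rec):
    """Turn one constructed 5145 tuple into a dict with a real timestamp."""
    ts, host, account, share, target = rec
    return {"time": datetime.fromisoformat(ts), "host": host,
            "account": account, "share": share, "target": target}

def find_sweeps(records, min_hosts=5, window=timedelta(minutes=2)):
    """Return {account: sorted hosts} for every account that probed srvsvc
    over IPC$ on at least min_hosts distinct hosts inside one window."""
    by_account = defaultdict(list)
    for ev in map(parse_event, records):
        # Only session-enumeration traffic counts: IPC$ share, srvsvc pipe.
        if ev["share"].upper().endswith("IPC$") and ev["target"].lower() == "srvsvc":
            by_account[ev["account"]].append(ev)
    hits = {}
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Distinct hosts reached within `window` of this starting event.
            hosts = {e["host"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(hosts) >= min_hosts:
                hits[account] = sorted(hosts)
                break
    return hits

if __name__ == "__main__":
    for account, hosts in find_sweeps(SAMPLE_EVENTS).items():
        print(f"possible session sweep by {account}: {len(hosts)} hosts {hosts}")
```

Run-StealthUserHunter only touches the file servers pulled from users' home directories, so the same sweep fans out to far fewer hosts; catching it means baselining each account's normal srvsvc fan-out and lowering min_hosts for accounts that never enumerate sessions at all.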
Demo
Questions?
● Contact me:
  ○ @harmj0y
  ○ [email protected]
● Read more:
  ○ https://www.veil-framework.com/veil-powerview/
  ○ https://www.veil-framework.com/hunting-users-veil-framework/
● Get Veil-PowerView
  ○ https://github.com/Veil-Framework/Veil-PowerView
  ○ In PowerSploit soon!