2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shows how to use the PowerView script and several related host reconnaissance scripts. The content is concise and easy to follow; I hope the detailed walkthrough below is useful to you.
Traditional internal reconnaissance relies on Windows built-in commands such as net view and net user to obtain host and domain information. Because the blue team can monitor these commands and raise alerts on them, other methods, such as PowerShell and WMI, are used instead to avoid detection while exploring the environment.
PowerView
PowerView is a PowerShell script developed by Will Schroeder and is part of the PowerSploit framework and of Empire. The script relies only on PowerShell and WMI (Windows Management Instrumentation) for its queries. From an existing meterpreter session, PowerView can be loaded and the following commands executed to retrieve information about the domain:
meterpreter > load powershell
meterpreter > powershell_import /root/Desktop/PowerView.ps1
meterpreter > powershell_execute Get-NetDomain
PowerView has a variety of cmdlets; for example, it can be used to find local administrators.
meterpreter > powershell_execute Invoke-EnumerateLocalAdmin
Invoke-UserHunter can help expand network access because it identifies the systems on which domain users are logged in and checks whether the current user has local administrator access on those hosts.
PS > Invoke-UserHunter
PowerView contains further cmdlets for retrieving domain and forest information.
PS > Get-NetForest
Empire also ships modules that perform host-based enumeration.
(Empire: xx) > usemodule situational_awareness/host/winenum
(Empire: powershell/situational_awareness/host/winenum) > info
There is also a Python implementation of PowerView, pywerview, which can be run from hosts that are not joined to the domain if credentials are provided.
# ./pywerview.py get-netshare -w PENTESTLAB -u test -p Password123 --computername WIN-PTELU2U07KG
https://github.com/PowerShellMafia/PowerSploit
HostRecon
There is also a PowerShell script that automates environment exploration tasks on the host. HostRecon, developed by Beau Bullock, uses PowerShell and WMI queries to retrieve a variety of information from the host while evading detection. HostRecon can enumerate the local users and local administrators of the host. The script performs a series of checks to determine the status of the firewall, the antivirus solution installed, whether LAPS is in use, and any application whitelisting product. Because staying undetected is the top priority of a red team assessment, this knowledge is essential for avoiding detection in this phase and later ones. The script also attempts to identify domain information such as the domain password policy, the domain controllers and the domain administrators.
meterpreter > powershell_import /root/Desktop/HostRecon.ps1
meterpreter > powershell_execute Invoke-HostRecon
https://github.com/dafthack/HostRecon
HostEnum
HostEnum, developed by Andrew Chiles, provides details about the host it is executed on, similar to HostRecon. HostEnum can be executed either from disk or from memory, and its output can be generated in HTML format.
meterpreter > load powershell
meterpreter > powershell_import /root/Desktop/HostEnum.ps1
meterpreter > powershell_shell
PS > Invoke-HostEnum -Local -Domain
The -Domain parameter performs some domain checks, such as retrieving the list of domain users and other domain information.
https://github.com/threatexpress/red-team-scripts
RemoteRecon
In a scenario where local administrator credentials have been obtained and are shared across multiple hosts, WMI can be used to perform environment exploration on remote hosts. RemoteRecon was developed by Chris Ross and is designed to let red teams perform reconnaissance without deploying their primary implant. The script can capture keystrokes and screenshots, execute commands and shellcode, and load PowerShell scripts to perform other tasks. Before anything else, the script must be installed on the remote host using local administrator credentials; if the current user is already a local administrator on the target host, only the computer name is required.
PS C:\> Import-Module .\RemoteRecon.ps1
PS C:\> Install-RemoteRecon -ComputerName 'WIN-2NE38K15TGH'
The output of commands executed through the script can be retrieved with the -Results parameter.
PS C:\> Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Cmd "ps -name exp" -Verbose
PS C:\> Invoke-PowerShellCmd -ComputerName 'WIN-2NE38K15TGH' -Results
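The defender's side of the same picture, as an added example that is not part of the original article nor of any of the tools it describes: since these scripts work through PowerShell and WMI rather than net.exe, process creation monitoring alone misses them, but PowerShell script block logging (Event ID 4104) records the executed code, and the cmdlet names listed above can be matched there. The event layout, host and user names and the remote-WMI heuristic are assumptions made for the example.

```python
import re

# Cmdlet names of the tools covered above, mapped to the tool they belong to.
# Matched in script block logging (Event ID 4104): these scripts query through
# PowerShell/WMI and never spawn net.exe, so 4688 process creation misses them.
RECON_CMDLETS = {
    "Get-NetDomain": "PowerView", "Get-NetForest": "PowerView",
    "Invoke-EnumerateLocalAdmin": "PowerView", "Invoke-UserHunter": "PowerView",
    "Invoke-HostRecon": "HostRecon", "Invoke-HostEnum": "HostEnum",
    "Install-RemoteRecon": "RemoteRecon", "Invoke-PowerShellCmd": "RemoteRecon",
}
_CANON = {k.lower(): k for k in RECON_CMDLETS}
# Whole-word and case-insensitive: PowerShell ignores case in cmdlet names, and
# "Get-NetDomain" must not fire on a longer unrelated identifier.
_CMDLET_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, RECON_CMDLETS)) + r")(?![\w-])", re.I)
# Weaker, name-independent signal: remote WMI from PowerShell, the channel
# RemoteRecon uses (assumption: rare for ordinary users in this environment).
_REMOTE_WMI_RE = re.compile(r"\b(Get-WmiObject|Get-CimInstance)\b.*-ComputerName\b", re.I)

def detect(events):
    """Return (host, user, tool, indicator) tuples, one per distinct hit."""
    seen, alerts = set(), []
    for ev in events:
        if ev.get("event_id") != 4104:
            continue  # only script block events carry the executed code
        hits = [(_CANON[m.lower()], RECON_CMDLETS[_CANON[m.lower()]])
                for m in _CMDLET_RE.findall(ev["text"])]
        if _REMOTE_WMI_RE.search(ev["text"]):
            hits.append(("remote WMI query", "generic"))
        for indicator, tool in hits:
            key = (ev["host"], ev["user"], indicator)
            if key not in seen:  # one alert per host/user/indicator
                seen.add(key)
                alerts.append((ev["host"], ev["user"], tool, indicator))
    return alerts

# Constructed sample events, not real logs: two benign, then three suspicious.
SAMPLE_EVENTS = [
    {"event_id": 4104, "host": "WS01", "user": "CORP\\alice",
     "text": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"event_id": 4688, "host": "WS01", "user": "CORP\\alice",
     "text": "net user /domain"},  # process creation event, skipped here
    {"event_id": 4104, "host": "WS02", "user": "CORP\\bob",
     "text": "get-netdomain; Invoke-UserHunter"},
    {"event_id": 4104, "host": "WS02", "user": "CORP\\bob",
     "text": "Invoke-UserHunter"},  # repeat, deduplicated
    {"event_id": 4104, "host": "WS03", "user": "CORP\\svc-backup",
     "text": "Get-WmiObject Win32_Process -ComputerName FS01"},
]
```

Name matching like this is brittle once cmdlets are renamed or obfuscated; it is a starting point that should be paired with rename-resistant signals such as unusual LDAP query volume from workstations.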
That covers how to use PowerView and the related host reconnaissance scripts.