This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
Switch branches/tags
Nothing to show
Clone or download
dafthack Added DisableDomainChecks & Portlist option for portscan
The Domain checks can be disabled with the -DisableDomainChecks flag. Specific ports can now be specified for the portscan option like this: Invoke-HostRecon -Portscan -Portlist 80,443,8080,8443,10000
Latest commit 0208213 Oct 3, 2017
Permalink
Failed to load latest commit information.
HostRecon.ps1 Added DisableDomainChecks & Portlist option for portscan Oct 3, 2017
LICENSE Initial commit Mar 28, 2017
README.md Update README.md Jul 31, 2017

README.md

Invoke-HostRecon

Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.

For more info check out this blog post: http://www.blackhillsinfosec.com/?p=5824

HostRecon Demo Video: https://www.youtube.com/watch?v=H4wzhmaBgM0

Situational Awareness

Invoke-HostRecon gets the following information from the system without running system tools like 'net', 'ipconfig', etc.

Current Hostname
IP Information
Current Username
Current Domain Name
All Local Users
Local Admins Group
Netstat Information
DNS Cache Information
Shares
Scheduled Tasks
Web Proxy Information
Process Listing
AntiVirus Information
Firewall Status
Local Admin Password Solution (LAPS)
Domain Password Policy
Domain Admins Group Members
Domain Controllers
Check for Sysinternals Sysmon
Checks for Common Security Products

Common Security Product Detection

Invoke-HostRecon attempts to enumerate common security products on the system including AV, IDS, AppWhitelisting, Behavioral Analysis, etc.

Egress Filter Check

Invoke-HostRecon also includes a functionality for assessing egress filtering from the system. The -Portscan flag can be passed to initiate an outbound portscan against allports.exposed to help determine open ports allowed through an egress firewall. (Credit for the Portscan module goes to Joff Thyer)

Usage Example

This command will run a number of checks on the local system including the retrieval of local system information (netstat, common security products, scheduled tasks, local admins group, LAPS, etc), and domain information (Domain Admins group, DC's, password policy). Additionally, it will perform an outbound portscan on the top 128 ports to allports.exposed to assist in determining any ports that might be allowed outbound for C2 communications.

Invoke-HostRecon -Portscan -TopPorts 128