Veil-PowerView: Situational Awareness With PowerShell (Will @harmj0y, Veris Group)

Upload: veilframework

Post on 25-Dec-2014

1.663 views

Category:

Technology


0 download

DESCRIPTION

These slides detail Veil-PowerView, a pure PowerShell tool for situational awareness on Windows domains.

TRANSCRIPT

Page 1: Veil-PowerView - NovaHackers

Veil-PowerView: Situational Awareness With Powershell

Will @harmj0y

Veris Group

Page 2

$ whoami

● Security researcher and penetration tester for Veris Group

● Co-founder of the Veil-Framework #avlol

○ www.veil-framework.com
○ Shmoocon ‘14: AV Evasion with the Veil Framework
○ co-wrote Veil-Evasion, wrote Veil-Catapult

● BSides ATX ‘14: Wielding a Cortana
● https://github.com/HarmJ0y/

Page 3

tl;dr

● Situational Awareness; redux
● Veil-PowerView
● Net-*
● Run-Netview
● Run-ShareFinder
● Run-FindLocalAdminAccess
● Run-UserHunter
● Run-StealthUserHunter

Page 4

Situational Awareness; redux

● Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration

● Old schoolz:
○ net group /domain
○ net group “domain admins” /domain
○ net users /domain
○ net user “jsmith” /domain
○ net view \\hostname
○ blah blah blah

Page 5

Why Powershell?

● Really need to say anything?

● Whitelisted, trusted execution, full .NET capabilities, etc.

● It’s the “new hotness”
○ PowerSploit
○ Posh-SecMod

Page 6

Veil-PowerView

● Arose partially because a client banned “net” commands on domain machines
○ annoying, but only a minor roadblock

● Otherwise initially inspired by Rob Fuller’s netview.exe tool

● Wanted something a bit more flexible that also didn’t drop a binary to disk

Page 7

Net-*

● Full-featured replacements for almost all “net *” commands, built on PowerShell’s Active Directory hooks and various Win32 API calls

● Net-Users, Net-Group, Net-Servers, Net-Sessions, Net-Loggedon, etc.

● See README.md for complete list, and function descriptions for usage options
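As an added illustration of the approach the Net-* functions take (this is example code written for this page, not Veil-PowerView’s own source), the two most common “net” queries from the previous slide are rebuilt here on the .NET DirectorySearcher that any domain-joined PowerShell session can reach. Nothing calls net.exe and nothing touches disk, which is the point of the tool. The function names (Get-DomainSearcher, Get-DomainUserInfo, Get-DomainGroupMember) and the sample account and group names are assumptions made for the example.

```powershell
# Added example, not Veil-PowerView code: "net user /domain" and
# "net group <name> /domain" rebuilt on System.DirectoryServices.
# Function names are illustrative only.

function Get-DomainSearcher {
    param([Parameter(Mandatory)][string]$Filter)
    # RootDSE gives the default naming context of the domain this host is joined to,
    # so no domain name or DC has to be hard-coded.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = $Filter
    $searcher.PageSize   = 1000   # paged results: large domains return everything, not just 1000
    $searcher
}

function ConvertFrom-FileTime {
    param($Value)
    # pwdLastSet / lastLogon are LargeInteger FILETIMEs; 0 or absent means "never".
    if ($Value -and [int64]$Value -gt 0) { [datetime]::FromFileTime([int64]$Value) }
}

function Get-DomainUserInfo {
    # Stand-in for "net users /domain" (all users) and "net user jsmith /domain" (one user).
    param([string]$UserName = '*')
    # samAccountType 805306368 = normal user account
    $searcher = Get-DomainSearcher -Filter "(&(samAccountType=805306368)(samAccountName=$UserName))"
    foreach ($attr in 'samaccountname','displayname','description','pwdlastset','lastlogon','memberof') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            SamAccountName = [string](@($p['samaccountname'])[0])
            DisplayName    = [string](@($p['displayname'])[0])
            Description    = [string](@($p['description'])[0])      # frequently holds passwords or hints
            PwdLastSet     = ConvertFrom-FileTime (@($p['pwdlastset'])[0])
            LastLogon      = ConvertFrom-FileTime (@($p['lastlogon'])[0]) # per-DC value, not replicated
            MemberOf       = @($p['memberof'])
        }
    }
}

function Get-DomainGroupMember {
    # Stand-in for "net group 'Domain Admins' /domain".
    param([Parameter(Mandatory)][string]$GroupName)
    $searcher = Get-DomainSearcher -Filter "(&(objectCategory=group)(samAccountName=$GroupName))"
    [void]$searcher.PropertiesToLoad.Add('member')
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group '$GroupName' not found in the current domain" }
    foreach ($dn in $group.Properties['member']) {
        # Resolve each member DN so users, nested groups and computers can be told apart.
        $member = [ADSI]"LDAP://$dn"
        [pscustomobject]@{
            Group             = $GroupName
            SamAccountName    = [string]$member.samAccountName
            ObjectClass       = [string]$member.objectClass[-1]   # most specific class: user / group / computer
            DistinguishedName = $dn
        }
    }
}

# Usage (account and group names are examples):
Get-DomainUserInfo -UserName 'jsmith' | Format-List
Get-DomainGroupMember -GroupName 'Domain Admins' | Format-Table SamAccountName, ObjectClass
```

Two things to keep in mind when reading the output: `member` is returned in ranges of 1500 values by default, so a group with more members than that needs range retrieval (or a reverse `memberOf` query) to be listed completely, and like `net group` this does not expand nested groups, so a nested group shows up as a single row of ObjectClass `group`.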

Page 8

Meta-Functions

now the fun stuff

Page 9

Run-Netview

● Full powershell port of @mubix’s netview.exe

● Queries the domain for all hosts with Net-Servers, then runs Net-Sessions, Net-Share, and Net-Loggedon on targets

● Can take an optional hostlist, has the ability to exclude common shares, and can utilize a delay/jitter between host enumerations

Page 10

Run-ShareFinder

● Finds non-standard shares on machines in the domain

● Queries for all servers using Net-Servers, then runs Net-Share on each host, excluding standard shares (C$, IPC$, PRINT$, etc.)

● Also can utilize the delay/jitter between host enumerations
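The following is an added example (written for this page, not Veil-PowerView’s own code) of the pattern the two previous slides describe: pull the computer list from the domain, call the NetShareEnum API against each host, drop the standard administrative shares, and pause a jittered interval between hosts. The function names (Get-RemoteShare, Get-DomainComputerName, Find-NonStandardShare) and the default exclusion list, which adds ADMIN$, NETLOGON and SYSVOL to the C$/IPC$/PRINT$ named on the slide, are choices made for the example.

```powershell
# Added example, not Veil-PowerView code: share enumeration via NetShareEnum with
# standard-share filtering and a jittered delay between hosts. Names are illustrative.

$NetApiSource = @"
using System;
using System.Runtime.InteropServices;
public class NetApi32 {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SHARE_INFO_1 {
        [MarshalAs(UnmanagedType.LPWStr)] public string shi1_netname;
        public uint shi1_type;
        [MarshalAs(UnmanagedType.LPWStr)] public string shi1_remark;
    }
    [DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int NetShareEnum(string serverName, int level, ref IntPtr bufPtr,
        uint prefMaxLen, ref int entriesRead, ref int totalEntries, ref int resumeHandle);
    [DllImport("Netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
if (-not ('NetApi32' -as [type])) { Add-Type -TypeDefinition $NetApiSource }

function Get-RemoteShare {
    # Lists the shares on one host. Level 1 (name/type/remark) is readable by ordinary
    # domain users; levels 2 and 502 would need admin rights on the target.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # [uint32]::MaxValue = MAX_PREFERRED_LENGTH: let the API allocate a buffer of the right size.
    $rc = [NetApi32]::NetShareEnum($ComputerName, 1, [ref]$buf, [uint32]::MaxValue,
                                   [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { Write-Verbose "$ComputerName : NetShareEnum returned $rc"; return }  # 5 = access denied, 53 = bad netpath
    try {
        $type = [NetApi32+SHARE_INFO_1]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            # The buffer is a packed array of SHARE_INFO_1; walk it one struct at a time.
            $entry = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), [type]$type)
            [pscustomobject]@{ ComputerName = $ComputerName; Name = $entry.shi1_netname
                               Type = $entry.shi1_type; Remark = $entry.shi1_remark }
        }
    } finally { [void][NetApi32]::NetApiBufferFree($buf) }
}

function Get-DomainComputerName {
    # All machine accounts in the current domain (samAccountType 805306369), by DNS host name.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(samAccountType=805306369)'
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add('dnshostname')
    $searcher.FindAll() | ForEach-Object { [string](@($_.Properties['dnshostname'])[0]) } | Where-Object { $_ }
}

function Find-NonStandardShare {
    [CmdletBinding()]
    param(
        [string[]]$ComputerName,                       # host list; defaults to every domain computer
        [int]$Delay = 0,                               # seconds to pause between hosts
        [double]$Jitter = 0.3,                         # +/- fraction of $Delay applied at random
        [string[]]$Exclude = @('C$','ADMIN$','IPC$','PRINT$','NETLOGON','SYSVOL')
    )
    if (-not $ComputerName) { $ComputerName = Get-DomainComputerName }
    $rand = New-Object System.Random
    foreach ($computer in $ComputerName) {
        if ($Delay -gt 0) {
            # Spread the pause over [Delay*(1-Jitter), Delay*(1+Jitter)] so the sweep is not an
            # evenly spaced burst that is trivial to signature on the wire.
            $pause = $Delay * (1 + $Jitter * (2 * $rand.NextDouble() - 1))
            Start-Sleep -Milliseconds ([int]($pause * 1000))
        }
        Get-RemoteShare -ComputerName $computer | Where-Object { $Exclude -notcontains $_.Name }
    }
}

# Usage: every non-default share in the domain, roughly 5 s (+/-30%) between hosts
Find-NonStandardShare -Delay 5 -Verbose | Format-Table ComputerName, Name, Remark
```

Swapping Get-RemoteShare for calls that list sessions and logged-on users, and keeping the same host list and jittered loop, gives the Run-Netview shape described on the previous slide; the filtering on `$Exclude` is what makes this the Run-ShareFinder variant.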

Page 11

Run-FindLocalAdminAccess

● Port of the local_admin_search_enum.rb Metasploit module

● Finds machines on the local domain where the current user has local administrator access

● Utilizes the OpenSCManagerA API call: a remote Service Control Manager handle with full access is only granted to local administrators, so a successful open means the current user is admin on that host
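Added example (not Veil-PowerView code) of the check this slide describes: open the remote Service Control Manager with SC_MANAGER_ALL_ACCESS, treat a valid handle as proof of local admin, and keep the Win32 error so that “reachable but not admin” can be told apart from “could not test”. The function names (Test-LocalAdminAccess, Find-LocalAdminAccess) and the hosts.txt input file are assumptions for the example.

```powershell
# Added example, not Veil-PowerView code: the OpenSCManager local-admin test behind
# Run-FindLocalAdminAccess. Function names are illustrative only.

$AdvapiSource = @"
using System;
using System.Runtime.InteropServices;
public class Advapi32 {
    [DllImport("advapi32.dll", CharSet = CharSet.Ansi, SetLastError = true)]
    public static extern IntPtr OpenSCManagerA(string machineName, string databaseName, uint desiredAccess);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool CloseServiceHandle(IntPtr handle);
}
"@
if (-not ('Advapi32' -as [type])) { Add-Type -TypeDefinition $AdvapiSource }

function Test-LocalAdminAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)
    $SC_MANAGER_ALL_ACCESS = 0xF003F
    # Full access to the remote Service Control Manager is only granted to local administrators
    # on the target, so a non-null handle means "we are admin there". Nothing is created or
    # changed on the host; the handle is closed straight away.
    $handle = [Advapi32]::OpenSCManagerA("\\$ComputerName", $null, $SC_MANAGER_ALL_ACCESS)
    $err     = [Runtime.InteropServices.Marshal]::GetLastWin32Error()   # read before any other call
    $isAdmin = $handle -ne [IntPtr]::Zero
    if ($isAdmin) { [void][Advapi32]::CloseServiceHandle($handle) }
    # 5 = ERROR_ACCESS_DENIED: host reachable, we are not admin.
    # 53 = ERROR_BAD_NETPATH, 1722 = RPC_S_SERVER_UNAVAILABLE: the host could not be tested at all.
    $code = if ($isAdmin) { 0 } else { $err }
    [pscustomobject]@{ ComputerName = $ComputerName; LocalAdmin = $isAdmin; Win32Error = $code }
}

function Find-LocalAdminAccess {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($computer in $ComputerName) {
        $result = Test-LocalAdminAccess -ComputerName $computer
        if ($result.LocalAdmin) {
            $result
        } elseif ($result.Win32Error -ne 5) {
            # Not a "no", just untested: unreachable, firewalled, or RPC down. Worth knowing.
            Write-Verbose ("{0}: not testable (Win32 error {1})" -f $computer, $result.Win32Error)
        }
    }
}

# Usage: host list from Net-Servers or a file; emits only hosts where we are local admin
Find-LocalAdminAccess -ComputerName (Get-Content .\hosts.txt) -Verbose
```

The distinction Find-LocalAdminAccess makes on the error code matters in practice: a sweep that silently swallows error 1722 will under-report admin access on every host where the RPC endpoint mapper was blocked, which is not the same finding as a clean access-denied.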

Page 12

Run-UserHunter

● Goal: find which domain machines specific users are logged into

● Accepts a username, userlist, or domain group, and accepts a host list or queries the domain for available hosts using Net-Servers

● Runs Net-Sessions and Net-Loggedon against every server in the target list

Page 13

Run-UserHunter

● Compares the results against the target user list, reporting each host where a target user has a session or is logged on

● Can also check found machines using Net-CheckLocalAdminAccess

● Option to utilize the delay/jitter

Page 14

Run-StealthUserHunter

● Issues one query to get all users in the domain, and extracts the set of file servers from each user’s HomeDirectory attribute

● Runs one Net-Sessions call against each file server, comparing the results against the target user list

● Finds users with significantly less traffic than Run-UserHunter!
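The following added example (written for this page, not Veil-PowerView’s own code) implements the hunting logic of the last three slides over the NetSessionEnum API. With an explicit -ComputerName list it is the Run-UserHunter pattern: sessions on every listed host are compared against the target users. With no host list it is the Run-StealthUserHunter pattern: one LDAP query collects every user’s homeDirectory, the file servers are extracted from those UNC paths, and only those few servers are queried. The function names (Get-RemoteSession, Get-HomeDirectoryServer, Find-TargetUserSession) and the sample account names are assumptions for the example.

```powershell
# Added example, not Veil-PowerView code: session hunting with NetSessionEnum, in either
# UserHunter (host list given) or StealthUserHunter (file servers from homeDirectory) mode.
# Function names are illustrative only.

$SessionSource = @"
using System;
using System.Runtime.InteropServices;
public class NetSession {
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10 {
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_cname;
        [MarshalAs(UnmanagedType.LPWStr)] public string sesi10_username;
        public uint sesi10_time;
        public uint sesi10_idle_time;
    }
    [DllImport("Netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int NetSessionEnum(string serverName, string uncClientName, string userName,
        int level, ref IntPtr bufPtr, uint prefMaxLen, ref int entriesRead, ref int totalEntries, ref int resumeHandle);
    [DllImport("Netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
if (-not ('NetSession' -as [type])) { Add-Type -TypeDefinition $SessionSource }

function Get-RemoteSession {
    # Who has an SMB session open to $ComputerName, and from which client machine.
    # Level 10 needs no admin rights on a default server ACL; a hardened SrvsvcSessionInfo
    # ACL returns error 5 instead.
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$ComputerName)
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    $rc = [NetSession]::NetSessionEnum($ComputerName, $null, $null, 10, [ref]$buf, [uint32]::MaxValue,
                                       [ref]$read, [ref]$total, [ref]$resume)
    if ($rc -ne 0) { Write-Verbose "$ComputerName : NetSessionEnum returned $rc"; return }
    try {
        $type = [NetSession+SESSION_INFO_10]
        $size = [Runtime.InteropServices.Marshal]::SizeOf($type)
        for ($i = 0; $i -lt $read; $i++) {
            $s = [Runtime.InteropServices.Marshal]::PtrToStructure([IntPtr]($buf.ToInt64() + $i * $size), [type]$type)
            [pscustomobject]@{
                Server     = $ComputerName
                UserName   = $s.sesi10_username
                ClientHost = [string]$s.sesi10_cname -replace '^\\\\', ''   # API returns \\host or \\ip
                IdleSec    = $s.sesi10_idle_time
            }
        }
    } finally { [void][NetSession]::NetApiBufferFree($buf) }
}

function Get-HomeDirectoryServer {
    # One LDAP query: every user's homeDirectory UNC path, reduced to the unique set of servers.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"
    $searcher.Filter     = '(&(samAccountType=805306368)(homeDirectory=*))'
    $searcher.PageSize   = 1000
    [void]$searcher.PropertiesToLoad.Add('homedirectory')
    $searcher.FindAll() | ForEach-Object {
        $path = [string](@($_.Properties['homedirectory'])[0])
        if ($path -match '^\\\\([^\\]+)\\') { $Matches[1] }    # \\server\share\user -> server
    } | Sort-Object -Unique
}

function Find-TargetUserSession {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string[]]$TargetUser,   # sAMAccountNames to hunt, e.g. Domain Admins members
        [string[]]$ComputerName,                       # UserHunter: explicit host list; omit for stealth mode
        [int]$Delay = 0,
        [double]$Jitter = 0.3
    )
    if (-not $ComputerName) { $ComputerName = Get-HomeDirectoryServer }
    $rand = New-Object System.Random
    foreach ($server in $ComputerName) {
        if ($Delay -gt 0) {
            Start-Sleep -Milliseconds ([int](1000 * $Delay * (1 + $Jitter * (2 * $rand.NextDouble() - 1))))
        }
        # -contains is case-insensitive, so 'JSMITH' in the session list matches 'jsmith' here.
        Get-RemoteSession -ComputerName $server | Where-Object { $TargetUser -contains $_.UserName }
    }
}

# Usage (account names are examples): where are these two admins working from right now?
Find-TargetUserSession -TargetUser 'jsmith','adm_backup' -Delay 2 | Format-Table UserName, ClientHost, Server
```

Note what the result actually says: `Server` is the file server that answered, while `ClientHost` is the machine the target user has the session open from, and that client is the box you care about. The stealth variant trades coverage for noise: a target who never touches a home-directory server is invisible to it, which is why the slide frames it as a lower-traffic complement to Run-UserHunter rather than a replacement.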

Page 15

Demo