Reconerator - C# Targeted Attack Reconnaissance Tools


This is a custom .NET assembly which will perform a number of situational awareness activities. There are a number of current feature sets:
  • BASIC - Obtains information from the disk and registry.
  • LDAP - Allows customised AD LDAP queries to be made.
  • RESOLVEHOST - Performs DNS lookup queries.
  • INDEXSEARCH - Searches the Windows Indexing Service for local files and e-mails (filename and content).
  • PROXYCHECK - Displays the proxy server that will be used when attempting to access a provided URL.
  • PRIVESCCHECK - Identifies privilege escalation vectors.
The key point about this is that it is all implemented in raw .NET, and hence no PowerShell.
It is configured and controlled by command line parameters, making it suitable for use with Beacon's execute-assembly command.

BASIC

Overview
This obtains a number of pieces of information from the host. Be warned that there might be a LOT of output. It will display:
  • All environment variables (API)
  • The hostname, workgroup and Windows version number of the host (API)
  • Word, Access, Excel, Publisher & PowerPoint Most Recently Used Documents for all versions installed (Registry)
  • Word, Access, Excel, Publisher & PowerPoint Trusted Locations for all versions installed (Registry)
  • Favourites (Bookmarks), extracting the URL from each bookmark. Could be useful for easily finding SharePoint/Confluence/wiki/self-service payroll etc. (Disk)
  • Mapped drives, including the drive letter, description and remote location (WMI)
  • Installed applications, for all users and for the current user only (Registry)

Parameters
The verb 'basic' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.
Check                  Description
env                    Displays all of the environment variables.
info                   Displays the IP address of the host and the major/minor OS version identifier.
mru                    Searches various "most recently used" lists. These currently include the Run box history and the Office file and path MRU for all versions of Word, Excel, PowerPoint, Access, Publisher and Visio. It also displays the location of the special "Recent" folder.
favourites             Displays the URLs stored in the favourites folder (which is basically the user's bookmarks). It currently does not support subfolders; I'll need to fix that.
mappeddrives           Displays the network mapped drives from the user's session. Useful for quickly finding key file shares and home directories. If it is mapped, it probably contains useful data.
installedapplications  Lists the applications that have been installed. This includes applications which have been installed as an admin (on the local machine) AND applications which have been installed by the current user. They are listed in different places in the registry.
Note that if 'all' is used, a 'proxycheck http://www.google.com' is automatically included. See the PROXYCHECK section for details.

Examples
Perform all basic checks (either form is equivalent):
beacon> execute-assembly /tmp/Reconerator.exe
beacon> execute-assembly /tmp/Reconerator.exe basic all
Perform MRU enumeration only:
beacon> execute-assembly /tmp/Reconerator.exe basic mru
List the mapped drives only:
beacon> execute-assembly /tmp/Reconerator.exe basic mappeddrives

OpSec
Reasonably safe. This is querying the system registry; it is unlikely to be monitored.

Limitations (and further work)
  • You can't pick and choose what you want - it's all or nothing.
  • Favourites do not recurse through directories.
  • Missing a load of stuff.

LDAP
This allows you to perform an LDAP query. The easiest way of demonstrating this is by example.

Examples
This will show all users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 0
This will show a maximum of five users on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 5
This will show all members of the Domain Admins group on the domain 'dc=stufus,dc=lan' with W2K8DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "(&(objectClass=group)(cn=Domain Admins))" 0
This will show all members of the Domain Admins or Enterprise Admins groups on the domain 'dc=stufus,dc=lan' with W2012DC as a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2012DC/dc=stufus,dc=lan" "(&(objectClass=group)(|(cn=Enterprise Admins)(cn=Domain Admins)))" 0

OpSec
This will generate network traffic to the domain controller that you specify. For the avoidance of doubt, it uses LDAP (as opposed to RPC or similar), and ATA does not seem to pick it up at the moment (as of 15/06/18).

Limitations (and further work)
  • It's a little untidy.
  • It won't display anything that isn't a .NET string (needs more parsing).
  • Can't specify specific fields/attributes to show.
  • You need to work out the DC yourself (you can get that from the LOGONSERVER environment variable) and work out the DN yourself. I'll get round to retrieving that automatically at some point.
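The query shape used by the 'ldap' verb (path, filter, result limit where 0 means no client-side cap), written out as an added example rather than Reconerator's own code. It also goes one step beyond the tool by rendering binary attributes such as objectSid and objectGUID, which the limitation above describes as unsupported. The class and method names are mine.

```csharp
using System;
using System.DirectoryServices;          // reference System.DirectoryServices.dll
using System.Security.Principal;

// Added example, not Reconerator's own code. Runs an LDAP query in the same shape as the
// 'ldap' verb: path, filter, result limit (0 = no client-side cap). Unlike the tool (see
// Limitations above) it also renders binary attributes such as objectSid and objectGUID.
static class LdapQuery
{
    public static int Run(string ldapPath, string filter, int limit)
    {
        int count = 0;
        using (var root = new DirectoryEntry(ldapPath))              // e.g. "LDAP://W2K8DC/dc=stufus,dc=lan"
        using (var searcher = new DirectorySearcher(root, filter))   // e.g. "(objectClass=user)"
        {
            searcher.SizeLimit = limit;   // 0 lets the server decide; PageSize makes large sets page through
            searcher.PageSize = 1000;
            using (SearchResultCollection results = searcher.FindAll())
            {
                foreach (SearchResult r in results)
                {
                    count++;
                    Console.WriteLine(r.Path);
                    foreach (string attr in r.Properties.PropertyNames)
                        foreach (object v in r.Properties[attr])
                            Console.WriteLine("  {0} = {1}", attr, Render(attr, v));
                }
            }
        }
        return count;
    }

    // Attribute names come back lower-cased; binary syntaxes arrive as byte[].
    static string Render(string attr, object v)
    {
        var bytes = v as byte[];
        if (bytes == null) return v.ToString();            // string, int, long, DateTime ...
        switch (attr)
        {
            case "objectguid": return new Guid(bytes).ToString();
            case "objectsid":  return new SecurityIdentifier(bytes, 0).Value;
            default:           return BitConverter.ToString(bytes);   // any other binary value as hex
        }
    }

    static void Main(string[] args)
    {
        // Usage mirrors the README: LdapQuery.exe "LDAP://DC/dc=x,dc=y" "(objectClass=user)" 5
        Console.WriteLine("{0} object(s)", Run(args[0], args[1], int.Parse(args[2])));
    }
}
```

Like the tool itself, this produces LDAP traffic to the named DC, so the same OpSec note applies.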

RESOLVEHOST

Overview
This performs a DNS query using the host's DNS server.

Example
Resolve www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe resolvehost www.google.com

OpSec
This will generate a DNS query to the domain controller, but it is unlikely that anything will raise this as an alert due to the sheer volume of legitimate DNS requests.

INDEXSEARCH

Overview
This allows you to interact with Windows Search (formerly the Windows Indexing Service), which lets you search for interesting files and folders (and their contents) really quickly. E-mails are usually indexed, but network folders are not, so it may not be perfect for searching users' home directories if they are stored remotely. However, it is very fast.
The interface to Windows Search is SQL-like; this implementation allows you to, in effect, specify the contents of the 'WHERE' clause. It is easiest to explain by example, but you will need to read MSDN if you want to know every possible criterion.

Examples
Find everything that has been indexed which contains the word 'password' somewhere (i.e. searches the contents of files and e-mails):
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "CONTAINS('password')"
Find everything that has been indexed which has the word 'stufus' somewhere in the path or filename:
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemPathDisplay LIKE '%stufus%'"
Find everything that has been indexed which has the word 'stufus' in the filename OR contains the word 'secret':
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemName LIKE '%stufus%' OR CONTAINS('secret')"
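How the "supply only the WHERE clause" interface above maps onto the Windows Search OLE DB provider, as an added example (not Reconerator's code). It assumes the Search.CollatorDSO provider and the SystemIndex catalog that Windows Search exposes; the class and method names are mine.

```csharp
using System;
using System.Data.OleDb;   // System.Data.dll

// Added example, not Reconerator's own code. Queries the Windows Search index the way the
// 'indexsearch' verb does: the caller supplies only the WHERE clause (e.g. "CONTAINS('password')")
// and it is appended to a fixed SELECT over SystemIndex. The clause is operator-supplied input
// by design; the index is read-only and local, so there is no privilege boundary to protect here.
static class IndexSearch
{
    // Connection string for the local Windows Search OLE DB provider.
    const string ConnStr = "Provider=Search.CollatorDSO;Extended Properties='Application=Windows'";

    public static int Run(string whereClause)
    {
        string sql = "SELECT TOP 500 System.ItemPathDisplay, System.Size, System.DateModified "
                   + "FROM SystemIndex WHERE " + whereClause;
        int count = 0;
        using (var conn = new OleDbConnection(ConnStr))
        using (var cmd = new OleDbCommand(sql, conn))
        {
            conn.Open();   // throws if the Windows Search service is stopped or disabled
            using (OleDbDataReader rdr = cmd.ExecuteReader())
            {
                while (rdr.Read())
                {
                    count++;
                    // System.Size and System.DateModified are NULL for some item kinds (e.g. e-mails)
                    Console.WriteLine("{0}\t{1}\t{2}",
                        rdr.IsDBNull(0) ? "" : rdr.GetString(0),
                        rdr.IsDBNull(1) ? "" : rdr.GetValue(1).ToString(),
                        rdr.IsDBNull(2) ? "" : rdr.GetValue(2).ToString());
                }
            }
        }
        return count;
    }

    static void Main(string[] args)
    {
        // IndexSearch.exe "System.ItemName LIKE '%stufus%' OR CONTAINS('secret')"
        Console.WriteLine("{0} result(s)", Run(args[0]));
    }
}
```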

OpSec
I'm not aware of anything that would raise this as suspicious.

PROXYCHECK

Overview
This returns the proxy server that would be used to visit a given URL. This is to help with the situation where there may be different proxies for different URLs, or various complex exclusions in place. The URL of interest is passed as a parameter.
Note that if 'basic all' is specified (see above), it automatically includes a proxycheck to http://www.google.com, on the assumption that most organisations have one outbound proxy for all non-internal internet access.

Examples
Display the proxy server which will be used when visiting www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck www.google.com
Display the proxy server which will be used when visiting https://www.mwrinfosecurity.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck https://www.mwrinfosecurity.com
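The per-URL proxy resolution described above, as an added example using the .NET system proxy API (not Reconerator's own code). It also handles the scheme-less form in the first example above, which System.Uri would otherwise reject; the class and method names are mine.

```csharp
using System;
using System.Net;

// Added example, not Reconerator's own code. Resolves which proxy the current user's system
// proxy configuration (static settings, PAC script and bypass list) would use for a URL, as the
// 'proxycheck' verb does. A bare hostname such as www.google.com is given an http:// scheme
// first, because Uri requires one.
static class ProxyCheck
{
    public static string Resolve(string url)
    {
        if (!url.Contains("://")) url = "http://" + url;
        var target = new Uri(url);
        IWebProxy proxy = WebRequest.GetSystemWebProxy();   // the user's IE/WinINET proxy settings
        if (proxy.IsBypassed(target))
            return "DIRECT (bypass list, or no proxy configured)";
        Uri via = proxy.GetProxy(target);                    // PAC logic is evaluated here
        // GetProxy hands back the target itself when no proxy applies to it.
        return via == target ? "DIRECT" : via.ToString();
    }

    static void Main(string[] args)
    {
        // ProxyCheck.exe www.google.com https://www.mwrinfosecurity.com
        foreach (string u in args)
            Console.WriteLine("{0} -> {1}", u, Resolve(u));
    }
}
```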

OpSec
This is a local action and a legitimate one; I'm not aware of anything that would raise it as suspicious.

PRIVESCCHECK

Overview
This will explore a number of privilege escalation vectors and report on whether they are possible or not. Currently, that number is 1.
Much like the BASIC module above, 'privesccheck all' can be specified on the command line to attempt all checks, or a specific check can be specified if required.

Parameters
The verb 'privesccheck' needs to be passed on the command line, followed by the specific check that is required. If the word 'all' is passed as the second parameter, every check will be performed.
Check                  Description
alwaysinstallelevated  Determines whether the 'AlwaysInstallElevated' key is set to 1 or not. If set, this will run any MSI file as a local administrator.
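The registry check above written as an audit, as an added example (not Reconerator's own code). Windows Installer only honours AlwaysInstallElevated when the value is 1 under both HKLM and HKCU, so the example reports each hive and the combined verdict; the class and method names are mine.

```csharp
using System;
using Microsoft.Win32;

// Added example, not Reconerator's own code. Audits the AlwaysInstallElevated policy the way the
// 'alwaysinstallelevated' check does. The Windows Installer only honours the setting when it is
// 1 under BOTH hives, so a single hive set to 1 is a misconfiguration but not yet exploitable.
static class AlwaysInstallElevatedCheck
{
    const string PolicyKey = @"SOFTWARE\Policies\Microsoft\Windows\Installer";

    static int ReadValue(RegistryKey hive)
    {
        using (RegistryKey k = hive.OpenSubKey(PolicyKey, writable: false))
        {
            if (k == null) return 0;                         // key absent = policy not configured
            object v = k.GetValue("AlwaysInstallElevated");
            return v is int ? (int)v : 0;                    // anything but a REG_DWORD counts as off
        }
    }

    // Returns true only when the policy is effectively enabled; the out values show why.
    public static bool IsEnabled(out int machineValue, out int userValue)
    {
        machineValue = ReadValue(Registry.LocalMachine);
        userValue = ReadValue(Registry.CurrentUser);
        return machineValue == 1 && userValue == 1;
    }

    static void Main()
    {
        int hklm, hkcu;
        bool enabled = IsEnabled(out hklm, out hkcu);
        Console.WriteLine("HKLM AlwaysInstallElevated = {0}", hklm);
        Console.WriteLine("HKCU AlwaysInstallElevated = {0}", hkcu);
        Console.WriteLine(enabled
            ? "ENABLED: MSI packages install with elevated privileges; set both values to 0 via Group Policy."
            : "Not enabled.");
    }
}
```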

OpSec
Check                  Notes
alwaysinstallelevated  This is a local registry query; it is unlikely that anything will flag this as malicious.

Examples
Attempt all privilege escalation checks:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck all
Check only whether the AlwaysInstallElevated registry key is set:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck alwaysinstallelevated

Compiling
Compile this in Visual Studio 2017. It currently uses .NET v4. You can change that in the compilation preferences if you want to.