Reconerator - C# Targeted Assault Reconnaissance Tools
This is a custom .NET assembly which volition perform a publish of situational awareness activities. There are a publish of electrical current featuresets:
- BASIC - Obtains information from the disk too registry.
- LDAP - Allows customised AD LDAP queries to survive made.
- RESOLVEHOST - Performs DNS lookup queries.
- INDEXSEARCH - Searches the Windows Indexing Service for local files too e-mails (filename too content).
- PROXYCHECK - Displays the proxy server that volition survive used when attempting to access a provided URL.
- PRIVESCCHECK - Identifies privilege escalation vectors.
It is configured too controlled past times command line parameters, making it suitable for role amongst Beacon's
execute-assembly directive.BASIC
Overview
This obtains a publish of pieces of information from the host. Be warned that in that location powerfulness survive a LOT of output. It volition display:
- All environs variables (API)
- The hostname, workgroup too Windows version publish of the host (API)
- Word, Access, Excel, Publisher & Powerpoint Most Recently Used Documents for all versions installed (Registry)
- Word, Access, Excel, Publisher & Powerpoint Trusted Locations for all versions installed (Registry)
- Favourites (Bookmarks) too extracts the URL from the bookmark. Could survive interesting to easily notice sharepoint/confluence/wiki/self service payroll etc. (Disk)
- Mapped drives, including the displace letter, description too remote location (WMI)
- Installed applications, for all users too for the specific user exclusively (Registry)
Parameters
The verb 'basic' needs to survive passed on the command line, followed past times the specific cheque that is required. If the give-and-take 'all' is passed equally the 2nd parameter, every cheque volition survive performed.
| Check | Description |
|---|---|
| env | Displays all of the environs variables. |
| info | Displays the IP address of the host too the major/minor OS version identifier. |
| mru | Searches diverse "most of late used" lists. These currently comprise the Run box history too the Office file too path MRU for all versions of Word, Excel, Powerpoint, Access, Publisher too Visio. It too displays the location of the particular "Recent" folder. |
| favourites | Displays the URLs stored inwards the favourites folder (which is basically the user's bookmarks). It currently does non back upwards subfolders; I'll ask to laid upwards that. |
| mappeddrives | Displays the network mapped drives from the user's session. Useful for apace finding key file shares too abode directories. If it is mapped, it likely contains useful data. |
| installedapplications | Lists the applications that bring been installed. This includes applications which bring been installed equally an admin (on the local machine) AND applications which bring been installed past times the electrical current user. They are listed inwards different places inwards the registry. |
Examples
Perform all basic checks:
beacon> execute-assembly /tmp/Reconerator.exe or beacon> execute-assembly /tmp/Reconerator.exe basic allPerform mru enumeration only:
beacon> execute-assembly /tmp/Reconerator.exe basic mruList the mapped drives only:
beacon> execute-assembly /tmp/Reconerator.exe basic mappeddrivesOpSec
Reasonably safe. This is querying the scheme registry; it is unlikely to survive monitored.
Limitations (and farther work)
- You can't selection too direct what you lot desire - its all or nothing.
- Favourites create non recurse through directories
- Missing a charge of stuff.
LDAP
This allows you lot to perform an LDAP query. The easiest agency of demonstrating this is past times example.
Examples
This volition present all users on the domain 'dc=stufus,dc=lan' amongst W2K8DC equally a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 0This volition present a maximum of five users on the domain 'dc=stufus,dc=lan' amongst W2K8DC equally a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "objectClass=user" 5This volition present all members of the domain admin grouping on the domain 'dc=stufus,dc=lan' amongst W2K8DC equally a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2K8DC/dc=stufus,dc=lan" "(&(objectClass=group)(cn=Domain Admins))" 0This volition present all members of the domain admin or corporation admin groups on the domain 'dc=stufus,dc=lan' amongst W2012DC equally a domain controller:
beacon> execute-assembly /tmp/Reconerator.exe ldap "LDAP://W2012DC/dc=stufus,dc=lan" "(&(objectClass=group)(|(cn=Enterprise Admins)(cn=Domain Admins)))" 0OpSec
This volition generate network traffic to the domain controller that you lot specify. For the avoidance of doubt, it uses LDAP (as opposed to RPC or similar), too ATA does non seem to selection it upwards at the minute (as of 15/06/18).
Limitations (and farther work)
- Its a petty untidy
- It won't display anything that isn't a .NET string (needs to a greater extent than parsing)
- Can't specify specific fields/attributes to show
- You ask to run out the DC yourself (you tin flaming larn that from the LOGONSERVER environs variable) too run out the DN yourself. I'll larn circular to retrieving that automatically at around point.
RESOLVEHOST
Overview
This performs a DNS enquiry using the host's DNS server.
Example
Resolve www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe resolvehost www.google.comOpSec
This volition generate a DNS enquiry to the domain controller, but it is unlikely that anything volition enhance this equally an warning due to the sheer mass of legitimate DNS requests.
INDEXSEARCH
Overview
This allows you lot to interact amongst Windows Search (formerly the Windows Indexing Service) which volition allow you lot to search for interesting files too folders (and their contents) actually quickly. E-Mails are unremarkably indexed, but network folders are not, too hence it may non survive perfect for searching users' abode directories if they are stored remotely. However, it is really fast.
The interface to Windows Search is SQL-like; this implementation allows you lot to, inwards effect, specify the contents of the 'WHERE' clause. It is easiest to explicate past times example, but you lot volition ask to read MSDN if you lot desire to know every possible criteria.
Examples
Find everything that has been indexed which contains the give-and-take 'password' inwards it somewhere (i.e. searches the contents of files too e-mails):
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "CONTAINS('password')"Find everything that has been indexed which has the give-and-take 'stufus' inwards the path or filename somewhere:
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemPathDisplay LIKE '%stufus%'"Find everything that has been indexed which has the give-and-take 'stufus' inwards the filename OR contains the give-and-take 'secret':
beacon> execute-assembly /tmp/Reconerator.exe indexsearch "System.ItemName LIKE '%stufus%' OR CONTAINS('secret')"OpSec
I'm non aware of anything that would enhance this equally suspicious.
PROXYCHECK
Overview
This returns the proxy server that would survive used to see a given URL. This is to care amongst the province of affairs where in that location may survive different proxies for different URLs, or diverse complex exclusions inwards place. The URL of involvement is passed equally a parameter.
Note that if 'basic all' is specified (see above), it automatically includes a proxycheck to http://www.google.com, on the supposition that most organisations bring ane outbound proxy for all non-internal cyberspace access.
Examples
Display the proxy server which volition survive used when visiting www.google.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck www.google.comDisplay the proxy server which volition survive used when visiting https://www.mwrinfosecurity.com:
beacon> execute-assembly /tmp/Reconerator.exe proxycheck https://www.mwrinfosecurity.comOpSec
This is a local activeness too a legitimate one; I'm non aware of anything that would enhance it equally suspicious.
PRIVESCCHECK
Overview
This volition explore a publish of privilege escalation vectors too written report on whether they are possible or not. Currently, that publish is 1.
Much similar the BASIC module above,
privesccheck all tin flaming survive specified on the command trouble to sweat all checks, or a specific cheque tin flaming survive specified if required.Parameters
The verb 'basic' needs to survive passed on the command line, followed past times the specific cheque that is required. If the give-and-take 'all' is passed equally the 2nd parameter, every cheque volition survive performed.
| Check | Description |
|---|---|
| alwaysinstallelevated | Determine whether the 'AlwaysInstallElevated' key is laid to 1 or not. If set, this volition run whatever MSI file equally a local administrator. |
OpSec
| Check | Notes |
|---|---|
| alwaysinstallelevated | This is a local registry query; it is unlikely that anything volition flag this equally malicious. |
Examples
Attempt all privilege escalation checks:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck allCheck whether the AlwaysInstallElevated registry key is laid only:
beacon> execute-assembly /tmp/Reconerator.exe privesccheck alwaysinstallelevatedCompiling
Compile this inwards Visual Studio 2017. It currently uses .NET v4. You tin flaming alter that inwards the compilation preferences if you lot desire to.
