Veil-PowerView - NovaHackers

These slides detail Veil-Powerview, a pure powershell tool for situational awareness on Windows domains.

Published in: Technology
Veil-PowerView: Situational Awareness With Powershell
Will @harmj0y
Veris Group

$ whoami
● Security researcher and penetration tester for Veris Group
● Co-founder of the Veil-Framework #avlol
  ○ www.veil-framework.com
  ○ Shmoocon ‘14: AV Evasion with the Veil Framework
  ○ co-wrote Veil-Evasion, wrote Veil-Catapult
● BSides ATX ‘14: Wielding a Cortana
● https://github.com/HarmJ0y/

tl;dr
● Situational Awareness; redux
● Veil-PowerView
● Net-*
● Run-Netview
● Run-ShareFinder
● Run-FindLocalAdminAccess
● Run-UserHunter
● Run-StealthUserHunter

Situational Awareness; redux
● Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration
● Old schoolz:
  ○ net group /domain
  ○ net group “domain admins” /domain
  ○ net users /domain
  ○ net user “jsmith” /domain
  ○ net view \\hostname
  ○ blah blah blah

Why Powershell?
● Really need to say anything?
● Whitelisted, trusted execution, full .NET capabilities, etc.
● It’s the “new hotness”
  ○ PowerSploit
  ○ Posh-SecMod

Veil-PowerView
● Arose partially because a client banned “net” commands on domain machines
  ○ annoying, but only a minor roadblock
● Otherwise initially inspired by Rob Fuller’s netview.exe tool
● Wanted something a bit more flexible that also didn’t drop a binary to disk

Net-*
● Full-featured replacements for almost all “net *” commands, utilizing powershell AD hooks and various API calls
● Net-Users, Net-Group, Net-Servers, Net-Sessions, Net-Loggedon, etc.
● See README.md for the complete list, and the function descriptions for usage options

Meta-Functions
now the fun stuff

Run-Netview
● Full powershell port of @mubix’s netview.exe
● Queries the domain for all hosts with Net-Servers, then runs Net-Sessions, Net-Share, and Net-Loggedon on targets
● Can take an optional hostlist, has the ability to exclude common shares, and can utilize a delay/jitter between host enumerations

Run-ShareFinder
● Finds non-standard shares on machines in the domain
● Queries for all servers using Net-Servers, then runs Net-Share on each host, excluding standard shares (C$, IPC$, PRINT$, etc.)
● Also can utilize the delay/jitter between host enumerations

Run-FindLocalAdminAccess
● Port of the local_admin_search_enum.rb Metasploit module
● Finds machines on the local domain where the current user has local administrator access
● Utilizes the OpenSCManagerA API call

Run-UserHunter
● Goal: find which domain machines specific users are logged into
● Accepts a username, userlist, or domain group, and accepts a host list or queries the domain for available hosts using Net-Servers
● Runs Net-Sessions and Net-Loggedon against every server in the target list

Run-UserHunter
● Compares the results against the target user list, noting when it finds a machine a target user is logged into
● Can also check found machines using Net-CheckLocalAdminAccess
● Option to utilize the delay/jitter

Run-StealthUserHunter
● Issues one query to get all users in the domain, and extracts all servers from user.HomeDirectories
● Runs one Net-Sessions call against each file server, comparing the results against the target user list
● Finds users with significantly less traffic than Run-UserHunter!
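The defender's view of the meta-functions above is an added example, not code from these slides or from Veil-PowerView: Run-Netview, Run-ShareFinder, Run-UserHunter and Run-StealthUserHunter all reach many hosts from one account through the IPC$ share, opening the srvsvc named pipe (NetSessionEnum / NetShareEnum, behind Net-Sessions and Net-Share) or the wkssvc pipe (NetWkstaUserEnum, behind Net-Loggedon). Each target records such a check as Security event 5145 when detailed file share auditing is on, so a collector can spot one account fanning out across the domain. The Python below parses a simplified, constructed record layout (timestamp, account, source address, target host, share, relative target) and flags any account/source pair that touches at least `min_hosts` distinct hosts over IPC$ within `window`; the log lines, host names and thresholds are all made up for the example.

```python
"""Flag sweep-style SMB session/share enumeration in share-access records.

Added detection example; the record format is a constructed simplification
of the fields in Windows Security event 5145 (Detailed File Share).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes used by the RPC calls the slides' Net-* functions wrap:
# srvsvc -> NetSessionEnum / NetShareEnum, wkssvc -> NetWkstaUserEnum.
ENUM_PIPES = {"srvsvc", "wkssvc"}

# Constructed sample log: one line per share-access check.
# Fields: time, account, source address, target host, share, relative target.
SAMPLE_LOG = r"""
2014-05-01T10:00:01 CORP\jsmith 10.0.0.50 FS01 \\*\IPC$ srvsvc
2014-05-01T10:00:07 CORP\jsmith 10.0.0.50 FS02 \\*\IPC$ srvsvc
2014-05-01T10:00:16 CORP\jsmith 10.0.0.50 WS-ACCT3 \\*\IPC$ wkssvc
2014-05-01T10:00:20 CORP\jsmith 10.0.0.50 WS-ACCT3 \\*\IPC$ srvsvc
2014-05-01T10:00:31 CORP\jsmith 10.0.0.50 FS03 \\*\IPC$ srvsvc
2014-05-01T10:00:45 CORP\jsmith 10.0.0.50 DC01 \\*\IPC$ srvsvc
2014-05-01T10:01:02 CORP\jsmith 10.0.0.50 WS-HR7 \\*\IPC$ srvsvc
2014-05-01T10:00:05 CORP\backup 10.0.0.9 FS01 \\*\FS01-DATA reports\q1.xlsx
2014-05-01T10:00:09 CORP\backup 10.0.0.9 FS01 \\*\FS01-DATA reports\q2.xlsx
2014-05-01T10:02:00 CORP\mlee 10.0.0.77 FS02 \\*\IPC$ srvsvc
"""


def parse_records(text):
    """Parse the whitespace-separated sample format; blank/malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, account, source, host, share, target = parts
        records.append({
            "time": datetime.fromisoformat(ts),
            "account": account,
            "source": source,
            "host": host,
            "share": share,
            "target": target,
        })
    return records


def is_enum_access(rec):
    """True when the record is an IPC$ access to one of the enumeration pipes."""
    return rec["share"].upper().endswith("IPC$") and rec["target"].lower() in ENUM_PIPES


def find_sweeps(records, window=timedelta(minutes=10), min_hosts=5):
    """Return one alert per (account, source) that enumerated >= min_hosts
    distinct hosts inside any `window`-long span. Distinct hosts, not raw
    event rate, are counted so that a delay/jitter between hosts (which the
    slides describe as an option) does not hide the sweep on its own."""
    by_actor = defaultdict(list)
    for rec in records:
        if is_enum_access(rec):
            by_actor[(rec["account"], rec["source"])].append(rec)

    alerts = []
    for (account, source), recs in by_actor.items():
        recs.sort(key=lambda r: r["time"])
        best = None
        for i, start in enumerate(recs):
            hosts, last = set(), start["time"]
            for rec in recs[i:]:
                if rec["time"] - start["time"] > window:
                    break
                hosts.add(rec["host"])
                last = rec["time"]
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "source": source, "hosts": sorted(hosts),
                        "first": start["time"], "last": last}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_sweeps(parse_records(SAMPLE_LOG)):
        print(f"{alert['account']} from {alert['source']} enumerated "
              f"{len(alert['hosts'])} hosts between {alert['first']} and {alert['last']}: "
              f"{', '.join(alert['hosts'])}")
```

Run it as a script and the jsmith sweep across six hosts is reported while the backup job (normal file access, not IPC$) and the single mlee lookup are not. The window and host threshold are the tuning knobs: a sweep that spaces hosts further apart than `window` slips through, so size the window to the pace of legitimate administration in the environment rather than to the sample.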
Demo

Questions?
● Contact me:
  ○ @harmj0y
  ○ harmj0y@veil-framework.com
● Read more:
  ○ https://www.veil-framework.com/veil-powerview/
  ○ https://www.veil-framework.com/hunting-users-veil-framework/
● Get Veil-PowerView
  ○ https://github.com/Veil-Framework/Veil-PowerView
  ○ In PowerSploit soon!