Invoke-HostRecon - Empire Module

This page contains detailed information about how to use the powershell/situational_awareness/host/hostrecon Empire module. For list of all Empire modules, visit the Empire Module Library.

Module Overview

---

Name: Invoke-HostRecon
Module: powershell/situational_awareness/host/hostrecon
Source code [1]: empire/server/modules/powershell/situational_awareness/host/hostrecon.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/HostRecon.ps1
MITRE ATT&CK: T1082
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No

Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase It gathers information about the local system, users, and domain information.

This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.

Note that the hostrecon module does not need administrative privileges to work properly which means that a normal user can run this module.

Required Module Options

---

This is a list of options that are required by the hostrecon module:

Agent
Agent to enumerate trusted documents from.

Additional Module Options

---

This is a list of additional options that are supported by the hostrecon module:

OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String.
Suggested values: Out-String, ConvertTo-Json, ConvertTo-Csv, ConvertTo-Html, ConvertTo-Xml.

Hostrecon Example Usage

---

Here's an example of how to use the hostrecon module in the Empire client console:

[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/hostrecon

 Author       @mishradhiraj_                                                       
 Background   False                                                                
 Comments     Original .ps1 file                                                   
              https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1      
 Description  Invoke-HostRecon runs a number of checks on a system to help provide 
              situational awareness to a penetration tester during the             
              reconnaissance phase It gathers information about the local system,  
              users, and domain information.                                       
 Language     powershell                                                           
 Name         powershell/situational_awareness/host/hostrecon                      
 NeedsAdmin   False                                                                
 OpsecSafe    True                                                                 
 Techniques   http://attack.mitre.org/techniques/T1082                             


,Record Options--,------------,----------,-------------------------------------,
| Name           | Value      | Required | Description                         |
|----------------|------------|----------|-------------------------------------|
| Agent          |            | True     | Agent to enumerate trusted          |
|                |            |          | documents from.                     |
|----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False    | PowerShell's output function to use |
|                |            |          | ("Out-String", "ConvertTo-Json",    |
|                |            |          | "ConvertTo-Csv", "ConvertTo-Html",  |
|                |            |          | "ConvertTo-Xml").                   |
'----------------'------------'----------'-------------------------------------'

(Empire: usemodule/powershell/situational_awareness/host/hostrecon) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/hostrecon) > execute
[*] Tasked Y4LHEV83 to run Task 1
...

Now wait for the results to come.

Author

---

• @mishradhiraj_

References

---

• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/hostrecon.yaml
• https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/HostRecon.ps1
• https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1
• http://attack.mitre.org/techniques/T1082
• http://techibee.com/powershell/query-list-of-listening-ports-in-windows-using-powershell/2344

See Also

---

Check also the following modules related to this module:

• powershell/situational_awareness/host/winenum
• powershell/situational_awareness/host/applockerstatus
• powershell/situational_awareness/host/get_uaclevel
• powershell/situational_awareness/host/dnsserver
• powershell/situational_awareness/host/antivirusproduct
• powershell/situational_awareness/host/get_pathacl
• powershell/situational_awareness/host/get_proxy
• powershell/situational_awareness/host/findtrusteddocuments
• powershell/situational_awareness/host/monitortcpconnections
• powershell/situational_awareness/host/seatbelt
• powershell/situational_awareness/host/paranoia
• powershell/situational_awareness/host/computerdetails
• python/situational_awareness/host/multi/WorldWriteableFileSearch
• python/situational_awareness/host/multi/SuidGuidSearch
• python/situational_awareness/host/osx/situational_awareness
• python/situational_awareness/host/osx/HijackScanner
• csharp/GhostPack/Rubeus
• csharp/GhostPack/SharpDPAPI
• csharp/GhostPack/SharpUp
• csharp/GhostPack/SharpDump
• csharp/GhostPack/Seatbelt
• csharp/GhostPack/SharpWMI
• python/situational_awareness/network/gethostbyname

Version

---

This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.