Invoke-HostRecon - Empire Module
This page contains detailed information about how to use the powershell/situational_awareness/host/hostrecon Empire module. For list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-HostRecon
Module: powershell/situational_awareness/host/hostrecon
Source code [1]: empire/server/modules/powershell/situational_awareness/host/hostrecon.yaml
Source code [2]: empire/server/data/module_source/situational_awareness/host/HostRecon.ps1
MITRE ATT&CK:
T1082
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
Invoke-HostRecon runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase It gathers information about the local system, users, and domain information.
This module runs in a foreground and is OPSEC unsafe as it writes on the disk and therefore could be detected by AV/EDR running on the target system.
Note that the hostrecon module does not need administrative privileges to work properly which means that a normal user can run this module.
Required Module Options
This is a list of options that are required by the hostrecon module:
Agent
Agent to enumerate trusted documents from.
Additional Module Options
This is a list of additional options that are supported by the hostrecon module:
OutputFunction
PowerShell's output function to use ("Out-String", "ConvertTo-Json", "ConvertTo-Csv", "ConvertTo-Html", "ConvertTo-Xml").
Default value: Out-String
.
Suggested values: Out-String
, ConvertTo-Json
, ConvertTo-Csv
, ConvertTo-Html
, ConvertTo-Xml
.
Hostrecon Example Usage
Here's an example of how to use the hostrecon module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/situational_awareness/host/hostrecon
Author @mishradhiraj_
Background False
Comments Original .ps1 file
https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1
Description Invoke-HostRecon runs a number of checks on a system to help provide
situational awareness to a penetration tester during the
reconnaissance phase It gathers information about the local system,
users, and domain information.
Language powershell
Name powershell/situational_awareness/host/hostrecon
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1082
,Record Options--,------------,----------,-------------------------------------,
| Name | Value | Required | Description |
|----------------|------------|----------|-------------------------------------|
| Agent | | True | Agent to enumerate trusted |
| | | | documents from. |
|----------------|------------|----------|-------------------------------------|
| OutputFunction | Out-String | False | PowerShell's output function to use |
| | | | ("Out-String", "ConvertTo-Json", |
| | | | "ConvertTo-Csv", "ConvertTo-Html", |
| | | | "ConvertTo-Xml"). |
'----------------'------------'----------'-------------------------------------'
(Empire: usemodule/powershell/situational_awareness/host/hostrecon) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/situational_awareness/host/hostrecon) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come.
Author
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/situational_awareness/host/hostrecon.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/situational_awareness/host/HostRecon.ps1
- https://github.com/dafthack/HostRecon/blob/master/HostRecon.ps1
- http://attack.mitre.org/techniques/T1082
- http://techibee.com/powershell/query-list-of-listening-ports-in-windows-using-powershell/2344
See Also
Check also the following modules related to this module:
- powershell/situational_awareness/host/winenum
- powershell/situational_awareness/host/applockerstatus
- powershell/situational_awareness/host/get_uaclevel
- powershell/situational_awareness/host/dnsserver
- powershell/situational_awareness/host/antivirusproduct
- powershell/situational_awareness/host/get_pathacl
- powershell/situational_awareness/host/get_proxy
- powershell/situational_awareness/host/findtrusteddocuments
- powershell/situational_awareness/host/monitortcpconnections
- powershell/situational_awareness/host/seatbelt
- powershell/situational_awareness/host/paranoia
- powershell/situational_awareness/host/computerdetails
- python/situational_awareness/host/multi/WorldWriteableFileSearch
- python/situational_awareness/host/multi/SuidGuidSearch
- python/situational_awareness/host/osx/situational_awareness
- python/situational_awareness/host/osx/HijackScanner
- csharp/GhostPack/Rubeus
- csharp/GhostPack/SharpDPAPI
- csharp/GhostPack/SharpUp
- csharp/GhostPack/SharpDump
- csharp/GhostPack/Seatbelt
- csharp/GhostPack/SharpWMI
- python/situational_awareness/network/gethostbyname
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.