2. $ whoami
● Security researcher and penetration tester for Veris Group
● Co-founder of the Veil-Framework #avlol
○ www.veil-framework.com
○ Shmoocon ‘14: AV Evasion with the Veil Framework
○ co-wrote Veil-Evasion, wrote Veil-Catapult
● BSides ATX ‘14: Wielding a Cortana
● https://github.com/HarmJ0y/
4. Situational Awareness; redux
● Goal: Gain an understanding of an exploited host/network to aid in deeper infiltration
● Old schoolz:
○ net group /domain
○ net group “domain admins” /domain
○ net users /domain
○ net user “jsmith” /domain
○ net view //hostname
○ blah blah blah
5. Why Powershell?
● Really need to say anything?
● Whitelisted, trusted execution, full .NET capabilities, etc.
● It’s the “new hotness”
○ PowerSploit
○ Posh-SecMod
6. Veil-PowerView
● Arose partially because a client banned “net” commands on domain machines
○ annoying, but only a minor roadblock
● Otherwise initially inspired by Rob Fuller’s netview.exe tool
● Wanted something a bit more flexible that also didn’t drop a binary to disk
7. Net-*
● Full-featured replacements for almost all “net *” commands, utilizing PowerShell AD hooks and various API calls
● Net-Users, Net-Group, Net-Servers, Net-Sessions, Net-Loggedon, etc.
● See README.md for complete list, and function descriptions for usage options
9. Run-Netview
● Full PowerShell port of @mubix’s netview.exe
● Queries the domain for all hosts with Net-Servers, then runs Net-Sessions, Net-Share, and Net-Loggedon on targets
● Can take an optional hostlist, has the ability to exclude common shares, and can utilize a delay/jitter between host enumerations
10. Run-ShareFinder
● Finds non-standard shares on machines in the domain
● Queries for all servers using Net-Servers, then runs Net-Share on each host, excluding standard shares (C$, IPC$, PRINT$, etc.)
● Also can utilize the delay/jitter between host enumerations
11. Run-FindLocalAdminAccess
● Port of local_admin_search_enum.rb Metasploit module
● Finds machines on the local domain where the current user has local administrator access
● Utilizes the OpenSCManagerA API call
12. Run-UserHunter
● Goal: find which domain machines specific users are logged into
● Accepts a username, userlist, or domain group, and accepts a host list or queries the domain for available hosts using Net-Servers
● Runs Net-Sessions and Net-Loggedon against every server in the target list
13. Run-UserHunter
● Compares the results against the target user list, noting when it finds where a target user is logged into
● Can also check found machines using Net-CheckLocalAdminAccess
● Option to utilize the delay/jitter
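Seen from the defender's side, Run-Netview, Run-ShareFinder, Run-FindLocalAdminAccess and Run-UserHunter all produce the same pattern: one account, from one source, reaches the IPC$ named pipes (srvsvc, wkssvc, svcctl) of many hosts within minutes. Banning the "net" commands (slide 6) does not change this, because the API calls travel over the same pipes. Each touched host records Security event 5145 when object-access auditing for file shares is enabled, so a central log collector can count the fan-out. The block below is an added example for this page, not PowerView or Veil code: it flags that pattern over constructed sample events. The one-line-per-event format, the 10-minute window, the five-host threshold and the pipe-to-activity labels are this example's assumptions.

```python
"""Fan-out detector for Windows share/pipe access events (added example).

Assumes Security event 5145 ("A network share object was checked to see
whether client can be granted desired access") is forwarded from every host
and flattened to one pipe-delimited line per event, as constructed below.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Named pipes under IPC$ that carry the enumeration calls behind the Net-*
# functions. The labels are this example's assumption, not PowerView output.
PIPE_TO_ACTIVITY = {
    "srvsvc": "session/share enumeration",                   # NetSessionEnum / NetShareEnum
    "wkssvc": "logged-on user enumeration",                  # NetWkstaUserEnum
    "svcctl": "service manager access (local-admin check)",  # OpenSCManager
}

# Constructed sample events (not real logs):
# time | host that logged the event | account | source ip | share | relative target
SAMPLE_EVENTS = """\
2014-03-10T09:00:01|WKS01|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|srvsvc
2014-03-10T09:00:03|WKS02|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|srvsvc
2014-03-10T09:00:04|WKS02|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|wkssvc
2014-03-10T09:00:06|WKS03|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|srvsvc
2014-03-10T09:00:09|FS01|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|srvsvc
2014-03-10T09:00:12|WKS04|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|svcctl
2014-03-10T09:00:15|WKS05|CORP\\jdoe|10.0.0.50|\\\\*\\IPC$|srvsvc
2014-03-10T09:01:00|FS01|CORP\\asmith|10.0.0.77|\\\\*\\DATA|reports\\q1.xlsx
2014-03-10T09:02:00|FS01|CORP\\helpdesk|10.0.0.80|\\\\*\\IPC$|srvsvc
2014-03-10T14:30:00|WKS09|CORP\\helpdesk|10.0.0.80|\\\\*\\IPC$|wkssvc
"""


def parse_events(text):
    """Turn the pipe-delimited sample lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, src, share, target = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "host": host,
            "account": account,
            "src": src,
            "share": share,
            "target": target,
        })
    return events


def detect_fan_out(events, window=timedelta(minutes=10), min_hosts=5):
    """Return one finding per (account, source) that reached the enumeration
    pipes of at least min_hosts distinct hosts inside a single window."""
    by_actor = defaultdict(list)
    for e in events:
        # Only IPC$ pipe access counts; ordinary file-share traffic is ignored.
        if e["share"].endswith("IPC$") and e["target"].lower() in PIPE_TO_ACTIVITY:
            by_actor[(e["account"], e["src"])].append(e)

    findings = []
    for (account, src), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window starting at each event of this actor.
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            hosts = sorted({e["host"] for e in in_window})
            if len(hosts) >= min_hosts:
                findings.append({
                    "account": account,
                    "src": src,
                    "first_seen": start["time"].isoformat(),
                    "hosts": hosts,
                    "activities": sorted({PIPE_TO_ACTIVITY[e["target"].lower()]
                                          for e in in_window}),
                })
                break  # one finding per actor is enough for triage
    return findings


if __name__ == "__main__":
    for f in detect_fan_out(parse_events(SAMPLE_EVENTS)):
        print(f"{f['account']} from {f['src']} at {f['first_seen']}: "
              f"{len(f['hosts'])} hosts, {', '.join(f['activities'])}")
```

The two helpdesk events are hours apart and hit one host each, so they stay below the threshold; the asmith line is plain file access on a data share and is never counted. Lowering the window or threshold trades false positives for sensitivity; the delay/jitter options on slides 9, 10 and 13 exist precisely to stretch the fan-out past a short window, so a production rule should also keep a longer daily distinct-host count per account.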
14. Run-StealthUserHunter
● Issues one query to get all users in the domain, and extracts all servers from user.HomeDirectories
● Runs one Net-Sessions call against each file server, comparing the results against the target user list
● Finds users with significantly less traffic than Run-UserHunter!
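The low-traffic approach matters for detection: a per-host fan-out count on workstations never fires, because the only footprint is one LDAP query against a domain controller and one session enumeration per file server. A defender can derive that file-server set the same way the slide describes, from the homeDirectory attribute, and concentrate srvsvc session-enumeration auditing on exactly those machines. The block below is an added example for this page, not PowerView or Veil code; the homeDirectory values, the corp.local suffix and the DFS-namespace handling are constructed assumptions.

```python
"""Derive the file servers a homeDirectory-based session hunt would query
(added example). Input is a constructed list of homeDirectory values as an
LDAP query of all domain users might return them, including edge cases.
"""
from collections import Counter

# Constructed sample attribute values (not from a real directory).
SAMPLE_HOME_DIRS = [
    r"\\FS01\home\jdoe",
    r"\\fs01\HOME\asmith",            # same server, different case
    r"\\FS02\users\bjones",
    r"\\fs02.corp.local\users\ckim",  # FQDN form of the same server
    r"\\corp.local\dfs\home\dlee",    # DFS namespace root, not a physical server
    r"C:\Users\evans",                # local profile path, nothing to query
    "",                               # attribute unset
    r"\\\\FS03\home\x",               # malformed value
]


def unc_host(path):
    """Return the lowercase host component of a UNC path, or None when the
    value is empty, local, or malformed."""
    if not path or not path.startswith("\\\\"):
        return None
    host, _, share = path[2:].partition("\\")
    if not host or not share:
        return None
    return host.lower()


def home_dir_servers(home_dirs, domain_suffix="corp.local"):
    """Count users per home-directory server.

    Returns (servers, namespaces, skipped): physical servers with short
    names, DFS namespace roots whose real targets must be resolved
    separately, and the number of values that yielded no host.
    """
    servers, namespaces, skipped = Counter(), Counter(), 0
    for value in home_dirs:
        host = unc_host(value)
        if host is None:
            skipped += 1
            continue
        if host == domain_suffix:
            # A domain name as the host means a DFS root; the session query
            # would hit whichever target the namespace refers to.
            namespaces[host] += 1
            continue
        if host.endswith("." + domain_suffix):
            host = host[: -len(domain_suffix) - 1]  # fold FQDN into short name
        servers[host] += 1
    return servers, namespaces, skipped


def audit_targets(home_dirs, domain_suffix="corp.local"):
    """Sorted list of servers on which to audit session enumeration."""
    servers, _, _ = home_dir_servers(home_dirs, domain_suffix)
    return sorted(servers)


if __name__ == "__main__":
    servers, namespaces, skipped = home_dir_servers(SAMPLE_HOME_DIRS)
    for host, n in servers.most_common():
        print(f"{host}: {n} home directories")
    for root, n in namespaces.items():
        print(f"{root}: {n} DFS-rooted paths, resolve targets before auditing")
    print(f"{skipped} values skipped")
```

The user counts per server indicate where a single Net-Sessions call would reveal the most users, which is also where a decoy session or a session-enumeration audit rule pays off most. DFS roots are reported separately because the namespace, not the directory attribute, decides which file server actually answers.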