windows_recon

The windows_recon playbook utilizes an existing C2 agent and Active Directory Domain Controller to perform several Windows-oriented reconnaissance activities. This playbook does not create the required C2 agent and Active Directory Domain Controller components, so they must be initialized by another playbook such as the c2_with_ad_dc playbook.

Requirements

Running this playbook requires the following pre-existing components:

  • A PowerShell Empire container task with an established connection from a C2 agent.
  • A remote Trainman container task in the monitored network that is running an Active Directory Domain Controller as provisioned by the run_ad_dc command.

    Note that the C2 agent is typically running on a remote Trainman container task in the monitored network. If this is the case, the remote Trainman container task that is running the C2 agent should be on a separate physical host from the remote Trainman container task that is running the Active Directory Domain Controller if you expect your network monitoring capabilities to observe traffic between the two containers.

Architecture

The architecture and workflow of this playbook are shown in the following diagram:

[architecture diagram]

Configuration

To configure this playbook, use the ./havoc -c CLI option, select the number associated with the windows_recon playbook and provide the requested details:

$./havoc -c
1) c2_and_http_server                7) pse_recon_portscan
2) c2_with_ad_dc                     8) pse_recon_reverse_dns
3) cve_2021_44228_exploit_and_c2     9) pse_recon_share_finder
4) cve_2021_44228_testing           10) simple_exfil
5) pse_lateral_movement_invoke_wmi  11) windows_exfil
6) pse_recon_bloodhound             12) windows_recon
Select a playbook to install: 12
Configuring playbook windows_recon.
If you have previously configured this playbook, configuring it again will delete the existing configuration.
Are you sure you want to continue? [Y/N]: Y
Creating a customized windows_recon.ini file.
Provide a value for each parameter.
Press enter without providing a value to accept the default.

[c2_task]
task_name [c2-http_MM_dd_YYYY_HH_mm]: <c2_task_name>
agent_name [1w2x3y4z]: <agent_name>
cidr [192.168.1.0/24]: <CIDRs_to_recon>
command_list [nmap -sS -Pn -p 1-1024 $CIDR, cme smb $CIDR -u $USER_NAME -p $USER_PASSWORD, cme smb $CIDR -u $USER_NAME -p $USER_PASSWORD --shares, cme smb $CIDR -u $USER_NAME -p $USER_PASSWORD --users, cme smb $CIDR -u $USER_NAME -p $USER_PASSWORD --groups, rpcclient -U $USER_NAME%%$USER_PASSWORD -c lsaquery $TARGET, rpcclient -U $USER_NAME%%$USER_PASSWORD -c dsroledominfo $TARGET, rpcclient -U $USER_NAME%%$USER_PASSWORD -c enumprivs $TARGET, rpcclient -U $USER_NAME%%$USER_PASSWORD -c enumdomgroups $TARGET, rpcclient -U $USER_NAME%%$USER_PASSWORD -c netshareenumall $TARGET]: <recon_commands>

[remote_ad_task]
task_name [remote_trainman_ad]: <remote_trainman_ad_task_name>
ad_tld [local]: <top_level_domain_of_ad>
ad_domain [samdom]: <ad_domain>
ad_realm [SAMDOM.LOCAL]: <ad_realm>
user_name [jdisco]: <user_name>
user_password [user_password_152637]: <user_password>
admin_password [samdom_password_152637]: <admin_password>

<snip - installing required Python modules>

Playbook windows_recon configured.
$
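The command_list templates above reference $CIDR, $USER_NAME, $USER_PASSWORD and $TARGET, and the rpcclient entries write `%%` because an INI file escapes a literal `%` that way. The following Python is an added example, not code from the ./havoc project: it parses a windows_recon.ini like the one produced above, runs a few pre-flight checks (required keys present, every CIDR parses, ad_realm agrees with ad_domain.ad_tld) and shows how the templates resolve into concrete commands. The placeholder meanings, the bracketed list format and the use of $TARGET for the Domain Controller address are assumptions; the page does not describe the playbook's own substitution logic.

```python
import configparser
import ipaddress
from string import Template

# Constructed sample windows_recon.ini mirroring the parameters shown above.
# "%%" is how an INI file escapes a literal "%" for configparser interpolation.
SAMPLE_INI = """\
[c2_task]
task_name = c2-http_01_01_2022_00_00
agent_name = 1w2x3y4z
cidr = 192.168.1.0/24
command_list = [nmap -sS -Pn -p 1-1024 $CIDR, cme smb $CIDR -u $USER_NAME -p $USER_PASSWORD --shares, rpcclient -U $USER_NAME%%$USER_PASSWORD -c lsaquery $TARGET]

[remote_ad_task]
task_name = remote_trainman_ad
ad_tld = local
ad_domain = samdom
ad_realm = SAMDOM.LOCAL
user_name = jdisco
user_password = user_password_152637
admin_password = samdom_password_152637
"""

# Keys the configuration walkthrough above prompts for, per section.
REQUIRED_KEYS = {
    "c2_task": ("task_name", "agent_name", "cidr", "command_list"),
    "remote_ad_task": ("task_name", "ad_tld", "ad_domain", "ad_realm",
                       "user_name", "user_password", "admin_password"),
}


def load_config(text):
    """Parse INI text; default interpolation turns '%%' into a literal '%'."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    return cfg


def split_list(value):
    """Split a (optionally bracketed) comma-separated INI value into items.

    The bracketed form is an assumption based on how the defaults are shown.
    """
    value = value.strip()
    if value.startswith("[") and value.endswith("]"):
        value = value[1:-1]
    return [item.strip() for item in value.split(",") if item.strip()]


def validate(cfg):
    """Return a list of problems; an empty list means the config is usable."""
    problems = []
    for section, keys in REQUIRED_KEYS.items():
        if not cfg.has_section(section):
            problems.append(f"missing section [{section}]")
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append(f"[{section}] {key} is empty")
    if problems:
        return problems
    # A malformed CIDR would otherwise only surface once the agent ran the command.
    for cidr in split_list(cfg.get("c2_task", "cidr")):
        try:
            ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"invalid cidr {cidr!r}")
    ad = cfg["remote_ad_task"]
    # The realm is expected to be DOMAIN.TLD; a mismatch usually means a typo.
    if ad["ad_realm"].lower() != f"{ad['ad_domain']}.{ad['ad_tld']}".lower():
        problems.append("ad_realm does not match ad_domain.ad_tld")
    return problems


def render_commands(cfg, target):
    """Expand the command_list templates into concrete command strings.

    Assumed placeholder meanings: $CIDR is each value of [c2_task] cidr,
    $USER_NAME/$USER_PASSWORD come from [remote_ad_task], and $TARGET is the
    host passed in (the Domain Controller in this playbook's setup).
    An unknown placeholder raises KeyError rather than being left in place.
    """
    ad = cfg["remote_ad_task"]
    base = {"USER_NAME": ad["user_name"], "USER_PASSWORD": ad["user_password"],
            "TARGET": target}
    cidrs = split_list(cfg.get("c2_task", "cidr"))
    rendered = []
    for template in split_list(cfg.get("c2_task", "command_list")):
        # Commands that mention $CIDR run once per CIDR; the rest run once.
        for cidr in (cidrs if "$CIDR" in template else [None]):
            rendered.append(Template(template).substitute(dict(base, CIDR=cidr)))
    return rendered


if __name__ == "__main__":
    config = load_config(SAMPLE_INI)
    for problem in validate(config):
        print("config problem:", problem)
    for command in render_commands(config, target="192.168.1.10"):
        print(command)
```

Running the script prints the three expanded commands; the `%%` in the INI comes out as a single `%` between user name and password in the rpcclient line, which is the part people most often get wrong when editing the file by hand.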

Execution

To execute this playbook, run the following ./havoc CLI command (where <profile> is replaced with the ./havoc config profile name that you would like to authenticate to the ./havoc API with):

$ ./havoc -e windows_recon <profile>

Clean up

Error handling
If the playbook encounters errors during execution, it will self-terminate. If the playbook is hung on a specific task, you can press Ctrl+C to terminate the playbook.

Successful execution
After the playbook executes all operations successfully, it will self-terminate.

Associated resources
This playbook does not create any resources.