As PowerShell becomes more prevalent in the Windows environment, so will its use for vulnerability assessment and penetration tests. I have covered a few PowerShell tools earlier, such as PowerSploit and PSAttack. However, none of the ones I mentioned help you detect network vulnerabilities. That is set to change with NetworkRecon, a script that helps you find anomalies in the network protocols a Windows client can observe.
What is NetworkRecon?
NetworkRecon is an open source PowerShell network reconnaissance module that captures, analyzes, and identifies commonly misconfigured protocols, helping you assess for vulnerabilities the network protocols that are visible to Windows client systems. Analyzing even a small amount of network traffic can reveal possible network-based attack vectors such as Virtual Router Redundancy Protocol (VRRP), Dynamic Trunking Protocol (DTP), Link Local Multicast Name Resolution (LLMNR) and PXE boot attacks. You do not have to install third-party software, as PowerShell already includes several network analysis and network traffic capabilities. The module is modeled after the PowerShell Empire PowerUp script, so the targeted protocols are easy to identify.
Generally, VLAN trunking, network routing and network redundancy protocols should not be relayed to Windows clients. Misconfigurations of Dynamic Host Configuration Protocol (DHCP) also present an attacker with options such as analyzing a boot image for credentials and other sensitive information. NetworkRecon currently helps you analyze these protocols for network anomalies:
- Name Resolution protocols: Protocols such as NetBIOS Name Service (NBT-NS), Link Local Multicast Name Resolution (LLMNR) and Multicast DNS (mDNS) give an attacker an opportunity to execute several different attacks by manipulating the hostname-to-IP-address relationship. An attacker can send malicious responses to a user's requests or become a Man-in-the-Middle (MitM) in the network conversation.
- Routing and Redundancy Protocols: Routing information from protocols such as Hot Standby Routing Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP) and Open Shortest Path First (OSPF) can expose the network to route manipulation attacks. If routing traffic is present on an access port, an attacker can parse it to determine whether authentication is in use and to capture credentials, which may allow the attacker to inject malicious routing information.
- Link-Layer Protocols: Misconfigured link-layer protocols such as Spanning Tree Protocol (STP), Cisco Discovery Protocol (CDP), Logical Link Discovery Protocol (LLDP), Dynamic Trunking Protocol (DTP) and VLAN Trunking Protocol (VTP) allow an attacker to gain a man-in-the-middle position, obtain sensitive information such as device hardware and software revisions, and mount attacks such as VLAN hopping and denial of service.
- Boot Protocols: Again, misconfigured boot protocols such as Dynamic Host Configuration Protocol (DHCP) and BOOTP may allow an attacker to download and inspect a boot image to discover credentials and other sensitive data.
Now, on to the modules that the script provides. The modules included in this script are Invoke-NeighborCacheAnalysis, Invoke-TraceCollect, and Invoke-LiveAnalysis. Their functionality is described below:
- Invoke-NeighborCacheAnalysis: Looks for the presence of Layer 2 multicast addresses of potentially vulnerable protocols in the system ARP cache.
- Invoke-TraceCollect: Performs a time-limited network trace leveraging the Microsoft-Windows-NDIS-PacketCapture provider in either .etl or .cap format depending on supported operating system features.
- Invoke-LiveAnalysis: Uses a raw IP socket to listen to and parse potentially vulnerable protocols and expose details.
Limitations with Ethernet frame collection prevent parsing of LLDP, CDP, DTP, and VTP traffic. However, their presence can still be identified through Invoke-NeighborCacheAnalysis.
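To make the neighbor-cache idea concrete, here is an added example (written for this post, not code from the NetworkRecon project) that checks the Windows neighbor cache for the well-known multicast group addresses of the routing, redundancy and name-resolution protocols listed above. The group addresses are the standard assignments for those protocols; the function name Find-SuspectMulticast and the $SampleNeighbors list are constructed for this example so it can be run offline.

```powershell
# Added example, not NetworkRecon's own code: flag neighbor-cache entries that
# belong to multicast groups of protocols a client access port should not see.
# The $SampleNeighbors list below is constructed; on a live host replace it with
# the output of Get-NetNeighbor (see the comment further down).

$WatchList = @{
    '224.0.0.2'   = 'HSRPv1 (all-routers group)'
    '224.0.0.102' = 'HSRPv2 / GLBP'
    '224.0.0.18'  = 'VRRP'
    '224.0.0.5'   = 'OSPF AllSPFRouters'
    '224.0.0.6'   = 'OSPF AllDRouters'
    '224.0.0.252' = 'LLMNR'
    'ff02::1:3'   = 'LLMNR (IPv6)'
    '224.0.0.251' = 'mDNS'
    'ff02::fb'    = 'mDNS (IPv6)'
}

function Find-SuspectMulticast {
    param(
        # Objects carrying IPAddress, LinkLayerAddress and InterfaceAlias,
        # the property names Get-NetNeighbor returns.
        [Parameter(Mandatory)] [object[]] $Neighbors
    )
    foreach ($n in $Neighbors) {
        $ip = $n.IPAddress.ToLower()
        if ($WatchList.ContainsKey($ip)) {
            [pscustomobject]@{
                Interface = $n.InterfaceAlias
                Address   = $ip
                MAC       = $n.LinkLayerAddress
                Protocol  = $WatchList[$ip]
            }
        }
    }
}

# Constructed sample standing in for the live cache. On a real host use:
#   $neighbors = Get-NetNeighbor -State Permanent, Reachable, Stale
$SampleNeighbors = @(
    [pscustomobject]@{ IPAddress = '224.0.0.18';  LinkLayerAddress = '01-00-5e-00-00-12'; InterfaceAlias = 'Ethernet' }
    [pscustomobject]@{ IPAddress = '224.0.0.252'; LinkLayerAddress = '01-00-5e-00-00-fc'; InterfaceAlias = 'Ethernet' }
    [pscustomobject]@{ IPAddress = '192.168.1.1'; LinkLayerAddress = 'aa-bb-cc-dd-ee-ff'; InterfaceAlias = 'Ethernet' }
)

# With the sample above this reports the VRRP and LLMNR entries and ignores the unicast gateway.
Find-SuspectMulticast -Neighbors $SampleNeighbors | Format-Table -AutoSize
```

Two caveats when reading the results on a real host: the LLMNR and mDNS groups are usually present because the client itself has those resolvers enabled, which is a finding about the client rather than the switch port, and an entry only proves the address has been seen or joined, so a hit for a routing or redundancy group is a reason to run Invoke-TraceCollect or Invoke-LiveAnalysis and confirm the traffic, not a confirmed misconfiguration by itself.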
Using the PowerShell script is easy:
> Import-Module .\NetworkRecon.ps1
> Invoke-LiveAnalysis
WARNING: Script IS NOT running as administrator.
Analyzer started at 2017-07-16T09:03:36
WARNING: Windows Firewall = Enabled
Listening IP Address = 127.0.0.1
Starting sniffer...
As the warning shows, the script needs administrative privileges. From an elevated prompt the output looks similar to this:
powershell -exe bypass
> Import-Module .\NetworkRecon.ps1
> Invoke-LiveAnalysis
Script IS running as administrator.
Analyzer started at 2017-07-16T09:13:13
WARNING: Windows Firewall = Enabled
Inserted Inbound Multicast Rule
Listening IP Address = 127.0.0.1
Starting sniffer...
Now onto Invoke-TraceCollect:
> Import-Module .\NetworkRecon.ps1
> Invoke-TraceCollect
[+] Target folder exists, no action required
[+] Starting capture session
[-] Trying PEF trace first...
[!] Unable to create PEF trace...falling back to netsh...
[-] Output will be saved to C:\temp\capture_201771691852.etl

Trace configuration:
-------------------------------------------------------------------
Status:             Running
Trace File:         C:\temp\capture_201771691852.etl
Append:             Off
Circular:           Off
Max Size:           250 MB
Report:             Off

[-] Sleeping for 5 minutes while packet capture is running
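The trace configuration printed above is what the built-in netsh trace provider reports once a capture session is running. The following added example (written for this post, not NetworkRecon's own implementation) shows the same time-limited capture done directly with netsh, including the elevation check and the timestamped output file; the folder C:\temp, the five-minute window and the 250 MB cap mirror the values in the output above and are illustrative.

```powershell
# Added example, not NetworkRecon's own code: a time-limited packet capture using
# the "netsh trace" path that the tool falls back to. Must run from an elevated
# prompt. $OutDir, $Minutes and $MaxSizeMB are illustrative defaults.
param(
    [string] $OutDir    = 'C:\temp',
    [int]    $Minutes   = 5,
    [int]    $MaxSizeMB = 250
)

# netsh trace refuses to start a capture without administrator rights, so fail early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal] $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Script IS NOT running as administrator; start an elevated prompt first.'
}

if (-not (Test-Path -Path $OutDir)) {
    New-Item -ItemType Directory -Path $OutDir | Out-Null
}
$traceFile = Join-Path -Path $OutDir -ChildPath ('capture_{0:yyyyMMddHHmmss}.etl' -f (Get-Date))

# capture=yes records packets (not just ETW events); report=no skips the slow
# .cab report build; maxsize caps the file in MB, matching the "Max Size" line above.
netsh trace start capture=yes tracefile="$traceFile" maxsize=$MaxSizeMB overwrite=yes report=no | Out-Null
Write-Host "[-] Output will be saved to $traceFile"
Write-Host "[-] Sleeping for $Minutes minutes while packet capture is running"

try {
    Start-Sleep -Seconds ($Minutes * 60)
}
finally {
    # Stop inside finally so a Ctrl+C does not leave an orphaned trace session running.
    netsh trace stop | Out-Null
}
Write-Host "[+] Capture finished: $traceFile"
```

The .etl file can be converted to pcapng with Microsoft's etl2pcapng utility and then reviewed in Wireshark, which is the convenient way to confirm whether the routing, redundancy or name-resolution traffic flagged by the neighbor-cache check is really arriving on the client's port.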
Get the current version of NetworkRecon.ps1 here.