reconerator: C# Targeted Attack Reconnaissance Tools


This is a custom .NET assembly which will perform a number of situational awareness activities. There are a number of current feature sets:

  • BASIC – Obtains information from the disk and registry.
    This obtains a number of pieces of information from the host. Be warned that there might be a LOT of output. It will display:

    • All environment variables (API)
    • The hostname, workgroup and Windows version number of the host (API)
    • Word, Access, Excel, Publisher & PowerPoint Most Recently Used Documents for all versions installed (Registry)
    • Word, Access, Excel, Publisher & PowerPoint Trusted Locations for all versions installed (Registry)
    • Favourites (Bookmarks) and extracts the URL from the bookmark. Could be interesting to easily find sharepoint/confluence/wiki/self service payroll etc. (Disk)
    • Mapped drives, including the drive letter, description and remote location (WMI)
    • Installed applications, for all users and for the specific user only (Registry)
  • LDAP – Allows customised AD LDAP queries to be made.
  • RESOLVEHOST – Performs DNS lookup queries.
  • INDEXSEARCH – Searches the Windows Indexing Service for local files and e-mails (filename and content).
    This allows you to interact with Windows Search (formerly the Windows Indexing Service), which lets you search for interesting files and folders (and their contents) really quickly. E-mails are usually indexed, but network folders are not, so it may not be perfect for searching users’ home directories if they are stored remotely. However, it is very fast. The interface to Windows Search is SQL-like; this implementation allows you to, in effect, specify the contents of the ‘WHERE’ clause. It is easiest to explain by example, but you will need to read MSDN if you want to know every possible criterion.
  • PROXYCHECK – Displays the proxy server that will be used when attempting to access a provided URL.
    This returns the proxy server that would be used to visit a given URL. This is to cope with the situation where there may be different proxies for different URLs or various complex exclusions in place. The URL of interest is passed as a parameter. Note that if ‘basic all’ is specified (see above), it automatically includes a proxycheck to, on the assumption that most organisations have one outbound proxy for all non-internal internet access.
  • PRIVESCCHECK – Identifies privilege escalation vectors.
    This will explore a number of privilege escalation vectors and report on whether they are possible or not. Currently, that number is 1. Much like the BASIC module above, privesccheck all can be specified on the command line to attempt all checks, or a specific check can be specified if required.

The key point about this is that it is all implemented in raw .NET – so no powershell.

It is configured and controlled by command line parameters, making it suitable for use with Beacon’s execute-assembly directive.

Download && Use

Copyright (C) 2018 stufus