NetCease module

Almost a year ago, Itai Grady released a script on the TechNet Gallery that blocks the reconnaissance done by using the Server Message Block (SMB) Session Enumeration method.

I’ve studied and changed the script, and made a module of it. Why?
It’s easier to share and install once it’s uploaded to the PowerShell Gallery.
The approach inside the module is a bit different and makes it easier to move from the default state to the hardened state and vice versa.
Let’s say that the module assumes breach and is somehow “more” idempotent than the original version 😀

Let’s quickly see how to use it:

# Download the module
Save-Module -Name NetCease -Repository PSGallery -Path ~/Downloads
# Load the module
Import-Module ~/Downloads/NetCease/1.0.1/NetCease.psd1 -Force -Verbose
# View current NetSessionEnum permissions
Get-NetSessionEnumPermission |
Select-Object TranslatedSID,SecurityIdentifier,AccessMask,AceType | Format-Table -AutoSize
# Harden permissions
Set-NetSessionEnumPermission -Verbose -Confirm:$false
# Restart the Server service for changes to take effect
Restart-Service LanmanServer -Force -Verbose


How to test if it works?
To quickly test it, I borrowed these pieces of code: the Get-NetSession function from @harmj0y and the PSReflect module from @mattifestation.

In the above screenshot, you can see that the Get-NetSession doesn’t return anything after I hardened the configuration of the targeted Domain Controller.

Note that the Server service has some dependencies on other services. Restarting these services could cause a little disruption, so be careful.

The ATA gateway detected my previous attempts:

The module will work on Windows 7, 8.1, 10, Windows Server 2008 R2, 2012 R2 and 2016 and isn’t only for domain controllers. If you want to limit the recon performed by an insider attacker, you’ll want to apply it to every machine.
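When the change is rolled out to many machines, the ACL itself can be checked without replaying the enumeration. The following is an added example, not part of the original post or of the NetCease module: it takes ACEs shaped like the output of Get-NetSessionEnumPermission (SecurityIdentifier, AccessMask, AceType) and reports whether any allow entry is still granted to a catch-all identity. The function name Test-NetSessionEnumAce, the list of broad SIDs and the SDDL samples are assumptions made for illustration; it assumes Windows PowerShell 5.1 and that the hardened state contains no allow ACE for Authenticated Users.

```powershell
function Test-NetSessionEnumAce {
    # Reports whether any allow-ACE is granted to a catch-all identity.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)]$Ace)
    begin {
        # Assumption: these well-known SIDs cover any (or every) account.
        $broadTypes = 'AuthenticatedUserSid', 'WorldSid', 'AnonymousSid' |
            ForEach-Object { [System.Security.Principal.WellKnownSidType]$_ }
        $broad = [System.Collections.Generic.List[object]]::new()
        $count = 0
    }
    process {
        $count++
        if ("$($Ace.AceType)" -ne 'AccessAllowed') { return }
        # Cast via string so a SID object and a SID string both work.
        $sid = [System.Security.Principal.SecurityIdentifier]"$($Ace.SecurityIdentifier)"
        if ($broadTypes | Where-Object { $sid.IsWellKnown($_) }) {
            $broad.Add([pscustomobject]@{
                SecurityIdentifier = $sid.Value
                AccessMask         = '0x{0:X}' -f [int]$Ace.AccessMask
            })
        }
    }
    end {
        [pscustomobject]@{
            # No ACEs at all means nothing was read, not "hardened".
            Hardened  = ($count -gt 0 -and $broad.Count -eq 0)
            AceCount  = $count
            BroadAces = $broad.ToArray()
        }
    }
}

# Constructed sample DACLs in SDDL form (not captured from a real host).
$samples = [ordered]@{
    Open     = 'D:(A;;0x1;;;AU)(A;;0x1;;;BA)'
    Hardened = 'D:(A;;0x1;;;IU)(A;;0x1;;;SU)(A;;0x1;;;S-1-5-3)(A;;0x1;;;BA)'
}
foreach ($name in $samples.Keys) {
    $sd = [System.Security.AccessControl.CommonSecurityDescriptor]::new(
        $false, $false, $samples[$name])
    $result = $sd.DiscretionaryAcl | Test-NetSessionEnumAce
    '{0,-8} Hardened={1} BroadAces={2}' -f $name, $result.Hardened,
        ($result.BroadAces.SecurityIdentifier -join ',')
}

# With the module loaded, feed it the live ACL instead:
# Get-NetSessionEnumPermission | Test-NetSessionEnumAce
```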

Bonus: I didn’t immediately realize it, but it’s possible to create a Desired State Configuration (DSC) config 😎

Here’s the result of applying the DSC config twice, after first restoring the default permissions:
