NetCease PowerShell Module

The NetCease module was designed to help disable Net Session Enumeration.

This page and code are the result of a simple process: Study > Learn > Share.

I started to study the great anti-reconnaissance tool provided by Itai Grady on https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b

The zip file contains a document that explains the details about how to harden the Net Session Enumeration.

The zip file also contains a script that:

  • saves a backup of the current permissions (whatever they are)
  • transitions from the current security permissions to a hardened state by removing the NT AUTHORITY\Authenticated Users group and adding permissions to NT AUTHORITY\BATCH, NT AUTHORITY\INTERACTIVE, NT AUTHORITY\SERVICE.
  • introduces a way to revert back to the backup version of the permissions (the version 1.02)

While the script will do the job on a safe computer, it doesn't assume breach. So, I propose a more straightforward approach :-D

The module contains 3 functions: one to view the current permissions set (with translated SIDs), a second one to set the required permissions and a third one to restore the default permissions. It just aims to make the move from the default state to the hardened one and vice-versa easier.

I wanted the module to be available on https://www.powershellgallery.com

# Check the module on powershellgallery.com
Find-Module -Name NetCease -Repository PSGallery
Version    Name                                Repository           Description
-------    ----                                ----------           -----------
1.0.2      NetCease                            PSGallery            NetCease is a module that will help disable Net ...
# Save the module locally in Downloads folder
Save-Module -Name NetCease -Repository PSGallery -Path ~/Downloads

Stop and please review the content of the module (I mean the code) to make sure it's trustworthy :-)

You can also verify that the SHA256 hashes of the downloaded files match those stored in the catalog file:

$HT = @{
    CatalogFilePath = "~/Downloads/NetCease/1.0.2/NetCease.cat"
    Path = "~/Downloads/NetCease/1.0.2"
    Detailed = $true
    FilesToSkip = 'PSGetModuleInfo.xml'
}
Test-FileCatalog @HT
# Import the module
Import-Module ~/Downloads/NetCease/1.0.2/NetCease.psd1 -Force -Verbose
Get-Command -Module NetCease
CommandType     Name                                               Version    Source
-----------     ----                                               -------    ------
Function        Get-NetSessionEnumPermission                       1.0.2      NetCease
Function        Restore-NetSessionEnumPermission                   1.0.2      NetCease
Function        Set-NetSessionEnumPermission                       1.0.2      NetCease

Get-NetSessionEnumPermission

Get-Help Get-NetSessionEnumPermission -Full
NAME
    Get-NetSessionEnumPermission

SYNOPSIS
    Get the current Net Session Enumeration permissions


SYNTAX
    Get-NetSessionEnumPermission [<CommonParameters>]

Set-NetSessionEnumPermission

Get-Help Set-NetSessionEnumPermission -Full
NAME
    Set-NetSessionEnumPermission

SYNOPSIS
    Set the hardened Net Session Enumeration permissions


SYNTAX
    Set-NetSessionEnumPermission [<CommonParameters>]


DESCRIPTION
    Set the hardened Net Session Enumeration permissions:

    TranslatedSID                   SecurityIdentifier AccessMask       AceType
    ------------                    ------------------ ----------       -------
    NT AUTHORITY\BATCH              S-1-5-3               2032127 AccessAllowed
    NT AUTHORITY\INTERACTIVE        S-1-5-4               2032127 AccessAllowed
    NT AUTHORITY\SERVICE            S-1-5-6               2032127 AccessAllowed
    BUILTIN\Administrators          S-1-5-32-544           983059 AccessAllowed
    BUILTIN\Power Users             S-1-5-32-547           983059 AccessAllowed
    BUILTIN\Server Operators        S-1-5-32-549           983059 AccessAllowed

Restore-NetSessionEnumPermission

Get-Help Restore-NetSessionEnumPermission -Full
NAME
    Restore-NetSessionEnumPermission

SYNOPSIS
    Restore the default Net Session Enumeration permissions


SYNTAX
    Restore-NetSessionEnumPermission [<CommonParameters>]


DESCRIPTION
    Restore the default Net Session Enumeration permissions:

    TranslatedSID                    SecurityIdentifier AccessMask       AceType
    ------------                    ------------------ ----------       -------
    NT AUTHORITY\Authenticated Users S-1-5-11                    1 AccessAllowed
    BUILTIN\Administrators           S-1-5-32-544           983059 AccessAllowed
    BUILTIN\Power Users              S-1-5-32-547           983059 AccessAllowed
    BUILTIN\Server Operators         S-1-5-32-549           983059 AccessAllowed

Once you've used either the Set-NetSessionEnumPermission or Restore-NetSessionEnumPermission functions, you need to restart the 'Server' service for changes to take effect:

Restart-Service -Name LanmanServer -Force -Verbose
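
After the restart it is worth confirming that the host really is in the hardened state. The following audit helper is an added example, not part of the NetCease module: `Test-NetSessionEnumHardened` is a hypothetical name, and it assumes the objects piped into it carry the `SecurityIdentifier`, `AccessMask` and `AceType` properties shown in the tables above. It reports any ACE outside the hardened baseline (such as Authenticated Users) and any baseline ACE that is missing.

```powershell
function Test-NetSessionEnumHardened {   # hypothetical helper, not part of NetCease
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject]$Ace)
    begin {
        # Hardened baseline (SID -> AccessMask) from the Set-NetSessionEnumPermission help text
        $baseline = @{
            'S-1-5-3' = 2032127; 'S-1-5-4' = 2032127; 'S-1-5-6' = 2032127
            'S-1-5-32-544' = 983059; 'S-1-5-32-547' = 983059; 'S-1-5-32-549' = 983059
        }
        $seen = @{}
        $findings = [System.Collections.Generic.List[psobject]]::new()
    }
    process {
        $sid = [string]$Ace.SecurityIdentifier
        $seen[$sid] = $true
        $issue = if (-not $baseline.ContainsKey($sid)) {
            'UnexpectedAce'            # e.g. S-1-5-11 still present
        } elseif ([string]$Ace.AceType -ne 'AccessAllowed') {
            'AceTypeMismatch'
        } elseif ([int64]$Ace.AccessMask -ne $baseline[$sid]) {
            'AccessMaskMismatch'
        }
        if ($issue) {
            $findings.Add([pscustomobject]@{
                SecurityIdentifier = $sid; Issue = $issue
                AccessMask = '0x{0:X}' -f [int64]$Ace.AccessMask
            })
        }
    }
    end {
        # Baseline entries that never appeared in the input are missing ACEs
        foreach ($sid in ($baseline.Keys | Sort-Object)) {
            if (-not $seen.ContainsKey($sid)) {
                $findings.Add([pscustomobject]@{
                    SecurityIdentifier = $sid; Issue = 'MissingAce'
                    AccessMask = '0x{0:X}' -f $baseline[$sid]
                })
            }
        }
        [pscustomobject]@{ Hardened = ($findings.Count -eq 0); Findings = $findings }
    }
}

# Constructed sample: the default ACL from the Restore-NetSessionEnumPermission help text
$sample = @(
    [pscustomobject]@{ SecurityIdentifier = 'S-1-5-11';     AccessMask = 1;      AceType = 'AccessAllowed' }
    [pscustomobject]@{ SecurityIdentifier = 'S-1-5-32-544'; AccessMask = 983059; AceType = 'AccessAllowed' }
    [pscustomobject]@{ SecurityIdentifier = 'S-1-5-32-547'; AccessMask = 983059; AceType = 'AccessAllowed' }
    [pscustomobject]@{ SecurityIdentifier = 'S-1-5-32-549'; AccessMask = 983059; AceType = 'AccessAllowed' }
)
($sample | Test-NetSessionEnumHardened).Findings | Format-Table -AutoSize
```

On a host with the module imported, `Get-NetSessionEnumPermission | Test-NetSessionEnumHardened` runs the same check against the live permissions, under the property-name assumption stated above.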

  • Version 1.0.0 had a -WhatIf parameter after the Set-ItemProperty that prevented the hardened permissions from actually being set
  • Version 1.0.1 had the wrong catalog file published to the PowerShell gallery

Coding best practices

  • Use PSScriptAnalyzer module to validate the code follows best practices
  • Write Pester tests for this module

Thanks go to:
