authorMatt Kelly <matt@Workstation031.wp.comcast.net>2016-05-05 19:12:33 -0500
committerMatt Kelly <matt@Workstation031.wp.comcast.net>2016-05-05 19:12:33 -0500
commit0cedaf61421c747d9de2e033430474107040d3c8 (patch)
tree6df5ef66359689289e7b99737014e1f2ba6a18c6
parent26cef85d358a2ac2acc44c1a199ac35b0e1bc17d (diff)
Adds PSLoggedOn like functionality
Adding in Get-LoggedOnLocal, which uses HKU registry checks to see who is logged on locally to a remote box and only requires user-level access rights. The benefit over NetWkstaUserEnum is that fewer user privileges are required (NetWkstaUserEnum needs admin), and it is the same process PSLoggedOn uses. Invoke-PSLoggedOn launches both Get-LoggedOnLocal and Get-NetSessions and outputs the same format as PSLoggedOn.exe from Sysinternals. I did not change Invoke-UserHunter non-stealth to this option yet, but it is beneficial in that if you use both HKU and NetSessionEnum you only require basic user-level rights, not remote admin.
-rwxr-xr-x[-rw-r--r--]Recon/PowerView.ps1143
1 files changed, 143 insertions, 0 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 0cc4739..cc588c3 100644..100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -8087,6 +8087,149 @@ filter Get-NetSession {
}
+function Get-LoggedOnLocal {
+<#
+ .SYNOPSIS
+
+ This function will query the HKU registry values to retrieve the local
+ logged on users SID and then attempt and reverse it.
+ Adapted technique from Sysinternal's PSLoggedOn script. Benefit over
+ using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
+ required (NetWkstaUserEnum requires remote admin access).
+
+
+ Note: This function requires only domain user rights on the
+ machine you're enumerating.
+
+ Function: Get-LoggedOnLocal
+ Author: Matt Kelly, @BreakersAll;
+ Required Dependencies: @harmj0y's Powerview.
+
+ .PARAMETER ComputerName
+
+ The ComputerName to query for active sessions.
+
+ .EXAMPLE
+
+ PS C:\> Get-LoggedOnLocal
+
+ Returns active sessions on the local host.
+
+ .EXAMPLE
+
+ PS C:\> Get-LoggedOnLocal -ComputerName sqlserver
+
+ Returns active sessions on the 'sqlserver' host.
+
+#>
+
+ [CmdletBinding()]
+ param(
+ [Parameter(ValueFromPipeline=$True)]
+ [Alias('HostName')]
+ [String]
+ $ComputerName = 'localhost'
+ )
+
+ begin {
+ if ($PSBoundParameters['Debug']) {
+ $DebugPreference = 'Continue'
+ }
+ }
+
+ process {
+
+ # process multiple host object types from the pipeline
+ $ComputerName = Get-NameField -Object $ComputerName
+ # retrieve HKU remote registry values
+ $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")
+
+ # sort out bogus sid's like _class
+ $UserSID = $Reg.GetSubKeyNames() | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+
+ # if successful, convert sid and print output
+ if ($UserSID) {
+ $UserName = Convert-SidToName $UserSID
+
+ $LocalLoggedOnUser = New-Object PSObject
+ $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' $ComputerName
+ $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
+ $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $UserSID
+ $LocalLoggedOnUser
+ }
+ else {
+ Write-Debug "Could not retrieve values for $ComputerName"
+ }
+
+ Write-Debug "UserSIDs retrieved result: $Reg.GetSubKeyNames()"
+ }
+}
+
+
+function Invoke-PSLoggedOn {
+<#
+ .SYNOPSIS
+
+ This function replicates PSLoggedOn functionality, and leverages
+ Get-NetSession (netsessionenum) and remote registry values.
+ Same actions as PSLoggedOn except in PowerShell.
+
+ Note: This function requires only domain user rights on the
+ machine you're enumerating.
+
+ Function: Invoke-PSLoggedOn
+ Author: Matt Kelly, @BreakersAll;
+ Required Dependencies: PowerView. PSv2
+
+ .PARAMETER ComputerName
+
+ The ComputerName to query for active sessions.
+
+ .EXAMPLE
+
+ PS C:\> Invoke-PSLoggedOn
+
+ Returns active sessions on the local host.
+
+ .EXAMPLE
+
+ PS C:\> Invoke-PSLoggedOn -ComputerName sqlserver
+
+ Returns active sessions on the 'sqlserver' host.
+
+#>
+
+ [CmdletBinding()]
+ param(
+ [Parameter(ValueFromPipeline=$True)]
+ [Alias('HostName')]
+ [String]
+ $ComputerName = 'localhost'
+ )
+
+ begin {
+ if ($PSBoundParameters['Debug']) {
+ $DebugPreference = 'Continue'
+ }
+ }
+
+ process {
+
+ # process multiple host object types from the pipeline
+ $ComputerName = Get-NameField -Object $ComputerName
+
+ $LoggedOnLocal = Get-LoggedOnLocal $ComputerName
+ $NetSessionUsers = Get-NetSession $ComputerName
+
+ Write-Host "Users logged on locally to $ComputerName:"
+ $LoggedOnLocal
+ Write-Host ""
+ Write-Host "Users logged on via resource shares to $ComputerName:"
+ $NetSessionUsers
+ }
+}
+
+
filter Get-NetRDPSession {
<#
.SYNOPSIS