author | Matt Kelly <matt@Workstation031.wp.comcast.net> | 2016-05-05 19:12:33 -0500 |
committer | Matt Kelly <matt@Workstation031.wp.comcast.net> | 2016-05-05 19:12:33 -0500 |
commit | 0cedaf61421c747d9de2e033430474107040d3c8 (patch) | |
tree | 6df5ef66359689289e7b99737014e1f2ba6a18c6 /Recon | |
parent | 26cef85d358a2ac2acc44c1a199ac35b0e1bc17d (diff) | |
Adds PSLoggedOn like functionality
Adding in Get-LoggedOnLocal, which uses HKU registry checks to see who
is logged on locally to a remote box and only requires user-level access
rights. The benefit over NetWkstaUserEnum is less user privileges
required (admin for NetWkstaUserEnum) and is the same process
PSLoggedOn uses.
Invoke-PSLoggedOn launches both Get-LoggedOnLocal and Get-NetSessions
and outputs the same format as PSLoggedOn.exe from Sysinternals.
I did not change Invoke-UserHunter non-stealth to this option yet, but
it is beneficial in that if you use both HKU and NetSessionEnum you
only require basic user level rights not admin remote.
Diffstat (limited to 'Recon')
-rwxr-xr-x[-rw-r--r--] | Recon/PowerView.ps1 | 143 |
1 files changed, 143 insertions, 0 deletions
diff --git a/Recon/PowerView.ps1 b/Recon/PowerView.ps1
index 0cc4739..cc588c3 100644..100755
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@@ -8087,6 +8087,149 @@ filter Get-NetSession { } +function Get-LoggedOnLocal { +<# + .SYNOPSIS + + This function will query the HKU registry values to retrieve the local + logged on users SID and then attempt and reverse it. + Adapted technique from Sysinternal's PSLoggedOn script. Benefit over + using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges + required (NetWkstaUserEnum requires remote admin access). + + + Note: This function requires only domain user rights on the + machine you're enumerating. + + Function: Get-LoggedOnLocal + Author: Matt Kelly, @BreakersAll; + Required Dependencies: @harmj0y's Powerview. + + .PARAMETER ComputerName + + The ComputerName to query for active sessions. + + .EXAMPLE + + PS C:\> Get-LoggedOnLocal + + Returns active sessions on the local host. + + .EXAMPLE + + PS C:\> Get-LoggedOnLocal -ComputerName sqlserver + + Returns active sessions on the 'sqlserver' host. + +#> + + [CmdletBinding()] + param( + [Parameter(ValueFromPipeline=$True)] + [Alias('HostName')] + [String] + $ComputerName = 'localhost' + ) + + begin { + if ($PSBoundParameters['Debug']) { + $DebugPreference = 'Continue' + } + } + + process { + + # process multiple host object types from the pipeline + $ComputerName = Get-NameField -Object $ComputerName + # retrieve HKU remote registry values + $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName") + + # sort out bogus sid's like _class + $UserSID = $Reg.GetSubKeyNames() | ? 
{ $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } + + # if successful, convert sid and print output + if ($UserSID) { + $UserName = Convert-SidToName $UserSID + + $LocalLoggedOnUser = New-Object PSObject + $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' $ComputerName + $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName + $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $UserSID + $LocalLoggedOnUser + } + else { + Write-Debug "Could not retrieve values for $ComputerName" + } + + Write-Debug "UserSIDs retrieved result: $Reg.GetSubKeyNames()" + } +} + + +function Invoke-PSLoggedOn { +<# + .SYNOPSIS + + This function replicates PSLoggedOn functionality, and leverages + Get-NetSession (netsessionenum) and remote registry values. + Same actions as PSLoggedOn except in PowerShell. + + Note: This function requires only domain user rights on the + machine you're enumerating. + + Function: Invoke-PSLoggedOn + Author: Matt Kelly, @BreakersAll; + Required Dependencies: PowerView. PSv2 + + .PARAMETER ComputerName + + The ComputerName to query for active sessions. + + .EXAMPLE + + PS C:\> Invoke-PSLoggedOn + + Returns active sessions on the local host. + + .EXAMPLE + + PS C:\> Invoke-PSLoggedOn -ComputerName sqlserver + + Returns active sessions on the 'sqlserver' host. 
+ +#> + + [CmdletBinding()] + param( + [Parameter(ValueFromPipeline=$True)] + [Alias('HostName')] + [String] + $ComputerName = 'localhost' + ) + + begin { + if ($PSBoundParameters['Debug']) { + $DebugPreference = 'Continue' + } + } + + process { + + # process multiple host object types from the pipeline + $ComputerName = Get-NameField -Object $ComputerName + + $LoggedOnLocal = Get-LoggedOnLocal $ComputerName + $NetSessionUsers = Get-NetSession $ComputerName + + Write-Host "Users logged on locally to $ComputerName:" + $LoggedOnLocal + Write-Host "" + Write-Host "Users logged on via resource shares to $ComputerName:" + $NetSessionUsers + } +} + + filter Get-NetRDPSession { <# .SYNOPSIS |
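Review bot: The two `Write-Host` lines in Invoke-PSLoggedOn interpolate `$ComputerName:` inside a double-quoted string, and PowerShell reads the trailing colon as a scope/drive qualifier with no variable name after it, which the parser rejects ("':' was not followed by a valid variable name character") and so would keep the whole PowerView.ps1 from loading once this hunk is dot-sourced; write them as `Write-Host "Users logged on locally to ${ComputerName}:"` and `Write-Host "Users logged on via resource shares to ${ComputerName}:"`. In Get-LoggedOnLocal, `Write-Debug "UserSIDs retrieved result: $Reg.GetSubKeyNames()"` expands only `$Reg` and appends the literal text `.GetSubKeyNames()`; it needs `$($Reg.GetSubKeyNames())`. `[Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey` throws when the remote registry service is unavailable or access is denied, so with ComputerName fed from the pipeline one unreachable host aborts the whole run and the `else` branch's debug message never covers that case; wrapping the call in `try { ... } catch { Write-Verbose "Could not open HKU on $ComputerName" ; return }` and calling `$Reg.Close()` after enumeration would make the function resilient per host and release the remote handle. `$UserSID` is an array whenever more than one profile hive is loaded, so the single PSObject ends up with array-valued UserName/UserSID properties rather than one object per user; emitting one object per SID via `ForEach-Object` would give the per-row output the PSLoggedOn-style caller expects (assuming Convert-SidToName, outside this hunk, accepts a single SID).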