PowerQuinsta

I wanted to do a quick writeup on one of PowerView‘s latest features- the ability to enumerate RDP sessions on remote machines.

Qwinsta

For those unfamiliar, qwinsta is a built in Windows command that allows you to query information about remote desktop sessions locally or on a remote server. You need administrative privileges to perform remote querying, but this can be a useful tool in enumerating remote servers and mapping out admin trust relationships. Here’s what the output from qwinsta looks like:

From the above output, the SESSIONNAME of console means a local logon, and the rdp-tcp#0means that “chris” has an RDP session established on SECONDARY. Since qwinsta takes advantage of native Windows APIs, lets try to figure out what functions let it enumerate this remote desktop session data. Here’s part of the strings output for qwinsta.exe:

After some searching around, we can find that the equivalent of these functions exist under WTS*. The key call here is WTSEnumerateSessionsEx, which lets us retrieve the same session information that qwinsta displays.

Get-NetRDPSessions

I was able to implement these functions easily in PowerShell using PowerShell’s Win32 API access that I’ve talked about before. I stuck with Matt Graeber’s PSReflect method that I already have implemented in PowerView. This made is really easy to implement the additional calls and structs that I needed:

There was also another interesting call that’s a part of the “Remote Desktop Services API Functions” documentation, the WTSQuerySessionInformation function. This lets us query information about a specific remote desktop services session beyond the standard returned information from WTSEnumerateSessionsEx. The information that can be retrieved is broken out in the WTS_INFO_CLASS enumeration. The WTSClientAddress field looks interesting- this means that we can correlate the users RDP’ed into a remote host with where they connected from, giving us more contextual network information. This lets us get results like the following by using the new Get-NetRDPSessions function in PowerView:

And because PowerView has been ported to (mostly!) be pipeline compliant, we can do things like Get-NetComputers | Get-NetRDPSessions | Export-Csv -NoTypeInformation rdpsessions.csv to enumerate all active RDP sessions on the domain and export them to a csv file:

With elevated domain privileges, this can give us a great idea of what users are RDP’ed into what from where. We can use this information to figure out what users to go after, and the nature of the trust relationships of the domain.