PowerQuinsta
Source: Internet  Published: sql union sum  Editor: 程序博客网  Time: 2024/06/03 23:53
I wanted to do a quick writeup on one of PowerView's latest features: the ability to enumerate RDP sessions on remote machines.
Qwinsta
For those unfamiliar, qwinsta is a built-in Windows command that lets you query information about remote desktop sessions, either locally or on a remote server. You need administrative privileges to query a remote machine, but this makes it a useful tool for enumerating remote servers and mapping out admin trust relationships. Here's what the output from qwinsta looks like:
From the above output, the SESSIONNAME of console means a local logon, and rdp-tcp#0 means that "chris" has an RDP session established on SECONDARY. Since qwinsta takes advantage of native Windows APIs, let's try to figure out which functions let it enumerate this remote desktop session data. Here's part of the strings output for qwinsta.exe:
After some searching around, we can find that the equivalents of these functions exist under the WTS* prefix. The key call here is WTSEnumerateSessionsEx, which lets us retrieve the same session information that qwinsta displays.
Get-NetRDPSessions
I was able to implement these functions easily in PowerShell using PowerShell's Win32 API access that I've talked about before. I stuck with Matt Graeber's PSReflect method that I already have implemented in PowerView. This made it really easy to implement the additional calls and structs that I needed:
There was also another interesting call that's part of the "Remote Desktop Services API Functions" documentation, the WTSQuerySessionInformation function. This lets us query information about a specific remote desktop services session beyond the standard information returned by WTSEnumerateSessionsEx. The information that can be retrieved is broken out in the WTS_INFO_CLASS enumeration. The WTSClientAddress field looks interesting: it means we can correlate the users RDP'ed into a remote host with where they connected from, giving us more contextual network information. This lets us get results like the following by using the new Get-NetRDPSessions function in PowerView:
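The same two calls in a stand-alone script, as an added example that is not PowerView's code: the wtsapi32 functions are declared with Add-Type P/Invoke instead of PSReflect, the function names Get-WtsValue and Get-RdpSessionAudit are my own, and the WTS_INFO_CLASS numbers and the WTS_CLIENT_ADDRESS layout follow the Win32 documentation. The output is meant for auditing which accounts hold RDP sessions on a host and from which client address, the same view an administrator gets from qwinsta plus the client address.

```powershell
# Added example, not PowerView's code: audit RDP sessions with the same WTS* calls the
# post names, declared via Add-Type P/Invoke rather than PSReflect. Remote querying
# needs administrative rights on the target host.
Add-Type -TypeDefinition @"
using System; using System.Runtime.InteropServices;
public static class Wts {
  [StructLayout(LayoutKind.Sequential)]
  public struct SESSION_INFO { public uint SessionId; public IntPtr pWinStationName; public int State; }
  [DllImport("wtsapi32.dll", CharSet=CharSet.Unicode)] public static extern IntPtr WTSOpenServer(string name);
  [DllImport("wtsapi32.dll")] public static extern void WTSCloseServer(IntPtr h);
  [DllImport("wtsapi32.dll")] public static extern void WTSFreeMemory(IntPtr p);
  [DllImport("wtsapi32.dll", CharSet=CharSet.Unicode)] public static extern bool WTSEnumerateSessions(
    IntPtr h, uint reserved, uint version, out IntPtr pInfo, out uint count);
  [DllImport("wtsapi32.dll", CharSet=CharSet.Unicode)] public static extern bool WTSQuerySessionInformation(
    IntPtr h, uint sid, int infoClass, out IntPtr buf, out uint bytes);
}
"@
$States = 'Active','Connected','ConnectQuery','Shadow','Disconnected','Idle','Listen','Reset','Down','Init'
$M = [Runtime.InteropServices.Marshal]
function Get-WtsValue([IntPtr]$Server, [uint32]$SessionId, [int]$InfoClass) {
    # WTS_INFO_CLASS values used here: 5 WTSUserName, 7 WTSDomainName, 10 WTSClientName, 14 WTSClientAddress
    $buf = [IntPtr]::Zero; $len = [uint32]0
    if (-not [Wts]::WTSQuerySessionInformation($Server, $SessionId, $InfoClass, [ref]$buf, [ref]$len)) { return $null }
    try {
        if ($InfoClass -ne 14) { return $M::PtrToStringUni($buf) }
        # WTS_CLIENT_ADDRESS is DWORD AddressFamily + BYTE Address[20]; for AF_INET (2)
        # the IPv4 octets are Address[2..5], i.e. buffer offsets 6..9.
        if ($M::ReadInt32($buf) -ne 2) { return $null }
        $octets = 6..9 | ForEach-Object { $M::ReadByte($buf, $_) }
        if ($octets[0] -eq 0) { return $null }   # console logon: no client address
        return ($octets -join '.')
    } finally { [Wts]::WTSFreeMemory($buf) }
}
function Get-RdpSessionAudit([string]$ComputerName = $env:COMPUTERNAME) {
    $srv = [Wts]::WTSOpenServer($ComputerName)
    if ($srv -eq [IntPtr]::Zero) { throw "WTSOpenServer failed for $ComputerName" }
    $pInfo = [IntPtr]::Zero; $count = [uint32]0
    try {
        if (-not [Wts]::WTSEnumerateSessions($srv, 0, 1, [ref]$pInfo, [ref]$count)) { throw "WTSEnumerateSessions failed" }
        $size = $M::SizeOf([type][Wts+SESSION_INFO])
        for ($i = 0; $i -lt $count; $i++) {
            $s = $M::PtrToStructure([IntPtr]($pInfo.ToInt64() + $i * $size), [type][Wts+SESSION_INFO])
            $user = Get-WtsValue $srv $s.SessionId 5
            if (-not $user) { continue }   # listener/service sessions have no logged-on user
            [pscustomobject]@{ ComputerName = $ComputerName; User = "$(Get-WtsValue $srv $s.SessionId 7)\$user"
                SessionName = $M::PtrToStringUni($s.pWinStationName); State = $States[$s.State]
                ClientHost = Get-WtsValue $srv $s.SessionId 10; ClientIP = Get-WtsValue $srv $s.SessionId 14 }
        }
    } finally { if ($pInfo -ne [IntPtr]::Zero) { [Wts]::WTSFreeMemory($pInfo) }; [Wts]::WTSCloseServer($srv) }
}
```

Run Get-RdpSessionAudit with no arguments to audit the local host, or pass a server name; disconnected sessions still appear with their last client address, which is exactly the stale-session condition worth reviewing on jump hosts.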
And because PowerView has been ported to (mostly!) be pipeline compliant, we can do things like Get-NetComputers | Get-NetRDPSessions | Export-Csv -NoTypeInformation rdpsessions.csv to enumerate all active RDP sessions on the domain and export them to a CSV file:
With elevated domain privileges, this can give us a great idea of what users are RDP’ed into what from where. We can use this information to figure out what users to go after, and the nature of the trust relationships of the domain.