2. $ whoami
• Security researcher and red teamer for the Veris Group's Adaptive Threat Division
• Co-founder of the Veil-Framework and founder of Veil's PowerTools
• Cons:
o Shmoocon '14: AV Evasion with the Veil Framework
o Defcon '14: Veil-Pillage: Post-exploitation 2.0
o Derbycon '14: Passing the Torch: Old School Red Teaming, New School Tactics?
3. What this is
• Ways to hunt for target users on Windows domains
• Ya really, that's it
• Will cover as many tools and techniques for doing this as I have time for
4. Setting the Stage
• This talk is from the "assume breach" perspective
o i.e. assume foothold/access to a Windows domain machine
• I'm also going to assume you know (more or less) what users you're targeting
• PowerShell methods are going to heavily rely on PowerView
o https://github.com/veil-framework/PowerTools
5. Motivations
• Most common:
o If you have a privileged account, or local admin account, you want to figure out where high value users are logged in
• Hunt -> pop box -> Mimikatz -> profit
• Other times you might have domain admin rights and need to target specific users to demonstrate impact
o e.g. popping a CEO's desktop and email
7. Existing Tech
• Several tools have been written that allow you to figure out who's logged in where
• I'll cover what's already out there, including the positives/negatives for each
• "Offensive in depth"
o You always want multiple ways of achieving the same objective in your attack chain
8. psloggedon.exe
• Component of Microsoft's Sysinternals
o "...determines who is logged on by scanning the keys under the HKEY_USERS key."
o "To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API."
• Needs remote registry access to determine who's logged in
o i.e. admin privileges on a remote machine
http://technet.microsoft.com/en-us/sysinternals/bb897545.aspx
10. netsess.exe
• Component of http://www.joeware.net/freetools/
• Utilizes the NetSessionEnum API call
o http://msdn.microsoft.com/en-us/library/windows/desktop/bb525382(v=vs.85).aspx
• Think a version of "net session" that works on remote machines!
o great for targeting file servers :)
o no admin privs needed!
12. PVEFindADUser.exe
• Tool released by corelanc0d3r in 2009
• "Helps you find where AD users are logged in"
o Can also check who's logged into specific machines
• But "...you also need to have admin access on the computers you are running the utility against."
https://www.corelan.be/index.php/2009/07/12/free-tool-find-where-ad-users-are-logged-on-into/
14. netview.exe
• Rob Fuller's (@mubix) netview.exe project, presented at Derbycon 2012, is a tool to "enumerate systems using WinAPI calls"
• Finds all machines on the network, enumerates shares, sessions, and logged in users for each host
o And now can check share access, highlight high value users, and use a delay/jitter :)
o and also, no admin privs needed!
https://github.com/mubix/netview
16. Nmap
• If you have a valid domain account, or local account valid for several machines, you can use smb-enum-sessions.nse
• Don't need to have admin privileges!
nmap -sU -sS --script smb-enum-sessions.nse --script-args 'smbuser=jasonf,smbpass=BusinessBusinessBusiness!' -p U:137,T:139 192.168.52.0/24
http://nmap.org/nsedoc/scripts/smb-enum-sessions.html
18. Email Headers
• If you have access to someone's email (Mimikatz+OWA, etc.) internal headers can provide a wealth of information
• Search for any chains to/from target users, and examine headers for given email chains
• If the "X-Originating-IP" header is present, you can trace where a user sent a given email from
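The header check described on this slide, seen from the mail administrator's side: added example, not code from the talk or from PowerView. It parses a constructed message with Python's standard email module, pulls X-Originating-IP when present and otherwise falls back to the earliest Received hop, and reports whether the recoverable origin is an internal (private) address, which is what an admin wants to know when deciding whether the platform should keep stamping that header on outbound mail. The message, host names and addresses are all constructed.

```python
"""
Added example (not from the talk): inspect a message's headers the way the
slide describes, from the mail admin's side, to check whether the platform
is stamping the sender's client address into mail. The message below is
constructed; the header names are the standard ones (X-Originating-IP and
Received).
"""
import email
import ipaddress
import re
from email import policy

# Constructed raw message with an internal origin stamped by the mail server.
RAW_MESSAGE = b"""\
Received: from mail02.corp.local (10.1.2.3) by edge01.corp.local with ESMTP; Tue, 4 Nov 2014 09:12:01 -0500
Received: from WS-HR-02.corp.local ([10.20.5.33]) by mail02.corp.local with Microsoft SMTP Server; Tue, 4 Nov 2014 09:11:58 -0500
X-Originating-IP: [10.20.5.33]
From: Jason F <jasonf@corp.local>
To: Alice S <asmith@corp.local>
Subject: Q4 numbers
Message-ID: <constructed-0001@corp.local>

See attached.
"""

# Matches a dotted-quad IPv4 address, with or without the surrounding brackets
# that Exchange and many MTAs put around it.
IP_RE = re.compile(r"\[?((?:\d{1,3}\.){3}\d{1,3})\]?")


def parse_ip(text):
    """First valid IPv4 address in text, or None."""
    m = IP_RE.search(text or "")
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1)))
    except ValueError:
        return None


def originating_ip(raw):
    """Address the message was submitted from, and which header gave it away:
    X-Originating-IP if present, else the earliest Received hop (Received
    headers are prepended, so the last one in the message is the first hop)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    ip = parse_ip(msg.get("X-Originating-IP"))
    if ip:
        return ip, "X-Originating-IP"
    for hop in reversed(msg.get_all("Received") or []):
        ip = parse_ip(hop)
        if ip:
            return ip, "Received"
    return None, None


def leaks_internal_origin(raw):
    """True when the recoverable origin is a private (RFC 1918 etc.) address."""
    ip, _ = originating_ip(raw)
    return bool(ip) and ipaddress.ip_address(ip).is_private


if __name__ == "__main__":
    print(originating_ip(RAW_MESSAGE))
    print("internal origin exposed:", leaks_internal_origin(RAW_MESSAGE))
```

Run it against a message exported from your own mail platform (raw .eml bytes) to see which header is doing the exposing; if X-Originating-IP is removed, the Received fallback shows whether the first hop still carries the same information.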
20. Invoke-UserHunter
• Flexible function that:
o queries AD for hosts or takes a target list
o queries AD for users of a target group, or takes a list/single user
o uses Win32 API calls to enumerate sessions (NetSessionEnum) and logged in users (NetWkstaUserEnum), matching against the target user list
• Can also check to see if you have local admin access on targets
o but no admin privs needed to get good info!
22. Invoke-StealthUserHunter
• Uses an old red teaming trick
1. Queries AD for all users and extracts all homeDirectory fields to identify likely domain file servers
2. Runs NetSessionEnum against each file server to enumerate remote sessions, matching against target user list
• Gets reasonable coverage with a lot less traffic than UserHunter
o and again, no admin privs needed
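The two-step procedure above, plus the session-matching logic that Invoke-UserHunter and Invoke-StealthUserHunter share, worked through on constructed data as an added example (this is not PowerView's code). It is written for the AD administrator who wants to know what those functions would find in their own directory: step 1 parses homeDirectory values into the set of file servers the technique would target (handling local paths, unset attributes and DFS namespace roots that name the domain rather than a server), and step 2 matches a session table against a watch list of privileged accounts. The session table is constructed and stands in for what NetSessionEnum would return from each server; no network calls are made.

```python
"""
Added example (not PowerView code): the two steps of Invoke-StealthUserHunter
run over constructed data, so an admin can see which servers that technique
would surface from their own AD and which accounts' sessions would be
visible there without any admin rights. homeDirectory values and the session
table are constructed; the session table stands in for NetSessionEnum output.
"""
import re
from collections import defaultdict

# \\host\share... : capture the host part of a UNC path.
UNC_RE = re.compile(r"^\\\\([^\\\s]+)\\")

# Constructed homeDirectory attribute values as an AD user query would return them.
HOME_DIRS = [
    r"\\FS01.corp.local\users$\jasonf",
    r"\\fs01.corp.local\users$\asmith",   # same server, different case
    r"\\FS02\home\bwilson",
    r"\\corp.local\dfs\home\cjones",      # DFS namespace: names the domain, not a server
    r"C:\Users\local",                    # local path: not a file server
    "",                                   # attribute unset
    None,
]


def file_servers_from_homedirs(home_dirs, dfs_roots=()):
    """Step 1: distinct, case-folded host names from UNC homeDirectory values."""
    skip = {d.lower() for d in dfs_roots}
    servers = set()
    for hd in home_dirs:
        if not hd:
            continue
        m = UNC_RE.match(hd)
        if not m:
            continue
        host = m.group(1).lower()
        if host in skip:
            continue  # a DFS root is a namespace, not a machine to enumerate
        servers.add(host)
    return sorted(servers)


# Constructed stand-in for NetSessionEnum results: server -> [(user, client host), ...]
# The empty user name mimics a null/idle session entry that NetSessionEnum also lists.
SESSIONS = {
    "fs01.corp.local": [("jasonf", "WS-HR-02"), ("da-jsmith", "WS-ACCT-14"), ("", "WS-PRINT-01")],
    "fs02": [("bwilson", "WS-ENG-07")],
}


def sessions_for_users(servers, sessions, watch_users):
    """Step 2: sessions on the identified servers held by accounts on the watch list,
    as {user: [(server, client host), ...]}."""
    watch = {u.lower() for u in watch_users}
    hits = defaultdict(list)
    for srv in servers:
        for user, client in sessions.get(srv, []):
            if user and user.lower() in watch:
                hits[user.lower()].append((srv, client))
    return {u: sorted(v) for u, v in hits.items()}


if __name__ == "__main__":
    servers = file_servers_from_homedirs(HOME_DIRS, dfs_roots=["corp.local"])
    print("servers this technique would enumerate:", servers)
    print(sessions_for_users(servers, SESSIONS, ["da-jsmith"]))
```

The useful output for a defender is the second line: every privileged account that shows up there is holding a session on a file server that any domain user can enumerate, and the client host listed beside it is exactly where the talk's "hunt -> pop box" step would go next.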
24. Invoke-UserLogonHunter
• Sometimes you have DA, but need to target specific users (think the IR team :)
• Domain controller event logs make it trivial to track down domain users, provided you have domain admin access
• Get-UserLogonEvents implements @sixdub's work on offensive event parsing
o Invoke-UserLogonHunter rolls this all into a weaponized form
26. Questions?
• Contact me:
o @harmj0y
o will@harmj0y.net
o harmj0y in #veil and #armitage on Freenode
• Read more:
o http://blog.harmj0y.net
o https://www.veil-framework.com
• Get PowerView:
o https://github.com/Veil-Framework/PowerTools