Sometimes during an internal penetration test I find myself spending a fair amount of effort locating a server or workstation with a specific user logged into it. This could be because I am searching for a box with a Domain Admin logged in, or because my engagement has a CTF-style scope that requires me to find a single user logged into a large enterprise domain.
Whatever the reason, this process can take a long time, especially on a sizable network. Like most security auditors I’m not a big fan of doing the same thing over and over again, so I decided to build a tool to help automate this process.
First we query HKEY_USERS to find out how many legitimate SIDs are currently logged in. We should see output similar to this.
C:\Users\serveradmin>reg.exe query HKU
If we sift through this output we can see that there are only two valid SIDs, the ones ending in RID ’1104′ and ’500′. To figure out the username for a particular SID you simply need to query the ‘Volatile Environment’ key like this.
C:\Users\serveradmin>reg.exe query "HKU\S-1-5-21-3064359591-4294004252-2834161185-1104\Volatile Environment"
    LOGONSERVER       REG_SZ    \\GOKU
    USERDNSDOMAIN     REG_SZ    DBZ-VULN.NET
    USERDOMAIN        REG_SZ    DBZ-VULN
    USERNAME          REG_SZ    serveradmin
    USERPROFILE       REG_SZ    C:\Users\serveradmin
    HOMEPATH          REG_SZ    \Users\serveradmin
    HOMEDRIVE         REG_SZ    C:
    APPDATA           REG_SZ    C:\Users\serveradmin\AppData\Roaming
    LOCALAPPDATA      REG_SZ    C:\Users\serveradmin\AppData\Local
As you can see, this registry key has all the information we care about. We can throw this into an auxiliary module and make use of existing Metasploit code to execute these commands as an authenticated admin user without having to upload any binaries to the target. With the power of Ruby threads we can cover a large network in a fraction of the time it would take to do this one system at a time.
The module can be run in one of two ways. Either specify an individual user such as ‘DOMAIN\Administrator’ and it will locate which system that user is logged into, or run it without setting the datastore['USERNAME'] variable and it will simply report the names of all users logged into every system listed in datastore['RHOSTS'].
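As an added example (not the post's module or any Metasploit code), here is the parsing that the two reg.exe steps above and the two run modes boil down to, written in Ruby against constructed reg.exe output. The domain SID is the one from the post's transcript; the host names, RIDs, account names, the Host struct and the helper names are assumptions. The same parser serves an administrator auditing which accounts have a hive loaded on a host, and it covers the case the transcript does not show: a hive loaded by a service or scheduled task has no ‘Volatile Environment’ key, so reg.exe prints an error instead of values and that SID yields no account.

```ruby
# Added example, not the post's Metasploit module: parse the text reg.exe
# prints for "reg query HKU" and for a SID's "Volatile Environment" key,
# map each loaded user hive to DOMAIN\username, and reproduce the module's
# two modes (find one user, or list everyone) on constructed data. Host
# names, RIDs and account names are made up; the domain SID mirrors the post.

# Only real account SIDs count: S-1-5-21-<three domain parts>-<RID>.
# The \z anchor drops the "<sid>_Classes" hives, and the literal prefix
# drops .DEFAULT and the well-known S-1-5-18/19/20 service accounts.
USER_SID_RE = /\AHKEY_USERS\\(S-1-5-21(?:-\d+){4})\z/

# Value lines in reg.exe output look like "    USERNAME    REG_SZ    serveradmin".
VALUE_LINE_RE = /\A\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*\z/

# SIDs of the user hives listed under HKU.
def logged_on_sids(hku_output)
  hku_output.each_line.map { |l| l.strip[USER_SID_RE, 1] }.compact
end

# name => data for every value line in a "reg query <key>" result.
def parse_reg_values(reg_output)
  reg_output.each_line.map { |l| (m = VALUE_LINE_RE.match(l)) && [m[1], m[3]] }.compact.to_h
end

# "DOMAIN\user" for one hive, or nil when the hive has no Volatile Environment.
# That key is written at interactive logon, so a hive loaded by a service or
# scheduled task lacks it and reg.exe prints an error line instead of values.
def account_for(volatile_env_output)
  vals = parse_reg_values(volatile_env_output)
  return nil unless vals['USERNAME']
  "#{vals.fetch('USERDOMAIN', '.')}\\#{vals['USERNAME']}"
end

# One host as the module sees it: the HKU listing plus the result of querying
# each SID's Volatile Environment (constructed here rather than fetched remotely).
Host = Struct.new(:name, :hku_output, :volatile_env_by_sid)

def logged_on_accounts(host)
  logged_on_sids(host.hku_output).map { |sid| account_for(host.volatile_env_by_sid.fetch(sid, '')) }.compact
end

# Mode 1: USERNAME set; return the hosts where that account is logged on.
def hosts_with_user(hosts, target)
  hosts.select { |h| logged_on_accounts(h).any? { |a| a.casecmp?(target) } }.map(&:name)
end

# Mode 2: no USERNAME; return every logged-on account, per host.
def all_logged_on(hosts)
  hosts.map { |h| [h.name, logged_on_accounts(h)] }.to_h
end

# ---- Constructed sample output, shaped like the post's reg.exe transcripts ----
DOMAIN_SID = 'S-1-5-21-3064359591-4294004252-2834161185'

def hku_listing(rids)
  lines = ['HKEY_USERS\.DEFAULT', 'HKEY_USERS\S-1-5-19', 'HKEY_USERS\S-1-5-20']
  rids.each { |r| lines << "HKEY_USERS\\#{DOMAIN_SID}-#{r}" << "HKEY_USERS\\#{DOMAIN_SID}-#{r}_Classes" }
  lines << 'HKEY_USERS\S-1-5-18'
  lines.join("\n") + "\n"
end

def volatile_env(sid, logonserver, domain, user)
  <<~OUT
    HKEY_USERS\\#{sid}\\Volatile Environment
        LOGONSERVER       REG_SZ    \\\\#{logonserver}
        USERDNSDOMAIN     REG_SZ    DBZ-VULN.NET
        USERDOMAIN        REG_SZ    #{domain}
        USERNAME          REG_SZ    #{user}
        USERPROFILE       REG_SZ    C:\\Users\\#{user}
  OUT
end

# What reg.exe prints when the key does not exist.
NO_VOLATILE_ENV = "ERROR: The system was unable to find the specified registry key or value.\n"

SAMPLE_HOSTS = [
  Host.new('GOKU', hku_listing([500, 1104]), {
    "#{DOMAIN_SID}-500"  => volatile_env("#{DOMAIN_SID}-500", 'GOKU', 'DBZ-VULN', 'Administrator'),
    "#{DOMAIN_SID}-1104" => volatile_env("#{DOMAIN_SID}-1104", 'GOKU', 'DBZ-VULN', 'serveradmin'),
  }),
  Host.new('VEGETA', hku_listing([1105, 1107]), {
    "#{DOMAIN_SID}-1105" => volatile_env("#{DOMAIN_SID}-1105", 'GOKU', 'DBZ-VULN', 'krillin'),
    "#{DOMAIN_SID}-1107" => NO_VOLATILE_ENV, # hive loaded by a scheduled task, no session
  }),
]

if __FILE__ == $PROGRAM_NAME
  p hosts_with_user(SAMPLE_HOSTS, 'DBZ-VULN\Administrator')  # => ["GOKU"]
  p all_logged_on(SAMPLE_HOSTS)
end
```

The match on the user name is case-insensitive because Windows account names are, so ‘dbz-vuln\serveradmin’ finds the same host as ‘DBZ-VULN\serveradmin’. The SID regex is deliberately strict: a looser pattern would count the ‘_Classes’ hives and the S-1-5-18/19/20 service hives and report phantom logons.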
Download Module: Source