🆕Enumerate Active Windows Sessions

You need at least local admin privilege on the remote target, use option --local-auth if your user is a local account

When connecting to a Windows server via GUI interface (local connection or RDP) a windows session will be created. These session can be listed using the following option

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --qwinsta

Note that if a session if found, an attacker will be able to:

Impersonate the primary token for that user (if credentials are stored in memory) ;
Run tasks on behalf of that user.

Sometimes you'll end up having to hunt for a specific user which can be done filling the username you are looking for:

nxc smb 192.168.1.0/24 -u UserNAme -p 'PASSWORDHERE' --qwinsta username

PreviousEnumerate Hosts with SMB Signing Not Required NextEnumerate Logged-On Users with the Remote Registry Service

Last updated 5 months ago

Was this helpful?