Invoke-SessionHunter - Remote User Session Retrieval Tool

Invoke-SessionHunter is a PowerShell tool designed to retrieve and display information about active user sessions on remote computers.

It leverages the remote registry service to query the HKEY_USERS registry hive, identifying Security Identifiers (SIDs) associated with active user sessions and translating them into usernames.

This tool is particularly useful for gaining insights into logged-in users across a network without requiring administrative privileges.

Key Features

  • No Admin Privileges Required: By default, it retrieves session data without needing elevated permissions.

  • Remote Registry Service: Utilizes the remote registry service to query session information.

  • Customizable Parameters: Offers various switches and parameters for tailored usage.

  • Admin Access Mode: With the -CheckAsAdmin switch, it authenticates to targets where you have local admin access for more comprehensive results.

Prerequisites

  1. The Remote Registry Service must be running on target machines:

    • If the service is set to "Automatic" or "Manual," it will start automatically when queried.

    • If set to "Disabled," no session information can be retrieved.

  2. Ensure PowerShell is installed and properly configured on your system.
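
The prerequisites above double as a hardening check: a host answers this kind of query only while its Remote Registry service is not set to "Disabled". The script below is an added example, not part of Invoke-SessionHunter; the function names and host names are hypothetical, and it assumes WinRM access and local admin rights on the machines you administer.

```powershell
# Added example (not from Invoke-SessionHunter). Reports whether RemoteRegistry
# can be started by a remote query on each host, and optionally disables it.
function Get-RemoteRegistryExposure {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $svc = Get-CimInstance -ClassName Win32_Service `
                       -Filter "Name='RemoteRegistry'" -ComputerName $c -ErrorAction Stop
            if (-not $svc) { throw "RemoteRegistry service not found on $c" }
            [pscustomobject]@{
                ComputerName = $c
                StartMode    = $svc.StartMode   # Auto, Manual or Disabled
                State        = $svc.State       # Running, Stopped, ...
                # Only Disabled blocks the query: Auto and Manual start on demand.
                Queryable    = $svc.StartMode -ne 'Disabled'
            }
        } catch {
            # Unreachable or access denied: report it, do not guess the setting.
            [pscustomobject]@{
                ComputerName = $c; StartMode = $null
                State = 'Unreachable'; Queryable = $null
            }
        }
    }
}

function Disable-RemoteRegistry {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$ComputerName)
    process {
        if ($PSCmdlet.ShouldProcess($ComputerName, 'Disable and stop RemoteRegistry')) {
            Invoke-Command -ComputerName $ComputerName -ScriptBlock {
                Set-Service -Name RemoteRegistry -StartupType Disabled
                Stop-Service -Name RemoteRegistry -Force
            }
        }
    }
}

# Constructed host names. -WhatIf lists what would change without changing it.
Get-RemoteRegistryExposure -ComputerName 'WS01.example.local', 'SRV01.example.local' |
    Where-Object Queryable |
    Disable-RemoteRegistry -WhatIf
```

Some management and inventory tools depend on Remote Registry, so review the -WhatIf output against what your environment needs before removing the switch.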

Loading the Tool

To load Invoke-SessionHunter into memory, execute the following command:

iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Invoke-SessionHunter/main/Invoke-SessionHunter.ps1')

Basic Usage

To retrieve active sessions from all computers in the current domain:

Invoke-SessionHunter

Advanced Options and Switches

1. Check Admin Access

Retrieve sessions by authenticating to targets where you have local admin access, using klist sessions:

Invoke-SessionHunter -CheckAsAdmin

Optionally, specify credentials:

Invoke-SessionHunter -CheckAsAdmin -UserName "domain\Administrator" -Password "P@ssw0rd!"

2. Include Local Host

Include your host machine, current user, or provided username in the results:

Invoke-SessionHunter -ShowAll -IncludeLocalHost

3. Adjust Timeout

Modify the timeout period (default is 2000ms) for slower networks:

Invoke-SessionHunter -Timeout 5000

4. Filter Privileged Users

Show only targets where you have admin access and privileged users are logged in:

Invoke-SessionHunter -Match

5. Specify Target Domain

Query a specific domain:

Invoke-SessionHunter -Domain contoso.local

6. Target Specific Machines

Provide a comma-separated list of targets or a file containing target machine names:

Invoke-SessionHunter -Targets "DC01,Workstation01.contoso.local"

Invoke-SessionHunter -Targets c:\Users\Public\Documents\targets.txt

7. Focus on Servers or Workstations

Retrieve sessions from servers only:

Invoke-SessionHunter -Servers

Retrieve sessions from workstations only:

Invoke-SessionHunter -Workstations

8. Hunt Specific Users

Search for sessions of a particular user:

Invoke-SessionHunter -Hunt "Administrator"

9. Raw Results

Return results as custom PowerShell objects instead of table-formatted output:

Invoke-SessionHunter -RawResults

10. Skip Port Scan

Avoid running a preliminary port scan to check host availability (may cause delays if hosts are unreachable):

Invoke-SessionHunter -NoPortScan

Combining Options

You can combine multiple switches for more granular control. For example:

Invoke-SessionHunter -CheckAsAdmin -UserName "domain\Administrator" -Password "P@ssw0rd!" -Timeout 5000 -Match

Notes on Behavior

  1. If the remote registry service is not running but set to "Automatic" or "Manual," it will start automatically when queried.

  2. Targets where the remote registry fails to respond within the timeout period will be skipped.

  3. The tool excludes your host machine and current user by default unless explicitly included using -ShowAll or -IncludeLocalHost.

By leveraging these features and options, you can efficiently gather active session data across your network while tailoring the process to meet your specific requirements. You can learn more and download Invoke-SessionHunter on GitHub.
