
Invoke-SessionHunter - Remote User Session Retrieval Tool
Invoke-SessionHunter is a PowerShell tool designed to retrieve and display information about active user sessions on remote computers.
It leverages the remote registry service to query the HKEY_USERS registry hive, identifying Security Identifiers (SIDs) associated with active user sessions and translating them into usernames.
This tool is particularly useful for gaining insights into logged-in users across a network without requiring administrative privileges.
Key Features
- No Admin Privileges Required: By default, it retrieves session data without needing elevated permissions.
- Remote Registry Service: Utilizes the remote registry service to query session information.
- Customizable Parameters: Offers various switches and parameters for tailored usage.
- Admin Access Mode: With the -CheckAsAdmin switch, it authenticates to targets where you have local admin access for more comprehensive results.
Prerequisites
- The Remote Registry Service must be running on target machines:
  - If the service is set to "Automatic" or "Manual," it will start automatically when queried.
  - If set to "Disabled," no session information can be retrieved.
- Ensure PowerShell is installed and properly configured on your system.
Loading the Tool
To load Invoke-SessionHunter into memory, execute the following command:
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/Leo4j/Invoke-SessionHunter/main/Invoke-SessionHunter.ps1')
Basic Usage
To retrieve active sessions from all computers in the current domain:
Invoke-SessionHunter
Advanced Options and Switches
1. Check Admin Access
Retrieve sessions by authenticating with local admin access using klist sessions:
Invoke-SessionHunter -CheckAsAdmin
Optionally, specify credentials:
Invoke-SessionHunter -CheckAsAdmin -UserName "domain\Administrator" -Password "P@ssw0rd!"
2. Include Local Host
Include your host machine, current user, or provided username in the results:
Invoke-SessionHunter -ShowAll -IncludeLocalHost
3. Adjust Timeout
Modify the timeout period (default is 2000ms) for slower networks:
Invoke-SessionHunter -Timeout 5000
4. Filter Privileged Users
Show only targets where you have admin access and privileged users are logged in:
Invoke-SessionHunter -Match
5. Specify Target Domain
Query a specific domain:
Invoke-SessionHunter -Domain contoso.local
6. Target Specific Machines
Provide a comma-separated list of targets or a file containing target machine names:
Invoke-SessionHunter -Targets "DC01,Workstation01.contoso.local"
Invoke-SessionHunter -Targets c:\Users\Public\Documents\targets.txt
7. Focus on Servers or Workstations
Retrieve sessions from servers only:
Invoke-SessionHunter -Servers
Retrieve sessions from workstations only:
Invoke-SessionHunter -Workstations
8. Hunt Specific Users
Search for sessions of a particular user:
Invoke-SessionHunter -Hunt "Administrator"
9. Raw Results
Return results as custom PowerShell objects instead of table-formatted output:
Invoke-SessionHunter -RawResults
10. Skip Port Scan
Avoid running a preliminary port scan to check host availability (may cause delays if hosts are unreachable):
Invoke-SessionHunter -NoPortScan
Combining Options
You can combine multiple switches for more granular control. For example:
Invoke-SessionHunter -CheckAsAdmin -UserName "domain\Administrator" -Password "P@ssw0rd!" -Timeout 5000 -Match
Notes on Behavior
- If the remote registry service is not running but set to "Automatic" or "Manual," it will start automatically when queried.
- Targets where the remote registry fails to respond within the timeout period will be skipped.
- The tool excludes your host machine and current user by default unless explicitly included using -ShowAll or -IncludeLocalHost.
By leveraging these features and options, you can efficiently gather active session data across your network while tailoring the process to meet your specific requirements. You can learn more and download Invoke-SessionHunter on GitHub.
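From the monitoring side, the behavior described above (one account querying the remote registry on many hosts in quick succession) leaves a recognizable pattern. The following is an added example, not code from the Invoke-SessionHunter project: it assumes Security event 5145 ("Audit Detailed File Share") is being collected and has already been flattened into objects with the fields shown; the function name, thresholds and sample records are hypothetical and constructed for illustration.

```powershell
# Added example, not part of Invoke-SessionHunter.
# Assumption: each record is a Security 5145 event flattened to an object with
# TimeCreated, Computer, IpAddress, SubjectUserName and RelativeTargetName.
function Find-RemoteRegistrySweep {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $MinHosts = 3,          # distinct targets before alerting (hypothetical threshold)
        [int] $WindowSeconds = 60     # sliding window length (hypothetical threshold)
    )
    # Remote registry access arrives over the 'winreg' named pipe on IPC$.
    $winreg = @($Events | Where-Object { $_.RelativeTargetName -eq 'winreg' } | Sort-Object TimeCreated)
    foreach ($group in ($winreg | Group-Object IpAddress, SubjectUserName)) {
        $rows = @($group.Group)
        for ($i = 0; $i -lt $rows.Count; $i++) {
            $end      = $rows[$i].TimeCreated.AddSeconds($WindowSeconds)
            $inWindow = @($rows[$i..($rows.Count - 1)] | Where-Object { $_.TimeCreated -le $end })
            $hosts    = @($inWindow.Computer | Sort-Object -Unique)
            if ($hosts.Count -ge $MinHosts) {
                [pscustomobject]@{
                    Source    = $rows[$i].IpAddress
                    Account   = $rows[$i].SubjectUserName
                    FirstSeen = $rows[$i].TimeCreated
                    HostCount = $hosts.Count
                    Hosts     = $hosts -join ','
                }
                break   # one alert per source/account pair
            }
        }
    }
}

# Constructed sample records: one workstation touching winreg on four hosts in
# six seconds, one isolated winreg access, and one unrelated pipe access.
$t0 = [datetime]'2024-01-01T09:00:00'
$sample = 0..3 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $t0.AddSeconds(2 * $_); Computer = "WS0$_"; IpAddress = '10.0.0.50'
                       SubjectUserName = 'jdoe'; RelativeTargetName = 'winreg' }
}
$sample += [pscustomobject]@{ TimeCreated = $t0.AddMinutes(5); Computer = 'SRV01'; IpAddress = '10.0.0.9'
                              SubjectUserName = 'backupsvc'; RelativeTargetName = 'winreg' }
$sample += [pscustomobject]@{ TimeCreated = $t0.AddSeconds(1); Computer = 'WS09'; IpAddress = '10.0.0.50'
                              SubjectUserName = 'jdoe'; RelativeTargetName = 'srvsvc' }

Find-RemoteRegistrySweep -Events $sample | Format-List
```

Tune `-MinHosts` and `-WindowSeconds` against legitimate management tooling in your environment; where the Remote Registry service is not needed, setting it to "Disabled" removes the data source entirely, as the prerequisites above note.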