域渗透之用户会话收集分析技术文档<\/h1>

1. 查询远程计算机当前登录的用户<\/h2>

1.1 RegistryKey方法<\/h3>

1.1.1 技术原理<\/h4>

Windows注册表HKU记录了计算机当前登录的用户SID<\/li>
HKU SID下Volatile Environment的USERNAME属性包含实际用户名<\/li>

通过远程注册表服务(Remote Registry Service)可远程读取注册表<\/li> <\/ul>

1.1.2 服务配置<\/h4>

客户端<\/strong>：默认关闭(Disabled)<\/li>
服务器<\/strong>：默认开启(Automatic)<\/li>

空闲停止配置：HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\RemoteRegistry<\/code>中的DisableIdleStop<\/code>值 0：空闲10分钟后停止<\/li> 1：空闲时不停止<\/li> <\/ul> <\/li> <\/ul> 1.1.3 权限要求<\/h4> HKEY_USERS：Everyone可读<\/li> HKEY_USERS<SID>\Volatile Environment：普通用户无访问权限<\/li> <\/ul> 1.1.4 实现方式<\/h4> 注册表编辑器(regedit.exe)<\/strong><\/p> File => Connect Network Registry<\/li> 输入远程计算机地址<\/li> 查看HKU中的SID<\/li> <\/ul> <\/li> PowerShell<\/strong><\/p> # 查看HKU<\/span> <\/span><\/span>[Microsoft.Win32.RegistryKey]<\/span>::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]<\/span>::Users,'192.168.1.9'<\/span>).OpenSubKey(''<\/span>).GetSubKeyNames() <\/span><\/span> <\/span><\/span># 查看HKLM<\/span> <\/span><\/span>[Microsoft.Win32.RegistryKey]<\/span>::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]<\/span>::Users,'192.168.1.9'<\/span>).OpenSubKey('\System\CurrentControlSet'<\/span>).GetSubKeyNames() <\/span><\/span><\/code><\/pre><\/li> Python脚本<\/strong><\/p> 核心功能：通过WINREG协议远程读取注册表<\/li> <\/ul> <\/li> <\/ol> 1.1.5 流量分析<\/h4> 协议栈：TCP=>NetBIOS=>SMB=>DCERPC=>WINREG<\/li> 主要阶段：建立SMB会话<\/li> 连接IPC$共享<\/li> 打开winreg命名管道<\/li> 绑定winreg接口<\/li> RPC方法调用<\/li> 关闭连接<\/li> <\/ol> <\/li> <\/ul> 1.2 NetWkstaUserEnum方法<\/h3> 1.2.1 技术原理<\/h4> 查询当前登录到工作站的所有用户信息<\/li> 包括：交互式登录、服务和批处理登录<\/li> <\/ul> 1.2.2 函数结构<\/h4> NET_API_STATUS NET_API_FUNCTION NetWkstaUserEnum<\/span>( <\/span><\/span> [in] LMSTR servername, <\/span><\/span> [in] DWORD level, <\/span><\/span> [out] LPBYTE *<\/span>bufptr, <\/span><\/span> [in] DWORD prefmaxlen, <\/span><\/span> [out] LPDWORD entriesread, <\/span><\/span> [out] LPDWORD totalentries, <\/span><\/span> [in, out] LPDWORD resumehandle <\/span><\/span>); <\/span><\/span><\/code><\/pre>1.2.3 权限要求<\/h4> 需要目标计算机管理员权限<\/li> 允许的组：Administrators、Server、System和Print Operator本地组<\/li> <\/ul> 1.2.4 实现方式<\/h4> Python脚本<\/strong>：调用NetWkstaUserEnum API<\/li> 示例输出： Found logged on user at 192.168.1.15: lihua@QFTM Found logged on user at 192.168.1.15: dadmin@QFTM <\/code><\/pre> <\/li> <\/ul> 1.2.5 流量分析<\/h4> 协议栈：TCP=>NetBIOS=>SMB=>DCERPC=>WKSSVC<\/li> 主要阶段：建立SMB会话<\/li> 连接IPC$共享<\/li> 打开wkssvc命名管道<\/li> 绑定wkssvc接口<\/li> RPC方法调用(NetrWkstaUserEnum)<\/li> 关闭连接<\/li> <\/ol> <\/li> <\/ul> 2. 查询远程计算机当前用户网络会话<\/h2> 2.1 NetSessionEnum方法<\/h3> 2.1.1 技术原理<\/h4> 查询访问远程主机网络资源(如文件共享)时创建的网络会话<\/li> 可获取域用户及IP等信息<\/li> <\/ul> 2.1.2 函数结构<\/h4> NET_API_STATUS NET_API_FUNCTION NetSessionEnum<\/span>( <\/span><\/span> [in] LMSTR servername, <\/span><\/span> [in] LMSTR UncClientName, <\/span><\/span> [in] LMSTR username, <\/span><\/span> [in] DWORD level, <\/span><\/span> [out] LPBYTE *<\/span>bufptr, <\/span><\/span> [in] DWORD prefmaxlen, <\/span><\/span> [out] LPDWORD entriesread, <\/span><\/span> [out] LPDWORD totalentries, <\/span><\/span> [in, out] LPDWORD resume_handle <\/span><\/span>); <\/span><\/span><\/code><\/pre>2.1.3 权限要求<\/h4> 早期系统：Authenticated Users可访问<\/li> 后期系统(Windows 10 1709+\/Windows Server 2019 1809+)：需要管理员权限<\/li> Level权限： 0或10：不需要管理员权限<\/li> 1或2：需要Administrators或Server Operators权限<\/li> 502：需要更高权限<\/li> <\/ul> <\/li> <\/ul> 2.1.4 实现方式<\/h4> NetSess工具<\/strong>： NetSess.exe 192.168.1.15 NetSess.exe 192.168.1.15 -u lihua <\/code><\/pre> <\/li> Python脚本<\/strong>：调用NetSessionEnum API<\/li> <\/ul> 2.1.5 流量分析<\/h4> 协议栈：TCP=>NetBIOS=>SMB=>DCERPC=>SRVSVC<\/li> 主要阶段：建立SMB会话<\/li> 连接IPC$共享<\/li> 打开srvsvc命名管道<\/li> 绑定srvsvc接口<\/li> RPC方法调用(NetrSessionEnum)<\/li> 关闭连接<\/li> <\/ol> <\/li> <\/ul> 3. 常见用户会话收集工具<\/h2> 3.1 SharpHound<\/h3> 3.1.1 收集方法<\/h4> Session收集<\/strong>：使用NetSessionEnum<\/li> LoggedOn收集<\/strong>：使用NetWkstaUserEnum和RegistryKey<\/li> 组合收集<\/strong>：SharpHound.exe -c session,loggedon<\/code><\/li> <\/ul> 3.1.2 方法对比<\/h4> 方法<\/th> OS版本<\/th> 需要管理员<\/th> 收集方式<\/th> BloodHound边<\/th> 本地用户<\/th> <\/tr> <\/thead> NetWkstaUserEnum<\/td> 所有<\/td> 是<\/td> LoggedOn<\/td> HasSession<\/td> 否<\/td> <\/tr> NetSessionEnum<\/td> Win10 1709+\/WinSrv2019 1809+<\/td> 是<\/td> Session<\/td> HasSession<\/td> 否<\/td> <\/tr> RegistryKey<\/td> Windows Server<\/td> 否<\/td> LoggedOn<\/td> HasSession<\/td> 是<\/td> <\/tr> <\/tbody> <\/table> 3.2 PsLoggedOn<\/h3> 3.2.1 收集方法<\/h4> RegistryKey：查询HKU<\/li> NetSessionEnum：查询网络会话<\/li> <\/ul> 3.2.2 使用方式<\/h4> PsLoggedon.exe \/accepteula \\dc PsLoggedon.exe \/accepteula administrator <\/code><\/pre> 3.3 PVEFindADUser<\/h3> 3.3.1 收集方法<\/h4> RegistryKey：查询HKU<\/li> <\/ul> 3.3.2 使用方式<\/h4> PVEFindADUser.exe -current PVEFindADUser.exe -current -target dc -noping PVEFindADUser.exe -current qftm\dadmin -noping <\/code><\/pre> 3.4 NetSess<\/h3> 3.4.1 收集方法<\/h4> NetSessionEnum：查询网络会话<\/li> <\/ul> 3.4.2 使用方式<\/h4> NetSess.exe 192.168.1.15 NetSess.exe 192.168.1.15 -u lihua <\/code><\/pre> 4. 总结对比表<\/h2> 4.1 API方法对比<\/h3> API Call<\/th> OS version<\/th> Admin needed<\/th> User status<\/th> SMB share<\/th> Port<\/th> Protocol<\/th> Name pipe<\/th> RPC Interface UUID<\/th> RPC Method Call<\/th> <\/tr> <\/thead> RegistryKey<\/td> Windows Server<\/td> No<\/td> LoggedOn<\/td> IPC$<\/td> 445<\/td> SMB\/DCERPC\/WINREG<\/td> \pipe\winreg<\/td> 338cd001-2244-31f1-aaaa-900038001003<\/td> OpenRemoteBaseKey\/OpenSubKey\/GetSubKeyNames<\/td> <\/tr> NetWkstaUserEnum<\/td> All<\/td> Yes<\/td> LoggedOn<\/td> IPC$<\/td> 445<\/td> SMB\/DCERPC\/WKSSVC<\/td> \pipe\wkssvc<\/td> 6BFFD098-A112-3610-9833-46C3F87E345A<\/td> NetrWkstaUserEnum<\/td> <\/tr> NetSessionEnum<\/td> Win10 1709+\/WinSrv2019 1809+<\/td> Yes<\/td> Net Session<\/td> IPC$<\/td> 445<\/td> SMB\/DCERPC\/SRVSVC<\/td> \pipe\srvsvc<\/td> 4B324FC8-1670-01D3-1278-5A47BF6EE188<\/td> NetrSessionEnum<\/td> <\/tr> <\/tbody> <\/table> 4.2 工具方法对比<\/h3> 工具<\/th> 使用的方法<\/th> 优点<\/th> 缺点<\/th> <\/tr> <\/thead> SharpHound<\/td> NetWkstaUserEnum\/NetSessionEnum\/RegistryKey<\/td> 功能全面，与BloodHound集成<\/td> 体积较大，可能被AV检测<\/td> <\/tr> PsLoggedOn<\/td> RegistryKey\/NetSessionEnum<\/td> 轻量，Sysinternals工具<\/td> 功能相对简单<\/td> <\/tr> PVEFindADUser<\/td> RegistryKey<\/td> 可查询域内用户登录位置<\/td> 仅支持.NET 2.0<\/td> <\/tr> NetSess<\/td> NetSessionEnum<\/td> 轻量，快速查询网络会话<\/td> 功能单一<\/td> <\/tr> <\/tbody> <\/table>