Skip to content
.net tool that uses WMI queries to enumerate active sessions and accounts configured to run services on remote systems
C#
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
wmiServSessEnum
.gitattributes
README.md
wmiServSessEnum.sln

README.md

wmiServSessEnum

multithreaded .net tool that uses WMI queries to enumerate active user sessions and accounts configured to run services (even those that are stopped and disabled) on remote systems

Usage

WmiServSessEnum can be ran in several different modes:

  • sessions – output similar to other user enumeration tools, this will query the Win32_LoggedOnUser and Win32_SessionProcess WMI classes to return a list of active sessions on the remote system
  • services – this option will query the Win32_Service WMI class and return a list (if any) of non-default accounts configured to run services on the remote system
  • all(default) – runs both collection methods on each host

Required Flags (one of the following two required)

  • -L - Comma seperated list of IP's / hostnames to scan. Please don't include spaces between addresses
  • -F - File containing a list of IP's / hostnames to scan, one per line

Optional Flags

  • -M - Mode selection (options = services, sessions, all) (Default: all)
  • -U - Username to use, if you want to use alternate credentials to run. Must use with -P and -D flags
  • -P - Plaintext password to use, if you want to use alternate credentials to run. Must use with -U and -D flags
  • -D - Domain to use, if you want to use alternate credentials to run (. for local domain). Must use with -U and -P flags
  • -T - Threads to use to concurently enumerate multiple remote hosts (Default: 10)
  • -W - Wait time, in seconds, for CimSession connect before connection timeout (Default: 10) - I wouldn't drop this number too low or you will get false negatives

Note: Designed for informational purposes only, please only use this tool on networks you own or have permission to test against.

You can’t perform that action at this time.