(l)user hunter using WinAPI calls only
During Red Team engagements it is common to track/hunt specific users. Assuming we already have access to a desktop as a normal user (no matter how, always "assume compromise") in a Windows Domain and we want to spread laterally. We want to know where the user is logged on, if he is a local administrator in any box, to which groups he belongs, if he has access to file shares, and so on. Enumerating hosts, users, and groups will also help to get a better understanding of the Domain layout.
You might be thinking, "use Powerview". Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you'll get caught, sooner or later. By now everyone is well aware how powerful PowerShell is, including Blue Teams and Security Vendors.
There are multiple ways to work around this. To avoid using multiple old school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the amount of tools uploaded to compromised systems I created a simple tool that doesn't require Administrative privileges to run and collect the information listed below, and relies only on the Windows API.
You might end up dealing with white list bypass and process evasion, but I'll leave that for another day.
What is it:
The (l)user hunter tool is a small program written in C/C++ that uses WinAPI calls only to:
- Retrieves current configuration information for the specified server (via list of hosts or domain enumeration).
- OS Version
- Server Type (DC, Backup DC, Workstation or Server, Terminal Server, MSSQL Server)
- Lists information about all users currently logged on to the workstation.
- interactive, service and batch logons.
- Lists information about sessions established on a server.
- Retrieves information about each shared resource on a server.
- checks if current user as read access.
- Returns results for the NS_DNS namespace, IPv4 protocol.
- Checks if current user is an Administrator on a server.
- Retrieves information about all user accounts on a server or DC.
- Retrieves a list of global groups to which a specified user belongs on a server or DC.
- Retrieves information about each global group in the security database, SAM database or Active Directory.
- Retrieves a list of the members in a particular global group in the security database, SAM database or Active Directory.
- Retrieves information about a particular user account on a server or DC.
- Enumerate the domain controllers in the local domain.
Additionally, for hosts enumeration there's a minimum and maximum delay value in seconds you can add to avoid detection/noise.
How to Compile it:
Grab a copy of Visual Studio, it's free. It won't build on Linux, maybe later.
How to use it:
See below some usage examples.
- Improve Error handling
- Improve output
- Identify IPv6 interfaces
- Improve arg parsing
- Create command line flags to specify what queries to run
- Rewrite the random delay counter between queries
This is a beta version, use at your own risk.
- When Windows 10 is identified via network discovery some queries fail. If you query it via an IP address it works.
- Error handling is far from awesome.
Credits where they are due. MSDN is awesome and I grabbed a big part of the code from the examples provided. Just look for the API calls used for more informaton.