在内网渗透的过程中,经常会遇到需要查看域用户登陆了哪些机器,目前我们收集整理了三种方法,给大家分享出来。
1.使用vbs脚本来查询
' Script for getting current logged user name on Domain
' Author : mwpq
' www.sharecenter.net
strDomainName = InputBox ("Please enter the internal Domain Name:","Script for getting current logged username","yourdomain.local")
arrDomLevels = Split(strDomainName, ".")
strADsPath = "dc=" & Join(arrDomLevels, ",dc=")Const ADS_SCOPE_SUBTREE = 2
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"'
Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
"Select Name, Location from 'LDAP://"&strADsPath&"' " _
& "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst
Set oFSO = CreateObject("Scripting.FileSystemObject")
Set of = oFSO.CreateTextFile("LoggedUser.txt", True, True)
Do Until objRecordSet.EOF
On Error Resume Next
sPC = objRecordSet.Fields("Name").Value
of.writeline " "
of.writeline "Machine Name: "&sPC Set objWMILocator = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & sPC & "\root\cimv2")
If Err = 0 Then Set col = objWMILocator.ExecQuery _
("Select * from win32_computersystem") For Each item In col of.writeline "Logged User: "&item.username Next
Set col = Nothing
Else
of.writeline "!!! Cant connect to "&sPC&" !!!"
End If
objRecordSet.MoveNext
Loop
of.close
MsgBox "Done! Cheers!"
2.使用Logondomaincomputersuser.exe来查询
3.使用powershell枚举远程主机登陆会话PowerQuinsta 是powerview里的一个模块,可以枚举远程主机的登录会话。
像这样:
![图片[1]-如何查看域用户登录的计算机(查看域用户登录记录)-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-124699-1583401968.jpeg)
但是这不是重点,重点是作者详细的介绍了从qwinsta命令到windows API分析,然后再到powershell的开发,之前想表明powershell和.Net的关系,然后还可以借助.Net和其他的联系开发出更多适合场景的小工具之类的。
这里可以用下面的代码查找符合关键词的对象和方法。
## class $searchtext = "*Domain*"[AppDomain]::CurrentDomain.GetAssemblies() |ForEach-Object { $_.GetExportedTypes() } |Where-Object { $_ -like $searchtext } |ForEach-Object { $_.FullName }
![图片[2]-如何查看域用户登录的计算机(查看域用户登录记录)-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-124699-15834019681.jpeg)
## method $searchtext = "*connect*"[AppDomain]::CurrentDomain.GetAssemblies() |ForEach-Object { $_.GetExportedTypes() } |ForEach-Object { $_.getmembers() } |Where-Object { $_.isStatic} |Where-Object { $_ -like $searchtext } |ForEach-Object { "[{0}]::{1} --> {2}" -f `$_.declaringtype, $_.toString().SubString( `$_.toString().IndexOf(" ")+1), $_.ReturnType }
![图片[3]-如何查看域用户登录的计算机(查看域用户登录记录)-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-124699-15834019682.jpeg)
补充一个@xti9er提到的WMI对象:
get-wmiobject|get-member
但这个不完整,详细的搜索可以这样:
Get-WmiObject -List | Where-Object { $_.name -match 'domain'}
![图片[4]-如何查看域用户登录的计算机(查看域用户登录记录)-Pikachu Hacker](https://blog.x8s.pw/proxy.php?url=https://secpulseoss.oss-cn-shanghai.aliyuncs.com/wp-content/uploads/1970/01/beepress-image-124699-15834019683.jpeg)
##附
【1】http://www.harmj0y.net/blog/powershell/powerquinsta/ 原文
【2】http://www.harmj0y.net/blog/powershell/powershell-and-win32-api-access/ Powershell and win32 API
本文作者:Ms08067安全实验室
本文为安全脉搏专栏作者发布,转载请注明:https://www.secpulse.com/archives/124699.html
暂无评论内容