SessionHunter

Hunt for Active User Sessions | https://github.com/Leo4j/Invoke-SessionHunter

The SessionHunter command in Amnesiac retrieves and displays information about active user sessions on remote computers without requiring admin privileges. It uses Invoke-SessionHunter to show who is currently logged into remote systems.

Key Features

  • No Admin Privileges Required: Invoke-SessionHunter does not need administrative privileges, so users can gather session information without elevated access.

  • Remote Registry Service: SessionHunter harnesses the remote registry service to query the HKEY_USERS registry hive on remote computers. By doing so, it can identify and extract Security Identifiers (SIDs) associated with active user sessions.

  • Username Translation: The tool goes a step further by translating these SIDs into corresponding usernames, making it easy for users to identify who is currently logged into remote systems.

Limitations

SessionHunter relies on the remote registry service running on the target computer. If the service is not running but its Startup type is set to "Automatic" or "Manual," it will start automatically on the target computer once queried by SessionHunter. This behavior is native to the Windows operating system. However, if the remote registry service is set to "Disabled" on the target, no session information can be retrieved from that computer.
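An administrator can check which hosts the limitation above applies to by auditing the RemoteRegistry start type. The following is an added example, not code from Amnesiac or Invoke-SessionHunter; the function name Get-RemoteRegistryExposure and the host names are hypothetical, and it assumes an administrative account with CIM/WinRM access to the targets.

```powershell
# Added example (not part of Amnesiac or Invoke-SessionHunter).
# Get-RemoteRegistryExposure is a hypothetical helper name.
# Assumes: run by an administrator, CIM/WinRM reachable on the targets.
function Get-RemoteRegistryExposure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$ComputerName
    )
    process {
        foreach ($computer in $ComputerName) {
            $row = [ordered]@{
                ComputerName = $computer
                StartMode    = $null   # Auto, Manual or Disabled
                State        = $null   # Running or Stopped
                Queryable    = $null   # $false only when StartMode is Disabled
                Error        = $null
            }
            try {
                $svc = Get-CimInstance -ClassName Win32_Service `
                    -Filter "Name='RemoteRegistry'" `
                    -ComputerName $computer -ErrorAction Stop
                if ($null -eq $svc) {
                    $row.Error = 'RemoteRegistry service not found'
                } else {
                    $row.StartMode = $svc.StartMode
                    $row.State     = $svc.State
                    # Per the text above: a stopped service set to Automatic or Manual
                    # still starts when queried, so only Disabled blocks the lookup.
                    $row.Queryable = ($svc.StartMode -ne 'Disabled')
                }
            } catch {
                $row.Error = $_.Exception.Message
            }
            [pscustomobject]$row
        }
    }
}

# Constructed placeholder host names; replace with your own inventory.
$targets = 'WS01.corp.example', 'WS02.corp.example'
Get-RemoteRegistryExposure -ComputerName $targets |
    Sort-Object Queryable -Descending |
    Format-Table -AutoSize
```

Hosts reported with Queryable set to True are the ones from which session information can be read through the remote registry service, whether or not the service is currently running.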

Loading SessionHunter

To load the Invoke-SessionHunter tool into Amnesiac, type SessionHunter at the command prompt. This loads the tool and displays information on its usage.

Basic Usage

After loading SessionHunter, users can simply type Invoke-SessionHunter. This command will initiate the session retrieval process and display the results, offering a quick overview of active user sessions on remote systems.

Enhanced Functionality

For more comprehensive session retrieval, use the -CheckAdminAccess switch. With this switch, SessionHunter gathers sessions by authenticating to targets where the user has local admin access, using Invoke-WMIRemoting. This approach is likely to retrieve more results, providing a more detailed view of active sessions.

Additional Resources

For in-depth details about advanced usage, command options, and additional features, please refer to the "Usage" section displayed when loading the tool within Amnesiac. Additionally, you can access comprehensive documentation and updates about Invoke-SessionHunter by visiting the official repository at https://github.com/Leo4j/Invoke-SessionHunter.
