hunter: uses WinAPI calls only to gather information on a Windows machine
(l)user hunter using WinAPI calls only
During Red Team engagements it is common to track/hunt specific users. Assume we already have access to a desktop as a normal user (always “assume compromise”) in a Windows Domain and want to move laterally. We want to know where the user is logged on, whether he is a local administrator on any box, which groups he belongs to, whether he has access to file shares, and so on. Enumerating hosts, users, and groups also helps to build a better picture of the Domain layout.
You might be thinking, “use PowerView”. Lately, one of the most common problems I encounter during Red Team exercises is the fact that PowerShell is heavily monitored. If you use it, you’ll get caught, sooner or later. By now everyone is well aware of how powerful PowerShell is, including Blue Teams and Security Vendors.
There are multiple ways to work around this. To avoid using several old-school tools (psloggedon.exe, netsess.exe, nltest, netview, among others) and to reduce the number of tools uploaded to compromised systems, I created a simple tool that does not require administrative privileges to run, collects the information listed below, and relies only on the Windows API.
What is it:
The (l)user hunter tool is a small program written in C/C++ that uses WinAPI calls only to:
- Retrieve current configuration information for a specified server (from a list of hosts or via domain enumeration):
  - OS version
  - Server type (DC, Backup DC, Workstation or Server, Terminal Server, MSSQL Server)
- List all users currently logged on to a workstation:
  - interactive, service and batch logons
- List the sessions established on a server.
- Retrieve information about each shared resource on a server:
  - check whether the current user has read access.
- Return name-resolution results for the NS_DNS namespace, IPv4 protocol.
- Check whether the current user is an Administrator on a server.
- Retrieve information about all user accounts on a server or DC.
- Retrieve the list of global groups to which a specified user belongs on a server or DC.
- Retrieve information about each global group in the security database (SAM database or Active Directory).
- Retrieve the list of members of a particular global group in the security database (SAM database or Active Directory).
- Retrieve information about a particular user account on a server or DC.
- Enumerate the domain controllers in the local domain.
Additionally, for host enumeration you can set a minimum and maximum delay (in seconds) between hosts to reduce noise and the chance of detection.
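The first item above (server configuration, OS version and server type) comes from the NetServerGetInfo level-101 structure, whose sv101_type field is a bitmask of SV_TYPE_* flags from lmserver.h. The following is an added example, not code from the hunter project: it decodes that bitmask into the role labels listed above, on Windows by querying a host with NetServerGetInfo (a call that an ordinary authenticated user may make), and on other platforms by running the decoder over a constructed sample value. The function name describe_server_type and the sample value are assumptions for this illustration; the flag values are the public lmserver.h constants. The same flags are what a Blue Team sees requested over the SRVSVC pipe, so the decoder is also useful when reading such traffic in an investigation.

```c
/* Added example (not part of the hunter project): decode the NetServerGetInfo
 * level-101 "type" bitmask into the server roles named in the feature list.
 * On Windows, main() queries a host; elsewhere it runs the decoder on a
 * constructed sample so the logic can be read and tested without a domain. */
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#  include <windows.h>
#  include <lm.h>
#  pragma comment(lib, "netapi32.lib")
#else
/* Public lmserver.h constants, reproduced so the decoder compiles off-Windows. */
#  define SV_TYPE_WORKSTATION     0x00000001UL
#  define SV_TYPE_SERVER          0x00000002UL
#  define SV_TYPE_SQLSERVER       0x00000004UL
#  define SV_TYPE_DOMAIN_CTRL     0x00000008UL
#  define SV_TYPE_DOMAIN_BAKCTRL  0x00000010UL
#  define SV_TYPE_TERMINALSERVER  0x02000000UL
#  define MAJOR_VERSION_MASK      0x0FUL
#endif

struct role_flag { unsigned long bit; const char *label; };

/* Roles in the order the feature list names them. */
static const struct role_flag ROLES[] = {
    { SV_TYPE_DOMAIN_CTRL,    "DC" },
    { SV_TYPE_DOMAIN_BAKCTRL, "Backup DC" },
    { SV_TYPE_WORKSTATION,    "Workstation" },
    { SV_TYPE_SERVER,         "Server" },
    { SV_TYPE_TERMINALSERVER, "Terminal Server" },
    { SV_TYPE_SQLSERVER,      "MSSQL Server" },
};

/* Hypothetical helper (the page does not name the tool's own function):
 * writes a comma-separated list of matching roles into out and returns
 * how many roles matched; "Unknown" is written when no flag matches. */
int describe_server_type(unsigned long type, char *out, size_t out_len)
{
    int count = 0;
    size_t pos = 0, i;
    out[0] = '\0';
    for (i = 0; i < sizeof ROLES / sizeof ROLES[0]; i++) {
        int n;
        if ((type & ROLES[i].bit) == 0) continue;
        n = snprintf(out + pos, out_len - pos, "%s%s",
                     count ? ", " : "", ROLES[i].label);
        if (n < 0 || (size_t)n >= out_len - pos) break;   /* buffer full: stop */
        pos += (size_t)n;
        count++;
    }
    if (count == 0) snprintf(out, out_len, "Unknown");
    return count;
}

#ifdef _WIN32
int main(int argc, char **argv)
{
    /* Level 101 needs no administrative rights; NULL queries the local host. */
    wchar_t host[256];
    SERVER_INFO_101 *info = NULL;
    NET_API_STATUS st;
    char roles[128];

    if (argc > 1) mbstowcs(host, argv[1], sizeof host / sizeof host[0] - 1);
    host[sizeof host / sizeof host[0] - 1] = L'\0';
    st = NetServerGetInfo(argc > 1 ? host : NULL, 101, (LPBYTE *)&info);
    if (st != NERR_Success) {
        fprintf(stderr, "NetServerGetInfo failed: %lu\n", (unsigned long)st);
        return 1;
    }
    describe_server_type(info->sv101_type, roles, sizeof roles);
    printf("%ls  OS %lu.%lu  %s\n", info->sv101_name,
           (unsigned long)(info->sv101_version_major & MAJOR_VERSION_MASK),
           (unsigned long)info->sv101_version_minor, roles);
    NetApiBufferFree(info);   /* buffers from Net* calls must be freed this way */
    return 0;
}
#else
int main(void)
{
    /* Constructed sample: the flags a DC that also runs Terminal Services reports. */
    unsigned long sample = SV_TYPE_SERVER | SV_TYPE_DOMAIN_CTRL | SV_TYPE_TERMINALSERVER;
    char roles[128];
    describe_server_type(sample, roles, sizeof roles);
    printf("sample type 0x%08lx -> %s\n", sample, roles);
    return 0;
}
#endif
```

On Windows, build with the netapi32 import library and run it with an optional host name argument; without one it describes the local machine. The decoder deliberately reports every matching role rather than the first one, because a single host commonly sets several flags (a DC is also a Server, a file server may also be a Terminal Server).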
How to compile
git clone https://github.com/fdiskyou/hunter.git
Grab a copy of Visual Studio.
How to use it:
See the usage examples below.
Copyright (c) 2016, fdiskyou
All rights reserved.