wmiServSessEnum: uses WMI queries to enumerate active sessions and accounts
wmiServSessEnum
Multithreaded .NET tool that uses WMI queries to enumerate active user sessions and the accounts configured to run services (including services that are stopped or disabled) on remote systems.
WmiServSessEnum can be run in several different modes:
- sessions – similar to other user-enumeration methods; returns a list of active sessions on the remote system
- services – returns a list (if any) of non-default accounts configured to run services on the remote system
- all (default) – runs both
Flags should be entered in the format -u=UserName, etc.
When everything works, you should get output like the following when running against a remote system:
Required Flags (one of the following two is required)
- -L – Comma-separated list of IPs / hostnames to scan. Please don't include spaces between addresses
- -F – File containing a list of IPs / hostnames to scan, one per line
Optional Flags
- -M – Mode selection (options = services, sessions, all) (Default: all)
- -U – Username to use if you want to run with alternate credentials. Must be used with the -P and -D flags
- -P – Plaintext password to use if you want to run with alternate credentials. Must be used with the -U and -D flags
- -D – Domain to use if you want to run with alternate credentials (. for the local domain). Must be used with the -U and -P flags
- -T – Threads to use to concurrently enumerate multiple remote hosts (Default: 10)
- -W – Wait time, in seconds, for the CimSession connect before the connection times out (Default: 10) – I wouldn't drop this number too low or you will get false negatives
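As an added example (not part of wmiServSessEnum), the following PowerShell script performs the same audit as the tool's "services" mode from a defender's side: it reads Win32_Service over a CimSession with an operation timeout and reports services whose logon account is not one of the built-in defaults, so exposed service accounts can be found and reviewed. The default-account list, the $ComputerName/$TimeoutSec/$Credential parameters and the "localhost" target are assumptions.

```powershell
# Added example, not the tool's own code. Lists services on each host that run
# under a non-default account, using the same Win32_Service data the tool reads.
param(
    [string[]]$ComputerName = @('localhost'),   # assumed default target
    [int]$TimeoutSec = 10,                       # mirrors the tool's -W default
    [pscredential]$Credential                    # optional alternate credentials
)

# Built-in logon accounts treated as "default"; anything else is reported.
# (Assumed list; extend it to match your environment's baseline.)
$DefaultAccounts = @(
    'LocalSystem',
    'NT AUTHORITY\LocalService',
    'NT AUTHORITY\NetworkService',
    'NT AUTHORITY\LOCAL SERVICE',
    'NT AUTHORITY\NETWORK SERVICE'
)

foreach ($target in $ComputerName) {
    $sessionArgs = @{
        ComputerName        = $target
        OperationTimeoutSec = $TimeoutSec   # too small a value yields false negatives
        ErrorAction         = 'Stop'
    }
    if ($Credential) { $sessionArgs.Credential = $Credential }

    try {
        $cim = New-CimSession @sessionArgs
    } catch {
        Write-Warning "$target : CimSession failed ($($_.Exception.Message))"
        continue
    }

    # Win32_Service includes stopped and disabled services; StartName is the
    # account the service is configured to log on as.
    Get-CimInstance -CimSession $cim -ClassName Win32_Service `
        -Property Name, StartName, State, StartMode |
        Where-Object { $_.StartName -and ($DefaultAccounts -notcontains $_.StartName) } |
        Select-Object @{ n = 'Host'; e = { $target } }, Name, StartName, State, StartMode

    Remove-CimSession $cim
}
```

Run it as `.\Audit-ServiceAccounts.ps1 -ComputerName host1,host2` from an account with WMI rights on the targets; any row returned is a service account worth checking for least privilege and credential hygiene.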