Enumerating Logged-On Users on Remote Systems via RemoteRegistry / Winreg Named Pipe
using System; | |
using System.Collections.Generic; | |
using System.Security.Principal; | |
using System.Text.RegularExpressions; | |
/*
PoC to enumerate logged-on users on a remote system by listing the user hives loaded under
HKEY_USERS, read through the winreg named pipe (RemoteRegistry).
Based on the work of Rohan Vazarkar (@cptjesus) and Antonio Cocomazzi (@splinter_code).

Prerequisites / caveats:
  - The RemoteRegistry service on the target must be startable: opening the pipe trigger-starts it
    when its start type is Manual (typically the default on Windows Server); a Disabled start type
    (typically the default on client SKUs) blocks this technique entirely.
  - The caller needs remote read access to HKU on the target, which is governed by the ACL on the
    target's SecurePipeServers\winreg key — verify per environment.
  - A loaded hive is a proxy for "logged on", not proof of an interactive session; the SID→name
    translation is done from the caller's side and will not resolve the target's local accounts.
  - OPSEC: this is a network logon plus (possibly) a service start on the target; expect
    corresponding entries in its Security and System event logs.

https://twitter.com/splinter_code/status/1715876413474025704
https://blog.compass-security.com/2022/05/bloodhound-inner-workings-part-3/
https://github.com/BloodHoundAD/SharpHound3/blob/master/SharpHound3/Tasks/LoggedOnTasks.cs#L150
https://twitter.com/an0n_r0/status/1728580102760358296
*/
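namespace GetLoggedOnUsersRegistry
{
    /// <summary>
    /// PoC: lists the user profile hives currently loaded under HKEY_USERS on a target host,
    /// read through the winreg named pipe (RemoteRegistry). A loaded hive is used as a proxy
    /// for "user is logged on" — the same heuristic the referenced SharpHound code uses.
    /// </summary>
    internal class Program
    {
        // Matches only the per-user profile keys (S-1-5-21-…-<RID>). The anchored `$` keeps the
        // companion "<SID>_Classes" keys out so each user is counted once. Local-machine account
        // SIDs share the S-1-5-21 prefix, so local users of the target match as well.
        private static readonly Regex SidRegex =
            new Regex(@"S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$", RegexOptions.Compiled);

        /// <summary>
        /// Entry point. Enumerates loaded user hives on the host given in <c>args[0]</c>
        /// (defaults to the local machine) and prints one line per SID found.
        /// Sets the process exit code to 1 if HKEY_USERS on the target cannot be opened.
        /// </summary>
        /// <param name="args">Optional: args[0] = target hostname.</param>
        static void Main(string[] args)
        {
            string hostname = args.Length > 0 && !string.IsNullOrWhiteSpace(args[0])
                ? args[0]
                : Environment.MachineName;
            Console.WriteLine($"[*] Attempting to enumerate logged on users on {hostname}");

            var users = new Dictionary<string, string>();

            Microsoft.Win32.RegistryKey hku;
            try
            {
                // Opening HKU remotely goes through \\<host>\pipe\winreg and trigger-starts the
                // RemoteRegistry service on the target if it is stopped but not disabled.
                // OPSEC: this is a network logon to the target and, if the service was stopped,
                // a service start — expect corresponding Security/System event log entries there.
                hku = Microsoft.Win32.RegistryKey.OpenRemoteBaseKey(Microsoft.Win32.RegistryHive.Users, hostname);
            }
            catch (Exception ex) when (ex is System.IO.IOException
                                       || ex is UnauthorizedAccessException
                                       || ex is System.Security.SecurityException)
            {
                // Host unreachable, RemoteRegistry disabled, or caller lacks rights on the winreg
                // pipe / HKU: report cleanly instead of dying with an unhandled-exception trace.
                Console.WriteLine($"[!] Could not open HKEY_USERS on {hostname}: {ex.Message}");
                Environment.ExitCode = 1;
                return;
            }

            // RegistryKey is IDisposable; make sure the remote handle is released.
            using (hku)
            {
                foreach (var subkey in hku.GetSubKeyNames())
                {
                    if (!SidRegex.IsMatch(subkey))
                    {
                        continue;
                    }
                    // Subkey names are unique under a hive, so the indexer cannot clobber an entry.
                    users[subkey] = ResolveAccountName(subkey);
                }
            }

            Console.WriteLine(users.Count == 0
                ? "[!] No users found!"
                : $"[*] Successfully enumerated {users.Count} users!");
            foreach (var user in users)
            {
                Console.WriteLine($"[+] SID: {user.Key}, User: {user.Value}");
            }
        }

        /// <summary>
        /// Translates a SID string to DOMAIN\user. The lookup is performed from the caller's
        /// machine (for domain SIDs that means asking a DC), so a SID the caller cannot map —
        /// a local account of the target, a deleted user, an untrusted domain — comes back as
        /// "&lt;unresolved&gt;" rather than aborting the whole enumeration.
        /// </summary>
        /// <param name="sidString">A SID in string form, already validated by the SID regex.</param>
        /// <returns>The NTAccount name, or "&lt;unresolved&gt;" when the SID cannot be mapped.</returns>
        private static string ResolveAccountName(string sidString)
        {
            try
            {
                var account = (NTAccount)new SecurityIdentifier(sidString).Translate(typeof(NTAccount));
                return account.Value;
            }
            catch (IdentityNotMappedException)
            {
                // Still worth reporting: the raw SID is printed alongside and can be resolved
                // later against the target (e.g. via its SAM) if needed.
                return "<unresolved>";
            }
        }
    }
}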