Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

SessionGopher Session Extraction Tool

$
0
0

SessionGopher is a PowerShell Session Extraction tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop.


SessionGopher   Session Extraction Tool

The tool can find and decrypt saved session information for remote access tools. It has WMI functionality built in so it can be run remotely, its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.

How it Works

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords.

When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

Usage . .\SessionGopher.ps1 Invoke-SessionGopher -option -Thorough: searchesalldrivesfor PuTTYprivate key (.ppk), RemoteDesktopConnection (.rdp), and RSA (.sdtid) files. -o: outputsthedatato a folderof .csvfiles -iL: provide a filewith a listofhoststo runSessionGopheragainst, each hostseparatedby a newline. Providethepathto thefileafter -iL. -AllDomain: SessionGopherwillqueryActiveDirectoryfor alldomain-joinedsystemsand runagainstallofthem. -Target: a specifichostyouwantto target. Providethetargethostafter -Target.

You can download SessionGopher here:

SessionGopher.ps1

Or read more here .


Viewing all articles
Browse latest Browse all 12749

Trending Articles