Session Enumeration With NetSessionEnum API

Within an Active Directory environment, authenticated users are able to determine who is logged into a remote system.

This is achieved by using the NetSessionEnum function of the NET_API:

The level DWORD determines the information returned from the query, and dictates the permission level required.

Level 10 can be queried using a standard Active Directory Authenticated account:

“Return the name of the computer, name of the user, and active and idle times for the session. The bufptr parameter points to an array of SESSION_INFO_10 structures.”

I’ve create an example application to query this information available from a remote host available here:

https://github.com/bordergate/bgsession

C:\Users\user\AppData\Local\Packages\Microsoft.Office.OneNote_8wekyb3d8bbwe\TempState\msohtmlclip\clip_image001.png

This type of information can be useful to attackers to identify logged in administrator accounts that can be targetted with credential stealing attacks such as pass the ticket.

From a blue team perspective, this information can also be useful. For instance if suspicious activity is detected in an Active Directory user account, the account can be locked however the users session may persist. Querying active sessions remotely can allow the blue team to determine where active sessions are active so they can be manually killed.

Prevention

Changing permissions of the NetSessionEnum registry key:

HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/LanmanServer/DefaultSecurity/SrvsvcSessionInfo

Can be done to remove the authenticated users group SID (S-1-5-11). A PowerShell script has been released to automate making the change:

https://gallery.technet.microsoft.com/Net-Cease-Blocking-Net-1e8dcb5b