Within an Active Directory environment, authenticated users are able to determine who is logged into a remote system.
This is achieved by using the NetSessionEnum function of the NET_API (netapi32.dll):

```c
NET_API_STATUS NET_API_FUNCTION NetSessionEnum(
    LMSTR   servername,     /* host to query (NULL = local machine) */
    LMSTR   UncClientName,  /* filter by client computer name, or NULL */
    LMSTR   username,       /* filter by user name, or NULL */
    DWORD   level,          /* information level: 0, 1, 2, 10 or 502 */
    LPBYTE  *bufptr,        /* receives the array of SESSION_INFO_<level> structures */
    DWORD   prefmaxlen,     /* preferred buffer size (MAX_PREFERRED_LENGTH for all) */
    LPDWORD entriesread,    /* number of entries returned in this call */
    LPDWORD totalentries,   /* total number of entries available */
    LPDWORD resume_handle   /* continuation handle for paged enumeration */
);
```
The level DWORD determines the information returned from the query, and dictates the permission level required.
Level 10 can be queried using a standard Active Directory Authenticated account:
“Return the name of the computer, name of the user, and active and idle times for the session. The bufptr parameter points to an array of SESSION_INFO_10 structures.”
I’ve created an example application that queries this information from a remote host, available here:
This type of information is useful to attackers for identifying logged-in administrator accounts that can then be targeted with credential-stealing attacks such as pass-the-ticket.
From a blue team perspective, this information is also useful. For instance, if suspicious activity is detected on an Active Directory user account, the account can be locked, but the user's existing sessions may persist. Querying active sessions remotely lets the blue team determine where those sessions are still active so they can be terminated manually.
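The blue-team use described above, as an added PowerShell example (this is not the post's own application): it calls NetSessionEnum at level 10 through P/Invoke, decodes the SESSION_INFO_10 array, and optionally filters the result to a single account so a responder can sweep a list of servers for sessions belonging to an account that has just been locked. It assumes the caller is a domain-authenticated user, that the target hosts are reachable over SMB/RPC, and that the `Get-RemoteSession` function name and the sample server and account names in the usage line are placeholders.

```powershell
# Added example: enumerate level-10 sessions on a remote host via NetSessionEnum.
# Struct layout and signature follow the Win32 definitions for SESSION_INFO_10.
$Signature = @"
using System;
using System.Runtime.InteropServices;

public class NetApi
{
    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct SESSION_INFO_10
    {
        public string sesi10_cname;      // client computer that established the session
        public string sesi10_username;   // account that owns the session
        public uint   sesi10_time;       // seconds the session has been active
        public uint   sesi10_idle_time;  // seconds the session has been idle
    }

    [DllImport("netapi32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    public static extern int NetSessionEnum(
        string servername, string UncClientName, string username, int level,
        out IntPtr bufptr, int prefmaxlen, out int entriesread, out int totalentries,
        ref int resume_handle);

    [DllImport("netapi32.dll")]
    public static extern int NetApiBufferFree(IntPtr buffer);
}
"@
Add-Type -TypeDefinition $Signature

function Get-RemoteSession {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [string] $UserName   # optional: only return sessions owned by this account
    )
    $buf = [IntPtr]::Zero; $read = 0; $total = 0; $resume = 0
    # Level 10 only requires an authenticated domain account.
    # prefmaxlen = -1 (MAX_PREFERRED_LENGTH) asks the server for all entries at once.
    $status = [NetApi]::NetSessionEnum($Server, $null, $null, 10, [ref]$buf, -1,
                                        [ref]$read, [ref]$total, [ref]$resume)
    if ($status -ne 0) { throw "NetSessionEnum on $Server failed with status $status" }
    try {
        $type = [NetApi+SESSION_INFO_10]
        $size = [Runtime.InteropServices.Marshal]::SizeOf([type]$type)
        for ($i = 0; $i -lt $read; $i++) {
            # Walk the returned array one structure at a time.
            $ptr  = [IntPtr]($buf.ToInt64() + ($i * $size))
            $info = [Runtime.InteropServices.Marshal]::PtrToStructure($ptr, [type]$type)
            if ($UserName -and $info.sesi10_username -ne $UserName) { continue }
            [pscustomobject]@{
                Server    = $Server
                Client    = $info.sesi10_cname
                User      = $info.sesi10_username
                ActiveSec = $info.sesi10_time
                IdleSec   = $info.sesi10_idle_time
            }
        }
    } finally {
        # The buffer is allocated by the API and must be released with NetApiBufferFree.
        [void][NetApi]::NetApiBufferFree($buf)
    }
}

# Usage (placeholder names): find where a locked account still has open sessions.
'srv01', 'srv02' | ForEach-Object { Get-RemoteSession -Server $_ -UserName 'jdoe' }
```

Each returned object names the server, the client computer and the session's active and idle times, which is exactly what is needed to decide which sessions to terminate after locking an account. A non-zero status (for example access denied once the hardening below has been applied) is surfaced as an error rather than silently returning an empty list.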
Changing the permissions of the NetSessionEnum registry key:
can be done to remove the Authenticated Users group SID (S-1-5-11), so that standard domain accounts can no longer run the query. A PowerShell script has been released to automate making this change: