Convert Figma logo to code with AI

Arvanaghi logoSessionGopher

SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.

1,196
168
1,196
3

Top Related Projects

PowerSploit - A PowerShell Post-Exploitation Framework

7,394

Empire is a PowerShell and Python post-exploitation agent.

Six Degrees of Domain Admin

19,244

A little tool to play with Windows security

9,431

Credentials recovery project

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Quick Overview

SessionGopher is a PowerShell tool designed for extracting saved session information from remote systems. It focuses on retrieving credentials from popular remote access tools like PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP, making it valuable for both penetration testers and system administrators.

Pros

  • Automates the process of extracting saved credentials from multiple remote access tools
  • Can be run against remote systems, enhancing its utility in network environments
  • Supports both 32-bit and 64-bit systems
  • Provides options for targeting specific users or all users on a system

Cons

  • Limited to Windows environments
  • Requires administrative privileges for full functionality
  • May be flagged by antivirus software as a potential security threat
  • Ethical considerations must be taken into account when using the tool

Code Examples

  1. Basic local system scan:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher

This example runs SessionGopher on the local system, searching for saved credentials.

  1. Remote system scan:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target computer01.domain.com

This code scans a remote system named "computer01.domain.com" for saved credentials.

  1. Thorough scan of all users on a remote system:
Import-Module .\SessionGopher.ps1
Invoke-SessionGopher -Target computer01.domain.com -Thorough -AllDomain

This example performs a thorough scan of all domain users on the remote system "computer01.domain.com".

Getting Started

To use SessionGopher:

  1. Clone the repository:

    git clone https://github.com/Arvanaghi/SessionGopher.git
    
  2. Navigate to the cloned directory:

    cd SessionGopher
    
  3. Import the module in PowerShell:

    Import-Module .\SessionGopher.ps1
    
  4. Run SessionGopher with desired options:

    Invoke-SessionGopher -Thorough
    

Note: Ensure you have the necessary permissions and consider the ethical implications before using this tool.

Competitor Comparisons

PowerSploit - A PowerShell Post-Exploitation Framework

Pros of PowerSploit

  • More comprehensive toolkit with a wider range of post-exploitation modules
  • Actively maintained with regular updates and contributions from the community
  • Includes advanced features like privilege escalation and persistence mechanisms

Cons of PowerSploit

  • Larger codebase, which may be more complex to navigate and use
  • Higher likelihood of detection by antivirus software due to its popularity
  • Requires more setup and configuration for specific tasks

Code Comparison

SessionGopher:

function Invoke-SessionGopher {
    [CmdletBinding()]
    param (
        [switch]$Thorough,
        [switch]$Quiet
    )

PowerSploit:

function Invoke-Mimikatz {
    [Diagnostics.CodeAnalysis.SuppressMessageAttribute('PSShouldProcess', '')]
    [CmdletBinding(DefaultParameterSetName = 'DumpCreds')]
    Param(
        [Parameter(Position = 0, ParameterSetName = 'DumpCreds')]
        [Switch]
        $DumpCreds
    )

Both repositories provide PowerShell-based tools for post-exploitation activities. SessionGopher focuses specifically on extracting saved session information, while PowerSploit offers a broader range of functionalities. PowerSploit's code tends to be more complex due to its wider scope, as seen in the example above.

7,394

Empire is a PowerShell and Python post-exploitation agent.

Pros of Empire

  • More comprehensive post-exploitation framework with extensive capabilities
  • Active development and community support
  • Modular architecture allowing for easy extension and customization

Cons of Empire

  • Larger footprint and potentially more detectable
  • Steeper learning curve due to its complexity
  • Requires more setup and configuration

Code Comparison

SessionGopher (PowerShell):

function Invoke-SessionGopher {
    [CmdletBinding()]
    param(
        [switch]$Thorough,
        [switch]$Recon,
        [string]$Target,
        [switch]$AllDomain,
        [string]$OutputDirectory
    )
    # ... (implementation details)
}

Empire (Python):

class Stager:
    def __init__(self, mainMenu, params=[]):
        self.info = {
            'Name': 'DuckyLauncher',
            'Author': ['@harmj0y', '@midnite_runr'],
            'Description': ('Generates a ducky script that launches'),
            'Comments': ['']
        }
        # ... (additional setup)

SessionGopher is a focused PowerShell tool for extracting saved session information, while Empire is a more extensive post-exploitation framework written primarily in Python. SessionGopher is simpler to use for its specific purpose, while Empire offers a broader range of capabilities but with increased complexity.

Six Degrees of Domain Admin

Pros of BloodHound

  • More comprehensive Active Directory attack path analysis
  • Graphical interface for visualizing attack paths
  • Actively maintained with regular updates

Cons of BloodHound

  • Requires more setup and infrastructure
  • Steeper learning curve for new users
  • Potentially more resource-intensive

Code Comparison

SessionGopher (PowerShell):

function Invoke-SessionGopher {
    [CmdletBinding()]
    param(
        [Switch]$Thorough,
        [Switch]$Stealth
    )

BloodHound (JavaScript):

function startBloodHound() {
    const electron = require('electron');
    const app = electron.app;
    const BrowserWindow = electron.BrowserWindow;
    const path = require('path');

SessionGopher focuses on extracting session and credential information from Windows systems using PowerShell, while BloodHound is a more complex tool for mapping and analyzing Active Directory environments using a combination of PowerShell data collection and a JavaScript-based interface. BloodHound offers more extensive capabilities for identifying attack paths in AD environments, but SessionGopher is simpler to use for quick credential harvesting tasks.

19,244

A little tool to play with Windows security

Pros of Mimikatz

  • More comprehensive functionality for credential extraction and manipulation
  • Supports a wider range of Windows versions and authentication mechanisms
  • Actively maintained with frequent updates and improvements

Cons of Mimikatz

  • Larger footprint and more complex to use
  • Highly detected by antivirus software due to its popularity
  • Requires administrative privileges for most operations

Code Comparison

SessionGopher (PowerShell):

function Invoke-SessionGopher {
    [CmdletBinding()]
    param(
        [switch]$Thorough,
        [switch]$Quiet
    )
    # ... (implementation)
}

Mimikatz (C):

BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
{
    switch (ul_reason_for_call)
    {
        case DLL_PROCESS_ATTACH:
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
    }
    return TRUE;
}

SessionGopher is a PowerShell-based tool focused on extracting saved session information, while Mimikatz is a more comprehensive C-based tool for various credential extraction and manipulation tasks. SessionGopher is lighter and less detected but has more limited functionality compared to Mimikatz.

9,431

Credentials recovery project

Pros of LaZagne

  • Multi-platform support (Windows, Linux, macOS)
  • Broader scope of credential retrieval (browsers, email clients, databases, etc.)
  • Active development and regular updates

Cons of LaZagne

  • More complex to use and configure
  • Potentially higher false positive rate
  • Larger codebase, which may impact performance on resource-constrained systems

Code Comparison

LaZagne (Python):

def run_lazagne(category_selected="all", subcategories={}, password=None):
    for category in category_selected:
        for r in runModule(category):
            yield r

SessionGopher (PowerShell):

function Invoke-SessionGopher {
    [CmdletBinding()]
    param (
        [Switch]$Thorough,
        [Switch]$Quiet
    )

LaZagne offers a more flexible approach with category selection and subcategories, while SessionGopher focuses on specific Windows-related credentials with simpler parameters.

Summary

LaZagne provides a comprehensive, multi-platform solution for credential retrieval, supporting various applications and services. It offers more flexibility but requires more setup and may produce more false positives. SessionGopher, on the other hand, is tailored for Windows environments, focusing on specific credential types with a simpler interface. The choice between the two depends on the target environment and the breadth of credential retrieval required.

15,911

PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)

Pros of PEASS-ng

  • Comprehensive privilege escalation toolkit for multiple operating systems (Windows, Linux, macOS)
  • Actively maintained with frequent updates and contributions
  • Includes both automated scanning and manual techniques for thorough assessments

Cons of PEASS-ng

  • Larger codebase and more complex to use compared to SessionGopher
  • May generate more noise and false positives due to its comprehensive nature
  • Requires more setup and configuration for optimal use

Code Comparison

SessionGopher (PowerShell):

function Get-PuTTYSessions {
    $regPath = "Registry::HKEY_USERS\*\Software\SimonTatham\PuTTY\Sessions"
    Get-ChildItem $regPath | ForEach-Object {
        $_.Name
    }
}

PEASS-ng (Bash):

function check_sudo_commands {
    echo "====== Checking Sudo Commands ======"
    sudo -l 2>/dev/null | grep -v "may run the following commands" | sed "s/^/\t/"
    echo ""
}

Both tools focus on privilege escalation and information gathering, but PEASS-ng offers a more comprehensive approach across multiple platforms, while SessionGopher specializes in Windows session data extraction. PEASS-ng's broader scope makes it more versatile but potentially more complex to use effectively.

Convert Figma logo designs to code with AI

Visual Copilot

Introducing Visual Copilot: A new AI model to turn Figma designs to high quality code using your components.

Try Visual Copilot

README

Copyright 2017 FireEye, created by Brandon Arvanaghi (@arvanaghi)

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


SessionGopher

Quietly digging up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and RDP

SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It has WMI functionality built in so it can be run remotely. Its best use case is to identify systems that may connect to Unix systems, jump boxes, or point-of-sale terminals.

SessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box at some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It automatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords. When run in Thorough mode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key information, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.

Usage

-Thorough: searches all drives for PuTTY private key (.ppk), Remote Desktop Connecton (.rdp), and RSA (.sdtid) files.

-o: outputs the data to a folder of .csv files

-iL: provide a file with a list of hosts to run SessionGopher against, each host separated by a newline. Provide the path to the file after -iL.

-AllDomain: SessionGopher will query Active Directory for all domain-joined systems and run against all of them.

-Target: a specific host you want to target. Provide the target host after -Target.

To run locally

. .\SessionGopher.ps1
Invoke-SessionGopher -Thorough

To run remotely (-iL, -AllDomain, -Target)

To run remotely, you can either provide a privileged account's credentials for the remote system using the -u and -p flags. If you omit the -u and -p flags, SessionGopher will run under the security context of the account from which you run the script (e.g. if you are already logged in as DA account, or logged in as an account that is local admin for the target system, or doing a runas with either of the two, you won't need to supply credentials).

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -u domain.com\adm-arvanaghi -p s3cr3tP@ss

or

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -iL computerlist.txt -u domain.com\adm-arvanaghi -p s3cr3tP@ss -o

or

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -Target brandonArvanaghi_win7 -Thorough

Any of these commands can be coupled with -Thorough, but note that it takes significantly longer as it queries the entire remote filesystem. It is not recommended you run in -Thorough mode when querying more than a small set of systems at a time.

Running remotely by adding -o (print to CSV) works nicely, as SessionGopher will accumulate all sessions it finds and tell you exactly where it found that saved session.

To write to CSV (whether remote or local)

To have SessionGopher create a folder to neatly contain .csvs of the extracted sessions:

Import-Module path\to\SessionGopher.ps1;
Invoke-SessionGopher -AllDomain -o

... that's it.

Accessing the saved session information for every user in HKEY_USERS requires local admin privileges. Without local admin privileges, you will still receive saved session information for that user.

Sample output (-Thorough):

[+] Digging on Win7-Arvanaghi ...
WinSCP Sessions

Session  : admin-anthony@198.273.212.334
Hostname : 198.273.212.334
Username : admin-anthony
Password : Super*p@ssw0rd

Session  : Freddy@204.332.455.213
Hostname : 204.332.455.213
Username : Freddy
Password : angelico1892

FileZilla Sessions

Name     : BarrySite
Password : imr34llytheFl@sh
Host     : 10.8.30.21
User     : BarryAllen
Protocol : Use FTP over TLS if available
Account  : BarryAllenAccount
Port     : 22

PuTTY Sessions

Session  : PointOfSaleTerminal
Hostname : 10.8.0.10

PuTTY Private Key Files (.ppk)

Path                   : C:\Users\Brandon Arvanaghi\Documents\mykey.ppk
Protocol               : ssh-rsa
Comment                : rsa-key-20170116
Private Key Encryption : none
Private Key            : {AAABAEazxtDz6E9mDeONOmz07sG/n1eS1pjKI8fOCuuLnQC58LeCTlysOmZ1/iC4, g4HyRpmdKJGhIxj66/RQ135hVesyk02StleepK4+Tnvz3zmdr4Do5W99qKkrWI3D, T9GOxOIoR9Zc6j57D+fdesJq4ItEIxcQZlXC1F9KZcbXjSJ3iBmCsbG/aRJmMJNx, 
                         nCMaZkySr4R4Z/E+l1JOzXaHh5WQ2P0K4YM1/6XG6C4VzDjvXwcY67MYsobTeCR2...}
Private MAC            : b7e47819fee39a95eb374a97f939c3c868f880de


Microsoft Remote Desktop (RDP) Sessions

Hostname : us.greatsite.com
Username : Domain\tester 

Microsoft Remote Desktop .rdp Files

Path                    : C:\Users\Brandon Arvanaghi\Desktop\config\PenTestLab-Win.RDP
Hostname                : dc01.corp.hackerplaypen.com
Gateway                 : rds01.corp.hackerplaypen.com
Prompts for Credentials : No
Administrative Session  : Does not connect to admin session on remote host


Written by Brandon Arvanaghi (@arvanaghi)

This code was initially developed at FireEye. However, any subsequent update is done by the author outside of FireEye.