Get-LoggedOnLocal now handles the situation when multiple SIDs are returned

Get-LoggedOnLocal turned into a filter and given additional error handling Standardized tab/line spacing Removed Invoke-PSLoggedOn
2016-05-22 14:07:37 -04:00 · 2016-05-22 14:07:37 -04:00 · b568271d57
parent 2e6c9392c9
commit b568271d57
1 changed files with 37 additions and 105 deletions
--- a/Recon/PowerView.ps1
+++ b/Recon/PowerView.ps1
@ -8147,7 +8147,7 @@ filter Get-NetSession {
 }


-function Get-LoggedOnLocal {
+filter Get-LoggedOnLocal {
 <#
    .SYNOPSIS

@ -8157,13 +8157,11 @@ function Get-LoggedOnLocal {
        using the NetWkstaUserEnum API (Get-NetLoggedon) of less user privileges
        required (NetWkstaUserEnum requires remote admin access).

-		
        Note: This function requires only domain user rights on the
-        machine you're enumerating.
+        machine you're enumerating, but remote registry must be enabled.

        Function: Get-LoggedOnLocal
-	Author: Matt Kelly, @BreakersAll;
-	Required Dependencies: @harmj0y's Powerview.
+        Author: Matt Kelly, @BreakersAll

    .PARAMETER ComputerName

@ -8187,105 +8185,39 @@ function Get-LoggedOnLocal {
    param(
        [Parameter(ValueFromPipeline=$True)]
        [Alias('HostName')]
-        [String]
+        [Object[]]
+        [ValidateNotNullOrEmpty()]
        $ComputerName = 'localhost'
    )

-    begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
-    }
-
-    process {
-
    # process multiple host object types from the pipeline
    $ComputerName = Get-NameField -Object $ComputerName
+
+    try {
        # retrieve HKU remote registry values
        $Reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', "$ComputerName")

        # sort out bogus sid's like _class
-		$UserSID = $Reg.GetSubKeyNames() | ? { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' }
+        $Reg.GetSubKeyNames() | Where-Object { $_ -match 'S-1-5-21-[0-9]+-[0-9]+-[0-9]+-[0-9]+$' } | ForEach-Object {
+            $UserName = Convert-SidToName $_

-		# if successful, convert sid and print output
-		if ($UserSID) {
-			$UserName = Convert-SidToName $UserSID
+            $Parts = $UserName.Split('\')
+            $UserDomain = $Null
+            $UserName = $Parts[-1]
+            if ($Parts.Length -eq 2) {
+                $UserDomain = $Parts[0]
+            }

            $LocalLoggedOnUser = New-Object PSObject
-			$LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' $ComputerName
+            $LocalLoggedOnUser | Add-Member Noteproperty 'ComputerName' "$ComputerName"
+            $LocalLoggedOnUser | Add-Member Noteproperty 'UserDomain' $UserDomain
            $LocalLoggedOnUser | Add-Member Noteproperty 'UserName' $UserName
-			$LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $UserSID
+            $LocalLoggedOnUser | Add-Member Noteproperty 'UserSID' $_
            $LocalLoggedOnUser
        }
-		else {
-			Write-Debug "Could not retrieve values for $ComputerName"
    }
-
-        Write-Debug "UserSIDs retrieved result: $Reg.GetSubKeyNames()"
-    }
-}
-
-
-function Invoke-PSLoggedOn {
-<#
-    .SYNOPSIS
-
-        This function replicates PSLoggedOn functionality, and leverages 
-        Get-NetSession (netsessionenum) and remote registry values.
-        Same actions as PSLoggedOn except in PowerShell.
-
-        Note: This function requires only domain user rights on the
-        machine you're enumerating.
-			
-    Function: Invoke-PSLoggedOn
-	Author: Matt Kelly, @BreakersAll;
-	Required Dependencies: PowerView. PSv2
-	
-    .PARAMETER ComputerName
-
-        The ComputerName to query for active sessions.
-
-    .EXAMPLE
-
-        PS C:\> Invoke-PSLoggedOn
-
-        Returns active sessions on the local host.
-
-    .EXAMPLE
-
-        PS C:\> Invoke-PSLoggedOn -ComputerName sqlserver
-
-        Returns active sessions on the 'sqlserver' host.
-
-#>
-
-    [CmdletBinding()]
-    param(
-        [Parameter(ValueFromPipeline=$True)]
-        [Alias('HostName')]
-        [String]
-        $ComputerName = 'localhost'
-    )
-	
-	begin {
-        if ($PSBoundParameters['Debug']) {
-            $DebugPreference = 'Continue'
-        }
-    }
-
-    process {
-
-        # process multiple host object types from the pipeline
-        $ComputerName = Get-NameField -Object $ComputerName
-		
-		$LoggedOnLocal = Get-LoggedOnLocal $ComputerName
-		$NetSessionUsers = Get-NetSession $ComputerName
-		
-		Write-Host "Users logged on locally to $ComputerName:"
-		$LoggedOnLocal
-		Write-Host ""
-		Write-Host "Users logged on via resource shares to $ComputerName:"
-		$NetSessionUsers
+    catch {
+        Write-Verbose "Error opening remote registry on '$ComputerName'"
    }
 }