https://github.com/p0dalirius/findunusualsessions
A tool to remotely detect unusual sessions opened on windows machines using RPC
remote rpc session smb suspicious windows
- Host: GitHub
- URL: https://github.com/p0dalirius/findunusualsessions
- Owner: p0dalirius
- Created: 2024-08-05T05:55:12.000Z (10 months ago)
- Default Branch: main
- Last Pushed: 2025-04-17T07:45:57.000Z (about 1 month ago)
- Last Synced: 2025-04-23T23:56:07.307Z (24 days ago)
- Topics: remote, rpc, session, smb, suspicious, windows
- Language: Python
- Homepage: https://podalirius.net/
- Size: 478 KB
- Stars: 77
- Watchers: 1
- Forks: 7
- Open Issues: 0
Metadata Files:
- Readme: README.md
- Funding: .github/FUNDING.yml
README

A tool to remotely detect unusual sessions opened on Windows machines using RPC
## Features
- [x] Extracts the list of legitimate domains and trusts registered in LDAP.
- [x] Maps the sessions currently open on remote machines through RPC.
- [x] Highlights suspicious sessions.
- [x] Multithreaded connections to enumerate remote sessions.
- [ ] Export results in JSON with `--export-json`.
- [ ] Export results in XLSX with `--export-xlsx`.
- [ ] Export results in SQLITE3 with `--export-sqlite`.

## Demonstration
```
./FindUnusualSessions.py -au $USER -ad $DOMAIN -ap $PASSWORD -ai $DC_IP
```
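The feature list above says the tool pulls the legitimate domains and trusts from LDAP and then highlights suspicious sessions. The following added example (not the project's code) shows the classification that implies: each enumerated session's logon domain is compared against the set of domain and trust NetBIOS names, and a session matching neither is flagged for review. The record layout, the LDAP attributes named in the comments (`nETBIOSName` on `crossRef` objects, `flatName` on `trustedDomain` objects) and the separate treatment of local accounts are assumptions made here, not something the page states; the sessions and domain lists are constructed sample data.

```python
"""Classify enumerated logon sessions against the domains a forest is expected to see.

Added illustration, not the project's code. Sessions are modelled as constructed
records of the kind a workstation-service enumeration (NetWkstaUserEnum) returns;
the known-domain set stands in for what the tool pulls from LDAP.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    host: str          # machine the session was enumerated from (NetBIOS name)
    username: str
    logon_domain: str  # NetBIOS name of the account's domain, or the host name for local accounts
    logon_server: str


def normalize(name: str) -> str:
    """NetBIOS names are case-insensitive; compare them in one canonical form."""
    return name.strip().upper()


def build_known_domains(domain_netbios_names, trust_flat_names):
    """Set of acceptable logon domains.

    Assumed sources (not stated on the page): nETBIOSName of each crossRef under
    CN=Partitions in the configuration partition, and flatName of each
    trustedDomain object in the System container.
    """
    return {normalize(n) for n in (*domain_netbios_names, *trust_flat_names)}


def classify_sessions(sessions, known_domains):
    """Bucket sessions into known / local / unknown.

    known   - logon domain is a forest domain or a registered trust
    local   - logon domain equals the host name, i.e. a local (SAM) account
    unknown - anything else: the 'unusual' sessions worth a closer look
    """
    result = {"known": [], "local": [], "unknown": []}
    for s in sessions:
        dom = normalize(s.logon_domain)
        if dom in known_domains:
            result["known"].append(s)
        elif dom == normalize(s.host):
            result["local"].append(s)
        else:
            result["unknown"].append(s)
    return result


def render_report(result):
    """One line per session; unknown-domain sessions come first, marked [!]."""
    lines = []
    for bucket, marker in (("unknown", "[!]"), ("local", "[L]"), ("known", "[ ]")):
        for s in result[bucket]:
            lines.append(
                f"{marker} {s.host:<8} {s.logon_domain}\\{s.username} "
                f"(logon server: {s.logon_server})"
            )
    return lines


# Constructed sample data: two forest domains, one trust, five sessions.
KNOWN_DOMAIN_NETBIOS = ["CORP", "DEV"]
KNOWN_TRUST_FLATNAMES = ["PARTNER"]
SAMPLE_SESSIONS = [
    Session("WS01", "jdoe", "CORP", "DC01"),
    Session("WS01", "svc_build", "dev", "DC02"),                  # case differs, still known
    Session("SRV02", "Administrator", "SRV02", "SRV02"),          # local account
    Session("SRV02", "backup", "PARTNER", "PDC01"),               # trusted domain
    Session("SRV03", "admin", "WORKGROUP-XYZ", "WORKGROUP-XYZ"),  # matches no domain or trust
]

if __name__ == "__main__":
    known = build_known_domains(KNOWN_DOMAIN_NETBIOS, KNOWN_TRUST_FLATNAMES)
    for line in render_report(classify_sessions(SAMPLE_SESSIONS, known)):
        print(line)
```

Local-account sessions are kept in their own bucket rather than lumped in with unknown domains: they are not foreign to the forest, but a local administrator logged on to a server is still something an operator usually wants listed separately when reviewing the output.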
## Usage
```
$ ./FindUnusualSessions.py -h
FindUnusualSessions v1.1 - by Remi GASCOU (Podalirius)

usage: FindUnusualSessions.py [-h] [-v] [--debug] [--no-colors] [-L LOGFILE] [-t THREADS] [-ns NAMESERVER] [-tf TARGETS_FILE] [-tt TARGET] [-ad AUTH_DOMAIN] [-ai AUTH_DC_IP] [-au AUTH_USER] [--ldaps]
                              [--no-ldap] [--subnets] [-tl TARGET_LDAP_QUERY] [--no-pass | -ap AUTH_PASSWORD | -ah AUTH_HASHES | --aes-key hex key] [-k] [--kdcHost AUTH_KDCHOST] [--export-xlsx EXPORT_XLSX]
                              [--export-json EXPORT_JSON] [--export-sqlite EXPORT_SQLITE]

options:
  -h, --help            show this help message and exit
  -v, --verbose         Verbose mode. (default: False).
  --debug               Debug mode. (default: False).
  --no-colors           Disables colored output mode.
  -L LOGFILE, --logfile LOGFILE
                        File to write logs to.
  -t THREADS, --threads THREADS
                        Number of threads (default: 64).
  -ns NAMESERVER, --nameserver NAMESERVER
                        IP of the DNS server to use, instead of the --dc-ip.

Targets:
  -tf TARGETS_FILE, --targets-file TARGETS_FILE
                        Path to file containing a line by line list of targets.
  -tt TARGET, --target TARGET
                        Target IP, FQDN or CIDR.
  -ad AUTH_DOMAIN, --auth-domain AUTH_DOMAIN
                        Windows domain to authenticate to.
  -ai AUTH_DC_IP, --auth-dc-ip AUTH_DC_IP
                        IP of the domain controller.
  -au AUTH_USER, --auth-user AUTH_USER
                        Username of the domain account.
  --ldaps               Use LDAPS (default: False)
  --no-ldap             Do not perform LDAP queries.
  --subnets             Get all subnets from the domain and use them as targets (default: False)
  -tl TARGET_LDAP_QUERY, --target-ldap-query TARGET_LDAP_QUERY
                        LDAP query to use to extract computers from the domain.

Credentials:
  --no-pass             Don't ask for password (useful for -k)
  -ap AUTH_PASSWORD, --auth-password AUTH_PASSWORD
                        Password of the domain account.
  -ah AUTH_HASHES, --auth-hashes AUTH_HASHES
                        LM:NT hashes to pass the hash for this user.
  --aes-key hex key     AES key to use for Kerberos Authentication (128 or 256 bits)
  -k, --kerberos        Use Kerberos authentication. Grabs credentials from .ccache file (KRB5CCNAME) based on target parameters. If valid credentials cannot be found, it will use the ones specified in the
                        command line
  --kdcHost AUTH_KDCHOST
                        IP of the domain controller.

Output files:
  --export-xlsx EXPORT_XLSX
                        Output XLSX file to store the results in.
  --export-json EXPORT_JSON
                        Output JSON file to store the results in.
  --export-sqlite EXPORT_SQLITE
                        Output SQLITE3 file to store the results in.
```
## Contributing
Pull requests are welcome. Feel free to open an issue if you want to add other features.