I. Registry query
Principle: when a user logs on to a host, a key for that user is created under HKEY_USERS in the registry. By default, ordinary domain users have permission to perform registry queries against Server systems (ordinary workstations do not have remote registry access enabled by default).
1. PsLoggedon
1) Query the users logged on to the local machine
PS C:\Users\administrator.SEC\Downloads\PSTools> .\PsLoggedon.exe /accepteula
PsLoggedon v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Users logged on locally:
5/14/2025 10:43:52 PM SEC\administrator
No one is logged on via resource shares.
PS C:\Users\administrator.SEC\Downloads\PSTools>
2) Query the users logged on to a specified host
PS C:\Users\administrator.SEC\Downloads\PSTools> .\PsLoggedon.exe /accepteula \\10.10.4.20
PsLoggedon v1.35 - See who's logged on
Copyright (C) 2000-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
No one is logged on locally.
Users logged on via resource shares:
5/14/2025 10:50:39 PM WIN10-1\Administrator
PS C:\Users\administrator.SEC\Downloads\PSTools>
2. PVEFindADUser
1) Query the users currently logged on to all machines
# Query the users currently logged on to all machines in the domain
PS C:\Users\administrator.SEC\Downloads> .\PVEFindADUser.exe -current
-----------------------------------------
PVE Find AD Users
Peter Van Eeckhoutte
(c) 2009 - http://www.corelan.be:8800
Version : 1.0.0.12
-----------------------------------------
[+] Finding currently logged on users ? true
[+] Finding last logged on users ? false
[+] Enumerating all computers...
[+] Number of computers found : 6
[+] Launching queries
[+] Processing host : Win2019-DC1.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Processing host : WIN2008-1.sec.local (Windows Server 2008 R2 Datacenter;Service Pack 1)
[+] Processing host : machine1.sec.local ()
[-] Computer : machine1.sec.local Down
[+] Processing host : machine2.sec.local ()
[-] Computer : machine2.sec.local Down
[+] Processing host : Win10-1.sec.local (Windows 10 Pro for Workstations)
[+] Processing host : exchange.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Report written to report.csv
PS C:\Users\administrator.SEC\Downloads>
# Query the users currently logged on to all machines in the domain, without pinging them first
PS C:\Users\administrator.SEC\Downloads> .\PVEFindADUser.exe -current -noping
-----------------------------------------
PVE Find AD Users
Peter Van Eeckhoutte
(c) 2009 - http://www.corelan.be:8800
Version : 1.0.0.12
-----------------------------------------
[+] Finding currently logged on users ? true
[+] Finding last logged on users ? false
[+] Enumerating all computers...
[+] Number of computers found : 6
[+] Launching queries
[+] Processing host : Win2019-DC1.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Processing host : WIN2008-1.sec.local (Windows Server 2008 R2 Datacenter;Service Pack 1)
[+] Processing host : machine1.sec.local ()
[+] Processing host : machine2.sec.local ()
[+] Processing host : Win10-1.sec.local (Windows 10 Pro for Workstations)
[+] Processing host : exchange.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Report written to report.csv
PS C:\Users\administrator.SEC\Downloads>
2) Query the users currently logged on to a specified host
PS C:\Users\administrator.SEC\Downloads> .\PVEFindADUser.exe -current -target 10.10.4.2
-----------------------------------------
PVE Find AD Users
Peter Van Eeckhoutte
(c) 2009 - http://www.corelan.be:8800
Version : 1.0.0.12
-----------------------------------------
[+] Finding currently logged on users ? true
[+] Finding last logged on users ? false
[+] Processing host : 10.10.4.2 ()
- Logged on user : sec\administrator
[+] Report written to report.csv
PS C:\Users\administrator.SEC\Downloads>
3) Query the hosts a specified user is currently logged on to
PS C:\Users\administrator.SEC\Downloads> .\PVEFindADUser.exe -current sec\administrator
-----------------------------------------
PVE Find AD Users
Peter Van Eeckhoutte
(c) 2009 - http://www.corelan.be:8800
Version : 1.0.0.12
-----------------------------------------
[+] Finding currently logged on users ? true
[+] Finding last logged on users ? false
[+] Enumerating all computers...
[+] Number of computers found : 6
[+] Launching queries
[+] Finding computers where user sec\administrator is logged on
[+] Processing host : Win2019-DC1.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Processing host : WIN2008-1.sec.local (Windows Server 2008 R2 Datacenter;Service Pack 1)
[+] Processing host : machine1.sec.local ()
[-] Computer : machine1.sec.local Down
[+] Processing host : machine2.sec.local ()
[-] Computer : machine2.sec.local Down
[+] Processing host : Win10-1.sec.local (Windows 10 Pro for Workstations)
[+] Processing host : exchange.sec.local (Windows Server 2019 Datacenter Evaluation)
- Logged on user : sec\administrator
[+] Report written to report.csv
PS C:\Users\administrator.SEC\Downloads>
II. Domain controller log query
# Export the log (successful logons, event 4624, with LogonType 3 = network logon)
C:\Users\Administrator\Desktop>wevtutil epl Security 1.evtx /q:"*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]"
C:\Users\Administrator\Desktop>LogParser.exe -i:EVT -o:CSV "SELECT TO_UPPERCASE(EXTRACT_TOKEN(Strings,5,'|')) as USERNAME,TO_UPPERCASE(EXTRACT_TOKEN(Strings,18,'|')) as SOURCE_IP FROM 1.evtx" > log.csv
Analyze in Kali
└─# cat log.csv|grep ADMINISTRATOR | sort | uniq
ADMINISTRATOR,10.10.4.1
ADMINISTRATOR,10.10.4.21
ADMINISTRATOR,10.10.4.5
(base) ┌──(root㉿Kali)-[~]
└─#
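As an added example that is not part of the original post, the same 4624/LogonType 3 extraction done with Get-WinEvent, so the review can run on the DC (or over the exported 1.evtx) without LogParser and the grep/sort/uniq step; the parameter names and the MaxSources threshold are assumptions.

```powershell
# Added example: reads the live Security log (or an exported .evtx) and reports,
# per account, the distinct source IPs of network logons, like the LogParser query.
param(
    [string]$EvtxPath = "",               # empty = read the live Security log
    [string]$Account  = "ADMINISTRATOR",  # account to report on; "" = all accounts
    [int]$MaxSources  = 3                 # flag accounts seen from more than this many source IPs
)

# Same filter the wevtutil command uses: event 4624 with LogonType 3.
$xpath = "*[System[(EventID=4624)] and EventData[Data[@Name='LogonType']='3']]"
if ($EvtxPath) {
    $events = Get-WinEvent -Path $EvtxPath -FilterXPath $xpath -ErrorAction Stop
} else {
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction Stop
}

# Properties[5] = TargetUserName, Properties[18] = IpAddress: the same positions
# the LogParser query pulls with EXTRACT_TOKEN(Strings,5) and EXTRACT_TOKEN(Strings,18).
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        UserName = $e.Properties[5].Value.ToUpper()
        SourceIP = $e.Properties[18].Value
        Time     = $e.TimeCreated
    }
}

# Drop machine accounts (NAME$) and entries with no usable address ("-"), which are noise here.
$rows = $rows | Where-Object { $_.UserName -notmatch '\$$' -and $_.SourceIP -match '^\d' }
if ($Account) {
    $acct = $Account.ToUpper()
    $rows = $rows | Where-Object { $_.UserName -eq $acct }
}

# Equivalent of "grep ADMINISTRATOR | sort | uniq", plus a count and last-seen time per pair.
$rows | Group-Object UserName, SourceIP | ForEach-Object {
    [pscustomobject]@{
        UserName = $_.Group[0].UserName
        SourceIP = $_.Group[0].SourceIP
        Logons   = $_.Count
        LastSeen = ($_.Group | Sort-Object Time -Descending)[0].Time
    }
} | Sort-Object UserName, SourceIP | Format-Table -AutoSize

# Review aid: an account logging on from many distinct hosts deserves a closer look,
# whether that turns out to be a normal admin workflow or reused credentials.
$rows | Group-Object UserName | ForEach-Object {
    $n = ($_.Group.SourceIP | Sort-Object -Unique).Count
    if ($n -gt $MaxSources) { Write-Warning ("{0} seen from {1} distinct source IPs" -f $_.Name, $n) }
}
```

Run it as `.\Review-NetworkLogons.ps1 -EvtxPath .\1.evtx` over the file exported by wevtutil, or without -EvtxPath on the DC itself (reading the Security log requires administrative or Event Log Readers rights).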