Free tool : Find out where your AD Users are logged on into

Hi,

I decided to release another free utility I wrote a while ago. This small command-line utility can be used to find out where Active Directory users are logged on, and/or to find out who is logged on to specific machines. This should include local users, users that are logged in via RDP, and user accounts that are used to run services and scheduled tasks (only while the task is running at that time). I have not fully tested all scenarios yet, but the first results look quite ok.

You can download the utility from https://www.corelan.be/index.php/my-free-tools/ad-cs/pve-find-ad-user/. You need the .Net framework 2.0 on the machine that you are running the tool from, and you also need to have admin access on the computers you are running the utility against.

The tool is compiled on a 32bit system, but it should run fine on 64bit systems as well.

Open a command prompt and start the utility without parameters :

 

 -----------------------------------------
  PVE Find AD Users
  Peter Van Eeckhoutte
  (c) 2009 - http://www.corelan.be
  Version : x.x.x.x
 -----------------------------------------

 Syntax : pveFindADUser.exe <parameters>

 Valid parameters are :
 -h
   show help
 -u
   check for updates
 -v
   show a little bit more info (verbose)
 -current ["username"]
   The -current parameters shows the currently logged on user on each PC
   in the domain. If you specify a username (between quotes), then only
   the PC's where that specific user is logged on will be displayed.
   If you don't specify a username, all PC's with logged on users will be
   displayed in the report.
 -last ["username"]
   The -last parameters shows the last logged on user on each PC in the domain.
   If you specify a username (between quotes), then only the PC's where that
   user has logged on last time will be shown
   If you don't specify a username, all PC's with the last logged
   on users will be reported.

   In both cases, the username should contain the domain name !
   (DOMAIN\username)

   If you specify DOMAIN\*username* (with 2 asterisks), then
   all users containing the 'username' string will be displayed

 -noping
   Do not ping target computer before trying to enumerate user logons
 -p <nr of pings>
   If ping is enabled, set number of pings for verifying that host is alive
   If -p is not specified, 2 pings will be sent
 -rootpath rootpath
   Where rootpath is written in distinguishedName notation
     Example : OU=Computers,dc=domain,dc=com
 -target hostname.domain.com,hostname2.domain.com,hostname3.domain.com
   Optional parameter that allows you to specify the list of hosts
   (fqdn) to run the query against
   Without this -target parameter, queries will be executed against
   all hosts in the current domain
 -stopfound
   Stop searching when first match has been found.
   This parameter works only when looking for currently logged on users

 Output will be written to console and to a file called report.csv

While most options are self-explanatory, I’ll go through them anyway :

-h : show help. Not much to say about that.

-u : check if there is an updated version of the utility. You can use this parameter in conjunction with other parameters.

-current [“username”] : This parameter can do 2 things. If you only specify -current, then the utility will simply get all currently logged on users on all target machines. If you specify a username (DOMAIN\Username), then only the computers where this user is logged on will be displayed. The utility will try to get the currently logged on users from the registry first. If that fails, it will try to get the users via WMI. When the users are collected via WMI, you may see the user account that you are using to run the utility listed as a logged on user. This user may not be logged on interactively; it may just show up because you are connecting to the host via WMI. Just be aware of this.

-last [“username”] : This parameter can do 2 things as well. If you only specify -last, then the utility will attempt to get the last logged on user on the target computer. If you specify a username (DOMAIN\Username), then only the computers that have this user account as last logon will be displayed. Note that, depending on your company policy, the last logon username may be hidden and the tool may not be able to get it.

-noping : this option will prevent the tool from performing a ping (well, in fact, by default the tool does 2 pings) before trying to get the user logon information.

-target : this optional parameter allows you to specify the hosts to query.  If you don’t specify this -target parameter, then all hosts in the current domain will be queried.  If you decide to specify -target, followed with a comma-separated list of hostnames, make sure to use the FQDN of the target hosts.

In its most simple form, you could just run  pveFindADUser.exe -current  to show all currently logged on users on all machines (computers, servers, domain controllers, …) in the domain.

The tool will write the output of the queries into a csv file called report.csv. This file will contain the following fields :

computername, username, mode and technique.

Mode can be "current" (for currently logged on users) and "last" (for last logged on users).  Technique can be "registry" or "wmi", depending on the technique that was used to gather the information.
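To make the workflow above concrete, here is an added PowerShell example that is not Corelan's pveFindADUser code: it follows the same steps the post describes (optional ping, registry first, WMI as fallback, a report.csv with the same four columns) so you can see where each value in the report comes from. The function and parameter names are my own; the registry paths (HKEY_USERS profile hives, Winlogon\LastLoggedOnUser) and the Win32_Process WMI class are real. The two-asterisk substring match and the -stopfound behaviour are implemented as the post defines them. Like the tool, it needs admin rights on the targets, and the registry technique additionally needs the Remote Registry service reachable.

```powershell
<#
  Added example (not Corelan's pveFindADUser code): a PowerShell sketch of the
  post's workflow. Assumptions: admin rights on the targets, Remote Registry
  reachable for the registry technique; function and parameter names are my own.
#>
param(
    [string[]]$Target,                                   # FQDNs; default: every computer object in the domain
    [string]$User,                                       # "DOMAIN\user", or "DOMAIN\*part*" for a substring match
    [ValidateSet('current','last')][string]$Mode = 'current',
    [int]$Pings = 2,
    [switch]$NoPing,
    [switch]$StopFound,
    [string]$Report = 'report.csv'
)

function Get-DomainComputers {
    # ADSI search for computer objects in the current domain; no RSAT module needed.
    $searcher = New-Object DirectoryServices.DirectorySearcher('(objectCategory=computer)')
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('dNSHostName')
    foreach ($r in $searcher.FindAll()) { $r.Properties['dnshostname'] | Where-Object { $_ } }
}

function New-Row($Computer, $Name, $Mode, $Technique) {
    # One report.csv line: computername, username, mode, technique
    [pscustomobject]@{ computername = $Computer; username = $Name; mode = $Mode; technique = $Technique }
}

function Get-CurrentUsers([string]$Computer) {
    # Registry first: every loaded profile hive under HKEY_USERS belongs to an account with a
    # session on the box (console, RDP, or a service/scheduled task running as that account).
    try {
        $hku  = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('Users', $Computer)
        $sids = $hku.GetSubKeyNames() | Where-Object { $_ -like 'S-1-5-21-*' -and $_ -notlike '*_Classes' }
        $rows = foreach ($sid in $sids) {
            try {
                $acct = (New-Object Security.Principal.SecurityIdentifier($sid)).Translate([Security.Principal.NTAccount]).Value
            } catch { $acct = $sid }                     # orphaned SID: keep the raw value
            New-Row $Computer $acct 'current' 'registry'
        }
        return $rows
    } catch {
        Write-Verbose "$Computer : remote registry failed ($($_.Exception.Message)), falling back to WMI"
    }
    # WMI fallback: distinct owners of running processes. As the post warns, the account running
    # this script may appear here purely because of the WMI connection itself.
    Get-WmiObject Win32_Process -ComputerName $Computer -ErrorAction Stop |
        ForEach-Object { $o = $_.GetOwner(); if ($o.User) { "$($o.Domain)\$($o.User)" } } |
        Sort-Object -Unique |
        ForEach-Object { New-Row $Computer $_ 'current' 'wmi' }
}

function Get-LastUser([string]$Computer) {
    # Winlogon\LastLoggedOnUser is the name pre-filled on the logon screen (Vista and later);
    # DefaultUserName is the older equivalent. The "do not display last user name" policy
    # leaves both empty, which is the hidden-username case the post mentions.
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
    $key  = $hklm.OpenSubKey('SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon')
    $last = $key.GetValue('LastLoggedOnUser')
    if (-not $last) { $last = $key.GetValue('DefaultUserName') }
    if ($last) { New-Row $Computer $last 'last' 'registry' }
}

if (-not $Target) { $Target = Get-DomainComputers }
# -like treats the asterisks in DOMAIN\*username* as wildcards and compares case-insensitively,
# so a plain DOMAIN\username has to match exactly, as in the tool.
$pattern = if ($User) { $User } else { '*' }
$results = @()

foreach ($c in $Target) {
    if (-not $NoPing -and -not (Test-Connection -ComputerName $c -Count $Pings -Quiet)) { continue }
    try {
        $rows = if ($Mode -eq 'current') { Get-CurrentUsers $c } else { Get-LastUser $c }
    } catch {
        Write-Warning "$c : $($_.Exception.Message)"
        continue
    }
    $hits = @($rows | Where-Object { $_.username -like $pattern })
    foreach ($h in $hits) { '{0},{1},{2},{3}' -f $h.computername, $h.username, $h.mode, $h.technique }
    $results += $hits
    # -stopfound only applies to the "current" mode, as in the tool's help text
    if ($StopFound -and $Mode -eq 'current' -and $hits.Count -gt 0) { break }
}
$results | Export-Csv -Path $Report -NoTypeInformation
```

Saved as, say, Find-LoggedOnUser.ps1, running `.\Find-LoggedOnUser.ps1 -User 'DOMAIN\*admin*'` lists every reachable machine that currently has a session for an account whose name contains "admin", which is a quick way to check where privileged credentials are exposed in memory; `-Mode last -Target srv1.domain.com,srv2.domain.com` reads the last logon name from just those two hosts. The "technique" column tells you whether a row came from the registry or from the WMI fallback, which is what you need when deciding whether to trust a hit that matches your own scanning account.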


© 2009 – 2014, Corelan Team (corelanc0d3r). All rights reserved.


9 Responses to Free tool : Find out where your AD Users are logged on into

  • dannyrushton says:

    Tool looks fantastic. I downloaded today but it doesn’t appear to work. The cmd window opens and the text indicated in the description of the tool spools quickly down the screen and then the cmd window closes :o(
    I did suspect .net framework to be at issue – I am running 3.0 at the moment. Would this affect the utility (I know you recommend .net 2.0 in the synopsis of the util)

  • Hi,

    Yes, it has to be .Net 2.0… sorry for the inconvenience

    Peter

  • theresnomo says:

    Did the same for me when running the executable directly. You need to run from command line. Also instructions are a little off as it says to run pveadfinduser.exe and the name of the executable is pvefindaduser.exe. I tried to run it to find a certain ID using the pvefindaduser -current “domain\username”, but it looks like it proceeded to search every computer in our domain (9000 computers), which was a little slow.

  • This is a command line utility, so you need to run it from the command line. :-)

    I have fixed the filename in the instructions, and I am currently testing a new option that will allow you to stop the search when a match was found.

  • This tool is great. Any chance source code could be released? Could change it up a bit to run on linux systems through mono.

  • synw says:

    Hi Peter,
    many thanks for this useful tool !
    I tried to run this tool in our domain (4600 computers) but it seems that the program stops after connecting +/- 400 PCs.
    Is this the normal behaviour ? If not, any idea why ?

    • I have no idea – does it make a difference if you feed it a file with all IPs (vs allowing it to query AD directly to find PCs) ? Unfortunately I don’t have a test lab with more than 400 devices… :(

    • jsp5107 says:

      Just ran it on a huge domain (20,000 hosts). It hung a few times for a few minutes but proceeded normally afterwards.

      Peter: Great tool. Would it be possible to later add a feature to authenticate as a domain user? I’ve been using this tool on pen tests and it would be nice to be able to run it from my testing laptop rather than running it from a compromised host.
