URL: https://payatu.com/blog/remote-information-gathering-windows-terminal-services-apis/
Submission: On October 23 via api from US — Scanned from US

Form analysis 3 forms found in the DOM

POST

<form data-form_id="2" id="fluentform_2" class="frm-fluent-form fluent_form_2 ff-el-form-top ff_form_instance_2_1 ffs_default ff-form-loaded" data-form_instance="ff_form_instance_2_1" method="POST" data-cb-wrapper="true">
  <fieldset style="border: none!important;margin: 0!important;padding: 0!important;background-color: transparent!important;box-shadow: none!important;outline: none!important; min-inline-size: 100%;">
    <legend class="ff_screen_reader_title" style="display: block; margin: 0!important;padding: 0!important;height: 0!important;text-indent: -999999px;width: 0!important;overflow:hidden;">Subscription Form</legend><input type="hidden"
      name="__fluent_form_embded_post_id" value="2645"><input type="hidden" id="_fluentform_2_fluentformnonce" name="_fluentform_2_fluentformnonce" value="ac5b5ca244"><input type="hidden" name="_wp_http_referer"
      value="/blog/remote-information-gathering-windows-terminal-services-apis/">
    <div data-name="ff_cn_id_1" class="ff-t-container ff-column-container ff_columns_total_2  ">
      <div class="ff-t-cell ff-t-column-1" style="flex-basis: 80%;">
        <div class="ff-el-group">
          <div class="ff-el-input--content"><input type="email" name="email" id="ff_2_email" class="ff-el-form-control" placeholder="Your Email Address" data-name="email" aria-invalid="false" aria-required="true"></div>
        </div>
      </div>
      <div class="ff-t-cell ff-t-column-2" style="flex-basis: 20%;">
        <div class="ff-el-group ff-text-left ff_submit_btn_wrapper ff_submit_btn_wrapper_custom"><button class="ff-btn ff-btn-submit ff-btn-md ff_btn_style wpf_has_custom_css" type="submit" name="custom_submit_button-2_1"
            data-name="custom_submit_button-2_1">Subscribe</button>
          <style>
            form.fluent_form_2 .wpf_has_custom_css.ff-btn-submit {
              background-color: #409EFF;
              border-color: #409EFF;
              color: #ffffff;
              min-width: 100%;
            }

            form.fluent_form_2 .wpf_has_custom_css.ff-btn-submit:hover {
              background-color: #ffffff;
              border-color: #409EFF;
              color: #409EFF;
              min-width: 100%;
            }
          </style>
        </div>
      </div>
    </div>
  </fieldset>
</form>

POST

<form data-form_id="2" id="fluentform_2" class="frm-fluent-form fluent_form_2 ff-el-form-top ff_form_instance_2_2 ffs_default ff-form-loaded" data-form_instance="ff_form_instance_2_2" method="POST" data-cb-wrapper="true">
  <fieldset style="border: none!important;margin: 0!important;padding: 0!important;background-color: transparent!important;box-shadow: none!important;outline: none!important; min-inline-size: 100%;">
    <legend class="ff_screen_reader_title" style="display: block; margin: 0!important;padding: 0!important;height: 0!important;text-indent: -999999px;width: 0!important;overflow:hidden;">Subscription Form</legend><input type="hidden"
      name="__fluent_form_embded_post_id" value="2645"><input type="hidden" id="_fluentform_2_fluentformnonce" name="_fluentform_2_fluentformnonce" value="ac5b5ca244"><input type="hidden" name="_wp_http_referer"
      value="/blog/remote-information-gathering-windows-terminal-services-apis/">
    <div data-name="ff_cn_id_1" class="ff-t-container ff-column-container ff_columns_total_2  ">
      <div class="ff-t-cell ff-t-column-1" style="flex-basis: 80%;">
        <div class="ff-el-group">
          <div class="ff-el-input--content"><input type="email" name="email" id="ff_2_2_email" class="ff-el-form-control" placeholder="Your Email Address" data-name="email" aria-invalid="false" aria-required="true"></div>
        </div>
      </div>
      <div class="ff-t-cell ff-t-column-2" style="flex-basis: 20%;">
        <div class="ff-el-group ff-text-left ff_submit_btn_wrapper ff_submit_btn_wrapper_custom"><button class="ff-btn ff-btn-submit ff-btn-md ff_btn_style wpf_has_custom_css" type="submit" name="custom_submit_button-2_1"
            data-name="custom_submit_button-2_1">Subscribe</button>
          <style>
            form.fluent_form_2 .wpf_has_custom_css.ff-btn-submit {
              background-color: #409EFF;
              border-color: #409EFF;
              color: #ffffff;
              min-width: 100%;
            }

            form.fluent_form_2 .wpf_has_custom_css.ff-btn-submit:hover {
              background-color: #ffffff;
              border-color: #409EFF;
              color: #409EFF;
              min-width: 100%;
            }
          </style>
        </div>
      </div>
    </div>
  </fieldset>
</form>

<form autocomplete="off" role="search" class="jetpack-instant-search__search-results-search-form" data-cb-wrapper="true">
  <div class="jetpack-instant-search__search-form">
    <div class="jetpack-instant-search__box"><label for="jetpack-instant-search__box-input-1" class="jetpack-instant-search__box-label">
        <div class="jetpack-instant-search__box-gridicon"><svg focusable="true" height="24" viewBox="0 0 24 24" width="24" xmlns="http://www.w3.org/2000/svg" aria-hidden="false" class="gridicon gridicons-search " style="height: 24px; width: 24px;">
            <title>Magnifying Glass</title>
            <g>
              <path d="M21 19l-5.154-5.154C16.574 12.742 17 11.42 17 10c0-3.866-3.134-7-7-7s-7 3.134-7 7 3.134 7 7 7c1.42 0 2.742-.426 3.846-1.154L19 21l2-2zM5 10c0-2.757 2.243-5 5-5s5 2.243 5 5-2.243 5-5 5-5-2.243-5-5z"></path>
            </g>
          </svg></div><input autocomplete="off" id="jetpack-instant-search__box-input-1" inputmode="search" placeholder="Search…" type="search" class="search-field jetpack-instant-search__box-input"><button tabindex="-1"
          class="screen-reader-text assistive-text">Search</button>
      </label></div>
  </div>
</form>

Text Content

We value your privacy

Dear visitor, our website uses cookies to provide you with a better browsing
experience and to analyze site traffic. By clicking 'Accept,' you consent to our
use of cookies.

Customize Reject All Accept All
Customize Consent Preferences

We use cookies to help you navigate efficiently and perform certain functions.
You will find detailed information about all cookies under each consent category
below.

The cookies that are categorized as "Necessary" are stored on your browser as
they are essential for enabling the basic functionalities of the site. ... Show
more

NecessaryAlways Active

Necessary cookies are required to enable the basic features of this site, such
as providing secure log-in or adjusting your consent preferences. These cookies
do not store any personally identifiable data.

No cookies to display.

Functional

Functional cookies help perform certain functionalities like sharing the content
of the website on social media platforms, collecting feedback, and other
third-party features.

No cookies to display.

Analytics

Analytical cookies are used to understand how visitors interact with the
website. These cookies help provide information on metrics such as the number of
visitors, bounce rate, traffic source, etc.

No cookies to display.

Performance

Performance cookies are used to understand and analyze the key performance
indexes of the website which helps in delivering a better user experience for
the visitors.

No cookies to display.

Advertisement

Advertisement cookies are used to provide visitors with customized
advertisements based on the pages you visited previously and to analyze the
effectiveness of the ad campaigns.

No cookies to display.

Reject All Save My Preferences Accept All
Skip to content
 * Services
   
   
   SERVICES
   
    * IoT Security Assessment
    * Red Team Assessment
    * Product Security
    * AI/ML Security Audit
    * Web Application Security Testing
    * SOC Service
   
    * IoT Security Assessment
    * Red Team Assessment
    * Product Security
    * AI/ML Security Audit
    * Web Application Security Testing
    * SOC Service
   
    * Mobile Application Security Testing
    * DevSecOps Consulting
    * Code Review
    * Cloud Security Assessment
    * Critical Infrastructure Assessment
   
    * Mobile Application Security Testing
    * DevSecOps Consulting
    * Code Review
    * Cloud Security Assessment
    * Critical Infrastructure Assessment
 * Products
   
   
   PRODUCTS
   
   EXPLIoT
   EXPLIoT is framework for IoT security testing
   and exploitation.
   EXPLIoT Store
   EXPLIoT Store is the ultimate marketplace
   for IoT security hacking and learning gadgets.
   EXPLIoT Academy
   EXPLIoT Academy is an online institution
   for learning practical courses related to IoT security.
   
   CloudFuzz
   
   CloudFuzz is platform that lets you code for bugs
   by running your software with millions of test cases.
   
   Product Partner – Riscure
   
   Riscure’s top-of-the-line security products such as Inspector SCA, Inspector
   FI, Truecode, etc.
   
 * Who We Are
   
   
   WHO WE ARE
   
    * About Us
    * Payatu Bandits
    * Hardware-Lab
    * News
    * Career
   
    * About Us
    * Payatu Bandits
    * Hardware-Lab
    * News
    * Career
 * Resources
   
   
   RESOURCES
   
    * Blog
    * Masterclass
    * Case Studies
    * Ebooks
    * Advisory
    * Media
    * Checklist
    * Reports
    * Datasheet
   
    * Blog
    * Masterclass
    * Case Studies
    * Ebooks
    * Advisory
    * Media
    * Checklist
    * Reports
    * Datasheet
   
   
   TOOLS
   
    * BugBazaar
    * securecode.wiki
    * DVAPI
   
    * BugBazaar
    * securecode.wiki
    * DVAPI
   
   
   
   
   COMMUNITY
   
    * Telegram Community
   
    * Telegram Community
 * Contact Us
   
   
   CONTACT US
   
    * Pune Location
    * Europe Location
    * Australia Location
    * USA Location
   
    * Pune Location
    * Europe Location
    * Australia Location
    * USA Location
 * We Are Hiring
   
   
   TOP OPENINGS
   
    * Security consultant
    * IT sales
    * Pre-Sales Executive
    * Software Developer
    * Embedded Developer
   
    * Security consultant
    * IT sales
    * Pre-Sales Executive
    * Software Developer
    * Embedded Developer
   
   ALL OPENINGS
   
   Get all of it
   Be a Bandit
   
   
   EMPLOYEE CENTRIC WORK CULTURE
   
   Join the work culture that offers - Flexible Work Hours, Adaptable Leave
   Structure, Employee Wellness Schemes, Wanderlusting Work Plans, International
   Brand Exposure, Rewards and Recognitions.
   
   
   NEVER STOP LEARNING
   
   Be a part of a clan that motivates and keeps you on edge with opportunities
   like Reimbursement Policy Upto 1000 USD for Certification Courses, Hosting
   Internal & External Webinars, Personal Goal Setting & Guidance for KRA.
   
   
   COHERE WITH THE COMMUNITY
   
   We are more than a company; we are a community which offers opportunities to
   be a part of global conferences, promote in-house talent for writing research
   papers, provides support and rewards for writing blogs and reward employees
   for referrals.



 * Services
   
   
   SERVICES
   
    * IoT Security Assessment
    * Red Team Assessment
    * Product Security
    * AI/ML Security Audit
    * Web Application Security Testing
    * SOC Service
   
    * IoT Security Assessment
    * Red Team Assessment
    * Product Security
    * AI/ML Security Audit
    * Web Application Security Testing
    * SOC Service
   
    * Mobile Application Security Testing
    * DevSecOps Consulting
    * Code Review
    * Cloud Security Assessment
    * Critical Infrastructure Assessment
   
    * Mobile Application Security Testing
    * DevSecOps Consulting
    * Code Review
    * Cloud Security Assessment
    * Critical Infrastructure Assessment
 * Products
   
   
   PRODUCTS
   
   EXPLIoT
   EXPLIoT is framework for IoT security testing
   and exploitation.
   EXPLIoT Store
   EXPLIoT Store is the ultimate marketplace
   for IoT security hacking and learning gadgets.
   EXPLIoT Academy
   EXPLIoT Academy is an online institution
   for learning practical courses related to IoT security.
   
   CloudFuzz
   
   CloudFuzz is platform that lets you code for bugs
   by running your software with millions of test cases.
   
   Product Partner – Riscure
   
   Riscure’s top-of-the-line security products such as Inspector SCA, Inspector
   FI, Truecode, etc.
   
 * Who We Are
   
   
   WHO WE ARE
   
    * About Us
    * Payatu Bandits
    * Hardware-Lab
    * News
    * Career
   
    * About Us
    * Payatu Bandits
    * Hardware-Lab
    * News
    * Career
 * Resources
   
   
   RESOURCES
   
    * Blog
    * Masterclass
    * Case Studies
    * Ebooks
    * Advisory
    * Media
    * Checklist
    * Reports
    * Datasheet
   
    * Blog
    * Masterclass
    * Case Studies
    * Ebooks
    * Advisory
    * Media
    * Checklist
    * Reports
    * Datasheet
   
   
   TOOLS
   
    * BugBazaar
    * securecode.wiki
    * DVAPI
   
    * BugBazaar
    * securecode.wiki
    * DVAPI
   
   
   
   
   COMMUNITY
   
    * Telegram Community
   
    * Telegram Community
 * Contact Us
   
   
   CONTACT US
   
    * Pune Location
    * Europe Location
    * Australia Location
    * USA Location
   
    * Pune Location
    * Europe Location
    * Australia Location
    * USA Location
 * We Are Hiring
   
   
   TOP OPENINGS
   
    * Security consultant
    * IT sales
    * Pre-Sales Executive
    * Software Developer
    * Embedded Developer
   
    * Security consultant
    * IT sales
    * Pre-Sales Executive
    * Software Developer
    * Embedded Developer
   
   ALL OPENINGS
   
   Get all of it
   Be a Bandit
   
   
   EMPLOYEE CENTRIC WORK CULTURE
   
   Join the work culture that offers - Flexible Work Hours, Adaptable Leave
   Structure, Employee Wellness Schemes, Wanderlusting Work Plans, International
   Brand Exposure, Rewards and Recognitions.
   
   
   NEVER STOP LEARNING
   
   Be a part of a clan that motivates and keeps you on edge with opportunities
   like Reimbursement Policy Upto 1000 USD for Certification Courses, Hosting
   Internal & External Webinars, Personal Goal Setting & Guidance for KRA.
   
   
   COHERE WITH THE COMMUNITY
   
   We are more than a company; we are a community which offers opportunities to
   be a part of global conferences, promote in-house talent for writing research
   papers, provides support and rewards for writing blogs and reward employees
   for referrals.





REMOTE PROCESS ENUMERATION USING WINDOWS TERMINAL SERVICES APIS


 * Arun Nair
 * December 28, 2021



Hi All. I welcome you again. In this particular blog post we’ll code our own
tool in C++ to gather information (the list of running processes) from a remote
system. We will assume that we somehow got initial access to the AD network and
want to gather information (in this case the list of running processes) from a
remote system without having to use any complete framework tool with known
signatures.

The Windows API provides several ways to enumerate processes. The first set of
APIs we will look at are the ToolHelp functions. They were introduced in Windows
2000 to facilitate easier process enumeration. ToolHelp comes with a set of APIs
that can aid us in process enumeration: CreateToolhelp32Snapshot, Process32First
and Process32Next. The CreateToolhelp32Snapshot function allows us to enumerate
both processes and threads. It also allows us to enumerate the modules and heaps
of a specific process. For process enumeration, the Process32First and
Process32Next functions are going to be used. The first function fills in the
entry for the first process in the snapshot, and we’ll use Process32Next to
iterate through the list of processes until there are no more.

Let’s start writing the code to utilize the above API functions. TlHelp32.h is
where all the ToolHelp32 functions are declared.

#include <Windows.h>
#include <stdio.h>
#include <TlHelp32.h>

int main()
{
    // Snapshot of every process in the system; the PID argument is ignored for TH32CS_SNAPPROCESS.
    HANDLE hSnapshot = ::CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, 0);

    if (hSnapshot == INVALID_HANDLE_VALUE)
        return 1;

    // Explicit wide-character entry so szExeFile is always WCHAR and matches the %ws below,
    // whichever way the project's UNICODE setting resolves PROCESSENTRY32/Process32First.
    PROCESSENTRY32W pe;
    pe.dwSize = sizeof(pe);   // must be set before the first call

    if (::Process32FirstW(hSnapshot, &pe)) {
        do {
            printf("PID: %lu\tThreads: %lu\tPPID: %lu\tName: %ws\n",
                   pe.th32ProcessID, pe.cntThreads, pe.th32ParentProcessID, pe.szExeFile);
        } while (::Process32NextW(hSnapshot, &pe));
    }

    ::CloseHandle(hSnapshot);

    return 0;
}

The CreateToolhelp32Snapshot function accepts two parameters. The first one is a
flag which indicates what kind of enumeration we wish to do, or rather what kind
of snapshot we wish to capture: a snapshot of all the processes in the system, a
snapshot of all the threads in the system, or the set of modules or heaps of a
particular process. We will stick with TH32CS_SNAPPROCESS to take a snapshot of
the processes. The second parameter takes a process id, which is only relevant
when we take a snapshot of the heaps or modules of a specific process; we will
keep this value 0 to acquire processes system wide. On success this function
returns a valid handle to the snapshot. After that we just check whether we got
an invalid handle back, in which case we return from the program with a return
value of 1.

The Process32First function retrieves information about the first process
encountered in a system snapshot. The first parameter is the handle to the
snapshot returned to us by CreateToolhelp32Snapshot, and the second is the
structure where we get the result back, called PROCESSENTRY32. The only thing
we need to do before calling Process32First is to declare the structure and
initialize its first member, dwSize, to the size of the structure.

The Process32Next function retrieves information about the next process recorded
in a system snapshot. We will use this function to iterate through all the
processes until there are no more.

Inside the printf we are just printing the process id, the number of threads it
has, the parent process id and finally the name of the process.



This is how we could enumerate processes on the local machine using the Windows
API. How about doing the same on a remote machine? There’s another way of
enumerating processes, using the WTS set of functions. The WTS functions are a
set of Windows Terminal Services APIs that are intended for a terminal services
environment, but work equally well in a local environment.

#include <Windows.h>
#include <stdio.h>
#include <WtsApi32.h>

#pragma comment(lib, "Wtsapi32")

int main(int argc, char** argv)
{
    if (argc < 2) {
        printf("Usage: %s <host>\n", argv[0]);
        return 1;
    }
    CHAR* host = argv[1];

    // Handle to the remote (or local) machine whose processes we want to list.
    HANDLE hServer = ::WTSOpenServerA(host);
    if (!hServer) {
        printf("Could not open a handle to the server %s\n", host);
        return 1;
    }

    printf("Opened a handle to the server %s : 0x%p\n", host, hServer);

    WTS_PROCESS_INFOA* info = NULL;   // array allocated by the API, released with WTSFreeMemory
    DWORD count = 0;

    // Reserved = 0 and Version = 1, as required by the documentation.
    if (!::WTSEnumerateProcessesA(hServer, 0, 1, &info, &count)) {
        printf("Could not enumerate processes on the host %s (error %lu)\n", host, GetLastError());
        ::WTSCloseServer(hServer);
        return 1;
    }

    printf("Found %lu processes\n", count);
    for (DWORD i = 0; i < count; i++) {
        printf("PID: %lu\tSession: %lu\tName: %s\n",
               info[i].ProcessId, info[i].SessionId, info[i].pProcessName);
    }

    ::WTSFreeMemory(info);
    ::WTSCloseServer(hServer);

    return 0;
}

WTSOpenServerA is used to open a handle to the remote host on which we want to
enumerate the list of running processes.

WTSEnumerateProcessesA can be used to retrieve information about the active
processes on either the local machine or a remote host. The first argument to
this function is the handle to the remote host. The second and third parameters
will be 0 and 1 according to the official documentation (the second is reserved
and the third is the version). The fourth parameter receives the array of
structures where the information is returned, and the last parameter receives
the number of entries returned by the function.

Then we use a for loop to iterate through each structure and print the values
one by one.

Let’s run the program now to see if we can enumerate processes from the remote
host (in my case the host will be my DC’s IP address).



You can see that we were successfully able to open a handle to the host, but we
could not enumerate the running processes, which actually makes sense as our
program is running in the context of a normal domain user which doesn’t have the
right to enumerate processes on the Domain Controller.

We are going to make our program perform impersonation to get an access token of
a user which has the proper rights (in my case a Domain Admin). I am going to
copy and paste the snippet of code from the scshell program.

CHAR* host = argv[1];
CHAR* domain = argv[2];
CHAR* username = argv[3];
CHAR* password = argv[4];
BOOL bResult = FALSE;

HANDLE hToken = NULL;

if (username != NULL) {
    printf("Username was provided attempting to call LogonUserA\n");

    // LOGON32_LOGON_NEW_CREDENTIALS: the token keeps the current local identity but
    // presents the supplied credentials to remote hosts (same idea as runas /netonly).
    bResult = LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hToken);

    if (!bResult) {
        printf("LogonUserA failed %lu\n", GetLastError());
        ExitProcess(1);
    }

    // Make the calling thread run under the new token for the remote calls that follow.
    bResult = ImpersonateLoggedOnUser(hToken);

    if (!bResult) {
        printf("ImpersonateLoggedOnUser failed %lu\n", GetLastError());
        ExitProcess(1);
    }
}

The above code takes the domain name, username and password from the command
line and tries to log on and impersonate that user. We’ll add this code to our
program to impersonate the Domain Admin user and get the process list from the
Domain Controller.

So our final code will look like this now.

#include <Windows.h>
#include <stdio.h>
#include <WtsApi32.h>

#pragma comment(lib, "Wtsapi32")

int main(int argc, char** argv)
{
    if (argc < 2) {
        printf("Usage: %s <host> [domain username password]\n", argv[0]);
        return 1;
    }

    CHAR* host = argv[1];
    // Credentials are optional; without them the calls run as the current user.
    CHAR* domain = (argc > 4) ? argv[2] : NULL;
    CHAR* username = (argc > 4) ? argv[3] : NULL;
    CHAR* password = (argc > 4) ? argv[4] : NULL;
    BOOL bResult = FALSE;

    HANDLE hToken = NULL;

    if (username != NULL) {
        printf("Username was provided attempting to call LogonUserA\n");

        // New-credentials logon: local identity unchanged, supplied credentials used for remote access.
        bResult = LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hToken);
        if (!bResult) {
            printf("LogonUserA failed %lu\n", GetLastError());
            return 1;
        }

        // Only impersonate when a token was actually obtained.
        bResult = ImpersonateLoggedOnUser(hToken);
        if (!bResult) {
            printf("ImpersonateLoggedOnUser failed %lu\n", GetLastError());
            CloseHandle(hToken);
            return 1;
        }
    }

    int rc = 1;
    HANDLE hServer = ::WTSOpenServerA(host);
    if (!hServer) {
        printf("Could not open a handle to the server %s\n", host);
    } else {
        printf("Opened a handle to the server %s : 0x%p\n", host, hServer);

        WTS_PROCESS_INFOA* info = NULL;
        DWORD count = 0;

        if (!::WTSEnumerateProcessesA(hServer, 0, 1, &info, &count)) {
            printf("Could not enumerate processes on the host %s (error %lu)\n", host, GetLastError());
        } else {
            printf("Found %lu processes\n", count);
            for (DWORD i = 0; i < count; i++) {
                printf("PID: %lu\tSession: %lu\tName: %s\n",
                       info[i].ProcessId, info[i].SessionId, info[i].pProcessName);
            }
            ::WTSFreeMemory(info);
            rc = 0;
        }
        ::WTSCloseServer(hServer);
    }

    // Drop the impersonation and release the token before exiting.
    if (hToken != NULL) {
        RevertToSelf();
        CloseHandle(hToken);
    }

    return rc;
}

Now we can successfully enumerate processes on the Domain Controller.
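From the defender's side, the impersonation step above leaves a characteristic trail: LOGON32_LOGON_NEW_CREDENTIALS produces Security event 4624 with logon type 9 (logon process Advapi) on the machine running the tool, naming the caller rather than the supplied account (that account shows up in the accompanying 4648 event), and the remote host records a network logon (type 3) for the supplied account when the WTS call arrives. The Python below is an added detection example, not part of the original post or of scshell; it runs over a constructed key=value event export (SAMPLE_EVENTS) and a constructed host-to-address inventory (HOST_IPS), both of which are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Logon types as they appear in Security event 4624.
LOGON_TYPE_NEW_CREDENTIALS = 9   # produced by LogonUserA(..., LOGON32_LOGON_NEW_CREDENTIALS, ...)
LOGON_TYPE_NETWORK = 3           # recorded on the remote host when that token is used over the network

# Constructed sample export (flat key=value, one event per line); not real telemetry.
# WS01 runs the tool as local user alice with da_admin's credentials; DC01 is the target.
SAMPLE_EVENTS = """\
ts=1000 host=WS01 id=4624 LogonType=2 TargetUserName=alice LogonProcessName=User32 IpAddress=-
ts=1010 host=WS01 id=4624 LogonType=9 TargetUserName=alice LogonProcessName=Advapi IpAddress=-
ts=1010 host=WS01 id=4648 LogonType=- TargetUserName=da_admin LogonProcessName=- IpAddress=-
ts=1016 host=DC01 id=4624 LogonType=3 TargetUserName=da_admin LogonProcessName=NtLmSsp IpAddress=10.0.0.5
ts=1020 host=DC01 id=4624 LogonType=3 TargetUserName=svc_backup LogonProcessName=Kerberos IpAddress=10.0.0.9
ts=1900 host=DC01 id=4624 LogonType=3 TargetUserName=bob LogonProcessName=NtLmSsp IpAddress=10.0.0.5
"""

# Constructed asset inventory (assumption): the address each workstation logs on from.
HOST_IPS: Dict[str, str] = {"WS01": "10.0.0.5", "WS02": "10.0.0.7"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_events(text: str) -> List[dict]:
    """Parse the flat export into dicts; ts/id become ints, LogonType becomes int or None for '-'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = dict(_KV.findall(line))
        ev["ts"] = int(ev["ts"])
        ev["id"] = int(ev["id"])
        ev["LogonType"] = int(ev["LogonType"]) if ev["LogonType"].isdigit() else None
        events.append(ev)
    return events


def new_credentials_logons(events: List[dict]) -> List[dict]:
    """4624 with logon type 9: a process created a token carrying alternate outbound credentials."""
    return [e for e in events
            if e["id"] == 4624 and e["LogonType"] == LOGON_TYPE_NEW_CREDENTIALS]


def supplied_account(events: List[dict], src: dict, window_s: int = 5) -> str:
    """The type-9 event names the caller, not the supplied account; 4648 on the same host does."""
    for e in events:
        if (e["host"] == src["host"] and e["id"] == 4648
                and 0 <= e["ts"] - src["ts"] <= window_s):
            return e["TargetUserName"]
    return "?"


def correlate_remote_use(events: List[dict], host_ips: Dict[str, str],
                         window_s: int = 300) -> List[Tuple[dict, str, dict]]:
    """Pair each type-9 logon with network logons on other hosts arriving from the source's
    address shortly afterwards: the moment the impersonated token is used against the remote machine."""
    hits = []
    for src in new_credentials_logons(events):
        src_ip = host_ips.get(src["host"])
        for e in events:
            if (e["id"] == 4624 and e["LogonType"] == LOGON_TYPE_NETWORK
                    and e["host"] != src["host"] and e["IpAddress"] == src_ip
                    and 0 <= e["ts"] - src["ts"] <= window_s):
                hits.append((src, supplied_account(events, src), e))
    return hits


if __name__ == "__main__":
    for src, acct, tgt in correlate_remote_use(parse_events(SAMPLE_EVENTS), HOST_IPS):
        print(f"{src['host']}: {src['TargetUserName']} obtained a NewCredentials token for {acct}; "
              f"used against {tgt['host']} as {tgt['TargetUserName']} at ts={tgt['ts']}")
```

Type-9 logons also occur for legitimate runas /netonly use, so the correlation with a network logon on a domain controller from the same workstation is what raises the priority, not the type-9 event alone.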



 * Tags: Dev, PT, RedTeam
