Windows Forensics Net Session Lab

Net Sessions is a command line utility that demonstrates for you what sessions are running and how permissions play a significant part in executing that command.  So you’ll learn the correct logon protocol to execute it. The Net File lab shows what you can do remotely to confirm if host sessions are running, when to force a session disconnection, and how to use the utility to monitor for unauthorized open sessions on your network by probing to see what running and why. [toggle_content title="Transcript"] Hi, Leo Dregier here. I want to thank everyone for all of the connecting, the commenting. Uh, this thing’s really starting to come together, so I just want to extend my personal thanks. I want to show you a couple tools here. Uh, I’m going to do a net sessions, okay? And it says zero – um, system error 5 has occurred. Access is denied. So what does that mean? Does that mean you give up? Well, let’s get around that error, okay? So let’s just do something simple. CMD, let’s try – whoops. Not that one. It’s, uh, force of habit, folks. I go through these relatively quickly here by, uh, uh, subconscious level here. So let’s do CMD. Don’t hit Enter. And I want you to right click the program and do a Run as administrator, okay? So even though I’m logged as administer, I’m now choosing to run it as administrator. Net sessions and it says, “There are no entries in the list.” That’s much, much, much different than, um, “Access is denied,” okay? So let’s say that you didn’t know what that was, okay? Let’s go to Google, net sessions. Now we could obviously pull Help Files or something like that, but in this case, we could just do, uh, right to TechNet. And I try to give you a variety of different ways in which you can find the answers to your questions. This manages the server computer connections. This command has actually been around for quite some time. Uh, I’ve used it sense the Windows NT 4.0 days. “Used without permission, net session displays information about all sessions on the local computer.” So you’ve got net session, computer name, and then delete. Hmm, okay, great to know. Let’s try that, okay. And we’re going to go get rid of the “Access is denied.” So let’s find out, uh – let me ask you. How will we find out our computer name? If you were thinking host name, you were correct, alright. So net sessions, back slash, back slash, uh, CEH-Windows 7, boom. “This session does not exist with that computer name.” Uh, you can do, uh, NET HELPMSG if you want. Uh, I find it much easier here just to, kind of, go over and keep reading the Help File. Uh, and actually, it’s net session. Not net sessions. Let’s try that. Uh, nope, no different there, okay. “Using net session can result in a loss of data. You might want to warn users before you disconnect them.” Okay, so what it sounds like it’s doing is it – if another computer is connected to my computer, then we can delete or remove their session. In other words, force them to log off. Well, when would you want to force a whole bunch of people to auto disconnect? How about if you were rebooting a server? Would you want to reboot – remove everybody? See if anybody kicks and screams? See if there’s just idle connections in the list, um, or force everybody off of it? Well, in a production environment, we always have to go through change control if you want to do something as simple as reboot a server. However, there are certain instances where if nobody’s using it or if it’s in the middle of the night, uh, and change control is not available, and you do need to do a quick reboot for whatever sess – uh, uh, whatever you want, okay, you can do a net sessions, and see who has an active session. And basically, see how long they’ve been idle on their session with the computer. That way, if you reboot the server, chances are when they come in the next morning, they just have to reconnect, and they’ll never skip a beat. Now, of course it’s also going to depend on, you know, what’s the role of the computer, computer. If it’s, uh, the main control or log on server, that’s clearly going to have a different impact if it’s just something as a file, or a print server, or something like that. So nonetheless, I want everybody to know that, that the command exists. It’s net sessions. It views who’s connected to your computer. And it’s a great way of, basically, just probing the network and seeing how busy some of that, uh, session traffic is. Now if you really wanted to, you know, throw me here, somebody should write a version of this in a graphical format. Something like an EtherApe so you could see, you know, all of the connections in a visual format, and see people adding and dropping and everything like that. Uh, that would be a great graduate project if you ask me, especially for a forensics tool. Alright, so my name’s Leo Dregier. Thank you for watching, and I’ll see you all in the comments. Be sure to comment, share, and ask questions because this is the place where learning happens. [/toggle_content]
Recommended Study Material
Learn on the go.
The app designed for the modern cyber security professional.
Get it on Google Play Get it on the App Store

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?