Hacking Tools

LogHunter – A Revolutionary Tool For Session Detection via Event Logs

Opsec tool for finding user sessions by analyzing event log files through RPC (MS-EVEN).

I was once doing a very complex project where there were over 1000 hosts in the infrastructure.

I needed to detect the user session. Running Invoke-UserHunter would have been a huge mistake.

That’s when I came up with the idea that we could extract all the information we needed from Event Logs.

That’s how the LogHunter tool came into being. The tool is able to extract the following events via MS-EVEN protocol: 4624: “An account was successfully logged on.”, 4768: “A Kerberos authentication ticket (TGT) was requested.”, 4672: “Special privileges assigned to new logon.”, 4769: “A Kerberos service ticket (TGS) was requested.”.

These events will give us information about which computer the target user is on. Then hijack that computer and take control of the user.

Requirements

You only have to install impacket. Other modules (e.g. logging, argparse, sys, struct, Queue, Thread, datetime) are standard Python libraries and are installed with Python.

pip install impacket

Usage

See demo video at the end of the README.md 🙂

To use the tool, all you need to do is pass credentials as you would to a regular impacket tool:

python LogHunter.py OFFICE/Administrator:lolkekcheb123!@dc01.office.pwn

After that, the tool will start receiving events from the target computer (in this case, from dc01.office.pwn), writing them to the events.log file (can be overridden with the -outfile parameter).

You can then search for the file using find.sh. You can search by user name, by EventID, or by computer name – whatever you prefer.

./find.sh -file events.log -searchkeyword Administrator
Varshini

Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.

Recent Posts

How to Install Docker on Ubuntu (Step-by-Step Guide)

Docker is a powerful open-source containerization platform that allows developers to build, test, and deploy…

23 hours ago

Uninstall Docker on Ubuntu

Docker is one of the most widely used containerization platforms. But there may come a…

23 hours ago

Admin Panel Dorks : A Complete List of Google Dorks

Introduction Google Dorking is a technique where advanced search operators are used to uncover information…

2 days ago

Log Analysis Fundamentals

Introduction In cybersecurity and IT operations, logging fundamentals form the backbone of monitoring, forensics, and…

3 days ago

Networking Devices 101: Understanding Routers, Switches, Hubs, and More

What is Networking? Networking brings together devices like computers, servers, routers, and switches so they…

4 days ago

Sock Puppets in OSINT: How to Build and Use Research Accounts

Introduction In the world of Open Source Intelligence (OSINT), anonymity and operational security (OPSEC) are…

4 days ago