{
	"id": "ee349a6a-d905-47c1-ac07-8537bb2c6f68",
	"created_at": "2026-04-06T00:09:21.872672Z",
	"updated_at": "2026-04-10T03:20:23.92463Z",
	"deleted_at": null,
	"sha1_hash": "f0c93f0e229a5e5da883a6fd6e69573d09dbf17a",
	"title": "GitHub - Arvanaghi/SessionGopher: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 68144,
	"plain_text": "GitHub - Arvanaghi/SessionGopher: SessionGopher is a\r\nPowerShell tool that uses WMI to extract saved session\r\ninformation for remote access tools such as WinSCP, PuTTY,\r\nSuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be\r\nrun remotely or locally.\r\nBy Arvanaghi\r\nArchived: 2026-04-05 13:18:07 UTC\r\nCopyright 2017 FireEye, created by Brandon Arvanaghi (@arvanaghi)\r\nLicensed under the Apache License, Version 2.0 (the \"License\"); you may not use this file except in compliance\r\nwith the License. You may obtain a copy of the License at\r\nhttp://www.apache.org/licenses/LICENSE-2.0\r\nUnless required by applicable law or agreed to in writing, software distributed under the License is distributed on\r\nan \"AS IS\" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\r\nSee the License for the specific language governing permissions and limitations under the License.\r\nQuietly digging up saved session information for PuTTY, WinSCP, FileZilla, SuperPuTTY, and\r\nRDP\r\nSessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It\r\nhas WMI functionality built in so it can be run remotely. Its best use case is to identify systems that may connect\r\nto Unix systems, jump boxes, or point-of-sale terminals.\r\nSessionGopher works by querying the HKEY_USERS hive for all users who have logged onto a domain-joined box\r\nat some point. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. It\r\nautomatically extracts and decrypts WinSCP, FileZilla, and SuperPuTTY saved passwords. 
When run in Thorough\r\nmode, it also searches all drives for PuTTY private key files (.ppk) and extracts all relevant private key\r\ninformation, including the key itself, as well as for Remote Desktop (.rdp) and RSA (.sdtid) files.\r\nUsage\r\n-Thorough: searches all drives for PuTTY private key (.ppk), Remote Desktop Connection (.rdp), and RSA\r\n(.sdtid) files.\r\n-o: outputs the data to a folder of .csv files\r\nhttps://github.com/Arvanaghi/SessionGopher\r\n-iL: provide a file with a list of hosts to run SessionGopher against, each host separated by a newline. Provide the\r\npath to the file after -iL .\r\n-AllDomain: SessionGopher will query Active Directory for all domain-joined systems and run against all of\r\nthem.\r\n-Target: a specific host you want to target. Provide the target host after -Target .\r\nTo run locally\r\n. .\\SessionGopher.ps1\r\nInvoke-SessionGopher -Thorough\r\nTo run remotely (-iL, -AllDomain, -Target)\r\nTo run remotely, you can provide a privileged account's credentials for the remote system using the -u and\r\n-p flags. If you omit the -u and -p flags, SessionGopher will run under the security context of the account\r\nfrom which you run the script (e.g. if you are already logged in as a DA account, or logged in as an account that is\r\nlocal admin for the target system, or doing a runas with either of the two, you won't need to supply credentials).\r\nImport-Module path\\to\\SessionGopher.ps1;\r\nInvoke-SessionGopher -AllDomain -u domain.com\\adm-arvanaghi -p s3cr3tP@ss\r\nor\r\nImport-Module path\\to\\SessionGopher.ps1;\r\nInvoke-SessionGopher -iL computerlist.txt -u domain.com\\adm-arvanaghi -p s3cr3tP@ss -o\r\nor\r\nImport-Module path\\to\\SessionGopher.ps1;\r\nInvoke-SessionGopher -Target brandonArvanaghi_win7 -Thorough\r\nAny of these commands can be coupled with -Thorough , but note that it takes significantly longer as it queries\r\nthe entire remote filesystem. 
It is not recommended you run in -Thorough mode when querying more than a\r\nsmall set of systems at a time.\r\nRunning remotely by adding -o (print to CSV) works nicely, as SessionGopher will accumulate all sessions it\r\nfinds and tell you exactly where it found that saved session.\r\nTo write to CSV (whether remote or local)\r\nTo have SessionGopher create a folder to neatly contain .csvs of the extracted sessions:\r\nImport-Module path\\to\\SessionGopher.ps1;\r\nInvoke-SessionGopher -AllDomain -o\r\n... that's it.\r\nAccessing the saved session information for every user in HKEY_USERS requires local admin privileges. Without\r\nlocal admin privileges, you will still receive saved session information for that user.\r\nSample output (-Thorough):\r\n[+] Digging on Win7-Arvanaghi ...\r\nWinSCP Sessions\r\nSession : admin-anthony@198.273.212.334\r\nHostname : 198.273.212.334\r\nUsername : admin-anthony\r\nPassword : Super*p@ssw0rd\r\nSession : Freddy@204.332.455.213\r\nHostname : 204.332.455.213\r\nUsername : Freddy\r\nPassword : angelico1892\r\nFileZilla Sessions\r\nName : BarrySite\r\nPassword : imr34llytheFl@sh\r\nHost : 10.8.30.21\r\nUser : BarryAllen\r\nProtocol : Use FTP over TLS if available\r\nAccount : BarryAllenAccount\r\nPort : 22\r\nPuTTY Sessions\r\nSession : PointOfSaleTerminal\r\nHostname : 10.8.0.10\r\nPuTTY Private Key Files (.ppk)\r\nPath : C:\\Users\\Brandon Arvanaghi\\Documents\\mykey.ppk\r\nProtocol : ssh-rsa\r\nComment : rsa-key-20170116\r\nPrivate Key Encryption : none\r\nPrivate Key : {AAABAEazxtDz6E9mDeONOmz07sG/n1eS1pjKI8fOCuuLnQC58LeCTlysOmZ1/iC4, g4HyRpmdKJGhIxj66/RQ\r\n nCMaZkySr4R4Z/E+l1JOzXaHh5WQ2P0K4YM1/6XG6C4VzDjvXwcY67MYsobTeCR2...}\r\nPrivate MAC : b7e47819fee39a95eb374a97f939c3c868f880de\r\nMicrosoft Remote Desktop (RDP) Sessions\r\nHostname : us.greatsite.com\r\nUsername : Domain\\tester\r\nMicrosoft Remote 
Desktop .rdp Files\r\nPath : C:\\Users\\Brandon Arvanaghi\\Desktop\\config\\PenTestLab-Win.RDP\r\nHostname : dc01.corp.hackerplaypen.com\r\nGateway : rds01.corp.hackerplaypen.com\r\nPrompts for Credentials : No\r\nAdministrative Session : Does not connect to admin session on remote host\r\nWritten by Brandon Arvanaghi (@arvanaghi)\r\nThis code was initially developed at FireEye. However, any subsequent update is done by the author outside of\r\nFireEye.\r\nSource: https://github.com/Arvanaghi/SessionGopher",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://github.com/Arvanaghi/SessionGopher"
	],
	"report_names": [
		"SessionGopher"
	],
	"threat_actors": [],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775791223,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f0c93f0e229a5e5da883a6fd6e69573d09dbf17a.pdf",
		"text": "https://archive.orkl.eu/f0c93f0e229a5e5da883a6fd6e69573d09dbf17a.txt",
		"img": "https://archive.orkl.eu/f0c93f0e229a5e5da883a6fd6e69573d09dbf17a.jpg"
	}
}