SharpSploit v1.6 releases: a .NET post-exploitation for red teamers

by do son · Published December 20, 2018 · Updated January 29, 2023

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favorite of mine! While SharpSploit does port over some functionality from PowerSploit, my intention is not at all to create a direct port of PowerSploit. SharpSploit will be its own project, albeit with similar goals to PowerSploit.

SharpSploit.Credentials

SharpSploit.Credentials.Mimikatz

Command() – Loads the Mimikatz PE with PE.Load() and executes a chosen Mimikatz command.

LogonPasswords() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve plaintext passwords from LSASS. Equates to Command("privilege::debug sekurlsa::logonPasswords"). (Requires Admin)

SamDump() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve password hashes from the SAM database. Equates to Command("privilege::debug lsadump::sam"). (Requires Admin)

LsaSecrets() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve LSA secrets stored in registry. Equates to Command("privilege::debug lsadump::secrets"). (Requires Admin)

LsaCache() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve Domain Cached Credentials hashes from registry. Equates to Command("privilege::debug lsadump::cache"). (Requires Admin)

Wdigest() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve Wdigest credentials from registry. Equates to Command("sekurlsa::wdigest").

All() – Loads the Mimikatz PE with PE.Load() and executes each of the above builtin, local credential dumping commands. (Requires Admin)

DCSync() – Loads the Mimikatz PE with PE.Load() and executes the “dcsync” module to retrieve the NTLM hash of a specified (or all) Domain user. (Requires Domain Admin (or equivalent rights))

PassTheHash() – Loads the Mimikatz PE with PE.Load() and executes the “pth” module to start a new process as a user using an NTLM password hash for authentication. (Requires Admin)

Changelog v1.6

Added

Added ManualMapping functions (credit @b33f, @TheWover)
Added ModuleOverloading functions (credit @b33f)
Added Syscall stub function (credit @b33f)
Added SharpSploit.Execution.Injection namespace (credit @TheWover)
Added SharpSploit.Pivoting namespace, reverse port forwarding (credit @rasta-mouse)