SharpSploit: a .NET post-exploitation library for red teamers

SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red teamers.

SharpSploit is named, in part, as a homage to the PowerSploit project, a personal favourite of mine! While SharpSploit does port over some functionality from PowerSploit, my intention is not at all to create a direct port of PowerSploit. SharpSploit will be its own project, albeit with similar goals to PowerSploit.

SharpSploit

SharpSploit.Credentials

SharpSploit.Credentials.Mimikatz

  • Command() – Loads the Mimikatz PE with PE.Load() and executes a chosen Mimikatz command.
  • LogonPasswords() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve plaintext passwords from LSASS. Equates to Command("privilege::debug sekurlsa::logonPasswords"). (Requires Admin)
  • SamDump() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve password hashes from the SAM database. Equates to Command("privilege::debug lsadump::sam"). (Requires Admin)
  • LsaSecrets() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve LSA secrets stored in registry. Equates to Command("privilege::debug lsadump::secrets"). (Requires Admin)
  • LsaCache() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve Domain Cached Credentials hashes from registry. Equates to Command("privilege::debug lsadump::cache"). (Requires Admin)
  • Wdigest() – Loads the Mimikatz PE with PE.Load() and executes the Mimikatz command to retrieve Wdigest credentials from registry. Equates to Command("sekurlsa::wdigest").
  • All() – Loads the Mimikatz PE with PE.Load() and executes each of the above built-in, local credential dumping commands. (Requires Admin)
  • DCSync() – Loads the Mimikatz PE with PE.Load() and executes the “dcsync” module to retrieve the NTLM hash of a specified (or all) Domain user. (Requires Domain Admin (or equivalent rights))
  • PassTheHash() – Loads the Mimikatz PE with PE.Load() and executes the “pth” module to start a new process as a user using an NTLM password hash for authentication. (Requires Admin)

Download && Use

Copyright 2018, Ryan Cobb (@cobbr_io)
