  • Stars: 571
  • Rank: 78,127 (Top 2 %)
  • Language: C#
  • License: BSD 3-Clause "New...
  • Created about 4 years ago
  • Updated almost 2 years ago


Repository Details

.Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py

SharpSecDump

.Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py. By default runs in the context of the current user. Please only use in environments you own or have permission to test against :)

Usage

SharpSecDump.exe -target=192.168.1.15 -u=admin -p=Password123 -d=test.local

Required Flags

  • -target - Comma-separated list of IPs / hostnames to scan. Please don't include spaces between addresses. Can also dump hashes on the local system by setting target to 127.0.0.1.

Optional Flags

  • -u - Username to use, if you want to use alternate credentials to run. Must use with -p and -d flags
  • -p - Plaintext password to use, if you want to use alternate credentials to run. Must use with -u and -d flags
  • -d - Domain to use, if you want to use alternate credentials to run (. for local domain). Must use with -u and -p flags
  • -threads - Threads to use to concurrently enumerate multiple remote hosts (Default: 10)
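The flag rules above (required -target, no spaces in the target list, -u/-p/-d only as a set, numeric -threads defaulting to 10) are easy to get wrong in a hand-rolled parser. The following C# snippet is an added example written for this page, not SharpSecDump's own argument-handling code; the type names SecDumpOptions and SecDumpArgs are hypothetical. It parses the -name=value form shown in the Usage line and rejects every combination the README says is invalid.

```csharp
// Added example (not SharpSecDump's own code): parse and validate the
// README's flag set. Type and method names are hypothetical.
using System;
using System.Collections.Generic;
using System.Linq;

public sealed class SecDumpOptions
{
    public List<string> Targets { get; } = new List<string>();
    public string User;      // -u
    public string Password;  // -p
    public string Domain;    // -d ("." means the local machine)
    public int Threads = 10; // README default
    public bool UseAlternateCreds => User != null;
}

public static class SecDumpArgs
{
    public static SecDumpOptions Parse(string[] args)
    {
        var opts = new SecDumpOptions();
        foreach (var arg in args)
        {
            int eq = arg.IndexOf('=');
            if (!arg.StartsWith("-") || eq < 2)
                throw new ArgumentException("flags take the form -name=value: " + arg);
            string name = arg.Substring(1, eq - 1).ToLowerInvariant();
            string value = arg.Substring(eq + 1);

            switch (name)
            {
                case "target":
                    // README: comma-separated, no spaces between addresses
                    if (value.Any(char.IsWhiteSpace))
                        throw new ArgumentException("-target must not contain spaces");
                    opts.Targets.AddRange(value.Split(',').Where(t => t.Length > 0));
                    break;
                case "u": opts.User = value; break;
                case "p": opts.Password = value; break;
                case "d": opts.Domain = value; break;
                case "threads":
                    if (!int.TryParse(value, out int n) || n < 1)
                        throw new ArgumentException("-threads must be a positive integer");
                    opts.Threads = n;
                    break;
                default:
                    throw new ArgumentException("unknown flag: -" + name);
            }
        }

        if (opts.Targets.Count == 0)
            throw new ArgumentException("-target is required");

        // -u, -p and -d are optional but must be given together
        int credFlags = new[] { opts.User, opts.Password, opts.Domain }.Count(v => v != null);
        if (credFlags != 0 && credFlags != 3)
            throw new ArgumentException("-u, -p and -d must be used together");

        return opts;
    }

    // Exercise the parser with the README's own usage line plus two bad inputs.
    public static void Main()
    {
        var ok = Parse(new[] { "-target=192.168.1.15", "-u=admin", "-p=Password123", "-d=test.local" });
        Console.WriteLine($"targets={string.Join("|", ok.Targets)} altCreds={ok.UseAlternateCreds} threads={ok.Threads}");

        foreach (var bad in new[]
        {
            new[] { "-target=10.0.0.1, 10.0.0.2" },   // space inside the list
            new[] { "-target=10.0.0.1", "-u=admin" }, // -u without -p and -d
        })
        {
            try { Parse(bad); Console.WriteLine("unexpectedly accepted"); }
            catch (ArgumentException e) { Console.WriteLine("rejected: " + e.Message); }
        }
    }
}
```

The first call prints a single target with alternate credentials and the default thread count of 10; the two malformed argument sets are rejected with the README's rule quoted in the message.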

Notes

The project has been tested against Windows 7, Windows 10, Server 2012, and Server 2016. Older versions (Windows 2003 / XP) may not work with this tool.

By default, if you're attempting to dump hives from your local system, you'll need to be running from a high-integrity context. However, this is not necessary when targeting remote systems.

This currently supports SAM + SECURITY registry hive dumping to retrieve cached credential data. However, it does not support NTDS.dit parsing / dcsync yet. If you're looking for dcsync functionality in a .Net project I recommend sharpkatz.

If a system is configured to disallow RPC over TCP (so that RPC over named pipes is required; this is not a default setting), there is a 21s delay before Windows falls back to RPC/NP, but the connection is still allowed. This appears to be a limitation of using API calls that leverage the SCManager to remotely bind to services.

Credits

This code is a port of functionality from impacket by @agsolino and pypykatz by @skelsec. All credit goes to them for the original steps to parse and decrypt info from the registry hives.

The registry hive structures used are from gray_hat_csharp_code by @BrandonPrry.

Finally, the original idea for the script was based on a partial port I was working on of Posh_SecModule by @Carlos_Perez; a good chunk of the initial SAM parsing code came from that project.

More Repositories

  1. SharpTransactedLoad (C#, 157 stars) - Load .net assemblies from memory while having them appear to be loaded from an on-disk location.
  2. PowerPriv (PowerShell, 123 stars) - A Powershell implementation of PrivExchange designed to run under the current user's context.
  3. GetWebDAVStatus (C, 117 stars) - Determine if the WebClient Service (WebDAV) is running on a remote system.
  4. wmiServSessEnum (C#, 32 stars) - .net tool that uses WMI queries to enumerate active sessions and accounts configured to run services on remote systems.
  5. DayBird (C#, 26 stars) - Extension functionality for the NightHawk operator client.
  6. backdoorLnkMacroStagerObfuscated (Python, 17 stars) - Obfuscated Powershell Empire 2.x stager that allows for creation of a macro which uses VBA to backdoor .lnk files on the system. This is done to obtain a shell via follow-up user interaction natively through powershell, in order to evade tools that monitor process execution. Backdoors are self-cleaning on execution.
  7. PreliminaryBackdoorLnkMacroStager (Python, 5 stars) - Original testing version of the backdoorLnkMacroStager; please reference backdoorLnkMacroStagerObfuscated or backdoorLnkMacroStagerCellEmbed for current versions.
  8. backdoorLnkMacroStagerCellEmbed (Python, 5 stars) - Powershell Empire 2.x stager that allows for creation of a macro which uses VBA to backdoor .lnk files on the system. This is done to obtain a shell via follow-up user interaction natively through powershell, in order to evade tools that monitor process execution. Data is embedded in .xls cells and called in the macro to evade detection. Backdoors are self-cleaning on execution.
  9. Service-Executable-Permissions-Checker (PowerShell, 3 stars)