• Stars
    star
    306
  • Rank 136,456 (Top 3 %)
  • Language
    C#
  • License
    GNU General Publi...
  • Created over 4 years ago
  • Updated 11 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Asynchronous Password Spraying Tool in C# for Windows Environments

Overview

SharpHose is a C# password spraying tool designed to be fast, safe, and usable over Cobalt Strike's execute-assembly. It provides a flexible way to interact with Active Directory using domain-joined and non-joined contexts, while also being able to target specific domains and domain controllers. SharpHose takes into consideration the domain password policy, including fine grained password policies, in an attempt to avoid account lockouts. Fine grained password policies are enumerated for the users and groups that that the policy applies to. If the policy applied also to groups, the group users are captured. All enabled domain users are then classified according to their password policies, in order of precedence, and marked as safe or unsafe. The remaining users are filtered against an optional user-supplied exclude list.

Besides just spraying, red team operators can view all of the password policies for a domain, all the users affected by the policy, or just view the enabled domain users. Output can be sent directly to the console or to a user-supplied output folder.

Follow me on Twitter for some more tool releases soon! @ustayready

Nozzles

Nozzles are built-in methods of spraying. While currently only supporting one Nozzle (LDAP), it's written in a way that makes it easily extendable.

LDAP

Active Directory spraying nozzle using the LDAP protocol

  • Asynchronous spraying for faster, but not too fast, results

  • Domain joined and non-joined spraying

  • Tight integration w/ domain password policies and fine grained password policies

  • Smart lockout prevention (lockoutThreshold n-1 just to be safe)

  • Optionally spray to specific domains and domain controllers

  • View password policies and the affected users

Coming soon!

  • MSOL

  • OWA/EWS

  • Lync

Compilation

  • Built using Visual Studio 2019 Community Edition

  • .NET Framework 4.5

Usage Examples

Cobalt Strike Users

Be sure to use the --auto to avoid the interactive prompts in SharpHose. Also, prepare your arguments locally so you can read the description before running. If you don't pass any arguments over execute-assembly, then SharpHose throws a "Missing Argument Exception" and Cobalt Strike won't return any output. You will know this is happening when you see [-] Invoke_3 on EntryPoint failed. This will be fixed eventually.

Domain Joined Spray w/o Interaction SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto

Domain Joined Spray w/ Exclusions SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --exclude c:\temp\exclusion_list.txt

Non-Domain Joined Spray SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --domain lab.local --username demo --password DemoThePlanet --output c:\temp\

Domain Joined Show Policies Active Directory stores durations in negative large integer values which need to lapse after the last lockoutThreshold is exceeded. In future versions these will be formatted cleaner. SharpHose.exe --action GET_POLICIES --output c:\temp\

Domain Joined Show Policy Users SharpHose.exe --action GET_POLICY_USERS --policy lab --output c:\temp\

Domain Joined Show All Users SharpHose.exe --action GET_ENABLED_USERS --output c:\temp\

Domain Joined Spray Using Cobalt Strike execute-assembly /path/to/SharpHose.exe --action SPRAY_USERS --spraypassword Spring2020! --output c:\temp\ --auto

Shout-Outs

More Repositories

1

fireprox

AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation
Python
1,857
star
2

CredSniper

CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating which supports capturing 2FA tokens.
HTML
1,310
star
3

CredKing

Password spraying using AWS Lambda for IP rotation
Python
566
star
4

python-pentesting

Just a repo of random Python scripts to get pentesters started with the Python language on engagements.
Python
209
star
5

golddigger

Python
180
star
6

CasperStager

PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
C#
146
star
7

cloudgpt

Vulnerability scanner for AWS customer managed policies using ChatGPT
Python
141
star
8

wnfexec

WNF Code Execution Library Using C#
C#
108
star
9

ShredHound

Small utility to chunk up a large BloodHound JSON file into smaller files for importing.
Python
81
star
10

DirectAI

ChatGPT queries via OpenAI API in your terminal
Python
60
star
11

CloudBurst

CloudBurst is a red team framework for interacting with cloud providers to capture, compromise, and exfil data.
36
star
12

roguerdp

33
star
13

outpost

AWS Testing and Reporting Management Tool
Python
20
star
14

android-app-recovery

Scripts to parse large Android binary images and extracts deleted data from apps
Python
13
star
15

mavd

Mobile Application Vulnerability Detection
Python
12
star
16

physical-analyzer-scripts

Cellebrite Physical Analyzer python scripts to aid analysts with extended functionality
Python
8
star
17

googlerecon

Google Recon for Pentesting
Python
6
star
18

pynse

NSE to launch Python Scripts
Python
5
star
19

qrwifi

QRCode Wifi Generator
Python
3
star
20

forensicpy

Library for performing mobile device decoding for nibbles and 7-bit decoding
Python
3
star
21

pyslite

Script for performing SQLite database to Excel workbook conversions
Python
3
star
22

XtoTwitter

JavaScript
2
star
23

polk-sheriff-arrests

Downloads all the arrests from 1990-2017 from Polk County Sheriffs Office
Python
2
star
24

digraph

A digraph plotter for sequential byte visualization
Python
2
star
25

ipsubcon

IP Subnet Converter
Python
1
star
26

stayready.github.io

Personal Github IO Website
HTML
1
star
27

CasperWNF

Simple UI for creating, subscribing, updating, querying, and fuzzing Windows WNF state names.
1
star