Skip to content
This repository has been archived by the owner on Aug 26, 2024. It is now read-only.

Latest commit

 

History

History
507 lines (312 loc) · 18.2 KB

README.md

File metadata and controls

507 lines (312 loc) · 18.2 KB

SharpUtils

A collection of C# utilities intended to be used with Cobalt Strike's execute-assembly.

When feasible, I have tried to emulate native Windows output formats for matching commands to aid potential text parsing and reduce the learning curve for users familiar with Windows commands. One caveat to this is that the word "DONE" is printed at the end of every execution; this is to provide confirmation that the command completed successfully and all data was received.

Compilation

Open a PowerShell prompt and run the included make.ps1 script. This will create a bin\ directory containing the compiled executables; no fancy IDE required.

Whenever possible, the oldest version of .NET is used for compatibility with older systems.

I opted to use the C# Command-Line Compiler (csc.exe) instead of Visual Studio to lower the barrier to entry. That is, users should be able to simply clone the repo and build the utilities with little to no configuration, rather than having to download, install, and configure a full development suite.

Credits

Much of this code is derived from online examples. Where applicable, sources are listed as comments in the code.

Utilities


arp.exe

Displays cached mappings between IP addresses and MAC addresses

Usage

arp.exe [/?]

auditpol.exe

Displays the computer's auditing policy (i.e., what actions will be logged)

Requires administrative privileges

Usage

auditpol.exe [/?]

check_sig.exe

Checks whether an EXE/DLL is signed and, if so, validates the signature.

Usage

check_sig.exe [/online] <path_to_exe/dll> [...] [/?]

Examples

PS> .\check_sig_4.0.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" "C:\Windows\System32\cmd.exe"
[*] [CheckSign] Checking 2 files

[*] [CheckSign] File 1: C:\Program Files\Google\Chrome\Application\chrome.exe
    [*] Digital signature found
        Publisher  : CN=Google LLC, O=Google LLC, L=Mountain View, S=California, C=US
        Valid From : 7/1/2021 20:00:00 PM
        Valid To   : 7/10/2024 19:59:59 PM
        Issued By  : CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
    [+] Signature valid!

[*] [CheckSign] File 2: C:\Windows\System32\cmd.exe
    [-] [CheckSign] No digital signature found!


DONE

create_process.exe

Uses WMI to execute a command on the specified remote host

Uses WMI

Requires administrative privileges on the remote host

Usage

create_process.exe <host> <full_path_to_exe_on_remote_host> <executable_arguments>

dsquery.exe

Queries directory services (e.g., Active Directory). Only complex queries (dsquery *) are supported at this time, and the -filter option is required.

  • Can provide a space-delimited list of attributes to return or * to get all attributes. If the -attr argument is omitted, it defaults to -attr *
  • Can optionally limit the number of results returned using -limit #
  • Can optionally query a specified server (-s) or domain (-d); if both are provided, it will default to the specified server
  • Outputs in native table format by default (unless -attr * is specified, in which case list format is used); list format can be specified using the -l option. A -t option prints in table format with ASCII borders around each cell.
  • Can optionally provide a username and password to use for the query (-u and -p, respectively)
  • Can optionally provide a start node such as a specific OU; forestroot and domainroot are NOT supported at this time
  • Can optionally provide an output filepath (-o) where the results will be written; the -b option allows users to specify a buffer size in MB for the file writer

The number of results returned by the search will be printed at the top of the output; while this deviates from the native output format, it can be very useful to help gauge the size of your query. Similarly the -c (count only) option was included for this reason.

This can be run without administrative privileges from any system that can communicate with directory services on the intended target. If run from a domain-joined host, it will automatically run against the current domain unless the -s or -d options are specified. If run from a host that is not joined to a domain, the -s or -d options must be specified. The -u and -p options may be required as well if not running with domain credentials (e.g., from a runas session).

Usage

dsquery * [startNode] -filter <filter_string> [-attr <attributes>] [-limit <number>] [-c | -l | -t] [[-s <server>] | [-d <domain>]] [-u <UserName>] [-p <password>] [-b <buffer_size_in_MB>] [-o <output_file>] [/?]

    [startNode]             Optional start node (e.g., specific OU; forestroot and domainroot
                            are NOT supported at this time)
    -filter <filter>        Standard dsquery filter string
    -attr <attributes>      Space-delimited list of attributes; use '*' to return all attributes
                            If omitted, defaults to '-attr *'
    -limit <number>         Limits query to <number> records
    -c                      Count only; prints the number of records returned by a search and exits
    -l                      Print in list format
    -t                      Print in table format with ASCII borders around each cell
    -s <server>             Query the specified server
    -d <domain>             Query the specified domain
    -u <username>           Authenticate using the specified username
    -p <password>           Authenticate using the specified password
    -o <output_filepath>    Write output to the specified file; will not overwrite an existing file
    -b <buffer_size>        Write to output file in 'buffer_size' chunks (specified in MB)
    /?                      Prints help

driver_list.exe

Displays info about installed drivers. Name and signer are displayed by default; normal verbose flag (/V) adds version number and DeviceID, and the very verbose flag (/VV) lists all driver properties.

Uses WMI

Usage

driver_list.exe [/V | /VV] [/?]

dump_dns.exe

Uses Active Directory Search Interface (ADSI) to dump DNS data from Active Directory. If the DNS records cannot be parsed, it will fallback to performing DNS requests for individual hostnames.

It can be run with no arguments from a domain-joined host with normal user credentials. If running from a non-domain-joined host, use the /s option to specify a server to query. The /d and /f options can be used to specify specific domains and forests to dump.

Users can optionally specify an output file using /o; if omitted, output will be written to STDOUT.

Since it queries Active Directory, it may need to be run using domain user credentials (non-privileged will suffice). If necessary and missing, a [-] ERROR: The user name or password is incorrect. message will be displayed.

Usage

dump_dns.exe [/S <dns_server>] [/D <domain_name>] [/F <forest_name>] [/T] [/O <output_filepath>] [/?]

    /T    Optionally include tombstoned values

env.exe

Displays environment variables (in alphabetical order)

Usage

env.exe [/?]

eventlog.exe

Reads events from the specified log file; optionally limit by EventID and number of events returned

Usage

eventlog.exe <log name> [/C <count>] [/E <event IDs (comma-separated, no space)>] [/?]

farm_dns.exe

Performs reverse DNS lookups on the specified range of IP addresses (IPv4 only). Opted to remove the output file support from the original design because all data was written at the end; if a user choose to end the farming early all data would be lost. Writing to STDOUT in real-time allows a user to end the farming and resume later with the IP address where they left off without losing any data.

Usage

farm_dns.exe [/T <seconds_to_sleep>] <start_IP> <end_IP> [/?]

freespace.exe

Lists logical drives, including total and available free space. Mapped drives will only be shown when freespace.exe is run within the same session or with the same credentials used to map the drive.

Usage

freespace.exe [/?]

get_chrome_tab_info.exe

Displays the URL of the current tab and the titles of all tabs in foremost Chrome window. Will NOT display information about other Chrome windows.

Currently Broken

Usage

get_chrome_tab_info.exe [/?]

get_hotfix.exe

Lists patches, optionally including verbose information such as Description, InstalledBy, and InstalledOn.

Usage

get_hotfix.exe [/S <system>] [/U [<domain>\]<username> /P <password>] [/V] [/?]

icacls.exe

Displays permissions, grouped by user/group, for each file or directory specified

Usage

icacls.exe <file_or_directory> [...] [/?]

lld.exe

Lists logical drives (using WMI), including total and available free space. Mapped drives will only be shown when lld.exe is run within the same session or with the same credentials used to map the drive. This differs from freespace.exe because it can be used against a remote system.

Uses WMI Requires administrative privileges when used against a remote host

Usage

lld.exe [system] [/?]

netstat.exe

Lists listening TCP and UDP ports, and active TCP connections (equivalent to netstat -ano); optionally writes output to a file. TCP or UDP can be specified to show only the matching data.

Uses WMI

Usage

netstat.exe [/S <system> [/U [<domain>\]<username> /P <password>]] [/O <output_filepath>] [TCP | UDP] [/?]

Examples

netstat.exe

netstat.exe udp

netstat.exe -S DC01.MGMT.LOCAL tcp

netstat.exe -S DC01.MGMT.LOCAL -U MGMT\Administrator -P password

pagegrab.exe

NOTE: This will fail against any HTTPS site that does not support SSL 3.0 or TLS 1.0; this is due to the ancient .NET versions it targets. For newer TLS versions, use SharpPageGrab instead.

Makes a web request; can be used to check external connectivity or get the content of an internal web page without going through the trouble of setting up a SOCKS proxy.

Can optionally specify the HTTP method, POST request data (if applicable), a proxy server/port, and an arbitrary number of headers.

Custom headers are supported; however, Date, Host, and If-Modified-Since are not. Headers are case sensitive and will be sent the way they are specified on the command-line. Headers must be specified in key-value pairs (header name, header value). If no User-Agent is specified, a hardcoded User-Agent string using the current version of Edge will be used; this is not perfect since the current version of Edge will not match the Chrome version, but it's probably better than sending no user-agent.

The Proxy header will always show in the printed output; however, if the value is None, no Proxy header was sent as part of the request.

The -c flag displays info about the SSL / TLS certificate. The -v flag causes the HTML contents of the page to be printed; if omitted, only the response headers will be shown.

Usage

pagegrab.exe [-p http(s)://<proxy>:<proxy_port>] [-m <method>] [-d <URL encoded POST data>] [-h <header_1_name> <header_1_value> [-h <header_2_name> <header_2_value>]] [-c] [-v] <URL> [/?]
  -c  Display the SSL / TLS certificate
  -v  Print the HTML contents of the response

Examples

pagegrab.exe https://google.com -h User-Agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75"

GET https://example.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.114 Safari/537.36 Edg/89.0.774.75
pagegrab.exe https://example.com -h Referer https://www.google.com -h DNT 1 -h Cache-Control no-cache

GET https://example.com
Proxy: None
Referer: https://www.google.com
DNT: 1
Cache-Control: no-cache
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/92.0.4515.107 Safari/537.36 Edg/92.0.902.67

readfile.exe

Read the contents of a file; optionally limit to X number of lines from the beginning of the file or Y number of lines from the end

Usage

readfile.exe [+X] [-Y] <path_to_file> [/?]

tasklist_svc.exe

Lists processes, their PIDs, and their associated services (if applicable)

Uses WMI

Usage

tasklist_svc.exe [/?]

tasklist_wmi.exe

List processes on local or remote system, optionally filter by ID, name, or WQL query.

When using /FI, you must provide a Win32_Process-compatible WMI query language (WQL) condition string rather than a standard tasklist filter. You may use % as a wildcard

Verbose mode (/V) will return the user name under which the process is running; however, this uses .NET reflection (InvokeMethod) which can be slow.

Uses WMI Uses .NET Reflection Requires administrative privileges if used against a remote host and for some local tasks (i.e., retrieving user context for processes owned by other users)

Usage

tasklist_wmi.exe [/S <system> [/U [<domain>\]<username> /P <password>]] [ [/PID <processid> | /IM <imagename> | /FI <"WQL where clause">] ] [/V] [/D "<delimiter>"] [/?]

Examples

tasklist_wmi.exe /v

tasklist_wmi.exe /S 192.168.20.10 /FI "Name Like 'cmd%'"

tasklist_wmi.exe /S 192.168.20.10 /FI "CommandLine Like '%svchost%'"

tasklist_wmi.exe /S 192.168.20.10 /U Desktop-624L8K3\Administrator /P password /FI "CommandLine Like '%svchost%'"

taskkill.exe

Kills one or more processes by PID or imagename; multiple PIDs should be provided as a comma-separated list. Optionally, target a remote host and/or provide plaintext username and password from the command-line.

Uses WMI Requires administrative privileges if used against a remote host and for some local tasks (i.e., killing processes with a different owner)

Usage

taskkill.exe [/S <system> [/U [<domain>\]<username> /P <password>]] { [/PID <processid> | /IM <imagename>] } [/?]

Examples

taskkill.exe /PID 964

taskkill.exe /PID 340,1432

taskkill.exe /IM Calculator.exe

taskkill.exe /IM Calculator.exe /S 192.168.2.14

test_ad_creds.exe

Authenticates against the specified Active Directory (AD) domain using the provided username and password; indicates whether the credentials are valid or not. Can optionally specify a specific server with /S. Does not work with local credentials, only AD creds.

This WILL create a failed logon event if the credentials are not valid; use sparingly to avoid account lockout

Usage

test_ad_creds.exe [/S <server>] <domain> <username> <password> [/?]

window_list.exe

Displays a list of visible windows and their associated process.

BETA: Has only been tested locally under Medium and High Integrity accounts. SYSTEM-level access may provide information from multiple sessions, and remote access may provide results (initial testing resulted in "Network path not found" errors)

Usage

    window_list.exe [/S <host>] [/?]

wmi_query.exe

Runs the specified WMI query and displays properties in key-value pairs. The query string must be in quotes. The default server is localhost, and the default namespace is root\cimv2.

Uses WMI (...obviously)

Usage

wmi_query.exe [/S <system> [/U [<domain>\]<username> /P <password>]] [-N <namespace>] [/O <output_filepath>] [/V] "<wmi_query>" [/?]

Examples

wmi_query.exe "Select * from win32_process"

wmi_query.exe -S DC01.MGMT.LOCAL -N root\standardcimv2 "Select * from MSFT_NetTCPConnection"

wmi_query.exe -S DC01.MGMT.LOCAL -U MGMT\Administrator -P password -N root\standardcimv2 "Select * from MSFT_NetTCPConnection"

Other Resources

Below is a list of other utilities that I have collected (though not personally tested) that may be of interest.

  • Covenant - a collaborative .NET C2 framework for red teamers
  • GhostPack - a collection of security tools from Specter Ops
  • SharpView - C# implementation of harmj0y's PowerView
  • SharpSploit - a .NET post-exploitation library and spiritual successor to PowerSploit
  • SharpHound - C# Data Collector for the BloodHound Project, Version 3
  • SharpClipHistory - a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10
  • SharpGPOAbuse - a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
  • SharpGPO-RemoteAccessPolicies - a C# tool for enumerating remote access policies through group policy
  • SharpRDPCheck and SharpRDPUploader - tools for exploiting RDP
  • autorunner - emulates the Sysinternals Autoruns tool, using C# / .NET
  • taskscheduler - provides a .NET wrapper for the Windows Task Scheduler
  • .NET Binary Obfuscator / Packer

Contributors

Many thanks to my contributors!