/// <summary>
/// Gets a directory listing of a directory.
/// </summary>
/// <param name="Path">The path of the directory to get a listing of.</param>
/// <returns>SharpSploitResultList of FileSystemEntryResults.</returns>
public static SharpSploitResultList <FileSystemEntryResult> GetDirectoryListing(string Path)
{
SharpSploitResultList <FileSystemEntryResult> results = new SharpSploitResultList <FileSystemEntryResult>();
foreach (string dir in Directory.GetDirectories(Path))
{
DirectoryInfo dirInfo = new DirectoryInfo(dir);
results.Add(new FileSystemEntryResult
{
Name = dirInfo.FullName,
Length = 0,
CreationTimeUtc = dirInfo.CreationTimeUtc,
LastAccessTimeUtc = dirInfo.LastAccessTimeUtc,
LastWriteTimeUtc = dirInfo.LastWriteTimeUtc
});
}
foreach (string file in Directory.GetFiles(Path))
{
FileInfo fileInfo = new FileInfo(file);
results.Add(new FileSystemEntryResult
{
Name = fileInfo.FullName,
Length = fileInfo.Length,
CreationTimeUtc = fileInfo.CreationTimeUtc,
LastAccessTimeUtc = fileInfo.LastAccessTimeUtc,
LastWriteTimeUtc = fileInfo.LastWriteTimeUtc
});
}
return(results);
}
/// <summary>
/// Gets a directory listing of the current working directory.
/// </summary>
/// <returns>List of FileSystemEntryResults.</returns>
public static SharpSploitResultList <FileSystemEntryResult> GetDirectoryListing()
{
SharpSploitResultList <FileSystemEntryResult> results = new SharpSploitResultList <FileSystemEntryResult>();
foreach (string dir in Directory.GetDirectories(GetCurrentDirectory()))
{
results.Add(new FileSystemEntryResult(dir));
}
foreach (string file in Directory.GetFiles(GetCurrentDirectory()))
{
results.Add(new FileSystemEntryResult(file));
}
return(results);
}
/// <summary>
/// Gets a list of running processes on the system.
/// </summary>
/// <returns>List of ProcessResults.</returns>
public static SharpSploitResultList <ProcessResult> GetProcessList()
{
Process[] processes = Process.GetProcesses();
SharpSploitResultList <ProcessResult> results = new SharpSploitResultList <ProcessResult>();
foreach (Process process in processes)
{
results.Add(new ProcessResult(process.Id, 0, process.ProcessName));
}
return(results);
}
/// <summary>
/// Gets a list of running processes on the system.
/// </summary>
/// <returns>List of ProcessResults.</returns>
public static SharpSploitResultList <ProcessResult> GetProcessList()
{
var processorArchitecture = GetArchitecture();
Process[] processes = Process.GetProcesses().OrderBy(P => P.Id).ToArray();
SharpSploitResultList <ProcessResult> results = new SharpSploitResultList <ProcessResult>();
foreach (Process process in processes)
{
int processId = process.Id;
int parentProcessId = GetParentProcess(process);
string processName = process.ProcessName;
string processPath = string.Empty;
int sessionId = process.SessionId;
string processOwner = GetProcessOwner(process);
Win32.Kernel32.Platform processArch = Win32.Kernel32.Platform.Unknown;
if (parentProcessId != 0)
{
try
{
processPath = process.MainModule.FileName;
}
catch (System.ComponentModel.Win32Exception) { }
}
if (processorArchitecture == Win32.Kernel32.Platform.x64)
{
processArch = IsWow64(process) ? Win32.Kernel32.Platform.x86 : Win32.Kernel32.Platform.x64;
}
else if (processorArchitecture == Win32.Kernel32.Platform.x86)
{
processArch = Win32.Kernel32.Platform.x86;
}
else if (processorArchitecture == Win32.Kernel32.Platform.IA64)
{
processArch = Win32.Kernel32.Platform.x86;
}
results.Add(new ProcessResult
{
Pid = processId,
Ppid = parentProcessId,
Name = processName,
Path = processPath,
SessionID = sessionId,
Owner = processOwner,
Architecture = processArch
});
}
return(results);
}
/// <summary>
/// Gets a list of running processes on the system.
/// </summary>
/// <returns>List of ProcessResults.</returns>
public static SharpSploitResultList <ProcessResult> GetProcessList()
{
Process[] processes = Process.GetProcesses();
SharpSploitResultList <ProcessResult> results = new SharpSploitResultList <ProcessResult>();
foreach (Process process in processes)
{
var search = new ManagementObjectSearcher("root\\CIMV2", string.Format("SELECT ParentProcessId FROM Win32_Process WHERE ProcessId = {0}", process.Id));
var pidresult = search.Get().GetEnumerator();
pidresult.MoveNext();
var parentId = (uint)pidresult.Current["ParentProcessId"];
results.Add(new ProcessResult(process.Id, Convert.ToInt32(parentId), process.ProcessName));
}
return(results);
}
/// <summary>
/// Gets a list of active Reverse Port Forwards.
/// </summary>
/// <returns>A SharpSploitResultList of ReversePortFwdResult</returns>
/// <author>Daniel Duggan (@_RastaMouse)</author>
public static SharpSploitResultList <ReversePortFwdResult> GetReversePortForwards()
{
SharpSploitResultList <ReversePortFwdResult> reversePortForwards = new SharpSploitResultList <ReversePortFwdResult>();
foreach (ReversePortForward rportfwd in _reversePortForwards)
{
reversePortForwards.Add(new ReversePortFwdResult
{
BindAddresses = rportfwd.BindAddress.ToString(),
BindPort = rportfwd.BindPort,
ForwardAddress = rportfwd.ForwardAddress.ToString(),
ForwardPort = rportfwd.ForwardPort
});
}
return(reversePortForwards);
}
private static SharpSploitResultList <DaclResult> GetDaclResults(FileSystemSecurity SecurityEntry)
{
SharpSploitResultList <DaclResult> results = new SharpSploitResultList <DaclResult>();
foreach (FileSystemAccessRule ace in SecurityEntry.GetAccessRules(true, true, typeof(NTAccount)))
{
results.Add(new DaclResult
{
IdentityReference = ace.IdentityReference.Value,
AccessControlType = ace.AccessControlType,
FileSystemRights = ace.FileSystemRights,
IsInherited = ace.IsInherited,
InheritanceFlags = ace.InheritanceFlags,
PropagationFlags = ace.PropagationFlags
});
}
return(results);
}
/// <summary>
/// Pings specified ComputerNames to identify live systems.
/// </summary>
/// <param name="ComputerNames">ComputerNames to ping.</param>
/// <param name="Timeout">Timeout (in milliseconds) before a ComputerName is considered down.</param>
/// <param name="Threads">Number of threads with which to ping simultaneously</param>
/// <returns></returns>
public static SharpSploitResultList <PingResult> Ping(IList <string> ComputerNames, int Timeout = 250, int Threads = 100)
{
IList <string> pingAddresses = Utilities.ConvertCidrToIPs(ComputerNames).Distinct().ToList();
SharpSploitResultList <PingResult> pingResults = new SharpSploitResultList <PingResult>();
using (CountdownEvent waiter = new CountdownEvent(pingAddresses.Count))
{
object pingResultsLock = new object();
int runningThreads = 0;
foreach (string ComputerName in pingAddresses)
{
Ping ping = new Ping();
PingResult pingResult = new PingResult(ComputerName, true);
ping.PingCompleted += new PingCompletedEventHandler((sender, e) =>
{
if (e.Reply != null && e.Reply.Status == IPStatus.Success)
{
lock (pingResultsLock)
{
pingResults.Add(pingResult);
}
}
((CountdownEvent)e.UserState).Signal();
});
while (runningThreads >= Threads)
{
waiter.WaitOne();
runningThreads--;
}
try
{
ping.SendAsync(ComputerName, Timeout, waiter);
runningThreads++;
}
catch { }
}
waiter.Wait(Timeout * pingAddresses.Count);
}
return(pingResults);
}
/// <summary>
/// Get all services on a remote computer.
/// </summary>
/// <param name="ComputerName">The ComputerName of the remote machine.</param>
/// <returns>A SharpSploitResultList of ServiceResults. NULL if none found.</returns>
/// <author>Daniel Duggan (@_RastaMouse)</author>
public static SharpSploitResultList <ServiceResult> GetServices(string ComputerName)
{
try
{
SharpSploitResultList <ServiceResult> results = new SharpSploitResultList <ServiceResult>();
IEnumerable <ServiceController> services = ServiceController.GetServices(ComputerName).OrderBy(S => S.ServiceName);
foreach (ServiceController service in services)
{
results.Add(new ServiceResult
{
ServiceName = service.ServiceName,
DisplayName = service.DisplayName,
Status = service.Status,
CanStop = service.CanStop
});
service.Dispose();
}
return(results);
}
catch (Win32Exception) { return(null); }
catch (InvalidOperationException) { return(null); }
}
/// <summary>
/// Gets information about current drives.
/// </summary>
/// <returns>SharpSploitResultList of DriveInfoResults</returns>
public static SharpSploitResultList <DriveInfoResult> GetDrives()
{
SharpSploitResultList <DriveInfoResult> results = new SharpSploitResultList <DriveInfoResult>();
DriveInfo[] drives = DriveInfo.GetDrives();
foreach (DriveInfo drive in drives)
{
DriveInfoResult info = new DriveInfoResult
{
Name = drive.Name,
Type = drive.DriveType
};
if (drive.IsReady)
{
info.Label = drive.VolumeLabel;
info.Format = drive.DriveFormat;
info.Capacity = Utilities.ConvertFileLengthForDisplay(drive.TotalSize);
info.FreeSpace = Utilities.ConvertFileLengthForDisplay(drive.AvailableFreeSpace);
}
results.Add(info);
}
return(results);
}
/// <summary>
/// Query specified domain controller via ldap and extrat hosts name list from dns, than perform a dns lookup to resolve ips. .
/// </summary>
/// <author>@b4rtik</author>
/// <param name="DomainController">DomainController to query.</param>
/// <returns>List of PortScanResults</returns>
/// <remarks>
/// based on
/// Getting in the zone dumping active directory dns with adidnsdump
/// https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/
/// by @_dirkjan
/// </remarks>
public static SharpSploitResultList <DnsResult> DumpDns(string DomainController)
{
SharpSploitResultList <DnsResult> results = new SharpSploitResultList <DnsResult>();
try
{
string rootDn = "DC=DomainDnsZones";
string domain_local = System.Net.NetworkInformation.IPGlobalProperties.GetIPGlobalProperties().DomainName;
string domain_path = "";
foreach (string domain_path_r in domain_local.Split('.'))
{
domain_path += ",DC=" + domain_path_r;
}
rootDn += domain_path;
DirectoryEntry rootEntry = new DirectoryEntry("LDAP://" + DomainController + "/" + rootDn);
rootEntry.AuthenticationType = AuthenticationTypes.Delegation;
DirectorySearcher searcher = new DirectorySearcher(rootEntry);
//find domains
var queryFormat = "(&(objectClass=DnsZone)(!(DC=*arpa))(!(DC=RootDNSServers)))";
searcher.Filter = queryFormat;
searcher.SearchScope = SearchScope.Subtree;
foreach (SearchResult result in searcher.FindAll())
{
String domain = (result.Properties["DC"].Count > 0 ? result.Properties["DC"][0].ToString() : string.Empty);
Console.WriteLine();
Console.WriteLine("Domain: {0}", domain);
Console.WriteLine();
DirectoryEntry rootEntry_d = new DirectoryEntry("LDAP://" + DomainController + "/DC=" + result.Properties["DC"][0].ToString() + ",CN=microsoftdns," + rootDn);
rootEntry_d.AuthenticationType = AuthenticationTypes.Delegation;
DirectorySearcher searcher_h = new DirectorySearcher(rootEntry_d);
//find hosts
queryFormat = "(&(!(objectClass=DnsZone))(!(DC=@))(!(DC=*arpa))(!(DC=*DNSZones)))";
searcher_h.Filter = queryFormat;
searcher_h.SearchScope = SearchScope.Subtree;
foreach (SearchResult result_h in searcher_h.FindAll())
{
String target = "";
if (result_h.Properties["DC"].Count > 0)
{
target = result_h.Properties["DC"][0].ToString();
}
else
{
//Hidden entry
String path = result_h.Path;
target = (path.Substring(path.IndexOf("LDAP://" + DomainController + "/"), path.IndexOf(","))).Split('=')[1];
}
DnsResult dnsentry = new DnsResult(DomainName: domain, ComputerName: target);
if (!target.EndsWith("."))
{
target += "." + domain;
}
bool tombstoned = result_h.Properties["dNSTombstoned"].Count > 0 ? (bool)result_h.Properties["dNSTombstoned"][0] : false;
dnsentry.Tombstoned = tombstoned;
if (!tombstoned)
{
try
{
IPHostEntry hostInfo = System.Net.Dns.GetHostEntry(target);
foreach (IPAddress result_ip in hostInfo.AddressList)
{
dnsentry.IP = result_ip.ToString();
results.Add(dnsentry);
}
}
catch (Exception)
{
}
}
else
{
results.Add(dnsentry);
}
}
}
}
catch (Exception e)
{
Console.WriteLine("Error retriving data : {0}", e.Message);
}
return(results);
}