Full walk-through and examples available here.
- 1.0 - Initial Release
- 2.0 - Added supported for pass-through authentication using SSPI.
- 2.1 - Added support for Linux target VMs with --linux, and added a --verbose flag for listing vCenter users and groups
SharpSphere gives red teamers the ability to easily interact with the guest operating systems of virtual machines managed by vCenter. It uses the vSphere Web Services API and exposes the following functions:
- Command & Control - In combination with F-Secure's C3, SharpSphere provides C&C into VMs using VMware Tools, with no direct network connectivity to the target VM required.
- Code Execution - Allows arbitrary commands to be executed in the guest OS and returns the result
- File Upload - Allows arbitrary files to be uploaded to the guest OS
- File Download - Allows arbitrary files to be downloaded from the guest OS
- List VMs - Lists the VMs managed by vCenter that have VMware Tools running
- Dump Memory - Dump and download VM's memory, then manually extract credentials from LSASS offline using WinDbg and Mimikatz (Guide)
SharpSphere supports execution through Cobalt Strike's execute-assembly.
Compiled versions can be found here.
Available modules:
SharpSphere.exe help
list List all VMs managed by this vCenter
execute Execute given command in target VM
c2 Run C2 using C3's VMwareShareFile module
upload Upload file to target VM
download Download file from target VM
help Display more information on a specific command.
version Display version information.
SharpSphere.exe list --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defauls to executing user and pass-through
authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--verbose (Default: false) Prints verbose output about vCenter, inc. groups and users
--help Display this help screen.
--version Display version information.
SharpSphere.exe execute --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defaults to executing user and pass-through authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--ip Required. Target VM IP address
--guestusername Username used to authenticate to the guest OS. Defaults to executing user and pass-through authentication if not supplied
--guestpassword Password used to authenticate to the guest OS. Defaults to executing user and pass-through authentication if not supplied
--command Required. Command to execute
--output (Default: false) Receive output from your command. Will create a temporary file in outputDir on the guest to save the output. This is then downloaded and printed to the console and the file
deleted
--outputDir When --output is provided, this is where to store the temporary file.
--linux (Default: false) Set if target VM is Linux
--help Display this help screen.
--version Display version information.
SharpSphere.exe c2 --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defaults to executing user and pass-through
authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--ip Required. Target VM IP address
--guestusername Username used to authenticate to the guest OS. Defaults to executing user and pass-through
authentication if not supplied
--guestpassword Password used to authenticate to the guest OS. Defaults to executing user and pass-through
authentication if not supplied
--command Required. Command to execute
--output (Default: false) Receive output from your command. Will create a temporary file in outputDir on the
guest to save the output. This is then downloaded and printed to the console and the file deleted
--outputDir (Default: C:\Windows\Temp) When --output is provided, this is where to store the temporary file.
SharpSphere.exe upload --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defaults to executing user and pass-through authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--ip Required. Target VM IP address
--guestusername Username used to authenticate to the guest OS. Defaults to executing user and pass-through authentication if not supplied
--guestpassword Password used to authenticate to the guest OS. Defaults to executing user and pass-through authentication if not supplied
--source Required. Full path to local file to upload
--destination Required. Full path to location where file should be uploaded
--help Display this help screen.
--version Display version information.
>SharpSphere.exe download --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defaults to executing user and pass-through
authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--ip Required. Target VM IP address
--guestusername Username used to authenticate to the guest OS. Defaults to executing user and pass-through
authentication if not supplied
--guestpassword Password used to authenticate to the guest OS. Defaults to executing user and pass-through
authentication if not supplied
--source Required. Full path in the guest to the file to upload
--destination Required. Full path to the local directory where the file should be downloaded
>SharpSphere.exe dump --help
--url Required. vCenter SDK URL, i.e. https://127.0.0.1/sdk
--username vCenter username, i.e. administrator@vsphere.local. Defaults to executing user and pass-through
authentication if not supplied.
--password vCenter password. Defaults to executing user and pass-through authentication if not supplied.
--targetvm Required. VM to snapshot
--snapshot (Default: false) WARNING: Creates and then deletes a snapshot. If unset, SharpSphere will only
extract memory from last existing snapshot, or none if no snapshots are available.
--destination Required. Full path to the local directory where the file should be downloaded
- Add support for Linux guest OS
- Include a
--verboseoption for listing VMs - Add a
--quietflag to not mention every packet that's transferred - Add a
--testauthflag to confirm guest credentials are valid