Beruflich Dokumente
Kultur Dokumente
Exploitation Library
20 Sep 2018
Today, I’m releasing SharpSploit, the first in a series of offensive C# tools I have been writing
over the past several months. SharpSploit is a .NET post-exploitation library written in C# that
aims to highlight the attack surface of .NET and make the use of offensive .NET easier for red
teamers.
The Appeal of C#
There seems to be a trend developing on the offensive side of the security community in
porting existing PowerShell toolsets to C#, particularly with the recent releases from my
SpecterOps teammates, including: @harmj0y’s GhostPack toolset
and @0xthirteen’s SharpView. And SharpSploit is another piece to that puzzle. With the
added security features in PowerShell (ie. ScriptBlock Logging, AMSI, etc.), it makes sense that
red teamers are investing in other options. And C# is the logical next step from PowerShell,
seeing that they both are based on the .NET framework and porting toolsets from PowerShell
to C# is fairly easy to do.
However, C# does not come without it’s own set of issues from an offensive perspective. It
certainly seems as if optics into .NET are on the way, and from an operator usability
perspective we lose quite a bit of flexibility moving from a scripting language like PowerShell
to a compiled language like C#.
We also need to start worrying about .NET versions. You’ll find .NET v3.5 on a majority of
Windows OS versions by default, but newer Windows 10 and Server 2016 systems will only
have .NET v4.0+ installed by default. Another “gotcha” is that .NET is not enabled by default
on all Windows OS versions either, you’ll find that it needs to be explicitly enabled on
Windows Server 2008 and earlier server OS versions. SharpSploit attempts to deal with this by
targeting .NET v3.5 and v4.0 to get the most coverage possible, but you’ll need to be careful
to use the correct version on the correct system.
Try not to worry about this too much for now, you’ll see some other creative methods
for SharpSploit execution from me here in the near future :) And I will likely add a follow-up
post at some point on convenient methods for executing SharpSploit functions.
SharpSploit
So what exactly does SharpSploit include? Let’s dive in! SharpSploit currently includes 4
key high-level namespaces: Credentials , Enumeration , Execution ,
and LateralMovement . We’ll walk through the details of each of these individually.
SharpSploit.Credentials
The SharpSploit.Credentials namespace includes any classes that deal with…well,
credentials! Currently, this includes all Mimikatz functionality as well as token manipulation.
SharpSploit.Credentials.Mimikatz
The SharpSploit.Credentials.Mimikatz class implements the ability to execute
any Mimikatz command. SharpSploit ’s implementation uses an adapted version
of @subtee’s PELoader and borrows from @xorrior’s implementation as well to
load @gentilkiwi’s excellent Mimikatz project.
Command() - Loads the Mimikatz PE with PE.Load() and executes a chosen Mimikatz
command.
LogonPasswords() - Loads the Mimikatz PE with PE.Load() and executes the
Mimikatz command to retrieve plaintext passwords from LSASS. Equates
to Command("privilege::debug sekurlsa::logonPasswords") . (Requires Admin)
SamDump() - Loads the Mimikatz PE with PE.Load() and executes the Mimikatz
command to retrieve password hashes from the SAM database. Equates
to Command("privilege::debug lsadump::sam") . (Requires Admin)
LsaSecrets() - Loads the Mimikatz PE with PE.Load() and executes the Mimikatz
command to retrieve LSA secrets stored in registry. Equates
to Command("privilege::debug lsadump::secrets") . (Requires Admin)
LsaCache() - Loads the Mimikatz PE with PE.Load() and executes the Mimikatz
command to retrieve Domain Cached Credentials hashes from registry. Equates
to Command("privilege::debug lsadump::cache") . (Requires Admin)
Wdigest() - Loads the Mimikatz PE with PE.Load() and executes the Mimikatz
command to retrieve Wdigest credentials from registry. Equates
to Command("sekurlsa::wdigest") .
All() - Loads the Mimikatz PE with PE.Load() and executes each of the above
builtin, local credential dumping commands. (Requires Admin)
DCSync() - Loads the Mimikatz PE with PE.Load() and executes the “dcsync”
module to retrieve the NTLM hash of a specified (or all) Domain user. (Requires Domain
Admin (or equivalent rights))
PassTheHash() - Loads the Mimikatz PE with PE.Load() and executes the “pth”
module to start a new process as a user using an NTLM password hash for
authentication. (Requires Admin)
SharpSploit.Credentials.Tokens
The SharpSploit.Credentials.Tokens class implements token manipulation functions, as
well as more complex actions that rely on token manipulation. While many token
manipulation projects have already been created, SharpSploit.Credentials.Tokens often
borrows from @0xbadjuju’s awesome Tokenvator project.
SharpSploit.Enumeration
The SharpSploit.Enumeration namespace includes any classes that do enumeration.
Currently, this includes some basic local host-based enumeration, network enumeration (i.e.
ping/port scanning), and Domain and Net enumeration. I think there’s room for a lot of
addition and improvement to this namespace, but it is a start.
SharpSploit.Enumeration.Host
The SharpSploit.Enumeration.Host class does basic local host-based enumeration. This
class is currently very basic. I plan to eventually make some useful additions, but currently
there are many other more robust tools, such as Seatbelt.
SharpSploit.Enumeration.Network
The SharpSploit.Enumeration.Network class includes a threaded TCP ping/port scanner
for network enumeration.
PortScan() - Conducts a port scan of specified computer(s) and port(s) and reports
open ports.
Ping() - Pings specified computer(s) to identify live systems.
SharpSploit.Enumeration.Domain
The SharpSploit.Enumeration.Domain class provides libraries for Active Directory domain
enumeration. This is a partial port of @harmj0y’s PowerView project.
This class does not intend to be a direct or complete port of PowerView, things will be
formatted and implemented differently. I should also
mention @0xthirteen’s SharpView project, which does aim to be a more direct/complete port
of PowerView.
SharpSploit.Enumeration.Domain.DomainSearcher
The SharpSploit.Enumeration.Domain.DomainSearcher class facilitates searching a
particular AD domain with a set of credentials.
GetDomainUsers() - Gets a list of specified (or all) user DomainObject s in the current
Domain.
GetDomainGroups() - Gets a list of specified (or all) group DomainObject s in the
current Domain.
GetDomainComputers() - Gets a list of specified (or all) computer DomainObject s in
the current Domain.
GetDomainSPNTickets() - Gets SPNTicket s for specified DomainObject s.
Kerberoast() - Gets a list of SPNTicket s for specified (or all) users with a SPN set in
the current Domain.
SharpSploit.Enumeration.Net
The SharpSploit.Enumeration.Net class continues the partial PowerView port, and
includes functions for enumerating local users, groups, logons, and sessions on remote
computers by using Windows API functions (similar to the native, Windows “net.exe” utility).
A key note is that the “WinNT” PowerView collection method is not supported.
SharpSploit.Execution.Assembly
The SharpSploit.Execution.Assembly class includes methods for loading .NET assemblies
and executing functions within the assembly through reflection.
SharpSploit.Execution.PE
The SharpSploit.Execution.PE class is planned to be a class for loading arbitrary PEs.
Currently, it really only serves as a Mimikatz PE loader. This class is an adapted version
of @subtee’s PE loader that has been made to support arbitrary PEs. As a warning, I have not
been successful in loading any arbitrary PE with this class, so your mileage may vary. I hope
that this will eventually be fully implemented.
SharpSploit.Execution.Shell
The SharpSploit.Execution.Shell class includes methods for executing “shell”
( cmd.exe ) commands and PowerShell commands/scripts. It is possible to execute shell
commands as an alternative user (provided that you have a valid password), similar to the
native Windows runas.exe executable.
SharpSploit.Execution.ShellCode
The SharpSploit.Execution.ShellCode class includes a method for executing shellcode.
Shellcode execution is accomplished by copying it to pinned memory, modifying the memory
permissions with Win32.Kernel32.VirtualProtect() , and executing with a
.NET delegate . This class is based on code written by @enigma0x3.
SharpSploit.Execution.Win32
SharpSploit.Execution.Win32 is a large library of PInvoke signatures and structures for
Win32 API functions used by various SharpSploit functionality. www.pinvoke.net was an
invaluable resource for the implementation of this class. I will not attempt to document all of
the signatures here, but feel free to check them out in the Win32.cs file.
SharpSploit.LateralMovement
The SharpSploit.LateralMovement namespace includes classes that allow for any type of
code execution on remote computers. Currently, this only includes WMI lateral movement,
but others will be coming soon!
SharpSploit.LateralMovement.WMI
The SharpSploit.LateralMovement.WMI class includes basic WMI lateral movement
capabilities. Currently, the only capability is to spawn a process on a remote system using
the Win32_Process.Create WMI method with a specified username and password.
The SharpSploit project also includes SharpSploit.Tests , hooray for unit testing! By no
means have I implemented complete coverage in these unit tests, but I am still working at it. I
think it would be great if we as a security community could try to up our software
development game a bit and include unit tests for offensive projects. They provide great
examples for how to use our toolsets, promote code quality, and are useful for contributors.
More To Do
This is just the beginning for SharpSploit ! You’ll notice I alluded to lots of needed
additions to SharpSploit throughout the description above. I plan to continue working on
and maintaining SharpSploit , so hopefully you will see lots of updates coming soon. The
format of SharpSploit as a library is also very conducive to contribution from others. I am very
open to pull requests and hope that others will want to contribute to the project to make it
better for everyone.
Defensive .NET
This is really an offensive post and meant as an intro to SharpSploit , but I will at least
touch on the defensive side. After educating myself a bit, I’ll plan on a more thorough
defensive blog post as a follow up.
To begin discussing defense for .NET, it’s important to clarify terms. I’ve used “.NET” and “C#”
almost interchangably throughout this post, but there is a subtle distinction. The .NET
framework is a library and runtime for Windows for “managed code”. “Managed code” is any
code that compiles to CIL (Common Intermediate Language, formerly referred to as “MSIL”)
and will be managed by the CLR (Common Language Runtime), which is the runtime for the
.NET framework and converts CIL to “native” machine code. C# is an example of a language
that uses managed code that compiles to CIL. Further, C# was created specifically to target
.NET and it’s object model aligns to the .NET object model. Other languages that can compile
to CIL (and thus, can be executed under the .NET framework) include VB.NET and JScript.NET.
So while we’ve talked quite a bit about C# from the offensive side, from a defensive
perspective what we really care about is .NET. Specifically, we care about the CIL code being
interpreted by the CLR. The bad news is that traditionally, defenders do not have much optics
into what is happening in .NET code. And even if they did, it may be hard to identify
malicious .NET. In fact, that admission in this tweet from @blowdart was what first got me
excited about offensive .NET:
The good news is that this appears to be changing. I alluded to this at the beginning of the
post, but it does seem as if .NET optics are in the works (discovered by @mattifestation):
However, as far as I know, there is no official guidance from Microsoft on how to utilize these
optics quite yet. Though hopefully we will get some guidance and documentation as this
appears to still be in the works.
Without these optics, what other options do we have? Well the good news is that there is still
very few ways to execute .NET without touching disk at some point. And if you can recover
the .NET assembly off of disk, it is very easy to reverse the assembly to source code and begin
to identify key indicators (CIL code is still bytecode!).
The easiest and most popular way to execute malicious .NET assemblies is through
the System.Reflection.Assembly.Load() method. So how will operators execute this
method to kick off their malicious .NET assembly? Typically, either
through powershell.exe or through scriptlet-based execution techniques such
as regsvr32.exe and wmic.exe through techniques demonstrated by the
great DotNetToJScript project by @tiraniddo. While those scriptlet-based techniques do have
the ability to execute remotely hosted scriplets, this still results in the scriptlet hitting disk in a
predictable location under %LOCALAPPDATA%\Microsoft\Windows\Temporary Internet
Files\ (which I’m not sure all red teamers have realized). This leaves powershell.exe as
the last real way to execute .NET assemblies without touching disk, and PowerShell has great
logging capabilities to ensure you capture the assembly in ScriptBlock logs! Once you have
captured the assembly off disk or in logs, you will be able to easily reverse it to source and
analyze using a .NET debugger, such as dnSpy.
I hope this is a decent, if not brief, start to detecting malicious .NET. Again, once I further
educate myself, I’ll try to follow up with a more detailed post.
Conclusion
This is just the beginning for SharpSploit ! You’ll notice I alluded to lots of needed
additions to SharpSploit throughout this post. I plan to continue working on and
maintaining SharpSploit , so hopefully you will see lots of updates coming soon.
I hope that others find SharpSploit helpful, particularly for those trying to diversify their
toolset from PowerShell. And as I hinted to at the beginning of this post, SharpSploit is the
first in a series of C# tooling that I have been developing over the last few months, so expect
to see much more here soon!