SharpMapExec – A Sharpen Version Of CrackMapExec

A sharpen version of CrackMapExec. This tool is made to simplify penetration testing of networks and to create a swiss army knife that is made for running on Windows which is often a requirement during insider threat simulation engagements.

Besides scanning for access it can be used to identify vulnerable configurations and exfiltrate data. The idea for the data exfiltration modules is to execute the least amount of necessary code on the remote computer. To accomplish this, the tool will download all the secrets to the loot directory and parse them locally.https://googleads.g.doubleclick.net/pagead/ads?client=ca-pub-4429384950262667&output=html&h=280&adk=2213743114&adf=2956408132&pi=t.aa~a.1271756766~i.8~rp.4&w=1118&fwrn=4&fwrnh=100&lmt=1639056864&num_ads=1&rafmt=1&armr=3&sem=mc&pwprc=6189846884&psa=1&ad_type=text_image&format=1118×280&url=https%3A%2F%2Fwww.cybeseclabs.com%2F2020%2F12%2F21%2Fsharpmapexec-a-sharpen-version-of-crackmapexec%2F&flash=32.0.0&fwr=0&pra=3&rh=200&rw=1118&rpe=1&resp_fmts=3&wgl=1&fa=27&dt=1639056864418&bpp=3&bdt=1793&idt=-M&shv=r20211207&mjsv=m202112010101&ptt=9&saldr=aa&abxe=1&cookie=ID%3D4fa67b6c530d21ab-22acc6c865cf00a6%3AT%3D1639049799%3ART%3D1639049799%3AS%3DALNI_MaKeTTNrMFRAO70E8WwVoatjzsxUg&prev_fmts=0x0%2C728x90&nras=2&correlator=1566942809145&frm=20&pv=1&ga_vid=1676904316.1639056864&ga_sid=1639056864&ga_hid=866910522&ga_fc=0&u_tz=330&u_his=14&u_h=900&u_w=1440&u_ah=810&u_aw=1440&u_cd=24&u_sd=1&adx=226&ady=1770&biw=1440&bih=742&scr_x=0&scr_y=0&eid=31063752%2C44750773%2C31063824%2C31063867&oid=2&pvsid=3394438056742499&pem=263&tmod=220&ref=https%3A%2F%2Fwww.cybeseclabs.com%2Fpage%2F77%2F&eae=0&fc=1408&brdim=0%2C23%2C0%2C23%2C1440%2C23%2C1440%2C805%2C1440%2C742&vis=1&rsz=%7C%7Cs%7C&abl=NS&fu=128&bc=31&ifi=4&uci=a!4&btvi=1&fsb=1&xpc=4DCDq5btFz&p=https%3A//www.cybeseclabs.com&dtd=65

You can specify if you want to use Kerberos or NTLM authentication. If you choose Kerberos, the tool will create a sacrificial token and use Rubeus to import/ask for the ticket. If NTLM is specified, it tool will create threads and use SharpKatz to run SetThreadToken if an NTLM hash is specified, and if a password is specified, it will go with ordinary c# impersonation.

SharpMapExec.exe
usage:

--- Smb ---
SharpMapExec.exe ntlm smb /user:USER /ntlm:HASH /domain:DOMAIN /computername:TARGET
SharpMapExec.exe kerberos smb </user:USER /password:PASSWORD /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET

Available Smb modules
/m:shares

--- WinRm ---
SharpMapExec.exe ntlm winrm /user:USER /password:PASSWORD /domain:DOMAIN /computername:TARGET
SharpMapExec.exe kerberos winrm </user:USER /rc4:HASH /domain:DOMAIN /dc:DC | /ticket:TICKET.Kirbi> /computername:TARGET

Available WinRm modules
/m:exec /a:whoami (Invoke-Command)
/m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
/m:comsvcs (Dump Lsass Process)
/m:secrets (Dump and Parse Sa m, Lsa, and System Dpapi blobs)
/m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)
/m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)
/m:download /path:C:\file /destination:file (Download File from Host)

--- Domain ---
SharpMapExec.exe kerbspray /users:USERS.TXT /passwords:PASSWORDS.TXT /domain:DOMAIN /dc:DC
SharpMapExec.exe tgtdeleg

Smb

Can be used to scan for admin access and accessible Smb shares.

Modules;

/m:shares                                  (Scan enumerated shares for access)

WinRm

The beast. It has built-in Amsi bypass, JEA language breakout, JEA function analysis. Can be used for code execution, scaning for PsRemote access, vulnerable JEA endpoints, and data exfiltration.

Modules;

/m:exec /a:whoami                           (Invoke-Command)
/m:exec /a:C:\beacon.exe /system (Invoke-Command as System)
/m:comsvcs (Dump Lsass Process)
/m:secrets (Dump and Parse Sam, Lsa, and System Dpapi blobs)
/m:assembly /p:Rubeus.exe /a:dump (Execute Local C# Assembly in memory)
/m:assembly /p:beacon.exe /system (Execute Local C# Assembly as System in memory)
/m:download /path:C:\file /destination:file (Download File from Host)

Domain

Currently supports domain password spraying and to create a TGT for the current user that can be used with the /ticket parameter to get the current context.
Example usage

For easy or mass in-memory execution of C# assemblies

Kerberos password spraying then scanning for local admin access

This project supports scanning JEA endpoints and will analyze source code of non default commands and check if the endpoint was not configured for no-language mode.

Discover local admin password reuse with an NT hash.

Mass dump Lsass process with built-in Microsoft signed DLL and saves it to the loot folder

And much more!

Some scenarios with Kerberos will require you to sync your clock with the DC and set the DNS

net time \\DC01.hackit.local /set
Get-NetAdapter ethernet0* | Set-DnsClientServerAddress -ServerAddresses @('192.168.1.10')

Acknowledgments

Projects that helped or are existing in this tool

Download SharpMapExec

16 thoughts on “SharpMapExec – A Sharpen Version Of CrackMapExec

  1. Pingback: Talon – A Password Guessing Tool That Targets The Kerberos And LDAP Services Within The Windows Active Directory Environment - Pentester Club

  2. Pingback: Scripthunter – Tool To Find JavaScript Files On Websites - Pentester Club

  3. Pingback: Eagle – Yet Another Vulnerability Scanner - Pentester Club

  4. Pingback: csrfer-tool-to-generate-csrf-payloads-based-on-vulnerable-requests - Pentester Club

  5. Pingback: Lockphish – The First Tool For Phishing Attacks On The Lock Screen, Designed To Grab Windows Credentials, Android PIN And iPhone Passcode - Pentester Club

  6. Pingback: OFFPORT_KILLER – This Tool Aims At Automating The Identification Of Potential Service Running Behind Ports Identified Manually Either Through Manual Scan Or Services Running Locally - Pentester Club

  7. Pingback: H4Rpy – Automated WPA/WPA2 PSK Attack Tool - Pentester Club

  8. Pingback: adenum-a-pentesting-tool-that-allows-to-find-misconfiguration-through-the-the-protocol-ldap-and-exploit-some-of-those-weaknesses-with-kerberos - Pentester Club

  9. Pingback: msfpc-msfvenom-payload-creator - Pentester Club

  10. Pingback: FiddleZAP – A Simplified Version Of EKFiddle For OWASP ZAP - Pentester Club

  11. Pingback: See-SURF – Python Based Scanner To Find Potential SSRF Parameters - Pentester Club

  12. Pingback: lkwa-lesser-known-web-attack-lab - Pentester Club

  13. Pingback: kaboom-automatic-pentest - Pentester Club

  14. Pingback: Jok3R – Network And Web Pentest Framework - Pentester Club

  15. Pingback: XSRFProbe – The Prime Cross Site Request Forgery Audit And Exploitation Toolkit - Pentester Club

  16. Pingback: Photon v1.1.4 – Incredibly Fast Crawler Designed For Recon - Pentester Club

Leave a Reply

Your email address will not be published. Required fields are marked *