About SharpStrike
SharpStrike is a C#-based post-exploitation tool that queries remote systems over CIM or WMI. It can authenticate with credentials supplied by the researcher or reuse the current user session.
Note: Some commands in SharpStrike use PowerShell in conjunction with WMI for their functionality.
SharpStrike helps researchers gather data, execute commands, and extract data from targeted remote systems. Connecting to a remote system over WMI or CIM requires administrator privileges on that system.
Solution Architecture
SharpStrike consists of three main components:
Service layer: provides the core functionality used by the UI layer (source files such as executeWmi.cs and executecim.cs);
Model: contains all shared data types for the entire project;
User interface: GUI or command-line terminal.
Tools installation
A pre-built version is available directly from the project's Releases page, but it is built in modal mode.
Manual build
First, we need to clone the project source locally using the following command:
git clone https://github.com/iomoath/SharpStrike.git
Next, open the SharpStrike.sln solution file in Visual Studio.
Select the Build tab in the top menu and build the solution.
This produces two builds of SharpStrike, a WinForms application with a GUI and a command-line terminal application; both implement the same functionality.
Tool use
Command line terminal version
SharpStrike.exe --help
SharpStrike.exe --show-commands
SharpStrike.exe --show-examples
SharpStrike.exe -c ls_domain_admins
SharpStrike.exe -c ls_domain_users_list
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
SharpStrike.exe -c command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]
GUI version
show-commands
show-examples
ls_domain_admins
ls_domain_users_list
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]
Command reference
File operations
cat - Reads the contents of a file
copy - Copies a file from one location to another
download** - Download a file from the targeted machine
ls - File/directory listing of a specific directory
search - Search for a file on a user
upload** - Upload a file to the targeted machine
Lateral activities
command_exec** - Run a command line command and receive the output. Run with nops flag to disable PowerShell
disable_wdigest - Sets the registry value for UseLogonCredential to zero
enable_wdigest - Adds registry value UseLogonCredential
disable_winrm** - Disables WinRM on the targeted system
enable_winrm** - Enables WinRM on the targeted system
reg_mod - Modify the registry on the targeted machine
reg_create - Create the registry value on the targeted machine
reg_delete - Delete the registry on the targeted machine
remote_posh** - Run a PowerShell script on a remote machine and receive the output
sched_job - Not implemented, because Win32_ScheduledJobs accesses an outdated API
service_mod - Create, delete, or modify system services
ls_domain_users*** - List domain users
ls_domain_users_list*** - List domain users sAMAccountName
ls_domain_users_email*** - List domain users email address
ls_domain_groups*** - List domain user groups
ls_domain_admins*** - List domain admin users
ls_user_groups*** - List domain user with their associated groups
ls_computers*** - List computers on current domain
Process operation
process_kill - Kill a process via name or process id on the targeted machine
process_start - Start a process on the targeted machine
ps - Process listing
System operation
active_users - List domain users with active processes on the targeted system
basic_info - Used to enumerate basic metadata about the targeted system
drive_list - List local and network drives
share_list - List network shares
ifconfig - Receive IP info from NICs with active network connections
installed_programs - Receive a list of the installed programs on the targeted machine
logoff - Log users off the targeted machine
reboot (or restart) - Reboot the targeted machine
power_off (or shutdown) - Power off the targeted machine
vacant_system - Determine if a user is away from the system
edr_query - Query the local or remote system for EDR vendors
Log operation
logon_events - Identify users that have logged onto a system
* All PowerShell usage can be disabled with the --nops flag, although some commands will then not execute (upload/download, enable/disable WinRM)
** Denotes PowerShell usage (either through a PowerShell Runspace or through the Win32_Process::Create method)
*** Denotes LDAP usage ("root\directory\ldap" namespace)
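As an added defender-side example (not part of SharpStrike or this page), the following Python triages constructed Sysmon-style event records for two host traces the commands above leave behind: a change to the WDigest UseLogonCredential registry value (enable_wdigest/disable_wdigest) and a process whose parent is the WMI provider host, which is how Win32_Process::Create runs commands such as command_exec. The field names follow Sysmon event ID 13 (registry value set) and event ID 1 (process create); the sample events are constructed, not captured logs.

```python
import re
from typing import Iterable, Optional

# Full path of the value that the page's enable/disable_wdigest commands toggle.
WDIGEST_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential"
WMI_HOST = r"\wbem\wmiprvse.exe"

# Constructed sample events shaped like Sysmon EID 13 and EID 1 records (not real logs).
SAMPLE_EVENTS = [
    {"EventID": 13, "TargetObject": WDIGEST_KEY, "Details": "DWORD (0x00000001)",
     "Image": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\quser.exe", "CommandLine": "quser",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe"},
    {"EventID": 13, "TargetObject": WDIGEST_KEY, "Details": "DWORD (0x00000000)",
     "Image": r"C:\Windows\regedit.exe"},
]

def parse_dword(details: str) -> Optional[int]:
    """Turn Sysmon's 'DWORD (0x00000001)' rendering into an int; None if not a DWORD."""
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None

def wdigest_enabled(event: dict) -> bool:
    """True for an EID 13 that sets UseLogonCredential to non-zero, which makes
    LSASS keep cleartext credentials again; zero (disable_wdigest) is the safe state."""
    if event.get("EventID") != 13:
        return False
    if event.get("TargetObject", "").lower() != WDIGEST_KEY.lower():
        return False
    value = parse_dword(event.get("Details", ""))
    return value is not None and value != 0

def wmi_spawned_process(event: dict) -> bool:
    """True for an EID 1 whose parent is WmiPrvSE.exe: the footprint of a command
    started remotely through Win32_Process::Create rather than by a logged-on user."""
    if event.get("EventID") != 1:
        return False
    return event.get("ParentImage", "").lower().endswith(WMI_HOST)

def triage(events: Iterable[dict]) -> list:
    """Return (rule_name, event) pairs for every event that matches a rule."""
    hits = []
    for ev in events:
        if wdigest_enabled(ev):
            hits.append(("wdigest_enabled", ev))
        if wmi_spawned_process(ev):
            hits.append(("wmi_spawned_process", ev))
    return hits

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("Image"), ev.get("CommandLine", ev.get("Details")))
```

Legitimate administration also spawns children of WmiPrvSE.exe, so the second rule is a triage signal to correlate with the source host and account, not a verdict on its own.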
Tool usage demo
GUI version usage
References
Project address: SharpStrike on GitHub, https://github.com/iomoath/SharpStrike