CsharpTools.md

File metadata and controls

143 lines (141 loc) · 11.3 KB

Offensive C# tools

There's also a separate public repository at https://github.com/boh/RedCsharp

  • CasperStager
    • PoC for persisting .NET payloads in Windows Notification Facility (WNF) state names using low-level Windows Kernel API calls.
  • CSExec
    • An implementation of PSExec in C#
  • CSharpCreateThreadExample
    • C# code to run PIC using CreateThread
  • CSharpScripts
    • Collection of C# scripts
  • CSharpSetThreadContext
    • C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
  • DnsCache
    • This is a reference example for how to call the Windows API to enumerate cached DNS records in the Windows resolver. Proof of concept or pattern only.
  • FreshCookees
    • C# .NET 3.5 tool that keeps proxy auth cookies fresh by maintaining a hidden IE process that navigates to your hosted auto-refresh page. Uses WMI event listeners to monitor for InstanceDeletionEvents of the Internet Explorer process, and starts a hidden IE process via COM object if no other IE processes are running.
  • GoldenTicket
    • This .NET assembly is specifically designed for creating Golden Tickets. It has been built with a custom version of SharpSploit and an old 2.0 alpha (x64) version of Powerkatz.
  • Grouper2
    • Find vulnerabilities in AD Group Policy
  • Inception
    • Provides In-memory compilation and reflective loading of C# apps for AV evasion.
  • KittyLitter
    • Credential Dumper. It is comprised of two components, KittyLitter.exe and KittyScooper.exe. This will bind across TCP, SMB, and MailSlot channels to communicate credential material to lowest privilege attackers.
  • Lockless
    • Lockless allows for the copying of locked files.
  • Minidump
    • The program is designed to dump the full memory of a process by specifying the process name or process ID.
  • MiscTools
    • Miscellaneous Tools
  • NamedPipes
    • A pattern for client/server communication via Named Pipes via C#
  • nopowershell
    • PowerShell rebuilt in C# for Red Teaming purposes
  • Reg_Built
    • C# Userland Registry RunKey persistence
  • RemoteProcessInjection
    • C# remote process injection utility for Cobalt Strike
  • Rubeus
    • Rubeus is a C# toolset for raw Kerberos interaction and abuses.
  • RunProcessAsTask
  • RunSharp
    • Simple program that allows you to run commands as another user without being prompted for their password. This is useful in cases where you don't always get feedback from a prompt, such as the case with some remote shells.
  • SafetyKatz
    • SafetyKatz is a combination of a slightly modified version of @gentilkiwi's Mimikatz project and @subTee's .NET PE Loader.
  • Seatbelt
    • Seatbelt is a C# project that performs a number of security-oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
  • self-morphing-csharp-binary
    • C# binary that mutates its own code, and encrypts and obfuscates itself at runtime
  • Sharp-InvokeWMIExec
    • A native C# conversion of Kevin Robertson's Invoke-WMIExec PowerShell script
  • Sharp-Suite
    • Fork of FuzzySecurity/Sharp-Suite
  • SharpAdidnsdump
    • C# implementation of Active Directory Integrated DNS dumping (authenticated user)
  • SharpAttack
    • SharpAttack is a console for certain things I use often during security assessments. It leverages .NET and the Windows API to perform its work. It contains commands for domain enumeration, code execution, and other fun things.
  • SharpClipHistory
    • SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
  • SharpCloud
    • Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
  • SharpCOM
    • CSHARP DCOM Fun
  • SharpCompile
    • SharpCompile is an aggressor script for Cobalt Strike which allows you to compile and execute C# in real time. This is a slicker approach than manually compiling a .NET assembly and loading it into Cobalt Strike.
  • SharpCradle
    • SharpCradle is a tool designed to help penetration testers or red teams download and execute .NET binaries into memory.
  • SharpDomainSpray
    • Basic password spraying tool for internal tests and red teaming
  • SharpDoor
    • SharpDoor is an alternative to RDPWrap written in C# to allow multiple RDP (Remote Desktop) sessions by patching the termsrv.dll file.
  • SharpDPAPI
    • SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
  • SharpDump
    • SharpDump is a C# port of PowerSploit's Out-Minidump.ps1 functionality.
  • SharpEdge
    • C# Implementation of Get-VaultCredential
  • SharPersist
    • Windows persistence toolkit written in C#.
  • SharpExec
    • SharpExec is an offensive security C# tool designed to aid with lateral movement. WMIExec. SMBExec. PSExec. WMI.
  • SharpFruit
    • A C# penetration testing tool to discover low-hanging web fruit via web requests.
  • SharpGPOAbuse
    • Application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
  • SharpHide
    • Tool to create hidden registry keys.
  • SharpInvoke-SMBExec
    • SMBExec C# module
  • SharpLoadImage
    • Hide a .NET assembly in PNG images
  • SharpLocker
    • SharpLocker helps get current user credentials by popping a fake Windows lock screen. All output is sent to the console, which works perfectly for Cobalt Strike.
  • SharpLogger
    • Keylogger written in C#
  • SharpNeedle
    • Inject C# code into a running process. Note: SharpNeedle currently only supports 32-bit processes.
  • SharpPack
    • An Insider Threat Toolkit. SharpPack is a toolkit for insider threat assessments that lets you defeat application whitelisting to execute arbitrary DotNet and PowerShell tools.
  • sharppcap
    • Official repository - Fully managed, cross platform (Windows, Mac, Linux) .NET library for capturing packets
  • SharpPrinter
    • Discover Printers
  • SharpRoast
    • SharpRoast is a C# port of various PowerView Kerberoasting functionality.
  • SharpSC
    • Simple .NET assembly to interact with services.
  • SharpSniper
    • Find specific users in Active Directory via their username and logon IP address
  • SharpSocks
    • Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
  • SharpSploit
  • SharpSpray
    • SharpSpray is a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
  • SharpSSDP
    • SSDP Service Discovery
  • SharpTask
    • SharpTask is a simple code set to interact with the Task Scheduler service API and is compatible with Cobalt Strike.
  • SharpView
    • C# implementation of harmj0y's PowerView
  • SharpWeb
    • .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
  • SharpWMI
    • SharpWMI is a C# implementation of various WMI functionality.
  • SharPyShell
    • SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
  • SilkETW
    • SilkETW & SilkService are flexible C# wrappers for ETW, they are meant to abstract away the complexities of ETW and give people a simple interface to perform research and introspection. While both projects have obvious defensive (and offensive) applications they should primarily be considered as research tools.
  • SneakyService
    • A simple, minimal C# Windows service implementation that can be used to demonstrate privilege escalation from misconfigured Windows services.
  • Stracciatella
    • OpSec-safe PowerShell runspace from within C# (aka SharpPick) with AMSI and Script Block Logging disabled at startup
  • taskkill
    • This is a reference example for how to call the Windows API to enumerate and kill a process similar to taskkill.exe. This is based on (incomplete) MSDN example code. Proof of concept or pattern only.
  • TCPRelayInjecter2
    • Tool for injecting a "TCP Relay" managed assembly into an unmanaged process.
  • TikiTorch
    • Process Injection. The basic concept of CACTUSTORCH is that it spawns a new process, allocates a region of memory, then uses CreateRemoteThread to run the desired shellcode within that target process. Both the process and shellcode are specified by the user.
  • Watson
    • Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities