SharpStrike：基于C#實現的后滲透漏洞利用研究工具 - 網安 - 專業的網絡安全產業、社區、知識平臺

關于SharpStrike

SharpStrike是一款基于C#開發的后滲透工具，該工具可以使用CIM或WMI來查詢遠程系統。除此之外，該工具還可以使用研究人員提供的憑證信息或使用當前的用戶會話。

注意：SharpStrike中的某些命令將使用PowerShell結合WMI以實現其功能。

SharpStrike可以幫助廣大研究人員收集關于目標遠程系統的數據、執行命令以及提取數據等等。該工具允許使用WMI或CIM來跟遠程系統進行連接，而CIM的使用則需要我們獲取到目標系統的管理員權限。

解決方案架構

SharpStrike由三個主組件構成：

服務層：提供核心功能并由UI層使用（cs、ExecuteWMI.cs、ExecuteCIM.cs）；

模型：包含整個項目所有共享的數據類型；

用戶接口：GUI/命令行終端；

工具安裝

我們可以選擇直接使用該項目【Releases頁面】所提供的預構建版本，不過這個版本是在調式模式下構建的。

手動構建

首先，我們需要使用下列命令將該項目源碼克隆至本地：

git clone https://github.com/iomoath/SharpStrike.git

接下來，在Visual Studio中加載項目中的SharpStrike.sln文件。

選擇頂部菜單中的“構建”項，然后構建解決方案。

此時將會生成兩個版本的SharpStrike，即帶有GUI界面的WinForms和命令行終端應用程序，每一個版本都實現的是相同的功能。

工具使用

命令行終端版本

SharpStrike.exe --help
SharpStrike.exe --show-commands
SharpStrike.exe --show-examples
SharpStrike.exe -c ls_domain_admins
SharpStrike.exe -c ls_domain_users_list
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
SharpStrike.exe -c cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password] -c
SharpStrike.exe -c command_exec -e "quser" -s [remote IP address] -u [username] -d [domain] -p [password]

GUI版本

show-commands
show-examples
ls_domain_admins
ls_domain_users_list
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address]
cat -f "c:\users\user\desktop\file.txt" -s [remote IP address] -u [username] -d [domain] -p [password]
command_exec -e "quser" [remote IP address] -u [username] -d [domain] -p [password]

功能介紹

文件操作

cat                          -  Reads the contents of a file
copy                         -  Copies a file from one location to another
download**                   -  Download a file from the targeted machine
ls                           -  File/Directory listing of a specific directory
search                       -  Search for a file on a user
upload**                     -  Upload a file to the targeted machine

橫向活動

command_exec**               -  Run a command line command and receive the output. Run with nops flag to disable PowerShell
disable_wdigest              -  Sets the registry value for UseLogonCredential to zero
enable_wdigest               -  Adds registry value UseLogonCredential
disable_winrm**              -  Disables WinRM on the targeted system
enable_winrm**               -  Enables WinRM on the targeted system
reg_mod                      -  Modify the registry on the targeted machine
reg_create                   -  Create the registry value on the targeted machine
reg_delete                   -  Delete the registry on the targeted machine
remote_posh**                -  Run a PowerShell script on a remote machine and receive the output
sched_job                    -  Not implimented due to the Win32_ScheduledJobs accessing an outdated API
service_mod                  -  Create, delete, or modify system services
ls_domain_users***           - List domain users
ls_domain_users_list***      - List domain users sAMAccountName
ls_domain_users_email***     - List domain users email address
ls_domain_groups***          - List domain user groups
ls_domain_admins***          - List domain admin users
ls_user_groups***            - List domain user with their associated groups
ls_computers***              - List computers on current domain

進程操作

process_kill                 -  Kill a process via name or process id on the targeted machine
process_start                -  Start a process on the targeted machine
ps                           -  Process listing

系統操作

active_users                 -  List domain users with active processes on the targeted system
basic_info                   -  Used to enumerate basic metadata about the targeted system
drive_list                   -  List local and network drives
share_list                   -  List network shares
ifconfig                     -  Receive IP info from NICs with active network connections
installed_programs           -  Receive a list of the installed programs on the targeted machine
logoff                       -  Log users off the targeted machine
reboot (or restart)          -  Reboot the targeted machine
power_off (or shutdown)      -  Power off the targeted machine
vacant_system                -  Determine if a user is away from the system
edr_query                    -  Query the local or remote system for EDR vendors

日志操作

logon_events                 -  Identify users that have logged onto a system


* All PowerShell can be disabled by using the --nops flag, although some commands will not execute (upload/download, enable/disable WinRM)
** Denotes PowerShell usage (either using a PowerShell Runspace or through Win32_Process::Create method)
*** Denotes LDAP usage - "root\directory\ldap" namespace

工具使用演示

GUI版本使用

命令行終端版本使用

【GIF】

項目地址

SharpStrike：【點擊閱讀原文獲取】

參考資料

https://fortynorthsecurity.com/blog/cimplant-part-1-detections/

https://www.fireeye.com/blog/threat-research/2017/03/wmimplant_a_wmi_ba.html

https://c99.sh/sharpstrike-post-exploitation-tool-cim-wmi-inside/