From 9a70af22f371472761969990214dfdcb7ce222a7 Mon Sep 17 00:00:00 2001 From: ptr0x1 Date: Thu, 21 Apr 2022 10:04:16 +0000 Subject: [PATCH 1/7] added x64 Build --- SharpView.sln | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/SharpView.sln b/SharpView.sln index 3800e0d..745579a 100644 --- a/SharpView.sln +++ b/SharpView.sln @@ -8,13 +8,19 @@ EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|Any CPU = Debug|Any CPU + Debug|x64 = Debug|x64 Release|Any CPU = Release|Any CPU + Release|x64 = Release|x64 EndGlobalSection GlobalSection(ProjectConfigurationPlatforms) = postSolution {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Debug|Any CPU.ActiveCfg = Debug|Any CPU {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Debug|Any CPU.Build.0 = Debug|Any CPU + {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Debug|x64.ActiveCfg = Debug|x64 + {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Debug|x64.Build.0 = Debug|x64 {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Release|Any CPU.ActiveCfg = Release|Any CPU {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Release|Any CPU.Build.0 = Release|Any CPU + {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Release|x64.ActiveCfg = Release|x64 + {22A156EA-2623-45C7-8E50-E864D9FC44D3}.Release|x64.Build.0 = Release|x64 EndGlobalSection GlobalSection(SolutionProperties) = preSolution HideSolutionNode = FALSE From d60544f6073826856c8abfe2ae5d9c9053b13814 Mon Sep 17 00:00:00 2001 From: ptr0x1 Date: Thu, 21 Apr 2022 10:04:27 +0000 Subject: [PATCH 2/7] removed superflous Password param, changed AccountPassword to string --- SharpView/Arguments/Args_Set_DomainUserPassword.cs | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/SharpView/Arguments/Args_Set_DomainUserPassword.cs b/SharpView/Arguments/Args_Set_DomainUserPassword.cs index 59f40e3..2fd59d4 100644 --- a/SharpView/Arguments/Args_Set_DomainUserPassword.cs +++ b/SharpView/Arguments/Args_Set_DomainUserPassword.cs @@ -16,8 +16,7 @@ public class Args_Set_DomainUserPassword public string UserIdentity { get { return Identity; } set { Identity = value; } } public string User { get { return Identity; } set { Identity = value; } } - public System.Security.SecureString AccountPassword { get; set; } - public System.Security.SecureString Password { get { return AccountPassword; } set { AccountPassword = value; } } + public string AccountPassword { get; set; } public string Domain { get; set; } From b96343dc70a2437996acc48fc728c30db69f3f83 Mon Sep 17 00:00:00 2001 From: ptr0x1 Date: Thu, 21 Apr 2022 10:05:14 +0000 Subject: [PATCH 3/7] fix targetsid logic error, pw change entry, domain object XOR param --- SharpView/PowerView.cs | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/SharpView/PowerView.cs b/SharpView/PowerView.cs index 1829cca..cc1afe9 100644 --- a/SharpView/PowerView.cs +++ b/SharpView/PowerView.cs @@ -19,6 +19,8 @@ using System.Reflection; using System.Text; using System.Security.Principal; +using System.Security; +using System.Net; namespace SharpView { @@ -4803,7 +4805,7 @@ public static void Set_DomainObject(Args_Set_DomainObject args = null) foreach (var xor in args.XOR) { var PropertyName = xor.Key; - var PropertyXorValue = (int)xor.Value; + var PropertyXorValue = Convert.ToInt32(xor.Value); Logger.Write_Verbose($@"[Set-DomainObject] XORing '{PropertyName}' with '{PropertyXorValue}' for object '{obj.Properties[@"samaccountname"][0]}'"); var TypeName = Entry.Properties[PropertyName][0].GetType(); @@ -5461,7 +5463,7 @@ public static IEnumerable Get_DomainGPOUserLocalGroupMappi TargetSIDs.AddRange(sid); } TargetObjectSID = TargetSIDs; - if (TargetSIDs != null) + if (TargetSIDs == null) { throw new Exception($@"[Get-DomainGPOUserLocalGroupMapping] Unable to retrieve SID for identity '{args.Identity}'"); } @@ -7810,8 +7812,7 @@ public static void Set_DomainUserPassword(Args_Set_DomainUserPassword args = nul Logger.Write_Verbose($@"[Set-DomainUserPassword] Attempting to set the password for user '{args.Identity}'"); try { - var TempCred = new System.Net.NetworkCredential("a", args.AccountPassword); - User.SetPassword(TempCred.Password); + User.SetPassword(args.AccountPassword); User.Save(); Logger.Write_Verbose($@"[Set-DomainUserPassword] Password for user '{args.Identity}' successfully reset"); } From 090a1ec32f7fc72bacd4038904e0bbdc22c1c9c9 Mon Sep 17 00:00:00 2001 From: ptr0x1 Date: Thu, 21 Apr 2022 10:05:55 +0000 Subject: [PATCH 4/7] added regex logic to parse dictionary params (used in set-domainobject). format is key=value;key2=value2 --- SharpView/Program.cs | 26 +++++++++++++++++++++++--- 1 file changed, 23 insertions(+), 3 deletions(-) diff --git a/SharpView/Program.cs b/SharpView/Program.cs index c59437c..dc8aaa4 100644 --- a/SharpView/Program.cs +++ b/SharpView/Program.cs @@ -8,6 +8,7 @@ using System.Net.Sockets; using System.Reflection; using System.Text; +using System.Text.RegularExpressions; using System.Threading.Tasks; namespace SharpView @@ -18,7 +19,7 @@ static void Main(string[] args) { if (args.Length == 0) { - Logger.Write_Output("Ex: SharpView.exe Method-Name -Switch -String domain -Array domain,user -Enum ResetPassword -IntEnum CREATED_BY_SYSTEM,APP_BASIC -PointEnum ResetPassword,All -Credential admin@domain.local/password"); + Logger.Write_Output("Ex: SharpView.exe Method-Name -Switch -Dictionary key=value;key2=value2 -String domain -Array domain,user -Enum ResetPassword -IntEnum CREATED_BY_SYSTEM,APP_BASIC -PointEnum ResetPassword,All -Credential admin@domain.local/password"); Logger.Write_Output("Execute 'Sharpview.exe -Help' to get arguments list and expected types"); return; } @@ -480,8 +481,27 @@ static void Run(string[] args) tc = new StringArrayConverter(); else if (pinfo.PropertyType.FullName == "System.Net.NetworkCredential") tc = new NetworkCredentialConverter(); - var argValue = tc.ConvertFromString(strValue); - pinfo.SetValue(argObject, argValue); + if (pinfo.PropertyType.FullName.Contains("Dictionary")) + { + Dictionary argDict = new Dictionary(); + + string pattern = "(\\w+)[=]([\\w\\s'\",.]+)(;)?"; + var matches = Regex.Matches(strValue, pattern); + foreach (Match m in matches) + { + string key = m.Groups[1].Value; + string value = m.Groups[2].Value; + argDict.Add(key, value); + } + + pinfo.SetValue(argObject, argDict); + } + else + { + var argValue = tc.ConvertFromString(strValue); + pinfo.SetValue(argObject, argValue); + } + } catch (Exception ex) { From 1f26b8515de305ffa9f307a126f5bf420e24860d Mon Sep 17 00:00:00 2001 From: ptr0x1 Date: Thu, 21 Apr 2022 10:06:21 +0000 Subject: [PATCH 5/7] added csproj x64 --- SharpView/SharpView.csproj | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/SharpView/SharpView.csproj b/SharpView/SharpView.csproj index ceb3f84..b46e7bb 100644 --- a/SharpView/SharpView.csproj +++ b/SharpView/SharpView.csproj @@ -55,6 +55,25 @@ SharpView.Program + + true + bin\x64\Debug\ + DEBUG;TRACE + full + x64 + prompt + MinimumRecommendedRules.ruleset + + + bin\x64\Release\ + TRACE + true + pdbonly + x64 + prompt + MinimumRecommendedRules.ruleset + true + ..\packages\PCRE.NET.0.7.0\lib\net45\PCRE.NET.dll From 0fcb9886af91083cfd08cf07fdce0d5400d7d5e4 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 21 Apr 2022 12:34:09 +0200 Subject: [PATCH 6/7] Update README.md --- README.md | 24 ++++++++++++++++++++---- 1 file changed, 20 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 05bf7e4..b6d3103 100644 --- a/README.md +++ b/README.md @@ -1,15 +1,32 @@ # SharpView .NET port of [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) +Forked from the original [SharpView](https://github.com/tevora-threat/SharpView) + +Modified to fix some of the errors I discovered while using it. #### Usage: ``` C:\>SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local -Credential admin@test.local/password ``` + +Get the help function for a specific method: + ``` C:\>SharpView.exe Get-DomainController -Help Get-DomainController -Domain -Server -DomainController -LDAP -Credential ``` +**Note that argument names are case-sensitive!** + +##### Argument types: + +All supplied arguments are strings that SharpView has to convert to the expected type. Running SharpView without arguments shows examples of how to pass given types. Currently String, Array and Dictionary is working as expected and covers a large part of methods. + +``` +Ex: SharpView.exe Method-Name -Switch -Dictionary key=value;key2=value2 -String domain -Array domain,user -Enum ResetPassword -IntEnum CREATED_BY_SYSTEM,APP_BASIC -PointEnum ResetPassword,All -Credential admin@domain.local/password +Execute 'Sharpview.exe -Help' to get arguments list and expected types +``` + #### Available methods ``` Get-DomainGPOUserLocalGroupMapping @@ -140,9 +157,8 @@ Get-DomainGPOLocalGroup Get-NetGPOGroup ``` -Blog [Here](https://threat.tevora.com/a-sharpview-and-more-aggressor) +Blog [Here](https://www.tevora.com/threat-blog/a-sharpview-and-more-aggressor/) Currently compiled for .NET 4.5.2 todo is support 3.0 (4.0 at minimum) -##### TODO -* Fix any broken issues -* Support .NET 3.0 (or 4.0 depending on CS execute-assembly) \ No newline at end of file +##### Known Issues +* The arguments go through an automatic conversion. This is not really reliable, from what I can see it works for String arrays and Boolean values, and it can create Network Credentials if you supply them but other custom values will fail. I added a Dictionary conversion but other types might fail. From 3112ef86d6c9731fe5f8b5961b21fe64f423e9c4 Mon Sep 17 00:00:00 2001 From: Peter Date: Thu, 21 Apr 2022 12:35:24 +0200 Subject: [PATCH 7/7] Update README.md --- README.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b6d3103..19fd370 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # SharpView .NET port of [PowerView](https://github.com/PowerShellMafia/PowerSploit/blob/dev/Recon/PowerView.ps1) -Forked from the original [SharpView](https://github.com/tevora-threat/SharpView) +forked from the original [SharpView](https://github.com/tevora-threat/SharpView) Modified to fix some of the errors I discovered while using it. @@ -158,7 +158,6 @@ Get-NetGPOGroup ``` Blog [Here](https://www.tevora.com/threat-blog/a-sharpview-and-more-aggressor/) -Currently compiled for .NET 4.5.2 todo is support 3.0 (4.0 at minimum) ##### Known Issues -* The arguments go through an automatic conversion. This is not really reliable, from what I can see it works for String arrays and Boolean values, and it can create Network Credentials if you supply them but other custom values will fail. I added a Dictionary conversion but other types might fail. +* The arguments go through an automatic conversion. This is not really reliable, from what I can see it works for String arrays and Boolean values, and it can create Network Credentials if you supply them but other custom values will fail. I added a Dictionary conversion but other types might fail for now.