[](<https://1.bp.blogspot.com/-ffC9rOMK9xI/YL1pGIREnfI/AAAAAAAAZ8k/bumn5seRzrQcuC-0ouBIsgDfJzsP3hIjgCNcBGAsYHQ/s440/Net-NTLM%2BHashes.png>)
A [Red Team](<https://www.kitploit.com/search/label/Red%20Team> "Red Team" ) oriented simple **HTTP & WebDAV** server written in C# with functionality to [capture](<https://www.kitploit.com/search/label/Capture> "capture" ) Net-NTLM hashes. To be used for serving payloads on compromised machines for [lateral movement](<https://www.kitploit.com/search/label/Lateral%20Movement> "lateral movement" ) purposes.
Requires .NET Framework 4.5 and _System.Net_ and _System.Net.Sockets_ references.
**Usage**
:: SharpWebServer ::
a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality
Authors:
- Can Güney Aksakalli (github.com/aksakalli) - original implementation
- harrypatrick442 (github.com/harrypatrick442) - aksakalli's fork & changes
- Dominic Chell (@domchell) from MDSec - Net-NTLMv2 hashes capture code borrowed from Farmer
- Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - combined all building blocks together,
added connection keep-alive to NTLM Authentication
Usage:
SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path]
Options:
port - TCP Port number on which to listen (1-65535)
dir - Directory with files to be hosted.
verbose - Turn verbose mode on.
seconds - Specifies h ow long should the server be running. Default: indefinitely
ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLMv2 hashes
(in MDSec's Farmer style)
logfile - Path to output logfile.
**Example**
Example use-case serving files and capturing Net-NTLM hashes at the same time:
**Server**:
WebDAV Server with Net-NTLM hashes capture functionality Authors: - Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> \- WebDAV implementation, NTLM Authentication keep-alive, all the rest. Usage: SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] Options: port - TCP Port number on which to listen (1-65535) dir - Directory with files to be hosted. verbose - Turn verbose mode on. seconds - Specifies how long should the server be running. Default: indefinitely ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLM hashes (in MDSec's Farmer style) logfile - Path to output logfile. ">
C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true
:: SharpWebServer ::
a Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality
Authors:
- Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer
- Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - WebDAV implementation, NTLM Authentication keep-alive,
all the rest.
Usage:
SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path]
Options:
port - TCP Port number on which to listen (1-65535)
dir - Directory with files to be hosted.
verbose - Turn verbose mode on.
seconds - Specifies how long should the server be running. Default: indefinitely
ntlm - Require NTLM Authentication befo re serving files. Useful to collect NetNTLM hashes
(in MDSec's Farmer style)
logfile - Path to output logfile.
**Client**:
C:\> curl -sD- http://localhost:8888/test.txt --ntlm --negotiate -u TestUser:TestPassword
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
WWW-Authenticate: NTLM
Date: Mon, 29 Mar 2021 15:55:14 GMT
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFAomiESIzRFVmd4gAAAAAAAAAAIAAgAA+AAAABQLODgAAAA9TAE0AQgACAAYAUwBNAEIAAQAWAFMATQBCAC0AVABPAE8ATABLAEkAVAAEABIAcwBtAGIALgBsAG8AYwBhAGwAAwAoAHMAZQByAHYAZQByADIAMAAwADMALgBzAG0AYgAuAGwAbwBjAGEAbAAFABIAcwBtAGIALgBsAG8AYwBhAGwAAAAAAA==
Date: Mon, 29 Mar 2021 15:55:14 GMT
HTTP/1.1 200 OK
Content-Length: 6
Content-Type: text/plain
Date: Mon, 29 Mar 2021 15:55:14 GMT
foobar
**WebDAV client**:
C:\> dir \\[email protected]\test
Volume in drive \\[email protected]\test has no label.
Volume Serial Number is 0000-0000
Directory of \\[email protected]\test
30.03.2021 05:12 <DIR> .
30.03.2021 05:12 <DIR> ..
30.03.2021 04:27 11 test2.txt
30.03.2021 05:12 12 test3.txt
30.03.2021 05:12 <DIR> test4
2 File(s) 23 bytes
3 Dir(s) 225 268 776 960 bytes free
C:\> type \\[email protected]\test\test4\test5.txt
Hello world!
C:\> copy \\[email protected]\test\test4\test5.txt .
1 file(s) copied.
**Authors**
* NTLM hashes capture code & TCP [Listener](<https://www.kitploit.com/search/label/Listener> "Listener" ) backbone borrowed from MDSec ActiveBreach Farmer project written by Dominic Chell (@domchell):
* <https://github.com/mdsecactivebreach/Farmer>
* WebDAV implementation, NTLM Authentication keep-alive logic & all the rest `Mariusz B. / mgeeky, '21, <mb [at] binary-offensive.com>`
**[Download SharpWebServer](<https://github.com/mgeeky/SharpWebServer> "Download SharpWebServer" )**
{"id": "KITPLOIT:1433013735880609984", "vendorId": null, "type": "kitploit", "bulletinFamily": "tools", "title": "SharpWebServer - HTTP And WebDAV Server With Net-NTLM Hashes Capture Functionality", "description": "[](<https://1.bp.blogspot.com/-ffC9rOMK9xI/YL1pGIREnfI/AAAAAAAAZ8k/bumn5seRzrQcuC-0ouBIsgDfJzsP3hIjgCNcBGAsYHQ/s440/Net-NTLM%2BHashes.png>)\n\n \n\n\nA [Red Team](<https://www.kitploit.com/search/label/Red%20Team> \"Red Team\" ) oriented simple **HTTP & WebDAV** server written in C# with functionality to [capture](<https://www.kitploit.com/search/label/Capture> \"capture\" ) Net-NTLM hashes. To be used for serving payloads on compromised machines for [lateral movement](<https://www.kitploit.com/search/label/Lateral%20Movement> \"lateral movement\" ) purposes.\n\nRequires .NET Framework 4.5 and _System.Net_ and _System.Net.Sockets_ references.\n\n \n\n\n**Usage** \n\n \n \n :: SharpWebServer :: \n a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality \n \n Authors: \n - Can G\u00fcney Aksakalli (github.com/aksakalli) - original implementation \n - harrypatrick442 (github.com/harrypatrick442) - aksakalli's fork & changes \n - Dominic Chell (@domchell) from MDSec - Net-NTLMv2 hashes capture code borrowed from Farmer \n - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - combined all building blocks together, \n added connection keep-alive to NTLM Authentication \n \n Usage: \n SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] \n \n Options: \n port - TCP Port number on which to listen (1-65535) \n dir - Directory with files to be hosted. \n verbose - Turn verbose mode on. \n seconds - Specifies h ow long should the server be running. Default: indefinitely \n ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLMv2 hashes \n (in MDSec's Farmer style) \n logfile - Path to output logfile. \n \n\n \n**Example** \n\n\nExample use-case serving files and capturing Net-NTLM hashes at the same time:\n\n**Server**:\n\nWebDAV Server with Net-NTLM hashes capture functionality Authors: - Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> \\- WebDAV implementation, NTLM Authentication keep-alive, all the rest. Usage: SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] Options: port - TCP Port number on which to listen (1-65535) dir - Directory with files to be hosted. verbose - Turn verbose mode on. seconds - Specifies how long should the server be running. Default: indefinitely ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLM hashes (in MDSec's Farmer style) logfile - Path to output logfile. \">\n \n \n C:\\> SharpWebServer.exe port=8888 dir=C:\\Windows\\Temp verbose=true ntlm=true \n \n :: SharpWebServer :: \n a Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality \n \n Authors: \n - Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer \n - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - WebDAV implementation, NTLM Authentication keep-alive, \n all the rest. \n \n Usage: \n SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] \n \n Options: \n port - TCP Port number on which to listen (1-65535) \n dir - Directory with files to be hosted. \n verbose - Turn verbose mode on. \n seconds - Specifies how long should the server be running. Default: indefinitely \n ntlm - Require NTLM Authentication befo re serving files. Useful to collect NetNTLM hashes \n (in MDSec's Farmer style) \n logfile - Path to output logfile.\n\n**Client**:\n \n \n C:\\> curl -sD- http://localhost:8888/test.txt --ntlm --negotiate -u TestUser:TestPassword \n HTTP/1.1 401 Unauthorized \n Transfer-Encoding: chunked \n WWW-Authenticate: NTLM \n Date: Mon, 29 Mar 2021 15:55:14 GMT \n \n HTTP/1.1 401 Unauthorized \n Transfer-Encoding: chunked \n WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFAomiESIzRFVmd4gAAAAAAAAAAIAAgAA+AAAABQLODgAAAA9TAE0AQgACAAYAUwBNAEIAAQAWAFMATQBCAC0AVABPAE8ATABLAEkAVAAEABIAcwBtAGIALgBsAG8AYwBhAGwAAwAoAHMAZQByAHYAZQByADIAMAAwADMALgBzAG0AYgAuAGwAbwBjAGEAbAAFABIAcwBtAGIALgBsAG8AYwBhAGwAAAAAAA== \n Date: Mon, 29 Mar 2021 15:55:14 GMT \n \n HTTP/1.1 200 OK \n Content-Length: 6 \n Content-Type: text/plain \n Date: Mon, 29 Mar 2021 15:55:14 GMT \n \n foobar\n\n**WebDAV client**:\n \n \n C:\\> dir \\\\[email\u00a0protected]\\test \n Volume in drive \\\\[email\u00a0protected]\\test has no label. \n Volume Serial Number is 0000-0000 \n \n Directory of \\\\[email\u00a0protected]\\test \n \n 30.03.2021 05:12 <DIR> . \n 30.03.2021 05:12 <DIR> .. \n 30.03.2021 04:27 11 test2.txt \n 30.03.2021 05:12 12 test3.txt \n 30.03.2021 05:12 <DIR> test4 \n 2 File(s) 23 bytes \n 3 Dir(s) 225\u00a0268\u00a0776\u00a0960 bytes free \n \n C:\\> type \\\\[email\u00a0protected]\\test\\test4\\test5.txt \n Hello world! \n \n C:\\> copy \\\\[email\u00a0protected]\\test\\test4\\test5.txt . \n 1 file(s) copied.\n\n \n**Authors** \n\n\n * NTLM hashes capture code & TCP [Listener](<https://www.kitploit.com/search/label/Listener> \"Listener\" ) backbone borrowed from MDSec ActiveBreach Farmer project written by Dominic Chell (@domchell):\n\n * <https://github.com/mdsecactivebreach/Farmer>\n * WebDAV implementation, NTLM Authentication keep-alive logic & all the rest `Mariusz B. / mgeeky, '21, <mb [at] binary-offensive.com>`\n\n \n \n\n\n**[Download SharpWebServer](<https://github.com/mgeeky/SharpWebServer> \"Download SharpWebServer\" )**\n", "published": "2021-06-09T21:30:00", "modified": "2021-06-09T21:30:00", "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "http://www.kitploit.com/2021/06/sharpwebserver-http-and-webdav-server.html", "reporter": "KitPloit", "references": ["https://github.com/mdsecactivebreach/Farmer", "https://github.com/mgeeky/SharpWebServer"], "cvelist": [], "immutableFields": [], "lastseen": "2022-04-07T12:01:56", "viewCount": 173, "enchantments": {"dependencies": {}, "score": {"value": -0.0, "vector": "NONE"}, "backreferences": {"references": [{"type": "nessus", "idList": ["OPENSUSE-2017-662.NASL", "SUSE_SU-2017-1445-1.NASL"]}, {"type": "threatpost", "idList": ["THREATPOST:3B05FD25F1EFE431C23369F5790520EB"]}]}, "exploitation": null, "vulnersScore": -0.0}, "_state": {"dependencies": 1659899726, "score": 1659749172}, "_internal": {}, "toolHref": "https://github.com/mgeeky/SharpWebServer"}