logo
DATABASE RESOURCES PRICING ABOUT US

SharpWebServer - HTTP And WebDAV Server With Net-NTLM Hashes Capture Functionality

Description

[![](https://1.bp.blogspot.com/-ffC9rOMK9xI/YL1pGIREnfI/AAAAAAAAZ8k/bumn5seRzrQcuC-0ouBIsgDfJzsP3hIjgCNcBGAsYHQ/s16000/Net-NTLM%2BHashes.png)](<https://1.bp.blogspot.com/-ffC9rOMK9xI/YL1pGIREnfI/AAAAAAAAZ8k/bumn5seRzrQcuC-0ouBIsgDfJzsP3hIjgCNcBGAsYHQ/s440/Net-NTLM%2BHashes.png>) A [Red Team](<https://www.kitploit.com/search/label/Red%20Team> "Red Team" ) oriented simple **HTTP & WebDAV** server written in C# with functionality to [capture](<https://www.kitploit.com/search/label/Capture> "capture" ) Net-NTLM hashes. To be used for serving payloads on compromised machines for [lateral movement](<https://www.kitploit.com/search/label/Lateral%20Movement> "lateral movement" ) purposes. Requires .NET Framework 4.5 and _System.Net_ and _System.Net.Sockets_ references. **Usage** :: SharpWebServer :: a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality Authors: - Can Güney Aksakalli (github.com/aksakalli) - original implementation - harrypatrick442 (github.com/harrypatrick442) - aksakalli's fork & changes - Dominic Chell (@domchell) from MDSec - Net-NTLMv2 hashes capture code borrowed from Farmer - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - combined all building blocks together, added connection keep-alive to NTLM Authentication Usage: SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] Options: port - TCP Port number on which to listen (1-65535) dir - Directory with files to be hosted. verbose - Turn verbose mode on. seconds - Specifies h ow long should the server be running. Default: indefinitely ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLMv2 hashes (in MDSec's Farmer style) logfile - Path to output logfile. **Example** Example use-case serving files and capturing Net-NTLM hashes at the same time: **Server**: WebDAV Server with Net-NTLM hashes capture functionality Authors: - Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> \- WebDAV implementation, NTLM Authentication keep-alive, all the rest. Usage: SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] Options: port - TCP Port number on which to listen (1-65535) dir - Directory with files to be hosted. verbose - Turn verbose mode on. seconds - Specifies how long should the server be running. Default: indefinitely ntlm - Require NTLM Authentication before serving files. Useful to collect NetNTLM hashes (in MDSec's Farmer style) logfile - Path to output logfile. "> C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true :: SharpWebServer :: a Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality Authors: - Dominic Chell (@domchell) from MDSec - Net-NTLM hashes capture code borrowed from Farmer - Mariusz B. / mgeeky, <mb [at] binary-offensive.com> - WebDAV implementation, NTLM Authentication keep-alive, all the rest. Usage: SharpWebServer.exe <port=port> [dir=path] [verbose=true] [ntlm=true] [logfile=path] Options: port - TCP Port number on which to listen (1-65535) dir - Directory with files to be hosted. verbose - Turn verbose mode on. seconds - Specifies how long should the server be running. Default: indefinitely ntlm - Require NTLM Authentication befo re serving files. Useful to collect NetNTLM hashes (in MDSec's Farmer style) logfile - Path to output logfile. **Client**: C:\> curl -sD- http://localhost:8888/test.txt --ntlm --negotiate -u TestUser:TestPassword HTTP/1.1 401 Unauthorized Transfer-Encoding: chunked WWW-Authenticate: NTLM Date: Mon, 29 Mar 2021 15:55:14 GMT HTTP/1.1 401 Unauthorized Transfer-Encoding: chunked WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFAomiESIzRFVmd4gAAAAAAAAAAIAAgAA+AAAABQLODgAAAA9TAE0AQgACAAYAUwBNAEIAAQAWAFMATQBCAC0AVABPAE8ATABLAEkAVAAEABIAcwBtAGIALgBsAG8AYwBhAGwAAwAoAHMAZQByAHYAZQByADIAMAAwADMALgBzAG0AYgAuAGwAbwBjAGEAbAAFABIAcwBtAGIALgBsAG8AYwBhAGwAAAAAAA== Date: Mon, 29 Mar 2021 15:55:14 GMT HTTP/1.1 200 OK Content-Length: 6 Content-Type: text/plain Date: Mon, 29 Mar 2021 15:55:14 GMT foobar **WebDAV client**: C:\> dir \\[email protected]\test Volume in drive \\[email protected]\test has no label. Volume Serial Number is 0000-0000 Directory of \\[email protected]\test 30.03.2021 05:12 <DIR> . 30.03.2021 05:12 <DIR> .. 30.03.2021 04:27 11 test2.txt 30.03.2021 05:12 12 test3.txt 30.03.2021 05:12 <DIR> test4 2 File(s) 23 bytes 3 Dir(s) 225 268 776 960 bytes free C:\> type \\[email protected]\test\test4\test5.txt Hello world! C:\> copy \\[email protected]\test\test4\test5.txt . 1 file(s) copied. **Authors** * NTLM hashes capture code & TCP [Listener](<https://www.kitploit.com/search/label/Listener> "Listener" ) backbone borrowed from MDSec ActiveBreach Farmer project written by Dominic Chell (@domchell): * <https://github.com/mdsecactivebreach/Farmer> * WebDAV implementation, NTLM Authentication keep-alive logic & all the rest `Mariusz B. / mgeeky, '21, <mb [at] binary-offensive.com>` **[Download SharpWebServer](<https://github.com/mgeeky/SharpWebServer> "Download SharpWebServer" )**