SharpWebServer – HTTP And WebDAV Server With Net-NTLM Hashes Capture Functionality

A Red Team-oriented simple HTTP & WebDAV server written in C# with functionality to capture Net-NTLM hashes. It is intended for serving payloads on compromised machines for lateral movement purposes.

Requires .NET Framework 4.5 and System.Net and System.Net.Sockets references.

Usage

:: SharpWebServer ::

a Red Team oriented C# Simple HTTP Server with Net-NTLMv1/2 hashes capture functionality

Authors:

– Can Güney Aksakalli (github.com/aksakalli) – original implementation

– harrypatrick442 (github.com/harrypatrick442) – aksakalli’s fork & changes

– Dominic Chell (@domchell) from MDSec – Net-NTLMv2 hashes capture code borrowed from Farmer

– Mariusz B. / mgeeky, – combined all building blocks together,

added connection keep-alive to NTLM Authentication

Usage:

SharpWebServer.exe [dir=path] [verbose=true] [ntlm=true] [logfile=path]

Options:

port – TCP Port number on which to listen (1-65535)

dir – Directory with files to be hosted.

verbose – Turn verbose mode on.

seconds – Specifies how long should the server be running. Default: indefinitely

ntlm – Require NTLM Authentication before serving files. Useful to collect NetNTLMv2 hashes

(in MDSec’s Farmer style)

logfile – Path to output logfile.

Example

Example use-case serving files and capturing Net-NTLM hashes at the same time:

Server:

C:\> SharpWebServer.exe port=8888 dir=C:\Windows\Temp verbose=true ntlm=true

:: SharpWebServer ::

a Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality

Authors:

– Dominic Chell (@domchell) from MDSec – Net-NTLM hashes capture code borrowed from Farmer

– Mariusz B. / mgeeky, – WebDAV implementation, NTLM Authentication keep-alive,

all the rest.

Usage:

SharpWebServer.exe [dir=path] [verbose=true] [ntlm=true] [logfile=path]

Options:

port – TCP Port number on which to listen (1-65535)

dir – Directory with files to be hosted.

verbose – Turn verbose mode on.

seconds – Specifies how long should the server be running. Default: indefinitely

ntlm – Require NTLM Authentication before serving files. Useful to collect NetNTLM hashes

(in MDSec’s Farmer style)

logfile – Path to output logfile.

Client:

C:\> curl -sD- http://localhost:8888/test.txt --ntlm --negotiate -u TestUser:TestPassword

HTTP/1.1 401 Unauthorized

Transfer-Encoding: chunked

WWW-Authenticate: NTLM

Date: Mon, 29 Mar 2021 15:55:14 GMT

HTTP/1.1 401 Unauthorized

Transfer-Encoding: chunked

WWW-Authenticate: NTLM TlRMTVNTUAACAAAABgAGADgAAAAFAomiESIzRFVmd4gAAAAAAAAAAIAAgAA+AAAABQLODgAAAA9TAE0AQgACAAYAUwBNAEIAAQAWAFMATQBCAC0AVABPAE8ATABLAEkAVAAEABIAcwBtAGIALgBsAG8AYwBhAGwAAwAoAHMAZQByAHYAZQByADIAMAAwADMALgBzAG0AYgAuAGwAbwBjAGEAbAAFABIAcwBtAGIALgBsAG8AYwBhAGwAAAAAAA==

Date: Mon, 29 Mar 2021 15:55:14 GMT

HTTP/1.1 200 OK

Content-Length: 6

Content-Type: text/plain

Date: Mon, 29 Mar 2021 15:55:14 GMT

foobar
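An added example, not part of SharpWebServer or the original post: a Python parser for the Type 2 challenge carried in the `WWW-Authenticate: NTLM` header of the transcript above, of the kind used when reviewing proxy logs or packet captures. The `STATIC_CHALLENGES` set and the output key names are assumptions of this example; the challenge on this page decodes to the constant pattern 1122334455667788.

```python
import base64
import struct

# WWW-Authenticate value copied from the second 401 in the transcript above.
PAGE_HEADER = ("NTLM "
    "TlRMTVNTUAACAAAABgAGADgAAAAFAomiESIzRFVmd4gAAAAAAAAAAIAAgAA+AAAA"
    "BQLODgAAAA9TAE0AQgACAAYAUwBNAEIAAQAWAFMATQBCAC0AVABPAE8ATABLAEkA"
    "VAAEABIAcwBtAGIALgBsAG8AYwBhAGwAAwAoAHMAZQByAHYAZQByADIAMAAwADMA"
    "LgBzAG0AYgAuAGwAbwBjAGEAbAAFABIAcwBtAGIALgBsAG8AYwBhAGwAAAAAAA==")

# AV pair ids from MS-NLMP 2.2.2.1 (subset); key names are this example's own.
AV_NAMES = {1: "nb_computer", 2: "nb_domain", 3: "dns_computer",
            4: "dns_domain", 5: "dns_tree"}

# Assumption: constant-pattern challenges worth alerting on, since MS-NLMP
# defines the challenge as a 64-bit nonce. Extend from your own telemetry.
STATIC_CHALLENGES = {"1122334455667788"}


def parse_type2(header_value):
    """Decode the NTLM CHALLENGE_MESSAGE in a WWW-Authenticate header value."""
    scheme, _, blob = header_value.strip().partition(" ")
    if scheme.upper() != "NTLM" or not blob:
        raise ValueError("no NTLM token in header")
    msg = base64.b64decode(blob, validate=True)
    if len(msg) < 48 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("truncated message or bad NTLMSSP signature")
    msg_type, name_len, _, name_off, flags = struct.unpack_from("<IHHII", msg, 8)
    if msg_type != 2:
        raise ValueError("not a Type 2 (challenge) message")
    info_len, _, info_off = struct.unpack_from("<HHI", msg, 40)
    if name_off + name_len > len(msg) or info_off + info_len > len(msg):
        raise ValueError("field points outside the message")
    # Target name is UTF-16LE only when NEGOTIATE_UNICODE (bit 0) is set.
    name_enc = "utf-16-le" if flags & 0x1 else "latin-1"
    info, pos, pairs = msg[info_off:info_off + info_len], 0, {}
    while pos + 4 <= len(info):
        av_id, av_len = struct.unpack_from("<HH", info, pos)
        if av_id == 0:  # MsvAvEOL terminates the list
            break
        raw = info[pos + 4:pos + 4 + av_len]
        pairs[AV_NAMES.get(av_id, str(av_id))] = raw.decode("utf-16-le", "replace")
        pos += 4 + av_len
    challenge = msg[24:32].hex()
    return {"target": msg[name_off:name_off + name_len].decode(name_enc, "replace"),
            "flags": flags, "challenge": challenge, "av_pairs": pairs,
            "static_challenge": challenge in STATIC_CHALLENGES}


if __name__ == "__main__":
    print(parse_type2(PAGE_HEADER))
```

The first 401 in the transcript carries a bare `NTLM` scheme with no token, so `parse_type2` rejects it with `ValueError`; only the second response holds a challenge to decode.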

WebDAV client:
