2. 2 Confidential & Proprietary
WRITING OFFENSIVE .NET TOOLS
2
Alexander Polce Leary
Name: Alexander Polce Leary
Job: Network & Application Pentester @ NetSPI
Red Team Lead
Twitter: @0xbadjuju
Slides: On their way
Blogs: https://blog.netspi.com/author/aleary/
Code: https://github.com/0xbadjuju/
WheresMyImplant
Introduced at DerbyCon & ArcticCon 2017
C# WMI provider for persistence
Picking up where I left off
Problem: Not useful enough
Solution: Make it not dependent on other toolkits
To Do: Too long to list here
https://www.irongeek.com/i.php?page=videos/derbycon7/s01-building-better-backdoors-with-wmi-alexander-leary
WheresMyImplant
First list item – SAM Hash Dumping
Problems:
How to do this?
Requires SYSTEM access
How to get SYSTEM?
Tokenvator
Started as the GetSystem portion
Released June 19
Picked up on Twitter March 18
Before it was released it was more popular than all
other projects on my GitHub combined
Tokenvator
So what happened?
Ooo shiny factor (Scope Creep)
Caused it to grow in size to be its own tool
I made the mistake of asking for suggestions
Tab completion?
Context Specific Help Menu?
Wiki?
WheresMyImplant
Got SYSTEM
Now where were we?
Adding modules
Problem:
Testing modules in a .Net DLL
There’s no easy way of running methods
PowerShell gets tedious
RunDotNetDll32
Simple way to run .Net library
List the Namespaces, Classes, Methods, and
Parameters without a reflector
Released April 24
RunDotNetDll32
Kept to a limited scope
...until I started using it on engagements
RunDotNetDll32
Initial Release
Assembly.LoadFile()
Run into issues with EDR
Keeps the DLL in memory
Second Release
AssemblyName.GetAssemblyName() -> Type.GetType()
Avoids Assembly.LoadFile()
Doesn’t keep the DLL in memory
Third Release
Interactive Mode
Limited utility with one off commands
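The listing part of the slide (namespaces, classes, methods and parameters without a reflector), as an added example that is not RunDotNetDll32's own code. It assumes .NET Framework, where a reflection-only load lets the metadata be read without any code in the DLL executing:

```csharp
// Added example, not RunDotNetDll32's own code: list an assembly's namespaces,
// classes, methods and parameters without a reflector and without executing
// any of its code. Targets .NET Framework: ReflectionOnlyLoadFrom is not
// available on .NET Core.
using System;
using System.IO;
using System.Linq;
using System.Reflection;

class AssemblyLister
{
    static void Main(string[] args)
    {
        if (args.Length != 1) { Console.WriteLine("usage: AssemblyLister.exe <path-to-dll>"); return; }
        string path = Path.GetFullPath(args[0]);

        // Reads only the manifest; nothing is loaded into the AppDomain yet.
        AssemblyName name = AssemblyName.GetAssemblyName(path);
        Console.WriteLine("Assembly: {0}", name.FullName);

        // Dependencies referenced by the inspected DLL are resolved reflection-only too.
        AppDomain.CurrentDomain.ReflectionOnlyAssemblyResolve +=
            (s, e) => Assembly.ReflectionOnlyLoad(e.Name);

        // Reflection-only context: metadata is readable, but no module
        // initializer or static constructor in the DLL can run.
        Assembly asm = Assembly.ReflectionOnlyLoadFrom(path);
        Type[] types;
        try { types = asm.GetTypes(); }
        catch (ReflectionTypeLoadException ex) { types = ex.Types.Where(t => t != null).ToArray(); }

        const BindingFlags All = BindingFlags.Public | BindingFlags.NonPublic |
                                 BindingFlags.Static | BindingFlags.Instance | BindingFlags.DeclaredOnly;

        foreach (string ns in types.Select(t => t.Namespace ?? "<global>").Distinct().OrderBy(n => n))
        {
            Console.WriteLine("Namespace: {0}", ns);
            foreach (Type t in types.Where(t => t.IsClass && (t.Namespace ?? "<global>") == ns))
            {
                Console.WriteLine("  Class: {0}", t.Name);
                foreach (MethodInfo m in t.GetMethods(All))
                {
                    string ps = string.Join(", ",
                        m.GetParameters().Select(p => p.ParameterType.Name + " " + p.Name));
                    Console.WriteLine("    {0} {1}({2})", m.ReturnType.Name, m.Name, ps);
                }
            }
        }
    }
}
```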
WheresMyImplant
Welp that just happened again
Back to building modules
MiniDump
Clipboard Monitoring
KeyLogger
Lateral Movement
WMI Method Execution
WMI Query
SMB Exec (PsExec)
PTH SMB Client - Get, Put, Del, List
PTH SMB Exec (PsExec)
PTH WMI Exec (Win32_Process)
DCOM – DDE, MMC, ShellWindows, ShellBrowserWindow, ShellAutomation, and more
ShellCode Injection
DLL Injection
Reflective PE Injection
Run Command
Run PowerShell
Run XP_CmdShell
C# Empire Agent
WMI Provider
WMI for file storage
Starting Point
Injection
Process Hollowing
Thread Hijacking
Credentials
SAM Dump
LSA Secrets
Domain Cached Credentials
Credential Vault + CLI
Wireless Profiles PSK
Collection
Browser History
Memory Scraper
New Stuff
Local – Mapped Network Drives
Local – Tasklist
Misc
Base64 Encode File
Generate NTLM Hash
And More
Persistence
Add Local User + Add Local Admin
Add Domain User
Add User to Domain Group
Delete Domain User
Remove Domain User From Group
WMI Self Install
Recon
LDAP Queries
LDAP – Domain Controllers
LDAP – Domain Groups
LDAP – Domain Users
LDAP – Domain Group Members
LDAP – Domain Protected Users
LDAP – Kerberos PreAuth
LDAP – Password Never Expires
LDAP – Password Not Required
LDAP – ServicePrincipalNames
LDAP – LAPS Password
Local – ComputerName
Local – Domain Name
Local – LogonServer
Local – AntiVirus Product
Local – OS Info
WheresMyImplant + Tokenvator
Problem: Large Shared Codebase
Maintaining consistency between the two
Did it by hand for too long
Solution:
Git Submodules
Tokenvator is a submodule of WheresMyImplant
MonkeyWorks
This is a library of P/Invokes and SMB Client Methods
P/Invokes are organized by library and header file
MonkeyWorks.Unmanaged.Libraries.Advapi32
MonkeyWorks.Unmanaged.Headers.Winnt
SMB Client is organized by method
Port of Invoke-TheHash
MonkeyWorks.SMB.SMB2.SMB2IoctlRequest
https://github.com/NetSPI/MonkeyWorks/
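The library-per-file and header-per-file layout the slide describes, as an added example that is not MonkeyWorks' own code. The `Example.Unmanaged.*` namespaces are illustrative stand-ins; the one Advapi32 call and the winnt.h constants it needs are real, and the program only queries its own process token:

```csharp
// Added example, not MonkeyWorks' own code: P/Invokes grouped by exporting DLL,
// constants grouped by the Win32 header that defines them. Namespace names are
// illustrative. Reports whether the current process token is UAC-elevated.
using System;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;
using Example.Unmanaged.Headers;
using Example.Unmanaged.Libraries;

namespace Example.Unmanaged.Headers
{
    public static class Winnt   // from winnt.h
    {
        public const uint TOKEN_QUERY = 0x0008;
        public const int TokenElevation = 20;   // TOKEN_INFORMATION_CLASS member
        [StructLayout(LayoutKind.Sequential)]
        public struct TOKEN_ELEVATION { public uint TokenIsElevated; }
    }
}

namespace Example.Unmanaged.Libraries
{
    public static class Advapi32   // exported by advapi32.dll
    {
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool OpenProcessToken(IntPtr hProcess, uint access, out SafeAccessTokenHandle hToken);
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool GetTokenInformation(SafeAccessTokenHandle hToken, int infoClass,
            IntPtr info, uint len, out uint returned);
    }
}

class Demo
{
    static bool IsCurrentTokenElevated()
    {
        SafeAccessTokenHandle token;
        IntPtr self = System.Diagnostics.Process.GetCurrentProcess().Handle;
        if (!Advapi32.OpenProcessToken(self, Winnt.TOKEN_QUERY, out token))
            throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
        uint size = (uint)Marshal.SizeOf(typeof(Winnt.TOKEN_ELEVATION));
        IntPtr buf = Marshal.AllocHGlobal((int)size);
        try
        {
            uint returned;
            if (!Advapi32.GetTokenInformation(token, Winnt.TokenElevation, buf, size, out returned))
                throw new System.ComponentModel.Win32Exception(Marshal.GetLastWin32Error());
            return ((Winnt.TOKEN_ELEVATION)Marshal.PtrToStructure(buf, typeof(Winnt.TOKEN_ELEVATION))).TokenIsElevated != 0;
        }
        finally { Marshal.FreeHGlobal(buf); token.Dispose(); }
    }

    static void Main() { Console.WriteLine("Current process token elevated: {0}", IsCurrentTokenElevated()); }
}
```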
Problems
Framework Versions
Windows 7 – .Net 3.5 – CLR 2.0 (Default)
Windows 10 – CLR 4.0 (Default)
More Framework Problems
.Net Framework 4.8 will be the final “Framework” release
.Net Core will be taking over
Trivial to Reverse Engineer
AMSI inevitability
Seems to be partially implemented in Defender
27. MINNEAPOLIS | NEW YORK | PORTLAND | DENVER | DALLAS
Empowering enterprises to scale & operationalize their
security programs, globally.
Editor's Notes
Familiarity – Similar to Java and Powershell
Documentation – MSDN is massive
Resources - Stack Overflow – If you have a question it's already been answered somewhere – p/invoke
Visual Studio – Seems small but small things like intellisense lower the barrier to entry
Reaction was well… Muted
How to do this – this is a recurring theme
There are people out there that creep on repos
Reaction was well… Muted
I should mention that even my wife is a project manager
Well, it turned into a cool project