What do you do after you have successfully gained access to a system and you want to improve your foothold or try to move laterally in the network? You run RedSnarf, that helps you start by retrieving hashes and credentials from Windows workstations, servers and domain controllers!
What is RedSnarf?
RedSnarf is an easy to use, open source, multi-threaded and modular post-exploitation tool that helps you retrieve hashes and credentials from Windows workstations, servers and domain controllers using OpSec-Safe techniques.
Functions of RedSnarf:
- Retrieval of local SAM hashes
- Enumeration of user/s running with elevated system privileges and their corresponding Local Security Authority (LSA) secrets password;
- Retrieval of Microsoft cached credentials;
- Quickly identify weak and guessable username/password combinations (default of administrator/Password01);
- The ability to retrieve hashes across a range;
- Hash spraying –
Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;
- Local Security Authority Subsystem Service (LSASS) dump for offline analysis with Mimikatz;
- Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;
- Dumping of Domain controller hashes using the drsuapi method;
- Retrieval of Scripts and Policies folder from a Domain controller and parsing for ‘password’ and ‘administrator’;
- Ability to start a shell on a remote machine;
- The ability to clear the event logs (application, security, setup or system); (internal version only)
- Results are saved on a per-host basis for analysis.
- Enable/Disable Remote Desktop Protocol (RDP) on a remote machine.
- Change RDP port from 3389 to 443 on a remote machine.
- Enable/Disable Network Level Authentication (NLA) on a remote machine.
- Find where users are logged in on remote machines.
- Backdoor Windows Logon Screen
- Enable/Disable User Account Control (UAC) on a remote machine.
- Stealth Mimikatz added.
- Parsing of domain hashes
- Ability to determine which accounts are enabled/disabled
- Take a screen shot of a remote logged on Active Users Desktop
- Record remote logged on Active Users Desktop
- Decrypt Windows CPassword
- Decrypt WinSCP Password
- Get User SPN’s
- Retrieve WIFI passwords from remote machines
RedSnarf is more of a well rounded wrapper around other tools such as pth-winexe, pth-smbclient, creddump7, Impacket v0.9.16-dev, procdump.exe and dos2unix. It simplifies manual intervention while working with these tools and does this in a safe manner while extracting hashes and credentials. RedSnarf is also designed to be modular in nature; if dependencies are missing for one module this will have no impact on other modules, just that particular functionality is disabled. To clear application, security, setup or system event logs, it uses pth-winexe. There are lot of functionalities in this tool which have been well documented and there are good demonstration videos of this. It also takes care of logging all relevant data on a host basis.
RedSnarf version 0.4o can be found here.