RedSnarf is a pen-testing / red-teaming tool by Ed William and Richard Davy for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.

RedSnarf aims to do the following:

• Leave no evidence on the host of intrusion/exfiltration – this includes files, processes and services;
• Not cause undue damage to the host i.e. forcing the host to re-boot

Why use RedSnarf?

Currently there are a number of excellent “post-exploitation” tools; these include the smbexec and Metasploit post-exploitation modules to name but a few.

RedSnarf differs in that:

• It’s easy to use
• It’s lightweight at less than 500 lines of code
• It does as little on the server as possible
• It’s modular
• It’s threaded

     RedSnarf is a pen-testing / red-teaming tool by Ed William and Richard Davy for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.

RedSnarf functionality includes:

• Retrieval of local SAM hashes
• Enumeration of user/s running with elevated system privileges and their corresponding lsa secrets password;
• Retrieval of MS cached credentials;
• Pass-the-hash;
• Quickly identify weak and guessable username/password combinations (default of administrator/Password01);
• The ability to retrieve hashes across a range;
• Hash spraying –
Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;
• Lsass dump for offline analysis with Mimikatz;
• Dumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;
• Dumping of Domain controller hashes using the drsuapi method;
• Retrieval of Scripts and Policies folder from a Domain controller and parsing for ‘password’ and ‘administrator’;
• Ability to decrypt cpassword hashes;
• Ability to start a shell on a remote machine;
• The ability to clear the event logs (application, security, setup or system); (Internal Version only)
• Results are saved on a per-host basis for analysis.
• Enable/Disable RDP on a remote machine.
• Change RDP port from 3389 to 443 on a remote machine.
• Enable/Disable NLA on a remote machine.
• Find where users are logged in on remote machines.
• Backdoor Windows Logon Screen
• Enable/Disable UAC on a remote machine.
• Stealth mimikatz added.
• Parsing of domain hashes
• Ability to determine which accounts are enabled/disabled
• Take a screen shot of a Remote logged on Active Users Desktop
• Record Remote logged on Active Users Desktop
• Decrypt Windows CPassword
• Decrypt WinSCP Password
• Get User SPN’s
• Retrieve WIFI passwords from remote machines

Development & Dependencies

RedSnarf was developed on the following environment:

• Kali Linux
• python 2.7.9
  • termcolor (1.1.0), it does help, honestly!

Requirements:

• Impacket v0.9.16-dev – https://github.com/CoreSecurity/impacket.git
• CredDump7 – https://github.com/Neohapsis/creddump7
• Lsass Retrieval using procdump – https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx
• Netaddr (0.7.12) – pip install netaddr
• Termcolor (1.1.0) – pip install termcolor
• iconv – used with parsing Mimikatz info locally

Show Help

./redsnarf.py -h
./redsnarf.py --help