{"id":13842977,"url":"https://github.com/Verizon/redshell","last_synced_at":"2025-07-11T17:32:41.732Z","repository":{"id":37296285,"uuid":"283871344","full_name":"Verizon/redshell","owner":"Verizon","description":"An interactive command prompt for red teaming and pentesting. Automatically pushes commands through SOCKS4/5 proxies via proxychains. Optional Cobalt Strike integration pulls beacon SOCKS4/5 proxies from the team server. Automatically logs activities to a local CSV file and a Cobalt Strike team server (if configured).","archived":false,"fork":false,"pushed_at":"2022-08-23T02:05:57.000Z","size":341,"stargazers_count":206,"open_issues_count":0,"forks_count":42,"subscribers_count":17,"default_branch":"master","last_synced_at":"2024-08-05T17:35:29.707Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/Verizon.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-07-30T20:33:45.000Z","updated_at":"2024-07-21T10:08:25.000Z","dependencies_parsed_at":"2022-09-06T16:10:23.911Z","dependency_job_id":null,"html_url":"https://github.com/Verizon/redshell","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Verizon%2Fredshell","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Verizon%2Fredshell/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Verizon%2Fredshell/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/Verizon%2Fredshell/m
anifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/Verizon","download_url":"https://codeload.github.com/Verizon/redshell/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":225745397,"owners_count":17517631,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-04T17:01:52.685Z","updated_at":"2024-11-21T14:30:33.655Z","avatar_url":"https://github.com/Verizon.png","language":"Python","funding_links":[],"categories":["Python","Python (1887)"],"sub_categories":[],"readme":"# RedShell\nAn interactive command prompt for red teaming and pentesting. Automatically pushes commands through SOCKS4/5 proxies via proxychains. Optional Cobalt Strike integration pulls beacon SOCKS4/5 proxies from the team server. Automatically logs activities to a local CSV file and a Cobalt Strike team server (if configured).\n\nNote that because RedShell uses proxychains under the hood, only TCP traffic is proxied.\n\n# Installation\nRedShell runs on Python \u003e 3.8.\n\nInstall dependencies:\n```\npip3 install -r requirements.txt\n```\nInstall proxychains-ng (https://github.com/rofl0r/proxychains-ng):\n```\napt install proxychains4\n```\nRedShell is no longer dependent on Cobalt Strike. However, if you're using Cobalt Strike integration, the CS client must be installed on the same host as RedShell. 
Also make the agscript wrapper executable:\n```\nchmod +x agscript.sh\n```\n\n# Usage\nStart RedShell:\n```\n$ python3 redshell.py \n\n                ____           _______ __         ____\n               / __ \\___  ____/ / ___// /_  ___  / / /\n              / /_/ / _ \\/ __  /\\__ \\/ __ \\/ _ \\/ / / \n             / _, _/  __/ /_/ /___/ / / / /  __/ / /  \n            /_/ |_|\\___/\\__,_//____/_/ /_/\\___/_/_/\n\n            \nLogging to: /home/user/.redshell/redshell_2022_08_22_13_00_13.csv\n\nredshell \u003e \n\n```\n\nDisplay help:\n```\nredshell \u003e help\n\nDocumented commands (use 'help -v' for verbose/'help \u003ctopic\u003e' for details):\n===========================================================================\nbeacon_exec  cs_connect      cs_status     help        pwd    socks\ncd           cs_disconnect   cs_use_pivot  history     quit \nconfig       cs_load_config  exec          log         set  \ncontext      cs_pivots       exit          proxy_exec  shell\n \n```\n\nSet options:\n```\nredshell\u003e set option VALUE\n```\n\n## Logging\nRedShell automatically logs activities via the `beacon_exec`, `proxy_exec`, `exec`, or `log` commands. Logging is automatically initialized on startup, and log files are written to: `~/.redshell`.\n\nTo log to Cobalt Strike, connect to a team server, select a pivot, and use the `beacon_exec` command.\n\n## Proxies\nRedShell uses proxychains-ng and a custom proxychains configuration file. Configuration file modifications and command proxying are handled on-the-fly.\n\n### Cobalt Strike\nTo proxy through Cobalt Strike, connect to a team server, select a pivot, and use the `beacon_exec` command. 
Refer to the Cobalt Strike section for details.\n\n### Custom Proxies\nCustom socks version 4 or 5 proxies can be set with the `socks` command.\n```\nredshell \u003e socks -h\nusage: socks [-h] [-u SOCKS5_USER] [-p SOCKS5_PASS] {socks4,socks5} ip_address socks_port\n\nUse a custom socks4/5 server\n\npositional arguments:\n  {socks4,socks5}\n  ip_address\n  socks_port\n\noptions:\n  -h, --help       show this help message and exit\n  -u SOCKS5_USER\n  -p SOCKS5_PASS\n```\n\n## SOCKS Proxy Verification\nRedShell automatically verifies connections and authentication (where applicable) to SOCKS proxies upon selection (either using the `socks` or `cs_use_pivot` commands). This can be disabled with the following command: `set check_socks false`\n\n## Context\nRedShell's context is a key aspect of activity logging. Context allows you to set the perspective (in activity logs) of the source host executing activities in a target network. The following context attributes can be included in activity logs: IP Address, DNS Name, NetBIOS Name, User Name, and Process ID. 
Only IP Address is required.\n\nNotes on context:\n - Context is cleared when you set a new socks port\n - Context is cleared when you connect/disconnect from a CS team server\n\n### Context - Custom Proxies\nAfter you set a socks proxy with the `socks` command, add context details with the `context` command.\n```\nRedShell\u003e context -h\nusage: context [-h] [-d DNSNAME] [-n NETBIOSNAME] [-u USERNAME] [-p PID] ip_address\n\nSet a custom context (Source IP/DNS/NetBIOS/User/PID) for logging\n\npositional arguments:\n  ip_address            Source IP Address\n\noptional arguments:\n  -h, --help            show this help message and exit\n  -d DNSNAME, --dnsname DNSNAME\n                        DNS Name\n  -n NETBIOSNAME, --netbiosname NETBIOSNAME\n                        NetBIOS Name\n  -u USERNAME, --username USERNAME\n                        User Name\n  -p PID, --pid PID     Process ID\n```\n\n### Context - Cobalt Strike\nIf you are using a pivot on a team server, context values are automatically set based on the beacon.\n\n### Command Prompt\nThe command prompt is automatically updated with context variables (user@host).\n\n## Execute and Log\nThe following RedShell commands are captured in activity logs:\n - `beacon_exec` - Execute a command through beacon socks proxy and simultaneously log it to the teamserver.\n - `proxy_exec` - Execute a command through custom socks proxy and simultaneously log it to the local file.\n - `exec` - Execute a command and log it to the local file.\n - `log`  - Add a manual log entry to the local file.\n\n## Custom Proxy Example\n![alt text](./images/custom_proxy_example.png \"Custom Proxy Example\")\n\n## Cobalt Strike\n### Connecting to Cobalt Strike\n\nSet Cobalt Strike connection options:\n```\nredshell \u003e set cs_host 127.0.0.1\nredshell \u003e set cs_port 50050\nredshell \u003e set cs_user somedude\n```\n\nConnect to team server (you will be prompted for the team server password):\n```\nredshell \u003e cs_connect 
\n```\nExample:\n\n![alt text](./images/cs_connect.png \"CS Connect\")\n\nOr load from a config file. Note: team server passwords are not read from config files. RedShell will prompt for the teamserver password and then automatically connect.\n```\n$ cat config.txt \ncs_host=127.0.0.1\ncs_port=12345\ncs_user=somedude\ncs_directory=/path/to/cobaltstrike/install\n```\n```\nredshell \u003e cs_load_config config.txt\n```\n\nShow available proxy pivots:\n```\nredshell \u003e cs_pivots \n```\nExample:\n\n![alt text](./images/cs_pivots.png \"CS Pivots\")\n\nSelect a proxy pivot (note: this can only be set after a connection to the team server has been established):\n```\nredshell \u003e cs_use_pivot 2\nSOCKS5 pivot requires authentication.\n\nEnter SOCKS5 user: username\nEnter SOCKS5 password:\n```\nCheck Cobalt Strike status:\n```\nredshell \u003e cs_status\n```\nExample:\n\n![alt text](./images/cs_status.png \"CS Status\")\n\nExecute commands through the beacon socks proxy. These can be run in the context of the current user or via sudo. Specifying 'proxychains' in the command is optional. Commands are forced through proxychains. MITRE ATT\u0026CK Tactic IDs are optional. \n```\nredshell \u003e beacon_exec -h\nusage: beacon_exec [-h] [-t TTP] ...\n\nExecute a command through beacon socks proxy and simultaneously log it to the teamserver.\n\npositional arguments:\n  command            Command to execute through the proxy and log.\n\noptional arguments:\n  -h, --help         show this help message and exit\n  -t TTP, --ttp TTP  MITRE ATT\u0026CK Tactic IDs. 
Comma delimited to specify multiple.\n\nexample: \nbeacon_exec -t T1550.002,T1003.002 cme smb 192.168.1.1 --local-auth -u Administrator -H C713B1D611657D0687A568122193F230 --sam\n```\nExample:\n\n![alt text](./images/beacon_exec.png \"Beacon Exec\")\n\nNote on the Redshell and CS install directory options - the script needs to know where it lives, as well as Cobalt Strike.\nIf stuff blows up, be sure to set the directories accordingly:\n```\nredshell \u003e set redshell_directory /opt/redshell\nredshell \u003e set cs_directory /opt/cobaltstrike\n```\n\n## General\nNote on passwords used in *exec commands: special characters in passwords may be interpreted as shell meta characters, which could cause commands to fail. To get around this, set the password option and then invoke with '$password'. Example:\n```\nredshell \u003e set password Test12345\npassword - was: ''\nnow: 'Test12345'\nredshell \u003e beacon_exec cme smb 192.168.1.14 --local-auth -u administrator -p $password --shares\n```\n\nRedShell includes commands for navigating the file system:\n```\nredshell \u003e cd /opt/redshell/\nredshell \u003e pwd\n/opt/redshell\n```\n\nAdditional commands can be run via the shell command or via the '!' 
shortcut:\n```\nredshell \u003e shell date\nMon 29 Jul 2019 05:33:02 PM MDT\nredshell \u003e !date\nMon 29 Jul 2019 05:33:03 PM MDT\n```\n\nCommands are tracked and accessible via the history command:\n```\nredshell \u003e history \n    1  load_config config.txt\n    2  status\n    3  help\n```\n\nRedShell also includes tab-completion and clearing the terminal window via ctrl + l.\n\n## CSV Log Format\n```\nDatetime,IP Address,DNS Name,NetBIOS Name,User,PID,Activity,TTPs\n2021/09/21 14:22:32 +0000,192.168.56.106,,WINDEV,USER,7312,[PROXY] cme smb 192.168.56.105,\n```\n\nNotes:\n- Required fields: Datetime, IP Address, Activity\n- Optional fields: DNS Name, NetBIOS Name, User, PID, TTPs\n- Datetime format: \"%Y/%m/%d %H:%M:%S %z\" (UTC)\n\n## Maintainers\n\n - [exfiltrata](https://github.com/exfiltrata)\n\n## License\n\nThis project is licensed under the terms of the Apache 2.0 open source license. Please refer to [LICENSE](LICENSE.md) for the full terms.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVerizon%2Fredshell","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FVerizon%2Fredshell","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FVerizon%2Fredshell/lists"}