Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/r00t-3xp10it/redpill
Assist reverse tcp shells in post-exploration tasks
c2-options cmdlet post-exploitation redteam reverse-tcp-shells
Last synced: 5 days ago
- Host: GitHub
- URL: https://github.com/r00t-3xp10it/redpill
- Owner: r00t-3xp10it
- Created: 2021-02-20T23:59:07.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-03-19T15:03:16.000Z (10 months ago)
- Last Synced: 2025-01-03T05:16:38.765Z (12 days ago)
- Topics: c2-options, cmdlet, post-exploitation, redteam, reverse-tcp-shells
- Language: PowerShell
- Homepage:
- Size: 74.3 MB
- Stars: 214
- Watchers: 9
- Forks: 52
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-hacking-lists - r00t-3xp10it/redpill - Assist reverse tcp shells in post-exploration tasks (PowerShell)
README
![wikibanner](https://user-images.githubusercontent.com/23490060/107761196-e0a29880-6d22-11eb-9dfc-35028c9463f6.png)
[![Version](https://img.shields.io/badge/redpill-1.2.6-brightgreen.svg?maxAge=259200)]()
[![Stage](https://img.shields.io/badge/Release-Stable-brightgreen.svg)]()
[![Build](https://img.shields.io/badge/OS-Windows-orange.svg)]()
![licence](https://img.shields.io/badge/license-GPLv3-brightgreen.svg)
![Last Commit](https://img.shields.io/github/last-commit/r00t-3xp10it/redpill)
![isues](https://img.shields.io/github/issues/r00t-3xp10it/redpill)
![Repo Size](https://img.shields.io/github/repo-size/r00t-3xp10it/redpill)
![topLanguages](https://img.shields.io/github/languages/top/r00t-3xp10it/redpill)
## :octocat: Project Description
The redpill project aims to assist reverse tcp shells in post-exploitation tasks. Often, on redteam appointments we
need to use unconventional ways to access the target system, like reverse tcp shells (not metasploit), in order
to bypass the defenses implemented by the system administrator. After the first step has been successfully completed
we face another type of problem: "I have (shell) access to the target system, and now what can I do with it?"

This project consists of several PowerShell scripts that perform different post-exploitation tasks, plus
the main script redpill.ps1, whose job is to download, configure and execute the scripts contained in this repository.
The goal is to have a meterpreter-like experience in our reverse tcp shell prompt (options similar to meterpreter's).
### CmdLet Parameters syntax\examples
This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so that it is
easily accessible in our reverse tcp shell (shell prompt).
To list all available parameters, execute in a powershell prompt:
```powershell
.\redpill.ps1 -Help Parameters
```
|CmdLet Parameter Name|Parameter Arguments|Description|
|---|---|---|
|-SysInfo| Enum \| Verbose |Quick System Info OR Verbose Enumeration|
|-GetConnections| Enum \| Verbose |Enumerate Remote Host Active TCP Connections|
|-GetDnsCache| Enum \| Clear |Enumerate\Clear remote host DNS cache entries|
|-GetInstalled| Enum |Enumerate Remote Host Applications Installed|
|-GetProcess| Enum \| Kill \| Tokens |Enumerate OR Kill Remote Host Running Process(s)|
|-GetTasks| Enum \| Create \| Delete |Enumerate\Create\Delete Remote Host Running Tasks|
|-GetLogs| Enum \| Verbose \| Clear |Enumerate eventvwr logs OR Clear All event logs|
|-LiveStream| Bind \| Reverse \| Stop |Nishang script for streaming a target desktop using MJPEG|
|-GetBrowsers| Enum \| Verbose \| Creds |Enumerate Installed Browsers and Versions OR Verbose|
|-GetSkype| Contacts\|DomainUsers |Enumerating and attacking federated Skype|
|-Screenshot| 1 |Capture 1 Desktop Screenshot and Store it on %TMP%|
|-Camera| Enum \| Snap |Enum computer webcams OR capture default webcam snapshot|
|-StartWebServer| Python \| Powershell |Downloads webserver to %TMP% and executes the WebServer|
|-Keylogger| Start \| Stop |Start OR Stop recording remote host keystrokes|
|-MouseLogger| Start |Capture Screenshots of Mouse Clicks for 10 seconds|
|-PhishCreds| Start \| Brute |Prompt current user for a valid credential and leak captures|
|-GetPasswords| Enum \| Dump |Enumerate passwords from different locations {Store\|Regedit\|Disk}|
|-PasswordSpray| Spray |Password spraying attack against accounts in Active Directory!|
|-WifiPasswords| Dump \| ZipDump |Enum Available SSIDs OR ZipDump All Wifi passwords|
|-EOP| Enum \| Verbose |Find Missing Software Patches for Privilege Escalation|
|-ADS| Enum \| Create \| Exec \| Clear|Hide scripts { bat \| ps1 \| exe } on $DATA records (ADS)|
|-BruteZip| $Env:TMP\archive.zip |Brute force selected Zip archive with the help of 7z.exe|
|-Upload| script.ps1|Upload script.ps1 from attacker apache2 webroot|
|-Persiste| $Env:TMP\Script.ps1 |Persist script.ps1 on every startup {BeaconHome}|
|-CleanTracks| Clear \| Paranoid |Clean disk artifacts left behind {clean system tracks}|
|-AppLocker| Enum \| WhoAmi \| TestBat |Enumerate AppLocker Directories with weak permissions|
|-FileMace| $Env:TMP\test.txt |Change File Mace {CreationTime,LastAccessTime,LastWriteTime}|
|-MetaData| $Env:TMP\test.exe |Display files \ applications description (metadata)|
|-psgetsys| Enum \| Auto \| Impersonate | spawn a process under a different parent process!|
|-MsgBox| "Hello World." |Spawns "Hello World." msgBox on local host {wscriptComObject}|
|-SpeakPrank| "Hello World." |Make remote host speak user input sentence {prank}|
|-NetTrace| Enum |Aggressive Enumeration with the help of netsh {native}|
|-PingSweep| Enum \| Verbose |Enumerate Active IP Address and open ports on Local Lan|
|-DnsSpoof| Enum \| Redirect \| Clear | Redirect Domain Names to our Phishing IP address|
|-DisableAV| Query \| Start \| Stop | Disable Windows Defender Service (WinDefend)|
|-HiddenUser| Query \| Create \| Delete | Query \ Create \ Delete Hidden User Accounts|
|-CsOnTheFly| Compile \| Execute | Download \ Compile (to exe) and Execute CS scripts|
|-CookieHijack| Dump\|History | Edge\|Chrome Cookie Hijacking tool|
|-UacMe| Bypass \| Elevate \| Clean | UAC bypass\|EOP by dll reflection! (cmstp.exe)|
|-GetAdmin| check \| exec |Elevate sessions from UserLand to Administrator!|
|-NoAmsi| List \| TestAll \| Bypass |Test AMSI bypasses or simply execute one bypass|
|-Clipboard| Enum \| Capture \| Prank |Capture clipboard text\file\image\audio contents!|
|-GetCounterMeasures| Enum \| verbose | List common security processes\pid's running!|
|-DumpLsass|lsass\| all| Dump data from lsass/sam/system/security process/reg hives|
To display detailed information about a parameter, execute:
```powershell
# Syntax : .\redpill.ps1 -Help [ Parameter Name ]
# Example:
.\redpill.ps1 -Help WifiPasswords
```
![Parametershelp](https://user-images.githubusercontent.com/23490060/107767610-1e0c2380-6d2d-11eb-946e-ce4988087dca.png)
### Instructions on how to use the Cmdlet {Local tests}
This section describes how to test this Cmdlet locally, without exploiting a target host.
1º - Download the CmdLet from the GitHub repository to 'Local Disk'
```powershell
# -OutFile produces no pipeline output, so Unblock-File must be run as a separate command
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1; Unblock-File redpill.ps1
```
2º - Set the Powershell Execution Policy to 'Unrestricted'
```powershell
Set-ExecutionPolicy Unrestricted -Scope CurrentUser
```
![ste](https://user-images.githubusercontent.com/23490060/106375669-f2308b80-6385-11eb-8cff-947178c52915.png)
3º - Browse to the 'redpill.ps1' storage directory
```powershell
cd C:\Users\pedro\Desktop
```
![redpillpath](https://user-images.githubusercontent.com/23490060/107781146-76e4b780-6d3f-11eb-9a41-de1163086c70.png)
4º - Access the CmdLet Help Menu {All Parameters}
```powershell
.\redpill.ps1 -Help Parameters
```
![menu](https://user-images.githubusercontent.com/23490060/107781666-0c804700-6d40-11eb-9fbc-4826705534e5.png)
5º - Access the [ -WifiPasswords ] Detailed Parameter Help
```powershell
# Syntax : .\redpill.ps1 -Help [ Parameter Name ]
# Example:
.\redpill.ps1 -Help WifiPasswords
```
![Parametershelp](https://user-images.githubusercontent.com/23490060/107767610-1e0c2380-6d2d-11eb-946e-ce4988087dca.png)
6º - Running the [ -WifiPasswords ] [ Dump ] Module
```powershell
# Syntax : .\redpill.ps1 [ Parameter Name ] [ @argument ]
# Example:
.\redpill.ps1 -WifiPasswords Dump
```
![wifidump](https://user-images.githubusercontent.com/23490060/107768059-c7531980-6d2d-11eb-9f2a-2e2f2e649f56.png)
7º - Running the [ -sysinfo ] [ Enum ] Module
```powershell
# Syntax : .\redpill.ps1 [ Parameter Name ] [ @argument ]
# Example:
.\redpill.ps1 -sysinfo Enum
```
![geolocation](https://user-images.githubusercontent.com/23490060/107866747-c7593380-6e6b-11eb-8e38-9ef3acdb3c01.png)
### Instructions on how to use the CmdLet under Venom v1.0.17.8
1º - Execute in the reverse tcp shell prompt
```cmd
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters
```
![menu](https://user-images.githubusercontent.com/23490060/107781666-0c804700-6d40-11eb-9fbc-4826705534e5.png)
2º - Access the [ -WifiPasswords ] Detailed Parameter Help
```cmd
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords
```
![Parametershelp](https://user-images.githubusercontent.com/23490060/107767610-1e0c2380-6d2d-11eb-946e-ce4988087dca.png)
3º - Running the [ -WifiPasswords ] [ Dump ] Module
```cmd
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump
```
![wifidump](https://user-images.githubusercontent.com/23490060/107768059-c7531980-6d2d-11eb-9f2a-2e2f2e649f56.png)
To manually download the CmdLet for local tests, execute:
```powershell
# -OutFile produces no pipeline output, so Unblock-File must be run as a separate command
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1; Unblock-File redpill.ps1
```
## :octocat: Video Tutorials
![Demo](https://user-images.githubusercontent.com/23490060/117714794-5a85d900-b1cf-11eb-8928-b183d6966f3b.gif)
Demonstration - [This tutorial uses: sysinfo, GetPasswords, UacMe modules](https://drive.google.com/file/d/1iryAhz-ryJWMz8-MNqKm1WffLYS6nhT0/view?usp=sharing)
MouseLogger - [Capture Screenshots of 'MouseClicks' with the help of psr.exe](https://drive.google.com/file/d/1k3DrsDEc6nOd7RHm-25nw0q6oD_aGxjg/view?usp=sharing)
PhishCreds - [Phish for login credentials OR Brute Force user account password](https://drive.google.com/file/d/1m1M4rp24QGYftv9JPnp5Kj_zs8YFhz3_/view?usp=sharing)
FileMace - [Change File TimeStamp {CreationTime, LastAccessTime, LastWriteTime}](https://drive.google.com/file/d/10tR3hu_pS9tJiTImJTkraXozEEgAezwx/view?usp=sharing)
CsOnTheFly - [Download (from url), Auto-Compile and Execute CS scripts On-The-Fly!](https://drive.google.com/file/d/1L4Qj0eK4QMbC6yBFlUVJQyi0NEoe25Ug/view?usp=sharing)
EOP - [Find missing software patchs for privilege escalation](https://drive.google.com/file/d/1s6hPm63i4m2CHXEZU4ByRJRA41EOwUGf/view?usp=sharing)
## :octocat: Acknowledgments
|hax0r|Function|OS Flavor|
|---|---|---|
|@youhacker55|For All the help Debugging this cmdlet (Testing BETA version)|Windows 7 x64bits|
|@0xyg3n|For All the help Debugging this cmdlet (Testing BETA version)|Windows 10 x64bits|
|@Shanty_Damayanti|Debugging this cmdlet (amsi string detection bypasses)|Windows 10 x64bits|
|@miltinhoc|Debugging this cmdlet and recording video tutorials|Windows 10 x64bits|

![sysinfo](https://user-images.githubusercontent.com/23490060/128348577-107d7478-8d92-46be-b617-9878f08bb524.png)
![GetConnections](https://user-images.githubusercontent.com/23490060/127775867-3a1d4e60-81df-4982-8c63-4d54fcbd0e8b.png)
![SAM](https://user-images.githubusercontent.com/23490060/128350159-85cf1868-64ff-488d-8bbf-26c614b8cf3f.png)
![brute](https://user-images.githubusercontent.com/23490060/128359506-f9dff4fe-e586-4407-998c-a467875745a9.jpg)
![eop](https://user-images.githubusercontent.com/23490060/128349459-eb129772-6955-4822-8677-fa1878d4ec01.png)
![NoAmsi](https://user-images.githubusercontent.com/23490060/125387813-6429e980-e396-11eb-9ae7-6a488f1647b8.png)

**[Any collaborations or bug reports are welcome](https://github.com/r00t-3xp10it/redpill/issues)**
## SuspiciousShellActivity - RedTeam @2021