Redpill - Assist Reverse Tcp Shells In Post-Exploration Tasks

Description

[![](https://1.bp.blogspot.com/-nzq-3jioimQ/YMZYSQIYLvI/AAAAAAAAZ-M/J6KpyMSDOrAlmdQNSWTHKYoRbY_ihT-IgCNcBGAsYHQ/w640-h366/redpill_1.png)](<https://1.bp.blogspot.com/-nzq-3jioimQ/YMZYSQIYLvI/AAAAAAAAZ-M/J6KpyMSDOrAlmdQNSWTHKYoRbY_ihT-IgCNcBGAsYHQ/s1280/redpill_1.png>)

**Project Description**

The redpill project aims to assist reverse tcp shells in post-exploitation tasks. Often in redteam engagements we need to use unconventional ways to access the target system, such as reverse tcp shells (**_not metasploit_**), in order to bypass the defenses implemented by the system administrator. After the first stage has been successfully completed we face another type of problem: **_"I have (shell) access to the target system, and now what can I do with it?"_**

This project consists of several PowerShell scripts that perform different **_post-exploitation_** functions, plus the main script **_redpill.ps1_**, whose job is to download, configure and execute the scripts contained in this repository. The goal is to have a meterpreter-like experience in our reverse tcp shell prompt (options similar to meterpreter's).

Folder Name | Description | Notes
---|---|---
Bin | Contains redpill main modules | Sysinfo \| GetConnections \| Persiste \| Keylogger \| etc.
Bypass | Contains redpill bypass scripts | Manual Download/Execution required
modules | Contains redpill modules | Sherlock \| CredsPhish \| Webserver \| StartWebServer \| etc.
Utils | Contains BAT \| PS1 scripts | Manual execution required

**CmdLet Parameters syntax\examples**

> This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module. venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so that it is easily accessible in our reverse tcp shell (shell prompt).
_To List All Parameters Available, execute in powershell prompt:_

```powershell
.\redpill.ps1 -Help Parameters
```

CmdLet Parameter Name | Parameter Arguments | Description
---|---|---
-SysInfo | Enum \| Verbose | Quick System Info OR Verbose Enumeration
-GetConnections | Enum \| Verbose | Enumerate Remote Host Active TCP Connections
-GetDnsCache | Enum \| Clear | Enumerate\Clear remote host DNS cache entries
-GetInstalled | Enum | Enumerate Remote Host Applications Installed
-GetProcess | Enum \| Kill \| Tokens | Enumerate OR Kill Remote Host Running Process(es)
-GetTasks | Enum \| Create \| Delete | Enumerate\Create\Delete Remote Host Running Tasks
-GetLogs | Enum \| Verbose \| Clear | Enumerate eventvwr logs OR Clear All event logs
-GetBrowsers | Enum \| Verbose \| Creds | Enumerate Installed Browsers and Versions OR Verbose
-Screenshot | 1 | Capture 1 Desktop Screenshot and Store it on %TMP%
-Camera | Enum \| Snap | Enum computer webcams OR capture default webcam snapshot
-StartWebServer | Python \| Powershell | Downloads webserver to %TMP% and executes the WebServer
-Keylogger | Start \| Stop | Start OR Stop recording remote host keystrokes
-MouseLogger | Start | Capture Screenshots of Mouse Clicks for 10 seconds
-PhishCreds | Start \| Brute | Prompt current user for a valid credential and leak captures
-GetPasswords | Enum \| Dump | Enumerate passwords of different locations {Store\|Regedit\|Disk}
-WifiPasswords | Dump \| ZipDump | Enum Available SSIDs OR ZipDump All Wifi passwords
-EOP | Enum \| Verbose | Find Missing Software Patches for Privilege Escalation
-ADS | Enum \| Create \| Exec \| Clear | Hide scripts { bat \| ps1 \| exe } on $DATA records (ADS)
-BruteZip | $Env:TMP\archive.zip | Brute force selected Zip archive with the help of 7z.exe
-Upload | script.ps1 | Upload script.ps1 from attacker apache2 webroot
-Persiste | $Env:TMP\Script.ps1 | Persist script.ps1 on every startup {BeaconHome}
-CleanTracks | Clear \| Paranoid | Clean disk artifacts left behind {clean system tracks}
-AppLocker | Enum \| WhoAmi \| TestBat | Enumerate AppLocker Directories with weak permissions
-FileMace | $Env:TMP\test.txt | Change File Mace {CreationTime,LastAccessTime,LastWriteTime}
-MetaData | $Env:TMP\test.exe | Display files \ applications description (metadata)
-PEHollow | GetSystem \| $Env:TMP\test.exe | Process Hollowing {impersonate explorer.exe as parent}
-MsgBox | "Hello World." | Spawns "Hello World." msgBox on local host {wscriptComObject}
-SpeakPrank | "Hello World." | Make remote host speak user input sentence {prank}
-NetTrace | Enum | Aggressive Enumeration with the help of netsh {native}
-PingSweep | Enum \| Verbose | Enumerate Active IP Addresses and open ports on Local Lan
-DnsSpoof | Enum \| Redirect \| Clear | Redirect Domain Names to our Phishing IP address
-DisableAV | Query \| Start \| Stop | Disable Windows Defender Service (WinDefend)
-HiddenUser | Query \| Create \| Delete | Query \ Create \ Delete Hidden User Accounts
-CsOnTheFly | Compile \| Execute | Download \ Compile (to exe) and Execute CS scripts
-CookieHijack | Dump \| History | Edge \| Chrome Cookie Hijacking tool
-UacMe | Bypass \| Elevate \| Clean | UAC bypass \| EOP by dll reflection! (cmstp.exe)

_To Display Detailed information about each parameter execute:_

```powershell
Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords
```

[![](https://1.bp.blogspot.com/-lh0ODQaVLqc/YMZZ1Vy--WI/AAAAAAAAZ-c/9fA6MTHRdNUoOdjoOmAYfRFyuXMvfzU9wCNcBGAsYHQ/w640-h410/redpill_11.png)](<https://1.bp.blogspot.com/-lh0ODQaVLqc/YMZZ1Vy--WI/AAAAAAAAZ-c/9fA6MTHRdNUoOdjoOmAYfRFyuXMvfzU9wCNcBGAsYHQ/s1476/redpill_11.png>)

**Instructions how to use the Cmdlet {_Local tests_}**

> This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module. venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so that it is easily accessible in our reverse tcp shell (shell prompt).
_This section describes how to test this Cmdlet locally, without exploiting a target host._

1º - Download CmdLet from GitHub repository to **_'Local Disk'_**

```powershell
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1
```

2º - Set Powershell Execution Policy to **_'UnRestricted'_**

```powershell
Set-ExecutionPolicy UnRestricted -Scope CurrentUser
```

[![](https://1.bp.blogspot.com/-zqzp3pouKoM/YMZZ7GniPoI/AAAAAAAAZ-g/rvVDVpjOlngraYRcye7H_NOEv0zWMFbRACNcBGAsYHQ/w640-h274/redpill_12.png)](<https://1.bp.blogspot.com/-zqzp3pouKoM/YMZZ7GniPoI/AAAAAAAAZ-g/rvVDVpjOlngraYRcye7H_NOEv0zWMFbRACNcBGAsYHQ/s1493/redpill_12.png>)

3º - Browse to **_'redpill.ps1'_** storage directory

```powershell
cd C:\Users\pedro\Desktop
```

[![](https://1.bp.blogspot.com/-PL0j4OuhuDQ/YMZaC-7ChvI/AAAAAAAAZ-k/m70D0mmkwtEM3lAOfzdXdYAOVhIcFeQhgCNcBGAsYHQ/w640-h202/redpill_13.png)](<https://1.bp.blogspot.com/-PL0j4OuhuDQ/YMZaC-7ChvI/AAAAAAAAZ-k/m70D0mmkwtEM3lAOfzdXdYAOVhIcFeQhgCNcBGAsYHQ/s1430/redpill_13.png>)

4º - Access CmdLet Help Menu {All Parameters}

```powershell
.\redpill.ps1 -Help Parameters
```

[![](https://1.bp.blogspot.com/-OHvFPPkbzbU/YMZaJyZarbI/AAAAAAAAZ-o/CWM_fy37nAwB6sVrkZXLHv_Prrm-TVluQCNcBGAsYHQ/w640-h360/redpill_14.png)](<https://1.bp.blogspot.com/-OHvFPPkbzbU/YMZaJyZarbI/AAAAAAAAZ-o/CWM_fy37nAwB6sVrkZXLHv_Prrm-TVluQCNcBGAsYHQ/s1920/redpill_14.png>)

5º - Access **_[ -WifiPasswords ]_** Detailed Parameter Help

```powershell
Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords
```

[![](https://1.bp.blogspot.com/-hh6gP7ybudk/YMZaNHvKoJI/AAAAAAAAZ-s/s-IvD4NMUygt99MQM-A-gP7tiy4gL2h-wCNcBGAsYHQ/w640-h410/redpill_15.png)](<https://1.bp.blogspot.com/-hh6gP7ybudk/YMZaNHvKoJI/AAAAAAAAZ-s/s-IvD4NMUygt99MQM-A-gP7tiy4gL2h-wCNcBGAsYHQ/s1476/redpill_15.png>)

6º - Running **_[ -WifiPasswords ] [ Dump ]_** Module

```powershell
Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -WifiPasswords Dump
```

[![](https://1.bp.blogspot.com/-3TJcV3VGc5k/YMZaaZEP8EI/AAAAAAAAZ-8/rBPFapFSlrU-oZWP2LiUctRFhjDgxvKvACNcBGAsYHQ/w640-h388/redpill_16.png)](<https://1.bp.blogspot.com/-3TJcV3VGc5k/YMZaaZEP8EI/AAAAAAAAZ-8/rBPFapFSlrU-oZWP2LiUctRFhjDgxvKvACNcBGAsYHQ/s1476/redpill_16.png>)

7º - Running **_[ -sysinfo ] [ Enum ]_** Module

```powershell
Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -sysinfo Enum
```

[![](https://1.bp.blogspot.com/-HVyr_h7IGlM/YMZaW_PyFII/AAAAAAAAZ-4/46NE4PUNJWw-SjEtkamO1H3uGczCty70gCNcBGAsYHQ/w640-h444/redpill_17.png)](<https://1.bp.blogspot.com/-HVyr_h7IGlM/YMZaW_PyFII/AAAAAAAAZ-4/46NE4PUNJWw-SjEtkamO1H3uGczCty70gCNcBGAsYHQ/s1464/redpill_17.png>)

**Instructions how to use the CmdLet under _Venom v1.0.17.8_**

> This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module. venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so that it is easily accessible in our reverse tcp shell (shell prompt).

1º - Execute in the reverse tcp shell prompt

```
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters
```

[![](https://1.bp.blogspot.com/-xXXlTi-lOSI/YMZagq1dVkI/AAAAAAAAZ_E/qJHf5ZU7QSEAT4p4wEBitzbDGqwb1cA3QCNcBGAsYHQ/w640-h360/redpill_18.png)](<https://1.bp.blogspot.com/-xXXlTi-lOSI/YMZagq1dVkI/AAAAAAAAZ_E/qJHf5ZU7QSEAT4p4wEBitzbDGqwb1cA3QCNcBGAsYHQ/s1920/redpill_18.png>)

2º - Access **_[ -WifiPasswords ]_** Detailed Parameter Help

```
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords
```

[![](https://1.bp.blogspot.com/-QK3PcmUnXhc/YMZalIKMwGI/AAAAAAAAZ_M/wPGhvrv6ZOcLwrzpVE2XZUso7dJ2aOadQCNcBGAsYHQ/w640-h410/redpill_19.png)](<https://1.bp.blogspot.com/-QK3PcmUnXhc/YMZalIKMwGI/AAAAAAAAZ_M/wPGhvrv6ZOcLwrzpVE2XZUso7dJ2aOadQCNcBGAsYHQ/s1476/redpill_19.png>)

3º - Running **_[ -WifiPasswords ] [ Dump ]_** Module

```
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump
```
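Both procedures above leave the same footprint on the host: redpill.ps1 is fetched with iwr, the execution policy is relaxed to UnRestricted, the script is launched with `powershell -File` from the user's Temp directory, and the UacMe module relies on cmstp.exe. The following is an added example, not code from the redpill or venom projects: a small Python detector, run over constructed process-creation records in a Sysmon-Event-1-like field layout, that flags each of those steps and reports whether the whole staging chain was seen. The rule names, the sample records and the `C:\Users\pedro\...` paths are hypothetical, modelled on the prompts shown in the screenshots.

```python
"""Detect the redpill staging pattern (download, policy change, run from
%TMP%, cmstp.exe child of PowerShell) over process-creation records.
Added example; not part of redpill or venom. All records below are
constructed samples, not captures from a real host."""
import re
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]

POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
TEMP_DIR = r"C:\Users\pedro\AppData\Local\Temp"   # hypothetical user path

# Constructed sample events (Sysmon Event 1 style field names).
SAMPLE_EVENTS: List[Event] = [
    {   # local test step 1: fetch the script with iwr
        "Image": POWERSHELL,
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\pedro\Desktop",
        "CommandLine": ("powershell iwr -Uri https://raw.githubusercontent.com/"
                        "r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1"),
    },
    {   # local test step 2: execution policy relaxed for the current user
        "Image": POWERSHELL,
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\pedro\Desktop",
        "CommandLine": "powershell Set-ExecutionPolicy UnRestricted -Scope CurrentUser",
    },
    {   # venom flow: script executed from the user's Temp directory
        "Image": POWERSHELL,
        "ParentImage": r"C:\Windows\System32\cmd.exe",
        "CurrentDirectory": TEMP_DIR,
        "CommandLine": "powershell -File redpill.ps1 -WifiPasswords Dump",
    },
    {   # cmstp.exe launched by PowerShell (the page's UacMe module uses cmstp.exe)
        "Image": r"C:\Windows\System32\cmstp.exe",
        "ParentImage": POWERSHELL,
        "CurrentDirectory": TEMP_DIR,
        "CommandLine": "cmstp.exe <constructed-arguments>",
    },
    {   # benign control: ordinary interactive PowerShell from Documents
        "Image": POWERSHELL,
        "ParentImage": r"C:\Windows\explorer.exe",
        "CurrentDirectory": r"C:\Users\pedro\Documents",
        "CommandLine": "powershell Get-Process",
    },
]


def _field(ev: Event, key: str) -> str:
    """Missing fields are treated as empty so a rule never raises."""
    return ev.get(key, "")


def _is_exe(path: str, exe: str) -> bool:
    return path.lower().endswith("\\" + exe)


# (hypothetical alert name, predicate over one event)
RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("redpill_script_reference",
     lambda ev: re.search(r"redpill\.ps1", _field(ev, "CommandLine"), re.I) is not None),
    ("execution_policy_relaxed",
     lambda ev: re.search(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)\b",
                          _field(ev, "CommandLine"), re.I) is not None),
    ("script_run_from_temp",
     lambda ev: re.search(r"powershell(\.exe)?\s.*-File\s", _field(ev, "CommandLine"), re.I) is not None
     and re.search(r"\\AppData\\Local\\Temp(\\|$)", _field(ev, "CurrentDirectory"), re.I) is not None),
    ("cmstp_child_of_powershell",
     lambda ev: _is_exe(_field(ev, "Image"), "cmstp.exe")
     and _is_exe(_field(ev, "ParentImage"), "powershell.exe")),
]

# Rules that together make up the staging chain from the page's steps.
STAGING_CHAIN = {"redpill_script_reference", "execution_policy_relaxed", "script_run_from_temp"}


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires, in order."""
    hits: List[Tuple[int, str]] = []
    for idx, ev in enumerate(events):
        for name, pred in RULES:
            if pred(ev):
                hits.append((idx, name))
    return hits


def chain_observed(events: List[Event]) -> bool:
    """True when every step of the staging chain fired at least once
    somewhere in the sequence (ordering is deliberately not enforced)."""
    fired = {name for _, name in evaluate(events)}
    return STAGING_CHAIN <= fired


if __name__ == "__main__":
    for idx, name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {name} :: {SAMPLE_EVENTS[idx]['CommandLine']}")
    print("staging chain observed:", chain_observed(SAMPLE_EVENTS))
```

The rules are deliberately coarse: `redpill_script_reference` catches the script name in any command line, `script_run_from_temp` fires for any `-File` launch from `AppData\Local\Temp` regardless of script name, and the cmstp rule keys only on the parent/child relationship, so a renamed script still trips two of the four rules. Tuning the benign-control record (index 4) is the quickest way to check that a new rule does not fire on ordinary interactive PowerShell use.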
[![](https://1.bp.blogspot.com/-CdAJBBkCmY4/YMZaueOrtOI/AAAAAAAAZ_U/RULgkC2V8K0Z1G1tPD67-r5-JumC_0ZOgCNcBGAsYHQ/w640-h388/redpill_20.png)](<https://1.bp.blogspot.com/-CdAJBBkCmY4/YMZaueOrtOI/AAAAAAAAZ_U/RULgkC2V8K0Z1G1tPD67-r5-JumC_0ZOgCNcBGAsYHQ/s1476/redpill_20.png>)

To manually download the CmdLet for Local Tests, execute:

```powershell
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1
```

**Video Tutorials**

[![](https://1.bp.blogspot.com/-pfCzS_LgfEQ/YMZYyuSe9nI/AAAAAAAAZ-U/vlQCizBxJQAMdytjenSR4RChDzp0jBkbgCNcBGAsYHQ/w640-h318/redpill_22.gif)](<https://1.bp.blogspot.com/-pfCzS_LgfEQ/YMZYyuSe9nI/AAAAAAAAZ-U/vlQCizBxJQAMdytjenSR4RChDzp0jBkbgCNcBGAsYHQ/s600/redpill_22.gif>)

- Demonstration - [This tutorial uses: sysinfo, GetPasswords, UacMe modules](<https://drive.google.com/file/d/1iryAhz-ryJWMz8-MNqKm1WffLYS6nhT0/view?usp=sharing>)
- MouseLogger - [Capture Screenshots of 'MouseClicks' with the help of psr.exe](<https://drive.google.com/file/d/1k3DrsDEc6nOd7RHm-25nw0q6oD_aGxjg/view?usp=sharing>)
- PhishCreds - [Phish for login credentials OR Brute Force user account password](<https://drive.google.com/file/d/1m1M4rp24QGYftv9JPnp5Kj_zs8YFhz3_/view?usp=sharing>)
- FileMace - [Change File TimeStamp {CreationTime, LastAccessTime, LastWriteTime}](<https://drive.google.com/file/d/10tR3hu_pS9tJiTImJTkraXozEEgAezwx/view?usp=sharing>)
- CsOnTheFly - [Download (from url), Auto-Compile and Execute CS scripts On-The-Fly!](<https://drive.google.com/file/d/1L4Qj0eK4QMbC6yBFlUVJQyi0NEoe25Ug/view?usp=sharing>)
- EOP - [Find missing software patches for privilege escalation](<https://drive.google.com/file/d/1s6hPm63i4m2CHXEZU4ByRJRA41EOwUGf/view?usp=sharing>)

**Acknowledgments**

hax0r | Function | OS Flavor
---|---|---
**_@youhacker55_** | For All the help Debugging this cmdlet (Testing BETA version) | Windows 7 x64bits
**_@0xyg3n_** | For All the help Debugging this cmdlet (Testing BETA version) | Windows 10 x64bits
**_@Shanty_Damayanti_** | Debugging this cmdlet (amsi string detection bypasses) | Windows 10 x64bits
**_@miltinhoc_** | Debugging this cmdlet and recording video tutorials | Windows 10 x64bits

[![](https://1.bp.blogspot.com/-nh8UrKfE53Y/YMZa6ItwevI/AAAAAAAAZ_s/n8gTQEQ8tdsz1v08gzic1KBjm0XSNhN7ACNcBGAsYHQ/w640-h352/redpill_28.png)](<https://1.bp.blogspot.com/-nh8UrKfE53Y/YMZa6ItwevI/AAAAAAAAZ_s/n8gTQEQ8tdsz1v08gzic1KBjm0XSNhN7ACNcBGAsYHQ/s1605/redpill_28.png>)

[![](https://1.bp.blogspot.com/-gFVYqoCNApQ/YMZa5-l-pII/AAAAAAAAZ_o/r8x_USK49hMnqXozKpQO89YX_dP-6tjpACNcBGAsYHQ/w640-h284/redpill_27.jpeg)](<https://1.bp.blogspot.com/-gFVYqoCNApQ/YMZa5-l-pII/AAAAAAAAZ_o/r8x_USK49hMnqXozKpQO89YX_dP-6tjpACNcBGAsYHQ/s1341/redpill_27.jpeg>)

[![](https://1.bp.blogspot.com/-imKsoDN2Vag/YMZa5imLYSI/AAAAAAAAZ_k/L-m7sC6jGywGDTNfu7oBN0SiXQFZPV-qACNcBGAsYHQ/w640-h338/redpill_26.png)](<https://1.bp.blogspot.com/-imKsoDN2Vag/YMZa5imLYSI/AAAAAAAAZ_k/L-m7sC6jGywGDTNfu7oBN0SiXQFZPV-qACNcBGAsYHQ/s1920/redpill_26.png>)

[![](https://1.bp.blogspot.com/-yq_3G74q7DE/YMZa5SahCtI/AAAAAAAAZ_g/d5RPPKWqGIMYvIXc2mExaFZvQNuUK0ltQCNcBGAsYHQ/w640-h414/redpill_25.png)](<https://1.bp.blogspot.com/-yq_3G74q7DE/YMZa5SahCtI/AAAAAAAAZ_g/d5RPPKWqGIMYvIXc2mExaFZvQNuUK0ltQCNcBGAsYHQ/s1556/redpill_25.png>)
[![](https://1.bp.blogspot.com/-HPoFO4OqIkM/YMZa5QrJ0HI/AAAAAAAAZ_c/MQRIp6CXTDUJainYyeclkpfGN3eY5TqHQCNcBGAsYHQ/w640-h444/redpill_24.png)](<https://1.bp.blogspot.com/-HPoFO4OqIkM/YMZa5QrJ0HI/AAAAAAAAZ_c/MQRIp6CXTDUJainYyeclkpfGN3eY5TqHQCNcBGAsYHQ/s1464/redpill_24.png>)

**[Any collaborations or bug reports are welcome](<https://github.com/r00t-3xp10it/redpill/issues>)**

**SuspiciousShellActivity - RedTeam @2021**

**[Download Redpill](<https://github.com/r00t-3xp10it/redpill>)**