Redpill
Assist reverse tcp shells in post-exploitation tasks

:octocat: Project Description
The redpill project aims to assist reverse tcp shells in post-exploitation tasks. Often, on red team engagements we need to use unconventional ways to access the target system, like reverse tcp shells (<b><i>not metasploit</i></b>), in order to bypass the defenses implemented by the system administrator. After that first step has been completed we face another type of problem: <b><i>"I have (shell) access to the target system, and now what can I do with it?"</i></b>
This project consists of several PowerShell scripts that perform different <b><i>post-exploitation</i></b> tasks, and the main script <b><i>redpill.ps1</i></b>, whose job is to download, configure and execute the scripts contained in this repository.
The goal is to have a meterpreter-like experience in our reverse tcp shell prompt (options similar to meterpreter's).
CmdLet Parameters syntax\examples

This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically upload this CmdLet to the %TMP% directory so that it is
easily accessible in our reverse tcp shell (shell prompt).

<i>To List All Parameters Available, execute in the powershell prompt:</i>
.\redpill.ps1 -Help Parameters

|CmdLet Parameter Name|Parameter Arguments|Description|
|---|---|---|
|-SysInfo|Enum \| Verbose|Quick System Info OR Verbose Enumeration|
|-GetConnections|Enum \| Verbose|Enumerate Remote Host Active TCP Connections|
|-GetDnsCache|Enum \| Clear|Enumerate\Clear remote host DNS cache entries|
|-GetInstalled|Enum|Enumerate Remote Host Applications Installed|
|-GetProcess|Enum \| Kill \| Tokens|Enumerate OR Kill Remote Host Running Process(s)|
|-GetTasks|Enum \| Create \| Delete|Enumerate\Create\Delete Remote Host Running Tasks|
|-GetLogs|Enum \| Verbose \| Clear|Enumerate eventvwr logs OR Clear All event logs|
|-LiveStream|Bind \| Reverse \| Stop|Nishang script for streaming a target desktop using MJPEG|
|-GetBrowsers|Enum \| Verbose \| Creds|Enumerate Installed Browsers and Versions OR Verbose|
|-GetSkype|Contacts \| DomainUsers|Enumerating and attacking federated Skype|
|-Screenshot|1|Capture 1 Desktop Screenshot and Store it on %TMP%|
|-Camera|Enum \| Snap|Enum computer webcams OR capture default webcam snapshot|
|-StartWebServer|Python \| Powershell|Downloads webserver to %TMP% and executes the WebServer|
|-Keylogger|Start \| Stop|Start OR Stop recording remote host keystrokes|
|-MouseLogger|Start|Capture Screenshots of Mouse Clicks for 10 seconds|
|-PhishCreds|Start \| Brute|Prompt current user for a valid credential and leak captures|
|-GetPasswords|Enum \| Dump|Enumerate passwords of different locations {Store \| Regedit \| Disk}|
|-PasswordSpray|Spray|Password spraying attack against accounts in Active Directory!|
|-WifiPasswords|Dump \| ZipDump|Enum Available SSIDs OR ZipDump All Wifi passwords|
|-EOP|Enum \| Verbose|Find Missing Software Patches for Privilege Escalation|
|-ADS|Enum \| Create \| Exec \| Clear|Hide scripts { bat \| ps1 \| exe } on $DATA records (ADS)|
|-BruteZip|$Env:TMP\archive.zip|Brute force selected Zip archive with the help of 7z.exe|
|-Upload|script.ps1|Upload script.ps1 from attacker apache2 webroot|
|-Persiste|$Env:TMP\Script.ps1|Persist script.ps1 on every startup {BeaconHome}|
|-CleanTracks|Clear \| Paranoid|Clean disk artifacts left behind {clean system tracks}|
|-AppLocker|Enum \| WhoAmi \| TestBat|Enumerate AppLocker Directories with weak permissions|
|-FileMace|$Env:TMP\test.txt|Change File Mace {CreationTime,LastAccessTime,LastWriteTime}|
|-MetaData|$Env:TMP\test.exe|Display files \ applications description (metadata)|
|-psgetsys|Enum \| Auto \| Impersonate|Spawn a process under a different parent process!|
|-MsgBox|"Hello World."|Spawns "Hello World." msgBox on local host {wscriptComObject}|
|-SpeakPrank|"Hello World."|Make remote host speak user input sentence {prank}|
|-NetTrace|Enum|Aggressive Enumeration with the help of netsh {native}|
|-PingSweep|Enum \| Verbose|Enumerate Active IP Address and open ports on Local Lan|
|-DnsSpoof|Enum \| Redirect \| Clear|Redirect Domain Names to our Phishing IP address|
|-DisableAV|Query \| Start \| Stop|Disable Windows Defender Service (WinDefend)|
|-HiddenUser|Query \| Create \| Delete|Query \ Create \ Delete Hidden User Accounts|
|-CsOnTheFly|Compile \| Execute|Download \ Compile (to exe) and Execute CS scripts|
|-CookieHijack|Dump \| History|Edge \| Chrome Cookie Hijacking tool|
|-UacMe|Bypass \| Elevate \| Clean|UAC bypass \| EOP by dll reflection! (cmstp.exe)|
|-GetAdmin|check \| exec|Elevate sessions from UserLand to Administrator!|
|-NoAmsi|List \| TestAll \| Bypass|Test AMSI bypasses or simply execute one bypass|
|-Clipboard|Enum \| Capture \| Prank|Capture clipboard text\file\image\audio contents!|
|-GetCounterMeasures|Enum \| verbose|List common security processes\pid's running!|
|-DumpLsass|lsass \| all|Dump data from lsass/sam/system/security process/reg hives|

<i>To Display Detailed information about each parameter execute:</i>
Syntax : .\redpill.ps1 -Help [ Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords

This section describes how to test this CmdLet locally without exploiting a target host.

1º - Download CmdLet from GitHub repository to <b><i>'Local Disk'</i></b>
iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1; Unblock-File .\redpill.ps1

2º - Set Powershell Execution Policy to <b><i>'UnRestricted'</i></b>
Set-ExecutionPolicy UnRestricted -Scope CurrentUser

3º - Browse to <b><i>'redpill.ps1'</i></b> storage directory
cd C:\Users\pedro\Desktop

4º - Access CmdLet Help Menu {All Parameters}
.\redpill.ps1 -Help Parameters

5º - Access <b><i>[ -WifiPasswords ]</i></b> Detailed Parameter Help
Syntax : .\redpill.ps1 -Help [ Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords

6º - Running <b><i>[ -WifiPasswords ] [ Dump ]</i></b> Module
Syntax : .\redpill.ps1 [ Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -WifiPasswords Dump

7º - Running <b><i>[ -sysinfo ] [ Enum ]</i></b> Module
Syntax : .\redpill.ps1 [ Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -sysinfo Enum
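As an added defender-side check (not part of the redpill project), the following PowerShell script reports the artifacts the local test procedure above leaves behind: the execution policy per scope that step 2 changes, any .ps1 files in %TMP% (the directory the README says the venom agent uploads the CmdLet to) together with whether they still carry the Zone.Identifier mark-of-the-web that Unblock-File in step 1 removes, and any running powershell.exe whose command line references redpill.ps1. The function names are my own and it assumes Windows PowerShell 5.1 or later on the inspected host.

```powershell
# Added example: inventory of local artifacts left by the test procedure above.
# Not part of redpill; assumes Windows PowerShell 5.1+ (Get-Item -Stream, Get-CimInstance).
function Get-RedpillFootprint {
    [CmdletBinding()]
    param(
        # Directory to inspect; the README states the agent drops the CmdLet in %TMP%.
        [string]$Path = $env:TMP
    )

    # 1. Execution policy per scope: step 2 sets CurrentUser to Unrestricted.
    $policies = Get-ExecutionPolicy -List

    # 2. Script files in the directory. Unblock-File strips the Zone.Identifier
    #    stream, so a downloaded script without it is itself a signal.
    $scripts = Get-ChildItem -Path $Path -Filter '*.ps1' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $zone = Get-Item -Path $_.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File         = $_.FullName
                LastWrite    = $_.LastWriteTime
                HasMarkOfWeb = [bool]$zone
                IsRedpill    = ($_.Name -ieq 'redpill.ps1')
            }
        }

    [pscustomobject]@{
        ExecutionPolicy = $policies
        Scripts         = $scripts
    }
}

# 3. Process-level view: the shell-prompt usage further below runs
#    'powershell -File redpill.ps1 ...' from %TMP%.
function Get-RedpillProcesses {
    Get-CimInstance -ClassName Win32_Process -Filter "Name = 'powershell.exe'" |
        Where-Object { $_.CommandLine -match '-File\s+\S*redpill\.ps1' } |
        Select-Object ProcessId, ParentProcessId, CommandLine
}

$footprint = Get-RedpillFootprint
$footprint.ExecutionPolicy | Format-Table Scope, ExecutionPolicy -AutoSize
$footprint.Scripts         | Format-Table File, LastWrite, HasMarkOfWeb, IsRedpill -AutoSize
Get-RedpillProcesses       | Format-Table -AutoSize
```

Run it in the same account used for the local test; a CurrentUser policy of Unrestricted, a redpill.ps1 in %TMP% without mark-of-the-web, or a powershell.exe launched with `-File redpill.ps1` are the three observable traces of steps 1 to 7.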

This section describes how to run the CmdLet from the reverse tcp shell prompt, once the venom agent has uploaded it to the %TMP% directory.

1º - execute in reverse tcp shell prompt
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters
2º - Access <b><i>[ -WifiPasswords ]</i></b> Detailed Parameter Help
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords

3º - Running <b><i>[ -WifiPasswords ] [ Dump ]</i></b> Module
[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump
