RedRabbit – Offensive PowerShell

RedRabbit is the twin of BlueRabbit however, RedRabbit has more offensive scripts. RedRabbit was created to help conduct ethical pen-testing and reconnaissance.

Hosted Here: https://github.com/securethelogs/RedRabbit

Running it within memory will mean always running the most up-to-date version. To do so, open PowerShell and run:

powershell –nop –c “iex(New-Object Net.WebClient).DownloadString(‘https://raw.githubusercontent.com/securethelogs/RedRabbit/master/redrabbit.ps1’)”

Below shows the options available when running RedRabbit. If you have any feedback, wants or questions about the script, please let me know.

Option 1: Quick Recon

Quick recon will display details about the user, groups, host and network. In order:

  • Lists User
  • Lists Host
  • Lists Network Interfaces
  • Lists User Groups (inc domain)
  • Shows Privilege
  • Lists Local Admins
  • Lists Local Users
  • Lists Current Logged in Users
  • Shows Installed Programs
  • Tests If Internet Is Reachable
  • Shows Local Firewall Rules

If the firewall rules are taking to long, you can exit with Ctrl + C.

Option 2: Scan Subnet

This option will find the current subnet in which the machine is connected to and perform the following:

  • Scan for Live Hosts
  • Resolve DNS for Live Hosts
  • Scan for Open Ports on Live Hosts

Option 3: Clipboard Logger

This is my PSClippy scripts which creates a PowerShell session in the background. This session will record, and values copied to clipboard and store them. Once a threshold of 10 is met, it will either store to file or upload to PasteBin.

Securethelogs.com
PSclippy (Option 3 of RedRabbit)

Option: F
This will then prompt you for a file location. You will need to enter the full path including the file name:

This will then create another hidden process and store in file:

Option: P
This will upload the pastes to PasteBin once the counter has hit 10 (by default).
You will need to enter an API key though. This can be obtained once you have an account with Pastebin.

Option 4: Network Scanner

This is a simple network scanner which will allow you to either scan:

  • Common Ports
  • Full Scan (Ports 1-65535)
  • Quick Scan (Ports 1-65535 but less wait time as above option)

Option 5: DNS Resolver

This will allow you to resolve an IP to either a single IP address or multiple, using a txt file.

Option 6: Brute Force ZIP

This option will allow you to brute force a ZIP file using a wordlist.
You will need to have 7zip installed before this can run.

Option 7: Brute WinRM

This option will scan and allow you to brute force credentials using the WinRM service. For this to work, you need:

  • A machine running the WinRM service (Port open)
  • A user list
  • A password list

Option 8: Test Extraction Connection

Given your method of choice, this will test if the machine can reach your destination on common ports (80,443,445).

Option 9: Show Local Firewall Deny Rules

This option will display the local firewall rules which have a deny action and format them in a handy table.

Option 10: Password Extraction

If the session is ran as an admin, it will extract the SAM/System File for offline cracking. If not, it will continue to run through the following:

  • Extracting credentials saved inside credential manager.
  • Extract saved Wi-fi passwords.

Option 11: Encode Commands (Base64)

This will encode text into Base64:

Option 12: Run Encoded Commands

This will then run the command whilst still encoded. This mainly requires admin however, it still functions with low level requests such as echo “hi”:

Option 13: Edit Local Host

This requires the session to ran as admin. This is because writing to host file requires elevated rights. If there is a share present, you can change the resolved IP for the host to your attacking IP, by adding it to the host file.

Option 14: Probe For SMB Share

You will need a IP list which can contain IPs, or FQDN. This will then probe each one for reachable SMB shares.

Option 15: Web Crawler

This will allow you to crawl through web directories of your chosen site.

Option 16: File Crawler

This will allow you to search for filenames or for keywords within certain files.
See more here: https://github.com/securethelogs/Powercrawler

-OSINT Options-

Option A: Find Subdomains

This option will allow you to search the internet for subdomains.

Option B: Daily PasteBin

This option will pull the recent pastes and search them for key words. The script will then display each and highlight any juicy values such as passwords or API keys.

Option C: Scan Azure Resource

This option will allow you to hunt for reachable Azure resource based on a wordlist provided. See more: https://github.com/securethelogs/ZorkAzure

Option D: Scan Socials for Usernames

This will scan a few social media sites for a matching username.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s