Redpill : Assist Reverse Tcp Shells In Post-Exploration Tasks

Redpill project aims to assist reverse tcp shells in post-exploration tasks. Often in redteam engagements we
need to use unconventional ways to access target system, such as reverse tcp shells (not metasploit) in order
to bypass the defenses implemented by the system administrator. After the first stage was successful compleated
we face another type of problems: “I have (shell) access to the target system, and now what can I do with it?”

This project consists of several PowerShell scripts that perform different post-exploitation functions and the
main script redpill.ps1 that is main work its to download/config/exe the scripts contained in this repository.

The goal is to have a similar meterpreter experience in our reverse tcp shell prompt (meterpreter similar options)

Folder NameDescriptionNotes
BinContains redpill main modulesSysinfo | GetConnections | Persiste | Keylogger | etc.
BypassContains redpill bypass scriptsManual Download/Execution required
modulesContains redpill modulesSherlock | CredsPhish | Webserver | StartWebServer | etc.
UtilsContains BAT | PS1 scriptsManual execution required

CmdLet Parameters syntax\examples

This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically uploads this CmdLet to %TMP% directory to be
easily accessible in our reverse tcp shell ( shell prompt ).

To List All Parameters Available, execute in powershell prompt:

.\redpill.ps1 -Help Parameters

CmdLet Parameter NameParameter ArgumentsDescription
-SysInfoEnum | VerboseQuick System Info OR Verbose Enumeration
-GetConnectionsEnum | VerboseEnumerate Remote Host Active TCP Connections
-GetDnsCacheEnum | ClearEnumerate\Clear remote host DNS cache entrys
-GetInstalledEnumEnumerate Remote Host Applications Installed
-GetProcessEnum | Kill | TokensEnumerate OR Kill Remote Host Running Process(s)
-GetTasksEnum | Create | DeleteEnumerate\Create\Delete Remote Host Running Tasks
-GetLogsEnum | Verbose | ClearEnumerate eventvwr logs OR Clear All event logs
-LiveStreamBind | Reverse | StopNishang script for streaming a target desktop using MJPEG
-GetBrowsersEnum | Verbose | CredsEnumerate Installed Browsers and Versions OR Verbose
-GetSkypeContacts|DomainUsersEnumerating and attacking federated Skype
-Screenshot1Capture 1 Desktop Screenshot and Store it on %TMP%
-CameraEnum | SnapEnum computer webcams OR capture default webcam snapshot
-StartWebServerPython | PowershellDownloads webserver to %TMP% and executes the WebServer
-KeyloggerStart | StopStart OR Stop recording remote host keystrokes
-MouseLoggerStartCapture Screenshots of Mouse Clicks for 10 seconds
-PhishCredsStart | BrutePromp current user for a valid credential and leak captures
-GetPasswordsEnum | DumpEnumerate passwords of diferent locations {Store|Regedit|Disk}
-WifiPasswordsDump | ZipDumpEnum Available SSIDs OR ZipDump All Wifi passwords
-EOPEnum | VerboseFind Missing Software Patchs for Privilege Escalation
-ADSEnum | Create | Exec | ClearHidde scripts { bat | ps1 | exe } on $DATA records (ADS)
-BruteZip$Env:TMP\archive.zipBrute force sellected Zip archive with the help of 7z.exe
-Uploadscript.ps1Upload script.ps1 from attacker apache2 webroot
-Persiste$Env:TMP\Script.ps1Persiste script.ps1 on every startup {BeaconHome}
-CleanTracksClear | ParanoidClean disk artifacts left behind {clean system tracks}
-AppLockerEnum | WhoAmi | TestBatEnumerate AppLocker Directorys with weak permissions
-FileMace$Env:TMP\test.txtChange File Mace {CreationTime,LastAccessTime,LastWriteTime}
-MetaData$Env:TMP\test.exeDisplay files \ applications description (metadata)
-PEHollowGetSystem | $Env:TMP\test.exeProcess Hollowing {impersonate explorer.exe as parent}
-MsgBox“Hello World.”Spawns “Hello World.” msgBox on local host {wscriptComObject}
-SpeakPrank“Hello World.”Make remote host speak user input sentence {prank}
-NetTraceEnumAgressive Enumeration with the help of netsh {native}
-PingSweepEnum | VerboseEnumerate Active IP Address and open ports on Local Lan
-DnsSpoofEnum | Redirect | ClearRedirect Domain Names to our Phishing IP address
-DisableAVQuery | Start | StopDisable Windows Defender Service (WinDefend)
-HiddenUserQuery | Create | DeleteQuery \ Create \ Delete Hidden User Accounts
-CsOnTheFlyCompile | ExecuteDownload \ Compile (to exe) and Execute CS scripts
-CookieHijackDump|HistoryEdge|Chrome Cookie Hijacking tool
-UacMeBypass | Elevate | CleanUAC bypass|EOP by dll reflection! (cmstp.exe)

To Display Detailed information about each parameter execute:

Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords

Instructions how to use the Cmdlet {Local tests}

This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically uploads this CmdLet to %TMP% directory to be
easily accessible in our reverse tcp shell ( shell ).

‘this section describes how to test this Cmdlet Locally without exploiting target host’

1º – Download CmdLet from GitHub repository to ‘Local Disk’

iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1

2º – Set Powershell Execution Policy to ‘UnRestricted’

Set-ExecutionPolicy UnRestricted -Scope CurrentUser

3º – Browse to ‘redpill.ps1’ storage directory

cd C:\Users\pedro\Desktop

4º – Access CmdLet Help Menu {All Parameters}

.\redpill.ps1 -Help Parameters

5º – Access [ -WifiPasswords ] Detailed Parameter Help

Syntax : .\redpill.ps1 -Help [ -Parameter Name ]
Example: .\redpill.ps1 -Help WifiPasswords

6º – Running [ -WifiPasswords ] [ Dump ] Module

Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -WifiPasswords Dump

7º – Running [ -sysinfo ] [ Enum ] Module

Syntax : .\redpill.ps1 [ -Parameter Name ] [ @argument ]
Example: .\redpill.ps1 -sysinfo Enum

Instructions how to use the CmdLet under Venon v1.0.17.8

This cmdlet belongs to the structure of venom v1.0.17.8 as a post-exploitation module.
venom amsi evasion agents automatically uploads this CmdLet to %TMP% directory to be
easily accessible in our reverse tcp shell ( shell prompt ).

1º – execute in reverse tcp shell prompt

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help Parameters

2º – Access [ -WifiPasswords ] Detailed Parameter Help

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -Help WifiPasswords

3º – Running [ -WifiPasswords ] [ Dump ] Module

[SKYNET] C:\Users\pedro\AppData\Local\Temp> powershell -File redpill.ps1 -WifiPasswords Dump

To Manual download the CmdLet for Local Tests, execute

iwr -Uri https://raw.githubusercontent.com/r00t-3xp10it/redpill/main/redpill.ps1 -OutFile redpill.ps1

Video Tutorials

Demonstration – This tutorial uses: sysinfo, GetPasswords, UacMe modules
MouseLogger – Capture Screenshots of ‘MouseClicks’ with the help of psr.exe
PhishCreds – Phish for login credentials OR Brute Force user account password
FileMace – Change File TimeStamp {CreationTime, LastAccessTime, LastWriteTime}
CsOnTheFly – Download (from url), Auto-Compile and Execute CS scripts On-The-Fly!
EOP – Find missing software patchs for privilege escalation

Acknowledgments

hax0rFunctionOS Flavor
@youhacker55For All the help Debugging this cmdlet (Testing BETA version)Windows 7 x64bits
@0xyg3nFor All the help Debugging this cmdlet (Testing BETA version)Windows 10 x64bits
@Shanty_DamayantiDebugging this cmdlet (amsi string detection bypasses)Windows 10 x64bits
@miltinhocDebugging this cmdlet and recording video tutorialsWindows 10 x64bits

Any collaborations Or bugreports are wellcome