Ayoub-2/RedReason

RedReason v1.1.0 🛡️

An autonomous Red Team operator tool designed for the CRTP (Certified Red Team Professional) mindset.

Philosophy

  • Reliability > Noise: does not spray; validates a specific vector's prerequisites before acting on it.
  • Reasoning: logs why an attack is attempted (hypothesis driven).
  • Lab Ready: built for Active Directory labs, such as the Altered Security labs (alteredsecurity.com).

Architecture & Extensibility

RedReason is built on a modular architecture designed for "Senior Red Team" operations:

  • Strict Data Model: Uses typed objects (ADUser, ADComputer) for consistency.
  • State Sharing: Modules share intelligence to reduce network noise (e.g., Attack module uses Enumeration cache).
  • Plugin System: Easily extensible via the RedReasonModule interface.

See Developer Guide for instructions on creating new modules.

Features

  • Enumeration (L0-L2 maturity: Presence, Misconfig, Validation):

    • Users, Computers, Trusts, LAPS
    • DNS: Infrastructure discovery via AD-Integrated zones.
    • ACLs: Dangerous ACE detection (GenericAll, WriteDACL).
    • GPO: Policy weakness and linkage analysis.
    • ADCS: Enterprise CA and ESC1/ESC8 misconfiguration detection.
    • Exchange: Server enumeration, PrivExchange (ACLs), and RBAC auditing.
    • Virtualization: ESXi/vCenter enumeration, "ESX Admins" abuse (CVE-2024-37085), and Version Fingerprinting.
    • Lateral: WinRM/RDP exposure mapping and LAPS coverage.
    • Defense: Credential Guard and Defensive Posture checks.
  • Attacks (L3 maturity: Execution):

    • Kerberoasting: (Saves hashes to reports/hashes_kerb.txt)
    • AS-REP Roasting: (Saves hashes to reports/hashes_asrep.txt)
    • Identity Hardening: Checks for encryption downgrade risks (accounts limited to RC4/DES, whose tickets are far cheaper to crack than AES).
    • Post-Exploitation: Golden Ticket forging (requires the krbtgt key, i.e. prior domain compromise).
  • Reasoning Engine:

    • Filters false positives by checking each vector's prerequisites before reporting it.
    • Enforces the Maturity Model (Presence -> Misconfig -> Validation -> Execution): a finding is never promoted to a level whose prerequisites have not been confirmed.
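To make the architecture, attack and reasoning-engine bullets above concrete, here is an added example written for this page; it is not RedReason's own code, and the RedReasonModule base class, the ADUser and Finding types, the EnumCache and the function names are all assumptions (the real interface is in the Developer Guide). Only the userAccountControl and msDS-SupportedEncryptionTypes bit values are real AD constants. The hypothetical module reads typed users from a shared enumeration cache, filters out principals that fail the attack's prerequisites (disabled accounts, krbtgt), emits hypothesis-driven findings for Kerberoasting, AS-REP roasting and RC4/DES-only encryption types, and a maturity gate decides which findings may be promoted to Execution, withholding anything that needs non-LDAP traffic when stealth is on.

```python
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional

# Real AD bit values (userAccountControl / msDS-SupportedEncryptionTypes).
UAC_ACCOUNTDISABLE = 0x0002
UAC_DONT_REQ_PREAUTH = 0x400000
ENC_DES = 0x1 | 0x2          # DES-CBC-CRC, DES-CBC-MD5
ENC_RC4 = 0x4
ENC_AES = 0x8 | 0x10         # AES128-CTS, AES256-CTS


class Maturity(IntEnum):
    """Presence -> Misconfig -> Validation -> Execution."""
    PRESENCE = 0
    MISCONFIG = 1
    VALIDATION = 2
    EXECUTION = 3


@dataclass
class ADUser:
    """Assumed shape of the typed user object; field names mirror LDAP attributes."""
    sAMAccountName: str
    userAccountControl: int
    servicePrincipalName: List[str] = field(default_factory=list)
    msDS_SupportedEncryptionTypes: Optional[int] = None   # None = attribute not set


@dataclass
class Finding:
    vector: str
    subject: str
    maturity: Maturity
    hypothesis: str   # logged so the operator sees why the attack is proposed
    active: bool      # promotion to EXECUTION needs traffic beyond the cached LDAP data


class EnumCache:
    """Shared state: filled once by enumeration, read by every later module."""
    def __init__(self) -> None:
        self.users: Dict[str, ADUser] = {}

    def add(self, user: ADUser) -> None:
        self.users[user.sAMAccountName.lower()] = user


class RedReasonModule:
    """Assumed plugin base class (not the project's real interface)."""
    name = "base"

    def run(self, cache: EnumCache) -> List[Finding]:
        raise NotImplementedError


class KerberosWeaknessModule(RedReasonModule):
    name = "kerb"

    def run(self, cache: EnumCache) -> List[Finding]:
        findings: List[Finding] = []
        for u in cache.users.values():
            if u.userAccountControl & UAC_ACCOUNTDISABLE:
                continue  # prerequisite filter: a disabled principal yields no tickets
            if u.servicePrincipalName and u.sAMAccountName.lower() != "krbtgt":
                findings.append(Finding(
                    "kerberoast", u.sAMAccountName, Maturity.VALIDATION,
                    "enabled account with SPN: any authenticated user can request a TGS for it",
                    active=True))
            if u.userAccountControl & UAC_DONT_REQ_PREAUTH:
                findings.append(Finding(
                    "asrep", u.sAMAccountName, Maturity.VALIDATION,
                    "DONT_REQ_PREAUTH set: an AS-REP can be obtained without the password",
                    active=True))
            etypes = u.msDS_SupportedEncryptionTypes
            if etypes is not None and not (etypes & ENC_AES) and etypes & (ENC_RC4 | ENC_DES):
                findings.append(Finding(
                    "etype_downgrade", u.sAMAccountName, Maturity.MISCONFIG,
                    "only RC4/DES enabled: tickets for this account use a fast-to-crack etype",
                    active=False))
        return findings


def plan_execution(findings: List[Finding], stealth: bool) -> List[Finding]:
    """Maturity gate: only VALIDATION-level findings may be promoted to EXECUTION,
    and in stealth mode nothing that generates non-LDAP traffic is promoted."""
    return [f for f in findings
            if f.maturity >= Maturity.VALIDATION and not (stealth and f.active)]


def build_sample_cache() -> EnumCache:
    """Constructed sample data standing in for a real LDAP enumeration pass."""
    cache = EnumCache()
    cache.add(ADUser("svc_sql", 0x10200, ["MSSQLSvc/sql01.lab.local:1433"], ENC_RC4))
    cache.add(ADUser("svc_web", 0x10200, ["HTTP/web01.lab.local"], ENC_AES))
    cache.add(ADUser("old_user", 0x10200 | UAC_DONT_REQ_PREAUTH))
    cache.add(ADUser("disabled_svc", 0x10200 | UAC_ACCOUNTDISABLE, ["CIFS/fs01.lab.local"], ENC_RC4))
    cache.add(ADUser("krbtgt", 0x202, ["kadmin/changepw"]))   # disabled by default in AD
    return cache


if __name__ == "__main__":
    found = KerberosWeaknessModule().run(build_sample_cache())
    for f in found:
        print(f"[{f.maturity.name}] {f.vector:16} {f.subject:14} {f.hypothesis}")
    print("stealth plan:", [f.subject for f in plan_execution(found, stealth=True)])
    print("full plan   :", [f.subject for f in plan_execution(found, stealth=False)])
```

Two design points carry over to any module written against the real interface: the attack module never re-queries LDAP for data the enumeration module already cached, and the etype finding stays at Misconfig because confirming it requires actually requesting a ticket, which is exactly the step the stealth gate withholds.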

MITRE ATT&CK Mapping

RedReason maps its capabilities to the MITRE ATT&CK framework. See full details in docs/mitre_mapping.md.

Attack ID   Technique                                    RedReason coverage
T1558       Steal or Forge Kerberos Tickets              Kerberoasting (T1558.003), AS-REP Roasting (T1558.004), Golden Ticket (T1558.001)
T1557       Adversary-in-the-Middle                      SMB relay / SMB signing checks (T1557.001)
T1003       OS Credential Dumping                        DCSync (T1003.006)
T1552       Unsecured Credentials                        GPP passwords (T1552.006), readable LAPS passwords
T1649       Steal or Forge Authentication Certificates   AD CS (ESC1/ESC8)

Installation (Docker)

docker build -t redreason .

Usage

Docker (Recommended)

Mount a volume to /app/reports to access generated reports and dumped hashes.

# Standard Scan (All checks)
docker run --rm -v ${PWD}/reports:/app/reports redreason --target <IP> --domain <DOMAIN> --user <USER> --password <PASS> --module all

# Specific Vector Scans
docker run ... --module acl      # Authorization Abuse
docker run ... --module gpo      # Group Policy Abuse
docker run ... --module cs       # ADCS Abuse
docker run ... --module exchange # Exchange Ops
docker run ... --module virt     # Virtualization Ops
docker run ... --module defense  # Defensive Posture

# Pass-the-Hash
docker run --rm -v ${PWD}/reports:/app/reports redreason --target <IP> --domain <DOMAIN> --user <USER> --hashes <LM:NT>

Local Python

pip install -r requirements.txt
python main.py --target <IP> --domain <DOMAIN> --user <USER> --password <PASS>

Command-Line Options (v1.1.0+)

Verbosity Control

Control output detail level with multi-level verbosity:

# Quiet mode (warnings only)
python main.py --target <IP> ... --verbose 0

# Normal mode (default, INFO level)
python main.py --target <IP> ...

# Verbose mode (DEBUG level, detailed checks)
python main.py --target <IP> ... -v

# Very verbose mode (TRACE level, granular diagnostics)
python main.py --target <IP> ... -vvv

Stealth Mode

Lower-noise scanning that skips the checks most likely to trip detection systems. It is not silent: the authenticated LDAP queries that remain are still logged on the domain controller.

# Enable stealth mode (skips active coercion attacks and RPC enumeration)
python main.py --target <IP> ... --stealth

Additional Flags

--bloodhound         # Generate BloodHound JSON output
--module <name>      # Run specific module (enum, attack, post, acl, gpo, cs, lateral, defense, exchange, virt, all)
--hashes <LM:NT>     # Use pass-the-hash authentication

License

This project is licensed under the MIT License - see the LICENSE file for details.

Copyright (c) 2026 RedReason Authors

You are free to use, modify, and distribute this software under the terms of the MIT License. This tool is provided "as is" without any warranty.

Disclaimer

RedReason is designed for authorized security testing and red team operations in controlled environments (e.g., lab environments, authorized penetration tests). Unauthorized access to computer systems is illegal. Always obtain proper authorization before conducting security assessments.
