This script is a proof of concept that demonstrates red team automation, it compromises two hosts using eternal blue and zerologon to deliver a payload that modifies all .mp4 videos within a directory to being blank while preserving their file size, .mp4 container, and metadata.
This only works in a very specific lab environment where there is an unpatched windows machine, and an unpatched windows domain controller.
To use this, you need to have metasploit and python installed. (installation instructions for both metasploit and python are different depending on your OS)
You will need to configure where the payload is hosted on your own machine by modifying the constant at the top of the red-team.py script. You can also configure the IP address and network subnet according to your lab environment in the constants at the top of the script.
git clone https://github.com/GriffynHancock/Capstone-Automation.git .Then cd into the new directory created that has the project in it.
python3 -m venv .venvsource .venv/bin/activatepip install pymetasploit3msfrpcd -P admin -fFinally open a new terminal (because this one is being taken up by the daemon) and run the script:
python3 red-team.pyIf it doesnt work the first time, try it again, if it still doesnt work, try throwing it and details about your system into an LLM. if it still doesnt work, oh well it was only a proof of concept.
(My first foray into Metasploit automation inspired by modern cybersecurity threats)
Intended audience: Students, Security professionals, IT administrators, and anyone interested in understanding automated cyber threats and penetration testing.
I built a proof-of-concept Python script that autonomously compromises two machines, takes over a Windows domain, and corrupts business-critical files, all in approximately 30 seconds.
This isn't about sophistication and savant level hacking, It's a demonstration of how trivially easy it is to programmatically exploit "low-hanging fruit", networks with minimal security posture. The automation aspect is what makes this particularly relevant to today's threat landscape where MaaS services compromise websites en mass targeting the same few vulnerabilities (its usually wordpress plugins) across the entire internet.
Luckily the solution to defend against similar attack methods to the one I wrote is just to keep your software updated, the vulnerabilities I exploited are only present on unpatched versions of windows from before 2017.
Not having a proactive security posture has been seen as risky, like not wearing a seatbelt, 1 in 33 people might experience the consequences. However I would propose that going into the late 2020s, neglecting cybersecurity will be inevitably disastrous like playing in traffic blindfolded, it's a FAFO situation rather than a potential risk.
While analysing compromised WordPress sites for my own research (which I will present in the future), I noticed something interesting about the indicators of compromise, mainly that they were incredibly sloppy. While investigating one malicious payload URL, I found about 10 websites that featured it in text cached by google. When I went to those websites I found their pages so badly broken that malicious JavaScript containing the payload URL was literally printed into HTML paragraphs. All of those sites had 2-4 (one had 6) cPanel interface ports exposed, indicating multiple threat groups had independently compromised the same target using similar methods (or one group's automated attack had compromised the same site multiple times, opening a new port each time).
This sloppiness isn't due to incompetence, it's because of sheer scale. These attacks work on volume, not precision. The opsec is great, the obfuscation defeats my capabilities, its just these core primitives are being orchestrated at such extreme scale that it would be impossible to implement cleanly.
Today's cyber threat landscape resembles tens of thousands of automated bots walking through neighborhoods 24/7, trying every car door, briefly attempting to pick every lock. If you maintain a public-facing website or server without basic security hygiene, hundreds of automated scripts will probe it for vulnerabilities. When they succeed, your infrastructure becomes part of their attack platform, hosting phishing campaigns, distributing malware, or serving as a proxy for other attacks. This erodes trust in your organisation and opens you up for damages.
The "malware-as-a-service" industry has exploded, with cybercriminals selling pre-packaged attack chains to anyone willing to pay. These services democratise sophisticated attacks, making them available to low-skill actors who simply point the tools at their targets and let automation do the work. They also make avaliable massive networks of compromised infrastructure to deliver low complexity attacks based on simple activation logic like "user comes from a search engine", "1/100 users", or "user is on a mac in this wealthy city".
The reality of the 2020s: If you don't implement basic security controls (like patching, MFA), it's no longer a question of if you'll be compromised, it's when. You don't need to be interesting enough for human attackers to target manually. You just need to exist on the internet with exploitable vulnerabilities. And software thought to be fully secure today might be found out to have multiple critical vulnerabilities in 5 years, so even vulnerability is practically inevitable too. While I don't intend to promote paranoia, I do want to make it clear that this isnt 1990, you have to actively manage your security or pay someone to do it for you.
As a cybersecurity student serving as the red team for my certification capstone project, I needed to create a proof-of-concept demonstration. I wanted something modern and relevant that illustrated real-world threats. I developed a relatively complete automated attack chain in Python using the Metasploit Framework API (msfrpcd), with the pymetasploit3 library handling the heavy lifting of RPC communication. (thank you (author) for updating it to python 3)
The virtual environment consisted of:
Attacker machine: Linux (Ubuntu with some Kali tools)
Target 1: Unpatched Windows 7 workstation (192.168.1.80)
Target 2: Unpatched Windows Server 2012 domain controller (192.168.1.10)
Network: All systems on the same subnet with no special firewall rules.
This setup emulates a severely outdated organisation with essentially zero security maturity, which is becoming less common.
The engagement scenario assumed a physical security breach where the attacker obtained WiFi credentials (think: sticky note in a staff room visible through a window, or successful social engineering posing as IT support).
Objective: Locate a directory of "CCTV footage" and corrupt the video files in a way that preserves file size and metadata while wiping the actual video content. This simulates an amateur adversary tampering with evidence while attempting to evade forensic detection.
The script begins by exploiting MS17-010 (EternalBlue) against the Windows 7 workstation—the infamous SMBv1 vulnerability leaked from the NSA's toolkit and weaponised in the WannaCry ransomware attack.
Within seconds, we have a Meterpreter session with SYSTEM privileges on the workstation. The script then automatically establishes a routing table through this compromised host, making all future networked communication appear to be coming from this newly compromised host rather than the attackers computer
Next the script does some quick reconnaissance, checking the arp cache, and the windows environment variables, then pings the domain controller to get its hostname and match that to an IP (i would have already had the hostname, but for some reason i was struggling to get the LOGONSERVER variable through the script)
With network access established, the script performs reconnaissance to identify the domain controller, then exploits CVE-2020-1472 (Zerologon)—a critical vulnerability that allows an attacker to set the domain controller's machine account password to all 0s, so null, or effectively remove its requirement for a password altogether.
We then use impacket-secretsdump.py to enumerate every user account and the hash of their password, using grep :500: to pull out the administrator account NTLM hash.
With the Administrator hash in hand, the script performs a pass-the-hash attack using PsExec to establish a session on the domain controller:
At this point, we own the domain. The script then moves onto the payload delivery phase, using a http server we hosted at the start of the attack we pull down a powershell script using Certutil. Certutil is a normal windows binary that can be abused to download arbitrary files, passing them to other binaries like powershell to be executed.
The PowerShell payload locates all MP4 files in the target directory and corrupts them by wiping the video data while preserving the file container and metadata (creation time, modification time, file size). The files appear intact to casual inspection, and while they will play they will be blank.
One significant challenge was tracking Meterpreter sessions reliably. The script needed to distinguish between old and new sessions, handle cases where sessions already existed, and avoid re-exploiting systems unnecessarily. This is one part where I wouldn't have been successful without the pymetasploit3 library, it makes it much easier to query an object that contains all current sessions and even qualities about them. What I ended up doing is checking for the target IP in current sessions, and then finding the corresponding session ID.
Coordinating asynchronous exploitation attempts with session creation required some basic timing logic. The script polls for new sessions after launching exploits, implementing a 30-second timeout to avoid infinite loops.
This was the first time I had written anything more than 30 lines in python, so I had to read up about error handling and logging, writing automation can have many different things go wrong. While im still a beginner in this domain I at least have a strong impetus to learn these things seriously, never wanting to repeat my experience again.
This whole endeavour took significantly more time than expected mainly because there is little documentation on metasploit's RPC API, and almost none on pymetasploit3. I had to do a lot of manual debugging, printing the results of various queries into the terminal and picking them apart to understand. I also read through pymetasploit3 its self a lot, and in the process learned about how pythonic api libraries are built. (whether its a good or bad example im too beginner to tell)
Metasploit's RPC API uses HTTP POST messages that require understanding numerous RPC methods. The pymetasploit3 library abstracts this complexity, providing Pythonic interfaces to Metasploit modules. This dramatically accelerated development compared to working with raw RPC calls. I absolutely would not have been able to do this without it.
Given more time (and for future practice), I would enhance the script to do:
Automated reconnaissance: Dynamically scan the network to discover hosts and open ports
Conditional exploitation: Implement basic decision trees based on fingerprinting to do scanning and then exploitation of discovered vulnerabilities
Credential enumeration: Attempt common username/password combinations before escalating to exploit-based attacks
Cleanup and stealth: Implement better operational security measures and artefact removal
Error recovery: More robust exception handling and fallback strategies
Feeling very inspired to create a simple framework for creating tool calls for LLMs to make pentesting decisions. Everything I wrote could be broken into primitives and then packaged into tool calls, it could be an easily scaled and potentially very useful suite. I think that goal tracking would be the hardest part, which is part of the tug of war of machine learning I guess.
This project underscores several critical security principles:
Patch management is non-negotiable: Both exploited vulnerabilities had patches available for years before my test. Unpatched systems are trivial to compromise. This is seen constantly in things like wordpress.
Network segmentation matters: If the domain controller had been properly segregated with firewall rules, the initial workstation compromise wouldn't have led to domain takeover so easily.
Monitoring, detection, and security appliances: None of these attacks are silent, properly configured sysmon, tripwire and splunk can catch lots of this activity. That being said, I honestly dont have the defensive skill right now to detect SMB messages without a NGFW or some other security appliance, so it seems that security appliances are still necessary. I couldn't for the life of me find a way to detect eternal blue on windows 7. This is probably a skill issue, but again many appliances would do it with minimal configuration.
Privilege management and MFA: The domain controller should not have accepted an admin logon from just any host in the network, and even if the compromised host was a specific admin machine, it should have required MFA to be able to login. Pass the hash only works in situations where organisations dont care who, where or when an administrator account is utitilised.
Automation fundamentally changes the threat landscape. What was previously relegated to nation state level actors 10-15 years ago, both in scale and sophistication of opsec is now purchasable with a subscription fee like netflix, and only a little harder to use than online banking. The proof of concept demonstrates that organisations without fundamental security controls are vulnerable to rapid, automated compromise. The barrier to entry for attackers continues to fall as tools become more accessible and attack chains become more automated.
For defenders, this reality demands a shift in mindset: basic security hygiene isn't optional overhead—it's the minimum barrier that keeps automated threats from compromising your entire infrastructure in under a minute. The good news? The attacks demonstrated here are entirely preventable with fundamental security practices: timely patching, network segmentation, proper authentication controls, and monitoring.
This project was conducted in a controlled lab environment as part of academic research. All techniques described are well-documented and were performed only against systems I owned and controlled. This post is for educational purposes to help security professionals and IT administrators understand modern automated threats.