Skip to content


Folders and files

Last commit message
Last commit date

Latest commit



39 Commits

Repository files navigation


And many more. I created this repo to have an overview over my starred repos. I was not able to filter in categories before. Feel free to use it for yourself. I do not list Kali default tools as well as several testing tools which are state of the art. STRG+F searches are helpful here.

Windows Active Directory Pentest

General usefull Powershell Scripts - 😎 - same but kerberos auth for more stealth and lockout-sleep - domainpasswordspray executable with lockout-sleep - supported version - really nice Excel-Sheet for an AD-Overview - Various Powersploit Tasks in C# - Adidns Attacks

AMSI Bypass restriction Bypass - modified PowerLessShell C# Powershell - Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched - Constrained language mode bypass - Applocker Bypass - This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace. - The Hunt for Malicious Strings - Bypass AMSI and Defender using Ordinal Values in VBS - OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, CLM and Script Block Logging disabled at startup - Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load(). - MSBuild without MSbuild.exe - MSBuildShell, a Powershell Host running within MSBuild.exe - Executes Blended Managed/Unmanged Exports - A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies / Applocker Bypass Scan - AmsiHook is a project I created to figure out a bypass to AMSI via function hooking. - Load .net assemblies from memory while having them appear to be loaded from an on-disk location. - Bypass LSA Protection - Dump the memory of a PPL with a userland exploit

Payload Hosting - Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. - Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

Network Share Scanner

Find Juicy Stuff - a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 - Enumerate all network shares in the current domain. Also, can resolve names to IP addresses. - Search tool to find specific files containing specific words, i.e. files containing passwords.. - .NET 4.0 Console App to browse VMDK / VHD images and extract files - Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain

Reverse Shellz - A small reverse shell for Linux & Windows - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE) - C# reverse shell using Background Intelligent Transfer Service (BITS) as communication protocol and direct syscalls for EDR user-mode hooking evasion.

Backdoor finder

Lateral Movement - WMI,SMB,RDP,SCM,DCOM Lateral Movement techniques - WMI, SCM, DCOM, Task Scheduler and more - C# Port of Invoke-DCOM - An implementation of PSExec in C# - CsExec, CsPosh (Remote Powershell Runspace), CsWMI,CsDCOM - Automate Getting Dom-Adm - automated lateral movement - backdoor / rootkit - automation for various mitm attacks + vulns - automated penetration toolkit - Netbios Network interface Enumeration (discovery of dual homed hosts) - Find dual homed hosts over DCOM - A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object - unconstrained delegation, printer bug (MS-RPRN) exploitation, Remote ADIDNS attacks - Fileless lateral movement tool that relies on ChangeServiceConfigA to run command - AD Bloodhound 3.0 Path - A Bypass Anti-virus Software Lateral Movement Command Execution Tool - PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. - Collection of remote authentication triggers in C# - Implementation of SpoolSample without rDLL - PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. - Post-exploit tool that enables a SOCKS tunnel via a Windows host using an extensible custom RPC proto over SMB through a named pipe. - C# application that allows you to quick run SSH commands against a host or list of hosts - A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending. - .NET 4.0 Scheduled Job Lateral Movement - Remotely enables Restricted Admin Mode - LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript - Python tool to Check running WebClient services on multiple targets based on @leechristensen - - Tools for Kerberos PKINIT and relaying to AD CS - Get file less command execution for lateral movement.

POST Exploitation - Automatically scan any windows or tabs for login forms and then record what gets posted. A notification will appear when some have arrived. - McAfee Epo or Solarwinds post exploitation - A POC Remote Desktop (RDP) session hijack utility for disconnected sessions - RunasCs - Csharp and open version of windows builtin runas.exe - Powershell VNC injector - Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims. - .NET 4.0 Project to interact with video, audio and keyboard hardware. - Lockless allows for the copying of locked files. - C# Clipboard Monitor - SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file. - MultiRDP is a C# consosle application to make multiple RDP (Remote Desktop) sessions possible by patching termsrv.dll correctly. - Using outlook COM objects to create convincing phishing emails without the user noticing. This project is meant for internal phishing. - A little tool to play with Outlook - Tool for interacting with outlook interop during red team engagements - 2 ways of Password Filter DLL to record the plaintext password - A .NET tool for exporting and importing certificates without touching disk. - Retrieve LAPS password from LDAP - remote LAPS dumping from linux

Post Exploitation - Phish Credentials - Windows active user credential phishing tool - Creates a login prompt to gather username and password of the current user. This project allows red team to phish username and password of the current user without touching lsass and having adminitrator credentials on the system. - Phish Smartcard PIN - PyHook is an offensive API hooking tool written in python designed to catch various credentials within the API call. - SharpHook is an offensive API hooking tool designed to catch various credentials within the API call.

Wrapper for various tools - Various .NET Tools wrapped in Powershell - GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects - rundll32 Wrapper for Rubeus - execute Python in C# via ironpython

Pivot - Webshell tunnel over socks proxy - pentesters dream - reGeorg customized for weblogic TCP tunneling over HTTP/HTTPS for web application servers like reGeorg - check for internet access over open ports / egress filtering - C# Wrapper around Chisel from - A fast TCP tunnel over HTTP - ping tunnel is a tool that advertises tcp/udp/socks5 traffic as icmp traffic for forwarding. - Reverse Tunneling made easy for pentesters, by pentesters - An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface. - Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse - Amplify network visibility from multiple POV of other hosts - A tool to make socks connections through HTTP agents - TCP Port Redirection Utility - socks4 reverse proxy for penetration testing

Active Directory Audit and exploit tools - C# Data Collector for the BloodHound Project, Version 3 - Maximizing BloodHound. Max is a good boy. - same as invoke-aclpwn but in python - Active Directory information dumper via LDAP - Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket - SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket - Tool to discover Resource-Based Constrained Delegation attack paths in Active Directory environments - Add SD for controlled computer object to a target object for RBCD using LDAP - Active Directory certificate abuse. - Python implementation for Active Directory certificate abuse - ADCS abuser - PowerShell toolkit for AD CS auditing based on the PSPKI toolkit. - A proof of concept on attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS) - C# version of Powermad

Persistence on windows - The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification - Python version of the C# tool for "Shadow Credentials" attacks - pyForgeCert is a Python equivalent of the ForgeCert. - Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account. - "Golden" certificates - Hijack Printconfig.dll to execute shellcode

Web Application Pentest

Framework Discovery - Wordpress, Joomla, Drupal Scanner

Framework Scanner / Exploitation - wordpress - lotus domino - Drupal - Typo3 - Joomla

Web Vulnerability Scanner / Burp Plugins - all in one scanner - XSS discovery - Burpsuite Extension to bypass 403 restricted directory - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Network- / Service-level Vulnerability Scanner

File / Directory / Parameter discovery - Mining parameters from dark corners of Web Archives - 💗 - Directory lookup from Javascript files - Automation for javascript recon in bug bounty. - Admin Panel Finder

Crawler - Headless web crawler for bugbounty and penetration-testing/redteaming - 💗 - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.

Web Exploitation Tools - lfi - xxe - shellz - ssti - xpath injection - File Uploads - deserialization - IIS Short Filename Vuln. exploitation - Deserialize Java Exploitation - Deserialize .NET Exploitation - Exploit .git Folder Existence - Leak git repositories from misconfigured websites - SSRF Tutorials - PHP Unserialize Payload generator - Malicious Office XXE payload generator - Angularjs Csti Scanner - Deserialize .NET Viewstates - Deserialize .NET Viewstates

REST API Audit - RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.

SAML Login - Python Script for SAML2 Authentication Passwordspray

Swagger File API Attack

Windows Privilege Escalation / Audit - Privilege Escalation Enumeration Script for Windows - powerfull Privilege Escalation Check Script with nice output - UAC - C# tool for UAC bypasses - Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components - UAC - find vulnerable dlls for preloading attack - dll hijack scanner - admin to system - Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)

Windows Privilege Abuse (Privilege Escalation) - Abuse Windows Privileges - load malicious dlls from system32 - Exploit potatoes with automation - from Service Account to System - Another Windows Local Privilege Escalation from Service Account to System - Abusing Impersonation Privileges on Windows 10 and Server 2019 - itm4ns Printspoofer in C# - Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability). - Just another "Won't Fix" Windows Privilege Escalation from User to Domain Admin. - Recover the default privilege set of a LOCAL/NETWORK SERVICE account

T3 Enumeration

Linux Privilege Escalation / Audit - powerfull Privilege Escalation Check Script with nice output - lookup vulnerable installed software - find suid bins and look them up under gtfobins / exploitable or not - Offline GTFOBins - sudo misconfiguration exploitation - easily manipulate the tty and create fake binaries - not really privesc but helpfull - Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, polkit, docker socket


Credential harvesting Windows Specific - Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. - Kerberoast with ACL abuse capabilities - remote lazagne - Browser Creds gathering - hack-browser-data is an open-source tool that could help you decrypt data[passwords|bookmarks|cookies|history] from the browser. - ClipHistory feature get the last 25 copy paste actions - extract live rdp logins - Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute. - .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins. - Chromium Cookie import / export tool - ThunderFox for Firefox Credentials, SitkyNotesExtract for "Notes as passwords" - Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon - .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's - C# tool to discover low hanging fruits like SessionGopher - DPAPI Creds via C# - C# porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands - Dumping DPAPI credz remotely - credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege - Mimikatz implementation in pure Python

LSASS dumper / process dumper - PIC lsass dumper using cloned handles - Dump stuff without touching disk - Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory - Command line interface to dump LSASS memory to disk via SilentProcessExit - dump lsass using direct system calls and API unhooking - C# Lsass parser - Create a minidump of the LSASS process from memory - using Dumpert - Evade WinDefender ATP credential-theft - remote procdump.exe, copy dump file to local system and pypykatz for analysis/extraction - This project reuses open handles to lsass to parse or minidump lsass

Credential harvesting Linux Specific - SSH Credential loot - SSH / Sudo / SU Credential loot - Tool to extract Kerberos tickets from Linux kernel keys.

Data Exfiltration - DNS/ICMP/Wifi Exfiltration - Wifi Exfiltration - Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP - Easy files and payloads delivery over DNS - Hide your payload in DNS - Modular C# framework to exfiltrate loot over secure and trusted channels.

Git Specific

Windows / Linux

Reverse Engineering / decompiler - .NET Disassembler


Network Attacks - 💗 - more up to date - Deprecated but still good - mitm6 in C# + Inveigh default features - Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients. - leaking net-ntlm with webdav - Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality

Specific MITM service Exploitation - SSH - WSUS - WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations - WSUS mitm - Standalone implementation of a part of the WSUS spec. Built for offensive security purposes. - RDP - RDP man-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact - Fake Updates for various Software - web application live recording, keystroke logger - User Enumeration with SMB Relay Attacks

Sniffing / Evaluation / Filtering -

Red-Team SIEM - Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.

Scanner / Exploitation-Frameworks / Automation - automate nmap with scripting capabilities - Spray a hash via smb to check for local administrator access

Default Credential Scanner - Login hunter of default credentials for administrative web interfaces leveraging NNdefaccts dataset. - screenshot for webservers - One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password

Default Credential Lookup

Payload Generation / AV-Evasion / Malware Creation - Office RCE POC - Bring your own print driver privilege escalation tool - reverse shell generator - Sandbox Evasion techniques - SandBox Evasion in C# - Encrypted HTA Generation - Optimized GadgetToJScript version - Shikata ga nai (仕方がない) encoder ported into go with several improvements - Spotter is a tool to wrap payloads in environmentally-keyed, AES256-encrypted launchers. - Malleable payload generation framework. - Build Powershell Script from .NET Executable - Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. - A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) - AES Encrypt payloads - Embed and hide any file in an HTML file - AES Encrypt C/C++ Compiled binaries and decrypt at runtime - PoC of a VBA macro spawning a process with a spoofed parent and command line. - Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. - A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows. - Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. - BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation. - Excel Macro Document Reader/Writer for Red Teamers & Analysts - Out-of-the-Box Tool to Obfuscate Excel XLS. Include Obfuscation & Hide for Cell Labels & BoundSheets - PwnyForm will take an MSI installer as input and generate an MSI transform (mst) that can be used to inject arbitrary command execution by adding a custom action that will execute during the UI or Install sequence of an MSI file. - VBA purge your Office documents with OfficePurge. VBA purging removes P-code from module streams within Office documents. Documents that only contain source code and no compiled code are more likely to evade AV detection and YARA rules. - A Control Panel Applet dropper project. It has a high success rate on engagements since nobody cares about .CPL files and you can just double click them. - Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library. - C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's. - Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading - Koppeling x Metatwin x LazySign - Sign an executable for AV-Evasion - A tool for generating fake code signing certificates or signing real ones - RCE 0-day for GhostScript 9.50 - Payload generator - ImageMagick - Just a PoC to turn xlsx (regular Excel files) into xlsm (Excel file with macro) and slipping inside a macro (vbaProject.bin) - SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature. - Template-Driven AV/EDR Evasion Framework - BadAssMacros - C# based automated Malicous Macro Generator. - LittleCorporal: A C# Automated Maldoc Generator - Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file - ScareCrow - Payload creation framework designed around EDR bypass. - Undetectable & Xor encrypting with custom KEY (FUD Metasploit Rat) bypass Top Antivirus like BitDefender,Malwarebytes,Avast,ESET-NOD32,AVG,... & Automatically Add ICON and MANIFEST to excitable

Shellcode Injection - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters - D/Invoke port of UrbanBishop - A port of FuzzySecurity's UrbanBishop project for inline shellcode execution - Donut for Shellcode Injection - Mapping injection is a process injection technique that avoids the usage of common monitored syscall VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. - Shellcode injection POC using syscalls. - Shellcode wrapper with encryption for multiple target languages - A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques. - C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread - A set of scripts that demonstrate how to perform memory injection in C# - SysWhispers helps with evasion by generating header/ASM files implants can use to make direct system calls. - X86 version of syswhispers2 / x86 direct system call - CreateThreadpoolWait, Fiber Load, NtTestAlert Load, SEH Except Load, TLS CallBack Load, Dynamic Load, Dynamic Load plus, Syscall Load, APC-Inject Load, Early Brid APC-Inject Load, NtCreateSection-Inject Load, OEP Hiijack-Inject Load, Thread Hiijack-Inject Load - Suite of Shellcode Running Utilities - Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process - Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions - It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!) - This program is designed to demonstrate various process injection techniques - A collection of C# shellcode injection techniques. All techniques use an AES encrypted meterpreter payload. I will be building this project up as I learn, discover or develop more techniques. Some techniques are better than others at bypassing AV. - Collection of shellcode injection techniques packed in a D/Invoke weaponized DLL - Another meterpreter injection technique using C# that attempts to bypass Defender - Module Stomping, No New Thread, HellsGate syscaller, UUID Dropper for x64 Windows 10! - Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used - Complete Arsenal of Memory injection and other techniques for red-teaming in Windows - Injects shellcode into remote processes using direct syscalls - A collection of weird ways to execute unmanaged code in .NET - Evasive shellcode loader for bypassing event-based injection detection (PoC) - A protective and Low Level Shellcode Loader that defeats modern EDR systems. - C++ Injection techniques - - POCs for Shellcode Injection via Callbacks - PoC for UUID shellcode execution using DInvoke - Alternative Shellcode Execution Via Callbacks - NativePayload_CallBackTechniques C# Codes (Code Execution via Callback Functions Technique, without CreateThread Native API) - CallBack-Techniques for Shellcode execution ported to Nim

Loader / Packer / Injectors - Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs (hash) - Reflective PE packer. - Suite of Shellcode Running Utilities - Open-Source PE Packer - This project describes a technique how a NATIVE dynamic link library (DLL) can be loaded from memory (In C#) without storing it on the hard-disk first. - C# Reflective loader for unmanaged binaries.

EDR Evasion - Logging Evasion - A method of bypassing EDR's active projection DLL's by preventing entry point execution - Evade sysmon and windows event logging - C# Implementation of the Hell's Gate VX Technique - Original C Implementation of the Hell's Gate VX Technique - C++ Version of Invoke-Phantom - C# version of Invoke-Phantom - .Net Assembly to block ETW telemetry in current process - A Bind Shell Using the Fax Service and a DLL Hijack - Protected Process (Light) Dump: Uses Zemana AntiMalware Engine To Open a Privileged Handle to a PP/PPL Process And Inject MiniDumpWriteDump() Shellcode - This is a tool that allows you to offensively use YARA to apply a filter to the events being reported by windows event logging. - Extracting Syscall Stub, Modernized - Hiding your process in ProcessHacker,Task Manager,etc by patching NtQuerySystemInformation - LoadLibrary for offensive operations - Same but with LLVM support - An implementation of a Windows loader that can load dynamic-linked libraries (DLLs) directly from memory - A tool to kill antimalware protected processes - Tool to bypass LSA Protection (aka Protected Process Light) - get NTDLL copy from suspended process - A way to delete a locked file, or current running executable, on disk. - C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs - Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process. - A centralized resource for previously documented WDAC bypass techniques - An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents - Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts. - A shellcode function to encrypt a running process image when sleeping. - some gadgets about windows process and ready to use :) - A memory scanning evasion technique - Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL. - A more stealthy variant of "DLL hollowing" - Phantom DLL hollowing PoC - Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging - C# Based Universal API Unhooker - UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware - PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021) - OffensivePH - use old Process Hacker driver to bypass several user-mode access controls - A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors. - A manual system call library that supports functions from both ntdll.dll and win32u.dll - Resolve syscall numbers at runtime for all Windows versions. - Enumerating and removing kernel callbacks using signed vulnerable drivers - Enumerate and disable common sources of telemetry used by AV/EDR. - Dynamically invoke arbitrary unmanaged code from managed code without PInvoke. - I used this to see if an EDR is running in Safe Mode - DoppelGate relies on reading ntdll on disk to grab syscall stubs, and patches these syscall stubs into desired functions to bypass Userland Hooking.

Useful Binary Modification tools


External Penetration Testing

Domain Finding / Subdomain Enumeration + Scanner - more like an audit - 💗

File Search / Metadata extraction

Scanner - The Swiss Army knife for automated Web Application Testing

Email Gathering - Find Emails of Github Users - super fast emails via google/bing linkedin dorks - A simple email generator that uses dorks on Bing to generate emails from LinkedIn Profiles.

Check Email Accounts - allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.

Domain Auth + Exploitation - Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1, or login page. - A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. - Tool to enumerate information from NTLM authentication enabled web endpoints - rotate IP Adresses over AWS - Combine with MSOLSpray - office 365 recon - lockout Time integrated - Lync Credential Finder - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient - Lync Credential Finder - Use to browse the share file by eas(Exchange Server ActiveSync) - PEAS is a Python 2 library and command line application for running commands on an ActiveSync server e.g. Microsoft Exchange. - Modified version of PEAS client for offensive operations - - A C# tool to send emails through Outlook from the command line or in memory - Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb - A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks. - onedrive user enumeration - pentest tool to enumerate valid onedrive users - Brute force attack tool for Azure AD Autologon/Seamless SSO - Source: - POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln - Password attacks and MFA validation against various endpoints in Azure and Office 365 - User enumeration with Microsoft Teams API - Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling

Exchange RCE-exploits - Exchange2010 authorized RCE - OWA Deserialisation RCE

MobileIron RCE

Specific Service Scanning / Exploitation

Login Brute Force + Wordlist attacks - Brute force non hydra compliant services - RDP, VNC, OpenVPN - Brute Force various services - 😎 - Crack any Microsoft Windows users password without any privilege (Guest account included) - RDP Password Spray - No Event Logs - Python3 tool to perform password spraying using RDP


Open X11

Printers - Automation for PRET




SMB Null Session Exploitation

iLO Exploitation

vmware vCenter Exploits - Exploit for CVE-2020-3952 in vCenter 6.7

Intel AMT Exploitation

SAP Exploitation

FPM port

Found Port 9001 open? Try that: - bash poc scripts to exploit open fpm ports

Weblogic Exploitation - scan/test for nearly all weblogic vulns - WEblogic Server Tests - cve-2019-2725

Sharepoint exploitation - Sharepoint Fingerprint + Exploitation

JIRA - One stop place for exploiting Jira instances in your proximity

Sonicwall VPN

VSphere VCenter - .NET Project for Attacking vCenter


Confluence Exploit - Confluence Server Webwork OGNL injection

Telerik UI for ASP.NET AJAX Exploit

General Recon

Solarwinds - SolarWinds Orion Account Audit / Password Dumping Utility

Command & Control Frameworks - Command and Control Framework written in C#. - Empire with embedded AMSI-Bypass - C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant. - Source for tasks I have used with Covenant - Implant framework - A post exploitation framework designed to operate covertly on heavily monitored environments - Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits. - Open-Source Remote Administration Tool For Windows C# (RAT) - Small and convenient C2 tool for Windows targets - Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.

Mythic Agents

VBA - This repository is a collection of my malicious VBA projects. - Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode. - AMSI Bypass Via the Heap - This repo covers some code execution and AV Evasion methods for Macros in Office documents

Rust - Dynamically invoke arbitrary unmanaged code. - Rust Weaponization for Red Team Engagements.

Go - Golang PE injection on windows

Cobalt Strike Stuff - My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+ - Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel - Dumping SAM / SECURITY / SYSTEM registry hives with a Beacon Object File - A Cobalt Strike Aggressor script to generate GadgetToJScript payloads - Various Cobalt Strike BOFs - A BOF port of the research of @thefLinkk and @codewhitesec - Situational Awareness commands implemented using Beacon Object Files - InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module - BOF implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs - A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF. - Cobalt Strike User-Defined Reflective Loader written in Assembly & C for advanced evasion capabilities. - Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon - SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion. - Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing. - Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly - Read the contents of DOCX files using Cobalt Strike's Execute-Assembly - Project to enumerate proxy configurations and generate shellcode from CobaltStrike - Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation - Remove API hooks from a Beacon process. - Collection of Beacon Object Files - Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)


Linux MacOSX Specific

Wifi Tools - Powerful framework for rogue access point attack.

Android / Nethunter

NAT Slipstreaming - NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by the victim visiting a website

Raspberri PI Exploitation

Physical Security / HID/ETH Emulator - PCI-based DMA - PCI based DMA - Teensy Payloads

Social Engeneering - lookup valid phishing-Domains - lookup valid phishing-Domains - Change SMB Files on the fly - Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Real-Time Alerting!

Defender Guides / Tools / Incident Response / Blue Team - Hunts out CobaltStrike beacons and logs operator command output - Detect and respond to Cobalt Strike beacons using ETW. - Detect AMSI.dll in memory patch - Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment. - Credential and Red Teaming Defense for Windows Environments - powershell obfuscation detection - Lists of .NET Deobfuscator and Unpacker (Open Source) - python exe decompile - .NET Revoke-Obfuscation - ids - Investigate malicious Windows logon by visualizing and analyzing Windows event log - AD Passwort Blacklisting - Powershell DE-Obfuscation - A tool for de-obfuscating PowerShell scripts - Identifies the bytes that Microsoft Defender flags on. - Identifies the bytes that Microsoft Defender / AMSI Consumer flags on. - Tool written in python3 to determine where the AV signature is located in a binary/payload - An Active Defense and EDR software to empower Blue Teams - Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). - AD Security Intrusion Detection System - Small and highly portable detection tests based on MITRE's ATT&CK. - ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc. - Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration! - PSGumshoe is a Windows PowerShell module for the collection of OS and domain artifacts for the purposes of performing live response, hunt, and forensics. - FalconEye is a windows endpoint detection software for real-time process injections. It is a kernel-mode driver that aims to catch process injections as they are happening (real-time). Since FalconEye runs in kernel mode, it provides a stronger and reliable defense against process injection techniques that try to evade various user-mode hooks.

Wordlists / Wordlist generators - A collection of all the data i could extract from 1 billion leaked credentials from internet.

AD Lab Environment - Create a vulnerable active directory that's allowing you to test most of the active directory attacks in a local lab - Automate the creation of a lab environment complete with security tooling and logging best practices

Obfuscation - GO Obfuscator - Lists of .NET Obfuscator (Free, Trial, Paid and Open Source ) - Javascript Obfuscator - Powershell Obfuscator - .NET IL Obfuscator - C/C++ source obfuscator for antivirus bypass - GIMPLE obfuscator for C, C++, Go, ... all supported GCC targets and front-ends that use GIMPLE. - VBS Obfuscator - Shellcode Obfuscator - Shellcode Encoder - Obfuscate Go builds - heavily vectorized c++17 compile time string encryption. - A more advanced free and open .NET obfuscator using dnlib. - PowerShell Script Obfuscator - Proof-of-concept obfuscation toolkit for C# post-exploitation tools - YouTube/Livestream project for obfuscating C# source code using Roslyn - Simple & Powerful PowerShell Script Obfuscator - A better version of Xencrypt.Xencrypt it self is a Powershell runtime crypter designed to evade AVs. - C obfuscator - NIM llvm obfuscator

Hash Crack / Decryption - Ciphey is an automated decryption tool. Input encrypted text, get the decrypted text back. - A mostly-serverless distributed hash cracking platform - Cracking hashes in the Cloud (for free!) - CrackQ: A Python Hashcat cracking queue system

Source Code / Binary Analysis

Binary Analysis

Source Code Analysis - Javascript - Javascript - PHP - Audit tool to find common vulnerabilities in PHP source code

Nim - Nim implementation of Process Hollowing using syscalls (PoC) - Malicious PDF Generator - A tiny library to automatically encrypt string literals in Nim code - RDI implementation in Nim - A collection of offensive Nim example code - SMBExec implementation in Nim - SMBv2 using NTLM Authentication with Pass-The-Hash technique - Nim Socks5 library

MISC - Azure JWT Token Manipulation Toolset - A little tool to convert ccache tickets into kirbi (KRB-CRED) and vice versa based on impacket. - Drupal Exploit - SAMBA Exploit - Reverse Shell Oneliner / Payload Generation - Reverse/Bind Shell Generator - check if a user is valid in a domain - Living of the Land Binaries - Windows Denial of Service Exploit - Windows Denial of Service Exploit PDF Steal NTLMv2 Hash Exploit - CVE-2018-4993 - 💥 🔥 💥 - LibSSH Authentication Bypass vuln. - windows Privesc Exploit - OSINT - Deserialisation Exploits - S3 bucket tester - Zone transfer like for internal assessment - Get-ShellContent.ps1 get the typed content for all open shells - windows CTF Exploitation - Apache Privilege Escalation - Windows Elevation(持续更新) - Execute python from powershell - Recovers passwords from pixelized screenshots - This is a tool suite consisting of miscellaneous offensive tooling aimed at red teamers/penetration testers to primarily aid in Defense Evasion TA0005 - Utility to find AES keys in running processes - Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines. - A C# port of the MinHook API hooking library - This repo contains information about EDRs that can be useful during red team exercise.

Big-IP Exploitation

Azure Cloud Tools - The Azure AD exploration framework. - Find exposed data in Azure with this public blob scanner

Anonymous / Tor Projects

Exploit Search

Industrial Control Systems -

Network access control bypass


JMX Exploitation - JMX enumeration and attacking tool. - Mogwai Java Management Extensions (JMX) Exploitation Toolkit

Citrix Netscaler Pwn

mikrotik pwn - Fast exploitation tool for Mikrotik RouterOS up to 6.38.4

Red Team infrastructure setup - terraform cloud c2 redirector setup - Red Teaming Infrastructure Automation based on Red-Baron - This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls. - Domain Borrowing is a new method to hide C2 traffic using CDN. It was first presented at Blackhat Asia 2021 by Junyu Zhou and Tianze Ding. - Domain Borrowing PoC


Redis Exploitation


  • scanner/redis/file_upload

  • exploit/linux/redis/redis_replication_cmd_exec

Windows Targets - Webshell upload

redis-cli -h targethost -p targetport
config set dir C:\inetpub\wwwroot\
config set dbfilename shell.aspx
set test "Webshell content"

Apache Tomcat Exploitation - Apache Tomcat auto WAR deployment & pwning penetration testing tool. - AJP Exploit CVE-2020-1938

SSRF Exploitation

LFI exploitation

MondoDB Redis Couchdb Exploitation - NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.


Elasticsearch / Kibana Exploitation

RMI attacks - RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities

JSON Web Token Analysis / Exploitation

Docker Exploitation - automation of Docker TCP socket abuse - Docker API exposed RCE

PHP exploits - nginx + php misconfiguration

Cloud attack tools

Bluetooth / low energy

Wireless / Radio Exploitation

APT / Malware Emulation / Defense Check

Hash Crack / Lookup

OSCP Lists / tools / help

ASPX Webshells

PHP Webshells - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner - A PHP backdoor management and generation tool/C2 featuring end to end encrypted payload streaming designed to bypass WAF, IDS, SIEM systems.

JSP WebShells

Other Tool-Lists / Cheat Sheets - List of Hooking DLLs for different AV vendors - Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.