Red Team Cheatsheet
RedTeam-Tools
This GitHub repository contains a collection of 130+ tools and resources that can be useful for red teaming activities.
Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.
🔗 If you are a Blue Teamer, check out BlueTeam-Tools
Warning
The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.
Note
Hide Tool List headings with the arrow.
Click 🔙 to get back to the list.
Tool List
Red Team Tips
Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.
Note: Nearly all tips are currently from @Alh4zr3d, he posts good Red Team Tips!
🔙Hiding the local admin account
Description: 'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'
Credit: @Alh4zr3d
Link: Twitter
🔙Cripple Windows Defender by deleting signatures
Description: 'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'
Credit: @Alh4zr3d
Link: Twitter
🔙Enable multiple RDP sessions per user
Description: 'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'
Credit: @Alh4zr3d
Link: Twitter
🔙Sysinternals PsExec.exe local alternative
Description: 'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
🔙Live off the land port scanner
Description: 'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'
Credit: @Alh4zr3d
Link: Twitter
🔙Proxy aware PowerShell DownloadString
Description: 'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'
Credit: @Alh4zr3d
Link: Twitter
🔙Looking for internal endpoints in browser bookmarks
Description: 'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'
Credit: @Alh4zr3d
Link: Twitter
🔙Query DNS records for enumeration
Description: 'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'
Credit: @Alh4zr3d
Link: Twitter
🔙Unquoted service paths without PowerUp
Description: 'Finding unquoted service paths without PowerUp'
Credit: @Alh4zr3d
Link: Twitter
🔙Bypass a disabled command prompt with /k
Description: 'This command prompt has been disabled by your administrator...' is commonly seen in environments such as kiosk PCs. A quick, hacky workaround is to use /k via the Windows Run box: this carries out the command and then shows the restriction message, allowing for command execution.
Credit: Martin Sohn Christensen
Link: Blog
🔙Stop Windows Defender deleting mimikatz.exe
Description: 'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
🔙Check if you are in a virtual machine
Description: 'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'
Credit: @dmcxblue
Link: Twitter
🔙Enumerate AppLocker rules
Description: 'AppLocker can be a pain. Enumerate to see how painful'
Credit: @Alh4zr3d
Link: Twitter
🔙CMD shortcut with 6 pixels via mspaint
Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
Zoom in to make the following tasks easier
Using the colour picker, set pixels values to (from left to right):
1st: R: 10, G: 0, B: 0
2nd: R: 13, G: 10, B: 13
3rd: R: 100, G: 109, B: 99
4th: R: 120, G: 101, B: 46
5th: R: 0, G: 0, B: 101
6th: R: 0, G: 0, B: 0
Save it as 24-bit Bitmap (.bmp;.dib)
Change its extension from bmp to bat and run.
Description: 'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'
Credit: PenTestPartners
Link: Blog
🔙Link spoofing with PreventDefault JavaScript method
Description: Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the preventDefault JavaScript method you can spoof the hover link to display a legitimate link (google.com), but once clicked the victim is redirected to your malicious link (bing.com). Great for getting victims to download payloads via a controlled site.
Link: PreventDefault Docs
🔙Check SMB firewall rules with Responder
Description: 'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$". If Responder could capture the hash, the firewall allows outgoing SMB connections'
Credit: @malmoeb
Link: Twitter
🔙Disable AV with SysInternals PsSuspend
Description: Using the Microsoft Sysinternals tool PsSuspend.exe it is possible to suspend some AV service executables. The Microsoft-signed tool can be passed the PID or name of a running service, and it suspends the process via the NtSuspendProcess Windows API.
Related Blog Post: Bypassing AV via Process Suspension with PsSuspend.exe
Link: Twitter
Reconnaissance
🔙crt.sh -> httprobe -> EyeWitness
I have put together a bash one-liner that:
Passively collects a list of subdomains from certificate associations (crt.sh)
Actively requests each subdomain to verify its existence (httprobe)
Actively screenshots each subdomain for manual review (EyeWitness)
Usage:
Note: You must have httprobe, pup and EyeWitness installed and change 'DOMAIN_COM' to the target domain. You are able to run this script concurrently in terminal windows if you have multiple target root domains
A JavaScript bookmarklet for extracting all webpage endpoint links on a page.
Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.
Usage (Bookmarklet)
Create a bookmarklet...
Right click your bookmark bar
Click 'Add Page'
Paste the above Javascript in the 'url' box
Click 'Save'
...then visit the victim page in the browser and click the bookmarklet.
Usage (Console)
Paste the above JavaScript into the console window (F12) and press Enter.
Fast vulnerability scanner that uses .yaml templates to search for specific issues.
Install:
Usage:
certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.
You can set this running with several keywords relating to your victim domain; any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.
Install:
Usage:
Nice tool for brute forcing file/folder paths on a victim website.
Install:
Usage:
A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.
Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc.
Install: (Kali)
Install: (Mac)
Install: (Windows)
For full installation instructions see here.
Usage:
Full usage examples can be found here.
Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
Features:
Cloud detection (IPINFO API and Source Code)
Fast (concurrent)
Cross Platform (windows, linux, mac)
User-Agent Randomization
Proxy Randomization (HTTP, Socks5)
Install:
Download the latest release for your system and follow the usage.
Usage:
Image used from https://github.com/0xsha/CloudBrute
dnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.
Install:
Usage:
Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name or IP address, it is possible to discover potentially vulnerable systems relating to your target via Shodan.
🔙AORT
Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.
Install:
Usage:
A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.
Domains are spoofable if any of the following conditions are met:
Lack of an SPF or DMARC record
SPF record never specifies ~all or -all
DMARC policy is set to p=none or is nonexistent
Install:
Usage:
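The three conditions above can be checked mechanically against a domain's TXT records. The following Python is an added example (not spoofcheck's code and not part of this repository) that parses constructed SPF and DMARC strings and reports which conditions hold, plus the rua/ruf reporting addresses the tool alerts on; a real check would first fetch the TXT records for the domain and for _dmarc.<domain>.

```python
"""Added example: classify SPF/DMARC posture using the three spoofability
conditions listed above. Records are constructed strings; no DNS lookups."""
import re

# Constructed sample records (made-up data, not any real domain's records).
HARDENED_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
HARDENED_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.net"
WEAK_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net"  # no 'all' term
WEAK_DMARC = "v=DMARC1; p=none; ruf=mailto:forensics@example.net"


def spf_all_qualifier(spf):
    """Return the qualifier of the SPF 'all' mechanism: '-', '~', '?' or '+'
    (an unqualified 'all' means '+'). None if the record has no 'all' term
    or is not an SPF record at all."""
    if not spf or not spf.lower().startswith("v=spf1"):
        return None
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([-~?+]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"
    return None


def dmarc_tags(dmarc):
    """Parse 'k=v; k=v' DMARC tags into a dict with lower-cased keys.
    Returns {} when the string is not a DMARC1 record."""
    tags = {}
    for part in (dmarc or "").split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return {}
    return tags


def assess(spf, dmarc):
    """Apply the conditions: missing SPF/DMARC, SPF without ~all/-all,
    DMARC p=none. Returns the findings (any one makes the domain spoofable)
    and notes about reporting addresses that receive SPF/DKIM failure reports."""
    findings, notes = [], []

    if spf is None:
        findings.append("no SPF record")
    elif spf_all_qualifier(spf) not in ("-", "~"):
        # '?all', '+all' or no 'all' term at all: SPF never fails a sender
        findings.append("SPF record never specifies ~all or -all")

    tags = dmarc_tags(dmarc)
    if not tags:
        findings.append("no DMARC record")
    elif tags.get("p", "none").lower() == "none":
        findings.append("DMARC policy is p=none")
    for tag in ("rua", "ruf"):
        if tag in tags:
            notes.append(f"DMARC {tag} reporting sends failure reports to {tags[tag]}")

    return {"spoofable": bool(findings), "findings": findings, "notes": notes}


if __name__ == "__main__":
    for label, spf, dmarc in (("hardened", HARDENED_SPF, HARDENED_DMARC),
                              ("weak", WEAK_SPF, WEAK_DMARC)):
        print(label, assess(spf, dmarc))
```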
AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.
Install:
Usage:
Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.
Install:
Usage:
TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.
Install (Binaries): Link
Install (Go):
Usage:
Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.
Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.
Install:
Dismap is a binary file for Linux, MacOS, and Windows. Go to Release to download the corresponding version to run:
Usage:
Image used from https://github.com/zhzyker/dismap
A tool for enumerating information from Windows and Samba systems.
It can be used to gather a wide range of information, including:
Domain and domain controller information
Local user and group information
Shares and share permissions
Security policies
Active Directory information
Install: (Apt)
Install: (Git)
Usage:
Full usage information can be found in this blog.
Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/
Dangerously fast DNS/network/port scanner, created by Esc4iCEscEsc, written in Rust.
You will need a subdomains file. E.g. Subdomain wordlist by Sublist3r.
Install:
Download the latest release from here.
Usage:
Image used from https://github.com/Esc4iCEscEsc/skanuvaty
Metabigor is an intelligence tool whose goal is to do OSINT tasks and more, without any API key.
Main Features:
Searching information about IP Address, ASN and Organization.
Wrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR ranges.
Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).
Get a summary about an IP address (powered by @thebl4ckturtle)
Install:
Usage:
Image used from https://github.com/j3ssie/metabigor
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
The findings will be presented through a web interface for easy browsing and analysis.
Note: Gitrob will need a Github access token in order to interact with the Github API. Create a personal access token and save it in an environment variable in your .bashrc or similar shell configuration file:
Install: (Go)
Install: (Binary)
A precompiled version is available for each release.
Usage:
Image used from https://www.uedbox.com/post/58828/
Gowitness is a website screenshot utility written in Golang that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS are supported, with Windows support mostly working.
Install: (Go)
Full installation information can be found here.
Usage:
Full usage information can be found here.
Image used from https://github.com/sensepost/gowitness
Resource Development
Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1 scripts known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
Install:
Usage:
Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.
Set Up Listener
Msfvenom Commands
PHP:
Windows:
Linux:
Java:
HTA:
Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).
Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.
Full README information can be found here.
Install: (Kali)
Install: (Windows)
Visit the download page and install.
Usage:
Just pick a legit binary to backdoor and run Shellter.
Some nice tips can be found here.
Lots of community usage demos can be found here.
Image used from https://www.kali.org/tools/shellter/images/shellter.png
Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.
Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
Install:
Usage:
Image used from https://www.blackhatethicalhacking.com/tools/freeze/
This script will create a Microsoft Word document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.
Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.
Install:
Usage:
Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/
This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.
It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.
When developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.
Usage:
Visit http://undocumented.ntinternals.net/
Image used from http://undocumented.ntinternals.net/
This technical note provides a comprehensive list of all the APIs exported by the Windows kernel that driver writers can use to register callback routines, which are invoked by kernel components under various circumstances.
Most of these routines are documented in the Windows Driver Kit (WDK) but some of them are for use by in-box drivers.
The undocumented functions are described briefly whereas the documented ones are just listed here for reference.
Usage:
Visit https://codemachine.com/articles/kernel_callback_functions.html
Image used from https://codemachine.com
A collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via office macros.
Usage:
Visit https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo
Image used from https://github.com/S3cur3Th1sSh1t
🔙WSH
Creating payload:
Execute:
🔙HTA
Creating payload:
Execute: Run file
🔙VBA
Creating payload:
Execute: Set function to Auto_Open() in macro enabled document
Initial Access
The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.
hackinglab: Bash Bunny – Guide
evilginx2 + gophish. Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. evilginx2 is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.
Install:
Usage:
This framework is great for creating campaigns for initial access, 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.
Install:
Usage:
Nice tool for logon brute force attacks. Can brute-force a number of services including SSH, FTP, TELNET, HTTP etc.
Install:
Usage:
SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See PhishInSuits for more about OAuth Device Code flow for phishing attacks).
Attack Steps:
Send malicious QR code to victim
Victim scans QR code with mobile device
Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)
Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)
Attacker polls for authentication
Victim enters code into legit Microsoft website
Attacker saves authentication token
Install:
Note: Before using either module, update the required information in the settings.config file noted with Required.
Usage (Email Module):
Usage (Server Module):
King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.
It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.
Install (Linux - Client & Server):
Usage:
Once King Phisher has been installed please follow the wiki page to setup SSH, Database config, SMTP server etc.
Execution
Responder is a tool for poisoning the LLMNR and NBT-NS protocols on a network, to allow for credential capture and arbitrary code execution.
The LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. If a hostname cannot be resolved using these protocols, the system will broadcast a request for the hostname to the local network.
Responder listens for these broadcasts and responds with a fake IP address, tricking the requesting system into sending its credentials to the attacker.
Install:
Usage:
Full usage information can be found here.
Image used from https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/
A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.
It does this by interacting with the Security Account Manager (SAM) database on the system and extracting the hashed passwords and other information, such as:
Password hashes for local accounts
Kerberos tickets and keys
LSA Secrets
Install:
Usage:
Image used from https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy
Evil-WinRM is a tool that provides a command line interface for Windows Remote Management (WinRM: A service that allows administrators to remotely execute commands on a Windows machine).
Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.
Some features include:
Loading PowerShell scripts in memory
Loading DLL files in memory, bypassing some AVs
Loading x64 payloads
Pass-the-hash support
Uploading and downloading local and remote files
Install: (Git)
Install: (Ruby gem)
Alternative installation instructions can be found here.
Usage:
Full usage documentation can be found here.
Image used from https://korbinian-spielvogel.de/posts/heist-writeup/
A tool for in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It can be used to load and run custom payloads on target systems without the need to drop files to disk.
Install: (Windows)
To generate the loader template, the dynamic library donut.dll, the static library donut.lib and the generator donut.exe, start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:
To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:
Install: (Linux)
Usage:
For full usage information, see the donut GitHub Page.
See a recent blog post from The Wover for more info.
A tool used to automate the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.
Install: (Binary)
Get the latest binary from https://github.com/sevagas/macro_pack/releases/
Download the binary on a PC with genuine Microsoft Office installed.
Open a console, cd to the binary directory and call the binary.
Install: (Git)
Usage:
A collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.
Some of the features of PowerSploit:
Dump password hashes and extract clear-text passwords from memory
Escalate privileges and bypass security controls
Execute arbitrary PowerShell code and bypass execution restrictions
Perform network reconnaissance and discovery
Generate payloads and execute exploits
Install: 1. Save to PowerShell modules folder
First you will need to download the PowerSploit Folder and save it to your PowerShell modules folder.
Your PowerShell modules folder path can be found with the following command:
Install: 2. Install PowerSploit as a PowerShell module
You will then need to install the PowerSploit module (use the name of the downloaded folder).
Note: Your PowerShell execution policy might block you; to fix this, run the following command.
Now you can install the PowerSploit module.
Usage:
A tool that can be used to perform various actions related to Microsoft Active Directory (AD) environments, such as dumping password hashes, creating/deleting users, and modifying user properties.
Some of the features of Rubeus:
Kerberoasting
Golden ticket attacks
Silver ticket attacks
Install: (Download)
You can install the unofficial pre-compiled Rubeus binary here.
Install: (Compile)
Rubeus is compatible with Visual Studio 2019 Community Edition. Open the rubeus project .sln, choose "Release", and build.
Usage:
A nice tool for checking a victim's endpoint for vulnerabilities relating to high integrity processes, groups, hijackable paths, etc.
Install: (Download)
You can install the unofficial pre-compiled SharpUp binary here.
Install: (Compile)
SharpUp is compatible with Visual Studio 2015 Community Edition. Open the SharpUp project .sln, choose "Release", and build.
Usage:
MS-SQL (Microsoft SQL Server) is a relational database management system developed and marketed by Microsoft.
This C# MS-SQL toolkit is designed for offensive reconnaissance and post-exploitation. For detailed usage information on each technique, refer to the wiki.
Install: (Binary)
You can download the latest binary release from here.
Usage:
Full usage information can be found on the wiki.
Tool module usage information can be found here.
Image used from SQLRecon help page
This resource is a collection of the most common and known techniques to bypass AppLocker.
Since AppLocker can be configured in different ways, @api0cradle maintains a verified list of bypasses (that work against the default AppLocker rules) and a list of possible bypass techniques (depending on configuration) or techniques claimed to be a bypass by someone.
They also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs.
Indexed Lists
Image used from https://github.com/api0cradle/UltimateAppLockerByPassList
A JavaScript and VBScript based Empire launcher, which runs within its own embedded PowerShell host.
Both launchers run within their own embedded PowerShell host, so we don't need PowerShell.exe.
This might be useful when a company is blocking PowerShell.exe and/or is using an application whitelisting solution, but does not block running JS/VBS files.
Usage:
Set up a new listener within PowerShell Empire
Use the Launcher command to Generate a PowerShell launcher for this listener
Copy and Replace the Base64 encoded Launcher Payload within the StarFighter JavaScript or VBScript file
For the JavaScript version use the following Variable:
For the VBScript version use the following Variable:
Then run wscript.exe StarFighter.js or StarFighter.vbs on the target, or double-click the launchers within Explorer.
Image used from https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html
The aim of this project is to generate .html files that contain an encrypted HTA file.
The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.
This is an evasion technique to get around content / file-type inspection implemented by some security appliances.
Further technical information here.
Install:
Usage:
Image used from https://github.com/nccgroup/demiguise
PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.
There is zero reason to ever run PowerZure on a victim’s machine. Authentication is done by using an existing accesstoken.json file or by logging in via prompt when logging into Azure, meaning you can safely use PowerZure to interact with a victim’s cloud instance from your operating machine.
Install:
Usage:
Blog - Attacking Azure, Azure AD, and Introducing PowerZure
Image used from https://hakin9.org
Persistence
Impacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks such as dumping password hashes and creating network shares.
It also includes a number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.
Install:
Install: (With Example Scripts)
Download and extract the package, then navigate to the install folder and run...
Usage:
Great cheat sheet for Impacket usage.
Empire is a post-exploitation framework that allows you to generate payloads for establishing remote connections with victim systems.
Once a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.
Empire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.
Install:
Usage:
Nice usage cheat sheet by HarmJoy.
A Windows persistence toolkit written in C#.
The project has a wiki.
Install: (Binary)
You can find the most recent release here.
Install: (Compile)
Download the project files from the GitHub Repo.
Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
Go to "NuGet Package Manager" --> "Package Sources"
Add a package source with the URL "https://api.nuget.org/v3/index.json"
Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.
Install-Package Costura.Fody -Version 3.3.3
Install the TaskScheduler package
Install-Package TaskScheduler -Version 2.8.11
You can now build the project yourself!
Usage:
A full list of usage examples can be found here.
Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need for SOCKS).
Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using Gvisor.
When running the relay/proxy server, a tun interface is used, packets sent to this interface are translated, and then transmitted to the agent remote network.
Install: (Download)
Precompiled binaries (Windows/Linux/macOS) are available on the Release page.
Install: (Build)
Building ligolo-ng (Go >= 1.17 is required):
Setup: (Linux)
Setup: (Windows)
You need to download the Wintun driver (used by WireGuard) and place the wintun.dll in the same folder as Ligolo (make sure you use the right architecture).
Setup: (Proxy server)
Usage:
Start the agent on your target (victim) computer (no privileges are required!):
A session should appear on the proxy server.
Use the session command to select the agent.
Full usage information can be found here.
Image used from https://github.com/nicocha30/ligolo-ng#demo
Privilege Escalation
LinPEAS is a nice verbose privilege escalation script for finding local privesc routes on Linux endpoints.
Install + Usage:
WinPEAS is a nice verbose privilege escalation script for finding local privesc routes on Windows endpoints.
Install + Usage:
Linux smart enumeration is another good, less verbose privesc tool for Linux.
Install + Usage:
Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).
Certify is designed to be used in conjunction with other red team tools and techniques, such as Mimikatz and PowerShell, to enable red teamers to perform various types of attacks, including man-in-the-middle attacks, impersonation attacks, and privilege escalation attacks.
Key features of Certify:
Certificate creation
Certificate signing
Certificate import
Certificate trust modification
Install: (Compile)
Certify is compatible with Visual Studio 2019 Community Edition. Open the Certify project .sln, choose "Release", and build.
Install: (Running Certify Through PowerShell)
If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:
Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):
The Main() method and any arguments can then be invoked as follows:
Full compile instructions can be found here.
Usage:
Full example walkthrough can be found here.
Get-GPPPassword is a PowerShell script from the PowerSploit toolkit, designed to retrieve passwords for local accounts that are created and managed using Group Policy Preferences (GPP).
Get-GPPPassword works by searching the SYSVOL folder on the domain controller for any GPP files that contain password information. Once it finds these files, it decrypts the password information and displays it to the user.
Install:
Follow the PowerSploit installation instructions from this tool sheet.
Usage:
Sherlock is a PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
Supports:
MS10-015 : User Mode to Ring (KiTrap0D)
MS10-092 : Task Scheduler
MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
MS13-081 : TrackPopupMenuEx Win32k NULL Page
MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
MS15-051 : ClientCopyImage Win32k
MS15-078 : Font Driver Buffer Overflow
MS16-016 : 'mrxdav.sys' WebDAV
MS16-032 : Secondary Logon Handle
MS16-034 : Windows Kernel-Mode Drivers EoP
MS16-135 : Win32k Elevation of Privilege
CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc
Install: (PowerShell)
Usage: (PowerShell)
Image used from https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/
Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.
Great for identifying missing patches and suggesting exploits for known vulnerabilities that could be used to gain higher privileges on the system.
Install:
Using Visual Studio 2019 Community Edition, open the Watson project .sln, choose "Release", and build.
Usage:
Image text used from https://github.com/rasta-mouse/Watson#usage
ImpulsiveDLLHijack is a C#-based tool that automates the process of discovering and exploiting DLL hijacks in target binaries.
The discovered hijack paths can be weaponized during an engagement to evade EDRs.
Install:
Procmon.exe -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
Custom Confirmatory DLLs:
These are DLL files that let the tool confirm whether the DLLs are successfully loaded from the identified hijack path.
Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)
32Bit dll name should be: maldll32.dll
64Bit dll name should be: maldll64.dll
Install NuGet Package: PeNet -> https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project)
Note: the Procmon.exe and Confirmatory DLL prerequisites should be placed in the ImpulsiveDLLHijack.exe's directory itself.
Build and Setup Information:
ImpulsiveDLLHijack
Clone the repository in Visual Studio
Once the project is loaded in Visual Studio, go to "Project" --> "Manage NuGet packages" --> browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/
Build the project!
The ImpulsiveDLLHijack.exe will be inside the bin directory.
And for the Confirmatory DLLs:
Clone the repository in Visual Studio
Build the project with x86 and x64
Rename x86 release as maldll32.dll and x64 release as maldll64.dll
Setup: Copy the Confirmatory DLLs (maldll32 & maldll64) into the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))
Install instructions from https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites
Usage:
Usage examples can be found here.
Image used from https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples
ADFSDump is a C# tool to dump all sorts of goodies from AD FS.
Created by Doug Bienstock @doughsec while at Mandiant FireEye.
This tool is designed to be run in conjunction with ADFSpoof. ADFSdump will output all of the information needed in order to generate security tokens using ADFSpoof.
Requirements:
ADFSDump must be run under the user context of the AD FS service account. You can get this information by running a process listing on the AD FS server or from the output of the Get-ADFSProperties cmdlet. Only the AD FS service account has the permissions needed to access the configuration database. Not even a DA can access this.
ADFSDump assumes that the service is configured to use the Windows Internal Database (WID). Although it would be trivial to support an external SQL server, this feature does not exist right now.
ADFSDump must be run locally on an AD FS server, NOT an AD FS web application proxy. The WID can only be accessed locally via a named pipe.
Install: (Compile)
ADFSDump was built against .NET 4.5 with Visual Studio 2017 Community Edition. Simply open up the project .sln, choose "Release", and build.
Usage: (Flags)