Red Teaming / Adversary Simulation Toolkit
This list covers open source and commercial tools suited to the different stages of a penetration test or red team engagement, from reconnaissance through exfiltration. If you would like to contribute to this list, you are welcome to send me a pull request.
GitHub: github.com/Snowming04
Contents
- Reconnaissance
- Weaponization
- Delivery
- Command and Control
- Lateral Movement
- Establish Foothold
- Escalate Privileges
- Data Exfiltration
- Misc
- References
Reconnaissance
Active Intelligence Gathering
- EyeWitness takes screenshots of websites, records some server header information and identifies default credentials where possible. Github.com/ChrisTrunce…
- AWSBucketDump is an AWS S3 security scanning tool that lets you quickly enumerate AWS S3 buckets to look for interesting or confidential files. https://github.com/jordanpotti/AWSBucketDump
- AQUATONE is a subdomain discovery and probing tool. https://github.com/michenriksen/aquatone
- spoofcheck checks whether a domain can be spoofed. It inspects the domain's SPF and DMARC records for weak configurations (such as a missing or permissive "all" mechanism, or a DMARC policy of p=none) that allow mail to be sent in the domain's name. https://github.com/BishopFox/spoofcheck
- Nmap is used to discover hosts and services on a computer network, building a "map" of the network. https://github.com/nmap/nmap
- dnsrecon is a DNS enumeration script. https://github.com/darkoperator/dnsrecon
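The SPF/DMARC weakness check that spoofcheck performs, written out as an added example (this is not spoofcheck's own code). Instead of querying DNS it takes the TXT record strings as input, so the decision logic runs offline against the constructed records at the bottom; the example.com records and the exact wording of the findings are assumptions for illustration.

```python
"""Offline SPF/DMARC weakness check in the spirit of spoofcheck.

This is an added example, not spoofcheck's own code. Rather than querying
DNS it takes the TXT record strings as input, so the decision logic can be
exercised against the constructed records in the usage example below.
A domain is reported as spoofable when the SPF record is missing or ends in
a pass/neutral 'all' (+all / ?all / no 'all' at all), or when DMARC is
missing, set to p=none, or applied to only a fraction of mail (pct < 100).
'redirect=' modifiers are not followed, since nothing is resolved here.
"""
import re


def parse_spf(txt_records):
    """Return the SPF record string, or None if the domain publishes none."""
    for rec in txt_records:
        if rec.lower().startswith("v=spf1"):
            return rec
    return None


def spf_all_qualifier(spf):
    """Return the qualifier of the 'all' mechanism ('+', '-', '~', '?') or None."""
    for term in spf.split()[1:]:
        m = re.fullmatch(r"([+\-~?]?)all", term, re.IGNORECASE)
        if m:
            return m.group(1) or "+"   # a bare 'all' means +all
    return None


def parse_dmarc(txt_records):
    """Return DMARC tags as a dict ({'v': 'DMARC1', 'p': 'none', ...}) or None."""
    for rec in txt_records:
        if rec.lower().startswith("v=dmarc1"):
            tags = {}
            for part in rec.split(";"):
                if "=" in part:
                    key, value = part.split("=", 1)
                    tags[key.strip().lower()] = value.strip()
            return tags
    return None


def assess(spf_txt, dmarc_txt):
    """Assess spoofability from the TXT records of <domain> and _dmarc.<domain>.

    Returns {'spoofable': bool, 'findings': [str, ...]}; an empty findings
    list means SPF hard-fails unknown senders and DMARC enforces a policy.
    A softfail (~all) is not flagged on its own: DMARC treats softfail as a
    failure, so it is safe as long as DMARC enforces.
    """
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("no SPF record")
    else:
        qualifier = spf_all_qualifier(spf)
        if qualifier is None:
            findings.append("SPF has no 'all' mechanism (unlisted senders are neutral)")
        elif qualifier in ("+", "?"):
            findings.append(f"SPF ends in {qualifier}all (any sender passes or is neutral)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("no DMARC record")
    else:
        policy = dmarc.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none (monitor only, nothing is rejected)")
        elif dmarc.get("sp", policy).lower() == "none":
            findings.append("DMARC sp=none (subdomains are not enforced)")
        if dmarc.get("pct", "100") != "100":
            findings.append(f"DMARC pct={dmarc['pct']} (policy applied to a fraction of mail)")
    return {"spoofable": bool(findings), "findings": findings}


if __name__ == "__main__":
    # Constructed records for a hypothetical example.com; not real DNS data.
    print(assess(["v=spf1 include:_spf.example.net ?all"], []))
    print(assess(["v=spf1 ip4:203.0.113.0/24 -all"],
                 ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"]))
```

To run it against a live domain, feed `assess()` the TXT records of the domain and of its `_dmarc` subdomain; the first constructed case above is reported as spoofable on two counts, the second as hardened.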
Passive Intelligence Gathering
- Social Mapper is an OSINT social media mapping tool that takes a list of names and images (or a LinkedIn company name) and performs automated target searches at scale across multiple social media sites. It is not restricted by site APIs because it drives a real browser with Selenium, and it outputs reports that help correlate targets across sites. https://github.com/SpiderLabs/social_mapper
- skiptracer is an OSINT scraping framework that uses basic Python web scraping (BeautifulSoup) of PII paywall sites to compile passive information on a target on a ramen-noodle budget. https://github.com/xillwillx/skiptracer
- ScrapedIn is a tool to scrape LinkedIn for reconnaissance data without API restrictions. https://github.com/dchrastil/ScrapedIn
- linkScrape is a LinkedIn user/company enumeration tool. https://github.com/NickSanzotta/linkScrape
- FOCA (Fingerprinting Organizations with Collected Archives) is a tool used mainly to find metadata and hidden information in the documents it scans. https://github.com/ElevenPaths/FOCA
- theHarvester gathers subdomain names, e-mail addresses, virtual hosts, open ports/banners and employee names from different public sources. https://github.com/laramies/theHarvester
- Metagoofil extracts metadata from public documents (PDF, DOC, XLS, PPT, etc.) available on the target's websites. https://github.com/laramies/metagoofil
- SimplyEmail makes e-mail reconnaissance fast and easy, with a framework to build on. https://github.com/killswitch-GUI/SimplyEmail
- truffleHog searches git repositories for secrets, digging deep into commit history and branches. https://github.com/dxa4481/truffleHog
- Just-Metadata gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset. https://github.com/ChrisTruncer/Just-Metadata
- typofinder finds typo variants of a domain name and shows the country of each resolved IP address. https://github.com/nccgroup/typofinder
- pwnedOrNot is a Python script that checks whether an e-mail account has appeared in a data breach; if it has, it goes on to look for passwords leaked for that account. https://github.com/thewhiteh4t/pwnedOrNot
- GitHarvester is used to harvest information from GitHub in the style of a Google dork. https://github.com/metac0rtex/GitHarvester
Frameworks
- Maltego is a platform developed to deliver a clear threat picture of the environment an organization owns and operates. www.paterva.com/web7/downlo…
- SpiderFoot is an open source footprinting and intelligence-gathering tool. https://github.com/smicallef/spiderfoot
- datasploit is an OSINT framework that performs various reconnaissance techniques on companies, people, phone numbers, Bitcoin addresses and more, aggregates all the raw data, and outputs it in multiple formats. https://github.com/DataSploit/datasploit
- Recon-ng is a full-featured web reconnaissance framework written in Python. Bitbucket.org/LaNMaSteR53…
Weaponization
- CVE-2017-8570 composite moniker proof-of-concept exploit. https://github.com/rxwx/CVE-2017-8570
- Exploit toolkit CVE-2017-8759 is a handy Python script that gives pentesters and security researchers a quick and effective way to test the Microsoft .NET Framework RCE. https://github.com/bhdresh/CVE-2017-8759
- CVE-2017-11882 exploit that accepts a command/code of up to 17K bytes. https://github.com/unamer/CVE-2017-11882
- Adobe Flash exploit for CVE-2018-4878. https://github.com/anbai-inc/CVE-2018-4878
- Exploit toolkit CVE-2017-0199 is a handy Python script that gives pentesters and security researchers a quick and effective way to test the Microsoft Office RCE. github.com/bhdresh/CVE…
- demiguise is an HTA encryption tool for red teams. https://github.com/nccgroup/demiguise
- Office-DDE-Payloads is a collection of scripts and templates for generating Office documents that embed the DDE macro-less command execution technique. https://github.com/0xdeadbeefJERKY/Office-DDE-Payloads
- CACTUSTORCH generates payloads for adversary simulations. https://github.com/mdsecactivebreach/CACTUSTORCH
- SharpShooter is a payload creation framework for the retrieval and execution of arbitrary C# source code. https://github.com/mdsecactivebreach/SharpShooter
- Don't Kill My Cat (DKMC) generates obfuscated shellcode stored inside polyglot images. The file is a 100% valid image and also 100% valid shellcode. https://github.com/Mr-Un1k0d3r/DKMC
- Malicious Macro Generator is a simple utility that generates obfuscated macros which also include an AV/sandbox escape mechanism. https://github.com/Mr-Un1k0d3r/MaliciousMacroGenerator
- SCT Obfuscator obfuscates Cobalt Strike SCT payloads. https://github.com/Mr-Un1k0d3r/SCT-obfuscator
- Invoke-Obfuscation is a PowerShell obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation
- Invoke-DOSfuscation is a cmd.exe command obfuscation generator and detection test harness. https://github.com/danielbohannon/Invoke-DOSfuscation
- morphHTA morphs Cobalt Strike's evil.HTA. https://github.com/vysec/morphHTA
- Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. https://github.com/trustedsec/unicorn
- Shellter is a dynamic shellcode injection tool and the first truly dynamic PE infector. www.shellterproject.com/
- EmbedInHTML embeds and hides any file in an HTML file. https://github.com/Arno0x/EmbedInHTML
- SigThief steals a code signature from one binary and attaches it to another, producing a file that carries a signature which does not validate. https://github.com/secretsquirrel/SigThief
- Veil is a tool designed to generate Metasploit payloads that bypass common anti-virus solutions. https://github.com/Veil-Framework/Veil
- CheckPlease provides sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl and Rust. https://github.com/Arvanaghi/CheckPlease
- Invoke-PSImage embeds a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it. https://github.com/peewpw/Invoke-PSImage
- LuckyStrike is a PowerShell-based utility for creating malicious Office macro documents. To be used for pentesting or educational purposes only. https://github.com/curi0usJack/luckystrike
- ClickOnceGenerator is a quick malicious ClickOnce generator for red teams. The default application is a simple WebBrowser widget that points to a website of your choice. https://github.com/Mr-Un1k0d3r/ClickOnceGenerator
- macro_pack by @EmericNasi automates the obfuscation and generation of MS Office documents, VB scripts and other formats for pentest, demo and social engineering assessments. https://github.com/sevagas/macro_pack
- StarFighters is a JavaScript- and VBScript-based Empire launcher. https://github.com/Cn33liz/StarFighters
- nps_payload generates payloads for basic intrusion detection avoidance. It uses publicly demonstrated techniques from several different sources. https://github.com/trustedsec/nps_payload
- SocialEngineeringPayloads is a collection of social engineering tricks and payloads used for credential theft and spear phishing attacks. https://github.com/bhdresh/SocialEngineeringPayloads
- The Social-Engineer Toolkit is an open source penetration testing framework designed for social engineering. Github.com/trustedsec/…
- Phishery is a simple SSL-enabled HTTP server whose primary purpose is phishing credentials via Basic Authentication. https://github.com/ryhanson/phishery
- PowerShdll runs PowerShell with rundll32, bypassing software restriction policies. https://github.com/p3nt4/PowerShdll
- Ultimate AppLocker ByPass List: the goal of this repository is to document the most common techniques for bypassing AppLocker. https://github.com/api0cradle/UltimateAppLockerByPassList
- Ruler is a tool that lets you interact with Exchange servers remotely through either the MAPI/HTTP or RPC/HTTP protocol. https://github.com/sensepost/ruler
- Generate-Macro is a standalone PowerShell script that generates a malicious Microsoft Office document with a specified payload and persistence method. https://github.com/enigma0x3/Generate-Macro
- Malicious Macro MSBuild Generator generates a malicious macro that executes PowerShell or shellcode via an MSBuild application whitelisting bypass. https://github.com/infosecn1nja/MaliciousMacroMSBuild
- MetaTwin is designed as a file resource cloner: metadata, including the digital signature, is extracted from one file and injected into another. Github.com/threatexpre…
- WePWNise generates architecture-independent VBA code for use in Office documents or templates and automates bypassing application control and exploit mitigation software. https://github.com/mwrlabs/wePWNise
- DotNetToJScript is a tool for creating a JScript file that loads a .NET v2 assembly from memory. https://github.com/tyranid/DotNetToJScript
- PSAmsi is a tool for auditing and defeating AMSI signatures. https://github.com/cobbr/PSAmsi
- Reflective DLL Injection is a library injection technique that employs the concept of reflective programming to load a library from memory into a host process. https://github.com/stephenfewer/ReflectiveDLLInjection
- ps1encode is used to generate and encode PowerShell-based Metasploit payloads. https://github.com/CroweCybersecurity/ps1encode
- Worse PDF turns a normal PDF file into a malicious one, used to steal Net-NTLM hashes from Windows machines. https://github.com/3gstudent/Worse-PDF
- SpookFlare takes a different perspective on bypassing security measures, giving you the opportunity to bypass endpoint countermeasures at both client-side and network-side detection. Github.com/hlldz/Spook…
- GreatSCT is an open source project for generating application whitelisting bypasses. This tool is intended for both red and blue teams. Github.com/GreatSCT/Gr…
- nps runs PowerShell without powershell.exe. https://github.com/Ben0xA/nps
- Meterpreter_Paranoid_Mode.sh lets users secure a staged/stageless Meterpreter connection by having it verify the certificate of the handler it connects to. https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL
- The Backdoor Factory (BDF) patches executable binaries with user-supplied shellcode while preserving normal execution of the pre-patched state. https://github.com/secretsquirrel/the-backdoor-factory
- MacroShop is a collection of scripts to aid in delivering payloads via Office macros. https://github.com/khr0x40sh/MacroShop
- UnmanagedPowerShell executes PowerShell from an unmanaged process. https://github.com/leechristensen/UnmanagedPowerShell
- evil-ssdp spoofs SSDP replies to phish for NTLM hashes on a network. It creates a fake UPnP device, tricking users into visiting a malicious phishing page. Gitlab.com/initstring/…
- Ebowla is a framework for making environmentally keyed payloads. https://github.com/Genetic-Malware/Ebowla
- make-pdf-embedded is a tool for creating a PDF document with an embedded file. https://github.com/DidierStevens/DidierStevensSuite/blob/master/make-pdf-embedded.py
- avet (AntiVirusEvasionTool) targets Windows machines with executable files using different evasion techniques. https://github.com/govolution/avet
Delivery
Phishing
- King Phisher is a tool for testing and promoting user awareness by simulating real-world phishing attacks. https://github.com/securestate/king-phisher
- FiercePhish is a full-fledged phishing framework for managing all phishing engagements. It lets you track separate phishing campaigns, schedule the sending of e-mails, and much more. https://github.com/Raikia/FiercePhish
- ReelPhish is a real-time two-factor phishing tool. https://github.com/fireeye/ReelPhish/
- Gophish is an open source phishing toolkit designed for businesses and penetration testers. It provides the ability to quickly and easily set up and execute phishing engagements and security awareness training. https://github.com/gophish/gophish
- CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating that supports capturing 2FA tokens. https://github.com/ustayready/CredSniper
- PwnAuth is a web application framework for launching and managing OAuth abuse campaigns. https://github.com/fireeye/PwnAuth
- Phishing Frenzy is a Ruby on Rails phishing framework. https://github.com/pentestgeek/phishing-frenzy
- Phishing Pretexts is a library of pretexts for use on offensive phishing engagements. https://github.com/L4bF0x/PhishingPretexts
Watering Hole Attack
- BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser. https://github.com/beefproject/beef
Command and Control
Remote Access Tools
- Cobalt Strike is software for adversary simulations and red team operations.
- Empire is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent and a pure-Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire
- Metasploit Framework is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. https://github.com/rapid7/metasploit-framework
- SILENTTRINITY is a post-exploitation agent powered by Python, IronPython and C#/.NET. https://github.com/byt3bl33d3r/SILENTTRINITY
- Pupy is an open source, cross-platform (Windows, Linux, OS X, Android) remote administration and post-exploitation tool, mainly written in Python. https://github.com/n1nj4sec/pupy
- Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and PowerShell Empire. https://github.com/zerosum0x0/koadic
- PoshC2 is a proxy-aware C2 framework written entirely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. https://github.com/nettitude/PoshC2
- Gcat is a stealthy Python-based backdoor that uses Gmail as its command and control server. https://github.com/byt3bl33d3r/gcat
- TrevorC2 is a legitimate (browsable) website that tunnels client/server communications for covert command execution. Github.com/trustedsec/…
- Merlin is a cross-platform post-exploitation HTTP/2 command and control server and agent written in Go. Github.com/Ne0nd0g/mer…
- Quasar is a fast and lightweight remote administration tool written in C#. Providing high stability and an easy-to-use interface, Quasar is pitched as a complete remote administration solution. Github.com/quasar/Quas…
Staging
- Rapid Attack Infrastructure (RAI): red team infrastructure, quick and simplified. One of the most tedious phases of a red team operation is usually the infrastructure setup, which typically entails a team server or controller, domains, redirectors and a phishing server. Github.com/obscurityla…
- Red Baron is a set of modules and custom/third-party providers for Terraform that tries to automate the creation of resilient, disposable, secure and agile infrastructure for red teams. Github.com/byt3bl33d3r…
- EvilURL generates Unicode look-alike domains for IDN homograph attacks and detects them. Github.com/UndeadSec/E…
- Domain Hunter checks expired domains, Bluecoat categorization and Archive.org history to identify good candidates for phishing and C2 domain names. Github.com/threatexpre…
- PowerDNS is a simple proof of concept demonstrating the execution of a PowerShell script using DNS only. Github.com/mdsecactive…
- Chameleon is a tool for evading proxy categorisation. Github.com/mdsecactive…
- CatMyFish searches for already-categorized domains that can be used during a red team engagement. Perfect for setting up a whitelisted domain for your Cobalt Strike Beacon C&C. Github.com/Mr-Un1k0d3r…
- Malleable C2 is a domain-specific language for redefining indicators in Beacon's communication. Github.com/rsmudge/Mal…
- Malleable-C2-Randomizer randomizes Cobalt Strike Malleable C2 profiles through a metalanguage, hopefully reducing the chance of triggering signature-based detection controls. Github.com/bluscreenof…
- FindFrontableDomains searches for potential frontable domains. Github.com/rvrsh3ll/Fi…
- Postfix-Server-Setup: setting up a phishing server is a very long and tedious process. It can take hours to set up and be compromised in minutes. Github.com/n0pe-sled/P…
- DomainFrontingLists lists domain-frontable domains by CDN. Github.com/vysec/Domai…
- Apache2-Mod-Rewrite-Setup quickly implements mod_rewrite in your infrastructure. Github.com/n0pe-sled/A…
- mod_rewrite rules to evade vendor sandboxes. Gist.github.com/curi0usJack…
- external_c2 framework is a Python framework for use with Cobalt Strike's External C2. Github.com/Und3rf10w/e…
- ExternalC2 is a library for integrating communication channels with the Cobalt Strike External C2 server. Github.com/ryhanson/Ex…
- cs2modrewrite is a tool for converting Cobalt Strike profiles to mod_rewrite scripts. Github.com/threatexpre…
- e2modrewrite is a tool for converting Empire profiles to Apache mod_rewrite scripts. Github.com/infosecn1nj…
- redi is an automated script for setting up Cobalt Strike redirectors (nginx reverse proxy, Let's Encrypt). Github.com/taherio/red…
- Domain fronting with Google App Engine. Github.com/redteam-cyb…
- DomainFrontDiscover contains scripts and results for finding domain-frontable CloudFront domains. Github.com/peewpw/Doma…
- Automated Empire infrastructure. github.com/bneg/RedTea…
- Serving random payloads with NGINX. Gist.github.com/jivoi/a33ac…
- meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. Github.com/arlolra/mee…
- CobaltStrike-ToolKit contains some useful scripts for Cobalt Strike. Github.com/killswitch-…
- mkhtaccess_red auto-generates an .htaccess for payload delivery: it automatically pulls the IPs/nets/etc. of known sandbox companies and sources that have been seen before and redirects them to a benign payload. Github.com/violentlyda…
- RedFile is a WSGI application that serves files with intelligence, good for serving conditional red team payloads. Github.com/outflanknl/…
- keyserver easily serves HTTP and DNS keys for proper payload protection. Github.com/leoloobeek/…
- DoHC2 allows the ExternalC2 library from Ryan Hanson (github.com/ryhanson/Ex…) to be leveraged for command and control (C2) via DNS over HTTPS (DoH). It is built for the popular adversary simulation and red team operations software Cobalt Strike (www.cobaltstrike.com). Github.com/SpiderLabs/…
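The detection half of the IDN homograph problem that EvilURL addresses, as an added example that is not EvilURL's code. Given a candidate domain it reports the punycode (xn--) form a resolver actually sees, the Unicode scripts used in each label, and flags a label that mixes scripts or that is non-Latin yet reads as a plain ASCII word once look-alike letters are substituted. The CONFUSABLES table is a small hand-picked subset of Unicode's confusables data, chosen for the example; the three sample names at the bottom are constructed.

```python
"""IDN homograph check in the spirit of EvilURL's detection mode.

This is an added example, not EvilURL's code. Given a candidate domain it
reports the punycode (xn--) form a resolver actually sees, the Unicode
scripts used in each label, and flags a label that mixes scripts or that is
non-Latin yet maps onto a plain ASCII word once look-alike letters are
substituted. CONFUSABLES is a small hand-picked subset of Unicode's
confusables data, not the full list.
"""
import unicodedata

# Hand-picked subset of Unicode confusables: look-alike -> Latin letter it imitates.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}


def script_of(ch):
    """Derive a script name from the character's Unicode name ('LATIN', 'CYRILLIC', ...).

    Digits, '-' and other non-letters are reported as 'COMMON' so that a
    label such as 'example-1' is not treated as mixed script.
    """
    if not ch.isalpha():
        return "COMMON"
    if ch.isascii():
        return "LATIN"
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label):
    """Replace each confusable character with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label)


def analyze_domain(domain):
    """Return a report dict; report['suspicious'] is True for likely homographs."""
    domain = unicodedata.normalize("NFC", domain.strip().lower().rstrip("."))
    report = {"domain": domain, "labels": [], "suspicious": False}
    try:
        report["punycode"] = domain.encode("idna").decode("ascii")
    except UnicodeError:
        # IDNA rejected the name outright; treat it as hostile input.
        report["punycode"] = None
        report["suspicious"] = True
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        sk = skeleton(label)
        info = {
            "label": label,
            "scripts": sorted(scripts),
            # e.g. a Cyrillic 'a' inside an otherwise Latin 'apple'
            "mixed_script": len(scripts) > 1,
            # e.g. an all-Cyrillic label that reads as 'copy' once substituted
            "latin_lookalike": sk != label and sk.isascii(),
        }
        if info["mixed_script"] or info["latin_lookalike"]:
            report["suspicious"] = True
        report["labels"].append(info)
    return report


if __name__ == "__main__":
    # Constructed samples: a Latin name, the same name with a Cyrillic first
    # letter, and a genuine all-Cyrillic IDN that should not be flagged.
    for name in ("apple.com", "\u0430pple.com", "\u043f\u0440\u0438\u043c\u0435\u0440.\u0440\u0444"):
        r = analyze_domain(name)
        print(r["domain"], "->", r["punycode"], "suspicious" if r["suspicious"] else "ok")
```

The all-Cyrillic sample shows the edge case that matters for false positives: a legitimate IDN in a single script, whose skeleton still contains non-Latin letters, is reported as clean, while a single-script label whose substituted form collapses to an ASCII word is flagged even though it is not mixed script. Browsers apply similar single-script and whole-script-confusable rules before deciding whether to display the Unicode form.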
Lateral Movement
- CrackMapExec is a Swiss Army knife for pentesting networks. Github.com/byt3bl33d3r…
- PowerLessShell relies on MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe. Github.com/Mr-Un1k0d3r…
- GoFetch is a tool that automatically exercises an attack plan generated by the BloodHound application. Github.com/GoFetchAD/G…
- ANGRYPUPPY automates BloodHound attack paths in Cobalt Strike. Github.com/vysec/ANGRY…
- DeathStar is a Python script that uses Empire's RESTful API to automate gaining Domain Admin rights in Active Directory environments using a variety of techniques. Github.com/byt3bl33d3r…
- SharpHound is a C# rewrite of the BloodHound ingestor. Github.com/BloodHoundA…
- BloodHound.py is a Python-based ingestor for BloodHound, based on Impacket. Github.com/fox-it/Bloo…
- Responder is an LLMNR, NBT-NS and mDNS poisoner with a built-in rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication. Github.com/SpiderLabs/…
- SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla and Microsoft Remote Desktop. It can be run remotely or locally. Github.com/fireeye/Ses…
- PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. Github.com/PowerShellM…
- Nishang is a framework and collection of scripts and payloads that enables the use of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of a penetration test. Github.com/samratashok…
- Inveigh is a Windows PowerShell LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool. Github.com/Kevin-Rober…
- PowerUpSQL is a PowerShell toolkit for attacking SQL Server. Github.com/NetSPI/Powe…
- MailSniper is a penetration testing tool for searching through e-mail in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). Github.com/dafthack/Ma…
- WMIOps is a PowerShell script that uses WMI to perform a variety of actions on local or remote hosts in a Windows environment. It is designed primarily for penetration tests or red team engagements. Github.com/ChrisTrunce…
- Mimikatz is an open source utility that enables viewing credential information held by the Windows LSASS process. Github.com/gentilkiwi/…
- The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer. Github.com/AlessandroZ…
- mimipenguin is a tool to dump the login password of the current Linux desktop user, adapted from the idea behind the popular Windows tool mimikatz. Github.com/huntergrega…
- PsExec is a lightweight telnet replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. Docs.microsoft.com/en-us/sysin…
- KeeThief allows the extraction of KeePass 2.x key material from memory, as well as backdooring and enumeration of the KeePass trigger system. Github.com/HarmJ0y/Kee…
- PSAttack combines some of the best projects in the infosec PowerShell community into a self-contained custom PowerShell console. Github.com/jaredhaight…
- Internal Monologue Attack retrieves NTLM hashes without touching LSASS. Github.com/eladshamir/…
- Impacket is a collection of Python classes for working with network protocols. It focuses on providing low-level programmatic access to packets and, for some protocols (such as NMB, SMB1-3 and MS-DCERPC), the protocol implementation itself. Github.com/CoreSecurit…
- icebreaker obtains plaintext Active Directory credentials if you are on the internal network but outside the AD environment. Github.com/DanMcInerne…
- LOLBAS (Living Off The Land Binaries and Scripts): the goal of these lists is to document every binary, script and library that can be used for purposes other than the one it was designed for. Github.com/api0cradle/…
- WSUSpendu uses a compromised WSUS server to extend the compromise to its clients. Github.com/AlsidOffici…
- Evilgrade is a modular framework that lets the user take advantage of poor upgrade implementations by injecting fake updates. Github.com/infobyte/ev…
- NetRipper is a post-exploitation tool targeting Windows systems that uses API hooking to intercept network traffic and encryption-related functions from a low-privileged user, capturing both plaintext traffic and encrypted traffic before encryption/after decryption. Github.com/NytroRST/Ne…
- LethalHTA is a lateral movement technique using DCOM and HTA. Github.com/codewhitese…
- Invoke-PowerThIEf is an Internet Explorer post-exploitation library. Github.com/nettitude/I…
- RedSnarf is a pentesting/red teaming tool for Windows environments. Github.com/nccgroup/re…
- HoneypotBuster is a Microsoft PowerShell module designed for red teams that can be used to find honeypots and honeytokens in the network or on the host. Github.com/JavelinNetw…
Establish Foothold
- Tunna is a set of tools that wraps and tunnels any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments. Github.com/SECFORCE/Tu…
- reGeorg, the successor to reDuh: pwn a bastion web server and create SOCKS proxies through the DMZ. Pivot and pwn. Github.com/sensepost/r…
- Blade is a console-based webshell connection tool, currently under development, that aims to be a replacement for Chopper. Github.com/wonderqs/Bl…
- TinyShell is a web shell framework. Github.com/threatexpre…
- PowerLurk is a PowerShell toolset for building malicious WMI event subscriptions. Github.com/Sw4mpf0x/Po…
- DAMP (The Discretionary ACL Modification Project): persistence through host-based security descriptor modification. Github.com/HarmJ0y/DAM…
Escalate Privileges
Domain Escalation
- PowerView is a PowerShell tool for gaining network situational awareness on Windows domains. Github.com/PowerShellM…
- Get-GPPPassword retrieves the plaintext password and other information for accounts pushed through Group Policy Preferences. Github.com/PowerShellM…
- Invoke-ACLpwn is a tool that automates the discovery and exploitation of unsafely configured ACLs in Active Directory. Github.com/fox-it/Invo…
- BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory environment. Github.com/BloodHoundA…
- PyKEK (Python Kerberos Exploitation Kit) is a Python library for manipulating KRB5-related data. Github.com/SecWiki/win…
- Grouper is a PowerShell script that helps find vulnerable settings in AD Group Policy. Github.com/l0ss/Groupe…
- ADRecon is a tool that extracts various artifacts from an AD environment into a specially formatted Microsoft Excel report that includes summary views with metrics to facilitate analysis. Github.com/sense-of-se…
- ADACLScanner is a script for scanning ACLs in Active Directory. Github.com/canix1/ADAC…
- LAPSToolkit is a tool to audit and attack LAPS environments. Github.com/leoloobeek/…
- PingCastle is a free, Windows-based utility for auditing the risk level of your AD infrastructure and checking for vulnerable practices. www.pingcastle.com/download
- RiskySPNs is a collection of PowerShell scripts focused on detecting and abusing accounts associated with SPNs (Service Principal Names). Github.com/cyberark/Ri…
- Mystique is a PowerShell tool for working with the Kerberos S4U extensions. The module can help blue teams identify risky Kerberos delegation configurations, and red teams impersonate arbitrary users by leveraging KCD with protocol transition. Github.com/machosec/My…
- Rubeus is a C# toolset for raw Kerberos interaction and abuse. It is heavily adapted from Benjamin Delpy's Kekeo project. Github.com/GhostPack/R…
- kekeo is a little toolbox I have started to manipulate Microsoft Kerberos in C (and for fun). Github.com/gentilkiwi/…
Local Escalation
- UACMe is an open source assessment tool that contains many methods for bypassing Windows User Account Control on multiple versions of the operating system. Github.com/hfiref0x/UA…
- windows-kernel-exploits is a collection of Windows kernel exploits. Github.com/SecWiki/win…
- PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. Github.com/PowerShellM…
- The Elevate Kit demonstrates how to use third-party privilege escalation attacks with Cobalt Strike's Beacon payload. Github.com/rsmudge/Ele…
- Sherlock is a PowerShell script that quickly finds missing software patches for local privilege escalation vulnerabilities. Github.com/rasta-mouse…
- Tokenvator is a tool for elevating privileges with Windows tokens. Github.com/0xbadjuju/T…
Data Exfiltration
- CloakifyFactory and the Cloakify toolset: data exfiltration and infiltration in plain sight; evade DLP/MLS devices; social engineering of analysts; defeat data whitelisting controls; evade AV detection. Github.com/TryCatchHCF…
- DET (extensible Data Exfiltration Toolkit) is a proof of concept for performing data exfiltration using either a single channel or multiple channels at the same time. Github.com/sensepost/D…
- DNSExfiltrator allows transferring (exfiltrating) a file over a DNS request covert channel. It is basically a data leak testing tool that lets data be exfiltrated over a covert channel. Github.com/Arno0x/DNSE…
- PyExfil is a Python package for data exfiltration. Github.com/ytisf/PyExf…
- Egress-Assess is a tool used to test egress data detection capabilities. Github.com/ChrisTrunce…
- Powershell-RAT is a Python-based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. Github.com/Viralmaniar…
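The covert channel that DNSExfiltrator and Egress-Assess exercise, written out as an added example (not either project's code). It shows how a file becomes a sequence of DNS query names under an attacker-controlled zone and how the authoritative side reassembles them, which is exactly the shape (long high-entropy labels, a sequence counter, hundreds of unique subdomains of one zone) that egress monitoring should be tuned to notice. Nothing is sent on the wire; the zone exfil.example.com, the query layout and the sample bytes are assumptions constructed for the example.

```python
"""DNS covert-channel encoder/decoder in the spirit of DNSExfiltrator.

This is an added example, not DNSExfiltrator's own code. It shows the part
that matters for both the operator and the detection engineer: how a file
becomes a sequence of DNS query names under an attacker-controlled zone,
and how the authoritative side reassembles it. Nothing is sent on the wire;
queries are plain strings so the round trip can be checked offline. The
zone name exfil.example.com and the query layout
<file_id>.<seq>.<chunk labels>.<zone> are assumptions for this example.
"""
import base64
import zlib

MAX_LABEL = 63   # RFC 1035 limit for a single label
MAX_NAME = 253   # RFC 1035 limit for a full name in presentation form


def encode_file(data, zone, file_id, labels_per_query=3):
    """Compress, base32-encode and split data into DNS query names.

    Base32 (not base64) is used because DNS names are case-insensitive and
    resolvers may randomise the case of a query (0x20 encoding) in transit.
    """
    body = base64.b32encode(zlib.compress(data)).decode("ascii").rstrip("=").lower()
    # Fixed overhead per query: id, 6-digit seq, zone, and the dots between them.
    overhead = len(file_id) + 6 + len(zone) + 3 + (labels_per_query - 1)
    chunk_len = min(labels_per_query * MAX_LABEL, MAX_NAME - overhead)
    queries = []
    for seq, start in enumerate(range(0, len(body), chunk_len)):
        chunk = body[start:start + chunk_len]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        queries.append(".".join([file_id, f"{seq:06d}", *labels, zone]))
    # Terminator so the receiver knows the stream is complete.
    queries.append(".".join([file_id, "end", zone]))
    return queries


def decode_queries(queries, zone):
    """Reassemble files from observed query names; returns {file_id: bytes}.

    Queries may arrive out of order (resolvers retry and parallelise), so
    chunks are keyed by sequence number and joined only once 'end' is seen
    and no sequence number is missing.
    """
    suffix = "." + zone
    streams = {}
    for q in queries:
        name = q.lower()
        if not name.endswith(suffix):
            continue                      # not our zone; ignore
        parts = name[:-len(suffix)].split(".")
        if len(parts) < 2:
            continue
        file_id, seq = parts[0], parts[1]
        stream = streams.setdefault(file_id, {"chunks": {}, "done": False})
        if seq == "end":
            stream["done"] = True
        elif seq.isdigit():
            stream["chunks"][int(seq)] = "".join(parts[2:])
    out = {}
    for file_id, stream in streams.items():
        if not stream["done"]:
            continue                      # incomplete transfer
        chunks = stream["chunks"]
        if sorted(chunks) != list(range(len(chunks))):
            continue                      # a sequence number is missing
        body = "".join(chunks[i] for i in range(len(chunks))).upper()
        body += "=" * (-len(body) % 8)    # restore the base32 padding stripped above
        out[file_id] = zlib.decompress(base64.b32decode(body))
    return out


if __name__ == "__main__":
    sample = b"constructed sample file\n" + bytes(range(256)) * 4   # constructed input
    qs = encode_file(sample, "exfil.example.com", "f1")
    print(len(qs), "queries, longest", max(map(len, qs)), "chars")
    print(decode_queries(reversed(qs), "exfil.example.com") == {"f1": sample})
```

A real tool would issue each name as a query (typically TXT or A) against a resolver and the authoritative server for the zone would log the names; the decoder above is what that server runs. On the defensive side the same properties give the detection: names close to the 253-byte limit, labels close to 63 bytes, base32 character distribution, and a steadily increasing counter in the second label.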
Misc
Wireless Networks
- Wifiphisher is a security tool that performs automated Wi-Fi association attacks to force wireless clients to unknowingly connect to an attacker-controlled access point. Github.com/wifiphisher…
- Evilginx is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service. Github.com/kgretzky/ev…
- MANA toolkit for Wi-Fi rogue AP attacks and MitM. Github.com/sensepost/m…
Embedded and Peripheral Device Hacking
- magspoof is a portable device that can spoof/emulate any magnetic stripe, credit card or hotel card "wirelessly", even on standard magstripe (non-NFC/RFID) readers. Github.com/samyk/magsp…
- WarBerryPi was built to be used as a hardware implant in red team scenarios where we want to obtain as much information as possible in a short period of time. Github.com/secgroundze…
- P4wnP1 is a highly customizable USB attack platform based on the low-cost Raspberry Pi Zero or Raspberry Pi Zero W (the latter is required for the HID backdoor). Github.com/mame82/P4wn…
- malusb is a HID-spoofing multi-OS payload for Teensy. Github.com/ebursztein/…
- Fenrir is a tool designed to be used "out of the box" for penetration testing and offensive engagements. Its main feature and purpose is to bypass wired 802.1x protection and give you access to the target network. Github.com/Orange-Cybe…
- PoisonTap exploits locked/password-protected computers over USB, drops a persistent WebSocket-based backdoor, exposes the internal router and siphons cookies, using a Raspberry Pi Zero and Node.js. Github.com/samyk/poiso…
- WHID (WiFi HID Injector) is a USB Rubber Ducky/BadUSB on steroids. Github.com/whid-inject…
Team Communication
- Rocket.Chat is free, unlimited and open source. Replace e-mail and Slack with the ultimate team chat software solution. rocket.chat
- Etherpad is an open source, web-based collaborative real-time editor that allows authors to simultaneously edit a text document. Etherpad.net
Log Aggregation
- RedELK, the Red Team's SIEM: an easily deployable tool for red teams used for tracking and alerting on blue team activities, as well as better usability in long-term operations. Github.com/outflanknl/…
- CobaltSplunk is a Splunk dashboard for Cobalt Strike logs. Github.com/vysec/Cobal…
- Red Team Telemetry is a collection of scripts and configurations to enable centralized logging of red team infrastructure. Github.com/ztgrace/red…
- Elastic for Red Teaming is a repository of resources for configuring a red team SIEM using Elastic. Github.com/SecurityRis…
C# Offensive Frameworks
- SharpSploit is a .NET post-exploitation library written in C# that aims to highlight the attack surface of .NET and make offensive .NET easier for red teamers to use. Github.com/cobbr/Sharp…
- GhostPack is (currently) a collection of C# implementations of previous PowerShell functionality, including six separate toolsets released together: Seatbelt, SharpUp, SharpRoast, SharpDump, SafetyKatz and SharpWMI. github.com/GhostPack
- SharpWeb is a .NET 2.0 CLR project for retrieving saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge. Github.com/djhohnstein…
- reconerator is a C# targeted attack reconnaissance tool. Github.com/stufus/reco…
- SharpView is a C# implementation of harmj0y's PowerView. Github.com/tevora-thre…
- Watson is a (.NET 2.0 compliant) C# implementation of Sherlock. Github.com/rasta-mouse…
Labs
- Detection Lab: this lab has been designed with defenders in mind. Its primary purpose is to allow the user to quickly build a Windows domain that comes pre-loaded with security tooling and some best practices for system logging configuration. Github.com/clong/Detec…
- Modern Windows Attack and Defense Lab: this is the lab configuration for the Modern Windows Attack and Defense class taught by Sean Metcalf (@Pyrotek3) and me. Github.com/jaredhaight…
- Invoke-UserSimulator simulates common user behaviour on local and remote Windows hosts. Github.com/ubeeri/Invo…
- Invoke-ADLabDeployer automates the deployment of Windows and Active Directory test lab networks, for both red and blue teams. Github.com/outflanknl/…
- Sheepl creates realistic user behaviour to support tradecraft development in lab environments. Github.com/SpiderLabs/…
Scripts
- Aggressor Scripts: a scripting language for red team operations and adversary emulation, inspired by scriptable IRC clients and bots.
- Github.com/invokethrea…
- Github.com/secgroundze…
- Github.com/Und3rf10w/A…
- Github.com/harleyQu1nn…
- Github.com/rasta-mouse…
- Github.com/RhinoSecuri…
- Github.com/bluscreenof…
- Github.com/001SPARTaN/…
- Collections of scripts for red teaming and penetration testing:
- Github.com/FuzzySecuri…
- Github.com/nettitude/P…
- Github.com/Mr-Un1k0d3r…
- Github.com/threatexpre…
- Github.com/SadProcesso…
- Github.com/rvrsh3ll/Mi…
- Github.com/enigma0x3/M…
- Github.com/ChrisTrunce…
- Github.com/bluscreenof…
- Github.com/xorrior/Ran…
- Github.com/xorrior/Ran…
- Github.com/leechristen…
- Github.com/mgeeky/Pene…
References
- MITRE’s ATT&CK™ is a curated knowledge base and model for cyber adversary behaviour, reflecting the various phases of an adversary’s lifecycle and the platforms they are known to target. Attack.mitre.org/wiki/Main_P…
- Cheat sheets for various projects (Beacon/Cobalt Strike, PowerView, PowerUp, Empire and PowerSploit). Github.com/HarmJ0y/Che…
- PRE-ATT&CK: adversarial tactics, techniques and common knowledge for left-of-exploit. Attack.mitre.org/pre-attack/…
- Adversary OPSEC consists of the use of various technologies or third-party services to obfuscate, hide, or blend in with accepted network traffic or system behaviour. Attack.mitre.org/pre-attack/…
- Adversary Emulation Plans: MITRE created adversary emulation plans to showcase the practical use of ATT&CK for offensive operators and defenders. Attack.mitre.org/wiki/Advers…
- Red-Team-Infrastructure-Wiki: a wiki collecting Red Team infrastructure hardening resources. Github.com/bluscreenof…
- Advanced Threat Tactics – Course and Notes: a course on red team operations and adversary simulation. Blog.cobaltstrike.com/2015/09/30/…
- Red team tips posted on Twitter by @vysecurity. vincentyiu.co.uk/red-team-ti…
- Awesome Red Teaming: a list of awesome Red Team/Red Teaming resources. Github.com/yeyintminth…
- ATT&CK for Enterprise Software is a generic term for custom or commercial code, operating system utilities, open-source software, or other tools used to conduct behaviour modelled in ATT&CK. Attack.mitre.org/wiki/Softwa…
- Planning a Red Team exercise: this document helps inform red team planning by contrasting it with the very specific red team style described in Red Teams. Github.com/magoo/redte…
- Awesome Lockpicking: a curated list of guides, tools, and other resources related to the security and compromise of locks, safes, and keys. Github.com/meitar/awes…
- Awesome Threat Intelligence: a curated list of awesome threat intelligence resources. Github.com/hslatman/aw…
- APTnotes: need some scenarios? APTnotes is a repository of publicly available papers and blogs (sorted by year) related to malicious campaigns/activity/software associated with vendor-defined APT (Advanced Persistent Threat) groups and/or tool-sets. Github.com/aptnotes/da…
- TIBER-EU Framework: the European Framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU), the first Europe-wide framework for controlled and bespoke testing against cyber attacks in the financial market. www.ecb.europa.eu/pub/pdf/oth…
- CBEST Implementation Guide: CBEST is a framework for delivering controlled, bespoke, intelligence-led cyber security tests. The tests replicate the behaviours of threat actors assessed by the UK Government and commercial intelligence providers as posing a genuine threat to systemically important financial institutions. www.crest-approved.org/wp-content/…
- Adversarial Attack Simulation Exercise (AASE) Guidelines: the Association of Banks in Singapore (ABS), with support from the Monetary Authority of Singapore (MAS), has developed a set of cybersecurity assessment guidelines to strengthen the cyber resilience of Singapore’s financial sector. Known as the Adversarial Attack Simulation Exercise (AASE) Guidelines, or the “Red Teaming Guidelines”, the guide provides financial institutions (FIs) with best practices and guidance on planning and conducting red team exercises to enhance their security testing. Abs.org.sg/docs/librar…
About Hetian Cyber Security Lab
Hetian Cyber Security Lab (www.hetianlab.com) is a leading domestic online education platform for hands-on cyber security training.
Real environments and hands-on online cyber security practice; the lab content covers system security, software security, network security, web security, mobile security, CTF, forensic analysis, penetration testing, cyber security awareness education, and more.
Reprint notice
This article is reprinted from the original: GitHub && [FreeBuf] www.freebuf.com/sectool/175…