Professional Documents
Culture Documents
Red Teaming Toolkit
Red Teaming Toolkit
Red Teaming Toolkit
Table of Contents
Reconnaissance
Initial Access
Delivery
Situational Awareness
Credential Dumping
Privilege Escalation
Defense Evasion
Persistence
Lateral Movement
Exfiltration
Miscellaneous
Reconnaissance
Name Description URL
The Modern Port Scanner. Find
ports quickly (3 seconds at its
RustScan fastest). Run scripts through our https://github.com/RustScan/RustScan
scripting engine (Python, Lua,
Shell supported).
In-depth Attack Surface
Amass https://github.com/OWASP/Amass
Mapping and Asset Discovery
Gitleaks is a SAST tool for
detecting hardcoded secrets like
gitleaks https://github.com/zricethezav/gitleaks
passwords, api keys, and tokens
in git repos.
Scan for open S3 buckets and
S3Scanner https://github.com/sa7mon/S3Scanner
dump the contents
Multi-cloud OSINT tool.
Enumerate public resources in
cloud_enum https://github.com/initstring/cloud_enum
AWS, Azure, and Google
Cloud.
Name Description URL
Open Source Intelligence
gathering tool aimed at
Recon-ng reducing the time spent https://github.com/lanmaster53/recon-ng
harvesting information from
open sources.
An advanced tool for email
buster https://github.com/sham00n/buster
reconnaissance
OSINT Tool: Generate
linkedin2username username lists for companies on https://github.com/initstring/linkedin2username
LinkedIn
Web Inventory tool, takes
screenshots of webpages using
Pyppeteer (headless
WitnessMe https://github.com/byt3bl33d3r/WitnessMe
Chrome/Chromium) and
provides some extra bells &
whistles to make life easier.
pagodo (Passive Google Dork) -
Automate Google Hacking
pagodo https://github.com/opsdisk/pagodo
Database scraping and
searching
AttackSurfaceMapper is a tool
AttackSurfaceMapper that aims to automate the https://github.com/superhedgy/AttackSurfaceMapper
reconnaissance process.
SpiderFoot is an open source
intelligence (OSINT)
automation tool. It integrates
with just about every data
SpiderFoot https://github.com/smicallef/spiderfoot
source available and utilises a
range of methods for data
analysis, making that data easy
to navigate.
dnscan is a python wordlist-
dnscan https://github.com/rbsec/dnscan
based DNS subdomain scanner.
spoofcheck A program that checks if a https://github.com/BishopFox/spoofcheck
Name Description URL
domain can be spoofed from.
The program checks SPF and
DMARC records for weak
configurations that allow
spoofing.
LinkedInt LinkedIn Recon Tool https://github.com/vysecurity/LinkedInt
Initial Access
Brute Force
Name Description URL
Scripts to make password spraying attacks
SprayingToolkit against Lync/S4B, OWA & O365 a lot https://github.com/byt3bl33d3r/SprayingToolkit
quicker, less painful and more efficient
Retrieve information via O365 with a
o365recon https://github.com/nyxgeek/o365recon
valid cred
Refactored & improved CredKing
password spraying tool, uses FireProx
CredMaster https://github.com/knavesec/CredMaster
APIs to rotate IP addresses, stay
anonymous, and beat throttling
Payload Development
Delivery
Phishing
Name Description URL
o365-
https://github.com/mdsecactivebreach/o365-
attack- A toolkit to attack Office365
attack-toolkit
toolkit
Evilginx2 is a man-in-the-middle attack
Evilginx2 framework used for phishing credentials and https://github.com/kgretzky/evilginx2
session cookies of any web service.
Gophish is an open-source phishing toolkit
designed for businesses and penetration testers.
Gophish It provides the ability to quickly and easily https://github.com/gophish/gophish
setup and execute phishing engagements and
security awareness training.
PwnAuth a web application framework for
PwnAuth launching and managing OAuth abuse https://github.com/fireeye/PwnAuth
campaigns.
Modlishka is a flexible and powerful reverse
Modlishka https://github.com/drk1wi/Modlishka
proxy, that will take your ethical phishing
Name Description URL
campaigns to the next level.
Log Aggregation
Credential Dumping
Name Description URL
Mimikatz is an open-source
application that allows users to
Mimikatz https://github.com/gentilkiwi/mimikatz
view and save authentication
credentials like Kerberos tickets.
LSASS memory dumper using
Dumpert direct system calls and API https://github.com/outflanknl/Dumpert
unhooking.
CredBandit is a proof of concept
Beacon Object File (BOF) that
uses static x64 syscalls to
CredBandit https://github.com/xforcered/CredBandit
perform a complete in memory
dump of a process and send that
back through your already
Name Description URL
existing Beacon communication
channel.
CloneVault allows a red team
operator to export and import
CloneVault https://github.com/mdsecactivebreach/CloneVault
entries including attributes from
Windows Credential Manager.
Retrieve LAPS password from
SharpLAPS https://github.com/swisskyrepo/SharpLAPS
LDAP
SharpDPAPI is a C# port of some
SharpDPAPI DPAPI functionality from https://github.com/GhostPack/SharpDPAPI
@gentilkiwi's Mimikatz project.
Allows for the extraction of
KeePass 2.X key material from
KeeThief memory, as well as the https://github.com/GhostPack/KeeThief
backdooring and enumeration of
the KeePass trigger system.
SafetyKatz is a combination of
slightly modified version of
SafetyKatz https://github.com/GhostPack/SafetyKatz
@gentilkiwi's Mimikatz project
and @subtee's .NET PE Loader.
credential dump using forshaw
technique using
forkatz https://github.com/Barbarisch/forkatz
SeTrustedCredmanAccessPrivile
ge
Tool to bypass LSA Protection https://github.com/RedCursorSecurityConsulting/PPLKil
PPLKiller
(aka Protected Process Light) ler
The LaZagne project is an open
source application used to
LaZagne https://github.com/AlessandroZ/LaZagne
retrieve lots of passwords stored
on a local computer.
AndrewSpecial, dumping lsass'
AndrewSpecial memory stealthily and bypassing https://github.com/hoangprod/AndrewSpecial
"Cilence" since 2019.
Net- .NET implementation of Get- https://github.com/outflanknl/Net-GPPPassword
Name Description URL
GPPPassword GPPPassword. Retrieves the
plaintext password and other
information for accounts pushed
through Group Policy
Preferences.
.NET 4.0 CLR Project to retrieve
SharpChromiu
Chromium data, such as cookies, https://github.com/djhohnstein/SharpChromium
m
history and saved logins.
Chlonium is an application
Chlonium designed for cloning Chromium https://github.com/rxwx/chlonium
Cookies.
SharpCloud is a simple C# utility
for checking for the existence of
SharpCloud credential files related to Amazon https://github.com/chrismaddalena/SharpCloud
Web Services, Microsoft Azure,
and Google Compute.
Mimikatz implementation in pure
pypykatz https://github.com/skelsec/pypykatz
Python. At least a part of it :)
A Beacon Object File that creates
nanodump a minidump of the LSASS https://github.com/helpsystems/nanodump
process.
Koh is a C# and Beacon Object
File (BOF) toolset that allows for
Koh the capture of user credential https://github.com/GhostPack/Koh
material via purposeful
token/logon session leakage.
Privilege Escalation
Name Description URL
The Elevate Kit demonstrates how to use
ElevateKit third-party privilege escalation attacks with https://github.com/rsmudge/ElevateKit
Cobalt Strike's Beacon payload.
Watson Watson is a .NET tool designed to enumerate https://github.com/rasta-mouse/Watson
Name Description URL
missing KBs and suggest exploits for
Privilege Escalation vulnerabilities.
SharpUp is a C# port of various PowerUp
functionality. Currently, only the most
SharpUp common checks have been ported; no https://github.com/GhostPack/SharpUp
weaponization functions have yet been
implemented.
A tool that detects the privilege escalation
vulnerabilities caused by misconfigurations
dazzleUP and missing updates in the Windows https://github.com/hlldz/dazzleUP
operating systems. dazzleUP detects the
following vulnerabilities.
Privilege Escalation Awesome Scripts SUITE
PEASS https://github.com/carlospolop/PEASS-ng
(with colors)
A collection of various native Windows
SweetPotato privilege escalation techniques from service https://github.com/CCob/SweetPotato
accounts to SYSTEM
Another Potato to get SYSTEM via
MultiPotato https://github.com/S3cur3Th1sSh1t/MultiPotato
SeImpersonate privileges
a universal no-fix local privilege escalation in
KrbRelayUp windows domain environments where LDAP https://github.com/Dec0ne/KrbRelayUp
signing is not enforced (the default settings).
Defense Evasion
Persistence
Name Description URL
SharpStay .NET project for installing Persistence https://github.com/0xthirteen/SharpStay
Windows persistence toolkit written in
SharPersist https://github.com/fireeye/SharPersist
C#.
SharpHide Tool to create hidden registry keys. https://github.com/outflanknl/SharpHide
This leverages the NetUserAdd Win32
API to create a new computer account.
DoUCMe https://github.com/Ben0xA/DoUCMe
This is done by setting the usri1_priv
of the USER_INFO_1 type to 0x1000.
A Black Path (TCP tunneling over HTTP for web
https://github.com/nccgroup/ABPTTS
Toward The Sun application servers)
A tool to make socks connections
pivotnacci https://github.com/blackarrowsec/pivotnacci
through HTTP agents
The successor to reDuh, pwn a bastion
reGeorg webserver and create SOCKS proxies https://github.com/sensepost/reGeorg
through the DMZ. Pivot and pwn.
The Discretionary ACL Modification
Project: Persistence Through Host-
DAMP https://github.com/HarmJ0y/DAMP
based Security Descriptor
Modification.
A native backdoor module for
IIS-Raid Microsoft IIS (Internet Information https://github.com/0x09AL/IIS-Raid
Services)
tiny and obfuscated ASP.NET webshell
SharPyShell https://github.com/antonioCoco/SharPyShell
for C# web applications
A C# tool with more flexibility to
customize scheduled task for both
ScheduleRunner https://github.com/netero1010/ScheduleRunner
persistence and lateral movement in red
team operation
Persistence by writing/reading
SharpEventPersist https://github.com/improsec/SharpEventPersist
shellcode from Event Log
Kraken, a modular multi-language
Kraken https://github.com/kraken-ng/Kraken
webshell coded by @secu_x11.
Lateral Movement
Exfiltration
Miscellaneous
Threat-informed Defense
Name Description URL
Tidal Cyber helps enterprise organizations to define,
Tidal Cyber measure, and improve their defenses to address the https://app.tidalcyber.com
adversary behaviors that are most important to them.
Threat modeling aide & purple team content repository,
Control pointing security & intelligence teams to 10,000+ publicly-
Validation accessible technical and policy controls and 2,100+ https://controlcompass.github.io
Compass offensive security tests, aligned with nearly 600 common
attacker techniques
Cloud
Amazon Web Services (AWS)
Name Description URL
The AWS exploitation framework,
Pacu designed for testing the security of https://github.com/RhinoSecurityLabs/pacu
Amazon Web Services environments.
CloudMapper helps you analyze your
CloudMapper Amazon Web Services (AWS) https://github.com/duo-labs/cloudmapper
environments.
Enumerate IAM Enumerate the permissions associated with https://github.com/andresriancho/enumerate-
permissions AWS credential set iam
Azure
Name Description URL
This toolkit offers several ways to
Azure AD Connect extract and decrypt stored Azure AD
https://github.com/fox-it/adconnectdump
password extraction and Active Directory credentials from
Azure AD Connect servers.
Azure Red Team tool for graphing
Storm Spotter Azure and Azure Active Directory https://github.com/Azure/Stormspotter
objects
ROADtools The Azure AD exploration framework. https://github.com/dirkjanm/ROADtools
MicroBurst: A
A collection of scripts for assessing
PowerShell Toolkit for https://github.com/NetSPI/MicroBurst
Microsoft Azure security
Attacking Azure
AADInternals PowerShell module for
AADInternals administering Azure AD and Office https://github.com/Gerenios/AADInternals
365
TeamFiltration is a cross-platform
framework for enumerating, spraying,
TeamFiltration https://github.com/Flangvik/TeamFiltration
exfiltrating, and backdooring O365
AAD accounts.
An attack tool for simple, fast &
MAAD Attack https://github.com/vectra-ai-
effective security testing of M365 &
Framework research/MAAD-AF
Azure AD.
Adversary Emulation
Name Description URL
Stratus Red Team is "Atomic Red
Stratus Red Team™" for the cloud, allowing to
https://github.com/DataDog/stratus-red-team
Team emulate offensive attack techniques in
a granular and self-contained manner.
A Platform for Developer-first
advanced security· Defend your
Prelude Operator https://www.preludesecurity.com/products/operator
organization by mimicking real
adversarial attacks.
An open source IDE for authoring,
Prelude Build testing, and verifying production- https://www.preludesecurity.com/products/build
ready security tests..
An automated adversary emulation
system that performs post-compromise
Caldera https://github.com/mitre/caldera
adversarial behavior within Windows
Enterprise networks.
A Windows Batch script that uses a
APTSimulator set of tools and output files to make a https://github.com/NextronSystems/APTSimulator
system look as if it was compromised.
Small and highly portable detection
Atomic Red
tests mapped to the Mitre ATT&CK https://github.com/redcanaryco/atomic-red-team
Team
Framework.
flightsim is a lightweight utility used
to generate malicious network traffic
Network Flight
and help security teams to evaluate https://github.com/alphasoc/flightsim
Simulator
security controls and network
visibility.
A security preparedness tool to do
Metta https://github.com/uber-common/metta
adversarial simulation.
RTA provides a framework of scripts
Red Team
designed to allow blue teams to test
Automation https://github.com/endgameinc/RTA
their detection capabilities against
(RTA)
malicious tradecraft, modeled after
Name Description URL
MITRE ATT&CK.