# Red Team Resources ## **Powershell Scripts** * * * * * * * * * * * * * * * * * * * * * * * * SQL Injection * * ## **AMSI Bypass** * * * * * * * * * * * * * * * * * * * * * * * ## **Payload Hosting** * * ## **Network Share Scanner** * * * * ## **Reverse Shellz** * * * ## **Backdoor Finder** * * * ## **Pivoting** * * * * * * * * * * * * * * * ## **Persistence on Windows** * * * ## **Framework Discovery** * * - Wordpress, Joomla, Drupal Scanner * * * ## **Framework Scanner / Exploitation** * - wordpress * * * * - lotus domino * - Drupal * - Typo3 * - Joomla ## **File / Directory / Parameter discovery** * * * * - Mining parameters from dark corners of Web Archives * - 💗 * - Directory lookup from Javascript files * * * - Admin Panel Finder * * ## **Rest API Audit** * - RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services. * ## **Windows Privilege Escalation / Audit** * - Privilege Escalation Enumeration Script for Windows * - powerfull Privilege Escalation Check Script with nice output * * * - UAC * - UAC * * * - find vulnerable dlls for preloading attack * * - dll hijack scanner * - admin to system * * * * * * * * * ## **LinkedIn** * * ## **Windows Privilege Abuse (Privilege Escalation)** * - Abuse Windows Privileges * - load malicious dlls from system32 * - Exploit potatoes with automation * - from Service Account to System * - Another Windows Local Privilege Escalation from Service Account to System * - Abusing Impersonation Privileges on Windows 10 and Server 2019 * - itm4ns Printspoofer in C# * - Recover the default privilege set of a LOCAL/NETWORK SERVICE account ## **Exfiltration** * * * - Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. * * * * * - remote lazagne * * - Browser Creds gathering * - hack-browser-data is an open-source tool that could help you decrypt data\[passwords|bookmarks|cookies|history] from the browser. * - ClipHistory feature get the last 25 copy paste actions * - dump lsass using direct system calls and API unhooking * - Create a minidump of the LSASS process from memory - using Dumpert * - Evade WinDefender ATP credential-theft * - remote procdump.exe, copy dump file to local system and pypykatz for analysis/extraction * - extract live rdp logins * - Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute. * - .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins. * - This project reuses open handles to lsass to parse or minidump lsass * - ThunderFox for Firefox Credentials, SitkyNotesExtract for "Notes as passwords" * - Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon * - .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py * - C# tool to discover low hanging fruits like SessionGopher * - DPAPI Creds via C# * LSASS Dump Without Mimikatz * * * - C# porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands * Credential harvesting Linux Specific * * * * - SSH Credential loot * - SSH / Sudo / SU Credential loot * * - Tool to extract Kerberos tickets from Linux kernel keys. * Data Exfiltration - DNS/ICMP/Wifi Exfiltration * * * * * * - Wifi Exfiltration * - Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP * * - Easy files and payloads delivery over DNS ## **Staging** * Rapid Attack Infrastructure (RAI) Red Team Infrastructure... Quick... Fast... Simplified One of the most tedious phases of a Red Team Operation is usually the infrastructure setup. This usually entails a teamserver or controller, domains, redirectors, and a Phishing server. * Red Baron is a set of modules and custom/third-party providers for Terraform which tries to automate creating resilient, disposable, secure and agile infrastructure for Red Teams. * EvilURL generate unicode evil domains for IDN Homograph Attack and detect them. * Domain Hunter checks expired domains, bluecoat categorization, and Archive.org history to determine good candidates for phishing and C2 domain names. * PowerDNS is a simple proof of concept to demonstrate the execution of PowerShell script using DNS only. * Chameleon a tool for evading Proxy categorisation. * CatMyFish Search for categorized domain that can be used during red teaming engagement. Perfect to setup whitelisted domain for your Cobalt Strike beacon C\&C. * Malleable C2 is a domain specific language to redefine indicators in Beacon's communication. * Malleable-C2-Randomizer This script randomizes Cobalt Strike Malleable C2 profiles through the use of a metalanguage, hopefully reducing the chances of flagging signature-based detection controls. * FindFrontableDomains search for potential frontable domains. * Postfix-Server-Setup Setting up a phishing server is a very long and tedious process. It can take hours to setup, and can be compromised in minutes. * DomainFrontingLists a list of Domain Frontable Domains by CDN. * Apache2-Mod-Rewrite-Setup Quickly Implement Mod-Rewrite in your infastructure. * mod\_rewrite rule to evade vendor sandboxes. * external\_c2 framework a python framework for usage with Cobalt Strike's External C2. * Malleable-C2-Profiles A collection of profiles used in different projects using Cobalt Strike . * ExternalC2 a library for integrating communication channels with the Cobalt Strike External C2 server. * cs2modrewrite a tools for convert Cobalt Strike profiles to modrewrite scripts. * e2modrewrite a tools for convert Empire profiles to Apache modrewrite scripts. * redi automated script for setting up CobaltStrike redirectors (nginx reverse proxy, letsencrypt). * cat-sites Library of sites for categorization. * ycsm is a quick script installation for resilient redirector using nginx reverse proxy and letsencrypt compatible with some popular Post-Ex Tools (Cobalt Strike, Empire, Metasploit, PoshC2). * Domain Fronting Google App Engine. * DomainFrontDiscover Scripts and results for finding domain frontable CloudFront domains. * Automated Empire Infrastructure * Serving Random Payloads with NGINX. * meek is a blocking-resistant pluggable transport for Tor. It encodes a data stream as a sequence of HTTPS requests and responses. * CobaltStrike-ToolKit Some useful scripts for CobaltStrike. * mkhtaccess\_red Auto-generate an HTaccess for payload delivery -- automatically pulls ips/nets/etc from known sandbox companies/sources that have been seen before, and redirects them to a benign payload. * RedFile a flask wsgi application that serves files with intelligence, good for serving conditional RedTeam payloads. * keyserver Easily serve HTTP and DNS keys for proper payload protection. * DoHC2 allows the ExternalC2 library from Ryan Hanson () to be leveraged for command and control (C2) via DNS over HTTPS (DoH). This is built for the popular Adversary Simulation and Red Team Operations Software Cobalt Strike ([https://www.cobaltstrike.com](https://www.cobaltstrike.com/)). * HTran is a connection bouncer, a kind of proxy server. A “listener” program is hacked stealthily onto an unsuspecting host anywhere on the Internet. ## **Buffer Overflow and Exploit Development** * * * * * * * * * * * * * ## **MindMaps by Joas** * * * * * ## **Lateral Movement** * * * * * * * * * * * * * * * * * * * * * * * * * * * * ## **POST Exploitation** * * * * * * * * * * * * Phishing Tools * * * * * ## **Wrapper for various tools** * * * * ## **Active Directory Audit and exploit tools** * * * * * * * * * * * * * ## **Web Vulnerability Scanner / Burp Plugins** * - all in one scanner * - XSS discovery * * * * * - Burpsuite Extension to bypass 403 restricted directory * ## **Web Exploitation Tools** * - lfi * - xxe #XXE * - shellz * * - ssti * - xpath injection * - File Uploads * - deserialization * - IIS Short Filename Vuln. exploitation * - Deserialize Java Exploitation * - Deserialize .NET Exploitation * - Exploit .git Folder Existence * - SSRF Tutorials #SSRF * - PHP Unserialize Payload generator * - Malicious Office XXE payload generator * - Angularjs Csti Scanner * - Deserialize .NET Viewstates * - Deserialize .NET Viewstates ## **Linux Privilege Escalation / Audit** * - powerfull Privilege Escalation Check Script with nice output * * * * * * * * * - lookup vulnerable installed software * * * * * * * * * * - find suid bins and look them up under gtfobins / exploitable or not * - Offline GTFOBins * - sudo misconfiguration exploitation * * * - easily manipulate the tty and create fake binaries * * * - not really privesc but helpfull ## **Command and Control** * Cobalt Strike is software for Adversary Simulations and Red Team Operations. * Empire is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. * Metasploit Framework is a computer security project that provides information about security vulnerabilities and aids in penetration testing and IDS signature development. * SILENTTRINITY A post-exploitation agent powered by Python, IronPython, C#/.NET. * Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. * Koadic or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. * PoshC2 is a proxy aware C2 framework written completely in PowerShell to aid penetration testers with red teaming, post-exploitation and lateral movement. * Gcat a stealthy Python based backdoor that uses Gmail as a command and control server. * TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution. * Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang. * Quasar is a fast and light-weight remote administration tool coded in C#. Providing high stability and an easy-to-use user interface, Quasar is the perfect remote administration solution for you. * Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers. * FactionC2 is a C2 framework which use websockets based API that allows for interacting with agents and transports. * DNScat2 is a tool is designed to create an encrypted command-and-control (C\&C) channel over the DNS protocol. * Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. * EvilOSX An evil RAT (Remote Administration Tool) for macOS / OS X. * EggShell is a post exploitation surveillance tool written in Python. It gives you a command line session with extra functionality between you and a target machine. ## **Adversary Emulation** * MITRE CALDERA - An automated adversary emulation system that performs post-compromise adversarial behavior within Windows Enterprise networks. * APTSimulator - A Windows Batch script that uses a set of tools and output files to make a system look as if it was compromised. * Atomic Red Team - Small and highly portable detection tests mapped to the Mitre ATT\&CK Framework. * Network Flight Simulator - flightsim is a lightweight utility used to generate malicious network traffic and help security teams to evaluate security controls and network visibility. * Metta - A security preparedness tool to do adversarial simulation. * Red Team Automation (RTA) - RTA provides a framework of scripts designed to allow blue teams to test their detection capabilities against malicious tradecraft, modeled after MITRE ATT\&CK. ## **Repositores** * * * * * * * * * * * ## **Malware Analysis and Reverse Engineering** * * * * * * * * * * * * * * * * * * *