Tools
This section will cover various attack tools, vectors, methods, and how we can use them, as well as what to look for to defend against them.
Many tools can be used both offensively and defensively, so seeing one in use should not immediately indicate malicious intent. For example, a vulnerability scanner can be used offensively to see what services are running, what versions they are running, whether they have any immediately known vulnerabilities, and how those can be exploited. In the same way, it can be used defensively to learn what is vulnerable in your network and how to patch each vulnerability so it cannot be exploited in that manner.
No one tool is an end-all, be-all. There is no "One Tool to Rule Them All". Use multiple tools for the job; they all work differently and present information in various ways.
APT is an acronym for Advanced Persistent Threat. This can be a team or group (threat group), or even a country (nation-state group), that engages in long-term attacks against organizations and/or countries. FireEye maintains a current list of APT groups.
TTP is an acronym for Tactics, Techniques, and Procedures:
The Tactic is the adversary's goal or objective.
The Technique is how the adversary achieves the goal or objective.
The Procedure is how the technique is executed.
- C2/Exploitation Framework
- C2/Exploitation Framework
- C2/Exploitation Framework
- malleable post-exploitation command and control framework
- Dirb/Dirbuster - Busting tool for web directories
- Post-exploitation toolset for interacting with the Microsoft Graph API
- post-exploitation tool
- Another CrackMapExec
- WiFi penetration testing
- wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework
- Wireless and network reconnaissance and MITM attacks.
- capture packets from wlan devices and to discover potential weak points within WiFi networks
- WiFi penetration testing
- Directory/File, DNS and VHost busting tool written in Go
- Enumerating information from Windows and Samba systems
- Enumerates valid OneDrive accounts
- Active Directory Attacks
- Runs Cypher queries against BloodHound's Neo4j backend and saves output to spreadsheets.
- LDAP enumeration utility
- Queries Microsoft for a list of domains associated with an Office 365 tenant
- Tool for Active Directory Certificate Services enumeration and abuse
- A multiprotocol credentials bruteforcer / password sprayer and enumerator.
- Fast web fuzzer written in Go
- Subdomain Enumeration
- Open-source hash cracking tool
- Open-source hash cracking tool
- Vulnerability Scanner
- Vulnerability Scanner
- WebApp Pentesting Framework
- WebApp Pentesting Framework
- Parallelized login cracker
- Brute-forces site login pages
- A multiprotocol credentials bruteforcer / password sprayer and enumerator.
- Post Exploitation Credential Dump
- Extracts hashes from a pcap or live interface
- Dumps DPAPI Creds
- Active Directory information dumper via LDAP
- LLMNR, NBT-NS and MDNS poisoner
- RDP MITM tool
- Replies to DHCPv6
- SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket
- Payload toolkit for bypassing EDRs using suspended processes and direct syscalls, written in Rust
- Payload creation framework designed around EDR bypass
- Payload generation
- Combination of payload generation and encoding
- manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs
- Go Shellcode loader using Windows API
- Syscall Shellcode Loader
- PowerShell downgrade attack and inject shellcode straight into memory
- Process Injection
- Indirect syscalls for AV/EDR evasion in Go assembly
- A small x64 library to load DLLs into memory.
- A collection of Python classes for working with network protocols
- Open-source penetration testing framework designed for social engineering
- Original C Implementation of the Hell's Gate VX Technique
- Querying certificate transparency logs
- Trace Labs OSINT VM
- CLI tool to query the DeHashed API
- automation script designed to simplify the process of dumping and cracking NTDS hashes using secretsdump.py and hashcat
- Monitor Linux processes without root permissions
- A collection of Azure AD tools for offensive and defensive security purposes
- LSASS memory dumper using direct system calls and API unhooking.