🛠️Tools

This section will cover various attack tools, vectors, methods, and how we can use them, as well as what to look for to defend against them.

Many tools can be used both offensively and defensively, so seeing one being used should not immediately indicate malicious intent. For example, Nessus, is a vulnerability scanner and it can be used offensively to see what services are running, what version they are running on, and if they have any immediate known vulnerabilities and how they can be exploited. In the same, this can be used defensively to know what is vulnerable in your network and can tell you how to patch the vulnerability so it may not be exploited in that manor.

Terminology

APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even country (nation-state group), that engages in long-term attacks against organizations and/or countries. FireEye's current list of APT groups can be found here.

TTP is an acronym for Tactics, Techniques, and Procedures:

• The Tactic is the adversary's goal or objective.

• The Technique is how the adversary achieves the goal or objective.

• The Procedure is how the technique is executed.

Master list of Tools

A list of OSINT Tools can be found here

Exploitation Framework

• Metasploit - C2/Exploitation Framework

• Sliver - C2/Exploitation Framework

• Mythic - C2/Exploitation Framework

• Cobalt Strike

• Havoc - malleable post-exploitation command and control framework

Post Exploitation

• GraphRunner - Post-exploitation toolset for interacting with the Microsoft Graph API

  • Intro to GraphRunner by BHIS

• Crackmapexec - post-exploitation tool

• NetExec - Another CrackMapExec

WiFi

• Aircrack - WiFi penetration testing

• Kismet - wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework

• Bettercap - WiFi, Bluetooth Low Energy, wireless HID hijacking and IPv4 and IPv6 networks reconnaissance and MITM attacks.

• HCXDumptool - capture packets from wlan devices and to discover potential weak points within WiFi networks

• WiFite - WiFi penetration testing

Enumeration

• GoBuster - Directory/File, DNS and VHost busting tool written in Go

• Dirb/Dirbuster - Busting Tool for Web Directories

• Enum4Linux - Enumerating information from Windows and Samba systems

• OneDrive UserEnum - Enumerates valid OneDrive accounts

• Bloodhound - Active Directory Attacks

  • Cypheroth - Runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

• Ldeep - ldap enumeration utility

• SUCC - Queries Microsoft for a list of domains associated with an Office 365 tenant

• Certipy - Tool for Active Directory Certificate Services enumeration and abuse

• Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.

• FFUF - Fast web fuzzer written in Go

• Dome - Subdomain Enumeration

Hash Cracking

• Hashcat - Open-source hash cracking tool

• JohnTheRipper - Open-source hash cracking tool

Vulnerability Scanners

• Nessus - Vulnerability Scanner

• OpenVAS - Vulnerability Scanner

Web App

• BurpSuite - WebApp Pentesting Framework

• OWASP Zap - WebApp Pentesting Framework

Brute Force

• Hydra - Parallelized login cracker

• BruteMap - BruteForce site login pages

• Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.

Credential Dumping

• Mimikatz - Post Exploitation Credential Dump

• Pcredz - Extracts hashes from a pcap or live interface

• DonPapi - Dumps DPAPI Creds

• ldapdomaindump - Active Directory information dumper via LDAP

• Responder - LLMNR, NBT-NS and MDNS poisoner

MitM

• SETH - RDP MiTM Tool

• MiTM6 - Replys to DHCPv6

• NetNTLMtoSilverTicket - SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket

Payload Generation

• Freeze.rs - Payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST

• Scarecrow - Payload creation framework designed around EDR bypass

• URU - Payload generation

• MSFVenom - Combination of payload generation and encoding

• Mangle - manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs

Process Injection/Shellcode Loaders

• Bankai - Go Shellcode loader using Windows API

• ShhhLoader - Syscall Shellcode Loader

• Unicorn - PowerShell downgrade attack and inject shellcode straight into memory

• TikiTorch - Process Injection

• Archeron - Indirect syscalls for AV/EDR evasion in Go assembly

• Win11-OneDrive-DLL-Injection

• LdrLibraryEx - A small x64 library to load dll's into memory.

Wordlists

• VX-Underground

• Hashmob

• Seclists

Exploits Databases

• ExploitDB

• IntelligentExploit

• Shodan

• PacksetStormSec

Vulnerability Databases

• MITRE CVE

• CVE Details

• NIST

• CERT/CC Vulnerability Notes Database

• LWN security vulnerabilities database

• VulnLab

• SecDocs

Other

• Impacket - A collection of Python classes for working with network protocols

• Social-Engineer Toolkit(SET) - Open-source penetration testing framework designed for social engineering

• WolfPack -

• HellsGate - Original C Implementation of the Hell's Gate VX Technique

• QuickCert - Querying certificate transparency logs

• TLOSINT - Trace Labs OSINT VM

• DeHashed API Tool - CLI tool to query the DeHashed API

• autoNTDS - automation script designed to simplify the process of dumping and cracking NTDS hashes using secretsdump.py and hashcat

• PSPY - Monitor linux processes without root permissions

• ROADtools - A collection of Azure AD tools for offensive and defensive security purposes

• Dumpert - LSASS memory dumper using direct system calls and API unhooking.