Tools

This section will cover various attack tools, vectors, methods, and how we can use them, as well as what to look for to defend against them.

Many tools can be used both offensively and defensively, so seeing one being used should not immediately indicate malicious intent. For example, Nessus, is a vulnerability scanner and it can be used offensively to see what services are running, what version they are running on, and if they have any immediate known vulnerabilities and how they can be exploited. In the same, this can be used defensively to know what is vulnerable in your network and can tell you how to patch the vulnerability so it may not be exploited in that manor.

No one tool is a end all be all. There is no "One Tool to Rule Them All". Use multiple tools for the job. They can all do things differently and give information in various ways.

Terminology

APT is an acronym for Advanced Persistent Threat. This can be considered a team/group (threat group), or even country (nation-state group), that engages in long-term attacks against organizations and/or countries. FireEye's current list of APT groups can be found here.

TTP is an acronym for Tactics, Techniques, and Procedures:

The Tactic is the adversary's goal or objective.
The Technique is how the adversary achieves the goal or objective.
The Procedure is how the technique is executed.

Master list of Tools

A list of OSINT Tools can be found here

Exploitation Framework

Metasploit - C2/Exploitation Framework
Sliver - C2/Exploitation Framework
Mythic - C2/Exploitation Framework
Cobalt Strike
Havoc - malleable post-exploitation command and control framework

Post Exploitation

GraphRunner - Post-exploitation toolset for interacting with the Microsoft Graph API
- Intro to GraphRunner by BHIS
Crackmapexec - post-exploitation tool
NetExec - Another CrackMapExec

WiFi

Aircrack - WiFi penetration testing
Kismet - wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework
Bettercap - WiFi, Bluetooth Low Energy, wireless HID hijacking and IPv4 and IPv6 networks reconnaissance and MITM attacks.
HCXDumptool - capture packets from wlan devices and to discover potential weak points within WiFi networks
WiFite - WiFi penetration testing

Enumeration

GoBuster - Directory/File, DNS and VHost busting tool written in Go
Dirb/Dirbuster - Busting Tool for Web Directories
Enum4Linux - Enumerating information from Windows and Samba systems
OneDrive UserEnum - Enumerates valid OneDrive accounts
Bloodhound - Active Directory Attacks
- Cypheroth - Runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
Ldeep - ldap enumeration utility
SUCC - Queries Microsoft for a list of domains associated with an Office 365 tenant
Certipy - Tool for Active Directory Certificate Services enumeration and abuse
Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
FFUF - Fast web fuzzer written in Go
Dome - Subdomain Enumeration

Hash Cracking

Hashcat - Open-source hash cracking tool
JohnTheRipper - Open-source hash cracking tool

Vulnerability Scanners

Nessus - Vulnerability Scanner
OpenVAS - Vulnerability Scanner

Web App

BurpSuite - WebApp Pentesting Framework
OWASP Zap - WebApp Pentesting Framework

Brute Force

Hydra - Parallelized login cracker
BruteMap - BruteForce site login pages
Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.

Credential Dumping

Mimikatz - Post Exploitation Credential Dump
Pcredz - Extracts hashes from a pcap or live interface
DonPapi - Dumps DPAPI Creds
ldapdomaindump - Active Directory information dumper via LDAP
Responder - LLMNR, NBT-NS and MDNS poisoner

MitM

SETH - RDP MiTM Tool
MiTM6 - Replys to DHCPv6
NetNTLMtoSilverTicket - SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket

Payload Generation

Freeze.rs - Payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
Scarecrow - Payload creation framework designed around EDR bypass
URU - Payload generation
MSFVenom - Combination of payload generation and encoding
Mangle - manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs

Process Injection/Shellcode Loaders

Bankai - Go Shellcode loader using Windows API
ShhhLoader - Syscall Shellcode Loader
Unicorn - PowerShell downgrade attack and inject shellcode straight into memory
TikiTorch - Process Injection
Archeron - Indirect syscalls for AV/EDR evasion in Go assembly
Win11-OneDrive-DLL-Injection
LdrLibraryEx - A small x64 library to load dll's into memory.

Wordlists

Exploits Databases

Vulnerability Databases

Other

Impacket - A collection of Python classes for working with network protocols
Social-Engineer Toolkit(SET) - Open-source penetration testing framework designed for social engineering
WolfPack -
HellsGate - Original C Implementation of the Hell's Gate VX Technique
QuickCert - Querying certificate transparency logs
TLOSINT - Trace Labs OSINT VM
DeHashed API Tool - CLI tool to query the DeHashed API
autoNTDS - automation script designed to simplify the process of dumping and cracking NTDS hashes using secretsdump.py and hashcat
PSPY - Monitor linux processes without root permissions
ROADtools - A collection of Azure AD tools for offensive and defensive security purposes
Dumpert - LSASS memory dumper using direct system calls and API unhooking.

Last updated 9 months ago

Tools

This section will cover various attack tools, vectors, methods, and how we can use them, as well as what to look for to defend against them.

No one tool is a end all be all. There is no "One Tool to Rule Them All". Use multiple tools for the job. They can all do things differently and give information in various ways.

Terminology

TTP is an acronym for Tactics, Techniques, and Procedures:

The Tactic is the adversary's goal or objective.
The Technique is how the adversary achieves the goal or objective.
The Procedure is how the technique is executed.

Master list of Tools

A list of OSINT Tools can be found here

Exploitation Framework

Metasploit - C2/Exploitation Framework
Sliver - C2/Exploitation Framework
Mythic - C2/Exploitation Framework
Cobalt Strike
Havoc - malleable post-exploitation command and control framework

Post Exploitation

GraphRunner - Post-exploitation toolset for interacting with the Microsoft Graph API
- Intro to GraphRunner by BHIS
Crackmapexec - post-exploitation tool
NetExec - Another CrackMapExec

WiFi

Aircrack - WiFi penetration testing
Kismet - wireless network and device detector, sniffer, wardriving tool, and WIDS (wireless intrusion detection) framework
Bettercap - WiFi, Bluetooth Low Energy, wireless HID hijacking and IPv4 and IPv6 networks reconnaissance and MITM attacks.
HCXDumptool - capture packets from wlan devices and to discover potential weak points within WiFi networks
WiFite - WiFi penetration testing

Enumeration

GoBuster - Directory/File, DNS and VHost busting tool written in Go
Dirb/Dirbuster - Busting Tool for Web Directories
Enum4Linux - Enumerating information from Windows and Samba systems
OneDrive UserEnum - Enumerates valid OneDrive accounts
Bloodhound - Active Directory Attacks
- Cypheroth - Runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
Ldeep - ldap enumeration utility
SUCC - Queries Microsoft for a list of domains associated with an Office 365 tenant
Certipy - Tool for Active Directory Certificate Services enumeration and abuse
Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
FFUF - Fast web fuzzer written in Go
Dome - Subdomain Enumeration

Hash Cracking

Hashcat - Open-source hash cracking tool
JohnTheRipper - Open-source hash cracking tool

Vulnerability Scanners

Nessus - Vulnerability Scanner
OpenVAS - Vulnerability Scanner

Web App

BurpSuite - WebApp Pentesting Framework
OWASP Zap - WebApp Pentesting Framework

Brute Force

Hydra - Parallelized login cracker
BruteMap - BruteForce site login pages
Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.

Credential Dumping

Mimikatz - Post Exploitation Credential Dump
Pcredz - Extracts hashes from a pcap or live interface
DonPapi - Dumps DPAPI Creds
ldapdomaindump - Active Directory information dumper via LDAP
Responder - LLMNR, NBT-NS and MDNS poisoner

MitM

SETH - RDP MiTM Tool
MiTM6 - Replys to DHCPv6
NetNTLMtoSilverTicket - SpoolSample -> NetNTLMv1 -> NTLM -> Silver Ticket

Payload Generation

Freeze.rs - Payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
Scarecrow - Payload creation framework designed around EDR bypass
URU - Payload generation
MSFVenom - Combination of payload generation and encoding
Mangle - manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs

Process Injection/Shellcode Loaders

Bankai - Go Shellcode loader using Windows API
ShhhLoader - Syscall Shellcode Loader
Unicorn - PowerShell downgrade attack and inject shellcode straight into memory
TikiTorch - Process Injection
Archeron - Indirect syscalls for AV/EDR evasion in Go assembly
Win11-OneDrive-DLL-Injection
LdrLibraryEx - A small x64 library to load dll's into memory.

Wordlists

Exploits Databases

Vulnerability Databases

Other

Impacket - A collection of Python classes for working with network protocols
Social-Engineer Toolkit(SET) - Open-source penetration testing framework designed for social engineering
WolfPack -
HellsGate - Original C Implementation of the Hell's Gate VX Technique
QuickCert - Querying certificate transparency logs
TLOSINT - Trace Labs OSINT VM
DeHashed API Tool - CLI tool to query the DeHashed API
autoNTDS - automation script designed to simplify the process of dumping and cracking NTDS hashes using secretsdump.py and hashcat
PSPY - Monitor linux processes without root permissions
ROADtools - A collection of Azure AD tools for offensive and defensive security purposes
Dumpert - LSASS memory dumper using direct system calls and API unhooking.

Last updated 9 months ago