πŸ› οΈTools

This section will cover various attack tools, vectors, methods, and how we can use them, as well as what to look for to defend against them.

Many tools are dual-use, so seeing one on a host or in network traffic does not by itself indicate malicious intent. Nessus, for example, is a vulnerability scanner: used offensively, it reveals which services are running, which versions they are, and whether any have known vulnerabilities that could be exploited. Used defensively, the same scan tells you what is vulnerable in your own network and what to patch so that it cannot be exploited in that manner.

No single tool is an end-all, be-all; there is no "One Tool to Rule Them All". Use multiple tools for the job: they work differently and present information in different ways, and one will often catch what another misses.

Terminology

APT is an acronym for Advanced Persistent Threat: a team or group (threat group), or even a country (nation-state group), that engages in long-term attacks against organizations and/or countries. FireEye's (now Mandiant's) current list of APT groups can be found here.

TTP is an acronym for Tactics, Techniques, and Procedures, the three levels at which adversary behaviour is described (MITRE ATT&CK uses the same breakdown):

  • The Tactic is the adversary's goal or objective, the "why" of an action (for example, credential access).

  • The Technique is how the adversary achieves that goal (for example, dumping operating-system credentials).

  • The Procedure is the specific implementation of the technique, down to the tool and steps used (for example, dumping LSASS memory with Mimikatz).

Master list of Tools

A list of OSINT Tools can be found here

Exploitation Framework

Post Exploitation

WiFi

Enumeration

  • GoBuster - Directory/File, DNS and VHost busting tool written in Go

  • Dirb/Dirbuster - Busting Tool for Web Directories

  • Enum4Linux - Enumerates information from Windows and Samba systems

  • OneDrive UserEnum - Enumerates valid OneDrive accounts

  • BloodHound - Active Directory attack-path mapping (collects AD relationships and graphs them in Neo4j)

    • Cypheroth - Runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.

  • Ldeep - LDAP enumeration utility

  • SUCC - Queries Microsoft for a list of domains associated with an Office 365 tenant

  • Certipy - Tool for Active Directory Certificate Services enumeration and abuse

  • Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.

  • FFUF - Fast web fuzzer written in Go

  • Dome - Subdomain Enumeration

Hash Cracking

Vulnerability Scanners

Web App

Brute Force

  • Hydra - Parallelized login cracker

  • BruteMap - BruteForce site login pages

  • Legba - A multiprotocol credentials bruteforcer / password sprayer and enumerator.
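
Hydra and Legba look like any other client from the server's side, so the defensive check for them lives in the authentication logs. The detector below is an added example, not code from the original page or from either project; it assumes a constructed log format (ISO timestamp, OK/FAIL, username, source IP) and flags the two shapes these tools produce: a spray (one source, many accounts, one or two tries each) and a brute force (one source, one account, many tries). It then escalates when a success follows either burst from the same source, which is the event actually worth paging on.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Assumed format:
# <ISO timestamp> <OK|FAIL> <username> <source IP>
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL alice 203.0.113.7
2024-03-01T09:00:02 FAIL bob 203.0.113.7
2024-03-01T09:00:03 FAIL carol 203.0.113.7
2024-03-01T09:00:04 FAIL dave 203.0.113.7
2024-03-01T09:00:05 FAIL erin 203.0.113.7
2024-03-01T09:00:06 OK frank 203.0.113.7
2024-03-01T09:00:10 FAIL alice 198.51.100.9
2024-03-01T09:00:11 FAIL alice 198.51.100.9
2024-03-01T09:00:12 FAIL alice 198.51.100.9
2024-03-01T09:00:13 FAIL alice 198.51.100.9
2024-03-01T09:00:14 FAIL alice 198.51.100.9
2024-03-01T09:30:00 FAIL bob 192.0.2.44
2024-03-01T09:31:00 OK bob 192.0.2.44
"""


def parse_log(text):
    """Parse the constructed log format into sorted (timestamp, result, user, src) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, result, user, src = line.split()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return sorted(events)


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return {source_ip: sorted findings}.

    password_spray:       >= spray_users distinct accounts fail from one source within window
    brute_force:          >= brute_attempts failures against one account from one source within window
    success_after_attack: a successful login from a flagged source within window of the burst
    """
    findings = defaultdict(set)
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        for i, start in enumerate(fails):
            # Sliding window anchored at each failure from this source
            in_win = [f for f in fails[i:] if f[0] - start[0] <= window]
            per_user = defaultdict(int)
            for f in in_win:
                per_user[f[2]] += 1
            if len(per_user) >= spray_users:
                findings[src].add("password_spray")
            if max(per_user.values()) >= brute_attempts:
                findings[src].add("brute_force")
            if findings.get(src):
                # A success from the same source shortly after the burst means a guess may have landed
                for e in evs:
                    if e[1] == "OK" and start[0] <= e[0] <= start[0] + window:
                        findings[src].add("success_after_attack")
    return {src: sorted(f) for src, f in findings.items()}


def analyze(text=SAMPLE_LOG):
    """Run the detector over a log text; the default is the constructed sample above."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for src, hits in analyze().items():
        print(src, ", ".join(hits))
```

The thresholds are deliberately low for the sample; in production tune `window`, `spray_users` and `brute_attempts` against your own baseline, and key the spray check on the source as seen behind any NAT or proxy, since a spray from a cloud egress range may otherwise hide among legitimate users sharing that address.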

Credential Dumping

  • Mimikatz - Post-exploitation credential dumping (LSASS secrets, tickets, and more)

  • Pcredz - Extracts hashes from a pcap or live interface

  • DonPapi - Dumps DPAPI Creds

  • ldapdomaindump - Active Directory information dumper via LDAP

  • Responder - LLMNR, NBT-NS and MDNS poisoner
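
Responder works by answering LLMNR (and NBT-NS/mDNS) name queries with its own address, which is also what makes it detectable: query a canary hostname that has no legitimate owner, and anything that answers is a poisoner. The probe below is an added example, not Responder's own code or anything from the original page. LLMNR reuses the DNS message format (RFC 4795), so the core is a minimal DNS wire-format encoder/decoder; the canary name, the transaction IDs, the timeout and the constructed poisoned reply used for the offline run are all assumptions made here.

```python
import socket
import struct

# LLMNR reuses the DNS message format (RFC 4795) over UDP 5355 to a link-local multicast group.
LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355
TYPE_A, CLASS_IN = 1, 1
FLAG_RESPONSE = 0x8000


def encode_name(name):
    """DNS wire-format name: length-prefixed labels terminated by a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, txid):
    """Standard LLMNR A query: header (ID, flags=0, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", TYPE_A, CLASS_IN)


def decode_name(pkt, off):
    """Decode a name at offset off, following compression pointers; return (name, next_offset)."""
    labels, end = [], None
    while True:
        ln = pkt[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: 14-bit offset into the packet
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(pkt[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_message(pkt):
    """Parse the header, questions and A-record answers of an LLMNR/DNS message."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(pkt, off)
        qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            answers.append((name, socket.inet_ntoa(pkt[off:off + 4])))
        off += rdlen
    return {"id": txid, "is_response": bool(flags & FLAG_RESPONSE),
            "questions": questions, "answers": answers}


def poisoned_ips(canary, pkt, txid):
    """IPs that claim to own the canary name, or None if pkt is not a response to our query.
    The canary has no legitimate owner, so any non-empty list means LLMNR is being poisoned."""
    msg = parse_message(pkt)
    if not msg["is_response"] or msg["id"] != txid:
        return None
    return [ip for name, ip in msg["answers"] if name.lower() == canary.lower()]


def constructed_poisoned_reply(query, attacker_ip):
    """Constructed for the offline demo (not captured traffic): a reply to `query` that answers
    the question name with attacker_ip, using a compression pointer back to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, FLAG_RESPONSE, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 30, 4) + socket.inet_aton(attacker_ip)
    return header + query[12:] + answer


def send_probe(canary, txid=0x4242, timeout=2.0):
    """Live check: multicast the canary query and collect poisoned answers as (sender, [ips])."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    s.settimeout(timeout)
    s.sendto(build_query(canary, txid), (LLMNR_GROUP, LLMNR_PORT))
    hits = []
    try:
        while True:
            pkt, (sender, _port) = s.recvfrom(2048)
            ips = poisoned_ips(canary, pkt, txid)
            if ips:
                hits.append((sender, ips))
    except socket.timeout:
        pass
    finally:
        s.close()
    return hits


if __name__ == "__main__":
    q = build_query("canary-host", 0xBEEF)
    print(poisoned_ips("canary-host", constructed_poisoned_reply(q, "10.0.0.66"), 0xBEEF))
```

Run `send_probe("some-name-that-does-not-exist")` from a host on each segment on a schedule; the sender address of any hit is the poisoner. Pick a canary that is guaranteed absent from DNS as well, so a genuine LLMNR responder never answers it. The stronger fix is to disable LLMNR and NBT-NS via group policy so there is nothing to poison, and to keep this probe as a check that the policy actually applied.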

MitM

Payload Generation

  • Freeze.rs - Payload toolkit for bypassing EDRs using suspended processes and direct syscalls, written in Rust

  • Scarecrow - Payload creation framework designed around EDR bypass

  • URU - Payload generation

  • MSFVenom - Combination of payload generation and encoding

  • Mangle - Manipulates aspects of compiled executables (.exe or DLL) to avoid detection by EDRs

Process Injection/Shellcode Loaders

Wordlists

Exploits Databases

Vulnerability Databases

Other

  • Impacket - A collection of Python classes for working with network protocols

  • Social-Engineer Toolkit(SET) - Open-source penetration testing framework designed for social engineering

  • HellsGate - Original C Implementation of the Hell's Gate VX Technique

  • QuickCert - Querying certificate transparency logs

  • TLOSINT - Trace Labs OSINT VM

  • DeHashed API Tool - CLI tool to query the DeHashed API

  • autoNTDS - automation script designed to simplify the process of dumping and cracking NTDS hashes using secretsdump.py and hashcat

  • PSPY - Monitor Linux processes without root permissions

  • ROADtools - A collection of Azure AD (now Entra ID) tools for offensive and defensive security purposes

  • Dumpert - LSASS memory dumper using direct system calls and API unhooking.
