My Starred Repositories

With my repository Pentest-tools the idea was to use this as an alternative search for useful repositories, as the stars section has limited filter capabilities on Github. The additional information of the description is really helpfull here, so that's why I created ths original repo. It's possible there to just search for content via STRG + F and find more than with the default filter settings. Doing the categorzation however was lot of efford manually.

This is on the other hand side way faster and automated:

import requests

github_username = "<username>"  # Replace with your GitHub username

def get_starred_repos(username):
    starred_repos = []
    page = 1
    per_page = 100
    
    while True:
        url = f"https://api.github.com/users/{username}/starred?per_page={per_page}&page={page}"
        try:
            response = requests.get(url) 
            if response.status_code == 403:
                print("API rate limit exceeded. Stopping further requests.")
                break
            if response.status_code != 200:
                print(f"Error fetching starred repositories. Status code: {response.status_code}")
                print(f"Response content: {response.content}")
                break
            
            data = response.json()
            if not data:
                break
            
            for repo in data:
                starred_repos.append({
                    "name": repo["name"],
                    "url": repo["html_url"],
                    "description": repo.get("description", "No description provided.")
                })
            
            page += 1
        except requests.exceptions.RequestException as e:
            print(f"Request failed: {e}")
            break
    
    return starred_repos

def save_readme(starred_repos):
    readme_content = "# My Starred Repositories\n\n"
    for repo in starred_repos:
        readme_content += f"- [{repo['name']}]({repo['url']}): {repo['description']}\n"
    
    with open("README.md", "w", encoding="utf-8") as f:
        f.write(readme_content)
    print("README.md has been created in the current working directory.")

if __name__ == "__main__":
    starred_repos = get_starred_repos(github_username)
    if starred_repos:
        save_readme(starred_repos)

With authentication it can be extended to also e.G. filter by language, add the repo README content up to line x or whatever. But for now and 5 minutes effort I'm happy with this :-)

PowerChell: A PowerShell console in C/C++ with all the security features disabled
WebcamBOF: Webcam capture capability for Cobalt Strike as a BOF, with in-memory download options
pool_party_rs: remote process injections using pool party techniques
susinternals: psexecsvc - a python implementation of PSExec's native service implementation
vxlang-page: protector & obfuscator & code virtualizer
GraphPreConsentExplorer: A comprehensive list of usable Entra ID first-party clients with pre-consented Microsoft Graph scopes, in a simple YAML-file explorable with a simple HTML GUI.
BinaryShield: An x86-64 Code Virtualizer
adfstoolkit: None
Invoke-ArgFuscator: Invoke-ArgFuscator is an open-source, cross-platform PowerShell module that helps generate obfuscated command-lines for common system-native executables.
TermsrvPatcher: Patch termsrv.dll so that multiple remote users can open an RDP session on a non-Windows Server computer
msuserstats: msuserstats is a comprehensive Powershell tool to manage accounts from Microsoft Entra ID and Active Directory. It supports: a unified view on users across Entra ID and AD; allows to find the latest sign-in from both worlds and mark inactive users; reports on MFA methods and can support enforcement of MFA.
ChgPass: None
WinEventHooks: SetWinEventHook Sample
PPL-0day: Demoting PPL anti-malware services to less than a guest user
Stuxnet: WMI virus, because funny
awesome-tunneling: List of ngrok/Cloudflare Tunnel alternatives and other tunneling software and services. Focus on self-hosting.
EvilBurp: Automated Evilginx phishlet creator Extension for Burpsuite
speedloader: Rust template/library for implementing your own COFF loader
AdaptixC2: None
BRC4-BOF-Artillery: None
Being-A-Good-CLR-Host: None
wsgidav: A generic and extendable WebDAV server based on WSGI
Krueger: Proof of Concept (PoC) .NET tool for remotely killing EDR with WDAC
APEX: Azure Post Exploitation Framework
GraphSpy: Initial Access and Post-Exploitation Tool for AAD and O365 with a browser-based GUI
AssemblyHunter: Find .net assemblies locally
ClickonceHunter: Golang search engine scraper intended for identification of published ClickOnce deployments
RedTeamScripts: Just some random Red Team Scripts that can be useful
StoneKeeper: StoneKeeper C2, an experimental EDR evasion framework for research purposes
RustPotato: A Rust implementation of GodPotato — abusing SeImpersonate to gain SYSTEM privileges. Includes a TCP-based reverse shell and indirect NTAPI for various operations.
badsecrets: A library for detecting known secrets across many web frameworks
PoCEntraDeviceComplianceBypass: Simple pure PowerShell POC to bypass Entra / Intune Compliance Conditional Access Policy
SharpExShell: SharpExShell automates the DCOM lateral movment technique which abuses ActivateMicrosoftApp method of Excel application.
OUned: The OUned project automating Active Directory Organizational Units ACL exploitation through gPLink poisoning
RustSoliloquy: A Rust implementation of Internal-Monologue — retrieving NetNTLM hashes without touching LSASS, leveraging SSPI for NTLM negotiation and indirect NTAPIs for core operations.
Shrike: Hunting and injecting RWX 'mockingjay' DLLs in pure nim
FileRenameJunctionsEDRDisable: None
PPLKiller: Tool to bypass LSA Protection (aka Protected Process Light)
DCOMUploadExec: DCOM Lateral movement POC abusing the IMsiServer interface - uploads and executes a payload remotely
CVE-2024-40711-Exp: CVE-2024-40711-exp
ldapx: Flexible LDAP proxy that can be used to inspect & transform all LDAP packets generated by other tools on the fly.
SharpSAMDump: SAM Dumping in C#
Awesome_Malware_Techniques: This is a repository of resource about Malware techniques
PSXecute: 32bit MIPS I VM to execute payloads without allocating executable memory. Based on a PlayStation 1 (PSX) Emulator.
NativeBypassCredGuard: Bypass Credential Guard by patching WDigest.dll using only NTAPI functions
Eclipse: Activation Context Hijack
Enumprotections_BOF: A BOF to enumerate system process, their protection levels, and more.
GetSystem-LCI: GetSystem-LCI is a PowerShell script to escalate privileges from Administrator to NT AUTHORITY\SYSTEM by abusing LanguageComponentsInstaller.
ShadowHound: PowerShell scripts for alternative SharpHound enumeration, including users, groups, computers, and certificates, using the ActiveDirectory module (ADWS) or System.DirectoryServices class (LDAP).
KrbRelayEx: None
Mythic_NimSyscallPacker_Wrapper: Mythic C2 wrapper for NimSyscallPacker
Hannibal: A Mythic Agent written in PIC C.
in-memory-cpython: An In-memory Embedding of CPython
PowerHuntShares: PowerHuntShares is an audit script designed in inventory, analyze, and report excessive privileges configured on Active Directory domains.
Exploit-Street: Complete list of LPE exploits for Windows (starting from 2023)
CVE-2024-30090: CVE-2024-30090 - LPE PoC
CVE-2024-30088: None
windows-learning: None
Citrix-Virtual-Apps-XEN-Exploit: Citrix Virtual Apps and Desktops (XEN) Unauthenticated RCE
UnXorStringsNet: Deobfuscation of XorStringsNet
HostedPumpkin: Submission, compilation and execution of C# code snippets, using an unmanaged CLR Host
Cable: .NET post-exploitation toolkit for Active Directory reconnaissance and exploitation
evilginx-collection: Public repo of some woking evilginx phishlets
RustVEHSyscalls: A Rust port of LayeredSyscall — performs indirect syscalls while generating legitimate API call stack frames by abusing VEH.
assortedFunctionsV2: None
EmbedPayloadInPng: Embed a payload inside a PNG file
SCCMVNC: A tool to modify SCCM remote control settings on the client machine, enabling remote control without permission prompts or notifications. This can be done without requiring access to SCCM server.
USBArmyKnife: USB Army Knife – the ultimate close access tool for penetration testers and red teamers.
XrMT: e(X)tensiable (Rust) Malware Toolkit: (Soon!) Full Featured Rust C2 Framework with Awesome Features!
LsassReflectDumping: This tool leverages the Process Forking technique using the RtlCreateProcessReflection API to clone the lsass.exe process. Once the clone is created, it utilizes MINIDUMP_CALLBACK_INFORMATION callbacks to generate a memory dump of the cloned process
SQLRecon: A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
Invoke-SessionHunter: Retrieve and display information about active user sessions on remote computers. No admin privileges required.
RemoteSessionEnum: Remotely Enumerate sessions using undocumented Windows Station APIs
KrbRelay-SMBServer: None
Rustic64Shell: A 64-bit, position-independent code reverse TCP shell for Windows — built in Rust.
RustiveDump: LSASS memory dumper using only NTAPIs, creating a minimal minidump. It can be compiled as shellcode (PIC), supports XOR encryption, and remote file transmission.
Slhasher: None
noldr: Dynamically resolve API function addresses at runtime in a secure manner.
GlobalUnProtect: Decrypt GlobalProtect configuration and cookie files.
PPLrevenant: Bypass LSA protection using the BYODLL technique
bite: Disassembler focused on comprehensive rust support.
microseh: Structured Exception Handling (SEH) for Rust
encrust: Rust crate to obfuscate strings and byte arrays so they are not in memory when not in use.
dynimp: extended version of razy_importer-macros
razy_importer: Rust implementation of lazy_importer
rust-obfuscator: Automatic Rust Obfuscator and Macro Library
guardian-rs: x86-64 code/pe virtualizer
COMThanasia: A set of programs for analyzing common vulnerabilities in COM
enumhandles_BOF: None
solstice: PE loader for @carrot_c4k3's GameScript Xbox One exploit
WindowsDowndate: A tool that takes over Windows Updates to craft custom downgrades and expose past fixed vulnerabilities
exe-rs: The PE Executable Library, but for Rust!
CVE-2024-44083: Makes IDA (most versions) to crash upon opening it.
VectoredExceptionHandling: None
Advanced_Initial_access_in_2024_OffensiveX: Resources linked to my presentation at OffensiveX in Athens in June 2024 on the topic "Breach the Gat, Advanced Initial Access in 2024"
PatchlessCLRLoader: .NET assembly loader with patchless AMSI and ETW bypass
koppeling-p: Adaptive DLL hijacking / dynamic export forwarding - EAT preserve
contexter: Contexter - A secondary context path traversal / server-side parameter pollution testing tool written in Python 3
EmbedExeLnk-: EmbedExeLnk by x86matthew modified by d4rkiZ
RpcProxyInvoke: Simple POC library to execute arbitrary calls proxying them via NdrServerCall2 or similar
DriverJack: Hijacking valid driver services to load arbitrary (signed) drivers abusing native symbolic links and NT paths
Maestro: Abusing Intune for Lateral Movement over C2
Graphpython: Modular cross-platform Microsoft Graph API (Entra, o365, and Intune) enumeration and exploitation toolkit
Shwmae: None
Invoke-Maldaptive: MaLDAPtive is a framework for LDAP SearchFilter parsing, obfuscation, deobfuscation and detection.
MultiDump: MultiDump is a post-exploitation tool for dumping and extracting LSASS memory discreetly.
eop24-26229: A firebeam plugin that exploits the CVE-2024-26229 vulnerability to perform elevation of privilege from a unprivileged user
shadow-rs: Windows Kernel Rootkit in Rust
smbtakeover: BOF and Python3 implementation of technique to unbind 445/tcp on Windows via SCM interactions
Arcane: Arcane - A secure remote desktop application for Windows with the particularity of having a server entirely written in PowerShell and a cross-platform client (Python/QT6).
ArbitraryDirectoryDeletion: From directory deletion to SYSTEM shell
Disable-TamperProtection: A POC to disable TamperProtection and other Defender / MDE components
specula: None
SharpSelfDelete: PoC to self-delete a binary in C#
NativeDump: Dump lsass using only NTAPI functions by hand-crafting Minidump files (without MiniDumpWriteDump!!!)
thread_namecalling: Process Injection using Thread Name
riscy-business: RISC-V Virtual Machine
KeyCredentialLink: Add Shadow Credentials to a target object by editing their msDS-KeyCredentialLink attribute
Invoke-ShareHunter: Enumerate the Domain for Readable and Writable Shares
Amnesiac: Amnesiac is a post-exploitation framework entirely written in PowerShell and designed to assist with lateral movement within Active Directory environments
bofhound: Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel
WerTrigger: Weaponizing for privileged file writes bugs with windows problem reporting
IHxExec: Process injection alternative
MSC_Dropper: None
EDRPrison: Leverage a legitimate WFP callout driver to prevent EDR agents from sending telemetry
runpe-x64: RunPE adapted for x64 and written in C, does not use RWX
C2: A basic C2 framework written in C
ghostwriting-2: A process injection technique using only thread context manipulation
cave_miner: Search for code cave in all binaries
CaveCarver: CaveCarver - PE backdooring tool which utilizes and automates code cave technique
Red-team-Interview-Questions: Red team Interview Questions
ETWListicle: List the ETW provider(s) in the registration table of a process.
ImmoralFiber: Two new offensive techniques using Windows Fibers: PoisonFiber (The first remote enumeration & Fiber injection capability POC tool) PhantomThread (An evolved callstack-masking implementation)
BlueToolkit: BlueToolkit is an extensible Bluetooth Classic vulnerability testing framework that helps uncover new and old vulnerabilities in Bluetooth-enabled devices. Could be used in the vulnerability research, penetration testing and bluetooth hacking. We also collected and classified Bluetooth vulnerabilities in an "Awesome Bluetooth Security" way
GhostWriting: GhostWriting Injection Technique.
shrink: LZSS/RLE compression library - for making big things small and then back again, or big things slightly bigger...
atexec-pro: Fileless atexec, no more need for port 445
profiler-lateral-movement: Lateral Movement via the .NET Profiler
ItsNotASecurityBoundary: None
deoptimizer: Evasion by machine code de-optimization.
RemoteKrbRelay: Remote Kerberos Relay made easy! Advanced Kerberos Relay Framework
ScriptBlock-Smuggling: Example code samples from our ScriptBlock Smuggling Blog post
Dumpy: Reuse open handles to dynamically dump LSASS.
Bin-Finder: Detect EDR's exceptions by inspecting processes' loaded modules
rust_tips_and_tricks: Rust For Windows Cheatsheet
EPI: Threadless Process Injection through entry point hijacking
TrollDump: None
TrollAMSI: None
wstunnel: Tunnel all your traffic over Websocket or HTTP2 - Bypass firewalls/DPI - Static binary available
Packer_Development: Slides & Code snippets for a workshop held @ x33fcon 2024
QRucible: Python utility that generates "imageless" QR codes in various formats
XSScope: XSScope is one of the most powerful and advanced GUI Framework for Modern Browser exploitation via XSS.
CVE-2024-26229: CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
conpass: Continuous password spraying tool
PsMapExec: A PowerShell tool that takes strong inspiration from CrackMapExec / NetExec
coffee: A COFF loader made in Rust
airborne: Shellcode reflective DLL injection in Rust
MDE_Enum: comprehensive .NET tool designed to extract and display detailed information about Windows Defender exclusions and Attack Surface Reduction (ASR) rules without Admin privileges
NimProtect: A tiny macro library for protecting sensitive strings in compiled binaries
nim_for_hackers2: slides for talk given during uscg 2023 combine
The_Shelf: Retired TrustedSec Capabilities
ChromeKatz: Dump cookies and credentials directly from Chrome/Edge process memory
EagleVM: Native code virtualizer for x64 binaries
UAC-Bypass: UAC Bypass via CMUACUtil & PEB Enumeration, Undetected for now.
RelabelAbuse: None
JS-Tap: JavaScript payload and supporting software to be used as XSS payload or post exploitation implant to monitor users as they use the targeted application. Also includes a C2 for executing custom JavaScript payloads in clients, and a "mimic" feature that automatically generates custom payloads.
PPLSystem: None
TrollUAC: None
ETWInspector: None
malware: malware written for educational purposes
IP-Hunter: Hunt for C2 servers and phishing web sites using VirusTotal API , you can modify code to kill the malicious process
min-sized-rust: 🦀 How to minimize Rust binary size 📦
writing_nimless: Writing Nimless Nim - Slides and source for BSIDESKC 2024 talk.
vmprotect-3.5.1: None
Rusty-Playground: Some Rust program I wrote while learning Malware Development
CSharpSourceObfuscator: A C# Solution Source Obfuscator for avoiding AV signatures with minimal user interaction. Powered by the Roslyn C# library.
okta-terrify: Okta Verify and Okta FastPass Abuse Tool
KExecDD: Admin to Kernel code execution using the KSecDD driver
TierZeroTable: Table of AD and Azure assets and whether they belong to Tier Zero
evilarc: Create tar/zip archives that can exploit directory traversal vulnerabilities
AutoAppDomainHijack: Automated .NET AppDomain hijack payload generation
Cave-Finder: Tool to find code cave in PE image (x86 / x64) - Find empty space to place code in PE files
CortexVortex: None
lsa-whisperer: Tools for interacting with authentication packages using their individual message protocols
pocs: My Proof of Concept code for different publicly disclosed vulnerabilities
IronSharpPack: IronSharpPack is a repo of popular C# projects that have been embedded into IronPython scripts that execute an AMSI bypass and then reflective load the C# project.
spam-asm-x86: Rust procedural macro to insert a few asm! calls full of junk instructions in between every line of code.
HTML-Guard: Protect your web-application with Dynamic Style Loading and Real-Time Obfuscation. Easy to use!
obfus.h: Macro-header for compile-time C obfuscation (tcc, win x86/x64)
Lsass-Shtinkering: None
interceptor: Sample Rust Hooking Engine
EventViewer-UACBypass: 🍊 Orange Tsai EventViewer RCE
SQL-BOF: Library of BOFs to interact with SQL servers
PrivKit: PrivKit is a simple beacon object file that detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
msportals.io: MSPortals.io - Microsoft Administrator Sites, Training, and Licensing Resources
SharpConflux: None
CVE-2024-1086: Universal local privilege escalation Proof-of-Concept exploit for CVE-2024-1086, working on most Linux kernels between v5.14 and v6.6, including Debian, Ubuntu, and KernelCTF. The success rate is 99.4% in KernelCTF images.
ccmpwn: None
CLRInjector: A PoC .NET-specific process injection tool
nimvoke: Indirect syscalls + DInvoke made simple.
CloudInject: None
bypass-clm: PowerShell Constrained Language Mode Bypass
SspiUacBypass: Bypassing UAC with SSPI Datagram Contexts
GamingServiceEoP: None
Misconfiguration-Manager: Misconfiguration Manager is a central knowledge base for all known Microsoft Configuration Manager tradecraft and associated defensive and hardening guidance.
ADCSCoercePotato: None
windows: Windows inside a Docker container.
Unwinder: Call stack spoofing for Rust
Shelter: ROP-based sleep obfuscation to evade memory scanners
RustPacker: Template-based shellcode packer written in Rust, with indirect syscall support. Made with <3 for pentesters.
Embedder: Embedder is a collection of sources in different languages to embed Python interpreter with minimal dependencies
RustRedOps: 🦀 | RustRedOps is a repository for advanced Red Team techniques and offensive malware, focused on Rust
UAC-BOF-Bonanza: Collection of UAC Bypass Techniques Weaponized as BOFs
SharpADWS: Active Directory reconnaissance and exploitation for Red Teams via the Active Directory Web Services (ADWS).
NativeThreadpool: Work, timer, and wait callback example using solely Native Windows APIs.
BadExclusionsNWBO: BadExclusionsNWBO is an evolution from BadExclusions to identify folder custom or undocumented exclusions on AV/EDR
LdrLockLiberator: For when DLLMain is the only way
ThievingFox: None
Win32_Offensive_Cheatsheet: Win32 and Kernel abusing techniques for pentesters
SeeYouCM-Thief: None
SOAPHound: SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
frameless-bitb: A new approach to Browser In The Browser (BITB) without the use of iframes, allowing the bypass of traditional framebusters implemented by login pages like Microsoft and the use with Evilginx.
clroxide: A rust library that allows you to host the CLR and execute dotnet binaries.
LOLSpoof: An interactive shell to spoof some LOLBins command line
spotube: 🎧 Open source Spotify client that doesn't require Premium nor uses Electron! Available for both desktop & mobile!
avred: Analyse your malware to surgically obfuscate it
uac-bypass-oneliners: Collection of one-liners to bypass User Account Control (UAC) in Windows. These techniques exploit certain behavior in Windows applications to elevate privileges.
RequestAADRefreshToken: None
aad_prt_bof: None
BobTheSmuggler: "Bob the Smuggler": A tool that leverages HTML Smuggling Attack and allows you to create HTML files with embedded 7z/zip archives. The tool would compress your binary (EXE/DLL) into 7z/zip file format, then XOR encrypt the archive and then hides inside PNG/GIF image file format (Image Polyglots).
DDSpoof: DDSpoof is a tool that enables DHCP DNS Dynamic Update attacks against Microsoft DHCP servers in AD environments.
cuddlephish: Weaponized Browser-in-the-Middle (BitM) for Penetration Testers
Modlishka: Modlishka. Reverse Proxy.
DirtyCLR: An App Domain Manager Injection DLL PoC on steroids
Handly: Abuse leaked token handles.
redteam-research: Collection of PoC and offensive techniques used by the BlackArrow Red Team
WMIProcessWatcher: A CIA tradecraft technique to asynchronously detect when a process is created using WMI.
Marble: The CIA's Marble Framework is designed to allow for flexible and easy-to-use obfuscation when developing tools.
Christmas: None
EDRSilencer: A tool uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server.
SneakyRun: Some stuff for PHD2021
ThreadlessInject-C-Implementation: This repository implements Threadless Injection in C
Cloudflare-Redirector: Just another C2 Redirector using CloudFlare.
obfuscator: PE bin2bin obfuscator
PoolPartyBof: A beacon object file implementation of PoolParty Process Injection Technique.
pacu: The AWS exploitation framework, designed for testing the security of Amazon Web Services environments.
POSTDump: None
PoolParty: A set of fully-undetectable process injection techniques abusing Windows Thread Pools
IoctlHunter: IoctlHunter is a command-line tool designed to simplify the analysis of IOCTL calls made by userland software targeting Windows drivers.
AceLdr: Cobalt Strike UDRL for memory scanner evasion.
SharpTokenFinder: C# implementation of TokenFinder. Steal M365 access tokens from Office Desktop apps
ServiceMove-BOF: New lateral movement technique by abusing Windows Perception Simulation Service to achieve DLL hijacking code execution.
Kerbeus-BOF: BOF for Kerberos abuse (an implementation of some important features of the Rubeus).
pre2k: None
NtlmThief: Extracting NetNTLM without touching lsass.exe
BestEdrOfTheMarket: AV/EDR Evasion Lab for Training & Learning Purposes
RagingRotator: A tool for carrying out brute force attacks against Office 365, with built in IP rotation use AWS gateways.
badgerDAPS: Brute Ratel LDAP filtering and sorting tool. Easily take BR log output and pull hostnames for ease of use with other red team tooling. Supports OU filtering and removes disabled hosts.
pyGPOAbuse: Partial python implementation of SharpGPOAbuse
.NetConfigLoader: .net config loader
goldberg: A Rust-based obfuscation macro library!
No-Consolation: A BOF that runs unmanaged PEs inline
SharpVeeamDecryptor: Decrypt Veeam database passwords
LdrLibraryEx: A small x64 library to load dll's into memory.
GhostTask: A tool employs direct registry manipulation to create scheduled tasks without triggering the usual event logs.
legba: A multiprotocol credentials bruteforcer / password sprayer and enumerator. 🥷
Proxy-DLL-Loads: A proof of concept demonstrating the DLL-load proxying using undocumented Syscalls.
Cookie-and-Handle-Stealer: C or BOF file to extract WebKit master key to decrypt user cookie
NovaLdr: Threadless Module Stomping In Rust with some features (In memory of those murdered in the Nova party massacre)
GraphRunner: A Post-exploitation Toolset for Interacting with the Microsoft Graph API
LinikatzV2: linikatz is a tool to attack AD on UNIX
nimHeapEnc: Heap encryption in Nim
perfect-loader: Load a dynamic library from memory by modifying the native Windows loader
LatLoader: PoC module to demonstrate automated lateral movement with the Havoc C2 framework.
SetProcessInjection: None
SealighterTI: Combining Sealighter with unpatched exploits to run the Threat-Intelligence ETW Provider
psinline: in-process powershell runner for BRC4
pyLDAPWordlistHarvester: A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
Brute-Ratel-C4-Community-Kit: This repository contains scripts, configurations and deprecated payload loaders for Brute Ratel C4 (https://bruteratel.com/)
PowerAL: A Powershell module that helps you identify AppLocker weaknesses
ETWProcessMon2: ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.
Offensive_tools: None
bofhound: Generate BloodHound compatible JSON from logs written by ldapsearch BOF, pyldapsearch and Brute Ratel's LDAP Sentinel
Nimperiments: Various one-off pentesting projects written in Nim. Updates happen on a whim.
EDRSandblast-GodFault: EDRSandblast-GodFault
Conferences: None
ModuleStomping: https://blog.f-secure.com/hiding-malicious-code-with-module-stomping/
ModuleShifting: Stealthier variation of Module Stomping and Module Overloading injection techniques that reduces memory IoCs. Implemented in Python ctypes
TGSThief: My implementation of the GIUDA project in C++
wsnet-dotnet: None
DllNotificationInjection: A POC of a new “threadless” process injection technique that works by utilizing the concept of DLL Notification Callbacks in local and remote processes.
ContainYourself: A PoC of the ContainYourself research presented in DEFCON 31, which abuses the Windows containers framework to bypass EDRs.
RDPassSpray: Python3 tool to perform password spraying using RDP
RandomTSScripts: Collection of random RedTeam scripts.
gssapi-abuse: A tool for enumerating potential hosts that are open to GSSAPI abuse within Active Directory networks
SpamChannel: Spoof emails from any of the +2 Million domains using MailChannels (DEFCON 31 Talk)
power-pwn: An offensive security toolset for Microsoft 365 focused on Microsoft Copilot, Copilot Studio and Power Platform
stego-playground: None
SharpSQLPwn: C# tool to identify and exploit weaknesses within MSSQL instances in Active Directory environments
SQLRecon: A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
BloodHound: Six Degrees of Domain Admin
CVE-2023-3519: RCE exploit for CVE-2023-3519
reinschauer: it is very good
KRBUACBypass: UAC Bypass By Abusing Kerberos Tickets
Shoggoth: Shoggoth: Asmjit Based Polymorphic Encryptor
dcomhijack: Lateral Movement Using DCOM and DLL Hijacking
msi-search: None
sysplant: Your syscall factory
ShellGhost: A memory-based evasion technique which makes shellcode invisible from process start to end.
Invoke-Pre2kSpray: Enumerate domain machine accounts and perform pre2k password spraying.
TeamsPhisher: Send phishing messages and attachments to Microsoft Teams users
BOFMask: None
adPEAS: Powershell tool to automate Active Directory enumeration.
Jormungandr: Jormungandr is a kernel implementation of a COFF loader, allowing kernel developers to load and execute their COFFs in the kernel.
NimExec: Fileless Command Execution for Lateral Movement in Nim
WindowsDefenderTools: Tools for instrumenting Windows Defender's mpengine.dll
CS_COFFLoader: None
PageSplit: Splitting and executing shellcode across multiple pages
Steganim: None
PICDumper: None
CVE-2023-29343: None
Vulnerability_PoC: None
Banshee: Experimental Windows x64 Kernel Rootkit with anti-rootkit evasion features.
DavRelayUp: DavRelayUp - a universal no-fix local privilege escalation in domain-joined windows workstations where LDAP signing is not enforced (the default settings).
Neo-reGeorg: Neo-reGeorg is a project that seeks to aggressively refactor reGeorg
LightsOut: Generate an obfuscated DLL that will disable AMSI & ETW
Ruy-Lopez: None
HiddenDesktop: HVNC for Cobalt Strike
NimRekey: None
file-archiver-in-the-browser: None
NixImports: A .NET malware loader, using API-Hashing to evade static analysis
keepass-password-dumper: Original PoC for CVE-2023-32784
ADCSKiller: An ADCS Exploitation Automation Tool Weaponizing Certipy and Coercer
PPLFault: None
resocks: mTLS-Encrypted Back-Connect SOCKS5 Proxy
sccmhunter: None
Freeze.rs: Freeze.rs is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls written in RUST
ETWHash: C# POC to extract NetNTLMv1/v2 hashes from ETW provider
RandomPOCs: Repo that holds random POCs
PyFuscation: Obfuscate powershell scripts by replacing Function names, Variables and Parameters.
OffensiveCpp: This repo contains C/C++ snippets that can be handy in specific offensive scenarios.
Custom-BloodHound-Queries: None
process-cloning: The Definitive Guide To Process Cloning on Windows
Hunt-Weird-Syscalls: ETW based POC to identify direct and indirect syscalls
GpuDecryptShellcode: XOR decrypting shellcode using the GPU with OpenCL.
HookDump: Security product hook detection
PowerShell-Obfuscation-Bible: A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
GodPotato: None
drivers-binaries: Exploitable drivers, you know what I mean
LOLDrivers: Living Off The Land Drivers
NewPowerDNS: Updated version of PowerDNS by @domchell. Adds support for transfers over DNS A records and a few other useful features.
ShellcodeStdio: An extensible framework for easily writing compiler optimized position independent x86 / x64 shellcode for windows platforms.
kdmapper: KDMapper is a simple tool that exploits iqvw64e.sys Intel driver to manually map non-signed drivers in memory
MAAD-AF: MAAD Attack Framework - An attack tool for simple, fast & effective security testing of M365 & Entra ID (Azure AD).
PPLmedic: Dump the memory of any PPL with a Userland exploit chain
TimeException: A tool to find folders excluded from AV real-time scanning using a time oracle
CVE-2023-23397-POC-Powershell: None
AMSI-ETW-Patch: Patch AMSI and ETW
Shellcode-Hide: This repo contains : simple shellcode Loader , Encoders (base64 - custom - UUID - IPv4 - MAC), Encryptors (AES), Fileless Loader (Winhttp, socket)
NativePayloads: All my Source Codes (Repos) for Red-Teaming & Pentesting + Blue Teaming
KeePwn: A python tool to automate KeePass discovery and secret extraction.
hw-call-stack: Use hardware breakpoints to spoof the call stack for both syscalls and API calls
Timeroast: Timeroasting scripts by Tom Tervoort
ThreadlessInject-BOF: BOF implementation of @EthicalChaos's ThreadlessInject project. A novel process injection technique with no thread creation, released at BSides Cymru 2023.
SharpAgent: C# havoc implant
psexec_noinstall: Repository contains psexec, which will help to exploit the forgotten pipe
dploot: DPAPI looting remotely and locally in Python
serviceDetector: Detect whether a service is installed (blindly) and/or running (if exposing named pipes) on a remote machine without using local admin privileges.
graphcat: Generate graphs and charts based on password cracking result
NimPlant: A light-weight first-stage C2 implant written in Nim (and Rust).
Paruns-Fart: Just another ntdll unhooking using Parun's Fart technique
HWSyscalls: HWSyscalls is a new method to execute indirect syscalls using HWBP, HalosGate and a synthetic trampoline on kernel32 with HWBP.
ThreadlessInject: Threadless Process Injection using remote function hooking.
winsw: A wrapper executable that can run any executable as a Windows service, in a permissive license.
PipeViewer: A tool that shows detailed information about named pipes in Windows
LocalPotato: None
OperatorsKit: Collection of Beacon Object Files (BOF) for Cobalt Strike
CVE-2023-0179-PoC: None
certsync: Dump NTDS with golden certificates and UnPAC the hash
BypassCredGuard: Credential Guard Bypass Via Patching Wdigest Memory
RToolZ: A Stealthy Lsass Dumper - can abuse ProcExp152.sys driver to dump PPL Lsass, no dbghelp.lib calls.
azbelt: AAD related enumeration in Nim
amd-ryzen-master-driver-v17-exploit: Cobalt Strike (CS) Beacon Object File (BOF) for kernel exploitation using AMD's Ryzen Master Driver (version 17).
RpcInvestigator: Exploring RPC interfaces on Windows
CreateRemoteThreadPlus: CreateRemoteThread: how to pass multiple parameters to the remote thread function without shellcode.
AADInternals: AADInternals PowerShell module for administering Azure AD and Office 365
Crassus: None
CVE-2023-21752: None
YaraMemoryScanner: Simple PowerShell script to enable process scanning with Yara.
Alcatraz: x64 binary obfuscator
WTSRM2: None
DCOMPotato: Some Service DCOM Object and SeImpersonatePrivilege abuse.
PassFiltEx: PassFiltEx. An Active Directory Password Filter.
AmsiBypassHookManagedAPI: A new AMSI Bypass technique using .NET ALI Call Hooking.
PassTheChallenge: Recovering NTLM hashes from Credential Guard
Malproxy: Proxy system calls over an RPC channel
ShellcodeMutator: None
unleashed-firmware: Flipper Zero Unleashed Firmware
msi-shenanigans: Proof of Concept code and samples presenting emerging threat of MSI installer files.
Blindside: Utilizing hardware breakpoints to evade monitoring by Endpoint Detection and Response platforms
Venom: Venom is a library that meant to perform evasive communication using stolen browser socket
Nimjector: None
MurkyStrings: A string obfuscator for .NET apps, built to evade static string analysis.
DirCreate2System: Weaponizing to get NT SYSTEM for Privileged Directory Creation Bugs with Windows Error Reporting
WTSRM: WTSRM
Dirty-Vanity: A POC for the new injection technique, abusing windows fork API to evade EDRs. https://www.blackhat.com/eu-22/briefings/schedule/index.html#dirty-vanity-a-new-approach-to-code-injection--edr-bypass-28417
phantap: Phantom Tap (PhanTap) - an ‘invisible’ network tap aimed at red teams
Home-Grown-Red-Team: None
DynamicDotNet: A collection of various and sundry code snippets that leverage .NET dynamic tradecraft
CSharp-Alt-Shellcode-Callbacks: A collection of (even more) alternative shellcode callback methods in CSharp
SilentMoonwalk: PoC Implementation of a fully dynamic call stack spoofer
PPLcontrol: Controlling Windows PP(L)s
NimDllSideload: DLL sideloading/proxying with Nim!
PrintNotifyPotato: PrintNotifyPotato
psmsi: Create MSIs using PowerShell.
WeaponizeKali.sh: Collection of extra pentest tools for Kali Linux
ReverseSock5Proxy: A tiny Reverse Sock5 Proxy written in C :V
nanorobeus: COFF file (BOF) for managing Kerberos tickets.
cThreadHijack: Beacon Object File (BOF) for remote process injection via thread hijacking
tgtdelegation: tgtdelegation is a Beacon Object File (BOF) to obtain a usable TGT via the "TGT delegation trick"
orpheus: Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
ProxyNotShell-PoC: None
CVE-2022-33679: One day based on https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
PhaseDive: Sleep Obfuscation
KeePass-the-Hash: A script that greps composite key-like strings from a KeePassXC process dump, then uses a customized version of pykeepass library to unlock the database.
Azure-App-Tools: Collection of tools to use with Azure Applications
awesome-flipperzero: 🐬 A collection of awesome resources for the Flipper Zero device.
Flipper: Playground (and dump) of stuff I make or modify for the Flipper Zero
Volumiser: None
Godmode: Tool for playing with Windows Access Token manipulation.
KeeFarceReborn: A standalone DLL that exports databases in cleartext once injected in the KeePass process.
nEkko: A nim port of C5pider's Ekko project.
EventLogging: Automation scripts to deploy Windows Event Forwarding, Sysmon, and custom audit policies in an Active Directory environment.
libpeconv: A library to load, manipulate, dump PE files. See also: https://github.com/hasherezade/libpeconv_tpl
hwbp4mw: None
ErebusGate: ErebusGate for Nim Bypass AV/EDR
VX-API: Collection of various malicious functionality to aid in malware development
TerraLdr: A Payload Loader Designed With Advanced Evasion Features
Spartacus: Spartacus DLL/COM Hijacking Toolkit
ulib: None
DragonCastle: A PoC that combines AutodialDLL lateral movement technique and SSP to scrape NTLM hashes from LSASS process.
PassTheCert: Proof-of-Concept tool to authenticate to an LDAP/S server with a certificate through Schannel
cypherhound: Python3 terminal application that contains 405 Neo4j cyphers for BloodHound data sets and 388 GUI cyphers
Bitmancer: Nim Library for Offensive Security Development
WAMBam: Tooling related to the WAM Bam - Recovering Web Tokens From Office blog post
XorStringsNET: Easy XOR string encryption for NET based binaries
linWinPwn: linWinPwn is a bash script that streamlines the use of a number of Active Directory tools
ShadowSpray: A tool to spray Shadow Credentials across an entire domain in hopes of abusing long forgotten GenericWrite/GenericAll DACLs over other objects in the domain.
ProvisionAppx: None
AtomPePacker: A Highly capable Pe Packer
TickTock: None
BOF2shellcode: POC tool to convert CobaltStrike BOF files to raw shellcode
vba2clr: Running .NET from VBA
BouncyGate: Indirect Syscalls: HellsGate in Nim, but making sure that all syscalls go through NTDLL (as in RecycledGate).
RITM: Roast in the Middle
Havoc: The Havoc Framework
LoGiC.NET: A more advanced free and open .NET obfuscator using dnlib.
KnownDllUnhook: Replace the .txt section of the current loaded modules from \KnownDlls\ to bypass edrs
Freeze: Freeze is a payload toolkit for bypassing EDRs using suspended processes, direct syscalls, and alternative execution methods
Cronos: PoC for a sleep obfuscation technique leveraging waitable timers to evade memory scanners.
JuicyPotatoNG: Another Windows Local Privilege Escalation from Service Account to System
Teamsniper: Teamsniper is a tool for fetching keywords in a Microsoft Teams such as (passwords, emails, database, etc.).
CitrixSecureAccessAuthCookieDump: Dump Citrix Secure Access auth cookie from the process memory
MANSPIDER: Spider entire networks for juicy files sitting on SMB shares. Search filenames or file content - regex supported!
pe-bear: Portable Executable reversing tool with a friendly GUI
ldapnomnom: Quietly and anonymously bruteforce Active Directory usernames at insane speeds from Domain Controllers by (ab)using LDAP Ping requests (cLDAP)
FlavorTown: Various ways to execute shellcode
Codecepticon: .NET/PowerShell/VBA Offensive Security Obfuscator
rust_syscalls: Single stub direct and indirect syscalling with runtime SSN resolving for windows.
SharpWhispers: C# porting of SysWhispers2. It uses SharpASM to find the code caves for executing the system call stub.
SharpASM: SharpASM is a C# project that aims to automate ASM (i.e. shellcode) execution in .NET programs by exploiting code caves in RWX sections allocated by the CLR.
TRunPE: A modified RunPE (process hollowing) technique avoiding the usage of SetThreadContext by appending a TLS section which calls the original entrypoint.
PowerShellMisc: None
c_syscalls: Single stub direct and indirect syscalling with runtime SSN resolving for windows.
HideProcessHook: DLL that hooks the NtQuerySystemInformation API and hides a process name
TangledWinExec: PoCs and tools for investigation of Windows process execution techniques
evilgophish: evilginx3 + gophish
CheeseOunce: Coerce Windows machines auth via MS-EVEN
SysmonEnte: None
EvilnoVNC: Ready to go Phishing Platform
Pyramid: a tool to help operate in EDRs' blind spots
DLLSpy: DLL Hijacking Detection Tool
SnaffPoint: A tool for pointesters to find candies in SharePoint
ADFSRelay: Proof of Concept Utilities Developed to Research NTLM Relaying Attacks Targeting ADFS
PersistenceSniper: Powershell module that can be used by Blue Teams, Incident Responders and System Administrators to hunt persistences implanted in Windows machines. Official Twitter/X account @PersistSniper. Made with ❤️ by @last0x00 and @dottor_morte
Randomise-api-hashes-cobalt-strike: Bypass Detection By Randomising ROR13 API Hashes
NtCreateUserProcess: A small NtCreateUserProcess PoC that spawns a Command prompt.
PIVert: None
Masky: Python library with CLI allowing to remotely dump domain user credentials via an ADCS without dumping the LSASS process memory
ascii-image-converter: A cross-platform command-line tool to convert images into ascii art and print them on the console. Now supports braille art!
HijackLibs: Project for tracking publicly disclosed DLL Hijacking opportunities.
Burp2Malleable: Quick python utility I wrote to turn HTTP requests from burp suite into Cobalt Strike Malleable C2 profiles
TeamFiltration: TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
AceLdr: Cobalt Strike UDRL for memory scanner evasion.
concealed_code_execution: Tools and technical write-ups describing attacking techniques that rely on concealing code execution on Windows
TamperingSyscalls: None
PingCastleCloud: Audit program for AzureAD
AVIator: Antivirus evasion project
goreflect: Reflective DLL loading of your favorite Golang program
BARK: BloodHound Attack Research Kit
VehApiResolve: None
protections-artifacts: Elastic Security detection content for Endpoint
AzureHound: Azure Data Exporter for BloodHound
CallStack-Spoofer: This tool will allow you to spoof the return addresses of your functions as well as system functions.
misc: miscellaneous scripts and programs
CreateProcess: A small PoC that creates processes in Windows
NimicStack: NimicStack is the pure Nim implementation of Call Stack Spoofing technique to mimic legitimate programs
DeathSleep: A PoC implementation for an evasion technique to terminate the current thread and restore it before resuming execution, while implementing page protection changes during no execution.
grc2: grim reaper c2
RedGuard: RedGuard is a C2 front flow control tool,Can avoid Blue Teams,AVs,EDRs check.
AMSI_Rubeus_bypass: None
AlanFramework: A C2 post-exploitation framework
Lastenzug: Socks4a proxy leveraging PIC, Websockets and static obfuscation on assembly level
ProtectMyTooling: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators and other Red Team oriented weaponry. Featured with artifacts watermarking, IOCs collection & PE Backdooring. You feed it with your implant, it does a lot of sneaky things and spits out obfuscated executable.
NiCOFF: COFF and BOF Loader written in Nim
CoffeeLdr: Beacon Object File Loader
pretender: Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
iscsicpl_bypassUAC: UAC bypass for x64 Windows 7 - 11
Azure-Red-Team: Azure Security Resources and Notes
pyobfuscate: pyobfuscate
persistence-info.github.io: None
sccmwtf: None
Coercer: A python script to automatically coerce a Windows server to authenticate on an arbitrary machine through 12 methods.
Koh: The Token Stealer
windows-coerced-authentication-methods: A list of methods to coerce a windows machine to authenticate to an attacker-controlled machine through a Remote Procedure Call (RPC) with various protocols.
digitalocean-app-redirector: Reverse-HTTP Redirector via DigitalOcean Apps Platform
AMSI-Unchained: Unchain AMSI by patching the provider’s unmonitored memory space
Stardust: A modern 64-bit position independent implant template
Koppeling: Adaptive DLL hijacking / dynamic export forwarding
maldev-for-dummies: A workshop about Malware Development
CallStackSpoofer: A PoC implementation for spoofing arbitrary call stacks when making sys calls (e.g. grabbing a handle via NtOpenProcess)
systeminformer: A free, powerful, multi-purpose tool that helps you monitor system resources, debug software and detect malware. Brought to you by Winsider Seminars & Solutions, Inc. @ http://www.windows-internals.com
bloodyAD: BloodyAD is an Active Directory Privilege Escalation Framework
WebView2-Cookie-Stealer: None
NoteThief: Grab unsaved Notepad contents with a Beacon Object File
DFSCoerce: None
Ekko: Sleep Obfuscation
HVNC: Standalone HVNC Client & Server | Coded in C++ (Modified Tinynuke)
awesome-executable-packing: A curated list of awesome resources related to executable packing
AntimalwareBlight: Execute PowerShell code at the antimalware-light protection level.
moneta: Moneta is a live usermode memory analysis tool for Windows with the capability to detect malware IOCs
COM-Hunter: COM Hijacking VOODOO
DueDLLigence: None
KaynStrike: UDRL for CS
NimlineWhispers3: A tool for converting SysWhispers3 syscalls for use with Nim projects
DeepSleep: A variant of Gargoyle for x64 to hide memory artifacts using ROP only and PIC
OpenPasswordFilter: An open source custom password filter DLL and userspace service to better protect / control Active Directory domain passwords.
SharpEventPersist: Persistence by writing/reading shellcode from Event Log
MineSweeper: Windows user-land hooks manipulation tool.
XLL_Phishing: XLL Phishing Tradecraft
WFH: None
DuplicateDump: Dumping LSASS with a duplicated handle from custom LSA plugin
NtCreateUserProcess: Minimal PoC developed as discuss in https://captmeelo.com/redteam/maldev/2022/05/10/ntcreateuserprocess.html
FindObjects-BOF: A Cobalt Strike Beacon Object File (BOF) project which uses direct system calls to enumerate processes for specific loaded modules or process handles.
SharpWSUS: None
MalSCCM: None
PersistBOF: A BOF to automate common persistence tasks for red teamers
NTLMRelay2Self: An other No-Fix LPE, NTLMRelay2Self over HTTP (Webdav).
CS-Remote-OPs-BOF: None
KrbRelayUp: KrbRelayUp - a universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).
HalosUnhooker: Halos Gate-based NTAPI Unhooker
physmem2profit: Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
C2-Tool-Collection: A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
SharpSCCM: A C# utility for interacting with SCCM
smartbrute: Password spraying and bruteforcing tool for Active Directory Domain Services
MagnusKatz: Research project for understanding how Mimikatz work and become better at C
Get-PDInvokeImports: Get-PDInvokeImports is tool (PowerShell module) which is able to perform automatic detection of P/Invoke, Dynamic P/Invoke and D/Invoke usage in assembly. Showing all locations from where they are referenced and Exports all to DnSpy_Bookmarks.xml
blind-ssrf-chains: An exhaustive list of all the possible ways you can chain your Blind SSRF vulnerability
avdebugger: None
com_inject: None
Invoke-Evasion: PowerShell Obfuscation and Data Science
nim-loader: WIP shellcode loader in nim with EDR evasion techniques
ARCInject: Overwrite a process's recovery callback and execute with WER
bluffy: Convert shellcode into ✨ different ✨ formats!
SyscallShuffler: Your NTDLL vaccine from modern direct syscall methods.
hacktricks: Welcome to the page where you will find each trick/technique/whatever I have learnt in CTFs, real life apps, and reading researches and news.
Evilginx2-Phishlets: Evilginx3 Phishlets version (0.2.3 & above) Only For Testing/Learning Purposes
YouMayPasser: You shall pass
ScheduleRunner: A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
bflat: C# as you know it but with Go-inspired tooling (small, selfcontained, and native executables)
GetMail: 利用NTLM Hash读取Exchange邮件
BITB: Browser In The Browser (BITB) Templates
AzureAD-Attack-Defense: This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected.
Group3r: Find vulnerabilities in AD Group Policy, but do it better than Grouper2 did.
injectAmsiBypass: Cobalt Strike BOF - Bypass AMSI in a remote process with code injection.
NimWinAPICustom: Resolve WinAPI func. Custom GetProcAddress and GetModuleHandle written in Nim
NimWhispers: None
GOAD: game of active directory
WeakestLink: Browser extension that extracts users from LinkedIn company pages
RunOF: None
CVE-2022-0847-DirtyPipe-Exploit: A root exploit for CVE-2022-0847 (Dirty Pipe)
PrivFu: Kernel mode WinDbg extension and PoCs for token privilege investigation.
O365-Doppelganger: A quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user
SysWhispers3: SysWhispers on Steroids - AV/EDR evasion via direct system calls.
SharpLoadLibrary: An attempt to make a LoadLibrary designed for offensive operations, in C# obviously.
remote-method-guesser: Java RMI Vulnerability Scanner
SharpLdapRelayScan: C# Port of LdapRelayScan
LdapSignCheck: Beacon Object File & C# project to check LDAP signing
Nimcrypt2: .NET, PE, & Raw Shellcode Packer/Loader Written in Nim
SharpHalos: My implementation of Halo's Gate technique in C#
windows-ps-callbacks-experiments: Files for http://deniable.org/windows/windows-callbacks
BofRoast: Beacon Object Files for roasting Active Directory
Bloodhound-CustomQueries: Custom Queries - Brought Up to BH4.1 syntax
Invoke-Nanodump: HelpSystems Nanodump, but wrapped in powershell via Invoke-ReflectivePEInjection
donut: Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
phpLFI: Tests for LFI in PHP apps and automates the process of leveraging LFI's to recursively download source code and discover new files via includes to download additional source code files.
BackupOperatorToDA: From an account member of the group Backup Operators to Domain Admin without RDP or WinRM on the Domain Controller
Invoke-CommandAs: Invoke Command As System/Interactive/GMSA/User on Local/Remote machine & returns PSObjects.
KrbRelay: Framework for Kerberos relaying
SnD_AMSI: Start new PowerShell without etw and amsi in pure nim
PPL_Sandboxer: None
HellsGate: Rewrote HellsGate in C# for fun and learning
thumbscr-ews: Exchangelib wrapper for pentesting
spraycharles: Low and slow password spraying tool, designed to spray on an interval over a long period of time
SpoolFool: Exploit for CVE-2022-21999 - Windows Print Spooler Elevation of Privilege Vulnerability (LPE)
PackMyPayload: A PoC that packages payloads into output containers to evade Mark-of-the-Web flag & demonstrate risks associated with container file formats. Supports: ZIP, 7zip, PDF, ISO, IMG, CAB, VHD, VHDX
ObjectOverloadingPOC: None
awesome-nim: A curated list of awesome Nim frameworks, libraries, software and resources.
Hunt-Sleeping-Beacons: Aims to identify sleeping beacons
C-To-Shellcode-Examples: None
KillDefenderBOF: Beacon Object File PoC implementation of KillDefender
Advanced-Process-Injection-Workshop: None
onefile_python: Run python from a single exe
TokenStomp: C# implementation of the token privilege removal flaw discovered by @GabrielLandau/Elastic
PPLGuard: None
RecycledGate: Hellsgate + Halosgate/Tartarosgate. Ensures that all systemcalls go through ntdll.dll
EvilSelenium: EvilSelenium is a tool that weaponizes Selenium to attack Chromium based browsers.
manual-syscall-detect: A tool for detecting manual/direct syscalls in x86 and x64 processes using Nirvana Hooks.
T.D.P: Using Thread Description To Hide Shellcode
ParallelNimcalls: Nim version of MDSec's Parallel Syscall PoC
PwnKit: Self-contained exploit for CVE-2021-4034 - Pkexec Local Privilege Escalation
poc-cve-2021-4034: PoC for CVE-2021-4034 dubbed pwnkit
mRemoteNG_password_decrypt: Decrypt mRemoteNG passwords
NimPackt-v1: Nim-based assembly packer and shellcode loader for opsec & profit
RefleXXion: RefleXXion is a utility designed to aid in bypassing user-mode hooks utilised by AV/EPP/EDR etc. In order to bypass the user-mode hooks, it first collects the syscall numbers of the NtOpenFile, NtCreateSection, NtOpenSection and NtMapViewOfSection found in the LdrpThunkSignature array.
AmsiHooker: Hookers are cooler than patches.
StandIn: StandIn is a small .NET35/45 AD post-exploitation toolkit
TREVORspray: TREVORspray is a modular password sprayer with threading, clever proxying, loot modules, and more!
SharpGhosting: Process Ghosting in C#
LdapRelayScan: Check for LDAP protections regarding the relay of NTLM authentication
DynimicGhostWriting: Windows x64 Process Injection via Ghostwriting with Dynamic Configuration
HellsGateNim: A quick example of the Hells Gate technique in Nim
LdrLoadDll-Unhooking: LdrLoadDll Unhooking
RunPE-In-Memory: Run a Exe File (PE Module) in memory (like an Application Loader)
Ares: Project Ares is a Proof of Concept (PoC) loader written in C/C++ based on the Transacted Hollowing technique
ReverseRDP_RCE: None
Ivy: Ivy is a payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory. Ivy’s loader does this by utilizing programmatical access in the VBA object environment to load, decrypt and execute shellcode.
Process-Instrumentation-Syscall-Hook: A simple program to hook the current process to identify the manual syscall executions on windows
ParallelSyscalls: C# version of MDSec's ParallelSyscalls
NimShellCodeLoader: 免杀，bypassav，免杀框架，nim，shellcode，使用nim编写的shellcode加载器
ParallelSyscalls: None
PowerRemoteDesktop: Remote Desktop entirely coded in PowerShell.
Shhhloader: Syscall Shellcode Loader (Work in Progress)
nimcrypt: PE Crypter written in Nim
Skrull: Skrull is a malware DRM, that prevents Automatic Sample Submission by AV/EDR and Signature Scanning from Kernel. It generates launchers that can run malware on the victim using the Process Ghosting technique. Also, launchers are totally anti-copy and naturally broken when got submitted.
SweetPotato: Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019
inject-assembly: Inject .NET assemblies into an existing process
DPAT: Domain Password Audit Tool for Pentesters
ShadowCoerce: MS-FSRVP coercion abuse PoC
ADExplorerSnapshot.py: ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON.
CmdLineSpoofer: How to spoof the command line when spawning a new process from C#.
vortex: VPN Overall Reconnaissance, Testing, Enumeration and eXploitation Toolkit
TartarusGate: TartarusGate, Bypassing EDRs
KaynLdr: KaynLdr is a Reflective Loader written in C/ASM
Peruns-Fart: Perun's Fart (Slavic God's Luck). Another method for unhooking AV and EDR, this is my C# version.
deltavfs: deltaVFS is an indev user-mode immutable virtual filesystem
wmiexec-RegOut: Modify version of impacket wmiexec.py, get output(data,response) from registry, don't need SMB connection, also bypassing antivirus-software in lateral movement like WMIHACKER.
NimlineWhispers2: A tool for converting SysWhispers2 syscalls for use with Nim projects
TSMSISrv_poc: C# POC code for the SessionEnv dll hijack by utilizing called functions of TSMSISrv.dll
NativeFunctionStaticMap: A very imperfect attempt to correlate Kernel32 function calls to native API (Nt/Zw) counterparts/execution flow.
HookDetection_CSharp: HookDetection
KingHamlet: Process Ghosting Tool
python-log4rce: An All-In-One Pure Python PoC for CVE-2021-44228
JNDI-Exploit-Kit: JNDI-Exploitation-Kit（A modified version of the great JNDI-Injection-Exploit created by @welk1n. This tool can be used to start an HTTP Server, RMI Server and LDAP Server to exploit java web apps vulnerable to JNDI Injection）
log4shell-vulnerable-app: Spring Boot web application vulnerable to Log4Shell (CVE-2021-44228).
sam-the-admin: Exploiting CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user
noPac: CVE-2021-42287/CVE-2021-42278 Scanner & Exploiter.
EDRSandblast: None
MalSeclogon: A little tool to play with the Seclogon service
SSHClient: A C# SSH client
PowerRunAs: This module allows you to run a process (defaulting to PowerShell) as a different user by providing a known username and password. By default, the standard output (stdout), standard error (stderr), and standard input (stdin) are attached to the current console of the caller.
XMGoat: None
WADComs.github.io: WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.
ForkPlayground: An implementation and proof-of-concept of Process Forking.
charlotte: c++ fully undetected shellcode launcher ;)
TortugaToolKit: Collection of some of my own tools with other great open source tools out there packaged into a powershell module
ldap-scanner: Checks for signature requirements over LDAP
TitanLdr: Cobalt Strike User Defined Reflective Loader (UDRL). Check branches for different functionality.
InstallerFileTakeOver: None
Spray365: Spray365 makes spraying Microsoft accounts (Office 365 / Azure AD) easy through its customizable two-step password spraying approach. The built-in execution plan features options that attempt to bypass Azure Smart Lockout and insecure conditional access policies.
DCToolbox: Tools for Microsoft cloud fans
GPUSleep: Move CS beacon to GPU memory when sleeping
LockdExeDemo: A demo of the relevant blog post: https://www.arashparsa.com/hook-heaps-and-live-free/
SharpSocks: Tunnellable HTTP/HTTPS socks4a proxy written in C# and deployable via PowerShell
Visual-Studio-BOF-template: A Visual Studio template used to create Cobalt Strike BOFs
InlineWhispers2: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF) via Syswhispers2
lsarelayx: NTLM relaying for Windows made easy
RDPChecker: RDP Checker
nanodump: The swiss army knife of LSASS dumping
TokenUniverse: An advanced tool for working with access tokens and Windows security policy.
self-morphing-csharp-binary: Executable that mutates its own code
MFASweep: A tool for checking if MFA is enabled on multiple Microsoft Services
evilginx2: Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication
DLL-Hijack-Search-Order-BOF: DLL Hijack Search Order Enumeration BOF
DInvoke: Dynamically invoke arbitrary unmanaged code from managed code without P/Invoke.
Sharp-WMIExec: None
Sys-Calls: An example of using Syscalls in C# to get a meterpreter shell.
SharpLink: Create file system symbolic links from low privileged user accounts within PowerShell
DLLFromMemory-net: C# library to load a native DLL from memory without the need to allow unsafe code
SharpSelfDelete: C# implementation of the research by @jonaslyk and the drafted PoC from @LloydLabs
CredBandit: Proof of concept Beacon Object File (BOF) that uses static x64 syscalls to perform a complete in memory dump of a process and send that back through your already existing Beacon communication channel
VBA-Macro-Projects: This repository is a collection of my malicious VBA projects.
CallbackHell: Exploit for CVE-2021-40449 - Win32k Elevation of Privilege Vulnerability (LPE)
vb2clr: The helper class for Visual Basic for Applications (VBA) 7.0, providing access to CLR (.NET Framework) assemblies and classes.
SharpBypassUAC: C# tool for UAC bypasses
Shellcode-Injection-Techniques: A collection of C# shellcode injection techniques. All techniques use an AES encrypted meterpreter payload. I will be building this project up as I learn, discover or develop more techniques. Some techniques are better than others at bypassing AV.
Windows10Debloater: Script to remove Windows 10 bloatware.
ImpulsiveDLLHijack: C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR's.
LDAPmonitor: Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration!
BOF-RegSave: Dumping SAM / SECURITY / SYSTEM registry hives with a Beacon Object File
AggressiveGadgetToJScript: A Cobalt Strike Aggressor script to generate GadgetToJScript payloads
BOF_Collection: Various Cobalt Strike BOFs
MoveScheduler: .NET 4.0 Scheduled Job Lateral Movement
Badges4-README.md-Profile: Improve your README.md profile with these amazing badges.
HandleKatz_BOF: A BOF port of the research of @thefLinkk and @codewhitesec
wifipumpkin3: Powerful framework for rogue access point attack.
Suspended-Thread-Injection: Another meterpreter injection technique using C# that attempts to bypass Defender
trigen: Trigen is a Python script which uses different combinations of Win32 function calls in generated VBA to execute shellcode.
HeapsOfFun: AMSI Bypass Via the Heap
rtfm: A database of common, interesting or useful commands, in one handy referable form
CS-Situational-Awareness-BOF: Situational Awareness commands implemented using Beacon Object Files
DInvoke_rs: Dynamically invoke arbitrary unmanaged code
DidierStevensSuite: Please no pull requests for this repository. Thanks!
AzureAD_Autologon_Brute: Brute force attack tool for Azure AD Autologon/Seamless SSO - Source: https://arstechnica.com/information-technology/2021/09/new-azure-active-directory-password-brute-forcing-flaw-has-no-fix/
HandleKatz: PIC lsass dumper using cloned handles
Certipy: Tool for Active Directory Certificate Services enumeration and abuse
InlineExecute-Assembly: InlineExecute-Assembly is a proof of concept Beacon Object File (BOF) that allows security professionals to perform in process .NET assembly execution as an alternative to Cobalt Strikes traditional fork and run execute-assembly module
Ninja_UUID_Runner: Module Stomping, No New Thread, HellsGate syscaller, UUID Shellcode Runner for x64 Windows 10!
Self_Deletion_BOF: BOF implementation of the research by @jonasLyk and the drafted PoC from @LloydLabs
OffensiveRust: Rust Weaponization for Red Team Engagements.
Medusa: Medusa is a cross-platform C2 agent compatible with Python 2.7 and 3.8, compatible with Mythic
aad-sso-enum-brute-spray: POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln
ShellcodeFluctuation: An advanced in-memory evasion technique fluctuating shellcode's memory protection between RW/NoAccess & RX and then encrypting/decrypting its contents
DonPAPI: Dumping DPAPI credz remotely
ThreadStackSpoofer: Thread Stack Spoofing - PoC for an advanced In-Memory evasion technique allowing to better hide injected shellcode's memory allocation from scanners and analysts.
PPLDump_BOF: A faithful transposition of the key features/functionality of @itm4n's PPLDump project as a BOF.
TripleS: Extracting Syscall Stub, Modernized
BokuLoader: A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
ticket_converter: A little tool to convert ccache tickets into kirbi (KRB-CRED) and vice versa based on impacket.
SleepyCrypt: A shellcode function to encrypt a running process image when sleeping.
PrintNightmare: None
SharpExfiltrate: Modular C# framework to exfiltrate loot over secure and trusted channels.
SharpSystemTriggers: Collection of remote authentication triggers in C#
CVE-2021-40444: CVE-2021-40444 PoC
DynamicDllLoader: This project describes a technique how a NATIVE dynamic link library (DLL) can be loaded from memory (In C#) without storing it on the hard-disk first.
pywhisker: Python version of the C# tool for "Shadow Credentials" attacks
PR0CESS: some gadgets about windows process and ready to use :)
mjet: Mogwai Java Management Extensions (JMX) Exploitation Toolkit
RCE-0-day-for-GhostScript-9.50: RCE 0-day for GhostScript 9.50 - Payload generator
xlsxPoison: Just a PoC to turn xlsx (regular Excel files) into xlsm (Excel file with macro) and slipping inside a macro (vbaProject.bin)
RestrictedAdmin: Remotely enables Restricted Admin Mode
LiquidSnake: LiquidSnake is a tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript
CVE-2021-26084_Confluence: Confluence Server Webwork OGNL injection
DetectionLab: Automate the creation of a lab environment complete with security tooling and logging best practices
Upsilon: Upsilon execute shellcode with syscalls - no API like NtProtectVirtualMemory is used
Registry-Recon: Cobalt Strike Aggressor Script that Performs System/AV/EDR Recon
SharpDllProxy: Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading
Invoke-DLLClone: Koppeling x Metatwin x LazySign
garble: Obfuscate Go builds
xorstr: heavily vectorized c++17 compile time string encryption.
usbgadget-tool: Dumb USB HID gadget creator for Android (for triggering device driver install on Windows for LPE)
PyHook: PyHook is an offensive API hooking tool written in python designed to catch various credentials within the API call.
certi: ADCS abuser
PowerLessShell: Run PowerShell command without invoking powershell.exe
proxyshell-poc: None
MiniDump: C# Lsass parser
aes.vbs: AES-256-CBC Encrypt and Decrypt Functions in VBScript
kiterunner: Contextual Content Discovery Tool
OffensiveZig: Some attempts at using Zig(https://ziglang.org/) in penetration testing.
JSFScan.sh: Automation for javascript recon in bug bounty.
byeintegrity8-uac: Bypass UAC at any level by abusing the Program Compatibility Assistant with RPC, WDI, and more Windows components
SigFlip: SigFlip is a tool for patching authenticode signed PE files (exe, dll, sys ..etc) without invalidating or breaking the existing signature.
BeaconEye: Hunts out CobaltStrike beacons and logs operator command output
Beginners-Guide-to-Obfuscation: None
SourcePoint: SourcePoint is a C2 profile generator for Cobalt Strike command and control servers designed to ensure evasion.
Homework-of-C-Sharp: C Sharp codes of my blog.
concealed_position: Bring your own print driver privilege escalation tool
xlsKami: Out-of-the-Box Tool to Obfuscate Excel XLS. Include Obfuscation & Hide for Cell Labels & BoundSheets
pyForgeCert: pyForgeCert is a Python equivalent of the ForgeCert.
DeployPrinterNightmare: C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!
targetedKerberoast: Kerberoast with ACL abuse capabilities
inceptor: Template-Driven AV/EDR Evasion Framework
spawn: Cobalt Strike BOF that spawns a sacrificial process, injects it with shellcode, and executes payload. Built to evade EDR/UserLand hooks by spawning sacrificial process with Arbitrary Code Guard (ACG), BlockDll, and PPID spoofing.
UCantSeeM3: Hiding your process in ProcessHacker,Task Manager,etc by patching NtQuerySystemInformation
WebclientServiceScanner: Python tool to Check running WebClient services on multiple targets based on @leechristensen
vulnerable-AD: Create a vulnerable active directory that's allowing you to test most of the active directory attacks in a local lab
ADCSPwn: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.
ADCSPwn: A tool to escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service.
scarecrow_wrapper: None
RelayX: NTLM relay test.
memflow: physical memory introspection framework
ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface.
PKINITtools: Tools for Kerberos PKINIT and relaying to AD CS
GoPEInjection: Golang PE injection on windows
EfsPotato: Exploit for EfsPotato(MS-EFSR EfsRpcOpenFileRaw with SeImpersonatePrivilege local privalege escalation vulnerability).
subTee-gits-backups: subTee gists code backups
BadAssMacros: BadAssMacros - C# based automated Malicous Macro Generator.
LittleCorporal: LittleCorporal: A C# Automated Maldoc Generator
PetitPotam: PoC tool to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions.
minhook: None
NimRDI: RDI implementation in Nim
SharpExcelibur: Read Excel Spreadsheets (XLS/XLSX) using Cobalt Strike's Execute-Assembly
SharpSword: Read the contents of MS Word Documents using Cobalt Strike's Execute-Assembly
LoGiC.NET: A free and open-source .NET obfuscator using dnlib.
TokenTactics: Azure JWT Token Manipulation Toolset
msspray: Password attacks and MFA validation against various endpoints in Azure and Office 365
TeamsUserEnum: User enumeration with Microsoft Teams API
SharpPhish: Using outlook COM objects to create convincing phishing emails without the user noticing. This project is meant for internal phishing.
Invoke-BuildAnonymousSMBServer: Use to build an anonymous SMB file server.
ItWasAllADream: A PrintNightmare (CVE-2021-34527) Python Scanner. Scan entire subnets for hosts vulnerable to the PrintNightmare RCE
public-pentesting-reports: A list of public penetration test reports published by several consulting firms and academic security groups.
dnMerge: A lightweight .NET assembly dependency merger that uses dnLib and 7zip's LZMA SDK for compressing dependant assemblies.
PortBender: TCP Port Redirection Utility
Vanara: A set of .NET libraries for Windows implementing PInvoke calls to many native Windows APIs with supporting wrappers.
Injector: Complete Arsenal of Memory injection and other techniques for red-teaming in Windows
LogonCredentialsSteal: LOCAL AND REMOTE HOOK msv1_0!SpAcceptCredentials from LSASS.exe and DUMP DOMAIN/LOGIN/PASSWORD IN CLEARTEXT to text file.
CVE-2021-1675: Pure PowerShell implementation of CVE-2021-1675 Print Spooler Local Privilege Escalation (PrintNightmare)
CVE-2021-1675-LPE: Local Privilege Escalation Edition for CVE-2021-1675/CVE-2021-34527
CVE-2021-1675: CVE-2021-1675 Detection Info
Evasor: A tool to be used in post exploitation phase for blue and red teams to bypass APPLICATIONCONTROL policies
Blackbone: Windows memory hacking library
adduser: Programmatically create an administrative user under Windows
CVE-2021-1675: C# and Impacket implementation of PrintNightmare CVE-2021-1675/CVE-2021-34527
pivotnacci: A tool to make socks connections through HTTP agents
RunPE: C# Reflective loader for unmanaged binaries.
chameleon: PowerShell Script Obfuscator
AggressiveProxy: Project to enumerate proxy configurations and generate shellcode from CobaltStrike
IEC61850ToolChain: An opensource software creates customized datasets for the validation of cybersecurity solutions for IEC 61850 communication-based substations.
scada-tools: None
Whisker: Whisker is a C# tool for taking over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding "Shadow Credentials" to the target account.
puppy: Puppy fetches via HTTP and HTTPS
WindowsRpcClients: This respository is a collection of C# class libraries which implement RPC clients for various versions of the Windows Operating System from 7 to Windows 10.
cornershot: Amplify network visibility from multiple POV of other hosts
PoshADCS: A proof of concept on attack vectors against Active Directory by abusing Active Directory Certificate Services (ADCS)
DarkLoadLibrary: LoadLibrary for offensive operations
PSPKIAudit: PowerShell toolkit for AD CS auditing based on the PSPKI toolkit.
DarkLoadLibrary: LoadLibrary for offensive operations
pipal: Pipal, THE password analyser
process_ghosting: Process Ghosting - a PE injection technique, similar to Process Doppelgänging, but using a delete-pending file instead of a transacted file
Backstab: A tool to kill antimalware protected processes
rpivot: socks4 reverse proxy for penetration testing
gargoyle: A memory scanning evasion technique
polkadots: CVE-2021-3560 Local PrivEsc Exploit
privesc: Process Monitor filter for finding privilege escalation vulnerabilities on Windows
forest-trust-tools: Proof-of-concept tools for my AD Forest trust research
hiding-your-syscalls: Some source code to demonstrate avoiding certain direct syscall detections by locating and JMPing to a legitimate syscall instruction within NTDLL.
Certify: Active Directory certificate abuse.
ForgeCert: "Golden" certificates
EPPlus: Create advanced Excel spreadsheets using .NET
KnockOutlook: A little tool to play with Outlook
module_overloading: A more stealthy variant of "DLL hollowing"
phantom-dll-hollower-poc: Phantom DLL hollowing PoC
cve-2021-21985_exp: cve-2021-21985 exploit
suspendedunhook: None
transacted_hollowing: Transacted Hollowing - a PE injection technique, hybrid between ProcessHollowing and ProcessDoppelgänging
AmsiScanBufferBypass: Bypass AMSI by patching AmsiScanBuffer
AzureADJoinedMachinePTC: Tool to perform lateral movement between AAD joined devices
Carbuncle: Tool for interacting with outlook interop during red team engagements
memlib: Load Windows DLL from memory
SharpUnhooker: C# Based Universal API Unhooker
wowInjector: PoC: Exploit 32-bit Thread Snapshot of WOW64 to Take Over $RIP & Inject & Bypass Antivirus HIPS (HITB 2021)
Conari: 🧬 One-touch unmanaged memory, runtime dynamic use of the unmanaged native C/C++ in .NET world, related P/Invoke features, and …
SharpHook: SharpHook is an offensive API hooking tool designed to catch various credentials within the API call.
boobsnail: BoobSnail allows generating Excel 4.0 XLM macro. Its purpose is to support the RedTeam and BlueTeam in XLM macro generation.
AmsiPatchDetection: None
InvisibilityCloak: Proof-of-concept obfuscation toolkit for C# post-exploitation tools
CredMaster: Refactored & improved CredKing password spraying tool, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling
PasswordFilter: 2 ways of Password Filter DLL to record the plaintext password
stealthInjector: Injects shellcode into remote processes using direct syscalls
DNSStager: Hide your payload in DNS
KernelForge: A library to develop kernel level Windows payloads for post HVCI era
forkatz: credential dump using foreshaw technique using SeTrustedCredmanAccessPrivilege
DinvokeDupetokenAndThreadSwitcheroo: None
OffensivePH: OffensivePH - use old Process Hacker driver to bypass several user-mode access controls
AmsiHook: AmsiHook is a project I created to figure out a bypass to AMSI via function hooking.
RedWarden: Cobalt Strike C2 Reverse proxy that fends off Blue Teams, AVs, EDRs, scanners through packet inspection and malleable profile correlation
RpcView: RpcView is a free tool to explore and decompile Microsoft RPC interfaces
SharpShares: Multithreaded C# .NET Assembly to enumerate accessible network shares in a domain
DefaultCreds-cheat-sheet: One place for all the default credentials to assist the Blue/Red teamers activities on finding devices with default password 🛡️
CredentialManager: C# wrapper around CredWrite / CredRead functions to store and retreive from Windows Credential Store
.NET-Deobfuscator: Lists of .NET Deobfuscator and Unpacker (Open Source)
DomainBorrowingC2: None
CVE-2021-21551: Exploit to SYSTEM for CVE-2021-21551
Dent: A framework for creating COM-based bypasses utilizing vulnerabilities in Microsoft's WDAPT sensors.
SharpNukeEventLog: nuke that event log using some epic dinvoke fu
PSGumshoe: None
Pentest-Tools-Collection: None
FalconEye: None
DomainBorrowing: Domain Borrowing PoC
jenkins-attack-framework: None
NautilusProject: A collection of weird ways to execute unmanaged code in .NET
SharpTransactedLoad: Load .net assemblies from memory while having them appear to be loaded from an on-disk location.
MicroBackdoor: Small and convenient C2 tool for Windows targets. [ Русский -- значит нахуй! ]
DripLoader: Evasive shellcode loader for bypassing event-based injection detection (PoC)
BeaconHunter: Detect and respond to Cobalt Strike beacons using ETW.
RemotePotato0: Windows Privilege Escalation from User to Domain Admin.
SharpNoPSExec: Get file less command execution for lateral movement.
PPLdump: Dump the memory of a PPL with a userland exploit
CertStealer: A .NET tool for exporting and importing certificates without touching disk.
adfsbrute: A script to test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks.
Max: Maximizing BloodHound. Max is a good boy.
msspray: A basic username enumeration and password spraying tool aimed at spraying Microsoft's DOM based authentication using selenium.
RosFuscator: YouTube/Livestream project for obfuscating C# source code using Roslyn
Invoke-Stealth: Simple & Powerful PowerShell Script Obfuscator
BetterXencrypt: A better version of Xencrypt.Xencrypt it self is a Powershell runtime crypter designed to evade AVs.
SevenZipSharp: Fork of SevenZipSharp on CodePlex
Pluto: A manual system call library that supports functions from both ntdll.dll and win32u.dll
universal-syscall-64: Resolve syscall numbers at runtime for all Windows versions.
experiments: Expriments
kubesploit: Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang, focused on containerized environments.
PPLKiller: Tool to bypass LSA Protection (aka Protected Process Light)
SharpWebServer: Red Team oriented C# Simple HTTP & WebDAV Server with Net-NTLM hashes capture functionality
C2Bridge: C2Bridges allow developers to create new custom communication protocols and quickly utilize them within Covenant.
WindowsElevation: Windows Elevation(持续更新)
obfuscator: None
sandbox-attacksurface-analysis-tools: Set of tools to analyze Windows sandboxes for exposed attack surface.
streisand: Streisand sets up a new server running your choice of WireGuard, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, sslh, Stunnel, or a Tor bridge. It also generates custom instructions for all of these services. At the end of the run you are given an HTML file with instructions that can be shared with friends, family members, and fellow activists.
MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory
MinHook.NET: A C# port of the MinHook API hooking library
Limelighter: A tool for generating fake code signing certificates or signing real ones
chlonium: Chromium Cookie import / export tool
0days-in-the-wild: Repository for information about 0-days exploited in-the-wild.
EDRs: None
xeuledoc: Fetch information about a public Google document.
CVE-2021-22986-Poc: This is a Poc for BIGIP iControl unauth RCE
Nim_CBT_Shellcode: CallBack-Techniques for Shellcode execution ported to Nim
NativePayload_CBT: NativePayload_CallBackTechniques C# Codes (Code Execution via Callback Functions Technique, without CreateThread Native API)
CVE-2021-3156: Sudo Baron Samedit Exploit
Win32Interop: Win32 interop classes, constants, and structures for .NET.
OxidBindings: Extract all IP of a computer using DCOM without authentication (aka detect network used for administration)
ProxyLogon: None
pypykatz: Mimikatz implementation in pure Python
Pancakeswap-BSC-Sniper-Bot-web3-MAC-ANDROID-WINDOWS-LINUX-V2: Web3 Pancakeswap Sniper & honeypot detector Take Profit/StopLose bot written in python3, For WINDOWS & ANDROID & MAC & LINUX
pihole-regex: Custom regex filter list for use with Pi-hole.
wspe: Windows System Programming Experiments
CVE-2021-1732-Exploit: CVE-2021-1732 Exploit
nim-socks5: Nim Socks5 library
Nim-SMBExec: SMBExec implementation in Nim - SMBv2 using NTLM Authentication with Pass-The-Hash technique
SLib: SLib is a sandbox evasion library that implements some of the checks from https://evasions.checkpoint.com in C#
CSharpScripts: Collection of C# scripts
AlternativeShellcodeExec: Alternative Shellcode Execution Via Callbacks
UuidShellcodeExec: PoC for UUID shellcode execution using DInvoke
SIGRed_RCE_PoC: None
DoppelGate: DoppelGate relies on reading ntdll on disk to grab syscall stubs, and patches these syscall stubs into desired functions to bypass Userland Hooking.
traitor: ⬆️ ☠️ 🔥 Automatic Linux privesc via exploitation of low-hanging fruit e.g. gtfobins, pwnkit, dirty pipe, +w docker.sock
Callback_Shellcode_Injection: POCs for Shellcode Injection via Callbacks
SharpLAPS: Retrieve LAPS password from LDAP
LsassSilentProcessExit: Command line interface to dump LSASS memory to disk via SilentProcessExit
davil: leaking net-ntlm with webdav
Farmer: None
BlobHunter: Find exposed data in Azure with this public blob scanner
Sharpmad: C# version of Powermad
SafetyDump: Dump stuff without touching disk
CheckSafeBoot: I used this to see if an EDR is running in Safe Mode
Perfusion: Exploit for the RpcEptMapper registry key permissions vulnerability (Windows 7 / 2088R2 / 8 / 2012)
phpvuln: 🕸️ Audit tool to find common vulnerabilities in PHP source code
SharpRelay: None
jiraffe: One stop place for exploiting Jira instances in your proximity
SharpSMBSpray: Spray a hash via smb to check for local administrator access
ScareCrow: ScareCrow - Payload creation framework designed around EDR bypass.
DInvoke: Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
Zeta: Using "svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc" as trigger
HideCode: Hide code from dnSpy and other C# spying tools
RedTeamCCode: Red Team C code repo
TelemetrySourcerer: Enumerate and disable common sources of telemetry used by AV/EDR.
CheekyBlinder: Enumerating and removing kernel callbacks using signed vulnerable drivers
CVE-2021-3156: None
CVE-Exploits: PoC exploits for software vulnerabilities
NimExamples: A collection of offensive Nim example code
VisualDoor: SonicWall SSL-VPN Exploit
Homework-of-C-Language: C/C++ code examples of my blog.
SysWhispers2_x86: X86 version of syswhispers2 / x86 direct system call
gitjacker: 🔪 Leak git repositories from misconfigured websites
delete-self-poc: A way to delete a locked file, or current running executable, on disk.
injection: None
onedrive_user_enum: onedrive user enumeration - pentest tool to enumerate valid o365 users
SharpSphere: .NET Project for Attacking vCenter
InlineWhispers: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF)
denim: Automated compiler obfuscation for nim
CVE-2020-35728: CVE-2020-35728 & Jackson-databind RCE
CovenantTasks: Source for tasks I have used with Covenant
Alaris: A protective and Low Level Shellcode Loader that defeats modern EDR systems.
Venom: Venom - A Multi-hop Proxy for Penetration Testers
printjacker: Hijack Printconfig.dll to execute shellcode
UnhookMe: UnhookMe is an universal Windows API resolver & unhooker addressing problem of invoking unmonitored system calls from within of your Red Teams malware
crackq: CrackQ: A Python Hashcat cracking queue system
BOFs: Collection of Beacon Object Files
CVE-2019-3980: None
unhook-bof: Remove API hooks from a Beacon process.
NimlineWhispers: A very proof-of-concept port of InlineWhispers for using syscalls in Nim projects.
DInvisibleRegistry: DInvisibleRegistry
ChromeTools: A collection of tools to abuse chrome browser
arsenal: Arsenal is just a quick inventory and launcher for hacking programs
aiosmb: Fully asynchronous SMB library written in pure python
Antivirus-Artifacts: Anti-virus artifacts. Listing APIs hooked by: Avira, BitDefender, F-Secure, MalwareBytes, Norton, TrendMicro, and WebRoot.
SharpHandler: None
SysWhispers2: AV/EDR evasion via direct system calls.
Harvis: Harvis is designed to automate your C2 Infrastructure.
SharpScribbles: My doodles as I learn C#
Sparrow: Sparrow.ps1 was created by CISA's Cloud Forensics team to help detect possible compromised accounts and applications in the Azure/m365 environment.
OffensiveNim: My experiments in weaponizing Nim (https://nim-lang.org/)
template-injection-workshop: Workshop on Template Injection (6 exercises) covering Twig, Jinja2, Tornado, Velocity and Freemaker engines.
neo-ConfuserEx: Updated ConfuserEX, an open-source, free obfuscator for .NET applications
ExecuteAssembly: Load/Inject .NET assemblies by; reusing the host (spawnto) process loaded CLR AppDomainManager, Stomping Loader/.NET assembly PE DOS headers, Unlinking .NET related modules, bypassing ETW+AMSI, avoiding EDR hooks via NT static syscalls (x64) and hiding imports by dynamically resolving APIs (hash).
AsyncRAT-C-Sharp: Open-Source Remote Administration Tool For Windows C# (RAT)
NoMSBuild: MSBuild without MSbuild.exe
LAPSDumper: Dumping LAPS from Python
SharpLoginPrompt: None
npk: A mostly-serverless distributed hash cracking platform
solarflare: SolarWinds Orion Account Audit / Password Dumping Utility
holehe: holehe allows you to check if the mail is used on different sites like twitter, instagram and will retrieve information on sites with the forgotten password function.
poc: Proof of Concepts
CVE-2020-17144-EXP: Exchange2010 authorized RCE
DecryptAutoLogon: Command line tool to extract/decrypt the password that was stored in the LSA by SysInternals AutoLogon
restler-fuzzer: RESTler is the first stateful REST API fuzzing tool for automatically testing cloud services through their REST APIs and finding security and reliability bugs in these services.
Carnivore: Tool for assessing on-premises Microsoft servers authentication such as ADFS, Skype, Exchange, and RDWeb
shellcodeloader: shellcodeloader
SharpMapExec: None
ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
EXCELntDonut: Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory.
Macrome: Excel Macro Document Reader/Writer for Red Teamers & Analysts
amber: Reflective PE packer.
PwnyForm: None
rbcd_permissions: Add SD for controlled computer object to a target object for RBCD using LDAP
Set-RBCDBytes: None
CVE-2020-1034: PoC demonstrating the use of cve-2020-1034 for privilege escalation
BurpSuite_403Bypasser: Burpsuite Extension to bypass 403 restricted directory
OfficePurge: None
SpoolSamplerNET: Implementation of SpoolSample without rDLL
weblogicScanner: weblogic 漏洞扫描工具。目前包含对以下漏洞的检测能力：CVE-2014-4210、CVE-2016-0638、CVE-2016-3510、CVE-2017-3248、CVE-2017-3506、CVE-2017-10271、CVE-2018-2628、CVE-2018-2893、CVE-2018-2894、CVE-2018-3191、CVE-2018-3245、CVE-2018-3252、CVE-2019-2618、CVE-2019-2725、CVE-2019-2729、CVE-2019-2890、CVE-2020-2551、CVE-2020-14750、CVE-2020-14882、CVE-2020-14883
Kaspersky_Safe_Money_LPE: None
peas: Modified version of PEAS client for offensive operations
fpmvuln: bash poc scripts to exploit open fpm ports
PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework
CVE-2020-14882: CVE-2020–14882、CVE-2020–14883
cobalt-arsenal: My collection of battle-tested Aggressor Scripts for Cobalt Strike 4.0+
CredDefense: Credential and Red Teaming Defense for Windows Environments
Apollo: A .NET Framework 4.0 Windows Agent
Mythic: A collaborative, multi-platform, red teaming framework
CVE-2020-17382: PoC exploits for CVE-2020-17382
ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
PowerDrive: A tool for de-obfuscating PowerShell scripts
reGeorg-Weblogic: reGeorg的特殊版本，适用于老版本weblogic。
AMSI.fail4: C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
Cloudtopolis: Zero Infrastructure Password Cracking
UltimateWDACBypassList: A centralized resource for previously documented WDAC bypass techniques
slipstream: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP services bound to a victim machine, bypassing the victim’s NAT/firewall, just by anyone on the victim's network visiting a website
eBook-BypassingAVsByCSharp: eBook "Bypassing AVS by C#.NET Programming" (Free Chapters only)
ScatterBrain: Suite of Shellcode Running Utilities
herpaderping: Process Herpaderping proof of concept, tool, and technical deep dive. Process Herpaderping bypasses security products by obscuring the intentions of a process.
RedTeam-OffensiveSecurity: Tools & Interesting Things for RedTeam Ops
.NET-Obfuscator: Lists of .NET Obfuscator (Free, Freemium, Paid and Open Source )
MSBuildShell: MSBuildShell, a Powershell Host running within MSBuild.exe
SocksProxyServer-Plugin: Socks Proxy Server Plugin for Invoke-SocksProxy
Go4aRun: Shellcode runner in GO that incorporates shellcode encryption, remote process injection, block dlls, and spoofed parent process
WSuspicious: WSuspicious - A tool to abuse insecure WSUS connections for privilege escalations
cypheroth: Automated, extensible toolset that runs cypher queries against Bloodhound's Neo4j backend and saves output to spreadsheets.
CPLDropper: A Control Panel Applet dropper project. It has a high success rate on engagements since nobody cares about .CPL files and you can just double click them.
rpc2socks: Post-exploit tool that enables a SOCKS tunnel via a Windows host using an extensible custom RPC proto over SMB through a named pipe.
DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification
beanshooter: JMX enumeration and attacking tool.
PinSwipe: Smart Card PIN swiping DLL
UltimateAppLockerByPassList: The goal of this repository is to document the most common techniques to bypass AppLocker.
redteam: Red Team Scripts by d0nkeys (ex SnadoTeam)
SharpSecDump: .Net port of the remote SAM + LSA Secrets dumping functionality of impacket's secretsdump.py
mikrot8over: mikrot8over: Fast exploitation tool for Mikrotik RouterOS up to 6.38.4
UrbanBishopLocal: A port of FuzzySecurity's UrbanBishop project for inline shellcode execution
Gopher: C# tool to discover low hanging fruits
nosqli: NoSql Injection CLI tool, for finding vulnerable websites using MongoDB.
AMSI.fail: C# Azure Function with an HTTP trigger that generates obfuscated PowerShell snippets that break or disable AMSI for the current process.
sshiva: C# application that allows you to quick run SSH commands against a host or list of hosts
nccfsas: Information released publicly by NCC Group's Full Spectrum Attack Simulation (FSAS) team.
CVE-2020-1472: PoC for Zerologon - all research credits go to Tom Tervoort of Secura
bantam: A PHP backdoor management and generation tool/C2 featuring end to end encrypted payload streaming designed to bypass WAF, IDS, SIEM systems.
exphub: Exphub[漏洞利用脚本库] 包括Webloigc、Struts2、Tomcat、Nexus、Solr、Jboss、Drupal的漏洞利用脚本，最新添加CVE-2020-14882、CVE-2020-11444、CVE-2020-10204、CVE-2020-10199、CVE-2020-1938、CVE-2020-2551、CVE-2020-2555、CVE-2020-2883、CVE-2019-17558、CVE-2019-6340
CVE-Reverse: None
hot-manchego: Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
CVE-2020-1472: Test tool for CVE-2020-1472
BloodHoundQueries: None
crimson-forge: Sustainable shellcode evasion
EmailGen: A simple email generator that uses dorks on Bing to generate emails from LinkedIn Profiles.
aes-finder: Utility to find AES keys in running processes
pywsus: Standalone implementation of a part of the WSUS spec. Built for offensive security purposes.
EvtMute: Apply a filter to the events being reported by windows event logging
SAML2Spray: Python Script for SAML2 Authentication Passwordspray
GoPurple: Yet another shellcode runner consists of different techniques for evaluating detection capabilities of endpoint security solutions
BananaPhone: It's a go variant of Hells gate! (directly calling windows kernel functions, but from Go!)
Jenkins_Hunter_CSharp: C# implementation of my original Jenkins Hunter script (orig in python). It uses threading to search for unauthenticated Jenkins instances on ports 8080, 80, and 443. Author: Cedric Owens
tickey: Tool to extract Kerberos tickets from Linux kernel keys.
ppid-spoofing: Scripts for performing and detecting parent PID spoofing
SharpKatz: Porting of mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands
xxexploiter: Tool to help exploit XXE vulnerabilities
jaeles: The Swiss Army knife for automated Web Application Testing
WebHackersWeapons: ⚔️ Web Hacker's Weapons / A collection of cool tools used by Web hackers. Happy hacking , Happy bug-hunting
SharpCollection: Nightly builds of common C# offensive tools, fresh from their respective master branches built and released in a CDI fashion using Azure DevOps release pipelines.
ADCollector: A lightweight tool to quickly extract valuable information from the Active Directory environment for both attacking and defending.
Windows-Setup-EoP: None
SharpDPAPI: SharpDPAPI is a C# port of some Mimikatz DPAPI functionality.
SharpEDRChecker: Checks running processes, process metadata, Dlls loaded into your current process and the each DLLs metadata, common install directories, installed services and each service binaries metadata, installed drivers and each drivers metadata, all for the presence of known defensive products such as AV's, EDR's and logging tools.
Zolom: C# Executable with embedded Python that can be used reflectively to run python code on systems without Python installed
PEzor: Open-Source Shellcode & PE Packer
ProcessInjection: This program is designed to demonstrate various process injection techniques
Obfuscator: The program is designed to obfuscate the shellcode.
PowerSharpPack: None
tomcatWarDeployer: Apache Tomcat auto WAR deployment & pwning penetration testing tool.
fireprox: AWS API Gateway management tool for creating on the fly HTTP pass-through proxies for unique IP rotation
spotter: Targeted Payload Execution
espoofer: An email spoofing testing tool that aims to bypass SPF/DKIM/DMARC and forge DKIM signatures.🍻
dropengine: DropEngine provides a malleable framework for creating shellcode runners, allowing operators to choose from a selection of components and combine them to create highly sophisticated payloads within seconds.
overlord: Overlord - Red Teaming Infrastructure Automation
exe_to_dll: Converts a EXE into DLL
Nuitka: Nuitka is a Python compiler written in Python. It's fully compatible with Python 2.6, 2.7, 3.4-3.13. You feed it your Python app, it does a lot of clever things, and spits out an executable or extension module.
RedTeamCSharpScripts: C# Script used for Red Team
Ciphey: ⚡ Automatically decrypt encryptions without knowing the key or cipher, decode encodings, and crack hashes ⚡
BruteShark: Network Analysis Tool
CVE-2020-1313: Proof of concept exploit of Windows Update Orchestrator Service Elevation of Privilege Vulnerability
IOXIDResolver: IOXIDResolver.py from AirBus Security
RedCsharp: Collection of C# projects. Useful for pentesting and redteaming.
HackBrowserData: Extract and decrypt browser data, supporting multiple data types, runnable on various operating systems (macOS, Windows, Linux).
github-readme-stats: ⚡ Dynamically generated stats for your github readmes
SpaceRunner: This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace.
ldapdomaindump: Active Directory information dumper via LDAP
CVE-2020-15778: None
NET-Obfuscate: Obfuscate ECMA CIL (.NET IL) assemblies to evade Windows Defender AMSI
Phantom-Evasion: Python antivirus evasion tool
RuralBishop: D/Invoke port of UrbanBishop
Mapping-Injection: Just another Windows Process Injection
PowerShell-for-Pentesters: PowerShell for Pentesters
tsunami-security-scanner: Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence.
PSBits: Simple (relatively) things allowing you to dig a bit deeper than usual.
WMIHACKER: A Bypass Anti-virus Software Lateral Movement Command Execution Tool
SharpRDPHijack: A proof-of-concept Remote Desktop (RDP) session hijack utility
CVE-2020-5902: CVE-2020-5902 BIG-IP
cve-2020-1054: LPE for CVE-2020-1054 targeting Windows 7 x64
BLUESPAWN: An Active Defense and EDR software to empower Blue Teams
Pwdb-Public: A collection of all the data i could extract from 1 billion leaked credentials from internet.
Active-Directory-Exploitation-Cheat-Sheet: A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
avcleaner: C/C++ source obfuscator for antivirus bypass
easBrowseSharefile: Use to browse the share file by eas(Exchange Server ActiveSync)
OutlookSend: A C# tool to send emails through Outlook from the command line or in memory
SharpMiniDump: Create a minidump of the LSASS process from memory
CloudPentestCheatsheets: This repository contains a collection of cheatsheets I have put together for tools related to pentesting organizations that leverage cloud providers.
SharpBlock: A method of bypassing EDR's active projection DLL's by preventing entry point exection
Octopus: Open source pre-operation C2 server based on python and powershell
ntlm_theft: A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf)
hollows_hunter: Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches).
pe-sieve: Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).
BetterSafetyKatz: Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.
SharpChisel: C# Wrapper around Chisel from https://github.com/jpillora/chisel
dll_to_exe: Converts a DLL into EXE
pe_to_shellcode: Converts PE into a shellcode
SharpHellsGate: C# Implementation of the Hell's Gate VX Technique
hellscape: GIMPLE obfuscator for C, C++, Go, ... all supported GCC targets and front-ends that use GIMPLE.
stager.dll: Code from this article: https://blog.rapid7.com/2018/05/03/hiding-metasploit-shellcode-to-evade-windows-defender/
GolanginCsharp: Project to use Golang inside C#
shad0w: A post exploitation framework designed to operate covertly on heavily monitored environments
SyscallPOC: Shellcode injection POC using syscalls.
Snaffler: a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 ( Twitter: @/mikeloss and @/sh3r4_hax )
HellsGate: Original C Implementation of the Hell's Gate VX Technique
o365enum: Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1, or office.com login page.
top10webseclist: Top Ten Web Hacking Techniques List
SMBGhost_RCE_PoC: None
Ninjasploit: A meterpreter extension for applying hooks to avoid windows defender memory scans
AMSITrigger: The Hunt for Malicious Strings
Corporate_Masks: 8-14 character Hashcat masks based on analysis of 1.5 million NTLM hashes cracked while pentesting
OffensiveCSharp: Collection of Offensive C# Tooling
rmiscout: RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities
sgn: Shikata ga nai (仕方がない) encoder ported into go with several improvements
PhishAPI: Comprehensive Web Based Phishing Suite for Rapid Deployment and Real-Time Alerting!
pingtunnel: Pingtunnel is a tool that send TCP/UDP traffic over ICMP
ligolo: Reverse Tunneling made easy for pentesters, by pentesters https://sysdream.com/
invoker: Penetration testing utility and antivirus assessment tool.
DNSlivery: Easy files and payloads delivery over DNS
InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
Priv2Admin: Exploitation paths allowing you to (mis)use the Windows Privileges to elevate your rights within the OS.
AES-PowerShellCode: Standalone version of my AES Powershell payload for Cobalt Strike.
awesome_windows_logical_bugs: collect for learning cases
WSMan-WinRM: A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object
AVSignSeek: Tool written in python3 to determine where the AV signature is located in a binary/payload
WatchAD: AD Security Intrusion Detection System
SharpAllTheThings: The idea is to collect all the C# projects that are Sharp{Word} that can be used in Cobalt Strike as execute assembly command.
Pentest-and-Development-Tips: A collection of pentest and development tips
Windows-EventLog-Bypass: Use subProcessTag Value From TEB to identify Event Log Threads
RunasCs: RunasCs - Csharp and open version of windows builtin runas.exe
PSMemory: Automation Capable Multi Search 64 Bit Windows Memory Scanner
gitscraper: A tool which scrapes public github repositories for common naming conventions in variables, folders and files
cyberchef-recipes: A list of cyber-chef recipes and curated links
win-brute-logon: Crack any Microsoft Windows users password without any privilege (Guest account included)
CLRvoyance: Managed assembly shellcode generation
BlockEtw: .Net Assembly to block ETW telemetry in current process
PrintDemon: PrintDemon is a PoC for a series of issues in the Windows Print Spooler service, as well as potetial misuses of the functionality.
ilo4_toolbox: Toolbox for HPE iLO4 & iLO5 analysis
RoguePotato: Another Windows Local Privilege Escalation from Service Account to System
BadPotato: Windows 权限提升 BadPotato
xc: A small reverse shell for Linux & Windows
pwncat: pwncat - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and its fully scriptable with Python (PSE)
VmdkReader: .NET 4.0 Console App to browse VMDK / VHD images and extract files
NetLoader: Loads any C# binary in mem, patching AMSI + ETW.
SocksOverRDP: Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop
PPLKiller: Protected Processes Light Killer
rbcd-attack: Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket
ESC: Evil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.
faxhell: A Bind Shell Using the Fax Service and a DLL Hijack
PrintSpoofer: Abusing impersonation privileges through the "Printer Bug"
Invoke-Vnc: Powershell VNC injector
Mitigating-Web-Shells: Guidance for mitigation web shells. #nsacyber
CVE-2020-0668: Use CVE-2020-0668 to perform an arbitrary privileged file move operation.
awesome-rtc-hacking: a list of awesome resources related to security and hacking of VoIP, WebRTC and VoLTE
CursedChrome: Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims.
Rubeus-Rundll32: Run Rubeus via Rundll32
EmbedInHTML: Embed and hide any file in an HTML file
gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
RDPassSpray: Python3 tool to perform password spraying using RDP
ShellcodeWrapper: Shellcode wrapper with encryption for multiple target languages
atomic-red-team: Small and highly portable detection tests based on MITRE's ATT&CK.
chisel: A fast TCP/UDP tunnel over HTTP
Pentesting: Tricks for penetration testing
go-shellcode: A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques.
AMSI_Ordinal_Bypass: Bypass AMSI and Defender using Ordinal Values
vmware_vcenter_cve_2020_3952: Exploit for CVE-2020-3952 in vCenter 6.7
ParamSpider: Mining URLs from dark corners of Web Archives for bug hunting/fuzzing/further probing
ROADtools: A collection of Azure AD/Entra tools for offensive and defensive security purposes
pwndrop: Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV.
NetNTLMtoSilverTicket: SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket
CSExec: An implementation of PSExec in C#
Disable-Windows-Defender: Changing values to bypass windows defender C#
Lime-Crypter: Simple obfuscation tool
LimeUSB-Csharp: Malware USB Spread | Example C#
GhostBuild: GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
SharpHound3: C# Data Collector for the BloodHound Project, Version 3
Get-RBCD-Threaded: Tool to discover Resource-Based Constrained Delegation attack paths in Active Directory environments
CSharpSetThreadContext: C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread
WireTap: .NET 4.0 Project to interact with video, audio and keyboard hardware.
SharpCloud: Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
default-http-login-hunter: Login hunter of default credentials for administrative web interfaces leveraging NNdefaccts dataset.
darkarmour: Windows AV Evasion
PEASS-ng: PEASS - Privilege Escalation Awesome Scripts SUITE (with colors)
Ghost-In-The-Logs: Evade sysmon and windows event logging
C3: Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.
changeling: Change up a binary's embedded resources with this little creature.
c-sharp-memory-injection: A set of scripts that demonstrate how to perform memory injection in C#
SharpChromium: .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.
Erebus: CobaltStrike后渗透测试插件
AV_Bypass: Evading Anti-Virus with Unusual Technique
Cobalt_Strike_wiki: Cobalt Strike系列
VisualBasicObfuscator: Visual Basic Code universal Obfuscator intended to be used during penetration testing assignments.
mcafee-config-decrypt: None
CVE-2020-0796: CVE-2020-0796 - Windows SMBv3 LPE exploit #SMBGhost
Lockless: Lockless allows for the copying of locked files.
Stracciatella: OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, Constrained Language Mode and Script Block Logging disabled at startup
Penetration-Testing-Tools: A collection of more than 170+ tools, scripts, cheatsheets and other loots that I've developed over years for Red Teaming/Pentesting/IT Security audits purposes.
donut-demos: Demos of Donut used in conferences, etc. Mostly for my use, but free for others to use as a reference.
spoofing-office-macro: 🐟 PoC of a VBA macro spawning a process with a spoofed parent and command line.
MoveKit: Cobalt Strike kit for Lateral Movement
SharpClipboard: C# Clipboard Monitor
C2concealer: C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
AggressorCollection: Collection of awesome Cobalt Strike Aggressor Scripts. All credit due to the authors
AggressorScripts: Collection of Aggressor scripts for Cobalt Strike 3.0+ pulled from multiple sources
LOLBITS: ** DISCONTINUED ** C2 framework that uses Background Intelligent Transfer Service (BITS) as communication protocol and Direct Syscalls + Dinvoke for EDR user-mode hooking evasion.
awesome-bloodhound: A curated list of awesome BloodhoundAD resources
MSOLSpray: A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled.
SMBGhost: Scanner for CVE-2020-0796 - SMBv3 RCE
pickl3: Windows active user credential phishing tool
SharpDoor: SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file.
SauronEye: Search tool to find specific files containing specific words, i.e. files containing passwords..
PoC-in-GitHub: 📡 PoC auto collect from GitHub. ⚠️ Be careful Malware.
CVE-2020-2551: Weblogic IIOP CVE-2020-2551
hardening: Repository of Hardening Guides
SharpShares: Enumerate all network shares in the current domain. Also, can resolve names to IP addresses.
MiscTools: Miscellaneous Tools
MaliciousMacroMSBuild: Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass.
mssqlproxy: mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse
FullPowers: Recover the default privilege set of a LOCAL/NETWORK SERVICE account
SharpHide: Tool to create hidden registry keys.
Ghostcat-CNVD-2020-10487: Ghostcat read file/code execute,CNVD-2020-10487(CVE-2020-1938)
pupy: OpenSource cross-platform python security toolkit (remote shell)
phpsploit: Full-featured C2 framework which silently persists on webserver with a single-line PHP backdoor
pyrdp: RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact
cve-2020-0688: cve-2020-0688
PrivescCheck: Privilege Escalation Enumeration Script for Windows
EvilClippy: A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.
SharpMove: .NET Project for performing Authenticated Remote Execution
SharpCOM: CSHARP DCOM Fun
NoAmci: Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().
RedELK: Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.
GadgetToJScript: A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
GadgetProbe: Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.
updog: Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.
NTLMRecon: Enumerate information from NTLM authentication enabled web endpoints 🔎
desharialize: None
GMSAPasswordReader: None
RedTeaming-Tactics-and-Techniques: Red Teaming Tactics and Techniques
Shr3dKit: Red Team Tool Kit
weblogic-scan: weblogic 漏洞扫描工具
cmd.jsp: A super small jsp webshell with file upload capabilities.
fakelogonscreen: Fake Windows logon screen to steal passwords
Checklists: Red Teaming & Pentesting checklists for various engagements
Sharp-Suite: Also known by Microsoft as Knifecoat 🌶️
Scripts: Small scripts that make life better
BadBlood: BadBlood by @davidprowe, Secframe.com, fills a Microsoft Active Directory Domain with a structure and thousands of objects. The output of the tool is a domain similar to a domain in the real world. After BadBlood is ran on a domain, security analysts and engineers can practice using tools to gain an understanding and prescribe to securing Active Directory. Each time this tool runs, it produces different results. The domain, users, groups, computers and permissions are different. Every. Single. Time.
at-ps: Adversary Tactics - PowerShell Training
SharpRDP: Remote Desktop Protocol .NET Console Application for Authenticated Command Execution
satellite: easy-to-use payload hosting
PowerZure: PowerShell framework to assess Azure security
CVE-2019-13272: Linux 4.10 < 5.1.17 PTRACE_TRACEME local root
tas: A tiny framework for easily manipulate the tty and create fake binaries.
PowerShellArmoury: A PowerShell armoury for security guys and girls
Red-Baron: Automate creating resilient, disposable, secure and agile infrastructure for Red Teams.
automatic-api-attack-tool: Imperva's customizable API attack tool takes an API specification as an input, generates and runs attacks that are based on it as an output.
PoisonHandler: lateral movement techniques that can be used during red team exercises
cve-2019-19781: This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.
CVE-2019-1215: None
command-injection-payload-list: 🎯 Command Injection Payload List
GadgetToJScript: A tool for generating .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized using BinaryFormatter from JS/VBS/VBA based scripts.
genxlm: A simple script to generate JScript code for calling Win32 API functions using XLM/Excel 4.0 macros via Excel.Application "ExecuteExcel4Macro"
python-exe-unpacker: A helper script for unpacking and decompiling EXEs compiled from python code.
lsassy: Extract credentials from lsass remotely
EVTX-ATTACK-SAMPLES: Windows Events Attack Samples
static-binaries: Various *nix tools built as statically-linked binaries
CVE-2019-18935: RCE exploit for a .NET JSON deserialization vulnerability in Telerik UI for ASP.NET AJAX.
Bloodhound-Custom-Queries: Custom Query list for the Bloodhound GUI based off my cheatsheet
uptux: Linux privilege escalation checks (systemd, dbus, socket fun, etc)
chashell: Chashell is a Go reverse shell that communicates over DNS. It can be used to bypass firewalls or tightly restricted networks.
pentest_compilation: Compilation of commands, tips and scripts that helped me throughout Vulnhub, Hackthebox, OSCP and real scenarios
ABPTTS: TCP tunneling over HTTP/HTTPS for web application servers
exe2hex: Inline file transfer using in-built Windows tools (DEBUG.exe or PowerShell).
CVE-2019-2890: None
RogueWinRM: Windows Local Privilege Escalation from Service Account to System
linux-kernel-exploits: linux-kernel-exploits Linux平台提权漏洞集合
ATPMiniDump: Evading WinDefender ATP credential-theft
PRETty: "PRinter Exploitation Toolkit" LAN automation tool
spraykatz: Credentials gathering tool automating remote procdump and parse of lsass process.
DockerPwn.py: Python automation of Docker.sock abuse
snek: PowerShell wrapper around Python for .NET to invoke Python from PowerShell
jwt_tool: 🐍 A toolkit for testing, tweaking and cracking JSON Web Tokens
SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA to run command
RdpThief: Extracting Clear Text Passwords from mstsc.exe using API Hooking.
Bluekeep-scanner: BlueKeep powershell scanner (based on c# code)
WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer (headless Chrome/Chromium) and provides some extra bells & whistles to make life easier.
cve-2019-1040-scanner: None
SUID3NUM: A standalone python script which utilizes python's built-in modules to enumerate SUID binaries, separate default binaries from custom binaries, cross-match those with bins in GTFO Bin's repository & auto-exploit those, all with colors! ( ͡~ ͜ʖ ͡°)
GTFOBLookup: Offline command line lookup utility for GTFOBins (https://github.com/GTFOBins/GTFOBins.github.io), LOLBAS (https://github.com/LOLBAS-Project/LOLBAS), WADComs (https://wadcoms.github.io), and HijackLibs (https://hijacklibs.net/).
RCEScanner: Simple python script to extract unsafe functions from php projects
impacket_static_binaries: Standalone binaries for Linux/Windows of Impacket's examples
phuip-fpizdam: Exploit for CVE-2019-11043
SUDO_KILLER: A tool designed to exploit a privilege escalation vulnerability in the sudo program on Unix-like systems. It takes advantage of a specific misconfiguration or flaw in sudo to gain elevated privileges on the system, essentially allowing a regular user to execute commands as the root user.
aclpwn.py: Active Directory ACL exploitation with BloodHound
Lovely-Potato: Automating juicy potato local privilege escalation exploit for penetration testers
demiguise: HTA encryption tool for RedTeams
javascript-obfuscator: A powerful obfuscator for JavaScript and Node.js
thetick: A simple embedded Linux backdoor.
Kerberos.NET: A Kerberos implementation built entirely in managed code.
CVE-2019-1253: None
isf: ISF(Industrial Security Exploitation Framework) is a exploitation framework based on Python.
awesome-industrial-control-system-security: A curated list of resources related to Industrial Control System (ICS) security.
FindFrontableDomains: Search for potential frontable domains
Red-Team-Infrastructure-Wiki: Wiki to collect Red Team infrastructure hardening resources
VBA-RunPE: A VBA implementation of the RunPE technique or how to bypass application whitelisting.
awesome-shodan-queries: 🔍 A collection of interesting, funny, and depressing search queries to plug into shodan.io 👩‍💻
ConPtyShell: ConPtyShell - Fully Interactive Reverse Shell for Windows
osmedeus: A Workflow Engine for Offensive Security
WeblogicScan: Weblogic一键漏洞检测工具，V1.5，更新时间：20200730
SharpSniper: Find specific users in active directory via their username and logon IP address
CVE-2019-1253: Poc for CVE-2019-1253
Nosql-Exploitation-Framework: A Python Framework For NoSQL Scanning and Exploitation
DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. It will automatically generate a userlist from the domain which excludes accounts that are expired, disabled locked out, or within 1 lockout attempt.
nac_bypass: Script collection to bypass Network Access Control (NAC, 802.1x)
vulscan: Advanced vulnerability scanning with Nmap NSE
SharPersist: None
SharpClipHistory: SharpClipHistory is a .NET application written in C# that can be used to read the contents of a user's clipboard history in Windows 10 starting from the 1809 Build.
pwn_jenkins: Notes about attacking Jenkins servers
defcon27_csharp_workshop: Writing custom backdoor payloads with C# - Defcon 27 Workshop
Empire: Empire is a post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.
off-by-slash: Burp extension to detect alias traversal via NGINX misconfiguration at scale.
gtfo: Search gtfobins and lolbas files from your terminal
IR-Tools: IR-Tools - PowerShell tools for IR
UsoDllLoader: Windows - Weaponizing privileged file writes with the Update Session Orchestrator service
btlejack: Bluetooth Low Energy Swiss-army knife
Zeratool: Automatic Exploit Generation (AEG) and remote flag capture for exploitable CTF problems
ctftool: Interactive CTF Exploration Tool
ILSpy: .NET Decompiler with support for PDB generation, ReadyToRun, Metadata (&more) - cross-platform!
CheckPlease: Sandbox evasion modules written in PowerShell, Python, Go, Ruby, C, C#, Perl, and Rust.
ropstar: Automatic exploit generation for simple linux pwn challenges.
Covenant: Covenant is a collaborative .NET C2 framework for red teamers.
BADministration: None
mjet: MOGWAI LABS JMX exploitation toolkit
BloodhoundAD-Queries: None
RAI: Rapid Attack Infrastructure (RAI)
dirble: Fast directory scanning and scraping tool
o365-attack-toolkit: A toolkit to attack Office365
PoshC2: A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.
dsvpn: A Dead Simple VPN.
PENTESTING-BIBLE: articles
CrossLinked: LinkedIn enumeration tool to extract valid employee names from an organization through search engine scraping
dtd-finder: List DTDs and generate XXE payloads using those local DTDs.
CallObfuscator: Obfuscate specific windows apis with different apis
evil-winrm: The ultimate WinRM shell for hacking/pentesting
PSByPassCLM: Bypass for PowerShell Constrained Language Mode
LOGITacker: Enumerate and test Logitech wireless input devices for vulnerabilities with a nRF52840 radio dongle.
Rock-ON: Rock-On is a all in one Recon tool that will just get a single entry of the Domain name and do all of the work alone.
nps_payload: This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. Written by Larry Spohn (@Spoonman1091) Payload written by Ben Mauch (@Ben0xA) aka dirty_ben
redis-rce: Redis 4.x/5.x RCE
HackTheWorld: An Python Script For Generating Payloads that Bypasses All Antivirus so far .
DotNetToJScript: A tool to create a JScript file which loads a .NET v2 assembly from memory.
Invoke-TheHash: PowerShell Pass The Hash Utils
PSDecode: PowerShell script for deobfuscating encoded PowerShell scripts
Scanners-Box: A powerful and open-source toolkit for hackers and security automation - 安全行业从业者自研开源扫描器合辑
linux-smart-enumeration: Linux enumeration tool for pentesting and CTFs with verbosity levels
SharpGPOAbuse: SharpGPOAbuse is a .NET application written in C# that can be used to take advantage of a user's edit rights on a Group Policy Object (GPO) in order to compromise the objects that are controlled by that GPO.
BaRMIe: Java RMI enumeration and attack tool.
PivotSuite: Network Pivoting Toolkit
Intensio-Obfuscator: Obfuscate a python code 2.x and 3.x
SharpSpray: SharpSpray a simple code set to perform a password spraying attack against all users of a domain using LDAP and is compatible with Cobalt Strike.
Windows-RCE-exploits: The exploit samples database is a repository for RCE (remote code execution) exploits and Proof-of-Concepts for WINDOWS, the samples are uploaded for education purposes for red and blue teams.
FakeImageExploiter: Use a Fake image.jpg to exploit targets (hide known file extensions)
server-status_PWN: A script that monitors and extracts requested URLs and clients connected to the service by exploiting publicly accessible Apache server-status instances.
sRDI: Shellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
Dumpert: LSASS memory dumper using direct system calls and API unhooking.
SSRFmap: Automatic SSRF fuzzer and exploitation tool
sliver: Adversary Emulation Framework
Watson: Enumerate missing KBs and suggest exploits for useful Privilege Escalation vulnerabilities
BurpJSLinkFinder: Burp Extension for a passive scanning JS files for endpoint links.
liffy: Local file inclusion exploitation tool
mXtract: mXtract - Memory Extractor & Analyzer
SharpPolarBear: Privesc through import of Sheduled tasks + Hardlinks - CVE-2019-1069
Invoke-CredentialPhisher: None
sjet: siberas JMX exploitation toolkit
ReverseTCPShell: PowerShell ReverseTCP Shell - Framework
SharpLocker: None
OSCP-Archives: An archive of everything related to OSCP
PowerAvails: PowerAvails is a unit of collection of Powershell modules that help you get done many things
RDPInception: A proof of concept for the RDP Inception Attack
exploits: Some of my exploits.
ntlmv1-multi: NTLMv1 Multitool
CollectorService: None
DefenderCheck: Identifies the bytes that Microsoft Defender flags on.
ssh-badkeys: A collection of static SSH keys (public and private) that have made their way into software and hardware products.
Invoke-CradleCrafter: PowerShell Remote Download Cradle Generator & Obfuscator
wifi_ducky: Upload, save and run keystroke injection payloads with an ESP8266 + ATMEGA32U4
trackerjacker: Like nmap for mapping wifi networks you're not connected to, plus device tracking
The-Hackers-Hardware-Toolkit: The best hacker's gadgets for Red Team pentesters and security researchers.
Awesome-Red-Teaming: List of Awesome Red Teaming Resources
Win10-Initial-Setup-Script: PowerShell script for automation of routine tasks done after fresh installations of Windows 10 / Server 2016 / Server 2019
linux-exploit-suggester: Linux privilege escalation auditing tool
donut: Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters
Egress-Assess: Egress-Assess is a tool used to test egress data detection capabilities
OPCDE: OPCDE Cybersecurity Conference Materials
sap_ms: SAP Message Server research presented at OPCDE 2019
SAP_GW_RCE_exploit: SAP Gateway RCE exploits
dirscraper: OSINT scanning tool which discovers and maps directories found in javascript files hosted on a website.
KeyTabExtract: Extracts Key Values from .keytab files
BloodHound.py: A Python based ingestor for BloodHound
lor-axe: 🪓 a multi-threaded, low-bandwidth HTTP DOS tool
Vulmap: Vulmap Online Local Vulnerability Scanners Project
Dell-Support-Assist-RCE-PoC: None
pspy: Monitor linux processes without root permissions
PowerHub: A post exploitation tool based on a web application, focusing on bypassing endpoint protection and application whitelisting
PSWinReporting: This PowerShell Module has multiple functionalities, but one of the signature features of this module is the ability to parse Security logs on Domain Controllers providing easy to use access to AD Events.
Salsa-tools: Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP/Shellcode/SILENTTRINITY and AV bypass, AMSI patched
xrdp: A rudimentary remote desktop tool for the X11 protocol exploiting unauthenticated x11 sessions
WSC2: A WebSocket C2 Tool
adidnsdump: Active Directory Integrated DNS dumping by any authenticated user
viewgen: Viewgen is a ViewState tool capable of generating both signed and encrypted payloads with leaked validation keys
RCEvil.NET: None
ad-password-protection: Active Directory password filter featuring breached password checking and custom complexity rules
phpstan: PHP Static Analysis Tool - discover bugs in your code without running it!
Arjun: HTTP parameter discovery suite.
CredsLeaker: Credsleaker allows an attacker to craft a highly convincing credentials prompt using Windows Security, validate it against the DC and in turn leak it via an HTTP request.
sudo_inject: [Linux] Two Privilege Escalation techniques abusing sudo token
awesome-windows-security: List of Awesome Windows Security Resources
adconnectdump: Dump Azure AD Connect credentials for Azure AD and Active Directory
DeathMetal: Red team & penetration testing tools to exploit the capabilities of Intel AMT
DeTTECT: Detect Tactics, Techniques & Combat Threats
SharpCradle: None
Invoke-PSImage: Encodes a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
PSAmsi: PSAmsi is a tool for auditing and defeating AMSI signatures.
SharpExec: None
CMSmap: CMSmap is a python open source CMS scanner that automates the process of detecting security flaws of the most popular CMSs.
pwdumpstats: Script to output stats around weak passwords and password re-use from an NtdsAudit (pwdump) file
SlackPirate: Slack Enumeration and Extraction Tool - extract sensitive information from a Slack Workspace
ArchiveBox: 🗃 Open source self-hosted web archiving. Takes URLs/browser history/bookmarks/Pocket/Pinboard/etc., saves HTML, JS, PDFs, media, and more...
CVE-2018-15473-Exploit: Exploit written in Python for CVE-2018-15473 with threading and export formats
commando-vm: Complete Mandiant Offensive VM (Commando VM), a fully customizable Windows-based pentesting virtual machine distribution. [email protected]
EventLogParser: Parse PowerShell and Security event logs for sensitive information.
s7scan: The tool for enumerating Siemens S7 PLCs through TCP/IP or LLC network
isf: ISF(Industrial Control System Exploitation Framework)，a exploitation framework based on Python
Hwacha: Deploy payloads to *Nix systems en masse
DET: (extensible) Data Exfiltration Toolkit (DET)
angularjs-csti-scanner: Automated client-side template injection (sandbox escape/bypass) detection for AngularJS v1.x.
McAfeeForOutlook: Beef hook OWA / Outlook
EWSToolkit: Abusing Exchange via EWS
Nope-Proxy: TCP/UDP Non-HTTP Proxy Extension (NoPE) for Burp Suite.
SharpAllowedToAct: Computer object takeover through Resource-Based Constrained Delegation (msDS-AllowedToActOnBehalfOfOtherIdentity)
P4wnP1_aloa: P4wnP1 A.L.O.A. by MaMe82 is a framework which turns a Rapsberry Pi Zero W into a flexible, low-cost platform for pentesting, red teaming and physical engagements ... or into "A Little Offensive Appliance".
Naga: A C# stager for SILENTTRINITY (https://github.com/byt3bl33d3r/SILENTTRINITY)
Excel4-DCOM: PowerShell and Cobalt Strike scripts for lateral movement using Excel 4.0 / XLM macros via DCOM (direct shellcode injection in Excel.exe)
Random: Assorted scripts and one off things
SpoolSample: PoC tool to coerce Windows hosts authenticate to other machines via the MS-RPRN RPC interface. This is possible via other protocols as well.
SpoolerScanner: Check if MS-RPRN is remotely available with powershell/c#
p0wny-shell: Single-file PHP shell
inql: InQL is a robust, open-source Burp Suite extension for advanced GraphQL testing, offering intuitive vulnerability detection, customizable scans, and seamless Burp integration.
linux-exploit-suggester-2: Next-Generation Linux Kernel Exploit Suggester
CarbonCopy: A tool which creates a spoofed certificate of any online website and signs an Executable for AV Evasion. Works for both Windows and Linux
Password-Scripts: A collection of scripts that help with different aspects of password cracking, such as wordlist generation, mask analysis, and positional character frequency.
SILENTTRINITY: An asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
goca: Goca Scanner
goscan: Interactive Network Scanner
SharpView: C# implementation of harmj0y's PowerView
SharPyShell: SharPyShell - tiny and obfuscated ASP.NET webshell for C# web applications
Invoke-UserSimulator: Simulates common user behaviour on local and remote Windows hosts.
ghidra: Ghidra is a software reverse engineering (SRE) framework
gobfuscate: Obfuscate Go binaries and packages
kekeo: A little toolbox to play with Microsoft Kerberos in C
wesng: Windows Exploit Suggester - Next Generation
phishery: An SSL Enabled Basic Auth Credential Harvester with a Word Document Template URL Injector
GCPBucketBrute: A script to enumerate Google Storage buckets, determine what access you have to them, and determine if they can be privilege escalated.
Exchange2domain: CVE-2018-8581
dirty_sock: Linux privilege escalation exploit via snapd (CVE-2019-7304)
ExchangeRelayX: An NTLM relay tool to the EWS endpoint for on-premise exchange servers. Provides an OWA for hackers.
MicroBurst: A collection of scripts for assessing Microsoft Azure security
PassHunt: Search drives for documents containing passwords
Rubeus: Trying to tame the three-headed dog.
krbrelayx: Kerberos unconstrained delegation abuse toolkit
jackit: JackIt - Exploit Code for Mousejack
DKMC: DKMC - Dont kill my cat - Malicious payload evasion tool
phpggc: PHPGGC is a library of PHP unserialize() payloads along with a tool to generate them, from command line or programmatically.
Grouper2: Find vulnerabilities in AD Group Policy
mousejack: MouseJack device discovery and research tools
inception: A highly configurable Framework for easy automated web scanning
SharpExchangePriv: A C# implementation of PrivExchange by @_dirkjan.
PrivExchange: Exchange your privileges for Domain Admin privs by abusing Exchange
bypass-firewalls-by-DNS-history: Firewall bypass script based on DNS history records. This script will search for DNS A history records and check if the server replies for that domain. Handy for bugbounty hunters.
h8mail: Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email
SharpMeter: None
PCredz: This tool extracts Credit card numbers, NTLM(DCE-RPC, HTTP, SQL, LDAP, etc), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc from a pcap file or from a live interface.
oxml_xxe: A tool for embedding XXE/XML exploits into different filetypes
post-exploitation: Post Exploitation Collection
sandcat: An open-source, pentest and developer-oriented web browser, using the power of Lua
the-book-of-secret-knowledge: A collection of inspiring lists, manuals, cheatsheets, blogs, hacks, one-liners, cli/web tools and more.
awesome-web-security: 🐶 A curated list of Web Security materials and resources.
Breacher: An advanced multithreaded admin panel finder written in python.
Zen: Find emails of Github users
java-deserialization-exploits: A collection of curated Java Deserialization Exploits
SharpWeb: .NET 2.0 CLR project to retrieve saved browser credentials from Google Chrome, Mozilla Firefox and Microsoft Internet Explorer/Edge.
SSHPry2.0: SSHPry v2 - Spy & Control os SSH Connected client's TTY
nopowershell: PowerShell rebuilt in C# for Red Teaming purposes
FOCA: Tool to find metadata and hidden information in the documents.
fuzz.txt: Potentially dangerous files
Windows-Post-Exploitation: Windows post-exploitation tools, resources, techniques and commands to use during post-exploitation phase of penetration test. Contributions are appreciated. Enjoy!
Invisi-Shell: Hide your Powershell script in plain sight. Bypass all Powershell security features
WinPwn: Automation for internal Windows Penetrationtest / AD-Security
awesome-burp-extensions: A curated list of amazingly awesome Burp Extensions
PowerShell-AD-Recon: PowerShell Scripts I find useful
AD-Attack-Defense: Attack and defend active directory using modern post exploitation adversary tradecraft activity
ADModule: Microsoft signed ActiveDirectory PowerShell module
dnSpy: .NET debugger and assembly editor
jndiat: JNDI Attacking Tool
odat: ODAT: Oracle Database Attacking Tool
RDPSpray: Tool for password spraying RDP
SSRF-Testing: SSRF (Server Side Request Forgery) testing resources
scriptsAndExploits: Some scripts and exploits
RootHelper: A Bash script that downloads and unzips scripts that will aid with privilege escalation on a Linux system.
MIDA-Multitool: Bash script purposed for system enumeration, vulnerability identification and privilege escalation.
my-arsenal-of-aws-security-tools: List of open source tools for AWS security: defensive, offensive, auditing, DFIR, etc.
windows-kernel-exploits: windows-kernel-exploits Windows平台提权漏洞集合
gimmecredz: You're a #pentester and you totally pwn that linux box, congrats! Now what? You can launch gimmecredz.sh which will try to extract all passwords from known locations.
patator: Patator is a multi-purpose brute-forcer, with a modular design and a flexible usage.
linux-soft-exploit-suggester: Search Exploitable Software on Linux
RemoteRecon: Remote Recon and Collection
CVE-2018-10933: Spawn to shell without any credentials by using CVE-2018-10933 (LibSSH)
pingcastle: PingCastle - Get Active Directory Security at 80% in 20% of the time
swap_digger: swap_digger is a tool used to automate Linux swap analysis during post-exploitation or forensics. It automates swap extraction and searches for Linux user credentials, web forms credentials, web forms emails, http basic authentication, Wifi SSID and keys, etc.
marshalsec: None
domained: Multi Tool Subdomain Enumeration
ADAPE-Script: Active Directory Assessment and Privilege Escalation Script
byob: An open-source post-exploitation framework for students, researchers and developers.
HackBar: HackBar plugin for Burpsuite
Photon: Incredibly fast crawler designed for OSINT.
Hash-Buster: Crack hashes in seconds.
eslint: Find and fix problems in your JavaScript code.
jsprime: a javascript static security analysis tool
SharpSploit: SharpSploit is a .NET post-exploitation library written in C#
egressbuster: Egressbuster is a method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell.
https-portal: A fully automated HTTPS server powered by Nginx, Let's Encrypt and Docker.
Sticky-Keys-Slayer: Scans for accessibility tools backdoors via RDP
ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
ysoserial.net: Deserialization payload generator for a variety of .NET formatters
GatherContacts: A Burp Suite Extension to pull Employee Names from Google and Bing LinkedIn Search Results
SprayingToolkit: Scripts to make password spraying attacks against Lync/S4B, OWA & O365 a lot quicker, less painful and more efficient
GitTools: A repository with 3 tools for pwn'ing websites with .git repositories available
spiderfoot: SpiderFoot automates OSINT for threat intelligence and mapping your attack surface.
LyncSniper: LyncSniper: A tool for penetration testing Skype for Business and Lync deployments
nullinux: Internal penetration testing tool for Linux that can be used to enumerate OS information, domain information, shares, directories, and users through SMB.
smbmap: SMBMap is a handy SMB enumeration tool
Office-DDE-Payloads: Collection of scripts and templates to generate Office documents embedded with the DDE, macro-less command execution technique.
CMSeeK: CMS Detection and Exploitation suite - Scan WordPress, Joomla, Drupal and over 180 other CMSs
WinPwnage: UAC bypass, Elevate, Persistence methods
BruteX: Automatically brute force all services running on a target.
credssp: A code demonstrating CVE-2018-0886
brutespray: Bruteforcing from various scanner output - Automatically attempts default creds on found services.
impacket: Impacket is a collection of Python classes for working with network protocols.
IIS-ShortName-Scanner: latest version of scanners for IIS short filename (8.3) disclosure vulnerability
Java-Deserialization-Cheat-Sheet: The cheat sheet about Java Deserialization vulnerabilities
SMBetray: SMB MiTM tool with a focus on attacking clients through file content swapping, lnk swapping, as well as compromising any data passed over the wire in cleartext.
Pause-Process: PowerShell script which allows pausing\unpausing Win32/64 exes
hcxdumptool: Small tool to capture packets from wlan devices.
raindance: Reconnaissance tool for Microsoft Office 365
SharpWMI: SharpWMI is a C# implementation of various WMI functionality.
SafetyKatz: SafetyKatz is a combination of slightly modified version of @gentilkiwi's Mimikatz project and @subtee's .NET PE Loader
SharpRoast: DEPRECATED SharpRoast is a C# port of various PowerView's Kerberoasting functionality.
SharpUp: SharpUp is a C# port of various PowerUp functionality.
Seatbelt: Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
oscp: None
extractTVpasswords: tool to extract passwords from TeamViewer memory using Frida
LogonTracer: Investigate malicious Windows logon by visualizing and analyzing Windows event log
pi-hole: A black hole for Internet advertisements
Mobile-Security-Framework-MobSF: Mobile Security Framework (MobSF) is an automated, all-in-one mobile application (Android/iOS/Windows) pen-testing, malware analysis and security assessment framework capable of performing static and dynamic analysis.
WINspect: Powershell-based Windows Security Auditing Toolbox
dirsearch: Web path scanner
Invoke-PowerThIEf: The PowerThIEf, an Internet Explorer Post Exploitation library
Powermad: PowerShell MachineAccountQuota and DNS exploit tools
fuzzdb: Dictionary of attack patterns and primitives for black-box application fault injection and resource discovery.
PowerLessShell: Run PowerShell command without invoking powershell.exe
msdat: MSDAT: Microsoft SQL Database Attacking Tool
Infosec_Reference: An Information Security Reference That Doesn't Suck; https://rmusser.net/git/admin-2/Infosec_Reference for non-MS Git hosted version.
Invoke-TmpDavFS: Memory Backed Powershell WebDav Server
Red-Teaming-Toolkit: This repository contains cutting-edge open-source security tools (OST) for a red teamer and threat hunter.
One-Lin3r: Gives you one-liners that aids in penetration testing operations, privilege escalation and more
crypto_identifier: Crypto tool for pentest and ctf : try to uncipher data using multiple algorithms and block chaining modes. Usefull for a quick check on unknown cipher text and key dictionnary
Tokenvator: A tool to elevate privilege with Windows Tokens
freddy: Automatically identify deserialisation issues in Java and .NET applications by using active and passive scans
GyoiThon: GyoiThon is a growing penetration test tool using Machine Learning.
Robber: Robber is open source tool for finding executables prone to DLL hijacking
subfinder: Fast passive subdomain enumeration tool.
dnsmorph: Domain name permutation engine written in Go
UserEnum: Domain user enumeration tool
dnstwist: Domain name permutation engine for detecting homograph phishing attacks, typo squatting, and brand impersonation
JAWS: JAWS - Just Another Windows (Enum) Script
reactos: A free Windows-compatible Operating System
AttackDetection: Attack Detection
LOLBAS: Living Off The Land Binaries And Scripts - (LOLBins and LOLScripts)
ShellPop: Pop shells like a master.
Astra: Automated Security Testing For REST API's
SpookFlare: Loader, dropper generator with multiple features for bypassing client-side and network-side countermeasures.
passphrase-wordlist: Passphrase wordlist and hashcat rules for offline cracking of long, complex passwords
Bad-Pdf: Steal Net-NTLM Hash using Bad-PDF
Reconnoitre: A security tool for multithreaded information gathering and service enumeration whilst building directory structures to store results, along with writing out recommendations for further testing.
RedHunt-OS: Virtual Machine for Adversary Emulation and Threat Hunting
windows10_ntfs_crash_dos: PoC for a NTFS crash that I discovered, in various Windows versions
monkey: Infection Monkey - An open-source adversary emulation platform
PowerUpSQL: PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
Invoke-ACLPwn: None
injectify: Perform advanced MiTM attacks on websites with ease 💉
PowerShell: NetSPI PowerShell Scripts
goddi: goddi (go dump domain info) dumps Active Directory domain information
ScrapedIn: A tool to scrape LinkedIn without API restrictions for data reconnaissance
ridrelay: Enumerate usernames on a domain where you have no creds by using SMB Relay with low priv.
CVE-2018-7600: 💀Proof-of-Concept for CVE-2018-7600 Drupal SA-CORE-2018-002
snallygaster: Tool to scan for secret files on HTTP servers
Invoke-DOSfuscation: Cmd.exe Command Obfuscation Generator & Detection Test Harness
dcipher-cli: 🔓Crack hashes using online rainbow & lookup table attack services, right from your terminal.
security-onion: Security Onion 16.04 - Linux distro for threat hunting, enterprise security monitoring, and log management
SPartan: Frontpage and Sharepoint fingerprinting and attack tool.
lyncsmash: locate and attack Lync/Skype for Business
Brutal: Payload for teensy like a rubber ducky but the syntax is different. this Human interfaes device ( HID attacks ). Penetration With Teensy . Brutal is a toolkit to quickly create various payload,powershell attack , virus attack and launch listener for a Human Interface Device ( Payload Teensy )
SimplyEmail: Email recon made fast and easy, with a framework to build on
Internal-Monologue: Internal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
Passhunt: Passhunt is a simple tool for searching of default credentials for network devices, web applications and more. Search through 523 vendors and their 2084 default passwords.
SharpShooter: Payload Generation Framework
XSStrike: Most advanced XSS scanner.
CVE-2017-7494: Remote root exploit for the SAMBA CVE-2017-7494 vulnerability
nextnet: nextnet is a pivot point discovery tool written in Go.
bettercap: The Swiss Army knife for 802.11, BLE, HID, CAN-bus, IPv4 and IPv6 networks reconnaissance and MITM attacks.
Findsploit: Find exploits in local and online databases instantly
IntruderPayloads: A collection of Burpsuite Intruder payloads, BurpBounty payloads, fuzz lists, malicious file uploads and web pentesting methodologies and checklists.
gitleaks: Find secrets with Gitleaks 🔑
Tunna: Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP. It can be used to bypass network restrictions in fully firewalled environments.
PcapXray: ❄️ PcapXray - A Network Forensics Tool - To visualize a Packet Capture offline as a Network Diagram including device identification, highlight important communication and file extraction
rsg: ReverShellGenerator - A tool to generate various ways to do a reverse shell
sshLooter: Script to steal passwords from ssh.
portia: Portia aims to automate a number of techniques commonly performed on internal network penetration tests after a low privileged account has been compromised.
Invoke-WCMDump: PowerShell Script to Dump Windows Credentials from the Credential Manager
elite-proxy-finder: Finds public elite anonymity proxies and concurrently tests them
pentest-machine: Automates some pentest jobs via nmap xml file
3snake: Tool for extracting information from newly spawned processes
PRET: Printer Exploitation Toolkit - The tool that made dumpster diving obsolete.
evilgrade: Evilgrade is a modular framework that allows the user to take advantage of poor upgrade implementations by injecting fake updates.
LaZagneForensic: Windows passwords decryption from dump files
APTSimulator: A toolset to make a system look as if it was the victim of an APT attack
dnscrypt-proxy: dnscrypt-proxy 2 - A flexible DNS proxy, with support for encrypted DNS protocols.
PHP-Shell-Detector: Web Shell Detector – is a php script that helps you find and identify php/cgi(perl)/asp/aspx shells. Web Shell Detector has a “web shells” signature database that helps to identify “web shell” up to 99%.
domain_analyzer: Analyze the security of any domain by finding all the information possible. Made in python.
al-khaser: Public malware techniques used in the wild: Virtual Machine, Emulation, Debuggers, Sandbox detection.
awesome-pentest-cheat-sheets: Collection of the cheat sheets useful for pentesting
wordsmith: The aim of Wordsmith is to assist with creating tailored wordlists. This is mostly based on geolocation.
macro_pack: macro_pack is a tool by @EmericNasi used to automatize obfuscation and generation of Office documents, VB scripts, shortcuts, and other formats for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify exploitation, antimalware bypass, and automatize the process from malicious macro and script generation to final document generation. It also provides a lot of helpful features useful for redteam or security research.
LANs.py: Inject code and spy on wifi users
Vegile: This tool will setting up your backdoor/rootkits when backdoor already setup it will be hidden your spesisifc process,unlimited your session in metasploit and transparent. Even when it killed, it will re-run again. There always be a procces which while run another process,So we can assume that this procces is unstopable like a Ghost in The Shell
yara4pentesters: rules to identify files containing juicy information like usernames, passwords etc
FlyingCarpet: Cross-platform AirDrop. File transfer between Android, iOS, Linux, macOS, and Windows over ad hoc WiFi. No network infrastructure required, just two devices with WiFi chips in close range.
icebreaker: Gets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
ikeforce: None
Nettacker: Automated Penetration Testing Framework - Open-Source Vulnerability Scanner - Vulnerability Management
Cr3dOv3r: Know the dangers of credential reuse attacks.
DNSExfiltrator: Data exfiltration over DNS request covert channel
archerysec: ASOC, ASPM, DevSecOps, Vulnerability Management Using ArcherySec.
mitm6: pwning IPv4 via IPv6
snmpwn: An SNMPv3 User Enumerator and Attack tool
Seth: Perform a MitM attack and extract clear text credentials from RDP connections
fuxploider: File upload vulnerability scanner and exploitation tool.
In-Spectre-Meltdown: This tool allows to check speculative execution side-channel attacks that affect many modern processors and operating systems designs. CVE-2017-5754 (Meltdown) and CVE-2017-5715 (Spectre) allows unprivileged processes to steal secrets from privileged processes. These attacks present 3 different ways of attacking data protection measures on CPUs enabling attackers to read data they shouldn't be able to. This tool is originally based on Microsoft: https://support.microsoft.com/en-us/help/4073119/protect-against-speculative-execution-side-channel-vulnerabilities-in
wordpress-exploit-framework: A Ruby framework designed to aid in the penetration testing of WordPress systems.
ADRecon: ADRecon is a tool which gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment.
nmap-vulners: NSE script based on Vulners.com API
GhostInTheNet: Ultimate Network Stealther that makes Linux a Ghost In The Net and protects from MITM/DOS/scan
V3n0M-Scanner: Popular Pentesting scanner in Python3.6 for SQLi/XSS/LFI/RFI and other Vulns
WhatWaf: Detect and bypass web application firewalls and protection systems
InsecurePowerShell: InsecurePowerShell is PowerShell with some security features removed.
merlin: Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
retdec: RetDec is a retargetable machine-code decompiler based on LLVM.
PowerShellScripts: Collection of PowerShell scripts
statistically-likely-usernames: Wordlists for creating statistically likely username lists for use in password attacks and security testing
mitmAP: 📡 A python program to create a fake AP and sniff data.
InSpy: A python based LinkedIn enumeration tool
w3af: w3af: web application attack and audit framework, the open source web vulnerability scanner.
domi-owned: IBM/Lotus Domino exploitation
WebDavC2: A WebDAV PROPFIND C2 tool
Spray: A Password Spraying tool for Active Directory Credentials by Jacob Wilkin(Greenwolf)
static-analysis: ⚙️ A curated list of static analysis (SAST) tools and linters for all programming languages, config files, build tools, and more. The focus is on tools which improve code quality.
discover: Custom bash scripts used to automate various penetration testing tasks including recon, scanning, enumeration, and malicious payload creation using Metasploit. For use with Kali Linux.
mimikatz: A little tool to play with Windows security
sAINT: 👁️ (s)AINT is a Spyware Generator for Windows systems written in Java. [Discontinued]
ssf: Secure Socket Funneling - Network tool and toolkit - TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform
hardentools: Hardentools simply reduces the attack surface on Microsoft Windows computers by disabling low-hanging fruit risky features.
exploits: Miscellaneous exploit code
DumpsterFire: "Security Incidents In A Box!" A modular, menu-driven, cross-platform tool for building customized, time-delayed, distributed security events. Easily create custom event chains for Blue- & Red Team drills and sensor / alert mapping. Red Teams can create decoy incidents, distractions, and lures to support and scale their operations. Build event sequences ("narratives") to simulate realistic scenarios and generate corresponding network and filesystem artifacts.
tplmap: Server-Side Template Injection and Code Injection Detection and Exploitation Tool
GreatSCT: The project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team.
phishing_catcher: Phishing catcher using Certstream
AhMyth-Android-RAT: Android Remote Administration Tool
Invoke-SocksProxy: Socks proxy, and reverse socks server using powershell.
Striker: Striker is an offensive information and vulnerability scanner.
mentalist: Mentalist is a graphical tool for custom wordlist generation. It utilizes common human paradigms for constructing passwords and can output the full wordlist as well as rules compatible with Hashcat and John the Ripper.
reGeorg: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies through the DMZ. Pivot and pwn.
PowerShellDefense: Some PowerShell Defensive Scripts
EggShell: iOS/macOS/Linux Remote Administration Tool
sqliv: massive SQL injection vulnerability scanner
MS17-010: MS17-010
fluxion: Fluxion is a remake of linset by vk496 with enhanced functionality.
awesome-incident-response: A curated list of tools for incident response
awesome-hacking: A curated list of awesome Hacking tutorials, tools and resources
awesome-malware-analysis: Defund the Police.
awesome-raspberry-pi: 📝 A curated list of awesome Raspberry Pi tools, projects, images and resources
ruler: A tool to abuse Exchange services
LAPSToolkit: Tool to audit and attack LAPS environments
wifite2: Rewrite of the popular wireless network auditor, "wifite"
Awesome-Hacking-Resources: A collection of hacking / penetration testing resources to make you better!
P4wnP1: P4wnP1 is a highly customizable USB attack platform, based on a low cost Raspberry Pi Zero or Raspberry Pi Zero W.
xcat: XPath injection tool
parameth: This tool can be used to brute discover GET and POST parameters
siofra: None
security-research-pocs: Proof-of-concept codes created as part of security research done by Google Security Team.
ThunderShell: Python / C# Unmanaged PowerShell based RAT
PowerShdll: Run PowerShell with rundll32. Bypass software restrictions.
dcrawl: Simple, but smart, multi-threaded web crawler for randomly gathering huge lists of unique domain names.
dnscat2: None
VPNPivot: Explore the network using VPNPivot tool
Hijacker: Aircrack, Airodump, Aireplay, MDK3 and Reaver GUI Application for Android
LFiFreak: A unique automated LFi Exploiter with Bind/Reverse Shells
CVE-2017-0785: Blueborne CVE-2017-0785 Android information leak vulnerability
SniffAir: A framework for wireless pentesting.
bleah: This repository is DEPRECATED, please use bettercap as this tool has been ported to its BLE modules.
HideProcess: A basic Direct Kernel Object Manipulation rootkit that removes a process from the EPROCESS list, hiding it from the Task Manager
o365recon: retrieve information via O365 and AzureAD with a valid cred
msfpc: MSFvenom Payload Creator (MSFPC)
Mr.SIP: SIP-Based Audit and Attack Tool
crowbar: Crowbar is brute forcing tool that can be used during penetration tests. It is developed to support protocols that are not currently supported by thc-hydra and other popular brute forcing tools.
PayloadsAllTheThings: A list of useful payloads and bypass for Web Application Security and Pentest/CTF
XXEinjector: Tool for automatic exploitation of XXE vulnerability using direct and different out of band methods.
Revoke-Obfuscation: PowerShell Obfuscation Detection Framework
dnsenum: dnsenum is a perl script that enumerates DNS information
Wordpresscan: WPScan rewritten in Python + some WPSeku ideas
token-priv: Token Privilege Research
webshell: This is a webshell open source project
yodo: Local Privilege Escalation
hacking-online-games: A curated list of tutorials/resources for hacking online games.
CVE-2017-0199: Exploit toolkit CVE-2017-0199 - v4.0 is a handy python script which provides pentesters and security researchers a quick and effective way to test Microsoft Office RCE. It could generate a malicious RTF/PPSX file and deliver metasploit / meterpreter / other payload to victim without any complex configuration.
de4dot: .NET deobfuscator and unpacker.
ms17-010-Scanner: None
WPForce: Wordpress Attack Suite
pydictor: A powerful and useful hacker dictionary builder for a brute-force attack
wifi-bruteforcer-fsecurify: Android application to brute force WiFi passwords without requiring a rooted device.
kali-anonsurf: A port of ParrotSec's stealth and anonsurf modules to Kali Linux
blackhat-arsenal-tools: Official Black Hat Arsenal Security Tools Repository
ssh-mitm: SSH man-in-the-middle tool
WebDeveloperSecurityChecklist: A checklist of important security issues you should consider when creating a web application.
ADACLScanner: Repo for ADACLScan.ps1 - Your number one script for ACL's in Active Directory
dnsrecon: DNS Enumeration Script
nipe: An engine to make Tor network your default gateway
rattler: Automated DLL Enumerator
avet: AntiVirus Evasion Tool
VBad: VBA Obfuscation Tools combined with an MS office document generator
PowerShell-Suite: My musings with PowerShell
awesome-osint: 😱 A curated list of amazingly awesome OSINT
Exploits: Windows Exploits
CACTUSTORCH: CACTUSTORCH: Payload Generation for Adversary Simulations
bettercap-proxy-modules: This repository contains some bettercap transparent proxy example modules.
awesome-cve-poc: ✍️ A curated list of CVE PoCs.
Dr0p1t-Framework: A framework that create an advanced stealthy dropper that bypass most AVs and have a lot of tricks
Phant0m: Windows Event Log Killer
wsuxploit: This is a weaponized WSUS exploit
Uproot: Currently not updated for WMIEvent module...
PowerShell: PowerShell for every system!
ACLight: A script for advanced discovery of Privileged Accounts - includes Shadow Admins
PowerTools: PowerTools is a collection of PowerShell projects with a focus on offensive operations.
wePWNise: WePWNise generates architecture independent VBA code to be used in Office documents or templates and automates bypassing application control and exploit mitigation software.
getsploit: Command line utility for searching and downloading exploits
RedTips: Red Team Tips as posted by @vysecurity on Twitter
Pazuzu: Pazuzu: Reflective DLL to run binaries from memory
HostRecon: This function runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase. It gathers information about the local system, users, and domain information. It does not use any 'net', 'ipconfig', 'whoami', 'netstat', or other system commands to help avoid detection.
aquatone: A Tool for Domain Flyovers
pymultitor: PyMultitor - Python Multi Threaded Tor Proxy
pcileech: Direct Memory Access (DMA) Attack Software
kwetza: Python script to inject existing Android applications with a Meterpreter payload.
domainhunter: Checks expired domains for categorization/reputation and Archive.org history to determine good candidates for phishing and C2 domain names
BloodHound-Legacy: Six Degrees of Domain Admin
StarFighters: A JavaScript and VBScript Based Empire Launcher, which runs within their own embedded PowerShell Host.
subbrute: A DNS meta-query spider that enumerates DNS records, and subdomains.
changeme: A default credential scanner.
Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
icmptunnel: Transparently tunnel your IP traffic through ICMP echo and reply packets.
PSRecon: 🚀 PSRecon gathers data from a remote Windows host using PowerShell (v2 or later), organizes the data into folders, hashes all extracted data, hashes PowerShell and various system properties, and sends the data off to the security team. The data can be pushed to a share, sent over email, or retained locally.
Empire: Empire is a PowerShell and Python post-exploitation agent.
MaliciousMacroGenerator: Malicious Macro Generator
InjectProc: InjectProc - Process Injection Techniques [This project is not maintained anymore]
Java-Deserialization-Scanner: All-in-one plugin for Burp Suite for the detection and the exploitation of Java deserialization vulnerabilities
JSMeter: JavaScript Reversed TCP Meterpreter Stager
LinEnum: Scripted Local Linux Enumeration & Privilege Escalation Checks
DeathStar: Uses Empire's (https://github.com/BC-SECURITY/Empire) RESTful API to automate gaining Domain and/or Enterprise Admin rights in Active Directory environments using some of the most common offensive TTPs.
BlockWindows: Stop Windows 10 Nagging and Spying. Works with Win7-10
betterdefaultpasslist: None
Loki: Loki - Simple IOC and YARA Scanner
APTnotes: Various public documents, whitepapers and articles about APT campaigns
UACME: Defeating Windows User Account Control
theZoo: A repository of LIVE malwares for your own joy and pleasure. theZoo is a project created to make the possibility of malware analysis open and available to the public.
Generate-Macro: This Powershell script will generate a malicious Microsoft Office document with a specified payload and persistence method.
WMIcmd: A command shell wrapper using only WMI for Microsoft Windows
DSInternals: Directory Services Internals (DSInternals) PowerShell Module and Framework
DoubleAgent: Zero-Day Code Injection and Persistence Technique
AutoLocalPrivilegeEscalation: An automated script that download potential exploit for linux kernel from exploitdb, and compile them automatically
p0wnedShell: PowerShell Runspace Post Exploitation Toolkit
luckystrike: A PowerShell based utility for the creation of malicious Office macro documents.
scanless: online port scan scraper
bettercap: DEPRECATED, bettercap developement moved here: https://github.com/bettercap/bettercap
Inveigh: .NET IPv4/IPv6 machine-in-the-middle tool for penetration testers
trufflehog: Find, verify, and analyze leaked credentials
Sublist3r: Fast subdomains enumeration tool for penetration testers
dirtycow.github.io: Dirty COW
inception: Inception is a physical memory manipulation and hacking tool exploiting PCI-based DMA. The tool can attack over FireWire, Thunderbolt, ExpressCard, PC Card and any other PCI/PCIe interfaces.
movfuscator: The single instruction C compiler
Quasar: Remote Administration Tool for Windows
Kautilya: Kautilya - Tool for easy use of Human Interface Devices for offensive security and penetration testing.
gateway-finder: Tool to identify routers on the local LAN and paths to the Internet
powerstager: A payload stager using PowerShell
eaphammer: Targeted evil twin attacks against WPA2-Enterprise networks. Indirect wireless pivots using hostile portal attacks.
morpheus: Morpheus - Automating Ettercap TCP/IP (MITM-hijacking Tool)
net-creds: Sniffs sensitive data from interface or pcap
unicorn: Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
WMImplant: This is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
Sherlock: PowerShell script to quickly find missing software patches for local privilege escalation vulnerabilities.
vuls: Agent-less vulnerability scanner for Linux, FreeBSD, Container, WordPress, Programming language libraries, Network devices
PoshC2_Old: Powershell C2 Server and Implants
BeRoot: Privilege Escalation Project - Windows / Linux / Mac
PowerMeta: PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google, and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.
evilginx: PLEASE USE NEW VERSION: https://github.com/kgretzky/evilginx2
lynis: Lynis - Security auditing tool for Linux, macOS, and UNIX-based systems. Assists with compliance testing (HIPAA/ISO27001/PCI DSS) and system hardening. Agentless, and installation optional.
wpscan: WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via [email protected]
mimipy: port of mimipenguin.sh in python with some additional protection features
mimipenguin: A tool to dump the login password from the current linux user
scapy: Scapy: the Python-based interactive packet manipulation program & library.
gobuster: Directory/File, DNS and VHost busting tool written in Go
pupy: Pupy is an opensource, cross-platform (Windows, Linux, OSX, Android) C2 and post-exploitation framework written in python and C
Sn1per: Attack Surface Management Platform
CrackMapExec: A swiss army knife for pentesting networks
shadowbroker: The Shadow Brokers "Lost In Translation" leak
Probable-Wordlists: Version 2 is live! Wordlists sorted by probability originally created for password generation and testing - make sure your passwords aren't popular!
EyeWitness: EyeWitness is designed to take screenshots of websites, provide some server header info, and identify default credentials if possible.
LaZagne: Credentials recovery project
CheatSheets: Cheat sheets for various projects.
awesome-windows-domain-hardening: A curated list of awesome Security Hardening techniques for Windows.
doublepulsar-detection-script: A python2 script for sweeping a network to find windows systems compromised with the DOUBLEPULSAR implant.
PowerForensics: PowerForensics provides an all in one platform for live disk forensic analysis
PowerShellArsenal: A PowerShell Module Dedicated to Reverse Engineering
poisontap: Exploits locked/password protected computers over USB, drops persistent WebSocket-based backdoor, exposes internal router, and siphons cookies using Raspberry Pi Zero & Node.js.
Awesome-Hacking: A collection of various awesome lists for hackers, pentesters and security researchers
PowerMemory: Exploit the credentials present in files and memory
warberry: WarBerryPi - Tactical Exploitation
WiFi-Pumpkin-deprecated: DEPRECATED, wifipumpkin3 -> https://github.com/P0cL4bs/wifipumpkin3
PowerSploit: PowerSploit - A PowerShell Post-Exploitation Framework
nishang: Nishang - Offensive PowerShell for red team, penetration testing and offensive security.
SessionGopher: SessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
DomainPasswordSpray: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!
tricky.lnk: Creates a .lnk file with unicode chars that reverse the file extension and adds a .txt to the end to make it appear as a textfile. Payload is a powershell webdl and execute
sticky_keys_hunter: A script to test an RDP host for sticky keys and utilman backdoor.
TheFatRat: Thefatrat a massive exploiting tool : Easy tool to generate backdoor and easy tool to post exploitation attack like browser attack and etc . This tool compiles a malware with popular payload and then the compiled malware can be execute on windows, android, mac . The malware that created with this tool also have an ability to bypass most AV software protection .
autopwn: Specify targets and run sets of tools against them
Winpayloads: Undetectable Windows Payload Generation
routersploit: Exploitation Framework for Embedded Devices
wifiphisher: The Rogue Access Point Framework
Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authentication.
mimikittenz: A post-exploitation powershell tool for extracting juicy info from memory.
awesome-pentest: A collection of awesome penetration testing resources, tools and other shiny things
MailSniper: MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used as a non-administrative user to search their own email, or by an administrator to search the mailboxes of every user in a domain.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

My Starred Repositories

About

Releases

Packages

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README.md		README.md

S3cur3Th1sSh1t/My-starred-Repositories

Folders and files

Latest commit

History

Repository files navigation

My Starred Repositories

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Packages