Tooling Repository

Last updated 3 months ago

Validating Scope

  • Hurricane Electric Internet Services - Find out who owns an IP address
  • NetBlockTool - Find IP addresses owned by a company

Find Email Addresses

  • Hunter.io - Identify the email schema used by an organization
  • Phonebook.cz - Look up emails related to the organization
  • EmailHippo - Validate that the emails identified are in use by the organization
  • EmailHarvester - Find emails via search engines
  • theHarvester - Well-known OSINT tool that can be used to gather names, email addresses, and more

Phishing

  • GoPhish - An incredible open-source phishing framework
  • Evilginx2 - Man-in-the-middle attack framework for phishing login credentials and bypassing 2FA
  • Catphish - Generate similar-looking domains for use in phishing attacks
  • Boobsnail - Generate malicious XLM documents for phishing
  • MacroPack - Automate obfuscation of Office documents
  • Pretext-Project - Collection of pretexts to use when crafting campaigns

External Penetration Testing

  • YAWAST - Amazing for performing initial reconnaissance on a website. Also has a PoC for Sweet32 built into it
  • Skipfish - Google's active web application security reconnaissance tool
  • Nuclei - Vulnerability scanner that is actively maintained and updated frequently
  • AutoDirBuster - Parse Nmap scans and run DirBuster against targets. Useful when covering a large scope
  • FeroxBuster - My replacement for Dirb and other fuzzing tooling
  • Amass - In-depth attack surface mapping. Great for asset discovery and performing external reconnaissance
  • Dorkbot - Scan Google search results for vulnerabilities with dorks

Password Hunting

  • PwnDB - Searches for leaked credentials
  • DeHashed - Popular way to search for leaked credentials, but requires payment
  • Snusbase - Alternative to DeHashed
  • Breach-Parse - TCM's script to parse databases and identify leaked credentials
  • pwnedOrNot - OSINT tool to identify whether an account has appeared in a database leak

Scanning/Enumeration Tools

  • RustScan - Alternative to Nmap. Port scanning goes brrr
  • Nmap-Elasticsearch-NSE - NSE script for scanning Elasticsearch. Useful when identified in a penetration test
  • Enum4Linux - Useful for gathering information from a host with anonymous access, or for authenticating to a DC to obtain a list of usernames
  • Autorecon - Automated enumeration of services
  • Aquatone - Visually inspect websites. Has the ability to parse Nmap scans
  • EyeWitness - Visually inspect websites. My preferred tool of choice. Has the ability to parse Nessus scans

APIs

  • Swagger-EZ - A tool geared towards pentesting APIs using OpenAPI definitions

LinkedIn Reconnaissance

  • LeakedInt - LinkedIn reconnaissance tool that provides output with picture, name, email, title, and location
  • WeakestLink - Regularly updated LinkedIn recon tool (10/11/2021)
  • LinkedIn2Username - My favorite LinkedIn reconnaissance tool. It should be noted that this tool will not reliably identify all of the emails for a company
  • BridgeKeeper - LinkedIn reconnaissance tool that works great in combination with LinkedIn2Username
  • EmailGen - Email generation from Bing using LinkedIn dorks

Passive Reconnaissance

  • BruteShark - Analyze PCAPs. Can extract useful data and create a network diagram
  • NetworkMiner - Analyze PCAPs. The free version is great but the professional version is better (costs $$$)
  • PCredz - My favorite way to analyze PCAPs or live captures. Free, fast, and great for PCI tests

Footholds

  • Responder - Abuse LLMNR and NBT-NS protocols (and more) to get a reliable foothold
  • mitm6 - Abuse IPv6 to obtain a foothold
  • Impacket - The options are endless with Impacket. Kerberoast until you drop!
  • Flamingo - Capture credentials sprayed across the network
  • SpoolSploit - Collection of Windows print spooler exploits. Great for obtaining a foothold or escalating privileges!
  • RouterSploit - Router exploitation framework
  • SIET - Smart Install Exploitation Tool

Credential Spraying and Bruteforce

  • SprayingToolkit - Spraying attacks against Lync/S4B, OWA, and O365
  • CrackMapExec - Spraying attacks against... everything
  • DomainPasswordSpray - Spraying attacks against a domain. Gathers account lockout windows, which is nifty
  • Spray - Spraying against Active Directory
  • Patator - Multi-purpose brute-forcer. Takes a little reading of the manual but works incredibly well
  • BruteSpray - Brute-forcing from Nmap output. One of my favorites for automating the assessment of a network
  • Crowbar - Brute-forcing tool that supports protocols not currently supported by Hydra

Default Credentials

  • nndefaccts - Updated Nmap default credential list
  • ChangeMe - Default credential scanner. I've had mixed results with this. When it works it's great!
  • DefaultCredsCheatsheet - List of common default credentials

Wordlists

  • HAT - Hashcat Automation Tool
  • OneRuleToRuleThemAll - My favorite rule list
  • ProbableWordlists - Probable wordlists to use in password attacks

Password Cracking

  • Hashcat - This should go without saying... but Hashcat is amazing
  • PACK - Password Analysis and Cracking Toolkit. There's a lot of password goodies and resources here
  • Hate_Crack - TrustedSec's password cracking utility. Automates a lot
  • Pipal - Perform password analysis

Database

  • DBeaver - One of the best tools I've used to interact with databases
  • NOSQLBooster - Interact with NoSQL (DBeaver removed this in the community version)

Command and Control

  • Covenant - I used Covenant throughout the CRTO certification and fell in love. Free and easy to use
  • Sliver - Bishop Fox's C2 framework
  • Shad0w - Bats3c's C2. Used it a few times and it's a ton of fun!
  • Mythic - Cross-platform C2. Previously used while on an OSX engagement

Amazon Web Services (AWS)

  • Pacu - AWS exploitation framework from RhinoSecurityLabs
  • Scour - AWS red teaming framework

Attacking Outlook / Similar Products

  • Ruler - A tool to abuse Exchange services
  • O365Spray - My go-to when spraying Office 365
  • Msspray - Conduct password attacks against Azure AD and Office 365 endpoints
  • TeamsUserEnum - User enumeration with the Microsoft Teams API
  • Carnivore - Exchange attack tool

Obfuscation

  • Darkarmour - Bats3c's obfuscation tool
  • PEzor - Shellcode and PE packer
  • PowerShellArmoury - Store obfuscated pentesting tools in one place
  • Invoke-Obfuscation - PowerShell script obfuscator
  • Chameleon - PowerShell obfuscator. I've had a lot of success using this tool
  • Powerglot - PowerShell obfuscator using polyglots
  • Phantom-Evasion - Python obfuscation tool

Unix

  • Bashark - Post exploitation toolkit in a bash script
  • Mimipenguin - Mimikatz for Unix
  • Emp3r0r - A customizable post exploitation Linux framework

MacOS

  • Mystikal - Payload generator for MacOS
  • MacOSRedTeaming - Mac red teaming resources

Wireless Attacks

  • WiFite2 - Automate attacks against WiFi
  • WifiPumpkin3 - Framework for rogue access point attacks

SSL/TLS Auditing

  • TestSSL - One of the more comprehensive SSL/TLS testing tools I've used
  • SSLScan - Useful when SSLyze doesn't work as intended
  • SSLyze - Useful when SSLScan doesn't work as intended

SSH Auditing

  • SSH-Audit - Comprehensive audit of SSH. Provides detailed information about the SSH server in use

Setup

  • WeaponizeKali.sh - Automate the installation of additional tools
  • My Dotfiles - Any dotfiles work; make sure you're comfortable in your environment and log, log, log

SMTP

  • Swaks - Swiss army knife for SMTP testing

Post Exploitation

  • Nishang - Collection of offensive PowerShell scripts for use in penetration testing and red teaming
  • PowerSploit - Collection of offensive PowerShell scripts, useful in all phases of testing
  • BetterSafetyKatz - Runs Mimikatz, but better
  • LdapDomainDump - Dump information about the domain. Incredibly useful for escalating privileges or gathering additional information for spraying attacks
  • Conf-Thief - Exfiltrate sensitive data from Confluence
  • BloodHound - Need I say more? Find attack paths and own the domain
  • Snaffler - Find delicious candy on a domain
  • Pwncat - Netcat on steroids. Post exploitation tool that has some neat tools built into it
  • KeeFarce - Extract passwords from a KeePass 2.x database from memory
  • PingCastle - Grab information about Active Directory (this tool does way more, check it out)
  • ADRecon - Gathers information about Active Directory
  • WinPwn - Collection of well-known offensive scripts in one place
  • PowerShellArmoury - Similar collection to WinPwn, but can be encrypted
  • RedRabbit - Same as the above, a collection of red team PowerShell tools
  • ACLight - Script for advanced discovery of privileged accounts
  • Invoke-DNSDiscovery - Searches through DNS after compromising a machine to identify interesting assets
  • PublicPentestingResources - Repository of public pentesting resources

Hardening

  • SecureKali - Tips to secure a Kali Linux installation

Miscellaneous

  • OffensivePipeline - Build tools within PowerShell
  • Depix - Recover information from pixelized screenshots
  • LDAPMonitor - Monitor changes throughout the environment during a penetration test

Penetration Testing Distros

  • Slingshot - Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment, built for use in the SANS penetration testing curriculum and beyond
  • Kali Linux - Hopefully no explanation needed here
  • Commando VM - A fully customizable Windows-based pentesting virtual machine distribution
  • Parrot OS - GNU/Linux distribution based on Debian and designed with security and privacy in mind