Validating Scope

• Hurricane Electric Internet Services - Find out who owns an IP Address

• NetBlockTool - Find IP addresses owned by a company

Find Email Addresses

• Hunter.io - Identify the email schema used by an organization

• Phonebook.cz - Lookup emails related to the organization

• EmailHippo - Validate emails identified are in use by the organization

• EmailHarvester - Find emails via search engines

• theHarvester - Well known OSINT tool that can be used to gather names, email addresses, and more

Phishing

• GoPhish - An incredible open-source phishing framework

• Evilginx2 - Man-in-the-middle attack framework for phishing login credentials and bypassing 2fa

• Catphish - Generate similar looking domains for use in phishing attacks

• Boobsnail - Generate malicious XLM documents for phishing

• MacroPack - Automize obfuscation of Office documents

• Pretext-Project - Collection of pretexts to use when crafting campaigns

External Penetration Testing

• YAWAST - Amazing for performing initial reconnaissance on a website. Also has a PoC for Sweet32 built into it

• Skipfish - Googles active web application security reconnaissance tool

• Nuclei - Vulnerability scanner that is actively maintained and updated frequently

• AutoDirBuster - Parse Nmap scans and run DirBuster against targets. Useful when covering a large scope$

• FeroxBuster - My replacement for Dirb and other fuzzing tooling

• Amass - In-depth attack surface mapping. Great for asset discovery and performing external reconnaissance

• Dorkbot - Scan Google search results for vulnerabilities with dorks

Password Hunting

• PwnDB - Searches for leaked credentials

• DeHashed - Popular way to search for leaked credentials but requires payment

• Snusbase - Alternative to DeHashed

• Breach-Parse - TCM's script to parse databases and identify leaked credentials

• pwnedOrNot - OSINT tool to identify if an account has appeared in a database leak

Scanning/Enumeration Tools

• RustScan - Alternative to Nmap. Port scanning goes brrr

• Nmap-Elasticsearch-NSE - NSE script for scanning Elasticsearch. Useful when identified in a penetration test.

• Enum4Linux - Useful for gathering information from a host with anoymous access or authenticating to a DC to obtain a list of usernames

• Autorecon - Automated enumeration of services

• Aquatone - Visually inspect websites. Has the ability to parse Nmap scans

• EyeWitness - Visually inspect websites. My preferred tool of choice. Has the ability to parse Nessus scans

APIs

• Swagger-EZ - A tool geared towards pentesting APIs using OpenAPI definitions

LinkedIn Reconnaissance

• LeakedInt - LinkedIn reconnaissance tool that provides output with picture, name, email, title, and location

• WeakestLink - Reguarly updated LinkedIn recon tool (10/11/2021)

• LinkedIn2Username - My favorite LinkedIn reconnaissance tool. It should be noted that this tool will not reliably identify all of the emails for a company.

• BridgeKeeper - LinkedIn reconnaissance tool that works great in combination with LinkedIn2Username

• EmailGen - Email Generation from Bing using LinkedIn Dorks

Passive Reconnaissance

• BruteShark - Analyze PCAPs. Can extract useful data and create a network diagram

• NetworkMiner - Analyze PCAPs. The free version is great but the professional is better (costs $$$)

• PCredz - My favorite way to analyze PCAPs or live captures. Free, fast, and great for PCI tests

Footholds

• Responder - Abuse LLMNR and NBT-NS protocols (and more) to get a reliable foothold

• mitm6 - Abuse IPv6 to obtain a foothold

• Impacket - The options are endless with Impacket. Kerberoast until you drop!

• Flamingo - Capture credentials sprayed across the network

• SpoolSploit - Collection of Windows print spooler exploits. Great for obtaining a foothold or escalating privileges!

• RouterSploit - Router exploitation framework

• SIET - Smart Install Exploitation Tool

Credential Spraying and Bruteforce

• SprayingToolkit - Spraying attacks against Lync/S4B, OWA, and O365

• CrackMapExec - Spraying attacks against.. Everything

• DomainPasswordSpray - Spraying attacks against a domain. Gathers account lockout windows which is nifty

• Spray - Spraying against Active Directory

• Patator - Multi-purpose brute-forcer. Takes a little reading of the manual but works incredibly

• BruteSpray - Brute-Forcing from an Nmap output. One of my favorites for automating the assessment of a network

• Crowbar - Brute-forcing tool that supports protocols not currently supported by Hydra

Default Credentials

• nndefaccts - Updated Nmap default credential list

• ChangeMe - Default credential scanner. I've had mixed results with this. When it works it's great!

• DefaultCredsCheatsheet - List of common default credentials

• HAT - Hashcat Automation Tool

Wordlists

• OneRuleToRuleThemAll - My favorite rule list

• ProbableWordlists - Probable wordlists to use in password attacks

Password Cracking

• Hashcat - This should go without saying.. But Hashcat is amazing

• PACK - Password Analysis and Cracking Toolkit. There's a lot of password goodies and resources here

• Hate_Crack - TrustedSec's password cracking utility. Automates a lot

• Pipal - Perform password analysis

Database

• DBeaver - One of the best tools I've used to interact with databases.

• NOSQLBooster - Interact with NoSQL (DBeaver removed this in the community version)

Command and Control

• Covenant - I used Covenant throughout the CRTO certification and fell in love. Free and easy to use

• Sliver - Bishop Fox's C2 framework

• Shad0w - Bats3c's C2. Used it a few times and it's a ton of fun!

• Mythic - Cross-platform C2. Previously used while on an OSX engagement

Amazon Web Services (AWS)

• Pacu - AWS exploitation fraemwork from RhinoSecurityLabs

• Scour - AWS red teaming framework

Attacking Outlook / Similar Products

• Ruler - A tool to abuse Exchange services

• O365Spray - My goto when spraying Office 365

• Msspray - Conduct password attacks against Azure AD and Office 365 endpoints

• TeamsUserEnum - User enumeration with the Microsoft Teams API

• Carnivore - Exchange Attack Tool

Obfuscation

• Darkarmour - Bats3c's obfuscation tool.

• PEzor - Shellcode and PE packer

• PowerShellArmoury - Store obfuscated pentesting tools in one place

• Invoke-Obfuscation - PowerShell script obfuscator

• Chameleon - PowerShell obfuscator. I've had a lot of success using this tool

• Powerglot - Powershell obfuscator using polyglots

• Phantom-Evasion - Python obfuscation tool

Unix

• Bashark - Post exploitation toolkit in a bash script

• Mimipenguin - Mimikatz for Unix

• Emp3r0r - A customizable post exploitation Linux framework

MacOS

• Mystikal - Payload generator for MacOS

• MacOSRedTeaming - Mac red teaming resources

Wireless Attacks

• WiFite2 - Automate attack against WiFi

• WifiPumpkin3 - Framework for rogue access point attacks

SSL/TLS Auditing

• TestSSL - One of the more comprehensive SSL/TLS testing tools I've used

• SSLScan - Useful when SSLyze doesn't work as intended

• SSLyze - Useful when SSLScan doesn't work as intended

SSH Auditing

• SSH-Audit - Comprehensive audit of SSH. Provides comprehensive information about the SSH server in use

Setup

• WeaponizeKali.sh - Automate the installation of additional tools

• My Dotfiles - Any dotfiles work, make sure you're comfortable in your environment and log log log

SMTP

• Swaks - Swiss army knife for SMTP testing

Post Exploitation

• Nisahng - Collection of offensive PowerShell scripts for use in penetration testing and red teaming

• PowerSploit - Collection of offensive PowerShell scripts, useful in all phases of testing

• BetterSafetyKatz - Runs Mimikatz but better

• LdapDomainDump - Dump information about the domain. Incredibly useful for escalating privileges or gathering additional information for spraying attacks

• Conf-Thief - Exfiltrate sensitive data from Confluence

• BloodHound - Need I say more? Find attack paths and own the domain

• Snaffler - Find delicious candy on a domain

• Pwncat - Netcat on steroids. Post exploitation tool that has some neat tools built into it

• KeeFarce - Extract passwords from a KeePass 2.x database from memory

• PingCastle - Grab information about Active Directory (this tool does way more, check it out)

• ADRecon - Gathers information about Active Directory

• WinPwn - Collection of well known offensive scripts in one place

• PowerShellArmoury - Similar collection to WinPwn but can be encrypted

• RedRabbit - Same as the above, collection of red team PowerShell tools

• ACLight - Script for advanced discovery of Privileged Accounts

• Invoke-DNSDiscovery - Searches through DNS after compromising a machine to identify interesting assets

Penetration Testing Reports

• PublicPentestingResources - Repository of public pentesting resources

Hardening

• SecureKali - Tips to secure Kali Linux installation

Miscellanious

• OffensivePipeline - Build tools within PowerShell

• Depix - Recover information from pixelized screenshots

• LDAPMonitor - Monitor changes throughout the environment during a penetration test

Penetration Testing Distros

• Slingshot - Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond.

• Kali_Linux - Hopefully no explanation needed here

• Commando_VM - A fully customizable Windows-based pentesting virtual machine distribution

• Parrot_OS - GNU/Linux distribution based on Debian and designed with Security and Privacy in mind