
Tooling Repository

Validating Scope

  • Hurricane Electric Internet Services - Find out who owns an IP Address

  • NetBlockTool - Find IP addresses owned by a company

Find Email Addresses

  • Hunter.io - Identify the email schema used by an organization

  • Phonebook.cz - Lookup emails related to the organization

  • EmailHippo - Validate emails identified are in use by the organization

  • EmailHarvester - Find emails via search engines

  • theHarvester - Well known OSINT tool that can be used to gather names, email addresses, and more

Phishing

  • GoPhish - An incredible open-source phishing framework

  • Evilginx2 - Man-in-the-middle attack framework for phishing login credentials and bypassing 2FA

  • Catphish - Generate similar looking domains for use in phishing attacks

  • Boobsnail - Generate malicious XLM documents for phishing

  • MacroPack - Automate obfuscation of Office documents

  • Pretext-Project - Collection of pretexts to use when crafting campaigns

External Penetration Testing

  • YAWAST - Amazing for performing initial reconnaissance on a website. Also has a PoC for Sweet32 built into it

  • Skipfish - Google's active web application security reconnaissance tool

  • Nuclei - Vulnerability scanner that is actively maintained and updated frequently

  • AutoDirBuster - Parse Nmap scans and run DirBuster against targets. Useful when covering a large scope

  • FeroxBuster - My replacement for Dirb and other fuzzing tooling

  • Amass - In-depth attack surface mapping. Great for asset discovery and performing external reconnaissance

  • Dorkbot - Scan Google search results for vulnerabilities with dorks

Password Hunting

  • PwnDB - Searches for leaked credentials

  • DeHashed - Popular way to search for leaked credentials but requires payment

  • Snusbase - Alternative to DeHashed

  • Breach-Parse - TCM's script to parse databases and identify leaked credentials

  • pwnedOrNot - OSINT tool to identify if an account has appeared in a database leak

Scanning/Enumeration Tools

  • RustScan - Alternative to Nmap. Port scanning goes brrr

  • Nmap-Elasticsearch-NSE - NSE script for scanning Elasticsearch. Useful when identified in a penetration test.

  • Enum4Linux - Useful for gathering information from a host with anonymous access or authenticating to a DC to obtain a list of usernames

  • Autorecon - Automated enumeration of services

  • Aquatone - Visually inspect websites. Has the ability to parse Nmap scans

  • EyeWitness - Visually inspect websites. My preferred tool of choice. Has the ability to parse Nessus scans

APIs

  • Swagger-EZ - A tool geared towards pentesting APIs using OpenAPI definitions

LinkedIn Reconnaissance

  • LeakedInt - LinkedIn reconnaissance tool that provides output with picture, name, email, title, and location

  • WeakestLink - Regularly updated LinkedIn recon tool (10/11/2021)

  • LinkedIn2Username - My favorite LinkedIn reconnaissance tool. It should be noted that this tool will not reliably identify all of the emails for a company.

  • BridgeKeeper - LinkedIn reconnaissance tool that works great in combination with LinkedIn2Username

  • EmailGen - Email Generation from Bing using LinkedIn Dorks

Passive Reconnaissance

  • BruteShark - Analyze PCAPs. Can extract useful data and create a network diagram

  • NetworkMiner - Analyze PCAPs. The free version is great but the professional is better (costs $$$)

  • PCredz - My favorite way to analyze PCAPs or live captures. Free, fast, and great for PCI tests

Footholds

  • Responder - Abuse LLMNR and NBT-NS protocols (and more) to get a reliable foothold

  • mitm6 - Abuse IPv6 to obtain a foothold

  • Impacket - The options are endless with Impacket. Kerberoast until you drop!

  • Flamingo - Capture credentials sprayed across the network

  • SpoolSploit - Collection of Windows print spooler exploits. Great for obtaining a foothold or escalating privileges!

  • RouterSploit - Router exploitation framework

  • SIET - Smart Install Exploitation Tool

Credential Spraying and Bruteforce

  • SprayingToolkit - Spraying attacks against Lync/S4B, OWA, and O365

  • CrackMapExec - Spraying attacks against... everything

  • DomainPasswordSpray - Spraying attacks against a domain. Gathers the account lockout window, which is nifty

  • Spray - Spraying against Active Directory

  • Patator - Multi-purpose brute-forcer. Takes a little reading of the manual but works incredibly well

  • BruteSpray - Brute-Forcing from an Nmap output. One of my favorites for automating the assessment of a network

  • Crowbar - Brute-forcing tool that supports protocols not currently supported by Hydra

Default Credentials

  • nndefaccts - Updated Nmap default credential list

  • ChangeMe - Default credential scanner. I've had mixed results with this. When it works it's great!

  • DefaultCredsCheatsheet - List of common default credentials

  • HAT - Hashcat Automation Tool

Wordlists

  • OneRuleToRuleThemAll - My favorite rule list

  • ProbableWordlists - Probable wordlists to use in password attacks

Password Cracking

  • Hashcat - This should go without saying, but Hashcat is amazing

  • PACK - Password Analysis and Cracking Toolkit. There's a lot of password goodies and resources here

  • Hate_Crack - TrustedSec's password cracking utility. Automates a lot

  • Pipal - Perform password analysis

Database

  • DBeaver - One of the best tools I've used to interact with databases.

  • NOSQLBooster - Interact with NoSQL (DBeaver removed this in the community version)

Command and Control

  • Covenant - I used Covenant throughout the CRTO certification and fell in love. Free and easy to use

  • Sliver - Bishop Fox's C2 framework

  • Shad0w - Bats3c's C2. Used it a few times and it's a ton of fun!

  • Mythic - Cross-platform C2. Previously used while on an OSX engagement

Amazon Web Services (AWS)

  • Pacu - AWS exploitation framework from RhinoSecurityLabs

  • Scour - AWS red teaming framework

Attacking Outlook / Similar Products

  • Ruler - A tool to abuse Exchange services

  • O365Spray - My go-to when spraying Office 365

  • Msspray - Conduct password attacks against Azure AD and Office 365 endpoints

  • TeamsUserEnum - User enumeration with the Microsoft Teams API

  • Carnivore - Exchange Attack Tool

Obfuscation

  • Darkarmour - Bats3c's obfuscation tool.

  • PEzor - Shellcode and PE packer

  • PowerShellArmoury - Store obfuscated pentesting tools in one place

  • Invoke-Obfuscation - PowerShell script obfuscator

  • Chameleon - PowerShell obfuscator. I've had a lot of success using this tool

  • Powerglot - PowerShell obfuscator using polyglots

  • Phantom-Evasion - Python obfuscation tool

Unix

  • Bashark - Post exploitation toolkit in a bash script

  • Mimipenguin - Mimikatz for Unix

  • Emp3r0r - A customizable post exploitation Linux framework

MacOS

  • Mystikal - Payload generator for MacOS

  • MacOSRedTeaming - Mac red teaming resources

Wireless Attacks

  • WiFite2 - Automate attack against WiFi

  • WifiPumpkin3 - Framework for rogue access point attacks

SSL/TLS Auditing

  • TestSSL - One of the more comprehensive SSL/TLS testing tools I've used

  • SSLScan - Useful when SSLyze doesn't work as intended

  • SSLyze - Useful when SSLScan doesn't work as intended

SSH Auditing

  • SSH-Audit - Comprehensive SSH audit tool. Reports detailed information about the SSH server in use

Setup

  • WeaponizeKali.sh - Automate the installation of additional tools

  • My Dotfiles - Any dotfiles work, make sure you're comfortable in your environment and log log log

SMTP

  • Swaks - Swiss army knife for SMTP testing

Post Exploitation

  • Nishang - Collection of offensive PowerShell scripts for use in penetration testing and red teaming

  • PowerSploit - Collection of offensive PowerShell scripts, useful in all phases of testing

  • BetterSafetyKatz - Runs Mimikatz but better

  • LdapDomainDump - Dump information about the domain. Incredibly useful for escalating privileges or gathering additional information for spraying attacks

  • Conf-Thief - Exfiltrate sensitive data from Confluence

  • BloodHound - Need I say more? Find attack paths and own the domain

  • Snaffler - Find delicious candy on a domain

  • Pwncat - Netcat on steroids. Post exploitation tool that has some neat tools built into it

  • KeeFarce - Extract passwords from a KeePass 2.x database from memory

  • PingCastle - Grab information about Active Directory (this tool does way more, check it out)

  • ADRecon - Gathers information about Active Directory

  • WinPwn - Collection of well known offensive scripts in one place

  • PowerShellArmoury - Similar collection to WinPwn but can be encrypted

  • RedRabbit - Same as the above, collection of red team PowerShell tools

  • ACLight - Script for advanced discovery of Privileged Accounts

  • Invoke-DNSDiscovery - Searches through DNS after compromising a machine to identify interesting assets

Penetration Testing Reports

  • PublicPentestingResources - Repository of public pentesting resources

Hardening

  • SecureKali - Tips to secure Kali Linux installation

Miscellaneous

  • OffensivePipeline - Build tools within PowerShell

  • Depix - Recover information from pixelized screenshots

  • LDAPMonitor - Monitor changes throughout the environment during a penetration test

Penetration Testing Distros

  • Slingshot - Slingshot is an Ubuntu-based Linux distribution with the MATE Desktop Environment built for use in the SANS penetration testing curriculum and beyond.

  • Kali_Linux - Hopefully no explanation needed here

  • Commando_VM - A fully customizable Windows-based pentesting virtual machine distribution

  • Parrot_OS - GNU/Linux distribution based on Debian and designed with Security and Privacy in mind

Last updated 4 months ago