From 630df566d3875848be41faccabb8f1e6fb4d59a8 Mon Sep 17 00:00:00 2001 From: pe3zx Date: Wed, 18 Nov 2020 18:07:42 +0700 Subject: [PATCH] Add new page 'Offensive Bookmark' --- Offensive.md | 355 +++++++++++++++++++++++++++++++++++++++++++++++++++ README.md | 306 +++----------------------------------------- 2 files changed, 373 insertions(+), 288 deletions(-) create mode 100644 Offensive.md diff --git a/Offensive.md b/Offensive.md new file mode 100644 index 0000000..58f0c9f --- /dev/null +++ b/Offensive.md @@ -0,0 +1,355 @@ +# Offensive Bookmark + +

+ +

+ +

+ +This page will contain my bookmark for offensive tools, briefly categorized based on [MITRE ATT&CK Enterprise Matrix](https://attack.mitre.org/matrices/enterprise/). Some links and sections on [README.md](README.md) will be relocated to this page if it's related to offensive tactics and techniques. + +- [Reconnaissance/Discovery](#reconnaissancediscovery) +- [Execution](#execution) + - [Living Off The Land](#living-off-the-land) + - [Manipulating Binary's Internal](#manipulating-binarys-internal) + - [Payload Generation](#payload-generation) +- [Persistence](#persistence) +- [Privilege Escalation](#privilege-escalation) +- [Defense Evasion](#defense-evasion) +- [Credential Access](#credential-access) +- [Lateral Movement](#lateral-movement) +- [Command & Control](#command--control) +- [Exfiltration](#exfiltration) + +## Reconnaissance/Discovery + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
GhostPack/SeatbeltSeatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
NetSPI/goddigoddi (go dump domain info) dumps Active Directory domain information
outflanknl/Recon-ADRecon-AD, an AD recon tool based on ADSI and reflective DLL’s
sud0woodo/DCOMradePowershell script for enumerating vulnerable DCOM Applications
+ +## Execution + +### Living Off The Land + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
api0cradle/LOLBASLiving Off The Land Binaries and Scripts (and now also Libraries)
bohops/GhostBuildGhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
Cn33liz/p0wnedShellp0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET)
FuzzySecurity/PowerShell-SuiteThere are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
nccgroup/GTFOBLookupOffline command line lookup utility for GTFOBins
+ +### Manipulating Binary's Internal + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
Cybellum/DoubleAgentDoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
jonatan1024/clrinjectInjects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
monoxgas/sRDIShellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
stephenfewer/ReflectiveDLLInjectionReflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
slyd0g/UrbanBishopLocalA port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
+ +### Payload Generation + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
BC-SECURITY/EmpireEmpire is a PowerShell and Python post-exploitation agent.
mdsecactivebreach/SharpShooterSharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
Plazmaz/LNKUpGenerates malicious LNK file payloads for data exfiltration
sevagas/macro_packmacro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
trustedsec/unicornUnicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
+ +## Persistence + + + + + + + + + + +
LinkDescription
fireeye/SharPersistWindows persistence toolkit written in C#.
+ +## Privilege Escalation + + + + + + + + + + + + + + + + + + +
LinkDescription
0xbadjuju/TokenvatorA tool to elevate privilege with Windows Tokens
411Hall/JAWSJAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
hlldz/dazzleUPA tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
+ +## Defense Evasion + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
api0cradle/UltimateAppLockerByPassListThe goal of this repository is to document the most common techniques to bypass AppLocker.
danielbohannon/Invoke-DOSfuscationCmd.exe Command Obfuscation Generator & Detection Test Harness
hlldz/Invoke-Phant0mWindows Event Log Killer
huntresslabs/evading-autorunsSlides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
mdsecactivebreach/ChameleonChameleon: A tool for evading Proxy categorisation
nccgroup/demiguiseHTA encryption tool for RedTeams
OmerYa/Invisi-ShellHide your Powershell script in plain sight. Bypass all Powershell security features
peewpw/Invoke-PSImageEmbeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
secretsquirrel/SigThiefStealing Signatures and Making One Invalid Signature at a Time
+ +## Credential Access + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
Arvanaghi/SessionGopherSessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
DanMcInerney/icebreakerGets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
eladshamir/Internal-MonologueInternal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
FSecureLABS/physmem2profit Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
Kevin-Robertson/InveighWindows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
nidem/kerberoastKerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
peewpw/Invoke-WCMDumpPowerShell Script to Dump Windows Credentials from the Credential Manager
putterpanda/mimikittenzA post-exploitation powershell tool for extracting juicy info from memory.
+ +## Lateral Movement + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
byt3bl33d3r/CrackMapExecA swiss army knife for pentesting networks
cobbr/SharpSploitSharpSploit is a .NET post-exploitation library written in C#
DefensiveOrigins/PlumHoundBloodhound for Blue and Purple Teams
ScorpionesLabs/DVSD(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
+ +## Command & Control + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
3xpl01tc0d3r/CallidusIt is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services.
byt3bl33d3r/SILENTTRINITYAn asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
cobbr/Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
fbkcs/ThunderDNSThis tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
Ne0nd0g/merlinMerlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
Project PrismaticaProject Prismatica is a focused framework for Command and Control that is dedicated to extensibility.
sensepost/goDoHgodoh - A DNS-over-HTTPS C2
SpiderLabs/DoHC2DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
+ +## Exfiltration + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
LinkDescription
evilsocket/sg1A wanna be swiss army knife for data encryption, exfiltration and covert communication.
hackerschoice/gsockethackerschoice/gsocketGlobal Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls
pentestpartners/PTP-RATExfiltrate data over screen interfaces. For more information.
sensepost/DETDET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/SethPerform a MitM attack and extract clear text credentials from RDP connections
vp777/procrustesA bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.
\ No newline at end of file diff --git a/README.md b/README.md index 4da4ff0..46e3c04 100644 --- a/README.md +++ b/README.md @@ -6,6 +6,12 @@

+--- + +**Update Nov 18, 2020**: [Offensive Bookmark.md](Offensive.md) has been created based on my need to map bookmarks (and tools) that practice tactics and techniques for offensive operations with MITRE ATT&CK Enterprise Matrix. The Post Exploitation section on [README.md](readme.md) is now migrate to the new page. I will update the new page with my personal bookmark soon. + +--- + This repository is created as an online bookmark for useful links, resources and tools in infosec field which serve my needs to have a searchable page to look further. - [Adversary Simulation & Emulation](#adversary-simulation--emulation) @@ -14,7 +20,6 @@ This repository is created as an online bookmark for useful links, resources and - [Cloud Security](#cloud-security) - [Courses](#courses) - [Cryptography](#cryptography) -- [Data Exfiltration](#data-exfiltration) - [Data Sets](#data-sets) - [Digital Forensics and Incident Response](#digital-forensics-and-incident-response) - [Exploits](#exploits) @@ -25,7 +30,6 @@ This repository is created as an online bookmark for useful links, resources and - [Network Security](#network-security) - [Open-source Intelligence (OSINT)](#open-source-intelligence-osint) - [Password Cracking and Wordlists](#password-cracking-and-wordlists) -- [Post Exploitation](#post-exploitation) - [Social Engineering](#social-engineering) - [Vulnerable](#vulnerable) @@ -784,39 +788,6 @@ This repository is created as an online bookmark for useful links, resources and -## Data Exfiltration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
LinkDescription
evilsocket/sg1A wanna be swiss army knife for data encryption, exfiltration and covert communication.
hackerschoice/gsockethackerschoice/gsocketGlobal Socket. Moving data from here to there. Securely, Fast and trough NAT/Firewalls
pentestpartners/PTP-RATExfiltrate data over screen interfaces. For more information.
sensepost/DETDET (is provided AS IS), is a proof of concept to perform Data Exfiltration using either single or multiple channel(s) at the same time.
SySS-Research/SethPerform a MitM attack and extract clear text credentials from RDP connections
vp777/procrustesA bash script that automates the exfiltration of data over dns in case we have a blind command execution on a server where all outbound connections except DNS are blocked.
- ## Data Sets @@ -1157,6 +1128,10 @@ This repository is created as an online bookmark for useful links, resources and + + + + @@ -1461,6 +1436,10 @@ This repository is created as an online bookmark for useful links, resources and + + + + @@ -1469,10 +1448,6 @@ This repository is created as an online bookmark for useful links, resources and - - - - @@ -1537,6 +1512,10 @@ This repository is created as an online bookmark for useful links, resources and + + + + @@ -2203,255 +2182,6 @@ This repository is created as an online bookmark for useful links, resources and
SekoiaLab/Fastir_Collector This tool collects different artefacts on live Windows and records the results in csv or json files. With the analyses of these artefacts, an early compromission can be detected.
shellster/DCSYNCMonitorMonitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.
SIEMonster SIEMonster is an Affordable Security Monitoring Software Soulutionfelixweyne/imaginaryC2 Imaginary C2 is a python tool which aims to help in the behavioral (network) analysis of malware. Imaginary C2 hosts a HTTP server which captures HTTP requests towards selectively chosen domains/IPs. Additionally, the tool aims to make it easy to replay captured Command-and-Control responses/served payloads.
FortyNorthSecurity/WMImplantThis is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
godaddy/procfilter A YARA-integrated process denial framework for Windowsips-bph-framework BLACKPHENIX is an open source malware analysis automation framework composed of services, scripts, plug-ins, and tools and is based on a Command-and-Control (C&C) architecture
FortyNorthSecurity/WMImplantThis is a PowerShell based tool that is designed to act like a RAT. Its interface is that of a shell where any command that is supported is translated into a WMI-equivalent for use on a network/remote machine. WMImplant is WMI based.
gen0cide/gscript Framework to rapidly implement custom droppers for all three major operating systemsjgamblin/JPCERTCC/MalConfScan Volatility plugin for extracts configuration data of known malware
JohnLaTwC/PyPowerShellXrayPython script to decode common encoded PowerShell scripts
KasperskyLab/klara Klara project is aimed at helping Threat Intelligence researechers hunt for new malware using Yara.
-## Post Exploitation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0xbadjuju/TokenvatorA tool to elevate privilege with Windows Tokens
3xpl01tc0d3r/CallidusIt is developed using .net core framework in C# language. Allows operators to leverage O365 services for establishing command & control communication channel. It usages Microsoft Graph APIs for communicating with O365 services.
411Hall/JAWSJAWS is PowerShell script designed to help penetration testers (and CTFers) quickly identify potential privilege escalation vectors on Windows systems. It is written using PowerShell 2.0 so 'should' run on every Windows version since Windows 7.
api0cradle/LOLBASLiving Off The Land Binaries and Scripts (and now also Libraries)
api0cradle/UltimateAppLockerByPassListThe goal of this repository is to document the most common techniques to bypass AppLocker.
Arvanaghi/SessionGopherSessionGopher is a PowerShell tool that uses WMI to extract saved session information for remote access tools such as WinSCP, PuTTY, SuperPuTTY, FileZilla, and Microsoft Remote Desktop. It can be run remotely or locally.
BC-SECURITY/EmpireEmpire is a PowerShell and Python post-exploitation agent.
besimorhino/powercatnetshell features all in version 2 powershell
bohops/GhostBuildGhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects
byt3bl33d3r/CrackMapExecA swiss army knife for pentesting networks
byt3bl33d3r/SILENTTRINITYAn asynchronous, collaborative post-exploitation agent powered by Python and .NET's DLR
cobbr/Covenant Covenant is a .NET command and control framework that aims to highlight the attack surface of .NET, make the use of offensive .NET tradecraft easier, and serve as a collaborative command and control platform for red teamers.
cobbr/SharpSploitSharpSploit is a .NET post-exploitation library written in C#
Cn33liz/p0wnedShellp0wnedShell is an offensive PowerShell host application written in C# that does not rely on powershell.exe but runs powershell commands and functions within a powershell runspace environment (.NET)
Cybellum/DoubleAgentDoubleAgent is a new Zero-Day technique for injecting code and maintaining persistence on a machine (i.e. auto-run).
danielbohannon/Invoke-DOSfuscationCmd.exe Command Obfuscation Generator & Detection Test Harness
danielbohannon/Invoke-ObfuscationInvoke-Obfuscation is a PowerShell v2.0+ compatible PowerShell command and script obfuscator
DanMcInerney/icebreakerGets plaintext Active Directory credentials if you're on the internal network but outside the AD environment
DefensiveOrigins/PlumHoundBloodhound for Blue and Purple Teams
eladshamir/Internal-MonologueInternal Monologue Attack: Retrieving NTLM Hashes without Touching LSASS
FSecureLABS/physmem2profit Physmem2profit can be used to create a minidump of a target hosts' LSASS process by analysing physical memory remotely
fbkcs/ThunderDNSThis tool can forward TCP traffic over DNS protocol. Non-compile clients + socks5 support.
fireeye/SharPersistWindows persistence toolkit written in C#.
FuzzySecurity/PowerShell-SuiteThere are great tools and resources online to accomplish most any task in PowerShell, sometimes however, there is a need to script together a util for a specific purpose or to bridge an ontological gap. This is a collection of PowerShell utilities I put together either for fun or because I had a narrow application in mind.
FuzzySecurity/Sharp-SuiteMy musings with C#
GhostPack/SeatbeltSeatbelt is a C# project that performs a number of security oriented host-survey "safety checks" relevant from both offensive and defensive security perspectives.
google/sandbox-attacksurface-analysis-toolsThis is a small suite of tools to test various properties of sandboxes on Windows. Many of the checking tools take a -p flag which is used to specify the PID of a sandboxed process. The tool will impersonate the token of that process and determine what access is allowed from that location. Also it's recommended to run these tools as an administrator or local system to ensure the system can be appropriately enumerated.
hlldz/dazzleUPA tool that detects the privilege escalation vulnerabilities caused by misconfigurations and missing updates in the Windows operating systems.
hlldz/Invoke-Phant0mWindows Event Log Killer
huntresslabs/evading-autorunsSlides and reference material from Evading Autoruns presentation at DerbyCon 7 (September 2017)
JohnLaTwC/PyPowerShellXrayPython script to decode common encoded PowerShell scripts
jonatan1024/clrinjectInjects C# EXE or DLL Assembly into every CLR runtime and AppDomain of another process.
Kevin-Robertson/InveighWindows PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool
mattifestation/PoCSubjectInterfacePackageA PoC subject interface package (SIP) provider designed to educate about the required components of a SIP provider.
mdsecactivebreach/ChameleonChameleon: A tool for evading Proxy categorisation
mdsecactivebreach/SharpShooterSharpShooter is a payload creation framework for the retrieval and execution of arbitrary CSharp source code.
monoxgas/sRDIShellcode implementation of Reflective DLL Injection. Convert DLLs to position independent shellcode
nccgroup/demiguiseHTA encryption tool for RedTeams
nccgroup/GTFOBLookupOffline command line lookup utility for GTFOBins
Ne0nd0g/merlinMerlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
NetSPI/ESCEvil SQL Client (ESC) is an interactive .NET SQL console client with enhanced SQL Server discovery, access, and data exfiltration features. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting Active Directory domain joined SQL Servers during penetration tests and red team engagements.
NetSPI/goddigoddi (go dump domain info) dumps Active Directory domain information
nidem/kerberoastKerberoast is a series of tools for attacking MS Kerberos implementations. Below is a brief overview of what each tool does.
outflanknl/Recon-ADRecon-AD, an AD recon tool based on ADSI and reflective DLL’s
OmerYa/Invisi-ShellHide your Powershell script in plain sight. Bypass all Powershell security features
peewpw/Invoke-PSImageEmbeds a PowerShell script in the pixels of a PNG file and generates a oneliner to execute
peewpw/Invoke-WCMDumpPowerShell Script to Dump Windows Credentials from the Credential Manager
Plazmaz/LNKUpGenerates malicious LNK file payloads for data exfiltration
Project PrismaticaProject Prismatica is a focused framework for Command and Control that is dedicated to extensibility.
putterpanda/mimikittenzA post-exploitation powershell tool for extracting juicy info from memory.
ScorpionesLabs/DVSD(COM) V(ulnerability) S(canner) AKA Devious swiss army knife - Lateral movement using DCOM Objects
secretsquirrel/SigThiefStealing Signatures and Making One Invalid Signature at a Time
sensepost/goDoHgodoh - A DNS-over-HTTPS C2
sevagas/macro_packmacro_pack is a tool used to automatize obfuscation and generation of MS Office documents for pentest, demo, and social engineering assessments. The goal of macro_pack is to simplify antimalware bypass and automatize the process from vba generation to final Office document generation.
shellster/DCSYNCMonitorMonitors for DCSYNC and DCSHADOW attacks and create custom Windows Events for these events.
SpiderLabs/DoHC2DoHC2 allows the ExternalC2 library from Ryan Hanson (https://github.com/ryhanson/ExternalC2) to be leveraged for command and control (C2) via DNS over HTTPS (DoH).
stephenfewer/ReflectiveDLLInjectionReflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process
sud0woodo/DCOMradePowershell script for enumerating vulnerable DCOM Applications
slyd0g/UrbanBishopLocalA port of FuzzySecurity's UrbanBishop project for inline shellcode execution. The execution vector uses a delegate vs an APC on a suspended threat at ntdll!RtlExitUserThread in UrbanBishop
TheSecondSun/BasharkBash post exploitation toolkit
trustedsec/unicornUnicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
- ## Social Engineering