Penetration Testing Tools Part-1

OSINT

1. SpiderFoot Scrummage Maltego sn0int (Semi-automatic OSINT framework and package manager).

2. karma v2 (Find deep information, more assets, WAF/CDN bypassed IPs, Internal/External Infra, Publicly exposed leaks etc.).

3. OWASP Amass (In-depth Attack Surface Mapping and Asset Discovery).

4. Albert (All in one for penetration testing, mixing some tried and tested methods for gathering recon on a single machine or an entire subnet).

5. Osmedeus (Fully automated offensive security framework for reconnaissance and vulnerability scanning).

6. puredns (puredns is a subdomain bruteforcing tool that improves massdns to accurately handle wildcard subdomains and DNS poisoning).

7. SubWalker (Subdomain enumeration, uses Sublist3r and other tools, removes duplicates).

8. Sublist3r (Subdomain enumeration).

9. subfinder (Subdomain enumeration).

10. frogy (Subdomain enumeration script. It’s unique in the way it is built upon).

11. second-order (Scans web applications for second-order subdomain takeover by crawling the app, and collecting URLs (and other data) that match certain rules, or respond in a certain way).

12. SARENKA GgDorker (Simple python tool that automates the process of Google Dorking).

13. Katana-ds (Simple python tool that automates Google Hacking/Dorking and supports Tor).

14. BurpMetaFinder ProtOSINT (Investigate ProtonMail accounts and ProtonVPN IP addresses).

15. Scilla (DNS/Subdomains/Ports/Directories enumeration).

16. EmailGen (Email generator that uses dorks on Bing to generate emails from LinkedIn Profiles).

17. Maigret (OSINT username checker. Collect a dossier on a person by username from a huge number of sites).

18. MOSINT (OSINT Tool for emails. It helps you gather information about the target email).

19. Terra (OSINT Tool on Twitter and Instagram).

20. SocialPwned (Gather emails, published in social networks such as Instagram, Linkedin and Twitter to find possible credentials leaks in PwnDB or Dehashed and obtain Google account information via GHunt).

21. EyeWitness (Designed to take screenshots of websites, provide some server header info, and identify default credentials if possible).

22. HttpDoom (HttpDoom is a tool for response-based inspection of websites across a large amount of hosts for quickly gaining an overview of HTTP-based attack surface. It has the ability to take screenshots).**

Dark Web OSINT

1. Darkdump (allows users to enter a search term (query) in the command line and darkdump will pull all the deep web sites relating to that query).

2. TorBot (Dark Web OSINT Tool).**

Subdomain Takeover

3. NtHiM (Super Fast Sub-domain Takeover Detection).**

Port Scanning

1. Nmap DivideAndScan (Divide full port scan results and use it for targeted Nmap runs).

2. MASSCAN (Internet wide scanning).

3. RustScan (Faster than Nmap).

4. Unimap (Scan only once by IP address and reduce scan times with Nmap for large amounts of data).

5. Smap (Passive Nmap like scanner built with shodan.io).**

Nmap NSE Scripts

1. vulscan (Advanced vulnerability scanning with Nmap NSE).**

Network Recon

2. IVRE (Build your own, self-hosted and fully-controlled alternatives to Shodan / ZoomEye / Censys and GreyNoise, run your Passive DNS service, collect and analyse network intelligence from your sensors, and much more!).**

Content Discovery

3. dirb Gobuster feroxbuster Crawpy (Written to work asynchronously, allowing it to be very fast).

4. Snaffler (Find delicious candy needles (creds mostly, but it’s flexible) in a bunch of horrible boring haystacks (a massive Windows/AD environment).

5. MAN-SPIDER (Crawl SMB shares for juicy information. File content searching + regex is supported!).

6. SMBSR (Lookup for interesting stuff in SMB shares).

7. FindUncommonShares (Python equivalent of PowerView’s Invoke-ShareFinder.ps1 allowing to quickly find uncommon shares in vast Windows Domains).

8. DumpSMBShare (A script to dump files and folders remotely from a Windows SMB share).

9. pyWhat (Identity Anything. pyWhat can identify strings of text, the contents of .pcap files i.e. hashes, credit card numbers, cryptocurrency addresses etc.).**

GitHub Sensitive information discovery

1. gittyleaks GitHub Watchman GitBleed Tools (Download and analyse differences between cloned and mirror Git repositories in order to discover secrets).**

GitLab Sensitive information discovery

1. GitLab Watchman

Vulnerability Scanning

1. Nessus Qualys OpenVAS (Free, not as feature rich as Nessus and Qualys).

2. OWASP Nettacker (Free, not as feature rich as Nessus and Qualys).

3. Tsunami (Made by Google, Tsunami is a general purpose network security scanner with an extensible plugin system for detecting high severity vulnerabilities with high confidence).

4. nuclei (Fast and customisable vulnerability scanner based on simple YAML based DSL).

5. Vuls (Vulnerability scanner for Linux/FreeBSD, agent-less, written in Go).**

Wordlist Generation

1. COOK (Easily create word’s permutation and combination to generate complex wordlists and passwords).

2. Cracken (a fast password wordlist generator, Smartlist creation and password hybrid-mask analysis tool written in pure safe Rust).**

SSH Brute Force

1. ssb OrbitalDump (A simple multi-threaded distributed SSH brute-forcing tool written in Python).**

HTTP Basic Authentication Brute Force

1. CR401 (The CR401 is a simple and fast tool that helps you to crack HTTP basic access authentication).**

OWA Brute Force

1. owa-login

Microsoft Exchange Password Spraying

1. PyExchangePasswordSpray (Microsoft Exchange password spraying tool with proxy capabilities).**

NTLM over HTTP Discovery

1. NTLMRecon (Enumerate information from NTLM authentication enabled web endpoints).**

Multiple Protocol Brute Force

1. Crowbar (OpenVPN, RDP, SSH private key authentication, VNC key authentication).**

WiFi Penetration Testing

1. WiFiBroot (A Wireless Pentest/Cracking Tool for 4-way Handshake & PMKID).**

Active Directory Reconnaissance

1. BloodHound (Active Directory Mapping)

2. aclpwn.py (Tool that interacts with BloodHound to identify and exploit ACL based privilege escalation paths.)

3. ldd2bh (Convert ldapdomaindump to Bloodhound).

4. Max (Maximizing BloodHound with a simple suite of tools).

5. ImproHound (Identify the attack paths in BloodHound breaking your AD tiering).

6. adalanche (Active Directory ACL Visualizer – who’s really Domain Admin?).

7. ADRecon (ADRecon is a tool which gathers information about the Active Directory and generates a report).

8. ADFind (Command line Active Directory query tool).

9. AD Enum (Pentesting tool that allows to find misconfigurations through the protocol LDAP, and exploit some of those weaknesses with kerberos).

10. EDD (Enumerate Domain Data is designed to be similar to PowerView but in .NET).

11. Seatbelt (Performs a number of security oriented host-survey “safety checks” relevant from both offensive and defensive security perspectives).**

Active Directory Exploitation Automation

1. linWinPwn (Script that automates a large number of Active Directory Enumeration and Exploitation steps).**

Privilege Escalation – Windows

1. WinPEAS PrivescCheck Perfusion (Windows 7, Windows Server 2008R2, Windows 8, and Windows Server 2012).

2. WES-NG (Provides the list of vulnerabilities the OS is vulnerable to, including any exploits for these vulnerabilities).

3. DLLHSC (A tool to generate leads and automate the discovery of candidates for DLL Search Order Hijacking).

4. ImpulsiveDLLHijack (C# based tool which automates the process of discovering and exploiting DLL Hijacks in target binaries. The Hijacked paths discovered can later be weaponized during Red Team Operations to evade EDR’s).

5. DLLirant (automate DLL Hijacking research on a specified binary).

6. C2_Elevated_Shell_DLL_Hijcking (DLL Hijacking and Mock directories technique to bypass Windows UAC security feature and get a high-level privileged reverse shell).

7. Windows Feature Hunter (Automatically identify potential Dynamic Linked Library (DLL) sideloading and Component Object Model (COM) hijacking opportunities at scale.)

8. SweetPotato (Local Service to SYSTEM privilege escalation from Windows 7 to Windows 10 / Server 2019).

9. MultiPotato (Another Potato to get SYSTEM via SeImpersonate privileges).

10. Candy Potato (Pure C++, weaponized, fully automated implementation of RottenPotatoNG).

11. PrintSpoofer (From LOCAL/NETWORK SERVICE to SYSTEM by abusing SeImpersonatePrivilege on Windows 10 and Server 2016/2019).

12. PrintNightmare (CVE-2021-1675: Remote code execution in Windows Spooler Service).

13. SpoolSploit (A collection of Windows print spooler exploits containerized with other utilities for practical exploitation.)

14. DeployPrinterNightmare (C# tool for installing a shared network printer abusing the PrinterNightmare bug to allow other network machines easy privesc!).

15. SystemNightmare (Gives you instant SYSTEM command prompt on all supported and legacy versions of Windows).

16. Concealed Position (Installs drivers with known vulnerabilities which are then exploited to escalate to SYSTEM).

17. RemotePotato0 (Just another “Won’t Fix” Windows Privilege Escalation from User to Domain Admin.)

18. InstallerFileTakeOver (Overwrite the discretionary access control list (DACL) for Microsoft Edge Elevation Service to replace any executable file on the system with an MSI installer file, allowing an attacker to run code with SYSTEM privileges).

19. bloodyAD (Active Directory Privilege Escalation Framework).

20. SharpImpersonation (A User Impersonation tool – via Token or Shellcode injection).

21. PrimaryTokenTheft (Steal a primary token and spawn cmd.exe using the stolen token).

22. PowerRunAsAttached (Ease the possibility to do vertical / horizontal privilege escalation through your already established Netcat / WinRM session).

23. Pachine (Python implementation for CVE-2021-42278 (Active Directory Privilege Escalation)).

24. LACheck (Multithreaded C# .NET Assembly Local Administrative Privilege Enumeration).

25. PowerRunAsSystem (Run application as system with interactive system process support (active Windows session)).

26. KrbRelayUp (A universal no-fix local privilege escalation in windows domain environments where LDAP signing is not enforced (the default settings).

27. NTLMRelay2Self (Another No-Fix LPE, NTLMRelay2Self over HTTP (Webdav)).**

Pivoting

1. nextnet (Pivot point discovery tool written in Go. Identify a multi-homed Windows desktop on the local network. Identify multi-homed hosts running Netbios on the internet).

2. Chisel (A fast TCP/UDP tunnel over HTTP. Useful when SSH is not available for tunneling).

3. SSF (Network tool and toolkit – TCP and UDP port forwarding, SOCKS proxy, remote shell, standalone and cross platform).

4. pivotnacci (A tool to make socks connections through HTTP agents. Pivot into the internal network by deploying HTTP agents).**

Privilege Escalation – Linux

1. LinPEAS linux-smart-enumeration SUID3NUM Traitor rootend AutoSUID moonwalk (Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps).**

Dump LSASS

1. PPLKiller (Tool to bypass LSA Protection (aka Protected Process Light).

2. PPLdump (Dump the memory of a Protected Process Light (PPL) i.e. lsass.exe with a userland exploit).

3. SharpMiniDump TransactedSharpMiniDump (Stealthy, doesn’t write dump file to disk).

4. LsassSilentProcessExit (Stealthy, uses Windows binary to dump LSASS).

5. MirrorDump (Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory).

6. pypykatz (Mimikatz implementation in pure Python).

7. lsassy (Extract credentials from LSASS remotely. This tool uses impacket project to remotely read necessary bytes in LSASS dump and pypykatz to extract credentials).

8. Spraykatz (Credentials gathering tool automating remote procdump and parse of LSASS process).

9. HandleKatz (Usage of cloned handles to Lsass in order to create an obfuscated memory dump).

10. Invoke-HandleKatzInject.ps1 (PowerShell script to execute HandleKatz from memory, WinPwn is also integrated).

11. NanoDump (A flexible tool that creates a minidump of the LSASS process).

13. MalSeclogon (A little tool to play with the Seclogon service and dump LSASS).

14. safetydump (MiniDump a process in memory with rust).

15. DumpNParse (A Combination LSASS Dumper and LSASS Parser).

16. LsassDumpReflectiveDll (Dump LSASS Memory Using a Reflective Dll).

17. PostDump (Simple tool to perform a memory dump (LSASS) using several techniques to bypass EDR hooking and LSASS protection).**

LSASS Backdoor

1. nosferatu (Lsass NTLM Authentication Backdoor).**

Credential Stealing

1. ThunderFox (Retrieves data (contacts, emails, history, cookies and credentials) from Thunderbird and Firefox.)

2. SharpChromium (Retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta.)

3. EvilSelenium (tool that weaponizes Selenium to attack Chrome and steal credentials, screenshot websites etc.).

4. KeeThief (Methods for attacking KeePass 2.X databases, including extracting of encryption key material from memory. Uses syscalls for shellcode injection routines via D/Invoke).

5. DonPAPI (Dumping DPAPI credz remotely).

6. LDAP Password Hunter (Password Hunter in the LDAP infamous database).

7. NPPSpy (Simple (but fully working) code for NPLogonNotify(). The function obtains logon data, including cleartext password).

8. FakeLogonScreen (Fake Windows logon screen to steal passwords).

9. Winphish (Phishing Windows credentials in a simple way).

10. Gopher (If a credential is there… Gopher will find it!).

11. VeraCryptThief (Extracting clear-text passwords from VeraCrypt.exe using API hooking).

12. O365-Doppelganger (A quick handy script to harvest credentials off of a user during a Red Team and get execution of a file from the user).**

Local Machine – Password Brute force

1. WinBruteLogon (Crack any Microsoft Windows users password without any privilege (Guest account included)).

2. PowerBruteLogon (PowerBruteLogon is a ported version of WinBruteLogon in pure PowerShell).**

MitM

1. Responder mitm6 PyRDP (RDP monster-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact).**

Password Hash Stealing

1. secretsdump.py (Remotely dump password hashes).

2. Gosecretsdump (Dump ntds.dit really fast).

3. Farmer (Farmer is a project for collecting NetNTLM hashes in a Windows domain. Farmer achieves this by creating a local WebDAV server that causes the WebDAV Mini Redirector to authenticate from any connecting clients).

4. Lnkbomb (Malicious shortcut generator for collecting NTLM hashes from insecure file shares).

5. ntlm_theft (A tool for generating multiple types of NTLMv2 hash theft files).**

Password Hash Cracking

1. John the Ripper hashcat CrackQ (Python 3 REST API & JS GUI for managing hashcat crack jobs in a queuing system).

2. NPK (distributed hash-cracking platform built entirely of serverless components in AWS).

3. Cloudtopolis (Facilitates the installation and provisioning of Hashtopolis on the Google Cloud Shell platformKraker (Kraker is a distributed password brute-force system that focused on easy use).**

Pass the Hash

1. NamedPipePTH (Pass the Hash to a named pipe for token Impersonation. Can be used to establish a C2 connection).

2. SharpNamedPipePTH (Pass the Hash to a named pipe for token Impersonation. Can be used to spawn a fully featured shell or C2-connection as the victim user-account.)**

Active Directory Password Spraying

1. CrackMapExec Talon (A password guessing tool that targets the Kerberos and LDAP services within the Windows Active Directory environment).**

Check if SMB Signing is enabled

1. CrackMapExec

NTLM Relaying

1. MultiRelay (Part of Responder)

2. ntlmrelayx.py (Used with mitm6)

3. lsarelayx (NTLM relaying for Windows made easy).**

Kerberoasting

1. Rubeus (toolset for raw Kerberos interaction and abuses).

2. targetedKerberoast (Kerberoast with ACL abuse capabilities).**

Kerberos Relaying

1. KrbRelay (Framework for Kerberos relaying).**

Active Directory Certificate Abuse

1. Certify (Active Directory certificate abuse).

2. certi (Utility to play with ADCS, allows to request tickets and collect information about related objects. Basically, it’s the impacket copy of Certify).

3. ForgeCert (“Golden” certificates).

4. CertStealer (A .NET tool for exporting and importing certificates without touching disk).

5. ADCSPwn (Escalate privileges in an active directory network by coercing authenticate from machine accounts and relaying to the certificate service).

6. PKINIT tools (Tools for Kerberos PKINIT and relaying to AD CS).

7. StandIn (AD post-exploitation toolkit. Includes a number of companion functions for Certify and ADCS template attacks).

8. modifyCertTemplate (Modify ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation).**

Active Directory Lateral Movement

1. Talon (Password guessing attacks)

2. Invoke-Petitpotam.ps1 (NTLM relay attack – allows threat actors to take over a domain controller, and thus an entire Windows domain).

3. Liquid Snake (Tool that allows operators to perform fileless lateral movement using WMI Event Subscriptions and GadgetToJScript).

4. WinPwn (Automation for internal Windows Penetration test / AD-Security).

5. SharpStrike (Post-exploitation tool written in C# that uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session).

6. SharpRDP (Remote Desktop Protocol .NET Console Application for Authenticated Command Execution).

7. SharpMove (.NET Project for performing Authenticated Remote Execution).

8. SharpDllProxy (Retrieves exported functions from a legitimate DLL and generates a proxy DLL source code/template for DLL proxy loading or sideloading).

9. SharpRDPThief (A C# implementation of RDPThief to steal credentials from RDP).

10. SharpRDPHijack (A POC Remote Desktop (RDP) session hijack utility for disconnected sessions).

11. SharpWSUS (CSharp tool for lateral movement through WSUS (Windows Server Update Services).

12. ABPTTS (Tunnel TCP traffic over a HTTP/HTTPS connection to a web application server.

13. wmiexec.py (Silently execute commands against a compromised endpoint using WMI).

14. WMIcmd (A command shell wrapper using only WMI for Microsoft Windows. Useful for Red Teaming engagements).

15. AutoRDPwn (Post-exploitation framework created in Powershell, designed primarily to automate the Shadow attack on Microsoft Windows computers).

16. Seth (Perform a MitM attack and extract clear text credentials from RDP connections).

17. SSHPry2.0 (SSHPry v2 – Spy & Control os SSH Connected client’s TTY).

18. Evil-WinRM (The ultimate WinRM shell for hacking/pentesting).

19. CheeseTools (Self-developed tools for Lateral Movement/Code Execution).

20. Server (Un)Trust Account (A technique for Active Directory domain persistence).

21. SocksOverRDP (Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop).

22. PowerSharpPack (Many usefull offensive CSharp Projects wraped into Powershell for easy usage).

23. SweetBackup (PowerShell version of SeBackupPrivilege. Use SE_BACKUP_NAME/SeBackupPrivilege to access objects you shouldn’t have access to).

24. KnockOutlook (Interacts with Outlook’s COM object in order to perform a number of operations useful in red team engagements).

25. mssqlproxy (Perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse).

26. OffensiveCSharp (Collection of C# tooling and POCs created for use on operations).

27. keimpx (Check for valid credentials across a network over SMB. NTLM hashes can be used).

28. GPOwned (Buggy script to play with GPOs).

29. WMEye (Post exploitation tool that uses WMI Event Filter and MSBuild Execution for lateral movement).

30. ScheduleRunner (A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation).

31. MalSCCM (Abuse local or remote SCCM servers to deploy malicious applications to hosts they manage. To use this tool your current process must have admin rights over the SCCM server).**

Persistence

1. Powersistence (Simple script that automates setting a new scheduled task to run a malicious payload on a schedule and thus remain you persistent while operating).

2. SharpEventPersist (Persistence by writing/reading shellcode from Event Log).**

Filesystem/Container Sensitive Information Discovery

1. Pillager SecretScanner (Find secrets and passwords in container images and file systems).**