Arsenal

#Phishing/Social Engineering

#Discovery

#Active Recon

#Passive Recon

  • rengine

  • Sublist3r, Amass, Subbrute, AltDNS, etc. (or any other subdomain enumeration tool that gives good results)

  • buster

#Initial Access

#Execution

#Lateral Movement

#Privilege Escalation

#Credential Dumping

  • Living Off The Land

    • Task Manager - Open an elevated Windows Task Manager, locate the lsass.exe process, right-click it and select Create dump file. This writes a dump of LSASS process memory (lsass.DMP) into your user's temp folder.

    • comsvcs.dll - comsvcs.dll exports a MiniDump function that can be used to dump process memory, as documented by modexp. Note: the calling process needs SeDebugPrivilege enabled, which an elevated cmd.exe holds but does not enable by default, so running it from a non-SYSTEM context requires a VBScript (or similar) to first enable the privilege. Alternatives are to run rundll32.exe from an elevated PowerShell session (PowerShell enables SeDebugPrivilege automatically) or to create a Windows service that runs rundll32.exe in a SYSTEM context, as documented by RiskSense.

      rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <pid of lsass> C:\lsass.dmp full
    • DumpMinitool - A Microsoft-signed binary shipped with Visual Studio (Test Platform) that can write a dump file of a user-supplied PID. At the time of writing it was not flagged by Defender. (The parameters are case sensitive.)

      .\DumpMinitool.exe --file C:\Users\user\Downloads\dump.txt --processId <pid of lsass> --dumpType Full
  • Mimikatz

    mimikatz.exe "privilege::debug" "sekurlsa::logonpasswords" exit
    # Offline: load a dump and then run the same extraction against it
    mimikatz.exe "sekurlsa::minidump lsass.dmp" "sekurlsa::logonpasswords" exit
  • ProcDump (Sysinternals) - https://docs.microsoft.com/en-us/sysinternals/downloads/procdump

    procdump.exe -accepteula -ma lsass.exe lsass.dmp
    # -r dumps from a clone (reflected copy) of the process rather than from lsass itself.
    # This sidesteps some detections that watch reads of LSASS memory, but the handle open on lsass is still logged.

    procdump.exe -accepteula -r -ma lsass.exe lsass.dmp
  • LsassSilentProcessExit - https://github.com/deepinstinct/LsassSilentProcessExit

    • Command line interface to dump LSASS memory to disk via SilentProcessExit.

  • SharpDump - https://github.com/GhostPack/SharpDump

    • .NET tool that can be used to dump process memory using the MiniDumpWriteDump Win32 API.

  • MirrorDump - https://github.com/CCob/MirrorDump

    • Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory.

  • SafetyKatz - https://github.com/GhostPack/SafetyKatz

    • .NET tool that performs a memory dump of the LSASS process to disk using the MiniDumpWriteDump Win32 API. Mimikatz is then run in memory on the target system and used to process the LSASS memory dump. This is a hybrid approach that avoids accessing LSASS memory directly using Mimikatz and also avoids the requirement to exfiltrate a large memory dump from the target system.

  • BetterSafetyKatz - https://github.com/Flangvik/BetterSafetyKatz

    • Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory.

  • SharpKatz - https://github.com/b4rtik/SharpKatz

    • .NET port of Mimikatz functionality (i.e. it is not Mimikatz under the hood) that has equivalent functionality to the "logonpasswords" command to dump credentials from LSASS.

  • HandleKatz - https://github.com/codewhitesec/HandleKatz

    • Position-independent LSASS dumper abusing cloned handles, direct system calls and a modified version of MiniDumpWriteDump().

  • Dumpert - https://github.com/outflanknl/Dumpert

    • Native EXE or DLL tool that can be used to dump process memory. Dumpert uses direct system calls rather than userland API calls in an attempt to evade EDR products that hook those APIs.

  • SassyKitdi - https://github.com/zerosum0x0/SassyKitdi

  • Out-Minidump.ps1 - https://raw.githubusercontent.com/mattifestation/PowerSploit/master/Exfiltration/Out-Minidump.ps1

    • PowerShell script that can be used to dump process memory. Generally, you should use .NET alternatives like SharpDump unless you have a specific reason to use PowerShell (e.g. AV or EDR with no visibility of PowerShell).

  • pypykatz - https://github.com/skelsec/pypykatz

    • Python port of some Mimikatz functionality. Notably, this includes the ability to perform offline processing of LSASS dumps to retrieve credentials.

  • lsassy - https://github.com/Hackndo/lsassy

    • Combines pypykatz and Impacket (with dumpers such as ProcDump) to remotely dump the LSASS process and parse the dump over SMB, so the dump never has to be copied back by hand.

  • Lazagne - https://github.com/AlessandroZ/LaZagne

    The LaZagne project is an open source application used to retrieve lots of passwords stored on a local computer.

  • Nanodump - https://github.com/helpsystems/nanodump

    The swiss army knife of LSASS dumping

  • EvilTree - https://github.com/t3l3machus/eviltree

    A standalone python3 remake of the classic "tree" command with the additional feature of searching for user-provided keywords/regex in files, highlighting those that contain matches.
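Most of the dumpers listed above differ only in how they obtain a handle to lsass.exe and how they read its memory, and the handle open is exactly what Sysmon Event ID 10 (ProcessAccess) records. The following Python is an added example, not code from this page or from any of the tools it lists: it runs the usual triage checks (rights requested on lsass, first call-trace frame outside ntdll.dll, unbacked frames, comsvcs.dll on the stack) over constructed ProcessAccess records that use Sysmon's field names. The allowlist and the sample paths are assumptions to be tuned per environment.

```python
"""Triage Sysmon Event ID 10 (ProcessAccess) records for LSASS dumping.

Added example for this page, not code from any of the tools listed above.
Field names follow Sysmon's ProcessAccess event (SourceImage, TargetImage,
GrantedAccess, CallTrace); the records in SAMPLE_EVENTS are constructed.
"""
from __future__ import annotations

# Process access rights from winnt.h that matter here.
PROCESS_VM_READ = 0x0010        # with QUERY rights, enough for MiniDumpWriteDump
PROCESS_VM_WRITE = 0x0020       # needed to inject into lsass (LSA plugin loaders)
PROCESS_DUP_HANDLE = 0x0040     # used by dumpers that clone an existing handle
PROCESS_ALL_ACCESS = 0x1FFFFF   # what Task Manager, ProcDump and comsvcs ask for

# Images that legitimately open LSASS with read rights on a typical host.
# Assumption: placeholder list, tune it per environment.
ALLOWLIST = {
    r"c:\windows\system32\svchost.exe",
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\wbem\wmiprvse.exe",
}
DEFENDER_DIR = r"c:\programdata\microsoft\windows defender\platform" + "\\"


def is_allowlisted(image: str) -> bool:
    img = image.lower()
    if img in ALLOWLIST:
        return True
    # Defender's engine lives in a versioned folder, so match prefix + name.
    return img.startswith(DEFENDER_DIR) and img.endswith(r"\msmpeng.exe")


def describe_rights(access: int) -> str | None:
    """Name the rights in GrantedAccess that are useful for dumping, if any."""
    if access == PROCESS_ALL_ACCESS:
        return "PROCESS_ALL_ACCESS (0x1FFFFF) on lsass"
    wanted = [name for bit, name in ((PROCESS_VM_READ, "VM_READ"),
                                     (PROCESS_VM_WRITE, "VM_WRITE"),
                                     (PROCESS_DUP_HANDLE, "DUP_HANDLE")) if access & bit]
    return f"lsass opened with {'|'.join(wanted)} (0x{access:X})" if wanted else None


def assess(event: dict) -> list[str]:
    """Return the reasons a ProcessAccess record looks like an LSASS dump ([] if benign)."""
    if not event.get("TargetImage", "").lower().endswith(r"\lsass.exe"):
        return []
    if is_allowlisted(event.get("SourceImage", "")):
        return []
    reasons = []
    rights = describe_rights(int(event.get("GrantedAccess", "0"), 16))
    if rights:
        reasons.append(rights)
    frames = [f.strip() for f in event.get("CallTrace", "").split("|") if f.strip()]
    lower = [f.lower() for f in frames]
    # NtOpenProcess normally enters the kernel from ntdll; anything else on the
    # first frame means a direct syscall (Dumpert, HandleKatz, nanodump style).
    if frames and not lower[0].startswith(r"c:\windows\system32\ntdll.dll"):
        reasons.append(f"first frame is not ntdll ({frames[0]}): direct syscall")
    if any(f.startswith("unknown") for f in lower):
        reasons.append("call trace has frames in unbacked memory (injected or position-independent code)")
    if any("comsvcs.dll" in f for f in lower):
        reasons.append("comsvcs.dll on the stack: MiniDump export invoked (rundll32 LOLBin)")
    return reasons


def detect(events: list[dict]) -> list[dict]:
    """Run assess() over a batch and keep the records that need analyst attention."""
    hits = []
    for ev in events:
        reasons = assess(ev)
        if reasons:
            hits.append({"SourceImage": ev["SourceImage"],
                         "GrantedAccess": ev["GrantedAccess"], "reasons": reasons})
    return hits


LSASS = r"C:\Windows\System32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"
KBASE = r"C:\Windows\System32\KERNELBASE.dll+2bd5e"
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": "|".join([NTDLL, KBASE, r"C:\Windows\System32\comsvcs.dll+b3f5", r"C:\Windows\System32\rundll32.exe+3b7c"])},
    {"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": "|".join([NTDLL, KBASE, r"C:\Tools\procdump64.exe+1c9a2"])},
    {"SourceImage": r"C:\Program Files\SomeAgent\agent.exe", "TargetImage": LSASS, "GrantedAccess": "0x1000",
     "CallTrace": "|".join([NTDLL, KBASE, r"C:\Program Files\SomeAgent\agent.exe+4f10"])},
    {"SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.23110.3-0\MsMpEng.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF", "CallTrace": "|".join([NTDLL, KBASE])},
    {"SourceImage": r"C:\Users\user\AppData\Local\Temp\dumpert.exe", "TargetImage": LSASS, "GrantedAccess": "0x1010",
     "CallTrace": "|".join([r"C:\Users\user\AppData\Local\Temp\dumpert.exe+1a2b", r"C:\Users\user\AppData\Local\Temp\dumpert.exe+23f0"])},
    {"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF",
     "CallTrace": "|".join([NTDLL, KBASE, r"C:\Windows\System32\Taskmgr.exe+5d21"])},
    {"SourceImage": r"C:\Windows\explorer.exe", "TargetImage": r"C:\Windows\System32\svchost.exe",
     "GrantedAccess": "0x1FFFFF", "CallTrace": "|".join([NTDLL, KBASE])},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["SourceImage"], hit["GrantedAccess"])
        for reason in hit["reasons"]:
            print("   ", reason)
```

A point the evasion claims above tend to blur: procdump -r and the handle-cloning dumpers still open or duplicate a handle to lsass, so the Event ID 10 record still appears; what they avoid is having their reads of lsass memory observed by userland hooks. Dumpers that issue direct syscalls skip those hooks as well, but leave a call trace whose first frame is not ntdll.dll, which is the check above.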

#Post Exploitation

#Persistence

#NTDS Dump

  • DoppelGate - https://github.com/asaurusrex/DoppelGate

    • Designed to provide a method of extracting syscalls dynamically directly from the on-disk ntdll. Userland hooks are prevalent in many security products these days, and bypassing them is a great way for red teamers/pentesters to get past those defenses.

#EDR/AV Evasion

#AppLocker Bypasses

#Tunneling

#Misc Tools

  • RedTeam Toolkit - https://github.com/signorrayan/RedTeam_toolkit

    • Red Team Toolkit is an open-source Django offensive web app that bundles useful red-teaming tools so that a security specialist can identify vulnerabilities from one place.

      It wraps open-source projects such as Nmap, rustscan, dirsearch, shreder, circl and crowbar, which together make a powerful toolkit.

  • Red Team Server (RTS) - https://github.com/jallphin/red-team-server

    • Deployable Nerve Center for Pentest Engagements

#Active Directory Resources

  • Active Directory Training open-sourced by @cfalta; an introductory class on Active Directory security. The goal is to teach the basics about Active Directory and the relevant authentication protocols as well as finding and exploiting common flaws and misconfigurations. - https://github.com/cfalta/adsec

  • Attacking Active Directory: a guide whose purpose is to view Active Directory from an attacker's perspective. - https://zer1t0.gitlab.io/posts/attacking_ad/

#Password Cracking

#Post-compromise intel gathering

  • SeeYouCM-Thief - https://github.com/trustedsec/SeeYouCM-Thief

    Simple tool to automatically download and parse configuration files from Cisco phone systems, searching for SSH credentials. Will also optionally enumerate Active Directory users from the UDS API.

  • MailSniper - https://github.com/dafthack/MailSniper

    MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.).

#Command and Control

#Exfiltration

#Resources Deployment
