by S3cur3Th1sSh1t

S3cur3Th1sSh1t / Pentest-Tools


And many more. I created this repo to have an overview of my starred repos, since I was not able to filter them into categories before. Feel free to use it for yourself. I do not list Kali default tools, nor several state-of-the-art testing tools. Ctrl+F (STRG+F) searches are helpful here.

Windows Active Directory Pentest

General useful Powershell Scripts - :sunglasses: - same but kerberos auth for more stealth and lockout-sleep - domainpasswordspray executable with lockout-sleep - Various Powersploit Tasks in C# - Adidns Attacks

AMSI Bypass restriction Bypass C# Powershell - Salsa Tools - ShellReverse TCP/UDP/ICMP/DNS/SSL/BINDTCP and AV bypass, AMSI patched - Constrained language mode bypass - Applocker Bypass - This tool enables the compilation of a C# program that will execute arbitrary PowerShell code, without launching PowerShell processes through the use of runspace. - The Hunt for Malicious Strings - Bypass AMSI and Defender using Ordinal Values in VBS - OpSec-safe Powershell runspace from within C# (aka SharpPick) with AMSI, CLM and Script Block Logging disabled at startup - Using DInvoke to patch AMSI.dll in order to bypass AMSI detections triggered when loading .NET tradecraft via Assembly.Load().

Payload Hosting - Self-deployable file hosting service for red teamers, allowing to easily upload and share payloads over HTTP and WebDAV. - Updog is a replacement for Python's SimpleHTTPServer. It allows uploading and downloading via HTTP/S, can set ad hoc SSL certificates and use http basic auth.

Network Share Scanner

Find Juicy Stuff - a tool for pentesters to help find delicious candy, by @l0ss and @Sh3r4 - Enumerate all network shares in the current domain. Also, can resolve names to IP addresses. - Search tool to find specific files containing specific words, i.e. files containing passwords. - .NET 4.0 Console App to browse VMDK / VHD images and extract files

Reverse Shellz - A small reverse shell for Linux & Windows - netcat on steroids with Firewall, IDS/IPS evasion, bind and reverse shell, self-injecting shell and port forwarding magic - and it's fully scriptable with Python (PSE) - C# reverse shell using Background Intelligent Transfer Service (BITS) as communication protocol and direct syscalls for EDR user-mode hooking evasion.

Backdoor finder

Lateral Movement - WMI,SMB,RDP,SCM,DCOM Lateral Movement techniques - WMI, SCM, DCOM, Task Scheduler and more - C# Port of Invoke-DCOM - An implementation of PSExec in C# - CsExec, CsPosh (Remote Powershell Runspace), CsWMI,CsDCOM - Automate Getting Dom-Adm - automated lateral movement - backdoor / rootkit - automation for various mitm attacks + vulns - automated penetration toolkit - Netbios Network interface Enumeration (discovery of dual homed hosts) - Find dual homed hosts over DCOM - A collection of proof-of-concept source code and scripts for executing remote commands over WinRM using the WSMan.Automation COM object - unconstrained delegation, printer bug (MS-RPRN) exploitation, Remote ADIDNS attacks - Fileless lateral movement tool that relies on ChangeServiceConfigA to run command - AD Bloodhound 3.0 Path - A Bypass Anti-virus Software Lateral Movement Command Execution Tool

POST Exploitation - Automatically scan any windows or tabs for login forms and then record what gets posted. A notification will appear when some have arrived. - McAfee Epo or Solarwinds post exploitation - A POC Remote Desktop (RDP) session hijack utility for disconnected sessions - RunasCs - Csharp and open version of windows builtin runas.exe - Powershell VNC injector - Chrome-extension implant that turns victim Chrome browsers into fully-functional HTTP proxies, allowing you to browse sites as your victims. - .NET 4.0 Project to interact with video, audio and keyboard hardware. - Lockless allows for the copying of locked files. - C# Clipboard Monitor - Windows active user credential phishing tool - SharpDoor is alternative RDPWrap written in C# to allowed multiple RDP (Remote Desktop) sessions by patching termsrv.dll file.

Wrapper for various tools - Various .NET Tools wrapped in Powershell - GhostBuild is a collection of simple MSBuild launchers for various GhostPack/.NET projects - rundll32 Wrapper for Rubeus

Pivot - Webshell tunnel over socks proxy - pentesters dream TCP tunneling over HTTP/HTTPS for web application servers like reGeorg - check for internet access over open ports / egress filtering - C# Wrapper around Chisel from - A fast TCP tunnel over HTTP - ping tunnel is a tool that advertises tcp/udp/socks5 traffic as icmp traffic for forwarding. - Reverse Tunneling made easy for pentesters, by pentesters - Socks5/4/4a Proxy support for Remote Desktop Protocol / Terminal Services / Citrix / XenApp / XenDesktop - mssqlproxy is a toolkit aimed to perform lateral movement in restricted environments through a compromised Microsoft SQL Server via socket reuse

Active Directory Audit and exploit tools - C# Data Collector for the BloodHound Project, Version 3 - same as invoke-aclpwn but in python - Active Directory information dumper via LDAP - Kerberos Resource-Based Constrained Delegation Attack from Outside using Impacket - SpoolSample -> Responder w/NetNTLM Downgrade -> NetNTLMv1 -> NTLM -> Kerberos Silver Ticket - Tool to discover Resource-Based Constrained Delegation attack paths in Active Directory environments

Persistence on windows

Web Application Pentest

Framework Discovery - Wordpress, Joomla, Drupal Scanner

Framework Scanner / Exploitation - wordpress - lotus domino - Drupal - Typo3 - Joomla

Web Vulnerability Scanner / Burp Plugins - all in one scanner - XSS discovery - Probe endpoints consuming Java serialized objects to identify classes, libraries, and library versions on remote Java classpaths.

Network- / Service-level Vulnerability Scanner

File / Directory / Parameter discovery - Mining parameters from dark corners of Web Archives - :heartpulse: - Directory lookup from Javascript files - Admin Panel Finder

Crawler - :heartpulse: - Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.

Web Exploitation Tools - lfi - xxe - shellz - ssti - xpath injection - File Uploads - deserialization - IIS Short Filename Vuln. exploitation - Deserialize Java Exploitation - Deserialize .NET Exploitation - Exploit .git Folder Existence - SSRF Tutorials - PHP Unserialize Payload generator - Malicious Office XXE payload generator - Angularjs Csti Scanner - Deserialize .NET Viewstates - Deserialize .NET Viewstates


Swagger File API Attack

Windows Privilege Escalation / Audit - Privilege Escalation Enumeration Script for Windows - powerful Privilege Escalation Check Script with nice output - UAC - UAC - find vulnerable dlls for preloading attack - dll hijack scanner - admin to system

Windows Privilege Abuse (Privilege Escalation) - Abuse Windows Privileges - load malicious dlls from system32 - Exploit potatoes with automation - from Service Account to System - Another Windows Local Privilege Escalation from Service Account to System - Abusing Impersonation Privileges on Windows 10 and Server 2019 - itm4n's PrintSpoofer in C# - Recover the default privilege set of a LOCAL/NETWORK SERVICE account

T3 Enumeration

Linux Privilege Escalation / Audit - powerful Privilege Escalation Check Script with nice output - lookup vulnerable installed software - find SUID bins and look them up on GTFOBins / exploitable or not - Offline GTFOBins - sudo misconfiguration exploitation - easily manipulate the tty and create fake binaries - not really privesc but helpful


Credential harvesting Windows Specific - Fork of SafetyKatz that dynamically fetches the latest pre-compiled release of Mimikatz directly from gentilkiwi GitHub repo, runtime patches signatures and uses SharpSploit DInvoke to PE-Load into memory. - remote lazagne - Browser Creds gathering - hack-browser-data is an open-source tool that could help you decrypt data[passwords|bookmarks|cookies|history] from the browser. - ClipHistory feature get the last 25 copy paste actions - dump lsass using direct system calls and API unhooking - Create a minidump of the LSASS process from memory - using Dumpert - Evade WinDefender ATP credential-theft - remote procdump.exe, copy dump file to local system and pypykatz for analysis/extraction - extract live rdp logins - Simple C# for checking for the existence of credential files related to AWS, Microsoft Azure, and Google Compute. - .NET 4.0 CLR Project to retrieve Chromium data, such as cookies, history and saved logins.

LSASS Dump Without Mimikatz

Credential harvesting Linux Specific - SSH Credential loot - SSH / Sudo / SU Credential loot

Data Exfiltration - DNS/ICMP/Wifi Exfiltration - Wifi Exfiltration - Tunna is a set of tools which will wrap and tunnel any TCP communication over HTTP - Easy files and payloads delivery over DNS

Git Specific

Windows / Linux

Reverse Engineering / decompiler - .NET Disassembler


Network Attacks - :heartpulse: - more up to date - Deprecated but still good - mitm6 in C# + Inveigh default features

Specific MITM service Exploitation - SSH - WSUS - RDP - RDP man-in-the-middle (mitm) and library for Python with the ability to watch connections live or after the fact - Fake Updates for various Software - web application live recording, keystroke logger - User Enumeration with SMB Relay Attacks

Sniffing / Evaluation / Filtering

Red-Team SIEM - Red Team's SIEM - tool for Red Teams used for tracking and alarming about Blue Team activities as well as better usability in long term operations.

Scanner / Exploitation-Frameworks / Automation - automate nmap with scripting capabilities

Default Credential Scanner - Login hunter of default credentials for administrative web interfaces leveraging NNdefaccts dataset. - screenshot for webservers

Default Credential Lookup

Payload Generation / AV-Evasion / Malware Creation - Office RCE POC - reverse shell generator - Sign an executable for AV-Evasion - Sandbox Evasion techniques - Encrypted HTA Generation - Optimized GadgetToJScript version - Shikata ga nai (仕方がない) encoder ported into Go with several improvements - Spotter is a tool to wrap payloads in environmentally-keyed, AES256-encrypted launchers. - Malleable payload generation framework. - Build Powershell Script from .NET Executable - Excel 4.0 (XLM) Macro Generator for injecting DLLs and EXEs into memory. - A tool for generating multiple types of NTLMv2 hash theft files by Jacob Wilkin (Greenwolf) - AES Encrypt payloads - Embed and hide any file in an HTML file - AES Encrypt C/C++ Compiled binaries and decrypt at runtime - PoC of a VBA macro spawning a process with a spoofed parent and command line. - Generates Malicious Macro and Execute Powershell or Shellcode via MSBuild Application Whitelisting Bypass. - A cross-platform assistant for creating malicious MS Office documents. Can hide VBA macros, stomp VBA code (via P-Code) and confuse macro analysis tools. Runs on Linux, OSX and Windows.

Shellcode Injection - Generates x86, x64, or AMD64+x86 position-independent shellcode that loads .NET Assemblies, PE files, and other Windows payloads from memory and runs them with parameters - D/Invoke port of UrbanBishop - Donut for Shellcode Injection - Mapping injection is a process injection technique that avoids the usage of common monitored syscall VirtualAllocEx, WriteProcessMemory and CreateRemoteThread. - Shellcode injection POC using syscalls. - Shellcode wrapper with encryption for multiple target languages - A repository of Windows Shellcode runners and supporting utilities. The applications load and execute Shellcode using various API calls or techniques. - C# Shellcode Runner to execute shellcode via CreateRemoteThread and SetThreadContext to evade Get-InjectedThread - A set of scripts that demonstrate how to perform memory injection in C#

EDR Evasion - Logging Evasion - A method of bypassing EDRs' active protection DLLs by preventing entry point execution - Evade sysmon and windows event logging - C# Implementation of the Hell's Gate VX Technique - Original C Implementation of the Hell's Gate VX Technique - C++ Version of Invoke-Phantom - .Net Assembly to block ETW telemetry in current process - A Bind Shell Using the Fax Service and a DLL Hijack - Protected Process (Light) Dump: Uses Zemana AntiMalware Engine To Open a Privileged Handle to a PP/PPL Process And Inject MiniDumpWriteDump() Shellcode

Useful Binary Modification tools


External Penetration Testing

Domain Finding / Subdomain Enumeration + Scanner - more like an audit - :heartpulse:

File Search / Metadata extraction


Email Gathering - Find Emails of Github Users

Domain Auth + Exploitation - Enumerate valid usernames from Office 365 using ActiveSync, Autodiscover v1, or login page. - A password spraying tool for Microsoft Online accounts (Azure/O365). The script logs if a user cred is valid, if MFA is enabled on the account, if a tenant doesn't exist, if a user doesn't exist, if the account is locked, or if the account is disabled. - Tool to enumerate information from NTLM authentication enabled web endpoints - rotate IP addresses over AWS - Combine with MSOLSpray - office 365 recon - lockout Time integrated - Lync Credential Finder - Scripts to make password spraying attacks against Lync/S4B & OWA a lot quicker, less painful and more efficient - Lync Credential Finder - OWA Deserialisation RCE - Use to browse the share file by EAS (Exchange Server ActiveSync) - A C# tool to send emails through Outlook from the command line or in memory

Specific Service Scanning / Exploitation

Login Brute Force + Wordlist attacks - Brute force non-Hydra-compliant services - RDP, VNC, OpenVPN - Brute Force various services - :sunglasses: - Crack any Microsoft Windows user's password without any privilege (Guest account included) - RDP Password Spray - No Event Logs - Python3 tool to perform password spraying using RDP


Open X11

Printers - Automation for PRET




SMB Null Session Exploitation

iLO Exploitation

VMware vCenter Exploits - Exploit for CVE-2020-3952 in vCenter 6.7

Intel AMT Exploitation

SAP Exploitation

WebLogic Exploitation - WebLogic Server Tests - CVE-2019-2725

Sharepoint exploitation - Sharepoint Fingerprint + Exploitation

Telerik UI for ASP.NET AJAX Exploit

General Recon

Command & Control Frameworks - Empire with embedded AMSI-Bypass - Implant framework - A post exploitation framework designed to operate covertly on heavily monitored environments - Custom Command and Control (C3). A framework for rapid prototyping of custom C2 channels, while still providing integration with existing offensive toolkits.

Cobalt Strike Stuff


Linux MacOSX Specific

Wifi Tools

Android / Nethunter

Raspberry Pi Exploitation

Physical Security / HID/ETH Emulator - PCI-based DMA - PCI based DMA - Teensy Payloads

Social Engineering - lookup valid phishing-Domains - lookup valid phishing-Domains - Change SMB Files on the fly - Comprehensive Web Based Phishing Suite of Tools for Rapid Deployment and Real-Time Alerting!

Defender Guides / Tools - powershell obfuscation detection - python exe decompile - .NET Revoke-Obfuscation - IDS - Investigate malicious Windows logon by visualizing and analyzing Windows event log - AD Password Blacklisting - Powershell DE-Obfuscation - Tool written in python3 to determine where the AV signature is located in a binary/payload - An Active Defense and EDR software to empower Blue Teams - Scans all running processes. Recognizes and dumps a variety of potentially malicious implants (replaced/implanted PEs, shellcodes, hooks, in-memory patches). - Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches). - AD Security Intrusion Detection System - Small and highly portable detection tests based on MITRE's ATT&CK.

Wordlists / Wordlist generators - A collection of all the data I could extract from 1 billion leaked credentials from the internet.

AD Lab Environment

Obfuscation - GO Obfuscator - Javascript Obfuscator - Powershell Obfuscator - .NET IL Obfuscator - C/C++ source obfuscator for antivirus bypass - GIMPLE obfuscator for C, C++, Go, ... all supported GCC targets and front-ends that use GIMPLE. - VBS Obfuscator

Hash Crack / Decryption - Ciphey is an automated decryption tool. Input encrypted text, get the decrypted text back.

Source Code / Binary Analysis

Binary Analysis

Source Code Analysis - Javascript - Javascript - PHP

MISC - Drupal Exploit - SAMBA Exploit - Reverse Shell Oneliner / Payload Generation - Reverse/Bind Shell Generator - check if a user is valid in a domain - Living off the Land Binaries - Windows Denial of Service Exploit - Windows Denial of Service Exploit - PDF Steal NTLMv2 Hash Exploit - CVE-2018-4993 - :boom: :fire: :boom: - LibSSH Authentication Bypass vuln. - Windows Privesc Exploit - OSINT - Deserialisation Exploits - S3 bucket tester - Zone transfer like for internal assessment - Get-ShellContent.ps1 get the typed content for all open shells - Windows CTF Exploitation - Apache Privilege Escalation - Execute python from powershell

Big-IP Exploitation

Azure Cloud Tools - The Azure AD exploration framework.

Anonymous / Tor Projects

Exploit Search

Industrial Control Systems

Network access control bypass

JMX Exploitation

Citrix Netscaler Pwn

Red Team infrastructure setup - terraform cloud c2 redirector setup - Red Teaming Infrastructure Automation based on Red-Baron - This application assists in managing attack infrastructure for penetration testers by providing an interface to rapidly deploy, manage, and take down various cloud services. These include VMs, domain fronting, Cobalt Strike servers, API gateways, and firewalls.


Redis Exploitation

Apache Tomcat Exploitation - Apache Tomcat auto WAR deployment & pwning penetration testing tool. - AJP Exploit CVE-2020-1938

SSRF Exploitation

LFI exploitation

MongoDB Redis Couchdb Exploitation

Elasticsearch / Kibana Exploitation

RMI attacks - RMIScout uses wordlist and bruteforce strategies to enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities

JSON Web Token Analysis / Exploitation

Docker Exploitation - automation of Docker TCP socket abuse - Docker API exposed RCE

PHP exploits - nginx + php misconfiguration

Cloud attack tools

Bluetooth / low energy

Wireless / Radio Exploitation

APT / Malware Emulation / Defense Check

Hash Crack / Lookup

OSCP Lists / tools / help

ASPX Webshells

PHP Webshells - Full-featured C2 framework which silently persists on webserver via evil PHP oneliner

JSP WebShells

Other Tool-Lists / Cheat Sheets
