Penetration testing commands for Red Teaming
Red teaming involves conducting realistic attacks to test and evaluate the effectiveness of an organisation’s security controls, procedures, and staff readiness.
| Name | Description | Price |
|---|---|---|
| 221b | Bake a windows payload from the C2 of your choice to bypass AV | Free |
| AntiScan.Me | Multi-AV checker that doesn't distribute the check results, based on Dyncheck.com | Paid |
| AVET | AntiVirus Evasion Tool; targeting windows machines with executable files | Free |
| BOF.NET | A .NET Runtime for Cobalt Strike's Beacon Object Files | Free |
| Brute Ratel | Command & Control server; DNS over HTTPS, external channels, indirect syscalls | Paid |
| CarbonCopy | Create a spoofed certificate of any online website and signs an executable for AV Evasion; works for Windows and Linux | Free |
| ConfuserEx | Protector for .NET applications | Free |
| Cortex XDR Config Extractor | Parse the Database Lock Files of the Cortex XDR Agent by Palo Alto Networks and extract Agent Settings, the Hash and Salt of the Uninstall Password, as well as possible Exclusions | Free |
| Covenant | Command & Control framework with multi-user collaboration | Free |
| CredMaster | Password spraying, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling | Free |
| CSSG | Cobalt Strike Shellcode Generator; script used to more easily generate and format beacon shellcode in Cobalt Strike | Free |
| dnscat2 | DNS tunnel meant for encrypted Command & Control channel, data exfiltration | Free |
| Donut | Generates x86_32, x86_64, or AMD64 position-independent shellcode that loads .NET Assemblies, PE files (EXE), VBScript, JScript, and DLL files from memory and runs them with parameters | Free |
| EDRSilencer | Uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server | Free |
| fireELF | Fileless linux malware framework | Free |
| Freeze | Payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner | Free |
| gmailc2 | Undetectable C2 server that communicates via Google SMTP to evade antivirus protections and network traffic restrictions | Free |
| Go365 | User enumeration and password guessing for Office 365 / Microsoft365 | Free |
| Gophish | Phishing toolkit providing the ability to setup and execute phishing engagements and security awareness training | Free |
| gscript | Genesis Scripting Engine; framework to rapidly implement custom droppers for all three major operating systems | Free |
| Hades | Shellcode loader that combines multiple evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs | Free |
| Hades C2 | Basic Command and Control server | Free |
| HardHat C2 | Cross-platform, collaborative, Command & Control framework | Free |
| Havoc | Malleable post-exploitation command and control framework | Free |
| JavaScript Obfuscator | JavaScript obfuscator; features: variables renaming, strings extraction and encryption, dead code injection, control flow flattening, various code transformations, etc. | Free |
| Kage | Graphical user interface for Metasploit Meterpreter and session handler | Free |
| King Phisher | A tool for testing and promoting user awareness by simulating real world phishing attacks | Free |
| Kubesploit | Post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments | Free |
| lateralus | Terminal based phishing campaign tool | Free |
| LightsOut | Generate an obfuscated DLL that will disable AMSI & ETW | Free |
| link | Command and control framework; HTTPS communication, process injection, in-memory .NET assembly execution, SharpCollection tools, sRDI implementation for shellcode generation, Windows link reloads DLLs from disk into current process | Free |
| LP-DB | Login Pages Database forms a knowledge base on login pages related to malicious activities (C2 panels, phishing kits...) | Free |
| macro_pack | Obfuscation and generation of retro formats such as MS Office documents or VBS like format | Free |
| Mangle | Manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs | Free |
| Merlin | Post-exploitation HTTP/2 Command & Control server and agent | Free |
| MFASweep | Check if MFA is enabled on multiple Microsoft services | Free |
| Mística | Allows to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications; supports encapsulation into HTTP, HTTPS, DNS and ICMP protocols | Free |
| Modlishka | HTTP reverse proxy designed for phishing | Free |
| monomorph | MD5-monomorphic shellcode packer, all payloads have the same MD5 hash | Free |
| Mythic | Collaborative red teaming framework | Free |
| Nighthawk | Command & Control framework; multi-operator, API driven, malleable native implant | Paid |
| Nimbo-C2 | Simple and lightweight Command & Control framework | Free |
| NimPlant | Light-weight first-stage Command & Control implant | Free |
| Octopus | Pre-operation C2 server | Free |
| Overlord | CLI used to build Red Teaming infrastructure in an automated way, supports AWS and Digital Ocean | Free |
| pe_to_shellcode | Converts PE into a shellcode | Free |
| PEzor | Shellcode & PE Packer | Free |
| phpsploit | Command & Controll framework which silently persists on webserver via polymorphic PHP oneliner | Free |
| PipeViewer | Shows detailed information about named pipes in Windows and searching for insecure permissions | Free |
| PoshC2 | Proxy aware Command & Control framework | Free |
| PowerShdll | Run PowerShell with dlls only to bypass software restrictions; it can be run with rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, regsvr32.exe or as a standalone executable | Free |
| ProtectMyTooling | Multi-Packer wrapper allowing daisy-chaining various packers and obfuscators; featured with artifacts watermarking, IOCs collection & PE backdooring | Free |
| Pupy | Cross-platform, multi function Command & Control and post-exploitation framework; fileless/all-in-memory execution, low footprint, multi-transport | Free |
| Quasar | Remote Administration Tool (RAT) for Windows | Free |
| Redcloud | Automated Red Team Infrastructure deployment using Docker | Free |
| RedELK | Red Team's SIEM; used by Red Teams for tracking and alarming about Blue Team activities as well as better usability in long term operations | Free |
| RedEye | Red team C2 log visualization | Free |
| ReelPhish | Real time phishing tool | Free |
| Ruler | Interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP to abuse the client-side Outlook features and gain a shell | Free |
| ScareCrow | Payload creation framework designed around EDR bypass | Free |
| SHAD0W | Modular C2 framework designed to successfully operate covertly on heavily monitored environments | Free |
| SharpC2 | Command & Control framework | Free |
| SharpEDRChecker | Detect and identify the presence of known defensive products such as AV's, EDR's and logging tools | Free |
| Shellcrypt | Obfuscate shellcode using encoding, encryption, compression | Free |
| Shelltropy | A technique to hide malicious shellcode based on low-entropy via Shannon encoding | Free |
| SILENTTRINITY | Asynchronous, multiplayer and multiserver Command & Control framework | Free |
| Sliver | Cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS; remote access tool (RAT) | Free |
| SocialFish | Phishing targeting social media logins; supports Ngrok tunneling and a mobile controller | Free |
| Starkiller | WebUI for Empire | Free |
| Synergy Httpx | HTTP(S) server designed to assist in red teaming activities such as receiving intercepted data via POST requests and serving content dynamically | Free |
| SysWhisper3 | SysWhispers on Steroid, AV/EDR evasion via direct system calls | Free |
| TeamsImplant | MS Teams implant persistent backdoor | Free |
| TrevorC2 | Command and control framework masking the activity by emulating legitimate website | Free |
| UBoat | HTTP botnet PoC | Free |
| Villain | Distributed command and control framework | Free |
| Warhorse | Ansible playbook to deploy infrastructure in the cloud for conducting Red Team assessments | Free |
| Zphisher | Automated phishing tool with multiple tunneling options; fork of Shellphish | Free |