Penetration testing commands for Red Teaming
Red teaming involves conducting realistic attacks to test and evaluate the effectiveness of an organisation’s security controls, procedures, and staff readiness.
| Name | Description | Price |
|---|---|---|
| 221b | Bake a windows payload from the C2 of your choice to bypass AV | Free |
| BOF.NET | A .NET Runtime for Cobalt Strike's Beacon Object Files | Free |
| Brute Ratel | Command & Control server; DNS over HTTPS, external channels, indirect syscalls | Paid |
| CredMaster | Password spraying, uses FireProx APIs to rotate IP addresses, stay anonymous, and beat throttling | Free |
| CSSG | Cobalt Strike Shellcode Generator; script used to more easily generate and format beacon shellcode in Cobalt Strike | Free |
| Donut | Generates x86_32, x86_64, or AMD64 position-independent shellcode that loads .NET Assemblies, PE files (EXE), VBScript, JScript, and DLL files from memory and runs them with parameters | Free |
| gscript | Genesis Scripting Engine; framework to rapidly implement custom droppers for all three major operating systems | Free |
| HardHat C2 | Cross-platform, collaborative, Command & Control framework | Free |
| link | Command and control framework; HTTPS communication, process injection, in-memory .NET assembly execution, SharpCollection tools, sRDI implementation for shellcode generation, Windows link reloads DLLs from disk into current process | Free |
| Mangle | Manipulates aspects of compiled executables (.exe or DLL) to avoid detection from EDRs | Free |
| Mística | Allows to embed data into application layer protocol fields, with the goal of establishing a bi-directional channel for arbitrary communications; supports encapsulation into HTTP, HTTPS, DNS and ICMP protocols | Free |
| Mythic | Collaborative red teaming framework | Free |
| NimPlant | Light-weight first-stage Command & Control implant | Free |
| PEzor | Shellcode & PE Packer | Free |
| PowerShdll | Run PowerShell with dlls only to bypass software restrictions; it can be run with rundll32.exe, installutil.exe, regsvcs.exe, regasm.exe, regsvr32.exe or as a standalone executable | Free |
| CarbonCopy | Create a spoofed certificate of any online website and signs an executable for AV Evasion; works for Windows and Linux | Free |
| dnscat2 | DNS tunnel meant for encrypted Command & Control channel, data exfiltration | Free |
| Kubesploit | Post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments | Free |
| lateralus | Terminal based phishing campaign tool | Free |
| macro_pack | Obfuscation and generation of retro formats such as MS Office documents or VBS like format | Free |
| Merlin | Post-exploitation HTTP/2 Command & Control server and agent | Free |
| Modlishka | HTTP reverse proxy designed for phishing | Free |
| Nighthawk | Command & Control framework; multi-operator, API driven, malleable native implant | Paid |
| Octopus | Pre-operation C2 server | Free |
| Overlord | CLI used to build Red Teaming infrastructure in an automated way, supports AWS and Digital Ocean | Free |
| phpsploit | Command & Controll framework which silently persists on webserver via polymorphic PHP oneliner | Free |
| Quasar | Remote Administration Tool (RAT) for Windows | Free |
| ConfuserEx | Protector for .NET applications | Free |
| Cortex XDR Config Extractor | Parse the Database Lock Files of the Cortex XDR Agent by Palo Alto Networks and extract Agent Settings, the Hash and Salt of the Uninstall Password, as well as possible Exclusions | Free |
| Covenant | Command & Control framework with multi-user collaboration | Free |
| EDRSilencer | Uses Windows Filtering Platform (WFP) to block Endpoint Detection and Response (EDR) agents from reporting security events to the server | Free |
| fireELF | Fileless linux malware framework | Free |
| Freeze | Payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner | Free |
| gmailc2 | Undetectable C2 server that communicates via Google SMTP to evade antivirus protections and network traffic restrictions | Free |
| Hades | Shellcode loader that combines multiple evasion techniques with the aim of bypassing the defensive mechanisms commonly used by modern AV/EDRs | Free |
| King Phisher | A tool for testing and promoting user awareness by simulating real world phishing attacks | Free |
| MFASweep | Check if MFA is enabled on multiple Microsoft services | Free |
| monomorph | MD5-monomorphic shellcode packer, all payloads have the same MD5 hash | Free |
| Nimbo-C2 | Simple and lightweight Command & Control framework | Free |
| PoshC2 | Proxy aware Command & Control framework | Free |
| ProtectMyTooling | Multi-Packer wrapper allowing daisy-chaining various packers and obfuscators; featured with artifacts watermarking, IOCs collection & PE backdooring | Free |
| Redcloud | Automated Red Team Infrastructure deployment using Docker | Free |
| AntiScan.Me | Multi-AV checker that doesn't distribute the check results, based on Dyncheck.com | Paid |
| AVET | AntiVirus Evasion Tool; targeting windows machines with executable files | Free |
| Gophish | Phishing toolkit providing the ability to setup and execute phishing engagements and security awareness training | Free |
| Go365 | User enumeration and password guessing for Office 365 / Microsoft365 | Free |
| Hades C2 | Basic Command and Control server | Free |
| Havoc | Malleable post-exploitation command and control framework | Free |
| JavaScript Obfuscator | JavaScript obfuscator; features: variables renaming, strings extraction and encryption, dead code injection, control flow flattening, various code transformations, etc. | Free |
| Kage | Graphical user interface for Metasploit Meterpreter and session handler | Free |
| LightsOut | Generate an obfuscated DLL that will disable AMSI & ETW | Free |
| LP-DB | Login Pages Database forms a knowledge base on login pages related to malicious activities (C2 panels, phishing kits...) | Free |
| pe_to_shellcode | Converts PE into a shellcode | Free |
| PipeViewer | Shows detailed information about named pipes in Windows and searching for insecure permissions | Free |
| Pupy | Cross-platform, multi function Command & Control and post-exploitation framework; fileless/all-in-memory execution, low footprint, multi-transport | Free |
| Sliver | Cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS; remote access tool (RAT) | Free |
| SocialFish | Phishing targeting social media logins; supports Ngrok tunneling and a mobile controller | Free |
| UBoat | HTTP botnet PoC | Free |
| RedELK | Red Team's SIEM; used by Red Teams for tracking and alarming about Blue Team activities as well as better usability in long term operations | Free |
| SharpC2 | Command & Control framework | Free |
| SysWhisper3 | SysWhispers on Steroid, AV/EDR evasion via direct system calls | Free |
| Villain | Distributed command and control framework | Free |
| Warhorse | Ansible playbook to deploy infrastructure in the cloud for conducting Red Team assessments | Free |
| Zphisher | Automated phishing tool with multiple tunneling options; fork of Shellphish | Free |
| RedEye | Red team C2 log visualization | Free |
| Ruler | Interact with Exchange servers remotely, through either the MAPI/HTTP or RPC/HTTP to abuse the client-side Outlook features and gain a shell | Free |
| SharpEDRChecker | Detect and identify the presence of known defensive products such as AV's, EDR's and logging tools | Free |
| Shellcrypt | Obfuscate shellcode using encoding, encryption, compression | Free |
| SILENTTRINITY | Asynchronous, multiplayer and multiserver Command & Control framework | Free |
| Starkiller | WebUI for Empire | Free |
| Synergy Httpx | HTTP(S) server designed to assist in red teaming activities such as receiving intercepted data via POST requests and serving content dynamically | Free |
| ReelPhish | Real time phishing tool | Free |
| ScareCrow | Payload creation framework designed around EDR bypass | Free |
| SHAD0W | Modular C2 framework designed to successfully operate covertly on heavily monitored environments | Free |
| Shelltropy | A technique to hide malicious shellcode based on low-entropy via Shannon encoding | Free |
| TeamsImplant | MS Teams implant persistent backdoor | Free |
| TrevorC2 | Command and control framework masking the activity by emulating legitimate website | Free |