Penetration testing commands for System Exploitation

System exploitation covers identifying and leveraging vulnerabilities in operating systems or applications to gain unauthorised access or control. The tools listed below span local and domain enumeration, privilege escalation, credential dumping, payload generation and lateral movement.

| Name | Description | Price |
|---|---|---|
| abuseACL | Automatically lists vulnerable Windows ACEs/ACLs: queries the DC's LDAP for users, groups, computers, OUs and certificate templates and inspects each object's nTSecurityDescriptor for exploitable rights | Free |
| aclpwn | Interacts with BloodHound to identify and exploit ACL-based privilege escalation paths | Free |
| ADFSDump | Reads information from Active Directory and the ADFS configuration database; its output is fed into ADFSpoof to generate security tokens | Free |
| ADFSpoof | Using ADFSDump output, produces a usable token-signing key/certificate pair and a signed security token that can be used to access a federated application | Free |
| Android_Emuroot | Grants root privileges on the fly to shells running on Android virtual machines that use Google-provided emulator images with Google APIs and the Play Store | Free |
| bkhive | Dumps the syskey bootkey from a Windows NT/2K/XP SYSTEM hive; often used with samdump2; part of the ophcrack project | Free |
| BloodHound | Reveals the hidden and unintended relationships within an Active Directory environment | Free |
| cookie_crimes | Reads local Chrome cookies without root or decryption and displays them as JSON | Free |
| CookieCrimesJS | JavaScript implementation of cookie_crimes: reads local Chrome cookies without root or decryption and displays them as JSON | Free |
| creddump | Dumps Windows credentials | Free |
| DCOMrade | Script that enumerates DCOM applications that might allow lateral movement, code execution, data exfiltration, etc. | Free |
| DLLInjector | DLL injection tool | Free |
| DLLPasswordFilterImplant | Password filter DLL, triggered on password change, that exfiltrates the new credentials | Free |
| DonPAPI | Dumps DPAPI credentials remotely; collects relevant information from compromised targets while avoiding AV detection | Free |
| Empire | PowerShell and Python post-exploitation agent | Free |
| Empire GUI | GUI for the Empire framework | Free |
| enum4linux | Windows/Samba enumeration tool | Free |
| enum4linux-ng | Windows/Samba enumeration tool; next-generation rewrite of enum4linux | Free |
| FFM | Freedom Fighting Mode (FFM), a hacking harness and post-exploitation tool | Free |
| GH DLL Injector | DLL injection library supporting x86, WOW64 and x64 injection; 5 injection methods, 4 shellcode execution methods and various additional options; session separation can be bypassed with all methods | Free |
| goddi | Active Directory domain information dumper | Free |
| GoodHound | Uses SharpHound, BloodHound and Neo4j to produce an actionable list of attack paths for targeted remediation | Free |
| JAWS | Just Another Windows (Enum) Script; quickly identifies potential privilege escalation vectors on Windows systems | Free |
| LaZagne | Password retriever | Free |
| LinEnum | Linux enumeration and privilege escalation script | Free |
| Linux Exploit Suggester 2 | Linux kernel exploit suggester | Free |
| linux-exploit-suggester.sh | Linux kernel exploit suggester | Free |
| linuxprivchecker.py | Linux privilege escalation check script | Free |
| Masky | Library and CLI to remotely dump domain user credentials via AD CS without dumping LSASS process memory | Free |
| mimikatz | Extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory; performs pass-the-hash and pass-the-ticket and builds Golden Tickets | Free |
| minidump | Library and CLI to parse and read the Microsoft minidump file format | Free |
| NanoDump | Minimal LSASS dumper | Free |
| Nishang | Framework and collection of PowerShell scripts and payloads for offensive security, penetration testing and red teaming | Free |
| p0wnedShell | PowerShell runspace post-exploitation toolkit | Free |
| PEASS | Privilege Escalation Awesome Scripts SUITE; winPEAS and linPEAS are local privilege escalation scripts for Windows and Linux | Free |
| PlumHound | Creates reports for blue and purple teams by extracting data from BloodHound | Free |
| Powerless | Windows privilege escalation enumeration BAT script designed for legacy Windows machines without PowerShell | Free |
| PowerSploit | PowerShell exploitation framework | Free |
| pspy | CLI tool that snoops on processes without root permissions; shows commands run by other users, cron jobs, etc. as they execute | Free |
| pypykatz | Platform-independent Mimikatz implementation | Free |
| RedSnarf | Retrieves hashes and credentials from Windows workstations, servers and domain controllers using OpSec-safe techniques | Free |
| samdump2 | Retrieves the syskey and extracts hashes from Windows 2k/NT/XP/Vista SAM hives; often used with bkhive; part of the ophcrack project | Free |
| scavenger | Multi-threaded post-exploitation scanning tool for scavenging systems: finds the most frequently used files and folders as well as interesting files containing sensitive information | Free |
| SCShell | Fileless lateral movement that relies on ChangeServiceConfigA to run commands | Free |
| SharpShooter | Payload generation framework for C# source code | Free |
| ShellPop | Tool to craft bind and reverse shells in several languages | Free |
| TPMEE | Helps exploit weak implementations in libraries or programs that use a TPM | Free |
| unicorn | Tool for performing a PowerShell downgrade attack and injecting shellcode into memory | Free |
| WES-NG | Windows Exploit Suggester - Next Generation; analyses a Windows target's patch level to find exploits and Metasploit modules; works well on newer systems (e.g. Windows 10) thanks to MSRC data | Free |
| Windows-Exploit-Suggester | Analyses a Windows target's patch level to find exploits and Metasploit modules; works only for older systems (e.g. Windows XP, Vista, etc.) because it relies on the Microsoft Security Bulletin database, which is no longer maintained | Free |
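The two Windows exploit suggesters at the end of the table (and the Linux kernel exploit suggesters above them) all work the same way: parse the target's installed patch list, compare it against a database of vulnerability-to-fix mappings, and report fixes that are absent. The detail that separates a usable suggester from a noisy one is supersedence: a later cumulative update replaces earlier KBs, so a host that installed only the newest rollup is still patched against everything the older KBs fixed. The following is an added example of that logic, written for this page rather than taken from WES-NG or Windows-Exploit-Suggester. The `systeminfo` excerpt, the vulnerability database, the KB numbers and the VULN-* identifiers are all constructed placeholders, not real advisories.

```python
"""Patch-level exploit suggestion with KB supersedence (added example).

Not code from WES-NG or Windows-Exploit-Suggester. All KB numbers and
VULN-* identifiers below are constructed placeholders, not real advisories.
"""
import re

# Constructed sample of `systeminfo` output; only the OS name and the
# Hotfix(s) entries are parsed.
SYSTEMINFO_SAMPLE = """\
Host Name:                 WORKSTATION01
OS Name:                   Microsoft Windows 10 Pro
OS Version:                10.0.19044 N/A Build 19044
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB0000101
                           [02]: KB0000103
                           [03]: KB0000110
"""

# Constructed database: placeholder vulnerability -> affected product and
# the KB(s) that fix it. Real tools ship this data from MSRC / the old
# Security Bulletin spreadsheet.
VULN_DB = [
    {"id": "VULN-0001", "product": "Windows 10", "fixed_by": ["KB0000101"]},
    {"id": "VULN-0002", "product": "Windows 10", "fixed_by": ["KB0000102"]},
    {"id": "VULN-0003", "product": "Windows 10", "fixed_by": ["KB0000105"]},
    {"id": "VULN-0004", "product": "Windows Server 2019", "fixed_by": ["KB0000107"]},
    {"id": "VULN-0005", "product": "Windows 10", "fixed_by": ["KB0000112"]},
]

# Constructed supersedence chain: installing the key covers every KB it
# lists, transitively (KB0000110 covers KB0000103, which covers KB0000102).
SUPERSEDES = {
    "KB0000103": ["KB0000102"],
    "KB0000110": ["KB0000105", "KB0000103"],
}


def parse_systeminfo(text):
    """Return (os_name, set of installed KB ids) from systeminfo output."""
    os_match = re.search(r"^OS Name:\s+(.+)$", text, re.M)
    os_name = os_match.group(1).strip() if os_match else ""
    installed = set(re.findall(r"\bKB\d+\b", text))
    return os_name, installed


def expand_supersedence(installed, supersedes):
    """Add every KB that an installed KB transitively supersedes."""
    covered = set(installed)
    stack = list(installed)
    while stack:
        kb = stack.pop()
        for older in supersedes.get(kb, []):
            if older not in covered:
                covered.add(older)
                stack.append(older)
    return covered


def suggest(text, vuln_db=VULN_DB, supersedes=SUPERSEDES, honour_supersedence=True):
    """Return the IDs of applicable vulnerabilities whose fix is not present.

    With honour_supersedence=False the function behaves like a naive
    suggester and flags every KB not literally listed by systeminfo.
    """
    os_name, installed = parse_systeminfo(text)
    covered = expand_supersedence(installed, supersedes) if honour_supersedence else set(installed)
    missing = []
    for vuln in vuln_db:
        if vuln["product"].lower() not in os_name.lower():
            continue  # entry is for a different product
        if not any(kb in covered for kb in vuln["fixed_by"]):
            missing.append(vuln["id"])
    return missing


if __name__ == "__main__":
    print("with supersedence:", suggest(SYSTEMINFO_SAMPLE))
    print("naive comparison: ", suggest(SYSTEMINFO_SAMPLE, honour_supersedence=False))
```

On the constructed input the naive comparison flags VULN-0002 and VULN-0003 as unpatched even though the installed rollup KB0000110 already covers their fixes; only VULN-0005 is genuinely missing. That false-positive pattern is why Windows-Exploit-Suggester output on a modern, rollup-patched host needs manual triage, and why WES-NG consumes MSRC supersedence data before reporting.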