Penetration testing commands for System Exploitation
System exploitation covers identifying and leveraging vulnerabilities in operating systems or applications to gain unauthorised access or control, typically as a chain of local enumeration, privilege escalation, credential extraction and lateral movement. The tools below cover those stages on Windows (including Active Directory, ADFS and ADCS), Linux and Android.
Name | Description | Price |
---|---|---|
abuseACL | Automatically lists abusable Windows ACEs/ACLs: queries the DC over LDAP for users, groups, computers, OUs and certificate templates together with their nTSecurityDescriptor and checks them for vulnerable rights | Free |
aclpwn | Interacts with BloodHound to identify and exploit ACL based privilege escalation paths | Free |
ADFSDump | Reads information from Active Directory and the ADFS configuration database; its output is fed into ADFSpoof to forge security tokens | Free |
ADFSpoof | Using ADFSDump output, produces a usable key/certificate pair for token signing and a signed security token that can be used to access a federated application | Free |
Android_Emuroot | Grants root privileges on the fly to shells running on Android virtual machines that use the Google-provided emulator images called Google API Playstore | Free |
bkhive | Dumps the syskey bootkey from a Windows NT/2K/XP SYSTEM hive; often used with samdump2, part of the ophcrack project | Free |
BloodHound | Tool to reveal the hidden and unintended relationships within an Active Directory environment | Free |
cookie_crimes | Reads local Chrome cookies without root or decryption (via the browser's remote debugging port) and displays them as JSON | Free |
CookieCrimesJS | Reads local Chrome cookies without root or decryption and displays them as JSON; JavaScript implementation of cookie_crimes | Free |
creddump | Dump windows credentials | Free |
DCOMrade | Script that enumerates potentially vulnerable DCOM applications that might allow lateral movement, code execution, data exfiltration, etc. | Free |
DLLInjector | DLL injection tool | Free |
DLLPasswordFilterImplant | Password filter DLL, triggered on password change to exfiltrate credentials | Free |
DonPAPI | Dumping DPAPI credentials remotely; dumps relevant information on compromised targets without AV detection | Free |
Empire | PowerShell and Python post-exploitation agent | Free |
Empire GUI | GUI for Empire framework | Free |
enum4linux | Enumeration tool for Windows and Samba hosts (shares, users, groups, password policy via SMB/RPC) | Free |
enum4linux-ng | Enumeration tool for Windows and Samba hosts; next-generation rewrite of enum4linux | Free |
FFM | Freedom Fighting Mode (FFM), hacking harness, post-exploitation tool | Free |
GH DLL Injector | DLL injection library supporting x86, WOW64 and x64 injections; 5 injection methods, 4 shellcode execution methods and various additional options; session separation can be bypassed with all methods | Free |
goddi | Active Directory domain information dumper | Free |
GoodHound | Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation | Free |
JAWS | Just Another Windows (Enum) Script; quickly identify potential privilege escalation vectors on Windows systems | Free |
LaZagne | Password retriever | Free |
LinEnum | Linux enumeration and privilege escalation script | Free |
Linux Exploit Suggester 2 | Linux kernel exploit suggester | Free |
linux-exploit-suggester.sh | Linux kernel exploit suggester | Free |
linuxprivchecker.py | Linux privilege escalation check script | Free |
Masky | Library and CLI for remotely dumping domain user credentials via ADCS without dumping LSASS process memory | Free |
mimikatz | Extracts plaintext passwords, hashes, PIN codes and Kerberos tickets from memory; performs pass-the-hash and pass-the-ticket, and builds Golden Tickets | Free |
minidump | Library and CLI to parse and read Microsoft minidump file format | Free |
NanoDump | Minimal LSASS dumper | Free |
Nishang | Framework, collection of scripts and payloads in PowerShell for offensive security, penetration testing and red teaming | Free |
p0wnedShell | PowerShell runspace post exploitation toolkit | Free |
PEASS | Privilege Escalation Awesome Scripts SUITE; winPEAS and linPEAS are local privilege escalation scripts for Windows and Linux | Free |
PlumHound | Creates reports for blue and purple teams by extracting data from BloodHound | Free |
Powerless | Windows privilege escalation enumeration BAT script designed for legacy Windows machines without PowerShell | Free |
PowerSploit | PowerShell exploitation framework | Free |
pspy | CLI tool that snoops on processes without root permissions; shows commands run by other users, cron jobs, etc. as they execute (by polling procfs) | Free |
pypykatz | Platform-independent Mimikatz implementation in Python | Free |
RedSnarf | Retrieves hashes and credentials from Windows workstations, servers and domain controllers using OpSec-safe techniques | Free |
samdump2 | Retrieves the syskey and extracts hashes from a Windows 2k/NT/XP/Vista SAM hive; often used with bkhive, part of the ophcrack project | Free |
scavenger | Multi-threaded post-exploitation scanning tool for scavenging systems: finds the most frequently used files and folders as well as interesting files containing sensitive information | Free |
SCShell | Fileless lateral movement that relies on ChangeServiceConfigA to run commands | Free |
SharpShooter | Payload Generation Framework for C# source code | Free |
ShellPop | Tool to craft bind and reverse shells in several languages | Free |
TPMEE | Helps exploit weak implementations of libraries or programs that use a TPM | Free |
unicorn | Tool that uses a PowerShell downgrade attack to inject shellcode into memory | Free |
WES-NG | Windows Exploit Suggester - Next Generation; analyses a Windows target's patch level (from systeminfo output) to find exploits and Metasploit modules; works well with newer systems (e.g. Windows 10) thanks to MSRC support | Free |
Windows-Exploit-Suggester | Analyses a Windows target's patch level to find exploits and Metasploit modules; works only for older systems (e.g. Windows XP, Vista) because it relies on the discontinued MS Security Bulletin data | Free |
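The Linux enumeration scripts listed above (LinEnum, linuxprivchecker.py, linPEAS) all start from the same handful of filesystem checks. The script below is an added example, not code from any of those projects: a small bash enumeration that implements three of those checks as reusable functions (SUID/SGID binaries, world-writable files, writable directories on `$PATH`) plus two optional ones that depend on external tools (`sudo -l`, file capabilities via `getcap`). The function names, the `privesc_enum.sh` file name and the "only scan when a root directory is passed" convention are this example's own.

```bash
#!/usr/bin/env bash
# Added example: minimal Linux privilege-escalation enumeration in the spirit of
# LinEnum/linPEAS. Not taken from any listed project; names are this example's own.
# Run as the unprivileged user whose escalation paths you are assessing.

# SUID/SGID regular files under $1 (stay on one filesystem, ignore unreadable
# dirs). Any binary here that is not part of the base install is a candidate
# for GTFOBins-style abuse.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
    return 0
}

# World-writable regular files under $1. A writable file in /etc, a cron
# directory or a service definition lets a low-privileged user change what
# root executes.
find_world_writable() {
    find "$1" -xdev -type f -perm -0002 2>/dev/null | sort
    return 0
}

# Directories on $PATH that the current user can write to. If root (or a cron
# job) resolves a command through such a directory, PATH hijacking is possible.
writable_path_dirs() {
    local IFS=':' dir
    for dir in $PATH; do
        [ -n "$dir" ] && [ -d "$dir" ] && [ -w "$dir" ] && printf '%s\n' "$dir"
    done
    return 0
}

# Checks that need external tools; each is skipped when the tool is absent.
extra_checks() {
    printf '== sudo -l (non-interactive) ==\n'
    sudo -n -l 2>/dev/null || printf '(no passwordless sudo, or sudo absent)\n'
    if command -v getcap >/dev/null 2>&1; then
        printf '== file capabilities (cap_setuid, cap_dac_read_search, ...) ==\n'
        getcap -r / 2>/dev/null
    fi
    return 0
}

main() {
    root=${1:-/}
    printf '== SUID/SGID files under %s ==\n' "$root"
    find_suid "$root"
    printf '== world-writable files under %s ==\n' "$root"
    find_world_writable "$root"
    printf '== writable PATH directories ==\n'
    writable_path_dirs
    extra_checks
}

# The full scan runs only when a root directory is given on the command line,
# e.g.  bash privesc_enum.sh /   Sourcing the file just defines the functions.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

Each function prints one path per line so its output can be diffed against a known-good baseline of the same distribution; the interesting findings are the entries that are not in that baseline, not the full list.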