Penetration testing commands for System Exploitation
System exploitation includes identifying and leveraging vulnerabilities in operating systems or applications to achieve unauthorised access or control.
| Name | Description | Price |
|---|---|---|
| abuseACL | Automatically list vulnerable Windows ACEs/ACLs using DC's LDAP to list users/groups/computers/OU/certificate templates and their nTSecurityDescriptor to check for vulnerable rights | Free |
| aclpwn | Interacts with BloodHound to identify and exploit ACL based privilege escalation paths | Free |
| ADFSDump | Read information from Active Directory and ADFS Configuration Database; fed information into ADFSpoof to generate security tokens | Free |
| ADFSpoof | Using ADFSDump information, produce a usable key/cert pair for token signing, produce a signed security token that can be used to access a federated application | Free |
| Android_Emuroot | Grants root privileges on the fly to shells running on Android virtual machines that use google-provided emulator images called Google API Playstore | Free |
| bkhive | Dump the syskey bootkey from a Windows NT/2K/XP system hive, often used with samdump2, part of the ophcrack project | Free |
| BloodHound | Tool to reveal the hidden and unintended relationships within an Active Directory environment | Free |
| cookie_crimes | Read local Chrome cookies without root or decrypting and display then in JSON | Free |
| CookieCrimesJS | Read local Chrome cookies without root or decrypting and display then in JSON; Javascript implementation of cookie_crimes | Free |
| creddump | Dump windows credentials | Free |
| DCOMrade | Script that is able to enumerate the possible vulnerable DCOM applications that might allow for lateral movement, code execution, data exfiltration, etc. | Free |
| DLLInjector | Dll injection tool | Free |
| DLLPasswordFilterImplant | Password filter DLL, triggered on password change to exfiltrate credentials | Free |
| DonPAPI | Dumping DPAPI credentials remotely; dumps relevant information on compromised targets without AV detection | Free |
| Empire | PowerShell and Python post-exploitation agent | Free |
| Empire GUI | GUI for Empire framework | Free |
| enum4linux | Windows Samba enumeration tool | Free |
| enum4linux-ng | Windows Samba enumeration tool, next generation version of enum4linux | Free |
| FFM | Freedom Fighting Mode (FFM), hacking harness, post-exploitation tool | Free |
| GH DLL Injector | DLL injection library supporting x86, WOW64 and x64 injections; 5 injection methods, 4 shellcode execution methods and various additional options; session separation can be bypassed with all methods | Free |
| goddi | Active Directory domain information dumper | Free |
| GoodHound | Uses Sharphound, Bloodhound and Neo4j to produce an actionable list of attack paths for targeted remediation | Free |
| JAWS | Just Another Windows (Enum) Script; quickly identify potential privilege escalation vectors on Windows systems | Free |
| LaZagne | Password retriever | Free |
| LinEnum | Linux enumeration and privilege escalation script | Free |
| Linux Exploit Suggester 2 | Linux kernel exploit suggester | Free |
| linux-exploit-suggester.sh | Linux kernel exploit suggester | Free |
| linuxprivchecker.py | Linux privilege escalation check script | Free |
| Masky | Library and CLI allowing to remotely dump domain user credentials via an ADCS without dumping the LSASS process memory | Free |
| mimikatz | Extract plaintext passwords, hash, PIN code and kerberos tickets from memory; perform pass-the-hash, pass-the-ticket or build Golden tickets | Free |
| minidump | Library and CLI to parse and read Microsoft minidump file format | Free |
| NanoDump | Minimal LSASS dumper | Free |
| Nishang | Framework, collection of scripts and payloads in PowerShell for offensive security, penetration testing and red teaming | Free |
| p0wnedShell | PowerShell runspace post exploitation toolkit | Free |
| PEASS | Privilege Escalation Awesome Scripts SUITE; winPEAS and linPEAS are local privilege escalation scripts for Windows and Linux | Free |
| PlumHound | Creates reports for blue and purple teams by extracting data from BloodHound | Free |
| Powerless | A Windows privilege escalation enumeration BAT script designed for legacy Windows machines without Powershell | Free |
| PowerSploit | Powershell exploitation framework | Free |
| pspy | CLI tool designed to snoop on processes without need for root permissions; it allows to see commands run by other users, cron jobs, etc. as they execute | Free |
| pypykatz | Platform idependent Mimikatz implementation | Free |
| RedSnarf | Retrieves hashes and credentials from Windows workstations, servers and domain controllers using OpSec Safe Techniques | Free |
| samdump2 | Retrieves syskey and extract hashes from Windows 2k/NT/XP/Vista SAM, often used with bkhive, part of the ophcrack project | Free |
| scavenger | multi-threaded post-exploitation scanning tool for scavenging systems, finding most frequently used files and folders as well as interesting files containing sensitive information | Free |
| SCShell | Fileless lateral movement that relies on ChangeServiceConfigA to run commands | Free |
| SharpShooter | Payload Generation Framework for C# source code | Free |
| ShellPop | Tool to craft bind and reverse shells in several languages | Free |
| TPMEE | Help to exploit weak implementation of library or program that used TPM | Free |
| unicorn | Tool for using a PowerShell downgrade attack and inject shellcode into memory | Free |
| WES-NG | Windows Exploit Suggester - Next Generation; analyses Windows targets patch levels to find exploits and Metasploit modules; works well with newer system (eg Windows 10) thanks to MSRC support | Free |
| Windows-Exploit-Suggester | Analyses Windows targets patch levels to find exploits and Metasploit modules, works only for older systems (eg Windows XP, Vista, etc.) because it relies on MS Security KBs | Free |