Windows

Microsoft Windows

ZMap

Overview:
ZMap is a fast network scanner designed for Internet-wide network surveys. On a typical desktop computer with a gigabit Ethernet connection, ZMap is capable of scanning the entire public IPv4 address space in under 45 minutes. With a 10 GigE connection and PF_RING, ZMap can scan the IPv4 address space in under 5 minutes.

While previous network tools have been designed to scan small network segments, ZMap is specifically architected to scan the entire address space. It is built in a modular manner in order to allow incorporation with other network survey tools. ZMap operates on GNU/Linux and supports TCP SYN and ICMP echo request scanning out of the box.

Masscan

Overview:
Masscan is the fastest Internet port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it's faster than these other scanners. In addition, it's more flexible, allowing arbitrary address ranges and port ranges.

SprayWMI

Overview:
SprayWMI is a tool for mass-spraying Unicorn PowerShell injection across CIDR ranges over WMI.

More Information:
"We wanted mass exploitation so we decided to write a tool to help automate mass exploitation. Introducing SprayWMI, which leverages wmis and Magic Unicorn to automatically sweep subnet ranges for 135 and automatically attempts to login with either a password or hashes and automatically generate PowerShell injection to give you access to your payloads instantly and without touching disk. This is a full replacement for traditional PsExec and recommended."

NTDSXtract

Overview:
NTDSXtract is, strictly speaking, a forensics framework for analyzing NTDS.dit files (the Active Directory database). In practice it is also used offensively: given a copy of NTDS.dit and the SYSTEM hive (which holds the boot key needed to decrypt the stored secrets), it extracts domain password hashes that can then be used for pass-the-hash or offline cracking.

Tutorials:
Dumping a volume shadow copy and extracting - https://www.trustwave.com/Resources/SpiderLabs-Blog/Tutorial-for-NTDS-goodness-(VSSADMIN,-WMIS,-NTDS-dit,-SYSTEM)/

Mana Toolkit

Overview:
A toolkit for rogue access point (evil AP) attacks, first presented at DEF CON 22.

More specifically, it contains the improvements to KARMA attacks we implemented into hostapd, as well as some useful configs for conducting MitM once you've managed to get a victim to connect.

Cortana Scripts by Mudge

Overview:
Cortana is a scripting language for Armitage and Cobalt Strike. This is a collection of Cortana scripts that can be used with Cobalt Strike and Armitage.

PowerCat

Overview:
Netcat: the PowerShell version. (PowerShell version 2 and later supported.)

More Information:

Functions & Parameters:

Start-PowerCat # Starts a listener/server.

-Mode # Defaults to Tcp, can also specify Udp or Smb.
-Port # The port to listen on.
-PipeName # Name of pipe to listen on.

-SslCn # Common name for Ssl encrypting Tcp.
-Relay # Format: "<Mode>:<Port>"
-Execute # Execute a console process or powershell.
-SendFile # Filepath of file to send.
-ReceiveFile # Filepath of file to be written.
-Disconnect # Disconnect after connecting.
-KeepAlive # Restart after disconnecting.
-Timeout # Timeout option. Default: 60 seconds

Connect-PowerCat # Connects a client to a listener/server.

-Mode # Defaults to Tcp, can also specify Udp or Smb
-RemoteIp # IPv4 address of host to connect to.
-Port # The port to connect to.
-PipeName # Name of pipe to connect to.

-SslCn # Common name for Ssl encrypting Tcp.
-Relay # Format: "<Mode>:<RemoteIp>:<Port>"
-Execute # Execute a console process or powershell.
-SendFile # Filepath of file to send.
-ReceiveFile # Filepath of file to be written.
-Disconnect # Disconnect after connecting.
-Timeout # Timeout option. Default: 60 seconds

Basic Connections

By default, PowerCat uses TCP and reads from / writes to the console.

# Basic Listener:
Start-PowerCat -Port 443

# Basic Client:
Connect-PowerCat -RemoteIp 10.1.1.1 -Port 443

File Transfer

PowerCat can be used to transfer files using the -SendFile and -ReceiveFile parameters.

# Send File:
Connect-PowerCat -RemoteIp 10.1.1.1 -Port 443 -SendFile C:\pathto\inputfile

# Receive File (the listener writes whatever the client sends to the given path):
Start-PowerCat -Port 443 -ReceiveFile C:\pathto\outputfile

Veil Framework

Overview:
The Veil-Framework is a red team toolkit focused on evading detection. It currently contains Veil-Evasion for generating AV-evading payloads, Veil-Catapult for delivering them to targets, and Veil-PowerView for gaining situational awareness on Windows domains.

PowerUp

Overview:
PowerUp is a PowerShell tool to assist with local privilege escalation on Windows systems. It contains several methods to identify and abuse vulnerable services, as well as DLL hijacking opportunities, vulnerable registry settings, vulnerable scheduled tasks, and more.

Note:
This tool is now part of the Veil-Framework's PowerTools suite.
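To make concrete what "identify vulnerable services" means, here is an added example (not PowerUp's own code) that writes out two of the service checks PowerUp automates: a service binary the current user can overwrite, and an unquoted service path containing spaces whose parent directory is writable. It is read-only and reports candidates without changing anything. The function names are hypothetical; the ACL test deliberately ignores Deny ACEs, so treat hits as candidates to verify rather than confirmed findings.

```powershell
# Added example, not PowerUp's own code. Function names are hypothetical.
# Run as the low-privileged user whose escalation options you are assessing.

# $true if any Allow ACE on $Path grants the current user (or one of its groups) write rights.
# Deny ACEs are ignored, so this over-approximates: verify hits by hand.
function Test-Writable {
    param([string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return $false }
    $id     = [Security.Principal.WindowsIdentity]::GetCurrent()
    $mySids = @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
    $write  = [int][Security.AccessControl.FileSystemRights]::Write
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try { $sid = $ace.IdentityReference.Translate([Security.Principal.SecurityIdentifier]).Value }
        catch { continue }
        if (($mySids -contains $sid) -and ((([int]$ace.FileSystemRights) -band $write) -ne 0)) {
            return $true
        }
    }
    return $false
}

function Get-ServiceAbuseCandidate {
    $results = @()
    foreach ($svc in Get-CimInstance -ClassName Win32_Service) {
        $path = $svc.PathName
        if (-not $path) { continue }

        # Binary path: the quoted string if quoted, otherwise everything up to the first ".exe".
        if     ($path -match '^"([^"]+)"')  { $exe = $Matches[1]; $quoted = $true }
        elseif ($path -match '^(.+?\.exe)') { $exe = $Matches[1]; $quoted = $false }
        else   { continue }

        # Check 1: the service binary itself can be replaced by the current user.
        if (Test-Writable -Path $exe) {
            $results += [pscustomobject]@{
                Service = $svc.Name; Check = 'WritableBinary'; Path = $exe; RunsAs = $svc.StartName
            }
        }

        # Check 2: unquoted path with spaces. The service control manager tries each
        # space-delimited prefix in turn (C:\Program.exe, C:\Program Files\Some.exe, ...),
        # so a writable parent directory lets an attacker plant the binary that runs first.
        if (-not $quoted -and $exe -match ' ' -and $exe -notlike "$env:SystemRoot\*") {
            $parts = $exe -split ' '
            for ($i = 1; $i -lt $parts.Count; $i++) {
                $prefix = $parts[0..($i - 1)] -join ' '
                $dir    = Split-Path -Parent $prefix
                if ($dir -and (Test-Writable -Path $dir)) {
                    $results += [pscustomobject]@{
                        Service = $svc.Name; Check = 'UnquotedPath'; Path = "$prefix.exe"; RunsAs = $svc.StartName
                    }
                }
            }
        }
    }
    $results
}

Get-ServiceAbuseCandidate | Format-Table -AutoSize
```

The RunsAs column is what makes a hit interesting: a writable binary for a service running as LocalSystem is a full escalation, while one running as a restricted virtual account may not be worth the noise. PowerUp adds the abuse side (restarting the service, writing a service binary that adds a local administrator) on top of checks like these.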

Responder

Overview:
This tool is first an LLMNR and NBT-NS responder: it answers *specific* NBT-NS (NetBIOS Name Service) queries based on their name suffix (see: http://support.microsoft.com/kb/163409). By default, the tool only answers File Server Service requests, which are for SMB. The idea is to target the answers and be stealthier on the network; it also helps ensure that legitimate NBT-NS behavior is not broken. Set the -r option to 1 on the command line if you want the tool to also answer the Workstation Service request name suffix.

Tutorials:
https://www.trustwave.com/Resources/SpiderLabs-Blog/Owning-Windows-Netwo...
https://www.trustedsec.com/july-2013/wpad-man-in-the-middle-clear-text-p...
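Responder works because LLMNR and NBT-NS trust whoever answers first. The same property lets a defender find a running Responder instance: multicast an LLMNR query for a name that does not exist on the network, and note that legitimately nobody should reply. This added example (not Responder's own code) builds the LLMNR query by hand, sends it to the LLMNR multicast group 224.0.0.252 on UDP 5355, and reports the source address of any response. It assumes IPv4 only, a single probe name made up for the example, and a hypothetical function name.

```powershell
# Added example, not Responder's own code. Detects an LLMNR poisoner on the local
# segment by querying a name that should get no reply. IPv4 only; function name hypothetical.
function Find-LlmnrPoisoner {
    param(
        [string]$Name      = 'nonexistent-host-' + (Get-Random -Maximum 99999),  # made-up probe name
        [int]   $TimeoutMs = 3000
    )
    # LLMNR (RFC 4795) reuses the DNS message format on UDP 5355, multicast 224.0.0.252.
    $id = Get-Random -Maximum 0xFFFF
    $header = [byte[]]@(
        ($id -shr 8), ($id -band 0xFF),      # transaction ID
        0x00, 0x00,                          # flags: standard query, no response bit
        0x00, 0x01,                          # QDCOUNT = 1
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00   # ANCOUNT, NSCOUNT, ARCOUNT = 0
    )
    # Question name as length-prefixed labels, terminated by the root label (0x00).
    $labels = foreach ($label in $Name.Split('.')) {
        $bytes = [Text.Encoding]::ASCII.GetBytes($label)
        [byte]$bytes.Length
        $bytes
    }
    $question = [byte[]]($labels + @(0x00, 0x00, 0x01, 0x00, 0x01))  # root, QTYPE A, QCLASS IN
    $packet   = [byte[]]($header + $question)

    $udp = New-Object System.Net.Sockets.UdpClient -ArgumentList 0   # ephemeral local port
    $udp.Client.ReceiveTimeout = $TimeoutMs
    $group  = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Parse('224.0.0.252')), 5355
    $remote = New-Object System.Net.IPEndPoint -ArgumentList ([System.Net.IPAddress]::Any), 0
    $null = $udp.Send($packet, $packet.Length, $group)

    $hits = @()
    try {
        while ($true) {
            $reply = $udp.Receive([ref]$remote)
            # A reply carrying our transaction ID with the QR bit set is an answer for a name
            # that does not exist: whoever sent it is spoofing responses.
            if ($reply.Length -ge 12 -and
                $reply[0] -eq ($id -shr 8) -and $reply[1] -eq ($id -band 0xFF) -and
                (($reply[2] -band 0x80) -ne 0)) {
                $hits += [pscustomobject]@{ Poisoner = $remote.Address.ToString(); QueriedName = $Name }
            }
        }
    }
    catch [System.Net.Sockets.SocketException] { }   # receive timeout: no further replies
    finally { $udp.Close() }
    $hits
}

Find-LlmnrPoisoner
```

An empty result only means nothing answered on the interface Windows chose for the multicast during that window; repeat from each VLAN you care about. The durable fix is to remove the behaviour rather than detect its abuse: disable LLMNR (the "Turn off multicast name resolution" policy, EnableMulticast = 0 under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient) and NetBIOS over TCP/IP on every adapter, and configure WPAD explicitly or disable proxy auto-detection so clients never ask the network who wpad is.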
