This is your work, valued
AzRedTeamEnumScript. Azure AD RedTeam Full Enumeration Script used to query all aspects of your target Azure tenant.
★ 72ADRedTeamEnumScript. Traditional AD RedTeam Full Enumeration Script used to query all aspects of your target Forest.
★ 43WebAppSec.
★ 1kernel-exploits. Various kernel exploits
★ 1OSEPlayground. A collection of useful tools and scripts were developed and gathered throughout the Offensive Security's PEN-300 (OSEP) course.
★ 352RedTeam-Arsenal. Red Team Arsenal - a comprehensive collection of tools, scripts, and techniques for conducting red team operations and adversary simulations, including custom beacons, malleable C2 profiles, aggressor scripts, advanced payload generation methods, as well as other evasion tools, tailored for red team operations and security research.
★ 85CLR-Unhook. Modern security products (CrowdStrike, Bitdefender, SentinelOne, etc.) hook the nLoadImage function inside clr.dll to intercept and scan in-memory .NET assembly loads. This tool unhooks that function.
★ 214PentestGPT. Automated Penetration Testing Agentic Framework Powered by Large Language Models
★ 14kvuln-bank. A deliberately vulnerable banking application designed for practicing Security Testing of Web App, APIs, AI integrated App and secure code reviews. Features common vulnerabilities found in real-world applications, making it an ideal platform for security professionals, developers, and enthusiasts to learn pentesting and secure coding practices.
★ 780DirtyLittleDotNetHooker. Find .Net Functions to use with Frida and Fermion
★ 16koneko. Robust Cobalt Strike shellcode loader with multiple advanced evasion features
★ 204ad-lab-scripts. A modular Active Directory lab builder for hands-on penetration testing and security research in isolated environments.
★ 87Damn-Vulnerable-RESTaurant-API-Game. Damn Vulnerable Restaurant is an intentionally vulnerable Web API game for learning and training purposes dedicated to developers, ethical hackers and security engineers.
★ 921Clio. Logging tool intended for red team usage
★ 39DSViper. This is for Ethical Use only. The default automated binaries created are all burned. I have added the script to the repo to modify certain signatures and it will still work.
★ 450skidstorm. C
★ 26My-starred-Repositories. This is my starred repositories including the description for each tool. Makes search/filter over them easier.
★ 68CTF-toolBox. PowerShell & Python tools developed for CTFs and certification exams
★ 72Serenity. C# DInvoke Shellcode Runner
★ 31Stifle. .NET Post-Exploitation Utility for Abusing Strong Explicit Certificate Mappings in ADCS
★ 152OSCP-Resources. A comprehensive collection of resources, tools, tips, and guides for preparing and succeeding in the OSCP (Offensive Security Certified Professional) certification.
★ 482telco-f1nd3r. Python
★ 10all-the-things. Python
★ 14TermHound. Python
★ 26sitedorks. Search Google/Bing/Ecosia/DuckDuckGo/Yandex/Yahoo for a search term (dork) with a default set of websites, bug bounty programs or custom collection.
★ 1khm-surf. macOS CVE-2024-44133 evaluator of popular browsers
★ 10Active-Directory-Exploitation-Cheat-Sheet. A cheat sheet that contains common enumeration and attack methods for Windows Active Directory.
★ 219MicroBurst. A collection of scripts for assessing Microsoft Azure security
★ 2.4kPowerUpSQL. PowerUpSQL: A PowerShell Toolkit for Attacking SQL Server
★ 2.7kConferences. Conference presentation slides
★ 2.4kspoofdpi. Simple and fast anti-censorship tool written in Go
★ 4.9kC2_INFRA_WORKSHOP_DEFCON32_RED_TEAM_VILLAGE. C2 Infrastructure Automation
★ 120OST-C2-Spec. Open Source C&C Specification
★ 281bf-aws-permissions. Shell
★ 101BadLister. Deny list generator for password filters
★ 26Invoke-DumpMDEConfig. PowerShell script to dump Microsoft Defender Config, protection history and Exploit Guard Protection History (no admin privileges required )
★ 155UltraDolphin. An inaudible attack vector for voice operated LLMs, Siri, Alexa etc.
★ 14nmap-did-what. Nmap Dashboard Mini Project
★ 638Evilginx-Phishing-Infra-Setup. Evilginx Phishing Infrastructure Setup Guide - Securing Evilginx and Gophish Infrastructure, Removing IOCs, Phishing TTPs
★ 582tib3rius.github.io. HTML
★ 22UltimateWDACBypassList. A centralized resource for previously documented WDAC bypass techniques
★ 626shells. Script for generating revshells
★ 484SharpGraphView. Microsoft Graph API post-exploitation toolkit
★ 95NetWrapper. Simple netexec wraper with html repport
★ 19Sublime-Nmap-Syntax. A Sublime Text plugin that allows for Nmap syntax highlighting
★ 13D3MPSEC. "D3MPSEC" is a memory dumping tool designed to extract memory dump from Lsass process using various techniques, including direct system calls, randomized procedures, and prototype name obfuscation. Its primary purpose is to bypass both static and dynamic analysis techniques commonly employed by security measures.
★ 28LetMeowIn. A sophisticated, covert Windows-based credential dumper using C++ and MASM x64.
★ 441merlin. Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in golang.
★ 5.6kKnowledge-Management-for-Offensive-Security-Professionals. Knowledge Management for Offensive Security Professionals Official Repository
★ 154adPEAS. winPEAS, but for Active Directory
★ 178GPOddity. The GPOddity project, aiming at automating GPO attack vectors through NTLM relaying (and more).
★ 369regexp-security-cheatsheet. PHP
★ 737http-garden. Differential testing framework for HTTP implementations
★ 938RustRedOps. Repository for advanced Red Team techniques focused on Rust
★ 1.9kFullBypass. A tool which bypasses AMSI (AntiMalware Scan Interface) and PowerShell CLM (Constrained Language Mode) and gives you a FullLanguage PowerShell reverse shell.
★ 821pryingdeep. Prying Deep - An OSINT tool to collect intelligence on the dark web.
★ 596CyberPunkOS. CyberPunkOS is a virtual machine that incorporates several tools for Open Source Intelligence (OSINT) to dismantle Fake News
★ 196OSINTko. OSINTk.o is a customized Kali Linux-based ISO image with pre-installed packages and scripts
★ 302DInvoke. Dynamically invoke arbitrary unmanaged code from managed code without PInvoke.
★ 788aroadtools. fully async implementation of Dirkjan's ROADTools
★ 33WebclientServiceScanner. Python tool to Check running WebClient services on multiple targets based on @leechristensen
★ 293TeamsPhisher. Send phishing messages and attachments to Microsoft Teams users
★ 1.1kPrivFu. Kernel mode WinDbg extension and PoCs for token privilege investigation.
★ 920arttoolkit.github.io. A RedTeam Toolkit
★ 407SOAPHound. SOAPHound is a custom-developed .NET data collector tool which can be used to enumerate Active Directory environments via the Active Directory Web Services (ADWS) protocol.
★ 889llm-course. Course to get into Large Language Models (LLMs) with roadmaps and Colab notebooks.
★ 81kNimReflectiveLoader. NimReflectiveLoader is a Nim-based tool for in-memory DLL execution using Reflective DLL Loading.
★ 30AutomatedEmulation. An automated Adversary Emulation lab with terraform and MCP server. Build Caldera techniques and operations assisted with LLMs. Built for IaC stability, consistency, and speed.
★ 212pantagrule. large hashcat rulesets generated from real-world compromised passwords
★ 401Locksmith. A small tool built to find and fix common misconfigurations in Active Directory Certificate Services.
★ 1.6kchromepass. Fetching passwords from the chrome browser database
★ 90FBI-tools. 🕵️ OSINT Tools for gathering information and actions forensics 🕵️
★ 2.6kgithub_cves_search. Find CVEs associated to Linux and public exploits on github
★ 120webcopilot. An automation tool that enumerates subdomains then filters out xss, sqli, open redirect, lfi, ssrf and rce parameters and then scans for vulnerabilities.
★ 1.3kCloudIntel. This repo contains IOC, malware and malware analysis associated with Public cloud
★ 250ASM-Utils. ASM scripts useful for basic operations from the user side.
★ 5ThreadlessInject-C-Implementation. This repository implements Threadless Injection in C
★ 173Rubeus. Trying to tame the three-headed dog.
★ 5.1kAtlasLdr. Reflective x64 PE/DLL Loader implemented using Dynamic Indirect Syscalls
★ 391odin. odin c2
★ 8dnschef-ng. DNSChef (NG) - DNS proxy for Penetration Testers and Malware Analysts
★ 175pretender. Your MitM sidekick for relaying attacks featuring DHCPv6 DNS takeover as well as mDNS, LLMNR and NetBIOS-NS spoofing.
★ 1.3khackGPT. I leverage OpenAI and ChatGPT to do hackerish things
★ 1.2kHackGPT. A powerful and customizable ChatGPT-like interface, built for developers.
★ 134CloudRecon. Go
★ 526naabu. A fast port scanner written in go with a focus on reliability and simplicity. Designed to be used in combination with other tools for attack surface discovery in bug bounties and pentests
★ 6.1kSmap. a drop-in replacement for Nmap powered by shodan.io
★ 3.3kcheck_mdi. Python script to enumerate valid Microsoft 365 domains, retrieve tenant name, and check for an MDI instance.
★ 224teams_dump. PoC for dumping and decrypting cookies in the latest version of Microsoft Teams
★ 130PatchaPalooza. A comprehensive tool that provides an insightful analysis of Microsoft's monthly security updates.
★ 197GraphRunner. A Post-exploitation Toolset for Interacting with the Microsoft Graph API
★ 1.3kPsMapExec. Dominate Active Directory with PowerShell.
★ 1.2kDocPlz. Documents Exfiltration project for fun and educational purposes
★ 142pyLDAPWordlistHarvester. A tool to generate a wordlist from the information present in LDAP, in order to crack passwords of domain accounts.
★ 378bindiff. Quickly find differences and similarities in disassembled code
★ 3.1kcurlshell. reverse shell using curl
★ 476Supernova. Shellcode encryptor & obfuscator tool
★ 1kRandomTSScripts. Collection of random RedTeam scripts.
★ 213secretsdump.py. Enhanced version of secretsdump.py from Impacket. Adds multi-threading and accepts an input file with a list of target hosts for simultaneous secrets extraction.
★ 257dcomhijack. Lateral Movement Using DCOM and DLL Hijacking
★ 327Windows_x64_Tcp_Reverse_Shell_Shellcode. Null-free shellcode for TCP reverse shell on Windows x64
★ 61sccmhunter. SCCMHunter is a post-ex tool built to streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain.
★ 927Amsi_Bypass_In_2023. Amsi Bypass payload that works on Windwos 11
★ 380WinDefenderKiller. Windows Defender Killer | Registry-Based Disablement + BYOVD Process Termination (C++)
★ 547subcrawl. SubCrawl is a modular framework for discovering open directories, identifying unique content through signatures and organizing the data with optional output modules, such as Elastic.
★ 56BypassAV. This map lists the essential techniques to bypass anti-virus and EDR
★ 3.4kShellGhost. A memory-based evasion technique which makes shellcode invisible from process start to end.
★ 1.2kEICARsandboxCheck. This project contains all the EICAR files needed to test if a web application has a Virus sandboxing mechanism.
★ 3BOFMask.
★ 128RustHound. Active Directory data ingestor for BloodHound Legacy written in Rust. 🦀
★ 1.2kPayloadsAllThePDFs. PDF Files for Pentesting
★ 726Terminator. Reproducing Spyboy technique to terminate all EDR/XDR/AVs processes
★ 1.1kGetLAPSPassword. A LAPS dumper written using the impacket library.
★ 31Ruy-Lopez. C
★ 323ObfuscatedSharpCollection. Attempt at Obfuscated version of SharpCollection
★ 263Chimera. Automated DLL Sideloading Tool With EDR Evasion Capabilities
★ 506Custom-BloodHound-Queries.
★ 186Shell3er. PowerShell Reverse Shell
★ 80AzureAD-Attack-Defense. This publication is a collection of various common attack scenarios on Microsoft Entra ID (formerly known as Azure Active Directory) and how they can be mitigated or detected.
★ 2.5kLOOBins. Living Off the Orchard: macOS Binaries (LOOBins) is designed to provide detailed information on various built-in "living off the land" macOS binaries and how they can be used by threat actors for malicious purposes.
★ 539Direct-Syscalls-A-journey-from-high-to-low. Start with shellcode execution using Windows APIs (high level), move on to native APIs (medium level) and finally to direct syscalls (low level).
★ 147PowerShell-Obfuscation-Bible. A collection of techniques, examples and a little bit of theory for manually obfuscating PowerShell scripts to achieve AV evasion, compiled for educational purposes. The contents of this repository are the result of personal research, including reading materials online and conducting trial-and-error attempts in labs and pentests.
★ 1.2kAutoFunkt. Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles
★ 202SharpMapExec. C#
★ 670yetAnotherObfuscator. C# obfuscator that bypass windows defender
★ 825RunasCs. RunasCs - Csharp and open version of windows builtin runas.exe
★ 1.4kwmiexec-Pro. New generation of wmiexec.py
★ 1.3kPetitPotato. Local privilege escalation via PetitPotam (Abusing impersonate privileges).
★ 463Domain_checker. Domain_checker application is the trial/demo version for the new EASM (External Attack Surface Management) system called HydrAttack (hydrattack.com), the main idea of which is, based only on the domain name, find almost all of the subdomains and their top 100 open ports
★ 190BurpSuite-For-Pentester. This cheatsheet is built for the Bug Bounty Hunters and penetration testers in order to help them hunt the vulnerabilities from P4 to P1 solely and completely with "BurpSuite".
★ 2.6kWindows_LPE_AFD_CVE-2023-21768. LPE exploit for CVE-2023-21768
★ 417lolbin-poc. Small PoC of using a Microsoft signed executable as a lolbin.
★ 140Amsi-Killer. Lifetime AMSI bypass
★ 680pe-bear. Portable Executable reversing tool with a friendly GUI
★ 3.7kPentest-Cheat-Sheets. A collection of snippets of codes and commands to make your life easier!
★ 2.9kLAPSToolkit. Tool to audit and attack LAPS environments
★ 952BokuLoader. A proof-of-concept Cobalt Strike Reflective Loader which aims to recreate, integrate, and enhance Cobalt Strike's evasion features!
★ 335whids. Open Source EDR for Windows
★ 1.3kawesome-connected-things-sec. A Curated list of Security Resources for all connected things
★ 3.4ksecrets-patterns-db. Secrets Patterns DB: The largest open-source Database for detecting secrets, API keys, passwords, tokens, and more.
★ 1.6kOperatorsKit. Collection of Beacon Object Files (BOF) for Cobalt Strike
★ 703Invoke-Transfer. PowerShell Clipboard Data Transfer
★ 75ESXiArgs-Recover. A tool to recover from ESXiArgs ransomware
★ 299DLL-Exports-Extraction-BOF. DLL Exports Extraction BOF with optional NTFS transactions.
★ 93RedTeam-Tools. Tools and Techniques for Red Team / Penetration Testing
★ 9.4kexploits. A handy collection of my public exploits, all in one place.
★ 676dll-hijack-by-proxying. Exploiting DLL Hijacking by DLL Proxying Super Easily
★ 563certsync. Dump NTDS with golden certificates and UnPAC the hash
★ 651SharpStartWebclient. Programmatically start WebClient from an unprivileged session to enable that juicy privesc.
★ 79PyCript. Burp Suite extension to decrypt/encrypt any encrypted traffic (AES/RSA/Encodings and more) with custom code in any language
★ 220Inline-Execute-PE. Execute unmanaged Windows executables in CobaltStrike Beacons
★ 724NetLoader. Loads any C# binary in mem, patching AMSI + ETW.
★ 850Windows-Privilege-Escalation.
★ 373vbSparkle. VBScript & VBA source-to-source deobfuscator with partial-evaluation
★ 81pentest-scripts. Miscellaneous scripts for pentesting
★ 219Alcatraz. x64 binary obfuscator
★ 2kPowerSharpPack. PowerShell
★ 1.7kCloudmare. Cloudflare, Sucuri, Incapsula real IP tracker.
★ 1.8kRedditC2. Abusing Reddit API to host the C2 traffic, since most of the blue-team members use Reddit, it might be a great way to make the traffic look legit.
★ 274SQLRecon. A C# MS SQL toolkit designed for offensive reconnaissance and post-exploitation.
★ 398maldev-links. My collection of malware dev links
★ 318SharpC2. Command and Control Framework written in C#
★ 433awesome-appsec. A curated list of resources for learning about application security
★ 7kOffensiveVBA. This repo covers some code execution and AV Evasion methods for Macros in Office documents
★ 1.3kDVHMA. Damn Vulnerable Hybrid Mobile App (DVHMA) is an hybrid mobile app (for Android) that intentionally contains vulnerabilities.
★ 271dvws-node. Damn Vulnerable Web Services is a vulnerable application with a web service and an API that can be used to learn about webservices/API related vulnerabilities.
★ 512DVWA. Damn Vulnerable Web Application (DVWA)
★ 13kAzureGoat. AzureGoat : A Damn Vulnerable Azure Infrastructure
★ 948AWSGoat. AWSGoat : A Damn Vulnerable AWS Infrastructure
★ 2kosep-code-dump-2022. Code dump from PEN-300/OSEP updated 2022
★ 40oswe-prep-2022. Offensive Security OSWE Prep 2022
★ 76TeamFiltration. TeamFiltration is a cross-platform framework for enumerating, spraying, exfiltrating, and backdooring O365 AAD accounts
★ 1.4kChisel-Strike. A .NET XOR encrypted cobalt strike aggressor implementation for chisel to utilize faster proxy and advanced socks5 capabilities.
★ 460Awesome-RCE-techniques. Awesome list of step by step techniques to achieve Remote Code Execution on various apps!
★ 1.9khakrawler. Simple, fast web crawler designed for easy, quick discovery of endpoints and assets within a web application
★ 5.1kA-Red-Teamer-diaries. RedTeam/Pentest notes and experiments tested on several infrastructures related to professional engagements.
★ 1.9kScheduleRunner. A C# tool with more flexibility to customize scheduled task for both persistence and lateral movement in red team operation
★ 347InvisibilityCloak. Proof-of-concept obfuscation toolkit for C# post-exploitation tools
★ 428DetectionLab. Automate the creation of a lab environment complete with security tooling and logging best practices
★ 5kPowerShellArmoury. A PowerShell armoury for security guys and girls
★ 469AppLocker-Bypass. Bypassing AppLocker with C#
★ 143HTTP-Smuggling-Calculator. Perform TE.CL HTTP Request Smuggling attacks by crafting HTTP Request automatically.
★ 73AutoSmuggle. Utility to craft HTML or SVG smuggled files for Red Team engagements
★ 246Offensive_tools. Java
★ 412mortar. evasion technique to defeat and divert detection and prevention of security products (AV/EDR/XDR)
★ 1.5kSysWhispers3. SysWhispers on Steroids - AV/EDR evasion via direct system calls.
★ 1.6kPowerShdll. Run PowerShell with rundll32. Bypass software restrictions.
★ 1.8kTemplate-CherryTree-PenTest.
★ 68KrbRelay. Framework for Kerberos relaying
★ 952KillDefender. A small POC to make defender useless by removing its token privileges and lowering the token integrity
★ 691DefenderStop. Stop Defender Service using C# via Token Impersonation
★ 171eCXD-Preparation. eLearnSecurity Certified Exploit Development
★ 105Awesome-Red-Team-Operations.
★ 1.7kAzure-Red-Team. Azure Security Resources and Notes
★ 1.8kdystopia-c2. Windows Remote Administration Tool that uses Discord, Telegram and GitHub as C2s
★ 688aad-sso-enum-brute-spray. POC of SecureWorks' recent Azure Active Directory password brute-forcing vuln
★ 193UAC-bypass-using-dll-injection. A small project to bypass UAC in windows 10/8/7 using dll injection technique
★ 75OSEP-Code-Snippets. A repository with my notable code snippets for Offensive Security's PEN-300 (OSEP) course.
★ 1.5kwarberry. WarBerryPi - Tactical Exploitation
★ 2.2kOSCE3-Complete-Guide. OSWE, OSEP, OSED, OSEE
★ 3.9kttp0_community_templates.
★ 34ImproHound. Identify the attack paths in BloodHound breaking your AD tiering
★ 327OffensivePipeline. OfensivePipeline allows you to download and build C# tools, applying certain modifications in order to improve their evasion for Red Team exercises.
★ 819ThreatCheck. Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
★ 1.5k