Post Exploitation

44 tools

Adaptix is an extensible post-exploitation and adversarial emulation framework made for authorized penetration testing. The Adaptix server is written in Golang to allow operator flexibility.

b374k is a PHP-based remote management tool that provides comprehensive system administration capabilities through a web browser without needing cpanel, SSH, or FTP. It includes features like file management, command execution, shell access, and database connectivity all in a single file.

Prebuilt binaries package for Chisel, a fast TCP/UDP tunnel over HTTP secured via SSH. Provides a single executable for client and server modes to bypass firewalls and create secure network endpoints.

.NET command and control framework that highlights the attack surface of .NET and facilitates offensive .NET tradecraft. Provides a web-based interface for multi-user collaboration in red team operations.

dnscat2 creates an encrypted command-and-control channel over the DNS protocol to tunnel out of restricted networks. It consists of a server for authoritative DNS and a client for compromised machines.

dploot is a Python rewrite of SharpDPAPI that implements DPAPI logic for looting credentials, masterkeys, and other sensitive data from local or remote Windows targets. It supports various actions like decrypting blobs, dumping browser credentials, and triaging machine vaults.

Ultimate WinRM shell for hacking and pentesting. Provides interactive shell access to Windows systems via WinRM with features tailored for post-exploitation.

Python-based tool for executing commands on remote Windows machines using the WinRM protocol. Provides an interactive shell with file upload/download, command history, and colorized output.

godoh is a proof-of-concept Command and Control framework that uses DNS-over-HTTPS as a transport medium. It supports providers like Google and Cloudflare, with fallback to traditional DNS.

gsocket enables communication between programs on machines behind firewalls or NAT using a shared secret instead of IP addresses and ports. It connects through the Global Socket Relay Network (GSRN) with end-to-end TLS encryption.

Havoc is a modern, malleable post-exploitation command and control (C2) framework designed for penetration testers, red teams, and blue teams.

Hekatomb connects to an LDAP directory to retrieve all computers and users' information, downloads DPAPI blobs from all users on all computers, and decrypts them using Domain backup keys. It automates extraction of domain controller private keys through RPC to collect and decrypt users' DPAPI secrets from Windows credential manager.

ibombshell is a dynamic remote shell tool written in PowerShell that provides post-exploitation functionalities loaded directly into memory. It offers two execution modes: Everywhere for direct shell access and Silently for C2-controlled warriors.

Impacket is a Python3 module for crafting and decoding network packets. It supports low-level protocols like IP, UDP, TCP and higher-level ones like NMB and SMB.

Collection of Python scripts from the Impacket library providing Windows protocol client implementations for SMB, MSRPC, Kerberos, and Active Directory operations.

Koadic is a Windows post-exploitation rootkit that uses Windows Script Host (JScript/VBScript) for operations. It provides COM Command & Control similar to Meterpreter and Powershell Empire, supporting Windows from NT4 to Windows 10.

Tool that dumps LAPS passwords. Dumps every LAPS password in a domain that the supplied account has permission to read.

Ligolo-MP is an advanced multiplayer pivoting solution based on Ligolo-ng, featuring a client-server architecture for collaborative use with multiple concurrent tunnels. It automatically manages TUN interfaces and provides a clean GUI for tracking.

Advanced tunneling and pivoting tool that uses a TUN interface. Establishes tunnels from a reverse TCP/TLS connection without needing SOCKS.

Prebuilt binaries for Advanced ligolo-ng, a simple, lightweight and fast tool that allows pentesters to establish tunnels from a reverse TCP/TLS connection using a tun interface without the need for SOCKS.

Merlin is a cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang. It provides control server, agent, and identification capabilities for managing compromised systems.

Cross-platform post-exploitation HTTP/2 Command & Control agent. This package contains the Agent code for the Merlin post-exploitation command and control framework.

Nishang is a framework and collection of PowerShell scripts and payloads for offensive security and post-exploitation during penetration tests. The scripts were developed based on real-world penetration testing requirements.

Patched tools to use password hashes as authentication input instead of plaintext passwords. Contains modified versions of Curl, Iceweasel, FreeTDS, Samba 4, WinEXE and WMI prefixed with 'pth-'.

Privilege Escalation Awesome Scripts SUITE (peass-ng) provides tools for Windows, Linux/Unix, and MacOS to identify local privilege escalation paths. These scripts search for misconfigurations and display them with color coding for easy recognition.

Stealth post-exploitation framework providing an interactive shell-like connection over HTTP between client and web server. It maintains access to compromised web servers for privilege escalation.

Proxy-aware C2 framework used to aid penetration testers with red teaming, post-exploitation and lateral movement. Provides PowerShell/C# and Python3 implants and supports multiple platforms including Windows, *nix and OSX.

PowerShell Empire is a post-exploitation framework featuring a pure-PowerShell Windows agent and a pure Python agent for Linux/OS X. It provides cryptologically-secure communications, flexible architecture, and modules for keyloggers to Mimikatz.

PowerSploit is a PowerShell post-exploitation framework consisting of scripts for authorized penetration tests. It provides modules for various post-exploitation tasks across multiple categories.

pspy is a command line tool that monitors Linux processes without requiring root permissions. It reveals commands run by other users, cron jobs, and process activities in real-time.

Raven is a Python tool that extends the http.server module to provide a self-contained file upload web server. It enables receiving files from remote clients, useful when protocols like SMB are not viable.

Pentesting tool for retrieving credentials from Windows workstations, servers, and domain controllers using OpSec-safe techniques. Supports hash retrieval, credential enumeration, pass-the-hash, and hash spraying.

sbd is a secure Netcat-clone that provides strong encryption for backdoor access on Linux and Windows systems. It supports program execution, source port selection, and continuous reconnection.

SilentTrinity is an asynchronous, collaborative post-exploitation agent and C2 framework powered by Python 3 and .NET's DLR. It enables multi-user, multi-server control using BYOI techniques for dynamic .NET scripting without PowerShell.

Sliver is a general purpose cross-platform implant framework that supports C2 over Mutual-TLS, HTTP(S), and DNS. Implants are dynamically compiled with unique X.509 certificates signed by a per-instance certificate authority.

Spraykatz retrieves credentials from Windows machines and large Active Directory environments by remotely executing procdump and parsing memory dumps to evade antivirus detection.

Starkiller is a frontend for Powershell Empire. It provides a graphical user interface for managing Powershell Empire operations.

Sudo allows sysadmins to provide limited root privileges to specific users while logging root activity. It follows the principle of granting minimal privileges necessary for users to complete their tasks.

Script that checks file permissions and other settings on Unix systems for local privilege escalation vectors. Identifies misconfigurations allowing unprivileged users to escalate to root or access local applications.

Villain is a high-level C2 framework that manages multiple TCP socket and HoaxShell-based reverse shells. It enhances their functionality with additional features and shares them among connected sibling servers.

Weevely is a stealth PHP web shell that simulates a telnet-like connection for web application post-exploitation. It serves as a backdoor or management tool for legitimate web accounts.

Windows Credentials Editor (WCE) lists, adds, changes, and deletes NTLM credentials from logon sessions and performs pass-the-hash attacks natively on Windows. It extracts NT/LM hashes from memory without code injection by reading and decrypting Windows internal structures.

A collection of Windows executables for use on penetration tests. Provides various pentesting Windows binaries located in /usr/share/windows-resources/binaries.

Windows privilege escalation checking tool that identifies misconfigurations allowing local unprivileged users to escalate privileges or access local apps like databases. Standalone executable tested on XP and Windows 7; runs as a normal user, or as Administrator for better results.