Showing results for tags 'post-exploitation'.

Found 11 results

  1. Empire 4.0 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 2.x/3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at DEF CON 27. Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we’ve interacted with heavily here and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know at [email protected].
     Changelog v5.1.2
     – Updated Starkiller to v2.1.1
     – Removed thread from IronPython agent (@Hubbl3)
     – Fixed foreign listener issue with cookies (@Hubbl3)
     – Fixed error message handling for port forward pivot (@Cx01N)
     – Fixed upload not reporting error in PowerShell agent (@Cx01N)
     – Fixed client not giving option to select upload directory (@Cx01N)
     – Fixed persistence/powerbreach/eventlog launcher generation (@Cx01N)
  2. Empire 4.0 is a post-exploitation framework that includes a pure-PowerShell 2.0 Windows agent, and compatibility with Python 2.x/3.x Linux/OS X agents. It is the merger of the previous PowerShell Empire and Python EmPyre projects. The framework offers cryptologically-secure communications and flexible architecture. On the PowerShell side, Empire implements the ability to run PowerShell agents without needing powershell.exe, rapidly deployable post-exploitation modules ranging from key loggers to Mimikatz, and adaptable communications to evade network detection, all wrapped up in a usability-focused framework. PowerShell Empire premiered at BSidesLV in 2015 and Python EmPyre premiered at HackMiami 2016. BC-Security presented updates to further evade Microsoft Antimalware Scan Interface (AMSI) and JA3/S signatures at DEF CON 27. Empire relies heavily on the work from several other projects for its underlying functionality. We have tried to call out a few of those people we’ve interacted with heavily here and have included author/reference link information in the source of each Empire module as appropriate. If we have failed to properly cite existing or prior work, please let us know at [email protected].
     Changelog v5.0.4
     – Fix module error in PSRansom (@Cx01N)
     – Update the install script to set up a new db user instead of overwriting the root user (@vinnybod)
     – Update the Starkiller syncer to skip updating if not in a git repo (@vinnybod)
     – Update the Docker CI action to publish latest on ‘main’ branch (@vinnybod)
     – Fix install of Poetry for Debian based systems (@vinnybod)
  3. pwncat is a post-exploitation platform. It started out as a wrapper around basic bind and reverse shells and has grown from there. It streamlines common red team operations while staging code from your attacker machine, not the target. pwncat intercepts the raw communication with a remote shell and allows the user to perform automated actions on the remote host including enumeration, implant installation, and even privilege escalation.
     After receiving a connection, pwncat will set up some common configurations for working with remote shells:
     – Disable history in the remote shell
     – Normalize shell prompt
     – Locate useful binaries (using which)
     – Attempt to spawn a pseudoterminal (pty) for a fully interactive session
     pwncat knows how to spawn ptys with a few different methods and will cross-reference the methods with the executables previously enumerated. After spawning a pty, it will set up the controlling terminal in raw mode, so you can interact in a similar fashion to ssh. pwncat will also synchronize the remote pty settings (such as rows, columns, TERM environment variable) with your local settings to ensure the shell behaves correctly with interactive applications such as vim or nano.
     Features and Functionality
     pwncat provides two main features. At its core, its goal is to automatically set up a remote PseudoTerminal (pty) which allows interaction with the remote host much like a full SSH session. When operating in a pty, you can use common features of your remote shell such as history, line editing, and graphical terminal applications. The other half of pwncat is a framework which utilizes your remote shell to perform automated enumeration, persistence, and privilege escalation tasks.
     The local pwncat prompt provides a number of useful features for standard penetration tests including:
     – File upload and download
     – Automated privilege escalation enumeration
     – Automated privilege escalation execution
     – Automated persistence installation/removal
     – Automated tracking of modified/created files; pwncat also offers the ability to revert these remote “tampers” automatically
     The underlying framework for interacting with the remote host aims to abstract away the underlying shell and connection method as much as possible, allowing commands and plugins to interact seamlessly with the remote host.
     Changelog v0.5.3
     Fix for argument parsing bug introduced in 0.5.2 which caused bind/connect protocols to be automatically interpreted as SSL even when --ssl was not provided.
     Changed
     – Fixed parsing of --ssl argument (#231).
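The pty upgrade the post describes (disable history, find binaries with which, pick a spawn method the target actually has, then sync TERM and window size) is easy to get wrong by hand. The following is an added example, not pwncat's own code: it parses constructed `which` output and produces the three phases of the upgrade, using a small assumed table of spawn methods rather than pwncat's real one; the prompt string and the `/bin/sh` fallback are assumptions as well.

```python
"""
Added example (not pwncat's own code): given the output of `which` on the
target and the operator's local terminal geometry, build the command sequence a
pwncat-style tool would send to a raw reverse shell to turn it into a usable
pty. PTY_METHODS is an assumed subset, not pwncat's method table.
"""
import os
import shlex
import shutil

# Ordered pty spawn methods and the binary each one needs (assumed subset).
PTY_METHODS = [
    ("python3", "python3 -c 'import pty; pty.spawn(\"{shell}\")'"),
    ("python", "python -c 'import pty; pty.spawn(\"{shell}\")'"),
    ("script", "script -qc {shell} /dev/null"),
]


def locate_binaries(which_output):
    """Parse `which -a python3 python script bash sh` output into {name: path}.
    which prints one absolute path per hit; missing binaries print nothing."""
    found = {}
    for line in which_output.splitlines():
        line = line.strip()
        if line.startswith("/"):
            found.setdefault(os.path.basename(line), line)
    return found


def choose_shell(binaries):
    """Prefer bash, fall back to sh, default to /bin/sh if neither was seen."""
    for name in ("bash", "sh"):
        if name in binaries:
            return binaries[name]
    return "/bin/sh"


def build_pty_upgrade(binaries, rows, cols, term="xterm-256color", prompt="$ "):
    """Return the upgrade plan: commands for the raw shell before spawning,
    the spawn command (None if no known method is present on the target),
    and commands to send once the pty shell is up."""
    shell = choose_shell(binaries)
    spawn = None
    for name, template in PTY_METHODS:  # cross-reference methods with what exists
        if name in binaries:
            spawn = template.format(shell=shell)
            break
    pre = [
        "unset HISTFILE; export HISTSIZE=0",  # disable history in the raw shell
    ]
    post = [
        "unset HISTFILE; export HISTSIZE=0",  # the new shell re-reads its rc files
        "export TERM=%s" % shlex.quote(term),  # sync TERM with the local terminal
        "stty rows %d cols %d" % (int(rows), int(cols)),  # sync window size
        "export PS1=%s" % shlex.quote(prompt),  # normalize the prompt
    ]
    return {"shell": shell, "pre": pre, "spawn": spawn, "post": post}


def main():
    # Constructed `which` output standing in for a real target.
    which_output = "/usr/bin/python3\n/usr/bin/script\n/bin/bash\n/bin/sh\n"
    size = shutil.get_terminal_size(fallback=(80, 24))  # local geometry
    plan = build_pty_upgrade(locate_binaries(which_output), size.lines, size.columns)
    for cmd in plan["pre"]:
        print(cmd)
    print(plan["spawn"] or "# no pty method available; staying in the raw shell")
    for cmd in plan["post"]:
        print(cmd)
    # The local side then puts its own tty into raw mode
    # (tty.setraw(sys.stdin.fileno())) and relays bytes in both directions.


if __name__ == "__main__":
    main()
```

The `post` commands must be sent after the spawn, because `stty` acts on the controlling terminal of the shell that runs it; sent to the raw shell they would fail with "not a tty". Note that `script` needs the shell path as its `-c` argument, which is why the method table is templated on the shell found by `which` rather than hard-coded.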
  4. StandIn is a small AD post-compromise toolkit. StandIn came about because recently at xforcered we needed a .NET native solution to perform resource-based constrained delegation. However, StandIn quickly ballooned to include a number of comfort features.
     Changelog v1.2
     – A number of old and new functions now support new parameters “--limit” and “--filter”.
     – Added generic LDAP search capabilities.
     – Added function which takes a user or SID and converts it to a user and SID.
     – Modified the “--group” function. It will now either enumerate group members as before or, if provided with a user, list user group memberships.
     – Added function to remove a user from a group.
     – Added function which finds all GPO objects, optionally displays their ACL.
     – Added function to abuse GPO permissions and add a user to the local BUILTIN\Administrators group.
     – Added function to abuse GPO permissions and add a token permission to a user (e.g. SeLoadDriverPrivilege).
     – Added function to abuse GPO permissions and add a User or Computer immediate task with or without special filtering.
     – Added function which can increase the User or Computer version of GPO AD objects.
     – Added function which lists out some default domain policy settings (e.g. MaximumPasswordAge).
     – Added function which can do DNS enumeration based on AD records (ADIDNS).
     – Added function which can identify accounts that have PASSWD_NOTREQD as part of their userAccountControl flags.
     – Added function which can set an SPN on an account or remove it.
     – Bugfix in “--spn” where it would only show the first SPN.
  5. Kubesploit
     Kubesploit is a cross-platform post-exploitation HTTP/2 Command & Control server and agent dedicated to containerized environments, written in Golang and built on top of the Merlin project by Russel Van Tuyl (@Ne0nd0g).
     Our Motivation
     While researching Docker and Kubernetes, we noticed that most of the tools available today are aimed at passive scanning for vulnerabilities in the cluster, and there is a lack of more complex attack vector coverage. They might allow you to see the problem but not exploit it. It is important to run the exploit to simulate a real-world attack that will be used to determine corporate resilience across the network. When running an exploit, it will exercise the organization’s cyber event management, which doesn’t happen when scanning for cluster issues. It can help the organization learn how to operate when real attacks happen, see if its other detection systems work as expected and what changes should be made. We wanted to create an offensive tool that will meet these requirements.
     What’s New
     As the C&C and the agent infrastructure were already done by Merlin, we integrated the Go interpreter (“Yaegi”) to be able to run Golang code from the server on the agent. It allowed us to write our modules in Golang, provide more flexibility on the modules, and dynamically load new modules. It is an ongoing project, and we are planning to add more modules related to Docker and Kubernetes in the future.
     The currently available modules are:
     – Container breakout using mounting
     – Container breakout using docker.sock
     – Container breakout using CVE-2019-5736 exploit
     – Scan for Kubernetes cluster known CVEs
     – Port scanning with focus on Kubernetes services
     – Kubernetes service scan from within the container
     – Light kubeletctl containing the following options:
       – Scan for containers with RCE
       – Scan for Pods and containers
       – Scan for tokens from all available containers
       – Run command with multiple options
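The breakout modules listed above (mounting, docker.sock) and the token scan each depend on a condition that can be checked from inside the container before anything is attempted. The block below is an added example and not Kubesploit code: it reads the conditions out of constructed `/proc/mounts` and `/proc/self/status` text plus a constructed file listing, so it runs offline; the capability bit numbers are the kernel's, while the "block-device-backed rw mount is a host path" rule and the findings wording are assumptions of this example.

```python
"""
Added example (not Kubesploit's code): checks run from inside a container to
spot the conditions Kubesploit's breakout and token modules rely on, using
/proc/mounts, /proc/self/status and a file listing. Inputs here are
constructed text, not read from the live system.
"""
import re

# Capability bit positions in CapEff (include/uapi/linux/capability.h).
CAP_BITS = {
    "CAP_NET_ADMIN": 12,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}
SA_TOKEN = "/var/run/secrets/kubernetes.io/serviceaccount/token"


def effective_caps(status_text):
    """Names from CAP_BITS that are set in the CapEff line of /proc/self/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        return set()
    mask = int(m.group(1), 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def parse_mounts(mounts_text):
    """Parse /proc/mounts lines: source target fstype options dump pass."""
    mounts = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            mounts.append({"src": parts[0], "target": parts[1],
                           "fstype": parts[2], "opts": set(parts[3].split(","))})
    return mounts


def assess_container(mounts_text, status_text, files_present):
    """Return findings; each maps to one of the attack paths named in the post."""
    findings = []
    caps = effective_caps(status_text)
    if "CAP_SYS_ADMIN" in caps:
        findings.append("CAP_SYS_ADMIN is effective: mount(2) is available, "
                        "so breakout by mounting host devices is on the table")
    for cap in sorted(caps - {"CAP_SYS_ADMIN"}):
        findings.append("%s is effective" % cap)
    for m in parse_mounts(mounts_text):
        if m["target"].endswith("docker.sock"):
            findings.append("docker.sock mounted at %s: host Docker API reachable" % m["target"])
        elif (m["target"] != "/" and m["src"].startswith("/dev/")
              and m["fstype"] in ("ext4", "xfs", "btrfs") and "rw" in m["opts"]):
            # Assumed heuristic: a block-device-backed rw mount inside an
            # overlay-rooted container is almost always a host path bind-mounted in.
            findings.append("host filesystem %s mounted rw at %s" % (m["src"], m["target"]))
    if SA_TOKEN in files_present:
        findings.append("service account token present at %s" % SA_TOKEN)
    return findings


# Constructed samples: a privileged pod with the Docker socket and a host path mounted.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/X 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /run/secrets/kubernetes.io/serviceaccount tmpfs ro,relatime 0 0
/dev/sda1 /host ext4 rw,relatime 0 0
/dev/sda1 /var/run/docker.sock ext4 rw,relatime 0 0
"""
PRIVILEGED_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t000001ffffffffff\n"
DEFAULT_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    for finding in assess_container(SAMPLE_MOUNTS, PRIVILEGED_STATUS, {SA_TOKEN}):
        print("[!]", finding)
```

`DEFAULT_STATUS` carries Docker's default capability bounding set, which has none of the four bits in `CAP_BITS`, so a stock unprivileged container produces no capability findings; the `docker.sock` bind mount shows up in `/proc/mounts` with the host block device as its source, which is why the socket check runs before the block-device heuristic.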
  6. Utopia Framework
     Utopia Framework is a Linux post-exploitation framework that exploits a Linux SSH vulnerability to provide a shell-like connection. Utopia Framework can be used to easily master Linux SSH exploitation.
     Why Utopia Framework
     – Simple and clear UX/UI. Utopia Framework has a simple and clear UX/UI. It is easy to understand and it will be easier for you to master the Utopia Framework.
     – A lot of different modules. There are a lot of different modules for SSH exploitation in Utopia Framework such as ssh_exec_noauth and ssh_shell_noauth.
     – Simple SSH exploitation. Utopia Framework makes mastering Linux SSH exploitation very easy.
  7. PhpSploit is a remote control framework, aiming to provide a stealth interactive shell-like connection over HTTP between client and web server. It is a post-exploitation tool capable of maintaining access to a compromised web server for privilege escalation purposes.
     Features
     Efficient: More than 20 plugins to automate post-exploitation tasks
     – Run commands and browse filesystem, bypassing PHP security restrictions
     – Upload/Download files between client and target
     – Edit remote files through local text editor
     – Run SQL console on target system
     – Spawn reverse TCP shells
     Stealth: The framework is made by paranoids, for paranoids
     – Nearly invisible by log analysis and NIDS signature detection
     – Safe-mode and common PHP security restrictions bypass
     – Communications are hidden in HTTP Headers
     – Loaded payloads are obfuscated to bypass NIDS
     – http/https/socks4/socks5 Proxy support
     Convenient: A robust interface with many crucial features
     – Detailed help for any command or option (type help)
     – Cross-platform on both the client and the server
     – Powerful interface with completion and multi-command support
     – Session saving/loading feature & persistent history
     – Multi-request support for large payloads (such as uploads)
     – Provides a powerful, highly configurable settings engine
     – Each setting, such as user-agent, has a polymorphic mode
     – Customisable environment variables for plugin interaction
     – Provides a complete plugin development API
     Changelog v3.1
     Implemented enhancements:
     – Make warning message explicit when running plugin in non-connected mode #74
     – Show stack trace when VERBOSITY is True #73
     – get help for CMD when calling help CMD ARG #70
     – unexpected infinite autocompletion #68
     – help set <VAR>: display buffer type description #67
     – set should inform user that help set <VAR> is available #62
     – alias <VAR> None misses verbosity #59
     – Missing help set <SETTING> autocompletion #56
     – env: Confusing error message before exploited context #53
     – ./deps/ folder is archaic #41
     Fixed bugs:
     – phpsploit is not working properly #128
     – suidroot plugin makes invalid assumptions #105
     – crash: IndexError: list index out of range #101
     – lrun command always returns 0 #83
     – core.tunnel.exceptions.ResponseError: Php runtime error #81
     – core: read non-tty STDIN line-by-line #75
     – term colors: buggy message display #72
     – corectl display-http-requests: invalid log on POST method #65
     – alias can override existing command #60
     – isolate_readline_context() doesn’t isolate readline history #54
     Closed issues:
     – Scripting support #138
     – add jonas lejon as contributor for his blog post #137
     – corectl display-http-requests not working when PROXY is set #135
     – I’m sure I set the backdoor file, but I can’t get a Windows shell again #120
     – a Windows shell to treat mysql data #119
     – Doubt about the socks5 proxy #114
     – INSTALL.md should have install instructions #106
     – Add contributors list on README #88
     – help <PLUGIN> lacks plugin information #85
     – ux: show missing dependency warnings at start #80
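"Communications are hidden in HTTP Headers" is the feature a defender has to detect, and header-based channels leave a measurable trace: non-standard header names carrying long, high-entropy values. The block below is an added example, not PhpSploit code, and it does not know PhpSploit's actual header names or encoding; it scores a request's header block with generic size and entropy heuristics whose thresholds, header allow-list and two sample requests are constructed assumptions.

```python
"""
Added example (not PhpSploit's code): a defender-side heuristic for spotting
HTTP requests that carry data in non-standard headers. Thresholds, the
COMMON_HEADERS allow-list and the sample requests are assumptions.
"""
import base64
import math
from collections import Counter

COMMON_HEADERS = {
    "host", "user-agent", "accept", "accept-language", "accept-encoding",
    "connection", "cookie", "referer", "content-type", "content-length",
    "cache-control", "pragma", "upgrade-insecure-requests", "origin",
}
MAX_VALUE_LEN = 256   # assumption: longest value a benign custom header carries
MIN_ENTROPY = 4.5     # assumption: bits/byte typical of base64 or compressed blobs


def shannon_entropy(s):
    """Bits per character of the string (0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def parse_headers(raw):
    """Split one request's header block into (request line, [(name, value)])."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def score_request(raw):
    """Return (score, reasons); 0 means nothing here looks like a covert channel."""
    _, headers = parse_headers(raw)
    score, reasons = 0, []
    unknown = [(n, v) for n, v in headers if n not in COMMON_HEADERS]
    for name, value in unknown:
        if len(value) > MAX_VALUE_LEN:
            score += 2
            reasons.append("%s: %d-byte value" % (name, len(value)))
        ent = shannon_entropy(value)
        if len(value) >= 32 and ent >= MIN_ENTROPY:  # short values have noisy entropy
            score += 2
            reasons.append("%s: entropy %.2f bits/char" % (name, ent))
    if len(unknown) >= 4:
        score += 1
        reasons.append("%d non-standard headers" % len(unknown))
    total = sum(len(v) for _, v in unknown)
    if total > 1024:
        score += 1
        reasons.append("%d bytes in non-standard headers" % total)
    return score, reasons


# Constructed samples: a plain page fetch, and one whose two custom headers
# carry a 684-character base64 blob split in half.
BENIGN = """GET /index.php HTTP/1.1
Host: www.example.com
User-Agent: Mozilla/5.0
Accept: text/html
Accept-Encoding: gzip, deflate
Connection: keep-alive
"""
BLOB = base64.b64encode(bytes(range(256)) * 2).decode()
COVERT = ("GET /index.php HTTP/1.1\nHost: www.example.com\nUser-Agent: Mozilla/5.0\n"
          "X-Reqid: %s\nX-Trace: %s\n" % (BLOB[:342], BLOB[342:]))

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("covert", COVERT)):
        print(label, score_request(req))
```

`Cookie` is on the allow-list because benign cookies are routinely long and high-entropy; a channel that rides inside a cookie needs a different baseline (per-site cookie length and name set) rather than these generic thresholds.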
  8. Stealth post-exploitation framework for WordPress CMS
     What is it and why was it made? We intentionally made it for our penetration testing jobs; however, it's getting grey hairs now, so we thought we would pass it on to the public! ProjectOpal or Opal is a stealth post-exploit framework for WordPress sites that can hide its trace from logs and obfuscate its way through the system! 🙂 Fun cool feature: it creates an admin user that is hidden from all users including admins! Just note it's stored in the database, so don't forget to delete your traces.
     python Injector.py (Edit the config.py!) You will see a start-up screen. Type help and get to know your shell better 🙂
     Features: These are features that Shadowlabs Team prides itself on based on this program:
     – Bypass WAF (Web application firewall)
     – Hidden/Stealth
     – Lets you log in as any user
     – Dump entire user entries
     – Create a persistent admin account that is hidden
     – Obfuscated implant
     – Multi-functionality
  9. Opal
     Stealth post-exploitation framework for WordPress CMS
     What is it and why was it made? We intentionally made it for our penetration testing jobs; however, it’s getting grey hairs now, so we thought we would pass it on to the public! ProjectOpal or Opal is a stealth post-exploit framework for WordPress sites that can hide its trace from logs and obfuscate its way through the system! 🙂 Fun cool feature: it creates an admin user that is hidden from all users including admins! Just note it’s stored in the database, so don’t forget to delete your traces.
     Features: These are features that Shadowlabs Team prides itself on based on this program:
     – Bypass WAF (Web application firewall)
     – Hidden/Stealth
     – Lets you log in as any user
     – Dump entire user entries
     – Create a persistent admin account that is hidden
     – Obfuscated implant
     – Multi-functionality
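Both Opal posts above make the same point from the attacker's side: the planted administrator is hidden from the WordPress user list but is still a row in the database. The block below is an added example for a defender, not Opal code: it queries `wp_users` and `wp_usermeta` directly for accounts whose `wp_capabilities` serialized value grants `administrator` and diffs them against the logins the admin UI showed. It uses an in-memory SQLite copy of the two tables with constructed rows (the table layout follows WordPress, the rows and the "what the UI showed" list are made up); against a real site you would run the same query on the MySQL database with the site's table prefix.

```python
"""
Added example (not Opal's code): find WordPress administrators that exist in
the database but not in the admin UI's user list. Constructed SQLite data
stands in for the MySQL tables; the schema mirrors wp_users/wp_usermeta.
"""
import sqlite3

# WordPress stores roles as a PHP-serialized array in wp_usermeta.wp_capabilities.
ADMIN_MARKER = 's:13:"administrator";b:1;'


def build_sample_db():
    """Constructed data: two accounts the UI shows and one planted admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_users VALUES
            (1, 'siteadmin', 'admin@example.com', '2019-03-01 10:00:00'),
            (2, 'editor', 'editor@example.com', '2019-04-12 09:30:00'),
            (7, 'wp_update', 'noreply@example.com', '2021-06-30 02:14:55');
        INSERT INTO wp_usermeta VALUES
            (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}'),
            (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}'),
            (3, 7, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn


def db_administrators(conn, prefix="wp_"):
    """Every login whose capabilities meta grants administrator, read straight
    from the tables so UI-side filtering cannot hide it."""
    sql = ("SELECT u.ID, u.user_login, u.user_email, u.user_registered "
           "FROM {p}users u JOIN {p}usermeta m ON m.user_id = u.ID "
           "WHERE m.meta_key = '{p}capabilities' AND instr(m.meta_value, ?) > 0 "
           "ORDER BY u.ID").format(p=prefix)
    return [dict(zip(("id", "login", "email", "registered"), row))
            for row in conn.execute(sql, (ADMIN_MARKER,))]


def hidden_administrators(conn, ui_logins, prefix="wp_"):
    """Administrators present in the database but absent from the UI's list."""
    visible = set(ui_logins)
    return [a for a in db_administrators(conn, prefix) if a["login"] not in visible]


if __name__ == "__main__":
    conn = build_sample_db()
    seen_in_ui = ["siteadmin", "editor"]  # constructed: what Users > All Users showed
    for a in hidden_administrators(conn, seen_in_ui):
        print("hidden administrator: id=%(id)s login=%(login)s registered=%(registered)s" % a)
```

The meta key is prefixed like the tables (`wp_capabilities` for the default `wp_` prefix), which is why `prefix` is applied to it as well; a substring match on the serialized value is enough here because WordPress writes the role name with its exact length marker.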
  10. GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. The project collects legitimate functions of Unix binaries that can be abused to break out of restricted shells, escalate or maintain elevated privileges, transfer files, spawn bind and reverse shells, and facilitate other post-exploitation tasks. See the full list of functions. This was inspired by the LOLBAS project for Windows. GTFOBins is a collaborative project created by norbemi and cyrus_and where everyone can contribute with additional binaries and techniques. [Hidden Content]
      Install
      The script has 2 dependencies: colorama, pygments. You can install these by typing:
      python3 setup.py install
      Run
      python3 gtfo.py [binary]
  11. SILENTTRINITY
      An asynchronous post-exploitation agent powered by Python, IronPython, C# and .NET's DLR
      Requirements
      – Server requires Python >= 3.7
      – SILENTTRINITY C# implant requires .NET >= 4.5
      How it works
      Notes
      .NET runtime support
      The implant needs .NET 4.5 or greater due to the IronPython DLLs being compiled against .NET 4.0; also there is no ZipArchive .NET library prior to 4.5, which the implant relies upon to download the initial stage containing the IronPython DLLs and the main Python code. Reading the source for the [Hidden Content] it seems like we can get around the first issue by directly generating IL code through IKVM (I still don't understand why this works). However this would require modifying the compiler to generate a completely new EXE stub (definitely feasible, just time consuming to find the proper IKVM API calls).
      C2 Comms
      Currently the implant only supports C2 over HTTP 1.1. .NET 4.5 seems to have a native WebSocket library which makes implementing a WS C2 channel more than possible. HTTP/2 client support for .NET's HttpClient API is in the works, just not yet released. The implant and server design are very much "future proof" which should make implementing these C2 Channels pretty trivial when the time comes.
      COM Interop
      [Hidden Content]
      Python Standard Library
      We technically could load/use IronPython's stdlib instead of calling .NET APIs but this would require writing some "magic" dependency resolving code. Possibly could modify [Hidden Content] to do this automagically.
      Inject into unmanaged process
      [Hidden Content]
      If you need some help setting up your environment.
      Reporting issues
      Reporting any issue will be appreciated, but please, feel free to use this [Hidden Content].
      Source & Ref.