Like everyone else I thought it'd be a good idea to keep a list of interesting resources and tools. This is my list, there are many like it, but this one is mine.
The list is broken up into sections. Sections will generally be related links or specific usage details or background. Some links may be in multiple sections as they are useful in multiple ways. Some sections are broken out into separate pages. I've yet to find a good, consistent way to do this so it is currently a bit arbitrary and unorganised.
Many of these things have been picked up from Twitter, forums or other places. Not all have been tested by me so YMMV. So far none of it is my original research. Great appreciation to all those who publish and share their research or even the research of others.
-
General/Varied
-
Recon
- External
- General
- nmap
- searchsploit
- good old nc
- socat
- RustScan - faster nmap. Testing suggests many false negatives :(
- Awesome WAF - WAF details, detection, bypass etc.
- MYIP.MS - whois/DNS/hosting etc. resources
- DNSDumpster - DNS recon and research
- Web App
- Encode shell in PNG idat
- sqlmap
- sslyze
- DirBuster - remember to "Go Fast". 200 threads seems about right. Deprecated and built into ZAP now.
- dirsearch - Python implementation of directory brute forcing. Lots of configuration options.
- OWASP ZAP
- Sublist3r - subdomain OSINT
- Certificate Search crt.sh
- HTTP Request Smuggler
- Burp Suite
- Windows
- SMB Enumeration
- Enumerating AD
- smbclient
- smbmap
- CrackMapExec - smb, ldap, ssh, winrm, mssql
- Responder - LLMNR/NBT-NS/mDNS poisoner; sniffs and captures (and, via MultiRelay, relays) all sorts of credentials/auth
- rpcclient
- redhat rpcclient man/help
- An old but still a little helpful RPC tutorial - eTutorials.org
- The Dog Whisperer's Handbook - Detailed primer on BloodHound use
- General
- Internal (On Box)
- General
- linux
- LinEnum.sh
- Linux Priv Checker
- Metasploit - post/multi/recon/local_exploit_suggester <-- not very good, mainly seems to look for old CVEs
- find / -writable 2>/dev/null
- find / -type f -perm /6000 2>/dev/null (any SUID or SGID file; note `-perm 6000` without the leading `/` or `-` is an exact mode match and will miss nearly everything)
- Linux Smart Enum
- pspy - watch processes (cron jobs, other users' commands, file access) without root
- Proc FS
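The find one-liners above are easy to get wrong, so here is a small set of shell helpers (an added example, not from the original list) that wrap the usual local-enumeration searches and make the `-perm` semantics explicit. It assumes GNU find (the `/mode` form); pass a directory to scope the search, which is also how the functions can be exercised safely on a throwaway tree.

```bash
#!/usr/bin/env bash
# Added example: local privesc enumeration helpers built on find(1).
# Assumes GNU find for the "-perm /mode" syntax.
#
#   -perm 6000   exact match: only files whose mode is exactly setuid+setgid
#                and nothing else (---s--S---) -> almost never matches
#   -perm -6000  all listed bits set: setuid AND setgid
#   -perm /6000  any listed bit set:  setuid OR setgid  (the one you want)

# Files with setuid or setgid set under $1 (default /).
find_suid_sgid() {
    local root="${1:-/}"
    find "$root" -xdev -type f -perm /6000 2>/dev/null
}

# The common mistake, kept so you can see what the exact-match form misses.
find_suid_sgid_exact() {
    local root="${1:-/}"
    find "$root" -xdev -type f -perm 6000 2>/dev/null
}

# World-writable directories without the sticky bit: anyone can create,
# rename or delete files here (interesting when they sit in PATH or hold
# scripts run by cron/root).
find_world_writable_dirs() {
    local root="${1:-/}"
    find "$root" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
}

# Files the current user can write but does not own (configs, scripts or
# binaries that a higher-privileged process may read or execute).
find_writable_not_mine() {
    local root="${1:-/}"
    find "$root" -xdev -type f -writable ! -user "$(id -un)" 2>/dev/null
}

# Run everything against a root (default /) when invoked as: ./enum.sh --run [dir]
if [ "${1:-}" = "--run" ]; then
    echo "== setuid/setgid files =="
    find_suid_sgid "${2:-/}"
    echo "== world-writable dirs without sticky bit =="
    find_world_writable_dirs "${2:-/}"
    echo "== writable files not owned by me =="
    find_writable_not_mine "${2:-/}"
fi
```

`-xdev` keeps each search on one filesystem so /proc, /sys and network mounts do not flood the output; drop it if you want to cross mount points.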
- Windows
- mimikatz
- kekeo
- Rubeus
- Get-ChildItem -Path <start-path> -Recurse -Force -ErrorAction SilentlyContinue -Include <file-name1>,<file-name2> (note: -Include takes a comma-separated list; repeating the parameter is an error)
- nettitude - SharpWSUS - use any signed Windows binary to create a WSUS update and push it to selected computers
- probx - PoshWSUS - PowerShell tools to inspect WSUS configs
- eladshamir - Whisker - manipulate msDS-KeyCredentialLink (shadow credentials) to get a pfx
- Internal (Other Network Hosts)
- nmap
- meterpreter portfwd
- socat/nc tunneling
- proxychains4 (proxychains-ng; handles some edge cases better than the original proxychains)
- smartbrute - lower risk credential brute forcing in AD
- InveighZero - Interception/Spoofing attacks in C#
- Inveigh - Interception/Spoofing attacks in PowerShell
- Responder-Windows - Interception/Spoofing attacks in Python (compiled versions exist, but Python is still needed)
- External
-
Login/Login Bypass/Privesc
- Web Creds
- Hydra (Brute force http-get|post-form)
- padbuster - instructions
- credmaster2 by knavesec - password spraying through AWS to rotate IPs
- Windows
- impacket - set of AD/Kerberos tools (and many others) for Python. Many work on Windows.
- kerberos cheat sheet
- tarlogic kerberos cheat sheet III
- spooky sec secretsdump tutorial
- Knock and Pass Kerberos
- Evil WinRM
- PetitPotam
- SpoolSploit - dockerized print spooler exploit collection
- Web Creds
-
Exploits
-
Reverse Eng
- Cross Platform
- Windows
- Knowledge
-
General Knowledge (understand the tools)
- Kerberos
- Reverse Shells LOTL
- IPPSEC
- sushant747 Total OSCP guide
- OWASP Web testing guide
- Guide to named pipes and Cobalt Strike pipes
- SpecterOps - Abusing Active Directory Certificate Services
- zer1t0 attacking AD - extensive guide to AD and attacking it
- A Twitter thread on LSA by Steve Syfuhs
- A guide to AD security
-
Training
- Certifications
- Practice
-
Scripting Hints
- Powershell
- cmd
- reg query hklm...
- general
-
Cracking
-
Reporting
-
Online Tools
- Decoding/Hash Cracking
-
Building and maintaining a lab