Operating System Persistence
========================================

Windows
----------------------------------------

Credential Access
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `mimikatz`_
- `RdpThief`_ Extracting clear-text passwords from mstsc.exe using API hooking
- `quarkspwdump`_ Dump various types of Windows credentials without injecting into any process
- `SharpDump`_ C# port of PowerSploit's Out-Minidump.ps1 functionality

Privilege Escalation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `WindowsExploits`_
- `JAWS`_ Just Another Windows (Enum) Script

UAC Bypass
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `WinPwnage`_ UAC bypass, elevation, persistence and execution methods
- `UACME`_ Defeating Windows User Account Control
- `UAC Bypass In The Wild`_

AV Evasion
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `SigThief`_ Stealing signatures and making one invalid signature at a time

C2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `SharpSploit`_ .NET post-exploitation library written in C#
- `SharpBeacon`_ .NET rewrite of the Cobalt Strike stager and Beacon, including check-in, file management, process management, token management, injection via direct syscalls, native port forwarding, disabling ETW and more
- `Koadic`_ Windows post-exploitation rootkit

Hiding
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `ProcessHider`_ Post-exploitation tool for hiding processes from monitoring applications
- `Invoke Phant0m`_ Windows Event Log killer
- `EventCleaner`_ Erases specified records from Windows event logs, with additional functionality

DLL Injection
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `sRDI`_ Shellcode Reflective DLL Injection

rootkit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `r77-rootkit`_ Ring 3 rootkit with a single-file installer and fileless persistence that hides processes, files, network connections, etc.

Spoofing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `parent PID spoofing`_ Scripts for performing and detecting parent PID spoofing
- `GetSystem`_ C# implementation of running a process/executable as ``NT AUTHORITY\SYSTEM``, achieved through parent PID spoofing of almost any SYSTEM process. This needs a handle with PROCESS_CREATE_PROCESS access to the chosen SYSTEM process, which an elevated administrator can obtain, so it is an admin-to-SYSTEM step rather than an escalation from a standard user

MiTM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `Seth`_ Perform a MitM attack and extract clear-text credentials from RDP connections
- `pyrdp`_ RDP man-in-the-middle (MITM) tool and library for Python with the ability to watch connections live or after the fact

General-purpose Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `Nishang`_ Offensive PowerShell for red teaming, penetration testing and offensive security

Linux
----------------------------------------

Privilege Escalation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `linux exploit suggester`_
- `LinEnum`_ Scripted local Linux enumeration and privilege escalation checks
- `AutoLocalPrivilegeEscalation`_
- `GTFOBins`_ Curated list of Unix binaries that can be exploited to bypass local security restrictions

rootkit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `rootkit`_
- `Diamorphine`_ LKM rootkit for Linux kernels 2.6.x/3.x/4.x/5.x (x86/x86_64 and ARM64)

Backdoors
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `prism`_ User-space stealth reverse shell backdoor
- `icmpsh`_ Simple reverse ICMP shell

Cross-platform
----------------------------------------

Credential Access
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `sshLooterC`_ Program to steal passwords from SSH
- `keychaindump`_ Proof-of-concept tool for reading OS X keychain passwords
- `LaZagne`_ Credentials recovery project
- `SecretScanner`_ Find secrets and passwords in container images and file systems

Privilege Escalation
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `BeRoot`_ Privilege escalation project for Windows / Linux / Mac

RAT
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `QuasarRAT`_

C2
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `Empire`_
- `pupy`_
- `Covenant`_ Collaborative .NET C2 framework for red teamers
- `Cooolis-ms`_ Code-execution tool bundling a Metasploit payload loader, a Cobalt Strike External C2 loader and reflective DLL injection

DNS Shell
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `DNS Shell`_ DNS-Shell is an interactive shell over a DNS channel
- `Reverse DNS Shell`_ Python reverse shell that uses DNS as the C2 channel

Cobalt Strike
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `Cobalt Strike`_
- `CrossC2`_ Generate Cobalt Strike cross-platform payloads
- `Cobalt Strike Aggressor Scripts`_

Log Clearing
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `Log killer`_ Clear all logs on Linux/Windows servers

Botnet
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `byob`_ Build Your Own Botnet

AV Evasion Tools
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

- `AV Evasion Tool`_ 掩日, a generator for AV-evading payload executors
- `DKMC`_ Don't Kill My Cat, a malicious payload evasion tool
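The parent PID spoofing and GetSystem entries under Windows / Spoofing name the technique but not how a defender separates a spoofed parent from a real one. The Python below is an added example written for this page, not code from either project. It applies the comparison published detections rely on: for a Microsoft-Windows-Kernel-Process ProcessStart event, the event header's ProcessId is the process that actually invoked the create-process call, while the payload's ParentProcessID is the parent the child was given (which PROC_THREAD_ATTRIBUTE_PARENT_PROCESS lets the creator choose); a mismatch is the spoof. The process table, the event records and the svchost.exe allow-list (the AppInfo service re-parents UAC-elevated processes to the requesting process) are constructed assumptions for the example, not real telemetry.

```python
"""Flag parent-PID spoofing from process-start telemetry.

For a Microsoft-Windows-Kernel-Process ProcessStart event, the header's
ProcessId comes from the process that invoked the create-process call,
while the payload's ParentProcessID is whatever parent the child was given
(an attacker can pick it with PROC_THREAD_ATTRIBUTE_PARENT_PROCESS). The two
disagree when the parent has been spoofed. Every record below is constructed
for this example; nothing here is real telemetry.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessStart:
    """One ProcessStart event, fields named after the ETW payload."""
    header_pid: int         # EventHeader.ProcessId: the real creator
    process_id: int         # ProcessID: the newly created process
    parent_process_id: int  # ParentProcessID: the parent the child claims
    image_name: str


@dataclass(frozen=True)
class ProcessInfo:
    """What is already known about a running process (constructed)."""
    image: str
    user: str  # "SYSTEM" or "user"; a real table would hold SID and integrity level


@dataclass(frozen=True)
class Finding:
    process_id: int
    image_name: str
    claimed_parent: int
    real_creator: int
    severity: str
    reason: str


# Creators that legitimately give the child a different parent. The AppInfo
# service (hosted in svchost.exe) starts UAC-elevated processes and re-parents
# them to the requesting process. Assumption: this list is site-specific and
# must be tuned against baseline telemetry before alerting on it.
BENIGN_REPARENTING_CREATORS = {"svchost.exe"}


def detect_ppid_spoofing(events: List[ProcessStart],
                         processes: Dict[int, ProcessInfo]) -> List[Finding]:
    """Return one Finding per event whose real creator is not its claimed parent."""
    findings: List[Finding] = []
    for ev in events:
        if ev.header_pid == ev.parent_process_id:
            continue  # creator and claimed parent agree: the normal case
        creator: Optional[ProcessInfo] = processes.get(ev.header_pid)
        claimed: Optional[ProcessInfo] = processes.get(ev.parent_process_id)

        if creator is not None and creator.image.lower() in BENIGN_REPARENTING_CREATORS:
            continue  # known benign re-parenting (e.g. UAC elevation via AppInfo)

        if creator is None:
            severity, reason = "medium", "creator pid not in process table"
        elif claimed is None:
            severity, reason = "medium", "claimed parent pid not in process table"
        elif claimed.user == "SYSTEM" and creator.user != "SYSTEM":
            # The GetSystem pattern: a non-SYSTEM creator borrows a SYSTEM parent
            # so the child inherits that parent's token.
            severity, reason = "high", "non-SYSTEM creator claimed a SYSTEM parent"
        else:
            severity, reason = "medium", "creator differs from claimed parent"

        findings.append(Finding(ev.process_id, ev.image_name, ev.parent_process_id,
                                ev.header_pid, severity, reason))
    return findings


# Constructed process table and events (not real telemetry).
PROCESS_TABLE: Dict[int, ProcessInfo] = {
    4: ProcessInfo("System", "SYSTEM"),
    900: ProcessInfo("winlogon.exe", "SYSTEM"),
    1200: ProcessInfo("svchost.exe", "SYSTEM"),
    4120: ProcessInfo("explorer.exe", "user"),
    6000: ProcessInfo("powershell.exe", "user"),
}

SAMPLE_EVENTS: List[ProcessStart] = [
    # explorer.exe starts cmd.exe itself: header and payload agree.
    ProcessStart(header_pid=4120, process_id=5000, parent_process_id=4120, image_name="cmd.exe"),
    # powershell.exe starts notepad.exe but claims explorer.exe as its parent.
    ProcessStart(header_pid=6000, process_id=7000, parent_process_id=4120, image_name="notepad.exe"),
    # UAC elevation: AppInfo (svchost.exe) starts mmc.exe, re-parented to explorer.exe.
    ProcessStart(header_pid=1200, process_id=7100, parent_process_id=4120, image_name="mmc.exe"),
    # GetSystem-style: a user process claims winlogon.exe (SYSTEM) as its parent.
    ProcessStart(header_pid=6000, process_id=8000, parent_process_id=900, image_name="cmd.exe"),
]


if __name__ == "__main__":
    for f in detect_ppid_spoofing(SAMPLE_EVENTS, PROCESS_TABLE):
        print(f"[{f.severity}] pid {f.process_id} ({f.image_name}): "
              f"claimed parent {f.claimed_parent}, real creator {f.real_creator}: {f.reason}")
```

Sysmon Event ID 1 records only the claimed parent, so this comparison needs the Kernel-Process ETW provider as input (an alternative signal is a Sysmon Event ID 10 showing PROCESS_CREATE_PROCESS access, 0x80, to the would-be parent shortly before the child appears). Baseline the allow-list on your own telemetry before turning the medium findings into alerts.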