PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph
https://github.com/SpecterOps/MSSQLHound
https://github.com/SpecterOps/MSSQLHound
GitHub
GitHub - SpecterOps/MSSQLHound: PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph
PowerShell collector for adding MSSQL attack paths to BloodHound with OpenGraph - SpecterOps/MSSQLHound
TAP SSH VPN - this will allow you to VPN your machine into the remote TAP device through a reverse SSH tunnel.
https://github.com/trustedsec/tap/blob/master/noscripts/ssh-tunnel.sh
https://github.com/trustedsec/tap/blob/master/noscripts/ssh-tunnel.sh
GitHub
tap/noscripts/ssh-tunnel.sh at master · trustedsec/tap
The TrustedSec Attack Platform is a reliable method for droppers on an infrastructure in order to ensure established connections to an organization. - trustedsec/tap
Your template-based BloodHound terminal companion tool
https://github.com/fin3ss3g0d/cypherhound
https://github.com/fin3ss3g0d/cypherhound
GitHub
GitHub - fin3ss3g0d/cypherhound: Your template-based BloodHound terminal companion tool
Your template-based BloodHound terminal companion tool - fin3ss3g0d/cypherhound
Weaponize DLL hijacking easily. Backdoor any function in any DLL
https://github.com/Print3M/DllShimmer
https://github.com/Print3M/DllShimmer
GitHub
GitHub - Print3M/DllShimmer: Weaponize DLL hijacking easily. Backdoor any function in any DLL.
Weaponize DLL hijacking easily. Backdoor any function in any DLL. - Print3M/DllShimmer
you can call something like NtAllocateVirtualMemoryEx without ever touching ntdll!
https://github.com/whokilleddb/function-collections/blob/main/winapi_alternatives/NtAllocateMemoryEx/main.c
https://github.com/whokilleddb/hoontr
https://github.com/whokilleddb/function-collections/blob/main/winapi_alternatives/NtAllocateMemoryEx/main.c
https://github.com/whokilleddb/hoontr
GitHub
function-collections/winapi_alternatives/NtAllocateMemoryEx/main.c at main · whokilleddb/function-collections
A collection of PoCs to do common things in unconventional ways - whokilleddb/function-collections
Group Policy Objects manipulation and exploitation framework
https://github.com/synacktiv/GroupPolicyBackdoor
https://github.com/synacktiv/GroupPolicyBackdoor
GitHub
GitHub - synacktiv/GroupPolicyBackdoor: Group Policy Objects manipulation and exploitation framework
Group Policy Objects manipulation and exploitation framework - synacktiv/GroupPolicyBackdoor
Named in homage to pwndrop, pwnlift is a simple dotnet server application for uploading files from a desktop without the use of a C2. Useful if you have a console access to a machine and need to take files offline for analysis (such as Code Integrity Policy files).
https://github.com/rasta-mouse/pwnlift
https://github.com/rasta-mouse/pwnlift
GitHub
GitHub - rasta-mouse/pwnlift: Easy peasy file uploads
Easy peasy file uploads. Contribute to rasta-mouse/pwnlift development by creating an account on GitHub.
Comprehensive Windows Syscall Extraction & Analysis Framework
https://github.com/xaitax/NTSleuth
https://github.com/xaitax/NTSleuth
GitHub
GitHub - xaitax/NTSleuth: Comprehensive Windows Syscall Extraction & Analysis Framework
Comprehensive Windows Syscall Extraction & Analysis Framework - xaitax/NTSleuth
Say hello to Eternal Tux🐧, a 0-click RCE exploit against the Linux kernel from KSMBD N-Days (CVE-2023-52440 & CVE-2023-4130)
https://github.com/BitsByWill/ksmbd-n-day
https://github.com/BitsByWill/ksmbd-n-day
GitHub
GitHub - BitsByWill/ksmbd-n-day: Authenticated 0-click RCE against Linux 6.1.45 for CVE-2023-52440 and CVE-2023-4130
Authenticated 0-click RCE against Linux 6.1.45 for CVE-2023-52440 and CVE-2023-4130 - BitsByWill/ksmbd-n-day
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
https://github.com/TwoSevenOneT/EDR-Freeze
https://github.com/TwoSevenOneT/EDR-Freeze
GitHub
GitHub - TwoSevenOneT/EDR-Freeze: EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state.
EDR-Freeze is a tool that puts a process of EDR, AntiMalware into a coma state. - TwoSevenOneT/EDR-Freeze
Let's start 2026 with a major Responder update!
It now supports:
- CLDAP ping pong to SMB auth.
- SNMPv3 authentication and hashes.
- New rogue Kerberos server forcing AS-REQ when receiving TGS-REQ + support for Kerberos type 17/18 hashes.
- IMAP support for NTLM authentication.
- SMTP support for AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM authentication.
- DCE-RPC server now supports SAMR, SRVSVC, WKSSVC, WINREG, SVCCTL, ATSVC, DNSSERVER
- DNS server now supports SOA, MX, SRV, ANY, etc
-> SOA -> Appear as the authoritative DNS server
-> MX poisoning → Email client connects to rogue SMTP/IMAP → capture credentials
-> SRV poisoning → Domain services connect to rogue SMB/LDAP/Kerberos → capture NTLM/AS-REQ
- LDAP GSSAPI, GSS-SPNEGO, NTLM, DIGEST-MD5
https://github.com/lgandx/Responder
It now supports:
- CLDAP ping pong to SMB auth.
- SNMPv3 authentication and hashes.
- New rogue Kerberos server forcing AS-REQ when receiving TGS-REQ + support for Kerberos type 17/18 hashes.
- IMAP support for NTLM authentication.
- SMTP support for AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5 NTLM authentication.
- DCE-RPC server now supports SAMR, SRVSVC, WKSSVC, WINREG, SVCCTL, ATSVC, DNSSERVER
- DNS server now supports SOA, MX, SRV, ANY, etc
-> SOA -> Appear as the authoritative DNS server
-> MX poisoning → Email client connects to rogue SMTP/IMAP → capture credentials
-> SRV poisoning → Domain services connect to rogue SMB/LDAP/Kerberos → capture NTLM/AS-REQ
- LDAP GSSAPI, GSS-SPNEGO, NTLM, DIGEST-MD5
https://github.com/lgandx/Responder
GitHub
GitHub - lgandx/Responder: Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication…
Responder is a LLMNR, NBT-NS and MDNS poisoner, with built-in HTTP/SMB/MSSQL/FTP/LDAP rogue authentication server supporting NTLMv1/NTLMv2/LMv2, Extended Security NTLMSSP and Basic HTTP authenticat...