
Red Team Tools

As defined by the U.S. National Security Agency (NSA), a red team is a group that specializes in breaking in, acquiring sensitive information and leaving no trace behind. In the cyber realm, red teams emulate real-world adversaries against an organization's systems, people and processes, using the same reconnaissance, exploitation and post-exploitation tradecraft attackers use. The goal is to surface the weaknesses that matter, show how they chain together into a real compromise, and give the organization a chance to fix them before a genuine attacker finds them. The tools below are grouped roughly by the phase of an attack in which they are used.

Popular tools used for red team assessments:

Reconnaissance

Nmap

Nmap, or Network Mapper, is a free, open source network scanner and one of the oldest tools in the game: it was first released in 1997 and is still actively maintained. Red teams use it to find live hosts, detect open ports and the services listening on them, fingerprint operating systems and versions, and drive further enumeration (DNS, SMB, HTTP and many other protocols) through its scripting engine. Nmap is, in our opinion, one of the most important open source red team tools available.

sqlmap

sqlmap is an open source penetration testing tool that automates the detection and exploitation of SQL injection flaws. It fingerprints the back-end database, enumerates users, databases and tables, recognizes password hashes it pulls out and cracks them with a dictionary, runs arbitrary SQL statements against the database and, on some DBMS platforms, reads files from or executes commands on the underlying host. It is listed here under reconnaissance because it is usually run against web applications found during enumeration, but what it does is exploitation.
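The flaw that sqlmap automates the hunt for is user input concatenated into a SQL statement. The following added example (not sqlmap's code and not from the original page) builds a constructed in-memory SQLite table and shows the three payload classes sqlmap tries most often, tautology, boolean-based blind and UNION, against a vulnerable query and against the parameterized form that defeats all of them. The table contents and the hash strings are made up for the demo.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, one of them an admin."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(
            id INTEGER PRIMARY KEY,
            username TEXT,
            password_hash TEXT,
            is_admin INTEGER
        );
        INSERT INTO users(username, password_hash, is_admin) VALUES
            ('alice', 'hash_alice', 1),
            ('bob',   'hash_bob',   0);
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str):
    # VULNERABLE on purpose: the untrusted value is pasted into the SQL text,
    # so a quote in the input changes the structure of the statement.
    sql = f"SELECT username, is_admin FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str):
    # Hardened form: the value travels as a bound parameter and can never be
    # parsed as SQL, whatever characters it contains.
    sql = "SELECT username, is_admin FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Payloads in the style sqlmap generates automatically.
PAYLOAD_TAUTOLOGY = "' OR '1'='1"                                 # returns every row
PAYLOAD_BLIND_TRUE = "alice' AND 1=1--"                           # row comes back
PAYLOAD_BLIND_FALSE = "alice' AND 1=2--"                          # row disappears
PAYLOAD_UNION = "' UNION SELECT password_hash, 1 FROM users--"    # dumps another column


def run_demo(conn: sqlite3.Connection) -> dict:
    """Return what each payload yields against both query styles."""
    return {
        "tautology_vuln": sorted(lookup_vulnerable(conn, PAYLOAD_TAUTOLOGY)),
        "tautology_safe": lookup_safe(conn, PAYLOAD_TAUTOLOGY),
        # Boolean-based blind: sqlmap infers data one bit at a time by
        # comparing the responses to a true and a false condition.
        "blind_true": lookup_vulnerable(conn, PAYLOAD_BLIND_TRUE),
        "blind_false": lookup_vulnerable(conn, PAYLOAD_BLIND_FALSE),
        "union_vuln": sorted(lookup_vulnerable(conn, PAYLOAD_UNION)),
        "union_safe": lookup_safe(conn, PAYLOAD_UNION),
    }


if __name__ == "__main__":
    for name, rows in run_demo(make_db()).items():
        print(f"{name:15s} -> {rows}")
```

The blind pair is the interesting one for defenders: the true and false conditions both return HTTP 200 from a web application, and only the page content differs, which is why sqlmap's boolean-based technique survives in places where error-based injection has been silenced.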

Spiderfoot

Spiderfoot is one of the best (and one of our favorite) reconnaissance tools for automated OSINT. Written by Steve Micallef, Spiderfoot queries over 100 public data sources and gathers intelligence about names, email addresses, domain names, IP addresses and more. All of the data is centralized in one single tool, helping red teams make their information-gathering process that much faster and more efficient.

EyeWitness 

EyeWitness takes screenshots of a list of web applications, records server header information for each, and flags known default credentials where it recognizes the application. Fed the HTTP/HTTPS ports from an Nmap scan, it lets a red team triage hundreds of web interfaces visually instead of opening each one by hand.

dnsrecon

dnsrecon is a DNS enumeration tool: it checks for zone transfers (AXFR), brute-forces subdomains from a wordlist, performs reverse lookups across IP ranges and enumerates common SRV records, giving a red team a picture of a target's name space before any host is touched directly.

truffleHog 

truffleHog searches git repositories for secrets, digging into the full commit history and every branch rather than only the current tree, so keys that were committed and later deleted are still found. It combines regular expressions for known credential formats with an entropy check that catches random-looking strings those patterns miss.
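To make the two detection strategies concrete, here is an added example (not truffleHog's own code) that runs a known-format rule and a Shannon-entropy check over a few constructed lines of the kind git history would produce. The AWS key strings are the documented example values, not live credentials; the threshold and the `scan_git_history` helper are this example's assumptions.

```python
"""Secret scanning in the style of truffleHog: regex rules for known key formats
plus a Shannon-entropy check for high-entropy strings. Added example, not the
truffleHog code base."""
import math
import re
import subprocess

# Known-format rules. The AWS access key ID is the well-known AKIA prefix + 16 chars.
RULES = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}
# Candidates for the entropy check: base64-looking runs of 20 or more characters.
B64_RUN = re.compile(r"[A-Za-z0-9+/=]{20,}")
ENTROPY_THRESHOLD = 4.0  # bits per character (assumed threshold for this demo)


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, estimated from the string's own frequencies."""
    if not s:
        return 0.0
    n = len(s)
    counts: dict = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def scan_lines(lines):
    """Return one finding per rule hit or high-entropy token, with its line number."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        for name, rx in RULES.items():
            for m in rx.finditer(line):
                findings.append({"line": lineno, "rule": name, "match": m.group(0)})
        for m in B64_RUN.finditer(line):
            token = m.group(0)
            ent = shannon_entropy(token)
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high-entropy",
                                 "match": token, "entropy": round(ent, 2)})
    return findings


def scan_git_history(repo_path: str):
    """Feed every line ever added on any branch into scan_lines.
    Requires git on PATH; not exercised by the sample run below."""
    out = subprocess.run(["git", "-C", repo_path, "log", "-p", "--all"],
                         capture_output=True, text=True, check=True).stdout
    added = [l[1:] for l in out.splitlines()
             if l.startswith("+") and not l.startswith("+++")]
    return scan_lines(added)


# Constructed sample lines standing in for "git log -p" output.
SAMPLE_LINES = [
    "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE",
    "aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "print('hello world')",
    "token = 'ghp_' + get_token()",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        print(f)
```

Note what each detector catches: the access key ID has a fixed prefix and low entropy, so only the regex finds it; the secret key has no recognizable prefix, so only the entropy check finds it. A scanner that relies on one strategy alone misses half of this pair.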

Maltego 

Maltego is a link-analysis platform for OSINT. It represents people, e-mail addresses, domains, IP addresses, organizations and similar items as entities on a graph and expands them with "transforms" that query public and commercial data sources, so a red team can see how the pieces of a target's footprint relate to each other rather than as separate lists.

OSINT Framework

OSINT Framework is another one of our favorite security information gathering tools; so much so that we even have a fully dedicated article to it. This cybersecurity framework is used for reconnaissance, intel gathering and OSINT research. OSINT Framework is a handy collection of OSINT tools filtered by categories, making red teams’ intel gathering tasks much easier.

Shodan

Often called the "search engine for hackers", Shodan continuously scans the Internet and indexes the service banners it collects from servers, routers, webcams, industrial control systems and other connected devices. It does not scan on your behalf; you search its index for products, versions, ports, organizations or geographic areas. Because so many IoT and embedded devices ship with weak or no security, Shodan results are a quick way to find an organization's exposed assets, including ones it does not know about. Among its more alarming contents are traffic control systems, building heating controllers and power plant interfaces, which should be reason enough for any organization to check what Shodan already knows about its address space.

Weaponization

Social Engineering Toolkit (SET)

The Social Engineering Toolkit, or SET for short, is a free, open source tool that bundles numerous social engineering attack techniques. These include cloning a legitimate site to create a credential-harvesting phishing page, plus attack vectors such as spear phishing, website attacks, mass mailing and more.

Metasploit

Metasploit is an open source exploitation framework with a free version (Metasploit Framework) and a commercial version (Metasploit Pro, from Rapid7). Security professionals and red teams use it to discover vulnerabilities and to develop, test and execute exploits. The Framework also ships auxiliary modules for vulnerability scanning and host enumeration, and evasion modules for generating payloads that avoid detection.

Invoke-Obfuscation

PowerShell Obfuscator. https://github.com/danielbohannon/Invoke-Obfuscation

Invoke-CradleCrafter 

PowerShell remote download cradle generator and obfuscator. https://github.com/danielbohannon/Invoke-CradleCrafter

Invoke-DOSfuscation 

cmd.exe Command Obfuscation Generator & Detection Test Harness. https://github.com/danielbohannon/Invoke-DOSfuscation

morphHTA 

Morphing Cobalt Strike’s evil.HTA. https://github.com/vysec/morphHTA

Unicorn 

Unicorn is a simple tool for performing a PowerShell downgrade attack and injecting shellcode straight into memory. https://github.com/trustedsec/unicorn

Shellter 

Shellter is a dynamic shellcode injection tool that infects existing Windows PE executables; its authors describe it as the first truly dynamic PE infector. https://www.shellterproject.com/

EmbedInHTML 

EmbedInHTML embeds and hides any file inside an HTML file. https://github.com/Arno0x/EmbedInHTML

SigThief 

SigThief copies the Authenticode signature from a signed binary onto another file, "stealing signatures and making one invalid signature at a time", as its README puts it. The resulting signature does not validate, but it defeats tooling that only checks whether a signature is present. https://github.com/secretsquirrel/SigThief

Veil

Veil Framework is one of the most popular antivirus evasion tools available and one of the most valuable red team tools. Red teams use it to generate Metasploit-compatible payloads in several languages (Python, C, PowerShell, Ruby and Go among them) that bypass many common antivirus solutions.

Invoke-PSImage

Invoke-PSImage embeds a PowerShell script in the pixels of a PNG file and generates a one-liner to execute it. https://github.com/peewpw/Invoke-PSImage

PowerShdll 

PowerShdll runs PowerShell through rundll32, bypassing software restriction policies that block powershell.exe. https://github.com/p3nt4/PowerShdll

avet 

avet (AntiVirusEvasionTool) targets Windows machines with executable files built using different evasion techniques. https://github.com/govolution/avet

Delivery

Gophish

Gophish is an open-source phishing framework that’s highly useful in red team operations. It can help create phishing campaigns easily and schedule them, launch them, and finally track results from the campaign to test an organization’s awareness of and susceptibility to phishing attacks.

Hashcat

Hashcat is, as its authors claim, the "world's fastest password cracker". It is an open source password hash cracker that red teams use to recover plaintext passwords from hashes captured during an engagement, with dictionary, rule-based, mask and hybrid attacks accelerated on GPUs. Note that Hashcat cracks hashes offline; it does not attempt logins against live systems. It is a great, easy open source tool to have in a red team's arsenal.
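Hashcat's speed comes from GPUs, but its method is simple: generate candidates from a wordlist, mutate them with rules, hash each one and compare against every target hash at once. The following added example (not Hashcat's code) implements that loop in plain Python for SHA-256 so the rule composition is visible; the wordlist, rules and target passwords are constructed for the demo.

```python
import hashlib
from itertools import product


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed wordlist and a few rule functions in the spirit of Hashcat rules.
WORDLIST = ["password", "summer", "welcome", "company"]


def rule_identity(w: str) -> str:
    return w


def rule_capitalize(w: str) -> str:
    return w.capitalize()


def rule_append_year(w: str) -> str:
    return w + "2024"


def rule_leet(w: str) -> str:
    return w.replace("a", "@").replace("e", "3").replace("o", "0")


RULES = [rule_identity, rule_capitalize, rule_append_year, rule_leet]


def candidates(wordlist, rules, chain_len: int = 2):
    """Yield each unique candidate produced by applying chains of rules to each word.
    chain_len=2 with the identity rule covers single rules and ordered pairs."""
    seen = set()
    for word in wordlist:
        for chain in product(rules, repeat=chain_len):
            cand = word
            for rule in chain:
                cand = rule(cand)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(targets: set, wordlist=WORDLIST, rules=RULES) -> dict:
    """Map each cracked target hash to its plaintext. All targets are checked
    per candidate, so cost grows with candidates, not with number of hashes."""
    found = {}
    for cand in candidates(wordlist, rules):
        h = sha256_hex(cand)
        if h in targets and h not in found:
            found[h] = cand
            if len(found) == len(targets):
                break
    return found


if __name__ == "__main__":
    # Constructed targets: two crackable passwords and one that is not in reach.
    targets = {sha256_hex("Summer2024"), sha256_hex("p@ssw0rd"), sha256_hex("correct horse")}
    for h, plain in crack(targets).items():
        print(h[:16], "->", plain)
```

The break-out when every hash is cracked and the set-based lookup are the two things that matter at scale; Hashcat does the same with bitmaps on the GPU. Rule chains explode combinatorially (four rules at length two already give sixteen chains per word), which is why a good wordlist plus a small, targeted rule set usually beats a huge rule set.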

King Phisher

King Phisher is an open source phishing campaign tool that simulates real-world phishing attacks. This phishing tool can be used to run different and separate campaigns simultaneously, and use them for simple security awareness training as part of your cybersecurity culture. It’s also effective for more complex scenarios involving credential harvesting.

Modlishka 

Modlishka is a flexible and powerful reverse proxy for phishing campaigns: it sits between the victim and the real site, relays the genuine pages in real time and captures credentials and session tokens as they pass through, which lets it handle targets protected by 2FA. https://github.com/drk1wi/Modlishka

Evilginx2 

Evilginx2 is a man-in-the-middle attack framework used for phishing credentials and session cookies of any web service, again by proxying the real login flow rather than cloning it. https://github.com/kgretzky/evilginx2

BeEF

BeEF is short for The Browser Exploitation Framework. It is a penetration testing tool that focuses on the web browser: once a victim loads its JavaScript hook, the browser can be fingerprinted, driven and used as a pivot into the internal network. https://github.com/beefproject/beef

CredSniper 

CredSniper is a phishing framework written with the Python micro-framework Flask and Jinja2 templating that supports capturing 2FA tokens. https://github.com/ustayready/CredSniper

PwnAuth 

PwnAuth is a web application framework for launching and managing OAuth abuse campaigns, in which the victim grants a malicious application access to their account instead of handing over a password. https://github.com/fireeye/PwnAuth

Privilege escalation

PowerUp

PowerUp is a PowerShell tool that offers checks for common Windows misconfigurations as well as a number of Windows privilege attack methods, to help you with local privilege escalation on Windows systems. Additionally, it offers methods to abuse vulnerable services and other escalation opportunities.

BeRoot

BeRoot is a post-exploitation tool that checks a host for common misconfigurations that allow privilege escalation. It detects these weaknesses but does not exploit them; when it finds something, you can write a template to exploit it yourself.

BloodHound

BloodHound is a widely used security tool for both red and blue teams. It collects Active Directory relationships (group membership, local admin rights, logged-on sessions, ACL rights and more) and loads them into a graph database so they can be visualized and queried. For a red team, BloodHound turns domain escalation into a graph problem: pick a compromised principal as the start node and ask for the shortest path to Domain Admins.
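The query BloodHound is best known for, shortest path from an owned principal to a high-value group, is a breadth-first search over typed edges. This added example (not BloodHound's code) runs that search over a small constructed graph using BloodHound's own edge names; it also shows why analysts filter edge types, since a path that depends on a logged-on session disappears when the user logs off.

```python
from collections import deque

# Constructed toy AD graph: (source, edge type, target), using BloodHound edge names.
# HasSession points from the computer to the user who has a session on it.
EDGES = [
    ("USER:jdoe",            "MemberOf",   "GROUP:Domain Users"),
    ("USER:jdoe",            "MemberOf",   "GROUP:Helpdesk"),
    ("GROUP:Helpdesk",       "AdminTo",    "COMPUTER:WS01"),
    ("COMPUTER:WS01",        "HasSession", "USER:svc_backup"),
    ("USER:svc_backup",      "MemberOf",   "GROUP:Server Admins"),
    ("GROUP:Server Admins",  "AdminTo",    "COMPUTER:SRV01"),
    ("COMPUTER:SRV01",       "HasSession", "USER:da_admin"),
    ("USER:da_admin",        "MemberOf",   "GROUP:Domain Admins"),
    ("USER:bob",             "MemberOf",   "GROUP:Domain Users"),
]


def build_graph(edges):
    """Adjacency list: node -> list of (edge_type, neighbour)."""
    graph = {}
    for src, kind, dst in edges:
        graph.setdefault(src, []).append((kind, dst))
        graph.setdefault(dst, [])
    return graph


def shortest_path(graph, start, goal, exclude=frozenset()):
    """BFS over directed edges, skipping edge types in `exclude`.
    Returns the path as a list of (src, edge_type, dst) or None if unreachable."""
    if start not in graph:
        return None
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while parent[node] is not None:
                prev, kind = parent[node]
                path.append((prev, kind, node))
                node = prev
            return list(reversed(path))
        for kind, nxt in graph[node]:
            if kind in exclude or nxt in parent:
                continue
            parent[nxt] = (node, kind)
            queue.append(nxt)
    return None


def principals_with_path(graph, goal, prefix="USER:", exclude=frozenset()):
    """Which users can reach the goal at all? The blue-team view of the same graph."""
    return sorted(n for n in graph
                  if n.startswith(prefix) and n != goal
                  and shortest_path(graph, n, goal, exclude) is not None)


if __name__ == "__main__":
    g = build_graph(EDGES)
    for hop in shortest_path(g, "USER:jdoe", "GROUP:Domain Admins") or []:
        print("  %s -[%s]-> %s" % hop)
    print("reachable without sessions:",
          principals_with_path(g, "GROUP:Domain Admins", exclude={"HasSession"}))
```

Run as written, jdoe reaches Domain Admins in seven hops through two session edges; exclude `HasSession` and the path is gone, which is the practical argument for the blue team to keep privileged accounts from leaving sessions on workstations and member servers.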

Lateral movement

PAExec

PAExec is a free, open source clone of Microsoft's PsExec. Built as a remote administration tool, it lets a red team execute commands and open interactive shells on remote Windows machines over SMB without installing client software there, which makes it a handy lateral-movement utility once valid credentials are in hand.

CrackMapExec

CrackMapExec, or as its creator calls it, "the swiss army knife for pen testing networks", is a Python-based post-exploitation tool for Active Directory environments. It sprays credentials or hashes across large numbers of hosts over SMB and other protocols, executes commands where they work, and can run Mimikatz remotely to dump further credentials, which makes it a workhorse for moving laterally through a domain.

GoFetch 

It is a tool to automatically exercise an attack plan generated by the BloodHound application. https://github.com/GoFetchAD/GoFetch

SharpHound 

C# Rewrite of the BloodHound Ingestor. https://github.com/BloodHoundAD/SharpHound

PowerSploit 

It is a collection of Microsoft PowerShell modules that can be used to aid penetration testers during all phases of an assessment. https://github.com/PowerShellMafia/PowerSploit

Nishang 

It is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security, penetration testing and red teaming. Nishang is useful during all phases of penetration testing. https://github.com/samratashok/nishang

Impacket 

It is a collection of Python classes for working with network protocols. Impacket is focused on providing low-level programmatic access to the packets and for some protocols (for instance NMB, SMB1-3 and MS-DCERPC) the protocol implementation itself. https://github.com/CoreSecurity/impacket

RedSnarf 

It is a pen-testing / red-teaming tool for Windows environments. https://github.com/nccgroup/redsnarf

Inveigh

It is a Windows PowerShell LLMNR/mDNS/NBNS spoofer/man-in-the-middle tool. https://github.com/Kevin-Robertson/Inveigh

PowerUpSQL 

It is a PowerShell Toolkit for Attacking SQL Server. https://github.com/NetSPI/PowerUpSQL

MailSniper 

It is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). https://github.com/dafthack/MailSniper

DomainPasswordSpray 

It is a tool written in PowerShell to perform a password spray attack against users of a domain. https://github.com/dafthack/DomainPasswordSpray

WMIOps 

It is a PowerShell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It is designed primarily for use on penetration tests or red team engagements. https://github.com/ChrisTruncer/WMIOps

Command and Control

Pupy 

It is an opensource, cross-platform (Windows, Linux, OSX, Android) remote administration and post-exploitation tool mainly written in python. https://github.com/n1nj4sec/pupy

Empire 

It is a post-exploitation framework that includes a pure-PowerShell2.0 Windows agent, and a pure Python 2.6/2.7 Linux/OS X agent. https://github.com/EmpireProject/Empire

Cobalt Strike

Cobalt Strike is commercial software for adversary simulations and red team operations; its Beacon agent is the remote access tool that the team controls through a central team server. https://cobaltstrike.com/

Exfiltrate and complete

Cloakify Factory

In red team operations, collecting important information from the target is only half the job; the other half is moving that data out without being noticed. Cloakify Factory transforms any file into a list of innocuous-looking strings (IP addresses, place names, song titles and similar "ciphers") so that the data hides in plain sight and slips past DLP systems and network monitoring that look for known file types or patterns. It is text-based steganography rather than encryption, and a defender who spots the pattern can recover the data just as easily.
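To show what "transforming data into strings" means mechanically, here is an added example (not the Cloakify Factory code) that implements the same idea: base64-encode the file, then substitute one innocuous string from a cipher list for each base64 symbol, so the output looks like a list of IP addresses. The cipher list here is generated for the demo; a real cipher would be hand-curated to blend into the target's traffic.

```python
import base64

# One symbol per base64 alphabet character plus the '=' padding character.
B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/="

# Constructed cipher: 65 unique, boring-looking strings (here, fake IP addresses).
# Cloakify ships curated lists; this one is generated only so the demo runs offline.
CIPHER = [f"10.20.{i // 8}.{(i * 31) % 251 + 1}" for i in range(len(B64_ALPHABET))]


def validate_cipher(cipher) -> bool:
    """A cipher must have exactly one distinct line per base64 symbol, or decoding is ambiguous."""
    return len(cipher) == len(B64_ALPHABET) and len(set(cipher)) == len(cipher)


def cloak(data: bytes, cipher=CIPHER) -> list:
    """Return the file as a list of cipher strings, one per base64 character."""
    if not validate_cipher(cipher):
        raise ValueError("cipher must contain 65 unique lines")
    table = dict(zip(B64_ALPHABET, cipher))
    return [table[ch] for ch in base64.b64encode(data).decode("ascii")]


def decloak(lines, cipher=CIPHER) -> bytes:
    """Reverse the substitution and base64-decode; unknown lines are rejected."""
    table = dict(zip(cipher, B64_ALPHABET))
    try:
        b64 = "".join(table[line] for line in lines)
    except KeyError as exc:
        raise ValueError(f"line not in cipher: {exc.args[0]}") from None
    return base64.b64decode(b64)


def looks_cloaked(lines, cipher=CIPHER) -> bool:
    """Cheap defender-side heuristic: a long list drawn entirely from one small
    vocabulary, with a length that is a multiple of 4, smells like cloaked base64."""
    vocab = set(cipher)
    return len(lines) >= 16 and len(lines) % 4 == 0 and all(l in vocab for l in lines)


if __name__ == "__main__":
    secret = b"exfil me: user=svc_backup pass=Winter2024!"
    cloaked = cloak(secret)
    print("\n".join(cloaked[:6]), "\n...", len(cloaked), "lines")
    assert decloak(cloaked) == secret
```

The `looks_cloaked` check is the caveat in practice: because every line comes from a fixed vocabulary of 65 strings, frequency analysis or simply noticing a 4 KB "list of IPs" that repeats the same 65 values exposes the channel. The trick buys time against signature-based DLP, not against an analyst.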

DNSExfiltrator

Another tool to aid in file transfer and data exfiltration is DNSExfiltrator. It encodes the file so that it fits inside DNS query names, splits it across many queries to a domain the attacker controls, and lets the attacker's authoritative name server reassemble the pieces. Because almost every network allows outbound DNS resolution, this covert channel works even where direct outbound connections are blocked.
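The constraints that shape a DNS covert channel are the protocol's own: labels of at most 63 characters, names of at most 253, and case-insensitive matching (which rules out base64). This added example (not DNSExfiltrator's code) builds the query names for a payload under those limits, reassembles them in any order on the receiving side, and includes a simple length-based heuristic of the kind a detection team would run over DNS logs. The domain name and the sequence-number layout are this example's assumptions.

```python
import base64

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical limit for a full domain name


def build_queries(data: bytes, domain: str, labels_per_query: int = 3) -> list:
    """Encode `data` as base32 (case-insensitive, DNS-safe), split it into labels and
    group the labels into query names of the form <seq>.<label>.<label>.<label>.<domain>."""
    enc = base64.b32encode(data).decode("ascii").rstrip("=").lower()
    labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
    queries = []
    for seq, i in enumerate(range(0, len(labels), labels_per_query)):
        name = ".".join([str(seq)] + labels[i:i + labels_per_query] + [domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long; lower labels_per_query")
        queries.append(name)
    return queries


def reassemble(queries, domain: str) -> bytes:
    """The receiving name server's side: strip the domain, order by sequence number,
    re-pad the base32 text and decode. Order of arrival does not matter."""
    parts = {}
    for q in queries:
        body = q[: -(len(domain) + 1)]          # drop ".<domain>"
        seq, *labels = body.split(".")
        parts[int(seq)] = "".join(labels)
    enc = "".join(parts[k] for k in sorted(parts)).upper()
    enc += "=" * (-len(enc) % 8)                # restore base32 padding
    return base64.b32decode(enc)


def is_suspicious(name: str, max_label: int = 40, max_name: int = 120) -> bool:
    """Detection heuristic (assumed thresholds): legitimate hostnames rarely have a
    label over 40 characters or a total length over 120; exfil queries almost always do."""
    labels = name.split(".")
    return max(len(l) for l in labels) > max_label or len(name) > max_name


if __name__ == "__main__":
    domain = "exfil.example.com"                      # assumed attacker-controlled zone
    payload = bytes(range(256)) * 2                    # constructed 512-byte sample
    qs = build_queries(payload, domain)
    print(len(qs), "queries, first:", qs[0][:60] + "...")
    assert reassemble(reversed(qs), domain) == payload
    print("flagged:", sum(is_suspicious(q) for q in qs), "of", len(qs))
```

Real tools add a per-transfer identifier, a query-type choice (TXT responses for the downstream direction) and pacing so the query rate looks normal. The heuristic above is deliberately crude; a volume check (many unique subdomains of one zone in a short window) catches the slow, short-label variant that defeats per-query length rules.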

DET

DET, or Data Exfiltration Toolkit, is an easy tool to use. It is a proof of concept for identifying DLP (data loss prevention) failures: it exfiltrates data over ICMP, social media platforms or even Gmail, using either a single channel or several channels at the same time, so a red team can report exactly which paths out of the network go unwatched.

Powershell-RAT

PowerShell-RAT is a Python- and PowerShell-based tool used to backdoor Windows hosts. It uses Gmail to exfiltrate data (including periodic screenshots) as e-mail attachments. The project presents itself as evading common antivirus products; as with every tool on this list, that claim should be tested against the target's actual endpoint defenses before relying on it.

PyExfil 

It is a Python Package for Data Exfiltration. https://github.com/ytisf/PyExfil

Egress-Assess 

It is a tool used to test egress data detection capabilities. https://github.com/ChrisTruncer/Egress-Assess
