Tools

Improve post-exploitation workflows by upgrading a non-interactive shell to a full TTY, enhancing control over a compromised system.

BloodHound is a powerful tool for analyzing Active Directory environments, helping red teamers and pen testers visualize complex relationships, identify security risks and attack paths, and develop effective mitigation strategies to strengthen an organization’s security posture.

Mythic is a powerful, open-source post-exploitation framework that offers red teamers and pen testers an extensible and customizable platform with numerous modules, agents, and C2 profiles to enhance their engagements and achieve objectives in various target environments.

This article provides a comprehensive guide to using Covenant, a powerful command and control framework for red teaming and post-exploitation operations.

This comprehensive guide explores Nishang, a collection of PowerShell scripts designed for penetration testing and red teaming, covering PowerShell basics, Nishang modules, advanced techniques, real-world applications, and modern evasion methods.

Though legacy in name, Empire established the blueprint for modern C2. We explore the BC-Security fork, listeners, stagers, and how to operate a PowerShell-heavy campaign.

Moving beyond rockyou.txt: Building dedicated cracking infrastructure, optimizing Hashcat for enterprise targets, and generating custom targeted wordlists.

A massive, comprehensive deep-dive into the Metasploit Framework for professional red teamers. Learn how to manage workspaces, master advanced Meterpreter extensions like Kiwi and Incognito, understand payload internals (Staged vs. Non-Staged), automate listeners with Resource Scripts, and pivot through complex networks.

A comprehensive deep-dive into PsExec for offensive operations. Learn how it works under the hood, how to leverage Pass-the-Hash with Impacket, advanced techniques for service name evasion, and understand the massive forensic footprint it leaves so you know when (and when NOT) to use it.

A comprehensive deep-dive into using sc.exe for offensive operations. Learn how to weaponize the Windows Service Control Manager for remote code execution, establish robust persistence via service failure actions, change permissions with subinacl, and bypass EDR controls using kernel-mode drivers.

A comprehensive deep-dive into Wmic for offensive security. Learn how to interrogate system internals, perform lateral movement, discover security software, abuse XSL transformation for code execution, and understand the forensic footprint of WMI activity.

A comprehensive guide to Active Directory reconnaissance with built-in tooling. Learn how to discover privileged accounts, identify service accounts, spot unconstrained delegation, and operate when RSAT isn’t installed.

A comprehensive deep-dive into advanced Windows command-line tools. Learn how to leverage modern binaries like curl and tar, abuse legacy tools for download and execution, and perform stealthy data theft and persistence without triggering alerts.

A comprehensive deep-dive into Chisel, the ultimate tool for bypassing network restrictions via SSH-over-HTTP. Learn how to master forward and reverse tunnels, establish stealthy SOCKS proxies, harden your infrastructure with TLS, and change the source code for evasion.

A deep-dive into the technical requirements and execution of Pass-the-Hash for Remote Desktop Protocol (RDP). Learn the correct xfreerdp syntax, how to enable Restricted Admin Mode remotely, troubleshoot NLA errors, and understand the forensic “Type 3” logon anomaly.

A deep-dive guide into advanced network tunneling techniques. Learn to combine Iptables, SSH (Local, Remote, Dynamic, and Reverse Dynamic), Windows Netsh, and Socat to bypass firewalls, pivot through sophisticated network segments, and maintain a low profile during engagements. Now covers modern tools like Chisel and Ligolo-ng.

A comprehensive guide for red team operators on using Impacket’s mssqlclient.py to discover, authenticate, and exploit Microsoft SQL Server instances. Learn to achieve RCE via xp_cmdshell and OLE Automation, steal hashes via UNC path coercion (xp_dirtree), abuse linked servers, and extract sensitive data stealthily.

A massive, comprehensive deep-dive into leveraging Impacket’s powerful SMB tools for offensive operations. Learn how to access shares using smbclient.py, host malicious shares with smbserver.py, perform high-impact NTLM relaying, dump domain secrets with secretsdump.py, and troubleshoot protocol hurdles.

A massive, comprehensive deep-dive into smbclient, covering SMB architecture, essential enumeration techniques, data exfiltration, Pass-the-Hash, advanced automation, and forensic considerations for red team operations.

A comprehensive guide to installing and mastering Impacket, covering installation via pipx, deep dives into core tools, and advanced authentication attacks.