Tools

Improve post-exploitation workflows by upgrading a non-interactive shell to a full TTY, enhancing control over a compromised system.

BloodHound is a powerful tool for analyzing Active Directory environments, helping red teamers and pen testers visualize complex relationships, identify security risks and attack paths, and develop effective mitigation strategies to strengthen an organization’s security posture.

Mythic is a powerful, open-source post-exploitation framework that offers red teamers and pen testers an extensible and customizable platform with numerous modules, agents, and C2 profiles to enhance their engagements and achieve objectives in various target environments.

This article provides a comprehensive guide to using Covenant, a powerful command and control framework for red teaming and post-exploitation operations.

This comprehensive guide explores Nishang, a collection of PowerShell scripts designed for penetration testing and red teaming, covering PowerShell basics, Nishang modules, advanced techniques, real-world applications, and modern evasion methods.

A working tour of the BC Security Empire fork in 2026. Listeners, stagers, and the four agent types Empire ships today (PowerShell, Python, IronPython, and Sharpire/C#). Plus an honest read on where Empire still earns its keep in 2026, where Sliver and Havoc have eaten its lunch, and what AMSI evasion actually looks like now that Defender has shipped signatures for the obvious bypasses.

A working operator’s view of password cracking past rockyou.txt. Building a dedicated GPU rig (and when to burst to cloud), tuning Hashcat for fast and slow hash types, generating context-specific wordlists with CeWL and PRINCE, and writing rules that target how humans actually compose passwords inside an enterprise.

A working operator’s guide to Metasploit. Covers the module taxonomy, why you actually want the database initialized, staged vs non-staged payloads and when each one matters, Meterpreter’s load-bearing extensions (stdapi, kiwi, incognito, priv), pivoting (autoroute, portfwd, SOCKS), and resource scripts for the listener setup you’d otherwise type a hundred times an engagement.

A deep-dive into PsExec for offensive work. How it works under the hood, how to leverage pass-the-hash with Impacket, service-name evasion, and the forensic footprint it leaves so you know when to reach for it and when to reach for something else.

A deep-dive into sc.exe for offensive work. Weaponize the Windows Service Control Manager for remote code execution, persist via service failure actions, exploit weak service ACLs, and load kernel drivers.

A deep-dive into Wmic for offensive work. Interrogate system internals, move laterally, find security software, abuse XSL transforms for code execution, and understand the forensic footprint WMI leaves behind.

A guide to Active Directory reconnaissance with built-in tooling. Discover privileged accounts, identify service accounts, spot unconstrained delegation, and operate when RSAT isn’t installed.

A comprehensive deep-dive into advanced Windows command-line tools. Learn how to leverage modern binaries like curl and tar, abuse legacy tools for download and execution, and perform stealthy data theft and persistence without triggering alerts.

A practical walkthrough of Chisel for tunneling — reverse SOCKS, port forwarding, TLS hardening with a real cert, source-level evasion tweaks, and how it compares to Ligolo-ng.

How Pass-the-Hash actually works against RDP — what makes it normally fail, why Restricted Admin Mode flips that around, the correct xfreerdp syntax, RDP-over-SOCKS tuning, and the Logon Type 3 anomaly that gives the technique away.

A working guide to network tunneling for offensive ops — iptables NAT, every flavor of SSH forwarding (including reverse SOCKS and ProxyJump), Windows netsh portproxy, socat, and the modern compiled tools that have largely replaced everything else (Chisel and Ligolo-ng).

A red team walkthrough of Impacket’s mssqlclient.py — discovery, every common auth method, RCE via xp_cmdshell / OLE Automation / CLR, hash capture via xp_dirtree, linked-server hops, file transfer over TDS, and finding the data that actually matters.

A walkthrough of Impacket’s SMB tooling for offensive work — smbclient.py, smbserver.py, secretsdump.py, and ntlmrelayx.py. Covers Pass-the-Hash, hash capture via UNC paths, DCSync, and cross-protocol NTLM relay.

A long walkthrough of smbclient for offensive work — SMB dialects, enumeration, bulk exfiltration, Pass-the-Ticket via Kerberos, opsec around credentials, and what the blue team sees when you connect.

A comprehensive guide to installing and mastering Impacket, covering installation via pipx, deep dives into core tools, and advanced authentication attacks.