
Tools

BloodHound: Analyzing Active Directory for Security Risks and Attack Paths

1685 words · 8 mins
BloodHound is a powerful tool for analyzing Active Directory environments, helping red teamers and pen testers visualize complex relationships, identify security risks and attack paths, and develop effective mitigation strategies to strengthen an organization’s security posture.

Mythic: An Introduction to the Open Source Post-Exploitation Framework

1528 words · 8 mins
Mythic is a powerful, open-source post-exploitation framework that offers red teamers and pen testers an extensible and customizable platform with numerous modules, agents, and C2 profiles to enhance their engagements and achieve objectives in various target environments.

SharpSocks: A .NET-Based Proxy for Red Teaming and Network Penetration Testing

1022 words · 5 mins
SharpSocks is a powerful .NET-based proxy tool for red teaming and network penetration testing that enables encrypted communications, protocol obfuscation, and access to internal resources, providing professional hackers with stealth and persistence in their engagements.

Covenant: Mastering Red Teaming Tactics

2271 words · 11 mins
This article provides a comprehensive guide to using Covenant, a powerful command and control framework for red teaming and post-exploitation operations.

Nishang: PowerShell Scripts for Penetration Testing and Red Teaming

7152 words · 34 mins
This comprehensive guide explores Nishang, a collection of PowerShell scripts designed for penetration testing and red teaming, covering PowerShell basics, Nishang modules, advanced techniques, real-world applications, and modern evasion methods.

The Swiss Army Knife of Exploitation: Mastering the Metasploit Framework

2689 words · 13 mins
A working operator’s guide to Metasploit. Covers the module taxonomy, why you actually want the database initialized, staged vs non-staged payloads and when each one matters, Meterpreter’s load-bearing extensions (stdapi, kiwi, incognito, priv), pivoting (autoroute, portfwd, SOCKS), and resource scripts for the listener setup you’d otherwise type a hundred times an engagement.

PsExec: The Double-Edged Sword of Remote Execution

884 words · 5 mins
A deep-dive into PsExec for offensive work. How it works under the hood, how to leverage pass-the-hash with Impacket, service-name evasion, and the forensic footprint it leaves so you know when to reach for it and when to reach for something else.

The Silent Interrogator: Advanced Wmic for Red Team Operations

907 words · 5 mins
A deep-dive into Wmic for offensive work. Interrogate system internals, move laterally, find security software, abuse XSL transforms for code execution, and understand the forensic footprint WMI leaves behind.

Chisel: The Stealthy Architect of Network Tunnels

1172 words · 6 mins
A practical walkthrough of Chisel for tunneling — reverse SOCKS, port forwarding, TLS hardening with a real cert, source-level evasion tweaks, and how it compares to Ligolo-ng.

The Ghost in the Machine: Using xfreerdp and Pass-the-Hash for RDP

1160 words · 6 mins
How Pass-the-Hash actually works against RDP — what makes it normally fail, why Restricted Admin Mode flips that around, the correct xfreerdp syntax, RDP-over-SOCKS tuning, and the Logon Type 3 anomaly that gives the technique away.

Mastering the Maze: Advanced Tunneling and Port Redirection for Red Team Operators

1540 words · 8 mins
A working guide to network tunneling for offensive ops — iptables NAT, every flavor of SSH forwarding (including reverse SOCKS and ProxyJump), Windows netsh portproxy, socat, and the modern compiled tools that have largely replaced everything else (Chisel and Ligolo-ng).

Master the Database - Exploiting Microsoft SQL Server with Impacket

1210 words · 6 mins
A red team walkthrough of Impacket’s mssqlclient.py — discovery, every common auth method, RCE via xp_cmdshell / OLE Automation / CLR, hash capture via xp_dirtree, linked-server hops, file transfer over TDS, and finding the data that actually matters.

Master SMB Operations - Using Impacket to Conquer Windows Shares

1421 words · 7 mins
A walkthrough of Impacket’s SMB tooling for offensive work — smbclient.py, smbserver.py, secretsdump.py, and ntlmrelayx.py. Covers Pass-the-Hash, hash capture via UNC paths, DCSync, and cross-protocol NTLM relay.