Exfiltration
DNS
Collabfiltrator: Exfiltrate blind remote code execution output over DNS via Burp Collaborator.
dnsteal: This is a fake DNS server that allows you to stealthily extract files from a victim machine through DNS requests.
Credentials
LaZagne: The LaZagne project is an open-source application used to retrieve lots of passwords stored on a local computer. Each software stores its passwords using different techniques (plaintext, APIs, custom algorithms, databases, etc.). This tool has been developed for the purpose of finding these passwords for the most commonly-used software.
LeakedDBParser: Just a quick'n'dirty tool to parse leaked databases (csv-like or sql format).
pypykatz: Mimikatz implementation in pure Python. At least a part of it.
spraykatz: Credential-gathering tool that automates remote procdump and parsing of the lsass process.
SharpKatz: Port of the mimikatz sekurlsa::logonpasswords, sekurlsa::ekeys and lsadump::dcsync commands.
MirrorDump: Another LSASS dumping tool that uses a dynamically compiled LSA plugin to grab an lsass handle and API hooking for capturing the dump in memory.
Tokenvator: A tool to alter privileges using Windows tokens.
juicy-potato: A sugared version of RottenPotatoNG, with a bit of juice, i.e. another Local Privilege Escalation tool, from Windows service accounts to NT AUTHORITY\SYSTEM.
RottenPotatoNG: New version of RottenPotato as a C++ DLL and standalone C++ binary - no need for meterpreter or other tools.
SharpCloud: Simple C# tool that checks for the existence of credential files related to AWS, Microsoft Azure, and Google Compute.
KeeThief: Methods for attacking KeePass 2.X databases, including extraction of encryption key material from memory.
SharpLAPS: Retrieve LAPS passwords from LDAP.
PCredz: This tool extracts credit card numbers, NTLM (DCE-RPC, HTTP, SQL, LDAP, etc.), Kerberos (AS-REQ Pre-Auth etype 23), HTTP Basic, SNMP, POP, SMTP, FTP, IMAP, etc. from a pcap file or from a live interface.
NTLM Theft
Detection
HoneyCreds: Detects network credential poisoners such as Responder and MITM attacks.