Red Siege Tools

Red Siege has developed a number of publicly available open-source tools to help penetration testers and security professionals.


Use case: Quickly identify interesting websites and admin interfaces on large penetration tests.

EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites. You can give it Nessus XML or Nmap XML output and it will visit the site, grab server information, and take a screenshot of the site. It generates a report that is quick and easy to read to help penetration testers quickly identify the sites that are most interesting to attack first. Alternatively, you can provide a list of URLs to scan. The tool is written in Python and has a C# assembly that can can loaded into many C2 frameworks.

EDD – Enumerate Domain Data

Use case: Extract domain information useful to penetration testers and auditors.

Enumerate Domain Data (ED) is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD. The tool is written in C# and can be loaded in to many C2 frameworks.


Use case: Test egress filtering from inside a target network.

Egress-Assess is a tool used to test egress data detection capabilities. It supports exfiltration testing over common protocols such as HTTP, HTTPS, FTP, SMTP, ICMP, SMB, and DNS. The tool being runs an internal client system and an external server where data would be passed over network boundaries. The tool is written in PowerShell and Python.


Use case: Setup persistence in a pen test or red team and clean up the persistence at the end of a test.

PersistAssist is a fully modular persistence framework written in C#. All persistence techniques contain a cleanup method which will server to remove the persistence aside from the persistence code. The main object of this project initially was to build out a fully modular framework meant to make adding new features as simple as inheriting a class and adding the code.


Multiple Cobalt Strike Aggressor scripts for various phases of a pen test or red team assessment.


A number of small tools useful for penetration testing.

  • – extract OS version information from a Bloodhound dump
  • – extract the password last set date for users from a Bloodhound dump
  • – password spraying of Entra ID (Azure AD)
  • – extract from Nmap XML a list of open ports and a count of each open port
  • and – parses Nmap XML output and generates a longer and short form of open ports and service version by host
  • – run’s masscan against a range to quickly identify live hosts and listening ports and uses that information to run a more in depth Nmap scap to get more details on the listening services
  • GetNamesFromServerCert.ps1 and – get names (CN and SAN) from target HTTPS sites
  • – quickly analyze web server headers and identify hosts missing content-security-policy, strict-transport-security, x-frame-options headers and extracts the server version from multiple different headers
  • – a wrapper to SSLyze to identify HTTPS sites with insecure TLS settings


Use case: Translate shellcode bytes into words for entropy analysis evasion.

In order to protect our shellcode loaders, we often use encryption to obfuscate our shellcode. Encryption increases the entropy of our shellcode loader. Some AV & EDR use entropy analysis to determine if a binary is trustworthy for execution. If the entropy of a binary is too high, the agent makes a decision the binary is not trustworth for execution. This is, of course, an oversimplified explanation, but it will work for our purposes.

This project takes raw shellcode and encodes it using a dictionary of words. The dictionary could be a dictionary of English words, the text of a Shakespearean tragedy, or it could be strings extracted from your favorite system DLL. The only requirement is that the dictionary contains at least 256 unique entries and all characters are valid for string literals in C/C++.


Use case: Inflates an executable using dictionary words (low entry) to evade AV/EDR that will not scan large files.

Dig Dug helps you evade some AV/EDR detections by increasing a given executable file size. Some engines will not attempt to analyze a file if the file size is greater than some arbitrary threshold. I have not been able to find any definitive information on this threshold for various engines, discussions on offensive security Slacks and Twitter seem to agree that 100-150MB is an average threshold.

Dig Dug works by appending words from a dictionary to an executable. This dictionary is appended repeatedly until the final desired size of the executable is reached. Some AV&EDR engines, such as CrowdStrike Falcon, may measure entropy as a means of determining if an executable is trustworthy for execution. Other vendors inspect executables for signs of null byte padding. Dig Dug may offer an advantage over similar tools designed to inflate file size in that it does not inflate an executable using random data or null bytes.

By default, Dig Dug uses a modified version of the google-10000-english dictionary. I’ve also supplied a dictionary, exestrings.txt, containing strings extracted from executables in Windows\System32. You can supply your own text dictionary if you prefer, for example, to have the program padded with words from another language.

Dig Dug also incorporates code from SigThief to copy the digital signature from a source executable to the inflated executable.


Use case: Quickly identify web app technologies used on a website.

Multithreaded Wappalyzer CLI tool to find Web Technologies, with optional CSV output.

You can also provide a directory and all scraped data will be saved with a subfolder per host

Allows multiple methods of input, including files, urls, and STDIN. Provided jsut the hostname, it will attempt to access via HTTPS and then HTTP, allowing redirects.


Use case: Simplify Cobalt Strike log output for easier reading.

Stiching back together output in CS logs without splitting it up. Who needs to drop output to disk anyway? (and then risk getting caught, and then download, and then sync). Just send the long output to the terminal and use this to see it in its pristine form (looking at you BloodHound json collect)


Use case: Test credentials from C#, using with multiple C2 frameworks

Small .NET wrapper around LogonUserA to test validity of harvestered credentials within CobaltStrike. Must be run within a domain context.


Use case: Quickly setup Cobalt Strike redirector and malleable C2 profile

Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.


Use case: Generate a “honeyfile” containing a tantalizing GPP password to catch attackers.

This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers.

Blue teams can use this file as a honeyfile. By monitoring for access to the file, Blue Teams can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movment.

Blue Teams can also monitor for use of the credentials as honeycreds.


Use case: Capture authentication attempts on a compromised Linux SSH server.

This tool will dump password authentication attempts to the SSH daemon. Every SSHD child process will get attached to and at the completetion of the process, the attempted passwords and connection logs will be dumped to the script.

This is handy if you are on a pentest and the client scans computers in their networks and attempts to authenticate with Domain Admin credentials. Looking at you Lansweeper.


A small POC of using Azure Functions to relay communications.


Use case: Compress files for extraction via C2

This tool was created to compress files through the command line and will work with Cobalt Strike’s execute-assembly. This also works with other C2 frameworks that allow execution of .NET assemblies. To use, pass in the files to compress (any amount) or pass it a text file of files, and supply an optional password. MiddleOut also accepts UNC paths as well.


Use case: Hash a string for comparison with known values.

Hashes is a tool to quickly hash plaintext strings, or compare hashed values with a plaintext value. When on an assessment, we don’t, and won’t, send found hashes to an online untrusted “hash generator”. We’d rather have an easy way to generate hash values, or compare hashes to plaintext values, quickly. Hashes does this.


C2concealer is a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.


C# port of WMImplant (python) which uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session.


A proof-of-concept on how to execute F# code within an unmanaged process.


ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured


Use case: Upload the file, and capture a screen recording (video) of the desktop.

Run the file and it will create a screenshot or video and save it in the current user’s AppData\Roaming directory with a timestamped name. You can also pass it a flag for the location/filename where you want it saved.


EXCELntDonut is a XLM (Excel 4.0) macro generator. Start with C# source code (EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files.


Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library. In September 1, 2020, NVISO published a blog post about Operation Epic Manchego. A threat actor had been uploading Macro-Enabled Excel Files (xlsm) to VirusTotal with farily ordinary VBA macros. However, the method they used to create the files helped them get past most A/V vendors. Instead of creating the malicious Excel files using Microsoft Office, like everyone does, they used a third-party library called EPPlus. When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn’t catch a simple lolbas payload to get a beacon on a target machine.


Proof-of-concept .NET mssql client for accessing database data through a Cobalt Strike beacon.


Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.

It is used to gather intelligence information passively about a large number of IP addresses, and attempt to extrapolate relationships that might not otherwise be seen. Just-Metadata has “gather” modules which are used to gather metadata about IPs loaded into the framework across multiple resources on the internet. Just-Metadata also has “analysis” modules. These are used to analyze the data loaded Just-Metadata and perform various operations that can identify potential relationships between the loaded systems.

Just-Metadata will allow you to quickly find the Top “X” number of states, cities, timezones, etc. that the loaded IP addresses are located in. It will allow you to search for IP addresses by country. You can search all IPs to find which ones are used in callbacks as identified by VirusTotal. Want to see if any IPs loaded have been documented as taking part of attacks via the Animus Project, Just-Metadata can do it.

Additionally, it is easy to create new analysis modules to let people find other relationships between IPs loaded based on the available data. New intel gathering modules can be easily added in just as easily!


WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results. WMImplant will likely require local administrator permissions on the targeted machine.


Provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode.


WMIOps is a powershell script that uses WMI to perform a variety of actions on hosts, local or remote, within a Windows environment. It’s designed primarily for use on penetration tests or red team engagements.