Red Siege is dedicated to elevating the landscape of information security and penetration testing through our comprehensive testing services and insightful reporting. We also are passionate about empowering the cybersecurity community by providing advanced tools and techniques that enhance security practices.
In our commitment to contribute to the growth of information security, we have developed a wide array of open-source tools specifically designed for penetration testers and cybersecurity professionals. These resources are crafted to streamline security assessments and bolster defense mechanisms effectively.
Explore our extensive collection of cutting-edge tools and resources tailored for the cybersecurity community. Dive into our SiegeCast, “TOOLS OF THE TRADE,” where we showcase essential tools for penetration testing, offering valuable insights and real-world use case scenarios. Enhance your security toolkit by leveraging our expertly developed solutions and stay ahead in the field of information security and penetration testing.
If you have any questions about the tools, please jump into the Red Siege Discord and ask us!
Use case: Quickly identify interesting websites and admin interfaces on large penetration tests.
EyeWitness takes screenshots of websites, collects server header info, and identifies default credentials if possible. Saves a lot of time triaging web sites on large tests. This tool is very commonly used by penetration testers looking to sift through a long list of websites. You can give it Nessus XML or Nmap XML output and it will visit the site, grab server information, and take a screenshot of the site. It generates a report that is quick and easy to read to help penetration testers quickly identify the sites that are most interesting to attack first. Alternatively, you can provide a list of URLs to scan. The tool is written in Python and has a C# assembly that can can loaded into many C2 frameworks.
Use case: Enables Beacons to use Microsoft Graph API for HTTPS C2 communications.
GraphStrike is a suite of tools that enables Cobalt Strike’s HTTPS Beacon to use Microsoft Graph API for C2 communications. All Beacon traffic will be transmitted via two files created in the attacker’s SharePoint site, and all communications from Beacon will route to https://graph.microsoft.comBlog
EDD - Enumerate Domain Data
Use case: Extract domain information useful to penetration testers and auditors.
Enumerate Domain Data (ED) is designed to be similar to PowerView but in .NET. PowerView is essentially the ultimate domain enumeration tool, and we wanted a .NET implementation that we worked on ourselves. This tool was largely put together by viewing implementations of different functionality across a wide range of existing projects and combining them into EDD. The tool is written in C# and can be loaded in to many C2 frameworks.
Use case: Test egress filtering from inside a target network.
Egress-Assess is a tool used to test egress data detection capabilities. It supports exfiltration testing over common protocols such as HTTP, HTTPS, FTP, SMTP, ICMP, SMB, and DNS. The tool being runs an internal client system and an external server where data would be passed over network boundaries. The tool is written in PowerShell and Python.
Use case: Setup persistence in a pen test or red team and clean up the persistence at the end of a test.
PersistAssist is a fully modular persistence framework written in C#. All persistence techniques contain a cleanup method which will server to remove the persistence aside from the persistence code. The main object of this project initially was to build out a fully modular framework meant to make adding new features as simple as inheriting a class and adding the code.
Multiple Cobalt Strike Aggressor scripts for various phases of a pen test or red team assessment.
Use case: Translate shellcode bytes into words for entropy analysis evasion.
In order to protect our shellcode loaders, we often use encryption to obfuscate our shellcode. Encryption increases the entropy of our shellcode loader. Some AV & EDR use entropy analysis to determine if a binary is trustworthy for execution. If the entropy of a binary is too high, the agent makes a decision the binary is not trustworth for execution. This is, of course, an oversimplified explanation, but it will work for our purposes.
This project takes raw shellcode and encodes it using a dictionary of words. The dictionary could be a dictionary of English words, the text of a Shakespearean tragedy, or it could be strings extracted from your favorite system DLL. The only requirement is that the dictionary contains at least 256 unique entries and all characters are valid for string literals in C/C++.Blog
A number of small tools useful for penetration testing.
os_version_from_bh.py – extract OS version information from a Bloodhound dump
pw_last_set_from_bh.py – extract the password last set date for users from a Bloodhound dump
adsso-spray.py – password spraying of Entra ID (Azure AD)
nmap-open-ports-count.sh – extract from Nmap XML a list of open ports and a count of each open port
nmap-open-ports-long.sh and nmap-open-ports-simple.sh – parses Nmap XML output and generates a longer and short form of open ports and service version by host
autoscan.sh – run’s masscan against a range to quickly identify live hosts and listening ports and uses that information to run a more in depth Nmap scap to get more details on the listening services
GetNamesFromServerCert.ps1 and GetNamesFromServerCert.py – get names (CN and SAN) from target HTTPS sites
header-scan.py – quickly analyze web server headers and identify hosts missing content-security-policy, strict-transport-security, x-frame-options headers and extracts the server version from multiple different headers
sslyze-scan.py – a wrapper to SSLyze to identify HTTPS sites with insecure TLS settings
Use case: Inflates an executable using dictionary words (low entry) to evade AV/EDR that will not scan large files.
Dig Dug is a tool designed to evade certain AV/EDR detections by increasing the size of an executable file, leveraging the tactic that some engines might not analyze files exceeding a certain threshold, often discussed as around 100-150MB in offensive security circles. It enlarges the file by appending words from a dictionary, such as the modified google-10000-english or user-supplied ones, to avoid detection methods like entropy measurement or null byte padding inspection used by engines like CrowdStrike Falcon. Moreover, Dig Dug integrates SigThief’s functionality to transfer digital signatures from a source to the inflated executable, potentially offering a more subtle approach to file size inflation compared to methods that use random data or null bytes.
Use case: Test credentials from C#, using with multiple C2 frameworks
Small .NET wrapper around LogonUserA to test validity of harvestered credentials within CobaltStrike. Must be run within a domain context.
Use case: Quickly setup Cobalt Strike redirector and malleable C2 profile
Python script for automating the creation of serverless cloud redirectors from Cobalt Strike malleable C2 profiles.
Use case: Generate a “honeyfile” containing a tantalizing GPP password to catch attackers.
This script generates a groups.xml file that mimics a real GPP to create a new user on domain-joined computers.
Blue teams can use this file as a honeyfile. By monitoring for access to the file, Blue Teams can detect pen testers or malicious actors scanning for GPP files containing usernames and cpasswords for lateral movment.
Blue Teams can also monitor for use of the credentials as honeycreds.
A small POC of using Azure Functions to relay communications.
Use case: Compress files for extraction via C2
This tool was created to compress files through the command line and will work with Cobalt Strike’s execute-assembly. This also works with other C2 frameworks that allow execution of .NET assemblies. To use, pass in the files to compress (any amount) or pass it a text file of files, and supply an optional password. MiddleOut also accepts UNC paths as well.
Use case: Hash a string for comparison with known values.
Hashes is a tool to quickly hash plaintext strings, or compare hashed values with a plaintext value. When on an assessment, we don’t, and won’t, send found hashes to an online untrusted “hash generator”. We’d rather have an easy way to generate hash values, or compare hashes to plaintext values, quickly. Hashes does this.
a command line tool that generates randomized C2 malleable profiles for use in Cobalt Strike.
C# port of WMImplant (python) which uses either CIM or WMI to query remote systems. It can use provided credentials or the current user’s session.
ProxmarkWrapper is a wrapper around the Proxmark3 client that will send a text alert (and/or email if warranted) if a RFID card is captured
Use case: Upload the file, and capture a screen recording (video) of the desktop.
Run the file and it will create a screenshot or video and save it in the current user’s AppData\Roaming directory with a timestamped name. You can also pass it a flag for the location/filename where you want it saved.
A proof-of-concept on how to execute F# code within an unmanaged process.
EXCELntDonut is a XLM (Excel 4.0) macro generator.
Start with C# source code (EXE) and end with a XLM (Excel 4.0) macro that will execute your code in memory. XLM (Excel 4.0) macros can be saved in .XLS files.
Macro-Enabled Excel File Generator (.xlsm) using the EPPlus Library.
In September 1, 2020, NVISO published a blog post about Operation Epic Manchego. A threat actor had been uploading Macro-Enabled Excel Files (xlsm) to VirusTotal with farily ordinary VBA macros. However, the method they used to create the files helped them get past most A/V vendors. Instead of creating the malicious Excel files using Microsoft Office, like everyone does, they used a third-party library called EPPlus. When using EPPlus, the creation of the Excel document varied significantly enough that most A/V didn’t catch a simple lolbas payload to get a beacon on a target machine.
Proof-of-concept .NET mssql client for accessing database data through a Cobalt Strike beacon.
Just-Metadata is a tool that gathers and analyzes metadata about IP addresses. It attempts to find relationships between systems within a large dataset.
Just-Metadata is a tool designed for passive intelligence gathering on numerous IP addresses, facilitating the discovery of otherwise obscure relationships through its “gather” modules that collect metadata from various online resources. Its “analysis” modules delve into this data to uncover potential connections among the systems analyzed. The tool enables quick identification of common geographical locations like states and cities, timezone data of IP addresses, and allows for country-specific IP searches, including identifying IPs flagged for callbacks by VirusTotal or involved in attacks documented by the Animus Project. Moreover, Just-Metadata is flexible, allowing for the easy addition of new analysis and intel gathering modules to explore further relationships based on the gathered data.
WMImplant is a PowerShell based tool that leverages WMI to both perform actions against targeted machines, but also as the C2 channel for issuing commands and receiving results.
WMImplant will likely require local administrator permissions on the targeted machine.
Provides Base64 encoding and decoding functionality to PowerShell within Constrained Language Mode.