Cyber Security Bronnen

Informatie

Proces: Ontwikkeld door Lockheed Martin, dit kader identificeert wat de tegenstanders moeten voltooien om hun doel te bereiken.

STAP 1. Verkenning

Verkenning is de eerste fase van de Cyber Kill Chain, die onderzoek, identificatie en selectie van doelen omvat.

Tools

Scanners & Kaders

Argus: Python-powered toolkit voor informatievergaring en verkenning.
RustScan: The Modern Port Scanner. Find ports quickly (3 seconds at its fastest). Run scripts through our scripting engine (Python, Lua, Shell supported).
Amass: In-depth Attack Surface Mapping and Asset Discovery.
Nmap: The "Network Mapper", free and open source utility for network discovery and security auditing.
nmapUnleashed: Een krachtige CLI-wrapper die de mogelijkheden van Nmap verbetert voor penetratietesters en netwerkauditors met multithreading en een dashboard.
Masscan: Internet-scale port scanner, transmitting 10 million packets per second.
Naabu: A fast port scanning tool written in Go that enumerates valid ports in a reliable manner.
OpenVAS: Full-featured vulnerability scanner with extensive testing capabilities.
Nikto: Open Source web server scanner for over 6700 potentially dangerous files/programs.
Sn1per: Automated scanner for enumeration and vulnerability scanning.
Osmedeus: Workflow engine for offensive security, running awesome tools for recon and vulnerability scanning.
D0rkerR3con Framework: Offensive Recon toolkit to discover exposed files, secrets, and launch weaponized Google Dorks.
Recon-ng: Open Source Intelligence gathering tool aimed at reducing the time spent harvesting information from open sources.
Scanners-Box: A powerful and open-source toolkit for hackers and security automation.
Reconness: ReconNess helps you to run and keep all your recon in the same place.
Lazyrecon: Script written in Bash to automate tedious tasks of reconnaissance and information gathering.
reconFTW: A powerful automated reconnaissance tool designed for security researchers.
axiom: A distributed dynamic infrastructure framework for offensive security operations.
Trivy: Uitgebreide en veelzijdige beveiligingsscanner voor kwetsbaarheden en misconfiguraties.

Domein & DNS

Subfinder: Subdomain discovery tool that discovers valid subdomains for websites by using passive online sources.
Puredns: Fast, professional DNS resolver. Replaces Altdns/Massdns for many workflows.
Chaos: Actively scans and maintains internet-wide assets' data.
Dnsprobe: Tool built on top of retryabledns that allows you to perform multiple DNS queries.
Shuffledns: Wrapper around massdns that allows you to enumerate valid subdomains using active bruteforce.
Findomain: Offers dedicated monitoring service for target domains and alerts.
Dnsgen: Generates a combination of domain names from the provided input.
Gotator: Powerful permutation generation for subdomains.
Massdns: High-performance DNS stub resolver.
Sublert: Security and reconnaissance tool to leverage certificate transparency for monitoring new subdomains.
Subjack: Subdomain Takeover tool written in Go.
dnscan: A python wordlist-based DNS subdomain scanner.

Web & OSINT

Wappalyzer: Browser extension that uncovers the technologies used on websites.
BuiltWith: Helps find out what technologies web pages are using.
WhatWeb: Recognizes web technologies including CMS, blogging platforms, statistic/analytics packages, etc.
Gau: Fetch known URLs from AlienVault's Open Threat Exchange, the Wayback Machine, and Common Crawl.
Waybackurls: Fetch known URLs from the Wayback Machine.
Meg: Tool for fetching lots of URLs without taking a toll on the servers.
Katana: A next-generation crawling and spidering framework.
Feroxbuster: A Rust-based content discovery tool. Faster, smarter, and more modern than Dirb/DirBuster.
Dirsearch: A simple command line tool designed to brute force directories and files in websites.
Ffuf: A fast web fuzzer written in Go.
httpx: Fast and multi-purpose HTTP toolkit that allows running multiple probes.
EyeWitness: Designed to take screenshots of websites, provide some server header info, and identify default credentials.
Gowitness: Website screenshot utility written in Golang using Chrome Headless.
SpiderFoot: Open source intelligence (OSINT) automation tool.
Maltego: OSINT and graphical link analysis tool for gathering and connecting information.
Shodan: Search engine for Internet-connected devices.
Censys: Scans the most ports and houses the biggest certificate database in the world.
Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
Unfurl: Parse URLs and pull out content based on criteria.
Asnlookup: Displays information about an IP address's Autonomous System Number (ASN).
Virtual-host-discovery: Enumerates virtual hosts on a given IP address.
WitnessMe: Web Inventory tool, takes screenshots of webpages using Pyppeteer.
BBOT: Recursive internet scanner designed to be faster and more reliable.
ENScan_GO: Tool based on major enterprise information APIs to solve problems in collecting domestic enterprise information (ICP, APP, WeChat, etc.).
dismap: Asset discovery and identification tool for rapid web fingerprint recognition.

Cloud & Git

gitGraber: Monitor GitHub to search and find sensitive data in real time.
Shhgit: Finds secrets and sensitive files across GitHub code and Gists in real-time.
gitleaks: SAST tool for detecting hardcoded secrets in git repos.
cloud_enum: Multi-cloud OSINT tool.
S3Scanner: Scan for open S3 buckets and dump the contents.
Gato (Github Attack TOolkit): Enumeration and attack tool for GitHub organizations.
apk2url: OSINT tool to extract IP and URL endpoints from APKs.
Checkov: Statische analysetool voor Infrastructure as Code (IaC) beveiliging en compliance.

Social Media

buster: An advanced tool for email reconnaissance.
linkedin2username: Generate username lists for companies on LinkedIn.
LinkedInt: LinkedIn Recon Tool.

STAP 2. Wapenontwikkeling

Wapenontwikkeling omvat het koppelen van een remote access trojan met een exploit tot een leverbare payload.

Tools (Payload Ontwikkeling)

Ysoserial: A proof-of-concept tool for generating payloads that exploit unsafe Java object deserialization.
Payloads All The Things: A list of useful payloads and bypasses for Web Application Security.
GhostStrike: Deploy stealthy reverse shells using advanced process hollowing.
Ivy: Payload creation framework for the execution of arbitrary VBA (macro) source code directly in memory.
PEzor: Open-Source PE Packer.
GadgetToJScript: Generates .NET serialized gadgets that can trigger .NET assembly load/execution when deserialized.
ScareCrow: Payload creation framework designed around EDR bypass.
Donut: Position-independent code that enables in-memory execution of VBScript, JScript, EXE, DLL files and dotNET assemblies.
Mystikal: macOS Initial Access Payload Generator.
charlotte: C++ fully undetected shellcode launcher.
InvisibilityCloak: Obfuscation toolkit for C# post-exploitation tools.
Dendrobate: Framework that facilitates the development of payloads that hook unmanaged code through managed .NET code.
Offensive VBA and XLS Entanglement: Examples of how VBA can be used for offensive purposes.
xlsGen: Tiny Excel BIFF8 Generator, to Embedded 4.0 Macros in *.xls.
darkarmour: Windows AV Evasion.
InlineWhispers: Tool for working with Direct System Calls in Cobalt Strike's Beacon Object Files (BOF).
EvilClippy: Assistant for creating malicious MS Office documents.
OfficePurge: VBA purge your Office documents.
ThreatCheck: Identifies the bytes that Microsoft Defender / AMSI Consumer flags on.
CrossC2: Generate CobaltStrike's cross-platform payload.
Ruler: Tool that allows you to interact with Exchange servers remotely.
DueDLLigence: Shellcode runner framework for application whitelisting bypasses and DLL side-loading.
RuralBishop: P/Invoke calls replaced with D/Invoke.
TikiTorch: Spawns a new process, allocates memory, then uses CreateRemoteThread to run shellcode.
SharpShooter: Payload creation framework for the retrieval and execution of arbitrary CSharp source code.
SharpSploit: .NET post-exploitation library written in C#.
MSBuildAPICaller: MSBuild Without MSBuild.exe.
macro_pack: Tool used to automatize obfuscation and generation of MS Office documents, VB scripts, etc.
inceptor: Template-Driven AV/EDR Evasion Framework.
mortar: Evasion technique to defeat and divert detection and prevention of security products.
ProtectMyTooling: Multi-Packer wrapper letting us daisy-chain various packers, obfuscators.
Freeze: Payload toolkit for bypassing EDRs using suspended processes, direct syscalls.
Shhhloader: Shellcode loader that compiles a C++ stub to bypass AV/EDR.
DllShimmer: Weaponize DLL hijacking easily.
moonwalk: Cover your tracks during Linux Exploitation by leaving zero traces on system logs and filesystem timestamps.

STAP 3. Levering

Levering is de overdracht van het wapen naar de doelomgeving.

Phishing Tools

Gophish: Open-source phishing toolkit designed for businesses and penetration testers.
Evilginx2: Man-in-the-middle attack framework used for phishing credentials and session cookies.
Modlishka: Flexible and powerful reverse proxy for ethical phishing campaigns.
o365-attack-toolkit: A toolkit to attack Office365.
PwnAuth: Web application framework for launching and managing OAuth abuse campaigns.
goblin: A simulation phishing system suitable for red-blue confrontation.
Social-Engineer Toolkit (SET): Open-source penetration testing framework designed for social engineering.

Andere Levering & Interactie Tools

Interactsh: ProjectDiscovery's OOB interaction server. Critical for blind SSRF/XXE/RCE testing.
BeEF: The Browser Exploitation Framework. Focuses on the web browser.

STAP 4. Exploitatie

Exploitatie activeert de code van de aanvaller. Deze fase richt zich op kwetsbaarheden om controle te krijgen of code uit te voeren.

Exploitatie Kaders & Tools

Metasploit Framework: The world's most used penetration testing framework.
Burp Suite: The quintessential web app hacking tool.
Caido.io: The lightweight, Rust-based alternative to Burp Suite.
sqlmap: Automates the process of detecting and exploiting SQL injection flaws.
W3AF: Web Application Attack and Audit Framework.
Routersploit: Exploitation framework for embedded devices.
Commix: Automated all-in-one OS command injection and exploitation tool.
Pacu: The "Metasploit for Cloud." An exploitation framework specifically for AWS.
ExploitDB: The official repository of The Exploit Database.
traitor: Automatic Linux privesc via exploitation of low-hanging fruit.
yakit: Cyber Security ALL-IN-ONE Platform (Exploit, Scanner, Hacking).
Shannon: Volledig autonome AI-pentester die daadwerkelijke exploits levert, niet alleen waarschuwingen.

Web & API Exploitatie

ZAP (Zed Attack Proxy): Integrated penetration testing tool for finding vulnerabilities in web applications.
Acunetix: Automated web application and API security platform.
Invicti: Enterprise-grade web application and API security platform.
Kiterunner: The best tool for API endpoint discovery (finding hidden/shadow routes).
Arjun: Specialized in finding hidden HTTP parameters that other scanners miss.
Dalfox: Fast, modern XSS scanner.
SSRFTest: SSRF testing tool.
Jsluice: Extract URLs, paths, secrets, and other interesting data from JavaScript source code.
ActiveScan++: Burp Suite extension that extends active and passive scanning capabilities.
Autorize: Burp Suite extension to detect authorization vulnerabilities.
Logger++: Multi-threaded logging extension for Burp Suite.
Wpscan: Black box WordPress security scanner.
Infection Monkey: A semi automatic pen testing tool for mapping/pen-testing networks.
ACSTIS: AngularJS Client-Side Template Injection scanner.
padding-oracle-attacker: CLI tool to execute padding oracle attacks.
is-website-vulnerable: Finds publicly known security vulnerabilities in a website's frontend JavaScript libraries.
PhpSploit: Full-featured C2 framework which silently persists on webserver via evil PHP oneliner.

Initiële Toegang & Privilege Escalatie

PEASS-ng: Privilege Escalation Awesome Scripts SUITE.
NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
SprayingToolkit: Scripts to make password spraying attacks.
CredMaster: Refactored & improved CredKing password spraying tool.
Kraken: All-in-One Toolkit for BruteForce Attacks.
SweetPotato: Collection of various native Windows privilege escalation techniques.
GodPotato: Privilege escalation using ImpersonatePrivilege.
PrivKit: Detects privilege escalation vulnerabilities caused by misconfigurations on Windows OS.
Watson: Enumerate missing KBs and suggest exploits.
SharpUp: C# port of various PowerUp functionality.
dazzleUP: Detects privilege escalation vulnerabilities caused by misconfigurations.

STAP 5. Installatie

Installatie stelt de tegenstander in staat om persistentie in de omgeving te behouden.

Persistentie Tools

SharPersist: Windows persistence toolkit written in C#.
SharpStay: .NET project for installing Persistence.
SharpHide: Tool to create hidden registry keys.
ScheduleRunner: C# tool to customize scheduled task for persistence.
SharpEventPersist: Persistence by writing/reading shellcode from Event Log.
IIS-Raid: A native backdoor module for Microsoft IIS.
SharPyShell: Tiny and obfuscated ASP.NET webshell for C# web applications.
Kraken: Modular multi-language webshell.
HiddenDesktop: HVNC for Cobalt Strike.
DAMP: The Discretionary ACL Modification Project: Persistence Through Host-based Security Descriptor Modification.
reGeorg: The successor to reDuh, pwn a bastion webserver and create SOCKS proxies.
ABPTTS: TCP tunneling over HTTP for web application servers.
pivotnacci: A tool to make socks connections through HTTP agents.

STAP 6. Command & Control

Command & Control (C2) kanalen stellen de aanvaller in staat instructies te geven aan de gecompromitteerde apparaten.

Remote Access Tools (RAT) & C2 Kaders

Cobalt Strike: Software for Adversary Simulations and Red Team Operations.
Villain: High level stage 0/1 C2 framework that can handle multiple reverse TCP & HoaxShell-based shells.
Kubesploit: Cross-platform post-exploitation HTTP/2 Command & Control server and agent focused on containerized environments.
Sliver: General purpose cross-platform implant framework.
Havoc: Modern and malleable post-exploitation command and control framework.
Empire: Post-exploitation framework that includes a pure-PowerShell Windows agent.
PoshC2: Proxy aware C2 framework.
Covenant: .NET command and control framework.
Mythic: Cross-platform, post-exploit, red teaming framework.
Brute Ratel C4: Advanced Red Team & Adversary Simulation Software.
merlin: Cross-platform post-exploitation C2 server and agent written in Go.
shad0w: Post exploitation framework designed to operate covertly.
Pupy: Cross-platform remote administration and post-exploitation tool.
NimPlant: Light first-stage C2 implant written in Nim and Python.
SharpC2: C2 framework written in C#.
Nimhawk: Powerful, modular, lightweight and efficient command & control framework written in Nim.
AdaptixC2: Extensible post-exploitation and adversarial emulation framework.
Loki: Node.js Command & Control for Script-Jacking Vulnerable Electron Applications.
SILENTTRINITY: Asynchronous, collaborative post-exploitation agent powered by Python and .NET.

Legitieme Remote Access Tools

ManageEngine Remote Access Plus: Comprehensive remote desktop tool offering advanced troubleshooting.
VNC Connect: Cross-platform remote access solution.
ISL Online: Cloud-based remote desktop solution.
Remote Desktop Manager: Centralizes remote connections and credentials.
Supremo: Lightweight, secure remote control software.
SolarWinds Dameware Remote Support: Robust remote support tool.
AnyDesk: Fast and lightweight remote desktop application.
Zoho Assist: Cloud-based remote support and remote access tool.
Citrix DaaS: Desktop-as-a-service solution offering secure remote access.
Microsoft Quick Assist: Simple Windows-based tool for remote assistance.
NinjaOne: IT management platform with remote access.
Atera: Remote monitoring and management (RMM) platform.

Staging & Redirectors

RedWarden: Flexible CobaltStrike Malleable Redirector.
AzureC2Relay: Azure Function that validates and relays Cobalt Strike beacon traffic.
C2concealer: Generates randomized C2 malleable profiles.
FindFrontableDomains: Search for potential frontable domains.
Domain Hunter: Checks expired domains for reputation.
pwndrop: Self-deployable file hosting service for red teamers.
C3: Custom Command and Control tool.
Chameleon: Tool for evading Proxy categorisation.
redirect.rules: Dynamic redirect.rules generator.
SourcePoint: C2 profile generator for Cobalt Strike.
RedGuard: C2 front flow control tool.
skyhook: Round-trip obfuscated HTTP file transfer setup.
GraphStrike: Cobalt Strike HTTPS beaconing over Microsoft Graph API.

STAP 7. Acties op Doelen

Acties op Doelen is de laatste fase waarin indringers acties ondernemen om hun oorspronkelijke doelen te bereiken, zoals data-exfiltratie of laterale verplaatsing.

Exfiltratie

SharpExfiltrate: Modular C# framework to exfiltrate loot over secure channels.
DNSExfiltrator: Data exfiltration over DNS request covert channel.
Egress-Assess: Tool used to test egress data detection capabilities.
VeilTransfer: Data exfiltration utility designed to test and enhance detection capabilities.

Referenties Dumpen

NetExec (nxc): The successor to CrackMapExec. The #1 tool for network pentesting (SMB/WinRM spraying, AD enumeration).
TruffleHog: The modern standard for finding secrets (API keys, creds) in code. Replaces gitGraber/Shhgit.
Hashcat: The industry standard for password cracking (GPU-based).
John the Ripper: Free and Open Source software, distributed primarily in a source code form.
Mimikatz: Allows users to view and save authentication credentials.
LaZagne: Retrieve lots of passwords stored on a local computer.
Dumpert: LSASS memory dumper using direct system calls and API unhooking.
CredBandit: BOF to perform a complete in memory dump of a process.
CloneVault: Export and import entries from Windows Credential Manager.
SharpLAPS: Retrieve LAPS password from LDAP.
SharpDPAPI: C# port of some DPAPI functionality from Mimikatz.
KeeThief: Extraction of KeePass 2.X key material from memory.
SafetyKatz: Combination of Mimikatz and .NET PE Loader.
forkatz: Credential dump using forshaw technique.
PPLKiller: Tool to bypass LSA Protection.
AndrewSpecial: Dumping lsass' memory stealthily.
Net-GPPPassword: .NET implementation of Get-GPPPassword.
SharpChromium: Retrieve Chromium data, such as cookies, history and saved logins.
Chlonium: Application designed for cloning Chromium Cookies.
SharpCloud: Simple C# utility for checking for the existence of credential files.
pypykatz: Mimikatz implementation in pure Python.
nanodump: A Beacon Object File that creates a minidump of the LSASS process.
Koh: C# and BOF toolset to capture user credential material.
PPLBlade: Protected Process Dumper Tool.
TrickDump: Dump lsass using only NTAPIS.
RemoteMonologue: Windows credential harvesting technique leveraging Interactive User RunAs key.

Laterale Verplaatsing

Ligolo-ng: The new standard for pivoting/tunneling. Replaces clunky VPN/proxychains setups.
Responder: Essential for poisoning LLMNR/NBT-NS protocols to capture hashes.
Liquid Snake: Fileless lateral movement using WMI Event Subscriptions.
PowerUpSQL: PowerShell Toolkit for Attacking SQL Server.
SQLRecon: C# MS SQL toolkit designed for offensive reconnaissance.
SCShell: Fileless lateral movement tool that relies on ChangeServiceConfigA.
SharpRDP: RDP Console Application for Authenticated Command Execution.
MoveKit: Extension of built in Cobalt Strike lateral movement.
SharpNoPSExec: File less command execution for lateral movement.
impacket: Collection of Python classes for working with network protocols.
Farmer: Project for collecting NetNTLM hashes.
CIMplant: C# port of WMImplant.
PowerLessShell: Rely on MSBuild.exe to remotely execute PowerShell scripts.
SharpGPOAbuse: Take advantage of a user's edit rights on a Group Policy Object.
kerbrute: Quickly bruteforce and enumerate valid Active Directory accounts.
mssqlproxy: Toolkit to perform lateral movement through Microsoft SQL Server.
Invoke-TheHash: PowerShell Pass The Hash Utils.
InveighZero: .NET IPv4/IPv6 machine-in-the-middle tool.
SharpSpray: Password spraying attack against all users of a domain.
CrackMapExec: A swiss army knife for pentesting networks.
SharpAllowedToAct: C# implementation of a computer object takeover through RBCD.
SharpRDPHijack: RDP session hijack utility for disconnected sessions.
CheeseTools: Tools based on MiscTool.
LatLoader: Automated lateral movement with Havoc C2.
MalSCCM: Abuse local or remote SCCM servers.
Coercer: Coerce a Windows server to authenticate on an arbitrary machine.
orpheus: Bypassing Kerberoast Detections.
goexec: Remote execution on Windows devices.
BitlockMove: Lateral Movement via Bitlocker DCOM interfaces & COM Hijacking.

Tunneling

Chisel: Fast TCP/UDP tunnel, transported over HTTP, secured via SSH.
frp: Fast reverse proxy.
SockTail: Joins a device to a Tailscale network and exposes a local SOCKS5 proxy.

Netwerk & Analyse

Wireshark: Network protocol analyzer.
Ettercap: Open-source network security tool for man-in-the-middle attacks.
Bettercap: The "Swiss Army knife" for network attacks and monitoring.
FoxyProxy: Advanced proxy management tool.
CyberChef: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis.