In the past, we’ve released a few lists of some of our favorite pen testing tools (which you can read here: Pen Testing Tools We're Thankful for in 2020 and Pen Testing Tools We're Thankful for in 2019). The response to these posts has been pretty positive, so we thought we’d keep that trend going – but narrow the focus. “Pen testing tools” casts a fairly wide net and lots of subcategories exist under that umbrella.
So in this list, we’re highlighting some of the tools we’ve found useful for our red teaming engagements. This list isn’t intended to be definitive, but it should give you an additional boost the next time you’re on an engagement of your own.
Its Use: Just like it sounds, this tool is a riff on the Google Chrome browser – essentially, it allows you to turn a victim’s browser into a proxy for testing.
Why We Like It: CursedChrome makes it easy to emulate a malicious browser extension during a red teaming engagement. Use it to hijack Chrome browsers, bypass most 2FA or other security protections that might be in place, and ride cookies to reach any web-based targets.
Its Use: Universal Loader is a Golang library you can use across multiple platforms (Linux, Windows, and OSX) to load shared libraries from memory and without CGO.
Why We Like It: Universal Loader’s ability to jump across popular platforms is certainly appealing, but it’s not the only reason we like using it. It can even be used on the new Apple M1 chip. Also worth calling out is that this Golang library does not use memfd, which makes it the first Golang Linux loader to avoid it. For those two reasons alone, Universal Loader is a fairly impressive red team tool.
Creator: QSecure Labs
Its Use: Overlord is a Python-based console command-line interface for automating red teaming infrastructure.
Why We Like It: It’s important to be able to quickly spin up secure infrastructure as needed during red team engagements, and Overlord is without a doubt an amazing asset to have in your back pocket for such instances. This tool will save you a lot of time, which you can then put toward doing some actual hacking – you know, the fun stuff.
Its Use: Sliver is a cross-platform general purpose implant framework written in Golang.
Why We Like It: This tool is the brainchild of two Bishop Fox researchers, so our bias may be showing. It is similar to the popular commercial tool Cobalt Strike (which is a terrific pen testing tool in its own right). What makes Sliver noteworthy are features such as dynamic code generation with per-binary obfuscation, multiple and extensible egress protocols, and support for numerous operators simultaneously controlling implants. Plus, it’s easy to use and it works fast.
Its Use: Use Githound to locate exposed API keys and other sensitive information floating around GitHub. The tool works via pattern matching, commit history searching, and “a unique result scoring system.”
Why We Like It: Secret snatching tools like Githound aren’t exactly uncommon, but that doesn’t make this tool (or others like it) any less valuable. Some possible use cases for Githound include detecting exposed customer API keys as well as employee API tokens. If you do bug bounties at all, this tool is useful to have bookmarked – some people have reported earning thousands of dollars in bounties thanks to it.
Its Use: This tool’s title says everything – it allows you to easily set up a lab for Microsoft Active Directory in PowerShell.
Why We Like It: It’s quick, and it works well. You can use this tool to make sure any exploits you’re using against Active Directory are perfected before introducing them to a client’s environment. It’s also great for pen testers who simply want to become more comfortable testing Active Directory.
Creator: Microsoft Azure Red Team
Its Use: You can better visualize an Azure attack surface with Stormspotter; this tool helps you graph Azure and Azure Active Directory objects.
Why We Like It: If you’re at all familiar with the popular pen testing tool BloodHound, then you’ll love Stormspotter. Stormspotter’s concept is similar, except this tool is designed for Azure environments. And who better to trust for comprehensive Azure hacking tools than the team behind the cloud platform themselves (or, more specifically, their red team)?
P.S., to any blue or purple teamers reading this post, Stormspotter’s extremely useful from a defensive perspective too.
Its Use: Unlike the majority of the tools on this list, ECG is actually a commercial tool. This tool is a “Static Source Code Scanner able to analyze & detect real and complex security vulnerabilities in TCL/ADP source-code.”
Why We Like It: ECG is one powerful tool that fills a surprisingly vacant niche. As VoidSec notes on their official write-up, TCL code is fairly pervasive; so being able to thoroughly analyze it for vulnerabilities can be incredibly helpful. There aren’t many other tools out there that fit this unique need, commercial or otherwise.
Its Use: Described as a “Security incident in a box!”, DumpsterFire lets you build “time-triggered, distributed” security events to test both red team offenses and blue team defenses.
Why We Like It: Not only does DumpsterFire take your traditional tabletop exercises to the next level, it uses automation to help you effectively multitask during engagements (and sidestep some of the more tedious stuff). And the degree of customization that DumpsterFire permits is impressive; you can truly tailor a simulated security incident to meet one-of-a-kind circumstances.
The above list consists of only nine of the red teaming tools we’ve found useful while conducting our engagements. There are countless other tools to explore, but hopefully these can give you a running start – and something of an edge on your next red team engagement.
Every week we share a few red teaming tools on Twitter; follow us at @BishopFox and check out the #redteamtool hashtag to see some of our other picks.