/C2-Tool-Collection

A collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.

Primary LanguageC

Outflank - C2 Tool Collection

This repository contains a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.

These tools are not part of our commercial OST product and are written with the goal of contributing to the community to which we owe a lot. Currently this repo contains a section with BOF (Beacon Object Files) tools and a section with other tools (exploits, reflective DLLs, etc.). All these tools are written by our team members and are used by us in red team assignments. Over time, more tools will be added or modified with new techniques or functionality.

Toolset contents

The toolset currently consists of the following tools:

Beacon Object Files (BOF)

Name Decription
AddMachineAccount Abuse default Active Directory machine quota settings (ms-DS-MachineAccountQuota) to add rogue machine accounts.
Askcreds Collect passwords by simply asking.
CVE-2022-26923 CVE-2022-26923 Active Directory (ADCS) Domain Privilege Escalation exploit.
Domaininfo Enumerate domain information using Active Directory Domain Services.
FindObjects Enumerate processes for specific loaded modules or process handles.
Kerberoast List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.
KerbHash Hash password to kerberos keys (rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5).
Klist Displays a list of currently cached Kerberos tickets.
Lapsdump Dump LAPS passwords from specified computers within Active Directory.
PetitPotam BOF implementation of the PetitPotam attack published by @topotam77.
Psc Show detailed information from processes with established TCP and RDP connections.
Psw Show window titles from processes with active windows.
Psx Show detailed information from all processes running on the system and provides a summary of installed security products and tools.
Psm Show detailed information from a specific process id (loaded modules, tcp connections e.g.).
Psk Show detailed information from the windows kernel and loaded driver modules and provides a summary of installed security products (AV/EDR drivers).
ReconAD Use ADSI to query Active Directory objects and attributes.
Smbinfo Gather remote system version info using the NetWkstaGetInfo API without having to run the Cobalt Strike port (tcp-445) scanner.
SprayAD Perform a fast Kerberos or LDAP password spraying attack against Active Directory.
StartWebClient Start the WebClient Service programmatically from user context using a service trigger.
WdToggle Patch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled).
Winver Display the version of Windows that is running, the build number and patch release (Update Build Revision).

Others

Name Decription
PetitPotam Reflective DLL implementation of the PetitPotam attack published by @topotam77
RemotePipeList .NET tool to enumerate remote named pipes

How to use

  1. Clone this repository.
  2. Each tool contains an individual README.md file with instructions on how to compile and use the tool. With this approach, we want to give the user the choice of which tool they want to use without having to compile all the other tools.
  3. If you would like to compile all the BOF tools at once, type make within the BOF subfolder.