Red Team Engagements - L2

Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation.

1. Reconnaissance – Gathering intelligence on the target (passive OSINT first, active scanning only within scope).
2. Initial Access – Gaining entry through phishing, exploiting vulnerabilities, or credential attacks.
3. Privilege Escalation – Gaining higher-level permissions on a compromised host or in the domain.
4. Lateral Movement – Moving through the network to reach critical assets.
5. Persistence – Maintaining access for long-term control.
6. Exfiltration – Extracting sensitive data or otherwise demonstrating impact.
7. Reporting & Recommendations – Documenting findings for security improvements.

Red Team Tools & Techniques
Reconnaissance (OSINT & Information Gathering) Tools
theHarvester
● Description: theHarvester is an open-source OSINT tool that collects e-mail addresses, subdomains, hostnames, IP addresses and employee names from public sources such as search engines (Google, Bing), certificate-transparency logs and APIs like Shodan and Hunter. It is passive by default (nothing is sent to the target's own infrastructure); DNS brute-forcing and the other active checks are opt-in flags.
● Developed By: Christian Martorella (Edge-Security)
● Programming Language: Python

Shodan
● Description: Shodan is a search engine for internet-connected devices (IoT, webcams, servers, routers, ICS). Unlike Google, which indexes websites, Shodan continuously scans the internet and indexes the service banners of exposed ports, so querying it reveals a target's exposed services without sending a single packet to the target.
● Developed By: John Matherly (launched in 2009, USA)
● Programming Language: Python (official client library and CLI); the search engine itself is a hosted service, not open source

SpiderFoot
● Description: SpiderFoot is an automated OSINT reconnaissance tool that collects data on IP addresses, domains, e-mail addresses, usernames and more using over 200 modules, integrating with services such as Shodan, VirusTotal and Have I Been Pwned. Scans can be restricted to passive modules only, which matters when the rules of engagement forbid touching the target before a given date.
● Developed By: Steve Micallef (Australia)
● Programming Language: Python

Maltego
● Description: Maltego is a graph-based OSINT and link-analysis tool used to visualise relationships between people, companies, domains, IP addresses and other entities. Data is pulled in through "transforms", each backed by a data source, and the results are drawn as a link graph. It is widely used in cyber investigations.
● Developed By: Paterva (South Africa), now Maltego Technologies GmbH (Germany)
● Programming Language: Java

Phishing Frameworks
Gophish
● Description: Gophish is an open-source phishing framework designed to help security teams test and train users against phishing attacks. It provides e-mail template creation, landing pages that capture submitted credentials, and per-recipient tracking of e-mails sent, opened, links clicked and data submitted, with reporting on each campaign. Because it sends real mail, the sending domain needs working SPF/DKIM or the campaign lands in spam.
● Developed By: Jordan Wright (USA)
● Programming Language: Go

Evilginx2
● Description: Evilginx2 is a reverse-proxy adversary-in-the-middle (AitM) phishing framework for harvesting credentials and session cookies. The victim interacts with the real login page through the attacker's proxy, so the password and, crucially, the session cookie issued after a successful second-factor prompt are captured; replaying that cookie gives the attacker an authenticated session without triggering MFA again. It defeats OTP and push-based MFA but not origin-bound, phishing-resistant methods (FIDO2/WebAuthn, passkeys), because the authenticator will not sign a challenge for the proxy's domain.
● Developed By: Kuba Gretzky (@mrgretzky, Poland)
● Programming Language: Go

Exploitation Frameworks
Metasploit
● Description: Metasploit is one of the most widely used penetration-testing frameworks, providing exploit modules, payload generation (msfvenom), auxiliary scanners and post-exploitation capabilities (Meterpreter). It ships thousands of exploit and auxiliary modules for different platforms.
● Developed By: Rapid7 (originally created by H.D. Moore in 2003)
● Programming Language: Ruby (the original releases were in Perl)

Impacket
● Description: Impacket is a collection of Python classes for working with Windows network protocols (SMB, MSRPC, LDAP, Kerberos, NTLM and others), shipped with example scripts that are used directly in engagements: psexec.py and wmiexec.py for remote execution, secretsdump.py for dumping SAM/LSA secrets and NTDS (DCSync), GetUserSPNs.py for Kerberoasting and ntlmrelayx.py for NTLM relay attacks.
● Developed By: Core Security (CoreLabs), later SecureAuth, now maintained by Fortra
● Programming Language: Python

Privilege Escalation Tools
WinPEAS & LinPEAS
● Description: WinPEAS (Windows Privilege Escalation Awesome Script) and LinPEAS (Linux Privilege Escalation Awesome Script), both part of the PEASS-ng project, are enumeration scripts that surface potential privilege-escalation paths on Windows and Linux respectively: misconfigured services and permissions, SUID binaries and capabilities, writable paths, scheduled tasks and cron jobs, and credentials left in files. They only enumerate and colour-code likely findings; exploitation is a separate, manual step, and both are widely signatured by antivirus.
● Developed By: Carlos Polop (@carlospolop)
● Programming Language: Shell script (sh) for LinPEAS; C# (.exe), batch (.bat) and PowerShell versions of WinPEAS

BloodHound
● Description: BloodHound is a tool for Active Directory attack-path analysis. It loads the relationships between users, groups, computers, sessions, ACLs and delegation settings into a graph database and answers questions such as "shortest path from this user to Domain Admins". It finds the paths; the actual steps (Kerberoasting, Pass-the-Hash, ACL abuse) are carried out with tools such as Rubeus, Impacket or Mimikatz.
● Developed By: Andy Robbins (@_wald0), Rohan Vazarkar (@CptJesus) and Will Schroeder (@harmj0y); now maintained by SpecterOps
● Programming Language: Legacy BloodHound: Electron/JavaScript UI on a Neo4j database; BloodHound Community Edition: Go API, React/TypeScript UI, Neo4j plus PostgreSQL

PowerUp
● Description: PowerUp is a PowerShell script (the Privesc module of PowerSploit) that identifies and, for several checks, directly exploits common Windows privilege-escalation misconfigurations: weak service binary or service permissions, unquoted service paths, DLL hijacking opportunities, AlwaysInstallElevated and writable registry keys. Invoke-AllChecks runs the full set.
● Developed By: Will Schroeder (@harmj0y)
● Programming Language: PowerShell

Credential Access & Lateral Movement Tools
Mimikatz
● Description: Mimikatz is a well-known post-exploitation tool that extracts credentials from Windows memory: NT hashes and Kerberos tickets from LSASS, plaintext passwords where WDigest caching is enabled (off by default since Windows 8.1/Server 2012 R2), and domain hashes via DCSync. It is widely used for Pass-the-Hash (PtH), Pass-the-Ticket (PtT), Overpass-the-Hash and Golden/Silver Ticket attacks. Reading LSASS requires administrative rights and SeDebugPrivilege, is blocked by Credential Guard and is flagged by most EDRs.
● Developed By: Benjamin Delpy (@gentilkiwi, France)
● Programming Language: C

Rubeus
● Description: Rubeus is a C# toolset for raw Kerberos interaction and abuse, built on Benjamin Delpy's Kekeo: requesting and renewing tickets (asktgt, renew), Kerberoasting and AS-REP roasting, overpass-the-hash, pass-the-ticket, constrained-delegation abuse (s4u) and forging golden and silver tickets. It is frequently used in Active Directory red-team operations.
● Developed By: Will Schroeder (@harmj0y) and the SpecterOps team
● Programming Language: C#

CrackMapExec (CME)
● Description: CrackMapExec is a network-wide automation tool for Active Directory enumeration and exploitation built on Impacket. It performs password spraying, share and session enumeration, command execution over SMB/WinRM, SAM/LSA and NTDS dumping and, through its modules, many other checks across hundreds of hosts at once. The original project has been archived; development continues in the community fork NetExec (nxc).
● Developed By: Marcello Salvati (@byt3bl33d3r)
● Programming Language: Python

SharpHound
● Description: SharpHound is the data collector for BloodHound. It queries Active Directory over LDAP and, depending on the collection method, every reachable host over SMB/RPC for local group memberships and logged-on sessions, then writes the results as zipped JSON for import into BloodHound. Session and local-admin collection is noisy, generating authentication events on every host it touches.
● Developed By: SpecterOps
● Programming Language: C#

Persistence Tools & Techniques
Empire
● Description: Empire is a post-exploitation framework that provides command-and-control (C2) with encrypted communications, PowerShell-, Python- and C#-based agents, and a library of modules for credential access, lateral movement and persistence. It is widely used for maintaining long-term access on compromised systems.
● Developed By: Will Schroeder (@harmj0y), Justin Warner (@sixdub) and Matt Nelson (@enigma0x3) at Veris Group's Adaptive Threat Division; the original project was archived in 2019 and is now maintained by BC-Security
● Programming Language: Python (server); PowerShell, Python and C# (agents)

Nishang
● Description: Nishang is a collection of offensive PowerShell scripts and payloads used for persistence, privilege escalation, credential gathering, reverse shells (such as Invoke-PowerShellTcp) and payload execution on Windows systems. It is frequently used in red-team and post-exploitation scenarios.
● Developed By: Nikhil Mittal (@nikhil_mitt)
● Programming Language: PowerShell

Golden/Silver Ticket Attacks
● Description: Golden and Silver Ticket attacks are Kerberos-based persistence techniques used to maintain long-term control over an Active Directory environment. Both forge tickets offline with a stolen key instead of asking the KDC for them.
○ Golden Ticket: a forged TGT (Ticket Granting Ticket) encrypted with the krbtgt account's key (NT hash or AES key), which can claim any user and any group membership, including Domain Admins. It stays valid until the krbtgt password is reset twice, because the KDC honours both the current and the previous key.
○ Silver Ticket: a forged service ticket (TGS) encrypted with the target service account's key (for CIFS or HOST on a member server, the computer account's key), giving access to that one service without a valid TGT. The KDC is never contacted, so nothing appears in domain controller logs; the ticket works until that service account's password changes.
● Introduced By: Benjamin Delpy and Skip Duckwall, Black Hat USA 2014 ("Abusing Microsoft Kerberos: Sorry You Guys Don't Get It")
● Exploited Using: Mimikatz (kerberos::golden), Rubeus (golden/silver), Impacket (ticketer.py)
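
To make the trust relationship concrete, here is an added Python model written for this page; it is not Mimikatz or Rubeus code and it does not produce real Kerberos tickets (those are ASN.1 structures carrying a PAC, which the real tools build). It implements the RC4-HMAC encryption Kerberos uses with an NT-hash key (the RFC 4757 construction, with key-usage bookkeeping simplified) and models a ticket as a claims blob encrypted under either the krbtgt key (TGT) or a service account key (service ticket). The keys, realm and account names are constructed. It shows what the bullets above state: the KDC accepts any TGT that decrypts and checksums correctly under the krbtgt key, a service accepts any service ticket under its own key without asking the KDC, and each forgery survives exactly until the corresponding key is rotated.

```python
import hashlib
import hmac
import json
import os
import struct

# Constructed keys standing in for dumped NT hashes (e.g. via DCSync); not real secrets.
KRBTGT_KEY = bytes.fromhex("1a0d7b4f2c8e93a5d6f1e2b3c4d5e6f7")
CIFS_FS01_KEY = bytes.fromhex("9f8e7d6c5b4a39281706f5e4d3c2b1a0")  # FS01$ computer account key
TICKET_USAGE = 2  # RFC 4120: the EncTicketPart is encrypted with key usage 2 under the service's key


def rc4(key: bytes, data: bytes) -> bytes:
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes) -> bytes:
    """RFC 4757 RC4-HMAC: K1 = HMAC-MD5(key, usage); checksum = HMAC-MD5(K1, confounder||pt);
    K3 = HMAC-MD5(K1, checksum); output = checksum || RC4(K3, confounder||pt)."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    data = os.urandom(8) + plaintext
    checksum = hmac.new(k1, data, hashlib.md5).digest()
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    return checksum + rc4(k3, data)


def rc4_hmac_decrypt(key: bytes, usage: int, blob: bytes) -> bytes:
    """Decrypt and verify; a wrong key fails the HMAC check rather than yielding garbage."""
    k1 = hmac.new(key, struct.pack("<I", usage), hashlib.md5).digest()
    checksum, ciphertext = blob[:16], blob[16:]
    k3 = hmac.new(k1, checksum, hashlib.md5).digest()
    data = rc4(k3, ciphertext)
    if not hmac.compare_digest(hmac.new(k1, data, hashlib.md5).digest(), checksum):
        raise ValueError("checksum mismatch: not encrypted under this key")
    return data[8:]


def forge_ticket(key: bytes, cname: str, groups: list, sname: str, realm: str = "CORP.LOCAL") -> bytes:
    """Whoever holds `key` can mint a ticket with arbitrary claims; nothing else is checked."""
    claims = {"cname": cname, "crealm": realm, "sname": sname, "groups": sorted(groups)}
    return rc4_hmac_encrypt(key, TICKET_USAGE, json.dumps(claims).encode())


def accept_ticket(key: bytes, ticket: bytes, expected_sname: str):
    """Ticket verification as the KDC (key = krbtgt) or a service (key = its own) performs it."""
    try:
        claims = json.loads(rc4_hmac_decrypt(key, TICKET_USAGE, ticket))
    except ValueError:
        return None
    return claims if claims["sname"] == expected_sname else None


def demo() -> dict:
    # Golden ticket: a TGT for "Administrator" with Domain Admins (RID 512); no such logon ever happened.
    golden = forge_ticket(KRBTGT_KEY, "Administrator", [512, 513], "krbtgt/CORP.LOCAL")
    # Silver ticket: a service ticket straight to FS01's CIFS service; the KDC is never involved.
    silver = forge_ticket(CIFS_FS01_KEY, "Administrator", [512, 513], "cifs/FS01.CORP.LOCAL")
    before = {
        "kdc_accepts_golden": accept_ticket(KRBTGT_KEY, golden, "krbtgt/CORP.LOCAL") is not None,
        "fs01_accepts_silver": accept_ticket(CIFS_FS01_KEY, silver, "cifs/FS01.CORP.LOCAL") is not None,
    }
    # Remediation: rotate krbtgt (in practice twice, so the KDC stops honouring the previous key too).
    new_krbtgt = os.urandom(16)
    after = {
        "kdc_accepts_golden": accept_ticket(new_krbtgt, golden, "krbtgt/CORP.LOCAL") is not None,
        # The silver ticket never touches the KDC: rotating krbtgt does not affect it at all.
        "fs01_accepts_silver": accept_ticket(CIFS_FS01_KEY, silver, "cifs/FS01.CORP.LOCAL") is not None,
    }
    return {"before_rotation": before, "after_krbtgt_rotation": after}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The model deliberately omits the PAC and its signatures; in a real domain the KDC and (optionally) the service can additionally validate the PAC signature, which is why modern hardening pushes for AES keys, PAC validation and krbtgt rotation as a scheduled task rather than a one-off response.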

Exfiltration & Evasion Tools
Rclone
● Description: Rclone is a command-line tool for syncing and transferring files between local storage and cloud services such as Google Drive, Dropbox, AWS S3 and OneDrive. Ransomware operators routinely use it to stage and exfiltrate stolen data to attacker-controlled cloud storage, because the traffic is ordinary HTTPS to well-known providers. Defenders look for renamed rclone binaries, its config file and command-line switches, and for large outbound transfers to cloud providers the organisation does not use.
● Developed By: Nick Craig-Wood
● Programming Language: Go

dnscat2
● Description: dnscat2 is a covert command-and-control (C2) and data-transfer tool that tunnels its traffic inside DNS queries and responses. The client needs no direct internet access: it only has to resolve names through the organisation's normal DNS resolvers, which forward the queries to the attacker's authoritative server for the tunnel domain, so the tunnel crosses firewalls that block everything except DNS. Sessions can be encrypted and authenticated with a pre-shared secret. It is not invisible: long, high-entropy subdomains, a high query rate to a single domain and unusual record types (TXT, MX, CNAME) give it away in DNS logs.
● Developed By: Ron Bowes (@iagox86)
● Programming Language: C (client), Ruby (server)
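
The following is an added Python example written for this page (it is not dnscat2's code) that shows the mechanism DNS tunnelling relies on and the simplest detections for it. A blob is split into base32 chunks carried as subdomain labels of an attacker-controlled zone (t.example.com, assumed here) and reassembled from the sequence numbers; a detector then flags names whose subdomain part is unusually long and high-entropy, and counts distinct names per apex domain. The benign lookups and the payload are constructed.

```python
import base64
import collections
import math

TUNNEL_DOMAIN = "t.example.com"   # assumed attacker-controlled zone (constructed)
MAX_LABEL = 63                     # RFC 1035 limit per label
LABELS_PER_QUERY = 2               # payload labels per query; keeps the name well under 253 bytes


def encode_queries(data: bytes, domain: str = TUNNEL_DOMAIN) -> list:
    """Upstream direction of a tunnel: data -> base32 -> '<seq>.<label>.<label>.<domain>' names.
    Base32 is used because DNS names are case-insensitive, so base64 would be mangled by resolvers."""
    text = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = MAX_LABEL * LABELS_PER_QUERY
    names = []
    for seq, start in enumerate(range(0, len(text), per_query)):
        chunk = text[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        names.append(f"{seq}." + ".".join(labels) + "." + domain)
    return names


def decode_queries(names: list, domain: str = TUNNEL_DOMAIN) -> bytes:
    """What the attacker's authoritative server does: strip the zone, order by seq, rebuild the bytes."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        seq, _, payload = name[: -len(suffix)].partition(".")
        chunks[int(seq)] = payload.replace(".", "")
    text = "".join(chunks[k] for k in sorted(chunks)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def shannon_entropy(s: str) -> float:
    counts = collections.Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def subdomain_part(name: str) -> str:
    """Everything left of the registrable domain; assumes a two-label apex (no public-suffix list)."""
    return "".join(name.rstrip(".").split(".")[:-2])


def flag_tunnel_candidates(names: list, min_len: int = 40, min_entropy: float = 3.5) -> list:
    """Per-query heuristic: long, high-entropy subdomains are the signature of encoded data."""
    return [n for n in names
            if len(subdomain_part(n)) >= min_len and shannon_entropy(subdomain_part(n)) >= min_entropy]


def distinct_names_per_apex(names: list) -> collections.Counter:
    """Volume heuristic: a tunnel produces many never-repeated names under one apex."""
    apex = lambda n: ".".join(n.rstrip(".").split(".")[-2:])
    return collections.Counter(apex(n) for n in set(names))


# Constructed sample: a 150-byte "loot" blob and some ordinary lookups seen in the same window.
SECRET = (b"user=alice;nthash=8846f7eaee8fb117ad06bdd830b7586c;host=FS01;" * 3)[:150]
BENIGN = ["www.example.org", "mail.google.com", "cdn.jsdelivr.net", "login.microsoftonline.com"]


def demo() -> dict:
    tunnel = encode_queries(SECRET)
    seen = BENIGN + tunnel
    return {
        "queries": len(tunnel),
        "round_trip_ok": decode_queries(tunnel) == SECRET,
        "flagged": flag_tunnel_candidates(seen),
        "per_apex": distinct_names_per_apex(seen),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Real tunnels also use the response side (TXT or CNAME answers carry the downstream data) and pace their queries, so the per-query entropy check should be combined with the per-apex volume count and with record-type statistics from the resolver logs rather than used alone.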

Invoke-Obfuscation
● Description: Invoke-Obfuscation is a PowerShell obfuscation framework that rewrites a script or command at the token, string, encoding and launcher level so that signature-based antivirus and log searches no longer match it. It is used to deliver payloads and execute commands without being flagged, not for exfiltration itself. The defensive counter is runtime visibility: PowerShell script block logging (event 4104) and AMSI see the de-obfuscated code as it executes, and heavily obfuscated launchers are themselves a detection signal.
● Developed By: Daniel Bohannon (@danielhbohannon)
● Programming Language: PowerShell

Command-and-Control (C2) Frameworks
Cobalt Strike
● Description: Cobalt Strike is a commercial red-team framework used for post-exploitation, lateral movement, persistence and C2 operations. Its Beacon payload communicates covertly over HTTP(S), DNS or SMB, and Malleable C2 profiles let operators reshape the traffic to mimic legitimate applications. It is widely used in authorised engagements and, through leaked and cracked copies, in real intrusions, so most EDRs and network sensors carry signatures for default Beacon configurations.
● Developed By: Raphael Mudge (Strategic Cyber LLC); acquired by HelpSystems, now Fortra, in 2020
● Programming Language: Java (team server and client); Beacon itself is written in C

Sliver
● Description: Sliver is an open-source C2 framework designed as an alternative to Cobalt Strike. It supports multiple implant communication channels (mTLS, WireGuard, HTTP(S), DNS), cross-platform implants for Windows, Linux and macOS, and a wide range of post-exploitation features.
● Developed By: Bishop Fox
● Programming Language: Go

Mythic
● Description: Mythic is a modular, highly customisable C2 framework in which agents (payload types) and C2 profiles are separate, containerised components, so operators can add agents written in any language (for example Apollo in C#, Poseidon in Go). It is widely used for advanced red-team operations and adversary simulation.
● Developed By: Cody Thomas (@its_a_feature_)
● Programming Language: Python (backend), JavaScript (frontend); agents in various languages

Brute Ratel C4
● Description: Brute Ratel C4 (BRc4) is a commercial adversary-simulation tool designed to evade modern endpoint detection and response (EDR) solutions. It provides stealthy payload execution through its "badger" implant, built-in privilege-escalation and lateral-movement tooling, and C2 capabilities.
● Developed By: Chetan Nayak (@NinjaParanoid)
● Programming Language: C, C++, Rust