// tools

open-source security tools and utilities

TURNt

TURNt is an open-source tool for establishing covert command and control channels using whitelisted media servers from services like Zoom and Microsoft Teams. It leverages TURN servers to create short-term, high-speed C2 channels that blend into normal enterprise video conferencing traffic.

**Features:**

- Automated discovery of TURN servers from major conferencing platforms
- WebRTC tunneling for SOCKS proxying and pivoting
- Traffic appears as legitimate video conferencing on port 443
- Bypasses DPI and TLS inspection

**Use Case:** Red team operations requiring interactive C2 in monitored networks where low-and-slow channels are insufficient for high-bandwidth tasks.

OAuthSeeker

OAuthSeeker is a red team tool for performing consent-based phishing attacks using malicious OAuth applications targeting Microsoft Azure and Office365 users. The tool demonstrates end-to-end attack scenarios from initial phishing to post-exploitation.

**Features:**

- OAuth consent phishing with verified Azure applications
- Admin control panel for credential management and token refresh
- Integrated GraphRunner for immediate post-exploitation
- OAuthAzure and OAuthPillage utilities for Azure resource impersonation

**Use Case:** Red team engagements targeting cloud environments where traditional credential phishing may be detected or blocked.

Brutus

Brutus is a modern, multi-protocol credential testing tool written in pure Go. It automates identification and validation of default credentials, compromised passwords, and SSH keys across enterprise environments at scale. Deploys as a single, zero-dependency binary.

**Features:**

- 24+ protocol support including SSH, RDP, SMB, LDAP, WinRM, databases, and web services
- Embedded known-compromised SSH key testing (Rapid7 ssh-badkeys, HashiCorp Vagrant)
- Private key spraying for lateral movement assessment
- Native JSON streaming with fingerprintx and naabu pipeline integration
- Experimental LLM-powered credential suggestion for vendor-specific login pages

**Use Case:** Penetration testing and red team engagements requiring automated credential validation across diverse network services.

INTRACTABLEGIRAFFE

INTRACTABLEGIRAFFE is a proof-of-concept Windows kernel-mode rootkit that implements hidden Virtual File System capabilities modeled after Turla's Uroburos/Snake rootkit. Designed for red team research and threat actor capability emulation.

**Features:**

- Volatile (in-memory) VFS stored in Windows kernel heap with no disk artifacts
- Non-volatile persistent VFS embedded within regular files on disk
- Integrated keylogger that writes captured keystrokes to the hidden VFS
- Access via Win32 Device Namespace, avoiding suspicious drive letter assignments
- Bypasses Driver Signature Enforcement using exploitable signed drivers

**Use Case:** Red team research and advanced persistent threat emulation on 64-bit Windows systems.

Google Redirector

Google Redirector is a lightweight HTTP/HTTPS redirector for Google Cloud Run that enables domain fronting through Google's infrastructure. It masks C2 traffic as legitimate Google service requests by routing through Google-owned domains and third-party services hosted on Google App Engine.

**Features:**

- Domain fronting through Google-owned services and App Engine-hosted sites
- Full HTTP proxy supporting all request methods with transparent header forwarding
- Auto-scaling serverless deployment on Google Cloud Run
- Compatible with any existing HTTP-based C2 implant
- Minimal latency with containerized Go implementation

**Use Case:** Red team operations requiring covert command-and-control communications through trusted Google infrastructure.

PortBender

PortBender is a TCP port redirection utility for Windows that enables red team operators to intercept and redirect inbound traffic from one port to another. Built as an in-memory reflective DLL for use with C2 frameworks like Cobalt Strike.

**Features:**

- Redirector mode for transparent port-to-port traffic redirection
- Backdoor mode inspired by Duqu 2.0 with keyword-authenticated conditional activation
- Reflective DLL injection with minimal disk footprint
- Built on WinDivert for traffic interception via Windows Filtering Platform

**Use Case:** Red team engagements requiring TCP port redirection for relay attacks such as SMB relay through C2 frameworks.