Outflank - C2 Tool Collection
This repository contains a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.
These tools are not part of our commercial OST product and are written with the goal of contributing to the community to which we owe a lot. Currently this repo contains a section with BOF (Beacon Object Files) tools and a section with other tools (exploits, reflective DLLs, etc.). All these tools are written by our team members and are used by us in red team assignments. Over time, more tools will be added or modified with new techniques or functionality.
Toolset contents
The toolset currently consists of the following tools:
Beacon Object Files (BOF)
| Name | Decription |
|---|---|
| AddMachineAccount | Abuse default Active Directory machine quota settings (ms-DS-MachineAccountQuota) to add rogue machine accounts. |
| Askcreds | Collect passwords by simply asking. |
| CVE-2022-26923 | CVE-2022-26923 Active Directory (ADCS) Domain Privilege Escalation exploit. |
| Domaininfo | Enumerate domain information using Active Directory Domain Services. |
| FindObjects | Enumerate processes for specific loaded modules or process handles. |
| Kerberoast | List all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat. |
| KerbHash | Hash password to kerberos keys (rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5). |
| Klist | Displays a list of currently cached Kerberos tickets. |
| Lapsdump | Dump LAPS passwords from specified computers within Active Directory. |
| PetitPotam | BOF implementation of the PetitPotam attack published by @topotam77. |
| Psc | Show detailed information from processes with established TCP and RDP connections. |
| Psw | Show window titles from processes with active windows. |
| Psx | Show detailed information from all processes running on the system and provides a summary of installed security products and tools. |
| Psm | Show detailed information from a specific process id (loaded modules, tcp connections e.g.). |
| Psk | Show detailed information from the windows kernel and loaded driver modules and provides a summary of installed security products (AV/EDR drivers). |
| ReconAD | Use ADSI to query Active Directory objects and attributes. |
| Smbinfo | Gather remote system version info using the NetWkstaGetInfo API without having to run the Cobalt Strike port (tcp-445) scanner. |
| SprayAD | Perform a fast Kerberos or LDAP password spraying attack against Active Directory. |
| StartWebClient | Start the WebClient Service programmatically from user context using a service trigger. |
| WdToggle | Patch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled). |
| Winver | Display the version of Windows that is running, the build number and patch release (Update Build Revision). |
Others
| Name | Decription |
|---|---|
| PetitPotam | Reflective DLL implementation of the PetitPotam attack published by @topotam77 |
| RemotePipeList | .NET tool to enumerate remote named pipes |
How to use
- Clone this repository.
- Each tool contains an individual README.md file with instructions on how to compile and use the tool. With this approach, we want to give the user the choice of which tool they want to use without having to compile all the other tools.
- If you would like to compile all the BOF tools at once, type
makewithin the BOF subfolder.