patroclica / WeaponizeKali.sh

WeaponizeKali.sh is a Bash script aimed at automating the process of downloading and installing extra tools for internal penetration tests with Kali Linux.

Basic principles behind this project are:

1. Use bleeding-edge versions of offensive toolkits to possess their latest features and fixes.
2. When installing 3rd party software, use isolated environments to minimize potential dependency hell.
3. Keep Windows exploitation scripts and binaries on hand in case you find yourself in an "offline situation".

The script will create two directories within CWD: tools and www. The first one contains all the tools that will be installed on Kali. The second one contains all the scripts and binaries that will be downloaded and may be delivered onto the victim host later.

WeaponizeKali.sh heavily relies on Python virtual environments and uses pipx and poetry to orchestra venvs.

In order to launch the bleeding-edge version of a tool installed with pipx and not the version that is already shipped with Kali, you should modify the PATH variables:

1. Modify PATH for a normal user with any method you want (.bashrc / .profile / .zshrc / etc.): export PATH="$HOME/.local/bin:$PATH".
2. Modify PATH for the superuser by modifying secure_path within sudoers (sudo visudo):

Now you can download WeaponizeKali.sh and run it from your home directory (pip may prompt for unlocking the keyring during the process). When it's done, you can check the results in ~/tools and ~/www:

~$ cd
~$ curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/WeaponizeKali.sh | bash -s -- -idtw
~$ ls -la tools www

⚠️ Warning: when using the -i switch, existing ./tools and ./www directories will be deleted.

If you only want to get the deliverable scripts and binaries (i.e., www directory), you can do it like this:

~$ mkdir www
~$ curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/WeaponizeKali.sh | bash -s -- -w
~$ ls -la www

It's recommended to run WeaponizeKali.sh once on a clean installation of Kali Linux.

To execute WeaponizeKali.sh with full set of arguments again after it has already been ran once, remove the existent virtual environments first and then run the script:

~$ cd
~$ rm -rf ~/.local/pipx
~$ ./WeaponizeKali.sh -idtw

~$ ./WeaponizeKali.sh -h
                                                         )
 (  (                                                  ( /(       (                )
 )\))(   '   (     )                    (         (    )\())   )  )\ (          ( /(
((_)()\ )   ))\ ( /(  `  )    (    (    )\  (    ))\  ((_)\ ( /( ((_))\     (   )\())
_(())\_)() /((_))(_)) /(/(    )\   )\ )((_) )\  /((_) _ ((_))(_)) _ ((_)    )\ ((_)\
\ \((_)/ /(_)) ((_)_ ((_)_\  ((_) _(_/( (_)((_)(_))  | |/ /((_)_ | | (_)   ((_)| |(_
 \ \/\/ / / -_)/ _` || '_ \)/ _ \| ' \))| ||_ // -_) | ' < / _` || | | | _ (_-<| ' \
  \_/\_/  \___|\__,_|| .__/ \___/|_||_| |_|/__|\___| |_|\_\\__,_||_| |_|(_)/__/|_||_|
                     |_|
                           "the more tools you install, the more you are able to PWN"
                    { https://github.com/penetrarnya-tm/WeaponizeKali.sh } { vX.Y.Z }

usage: WeaponizeKali.sh [-h] [-i] [-d] [-t] [w]

optional arguments:
  -h                    show this help message and exit
  -i                    initialize filesystem (re-create ./tools and ./www directories)
  -d                    resolve dependencies
  -t                    download and install tools on Kali Linux
  -w                    download scripts and binaries for delivering onto the victim host

Install the laster version of Evil-WinRM using rbenv:

~$ ./evil-winrm.sh

Create armored .ps1 scripts containing all the PowerShell tools you want with PowerShellArmoury:

PS > . .\New-PSArmoury.ps1
PS > New-PSArmoury -ValidateOnly -Config PSArmoury.json
PS > New-PSArmoury -Path armored.ps1 -Config PSArmoury.json -EnhancedArmour

Get a random name of a .exe or .dll binary:

~$ EXE="`curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/misc/binaries.txt | shuf -n1`.exe"
~$ DLL="`curl -sL https://github.com/penetrarnya-tm/WeaponizeKali.sh/raw/main/misc/system32-dlls.txt | shuf -n1`.dll"

• Amsi-Bypass-Powershell
• BloodHound
• BloodHound.py
• Certipy
• CVE-2019-1040-scanner
• CVE-2020-1472-checker
• CVE-2021-1675 (MS-RPRN) · CVE-2021-1675 (MS-PAR) · impacket-cube0x0 · SharpPrintNightmare · Pre-Compiled · Invoke-SharpPrintNightmare
• Covenant
• CrackMapExec
• Creds
• DonPAPI
• DivideAndScan
• DLLsForHackers
• Ebowla
• Empire
• ItWasAllADream
• LDAPPER
• LightMe
• MS17-010
• MANSPIDER
• MeterPwrShell
• Neo-reGeorg
• Nim · choosenim
• NimlineWhispers
• Obsidian
• OffensiveNim
• PCredz
• PEzor
• PKINITtools
• PetitPotam
• PetitPotam-Ext
• PrivExchange
• Responder
• RustScan
• SCShell
• ScareCrow
• SharpGen
• SharpShooter
• ShellPop
• TrustVisualizer
• WebclientServiceScanner
• Windows-Exploit-Suggester
• ack3
• aclpwn.py
• adidnsdump
• aquatone
• arsenal
• bettercap
• bloodhound-quickwin
• certi
• chisel · SharpChisel · Pre-Compiled
• crowbar
• dementor.py
• dsniff
• eavesarp
• enum4linux-ng
• evil-winrm
• feroxbuster
• ffuf
• gMSADumper
• gateway-finder-imp
• gitjacker
• go-windapsearch · Pre-Compiled
• gobuster
• impacket
• impacket-snovvcrash
• ipmitool
• kerbrute
• krbrelayx
• ldapdomaindump
• ldapsearch-ad
• ligolo-proxy
• lsassy
• masscan
• mitm6
• mscache
• nextnet
• nishang
• ntlm-scanner
• ntlmv1-multi
• nullinux
• odat
• paperify
• payloadGenerator
• pyGPOAbuse
• pypykatz
• pywerview
• pywhisker
• rbcd-attack
• rbcd_permissions
• rdp-tunnel
• rtfm
• sRDI
• smartbrute
• snmpwn
• spraykatz
• ssb
• sshuttle
• targetedKerberoast
• ticket_converter
• traitor
• updog
• webpage2html
• windapsearch
• xc

• ADCSPwn
• ADRecon.ps1
• ADSearch · Pre-Compiled
• ASREPRoast.ps1
• AccessChk (Sysinternals) · AccessChk (accepteula)
• Certify · Pre-Compiled
• Discover-PSMSExchangeServers
• Discover-PSMSSQLServers
• DomainPasswordSpray.ps1
• Grouper2
• HiveNightmare · ShadowSteal · hive.exe
• Intercept-NG
• Inveigh.ps1
• InveighZero · Pre-Compiled
• Invoke-ACLPwn.ps1
• Invoke-ImpersonateUser-PTH.ps1
• Invoke-PSInject.ps1
• Invoke-Portscan.ps1
• Invoke-RunasCs.ps1
• Invoke-SMBClient.ps1
• Invoke-SMBEnum.ps1
• Invoke-SMBExec.ps1
• Invoke-WMIExec.ps1
• JAWS
• JuicyPotato64 · JuicyPotato32
• Out-EncryptedScript.ps1
• PEASS · linPEAS.sh · winPEAS.exe
• PingCastle
• PowerShellArmoury · PSArmoury.json
• PowerUp.ps1
• PowerUpSQL.ps1
• PowerView2.ps1
• PowerView3.ps1 (New-GPOImmediateTask)
• PowerView3.ps1
• PowerView4.ps1 (ZeroDayLab)
• PowerSharpPack
• Powermad.ps1
• PrivescCheck.ps1
• PrintSpoofer
• ProcDump (Sysinternals)
• PsExec (Sysinternals)
• RdpThief · Pre-Compiled
• RemotePotato0
• RoguePotato
• Rubeus · Pre-Compiled
• Seatbelt · Pre-Compiled
• SessionGopher.ps1
• SharpChrome · Pre-Compiled
• SharpDPAPI · Pre-Compiled
• SharpGPOAbuse · Pre-Compiled
• SharpHandler · Pre-Compiled
• SharpHound.exe
• SharpHound.ps1
• SharpImpersonation · Pre-Compiled · Invoke-SharpImpersonation
• SharpLAPS
• SharpNamedPipePTH · Pre-Compiled · Invoke-SharpNamedPipePTH.ps1
• SharpRDP · Pre-Compiled
• SharpRelay · Pre-Compiled · Divert
• SharpSecDump · Pre-Compiled
• SharpView · Pre-Compiled
• Sherlock.ps1
• Snaffler
• SpoolSample · Pre-Compiled
• WerTrigger
• WinPwn
• arpfox
• chisel
• les.sh
• lse.sh
• mimikatz
• netcat for Windows
• plink
• powercat.ps1
• pspy
• pypykatz.exe
• rdp2tcp.exe
• static-binaries
• suid3num.py