Home

Awesome

Outflank - C2 Tool Collection

This repository contains a collection of tools which integrate with Cobalt Strike (and possibly other C2 frameworks) through BOF and reflective DLL loading techniques.

These tools are not part of our commercial OST product and are written with the goal of contributing to the community to which we owe a lot. Currently this repo contains a section with BOF (Beacon Object Files) tools and a section with other tools (exploits, reflective DLLs, etc.). All these tools are written by our team members and are used by us in red team assignments. Over time, more tools will be added or modified with new techniques or functionality.

Toolset contents

The toolset currently consists of the following tools:

Beacon Object Files (BOF)

NameDecription
AddMachineAccountAbuse default Active Directory machine quota settings (ms-DS-MachineAccountQuota) to add rogue machine accounts.
AskcredsCollect passwords by simply asking.
CVE-2022-26923CVE-2022-26923 Active Directory (ADCS) Domain Privilege Escalation exploit.
DomaininfoEnumerate domain information using Active Directory Domain Services.
FindObjectsEnumerate processes for specific loaded modules or process handles.
KerberoastList all SPN enabled user/service accounts or request service tickets (TGS-REP) which can be cracked offline using HashCat.
KerbHashHash password to kerberos keys (rc4_hmac, aes128_cts_hmac_sha1, aes256_cts_hmac_sha1, and des_cbc_md5).
KlistDisplays a list of currently cached Kerberos tickets.
LapsdumpDump LAPS passwords from specified computers within Active Directory.
PetitPotamBOF implementation of the PetitPotam attack published by @topotam77.
PscShow detailed information from processes with established TCP and RDP connections.
PswShow window titles from processes with active windows.
PsxShow detailed information from all processes running on the system and provides a summary of installed security products and tools.
PsmShow detailed information from a specific process id (loaded modules, tcp connections e.g.).
PskShow detailed information from the windows kernel and loaded driver modules and provides a summary of installed security products (AV/EDR drivers).
ReconADUse ADSI to query Active Directory objects and attributes.
SmbinfoGather remote system version info using the NetWkstaGetInfo API without having to run the Cobalt Strike port (tcp-445) scanner.
SprayADPerform a fast Kerberos or LDAP password spraying attack against Active Directory.
StartWebClientStart the WebClient Service programmatically from user context using a service trigger.
WdTogglePatch lsass to enable WDigest credential caching and to circumvent Credential Guard (if enabled).
WinverDisplay the version of Windows that is running, the build number and patch release (Update Build Revision).

Others

NameDecription
PetitPotamReflective DLL implementation of the PetitPotam attack published by @topotam77
RemotePipeList.NET tool to enumerate remote named pipes

How to use

  1. Clone this repository.
  2. Each tool contains an individual README.md file with instructions on how to compile and use the tool. With this approach, we want to give the user the choice of which tool they want to use without having to compile all the other tools.
  3. If you would like to compile all the BOF tools at once, type make within the BOF subfolder.