The red team is considered the offensive side of the security. Red teams think like the attacker, they imitate real-world attacks and mimic adversary techniques and methods, uncover vulnerabilities in an organization’s infrastructure, launch exploits, and report on their findings.
This is often a group of white hats — ethical hackers, offensive security professionals that are hired by organizations in order to assume the role of an attacker, and show the organization what are their security holes or exploitable vulnerabilities that pose a threat to their cybersecurity posture.
How red team tools are used in cybersecurity
Every step and technique cyber attackers employ, red teams follow. The main characteristic of red teams is that they need to think outside the box—to constantly find new tools and techniques that better assess an organization’s security posture and, in turn, better inform their defenses.
Red team operations are fast paced environments. There are many tools to utilize during the cyber attack life cycle, and numerous red team operation phases to mimic it. Whether it’s a port scanner, vulnerability scanning tools, intel gathering tool, or exploitation framework, using the right red team tools is one of the key foundations of successful red team operations. This is why we thought creating a cheat sheet of red team tools would be a handy resource for your ethical hacking and red team assessment activities.
For red team operations, you can find many tools for red teaming categorized by phase in the red team operations attack approach. We tried to focus primarily on red team open source tools, but you can also find suitable commercial solutions. And we’re aware that there are so many tools that we’re bound to have some of your favorites in the mix already, so keep an eye on this post. We’ll update it as we discover more tools, solutions and frameworks you should know about.
Best red team tools for your security toolkit
Now without further ado, take a look at our list of choices for building your red team toolkit, while following their relevance to the different phases of red team operations and assessment:
When beginning any security investigation, including red team operations, reconnaissance and information gathering is the first step towards attempting to exploit the target and reaching the objective. The purpose, and literal meaning of this phase, is to obtain as much information about the target as possible.
By performing reconnaissance, red teams will be able to learn details of the target network, discover system vulnerabilities and identify potential attack vectors. Once finished, they will have information about the target such as business practices, technology, servers, IP addresses, domain names and more.
We recognize two types of reconnaissance: active and passive.
Active reconnaissance is when an adversary, or in this case a red team, actively engages with the target system, then goes on to use the obtained information for exploiting the target. Here we can see port scanners and vulnerability scanners.
Nmap, or Network Mapper, is an open source and free security tool that’s also one of the oldest in the game—it launched in 1997. Regardless, it’s actively maintained and effectively used for detecting open ports on remote hosts, network mapping and enumeration; gathering hosts, OS, DNS and other information; and several other tasks that aid in red team operations. Nmap is, in our opinion, one of the most important red team open source tools out there.
Quite simply, Nmap is one of our favorite security tools around. You can even read other blog posts we’ve shared about it such as the best Nmap commands to scan remote hosts, how to detect CVEs using Nmap vulnerability scan scripts, a post about Nmap Scripts — NSE and even our top 5 Nmap online alternatives.
sqlmap is a very cool open source penetration testing tool that launches SQL injection tests and discovers issues and vulnerabilities. Some of its key features include automatic code injection capabilities, user enumeration, password hash recognition, dictionary-based password cracking, executing remote SQL SELECTS and more.
Nikto is an open source web vulnerability scanner which you can use to scan web servers and discover security vulnerabilities. Written in Perl, it helps red teams detect outdated software applications and discover insecure files, programs and server misconfiguration. Nikto also offers attack encoding, IDS evasion, XSS vulnerability tests and more features making it a perfect tool for red teaming.
OpenVAS (more commonly known by its original name, Nessus) is an open source network scanner used to execute network vulnerability tests on the target and to detect vulnerabilities. OpenVAS has many attractive features, but some of the main ones that help in red team operations include simultaneous multiple host scanning, +50,000 network vulnerability tests, scheduled scans and false positive management.
Passive reconnaissance is usually done through third party sites and resources, without engaging with them, thereby avoiding detection. Here we can find many OSINT tools.
Spiderfoot is one of the best (and one of our favorite) reconnaissance tools for automated OSINT. Written by Steve Micallef, Spiderfoot queries over 100 public data sources and gathers intelligence about names, email addresses, domain names, IP addresses and more. All of the data is centralized in one single tool, helping red teams make their information-gathering process that much faster and more efficient.
Another one of our favorites, Intrigue, written by Jonathan Cran, is an automated OSINT and reconnaissance framework that collects publicly available perimeter information by mapping publicly-facing systems, exposed services, and applications. Using a number of OSINT sources and the power of the Intrigue core engine’s graph discovery, it provides external asset visibility. Red teams will be able to discover an organization’s external assets, identify third party links and relationships using link analysis technology, identify exposed vulnerabilities in application stacks, and more.
Maltego, developed by Paterva, is another great tool for information gathering and reconnaissance. It lets you discover names, phone numbers, email addresses, organizations and social media accounts, and can be used for data correlation allowing the red team to visually explore relationships in their data.
OSINT Framework is another one of our favorite security information gathering tools; so much so that we even have a fully dedicated article to it. This cybersecurity framework is used for reconnaissance, intel gathering and OSINT research. OSINT Framework is a handy collection of OSINT tools filtered by categories, making red teams’ intel gathering tasks much easier.
Often called the ‘search engine for hackers’, Shodan is focused on the deep web and the IoT. With the IoT frequently lacking proper security, it can offer multiple points of entry. Shodan is used to scan almost anything that is connected to the internet, such as servers, routers and webcams—but when we say “anything that is connected to the Internet”—we mean it. Among numerous examples, Shodan lets you scan traffic light systems, heating systems, nuclear power plants and much more.
Another open source tool, Wireshark is a network traffic analyzer. It can help red teams detect any security issues in the target network. Wireshark analyzes network traffic in real time, and can intercept it and read results. With its capabilities for gathering intelligence from network traffic, red teams can discover vulnerabilities of, and threats to, the target network.
SecurityTrails API helps you perform reconnaissance and gain access to critical information such as open ports, domain DNS records, SSL certificates, IP blocks, WHOIS history, hostname information and much more. Our API can help red teams enhance their attack simulation with the obtained data, as well as cross-relate and pivot between it. You can also integrate our IP, DNS, SSL and open ports data into your own applications.
Weaponization is the process of building and using tools for attacking a target, by taking into account information gathered from the previous phase, reconnaissance. We can also see techniques for evading detection or avoiding defenses of the target. Weaponization usually involves making malicious file payloads, infecting documents and files before they’re sent to the victim, among other tactics. Often we can see combining a RAT with an exploit into a deliverable payload.
Social Engineering Toolkit (SET)
The Social Engineering Toolkit, or SET for short, is a free open source security tool that features numerous attack techniques for social engineering. These include creating a phishing page by cloning the original, and attack options such as phishing, spear phishing, website attacks, mass mailing and much more.
Metasploit is an open source project that offers both commercial and free versions. Metasploit is useful for many security professionals and red teams in discovering security vulnerabilities and developing, testing and executing exploits. Their ‘Metasploit Framework’ version offers capabilities for evading detection systems, running vulnerability scans, enumerating hosts and more.
Invoke-Obfuscation is essentially a PowerShell obfuscator that helps red teams explore and visualize the obfuscation technique while aiding in obfuscating PowerShell commands and scripts. It also allows the creation of custom, obfuscated PowerShell payloads.
Veil Framework is one of the most popular antivirus evasion tools available and one of the most valuable red team tools. Red teams can use it to generate Metasploit payloads in Python and Ruby, among others, and to bypass many common antivirus solutions.
Delivery and exploitation
This phase, called the delivery phase, is actually the real start of executing an attack: it involves obtaining a foothold in the target network and compromising the target. In this phase we can find techniques that have an objective of transmitting the payload created in the previous phase to the target. It’s during this phase that the red team may attempt to exploit uncovered security vulnerabilities, launch phishing attacks and deliver malicious payloads.
Gophish is an open-source phishing framework that’s highly useful in red team operations. It can help create phishing campaigns easily and schedule them, launch them, and finally track results from the campaign to test an organization’s awareness of and susceptibility to phishing attacks.
Hashcat is, as they claim, the “world’s fastest password cracker.” It’s an open source password hash cracker that red teams can utilize for brute forcing passwords and performing dictionary attacks, among other utilities for advanced password cracking. Hashcat is great, easy red team open source tool to have in your arsenal.
The Browser Exploitation Framework, BeEF for short, is a security framework that provides red teams with practical client-side attack vectors. BeEf bypasses the hardened perimeter and allows the red team to assess the security posture of the target from the angle of a web browser.
King Phisher is an open source phishing campaign tool that simulates real-world phishing attacks. This phishing tool can be used to run different and separate campaigns simultaneously, and use them for simple security awareness training as part of your cybersecurity culture. It’s also effective for more complex scenarios involving credential harvesting.
Once the target has been compromised and a foothold is obtained, adversaries move deeper into the network. In this phase we can see different techniques where after infecting the target systems, the payload will try to connect to other critical parts of the system obtaining user privileges to access more unauthorized data, specific systems and restricted areas. Red team operations follow suit with these tools for both domain and local escalation.
PowerUp is a PowerShell tool that offers checks for common Windows misconfigurations as well as a number of Windows privilege attack methods, to help you with local privilege escalation on Windows systems. Additionally, it offers methods to abuse vulnerable services and other escalation opportunities.
BeRoot is a privilege escalation project. This project is a post-exploitation tool that checks against common misconfigurations, allowing it to help red teams escalate privileges. BeRoot is used to detect misconfigurations but not exploit them, although if you do find something, you can create a template which can be used to exploit it.
BloodHound is a widely used security tool for both red and blue teams. This tool is used to visualize active directory environments and reveal access control lists, users and the relationships within it. As a tool for red teaming BloodHound helps in finding different attack paths to the target and seeing privilege relationships when performing domain escalations.
We’ve mentioned lateral movement as one of the phases of the APT life cycle, and it makes its way into red team operations as well. Lateral movement refers to the process of moving from one compromised host to another in order to access more sensitive information that is found on other systems and networks of the target that were still not reached. Both attackers and red teams use techniques to access and control remote systems on the target network. There are a number of specific lateral movement techniques out there, and at least as many tools, so we tried to round up the best, or at least those most widely used.
Mimikatz is an open source tool considered a staple in a red team toolkit for extracting and collecting Windows credential information from the target, but it can also perform pass-the-hash and pass-the-ticket, and build golden tickets.
PAExec is a free remote administration tool designed to help in post-exploitation activities. This remote shell aids in remote execution and interactive shell sessions with remote Windows machines, without the need to install client software.
CrackMapExec—or as the creator’s claim, “the swiss army knife for pen testing networks”—is a Python-based utility that evaluates and exploits vulnerabilities in an active directory environment. Leveraging Mimikatz to obtain credentials, it moves laterally through the active directory.
The LaZagne project is another open-source Python-based password recovery tool. It extracts lots of stored usernames and passwords from different applications and can help red teams move laterally, with its newly obtained access and users. You can also find this tool in the pupy project, as a post-exploitation module.
Command and control
After the initial compromise, the odds that remote access will be removed from the target network soon afterwards are fairly high. This is why, at this phase, persistence is the key. Command and control, also known as C2, is a red team operations phase in which steps and techniques are carried out so that a persistent communication to the controlled systems in the target network achieved through remote access, and tunnels for data exfiltration are set.
Phishing using an IDN homograph attack is not rare. It’s done through generating unicode that resembles the original domain, which is then used to phish its victims. And EvilURL functions in that way exactly—as a unicode generator and detector.
Empire is a well known PowerShell post-exploitation framework. Red teams can deploy the Empire framework to check the network for any post-exploitation activity, and run PowerShell agents without needing powershell.exe. This tool is very effective for evading security solutions, and has a very small footprint.
Pupy (yes, not “puppy”), is an open source, cross-platform post-exploitation and remote administration tool. Written mainly in Python, this is another tool that’s hard to detect, making it a great addition to the red team toolkit. With it, red teams can create Windows payloads to exploit Windows, execute noninteractive commands on multiple hosts simultaneously, and you can even find the BeRoot and LaZagne tools as post exploitation modules.
Cobalt Strike is a well-known and widely used commercial adversary simulation software specifically designed to help in red team operations. This software has social engineering features for initial access, and also offers Command and Control with an agent named Beacon on the target machine.
Exfiltrate and complete
And now, for the final phase. This is where manipulations of the target system are performed in order to achieve the objective of the operation. The final objective of a real-life cyber attack, as well as red team operations, is to gain access and exfiltrate data deemed sensitive from the target network.
In previous phases, the red team worked on creating channels through which data can be transferred from the target system. Now it’s on the following tools to identify and gather information from the target, and then “safely,” and without detection, exfiltrate the data.
In red team operations, collecting important information from the target is important, but also important is finding ways to transfer that data without getting revealed. Cloakify Factory is a tool that transforms the data into strings, which gives it the ability to hide the data in plain site without triggering any network alerts.
Another tool to aid in file transfer and data exfiltration is DNSExfiltrator. This tool encodes the data to fit into DNS requests, then transfers the data over a DNS request covert channel.
DET, or Data Exfiltration Toolkit, is a really easy tool to use. It is actually a proof of concept that identifies DLP (data loss prevention) failures and performs data exfiltration using ICMP, social media platforms, or even through Gmail. This can all be done using either a single channel or multiple channels at the same time.
PowerShell-RAT is a Python- and Powershell-based tool used to backdoor Windows. It uses Gmail to exfiltrate data as an e-mail attachment and is undetectable by common antivirus solutions.
There are many resources for red teams out there, including the best Linux distros for ethical hacking and security in general, that provide most of the utilities mentioned (hint: it’s Kali Linux) deliberately vulnerable sites to practice penetration testing and ethical hacking, and of course, a wide range of useful tools. Having a cheat sheet with all these red team tools listed by their functionality, and by the aid they provide to red team operations, will help in moving the automated process along even faster. It might even help you discover a few new tools yourself to include in your red team toolkit.
It’s important to note that even if the final phase we have shown appears as it completes the entire red team operations and assessment, that is not entirely true. Additional steps that take place after the completed mission are building a report, cross referencing results to previous red team operations, and then planning to remediate found security issues.
Stay tuned for the Blue Team Toolkit, which will give you an overview of essential blue team tools and solutions.
For your red team reconnaissance needs, the SecurityTrails API brings to light the latest and historical data about domain services, DNS servers, DNS records, IP addresses, open ports and SSL certificates. You can go even further — our passive intelligence tool SurfaceBrowser™ gives you the ability to look up any organization and domain names to perform a full audit of all the exposed data attackers could exploit. Contact our sales team to learn more about products and solutions.