• Stars
    star
    5,071
  • Rank 8,205 (Top 0.2 %)
  • Language
    Python
  • Created over 9 years ago
  • Updated 6 months ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

The Penetration Testers Framework (PTF) is a way for modular support for up-to-date tools.

The PenTesters Framework (PTF)

A TrustedSec Project - Copyright 2022

Written by: David Kennedy (@HackingDave)

https://www.trustedsec.com

Twitter: @TrustedSec, @HackingDave

The PenTesters Framework (PTF) is a Python script designed for Debian/Ubuntu/ArchLinux based distributions to create a similar and familiar distribution for Penetration Testing. As pentesters, we've been accustom to the /pentest/ directories or our own toolsets that we want to keep up-to-date all of the time. We have those "go to" tools that we use on a regular basis, and using the latest and greatest is important.

PTF attempts to install all of your penetration testing tools (latest and greatest), compile them, build them, and make it so that you can install/update your distribution on any machine. Everything is organized in a fashion that is cohesive to the Penetration Testing Execution Standard (PTES) and eliminates a lot of things that are hardly used. PTF simplifies installation and packaging and creates an entire pentest framework for you. Since this is a framework, you can configure and add as you see fit. We commonly see internally developed repos that you can use as well as part of this framework. It's all up to you.

The ultimate goal is for community support on this project. We want new tools added to the github repository. Submit your modules. It's super simple to configure and add them and only takes a few minute.

Installation

PTF requires python-pexpect in order to work appropriately.

Run the following command below:

pip install -r requirements.txt
./ptf

Instructions:

First check out the config/ptf.config file which contains the base location of where to install everything. By default this will install in the /pentest directory. Once you have that configured, move to running PTF by typing ./ptf (or python ptf).

This will put you in a Metasploitesque type shell which has a similar look and feel for consistency. Show modules, use <modules>, etc. are all accepted commands. First things first, always type help or ? to see a full list of commands.

For a video tutorial on how to use PTF, check out our Vimeo page here: https://vimeo.com/137133837

Update EVERYTHING!

If you want to install and/or update everything, simply do the following:

./ptf
use modules/install_update_all
yes

This will install all of the tools inside of PTF. If they are already installed, this will iterate through and update everything for you automatically.

You can also individually install each module, then use the use modules/update_installed which will only update what you've previously installed.

For example:

./ptf
use modules/update_installed

This will only update previous ones you've installed.

You can also show options to change information about the modules.

If you only want to install only for example exploitation tools, you can run:

./ptf
use modules/exploitation/install_update_all

This will only install the exploitation modules. You can do this for any module category.

Customize your own installed tools

You can install only the tools you want to by going to the modules/custom_list/list.txt section. Modify the list.txt file and add the tools you only want to install or update.

Example list.txt file:

modules/exploitation/metasploit modules/post-exploitation/unicorn

Then when in PTF:

./ptf
use modules/custom_list/list
yes

This allows you to carry your module configuration over and only install the tools that you want and keep them updated.

You can also simply specify a module without using the category:

./ptf
use trevorc2
yes

Modules:

First, head over to the modules/ directory, inside of there are sub directories based on the Penetration Testing Execution Standard (PTES) phases. Go into those phases and look at the different modules. As soon as you add a new one, for example testing.py, it will automatically be imported next time you launch PTF. There are a few key components when looking at a module that must be completed.

Below is a sample module

AUTHOR="David Kennedy (ReL1K)"

DESCRIPTION="This module will install/update the Browser Exploitation Framework (BeEF)"

INSTALL_TYPE="GIT"

REPOSITORY_LOCATION="https://github.com/beefproject/beef"

X64_LOCATION="https://github.com/something_thats_x64_instead_of_x86

INSTALL_LOCATION="beef"

DEBIAN="ruby1.9.3,sqlite3,ruby-sqlite3"

ARCHLINUX = "arch-module,etc"

BYPASS_UPDATE="NO"

AFTER_COMMANDS="cd {INSTALL_LOCATION},ruby install-beef"

LAUNCHER="beef"

TOOL_DEPEND="modules/exploitation/metasploit"

Module Development:

All of the fields are pretty easy, on the repository locations, you can use GIT, SVN FILE, OR TAGS. Fill in the depends, and where you want the install location to be. PTF will take where the python file is located (for example exploitation) and move it to what you specify in the PTF config (located under config). By default it installs all your tools to /pentest/PTES_PHASE/TOOL_FOLDER

Note in modules, you can specify after commands {INSTALL_LOCATION}. This will append where you want the install location to go when using after commands.

You can also specify {PTF_LOCATION} which will pull the base path for your PTF installation.

You also have the ability for repository locations to specify both a 32 bit and 64 bit location. Repository location should always be the x86 download path. To add a 64 bit path for a tool, specify X64_LOCATION and give it a URL. When PTF launches it will automatically detect the architecture and attempt to use the x64 link instead of the x86.

Note that ArchLinux packages are also supported, it needs to be specified for both DEBIAN and ARCH in order for it to be properly installed on either platform in the module

When using the TAGS mode, this will allow you to use a github project that utilizes tags to pull the latest version (usually compiled applications) and automatically download. In order to use the TAGS method, take a look at the structure under modules/intelligence-gathering/teamfiltration.py. In this example, there is no need for a repository_location, but you will need to know the project owner, project name/repo, and the filename to download. In the example of TeamFiltration, it is located at: https://github.com/Flangvik/TeamFiltration. The owner would be Flangvik, the project/tool would be TeamFiltration. If you navigate to releases: https://github.com/Flangvik/TeamFiltration/releases/, we can see here that the name of the file we want to download is "TeamFiltration_Linux". These are under the OWNER, REPOHOME, and FILENAME. Specifying these, PTF will automatically detect the latest release of the tool and install them.

GITLAB Support

You can create your own modules and PTF also supports gitlab access. Instead of specifying git, wget, etc., simply specify gitlab and point to your own internal gitlab tools for modules.

BYPASS UPDATES:

When using traditional git or svn as a main method, what will happen after a module is installed is it will just go and grab the latest version of the tool. With after commands, normally when installing, you may need to run the after commands after each time you update. If you specify bypass updates to YES (BYPASS_UPDATE="YES"), each time the tool is run, it will check out the latest version and still run after commands. If this is marked to no, it will only git pull the latest version of the system. For FILE options, it is recommended to always use BYPASS_UPDATE="YES" so that it will overwrite the files each time.

After Commands:

After commands are commands that you can insert after an installation. This could be switching to a directory and kicking off additional commands to finish the installation. For example in the BEEF scenario, you need to run ruby install-beef afterwards. Below is an example of after commands using the {INSTALL_LOCATION} flag.

AFTER_COMMANDS="cp config/dict/rockyou.txt {INSTALL_LOCATION}"

For AFTER_COMMANDS that do self install (don't need user interaction).

Automatic Launchers

The flag LAUNCHER= in modules is optional. If you add LAUNCHER="setoolkit" for example, PTF will automatically create a launcher for the tool under /usr/local/bin/. In the setoolkit example, when run - PTF will automatically create a file under /usr/local/bin/setoolkit so you can launch SET from anywhere by simply typing setoolkit. All files will still be installed under the appropriate categories, for example /pentest/exploitation/setoolkit however an automatic launcher will be created.

You can have multiple launchers for an application. For example, for Metasploit you may want msfconsole, msfvenom, etc. In order to add multiple launchers, simply put a , between them. For example LAUNCHER="msfconsole,msfvenom". This would create launchers for both.

Automatic Command Line

You can also just run ./ptf --update-all and it will automatically update everything for you without having to go into the framework.

Running Unattended

If you're running ptf in an automatic build, you can use a heredoc so you don't have to interactively type the modules you wish to install. Example:

./ptf <<EOF
use modules/exploitation/metasploit
run
use modules/password-recovery/johntheripper
run
EOF

TOOL DEPENDS

Some tools such as Veil, SET, etc. require tools such as the Metasploit Framework. You can add in the module TOOL_DEPEND="modules/exploitation/metasploit,module/exploitation/set" and multiple other tools if there is a tool required to be installed prior to installing the tool. This will force PTF to install the required tool first, then install the module that requires it. Example:

TOOL_DEPEND="modules/exploitation/metasploit"

This will install Metasploit first or ensured its installed first prior to installing the application.

IGNORE Modules or Categories

The IGNORE_THESE_MODULES= config option can be found under config/ptf.config in the PTF root directory. This will ignore modules and not install them - everything is comma separated and based on name - example: modules/exploitation/metasploit,modules/exploitation/set or entire module categories, like /modules/code-audit/*,/modules/reporting/*

IGNORE Modules from Update/Install All

The IGNORE_UPDATE_ALL_MODULES= config option can be found under config/ptf.config in the PTF root directory. This will ignore modules only when doing install_update_all which are used when you want to install all tools. This could be for large applications that take substantial time, ones that require user interaction, or open up a number of ports and protocols on the system. This works very similar in the IGNORE_THESE_MODULES, except that they can be manually installed and updated through the modules/update_installed. These are comma deliminated, so for example modules/exploitation/tool1,modules/exploitation/tool2, when running install_update_all, this would not install the tools unless you went to use modules/exploitation/tool1 and installed via that method.

INCLUDE_ONLY_THESE_MODULES

The INCLUDE_ONLY_THESE_MODULES in the config option under config/ptf.config will only install and include specific modules that are specified here. This is good for baselining the tools that you want and install only them.

LAUNCH PTF WITH NO BANNER

You can launch PTF with no banner message if you want. Simply specify:

./ptf --no-banner

or 

./ptf -nb

CHECK FOR INSTALLED PROGRAMS THROUGH PTF

You can check to see what applications you've already installed through PTF by typing the following:

ptf>show installed

More Repositories

1

social-engineer-toolkit

The Social-Engineer Toolkit (SET) repository from TrustedSec - All new versions of SET will be deployed here.
Python
10,592
star
2

unicorn

Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. Based on Matthew Graeber's powershell attacks and the powershell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.
Python
3,694
star
3

hate_crack

A tool for automating cracking methodologies through Hashcat from the TrustedSec team.
Python
1,628
star
4

CS-Situational-Awareness-BOF

Situational Awareness commands implemented using Beacon Object Files
C
1,230
star
5

trevorc2

TrevorC2 is a legitimate website (browsable) that tunnels client/server communications for covert command execution.
C
1,210
star
6

SysmonCommunityGuide

TrustedSec Sysinternals Sysmon Community Guide
CSS
1,119
star
7

CS-Remote-OPs-BOF

C
745
star
8

cve-2019-19781

This is a tool published for the Citrix ADC (NetScaler) vulnerability. We are only disclosing this due to others publishing the exploit code first.
Python
572
star
9

meterssh

MeterSSH is a way to take shellcode, inject it into memory then tunnel whatever port you want to over SSH to mask any type of communications as a normal SSH connection. The way it works is by injecting shellcode into memory, then wrapping a port spawned (meterpeter in this case) by the shellcode over SSH back to the attackers machine. Then connecting with meterpreter's listener to localhost will communicate through the SSH proxy, to the victim through the SSH tunnel. All communications are relayed through the SSH tunnel and not through the network.
Python
521
star
10

physical-docs

This is a collection of legal wording and documentation used for physical security assessments. The goal is to hopefully allow this as a template for other companies to use and to protect themselves when conducting physical security assessments.
469
star
11

COFFLoader

C
462
star
12

nps_payload

This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. Written by Larry Spohn (@Spoonman1091) Payload written by Ben Mauch (@Ben0xA) aka dirty_ben
Python
434
star
13

tap

The TrustedSec Attack Platform is a reliable method for droppers on an infrastructure in order to ensure established connections to an organization.
Python
376
star
14

orpheus

Bypassing Kerberoast Detections with Modified KDC Options and Encryption Types
Python
360
star
15

hardcidr

hardCIDR is a Linux Bash script, but also functions under macOS. Your mileage may vary on other distros. The script with no specified options will query ARIN and a pool of BGP route servers. The route server is selected at random at runtime.
Shell
356
star
16

egressbuster

Egressbuster is a method to check egress filtering and identify if ports are allowed. If they are, you can automatically spawn a shell.
Python
341
star
17

artillery

The Artillery Project is an open-source blue team tool designed to protect Linux and Windows operating systems through multiple methods.
326
star
18

spraywmi

SprayWMI is an easy way to get mass shells on systems that support WMI. Much more effective than PSEXEC as it does not leave remnants on a system.
Python
253
star
19

ELFLoader

C
246
star
20

ridenum

Rid_enum is a null session RID cycle attack for brute forcing domain controllers.
Python
228
star
21

The_Shelf

Retired TrustedSec Capabilities
Python
216
star
22

Obsidian-Vault-Structure

213
star
23

SeeYouCM-Thief

HTML
178
star
24

User-Behavior-Mapping-Tool

Python
159
star
25

specula

Python
158
star
26

spoonmap

Python
147
star
27

SliverKeylogger

C++
141
star
28

pivoter

Pivoter is a proxy tool for pentesters to have easier lateral movement.
C
139
star
29

CrackHound

Python
132
star
30

PPLFaultDumpBOF

C
131
star
31

cors-poc

HTML
128
star
32

SHIPS

The Shared Host Integrated Password System (SHIPS) is a solution to provide unique and rotated local super user or administrator passwords for environments where it is not possible or not appropriate to disable these local accounts. Clients may be configured to rotate passwords automatically. Stored passwords can be retrieved by desktop support personnel as required, or updated when a password has to be manually changed in the course of system maintenance. By having unique passwords on each machine and logging of password retrievals, security can be improved my making networks more resistant to lateral movement by attackers and enhancing the ability to attribute actions to individual persons.
JavaScript
127
star
33

CS_COFFLoader

C#
122
star
34

quicksql

QuickSQL is a simple MSSQL query tool that allows you to connect to MSSQL databases and does not require administrative level rights to use.
Python
100
star
35

tscopy

Python
88
star
36

HoneyBadger

Ruby
81
star
37

conqr

ConQR is an open source ticketing system for conferences to issue QRCode's in a quick, efficient, and easy manner.
Python
74
star
38

auto_SettingContent-ms

This is a quick POC for using the Matt Nelson (enigma0x3) technique for generating a malicious .SettingContent-ms extension type for remote code execution. This automates generating an HTA downloader and embeds it in the SettingContent-ms file for you and starts Apache.
Python
49
star
39

defensive-scripts

PowerShell
45
star
40

wpupdate

WPUpdate is a simple Linux service that automatically checks for a new version of Wordpress each night at 2AM.
Python
37
star
41

proxy_helper

Proxy Helper is a WiFi Pineapple module that will automatically configure the Pineapple for use with a proxy such as Burp Suite.
JavaScript
32
star
42

Windows-MS-LSAT-RPC-Example

Windows RPC example calling stubs generated from MS-LSAT and MS-LSAD
C
24
star
43

hash_parser

This is a hash parser that will export a rc file compatible with Metasploit. This is useful when compromising a separate domain and want to see if any of the credentials work on another domain or other systems.
Python
22
star
44

Zoinks

Manage Engine Decrypter
Python
22
star
45

VerifyELF

C
21
star
46

inProc_Evade_Get-InjectedThread

PoC code from blog
C
15
star
47

scriptkiddie-wmi-provider

C#
13
star
48

TCS_InjectionTechniques

C
12
star
49

RisingSun

RisingSun: Decoding SUNBURST C2 to identify infected hosts without network telemetry.
Go
9
star
50

LLVM-Obfuscation-Experiments

C
7
star