Red Team Command and Control Frameworks

The framework is a comprehensive penetration testing platform designed for the development, testing, and execution of security exploits. It serves as a research toolkit and automated assessment environment, enabling security professionals to identify and validate vulnerabilities within networked systems and infrastructure through repeatable, standardized procedures. The platform distinguishes itself through a modular architecture that supports reflective payload injection, allowing for the execution of code directly in memory without writing to disk. It utilizes an asynchronous event loop to manage high-performance, concurrent network connections and features a transport-agnostic communication layer that abstracts protocols to maintain persistent command and control. Users can extend the core functionality through a plugin system and define complex exploit logic using a domain-specific language. The framework provides robust capabilities for remote payload management, including the configuration of network settings like sleep intervals and timeout thresholds. It maintains state persistence across long-running sessions by storing discovered host information and vulnerability data in a relational database. The software is designed for cross-platform deployment, with installation support available for Linux, macOS, and Windows environments.

Commando VM is a Windows-based penetration testing distribution and offensive security virtual machine. It serves as a toolset manager for deploying and maintaining a curated collection of security tools, scripts, and configurations designed for security auditing, red teaming, and adversary simulation. The project automates the provisioning of a specialized workstation by using PowerShell scripts and a modular repository to orchestrate the installation of offensive security software. It utilizes a community-driven package manager to handle dependency resolution and binary installations, ensuring a consistent environment for conducting network attacks and vulnerability research. The distribution further optimizes the host operating system through post-installation environment configurations, including system-wide registry changes and environment variable updates. These capabilities provide a dedicated infrastructure for performing formal security assessments and simulating advanced adversary tactics.

This project is a comprehensive cybersecurity tool collection designed to support security research, penetration testing, and vulnerability assessment. It functions as a unified penetration testing suite, providing a centralized environment where professionals can access a wide range of offensive security utilities to identify system weaknesses and study attack vectors. The platform distinguishes itself through a modular architecture that aggregates disparate security scripts into a single, hierarchical command-line interface. It simplifies the management of these utilities by integrating external repositories, allowing users to fetch and organize third-party tools directly into a structured local directory. By utilizing a categorized menu system and shell-based process execution, the suite enables efficient navigation and direct invocation of specialized tools for tasks ranging from forensic analysis and reverse engineering to exploit development. The toolkit covers a broad spectrum of security domains, including web and wireless attack vectors, cloud security, payload creation, and social media analysis. It also incorporates automated environment setup to handle the installation of necessary system packages and language runtimes, ensuring compatibility across its diverse collection of utilities.

This project is an automated security testing suite designed to detect and exploit database vulnerabilities. It functions as a command-line utility that streamlines the identification, verification, and exploitation of web application flaws by automating the injection of malicious payloads into input parameters. The tool provides a comprehensive framework for database enumeration, allowing users to extract schema information, user data, and system configurations from identified injection points. What distinguishes this tool is its sophisticated engine for dynamic payload adaptation and heuristic fingerprinting, which adjusts injection techniques in real-time based on server responses. It supports advanced post-exploitation capabilities, including remote command execution on the underlying host operating system and file system access through database-level vulnerabilities. To navigate restricted environments, the software incorporates out-of-band data exfiltration channels and a middleware pipeline for applying user-defined transformations to bypass security filters and web application firewalls. The suite covers a broad range of operational requirements, including stateful session management, anti-CSRF token handling, and extensive request customization. It supports various target specification methods, such as proxy log analysis and remote API management, while offering granular control over scan performance and detection thresholds. The software is distributed as a command-line application, with configuration management supported through external file loading and command-line arguments.

Osintgram is a command-line utility designed for open-source intelligence gathering and the extraction of public data from social media profiles. It functions as a framework for collecting and processing user information to assist in digital investigations and the mapping of digital footprints. The tool distinguishes itself through a modular architecture that organizes intelligence-gathering tasks into independent scripts, all sharing a unified session state and data processing pipeline. It utilizes headless browser automation and session-based interactions to mimic legitimate user behavior, allowing for the retrieval of metadata and content from public accounts while navigating authentication flows. The software provides a structured approach to social media behavioral analysis, transforming raw network responses into normalized data for consistent reporting. It supports the identification of activity trends and engagement habits by automating the retrieval of information across various digital platforms.

This project is a shell scripting environment and task automation toolset that enables the execution of system commands directly within JavaScript. It functions as a process execution wrapper, providing a unified interface for spawning external utilities, managing system processes, and orchestrating complex workflows. The tool distinguishes itself by using tagged template literals to automatically escape shell arguments, which prevents command injection vulnerabilities during execution. It supports both synchronous and asynchronous command execution, allowing developers to choose between blocking the main thread for sequential logic or utilizing promise-based non-blocking patterns for concurrent operations. The environment covers a broad range of automation capabilities, including cross-platform task orchestration, infrastructure pipeline scripting, and real-time stream redirection. It provides primitives for capturing standard output, standard error, and exit codes, facilitating reliable error handling and control flow logic across different operating systems.

My thoughts from going through the OSEP materials.

This project is a comprehensive, community-sourced knowledge base designed for security professionals and researchers. It functions as a centralized repository of offensive security techniques, providing a structured collection of exploit payloads, attack vectors, and methodologies for conducting vulnerability assessments and penetration testing. The repository distinguishes itself through a cross-platform payload taxonomy that categorizes exploitation methods by vulnerability type and target environment, enabling rapid lookup during security assessments. It maintains high standards of data integrity and collaborative growth by utilizing version-controlled knowledge management and template-driven content generation, ensuring that the research remains current and consistent across a wide range of technical domains. The project covers a broad capability surface, including detailed references for web application security, database injection, insecure deserialization, and AI model security testing. It also aggregates external resources, such as research papers and third-party tools, to provide a holistic view of modern threat analysis and defensive research. The documentation is organized as a hierarchical tree of markdown files, designed for easy navigation and reference during active security engagements.

This project is a research-oriented repository that serves as a centralized database for system-level prompts and internal behavioral instructions extracted from various large language models. Its primary purpose is to provide a transparent, accessible reference for researchers and developers to study how artificial intelligence models are configured, constrained, and governed. The repository distinguishes itself by cataloging the hidden directives and operational guidelines that define model personas and safety boundaries. By archiving these instruction sets, it enables comparative analysis of how different models maintain their internal logic and respond to user interactions. The project functions as a resource for investigating the transparency of AI systems, offering a structured collection of data that helps clarify the underlying mechanisms of model behavior. It supports the broader goal of understanding the configuration and constraints inherent in modern language models.

Goose is an extensible agentic AI platform designed for autonomous task orchestration and developer-centric assistance. It provides a workflow engine that manages complex, multi-step objectives by delegating tasks to specialized subagents, all while maintaining stateful session continuity. The system is built to integrate directly into terminal and coding environments, allowing for automated file manipulation and context-aware interaction. The platform distinguishes itself through a secure, sandboxed runtime environment that enforces granular permission controls and policy-driven guardrails. By utilizing a standardized protocol-based architecture, it allows users to connect external tools, services, and third-party models as modular extensions. This framework supports the creation of reproducible automation recipes, which can be configured, shared, and executed to standardize recurring workflows across different projects. Beyond its core orchestration capabilities, the system includes comprehensive developer tooling for session management, interaction logging, and terminal-based interfaces. It supports advanced automation tasks, including browser-based testing and external service integration, through a flexible extension lifecycle that allows for dynamic toolset adjustments during active sessions.

Goose is an autonomous coding assistant and extensible AI agent framework designed to automate software development workflows. It functions as an orchestration engine that can install, execute, and test code, as well as manage local files and shell commands. The platform is model-agnostic, providing a flexible interface to connect with diverse cloud-based or self-hosted large language model providers. It distinguishes itself through a standardized context protocol for integrating external tools and extensions, and a recipe system that allows users to define and repeat complex, multi-step AI workflows using parameterized YAML configurations. The system covers a broad range of capabilities including AI software engineering, local development automation, and the creation of tailored agent distributions with custom branding. It also incorporates session-based context management, voice input transcription, and containerized execution environments for consistent deployment. The project is implemented in Rust and provides a command-line interface alongside a desktop graphical user interface.

Mitmproxy is an interactive, programmable network proxy engine designed for traffic analysis and protocol manipulation. It functions as a gateway that intercepts, inspects, and modifies network traffic in real-time, supporting HTTP, HTTPS, WebSocket, DNS, and generic TCP or UDP streams. By acting as a trusted certificate authority, the proxy can dynamically generate and sign certificates to decrypt and analyze secure TLS-encrypted connections. The project distinguishes itself through a highly extensible, event-driven architecture that allows users to automate traffic transformation using custom scripts. It provides a unified command-based interface for manual interaction, enabling users to define custom key bindings, content views, and command-line tools. The engine supports multiple operational modes, including explicit, transparent, reverse, and SOCKS proxying, as well as a userspace WireGuard VPN mode for capturing traffic without requiring client-side configuration changes. Beyond basic interception, the platform includes comprehensive tools for recording and replaying network conversations to simulate complex interactions or automate repetitive tasks. It offers advanced capabilities such as request blocking, header and body modification, and local resource mapping. The system also provides robust support for debugging and performance analysis, including integration with external tools through secret logging and structured data representation. The software is designed for rapid iteration, featuring live script reloading that updates custom logic without restarting the proxy process. It includes extensive documentation for managing certificates, configuring proxy modes, and implementing custom addons through a well-defined programmatic interface.

This project is a comprehensive framework for building and managing autonomous agent systems. It provides a unified architecture for orchestrating multi-agent societies, where specialized agents collaborate through roleplay to decompose and solve complex tasks. The system integrates language models with external environments, enabling agents to perform real-world actions through a standardized tool-calling abstraction layer. The framework distinguishes itself through its focus on iterative reasoning and data reliability. It employs automated feedback loops to refine agent outputs and self-evaluate reasoning traces, ensuring high-quality results. To maintain operational integrity, the system enforces schema-based output parsing for reliable workflow integration and utilizes sandboxed environments for secure, isolated code execution. Beyond its core orchestration capabilities, the project includes a suite of utilities for retrieval-augmented generation and synthetic data production. It supports persistent memory management via vector-based context retrieval and provides extensive tooling for web automation, API integration, and human-in-the-loop oversight. The platform is designed to be model-agnostic, offering a consistent interface for interacting with a wide range of proprietary and open-source language models.

GoodbyeDPI is a censorship circumvention utility designed to bypass deep packet inspection and restrictive network filtering. It functions as a background engine that intercepts and modifies network traffic at the kernel level, allowing users to maintain connectivity in environments where specific protocols or web content are blocked. The tool employs active manipulation techniques to confuse inspection hardware, including TCP stream fragmentation, HTTP header obfuscation, and the injection of out-of-order packets. By altering packet structures and dropping specific redirection patterns, it masks browsing activity and prevents automated systems from identifying or blocking outgoing requests. The application operates as a persistent system service, ensuring that traffic filtering remains active across reboots. Users manage these operations through a command-line interface, which provides granular control over packet modification strategies, DNS redirection, and various bypass parameters.

This wiki is intended to provide a resource for setting up a resilient Red Team infrastructure. It was made to complement Steve Borosh (@424f424f) and Jeff Dimmock's (@bluscreenofjeff) BSides NoVa 2017 talk "Doomsday Preppers: Fortifying Your Red Team Infrastructure" (slides)

This project provides a command-line interface for managing autonomous agent workflows, task orchestration, and system-level automation. It includes a comprehensive framework for defining agent skills, managing persistent memory, and delegating tasks to specialized subagents. Users can configure complex planning modes, execute shell commands with safety constraints, and integrate external tools through standardized protocols. The platform supports non-interactive execution via a headless mode and provides an event-driven hook framework for custom lifecycle automation. It features centralized configuration for model routing, system prompts, and cost management, alongside a modular extension system for adding custom commands and capabilities. The interface also includes diagnostic tools, file system management utilities, and repository-level automation for maintenance tasks.

Owl is a framework for agentic workflow automation and multi-agent orchestration. It functions as a system for coordinating autonomous large language model agents to decompose and execute complex tasks through shared communication and collaborative planning. The project distinguishes itself through a multi-modal toolset for processing images, audio, and video, alongside a synthetic data generator that produces domain-specific datasets using self-instruct and verifier loops. It further incorporates a retrieval-augmented generation pipeline framework that integrates long-term memory and real-time web retrieval to ground model responses. Broad capabilities include browser process automation for simulating user interactions, interpreter-based code execution for system automation and data visualization, and the management of agent workforce organization via hierarchical task decomposition and workforce learning. The system includes a local interface for model configuration management and the handling of provider API keys.

Certbot is a command-line client designed to automate the lifecycle of digital security certificates. By implementing the ACME protocol, it manages the communication between a local server and a certificate authority to verify domain ownership and issue transport layer security certificates without manual intervention. The tool distinguishes itself through a modular plugin architecture that allows it to interact directly with various web server configurations and DNS providers. This framework enables the software to perform automated domain validation, modify server settings, and configure virtual hosts to establish encrypted connections. Beyond initial issuance, the software provides automated renewal and persistent tracking of certificate lifecycles, private keys, and configuration history. It functions as a comprehensive utility for web server security hardening and the management of public key infrastructure across distributed environments.