Research and Development

Use malware and vulnerability research, open-source tools, and opinions to provide realistic adversary simulations.

The Coalfire Labs Research and Development (R&D) team creates cutting-edge, open-source security tools that provide our clients with more realistic adversary simulations and advance operational tradecraft for the security industry.

The Coalfire Labs R&D division identifies previously unknown vulnerabilities, provides firsthand knowledge of and insight into the latest malware trends and attacker TTPs (Tactics, Techniques, and Procedures), and develops and contributes to the security tools commonly used by the security community. The R&D team also builds custom tooling to support Coalfire's Red Team and Penetration Testing operations and provide additional value to customers.

We strive to use our expertise to improve all aspects of information security and to constantly push forward the state of the industry.

Featured Tools


DeathMetal

DeathMetal abuses the legitimate remote-management capabilities of Intel AMT (Active Management Technology).


NPK

NPK provides an effective, low-upkeep method for leveraging cloud GPU-based hash cracking. Featuring a serverless support layer, NPK eliminates the risk of runaway instances, enforces removal of usernames, and provides support for multiple attack types.


iOS 11 Jailbreak

This jailbreak works for iOS 11.1.2 (15B202) and enables running unsigned code, a remote shell, full file system access, and live kernel memory introspection. Read the white paper.


AmazonSecurityScanner

AmazonSecurityScanner is a script that scans an EC2 instance for potential AWS-related attack surface. It is intended for rapid post-exploitation reconnaissance on a compromised EC2 instance.

-----------------------------------------------------

AngryHippo

This script was designed to attack the HippoConnect protocol, which is used with the HippoRemote iPhone app and the HippoConnect listener.

-----------------------------------------------------

CrestCrack

CrestCrack is a simple script that exploits CVE-2016-5640 / CLVA-2016-05-002 in the Crestron AirMedia AM-100 (v1.1.1.11 - v1.2.1). When supplied with the target and listener arguments, CrestCrack uses netcat on the target to open a reverse shell back to a netcat listener of your choice.

-----------------------------------------------------

DeathMetal

DeathMetal abuses the legitimate remote-management capabilities of Intel AMT (Active Management Technology).

-----------------------------------------------------

DeathStar

DeathStar is a Python script that uses Empire's RESTful API to automate the attainment of domain admin rights in Active Directory environments through a variety of techniques.

-----------------------------------------------------

Dissonance

This script was designed to spoof a Synergy server and entice users to connect to it.

-----------------------------------------------------

HandyHeaderHacker

HandyHeaderHacker is a script that examines the HTTP response headers returned by a server and compares them against security best practices (missing, weak, or information-leaking headers). You can analyze a web server with a single request.
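The check described above, as an added example that is not HandyHeaderHacker's own code: a single response's headers are audited for the usual hardening headers, for information-leaking headers, and for cookie flags. The header list, the "weak"/"missing"/"leaks" verdicts, and the sample response below are this example's own assumptions, not the tool's.

```python
"""Audit one HTTP response's headers for common security practice.

Added example (not HandyHeaderHacker's code). The expected-header table and
the verdict names are assumptions made for this example; the sample response
at the bottom is constructed, so the script runs offline.
"""
import http.client
from urllib.parse import urlparse

# Header -> predicate that decides whether the value is acceptable.
EXPECTED = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "content-security-policy": lambda v: "default-src" in v.lower() or "script-src" in v.lower(),
    "x-content-type-options": lambda v: v.strip().lower() == "nosniff",
    "x-frame-options": lambda v: v.strip().upper() in ("DENY", "SAMEORIGIN"),
    "referrer-policy": lambda v: bool(v.strip()),
}
# Headers that reveal implementation details and are better removed.
LEAKY = ("server", "x-powered-by", "x-aspnet-version")


def audit_headers(headers):
    """headers: iterable of (name, value) pairs, duplicates allowed.

    Returns {check: verdict} where verdict is 'ok', 'missing', 'weak', 'leaks',
    or 'weak (...)' for cookies lacking Secure/HttpOnly.
    """
    merged, cookies = {}, []
    for name, value in headers:
        key = name.strip().lower()
        if key == "set-cookie":          # Set-Cookie legitimately repeats; keep them all
            cookies.append(value)
        else:
            merged[key] = value          # last occurrence wins for other headers
    findings = {}
    for name, check in EXPECTED.items():
        if name not in merged:
            findings[name] = "missing"
        else:
            findings[name] = "ok" if check(merged[name]) else "weak"
    for name in LEAKY:
        if name in merged:
            findings[name] = "leaks"
    for raw in cookies:
        cookie_name = raw.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in raw.split(";")[1:]}
        problems = [flag for flag, attr in (("no Secure", "secure"), ("no HttpOnly", "httponly"))
                    if attr not in attrs]
        findings["set-cookie:" + cookie_name] = "ok" if not problems else "weak (" + ", ".join(problems) + ")"
    return findings


def fetch_headers(url, timeout=10):
    """The single request against a live server: GET the path and return its headers."""
    u = urlparse(url)
    conn_cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(u.hostname, u.port, timeout=timeout)
    conn.request("GET", u.path or "/", headers={"User-Agent": "header-audit/0.1"})
    resp = conn.getresponse()
    headers = resp.getheaders()
    conn.close()
    return headers


# Constructed sample response (not captured from a real server).
SAMPLE_HEADERS = [
    ("Server", "Apache/2.4.41 (Ubuntu)"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-Frame-Options", "ALLOW-FROM https://example.com"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for check, verdict in sorted(audit_headers(SAMPLE_HEADERS).items()):
        print(f"{check:40s} {verdict}")
```

Against a live target, pass `fetch_headers("https://host/")` to `audit_headers` instead of the constructed list. Cookies are kept as a list rather than merged because a site commonly sets several, and a single weak one is still a finding.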

-----------------------------------------------------

Hwacha

Hwacha is a tool to quickly execute payloads on *nix-based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.

-----------------------------------------------------

Icebreaker

Break the ice with that cute Active Directory environment over there. When you're cold and alone staring into an Active Directory party but don't possess a single AD credential to join the fun, this tool's for you.

-----------------------------------------------------

iOS 11 Jailbreak

This jailbreak works for iOS 11.1.2 (15B202) and enables running unsigned code, a remote shell, full file system access, and live kernel memory introspection. Read the white paper.

-----------------------------------------------------

Java Deserialization Exploit

Here you’ll find a collection of curated Java Deserialization Exploits.

-----------------------------------------------------

LANs.py

With LANs.py, you can automatically find the most active WLAN users, and then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.

-----------------------------------------------------

Malrule

This quick and painless utility generates malicious Outlook Web Access (OWA) mailbox rules.

-----------------------------------------------------

Net-creds

Thoroughly sniff passwords and hashes from an interface or .pcap file with Net-creds. It concatenates fragmented packets and does not rely on ports for service identification.

-----------------------------------------------------

NorkNork

This script was designed to identify PowerShell Empire persistence payloads on Windows systems.

-----------------------------------------------------

NPK

NPK provides an effective, low-upkeep method for leveraging cloud GPU-based hash cracking. Featuring a serverless support layer, NPK eliminates the risk of runaway instances, enforces removal of usernames, and provides support for multiple attack types.

-----------------------------------------------------

Pentest machine

Automates some pentesting work from an Nmap XML file: for each open service it finds, it runs a matching follow-up command. As soon as each command finishes, it writes the output to the terminal and to files under output-by-service/ and output-by-host/.
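The workflow described above, as an added example that is not the Pentest machine tool's own code: parse an Nmap XML file, keep only open ports on hosts that are up, map each service name to a follow-up command, and record each result under both output-by-host/ and output-by-service/. The command templates and the scan file below are this example's own assumptions.

```python
"""Drive per-service follow-up commands from an Nmap XML scan.

Added example, not the Pentest machine tool's code. The output layout follows
the page's description; the COMMANDS table and SAMPLE_NMAP_XML are assumptions
constructed for this example.
"""
import os
import shlex
import subprocess
import xml.etree.ElementTree as ET

# Assumed follow-up command per Nmap service name; {host}/{port} are filled in.
COMMANDS = {
    "http": "nikto -h http://{host}:{port}",
    "https": "nikto -h https://{host}:{port}",
    "ssh": "nmap -p {port} --script ssh2-enum-algos {host}",
    "microsoft-ds": "enum4linux -a {host}",
}


def parse_open_ports(xml_text):
    """Return [(host, port, service)] for every open port on every host that is up.
    An http service with tunnel="ssl" is reported as https so it gets the right command."""
    root = ET.fromstring(xml_text)
    results = []
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") in ("ipv4", "ipv6")), None)
        if addr is None:
            continue
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue  # closed/filtered ports get no follow-up
            svc = port.find("service")
            name = svc.get("name", "unknown") if svc is not None else "unknown"
            if name == "http" and svc is not None and svc.get("tunnel") == "ssl":
                name = "https"
            results.append((addr, int(port.get("portid")), name))
    return results


def plan(xml_text, outdir="."):
    """Build the command for each open service plus the two paths its output goes to."""
    entries = []
    for host, port, service in parse_open_ports(xml_text):
        template = COMMANDS.get(service)
        if template is None:
            continue  # no follow-up defined for this service
        entries.append({
            "host": host, "port": port, "service": service,
            "command": template.format(host=host, port=port),
            "by_host": os.path.join(outdir, "output-by-host", host, f"{port}-{service}.txt"),
            "by_service": os.path.join(outdir, "output-by-service", service, f"{host}-{port}.txt"),
        })
    return entries


def run(entries, timeout=600):
    """Execute each planned command; print its output and write it to both locations."""
    for e in entries:
        try:
            proc = subprocess.run(shlex.split(e["command"]), capture_output=True,
                                  text=True, timeout=timeout)
            output = proc.stdout + proc.stderr
        except (FileNotFoundError, subprocess.TimeoutExpired) as exc:
            output = f"[{e['command']}] failed: {exc}\n"
        print(f"=== {e['command']}\n{output}")
        for path in (e["by_host"], e["by_service"]):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(output)


# Constructed scan output (not a real scan): one host down, one filtered port.
SAMPLE_NMAP_XML = """<nmaprun>
 <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
  <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
  <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
 </ports></host>
 <host><status state="up"/><address addr="10.0.0.7" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
 </ports></host>
 <host><status state="down"/><address addr="10.0.0.9" addrtype="ipv4"/></host>
</nmaprun>"""

if __name__ == "__main__":
    for e in plan(SAMPLE_NMAP_XML):          # dry run: print the plan only
        print(e["command"], "->", e["by_host"])
```

Pass `open("scan.xml").read()` to `plan()` and hand the result to `run()` to execute against a real scan; `plan()` alone is a dry run, which is worth reviewing before launching tools such as nikto at every discovered web port.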

-----------------------------------------------------

pOSt-eX

This script creates a new rule in the OS X Mail application to automatically trigger an AppleScript payload when an email is received with a trigger word in its subject line.

-----------------------------------------------------

Red Baron

Red Baron is a set of modules and custom, third-party providers for Terraform that automates the creation of resilient, disposable, secure, and agile infrastructure for red teams, while simultaneously reducing the amount of code required and making it as accessible as possible.

-----------------------------------------------------

sLNKy

sLNKy is a utility that automates the process of generating and dropping malicious LNK files on SMB shares.

-----------------------------------------------------

Slackor

Slackor is a Remote Access Tool (RAT) written in Go that uses Slack as its command and control (C2) channel.

-----------------------------------------------------

Vampire

Vampire integrates Cobalt Strike with BloodHound by providing an Aggressor script that adds a "mark-owned" right-click option to beacons.

-----------------------------------------------------

Wifijammer

Continuously jam all Wi-Fi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation.

-----------------------------------------------------

WPForce

WPForce is a suite of WordPress attack tools. Currently, this contains two scripts: WPForce, which brute forces logins via the API; and Yertle, which uploads shells once admin credentials have been found and contains a number of post-exploitation modules.

-----------------------------------------------------

Xsscrapy

Xsscrapy is a fast, thorough XSS/SQLi spider that tests every link it finds for cross-site scripting and some SQL injection vulnerabilities. See the FAQ for more details about SQLi detection.