GhostPack is a collection of security tools primarily authored by @harmj0y and the SpecterOps team. These tools should only be used in authorized security testing or educational environments.

Overview

GhostPack is a renowned collection of offensive security tools written primarily in C# for Windows and Active Directory environments. These tools assist security professionals in penetration testing, red teaming, and security auditing, covering everything from Kerberos attacks to credential extraction and privilege escalation.

18+ Repositories

Comprehensive suite of specialized security utilities

C# / .NET

Built on .NET Framework for Windows environments

Active Development

Regularly updated with new features and improvements

Open Source

Community-driven with contributions from security researchers

📖 Fully Documented Tools

These GhostPack tools have comprehensive documentation available in this wiki:

🎭 Kerberos & Authentication

Rubeus

“Trying to tame the three-headed dog”
Comprehensive toolkit for raw Kerberos interaction and abuse. Supports ticket requests, extraction, manipulation, roasting (Kerberoast/AS-REP roast), delegation abuse, and golden/silver/diamond ticket operations.
Commands: asktgt, asktgs, dump, ptt, kerberoast, asreproast, s4u, golden, silver, diamond, and more

Certify

Active Directory Certificate Services (AD CS) Attacks
Identifies and exploits misconfigurations in AD CS environments. Comprehensive coverage of all known AD CS attack techniques (ESC1-ESC16).
Techniques: Certificate abuse, persistence, domain persistence, privilege escalation via certificates

🔐 Credential Access & Extraction

SharpDPAPI

DPAPI Credential Extraction
C# toolkit for interacting with Windows Data Protection API (DPAPI). Extracts credentials from vaults, Chrome browsers, RDG files, KeePass databases, certificates, and SCCM secrets.
Commands: triage, masterkeys, credentials, vaults, rdg, keepass, certificates, sccm

SafetyKatz

Mimikatz with .NET PE Loader
Combination of a modified Mimikatz with @subTee’s .NET PE Loader for in-memory credential extraction with OPSEC considerations.
Features: In-memory execution, credential dumping, minimal disk writes

🔍 Enumeration & Reconnaissance

Seatbelt

Host Enumeration & Safety Checks
Comprehensive Windows security enumeration tool with 120+ commands. Performs “safety checks” for both offensive and defensive security perspectives.
Groups: System, User, Misc, Chromium, Slack, Remote

SharpUp

Privilege Escalation Enumeration
C# port of PowerUp functionality. Identifies common Windows privilege escalation vectors without weaponization.
15 Checks: Services, registry, credentials, DLL hijacking, tokens

SharpWMI

WMI Operations
C# implementation of WMI functionality for enumeration, lateral movement, and remote execution with AMSI evasion.
Actions: query, exec, ps, firewall, upload, install, environment variables

🛠️ Additional GhostPack Tools

The following tools are part of the GhostPack collection. Full documentation coming soon:

Credential & Certificate Tools

ForgeCert

Golden Certificates
Forge certificates for arbitrary users using stolen CA certificates and private keys. Create persistent backdoors via certificate abuse.

KeeThief

KeePass Attack Methods
Methods for attacking KeePass 2.X databases, including extracting encryption key material from memory and master keys.

Utility Tools

Lockless

Locked File Access
Allows copying of locked files without triggering file locks. Useful for exfiltrating files that are normally inaccessible.

SharpDump

Process Memory Dumping
C# port of PowerSploit’s Out-Minidump.ps1 for dumping process memory, particularly useful for LSASS dumping.

PSPKIAudit

AD CS Auditing
PowerShell toolkit for Active Directory Certificate Services auditing based on the PSPKI toolkit.

DeepPass

Password Analysis
Password extraction and analysis utilities for security assessments.

Deprecated Tools

SharpRoast was a C# port of PowerView’s Kerberoasting functionality. This functionality has been superseded by Rubeus, which provides more comprehensive Kerberos attack capabilities.
Use Rubeus kerberoast instead.

Research & POC Tools

RAGnarok

Nemesis-powered RAG Chatbot
A Retrieval-Augmented Generation (RAG) chatbot proof-of-concept powered by Nemesis for offensive security operations.

RestrictedAdmin

Restricted Admin Research
Tools and research around Windows Restricted Admin mode and related security mechanisms.

🎯 Tools by Use Case

Credential Harvesting:
  • SharpDPAPI - Extract saved credentials
  • SafetyKatz - Dump credentials from memory
  • KeeThief - Extract KeePass master keys

🚀 Getting Started

1. Choose Your Tool

Select the appropriate tool for your assessment needs from the categories above

2. Review Documentation

Read the comprehensive documentation for each tool (links in the tool cards)

3. Obtain or Build

Option 1: Clone and Build
    git clone https://github.com/GhostPack/[TOOL_NAME]
    cd [TOOL_NAME]
Open in Visual Studio and build, or use .NET CLI:
    dotnet build
Option 2: Pre-compiled Binaries
Pre-compiled binaries may be available from community repositories

4. Review OPSEC Considerations

Each tool has detection considerations documented. Review before operational use.

5. Execute with Authorization

Only use tools during authorized penetration tests or in controlled lab environments

🎓 Learning Resources

GitHub Organization

Official GhostPack repositories with source code and individual tool documentation

SpecterOps Blog

Research articles, attack techniques, and tool announcements from the SpecterOps team

BloodHound Slack

Community discussions, tool support, and collaboration with other security professionals

Certified Pre-Owned

Comprehensive AD CS research paper by Will Schroeder & Lee Christensen (basis for Certify)

HarmJ0y Blog

Personal blog of @harmj0y with deep technical articles on Windows and AD security

Training Courses

Professional training from SpecterOps covering GhostPack tools and attack techniques

⚠️ Operational Security

Detection Considerations
All GhostPack tools generate telemetry that can be detected by EDR, SIEM, and other security monitoring solutions. Review the detection sections in each tool’s documentation before operational use.
Common Detection Vectors:
  • Process Creation: C# executable launches
  • Command Line: Tool-specific arguments and parameters
  • Network Traffic: Kerberos requests, WMI connections
  • Registry Access: Service queries, autorun enumeration
  • File System: DPAPI blob reads, credential file access
  • Memory Operations: LSASS access, process injection
  • Windows Events: Security logs, Sysmon, PowerShell logging
OPSEC Recommendations:
  • Use tools from memory when possible
  • Consider obfuscation for critical operations
  • Space out enumeration activities
  • Blend with normal admin activity patterns
  • Review tool-specific OPSEC guidance in documentation

🤝 Contributing

GhostPack welcomes contributions from the security community:
1. Fork Repository

Fork the specific tool repository you want to contribute to

2. Create Feature Branch

    git checkout -b feature/your-improvement

3. Make Changes

Implement your improvements following the project’s coding standards

4. Test Thoroughly

Test your changes in multiple environments

5. Submit Pull Request

Submit a PR with a clear description of changes and testing performed

👥 Credits

GhostPack tools are developed and maintained by:
Primary Authors:
Organization:
  • SpecterOps - Offensive security research and operations
Community:
  • Numerous contributors from the security community
  • Issue reporters and testers
  • Documentation contributors

📝 License

Most GhostPack tools are released under the BSD 3-Clause License. Check individual repositories for specific licensing information.
For the latest updates, new tool releases, and announcements, follow the GhostPack GitHub organization and @harmj0y on Twitter.