NetSPI Open Source Tools

NetSPI consultants dedicate time and resources to develop open-sourced tool sets that strengthen the infosec community.



PowerUpSQL supports SQL Server discovery, auditing for common weak configurations, and privilege escalation at scale for internal penetration testing and red team engagements.


MicroBurst includes functions and scripts that support Azure Services discovery, weak configuration auditing, and post exploitation actions such as credential dumping.


PowerHunt is a modular threat hunting framework written in PowerShell that leverages PowerShell remoting for data collection at scale. Identify signs of compromise based on artifacts left behind by common MITRE ATT&CK techniques.


PowerHuntShares is used to inventory, analyze, and report SMB shares configured with excessive permissions on computers in Active Directory environments. Gain a better understanding of your SMB share attack surface, how to exploit it, and how to group results to streamline remediation.


Inveigh is a PowerShell ADIDNS/LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

Inveigh Zero

InveighZero is a C# LLMNR/mDNS/NBNS spoofer and man-in-the-middle tool designed to assist penetration testers/red teamers that find themselves limited to a Windows system.

NetSPI SQL Injection Wiki

Our wiki is a comprehensive knowledge base for SQL injection. You’ll find resources on identifying, exploiting, and escalating SQL injection vulnerabilities across database management systems.


PESECURITY is a PowerShell script that displays whether images (DLLs and EXEs) are compiled with ASLR, DEP, and SafeSEH.

Evil SQL Client

Evil SQL Client (ESC) is an interactive .NET SQL console client that supports enhanced SQL Server discovery, access, and data exfiltration capabilities. While ESC can be a handy SQL Client for daily tasks, it was originally designed for targeting SQL Servers during penetration tests and red team engagements. The intent of the project is to provide an .exe, but also sample files for execution through mediums like msbuild and PowerShell.

Burp Extractor

Burp Extractor is a one-size-fits-all tool that uses regex for extracting data from HTTP responses – such as CSRF tokens, Auth Bearer tokens, timestamps, etc. – to be reused in HTTP requests sent through Burp.

JSON Beautifier

JSON Beautifier is a Burp Extension for beautifying JSON output, so it is easier to view and modify unparsed JSON strings.

BurpSuite: AWSSigner

AWSSigner looks for the “X-AMZ-Date” header in Burp requests. When it finds such a request, it updates the signature in the request using your access key, secret key, region, and service.

BurpSuite: WSDLR

This extension takes a WSDL request, parses out the operations that are associated with the targeted web service, and generates SOAP requests that can then be sent to the SOAP endpoints.


Tokenvator is a .NET tool used to elevate permissions on Windows. It works by impersonating or altering authentication tokens.

WheresMyImplant: A C# Bring-Your-Own-Land toolkit

WheresMyImplant is a tool to gain and maintain access to a target system. It can also be installed as a WMI provider for covert long-term persistence.


SQLC2 is a PowerShell script for deploying and managing a command and control system that uses SQL Server as both the control server and the agent.

goddi (Go Dump Domain Info)

GODDI dumps Active Directory domain users, groups, domain controllers, and related information into CSV output, in just a matter of seconds. It runs on both Windows and Linux.

Java Serial Killer

Burp extension to perform Java Deserialization Attacks using the ysoserial payload generator tool.

WebLogic Password Decryptor

WebLogic Password Decryptor is a PowerShell and Java tool to decrypt WebLogic passwords and gain access to other systems and Oracle databases.


Invoke-ExternalDomainBruteForce is a bruteforce tool for automated password-guessing on managed and federated domains.


Get-AdDecodedPassword uses the Active Directory PowerShell Module to query Active Directory and decode UnixUserPassword, UserPassword, unicodePwd, or msSFU30Password fields.


GET-MSSQLALLCredentials is a PowerShell tool to identify all MSSQL instances on a server, determine the encryption algorithm and automate credential password decryption.

DAFT: Database Audit Framework & Toolkit

DAFT is an MSSQL database auditing and assessment tool written in C# that can identify non-default databases and database tables, search for sensitive data by keyword, and execute SQL commands.


PowerSkype is a PowerShell tool to attack federated Skype for Business instances that allows you to validate email addresses, get Skype availability, send phishing messages and more.


Invoke-TheHash is a PowerShell tool for performing pass-the-hash WMI and SMB tasks. Authentication is performed by passing an NTLM hash into the NTLMv2 authentication protocol.


TellMeYourSecrets is a C# DLL to dump LSA secrets.


Powermad is a collection of PowerShell MachineAccountQuota and DNS exploit tools to launch man-in-the-middle attacks.
