Explore the offensive security tools developed and used by our penetration testing team to automate, scale, and enhance attack simulations just like real adversaries.
Penetration testing tools help streamline and scale security assessments by automating routine tasks, identifying complex vulnerabilities, and replicating advanced attacker behavior. These tools support our consultants in simulating realistic attack scenarios and gathering deeper insights, so your organization can strengthen its defenses against evolving threats.
At Echelon, our offensive security team doesn't just use tools, we build them. Designed in-house and battle-tested in real-world engagements, our tools help emulate modern TTPs to uncover the vulnerabilities others miss.
Each tool listed below is engineered to support specific attack simulation needs. Our goal is to share these capabilities with the security community while demonstrating the cutting-edge methodologies behind Echelon’s penetration testing engagements.
Pigeonhive helps offensive security teams simulate large-scale phishing attacks that bypass MFA by tricking users into authenticating on attacker-controlled servers. It uses containerized browsers shared via VNC to deploy unlimited hive nodes, enabling realistic, scalable phishing simulations.
Peekaboo is a Python tool that takes Nmap XML output and captures screenshots of services running on ports 80 and 443. It's a fast, simple alternative to similar tools, with clickable images in the HTML report for easy access.
GooglePhishing contains a fake two-step Google login page for use on PHP-supported web servers. Captured credentials are saved to /opt/GooglePhishing/creds.txt. The domain suffix (e.g., @client.com) can be customized by editing line 21 of index.html.
GoogleBITB is a fake two-step Google login page built for Browser-in-the-Browser (BITB) attacks, usable on PHP-supported web servers. Credentials are saved to /opt/GoogleBITB/creds.txt, and the domain suffix can be customized by editing line 21 of login_page.html.
Log4jake is a Python script that crawls web apps for GET/POST requests and injects the ${jndi:ldap://:389} Log4j payload into discovered parameters. Designed to run alongside a Netcat listener for detecting vulnerable endpoints.
Echelon is trusted by organizations across industries to deliver high-impact security testing and advisory services. By sharing our tools with the community, we demonstrate not only transparency but a commitment to advancing security practices across the board.
Let’s talk about how we can help secure your environment using our tools, tactics, and expertise.