Check out the things we’ve worked on

Black Hills Information Security leads and takes part in a number of different (and awesome) open-source projects. Check them out!




Active Defense Harbinger Distribution – New version is up. Please download Zip and import into VMWare.

Download ADHD here:


MD5 Hash: 1ba5cd305e8a19079f0643b526a4bc7b

Auto Scan with Burp

Auto Scan with Burp contains a Burp Extension and a Python script for invoking the extension to perform automated and authenticated scans against all URLs listed in a configuration file. Authentication is accomplished through Burp State files. Auto Scan comes with an optional Nikto scan function as well.

Get AutoScan with Burp here


Wouldn’t it be great if there was a free toolset to protect your credentials even when password length couldn’t be changed, and to alert on other credential attacks being conducted in your network? That’s why we created The CredDefense Toolkit – to have a free way to detect and prevent credential abuse attacks. Read more on this tool in this blog post.

Get CredDefense Toolkit here


Password sprays against websites like Google’s GSuite are getting more and more difficult. CredKing looks to solve that problem by leveraging Amazon AWS Lambda to rotate IP addresses for each authentication attempt. Fully supporting all AWS Lambda regions, CredKing is a must-have tool for cracking external perimeters through password spraying!

Get it here on GitHub


While phishing for login credentials is nothing new, more and more organizations are adopting multi-factor authentication, making it difficult to phish account access. CredSniper can easily launch a new phishing site that not only requests the login credentials but also the 2FA token from unsuspecting targets. Out of the box, CredSniper supports all forms of multi-factor tokens for Google GSuite! It not only looks and feels like the original site, but it also automates the SSL certificate generation using Let’s Encrypt.

Get it here on GitHub

DNS Blacklists

DNS Blacklists is a Python script that uses regular expressions to examine IP addresses and hostnames, comparing them against known blacklists. This is then used to alert the user if there are any in common, indicating communication with unwanted addresses.

Get DNS Blacklists here

Domain Password Audit Tool (DPAT)

This is a python script that will generate password use statistics from password hashes dumped from a domain controller and a password crack file such as oclHashcat.pot generated from the oclHashcat tool during password cracking. The report is an HTML report with clickable links.

Get this tool on GitHub


A tool written in PowerShell to perform a password spray attack against users of a domain. By default, it will automatically generate the userlist from the domain.

Get it here


A tool that runs a number of checks on a system to help provide situational awareness to a penetration tester during the reconnaissance phase of an engagement. It gathers information about the local system, the users, and the domain. It does not use any ‘net’, ‘ipconfig’, ‘whoami’, ‘netstat’, or other system commands to help avoid detection.

Get this here

Java Web Attack

This uses a combination of python, Java, and shell commands to break out the Java Applet Web Attack method from SET into a standalone tool. It is mainly designed to be used in the Active Defence Harbinger Distribution (ADHD), but can be used in other Ubuntu/Debian variants.

Get Java Web Attack here


A penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain. MailSniper also includes additional modules for password spraying, enumerating users/domains, gathering the Global Address List from OWA and EWS, and checking mailbox permissions for every Exchange user at an organization.

Get MailSniper here


PowerMeta searches for publicly available files hosted on various websites for a particular domain by using specially crafted Google and Bing searches. It then allows for the download of those files from the target domain. After retrieving the files, the metadata associated with them can be analyzed by PowerMeta. Some interesting things commonly found in metadata are usernames, domains, software titles, and computer names.

Get it here


A PowerShell tool for taking screenshots of multiple web servers quickly.

Get it here on GitHub


Pushpin-Web is a web application which provides a simple interface to keep track of geo-tagged social media activity. It is adapted from Recon-ng and is currently capable of aggregating data from Twitter, Flickr, Picasa, Shodan, and Youtube in near real-time.

Get Pushpin-Web here


Recon-ng is a full-featured Web Reconnaissance framework authored by Tim Tomes and written in Python. Complete with independent modules, database interaction, built-in convenience functions, interactive help, and command completion, Recon-ng provides a powerful environment in which open source web-based reconnaissance can be conducted quickly and thoroughly.

Recon-ng has a look and feel similar to the Metasploit Framework, reducing the learning curve for leveraging the framework. However, it is quite different. Recon-ng is not intended to compete with existing frameworks, as it is designed exclusively for web-based open-source reconnaissance. If you want to exploit, use the Metasploit Framework. If you want to Social Engineer, use the Social Engineer Toolkit. If you want to conduct reconnaissance, use Recon-ng!

Get Recon-ng here


Real Intelligence Threat Analysis. RITA is an open-source framework for network traffic analysis born from Black Hills Information Security. RITA is now developed and supported by Active Countermeasures. The framework ingests Bro logs, and some of the main analysis features include:

  • Beaconing Detection: search for signs of beaconing behavior in and out of your network.
  • DNS Tunneling Detection: search for signs of DNS-based covert channels.
  • Blacklist Checking: query blacklists to search for suspicious domains and hosts.

Video: Introducing the RITA Framework


Spidertrap is a Python program which dynamically generates an infinite number of hyper-linked pages in order to trap webcrawlers.

Get Spidertrap here