2025 Red Team Tools – C2 Frameworks, Active Directory & Network Exploitation

We're back with another roundup of our favorite red team tools—and this one's a doozy. While these tools represent just a fraction of the specialized expertise our Red Team brings to engagements, they're critical components in any arsenal when executing sophisticated offensive security operations.
"Remember, effective Red Teaming is far more about methodology, experience, and strategic thinking than any particular tool—but having the right instruments certainly helps experts deliver results."
These are our go-to resources for simulating real-world adversaries, digging deep into complex environments, and staying a step ahead of defenders—we hope they give your Red Team engagements the same edge.
In part one, we're diving into tools focused on C2 frameworks, Active Directory, and network exploitation. In part two, we'll shift gears and cover cloud tooling, identity exploitation, evasion techniques, and helpful developer libraries.
C2 Frameworks:
1. Sliver
Creator: Bishop Fox (@BishopFox)
“An open-source cross-platform adversary emulation/red team framework.”
DESCRIPTION: Sliver is a great tool for Red Teamers and pen testers. Trust us, we know. It can be used by organizations of any size. Its implants are supported across macOS, Windows, and Linux, making it very versatile. The implants can also communicate with the server over various channels, such as mTLS, HTTPS, DNS, etc.
2. PoshC2
Creator: Nettitude (@nettitude)
“A proxy aware C2 framework used to aid red teamers with post-exploitation and lateral movement.”
DESCRIPTION: PoshC2 provides a highly flexible and extensible framework for red teaming, built mostly with Python 3. It provides a wide range of ready-to-use implants and payloads for various OSs and programming languages, which ensures broad compatibility. In addition, operational security and stealth are key features: shellcode containing AMSI bypass and ETW patching, auto-generated Apache Rewrite rules for proxying, and fully encrypted communications.
3. Cobalt Strike
Maintainer: (@Fortra)
“A cybersecurity tool designed for Red Teams and penetration testers to conduct advanced threat simulation and reconnaissance within network environments.”
DESCRIPTION: Cobalt Strike helps security teams mimic sophisticated cyberattacks by using covert comms channels and highly configurable “Beacon” implants that blend with normal network traffic. With rich post-exploit modules and custom scripting, it’s built for realistic, thorough red team ops.
4. Nighthawk
Creator: MDSec Consulting Ltd
“An advanced Red Team toolkit, built with operational security in mind, including an evasive command-and-control framework.”
DESCRIPTION: Nighthawk stands out because it was created with operational security and evasion as core principles, allowing its highly evasive beacon to bypass modern security controls. It also offers unique capabilities that are not public knowledge, which allow for even more effective post-exploitation.
5. Mythic
Creator: Cody Thomas (@its-a-feature)
“A cross-platform, post-exploit, Red Teaming framework designed to provide a collaborative and user-friendly interface for operators.”
DESCRIPTION: Mythic is the tool that ‘cares’ for operators. All jokes aside, it really does make it easier for Red Teamers to maintain their agents, has robust data analytics capabilities (tracking everything from who did what, when, and with which tool) for better real-time analysis, and allows customization.
6. Metasploit
Creator: Rapid7 (@rapid7)
“The world’s most used penetration testing framework.”
DESCRIPTION: Metasploit provides a huge collection of pre-built exploits, making it easy for pen testers to find and show vulnerabilities. It is versatile, allowing users to automate pen testing tasks, develop custom exploits, and perform various post-exploit activities. Most (if not all) ethical hackers, from beginners to experienced, use this tool.
7. Merlin
Creator: Russel Van Tuyl (@ne0nd0g)
“A cross-platform post-exploitation HTTP/2 Command & Control server and agent written in Golang.”
DESCRIPTION: Merlin is a post-exploit Command & Control (C2) tool, also known as a Remote Access Tool (RAT), that communicates using the HTTP/1.1, HTTP/2, and HTTP/3 protocols. HTTP/3 is the combination of HTTP/2 over the Quick UDP Internet Connections (QUIC) protocol. This tool was the result of my work evaluating HTTP/2 in a paper titled, “Practical Approach to Detecting and Preventing Web Application Attacks over HTTP/2.”
8. Empire
Maintainer: BC Security (@BC-SECURITY)
“A post-exploitation and adversary emulation framework that is used to aid Red Teams and Penetration Testers.”
DESCRIPTION: Empire C2 is packed with advanced features including multi-language agents (PowerShell, Python 3, C#, and more), a vast library of support tools, and diverse communication mechanisms. It boasts a modular design for easy plugin integration, customizable bypasses, integrated obfuscation, and encrypted communications, making it highly effective for post-exploitation activities.
Active Directory & Network Exploitation:
9. SharpHound
Creator: SpecterOps (@SpecterOps)
“A C# Data Collector for BloodHound.”
DESCRIPTION: SharpHound is fast, thorough, and built to extract exactly the kind of relationship data Red Teamers need—group memberships, trusts, and permissions—to map privilege escalation paths and lateral movements in a network. With flexible collection options and seamless integration into BloodHound, it’s a go-to tool for understanding and exploiting AD trust relationships.
10. BloodHound.py
Creator: Dirk-jan Mollema, Edwin van Vliet, and Matthijs Gielen (@dirkjanm and others from Fox-IT (NCC Group))
“A Python-based ingestor for BloodHound.”
DESCRIPTION: BloodHound.py is a lightweight, cross-platform alternative to traditional ingestors, allowing for remote collection of Active Directory information without needing to execute .NET binaries on target systems. With support for multiple authentication methods and compatibility with modern BloodHound versions, it’s a versatile choice for AD enumeration by Red Teamers.
11. NetExec (formerly CrackMapExec)
Creator: Marcello (@byt3bl33d3r)
Maintainers: NeffIsBack, Marshall-Hallenbeck, zblurx, mpgn_x64
“A powerful network service exploitation tool designed to automate the assessment of large-scale Windows and Active Directory environments.”
DESCRIPTION: NetExec streamlines network ops by making it easy to validate creds, execute commands, and probe systems at scale. It’s built for speed and flexibility.
12. Certipy
Creator: Oliver Lyak (@ly4k)
“An offensive tool for enumerating and abusing Active Directory Certificate Services (AD CS).”
DESCRIPTION: Certipy has reemerged as a top choice for digging into AD Certificate Services. It simplifies discovering misconfigurations, extracting credentials, and launching powerful attacks like shadow credentials and Golden Tickets—all without a ton of setup.
13. Impacket
Creator: SecureAuth
“A collection of Python classes for working with network protocols.”
DESCRIPTION: Impacket is a must-have for Red Teamers who need precision and control. It delivers low-level access to Windows network protocols, making it ideal for crafting custom attacks and automating post-exploitation tasks.
14. MSLDAP
Creator: SkelSec (@skelsec)
“An LDAP library for auditing MS AD.”
DESCRIPTION: MSLDAP’s interactive client facilitates real-time exploration of Active Directory structures, making it easier to identify misconfigurations and potential attack vectors. Whether you're scripting complex queries or conducting hands-on assessments, MSLDAP streamlines the process of engaging with AD environments.
15. GhostPack
Creator: GhostPack (@ghostpack) by Lee Chagolla-Christensen, Will Schroeder, and Christopher Maddalena (@leechristensen, @HarmJ0y, and @chrismaddalena)
“GhostPack is a suite of C# tools designed for red team operations, focusing on Windows post-exploitation, credential access, and Active Directory abuse.”
DESCRIPTION: GhostPack brings together some of the most effective and widely used tools in the Red Teaming arsenal—like Rubeus for Kerberos abuse, Seatbelt for host recon, Certify for AD CS attacks, and SharpDPAPI for credential extraction. Each tool is modular, scriptable, and built with operational security in mind, making them ideal for stealthy engagements. It’s a battle-tested toolkit that’s become a staple in offensive security workflows.
16. OctoPwn
Creator: OctoPwn GmbH (@octopwn)
“A modular, browser-based red teaming platform that brings essential internal testing tools into a single interface.”
DESCRIPTION: OctoPwn packs scanners and attack tools into a browser-based, WebAssembly interface that’s fast to deploy and easy to use. With support for Nmap, BloodHound, and Hashcat data, it’s perfect for agile, modular pentesting—even in monitored environments.
We hope this toolkit gives you some fresh inspiration and helps you sharpen your tactics for your next engagement. Be sure to read part two, where we’ll dive into cloud tooling, identity exploitation, evasion techniques, and handy developer libraries to round out your Red Team arsenal.
What makes Bishop Fox's approach different? It's not just about running tools against targets—it's about our Red Team combining technical prowess with strategic thinking to deliver insights that truly matter to your security posture.