Research and development

The Coalfire Research and Development (R&D) team creates cutting-edge, open-source security tools that provide our clients with more realistic adversary simulations and advance operational tradecraft for the security industry.

All tools

  • AmazonSecurityScanner

    AmazonSecurityScanner is a script to scan an EC2 instance for potential AWS-related attack surfaces. You can utilize it for rapid post-exploitation reconnaissance on a compromised EC2 instance.

  • AngryHippo

    This script was designed to attack the HippoConnect protocol, which is used with the HippoRemote iPhone app and the HippoConnect listener.

  • CrestCrack

    CrestCrack is a simple script that exploits CVE-2016-5640 / CLVA-2016-05-002 within the Crestron AirMedia AM-100 (v1.1.1.11 - v1.2.1). When supplied with arguments, CrestCrack will utilize netcat to create a reverse shell between your target and a netcat listener of your choice.

  • DeathMetal

    DeathMetal exploits the legitimate capabilities of Intel AMT.

  • DeathStar

    DeathStar is a Python script that uses Empire's RESTful API to automate the attainment of domain admin rights in Active Directory environments through a variety of techniques.

  • Dissonance

    This script was designed to spoof a Synergy server and entice users to connect to it.

  • HandyHeaderHacker

    HandyHeaderHacker is a script to examine HTTP responses from a server for best security practices. You can quickly analyze a web server with a single request.

  • Hwacha

    Hwacha is a tool to quickly execute payloads on *nix-based systems. Easily collect artifacts or execute shellcode on an entire subnet of systems for which credentials are obtained.

  • Icebreaker

    Break the ice with that cute Active Directory environment over there. When you're cold and alone staring at an Active Directory party but don't possess a single AD credential to join the fun, this tool's for you.

  • iOS 11 Jailbreak

    This jailbreak works for iOS 11.1.2 (15B202) and enables running unsigned code, a remote shell, full file system access, and live kernel memory introspection.

  • Java Deserialization Exploit

    Here you’ll find a collection of curated Java Deserialization Exploits.


    With, you can automatically find the most active WLAN users, and then spy on one of them and/or inject arbitrary HTML/JS into pages they visit.

  • Net-creds

    Thoroughly sniff passwords and hashes from an interface or .pcap file with Net-creds. It concatenates fragmented packets and does not rely on ports for service identification.

  • NorkNork

    This script was designed to identify PowerShell Empire persistence payloads on Windows systems.

  • NPK

    NPK provides an effective, low-upkeep method for leveraging cloud GPU-based hash cracking. Featuring a serverless support layer, NPK eliminates the risk of runaway instances, enforces removal of usernames, and provides support for multiple attack types.

  • Pentest machine

    Automates some pentesting work via an Nmap XML file. As soon as each command finishes, it writes its output to the terminal and to the files in output-by-service/ and output-by-host/.

  • pOSt-eX

    This script creates a new rule in the OS X Mail application to automatically trigger an AppleScript payload when an email is received with a trigger word in its subject line.

  • Wifijammer

    Continuously jam all Wi-Fi clients and access points within range. The effectiveness of this script is constrained by your wireless card. Alfa cards seem to effectively jam within about a block radius with heavy access point saturation.

  • Xsscrapy

    A fast, thorough, XSS/SQLi spider, Xsscrapy tests every link it finds for cross-site scripting and some SQL injection vulnerabilities. See FAQ for more details about SQLi detection.


Follow adversary ops on Twitter to hear about our latest projects and tools.



CVE disclosure list

The following is a list of CVEs identified by Coalfire's R&D team. All security issues described here were responsibly disclosed and reported in accordance with our Vulnerability Disclosure Policy.

| CVE ID | Title | Affects | Date | CVSS |
|---|---|---|---|---|
| CVE-2018-8819 | ALC WebCTRL XXE | Versions 6.0, 6.1 and 6.5 | 2018-06-14 | 7.5 |
| CVE-2019-14257 | Zenoss local privilege escalation | <= 2.5.3 | 2019-07-24 | 7.8 |
| CVE-2019-14258 | Zenoss unauthenticated information disclosure | <= 2.5.3 | 2019-07-24 | 7.5 |
