starshower is a collection of red team tools developed for authorized security assessments and cyber defense competitions (CCDC-style). All tools are intended for use in controlled lab environments or engagements with explicit written authorization.
Monarch, the primary tool in this repo, is a multi-host CLI for orchestrating operations across many Linux targets simultaneously over SSH.
Quickstart:

```sh
cd monarch
./run_monarch.sh
```

Key capabilities:
- Subnet scanning and SSH host discovery (`scan`)
- Flexible target selection by tag, subnet, port, alias, or IP
- Script templating with `{{VAR}}` placeholders resolved from `monarch.runtime.json`
- Parallel script execution across hosts with a live progress dashboard
- Operation tracking with resume support for failed/partial runs
- Multi-step workflow execution
- File upload/download over SFTP
`monarch/scripts/linux-red-teaming/` contains the shell scripts executed by Monarch. Preferred scripts:
- `persist.sh` — SSH key, backdoor user, systemd service, MOTD poisoning
- `beacon_deploy.sh` — download and schedule a beacon via cron
- `cred_capture.sh` / `cred_capture_reverse.sh` — PAM-based credential capture and rollback
- `recon.sh` — structured host triage collection
- `cleanup.sh` / `clear.sh` — full rollback and artifact removal
- `deploy-kernel-module.sh` / `remove-kernel-module.sh` — deploy/remove the tcp_undiag module
See `monarch/USAGE.md` for the full command reference.
Standalone auxiliary tools organized by function.
Linux kernel module (tcp_undiag.c) that bypasses iptables OUTPUT chain rules by hooking NF_INET_LOCAL_OUT at NF_IP_PRI_FIRST priority and calling dst_output() directly, marking packets as NF_STOLEN before iptables can drop them. Used in competition training to teach blue teams to detect and prevent kernel-level egress bypass.
Supports kernels 3.x–6.x across Debian, RHEL, Alpine, and Arch families. Includes install.sh, uninstall.sh, and test-module.sh. Integrates with Monarch via deploy-kernel-module.sh.
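For the blue-team side of this exercise, the following is an added detection helper (not part of starshower or the tcp_undiag tooling). A hand-built module loaded onto a distro kernel normally shows up in `/proc/modules` with the out-of-tree (`O`) and unsigned (`E`) taint flags, so auditing that file for tainted modules is a cheap first check; the sample module list below is constructed, not a real capture.

```shell
#!/bin/sh
# Report kernel modules whose taint flags mark them as out-of-tree (O) or
# unsigned (E). /proc/modules lines have the form:
#   name size refcount deps state address (taints)
# and the 7th field is present only when the module carries taint flags.
# Returns 0 when nothing is flagged, 1 when at least one module is.
suspicious_modules() {
    src="${1:-/proc/modules}"
    awk '
        $7 ~ /[OE]/ { gsub(/[()]/, "", $7); print $1, $7; n++ }
        END { exit (n > 0) }
    ' "$src"
}

# Constructed sample (not a real capture) so the script runs stand-alone;
# drop the argument to audit the live kernel instead.
SAMPLE="$(mktemp)"
cat > "$SAMPLE" <<'EOF'
xt_conntrack 16384 1 - Live 0xffffffffc0b0a000
tcp_undiag 16384 0 - Live 0xffffffffc0b5c000 (OE)
vboxguest 40960 2 vboxsf, Live 0xffffffffc0aaa000 (OE)
EOF
suspicious_modules "$SAMPLE" || echo "tainted modules found; investigate before trusting egress rules"
rm -f "$SAMPLE"
```

A module that removes its own entry from the module list will not appear here, so pair this with a baseline of expected modules and with egress monitoring at the network edge rather than relying on the host alone.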
Flask server (app.py) that receives credentials via HTTP GET requests (format: /<password>?user=<username>) and forwards them as Discord webhook embeds. Intended as the receiver for PAM-based credential capture scripts deployed on target hosts.
Run with `python3 app.py` (listens on port 8330).
db_hunter.sh — scans a CIDR for open MySQL (3306) and Postgres (5432) ports using nmap, attempts login with provided credentials, and creates a backdoor superuser account on each reachable database server.
Usage: `./db_hunter.sh <cidr> [new_user] [new_pass]`
NetExec (nxc) wrapper scripts for Windows domain operations over SMB:
- `solar_windows_min0.sh` / `water_windows_min0.sh` — beacon deployment, persistence via scheduled tasks, backdoor user creation, and Defender exclusions against named target lists
- `nxc.sh` — single-target beacon download-and-execute helper
RustScan binary (rustscan-macos) and wrapper script. Scans common red team ports (22, 80, 88, 1433, 3306, 3389, 5985) against a target CIDR in greppable output format.
Usage: `./rustscan.sh <cidr>`
Windows C program (evil.c) and compiled binary (evil.exe) that creates a local administrator account (dave2) when executed on a Windows target. Compiled with MinGW or MSVC.
Windows DLL (appruntime.dll / helper.dll) implementing a netsh helper interface (InitHelperDll export). When loaded by netsh.exe via the helper registration mechanism, it uses the Windows Firewall COM API (INetFwPolicy2) to disable all firewall profiles.
NetExec (nxc) command reference and snippets for Windows post-exploitation: payload delivery, scheduled task persistence, user creation, Defender exclusions, and WMI event subscriptions.