Ladon
Ladon is a Chinese-language internal network penetration testing scanner written in C# that detects network vulnerabilities, performs credential auditing, and facilitates lateral movement. It supports PowerShell execution, Cobalt Strike integration, and memory-only deployment across multiple protocols and network segments.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | k8gege/Ladon |
| Owner | k8gege |
| Primary language | C# |
| License | MIT — OSI-approved |
| Stars | 5.3k |
| Forks | 881 |
| Open issues | 44 |
| Latest release | v12.2 (2023-12-15) |
| Last updated | 2025-03-24 |
| Source | https://github.com/k8gege/Ladon |
What Ladon is
Ladon is a .NET-based reconnaissance and exploitation framework featuring 262+ modules for multi-protocol asset discovery (ICMP, SMB, WMI, SSH, HTTP/HTTPS, DNS, RDP, FTP, Exchange, MSSQL), credential brute-force (25+ methods), vulnerability detection (MS17010, SMBGhost, Exchange, Zimbra), remote command execution (smbexec, wmiexe, psexec, sshexec), and privilege escalation. Deployable as CLI binary (~500KB), PowerShell script, or Cobalt Strike beacon plugin.
Get the Ladon source
Clone the repository and explore it locally.
git clone https://github.com/k8gege/Ladon.gitcd Ladon# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Requires .NET 2.0 or later on Windows; verify framework version in deployment target before execution.
- Module coverage varies by protocol; credential brute-force modules require valid wordlists or custom INI configuration; default password lists not documented.
- Proxy/SOCKS5 scanning requires `noping` parameter to bypass ICMP filtering; standard scan flow assumes direct ICMP reachability.
- EDR/WAF detection risk is real; `bypassEDR` parameter intentionally throttles scan rate; balance speed vs. stealth based on target environment.
- Plugin extensibility supports C#, Delphi, PowerShell, VC, and Golang; custom DLL/EXE loading requires unsigned binary execution trust.
When to avoid it — and what to weigh
- Requirement for English documentation and support — Repository and all primary documentation is in Simplified Chinese. No official English translation or vendor support available.
- Need for blue-team defensive tooling — Ladon is explicitly designed for offensive penetration testing and lateral movement; no defensive playbook, threat-hunting, or compliance-oriented features.
- Regulated environment requiring vendor accountability — Single-author open-source project with no commercial entity, SLA, or formal security audit trail. Licensing and liability unclear in regulated sectors.
- Cross-platform scanning (Linux/macOS targets from scanner) — Ladon binary runs only on Windows (.NET 2.0+). Separate LadonGo project exists for cross-platform scanning, but capability gap and integration status unknown.
License & commercial use
MIT License. This is a permissive OSI-approved license permitting use, modification, and distribution in proprietary and commercial contexts, subject to inclusion of original copyright notice and license text.
MIT license permits commercial use. However, Ladon is explicitly an offensive penetration-testing tool. Commercial deployment (e.g., within a managed services security firm) is technically permitted, but users bear full liability for unauthorized access, compliance violations, and any harm caused by misuse. No warranty, indemnification, or vendor support exists. Independent legal and security review strongly recommended before commercial deployment.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Low |
| DEV.co fit | Possible |
| Assessment confidence | High |
Ladon is an offensive tool designed to discover and exploit vulnerabilities; its presence in a network is itself a security concern. Key considerations: (1) No hardened code review or third-party audit published. (2) Binary is unsigned; deployment requires trust in source and execution environment. (3) Plugin mechanism (DLL/EXE loading) can load arbitrary code; if attacker controls INI config, arbitrary execution is trivial. (4) Credential brute-force modules generate heavy network noise; detection-heavy. (5) Remote code execution paths (psexec, wmiexec, sshexec) inherit credentials of scanning context; privilege escalation modules (SweetPotato, BadPotato) attempt to bypass UAC but success varies by Windows version and patch level. (6) No built-in OPSEC features (timing jitter, user-agent randomization, log obfuscation); reliance on external tools (Proxifier, Frp) for anonymization.
Alternatives to consider
Nmap + custom PowerShell/Metasploit modules
Nmap provides battle-tested, well-documented network scanning; Metasploit offers mature RCE and privilege escalation. Combination is more transparent, better documented, and has established defensive evasion patterns. Steeper learning curve but greater modularity.
BloodHound + Custom AD enumeration
If target is a Windows Active Directory domain, BloodHound's graph-based lateral movement path analysis is more precise than Ladon's brute-force approach. BloodHound is open-source, well-maintained, and specifically designed for AD exploitation. Requires SharpHound collector.
Impacket (Python toolkit)
Cross-platform, modular, and extensively documented. Covers SMB, LDAP, Kerberos, and RCE (psexec, smbexec, etc.). Smaller per-tool footprint and better suited to containerized/Linux pivot scenarios. No pre-compiled binary; requires Python 3 and pip.
Build on Ladon with DEV.co software developers
Ladon is a powerful offensive tool for Windows domain penetration testing. Assess licensing, documentation readiness, and integration with your C2 framework before deployment. Contact a security architect to discuss threat modeling and OPSEC requirements.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
Ladon FAQ
Can I use Ladon outside a penetration test?
What is the difference between Ladon and LadonGo?
Do I need Cobalt Strike to use Ladon?
How does Ladon handle NTLM hashes for credential brute-force?
Work with a software development agency
Adopting Ladon is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.
Evaluate Ladon for Your Red Team Program
Ladon is a powerful offensive tool for Windows domain penetration testing. Assess licensing, documentation readiness, and integration with your C2 framework before deployment. Contact a security architect to discuss threat modeling and OPSEC requirements.