DEV.co
Open-Source Security · k8gege

Ladon

Ladon is a Chinese-language internal network penetration testing scanner written in C# that detects network vulnerabilities, performs credential auditing, and facilitates lateral movement. It supports PowerShell execution, Cobalt Strike integration, and memory-only deployment across multiple protocols and network segments.

Source: GitHub — github.com/k8gege/Ladon
5.3k
GitHub stars
881
Forks
C#
Primary language
MIT
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositoryk8gege/Ladon
Ownerk8gege
Primary languageC#
LicenseMIT — OSI-approved
Stars5.3k
Forks881
Open issues44
Latest releasev12.2 (2023-12-15)
Last updated2025-03-24
Sourcehttps://github.com/k8gege/Ladon

What Ladon is

Ladon is a .NET-based reconnaissance and exploitation framework featuring 262+ modules for multi-protocol asset discovery (ICMP, SMB, WMI, SSH, HTTP/HTTPS, DNS, RDP, FTP, Exchange, MSSQL), credential brute-force (25+ methods), vulnerability detection (MS17010, SMBGhost, Exchange, Zimbra), remote command execution (smbexec, wmiexe, psexec, sshexec), and privilege escalation. Deployable as CLI binary (~500KB), PowerShell script, or Cobalt Strike beacon plugin.

Quickstart

Get the Ladon source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/k8gege/Ladon.gitcd Ladon# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Red team internal network reconnaissance

Rapid multi-protocol asset discovery and OS fingerprinting across large subnets (A/B/C segments). Built-in support for proxy chains and EDR evasion via slow-scan modes and thread tuning.

Windows domain lateral movement

Integrated weak credential detection (SMB, WMI, LDAP, Winrm, SSH) combined with multi-method RCE (psexec, wmiexe, sshexec) to chain compromised hosts within same network.

Post-exploitation persistence in constrained environments

Small binary footprint (500KB) and PowerShell memory-load capability permit deployment via slow/lossy command channels; Cobalt Strike plugin support for beacon-native scanning without external tools.

Implementation considerations

  • Requires .NET 2.0 or later on Windows; verify framework version in deployment target before execution.
  • Module coverage varies by protocol; credential brute-force modules require valid wordlists or custom INI configuration; default password lists not documented.
  • Proxy/SOCKS5 scanning requires `noping` parameter to bypass ICMP filtering; standard scan flow assumes direct ICMP reachability.
  • EDR/WAF detection risk is real; `bypassEDR` parameter intentionally throttles scan rate; balance speed vs. stealth based on target environment.
  • Plugin extensibility supports C#, Delphi, PowerShell, VC, and Golang; custom DLL/EXE loading requires unsigned binary execution trust.

When to avoid it — and what to weigh

  • Requirement for English documentation and support — Repository and all primary documentation is in Simplified Chinese. No official English translation or vendor support available.
  • Need for blue-team defensive tooling — Ladon is explicitly designed for offensive penetration testing and lateral movement; no defensive playbook, threat-hunting, or compliance-oriented features.
  • Regulated environment requiring vendor accountability — Single-author open-source project with no commercial entity, SLA, or formal security audit trail. Licensing and liability unclear in regulated sectors.
  • Cross-platform scanning (Linux/macOS targets from scanner) — Ladon binary runs only on Windows (.NET 2.0+). Separate LadonGo project exists for cross-platform scanning, but capability gap and integration status unknown.

License & commercial use

MIT License. This is a permissive OSI-approved license permitting use, modification, and distribution in proprietary and commercial contexts, subject to inclusion of original copyright notice and license text.

MIT license permits commercial use. However, Ladon is explicitly an offensive penetration-testing tool. Commercial deployment (e.g., within a managed services security firm) is technically permitted, but users bear full liability for unauthorized access, compliance violations, and any harm caused by misuse. No warranty, indemnification, or vendor support exists. Independent legal and security review strongly recommended before commercial deployment.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityLow
DEV.co fitPossible
Assessment confidenceHigh
Security considerations

Ladon is an offensive tool designed to discover and exploit vulnerabilities; its presence in a network is itself a security concern. Key considerations: (1) No hardened code review or third-party audit published. (2) Binary is unsigned; deployment requires trust in source and execution environment. (3) Plugin mechanism (DLL/EXE loading) can load arbitrary code; if attacker controls INI config, arbitrary execution is trivial. (4) Credential brute-force modules generate heavy network noise; detection-heavy. (5) Remote code execution paths (psexec, wmiexec, sshexec) inherit credentials of scanning context; privilege escalation modules (SweetPotato, BadPotato) attempt to bypass UAC but success varies by Windows version and patch level. (6) No built-in OPSEC features (timing jitter, user-agent randomization, log obfuscation); reliance on external tools (Proxifier, Frp) for anonymization.

Alternatives to consider

Nmap + custom PowerShell/Metasploit modules

Nmap provides battle-tested, well-documented network scanning; Metasploit offers mature RCE and privilege escalation. Combination is more transparent, better documented, and has established defensive evasion patterns. Steeper learning curve but greater modularity.

BloodHound + Custom AD enumeration

If target is a Windows Active Directory domain, BloodHound's graph-based lateral movement path analysis is more precise than Ladon's brute-force approach. BloodHound is open-source, well-maintained, and specifically designed for AD exploitation. Requires SharpHound collector.

Impacket (Python toolkit)

Cross-platform, modular, and extensively documented. Covers SMB, LDAP, Kerberos, and RCE (psexec, smbexec, etc.). Smaller per-tool footprint and better suited to containerized/Linux pivot scenarios. No pre-compiled binary; requires Python 3 and pip.

Software development agency

Build on Ladon with DEV.co software developers

Ladon is a powerful offensive tool for Windows domain penetration testing. Assess licensing, documentation readiness, and integration with your C2 framework before deployment. Contact a security architect to discuss threat modeling and OPSEC requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

Ladon FAQ

Can I use Ladon outside a penetration test?
Ladon is licensed under MIT, which is permissive. However, the tool is designed for offensive security testing. Unauthorized use against networks you do not own or have permission to test is illegal in most jurisdictions. Always obtain written authorization before use.
What is the difference between Ladon and LadonGo?
Ladon is .NET-based Windows binary. LadonGo is a separate Golang implementation supporting Linux, macOS, ARM, and MIPS. They share similar feature sets but are independent projects. Capability parity is not documented.
Do I need Cobalt Strike to use Ladon?
No. Ladon runs as a standalone Windows binary via CMD, PowerShell, or remote shells. Cobalt Strike plugin support is optional for users who already operate Cobalt Strike; it allows beacon-native execution without uploading separate binaries.
How does Ladon handle NTLM hashes for credential brute-force?
Ladon includes SmbHashScan and WmiHashScan modules that accept NTLM hashes directly (no plaintext password required) for SMB and WMI authentication. Hashes can be sourced from Mimikatz or other credential dumping tools. Success depends on target accepting pass-the-hash (PTH) and hash format compatibility.

Work with a software development agency

Adopting Ladon is usually one piece of a larger software development effort. As a software development agency, DEV.co provides software development services and web development expertise — pairing senior software developers and web developers with your team to design, build, and operate open-source security software in production.

Evaluate Ladon for Your Red Team Program

Ladon is a powerful offensive tool for Windows domain penetration testing. Assess licensing, documentation readiness, and integration with your C2 framework before deployment. Contact a security architect to discuss threat modeling and OPSEC requirements.