Tool Reference

Reconnaissance & Enumeration #

• Nmap - Network scanner and service enumeration https://github.com/nmap/nmap

• Masscan - Fast port scanner https://github.com/robertdavidgraham/masscan

• NetExec (nxc) - Network service exploitation tool (successor to CrackMapExec) https://github.com/Pennyw0rth/NetExec

• ldapsearch - LDAP query tool (part of OpenLDAP) https://www.openldap.org/ (installed via sudo apt install ldap-utils)

• rpcclient - Windows RPC client (part of Samba) https://www.samba.org/ (installed via sudo apt install samba-common-bin)

• BloodHound CE Python - BloodHound Community Edition data collector (Python) https://github.com/dirkjanm/BloodHound.py

• RustHound-CE - BloodHound CE data collector (Rust, faster) https://github.com/g0h4n/RustHound-CE

• SharpHound - BloodHound data collector (Windows/.NET) https://github.com/SpecterOps/SharpHound

• ldeep - LDAP enumeration tool https://github.com/franc-pentest/ldeep

• ldapdomaindump - Domain dump to HTML/JSON via LDAP https://github.com/dirkjanm/ldapdomaindump

• bloodyAD - AD privilege escalation and enumeration tool https://github.com/CravateRouge/bloodyAD

• Certipy - AD CS enumeration and exploitation https://github.com/ly4k/Certipy

• adidnsdump - AD-integrated DNS enumeration https://github.com/dirkjanm/adidnsdump

• dnstool.py - AD DNS record manipulation (part of krbrelayx) https://github.com/dirkjanm/krbrelayx

• dnsrecon - DNS enumeration and brute-forcing https://github.com/darkoperator/dnsrecon

• dig - DNS query tool (part of BIND) Installed via sudo apt install dnsutils

Credential Attacks #

• Impacket - Python toolkit for network protocols (includes all impacket-* tools below) https://github.com/fortra/impacket

  • impacket-GetUserSPNs (Kerberoasting)
  • impacket-GetNPUsers (AS-REP roasting)
  • impacket-secretsdump (credential dumping / DCSync)
  • impacket-getTGT (TGT request)
  • impacket-ticketer (ticket forging)
  • impacket-findDelegation (delegation enumeration)
  • impacket-lookupsid (SID/RID enumeration)
  • impacket-ntlmrelayx (NTLM relay)
  • impacket-psexec (remote execution via SMB)
  • impacket-wmiexec (remote execution via WMI)
  • impacket-smbexec (remote execution via SMB services)
  • impacket-atexec (remote execution via scheduled tasks)
  • impacket-dcomexec (remote execution via DCOM)
  • impacket-mssqlclient (MSSQL interactive client)
  • impacket-smbserver (SMB share server)
  • impacket-smbclient (SMB client)
  • impacket-addcomputer (machine account creation)
  • impacket-dpapi (DPAPI secret extraction)

• Kerbrute - Kerberos username enumeration and password spraying https://github.com/ropnop/kerbrute

• Hashcat - Password/hash cracking https://github.com/hashcat/hashcat

• Responder - LLMNR/NBT-NS/mDNS poisoner and hash capture https://github.com/lgandx/Responder

• lsassy - Remote LSASS dumping https://github.com/Hackndo/lsassy

• pypykatz - Offline LSASS dump parser (Python mimikatz) https://github.com/skelsec/pypykatz

• targetedKerberoast.py - Automated targeted Kerberoasting https://github.com/ShutdownRepo/targetedKerberoast

Coercion & Relay #

• Coercer - Consolidated authentication coercion tool https://github.com/p0dalirius/Coercer

• PetitPotam - MS-EFSRPC coercion https://github.com/topotam/PetitPotam

• dementor.py - PrinterBug / SpoolService coercion (MS-RPRN) https://github.com/NotMedic/NetNTLMtoSilverTicket (dementor.py is in this repo)

• DFSCoerce - MS-DFSNM coercion https://github.com/Wh04m1001/DFSCoerce

• ShadowCoerce - MS-FSRVP coercion https://github.com/ShutdownRepo/ShadowCoerce

• mitm6 - IPv6 DNS poisoning for NTLM relay https://github.com/dirkjanm/mitm6

Lateral Movement #

• Evil-WinRM - WinRM shell with file transfer and in-memory execution https://github.com/Hackplayers/evil-winrm

• xfreerdp - RDP client (part of FreeRDP) https://github.com/FreeRDP/FreeRDP

• Chisel - TCP/UDP tunneling over HTTP https://github.com/jpillora/chisel

• Ligolo-ng - TUN-based pivoting tool https://github.com/nicocha30/ligolo-ng

• Proxychains - SOCKS/HTTP proxy chaining https://github.com/haad/proxychains

Persistence & Post-Exploitation #

• Mimikatz - Windows credential extraction and ticket manipulation https://github.com/gentilkiwi/mimikatz

• Rubeus - Kerberos interaction and abuse (.NET) https://github.com/GhostPack/Rubeus

• pywhisker - Shadow Credentials manipulation https://github.com/ShutdownRepo/pywhisker

• SharpGPOAbuse - GPO-based persistence and privilege escalation https://github.com/FSecureLABS/SharpGPOAbuse

• username-anarchy - AD username wordlist generator https://github.com/urbanadventurer/username-anarchy