Tooling MOC

Index of tools referenced across the library. One-liner per tool, when to reach for it.

Recon

  • nmap - default port scanner, scripts via -sC, vuln via --script vulners
  • masscan - fast first sweep over big ranges, then nmap the hits
  • naabu - fastest port scan over a list of domains
  • subfinder / amass / assetfinder - passive subdomain enum, see Recon (external)
  • httpx - probe alive HTTP, fingerprint tech, screenshot
  • puredns / dnsx - DNS brute force and validation
  • ffuf / feroxbuster / gobuster - content/path/vhost fuzzing, ffuf is the most flexible
  • gowitness / eyewitness - screenshot at scale

SMB and AD

  • nxc (netexec) - successor to crackmapexec, smb/ldap/winrm/mssql, see 00 AD MOC
  • enum4linux-ng - null-session SMB enum, first thing on port 445
  • smbclient / smbmap - interactive SMB and share listing
  • rpcclient - RID cycling, user enum from anonymous bind
  • impacket suite - GetUserSPNs, secretsdump, psexec, wmiexec, smbexec, ntlmrelayx
  • bloodhound-python - collect AD graph from Linux, see LDAP
  • certipy - ADCS enum and ESC abuse, see 00 AD MOC -> ADCS
  • kerbrute - user enum and password spray over Kerberos
  • coercer / petitpotam - force auth from machine accounts

Web

  • burp - the proxy, repeater is the workhorse
  • ffuf - content discovery, parameter mining, vhost fuzzing
  • sqlmap - SQLi automation when manual hits a wall
  • nuclei - templated vuln scanning, fast triage on a list of URLs
  • wpscan / joomscan / droopescan - CMS-specific
  • dalfox - XSS scanner
  • gospider / katana / hakrawler - JS-aware crawlers

Shells and listeners

  • nc / ncat / pwncat-cs - listeners, pwncat for stable PTY, see Reverse Shells
  • socat - fully interactive shells, port forwarding, TLS wrapping
  • revshells.com - generator for every language and quoting style

Pivoting

  • chisel - reverse SOCKS over TCP, see Pivoting
  • ligolo-ng - TUN-based L3 tunnel, fastest for internal scanning
  • sshuttle - VPN-over-SSH when you control both ends
  • proxychains / graftcp - wrap any tool over a SOCKS proxy
  • cloudflared - wrap raw TCP over HTTPS when egress is blocked

Local enum

  • linpeas / linenum - Linux automated triage, see 05 Local Enum
  • winpeas / PrivescCheck - Windows automated triage
  • pspy - process tree watcher without root, catches crons
  • GTFOBins / LOLBAS / WADComs - abuse references for known binaries

Credentials and cracking

  • hashcat / john - offline cracking, see Password Cracking
  • mimikatz / nanodump / pypykatz - Windows LSASS dumping
  • lazagne - pull saved creds from browsers, mail clients, etc.
  • responder / mitm6 - LLMNR/NBT-NS/DHCPv6 poisoning, see AD06 LLMNR & NTLM Relay

Post-ex on Windows

  • PowerView / SharpView - AD recon from inside
  • Rubeus - Kerberos abuse Swiss army knife
  • Certify / Certipy - ADCS abuse
  • SharpHound - BloodHound collector for Windows side

Misc

  • tmux - your terminal multiplexer, learn the keybinds
  • tldr - fast man-page alternative
  • rlwrap - readline wrapper for tools that lack history