A reference list of tools I use regularly. Organized by phase so it’s quick to scan during an engagement or CTF.
Recon & Enumeration#
| Tool | Description | Link |
|---|
| nmap | Port scanning and service/version detection | nmap.org |
| NetExec (nxc) | Swiss-army knife for network protocol enumeration (SMB, LDAP, WinRM, SSH) | GitHub |
| CrackMapExec | Predecessor to NetExec; still widely used for SMB/AD enumeration | GitHub |
| BloodHound | AD attack path visualisation; ingests data from SharpHound/BloodHound-python | GitHub |
| BloodHound-python | Remote BloodHound data collector (no agent needed) | GitHub |
| enum4linux-ng | SMB/RPC enumeration for Linux targets | GitHub |
| ffuf | Fast web fuzzer for directory/file/parameter discovery | GitHub |
| gobuster | Directory and DNS brute-forcing | GitHub |
Active Directory Attacks#
| Tool | Description | Link |
|---|
| Impacket | Collection of Python scripts for AD/SMB/Kerberos attacks | GitHub |
GetNPUsers.py | AS-REP roasting — dump hashes for accounts without pre-auth | — |
getTGT.py | Request a Kerberos TGT using password or hash | — |
secretsdump.py | Dump NTDS, LSA secrets, and cached credentials | — |
psexec.py | Remote execution over SMB using NTLM/Kerberos | — |
smbclient.py | Interactive SMB client | — |
lookupsid.py | SID brute-forcing for user/group enumeration | — |
dpapi.py | Decrypt DPAPI master keys and credential blobs | — |
| targetedKerberoast | Set SPNs on accounts with GenericWrite and Kerberoast them | GitHub |
| bloodyAD | AD privilege escalation via LDAP (set attributes, enable accounts, etc.) | GitHub |
| noPac | Exploit CVE-2021-42278/42287 — rename computer account to DC, get DA TGT | GitHub |
| Kerbrute | Fast Kerberos user enumeration and password spraying | GitHub |
| evil-winrm | WinRM shell with Kerberos, pass-the-hash, and script upload | GitHub |
Credential Attacks#
| Tool | Description | Link |
|---|
| Hashcat | GPU-accelerated password cracking | hashcat.net |
| John the Ripper | CPU-based password cracker; includes office2john, ssh2john, etc. | openwall.com |
| hydra | Online brute-forcing for SSH, FTP, HTTP, and more | GitHub |
| gpp-decrypt | Decrypt Group Policy Preferences cpassword values | GitHub |
Web Application#
| Tool | Description | Link |
|---|
| Burp Suite | HTTP proxy and web app testing platform | portswigger.net |
| sqlmap | Automated SQL injection detection and exploitation | sqlmap.org |
| ffuf | Web fuzzer (also listed under recon) | GitHub |
Post-Exploitation#
| Tool | Description | Link |
|---|
| Impacket secretsdump | Dump NTDS.dit offline or remotely via DCSync | — |
| Impacket dpapi | Extract DPAPI-protected credentials from master keys + blobs | — |
| PhpSploit | Stealth post-exploitation framework via HTTP headers | GitHub |
| Ligolo-ng | Reverse tunnel for pivoting (agent → proxy → attacker network) | GitHub |
Wordlists & Resources#
| Resource | Description | Link |
|---|
| rockyou.txt | Classic password wordlist shipped with Kali | — |
| SecLists | Curated collection of wordlists for fuzzing, usernames, passwords | GitHub |
| HackTricks | Community wiki of attack techniques and cheat sheets | book.hacktricks.xyz |
| The Hacker Recipes | AD attack cookbook with detailed technique breakdowns | thehacker.recipes |