A reference list of tools I use regularly. Organized by phase so it’s quick to scan during an engagement or CTF.


Recon & Enumeration

ToolDescriptionLink
nmapPort scanning and service/version detectionnmap.org
NetExec (nxc)Swiss-army knife for network protocol enumeration (SMB, LDAP, WinRM, SSH)GitHub
CrackMapExecPredecessor to NetExec; still widely used for SMB/AD enumerationGitHub
BloodHoundAD attack path visualisation; ingests data from SharpHound/BloodHound-pythonGitHub
BloodHound-pythonRemote BloodHound data collector (no agent needed)GitHub
enum4linux-ngSMB/RPC enumeration for Linux targetsGitHub
ffufFast web fuzzer for directory/file/parameter discoveryGitHub
gobusterDirectory and DNS brute-forcingGitHub

Active Directory Attacks

ToolDescriptionLink
ImpacketCollection of Python scripts for AD/SMB/Kerberos attacksGitHub
GetNPUsers.pyAS-REP roasting — dump hashes for accounts without pre-auth
getTGT.pyRequest a Kerberos TGT using password or hash
secretsdump.pyDump NTDS, LSA secrets, and cached credentials
psexec.pyRemote execution over SMB using NTLM/Kerberos
smbclient.pyInteractive SMB client
lookupsid.pySID brute-forcing for user/group enumeration
dpapi.pyDecrypt DPAPI master keys and credential blobs
targetedKerberoastSet SPNs on accounts with GenericWrite and Kerberoast themGitHub
bloodyADAD privilege escalation via LDAP (set attributes, enable accounts, etc.)GitHub
noPacExploit CVE-2021-42278/42287 — rename computer account to DC, get DA TGTGitHub
KerbruteFast Kerberos user enumeration and password sprayingGitHub
evil-winrmWinRM shell with Kerberos, pass-the-hash, and script uploadGitHub

Credential Attacks

ToolDescriptionLink
HashcatGPU-accelerated password crackinghashcat.net
John the RipperCPU-based password cracker; includes office2john, ssh2john, etc.openwall.com
hydraOnline brute-forcing for SSH, FTP, HTTP, and moreGitHub
gpp-decryptDecrypt Group Policy Preferences cpassword valuesGitHub

Web Application

ToolDescriptionLink
Burp SuiteHTTP proxy and web app testing platformportswigger.net
sqlmapAutomated SQL injection detection and exploitationsqlmap.org
ffufWeb fuzzer (also listed under recon)GitHub

Post-Exploitation

ToolDescriptionLink
Impacket secretsdumpDump NTDS.dit offline or remotely via DCSync
Impacket dpapiExtract DPAPI-protected credentials from master keys + blobs
PhpSploitStealth post-exploitation framework via HTTP headersGitHub
Ligolo-ngReverse tunnel for pivoting (agent → proxy → attacker network)GitHub

Wordlists & Resources

ResourceDescriptionLink
rockyou.txtClassic password wordlist shipped with Kali
SecListsCurated collection of wordlists for fuzzing, usernames, passwordsGitHub
HackTricksCommunity wiki of attack techniques and cheat sheetsbook.hacktricks.xyz
The Hacker RecipesAD attack cookbook with detailed technique breakdownsthehacker.recipes