| Tool Name | Description |
| ------------------------------ | --------------------------------------------------------------------------------------------------------------------------------- |
| `netexec` | All-in-one Windows and AD enumeration and exploitation tool |
| `evil-winrm` | WinRM connection |
| `xfreerdp3` | RDP connection |
| `rdesktop` | RDP connection |
| `responder` | Linux-based network spoofing and poisoning attacks against LLMNR, NBT-NS, and mDNS |
| `Inveigh.ps1` | Windows-based network spoofing and poisoning attacks |
| `Bloodhound` | GUI for mapping AD relationships (manually confirm findings) |
| `bloodhound.py` | Linux-based ingestor for BloodHound |
| `SharpHound` | Windows-based ingestor for BloodHound |
| `PowerView.ps1` | Manual AD enumeration akin to BloodHound |
| `SharpView.ps1` | Manual AD enumeration akin to BloodHound |
| `BloodyAD` | Manipulate DACLs |
| `ldapsearch` | LDAP enumeration - useful for domain user enumeration |
| `windapsearch` | LDAP enumeration - useful for domain user enumeration |
| `rpcclient` | Connect to RPC |
| `smbclient` | Connect to SMB |
| `smbmap` | Enumerate SMB |
| `kerbrute userenum` | Module to enumerate valid domain usernames via Kerberos. Other modules exist for brute forcing. |
| `AccessChk.exe` | Enumerate services, registry keys, processes, files, and directories |
| `adidnsdump` | DNS enumeration for AD |
| `lazagne.exe` | Retrieve local creds using various methods (run in different user contexts) |
| `snaffler.exe` | Enumerate AD file shares for creds |
| `manspider` | Enumerate AD file shares for creds |
| `GetNPUsers.py` | Enumerate AS-REP roastable users (no creds needed) |
| `GetUserSPNs.py` | Enumerate kerberoastable accounts (requires creds) |
| `mssqlclient.py` | MSSQL connection |
| `sqsh` | MSSQL connection |
| `rubeus.exe` | Interact with and abuse Kerberos. Discover accessible tickets and perform PtT attacks |
| `mimikatz.exe` | Dump LSA, LSASS, and CredMan. Extract creds and Kerberos tickets from memory. Also perform PtH attacks. |
| `pypykatz` | Linux version of `mimikatz` |
| `Linikatz.sh` | Linux version of `mimikatz` for domain-joined Linux hosts |
| `secretsdump.py` | Remotely dump LSA and extract secrets from LSA or NTDS.dit |
| `pywhisker` | Manipulate the `msDS-KeyCredentialLink` attribute for shadow credential attacks |
| `certipy` | Manipulate certs to attack AD CS |
| `ntlmrelayx.py` | Perform SMB relay attacks |
| `Watson.exe` | Enumerate missing KBs and suggest privesc vectors |
| `windows-exploit-suggester.py` | Enumerate missing KBs and suggest privesc vectors |
| `enum4linux-ng` | Linux-based automated enumeration - mainly a wrapper around Samba tools such as `nmblookup`, `net`, `rpcclient`, and `smbclient` |
| `WinPEAS.exe` | Automated privesc enumeration |
| `PowerUp.exe` | Automated privesc enumeration |
| `SharpUp.exe` | Automated privesc enumeration |
| `psexec.py` | Psexec-like functionality in the form of a semi-interactive shell |
| `wmiexec.py` | Command execution over WMI |
| `smbexec.py` | Command execution using SMB |
| `atexec.py` | Command execution using the Task Scheduler service |
| `gpp-decrypt` | Extracts usernames and passwords from Group Policy Preferences files |
| `Sherlock.exe` | OSINT tool |