| Tool Name | Description |
| --- | --- |
| `netexec` | All-in-one Windows and AD enum and exploitation tool |
| `evil-winrm` | WinRM connection |
| `RunasCs.exe` | `su` equivalent for Windows, with the ability to spawn a reverse shell as the target user |
| `xfreerdp3` | RDP connection |
| `rdesktop` | RDP connection |
| `responder` | Linux-based network spoofing and poisoning attacks against LLMNR, NBT-NS, and mDNS |
| `Inveigh.ps1` | Windows-based network spoofing and poisoning attacks |
| `Bloodhound` | GUI for mapping AD relationships (manually confirm findings with `PowerView.ps1`) |
| `bloodhound.py` | Linux-based ingestor for BloodHound (no ADCS enum) |
| `rusthound-ce` | Linux-based ingestor for BloodHound (better than the above; includes ADCS enum) |
| `SharpHound` | Windows-based ingestor for BloodHound (highest fidelity) |
| `PowerView.ps1` | Local manual AD enum on a Windows machine |
| `SharpView.ps1` | Local manual AD enum on a Windows machine |
| `powerview.py` | Remote manual AD enum from Kali |
| `BloodyAD` | Manipulate DACLs |
| `ldapsearch` | LDAP enum - useful for domain user enum |
| `windapsearch` | LDAP enum - useful for domain user enum |
| `rpcclient` | Connect to RPC |
| `smbclient` | Connect to SMB |
| `smbmap` | Enumerate SMB |
| `mssqlclient.py` | MSSQL connection |
| `sqsh` | MSSQL connection |
| `kerbrute userenum` | Module to enumerate valid domain usernames via Kerberos. Other modules exist for brute forcing. |
| `AccessChk.exe` | Enumerate services, registry keys, processes, files, dirs |
| `adidnsdump` | DNS enum for AD |
| `lazagne.exe` | Retrieve local creds using various methods (run in different user contexts) |
| `snaffler.exe` | Enumerate AD file shares for creds |
| `manspider` | Enumerate AD file shares for creds |
| `GetNPUsers.py` | Enumerate AS-REP roastable users (no creds needed) |
| `GetUserSPNs.py` | Enumerate kerberoastable accounts (requires creds) |
| `targetedKerberoast.py` | Abuse `WriteSPN` or `GenericWrite` DACL |
| `kinit` and `klist` | Grab a TGT for the specified user (exported to a cache file) and list the current ticket context |
| `getTGT.py` | Grab a TGT for a specified user |
| `dpapi.py` | DPAPI: decrypt master key binary and credentials blob |
| `rubeus.exe` | Interact with and abuse Kerberos. Discover accessible tickets and perform PtT attacks |
| `mimikatz.exe` | Dump LSA, LSASS, and CredMan. Extract creds and Kerberos tickets from memory. Also perform PtH attacks. |
| `pypykatz` | Linux version of `mimikatz` |
| `Linikatz.sh` | Linux version of `mimikatz` for domain-joined Linux hosts |
| `secretsdump.py` | Remotely dump LSA and extract secrets from LSA or NTDS.dit |
| `pywhisker` | Manipulate the `msDS-KeyCredentialLink` attribute for shadow credential attacks |
| `certipy-ad` | Manipulate certs to attack ADCS |
| `ntlmrelayx.py` | Perform SMB relay attacks (`certipy-ad relay` can also be used) |
| `ntlm_theft.py` | Create a file to be uploaded, assuming it will be opened and cause an NTLMv2 hash to be leaked that we can pick up with `responder` |
| `Watson.exe` | Enumerate missing KBs and suggest privesc vectors |
| `windows-exploit-suggester.py` | Enumerate missing KBs and suggest privesc vectors |
| `enum4linux-ng` | Linux-based automated enum - mainly a wrapper around Samba tools such as `nmblookup`, `net`, `rpcclient`, and `smbclient` |
| `WinPEAS.exe` | Automated privesc enum |
| `PowerUp.exe` | Automated privesc enum |
| `SharpUp.exe` | Automated privesc enum |
| `FullPowers.exe` | Enable full privileges for an account that is currently restricted |
| `EnableAllTokenPrivs.ps1` | Enable currently disabled token privileges |
| `psexec.py` | PsExec-like functionality in the form of a semi-interactive shell |
| `wmiexec.py` | Command execution over WMI |
| `smbexec.py` | Command execution using SMB |
| `atexec.py` | Command execution using the Task Scheduler service |
| `gpp-decrypt` | Extracts usernames and passwords from Group Policy Preferences files |
| `Sherlock.exe` | OSINT tool |