// tools & arsenal
Nmap
recon · port scanning
Network scanner. -sC -sV runs default NSE scripts plus version probes, -p- covers all 65535 TCP ports (sweep first, then -sC -sV only on what came back open), --script vuln runs the vuln NSE category, which flags likely-vulnerable versions rather than proving exploitability. -p- is TCP only; add -sU for UDP services like SNMP, DNS and TFTP.
$ sudo apt install nmap
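The two-stage sweep the entry describes, as an added example that is not part of the original page: a fast -p- pass writes grepable output, a small parser pulls the open TCP ports out of it, and only those ports get the slower -sC -sV pass. The gnmap sample is constructed, and the target, file names and rate are placeholders.

```shell
# Added example (not from the original page): parse nmap -oG output and feed the open
# ports into a scripted service scan. Sample data below is constructed.

# Print open TCP ports from a -oG file as a sorted, comma-separated list (nmap -p syntax).
# A -oG host line looks like:
#   Host: 10.10.10.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///  Ignored State: closed (65533)
open_ports_from_gnmap() {
  grep -h 'Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { sub(/^[ \t]+/, "", $1); print $1 }' \
    | sort -un \
    | paste -sd, -
}

# Write a constructed -oG file (two hosts, mixed states, one UDP entry) for offline testing.
write_sample_gnmap() {
  cat > "$1" <<'EOF'
# Nmap 7.94 scan initiated (constructed sample)
Host: 10.10.10.5 ()	Status: Up
Host: 10.10.10.5 ()	Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 135/filtered/tcp//msrpc///, 445/open/tcp//microsoft-ds///	Ignored State: closed (65531)
Host: 10.10.10.6 ()	Ports: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///, 161/open/udp//snmp///	Ignored State: closed (65532)
# Nmap done
EOF
}

# Stage 1 + stage 2 against a live target. Defined for the workflow; not executed here.
two_stage_scan() {
  local target="$1" out="${2:-scan}" ports
  sudo nmap -p- --min-rate 2000 -T4 -oG "$out.gnmap" "$target" >/dev/null
  ports=$(open_ports_from_gnmap "$out.gnmap")
  [ -n "$ports" ] || { echo "no open TCP ports on $target" >&2; return 1; }
  sudo nmap -sC -sV -p "$ports" -oA "$out-svc" "$target"
}

# Demo on the constructed file: filtered and UDP entries are dropped, duplicates merged.
tmp=$(mktemp)
write_sample_gnmap "$tmp"
echo "open tcp ports: $(open_ports_from_gnmap "$tmp")"   # 22,80,445,3389
rm -f "$tmp"
```

Keep --min-rate under the point where the target or an IDS starts dropping packets; a sweep that misses ports silently is worse than a slow one.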
BloodHound
AD · graph attack paths
Visualises AD privilege escalation paths. Collect with bloodhound-python (-c All, needs domain creds and DNS to the DC), ingest the JSON/zip into the GUI, query with Cypher. BloodHound CE expects the matching bloodhound-ce collector package.
$ pip install bloodhound --break-system-packages
Impacket
AD · network protocols
Swiss army knife for AD. GetUserSPNs, secretsdump, psexec, smbserver — all here. Run as impacket-<tool>.
$ sudo apt install python3-impacket
ffuf
web · fuzzing
Fast web fuzzer for dirs, vhosts, parameters. Use -fs to filter by response size and FUZZ as the placeholder.
$ sudo apt install ffuf
Hashcat
cracking · GPU-accelerated
300+ hash modes. -m 5600 NetNTLMv2 · -m 13100 Kerberoast (RC4, etype 23; AES tickets need 19600/19700) · -m 18200 AS-REP (etype 23). Use GPU on host, not in VM. --show reprints cracked results from the potfile.
$ sudo apt install hashcat
Responder
network · NTLMv2 capture
LLMNR/NBT-NS/MDNS poisoner (-I <iface>). Answers lookups for names that fail to resolve and captures NetNTLMv2 challenge/responses from the clients that then authenticate. These crack with hashcat or relay with impacket's ntlmrelayx where SMB signing is off (disable Responder's SMB and HTTP servers in Responder.conf when relaying); they are not NT hashes and cannot be passed.
$ sudo apt install responder
Evil-WinRM
windows · remote shell
Best WinRM shell: upload/download, pass-the-hash (-H), built-in PowerShell. Needs 5985 (HTTP) or 5986 (HTTPS, add -S) reachable, and the user must be a local admin or in Remote Management Users.
$ gem install evil-winrm
Chisel
pivoting · HTTP tunnel
TCP/UDP tunneling over HTTP. Use for pivoting when SSH is unavailable. Fast, reliable, one binary on each side.
$ go install github.com/jpillora/chisel@latest
Hydra
bruteforce · online
Online password brute-force for SSH, FTP, HTTP forms, SMB, RDP. Pair with short curated wordlists, not rockyou: online attacks are slow and trip lockout policies, so spray a few passwords across many users (-L users.txt -p password) rather than many passwords at one account.
$ sudo apt install hydra
Gobuster
web · directory / vhost
Fast dir/vhost/DNS brute-forcer written in Go. Use dir, vhost, or dns mode.
$ sudo apt install gobuster
Metasploit
exploitation framework
Industry-standard exploit framework. Useful for CVE exploits and post-exploitation. Use msfvenom for standalone payloads.
$ sudo apt install metasploit-framework
LinPEAS / WinPEAS
privesc · enumeration
Automated PrivEsc enumeration. Run on victim after foothold. Highlights misconfigs, writable paths, SUID, creds in configs.
$ curl -L https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -o linpeas.sh
Burp Suite
web · proxy / scanner
The web app pentesting standard. Intercept, modify, replay requests. Use Repeater for manual testing, Intruder for fuzzing, Scanner for automated issues.
$ sudo apt install burpsuite
Nikto
web · vulnerability scanner
Web server scanner. Detects dangerous files, outdated software, misconfigs. Use -h for target, -ssl for HTTPS, -Tuning to filter test types.
$ sudo apt install nikto
Netcat / Ncat
shells · port utility
The Swiss army knife of networking. Set up listeners (-lvnp), transfer files, banner grab, and catch reverse shells. Ncat adds TLS (--ssl) and source filtering (--allow).
$ sudo apt install ncat
SQLMap
web · SQL injection
Automated SQLi detection and exploitation. --dbs lists databases, -D db -T table --dump dumps rows, --os-shell gives a command shell where the DB user has file-write or xp_cmdshell privileges, -r replays a saved Burp request so cookies and headers come along.
$ sudo apt install sqlmap
enum4linux-ng
recon · SMB / LDAP
SMB/LDAP enumeration for Windows/Samba targets. Pulls users, groups, shares, policies, and domain info without credentials.
$ pip install enum4linux-ng --break-system-packages
John the Ripper
cracking · CPU-based
CPU hash cracker (hashcat is the GPU tool). Its *2john helpers (ssh2john, zip2john, keepass2john) convert files into crackable hashes before attacking; use --format= when autodetection is ambiguous and --show to reprint cracked results.
$ sudo apt install john
CrackMapExec
AD · lateral movement
Swiss army knife for AD post-exploitation. Spray creds, enumerate shares, execute commands, dump SAM/LSA over SMB/WinRM in one tool. CrackMapExec itself is no longer maintained; NetExec (nxc) is the maintained fork with the same syntax.
$ sudo apt install crackmapexec
Kerbrute
AD · Kerberos enum
Fast Kerberos username enumeration and password spraying. userenum sends AS-REQs without pre-auth, so the KDC error code separates valid from invalid users without a failed-logon count against the account (it is still visible in DC Kerberos audit logs). passwordspray is a real pre-auth attempt per user and does count toward lockout: read the domain policy first and stay under the threshold per observation window.
$ go install github.com/ropnop/kerbrute@latest
Socat
pivoting · relay / tunnel
Powerful relay tool. Create stable TTY shells (pty), port forwards, and encrypted tunnels. Often used to upgrade netcat shells to fully interactive.
$ sudo apt install socat
pwncat-cs
shells · post-exploitation
Post-exploitation framework that wraps reverse shells. Auto-upgrades to PTY, handles file transfer, persistence, and has built-in PrivEsc enumeration.
$ pip install pwncat-cs --break-system-packages
Wireshark / tshark
network · packet analysis
Deep packet inspection for captured traffic. Use tshark for CLI/scripting, filter with display filters. Essential for analyzing pcap challenges and MITM output.
$ sudo apt install wireshark tshark
Potato Suite
privesc · token impersonation
Family of Windows token-impersonation exploits: SweetPotato (local service → SYSTEM), JuicyPotatoNG, PrintSpoofer (needs the Print Spooler service running). Use when whoami /priv shows SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, typical for service accounts, IIS app pools and MSSQL.
$ iwr https://github.com/uknowsec/SweetPotato/releases/latest/download/SweetPotato.exe -o SweetPotato.exe
Seatbelt
privesc · host enumeration
C# host-survey tool by GhostPack. Runs dozens of security-relevant host checks covering credentials, tokens, browser data, AppLocker, AV, and more. Use -group=all for a full sweep, -group=user for the checks that do not need admin; output is long, so redirect it to a file.
$ iwr https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Seatbelt.exe -o Seatbelt.exe
Watson
privesc · CVE detection
C# tool by rasta-mouse (not part of GhostPack) that fingerprints the Windows build and installed KBs and maps them to known unpatched local privilege-escalation CVEs. Pure .NET, no network calls. Its CVE list is static and covers older Windows 10 and Server 2016/2019 builds only, and no precompiled release is published, so build the project yourself.
$ git clone https://github.com/rasta-mouse/Watson.git
Certipy
AD · ADCS · ESC attacks
Python tool for Active Directory Certificate Services (ADCS) abuse. find -vulnerable enumerates CAs and templates for ESC1–ESC8 and later classes; req requests a certificate through the abused template (-upn for the identity you want), auth uses it for PKINIT and returns a TGT plus the account's NT hash.
$ pip install certipy-ad --break-system-packages
Certify
AD · ADCS · enumeration
C# GhostPack tool to enumerate ADCS misconfigurations from Windows. find /vulnerable spots ESC paths; request /ca:... /template:... returns a PEM cert and key, convert them to PFX with openssl pkcs12 and feed that to Rubeus asktgt /certificate: to obtain a TGT.
$ iwr https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Certify.exe -o Certify.exe
Rubeus
AD · Kerberos abuse
C# GhostPack Kerberos toolkit. Kerberoast, AS-REP roast, pass-the-ticket, overpass-the-hash, S4U delegation abuse, and TGT/TGS requests — all in one binary.
$ iwr https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe -o Rubeus.exe
// references & resources
| Resource | Category | Description |
|---|---|---|
| GTFOBins | PrivEsc | Unix binary escapes — SUID, sudo, cron, capabilities |
| LOLBAS | Windows | Living off the land binaries & scripts for Windows |
| HackTricks | General | The most comprehensive attack technique reference |
| RevShells | Shells | Interactive reverse shell generator — all languages |
| CrackStation | Cracking | Online hash lookup / massive rainbow table |
| Exploit-DB | Exploits | Searchable public exploit archive — includes PoCs |
| SecLists | Wordlists | The definitive wordlist collection for everything |
| WADComs | AD | Interactive AD attack command cheatsheet |
| The Hacker Recipes | AD | Deep-dive AD attack techniques with context |
| ippsec.rocks | HTB | Search HTB writeup videos by technique |