Penetration testing commands for Networking

Networking knowledge is crucial for understanding how systems communicate and where vulnerabilities may exist. This category includes tools and resources for studying and securing networks.

| Name | Description | Price |
| --- | --- | --- |
| ActiveDirectoryEnumeration | Enumerate AD through LDAP with a collection of helpful scripts bundled: ASREPRoasting, Kerberoasting, dump AD as BloodHound JSON files, searching GPOs in SYSVOL for cpassword and decrypting, run without creds | Free |
| ad-ldap-enum | LDAP based Active Directory user and group enumeration tool | Free |
| Adalanche | Active Directory ACL visualizer and explorer; similar to BloodHound | Free |
| ADCSKiller | ADCS exploitation automation by weaponizing Certipy and Coercer | Free |
| ADenum | Find misconfiguration through the LDAP protocol and exploit some weaknesses with Kerberos | Free |
| adfsbrute | Test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks | Free |
| adidnsdump | Enumeration and exporting of all DNS records in ADIDNS domain or forest DNS zones | Free |
| ADMiner | Active Directory audit tool that extracts data from BloodHound to uncover security weaknesses and generate an HTML report | Free |
| ADRecon | Gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment | Free |
| archtorify | Script for Arch Linux which uses iptables settings to create a transparent proxy through the Tor network | Free |
| Arecibo | Endpoint for Out-of-Band Exfiltration (DNS & HTTP) | Free |
| arp-scan | Discover hosts on your network using ARP requests | Free |
| ASNmap | CLI and library for quickly mapping organization network ranges using ASN information | Free |
| beanshooter | JMX enumeration and attacking; helps to identify common vulnerabilities on JMX endpoints | Free |
| bettercap | MITM framework | Free |
| bettercap web UI | Web UI for bettercap | Free |
| bloodyAD | Active Directory privilege escalation framework | Free |
| boofuzz | Network protocol fuzzing framework | Free |
| Boomerang | Client/Server HTTP pivoting tool | Free |
| bore | Creates a TCP tunnel, exposing local ports to a remote server and bypassing standard NAT connection firewalls | Free |
| BruteSpray | Takes nmap GNMAP/XML output or newline separated JSONs and automatically brute-forces services with default credentials using Medusa | Free |
| BruteX | Tool using nmap and hydra to automatically bruteforce network service accounts | Free |
| CapAnalysis | PCAP analyzer | Free |
| Carnivore | Assessment of on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb | Free |
| Cerbrutus | Network services credentials brute-forcer: SSH, FTP | Free |
| Certipy | Active Directory Certificate Services enumeration and exploitation | Free |
| certsync | Dump NTDS with golden certificates and UnPAC the hash | Free |
| chisel | Fast TCP tunneling over HTTP secured by SSH | Free |
| CloudShark | PCAP analyzer | Paid |
| Coercer | Coerce a Windows server to authenticate on an arbitrary machine through 12 methods | Free |
| ConPass | Password spraying in Active Directory checking the default domain password policy as well as PSO and the badpwdcount LDAP attribute to avoid account locking | Free |
| CrackMapExec | Post-exploitation tool to assess Active Directory networks | Free |
| DC Detector | Spot all domain controllers in a Microsoft Active Directory environment; find computer name, FQDN, and IP address(es) of all DCs | Free |
| DNS Rebinding Tool | Toolkit to test further DNS rebinding attacks | Free |
| DnsFookup | Create DNS request collector and inspector | Free |
| Evil-WinRM | Enhanced WinRM shell | Free |
| evilginx2 | Man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication | Free |
| Garfield | Attack framework for distributed systems | Free |
| Girsh | Detect the OS and execute the correct commands to upgrade it to a full interactive reverse shell | Free |
| Go-RouterSocks | SOCKS proxy router to handle multiple clients on the same port | Free |
| go-secdump | Remotely dump secrets from the Windows registry (SAM hive, LSA secrets, SECURITY hive) | Free |
| goddi | Active Directory domain information dumper | Free |
| GoldenCopy | Copy the properties and groups of a user from neo4j (BloodHound) to create an identical golden ticket | Free |
| GoMapEnum | User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on LinkedIn | Free |
| Group3r | Enumerate relevant settings in AD Group Policy, identify exploitable misconfigurations | Free |
| HASSH | Network fingerprinting standard which can be used to identify specific client and server SSH implementations | Free |
| HEKATOMB | Retrieve all computer and user information from AD LDAP; download all DPAPI blobs of all users from all computers and use domain backup keys to decrypt them | Free |
| HellRaiser | Scan with nmap to correlate CPEs found with cve-search to enumerate vulnerabilities | Free |
| HivExcavator | Extracts the contents of Microsoft Windows Registry hives and displays them as a colorful tree, but mainly focused on parsing BCD files to extract WIM file paths for PXE attacks | Free |
| hoaxshell | Windows reverse shell payload generator and handler that abuses the HTTP(S) protocol to establish a beacon-like reverse shell | Free |
| HTTPRebind | Automatic DNS rebinding-based SSRF attacks | Free |
| Hydra | Network login cracker | Free |
| Ica2Tcp | SOCKS proxy for Citrix | Free |
| ImproHound | Identify the attack paths in BloodHound breaking AD tiering | Free |
| Jaqen | Abstracts away the complex steps required to perform a DNS rebind and exposes an HTML5 Fetch interface which transparently triggers a DNS rebind | Free |
| kalitorify | Script for Kali Linux which uses iptables settings to create a transparent proxy through the Tor network | Free |
| Kerbrute | Bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication | Free |
| KRBJack | DNS dynamic update abuse in ADIDNS via DSPROPERTY_ZONE_ALLOW_UPDATE set to ZONE_UPDATE_UNSECURE combined with a MitM attack using Kerberos AP-REQ hijacking | Free |
| Krbrelayx | Toolkit for abusing unconstrained delegation | Free |
| KubeHound | Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster | Free |
| LDAPmonitor | Monitor creation, deletion and changes to LDAP objects live during a pentest or system administration | Free |
| ldeep | Active Directory LDAP enumeration utility | Free |
| Legba | Multiprotocol credentials bruteforcer, password sprayer and enumerator | Free |
| Ligolo | Pivot / reverse tunneling tool with SOCKS5 and TCP tunnel support | Free |
| Ligolo-ng | Pivoting via TCP/TLS reverse tunneling with a TUN interface | Free |
| linWinPwn | Script that automates a number of Active Directory enumeration and vulnerability checks | Free |
| Locksmith | Find and fix common misconfigurations in AD CS | Free |
| lsassy | CLI tool and library to extract credentials from lsass remotely | Free |
| Mail.Rip V2 | SMTP credentials bruteforcer / checker | Free |
| MAN-SPIDER | Crawl SMB shares for juicy information; supports file content searching and regex | Free |
| Masscan | Port scanner for massive networks | Free |
| Medusa | Network login cracker | Free |
| Medusa-gui | GUI for Medusa | Free |
| modifyCertTemplate | Aid operators in modifying ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation | Free |
| MSSQLRelay | MSSQL relay audit and abuse | Free |
| naabu | Port scanner with a focus on reliability and simplicity | Free |
| ncat | Improved reimplementation of Netcat by the nmap team; supports TCP and UDP, IPv4 and IPv6, SSL, proxy (HTTP and SOCKS4) | Free |
| Ncrack | Reliable and adaptive network login cracker supporting a large number of protocols | Free |
| nemesis | Packet manipulation CLI tool; craft and inject packets of several protocols | Free |
| NetExec | Windows / Active Directory environments pentest; fork of CrackMapExec | Free |
| Netfort Free Cloud Based PCAP Analysis | PCAP analyzer; needs registration | Free |
| NetworkMiner | Network sniffer/packet capturing tool | Free |
| NetworkTotal | PCAP analyzer; using Suricata | Free |
| ngocok | ngrok collaborator link | Free |
| Nipe | Script to make Tor the default gateway | Free |
| Nmap | Tool for network discovery and security auditing | Free |
| nmap-parse-output | Converts / manipulates / extracts data from nmap scan output | Free |
| NMapGUI | Advanced GUI for Nmap | Free |
| Nozzlr | Multithreaded and modular bruteforce framework with network templates | Free |
| ntlm_theft | Generate multiple types of NTLMv2 hash theft files | Free |
| onesixtyone | SNMP scanner | Free |
| OOB-Server | Bind9 DNS server for pentesters to use for Out-of-Band vulnerabilities | Free |
| owabrute | Hydra wrapper for bruteforcing Microsoft Outlook Web Application | Free |
| PacketFu | Packet manipulation library; forge, send, decode, capture packets of a wide number of protocols | Free |
| PacketTotal | PCAP analyzer; using Bro, Suricata and Elasticsearch | Free |
| PacketWhisper | Stealthy data exfiltration via DNS, without the need for attacker-controlled name servers or domains | Free |
| Patator | Multi-protocol bruteforce tool | Free |
| PKINIT tools | Kerberos PKINIT and relaying to AD CS | Free |
| polarbearscan | Port scanner and banner grabber | Free |
| Polymorph | Real-time network packet manipulation framework | Free |
| PowerHuntShares | Audit script to inventory, analyze, and report excessive privileges assigned to SMB shares on Active Directory domain joined computers | Free |
| PSPKIAudit | AD CS auditing based on the PSPKI toolkit | Free |
| pty4all | Persistent multi reverse shell handler | Free |
| pwncat | Sophisticated bind and reverse shell handler with many features as well as a drop-in replacement or compatible complement to netcat, ncat or socat | Free |
| pwncat-caleb | Fancy reverse and bind shell handler; can perform automated actions on the remote host including enumeration, implant installation and privilege escalation; attempts to spawn a pseudoterminal (pty) for a full interactive session | Free |
| pyGPOAbuse | Partial Python implementation of SharpGPOAbuse; modify an existing GPO by creating an immediate scheduled task as SYSTEM on the remote computer for a computer GPO or as the logged in user for a user GPO | Free |
| pywerview | A partial Python rewriting of PowerSploit's PowerView | Free |
| PyWhisker | Persistent and stealthy backdooring of user and computer Active Directory objects | Free |
| PyWSUS | WSUS server designed to send malicious responses to clients | Free |
| rbndr | Server for testing software against DNS rebinding vulnerabilities | Free |
| rdp-sec-check | Script to enumerate security settings of an RDP service | Free |
| Rebind | Implements the multiple A record DNS rebinding attack | Free |
| reGeorg | SOCKS proxies through the DMZ for pivoting | Free |
| Responder | LLMNR, NBT-NS and mDNS poisoner to intercept authentication requests/answers | Free |
| RMIScout | Enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities through wordlist and bruteforce strategies | Free |
| RouterSploit | Exploitation framework for embedded devices: exploits, default credentials, scanners, payloads | Free |
| Rubeus | Kerberos interaction and abuses | Free |
| ruby-nmap | Library for nmap; allows automating nmap and parsing nmap XML files | Free |
| Rustcat | Port and reverse shell listener; fewer features than ncat, pwncat or pwncat-caleb, but has command history | Free |
| RustHound | Active Directory data collector for BloodHound | Free |
| sandmap | Metasploit-like CLI interface for the Nmap Scripting Engine (NSE) | Free |
| Scapy | Packet manipulation library; forge, send, decode, capture packets of a wide number of protocols | Free |
| SCCMHunter | Streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain | Free |
| Seth | RDP MitM tool | Free |
| SilentHound | Quietly enumerates an Active Directory domain via LDAP, parsing users, admins and groups | Free |
| SiLK | System for Internet-Level Knowledge; collection of traffic analysis tools developed to facilitate security analysis of large networks | Free |
| Singularity | DNS rebinding attack framework | Free |
| sJET | JMX Exploitation Toolkit | Free |
| Snaffler | Find credentials and valuable information in Windows Active Directory environments (shares, files) | Free |
| SNMP Brute | SNMP brute force, enumeration, Cisco config downloader and password cracking script | Free |
| snmpbw.pl | Multithreaded script for bulk walking targeted host systems for SNMP data | Free |
| Snort | Intrusion detection system that monitors network traffic for suspicious activities and threats | Free |
| SprayHound | Password spraying in Active Directory checking the default domain password policy and the badpwdcount LDAP attribute to avoid account locking; sets pwned users as owned in BloodHound and detects paths to Domain Admins | Free |
| ssh-audit | SSH scanner that detects protocol and version, grabs the banner, recognizes software and operating system, and outputs algorithm information and recommendations | Free |
| sshame | Brute force SSH public-key authentication interactively | Free |
| Sshimpanzee | Builds a static reverse SSH server for pivoting; supports HTTP and SOCKS5 proxies, DNS and ICMP tunnelling, HTTP encapsulation | Free |
| Suricata Language Server | Implementation of the Language Server Protocol for Suricata signatures; real-time rule syntax checking and auto-completion | Free |
| Tsunami | Network security scanner with an extensible plugin system | Free |
| Turner | Tunnels HTTP over a permissive/open TURN server; supports HTTP and SOCKS5 proxy | Free |
| WebMap v1 | A web dashboard for nmap XML reports | Free |
| WebMap v2 | A web dashboard for nmap XML reports | Free |
| Whisker | Take over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding Shadow Credentials to the target account | Free |
| Whonow | DNS server for executing DNS rebinding attacks | Free |
| windapsearch | Script to enumerate users, groups and computers from a Windows domain through LDAP queries | Free |
| Wireshark | Network protocol analyzer | Free |
| WireSocks | WireGuard SOCKS proxy for pentest pivoting | Free |
| wmiexec-Pro | Perform different ways of command execution via the WMI protocol (port 135) for AV evasion | Free |
| XFLTReaT | Tunnelling framework; supports TCP, UDP, ICMP, SOCKS, HTTP, SCTP, WebSocket, RDP | Free |
| Xprobe2 | Remote active operating system fingerprinting | Free |
| yersinia | Framework for layer 2 attacks | Free |
| Zenmap | GUI for Nmap | Free |
| Zmap | Collection of tools to scan and study massive networks | Free |