Penetration testing commands for Networking
Networking knowledge is crucial for understanding how systems communicate and where vulnerabilities may exist. This category includes tools and resources for studying and securing networks.
| Name | Description | Price |
|---|---|---|
| ActiveDirectoryEnumeration | Enumerate AD through LDAP with a collection of helpfull scripts being bundled: ASREPRoasting, Kerberoasting, dump AD as BloodHound JSON files, searching GPOs in SYSVOL for cpassword and decrypting, run without creds | Free |
| ad-ldap-enum | LDAP based Active Directory user and group enumeration tool | Free |
| Adalanche | Active Directory ACL visualizer and explorer; similar to BloodHound | Free |
| ADCSKiller | ADCS exploitation automation by weaponizing Certipy and Coercer | Free |
| ADenum | Find misconfiguration through the LDAP protocol and exploit some weaknesses with kerberos | Free |
| adfsbrute | Test credentials against Active Directory Federation Services (ADFS), allowing password spraying or bruteforce attacks | Free |
| adidnsdump | Enumeration and exporting of all DNS records in ADIDNS domain or forest DNS zones | Free |
| ADMiner | Active Directory audit tool that extract data from Bloodhound to uncover security weaknesses and generate an HTML report | Free |
| ADRecon | Gathers information about the Active Directory and generates a report which can provide a holistic picture of the current state of the target AD environment | Free |
| archtorify | Script for Arch Linux which use iptables settings to create a transparent proxy through Tor Network | Free |
| Arecibo | Endpoint for Out-of-Band Exfiltration (DNS & HTTP) | Free |
| arp-scan | Discover hosts on your network using ARP requests | Free |
| ASNmap | CLI and Library for quickly mapping organization network ranges using ASN information | Free |
| beanshooter | JMX enumeration and attacking; helps to identify common vulnerabilities on JMX endpoints | Free |
| bettercap | MITM framework | Free |
| bettercap web UI | Web UI for bettercap | Free |
| bloodyAD | Active Directory privilege escalation framework | Free |
| boofuzz | Network protocol fuzzing framework | Free |
| Boomerang | Client/Server HTTP pivoting tool | Free |
| bore | Creates a TCP tunnel; exposing local ports to a remote server, bypassing standard NAT connection firewalls | Free |
| BruteSpray | Takes nmap GNMAP/XML output or newline seperated JSONS and automatically brute-forces services with default credentials using Medusa | Free |
| BruteX | Tool using nmap and hydra to automatically bruteforce network service accounts | Free |
| CapAnalysis | PCAP analyzer | Free |
| Carnivore | Assessment of on-premises Microsoft servers such as ADFS, Skype, Exchange, and RDWeb | Free |
| Cerbrutus | Network services credentials brute-forcer: SSH, FTP | Free |
| Certipy | Active Directory Certificate Services enumeration and exploitation | Free |
| certsync | Dump NTDS with golden certificates and UnPAC the hash | Free |
| chisel | Fast TCP tunneling over HTTP secured by SSH | Free |
| CloudShark | PCAP analyzer | Paid |
| Coercer | Coerce a Windows server to authenticate on an arbitrary machine through 12 methods | Free |
| ConPass | Password spraying in Active Directory checking the default domain password policy as well as PSO and the badpwdcount LDAP attribute to avoid account locking | Free |
| CrackMapExec | Post-exploitation tool to assess Active Directory networks | Free |
| DC Detector | Spot all domain controllers in a Microsoft Active Directory environment, find computer name, FQDN, and IP address(es) of all DCs | Free |
| DNS Rebinding Tool | Toolkit to test further DNS rebinding attacks | Free |
| DnsFookup | Create DNS request collector and inspector | Free |
| Evil-WinRM | Enhanced WinRM shell | Free |
| evilginx2 | Man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication | Free |
| Garfield | Attack framework for distributed systems | Free |
| Girsh | Detect the OS and execute the correct commands to upgrade it to a full interactive reverse shell | Free |
| Go-RouterSocks | Socks proxy router to handle multi-clients on the same port | Free |
| go-secdump | Remotely dump secrets from the Windows registry (SAM hive, LSA secrets, SECURITY hive) | Free |
| goddi | Active Directory domain information dumper | Free |
| GoldenCopy | Copy the properties and groups of a user from neo4j (bloodhound) to create an identical golden ticket | Free |
| GoMapEnum | User enumeration and password bruteforce on Azure, ADFS, OWA, O365 and gather emails on Linkedin | Free |
| Group3r | Enumerate relevant settings in AD Group Policy, identify exploitable misconfigurations | Free |
| HASSH | Network fingerprinting standard which can be used to identify specific client and server SSH implementations | Free |
| HEKATOMB | Retrieve all computers and users informations from AD LDAP; download all DPAPI blob of all users from all computers and uses Domain backup keys to decrypt them | Free |
| HellRaiser | Scan with nmap to correlate CPE's found with cve-search to enumerate vulnerabilities | Free |
| HivExcavator | Extracting the contents of Microsoft Windows Registry (hive) and display it as a colorful tree but mainly focused on parsing BCD files to extract WIM files path for PXE attacks | Free |
| hoaxshell | Windows reverse shell payload generator and handler that abuses the http(s) protocol to establish a beacon-like reverse shell | Free |
| HTTPRebind | Automatic DNS rebinding-based SSRF attacks | Free |
| Hydra | Network login cracker | Free |
| Ica2Tcp | SOCKS proxy for Citrix | Free |
| ImproHound | Identify the attack paths in BloodHound breaking AD tiering | Free |
| Jaqen | Abstracts away the complex steps required to perform a DNS rebind and exposes a HTML5 Fetch interface which transparently triggers a DNS rebind | Free |
| kalitorify | Script for Kali Linux which use iptables settings to create a transparent proxy through Tor Network | Free |
| Kerbrute | Bruteforce and enumerate valid Active Directory accounts through Kerberos Pre-Authentication | Free |
| KRBJack | DNS dynamic update abuse in ADIDNS via DSPROPERTY_ZONE_ALLOW_UPDATE set to ZONE_UPDATE_UNSECURE combined with MitM attack using Kerberos AP-REQ hijacking | Free |
| Krbrelayx | Toolkit for abusing unconstrained delegation | Free |
| KubeHound | Kubernetes attack graph tool allowing automated calculation of attack paths between assets in a cluster | Free |
| LDAPmonitor | Monitor creation, deletion and changes to LDAP objects live during pentest or system administration | Free |
| ldeep | Active Directory LDAP enumeration utility | Free |
| Legba | Multiprotocol credentials bruteforcer, password sprayer and enumerator | Free |
| Ligolo | Pivot / reverse tunneling tool with SOCKS5 and TCP tunnel support | Free |
| Ligolo-ng | Pivoting via TCP/TLS reverse tunneling with TUN interface | Free |
| linWinPwn | Script that automates a number of Active Directory enumeration and vulnerability checks | Free |
| Locksmith | Find and fix common misconfigurations in AD CS | Free |
| lsassy | CLI tool and library to extract credentials from lsass remotely | Free |
| Mail.Rip V2 | SMTP credentials bruteforcer / checker | Free |
| MAN-SPIDER | Crawl SMB shares for juicy information; supports file content searching and regex | Free |
| Masscan | Port scanner for massive networks | Free |
| Medusa | Network login cracker | Free |
| Medusa-gui | GUI for Medusa | Free |
| modifyCertTemplate | Aid operators in modifying ADCS certificate templates so that a created vulnerable state can be leveraged for privilege escalation | Free |
| MSSQLRelay | MSSQL relay audit and abuse | Free |
| naabu | Port scanner with a focus on reliability and simplicity | Free |
| ncat | Improved reimplementation of Netcat by nmap team; Supports TCP and UDP, IPv4 and IPv6, SSL, proxy (HTTP and SOCKS4) | Free |
| Ncrack | Reliable and adaptative network login cracker supporting a large number of protocols | Free |
| nemesis | Packet manipulation CLI tool; craft and inject packets of several protocols | Free |
| NetExec | Windows / Active Directory environments pentest; fork of CrackMapExec | Free |
| Netfort Free Cloud Based PCAP Analysis | PCAP analyzer; needs registration | Free |
| NetworkMiner | Network sniffer/packet capturing tool | Free |
| NetworkTotal | PCAP analyzer; using Suricata | Free |
| ngocok | ngrok collaborator link | Free |
| Nipe | Script to make TOR as default gateway | Free |
| Nmap | Tool for network discovery and security auditing | Free |
| nmap-parse-output | Converts / manipulates / extracts data from a nmap scan output | Free |
| NMapGUI | Advanced GUI for Nmap | Free |
| Nozzlr | Multithreaded and modular bruteforce framework with network templates | Free |
| ntlm_theft | Generate multiple types of NTLMv2 hash theft files | Free |
| onesixtyone | SNMP scanner | Free |
| OOB-Server | Bind9 DNS server for pentesters to use for Out-of-Band vulnerabilities | Free |
| owabrute | Hydra wrapper for bruteforcing Microsoft Outlook Web Application | Free |
| PacketFu | Packet manipulation library; forge, send, decode, capture packets of a wide number of protocols | Free |
| PacketTotal | PCAP analyzer; using Bro, Suricata and Elasticsearch | Free |
| PacketWhisper | Stealthy Data exfiltration via DNS, without the need for attacker-controlled Name Servers or domain | Free |
| Patator | Multi-protocol bruteforce tool | Free |
| PKINIT tools | Kerberos PKINIT and relaying to AD CS | Free |
| polarbearscan | Port scanner and banner grabber | Free |
| Polymorph | Real-time network packet manipulation framework | Free |
| PowerHuntShares | Audit script to inventory, analyze, and report excessive privileges assigned to SMB shares on Active Directory domain joined computers | Free |
| PSPKIAudit | AD CS auditing based on the PSPKI toolkit | Free |
| pty4all | Persistent multi reverse shell handler | Free |
| pwncat | Sophisticated bind and reverse shell handler with many features as well as a drop-in replacement or compatible complement to netcat, ncat or socat | Free |
| pwncat-caleb | Fancy reverse and bind shell handler, can perform automated actions on the remote host including enumeration, implant installation and privilege escalation; attempt to spawn a pseudoterminal (pty) for a full interactive session | Free |
| pyGPOAbuse | Partial python implementation of SharpGPOAbuse; modify an existing GPO by creating an immediate scheduled task as SYSTEM on the remote computer for computer GPO or logged in user for user GPO | Free |
| pywerview | A partial Python rewriting of PowerSploit's PowerView | Free |
| PyWhisker | Persistent and stealthy backdooring of user and computer Active Directory objects | Free |
| PyWSUS | WSUS server designed to send malicious responses to clients | Free |
| rbndr | Server for testing software against DNS rebinding vulnerabilities | Free |
| rdp-sec-check | Script to enumerate security settings of an RDP Service | Free |
| Rebind | Implements multiple A record DNS rebinding attack | Free |
| reGeorg | SOCKS proxies through the DMZ for pivoting | Free |
| Responder | LLMNR, NBT-NS and MDNS poisoner to intercept authentication requests/answers | Free |
| RMIScout | Enumerate Java RMI functions and exploit RMI parameter unmarshalling vulnerabilities through wordlist and bruteforce strategies | Free |
| RouterSploit | Exploitation framework for embedded devices: exploits, default credentials, scanners, payloads | Free |
| Rubeus | Kerberos interaction and abuses | Free |
| ruby-nmap | Library for nmap, allows automating nmap and parsing nmap XML files | Free |
| Rustcat | Port and reverse shell listener; less features than ncat, pwncat, pwncat-caleb but has command history | Free |
| RustHound | Active Directory data collector for BloodHound | Free |
| sandmap | Metasploit-like CLI interface for Nmap Script Engine (NSE) | Free |
| Scapy | Packet manipulation library; forge, send, decode, capture packets of a wide number of protocols | Free |
| SCCMHunter | Streamline identifying, profiling, and attacking SCCM related assets in an Active Directory domain | Free |
| Seth | RDP MitM tool | Free |
| SilentHound | Quietly enumerates an Active Directory Domain via LDAP parsing users, admins, groups | Free |
| SiLK | System for Internet-Level Knowledge; collection of traffic analysis tools developed to facilitate security analysis of large networks | Free |
| Singularity | DNS rebinding attack framework | Free |
| sJET | JMX Exploitation Toolkit | Free |
| Snaffler | Find credentials and valuable information from windows active directory environments (shares, files) | Free |
| SNMP Brute | SNMP brute force, enumeration, CISCO config downloader and password cracking script | Free |
| snmpbw.pl | Multithreaded script for bulk walking targeted host systems for SNMP data | Free |
| Snort | Intrusion detection system that monitors network traffic for suspicious activities and threats | Free |
| SprayHound | Password spraying in Active Directory checking the default domain password policy and the badpwdcount LDAP attribute to avoid account locking, set pwned users as owned in Bloodhound and detect path to Domain Admins | Free |
| ssh-audit | SSH scanner that detects protocol, version, grab banner, recognize software and operating system, output algorithm information and recommendations | Free |
| sshame | Brute force SSH public-key authentication interactively | Free |
| Sshimpanzee | Builds a static reverse SSH server for pivoting; supports HTTP and SOCKS5 proxies, DNS and ICMP tunnelling, HTTP encapsulation | Free |
| Suricata Language Server | Implementation of the Language Server Protocol for Suricata signatures; real-time rule syntax checking and auto-completion | Free |
| Tsunami | Network security scanner with an extensible plugin system | Free |
| Turner | Tunnels HTTP over a permissive/open TURN server; supports HTTP and SOCKS5 proxy | Free |
| WebMap v1 | A web dashboard for nmap XML report | Free |
| WebMap v2 | A web dashboard for nmap XML report | Free |
| Whisker | Take over Active Directory user and computer accounts by manipulating their msDS-KeyCredentialLink attribute, effectively adding Shadow Credentials to the target account | Free |
| Whonow | DNS Server for executing DNS Rebinding attacks | Free |
| windapsearch | Script to enumerate users, groups and computers from a Windows domain through LDAP queries | Free |
| Wireshark | Network protocol analyzer | Free |
| WireSocks | WireGuard socks proxy for pentest pivoting | Free |
| wmiexec-Pro | Perform different ways of command execution via WMI protocol (port 135) for AV evasion | Free |
| XFLTReaT | Tunnelling framework; supports TCP, UDP, ICMP, SOCKS, HTTP, SCTP, WebSocket, RDP | Free |
| Xprobe2 | Remote active operating system fingerprinting | Free |
| yersinia | Framework for layer 2 attacks | Free |
| Zenmap | GUI for Nmap | Free |
| Zmap | Collection of tools to scan and study massive networks | Free |