Tooling

Active Directory & Entra ID Pentesting

BloodHound, NetExec, Impacket, Rubeus — owning AD and Azure AD.

Active Directory (and its cloud sibling Entra ID / Azure AD) is the crown jewel of most enterprise environments. The AD attack-graph toolkit went through major changes 2023–26: BloodHound got a CE GUI rewrite, CrackMapExec was sunset and forked into NetExec. For exploitation frameworks see Exploitation Frameworks. For cloud-side AD see Cloud Pentesting. On the defense side: Server Hardening, SIEM (Wazuh), Detection (Sigma / YARA / ATT&CK).

Attack graph — the must-have

  • ★ ★ BloodHound CE (SpecterOps) — graphs AD / Entra ID privilege paths; "shortest path from any user to Domain Admin." 2024 CE rewrite gave it a modern web UI, Neo4j-or-Postgres backend, and unified ingestor. CE is free; BloodHound Enterprise paid adds continuous monitoring and remediation tracking.
    • SharpHound — the .NET collector; runs from a domain-joined host.
    • AzureHound — collector for Entra ID / Azure AD / Azure RBAC.
    • bloodhound.py / RustHound-CE — cross-platform / faster collectors.
    • Legacy "BloodHound 4.x" still floats around; CE is the path forward.

AD enumeration / abuse swiss-army

  • ★ ★ NetExec (nxc) — community fork / successor of CrackMapExec; SMB / WinRM / LDAP / MSSQL / RDP / SSH / FTP enumeration and command execution. Default "I have a credential, what can I do?" tool 2024–26. Free.
  • CrackMapExec (CME) — original; archived; use NetExec instead.
  • ★ ★ Impacket (Fortra/SecureAuth) — Python AD swiss-army: secretsdump, psexec, wmiexec, smbexec, getNPUsers, GetUserSPNs, ntlmrelayx, mssqlclient. Underpins half of AD pentesting workflows. Free.
  • Kerbrute — username enumeration + password spraying via Kerberos pre-auth.
  • adidnsdump / adexplorer — AD-integrated DNS dumping / live AD browser.
  • PowerView / PowerSploit (legacy PowerShell recon) — superseded by SharpView, SharpHound, and Rubeus.

Kerberos abuse

  • Rubeus (HarmJ0y) — .NET Kerberos toolkit: AS-REP roasting, Kerberoasting, S4U2Self / Constrained Delegation, ticket import/export. Still the reference. Free.
  • Impacket: GetUserSPNs / GetNPUsers — Python equivalents.
  • Mimikatz (gentilkiwi) — credential extraction / pass-the-ticket / DCSync / DCShadow / Skeleton Key. Heavily detected; useful for understanding.
  • certipy (Olive Linder) — AD CS abuse (ESC1–ESC11+); 2023–26's hottest AD escalation path.
  • Certify / ForgeCert — .NET equivalents.
  • Ticketer.py / Silver Ticket Script — forged tickets.

NTLM / coercion

  • PetitPotam, PrinterBug, ShadowCoerce, DFSCoerce, MS-EFSR — coercion primitives.
  • ntlmrelayx (Impacket) — relay coerced NTLM auth to LDAP / ADCS / SMB.
  • Coercer — automates coercion technique discovery.
  • Responder (Laurent Gaffié) — LLMNR / NBT-NS / mDNS poisoner; collect NetNTLM hashes.
  • inveigh — Responder for Windows / PowerShell.

AD audit (defensive / pre-engagement)

  • PingCastle — free AD security audit; gives a maturity score; reports prioritised by risk. Run quarterly.
  • Purple Knight (Semperis) — free AD posture scan.
  • ADRecon — read-only AD enumeration → Excel / HTML report.
  • ADExplorer (Sysinternals) — point-in-time AD snapshots; you can diff with AdExplorerSnapshot.py.
  • Forest Druid — Tier 0 attack-path discovery.

Entra ID / Azure AD specific

  • AzureHound — BloodHound collector for Entra ID + Azure RBAC.
  • ROADtools / roadrecon — Entra ID enumeration.
  • MicroBurst (NetSPI) — Azure red-team toolkit.
  • AADInternals — PowerShell AAD (Entra ID) abuse.
  • BARK (BloodHound Attack Research Kit) — Az / Entra abuse primitives.
  • Stormspotter (sunset → ROADtools) — Microsoft's old red-team tool.
  • TokenSmith / TokenTactics — token impersonation.

Password spraying / cred attacks

  • kerbrute / NetExec --spray — Kerberos / SMB / LDAP / WinRM spraying.
  • trevorspray — modern Python sprayer.
  • MSOLSpray / MSOLSprayer — O365 password sprayers.
  • DomainPasswordSpray (PowerShell) — classic.
  • See also Password Cracking for offline crack of dumped hashes.

Local lab targets

  • GOAD (Game of Active Directory) — Vulnerable AD lab; brilliant practice ground. Free.
  • Vulnerable-AD (Safebuffer) — quick PowerShell AD lab setup.
  • DetectionLab — defensive lab with logging.
  • HackTheBox / TryHackMe AD paths — see Security Training Platforms.

Pick this if…

  • Default AD attack-path mapper: BloodHound CE.
  • Default "I have a credential" enumerator: NetExec.
  • Need anything Kerberos / NTLM in Python: Impacket.
  • Kerberos abuse on Windows endpoint: Rubeus.
  • AD CS / certificate-based escalation: certipy.
  • Quarterly defensive AD audit: PingCastle.
  • Entra ID / Azure AD red team: AzureHound + ROADtools + MicroBurst.
  • Lab to practice: GOAD.

On this page