To be a penetration tester, you must master your tools. This curated guide details the top 20 network penetration testing tools you need to learn to elevate your skills and become a legendary hacker.
The tools have been split into the six key stages of a network penetration test:
- Network Scanning
- Post Exploitation Frameworks
- Pivoting and Lateral Movement
- Active Directory Assessment
- Spoofing and Eavesdropping
- Credential Harvesting
This guide will show you multiple tools to help you conquer each stage and provide a client with a comprehensive assessment of their network security.
Before jumping in and using the tools in this guide, let’s first look at what network penetration testing is and why you need these tools to perform a complete assessment.

What Is Network Penetration Testing?
Network penetration testing (a.k.a an internal pentest) is a security assessment of an organization’s internal infrastructure and defenses. A network pentest will begin with an assumed breach, where the pentester is provided initial access to the internal network and is tasked with assessing the security of this environment. This allows a penteser to spend more time testing an organization’s internal defenses and security controls rather than trying to gain initial access.
To perform a thorough network penetration test, you must perform network scanning, active directory enumeration, and lateral movement to compromise high-value systems and access valuable information. This requires specialized pentesting tools, which have been handpicked for you to learn in this guide.
Most of these tools come with Kali Linux, so you can get started using them immediately. You can learn to install Kali Linux on VMware and VirtualBox in these guides:
- How to Install Kali Linux on VMware: The Ultimate How-to Guide
- How to Install Kali Linux on VirtualBox & Start Hacking Now
Let’s jump in and start mastering our tools!
Network Scanning Tools
One of the first phases of a network penetration test is Scanning and Enumeration. During this phase, you will scan a target for potential vulnerabilities you can exploit. To help you do this, here are several popular scanning tools.
Nessus

Nessus is a widely used commercial vulnerability scanner that organizations use to identify and remediate security vulnerabilities and misconfigurations in their environment. It is a comprehensive solution that can be extended through plugins, offers compliance and credentials-based scanning, and integrates with SIEM solutions for enterprise environments.
Why we like Nessus:
- The plugin architecture can be used for system, application, and network scanning.
- Great for compliance monitoring.
- Can audit the configuration of your software and provide best practice advice.
- Automatically generates custom reports.
Needs to be installed from Tenable’s Products page. The Expert version starts at ~$6,900 yearly, and the Professional version at ~$4,683 yearly. However, both come with a free 7-day trial, or you can use Nesssus Essentials for free.
OpenVAS

Greenbone Open Vulnerability Assessment Scanner (OpenVAS) is an open-source network vulnerability scanning and management tool that lets you identify and assess vulnerabilities in your network and endpoint devices. It can perform authenticated or unauthenticated scans, generate custom reports, and perform compliance auditing.
Why we like OpenVAS:
- An adaptable plugin architecture.
- It can be used for compliance auditing, web application scanning, network discovery, and more.
- Automatically generates custom reports.
- Integrates with SIEM solutions for streamlined patch management.
Needs to be installed. The OpenVAS Community Edition can be downloaded for free using the installation instructions in the documentation, while Greenbone also offers commercial versions.
Nmap

Nmap (Network Mapper) is a powerful open-source network scanning tool that can be used for network discovery, port mapping, and vulnerability assessments using its extensible scripting engine. It is the defacto tool for enumerating any network, and you can learn more about it in How to Use Nmap to Scan a Network: A Step-by-Step Guide or using this cheatsheet.
Why we like Nmap:
- Great for network host discovery on internal networks.
- Lightweight and versatile.
- Capable of performing quick vulnerability scans and service enumeration.
Included with Kali Linux.
Learn more about how Nessus, OpenVAS, and Nmap compare in The Best Vulnerability Scanners for Kali Linux.
Post Exploitation Frameworks
Post-exploitation frameworks let you easily maintain access and control over compromised targets during a network pentest. Here are some of the ones you will likely encounter during your pentesting career.
Cobalt Strike

Cobalt Strike is the gold standard post-exploitation and command-and-control (C2) framework for adversary emulation and red team operations. It is packed with features that allow you to emulate real-world threat actors' tactics, techniques, and procedures (TTPs) and is made extensible through its Resource and Community kits.
Why we like Cobalt Strike:
- Build to emulate real-world threats.
- Integrates with other security tools, such as Metasploit.
- Generates customizable reports to document your findings.
Needs to be installed. Cobalt Strike costs $3,540* per user for a one-year license and can be downloaded with a purchased license key.
Covenant

Covenant is an open-source C2 framework for post-exploitation during a network penetration test. It allows you to maintain control over compromised systems, exfiltrate data, and execute post-exploitation activities.
Why we like Covenant:
- Cross-platform support.
- An easy-to-use web interface.
- Supports task automation through extensible modules and scripts.
- PowerShell integration to target Windows hosts.
Needs to be installed. You can install Covenant through its Kali package or via its GitHub page.
PowerShell Empire

PowerShell Empire is an open-source post-exploitation and adversary emulation framework that helps pentesters and red teamers perform post-exploitation activities on Windows machines. The framework uses a modular architecture to provide encrypted communications, task automation, and payload generation. You can learn how to use this framework in PowerShell Empire: A Comprehensive Guide to the C2 Framework.
Why we like PowerShell Empire:
- Great for targeting environments that use PowerShell.
- Highly scriptable and extensible using modules.
- Supports HTTP and HTTPS communication to blend in with normal web traffic.
Included with Kali Linux.
Metasploit

Metasploit is a popular open-source penetration testing and exploitation framework with an extensible module framework that provides post-exploitation capabilities. Pentesters and red teamers use it to identify vulnerabilities, exploit them, and maintain access to compromised systems. Metasploit is a tool all pentesters should know how to use, and you can learn more about it in How to Use Metasploit in Kali Linux: A Step-By-Step Tutorial or using this Metasploit module cheatsheet.
Why we like Metasploit:
- Has a vast collection of pre-built exploits, payloads, and auxiliary modules that make identifying and exploiting vulnerabilities easy.
- Includes the Meterpreter shell, which excels at post-exploitation activities, such as privilege escalation, file manipulation, data exfiltration, and lateral movement.
- Lets you automate exploitation with its modular framework.
- Offers reporting capabilities that let you document your findings.
Included with Kali Linux.
Pivoting and Lateral Movement
To conduct a thorough network penetration test, you must perform pivoting and lateral movement to compromise high-value targets scattered throughout the internal network. Here are some tools for doing just that.
sshuttle

sshuttle is an open-source, command line tool for creating encrypted VPN-like connections between a local computer and remote server over SSH. When a target machine is dual-homed (has two network interfaces) and has access to an internal network, sshuttle can connect to this machine and use it to proxy all traffic from your attacker machine to the internal network.
Why we like sshuttle:
- Provides secure tunneling using encrypted SSH communication.
- It is designed to work as a transparent VPN solution that automatically routes traffic for you.
- Handles DNS requests automatically through the tunnel.
- Cross-platform compatible (Linux, macOS, and Windows). However, it needs SSH installed on the target machine.
Needs to be installed. You can install sshuttle through its Python package or via its GitHub page.
Chisel

Chisel is a command line pivoting tool used to create network tunnels and forward traffic between your attacker machine and a target’s internal network. It is useful for passing through firewalls, accessing environments where VPN or SSH access is not available, and for performing lateral movement between networks.
Why we like Chisel:
- It creates a secure bidirectional tunnel without needing a VPN or SSH installed (it uses HTTPS).
- Supports dynamic port forwarding for accessing resources only available on the target network (similar to SOCKS proxy).
- Cross-platform compatible (Linux, macOS, and Windows).
Needs to be installed. You can install Chisel through its Kali package or via its GitHub page.
Evil-WinRM

Evil-WinRM is an open-source tool used to perform lateral movement. It takes in credentials you have gathered and uses the WinRM (Windows Remote Management) protocol to let you jump between hosts on an internal network or execute commands/scripts remotely. You can learn how to use Evil-WinRM to perform lateral movement in Pass the Hash Attacks: How to Make Network Compromise Easy.
Why we like Evil-WinRM:
- Provides remote shell access on compromised Windows machines through the WinRM protocol.
- Blends in with legitimate internal network communication with encrypted WinRM traffic.
- Lets you remotely execute commands/scripts and upload/download files.
Needs to be installed. You can install Evil-WinRM through its Kali package or via its GitHub page.
Active Directory Assessment
Around 90% of Fortune 1000 companies use Windows Active Directory to manage their IT infrastructure. To be an effective network penetration tester, you must know how to attack Active Directory and assess potential vulnerabilities. Here are some of the tools you can use.
PowerView

PowerView is an open-source PowerShell tool that you can use to gain situational awareness in a Windows environment. It can enumerate Active Directory domains, users, networks, forests, shares, and system information, as well as provide lateral movement and privilege escalation capabilities. PowerView is often used to help perform Kerberoasting. You can learn more in How to Perform Kerberoasting Attacks: The Ultimate Guide.
Why we like PowerView:
- Great for Active Directory enumeration
- Useful for identifying vulnerabilities, misconfigurations, and potential attack paths in Active Directory environments.
- Lightweight and versatile.
Needs to be installed. You can download the PowerView PowerShell script from its GitHub page.
Bloodhound

Bloodhound is a powerful post-exploitation tool that uses graph theory to map hidden or unintentional relationships within an Active Directory environment. You can exploit these relationships to gain access to sensitive information and systems. Learn more about Bloodhound in How to Use BloodHound to Hack Active Directory: A Full Guide.
Why we like Bloodhound:
- Provides a visualization of an environment’s Active Directory attack surface.
- Supports a custom query language for identifying security issues and opportunities for exploitation.
- Helps identify opportunities for lateral movement and credential abuse.
Needs to be installed. You can install Bloodhound through its Kali package or via its GitHub page.
CrackMapExec

CrackMapExec is an open-source post-exploitation tool for network reconnaissance and lateral movement in Windows environments. It is a versatile pentesting tool that can be used for many post-exploitation activities, including credential attacks, Active Directory enumeration, exploit and payload delivery, and more.
Why we like CrackMapExec:
- Integrates well with other post-exploitation frameworks and tools, such as PowerShell Empire, Metasploit, and Mimikatz.
- Has a credential store that lets you manage and reuse stolen credentials.
- Supports automation via PowerShell.
Included with Kali Linux.
ADSearch

ADSearch is a Windows Active Directory reconnaissance tool that uses Lightweight Directory Access Protocol (LDAP) searches to gather information about a target network. Its ability to blend in with legitimate Active Directory traffic makes it a popular choice for red team and adversary emulation operations.
Why we like ADSearch:
- Allows you to run pre-built and custom LDAP searches.
- Capable of displaying output in JSON format.
- Strong integration with Cobalt Strike and other C2 frameworks.
Needs to be installed. You can compile the C# files from the ADSearch GitHub or download the standalone binaries.
Spoofing and Eavesdropping
After gaining access to a target’s internal network, you must look for opportunities to extend your access to higher-value targets by performing lateral movement. A good way to do this is through intercepting, spoofing, and poisoning traffic traveling over the local network. Here are some tools that will help you.
Responder

Responder is a popular open-source spoofing and credential harvesting tool for man-in-the-middle attacks. It impersonates legitimate Windows services and poisons the LLMNR, NBT-NS, and MDNS protocols. When a Windows machine communicates with Responder, the tool spoofs the network traffic and hijacks login credentials. It uses these credentials to perform credential relaying and pass the hash attacks.
Why we like Responder:
- It is difficult to defend against if a Windows network uses the LLMNR and NBT-NS network protocols.
- Can automate pass the hash and credential relaying attacks when used with other tools, such as MitM6.
- It can capture traffic that uses common network protocols, such as DNS, HTTP, and SMB.
Included with Kali Linux.
MitM6

MitM6 (Man-in-the-Middle version 6) is a pentesting tool for performing man-in-the-middle attacks by exploiting the IPv6 protocol. The tool impersonates and takes over the default DNS server on a Windows network to intercept legitimate traffic and inject malicious traffic. It is commonly used with Impacket’s ntlmrelayx tool (included with Kali) for WPAD spoofing and credential relaying attacks.
Why we like MitM6:
- It can be used with Impacket’s ntlmrelayx to automate credential relaying attacks.
- Can relay Kerberos authentication to attack Windows Active Directory environments.
- Lightweight and written in Python.
Needs to be installed. See the mitm6 GitHub for details.
bettercap

bettercap is a powerful open-source networking security framework used to perform reconnaissance and attacks on internal networks. It is written in Go and used for various network-based attacks, including sniffing traffic, spoofing network protocols, harvesting credentials, hijacking cookies, etc.
Why we like bettercap:
- Has an easy-to-use GUI version and a CLI version.
- Can scan IP network hosts passively to evade detections.
- Can perform SSL/TLS stripping to intercept unencrypted data transmitted over encrypted connections, such as HTTPS.
Included with Kali Linux.
Credential Harvesting
Once you gain initial access to a system, you need to extract password hashes, Kerberos tickets, and other sensitive information to move laterally around the internal the network. Here are some of the most popular credential harvesting tools you can use.
Mimikatz

Mimikatz is a tool for exploiting weaknesses and vulnerabilities in the Windows authentication and security protocols. It can dump credentials stored in the Windows Security Account Manager (SAM) database and the Local Security Authority Subsystem Service (LSASS) process memory. The tool can also extract plaintext passwords and Kerberos tickets for pass the hash attacks and pass-the-ticket, respectively.
Why we like Mimikatz:
- It is the defacto tool for dumping credentials on Windows systems.
- It can be used for performing lateral movement using the credentials it extracts.
- Widely supported by various post-exploitation and C2 frameworks.
Included with Kali Linux.
Rubeus

Rubeus is an open-source tool in C# that abuses the raw Kerberos protocol for privilege escalation and lateral movement in Windows Active Directory environments. The tool can extract Kerberos tickets, perform pass-the-ticket attacks, create silver and golden tickets, perform Kerberoasting and AS-REP roasting, and more.
Why we like Rubeus:
- A versatile tool for abusing Kerberos and performing lateral movement.
- It can be easily modified to evade detection.
- Blends in with legitimate network traffic by interacting with the raw Kerberos protocol.
Needs to be installed. You can compile the C# files from the Rubeus GitHub or download the standalone binaries.
LaZagne

LaZange is an open-source credential harvesting tool that can retrieve passwords from various data stores on a local computer. It uses numerous techniques to extract passwords from browsers, chat applications, databases, games, git, mail clients, memory, system administrator tools, and more. The tool has been used in multiple real-world attacks, including Ryuk ransomware campaigns.
Why we like LaZagne:
- Capable extracting many different passwords using various techniques.
- Can be used with the Pupy post-exploitation framework and executed in memory to evade detection.
- Supports Windows and macOS.
Needs to be installed. See The LaZagne Project GitHub for details.
Conclusion
The success of your network pentest will often rely on the tools you use. This guide detailed 20 of the best network penetration testing tools to set you up for success. You saw tools that can be used for network scanning, post-exploitation, lateral movement, assessing Active Directory environments, spoofing traffic, and harvesting credentials.
Try playing around with these tools in your own virtual hacking lab, learn how to use them effectively, and add them to your arsenal for the next time need to perform a network penetration test!
If you want to learn more network penetration testing tools and the skills required to use them, check out one of the courses below:
Frequently Asked Questions
Level Up in Cyber Security: Join Our Membership Today!

