Best tools for Active Directory pentesting in 2026
The post-Kerberoasting, post-AD CS attack-path toolkit every internal pentester should own.
If you do internal pentests, AD is the engagement. Everything else is scenery. Here is the toolkit that still matters in 2026, in the order you will actually reach for it.
1. NetExec
The successor to CrackMapExec. nxc smb, nxc ldap, nxc winrm, nxc mssql — one binary, one syntax, all the post-exploitation you need across a domain. Password sprays, share enumeration, hashed auth, secrets dumping. Start here.
2. BloodHound (Community Edition)
You don't get to claim you understand a domain until you have collected, ingested, and queried it for shortest paths. The new SharpHound ingestor and the Community Edition UI make this faster than it has ever been.
3. Kerbrute
Username enumeration that does not lock out accounts. The first thing you run once you have a hostname and a domain controller.
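A defender-side check that pairs with this entry, as an added example that is not part of the original post: a Python sketch that flags the burst of Event ID 4768 / Result Code 0x6 failures that a Kerbrute userenum run leaves on a domain controller. The pipe-delimited event format and the log lines are constructed for the example.

```python
# Added example (not from the original post). Kerbrute sends Kerberos AS-REQs;
# with "Audit Kerberos Authentication Service" enabled on the DC, each unknown
# username yields Event ID 4768 with Result Code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN).
# A burst of 0x6 from one client address is the tell. Log format is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp|event_id|account|client_ip|result_code
SAMPLE_EVENTS = """\
2026-01-14T09:00:01|4768|alice|10.0.0.5|0x0
2026-01-14T09:00:02|4768|zzadmin|10.0.0.77|0x6
2026-01-14T09:00:02|4768|backupsvc|10.0.0.77|0x6
2026-01-14T09:00:03|4768|helpdesk2|10.0.0.77|0x6
2026-01-14T09:00:03|4768|jsmith|10.0.0.77|0x6
2026-01-14T09:00:04|4768|printer01|10.0.0.77|0x6
2026-01-14T09:00:05|4768|sqlsvc|10.0.0.77|0x6
2026-01-14T09:00:09|4768|bob|10.0.0.5|0x6
2026-01-14T09:05:00|4768|carol|10.0.0.9|0x18
"""

def parse_events(text):
    """Parse the constructed pipe-delimited format into tuples."""
    out = []
    for line in text.splitlines():
        ts, eid, account, ip, code = line.split("|")
        out.append((datetime.fromisoformat(ts), int(eid), account, ip, code))
    return out

def detect_user_enumeration(events, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: sorted unknown usernames} for every source that
    produced >= threshold 4768/0x6 failures inside any sliding `window`.
    0x18 (wrong password for a real user) and a lone 0x6 (a typo) are ignored."""
    by_ip = defaultdict(list)
    for ts, eid, account, ip, code in events:
        if eid == 4768 and code.lower() == "0x6":
            by_ip[ip].append((ts, account))
    findings = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings[ip] = sorted({a for _, a in fails})
                break
    return findings

if __name__ == "__main__":
    for ip, names in detect_user_enumeration(parse_events(SAMPLE_EVENTS)).items():
        print(f"possible user enumeration from {ip}: {len(names)} unknown names")
```

Raising the threshold or shrinking the window trades missed slow scans for fewer false positives; tune against your own DC's baseline of 0x6 noise.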
4. Certipy
AD CS is still the highest-leverage misconfiguration in most environments. ESC1, ESC4, ESC8 — Certipy handles them all and recovers the resulting PFX without leaving the comfort of your shell.
5. Impacket
Ten years on, still the reference Python library. psexec.py, smbexec.py, secretsdump.py, getTGT.py, GetUserSPNs.py, ntlmrelayx.py. Living off Impacket is a complete career.
6. Responder
LLMNR / NBT-NS / mDNS poisoning. Still hands you NTLM hashes on a silver platter in any network where the blue team has not gotten around to disabling broadcast name resolution.
7. Mimikatz
The grandfather. SeDebugPrivilege, lsadump::sam, sekurlsa::logonpasswords — if you have local administrator and EDR doesn't get there first, this is the next stop.
What changed since 2024
- NetExec ate CrackMapExec's lunch.
- Certipy went from niche to required-knowledge thanks to AD CS exploitation maturing into the new default lateral movement path.
- BloodHound Community Edition finally removed the standalone Neo4j deployment pain for most ops teams.
- Detection got better. Don't expect to dump NTDS with a plain Mimikatz invocation on a modern Windows 11 host with EDR — chain techniques, plan your noise, and have a fallback path.