Tool Installation Guide
#Base System Setup
# Update system
sudo apt update && sudo apt upgrade -y
# Essential build tools (compilers, VCS, Python, Go, a Windows cross-compiler)
build_pkgs=(build-essential git python3 python3-pip python3-venv golang-go cmake gcc-mingw-w64-x86-64)
sudo apt install -y "${build_pkgs[@]}"
# Common dependencies: development headers/libraries plus BloodHound and its neo4j backend
dep_pkgs=(libssl-dev libffi-dev libkrb5-dev libldap2-dev libsasl2-dev libpcap-dev bloodhound neo4j)
sudo apt install -y "${dep_pkgs[@]}"
#Python Tools
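# Create and activate the virtual environment FIRST so every pip3 install below
# lands in it instead of the system interpreter. Recent Debian-based systems
# (including current Kali) refuse system-wide pip installs outright
# (PEP 668 "externally-managed-environment"), so the original ordering —
# venv created last — left the tools installed into the wrong interpreter or
# not at all.
# NOTE: /opt is normally root-owned; create the venv and clone targets with
# sudo and chown them to your user, or pick a prefix under $HOME.
python3 -m venv /opt/pentest-venv
source /opt/pentest-venv/bin/activate

# Impacket (most used AD toolkit)
git clone https://github.com/fortra/impacket.git /opt/impacket
# `pip3 install <path>` is equivalent to `cd <path> && pip3 install .` but does
# not change the shell's cwd for the commands that follow.
pip3 install /opt/impacket

# NetExec (successor to CrackMapExec)
sudo apt install -y netexec
# Alternative, from source — pick ONE of the two installs, do not run both:
# git clone https://github.com/Pennyw0rth/NetExec.git /opt/netexec
# pip3 install /opt/netexec

# Certipy (ADCS exploitation)
pip3 install certipy-ad
# BloodHound.py (AD enumeration from Linux) — installs the `bloodhound-python`
# collector, not the BloodHound GUI (see the naming clarification below)
pip3 install bloodhound
# BloodyAD (AD ACL abuse)
git clone https://github.com/CravateRouge/bloodyAD.git /opt/bloodyAD
pip3 install /opt/bloodyAD
# LDAPDomainDump
git clone https://github.com/dirkjanm/ldapdomaindump.git /opt/ldapdomaindump
pip3 install /opt/ldapdomaindump
# SQLMap
sudo apt install -y sqlmap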
#Go Tools
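# Ensure Go is in PATH. Quoted so a PATH containing spaces survives; this only
# affects the current shell, so add the same line to ~/.profile or ~/.bashrc
# for the go-installed binaries to be found in new sessions.
export PATH="$PATH:/usr/local/go/bin:$HOME/go/bin"
# Chisel (tunneling)
go install github.com/jpillora/chisel@latest
# Ligolo-ng (tunneling, modern alternative to chisel)
# NOTE: /opt is normally root-owned — clone with sudo/chown or use a prefix under $HOME.
git clone https://github.com/nicocha30/ligolo-ng.git /opt/ligolo-ng
# Build inside a subshell so the `cd` does not leak into the commands below
# (the original left the shell sitting in /opt/ligolo-ng).
(
  cd /opt/ligolo-ng \
    && go build -o ligolo-ng-agent ./cmd/agent \
    && go build -o ligolo-ng-proxy ./cmd/proxy
)
# ffuf (web fuzzer)
go install github.com/ffuf/ffuf/v2@latest
# RustScan (fast port scanner)
# Install via cargo or download binary from releases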
#Windows Exploitation Tools (on Attacker Machine)
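# Evil-WinRM
sudo gem install evil-winrm
# RDP client
sudo apt install -y freerdp2-x11

# Windows tools to host (download and serve to targets).
# `wget -P` writes straight into the target directory, so a failed mkdir/cd no
# longer silently drops the binaries into whatever the current directory is
# (the original `cd` had no failure check).
# NOTE: /opt is normally root-owned — create the directory with sudo/chown or use $HOME.
win_tools=/opt/windows-tools
mkdir -p "$win_tools"
win_urls=(
  # SharpHound (BloodHound collector)
  # NOTE(review): this is the legacy BloodHound repo's collector; collector and
  # server versions generally have to match, so confirm it fits the BloodHound
  # build you actually run (the CE stack set up below).
  https://github.com/BloodHoundAD/BloodHound/raw/master/Collectors/SharpHound.exe
  # Rubeus (Kerberos manipulation)
  https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Rubeus.exe
  # WinPEAS (Windows privesc enumeration)
  https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe
  # PrintSpoofer
  https://github.com/itm4n/PrintSpoofer/releases/latest/download/PrintSpoofer64.exe
  # JuicyPotatoNG
  https://github.com/antonioCoco/JuicyPotatoNG/releases/latest/download/JuicyPotatoNG.exe
  # GodPotato
  https://github.com/BeichenDream/GodPotato/releases/latest/download/GodPotato-NET4.exe
  # nc.exe (netcat for Windows)
  https://github.com/int0x33/nc.exe/raw/master/nc64.exe
  # Seatbelt
  https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/Seatbelt.exe
  # PowerUp.ps1
  https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/master/Privesc/PowerUp.ps1
  # SharpUp
  https://github.com/r3motecontrol/Ghostpack-CompiledBinaries/raw/master/SharpUp.exe
)
for url in "${win_urls[@]}"; do
  wget -P "$win_tools" "$url"
done
# These are third-party prebuilt binaries fetched over HTTPS with no integrity
# check of their own: record `sha256sum "$win_tools"/*` after downloading and
# compare against the publisher's release checksums where they are published,
# before hosting or running any of them.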
#Linux Enumeration Tools
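# LinPEAS
# `wget -P` writes straight into the target directory, so a failed mkdir/cd no
# longer silently leaves the files in whatever the current directory happens to
# be (the original `cd` had no failure check).
# NOTE: /opt is normally root-owned — create the directory with sudo/chown or use $HOME.
linux_tools=/opt/linux-tools
mkdir -p "$linux_tools"
wget -P "$linux_tools" https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
# pspy (unprivileged process monitor)
wget -P "$linux_tools" https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
# Linux Exploit Suggester
git clone https://github.com/mzet-/linux-exploit-suggester.git /opt/linux-exploit-suggester
# Linux Smart Enumeration
wget -P "$linux_tools" https://raw.githubusercontent.com/diego-treitos/linux-smart-enumeration/master/lse.sh
# None of these downloads is integrity-checked: record `sha256sum "$linux_tools"/*`
# and compare with the publisher's release checksums where available before use.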
#Hash Cracking Setup
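# Hashcat
sudo apt install -y hashcat
# John the Ripper (community enhanced)
sudo apt install -y john
# Wordlists
sudo apt install -y seclists
# SecLists: /usr/share/seclists/
# /usr/share/wordlists/ (rockyou.txt.gz) is provided on Kali by the separate
# `wordlists` package, not by seclists — install it if that path is missing.
# rockyou.txt.gz (extract: sudo gunzip /usr/share/wordlists/rockyou.txt.gz)
# Additional wordlists. This duplicates the apt `seclists` package above — skip
# it if /usr/share/seclists/ is enough. A shallow clone is all that is needed
# for the lists themselves; the full history makes the clone far larger.
git clone --depth 1 https://github.com/danielmiessler/SecLists.git /opt/SecLists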
#BloodHound Community Edition (Docker)
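# Install Docker first. Save the convenience script to a file and read it before
# running it as root — `curl | sudo sh` executes whatever the server (or anything
# able to tamper with the response) returns, with no chance to inspect it.
docker_script=$(mktemp)
curl -fsSL https://get.docker.com -o "$docker_script"
# review it first, e.g.: less "$docker_script"
sudo sh "$docker_script"
rm -f -- "$docker_script"
# Membership in the docker group is root-equivalent on the host. It only takes
# effect in a new login session; until then prefix docker commands with sudo.
sudo usermod -aG docker "$USER"
# BloodHound CE
mkdir -p ~/bloodhound
# Save the compose file instead of piping the short-link straight into compose,
# so it can be inspected and reused later (`docker compose ... down`, upgrades);
# -f makes curl fail on an HTTP error instead of feeding an error page to compose.
curl -fsSL https://ghst.ly/getbhce -o ~/bloodhound/docker-compose.yml
docker compose -f ~/bloodhound/docker-compose.yml up
# Access at: https://localhost:8080
# Default creds: admin / admin (change on first login)
# NOTE(review): if admin/admin is rejected, check `docker compose logs` for a
# generated initial password — confirm for the version you pull.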
#Metasploit
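# Kali comes with Metasploit pre-installed
# Update:
sudo apt update && sudo apt install -y metasploit-framework
# When Metasploit is the apt package, msfupdate refuses to run / does nothing
# useful and apt above is the update path. Only fall back to msfupdate when the
# package is not managed by apt (e.g. an upstream installer was used).
dpkg -s metasploit-framework >/dev/null 2>&1 || msfupdate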
#Web Tools
# Burp Suite Community (Kali includes this)
# Professional requires license
# small wrapper so each install line reads the same; one apt call per line as before
apt_install() { sudo apt install -y "$@"; }
# Dirb / GoBuster
apt_install dirb gobuster
# Feroxbuster (Rust-based, fast)
apt_install feroxbuster
# WhatWeb (technology fingerprinting)
apt_install whatweb
# WPScan (WordPress scanner)
apt_install wpscan
# Update database: wpscan --update
# Droopescan (Drupal scanner)
pip3 install droopescan
# JoomScan
apt_install joomscan
#Tunneling & Pivoting
# Proxychains already installed on Kali
# Config: /etc/proxychains4.conf (system file — editing it needs root)
# Add SOCKS5 proxy: socks5 127.0.0.1 1080
# SSH (built-in) - key dynamic forwarding options:
# -D (dynamic/SOCKS), -L (local forward), -R (remote forward)
# Bind forwarded listeners to 127.0.0.1 (the default) rather than 0.0.0.0, so
# other hosts on the network cannot ride the tunnel.
# Socat
sudo apt install -y socat
# Plink (Windows tunneling via PuTTY)
# Download from: https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html
#Additional Tools
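# AutoRecon — Automated reconnaissance tool
# (pip3 throughout, matching the other sections; `pip` vs `pip3` can resolve to
# different interpreters on a mixed system)
pip3 install autorecon
# Example usage only — not part of the install. An install script must not
# launch a scan, least of all against a hard-coded address:
# sudo autorecon 10.10.10.10
# Responder — LLMNR/NBT-NS poisoner and NTLM capture
sudo apt install -y responder
# OR: git clone https://github.com/lgandx/Responder && cd Responder && pip3 install -r requirements.txt
# ssh-audit — SSH configuration auditor
pip3 install ssh-audit
# enum4linux-ng — SMB/NetBIOS enumeration (Python rewrite of enum4linux)
pip3 install enum4linux-ng
# windapsearch — Active Directory LDAP search tool
pip3 install windapsearch
# odat — Oracle Database Attacking Tool
pip3 install odat
# OR: git clone https://github.com/quentinhardy/odat && cd odat && python3 setup.py install
# pwncat-cs — Reverse shell management
pip3 install pwncat-cs
# NOTE(review): not every tool above is necessarily published on PyPI under
# these exact names. If pip3 reports "No matching distribution", use the
# git-based install shown for it (or the project's GitHub releases) rather
# than a similarly named package.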
#Ligolo-ng — Binary Download (recommended over go install)
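# Both assets come from the same release; loop so the base URL is written once.
ligolo_base=https://github.com/nicocha30/ligolo-ng/releases/latest/download
for asset in ligolo-ng_proxy_linux_amd64.tar.gz ligolo-ng_agent_linux_amd64.tar.gz; do
  wget "${ligolo_base}/${asset}"
done
# The tarballs are not integrity-checked by this download: compare sha256sum
# output against the checksums published with the release before use.
# Docker: docker run -it --rm -p 11601:11601 -p 8080:8080 nicocha30/ligolo-ng-proxy
# NOTE: that Docker example publishes 8080, which collides with the BloodHound CE
# UI this guide also puts on localhost:8080 — remap one of them if both run.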
#Chisel — Binary Download (more reliable than go install)
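# Pinned release; bump chisel_version to track a newer one (the version appears
# both in the tag and in the asset names, so it is kept in one place).
chisel_version=1.9.0
for asset in "chisel_${chisel_version}_linux_amd64.gz" "chisel_${chisel_version}_windows_amd64.gz"; do
  wget "https://github.com/jpillora/chisel/releases/download/v${chisel_version}/${asset}"
done
# The .gz files are gzip'd single binaries (gunzip before use). Verify them
# against the checksums published on the release page before running.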
#nanodump — LSASS dump via syscalls
# Download: https://github.com/fortra/nanodump/releases
#Proxychains-ng
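# Duplicates the "Proxychains already installed on Kali" note above; harmless if
# already present. -y matches every other apt call so the snippet is non-interactive.
sudo apt install -y proxychains4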
#CyberChef — Web-based data transformation (no install needed)
# Access: https://gchq.github.io/CyberChef/
#nmap NSE script update
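# script.db lives under nmap's system data directory (e.g. /usr/share/nmap/scripts/),
# so rebuilding it needs root — without sudo this fails with a permission error.
sudo nmap --script-updatedb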
#Important Naming Clarifications
#bloodhound vs bloodhound-python
# pip3 install bloodhound → installs the Python collector (command: bloodhound-python)
# This is NOT the BloodHound GUI — the GUI runs via Docker (CE) or standalone Java app
# For the Python collector: pip3 install bloodhound
# Usage: bloodhound-python -d domain.local -u user -p pass -ns 10.10.10.10 -c All
#certipy-ad naming clarification
# pip install certipy-ad → command is still 'certipy' (not 'certipy-ad')
# certipy-ad is the maintained fork; original certipy by ly4k is archived
#BloodHound CE Docker setup (2024+ standard)
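# -f makes curl fail on an HTTP error instead of saving an error page as the
# compose file (the original -L alone would have done exactly that).
curl -fsSL https://github.com/SpecterOps/bloodhound-ce/raw/main/docker-compose.yml -o docker-compose.yml
# Configure neo4j password in .env. Generate it instead of using a fixed example
# string, and create the file owner-only (0600): compose reads it and it holds
# the database credential. (The original wrote a guessable literal with the
# default umask, i.e. world-readable.)
neo4j_pw=$(tr -dc 'A-Za-z0-9' </dev/urandom | head -c 32)
(umask 077 && printf 'NEO4J_PASSWORD=%s\n' "$neo4j_pw" > .env) && chmod 600 .env
unset neo4j_pw
docker compose up -d
# Access: http://localhost:8080 | Default: admin/admin
# The generated neo4j password is only in .env (read it back with `cat .env`).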
#Quick Verify Installation
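# Run this to verify key tools are installed.
# The original just ran each `--version` in turn, so a missing tool produced a
# "command not found" that scrolled past. This checks PATH first and reports
# missing tools explicitly; for tools that are present it prints the same
# first version line as before.
# NOTE: tools installed into /opt/pentest-venv are only found while that venv
# is activated.
missing=0
for tool in nmap netexec impacket-secretsdump evil-winrm hashcat john sqlmap gobuster ffuf certipy bloodhound-python; do
  if command -v "$tool" >/dev/null 2>&1; then
    case "$tool" in
      # impacket scripts have no --version; the first -h line carries the version
      impacket-secretsdump) "$tool" -h 2>&1 | head -n 1 ;;
      *) "$tool" --version 2>&1 | head -n 1 ;;
    esac
  else
    printf '[-] %s: not found in PATH\n' "$tool" >&2
    missing=$((missing + 1))
  fi
done
printf '%d tool(s) missing\n' "$missing"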
#Tool Update Script
Save as update-tools.sh:
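#!/bin/bash
# update-tools.sh — refresh the tools installed by this guide.
# Requires: sudo, git, pip3, wget. Expects /opt/impacket, /opt/linux-tools and
# /opt/windows-tools to exist (created by the install sections above).
# Run it from the activated /opt/pentest-venv if the pip-installed tools live
# there; outside a venv, recent Debian-based systems refuse pip installs (PEP 668).
#
# The original had no error handling: a failed `cd` or `git pull` was skipped
# over and the script still ended with "[+] All tools updated.".
set -euo pipefail

# apt update and upgrade on separate lines: under set -e a failure in the
# first half of an `a && b` list does not abort the script.
echo "[*] Updating system packages..."
sudo apt update
sudo apt upgrade -y

echo "[*] Updating Impacket..."
# git -C / pip3 <path> do the same work as `cd ... && ...` without moving the
# script's cwd; any failure aborts under set -e.
git -C /opt/impacket pull
pip3 install /opt/impacket

echo "[*] Updating NetExec..."
pip3 install --upgrade netexec

echo "[*] Updating Certipy..."
pip3 install --upgrade certipy-ad

echo "[*] Updating PEASS-ng..."
# -O with an explicit path fails loudly if the directory is missing instead of
# dropping the file into the cwd. These downloads are not authenticated: compare
# sha256sum output with the checksums on the PEASS-ng release page before
# deploying the refreshed files anywhere.
wget -q https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /opt/linux-tools/linpeas.sh
wget -q https://github.com/peass-ng/PEASS-ng/releases/latest/download/winPEASx64.exe -O /opt/windows-tools/winPEASx64.exe

echo "[*] Updating Metasploit..."
# When Metasploit is the apt package (as installed by this guide), apt is the
# update path and msfupdate refuses to run; only fall back to msfupdate otherwise.
if dpkg -s metasploit-framework >/dev/null 2>&1; then
  sudo apt install -y metasploit-framework
else
  msfupdate
fi

echo "[+] All tools updated."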