# My Pentest Toolkit & Lab Setup — Hack2Harden

* **Host:** Windows 11 (AMD Ryzen Threadripper 2950)
    
* **Memory:** 32 GB RAM
    
* **Storage:** 1 TB NVMe (fast snapshots and VM disk resizing matter)
    
* **VM host:** VMware Workstation (latest)
    

**Offensive VM:** Kali Linux kali-2024.3 vmware-amd64

* * **VM config:** 4 processors, 8 GB RAM (adjust per lab)
        
* **Network mode:**
    
    * Use **Host-only** networks for isolated vulnerable VMs.
        
    * Use **NAT** only when you must reach the internet (CTF VPNs).
        
    * Never attach lab VMs to an unfiltered bridged network — that risks accidental exposure.
        
* **Snapshots:** take a snapshot before every engagement.
    

## 2\. Core tooling (what I actually use — categorized)

### Recon & scanning

* **rustscan** - lightning fast port scanning
    
* **nmap** — full scans, version detection, NSE scripts.
    
    * quick example:
        
        ```plaintext
        sudo nmap -sC -sV -p- -oA nmap/full 10.10.10.10
        ```
        
* **ffuf** — fast web fuzzing.
    
    * install (if not present): `sudo apt install ffuf` or `go install` [`github.com/ffuf/ffuf@latest`](http://github.com/ffuf/ffuf@latest)
        

### Web app

* **Burp Suite** — main web proxy and intruder. (Community ok; Pro if you have license)
    
* **ffuf** — dir busting and fuzzing.
    
* **sqlmap** — automated SQLi checks.
    
    * install: `sudo pip install sqlmap` (or `apt install sqlmap` where available)
        
* **hydra** — HTTP / form brute force for testing.
    
* **netcat —** simple shells, listeners, and servers.
    
* **python** — web servers and scripts.
    

### Windows / Active Directory (AD)

* **Impacket** — common AD toolkits (wmiexec, psexec, secretsdump etc.).
    
    * install: `python3 -m pip install impacket` or clone and `python3 -m pip install .` in repo
        
* **NetExec** — AD enumeration and automation (install per repo instructions).
    
* **Bloodhound** — AD graphing for visibility.
    
* **Responder** — NBNS/LLMNR poisoning to capture hashes.
    
* **ntlm\_theft** (or equivalent NTLM relay/harvesting tools) — for specific NTLM workflows.
    

### Privilege escalation & post-exploitation

* **linpeas.sh, winPEAS** — \*Linux & Windows local-privilege checks.
    
* **PowerUp.ps1** — Windows PowerShell privilege escalation checks.
    
* **chisel** — quick TCP/HTTP reverse-forward tunnels for pivoting.
    
* **netcat** — raw sockets and simple shells.
