When you’re on a penetration test, the tools you bring with you can make all the difference. Whether you’re attacking a web app, performing reconnaissance on a new target, or even picking a lock during a physical engagement, having the right resources can mean the difference between a smooth, efficient engagement and a mad, fruitless scramble. Gaining a better understanding of the purpose behind popular tools of the ethical hacking trade can also help you better develop your methodology and tactics.

The pentest team at TCM Security contains specialists who conduct penetration tests that cover internal, external, web application, and physical domains (amongst others), so we asked them to share their go-to tools that they rely on regularly and would suggest to others. Here’s a list of a few of their favorites.

If you want to test your pentest tool skills in a professionally designed and reviewed simulated pentest, TCM certifications let you use real tools in an open-ended, real-world pentesting situation that measures your abilities in several disciplines: the Practical Junior Penetration Tester covers internal engagements, the Practical Web Pentest Associate covers web application testing, the Practical Network Penetration Tester combines an internal and external testing experience, and there are other certifications to explore.

External Pentest Tools

1. CredMaster: Evasive and Effective Password Spraying

External penetration tests often begin with credential gathering, and password spraying remains one of the most effective techniques for gaining initial access to target systems. CredMaster (https://github.com/knavesec/CredMaster) is a fan-favorite Python tool, available on GitHub, that makes password spraying fast, customizable, and stealthy.

It’s particularly effective for avoiding account lockouts and blends well with other evasion techniques that help penetration testers avoid detection while systematically testing common passwords across user accounts. When gathering credentials is your objective, this tool is a smart choice to have in your kit.
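The defender's side of the technique described above, as an added example that is not part of the original post or of CredMaster: a detection over constructed authentication log lines (the log format is hypothetical) that flags a source failing against many distinct accounts while staying below any single account's lockout threshold.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not real data): 203.0.113.10
# tries one password against six accounts; 198.51.100.7 is a user mistyping her own.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z src=203.0.113.10 user=alice result=FAIL
2024-05-01T09:00:09Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T09:01:12Z src=203.0.113.10 user=bob result=FAIL
2024-05-01T09:01:40Z src=198.51.100.7 user=carol result=FAIL
2024-05-01T09:02:30Z src=203.0.113.10 user=dave result=FAIL
2024-05-01T09:03:05Z src=198.51.100.7 user=carol result=OK
2024-05-01T09:03:44Z src=203.0.113.10 user=erin result=FAIL
2024-05-01T09:05:02Z src=203.0.113.10 user=frank result=FAIL
2024-05-01T09:06:17Z src=203.0.113.10 user=grace result=OK
"""
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

def parse_log(text):
    """Yield (timestamp, source, user, result) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                   m["src"], m["user"], m["result"])

def detect_spray(events, window=timedelta(minutes=30), min_users=5):
    """Flag sources whose failures touch >= min_users distinct accounts in one window.
    A spray stays under each account's lockout threshold, so the signal is breadth."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[3] == "FAIL"]
        for i, (start, _, _, _) in enumerate(fails):
            in_win = [e for e in fails[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for e in in_win:
                per_user[e[2]] += 1
            if len(per_user) >= min_users:  # many accounts, few tries each
                # A later success from the same source is the likely compromised account.
                hits = [e[2] for e in evs if e[3] == "OK" and e[0] >= start]
                findings[src] = {"users": len(per_user),
                                 "max_per_user": max(per_user.values()), "successes": hits}
                break
    return findings
```

Legitimate repeated failures on a single account (carol) are not flagged, while the source that touches five accounts once each is, together with the account it subsequently logged into.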

2. Nuclei: Speed Meets Scanning Power

Nuclei (https://github.com/projectdiscovery/nuclei) is a modern, high-performance vulnerability scanner that lets you write custom detection templates modelled on real-world conditions, enabling comprehensive, up-to-date vulnerability scanning.

Nuclei is a community-driven and supported tool, popular with bug bounty hunters, penetration testers, and security researchers who want to produce repeatable checks for serious weaknesses. The extensive library of YAML-based templates, continuously updated by the security community, ensures that Nuclei remains current with the latest vulnerability patterns and attack vectors.

Internal Testing and AD Tools

3. Impacket Suite: The Swiss Army Knife for Networks

When it comes to network protocol interaction and lateral movement, Impacket (https://github.com/fortra/impacket) is hard to beat. This suite of Python libraries provides low-level access to network protocols, enabling effective attacks against Windows environments.

The suite includes tools for remote command execution, credential extraction, Kerberos manipulation, and Active Directory exploitation. Its protocol implementations cover SMB, MSRPC, and numerous other Windows networking protocols, making it the right tool for internal network assessments and testing Active Directory security.

TCM Red Team Lead Aaron Wilson gives the Impacket Suite his seal of approval, citing almost every included tool as useful, so whether you’re exploiting Kerberos or digging into SMB shares, you’ll want this one in your toolbox.

Reconnaissance Tools

4. Sublist3r: Subdomain Discovery with OSINT Power

Reconnaissance is a foundational phase of any pentest, and Sublist3r (https://github.com/aboul3la/Sublist3r) uses OSINT techniques and search engine scraping to help reveal more of the attack surface by allowing for more complete subdomain enumeration.

Modern organizations can have sprawling, complex digital footprints with numerous subdomains serving different functions. Many of these represent forgotten or less-secured entry points that attackers regularly exploit. Sublist3r systematically uncovers these potential attack vectors, ensuring that reconnaissance efforts capture the full scope of target infrastructure.

Web App Testing Tools

5. Burp Suite: The Classic That Never Gets Old

Unsurprisingly, Burp Suite (https://portswigger.net/burp) is a staple in any pentester’s arsenal. Our consultants use it on almost every web application assessment, and for good reason. The suite consists of several tools, including a web proxy, a crawler, Intruder, Repeater, and more.

What makes Burp Suite particularly powerful is its intercepting proxy that lets the user see and modify the contents of requests and responses while they are in transit. Burp Suite is robust out of the box, but it’s made even more powerful with a massive library of community-developed extensions that expand its capabilities.

Whether you are intercepting traffic or manipulating sessions, Burp does it all. If you’re in the world of web app pentesting, Burp is a must.

6. Auth Analyzer: Fast-Track Your Authorization Testing

If you’re already using Burp, one extension that deserves a permanent spot in your setup is Auth Analyzer (https://github.com/PortSwigger/auth-analyzer). Recommended by TCM Security Principal Offensive Security Engineer Jason Marcello, this tool makes quick work of authorization checks, which saves time and catches bugs that are easy to miss manually.

It’s especially useful for testing complex sites with multiple roles and permission levels. With just a few clicks, you can identify authorization bypass issues that could have major security implications, reduce the time required for comprehensive security assessments, and maintain thoroughness and accuracy.

Physical Pentesting Tools

7. The Shrum Tool: A Lockpicker’s Secret Weapon

Penetration testing is all about exposing weaknesses in assumed security, and that sometimes means going beyond the terminal. This is where physical pentest tools, such as the Shrum Tool, come in handy. Also known as a Traveler’s Hook or Carolina Roller, this inexpensive piece of hardware can open a surprising variety of locks, including heavy-duty ones.

If your engagement includes physical security testing, you’ll want a few of these in your bag. They’re lightweight, low-profile, and in practiced hands are highly effective at bypassing many door latches in seconds.

Final Thoughts

While this list covers our team’s personal favorite tools in several pentesting domains, there are many more that have similar functions. Whether it’s network enumeration, vulnerability scanning, or exploitation, finding a tool that works for you and becoming familiar with it is key.

If you are looking for demonstrations and guidance for how some of these tools are used in the process of penetration testing, our academy courses, such as Practical Ethical Hacking or Practical Bug Bounty, introduce and guide you through the professional use of a few of these tools and the methodology behind them to test an organization’s security posture.

About the Author: Josh Daniels

Josh is an avid storyteller and writer who loves learning about the behind-the-scenes of the digital world we live in. While his professional experience is in content marketing, Josh began pursuing a career in cybersecurity in 2022, earning a Sec+ certification along with other training from industry professionals, and bringing a lifelong-learner attitude.

When he is not writing, Josh enjoys outdoor adventures with his family, watching movies, reading, and an unofficial (unpaid) side gig as a Game Master Consultant for several friends who play tabletop RPGs. At TCM, Josh has found a home where his passion for storytelling and cybersecurity meet.

“Once men turned their thinking over to machines in the hope that this would set them free. But that only permitted other men with machines to enslave them.”
– Frank Herbert

About TCM Security

TCM Security is a veteran-owned, cybersecurity services and education company founded in Charlotte, NC. Our services division has the mission of protecting people, sensitive data, and systems. With decades of combined experience, thousands of hours of practice, and core values from our time in service, we use our skill set to secure your environment. The TCM Security Academy is an educational platform dedicated to providing affordable, top-notch cybersecurity training to our individual students and corporate clients including both self-paced and instructor-led online courses as well as custom training solutions. We also provide several vendor-agnostic, practical hands-on certification exams to ensure proven job-ready skills to prospective employers.
