Internal vs External Pentest: 12 Tools Clients Don't Know Exist (and How Pros Use Them)

Ever sat across from a client, nodding as they ask about "just running Nessus or nmap" for their pentest? Here's a stat: 80% of successful…

Very Lazy Tech 👾

~10 min read · December 8, 2025 (Updated: December 8, 2025) · Free: No

Ever sat across from a client, nodding as they ask about "just running Nessus or nmap" for their pentest? Here's a stat: 80% of successful red teams use niche tools clients have never even heard of — and that's where the real vulnerabilities hide.

You might think pentesting is all about running the big-name scanners and looking for obvious doors. In reality, the difference between a good pentest and a truly scary one often comes down to the tools clients don't know exist, and how you wield them for internal vs external targets. Let's pull back the curtain and go deep — real examples, step-by-steps, code, and a behind-the-scenes look at 12 tools that even seasoned IT folks rarely see.

Internal vs External Pentest: What's the Real Difference?

Before diving into the toolbox, let's clear the air. Internal pentests aren't just "external pentests from the inside". The exposures, tactics, and goals change:

External pentest targets what outsiders (internet attackers, competitors, script kiddies) can see: web apps, VPNs, exposed infrastructure.
Internal pentest simulates an attacker who's breached the perimeter, or a malicious insider: think overprivileged users, Active Directory abuse, lateral movement, data exfiltration.

In practice, what really happens is that you'll use different tools — sometimes radically so — depending on which side of the wall you're testing from. Let's break down both, and walk through 12 game-changing tools many clients miss.

BloodHound — Active Directory Attack Paths (Internal)

If you test AD environments without BloodHound, you're basically swinging in the dark. Most clients have no idea just how much can be mapped — and abused — using this tool.

What it does:

BloodHound ingests info about users, groups, sessions, ACLs, and GPOs in Active Directory, then shows you attack paths: who can reach Domain Admin, what privileges are chained, where users are logged on, etc.

Why it's internal-focused:

External attackers don't see deep AD data. But once you're on a workstation (via phishing, RCE, whatever), BloodHound turns "just a user" access into a pivot map to the crown jewels.

Practical example:

Say you get a user shell on an internal machine. Use SharpHound.exe (part of BloodHound) to collect data:

SharpHound.exe -c All

Pull the output to your own system, load it into BloodHound, and — bam — a graph of how to become Domain Admin pops up. You'll often find paths like:

User can RDP to Server1
On Server1, user has WriteDACL on AdminGroup
WriteDACL allows you to add yourself as an admin

Cool part?

BloodHound visualizes multi-step privilege escalation chains you'd never spot manually.

2. CrackMapExec (CME) — The Swiss Army Knife for Network Mischief (Internal)

You know that feeling when you need to spray passwords, check user access, dump hashes, and move laterally — all at once? CME is your new best friend.

What's so great about it?

CrackMapExec automates loads of Windows network attacks: SMB shares, WinRM, RDP, credential validation, and more. It's scriptable and deadly fast.

When's it used?

After you get a set of credentials (phishing, Kerberos tickets, whatever), CME lets you check which hosts accept them and what access they grant.

Example — Password Spraying Across the Domain:

crackmapexec smb 192.168.1.0/24 -u users.txt -p 'Winter2024'

This checks if the password 'Winter2024' works for any user in the list, across all systems in the network. It won't lock accounts (unless you go crazy).

Why clients don't know?

They often think SMB shares are "just for file storage" — not realizing attackers use CME to chain together low-privilege access into full domain compromise.

3. Rubeus — Kerberos Ticket Wizardry (Internal)

Most sysadmins shudder at the word "Kerberos", and for good reason. Rubeus is the tool that turns those fears into reality.

What's the point?

Rubeus can request, renew, extract, and abuse Kerberos tickets for all sorts of attacks — kerberoasting, ticket extraction, pass-the-ticket, and more.

How pros use it:

After you land in a domain — especially if you grab a user hash — here's a classic move:

Kerberoasting with Rubeus:

Rubeus kerberoast

This yanks all service tickets (SPNs) for accounts with service privileges — dumping them for offline cracking.

Why does this matter?

Many service accounts have weak passwords because, well, nobody changes them. Cracking just one can mean lateral movement or even domain escalation.

4. Impacket — The Python Toolkit for Internal and External Mischief

You'll hear pentesters rave about Impacket, but clients rarely see how wide it goes. It's a suite of Python scripts/modules for everything from SMB relaying to DCOM attacks.

Why it straddles both internal/external:

Some modules (like SMBClient.py) work best inside. Others (like ntlmrelayx.py) can be used on external perimeter attacks.

Example — Dumping SAM Hashes:

Suppose you have local admin creds on a Windows host. You can dump hashes remotely:

secretsdump.py administrator:Password123@192.168.1.10

You'll get user NTLM hashes — prime material for pass-the-hash or lateral movement.

Step-by-step use case:

Phish creds (or dump from LSASS using another tool)
Use secretsdump.py to grab hashes
Replay them elsewhere with psexec.py or similar modules

Pro tip:

Impacket's scripts cover SMB, RDP, LDAP, Kerberos — a ton of protocols pentesters abuse. Most IT teams don't realize what's exposed until you show them.

5. Nuclei — Fast, Customizable Vulnerability Scanning (External)

Most clients expect you to run nmap or Nessus, but they've never heard of Nuclei. It's fast, scriptable, and lets you write or use community-powered vulnerability templates.

What makes Nuclei different?

Instead of a big, slow scan, Nuclei checks for specific issues — RCE, XSS, misconfigurations — using a template system. Think of it as the "grep" of web vulns.

How to use:

nuclei -l targets.txt -t cves/

Where targets.txt is a list of URLs or IPs, and cves/ is a set of templates. You'll get output showing which endpoints are actually vulnerable.

Example scenario:

You're testing a client's web perimeter. Quickly identify dozens of CVEs (e.g. Spring4Shell, Log4j) in minutes, focusing your manual testing where it matters.

Clients miss this tool because they assume "big scanner = thorough". In practice, the right templates catch more real-world bugs, and fewer false positives.

6. Aquatone — Web Asset Discovery Visualized (External)

Ever struggled to show clients the breadth of their attack surface? Aquatone creates a visual map of reachable web services — subdomains, ports, screenshots.

Why it's an external weapon:

It's for mapping what's visible from the outside — what an attacker might stumble on.

How to use Aquatone:

Start by discovering subdomains (with a tool like amass or assetfinder), then feed them to Aquatone:

cat subdomains.txt | aquatone

This spins up Chrome headless instances to screenshot every target, collecting page titles, HTTP response codes, and more.

Why is this eye-opening?

Clients often don't know about forgotten test portals, admin panels, or staging sites. Showing them real screenshots is a wakeup call.

7. Burp Suite Extensions — Beyond the Stock Scanner (External)

Clients might know Burp Suite as "the web app hacking tool", but they rarely see its real power: extensions. The BApp Store hosts dozens of killer plugins that take your external pentest to the next level.

A few pro favorites:

ActiveScan++ — more thorough active scanning (finds tricky XSS, SQLi, SSRF)
Autorize — quickly check for broken access control and privilege escalation issues
Software Vulnerability Scanner — checks for known vulnerable JS/CSS libraries

Actual use case:

Let's say you're looking for Insecure Direct Object References (IDORs).

With Autorize:

Intercept a request as a normal user.
Autorize replays the same request as an admin, and flags endpoints where access controls are missing.

Step-by-step:

Install the extension via Burp's BApp Store.
Configure two sessions (normal, admin).
Browse the app as a normal user; Autorize instantly highlights vulnerable endpoints.

Why clients miss this:

They see pentesting as "point and shoot". Real testers use specialized Burp extensions to hunt for nuances that automated scanners skip.

8. Kerbrute — Brute-Force Usernames and Passwords in AD (Internal)

Kerbrute is the go-to for enumerating valid usernames and brute-forcing creds in Active Directory — without locking everyone out.

Why it matters:

Most clients think locking out accounts is the main risk. Kerbrute uses Kerberos pre-auth to identify valid usernames — without triggering lockouts.

How to use:

kerbrute userenum -d company.com usernames.txt

Then, try password spraying:

kerbrute passwordspray -d company.com usernames.txt 'Password123!'

Real-world scenario:

You're simulating a malicious insider. Kerbrute quickly finds which users exist, then discovers a shared password across 10+ accounts (happens… a lot).

Why clients don't know:

Many IT pros only hear about password lockouts. Kerbrute quietly builds attacker knowledge under the radar.

9. LinPEAS / WinPEAS — Automated Privilege Escalation Scouts (Internal)

Ask a sysadmin if their Linux or Windows configs are "hardened". Now run PEAS and watch their eyes widen.

What are these tools?

LinPEAS (for Linux) and WinPEAS (for Windows) automate privilege escalation checks — looking for misconfigs, writable files, cron jobs, vulnerable packages, and more.

How pros use them:

After you land a user shell, upload and run PEAS. For example, on a Linux target:

wget https://github.com/carlospolop/PEASS-ng/releases/download/20240601/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh

It spits out color-coded hints:

SUID binaries?
World-writable files?
Misconfigured sudo?

Practical nugget:

I've seen this trick find forgotten root cron jobs or SUID binaries that lead to instant root — stuff admins forgot about years ago.

10. Evil-WinRM — The Ultimate Evil Windows Remote Shell (Internal)

When you need stable, scriptable remote shells on Windows — especially in restricted environments — Evil-WinRM is the tool. Forget clunky RDP or weird PowerShell remoting.

How's it different?

It leverages Windows Remote Management (WinRM) with a clean, interactive shell. Upload files, run PowerShell, dump creds — all from your attacker box.

Example usage:

evil-winrm -i 192.168.1.25 -u Administrator -p 'SuperSecret!'

You're dropped straight into a PowerShell prompt. From here, run scripts, pull sensitive files, inject Mimikatz… the works.

Why do clients miss this?

WinRM is often enabled by default, especially in cloud/hybrid environments. IT often forgets it's a direct shell conduit for attackers.

11. ffuf — Fast Fuzzing for Web Content Discovery (External)

Clients think their web server is "just the homepage and login". ffuf (pronounced "fuff") exposes all the hidden corners — admin panels, backups, dev folders — by brute-forcing URLs and parameters.

Why it's a game-changer:

It's blazing fast, highly scriptable, and outputs exactly what you need.

How to use:

ffuf -u https://target.com/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt

You'll quickly identify /admin, /test, /backup, and more.

Pro tip:

Combine with custom wordlists (like those tailored to the client's tech stack) for even more juicy finds.

Why clients are shocked:

They forget about legacy pages, old phpMyAdmin installs, or "temporary" dev folders that never got removed. ffuf finds them all.

12. Responder — Network Poisoning for Hash Capture (Internal)

You want to see how quickly you can collect live password hashes on a flat network? Drop Responder, sit back, and watch the hashes roll in.

What's it do?

Responder poisons network services (LLMNR, NBNS, MDNS) so Windows hosts cough up credential hashes to you automatically.

Classic attack flow:

Plug into a network segment (physically, or via compromised device).
Run Responder:

responder -I eth0

3. Wait as hosts broadcast for files/printers — they'll send you their NTLMv2 hashes.

Why it works:

These legacy protocols are enabled by default. Most organizations never disable them.

Real-world example:

Grab a hash, crack it, and you're in as a real user — sometimes with admin rights.

Internal vs External: When to Reach for Which Tool?

It's not about "better" or "worse" — it's matching the tool to the target. Here's a quick cheat sheet:

Internal pentest?
BloodHound, CrackMapExec, Rubeus, Impacket, Kerbrute, LinPEAS/WinPEAS, Evil-WinRM, Responder
Focus: privilege escalation, lateral movement, real network abuse.
External pentest?
Nuclei, Aquatone, Burp Suite Extensions, ffuf
Focus: asset discovery, web vulnerabilities, misconfigs visible from the outside.

But you'll see some tools (like Impacket, Burp extensions) bridging the gap — used creatively in both scenarios.

Step-By-Step: How Pros Actually Use These Tools in a Real Pentest

Let's walk a quick scenario. Suppose you're running an internal pentest after a simulated phishing attack. Here's how the tools come together:

Initial Access:

— Land a shell (maybe via macro in a doc).

2. Enumeration:

— Run BloodHound and Kerbrute to map users, groups, and attack paths.

Use LinPEAS/WinPEAS to look for privilege escalation.

3. Lateral Movement:

— Use CME and Impacket to spray creds, dump hashes, psexec to other hosts.

Rubeus for Kerberos attacks and ticket harvesting.

4. Persistence and Exfiltration:

— Evil-WinRM for stable remote shells.

Responder to harvest hashes.

5. External Check:

— Run Nuclei and ffuf against public web apps.

Use Burp extensions for manual testing.

Map the perimeter with Aquatone.

Sample Enumeration Script

Here's a quick PowerShell script (run as a regular user on Windows) to enumerate local admins, just to show the kind of basic info you can grab before going big:

$admins = Get-LocalGroupMember -Group "Administrators"
foreach ($admin in $admins) {
    Write-Output "$($admin.Name) is a local admin"
}

This informs which creds are worth targeting next.

The Takeaway: What Clients Miss Changes Everything

Clients expect you to run a scanner, hand over a PDF, and call it a day. The real magic of pentesting — internal or external — lies in chaining together lesser-known tools, adapting to the environment, and uncovering paths to compromise that look "impossible" on paper. The best part? These 12 tools make you faster, stealthier, and much, much harder to predict.

The next time someone says, "Just run nmap and Nessus," you'll know exactly how to show them what a real adversary can do — with tools they never saw coming.