Security Tools#
Reference of offensive and defensive security tools by category. The catalog below is the working set most pen-testers, red teamers, blue teamers, and detection engineers reach for. For hardware, see Hacking Hardware and SDR Hardware. For techniques, see Hacking.
Use offensive entries only against systems you own, lab targets, CTF ranges, or scoped engagements with written authorization.
Reconnaissance#
Tool |
Notes |
|---|---|
nmap |
The reference port + service scanner; NSE scripts. |
masscan |
Fast asynchronous port scanner; whole-internet capable. |
zmap |
Internet-scale single-port scanner. |
rustscan |
Wraps nmap with rust-async port discovery. |
naabu |
ProjectDiscovery’s fast port scanner. |
dnsx, alterx |
DNS pivots + permutation. |
amass, subfinder |
Subdomain enumeration. |
assetfinder |
Subdomain discovery (Tomnomnom). |
httpx (PD) |
HTTP probe + tech-stack fingerprint. |
gowitness, aquatone |
Screenshot-the-web at scale. |
katana, gospider, h akrawler |
web crawlers. |
ffuf, gobuster, dir search |
directory / file fuzzing. |
wfuzz |
older fuzzer. |
nuclei |
templated vulnerability scanner. |
ChaosDB |
ProjectDiscovery’s daily-scanned subdomain feed. |
shodan / censys |
internet-wide scan engines. |
Vulnerability scanning#
Tool |
Notes |
|---|---|
Nessus / Tenable |
commercial; the SOC standard. |
Qualys |
commercial. |
Rapid7 InsightVM |
commercial. |
OpenVAS / Greenbone |
OSS scanner. |
Nuclei |
templated; complements heavy scanners. |
sqlmap |
SQL-injection automation. |
WPScan |
WordPress. |
Joomscan |
Joomla. |
Droopescan |
Drupal / Joomla / SilverStripe. |
JoomlaVS, CMSeek |
multi-CMS scan. |
Nikto |
legacy web vuln scanner. |
Vulners |
vuln-search engine wrapped as a CLI. |
Trivy / Grype |
container + dependency CVE scanning. |
Snyk |
commercial dep + container. |
Dependency-Track |
OSS SBOM + CVE. |
DefectDojo |
OSS vuln-management platform. |
Exploitation frameworks#
Tool |
Notes |
|---|---|
Metasploit Framewor k |
the standard OSS exploitation platform. |
Cobalt Strike |
commercial; the most-abused legitimate red-team tool. |
Sliver |
OSS C2 / post-ex; modern Cobalt Strike-class. |
Mythic |
OSS C2 platform. |
Havoc |
OSS C2. |
Brute Ratel C4 |
commercial C2; leaked builds in the wild. |
Empire (BC-Sec) |
PowerShell / Python C2; resurrected. |
PowerSploit |
PowerShell post-exploitation. |
Veil-Evasion |
AV-evasion payload generator. |
Donut |
position-independent shellcode loader. |
TheHive Project |
IR / CTI platform. |
Web application#
Tool |
Notes |
|---|---|
Burp Suite |
PortSwigger; the standard interception proxy + scanner. |
OWASP ZAP |
OSS proxy + scanner. |
Caido |
modern Burp alternative. |
mitmproxy |
scriptable HTTPS proxy. |
ffuf, gobuster |
content / param fuzzing. |
sqlmap |
SQLi automation. |
XSStrike |
XSS detection. |
Commix |
command-injection. |
NoSQLMap |
NoSQL injection. |
nuclei |
template-driven scanning. |
JWT_Tool / jwt.io |
JWT analysis. |
sqlmap-tamper |
evasion scripts. |
Postman / Insomnia |
API testing. |
gitleaks, truffleho |
g secret discovery in code. |
Network / wireless#
Tool |
Notes |
|---|---|
Wireshark / tshark |
packet capture + analysis. |
tcpdump |
CLI capture. |
Aircrack-ng |
WiFi cracking suite. |
hcxdumptool / hcxto ols |
PMKID + handshake capture. |
Bettercap |
network-layer MITM. |
Responder |
NTLM / LLMNR / NBNS poisoning. |
Impacket |
Python network protocols (psexec, smbexec, ntlmrelayx, secretsdump, GetNPUsers, GetUserSPNs). |
Kismet |
wireless capture + IDS. |
Reaver / Bully |
WPS attacks. |
Pixiewps |
offline WPS PIN crack. |
hostapd-wpe |
rogue AP for EAP capture. |
mdk4 |
WiFi stress / deauth. |
PRET |
printer exploitation. |
Frida + objection |
mobile dynamic analysis. |
Ettercap |
classic LAN MITM. |
Credential cracking#
Tool |
Notes |
|---|---|
hashcat |
GPU-accelerated; the dominant cracker. |
John the Ripper |
CPU-friendly; many formats. |
hydra |
online password brute-force. |
medusa |
parallel online cracker. |
ncrack |
Nmap-team online cracker. |
patator |
generic brute-forcer. |
CeWL |
wordlist generation from web. |
crunch |
wordlist permutation. |
hashID / hash-ident ifier |
hash-format detection. |
John –wordlist + r ules |
rule-driven mutations. |
Active Directory / Windows#
Tool |
Notes |
|---|---|
BloodHound |
AD attack-path analysis. |
SharpHound / azured og |
BloodHound collectors. |
PowerView |
classic AD enumeration. |
Rubeus |
Kerberos abuse (kerberoasting / ASREP / S4U / pass-the-ticket). |
Mimikatz |
Windows credential dump (LSASS, DPAPI, SAM, ticket abuse). |
Pypykatz |
Python pure-impl mimikatz. |
secretsdump |
Impacket; credential extraction. |
CrackMapExec / nxc |
Network-wide enumeration + abuse. |
NetExec |
modern CME fork. |
Impacket suite |
see Network section. |
SharpDPAPI |
DPAPI offline + online. |
DonPAPI |
DPAPI cred-collection. |
ROADtools, ROADreco |
n Azure AD enumeration. |
AzureHound |
BloodHound collector for Azure. |
AADInternals |
Azure AD attack toolkit. |
Stormspotter |
Azure attack surface. |
PingCastle |
AD audit (free + paid). |
ADRecon |
AD reporting. |
Cloud (AWS / GCP / Azure)#
Tool |
Notes |
|---|---|
Pacu |
AWS exploitation framework. |
ScoutSuite |
multi-cloud security scanner. |
Prowler |
AWS / GCP / Azure benchmark scanner. |
CloudSploit |
multi-cloud audit. |
PMapper |
AWS IAM relationship analysis. |
Cartography |
multi-asset graph (Lyft). |
Stratus Red Team |
cloud attack emulation (DataDog). |
GCPBucketBrute |
open GCS bucket scanner. |
S3Scanner |
open S3 bucket scanner. |
trufflehog |
secret discovery (also cloud). |
gitleaks |
secret discovery. |
checkov, tfsec, KIC S |
IaC scanning. |
Aikido / Wiz / Orca |
commercial CSPM. |
Reverse engineering#
Tool |
Notes |
|---|---|
Ghidra |
NSA-released open-source decompiler / disassembler. |
IDA Pro / Free |
Hex-Rays; commercial leader. |
Binary Ninja |
commercial alternative; Python / Rust scriptable. |
radare2 / cutter |
OSS multi-arch RE. |
angr |
symbolic execution framework (Python). |
Frida |
dynamic instrumentation. |
gdb / pwndbg / GEF |
/ pwntools debugging + exploit dev. |
x64dbg |
Windows usermode debugger. |
objdump, readelf, n m |
classic binutils. |
otool |
macOS Mach-O. |
peda |
gdb plugin. |
ReClass.NET |
struct reverse-engineering. |
binwalk |
firmware analysis. |
Forensics / IR#
See Digital Forensics for the deeper catalog. Highlights:
Volatility 3, KAPE, Velociraptor, GRR, Autopsy, Sleuth Kit, bulk_extractor, plaso, log2timeline.
Cellebrite, Magnet AXIOM (mobile / commercial).
SOF-ELK, TheHive, Cortex (analyst platforms).
Defensive (blue team)#
Tool |
Notes |
|---|---|
Wazuh |
OSS XDR / SIEM. |
Elastic Stack (ELK) |
Logstash / Beats / Elasticsearch / Kibana. |
Splunk |
commercial SIEM. |
Microsoft Sentinel |
Azure-native SIEM (KQL). |
Chronicle / SecOps |
Google. |
QRadar |
IBM. |
LimaCharlie |
OSS-friendly XDR. |
osquery |
Facebook-released; queryable host telemetry. |
Sysmon (Windows) |
deep process / file / network telemetry. |
Auditbeat |
Linux audit shipping. |
auditd |
Linux kernel audit. |
Velociraptor |
OSS DFIR + endpoint hunting. |
GRR |
Google Rapid Response. |
Suricata, Zeek |
network IDS / NSM. |
Snort |
classic IDS (see IDS Rules). |
Falco |
Linux runtime detection (eBPF-based). |
Tetragon |
Cilium-driven runtime detection (eBPF). |
ClamAV |
OSS antivirus. |
YARA |
pattern matching (YARA). |
Sigma rules |
SIEM-agnostic detection (Sigma). |
Atomic Red Team |
ATT&CK-mapped test scripts. |
Caldera |
MITRE adversary emulation. |
Threat hunting#
Tool |
Notes |
|---|---|
HELK |
hunting ELK stack (Roberto Rodriguez). |
Mordor |
attack data sets for testing. |
Elastic Detection R ules |
open detections. |
Sigma + sigma-cli |
convert detections to backend. |
Hunting Maturity Mo del |
framework. |
Atomic Red Team |
execute ATT&CK techniques. |
Mythic Caldera |
adversary emulation. |
APT Simulator |
Florian Roth’s lateral-movement simulator. |
SAST / DAST / SCA#
Tool |
Notes |
|---|---|
Semgrep |
SAST; rules in YAML. |
Bandit |
Python SAST. |
Brakeman |
Ruby on Rails SAST. |
SpotBugs / FindSecB ugs |
Java SAST. |
SonarQube |
multi-language SAST + coverage. |
CodeQL |
GitHub-owned semantic analysis. |
PVS-Studio |
commercial SAST. |
Snyk Code |
commercial SAST. |
Checkmarx |
commercial SAST. |
Veracode |
commercial SAST + DAST. |
Burp Suite Enterpri |
se / DAST see Web app. |
Acunetix, Netsparke r |
commercial DAST. |
OWASP ZAP |
OSS DAST. |
Trivy, Grype, Snyk |
SCA / container. |
Dependabot, Renovat e |
dependency upgrades. |
References#
Hacking, techniques.
Hacker Groups, the actors.
Hacking Hardware, physical kit.
SDR Hardware, RF kit.
Digital Forensics, DFIR-specific tools.