We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!
Wireshark (known as Ethereal until a trademark dispute in Summer 2006) is a fantastic open source multi-platform network protocol analyzer. It allows you to examine data from a live network or from a capture file on disk. You can interactively browse the capture data, delving down into just the level of packet detail you need. Wireshark has several powerful features, including a rich display filter language and the ability to view the reconstructed stream of a TCP session. It also supports hundreds of protocols and media types. A tcpdump-like console version named tshark is included. One word of caution is that Wireshark has suffered from dozens of remotely exploitable security holes, so stay up-to-date and be wary of running it on untrusted or hostile networks (such as security conferences).
Read 39 reviews.
Latest release: version 1.12.7 on Aug. 12, 2015 (2 years, 11 months ago).
Aircrack is a suite of tools for 802.11a/b/g WEP and WPA cracking. It implements the best known cracking algorithms to recover wireless keys once enough encrypted packets have been gathered. . The suite comprises over a dozen discrete tools, including airodump (an 802.11 packet capture program), aireplay (an 802.11 packet injection program), aircrack (static WEP and WPA-PSK cracking), and airdecap (decrypts WEP/WPA capture files).
Read 23 reviews.
Latest release: version 1.1 on April 24, 2010 (8 years, 2 months ago).
UNIX users often smugly assert that the best free security tools support their platform first, and Windows ports are often an afterthought. They are usually right, but Cain & Abel is a glaring exception. This Windows-only password recovery tool handles an enormous variety of tasks. It can recover passwords by sniffing the network, cracking encrypted passwords using dictionary, brute-force and cryptanalysis attacks, recording VoIP conversations, decoding scrambled passwords, revealing password boxes, uncovering cached passwords and analyzing routing protocols. It is also well documented.
Read 17 reviews.
Latest release: version 4.9.56 on April 7, 2014 (4 years, 3 months ago).
This excellent bootable live CD Linux distribution comes from the merger of Whax and Auditor. It boasts a huge variety of Security and Forensics tools and provides a rich development environment. User modularity is emphasized so the distribution can be easily customized by the user to include personal scripts, additional tools, customized kernels, etc. BackTrack is succeeded by Kali Linux.
Read 21 reviews.
Latest release: version 5 R3 on Aug. 13, 2012 (5 years, 11 months ago).
This simple utility reads and writes data across TCP or UDP network connections. It is designed to be a reliable back-end tool to use directly or easily drive by other programs and scripts. At the same time, it is a feature-rich network debugging and exploration tool, since it can create almost any kind of connection you would need, including port binding to accept incoming connections.
Tcpdump is the network sniffer we all used before (Wireshark) came on the scene, and many of us continue to use it frequently. It may not have the bells and whistles (such as a pretty GUI and parsing logic for hundreds of application protocols) that Wireshark has, but it does the job well and with less security risk. It also requires fewer system resources. While Tcpdump doesn't receive new features often, it is actively maintained to fix bugs and portability problems. It is great for tracking down network problems or monitoring activity. There is a separate Windows port named WinDump. tcpdump is the source of the Libpcap/WinPcap packet capture library, which is used by Nmap and many other tools.
Read 4 reviews.
Latest release: version 4.7.4 on April 22, 2015 (3 years, 3 months ago).
Kismet is a console (ncurses) based 802.11 layer-2 wireless network detector, sniffer, and intrusion detection system. It identifies networks by passively sniffing (as opposed to more active tools such as NetStumbler), and can even decloak hidden (non-beaconing) networks if they are in use. It can automatically detect network IP blocks by sniffing TCP, UDP, ARP, and DHCP packets, log traffic in Wireshark/tcpdump compatible format, and even plot detected networks and estimated ranges on downloaded maps. As you might expect, this tool is commonly used for wardriving. Oh, and also warwalking, warflying, and warskating, etc.
Read 1 review.
Latest release: version Kismet-2013-03-R1b on April 8, 2013 (5 years, 3 months ago).
SSH (Secure Shell) is the now ubiquitous program for logging into or executing commands on a remote machine. It provides secure encrypted communications between two untrusted hosts over an insecure network, replacing the hideously insecure telnet/rlogin/rsh alternatives. Most UNIX users run the open source OpenSSH server and client. Windows users often prefer the free PuTTY client, which is also available for many mobile devices, and WinSCP. Other Windows users prefer the nice terminal-based port of OpenSSH that comes with Cygwin. There are dozens of other free and proprietary clients to consider as well.
Read 2 reviews.
Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.
Read 21 reviews.
Latest release: version 2.1.4 on Feb. 20, 2011 (7 years, 5 months ago).
This handy little utility assembles and sends custom ICMP, UDP, or TCP packets and then displays any replies. It was inspired by the ping command, but offers far more control over the probes sent. It also has a handy traceroute mode and supports IP fragmentation. Hping is particularly useful when trying to traceroute/ping/probe hosts behind a firewall that blocks attempts using the standard utilities. This often allows you to map out firewall rule sets. It is also great for learning more about TCP/IP and experimenting with IP protocols. Unfortunately, it hasn't been updated since 2005. The Nmap Project created and maintains Nping, a similar program with more modern features such as IPv6 support, and a unique echo mode.
Read 5 reviews.
Latest release: version hping3-20051105 on Nov. 5, 2005 (12 years, 8 months ago).
Ettercap is a suite for man in the middle attacks on LAN. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.
It supports active and passive dissection of many protocols (even ciphered ones) and includes many feature for network and host analysis.
Read 10 reviews.
Latest release: version 0.8.2-Ferri on March 14, 2015 (3 years, 4 months ago).
Sysinternals provides many small windows utilities that are quite useful for low-level windows hacking. Some are free of cost and/or include source code, while others are proprietary. Survey respondents were most enamored with:
ProcessExplorer for keeping an eye on the files and directories open by any process (like lsof on UNIX).
PsTools for managing (executing, suspending, killing, detailing) local and remote processes.
Autoruns for discovering what executables are set to run during system boot up or login.
RootkitRevealer for detecting registry and file system API discrepancies that may indicate the presence of a user-mode or kernel-mode rootkit.
TCPView, for viewing TCP and UDP traffic endpoints used by each process (like Netstat on UNIX).
Many of the Sysinternals tools originally came with source code and there were even Linux versions. Microsoft acquired Sysinternals in July 2006, promising that “Customers will be able to continue building on Sysinternals' advanced utilities, technical information and source code”. Less than four months later, Microsoft removed most of that source code.
Read 1 review.
Latest release: Feb. 4, 2011 (7 years, 5 months ago).
W3af is an extremely popular, powerful, and flexible framework for finding and exploiting web application vulnerabilities. It is easy to use and extend and features dozens of web assessment and exploitation plugins. In some ways it is like a web-focused Metasploit.
Read 17 reviews.
Latest release: version 1.1 on Oct. 11, 2011 (6 years, 9 months ago).
OpenVAS is a vulnerability scanner that was forked from the last free version of Nessus after that tool went proprietary in 2005. OpenVAS plugins are still written in the Nessus NASL language. The project seemed dead for a while, but development has restarted.
Read 36 reviews.
Latest release: version 8.0 on April 2, 2015 (3 years, 3 months ago).
Scapy is a powerful interactive packet manipulation tool, packet generator, network scanner, network discovery tool, and packet sniffer. Note that Scapy is a very low-level tool—you interact with it using the Python programming language. It provides classes to interactively create packets or sets of packets, manipulate them, send them over the wire, sniff other packets from the wire, match answers and replies, and more.
Read 6 reviews.
Latest release: version 2.2.0 on Feb. 28, 2011 (7 years, 4 months ago).
While there are many advanced high-tech tools out there to assist in security auditing, don't forget about the basics! Everyone should be very familiar with these tools as they come with most operating systems (except that Windows omits whois and uses the name tracert). They can be very handy in a pinch, although more advanced functionality is available from Hping and Netcat.
Read 4 reviews.
While many canned security tools are available on this site for handling common tasks, scripting languages allow you to write your own (or modify existing ones) when you need something more custom. Quick, portable scripts can test, exploit, or even fix systems. Archives like CPAN are filled with modules such as Net::RawIP and protocol implementations to make your tasks even easier. Many security tools use scripting languages heavily for extensibility. For example Scapy interaction is through a Python interpreter, Metasploit modules are written in Ruby, and Nmap's scripting engine uses Lua.
Review this tool.
A Java-based web proxy for assessing web application vulnerability. It supports editing/viewing HTTP/HTTPS messages on-the-fly to change items such as cookies and form fields. It includes a web traffic recorder, web spider, hash calculator, and a scanner for testing common web application attacks such as SQL injection and cross-site scripting.
Read 4 reviews.
Latest release: version 3.2.13 on Aug. 8, 2006 (11 years, 11 months ago).
Netstumbler is the best known Windows tool for finding open wireless access points ("wardriving"). They also distribute a WinCE version for PDAs and such named MiniStumbler. The tool is currently free but Windows-only and no source code is provided. It uses a more active approach to finding WAPs than passive sniffers such as Kismet or KisMAC.
Read 3 reviews.
Latest release: version 0.4.0 on April 1, 2004 (14 years, 3 months ago).
While it is far more than a security tool, Google's massive database is a gold mine for security researchers and penetration testers. You can use it to dig up information about a target company by using directives such as “site:target-domain.com” and find employee names, sensitive information that they wrongly thought was hidden, vulnerable software installations, and more. Similarly, when a bug is found in yet another popular webapp, Google can often provide a list of vulnerable servers worldwide within seconds. Check out the Google Hacking Database and Johnny Long's excellent book: Google Hacking for Penetration Testers.
Read 4 reviews.
OSSEC HIDS performs log analysis, integrity checking, rootkit detection, time-based alerting and active response. In addition to its IDS functionality, it is commonly used as a SEM/SIM solution. Because of its powerful log analysis engine, ISPs, universities and data centers are running OSSEC HIDS to monitor and analyze their firewalls, IDSs, web servers and authentication logs.
Read 2 reviews.
Latest release: version 2.8.2 on June 10, 2015 (3 years, 1 month ago).
In its simplest form, WebScarab records the conversations (requests and responses) that it observes, and allows the operator to review them in various ways. WebScarab is designed to be a tool for anyone who needs to expose the workings of an HTTP(S) based application, whether to allow the developer to debug otherwise difficult problems, or to allow a security specialist to identify vulnerabilities in the way that the application has been designed or implemented.
Read 2 reviews.
Latest release: version 20100820-1632 on Aug. 20, 2010 (7 years, 11 months ago).
sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws and taking over of back-end database servers. It comes with a broad range of features, from database fingerprinting to fetching data from the DB and even accessing the underlying file system and executing OS commands via out-of-band connections. The authors recommend using the development release from their Subversion repository.
Read 11 reviews.
Latest release: version 0.9 on April 11, 2011 (7 years, 3 months ago).
The authors of TrueCrypt abandoned the project in May 2014. While many still use the software, there are several forks and alternatives that are striving to take its lofty place.
TrueCrypt is an excellent open source disk encryption system for Windows, Mac, and Linux systems. Users can encrypt entire filesystems, which are then on-the-fly encrypted/decrypted as needed without user intervention beyond initially entering their passphrase. A clever hidden volume feature allows you to hide a second layer of particularly sensitive content with plausible deniability about whether it even exists. Then if you are forced to give up your passphrase, you give them the first-level secret. That only allows them access to the innocuous material you have there, without proving that a second level key even exists.
Read 5 reviews.
Latest release: version 7.2 on May 28, 2014 (4 years, 1 month ago).