We're very impressed by the collective smarts of the security community and we highly recommend reading the whole list and investigating any tools you are unfamiliar with. Click any tool name for more details on that particular application, including the chance to read (and write) reviews. Many site elements are explained by tool tips if you hover your mouse over them. Enjoy!
Metasploit took the security world by storm when it was released in 2004. It is an advanced open-source platform for developing, testing, and using exploit code. The extensible model through which payloads, encoders, no-op generators, and exploits can be integrated has made it possible to use the Metasploit Framework as an outlet for cutting-edge exploitation research. It ships with hundreds of exploits, as you can see in their list of modules. This makes writing your own exploits easier, and it certainly beats scouring the darkest corners of the Internet for illicit shellcode of dubious quality. One free extra is Metasploitable, an intentionally insecure Linux virtual machine you can use for testing Metasploit and other exploitation tools without hitting live servers.
Metasploit was completely free, but the project was acquired by Rapid7 in 2009 and it soon sprouted commercial variants. The Framework itself is still free and open source, but they now also offer a free-but-limited Community edition, a more advanced Express edition ($5,000 per year per user), and a full-featured Pro edition. Other paid exploitation tools to consider are Core Impact (more expensive) and Canvas (less).
Nessus is one of the most popular and capable vulnerability scanners, particularly for UNIX systems. It was initially free and open source, but they closed the source code in 2005 and removed the free "Registered Feed" version in 2008. It now costs $2,190 per year, which still beats many of its competitors. A free “Nessus Home” version is also available, though it is limited and only licensed for home network use.
Nessus is constantly updated, with more than 70,000 plugins. Key features include remote and local (authenticated) security checks, a client/server architecture with a web-based interface, and an embedded scripting language for writing your own plugins or understanding the existing ones.
Read 24 reviews.
Latest release: version 6.3.3 on March 16, 2015 (6 years, 1 month ago).
This network intrusion detection and prevention system excels at traffic analysis and packet logging on IP networks. Through protocol analysis, content searching, and various pre-processors, Snort detects thousands of worms, vulnerability exploit attempts, port scans, and other suspicious behavior. Snort uses a flexible rule-based language to describe traffic that it should collect or pass, and a modular detection engine. Also check out the free Basic Analysis and Security Engine (BASE), a web interface for analyzing Snort alerts.
While Snort itself is free and open source, parent company SourceFire offers their VRT-certified rules for $499 per sensor per year and a complementary product line of software and appliances with more enterprise-level features. Sourcefire also offers a free 30-day delayed feed.
Read 4 reviews.
Latest release: version 184.108.40.206 on July 23, 2015 (5 years, 9 months ago).
John the Ripper is a fast password cracker for UNIX/Linux and Mac OS X.. Its primary purpose is to detect weak Unix passwords, though it supports hashes for many other platforms as well. There is an official free version, a community-enhanced version (with many contributed patches but not as much quality assurance), and an inexpensive pro version. You will probably want to start with some wordlists, which you can find here, here, or here.
Read 18 reviews.
Latest release: version 1.8.0 on May 30, 2013 (7 years, 10 months ago).
Burp Suite is an integrated platform for attacking web applications. It contains a variety of tools with numerous interfaces between them designed to facilitate and speed up the process of attacking an application. All of the tools share the same framework for handling and displaying HTTP messages, persistence, authentication, proxies, logging, alerting and extensibility. There is a limited free version and also Burp Suite Professional ($299 per user per year).
Read 30 reviews.
Latest release: version 1.4.01 on June 3, 2011 (9 years, 10 months ago).
Core Impact isn't cheap (be prepared to spend at least $30,000), but it is widely considered to be the most powerful exploitation tool available. It sports a large, regularly updated database of professional exploits, and can do neat tricks like exploiting one machine and then establishing an encrypted tunnel through that machine to reach and exploit other boxes. Other good options include Metasploit and Canvas.
Read 22 reviews.
Latest release: version 12 on Aug. 8, 2011 (9 years, 8 months ago).
Disassembly is a big part of security research. It will help you dissect that Microsoft patch to discover the silently fixed bugs they don't tell you about, or more closely examine a server binary to determine why your exploit isn't working. Many debuggers are available, but IDA Pro has become the de-facto standard for the analysis of hostile code and vulnerability research. This interactive, programmable, extensible, multi-processor disassembler has a graphical interface on Windows and console interfaces on Linux and Mac OS X.
Review this tool.
Latest release: version 6.8 on April 13, 2015 (6 years ago).
Maltego is a forensics and data mining application. It is capable of querying various public data sources and graphically depicting the relationships between entities such as people, companies, web sites, and documents. Maltego is an open source intelligence too, but isn't open source software.
Read 1 review.
Latest release: version 3.0.3 on Jan. 17, 2011 (10 years, 3 months ago).
Rapid7 Nexpose is a vulnerability scanner which aims to support the entire vulnerability management lifecycle, including discovery, detection, verification, risk classification, impact analysis, reporting and mitigation. It integrates with Rapid7's Metasploit for vulnerability exploitation. It is sold as standalone software, an appliance, virtual machine, or as a managed service or private cloud deployment. User interaction is through a web browser. There is a free but limited community edition as well as commercial versions which start at $2,000 per user per year.
Read 19 reviews.
GFI LanGuard is a network security and vulnerability scanner designed to help with patch management, network and software audits, and vulnerability assessments. The price is based on the number of IP addresses you wish to scan. A free trial version (up to 5 IP addresses) is available.
Read 6 reviews.
Latest release: version 2011 on May 19, 2001 (19 years, 11 months ago).
Acunetix is a web vulnerability scanner that automatically checks web applications for vulnerabilities such as SQL Injections, cross site scripting, arbitrary file creation/deletion, and weak password strength on authentication pages. It boasts a comfortable GUI, an ability to create professional security audit and compliance reports, and tools for advanced manual webapp testing.
Read 12 reviews.
Latest release: version 11 on Nov. 16, 2016 (4 years, 5 months ago).
QualysGuard is a popular SaaS (software as a service) vulnerability management offering. It's web-based UI offers network discovery and mapping, asset prioritization, vulnerability assessment reporting and remediation tracking according to business risk. Internal scans are handled by Qualys appliances which communicate back to the cloud-based system.
Read 5 reviews.
Latest release: version 6.18 on Feb. 25, 2011 (10 years, 1 month ago).
VMware virtualization software lets you run one operating system within another. This is quite useful for security researchers who commonly need to test code, exploits, etc on multiple platforms. It only runs on Windows and Linux as the host OS, but pretty much any x86 or x86_64 OS will run inside the virtualized environment. It is also useful for setting up sandboxes. You can browse from within a VMware window so the even if you are infected with malware, it cannot reach your host OS. And recovering the guest OS is as simple as loading a "snapshot" from prior to the infection. VMware player (executes, but can't create OS images) and VMWare Server (partitions a physical server machine into multiple virtual machines) were recently released for free. An open-source alternative is VirtualBox. Xen is a Linux-specific virtualization system.
Read 1 review.
Latest release: version 12.0.0 on Aug. 24, 2015 (5 years, 7 months ago).
AppScan provides security testing throughout the application development lifecycle, easing unit testing and security assurance early in the development phase. Appscan scans for many common vulnerabilities, such as cross site scripting, HTTP response splitting, parameter tampering, hidden field manipulation, backdoors/debug options, buffer overflows and more. AppScan was merged into IBM's Rational division after IBM purchased its original developer (Watchfire) in 2007.
Read 2 reviews.
Latest release: version 8.5 on Nov. 15, 2011 (9 years, 5 months ago).
Canvas is a commercial vulnerability exploitation tool from Dave Aitel's ImmunitySec. It includes more than 370 exploits and is less expensive than Core Impact or the commercial versions of Metasploit. It comes with full source code, and occasionally even includes zero-day exploits.
Read 2 reviews.
Latest release: version 6.73 on Oct. 26, 2011 (9 years, 5 months ago).
L0phtCrack attempts to crack Windows passwords from hashes which it can obtain (given proper access) from stand-alone Windows workstations, networked servers, primary domain controllers, or Active Directory. In some cases it can sniff the hashes off the wire. It also has numerous methods of generating password guesses (dictionary, brute force, etc). LC5 was discontinued by Symantec in 2006, then re-acquired by the original L0pht guys and reborn as LC6 in 2009. For free alternatives, consider ophcrack, Cain and Abel, or John the Ripper.
Read 7 reviews.
Latest release: version 6.0.11 on Jan. 9, 2011 (10 years, 3 months ago).
SolarWinds has created and sells dozens of special-purpose tools targeted at systems administrators. Security-related tools include many network discovery scanners, an SNMP brute-force cracker, router password decryption, a TCP connection reset program, one of the fastest and easiest router config download/upload applications available and more.
Read 2 reviews.
Splunk is a tool to search, report, monitor and analyze real-time streaming and historical IT data. It collects logs from a variety of sources and makes them searchable in a unified interface.
Read 6 reviews.
Latest release: version 4.1.7 on Feb. 14, 2011 (10 years, 2 months ago).
NetWitness NextGen is a network security monitor. The heart of the monitor is the Decoder subsystem that records network traffic for analysis. The Investigator is a protocol analyzer meant to be run on captured traffic.
Read 2 reviews.
Latest release: version 220.127.116.11 on March 17, 2010 (11 years, 1 month ago).
Helix is a Ubuntu live CD customized for computer forensics. Helix has been designed very carefully to not touch the host computer in any way and it is forensically sound. Helix will not auto mount swap space, or auto mount any attached devices. Helix also has a special Windows autorun side for Incident Response and Forensics. Downloading of the live CD is only provided as a complement to membership in the e-fense members-only forum. An unsupported, older, no-cost version is available as well.
Read 2 reviews.
Latest release: version 2009R3 on Dec. 23, 2009 (11 years, 3 months ago).
Malwarebytes' Anti-Malware is a malware scanner for Windows. The authors claim to use a variety of technologies to find malware undetectable by other malware scanners. There is a free trial with limited options and a supported full version with the ability to run scheduled scans.
Read 9 reviews.
Latest release: version 18.104.22.1687 on June 29, 2015 (5 years, 9 months ago).
Netsparker is a web application security scanner, with support for both detection and exploitation of vulnerabilities. It aims to be false positive–free by only reporting confirmed vulnerabilities after successfully exploiting or otherwise testing them.
Read 7 reviews.
Latest release: version 22.214.171.124 on Feb. 10, 2011 (10 years, 2 months ago).
WebInspect is a web application security assessment tool that helps identify known and unknown vulnerabilities within the Web application layer. It can also help check that a Web server is configured properly, and attempts common web attacks such as parameter injection, cross-site scripting, directory traversal, and more. It was produced by Spidynamics, which is now part of HP.
Read 12 reviews.
Latest release: version 9.10 on June 27, 2011 (9 years, 9 months ago).
Nipper (short for Network Infrastructure Parser, previously known as CiscoParse) audits the security of network devices such as switches, routers, and firewalls. It works by parsing and analyzing device configuration file which the Nipper user must supply. This was an open source tool until its developer (Titania) released a commercial version and tried to hide their old GPL releases (including the GPLv2 version 0.10 source tarball).
Read 3 reviews.