// the operator's toolkit
The Arsenal
A catalog of 94 real-world security tools across 11 categories, including recon, web, exploitation, cracking, forensics, post-exploit, wireless, and blue team. Each entry: what it does, who uses it, the commands you'll actually type.
Nmap (pronounced "en-map")
Nmap (Network Mapper) is the most widely deployed network discovery and security auditing tool. It implements SYN, connect, UDP, ACK, and stealth scans, plus OS fingerprinting, version detection, and the Nmap Scripting Engine (NSE) with 600+ scripts. Created by Gordon 'Fyodor' Lyon in 1997 and continuously maintained since.
$ nmap --help
Masscan
Internet-scale TCP port scanner — claims 10M packets/second on the right hardware.
Shodan
Search engine for internet-connected devices — banners, certs, screenshots.
Censys
Internet-scale scanning platform — Shodan's academic-origin sibling.
Maltego
Visual link-analysis tool for OSINT — drag entities, run transforms, watch the graph grow.
theHarvester
Email, subdomain, and employee-name OSINT from public sources.
Recon-ng
Full-featured reconnaissance framework written in Python with a Metasploit-like interface.
SpiderFoot
Automated OSINT collector with 200+ modules and a web UI.
Amass
OWASP project for in-depth attack-surface mapping and subdomain enumeration.
Subfinder
ProjectDiscovery's fast passive-only subdomain enumerator.
dnsx
Fast, multi-purpose DNS toolkit from ProjectDiscovery.
httpx
Fast HTTP probe — status codes, titles, fingerprints, screenshots.
ExifTool
Phil Harvey's ubiquitous tool for reading and writing image/document metadata.
Burp Suite
PortSwigger's intercepting HTTP proxy — the de facto web app testing platform.
OWASP ZAP
The free, OWASP-stewarded alternative to Burp.
Nikto
Loud-but-fast web server scanner — checks for thousands of misconfigurations.
sqlmap
Automated SQL-injection exploitation — fingerprints DB, dumps tables, opens OS shells.
Gobuster
Fast directory, DNS-subdomain, and virtual-host brute-forcer in Go.
ffuf (pronounced "fuhf")
Fuzz Faster U Fool — Joohoi's blazing-fast Go web fuzzer.
Nuclei
Template-based vulnerability scanner from ProjectDiscovery — community-maintained CVE templates.
Dirsearch
Python directory brute-forcer with smart wordlist extensions.
Dirb
The classic CLI web content scanner — predecessor of every modern dir-buster.
Wfuzz
Python web app fuzzer — the OG before ffuf existed.
XSStrike
Advanced XSS detection suite with context-aware payload generation.
Dalfox
Powerful XSS scanning + parameter analysis tool in Go.
Arjun
HTTP parameter discovery tool — finds hidden GET/POST params.
Commix
Automated OS-command-injection exploitation, like sqlmap but for shell injection.
Metasploit Framework (pronounced "meta-sploit")
Rapid7's open-source exploitation framework — thousands of exploit modules.
Covenant
.NET-based open-source C2 framework with a web UI.
Cobalt Strike
Commercial adversary simulation — the industry-standard red-team C2.
Sliver
Bishop Fox's open-source cross-platform C2 — a rising Cobalt Strike alternative.
Havoc
Modern modular post-exploitation framework with C2 and Demon implant.
Empire
PowerShell + Python post-exploitation framework, reborn under BC Security.
BeEF (Browser Exploitation Framework)
Hooks browsers via JS payloads and exposes a control panel for post-XSS modules.
SET (Social-Engineer Toolkit)
Dave Kennedy's social-engineering automation toolkit.
Hashcat
The fastest open-source password recovery tool — GPU acceleration on every hash mode.
John the Ripper
Open-source password cracker with the most diverse hash format support of any open tool.
THC-Hydra
Parallelized online password-guessing across 50+ protocols.
Medusa
Parallel network login brute-forcer — Hydra's older sibling.
Ophcrack
GUI rainbow-table cracker for LM and NTLM hashes.
RainbowCrack
Rainbow-table generator and cracker — the original time/memory trade-off tool.
Wireshark
The reference open-source network protocol analyzer.
tcpdump
The command-line packet sniffer that every Unix-like ships with.
Ettercap
Classic LAN man-in-the-middle framework — ARP poisoning, DNS spoofing, filters.
Bettercap
Modern reincarnation of Ettercap — Go-based, scriptable, Wi-Fi-aware.
Responder
LLMNR/NBT-NS/MDNS poisoner — harvests NTLM hashes from Windows networks.
NetworkMiner
Forensic-focused pcap analyzer — extracts files, credentials, sessions automatically.
Zeek (formerly Bro)
Open-source network security monitoring — extracts protocol-level logs and IOCs.
Scapy
Python packet manipulation library — craft, send, sniff, dissect arbitrary packets.
Aircrack-ng
The classic Wi-Fi security testing suite — `airmon-ng`, `airodump-ng`, `aireplay-ng`, `aircrack-ng`.
Airgeddon
Menu-driven Wi-Fi audit multi-tool — wraps aircrack, hostapd, etc.
Wifite
Automated Wi-Fi auditing — just point it at an interface and it does the rest.
Kismet
Wireless network detector, sniffer, and IDS — speaks 802.11, BLE, RTL-SDR.
Reaver
WPS PIN brute-forcer — recovers WPA/WPA2 PSK via the WPS protocol weakness.
HackRF One
Software-defined radio peripheral by Great Scott Gadgets — 1 MHz to 6 GHz.
Volatility
Open-source memory-forensics framework — reads RAM images and reconstructs system state.
Autopsy
Open-source digital-forensics GUI on top of The Sleuth Kit.
FTK Imager
Exterro's free disk-imaging utility — the de facto standard for forensic disk capture.
Ghidra (pronounced "ghee-druh")
NSA's open-source reverse-engineering platform with a strong decompiler.
IDA Pro
Hex-Rays' interactive disassembler and decompiler — the longstanding RE gold standard.
x64dbg
Open-source x64/x32 Windows debugger — the modern OllyDbg replacement.
Radare2 (r2)
CLI-first reverse engineering framework — vim-like commands, massive feature set.
binwalk
Firmware analysis tool — identifies and extracts embedded files.
Foremost
File-carving tool — recovers files from raw disks/images by magic-byte headers.
strings
GNU binutils tool that prints printable character sequences from a binary.
objdump
GNU disassembler — prints assembly + section info for any object file.
Cutter
Free GUI for radare2 with the Rizin engine — modern, IDA-like RE experience.
Binary Ninja
Vector 35's commercial RE platform — modern UX, headless API, multiple IL layers.
Mimikatz
Benjamin Delpy's Windows credential-theft Swiss Army knife.
Impacket
SecureAuth (now Fortra) Python toolkit for low-level Windows network protocols.
BloodHound
Active Directory attack-path visualizer — graphs the shortest path to Domain Admin.
CrackMapExec (CME)
Swiss Army knife for AD post-exploitation — sprays credentials over SMB/WinRM/MSSQL/LDAP.
Evil-WinRM
WinRM shell client for Windows post-exploit — the 'ssh' of WinRM.
PowerSploit
Mattifestation's collection of offensive PowerShell modules.
Rubeus
C# toolset for raw Kerberos interaction — kerberoasting, AS-REProasting, ticket abuse.
Kerbrute
Pre-auth Kerberos username enumeration and password spraying.
Steghide
Classic steganography tool for JPEG/BMP/WAV/AU with password-protected payloads.
zsteg
PNG/BMP steganography detection — LSB extraction, signature scanning.
Stegsolve
Java GUI tool for interactive image-layer steganalysis.
Netcat (nc)
The 'TCP/IP Swiss Army knife' — read/write to arbitrary TCP/UDP sockets.
Socat
Netcat on steroids — bidirectional relays across virtually any pair of channels.
tmux
Terminal multiplexer — multiple sessions and panes in one terminal, survives SSH drops.
CyberChef
GCHQ's web-based 'cyber Swiss Army knife' for encode/decode/encrypt/parse.
pwntools
Python CTF toolkit — wraps socket I/O, ELF parsing, ROP, shellcode into a 5-line exploit.
ROPgadget
Find ROP gadgets in ELF/PE/Mach-O binaries.
checksec
Check ELF/PE binary security properties — NX, PIE, RELRO, canary, fortify.
Snort
The original open-source network intrusion detection system.
Suricata
OISF's multi-threaded NIDS — modern Snort-rule-compatible alternative.
Wazuh
Open-source XDR + SIEM platform — OSSEC fork with modern dashboards.
TheHive
Open-source security incident response platform — case management for the SOC.
MISP (pronounced "M-I-S-P")
Open-source threat-intelligence sharing platform — IOC management at scale.
Velociraptor
Rapid7's open-source endpoint visibility + collection tool — DFIR at fleet scale.
OpenVAS (Greenbone Vulnerability Scanner)
Open-source vulnerability scanner from Greenbone — the free Nessus alternative.
Nessus
Tenable's vulnerability scanner — the industry-standard enterprise tool.
// next
Reading is fine. Running is better.
The Arsenal tells you what a tool does. The Labs let you watch a version of the bug those tools find play out. The Tools live on this site, so you can use them right now.