student@hack3rs:~/learning/tools$ ls
Free defensive guides for core network security tools. Each page is long-form and focused on ethical blue-team use, practical CLI workflows, common mistakes, and how to integrate the tool into real incident response and monitoring operations.
Tools are grouped into learning modules so students can study by workflow (packet analysis, IDS, wireless, web app security, AD labs, DFIR, OSINT, and more) instead of scrolling a flat list.
Wireshark and TShark are foundational packet-analysis tools for defenders. They help you see what actually happened on the wire, validate alerts, troubleshoot protocol failures, and build evidence-based incident timelines.
Ncat is a versatile networking utility from the Nmap project used by defenders for connectivity checks, listener/client tests, and protocol troubleshooting in authorized environments.
Ndiff compares Nmap XML scan results so defenders can identify exposure changes, service drift, and unexpected port differences over time.
hping3 is a packet crafting and network testing utility used by defenders for troubleshooting, path validation, firewall testing, and protocol behavior experiments in authorized environments.
tcpdump is a core command-line packet capture and packet inspection tool used by defenders for fast, scriptable network troubleshooting and incident evidence collection.
socat is a flexible socket relay and protocol bridging tool used by defenders for troubleshooting, lab simulations, and protocol validation in controlled environments.
Netcat (nc) is a classic network utility used by defenders for connectivity tests, listener checks, and protocol troubleshooting. This page complements Ncat and socat by teaching the basic netcat workflow.
Nping is an Nmap project packet generation and network measurement tool useful for defenders learning path validation, simple traffic testing, and response timing in authorized environments.
Arkime is a large-scale packet capture indexing and search platform used by defenders for retrospective analysis, packet retrieval, and network investigation workflows.
Zeek provides rich, structured network telemetry that helps defenders investigate incidents, hunt suspicious behavior, and understand protocol activity at scale without relying only on signatures.
Suricata is a high-performance network detection and inspection engine used for IDS/IPS and protocol-aware monitoring. It is widely used by blue teams for alerting, packet inspection, and traffic visibility.
Snort is a long-standing network intrusion detection and prevention engine used for signature-based and protocol-aware traffic inspection and alerting.
YARA is a pattern-matching tool and rule language used by defenders to classify malware, detect artifacts, and create reusable detection logic across files and memory-related workflows.
Wazuh is an open-source security platform for log collection, endpoint telemetry, detection, and monitoring that defenders use to build centralized visibility and response workflows.
Velociraptor is a DFIR and endpoint visibility platform used by defenders for rapid evidence collection, hunting, and endpoint investigation workflows in authorized environments.
osquery exposes operating system state as SQL tables, letting defenders query endpoints for processes, users, network connections, services, and configuration data in a structured way.
Sigma is a generic rule format for detection engineering that helps defenders write and share detections in a portable way across SIEM and analytics platforms.
Nmap is a core defensive tool for discovering hosts, enumerating services, validating exposure, and confirming remediation. Used responsibly, it provides a reliable view of what your network is actually exposing.
OpenVAS / Greenbone Community Edition provides a community-driven vulnerability management stack for recurring scanning and remediation workflows. It is a strong learning platform for understanding how scanners support defense operations.
Cadaver is a command-line WebDAV client useful for validating WebDAV configuration, authentication, and access behavior in authorized environments.
arp-scan discovers hosts on local networks using ARP, helping defenders validate layer-2 visibility, inventories, and local segment presence in authorized environments.
Nikto is a web server scanner used by defenders for quick checks of common misconfigurations, outdated software indicators, and exposed files in authorized assessments.
dnsrecon is a DNS enumeration utility used by defenders for authorized DNS exposure validation, zone data checks, and external footprint review.
Netdiscover is a local network discovery tool used by defenders to identify hosts via ARP and support quick segment awareness in labs and authorized environments.
dnsenum is a DNS enumeration tool used by defenders for authorized external DNS exposure checks, inventory validation, and recon awareness training.
Masscan is included as a defender caution/training reference to teach high-speed scanning risk, scope control, and why aggressive scanning requires strict authorization and operational planning.
SpiderFoot automates OSINT collection and correlation for asset discovery, exposure reviews, and reconnaissance awareness in authorized defensive workflows.
theHarvester is an OSINT collection tool used by defenders to understand externally visible email, domain, and infrastructure exposure from public sources.
Maltego is a graph-based link analysis and OSINT visualization platform used by defenders to map relationships between infrastructure, identities, and entities during investigations and exposure reviews.
This page teaches email harvesting as a defensive OSINT workflow concept: how to collect, validate, and use publicly exposed email data ethically for exposure reviews and phishing-risk reduction.
Recon-ng is an OSINT framework used by defenders in authorized workflows to structure external reconnaissance awareness, asset discovery, and source-driven investigations.
sqlmap is an automated SQL injection testing framework used by defenders in authorized appsec workflows to validate SQL injection risk, confirm remediation, and improve detection and secure coding practices.
Burp Suite is a web application testing platform and proxy used by defenders and appsec teams in authorized testing to analyze HTTP traffic, validate findings, and improve secure development and detection practices.
DirBuster is a legacy web content discovery tool used in authorized appsec training and assessments to identify hidden directories/files and validate web server exposure.
SQLninja is a specialized SQL Server injection testing tool primarily useful in authorized labs and legacy appsec education for understanding SQLi risks and SQL Server-specific exposure patterns.
Websploit is a security testing framework taught here mainly as a lab/historical tool for understanding modular offensive tooling and why defenders need logging, hardening, and process controls.
OWASP ZAP is a widely used web application security testing proxy and scanner that defenders and appsec teams use in authorized workflows to inspect traffic, validate vulnerabilities, and verify remediations.
ffuf is a fast web fuzzing and content discovery tool used by defenders in authorized web assessments to discover hidden paths, parameters, and misconfigurations for remediation validation.
Kismet is a passive wireless monitoring and detection platform used by defenders to discover wireless networks and clients, monitor channels, and investigate rogue or misconfigured wireless activity in authorized environments.
Aircrack-ng is a wireless auditing suite used in authorized labs and assessments to test WLAN security assumptions, validate hardening, and teach how wireless protections and attacks work so defenders can build stronger controls.
Wifite automates parts of wireless auditing workflows and is mainly useful in authorized labs to teach WLAN weaknesses, tooling orchestration, and defensive hardening needs.
Airgeddon is a wireless auditing framework/script suite used in authorized labs to orchestrate wireless testing workflows and teach WLAN hardening and detection requirements.
Fern WiFi Cracker is a GUI wireless auditing tool mainly useful for lab-based learning about WLAN weaknesses, workflow automation, and why modern wireless hardening and monitoring matter.
Wifiphisher is a wireless phishing simulation framework used in authorized labs and awareness exercises to teach defenders about WLAN social engineering risks and countermeasures.
Hashcat is a high-performance password recovery and password auditing tool used by defenders to validate password strength, test policy effectiveness, and demonstrate risk from weak or reused passwords in authorized environments.
Cain & Abel is a legacy Windows password recovery and credential analysis suite. This page teaches it as historical context and controlled lab learning for credential security concepts, not as a modern production blue-team platform.
Ncrack is a network authentication auditing tool used in authorized environments to test weak/default credentials, validate account lockout behavior, and assess authentication exposure on network services.
John the Ripper is a password auditing and recovery tool used by defenders in authorized environments to validate password strength, analyze hash formats, and support credential security remediation workflows.
THC Hydra is a login/authentication testing tool that defenders can use in tightly scoped, authorized labs and audits to validate credential exposure and monitoring controls.
Medusa is a network login brute-force/auditing tool used by defenders in authorized labs and assessments to validate credential controls and failed-login monitoring.
Johnny is included as a historical GUI companion reference for John the Ripper to help learners understand older password audit UX patterns and why command-line reproducibility still matters.
Security Onion is an integrated blue-team platform combining network visibility, host visibility, log collection, detections, and analyst workflows. It is excellent for labs, training, and operational SOC-style deployments.
Metasploit Framework is a widely used security testing and validation framework that defenders study in authorized labs to understand exploit mechanics, detection opportunities, and control effectiveness.
CrackMapExec is an automation framework used in authorized Windows/AD security testing and labs to validate exposure, credentials, and defensive detections across enterprise protocols.
Armitage is a legacy GUI/team collaboration interface for Metasploit, useful mainly as historical training context for understanding earlier offensive workflow orchestration and why modern teams emphasize controlled, auditable testing.
BloodHound is a graph analysis platform used in labs and authorized AD security reviews to understand privilege relationships, attack paths, and defensive hardening priorities in Windows environments.
mitm6 is a specialized IPv6/AD attack simulation tool used in authorized labs and purple-team exercises to teach defenders how IPv6/NTLM relay paths can be abused and how to harden and detect them.
SharpHound collects Active Directory relationship data for BloodHound analysis and is studied by defenders in authorized labs to understand what AD data enables privilege-path mapping and how to detect and harden against misuse.
Evil-WinRM is a WinRM client tool widely used in labs and authorized Windows security testing; defenders study it to understand WinRM abuse paths, logging, and hardening requirements.
PingCastle is an Active Directory security assessment tool used by defenders to review AD security posture, identify common risks, and prioritize hardening actions in Windows environments.
Steghide is a steganography tool used in labs and investigations to understand hidden data in media files and teach defenders how to examine stego-related artifacts safely.
Autopsy is a digital forensics platform used to analyze disk images and artifacts, helping defenders and investigators structure evidence review and case workflows.
strings extracts printable text from binaries and files, helping defenders quickly triage artifacts, spot indicators, and guide deeper analysis workflows.
Stegosuite is a steganography-focused GUI tool used in labs and forensic training to teach hidden-data concepts and artifact handling in image files.
SARA is a legacy vulnerability scanning/project reference taught here mainly for historical context so defenders can understand how scanning workflows evolved into modern vulnerability management.
Ettercap is a network protocol analysis and interception tool often used in labs to teach man-in-the-middle risks, protocol insecurity, and defensive monitoring requirements.
DNSChef is a configurable DNS proxy/tool often used in labs to simulate DNS responses, test application behavior, and teach defenders how DNS manipulation can affect systems.
Bettercap is a modular network interaction framework used in authorized labs to teach protocol abuse paths, network visibility, and corresponding defensive controls and detections.
ARPWatch is included as a monitoring reference to teach defenders how MAC/IP mapping changes can support local network anomaly detection and inventory validation.
Companion page to DNSChef focused on lab patterns for DNS simulation, validation, and defender observation workflows.
