student@hack3rs:~/learning/tools$ ls
Free defensive guides for the tools that actually matter. Each page is long-form — ethical use boundaries, real CLI workflows, common mistakes, and how the tool integrates into monitoring and incident response operations.
Tools are organized by workflow — packet analysis, IDS, wireless, web app, AD, DFIR, OSINT, and more — so you study by what you're trying to do, not by alphabetical order.
Wireshark packet analysis and TShark give defenders a ground-truth view of what happened on the wire. Use them to validate alerts, troubleshoot protocol failures, and reconstruct incident timelines from a pcap file.
Ncat is a versatile networking utility from the Nmap project used by defenders for connectivity checks, listener/client tests, and protocol troubleshooting in authorized environments.
Ndiff compares Nmap XML scan results so defenders can identify exposure changes, service drift, and unexpected port differences over time.
hping3 is a packet crafting and network testing utility used by defenders for troubleshooting, path validation, firewall testing, and protocol behavior experiments in authorized environments.
tcpdump is a core command-line packet capture and packet inspection tool used by defenders for fast, scriptable network troubleshooting and incident evidence collection.
socat is a flexible socket relay and protocol bridging tool used by defenders for troubleshooting, lab simulations, and protocol validation in controlled environments.
Netcat (nc) is a classic network utility used by defenders for connectivity tests, listener checks, and protocol troubleshooting. This page complements Ncat and socat by teaching the basic netcat workflow.
Nping is an Nmap project packet generation and network measurement tool useful for defenders learning path validation, simple traffic testing, and response timing in authorized environments.
Arkime is a large-scale packet capture indexing and search platform used by defenders for retrospective analysis, packet retrieval, and network investigation workflows.
Zeek network monitoring produces structured, protocol-aware logs that defenders use to investigate incidents, hunt suspicious behavior, and correlate network-side evidence with host telemetry — without requiring signatures for every threat.
Suricata IDS IPS is a high-performance network detection engine that blue teams deploy for signature-based alerting, protocol-aware inspection, and traffic metadata generation. Getting value from it requires tuning discipline, not just rule volume.
Snort is a long-standing network intrusion detection and prevention engine used for signature-based and protocol-aware traffic inspection and alerting.
YARA is a pattern-matching tool and rule language used by defenders to classify malware, detect artifacts, and create reusable detection logic across files and memory-related workflows.
Wazuh is an open-source security platform for log collection, endpoint telemetry, detection, and monitoring that defenders use to build centralized visibility and response workflows.
Velociraptor is a DFIR and endpoint visibility platform used by defenders for rapid evidence collection, hunting, and endpoint investigation workflows in authorized environments.
osquery exposes operating system state as SQL tables, letting defenders query endpoints for processes, users, network connections, services, and configuration data in a structured way.
Sigma is a generic rule format for detection engineering that helps defenders write and share detections in a portable way across SIEM and analytics platforms.
Nmap is the nmap network scanner defenders reach for when they need to know what a network is actually exposing. Use it to find hosts, audit open ports, validate firewall rules, and catch exposure drift before someone else does.
OpenVAS and Greenbone Community Edition give defenders a vulnerability management stack for recurring scans, finding triage, and remediation workflows. It is a practical platform for learning how scanning fits into a defense program.
Cadaver is a command-line WebDAV client useful for validating WebDAV configuration, authentication, and access behavior in authorized environments.
arp-scan discovers hosts on local networks using ARP, helping defenders validate layer-2 visibility, inventories, and local segment presence in authorized environments.
Nikto is a web server scanner used by defenders for quick checks of common misconfigurations, outdated software indicators, and exposed files in authorized assessments.
dnsrecon is a DNS enumeration utility used by defenders for authorized DNS exposure validation, zone data checks, and external footprint review.
Netdiscover is a local network discovery tool used by defenders to identify hosts via ARP and support quick segment awareness in labs and authorized environments.
dnsenum is a DNS enumeration tool used by defenders for authorized external DNS exposure checks, inventory validation, and recon awareness training.
Masscan is included as a defender caution/training reference to teach high-speed scanning risk, scope control, and why aggressive scanning requires strict authorization and operational planning.
SpiderFoot automates OSINT collection and correlation for asset discovery, exposure reviews, and reconnaissance awareness in authorized defensive workflows.
theHarvester is an OSINT collection tool used by defenders to understand externally visible email, domain, and infrastructure exposure from public sources.
Maltego is a graph-based link analysis and OSINT visualization platform used by defenders to map relationships between infrastructure, identities, and entities during investigations and exposure reviews.
This page teaches email harvesting as a defensive OSINT workflow concept: how to collect, validate, and use publicly exposed email data ethically for exposure reviews and phishing-risk reduction.
Recon-ng is an OSINT framework used by defenders in authorized workflows to structure external reconnaissance awareness, asset discovery, and source-driven investigations.
sqlmap is an automated SQL injection testing framework used by defenders in authorized appsec workflows to validate SQL injection risk, confirm remediation, and improve detection and secure coding practices.
Burp Suite is a web application testing platform and proxy used by defenders and appsec teams in authorized testing to analyze HTTP traffic, validate findings, and improve secure development and detection practices.
DirBuster is a legacy web content discovery tool used in authorized appsec training and assessments to identify hidden directories/files and validate web server exposure.
SQLninja is a specialized SQL Server injection testing tool primarily useful in authorized labs and legacy appsec education for understanding SQLi risks and SQL Server-specific exposure patterns.
Websploit is a security testing framework taught here mainly as a lab/historical tool for understanding modular offensive tooling and why defenders need logging, hardening, and process controls.
OWASP ZAP is a widely used web application security testing proxy and scanner that defenders and appsec teams use in authorized workflows to inspect traffic, validate vulnerabilities, and verify remediations.
ffuf is a fast web fuzzing and content discovery tool used by defenders in authorized web assessments to discover hidden paths, parameters, and misconfigurations for remediation validation.
Kismet is a passive wireless monitoring platform that defenders use to discover SSIDs and clients, build wireless baselines, and investigate rogue or misconfigured access points in authorized environments — without sending a single probe.
Aircrack-ng is a wireless security audit suite used in authorized labs and assessments to test WLAN hardening assumptions, validate passphrase strength, and teach how wireless protocol mechanics interact with defensive controls.
Wifite automates parts of wireless auditing workflows and is mainly useful in authorized labs to teach WLAN weaknesses, tooling orchestration, and defensive hardening needs.
Airgeddon is a wireless auditing framework/script suite used in authorized labs to orchestrate wireless testing workflows and teach WLAN hardening and detection requirements.
Fern WiFi Cracker is a GUI wireless auditing tool mainly useful for lab-based learning about WLAN weaknesses, workflow automation, and why modern wireless hardening and monitoring matter.
Wifiphisher is a wireless phishing simulation framework used in authorized labs and awareness exercises to teach defenders about WLAN social engineering risks and countermeasures.
Hashcat password cracking is a high-performance password auditing tool defenders use to test whether an organization's stored hashes would fall quickly to realistic attacks. When used with proper authorization, it turns abstract password policy questions into measurable risk.
Cain and Abel is a legacy Windows password recovery and credential analysis suite. This page treats it as historical education and controlled lab context for credential security concepts — not as a modern production blue-team tool.
Ncrack audits authentication controls on network services in authorized environments — testing for weak and default credentials, validating account lockout behavior, and confirming that failed login attempts generate the alerts they should.
John the Ripper is a password auditing tool defenders use in authorized environments to test hash resilience, learn how different hash formats behave, and produce evidence-based credential security recommendations.
THC Hydra is a login/authentication testing tool that defenders can use in tightly scoped, authorized labs and audits to validate credential exposure and monitoring controls.
Medusa is a network login brute-force/auditing tool used by defenders in authorized labs and assessments to validate credential controls and failed-login monitoring.
Johnny is included as a historical GUI companion reference for John the Ripper to help learners understand older password audit UX patterns and why command-line reproducibility still matters.
Security Onion bundles network telemetry, IDS alerting, log collection, host visibility, and analyst case workflows into one integrated blue-team platform — making it an efficient way to learn how SOC components fit together in a lab.
Metasploit Framework is a widely used security testing and validation framework that defenders study in authorized labs to understand exploit mechanics, detection opportunities, and control effectiveness.
CrackMapExec is an automation framework used in authorized Windows/AD security testing and labs to validate exposure, credentials, and defensive detections across enterprise protocols.
Armitage is a legacy GUI/team collaboration interface for Metasploit, useful mainly as historical training context for understanding earlier offensive workflow orchestration and why modern teams emphasize controlled, auditable testing.
BloodHound is a graph analysis platform used in labs and authorized AD security reviews to understand privilege relationships, attack paths, and defensive hardening priorities in Windows environments.
mitm6 is a specialized IPv6/AD attack simulation tool used in authorized labs and purple-team exercises to teach defenders how IPv6/NTLM relay paths can be abused and how to harden and detect them.
SharpHound collects Active Directory relationship data for BloodHound analysis and is studied by defenders in authorized labs to understand what AD data enables privilege-path mapping and how to detect and harden against misuse.
Evil-WinRM is a WinRM client tool widely used in labs and authorized Windows security testing; defenders study it to understand WinRM abuse paths, logging, and hardening requirements.
PingCastle is an Active Directory security assessment tool used by defenders to review AD security posture, identify common risks, and prioritize hardening actions in Windows environments.
Steghide is a steganography tool used in labs and investigations to understand hidden data in media files and teach defenders how to examine stego-related artifacts safely.
Autopsy is a digital forensics platform used to analyze disk images and artifacts, helping defenders and investigators structure evidence review and case workflows.
strings extracts printable text from binaries and files, helping defenders quickly triage artifacts, spot indicators, and guide deeper analysis workflows.
Stegosuite is a steganography-focused GUI tool used in labs and forensic training to teach hidden-data concepts and artifact handling in image files.
SARA is a legacy vulnerability scanning/project reference taught here mainly for historical context so defenders can understand how scanning workflows evolved into modern vulnerability management.
Ettercap is a network protocol analysis and interception tool often used in labs to teach man-in-the-middle risks, protocol insecurity, and defensive monitoring requirements.
DNSChef is a configurable DNS proxy/tool often used in labs to simulate DNS responses, test application behavior, and teach defenders how DNS manipulation can affect systems.
Bettercap is a modular network interaction framework used in authorized labs to teach protocol abuse paths, network visibility, and corresponding defensive controls and detections.
ARPWatch is included as a monitoring reference to teach defenders how MAC/IP mapping changes can support local network anomaly detection and inventory validation.
Companion page to DNSChef focused on lab patterns for DNS simulation, validation, and defender observation workflows.
