Free security tools to help you learn
636-555-3226: Lots of people are trying to make headway in the infosec world. Many go after certs but lack real-world experience. I decided to make a post listing out free infosec tools that inexperienced people may want to start learning to help them land a job that actually requires them to know something. Most (if not all) of these tools have website or YouTube walk-throughs and are all free in some fashion. They're roughly listed out by topical areas. I also did this off the top of my head from memory, so I'm sure I missed good ones – please leave comments with any additional thoughts and I'll edit my post to include any other tools you suggest in the below. I've put asterisks in front of the ones that are "big" and will take a while to learn.
***Windows + Linux command-line experience (I recommend Linux Mint for beginners, but plenty of good choices exist)
PowerShell basics (lots of tools written in PS now, so it’s good to know the basics, plus MS is phasing out cmd.exe in favor of PS)
Python basics (some people would also say Ruby – many tools also written in Python, so it’s good to know the basics in case you need to fix something)
PuTTY
Wireshark
tcpdump
nmap
netcat
OpenDNS (helps learn the why & how of web gateways, sort of)
***Splunk (will take a lot of time to learn, but very popular, lots of high paying Splunk jobs. At least learn the basics)
Nessus vulnerability scanner
Nipper (aka nessus for network devices)
Nikto (aka nessus for websites)
***Snort or Bro (or both, they’re similar so it’s easy to pick one up after the other – also a very big project to learn, but at least learn the basics)
Recon-ng (or Maltego, but free version is limited)
Meterpreter
Veil-Framework
Mimikatz
SpiderLabs' Responder
PowerSploit
BloodHoundAD's BloodHound
EmpireProject's Empire
dafthack's MailSniper
***Metasploit (includes many of the above tools, many of which are duplicative of each other)
Some people say to use Kali Linux, but it’s basically just a weak Linux distro with tools (including some of the above) built in. I’d steer you towards a real, maintained Linux distro which you can then use trustedsec’s PenTesters Framework (PTF) to load all your tools on.
dafthack's DomainPasswordSpray (very easy and lots of fun if you've got AD at work – time to start doing password audits…..)
John the Ripper or Hashcat (password cracking – fun to do with your Windows/Active Directory passwords)
clr2of8's Domain Password Audit Tool (DPAT) – tool to report out the stats of various cracked password **** (cracked via the tools above - good support for implementing that 20+ character passphrase policy you didn't know you needed until you ran the last three tools)
THC Hydra (brute force guessing of password login pages/consoles/etc)
Ettercap or bettercap – network attacks
Yersinia – network attacks
***OWASP ZAP or Burp Suite – web attacks
BeEF – web attacks
sqlmap – web attacks
Google Santa (not the holiday version) – whitelisting for OSX (if you have a Mac – I’d steer you towards a dedicated [free] Linux distro instead of using a Mac)
Thinkst’s opencanary (lots of various honeypots/canaries out there, this is one to play with)
Keepass – most people in IT don’t securely store their passwords – don’t be that guy (very useful once you're rocking your new & unique 20+ character passphrases for 50 different systems)
Also strongly recommend you find the developers of the above tools and follow them on Twitter. I hate Twitter but have to admit that in terms of keeping up-to-date with new types of tools, Twitter's the best way to follow that kind of stuff.
What’d I miss?
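The list above pairs John the Ripper/Hashcat with DPAT to turn a cracked NTDS dump into the statistics that justify a passphrase policy. As an added example (not DPAT's own code, and not from the original post), the Python below takes the two artefacts those tools produce, an NTDS dump in pwdump format (`DOMAIN\user:RID:LMHASH:NTHASH:::`) and a hashcat potfile for NTLM (`NTHASH:plaintext`), and computes the numbers a password audit report is built from: cracked percentage, length distribution, most common passwords, how many cracked passwords already meet a minimum length, and password reuse. Reuse is computed from the hash alone, because two accounts with the same NT hash share a password whether or not anyone cracked it. All sample data is constructed; the NT hashes are placeholder hex strings, not real hashes of the listed passwords.

```python
"""Domain password audit statistics (added example; not DPAT's code).

Inputs are the files the post's toolchain produces:
  - NTDS dump in pwdump format:  DOMAIN\\user:RID:LM_HASH:NT_HASH:::
  - hashcat/JtR potfile (NTLM):  NT_HASH:plaintext
Sample data below is constructed; hash values are placeholders.
"""
from collections import Counter, defaultdict

EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # well-known hash of an empty LM password

# Constructed NTDS dump. Same placeholder NT hash on alice and carol == shared password.
NTDS_DUMP = f"""\
CORP\\alice:1104:{EMPTY_LM}:11111111222222223333333344444444:::
CORP\\bob:1105:{EMPTY_LM}:55555555666666667777777788888888:::
CORP\\carol:1106:{EMPTY_LM}:11111111222222223333333344444444:::
CORP\\dave:1107:{EMPTY_LM}:99999999aaaaaaaabbbbbbbbcccccccc:::
CORP\\svc_backup:1108:{EMPTY_LM}:ddddddddeeeeeeeeffffffff00000000:::
CORP\\erin:1109:{EMPTY_LM}:0123456789abcdef0123456789abcdef:::
"""

# Constructed potfile for the dump above (hashcat mode 1000 output, hash:plain).
POTFILE = """\
11111111222222223333333344444444:Summer2019!
55555555666666667777777788888888:Password1
99999999aaaaaaaabbbbbbbbcccccccc:correct horse battery staple
"""


def parse_ntds(text):
    """Return {account: nt_hash} from pwdump lines; skips blank or malformed records."""
    accounts = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or len(parts[3]) != 32:
            continue  # not a pwdump record
        accounts[parts[0]] = parts[3].lower()
    return accounts


def parse_potfile(text):
    """Return {nt_hash: plaintext}. Split on the first ':' only, so passwords
    that themselves contain ':' are kept intact."""
    cracked = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        h, plain = line.split(":", 1)
        cracked[h.lower()] = plain
    return cracked


def audit(accounts, cracked, min_length=20, top_n=5):
    """Compute the statistics a password audit report is built from."""
    total = len(accounts)
    cracked_accounts = {a: cracked[h] for a, h in accounts.items() if h in cracked}
    lengths = Counter(len(p) for p in cracked_accounts.values())
    top = Counter(cracked_accounts.values()).most_common(top_n)

    # Reuse from the hash alone: identical NT hash means identical password,
    # including for accounts nobody cracked.
    by_hash = defaultdict(list)
    for a, h in accounts.items():
        by_hash[h].append(a)
    shared = {h: sorted(a) for h, a in by_hash.items() if len(a) > 1}

    meets_policy = sum(1 for p in cracked_accounts.values() if len(p) >= min_length)
    return {
        "total_accounts": total,
        "cracked": len(cracked_accounts),
        "cracked_pct": round(100.0 * len(cracked_accounts) / total, 1) if total else 0.0,
        "length_histogram": dict(sorted(lengths.items())),
        "top_passwords": top,
        "shared_hashes": shared,
        "cracked_meeting_min_length": meets_policy,
    }


def run_audit(ntds_text=NTDS_DUMP, pot_text=POTFILE, min_length=20):
    return audit(parse_ntds(ntds_text), parse_potfile(pot_text), min_length=min_length)


if __name__ == "__main__":
    for key, value in run_audit().items():
        print(f"{key}: {value}")
```

Point the two defaults at a real secretsdump/ntdsutil export and your hashcat.potfile and the same functions work unchanged; only crack a dump you are authorized to hold, as the rest of this thread spells out.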
Comments
LonerVamp: I would definitely not steer someone clear of Kali Linux. It has a huge list of free tools to use in a controlled system. Is that a substitute for maintaining a full Linux box? No, but it's a great place to learn and even use regularly.
NetworkNewb: Yea, I'm personally gonna stick with just Kali for testing/playing around. That PTF looks like it could be nice for someone who actually does pentesting though.
Good list. I'm starting to use a home lab more and will definitely look at this list for ideas. Thank you.
dhay13: Awesome. Thanks. I have used many of those in the past but when I try to lab it seems I see a shiny thing and get distracted... lol. I need structured guidance to follow through to learn. If I set my own path I tend to stray too much.
chrisone: Good list, interesting ideas you have though. I am not trying to be a negative nancy here but.....
"dafthack's DomainPasswordSpray (very easy and lots of fun if you've got AD at work – time to start doing password audits…..)" Ugh, do NOT do this on your work environment! You will lock out accounts. Plus... YOU DO NOT TEST or F' WITH THE PRODUCTION ENVIRONMENT.
GitHub: DomainPasswordSpray is a tool written in PowerShell to perform a password spray attack against users of a domain. By default it will automatically generate the userlist from the domain. BE VERY CAREFUL NOT TO LOCKOUT ACCOUNTS!
"John the Ripper or Hashcat (password cracking – fun to do with your Windows/Active Directory passwords)" Highly illegal in the USA if you plan on doing this at work with users' passwords. Quick way for you to get fired or sued.
Please don't take this the hard way or as any criticism. With great power comes great responsibility.
636-555-3226: The password spray automatically queries AD to determine the lockout threshold, then it attempts to stay under that threshold. My red team's been using it since it was released and it stays under the threshold with no issue. The text there is the standard disclaimer of all security tools - buyer beware, this could break stuff. Always possible there's a problem, but my experience has been 100% positive. Try using it before you knock it.
JtR & Hashcat aren't illegal. Everybody's work environment is different, but most mid/large companies (and many small) have disclaimers plastered somewhere that say you don't have any expectation of privacy on anything you do at work & everything you do/use belongs to your employer. This typically means that your work password belongs to your work, not you.
Keep in mind, everybody - these are tools meant to help newbies learn how infosec works. This isn't a "tools to start using at your work to defend it and find its weaknesses" post. As with any new person learning the ropes - you should be running these things in a demo/test environment, not on your work computer tied into your work infrastructure. If I caught someone in my company running nmap scans and they weren't on my team, well, let's just say we'd have a joint meeting with that person & our HR director to talk about acceptable use of work assets!
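The two posts above disagree over whether a spray that reads the lockout threshold can be trusted to stay under it. The arithmetic it has to get right involves two policy values, not one: the lockout threshold and the lockout observation window, the period after which AD resets a user's bad-password counter when no further bad passwords arrive. The Python below is an added example, not DomainPasswordSpray's code: it plans rounds of at most `threshold - margin` attempts with a wait of one observation window between rounds, and runs that plan against a simplified model of AD's badPwdCount handling so you can see why the margin matters. Policy values, accounts and password lists are constructed. Two caveats a real run needs that this model does not show: the threshold queried from the default domain policy is not necessarily the one in effect for users covered by a fine-grained password policy (PSO), and a successful logon also resets the counter.

```python
"""Lockout-safe spray scheduling with a badPwdCount simulation.

Added example, not DomainPasswordSpray's code. Policy values and accounts are
constructed. The AD model is simplified: bad-password counter per account,
reset when the observation window has elapsed since the last failure, and
lockout when the counter reaches the threshold.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class LockoutPolicy:
    threshold: int            # lockoutThreshold; 0 means accounts never lock
    observation_minutes: int  # lockoutObservationWindow


def plan_spray(policy, passwords, safety_margin=1):
    """Split `passwords` into rounds that cannot reach the lockout threshold.

    Returns (attempts_per_round, wait_minutes_between_rounds, rounds).
    Raises ValueError when the policy leaves no safe number of attempts.
    """
    if policy.threshold == 0:
        return len(passwords), 0, [list(passwords)]  # no lockout: one round, no wait
    per_round = policy.threshold - safety_margin
    if per_round < 1:
        raise ValueError(
            f"threshold {policy.threshold} with margin {safety_margin} leaves no safe attempts")
    rounds = [list(passwords[i:i + per_round]) for i in range(0, len(passwords), per_round)]
    return per_round, policy.observation_minutes, rounds


@dataclass
class Account:
    password: str
    bad_count: int = 0
    last_bad_minute: Optional[int] = None
    locked: bool = False


def try_logon(account, password, now_minute, policy):
    """Simplified AD badPwdCount behaviour for one logon attempt."""
    if account.locked:
        return False
    if password == account.password:
        account.bad_count = 0  # a successful logon resets the counter
        return True
    # Counter resets once a full observation window has passed since the last failure.
    if (account.last_bad_minute is not None
            and now_minute - account.last_bad_minute >= policy.observation_minutes):
        account.bad_count = 0
    account.bad_count += 1
    account.last_bad_minute = now_minute
    if policy.threshold and account.bad_count >= policy.threshold:
        account.locked = True
    return False


def simulate_spray(policy, accounts, passwords, safety_margin=1):
    """Run the planned spray against simulated accounts.

    Returns (hits, locked): hits maps account -> password found,
    locked lists accounts the spray locked out.
    """
    _, wait, rounds = plan_spray(policy, passwords, safety_margin)
    hits, now = {}, 0
    for rnd in rounds:
        for pw in rnd:
            for name, acct in accounts.items():
                if name not in hits and try_logon(acct, pw, now, policy):
                    hits[name] = pw
        now += wait  # sleep one observation window before the next round
    locked = sorted(n for n, a in accounts.items() if a.locked)
    return hits, locked


# Constructed policy and accounts for a demonstration run.
POLICY = LockoutPolicy(threshold=5, observation_minutes=30)
PASSWORDS = ["Spring2019!", "Summer2019!", "Fall2019!", "Winter2019!",
             "Password1", "Welcome1", "Company123", "Changeme1"]


def fresh_accounts():
    return {"alice": Account("Summer2019!"),
            "bob": Account("Welcome1"),
            "carol": Account("a long passphrase nobody sprays")}


if __name__ == "__main__":
    print("with margin:", simulate_spray(POLICY, fresh_accounts(), PASSWORDS))
    print("no margin:  ", simulate_spray(POLICY, fresh_accounts(), PASSWORDS, safety_margin=0))
```

With the default margin the run finds alice and bob across two rounds and locks nobody; with `safety_margin=0` the same password list locks every account whose password was not in the first round, which is the failure the warning quoted above is about.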
chrisone: That's a fair response. I agree AD passwords are part of the company's intellectual property. It is a very thin line of ethics, cracking users' passwords though. As for the password spray, no, I have not used it on a production environment. I will take your word for it. I'd rather just check the AD settings for the lockout threshold. But that's depending on your job role/engagement etc.
Once again, great job on the list though.
infoscrub: I've actually been looking for a list like this. Thank you.
hirai5ed: Thanks for the list. I've been a sysadmin for years and just started looking at infosec. While I've used a bunch of these tools, there are lots more that I haven't even heard of.
BuzzSaw:
636-555-3226 wrote: »The password spray automatically queries AD to determine the lockout threshold, then it attempts to stay under that threshold. My red team's been using it since it was released and it stays under the threshold with no issue. The text there is the standard disclaimer of all security tools - buyer beware, this could break stuff. Always possible there's a problem, but my experience has been 100% positive. Try using it before you knock it.
JtR & Hashcat aren't illegal. Everybody's work environment is different, but most mid/large companies (and many small) have disclaimers plastered somewhere that say you don't have any expectation of privacy on anything you do at work & everything you do/use belongs to your employer. This typically means that your work password belongs to your work, not you.
Keep in mind, everybody - these are tools meant to help newbies learn how infosec works. This isn't a "tools to start using at your work to defend it and find its weaknesses" post. As with any new person learning the ropes - you should be running these things in a demo/test environment, not on your work computer tied into your work infrastructure. If I caught someone in my company running nmap scans and they weren't on my team, well, let's just say we'd have a joint meeting with that person & our HR director to talk about acceptable use of work assets!
TOTALLY agree.
I have literally seen someone take down a production network after watching a quick YouTube video on ARP spoofing..... they had little idea of what was actually going on.
At any rate, you are spot on. Corporate-level password audits have proven to be legal for years now. It's sort of a gray area in terms of ethics, but from a legal standpoint, it is what it is.
drakhan2002: Bro, Burp - add those to your list... unless they are there... I may have missed them!
Dr. Fluxx:
BuzzSaw wrote: »TOTALLY agree.
I have literally seen someone take down a production network after watching a quick YouTube video on ARP spoofing..... they had little idea of what was actually going on.
At any rate, you are spot on. Corporate-level password audits have proven to be legal for years now. It's sort of a gray area in terms of ethics, but from a legal standpoint, it is what it is.
LOL... I couldn't help but laugh!
kabooter: Android gem of a contribution. Thanks a lot for the detailed post. I was looking for this info and it took me over 2 weeks of painful dissection and search.
Only an idiot would try to run such tools in the office without getting permission first.
EnderWiggin: WebGoat. Not exactly a tool (depending on your definition of tool), but it's very useful for getting practice with the above list of tools.
!nf0s3cure: YARA? Is that considered an analysis tool, or can it be used for training?