Tools

The tools listed here are open-source, publicly available, and widely used in research, lab, and authorized testing contexts. They are organized by category to help you identify what is relevant to your current learning focus.

Always use tools in authorized environments only. Running these against systems you do not own or have explicit permission to test is illegal.

OSINT and Reconnaissance

  • Maltego — Graph-based OSINT platform for mapping relationships between entities (people, domains, IPs, organizations). Used for pre-engagement research and threat intelligence workflows. The community edition is free and functional for learning.
  • Shodan — Search engine for internet-connected devices, including exposed ICS/SCADA systems, industrial protocols, and misconfigured services. Essential for understanding the ICS attack surface on the public internet.
  • OSINT Framework — Visual directory of OSINT tools organized by category. Good starting point when you need to identify the right tool for a specific research task.
  • theHarvester — Command-line tool for gathering emails, subdomains, hosts, and employee names from public sources. Commonly used in the reconnaissance phase of authorized engagements.
  • Recon-ng — Modular web reconnaissance framework. Useful for automating OSINT data collection in a structured, repeatable way.

Web Security

  • Burp Suite Community Edition — Industry-standard web application security testing proxy. The free Community Edition is sufficient for learning. PortSwigger's Web Security Academy provides accompanying labs.
  • OWASP ZAP — Open-source web application scanner maintained by OWASP. Good alternative to Burp for automated scanning in lab environments.
  • Nikto — Web server scanner that checks for known vulnerabilities, misconfigurations, and outdated software. Useful for quick baseline assessments in authorized lab testing.
  • SQLMap — Automated SQL injection detection and exploitation tool. Widely used in web application security research and CTF challenges.

Network Analysis

  • Wireshark — The standard network protocol analyzer. Critical for understanding industrial protocols (Modbus, DNP3, EtherNet/IP) by capturing and dissecting traffic in a lab.
  • Nmap — Network discovery and security scanner. The foundation of network-level reconnaissance in authorized assessments. Includes NSE scripts for ICS protocol detection.
  • Zeek (formerly Bro) — Network traffic analysis framework used heavily in ICS/OT environments for protocol inspection and anomaly detection. Understanding Zeek helps with both offense and defense.

RFID and Hardware Research

  • Proxmark3 — Open-source RFID research platform. Used to read, analyze, and clone RFID credentials in authorized physical security assessments. Understanding how it works highlights common weaknesses in RFID-based access control.
  • Flipper Zero — Multi-protocol portable security research tool covering RFID, NFC, sub-GHz radio, infrared, and more. Popular for hands-on physical security research in lab and authorized contexts.
  • HackRF — Software-defined radio (SDR) hardware for transmitting and receiving radio signals. Used for analyzing wireless protocols, including those found in industrial environments.
  • Binwalk — Firmware analysis tool used to extract and analyze embedded file systems. Relevant for ICS device firmware research.

ICS and OT Analysis

  • GrassMarlin — NSA-released passive network mapping tool for ICS/SCADA environments. Generates topology maps without sending active traffic, making it safer for sensitive OT networks.
  • Redpoint — Nmap NSE scripts from Digital Bond specifically designed to enumerate ICS devices and protocols (Modbus, BACnet, EtherNet/IP). Useful for authorized ICS network assessments.
  • PLCScan — Utility for scanning and identifying PLC devices on a network. Informative for understanding what ICS assets are exposed in a given environment.
  • Conpot — Low-interaction ICS/SCADA honeypot. Useful for studying attacker behavior targeting industrial systems in a controlled environment.

AI and Machine Learning Security Testing

  • Garak — LLM vulnerability scanner that probes language models for jailbreaks, prompt injection, and unsafe outputs. Useful for anyone researching AI model security.
  • TextAttack — Python framework for adversarial attacks, data augmentation, and training in NLP. Used in AI security research to test model robustness.
  • ART (Adversarial Robustness Toolbox) — IBM open-source library for testing ML model robustness against adversarial examples. Covers image, text, and tabular models.

Frameworks and Platforms

  • Metasploit Framework — The most widely used open-source penetration testing framework. Most red team training involves Metasploit at some stage. Use only in authorized lab environments.
  • MITRE ATT&CK Navigator — Web tool for visualizing and annotating ATT&CK matrices. Useful for planning simulated adversary behavior, gap analysis, and detection coverage mapping.
  • ATT&CK for ICS — Extension of the ATT&CK framework covering adversary tactics specific to industrial control systems. Essential reference for ICS threat modeling.

Marketplaces

  • Red Team Tools — Great website for finding and purchasing tools to assist offensive security assessments.
  • Hacker Warehouse — Another excellent website for finding and purchasing tools to assist offensive security assessments.