As an infosec professional, you may be already familiar with decades-old network monitoring and security tools like Nmap, Wireshark or Snort, and password crackers like Ophcrack. Having these applications at your disposal has been an indispensable part of the gig.

What are some other free tools and services you can benefit from? The following list of nearly two dozen tools and services include everything from password crackers to software decompilers to vulnerability management systems and networks analyzers. Whatever your security role is, you’ll find something useful in this list.

Here, in no particular, order are the 21 best free security tools:

1. Maltego
2. OWASP Zed Attack Proxy (ZAP)
3. Shodan
4. Kali Linux
5. DNS Dumpster
6. Photon
7. Hybrid Analysis
8. Nessus
9. ANY.RUN
10. Tor Browser
11. Darksearch.io
12. John the Ripper
13. OWASP Dependency-Check
14. Microsoft Visual Studio
15. Java Decompiler
16. ModSecurity
17. Burp Suite
18. Metasploit
19. Aircrack-ng
20. Intelligence X
21. GrayhatWarfare

Maltego

Originally developed by Paterva, Maltego is a forensics and open-source intelligence (OSINT) app designed to deliver a clear threat picture for the user’s environment. It demonstrates the complexity and severity of single points of failure as well as trust relationships that exist within the scope of one’s infrastructure. It pulls in information posted on the internet, whether it’s the current configuration of a router on the edge of the company network or the current whereabouts of your company’s vice president. The commercial license does have a price tag, but the community edition is free with some restrictions.
You can expand Maltego’s capabilities by integrating it with VirusTotal, Internet Archive’s Wayback Machine, and over five-dozen Maltego “transforms.”

OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is a user-friendly penetration-testing tool that finds vulnerabilities in web apps. It provides automated scanners and a set of tools for those who wish to find vulnerabilities manually. It’s designed to be used by practitioners with a wide range of security experience, and is ideal for functional testers who are new to pen testing, or for developers: There’s even an official ZAP plugin for the Jenkins continuous integration and delivery application.

Shodan

Shodan is a popular Internet of Things (IoT) search engine for hunting devices such as internet-connected webcams, servers, and other smart devices. Running Shodan queries can help you identify public-facing servers and devices, including license plate readers, traffic lights, medical devices, water treatment facilities, wind turbines, and pretty much everything “smart.”

This can be especially useful to search for devices vulnerable to known exploits and vulnerabilities. A pen-tester can, for example, use an IoT search engine like Shodan as a part of their reconnaissance activities to identify any inadvertently exposed applications or servers belonging to a pen-testing client.

Shodan is free to use when it comes to basic features, although options such as paid plans and a lifetime license offer the ability to use advanced search filters. Academic upgrade is also available free of cost to students, professors and IT staff at universities.

Kali Linux

Kali Linux is the Linux-based pen-testing distribution previously known as BackTrack. Security professionals use it to perform assessments in a purely native environment dedicated to hacking. Users have easy access to a variety of tools ranging from port scanners to password crackers. You can download ISOs of Kali to install on 32-bit or 64-bit x86 systems, or on ARM processors. It’s also available as a VM image for VMware or Hyper-V.

Kali’s tools are grouped into the following categories: information gathering, vulnerability analysis, wireless attacks, web applications, exploitation tools, stress testing, forensics, sniffing and spoofing, password attacks, maintaining access, reverse engineering, reporting, and hardware hacking.

DNS Dumpster

For your domain research and DNS reconnaissance needs, DNS Dumpster has got you covered. As a free domain research web service, DNS Dumpster lets you look up everything about a domain, from hosts, to otherwise hard-to-find subdomains that you’d like to tap into as a part of a security assessment engagement.

DNS Dumpster provides analysis data on domain names both as an Excel file and a visual graphic (map) that can help you better understand the connections between a domain and its subdomains. Additionally, discovering dangling, abandoned or improperly parked subdomains can help a researcher unveil subdomain takeover vulnerabilities.

Photon

Photon is a super-fast web crawler designed for gathering OSINT. It can be used to obtain email addresses, social media accounts, Amazon buckets, and other crucial information relating to a domain, and draws on public sources such as Google and Internet Archive’s Wayback Machine. Written in Python, Photon comes with the ability to add plugins, such as, for exporting the collected data into neatly formatted JSON, or to integrate DNSDumpster with Photon.

Hybrid Analysis

Hybrid Analysis is a malware analysis web service powered by CrowdStrike’s Falcon Sandbox. Most are familiar with VirusTotal, a malware analysis engine where community members can submit suspicious malware samples and URLs for analysis against over five-dozen antivirus engines. Collected samples and artifacts are then analyzed and stored by VirusTotal servers for future use, with a publicly accessible analysis report generated for anyone to view.

Hybrid Analysis is not much different, except not only does it analyze the submitted URLs and samples through its own sandbox, it also corroborates the findings with VirusTotal and MetaDefender. Moreover, while VirusTotal does not let users download malware samples for free, Hybrid Analysis enables this for registered community members who have gone through a simple vetting process (i.e., they tentatively plan on contributing samples to Hybrid Analysis, and using any downloaded samples for research purposes). If you have a malware sample hash from a VirusTotal report, it is often worth running it through Hybrid Analysis to see if you can download the sample at no cost.

Nessus

Nessus is one of the world’s most popular vulnerability and configuration assessment tools. It started life as an open-source project, but developer Tenable switched to a proprietary license back in version 3. As of October 2020, it’s up to version 8.12.1. Despite that, Nessus is still free for personal use on home networks, where it will scan up to 16 IP addresses. A commercial version will allow you to scan an unlimited number of IP addresses. According to the Tenable website, Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration and vulnerability analysis.

ANY.RUN

ANY.RUN greatly exceeds the capabilities of any malware analysis sandbox that I have seen and comes with advantages like online virtual machine (VM) access. First, the service runs entirely in your web browser and enables you to upload a malware sample, configure the virtual environment you want for your analysis, and shows you a live VM session, which is recorded for later replays.

Searching for a malware sample hash on Google will often bring up previously run ANY.RUN analyses by community members. For example, here’s an ANY.RUN report of a cryptocurrency miner that I had analyzed using ANY.RUN while researching the recent attack on GitHub infrastructure via GitHub Actions.

ANY.RUN not only lets you replay a recorded analysis session, but has simple one-click UI buttons to show you the Indicators of Compromise (IoCs), network requests, process graphs, and VirusTotal findings for a sample. The web service also lets you also download the sample that was analyzed at no cost.

The service is free for everyone to use, although some features (extending analysis time to more than 60 seconds, using a 64-bit OS, etc.) require the user to sign up for a paid pricing plan. I often run malware samples through both ANY.RUN and Hybrid Analysis, in addition to using VirusTotal to maximize the research output.

Tor Browser

No security tooling article can be complete without the mention of Tor Browser. The Tor project is designed for highly anonymized communication and web surfing which works by encrypting your internet traffic and transmitting it over multiple hosts (“nodes”) around the world. This makes it virtually impossible for a Tor user’s location or identity to be known.

Tor is powered by a free volunteer overlay network of over 7,000 thousand relay nodes around the world designed to combat network surveillance or traffic analysis. Other than using Tor Browser for your privacy-centric web surfing needs, the tool’s prime use case remains acting as a gateway to the dark web, and many “.onion” sites that can only be accessed via Tor. It is then no surprise that you’ll find Tor lurking in the toolkits of threat intelligence analysts and darknet researchers.

DarkSearch.io

Speaking of dark web, wouldn’t it help if we also mentioned a search engine for it? While frequent visitors to the darknet may already be familiar with where to look for what, for those who may be new, darksearch.io can be a good platform for starting off with their research activities.

Like another dark web search engine Ahmia, DarkSearch is free but additionally comes with a free API for running automated searches. Although both Ahmia and DarkSearch have .onion sites, you don’t need to necessarily go to the .onion versions or use Tor for accessing either of these search engines. Simply accessing darksearch.io from a regular web browser will let you search the dark web.

John the Ripper

John the Ripper is a password cracker available for many flavors of UNIX, Windows, DOS, BeOS, and OpenVMS — although you’ll likely have to compile the free version yourself. It’s mainly used to detect weak UNIX passwords. Besides several crypt(3) password hash types most commonly found on various UNIX systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. An enhanced community version includes support for GPUs to accelerate the search.

OWASP Dependency-Check

OWASP Dependency-Check is a free and open-source software composition analysis (SCA) tool that can analyze a software project’s dependencies for known public vulnerabilities. In addition to consulting NVD and other public sources of vulnerability information, Dependency-Check also consults the Sonatype OSS Index for vulnerability information pertaining to a precise software component name or coordinate rather than the more expansive CPEs provided by NVD. [Full disclosure: Sonatype is my employer]

Microsoft Visual Studio

Some might find the mention of an integrated development environment (IDE) tool like Visual Studio here surprising, but rest assured it is for a sound reason. When analyzing Trojanized DLLs, such as the one used in the SolarWinds supply-chain attack, or reverse-engineering C#/.NET binaries, Microsoft Visual Studio comes in handy.

When opening a .NET DLL with Visual Studio for example, the tool will roughly reconstruct the original source code from the Microsoft Intermediate Language (MSIL) contained in the DLL, which makes it easier to reverse-engineer and understand the code’s purpose. Visual Studio works on both Windows and Mac operating systems, and there is a free community edition available to download.

For those interested in just a DLL decompiler rather than a full-fledged IDE, JetBrains’ dotPeek is also an option, although it is currently available for Windows users only.

Java Decompiler

Much like you may have a need to decompile and analyze Windows DLLs from time to time, the same could be the case for Java software programs released as JAR files. Executable packages written in Java are often shipped as JARs which are, in effect, ZIP archives containing multiple Java “class” files.

These class files are written in Java bytecode (an intermediary instruction set for the Java Virtual Machine) rather than native code specific to your operating system environment. This is why Java has traditionally touted itself as a “write once, run anywhere (WORA)” language.

For reverse-engineering a JAR and roughly reconverting the bytecode into its original source code form, a tool like Java Decompiler (JD) comes in handy and does the job sufficiently well. JD is available for free as a standalone graphical utility called JD-GUI, or as an Eclipse IDE plugin, JD-Eclipse.

ModSecurity

ModSecurity is a web application monitoring, logging and access control toolkit developed by Trustwave’s SpiderLabs Team. It can perform full HTTP transaction logging, capturing complete requests and responses, conduct continuous security assessments, and harden web applications. You can embed it in your Apache 2.x installation or deploy it as a reverse proxy to protect any web server.

Burp Suite

Burp Suite is a web app security testing platform. Its various tools support the entire testing process, from initial mapping and analysis of an application’s attack surface, through to finding and exploiting security vulnerabilities. Tools within the suite include a proxy server, web spider, intruder and a so-called repeater, with which requests can be automated. Portswigger offers a free edition that’s lacking the web vulnerability scanner and some of the advanced manual tools.

Metasploit

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open-source platform for writing security tools and exploits. In 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developer’s spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and keep the source code under the three-clause BSD license that is still in use today.

Aircrack-ng

What Wireshark does for Ethernet, Aircrack-ng does for Wi-Fi. In fact, it’s a complete suite of tools for monitoring packets, testing hardware, cracking passwords and launching attacks on Wi-Fi networks. Version 1.2, released in April 2018, brings big improvements in speed and security and extends the range of hardware Aircrack-ng can work with.

Intelligence X

Intelligence X is a first-of-its-kind archival service and search engine that preserves not only historic versions of web pages but also entire leaked data sets that are otherwise removed from the web due to the objectionable nature of content or legal reasons. Although that may sound similar to what Internet Archive’s Wayback Machine does, Intelligence X has some stark differences when it comes to the kind of content the service focuses on preserving. When it comes to preserving data sets, no matter how controversial, Intelligence X does not discriminate.

Intelligence X has previously preserved the list of over 49,000 Fortinet VPNs that were found vulnerable to a Path Traversal flaw. Later during the week, plaintext passwords to these VPNs were also exposed on hacker forums which, again, although removed from these forums, were preserved by Intelligence X.

Previously, the service has indexed data collected from email servers of prominent political figures like Hillary Clinton and Donald Trump. Another recent example of the media indexed by on Intelligence X is the footage from the 2021 Capitol Hill riots and the Facebook’s data leak of 533 million profiles. To intel gatherers, political analysts, news reporters, and security researchers, such information can be incredibly valuable in various ways.

GrayhatWarfare

There is a search engine for everything and that includes publicly exposed buckets and file blobs, whether intentional or accidental. GrayhatWarfare indexes publicly accessible resources like Amazon AWS buckets and Azure blob storage shares.

As of today, the engine claims to have indexed over 4.2 billion files. In fact, the recent discovery of a data leak that exposed passports and ID cards of volleyball journalists from around the world was made possible because of GrayhatWarfare having indexed the exposed Azure blob leaking this information.

For security researchers and pen-testers, GrayhatWarfare can be an excellent resource to discover accidentally exposed storage buckets, and propose appropriate remediation.