10 tools network and security pros can’t live without

It’s difficult to pick just 10 Linux open source security tools, as network professionals and security experts have a whole slew available to them, hundreds.

There are specialized tools every task just about—mapping, network tunneling, sniffing, scanning. Even specializations for every environment—Wi-Fi networks, Web applications, database servers.

We queried experts in the field to create this list of must-have Linux security tools.

Most of the tools listed are free and open source. Those which are not free are Burp Suite Pro and Metasploit Pro. Both are considered industry standard and indispensable to any enterprise security program of vulnerability assessment and penetration testing.

1. Metasploit: A swiss army super-tool for detecting exploits

Rapid7’s exploitation framework, which is used for broad risk and vulnerability evaluations, is regarded as a “super tool” by security professionals since it contains functioning versions of practically every known exploit.

Metasploit allows security professionals to scan networks and devices for vulnerabilities (or import NMAP scan data) and then automate any conceivable exploitation to takeover computers.

Capturing credentials has been a vital and early element in the playbook of many security testers, according to a recent Rapid7 blog article. For years, Metasploit has made this easier with protocol-specific modules, all of which may be found under the auxiliary/server/capture function. Security professionals can launch and setup each of these modules separately, but there is now a capture plug-in that makes the process easier.

Cost: Metasploit Pro costs $12,000 a year and includes commercial support from Rapid7, however there is also a free version.

2. Impacket for penetration testing network protocols

For penetration testing network protocols and services, this set of tools is needed. Impacket is a set of Python classes for interacting with network protocols that was created by SecureAuth. Impacket focuses on giving low-level access to packets, as well as protocol implementation for select protocols such as SMB1-3 and MSRPC. Security experts can build transmissions from the ground up as well as analyze raw data. The object-oriented API makes working with complex protocol hierarchies relatively simple. The following protocols are supported by Impacket:

  • ethernet
  • IPv4 and IPv6
  • NMB and SMB1, SMB2 and SMB3
  • MSRPC Version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys
  • Portions of TDS (MSSQL) and LDAP protocol implementation

Cost: As long as the user gives SecureAuth credit, it is free. Impacket is released under an Apache Software License that has been slightly modified. Security professionals may read it and compare it to the Apache Software License.

3. Aircrack-ng for Wi-Fi network security

Aircrack-ng is a collection of tools for analyzing the security of wireless networks and protocols. This wireless scanner is used by security professionals for network management, cracking, and ethical hacking. It centers on:

  • Monitoring: Capture of packets and data transfer to files for additional analysis by third-party programs.
  • Attacking: Replay attacks, deauthentication, and packet injection to create phony access points.
  • Testing: Assessing the capabilities of Wi-Fi cards and drivers.
  • Cracking: WEP and WPA PSK Cracking (WPA 1 and 2).

All tools are command line, according to the Aircrack-ng website, allowing for extensive scripting. The tool runs on Linux, but it also works on Windows, macOS, FreeBSD, OpenBSD, NetBSD, Solaris, and eComStation 2.

Cost: Open source tool. Free.

4. Wireshark: Popular network protocol analyzer

Wireshark is a network protocol analyzer, sometimes known as a network interface sniffer, that has been around since 1998. Version 3.6.3 is the most recent upgrade.

Wireshark allows security professionals to examine a device’s network behavior to determine which other devices (IP addresses) it is connecting with and why. In certain older network topologies, network requests from other devices flow via a security professional’s device’s network interface, allowing them to monitor the whole network’s activity, not just their own. According to security experts, it’s an excellent tool for figuring out where DNS servers and other services are located so that the network may be exploited further. Wireshark is compatible with a wide range of operating systems, including Windows, Mac OS X, Linux, and Unix.

Cost: Open source. Free.

5. Burp Suite Pro targets web-app security

Burp Suite Professional is a web app testing suite for determining the security of internet websites. Burp Suite is a local proxy tool that allows security professionals to decrypt, view, alter, and repeat online requests and replies (HTTP/websockets) between a web server and a browser.

The application includes a passive scanner that allows security professionals to manually search the site and map out possible vulnerabilities. A highly handy active web vulnerability scanner is included in the Pro edition, allowing for yet more vulnerability discovery. Burp Suite may be extended via plugins, allowing security professionals to create their own features. Burp is a multi-tool set of extremely helpful web assault tools, with the Pro edition having the most sophisticated plugins.

Cost: The professional version will set you back $399. There’s also an enterprise edition for application development teams that allows for several concurrent scans.

6. NCAT probes network connectivity

NCAT is a successor to the famous NETCAT from the developers of NMAP. It allows you to read and write data across a network from the command line, but it also includes security features like SSL encryption. According to security experts, NCAT is critical for hosting TCP/UDP clients and servers that send and receive arbitrary data from both victim and attacker systems. It’s also often used for building a reverse shell and data exfiltration. NCAT is the conclusion of the currently split family of NETCAT versions and was created for the NMAP Project. It’s intended to serve as a dependable back-end tool for establishing network connections with other apps and users. NCAT supports IPv4 and IPv6 and allows you to chain NCATs together as well as redirect TCP, UDP, and SCTP ports to other sites, as well as SSL support.

Cost: Open source tool. Free.


NMAP is a network scanning program that uses the command line to find open ports on remote devices. NMAP is considered by many security professionals to be the most critical and effective tool on our list; it’s so strong that it’s become a must-have for pen testers. The main characteristic of NMAP is that it scans network ranges for live servers before scanning all of its ports for operating system, service, and version discovery. It then does additional automated vulnerability discovery and exploitation against any service it detects using NMAP’s scripting engine. NMAP can map out networks with IP filters, firewalls, routers, and other barriers using a variety of sophisticated approaches. Many TCP and UDP port scanning mechanisms, as well as OS detection, version detection, and ping sweeps, are included. NMAP has been used by security experts to scan vast networks of hundreds of thousands of machines.

Cost: Open source tool. Free.

8. ProxyChains for network tunneling

ProxyChains, the de facto standard for network tunneling, allows security professionals to send proxy orders from an attacking Linux workstation to multiple compromised devices, allowing them to bypass network boundaries and firewalls while avoiding discovery. They utilize it when they wish to mask their identity on a network using the Linux operating system. Pen testers’ TCP traffic is routed through TOR, SOCKS, and HTTP proxies using ProxyChains. NMAP and other TCP spying tools are compatible, and the TOR network is utilized by default. ProxyChains are also used by security professionals to get around firewalls and detect IDS/IPS.

Cost: Open source tool. Free. 

8. Responder simulates attacks on DNS systems

Responder is a poisoner that uses NBT-NS (NetBIOS Name Service), LLMNR (Link-Local Multicast Name Resolution), and mDNS (multicast DNS) to mimic an attack targeted at stealing passwords and other data during the name resolution process when the DNS server fails to find a record.

Responder’s current version (v. has complete IPv6 functionality by default, allowing security professionals to conduct more attacks on both IPv4 and IPv6 networks. This is significant since Responder does not support IPv6 and hence missed multiple attack vectors. This was especially true on IPv6-only networks or even mixed IPv4/IPv6 networks, especially given that IPv6 has surpassed IPv4 as Windows’ default network stack.

Cost: Open source tool. Free.

9. sqlmap looks for SQL injection vulnerabilities

sqlmap is a free and open source penetration testing tool that automates the detection and exploitation of SQL injection problems that might be exploited to take over database systems. The program has a sophisticated detection engine and other tools for penetration testing, such as database fingerprinting, access to the underlying file system, and command execution on the operating system through out-of-band connections.

According to security experts, it enables them to automate SQL detection and injection attacks against all major SQL back-ends. MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB, and HSQLDB are among the database servers it supports. It also supports boolean-based blind, time-based blind, error-based, stacked queries, and out-of-band SQL injection attacks.

Cost: Open source tool. Free.

Scroll to top

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

CiscoLessons will use the information you provide on this form to send occasional (less than 1/wk) updates and marketing.