10 essential Linux tools for network and security pros

Picking just 10 Linux open source security tools isn’t easy, especially when network professionals and security experts have dozens if not several hundred tools available to them.

There are different sets of tools for just about every task—network tunneling, sniffing, scanning, mapping. And for every environment—Wi-Fi networks, Web applications, database servers.

We consulted a group of experts (Vincent Danen, vice president of product security, Red Hat; Casey Bisson, head of product growth, BluBracket; Andrew Schmitt, a member of the BluBracket Security Advisory Panel; and John Hammond, senior security researcher, Huntress) to develop this list of must-have Linux security tools.

Most of the tools listed here are free and open source. The two that cost money are Burp Suite Pro and Metasploit Pro. Both are considered indispensable in any enterprise program of vulnerability assessment and penetration testing.

1. Aircrack-ng for Wi-Fi network security

Aircrack-ng is a suite of tools for security testing wireless networks and Wi-Fi protocols. Security pros use this wireless scanner for network administration, hacking, and penetration testing. It focuses on:

  • Monitoring: Packet capture and export of data to text files for further processing by third-party tools.
  • Attacking: Replay attacks, deauthentication, fake access points via packet injection.
  • Testing: Checking Wi-Fi cards and driver capabilities.
  • Cracking: WEP and WPA PSK (WPA 1 and 2).

According to the Aircrack-ng website, all tools are command line, which allows for heavy scripting. The tool works primarily on Linux, but also Windows, macOS, FreeBSD, OpenBSD, NetBSD, as well as Solaris and even eComStation 2.

Cost: Free open-source software.

2. Burp Suite Pro targets web-app security

Burp Suite Professional is a web application testing suite used for assessing online website security. Burp Suite operates as a local proxy solution that lets security pros decrypt, observe, manipulate, and repeat web requests (HTTP/websockets) and responses between a web server and a browser.

The tool comes with a passive scanner that lets security pros map out the site and check for potential vulnerabilities as they manually crawl the site. The Pro version also offers a very useful active web vulnerability scanner that allows for further vulnerability detection. Burp Suite is extensible via plugins, so security pros can develop their own enhancements. The Pro version has the most robust plugins, making Burp a multi-tool suite of very useful web attack tools. 

Cost: The professional version costs $399. There’s also an enterprise version that enables multiple concurrent scans that can be used by application development teams.

3. Impacket for pen testing network protocols

This collection of tools is essential for pen testing network protocols and services. Developed by SecureAuth, Impacket operates as a collection of Python classes for working with network protocols. Impacket focuses on providing low-level access to packets, and for some protocols such as SMB1-3 and MSRPC, the protocol implementation itself. Packets can be constructed from scratch, as well as parsed from raw data. The object-oriented API makes it fairly easy to work with deep hierarchies of protocols. Impacket supports the following protocols:

  • Ethernet, Linux;
  • IPv4 and IPv6;
  • NMB and SMB1, SMB2 and SMB3;
  • MSRPC Version 5, over different transports: TCP, SMB/TCP, SMB/NetBIOS and HTTP;
  • Plain, NTLM and Kerberos authentications, using password/hashes/tickets/keys;
  • Portions of TDS (MSSQL) and LDAP protocol implementation

Cost: Free as long as the user gives SecureAuth credit. Impacket is provided under a slightly modified version of the Apache Software License. Security pros can review the license and compare it to the official Apache Software License.

4. Metasploit: A super-tool for detecting exploits

Metasploit is an exploitation framework from Rapid7 that is used for general penetration testing and vulnerability assessments. Security pros consider it a “super tool” that contains working versions of nearly every known exploit in existence.

Metasploit enables security pros to scan networks and endpoints (or import NMAP scan results) for vulnerabilities and then perform any possible exploitation automatically to take over systems.

According to a recent Rapid7 blog post, capturing credentials has been a critical and early phase in the playbook of many security testers. Metasploit has facilitated this for years with protocol-specific modules, all under the auxiliary/server/capture function. Security pros can start and configure each of these modules individually, but now there’s a capture plug-in that streamlines the process.

Cost: Metasploit Pro, which comes with commercial support from Rapid7, starts at $12,000 per year, but there is also a free version.

5. NCAT probes network connectivity

From the makers of NMAP, NCAT is a successor to the popular NETCAT. It facilitates reading and writing data over a network from the command line, but adds features such as SSL encryption. Security experts say NCAT has become crucial for hosting TCP/UDP clients and servers to send/receive arbitrary data from victim and attacking systems. It’s also a popular tool for establishing a reverse shell or exfiltrating data. NCAT was written for the NMAP Project and stands as the culmination of the currently splintered family of NETCAT incarnations. It’s designed as a reliable back-end tool to execute network connectivity to other apps and users. NCAT works with IPv4 and IPv6 and offers the ability to chain NCATs together, redirect TCP, UDP, and SCTP ports to other sites, as well as SSL support.

Cost: Free open source tool.

6. NMAP scans and maps networks

NMAP is a command-line network scanning tool that uncovers accessible ports on remote devices. Many security pros consider NMAP the most important and effective tool on our list; the tool is so powerful it’s become obligatory for pen testers. NMAP’s flagship feature is scanning network ranges for active servers, and then all of their ports for operating system, service and version discovery. Via NMAP’s scripting engine, it then performs further automated vulnerability detection and exploitation against any service it finds. NMAP supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many TCP and UDP port scanning mechanisms, OS detection, version detection, and ping sweeps. Security pros have used NMAP to scan large networks of hundreds of thousands of machines.

Cost: Free open source tool.

7. ProxyChains for network tunneling

The de facto standard for network tunneling, ProxyChains lets security pros issue proxy commands from their attacking Linux machine through various compromised machines to traverse network boundaries and firewalls, while evading detection. They use it when they want to use the Linux operating system to hide their identity on a network. ProxyChains routes the TCP traffic of pen testers through the following proxies: TOR, SOCKS, and HTTP. TCP reconnaissance tools such as NMAP are compatible – and the TOR network is used by default. Security pros also use ProxyChains to evade firewalls and IDS/IPS detection.

Cost: Free open source tool. 

8. Responder simulates attacks on DNS systems

Responder is an NBT-NS (NetBIOS Name Service), LLMNR (Link-Local Multicast Name Resolution) and mDNS (multicast DNS) poisoner that is used by penetration testers to simulate an attack aimed at stealing credentials and other data during the name resolution process when no record is found by the DNS server.

The latest version of Responder (v. comes with full IPv6 support by default, which lets security pros perform more attacks on IPv4 and IPv6 networks. This is important because Responder had lacked IPv6 support and therefore missed several attack paths. This was especially true on IPv6-only networks or even mixed IPv4/IPv6 networks, particularly when you take into consideration that IPv6 has become the preferred network stack on Windows.
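A defender's view of the behaviour described above, as an added example that is not from the article or the Responder project: it correlates DNS misses with LLMNR, NBT-NS and mDNS answers and flags any host that answers for several names DNS could not resolve, over IPv4 or IPv6. The event format, addresses, names, time window and threshold are all assumptions made for illustration.

```python
from collections import defaultdict

MULTICAST_KINDS = {"llmnr_answer", "nbtns_answer", "mdns_answer"}
WINDOW_S = 5.0   # assumed: fallback resolution follows the DNS miss within seconds
MIN_NAMES = 2    # assumed threshold: distinct failed names answered by one host

# Constructed sample events (not real traffic):
# (time_s, kind, source_address, queried_name)
SAMPLE_EVENTS = [
    (1.0, "dns_nxdomain", "10.0.0.53", "fileshar"),
    (1.2, "llmnr_answer", "10.0.0.66", "fileshar"),
    (4.0, "dns_nxdomain", "10.0.0.53", "prntsrv"),
    (4.1, "nbtns_answer", "10.0.0.66", "prntsrv"),
    (4.1, "llmnr_answer", "fe80::66", "prntsrv"),
    (9.0, "dns_nxdomain", "10.0.0.53", "printer01"),
    (9.3, "mdns_answer", "10.0.0.20", "printer01"),   # device answering for itself
    (12.0, "dns_nxdomain", "10.0.0.53", "intranett"),
    (12.2, "llmnr_answer", "fe80::66", "intranett"),
    (30.0, "llmnr_answer", "10.0.0.31", "devbox"),    # no preceding DNS miss
]

def find_suspected_poisoners(events, window_s=WINDOW_S, min_names=MIN_NAMES):
    """Return {source: sorted names} for hosts that answered multicast
    name queries for several names DNS had just reported as nonexistent."""
    last_miss = {}                # name -> time of the most recent NXDOMAIN
    answered = defaultdict(set)   # source -> failed names it answered for
    for t, kind, source, name in sorted(events):
        name = name.lower()
        if kind == "dns_nxdomain":
            last_miss[name] = t
        elif kind in MULTICAST_KINDS:
            miss = last_miss.get(name)
            if miss is not None and 0 <= t - miss <= window_s:
                answered[source].add(name)
    # A normal host answers only for its own name; a poisoner answers for any.
    return {src: sorted(names) for src, names in answered.items()
            if len(names) >= min_names}

if __name__ == "__main__":
    for src, names in find_suspected_poisoners(SAMPLE_EVENTS).items():
        print(f"{src} answered for unresolved names: {', '.join(names)}")
```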

Cost: Free open source software.

9. sqlmap looks for SQL injection flaws in database servers

sqlmap is an open source penetration testing tool that automates the process of detecting and exploiting SQL injection flaws that could be used to take over database servers. The tool comes with a powerful detection engine, and boasts many features for penetration testing including database fingerprinting, accessing the underlying file system and executing commands on the operating system via out-of-band connections.

Security pros say it helps them automate SQL discovery and injection attacks against all major SQL back-ends. It supports a wide range of database servers, including MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and HSQLDB. It also supports various kinds of SQL injection attacks, including boolean-based blind, time-based blind, error-based, stacked queries, and out-of-band.
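The boolean-based blind technique named above depends on a page answering differently when an always-true versus an always-false condition is appended to an input. The following added example (not from the article or the sqlmap project) shows that signal on a concatenated query and its absence once the input is validated and bound as a parameter. The table, function names and the in-memory SQLite database are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed sample data in an in-memory SQLite database.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    db.executemany("INSERT INTO products VALUES (?, ?)",
                   [(1, "router"), (2, "switch")])
    return db

def lookup_vulnerable(db, product_id):
    # Deliberately unsafe: caller input becomes part of the SQL text.
    query = "SELECT name FROM products WHERE id = " + product_id
    return [row[0] for row in db.execute(query)]

def lookup_hardened(db, product_id):
    # Input must be an integer and is bound as data, never parsed as SQL.
    try:
        value = int(product_id)
    except ValueError:
        return []
    rows = db.execute("SELECT name FROM products WHERE id = ?", (value,))
    return [row[0] for row in rows]

def boolean_signal(lookup, db):
    """True if a true condition leaves the result unchanged while a false
    condition changes it, the difference a boolean-based blind check uses."""
    baseline = lookup(db, "1")
    when_true = lookup(db, "1 AND 1=1")
    when_false = lookup(db, "1 AND 1=2")
    return when_true == baseline and when_false != baseline

if __name__ == "__main__":
    db = make_db()
    print("concatenated query leaks a boolean signal:",
          boolean_signal(lookup_vulnerable, db))
    print("parameterized query leaks a boolean signal:",
          boolean_signal(lookup_hardened, db))
```

Run as a regression test after a fix, `boolean_signal` should return False for every lookup function that takes user input.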

Cost: Free open source software.

10. Wireshark: Popular network protocol analyzer

Wireshark, which has been around since 1998, is a network protocol analyzer, commonly called a network interface sniffer. The latest update is Version 3.6.3.

Wireshark lets security pros observe a device’s network behavior to see which other devices it is communicating with (IP addresses) and why. In some older network topologies, network requests from other devices pass through the network interface of a security pro’s device, allowing them to observe the entire network’s traffic, not just their own. Security experts say it’s a great tool to figure out where the DNS servers and other services are for further exploitation of the network. Wireshark runs on most computing platforms, including Windows, macOS, Linux, and Unix.

Cost: Free open source software.
