Offensive Linux Security Tools Cheatbook 2026

by x32x01
This guide highlights the essential offensive tools used on Linux for penetration testing, red-team exercises, and vulnerability research. These utilities help you discover weaknesses so defenders can fix them - always use them legally and with written permission.

Recon & discovery: Nmap, Masscan, Amass 🔎

  • Nmap - host discovery, port scanning, service/version detection, NSE scripts.
  • Masscan - super-fast port discovery for large IP ranges; follow up with Nmap.
  • Amass - domain and subdomain enumeration, useful for mapping an organization’s external attack surface.

Quick Nmap example (SYN scan with service/version detection on ports 1-1000):
Code:
sudo nmap -sS -sV -p 1-1000 -T4 target.example.com



Web testing: Burp Suite, OWASP ZAP, Nikto 🕸️

  • Burp Suite - intercepting proxy, repeater, intruder, and scanner (Community/Pro).
  • OWASP ZAP - open-source proxy/scanner for automated and manual web testing.
  • Nikto - fast web server scanner for common misconfigurations and exposures.
Set your browser proxy to 127.0.0.1:8080 to start intercepting with Burp or ZAP.



Exploitation & post-exploit: Metasploit 🧰

  • Metasploit Framework - modular exploit framework for testing known vulnerabilities, delivering payloads in controlled labs, and performing post-exploitation tasks. Use it to learn exploitation mechanics responsibly.
Start: msfconsole



Database & injection tools: sqlmap 🗄️

  • sqlmap - automated detection and exploitation of SQL injection flaws. Great for demonstrating risk and impact, never run against live production targets without permission.

Basic usage:
Code:
sqlmap -u "http://target/vuln.php?id=1" --batch



Network analysis: Wireshark & tcpdump 🧾

  • tcpdump - fast, command-line packet capture.
  • Wireshark - GUI analysis for deep protocol inspection and troubleshooting.

Capture example:
Code:
sudo tcpdump -i eth0 -w capture.pcap
wireshark capture.pcap



Wireless testing: Aircrack-ng suite 📶

  • Tools: airmon-ng, airodump-ng, aireplay-ng, aircrack-ng.
  • Use them in controlled environments to assess Wi-Fi security (WPA/WPA2). Do not test networks you don’t own.



Password auditing: Hashcat & John the Ripper 🔐

  • Hashcat - GPU-accelerated password cracking for auditing password strength.
  • John the Ripper - flexible CPU/GPU cracking and format support.

Example (hashcat; -m 0 selects raw MD5, and on Kali rockyou.txt ships gzipped and needs decompressing first):
Code:
hashcat -m 0 hashes.txt /usr/share/wordlists/rockyou.txt



Packet & proxy tools: Netcat & Socat 🔗

  • Netcat (nc) - banner grabs, simple listeners, and quick TCP/UDP checks.
  • Socat - advanced data piping and port forwarding. Handy for building test harnesses and tunnels.

Example (verbose listener on TCP port 4444):
Code:
nc -lvp 4444



Vulnerability scanning & management: OpenVAS / GVM 🔍

  • OpenVAS / GVM - full-featured open-source vulnerability scanner with reporting, useful for baseline scans and continuous assessment.



Recon helpers: Subfinder, Sublist3r, dnsenum 🧭

  • Subfinder / Sublist3r - fast subdomain discovery.
  • dnsenum - enumerate DNS records and zone info.
These tools expand your target list during reconnaissance phases.



Safe lab tips & ethics 🛡️

  • Always get written authorization (scope, IPs, time window).
  • Practice on VMs, CTFs, or platforms like TryHackMe, Hack The Box, and VulnHub.
  • Use disposable environments (VM snapshots) and never leak data from clients.
  • Keep tools updated and isolate tests from production networks.
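The written-authorization tip above (scope, IPs, time window) can be enforced mechanically before any tool is launched. This is an added example, not part of the original post; the scope values are constructed from documentation address ranges, and the names SCOPE, check_target and filter_targets are hypothetical.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample authorization (RFC 5737 documentation ranges, not real hosts).
SCOPE = {
    "networks": ["192.0.2.0/24", "198.51.100.16/28"],
    "excluded": ["192.0.2.10"],  # e.g. a production host carved out of scope
    "window_start": "2026-03-02T18:00:00+00:00",
    "window_end": "2026-03-06T06:00:00+00:00",
}

def check_target(target, scope, now=None):
    """Return (allowed, reason) for one target under the written scope."""
    now = now or datetime.now(timezone.utc)
    start = datetime.fromisoformat(scope["window_start"])
    end = datetime.fromisoformat(scope["window_end"])
    if not (start <= now <= end):
        return False, "outside authorized time window"
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        # Hostnames can resolve to addresses nobody authorized; fail closed.
        return False, "not an IP literal; resolve and confirm ownership first"
    if any(ip in ipaddress.ip_network(x, strict=False) for x in scope["excluded"]):
        return False, "explicitly excluded"
    if any(ip in ipaddress.ip_network(n) for n in scope["networks"]):
        return True, "in scope"
    return False, "not in any authorized network"

def filter_targets(targets, scope, now=None):
    """Split a target list into allowed addresses and rejected ones with reasons."""
    allowed, rejected = [], {}
    for t in targets:
        ok, reason = check_target(t, scope, now)
        if ok:
            allowed.append(t)
        else:
            rejected[t] = reason
    return allowed, rejected

if __name__ == "__main__":
    # Constructed target list and a fixed clock inside the sample window.
    when = datetime(2026, 3, 3, 12, 0, tzinfo=timezone.utc)
    ok, bad = filter_targets(
        ["192.0.2.55", "192.0.2.10", "198.51.100.40", "target.example.com"], SCOPE, when)
    print("allowed:", ok)
    for host, why in bad.items():
        print("rejected:", host, "-", why)
```

Only the allowed list should ever be handed to a scanner; the rejected entries and their reasons belong in the engagement log.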



Quick install (Kali/Debian) 🛠️

Code:
sudo apt update
sudo apt install -y nmap masscan metasploit-framework sqlmap wireshark tcpdump hashcat aircrack-ng nikto amass
(For Burp Pro and other commercial tools, download from official vendors.)

Final thoughts - offense to improve defense 🚀

Offensive Linux tools are powerful allies for security teams when used responsibly. They reveal gaps, validate defenses, and help teams fix issues before real attackers exploit them.