As an infosec professional, you may already be familiar with decades-old network monitoring and security tools like Nmap, Wireshark or Snort, and password crackers like Ophcrack. Having these applications at your disposal has been an indispensable part of the gig.

What are some other free tools and services you can benefit from? The following list of nearly two dozen tools and services includes everything from password crackers to software decompilers to vulnerability management systems and network analyzers. Whatever your security role is, you'll find something useful in this list.

Here, in no particular order, are the 21 best free security tools:

Maltego

Originally developed by Paterva, Maltego is a forensics and open-source intelligence (OSINT) app designed to deliver a clear threat picture for the user's environment. It demonstrates the complexity and severity of single points of failure as well as trust relationships that exist within the scope of one's infrastructure. It pulls in information posted on the internet, whether it's the current configuration of a router on the edge of the company network or the current whereabouts of your company's vice president. The commercial license does have a price tag, but the community edition is free with some restrictions. You can expand Maltego’s capabilities by integrating it with VirusTotal, Internet Archive’s Wayback Machine, and over five-dozen Maltego “transforms.”

OWASP Zed Attack Proxy (ZAP)

The Zed Attack Proxy (ZAP) is a user-friendly penetration-testing tool that finds vulnerabilities in web apps. It provides automated scanners and a set of tools for those who wish to find vulnerabilities manually.
It's designed to be used by practitioners with a wide range of security experience, and is ideal for functional testers who are new to pen testing, or for developers: there’s even an official ZAP plugin for the Jenkins continuous integration and delivery application.

Shodan

Shodan is a popular Internet of Things (IoT) search engine for hunting devices such as internet-connected webcams, servers, and other smart devices. Running Shodan queries can help you identify public-facing servers and devices, including license plate readers, traffic lights, medical devices, water treatment facilities, wind turbines, and pretty much everything “smart.”

This can be especially useful to search for devices vulnerable to known exploits and vulnerabilities. A pen-tester can, for example, use an IoT search engine like Shodan as a part of their reconnaissance activities to identify any inadvertently exposed applications or servers belonging to a pen-testing client. Shodan is free to use when it comes to basic features, although options such as paid plans and a lifetime license offer the ability to use advanced search filters. An academic upgrade is also available free of cost to students, professors and IT staff at universities.

Kali Linux

Kali Linux is the Linux-based pen-testing distribution previously known as BackTrack. Security professionals use it to perform assessments in a purely native environment dedicated to hacking. Users have easy access to a variety of tools ranging from port scanners to password crackers. You can download ISOs of Kali to install on 32-bit or 64-bit x86 systems, or on ARM processors.
It’s also available as a VM image for VMware or Hyper-V.

Kali’s tools are grouped into the following categories: information gathering, vulnerability analysis, wireless attacks, web applications, exploitation tools, stress testing, forensics, sniffing and spoofing, password attacks, maintaining access, reverse engineering, reporting, and hardware hacking.

DNS Dumpster

For your domain research and DNS reconnaissance needs, DNS Dumpster has got you covered. As a free domain research web service, DNS Dumpster lets you look up everything about a domain, from hosts to otherwise hard-to-find subdomains that you’d like to tap into as a part of a security assessment engagement. DNS Dumpster provides analysis data on domain names both as an Excel file and a visual graphic (map) that can help you better understand the connections between a domain and its subdomains. Additionally, discovering dangling, abandoned or improperly parked subdomains can help a researcher unveil subdomain takeover vulnerabilities.

Photon

Photon is a super-fast web crawler designed for gathering OSINT. It can be used to obtain email addresses, social media accounts, Amazon buckets, and other crucial information relating to a domain, and draws on public sources such as Google and Internet Archive’s Wayback Machine. Written in Python, Photon comes with the ability to add plugins, such as for exporting the collected data into neatly formatted JSON, or for integrating DNSDumpster with Photon.

Hybrid Analysis

Hybrid Analysis is a malware analysis web service powered by CrowdStrike’s Falcon Sandbox. Most are familiar with VirusTotal, a malware analysis engine where community members can submit suspicious malware samples and URLs for analysis against over five-dozen antivirus engines.
Collected samples and artifacts are then analyzed and stored by VirusTotal servers for future use, with a publicly accessible analysis report generated for anyone to view. Hybrid Analysis is not much different, except that it not only analyzes the submitted URLs and samples through its own sandbox but also corroborates the findings with VirusTotal and MetaDefender. Moreover, while VirusTotal does not let users download malware samples for free, Hybrid Analysis enables this for registered community members who have gone through a simple vetting process (i.e., they tentatively plan on contributing samples to Hybrid Analysis, and using any downloaded samples for research purposes). If you have a malware sample hash from a VirusTotal report, it is often worth running it through Hybrid Analysis to see if you can download the sample at no cost.

Nessus

Nessus is one of the world’s most popular vulnerability and configuration assessment tools. It started life as an open-source project, but developer Tenable switched to a proprietary license back in version 3. As of October 2020, it’s up to version 8.12.1. Despite that, Nessus is still free for personal use on home networks, where it will scan up to 16 IP addresses. A commercial version will allow you to scan an unlimited number of IP addresses. According to the Tenable website, Nessus features high-speed discovery, configuration auditing, asset profiling, sensitive data discovery, patch management integration and vulnerability analysis.

ANY.RUN

ANY.RUN greatly exceeds the capabilities of any malware analysis sandbox that I have seen and comes with advantages like online virtual machine (VM) access.
First, the service runs entirely in your web browser and enables you to upload a malware sample, configure the virtual environment you want for your analysis, and watch a live VM session, which is recorded for later replays. Searching for a malware sample hash on Google will often bring up previously run ANY.RUN analyses by community members. For example, here’s an ANY.RUN report of a cryptocurrency miner that I had analyzed using ANY.RUN while researching the recent attack on GitHub infrastructure via GitHub Actions.

ANY.RUN not only lets you replay a recorded analysis session, but has simple one-click UI buttons to show you the Indicators of Compromise (IoCs), network requests, process graphs, and VirusTotal findings for a sample. The web service also lets you download the sample that was analyzed at no cost.

The service is free for everyone to use, although some features (extending analysis time to more than 60 seconds, using a 64-bit OS, etc.) require the user to sign up for a paid pricing plan. I often run malware samples through both ANY.RUN and Hybrid Analysis, in addition to using VirusTotal, to maximize the research output.

Tor Browser

No security tooling article can be complete without the mention of Tor Browser. The Tor project is designed for highly anonymized communication and web surfing, which works by encrypting your internet traffic and transmitting it over multiple hosts (“nodes”) around the world. This makes it virtually impossible for a Tor user’s location or identity to be known. Tor is powered by a free volunteer overlay network of over 7,000 relay nodes around the world designed to combat network surveillance or traffic analysis. Other than using Tor Browser for your privacy-centric web surfing needs, the tool’s prime use case remains acting as a gateway to the dark web, and many “.onion” sites that can only be accessed via Tor.
It is then no surprise that you’ll find Tor lurking in the toolkits of threat intelligence analysts and darknet researchers.

DarkSearch.io

Speaking of the dark web, wouldn’t it help if we also mentioned a search engine for it? While frequent visitors to the darknet may already be familiar with where to look for what, for those who may be new, darksearch.io can be a good platform for starting off with their research activities. Like another dark web search engine, Ahmia, DarkSearch is free but additionally comes with a free API for running automated searches. Although both Ahmia and DarkSearch have .onion sites, you don’t necessarily need to go to the .onion versions or use Tor for accessing either of these search engines. Simply accessing darksearch.io from a regular web browser will let you search the dark web.

John the Ripper

John the Ripper is a password cracker available for many flavors of UNIX, Windows, DOS, BeOS, and OpenVMS — although you’ll likely have to compile the free version yourself. It's mainly used to detect weak UNIX passwords. Besides several crypt(3) password hash types most commonly found on various UNIX systems, supported out of the box are Windows LM hashes, plus lots of other hashes and ciphers in the community-enhanced version. An enhanced community version includes support for GPUs to accelerate the search.

OWASP Dependency-Check

OWASP Dependency-Check is a free and open-source software composition analysis (SCA) tool that can analyze a software project’s dependencies for known public vulnerabilities. In addition to consulting NVD and other public sources of vulnerability information, Dependency-Check also consults the Sonatype OSS Index for vulnerability information pertaining to a precise software component name or coordinate rather than the more expansive CPEs provided by NVD.
[Full disclosure: Sonatype is my employer]

Microsoft Visual Studio

Some might find the mention of an integrated development environment (IDE) tool like Visual Studio here surprising, but rest assured it is for a sound reason. When analyzing Trojanized DLLs, such as the one used in the SolarWinds supply-chain attack, or reverse-engineering C#/.NET binaries, Microsoft Visual Studio comes in handy. When opening a .NET DLL with Visual Studio, for example, the tool will roughly reconstruct the original source code from the Microsoft Intermediate Language (MSIL) contained in the DLL, which makes it easier to reverse-engineer and understand the code’s purpose. Visual Studio works on both Windows and Mac operating systems, and there is a free community edition available to download. For those interested in just a DLL decompiler rather than a full-fledged IDE, JetBrains’ dotPeek is also an option, although it is currently available for Windows users only.

Java Decompiler

Much like you may have a need to decompile and analyze Windows DLLs from time to time, the same could be the case for Java software programs released as JAR files. Executable packages written in Java are often shipped as JARs which are, in effect, ZIP archives containing multiple Java “class” files. These class files are written in Java bytecode (an intermediary instruction set for the Java Virtual Machine) rather than native code specific to your operating system environment. This is why Java has traditionally touted itself as a “write once, run anywhere (WORA)” language.

For reverse-engineering a JAR and roughly reconverting the bytecode into its original source code form, a tool like Java Decompiler (JD) comes in handy and does the job sufficiently well.
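
The JAR layout described above can be inventoried before a decompiler is opened. The following is an added example, not part of the original article: it uses Python's standard `zipfile` module on a constructed in-memory JAR, and the function names and sample entries are assumptions made for illustration.

```python
import io
import struct
import zipfile

CLASS_MAGIC = 0xCAFEBABE  # first four bytes of every Java class file


def class_header(raw: bytes):
    """Return (is_class, major_version) parsed from a class-file header."""
    if len(raw) < 8:
        return False, None
    # Header layout: u4 magic, u2 minor_version, u2 major_version (big-endian).
    magic, _minor, major = struct.unpack(">IHH", raw[:8])
    is_class = magic == CLASS_MAGIC
    return is_class, (major if is_class else None)


def inventory_jar(jar_bytes: bytes):
    """List every *.class entry with its header check and target Java release."""
    report = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for info in jar.infolist():
            if not info.filename.endswith(".class"):
                continue
            # Read only the 8-byte header so an oversized entry is never inflated.
            with jar.open(info) as fh:
                ok, major = class_header(fh.read(8))
            # Major version 52 is Java 8; each later release adds one.
            java = major - 44 if ok and major >= 49 else None
            report.append({"name": info.filename, "is_class": ok,
                           "major": major, "java": java})
    return report


def build_sample_jar() -> bytes:
    """Constructed sample: header-only stubs, not real compiled classes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        jar.writestr("com/example/App.class", struct.pack(">IHH", CLASS_MAGIC, 0, 52))
        jar.writestr("com/example/Util.class", struct.pack(">IHH", CLASS_MAGIC, 0, 61))
        # Entry named like a class but holding other content (a PE "MZ" header).
        jar.writestr("com/example/Odd.class", b"MZ\x90\x00" + b"\x00" * 8)
    return buf.getvalue()


if __name__ == "__main__":
    for row in inventory_jar(build_sample_jar()):
        print(row)
```

An entry that carries a `.class` name without the `CAFEBABE` magic, like `Odd.class` in the sample, is worth a closer look before the archive goes into a decompiler.
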
JD is available for free as a standalone graphical utility called JD-GUI, or as an Eclipse IDE plugin, JD-Eclipse.

ModSecurity

ModSecurity is a web application monitoring, logging and access control toolkit developed by Trustwave's SpiderLabs Team. It can perform full HTTP transaction logging, capturing complete requests and responses, conduct continuous security assessments, and harden web applications. You can embed it in your Apache 2.x installation or deploy it as a reverse proxy to protect any web server.

Burp Suite

Burp Suite is a web app security testing platform. Its various tools support the entire testing process, from initial mapping and analysis of an application's attack surface, through to finding and exploiting security vulnerabilities. Tools within the suite include a proxy server, web spider, intruder and a so-called repeater, with which requests can be automated. PortSwigger offers a free edition that’s lacking the web vulnerability scanner and some of the advanced manual tools.

Metasploit

HD Moore created the Metasploit Project in 2003 to provide the security community with a public resource for exploit development. This project resulted in the Metasploit Framework, an open-source platform for writing security tools and exploits. In 2009, Rapid7, a vulnerability management solution company, acquired the Metasploit Project. Prior to the acquisition, all development of the framework occurred in the developer's spare time, eating up most weekends and nights. Rapid7 agreed to fund a full-time development team and keep the source code under the three-clause BSD license that is still in use today.

Aircrack-ng

What Wireshark does for Ethernet, Aircrack-ng does for Wi-Fi. In fact, it’s a complete suite of tools for monitoring packets, testing hardware, cracking passwords and launching attacks on Wi-Fi networks.
Version 1.2, released in April 2018, brings big improvements in speed and security and extends the range of hardware Aircrack-ng can work with.

Intelligence X

Intelligence X is a first-of-its-kind archival service and search engine that preserves not only historic versions of web pages but also entire leaked data sets that are otherwise removed from the web due to the objectionable nature of content or legal reasons. Although that may sound similar to what Internet Archive’s Wayback Machine does, Intelligence X has some stark differences when it comes to the kind of content the service focuses on preserving. When it comes to preserving data sets, no matter how controversial, Intelligence X does not discriminate.

Intelligence X has previously preserved the list of over 49,000 Fortinet VPNs that were found vulnerable to a Path Traversal flaw. Later during the week, plaintext passwords to these VPNs were also exposed on hacker forums which, again, although removed from these forums, were preserved by Intelligence X.

Previously, the service has indexed data collected from email servers of prominent political figures like Hillary Clinton and Donald Trump. Another recent example of the media indexed by Intelligence X is the footage from the 2021 Capitol Hill riots and the Facebook data leak of 533 million profiles. To intel gatherers, political analysts, news reporters, and security researchers, such information can be incredibly valuable in various ways.

GrayhatWarfare

There is a search engine for everything and that includes publicly exposed buckets and file blobs, whether intentional or accidental. GrayhatWarfare indexes publicly accessible resources like Amazon AWS buckets and Azure blob storage shares. As of today, the engine claims to have indexed over 4.2 billion files.
In fact, the recent discovery of a data leak that exposed passports and ID cards of volleyball journalists from around the world was made possible because of GrayhatWarfare having indexed the exposed Azure blob leaking this information.

For security researchers and pen-testers, GrayhatWarfare can be an excellent resource to discover accidentally exposed storage buckets, and propose appropriate remediation.