SECURITY RESEARCH, TOOLS | July 1, 2025

Offensive security tools 2025

To stay ahead, security teams must think like attackers — discovering vulnerabilities before they do.

By understanding and using Offensive Security tools, organizations can better harden systems, quickly detect intrusions, and respond effectively during security incidents.

Introduction

Back in 2016 we assembled 16 Offensive Security Tools for Sysadmins. Nearly a decade on, some of these tools have not only survived but evolved while others have reached end-of-life, and others rendered ineffective as defenses caught new tools and technologies emerged.

Close-Up of computer monitors in grey-scale

In 2025, the attack surface and threat landscape are more complex, and malicious actors far more sophisticated. The right tools are more important then ever for security professionals to defend against daily attacks.

The mitigations listed for each tool are high-level pointers for sysadmins (systems administrators) to consider. While some of the recommendations may appear to be common sense, far too often the basics are overlooked.

Offensive Security Tools

MetaSploit Framework
Metasploit Framework continues to rank high in the offensive security world after many years in use. It now integrates into automated workflows. Both Attackers and Defenders use Metasploit - security teams train SOC analysts on real world attacks scenarios with it. It has an active open source community who continuously add new exploits modules for latest CVE's, giving sysadmins the ability test, patch and validate their defenses.

Defending against Metasploit:
  • Keeping systems up to date is critical.
  • Monitor network traffic. Deploy IDS/IPS such as Zeek or osquery
  • Use strong passwords on all systems.
  • Deploy network services with secure configurations to minimise attack surface.
Nuclei
Nuclei is high-speed, open-source, versatile, template driven tool you can use for vulnerability scanning, endpoint discovery, asset-fingerprinting and more. Using templates, or craft your own custom template, Nuclei can detect vulnerabilities, misconfigurations, networks, exposed services. Its speed and ease of use makes it a valuable tool for Red teams, but also makes it a tool malicious actors reach for. Nuclei makes probing targets easy with the ability to launch thousands of probes at the same time with results returned as JSON or grep-friendly searchable, making it easy to filter and make a list of exploitable weaknesses.

Defending against Nuclei:
  • Patch and update. Nuclei uses vulnerabilities to exploit your system so keep everything up to date.
  • Use Nuclei for Defense: run it against your own IP ranges, subdomains and API's. See which vulnerabilities are detected or security gaps are revealed.
  • Put critical systems behind authenticated gateways so scanners can't probe them directly.
Bettercap
Bettercap was originally released (v1) as a framework for MITM attacks on local networks. Version 2, written in Go, extends well beyond just local networks and is an extendable 'swiss army knife' for attacking wifi networks, CAN-bus networks, Bluetooth, ARP-spoofing and more. It can now be deployed on Android devices, making it more portable for penetration testing.

Defending against Bettercap:
  • Use properly configured switches, vlans and host setups.
  • Lock down unused network ports.
  • Verification, encryption and monitoring.
  • Detect and analyses ARP/DNS anomalies with Zeek IDS, Suricata and Arpwatch.
Bloodhound
Using Graph theory to reveal and visualise relationships within Active Directory, Entra ID and Microsoft Azure Iaas, Bloodhound comes in a Enterprise and a Community Edition. Bloodhound Community Edition is free opensource used as a security auditing tool.

Defending against Bloodhound:
  • Tighten Group Permission. Lock down who can add or remove members of high-privileged groups.
  • Segment and Isolate Critical Assets
  • Continuous monitoring with your choice SIEM eg Splunk
Social Engineer Toolkit
Social Engineer Toolkit remains one of the most widely used open-source frameworks for social engineering. It's modular toolkit includes how to craft phishing emails, create fake login pages, build a malicious website, USB attacks, and more. Installing SET in a lab environment is a great way to learn typical phishing indicators.

Defending against SET:
  • User awareness training including simulated phishing campaigns to identify high-risk users.
  • Enforce Strong Email Authentication.
  • Apply MFA. This won't stop credentials getting phished but can prevent easy account takeover.
BeEF
BeEF: Browser Exploitation Framework is an open-source pen-testing tool focused on client-side attacks, particularly web browsers, using vulnerabilities to gain a foot-hold in its targets network. This differs to Metasploit which focuses on network frameworks. BeEF can be used to assess real-world impacts of browser vulnerabilities.

Defending against BeEF:
  • Strong Content Security Policy (CSP).
  • Use secure coding practices when developing web applications.
  • User awareness training including simulated phishing campaigns to identify high-risk users.
Binwalk
Binwalk identifies and extract files and data embedded in other files. For an attacker, its used in the search for hard coded passwords, API keys, and other sensitive information hidden in firmware images. Binwalk is commonly used as part of a workflow which utilises other tools such as angr to dig deeper into the analysis of the extracted information.

Defending against Binwalk:
  • Don't leave any plain text hard coded passwords, API keys and other back doors in your firmware.
  • Treat your firmware as an adversary would. Test your systems, attempt to extract and decode anything that looks like a secret.
Nmap Scripting Engine (NSE)
NSE - Nmap Scripting Engine is a powerful Nmap tool and feature that enables advanced network discovery, backdoor detection, vulnerability detection and exploitation,. There are 100's of existing nse scripts and with the ability to create and customise your own, NSE continues to grow in capability and versatility.

Defending against NSE:
  • Reduce your attack surface. Close unused ports.
  • Regularly patch and update vulnerable systems before the NSE scripts can exploit them.
  • Run Vulnerability scans and code review.
  • Use an IDS/IPS (or both) such as OSSEC (host based) or Snort (network).
SQLmap
SQLmap not only accurately identifies injection vulnerabilities, but also automates exploitation from database identification and dumping data to file-system reads and even spawning shells on vulnerable targets.
SQL Injection remains one of the easiest ways attackers can extract an entire database — still ranking in the OWASP Top 10 nearly two decades after its discovery. Its simplicity and impact make it a favorite technique for dumping sensitive data.

Defending against SQLmap:
  • Validate and santiise all user input.
  • Filter all input on dynamic websites (secure the web applications).
  • Have a multi layered defense, include regular vulnerability scanning and code reviews.
  • Use mod_proxy or other web based filtering controls to help block malicious injection attacks. Keep in mind that a WAF should only be a layer of defense (attackers can find bypass for web application firewalls).
Mimikatz
First released in 2007 and actively maintained since Mimikatz remains a popular tool in 2025. Mimikatz has multiple modules tailored to different areas of attack e.g. extract passwords and NTLM hashes from Windows memory. This tool is used by an attacker once they are able to execute code on the system.
An alternative to Mimikatz is PyPyKatz written in python and runs on all operating systems that support python.

Defending against Mimikatz:
  • Use of EDR to detect Mimikatz activity. Open source suggestions to give you visibility into endpoint behaviour: Velociraptor, osquery.
  • Reduce your attack surface and keep your system patched and up to date
Hashcat
Turn a simple hash dump into password credentials with Hashcat. This fast offline cracking tool has been part of the offsec world for around 15 years. Beginning as a CPU-based tool it evolved into oclHashcat for GPU-accelerated attacks. In 2016 the CPU and GPU versions merged into Hashcat, now supporting hundreds of hash types, including PMKID and Wireless WPA/WPA2 handshakes captured with tools such as Aircrack-ng. While Hashcat remains a standard for password cracking in 2025, John the Ripper offers different attack modes and rule-based approaches that are worth exploring.

Defending against Hashcat:
  • Passwords are the weakest link. Enforce password complexity and enable mfa.
  • Protect the hashed passwords. Encrypt your database.
  • Salt the hashes.
Aircrack-NG
aircrack-ng continues to provide a suite of core offsec tools for wireless assessments and audits. It can be used for capturing WPA/WPA2 handshakes and PMKID and cracking on a small scale. Aircrack-ng ships with most linux pentesting distros such as kali and Parrot. Its suite of tools also includes airmon-ng, airodump-ng and aireplay-ng for monitoring, packet capture and injection.

Defending against aircrack-ng:
  • Never use WEP. It can be cracked in seconds due to flaws in its RC4 implementation..
  • When using WPA2 with pre-shared keys (WPA2-PSK), ensure passwords are strong (16+ characters non-dictionary based passwords).
  • Use strong modern encryption.
Tor Network
The Tor Network is maintained by The Tor Project. It is a system to push your traffic through an onion network that is designed to provide anonymity to the user. Note your traffic from the exit node is not encrypted or secured. Make sure you understand what it does before using it, Tor provides anonymity not encrypted communication.

Defending against Tor:
  • Block Tor exit nodes on your firewall, if Tor traffic is linked to a threat to your environment.
  • Monitoring and logging traffic from the Tor Network.
Cobalt Strike
Cobalt Strike (Commercial) - A post-exploitation and C2 framework billed as software for adversary simulations and red team operations. Built around its Beacon Payload, it has a focus on lateral movement (pivoting commands through multiple hosts) and C2 (command and control). Checkout the official training videos for real-world examples of Cobalt Strike in use.

Defending against Cobalt Strike:
  • Advanced attackers need to be discovered by advanced blue teams. Solid network analysis capabilities and well defended networks.
Sliver C2
Sliver C2 An open Source Command and control (C2) designed for security teams to test their own environment with adversary imulations. It has become a popular alternative to Cobalt Strike for malicious actors and APT groups to wreak havoc with malware, exploit zero day vulnerabilities and more.

Defending against Sliver C2
  • As with Cobalt strike - Advanced attackers need to be discovered by advanced blue teams. Solid network analysis capabilities and well defended networks.
OwaspZAP (Zed Attack Proxy)
OwaspZAP is an excellent, free, open-source web application security scanner that serves as a strong alternative to Burp Suite. Both tools offer intercepting proxy, automated spider, fuzzing, a library of add-ons, and automated scanning capabilities. Use Zap to discover and map out urls, test forms, endpoints and parameters for vulnerabilities.

Defending against OWASP ZAP
  • A well-configured perimeter with logging, monitoring and altering in place.
  • Use a WAF to include rules to identify and block ZAP behavior
  • Traffic throttling, rate limits
Rustscan
Rustscan bridges the gap between broad port sweeps and deep enumeration by piping discovered ports directly into Nmap. By default, RustScan can probe all 65,535 TCP ports in under 10 seconds (under 3 seconds in ideal conditions). It also allows for stealth with slower, evasive scans.

Defending against Rustscan
  • Rate limiting or throttle new TCP connections per second per host/subnet on firewalls or routers.
  • IDS/IPS scan detection. Use Suricata or Snort to spot and block.
  • Harden and segment firewall.
Zmap and Masscan

While Nmap remains unquestionably the top choice for detailed port scanning, Zmap and Masscan remain the go to solutions for ultra-fast, large-scale port scanning in 2025. Both can sweep the entire IPv4 space in under six minutes, making them essential for penetration testers conducting internet-scale reconnaissance and threat actors mapping wide networks globally.

Defending against Zmap & Masscan
  • Know your attack surface—keep an up-to-date inventory of all public IPs and exposed ports.
  • Harden firewalls with geo-IP restrictions, rate-limiting, and port-knocking to block mass scans.
  • Deploy network segmentation so a compromised scan appliance can’t enumerate your entire environment.
Ffuf and Gobuster

Ffuf (Fuzz Faster U Fool) and Gobuster are Go-based tools for web application reconnaissance. Ffuf can fuzz URLs, headers, POST bodies and cookies with a single command, letting you hit multiple attack surfaces at once. Gobuster focuses on directory and subdomain enumeration with minimal setup. Feroxbuster, written in Rust, is gaining popularity as an alternative with built-in recursion and auto-filtering capabilities.

Defending against Ffuf and Gobuster
  • Web fuzzers are noisy. Check your logs for spikes in 404, 403 and 500 per IP.
  • Deploy a WAF and tune its rules to identify and block repetitive fuzzing requests.

Conclusion

The 2025 threat landscape has evolved significantly since 2016, with attackers rapidly updating their toolkits. These 18 offensive security tools give you and your team visibility into attack methodologies and help you understand your vulnerabilities from an attackers perspective. Pick the ones that fit your environment, build hands on workflows, use them to find weaknesses and fix them before the attacker can exploit them. Start with network reconnaissance - our online Domain profiler and Nmap port scanner helps you discover your attack surface in minutes.

PREVIOUS
NEXT
Related Articles