Capture the flag (CTF)

Tools and resources to prepare for a hacker CTF competition or challenge

April 22, 2018 by

CTF or Capture the Flag is a traditional competition or war game in any hacker conferences like DEFCON, ROOTCON, HITB and some hackathons. CTF games are usually categorized in the form of Attack and Defend Style, Exploit Development, Packet Capture Analysis, Web Hacking, Digital Puzzles, Cryptography, Stego, Reverse Engineering, Binary Analysis, Mobile Security, etc.

As the author of n00bs CTF Labs, I decided to create a cheat sheet for the tools and resources you may want to use if ever you are planning to participate in a CTF challenge or competition:

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

CTF competitions on hacker conferences or gatherings and wargames

  • DEFCON CTF – one of the most prestigious and challenging CTF ever in DEFCON which is currently organized by Legitimate Business Syndicate
  • picoCTF – a CTF targeted for middle and high school students
  • Ghost in the Shellcode – an annual CTF which is hosted in ShmooCon Hacker Convention
  • ROOTCON Campus Tour CTF – is the first ever inter-university CTF challenge in the Philippines which is a open to all college students
  • ROOTCON CTF – is the official CTF of ROOTCON Hacker Conference
  • CSAW CTF – by NYU Policy
  • HSCTF – known to be the first CTF made by high school students and for high school students
  • UCSB iCTF – the UCSB International Capture The Flag is organized by Prof. Giovanni Vigna of the Department of Computer Science at UCSB, and is held once a year (usually at the beginning of December, but it has been rescheduled a few times)
  • Smash the Stack – a war gaming network which simulates software vulnerabilities and allows for the legal execution of exploitation techniques
  • OverTheWire – another war gaming network
  • Embedded Security CTF
  • DefCamp CTF – the official CTF of DEFCAMP
  • Trend Micro CTF Asia Pacific & Japan - a CTF event hosted by Trend Micro

More upcoming events are in CTF Time

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

CTF guides and resources

Think you have what it takes to be an ethical hacker? Check out Infosec's online hacker course, or fill out the form below for pricing info.

CTF frameworks or All-In-One tools for CTF

  • PwnTools – a CTF framework and exploit development library used by Gallopsled in every CTF
  • ctf-tools – a Github repository of open source scripts for your CTF needs like binwalk and apktool
  • Metasploit Framework – aside from being a penetration testing framework and software, Metasploit has modules for automatic exploitation and tools for crafting your exploits like find_badchars.rb, egghunter.rb, patter_offset.rb, pattern_create.rb, etc.
  • ROPgadget – used for ROP exploitation
  • Peda - Python Exploit Development Assistance for GDB
  • Google – where you can ask some questions

Reverse engineering tools, decompilers and debuggers

  • Immunity Debugger – a debugger similar to OllyDbg that has some cool plugins with the use of Python
  • OllyDbg – the most disassembly-based and GUI debugger for Windows
  • SWFScan – allows you to decompile Flash files
  • gdb – GNU Debugger
  • IDA Pro - Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger
  • WinDbg – Windows Debugger distributed by Microsoft
  • Apktool – a tool for reversing Android apk files
  • PE Tool - provide a handful of useful tools for working with Windows PE executables
  • UPX – Ultimate Packer for eXecutables
  • dex2jar (Android)
  • Radare2 - Unix-like reverse engineering framework and commandline tools
  • Strace - a system call tracer and another debugging tool
  • Objdump - part of GNU Binutils
  • PEID - used to determine if any obfuscator was used to pack the executable file. The open source packer that is often used is the UPX packer

Tools for static code analysis

  • RIPS – a static code analyzer for auditing vulnerabilities in PHP applications
  • HP Fortify Static Code Analyzer – also known as Fortify SCA which is a commercial software that is a multi-language auditor for vulnerabilities
  • OWASP Code Crawler – a static code review tool for .NET and J2EE/JAVA code which supports the OWASP Code Review Project
  • OWASP LAPSE Project – security auditing tool for detecting vulnerabilities in Java EE Applications
  • Flawfinder – a static source code analyzer that examines C/C++ source code and reports possible security weaknesses


  • Strings – allows you to search and extract ASCII and UNICODE strings from a binary
  • SANS SIFT - SANS Investigative Forensic Toolkit (SIFT) is an Ubuntu Live CD
  • ProDiscover Basic – evidence analyzer and data imaging tool
  • Volatility - memory forensics framework
  • The Sleuth Kit – open source digital forensics tool
  • FTK Imager - data preview and imaging tool
  • IPhone Analyzer – used for iPhone Forensics but only supports iOS 2, iOS 3, iOS 4 and iOS 5 devices
  • Xplico – network forensics tool
  • Binwalk – firmware analysis tool which allows you to extract the firmware image
  • ExifTool – a platform-independent Perl library plus a command-line application for reading, writing and editing meta information in a wide variety of file formats like EXIF, GPS, IPTC, XMP, JFIF, GeoTIFF, ICC Profile, Photoshop IRB, FlashPix, AFCP and ID3, as well as the maker notes of many digital cameras by Canon, Casio, FLIR, FujiFilm, GE, HP, JVC/Victor, Kodak, Leaf, Minolta/Konica-Minolta, Nikon, Nintendo, Olympus/Epson, Panasonic/Leica, Pentax/Asahi, Phase One, Reconyx, Ricoh, Samsung, Sanyo, Sigma/Foveon and Sony
  • dd – a command line utility for Unix and Linux which allows you to copy and convert files
  • CAINE - Computer Aided INvestigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics
  • Autopsy - GUI to the command line digital investigation analysis tools in The Sleuth Kit
  • Any Hex Editors will do
  • DEFT Linux - Digital Evidence & Forensics Toolkit Linux distribution
  • Windows Sysiternals - consist of Windows system utilities that contain various useful programs


  • Hashdump
  • Sage
  • John The Ripper – is a free and fast password cracker available for many flavors of Unix, Windows, DOS, BeOS, and OpenVMS
  • Cryptool - open source e-learning tool illustrating cryptographic and cryptanalytic concepts
  • – online decoder and encoder for crypto and most people who are joining CTF competitions have this website opened while playing


  • Steghide – a stega tool that can be used for embedding or extracting data in various kinds of image and audio files
  • Ffmpeg - cross-platform software to record, convert and stream audio and video
  • Gimp - GNU Image Manipulation Program
  • Audacity – free audio auditor and recorder
  • Stepic – python image steganography
  • Pngcheck - PNG tester and debugger which verifies the integrity of PNG, JNG and MNG files (by checking the internal 32-bit CRCs [checksums] and decompressing the image data)
  • OpenStego - free steganography solution
  • OutGuess
  • StegFS
  • MP3Stego – allows you to hide text in MP3 files
  • AtomicParsley - command line program for reading, parsing and setting metadata into MPEG-4 files
  • Foremost – a console program used for file recovery

For web vulnerability hunting or web exploitation

  • Burp Suite – commonly used for web application security testing and usually for finding manual web vulnerabilities which has an intercepting proxy and customizable plugins
  • OWASP ZAP – an Open Web Application Security Project similar to Burp but free and open source
  • WPScan – a blackbox Wordpress Vulnerability Scanner
  • W3af – open source web application security scanner
  • OWASP Dirbuster – directory bruteforce or discovery tool
  • Bizploit - open source ERP Penetration Testing framework


  • aircrack-ng Suite – an open source WEP/WPA/WPA2 cracking tool which is usually bundled in most pentesting distributions
  • reaver – WiFi Protected Setup attacker tool
  • Kismet - 802.11 layer2 wireless network detector, sniffer, and intrusion detection system
  • Pixiewps - a tool used to bruteforce offline the WPS pin exploiting the low or non-existing entropy of some APs (pixie dust attack)
  • Nmap – an open source port scanner which has plugins for vulnerability assessment and net discovery
  • Wireshark – network sniffer and network protocol analyzer for Unix and Windows
  • Netcat -the TCP/IP swiss army
  • Captipper - a python tool to analyze, explore, and revive HTTP malicious traffic
  • Scapy - a powerful interactive packet manipulation program

For your protection in attack in defend

  • Snort – lightweight and free network intrusion detection system for UNIX and Windows
  • Iptables
  • Any Antivirus and Two-Way firewall will do
  • Chellam - Wi-Fi IDS/Firewall for Windows which detect Wi-Fi attacks, such as Honeypots, Evil Twins, Mis-association, and Hosted Network-based backdoors etc., against a Windows-based client without the need of custom hardware or drivers
  • peepdf - Python tool to explore PDF files in order to find out if the file can be harmful or not
  • Android IMSI-Catcher Detector – Android app for detecting IMSI-Catchers

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Some Linux distributions ideal for CTF

  • Santoku Linux - GNU/Linux distribution or distro designed for helping you in every aspect of your mobile forensics, mobile malware analysis, reverse engineering and security testing needs
  • Kali Linux – a fully packed penetration testing Linux distribution based on Debian
  • BackBox Linux – a simplistic penetration testing distro based on Ubuntu
  • CAINE - Computer Aided INvestigative Environment is a Live GNU/Linux distribution which is aimed for digital forensics
  • DEFT Linux - Digital Evidence & Forensics Toolkit Linux distribution

aurelius is the creator of n00bs CTF Labs, bug bounty hunter, security researcher at Infosec Institute and an application security analyst. He loves playing games and watching movies aside from hacking.