Best open-source tools for Red Teaming

October 17, 2019 by Howard Poston

Best open-source Red Team tools

One of the best features of the cybersecurity community is the vast number of free and open-source tools that are available. Many very smart and skilled hackers have developed tools for a variety of purposes and made them available to the community.

As a result, there are tons of options for open-source tools for Red Teaming. Even choosing the tool that is best at its particular job leaves a huge list of options. In this article, we’ll discuss some of the best open-source tools for Red Teaming, organized by their role in the cyberattack life cycle. Many of these tools are built into the default Kali Linux distribution.


The first stage in any Red Team assessment is reconnaissance. The Red Team typically goes into the assessment with little or no knowledge of the target environment. However, a wide variety of open-source tools exist for fixing this problem.

Nmap is probably the most well-known tool for reconnaissance. It is a network scanner with a wide variety of useful features. Using nmap, a Red Team can learn a great deal about any reachable computer on the network. However, network scanning must be used carefully, since it can be easily detected.
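Why scanning is easy to detect, shown as an added example that is not part of the original article: a scan makes one source touch many distinct host/port pairs in a short time, which a defender can count from connection logs. The log format, addresses, window and threshold below are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO time> SRC=<ip> DST=<ip> DPT=<port> FLAGS=SYN"
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+) FLAGS=SYN$")

def make_sample_log():
    """Constructed sample data: one scan-like source, one ordinary client."""
    base = datetime(2019, 10, 17, 10, 0, 0)
    lines = []
    for i in range(40):
        ts = (base + timedelta(seconds=i)).isoformat()
        # 10.0.0.99 touches a new port on the same host every second.
        lines.append(f"{ts} SRC=10.0.0.99 DST=10.0.0.20 DPT={20 + i} FLAGS=SYN")
        # 10.0.0.5 keeps reconnecting to the same two services.
        lines.append(f"{ts} SRC=10.0.0.5 DST=10.0.0.20 DPT={(80, 443)[i % 2]} FLAGS=SYN")
    return lines

def detect_scanners(lines, window=timedelta(seconds=60), threshold=25):
    """Return {source: peak number of distinct (dst, port) pairs seen within
    `window`} for every source whose peak reaches `threshold`.
    Assumes the lines are in time order."""
    recent = defaultdict(deque)   # source -> deque of (time, (dst, port))
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines not in the expected format
        ts, src, dst, port = datetime.fromisoformat(m[1]), m[2], m[3], int(m[4])
        q = recent[src]
        q.append((ts, (dst, port)))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop events older than the window
        distinct = len({target for _, target in q})
        peak[src] = max(peak[src], distinct)
    return {src: n for src, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    for src, n in detect_scanners(make_sample_log()).items():
        print(f"{src}: {n} distinct host/port pairs within 60s")
```

The ordinary client makes just as many connections as the scanning source, but only ever to two services, so it is the count of distinct targets rather than raw connection volume that separates the two.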

Dnsrecon is another useful tool for reconnaissance. It allows the Red Team to identify different domain names within the target network and the associated IP addresses, which can be useful for targeting different types of attacks. It also has additional DNS-related functionality like testing for zone transfers.

Shodan is a search engine for internet-connected devices. The wide deployment of IoT devices and their generally poor security make them a promising initial entry point for a Red Team. Shodan can help with finding and identifying these devices.

Slurp is designed to help with discovery of poorly-secured AWS cloud deployments. It allows scanning within a particular domain or by keywords, allowing the Red Team to discover the customer’s potentially vulnerable AWS accounts.

Gaining and maintaining access

Once the Red Team has a feel for the target network, it’s time to try to exploit it. This stage includes both gaining initial access to the target environment and establishing a way to maintain and exploit this access.

Metasploit is primarily intended as a commercial tool, but its Community edition is still extremely powerful. Metasploit is considered the world leader in exploitation frameworks, with over 1500 different exploits built in and the ability to develop and integrate custom ones.

Ncat is known as the Swiss Army knife of information security. Its main purpose is to create a TCP/UDP connection with any port. It can be used for port scanning, banner grabbing, data exfiltration, setting up a remote shell and many other purposes.

Social Engineer Toolkit (SET) is a tool for building phishing attacks to test the customer’s resilience against social engineering. It can help with building phishing emails, websites and malicious attachments.

Network analysis

If the Red Team can gain access to the customer’s internal network, that network can provide a wealth of valuable data. Even passive network reconnaissance can reveal information about the network infrastructure, the services run and used by different machines, and even user credentials if insecure protocols are in use.

Aircrack-ng is a network traffic analysis tool focused on Wi-Fi security. It has built-in support for monitoring traffic sent over Wi-Fi, performing common Wi-Fi-focused attacks and cracking passwords for weak wireless security protocols (WEP and WPA).

Wireshark is the best-known network traffic analysis tool available. It has the ability to capture traffic live off the wire or load from a saved packet capture. Its built-in dissectors and other features make it easy to extract useful intelligence from network traffic.

Password cracking

Once the Red Team has access to a machine on the customer’s network, password cracking is a promising way to escalate privileges or move laterally throughout the network.

Hashcat is a popular password hash cracker used in Red Team engagements. It has GPU support, which allows it to brute-force any eight-character Windows password (which is the default minimum length) in a couple of hours.

Mimikatz is an open-source tool for collecting Windows password information from a compromised machine. It can also provide credential-based attacks like Pass-the-Hash and building golden tickets.

Planning and reporting

Some of the most underrated tools for Red Team engagements are those designed to help with planning and reporting. While the Red Team may enjoy the attacking phases of the assessment the most, the customer benefits most from receiving a comprehensive report on the vulnerabilities discovered within their network.

MITRE ATT&CK is a framework that breaks the cyberattack life cycle into its component parts and describes various methods by which each stage can be accomplished. It is valuable both for planning an assessment, by ensuring that a Red Team doesn’t always use the same methods of attack, and for providing additional context to the customer regarding discovered vulnerabilities.

Dradis is a reporting and collaboration tool for information security professionals. It can be used to generate one-click reports and track the activities of the Red Team throughout an assessment. It also has the ability to integrate directly with tools like Nmap and Nessus.

Conclusion: Building a Red Team toolkit

Red Team assessments can be an extremely fast-paced environment, and having the right tools can mean the difference between a successful assessment and failing to identify or exploit a critical vulnerability.

A good starting point for building a Red Team toolkit is downloading and installing Kali Linux, as many of the tools mentioned here are included in the default distribution. From there, additional tools can be acquired and added to address specific use cases. When building a toolkit, it’s important not to focus on the network side of the assessment to the exclusion of the physical aspects. A Red Team is also likely expected to try physical attack vectors against the customer’s security and needs to have the appropriate tools for that part of the work as well.


Howard Poston

Howard Poston is a copywriter, author, and course developer with experience in cybersecurity and blockchain security, cryptography, and malware analysis. He has an MS in Cyber Operations, a decade of experience in cybersecurity, and over five years of experience as a freelance consultant providing training and content creation for cyber and blockchain security. He is also the creator of over a dozen cybersecurity courses, has authored two books, and has spoken at numerous cybersecurity conferences. He can be reached by email at or via his website at