Network Utilities
8 tools
Tests host reachability via ICMP. Shows round-trip time and packet loss.
Traces the packet route to a host hop by hop. Use tracert on Windows.
Connects to any TCP port in plaintext. Used for banner grabbing and manual protocol testing (HTTP, SMTP).
Transfers data via HTTP/S, FTP and more. Essential for inspecting headers and testing APIs from the terminal.
Non-interactive file downloader. Supports recursive mirroring of entire websites.
Displays active connections, listening ports, and routing tables. Useful for detecting backdoors.
Sends ARP packets to discover all live hosts on a local subnet. Faster than ping-sweeping.
Display and configure network interfaces. ip is the modern replacement for the legacy ifconfig.
Port Scanning & Recon
3 tools
The definitive network mapper. Host discovery, port scanning, OS/service detection, and NSE scripts.
Ultra-fast port scanner written in Rust. Finds open ports in seconds, then passes them into Nmap.
Active/passive ARP tool to find live hosts on local networks without noisy IP traffic.
Traffic Analysis
3 tools
Industry-leading graphical packet analyzer with deep dissection of hundreds of protocols.
Command-line packet sniffer. Captures to .pcap files for later analysis in Wireshark.
Terminal version of Wireshark. Read .pcap files and extract specific protocol fields from the CLI.
Web Enumeration
7 tools
Fast directory/file brute-forcer and DNS subdomain enumerator written in Go.
Extremely fast Go-based web fuzzer. Place FUZZ anywhere — paths, params, headers, subdomains.
Classic recursive web content scanner with a built-in wordlist. Simple to use for quick checks.
Python directory brute-forcer with built-in extension support and colored output.
Web server scanner — checks for dangerous files, outdated software, and misconfigurations.
Fingerprints web technologies — CMS, frameworks, JS libraries, server software — from headers and HTML.
WordPress-specific scanner. Finds vulnerable plugins, themes, users, and configuration issues.
OSINT & DNS
5 tools
Queries registrar databases for domain ownership, nameservers, and registration dates.
DNS lookup utility. Queries any record type (A, MX, NS, TXT, AXFR) from any nameserver.
Classic DNS query tool available on Linux and Windows. Good for quick interactive lookups.
Gathers emails, subdomains, IPs, and URLs from public sources like Google, Bing, and LinkedIn.
Search engine for internet-connected devices. Find exposed services, banners, and CVEs by filter.
Web Exploitation
3 tools
Industry-standard proxy for intercepting, modifying, and replaying HTTP traffic. Core of web app pentesting.
Free open-source Burp alternative. Active/passive scanning with no brute-force rate limits.
Automates detection and exploitation of SQL injection. Can dump databases, read files, and run OS commands.
Brute Force & Auth
2 tools
Fast online password cracker supporting 50+ protocols: SSH, FTP, HTTP, SMB, RDP, MySQL and more.
Speedy parallel login cracker with modular protocol support. Good Hydra alternative for FTP and IMAP.
Password Cracking & Wordlists
4 tools
Versatile offline hash cracker. Auto-detects hash type. Includes ssh2john, zip2john helper scripts.
World's fastest GPU-accelerated password cracker. Supports 350+ hash types and many attack modes.
Spiders a website and extracts unique words as a targeted password wordlist for that specific organisation.
Generates wordlists from a character set with min/max length. Useful when the password structure is known.
Exploit Frameworks
3 tools
The most widely used pentesting framework. Contains exploits, payloads, encoders, and post-exploitation modules.
Payload generator from the Metasploit project. Creates standalone malicious files in many formats.
Offline Exploit-DB search tool. Find public exploits by software name and version without internet access.
Shells & Listeners
5 tools
The networking Swiss Army Knife. Used for reverse shell listeners, bind shells, and file transfers in nearly every THM room.
Advanced netcat alternative with SSL, IPv6, and bidirectional streams. Creates fully stable TTY shells.
Adds readline history and arrow-key support to any program. Makes raw nc shells on Windows usable.
Terminal multiplexer. Split panes, persist sessions after disconnect, and multi-task during pentests.
Nmap's improved netcat with SSL encryption and IPv6 support. Better for encrypted shell communication.
Windows & Active Directory
8 tools
Object-oriented Windows scripting shell. Used for enumeration, file transfers, and running post-exploitation scripts.
Dumps plaintext passwords, NTLM hashes, and Kerberos tickets from LSASS memory on Windows systems.
Visualizes Active Directory attack paths using graph theory. Finds the shortest route to Domain Admin.
PowerShell script to enumerate Active Directory: users, groups, GPOs, shares, and trust relationships.
Enumerates Windows/Samba hosts for users, shares, groups, and password policies via SMB null sessions.
FTP-like CLI for SMB shares. Lists shares and allows browsing and downloading files from Windows servers.
Poisons LLMNR, NBT-NS, and MDNS broadcasts to capture NTLMv2 hashes on the local network.
Linux OS Utilities
5 tools
Core filesystem navigation covered in THM Linux Fundamentals. Non-negotiable basics for any Linux work.
Text processing power tools. Used constantly to parse tool output and log files.
Linux permission management. Used when setting up scripts and for privilege escalation checks.
Archiving and compression utilities. Common in CTFs for handling evidence files and moving loot.
Encoding and hashing utilities. Used to decode CTF hints and verify file integrity.
Privilege Escalation
3 tools
Linux Privilege Escalation Awesome Script. Automatically finds misconfigs, SUID files, cron jobs, and writable paths.
Windows equivalent of linpeas. Finds unquoted service paths, weak permissions, and autologon credentials.
Python toolkit for Windows network protocols. Remote execution, hash dumping, and Kerberos attacks via SMB/NTLM.
Forensics & Steganography
8 tools
Reads and writes metadata in JPEG, PDF, DOCX, MP3. Extracts GPS, author, camera info, and creation dates.
Extracts printable ASCII/Unicode strings from binary files. First step in any CTF binary challenge.
Identifies true file type by inspecting magic bytes. Essential when files are disguised with a wrong extension.
Creates hex dumps of files. Used to inspect file headers, identify file types, and spot hidden data.
Scans binaries for embedded files and firmware. Extracts hidden images, archives, or firmware blobs automatically.
Embeds or extracts hidden data in JPEG, BMP, and WAV files. Common in THM CTF steganography challenges.
Extracts metadata from PDF files including title, author, creator, dates, and encryption status.
Leading memory forensics framework. Analyzes RAM dumps for processes, network connections, and injected shellcode. v3 drops --profile — symbol tables auto-detected.
Malware Analysis & Reverse Engineering
3 tools
NSA's open-source reverse engineering suite. Decompiles binaries to C-like pseudocode. Supports x86, ARM, MIPS and more.
Powerful open-source reverse engineering framework, hex editor, and debugger across many architectures.
Pattern-matching tool for malware identification. Write rules with string conditions to classify threats.
Static Analysis & PE Tools
6 tools
Open-source Windows debugger for 32/64-bit binaries. The standard for dynamic malware analysis. Plugins, scripting, conditional breakpoints. Free alternative to OllyDbg.
Commercial RE platform with HLIL/MLIL intermediate representations and a powerful Python API. Clean UI, strong scripting, and a free cloud version at binary.ninja/cloud.
PE file editor from NTCore. Inspects and edits PE headers, sections, imports, exports, and resources. Part of the free Explorer Suite — widely used in CTFs and malware RE.
Avast's open-source decompiler. Converts PE, ELF, and COFF binaries to C pseudocode. Supports x86, x64, ARM, MIPS. Useful as a second opinion alongside Ghidra.
Identifies file types, packers, compilers, linkers, and protectors. Supports scripting for custom signatures. More accurate and actively maintained than PEiD.
Fast Windows hex editor for inspecting and patching raw binary files. Supports disk sector editing, RAM editing, and comparing files side by side.
Live Analysis & Incident Response
5 tools
Advanced Windows task manager showing processes, DLLs, handles, network connections, and memory maps. Detects hidden processes and injected code that Task Manager misses.
Sysinternals tool showing a detailed process tree with parent/child relationships, DLLs, handles, and VirusTotal integration for quick malware triage on live Windows systems.
Sysinternals real-time file system, registry, and network activity monitor. Captures every system call. The definitive tool for behavioral malware analysis on live Windows.
Sysinternals tool showing every program configured to run at startup — registry keys, scheduled tasks, browser extensions, drivers, services. Essential for persistence hunting.
Industry-standard forensic imaging tool. Creates bit-exact drive images, acquires live RAM, mounts images read-only, and previews file systems without altering evidence.
Windows Post-Exploitation
1 tool
Post-exploitation C2 framework with PowerShell and Python agents. Evades many AV solutions using fileless execution. Common in red team operations and adversary simulation rooms.
Defensive Security Tools
4 tools
Open-source IDS/IPS. Signature-based network threat detection with rules. Can also run in blocking IPS mode.
Browser-based encoding/decoding toolkit. Chain base64, XOR, hex, hashing, and 300+ operations visually.
Identifies binary capabilities statically — network connections, service creation, registry modification — without running the file.
Industry SIEM platform. Searches and correlates log data using SPL. Covered in THM defensive security rooms.
Cryptography
3 tools
Crypto toolkit. Generate keys, create certificates, encrypt/decrypt files, and test TLS connections.
Implements the PGP standard for asymmetric encryption and digital signing. Covered in the THM Public Key Cryptography room.
Encrypted remote shell protocol. Connects to THM machines and supports tunneling for port forwarding and pivoting.
General CLI Utilities
3 tools
Terminal text editors. nano is beginner-friendly; vim is faster for experienced users. Both appear in THM Linux rooms.
Go-to scripting language in CTFs. Used for quick file servers, exploit scripts, and shell stabilization.
Scheduled tasks and service management. Weak cron jobs are a classic THM privilege escalation vector.