Note: I am not affiliated with, nor sponsored by, any of the developers or maintainers mentioned below. The observations are based on personal use in lab and client engagements.
TL;DR
| Legacy Tool | Modern Alternative | Rationale |
|---|---|---|
| Nmap (for port discovery) | RustScan | Faster initial scans, async Rust engine, hands off results to Nmap |
| Burp Suite | Caido | Lower memory footprint, dark-mode UI, YAML-based repeater workflows |
| CrackMapExec | netexec | Active maintenance, Python 3.12 codebase, SMBv3 & Kerberos improvements, plugin framework |
| chisel | ligolo-ng | Reverse SOCKS5 tunnel plus user-space TUN, automatic MTU discovery for full-TCP pivoting |
| enum4linux | enum4linux-ng | Added parallel execution, JSON output, CIDR scanning, improved null-session support |
| SharpHound.exe | bloodhound-python | Cross-platform collector, pip install, headless, easier automation, lighter AV footprint |
1 RustScan > Nmap (Port Scanning)
RustScan can accelerate the port‑discovery phase and then pass results to Nmap for service and version detection.
Performance Characteristics
- Uses asynchronous Rust to scan large port ranges quickly
- Handles 65 535‑port sweeps across /24 or /16 ranges with limited CPU overhead
- Reduces the time required before deeper Nmap modules run
Workflow Example
rustscan -a 10.0.0.1 --ulimit 5000 -- -A -sV
The command scans all ports on 10.0.0.1, then feeds the open‑port list to Nmap with -A -sV for follow‑up enumeration.
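The hand-off described above, split into two separate stages, as an added example (not RustScan's or the author's code): it parses saved RustScan greppable output (`-g`), drops hosts outside the engagement scope, and builds the follow-up Nmap argument lists. The `host -> [ports]` line shape, the scope range and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumed line shape of RustScan greppable output: "10.0.0.1 -> [22,80,443]"
LINE_RE = re.compile(r"^(\S+) -> \[([\d,\s]*)\]$")

# Constructed sample input, not real scan results.
SAMPLE = """\
10.0.0.1 -> [22,80,443]
10.0.0.7 -> [445,3389,445]
192.168.50.9 -> [80]
10.0.0.9 -> [80;id]
"""


def parse_discovery(text):
    """Return {ip_address: sorted unique ports}; skip malformed lines."""
    hosts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # never pass unparsed text on to a command line
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # host field is not a valid IP address
        ports = {int(p) for p in m.group(2).split(",") if p.strip()}
        ports = sorted(p for p in ports if 1 <= p <= 65535)
        if ports:
            hosts[ip] = ports
    return hosts


def nmap_jobs(text, scope_cidr, nmap_args=("-A", "-sV")):
    """Build one argv list per in-scope host (run with subprocess, no shell)."""
    scope = ipaddress.ip_network(scope_cidr)
    jobs = []
    for ip, ports in parse_discovery(text).items():
        if ip not in scope:
            continue  # outside the agreed scope: no follow-up scan
        port_list = ",".join(str(p) for p in ports)
        jobs.append(["nmap", *nmap_args, "-p", port_list, str(ip)])
    return jobs


if __name__ == "__main__":
    for argv in nmap_jobs(SAMPLE, "10.0.0.0/24"):
        print(" ".join(argv))
```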
When It Helps
- Preliminary port identification on internal or time‑constrained assessments
- Situations where Nmap timeouts would otherwise require tuning
Project page: https://github.com/RustScan/RustScan
2 Caido > Burp Suite
Figure 1 — Caido UI. Source: Caido official website
Both Caido and Burp Suite provide interception, replay, and automation for web testing. The choice often comes down to resource usage and workflow preferences.
Resource Usage
Burp, particularly the Community Edition, can demand substantial RAM and occasionally becomes unresponsive when handling large responses. Caido generally requires less memory and CPU and has shown fewer stability issues in daily use.
Automation
Caido’s Automate module allows unrestricted parallel fuzzing in the free tier. In Burp CE, similar throughput is capped unless using Burp Professional. YAML‑defined tasks in Caido can be version‑controlled alongside test cases.
Project Organisation
Caido groups requests into Collections and offers a VS Code‑style interface. Burp relies on multiple tabs and tree views. Which layout is clearer is subjective, but Caido’s search syntax may feel more familiar to developers who use modern IDEs.
Licensing
Caido provides a free tier and a no‑cost Pro licence for verified students. Burp Professional requires a paid subscription for its advanced features.
Project page: https://caido.io
3 netexec > CrackMapExec
Figure 2 — Netexec logo. Source: Netexec official website
netexec follows the syntax of CrackMapExec (CME) while updating the codebase and protocol support.
Notable Differences
- Actively developed against Python 3.12, reducing dependency issues
- Expanded support for SMBv3, Kerberos, RDP, LDAP, and WinRM
- Modular plugin architecture for extending functionality
- JSON output for integration with other tooling
Basic Usage
nxc smb 10.10.0.0/24 -u creds.txt -p passwords.txt --local-auth
Maintenance Status
CME has seen limited updates in recent years, which can lead to compatibility problems on hardened networks. netexec’s maintainers currently merge pull requests and address protocol changes more frequently.
Project page: https://github.com/Pennyw0rth/NetExec
4 ligolo-ng > chisel (Pivoting)
Figure 3 — Ligolo-ng logo. Source: Ligolo GitHub repo
ligolo-ng and chisel both create reverse tunnels for traffic redirection. ligolo-ng adds a user‑space TUN interface, enabling full‑TCP pivoting without configuring system routes.
Functional Highlights
- Reverse SOCKS5 plus TUN mode for transparent traffic
- Automatic MTU discovery to minimise fragmentation issues
- Encryption via mutual TLS
- They recently added a Web UI 🔥🔥
Figure 4 — Ligolo-ng Web UI. Source: Ligolo GitHub repo
ligolo-ng may reduce manual tunnelling steps in multi‑hop scenarios, although chisel remains lighter for straightforward SOCKS needs.
Project page: https://github.com/nicocha30/ligolo-ng
5 enum4linux-ng > enum4linux
enum4linux-ng maintains the CLI style of the original while adding parallelisation and JSON output.
Improvements
- CIDR notation for scanning multiple hosts
- Better handling of anonymous (null‑session) authentication
- Output formats that integrate easily with automated workflows
Project page: https://github.com/cddmp/enum4linux-ng
6 bloodhound-python > SharpHound.exe (Active Directory Mapping)
bloodhound-python is now the preferred collector for the BloodHound graph database, taking over from the older SharpHound.exe binary.
Why I Switched
- Cross‑platform: runs natively on Linux, macOS, and Windows—no .NET dependencies
- Headless operation for automation and remote sessions
- Installable via pip, so it slots easily into virtual‑env‑based toolchains
- Collection profiles match SharpHound presets but are easier to customise
- Lower detection footprint on certain EDR solutions compared with unsigned executables
Basic Usage Example
bloodhound-python -u alice -p 'SuperSecret!' -d corp.local \
-ns 10.0.0.53,10.0.0.54 -c All
The command gathers all standard data collections against corp.local domain controllers at the provided DNS server IPs.
Output & Integration
bloodhound-python produces the familiar json.zip archive. Add --zip-password <pwd> when exfiltration needs encryption, or stream directly to a BloodHound instance with --upload.
Project page: https://github.com/fox-it/BloodHound.py
Summary
The tools above are not universal replacements; rather, they offer alternative options that may better align with current environments or workflow requirements. Evaluating them in a test lab before production use is recommended.