Basic Toolset¶
Master the essential cybersecurity tools that form the foundation of all penetration testing and security analysis work. This module demonstrates all MkDocs features while teaching practical tool usage.
Module Objectives
By the end of this module, you will have hands-on experience with core cybersecurity tools and understand how to integrate them into professional workflows.
🛠️ Essential Tools Overview¶
The cybersecurity professional's toolkit consists of specialized tools for different phases of testing and analysis.
Tool Categories¶
Primary Tools: - Nmap - Network discovery and port scanning - Masscan - High-speed port scanner - Wireshark - Network protocol analyzer - tcpdump - Command-line packet analyzer
Use Cases: - Network reconnaissance and mapping - Service enumeration and fingerprinting - Traffic analysis and forensics - Network troubleshooting
Primary Tools: - Burp Suite Professional - Comprehensive web app testing platform - OWASP ZAP - Free web application security scanner - Gobuster - Directory and file brute-forcer - Ffuf - Fast web fuzzer
Use Cases: - Web application vulnerability assessment - Directory and parameter discovery - Authentication testing - API security testing
Primary Tools: - Metasploit - Exploitation framework - Empire - Post-exploitation framework - BloodHound - Active Directory attack path analysis - LinEnum - Linux enumeration script
Use Cases: - Vulnerability exploitation - Post-exploitation activities - Privilege escalation enumeration - Active Directory assessment
🔍 Nmap: Network Discovery and Port Scanning¶
Nmap (Network Mapper) is the most widely used network discovery and security auditing tool.
Basic Scanning Techniques¶
# Basic TCP SYN scan
nmap -sS target.com
# UDP scan (slower but important)
nmap -sU target.com
# Comprehensive scan with service detection
nmap -sS -sV -O -A target.com
# Fast scan of top 1000 ports
nmap -F target.com
# Scan specific ports
nmap -p 22,80,443,8080 target.com
# Scan port ranges
nmap -p 1-65535 target.com
Advanced Nmap Features¶
# NSE script scanning
nmap --script vuln target.com
nmap --script "smb-*" target.com
nmap --script "http-*" target.com
# Timing and performance
nmap -T4 target.com # Aggressive timing
nmap -T1 target.com # Slow/stealthy timing
# Output formats
nmap -oA scan_results target.com # All formats
nmap -oG greppable_output target.com # Greppable
nmap -oX xml_output.xml target.com # XML format
Nmap Scripting Engine (NSE)¶
The NSE extends Nmap's capabilities with custom scripts:
| Script Category | Purpose | Example Usage |
|---|---|---|
auth | Authentication bypass | --script auth |
broadcast | Network broadcast discovery | --script broadcast |
brute | Brute force attacks | --script brute |
default | Default safe scripts | -sC or --script default |
discovery | Host and service discovery | --script discovery |
dos | Denial of service testing | --script dos |
exploit | Known vulnerability exploitation | --script exploit |
external | External service queries | --script external |
fuzzer | Fuzzing attacks | --script fuzzer |
intrusive | Potentially harmful scripts | --script intrusive |
malware | Malware detection | --script malware |
safe | Safe scripts unlikely to crash services | --script safe |
version | Advanced version detection | --script version |
vuln | Vulnerability detection | --script vuln |
Practical Nmap Examples¶
Web Server Enumeration
SMB Enumeration
🌐 Burp Suite: Web Application Testing Platform¶
Burp Suite is the industry standard for web application security testing.
Configuration and Setup¶
# Launch Burp Suite (assuming it's in PATH)
java -jar burpsuite_pro.jar
# Command-line options
java -Xmx4g -jar burpsuite_pro.jar # Increase memory to 4GB
java -jar burpsuite_pro.jar --project-file=myproject.burp # Load project
Proxy Configuration¶
-
Manual Proxy Configuration:
- HTTP Proxy:
127.0.0.1 - Port:
8080 - Use for HTTPS: ✅
- HTTP Proxy:
-
Certificate Installation:
- Navigate to
http://burpsuite - Download CA Certificate
- Install in Firefox: Settings → Privacy & Security → Certificates → Import
- Navigate to
-
System Proxy or Extension:
- Use SwitchyOmega extension
- Configure proxy profile for
127.0.0.1:8080
-
Certificate Trust:
- Download cert from
http://burpsuite - Chrome Settings → Privacy and Security → Manage Certificates
- Import to "Trusted Root Certification Authorities"
- Download cert from
Key Burp Suite Tools¶
Proxy Tool¶
The heart of Burp Suite for intercepting and modifying requests:
GET /admin/login.php HTTP/1.1
Host: vulnerable-app.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=abc123; role=user
Repeater Tool¶
For manual testing and request manipulation:
Repeater Workflow
- Send interesting requests to Repeater
- Modify parameters systematically
- Analyze responses for vulnerabilities
- Document findings and evidence
Intruder Tool¶
Automated attack tool for brute forcing and fuzzing:
Attack Types:
| Attack Type | Description | Use Case |
|---|---|---|
| Sniper | Single payload set, one position | Username enumeration |
| Battering Ram | Single payload set, all positions | Password spraying |
| Pitchfork | Multiple payload sets, paired | Credential stuffing |
| Cluster Bomb | Multiple payload sets, all combinations | Parameter fuzzing |
🐍 Custom Scripts and Automation¶
Automation is crucial for efficiency in cybersecurity workflows.
Python for Cybersecurity¶
#!/usr/bin/env python3
"""
Advanced port scanner with service detection
Demonstrates Python automation for cybersecurity
"""
import socket
import threading
import argparse
from datetime import datetime
class PortScanner:
def __init__(self, target, threads=100):
self.target = target
self.threads = threads
self.open_ports = []
self.lock = threading.Lock()
def scan_port(self, port):
"""Scan a single port"""
try:
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(1)
result = sock.connect_ex((self.target, port))
if result == 0:
# Port is open, try to grab banner
banner = self.grab_banner(sock, port)
with self.lock:
self.open_ports.append({
'port': port,
'banner': banner,
'service': self.identify_service(port, banner)
})
sock.close()
except Exception as e:
pass # Port closed or filtered
def grab_banner(self, sock, port):
"""Attempt to grab service banner"""
try:
if port in [80, 8080, 8000]:
sock.send(b"GET / HTTP/1.1\r\nHost: " + self.target.encode() + b"\r\n\r\n")
elif port == 21:
pass # FTP sends banner immediately
elif port == 22:
pass # SSH sends banner immediately
elif port == 25:
pass # SMTP sends banner immediately
else:
sock.send(b"\r\n")
banner = sock.recv(1024).decode('utf-8', errors='ignore').strip()
return banner[:100] # Limit banner length
except:
return ""
def identify_service(self, port, banner):
"""Identify service based on port and banner"""
common_ports = {
21: "FTP", 22: "SSH", 23: "Telnet", 25: "SMTP",
53: "DNS", 80: "HTTP", 110: "POP3", 143: "IMAP",
443: "HTTPS", 993: "IMAPS", 995: "POP3S"
}
service = common_ports.get(port, "Unknown")
# Enhance with banner analysis
if "Apache" in banner:
service += " (Apache)"
elif "nginx" in banner:
service += " (Nginx)"
elif "OpenSSH" in banner:
service += " (OpenSSH)"
elif "vsftpd" in banner:
service += " (vsftpd)"
return service
def scan(self, start_port=1, end_port=1000):
"""Scan port range"""
print(f"[*] Starting scan of {self.target}")
print(f"[*] Scanning ports {start_port}-{end_port}")
print(f"[*] Started at {datetime.now()}")
print("-" * 50)
threads = []
for port in range(start_port, end_port + 1):
thread = threading.Thread(target=self.scan_port, args=(port,))
threads.append(thread)
thread.start()
# Limit concurrent threads
if len(threads) >= self.threads:
for t in threads:
t.join()
threads = []
# Wait for remaining threads
for thread in threads:
thread.join()
return self.open_ports
def main():
parser = argparse.ArgumentParser(description="Advanced Port Scanner")
parser.add_argument("target", help="Target IP address or hostname")
parser.add_argument("-p", "--ports", default="1-1000",
help="Port range (e.g., 1-1000)")
parser.add_argument("-t", "--threads", type=int, default=100,
help="Number of threads")
args = parser.parse_args()
# Parse port range
if "-" in args.ports:
start_port, end_port = map(int, args.ports.split("-"))
else:
start_port = end_port = int(args.ports)
# Create and run scanner
scanner = PortScanner(args.target, args.threads)
open_ports = scanner.scan(start_port, end_port)
# Display results
print("\n" + "=" * 50)
print("SCAN RESULTS")
print("=" * 50)
if open_ports:
print(f"{'Port':<8} {'Service':<15} {'Banner'}")
print("-" * 50)
for port_info in sorted(open_ports, key=lambda x: x['port']):
print(f"{port_info['port']:<8} {port_info['service']:<15} {port_info['banner']}")
else:
print("No open ports found in the specified range.")
print(f"\n[*] Scan completed at {datetime.now()}")
if __name__ == "__main__":
main()
Bash Automation Scripts¶
#!/bin/bash
# Multi-target reconnaissance script
# Usage: ./recon.sh targets.txt
TARGET_FILE="$1"
OUTPUT_DIR="recon_results"
THREADS=20
# Colors for output
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# Banner
echo -e "${BLUE}"
echo " ____ ____ _ _ "
echo " | _ \ ___ ___ ___ _ __ / ___| ___ _ __(_)_ __ | |_ "
echo " | |_) / _ \/ __/ _ \| '_ \ \___ \ / __| '__| | '_ \| __|"
echo " | _ < __/ (_| (_) | | | | ___) | (__| | | | |_) | |_ "
echo " |_| \_\___|\___\___/|_| |_||____/ \___|_| |_| .__/ \__|"
echo " |_| "
echo -e "${NC}"
# Check if target file exists
if [[ ! -f "$TARGET_FILE" ]]; then
echo -e "${RED}[!] Target file not found: $TARGET_FILE${NC}"
echo "Usage: $0 <targets.txt>"
exit 1
fi
# Create output directory
mkdir -p "$OUTPUT_DIR"
# Function: Port scan with nmap
port_scan() {
local target="$1"
local output_file="$OUTPUT_DIR/${target}_ports.txt"
echo -e "${YELLOW}[*] Port scanning $target${NC}"
nmap -sS -T4 -p- --open "$target" -oG "$output_file" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "${GREEN}[+] Port scan completed for $target${NC}"
else
echo -e "${RED}[-] Port scan failed for $target${NC}"
fi
}
# Function: Service enumeration
service_enum() {
local target="$1"
local port_file="$OUTPUT_DIR/${target}_ports.txt"
local service_file="$OUTPUT_DIR/${target}_services.txt"
if [[ -f "$port_file" ]]; then
# Extract open ports
ports=$(grep -oP '\d+/open' "$port_file" | cut -d'/' -f1 | tr '\n' ',' | sed 's/,$//')
if [[ -n "$ports" ]]; then
echo -e "${YELLOW}[*] Service enumeration for $target on ports: $ports${NC}"
nmap -sV -sC -p "$ports" "$target" -oN "$service_file" > /dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo -e "${GREEN}[+] Service enumeration completed for $target${NC}"
else
echo -e "${RED}[-] Service enumeration failed for $target${NC}"
fi
fi
fi
}
# Function: Web directory enumeration
web_enum() {
local target="$1"
local web_file="$OUTPUT_DIR/${target}_web.txt"
# Check if web services are running
if nmap -p 80,443,8080,8443 "$target" | grep -q "open"; then
echo -e "${YELLOW}[*] Web directory enumeration for $target${NC}"
# Check HTTP
if nmap -p 80 "$target" | grep -q "open"; then
gobuster dir -u "http://$target" -w /usr/share/wordlists/dirb/common.txt \
-o "${web_file}_http" -q 2>/dev/null &
fi
# Check HTTPS
if nmap -p 443 "$target" | grep -q "open"; then
gobuster dir -u "https://$target" -w /usr/share/wordlists/dirb/common.txt \
-o "${web_file}_https" -q 2>/dev/null &
fi
wait
echo -e "${GREEN}[+] Web enumeration completed for $target${NC}"
fi
}
# Main execution
echo -e "${BLUE}[*] Starting reconnaissance on $(wc -l < "$TARGET_FILE") targets${NC}"
echo -e "${BLUE}[*] Results will be saved to: $OUTPUT_DIR${NC}"
echo ""
# Process each target
while IFS= read -r target; do
# Skip empty lines and comments
[[ -z "$target" || "$target" =~ ^#.*$ ]] && continue
echo -e "${BLUE}[*] Processing target: $target${NC}"
# Run reconnaissance functions
port_scan "$target" &
# Limit concurrent processes
(($(jobs -r | wc -l) >= THREADS)) && wait
done < "$TARGET_FILE"
# Wait for all port scans to complete
wait
# Run service enumeration and web enumeration
while IFS= read -r target; do
[[ -z "$target" || "$target" =~ ^#.*$ ]] && continue
service_enum "$target" &
web_enum "$target" &
# Limit concurrent processes
(($(jobs -r | wc -l) >= THREADS)) && wait
done < "$TARGET_FILE"
# Wait for all processes to complete
wait
echo ""
echo -e "${GREEN}[+] Reconnaissance completed!${NC}"
echo -e "${BLUE}[*] Check $OUTPUT_DIR for results${NC}"
# Generate summary report
summary_file="$OUTPUT_DIR/summary.txt"
echo "Reconnaissance Summary - $(date)" > "$summary_file"
echo "=================================" >> "$summary_file"
echo "" >> "$summary_file"
for target_file in "$OUTPUT_DIR"/*_services.txt; do
if [[ -f "$target_file" ]]; then
target=$(basename "$target_file" "_services.txt")
echo "Target: $target" >> "$summary_file"
echo "Open Ports:" >> "$summary_file"
grep -E "^\d+/(tcp|udp)" "$target_file" | head -10 >> "$summary_file"
echo "" >> "$summary_file"
fi
done
echo -e "${GREEN}[+] Summary report generated: $summary_file${NC}"
📊 Tool Comparison Matrix¶
Understanding when to use which tool is crucial for efficiency:
| Task | Primary Tool | Alternative | Pros | Cons |
|---|---|---|---|---|
| Port Scanning | Nmap | Masscan | Feature-rich, scripts | Slower on large ranges |
| Web Directory Discovery | Gobuster | Dirb | Fast, customizable | Requires good wordlists |
| Web Vulnerability Scanning | Burp Suite | OWASP ZAP | Professional features | Commercial license |
| Network Traffic Analysis | Wireshark | tcpdump | GUI interface | Resource intensive |
| Payload Generation | Metasploit | Custom scripts | Extensive payload library | Can be detected |
💡 Best Practices¶
Tool Selection Guidelines
- Start with reconnaissance - Use Nmap for initial port scanning
- Layer your approach - Combine multiple tools for comprehensive coverage
- Document everything - Maintain detailed logs of commands and results
- Respect rate limits - Use appropriate timing to avoid detection
- Verify findings - Manual verification of automated tool results
Legal and Ethical Considerations
- Only test systems you own or have explicit written permission to test
- Understand the legal implications of security testing in your jurisdiction
- Follow responsible disclosure practices for vulnerabilities
- Maintain confidentiality of client data and findings
🔬 Practical Lab Exercises¶
Lab 1: Network Reconnaissance¶
# Target: Your own test environment or HTB machine
# Objective: Complete network enumeration
# Step 1: Initial port scan
nmap -sS -T4 -p- --open <target> -oA initial_scan
# Step 2: Service enumeration
nmap -sV -sC -p <open_ports> <target> -oA service_scan
# Step 3: Vulnerability scanning
nmap --script vuln -p <open_ports> <target> -oA vuln_scan
# Step 4: Web enumeration (if web services found)
gobuster dir -u http://<target> -w /usr/share/wordlists/dirb/common.txt
Lab 2: Web Application Testing¶
# Target: Vulnerable web application (DVWA, WebGoat, or HTB machine)
# Objective: Manual web application assessment
# Step 1: Proxy setup
# Configure browser to use Burp Suite proxy (127.0.0.1:8080)
# Step 2: Passive reconnaissance
# Browse the application normally, let Burp build site map
# Step 3: Active testing
# Use Burp's Spider and Scanner tools
# Step 4: Manual verification
# Verify automated findings manually using Repeater
🎯 Assessment Checklist¶
Track your proficiency with essential tools:
Network Tools: - [ ] Perform comprehensive nmap scans - [ ] Use NSE scripts for vulnerability detection - [ ] Analyze network traffic with Wireshark - [ ] Create custom port scanning scripts
Web Application Tools: - [ ] Configure Burp Suite proxy properly - [ ] Perform manual parameter manipulation - [ ] Use Intruder for automated attacks - [ ] Generate professional vulnerability reports
Automation Skills: - [ ] Write Python scripts for reconnaissance - [ ] Create Bash scripts for workflow automation - [ ] Integrate multiple tools in custom workflows - [ ] Implement proper error handling and logging
Module Complete!
You've mastered the essential cybersecurity toolkit! Ready to move on to Cracking into HTB?