Tools Guide
October 12, 2025 ยท View on GitHub
Comprehensive guide to cybersecurity tools for Red, Blue, and Purple Teams
Table of Contents
- Installation Instructions
- Red Team Tools
- Blue Team Tools
- Purple Team Tools
- Tool Comparison Tables
- Usage Examples
Installation Instructions
Prerequisites
Before installing security tools, ensure your system has:
# Update system packages
sudo apt update && sudo apt upgrade -y # Debian/Ubuntu
sudo dnf update -y # Fedora/RHEL
brew update && brew upgrade # macOS
# Install essential dependencies
sudo apt install -y build-essential git curl wget python3 python3-pip
Quick Setup Script
Use our automated setup script:
cd tools/
chmod +x setup-lab.sh
sudo ./setup-lab.sh
Red Team Tools
Reconnaissance Tools
Nmap - Network Scanner
Purpose: Network discovery and security auditing
Installation:
# Linux
sudo apt install nmap
# macOS
brew install nmap
# Verify installation
nmap --version
Usage Examples:
# Quick scan of top 1000 ports
nmap -T4 -F target.com
# Full port scan with service detection
nmap -sV -sC -p- target.com
# OS detection
nmap -O target.com
# Scan multiple targets
nmap 192.168.1.0/24
theHarvester - OSINT Tool
Purpose: Email, subdomain, and host gathering
Installation:
git clone https://github.com/laramies/theHarvester
cd theHarvester
pip3 install -r requirements.txt
Usage Examples:
# Search using Google
python3 theHarvester.py -d target.com -b google
# Search all sources
python3 theHarvester.py -d target.com -b all
# Limit results
python3 theHarvester.py -d target.com -b bing -l 200
Subfinder - Subdomain Discovery
Purpose: Fast subdomain enumeration
Installation:
go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest
Usage Examples:
# Basic subdomain enumeration
subfinder -d target.com
# Save results to file
subfinder -d target.com -o subdomains.txt
# Use all sources
subfinder -d target.com -all
Exploitation Tools
Metasploit Framework
Purpose: Comprehensive penetration testing framework
Installation:
curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall
Usage Examples:
# Start Metasploit console
msfconsole
# Search for exploits
msf6 > search ms17-010
# Use an exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue
# Set target and options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > exploit
SQLMap - SQL Injection Tool
Purpose: Automatic SQL injection and database takeover
Installation:
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap
Usage Examples:
# Test a URL for SQL injection
python sqlmap.py -u "http://target.com/page.php?id=1"
# Enumerate databases
python sqlmap.py -u "http://target.com/page.php?id=1" --dbs
# Dump database
python sqlmap.py -u "http://target.com/page.php?id=1" -D database_name --dump
Web Application Testing
Burp Suite Community Edition
Purpose: Web vulnerability scanner and intercepting proxy
Installation:
# Download from https://portswigger.net/burp/communitydownload
# Or use package manager
sudo apt install burpsuite
# macOS
brew install --cask burp-suite
Basic Workflow:
- Configure browser proxy to 127.0.0.1:8080
- Enable intercept in Burp
- Navigate to target website
- Analyze and modify requests
- Use scanner and intruder for testing
OWASP ZAP
Purpose: Open-source web application security scanner
Installation:
# Linux
sudo snap install zaproxy --classic
# macOS
brew install --cask owasp-zap
# Docker
docker run -p 8080:8080 owasp/zap2docker-stable
Usage Examples:
# Automated scan
zap-cli quick-scan http://target.com
# Spider website
zap-cli spider http://target.com
# Active scan
zap-cli active-scan http://target.com
Blue Team Tools
SIEM & Log Management
Splunk (Free)
Purpose: Enterprise log management and SIEM
Installation:
# Download from https://www.splunk.com/en_us/download/splunk-enterprise.html
wget -O splunk.deb 'https://download.splunk.com/...'
sudo dpkg -i splunk.deb
Initial Setup:
cd /opt/splunk/bin
./splunk start --accept-license
# Access web interface at http://localhost:8000
ELK Stack (Elasticsearch, Logstash, Kibana)
Purpose: Open-source log management
Installation (Docker):
git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up -d
Usage:
- Elasticsearch: http://localhost:9200
- Kibana: http://localhost:5601
- Logstash: Port 5044
Network Monitoring
Wireshark
Purpose: Network protocol analyzer
Installation:
# Linux
sudo apt install wireshark
# macOS
brew install --cask wireshark
Usage Examples:
# Capture on interface
tshark -i eth0
# Capture with filter
tshark -i eth0 -f "tcp port 80"
# Read pcap file
tshark -r capture.pcap
# Display filter
tshark -r capture.pcap -Y "http.request"
Zeek (formerly Bro)
Purpose: Network security monitoring framework
Installation:
# Ubuntu/Debian
sudo apt install zeek
# macOS
brew install zeek
Usage Examples:
# Analyze pcap file
zeek -r capture.pcap
# Monitor live traffic
zeek -i eth0 local
# View logs
cat conn.log | zeek-cut id.orig_h id.resp_h duration
Suricata
Purpose: Network threat detection engine
Installation:
sudo apt install suricata
# Update rules
sudo suricata-update
Usage Examples:
# Run on interface
sudo suricata -c /etc/suricata/suricata.yaml -i eth0
# Analyze pcap
sudo suricata -c /etc/suricata/suricata.yaml -r capture.pcap
# View alerts
tail -f /var/log/suricata/fast.log
Endpoint Detection
OSSEC
Purpose: Host-based intrusion detection
Installation:
wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -zxvf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh
Wazuh (OSSEC fork)
Purpose: Open-source EDR and XDR
Installation (Docker):
git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node
docker-compose up -d
Access: https://localhost (admin/admin)
Digital Forensics
Autopsy
Purpose: Digital forensics platform
Installation:
# Download from https://www.autopsy.com/download/
# Linux
sudo apt install autopsy
# macOS
brew install --cask autopsy
Volatility 3
Purpose: Memory forensics framework
Installation:
git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt
Usage Examples:
# List processes
python3 vol.py -f memory.dump windows.pslist
# Scan for processes
python3 vol.py -f memory.dump windows.psscan
# Dump process
python3 vol.py -f memory.dump windows.dumpfiles --pid 1234
Purple Team Tools
Attack Simulation
Atomic Red Team
Purpose: Small, focused tests mapped to MITRE ATT&CK
Installation:
git clone https://github.com/redcanaryco/atomic-red-team.git
cd atomic-red-team
# Install execution framework
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam
Usage Examples:
# List all techniques
Invoke-AtomicTest All -ShowDetails
# Run specific technique
Invoke-AtomicTest T1059.001
# Cleanup after test
Invoke-AtomicTest T1059.001 -Cleanup
CALDERA
Purpose: Automated adversary emulation platform
Installation:
git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt
# Start server
python3 server.py --insecure
Access: http://localhost:8888 (admin/admin)
Detection Testing
Sigma Rules
Purpose: Generic signature format for SIEM systems
Installation:
git clone https://github.com/SigmaHQ/sigma.git
pip3 install sigma-cli
Usage Examples:
# Convert Sigma rule to Splunk
sigma convert -t splunk rule.yml
# Convert to Elastic
sigma convert -t elasticsearch rule.yml
# Convert all rules in directory
sigma convert -t qradar -r rules/
Detection Lab
Purpose: Build detection capabilities in a lab
Installation:
git clone https://github.com/clong/DetectionLab.git
cd DetectionLab/Vagrant
vagrant up
Tool Comparison Tables
SIEM Platforms
| Tool | Type | Cost | Pros | Cons | Best For |
|---|---|---|---|---|---|
| Splunk | Commercial | Free (limited) | Powerful, extensive features | Resource intensive | Enterprise |
| ELK Stack | Open Source | Free | Flexible, scalable | Complex setup | Mid-size orgs |
| Graylog | Open Source | Free | User-friendly | Limited features | Small teams |
| QRadar | Commercial | Paid | AI features | Expensive | Large enterprise |
Vulnerability Scanners
| Tool | Type | Speed | Accuracy | Features | Learning Curve |
|---|---|---|---|---|---|
| Nessus | Commercial | Fast | High | Extensive | Easy |
| OpenVAS | Open Source | Medium | Good | Limited | Moderate |
| Qualys | Cloud | Fast | High | Comprehensive | Easy |
| Nexpose | Commercial | Fast | High | Good reporting | Moderate |
Web Proxies
| Tool | Type | Features | Ease of Use | Best For |
|---|---|---|---|---|
| Burp Suite | Freemium | Comprehensive | Moderate | Professional testing |
| OWASP ZAP | Free | Good | Easy | Learning & automation |
| mitmproxy | Free | Scriptable | Hard | Custom workflows |
EDR Solutions
| Tool | Type | Detection | Response | Cloud-Native | Cost |
|---|---|---|---|---|---|
| CrowdStrike | Commercial | Excellent | Automated | Yes | High |
| Carbon Black | Commercial | Excellent | Good | Yes | High |
| Wazuh | Open Source | Good | Manual | Partial | Free |
| OSSEC | Open Source | Basic | Manual | No | Free |
Usage Examples
Red Team Workflow
# 1. Reconnaissance
./tools/recon.sh target.com -a -o ./recon_results
# 2. Vulnerability Scanning
python3 tools/scanner.py target.com -a -o ./scan_results
# 3. Manual Testing
# Use Burp Suite, manual exploitation, etc.
# 4. Reporting
# Document findings and create report
Blue Team Workflow
# 1. Setup Monitoring
# Configure SIEM, EDR, network monitoring
# 2. Incident Detection
# Monitor alerts and logs
# 3. Incident Response
python3 tools/incident-response.py collect --case-id IR-20250112
# 4. Analysis & Reporting
python3 tools/incident-response.py report --case-id IR-20250112
Purple Team Exercise
# 1. Planning
# Define objectives, scope, and scenarios
# 2. Red Team Attack
# Execute specific TTPs from MITRE ATT&CK
# 3. Blue Team Detection
# Monitor for detection, document findings
# 4. Collaboration
# Review results together, identify gaps
# 5. Improvement
# Update detections, re-test, document improvements
Additional Resources
Documentation Links
- MITRE ATT&CK: https://attack.mitre.org/
- OWASP: https://owasp.org/
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- SANS Reading Room: https://www.sans.org/reading-room/
Tool Repositories
- Kali Linux Tools: https://www.kali.org/tools/
- Security Onion: https://securityonionsolutions.com/
- HELK: https://github.com/Cyb3rWard0g/HELK
- Awesome Security: https://github.com/sbilly/awesome-security
Learning Platforms
- TryHackMe: https://tryhackme.com/
- HackTheBox: https://www.hackthebox.eu/
- PentesterLab: https://pentesterlab.com/
- Blue Team Labs Online: https://blueteamlabs.online/
Troubleshooting
Common Issues
Nmap: Permission denied
# Run with sudo for advanced scans
sudo nmap -sS target.com
Python tool missing dependencies
# Install all requirements
pip3 install -r requirements.txt --user
Tool not found in PATH
# Add to PATH temporarily
export PATH=$PATH:/path/to/tool
# Or permanently in ~/.bashrc or ~/.zshrc
echo 'export PATH=$PATH:/path/to/tool' >> ~/.bashrc
PCAP file too large
# Split pcap file
tcpdump -r large.pcap -w split.pcap -C 100
Best Practices
Tool Selection
- Choose the right tool for the specific task
- Consider licensing and compliance requirements
- Test tools in lab environment first
- Keep tools updated regularly
Security Considerations
- Only use tools on authorized targets
- Secure tool configurations and credentials
- Sanitize logs and reports before sharing
- Follow responsible disclosure practices
Documentation
- Document tool configurations
- Maintain command reference sheets
- Record findings and evidence properly
- Share knowledge with team members
Last Updated: 2025-01-12
Maintained By: AnyTeam Project
For updates and contributions, visit: AnyTeam GitHub