Tools Guide

October 12, 2025 ยท View on GitHub

Comprehensive guide to cybersecurity tools for Red, Blue, and Purple Teams

Table of Contents


Installation Instructions

Prerequisites

Before installing security tools, ensure your system has:

# Update system packages
sudo apt update && sudo apt upgrade -y  # Debian/Ubuntu
sudo dnf update -y                       # Fedora/RHEL
brew update && brew upgrade              # macOS

# Install essential dependencies
sudo apt install -y build-essential git curl wget python3 python3-pip

Quick Setup Script

Use our automated setup script:

cd tools/
chmod +x setup-lab.sh
sudo ./setup-lab.sh

Red Team Tools

Reconnaissance Tools

Nmap - Network Scanner

Purpose: Network discovery and security auditing

Installation:

# Linux
sudo apt install nmap

# macOS
brew install nmap

# Verify installation
nmap --version

Usage Examples:

# Quick scan of top 1000 ports
nmap -T4 -F target.com

# Full port scan with service detection
nmap -sV -sC -p- target.com

# OS detection
nmap -O target.com

# Scan multiple targets
nmap 192.168.1.0/24

theHarvester - OSINT Tool

Purpose: Email, subdomain, and host gathering

Installation:

git clone https://github.com/laramies/theHarvester
cd theHarvester
pip3 install -r requirements.txt

Usage Examples:

# Search using Google
python3 theHarvester.py -d target.com -b google

# Search all sources
python3 theHarvester.py -d target.com -b all

# Limit results
python3 theHarvester.py -d target.com -b bing -l 200

Subfinder - Subdomain Discovery

Purpose: Fast subdomain enumeration

Installation:

go install -v github.com/projectdiscovery/subfinder/v2/cmd/subfinder@latest

Usage Examples:

# Basic subdomain enumeration
subfinder -d target.com

# Save results to file
subfinder -d target.com -o subdomains.txt

# Use all sources
subfinder -d target.com -all

Exploitation Tools

Metasploit Framework

Purpose: Comprehensive penetration testing framework

Installation:

curl https://raw.githubusercontent.com/rapid7/metasploit-omnibus/master/config/templates/metasploit-framework-wrappers/msfupdate.erb > msfinstall
chmod 755 msfinstall
./msfinstall

Usage Examples:

# Start Metasploit console
msfconsole

# Search for exploits
msf6 > search ms17-010

# Use an exploit
msf6 > use exploit/windows/smb/ms17_010_eternalblue

# Set target and options
msf6 exploit(ms17_010_eternalblue) > set RHOSTS 192.168.1.100
msf6 exploit(ms17_010_eternalblue) > exploit

SQLMap - SQL Injection Tool

Purpose: Automatic SQL injection and database takeover

Installation:

git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git
cd sqlmap

Usage Examples:

# Test a URL for SQL injection
python sqlmap.py -u "http://target.com/page.php?id=1"

# Enumerate databases
python sqlmap.py -u "http://target.com/page.php?id=1" --dbs

# Dump database
python sqlmap.py -u "http://target.com/page.php?id=1" -D database_name --dump

Web Application Testing

Burp Suite Community Edition

Purpose: Web vulnerability scanner and intercepting proxy

Installation:

# Download from https://portswigger.net/burp/communitydownload
# Or use package manager
sudo apt install burpsuite

# macOS
brew install --cask burp-suite

Basic Workflow:

  1. Configure browser proxy to 127.0.0.1:8080
  2. Enable intercept in Burp
  3. Navigate to target website
  4. Analyze and modify requests
  5. Use scanner and intruder for testing

OWASP ZAP

Purpose: Open-source web application security scanner

Installation:

# Linux
sudo snap install zaproxy --classic

# macOS
brew install --cask owasp-zap

# Docker
docker run -p 8080:8080 owasp/zap2docker-stable

Usage Examples:

# Automated scan
zap-cli quick-scan http://target.com

# Spider website
zap-cli spider http://target.com

# Active scan
zap-cli active-scan http://target.com

Blue Team Tools

SIEM & Log Management

Splunk (Free)

Purpose: Enterprise log management and SIEM

Installation:

# Download from https://www.splunk.com/en_us/download/splunk-enterprise.html
wget -O splunk.deb 'https://download.splunk.com/...'
sudo dpkg -i splunk.deb

Initial Setup:

cd /opt/splunk/bin
./splunk start --accept-license
# Access web interface at http://localhost:8000

ELK Stack (Elasticsearch, Logstash, Kibana)

Purpose: Open-source log management

Installation (Docker):

git clone https://github.com/deviantony/docker-elk.git
cd docker-elk
docker-compose up -d

Usage:

Network Monitoring

Wireshark

Purpose: Network protocol analyzer

Installation:

# Linux
sudo apt install wireshark

# macOS
brew install --cask wireshark

Usage Examples:

# Capture on interface
tshark -i eth0

# Capture with filter
tshark -i eth0 -f "tcp port 80"

# Read pcap file
tshark -r capture.pcap

# Display filter
tshark -r capture.pcap -Y "http.request"

Zeek (formerly Bro)

Purpose: Network security monitoring framework

Installation:

# Ubuntu/Debian
sudo apt install zeek

# macOS
brew install zeek

Usage Examples:

# Analyze pcap file
zeek -r capture.pcap

# Monitor live traffic
zeek -i eth0 local

# View logs
cat conn.log | zeek-cut id.orig_h id.resp_h duration

Suricata

Purpose: Network threat detection engine

Installation:

sudo apt install suricata

# Update rules
sudo suricata-update

Usage Examples:

# Run on interface
sudo suricata -c /etc/suricata/suricata.yaml -i eth0

# Analyze pcap
sudo suricata -c /etc/suricata/suricata.yaml -r capture.pcap

# View alerts
tail -f /var/log/suricata/fast.log

Endpoint Detection

OSSEC

Purpose: Host-based intrusion detection

Installation:

wget https://github.com/ossec/ossec-hids/archive/3.7.0.tar.gz
tar -zxvf 3.7.0.tar.gz
cd ossec-hids-3.7.0
sudo ./install.sh

Wazuh (OSSEC fork)

Purpose: Open-source EDR and XDR

Installation (Docker):

git clone https://github.com/wazuh/wazuh-docker.git
cd wazuh-docker/single-node
docker-compose up -d

Access: https://localhost (admin/admin)

Digital Forensics

Autopsy

Purpose: Digital forensics platform

Installation:

# Download from https://www.autopsy.com/download/

# Linux
sudo apt install autopsy

# macOS
brew install --cask autopsy

Volatility 3

Purpose: Memory forensics framework

Installation:

git clone https://github.com/volatilityfoundation/volatility3.git
cd volatility3
pip3 install -r requirements.txt

Usage Examples:

# List processes
python3 vol.py -f memory.dump windows.pslist

# Scan for processes
python3 vol.py -f memory.dump windows.psscan

# Dump process
python3 vol.py -f memory.dump windows.dumpfiles --pid 1234

Purple Team Tools

Attack Simulation

Atomic Red Team

Purpose: Small, focused tests mapped to MITRE ATT&CK

Installation:

git clone https://github.com/redcanaryco/atomic-red-team.git
cd atomic-red-team

# Install execution framework
IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
Install-AtomicRedTeam

Usage Examples:

# List all techniques
Invoke-AtomicTest All -ShowDetails

# Run specific technique
Invoke-AtomicTest T1059.001

# Cleanup after test
Invoke-AtomicTest T1059.001 -Cleanup

CALDERA

Purpose: Automated adversary emulation platform

Installation:

git clone https://github.com/mitre/caldera.git --recursive
cd caldera
pip3 install -r requirements.txt

# Start server
python3 server.py --insecure

Access: http://localhost:8888 (admin/admin)

Detection Testing

Sigma Rules

Purpose: Generic signature format for SIEM systems

Installation:

git clone https://github.com/SigmaHQ/sigma.git
pip3 install sigma-cli

Usage Examples:

# Convert Sigma rule to Splunk
sigma convert -t splunk rule.yml

# Convert to Elastic
sigma convert -t elasticsearch rule.yml

# Convert all rules in directory
sigma convert -t qradar -r rules/

Detection Lab

Purpose: Build detection capabilities in a lab

Installation:

git clone https://github.com/clong/DetectionLab.git
cd DetectionLab/Vagrant
vagrant up

Tool Comparison Tables

SIEM Platforms

ToolTypeCostProsConsBest For
SplunkCommercialFree (limited)Powerful, extensive featuresResource intensiveEnterprise
ELK StackOpen SourceFreeFlexible, scalableComplex setupMid-size orgs
GraylogOpen SourceFreeUser-friendlyLimited featuresSmall teams
QRadarCommercialPaidAI featuresExpensiveLarge enterprise

Vulnerability Scanners

ToolTypeSpeedAccuracyFeaturesLearning Curve
NessusCommercialFastHighExtensiveEasy
OpenVASOpen SourceMediumGoodLimitedModerate
QualysCloudFastHighComprehensiveEasy
NexposeCommercialFastHighGood reportingModerate

Web Proxies

ToolTypeFeaturesEase of UseBest For
Burp SuiteFreemiumComprehensiveModerateProfessional testing
OWASP ZAPFreeGoodEasyLearning & automation
mitmproxyFreeScriptableHardCustom workflows

EDR Solutions

ToolTypeDetectionResponseCloud-NativeCost
CrowdStrikeCommercialExcellentAutomatedYesHigh
Carbon BlackCommercialExcellentGoodYesHigh
WazuhOpen SourceGoodManualPartialFree
OSSECOpen SourceBasicManualNoFree

Usage Examples

Red Team Workflow

# 1. Reconnaissance
./tools/recon.sh target.com -a -o ./recon_results

# 2. Vulnerability Scanning
python3 tools/scanner.py target.com -a -o ./scan_results

# 3. Manual Testing
# Use Burp Suite, manual exploitation, etc.

# 4. Reporting
# Document findings and create report

Blue Team Workflow

# 1. Setup Monitoring
# Configure SIEM, EDR, network monitoring

# 2. Incident Detection
# Monitor alerts and logs

# 3. Incident Response
python3 tools/incident-response.py collect --case-id IR-20250112

# 4. Analysis & Reporting
python3 tools/incident-response.py report --case-id IR-20250112

Purple Team Exercise

# 1. Planning
# Define objectives, scope, and scenarios

# 2. Red Team Attack
# Execute specific TTPs from MITRE ATT&CK

# 3. Blue Team Detection
# Monitor for detection, document findings

# 4. Collaboration
# Review results together, identify gaps

# 5. Improvement
# Update detections, re-test, document improvements

Additional Resources

Tool Repositories

Learning Platforms


Troubleshooting

Common Issues

Nmap: Permission denied

# Run with sudo for advanced scans
sudo nmap -sS target.com

Python tool missing dependencies

# Install all requirements
pip3 install -r requirements.txt --user

Tool not found in PATH

# Add to PATH temporarily
export PATH=$PATH:/path/to/tool

# Or permanently in ~/.bashrc or ~/.zshrc
echo 'export PATH=$PATH:/path/to/tool' >> ~/.bashrc

PCAP file too large

# Split pcap file
tcpdump -r large.pcap -w split.pcap -C 100

Best Practices

Tool Selection

  • Choose the right tool for the specific task
  • Consider licensing and compliance requirements
  • Test tools in lab environment first
  • Keep tools updated regularly

Security Considerations

  • Only use tools on authorized targets
  • Secure tool configurations and credentials
  • Sanitize logs and reports before sharing
  • Follow responsible disclosure practices

Documentation

  • Document tool configurations
  • Maintain command reference sheets
  • Record findings and evidence properly
  • Share knowledge with team members

Last Updated: 2025-01-12
Maintained By: AnyTeam Project

For updates and contributions, visit: AnyTeam GitHub