cyber revision

Tools

Wireshark, Burp Suite, Metasploit, John/Hashcat and the rest of the kit: what each is for and when to reach for it.


Knowing the kit

You're rarely asked to drive these tools in an exam, but you must know what each one does and when it's the right choice. They cluster by the job they do. Most ship with Kali Linux (and Parrot OS), the security-focused distributions that bundle the toolset.

Network analysis

Wireshark is the standard GUI packet analyser. It captures and dissects traffic, decoding every protocol layer so you can read exactly what crossed the wire. Used for troubleshooting, for finding credentials sent in plaintext, and in forensics to reconstruct sessions from a PCAP. Its display-filter language (http, tcp.port == 443, ip.addr == 10.0.0.5) is how you find the needle. tcpdump is its command-line counterpart for capture on servers without a GUI.
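As an added illustration (not code from these notes, and nothing to do with Wireshark's own implementation), the snippet below does in miniature what a packet analyser does: it reads a classic pcap container, peels Ethernet, IPv4 and TCP/UDP headers, and evaluates the three display filters quoted above against a capture built inline from constructed frames. The IP addresses, ports and the plaintext login request are all made up for the example.

```python
# Added example, not code from the revision notes: a toy packet dissector in
# the style of Wireshark/tcpdump. It reads a classic pcap container (built
# inline from constructed frames), peels Ethernet -> IPv4 -> TCP/UDP, and
# evaluates a few display-filter expressions of the kind quoted above.
import struct

LINKTYPE_ETHERNET = 1

def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b""):
    """Ethernet + IPv4 + TCP(6)/UDP(17) frame; addresses are constructed test values."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"
    if proto == 6:   # 20-byte TCP header: ports, seq, ack, data offset 5, PSH|ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x18, 8192, 0, 0)
    else:            # 8-byte UDP header: ports, length, checksum
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    total = 20 + len(l4) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip + l4 + payload

def build_pcap(packets):
    """Wrap (timestamp, frame) pairs in a little-endian classic pcap file."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for ts, frame in packets:
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame)
    return b"".join(out)

def read_pcap(data):
    """Return [(timestamp, frame_bytes), ...] from pcap bytes."""
    if struct.unpack("<I", data[:4])[0] != 0xA1B2C3D4:
        raise ValueError("not a little-endian classic pcap")
    pos, frames = 24, []
    while pos + 16 <= len(data):
        ts, _, caplen, _ = struct.unpack("<IIII", data[pos:pos + 16])
        frames.append((ts, data[pos + 16:pos + 16 + caplen]))
        pos += 16 + caplen
    return frames

def dissect(frame):
    """Peel the layers into Wireshark-style field names."""
    fields = {}
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:   # only IPv4 handled here
        return fields
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    fields["ip.src"] = ".".join(str(b) for b in ip[12:16])
    fields["ip.dst"] = ".".join(str(b) for b in ip[16:20])
    fields["ip.addr"] = {fields["ip.src"], fields["ip.dst"]}   # matches either end
    l4 = ip[ihl:]
    sport, dport = struct.unpack("!HH", l4[:4])
    if ip[9] == 6:
        fields["tcp.port"] = {sport, dport}
        payload = l4[(l4[12] >> 4) * 4:]
        # Heuristic dissection of the payload, as Wireshark does for HTTP
        if payload.startswith((b"GET ", b"POST ", b"HEAD ")):
            fields["http"] = True
            fields["http.request.uri"] = payload.split(b" ", 2)[1].decode("ascii", "replace")
    elif ip[9] == 17:
        fields["udp.port"] = {sport, dport}
    return fields

def matches(fields, expr):
    """Evaluate 'proto' or 'field == value' (a small subset of display-filter syntax)."""
    if "==" not in expr:
        return expr.strip() in fields
    name, value = (p.strip() for p in expr.split("==", 1))
    got = fields.get(name)
    if got is None:
        return False
    return value in {str(v) for v in got} if isinstance(got, set) else str(got) == value

def apply_filter(pcap_bytes, expr):
    """Indexes of packets matching expr, like a Wireshark display filter."""
    return [i for i, (_, frame) in enumerate(read_pcap(pcap_bytes))
            if matches(dissect(frame), expr)]

# Constructed capture: a plaintext HTTP login, a TLS record fragment and a DNS query
SAMPLE_PCAP = build_pcap([
    (1, build_frame("10.0.0.5", "198.51.100.20", 6, 51000, 80,
                    b"GET /login?user=bob&pw=hunter2 HTTP/1.1\r\nHost: shop.example\r\n\r\n")),
    (2, build_frame("10.0.0.7", "198.51.100.20", 6, 51001, 443, b"\x16\x03\x01\x00\x05")),
    (3, build_frame("10.0.0.5", "10.0.0.1", 17, 53001, 53, b"\x12\x34\x01\x00")),
])

if __name__ == "__main__":
    for expr in ("http", "tcp.port == 443", "ip.addr == 10.0.0.5"):
        print(f"{expr:22} -> packets {apply_filter(SAMPLE_PCAP, expr)}")
    print("plaintext credentials:", dissect(read_pcap(SAMPLE_PCAP)[0][1])["http.request.uri"])
```

The `ip.addr` field is a set of both endpoints, which is why `ip.addr == 10.0.0.5` matches packets in either direction; the first packet's request line is the kind of plaintext credential a capture exposes and the reason the notes pair Wireshark with "credentials sent in plaintext".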

Web application testing

Burp Suite is the dominant web app testing platform. Its core is an intercepting proxy: it sits between your browser and the target so you can see and modify every HTTP request before it's sent, which is the practical demonstration that client-side controls mean nothing. Key modules: Repeater (resend and tweak a request by hand), Intruder (automate payloads, e.g. for fuzzing or brute-forcing), and a passive scanner. OWASP ZAP is the free, open-source equivalent. Directory brute-forcing tools (gobuster, ffuf, dirb) and nikto (scanning for web server misconfigurations) complement these.
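The "client-side controls mean nothing" point, as an added example that is not from these notes: two versions of a checkout handler receive the same raw HTTP request. The first trusts the hidden `total` and `role` fields a page's JavaScript filled in, so editing the request in a proxy changes what the server does; the second ignores those fields and recomputes from server-side state. The catalogue, session and requests are constructed for the example.

```python
# Added example, not code from the revision notes: the point an intercepting
# proxy proves. Both handlers receive the same raw HTTP request a browser would
# send; one trusts fields the page's JavaScript filled in, the other recomputes
# them server-side. The catalogue, prices, session and requests are constructed.
from urllib.parse import parse_qs

CATALOGUE = {"sku-100": 4999, "sku-200": 1500}   # unit prices in pence (constructed)

def parse_request(raw):
    """Split a raw HTTP/1.1 request into method, path, headers and decoded form."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers = dict(h.split(": ", 1) for h in header_lines)
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return method, path, headers, form

def checkout_vulnerable(raw, session):
    """Trusts 'total' and 'role' from the form, i.e. from whoever holds the proxy."""
    _, _, _, form = parse_request(raw)
    return {"charged": int(form["total"]), "role": form.get("role", session["role"])}

def checkout_hardened(raw, session):
    """Client-supplied values are hints only: price comes from the catalogue,
    quantity is range-checked, and the role comes from the server-side session."""
    _, _, _, form = parse_request(raw)
    sku, qty = form.get("sku"), form.get("qty", "")
    if sku not in CATALOGUE or not qty.isdigit() or not 1 <= int(qty) <= 99:
        raise ValueError("rejected: bad sku or quantity")
    return {"charged": CATALOGUE[sku] * int(qty), "role": session["role"]}

def request(body):
    """Build the raw request text a browser (or Repeater) would send."""
    return ("POST /checkout HTTP/1.1\r\nHost: shop.example\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}")

SESSION = {"user": "bob", "role": "customer"}                # server-side state
ORIGINAL = request("sku=sku-100&qty=1&total=4999")           # what the browser sent
TAMPERED = request("sku=sku-100&qty=1&total=1&role=admin")   # the same request after editing in the proxy

if __name__ == "__main__":
    print("vulnerable:", checkout_vulnerable(TAMPERED, SESSION))
    print("hardened:  ", checkout_hardened(TAMPERED, SESSION))
```

The hardened handler never needs to know the request was modified: because every decision is derived from the catalogue and the session, the proxy can change the form fields however it likes and the outcome is the same as for the original request.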

Exploitation frameworks

Metasploit is a framework of ready-made exploits, payloads and post-exploitation modules with a consistent workflow (search a vuln → use the module → set options → exploit). Its Meterpreter payload is a full-featured in-memory shell for post-exploitation (file access, pivoting, privilege escalation helpers). Hugely useful, but a crutch if leaned on blindly; understanding why an exploit works matters more than running it. searchsploit (offline Exploit-DB search) and the underlying Exploit-DB are where you find standalone exploit code.

Password and hash attacks

Tied to the hashing chapter; these attack credentials:

  • John the Ripper and Hashcat: offline password crackers that take stolen hashes and attempt to recover the plaintext (dictionary, rule-based, brute-force, mask attacks). Hashcat is GPU-accelerated and extremely fast, which is the whole reason fast hashes are unsafe for password storage. You must identify the hash type first (hashid/hash-identifier).
  • Hydra: an online brute-forcer that attacks live login services (SSH, FTP, HTTP forms, RDP) by trying credentials against them. Online attacks are slow and noisy, and good rate-limiting/lockouts defeat them, as covered in the auth chapter.
  • Wordlists: the ammunition for both. rockyou.txt (millions of real leaked passwords) is the famous default; SecLists is the broader collection of wordlists for passwords, directories, usernames and more.
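The two steps the bullets describe for offline cracking, as an added example that is not from these notes: identify the hash format first (the job of hashid / hash-identifier), then run a wordlist against it. The same wordlist is then run against a salted, iterated PBKDF2 store to show why a slow, salted KDF is the defence against fast GPU cracking. The "leaked" hashes, salts and wordlist are all constructed, and the `$pbkdf2-sha256$` record format is this example's own, not a real tool's.

```python
# Added example, not code from the revision notes: the two steps the bullets
# describe for offline cracking (identify the format, then run a wordlist), and
# why the same wordlist costs far more against a salted, slow KDF. The hashes,
# salts and wordlist are constructed; the $pbkdf2-sha256$ record format is
# this example's own, not a real tool's.
import hashlib
import re

FAST = {"md5": hashlib.md5, "sha1": hashlib.sha1, "sha256": hashlib.sha256}

def identify_hash(h):
    """Guess the format from prefix/length, the job hashid / hash-identifier do."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        return "bcrypt"
    if h.startswith("$pbkdf2-sha256$"):
        return "pbkdf2-sha256"
    for name, hexlen in (("md5", 32), ("sha1", 40), ("sha256", 64)):
        if re.fullmatch(rf"[0-9a-f]{{{hexlen}}}", h):
            return name        # ambiguous in practice (e.g. NTLM is also 32 hex)
    return "unknown"

def crack_fast(targets, wordlist):
    """Unsalted fast hash: one digest per word is checked against every user,
    so the cost is len(wordlist) hashes regardless of how many users leaked."""
    fmt = identify_hash(next(iter(targets.values())))
    lookup = {FAST[fmt](w.encode()).hexdigest(): w for w in wordlist}
    cracked = {user: lookup[h] for user, h in targets.items() if h in lookup}
    return cracked, len(lookup)

def pbkdf2_record(password, salt, iterations=100_000):
    """How a server should store a password: per-user salt plus an iterated KDF."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"$pbkdf2-sha256${iterations}${salt.hex()}${dk.hex()}"

def crack_pbkdf2(targets, wordlist):
    """Salted slow KDF: every (user, word) pair costs a full KDF run, and the
    per-user salt means no shared lookup table is possible."""
    cracked, work = {}, 0
    for user, rec in targets.items():
        _, _, iters, salt_hex, dk_hex = rec.split("$")
        for w in wordlist:
            work += 1
            dk = hashlib.pbkdf2_hmac("sha256", w.encode(), bytes.fromhex(salt_hex), int(iters))
            if dk.hex() == dk_hex:
                cracked[user] = w
                break
    return cracked, work

WORDLIST = ["password", "letmein", "hunter2", "Summer2024!", "qwerty123"]   # constructed
FAST_TARGETS = {   # "leaked" unsalted SHA-256 hashes, constructed for the example
    "alice": hashlib.sha256(b"hunter2").hexdigest(),
    "bob":   hashlib.sha256(b"Summer2024!").hexdigest(),
    "carol": hashlib.sha256(b"x7!Qv9#pLw2-unique").hexdigest(),   # not in the wordlist
}
SLOW_TARGETS = {   # the same two weak passwords stored properly
    "alice": pbkdf2_record("hunter2", b"salt-for-alice"),
    "bob":   pbkdf2_record("Summer2024!", b"salt-for-bob"),
}

if __name__ == "__main__":
    print("format:", identify_hash(FAST_TARGETS["alice"]))
    print("fast  :", crack_fast(FAST_TARGETS, WORDLIST), "(units = single SHA-256 calls)")
    print("pbkdf2:", crack_pbkdf2(SLOW_TARGETS, WORDLIST), "(units = 100,000 HMAC rounds each)")
```

Two things to take from the output: the unsalted store is cracked for every user with one pass over the wordlist, while the salted store forces a separate pass per user; and each PBKDF2 guess costs 100,000 HMAC rounds instead of one, which is the cost factor that makes a weak password survive longer. Neither defence helps carol's strong password need it, and neither rescues alice's "hunter2" for long against a real wordlist; slow hashing buys time, password quality decides the outcome.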

Vulnerability scanning

Nessus, OpenVAS and Qualys are automated scanners that check a target against databases of known vulnerabilities and misconfigurations, producing prioritised reports. Remember the distinction: they find known issues but don't exploit or chain them. That's the human pentester's job.

Recon and OS

  • nmap: the scanner from the previous chapter; the universal first step.
  • theHarvester, recon-ng, amass, Shodan: OSINT and subdomain/asset discovery.
  • Kali Linux / Parrot OS: Debian-based distributions pre-loaded with the above, the standard offensive working environment.

Defensive / blue-team tooling (for contrast)

So the picture isn't only offensive; the defender's kit from the forensics and SOC chapters:

  • Splunk / Microsoft Sentinel / Elastic (ELK): SIEM platforms for log aggregation and correlation.
  • Snort / Suricata / Zeek: network IDS and traffic analysis.
  • Volatility: memory forensics; Autopsy/The Sleuth Kit and FTK for disk forensics.
  • YARA: pattern-matching rules to identify and classify malware.
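What the SIEM and NIDS entries above do with the "slow and noisy" online brute force from the Hydra bullet, as an added example that is not from these notes: a correlation rule that reads sshd authentication log lines, counts failures per source IP inside a sliding window, and raises an alert at a threshold, with a second alert if the same IP then gets an accepted login. The log lines are constructed in OpenSSH's auth.log style, and the year is assumed because syslog timestamps omit it.

```python
# Added example, not code from the revision notes: a SIEM/NIDS-style
# correlation rule that spots the "slow and noisy" online brute force the
# Hydra bullet describes. The sshd log lines are constructed in OpenSSH's
# auth.log style; the year is assumed because syslog lines omit it.
import re
from collections import defaultdict, deque
from datetime import datetime

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
    r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(line, year=2024):
    """Return (timestamp, outcome, user, src_ip) or None for lines the rule ignores."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Alert once per source IP when it logs >= threshold failures inside a
    sliding window, and again if that IP later gets an Accepted login."""
    failures = defaultdict(deque)   # src_ip -> recent (timestamp, user) failures
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, ip = ev
        if outcome == "Failed":
            recent = failures[ip]
            recent.append((ts, user))
            while recent and (ts - recent[0][0]).total_seconds() > window_s:
                recent.popleft()    # expire failures outside the window
            if len(recent) >= threshold and ip not in alerted:
                alerted.add(ip)
                alerts.append({"rule": "ssh-bruteforce", "src": ip, "at": ts,
                               "users": sorted({u for _, u in recent})})
        elif ip in alerted:         # Accepted from an IP already flagged
            alerts.append({"rule": "ssh-success-after-bruteforce", "src": ip,
                           "user": user, "at": ts})
    return alerts

# Constructed auth.log extract: one noisy source, one legitimate user with a typo
SAMPLE_LOG = """\
Mar 10 08:00:01 web1 sshd[1201]: Failed password for root from 203.0.113.9 port 50110 ssh2
Mar 10 08:00:03 web1 sshd[1202]: Failed password for invalid user admin from 203.0.113.9 port 50111 ssh2
Mar 10 08:00:04 web1 sshd[1203]: Accepted password for deploy from 10.0.0.21 port 40200 ssh2
Mar 10 08:00:05 web1 sshd[1204]: Failed password for root from 203.0.113.9 port 50112 ssh2
Mar 10 08:00:07 web1 sshd[1205]: Failed password for invalid user test from 203.0.113.9 port 50113 ssh2
Mar 10 08:00:09 web1 sshd[1206]: Failed password for root from 203.0.113.9 port 50114 ssh2
Mar 10 08:00:20 web1 sshd[1207]: Failed password for deploy from 10.0.0.21 port 40201 ssh2
Mar 10 08:00:21 web1 sshd[1208]: pam_unix(sshd:auth): authentication failure; logname= uid=0
Mar 10 08:01:30 web1 sshd[1209]: Accepted password for root from 203.0.113.9 port 50115 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second rule is the one worth tuning in a real SIEM: a burst of failures is an everyday event, but an accepted login from the same source shortly afterwards is the signal that the guessing may have worked and is where an analyst should start. The single legitimate typo from 10.0.0.21 never reaches the threshold, which is the point of correlating per source rather than alerting on every failure.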

Choosing the right tool

The exam-useful skill is matching tool to task:

Task                                       Reach for
------------------------------------------------------------------
See/modify HTTP requests                   Burp Suite / ZAP
Analyse captured traffic                   Wireshark / tcpdump
Crack stolen password hashes               Hashcat / John
Brute-force a live login                   Hydra
Scan ports / map a host                    nmap
Find known vulnerabilities automatically   Nessus / OpenVAS
Use a ready-made exploit                   Metasploit / searchsploit
Aggregate and correlate logs               SIEM (Splunk/Sentinel)
Analyse a memory dump                      Volatility

Quick recall

  • Wireshark/tcpdump = packet capture and analysis (and forensics). Burp Suite/ZAP = intercepting proxy for web testing (Repeater, Intruder).
  • Metasploit = exploit + payload + post-exploitation framework (Meterpreter); searchsploit/Exploit-DB for standalone exploits.
  • John & Hashcat crack hashes offline (Hashcat is GPU-fast); Hydra brute-forces live logins online. rockyou.txt / SecLists are the wordlists.
  • Nessus/OpenVAS scan for known vulns (find, don't exploit). nmap is the first-step scanner. Kali/Parrot bundle everything.
  • Blue-team side: SIEM (Splunk/Sentinel/Elastic), Snort/Suricata (NIDS), Volatility (memory), Autopsy/FTK (disk), YARA (malware rules).