CompTIA Security+

Security+ Course – 2.6 Security Assessment Tools

2.6.1 Protocol Analysers

Protocol analysers let administrators look inside the packets travelling on a network and inspect them in detail. This is useful both for troubleshooting network problems and for investigating security incidents. Wireshark captures traffic and decodes the raw binary packets into a human-readable form, so you can see what traffic is crossing the network, how much of it there is, how frequently it occurs, how much latency there is between hops, and so on.

Wireshark is a graphical protocol analyser/packet sniffer. It gives in-depth detail about the traffic on the network.

tcpdump is a command-line packet sniffer.

Wireshark and tcpdump are both built on the libpcap capture library (Npcap on Windows), so they share the same capture-filter (BPF) syntax: a filter that works with tcpdump works as a Wireshark capture filter. Capturing needs root/administrator rights, and on a switched network you normally only see traffic to and from your own machine (plus broadcasts) unless you capture from a SPAN/mirror port or a network tap.
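As an added example (not from the original notes), the script below shows the two tcpdump invocations a practitioner reaches for most often, and a small awk summary that turns `tcpdump -nn` text into per-host-pair packet counts ("top talkers"). The interface name is passed in as an argument; the sample capture lines are constructed to match tcpdump's text format and use documentation address ranges.

```shell
#!/bin/sh
# Added example: tcpdump capture helpers plus a "top talkers" summary of
# tcpdump -nn text output.  The sample lines are constructed, not a real
# capture; the interface name is whatever you pass as $1.

# Capture 200 packets on interface $1 with no name resolution (-nn) into a
# pcap file you can open in Wireshark later.  Needs root.  Not run here.
capture_to_file() {
  tcpdump -nn -i "$1" -c 200 -w "capture_$(date +%s).pcap"
}

# Live text output of TCP SYN packets only (new connection attempts), using
# BPF capture-filter syntax that Wireshark accepts unchanged as a capture filter.
show_syns() {
  tcpdump -nn -i "$1" 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn'
}

# Read tcpdump -nn text on stdin and print "count source destination" per
# host pair (ports stripped), busiest pair first.
flow_summary() {
  awk '
    $2 == "IP" {
      src = $3; dst = $5
      sub(/:$/, "", dst)            # "10.0.0.1.53:" -> "10.0.0.1.53"
      sub(/\.[0-9]+$/, "", src)     # drop the trailing ".port"
      sub(/\.[0-9]+$/, "", dst)
      count[src " " dst]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -k1,1nr -k2,2
}

# Constructed sample in tcpdump -nn format: a TCP handshake and a DNS lookup.
SAMPLE_TCPDUMP='12:00:01.000001 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000200 IP 203.0.113.10.443 > 10.0.0.5.51234: Flags [S.], seq 2, ack 2, win 65535, length 0
12:00:01.000300 IP 10.0.0.5.51234 > 203.0.113.10.443: Flags [.], ack 1, win 502, length 0
12:00:02.000000 IP 10.0.0.9.40000 > 10.0.0.1.53: 12345+ A? example.com. (29)
12:00:02.000500 IP 10.0.0.1.53 > 10.0.0.9.40000: 12345 1/0/0 A 203.0.113.10 (45)
12:00:03.000000 IP 10.0.0.5.51235 > 203.0.113.10.443: Flags [S], seq 9, win 64240, length 0'

# Offline demo on the sample; for a live box: tcpdump -nn -i eth0 -c 500 | flow_summary
printf '%s\n' "$SAMPLE_TCPDUMP" | flow_summary
```

The summary deliberately ignores ports: during triage you first want to know which machines are talking, and only then drill into individual flows in Wireshark.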



2.6.2 Network Scanning

Network scanning is used to detect active systems on the network and the services they expose.

Network Mapping

This provides an important glimpse of network activity. It is particularly useful for detecting rogue systems, that is, devices on the network that are not in your inventory. One of the most popular network mapping tools is Nmap (short for Network Mapper). It is a free download from

Nmap can scan your network and find a lot of information, such as:

  • Device names
  • OS version
  • Open ports

EXAM TIP: get some hands-on experience with Nmap
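As an added example (not from the original notes), the script below turns an Nmap scan into the rogue-system check described above: it compares the hosts that answered a scan against an inventory of approved addresses, and lists the open ports Nmap found. The scan output is constructed in Nmap's grepable (`-oG`) format; the inventory file name is an assumption.

```shell
#!/bin/sh
# Added example: find rogue hosts by comparing an Nmap scan (grepable output)
# against an allow-list of approved IPs, and list open ports from the same
# output.  The scan text below is constructed; the allow-list file is created
# on the fly for the demo.

# Produce the input yourself (needs network access, not run here):
#   nmap -sn -oG sweep.txt 10.0.0.0/28      # host discovery only
#   nmap -sS -oG scan.txt 10.0.0.0/28       # SYN port scan, needs root

# $1 = allow-list file (one IP per line); grepable scan output on stdin.
# Prints every host reported Up that is not on the allow-list.
rogue_hosts() {
  awk -v allow="$1" '
    BEGIN { while ((getline line < allow) > 0) ok[line] = 1 }
    /^Host:/ && /Status: Up/ && !($2 in ok) { print $2 }
  '
}

# Grepable scan output on stdin; prints "ip port/proto service" per open port.
open_ports() {
  awk '
    /^Host:/ && /Ports:/ {
      ip = $2
      sub(/.*Ports: /, "")        # keep only the port list ...
      sub(/\t.*/, "")             # ... up to the next tab-separated field
      n = split($0, p, ", ")
      for (i = 1; i <= n; i++) {
        split(p[i], f, "/")       # port/state/proto/owner/service/...
        if (f[2] == "open") print ip, f[1] "/" f[3], f[5]
      }
    }
  '
}

# Constructed sample in -oG layout (fields are tab separated, as Nmap writes them).
SAMPLE_NMAP=$(
  printf '# Nmap 7.94 scan initiated as: nmap -sS -oG - 10.0.0.0/28\n'
  printf 'Host: 10.0.0.1 (gw.lab)\tStatus: Up\n'
  printf 'Host: 10.0.0.1 (gw.lab)\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///\tIgnored State: closed (998)\n'
  printf 'Host: 10.0.0.5 (ws01.lab)\tStatus: Up\n'
  printf 'Host: 10.0.0.5 (ws01.lab)\tPorts: 445/open/tcp//microsoft-ds///\tIgnored State: closed (999)\n'
  printf 'Host: 10.0.0.9 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.9 ()\tPorts: 22/open/tcp//ssh///, 4444/open/tcp//krb524///\tIgnored State: closed (998)\n'
  printf '# Nmap done -- 16 IP addresses (3 hosts up) scanned in 2.10 seconds\n'
)

# Offline demo: 10.0.0.9 answered the scan but is not in the inventory.
ALLOW=$(mktemp)
printf '10.0.0.1\n10.0.0.5\n' > "$ALLOW"
printf '%s\n' "$SAMPLE_NMAP" | rogue_hosts "$ALLOW"
printf '%s\n' "$SAMPLE_NMAP" | open_ports
rm -f "$ALLOW"
```

A host that is up, absent from the inventory and listening on an unexpected port (here 4444 on 10.0.0.9) is exactly the kind of thing this comparison is meant to surface; the next step is to find it physically or via the switch's MAC table.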


2.6.3 Exploitation Frameworks

These are like a hacker's Swiss army knife: collections of tools for testing whether vulnerabilities can actually be exploited. They can be used for both good and evil.

Metasploit

This is one of the most common exploitation frameworks. It began as an open source project but was purchased by the security firm Rapid7. The Metasploit Framework and Community Edition are free; Metasploit Pro is a commercial product with some extra features.

With this software you can scan your network for devices and get information about them: which services are running and on which ports, for example SSH on port 22. You can then search Metasploit for SSH modules. One of these is a login scanner (an auxiliary module rather than an exploit): you give it a list of usernames and passwords and it loops through them trying to authenticate. This tells you which credentials work, and can reveal whether a username actually exists on the system. From there you could carry out a brute-force attack. Note that this kind of password guessing is noisy (it shows up in the target's authentication logs and can lock accounts) and must only be run against systems you are authorised to test.

Metasploit has modules for many different services and programs.

EXAM TIP: get some hands-on experience with Metasploit



2.6.4 Command Line Network Tools

These are a quick and easy way to view network configuration and troubleshooting information.

ICMP and Ping

Ping helps you check whether another system is reachable. It uses the Internet Control Message Protocol (ICMP).

The system that initiates the ping sends an ICMP Echo Request ("Are you there?"). If the destination system is reachable it sends back an ICMP Echo Reply ("Yes, I am here").

Troubleshooting with Ping

Ping is very useful for troubleshooting. For example, say you are having trouble reaching a web server. With ping you can:

  1. Try pinging the web server
  2. Try pinging another server on the internet. This tells you whether you can reach the internet at all
  3. Ping a system on your local network. This tells you whether your own interface and the local network are working
  4. Try the ping from a different computer. If that works, the problem is specific to your machine

NOTE: some systems block ping on the firewall. If a system doesn't reply, that does not mean it is offline; it may simply not be responding to ICMP Echo Requests.
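As an added example (not from the original notes), the script below runs the first three ping checks from the list above and turns the results, together with the fourth check done by hand from another machine, into a diagnosis. It assumes a Linux/Mac `ping` that accepts `-c` (count); the `-W 2` timeout is in seconds on Linux (on macOS use `-t 2` instead). The host names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: the four-step ping troubleshooting procedure as a script.
# Assumes Linux/Mac ping; on macOS replace "-W 2" with "-t 2".  The fourth
# check (ping from a different computer) cannot be automated from this
# machine, so its result is passed in as an argument (1 = it worked).

reachable() {            # 0 = got an Echo Reply, 1 = no reply within 2 s
  ping -c 1 -W 2 "$1" >/dev/null 2>&1
}

# Arguments: target_ok internet_ok lan_ok other_host_ok   (each 1 or 0)
# The most specific conclusion is checked first, so order matters.
diagnose() {
  if   [ "$1" = 1 ]; then echo "target answers ICMP: look at the service, port or host firewall, not the network"
  elif [ "$4" = 1 ]; then echo "another machine reaches the target: the fault is local to this computer"
  elif [ "$2" = 1 ]; then echo "internet reachable but target not: target is down, unroutable or filtering ICMP"
  elif [ "$3" = 1 ]; then echo "LAN reachable but internet not: check the default gateway and upstream link"
  else                    echo "nothing reachable: check the interface, cable/Wi-Fi and IP configuration"
  fi
}

# $1 = web server, $2 = a known internet host, $3 = a host on the LAN,
# $4 = 1 if a different computer can ping the target (default 0).
run_checks() {
  t=0; i=0; l=0
  reachable "$1" && t=1
  reachable "$2" && i=1
  reachable "$3" && l=1
  diagnose "$t" "$i" "$l" "${4:-0}"
}

# Performs real pings, so it only runs when given hosts, e.g.:
#   sh ping_check.sh www.example.com 1.1.1.1 192.168.1.1
if [ $# -ge 3 ]; then run_checks "$@"; fi
```

Remember the note above: a target that does not answer ICMP may still be serving HTTP, which is why the first branch only says to look above the network layer rather than declaring the host up.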

Traceroute

This command lets you trace the path (the sequence of router hops) between two hosts.

On Linux the command is: traceroute (UDP probes by default; traceroute -I uses ICMP)
On Windows the command is: tracert (ICMP Echo Requests)

Example of tracert output on Windows (addresses removed):
Tracing route to []
over a maximum of 30 hops:

1 2 ms 1 ms 2 ms []
2 12 ms 10 ms 9 ms []
3 10 ms 12 ms 11 ms []
4 51 ms 26 ms 22 ms []
5 24 ms 22 ms 23 ms []
6 28 ms 30 ms 22 ms []
7 25 ms 22 ms 22 ms []
8 176 ms 177 ms 177 ms []
9 219 ms 219 ms 225 ms []
10 221 ms 222 ms 220 ms []
11 252 ms 254 ms 251 ms []
12 259 ms 258 ms 259 ms []
13 236 ms 238 ms 236 ms []
14 236 ms 236 ms 236 ms []
15 239 ms 236 ms 241 ms []
16 236 ms 237 ms 237 ms []

Trace complete.

You get a line for each hop on the path, with three round-trip times. Asterisks (* * *) mean that hop did not reply within the timeout, typically because the router rate-limits or drops the probes; the trace can still complete beyond it, so a silent hop is not proof that traffic stops there.

IP Configuration

This shows the network interface configuration of the local computer: MAC address, IP address, subnet mask, default gateway, and so on.

Windows: ipconfig (ipconfig /all also shows MAC addresses and DNS servers)
Linux and Mac: ifconfig (many current Linux distributions no longer install it; use ip addr and ip route instead)

You select a single interface by naming it, for example ifconfig en0 (en0 is a Mac interface name; on Linux expect something like eth0 or enp0s3).

These commands can also modify the IP configuration, but that is not needed for the exam.

ARP (Address Resolution Protocol)

ARP translates between IP addresses (used at the network layer) and MAC addresses (used at the Ethernet layer). Every host on an IPv4 Ethernet network keeps an ARP cache. When a host needs the MAC address of another host on the LAN, it first checks its cache; if the mapping is already there, no ARP request is needed. If it is not, the host broadcasts an ARP request and caches the reply. ARP has no authentication, so an attacker on the same LAN can answer with false mappings (ARP poisoning/spoofing) and intercept traffic; a MAC address that suddenly changes for the default gateway's IP, or one MAC listed against several IPs, is worth investigating.

You can view the system's ARP cache with the arp command:

>arp -a

Interface: [] --- 0x9
  Internet Address      Physical Address      Type
  []                    84-9f-b5-57-f2-47     dynamic
  []                    b0-2a-43-57-c3-64     dynamic
  []                    ff-ff-ff-ff-ff-ff     static
  []                    01-00-5e-00-00-16     static
  []                    01-00-5e-00-00-fb     static
  []                    01-00-5e-00-00-fc     static
  []                    01-00-5e-7f-ff-fa     static
  []                    ff-ff-ff-ff-ff-ff     static

(IP addresses removed. Entries marked dynamic were learned from ARP replies and expire; the static ones are the broadcast address and well-known multicast groups, which never change.)

Netstat

netstat displays network statistics on Mac and Windows (and on Linux, where it is deprecated in favour of ss). It shows which connections are open, which ports are in use, the remote address, the connection state, and so on.

An example output (local addresses removed):


Active Connections

Proto Local Address Foreign Address State
TCP 192-168-1-2:8009 ESTABLISHED
TCP a184-26-33-55:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP a23-202-162-124:http CLOSE_WAIT
TCP nme-sot-dry-ak1-136:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP a184-26-33-55:https CLOSE_WAIT
TCP mia04-011:http ESTABLISHED
TCP syd09s14-in-f14:https ESTABLISHED
TCP syd09s17-in-f10:https ESTABLISHED
TCP sin01s16-in-f4:https ESTABLISHED
TCP syd09s13-in-f14:https ESTABLISHED
TCP syd15s01-in-f14:https ESTABLISHED
TCP syd15s03-in-f14:https ESTABLISHED
TCP syd15s06-in-f14:https ESTABLISHED
TCP searchsites:https ESTABLISHED
TCP syd15s02-in-f10:https ESTABLISHED
TCP server-52-85-45-50:https ESTABLISHED
TCP syd15s06-in-f3:https ESTABLISHED
TCP r-57-41-234-77:http FIN_WAIT_1
TCP li1462-250:https ESTABLISHED

On Linux, use ss (for example ss -tan) to get the same information. netstat -an works on all three platforms; netstat -ano on Windows, and netstat -anp or ss -tanp on Linux, also show the owning process, which is what you need when deciding whether a connection is legitimate.
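As an added example (not from the original notes), the script below does the two things an incident responder usually wants from netstat output: a count of ESTABLISHED connections per remote host, and the list of locally listening ports. It parses the numeric `netstat -an` layout (state in the last column, foreign address in the one before it), which covers Windows, Linux and Mac; the sample output is constructed in the Windows layout.

```shell
#!/bin/sh
# Added example: triage netstat -an output.  Handles the column layouts of
# Windows, Linux and Mac netstat (state is the last field, foreign address
# the one before it; Mac separates IP and port with "." instead of ":").
# The sample output below is constructed.

# netstat -an text on stdin.  Prints "count remote_ip" for ESTABLISHED TCP
# connections, busiest remote host first.
remote_established() {
  awk '
    $1 ~ /^(TCP|tcp)/ && $NF == "ESTABLISHED" {
      peer = $(NF-1)                 # foreign address with port
      sub(/[.:][0-9]+$/, "", peer)   # drop the port
      n[peer]++
    }
    END { for (p in n) print n[p], p }
  ' | sort -k1,1nr -k2,2
}

# netstat -an text on stdin.  Prints the local TCP ports that are listening
# (Windows prints LISTENING, Linux and Mac print LISTEN), one per line.
listening_ports() {
  awk '
    $1 ~ /^(TCP|tcp)/ && $NF ~ /^LISTEN(ING)?$/ {
      local = $(NF-2)
      sub(/.*[.:]/, "", local)       # keep only the port number
      print local
    }
  ' | sort -n | uniq
}

# Constructed sample (Windows layout).  The connection to 198.51.100.7:4444
# is the kind of line you would then chase with netstat -ano to find its PID.
SAMPLE_NETSTAT='Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:22             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    10.0.0.5:52011         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:52012         203.0.113.10:443       ESTABLISHED
  TCP    10.0.0.5:52030         198.51.100.7:4444      ESTABLISHED
  TCP    10.0.0.5:52020         203.0.113.9:80         CLOSE_WAIT
  UDP    0.0.0.0:123            *:*'

# Offline demo; live use:  netstat -an | remote_established
printf '%s\n' "$SAMPLE_NETSTAT" | remote_established
printf '%s\n' "$SAMPLE_NETSTAT" | listening_ports
```

CLOSE_WAIT entries like the one in the sample are connections the remote side has already closed; they are not counted because they no longer carry traffic, though a large pile of them is a sign of a misbehaving local program.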

nc (netcat)

This command lets you open a raw TCP (or UDP) connection on Mac and Linux and send and receive text over it. This is useful for troubleshooting (checking that a port is open, talking to a service by hand), but attackers also use it to send raw commands straight to a server.

You can open a connection to a server by giving nc the host name and port, for example (the host name here is only a placeholder):

nc www.example.com 80

Then you can type an HTTP request. The method must be upper case, and the request is terminated by a blank line (press Enter twice):

GET / HTTP/1.0

The server returns the root page and the raw HTML is printed to the terminal.

Windows has no built-in nc equivalent, but ncat from the Nmap project runs on Windows and does the same job.
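As an added example (not from the original notes), the script below builds a correctly formed HTTP request (upper-case method, CRLF line endings, a Host header, and the blank line that ends the headers) and sends it with nc, and also shows a banner grab that sends nothing at all. The host names are placeholders; example.com is reserved for documentation.

```shell
#!/bin/sh
# Added example: talking to a server by hand with nc.  Host names are
# placeholders.  Only http_request runs offline; the other two need network.

# Print a minimal, valid HTTP/1.1 request for host $1 and path $2.
# HTTP/1.1 requires a Host header; "Connection: close" makes the server
# hang up after the response so nc exits cleanly.
http_request() {
  printf 'GET %s HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n' "$2" "$1"
}

# Send the request to $1 on port $3 (default 80) and print the raw response,
# status line and headers included.  -w 5 gives up after 5 s of silence.
raw_get() {
  http_request "$1" "${2:-/}" | nc -w 5 "$1" "${3:-80}"
}

# Grab a service banner (for example the SSH version string on port 22)
# without sending anything: stdin is /dev/null so nc only reads.
banner() {
  nc -w 3 "$1" "$2" </dev/null
}

# Usage (not run here):
#   raw_get www.example.com /
#   banner  www.example.com 22
```

Typing the request interactively (as in the notes above) works too, but a pipe from printf is the form you can reuse, and it guarantees the CRLF line endings and trailing blank line that some servers insist on.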

Command Summary

Tool        Windows          Linux / Mac                Purpose
ping        ping             ping                       Reachability test using ICMP Echo Request/Reply
traceroute  tracert          traceroute                 Path (router hops) to a destination
ipconfig    ipconfig /all    ifconfig, ip addr          Local interface configuration (IP, mask, gateway, MAC)
arp         arp -a           arp -a, ip neigh           IP-to-MAC address cache
netstat     netstat -ano     netstat -an, ss -tanp      Open connections and listening ports (with owning process)
nc          (use ncat)       nc                         Raw TCP/UDP connection for manual testing

2.6.5 DNS Harvesting

The Domain Name System (DNS) translates between domain names and IP addresses. DNS harvesting means using DNS and registration lookups to learn what hosts, mail servers and name servers an organisation has.

Dig command

This is the primary command for DNS lookups on Mac and Linux, for example dig example.com A or dig example.com MX for a specific record type.

nslookup

This is the Windows equivalent of the dig command. It is also available on Mac and Linux. Example output (the query and answer section removed):

Server: UnKnown
Address: fe80::1

Non-authoritative answer:

"Non-authoritative" means the reply came from the resolver's cache rather than from a name server that is authoritative for the domain. The resolver here is the link-local gateway fe80::1; nslookup prints "UnKnown" because it could not reverse-resolve that address to a name.

Whois Lookup

The Whois utility helps you learn who owns a domain name or IP address range. Many websites offer Whois lookups, and Linux and Mac systems have a whois command-line tool. Looking up a domain name gives you information such as:

  • The registrar
  • How old it is
  • IP address
  • Name Servers
  • IP Location
  • Domain status
  • Server type
  • And more

You can also use Whois Lookup for an IP address.

Reverse Whois

With a reverse Whois lookup you enter an email address (or registrant name) and it returns the domains linked to it. For example, entering a registrant's contact email pulls up all the domains that list that address as owner or contact. Note that since GDPR (2018) most registrars redact contact details in public Whois records, so these searches often return much less than they used to.
