Cybersecurity Tools Cheat Sheet

A defensive cybersecurity reference for technical interviews, SOC practice, home labs, authorized testing, and security analysis.

Defensive Testing Mindset

Authorization First

Only test systems you own, manage, or have explicit permission to assess. In interviews, always mention scope, approval, documentation, and reporting.

Typical Security Workflow

  • Define scope and rules of engagement.
  • Discover assets and exposed services.
  • Identify versions and misconfigurations.
  • Validate findings safely.
  • Document risk, impact, and remediation.
  • Retest after fixes are applied.

Nmap

Network Discovery

What Nmap Is Used For

  • Host discovery
  • Port scanning
  • Service detection
  • Version detection
  • Basic vulnerability checks in authorized labs

Common Safe Commands

# Scan common ports on an authorized host
nmap 192.168.1.10

# Service and version detection
nmap -sV 192.168.1.10

# OS detection in a lab (needs raw socket access, so run as root)
sudo nmap -O 192.168.1.10

# Scan a specific port
nmap -p 22 192.168.1.10

# Scan selected ports
nmap -p 22,80,443 192.168.1.10

# Save output to a file
nmap -sV -oN scan-results.txt 192.168.1.10

How to Explain It in Interviews

Nmap helps identify exposed services and attack surface. The goal is not just finding open ports, but understanding business risk and reducing unnecessary exposure.
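
Reading a saved scan is where the "business risk" part starts: you compare what is actually exposed against what is supposed to be exposed. The script below is an added example, not part of the original cheat sheet or of Nmap itself. It parses the normal (-oN) output format that the `nmap -sV -oN scan-results.txt` command above writes, then reports open ports that are not on an expected-ports baseline. The sample scan text and the EXPECTED_PORTS baseline are constructed for the example; the service versions in it are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of `nmap -sV -oN scan-results.txt` output for a lab host.
# Not a real scan result; versions are invented for the example.
SAMPLE_NMAP_OUTPUT = """\
# Nmap 7.94 scan initiated Mon Jan  1 10:00:00 2024 as: nmap -sV -oN scan-results.txt 192.168.1.10
Nmap scan report for 192.168.1.10
Host is up (0.00042s latency).
Not shown: 995 closed tcp ports (conn-refused)
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http     nginx 1.18.0 (Ubuntu)
443/tcp  open     ssl/http nginx 1.18.0 (Ubuntu)
3306/tcp open     mysql    MySQL 5.7.42
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

# Nmap done at Mon Jan  1 10:00:05 2024 -- 1 IP address (1 host up) scanned in 5.12 seconds
"""

# Ports this lab host is supposed to expose (an assumption for the example;
# in practice this comes from the asset inventory or the service owner).
EXPECTED_PORTS = {(22, "tcp"), (80, "tcp"), (443, "tcp")}


@dataclass(frozen=True)
class PortFinding:
    host: str
    port: int
    proto: str
    state: str
    service: str
    version: str


# "Nmap scan report for <host>" starts each host block in -oN output.
HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap_normal(text):
    """Parse -oN output into one PortFinding per port line."""
    findings = []
    host = None
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_LINE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m and host is not None:
            port, proto, state, service, version = m.groups()
            findings.append(
                PortFinding(host, int(port), proto, state, service, (version or "").strip())
            )
    return findings


def unexpected_open_ports(findings, expected):
    """Open ports missing from the baseline; closed/filtered ports are not exposure."""
    return [f for f in findings if f.state == "open" and (f.port, f.proto) not in expected]


def summarize(findings, expected):
    """One human-readable line per unexpected open port, for the report."""
    return [
        f"{f.host}: unexpected {f.port}/{f.proto} ({f.service}) {f.version}".rstrip()
        for f in unexpected_open_ports(findings, expected)
    ]


if __name__ == "__main__":
    results = parse_nmap_normal(SAMPLE_NMAP_OUTPUT)
    for line in summarize(results, EXPECTED_PORTS):
        print(line)
```

To use it on a real lab scan, read the -oN file into `parse_nmap_normal` and replace EXPECTED_PORTS with the ports the owner has approved; the filtered 8080/tcp in the sample is deliberately not reported, since a filtered port is not reachable and the finding would be noise.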

Netcat

Connectivity Testing

What Netcat Is Used For

  • Testing if a port is reachable
  • Banner grabbing in labs
  • Sending simple TCP/UDP data
  • Debugging network services

Common Commands

# Check if a port is open
nc -vz 192.168.1.10 443

# Connect to a service
nc 192.168.1.10 80

# Basic HTTP request (Connection: close makes the server close the socket so nc exits)
printf "GET / HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n" | nc example.com 80

# Listen locally for testing
nc -l 8080

Interview Note

Netcat is useful for quick connectivity checks. In a SOC or admin context, it helps confirm whether a service is reachable from a specific machine.

Burp Suite

Web Application Testing

Core Burp Suite Tools

  • Proxy: intercept browser traffic
  • Repeater: manually resend requests
  • Intruder: controlled parameter testing
  • Decoder: encode and decode data
  • Comparer: compare responses
  • Logger: review HTTP history

Common Testing Checklist

  • Check authentication and session behavior.
  • Review cookies and security headers.
  • Test input validation.
  • Look for insecure direct object references.
  • Check role-based access control.
  • Compare normal user vs admin behavior.

Security Headers to Know

Content-Security-Policy
Strict-Transport-Security
X-Content-Type-Options
X-Frame-Options
Referrer-Policy
Set-Cookie attributes: Secure; HttpOnly; SameSite=Strict
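
The headers listed above are the ones to look for in Burp's response view or in `curl -I` output. The script below is an added example, not from the cheat sheet or from Burp Suite: it takes a list of (name, value) header pairs, reports which of the listed headers are missing, flags Set-Cookie values that lack Secure, HttpOnly or SameSite, and notes a short HSTS max-age. The sample headers are constructed, not captured from any real site, and the one-year HSTS minimum is an assumed baseline for the example. The `fetch_headers` helper is only for targets you are authorized to test.

```python
import urllib.request

# Constructed example response headers, as `curl -I` would print them.
# Kept as a list of pairs because Set-Cookie legitimately repeats.
SAMPLE_HEADERS = [
    ("Server", "nginx"),
    ("Content-Type", "text/html; charset=utf-8"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
    ("Set-Cookie", "prefs=dark; Path=/; Secure; HttpOnly; SameSite=Strict"),
]

# The headers from the cheat sheet list.
REQUIRED_HEADERS = [
    "Content-Security-Policy",
    "Strict-Transport-Security",
    "X-Content-Type-Options",
    "X-Frame-Options",
    "Referrer-Policy",
]
COOKIE_ATTRIBUTES = ("Secure", "HttpOnly", "SameSite")
HSTS_MIN_MAX_AGE = 31536000  # one year; assumed baseline for this example


def check_security_headers(headers):
    """Return missing headers, cookies lacking attributes, and value-level notes."""
    # Header names are case-insensitive; for non-cookie headers the last value wins.
    lowered = {name.lower(): value for name, value in headers}
    missing = [h for h in REQUIRED_HEADERS if h.lower() not in lowered]

    notes = []
    hsts = lowered.get("strict-transport-security")
    if hsts:
        for directive in hsts.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.lower() == "max-age" and val.isdigit() and int(val) < HSTS_MIN_MAX_AGE:
                notes.append(f"HSTS max-age {val} is below {HSTS_MIN_MAX_AGE}")
    xcto = lowered.get("x-content-type-options")
    if xcto is not None and xcto.strip().lower() != "nosniff":
        notes.append(f"X-Content-Type-Options is '{xcto}', expected 'nosniff'")

    weak_cookies = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip()
        # Attributes follow the first ';' and are case-insensitive (SameSite=Strict -> samesite).
        attrs = {part.strip().partition("=")[0].lower() for part in value.split(";")[1:]}
        lacking = [a for a in COOKIE_ATTRIBUTES if a.lower() not in attrs]
        if lacking:
            weak_cookies.append((cookie_name, lacking))

    return {"missing": missing, "weak_cookies": weak_cookies, "notes": notes}


def fetch_headers(url):
    """HEAD request against a URL you are authorized to test (the curl -I equivalent)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return list(resp.getheaders())


if __name__ == "__main__":
    report = check_security_headers(SAMPLE_HEADERS)
    for header in report["missing"]:
        print(f"missing: {header}")
    for cookie, lacking in report["weak_cookies"]:
        print(f"cookie '{cookie}' lacks: {', '.join(lacking)}")
    for note in report["notes"]:
        print(f"note: {note}")
```

A missing header is a finding to confirm, not a vulnerability by itself: a Content-Security-Policy that is absent on a static page and one absent on a page that renders user input carry very different impact, which is the severity judgement the interview answer should make explicit.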

Metasploit

Lab Validation

What Metasploit Is

Metasploit is a penetration testing framework used to validate vulnerabilities in controlled and authorized environments. For interviews, focus on validation, risk confirmation, and remediation support.

Basic Console Commands

# Start Metasploit console
msfconsole

# Search modules
search type:auxiliary scanner

# Select a module
use auxiliary/scanner/portscan/tcp

# Show required options
show options

# Set a target in your lab
set RHOSTS 192.168.1.10

# Run the selected module
run

# Go back
back

# Exit
exit

Interview Note

A strong answer should mention that exploitation is not always necessary. Sometimes version evidence, configuration proof, and safe validation are enough to report a finding.

Password Auditing Tools

Defensive Auditing

John the Ripper

John the Ripper is used to audit password strength from authorized password hashes, usually in labs, CTFs, or internal security reviews.

# Run John against a hash file in a lab
john hashes.txt

# Use a wordlist
john --wordlist=wordlist.txt hashes.txt

# Show cracked results
john --show hashes.txt

Hashcat Concepts

  • GPU-accelerated password auditing tool
  • Requires knowing the hash type/mode
  • Used for password policy validation
  • Commonly used in authorized security assessments

Interview Note

Password auditing helps validate whether password policies are strong enough. Safer controls include MFA, password managers, rate limiting, and strong hashing.

Traffic Analysis

Packets and Logs

tcpdump

# Capture packets on an interface
sudo tcpdump -i eth0

# Capture traffic for a specific host
sudo tcpdump -i eth0 host 192.168.1.10

# Capture traffic for a specific port
sudo tcpdump -i eth0 port 443

# Save capture to a file
sudo tcpdump -i eth0 -w capture.pcap

# Read a saved capture
tcpdump -r capture.pcap

Wireshark Filters

ip.addr == 192.168.1.10
tcp.port == 443
dns
http
tls
tcp.flags.syn == 1
tcp.flags.reset == 1

What to Look For

  • Unexpected external connections
  • Repeated failed connections
  • DNS requests to suspicious domains
  • Unusual ports or protocols
  • Large outbound data transfers
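
Once a capture has been reduced to per-connection rows (Wireshark's Conversations view or a Zeek conn log both give you that), the indicators above can be checked mechanically. The script below is an added example, not part of the cheat sheet or of tcpdump/Wireshark. It reads a constructed CSV of connection summaries and applies four of the listed indicators: connections to external addresses, repeated failed connections to one host and port, ports outside an expected set, and large outbound transfers. The internal ranges, expected ports, failure states and thresholds are assumptions for the example and would be tuned per environment.

```python
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed connection summary, not a real capture. Columns: timestamp, source,
# destination, destination port, protocol, bytes sent by the source, and a
# Zeek-style state (SF = completed normally, REJ = rejected by the destination).
SAMPLE_FLOWS = """\
ts,src,dst,dport,proto,bytes_out,state
1700000000,192.168.1.20,192.168.1.10,443,tcp,1200,SF
1700000001,192.168.1.20,192.168.1.10,22,tcp,800,SF
1700000002,192.168.1.33,192.168.1.10,3389,tcp,0,REJ
1700000003,192.168.1.33,192.168.1.10,3389,tcp,0,REJ
1700000004,192.168.1.33,192.168.1.10,3389,tcp,0,REJ
1700000005,192.168.1.33,192.168.1.10,3389,tcp,0,REJ
1700000006,192.168.1.20,203.0.113.45,443,tcp,52428800,SF
1700000007,192.168.1.20,203.0.113.45,6667,tcp,300,SF
1700000008,192.168.1.20,8.8.8.8,53,udp,64,SF
"""

# Tuning values (assumptions for the example).
INTERNAL_NETWORKS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]
EXPECTED_PORTS = {22, 53, 80, 123, 443}
FAILED_STATES = {"REJ", "RSTO", "RSTR", "S0"}
FAILED_THRESHOLD = 3
LARGE_OUTBOUND_BYTES = 10 * 1024 * 1024


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    dst: str
    detail: str


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def triage_flows(csv_text):
    """Apply the traffic indicators to connection rows and return a list of Alerts."""
    rows = csv.DictReader(io.StringIO(csv_text))
    alerts = []
    failures = Counter()          # (src, dst, dport) -> failed connection count
    seen_external = set()         # report each (src, dst) pair once
    seen_ports = set()            # report each (src, dst, dport) once
    for r in rows:
        src, dst, proto, state = r["src"], r["dst"], r["proto"], r["state"]
        dport, bytes_out = int(r["dport"]), int(r["bytes_out"])

        if not is_internal(dst) and (src, dst) not in seen_external:
            seen_external.add((src, dst))
            alerts.append(Alert("external_connection", src, dst, f"{proto}/{dport}"))

        if state in FAILED_STATES:
            failures[(src, dst, dport)] += 1

        if dport not in EXPECTED_PORTS and (src, dst, dport) not in seen_ports:
            seen_ports.add((src, dst, dport))
            alerts.append(Alert("unusual_port", src, dst, f"{proto}/{dport}"))

        if bytes_out >= LARGE_OUTBOUND_BYTES:
            alerts.append(Alert("large_outbound", src, dst, f"{bytes_out} bytes to {proto}/{dport}"))

    # Repeated failures are judged after the whole file is read.
    for (src, dst, dport), n in failures.items():
        if n >= FAILED_THRESHOLD:
            alerts.append(Alert("repeated_failures", src, dst, f"{n} failed connections to port {dport}"))
    return alerts


if __name__ == "__main__":
    for a in triage_flows(SAMPLE_FLOWS):
        print(f"[{a.rule}] {a.src} -> {a.dst}: {a.detail}")
```

The point of the thresholds is that each rule produces leads, not verdicts: the DNS query to 8.8.8.8 trips the external-connection rule but is probably expected, while 192.168.1.33 being rejected four times on 3389 and 50 MB leaving for an external host on a non-standard port are the rows an analyst would pull the packets for.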

Web Testing Utilities

HTTP Basics

curl

# Basic request
curl https://example.com

# Show response headers
curl -I https://example.com

# Follow redirects
curl -L https://example.com

# Send JSON data
curl -X POST https://example.com/api \
  -H "Content-Type: application/json" \
  -d '{"name":"test"}'

Directory Discovery Concept

Tools like Gobuster or FFUF can help find exposed paths in authorized web apps. In interviews, explain that results must be validated and sensitive paths should be protected, removed, or restricted.

# Authorized lab example
gobuster dir \
  -u http://localhost:8080 \
  -w wordlist.txt

OWASP Areas to Remember

  • Broken access control
  • Cryptographic failures
  • Injection
  • Insecure design
  • Security misconfiguration
  • Vulnerable components

Linux Security Triage

SOC Basics

Useful Commands

# Current user
whoami

# Logged-in users
who

# Recent logins
last

# Running processes
ps aux

# Listening ports
ss -tulnp

# Disk usage
df -h

# Recent auth logs
sudo tail -n 50 /var/log/auth.log

# System logs
sudo journalctl -xe

Indicators to Check

  • New unknown users
  • Unexpected listening ports
  • Suspicious processes
  • Failed login spikes
  • Unusual cron jobs
  • Unexpected SSH keys
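
Several of these indicators live in auth.log, which the `sudo tail -n 50 /var/log/auth.log` command above only eyeballs. The script below is an added example, not from the cheat sheet: it walks syslog-style auth lines and raises a failed-login spike when one source address exceeds a threshold of failures inside a sliding time window, plus a note for each new user created with useradd and for each sudo command that edits a crontab. The log lines are constructed for the example (the year, hostnames and addresses are invented), and the window, threshold and fixed year are assumptions.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed auth.log excerpt; hostnames, addresses and key fingerprint are made up.
SAMPLE_AUTH_LOG = """\
Jan 10 09:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Jan 10 09:12:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.9 port 51023 ssh2
Jan 10 09:12:05 web01 sshd[2233]: Failed password for root from 203.0.113.9 port 51024 ssh2
Jan 10 09:12:07 web01 sshd[2235]: Failed password for root from 203.0.113.9 port 51025 ssh2
Jan 10 09:12:09 web01 sshd[2237]: Failed password for root from 203.0.113.9 port 51026 ssh2
Jan 10 09:13:40 web01 sshd[2240]: Accepted publickey for deploy from 192.168.1.20 port 40112 ssh2: RSA SHA256:constructedfingerprint
Jan 10 09:15:02 web01 sshd[2244]: Failed password for alice from 192.168.1.25 port 40220 ssh2
Jan 10 09:15:30 web01 sshd[2246]: Accepted password for alice from 192.168.1.25 port 40221 ssh2
Jan 10 09:20:11 web01 useradd[2300]: new user: name=svc_backup, UID=1003, GID=1003, home=/home/svc_backup, shell=/bin/bash
Jan 10 09:21:00 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/crontab -e
"""

TS_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})")
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
NEW_USER_RE = re.compile(r"useradd\[\d+\]: new user: name=([^,]+)")
SUDO_RE = re.compile(r"sudo:\s+(\S+) : .*COMMAND=(.+)$")


@dataclass(frozen=True)
class Alert:
    rule: str
    subject: str   # source IP, username, or sudo user depending on the rule
    detail: str


def parse_ts(line, year=2024):
    """Syslog timestamps carry no year, so one is supplied (assumed here)."""
    m = TS_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")


def triage_auth_log(lines, window_seconds=60, threshold=5):
    """Return Alerts for failed-login spikes, new users, and crontab edits via sudo."""
    alerts = []
    recent = defaultdict(deque)   # source IP -> failure timestamps inside the window
    flagged = set()               # sources already reported, to avoid repeats
    for line in lines:
        ts = parse_ts(line)
        if ts is None:
            continue
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(Alert("failed_login_spike", src,
                                    f"{len(q)} failures within {window_seconds}s, last user '{user}'"))
            continue
        m = NEW_USER_RE.search(line)
        if m:
            alerts.append(Alert("new_user", m.group(1), line.split(": ", 1)[1]))
            continue
        m = SUDO_RE.search(line)
        if m and "crontab" in m.group(2):
            alerts.append(Alert("cron_change", m.group(1), m.group(2).strip()))
    return alerts


if __name__ == "__main__":
    for a in triage_auth_log(SAMPLE_AUTH_LOG.splitlines()):
        print(f"[{a.rule}] {a.subject}: {a.detail}")
```

The sliding window is what separates a spike from background noise: alice's single typo at 09:15 never reaches the threshold, while five failures from 203.0.113.9 in eight seconds do. On a live host, feed it `open("/var/log/auth.log")` (with sudo) and check the new user and crontab alerts against change tickets before calling them suspicious.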

Common Log Locations

/var/log/auth.log
/var/log/syslog
/var/log/kern.log
/var/log/nginx/access.log
/var/log/nginx/error.log
/var/log/apache2/access.log
/var/log/apache2/error.log

Interview Notes

How to Talk About Tools

  • Nmap identifies exposed services and attack surface.
  • Netcat confirms connectivity and service behavior.
  • Burp Suite helps analyze web traffic and input handling.
  • Metasploit can validate findings in controlled labs.
  • John and Hashcat audit password strength.
  • tcpdump and Wireshark analyze network traffic.

Strong Security Answer Formula

1. Confirm scope and authorization.
2. Gather evidence safely.
3. Identify affected assets.
4. Assess severity and business impact.
5. Recommend remediation.
6. Document findings clearly.
7. Retest after remediation.

Risk Language

  • Likelihood: how likely exploitation is
  • Impact: what damage could happen
  • Severity: combined risk level
  • Remediation: how to fix it
  • Mitigation: how to reduce risk temporarily
  • Compensating control: alternate protection