Network Security Toolkit

Gain hands-on experience with essential network security tools. Learn how to analyze network traffic, scan for vulnerabilities, configure firewalls, and detect intrusions with this interactive toolkit.

Wireshark

Nmap Scanner

Firewall Config

IDS/IPS

Wireshark Packet Analyzer

Wireshark is a network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network. Learn how to use it to inspect packets, diagnose issues, and detect security threats.

Capture Interface

Capture Filter Examples: "host 192.168.1.1", "port 80", "tcp", "udp port 53"

Packet Capture Results

Display Filter

No.	Time	Source	Destination	Protocol	Length	Info
1	0.000000	192.168.1.5	192.168.1.1	DNS	82	Standard query 0x1a2b A example.com
2	0.005247	192.168.1.1	192.168.1.5	DNS	98	Standard query response 0x1a2b A example.com A 93.184.216.34
3	0.015687	192.168.1.5	93.184.216.34	TCP	74	58172 → 80 [SYN] Seq=0 Win=64240 Len=0 MSS=1460 WS=256 SACK_PERM=1
4	0.075364	93.184.216.34	192.168.1.5	TCP	74	80 → 58172 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 SACK_PERM=1 WS=128
5	0.075438	192.168.1.5	93.184.216.34	TCP	66	58172 → 80 [ACK] Seq=1 Ack=1 Win=64240 Len=0
6	0.075678	192.168.1.5	93.184.216.34	HTTP	171	GET / HTTP/1.1
7	0.145738	93.184.216.34	192.168.1.5	TCP	66	80 → 58172 [ACK] Seq=1 Ack=106 Win=65535 Len=0
8	0.205847	93.184.216.34	192.168.1.5	HTTP	497	HTTP/1.1 200 OK (text/html)
9	0.206102	192.168.1.5	93.184.216.34	TCP	93.184.216.34	TCP	66	58172 → 80 [ACK] Seq=106 Ack=432 Win=64240 Len=0
10	0.356982	192.168.1.5	93.184.216.34	TCP	66	58172 → 80 [FIN, ACK] Seq=106 Ack=432 Win=64240 Len=0

Packet Inspector - Packet #1

Details

Hex

Raw

Frame 1: 82 bytes on wire, 82 bytes captured

Time: May 1, 2025 14:23:45.000000

Frame Number: 1

Frame Length: 82 bytes

Protocols: eth:ip:udp:dns

Ethernet II, Src: 00:0c:29:8f:5d:10, Dst: 00:50:56:c0:00:08

Destination: 00:50:56:c0:00:08

Source: 00:0c:29:8f:5d:10

Type: IPv4 (0x0800)

Internet Protocol Version 4, Src: 192.168.1.5, Dst: 192.168.1.1

Version: 4

Header Length: 20 bytes

Total Length: 68

Identification: 0x1234 (4660)

Flags: 0x00

Fragment offset: 0

Time to live: 64

Protocol: UDP (17)

Header checksum: 0x6a3b [correct]

Source: 192.168.1.5

Destination: 192.168.1.1

User Datagram Protocol, Src Port: 53952, Dst Port: 53

Source Port: 53952

Destination Port: 53 (DNS)

Length: 48

Checksum: 0xe345 [correct]

Domain Name System (query)

Transaction ID: 0x1a2b

Flags: 0x0100 Standard query

Questions: 1

Answer RRs: 0

Authority RRs: 0

Additional RRs: 0

Queries:

example.com: type A, class IN

Nmap Network Scanner

Nmap (Network Mapper) is a powerful security scanner used to discover hosts and services on a computer network. Learn how to detect open ports, identify running services, and discover potential vulnerabilities.

Target IP/Hostname Examples: "192.168.1.1", "10.0.0-255.1-254", "scanme.nmap.org"

Scan Type

Timing Template

Additional Options Examples: "--script=vuln", "-p 1-1000", "--exclude 192.168.1.5"

Nmap Scan Results

$ nmap -sS -sV -O 192.168.1.0/24 Starting Nmap 7.93 ( https://nmap.org ) at 2025-05-01 14:30 EDT Nmap scan report for Router (192.168.1.1) Host is up (0.0031s latency). Not shown: 995 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0) 53/tcp open domain dnsmasq 2.86 80/tcp open http nginx 1.23.3 443/tcp open ssl/https nginx 1.23.3 8080/tcp open http-proxy? MAC Address: 00:50:56:C0:00:08 (VMware) Device type: general purpose Running: Linux 5.X OS CPE: cpe:/o:linux:linux_kernel:5 OS details: Linux 5.0 - 5.4 Nmap scan report for FileServer (192.168.1.10) Host is up (0.0076s latency). Not shown: 992 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.4 (protocol 2.0) 80/tcp open http Apache httpd 2.4.54 111/tcp open rpcbind 2-4 (RPC #100000) 139/tcp open netbios-ssn Samba smbd 4.5.16 (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.5.16 (workgroup: WORKGROUP) 2049/tcp open nfs 3-4 (RPC #100003) 3306/tcp open mysql MySQL (unauthorized) 9090/tcp open http Cockpit web service 264 on Linux MAC Address: 00:0C:29:8F:5D:10 (VMware) Device type: general purpose Running: Linux 5.X OS CPE: cpe:/o:linux:linux_kernel:5 OS details: Linux 5.0 - 5.4 Nmap scan report for WebServer (192.168.1.15) Host is up (0.0054s latency). Not shown: 996 closed tcp ports (reset) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.52 443/tcp open ssl/http Apache httpd 2.4.52 MAC Address: 00:0C:29:AB:CD:EF (VMware) Device type: general purpose Running: Linux 5.X OS CPE: cpe:/o:linux:linux_kernel:5 OS details: Linux 5.0 - 5.4 Nmap scan report for WindowsClient (192.168.1.24) Host is up (0.0097s latency). Not shown: 990 closed tcp ports (reset) PORT STATE SERVICE VERSION 135/tcp open msrpc Microsoft Windows RPC 139/tcp open netbios-ssn Microsoft Windows netbios-ssn 445/tcp open microsoft-ds? 1433/tcp open ms-sql-s Microsoft SQL Server 2019 15.00.4312.00 3389/tcp open ms-wbt-server Microsoft Terminal Service MAC Address: 00:0C:29:12:34:56 (VMware) Device type: general purpose Running: Microsoft Windows 10 OS CPE: cpe:/o:microsoft:windows_10 OS details: Microsoft Windows 10 1709 - 1909 Warning: The SMB service on 192.168.1.24 has outdated protocol version SMBv1 enabled (MS17-010) Nmap done: 256 IP addresses (12 hosts up) scanned in 119.84 seconds

Router (192.168.1.1)

MAC Address: 00:50:56:C0:00:08 (VMware)

OS: Linux 5.0 - 5.4

Latency: 0.0031s

Port	State	Service	Version
22/tcp	open	ssh	OpenSSH 8.9p1 Ubuntu 3ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp	open	domain	dnsmasq 2.86
80/tcp	open	http	nginx 1.23.3
443/tcp	open	ssl/https	nginx 1.23.3
8080/tcp	open	http-proxy	?

WindowsClient (192.168.1.24)

MAC Address: 00:0C:29:12:34:56 (VMware)

OS: Microsoft Windows 10 1709 - 1909

Latency: 0.0097s

Warning: SMBv1 protocol enabled (MS17-010 vulnerability)

Port	State	Service	Version
135/tcp	open	msrpc	Microsoft Windows RPC
139/tcp	open	netbios-ssn	Microsoft Windows netbios-ssn
445/tcp	open	microsoft-ds	?
1433/tcp	open	ms-sql-s	Microsoft SQL Server 2019 15.00.4312.00
3389/tcp	open	ms-wbt-server	Microsoft Terminal Service

Firewall Configuration

Configure and manage firewall rules to control network traffic. Learn how to set up policies that allow or block specific types of connections based on source, destination, protocol, and other criteria.

Firewall Rules

Priority	Action	Protocol	Source	Destination	Port	Description
1	ALLOW	TCP	ANY	192.168.1.15	80, 443	Allow web traffic to web server
2	ALLOW	TCP	192.168.1.0/24	192.168.1.10	22, 445	Allow internal SSH and SMB
3	DENY	TCP	ANY	192.168.1.24	445	Block external SMB access
4	LOG	TCP	ANY	192.168.1.0/24	3389	Log RDP connection attempts
5	DENY	ALL	ANY	ANY	ANY	Default deny rule

Intrusion Detection System

Monitor network traffic for suspicious activity and security policy violations with an Intrusion Detection System (IDS). Learn how to identify and respond to potential security

Monitor network traffic for suspicious activity and security policy violations with an Intrusion Detection System (IDS). Learn how to identify and respond to potential security threats in real-time.

Monitoring Interface

Alert Level

Rule Set

IDS Alerts

Filter Alerts

Time	Severity	Source	Destination	Message
14:35:12	High	203.0.113.42	192.168.1.24	ET EXPLOIT MS17-010 SMB RCE Attempt
14:33:45	Medium	192.168.1.15	93.184.216.34	POLICY SSH Outbound Connection
14:33:01	High	198.51.100.73	192.168.1.10	ET SCAN Nmap SQL Server Scan
14:28:19	High	192.168.1.24	45.33.32.156	ET TROJAN Possible Malware CnC Traffic
14:27:34	Medium	198.51.100.12	192.168.1.15	ET WEB_SERVER SQL Injection Attempt
14:25:02	Low	192.168.1.5	239.255.255.250	ET POLICY UPnP Traffic Detected
14:24:17	Low	192.168.1.45	192.168.1.255	ET POLICY SMB Outbound Message

Alert: ET EXPLOIT MS17-010 SMB RCE Attempt

Time:

May 1, 2025 14:35:12

Severity:

High

Source:

203.0.113.42

Destination:

192.168.1.24 (WindowsClient)

Protocol:

TCP

Source Port:

49152

Destination Port:

445 (SMB)

Signature ID:

2024364

Category:

EXPLOIT

Description

This alert indicates an attempt to exploit the MS17-010 vulnerability in the SMB protocol. This critical vulnerability in Microsoft Windows SMB Server could allow remote code execution if an attacker sends specially crafted packets to a vulnerable SMB server. This vulnerability is associated with the EternalBlue exploit, which was used in major ransomware attacks like WannaCry.

Packet Data

00000000: 0010 1615 0B01 00C0 4FD4 3D69 0800 4500 ........O.=i..E. 00000010: 00DE 05F4 4000 8006 3D06 CB00 712A C0A8 ....@...=...q*.. 00000020: 0118 C000 01BD 1806 98DA 41F9 ADD3 5018 ..........A...P. 00000030: FFFF 2484 0000 0000 0000 25FF 534D 4220 ..$.......%.SMB 00000040: 3200 0000 0000 1800 0000 0000 0000 0000 2............... 00000050: 0000 0000 0000 0000 0000 5C38 8041 4141 ..........\8.AAA 00000060: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 00000070: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 00000080: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 00000090: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA 000000A0: 4141 4141 4141 4142 5A44 3038 5745 5731 AAAAAABZD08WEW1 000000B0: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA

Recommended Actions

Verify the attack was blocked by your firewall or IPS
Check if the target system (192.168.1.24) has been patched with the MS17-010 security update
Scan the target system for potential compromise
Block traffic from the source IP (203.0.113.42) at the firewall
Enable SMB signing and disable SMBv1 on all Windows systems