jramos/seclab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
master
seclab/MOD0_Prerequisites.md

601 lines
17 KiB
Markdown
Raw Permalink Normal View History

initial commit
2026-05-28 18:27:41 -06:00
# FILE: MOD0_Prerequisites.md
# MODULE 0: PREREQUISITES & FOUNDATIONAL SKILLS
## Learning Objectives
By completing this module, you will:
- Navigate Linux and Windows command-line interfaces confidently
- Understand TCP/IP networking fundamentals and subnetting
- Analyze system logs for security events
- Grasp virtualization concepts critical for lab environment management
---
## SECTION 1: LINUX COMMAND LINE FUNDAMENTALS
### Key Concepts
- **Linux Filesystem Hierarchy:** `/` (root), `/home`, `/var/log`, `/etc`
- **File Permissions:** Read (r=4), Write (w=2), Execute (x=1)
- **Users & Groups:** root vs standard users, sudo privilege escalation
- **Package Management:** `apt` (Debian/Ubuntu), `yum`/`dnf` (RedHat/CentOS)
### LAB 0.1: Linux System Navigation & Log Analysis
**Prerequisites:** Kali Linux VM (you'll use this throughout the course)
**Step-by-Step:**
```bash
# 1. Check your current user and privileges
whoami
id
# Expected output: Shows username and group memberships (UID, GID)
# 2. Navigate the filesystem
cd /var/log
ls -lah
# Flags explained: -l (long format), -a (show hidden), -h (human-readable sizes)
# 3. Analyze authentication logs
sudo tail -n 50 /var/log/auth.log
# Shows last 50 login attempts (successful and failed)
# 4. Search for failed SSH login attempts
sudo grep "Failed password" /var/log/auth.log | tail -n 20
# Filters log for failed authentication events
# 5. Count failed login attempts by IP address
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# Real-world use: Identify brute-force attacks
# 6. Check active network connections
ss -tunap
# t=TCP, u=UDP, n=numeric (don't resolve hostnames), a=all, p=processes
# Alternative: netstat -tunap (older systems)
# 7. View running processes
ps aux | grep ssh
# Find SSH-related processes
# 8. Check system resource usage
top
# Press 'q' to quit
# Alternative: htop (more user-friendly, may need: sudo apt install htop)
# 9. Create a test user (practice user management)
sudo useradd -m -s /bin/bash testuser
# -m creates home directory, -s sets shell
sudo passwd testuser
# Set password when prompted
# 10. Check user creation in logs
sudo grep "testuser" /var/log/auth.log | tail -n 5
# 11. Switch to the new user
su - testuser
# Enter password, then exit with: exit
# 12. Remove test user
sudo userdel -r testuser
# -r removes home directory
```
**Deliverable:** Screenshot showing output of step 5 (failed login count by IP) and step 8 (top command).
---
### LAB 0.2: File Permissions & Security
```bash
# 1. Create a test directory structure
mkdir -p ~/security_lab/secrets
cd ~/security_lab
# 2. Create test files
echo "Public information" > public.txt
echo "Sensitive data" > secrets/confidential.txt
# 3. Check default permissions
ls -l public.txt
# Typical output: -rw-r--r-- (owner: rw, group: r, others: r)
# Understanding permission notation:
# -rw-r--r--
# - = file type (d for directory)
# rw- = owner permissions (read, write, no execute)
# r-- = group permissions (read only)
# r-- = others permissions (read only)
# 4. Make a file executable
echo '#!/bin/bash' > test_script.sh
echo 'echo "Security Lab Script"' >> test_script.sh
chmod +x test_script.sh
ls -l test_script.sh
# Now shows: -rwxr-xr-x (executable by all)
# 5. Restrict sensitive file access
chmod 600 secrets/confidential.txt
ls -l secrets/confidential.txt
# Now shows: -rw------- (only owner can read/write)
# 6. Using octal notation
chmod 750 secrets/
# 7 (owner: rwx), 5 (group: r-x), 0 (others: ---)
ls -ld secrets/
# 7. Change file ownership (requires sudo)
sudo chown root:root secrets/confidential.txt
ls -l secrets/confidential.txt
# File now owned by root
# 8. Try to read as regular user
cat secrets/confidential.txt
# Should fail with "Permission denied"
# 9. Use sudo to read
sudo cat secrets/confidential.txt
# Now works (demonstrates privilege escalation)
# 10. Clean up
cd ~
sudo rm -rf ~/security_lab
```
**Deliverable:** Screenshot showing permission denied error (step 8) and successful sudo read (step 9).
---
## SECTION 2: WINDOWS FUNDAMENTALS
### Key Concepts
- **PowerShell vs CMD:** Modern PowerShell (verb-noun cmdlets) vs legacy Command Prompt
- **Event Viewer:** Centralized logging system (Security, System, Application logs)
- **Critical Event IDs:** 4624 (successful logon), 4625 (failed logon), 4672 (admin logon)
- **Services:** Background processes (`services.msc`)
### LAB 0.3: Windows PowerShell & Event Log Analysis
**Prerequisites:** Windows 10 VM or your host Windows machine
**Step-by-Step:**
```powershell
# Open PowerShell as Administrator (Right-click Start > Windows PowerShell (Admin))
# 1. Check PowerShell version
$PSVersionTable.PSVersion
# Should be 5.1+ (Windows 10) or 7.x (PowerShell Core)
# 2. Get system information
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsArchitecture
# 3. List running services
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName
# 4. Check for failed login attempts (Event ID 4625)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 10 | Format-Table TimeGenerated, Message -AutoSize
# If no events: Try logging in with wrong password first
# 5. Check successful logins (Event ID 4624)
Get-EventLog -LogName Security -InstanceId 4624 -Newest 10 | Format-Table TimeGenerated, Message -AutoSize
# 6. Find administrative logins (Event ID 4672)
Get-EventLog -LogName Security -InstanceId 4672 -Newest 5 | Format-List
# Shows "Special privileges assigned to new logon" (admin/SYSTEM)
# 7. Search Event Viewer for specific string
Get-EventLog -LogName System -Newest 100 | Where-Object {$_.Message -like "*error*"}
# 8. List local user accounts
Get-LocalUser | Select-Object Name, Enabled, LastLogon
# 9. Check active network connections
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
# 10. Find process using specific port (e.g., port 445 - SMB)
Get-NetTCPConnection -LocalPort 445 | Select-Object OwningProcess
Get-Process -Id <PID from above>
# 11. List installed software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion
# 12. Check Windows Defender status
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled
# BONUS: Export security logs for analysis
Get-EventLog -LogName Security -Newest 100 | Export-Csv -Path C:\security_logs.csv -NoTypeInformation
# Open with Excel or import into SIEM
```
**Deliverable:** Screenshot of Event ID 4625 output (step 4) and active network connections (step 9).
---
### LAB 0.4: Windows Event Viewer GUI Navigation
```
1. Press Win + R, type: eventvwr.msc, press Enter
2. Navigate: Windows Logs > Security
3. Right-click "Security" > Filter Current Log
- Event IDs: 4624,4625,4672
- Click OK
4. Double-click on Event ID 4625 (failed logon)
- Note the "Failure Information" section
- Identify: Source IP, Account Name, Failure Reason
5. Create Custom View:
- Actions panel > Create Custom View
- Name: "Authentication Events"
- Filter: Event IDs 4624,4625,4648,4672
- Save
6. Export logs:
- Right-click custom view > Save All Events As
- Format: CSV or EVTX
- Save to Documents folder
```
**Deliverable:** Screenshot of custom view showing filtered authentication events.
---
## SECTION 3: NETWORKING FUNDAMENTALS
### Key Concepts
- **OSI Model:** 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application)
- **TCP/IP Stack:** Link, Internet (IP), Transport (TCP/UDP), Application
- **IPv4 Addressing:** 32-bit addresses (e.g., 192.168.1.100)
- **Subnetting:** CIDR notation (/24 = 255.255.255.0)
- **Key Protocols:** TCP (connection-oriented), UDP (connectionless), ICMP (ping)
### LAB 0.5: Subnetting & Network Calculations
**Practice Problems (Calculate by hand, then verify with tools):**
**Problem 1:**
```
Network: 10.10.2.0/24
Questions:
a) What is the subnet mask?
b) What is the network address?
c) What is the broadcast address?
d) How many usable host IPs?
e) What is the first usable IP?
f) What is the last usable IP?
ANSWERS:
a) 255.255.255.0
b) 10.10.2.0
c) 10.10.2.255
d) 254 (256 - 2 for network and broadcast)
e) 10.10.2.1
f) 10.10.2.254
```
**Problem 2:**
```
Network: 192.168.50.0/26
Questions:
a) Subnet mask?
b) How many subnets can be created?
c) How many hosts per subnet?
d) List the first 3 subnet ranges
ANSWERS:
a) 255.255.255.192
b) 4 subnets (/26 = 2 bits borrowed, 2^2 = 4)
c) 62 hosts per subnet (64 - 2)
d)
- 192.168.50.0/26 (hosts: .1 to .62, broadcast: .63)
- 192.168.50.64/26 (hosts: .65 to .126, broadcast: .127)
- 192.168.50.128/26 (hosts: .129 to .190, broadcast: .191)
```
**Verification Tools:**
```bash
# Linux: Install ipcalc
sudo apt install ipcalc
# Calculate subnet details
ipcalc 10.10.2.0/24
ipcalc 192.168.50.0/26
# Windows PowerShell: Manual calculation
function Get-SubnetInfo {
param($CIDR)
$IP, $MaskBits = $CIDR -split '/'
$MaskBits = [int]$MaskBits
$TotalIPs = [math]::Pow(2, 32 - $MaskBits)
$UsableIPs = $TotalIPs - 2
Write-Host "Network: $CIDR"
Write-Host "Total IPs: $TotalIPs"
Write-Host "Usable IPs: $UsableIPs"
}
Get-SubnetInfo "10.10.2.0/24"
```
**Deliverable:** Handwritten or typed answers to both problems, verified with ipcalc screenshots.
---
### LAB 0.6: Protocol Analysis with Ping & Traceroute
```bash
# LINUX/KALI:
# 1. Basic ping (ICMP Echo Request)
ping -c 4 8.8.8.8
# -c 4 = send 4 packets
# 2. Traceroute (map network path)
traceroute 8.8.8.8
# Shows each router hop to destination
# 3. Ping with timestamp
ping -c 10 -D 8.8.8.8
# -D adds timestamp to each line
# 4. Ping specific interface (if multiple NICs)
ping -I eth0 -c 4 10.10.2.1
# 5. Large packet test (MTU discovery)
ping -c 4 -s 1472 8.8.8.8
# -s 1472 = 1500 byte packet (1472 + 28 byte header)
# 6. TCP ping alternative (when ICMP blocked)
sudo hping3 -S -p 80 -c 4 google.com
# -S = SYN flag, -p 80 = port 80, -c 4 = count
# Install: sudo apt install hping3
# WINDOWS (PowerShell):
# 1. Basic ping
Test-Connection -ComputerName 8.8.8.8 -Count 4
# 2. Traceroute
Test-NetConnection -ComputerName google.com -TraceRoute
# 3. TCP port test
Test-NetConnection -ComputerName google.com -Port 443
# Tests if port 443 (HTTPS) is open
```
**Deliverable:** Screenshot of traceroute to 8.8.8.8 showing at least 5 hops.
---
## SECTION 4: VIRTUALIZATION CONCEPTS
### Key Concepts
- **Hypervisor Types:**
- **Type 1 (Bare Metal):** Proxmox, VMware ESXi, Hyper-V Server (runs directly on hardware)
- **Type 2 (Hosted):** VirtualBox, VMware Workstation (runs on host OS)
- **Virtual Machine Components:** vCPU, vRAM, vNIC (virtual network interface card), vDisk
- **Snapshots:** Point-in-time state saves (critical for labs—snapshot before risky operations!)
- **Network Modes:** NAT, Bridged, Host-Only, Internal
### LAB 0.7: VirtualBox Snapshot Management
**Prerequisites:** VirtualBox installed, any VM (Ubuntu, Windows, etc.)
**Step-by-Step:**
```
1. Start VirtualBox Manager
2. Select your VM (powered off state)
3. Take Baseline Snapshot:
- Machine menu > Take Snapshot
- Name: "Clean Install - Pre-Labs"
- Description: "Fresh OS install before any modifications"
- Click OK
4. Start the VM and make a change:
- Create file on desktop: "test_snapshot.txt"
- Write some text in it
5. Take Second Snapshot (VM can be running):
- Machine menu > Take Snapshot
- Name: "After Test File Creation"
- Click OK
6. Make destructive change:
- Delete the test file
- Empty recycle bin
7. Restore to previous snapshot:
- Shut down VM
- In VirtualBox Manager: Click "Snapshots" button (top right)
- Right-click "After Test File Creation" > Restore
- Confirm restoration
8. Verify restoration:
- Start VM
- Check desktop - file should be back!
9. Snapshot best practices for security labs:
- ALWAYS snapshot before exploitation attempts
- Name snapshots descriptively (e.g., "Pre-Metasploit-Attack-2026-02-11")
- Delete old snapshots to free disk space (keep 2-3 max)
```
**Deliverable:** Screenshot of VirtualBox snapshot tree showing at least 2 snapshots.
---
### LAB 0.8: Understanding Virtual Network Modes
**Using VirtualBox (concepts apply to Proxmox/VMware):**
```
1. Open VM Settings > Network > Adapter 1
2. Test Each Mode:
MODE 1: NAT (Network Address Translation)
- VM can access internet
- VM cannot be accessed from host
- VMs cannot talk to each other
- Use case: Isolated internet access
Test:
- Set to NAT
- Start VM, open browser, visit google.com (should work)
- From host, try to ping VM IP (should fail)
MODE 2: Bridged Adapter
- VM appears as separate device on your home network
- Gets IP from your router's DHCP
- Can communicate with all devices on LAN
- Use case: VM needs to be network-accessible
Test:
- Set to Bridged
- Start VM, check IP: ip addr (Linux) or ipconfig (Windows)
- From host, ping VM IP (should work)
MODE 3: Host-Only Adapter
- VM can only talk to host machine
- VM cannot access internet
- VMs on same host-only network can talk to each other
- Use case: Isolated lab networks
Test:
- Set to Host-Only
- Start VM, check IP (should be 192.168.56.x range)
- Try to access internet (should fail)
- From host, ping VM (should work)
MODE 4: Internal Network
- VMs can only talk to other VMs on same internal network
- Completely isolated from host and internet
- Use case: Simulated enterprise networks
Test:
- Create 2 VMs on "intnet1" internal network
- Assign static IPs manually
- VMs should ping each other but nothing else
3. Proxmox Equivalent (for reference):
- NAT = VM uses Proxmox's internet connection
- Bridged = VLAN-tagged interface on vmbr0
- Host-Only = Separate bridge without physical uplink
- Internal = VMs on same VLAN tag
```
**Deliverable:** Table showing which modes allow: VM-to-Internet, VM-to-Host, VM-to-VM, Host-to-VM.
---
## KNOWLEDGE CHECK: Pre-Module Assessment
**Before proceeding to MOD1, you should be able to:**
### Linux Skills
- [ ] Navigate filesystem using `cd`, `ls`, `pwd`
- [ ] Read log files with `cat`, `tail`, `grep`
- [ ] Understand `rwx` permissions and `chmod` octal notation
- [ ] Use `sudo` for privilege escalation
- [ ] Identify running processes with `ps` and `top`
### Windows Skills
- [ ] Execute PowerShell cmdlets (Get-EventLog, Get-Service, Get-Process)
- [ ] Navigate Event Viewer and filter by Event ID
- [ ] Identify critical security Event IDs (4624, 4625, 4672)
- [ ] Check active network connections
- [ ] Export logs to CSV
### Networking Skills
- [ ] Calculate subnet mask from CIDR notation
- [ ] Determine network and broadcast addresses
- [ ] Count usable hosts in a subnet
- [ ] Use `ping` and `traceroute` for connectivity testing
- [ ] Understand TCP vs UDP vs ICMP
### Virtualization Skills
- [ ] Take and restore VM snapshots
- [ ] Differentiate between NAT, Bridged, Host-Only network modes
- [ ] Understand Type 1 vs Type 2 hypervisors
- [ ] Explain why VLAN tagging is necessary in Proxmox
---
## TROUBLESHOOTING COMMON ISSUES
### "Permission Denied" Errors
```bash
# Forgot sudo?
cat /var/log/auth.log # Fails
sudo cat /var/log/auth.log # Works
# Wrong file permissions?
ls -l filename # Check permissions
sudo chmod 644 filename # Fix if needed
```
### "Command Not Found"
```bash
# Tool not installed?
which nmap # Check if exists
sudo apt install nmap # Install if missing
# Wrong PATH?
echo $PATH # View search directories
```
### Windows Event Viewer Empty
```powershell
# Security auditing might be disabled
auditpol /get /category:* # Check audit policies
# Enable logon auditing if needed (requires admin):
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```
### VM Network Not Working
```
1. Check VM network adapter settings (NAT/Bridged/etc.)
2. Verify cable "connected" checkbox is ticked
3. Inside VM: sudo dhclient (Linux) or ipconfig /renew (Windows)
4. Check firewall rules on host
```
---
## PROFESSOR'S GUIDANCE
**Time Investment:** Allocate 8-12 hours for this module. Do not rush. These are foundational skills you will use in EVERY subsequent module.
**Common Student Mistakes:**
1. Skipping this module: "I already know Linux" → Then you spend 4 hours troubleshooting basic permission issues in MOD4.
2. Not taking snapshots: You WILL break something. Snapshots are your undo button.
3. Memorizing commands instead of understanding concepts: You won't have internet access during incident response. Understand the "why."
**Next Steps:**
Once you can confidently complete all labs and pass the knowledge check, you are ready for MOD1: Secure Infrastructure Provisioning.
**Study Resources:**
- Linux: "The Linux Command Line" by William Shotts (free PDF)
- Windows: Microsoft Learn PowerShell documentation
- Networking: Professor Messer's Network+ videos (YouTube)
- Subnetting: subnetipv4.com (practice calculator)
**Questions for Self-Assessment:**
1. If you see Event ID 4625 repeating from IP 203.0.113.50, what is likely happening?
- Answer: Brute-force login attempt (failed authentication)
2. A file has permissions `-rwxr-x---`. Can the owning group execute it?
- Answer: Yes (r-x = read and execute)
3. Network 172.16.50.0/28 has how many usable hosts?
- Answer: 14 (2^4 - 2 = 16 - 2)
---
**END OF MODULE 0**
Proceed to MOD1 when ready. Remember: **Snapshot your VMs before each new module!**
Reference in New Issue Copy Permalink