# FILE: MOD0_Prerequisites.md

# MODULE 0: PREREQUISITES & FOUNDATIONAL SKILLS

## Learning Objectives

By completing this module, you will:

- Navigate Linux and Windows command-line interfaces confidently
- Understand TCP/IP networking fundamentals and subnetting
- Analyze system logs for security events
- Grasp virtualization concepts critical for lab environment management

---

## SECTION 1: LINUX COMMAND LINE FUNDAMENTALS

### Key Concepts

- **Linux Filesystem Hierarchy:** `/` (root), `/home`, `/var/log`, `/etc`
- **File Permissions:** Read (r=4), Write (w=2), Execute (x=1)
- **Users & Groups:** root vs standard users, sudo privilege escalation
- **Package Management:** `apt` (Debian/Ubuntu), `yum`/`dnf` (RedHat/CentOS)

### LAB 0.1: Linux System Navigation & Log Analysis

**Prerequisites:** Kali Linux VM (you'll use this throughout the course)

**Step-by-Step:**

```bash
# 1. Check your current user and privileges
whoami
id
# Expected output: Shows username and group memberships (UID, GID)

# 2. Navigate the filesystem
cd /var/log
ls -lah
# Flags explained: -l (long format), -a (show hidden), -h (human-readable sizes)

# 3. Analyze authentication logs
sudo tail -n 50 /var/log/auth.log
# Shows the last 50 lines of auth.log (successful and failed logins, sudo use, etc.)

# 4. Search for failed SSH login attempts
sudo grep "Failed password" /var/log/auth.log | tail -n 20
# Filters the log for failed authentication events

# 5. Count failed login attempts by IP address
sudo grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -rn
# $(NF-3) is the IP: each line ends "... from <IP> port <n> ssh2", so the IP is 3 fields before the last
# Real-world use: Identify brute-force attacks

# 6. Check active network connections
ss -tunap
# t=TCP, u=UDP, n=numeric (don't resolve hostnames), a=all, p=processes
# Alternative: netstat -tunap (older systems)

# 7. View running processes
ps aux | grep ssh
# Find SSH-related processes

# 8. Check system resource usage
top
# Press 'q' to quit
# Alternative: htop (more user-friendly, may need: sudo apt install htop)

# 9.
# Create a test user (practice user management)
sudo useradd -m -s /bin/bash testuser
# -m creates home directory, -s sets shell
sudo passwd testuser
# Set password when prompted

# 10. Check user creation in logs
sudo grep "testuser" /var/log/auth.log | tail -n 5

# 11. Switch to the new user
su - testuser
# Enter password, then exit with: exit

# 12. Remove test user
sudo userdel -r testuser
# -r removes home directory
```

**Deliverable:** Screenshot showing output of step 5 (failed login count by IP) and step 8 (top command).

---

### LAB 0.2: File Permissions & Security

```bash
# Run this lab as a regular (non-root) user; as root, every read in step 8 would succeed.

# 1. Create a test directory structure
mkdir -p ~/security_lab/secrets
cd ~/security_lab

# 2. Create test files
echo "Public information" > public.txt
echo "Sensitive data" > secrets/confidential.txt

# 3. Check default permissions
ls -l public.txt
# Typical output: -rw-r--r-- (owner: rw, group: r, others: r)
# Understanding permission notation:
#   -rw-r--r--
#   -   = file type (d for directory)
#   rw- = owner permissions (read, write, no execute)
#   r-- = group permissions (read only)
#   r-- = others permissions (read only)

# 4. Make a file executable
echo '#!/bin/bash' > test_script.sh
echo 'echo "Security Lab Script"' >> test_script.sh
chmod +x test_script.sh
ls -l test_script.sh
# Now shows: -rwxr-xr-x (executable by all)

# 5. Restrict sensitive file access
chmod 600 secrets/confidential.txt
ls -l secrets/confidential.txt
# Now shows: -rw------- (only owner can read/write)

# 6. Using octal notation
chmod 750 secrets/
# 7 (owner: rwx), 5 (group: r-x), 0 (others: ---)
ls -ld secrets/

# 7. Change file ownership (requires sudo)
sudo chown root:root secrets/confidential.txt
ls -l secrets/confidential.txt
# File now owned by root

# 8. Try to read as regular user
cat secrets/confidential.txt
# Should fail with "Permission denied" (mode 600 and owned by root, so no bits apply to you)

# 9. Use sudo to read
sudo cat secrets/confidential.txt
# Now works (demonstrates privilege escalation)

# 10.
# Clean up
cd ~
sudo rm -rf ~/security_lab
```

**Deliverable:** Screenshot showing permission denied error (step 8) and successful sudo read (step 9).

---

## SECTION 2: WINDOWS FUNDAMENTALS

### Key Concepts

- **PowerShell vs CMD:** Modern PowerShell (verb-noun cmdlets) vs legacy Command Prompt
- **Event Viewer:** Centralized logging system (Security, System, Application logs)
- **Critical Event IDs:** 4624 (successful logon), 4625 (failed logon), 4672 (special privileges assigned to new logon, i.e. an admin logon)
- **Services:** Background processes (`services.msc`)

### LAB 0.3: Windows PowerShell & Event Log Analysis

**Prerequisites:** Windows 10 VM or your host Windows machine

**Step-by-Step:**

```powershell
# Open PowerShell as Administrator (Right-click Start > Windows PowerShell (Admin))

# 1. Check PowerShell version
$PSVersionTable.PSVersion
# Should be 5.1+ (Windows 10) or 7.x (PowerShell Core)
# Note: Get-EventLog (used below) only exists in Windows PowerShell 5.1; PowerShell 7 uses Get-WinEvent instead

# 2. Get system information
Get-ComputerInfo | Select-Object CsName, WindowsVersion, OsArchitecture

# 3. List running services
Get-Service | Where-Object {$_.Status -eq "Running"} | Select-Object Name, DisplayName

# 4. Check for failed login attempts (Event ID 4625)
Get-EventLog -LogName Security -InstanceId 4625 -Newest 10 | Format-Table TimeGenerated, Message -AutoSize
# If no events: Try logging in with wrong password first

# 5. Check successful logins (Event ID 4624)
Get-EventLog -LogName Security -InstanceId 4624 -Newest 10 | Format-Table TimeGenerated, Message -AutoSize

# 6. Find administrative logins (Event ID 4672)
Get-EventLog -LogName Security -InstanceId 4672 -Newest 5 | Format-List
# Shows "Special privileges assigned to new logon" (admin/SYSTEM)

# 7. Search Event Viewer for specific string
Get-EventLog -LogName System -Newest 100 | Where-Object {$_.Message -like "*error*"}

# 8. List local user accounts
Get-LocalUser | Select-Object Name, Enabled, LastLogon

# 9.
# Check active network connections
Get-NetTCPConnection -State Established | Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State

# 10. Find process using specific port (e.g., port 445 - SMB)
Get-NetTCPConnection -LocalPort 445 | Select-Object OwningProcess
Get-Process -Id (Get-NetTCPConnection -LocalPort 445).OwningProcess
# OwningProcess is the PID; feeding it to Get-Process resolves it to the process name

# 11. List installed software
Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | Select-Object DisplayName, DisplayVersion

# 12. Check Windows Defender status
Get-MpComputerStatus | Select-Object AntivirusEnabled, RealTimeProtectionEnabled, IoavProtectionEnabled

# BONUS: Export security logs for analysis
Get-EventLog -LogName Security -Newest 100 | Export-Csv -Path C:\security_logs.csv -NoTypeInformation
# Open with Excel or import into SIEM
```

**Deliverable:** Screenshot of Event ID 4625 output (step 4) and active network connections (step 9).

---

### LAB 0.4: Windows Event Viewer GUI Navigation

```
1. Press Win + R, type: eventvwr.msc, press Enter
2. Navigate: Windows Logs > Security
3. Right-click "Security" > Filter Current Log
   - Event IDs: 4624,4625,4672
   - Click OK
4. Double-click on Event ID 4625 (failed logon)
   - Note the "Failure Information" and "Network Information" sections
   - Identify: Source IP (Source Network Address), Account Name, Failure Reason
5. Create Custom View:
   - Actions panel > Create Custom View
   - Name: "Authentication Events"
   - Filter: Event IDs 4624,4625,4648,4672
   - Save
6. Export logs:
   - Right-click custom view > Save All Events As
   - Format: CSV or EVTX
   - Save to Documents folder
```

**Deliverable:** Screenshot of custom view showing filtered authentication events.
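The same failed-logon count as Lab 0.1 step 5 (the `awk '{print $(NF-3)}'` pipeline) and Lab 0.3 step 4 (Event ID 4625), done in Python over both log formats at once. This is an added example, not part of the course materials: the auth.log lines and 4625 message bodies are constructed samples, and the threshold of 5 failures is an assumed tuning value.

```python
import re
from collections import Counter

# Constructed sample lines (not real log data) in the auth.log format Lab 0.1 step 5 greps.
AUTH_LOG = """\
Feb 11 09:12:01 kali sshd[1201]: Failed password for root from 203.0.113.50 port 51022 ssh2
Feb 11 09:12:03 kali sshd[1203]: Failed password for invalid user admin from 203.0.113.50 port 51023 ssh2
Feb 11 09:12:05 kali sshd[1205]: Failed password for root from 203.0.113.50 port 51024 ssh2
Feb 11 09:12:07 kali sshd[1207]: Failed password for invalid user test from 203.0.113.50 port 51025 ssh2
Feb 11 09:12:09 kali sshd[1209]: Failed password for root from 203.0.113.50 port 51026 ssh2
Feb 11 09:14:10 kali sshd[1210]: Failed password for alice from 10.10.2.15 port 40110 ssh2
Feb 11 09:14:30 kali sshd[1212]: Accepted password for alice from 10.10.2.15 port 40112 ssh2
"""

# Constructed Message bodies laid out like Windows Event ID 4625 (Lab 0.3 step 4 / the CSV export).
WIN_4625 = [
    "An account failed to log on.\n\nSubject:\n\tAccount Name:\t\t-\n\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tAdministrator\n\n"
    "Network Information:\n\tSource Network Address:\t198.51.100.7\n",
] * 4 + [
    "An account failed to log on.\n\nSubject:\n\tAccount Name:\t\t-\n\n"
    "Account For Which Logon Failed:\n\tAccount Name:\t\tbob\n\n"
    "Network Information:\n\tSource Network Address:\t10.10.2.20\n",
]

# Same field the awk '{print $(NF-3)}' pipeline pulls out: the address after "from".
SSH_FAIL = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
# 4625 lists "Account Name" twice; take the one under "Account For Which Logon Failed".
WIN_FAIL = re.compile(r"Account For Which Logon Failed:.*?Account Name:\s*(\S+).*?"
                      r"Source Network Address:\s*(\S+)", re.S)

def failures_by_ip(auth_log_text, win_messages):
    """Count failed logons per source IP across both log sources."""
    counts = Counter()
    for line in auth_log_text.splitlines():
        m = SSH_FAIL.search(line)
        if m:
            counts[m.group(2)] += 1
    for msg in win_messages:
        m = WIN_FAIL.search(msg)
        if m:
            counts[m.group(2)] += 1
    return counts

def brute_force_suspects(auth_log_text, win_messages, threshold=5):
    """IPs at or above the failure threshold, highest first (threshold is an assumed tuning value)."""
    counts = failures_by_ip(auth_log_text, win_messages)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]
```

On a real system, feed `failures_by_ip` the text of `/var/log/auth.log` and the `Message` column of the CSV from the BONUS export step.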
---

## SECTION 3: NETWORKING FUNDAMENTALS

### Key Concepts

- **OSI Model:** 7 layers (Physical, Data Link, Network, Transport, Session, Presentation, Application)
- **TCP/IP Stack:** Link, Internet (IP), Transport (TCP/UDP), Application
- **IPv4 Addressing:** 32-bit addresses (e.g., 192.168.1.100)
- **Subnetting:** CIDR notation (/24 = 255.255.255.0)
- **Key Protocols:** TCP (connection-oriented), UDP (connectionless), ICMP (ping)

### LAB 0.5: Subnetting & Network Calculations

**Practice Problems (Calculate by hand, then verify with tools):**

**Problem 1:**

```
Network: 10.10.2.0/24

Questions:
a) What is the subnet mask?
b) What is the network address?
c) What is the broadcast address?
d) How many usable host IPs?
e) What is the first usable IP?
f) What is the last usable IP?

ANSWERS:
a) 255.255.255.0
b) 10.10.2.0
c) 10.10.2.255
d) 254 (256 - 2 for network and broadcast)
e) 10.10.2.1
f) 10.10.2.254
```

**Problem 2:**

```
Network: 192.168.50.0/26

Questions:
a) Subnet mask?
b) How many subnets can be created?
c) How many hosts per subnet?
d) List the first 3 subnet ranges

ANSWERS:
a) 255.255.255.192
b) 4 subnets (/26 = 2 bits borrowed from the /24, 2^2 = 4)
c) 62 hosts per subnet (64 - 2)
d)
   - 192.168.50.0/26   (hosts: .1 to .62,    broadcast: .63)
   - 192.168.50.64/26  (hosts: .65 to .126,  broadcast: .127)
   - 192.168.50.128/26 (hosts: .129 to .190, broadcast: .191)
```

**Verification Tools:**

```bash
# Linux: Install ipcalc
sudo apt install ipcalc

# Calculate subnet details
ipcalc 10.10.2.0/24
ipcalc 192.168.50.0/26
```

```powershell
# Windows PowerShell: Manual calculation
function Get-SubnetInfo {
    param($CIDR)
    $IP, $MaskBits = $CIDR -split '/'
    $MaskBits = [int]$MaskBits
    $TotalIPs = [math]::Pow(2, 32 - $MaskBits)
    $UsableIPs = $TotalIPs - 2
    Write-Host "Network: $CIDR"
    Write-Host "Total IPs: $TotalIPs"
    Write-Host "Usable IPs: $UsableIPs"
}
Get-SubnetInfo "10.10.2.0/24"
```

**Deliverable:** Handwritten or typed answers to both problems, verified with ipcalc screenshots.
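The hand calculation behind Problems 1 and 2, carried out with the same bit arithmetic and then cross-checked against Python's standard `ipaddress` module (the "verify with tools" step). This is an added example, not part of the course materials; it goes one step beyond the lab by listing all subnets a /24 splits into, not only the first three.

```python
import ipaddress

def _to_int(dotted):
    """Dotted-quad text -> 32-bit integer."""
    a, b, c, d = (int(x) for x in dotted.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d

def _to_dotted(n):
    """32-bit integer -> dotted-quad text."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))

def subnet_info(cidr):
    """Answer the Problem 1 questions for one CIDR block with the bit arithmetic done by hand."""
    ip, bits = cidr.split("/")
    bits = int(bits)
    mask = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF   # /24 -> 0xFFFFFF00 = 255.255.255.0
    network = _to_int(ip) & mask                       # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)         # host bits set
    total = 2 ** (32 - bits)
    usable = max(total - 2, 0)   # /31 and /32 leave nothing once network and broadcast are removed
    return {
        "mask": _to_dotted(mask),
        "network": _to_dotted(network),
        "broadcast": _to_dotted(broadcast),
        "usable": usable,
        "first": _to_dotted(network + 1) if usable else None,
        "last": _to_dotted(broadcast - 1) if usable else None,
    }

def split_subnets(cidr, new_bits):
    """Problem 2: the subnets produced when `cidr` is cut into /new_bits blocks."""
    old_bits = int(cidr.split("/")[1])
    if new_bits < old_bits:
        raise ValueError("new prefix must be longer than the original")
    size = 2 ** (32 - new_bits)                        # addresses per new subnet
    start = _to_int(subnet_info(cidr)["network"])
    return [f"{_to_dotted(start + i * size)}/{new_bits}" for i in range(2 ** (new_bits - old_bits))]

def cross_check(cidr):
    """Verification step: the hand calculation must agree with the stdlib ipaddress module."""
    net = ipaddress.ip_network(cidr, strict=False)
    info = subnet_info(cidr)
    return (info["mask"], info["network"], info["broadcast"]) == (
        str(net.netmask), str(net.network_address), str(net.broadcast_address))
```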
---

### LAB 0.6: Protocol Analysis with Ping & Traceroute

```bash
# LINUX/KALI:

# 1. Basic ping (ICMP Echo Request)
ping -c 4 8.8.8.8
# -c 4 = send 4 packets

# 2. Traceroute (map network path)
traceroute 8.8.8.8
# Shows each router hop to destination

# 3. Ping with timestamp
ping -c 10 -D 8.8.8.8
# -D adds timestamp to each line

# 4. Ping specific interface (if multiple NICs)
ping -I eth0 -c 4 10.10.2.1

# 5. Large packet test (MTU discovery)
ping -c 4 -s 1472 8.8.8.8
# -s 1472 = 1500 byte packet (1472 + 28 byte header: 20 IP + 8 ICMP)
# Without -M do (don't-fragment), an oversized packet is silently fragmented rather than failing

# 6. TCP ping alternative (when ICMP blocked)
sudo hping3 -S -p 80 -c 4 google.com
# -S = SYN flag, -p 80 = port 80, -c 4 = count
# Install: sudo apt install hping3
```

```powershell
# WINDOWS (PowerShell):

# 1. Basic ping
Test-Connection -ComputerName 8.8.8.8 -Count 4

# 2. Traceroute
Test-NetConnection -ComputerName google.com -TraceRoute

# 3. TCP port test
Test-NetConnection -ComputerName google.com -Port 443
# Tests if port 443 (HTTPS) is open
```

**Deliverable:** Screenshot of traceroute to 8.8.8.8 showing at least 5 hops.

---

## SECTION 4: VIRTUALIZATION CONCEPTS

### Key Concepts

- **Hypervisor Types:**
  - **Type 1 (Bare Metal):** Proxmox, VMware ESXi, Hyper-V Server (runs directly on hardware)
  - **Type 2 (Hosted):** VirtualBox, VMware Workstation (runs on host OS)
- **Virtual Machine Components:** vCPU, vRAM, vNIC (virtual network interface card), vDisk
- **Snapshots:** Point-in-time state saves (critical for labs—snapshot before risky operations!)
- **Network Modes:** NAT, Bridged, Host-Only, Internal

### LAB 0.7: VirtualBox Snapshot Management

**Prerequisites:** VirtualBox installed, any VM (Ubuntu, Windows, etc.)

**Step-by-Step:**

```
1. Start VirtualBox Manager
2. Select your VM (powered off state)
3. Take Baseline Snapshot:
   - Machine menu > Take Snapshot
   - Name: "Clean Install - Pre-Labs"
   - Description: "Fresh OS install before any modifications"
   - Click OK
4.
   Start the VM and make a change:
   - Create file on desktop: "test_snapshot.txt"
   - Write some text in it
5. Take Second Snapshot (VM can be running):
   - Machine menu > Take Snapshot
   - Name: "After Test File Creation"
   - Click OK
6. Make destructive change:
   - Delete the test file
   - Empty recycle bin
7. Restore to previous snapshot:
   - Shut down VM
   - In VirtualBox Manager: Click "Snapshots" button (top right)
   - Right-click "After Test File Creation" > Restore
   - Confirm restoration
8. Verify restoration:
   - Start VM
   - Check desktop - file should be back!
9. Snapshot best practices for security labs:
   - ALWAYS snapshot before exploitation attempts
   - Name snapshots descriptively (e.g., "Pre-Metasploit-Attack-2026-02-11")
   - Delete old snapshots to free disk space (keep 2-3 max)
```

**Deliverable:** Screenshot of VirtualBox snapshot tree showing at least 2 snapshots.

---

### LAB 0.8: Understanding Virtual Network Modes

**Using VirtualBox (concepts apply to Proxmox/VMware):**

```
1. Open VM Settings > Network > Adapter 1
2.
   Test Each Mode:

   MODE 1: NAT (Network Address Translation)
   - VM can access internet
   - VM cannot be accessed from host
   - VMs cannot talk to each other
   - Use case: Isolated internet access
   Test:
   - Set to NAT
   - Start VM, open browser, visit google.com (should work)
   - From host, try to ping VM IP (should fail)

   MODE 2: Bridged Adapter
   - VM appears as separate device on your home network
   - Gets IP from your router's DHCP
   - Can communicate with all devices on LAN
   - Use case: VM needs to be network-accessible
   Test:
   - Set to Bridged
   - Start VM, check IP: ip addr (Linux) or ipconfig (Windows)
   - From host, ping VM IP (should work)

   MODE 3: Host-Only Adapter
   - VM can only talk to host machine
   - VM cannot access internet
   - VMs on same host-only network can talk to each other
   - Use case: Isolated lab networks
   Test:
   - Set to Host-Only
   - Start VM, check IP (should be 192.168.56.x range)
   - Try to access internet (should fail)
   - From host, ping VM (should work)

   MODE 4: Internal Network
   - VMs can only talk to other VMs on same internal network
   - Completely isolated from host and internet
   - Use case: Simulated enterprise networks
   Test:
   - Create 2 VMs on "intnet1" internal network
   - Assign static IPs manually
   - VMs should ping each other but nothing else

3. Proxmox Equivalent (for reference):
   - NAT = VM uses Proxmox's internet connection
   - Bridged = VLAN-tagged interface on vmbr0
   - Host-Only = Separate bridge without physical uplink
   - Internal = VMs on same VLAN tag
```

**Deliverable:** Table showing which modes allow: VM-to-Internet, VM-to-Host, VM-to-VM, Host-to-VM.
---

## KNOWLEDGE CHECK: Pre-Module Assessment

**Before proceeding to MOD1, you should be able to:**

### Linux Skills

- [ ] Navigate filesystem using `cd`, `ls`, `pwd`
- [ ] Read log files with `cat`, `tail`, `grep`
- [ ] Understand `rwx` permissions and `chmod` octal notation
- [ ] Use `sudo` for privilege escalation
- [ ] Identify running processes with `ps` and `top`

### Windows Skills

- [ ] Execute PowerShell cmdlets (Get-EventLog, Get-Service, Get-Process)
- [ ] Navigate Event Viewer and filter by Event ID
- [ ] Identify critical security Event IDs (4624, 4625, 4672)
- [ ] Check active network connections
- [ ] Export logs to CSV

### Networking Skills

- [ ] Calculate subnet mask from CIDR notation
- [ ] Determine network and broadcast addresses
- [ ] Count usable hosts in a subnet
- [ ] Use `ping` and `traceroute` for connectivity testing
- [ ] Understand TCP vs UDP vs ICMP

### Virtualization Skills

- [ ] Take and restore VM snapshots
- [ ] Differentiate between NAT, Bridged, Host-Only network modes
- [ ] Understand Type 1 vs Type 2 hypervisors
- [ ] Explain why VLAN tagging is necessary in Proxmox

---

## TROUBLESHOOTING COMMON ISSUES

### "Permission Denied" Errors

```bash
# Forgot sudo?
cat /var/log/auth.log        # Fails
sudo cat /var/log/auth.log   # Works

# Wrong file permissions?
ls -l filename               # Check permissions
sudo chmod 644 filename      # Fix if needed (644 = world-readable; never apply it to keys or secrets)
```

### "Command Not Found"

```bash
# Tool not installed?
which nmap                   # Check if exists
sudo apt install nmap        # Install if missing

# Wrong PATH?
echo $PATH                   # View search directories
```

### Windows Event Viewer Empty

```powershell
# Security auditing might be disabled
auditpol /get /category:*    # Check audit policies

# Enable logon auditing if needed (requires admin):
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

### VM Network Not Working

```
1. Check VM network adapter settings (NAT/Bridged/etc.)
2. Verify cable "connected" checkbox is ticked
3.
   Inside VM: sudo dhclient (Linux) or ipconfig /renew (Windows)
4. Check firewall rules on host
```

---

## PROFESSOR'S GUIDANCE

**Time Investment:** Allocate 8-12 hours for this module. Do not rush. These are foundational skills you will use in EVERY subsequent module.

**Common Student Mistakes:**

1. Skipping this module: "I already know Linux" → Then you spend 4 hours troubleshooting basic permission issues in MOD4.
2. Not taking snapshots: You WILL break something. Snapshots are your undo button.
3. Memorizing commands instead of understanding concepts: You won't have internet access during incident response. Understand the "why."

**Next Steps:** Once you can confidently complete all labs and pass the knowledge check, you are ready for MOD1: Secure Infrastructure Provisioning.

**Study Resources:**

- Linux: "The Linux Command Line" by William Shotts (free PDF)
- Windows: Microsoft Learn PowerShell documentation
- Networking: Professor Messer's Network+ videos (YouTube)
- Subnetting: subnetipv4.com (practice calculator)

**Questions for Self-Assessment:**

1. If you see Event ID 4625 repeating from IP 203.0.113.50, what is likely happening?
   - Answer: Brute-force login attempt (failed authentication)
2. A file has permissions `-rwxr-x---`. Can the owning group execute it?
   - Answer: Yes (r-x = read and execute)
3. Network 172.16.50.0/28 has how many usable hosts?
   - Answer: 14 (2^4 - 2 = 16 - 2)

---

**END OF MODULE 0**

Proceed to MOD1 when ready. Remember: **Snapshot your VMs before each new module!**
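The permission notation from Lab 0.2 (`-rw-r--r--`, `chmod 600`, `chmod 750`) and self-assessment question 2, as a small converter between `ls -l` mode strings and chmod octal digits. This is an added example, not part of the course materials; it also handles the setuid/setgid/sticky characters (`s`, `t`, `S`, `T`) and the trailing `+`/`.` that `ls -l` appends for ACLs or SELinux labels, which the lab does not cover.

```python
# Octal weight of each permission character (Lab 0.2: r=4, w=2, x=1).
WEIGHTS = {"r": 4, "w": 2, "x": 1}

def mode_to_octal(mode_str):
    """ls -l mode string such as '-rwxr-x---' -> chmod octal string '750'."""
    bits = mode_str[1:10]                    # drop the type char; ignore a trailing '+' or '.' (ACL/SELinux)
    if len(bits) != 9:
        raise ValueError(f"expected a type character plus 9 permission characters: {mode_str!r}")
    digits = []
    for i in (0, 3, 6):                      # owner, group, others
        value = 0
        for c in bits[i:i + 3]:
            if c in "rw":
                value += WEIGHTS[c]
            elif c in "xst":                 # s/t = setuid/setgid/sticky AND execute
                value += WEIGHTS["x"]
            elif c not in "-ST":             # S/T = special bit set but no execute
                raise ValueError(f"unknown permission character {c!r}")
        digits.append(value)
    return "".join(str(d) for d in digits)

def octal_to_mode(octal, directory=False):
    """Inverse direction: '600' -> '-rw-------' (or 'drw-------' with directory=True)."""
    out = "d" if directory else "-"
    for d in (int(ch) for ch in octal[-3:]):  # last three digits; a leading special-bits digit is ignored
        out += "".join(name if d & w else "-" for name, w in WEIGHTS.items())
    return out

def can(mode_str, who, perm):
    """Self-assessment Q2 as code: can('-rwxr-x---', 'group', 'x') -> True."""
    digit = int(mode_to_octal(mode_str)[["owner", "group", "others"].index(who)])
    return bool(digit & WEIGHTS[perm])
```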