Module 1

Requests to the operating system

Booting the computer
When you boot, or turn on, your computer, either a BIOS or UEFI microchip is activated.
The Basic Input/Output System (BIOS) is a microchip that contains loading instructions for
the computer and is prevalent in older systems. The Unified Extensible Firmware Interface
(UEFI) is a microchip that contains loading instructions for the computer and replaces BIOS
on more modern systems.

The BIOS or UEFI microchips contain a variety of loading instructions for the computer to
follow. For example, one of the loading instructions is to verify the health of the computer’s
hardware.

The last instruction from the BIOS or UEFI activates the bootloader. The bootloader is a
software program that boots the operating system. Once the operating system has finished
booting, your computer is ready for use.

What is a virtual machine?

A virtual machine (VM) is a virtual version of a physical computer.

Benefits of virtual machines

Security
One benefit is that virtualization can provide an isolated environment, or a sandbox, on the
physical host machine.

Efficiency
Using virtual machines can also be an efficient and convenient way to perform security tasks.

Managing virtual machines

Virtual machines can be managed with a software called a hypervisor. Hypervisors help users
manage multiple virtual machines and connect the virtual and physical hardware. Hypervisors
also help with allocating the shared resources of the physical host machine to one or more
virtual machines

One hypervisor that is useful for you to be familiar with is the Kernel-based Virtual Machine (KVM).
KVM is an open-source hypervisor that is supported by most major Linux distributions. It is built
into the Linux kernel, which means it can be used to create virtual machines on any machine
running a Linux operating system without the need for additional software.
GUI versus CLI
A user interface is a program that allows
a user to control the functions of the operating system.
Two user interfaces that we'll discuss are
the graphical user interface, or
GUI, and the command-line interface, or CLI.

Most operating systems can be

used with a graphical user interface.
If you've used a personal computer or a cell phone,
you have experienced operating a GUI.
Most GUIs include these components:
a start menu with program groups,
a task bar for launching programs,
and a desktop with icons and shortcuts.
All these components help you
communicate with the OS to execute tasks.

Now let's discuss the command-line interface.

In comparison, the command-line interface, or CLI,
is a text-based user interface
that uses commands to interact with the computer.
These commands communicate with
the operating system and execute
tasks like opening programs.

In comparison,
using a GUI is more like ordering food from a restaurant.
You can only order what's on the menu.
If you want both a noodle dish and pizza,
but the first restaurant you go to only has pizza,
you'll have to go to another restaurant
to order the noodles.
With a graphical user interface,
you must do one task at a time.
But the command-line interface allows for customization,
which lets you complete multiple tasks simultaneously.
For example, imagine you
have a folder with hundreds of files of
different file types, and you need to
move only the JPEG files to a new folder

Advantages of a CLI in cybersecurity

Efficiency
Some prefer the CLI because it can be used more quickly when you know how to manage
this interface.
History file
For security analysts, using the Linux CLI is helpful because it records a history file of all the
commands and actions in the CLI. If you were using a GUI, your actions are not necessarily
saved in a history file.

MODULE 2

Linux architecture
The components of Linux include
 user,
 applications,
 shell,
 Filesystem Hierarchy Standard,
 kernel
 hardware.

First, you are the user. The user is the person interacting with the computer.

The second element of the architecture is the applications within a system.

The next component in the architecture

of Linux is the shell.
This is an important element because
it is how you will communicate with the system.
The shell is a command line interpreter.
It processes commands and outputs the results.

Another element of the architecture of

Linux is the Filesystem Hierarchy Standard,
or FHS. It's
the component of the Linux OS that organizes data.

The kernel is a component of

the Linux OS that manages processes and memory.
The kernel communicates with the hardware
to execute the commands sent by the shell.

The last component of

the architecture is the hardware.
Hardware refers to the physical components of a computer.

Linux distributions
Linux is a very customizable operating system.
Unlike other operating systems, there are different versions available for
you to use.
These different versions of Linux are called distributions.
You might also hear them called distros or flavors of Linux.

All distros are derived from another distro, but

there are a few that are considered parent distributions.
Red Hat® is the parent of CentOS, and Slackware® is the parent of SUSE®.
Both Ubuntu and KALI LINUX™ are derived from Debian.

KALI LINUX ™
KALI LINUX™ is a trademark of Offensive Security and is Debian derived. It's important to note that
KALI LINUX™ should be used on a virtual machine.

This prevents damage to your system in the event its tools are used improperly.
An additional benefit is that using a virtual machine gives you the ability to
revert to a previous state.

To begin, Metasploit can be used to look for and exploit vulnerabilities on machines.
Burp Suite is another tool that helps to test for weaknesses in web applications.
And finally, John the Ripper is a tool used to guess passwords

KALI LINUX™ is also a useful distribution for

security professionals who are involved in digital forensic work.
It has a large number of tools that can be used for this. As one example,
tcpdump is a command-line packet analyzer. It's used to capture network traffic.
Another tool commonly used in the security profession is Wireshark.
It has a graphical user interface that can be used to analyze live and
captured network traffic.
And as a final example,
Autopsy is a forensic tool used to analyze hard drives and smartphones.

Ubuntu
Ubuntu is an open-source, user-friendly distribution that is widely used in security and other
industries. It has both a command-line interface (CLI) and a graphical user interface (GUI).
Ubuntu is also Debian-derived and includes common applications by default.

Ubuntu is also widely used for cloud computing. As organizations migrate to cloud servers,
cybersecurity work may more regularly involve Ubuntu derivatives.

Parrot
Parrot is an open-source distribution that is commonly used for security. Similar to KALI
LINUX ™, Parrot comes with pre-installed tools related to penetration testing and digital
forensics. Like both KALI LINUX ™ and Ubuntu, it is based on Debian.

Parrot is also considered to be a user-friendly Linux distribution. This is because it has a GUI
that many find easy to navigate. This is in addition to Parrot’s CLI.
Red Hat® Enterprise Linux®
Red Hat Enterprise Linux is a subscription-based distribution of Linux built for enterprise
use. Red Hat is not free, which is a major difference from the previously mentioned
distributions. Because it’s built and supported for enterprise use, Red Hat also offers a
dedicated support team for customers to call about issue

CentOS
CentOS is an open-source distribution that is closely related to Red Hat. It uses source code
published by Red Hat to provide a similar platform. However, CentOS does not offer the
same enterprise support that Red Hat provides and is supported through the community.

Package managers for installing applications

A package manager is a tool that helps users install, manage, and remove packages or
applications. Linux uses multiple package managers. Many commonly used Linux distributions are
derived from the same parent distribution. For example, KALI LINUX ™, Ubuntu, and Parrot all
come from Debian. CentOS comes from Red Hat.

the Red Hat Package Manager (RPM) can be used for Linux distributions derived from Red Hat, and
package managers such as dpkg can be used for Linux distributions derived from Debian.

Package management tools

In addition to package managers like RPM and dpkg, there are also package management
tools that allow you to easily work with packages through the shell. Two notable tools are
the Advanced Package Tool (APT) and Yellowdog Updater Modified (YUM).

Advanced Package Tool (APT)

APT is a tool used with Debian-derived distributions. It is run from the command-line
interface to manage, search, and install packages.

Yellowdog Updater Modified (YUM)

YUM is a tool used with Red Hat-derived distributions. It is run from the command-
line interface to manage, search, and install packages. YUM works with .rpm files.

Sudo apt install

Echo hello
Module 3

The root directory is

the highest-level directory in Linux.
It's designated by a single slash.
Subdirectories branch off from the root directory.
The subdirectories branch out
further and further away from the root directory.

With that background, we're now ready to learn the commands commonly used for navigating the
file system.

First,
pwd prints the working directory onto the screen. When you use this command, the output
tells you which directory you're currently in.

Next,
ls displays the names of files and directories in the current working directory.

Note: If you want to return the contents of a directory that’s not your current working directory,
you can add an argument after ls with the absolute or relative file path to the desired directory. For
example, if you’re in the /home/analyst directory but want to list the contents of its projects
subdirectory, you can enter ls /home/analyst/projects or just ls projects.

And finally,
cd navigates between directories. This is the command you'll use when you want to change
directories.

Pro Tip: You can use the relative file path and enter cd .. to go up one level in the file structure. For
example, if the current directory is /home/analyst/projects, entering cd .. would change your
working directory to /home/analyst.

As a security analyst, you'll also need to know how to read file content in Linux.
When reading file content, there are some commands that will help you.
First,
cat displays the content of a file. This is useful, but sometimes you won't want the full contents
of a large file.

In these cases, you can use the head command. It displays just the beginning of a file, by
default ten lines.

Pro Tip: If you want to change the number of lines returned by head, you can specify the number of
lines by including -n. For example, if you only want to display the first five lines of the updates.txt
file, enter head -n 5 updates.txt
tail
The tail command does the opposite of head. This command can be used to display just the
end of a file, by default 10 lines. Entering tail updates.txt returns only the last 10 lines of the
updates.txt file.

Pro Tip: You can use tail to read the most recent information in a log file.

less
The less command returns the content of a file one page at a time. For example, entering less
updates.txt changes the terminal window to display the contents of updates.txt one page at a
time. This allows you to easily move forward and backward through the content.

Once you’ve accessed your content with the less command, you can use several keyboard
controls to move through the file:

 Space bar: Move forward one page

 b: Move back one page

 Down arrow: Move forward one line

 Up arrow: Move back one line

 q: Quit and return to the previous terminal window

Standard FHS directories

Directly below the root directory, you’ll find standard FHS directories. In the diagram, home,
bin, and etc are standard FHS directories. Here are a few examples of what standard
directories contain:

 /home: Each user in the system gets their own home directory.

 /bin: This directory stands for “binary” and contains binary files and other
executables. Executables are files that contain a series of commands a computer needs
to follow to run programs and perform other functions.

 /etc: This directory stores the system’s configuration files.

 /tmp: This directory stores many temporary files. The /tmp directory is commonly
used by attackers because anyone in the system can modify data in these files.

 /mnt: This directory stands for “mount” and stores media, such as USB drives and
hard drives.
Pro Tip: You can use the man hier command to learn more about the FHS and its standard
directories.

When the path leads to a subdirectory below the user’s home directory, the user’s home
directory can be represented as the tilde (~). For example, /home/analyst/logs can also be
represented as ~/logs.

You can navigate to specific subdirectories using their absolute or relative file paths. The
absolute file path is the full file path, which starts from the root. For example,
/home/analyst/projects is an absolute file path. The relative file path is the file path that
starts from a user's current directory.

Note: Relative file paths can use a dot (.) to represent the current directory, or two dots (..)
to represent the parent of the current directory. An example of a relative file path could be
../projects.

Pro Tip: To learn what your username is, use the whoami command. The whoami command returns
the username of the current user. For example, if your username is analyst, entering whoami returns
analyst.

Find what you need with Linux

Filtering for information

First, we'll start with grep.

The grep command searches a specified file and
returns all lines in
the file containing a specified string.
If the file is large,
it would take a long time to visually scan for this.
Instead, after navigating to
the directory that contains updates.txt,
we'll type the command:
grep OS updates.txt into the shell.
Notice how the grep command is followed by two arguments.
The first argument is the string we're searching for;
in this case, OS.
The second argument is the name of the file
we're searching through, updates.txt.
When we press enter,
Bash returns all lines containing the word OS.

Piping
The pipe command is accessed using the pipe character (|).Piping sends the standard output
of one command as standard input to another command for further processing.

find
The find command searches for directories and files that meet specified criteria. There’s a
wide range of criteria that can be specified with find. For example, you can search for files
and directories that

 Contain a specific string in the name,

 Are a certain file size, or

 Were last modified within a certain time frame

When using find, the first argument after find indicates where to start searching. For example,
entering find /home/analyst/projects searches for everything starting at the projects directory.

After this first argument, you need to indicate your criteria for the search. If you don’t include
a specific search criteria with your second argument, your search will likely return a lot of
directories and files.

Specifying criteria involves options. Options modify the behavior of a command and
commonly begin with a hyphen (-).

-name and -iname

The difference between these two options is that -name is case-sensitive, and -iname is not.

For example, you might want to find all files in the projects directory that contain the word
“log” in the file name. To do this, you’d enter find /home/analyst/projects -name "*log*". You
could also enter find /home/analyst/projects -iname "*log*".

Note: An asterisk (*) is used as a wildcard to represent zero or more unknown characters.

-mtime
Security analysts might also use find to find files or directories last modified within a certain
time frame. The -mtime option can be used for this search. For example, entering find
/home/analyst/projects -mtime -3 returns all files and directories in the projects directory that
have been modified within the past three days.

The -mtime option search is based on days, so entering -mtime +1 indicates all files or
directories last modified more than one day ago, and entering -mtime -1 indicates all files or
directories last modified less than one day ago.

Note: The option -mmin can be used instead of -mtime if you want to base the search on
minutes rather than days.

Create and modify directories and files

First, let's take note of

commands for creating and removing directories.
The mkdir command creates a new directory.
In contrast, rmdir removes or deletes a directory.
The touch command creates a new file,
and then the rm command removes or deletes a file.
And last, we have our commands for copying
and moving files or directories.
The mv command moves a file or directory to new location,
and cp copies a file or directory into a new location.

Creating and modifying directories

mkdir
The mkdir command creates a new directory.

For example, if you want to create a new directory called network in your /home/analyst/logs
directory, you can enter mkdir /home/analyst/logs/network to create this new directory. If you’re
already in the /home/analyst/logs directory, you can also create this new directory by entering mkdir
network.

rmdir

The rmdir command removes, or deletes, a directory. For example, entering rmdir
/home/analyst/logs/network would remove this empty directory from the file system.

touch and rm
The touch command creates a new file. This file won’t have any content inside. If your
current directory is /home/analyst/reports, entering touch permissions.txt creates a new file
in the reports subdirectory called permissions.txt.

The rm command removes, or deletes, a file.

mv and cp
You can also use mv and cp when working with files.

nano text editor

nano is a command-line file editor that is available by default in many Linux distributions.

To open an existing file in nano from the directory that contains it, enter nano followed by
the file name. For example, entering nano permissions.txt from the /home/analyst/reports
directory opens a new nano editing window with the permissions.txt file open for editing.
You can also provide the absolute file path to the file if you’re not in the directory that
contains it.

You can also create a new file in nano by entering nano followed by a new file name. For
example, entering nano authorized_users.txt from the /home/analyst/reports directory
creates the authorized_users.txt file within that directory and opens it in a new nano editing
window.

Since there isn't an auto-saving feature in nano, it’s important to save your work before
exiting. To save a file in nano, use the keyboard shortcut Ctrl + O. You’ll be prompted to
confirm the file name before saving. To exit out of nano, use the keyboard shortcut Ctrl + X.

Standard output redirection

You’ve also learned about piping. Piping sends the standard output of one command as
standard input to another command for further processing. It uses the pipe character (|).

In addition to the pipe (|), you can also use the right angle bracket (>) and double right angle
bracket (>>) operators to redirect standard output.

When used with echo, the > and >> operators can be used to send the output of echo to a
specified file rather than the screen. The difference between the two is that > overwrites
your existing file, and >> adds your content to the end of the existing file instead of
overwriting it. The > operator should be used carefully, because it’s not easy to recover
overwritten files.

When you’re inside the directory containing the permissions.txt file, entering echo "last
updated date" >> permissions.txt adds the string “last updated date” to the file contents.
Entering echo "time" > permissions.txt after this command overwrites the entire file contents
of permissions.txt with the string “time”.

Note: Both the > and >> operators will create a new file if one doesn’t already exist with
your specified name.

File permissions and ownership

There are three types of permissions in
Linux that an authorized user can have.
The first type of permission is read.
On a file, read permissions
means contents on the file can be read.
On a directory,
this permission means you can read
all files in that directory.
Next are write permissions.
Write permissions on a file allow
modifications of contents of the file.
On a directory, write permissions indicate that
new files can be created in that directory.
Finally, there are also execute permissions.
Execute permissions on files mean that
the file can be executed if it's an executable file.
Execute permissions on directories allow users to
enter into a directory and access its files.

Permissions are granted for

three different types of owners.
The first type is the user.
The user is the owner of the file.
When you create a file,
you become the owner of the file,
but the ownership can be changed.
Group is the next type.
Every user is a part of a certain group.
A group consists of several users,
and this is one way to manage a multi-user environment.
Finally, there is other.
Other can be considered all other users on the system

In Linux, file permissions are

represented with a 10-character string.
For a directory with full permissions for the user group,
this string would be: drwxrwxrwx.

drwxrwxrwx

The first character indicates the file type.

As shown in this example,
d is used to indicate it is a directory.
If this character contains a hyphen instead,
it would be a regular file.

The second, third, and

fourth characters indicate the permissions for the user.
In this example, r
indicates the user has read permissions,
w indicates the user has write permissions,
and x indicates the user has execute permissions.
If one of these permissions was missing,
there would be a hyphen instead of the letter.

In the same way, the fifth, sixth,

and seventh characters indicate
permissions for the next owner type group.
As it shows here,
the type group also has read,
write, and execute permissions.
There are no hyphens to indicate that
any of these permissions haven't been granted.

Finally, the eighth through tenth characters

indicate permissions for the last owner type: other.
They also have read, write,
and execute permissions in this example.

So how do we check permissions?

First, we need to understand what options are.
Options modify the behavior of the command.
The options for a command
can be a single letter or a full word.

Checking permissions involves adding

options to the ls command.
First, ls -l displays
permissions to files and directories.
You might also want to display
hidden files and identify their permissions.
Hidden files, which begin with
a period before their name, don't
normally appear when you use ls to display file contents.
Entering ls -a displays hidden files.
Then you can combine these two options to do both.
Entering ls -la displays permissions
to files and directories, including hidden files.

Change permissions
chmod changes permissions on files and directories.
The command chmod stands for change mode.

There are two modes for changing permissions,

but we'll focus on symbolic.

Chmod g+w, o-r access.txt

With chmod, you need to identify which
file or directory you want to adjust permissions for.
This is the final argument,
in this case, a file named: access.txt.
The first argument, added directly after
the chmod command, indicates how to change permissions.
Previously, we learned about the three types
of owners: user, group, and other.
To identify these with chmod,
we use u to represent the user,
g to represent the group,
and o to represent other.
In this particular example,
g indicates we will make
some changes to group permissions,
and o to permissions for other.
These owner types are separated
by a comma in this argument.

Another way to assign these permissions is to use the equals sign (=) in this first argument.
Using = with chmod sets, or assigns, the permissions exactly as specified. For example, the
following command would set read permissions for login_sessions.txt for user, group, and
other:

chmod u=r,g=r,o=r login_sessions.txt

This command overwrites existing permissions. For instance, if the user previously had write
permissions, these write permissions are removed after you specify only read permissions
with =.

Note: When there are permission changes to more than one owner type, commas are
needed to separate changes for each owner type. You should not add spaces after those
commas.

Responsible use of sudo

To manage authorization and authentication, you need to be a root user, or a user with
elevated privileges to modify the system. The root user can also be called the “super user.”

The sudo command temporarily grants elevated permissions to specific users. The name
of this command comes from “super user do.” Users must be given access in a
configuration file to use sudo. This file is called the “sudoers file.” Although using sudo is
preferable to logging in as the root user, it's important to be aware that users with the
elevated permissions to use sudo might be more at risk in the event of an attack.

useradd
The useradd command adds a user to the system. To add a user with the username of fgarcia
with sudo, enter sudo useradd fgarcia. There are additional options you can use with
useradd:

 -g: Sets the user’s default group, also called their primary group
  -G: Adds the user to additional groups, also called supplemental or secondary groups

To use the -g option, the primary group must be specified after -g. For example, entering sudo
useradd -g security fgarcia adds fgarcia as a new user and assigns their primary group to be
security

To use the -G option, the supplemental group must be passed into the command after -G.
You can add more than one supplemental group at a time with the -G option. Entering
sudo useradd -G finance,admin fgarcia adds fgarcia as a new user and adds them to the
existing finance and admin groups.

usermod
The usermod command modifies existing user accounts. The same -g and -G options from
the useradd command can be used with usermod if a user already exists.

To change the primary group of an existing user, you need the -g option. For example,
entering sudo usermod -g executive fgarcia would change fgarcia’s primary group to the
executive group.

To add a supplemental group for an existing user, you need the -G option. You also need a -a
option, which appends the user to an existing group and is only used with the -G option. For
example, entering sudo usermod -a -G marketing fgarcia would add the existing fgarcia user
to the supplemental marketing group.

When changing the supplemental group of an existing user, if you don't include the -a option,
-G will replace any existing supplemental groups with the groups specified after usermod.
Using -a with -G ensures that the new groups are added but existing groups are not replaced.

There are other options you can use with usermod to specify how you want to modify the
user, including:

 -d: Changes the user’s home directory.

 -l: Changes the user’s login name.

 -L: Locks the account so the user can’t log in.

The option always goes after the usermod command. For example, to change fgarcia’s
home directory to /home/garcia_f, enter sudo usermod -d /home/garcia_f fgarcia. The
option -d directly follows the command usermod before the other two needed arguments.

userdel
The userdel command deletes a user from the system. For example, entering sudo userdel
fgarcia deletes fgarcia as a user. Be careful before you delete a user using this command. The
userdel command doesn’t delete the files in the user’s home directory unless you use the -r
option. Entering sudo userdel -r fgarcia would delete fgarcia as a user and delete all files in
their home directory. Before deleting any user files, you should ensure you have backups in
case you need them later.
Note: Instead of deleting the user, you could consider deactivating their account with
usermod -L. This prevents the user from logging in while still giving you access to their
account and associated permissions. For example, if a user left an organization, this option
would allow you to identify which files they have ownership over, so you could move this
ownership to other users.

chown
The chown command changes ownership of a file or directory. You can use chown to change
user or group ownership. To change the user owner of the access.txt file to fgarcia, enter
sudo chown fgarcia access.txt. To change the group owner of access.txt to security, enter
sudo chown :security access.txt. You must enter a colon (:) before security to designate it as
a group name.

Similar to useradd, usermod, and userdel, there are additional options that can be used with
chown

Man pages within the shell

man displays information on
other commands and how they work.
The name of this command comes from the word manual.

In that case, you use whatis.

whatis displays a description
of a command on a single line.

Sometimes we might not even know what command to slook up.

This is where apropos can help us.
apropos searches the manual page descriptions
for a specified string. This helps somewhat,

but it still may be difficult to find what we need.

But we can filter this by adding
the -a option and an additional string.
This option will return
only the commands that contain both strings

Module 4

Introduction to SQL and databases

Key: primary key and foreign key

Wildcards
A wildcard is a special character that can be substituted with any other character. Two of the
most useful wildcards are the percentage sign (%) and the underscore (_):

 The percentage sign substitutes for any number of other characters.

  The underscore symbol only substitutes for one other character.

The BETWEEN operator is inclusive. This means records with a hiredate of January 1,
2002 or January 1, 2003 are included in the results of the previous query.

Inner joins
The first type of join that you might perform is an inner join. INNER JOIN returns rows
matching on a specified column that exists in more than one table.

It only returns the rows where there is a match, but like other types of joins, it returns all
specified columns from all joined tables. For example, if the query joins two tables with
SELECT *, all columns in both of the tables are returned.

Note: If a column exists in both of the tables, it is returned twice when SELECT * is used.

The syntax of an inner join

To write a query using INNER JOIN, you can use the following syntax:

SELECT *

FROM employees

INNER JOIN machines ON employees.device_id = machines.device_id;

You must specify the two tables to join by including the first or left table after FROM and the
second or right table after INNER JOIN.