Defensive security

In the previous room, we learned about offensive security, which aims to identify and exploit system
vulnerabilities to enhance security measures. This includes exploiting software bugs, leveraging insecure
setups, and taking advantage of unenforced access control policies, among other strategies. Red teams
and penetration testers specialize in these offensive techniques.

In this room, we will examine its counterpart, defensive security. It is concerned with two main tasks:

1. Preventing intrusions from occurring

2. Detecting intrusions when they occur and responding properly

Blue teams are part of the defensive security landscape.

Some of the tasks that are related to defensive security include:

 User cyber security awareness: Training users about cyber security helps protect against attacks
targeting their systems.

 Documenting and managing assets: We need to know the systems and devices we must manage
and protect adequately.

 Updating and patching systems: Ensuring that computers, servers, and network devices are
correctly updated and patched against any known vulnerability (weakness).

 Setting up preventative security devices: firewall and intrusion prevention systems (IPS) are
critical components of preventative security. Firewalls control what network traffic can go inside
and what can leave the system or network. IPS blocks any network traffic that matches present
rules and attack signatures.

 Setting up logging and monitoring devices: Proper network logging and monitoring are essential
for detecting malicious activities and intrusions. If a new unauthorized device appears on our
network, we should be able to detect it.

There is much more to defensive security. Aside from the above, we will also cover the following related
topics:

 Security Operations Center (SOC)

 Threat Intelligence

 Digital Forensics and Incident Response (DFIR)

 Malware Analysis

AREAS OF DEFENSIVE SECURITY

In this task, we will cover two main topics related to defensive security:

 Security Operations Center (SOC), where we cover Threat Intelligence

  Digital Forensics and Incident Response (DFIR), where we also cover Malware Analysis

Security Operations Center (SOC)

A Security Operations Center (SOC) is a team of cyber security professionals that monitors the network
and its systems to detect malicious cyber security events. Some of the main areas of interest for
a SOC are:

 Vulnerabilities: Whenever a system vulnerability (weakness) is discovered, it is essential to fix it

by installing a proper update or patch. When a fix is unavailable, the necessary measures should
be taken to prevent an attacker from exploiting it. Although remediating vulnerabilities is vital to
a SOC, it is not necessarily assigned to them.

 Policy violations: A security policy is a set of rules required to protect the network and systems.
For example, it might be a policy violation if users upload confidential company data to an online
storage service.

 Unauthorized activity: Consider the case where a user’s login name and password are stolen,
and the attacker uses them to log into the network. A SOC must detect and block such an event
as soon as possible before further damage is done.

 Network intrusions: No matter how good your security is, there is always a chance for an
intrusion. An intrusion can occur when a user clicks on a malicious link or when an attacker
exploits a public server. Either way, when an intrusion occurs, we must detect it as soon as
possible to prevent further damage.

Security operations cover various tasks to ensure protection; one such task is threat intelligence.
Threat Intelligence

In this context, intelligence refers to information you gather about actual and potential enemies.
A threat is any action that can disrupt or adversely affect a system. Threat intelligence collects
information to help the company better prepare against potential adversaries. The purpose would be to
achieve a threat-informed defence. Different companies have different adversaries. Some adversaries
might seek to steal customer data from a mobile operator; however, other adversaries are interested in
halting the production in a petroleum refinery. Example adversaries include a nation-state cyber army
working for political reasons and a ransomware group acting for financial purposes. Based on the
company (target), we can expect adversaries.

Intelligence needs data. Data has to be collected, processed, and analyzed. Data is collected from local
sources such as network logs and public sources such as forums. Data processing arranges it into a
format suitable for analysis. The analysis phase seeks to find more information about the attackers and
their motives; moreover, it aims to create a list of recommendations and actionable steps.

Learning about your adversaries lets you know their tactics, techniques, and procedures. As a result of
threat intelligence, we identify the threat actor (adversary) and predict their activity. Consequently, we
can mitigate their attacks and prepare a response strategy.

Digital Forensics and Incident Response (DFIR)

This section is about Digital Forensics and Incident Response (DFIR), and we will cover:

 Digital Forensics

 Incident Response

 Malware Analysis

Digital Forensics

Forensics is the application of science to investigate crimes and establish facts. With the use and spread
of digital systems, such as computers and smartphones, a new branch of forensics was born to
investigate related crimes: computer forensics, which later evolved into digital forensics.

In defensive security, the focus of digital forensics shifts to analyzing evidence of an attack and its
perpetrators and other areas such as intellectual property theft, cyber espionage, and possession of
unauthorized content. Consequently, digital forensics will focus on different areas, such as:

 File System: Analyzing a digital forensics image (low-level copy) of a system’s storage reveals
much information, such as installed programs, created files, partially overwritten files, and
deleted files.

 System memory: If the attacker runs their malicious program in memory without saving it to the
disk, taking a forensic image (low-level copy) of the system memory is the best way to analyze its
contents and learn about the attack.

 System logs: Each client and server computer maintains different log files about what is
happening. Log files provide plenty of information about what happened on a system. Even if the
attacker tries to clear their traces, some traces will remain.

 Network logs: Logs of the network packets that have traversed a network would help answer
more questions about whether an attack is occurring and what it entails.

Incident Response

An incident usually refers to a data breach or cyber-attack; however, in some cases, it can be something
less critical, such as a misconfiguration, an intrusion attempt, or a policy violation. Examples of a cyber
attack include an attacker making our network or systems inaccessible, defacing (changing) the public
website, and data breach (stealing company data). How would you respond to a cyber attack? Incident
response specifies the methodology that should be followed to handle such a case. The aim is to reduce
damage and recover in the shortest time possible. Ideally, you would develop a plan that is ready for
incident response.
The four major phases of the incident response process are:

1. Preparation: This requires a team trained and ready to handle incidents. Ideally, various
measures are put in place to prevent incidents from happening in the first place.

2. Detection and Analysis: The team has the necessary resources to detect any incident; moreover,
it is essential to analyze any detected incident further to learn about its severity.

3. Containment, Eradication, and Recovery: Once an incident is detected, it is crucial to stop it from
affecting other systems, eliminate it, and recover the affected systems. For instance, when we
notice that a system is infected with a computer virus, we would like to stop (contain) the virus
from spreading to other systems, clean (eradicate) the virus, and ensure proper system recovery.

4. Post-Incident Activity: After a successful recovery, a report is produced, and the lesson learned is
shared to prevent similar future incidents.

Malware Analysis

Malware stands for malicious software. Software refers to programs, documents, and files you can save
on a disk or send over the network. Malware includes many types, such as:

 A virus is a piece of code (part of a program) that attaches itself to a program. It is designed to
spread from one computer to another and works by altering, overwriting, and deleting files once
it infects a computer. The result ranges from the computer becoming slow to unusable.

 Trojan Horse is a program that shows one desirable function but hides a malicious function
underneath. For example, a victim might download a video player from a shady website that
gives the attacker complete control over their system.

 Ransomware is a malicious program that encrypts the user’s files. Encryption makes the files
unreadable without knowing the encryption password. The attacker offers the user the
encryption password if the user is willing to pay a “ransom.”
Malware analysis aims to learn about such malicious programs using various means:

1. Static analysis works by inspecting the malicious program without running it. This usually
requires solid knowledge of assembly language (the processor’s instruction set, i.e., the
computer’s fundamental instructions).

2. Dynamic analysis works by running the malware in a controlled environment and monitoring its
activities. It lets you observe how the malware behaves when running.

The Scenario

Let us pretend you are a Security Operations Center (SOC) analyst responsible for protecting a bank. This
bank's SOC uses a Security Information and Event Management (SIEM) tool, which gathers security-
related information and events from various sources and presents them in one dashboard. If
the SIEM finds something suspicious, an alert will be generated.
Not all alerts are malicious, however. It is up to the analyst to use their expertise in cyber security to
investigate which ones are harmful.

For example, you may encounter an alert where a user has failed multiple login attempts. While
suspicious, this kind of thing happens, especially if the user has forgotten their password and continues
to try to log in.

Additionally, there might be alerts related to connections from unknown IP addresses. An IP address is
like a home address for your computer on the Internet—it tells other computers where to send the
information you request. When these addresses are unknown, it could mean that someone new is trying
to connect or someone is attempting unauthorized access.

Simulating a SIEM

We have prepared a simplified, interactive simulation of a SIEM system to provide you with a hands-on
experience similar to what cyber security analysts encounter.

To start this simulation, please click the "View Site" button below.

View Site

This action will open a "static site" on the right side of your screen. Follow the step-by-step instructions
provided within the simulation to navigate through the events and locate the "flag." A flag is a series of
characters with a format like this: "THM{RANDOM_WORDS}". Use this flag to answer questions from
rooms here in TryHackMe, like the one below.

What's next?

In this room, we've discussed the different subfields (SOC, Threat Intelligence, Malware Analysis,
and DFIR) and experienced firsthand how to deal with alerts in a simulated SIEM environment. While
we've covered a lot, the depth and complexity of this field mean there's more to learn and explore. The
lessons learned here will serve as your foundation as cyber threats evolve, demanding continuous
learning, vigilance, and adaptation.

Continue learning by checking out the next room in this series, "Search Skills." This room will teach you
valuable techniques for searching for information online to aid your investigations and learning.

If you want to skip ahead and learn more about the topics discussed in this room, the following rooms
are recommended:

 Introduction to SIEM - An Introduction to Security Information and Event Management

 Security Operations - Learn about the Security Operations Center (SOC): its responsibilities,
services, and data sources

 DFIR : An Introduction - Introductory room for the DFIR module

 Intro to Malware Analysis - What to do when you run into a suspected malware

SEARCH SKILLS

A quick Google search for “learn cyber security” returned around 600 million hits, while a search for
“learn hacking” returned more than double that number! The number might have grown even further
when you go through this room.

We are surrounded by information. Do you prefer to surrender in the face of information overload and
accept the first few results you get? Or do you like to acquire the necessary search skills to find and
access what you are looking for? This room aims to help you with the latter.

Learning Objectives

The goal of this room is to teach:

 Evaluate information sources

 Use search engines efficiently

 Explore specialized search engines

 Read technical documentation

 Make use of social media

 Check news outlets

EVALUATION OF SEARCH RESULTS

On the Internet, everyone can publish their writings. It can be in the form of blog posts, articles, or social
media posts. It can be even in more subtle ways, such as by editing a public wiki page. This ability makes
it possible for anyone to voice their unfounded claims. Everyone can express their opinion about best
cyber security practices, future programming trends, and how to best prepare for
a DevSecOps interview.

It is our job, as readers, to evaluate the information. We will mention a few things to consider when
evaluating information:

 Source: Identify the author or organization publishing the information. Consider whether they
are reputable and authoritative on the subject matter. Publishing a blog post does not make one
an authority on the subject.

 Evidence and reasoning: Check whether the claims are backed by credible evidence and logical
reasoning. We are seeking hard facts and solid arguments.

 Objectivity and bias: Evaluate whether the information is presented impartially and rationally,
reflecting multiple perspectives. We are not interested in authors pushing shady agendas,
whether to promote a product or attack a rival.
  Corroboration and consistency: Validate the presented information by corroboration from
multiple independent sources. Check whether multiple reliable and reputable sources agree on
the central claims.

SEARCH ENGINES

Every one of us has used an Internet search engine; however, not everyone has tried to harness the full
power of an Internet search engine. Almost every Internet search engine allows you to carry out
advanced searches. Consider the following examples:

 Google

 Bing

 DuckDuckGo

Let’s consider the search operators supported by Google.

 "exact phrase": Double quotes indicate that you are looking for pages with the exact word or
phrase. For example, one might search for "passive reconnaissance" to get pages with this exact
phrase.

 site:: This operator lets you specify the domain name to which you want to limit your search. For
example, we can search for success stories on TryHackMe using site:tryhackme.com success
stories.

 -: The minus sign allows you to omit search results that contain a particular word or phrase. For
example, you might be interested in learning about the pyramids, but you don’t want to view
tourism websites; one approach is to search for pyramids -tourism or -tourism pyramids.

 filetype:: This search operator is indispensable for finding files instead of web pages. Some of the
file types you can search for using Google are Portable Document Format (PDF), Microsoft Word
Document (DOC), Microsoft Excel Spreadsheet (XLS), and Microsoft PowerPoint Presentation
(PPT). For example, to find cyber security presentations, try searching for filetype:ppt cyber
security.

You can check more advanced controls in various search engines in this advanced search operators list;
however, the above provides a good starting point. Check your favorite search engine for the supported
search operators.

SPECIALIZED SEARCH ENGINES

You are familiar with Internet search engines; however, how much are you familiar with specialized
search engines? By that, we refer to search engines used to find specific types of results.

Shodan
Let’s start with Shodan, a search engine for devices connected to the Internet. It allows you to search for
specific types and versions of servers, networking equipment, industrial control systems, and IoT devices.
You may want to see how many servers are still running Apache 2.4.1 and the distribution across
countries. To find the answer, we can search for apache 2.4.1, which will return the list of servers with
the string “apache 2.4.1” in their headers.

Consider visiting Shodan Search Query Examples for more examples. Furthermore, you can
check Shodan trends for historical insights if you have a subscription.

Censys

At first glance, Censys appears similar to Shodan. However, Shodan focuses on Internet-connected
devices and systems, such as servers, routers, webcams, and IoT devices. Censys, on the other hand,
focuses on Internet-connected hosts, websites, certificates, and other Internet assets. Some of its use
cases include enumerating domains in use, auditing open ports and services, and discovering rogue
assets within a network. You might want to check Censys Search Use Cases.
VirusTotal

VirusTotal is an online website that provides a virus-scanning service for files using multiple antivirus
engines. It allows users to upload files or provide URLs to scan them against numerous antivirus engines
and website scanners in a single operation. They can even input file hashes to check the results of
previously uploaded files.

The screenshot below shows the result of checking the submitted file against 67 antivirus engines.
Furthermore, one can check the community's comments for more insights. Occasionally, a file might be
flagged as a virus or a Trojan; however, this might not be accurate for various reasons, and that's when
community members can provide a more in-depth explanation.
Have I Been Pwned

Have I Been Pwned (HIBP) does one thing; it tells you if an email address has appeared in a leaked data
breach. Finding one’s email within leaked data indicates leaked private information and, more
importantly, passwords. Many users use the same password across multiple platforms, if one platform is
breached, their password on other platforms is also exposed. Indeed, passwords are usually stored in
encrypted format; however, many passwords are not that complex and can be recovered using a variety
of attacks.
VULNERABILITIES AND EXPLOITS

CVE

We can think of the Common Vulnerabilities and Exposures (CVE) program as a dictionary of
vulnerabilities. It provides a standardized identifier for vulnerabilities and security issues in software and
hardware products. Each vulnerability is assigned a CVE ID with a standardized format like CVE-2024-
29988. This unique identifier (CVE ID) ensures that everyone from security researchers to vendors and IT
professionals is referring to the same vulnerability, CVE-2024-29988 in this case.

The MITRE Corporation maintains the CVE system. For more information and to search for existing CVEs,
visit the CVE Program website. Alternatively, visit the National Vulnerability Database (NVD) website. The
screenshot below shows CVE-2014-0160, also known as Heartbleed.
Exploit Database

There are many reasons why you would want to exploit a vulnerable application; one would be assessing
a company’s security as part of its red team. Needless to say, we should not try to exploit a vulnerable
system unless we are given permission, usually via a legally binding agreement.

Now that we have permission to exploit a vulnerable system, we might need to find a working exploit
code. One resource is the Exploit Database. The Exploit Database lists exploit codes from various
authors; some of these exploit codes are tested and marked as verified.
GitHub, a web-based platform for software development, can contain many tools related to CVEs, along
with proof-of-concept (PoC) and exploit codes. To demonstrate this idea, check the screenshot below of
search results on GitHub that are related to the Heartbleed vulnerability.
TECHNICAL DOCUMENTATION

One vital skill to acquire is to look up official documentation. We will cover a few examples of official
documentation pages.

Linux Manual Pages

Long before the Internet was everywhere, how would you get help using a command in a Linux or Unix-
like system? The answer would be checking the manual page, man page for short. On Linux and every
Unix-like system, each command is expected to have a man page. In fact, man pages also exist for system
calls, library functions, and even configuration files.

Let’s say we want to check the manual page for the command ip. We issue the command man ip. The
screenshot below shows the page we received. You might want to start the AttackBox and run man ip on
the terminal. Press q to quit.

If you prefer to read the man page of ip in your web browser, just type man ip in your favourite search
engine. This page might be at the top of the results.

The AttackBox is a Linux system accessible from your browser. Clicking on the Start AttackBox button will
display the AttackBox in a split screen, making it convenient to read the task text and apply the
instructions within the same browser window. If you hide the AttackBox window, you can show it again
by clicking the blue Show Split View button at the top. In this task, you can start the AttackBox and use it
to try Linux commands such as man.

Microsoft Windows

Microsoft provides an official Technical Documentation page for its products. The screenshot below
shows the search results for the command ipconfig.
Product Documentation

Every popular product is expected to have well-organized documentation. This documentation provides
an official and reliable source of information about the product features and functions. Examples
include Snort Official Documentation, Apache HTTP Server Documentation, PHP Documentation,
and Node.js Documentation.

It is always rewarding to check the official documentation as it is the most up-to-date and offers the most
complete product information.

SOCIALMEDIA

There are billions of users registered on social media platforms such as Facebook, Twitter, and LinkedIn.
We expect you to be familiar with popular platforms. However, if you are aware of any platform you are
not familiar with, we recommend that you check it out and learn about it. Ideally, one would want to
explore a platform without creating an account; however, this severely limits your experience. Instead,
one recommendation is to use a temporary email address to discover these platforms without linking
them to your real email addresses; once done, you can terminate the accounts and associated email
addresses. One reason for not using your primary account is that you don’t want your contacts to start
connecting with you there when you are only temporarily exploring a platform.

The power of social media is that it allows you to connect with companies and people you are interested
in. Furthermore, social media offers a wealth of information for cyber security professionals, whether
they are searching for people or technical information. Why is searching for people important, you ask?

When protecting a company, you should ensure that the people you protect are not oversharing on
social media. For instance, their social media might give away the answer to their secret questions, such
as, “Which school did you go to as a child?”. Such information might allow adversaries to reset their
passwords and take over their accounts effortlessly.

Furthermore, as a cyber security professional, you want to stay updated with new cyber security trends,
technologies, and products. Following the proper channels and groups can provide a suitable
environment for growing your technical expertise.

Besides staying updated via social media channels and groups, we should mention news outlets.
Hundreds of news websites would offer valuable cyber-security-related news. Try different ones and stick
with the ones you like most.

Linux fundamentals 1

Where is Linux Used?

It's fair to say that Linux is a lot more intimidating to approach than Operating System's (OSs) such as
Windows. Both variants have their own advantages and disadvantages. For example, Linux is
considerably much more lightweight and you'd be surprised to know that there's a good chance you've
used Linux in some form or another every day! Linux powers things such as:

 Websites that you visit

 Car entertainment/control panels

 Point of Sale (PoS) systems such as checkout tills and registers in shops

 Critical infrastructures such as traffic light controllers or industrial sensors

Flavours of Linux

The name "Linux" is actually an umbrella term for multiple OS's that are based on UNIX (another
operating system). Thanks to Linux being open-source, variants of Linux come in all shapes and sizes -
suited best for what the system is being used for.

For example, Ubuntu & Debian are some of the more commonplace distributions of Linux because it is
so extensible. I.e. you can run Ubuntu as a server (such as websites & web applications) or as a fully-
fledged desktop. For this series, we're going to be using Ubuntu.

Note: Ubuntu Server can run on systems with only 512MB of RAM!

Similar to how you have different versions Windows (7, 8 and 10), there are many different
versions/distributions of Linux.

RUNNING COMMANDS
As we previously discussed, a large selling point of using OSs such as Ubuntu is how lightweight they can
be. This, of course, doesn't come without its disadvantages, where for example, often there is no GUI
(Graphical User Interface) or what is also known as a desktop environment that we can use to interact
with the machine (unless it has been installed). A large part of interacting with these systems is using the
"Terminal".

The "Terminal" is purely text-based and is intimidating at first. However, if we break down some of the
commands, after some time, you quickly become familiar with using the terminal!

This is what a terminal looks like

tryhackme@linux1:~$ enter commands here

We need to be able to do basic functions like navigate to files, output their contents and make files! The
commands to do so are self-explanatory (once you know what they are of course...)

Let's get started with two of the first commands which I have broken down in the table below:

Command Description

echo Output any text that we provide

whoami Find out what user we're currently logged in as!

See the snippets below for an example of each command being used

Using echo

tryhackme@linux1:~$ echo "Hello Friend!"

Using whoami to find out the username of who we're logged in as

tryhackme@linux1:~$ whoami

Try this on your Linux machine now!

INTERACTING WITH FILESYSTEM

So far we've only covered the "echo" and "whoami" commands. Not all that useful when you consider
things that we need to do - including navigating the filesystem, read and write to it as well.

In this task, we're going to be learning the commands so that we can do just that. Just like the previous
task, I'll display the commands in the table in the next heading & show examples of these commands
being used.

Interacting With the Filesystem

As I previously stated, being able to navigate the machine that you are logged into without relying on a
desktop environment is pretty important. After all, what's the point of logging in if we can't go
anywhere?

Command Full Name

ls listing

cd change directory

cat concatenate

pwd print working directory

Listing Files in Our Current Directory (ls)

Before we can do anything such as finding out the contents of any files or folders, we need to know what
exists in the first place. This can be done using the "ls" command (short for listing)

Using "ls" to to list the contents of the current directory

tryhackme@linux1:~$ ls

'Important Files' 'My Documents' Notes Pictures

In the screenshot above, we can see there are the following directories/folders:

 Important Files

 My Documents

 Notes

 Pictures

Great! You can probably take a guess as to what to expect a folder to contain given by its name.
Pro tip: You can list the contents of a directory without having to navigate to it by using ls and the name
of the directory. I.e. ls Pictures

Changing Our Current Directory (cd)

Now that we know what folders exist, we need to use the "cd" command (short for change directory) to
change to that directory. Say if I wanted to open the "Pictures" directory - I'd do "cd Pictures". Where
again, we want to find out the contents of this "Pictures" directory and to do so, we'd use "ls" again:

Listing our new directory after we have used "cd"

tryhackme@linux1:~/Pictures$ ls

dog_picture1.jpg dog_picture2.jpg dog_picture3.jpg dog_picture4.jpg

In this case, it looks like there are 4 pictures of dogs!

Outputting the Contents of a File (cat)

Whilst knowing about the existence of files is great — it's not all that useful unless we're able to view the
contents of them.

We will come on to discuss some of the tools available to us that allows us to transfer files from one
machine to another in a later room. But for now, we're going to talk about simply seeing the contents of
text files using a command called "cat".

"Cat" is short for concatenating & is a fantastic way for us to output the contents of files (not just text
files!).

In the screenshot below, you can see how I have combined the use of "ls" to list the files within a
directory called "Documents":

Using "ls" to to list the contents of the current directory

tryhackme@linux1:~/Documents$ ls

todo.txt

tryhackme@linux1:~/Documents$ cat todo.txt

Here's something important for me to do later!

We've applied some knowledge from earlier in this task to do the following:

1. Used "ls" to let us know what files are available in the "Documents" folder of this machine. In
this case, it is called "todo.txt".

2. We have then used cat todo.txt to concatenate/output the contents of this "todo.txt" file, where
the contents are "Here's something important for me to do later!"

Pro tip: You can use cat to output the contents of a file within directories without having to navigate to it
by using cat and the name of the directory. I.e. cat /home/ubuntu/Documents/todo.txt
Sometimes things like usernames, passwords (yes - really...), flags or configuration settings are stored
within files where "cat" can be used to retrieve these.

Finding out the full Path to our Current Working Directory (pwd)

You'll notice as you progress through navigating your Linux machine, the name of the directory that you
are currently working in will be listed in your terminal.

It's easy to lose track of where we are on the filesystem exactly, which is why I want to introduce "pwd".
This stands for print working directory.

Using the example machine from before, we are currently in the "Documents" folder — but where is this
exactly on the Linux machine's filesystem? We can find this out using this "pwd" command like within
the screenshot below:

Using "pwd" to list the full path of the current directory

tryhackme@linux1:~/Documents$ pwd

/home/ubuntu/Documents

tryhackme@linux1:~/Documents$

Let's break this down:

1. We already know we're in "Documents" thanks to our terminal, but at this point in time, we
have no idea where "Documents" is stored so that we can get back to it easily in the future.

2. I have used the "pwd" (print working directory) command to find the full file path of this
"Documents" folder.

3. We're helpfully told by Linux that this "Documents" directory is stored at

"/home/ubuntu/Documents" on the machine — great to know!

4. Now in the future, if we find ourselves in a different location, we can just use cd
/home/ubuntu/Documents to change our working directory to this "Documents" directory.

SEARCHING FOR FILES

Although it doesn't seem like it so far, one of the redeeming features of Linux is truly how efficient you
can be with it. With that said, you can only be as efficient as you are familiar with it of course. As you
interact with OSs such as Ubuntu over time, essential commands like those we've already covered will
start to become muscle-memory.

One fantastic way to show just how efficient you can be with systems like this is using a set of commands
to quickly search for files across the entire system that our user has access to. No need to consistently
use cd and ls to find out what is where. Instead, we can use commands such as find to automate things
like this for us!
This is where Linux starts to become a bit more intimidating to approach -- but we'll break this down and
ease you into it.

Using Find

The find command is fantastic in the sense that it can be used both very simply or rather complex
depending upon what it is you want to do exactly. However, let's stick to the fundamentals first.

Take the snippet below; we can see a list of directories available to us:

Using "ls" to list the contents of the current directory

tryhackme@linux1:~$ ls

Desktop Documents Pictures folder1

tryhackme@linux1:~$

1. Desktop

2. Documents

3. Pictures

4. folder1

Now, of course, directories can contain even more directories within themselves. It becomes a headache
when we're having to look through every single one just to try and look for specific files. We can
use find to do just this for us!

Let's start simple and assume that we already know the name of the file we're looking for — but can't
remember where it is exactly! In this case, we're looking for "passwords.txt"

If we remember the filename, we can simply use find -name passwords.txt where the command will look
through every folder in our current directory for that specific file like so:

Using "find" to find a file with the name of "passwords.txt"

tryhackme@linux1:~$ find -name passwords.txt

./folder1/passwords.txt

tryhackme@linux1:~$

"Find" has managed to find the file — it turns out it is located in folder1/passwords.txt — sweet. But let's
say that we don't know the name of the file, or want to search for every file that has an extension such
as ".txt". Find let's us do that too!
We can simply use what's known as a wildcard (*) to search for anything that has .txt at the end. In our
case, we want to find every .txt file that's in our current directory. We will construct a command such
as find -name *.txt . Where "Find" has been able to find every .txt file and has then given us the location
of each one:

Using "find" to find any file with the extension of ".txt"

tryhackme@linux1:~$ find -name *.txt

./folder1/passwords.txt

./Documents/todo.txt

tryhackme@linux1:~$

Find has managed to find:

1. "passwords.txt" located within "folder1"

2. "todo.txt" located within "Documents"

That wasn't so tough, huh!

Using Grep

Another great utility that is a great one to learn about is the use of grep. The grep command allows us to
search the contents of files for specific values that we are looking for.

Take for example, the access log of a web server. In this case, the access.log of a web server has 244
entries.

Using "wc" to count the number of entries in "access.log"

tryhackme@linux1:~$ wc -l access.log

244 access.log

tryhackme@linux1:~$

Using a command like cat isn't going to cut it too well here. Let's say for example if we wanted to search
this log file to see the things that a certain user/IP address visited? Looking through 244 entries isn't all
that efficient considering we want to find a specific value.

We can use grep to search the entire contents of this file for any entries of the value that we are
searching for. Going with the example of a web server's access log, we want to see everything that the IP
address "81.143.211.90" has visited (note that this is fictional)

Using "grep" to find any entries with the IP address of "81.143.211.90" in "access.log"
tryhackme@linux1:~$ grep "81.143.211.90" access.log

81.143.211.90 - - [25/Mar/2021:11:17 + 0000] "GET / HTTP/1.1" 200 417 "-" "Mozilla/5.0 (Linux;
Android 7.0; Moto G(4))"

tryhackme@linux1:~$

"Grep" has searched through this file and has shown us any entries of what we've provided and that is
contained within this log file for the IP.

SHELL OPERATORS

Linux operators are a fantastic way to power up your knowledge of working with Linux. There are a few
important operators that are worth noting. We'll cover the basics and break them down accordingly to
bite-sized chunks.

At an overview, I'm going to be showcasing the following operators:

Symbol / Operator Description

& This operator allows you to run commands in the background of your terminal.

&& This operator allows you to combine multiple commands together in one line of your terminal.

> This operator is a redirector - meaning that we can take the output from a command (such as
using cat to output a file) and direct it elsewhere.

>>

This operator does the same function of the > operator but appends the output rather than replacing
(meaning nothing is overwritten).

Let's cover these in a bit more detail.

Operator "&"

This operator allows us to execute commands in the background. For example, let's say we want to copy
a large file. This will obviously take quite a long time and will leave us unable to do anything else until the
file successfully copies.
The "&" shell operator allows us to execute a command and have it run in the background (such as this
file copy) allowing us to do other things!

Operator "&&"

This shell operator is a bit misleading in the sense of how familiar is to its partner "&". Unlike the "&"
operator, we can use "&&" to make a list of commands to run for example command1 && command2.
However, it's worth noting that command2 will only run if command1 was successful.

Operator ">"

This operator is what's known as an output redirector. What this essentially means is that we take the
output from a command we run and send that output to somewhere else.

A great example of this is redirecting the output of the echo command that we learned in Task 4. Of
course, running something such as echo howdy will return "howdy" back to our terminal — that isn't
super useful. What we can do instead, is redirect "howdy" to something such as a new file!

Let's say we wanted to create a file named "welcome" with the message "hey". We can run echo hey >
welcome where we want the file created with the contents "hey" like so:

Using the > Operator

tryhackme@linux1:~$ echo hey > welcome

Using cat to output the "welcome" file

tryhackme@linux1:~$ cat welcome

hey

Note: If the file i.e. "welcome" already exists, the contents will be overwritten!
Operator ">>"

This operator is also an output redirector like in the previous operator (>) we discussed. However, what
makes this operator different is that rather than overwriting any contents within a file, for example, it
instead just puts the output at the end.

Following on with our previous example where we have the file "welcome" that has the contents of
"hey". If were to use echo to add "hello" to the file using the > operator, the file will now only have
"hello" and not "hey".

The >> operator allows to append the output to the bottom of the file — rather than replacing the
contents like so:

Using the >> Operator

tryhackme@linux1:~$ echo hello >> welcome

Using cat to output the "welcome" file

tryhackme@linux1:~$ cat welcome

hey

hello

python
In this room, you will get hands-on with and learn about the scripting programming language Python.
Although programming isn't required to succeed in security, it's a great skill to have. As the "Scripting for
Pentesters" module demonstrates, being able to program allows you to create security tools and create
quick scripts that will aid you in hacking (as well as defending and analysing).

This room will teach you:

 Variables

 Loops

 Functions

 Data Structures

 If statements
  Files

You will be using the code editor (on the right-hand side) to complete exercises and solve challenges.
This room will teach you the basics, just enough to give you the knowledge to make your basic scripts. If
you want to use your development environment to code, download Python on the official website;
which gives you an IDE (integrated development environment) to code in.

In programming, syntax is important as it describes the structure of a valid programming language. In

simple terms, syntax tells the computer how to read code using rules that control the structure of
symbols, punctuation, and words of a programming language.

MATHEMATICAL OPERATIONS

Let's now cover mathematical operators and how they can be applied to Python. Like a calculator, there
are operations such as adding, subtracting, multiplying, and dividing; using Python, we can code our
calculator; after all, programming is just writing rules for the computer to follow given specific inputs and
conditions. The table below shows the different operations.

Operator Syntax Example

Addition + 1+1=2

Subtraction - 5-1=4

Multiplication * 10 * 10 = 100

Division / 10 / 2 = 5

Modulus % 10 % 2 = 0

Exponent ** 5**2 = 25 (52)

Now that we know basic mathematical operators, let's move on to comparison operators; these play a
big part in Python and will be built upon when we look at loops and if statements. These operators are
used to evaluate a program's condition at a particular state.

Symbol Syntax

Greater than >

Less than <

Equal to ==

Not Equal to !=

Greater than or equal to >=

Less than or equal <=

VARIABLES AND DATA TYPES

Variables allow you to store and update data in a computer program. You have a variable name and store
data to that name.

food = "ice cream"

money = 2000

In the example above, we have 2 variables. The variable name "food" stores the string (words) ice cream,
while another variable called "money" stores a number (2000).

Variables are powerful as you can change them throughout your program. The following example sets
the age variable to 30, then we increase this age variable by 1, making the final variable data 31. Feel
free to copy and paste this into the editor, run the code, and see its output.

age = 30

age = age + 1

print(age)

Notice, on line 2, the way we update a variable, on the left, and we have the already created variable
name "age" followed by the = operator. On the right, we have what we're setting the variable to; in our
case, the age variable (which is currently set to 30) is being increased by 1.

Let's talk about Data Types, which is the type of data being stored in a variable. You can store text, or
numbers, and many other types. The data types to know are:

 String - Used for combinations of characters, such as letters or symbols

 Integer - Whole numbers

 Float - Numbers that contain decimal points or for fractions

 Boolean - Used for data that is restricted to True or False options

 List - Series of different data types stored in a collection

LOGICAL AND BOOLEAN OPERATORS

Logical operators allow assignment and comparisons to be made and are used in conditional testing
(such as if statements).

Logical Operation Operator Example

Equivalence == if x == 5

Less than < if x < 5

Less than or equal to <= if x <= 5

Greater than > if x > 5

Greater than or equal to >= if x >= 5

Boolean operators are used to connect and compare relationships between statements. Like an if
statement, conditions can be true or false.

Boolean Operation Operator Example

Both conditions must be true for the statement to be true AND if x >= 5 AND x <= 100

Returns TRUE if x is
a number between 5 and 100

Only one condition of the statement needs to be true OR if x == 1 OR x == 10

Returns TRUE if X is 1 or 10

If a condition is the opposite of an argument NOT if NOT y

Returns TRUE if the y value is False

Let's look at a few Python code examples:

a=1

if a == 1 or a > 10:

print("a is either 1 or above 10")

name = "bob"

hungry = True

if name == "bob" and hungry == True:

print("bob is hungry")

elif name == "bob" and not hungry:

print("Bob is not hungry")

else: # If all other if conditions are not met

print("Not sure who this is or if they are hungry")

IF STATEMENTS

Using "if statements" allows programs to make decisions. They let a program chose a decision based on a
condition. Below is an example of how an if statement can be used to determine the section of code
(which print statement) to use.

if age < 17:

print('You are NOT old enough to drive')

else:

print('You are old enough to drive')

In the example, if you are younger than 17, the program will output the text "You are NOT old enough to
drive"; however, if you are over the age of 17, the program will output "You are old enough to drive".
Depending on a condition (in this example, it's the age variable), the program will run different code
sections.

There are some key components we note from our code example above:

 The if keyword indicates the beginning of the if statement, followed by a set of conditions.

 The if statement is only run if the condition (or sets of conditions) is true. In our example, it's age
< 17; if that condition is true (age is below 17), the code within the if statement runs. Per the
 example, if certain conditions are not met, the program can default to running code shown in
the else part of the if statement.

 A colon : marks the end of the if statement.

 Note the indentation. Anything after the colon that is indented, is considered part of the if
statement, which the program will execute.

If statements are essential in programming and will be something you use a lot.

LOOPS

In programming, loops allow programs to iterate and perform actions a number of times. There are two
types of loops, for and while loops.

While Loops

Let's begin by looking at how we structure a while loop. We can have the loop run indefinitely or (similar
to an if statement) determine how many times the loop should run based on a condition.

i=1

while i <= 10:

print(i)

i=i+1

This while loop will run 10 times, outputting the value of the i variable each time it iterates (loops). Let's
break this down:
  The i variable is set to 1

 The while statement specifies where the start of the loop should begin

 Every time it loops, it will start at the top (outputting the value of i)

 Then it goes to the next line in the loop, which increases the value of i by 1

 Then (as there is no more code for the program to execute), it goes to the top of the loop,
starting the process over again

 The program will keep on looping until the value of the i variable is greater than 10

For Loops

A for loop is used to iterate over a sequence such as a list. Lists are used to store multiple items in a
single variable, and are created using square brackets (see below). Let's learn through the following
example:

websites = ["facebook.com", "google.com", "amazon.com"]

for site in websites:

print(site)

This for loop shown in the code block above, will run 3 times, outputting each website in the list. Let's
break this down:

 The list variable called websites is storing 3 elements

 The loop iterates through each element, printing out the element

 The program stops looping when it's been through each element in the loop

To give a real-world scenario, you could create a program that checks if a website is online or if an item is
in stock. You would loop through the website list, add functionality inside the loop to check the website,
and output the results. The "Python for Pentesters" room shows you how to use Python to enumerate a
target, build a keylogger, scan a network, and more.

In Python, we can also iterate through a range of numbers using the range function. Below is some
example Python code that will print the numbers from 0 to 4. In programming, 0 is often the starting
number, so counting to 5 is 0 to 4 (but has 5 numbers: 0, 1, 2, 3, and 4)

for i in range(5):

print(i)

FUNCTIONS

As programs start to get bigger and more complex, some of your code will be repetitive, writing the
same code to do the same calculations, and this is where functions come in. A function is a block of code
that can be called at different places in your program.
You could have a function to work out a calculation such as the distance between two points on a map or
output formatted text based on certain conditions. Having functions removes repetitive code, as the
function's purpose can be used multiple times throughout a program.

def sayHello(name):

print("Hello " + name + "! Nice to meet you.")

sayHello("ben") # Output is: Hello Ben! Nice to meet you

There are some key components we can note from this function:

 The def keyword indicates the beginning of a function. The function is followed by a name that
the programmer defines (and is a function parameter). In our example, it's sayHello.

 Following the function name is a pair of parenthesis () that holds input values, data that we can
pass into the function. In our example, it's a name.

 A colon : marks the end of the function header.

In the function, notice the indentation. Similar to if statements, anything after the colons that is indented
is considered part of the function.

A function can also return a result, see the code block below:

def calcCost(item):

if(item == "sweets"):

return 3.99

elif (item == "oranges"):

return 1.99

else:

return 0.99

spent = 10

spent = spent + calcCost("sweets")

print("You have spent:" + str(spent))

If we call the calcCost function and pass in "sweets" as the item parameter, the function will return a
decimal number (float). In the code above, we take a variable called spent and add the cost of "sweets"
through the calcCost function; when we call calcCost, it will return the number 3.99.
Common attacks
Our existence in a digital world makes it imperative that we understand and can protect against common
attacks.

This room will discuss some of the most common techniques used by attackers to target people online. It
will also teach some of the best ways to prevent the success of each technique.

Without further ado, let's begin!

SOCIAL ENGENEERING

What is Social Engineering?

Social Engineering is the term used to describe any cyberattack where a human (rather than a computer)
is the target; for this reason, it is sometimes referred to as "People Hacking". For example, if an attacker
wishes to obtain a victim's password, they could attempt to guess or brute-force the password — or they
could simply ask you.

Whilst the example linked above is relatively straightforward, social engineering attacks can become very
complex and often result in an attacker gaining significant control over a target's life — both online and
offline. Social engineering attacks are often multi-layered and escalate due to the snowball effect. For
example, an attacker may start off by obtaining a small amount of publicly available information from a
victim's social media presence, which they could then use to get more information from, say, your phone
or broadband provider. The information obtained from the second stage could then be used to gain
more useful information, then escalate step-by-step to something like the victim's bank account.
The best way to understand social engineering is to see it in action! These videos from Defcon23 (one of
the largest hacking conferences in the world) and CNN demonstrate some of the immense power
in social engineering. They are both well worth a watch!

Other Forms of Social Engineering

Charismatic hackers calling your phone company and taking possession of your account is one form
of social engineering; however, there are
many

other types. Social engineering is a vast topic, encompassing any attack that relies on tricking humans
into giving the attacker access, rather than attacking the technology directly. Whilst direct interaction
with targets is the most common style of social engineering, other examples include dropping USB
storage devices in public (e.g. in company car parks) in the hope that someone (often a company
employee) will pick one up and plug it into a sensitive computer. In a similar vein, attackers may leave a
"charging cable" plugged into a socket in a public place. In actuality, the cable contains malicious
software such as keyloggers or tools to take control of the victim's device.

Case Study: Stuxnet (Click to Read)

Stuxnet was the name given to a particularly nasty computer virus (allegedly developed by the
governments of the United States and Israel) that was originally used to target the Iran nuclear
programme in 2009. Due to its ability as a "worm" to self-replicate (i.e. clone itself across networks —
including the internet), the virus escaped and became much more widespread than was intended.
Multiple variants now also exist, making Stuxnet a particularly hard-hitting and notorious weapon. You
can read more about the background of Stuxnet here.

What makes Stuxnet particularly interesting for this section is the original method of infection. The virus
can clone itself across networks, but that doesn't help much when the target network is a nuclear
weapons development facility with no access to the wider internet. The question became: how can you
get a virus into a network that doesn't let anything in or out? The answer was simple: drop malicious
USB devices in places where workers at companies that dealt with the facility would find them and hope
that one of them plugged the device into a work computer. In this case, the gamble worked, with Stuxnet
causing severe damage to the Iran nuclear programme and effectively destroying many of the nuclear
centrifuges.

In short, the limits to social engineering are at the bounds of an attacker's imagination. A good social
engineer can (and will) use a plethora of psychological tricks under any plausible context to "hack" their
targets.

Staying Safe from Social Engineering Attacks

In many ways, it is very tricky to stay safe from social engineering as it won't always be you who the
attacker is talking to, but rather someone who can give them what they need without your consent (e.g.
calling your bank whilst pretending to be you, so as to access your bank account). That said, there are
still measures you can take to protect yourself from Social Engineering attacks:

 Always make sure to set up multiple forms of authentication, and ensure that providers respect
these. For example, set difficult to guess — or otherwise incorrect — answers to security
questions (making sure to store the answers somewhere safe!), and make sure that these
questions are asked when you try to access accounts over the phone.

 Never plug external media (e.g. USBs/CDs/etc) into a computer that you care about or that is
connected to any other devices. Ideally, don't plug the media in at all, and instead give it to your
local police for safekeeping.

 Always insist on proof of identity when a stranger calls or messages you claiming to work for a
company whose services you use. Where possible, confirm with a known phone number or
email address that the call or message you received was legitimate (i.e. use a trusted method to
get in contact with the company to confirm). Remember that no legitimate employee will ever
ask for your password or other information that protects your account.

PHISHING
Overview

Phishing is one of the most common cyber attack types employed by scammers and bad actors, targeting
individuals and businesses indiscriminately. In many cases, phishing is the initial attack vector used to
gain access to a company's infrastructure before performing further attacks against the corporate
network. Whilst there are many automated tools now available to help
combat phishing threats, phishing is still one of the most prolific attack vectors around.

What is Phishing?

Phishing is a sub-section of social engineering. Whereas social engineering is a very general term used to
describe any attack that takes advantage
of

a human rather than a computer system, phishing specifically describes attacks whereby a scammer or
other attacker tricks a victim into opening a malicious webpage by sending them a text message, email,
or another form of online correspondence. Traditionally, "phishing" simply referred to emails; however,
in the days of instant messaging, text messages, and voice/video calling, the term has evolved to blanket
these other categories. These other forms are sometimes referred to individually as "smishing"
— phishing over SMS — and "vishing" — phishing over voice chat — respectively. These attacks are very
widespread (indeed, the chances of you not having been on the receiving end of such an attack are slim!)
and are frequently deployed on massive scales using lists of leaked or stolen phone numbers and email
addresses.

Phishing messages usually deploy psychological trickery (for example, inducing a false sense of urgency
to make victims act rashly) and nearly always involve getting a victim to click on a link to a web
application owned by the attacker. The victim is then often asked to enter sensitive information — for
example, login details or credit card information — at which point the malicious site stores the
information and the attack is complete. Alternatively, the victim may inadvertently install malware from
the malicious page, thus giving an attacker an entry point into their device and network.

There are three primary types of phishing attacks:

Attack Type Definition

General Phishing A simple, mass phishing attack which doesn't target anyone in particular, although they may aim for large
usually simple and are generally (but not always) fairly easy to spot as the messages and malicious sites a
errors.

Spearphishing More targeted than general phishing, spearphishing aims for an individual or small group (e.g. employee
the correspondence and malicious sites used in general phishing as they are designed to target a particu

Whaling Even more specific than spearphishing, whaling targets high-value individuals (e.g. a C-Suite executive in
very hard to spot.

Be aware that you are much more likely to encounter a general phishing attack than a spearphishing or
whaling attack in your day-to-day life. This may not be the case in your work life, however — especially if
you are a high-ranking member of a company.

An example of a popular general phishing scenario (or "pretext") would be receiving an email
purportedly from "Amazon", informing you that your account has been used to buy a very costly item
(e.g. the latest iPad). You are then provided with a link to view your purchase history. The link looks like it
goes to https://amazon.co.uk but will actually take you to an attacker-controlled web application (that
looks identical to the Amazon login page), asking you to enter your Amazon credentials. When you enter
your credentials, you get redirected to the real Amazon orders page, where you find that there are no
unauthorised purchases... yet. The attacker will then use your duly provided credentials to actually order
expensive items with your account.

This process is shown in the following diagram:

 1. The attacker sends out a malicious phishing email campaign

2. Prospective victims receive the emails — some of them open the email and click the link

3. The victims enter their credentials into the attacker's fake web page

4. The web page stores the credentials or sends them directly to the attacker

5. The attacker uses the credentials to access the site, thus taking over the victims' accounts

Phishing attacks work best when the malicious web page mimics an existing (usually well-known) web
page. For this reason, attackers/scammers will usually use one of many freely available tools to simply
clone an existing page, which can then be edited at their leisure.

The end goal of a phishing attack can vary significantly depending on who is performing the attack. For
example, a low-level scammer may simply be after sensitive information (e.g., bank details), whereas a
high-powered group of malicious hackers may be targeting a specific organisation with the intention of
causing further damage.

Identifying Phishing Attacks

Many generic phishing attacks are relatively easy to spot; they frequently have poor grammar and often
do not address their victims by name (instead leaving the greetings generic — e.g., "Dear customer").
That said, other instances can be extremely difficult to spot, with some attacks being thorough enough to
fool cybersecurity professionals.

Regardless of the attack type, in many cases, the pretext will be plausible — for example: the Amazon
scam listed above, or a (fake) message from your "bank" telling you that there has been unusual activity
with your account and to please log in to review it. This is especially true for spearphishing or whaling
attacks where the pretext will be very carefully tailored to the target.

Equally, the domain name for the malicious site will usually be similar (but never identical) to the domain
name used by the legitimate website. As a real-world example from 2021, a group of scammers sent out
a mass phishing campaign over SMS, mimicking the British Royal Mail service and using the domain
name https://royalmai1.co.uk (as opposed to https://royalmail.co.uk). By exchanging the final "L" for the
number one, the scammers were able to successfully register a domain name that looked almost
identical to the domain name of their cloned website; this is a very common tactic.

Also, bear in mind that HTML emails (effectively any email that looks fancy and contains
formatting/graphics) can also be used to mask the real domain name in use. For example, the text in the
email may be "https://amazon.co.uk"; however, the link actually goes to "https://am4zon.co.uk". You
can see this by hovering your mouse over the link in a desktop application — the real link should appear
at the bottom of the screen as in this graphic:

You can try this for yourself with the link below!

https://tryhackme.com

In a similar vein, the "From" email address in an email-based phishing campaign will often be suspicious.
Many generic mass phishing campaigns will simply use Gmail addresses — not bothering to use a
domain name associated with the company they are spoofing. This is a dead giveaway that the email is
suspicious.

The best way to identify a phishing email is simply to keep your eyes open and look for anything
suspicious — all but the best will have a mistake somewhere.

Staying Safe from Phishing Attacks

There are a variety of things that you can (and should!) do to keep yourself safe from phishing attacks:

 Delete unknown or untrusted emails without opening them. If you can see anything suspicious
in the email, also report it as spam to your email provider, or forward it to your IT Security
department if you received the email at work.

 Never open attachments from untrusted emails — this includes any attachments from a
legitimate contact that you were not expecting.
  Do not click on embedded links in emails or messages. Where possible, navigate to the real
website in your web browser and access the content that way. If you absolutely must click on the
link, ensure that the domain name is correct and that the link points to where you think it does.

 Always make sure that your device and antivirus software are up-to-date.

 Avoid making your personal information (e.g. email address and phone number) public if
possible. If you must publish personal details publicly, create a "burner" email address (a
temporary address made for one purpose, then destroyed soon afterwards) for the occasion,
then destroy it as soon as it is no longer required.

It's worth noting at this point that anyone can fall for a phishing attack — especially a complex one that
has been made to look very realistic. If you accidentally fall for one, don't panic! Make sure that you
change any affected passwords immediately, and contact IT Services if the attack happens at work.