Unit 1.

Introduction
Blocks
 Welcome to the course
 Lesson one Think like Offensive Security Specialist


 The Offensive Security Specialist

Mindset: How to Think Like a
Cybersecurity Expert

Hacking isn't just about tools and code—it's a way of thinking,

a creative discipline, and a problem-solving philosophy.
Here's what separates true hackers from script kiddies:

 1. The Offensive Security Specialist

Mindset: Core Principles

A. Curiosity is Your Superpower

 Offensive Security Specialist question everything:

o "Why does this system trust the user?"

o "What happens if I send malformed input?"
o "Where are the hidden dependencies?"

 Example: Instead of just using an app, you wonder: "How

does the login API really work?"

B. Systems Thinking

 View everything as interconnected components:

o A website isn’t just HTML—it’s a server, database,

network, auth protocols, and human behavior.
  Example: To bypass a login, you might:

o Attack the password hash (crypto)

o Exploit session cookies (web)
o Social engineer support (human layer)

C. Embrace Reverse Engineering

 Nothing is off-limits:

o "How does this proprietary protocol work?"

o "What’s inside this firmware?"

 Tools: Ghidra, IDA Pro, Wireshark, strace

D. Persistence > Talent

 Offensive Security Specialist try 100 approaches

before one works:

o Failed SQLi? Try SSRF.

o WAF blocking you? Obfuscate payloads.

 Motto: "There’s always another path in."

 2. Skills Every Offensive Security

Specialist Must Master

Technical Skills

Skill Why It Matters

Networking MITM attacks, packet analysis, DNS spoofing
Programming Write exploits (Python, C, ASM)
Linux CLI 90% of hacking happens in terminals
Web Tech HTTP, JS, APIs, OAuth, CORS
Cryptography Break hashes, bypass cert checks
 Non-Technical Skills

 Psychology: Manipulate humans (social engineering)

 Creativity: Find unintended system behaviors
 Adaptability: New tech emerges daily—learn fast

 3. Hacking is a Creative Profession

A. It’s Art Meets Science

 Like a painter mixing colors, hackers combine:

o Code + protocols + human behavior

 Example: A phishing email isn’t just tech—

it’s copywriting, design, and timing.

B. Unconventional Problem-Solving

 Lateral thinking wins:

o Got blocked by a firewall? Try:

 DNS tunneling
 ICMP covert channels
 USB drop attacks

 Real-world case: Stuxnet used four zero-days + PLC

rootkits—a masterpiece.

C. Offensive Security Specialist = Modern Sherlock

Holmes

 Forensic analysis:

o "This log entry is 2ms slower—why?"

o "The memory heap has a suspicious pattern..."
 4. How to Train Your Offensive
Security Specialist Brain

Daily Exercises

1. Break something daily (legally!):

 CTF challenges (Hack The Box, TryHackMe)

 Bug bounty programs (HackerOne, Bugcrowd)

2. Learn how things REALLY work:

 Read RFCs (HTTP, TCP/IP)

 Study malware analysis (MalwareTech, Any.Run)

3. Think in attack trees:

 For any system, map:

o Authentication flaws
o Data validation bugs
o Misconfigurations

Mindset Shift

 From: "It’s secure because the vendor says so."

 To: "I’ll test that claim myself."

 5. Famous Hacker Quotes to Live By

"The quieter you become, the more you can hear."

— Unix philosophy
 "To beat a hacker, you need to think like one."
— Kevin Mitnick
"Security is a process, not a product."
— Bruce Schneier

 Final Thought

Hacking isn’t about hoodies and Hollywood tropes—it’s the art

of seeing what others miss and the science of making
systems reveal their secrets. Whether you’re defending
networks or stress-testing them, this mindset is your greatest
tool.

Want to start? Pick a VM (Kali Linux), hack your own lab, and
ask:
"What happens if I...?" → That’s where the magic begins.

Are You an offensive security

specialist?
 Linux Fundamentals: File System, Administration & Kali
Linux Setup


 1. Linux File System Hierarchy

Linux organizes files in a hierarchical structure. Key directories:

Directory Purpose
/ Root directory (base of the filesystem)
/bin Essential user binaries (ls, cp, mv)
/etc System configuration files
/home User personal directories
/var Variable data (logs, databases)
 Directory Purpose
/usr User programs and documentation
/tmp Temporary files (cleared on reboot)
/root Home directory for root user
/dev Device files (hardware interfaces)
/proc Virtual filesystem for process information

 2. Basic Administration Commands

User Management
sudo adduser newuser # Create new user
sudo deluser olduser # Delete user
sudo passwd username # Change password
sudo usermod -aG sudo user # Add to sudo group

Process Management
top # Interactive process viewer
ps aux # List all running processes
kill -9 PID # Force kill process by ID
systemctl start/stop service # Manage systemd services

Package Management (Debian/Ubuntu/Kali)

sudo apt update # Refresh package lists
sudo apt upgrade # Upgrade installed packages
sudo apt install package # Install new package
sudo apt remove package # Remove package

 3. Essential Terminal Commands

File Operations
touch file.txt # Create empty file
chmod 755 script.sh # Change permissions (owner: rwx,
group: r-x, others: r-x)
chown user:group file # Change ownership
find / -name "*.conf" # Search for files

Networking
ifconfig/ip a # Network interfaces
ping google.com # Test connectivity
 netstat -tuln # List open ports
ssh [email protected] # Remote connection

Text Manipulation
grep "pattern" file # Search text
sed 's/old/new/g' file # Find and replace
awk '{print $1}' file # Extract columns
head/tail -n 5 file # Show first/last lines

 4. Kali Linux Installation Guide

Installation Options

1. Virtual Machine (Recommended)

 Use VirtualBox/VMware
 Allocate: 2+ CPU cores, 4GB RAM, 30GB storage
 Enable virtualization in BIOS

2. Live USB
3. dd if=kali.iso of=/dev/sdX bs=4M status=progress

 Replace sdX with your USB device (check with lsblk)

4. Bare Metal Installation

 Requires dedicated disk or partition

 Select "Guided - use entire disk" for beginners

Post-Installation Setup
sudo apt update && sudo apt full-upgrade -y
sudo apt install kali-linux-default # Core tools
sudo reboot

First Kali Tools to Try

nmap -sV 192.168.1.1 # Network scanning
msfconsole # Metasploit framework
 burpsuite # Web app testing
wireshark # Network traffic analysis

 5. Terminal Tips & Tricks

 Tab completion: Start typing and press Tab
 Command history: history or Ctrl+R to search
 Background jobs: command & or Ctrl+Z + bg
 Aliases: Add to ~/.bashrc:
 alias ll='ls -alF'
 alias update='sudo apt update && sudo apt upgrade'

 Security Best Practices

1. Always use sudo instead of root login

2. Regularly update your system:
3. sudo apt update && sudo apt upgrade
4. Use strong passwords (pwgen 14 1 generates good ones)
5. Configure firewall:
6. sudo apt install ufw
7. sudo ufw enable
8. sudo ufw allow ssh

Master these fundamentals before diving into advanced

penetration testing tools. The Linux command line is your most
powerful weapon in cybersecurity.

Practice (Linux Terminal Simulator)

Linux User Management,

Permissions, and Privileges

 1. Understanding `root`, `sudo`, and

`su`

Root User
  The root user (UID 0) is the superuser with full system
access.
 Can read/modify/delete any file, install software, and
change system settings.
 Dangerous if misused - always prefer sudo over logging
in as root.

sudo (Superuser Do)

 Allows authorized users to run commands as root

temporarily.
 Configured in /etc/sudoers (edit with visudo for safety).
 Example:
 sudo apt update # Run as root

su (Switch User)

 Switches to another user (default: root if no username

given).
 Requires the target user's password (unless root runs
it).
 Example:
 su - # Switch to root (requires root password)
 su - username # Switch to another user

sudo su vs sudo -i

 Both switch to root, but:

 sudo su # Changes to root but keeps current
environment
 sudo -i # Logs in as root with root's environment
(cleaner)

 2. Linux User Types & Management

User Types
 Type Description UID Range
Root Superuser (full access) 0
System Services/daemons (no login) 1-999
Regular Normal users (human/application) 1000+

User Management Commands

sudo adduser newuser # Create user (interactive)
sudo useradd -m newuser # Create user (non-interactive)
sudo deluser olduser # Delete user
sudo usermod -aG group user # Add user to group
id username # Show user UID/GID

Important Files

 /etc/passwd → User accounts (no passwords)

 /etc/shadow → Encrypted passwords (root only)
 /etc/group → Group definitions

 3. File & Directory Permissions

Permission Basics

 Every file/directory has 3 sets of permissions:

1. Owner (user)
2. Group
3. Others (everyone else)

Permission Notation
- rwx r-x r-- # Example permissions
│ ││ ││ ││
│ ││ ││ └─ Others: Read-only (r--)
│ ││ └┴── Group: Read & execute (r-x)
│ └┴┴──── Owner: Full access (rwx)
 └──────── File type (- = file, d = directory)

Numeric Permissions (chmod)

Permission Meaning
4 r (read) View file contents
2 w (write) Modify file
1 x (execute) Run file/enter dir
Examples:

chmod 755 script.sh # Owner: rwx, Group/Others: r-x

chmod 644 file.txt # Owner: rw-, Group/Others: r--

Symbolic Permissions (u/g/o/a)

chmod u+x script.sh # Add execute for owner
chmod go-w file.txt # Remove write for group/others
chmod a=r file.txt # Set read-only for all

 4. Managing Ownership

chown (Change Owner)

sudo chown user:group file # Change owner & group
sudo chown user file # Change owner only
sudo chown :group file # Change group only

chgrp (Change Group)

sudo chgrp developers file.txt

 5. Special Permissions

Permission Command Effect

chmod Runs as owner
SetUID u+s (e.g., /bin/passwd)
chmod
SetGID g+s Runs as group (shared folders)

Only owner can delete

Sticky chmod +t
(e.g., /tmp)
 Example:
 chmod 4755 script.sh # SetUID (4), owner=rwx, others=r-x
 Best Practices

1. Avoid using root - prefer sudo for single commands.

2. Principle of Least Privilege - give minimal required
access.
3. Secure passwords - use passwd to enforce complexity.
4. Audit users regularly:
5. sudo grep 'sudo' /etc/group # List sudo users
6. sudo lastlog # Check last logins

Want to practice? Try:

sudo useradd -m testuser

sudo passwd testuser
sudo usermod -aG sudo testuser
ls -l /home # Check permissions

Why Linux is the Ultimate OS

for Hackers (And Why You
Must Learn It)
Linux dominates cybersecurity and ethical hacking for
fundamental technical reasons. Here's why it's mandatory
knowledge for any serious security professional:

 1. Built for Technical Control

 Root Access: Full system control without artificial
restrictions (unlike Windows/macOS)
 Transparent Architecture: Every component can be
inspected/modified (kernel, services, configs)
 No Black Boxes: Unlike proprietary systems, nothing is
hidden from the administrator

 2. Native Hacking Tool Ecosystem

 Pre-installed Tools: Kali Linux comes with 600+ security
tools (nmap, metasploit, wireshark)
  Package Managers: Install any tool with one command
(apt install hydra)
 Scripting Superiority: Bash/Python integration makes
automation trivial

 3. Network & Protocol Dominance

 Server Market Share: 96% of top web servers run Linux
(your target environment)
 Protocol Native Support: Raw socket manipulation,
packet crafting (scapy, hping3)
 Lightweight Operation: Runs on everything from routers
to IoT devices (attack surfaces)

 4. Forensic Advantages
 Live Environments: Analyze systems without altering
evidence (dd, autopsy, volatility)
 Filesystem Transparency: Ext4/XFS/NFS behavior is
predictable for investigations
 Logging Granularity: Auditd, syslog, and journalctl
provide attack telemetry

 5. Customization for Attack Scenarios

 Kernel Modifications: Build custom modules for
exploits/rootkits
 Distro Specialization:

o Kali (penetration testing)

o Parrot (anonymity)
o Tails (forensic clean room)

 Lightweight Containers: Docker/Podman for isolated

attack labs

 6. Real-World Hacking Requirements

 CTF Competitions: 100% Linux-based challenges
(TryHackMe, Hack The Box)
 Bug Bounty Hunting: Web apps overwhelmingly run on
Linux servers
  Malware Analysis: Most ransomware/APT samples target
Linux infrastructure

 Key Linux Skills Every Hacker Needs

Skill Hacking Application

Bash Scripting Automate attacks/recon
Filesystem Permissions Privilege escalation paths
Process Management Malware analysis/cleanup
Network Configuration MITM attacks, packet manipulation
Kernel Basics Rootkit development/defense
Log Analysis Covering tracks/forensic investigations

 Where Windows/MacOS Fail for

Hackers
 Limited Raw Network Access: No native packet crafting
like libpcap
 Opaque Internals: Critical subsystems are
undocumented/closed-source
 Toolchain Friction: Most security tools require Linux-like
environments (WSL/Cygwin are workarounds)
 Forensic Unreliability: NTFS/HFS+ timestamps and
artifacts are less consistent

 Getting Started

1. Install Kali Linux (VirtualBox or bare metal)

from www.kali.org
2. Practice Daily:

 OverTheWire Bandit (CLI basics)

 TryHackMe Linux Rooms (real-world scenarios)
 Pro Tip: Linux isn't just an OS—it's the hacker's microscope for
analyzing systems and scalpel for precise attacks. The more
fluent you are, the faster you'll find 0-days and bypass defenses.

 Practice on our Labs

Quest 2.0: "Create and Find the Secret File"

Backstory:
"The sysadmin forgot not only where the file is but whether they
even created it. Your mission:

1. Find clues to understand what the file should contain.

2. Create it in the correct location.
3. Activate the secret message with a command."

Phases (with file existence check)

1. Recon

Task: Explore the home directory:

ls -la ~ # Check for suspicious folders

Hint:
"The admin loved archives - check /home/username/backups"

→ If folder doesn't exist, the student must create it:

mkdir ~/backups
2. File Creation

Task:
"The file must be named secret.txt, contain the phrase 'SEEK
AND YOU SHALL FIND', and be hidden."

Correct commands:

echo "SEEK AND YOU SHALL FIND" > ~/backups/.secret.txt # Dot

prefix = hidden file
3. Search with grep
 Hint:
"Find any file containing the word 'FIND' using content search."

Solution:

grep -rl "FIND" ~ # -r searches recursively, -l shows only

filenames
4. Finale - "Secret Code" Activation

"Now execute the command that will read the file and output the
password:"

cat $(grep -rl "FIND" ~) # Automatically substitutes file path

Output:

Access password: LINUX_MASTER_007

Go!

Task
 Lesson three: Networking
 Lab Setup (VirtualBox+Kali)

Goal: Create a mini-network with 3 VMs:

1. Kali Linux (Attacker)

2. Metasploitable 2 (Vulnerable server)
3. Ubuntu Server (Target)

Diagram:

[ Kali Linux ] → [ VirtualBox Internal Network ] →

[ Metasploitable2 & Ubuntu ]

 Step 1: Build Your Lab

1. Download & Import VMs

  Kali Linux: Official image from kali.org
 Metasploitable 2: Download here
 Ubuntu Server: Official ISO

2. Configure VirtualBox Networking

 Set all VMs to "Internal Network" (e.g., intnet).

 No NAT/Bridged — isolates your lab from the real world.

3. Start All VMs

 Kali = Your hacking machine.

 Metasploitable2 = Easy-to-hack server (for practice).
 Ubuntu = "Realistic" target.

 Step 2: Networking Basics (No

Scanning Yet!)

Task 1: Find Your IP Addresses

 On Kali, run:
 ip a # Find your IP (e.g., 192.168.1.10)
 On Metasploitable2/Ubuntu, run:
 ifconfig

Goal: Note all IPs (e.g., Metasploitable = 192.168.1.20, Ubuntu

= 192.168.1.30).

Task 2: Test Connectivity

 From Kali, ping both VMs:

 ping 192.168.1.20 # Metasploitable
 ping 192.168.1.30 # Ubuntu

Success? You’ve built a working network!

  Step 3: Safe "Attack" Simulation

Task 3: ARP Discovery (No Nmap!)

 On Kali, list devices on your internal network:

 arp-scan --localnet

Output: Shows MAC/IPs of your VMs (proves they’re

communicating).

Task 4: Connect to a Service (Legally!)

 Metasploitable2 has a vulnerable FTP server (port 21).

 From Kali, connect:
 ftp 192.168.1.20

o Username: msfadmin
o Password: msfadmin
Goal: Download a file
(e.g., get /home/msfadmin/somefile.txt).

Task 5: Analyze Traffic with Wireshark

6. On Kali, start Wireshark:

7. wireshark
8. Capture packets on the eth0 interface.
9. Repeat Task 4 (FTP login).
Goal: Find your FTP password in the traffic (to understand
insecurity of plaintext protocols).

TEST

 Lesson four: Docker

 Introduction
 Docker is a powerful tool for creating, deploying, and managing
containerized applications. For offensive security specialists,
Docker can be used to:

 Quickly spin up vulnerable environments for testing.

 Isolate penetration testing tools.
 Create reproducible attack scenarios.
 Avoid dependency conflicts when running exploits.

In this lesson, we’ll cover essential Docker commands and apply

them in our lab (Kali + VBox + Metasploitable + Ubuntu).

 1. Docker Basics for Offensive Security

Key Docker Commands

Command Description
docker ps List running containers
docker ps -a List all containers (running & stopped)
docker images List downloaded images
Download an image (e.g., docker pull
docker pull <image>
kalilinux/kali-rolling)

docker run -it <image>

/bin/bash Run a container interactively

docker exec -it

<container_id> /bin/bash Enter a running container

docker stop <container_id> Stop a container

docker rm <container_id> Remove a container
docker rmi <image_id> Remove an image
docker build -t <name> . Build an image from a Dockerfile

 2. Practical Lab: Using Docker

Scenario
We will:

1. Pull a Kali Linux Docker image.

2. Run it with networking capabilities.
3. Install tools inside the container.
4. Use it to scan the Metasploitable machine.

Step 1: Pull and Run Kali Linux Container

docker pull kalilinux/kali-rolling
docker run -it --network host kalilinux/kali-rolling /bin/bash

 --network hostallows the container to see the host’s

network (useful for scanning local VMs).

Step 2: Install Tools Inside the Container

Once inside the container:

apt update && apt install -y nmap metasploit-framework

 This installs nmap and metasploit inside the container.

Step 3: Scan the Metasploitable Machine

Find Metasploitable’s IP (check ifconfig in Metasploitable or
use netdiscover).

Nmap Scan

nmap -sV -A <Metasploitable_IP>

 -sV: Service detection.

 -A: Aggressive scan (OS, versions, scripts).

Metasploit Inside Docker

 msfconsole
use auxiliary/scanner/portscan/tcp
set RHOSTS <Metasploitable_IP>
run

 This runs a basic port scan from inside the container.

 3. Creating a Custom Dockerized Tool

Let’s make a simple Dockerized nmap scanner.

Dockerfile
FROM kalilinux/kali-rolling
RUN apt update && apt install -y nmap
ENTRYPOINT ["nmap"]

 Build it:

docker build -t my-nmap .

 Run a scan:

docker run --network host my-nmap -sV <Metasploitable_IP>

 4. Cleaning Up

After testing:

docker container prune # Remove stopped containers

docker image prune # Remove unused images

 Conclusion
 Docker helps isolate pentesting tools and environments.
 Useful for quick deployments without modifying
the host system.
  Can be used to create custom attack containers.

Next Steps:

 Experiment with other security tools (e.g., sqlmap, hydra).

 Try Docker Compose for multi-container labs.

Lab Time:

 Scan the Ubuntu machine from the Kali Docker container.

 Modify the Dockerfile to include metasploit and run
an exploit.

TEST

 Lesson six: Toolbox

 1. Introduction

This lesson organizes essential offensive security tools into a

structured workflow, mapping them to different stages of a
penetration test or red team engagement.

We’ll follow a kill chain approach:

1. Reconnaissance → 2. Scanning → 3. Exploitation →

4. Post-Exploitation → 5. Lateral Movement →
6. Domain Privilege Escalation → 7. Persistence &
Exfiltration

Each section includes key tools and their use cases.

 2. The Hacker’s Toolbox Breakdown

1. Reconnaissance (Passive & Active Intel
Gathering)
Goal: Collect information without alerting the target.

Tool Purpose
Maltego OSINT (Emails, domains, social links)
theHarvester Gather emails, subdomains, IPs
Recon-ng Automated OSINT framework
Shodan Search for exposed IoT devices, services
SpiderFoot Automated footprinting
FOCA Metadata extraction from docs
crt.sh Find subdomains via SSL certs

2. Scanning & Enumeration

Goal: Discover live hosts, open ports, services.

Tool Purpose
Nmap Port scanning, OS detection, service versions
Masscan Ultra-fast IP scanning
RustScan Modern alternative to Nmap
Nikto Web server vulnerability scanner
Gobuster/Dirbuster Directory & subdomain brute-forcing
Wireshark/Tcpdump Network traffic analysis

3. Exploitation (Gaining Initial Access)

Goal: Break into the system using vulnerabilities.

Tool Purpose
Metasploit Exploit framework (RCE, payloads)
Exploit-DB Public exploit repository
Tool Purpose
SQLmap Automated SQL injection
Burp Suite Web app testing (XSS, CSRF, SSRF)
Hydra Brute-force logins (SSH, FTP, RDP)
CrackMapExe
AD exploitation tool
c

4. Post-Exploitation (Maintaining Access)

Goal: Establish persistence, escalate privileges.

Tool Purpose
Mimikatz Dump Windows credentials (LSASS)
BloodHound Active Directory attack path mapping
PowerSploit PowerShell post-exploitation toolkit
Impacket Network protocol attacks (SMB, Kerberos)
Chisel Tunneling for pivoting
Cobalt
Red team C2 framework
Strike

5. Lateral Movement (Jumping Between Systems)

Goal: Move across the network to higher-value targets.

Tool Purpose
PsExec Remote command execution (Windows)
Rubeus Kerberos ticket manipulation
Evil-
Post-exploitation via WinRM
WinRM
SSHuttle Transparent SSH tunneling
Responder LLMNR/NBT-NS poisoning

6. Domain Privilege Escalation (Taking Over AD)

Goal: Compromise Domain Admins & control the network.
 Tool Purpose
BloodHound Visualize attack paths in AD
Kerbrute Kerberos brute-forcing
ADExplorer Active Directory data extraction
DCSync (Mimikatz) Steal password hashes from DC
Golden Ticket Attack Forge Kerberos TGTs

7. Persistence & Exfiltration

Goal: Maintain long-term access and extract data.

Tool Purpose
Empire Post-exploitation framework
DNSCat2 C2 over DNS tunneling
Rclone Exfiltrate data to cloud storage
Sliver Open-source C2 alternative
Metasploit’s Persistence
Backdoors, scheduled tasks
Modules

 3. Attack Flow Graph (Simplified Kill

Chain)
 graph TD
 A[Reconnaissance] --> B[Scanning]
 B --> C[Exploitation]
 C --> D[Post-Exploitation]
 D --> E[Lateral Movement]
 E --> F[Domain Privilege Escalation]
 F --> G[Persistence & Exfiltration]
 4. Conclusion
 Recon → Domain Takeover requires a structured
approach.
 Each phase has specialized tools for maximum efficiency.
 Automation (BloodHound, Metasploit, CME) is key in
large networks.


 Test Your Tool Knowledge
 Lesson 7: Web Technologies
 1. How Does the Internet Work?

When you open a website (e.g., google.com), here’s what

happens:

1. Your browser asks DNS: "Where is google.com?"

2. DNS responds: "Here’s its IP address (e.g.,
142.250.185.46)"
3. Your browser connects to that IP and says: "Give me the
webpage!"
4. The server sends back HTML, CSS, JavaScript → your
browser renders the site.

Where’s the vulnerability?

 Fake DNS → Phishing attack

 Intercepting requests → Man-in-the-Middle (MITM)
attack

 2. Core Web Technologies

HTML (HyperText Markup Language)

 The skeleton of a webpage.

 Example:
 <h1>Hello, hacker!</h1>
 <a href="https://youtube.com">Click me</a>

Vulnerability: If a site doesn’t filter user input, you can

inject <script>alert(1)</script> → XSS attack.

CSS (Cascading Style Sheets)

  Makes websites look pretty.
 Rarely exploitable, but can hide malicious code (e.g., CSS-
based phishing).

JavaScript (JS)

 Adds interactivity (animations, forms, etc.).

 Vulnerabilities:

o XSS (stealing cookies, defacing pages).

o Insecure API calls (if JS sends data without
validation).

Backend (PHP, Python, Node.js, etc.)

 Runs on the server (handles logins, payments, etc.).

 Vulnerabilities:

o SQL Injection (e.g., ' OR 1=1 -- in a login field).

o Remote Code Execution (RCE) (if server runs
unsafe commands).

Databases (SQL & NoSQL)

 Store user data (logins, passwords, orders).

 Vulnerabilities:

o SQL Injection → Steal entire databases.

o NoSQL Injection (e.g., MongoDB queries bypassing
auth).

HTTP vs. HTTPS

 HTTP → Unencrypted (easy to intercept).

 HTTPS → Encrypted (but old servers may
have SSL vulnerabilities).
  3. Common Web Vulnerabilities

| Vulnerability | Example | How to Test? |

|------------------|------------|----------------|
| XSS | <script>alert(1)</script> | Inject into input fields |
| SQL Injection | ' OR 1=1 -- | Try in login/password forms |
| CSRF | Forging requests as the victim | Trick users into
submitting malicious forms |
| SSRF | Making the server fetch internal files | Test
with http://localhost/admin |
| RCE | ; cat /etc/passwd | Exploit unsafe command execution |

Test Your Knowledge

 Lesson: Binary Fingers Exercise
 1. What is the "Binary Fingers"
Exercise?

A hands-on activity that develops:

✔ Fine motor skills (precise finger movements)
✔ Binary logic (understanding base-2 numbering)
✔ Brain-hand coordination

Perfect for: Coders, musicians, puzzle lovers, and anyone who

wants sharper dexterity!

 2. How It Works

Core Concept
Each finger represents a binary digit (bit):

 Extended finger = 1
 Bent finger = 0
 Start with your right hand (5 fingers = 5 bits → numbers 0-31).

 3. Step-by-Step Practice

Level 1: Counting in Binary

1. Make a fist = 00000 (0 in decimal).

2. Extend pinky = 00001 (1).
3. Extend ring finger = 00010 (2).
4. Extend both pinky + ring = 00011 (3).
5. Continue to 11111 (31).

Pro Tip: Say the binary digits aloud as you move.

Level 2: Math Drills

 Add 5 + 3: Show 00101 (5), then add 00011 (3) → 01000 (8).
 Subtract 7 - 4: Start with 00111 (7), "flip" 00100 (4)
→ 00011 (3).

Level 3: Memory Challenge

Partner calls a number (e.g., "13"), you quickly form 01101.

 4. Science-Backed Benefits
 Neural plasticity: Strengthens brain-finger pathways.
 STEM skills: Builds intuition for binary/hex in
programming.
 Music/art boost: Improves instrument/sketching
precision.

 5. Try It Now!

Exercise: Encode your age in binary fingers.

Example: Age 25 → 11001 (thumb + index + pinky extended).
  6. Advanced Variations
 Two hands = 10 bits (0-1023).
 Speed rounds: Race against a timer.
 Binary "Simon Says": Mirror a partner’s finger patterns.

Fun Fact: This method was used by ancient traders for silent
counting!

Next Lesson: Finger Morse Code for Covert Communication

Discussion Question: Can you design a 3-bit code using just

your thumb, index, and middle finger?

(Example: 101 = "Yes", 110 = "No")

 Math for Cybersecurity: A Complete Beginner's Guide

with Exercises & Final Test
 Introduction: Why Math Matters in
Cybersecurity

Mathematics forms the backbone of cybersecurity. From

encrypting your passwords to securing online transactions, math
powers it all. This lesson covers three essential math
concepts with real-world applications, hands-on exercises, and a
final test to check your understanding.

 1. Modular Arithmetic - The Math of

Secret Codes

What It Is
Modular arithmetic is "clock math" - it deals with remainders
after division.
Notation: a mod n = remainder when a is divided by n.

Why It's Important

  Used in RSA encryption (secure websites)
 Generates secure password hashes
 Helps create unbreakable codes (Diffie-Hellman key
exchange)

Examples

 7 mod 3 = 1 (7 ÷ 3 = 2 with remainder 1)

 10 mod 4 = 2 (10 ÷ 4 = 2 with remainder 2)

Exercise 1: Password Cracking

A website uses this weak hash formula:
hash = (password + 7) mod 12

You found a leaked hash value: 3

Your Task: Find the original password.

Solution Steps:

6. Set up equation: (password + 7) mod 12 = 3

7. Try numbers until you find a match:

 password = 8: (8 + 7) mod 12 = 15 mod 12 = 3 ✅

8. Answer: The password was 8

 2. Binary Numbers & XOR - The

Language of Computers

What It Is

 Binary = Base-2 number system (only 0s and 1s)

 XOR = Exclusive OR operation (outputs 1 when inputs
differ)
 Why It's Important

 Used in stream ciphers (like AES encryption)

 Helps detect data tampering (checksums)
 Used by ransomware to encrypt files

XOR Truth Table

A B A⊕B
0 0 0
0 1 1
1 0 1
1 1 0

Exercise 2: Decrypting a Message

A message was encrypted using XOR with key 1011:

Ciphertext: 1101 1001 1011

Key: 1011 1011 1011
Your Task: Decrypt the original message.

Solution Steps:

6. Perform XOR on each 4-bit block:

1101 ⊕ 1011 = 0110

1001 ⊕ 1011 = 0010


1011 ⊕ 1011 = 0000




7. Combine results: 0110 0010 0000

8. Convert to ASCII: 0110=6, 0010=Space, 0000=Null
9. Answer: The message was "6 "

 3. Prime Numbers - Guardians of the

Internet
 What They Are
Numbers divisible only by 1 and themselves (2, 3, 5, 7, 11,...)

Why They're Important

 Foundation of RSA encryption

 Used to generate secure cryptographic keys
 Factoring large primes is computationally hard, making
encryption secure

Exercise 3: Breaking Weak RSA

A company uses public key N = 33
Your Task: Find the private keys (p and q) by factoring N.

Solution Steps:

4. Find two primes that multiply to 33:

 3 × 11 = 33

5. Answer: The private keys are p=3, q=11

 Where to Learn More

Interactive Practice:

 CryptoHack (free crypto challenges)

 Khan Academy Cryptography

Recommended Books:

 "The Code Book" by Simon Singh

 "Understanding Cryptography" by Christof Paar
 

Check Your Knowledge

 Bash Scripting Explained in Detail
 1. Understanding the Bash Shell

Bash is both a command interpreter and a scripting language.

When you type commands in a terminal, you're using Bash
interactively. Scripts let you save these commands in files for
reuse.

Key Features

 Command execution: Run any program available in your

PATH
 Variables: Store and manipulate data
 Flow control: Make decisions with conditionals
 Loops: Repeat actions
 Functions: Create reusable code blocks

 2. Script Structure Breakdown

Shebang Line
#!/bin/bash

 Must be the first line

 Tells the system which interpreter to use
 Alternative: #!/usr/bin/env bash (more portable)

Comments
# This is a single-line comment

: '
This is a
multi-line comment
'
 3. Variables Deep Dive

Variable Assignment
name="John" # No spaces around =
age=25
Important Rules:

 Names can contain letters, numbers, underscores

 Names are case-sensitive
 By convention, uppercase for constants, lowercase for
variables

Accessing Variables
echo $name # John
echo ${name} # Preferred syntax for complex expansions

Special Variables
$0 # Script name
$1 # First argument
$# # Number of arguments
$? # Exit status of last command
$$ # Current process ID

 4. User Input Methods

Simple Input
read -p "Enter your name: " name
echo "Hello, $name!"

Reading Multiple Values

read -p "Enter name and age: " name age

Silent Input (for passwords)

read -s -p "Enter password: " pass

 5. Conditional Logic Explained

 Basic If Statement
if [ condition ]; then
commands
fi

Test Conditions
# File tests
[ -f file ] # File exists
[ -d dir ] # Directory exists
[ -x file ] # File is executable

# String comparisons
[ "$a" = "$b" ] # Equal
[ "$a" != "$b" ] # Not equal
[ -z "$str" ] # String is empty

# Numeric comparisons
[ $a -eq $b ] # Equal
[ $a -lt $b ] # Less than

Case Statement
case $variable in
pattern1)
commands ;;
pattern2)
commands ;;
*)
default commands ;;
esac

 6. Loop Structures

For Loop Variations

# C-style
for ((i=0; i<10; i++)); do
echo $i
done

# List elements
for file in *.txt; do
echo "Processing $file"
done

While Loop with Input

while read line; do
echo "Read: $line"
done < input.txt
 7. Functions in Depth

Function Definition
function greet() {
local name=$1 # Local variable
echo "Hello, $name"
return 0 # Return status
}

Calling Functions
greet "Alice" # Pass argument
echo $? # Check return status

 8. Error Handling

Exit on Error
set -e # Exit immediately if any command fails

Trap Signals
trap "echo 'Script interrupted'; exit 1" SIGINT

 9. Practical Example: File Organizer

 #!/bin/bash
 # Organizes files by extension

 set -euo pipefail # Strict mode

 target_dir=${1:-.} # Use current dir if none specified

 echo "Organizing files in $target_dir"

 for file in "$target_dir"/*; do
 if [ -f "$file" ]; then
 ext=${file##*.}
 mkdir -p "$target_dir/$ext"
 mv "$file" "$target_dir/$ext/"
 echo "Moved $file to $ext/"
 fi
 done

 echo "Organization complete"

Key Techniques Used:

 1. Parameter expansion (${1:-.})
2. File tests (-f)
3. String manipulation (${file##*.})
4. Error prevention (set -euo pipefail)

 10. Debugging Techniques

Print Debugging
set -x # Print commands before execution
# Your code
set +x # Turn off debugging

Check Exit Codes

command || echo "Command failed with status $?"

 Advanced Assignment

Create a user management script that:

1. Takes username as argument

2. Checks if user exists
3. If not, creates user with:

 Random password
 Home directory
 SSH key

4. Logs all actions to syslog

Starter Code:

#!/bin/bash
set -euo pipefail

username=$1

if id "$username" &>/dev/null; then

 echo "Error: User $username already exists" >&2
exit 1
fi

# Generate random password

password=$(openssl rand -base64 12)

# Create user
useradd -m -s /bin/bash "$username"
echo "$username:$password" | chpasswd

# Generate SSH key

sudo -u "$username" ssh-keygen -t rsa -b 4096 -f
"/home/$username/.ssh/id_rsa" -N ""

# Log action
logger "Created user $username with password $password"

echo "User $username created successfully"

echo "Password: $password"

Lab: Building a Smart

System Monitor with Bash

 Objective

Create an intelligent bash script that:

1. Monitors key system metrics

2. Detects potential issues
3. Generates colored reports
4. Can run in different modes (basic/full)

 Requirements
 Basic Linux command knowledge
 Terminal with bash (Linux/macOS/WSL)
 Text editor (nano/vim/vscode)

 Part 1: Core Functionality

Script Framework
#!/bin/bash
# smart_monitor.sh - System monitoring tool

VERSION="1.0"
AUTHOR="Cyber Student"

# Configuration
WARNING_CPU=80
WARNING_MEM=75
WARNING_DISK=85

System Checks
Implement these functions:

1. CPU Monitoring

check_cpu() {
local usage=$(top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-
9.]*\)%* id.*/\1/" | awk '{print 100 - $1}')
echo "CPU Usage: $usage%"

if (( $(echo "$usage > $WARNING_CPU" | bc -l) )); then

echo -e "\e[31mWARNING: High CPU usage!\e[0m"
return 1
fi
return 0
}

2. Memory Check

check_memory() {
local free_mem=$(free -m | awk '/Mem:/ {print $4}')
local total_mem=$(free -m | awk '/Mem:/ {print $2}')
local percent_used=$(( (total_mem - free_mem) * 100 /
total_mem ))

echo "Memory Usage: $percent_used% (${free_mem}MB free)"

[ $percent_used -gt $WARNING_MEM ] && \

echo -e "\e[33mWARNING: High memory consumption\e[0m" &&
return 1
return 0
}
 Part 2: Advanced Features

Temperature Monitoring
check_temp() {
if [ -f /sys/class/thermal/thermal_zone0/temp ]; then
local temp=$(($(cat
/sys/class/thermal/thermal_zone0/temp)/1000))
echo "CPU Temp: ${temp}°C"

[ $temp -gt 70 ] && \

echo -e "\e[31mDANGER: High temperature!\e[0m" &&
return 1
else
echo "Temperature data not available"
fi
return 0
}

Network Check
check_network() {
local interface=$(ip route | awk '/default/ {print $5}')
local rx_bytes=$(cat
/sys/class/net/$interface/statistics/rx_bytes)
local tx_bytes=$(cat
/sys/class/net/$interface/statistics/tx_bytes)

echo "Network Interface: $interface"

echo " RX: $(numfmt --to=iec $rx_bytes)"
echo " TX: $(numfmt --to=iec $tx_bytes)"
}

 Part 3: Report Generation

HTML Report (Bonus)

generate_html() {
cat <<EOF > system_report.html
<!DOCTYPE html>
<html>
<head>
<title>System Report</title>
<style>
body { font-family: Arial; }
.warn { color: orange; }
.critical { color: red; }
</style>
</head>
 <body>
<h1>System Report</h1>
<p>Generated on $(date)</p>
<h2>CPU</h2>
<p>$(check_cpu | sed 's/\x1b\[[0-9;]*m//g')</p>
</body>
</html>
EOF
}

 Lab Tasks

Basic Task (Required)

1. Implement all core monitoring functions

2. Add timestamp to output
3. Create help menu (-h option)

Intermediate Challenge

4. Add process monitoring (top 5 CPU-heavy processes)

5. Implement disk I/O monitoring
6. Add email alert option

Advanced Challenge

7. Create historical logging (append to log file)

8. Build interactive mode with dialog/ncurses
9. Add performance benchmarking

 Sample Output
 === SYSTEM MONITOR (v1.0) ===
 [2023-07-18 14:30:45]

 CPU Usage: 34% (Normal)
 Memory Usage: 68% (Warning: High memory)
 CPU Temp: 52°C (Normal)
 Network:
 eth0: RX 1.4GiB / TX 890MiB
 
 Top Processes:
 1. firefox (12% CPU)
 2. gnome-shell (8% CPU)
 Submission Requirements

1. Working bash script

2. README explaining features
3. Sample output screenshots
4. (Bonus) Video demo of script in action

 Grading Criteria
 Functionality (50%)
 Code quality (20%)
 Error handling (15%)
 Creativity (15%)

 Lesson five: DNS and Subdomains

 Introduction

DNS (Domain Name System) is a critical component of internet

infrastructure, translating domain names into IP addresses. For
offensive security specialists, understanding DNS and subdomain
enumeration is essential for:

 Reconnaissance: Discovering hidden subdomains to

expand attack surfaces.
 Phishing & Social Engineering: Identifying legitimate
but vulnerable subdomains.
 Network Mapping: Finding internal services exposed
via DNS records.

In this lesson, we’ll cover key DNS concepts and subdomain

enumeration techniques, followed by a quiz to test your
knowledge.

 1. Key DNS Concepts

 A. DNS Record Types

Record Purpose Example

Maps a domain to an IPv4
A example.com → 192.168.1.1
address
Maps a domain to an IPv6
AAAA example.com → 2001:db8::1
address
CNAM www.example.com →
Alias of one domain to another example.com
E
example.com →
MX Mail server for the domain mail.example.com
"v=spf1
Arbitrary text (often used for
TXT include:_spf.google.com
SPF, DKIM) ~all"

Authoritative name servers for example.com →

NS ns1.cloudflare.com
the domain
PTR Reverse DNS (IP → domain) 192.168.1.1 → example.com

B. Subdomain Enumeration Techniques

1. Brute-Forcing (e.g., gobuster, wfuzz)

2. Search Engines (Google Dorks, site:example.com)
3. Certificate Transparency Logs (e.g., crt.sh)
4. DNS Zone Transfers (if misconfigured)
5. Passive DNS Lookups (e.g., SecurityTrails, DNSDumpster)

 3. Advanced DNS Attacks (Bonus

Knowledge)
 DNS Cache Poisoning: Forcing a DNS server to return a
fake IP.
 Subdomain Takeover: Claiming abandoned subdomains
(e.g., expired cloud instances).
 DNS Tunneling: Exfiltrating data via DNS queries
(e.g., iodine).

 Conclusion
  DNS is a goldmine for reconnaissance in penetration
testing.
 Subdomain enumeration reveals hidden attack surfaces.
 Misconfigured DNS records can lead to serious
vulnerabilities.

Self-Study Task:

 Use dig or nslookup to query different DNS records of a

target domain.
 Explore crt.sh to find subdomains of a popular website.

 Go & Python for Pentesting Beginners

 Python in Pentesting

Why it's essential:

 Pre-installed on most Linux systems

 Huge collection of security libraries
 Quick to write and test ideas

Common uses:

4. Exploit development (writing proof-of-concepts)

5. Network scanning (custom port scanners)
6. Web hacking (automating SQLi/XSS tests)
7. Password cracking (dictionary attacks)
8. Malware analysis (reverse engineering)

Key libraries:

 requests (HTTP interactions)

 scapy (packet manipulation)
 pwntools (exploit development)

 Go (Golang) in Pentesting
 Why it's gaining popularity:

 Single binary deployment (no dependencies)

 Fast execution speed
 Great for network tools

Common uses:

4. Building scanners (fast network enumeration)

5. Creating implants (harder to detect than Python)
6. Cross-platform tools (compile once, run anywhere)
7. Concurrent tasks (mass parallel processing)
8. Evading defenses (static binaries bypass Python checks)

Key advantages:

 Strong typing catches errors early

 Built-in concurrency (goroutines)
 Cross-compilation to Windows/Linux/macOS

 When to Choose Which

 Use Python for:

o Quick prototyping
o Web app testing
o Existing exploit scripts

 Use Go for:

o Network-heavy tools
o Malware/implants
o Tools you need to distribute

Both languages complement each other in a pentester's toolkit.

Start with Python for its easier learning curve, then add Go for
performance-critical tasks.

Here's a clear visual comparison of Python vs. Go for pentesting:

 ┌───────────────────┬───────────────────┐
│ PYTHON │ GO │
├───────────────────┼───────────────────┤
│ │
│ Quick & Easy │ Fast & Powerful │
│ • Great for │ • Ideal for │
│ prototyping │ compiled tools │
│ • Huge library │ • Single binary │
│ support │ deployment │
│ │
├─────────┬─────────┼─────────┬─────────┤
│ WEB │ NETWORK │ MALWARE │ CROSS │
│ APPS │ SCANNING│ ANALYSIS│ PLATFORM│
│ • SQLi │ • Custom│ • RE │ TOOLS │
│ • XSS │ scanners│ • Implants │
│ • CSRF │ │ │
└─────────┴─────────┴─────────┴─────────┘

Key:
┌───────────────┐
│ Use Python │───► When you need quick results
│ │ or existing exploit code
├───────────────┤
│ Use Go │───► When you need speed,
│ │ stealth or distribution
└───────────────┘

Blocks
Blocks
 ОАНО ДПО «ВЫШТЕХ»
 Mobile : +7 495 181-00-79
 [email protected]

Data retention summary

Get the mobile app