SEC-101 Equipment and Setup Guide

Everything you need before Week 1 starts. Most tools are browser-based or free open-source. Plan ~60 minutes for full setup; ~20 minutes if you skip the optional tools.


What you need

A laptop. Windows 10+, macOS 10.15+, or current Linux. Any 64-bit machine from the last 8 years works.

A browser. Chrome or Firefox. Most tools in this course run in-browser (picoCTF, OWASP Threat Dragon, CyberChef, NVD, CVSS calculator).

A terminal. Bash or zsh. If you completed FND-102, you already have this working. If not: macOS has Terminal pre-installed; Linux uses any terminal emulator; Windows users need WSL2 (see below).

Docker. Required for OWASP Juice Shop (Labs 5 and 7) and optionally for OWASP Threat Dragon. If you completed FND-102, Docker is already installed. If not, install Docker Desktop from docker.com.

NOT required: hardware kit, paid software, special networking equipment, root or admin access beyond what Docker requires.


Tool checklist

1. picoCTF account (required, browser-only)

Create a free account at https://picoctf.org. The platform is free and runs entirely in-browser. No installation required. An account is needed so that your progress persists across sessions.

Create the account in Week 1. Navigate to the Practice arena and find the General Skills category to confirm access.

2. CyberChef (required, browser-only)

CyberChef runs in-browser at https://gchq.github.io/CyberChef. No login required. Used for Lab 3 and ad-hoc encoding/hashing exercises throughout the course.

Verify: open the URL and search for "Base64" in the Operations bar. If the operation appears, you are ready.

3. OWASP Juice Shop (required for Labs 5 and 7, Docker)

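docker pull bkimminich/juice-shop
# Publish on loopback only: Juice Shop is deliberately vulnerable, so keep it off the local network.
docker run -p 127.0.0.1:3000:3000 bkimminich/juice-shop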

Verify: open http://localhost:3000 in your browser. You should see the Juice Shop storefront.

You only need to pull the image once; subsequent runs use the cached image. Juice Shop stores progress in localStorage; clearing browser data resets progress.

4. OWASP Threat Dragon (required for Lab 6, browser-based or Docker)

The browser version at https://www.threatdragon.com requires no installation. Open the URL and confirm the tool loads.

If the hosted site is unavailable:

docker run -p 8080:3000 owasp/threat-dragon
# Then open http://localhost:8080

5. hashcat or John the Ripper (required for Lab 4, local install)

hashcat (primary):

  • Linux: sudo apt install hashcat
  • macOS: brew install hashcat
  • Windows WSL2: sudo apt install hashcat (uses CPU mode in WSL2)

Verify: hashcat --version

John the Ripper (CPU-only alternative):

  • Linux: sudo apt install john
  • macOS: brew install john

Verify: john --version

RockYou wordlist:

The RockYou wordlist (required for Lab 4) is included in most security Linux distributions and in the wordlists package on Ubuntu/Debian:

sudo apt install wordlists
ls /usr/share/wordlists/

If not present, download rockyou.txt from a reputable security resource and place it at ~/rockyou.txt.

Verify: wc -l ~/rockyou.txt should report approximately 14 million lines.

6. Git (required, already set up from FND-101/FND-102)

git --version should print a version. The capstone (Lab 9) requires a Git repository with at least 3 commits.

7. OWASP ZAP or Burp Suite Community (optional, recommended for Lab 7)

OWASP ZAP (free, open-source):

  • Download from https://www.zaproxy.org/download/.
  • Linux: also available as sudo apt install zaproxy on some distributions.
  • Verify: launch ZAP and confirm it starts. The default proxy port is 8080.

Burp Suite Community (free):

  • Download from https://portswigger.net/burp/communitydownload.
  • Verify: launch Burp and go to the Proxy tab. Start the proxy on localhost:8080.

For SEC-101, browser developer tools are sufficient for most challenges. ZAP or Burp Suite is used in Lab 7's optional proxy-assisted challenges and becomes the primary tool in PEN-101.
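
A preflight script for the checklist above, added here as an example and not part of the original guide: it checks the required command-line tools and the RockYou line count, and flags any running container published on all interfaces instead of loopback. The function names, the ROCKYOU variable and the 14,000,000-line lower bound are assumptions of this example.

```shell
#!/bin/sh
# Added example: SEC-101 preflight check. Function names are this example's own.

# Print each named tool that is not on PATH; non-zero status if any is missing.
missing_tools() {
    rc=0
    for tool in "$@"; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool"; rc=1; }
    done
    return "$rc"
}

# Succeed only if the wordlist is readable and has at least min_lines lines.
wordlist_ok() {
    [ -r "$1" ] || return 1
    lines=$(wc -l < "$1" | tr -d ' ')   # macOS wc pads the count with spaces
    [ "$lines" -ge "$2" ]
}

# Read "name ports" lines (docker ps --format '{{.Names}} {{.Ports}}') on stdin
# and print the names of containers published on all interfaces.
wide_open() {
    awk '{ for (i = 2; i <= NF; i++)
             if ($i ~ /^(0\.0\.0\.0:|:::|\[::\]:)[0-9-]+->/) { print $1; break } }'
}

preflight() {
    status=0
    gone=$(missing_tools git docker) || status=1
    [ -z "$gone" ] || echo "missing:" $gone
    # Lab 4 needs hashcat or John the Ripper; either one is enough.
    missing_tools hashcat >/dev/null || missing_tools john >/dev/null || {
        echo "missing: hashcat or john"; status=1; }
    # Assumption: 14000000 as a lower bound for "approximately 14 million lines".
    wordlist_ok "${ROCKYOU:-$HOME/rockyou.txt}" 14000000 || {
        echo "rockyou.txt missing or truncated"; status=1; }
    if command -v docker >/dev/null 2>&1; then
        open=$(docker ps --format '{{.Names}} {{.Ports}}' 2>/dev/null | wide_open)
        [ -z "$open" ] || { echo "published on all interfaces:" $open; status=1; }
    fi
    return "$status"
}

# Run the checks only when asked: sh preflight.sh check
if [ "${1:-}" = "check" ]; then preflight; fi
```

Set ROCKYOU to the wordlist's path if it is not at ~/rockyou.txt.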


Windows students: WSL2

SEC-101 uses hashcat and git from a bash shell. On Windows, WSL2 provides a real bash environment.

If you set up WSL2 for FND-101 or FND-102, you are ready. If not:

  1. Open PowerShell as Administrator.
  2. Run: wsl --install
  3. Restart when prompted.
  4. After restart, Ubuntu finishes installing; create a username and password.
  5. Open Ubuntu from the Start menu.
  6. Install the tools: sudo apt update && sudo apt install hashcat john wordlists

Verify: run hashcat --version and john --version inside Ubuntu.

Docker on Windows with WSL2: Docker Desktop integrates with WSL2. Install Docker Desktop from docker.com; when prompted, enable WSL2 integration. Run docker --version inside WSL2 to confirm.


Accounts to create

  1. picoCTF (free): picoctf.org. Required Week 1.
  2. GitHub or GitLab (free): for pushing your capstone repository. The same account you used for FND-101 or FND-102 is fine.

Reference resources to bookmark

  1. picoCTF platform: picoctf.org
  2. OWASP Top 10: owasp.org/Top10
  3. OWASP Cheat Sheet Series: cheatsheetseries.owasp.org
  4. CyberChef: gchq.github.io/CyberChef
  5. NVD search: nvd.nist.gov/vuln/search
  6. MITRE CVE: cve.mitre.org
  7. FIRST.org CVSS v3.1 calculator: first.org/cvss/calculator/3.1
  8. CISA KEV catalogue: cisa.gov/known-exploited-vulnerabilities-catalog
  9. MITRE ATT&CK: attack.mitre.org
  10. OWASP Juice Shop: github.com/juice-shop/juice-shop (docs and changelog)
  11. CERT/CC CVD Guide: kb.cert.org/vuls/html/coordinator_cvd_guide
  12. Erickson, Hacking: The Art of Exploitation, 2nd ed.: No Starch Press (check public library)

Estimated setup time

Step                                        Time
Create picoCTF account and verify access    ~5 min
Verify browser + CyberChef                  ~2 min
Pull and run Juice Shop Docker image        ~5 min (+ download time)
Verify Threat Dragon in browser             ~2 min
Install hashcat + RockYou wordlist          ~10 min
Verify Git                                  ~2 min
Install ZAP or Burp Suite (optional)        ~10 min
WSL2 install (Windows, if not done)         ~30 min
Bookmark reference resources                ~5 min
Total (macOS/Linux)                         ~30 min
Total (Windows with WSL2)                   ~60 min

Setup guide v0.1.