Solving the US Cyber Challenge: Cyber Quest

advertisement
Solving the US Cyber Challenge:
Cyber Quest
Skyler Onken
Senior, Brigham Young University – Idaho
OnPoint Development Group LLC
CEH, Security+, ECSA, CISSP (Associate)
Twitter: @skyleronken
Blog: http://securityreliks.securegossip.com
End State
A) Technical knowledge
B) Better understand the skill level expected of
new security professionals
What is the USCC?
•
•
•
•
•
•
Government & Corporate
Improve the industry
Identify promising individuals
Assess the education of security students
Varying security related competitions
SANS Training Events (Regional and State)
March 2011 Cyber Quest
• 15 Trivia
• 15 Practical
▫ Vulnerable Web Application
April 2011 Cyber Quest
• 10 Trivia
• 20 Practical
▫ PCAP file
The Questions
Trivia Question - #1
• Which DNS record type will request a copy of an
entire DNS zone?
a.
b.
c.
d.
ZONE
AXFR
A
PTR
Trivia Question - #2
• Which protocol does the “ping” utility use to test
network connectivity between two hosts?
a.
b.
c.
d.
UDP
TCP
IP
ICMP
Trivia Question - #3
• Which HTTP header field identifies the web
browser being used by the client?
a.
b.
c.
d.
Host
Server
Browser
User-Agent
Trivia Question - #4
• Which protocol do computers use to exchange
information about their MAC addresses to other
computers on the same subnet?
a.
b.
c.
d.
DNS
DHCP
ARP
RSVP
Trivia Question - #5
• Before the SPF DNS record type was created to
address e-mail spam, which DNS record type did
Sender Policy Framework utilize?
a.
b.
c.
d.
MX
TXT
SRV
PTR
example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all”
example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"
Trivia Question - #6
• Which of the following represents the correct
sequence of TCP packets to complete the 3-way
handshake
a.
b.
c.
d.
SYN, SYN-ACK, ACK
SYN, ACK, SYN-ACK
FIN, FIN-ACK, ACK
SYN, FIN, ACK
Trivia Question - #7
• Which of the following represents a valid path to
a file share using SMB/CIFS on a Windows
system
a.
b.
c.
d.
\\SERVERNAME\SHARENAME
smb.servername.com/sharename
\\SHARENAME.SERVERNAME\
C:\SERVERNAME\SHARENAME
Trivia Question - #8
• Which HTTP status code indicates that
authentication is required?
a.
b.
c.
d.
400
401
500
200
Trivia Question - #9
• When a TCP port is closed, what type of packet
will typically be sent in response to an incoming
packet?
a.
b.
c.
d.
TCP RST packet
ICMP Port Unreachable packet
TCP CLD packet
TCP SYN-ACK packet
Trivia Question - #10
• Which HTTP method is most commonly used
when submitting sensitive data to a web
application?
a.
b.
c.
d.
POST
TRACE
SECURE
GET
Practical Question - #11
• The DNS name “wireless.pseudovision.net” is
actually a canonical alias (CNAME record).
What DNS name does it point to?
a.
b.
c.
d.
blog.pseudovision.net
server1.pseudovision.net
server2.pseudovision.net
wireless.target.tgt
Practical Question - #12
• Which password did the user at 10.10.10.4 use to
connect to 10.10.10.1 using Telnet?
a.
b.
c.
d.
gobbler
contaminated
C007P@33
admin
Practical Question - #13
• Which operating system is running on
10.10.10.2?
a.
b.
c.
d.
Fedora Linux
Windows XP
Windows 7
CentOS Linux
Practical Question - #14
• The web page that the user at 10.10.10.3 visited
required a username and password. What was
the password that the user supplied?
a.
b.
c.
d.
trash
admin
treasure
str0ng!pw
sonken@bt:~# echo -n "YWRtaW46c3RyMG5nIXB3" | base64 -d
admin:str0ng!pw
Practical Question - #15
• A web page that the user at 10.10.10.4 visited
required a username and password. What was
the password that the user supplied?
a.
b.
c.
d.
beautiful
beethoven29
camera101
yuri
Practical Question - #16
• Prior to the session recorded in the supplied
PCAP file, when was the last time the user at
10.10.10.4 connected to 10.10.10.1 via Telnet?
a.
b.
c.
d.
Monday, March 7th
Wednesday, March 30th
Friday, March 11th
Tuesday, April 5th
Practical Question - #17
• Which of the following TCP ports is closed on
10.10.10.1?
a.
b.
c.
d.
80
445
22
23
Practical Question - #18
• What are the contents of the payload included in
a specially crafted ICMP packet found in the
capture file?
a.
b.
c.
d.
abcdefghijklmnopqrstuvwxyz
Words taste like peaches.
Save the cheerleader, save the world!
!"#$%&'()*+,-./01234567
Practical Question - #19
• According to DNS records, what is the IP
address of the server “sales.target.tgt”?
a.
b.
c.
d.
10.10.10.7
10.10.10.1
10.10.10.40
10.10.10.12
Practical Question - #20
• The web page that the user at 10.10.10.4 visited
has a picture of a bridge. Which bridge is it?
a.
b.
c.
d.
Tower Bridge
Golden Gate Bridge
Zakim Bridge
Verrazano-Narrows Bridge
Practical Question - #21
• What is the OUI of the MAC address for the
computer at 10.10.10.78?
a.
b.
c.
d.
00:05:69
00:0C:29
9A:92:A2
00:0C:29:9A:92:A2
Practical Question - #22
• What is the name of the file share that the user
at 10.10.10.3 connected to?
a.
b.
c.
d.
BUYMORE
CASTLE
FILESHARE
HERDFILES
Practical Question - #23
• Which of the following commands was used to
generate the ping packet from 10.10.10.4?
a.
b.
c.
d.
C:\> ping 10.10.10.3
C:\> ping –n 1 10.10.10.2
$ ping –c 1 10.10.10.3
$ ping –t 1 10.10.10.2
Practical Question - #24
• How long should
a client resolver cache the
IP address associated with the name
“blog.pseudovision.net”?
a.
b.
c.
d.
1 Hour
15,180 milliseconds
64 minutes
86,400 seconds
Practical Question - #25
• According to the Sender Policy Framework,
which IP address is allowed to send e-mail on
behalf of the “target.tgt” domain?
a.
b.
c.
d.
10.10.10.40
10.10.10.1
10.10.10.20
10.10.10.8
Practical Question - #26
• Which web browser is the user at 10.10.10.3
using?
a.
b.
c.
d.
Safari
Internet Explorer
Google Chrome
Firefox
Practical Question - #27
• Which operating system is running on
10.10.10.3?
a.
b.
c.
d.
Fedora Linux
Windows 7
Windows XP
CentOS Linux
Practical Question - #28
• Which version of the web server software is
running on 10.10.10.2?
a.
b.
c.
d.
2.0.52
2.2.17
1.3.42
2.0.63
Practical Question - #29
• Which computer used an ARP probe to make
sure that the IP address was not already in use?
a.
b.
c.
d.
10.10.10.1
10.10.10.3
10.10.10.2
10.10.10.4
Practical Question - #30
• What is the hostname of the system running on
10.10.10.3?
a.
b.
c.
d.
BUYMORE
AWESOME
ORION
JEFFSTER
Outcomes
•
•
•
•
•
•
~800 Took the exam
Top 300* Went to Cyber Camp
Some with scores as low as 25 attended**
Ages 18-50’s
Students and Professionals
Various backgrounds
▫
▫
▫
▫
Pen Testers
Incident Handlers
Forensic Investigators
Network/Firewall Admins
*: Some chose not to attend, so slots were then offered to others
**: Based upon my personal conversations with participants
The Gap Between Education and
Employment
4 Years
2-5 Years
6 Months – 10
Years
Personal
Endeavors
Industry
Educational
Institutions
Working Models
•
•
•
•
Try Outs/Competitions
Development Programs
Training For Service
Internship Recruitment
3
Possible
Solutions
3
Years
Y
e1
a
r
s
1-3 Years
0-2 Years
Training
For
Service
Development
Programs
Internship
s
Educational
Institutions
Try
Outs
Industry
Other Conclusions
•
•
•
•
I am not a $ cruncher
Nurture vs. Nature
Don’t rely upon educational institutes
Don’t rely upon other companies or
certifications to develop your professional
• Quality of professional will save you $ in the
long run
Questions?
Download