Solving the US Cyber Challenge: Cyber Quest Skyler Onken Senior, Brigham Young University – Idaho OnPoint Development Group LLC CEH, Security+, ECSA, CISSP (Associate) Twitter: @skyleronken Blog: http://securityreliks.securegossip.com End State A) Technical knowledge B) Better understand the skill level expected of new security professionals What is the USCC? • • • • • • Government & Corporate Improve the industry Identify promising individuals Assess the education of security students Varying security related competitions SANS Training Events (Regional and State) March 2011 Cyber Quest • 15 Trivia • 15 Practical ▫ Vulnerable Web Application April 2011 Cyber Quest • 10 Trivia • 20 Practical ▫ PCAP file The Questions Trivia Question - #1 • Which DNS record type will request a copy of an entire DNS zone? a. b. c. d. ZONE AXFR A PTR Trivia Question - #2 • Which protocol does the “ping” utility use to test network connectivity between two hosts? a. b. c. d. UDP TCP IP ICMP Trivia Question - #3 • Which HTTP header field identifies the web browser being used by the client? a. b. c. d. Host Server Browser User-Agent Trivia Question - #4 • Which protocol do computers use to exchange information about their MAC addresses to other computers on the same subnet? a. b. c. d. DNS DHCP ARP RSVP Trivia Question - #5 • Before the SPF DNS record type was created to address e-mail spam, which DNS record type did Sender Policy Framework utilize? a. b. c. d. MX TXT SRV PTR example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all” example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all" Trivia Question - #6 • Which of the following represents the correct sequence of TCP packets to complete the 3-way handshake a. b. c. d. SYN, SYN-ACK, ACK SYN, ACK, SYN-ACK FIN, FIN-ACK, ACK SYN, FIN, ACK Trivia Question - #7 • Which of the following represents a valid path to a file share using SMB/CIFS on a Windows system a. b. c. d. \\SERVERNAME\SHARENAME smb.servername.com/sharename \\SHARENAME.SERVERNAME\ C:\SERVERNAME\SHARENAME Trivia Question - #8 • Which HTTP status code indicates that authentication is required? a. b. c. d. 400 401 500 200 Trivia Question - #9 • When a TCP port is closed, what type of packet will typically be sent in response to an incoming packet? a. b. c. d. TCP RST packet ICMP Port Unreachable packet TCP CLD packet TCP SYN-ACK packet Trivia Question - #10 • Which HTTP method is most commonly used when submitting sensitive data to a web application? a. b. c. d. POST TRACE SECURE GET Practical Question - #11 • The DNS name “wireless.pseudovision.net” is actually a canonical alias (CNAME record). What DNS name does it point to? a. b. c. d. blog.pseudovision.net server1.pseudovision.net server2.pseudovision.net wireless.target.tgt Practical Question - #12 • Which password did the user at 10.10.10.4 use to connect to 10.10.10.1 using Telnet? a. b. c. d. gobbler contaminated C007P@33 admin Practical Question - #13 • Which operating system is running on 10.10.10.2? a. b. c. d. Fedora Linux Windows XP Windows 7 CentOS Linux Practical Question - #14 • The web page that the user at 10.10.10.3 visited required a username and password. What was the password that the user supplied? a. b. c. d. trash admin treasure str0ng!pw sonken@bt:~# echo -n "YWRtaW46c3RyMG5nIXB3" | base64 -d admin:str0ng!pw Practical Question - #15 • A web page that the user at 10.10.10.4 visited required a username and password. What was the password that the user supplied? a. b. c. d. beautiful beethoven29 camera101 yuri Practical Question - #16 • Prior to the session recorded in the supplied PCAP file, when was the last time the user at 10.10.10.4 connected to 10.10.10.1 via Telnet? a. b. c. d. Monday, March 7th Wednesday, March 30th Friday, March 11th Tuesday, April 5th Practical Question - #17 • Which of the following TCP ports is closed on 10.10.10.1? a. b. c. d. 80 445 22 23 Practical Question - #18 • What are the contents of the payload included in a specially crafted ICMP packet found in the capture file? a. b. c. d. abcdefghijklmnopqrstuvwxyz Words taste like peaches. Save the cheerleader, save the world! !"#$%&'()*+,-./01234567 Practical Question - #19 • According to DNS records, what is the IP address of the server “sales.target.tgt”? a. b. c. d. 10.10.10.7 10.10.10.1 10.10.10.40 10.10.10.12 Practical Question - #20 • The web page that the user at 10.10.10.4 visited has a picture of a bridge. Which bridge is it? a. b. c. d. Tower Bridge Golden Gate Bridge Zakim Bridge Verrazano-Narrows Bridge Practical Question - #21 • What is the OUI of the MAC address for the computer at 10.10.10.78? a. b. c. d. 00:05:69 00:0C:29 9A:92:A2 00:0C:29:9A:92:A2 Practical Question - #22 • What is the name of the file share that the user at 10.10.10.3 connected to? a. b. c. d. BUYMORE CASTLE FILESHARE HERDFILES Practical Question - #23 • Which of the following commands was used to generate the ping packet from 10.10.10.4? a. b. c. d. C:\> ping 10.10.10.3 C:\> ping –n 1 10.10.10.2 $ ping –c 1 10.10.10.3 $ ping –t 1 10.10.10.2 Practical Question - #24 • How long should a client resolver cache the IP address associated with the name “blog.pseudovision.net”? a. b. c. d. 1 Hour 15,180 milliseconds 64 minutes 86,400 seconds Practical Question - #25 • According to the Sender Policy Framework, which IP address is allowed to send e-mail on behalf of the “target.tgt” domain? a. b. c. d. 10.10.10.40 10.10.10.1 10.10.10.20 10.10.10.8 Practical Question - #26 • Which web browser is the user at 10.10.10.3 using? a. b. c. d. Safari Internet Explorer Google Chrome Firefox Practical Question - #27 • Which operating system is running on 10.10.10.3? a. b. c. d. Fedora Linux Windows 7 Windows XP CentOS Linux Practical Question - #28 • Which version of the web server software is running on 10.10.10.2? a. b. c. d. 2.0.52 2.2.17 1.3.42 2.0.63 Practical Question - #29 • Which computer used an ARP probe to make sure that the IP address was not already in use? a. b. c. d. 10.10.10.1 10.10.10.3 10.10.10.2 10.10.10.4 Practical Question - #30 • What is the hostname of the system running on 10.10.10.3? a. b. c. d. BUYMORE AWESOME ORION JEFFSTER Outcomes • • • • • • ~800 Took the exam Top 300* Went to Cyber Camp Some with scores as low as 25 attended** Ages 18-50’s Students and Professionals Various backgrounds ▫ ▫ ▫ ▫ Pen Testers Incident Handlers Forensic Investigators Network/Firewall Admins *: Some chose not to attend, so slots were then offered to others **: Based upon my personal conversations with participants The Gap Between Education and Employment 4 Years 2-5 Years 6 Months – 10 Years Personal Endeavors Industry Educational Institutions Working Models • • • • Try Outs/Competitions Development Programs Training For Service Internship Recruitment 3 Possible Solutions 3 Years Y e1 a r s 1-3 Years 0-2 Years Training For Service Development Programs Internship s Educational Institutions Try Outs Industry Other Conclusions • • • • I am not a $ cruncher Nurture vs. Nature Don’t rely upon educational institutes Don’t rely upon other companies or certifications to develop your professional • Quality of professional will save you $ in the long run Questions?