Presentation on theme: "Solving the US Cyber Challenge: Cyber Quest"— Presentation transcript:
1 Solving the US Cyber Challenge: Cyber Quest
Skyler Onken
Senior, Brigham Young University – Idaho
OnPoint Development Group LLC
CEH, Security+, ECSA, CISSP (Associate)
Blog:
Notes: Doing this because if you got the questions wrong, there was no information on what the correct answer was. This is supposed to be a learning experience.

2 End State
Technical knowledge
Better understand the skill level expected of new security professionals

3 What is the USCC?
Government & Corporate
Improve the industry
Identify promising individuals
Assess the education of security students
Varying security-related competitions
SANS Training
Events (Regional and State)

4 March 2011 Cyber Quest
15 Trivia
15 Practical
Vulnerable Web Application

5 April 2011 Cyber Quest
10 Trivia
20 Practical
PCAP file
7 Trivia Question - #1
Which DNS record type will request a copy of an entire DNS zone?
 - ZONE
 - AXFR
 - A
 - PTR
Notes: AXFR = Asynchronous Full Transfer Zone. RFC 1034.

8 Trivia Question - #2
Which protocol does the "ping" utility use to test network connectivity between two hosts?
 - UDP
 - TCP
 - IP
 - ICMP

9 Trivia Question - #3
Which HTTP header field identifies the web browser being used by the client?
 - Host
 - Server
 - Browser
 - User-Agent

10 Trivia Question - #4
Which protocol do computers use to exchange information about their MAC addresses with other computers on the same subnet?
 - DNS
 - DHCP
 - ARP
 - RSVP

11 Trivia Question - #5
Before the SPF DNS record type was created to address spam, which DNS record type did Sender Policy Framework utilize?
 - MX
 - TXT
 - SRV
 - PTR
Notes: "Early implementations used TXT records for implementation before the new record type was commonly available in DNS software. Use of TXT records for SPF is intended as a transitional mechanism. However, according to the current RFC, 4408, section 3.1.1, 'An SPF-compliant domain name SHOULD have SPF records of both RR (Resource Record) types. A compliant domain name MUST have a record of at least one type,' and as such, TXT record use is not deprecated."
  example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
  example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"

12 Trivia Question - #6
Which of the following represents the correct sequence of TCP packets to complete the 3-way handshake?
 - SYN, SYN-ACK, ACK
 - SYN, ACK, SYN-ACK
 - FIN, FIN-ACK, ACK
 - SYN, FIN, ACK
Notes: RFC 793.

13 Trivia Question - #7
Which of the following represents a valid path to a file share using SMB/CIFS on a Windows system?
 - \\SERVERNAME\SHARENAME
 - smb.servername.com/sharename
 - \\SHARENAME.SERVERNAME\
 - C:\SERVERNAME\SHARENAME

14 Trivia Question - #8
Which HTTP status code indicates that authentication is required?
 - 400
 - 401
 - 500
 - 200

15 Trivia Question - #9
When a TCP port is closed, what type of packet will typically be sent in response to an incoming packet?
 - TCP RST packet
 - ICMP Port Unreachable packet
 - TCP CLD packet
 - TCP SYN-ACK packet
Notes: Too many people were lured in by the ICMP Type 3 Code 3.

16 Trivia Question - #10
Which HTTP method is most commonly used when submitting sensitive data to a web application?
 - POST
 - TRACE
 - SECURE
 - GET
17 Practical Question - #11
The DNS name "wireless.pseudovision.net" is actually a canonical alias (CNAME record). What DNS name does it point to?
 - blog.pseudovision.net
 - server1.pseudovision.net
 - server2.pseudovision.net
 - wireless.target.tgt

18 Practical Question - #12
Which password did the user at use to connect to using Telnet?
 - gobbler
 - contaminated
 - admin
Notes: We switch the destination and sources because the string "Password" should be coming back from the server.

19 Practical Question - #13
Which operating system is running on ?
 - Fedora Linux
 - Windows XP
 - Windows 7
 - CentOS Linux

20 Practical Question - #14
The web page that the user at visited required a username and password. What was the password that the user supplied?
 - trash
 - admin
 - treasure
 - str0ng!pw
Notes: Router, so it uses Basic Authorization.
  echo -n "YWRtaW46c3RyMG5nIXB3" | base64 -d
  admin:str0ng!pw

21 Practical Question - #15
A web page that the user at visited required a username and password. What was the password that the user supplied?
 - beautiful
 - beethoven29
 - camera101
 - yuri
Notes: This login was to an HTTP form.

22 Practical Question - #16
Prior to the session recorded in the supplied PCAP file, when was the last time the user at connected to via Telnet?
 - Monday, March 7th
 - Wednesday, March 30th
 - Friday, March 11th
 - Tuesday, April 5th

23 Practical Question - #17
Which of the following TCP ports is closed on ?
 - 80
 - 445
 - 22
 - 23

24 Practical Question - #18
What are the contents of the payload included in a specially crafted ICMP packet found in the capture file?
 - abcdefghijklmnopqrstuvwxyz
 - Words taste like peaches.
 - Save the cheerleader, save the world!
 - !"#$%&'()*+,-./
Notes: ICMP on Windows is full of the alphabet. Therefore the crafted packet is not the alphabet one.

25 Practical Question - #19
According to DNS records, what is the IP address of the server "sales.target.tgt"?

26 Practical Question - #20
The web page that the user at visited has a picture of a bridge. Which bridge is it?
 - Tower Bridge
 - Golden Gate Bridge
 - Zakim Bridge
 - Verrazano-Narrows Bridge
Notes: sent back TO the user; Image; HTTP.

27 Practical Question - #21
What is the OUI of the MAC address for the computer at ?
 - 00:05:69
 - 00:0C:29
 - 9A:92:A2
 - 00:0C:29:9A:92:A2
Notes: The Organizationally Unique Identifier is the first 3 octets.

28 Practical Question - #22
What is the name of the file share that the user at connected to?
 - BUYMORE
 - CASTLE
 - FILESHARE
 - HERDFILES
Notes: The filter hides the fact that the IPC$ share connections were not established.

29 Practical Question - #23
Which of the following commands was used to generate the ping packet from ?
 - C:\> ping
 - C:\> ping -n
 - $ ping -c
 - $ ping -t
Notes: One ping tells us it's not (a) or (d). Destination tells us it is (b) or (d). ICMP data means it's Windows.
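The ICMP-payload reasoning used in questions #18 and #23 (a Windows ping carries the repeating alphabet, a Linux ping carries a timestamp followed by an ascending byte counter, anything else stands out as crafted) can be turned into a small classifier. This is an added example, not material from the presentation; the reference patterns are assumptions about the default iputils and Windows ping payloads, and the sample datagrams are constructed with a zero checksum.

```python
import struct

ICMP_ECHO_REQUEST = 8
ICMP_ECHO_REPLY = 0

def parse_icmp(datagram: bytes):
    """Split a raw ICMP datagram into (type, code, identifier, sequence, payload)."""
    if len(datagram) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", datagram[:8])
    return icmp_type, code, ident, seq, datagram[8:]

def looks_like_windows_ping(payload: bytes) -> bool:
    # Assumption: Windows ping fills the payload with 'a'..'w' repeated (32 bytes by default).
    return len(payload) > 0 and all(b == ord("a") + i % 23 for i, b in enumerate(payload))

def looks_like_iputils_ping(payload: bytes) -> bool:
    # Assumption: iputils ping stores an 8-byte timestamp first, then byte i holds the
    # low byte of i, so the payload reads 0x08 0x09 ... regardless of the -s size.
    return len(payload) > 8 and all(b == i & 0xFF for i, b in enumerate(payload) if i >= 8)

def classify_echo(datagram: bytes) -> str:
    """Label an echo request/reply by the tool that most likely produced its payload."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(datagram)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo"
    if looks_like_windows_ping(payload):
        return "windows-ping"
    if looks_like_iputils_ping(payload):
        return "linux-ping"
    return "custom-payload"   # worth a closer look: ping tools do not send this

def build_echo(payload: bytes, icmp_type=ICMP_ECHO_REQUEST, ident=0x1234, seq=1) -> bytes:
    """Constructed sample datagram with a zero checksum (checksum is not validated here)."""
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload

# Constructed samples: stock Windows payload, stock iputils payload (56 data bytes), crafted.
SAMPLES = {
    "windows": build_echo(b"abcdefghijklmnopqrstuvwabcdefghi"),
    "linux": build_echo(bytes(8) + bytes(range(8, 56))),
    "crafted": build_echo(b"constructed covert payload"),
}
```

Running classify_echo over every echo packet in a capture and filtering for "custom-payload" is how the specially crafted packet of question #18 separates from the background pings.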
30 Practical Question - #24
How long should a client resolver cache the IP address associated with the name "blog.pseudovision.net"?
 - 1 Hour
 - 15,180 milliseconds
 - 64 minutes
 - 86,400 seconds

31 Practical Question - #25
According to the Sender Policy Framework, which IP address is allowed to send on behalf of the "target.tgt" domain?

32 Practical Question - #26
Which web browser is the user at using?
 - Safari
 - Internet Explorer
 - Google Chrome
 - Firefox
Notes: Previous slide.

33 Practical Question - #27
Which operating system is running on ?
 - Fedora Linux
 - Windows 7
 - Windows XP
 - CentOS Linux

34 Practical Question - #28
Which version of the web server software is running on ?
Options (as extracted): 2.0.5126.96.36.199.422.0.63

35 Practical Question - #29
Which computer used an ARP probe to make sure that the IP address was not already in use?
Notes: "An ARP probe is an ARP request constructed with an all-zero sender IP address. The term is used in the IPv4 Address Conflict Detection specification (RFC 5227). Before beginning to use an IPv4 address (whether received from manual configuration, DHCP, or some other means), a host implementing this specification must test to see if the address is already in use, by broadcasting ARP probe packets."

36 Practical Question - #30
What is the hostname of the system running on ?
 - BUYMORE
 - AWESOME
 - ORION
 - JEFFSTER
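Question #29 hinges on the RFC 5227 definition quoted above: a probe is an ARP request whose sender IP is all zeros, and the sender MAC of that frame is the computer doing the conflict check. The parser below is an added example, not code from the presentation; it assumes Ethernet II frames carrying IPv4-over-Ethernet ARP, and the MAC and 192.0.2.0/24 addresses in the sample frames are constructed.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST = 1

def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying IPv4-over-Ethernet ARP (28-byte ARP body)."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an Ethernet/ARP frame")
    _htype, _ptype, _hlen, _plen, op, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"op": op, "sender_mac": _mac(sha), "sender_ip": socket.inet_ntoa(spa),
            "target_mac": _mac(tha), "target_ip": socket.inet_ntoa(tpa)}

def arp_kind(arp: dict) -> str:
    """Classify per RFC 5227: a probe is a request whose sender IP is all zeros."""
    if arp["op"] != ARP_REQUEST:
        return "reply"
    if arp["sender_ip"] == "0.0.0.0":
        return "probe"
    if arp["sender_ip"] == arp["target_ip"]:
        return "announcement"   # gratuitous ARP after the address is claimed
    return "request"

def find_probes(frames):
    """Return (sender MAC, probed IP) for every ARP probe among the raw frames."""
    parsed = (parse_arp(f) for f in frames)
    return [(a["sender_mac"], a["target_ip"]) for a in parsed if arp_kind(a) == "probe"]

def build_arp(sha, spa, tha, tpa, op=ARP_REQUEST) -> bytes:
    """Constructed sample frame (broadcast destination), used only for the demo data below."""
    eth = b"\xff" * 6 + bytes.fromhex(sha.replace(":", "")) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sha.replace(":", "")), socket.inet_aton(spa),
                       bytes.fromhex(tha.replace(":", "")), socket.inet_aton(tpa))
    return eth + body

# Constructed capture: an ordinary request, a probe (RFC 5227), then the announcement.
SAMPLE_FRAMES = [
    build_arp("00:0c:29:11:22:33", "192.0.2.5", "00:00:00:00:00:00", "192.0.2.1"),
    build_arp("00:0c:29:9a:92:a2", "0.0.0.0", "00:00:00:00:00:00", "192.0.2.10"),
    build_arp("00:0c:29:9a:92:a2", "192.0.2.10", "00:00:00:00:00:00", "192.0.2.10"),
]
```

Fed the ARP frames from a PCAP, find_probes returns the probing host's MAC and the address it was checking, which is the pair the question asks for; the same check doubles as a detection for unexpected address-conflict activity on a segment.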
37 Outcomes
~800 took the exam
Top 300* went to Cyber Camp
Some with scores as low as 25 attended**
Ages 18 to 50s
Students and professionals
Various backgrounds: pen testers, incident handlers, forensic investigators, network/firewall admins
Notes: The nature of the Cyber Quest has improved. The skills required are more well rounded, not just aimed at one specific security-related field.
*: Some chose not to attend, so slots were then offered to others.
**: Based upon my personal conversations with participants.

38 The Gap Between Education and Employment
Timeline labels (as extracted): 4 Years; 2-5 Years; 6 Months – 10 Years; Industry; Personal Endeavors; Educational Institutions
Notes:
The shortage does not need to be as short as seen. Hiring the wrong people: they have neither the passion nor the skillset.
10 years to develop a group of professionals.
Already working in the industry.
Have a really great connection.
What causes the black hole? Urgent need; not wanting to invest time and money into training.
What is happening in the black hole? Unrelated work; cross-training (good); building a resume to get a job.
Problem? Certification-based industry, not practical experience; self-funding is the only means of training.
End State:
1) We need to nurture the desire in those who have it right out of school. Without that, it may dwindle and die.
2) We are looking at nearly twice the time to develop a sufficiently trained professional workforce.

39 Working Models
Try Outs/Competitions
Development Programs
Training For Service
Internship
Recruitment
Notes:
Try Outs: Like the USCC; see what Lockheed and Booz Allen Hamilton are doing.
Dev Programs: Like the NSA. Doing this in management areas of companies.
Training For Service: Mandatory employment or service for training. Already doing this for Military/Gov't.

40 Possible Solutions
Timeline labels (as extracted): Educational Institutions; 3 Years; 3 Years; 1; 1-3 Years; 0-2 Years; Industry; Training For Service; Development Programs; Internships; Try Outs
Notes:
Working Models:
Try outs (e.g. USCC): Lockheed, Booz Allen Hamilton, etc.
Development Programs like the NSA.
Training for "Service" will lead to drawing professionals into your company. Can be picky. Could be getting security clearances as well. Upon completion of training, which is essentially an entry position, they will be obligated for employment longer than normal. More competitive for your positions since people want to take part in your programs.

41 Other Conclusions
I am not a $ cruncher
Nurture vs. Nature
Don't rely upon educational institutes
Don't rely upon other companies or certifications to develop your professionals
Quality of professional will save you $ in the long run
Notes: Better security professionals will save $ in the long run because of data breaches, etc.