Solving the US Cyber Challenge: Cyber Quest - Security B-Sides

Networking and Communications

Oct 26, 2013


Solving the US Cyber Challenge: Cyber Quest

Skyler Onken

Senior, Brigham Young University - Idaho

OnPoint Development Group LLC

CEH, Security+, ECSA, CISSP (Associate)


Twitter: @skyleronken

Blog: http://securityreliks.securegossip.com


End State


A) Technical knowledge

B) Better understand the skill level expected of new security professionals

What is the USCC?


Government & Corporate


Improve the industry


Identify promising individuals


Assess the education of security students


Varying security related competitions


SANS Training Events (Regional and State)

March 2011 Cyber Quest


15 Trivia


15 Practical


Vulnerable Web Application

April 2011 Cyber Quest


10 Trivia


20 Practical


PCAP file


The Questions

Trivia Question - #1

Which DNS record type will request a copy of an entire DNS zone?

a. ZONE
b. AXFR
c. A
d. PTR

Trivia Question - #2

Which protocol does the “ping” utility use to test network connectivity between two hosts?

a. UDP
b. TCP
c. IP
d. ICMP

Trivia Question - #3

Which HTTP header field identifies the web browser being used by the client?

a. Host
b. Server
c. Browser
d. User-Agent

Trivia Question - #4

Which protocol do computers use to exchange information about their MAC addresses with other computers on the same subnet?

a. DNS
b. DHCP
c. ARP
d. RSVP

Trivia Question - #5

Before the SPF DNS record type was created to address e-mail spam, which DNS record type did Sender Policy Framework utilize?

a. MX
b. TXT
c. SRV
d. PTR

example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"

Trivia Question - #6

Which of the following represents the correct sequence of TCP packets to complete the 3-way handshake?

a. SYN, SYN-ACK, ACK
b. SYN, ACK, SYN-ACK
c. FIN, FIN-ACK, ACK
d. SYN, FIN, ACK

Trivia Question - #7

Which of the following represents a valid path to a file share using SMB/CIFS on a Windows system?

a. \\SERVERNAME\SHARENAME
b. smb.servername.com/sharename
c. \\SHARENAME.SERVERNAME\
d. C:\SERVERNAME\SHARENAME

Trivia Question - #8

Which HTTP status code indicates that authentication is required?

a. 400
b. 401
c. 500
d. 200

Trivia Question - #9

When a TCP port is closed, what type of packet will typically be sent in response to an incoming packet?

a. TCP RST packet
b. ICMP Port Unreachable packet
c. TCP CLD packet
d. TCP SYN-ACK packet

Trivia Question - #10

Which HTTP method is most commonly used when submitting sensitive data to a web application?

a. POST
b. TRACE
c. SECURE
d. GET

Practical Question - #11

The DNS name “wireless.pseudovision.net” is actually a canonical alias (CNAME record). What DNS name does it point to?

a. blog.pseudovision.net
b. server1.pseudovision.net
c. server2.pseudovision.net
d. wireless.target.tgt

Practical Question - #12

Which password did the user at 10.10.10.4 use to connect to 10.10.10.1 using Telnet?

a. gobbler
b. contaminated
c. C007P@33
d. admin

Practical Question - #13

Which operating system is running on 10.10.10.2?

a. Fedora Linux
b. Windows XP
c. Windows 7
d. CentOS Linux

Practical Question - #14

The web page that the user at 10.10.10.3 visited required a username and password. What was the password that the user supplied?

a. trash
b. admin
c. treasure
d. str0ng!pw

sonken@bt:~# echo -n "YWRtaW46c3RyMG5nIXB3" | base64 -d
admin:str0ng!pw

Practical Question - #15

A web page that the user at 10.10.10.4 visited required a username and password. What was the password that the user supplied?

a. beautiful
b. beethoven29
c. camera101
d. yuri
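
Questions #14 and #15 are the same exercise: HTTP Basic authentication only base64-encodes "user:password", so the credential is readable by anyone holding the capture. The one-liner on the #14 slide decodes a single token by hand; the following is an added example (not from the deck) that does the same job over every request in a capture, including the Proxy-Authorization header, tokens that are not valid base64, and tokens with no colon separator. The sample request data is constructed for the demo: the first token is the one decoded on the #14 slide, the second client (10.10.10.5) and its credential are made up, and the third request carries a deliberately bad token.

```python
import base64
import binascii
import re

# Constructed sample traffic (assumption: not the challenge capture). Each entry is
# ((client_ip, client_port), (server_ip, server_port), client-to-server request bytes).
SAMPLE_STREAMS = [
    (("10.10.10.3", 49152), ("10.10.10.2", 80),
     b"GET /secret/ HTTP/1.1\r\nHost: 10.10.10.2\r\n"
     b"Authorization: Basic YWRtaW46c3RyMG5nIXB3\r\n\r\n"),        # token from the #14 slide
    (("10.10.10.5", 49153), ("10.10.10.2", 80),
     b"GET /other/ HTTP/1.1\r\nHost: 10.10.10.2\r\n"
     b"Proxy-Authorization: Basic ZGVtbzpjaGFuZ2VtZQ==\r\n\r\n"),  # made up: demo:changeme
    (("10.10.10.5", 49154), ("10.10.10.2", 80),
     b"GET /broken/ HTTP/1.1\r\nAuthorization: Basic not*base64\r\n\r\n"),
]

# Header name, the literal scheme "Basic", then the token; one header per line.
AUTH_RE = re.compile(rb"^(Authorization|Proxy-Authorization):\s*Basic\s+(\S+)\s*$",
                     re.IGNORECASE | re.MULTILINE)


def decode_basic(token):
    """Return (user, password) for a Basic token, or None if it is not a usable credential."""
    try:
        raw = base64.b64decode(token, validate=True)   # strict: reject junk characters
    except (binascii.Error, ValueError):
        return None
    text = raw.decode("utf-8", errors="replace")
    user, sep, password = text.partition(":")         # password may itself contain ':'
    if not sep:
        return None
    return user, password


def extract_basic_credentials(streams):
    """Walk client->server request data and collect every decodable Basic credential."""
    found = []
    for (client_ip, _), (server_ip, server_port), data in streams:
        for match in AUTH_RE.finditer(data):
            creds = decode_basic(match.group(2))
            if creds is None:
                continue          # undecodable token: not a credential, skip it
            found.append({
                "client": client_ip,
                "server": f"{server_ip}:{server_port}",
                "header": match.group(1).decode().title(),
                "user": creds[0],
                "password": creds[1],
            })
    return found


def passwords_for_client(streams, client_ip):
    """The question as asked: which password(s) did a given client supply?"""
    return [f["password"] for f in extract_basic_credentials(streams) if f["client"] == client_ip]


if __name__ == "__main__":
    for entry in extract_basic_credentials(SAMPLE_STREAMS):
        print(entry)
```

The same scan on a real capture is a quick audit for Basic auth sent over plaintext HTTP; the Authorization header is the thing to look for, the base64 is only an encoding.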

Practical Question - #16

Prior to the session recorded in the supplied PCAP file, when was the last time the user at 10.10.10.4 connected to 10.10.10.1 via Telnet?

a. Monday, March 7th
b. Wednesday, March 30th
c. Friday, March 11th
d. Tuesday, April 5th

Practical Question - #17

Which of the following TCP ports is closed on 10.10.10.1?

a. 80
b. 445
c. 22
d. 23
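
Question #9 (a closed TCP port answers with a RST) is what you apply to answer question #17 from the capture: for each SYN, look at what the target port sends back. SYN-ACK means open, RST (sent with the ACK bit set when it answers a SYN) means closed, and nothing at all usually means a filter dropped the SYN or the reply. ICMP Port Unreachable, the distractor in #9, is the closed-port signal for UDP, not TCP. The following is an added example (not from the deck) that infers port state from a list of TCP segments; the segment list is constructed for the demo with 192.0.2.0/24 addresses and does not reflect the challenge capture, so it does not answer #17.

```python
SYN, RST, ACK = 0x02, 0x04, 0x10   # TCP flag bits

# Constructed segment list (assumption: made up, not the challenge capture):
# (src_ip, src_port, dst_ip, dst_port, flag bits), in capture order.
PACKETS = [
    ("192.0.2.10", 40001, "192.0.2.20", 22, SYN),
    ("192.0.2.20", 22, "192.0.2.10", 40001, SYN | ACK),
    ("192.0.2.10", 40001, "192.0.2.20", 22, ACK),          # handshake completes: open
    ("192.0.2.10", 40002, "192.0.2.20", 8080, SYN),
    ("192.0.2.20", 8080, "192.0.2.10", 40002, RST | ACK),  # RST-ACK answers the SYN: closed
    ("192.0.2.10", 40003, "192.0.2.20", 443, SYN),
    ("192.0.2.10", 40003, "192.0.2.20", 443, SYN),         # retransmitted SYN, nothing back
]


def port_states(packets):
    """Map (target_ip, port) -> {'state': open|closed|no answer, 'syns_sent': n}.

    A connection attempt is a segment with SYN set and ACK clear. Its reply is the
    segment travelling the opposite way between the same two socket pairs.
    """
    attempts = {}   # (target, tport, prober, pport) -> [state, syn count]
    for src, sport, dst, dport, flags in packets:
        if flags & SYN and not flags & ACK:
            entry = attempts.setdefault((dst, dport, src, sport), ["no answer", 0])
            entry[1] += 1       # repeated SYNs with no reply are the usual 'filtered' signature
    for src, sport, dst, dport, flags in packets:
        entry = attempts.get((src, sport, dst, dport))   # reversed tuple = the reply direction
        if entry is None:
            continue
        if flags & RST:
            entry[0] = "closed"
        elif flags & SYN and flags & ACK:
            entry[0] = "open"
    result = {}
    for (target, tport, _, _), (state, syns) in attempts.items():
        result[(target, tport)] = {"state": state, "syns_sent": syns}
    return result


def closed_ports(packets, target_ip):
    """Ports on target_ip that answered a SYN with a RST."""
    return sorted(port for (ip, port), r in port_states(packets).items()
                  if ip == target_ip and r["state"] == "closed")


if __name__ == "__main__":
    for key, value in sorted(port_states(PACKETS).items()):
        print(key, value)
```

In Wireshark the equivalent filter for the closed-port case is tcp.flags.reset==1 && tcp.flags.ack==1 restricted to the target's address; the code above just makes the pairing of SYN and reply explicit.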

Practical Question - #18

What are the contents of the payload included in a specially crafted ICMP packet found in the capture file?

a. abcdefghijklmnopqrstuvwxyz
b. Words taste like peaches.
c. Save the cheerleader, save the world!
d. !"#$%&'()*+,-./01234567

Practical Question - #19

According to DNS records, what is the IP address of the server “sales.target.tgt”?

a. 10.10.10.7
b. 10.10.10.1
c. 10.10.10.40
d. 10.10.10.12

Practical Question - #20

The web page that the user at 10.10.10.4 visited has a picture of a bridge. Which bridge is it?

a. Tower Bridge
b. Golden Gate Bridge
c. Zakim Bridge
d. Verrazano-Narrows Bridge

Practical Question - #21

What is the OUI of the MAC address for the computer at 10.10.10.78?

a. 00:05:69
b. 00:0C:29
c. 9A:92:A2
d. 00:0C:29:9A:92:A2

Practical Question - #22

What is the name of the file share that the user at 10.10.10.3 connected to?

a. BUYMORE
b. CASTLE
c. FILESHARE
d. HERDFILES

Practical Question - #23

Which of the following commands was used to generate the ping packet from 10.10.10.4?

a. C:\> ping 10.10.10.3
b. C:\> ping -n 1 10.10.10.2
c. $ ping -c 1 10.10.10.3
d. $ ping -t 1 10.10.10.2

Practical Question - #24

How long should a client resolver cache the IP address associated with the name “blog.pseudovision.net”?

a. 1 Hour
b. 15,180 milliseconds
c. 64 minutes
d. 86,400 seconds
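
Questions #11, #19 and #24 are all answered by reading DNS response records out of the capture: the CNAME target, the A record address, and the TTL (a 32-bit count of seconds in every resource record, which is what a resolver caches by). The following is an added example (not from the deck) that parses a DNS response from raw bytes, including the compression pointers that make names in answer sections point back into the question, and then follows a CNAME chain to the address. The response message is constructed for the demo (www.example.net aliasing host1.example.net at 192.0.2.7) and is not the challenge's pseudovision.net data, so it does not give those answers.

```python
import socket
import struct

DNS_TYPES = {1: "A", 5: "CNAME", 15: "MX", 16: "TXT", 252: "AXFR"}


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels, uncompressed."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"


def read_name(msg, off, depth=0):
    """Decode a possibly compressed name at msg[off]; return (name, offset just past it)."""
    if depth > 16:
        raise ValueError("compression pointer loop")   # malformed/hostile message guard
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # 11xxxxxx: two-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = read_name(msg, ptr, depth + 1)
            labels.append(tail)
            return ".".join(labels), off + 2            # a pointer always ends the name
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode())
        off += length


def parse_dns(msg):
    """Parse the header, question and answer sections of one DNS message."""
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    questions, answers = [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, DNS_TYPES.get(qtype, qtype)))
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == 1:
            data = socket.inet_ntoa(rdata)
        elif rtype == 5:
            data, _ = read_name(msg, off)               # CNAME target may itself be compressed
        else:
            data = rdata
        off += rdlen
        answers.append({"name": name, "type": DNS_TYPES.get(rtype, rtype), "ttl": ttl, "data": data})
    return {"id": ident, "response": bool(flags & 0x8000), "questions": questions, "answers": answers}


def chase(answers, qname):
    """Follow CNAMEs from qname to an A record: (final name, ip or None, cache seconds or None).

    Each record is cached for its own TTL, so the name-to-address mapping is only
    guaranteed for the smallest TTL along the chain.
    """
    name, ttl, seen = qname, None, set()
    while name not in seen:
        seen.add(name)
        for rr in answers:
            if rr["name"] == name and rr["type"] == "CNAME":
                ttl = rr["ttl"] if ttl is None else min(ttl, rr["ttl"])
                name = rr["data"]
                break
            if rr["name"] == name and rr["type"] == "A":
                ttl = rr["ttl"] if ttl is None else min(ttl, rr["ttl"])
                return name, rr["data"], ttl
        else:
            return name, None, ttl                      # chain ends without an address
    raise ValueError("CNAME loop")


def build_sample_response():
    """Constructed response (assumption, not capture data): www.example.net CNAME
    host1.example.net (TTL 3600), host1.example.net A 192.0.2.7 (TTL 300)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 2, 0, 0)       # QR=1, RD, RA
    question = encode_name("www.example.net") + struct.pack("!HH", 1, 1)   # name at offset 12
    cname_rdata = b"\x05host1" + struct.pack("!H", 0xC000 | 16)        # "example.net" is at offset 16
    rr1 = struct.pack("!H", 0xC000 | 12) + struct.pack("!HHIH", 5, 1, 3600, len(cname_rdata)) + cname_rdata
    rdata_off = len(header) + len(question) + 12                       # where host1.example.net sits
    rr2 = struct.pack("!H", 0xC000 | rdata_off) + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton("192.0.2.7")
    return header + question + rr1 + rr2


if __name__ == "__main__":
    parsed = parse_dns(build_sample_response())
    print(parsed["answers"])
    print(chase(parsed["answers"], "www.example.net"))
```

The depth limit in read_name matters in practice: a message whose pointer refers to itself would otherwise recurse forever, and a capture you are handed in a challenge or an incident is not guaranteed to be well formed.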

Practical Question - #25

According to the Sender Policy Framework, which IP address is allowed to send e-mail on behalf of the “target.tgt” domain?

a. 10.10.10.40
b. 10.10.10.1
c. 10.10.10.20
d. 10.10.10.8
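
Trivia question #5 shows the record syntax and #25 asks you to apply it: read the domain's SPF policy out of its TXT record and evaluate the mechanisms left to right until one matches, with the qualifier on the matching term giving the result. The following is an added example (not from the deck) of that evaluation for the mechanisms that matter here (ip4, ip6, a, mx, include, all). It assumes a constructed stub resolver: the example.com policy string is the one on the #5 slide, while the MX host, the addresses and the partner.example / relay.example zones are made up. The challenge's target.tgt records are not on the page, so the #25 answer is not reproduced. One caveat for today: RFC 7208 deprecated the dedicated SPF record type, so publish the policy as TXT only.

```python
import ipaddress

# Constructed stub resolver (assumption: the example.com policy is the slide's string;
# the hosts, addresses and the other two zones are made up for the demo).
DNS = {
    ("example.com", "TXT"): ["v=spf1 +mx a:colo.example.com/28 -all"],
    ("example.com", "MX"): ["mail.example.com"],
    ("example.com", "A"): ["192.0.2.1"],
    ("mail.example.com", "A"): ["192.0.2.10"],
    ("colo.example.com", "A"): ["192.0.2.65"],    # /28 widens this to 192.0.2.64 - 192.0.2.79
    ("partner.example", "TXT"): ["v=spf1 ip4:198.51.100.0/24 ~all"],
    ("relay.example", "TXT"): ["v=spf1 include:partner.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype):
    return DNS.get((name.lower().rstrip("."), rtype), [])


def parse_term(term):
    """One SPF term -> (qualifier, mechanism, argument, prefix length or None)."""
    qual = "+"                                   # no qualifier means '+'
    if term[0] in QUALIFIERS:
        qual, term = term[0], term[1:]
    head, _, cidr = term.partition("/")
    mech, _, arg = head.partition(":")
    return qual, mech.lower(), arg, (int(cidr) if cidr else None)


def host_matches(ip, name, prefix):
    """Does ip fall inside any A record of name, widened to /prefix?"""
    for addr in lookup(name, "A"):
        if ip in ipaddress.ip_network(f"{addr}/{prefix}", strict=False):
            return True
    return False


def check_spf(sender_ip, domain, depth=0):
    """Evaluate domain's policy for sender_ip: pass/fail/softfail/neutral/none/permerror."""
    if depth > 10:
        return "permerror"                       # bounds include recursion (RFC 7208 limits lookups)
    policies = [r for r in lookup(domain, "TXT") if r.lower().split(" ", 1)[0] == "v=spf1"]
    if not policies:
        return "none"
    if len(policies) > 1:
        return "permerror"                       # two policies is a publishing error, not a choice
    ip = ipaddress.ip_address(sender_ip)
    for term in policies[0].split()[1:]:
        qual, mech, arg, cidr = parse_term(term)
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            bits = cidr if cidr is not None else (32 if mech == "ip4" else 128)
            matched = ip in ipaddress.ip_network(f"{arg}/{bits}", strict=False)
        elif mech in ("a", "mx"):
            target = arg or domain               # bare 'a' / 'mx' refer to the domain itself
            prefix = cidr if cidr is not None else 32
            hosts = lookup(target, "MX") if mech == "mx" else [target]
            matched = any(host_matches(ip, h, prefix) for h in hosts)
        elif mech == "include":
            matched = check_spf(sender_ip, arg, depth + 1) == "pass"
        else:
            return "permerror"                   # ptr/exists/exp/redirect not handled in this demo
        if matched:
            return QUALIFIERS[qual]
    return "neutral"                             # no term matched and no 'all' present


def passing_senders(domain, candidates):
    """The #25-style check: which of the candidate addresses may send mail for domain."""
    return [c for c in candidates if check_spf(c, domain) == "pass"]


if __name__ == "__main__":
    print(passing_senders("example.com", ["192.0.2.1", "192.0.2.10", "192.0.2.70", "192.0.2.90"]))
```

Note that the domain's own A record (192.0.2.1) fails under the slide's policy because the policy has no bare "a" term, only "mx" and "a:colo.example.com/28"; reading an SPF string is exactly that literal.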

Practical Question - #26

Which web browser is the user at 10.10.10.3 using?

a. Safari
b. Internet Explorer
c. Google Chrome
d. Firefox

Practical Question - #27

Which operating system is running on 10.10.10.3?

a. Fedora Linux
b. Windows 7
c. Windows XP
d. CentOS Linux

Practical Question - #28

Which version of the web server software is running on 10.10.10.2?

a. 2.0.52
b. 2.2.17
c. 1.3.42
d. 2.0.63

Practical Question - #29

Which computer used an ARP probe to make sure that the IP address was not already in use?

a. 10.10.10.1
b. 10.10.10.3
c. 10.10.10.2
d. 10.10.10.4
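
Question #29 turns on one detail of ARP (the protocol from trivia #4): per RFC 5227, a host checking whether an address is free sends an ARP request with its own MAC as sender but a sender IP of 0.0.0.0, which is what distinguishes a probe from an ordinary who-has request or from an announcement (sender IP equal to target IP). The OUI from #21 is simply the first three bytes of the sender MAC. The following is an added example (not from the deck) that parses raw ARP payloads and classifies them; the frames are constructed for the demo with locally administered MAC addresses and 192.0.2.0/24 addresses, not taken from the challenge capture.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"      # htype, ptype, hlen, plen, op, sender MAC/IP, target MAC/IP
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a 28-byte Ethernet/IPv4 ARP payload (used only to construct the sample below)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sender_mac.replace(":", "")), socket.inet_aton(sender_ip),
                       bytes.fromhex(target_mac.replace(":", "")), socket.inet_aton(target_ip))


def parse_arp(payload):
    """Decode an ARP payload; reject anything that is not Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        raise ValueError("short ARP payload")
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {
        "op": op,
        "sender_mac": mac_str(sha), "sender_ip": socket.inet_ntoa(spa),
        "target_mac": mac_str(tha), "target_ip": socket.inet_ntoa(tpa),
        "oui": mac_str(sha[:3]).upper(),          # vendor prefix, the #21-style answer
    }


def classify_arp(pkt):
    """probe / announcement / gratuitous reply / request / reply, per RFC 5227 definitions."""
    if pkt["op"] == ARP_REQUEST and pkt["sender_ip"] == "0.0.0.0":
        return "probe"                            # "is anyone using target_ip?" before claiming it
    if pkt["sender_ip"] == pkt["target_ip"]:
        return "announcement" if pkt["op"] == ARP_REQUEST else "gratuitous reply"
    return "request" if pkt["op"] == ARP_REQUEST else "reply"


def address_conflict_probes(payloads):
    """{(sender_mac, probed_ip), ...}: which host checked whether which address was free."""
    probes = set()
    for payload in payloads:
        pkt = parse_arp(payload)
        if classify_arp(pkt) == "probe":
            probes.add((pkt["sender_mac"], pkt["target_ip"]))
    return probes


# Constructed frames (assumption: made up, not the challenge capture).
SAMPLE_ARP = [
    build_arp(ARP_REQUEST, "02:00:00:00:00:01", "0.0.0.0", "00:00:00:00:00:00", "192.0.2.50"),     # probe
    build_arp(ARP_REQUEST, "02:00:00:00:00:01", "192.0.2.50", "00:00:00:00:00:00", "192.0.2.50"),  # announcement
    build_arp(ARP_REQUEST, "02:00:00:00:00:02", "192.0.2.1", "00:00:00:00:00:00", "192.0.2.50"),   # who-has
    build_arp(ARP_REPLY, "02:00:00:00:00:01", "192.0.2.50", "02:00:00:00:00:02", "192.0.2.1"),     # is-at
]

if __name__ == "__main__":
    for frame in SAMPLE_ARP:
        pkt = parse_arp(frame)
        print(classify_arp(pkt), pkt)
```

The same classification is a useful detection primitive: unsolicited announcements and gratuitous replies that rebind an IP to a new MAC are what ARP cache poisoning looks like on the wire, and a probe for an address that is already answering is the conflict case RFC 5227 was written for.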

Practical Question - #30

What is the hostname of the system running on 10.10.10.3?

a. BUYMORE
b. AWESOME
c. ORION
d. JEFFSTER

Outcomes


~800 Took the exam


Top 300* Went to Cyber Camp


Some with scores as low as 25 attended**


Ages 18-50s


Students and Professionals


Various backgrounds


Pen Testers


Incident Handlers


Forensic Investigators


Network/Firewall
Admins



*: Some chose not to attend, so slots were then offered to others

**: Based upon my personal conversations with participants

The Gap Between Education and Employment

Chart: Educational Institutions, Industry, Personal Endeavors (time spans shown: 4 Years, 2-5 Years, 6 Months, 10 Years)

Working Models


Try Outs/Competitions


Development Programs


Training For Service


Internship Recruitment


Possible Solutions

Chart: Educational Institutions, Industry; Development Programs, Training For Service, Try Outs, Internships (time spans shown: 3 Years, 1-3 Years, 0-2 Years, 3 Years, 1)

Other Conclusions


I am not a $ cruncher


Nurture vs. Nature


Don’t rely upon educational institutes


Don’t rely upon other companies or certifications to develop your professionals


Quality of professionals will save you $ in the long run


Questions?