Solving the US Cyber Challenge: Cyber Quest

Post on 23-Feb-2016



Skyler Onken
Senior, Brigham Young University – Idaho
OnPoint Development Group LLC
CEH, Security+, ECSA, CISSP (Associate)

Twitter: @skyleronken
Blog: http://securityreliks.securegossip.com

End State
A) Technical knowledge
B) Better understand the skill level expected of new security professionals

What is the USCC?
• Government & Corporate
• Improve the industry
• Identify promising individuals
• Assess the education of security students
• Varying security related competitions
• SANS Training Events (Regional and State)

March 2011 Cyber Quest
• 15 Trivia
• 15 Practical
  ▫ Vulnerable Web Application

April 2011 Cyber Quest
• 10 Trivia
• 20 Practical
  ▫ PCAP file

The Questions

Trivia Question - #1
• Which DNS record type will request a copy of an entire DNS zone?
  a. ZONE
  b. AXFR
  c. A
  d. PTR
  Answer: b. AXFR (a zone transfer request; an open AXFR hands an attacker the whole zone, which is why the recon phase always tries one)

Trivia Question - #2
• Which protocol does the "ping" utility use to test network connectivity between two hosts?
  a. UDP
  b. TCP
  c. IP
  d. ICMP
  Answer: d. ICMP (echo request, type 8, and echo reply, type 0)

Trivia Question - #3
• Which HTTP header field identifies the web browser being used by the client?
  a. Host
  b. Server
  c. Browser
  d. User-Agent
  Answer: d. User-Agent

Trivia Question - #4
• Which protocol do computers use to exchange information about their MAC addresses to other computers on the same subnet?
  a. DNS
  b. DHCP
  c. ARP
  d. RSVP
  Answer: c. ARP

Trivia Question - #5
• Before the SPF DNS record type was created to address e-mail spam, which DNS record type did Sender Policy Framework utilize?
  a. MX
  b. TXT
  c. SRV
  d. PTR
  Answer: b. TXT. The two forms carry the same policy string:
  example.com. IN TXT "v=spf1 +mx a:colo.example.com/28 -all"
  example.com. IN SPF "v=spf1 +mx a:colo.example.com/28 -all"

Trivia Question - #6
• Which of the following represents the correct sequence of TCP packets to complete the 3-way handshake?
  a. SYN, SYN-ACK, ACK
  b. SYN, ACK, SYN-ACK
  c. FIN, FIN-ACK, ACK
  d. SYN, FIN, ACK
  Answer: a. SYN, SYN-ACK, ACK

Trivia Question - #7
• Which of the following represents a valid path to a file share using SMB/CIFS on a Windows system?
  a. \\SERVERNAME\SHARENAME
  b. smb.servername.com/sharename
  c. \\SHARENAME.SERVERNAME\
  d. C:\SERVERNAME\SHARENAME
  Answer: a. \\SERVERNAME\SHARENAME

Trivia Question - #8
• Which HTTP status code indicates that authentication is required?
  a. 400
  b. 401
  c. 500
  d. 200
  Answer: b. 401 (the response carries a WWW-Authenticate header naming the scheme)

Trivia Question - #9
• When a TCP port is closed, what type of packet will typically be sent in response to an incoming packet?
  a. TCP RST packet
  b. ICMP Port Unreachable packet
  c. TCP CLD packet
  d. TCP SYN-ACK packet
  Answer: a. TCP RST packet (ICMP Port Unreachable is the closed-port response for UDP; "CLD" is not a TCP flag)

Trivia Question - #10
• Which HTTP method is most commonly used when submitting sensitive data to a web application?
  a. POST
  b. TRACE
  c. SECURE
  d. GET
  Answer: a. POST (GET puts the data in the URL, where it lands in browser history, proxy and server logs)

Practical Question - #11
• The DNS name "wireless.pseudovision.net" is actually a canonical alias (CNAME record). What DNS name does it point to?
  a. blog.pseudovision.net
  b. server1.pseudovision.net
  c. server2.pseudovision.net
  d. wireless.target.tgt

Practical Question - #12
• Which password did the user at 10.10.10.4 use to connect to 10.10.10.1 using Telnet?
  a. gobbler
  b. contaminated
  c. C007P@33
  d. admin

Practical Question - #13
• Which operating system is running on 10.10.10.2?
  a. Fedora Linux
  b. Windows XP
  c. Windows 7
  d. CentOS Linux

Practical Question - #14
• The web page that the user at 10.10.10.3 visited required a username and password. What was the password that the user supplied?
  a. trash
  b. admin
  c. treasure
  d. str0ng!pw
  The captured Authorization header used HTTP Basic authentication, which is only base64 of "user:password":
  sonken@bt:~# echo -n "YWRtaW46c3RyMG5nIXB3" | base64 -d
  admin:str0ng!pw
  Answer: d. str0ng!pw

Practical Question - #15
• A web page that the user at 10.10.10.4 visited required a username and password. What was the password that the user supplied?
  a. beautiful
  b. beethoven29
  c. camera101
  d. yuri

Practical Question - #16
• Prior to the session recorded in the supplied PCAP file, when was the last time the user at 10.10.10.4 connected to 10.10.10.1 via Telnet?
  a. Monday, March 7th
  b. Wednesday, March 30th
  c. Friday, March 11th
  d. Tuesday, April 5th
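Questions #12 and #16 are both answered from the same Telnet stream: the password is whatever the client sent between the "Password:" prompt and the next newline, and the "Last login:" banner the server prints after a successful login gives the previous session. The catch is that Telnet sends each keystroke in its own TCP segment and wraps the start of the session in IAC option negotiation, so nothing useful appears in any single packet. The following script is an added example, not code from the presentation or from the competition; it works on the TCP payloads of both directions (as you would get them from Wireshark's Follow TCP Stream or tshark's `-z follow`) and the session it reassembles is constructed here, with made-up host, credentials and timestamp.

```python
"""Reassemble a captured Telnet login from the TCP payloads of both directions.

Telnet puts every keystroke in its own segment and the server echoes each one
back, so the password never appears whole in any single packet. Stripping the
IAC option negotiation and concatenating the client-side payloads rebuilds
what the user typed; the server side carries the prompts and the banner.
"""
import re

IAC, SB, SE = 0xFF, 0xFA, 0xF0


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC command sequences (RFC 854) and return only the user data."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
            continue
        if i + 1 >= len(data):          # dangling IAC at the end of a segment
            break
        cmd = data[i + 1]
        if cmd == IAC:                   # IAC IAC is an escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif cmd == SB:                  # sub-negotiation runs until IAC SE
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        elif 0xFB <= cmd <= 0xFE:        # WILL / WONT / DO / DONT carry one option byte
            i += 3
        else:                            # NOP, AYT, GA, ... are two bytes
            i += 2
    return bytes(out)


def reassemble_login(segments):
    """segments: (direction, payload) pairs in capture order, direction 'c2s' or 's2c'.

    Returns the lines the client typed, the text the server sent, the values typed
    in answer to the login/password prompts, and the 'Last login:' banner.
    """
    server, line, typed, creds, expecting = bytearray(), bytearray(), [], {}, None
    for direction, payload in segments:
        clean = strip_telnet_negotiation(payload)
        if direction == 's2c':
            server += clean
            tail = server.rstrip(b' ').lower()
            if tail.endswith(b'login:'):
                expecting = 'username'
            elif tail.endswith(b'password:'):
                expecting = 'password'
            continue
        for b in clean.replace(b'\r\x00', b'\r\n'):   # Telnet end-of-line is CR LF or CR NUL
            if b == 0x0A:
                text = line.rstrip(b'\r').decode('ascii', 'replace')
                typed.append(text)
                if expecting:
                    creds[expecting] = text
                    expecting = None
                line = bytearray()
            elif b in (0x08, 0x7F):                     # backspace / DEL: the user fixed a typo
                if line:
                    line.pop()
            else:
                line.append(b)
    banner = re.search(rb'Last login: ([^\r\n]+)', server)
    return {
        'typed': typed,
        'server_text': server.decode('ascii', 'replace'),
        'username': creds.get('username'),
        'password': creds.get('password'),
        'last_login': banner.group(1).decode('ascii', 'replace') if banner else None,
    }


def _keystrokes(text, echo=True):
    """Constructed traffic: one segment per character, echoed unless it is a password."""
    segs = []
    for ch in text:
        segs.append(('c2s', ch.encode()))
        if echo:
            segs.append(('s2c', ch.encode()))
    segs.append(('c2s', b'\r\n'))
    return segs


# Constructed session (not the competition capture): option negotiation, a banner,
# a username typed with a corrected typo, a non-echoed password, and a last-login line.
SESSION = (
    [('s2c', b'\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27'),   # DO TERMINAL-TYPE, TSPEED, XDISPLOC, NEW-ENVIRON
     ('c2s', b'\xff\xfb\x18\xff\xfb\x20\xff\xfc\x23\xff\xfb\x27'),   # WILL / WONT replies
     ('s2c', b'\xff\xfa\x18\x01\xff\xf0'),                            # SB TERMINAL-TYPE SEND SE
     ('c2s', b'\xff\xfa\x18\x00XTERM\xff\xf0'),                       # SB TERMINAL-TYPE IS "XTERM" SE
     ('s2c', b'Demo Router\r\n\r\nrouter login: ')]
    + _keystrokes('admim\x7fn')                                        # typo, DEL, corrected
    + [('s2c', b'\r\nPassword: ')]
    + _keystrokes('s3cret-demo', echo=False)
    + [('s2c', b'\r\nLast login: Mon Jan  3 10:00:00 2011 from 10.0.0.9\r\nrouter> ')]
)

if __name__ == '__main__':
    print(reassemble_login(SESSION))
```

Two things in the output matter for the quest: the password shows up only in the client direction, so the usual "look at what the server echoed" shortcut misses it, and the "Last login" line is server text, so both directions have to be kept. Feeding the script a real stream means exporting each direction's bytes in order; Wireshark's "Follow TCP Stream" with the direction selector does that.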

Practical Question - #17
• Which of the following TCP ports is closed on 10.10.10.1?
  a. 80
  b. 445
  c. 22
  d. 23

Practical Question - #18
• What are the contents of the payload included in a specially crafted ICMP packet found in the capture file?
  a. abcdefghijklmnopqrstuvwxyz
  b. Words taste like peaches.
  c. Save the cheerleader, save the world!
  d. !"#$%&'()*+,-./01234567

Practical Question - #19
• According to DNS records, what is the IP address of the server "sales.target.tgt"?
  a. 10.10.10.7
  b. 10.10.10.1
  c. 10.10.10.40
  d. 10.10.10.12

Practical Question - #20
• The web page that the user at 10.10.10.4 visited has a picture of a bridge. Which bridge is it?
  a. Tower Bridge
  b. Golden Gate Bridge
  c. Zakim Bridge
  d. Verrazano-Narrows Bridge

Practical Question - #21
• What is the OUI of the MAC address for the computer at 10.10.10.78?
  a. 00:05:69
  b. 00:0C:29
  c. 9A:92:A2
  d. 00:0C:29:9A:92:A2
  Answer: b. 00:0C:29. The OUI is the first three octets of the 48-bit address; option d is the whole MAC, option c is the device-specific half.

Practical Question - #22
• What is the name of the file share that the user at 10.10.10.3 connected to?
  a. BUYMORE
  b. CASTLE
  c. FILESHARE
  d. HERDFILES

Practical Question - #23
• Which of the following commands was used to generate the ping packet from 10.10.10.4?
  a. C:\> ping 10.10.10.3
  b. C:\> ping -n 1 10.10.10.2
  c. $ ping -c 1 10.10.10.3
  d. $ ping -t 1 10.10.10.2
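Questions #18 and #23 both come down to reading ICMP echo payloads. Stock ping tools have recognisable fill: Windows sends a 32-byte payload of "abcdefghijklmnopqrstuvwabcdefghi", and iputils ping on Linux sends 56 bytes in which every byte equals its own offset, with the first 8 or 16 bytes overwritten by a timestamp, so the printable tail reads !"#$%&'()*+,-./01234567. Anything else is a crafted packet (or a covert channel) and its payload is the answer to #18. For #23 the payload style says which tool sent it, and the number of echo requests in the capture says whether a count flag was used (Windows defaults to 4 echoes, -n sets the count; Linux -c sets the count, while Linux -t sets the TTL, which is why option d makes no sense as a count). The script below is an added example, not the presenter's; it parses raw IPv4/ICMP bytes, verifies the ICMP checksum, classifies the payload, and guesses the command. The sample packets are constructed here with documentation-range addresses, and the command guess is a heuristic, not something the capture states.

```python
"""Parse ICMP echo requests out of raw IPv4 packets and tell a stock ping apart
from a crafted one by its payload."""
import struct

# Windows ping fills its 32-byte payload with this fixed string.
WINDOWS_PATTERN = b'abcdefghijklmnopqrstuvwabcdefghi'


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum, used by both the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def parse_icmp(packet: bytes) -> dict:
    """Split a raw IPv4 packet into addresses, ICMP header fields and payload."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError('not ICMP')
    src = '.'.join(map(str, packet[12:16]))
    dst = '.'.join(map(str, packet[16:20]))
    icmp = packet[ihl:]
    typ, code, csum, ident, seq = struct.unpack('!BBHHH', icmp[:8])
    return {
        'src': src, 'dst': dst, 'type': typ, 'code': code, 'id': ident, 'seq': seq,
        'payload': icmp[8:],
        # Recompute over the ICMP message with its checksum field zeroed.
        'checksum_ok': inet_checksum(icmp[:2] + b'\x00\x00' + icmp[4:]) == csum,
    }


def classify_payload(payload: bytes) -> str:
    if payload == WINDOWS_PATTERN:
        return 'windows-ping'
    # iputils (Linux): data byte i == i, then the leading 8 or 16 bytes become a
    # timestamp. A default 56-byte payload therefore ends with 0x10..0x37.
    if len(payload) == 56 and payload[16:] == bytes(range(16, 56)):
        return 'linux-ping'
    return 'custom'


def guess_ping_command(packets):
    """Heuristic: payload style gives the tool, echo-request count gives the count flag."""
    requests = [p for p in (parse_icmp(x) for x in packets) if p['type'] == 8]
    if not requests:
        return None
    n, dst = len(requests), requests[0]['dst']
    style = classify_payload(requests[0]['payload'])
    if style == 'windows-ping':
        return f'ping {dst}' if n == 4 else f'ping -n {n} {dst}'
    if style == 'linux-ping':
        return f'ping -c {n} {dst}'
    return None                                   # crafted packet: not a stock ping at all


def build_echo_request(src: str, dst: str, payload: bytes, ident=0x1234, seq=1) -> bytes:
    """Constructed packet for the demo: IPv4 header + ICMP echo request, valid checksums."""
    icmp = struct.pack('!BBHHH', 8, 0, 0, ident, seq) + payload
    icmp = icmp[:2] + struct.pack('!H', inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     bytes(map(int, src.split('.'))), bytes(map(int, dst.split('.'))))
    ip = ip[:10] + struct.pack('!H', inet_checksum(ip)) + ip[12:]
    return ip + icmp


LINUX_PAYLOAD = bytes(16) + bytes(range(16, 56))       # timestamp zeroed for the demo
SAMPLES = [  # constructed; 192.0.2.0/24 is a documentation range, not the capture's network
    build_echo_request('192.0.2.4', '192.0.2.3', LINUX_PAYLOAD),
    build_echo_request('192.0.2.4', '192.0.2.2', WINDOWS_PATTERN),
    build_echo_request('192.0.2.4', '192.0.2.2', b'a hidden message travels in the echo'),
]

if __name__ == '__main__':
    for pkt in SAMPLES:
        info = parse_icmp(pkt)
        print(info['src'], '->', info['dst'], classify_payload(info['payload']), info['checksum_ok'])
    print(guess_ping_command(SAMPLES[:1]))
```

On a real capture, the quickest way to get at the payloads is the Wireshark filter icmp.type == 8, then look at the data bytes of any request whose payload does not match one of the two stock patterns. A crafted packet with a bad checksum is still delivered by most capture setups, which is why checksum_ok is reported rather than used to drop the packet.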

Practical Question - #24
• How long should a client resolver cache the IP address associated with the name "blog.pseudovision.net"?
  a. 1 Hour
  b. 15,180 milliseconds
  c. 64 minutes
  d. 86,400 seconds

Practical Question - #25
• According to the Sender Policy Framework, which IP address is allowed to send e-mail on behalf of the "target.tgt" domain?
  a. 10.10.10.40
  b. 10.10.10.1
  c. 10.10.10.20
  d. 10.10.10.8
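Questions #11, #19, #24 and #25 (and trivia #5) are all answered from DNS answer records: a CNAME points at another name, an A record gives the address, the TTL says how long a resolver may cache it, and the SPF policy lives in a TXT record (the dedicated SPF type was later retired by RFC 7208) whose mechanisms name the permitted senders. The example below is added here and is not the presenter's code; it loads records written in the same name/TTL/class/type/rdata layout that dig prints, follows a CNAME chain, reports the effective cache lifetime, and evaluates the ip4, a, mx and all mechanisms of an SPF record for a candidate sending address. The zone data is constructed: it reuses the competition's names, but every address and TTL is made up and says nothing about the real answers.

```python
"""Answer the DNS questions from zone data: follow CNAMEs, work out how long a
resolver may cache an answer, and evaluate an SPF policy for a sending IP."""
import ipaddress
import re

# Constructed zone in dig/zone-file syntax (name TTL class type rdata).
# The names echo the competition's, but every address and TTL here is made up.
ZONE = """
blog.pseudovision.net.       3600 IN A     192.0.2.10
wireless.pseudovision.net.    300 IN CNAME blog.pseudovision.net.
target.tgt.                  3600 IN MX    10 mail.target.tgt.
mail.target.tgt.             3600 IN A     192.0.2.20
target.tgt.                  3600 IN TXT   "v=spf1 +mx ip4:192.0.2.64/28 -all"
"""

RR = re.compile(r'(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)')
QUALIFIERS = {'+': 'pass', '-': 'fail', '~': 'softfail', '?': 'neutral'}
MECHANISM = re.compile(r'(all|ip4|a|mx)(?::([^/]+))?(?:/(\d+))?$', re.I)


def norm(name):
    return name.lower().rstrip('.')


def load_zone(text):
    records = []
    for line in text.strip().splitlines():
        m = RR.match(line.strip())
        if m:
            name, ttl, rtype, rdata = m.groups()
            records.append((norm(name), int(ttl), rtype.upper(), rdata.strip().strip('"')))
    return records


def lookup(records, name, rtype):
    return [(ttl, rdata) for n, ttl, t, rdata in records if n == norm(name) and t == rtype]


def resolve_a(records, name):
    """Follow the CNAME chain to A records; returns (addresses, ttl, chain).

    The cache lifetime of the whole answer is the smallest TTL on the chain:
    once the alias expires the resolver must ask again, however long the
    final A record is good for.
    """
    name, chain, ttl, seen = norm(name), [], None, set()
    while True:
        if name in seen:
            raise ValueError('CNAME loop at ' + name)
        seen.add(name)
        cnames = lookup(records, name, 'CNAME')
        if not cnames:
            break
        t, target = cnames[0]
        ttl = t if ttl is None else min(ttl, t)
        name = norm(target)
        chain.append(name)
    answers = lookup(records, name, 'A')
    for t, _ in answers:
        ttl = t if ttl is None else min(ttl, t)
    return [a for _, a in answers], ttl, chain


def spf_record(records, domain):
    # SPF was published in TXT before the SPF RR type existed, and RFC 7208
    # retired the dedicated type again, so TXT is checked first.
    for _, txt in lookup(records, domain, 'TXT') + lookup(records, domain, 'SPF'):
        if txt.lower().startswith('v=spf1'):
            return txt
    return None


def spf_check(records, domain, sender_ip):
    """Evaluate ip4, a, mx and all (with /prefix and qualifiers) left to right.
    include, ptr, exists and redirect are not implemented in this example."""
    ip = ipaddress.ip_address(sender_ip)
    txt = spf_record(records, domain)
    if txt is None:
        return 'none'
    for term in txt.split()[1:]:
        qual = '+'
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        m = MECHANISM.match(term)
        if not m:
            continue                                   # unsupported mechanism, skipped here
        mech, arg, prefix = m.group(1).lower(), m.group(2), m.group(3)
        if mech == 'all':
            return QUALIFIERS[qual]
        if mech == 'ip4':
            nets = [ipaddress.ip_network(arg + ('/' + prefix if prefix else ''), strict=False)]
        else:
            hosts = [arg or domain]
            if mech == 'mx':                           # the MX targets' addresses
                hosts = [rd.split()[-1] for _, rd in lookup(records, arg or domain, 'MX')]
            addrs = [a for h in hosts for a in resolve_a(records, h)[0]]
            nets = [ipaddress.ip_network(f'{a}/{prefix or 32}', strict=False) for a in addrs]
        if any(ip in n for n in nets):
            return QUALIFIERS[qual]
    return 'neutral'                                   # RFC 7208: nothing matched, no 'all'


RECORDS = load_zone(ZONE)
```

For the quest the records come out of the capture rather than a zone file (Wireshark filter dns.flags.response == 1, then the Answers section of each response), but the reasoning is the same: the CNAME target answers #11, the A record answers #19, the TTL of the record that was actually returned answers #24, and the addresses the SPF mechanisms expand to answer #25. Note that "+mx" expands through two lookups, MX then A, so the permitted sender is the mail host's address, not the domain's own.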

Practical Question - #26
• Which web browser is the user at 10.10.10.3 using?
  a. Safari
  b. Internet Explorer
  c. Google Chrome
  d. Firefox

Practical Question - #27
• Which operating system is running on 10.10.10.3?
  a. Fedora Linux
  b. Windows 7
  c. Windows XP
  d. CentOS Linux

Practical Question - #28
• Which version of the web server software is running on 10.10.10.2?
  a. 2.0.52
  b. 2.2.17
  c. 1.3.42
  d. 2.0.63
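Questions #14, #15, #26, #27 and #28 are all read off HTTP headers: the Authorization header (Basic is just base64 of user:password) or the form body of a POST carries the credentials, the User-Agent names the browser and, through its "Windows NT x.y" or distribution token, the operating system, and the server's Server header gives the software and version. The script below is an added example, not code from the presentation; it parses raw request and response text and extracts all of that. The Basic token is the one decoded on the #14 slide; the hostnames, User-Agent strings, form fields and Server banner are constructed here and are not what the capture contains.

```python
"""Pull the evidence for the HTTP questions out of a captured request/response:
credentials (Basic header or posted form), browser and OS from the User-Agent,
and the server software version."""
import base64
import re
from urllib.parse import parse_qs

# Constructed messages (not from the competition capture). The Basic token is the
# one shown on the slide; everything else in these messages is made up.
SAMPLE_REQUEST = (
    "GET /private/ HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)\r\n"
    "Authorization: Basic YWRtaW46c3RyMG5nIXB3\r\n"
    "\r\n"
)
SAMPLE_FORM_POST = (
    "POST /login HTTP/1.1\r\n"
    "Host: intranet.example\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 33\r\n"
    "\r\n"
    "username=alice&password=demo%21pw"
)
SAMPLE_RESPONSE = (
    "HTTP/1.1 401 Authorization Required\r\n"
    "Server: Apache/2.2.3 (Unix)\r\n"
    "WWW-Authenticate: Basic realm=\"private\"\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)
WINDOWS_NT = {'5.1': 'Windows XP', '5.2': 'Windows XP x64 / Server 2003', '6.0': 'Windows Vista',
              '6.1': 'Windows 7', '6.2': 'Windows 8', '6.3': 'Windows 8.1', '10.0': 'Windows 10/11'}


def parse_http(raw):
    """Split a raw HTTP message into (start line, headers with lower-case names, body)."""
    head, _, body = raw.partition('\r\n\r\n')
    lines = head.split('\r\n')
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def basic_credentials(headers):
    """Basic auth is only base64(user:password); whoever holds the capture has the password."""
    scheme, _, token = headers.get('authorization', '').partition(' ')
    if scheme.lower() != 'basic':
        return None
    user, _, password = base64.b64decode(token).decode('utf-8', 'replace').partition(':')
    return user, password


def form_credentials(body, headers):
    """Credentials posted as a form travel URL-encoded in the body, equally in the clear."""
    if not headers.get('content-type', '').startswith('application/x-www-form-urlencoded'):
        return None
    fields = parse_qs(body)
    user = next((v[0] for k, v in fields.items() if k.lower() in ('user', 'username', 'login', 'email')), None)
    password = next((v[0] for k, v in fields.items() if 'pass' in k.lower()), None)
    return user, password


def identify_browser(ua):
    if 'MSIE' in ua or 'Trident/' in ua:
        return 'Internet Explorer'
    if 'Firefox/' in ua:
        return 'Firefox'
    if 'Edg/' in ua:
        return 'Edge'
    if 'Chrome/' in ua:          # Chrome also claims "Safari/", so check it first
        return 'Google Chrome'
    if 'Safari/' in ua:
        return 'Safari'
    return 'unknown'


def identify_os(ua):
    m = re.search(r'Windows NT (\d+\.\d+)', ua)
    if m:
        return WINDOWS_NT.get(m.group(1), 'Windows NT ' + m.group(1))
    for distro in ('Fedora', 'CentOS', 'Ubuntu'):   # some distribution builds add their name
        if distro in ua:
            return distro + ' Linux'
    if 'Linux' in ua:
        return 'Linux'
    if 'Mac OS X' in ua:
        return 'macOS'
    return 'unknown'


def server_version(headers):
    """'Apache/2.2.3 (Unix)' -> ('Apache', '2.2.3'); None if the banner is absent or hides the version."""
    m = re.match(r'([\w-]+)/([\d.]+)', headers.get('server', ''))
    return m.groups() if m else None


def summarize(raw_request, raw_response):
    start, req_headers, req_body = parse_http(raw_request)
    _, resp_headers, _ = parse_http(raw_response)
    ua = req_headers.get('user-agent', '')
    return {
        'request': start,
        'credentials': basic_credentials(req_headers) or form_credentials(req_body, req_headers),
        'browser': identify_browser(ua),
        'os': identify_os(ua),
        'server': server_version(resp_headers),
    }
```

The User-Agent mapping is only as good as the tokens the browser chooses to send, and a Server header can be trimmed with ServerTokens Prod or rewritten, so in a real assessment confirm the version another way; in the quest the banner is what the question is asking for. Note that a response with a "Server" header answers #28 for 10.10.10.2, while the User-Agent that answers #26 and #27 is in the request from 10.10.10.3, so the two come from different packets.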

Practical Question - #29
• Which computer used an ARP probe to make sure that the IP address was not already in use?
  a. 10.10.10.1
  b. 10.10.10.3
  c. 10.10.10.2
  d. 10.10.10.4
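Questions #21 and #29 both live in the ARP traffic. An ARP probe (RFC 5227) is an ARP request whose sender protocol address is 0.0.0.0 and whose target address is the one the host is about to claim; it is how a host checks for a duplicate before using an address, so the probing host is identified by the sender MAC rather than by an IP. The OUI of any MAC address is its first three octets, and a small lookup against the IEEE registry turns it into a vendor. The script below is an added example, not the presenter's; it decodes Ethernet II frames carrying ARP, classifies probes, announcements, requests and replies, extracts the OUI, and resolves a few well-known OUIs. The frames are constructed here with made-up addresses.

```python
"""Decode ARP frames from raw Ethernet, pull out the OUI, and spot ARP probes."""
import struct

ETHERTYPE_ARP = 0x0806
# A few well-known OUI assignments from the IEEE registry; the real list is far larger.
OUI_VENDORS = {
    '00:0C:29': 'VMware, Inc.',
    '00:05:69': 'VMware, Inc.',
    '00:50:56': 'VMware, Inc.',
    '08:00:27': 'PCS Systemtechnik GmbH (VirtualBox)',
}


def fmt_mac(b: bytes) -> str:
    return ':'.join(f'{x:02X}' for x in b)


def oui(mac: str) -> str:
    """The OUI is the first three octets of the 48-bit address."""
    return ':'.join(mac.upper().replace('-', ':').split(':')[:3])


def parse_arp_frame(frame: bytes):
    """Return a dict for an Ethernet II frame carrying IPv4 ARP, or None for anything else."""
    if len(frame) < 42:
        return None
    dst, src, ethertype = struct.unpack('!6s6sH', frame[:14])
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack('!HHBBH6s4s6s4s', frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None                      # only Ethernet/IPv4 ARP is handled here
    sender_ip = '.'.join(map(str, spa))
    target_ip = '.'.join(map(str, tpa))
    if oper == 1 and sender_ip == '0.0.0.0':
        kind = 'probe'                   # RFC 5227: "is anyone already using this address?"
    elif oper == 1 and sender_ip == target_ip:
        kind = 'announcement'            # gratuitous ARP after the address is taken
    elif oper == 1:
        kind = 'request'
    elif oper == 2:
        kind = 'reply'
    else:
        kind = f'opcode-{oper}'
    sender_mac = fmt_mac(sha)
    return {'kind': kind, 'sender_mac': sender_mac, 'sender_ip': sender_ip,
            'target_mac': fmt_mac(tha), 'target_ip': target_ip,
            'sender_oui': oui(sender_mac),
            'sender_vendor': OUI_VENDORS.get(oui(sender_mac), 'unknown')}


def find_probes(frames):
    """Hosts that checked an address was free before taking it: [(mac, probed_ip)]."""
    out = []
    for f in frames:
        a = parse_arp_frame(f)
        if a and a['kind'] == 'probe':
            out.append((a['sender_mac'], a['target_ip']))
    return out


def build_arp(sender_mac, sender_ip, target_ip, oper=1, target_mac='00:00:00:00:00:00',
              dst_mac='FF:FF:FF:FF:FF:FF'):
    """Constructed frame builder for the demo."""
    mac = lambda s: bytes(int(x, 16) for x in s.split(':'))
    ip = lambda s: bytes(int(x) for x in s.split('.'))
    eth = struct.pack('!6s6sH', mac(dst_mac), mac(sender_mac), ETHERTYPE_ARP)
    arp = struct.pack('!HHBBH6s4s6s4s', 1, 0x0800, 6, 4, oper,
                      mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))
    return eth + arp


# Constructed traffic (not the competition capture): a probe, a normal request, a reply,
# and a truncated non-ARP frame that must be ignored.
FRAMES = [
    build_arp('00:0C:29:AA:BB:CC', '0.0.0.0', '192.0.2.78'),                   # probe before using .78
    build_arp('00:0C:29:AA:BB:CC', '192.0.2.78', '192.0.2.1'),                 # who has .1?
    build_arp('00:50:56:11:22:33', '192.0.2.1', '192.0.2.78', oper=2,
              target_mac='00:0C:29:AA:BB:CC', dst_mac='00:0C:29:AA:BB:CC'),    # .1 answers
    b'\xff' * 14,
]

if __name__ == '__main__':
    for f in FRAMES:
        print(parse_arp_frame(f))
    print(find_probes(FRAMES))
```

In Wireshark the equivalent filter for #29 is arp.isprobe == 1 (or arp.src.proto_ipv4 == 0.0.0.0); the probing host has no IP of its own yet at that moment, which is the whole point, so match its MAC to a later frame to pin down which of the four addresses it ended up with. For #21, the first three octets of the MAC seen in any frame from 10.10.10.78 are the OUI, and the three VMware prefixes in the table are a reminder that a lab capture usually comes from virtual machines.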

Practical Question - #30
• What is the hostname of the system running on 10.10.10.3?
  a. BUYMORE
  b. AWESOME
  c. ORION
  d. JEFFSTER

Outcomes
• ~800 took the exam
• Top 300* went to Cyber Camp
• Some with scores as low as 25 attended**
• Ages 18-50's
• Students and professionals
• Various backgrounds
  ▫ Pen Testers
  ▫ Incident Handlers
  ▫ Forensic Investigators
  ▫ Network/Firewall Admins

*: Some chose not to attend, so slots were then offered to others
**: Based upon my personal conversations with participants

The Gap Between Education and Employment
(Diagram: three routes into the profession and how long each takes)
• Educational Institutions: 4 years
• Industry: 2-5 years
• Personal Endeavors: 6 months – 10 years

Working Models
• Try Outs/Competitions
• Development Programs
• Training For Service
• Internship Recruitment

Possible Solutions
(Diagram: the same routes, shortened by the working models above)
• Educational Institutions: 3 years
• Industry: Development Programs (1-3 years), Training For Service (0-2 years), Try Outs
• Internships: 3 years, running alongside the educational track

Other Conclusions
• I am not a $ cruncher
• Nurture vs. Nature
• Don't rely upon educational institutes
• Don't rely upon other companies or certifications to develop your professional
• Quality of professional will save you $ in the long run

Questions?