A capture-the-flag (CTF) is a popular format for cybersecurity competitions that presents individuals (or teams) with online challenges (see link). The following basic skills, tools and links are recommended to prepare for a CTF:

CTF Skill Domain Areas:

  1. General Preparation – Personal Lab (Kali Linux)
  2. Linux Command Line (SSH, find, file, file permissions, grep, hidden files, chmod, chown, netcat, sudo, file types, shell scripts, etc.)
  3. Log Analysis (grep, sort, uniq, cmp (compare), gawk)
  4. Basic Cryptography (hex/ASCII/binary numbers, Caesar, ROT13, base64, Vigenère, steganography, file types)
  5. Open Source Intelligence / Recon (DNS lookup, metadata)
  6. Scanning (open ports/nmap, hidden directories/Dirbuster)
  7. Web Exploitation (inspect source code, cookies, robots.txt, curl)
  8. Password Cracking (Hashcat, brute-force, dictionary, John, rockyou.txt, etc.)
  9. Traffic Analysis (network ports, Wireshark)
  10. Enumeration & Exploitation (strings, basic reverse engineering, TBD)
  11. Wireless Security (Wireshark, TBD)

Key Links, Tools and Commands:

1. Personal Cyber Lab (Kali Linux)

Create a personal cyber lab with the free open source Kali Linux and other software installed in a VirtualBox (or VMware) environment. Refer to the personal cyber lab link for more information regarding the minimum configuration and software requirements.

2. General – Numbering systems and Character Encoding

Be able to convert between the computer number formats (binary, hexadecimal, decimal) and text (ASCII) encoding, in either direction.

3. Cryptography Links

Includes techniques used to encrypt or obfuscate messages, and tools that can be leveraged to extract the plain text. These range from simple ciphers (Caesar) to complex ciphers (e.g., RSA). Steganography is the art or practice of concealing a message, image, or file within another message, image, or file. CTF steganography usually involves finding the hints or flags that have been hidden with steganography (most commonly in a media file).
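As an added example that is not part of the original guide, the following POSIX shell script decodes the simple encodings just named (Caesar/ROT13, hex and base64) with standard Linux tools only; every sample string, and the flag{...} marker used to spot the right Caesar shift, is constructed for this example, and `base64 -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the original guide: decoding the simple CTF
# encodings named above (Caesar/ROT13, hex, base64) with standard Linux tools.
# Every input string below is constructed for this example.

# Caesar decode: shift each letter back by $2 positions (ROT13 is shift 13).
# cut builds the shifted alphabet, then tr maps it back onto A-Z and a-z.
caesar_decode() {
  n=$(( $2 % 26 ))
  alpha='ABCDEFGHIJKLMNOPQRSTUVWXYZ'
  if [ "$n" -eq 0 ]; then
    rot=$alpha
  else
    rot="$(printf '%s' "$alpha" | cut -c$((n + 1))-)$(printf '%s' "$alpha" | cut -c1-"$n")"
  fi
  lower=$(printf '%s' "$alpha" | tr 'A-Z' 'a-z')
  rotl=$(printf '%s' "$rot" | tr 'A-Z' 'a-z')
  printf '%s' "$1" | tr "$rot$rotl" "$alpha$lower"
}

# Unknown shift: try all 25 and keep the candidate containing the flag marker.
caesar_brute() {
  s=1
  while [ "$s" -le 25 ]; do
    cand=$(caesar_decode "$1" "$s")
    case $cand in *flag{*) printf '%s' "$cand"; return 0 ;; esac
    s=$((s + 1))
  done
  return 1
}

# Hex text -> bytes using POSIX printf octal escapes, so no xxd is required.
hex_decode() {
  hex=$(printf '%s' "$1" | tr -d ' \n')
  while [ -n "$hex" ]; do
    pair=$(printf '%s' "$hex" | cut -c1-2)
    hex=$(printf '%s' "$hex" | cut -c3-)
    printf "\\$(printf '%03o' "$((0x$pair))")"
  done
}

# Layered challenge as CTFs often pose it: base64 wrapped around a Caesar shift.
layered_decode() {
  inner=$(printf '%s' "$1" | base64 -d)
  caesar_brute "$inner"
}
caesar_decode 'synt{ebg13}' 13; echo               # flag{rot13}
hex_decode '666c61677b7d'; echo                    # flag{}
layered_decode 'bXNobntqaGx6aHlfemhzaGt9'; echo    # flag{caesar_salad}
```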

Substitution Ciphers:

4. Open Intelligence (Recon) Links

Utilize publicly available information such as search engines, public repositories, social media, and more to gain in-depth knowledge on a topic or target.  This information is used for scanning, enumeration, and exploitation.

5. Scanning Tools / Links:

Scanning is the task of probing enterprise networks or Internet-wide services, searching for vulnerabilities or ways to infiltrate IT assets. Scans can be run against systems, software, and network services.

6. Log Analysis Tools / Links:

Analyze large data logs by parsing, sorting, searching and grouping the data into meaningful results.

  1. Excel – Import the log into Excel using the Import Wizard, with spaces as the column delimiter. Then use Excel filters and pivot tables.
  2. Linux Commands (find, grep, cmp, uniq, wc, more, less, touch, awk, gawk)
  3. EPOCH Time Converter

7. Password Cracking

Identify types of password hashes and apply various techniques to efficiently determine the plain text passwords. Most passwords are stored as hashes (one-way calculations that do not reveal the source password). Password cracking tools either use brute-force tactics (systematically trying candidate passwords) or some sort of dictionary (wordlist) as input.

8. Web Exploitation

Find and demonstrate vulnerabilities in various web applications from the browser or other tools.

  1. Path Traversal – access files and directories that are stored outside the web root folder by manipulating variables that reference files with “dot-dot-slash (../)” sequences or an absolute directory name.
  2. /robots.txt – lists pages or files that search engines are asked not to request from your site, but it may provide useful information to an attacker.
  3. Dirbuster – multi-threaded tool for brute-force discovery of hidden directories and files (Kali)
  4. curl command – command line tool to transfer data to or from a server, using any of the supported protocols (HTTP, FTP, IMAP, POP3, SCP, SFTP, SMTP, TFTP, TELNET, LDAP or FILE). curl [options] [URL…]
  5. Browser Developer Tools – use to review/alter source, run JavaScript and change cookies in the local browser:
    • Elements Tab – View and change the DOM (Doc Object Model) and CSS (Cascading Style Sheet)
    • Console Tab – View messages and run JavaScript
    • Sources Tab  – Debug JavaScript, persist changes across page reloads
    • Network Tab  – View and debug network activity (youtube link)
    • Application Tab – Inspect all resources that are loaded, including databases, cookies (link) , Application Cache, images, fonts, and stylesheets.
    • Performance Tab – Find ways to improve load and runtime performance.
    • Memory Tab – Profile memory usage and track down leaks
    • Security Tab – Debug mixed content issues, certificate problems, and more.
  6. Mobile Device Mode – simulate mobile devices
  7. User Agent Extension – allows the browser to switch its user agent string (i.e., how it identifies itself as a web browser that “retrieves, renders and facilitates end user interaction with Web content”)
  8. SQL Injection – exploiting a web site by sending SQL query statements through an input field that is not properly validated.

9. Wireless Exploitation

Wireless security has advanced, but many routers and access points are still vulnerable because of weak security measures. This is the practice of sniffing, analyzing and manipulating wireless data. Types of attacks include:

  • BlueSmack – Issues a ping-of-death attack (DoS)
  • BlueChop – Disrupts an existing piconet (DoS)
  • BluePass – Causes a buffer overflow (DoS)
  • BlueSnarf – Obtains unauthorized access to files (Bluesnarfing)
  • BlueBump – Obtains the piconet key (key bump)
  • Aircrack-ng – suite of network tools including a detector, packet sniffer, and WEP and WPA/WPA2-PSK cracker

10. Network Traffic Analysis

The process of intercepting, recording and analyzing network traffic communication patterns in order to detect and respond to security threats. 

  • Wireshark – Free open source traffic analysis tool. Included in Kali Linux, but you may want to install a copy on Windows/macOS for quick access.
  • Aircrack-ng – suite of network tools including a detector, packet sniffer, and WEP and WPA/WPA2-PSK cracker

11. Enumeration and Exploitation Tools and Commands

The process of reviewing code (executables) to find and exploit vulnerabilities. The process can include binary exploits, buffer overflows, return-oriented programming (ROP) exploits and reverse engineering.

  1. file command – Linux command to determine a file type (including executables)
  2. strings command – Linux command to extract printable text strings (e.g., embedded comments) from an executable file.
  3. ELF – Executable and Linkable Format (ELF, formerly named Extensible Linking Format) is a common standard file format for executable files, object code, shared libraries, and core dumps.
  4. Ghidra – open source reverse engineering tool developed by the NSA (GitHub). Similar to tools like IDA, Radare, and Binary Ninja.
  5. ‘nm’ command – provides information on the symbols used in an object file or executable file. The default output shows the virtual address of each symbol and a character depicting the symbol type.
  6. objdump -d – display the assembler contents of an executable object. Also used to display the headers of an executable.
  7. Netcat – utility that reads and writes data across network connections, using the TCP or UDP protocol. It is a reliable “back-end” tool used directly or driven by other programs and scripts.
  8. uncompyle6 – translates Python bytecode back into equivalent Python source code:
    • sudo pip install uncompyle6
    • uncompyle6 file.pyc
  9. GDB – GNU Debugger, command line debug tool; inspect memory within the code being debugged, control the execution state, detect the execution of particular sections of code, and much more.
  10. Pwntools – a CTF framework and exploit development library. Written in Python, designed for rapid prototyping and development, and intended to make exploit writing as simple as possible.
  11. gawk – Linux command for pattern scanning and processing (the GNU implementation of the awk language).

12. Linux Commands

    • ssh – log into a remote machine
    • pwd – print working directory
    • ls – list directory contents
    • cd – change directory
    • whoami – display the current user
    • history – list previous commands
    • man – help details (manual pages)
    • curl – transfer data from/to a server
    • find – locate files and directories
    • su – change user or become superuser
    • sudo – run a command as superuser temporarily
    • chmod – modify file access rights
    • chown – change file ownership
    • chgrp – change group ownership
    • head or tail – show a specified number of lines (default = 10) (e.g., tail -n 3 filename)
    • less – show one screen at a time
    • wc – word count (bytes, characters, words, or lines) (e.g., $ wc -l filename); '-l' = lines
    • grep – search for a pattern (e.g., $ grep -i "security" filename); the '-i' flag makes the search case-insensitive
    • pipe – chain commands with "|" (e.g., $ grep -i "security" filename | wc -l)
    • tr – translate characters (e.g., $ grep "20 Jan 2017" filename | tr ',' '\t'); replaces commas with tabs (denoted by '\t')
    • sort – sort on a column (e.g., $ sort -nr -t$'\t' -k8 filename); '-nr' = numeric sort in reverse order; -t$'\t' = the delimiter is a tab ('\t'); '-k8' = 8th column
    • sed – select or delete specific lines (e.g., $ sed '1 d' filename > output.txt); '1 d' = delete the first line
    • cut – select a column (e.g., $ cut -d',' -f3 filename > output.txt); '-d' = comma delimiter; '-f3' = 3rd column
    • uniq – find unique lines (e.g., $ sort filename | uniq -c > authors-sorted.txt); '-c' prefixes each line with its count
    • awk – pattern scanning and field processing (e.g., $ awk -F "\t" '{print $3 "  " $NF}' jan20only.tsv); -F "\t" = tab-separated data; the braces print the 3rd column, two spaces, and the last column ($NF, the field whose index is NF, the "number of fields")
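Putting the log analysis commands (section 6) and the Linux commands above together, as an added example that is not part of the original guide: a POSIX shell script that counts clients, flags the path traversal probes described under Web Exploitation, summarizes status codes, and converts EPOCH timestamps, all over a constructed web server access log; `date -d` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example, not part of the original guide: the log-analysis pipeline built
# from the commands above (awk, sort, uniq, grep, cut, head, date), run against a
# constructed web server access log written to a temporary file.
LOG=$(mktemp)
trap 'rm -f "$LOG"' EXIT
cat > "$LOG" <<'EOF'
10.0.0.5 - - [14/Nov/2023:22:13:20 +0000] "GET /index.html HTTP/1.1" 200 512
10.0.0.9 - - [14/Nov/2023:22:13:21 +0000] "GET /../../etc/passwd HTTP/1.1" 403 0
10.0.0.5 - - [14/Nov/2023:22:13:22 +0000] "GET /robots.txt HTTP/1.1" 200 44
10.0.0.9 - - [14/Nov/2023:22:13:23 +0000] "GET /files?name=..%2f..%2fetc%2fshadow HTTP/1.1" 403 0
10.0.0.7 - - [14/Nov/2023:22:13:24 +0000] "GET /login HTTP/1.1" 200 900
10.0.0.9 - - [14/Nov/2023:22:13:25 +0000] "GET /admin HTTP/1.1" 404 0
EOF

# Column 1 is the client IP: count per IP, sort by count, keep the busiest one.
top_client() {
  awk '{print $1}' "$LOG" | sort | uniq -c | sort -nr | head -n 1 | awk '{print $2}'
}

# Path-traversal probes: "../" or its URL-encoded forms anywhere in the request.
traversal_count() {
  grep -c -i -E '(\.\.|%2e%2e)(/|%2f)' "$LOG"
}

# Requests with a given HTTP status code (column 9 of the combined log format).
count_status() {
  awk -v s="$1" '$9 == s { n++ } END { print n + 0 }' "$LOG"
}

# Request path with the largest response: numeric reverse sort on column 10.
largest_response_path() {
  sort -t' ' -k10 -nr "$LOG" | head -n 1 | cut -d' ' -f7
}

# EPOCH seconds to ISO 8601 UTC (GNU date syntax).
epoch_to_iso() {
  date -u -d "@$1" +%Y-%m-%dT%H:%M:%SZ
}

echo "busiest client:         $(top_client)"              # 10.0.0.9
echo "traversal attempts:     $(traversal_count)"         # 2
echo "403 responses:          $(count_status 403)"        # 2
echo "largest response path:  $(largest_response_path)"   # /login
echo "epoch 1700000000:       $(epoch_to_iso 1700000000)" # 2023-11-14T22:13:20Z
```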