Saturday, June 25, 2016

USCC IL Is Over Until Next Year. :(

I'm on the train on the way home from USCC IL.  I'm thinking about what I've learned this week.  I really appreciate the effort that everyone involved with this program put into it.  The material was much the same as it was last year, but the repetitiveness actually reinforces what we learned last year.  So, I still feel like it was worth the effort coming here.  We're supposed to open the books and study them after the camp, but having someone to ask questions around is nice.

It was nice to see people that I saw last year, and I was happy to meet new people.  Considering the boot camp nature of the course, maybe we didn't exactly absorb all we could have last year.  I look forward to (hopefully) attending next year.

I was disappointed that there weren't forensics courses per se.  They are kind of at the mercy of what instructors are available, and maybe that isn't the target audience of this camp.  I don't know much about the inner workings of it.  However, I did become better acquainted with how to set up a home lab with VMs.  It's nice to know that the way I was taught before was the right way.  Also, I didn't pay very good attention to Scapy last year.  I tried, but I really haven't studied packets all that much.  I learned a little more this year.  My brain started going fuzzy right around lab 5 this time around.  Not saying that I completely understood everything else, but it was closer than I was last year.  Anyway, Scapy can be used to learn a little bit about Intrusion Detection, Monitoring, and Forensics.  I learned how to use Scapy to craft pcaps that I could examine so that I can see how those attacks work.  I know that there are pcaps everywhere for this purpose, but how do I know which ones to trust?  Also, this cuts out some of the extraneous traffic that may hinder analysis of what it does.  I could also monitor traffic while I use the different options in Metasploit to exploit machines.  I could probably do the same with the Web App Pen Testing as well: run captures while I'm working with the vulnerable web apps.  So, while I didn't directly learn Forensics, I learned a little about how to make stuff to examine.  If you are interested in learning, I highly recommend doing the Cyber Quest so that you can potentially be invited to this camp.  Even if you don't feel like you can win the CTF, it is well worth your time.

Thursday, June 16, 2016

Indexing

Still working on my index for SEC 301.  I know, how can I possibly not have it done?  I can now see why I saw people working on the index while they were in class.  I couldn't do that, considering part of my job as a Facilitator was to watch the doors to make certain that no unauthorized person had access to the room.

I wouldn't feel comfortable indexing during the class anyway, out of respect for my fellow students who were trying to learn, as well as out of respect for my instructor who dedicated a lot of his time to write and teach a course to many people.

So I get home and start on my index, and life happens.  I can only work on it so many hours a day because I have a responsibility to take care of my family.  I can't imagine how people who work manage to get it done in a timely manner.

I suppose it would go quicker if I wasn't listening to the mp3s at the same time.  I do so because I can rewind them when I need to, and the instructor always has some interesting tidbits that would be missed if I didn't listen to them.

I've read guides about indexing.  I don't know what will work for me, yet.  I look forward to taking the exam, but I'm also a little nervous because even with the practice exams, you don't quite know what to expect.

Many people recommend reading this blog by Lesley Carhart for advice on indexing.  https://tisiphone.net/2015/08/18/giac-testing/  I don't plan on following her advice to the letter, but I do plan on following most of it.  I'm typing important points with each subject so that I may not have to look at the books as much.  Also, the act of typing it helps me to remember.  I learn by doing things hands on.  Usually, if I type something several times, I remember it.

Sunday, June 12, 2016

House of Frost Challenge Coin: Don't Do What I Did.

Thanks to the creator of this challenge.  I found it to be a frustrating, yet good learning experience.  I will detail my thoughts so that you don't do what I did.  Here is the challenge:

A test of breaching defenses with high wizardry…
A magickal field surrounds Lord Alastair Frost
One our psychics must breach at all costs
An ether, an aura, a spirit exists
His very thoughts it doth encrypt!
To the demon Clearspot you must speak
A passphrase he'll require, then let you speak
The phrase, it is said, may well be guessed
Though at the end of the phrase, one further test:
You must chant the hex of Malak al-Maut
Only then may we see what Frost's mind is about.

My thinking:  
Lord Frost is actually a person.
An ether, an aura, a spirit exists, His very thoughts it doth encrypt<-- encryption
Clearspot<--? So, I Googled it. Oh, a wireless access point.
Passphrase<-- I followed Lord Frost's Twitter page. When I think phrase, especially after solving some challenges that have full sentences with spaces and punctuation, I was thinking an actual phrase. The guy is a hax0r after all; he wouldn't make a challenge easy. So, I tried to guess phrases on his Twitter page. I tried most of my guesses in upper case because he spoke in upper case on Twitter.
Hex of Malak al-Maut<-- I literally thought it meant the hex of that phrase. I did find that it meant Angel of Darkness. I thought that maybe all that hex did a buffer overflow or something. I've seen that.

I found the default password for the wireless access point, thinking that it *could* be the phrase. I thought, nah, that would be too easy.

I didn't solve it by myself. When I saw Lord Frost, I tried to brute force the password. On the last day. I stood next to him for a couple of hours, showing him my attempts. I was close. I was trying the default password because he told me that I was onto something with that as the first part. He told me that the literal hex of Malak al-Maut as the second part was too complicated. He asked me what word, hex, and spell the angel of death would say. When I think cast a spell, or place a hex on something, I'm thinking a verb, like "die", not a noun or an adjective. He kept repeating that hex has multiple meanings. I'm used to having to convert ASCII to hex and vice versa for challenges. I showed him words that I was trying. He said there was no conversion necessary. He said that I was on the right track with the word list. He said that I had a lot of words with invalid characters, though. The second part of the solution was a word made with hex characters. A word only containing A-Fa-f0-9. So, I've heard of l33tsp34k. Some of the words that I tried for the second part can be made into valid hex words. So I tried that. The answer was simpler still. The answer was the default password for the wireless access point and the word DEAD.  
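The weak pattern described above (a vendor default password followed by a short word spelled only with hex characters, possibly after l33t substitutions) is easy to check for when auditing your own passphrases. This is an added example of such a check, not code from the challenge or the post; the default-password list and the l33t substitution table are constructed for the example.

```python
import re

# Common l33t substitutions (constructed for this example) that can turn a
# dictionary word into a string drawn only from the hex alphabet, e.g. cool -> c001.
LEET_TO_HEX = {"o": "0", "i": "1", "l": "1", "s": "5", "t": "7", "g": "6", "z": "2"}

# A "hex word": every character is in A-Fa-f0-9, as the challenge required.
HEX_WORD = re.compile(r"[0-9A-Fa-f]+")


def is_hex_word(word):
    """True when the word is spelled entirely with hex-alphabet characters (e.g. DEAD, fade)."""
    return bool(HEX_WORD.fullmatch(word))


def leet_hex_form(word):
    """Return the hex-alphabet spelling of word after l33t substitutions, or None if none exists."""
    out = "".join(LEET_TO_HEX.get(c.lower(), c) for c in word)
    return out if is_hex_word(out) else None


def looks_like_default_plus_hex_word(candidate, default_passwords, min_word=3):
    """Flag a passphrase that is a known default password (case-insensitive prefix)
    followed by a hex word of at least min_word characters, directly or via l33t."""
    for default in default_passwords:
        if candidate.lower().startswith(default.lower()):
            tail = candidate[len(default):]
            if len(tail) >= min_word and (is_hex_word(tail) or leet_hex_form(tail)):
                return True
    return False


if __name__ == "__main__":
    # Placeholder default password; the real one from the challenge is not reproduced here.
    defaults = ["admin1234"]
    for pw in ["admin1234DEAD", "admin1234c001", "admin1234xyz", "correct horse battery staple"]:
        print(pw, "->", "WEAK" if looks_like_default_plus_hex_word(pw, defaults) else "ok")
```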

The point is, I made it too complicated. I forgot that he was playing a character. Not the hax0r that he is in real life. He had to make the challenge available to everyone.  

Thanks for being so patient with me and helping me to learn. I apologize for being so persistent. Give me a puzzle and I will work on it for days. He gave me a coin. I didn't actually expect that, given that it said that we are allowed one attempt per day. I just wanted to solve the challenge. Solving challenges is a good way to learn. I was persistent, but in this instance, probably too persistent.

That being said:  

I was disappointed that it was set up as something where I had to follow the person. Sometimes it didn't show up on my wireless access point list.  It made an interesting story point.

Secondly, the time to solve it. We were only allowed to try while the person was in costume. I was in training/talks and spent a lot of evening time with the family. With the exception of Sat night. He left the access point so that we could try it on Sat night.

(I was disappointed about not spending much time on the ctf as well. Probably wouldn't have gotten many of those, anyway.)
Another thing: someone may guess that password without understanding why it was that word, i.e., that it was an actual hex word. Seems like a long shot, but they could. The why of something is where the lesson is. The lesson in this one wasn't the word, though. It was in thinking like someone else to gain access. And to defend against unauthorized access, don't use an easily guessed password.

Home From Circle City Con

Thanks CCC for having such a fun conference.  My first conference was technically SANSWest in San Diego when I was a facilitator for SEC 301.  However, I consider this to be my first in this type of conference.  Casual, yet technically oriented in some ways.  It wasn't a big con, but it wasn't tiny, either.

I went to a few training sessions while I was there:  Introduction to Forensics/Mobile Device Forensics, Writing My First Exploit, and Building A Home Lab.  They were good training sessions.  Unfortunately, some spoke fairly quickly, so it was tough to keep up sometimes.  I'm glad that I learned to take pics of some things.

In the evening, I went to a talk called Food Fight.  I tried to listen to the Embedded Device talk, but he was speaking and moving so quickly that I didn't really get much.  It is posted on YouTube, so I'll try to listen to it later, when I can pause it.

I went to a hacker dinner.  Hacks4Pancakes and the CCC were kind enough to arrange it.  It was interesting listening to the different viewpoints and thinking processes of people.

Much of the second day, after the training session, was spent in NetWars.  I finished in 7th place.  I ended up being a little farther along than I was before.  I was two points from 5th place.  I still have a lot to learn.  I made it further because of a giant hint from Jeff McJunkin.  He's a nice guy.  Funny thing, if I'd looked at the cheat sheet, I would have had the answer to a question that I was having trouble with.  I brought my cyber camp Metasploit book, but unless you have it indexed, it doesn't do much good.  It's been a good year since I picked it up.  Hint:  RTFM.  I've been working on Forensics challenges, and exploring some open source forensics tools, so that is where my time has been spent.  I'm also working through the Linux training and making an index for the SEC 301 GISF cert.

My 12 year old son tried NetWars and ended up in 15th place.  When he told me that he wanted to try NetWars, I told him to study Linux.  There's a nice intro course on edx.  He did.  I showed him some of the tools that I used for challenges, and how to find and read the help/man files.  I told him to not think too complicated.  He didn't.  (I need to follow that advice.)  He managed to unlock level 3 in NetWars.

I tried a couple of challenge coin challenges.  I might post my experience with them later.

Overall I think that the con was a good experience.