Thursday, October 27, 2016

SANS Cyber Defense Challenge-Day 1 Solution

Secret word 1 - (5 pts)
What's the secret word for SANS San Diego 2016 day 1?

This word was given to us.
advancedpersistenttaco

Use Google to answer most of these.  It didn't say in the challenge that you couldn't use outside resources.

How many ports
How many ports are available on a Linux or Windows operating system, counting both TCP and UDP?

I learned the answer to this one in the Networking portion of SANS SEC 401.  Some may be saying, "There are 65,536 ports.  Why is the answer 131,072?"  Because they said both TCP and UDP.  Each protocol has its own 16-bit port field, so each has 2^16 = 65,536 port numbers (0 through 65,535).  Add 65,536 and 65,536, and you get 131,072.

0
131070
65536
About 7
1337
131072
65535

Name that OS
This is a legitimate user agent string sent from a Microsoft Windows client operating system:

Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko

What OS is the client running?

The "Windows NT 6.1" token is the kernel version, and NT 6.1 is Windows 7 (Vista is NT 6.0, Windows 8 is 6.2, 8.1 is 6.3, and Windows 10 reports 10.0).  The rest of the string says the browser is Internet Explorer 11 (Trident/7.0 with rv:11.0) running as a 32-bit process on 64-bit Windows (WOW64).  Keep in mind that the user agent is whatever the client chooses to send, so it is a hint about the OS, not proof.

Windows 8.1
Microsoft Bob
Atari TOS
Windows Vista
Windows 8
Windows XP
Windows 10
Windows 7
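
As an added example (not part of the original write-up), here is a small Python parser that does the lookup this question is testing: it pulls the NT kernel version out of a Windows user-agent string, maps it to the release name, and recognises IE 11's Trident/rv form, which carries no "MSIE" token.  The NT_VERSIONS table, the function name and the extra sample strings are mine, not from the challenge; only CHALLENGE_UA is quoted from the question.

```python
import re

# Windows NT kernel version as reported in user-agent strings -> desktop release.
# Server editions share kernels (Server 2008 R2 is also NT 6.1), so the UA alone
# cannot tell a client OS from a server OS.
NT_VERSIONS = {
    "5.1": "Windows XP",
    "5.2": "Windows XP x64 / Server 2003",
    "6.0": "Windows Vista",
    "6.1": "Windows 7",
    "6.2": "Windows 8",
    "6.3": "Windows 8.1",
    "10.0": "Windows 10",
}


def parse_windows_ua(ua: str) -> dict:
    """Pull the OS, the bitness hint and the browser out of a Windows user-agent string.

    Returns {"os": None} when the string carries no "Windows NT x.y" token.
    """
    m = re.search(r"Windows NT (\d+\.\d+)", ua)
    if not m:
        return {"os": None}
    nt = m.group(1)
    info = {
        "nt_version": nt,
        "os": NT_VERSIONS.get(nt, "Windows (NT %s, unknown release)" % nt),
        # WOW64 = a 32-bit browser running on 64-bit Windows ("Win64; x64" = 64-bit browser).
        "wow64": "WOW64" in ua,
        "browser": None,
    }
    # IE 11 dropped the "MSIE" token: it identifies itself with Trident/7.0 plus rv:11.0
    # and the words "like Gecko".  Older IE versions still carry "MSIE <version>".
    trident = re.search(r"Trident/(\d+\.\d+)", ua)
    rv = re.search(r"rv:(\d+(?:\.\d+)?)", ua)
    msie = re.search(r"MSIE (\d+(?:\.\d+)?)", ua)
    if trident and rv and not msie:
        info["browser"] = "Internet Explorer " + rv.group(1)
    elif msie:
        info["browser"] = "Internet Explorer " + msie.group(1)
    return info


# The user-agent string from the question above.
CHALLENGE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko"

if __name__ == "__main__":
    for key, value in parse_windows_ua(CHALLENGE_UA).items():
        print(f"{key}: {value}")   # os: Windows 7, wow64: True, browser: Internet Explorer 11.0
```

The same logic applies when you are classifying web-server or proxy logs, with the usual caveat: anything in the user agent is client-controlled, and IE in compatibility view will happily report an older MSIE version than it really is.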

sans.org
When was the domain sans.org registered?

A whois lookup (whois sans.org) shows the registration date in the Creation Date field.

1995-08-04
1967-11-13
1337-12-25
1994-09-12
1997-03-12
1776-07-04
1990-01-01
2016-10-27

Time to Live
What is the name of the IPv6 field that is equivalent to IPv4's Time to Live?

I learned this one in SANS SEC 401 this week during the Networking portion.

Hop Limit
Version
Next Header
Flow Label
Traffic Class
Time to Live

IPv6
A new network engineer announces that he's going to conduct an active scan and ping every address on a standard IPv6 /64 subnet. You mention the vast size of the subnet, and the engineer confidently states he can ping a million addresses/day.

How long will the ping scan take, assuming 1 million hosts are scanned per day?  

A /64 holds 2^64 = 18,446,744,073,709,551,616 addresses.  Dividing that by 1,000,000 per day gives the number of days (about 18,446,744,073,710), and dividing the days by 365 gives the years: about 50,539,024,859.  Brute-force sweeping a /64 is a non-starter; real IPv6 host discovery comes from DNS, the neighbor cache on a router you already control, or a multicast ping to ff02::1 on the local link.
42
5+ years
50,539,024+ years
50+ years
50,539+ years
Infinity!
1337 minutes
A month or so
50,539,024,859+ years  

What is the IPv6 address of sanschallenge.org?

If you watch the traffic with tcpdump or Wireshark while you ping sanschallenge.org from a Mac or Linux box, you should see the IPv6 address the name resolves to, provided your resolver returns the AAAA record and your ping speaks IPv6 (older IPv4-only ping builds need ping6 instead, or ping -6 on newer Linux).  Ping uses ICMP (ICMPv6 for IPv6) echo requests.  Without a packet capture, a plain DNS lookup of the AAAA record does the job too.

ping sanschallenge.org
ping6 sanschallenge.org
dig AAAA sanschallenge.org +short

104.131.191.1
2604:a880:0:1010::5db:4001
2604:a880:800:10::1a64:2001
2001:470:1f06:bef::2
dead:beef:c0de:fa11:feed:babe:cafe:f00d
2400:cb00:2049:1::adf5:3a33
42

Version detection - (10 pts)
What version of Apache is running on https://sanschallenge.org? Answer with a number.

For example, if the version is "Apache/1.2.3", you would answer '1.2.3' without the quotes.

From a Mac or Linux terminal, you can use curl to make a HEAD request and print just the response headers (curl -I https://sanschallenge.org), assuming the server allows HEAD.  The version is in the Server header.  Note that an administrator can hide it (Apache's ServerTokens Prod setting trims the header to just "Apache"), and the header can be set to say anything at all, so treat it as a hint rather than proof of the running version.

Flag: - Convert to SHA1 Apache 2.4.7
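
As an added example (my code, not the challenge's or the write-up's), here is the header parsing in Python: it takes the raw text that curl -I prints, pulls out the Server header, and splits it into product and version, returning no version when the server withholds it.  SAMPLE_HEAD_RESPONSE is a constructed stand-in for the site's reply, not a capture, and fetch_head() is the live equivalent of curl -I for when you do have network access.

```python
import http.client
import re

# Constructed stand-in for what "curl -sI https://sanschallenge.org" prints (a HEAD
# request, so only the status line and headers come back).  Not a real capture.
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Thu, 27 Oct 2016 18:00:00 GMT\r\n"
    "Server: Apache/2.4.7\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

# The same reply with Apache's "ServerTokens Prod" in effect: the product stays, the version goes.
SAMPLE_HEAD_RESPONSE_NO_VERSION = SAMPLE_HEAD_RESPONSE.replace("Apache/2.4.7", "Apache")


def parse_headers(raw: str) -> dict:
    """Map lower-cased header names to values.  The status line is dropped and
    anything after the first blank line (a body, if one came back) is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:
        if ":" not in line:
            continue  # malformed or continuation line: skip it
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def server_version(raw: str):
    """(product, version) from the Server header: ("Apache", "2.4.7"), ("Apache", None)
    when the version is withheld, (None, None) when there is no Server header at all."""
    server = parse_headers(raw).get("server")
    if not server:
        return None, None
    m = re.match(r"([A-Za-z][\w.-]*)(?:/(\S+))?", server)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def fetch_head(host: str, path: str = "/") -> str:
    """Live equivalent of curl -I: HEAD over HTTPS, returned in the same raw-text shape
    parse_headers() expects.  Not called by default; it needs network access."""
    conn = http.client.HTTPSConnection(host, timeout=10)
    conn.request("HEAD", path, headers={"Host": host})
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
    lines += [f"{name}: {value}" for name, value in resp.getheaders()]
    return "\r\n".join(lines) + "\r\n\r\n"


if __name__ == "__main__":
    print(server_version(SAMPLE_HEAD_RESPONSE))             # ('Apache', '2.4.7')
    print(server_version(SAMPLE_HEAD_RESPONSE_NO_VERSION))  # ('Apache', None)
```

For a real target you would call server_version(fetch_head("sanschallenge.org")); the parser is deliberately tolerant of a missing or version-less Server header because that is exactly what a hardened server sends back.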

Domo Arigato - (10 pts)
What directory is disallowed from spidering, per the robots.txt file on https://sanschallenge.org? Answer with the directory name only, including the leading and trailing slash. For example, if the entry is: 

Disallow: /folder/

The answer would be '/folder/' without the quotes.

You just navigate to https://sanschallenge.org/robots.txt, and it shows the /wickedsecret/ directory.  Remember that robots.txt is only a request to well-behaved crawlers; it protects nothing, and a Disallow line points every human reader straight at the path the site owner least wants found, which is why it's one of the first files to check when enumerating a target.

Flag: - Convert to SHA1 /wickedsecret/

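
As an added example (my code, not the challenge's), here is a Python parser that lists the Disallow entries that apply to a given user agent, with a cross-check against the standard library's urllib.robotparser to confirm a well-behaved crawler would actually skip the path.  SAMPLE_ROBOTS_TXT is a constructed stand-in carrying only the entry the write-up reports, not the live file.

```python
from urllib.robotparser import RobotFileParser

# Constructed stand-in for https://sanschallenge.org/robots.txt.  It carries only the
# entry the write-up reports; the real file is not reproduced here.
SAMPLE_ROBOTS_TXT = """# constructed sample, not the live file
User-agent: *
Disallow: /wickedsecret/
"""


def disallowed_paths(robots_txt: str, agent: str = "*") -> list:
    """List the Disallow paths that apply to `agent`: the group naming that agent if there
    is one, otherwise the '*' group, otherwise nothing.  Comments and blank lines are ignored."""
    groups = []  # [(agents, disallow_paths), ...]
    agents, paths, rules_seen = [], [], False
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if rules_seen:  # a User-agent line after rules opens a new group
                groups.append((agents, paths))
                agents, paths, rules_seen = [], [], False
            agents.append(value.lower())
        elif field in ("allow", "disallow"):
            rules_seen = True
            if field == "disallow" and value:  # an empty Disallow means "allow everything"
                paths.append(value)
    if agents:
        groups.append((agents, paths))
    for group_agents, group_paths in groups:
        if agent.lower() in group_agents:
            return group_paths
    for group_agents, group_paths in groups:
        if "*" in group_agents:
            return group_paths
    return []


def crawler_may_fetch(robots_txt: str, path: str, agent: str = "*") -> bool:
    """Cross-check with the standard library's parser: would a well-behaved crawler
    identifying as `agent` fetch `path`?"""
    rp = RobotFileParser()
    rp.modified()  # mark the file as "read"; can_fetch() refuses everything until then
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, path)


if __name__ == "__main__":
    print(disallowed_paths(SAMPLE_ROBOTS_TXT))                     # ['/wickedsecret/']
    print(crawler_may_fetch(SAMPLE_ROBOTS_TXT, "/wickedsecret/"))  # False
    print(crawler_may_fetch(SAMPLE_ROBOTS_TXT, "/index.html"))     # True
```

Note the asymmetry the two functions make visible: can_fetch() tells you what a polite crawler will avoid, while disallowed_paths() is the list an attacker reads as "look here first".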
Key size - (10 pts)
What is the size of the RSA public key used in the x509 certificate for https://sanschallenge.org?

This isn't really a you-know-it-or-you-don't question; the key size is in the certificate.  From a Mac or Linux box, pull the certificate and read the Subject Public Key Info section (a browser's certificate viewer shows the same thing):

openssl s_client -connect sanschallenge.org:443 -servername sanschallenge.org </dev/null 2>/dev/null | openssl x509 -noout -text

Look for a line like "Public-Key: (2048 bit)".  2048 bits is the usual size for an RSA web-server key today (1024 is deprecated; 3072 and 4096 are also seen), and it's what sanschallenge.org's certificate used.

3072 bits
8 bits
1 bit
2 bits
16 bits
4 bits
1024 bits
64 bits
4096 bits
2048 bits
128 bits
32 bits
256 bits
512 bits
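
As an added example (my code, not from the challenge), the Python below shows what the number in openssl's "Public-Key: (2048 bit)" line actually is: the bit length of the RSA modulus n, read out of the DER-encoded SubjectPublicKeyInfo that a certificate carries.  The block builds that structure itself so it runs offline; stand_in_modulus() produces a random integer of the right size, not a real RSA modulus (it is not a product of two primes), and the function names are mine.

```python
import secrets

# OID 1.2.840.113549.1.1.1 (rsaEncryption), DER content octets without tag/length.
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + _der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER.  A leading 0x00 keeps a modulus whose top bit is set positive,
    which is why a 2048-bit modulus takes 257 content bytes, not 256."""
    content = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if content[0] & 0x80:
        content = b"\x00" + content
    return der_tlv(0x02, content)


def build_rsa_spki(n: int, e: int = 65537) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING },
    where the BIT STRING wraps PKCS#1 RSAPublicKey ::= SEQUENCE { modulus n, publicExponent e }."""
    rsa_public_key = der_tlv(0x30, der_integer(n) + der_integer(e))
    algorithm = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL params
    subject_public_key = der_tlv(0x03, b"\x00" + rsa_public_key)  # 0x00 = no unused bits
    return der_tlv(0x30, algorithm + subject_public_key)


def _read_tlv(buf: bytes, pos: int = 0):
    """Decode one TLV at buf[pos]; return (tag, content, position just after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def rsa_key_bits(spki: bytes) -> int:
    """Key size as openssl reports it: the bit length of the modulus n."""
    tag, spki_body, _ = _read_tlv(spki)
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    _, algorithm, pos = _read_tlv(spki_body)
    _, oid, _ = _read_tlv(algorithm)
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError("not an rsaEncryption key")
    _, bit_string, _ = _read_tlv(spki_body, pos)
    _, rsa_public_key, _ = _read_tlv(bit_string[1:])  # skip the unused-bits octet
    _, modulus, _ = _read_tlv(rsa_public_key)
    return int.from_bytes(modulus, "big").bit_length()


def stand_in_modulus(bits: int) -> int:
    """Random odd integer with exactly `bits` bits.  NOT a real RSA modulus (it is not a
    product of two primes); it only has the right size to exercise the encoder and parser."""
    return (1 << (bits - 1)) | secrets.randbits(bits - 1) | 1


if __name__ == "__main__":
    for bits in (1024, 2048, 3072, 4096):
        spki = build_rsa_spki(stand_in_modulus(bits))
        print(f"{bits}-bit modulus -> {len(spki)}-byte SPKI, parsed size {rsa_key_bits(spki)} bits")
```

The sizes it prints are a useful sanity check on their own: a 2048-bit RSA SubjectPublicKeyInfo is 294 bytes of DER and a 1024-bit one is 162, so a certificate's key size is often recognisable from the encoded length alone.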

2 comments:

  1. Thank you for this SANS Cyber Defense Challenge recap and your approach used for the solutions. This is my first foray into this type of event. -Radioteacher

  2. You're welcome. If you have the time, you might want to work through the problems on your own. There are usually multiple ways to solve a problem, so you might find a more efficient solution.
