
A list of resources that are useful for the National Cyber League Competition. This list was compiled with the help of many members of the Drury Cyber Defense Team.


PhishOfSteel/NationalCyberLeagueResource

 
 


NationalCyberLeagueResource

A list of resources that are useful for the National Cyber League Competition. This list was compiled with the help of many members of the Drury Cyber Defense Team.

Open Source Intelligence

  • Google: Google should almost always be your first stop for OSINT questions.
  • Wigle: Find and identify Wi-Fi networks.
  • EXIF: Exif tools can reveal file metadata, which can give away the answers to easy OSINT questions.
  • OSINT Framework: Lots of OSINT tools sorted by category.

Cryptography

  • CyberChef: Convert between number bases and encoding schemes
  • Cryptii: Similar to CyberChef but it has some other options that may be useful.
  • Rumkin: Encode/Decode railfence ciphers
  • dcode.fr: Encode/Decode many ciphers. This website is usually one of the first results on Google when you search for a specific cipher.
  • Cipher Identifier: Some websites can help you identify what cipher was used on a given ciphertext. There are many good options, but I have attached one here.
  • Strings: The Linux strings command will search through any file type and return the strings of characters it finds. Useful for finding flags in arbitrary file types.
  • Digital Invisible Ink Toolkit: Find messages that are hidden in pictures. Many steganography questions use this tool.
  • Steghide: Another way to find messages hidden in a picture.
    • Command to extract message: steghide extract -sf <filename>
  • Binwalk: Binwalk is used to extract files that are hidden in another file. Run binwalk --dd='.*' <filename> to extract all hidden files.

Password Cracking

  • Hash Generator: You will probably be asked to compute the hashes of some passwords. This site generates many hashes all at once. Select what you need and paste it into the answer box.
  • Hashes.com: Lookup known hash values here. It is a good first step on any password cracking questions. Often, even a couple of the hard passwords can be found here.
  • CrackStation: Similar to hashes.com. Lookup hashes and see if there is a known password.
  • hashkill.io: Similar to the last two. Used to look up password hashes.
  • Hashcat: Crack password hashes with a wordlist, brute force, or a combination.
    • Common Flags
    • -m: Hash Type - Select what type of hash to crack. 0 is an MD5 hash and is most common in NCL. ( -m 0)
    • -a: Attack Mode - Select what type of attack. 0 is a dictionary attack and is most common in NCL. (-a 0)
    • -o: Output - Select what file to output results to. (-o cracked.txt)
    • Example command: hashcat -m 0 -a 0 -o cracked.txt target_hashes.txt wordlist.txt
    • Word Lists: Many wordlists can be found in every Kali install in /usr/share/wordlists/
    • Rule Lists: Google for the following rule lists
      • dive.rule
      • HoboRules
      • NSARules
      • OneRuleToRuleThemAll
  • Ophcrack: Used to crack windows NTLM hashes.
    • Download ophcrack here
    • Download table here: Most passwords for NCL are found in XP Free Small or XP Free Special.
  • CeWL: CeWL (Custom Word List generator) is used to crawl a website and make a list of words that can be used for cracking a password.
  • John the Ripper: Used similarly to hashcat. John the Ripper is used to crack password hashes. I am not familiar with John the Ripper and prefer hashcat, so I will not offer much of a guide on it.
  • Mentalist: Generate large wordlists based on a dictionary, or create rules for hashcat or John the Ripper.
  • Hydra: Brute force server passwords and try to connect.
  • SecLists: GitHub repo with great wordlists and lots of other hacking goodies.

Log Analysis

  • cat: Used to read the contents of a file: cat example.txt
  • grep: Search for strings or regular expressions to find information in a log. Regular expressions can be a great way to find specific information. But, they can be tricky.
    • Common Flags
    • -E: Use regular expressions Cheat Sheet
    • -o: Only output the part of the line that matched the regular expression or string
    • -v: Invert the matches. Only output lines that do not match the regular expression or string.
    • -i: Ignore case
    • Helpful Tips
    • Pipe the output from one grep statement into another grep statement. This way you can filter the data down in stages and understand what each stage is doing.
    • Mix and match flags on consecutive grep statements to fine tune what you are looking for
    • Example: cat log.log | grep -i "user" | grep -iv "invalid" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}"
    • Explanation: cat the log file and look for any line that contains the word "user", regardless of case, to find any line that contains a username. Then grep for any line that says "invalid" and keep only the lines that do not match, which filters out invalid user attempts. Finally, the last regular expression searches for IP addresses and outputs only the IP address.
  • cut: Cut is used to split a line into fields in bash.
    • Common Flags
    • -d: Specify a delimiter
    • -f: Select which field(s) of the split line to output
  • sort: Sort lines in alphabetical order.
  • uniq: Remove adjacent duplicate lines. It is important to sort the lines before doing this so that all duplicates are removed.
    • cat log.txt | sort | uniq
    • Common Flags
    • -c: Return the count of how many duplicate lines there were of each type
  • wc: Return the word count of a file.
    • Common Flags
    • -l: Count the number of lines
    • -w: Count the number of words in the file
    • -m: Count the number of characters in the file
  • awk: Awk can be used to scan over files and pull information out by selecting certain fields. Awk is a little more complex than grep, but it is extremely malleable and can handle complex analysis.
  • Excel: Excel can be a great resource to analyze log files quickly. Import a log as a csv file, and change the delimiter to something that makes sense for the log you are looking at.
  • VS Code: Any text editor can be good to view the data and start to understand what you are looking at.
  • Python: Python has amazing utilities to read and write text files. Python can be used for more complex analysis of many log files.
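
The staged grep pipeline from the list above, combined with cut, sort, uniq -c and wc, as an added example that is not part of the original list. The log lines, their format and the function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample log (documentation IP ranges, made-up users).
sample_log() {
cat <<'EOF'
2024-01-10T03:12:01 auth: Invalid user admin from 203.0.113.7
2024-01-10T03:12:04 auth: Failed login for user root from 203.0.113.7
2024-01-10T03:12:09 auth: Failed login for user root from 203.0.113.7
2024-01-10T03:13:30 auth: Accepted login for user alice from 198.51.100.23
2024-01-10T03:14:02 auth: Failed login for user alice from 192.0.2.44
2024-01-10T03:15:10 auth: Invalid user test from 192.0.2.44
2024-01-10T03:16:45 auth: Accepted login for user bob from 198.51.100.23
2024-01-10T03:17:00 cron: job 42 finished
2024-01-10T03:18:20 auth: Accepted login for user alice from 198.51.100.23
EOF
}

# Same IPv4 pattern as the grep example in the list. It matches any
# dotted quad, so version strings like 1.2.3.4 would also match.
IP_RE='([0-9]{1,3}\.){3}[0-9]{1,3}'

# Stage 1-3 are the list's pipeline; sort | uniq -c | sort -rn then
# turns the IP list into "count ip" rows, busiest source first.
ips_by_count() {
  sample_log | grep -i "user" | grep -iv "invalid" | grep -E -o "$IP_RE" \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# cut splits on spaces; field 7 is the username in this constructed format.
failed_by_user() {
  sample_log | grep "Failed login" | cut -d ' ' -f 7 \
    | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# wc -l counts matching lines; tr strips the padding some wc builds add.
invalid_attempts() {
  sample_log | grep -i "invalid user" | wc -l | tr -d ' '
}

echo "Source IPs on valid-user lines:"; ips_by_count
echo "Failed logins per user:";         failed_by_user
echo "Invalid-user attempts: $(invalid_attempts)"
```

To run it against a real file, replace sample_log with cat <logfile> and adjust the cut field number to match that log's layout.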

Network Traffic Analysis

  • Wireshark: Open, filter, and analyze pcap files.
    • Plugins: You can install additional plugins to extend the capabilities of Wireshark. For example, there is an h264 extractor to extract MP4 data from RTP packets and an ffmpeg plugin to reassemble media.
  • Aircrack-ng: Analyze wireless traffic and extract the password from unencrypted 802.11 traffic.
    • Run aircrack-ng wifi.pcap to show the wifi password
  • Zeek: Zeek is a very powerful open-source network traffic analyzer.
  • Capture Passwords with Wireshark: A neat walkthrough on how to find passwords for many different protocols using Wireshark.

Forensics

  • EXIF: Exif tools can help reveal file meta data that helps identify what a file is and where it came from.
  • Autopsy: Great for analyzing disk images and extracting files from a disk image.
    • This is a great walkthrough to get started with autopsy.
  • FTK Imager: Used to dissect forensic images.

Scanning & Reconnaissance

  • Nmap: Nmap is a great resource for enumerating open ports and what services are running on them. Nmap is an important tool and you should be very familiar with it for any CTF event.
    • Common Flags
    • -sV: Enable version detection
    • -sC: Run with standard scripts
    • -Pn: Do not ping - run scan even if the host looks like it is down
    • -p: Specify a port or port range (-p 8090, -p 100-1123, etc)
    • -O: Enable OS detection
    • Nmap Cheat Sheet here
  • Dirbuster: Dirbuster is used to brute force directories on a web server. It is super simple to use and quick to get going.
  • Gobuster: Similar to dirbuster, used to scan for directories on a web server
  • Wappalyzer: Wappalyzer is a browser extension that allows you to
  • Netcat: Netcat can be used to connect to a remote machine and enumerate what is running on that machine.
    • To connect to a machine run nc <hostname or IP> <port num>
  • Telnet: Like netcat, telnet is used to connect to a remote computer. Once you are connected, you can send the computer commands and try to figure out what it is running.
    • To connect to a remote machine run telnet <hostname or IP> <port num>
  • Metasploit: Metasploit is not just for hacking. There are a lot of good tools for scanning and recon as well. For instance, the ftp_version module allows you to find what version of an ftp server a server is running. No hacking required!

Web Application Exploitation

  • Web Browser: There are many web browsers out there. Pick one and start exploring the website. Knowing how the website functions normally can help you understand where vulnerabilities may exist.
  • Developer Tools: Hit F12 or right click and inspect a web page to view the developer tools that are available in any browser. This lets you see the
    • Dev Tool Tips
    • Read the HTML carefully. Hints are usually hidden in the HTML, especially in earlier challenges.
    • Pay attention to the network tab and understand what requests are being made.
    • Look at the cookies! Cookies can be found under the Application tab. Often, a challenge can be completed by just changing a cookie value.
  • Burp Suite: Burp Suite is a great tool for figuring out how a website works and hacking into it. Burp Suite has many capabilities. So, the most important features are briefly discussed below.
    • Proxy: Proxy your web traffic through Burp and analyze what is happening
    • Repeater: After intercepting traffic in the proxy, go to "Actions" > "Send to Repeater" to use the repeater with a web request. You can view, modify, and send web requests to the server, and catch the response so that you can analyze how the web server is working.
    • HTTP History: This is a list of all the URLs that have been sent through the proxy. This can let you see what resources are being requested and look for any interesting or anomalous requests.
  • Postman: Postman helps create and repeat API calls. This can help get information out of a server and easily view what the server is sending back. It is easy to save API calls for later to rerun or modify after you discover more information.
  • sqlmap: sqlmap is used to automatically detect and exploit SQL injection vulnerabilities.
  • Exploit DB: Once you know what services or what OS is running on a server, look that up in Exploit DB and see what vulnerabilities may exist that you can take advantage of.
  • Metasploit: Metasploit is very versatile and can help with many problems. Once you understand the server, what is running on it, and what vulnerabilities it may have, jump into Metasploit and see if there are any modules that may be helpful.

Enumeration & Exploitation

  • ASCII Table: Many enumeration and exploitation questions use ASCII in some way. So, knowing how to decode ASCII is an important skill.
  • Python: Lots of the easy Enumeration & Exploitation problems use Python. Understanding how to read and write Python code is a good skill to have.
  • Bash: Same as above, except it's Bash this time. Since Bash is used for the Linux command line, it is used for many of the utilities mentioned in this document. So, you need to be familiar with it, and it is often seen in Enumeration & Exploitation problems.
  • Decompilers: Sometimes you will be given code that has already been compiled. A decompiler can take this compiled code and help us understand what it is doing.
  • Ghidra: Ghidra is a tool that was developed by the NSA to reverse engineer software. Now it is open source and comes installed on every instance of Kali Linux. It provides a lot of good information but it can be difficult to understand.
  • GNU Debugger: GDB is used to step through code and is used primarily for debugging. But, it can be used to understand code that has already been compiled.

Other Tips

  • If I don't know how to do a challenge, I type in the name and append 'CTF' at the end. Sometimes it'll return a writeup of a similar challenge done in a CTF that helps complete the challenge. -Ed
  • Pay close attention to the title of the challenge. It's usually a hint at how to solve the problem. - Julian
  • When I'm stuck on a challenge, I often go look at the gymnasium again to see if there are any tips or tools they list in the gym that might help me. - Jacob
