├── CNAME
├── README.md
├── navigation.md
├── tools
│   ├── rats.md
│   ├── pentestinghardware.md
│   ├── forensictools.md
│   ├── johntheripper.md
│   ├── nessus.md
│   ├── armitage.md
│   └── basiclinuxadministration.md
├── LICENSE
├── resources.md
├── conferences.md
├── practice.md
├── index.md
└── tools.md
/CNAME:
--------------------------------------------------------------------------------
1 | ctf.pwnwiki.io
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | ctfwiki
2 | =======
3 |
4 | CTF Wiki - http://ctf.forgottensec.com/wiki/index.php
5 |
--------------------------------------------------------------------------------
/navigation.md:
--------------------------------------------------------------------------------
1 | # CTF Wiki
2 |
3 | [Home](index.md)
4 |
5 | [Resources](resources.md)
6 |
7 | [Practice Materials](practice.md)
8 |
9 | [Conferences](conferences.md)
--------------------------------------------------------------------------------
/tools/rats.md:
--------------------------------------------------------------------------------
1 | Additional details forthcoming...
2 |
3 | - [Wikipedia](http://en.wikipedia.org/wiki/Remote_administration_software)
4 | - [Poison Ivy](http://www.poisonivy-rat.com)
5 | - [YASC](http://www.yasc.net/radtool)
6 | - [RAT Forum](http://www.hackforums.net/forumdisplay.php?fid=114)
7 | - [Security Tube Video](http://www.securitytube.net/video/5563)
8 | - [Dark Comet RAT](http://www.darkcomet-rat.com)
9 |
10 | [Tools](../tools.md)
11 |
--------------------------------------------------------------------------------
/tools/pentestinghardware.md:
--------------------------------------------------------------------------------
1 | - [Raspberry Pi](http://www.raspberrypi.org/ "Vendor") - $25 ARM Linux board featuring USB, RJ-45, and more
2 | - [Pwn Plug/Pwnie Express](http://pwnieexpress.com/products "Hak5 Site for Pwnie") - Small unmarked white power plug with a network jack and USB coming out the bottom
3 | - [Hak5 Site for Pwnie Products](http://pwnieexpress.com/products)
4 | - Rogue Access Point - Any access point hidden so nobody will know it's there, taped under a desk, or even an individual computer with a USB card plugged in and set to peer-to-peer
5 | - Hub - Attach a network listening device on the wire easily
6 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | The MIT License (MIT)
2 |
3 | Copyright (c) 2013 PWN Wiki Team
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy of
6 | this software and associated documentation files (the "Software"), to deal in
7 | the Software without restriction, including without limitation the rights to
8 | use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
9 | the Software, and to permit persons to whom the Software is furnished to do so,
10 | subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
17 | FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
18 | COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
19 | IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
20 | CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
21 |
--------------------------------------------------------------------------------
/tools/forensictools.md:
--------------------------------------------------------------------------------
1 | On the box with the suspicious application/code:
2 | - Procmon
3 | - Regshot (compare before/after)
4 | - tcpview
5 | - wireshark
6 |
7 | Code Analysis
8 | - OllyDbg
9 | - OllyDump
10 | - IDA Pro
11 | - BinText/Strings
12 | - Hex Fiend (OSX)
13 | - Hex Edit (Windows)
14 | - vi with xxd (Linux) - ":%!xxd" in command mode switches the buffer to a hex dump and ":%!xxd -r" converts it back
15 | - Insert Stego finder app
16 |
17 | Distributions
18 | - REMnux
19 | - SANS Investigative Forensic Toolkit (SIFT)
20 | - Cuckoo Sandbox - S/W that installs on Windows XP
21 |
22 | External Services
23 | - Virus Total
24 | - Anubis
25 | - GFI Sandbox (formerly CWSandbox)
26 | - Norman Sandbox
27 |
28 | Resource Sites
29 | - [OpenRCE Articles](http://www.openrce.org)
30 | - LordPE has been discontinued, but it was good. It seems the last update was in 2009
31 | - [Explorer Suite](http://ntcore.com/exsuite.php)
32 |
33 | Memory Forensics
34 | - [Volatility](https://code.google.com/p/volatility) - Memory Forensics Python Scripts
35 | - [Volatility Commands](https://code.google.com/p/volatility/wiki/CommandReference) - Volatility Command Help
36 | - [SANS Memory Forensics cheat Sheet](https://blogs.sans.org/computer-forensics/files/2012/04/Memory-Forensics-Cheat-Sheet-v1_2.pdf)
37 |
38 | [Tools](../tools.md)
39 |
--------------------------------------------------------------------------------
/resources.md:
--------------------------------------------------------------------------------
1 | # CTF Resources
2 |
3 |
4 | * [CTF Information](http://capture.thefl.ag/) - Contains practice CTFs and other info
5 | * [g0tmi1k.blogspot](http://g0tmi1k.blogspot.com/) - Video walkthroughs of tons of the Vulnerable VMs/Software & other great info.
6 |
7 | ## To be filed
8 |
9 | * [Microsoft BlueHat](http://www.microsoft.com/security/bluehatprize/)
10 | * [Top_Coder]() - Individual Challenges
11 | * [Crack Me if you can]() Password/Hash Cracking
12 | * [BSides London Reversing Challenges](http://www.securitybsides.org.uk/challenges2012.html)
13 | * [Ethical Hacker Network's Challenge](http://www.ethicalhacker.net/content/category/2/12/2/)
14 | * [Google Summer of Code](https://www.owasp.org/index.php/GSoC2012_Ideas#ModSecurity_Core_Rule_Set) - could be interesting
15 | * [Smash The Stack](http://smashthestack.org) - Primers: at Art of Exploitation and [here](http://insecure.org/stf/smashstack.html)
16 | * http://google-gruyere.appspot.com/
17 | * http://www.enigmagroup.org/
18 | * http://www.crackmes.us/
19 | * https://www.facebook.com/hackercup
20 | * http://www.wechall.net/
21 | * http://www.overthewire.org/wargames/
22 | * http://challenge.spider.io/
23 | * http://challenge.constantcontactsecurity.com/ - Starts out extremely easy
24 | * http://sourceforge.net/projects/lampsecurity/ - provides several Capture The Flag challenges
25 | * http://exploit-exercises.com/
26 | * https://pwn0.com/ - Network of Danger and fun!
27 |
28 | ## Competition Organizer Resources
29 |
30 | * [Cybersecurity Competition Federation](http://cyberfed.org/) - NSF Grant funded project to help information security competitions and players
31 | * [Cybersecurity Competition Federation](http://cyberfederation.pbworks.com/w/page/68211038/Federation%20Knowledgebase%20HomePage) - Group aiming to help competition players, mentors, sponsors and organizers (Old Link)
32 |
--------------------------------------------------------------------------------
/tools/johntheripper.md:
--------------------------------------------------------------------------------
1 | [Version able to bruteforce GPG pass-phrases](https://github.com/shadown/magnum-jumbo)
2 |
3 | Compile with Multi-threaded support and GPU support
4 |
5 | [Recompiling with multicore support](http://www.win.tue.nl/~aeb/linux/john/john.html)
6 |
7 | [Syntax Help](http://www.openwall.com/john/doc/EXAMPLES.shtml)
8 |
9 | [John the Ripper user community resources](http://openwall.info/wiki/john)
10 |
11 |
12 | How to use John The Ripper to crack Drupal Database:
13 |
14 | 1. Get the Drupal database via SQL injection or physical access and save it to data.sql
15 |
16 | 2. Run sudo /etc/init.d/mysql restart
17 |
18 | 3. Log in to the database with mysql -uroot -ptoor
19 |
20 | 4. Run CREATE DATABASE hack;
21 |
22 | 5. Exit mysql and then run the following command
23 |
24 | 6. mysql -uroot -p hack < data.sql
25 |
26 | 7. Now you can export the database in the right format for john, as well as run queries on the data (time logged in, email, etc.) once you crack a password
29 |
30 | 8. Get back into mysql and run the command:
31 | use hack;
32 |
33 | 9. then copy and paste the following text into the mysql run window:
34 | SELECT name,pass INTO OUTFILE '/tmp/goodies.csv'
35 | FIELDS TERMINATED BY ':' OPTIONALLY ENCLOSED BY ''
36 | LINES TERMINATED BY '\n'
37 | FROM drup_users;
38 |
39 | 10. Exit mysql again and cd into /tmp or move the file to your home directory
40 | (If you cat the file it will show the following:)
41 |
42 | [goodies.csv]
43 | username:passwordHash1
44 | username:passwordHash2
45 | etc
46 |
47 |
48 | 11. copy the file to john's folder using the following command:
49 | cp /tmp/goodies.csv /pentest/passwords/jtr/
50 |
51 |
52 | Now run john cracking on it using the following:
53 |
54 | ./john --format:raw-MD5 goodies.csv
55 |
56 | See output in john.pot or run:
57 |
58 | ./john --format:raw-MD5 goodies.csv --show
59 |
60 | You can also do wordlists like this:
61 |
62 | ./john --format:raw-MD5 goodies.csv -w:wordlist.txt
63 |
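The export above writes one name:hash line per user, and the john commands that follow assume every hash is a raw MD5, which is only true for Drupal 6 and earlier; Drupal 7 stores phpass-style $S$ hashes (John's jumbo build calls that format drupal7) and marks accounts migrated from Drupal 6 with a leading U. The following Python script is an added example, not part of this wiki or of John the Ripper: it parses the goodies.csv layout, classifies each hash, reports which John formats the file actually needs, and lists the accounts whose passwords are still stored as unsalted MD5, which is the weak-storage finding to report. The sample export and the $S$ values in it are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the name:hash layout that the SELECT ... INTO OUTFILE above writes.
# Every value is made up for this example: the 32-hex value is md5("password"); the $S$
# strings are random-looking 55-character values in Drupal 7's layout, not real hashes.
SAMPLE_EXPORT = """\
admin:5f4dcc3b5aa765d6ff9c7d1d88ee6f14
editor:$S$DkIkdGhMn3uWyHc6YhrqyTeX0pWDbKCcWfMTnBaSjpq1IROXsnU.
legacy:U$S$DZ9wK5h8QxSfhG9d6RiEi9lZUw3cNL7x7GhJ6RGoGqcRJ1fqxY0H
broken:notahash
"""

# (label, pattern, John format). The John format is None where neither raw-md5 nor
# drupal7 can be pointed at the stored value as-is.
HASH_KINDS = [
    # Drupal 6 and earlier: unsalted MD5 of the password, the case the commands above cover
    ("raw-md5", re.compile(r"^[0-9a-f]{32}$"), "raw-md5"),
    # Drupal 7: "$S$" + 1 iteration-count char + 8 salt chars + 43 hash chars = 55 chars
    ("drupal7", re.compile(r"^\$S\$[./0-9A-Za-z]{52}$"), "drupal7"),
    # Drupal 7 account migrated from 6: phpass over the old MD5, marked with a leading "U"
    ("drupal7-migrated", re.compile(r"^U\$S\$[./0-9A-Za-z]{52}$"), None),
]


def classify_hash(digest):
    """Return (label, john_format) for one value from the pass column."""
    for label, pattern, john_format in HASH_KINDS:
        if pattern.match(digest):
            return label, john_format
    return "unknown", None


def parse_export(text):
    """Parse name:hash lines; split on the last colon because the hash never contains one."""
    rows = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if ":" not in line:
            raise ValueError(f"line {lineno}: expected name:hash, got {line!r}")
        name, digest = line.rsplit(":", 1)
        rows.append((name, digest, classify_hash(digest)))
    return rows


def audit(text):
    """Summarise hash storage: counts per kind, the John formats the file needs, and the
    accounts whose passwords are still stored as unsalted MD5."""
    rows = parse_export(text)
    counts = Counter(label for _, _, (label, _) in rows)
    formats = sorted({fmt for _, _, (_, fmt) in rows if fmt})
    weak = sorted(name for name, _, (label, _) in rows if label == "raw-md5")
    return {"total": len(rows), "by_kind": dict(counts),
            "john_formats": formats, "unsalted_md5_users": weak}


if __name__ == "__main__":
    for key, value in audit(SAMPLE_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against a real export (replace SAMPLE_EXPORT with the file contents) before choosing a --format: a file with any $S$ lines needs drupal7 for those rows, and the U-prefixed rows match neither format directly because the stored value is phpass applied to the MD5 of the password rather than to the password itself.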
64 | [Tools](../tools.md)
65 |
--------------------------------------------------------------------------------
/conferences.md:
--------------------------------------------------------------------------------
1 | ## Conferences with CTFs
2 |
3 | More exhaustive list: [Secore.info](https://secore.info/)
4 | Academic: see http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm (papers are usually freely available on the author's website)
5 |
6 | '''January'''
7 |
8 | '''February'''
9 | * [[ShmooCon]] - Washington, DC Got ShmooBalls to throw?
10 | * [[BSidesSanFrancisco]] - San Francisco, CA
11 | * [[RSA]] - San Francisco, CA
12 |
13 | '''March'''
14 |
15 | '''April'''
16 | * [[BSidesRoc]] - Rochester, NY http://bsidesroc.com
17 | * [[AppSecDC]] - Washington DC
18 | * [[Infiltrate]] - Miami Beach, FL http://infiltratecon.net
19 | * [[Notacon]] - Cleveland, OH
20 | * [[ThotCon]] - Chicago, IL
21 | * [[BSidesChicago]] - Chicago, IL
22 | * [[Outerz0ne]] - Atlanta, GA
23 |
24 | '''May'''
25 | * [[LayerOne]] - Los Angeles, CA
26 | * [[CarolinaCon]] - Raleigh, NC
27 | * [[BSidesROC]] - Rochester, NY
28 |
29 | '''June'''
30 | * [[SummerCon]] - Variable Location, last 2 years have been in NY
31 | * [[Hackademic]] - Newark, Delaware, New Con
32 | * [[BSideDetroit]] - Detroit, Michigan, New Con 2nd year
33 |
34 | '''July'''
35 | * [[HOPE]] - New York City, NY
36 | * [[Black Hat]] - Las Vegas, NV (Your Employer paying the bill, right?)
37 | * [[BSidesLV]] - Las Vegas, NV
38 | * [[DefCon]] - Las Vegas, NV
39 |
40 | '''August'''
41 | * [[ToorCamp]] - Washington State, Run by the same people as ToorCon, but on a slightly different locale
42 |
43 | '''September'''
44 | * [[Brucon]] - Ghent, Belgium
45 | * [[DerbyCon]] - Louisville, KY
46 | * [[ToorCon]] - San Diego, CA
47 | * [[44Con]] - London, England
48 |
49 | '''October'''
50 | * [[SkyDogCon]] - Nashville, TN
51 | * [[Hacker Halted]] - Miami, FL
52 | * [[Hacklu]] - Luxembourg
53 | * [[GrrCon]] - Grand Rapids, MI
54 | * [[BsidesDC]] - Washington DC (2013)
55 | * [[Hack3rcon]] - Charleston, WV
56 | * [[AppSecUSA]] - Austin, TX
57 |
58 | '''November'''
59 | * [[BSidesDE]] - Wilmington, DE
60 | * [[MDDFI]] - Largo, MD (http://www.mddfi.org/)
61 |
62 | '''December'''
63 | * [[C3]] - Berlin, Germany
--------------------------------------------------------------------------------
/practice.md:
--------------------------------------------------------------------------------
1 | # CTF Practice Materials
2 |
3 | ## Vulnerable VMs/Software
4 | * [pwnos]() Debian VM http://www.backtrack-linux.org/forums/showthread.php?t=2748
5 | * [WebGoat]() Web App - https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
6 | * Metasploitable 2 http://sourceforge.net/projects/metasploitable/files/Metasploitable2/
7 | * Metasploitable 2 official walkthrough: https://community.rapid7.com/docs/DOC-1875
8 | * Metasploitable 2 walkthrough blog post: http://nkush.blogspot.com/2011/09/metasploitable-walkthrough.html
9 | * [Metasploitable]() Ubuntu 8.04 VM http://www.offensive-security.com/metasploit-unleashed/Metasploitable
10 | * DVWA - Damn Vulnerable Web App http://sourceforge.net/projects/dvwa/?_test=b
11 | * Web Security Dojo - http://dojo.mavensecurity.com/
12 | * DVL - Damn Vulnerable Linux - Discontinued, last release 1/26/09 http://distrowatch.com/table.php?distribution=dvl
13 | * (Version 1.5 is currently available via http://www.computerdefense.org/dvl/ (captcha))
14 | * UltimateLAMP - http://ronaldbradford.com/tmp/UltimateLAMP-0.2.zip
15 | * Random - VMWare Appliances http://www.vmware.com/appliances/
16 | * Nist XP VM - http://nvd.nist.gov/fdcc/index.cfm (Renamed_Admin / P@ssw0rd123456)
17 | * SQLoL https://github.com/SpiderLabs/SQLol
18 | * Moth http://www.bonsai-sec.com/en/research/moth.php Vulnerable Web Apps
19 | * De-Ice L1D1 http://www.mediafire.com/?bfo9b21g2m69tb6
20 | * De-Ice L1D2 http://www.mediafire.com/?tnci5ewmcoyrp8o
21 | * De-Ice L1D3 A&B http://forums.heorot.net/viewtopic.php?f=18&t=482
22 | * De-Ice L2D1 http://www.mediafire.com/?tnci5ewmcoyrp8o
23 | * OffSec Lab - Offensive Security Labs has 47 computers for exploitation
24 | * Secutor Prime - http://www.threatguard.com/downloads - Windows VM for scoring/practicing hardening skills according to standards
25 | * http://21ltr.com/scenes/21LTR.com_Scene1_2.120_v1.0.iso
26 | * [Kioptrix Level 1](http://www.kioptrix.com/dlvm/Kioptrix_Level_1.rar)
27 | * [Kioptrix Level 2](http://www.kioptrix.com/dlvm/Kioptrix_Level_2.rar)
28 | * [Kioptrix Level 3](http://www.kioptrix.com/dlvm/KVM3.rar)
29 | * [Kioptrix Level 4](http://www.kioptrix.com/dlvm/Kioptrix4_vmware.rar)
30 | * [Kioptrix Downloads page](http://www.kioptrix.com/blog/?page_id=135) - Also has lvl 4 for Hyper-V and hashes
31 |
32 | ## Cheap Training - Don't Know about Quality
33 | * [[hackingdojo]] Cheap Training, Questionable Value
34 | * [[ninja-sec]]
35 | * US Gov Baseline Config: http://usgcb.nist.gov/usgcb_content.html
36 | * [[Web Security Dojo]] - Web App Exploitation Training VM
--------------------------------------------------------------------------------
/tools/nessus.md:
--------------------------------------------------------------------------------
1 | == Nessus Vulnerability Scanner ==
2 |
3 | Nessus is a vulnerability scanner provided by Tenable Network Security. Like most vulnerability scanners, its primary function is to scan targeted systems over a network for various vulnerabilities and report them back to the user for their consideration. Nessus also has the added functionality of being able to easily integrate scan results into Rapid7's Metasploit Framework through its ability to import scans and/or the nessus connector for Metasploit.
4 |
5 | It can be installed and run on practically any OS (Windows, Linux, OSX, Solaris, FreeBSD) and comes in two flavors: a home feed for security researchers and a professional feed that must be purchased for commercial use. The popular Backtrack Linux distribution comes with Nessus pre-installed, only requiring the proper licensing to get started.
6 |
7 | ===Licensing===
8 | Home Feed: up to 16 IP Addresses
9 | Evaluation: up to 16 IP Addresses and up to 15 days
10 | Professional: no apparent limits
11 |
12 | == Getting Started on Backtrack ==
13 |
14 | I am going to run through the basic instructions required to get started on Backtrack. The instructions may differ slightly on your distro of choice, but overall, it should be fairly similar.
15 |
16 | 1. Backtrack 5, 5R1 and 5R2 all come with Nessus pre-installed and integrated into the Application/Backtrack menu system. For this purpose, I'm going to skip the actual installation process. However, if you are interested in installing Nessus on your distribution of choice, installation packages can be found [here](http://www.tenable.com/products/nessus/select-your-operating-system).
17 |
18 | 2. Next you will need to register your nessus installation with Tenable as either a home or professional feed and get the license key to actually use the product. This page for [Nessus](http://www.tenable.com/products/nessus/nessus-homefeed) will allow you to do so.
19 |
20 | 3. Ensure the system hosting your nessus instance has internet access -- you will need internet access to update nessus plugins initially as well as for licensing the installation.
21 |
22 | 4. After getting your license in your e-mail inbox, open up a terminal window and input the following:
23 | /opt/nessus/bin/nessus-fetch --register [license key]
24 |
25 | This submits your license to Tenable.
26 |
27 | 5. Next you have to add a user to nessus. The first user you add will usually be the admin user. On backtrack this can be done via the backtrack menu (Vulnerability Assessment > Vulnerability Scanners > Nessus > nessus user add). Follow the on-screen prompts.
28 |
29 | 6. Next start the nessus server by choosing "nessus start" under the vulnerability scanners menu.
30 |
31 | Optional: if you want nessus to start on boot on backtrack, enter the following command in a terminal window: "update-rc.d nessusd defaults"
32 |
33 | 7. Next, you will need to open a web browser to access the management interface for nessus. By default, nessus listens on port 8834 and only accepts HTTPS connections, so point your web browser to:
34 | https://[nessus server ip]:8834
35 | Note: the nessus management interface requires JavaScript and Flash to run. Upon first login to the management interface you may have to wait a moment or two; Nessus does a lot of background housekeeping and initialization on first login, so be patient.
36 |
37 | [Tools](../tools.md)
38 |
--------------------------------------------------------------------------------
/tools/armitage.md:
--------------------------------------------------------------------------------
1 | ==Armitage Tool==
2 |
3 | Armitage is a free and open-source front-end to the Metasploit framework Developed by Raphael Mudge and Strategic Cyber LLC. The motto and design goal of Armitage is "fast and easy hacking". This is achieved by an easy to navigate GUI, integration of db_autopwn by way of Armitage's Hail Mary along with easy host management and network pivoting through exploited hosts. Armitage also boasts collaborative capability through its deconfliction server in combination with msfrpcd, as well as attack automation via the cortana scripting engine.
4 |
5 | ==Red Teaming==
6 |
7 | Red Teaming allows multiple members of a pentest team or red team to collaborate during an engagement. It also reduces duplication of effort, attacker footprint and the chance of destabilizing controlled hosts through multiple users exploiting the same host repeatedly -- you know who has sessions on the system, and can pass sessions or have different users interact with a single session as necessary.
8 |
9 | The architecture relies on armitage's deconfliction server to manage connections from armitage clients and in turn proxy/manage connections to msfrpcd and in turn to the controlled host(s).
10 |
11 | To summarize, in order to perform red teaming, the system that will be acting as a server has two components:
12 | msfrpcd (metasploit framework RPC daemon)
13 | armitage deconfliction server (connection manager for armitage clients, and proxy to msfrpcd)
14 |
15 |
16 | The method of doing this is in fact already scripted through the script teamserver.sh available on fastandeasyhacking.com.
17 |
18 | The script handles all the fun of the Lovecraftian summoning of msfrpcd, generating an SSL cert for the deconfliction server and summarily telling Java to use the SSL cert on the deconfliction connection. Here are the basic steps to do this:
19 |
20 | 1. install the latest backtrack release
21 | 2. dhclient ethX && apt-get update && apt-get -y upgrade && cd /pentest/exploit/framework && msfupdate && startx (get an ip address, patch all the things, svn up metasploit/armitage and start X)
22 | 3. terminal window: current directory will be /pentest/exploit/framework
23 | cd data/armitage
24 | 4. cp teamserver /pentest/exploit/framework/data/armitage
25 | 5. chmod u+x teamserver && ./teamserver [ip address] [deconfliction server password you want to use]
26 | 6. tell clients connection information: ip address:port username:password
27 | 7. ???
28 | 8. profit.
29 |
30 | ***NOTE: Don't try to start msfrpcd and the deconfliction server yourself. The teamserver.sh script is made available for a reason and protects you in the event that the deconfliction server setup process changes (This is per Raphael Mudge himself). Take it from somebody that did NOT RTFM. Don't do this, and you will avoid much crying, wailing and gnashing of teeth.***
31 |
32 | ==Cortana==
33 |
34 | Cortana is the scripting engine for armitage and can be used to automate several tedious tasks in armitage. There are several scripts made available by Raphael and other contributors as well as the script recorder built into Armitage itself for recording manual operations you perform on a host for automation.
35 |
36 | [A collection of Cortana scripts that you may use with Armitage and Cobalt Strike](https://github.com/rsmudge/cortana-scripts "cortana-scripts github")
37 |
38 | ==References==
39 |
40 | [Manual from Raphael Mudge](http://www.fastandeasyhacking.com/manual)
41 | [Training from Raphael Mudge](http://www.fastandeasyhacking.com/training)
42 |
43 | ==Raphael Mudge==
44 | Red Team for Multiple regions: NE-CCDC, MA-CCDC, creator of Red Team Tool: [Armitage](http://www.fastandeasyhacking.com)
45 | [@armitagehacker](https://twitter.com/armitagehacker)
46 |
47 | [Tools](../tools.md)
48 |
--------------------------------------------------------------------------------
/index.md:
--------------------------------------------------------------------------------
1 | # CTF Wiki
2 |
3 | Transplant from: http://ctf.forgottensec.com/wiki/index.php
4 |
5 | This is the beginning of the construction of a wiki for information about various CTFs and InfoSec Competitions. I had it set for OPEN EDIT, but jerks from the Ukraine decided to deface my site a bunch of times this week. Now you need an account to make edits. Feel free to use the information and/or register and contribute. My current focus is getting information about each competition, but as I have more time/help, I will be writing labs for each subject needed for these competitions. If you have any questions, feel free to email me at Forgotten {at} forgottensec {dot} com
6 |
7 | The InfoSec field has a very strong community. Moving with those sentiments, I have decided to dedicate this wiki to organizing competition information for CTFs. These competitions help the community's skills to be passed along in a fun and enjoyable way. As many of us love solving challenges, CTFs are a natural step to learn and improve. Getting started with CTFs can be daunting; I hope that the information within helps people to improve their skills and become a stronger part of the community. In turn, I hope that as people improve, they come back and contribute to help others.
8 |
9 | ## Types of CTFs
10 |
11 | The main types of challenges are:
12 |
13 | * Red Team/Attack
14 | - Creator sets up a network of targets for attack
15 | - Sometimes different teams attack the same set of targets creating collisions, sometimes not
16 | * Blue Team/Defense
17 | - Creator sets up a vulnerable network
18 | - Players inherit the network, sometimes knowing what they are inheriting, sometimes not
19 | * Jeopardy Style
20 | - Jeopardy Scoreboard with different categories and questions of different difficulty
21 | - Almost always allow multiple people to submit answers to all questions
22 | - Typically starts with only the easiest questions open and forces you to solve an easier one in a given category to open the next question (otherwise time-delayed opening for higher value questions)
23 | * Mixed
24 |
25 | ## Uses of CTF
26 |
27 | * Fun
28 | * Learning experience (Practical Hands-on) - For both creator and player
29 | * Testing of a new product
30 | - If only more companies did this, products might be more secure and more usable
31 | - What if you could do security testing for the price of a simple prize
32 | * Hiring - Resumes are great, but how do I know who can do what I want
33 |
34 | ## Calendar of CTFs
35 |
36 | Calendar is in East Coast Time Zone
37 |
38 |
39 |
40 | ## Variable or Continuous
41 |
42 | * [ThreatSpace]() - Monthly Challenge, none for July due to DefCon
43 | * [Sans NetWars]() - http://www.sans.org/cyber-ranges/netwars/
44 | * [PacketWars]() - http://www.packetwars.com
45 | * [hackthissite]() - http://hackthissite.org
46 | * [Smash the Stack]() - http://smashthestack.org/
47 | * [Hack Miami]() - lots of CTFs, no details currently - http://hackmiami.org
48 | * [Forensics Contest]() - LMG Security Forensic Contest - http://forensicscontest.com
49 | * [HoneyNet Project Challenges]() - http://www.honeynet.org/challenges/
50 | * [Halls of Valhalla]() - http://halls-of-Valhalla.org/ - Hundreds of challenges and an active community that adds new challenges as they think of them
51 | * [Hellbound Hackers]() - http://www.hellboundhackers.org/ - New
52 | * [SANS post-class CTFs]() - Usually when you take a sans course, especially in the pentesting track, you'll do a small CTF at the end of the class as a training exercise.
53 |
54 | ## Online CTF
55 |
56 | * [Security Treasure Hunt]() - http://www.securitytreasurehunt.com/
57 | * http://www.root-me.org/?lang=en
58 | * http://www.hackthissite.org/
59 | * http://exploit-exercises.com/
60 | * http://hackquest.com
61 | * http://securitytraps.no-ip.pl/
62 | * http://www.astalavista.com/index.php?app=hackingchallenge (you must create a username & password to see the server info)
63 | * http://ringzer0team.com/
64 |
--------------------------------------------------------------------------------
/tools.md:
--------------------------------------------------------------------------------
1 | ## Offensive Tools
2 |
3 | ### Scanners
4 |
5 | - [Nikto](http://www.cirt.net/nikto2) - Web Application Scanner [Downloadable Package](http://www.cirt.net/nikto/nikto-2.1.5.tar.gz)
6 | - [Nmap](http://nmap.org) - Port Scanner, Command line based
7 | - [Nessus](tools/nessus.md) - Vulnerability Scanner
8 | - [FireSheep](http://codebutler.com/firesheep) - Firefox Extension that steals login cookie from the local network and allows the person running firesheep to use the cookie to hijack the session
9 | - [Social Engineers Toolkit by Dave "Rel1k" Kennedy](http://www.securitytube.net/video/829) - Clone any website you want and to use the Java Applet to attack automatically.
10 | - [Metasploit](http://www.metasploit.com/) - Ruby based framework for exploits/scanners by Rapid7 [Extensive Tutorials for Metasploit](http://www.offensive-security.com/metasploit-unleashed/Main_Page)
11 | - [TeamSploit](http://www.teamsploit.com/download.php) - Pen Testing With Friends by Justin Wray which is a free penetration automation tool suite
12 | - [Armitage](tools/armitage.md) - GUI for Metasploit written by Raphael Mudge; it's extremely powerful and easy to use
13 | - [Burp Suite](http://portswigger.net/burp) - Burp Suite is an integrated platform for performing security testing of web applications.
14 | - [Remote Administration Tools](tools/rats.md) (RATs) - Poison Ivy and more as I find them and have time to get info on them
15 | - [Pen Testing Hardware](tools/pentestinghardware.md) - All those beautiful little toys that can do so much
16 | - [Kryptos](https://github.com/nickmc01/Kryptos) - This OpenWire Sec Web App is designed to help Pen Testers collaborate
17 |
18 | ### Fuzzing Resources
19 |
20 | - From Fuzzing to Metasploit [Part 1](http://www.youtube.com/watch?v=DHvHGwczsMY) [Part 2](https://www.youtube.com/watch?v=TTng0EKTCgQ) [Part 3](https://www.youtube.com/watch?v=DHvHGwczsMY)
21 | - [Introducing Vulnserver](http://grey-corner.blogspot.com/2010/12/introducing-vulnserver.html)
22 |
23 | ### Password Cracking Tools
24 |
25 | - [John The Ripper](tools/johntheripper.md) - Free and Open Source fast password cracker primarily used to detect weak Unix passwords
26 | - [HASHCat](http://hashcat.net) - World's fastest WPA cracker with dictionary mutation engine
27 | - [Cain and Abel](http://www.oxid.it) - Password recovery tool for Microsoft Operating Systems
28 |
29 | ## Defensive Tools
30 |
31 | - [Unsploitable by Justin Wray](http://sourceforge.net/projects/unsploitable) - Automatically Patch Metasploitable Vulnerabilities
32 | - [Full Database Activity Auditing for the MySQL User Base](https://blogs.mcafee.com/business/security-connected/full-database-activity-auditing-for-the-mysql-user-base) - Mcafee MySQL Audit Application
33 | - [Network Miner](http://www.netresec.com/?page=NetworkMiner) - Windows based capture tool capable of pulling objects out of a tcp stream
34 | - [US Gov Baseline Config](http://usgcb.nist.gov/usgcb_content.html) - Security configuration baselines for Information Technology products widely deployed across the federal agencies.
35 | - [Mandiant Community Resources Software Downloads](https://www.mandiant.com/resources/downloads) More details forthcoming...
36 | - [ModSecurity](https://www.modsecurity.org) - Open Source WAF
37 | - [OWASP Countermeasures](https://www.owasp.org/index.php/Category:Countermeasure)- Details countermeasures and tools used.
38 | - [Forensic Tools](tools/forensictools.md) - Gotta figure out what happened
39 | - [Master Boot Record by Jamie Levy](http://gleeda.blogspot.com/2012/04/mbr-parser.html) - MBR parser
40 | - [Basic Linux Administration](tools/basiclinuxadministration.md)
41 | - [Introduction to IDS and IPS concepts by Tony Robinson](https://www.blindseeker.com/wiki/Introduction_to_IDS_and_IPS_concepts) - Best IDS resource you will find
42 | - [Snort IDS](https://www.snort.org) - A free lightweight network intrusion detection system for UNIX & Windows.
43 |
44 |
45 | ## Learning Reverse Engineering
46 |
47 | - [Collection of reverse engineering tutorials for beginners by Lenas](http://tuts4you.com/download.php?list.17)
48 | - [ZeroAccess Rootkit](http://resources.infosecinstitute.com/step-by-step-tutorial-on-reverse-engineering-malware-the-zeroaccessmaxsmiscer-crimeware-rootkit) - Four part article series with step-by-step tutorials on how to reverse engineer the ZeroAccess Rootkit
49 | - [REMnux: A Linux Toolkit for Reverse-Engineering and Analyzing Malware](http://zeltser.com/remnux/ "Remnux")
50 | - [HopperApp](http://www.hopperapp.com) - Reverse engineering tool for OS X and Linux that lets you disassemble, decompile and debug your 32/64-bit executables
51 |
52 | ### Debuggers
53 |
54 | - [OllyDebug](http://www.ollydbg.de) - OllyDbg is a 32-bit assembler level analysing debugger for Windows
55 | - [IDA](https://www.hex-rays.com/products/ida/) - IDA is a Windows, Linux or Mac OS X hosted multi-processor disassembler and debugger if you have money...It's expensive.
56 |
57 | ### Sandbox Tools
58 |
59 | - [Sandboxie](http://www.sandboxie.com) - A sandbox-based isolation program developed by Invincea (which acquired it from the original author Ronen Tzur) which prevents programs from making permanent changes to other programs and data
60 | - [Cuckoo](http://www.cuckoosandbox.org) - An open source automated dynamic malware analysis system
61 |
62 | ### Other Reversing Tools
63 |
64 | - [GMER](http://www.gmer.net) - Rootkit Detector for NT/W2K/XP/VISTA/7 and Samples
65 | - [SysInternals](http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx) - Toolkit for Windows
66 | - [Mandiant's RedLine](http://www.mandiant.com/resources/download/redline) - Windows XP, Windows Vista, Windows 7 (32-bit and 64-bit)
67 | - [XXD](http://linuxcommand.org/man_pages/xxd1.html) - Free Linux command line hex editor
68 | - [FireEye's FLARE Team Reversing Repository](https://github.com/fireeye/flare-ida)
69 |
70 | ## Other Tools
71 |
72 | - [Wireshark](https://www.wireshark.org) - Packet Analysis tool
73 | - [QR Decoder](http://zxing.org/w/decode.jspx) - can also do barcodes
74 | - [pngcheck](http://www.libpng.org/pub/png/apps/pngcheck.html) - Tool for checking CRC values within a PNG file.
75 | - [Hex Workshop](http://www.bpsoft.com/downloads) - Windows Hex Editor
76 | - [GNS3](http://www.gns3.net) - Graphical Network Simulator using Virtual Box
77 |
--------------------------------------------------------------------------------
/tools/basiclinuxadministration.md:
--------------------------------------------------------------------------------
1 | ***Top 3 Most Important Things***
2 |
3 | man will give you the manual for a specific command
4 |
5 | If you hit tab, it will auto-complete commands
6 |
7 | Everything is case sensitive!
8 |
9 | [Very Beginner Linux Users Guide](http://www.ee.surrey.ac.uk/Teaching/Unix)
10 |
11 | =User Administration=
12 | If a file called /etc/nologin exists, no users can log in. Any text in that file will be displayed
13 |
14 | ==Adding a User==
15 | The useradd command will add a user; it is located in /usr/sbin/
16 | You can use the -g switch to add that user to a group as well; for multiple groups use -G
17 |
18 | ==Adding a group==
19 | addgroup
20 |
21 | ==Deleting a user==
22 | userdel
23 |
24 | Using the -r switch will also remove their home directory
25 |
26 | ==Who==
27 | This command tells you who is logged in and what terminal they are on
28 |
29 | who -a adds a whole bunch of other useful info and can tell you where users are connected from
30 |
31 | Alias is w
32 |
33 | ==Sudoers==
34 | Lists which users are permitted to become the root user on request, authenticating with their own username/password, via the sudo command
35 |
36 | Users can also change users without logging out using the "su" command along with the name of the user they want to log in as.
37 |
38 | ==Password File==
39 | This file, /etc/passwd, should never actually list passwords, but it does hold a list of users and their account info.
40 |
41 | Each user has his own line of info separated with colons:
42 | * username (1-32 characters)
43 | * password (x means password is in /etc/shadow)
44 | * User ID or UID
45 | ** Each user will get a user id or UID. That number will tell you what type of user they are.
46 | ** 0 root the administrator account
47 | ** 1-999 Service accounts and System administration
48 | ** 1000+ User accounts
49 | * Group ID (GID)
50 | * User info
51 | * home directory
52 | * shell
53 |
54 | The actual password info is stored in /etc/shadow in hashed (encrypted) form
55 |
56 | Each user has their own line of info separated by colons:
57 | * username
58 | * password
59 | ** If the password field starts with "$id$Salt$hash", the password was stored with something other than DES (DES is easy to break)
60 | ** "$1$" represents MD5
61 | ** "$2$" represents Blowfish
62 | ** "$3$" represents NT HASH
63 | ** "$4$" represents SHA1
64 | ** "$5$" represents SHA-256 or SHA-384
65 | ** "$6$" represents SHA-512
66 | ** "NP" or "!" or null means the account has no password
67 | ** "LK" or "*" means the account is locked
68 | ** "!!" means the password has expired
69 | * Time since last password was changed (in epoch time or days since Jan. 1st 1970)
70 | * Minimum Number of days between password changes
71 | * Maximum Number of days the password is valid
72 | Warn is the number of days before a user's password expires that they are warned
73 | Inactive number of days after password expires before that account is disabled
74 | Expire - when the user can no longer log in (in epoch time)
75 |
76 | Some newer systems use SHA-512 by default. This is set in /etc/pam.d/common-password
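As an added example (not part of the wiki), this POSIX shell snippet applies the /etc/passwd and /etc/shadow rules above to constructed records: it labels each shadow password field by its "$id$" prefix or lock marker, and flags extra UID-0 accounts, empty password fields and legacy DES/MD5 hashes. All usernames and hash values are made up.

```shell
# Added example, not from the wiki: audit made-up /etc/passwd and /etc/shadow
# records for the conditions listed above. Hash values are placeholders.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup:x:0:0:legacy backup job:/var/backups:/bin/sh'

SHADOW_SAMPLE='root:$6$saltsalt$placeholderhash:15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
alice:$1$abcd$placeholderhash:15000:0:99999:7:::
backup::15000:0:99999:7:::'

# Classify one shadow password field by the markers and $id$ prefixes above.
hash_type() {
    case "$1" in
        ''|NP|'!')  echo "no-password" ;;
        '!!')       echo "expired" ;;
        LK|'*')     echo "locked" ;;
        '$1$'*)     echo "md5" ;;
        '$2'*)      echo "blowfish" ;;        # $2$, $2a$, $2y$ variants
        '$5$'*)     echo "sha256" ;;
        '$6$'*)     echo "sha512" ;;
        '$'*)       echo "other-modular" ;;   # e.g. $3$ NT hash, $4$ SHA1
        *)          echo "des" ;;             # no $id$ prefix: traditional crypt
    esac
}

# Report accounts worth a second look: any UID-0 account other than root,
# shadow entries with no password, and legacy DES/MD5 hashes.
audit_accounts() {
    printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r user pw uid gid gecos home shell; do
        if [ "$uid" -eq 0 ] && [ "$user" != root ]; then
            echo "$user:extra-uid-0"
        fi
    done
    printf '%s\n' "$SHADOW_SAMPLE" | while IFS=: read -r user pw rest; do
        kind=$(hash_type "$pw")
        case "$kind" in
            no-password) echo "$user:no-password" ;;
            des|md5)     echo "$user:weak-hash-$kind" ;;
        esac
    done
}

audit_accounts
```

On a real host the same functions work on the output of `cat /etc/passwd` and `sudo cat /etc/shadow` in place of the sample strings.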
77 |
78 | ==Logging in without a password==
79 | If you are able to reboot the computer into single user mode, it will bypass password authentication, allowing you to recover a system if you forget or lose your root password.
80 |
81 | =File Info=
82 |
83 | Seen via the "ls" command with the "-l" switch.
84 | The lines that follow give you metadata for each file, like the following:
85 | -rw-r--r-- 1 root root 2021 2012-06-21 23:23 Keys.txt
86 | -rwxr-xr-x 1 root root 82 2012-04-08 10:16 urlcheck
87 |
88 | The first 10 characters deal with the file type and permissions; the next value is the link count (the number of names that refer to that file; for a directory it reflects the number of entries in it); then come the file owner, the group the file is owned by, the size of the file in bytes, the date and time the file was last modified, and finally the name of the file
89 |
90 | The first character will give you some details about the file:
91 | d for a directory
92 | - for a regular file
93 | l for a symbolic link
94 | s for a Unix domain socket
95 | p for a named pipe
96 | c for a character device file
97 | b for a block device file
98 |
99 | ==Hidden Files==
100 | Files are hidden by having the first character as "." like ".temp" as a file name
101 |
102 | When using the "ls" command, you can use a "-a" switch to show hidden files as well such as "ls -a"
103 |
104 | ==Permissions==
105 | ===Basic File Permissions===
106 |
107 | The next 9 characters are permission information, in 3 groupings of 3 permissions
108 | There are 3 different groupings in Linux file permissions: User (u), Group (g), Other (o)
109 | The three permission types are: Read (r), Write (w), and Execute (x)
110 |
111 | You change permissions using the "chmod" command like the following examples
112 | You can grant execute permission for the User or file owner like this:
113 | chmod u+x Keys.txt
114 |
115 | You can remove execute permissions from the User or file owner like this:
116 | chmod u-x Keys.txt
117 |
118 | You can set all groupings with only read permission like this:
119 | chmod a=r Keys.txt
120 |
121 | You can also set permissions using three octal digits:
122 | 4 read (r)
123 | 2 write (w)
124 | 1 execute (x)
125 | 0 no permission (-)
126 |
127 | So to set the file owner with all 3 permissions, group with Read and Write Permissions and Other with just read permissions, you would use the following command:
128 | chmod 764 Keys.txt
129 |
130 | ===Sticky Bit===
131 | Allows a folder or file to ignore write/execute permissions for everyone except the file owner
132 |
133 | ===SetUID or SetGID===
134 | A file with this bit set runs as the file's owner (SetUID) or group (SetGID), which lets you change what user or group you are
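An added example (not from the wiki) that converts the permission string shown by ls -l into the octal form chmod accepts, covering the basic rwx bits as well as the setuid, setgid and sticky bits described above, and labels the file type from the first character; the ls -l lines it parses are constructed.

```shell
# Added example, not from the wiki: convert the 10-character mode column of
# "ls -l" into the octal form chmod takes, and label the file type character.
mode_to_octal() {
    mode=$1 octal="" special=0 pos=2
    for who in u g o; do
        bits=0
        case $who in u) sbit=4 ;; g) sbit=2 ;; *) sbit=0 ;; esac
        case "$(printf '%s' "$mode" | cut -c"$pos")" in r) bits=4 ;; esac
        case "$(printf '%s' "$mode" | cut -c$((pos+1)))" in w) bits=$((bits+2)) ;; esac
        case "$(printf '%s' "$mode" | cut -c$((pos+2)))" in
            x) bits=$((bits+1)) ;;
            s) bits=$((bits+1)); special=$((special+sbit)) ;;  # setuid/setgid, x set
            S) special=$((special+sbit)) ;;                     # setuid/setgid, x clear
            t) bits=$((bits+1)); special=$((special+1)) ;;     # sticky bit, x set
            T) special=$((special+1)) ;;                        # sticky bit, x clear
        esac
        octal="$octal$bits"
        pos=$((pos+3))
    done
    printf '%s%s\n' "$special" "$octal"   # e.g. 0644, 4755, 1777
}

# Describe one "ls -l" line: file type (first character), name, octal mode.
describe_ls_line() {
    mode=${1%% *}
    name=$(printf '%s\n' "$1" | awk '{print $NF}')
    case $mode in
        d*) kind="directory" ;;        -*) kind="regular file" ;;
        l*) kind="symbolic link" ;;    s*) kind="socket" ;;
        p*) kind="named pipe" ;;       c*) kind="character device" ;;
        b*) kind="block device" ;;     *)  kind="unknown" ;;
    esac
    printf '%s %s %s\n' "$kind" "$name" "$(mode_to_octal "$mode")"
}

# Constructed ls -l lines (the second shows a setuid binary).
describe_ls_line "-rw-r--r-- 1 root root 2021 2012-06-21 23:23 Keys.txt"
describe_ls_line "-rwsr-xr-x 1 root root 54256 2012-04-08 10:16 passwd"
```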
135 |
136 | ===Symlinks===
137 | Allows linking the same file in different places
138 |
139 | ==File Attributes==
140 | Some files can be set with special attributes like immutable (can't be changed until the flag is removed) using the "chattr" command.
141 |
142 | To set or change attributes, you use "+", "-" or "="
143 |
144 | File Attribute types include:
145 | i immutable (can't be changed)
146 | u undeletable
147 | c compressed
148 | a append only (can add, but not edit/remove)
149 |
150 | There are more, but those are the most important ones.
151 |
152 | ===Immutable===
153 | So to set the Keys.txt file as immutable, you would type:
154 | chattr +i Keys.txt
155 |
156 | To get a list of File Attributes, you can use the "lsattr" command
157 |
158 | To get a list of all SetUID/SetGID files (the find below matches the 4000 and 2000 permission bits):
159 | find / -type f \( -perm -4000 -o -perm -2000 \) -exec ls -lah {} \; 2>/dev/null
160 | from Justin Wray's Defensive Tools for the Blind ([http://sourceforge.net/p/dtftb/code/2/tree/trunk/linux/find_setid.sh])
161 |
162 | ===Image Metadata===
163 | Make friends with "exiftool"
164 |
165 | =Shells=
166 | There are many different types of shells available for Linux and it is important to understand what they are, especially when setting which shells users default to.
167 |
168 | /bin/bash is the default for users
169 | /bin/false is for users that don't need a shell, like the spool service
170 | /bin/sh predecessor to bash
171 |
172 | There are many other shells, but these are the most common
173 |
174 | Shell configurations vary depending on the shell. /etc/skel shows the default when a new user is created
175 | /etc/profile and the .profile file of the user are run on login in sh, ksh, bash, and zsh
176 |
177 | The individual user's .profile (hidden) file is in their home directory
178 |
179 | For bash, their home directory also contains and runs the following files on login:
180 | .bash_profile
181 | .bash_login
182 |
183 | Bash reads the .bash_logout file from the user's home directory when they log out
184 |
185 | Bash reads the .bashrc file when a shell is created that is not a login shell but is interactive
186 |
187 | The easiest way to kill a shell is to use the "fuser -k" command like this:
188 | fuser -k pts/2
189 |
190 | The example above will kill the shell of the user on pts/2
191 |
192 | "env" lists the current environment variables; be careful if you change any of these, or your shell may seem broken
193 | As long as the user is set properly, all commands are stored in the user's home directory in .bash_history
194 | The Bash history file location is an environment variable that can be changed
195 |
196 | ==Home Folders==
197 | Each user is usually given a home folder as well as one for root. User home folders are in /home/ while root is typically /root/
198 |
200 | Instead of typing the full path to a home folder, you can use "~/" followed by the folder name; that refers to the folder inside the home folder of your user.
200 |
201 | =Processes=
202 | The "ps" command gives you a list of all current processes. I personally like to use it with the switches "ps auxwww", which gives far more information than the base command. It includes all processes, the full command used when starting each process,
203 | and much more. The plain "ps" command gives you what's running on your TTY.
204 |
205 | It is important to find the Process ID (PID) from "ps" if you need to end a process
206 |
207 | ==Kill==
208 | To kill a process, use the kill command with a certain signal to decide how the process dies.
209 | kill -hup restarts a process (loading a new config)
210 | kill -9 PID means kill it now, don't care what happens to it, just make it die (example: "kill -9 1443" would kill process 1443)
211 | kill PID ends a task somewhat gracefully
212 |
213 | ==List Open Files==
214 | The "lsof" command gives you a list of all open files and connections. I suggest using it with the switches "lsof -nPi"
215 |
216 | The -i switch will add connections and you can limit that in various ways if you want
217 | The -n option does not resolve hostnames (runs faster and won't alert an attacker)
218 | The -P option does not resolve port names (runs faster and less confusing as a port number doesn't guarantee the service using it)
219 |
220 | ==List Connections==
221 | The "netstat" command gives you a list of all connections. I suggest using it with the switches "netstat -anop"
222 |
223 | The -a switch gives you all connections
224 | The -n switch shows numerical addresses instead of resolving hostnames (runs faster and won't alert an attacker)
225 | The -o switch shows timers
226 | The -p switch shows the process ID and name of the program to which the socket belongs
227 |
228 | ==Top==
229 | The "top" command shows you what is running, priority level and what resources everything is using. The "htop" command is a better version of the same tool.
230 |
231 | ==Monitor Traffic==
232 | ===iptraf===
233 | Awesome tool that shows you where your traffic is going
234 |
235 | =Logs=
236 | Know them, love them
237 |
238 | Most are in /var/log
239 |
240 | ==Scheduled Tasks==
241 | Cron
242 |
243 | ==Background and Foreground==
244 |
245 | =Packages and Package Managers=
246 | ==Apt-Get==
247 | ==DPKG==
248 | ==RPM==
249 | ==Other==
250 | Emerge for Gentoo (might be spelled wrong, but it's Gentoo...)
251 | Pacman for Arch
252 |
253 | =Services=
254 | Most config files for a service are in /etc/
255 | Configuration files can lead to many vulnerabilities
256 | If it isn't necessary, it's probably better to turn it off
257 |
258 | ==SMB==
259 | ==Apache==
260 | ==PHP==
261 | php.ini is the config file, harden it
262 |
263 | ==SSHd==
264 | The daemon allowing remote login via Secure Shell (or SSH).
265 |
266 | Instead of using passwords, this can be configured to use keys. These keys are typically stored in the user's home directory in a subdirectory ".ssh"
267 |
268 | =Drives=
269 | mount command
270 | stored in /etc/fstab
271 |
272 | =Networking=
273 | ifconfig - same as the Windows variant ipconfig, except better/more powerful
274 |
275 | =Firewall=
276 | ==IPTables==
277 | ==PF==
278 |
279 | =Filtering Commands=
280 | [http://www.theunixschool.com/p/awk-sed.html AWK and SED Guide]
281 | Pipe - take the output of the command before the pipe and shove into standard in on the next command.
282 |
283 | [Tools](../tools.md)
284 |
--------------------------------------------------------------------------------