🕴️ CTF Website : https://uscc.cyberquests.org/
This Cyber Quest covers a wide range of topics on networking, including firewalls, routers, Wi-Fi, and packet analysis.
Some questions refer to files contained within this ZIP file : 🔗 Spring 2019 Cyber Quest Resources. Let’s start the fun.
The following questions focus on General Networking:
1️⃣ You are analyzing files created under RFC 5424.
What is the Priority value of a mail system message (Facility=2) with a Severity of Error (Severity=3)?
✅ Answer : The Priority value is calculated by first multiplying the Facility number by 8 and then adding the numerical value of the Severity.
(2*8) + 3 = 19
Reference : https://tools.ietf.org/html/rfc5424#page-11
2️⃣ A junior network administrator in your organization has alerted you to a possible security incident.
She shows you the below query she performed.
What has occurred?
- An attacker accessed NetBIOS on 192.168.2.1
- An attacker probed NetBIOS on 172.16.7.94
- The router ACL denied packets destined for ephemeral ports
- The router ACL dropped packets destined for port 137
✅ Answer :
The query she performed
Router#show logging | include 172.16.7.94. *\-\>.*\(137\) is to
identify logs for which the source IP address was
172.16.1.92 and the
destination port was
The router logs show the following:
- Source IP address :
- Source port :
- Destination IP address :
- Destination port :
- Source IP address :
- Log message Identifier
%SEC-6-IPACCESSLOGPwhich is identify a packet matching the log criteria for the given access list has been detected (TCP or UDP).
- ACL :
- ACL action:
The router ACL dropped packets destined for port 137
3️⃣ Your organization is highly dependent on the confidentially, integrity and availability of a database used by several financial core operations.
Which of the following defenses will provide the best protection to the database from attacks such as SQL injection or Application bypass?
- Network Firewall with Stateful Packet Inspection
- Packet Filtering Host Firewall
- Application Firewall
- Virtual Private Network (VPN)
✅ Answer :
First let’s understand each option:
Network Firewall with Stateful Packet Inspection : Inspect each packet individually, without considering the trends of the data you’re receiving, and they also consider the connection states of streams of data. Stateful firewalls will collect a series of packets before it determines their connection state, and then compares those findings to the firewall rules, rather than applying the rules to each individual packet of data.
Packet Filtering Host Firewall: Analyzes network traffic at the transport protocol layer. Each IP network packet is examined to see if it matches one of a set of rules defining what data flows are allowed. The rules determine whether communication is allowed based upon the information contained within the Internet and transport layer headers and the direction that the packet is headed ( any combination of source IP address, destination IP address, source port, or destination port.)
Application Firewall: Generally do everything that stateful firewalls do, and they also analyze the actual data content of the packets, not just the headers. Application firewalls allow you to set firewall rules for individual applications.The application firewall is typically built to control all network traffic on any OSI layer up to the application layer.
Virtual Private Network (VPN): A virtual private network (VPN) extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. Encryption is a common though not an inherent part of a VPN connection.
So we need application layer protocol inspection to perform a deep packet inspection of traffic that transits the firewall to mitigate SQL attacks & Application bypass Application Firewall.
4️⃣ You are configuring wireless equipment at a customer location.
Which of the following protocols will provide the most security for managing access to the devices? (Select all that apply)
- Secure Shell
✅ Answer :
First let’s understand each option:
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another. It provides several alternative options for strong authentication, and it protects the communications security and integrity with strong encryption.
A network protocol that allows a user on one computer to log into another computer that is part of the same network.
- Telnet, by default, does not encrypt any data sent over the connection (including passwords), and so it is often feasible to eavesdrop on the communications and use the password later for malicious purposes; anybody who has access to a router, switch, hub or gateway located on the network between the two hosts where Telnet is being used can intercept the packets passing by and obtain login, password and whatever else is typed with a packet analyzer.
- Most implementations of Telnet have no authentication that would ensure communication is carried out between the two desired hosts and not intercepted in the middle.
- Several vulnerabilities have been discovered over the years in
commonly used Telnet daemons.
Experts in computer security, such as SANS Institute, recommend that the use of Telnet for remote logins should be discontinued under all normal circumstances, for the above reasons.
I didn’t find any term or protocol with this name.
The Hypertext Transfer Protocol (HTTP) is a protocol which allows the fetching of resources. No Data Encryption Implemented. As an “application layer protocol”, HTTP remains focused on presenting the information, but cares less about the way this information travels from one place to another. Unfortunately, this means that HTTP can be intercepted and potentially altered, making both the information and the information receiver vulnerable.
HTTPS: Hypertext Transfer Protocol Secure (HTTPS) is an extension of the Hypertext Transfer Protocol (HTTP). It is used for secure communication over a computer network. In HTTPS, the communication protocol is encrypted using Transport Layer Security (TLS), or, formerly, its predecessor, Secure Sockets Layer (SSL).
SNMPv3 : Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. SNMPv3 provides security with authentication and privacy, and its administration offers logical contexts, view-based access control, and remote configuration.
we will use this protocols Secure Shell, HTTPS, SNMPv3 to provide the most security for managing access to the devices.
5️⃣ You are investigating multiple complaints of intermittent wireless signal at several locations within your organization.
The network team validates that the access point is transmitting at 2 mW, which is too low for the footprint of the organization. You recommend that the signal strength be increased by 9dBm. What should the new transmit power be?
- 16 mW
- 6 mW
- 12 mW
- 10 mW
✅ Answer :
The gain of antennas is expressed in decibels (dB). In the wireless communication sector, the power output and input are in milliWatts (mW).
The first thing to understand about dBm is that we’re working in negatives. -30 is a higher signal than -80, because -80 is a much lower number.
Next, it’s important to know that dBm does not scale in a linear fashion like you’d expect, instead being logarithmic. That means that signal strength changes aren’t smooth and gradual. The Rule of 3s and 10s highlights the logarithmic nature of dBm. To be simple, let’s see the so-called Rule of 10s and 3s, that allows us to calculate output power of an access point:
- For every gain of 3 dB, the power in mW is doubled
- For every loss of 3 dB, the power in mW is halved
- For every gain of 10 dB, the power in mW is multiplied by 10
- For every loss of 10 dB, the power in mW is divided by 10
So based on data provided:
9 dB = 3 + 3 + 3 2 mW + 9 dB = (((2 x 2) x 2) x 2 = 16 mW
The new transmit power should be 16 mW
6️⃣ A junior threat analyst in your organization has alerted you to some potential nefarious activity in your network.
Analyze the ping.pcap packet capture. Which location is referenced in the message?
- Mount Everest
- Great Barrier Reef
- Niagara Falls
- Grand Canyon
✅ Answer :
- Basic analysis for the file you will find the following:
- It’s communication between
- Protocol type
ICMP type 8
- If you select any connection and expanded
Internet Control Message Protocol>
Data, you will find same Payload (96 bytes) transmitted in all connections.
- Let’s grab & analysis this payload to get the message:
Right click on data value a from previous step >
show packet bytes..
Decode as >
The message :
the next drop off location will be @ 43.0828201,-79.0763516. Good luck!
- Convert latitude and longitude to location using Google Maps
Location Niagara Falls
7️⃣ You are working on installing a new Linux e-mail server.** Which of
the following ports should you open on the host firewall?
Let’s lookup the typical mail ports for hosts which will be using mail client:
Also check other ports usage:
The port we should open on the host firewall is
8️⃣ You are given the task of modifying iptables to accept TCP packets
on destination ports 6881-6890.** Which rule will accomplish this?
# iptables -A FORWARD -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
# iptables -A OUTPUT -p tcp --dport 6881:6890 -j ALLOW
Let’s begin with understanding Iptables Basics :
Linux kernel provides an interface to filter both incoming and outgoing traffic packets using tables of packet filters.
Iptables is a command line application and a Linux firewall that you can use to set-up, maintain and inspect these tables. Multiple tables can be defined.
Each table can contain multiple chains. A chain is nothing but a set of rules. Each rule defines what to do with the packet if it matches with that packet.
When the packet is matched, it is given a TARGET. A target can be another chain to match with or one of the following special values:
ACCEPT: It means the packet will be allowed to pass through.
DROP: It means that packet will not be allowed to pass through.
RETURN: It means to skip the current chain and go back to the next rule from the chain it was called in.
REJECTis used to send back an error packet in response to the matched packet: otherwise it is equivalent to
DROPso it is a terminating TARGET, ending rule traversal.]
One of the default tables called filter. Filters table has three chains ( sets of rules).
INPUT– This chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.
FORWARD– This chain is used to filter packets that are incoming to the server but are to be forwarded somewhere else.
OUTPUT– This chain is used to filter packets that are going out from your server.
Here’s the Iptables command formatted with regular options.
iptables -A -i <interface> -p <protocol (tcp/udp) > -s <source> --dport <port no.> -j <target>
-A stands for append. The chain refers to the chain we want to append
interface is the network interface on which you want to filter
protocol refers to the networking protocol of packets you want to
You can also specify the
port no of the port on which you want to
filter the traffic.
We want to
TCP packets on destination ports
-i <interface> -s <source>
- <protocol (tcp/udp) >
- <port no.>
Our rule will be
iptables -A INPUT -p tcp --dport 6881:6890 -j ACCEPT
9️⃣ You are helping an intrusion analyst write a Snort rule that will
log any Telnet use within your network.**
log tcp any any <> any 23 (session:printable; sid:;)
What is a valid SID that you can assign the rule?
The signature id (sid) keyword is used to uniquely identify Snort rules:
- If the number is less than 1,000,000, it is a SourceFire rule (the
company that maintains the snort source code). In this case, you can
get more information about the rule by going
- <100 Reserved for future use
- 100-999,999 Rules included with the Snort distribution
- If the number is between 1,000,000 and 2,000,000, it is a snort community rule or can be used for local rules. .
- If the number is between 2,000,000 and 3,000,000, it comes from emergingthreats.net and you can get more information at http://doc.emergingthreats.net/bin/view/Main/ .
So we will use 1543845
1️⃣0️⃣** **You are analyzing some unusual HTTP proxy logs with time
stamps between 1439038269.433 and 1439135269.433.** When did some of the events take place?
HTTP proxy logs uses the format:
<UNIX timestamp>.<Centiseconds> .
Using Unix Timestamp Conversion Tool epochconverter.com :
1439038269.433 > Saturday, August 8, 2015 12:51:09.433 PM GMT
1439135269.433 > Sunday, August 9, 2015 3:47:49.433 PM GMT
Some of the events took place at Saturday .
1️⃣1️⃣ You are reviewing firewall rules and encounter the below
# iptables -A INPUT -s -p tcp --dport 23 -j REJECT
What is the purpose of the rule?
- Deny TCP packets for SSH service
- Deny TCP packets for Telnet service
- Deny File Transfer Protocol (FTP) from your network
- Allow port 23 into the INPUT chain
let’s analysis the rule based knowledge we now from the answer of question no. 8 :
-A INPUTThis chain is used to control incoming packets to the server. You can block/allow connections based on port, protocol or source IP address.
-sSource IP address
-p tcpNetworking protocol of packets you want to filter.
--dport 23number of the port on which you want to filter the traffic, port 23 used for Telnet protocol.
-j REJECTis used to send back an error packet in response to the matched packet.
The purpose of this rule > Deny TCP packets for Telnet service.
1️⃣2️⃣A security engineer in your organization has just installed and
configured a new IPS.** Which action can an IPS take to prevent an exploit from succeeding?
- Enable bypass mode
- Deploy an antimalware agent
- Deny the connection inline
- Perform a Layer 6 rest
Intrusion prevention systems (IPS) control the access to an IT network and protect it from abuse and attack. These systems are designed to monitor intrusion data and take the necessary action to prevent an attack from developing.
The IPS performs real-time packet inspection, deeply inspecting every packet that travels across the network. If any malicious or suspicious packets are detected, the IPS will carry out one of the following actions:
- Terminate the TCP session that has been exploited and block the offending source IP address or user account from accessing any application, target hosts or other network resources unethically.
- Reprogram or reconfigure the firewall to prevent a similar attack occurring in the future.
- Remove or replace any malicious content that remains on the network following an attack. This is done by repackaging payloads, removing header information and removing any infected attachments from file or email servers.
To prevent an exploit from succeeding an IPS can take the following action:
- Deny the connection inline: The deny packet inline action is represented as a dropped packet action in the alert. When a deny connection inline occurs, the IPS also automatically sends a TCP one-way reset, which shows up as a TCP one-way reset sent in the alert.\
Enable bypass mode: Will make exploit bypass IPS without any action. Deploy an antimalware agent: IPS doesn’t deploy antimalware . Perform a Layer 6 rest:
IPS monitors traffic at Layer 3 & Layer 4, And only reset TCP connection.
1️⃣3️⃣ An intrusion analyst in your organization has detected an
attack in which a device’s burned-in address was changed in an attempt to circumvent a switch’s port-security.** What type of attack is being described?
- ARP poisoning
- MAC spoofing
- IP spoofing
- Gratuitous ARP
Let us begin by attacks definition:
ARP poisoning: Address Resolution Protocol poisoning (ARP poisoning) is a form of attack in which an attacker changes the Media Access Control (MAC) address and attacks an Ethernet LAN by changing the target computer’s ARP cache with a forged ARP request and reply packets.
MAC spoofing: The Media Access Control address, or MAC, or burned-in address (BIA) is virtually etched to the hardware by the manufacturer. Users are not able to change or rewrite the MAC address. But it is possible to mask it on the software side. This masking is what’s referred to as MAC spoofing which hackers use this method of attack to conceal their own identity and imitate another.
IP Spoofing is a technique used to gain unauthorized access to machines, whereby an attacker illicitly impersonates another machine by manipulating IP packets.
IP Spoofing involves modifying the packet header with a forged (spoofed) source IP address, a checksum, and the order value.
A gratuitous ARP request is an Address Resolution Protocol request packet where the source and destination IP are both set to the IP of the machine issuing the packet and the destination MAC is the broadcast address ff:ff:ff:ff:ff:ff. Ordinarily, no reply packet will occur. A gratuitous ARP reply is a reply to which no request has been made.
The type of attack is being described is MAC spoofing
Ethernet switches via port security provide the opportunity to filter
network data traffic on the OSI layer 2.
Once a connection has been established from one segment to another, the intermediate coupling element checks the MAC address of the sender device and matches it with an administrator-created whitelist. If it’s an unknown address, the switch blocks the respective port and stops the communication attempt. But MAC spoofing enables hackers to get around security measures like this.
1️⃣4️⃣A network administrator in your organization encountered the
below account in one of your Cisco devices.** Analyze the output and submit the clear-text password as your answer.
DataCenter1(config)#do sh run | inc user username administrator password 7 08314D1B5C0E550516
do sh run This command is show running-configuration command that
shows the router, switch, or firewall’s current configuration. The
running-configuration is the config that is in the router’s memory.
inc user to list all user accounts
password 7 08314D1B5C0E550516 password is type 7
Cisco password Type 7 is the Cisco proprietary method (Vigenere cypher) and is weak and can easily cracked w/ utilities that are available on the net. using online Cisco Type 7 Passwords Decrypt tool :
- the clear-text password
1️⃣5️⃣ The IPS in your organization is currently using only
signature-based detection.** You recommend adding statistical-based anomaly detection. What is one disadvantage to your recommendation?
- The rule-based file is only updated when new exploits are discovered and tested
- A new “low and slow” attack would not be detected
- Existing anomalous traffic would not be detected
- 0-day attacks would not be detected
Statistical anomaly detection takes samples of network traffic at random and compares them to a pre-calculated baseline performance level. When the sample of network traffic activity is outside the parameters of baseline performance, the IPS takes action to handle the situation.
It’s a two-step approach that involves first training a system with data based on statistical modeling, to establish some notion of normality and then use the established profile on real data to flag deviations.
Main disadvantage is Existing anomalous traffic would not be detected because it’s included in our baseline.
1️⃣6️⃣ As part of a wireless penetration test, you are performing
802.11 traffic reconnaissance with Wireshark.** You notice a packet that contains a management frame (type 0) accompanied by subtype 12 (0x0c) and reason code 4. What has just occurred?
- A De-Authentication between an AP and station due to inactivity
- A station transmitting authentication credentials to an AP
- A station attempting a Reassociation Request with an AP
- An Access Point (AP) beaconing out its Service Set Identifier (SSID)
There are 3 types of frames used in the 802.11 layer 2 communications happening over the air which manages and controls the wireless link.
Management frames are used by stations to join and leave a BSS (Basic Service Sets).
Station or AP can send a De-authentication Frame when all communications are terminated (When disassociated, still a station can be authenticated to the cell). It is subtype 12 (0x0c) management frame (type 0).
The 16-bit Reason Code field is part of the frame to indicate what the sender has done incorrectly.
Reason code 4 explanation: Inactivity timer expired and station was disassociated.
A De-Authentication between an AP and station due to inactivity
1️⃣7️⃣ You need to perform a wireless packet capture on an Aruba Wi-Fi
AP that has been having authentication issues.** Which BSSID should you perform the capture on?
List of WiFi Access Point BSSIDs
We will use MAC lookup to displays the name of the company that manufactured each network card, using this online tool https://macvendors.com/ :
24:f5:a2:11:f7:6aBelkin International Inc.
18:64:72:d3:d7:b0Aruba, a Hewlett Packard Enterprise Company
The BSSID should perform the capture on
1️⃣8️⃣ An analyst in your organization is attempting to execute the
following tcpdump command.**
# tcpdump -n -i eth0 -w analysis.pcap -C 100 'host 10.3.2.34'
What is her goal?
- Capture 100MB of rotating data to/from host 10.3.2.34
- Capture tcpdump data to/from host 10.3.2.34 every 100 seconds
- Display the first 100 packets in the analysis.pcap file
- Import tcpdump data from a file called analysis.pcap
Let’s analysis tcpdump command :
-nDon’t convert addresses (i.e., host addresses, port numbers, etc.) to names.
-i eth0Listen on interface
-w analysis.pcapWrite the raw packets to file rather than parsing and printing them out.
-C 100Before writing a raw packet to a save file, check whether the file is currently larger than file_size and, if so, close the current save file and open a new one.
'host 10.3.2.34'dump traffic that’s going to or from this host
Capture 100MB of rotating data to/from host 10.3.2.34
1️⃣9️⃣ While analyzing a packet capture file, you notice Transmission
Control Protocol (TCP) flag 0x018.** What does that flag signify?
- FIN, ACK
- RST, ACK
- SYN, ACK
- PSH, ACK
✅ Answer :
TCP flags are used within TCP packet transfers to indicate a particular connection state or provide additional information. Therefore, they can be used for troubleshooting purposes or to control how a particular connection is handled.
We need to do Hex conversion on TCP flag to get the semantic meaning of that value
Take the hexadecimal value
0x018 and convert it to binary value
Use the following layout of flags and bits set (0 is off, 1 is on) to get the flag:
|0 0 0 1 1 0 0 0| > PSH-ACK
This flag signify PSH, ACK
2️⃣0️⃣ A junior network administrator in your organization has
requested Cisco Discovery Protocol (CDP) be enabled.** What is a disadvantage to his request?
- The protocol broadcasts authentication credentials of connected network devices
- CDP broadcast messages are sent using the User Datagram Protocol (UDP), which is known to be an unreliable protocol
- Spoofing can be used by an attacker to forge CDP packets and impersonate network devices
- The authentication mechanism used by CDP frames is vulnerable to a man-in-the-middle attack
The Cisco Discovery Protocol is a proprietary protocol that all Cisco devices can use by default. CDP discovers other Cisco devices that are directly connected, which makes possible to the devices to auto-configure their connection in some cases, simplifying configuration and connectivity.
CDP messages are not encrypted, This is a moderate security risk as you announce quite detailed information about your system to the network - info about software versions, hardware, and whether some protocols are enabled.
Spoofing can be used by an attacker to forge CDP packets and impersonate network devices
2️⃣1️⃣ Analyze the packet capture network.pcap . What is occurring?
- Host 18.104.22.168 initiated 3 ICMP echo requests to host 22.214.171.124
- Host 126.96.36.199 initiated a Traceroute to host 188.8.131.52
- The network is congested, resulting in a Time-to-live exceeded in transit message
- Host 184.108.40.206 is down, resulting in a port unreachable message
- By doing a Basic analysis you will notice the host
220.127.116.11sending UDP packet to
18.104.22.168with different TTL.Also replies to source with ICMP message “Time to live exceeded” .
if you expanded packet details
Internet Control Message Protocol >
Destination Port :
[Expert Info (Chat/Sequence): Possible traceroute: hop #1, attempt #3]
This is a possible traceroute via UDP packets . So how traceroute works ?
- Traceroute sends a UDP packet with a TTL = 1 from the source to destination.
- When the first router receives the UDP packet it reduces the TTL value by 1 (1-1=0) then drop the packet and sends an ICMP message “Time exceeded” to the source. Thus Traceroute makes a list of the router’s address and the time taken for the round-trip.
Host 22.214.171.124 initiated a Traceroute to host 126.96.36.199