Let’s work through an example of creating a challenge other than “find the flag in this file.”
I want to create a topic on beginner-level network analysis for a variety of protocols. Off the top of my head, I want to include questions on DNS, NNTP (Network News Transport Protocol) Telnet, FTP, and IRC, since I think all of those are unencrypted protocols (and are more fun than HTTP, which is what many challenges use because it’s so common).
We’re going to want to create our own .pcap file. And we’ll want the traffic to be clean (since our normal computer probably has all sorts of things talking to the internet on a regular basis, like our email and chat clients). An easy way to get a clean VM would be to download a Kali VM (You can find one at https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/.). If you’re brave, you can employ a VM you use more often—I have a Windows VM I use that I decided to use for this example. Once you have the VM you want, you can plan what you want the traffic to do. To generate a cleaner pcap, I highly recommend planning ahead of time, rather than starting tcpdump or Wireshark and then trying to figure it out. So install Wireshark if it’s not already installed (with libpcap, so it can collect).
For DNS, I don’t think we need to do anything special, as everything we do will create DNS entries, and we can just create a question off the traffic without having to choose it ahead of time.
For NNTP, I listen to the Security Now! podcast, so I know we can connect to the GRC newsgroups. I recommend Gravity, which you should download, install, and prep to connect to news.grc.com.
For Telnet, we should find a telnet sever we can connect to that will be interesting. MUDs use telnet servers, and I Googled around and found Toril Mud, which can be connected to on torilmud.org:9999. Make sure telnet is installed in your VM. (If you’re using Windows, download, Putty. While it’s normally used as a SSH client, it can connect over Telnet, too.) Prep telnet in the command line (or Putty) to connect to torilmud.org:9999. Once we’re ready, we’ll create an account and character there and say, “The flag is tortoise,” when we log in (and then we’ll log out).
Now for FTP. We need an FTP site to connect to. Googling for Debian mirrors, let’s pick a random FTPp site, mirrors.bloomu.edu. We should log in there (as anonymous, with the password email@example.com), browse to a directory, and download a .deb file (without switching to data mode from ASCII mode).
For IRC, we will need a client. I recommend downloading HexChat. Configure it to have a fun username (and backup usernames) and set it to connect to chat.freenode.net (on port 6697), but don’t click connect yet.
Now, to ensure the .pcap isn’t too clean, go to some random websites in your browser in between doing the above tasks. Open Firefox (or your favorite browser) and have it prepped to go to a few random sites (like torilmud.com) to ensure there’s also some HTTP traffic in the .pcap.
Now that you have your script ready to go, confirm all the programs we want to use are open and ready to connect. Then open up Wireshark and start to collect all traffic on that main interface.
I then followed the script at a reasonable pace.
I connected to news.grc.com in Gravity, joined the grc.cookies group, and read a couple of messages. I then went to torilmud.com in Firefox to generate some web traffic. I ran “telnet torilmud.org 9999” to connect to Toril Mud and created an account and a character, then made my character say, “The flag is tortal” and quit.
I then hit enter on my Putty session that had “ftp mirrors.bloomu.edu” so it would connect and logged in as anonymous with the predetermined email address. I went into the mirrors folder for Debian and downloaded a random .deb file (and specifically did not put it into data mode).
Then I stopped Wireshark and saved the .pcap.
Next, I went back in the .pcap to analyze the traffic and come up with the questions based on what I did.
First, I sorted by DNS traffic to find a good question. The first DNS entry was to “chat.freenode.net,” so I created the first question.
1. What is the first domain name that is looked up in this .pcap (Example of a domain name: www.google.com)?
Then I looked at the NNTP traffic. I found the first group I joined (grc.cookies) and created the second question.
2. What is the first news group that was subscribed to/accessed by the user in this .pcap?
In the newsgroup traffic, I saw a message about a potential virus: “Adware:Win32/RelatedLinks.” So I created the third question.
3. One of the messages in the newsgroup talks about a popup alerting the user to a potential virus. What was the full name of that potential virus?
Next, I wanted a question about the Telnet/MUD traffic. I started with a simple one about connecting to the MUD (torilmud.org on port 9999).
4. The user accessed a MUD in this .pcap. What was the domain name and post of the MUD accessed (in the format “DOMAIN:PORT,” like www.google.com:443)?
I looked more at the Telnet/MUD traffic and came up with the fifth question.
5. In this session, the user created a new user when they connected to the MUD. What is the username and password combination that they successfully created, in the format “username:password”?
I continued looking at the Telnet/MUD traffic and came up with the sixth question—one about the flag I spoke, “tortal.”
6. In the provided .pcap, the user-created a character in the MUD, who promptly logged in and spoke about a flag. What is the flag the character spoke?
Next, I switched to the FTP traffic and came up with the seventh question based on the login information (anonymous: firstname.lastname@example.org).
7. In the provided .pcap, the user logged into an FTP site. What password did they use to login to the FTP site?
Continuing with the FTP traffic, I wanted to ask a question about the file I downloaded to ensure the participants could find it, so I created the eighth question.
8. In the provided .pcap, the user logged into an FTP site. What is the name of the file they downloaded from it?
To force the participants to extract the downloaded file from the .pcap, I wanted to ask a question about the hash of the downloaded file (as they’d have to extract it from the .pcap to get the hash), so I created the ninth question, which required me to extract the file from the .pcap myself and run sha256sum on it to get the hash.
9. In this session, the user logged into a FTP site. What is the sha256 hash of the file they downloaded?
IRC connections use encryption now, so when I looked at the traffic, I couldn’t see myself logging in and connecting to a channel like I expected. Then I realized a question about what IRC domain name and port we connected to would be a good question (it was chat.freenode.net:6697).
10. In this session, the user connected to an IRC server. What is the domain name and port of the server they connected to? (in the format domainname:port, like www.google.com:443)
In the next post, we’ll go over how to create solutions slides for your questions.