Analysis on data collection and analysis of network security competition in national vocational college skill competition

B-2 Task 2 ： Data analysis

* Mission statement ： Only available Server2 Of IP Address

1. Use Wireshark View and analyze Server2 Under the desktop capture.pcapng Package file , find telnet User name and password of the server , And use the password as flag Value submission ;

telnet && ip.src==    

Search for password perhaps login

2. Use Wireshark View and analyze Server2 Under the desktop capture.pcapng Package file ,FTP The server has finished transferring files , Take the first instruction after logging in to the server as flag Value submission ;

Check the response code of successful login first

ftp.response.code == 230

see 200 After that command

Command successfully executed response code

ftp.response.code == 200

3. Use Wireshark View and analyze Server2 Under the desktop capture.pcapng Package file ,web The server address is 192.168.181.250, The scripting language used is php, Use the server php The version number of is used as flag Value submission ;

ip.src==192.168.181.250 && http

http track tcp flow , The file header server Or search directly X-Powered-By

4. Use Wireshark View and analyze Server2 Under the desktop capture.pcapng Package file , There are a lot of these data ICMP message , One of the devices is a router ,IP The address is 192.168.181.25, Send the unsolicited message from the router ping Number of requests as flag Value submission ;

ip.src==192.168.181.25 && icmp     // Filter sources and their protocols

icmp.type == 8    // Direct inquiry ping Of request( Request package )

5. Use Wireshark View and analyze Server2 Under the desktop capture.pcapng Package file , These data include ssh message , because ssh With encryption function , Now we need to analyze the algorithms of these encrypted messages , take ssh The name of the first algorithm supported by the client is flag Value submission .

Ssh Search for

server_host_key_algorithms First value of

B-4 Task 4 ： Data analysis

* Mission statement ： Only available Server4 Of IP Address

1. Use Wireshark View and analyze Server4 Under the desktop capture.pcapng Package file ,telnet The server is a router , Find out the privileged password of this router , And use the password as flag Value submission ;

Use wireshark Packet capturing software grabs Telnet password _ Bluebird Technology Group @ Wei's technology blog _51CTO Blog

  Direct search password, single password Talent

because . Enter the privileged mode only by entering the password .

2. Use Wireshark View and analyze Server4 Under the desktop capture.pcapng Package file ,FTP The server has finished transferring files , Will establish FTP The number of data connections to the server is taken as flag Value submission ;

ftp.response.code==220

3. Use Wireshark View and analyze Server4 Under the desktop capture.pcapng Package file ,web The server address is 192.168.181.250, take web The version number of the server software is used as flag Value submission ;

http->Server

4. Use Wireshark View and analyze Server4 Under the desktop capture.pcapng Package file , There are a lot of these data ICMP message , There are a large number of abnormal messages in these messages ICMP message , Find out all messages of redirection type , Take the number of message redirects as flag Value submission ;

Filter it

netwox 86 -g 10.140.98.247 -i 10.140.98.254

icmp.type==5

5. Use Wireshark View and analyze Server4 Under the desktop capture.pcapng Package file , These data include ssh message , because ssh With encryption function , Now we need to analyze the algorithms of these encrypted messages , take ssh The key length of the first algorithm supported by the server is flag Value submission .

Server_host_key_algorithms

Encryption_algorithms_client_to_server

B-1 Task a ： Digital forensics

* Mission statement ： Only available Server1 Of IP Address

1. Hackers successfully entered Server1 And created multiple users , Use the user name created by the hacker as flag Value submission ｛ name 1- name 2-……｝;

Windows：

Eventvwr 4720

Net user

Look for the catalogue to see the time

Linux：

  Ls –ld

Cat /etc/passwd or cat /etc/shodow

2. Hackers upload Trojans by uploading pages , Find the upload page , Upload the page file name as flag Value submission ;

visit web page , With the sword ,dirb,nikto , See if there's any upload dependent , If you can go in, just go directly to the directory

3. Find the corresponding Trojan back door , Use the Trojan file name as flag Value submission ;

Find the upload page , Upload a picture . See if you can find the access path . Then look for it on the real machine . Or directory traversal vulnerability .

4. Trojan file view , Submit the login password of the Trojan file ;

  Analysis of the code ,php or asp Of . The code may be misshapen . If you need to analyze, you can try first eval,cmd,1,admin Wait for the weak password . In the process of analysis . Give seay Words , You can also try analysis

5. Find the task plan created by the hacker in the task plan （ Mission planning with hazardous operations ）, The task plan is named flag Value submission .

Linux:

/etc/crontab

Windows:

  Taskschd.msc Or the task scheduler in the management tool

6. The hacker left a test file somewhere in the system , Please use the contents of this document as flag Value submission .

Windows:

  Recent-> Time sequence

Linux:

  Find ./ -mtime 0           //24h Modified files in

7. Find the execution program corresponding to the task plan, analyze the code and take the password as flag Value submission .

There is no idea at present , I didn't say there were any tools , Visual inspection is reverse

B-2 Task 2 ： Memory forensics

* Mission statement ： Only available Server2 Of IP Address

volatility -f filename imageinfo

1. Get the user from memory admin And crack the password , With flag{admin,password} Form submission ( The password for 6 position );

Volatility –f filename --profile=OS hashdump

Volatility –f filename --profile=OS mimikatz

Volatility –f filename --profile=OS lsadump

2. Get the current system ip Address and host name , With flag{ip: Host name } Form submission ;

Volatility –f filename --profile=OS connscan

Volatility –f filename --profile=OS envars( Host name )

Volatility –f filename -profile=OS netscan(ip)

3. Get the keywords searched by the current system browser , As flag Submit ;

Volatility –f filename --profile=OS iehistory

4. There is a on the desk flag file , Please get flag Contents of the file ;

Volatility –f filename --profile=OS filescan |
 grep Desktop

5. There is a mining process in the current system , Please get the address of the ore pool pointed to , With flag{ip: port } Form submission ;

Volatility –f filename --profile=OS pslist

6. The malicious process registered the service in the system , Please name the service with flag{ service name } Form submission .

Volatility –f filename --profile=OS svcscan

Volatility –f filename --profile=OS hivelist

If you need an environment, you can confide in bloggers