test questions 1

Information security management and evaluation   The first stage

Network platform construction and equipment security protection

Objective    record

The first stage of the competition project test questions .. 3

Introduce .. 3

Required equipment 、 mechanical 、 Plant and materials .. 3

Scoring scheme .. 3

matters needing attention .. 3

Project and task description .. 3

1. Network topology ... 3

2.IP Address planning table ... 4

Work task .. 5

Mission 1： Network platform construction ... 6

Mission 2： Network security equipment configuration and protection ... 6

The second stage competition project test questions .. 12

Introduce .. 12

Required equipment 、 mechanical 、 Plant and materials .. 12

Scoring scheme .. 12

Project and task description .. 12

Work task .. 13

The first part Network security event response ... 13

Mission 1： Emergency response ... 13

List of materials for this task ：Server Server virtual machine （Vmware）.... 13

The second part Digital forensics investigation ... 13

Mission 2： Operating system forensics ... 13

List of materials for this task ： Operating system image 、 Memory image .... 13

Mission 3： Network packet analysis ... 14

List of materials for this task ： Captured network packet file .... 14

Mission 4： Computer stand-alone forensics ... 14

List of materials for this task ： Forensics image file .... 14

The third stage competition project test questions .. 17

Introduce .. 17

Required equipment 、 mechanical 、 Plant and materials .. 17

Scoring scheme .. 17

matters needing attention .. 17

Project and task description .. 17

Work task .. 18

Score distribution table .. 20

appendix A. 21

The first stage of the competition project test questions

This document is an information security management and evaluation project competition - The first stage test questions , The first stage includes ： Network platform construction and equipment security protection .

The time of this competition is 180 minute .

Introduce

Required equipment 、 mechanical 、 Plant and materials

All test items can be completed by contestants according to the equipment and software specified in the infrastructure list .

Scoring scheme

The stage score of this project is 30 branch .

matters needing attention

In the first stage of the competition, please follow the... Provided by the referee team U On the plate “XXX- Answer template ” Submit answers to the requirements in . Players need to be U Create a file named... Under the root directory of the disk “GWxx” Folder （xx Replace with specific station number ）, What has been accomplished “XXX- Answer template ” Put it in a folder and submit it as the result of the game .

Project and task description

1. Network topology

2.IP Address planning table

Work task

Mission 1： Network platform construction

Mission 2： Network security equipment configuration and protection

1. CS Turn on telnet Login function , user name skills01, password skills01, Configuration and use telnet The following authorization information is displayed before logging into the terminal interface ：“WARNING!!! Authorised access only, all of your done will be recorded! Disconnected IMMEDIATELY if you are not an authorised user! Otherwise, we retain the right to pursue the legal responsibility”;
2. Headquarters switch SW Configure simple network management protocol , Plan opening V3 edition ,V3 The version has made a great expansion in terms of security . The configuration engine numbers are 62001; Create an authenticated user as skills01, use 3des The algorithm encrypts , The key is ：skills01, The hash algorithm is SHA, The key is ：skills01; Join the group ABC, Adopt the highest level of security ; Configure the group's read 、 The write views are ：2022_R、2022_W; When the equipment is abnormal , Need to use local VLAN100 The address to send Trap The message is sent to the network management server 10.51.0.203, Adopt the highest level of security ;
3. Yes CS On VLAN40 Turn on the following security mechanisms ：

Internal business terminals are isolated from each other by two layers , Enable loop detection , The time interval for loop detection is 10s, Close the port after discovering the loop , The recovery time is 30 minute ; If private settings are found DHCP The server closes the port , Configuration prevents ARP Deceptive attack ;

1. The blackmail worm has swept the world , The largest cyber attack in history broke out , Through the core switch of the headquarters CS All business VLAN Configure the access control policy under to realize two-way security protection ;
2. CS To configure IPv6 Address , Use related features to realize VLAN50 Of IPv6 The terminal can automatically obtain... From the gateway IPv6 Stateful address ;

WS To configure IPv6 Address , Enable the routing announcement function , The lifetime of router announcement is 2 Hours , Make sure VLAN30 Of IPv6 The terminal can obtain IPv6 Stateless address .

WS And CS Configuration between RIPng, send PC1 And PC3 Can pass IPv6 signal communication ;

IPv6 The business address is planned as follows , Other IPv6 Address self planning ：

1. Increase as much as possible CS With firewalls FW Bandwidth between ; Configuration makes the headquarters VLAN40 Business user access IDC SERVER Data flows through FW 10.1.0.254, IDC SERVER Return data flow through FW 10.2.0.254, And enable all security protection for bidirectional data flow , The parameters and behavior are the default ;
2. FW、CS、WS Configuration between OSPF area 0 Turn on link based MD5 authentication , Key customization , Spread access INTERNET Default route ;
3. FW And CS Establish two pairs of IBGP Neighborhood , Use AS 65500,FW On loopback1-4 To simulate AS 65500 Medium network , To ensure the reliability and load of data communication , Complete the following configuration , Requirements are as follows ：

1. CS adopt BGP arrive loopback1,2 The next hop on the network is 10.3.0.254;
2. CS adopt BGP arrive loopback3,4 The next hop of the network is 10.4.0.254;
3. adopt BGP Achieve arrival loopback1,2,3,4 Network redundancy ;
4. Use IP The prefix list matches the above business data flow ;
5. Use LP Attribute for business routing , Only use route-map To change LP attribute 、 Implement routing control ,AS PATH The configurable parameter value of the property is ：65509

1. If CS E1/0/3 The packet receiving rate of the port exceeds 30000 Then close this port , recovery time 5 minute , And every 10 Minutes to count the port speed ; In order to improve the performance of data forwarding ,CS The packet size in the exchange is specified as 1600 byte ;
2. To realize the security management of firewall , At the firewall FW Of Trust Security domain on PING,HTTP,SNMP function （loopback Except for the interface ）,Untrust Security domain on SSH、HTTPS function ;
3. headquarters VLAN Business users access through firewall Internet when , Reuse public network IP： 200.1.1.28/28, Ensure that every source IP All generated sessions will be mapped to the same fixed IP Address , Address translation rules are generated when the traffic is matched , Send matching logs to 10.51.0.253 Of UDP 2000 port ;
4. To configure L2TP VPN, The name is VPN, The remote office users can access the intranet by dialing in , Create the tunnel interface as tunnel 1、 And add untrust Security domain , The address pool name is AddressPool,LNS The address pool is 10.100.253.1/24-10.100.253.100/24, Gateway is the maximum available address , Authentication account number skills01, password skills01;
5. FW The configuration prohibits everyone from working from Monday to Friday 9：00-18：00 Visit Jingdong www.jd.com And Taobao www.taobao.com; Access forbidden in the same time period contains “ entertainment ”、“ Journalism ” Of WEB page ;
6. stay FW Open the security gateway TCP SYN Package check function , Only check that the package received is TCP SYN After package , To establish a connection ; Configure all TCP The maximum data segment that a packet can transmit at a time is 1460, Try to reduce network fragmentation ; The configuration is right TCP Three handshakes are established to check the time , If in 1 Three handshakes have not been completed within minutes , Then disconnect the connection ;
7. To ensure that the headquarters Internet Exit line , stay FW Use related technologies on , adopt ping Monitor the Internet gateway address , The name of the monitoring object is Track, every other 5S Send detection message , continuity 10 No monitoring message is received at this time , It is considered that the circuit is faulty , Close the Internet interface directly .FW It is required that each in the intranet IP Limit the number of sessions to 300;
8. Internet There is a branch router at the end , Need a firewall at headquarters FW Complete the following pre configuration on , Ensure the safe connection between the headquarters and branches ：

A firewall FW And Internet End router 202.5.17.2 establish GRE Tunnel , And use IPSec Protect GRE Tunnel , Ensure that... In the branch structure 2.2.2.2 With headquarters VLAN40 Secure communications .

The first stage   use pre-share authentication encryption algorithm :3DES;

The second stage   use ESP agreement , encryption algorithm :3DES, Default shared secret key : skills01

1. Known origin AP The management address is 10.81.0.0/15, To avoid address waste, please re plan and configure IP Address segment , Requirements are as follows ：

1. Use the original AP Address division of the network ;
2. Current wireless users VLAN 10 China needs 127 Terminals , Wireless users VLAN 20 need 50 Terminals ;
3. WS On the configuration DHCP, management VLAN by VLAN101, by AP Issue management address , The first available address in the network segment is AP Management address , The last available address is WS Management address , Make sure they do AP Second floor registration ; For wireless users VLAN10,20 Send out IP Address , The last available address is the gateway ;

1. stay NETWORK Next To configure SSID, Requirements are as follows ：

1. NETWORK 1 Lower setup SSID 2022skills-2.4G,VLAN10, The encryption mode is wpa-personal, The password is skills01;
2. NETWORK 20 Next Set up SSID 2022skills-5G,VLAN20 No authentication encryption , Make the corresponding configuration to hide the SSID, Use only the last available VAP send out 5.0G The signal ;

1. To configure a SSID 2022skills_IPv6, Belong to VLAN21 be used for IPv6 Wireless test , When users access the wireless network, they need to adopt the method based on WPA-personal encryption , The password is “skills01”, Users in this network are from WS DHCP obtain IPv6 Address , Address range is ：2001:10:81::/112;
2. NETWORK 1 Open built in portal+ Authentication mode of local authentication , Account No GUEST The password for 123456, Ensure the coverage of wireless information , wireless AP The transmit power of is set to 90%. prohibit MAC The address is 80-45-DD-77-CC-48 Wireless terminal connection ;
3. Prevent multiple by configuration AP and WS When connected, it consumes too many security authentication connections CPU resources , detected AP And WS stay 10 Connect in minutes 5 The connection is no longer allowed after one time , Return to normal in two hours ;
4. To facilitate the rational use of bandwidth , Ask for SSID by “2022skills-2.4” Bandwidth control for users under . There is no limit on the uplink rate of users , However, for the downlink rate, the user's bandwidth is required to be 2Mbps, The maximum bandwidth can reach 4Mbps;
5. Configure all Radio Interface ：AP When an error frame is received , Will no longer send ACK frame ; open AP Multicast broadcast burst limiting function ; Turn on Radio Automatic channel adjustment , Every morning 10:00 Trigger channel adjustment function ;
6. Configure all wireless access users to be isolated from each other ,Network Limit every morning in mode 0 Point to 4 The access point of the terminal is prohibited , Turn on ARP Inhibition function ;
7. Configure when AP go online , If WS Stored in Image Version and AP Of Image Different version numbers , Will trigger AP Automatic upgrade ; To configure AP Send an indication to the wireless terminal AP The existing frame interval is 1 second ; To configure AP The timeout of the failed state and the timeout of the detected client state are 2 Hours ;
8. At the company headquarters BC On the configuration , The device deployment mode is transparent . Add non admin Account skills01, password skills01, This account is only used for the user to query the log information and statistical information of the device ; Require intranet access Internet Log all applications .
9. Time accuracy for log queries , Ask for in BC On the configuration NTP service ,NTP The server is set as the national time service center of the Chinese Academy of Sciences (ntp.ntsc.ac.cn).
10. At the company headquarters BC On the configuration , On weekdays （ Work from Monday to Friday ） During this period, audit the Internet access of all wireless network segments , If you find a wireless user accessing the Internet, you will be disconnected 20 minute , There is no restriction on other users on weekdays （ Work from Monday to Friday ） Access to the Internet during .
11. BC Configure the application “ Instant messaging ”, From Monday to Friday 8：00-20：00 Monitor all users in the intranet QQ Account usage records , And save QQ Chat log packet ;
12. BC Configure content management , The content of the message contains “ agreement ”、“ complaints ” E-mail with words , Record and email alarm .
13. BC Configure alarm mailbox on , Mail server IP by 172.16.10.33, The port number is 25, Account No :skills01, password : skills01, The maximum number of records is 50, Meanwhile, copy the alarm email to [email protected]chinaskills.com;
14. Use BC Conduct local authentication for all Internet users on the intranet , Require authenticated users 4 Recertification as a child , And right HTTP The server 172.16.10.45 Of 80 Ports are exempt from authentication ;
15. BC Configure the user identification function on the , For all intranet IP Address for identification ;
16. At the company headquarters WAF On the configuration , The device deployment mode is transparent . It is required to check the intranet HTTP The server 172.16.10.45/32 Carry out safety protection ;
17. For better server 172.16.10.45 Protection , We regularly check the server Web Vulnerability scanning , To modify our protection rules in time .
18. It is convenient to save and view logs , You need to put WAF Go to the attack log 、 Access log 、DDoS Log to JSON Format to IP The address is 172.16.10.200 On the log server ;
19. stay WAF Configure basic defense functions on , Turn on SQL Inject 、XXS attack 、 Information leakage and other defense functions , It is required to block these attacks and send email alerts ;
20. stay WAF Targeted HTTP Server run URL The maximum number is 10,Cookies The maximum number is 30,Host Maximum length is 1024,Accept Maximum length 64 And other parameter verification settings , Set the severity level to medium , If the verification value is exceeded, block and send an email alarm ;
21. stay WAF Upper protection HTTP On the server www.2022skills.com Web crawler attacks , This affects server performance , Set the severity level to advanced , Once the attack is found, it is blocked and an email alarm is sent ;
22. To prevent www.2022skills.com Website resources are used by other websites , adopt WAF Protect resource links , adopt Referer Mode detection , Set the severity level to medium , Once it is found that it is blocked, an email alarm will be sent ;

Information security management and evaluation   The second stage

Network security event response

Digital forensics investigation

Application security

The second stage competition project test questions

This document is an information security management and evaluation project competition - Second stage test questions , The second stage includes ： Network security event response 、 Digital forensics investigation and application security .

The time of this competition is 180 minute .

Introduce

The competition has a fixed start and end time , Teams must decide how to allocate time effectively . Please read the following guidelines carefully ！

（1） When the competition is over , Please don't turn it off when you leave ;

（2） All configurations should be valid after restart ;

（3） except CD-ROM/HDD/NET Driver , Please do not modify the configuration of the physical machine and the hardware settings of the virtual machine itself .

Required equipment 、 mechanical 、 Plant and materials

All test items can be completed by contestants according to the equipment and software specified in the infrastructure list .

Scoring scheme

The stage score of this project is 35 branch .

Project and task description

With the continuous development of network and information level , Network security incidents are also emerging one after another , Network malicious code propagation 、 information theft 、 Information tampering 、 Various network attacks such as remote control have seriously threatened the confidentiality of information system 、 Integrity and availability . therefore , Against cyber attacks , Organize emergency response to safety incidents , Collecting electronic evidence is an important part of network security protection . Now? ,A The group has been subjected to illegal malicious attacks from unknown organizations , Your team needs help A The group tracks the source of this cyber attack , Analyze the evidence clues of malicious attack behavior , Identify vulnerabilities or malicious code in operating systems and applications , Help them consolidate the defense line of network security .

This module is mainly divided into the following parts ：

• Network security event response
• Digital forensics investigation
• Application security

All work task materials or environments in this part have been placed on the designated computer , After the contestants finish , Fill it out on the desktop “ Information security management and evaluation competition - The second stage answer sheet ” in . The player's computer has been installed Office Software and provide necessary software tools （Tools tool kit ）.

Work task

The first part Network security event response

Mission 1： Emergency response

A Group WebServer The server was hacked in , Of this server Web The application system is uploaded with malware , System files are damaged by malicious software , Your team needs to help the company track the source of this cyber attack , Perform a comprehensive check on the server , Including log information 、 Process information 、 System files 、 Malicious files, etc , So as to analyze the attack behavior of hackers , Find out the key evidence information .

List of materials for this task ：Server Server virtual machine （Vmware）.

Attacked Server The server has been packaged into a virtual machine file and saved , Please import the analysis by yourself .

Be careful ：Server See Appendix for the basic configuration of the server , If not specified in the title , Please use the default configuration .

Please submit the correct answer according to the competition environment and task requirements .

The second part Digital forensics investigation

Mission 2： Operating system forensics

A A server system of the group is infected with malicious programs , Leading to the destruction of key system files , Information was stolen . Please analyze A System image and memory image provided by the group , Find the evidence information of malicious program and system damage .

List of materials for this task ： Operating system image 、 Memory image .

Please submit the correct answer according to the competition environment and task requirements .

Mission 3： Network packet analysis

A The group's network security monitoring system found that malicious elements were carrying out advanced sustainable attacks （APT）, And captured some suspicious traffic packets . Please according to the captured traffic packet , Find clues to cyber attacks , Break down hidden malicious programs , And analyze the behavior of malicious programs .

List of materials for this task ： Captured network packet file .

Please submit the correct answer according to the competition environment and task requirements .

Mission 4： Computer stand-alone forensics

Analyze the given forensics image file , Search for evidence keywords （ The clue keyword is “evidence 1”、“evidence 2”、……、“evidence 10”, There are text forms and picture forms , Case insensitive ）, Please extract and fix the subject matter evidence documents required by the competition , And fill in relevant information according to the format requirements of the sample , The proportion of evidence documents in the total number of documents shall not be less than 15%. Forensics information may be hidden in normal 、 In deleted or damaged files , You may need to use transcoding techniques 、 Encryption and decryption technology 、 Steganography 、 Data recovery technology , You also need to be familiar with common file formats （ Such as office documents 、 Compress document 、 Pictures, etc ）.

List of materials for this task ： Forensics image file .

Please complete the tasks of this part as required .

Information security management and evaluation   The third stage

Flag challenge - attack

The third stage competition project test questions

This document is an information security management and evaluation project competition - The third stage test questions . According to the technical document requirements of information security management and evaluation project , The third stage is the challenge of winning the flag - attack .

The time of this competition is 180 minute .

Introduce

Flag challenge （CTF） Our goal is to achieve network security penetration testing in a simulated network environment as a network security professional .

This module requires contestants to act as attackers , Use the information learned to collect 、 Vulnerability discovery 、 The penetration test technology such as vulnerability utilization completes the penetration test of the network ; And it can obtain the existing information through the analysis of various information security related technologies flag value .

Required equipment 、 mechanical 、 Plant and materials

All test items can be completed by contestants according to the equipment and software specified in the infrastructure list .

Scoring scheme

The stage score of this project is 35 branch .

matters needing attention

By finding the right flag Value to get the score , Its format is as follows ：

flag{<flag value >}

This format may be hidden or even confused in some environments . therefore , Pay attention to some sensitive information and use tools to find it .

Project and task description

stay A There are several servers in the group's Network , Each server has different business services . There are some hidden dangers of network security in the network , Please use your penetration testing technology , Through information gathering 、 Penetration testing techniques such as vulnerability mining , Complete the penetration test of the specified project , Get... In the test flag value . Please refer to appendix for reference examples of network environment A.

The penetration test technology used in this module includes but is not limited to the following technical fields ：

• information gathering

• Reverse file analysis

• Binary exploit

• Application Service Vulnerability exploitation

• Miscellaneous and cryptographic analysis

Of all devices and servers IP Please check the list of equipment provided on site .

Work task

One 、Web1 The server

Two 、Web2 The server

3、 ... and 、FTP The server

Four 、 Applications 1 The server

5、 ... and 、 Applications 2 The server

Score distribution table

surface 1 Third stage score distribution