Session 08
November 17, 2011
Please Note: If you haven't viewed all the Sessions before this one, please do so now. The topics in this session depend on you having viewed those prior Sessions first.
C D A
Regular Major Themes:
Topics in CyberPatriot / Computer Science
Topics in Windows
Topics in Linux (not today)
Quiz
CyberPatriot - Strategy Update
Wait for it: use the time from noon Friday until mid-Saturday to explore the image
Many teams went to 100% in a few minutes
Use your shadows
Use your techniques, OOB, CDA Benchmarks
You can see the scores in real-time during the Competition at: http://cybernexs.saic.com/cndx/spectator_displays/ranked_scores_by_os.php
Analysis of Scores in Round 1:
Large number of 100% scores
ASD: 20 teams
OD: 67 teams
Everyone needs a score of 80% - 100% in Round 2
Announcement for Round 2: Windows XP, Windows 2003
Timing Counts
Copyright 2011, Cyber Defense Academy All Rights Reserved
CyberPatriot - Network 103 - Network Devices
Network Device - any device attached to a TCP/IP network with an IP address
Host - a workstation or server
Data terminal equipment - a device that is the final destination for the packet (e.g. printer)
Hub - connects multiple Ethernet segments into a single segment (everyone hears the traffic)
Switch - directs outside traffic to only the specific destination segment (only the destination hears the traffic)
Router - reads address information and sends packets toward their ultimate destination based on a routing table (audience depends on the segment)
Sniffer - a device that can read every packet on the segment without being detected
CyberPatriot - Network 103 - Network Diagrams
[Diagram: logical representation of a network. A Router connects the Internet to a Hub and a Switch; computers, a server and printers hang off the Hub and the Switch.]
CyberPatriot - Network 103 - Network Topology
[Diagrams of three topologies: Star, Ring, Bus]
CyberPatriot - Network 103 - Ping
Ping - network administration tool to test the reachability of a node on a network and to measure round-trip time
Named after active sonar technology
Sends an Internet Control Message Protocol (ICMP) echo request packet (8 byte header, 20 byte payload) to the target
Measures the time of reception and any packet loss
Ping floods are a simple form of denial-of-service attack
Hear the sound: http://www.youtube.com/watch?v=D9kv_V5lhiE
CyberPatriot - Network 103 - Ping Example
Example: ping -c 5 iSmoke
ping - the command
-c - the count option
5 - the count value
iSmoke - the target
CyberPatriot - Network 103 - Ping Pros & Cons
Key tool for Network Administrators:
Verify known devices are still present
Detect noise on the circuit
Detect a chatty NIC
Identify missing segments
Identify missing devices
Key tool for Network Attackers:
Discover all IP addresses
Launch ping floods
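An added example (not from the slides) of the administrator use above: a Python script that parses saved ping output for an inventory of known devices and flags the ones that are missing or losing packets. The hostnames and the ping output are constructed samples; both the Unix-style format of the slide's ping -c example and the Windows XP ping -n format are handled.

```python
import re

# Constructed sample output (not captured from a real network) for three inventoried
# devices. "router" and "fileserver" use the Unix/macOS format (ping -c 5 <target>);
# "printer" uses the Windows XP format (ping -n 5 <target>).
SAMPLE_PING_OUTPUT = {
    "router": "PING router (192.0.2.1): 56 data bytes\n"
              "64 bytes from 192.0.2.1: icmp_seq=0 ttl=64 time=0.412 ms\n"
              "--- router ping statistics ---\n"
              "5 packets transmitted, 5 packets received, 0.0% packet loss\n"
              "round-trip min/avg/max/stddev = 0.380/0.401/0.412/0.011 ms\n",
    "printer": "Pinging printer [192.0.2.20] with 32 bytes of data:\n"
               "Reply from 192.0.2.20: bytes=32 time=3ms TTL=64\n"
               "Request timed out.\n"
               "    Packets: Sent = 5, Received = 3, Lost = 2 (40% loss),\n"
               "    Minimum = 2ms, Maximum = 4ms, Average = 3ms\n",
    "fileserver": "PING fileserver (192.0.2.30): 56 data bytes\n"
                  "--- fileserver ping statistics ---\n"
                  "5 packets transmitted, 0 packets received, 100.0% packet loss\n",
}

# Statistics lines (sent, received, loss%) and average RTT, Unix/Linux and Windows forms.
UNIX_STATS = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received, ([\d.]+)% packet loss")
WIN_STATS = re.compile(r"Sent = (\d+), Received = (\d+), Lost = \d+ \((\d+)% loss\)")
UNIX_RTT = re.compile(r"min/avg/max\S* = [\d.]+/([\d.]+)/")
WIN_RTT = re.compile(r"Average = (\d+)ms")

def parse_ping(output):
    """Return {'sent', 'received', 'loss_pct', 'avg_ms'} or None if no statistics line."""
    m = UNIX_STATS.search(output) or WIN_STATS.search(output)
    if not m:
        return None
    rtt = UNIX_RTT.search(output) or WIN_RTT.search(output)
    return {"sent": int(m.group(1)), "received": int(m.group(2)),
            "loss_pct": float(m.group(3)), "avg_ms": float(rtt.group(1)) if rtt else None}

def classify(stats, max_loss_pct=20.0):
    """MISSING: no reply at all; DEGRADED: loss above the threshold; OK otherwise."""
    if stats is None or stats["received"] == 0:
        return "MISSING"
    return "DEGRADED" if stats["loss_pct"] > max_loss_pct else "OK"

def check_inventory(outputs):
    """Map each inventoried host to OK / DEGRADED / MISSING from its ping output."""
    return {host: classify(parse_ping(out)) for host, out in outputs.items()}

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_PING_OUTPUT).items():
        print(f"{host:12s} {status}")
```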
CyberPatriot - Network 103 - SNMP
Simple Network Management Protocol - for managing devices on IP networks
Last updated by RFC 3411 - 3418 (SNMPv3)
Peer-to-peer protocol
Architecture is:
Network Manager - an administrative computer
Network Management System (NMS) - software that monitors and controls managed devices
Management Information Base (MIB) - a data structure on each Managed Device containing objects and their values for that device
Agent - software on each Managed Device that gets/sets MIB data and sends it in SNMP format
[Diagram: Managed Devices (Router, Computer, Printer), each with a MIB and an Agent]
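As an added illustration of the manager/agent exchange (not part of the deck, and not any NMS product's code), the block below builds the SNMP GetRequest a Network Manager sends to an Agent to read one MIB object, encoding the ASN.1/BER bytes by hand so the message layout is visible. It assumes the SNMPv1 message format, which is simpler than the SNMPv3 framing the slide cites; sysDescr.0 is the standard MIB-II object used.

```python
# Hand-rolled BER encoding of an SNMP GetRequest. Assumes the SNMPv1 message layout
# (version field 0) rather than SNMPv3 framing; the manager/agent roles and the
# varbind (OID + value) structure are the same in both.
def ber_length(n):
    """BER length octets: short form below 128, else 0x80|count followed by big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_length(len(payload)) + payload

def ber_integer(value):
    """ASN.1 INTEGER (tag 0x02), minimal two's-complement encoding."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)

def ber_oid(dotted):
    """ASN.1 OBJECT IDENTIFIER (tag 0x06): first two arcs packed as 40*a+b, rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunks = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunks.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunks))
    return tlv(0x06, body)

def snmp_get_request(community, oid, request_id=1):
    """Build the UDP payload a Network Manager sends to an Agent to read one MIB object."""
    varbind = tlv(0x30, ber_oid(oid) + tlv(0x05, b""))            # OID + NULL placeholder value
    pdu = tlv(0xA0, ber_integer(request_id) + ber_integer(0)      # GetRequest-PDU: id, error-status,
              + ber_integer(0) + tlv(0x30, varbind))              # error-index, VarBindList
    return tlv(0x30, ber_integer(0) + tlv(0x04, community.encode()) + pdu)  # version 0 = SNMPv1

# sysDescr.0 from MIB-II: the agent's description string. Agents listen on UDP port 161.
SYS_DESCR = "1.3.6.1.2.1.1.1.0"

if __name__ == "__main__":
    print(snmp_get_request("public", SYS_DESCR).hex())
```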
CyberPatriot - Network 103 - NMS Example
AutoScan-Network - for managing IP network(s)
Runs on Macs, Windows XP/Vista, GNU/Linux
Free at: http://autoscan-network.com/
Prepare for competition:
Run the ping command
Discover the network devices on your network via a free NMS
WINDOWS
Techniques
Folder Options
Prefetch
Running backups (every hour)
Booting in Safe Mode
Run-time Downloads & the Internet
Hard Disk Growth
Tools
Service Packs: http://support.microsoft.com/kb/322389
Make sure your Service Pack downloads have the exact file name as shown above and equivalent size.
Windows Security / Task Manager
Process Explorer
Unlocker
Warp
Don't run ComboFix: it thinks CyberNEXS is evil and removes it.
Task Manager
Shows currently active Processes
Activate the tool by pressing Ctrl-Alt-Del, click the Task Manager button, then click the Processes tab
Free, included in the OS
Process Explorer
A discovery tool showing:
Currently active processes
Description of each process
Company who wrote the process
CPU and RAM utilization of each process
Services consumed by the process
DLLs used by the process
Files used/owned by the process
Free at: http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml
Two Panes (DLLs in lower pane)
AvastSvc.exe is selected in the upper pane
The DLL files needed by AvastSvc.exe are shown in the lower pane
Two Panes (Handles in lower pane)
AvastSvc.exe is selected in the upper pane
The files held by AvastSvc.exe are shown in the lower pane
Properties
A rich set of data is available in the Properties window
The Services tab shows the services consumed by the process
In summary:
It's small
It's cheap
It's safe
It shows who's grabbing your system
Recommendation: get an additional monitor (e.g. 24" LCD/LED monitor) and leave Process Explorer up all the time
5 minute break
Unlocker
A discovery tool showing:
Who owns the handle on a file
Allows you to unlock the handle so that you can delete the file or folder
Free at: http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml
1) Try to delete MSN Gaming Zone
2) Error deleting
3) Right-click to invoke Unlocker (an Explorer extension)
4) Unlocker reveals PID 964 has a handle on MSN
5) Process Explorer confirms the owner and handle
6) Unlock All releases the handle
Registry Cleaner
A discovery and repair tool that:
Finds errors in the Registry
Finds many other types of Windows errors
Free at: http://www.nchsoftware.com/registry-cleaner/index.html
Repair Results - shows the results from the repair of the system
Repair Details - shows the details of the repair of the system
Many, many Registry cleaners are available, most for a fee
Two others were evaluated:
RegGenie: $35
RegZooka: $30
The commercial Registry cleaners seemed to fix problems that are not pertinent to CyberPatriot:
ActiveX Uninstall entries
Empty Registry Keys
Folder Options
CDA recommendations for setting your Folder Options
Implement at Control Panel > Folder Options
Select the View tab and implement the following
Prefetch
A folder at C:\Windows\Prefetch (see next slide)
A place where Windows remembers which files you commonly open
Aids in preparing Windows to run applications and files that you often use
Is self-maintaining, i.e., if you delete the contents, Windows will rebuild it over time
A place of discovery, where you can learn what applications and files were popular before you became Administrator of this system
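An added example, not from the slides, of using the Prefetch folder as a place of discovery: a Python script that lists which executables have prefetch entries, newest first, and which of them ran after a given moment. It runs against a constructed sample folder with made-up hashes; on a real XP image point it at C:\Windows\Prefetch.

```python
import os
import re
import tempfile
import time

# Prefetch files are named <EXECUTABLE>-<8 hex digit hash>.pf; Layout.ini is the
# only other file Windows XP keeps in the folder, and it is ignored here.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

def prefetch_inventory(prefetch_dir):
    """Return [(executable, last_modified_epoch)] newest first for every *.pf file."""
    rows = []
    for name in os.listdir(prefetch_dir):
        m = PF_NAME.match(name)
        if not m:
            continue
        mtime = os.path.getmtime(os.path.join(prefetch_dir, name))
        rows.append((m.group("exe").upper(), mtime))
    return sorted(rows, key=lambda r: r[1], reverse=True)

def ran_since(prefetch_dir, since_epoch):
    """Executables whose prefetch entry was updated at or after since_epoch."""
    return [exe for exe, mtime in prefetch_inventory(prefetch_dir) if mtime >= since_epoch]

def make_sample_prefetch():
    """Constructed sample folder: hashes are made up, timestamps spread over a week."""
    folder = tempfile.mkdtemp()
    now = time.time()
    samples = {"NOTEPAD.EXE-A1B2C3D4.pf": now - 6 * 86400,
               "CMD.EXE-0011AABB.pf": now - 3600,
               "SVCHOST.EXE-DEADBEEF.pf": now - 2 * 86400,
               "Layout.ini": now}
    for name, mtime in samples.items():
        path = os.path.join(folder, name)
        open(path, "w").close()
        os.utime(path, (mtime, mtime))
    return folder

if __name__ == "__main__":
    folder = make_sample_prefetch()   # on a real system: r"C:\Windows\Prefetch"
    for exe, mtime in prefetch_inventory(folder):
        print(time.strftime("%Y-%m-%d %H:%M", time.localtime(mtime)), exe)
```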
Making backups (every hour)
Why is this needed? Blue Screen of Death*; image won't boot*
Pros:
Can restart from a safe, known configuration
Can explore multiple paths simultaneously on shadow computers**
Cons:
Takes 10 minutes each time
Re-emphasizes the need to explore each image before competing
*Recovery: Boot in Safe Mode (see next)
**VMware's Snapshots offers a similar capability
Safe Mode - a reduced, basic state of the operating system, excluding the network, startup items, prefetch items, all drivers except essential ones (mouse, keyboard, etc.), for diagnosing issues
Opens with Start Windows Normally selected
Use the arrow keys to move up and down to select Safe Mode
Select Safe Mode
Other prime options are with Networking and with Command Prompt
All installed operating systems are shown (only Windows XP Pro in this case)
Use the arrow keys to move up and down to select your OS
Advisory notice
Tools
With the Internet and time, you can pre-download:
Service Packs (584 MB)
Tools (120 MB)
During the Competition, however, another 1,200 MB has to be downloaded
Teams need a stable, reliable, fairly fast (1 - 3 Mbps) Internet connection
Get one or more of the following sites:
A team member's house
A local school
Hotel with meeting room
Starbucks
AT&T AirCards
Test the connection ahead of time
Procrastination is Punished
The Evil Growth Engine: malware that deliberately fills your hard drive with garbage
Found by watching the C:\ properties and Process Explorer
Search for large files (i.e. greater than 30000 KB) using the following search criteria
Turn on Advanced search settings to include:
Search system folders
Search hidden files and folders
Search subfolders
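An added example, not from the slides, of the same hunt in script form: a Python walk over a drive that reports files above 30000 KB, hidden and system folders included, plus a used-space comparison between two readings of the volume to catch a drive that keeps growing. The sample tree is constructed in a temp folder and scanned with a smaller threshold so it runs anywhere.

```python
import os
import shutil
import tempfile

def find_large_files(root, min_kb=30000):
    """Walk root including subfolders and hidden/system folders (os.walk does not skip
    them) and return [(path, size_kb)] for files of at least min_kb, largest first."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:          # locked or vanished file: skip it, keep scanning
                continue
            if size >= min_kb * 1024:
                hits.append((path, size // 1024))
    return sorted(hits, key=lambda h: h[1], reverse=True)

def used_mb(path):
    """Used space on the volume holding path, in whole MB (what C:\\ Properties shows)."""
    return shutil.disk_usage(path).used // (1024 * 1024)

def growth_alert(used_before_mb, used_after_mb, max_growth_mb=500):
    """True when used space grew by more than max_growth_mb between two readings."""
    return used_after_mb - used_before_mb > max_growth_mb

def make_sample_tree():
    """Constructed sample volume: one 64 KB file inside a hidden folder, one tiny file."""
    root = tempfile.mkdtemp()
    hidden = os.path.join(root, ".hidden", "sub")
    os.makedirs(hidden)
    with open(os.path.join(hidden, "junk.bin"), "wb") as f:
        f.write(b"\0" * (64 * 1024))
    with open(os.path.join(root, "notes.txt"), "w") as f:
        f.write("small")
    return root

if __name__ == "__main__":
    sample = make_sample_tree()       # on a real image: "C:\\" with the default min_kb
    for path, kb in find_large_files(sample, min_kb=32):
        print(f"{kb:8d} KB  {path}")
```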
Verify you have the right XP Service Packs
Practice the new Tools:
Windows Security / Task Manager
Process Explorer
Unlocker
Warp
Practice booting in Safe Mode
Belarc on the XP Pro image
Goal: Get the highest Belarc score
Goal: Get your time-to-safe down
LINUX
Linux - Today's Topics
No tux today
None
Summary
On schedule with Windows
Behind schedule with Linux (but so we can emphasize Windows for Qualification Round 1)
Now have:
Basic Strategy and Mechanics for running images
Order of Battle
Toolkits
Expanding Repertoire of Techniques
Basic Networking with Protocols and Encryption
Advanced Windows skills (Administering, Registry, Hotfixes, Updated CIS Benchmarks for W2K)