
C D A

Cyber Defense Academy

Session 08
November 17, 2011
Please Note: If you haven't viewed all the Sessions before this one, please do so now. The topics in this session depend on you having viewed these prior Sessions first.

Copyright 2011, Cyber Defense Academy All Rights Reserved

Overview of Today's Session

Regular Major Themes
  Topics in CyberPatriot / Computer Science
  Topics in Windows
  Topics in Linux (not today)
Additional training in Networking
Focus on Windows XP (Part 1)

Quiz

CyberPatriot

CyberPatriot
Strategy Update

Wait for it: use the time from noon Friday until mid-Saturday to explore the image
  Many teams went to 100% in a few minutes
  Use your shadows
  Use your techniques, OOB, CDA Benchmarks
You can see the scores in real-time during the Competition at:
  http://cybernexs.saic.com/cndx/spectator_displays/ranked_scores_by_os.php
Analysis of Scores in Round 1
  Large number of 100% scores
  ASD: 20 teams
  OD: 67 teams
Everyone needs a score of 80% - 100% in Round 2
Announcement for Round 2
  Windows XP
  Windows 2003
  Timing Counts

CyberPatriot
Network 103 - Network Devices

Network Devices: any device attached to a TCP/IP network with an IP address
Host: a workstation or server
Data terminal equipment: a device that is the final destination for the packet (e.g. printer)
Hub: connects multiple Ethernet segments into a single segment (everyone hears the traffic)
Switch: directs outside traffic to only the specific destination segment (only the destination hears the traffic)
Router: reads address information and sends packets toward their ultimate destination based on a routing table (audience depends on the segment)
Sniffer: a device that can read every packet on the segment without being detected

CyberPatriot
Network 103 - Network Diagrams

(Diagram: logical representation of two small networks. One has a Router connected to the Internet and a Switch feeding a Server, Computers and a Printer; the other has a Hub feeding Computers and a Printer.)

CyberPatriot
Network 103 - Network Topology

Examples of network topology
  Star
  Ring
  Bus

CyberPatriot
Network 103 - Ping

Ping: network administration tool to test the reachability of a node on a network and to measure round-trip time
  Named after active sonar technology
  Sends an Internet Control Message Protocol (ICMP) echo request packet (8 byte header, 20 byte payload) to the target
  Measures the time of reception and any packet loss
  Ping floods are a simple form of denial-of-service attack
Hear the sound: http://www.youtube.com/watch?v=D9kv_V5lhiE
See example on the next slide

CyberPatriot
Network 103 - Ping Example

ping -c 5 iSmoke
  ping    command
  -c      count
  5       value
  iSmoke  target
(Send 5 pings to the host named iSmoke)

On a PC, go to Run > cmd
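Added example, not part of the CDA slides: a small parser that turns the output of a ping run into the two measurements the Ping slide names, round-trip time and packet loss. It handles both the Unix/macOS output of the "ping -c 5 iSmoke" command above and the Windows cmd output of the equivalent "ping -n 5 iSmoke"; the host name iSmoke comes from the slide, while the address 192.0.2.10 and the reply lines are constructed.

```python
import re

# Constructed sample output (host iSmoke from the slide, address 192.0.2.10 made
# up) in the two formats a team will see: Unix/macOS "ping -c 5 iSmoke" and
# Windows cmd "ping -n 5 iSmoke". One packet of five is lost in each run.
SAMPLE_UNIX = """\
PING iSmoke (192.0.2.10): 56 data bytes
64 bytes from 192.0.2.10: icmp_seq=0 ttl=64 time=1.234 ms
64 bytes from 192.0.2.10: icmp_seq=1 ttl=64 time=0.987 ms
Request timeout for icmp_seq 2
64 bytes from 192.0.2.10: icmp_seq=3 ttl=64 time=1.500 ms
64 bytes from 192.0.2.10: icmp_seq=4 ttl=64 time=1.279 ms
"""
SAMPLE_WINDOWS = """\
Pinging iSmoke [192.0.2.10] with 32 bytes of data:
Reply from 192.0.2.10: bytes=32 time=12ms TTL=64
Reply from 192.0.2.10: bytes=32 time<1ms TTL=64
Request timed out.
Reply from 192.0.2.10: bytes=32 time=15ms TTL=64
Reply from 192.0.2.10: bytes=32 time=13ms TTL=64
"""

# One pattern per reply format. Windows prints "time<1ms" for sub-millisecond
# replies; that is recorded as 1 ms, an upper bound, since no exact value exists.
UNIX_REPLY = re.compile(r"^\d+ bytes from .*?time=(\d+(?:\.\d+)?) ms")
WIN_REPLY = re.compile(r"^Reply from .*?time[=<](\d+)ms")
TIMEOUT = re.compile(r"^Request time(d out\.|out for icmp_seq)")

def summarize_ping(output, sent):
    """Summarize one ping run. `sent` is the count given to ping (-c or -n).
    Returns a dict with received, timeouts, loss_pct and min/avg/max RTT in ms."""
    rtts, timeouts = [], 0
    for line in output.splitlines():
        m = UNIX_REPLY.match(line) or WIN_REPLY.match(line)
        if m:
            rtts.append(float(m.group(1)))
        elif TIMEOUT.match(line):
            timeouts += 1
    received = len(rtts)
    # Loss is computed from the count sent, not from timeout lines: Linux ping
    # prints no per-packet timeout line at all, it just leaves a gap.
    summary = {"received": received, "timeouts": timeouts,
               "loss_pct": round(100.0 * (sent - received) / sent, 1)}
    if rtts:
        summary.update(min_ms=min(rtts), avg_ms=round(sum(rtts) / received, 3),
                       max_ms=max(rtts))
    return summary
```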

CyberPatriot
Network 103 - Ping Pros & Cons

Key tool for Network Administrators
  Verify known devices are still present
  Detect noise on the circuit
  Detect a chatty NIC
  Identify missing segments
  Identify missing devices

Key tool for Network Attackers
  Discover all IP addresses
  Launch ping floods

CyberPatriot
Network 103 - SNMP

Simple Network Management Protocol
  For managing devices on IP networks
  Last updated by RFC 3411 - 3418 (SNMPv3)
  Peer-to-peer protocol
  Architecture is:
    Network Manager: an administrative computer
    Network Management System (NMS): software that monitors and controls managed devices
    Management Information Base (MIB): a data structure on each Managed Device containing objects and their values for that device
    Agent: software on each Managed Device that gets/sets MIB data and sends it in SNMP format

(Diagram: the Network Manager, running the NMS, talks to the Managed Devices (Router, Computer, Printer); each Managed Device hosts a MIB and an Agent.)
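Added example, not from the CDA slides: the exchange the architecture above describes, in code. The NMS builds an SNMPv1 GetRequest (RFC 1157, BER-encoded) asking an Agent for the sysDescr.0 object of its MIB, and parses the Agent's GetResponse. The community string "public", the request id 1 and the reply text "Sample router" are constructed values; the Agent's reply is built inline rather than received from a network.

```python
SYS_DESCR = "1.3.6.1.2.1.1.1.0"    # MIB-II object sysDescr, instance 0

def tlv(tag, payload):
    """BER tag-length-value. Short-form length only: every message built here is < 128 bytes."""
    assert len(payload) < 0x80, "long-form length not implemented in the encoder"
    return bytes([tag, len(payload)]) + payload

def encode_integer(v):
    """Non-negative INTEGER; a leading 0x00 keeps the sign bit clear."""
    body = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)

def encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                       # low 7 bits last, high bit clear
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))   # continuation bytes
        out += chunk
    return tlv(0x06, bytes(out))

def get_request(community, oid, request_id=1):
    """NMS -> Agent: version 0 (SNMPv1) message carrying a GetRequest PDU (0xA0)."""
    varbind = tlv(0x30, encode_oid(oid) + tlv(0x05, b""))              # value slot is NULL
    pdu = tlv(0xA0, encode_integer(request_id) + encode_integer(0)     # error-status
              + encode_integer(0) + tlv(0x30, varbind))                # error-index
    return tlv(0x30, encode_integer(0) + tlv(0x04, community.encode()) + pdu)

def parse_tlv(buf, pos=0):
    """Return (tag, value bytes, position just after this TLV); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # 0x8N: the next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_get_response(msg):
    """Agent -> NMS: (request_id, error_status, value) from a GetResponse PDU (0xA2)."""
    _, body, _ = parse_tlv(msg)                     # outer SEQUENCE
    _, _, p = parse_tlv(body)                       # version
    _, _, p = parse_tlv(body, p)                    # community
    tag, pdu, _ = parse_tlv(body, p)
    assert tag == 0xA2, "not a GetResponse PDU"
    _, rid, p = parse_tlv(pdu)
    _, err, p = parse_tlv(pdu, p)
    _, _, p = parse_tlv(pdu, p)                     # error-index
    _, varbind, _ = parse_tlv(parse_tlv(pdu, p)[1]) # first VarBind of the list
    _, _, p = parse_tlv(varbind)                    # the OID, echoed back
    return int.from_bytes(rid, "big"), int.from_bytes(err, "big"), parse_tlv(varbind, p)[1]

# Constructed reply, as an Agent would answer the request with sysDescr = "Sample router".
SAMPLE_RESPONSE = tlv(0x30, encode_integer(0) + tlv(0x04, b"public") + tlv(
    0xA2, encode_integer(1) + encode_integer(0) + encode_integer(0)
    + tlv(0x30, tlv(0x30, encode_oid(SYS_DESCR) + tlv(0x04, b"Sample router")))))
```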

CyberPatriot
Network 103 - NMS Example

AutoScan-Network
  For managing an IP network(s)
  Runs on Macs, Windows XP/Vista, GNU/Linux
  Free at: http://autoscan-network.com/

Homework for CyberPatriot

Prepare for competition
Run the ping command
Discover the network devices on your network via a free NMS

WINDOWS

Advanced Windows Topics
Overview

Today's Topics
Tools
  Task Manager
  Process Explorer
  Unlocker
  Warp
Techniques
  Folder Options
  Prefetch
  Running backups (every hour)
  Booting in Safe Mode
  Run-time Downloads & the Internet
  Hard Disk Growth

Tools

All Service Packs found at: http://support.microsoft.com/kb/322389
Make sure your Service Pack downloads have the exact file name as shown above and equivalent size.

CDA Rankings: Required / Essential / Useful / Interesting / Distracting
  Windows Security / Task Manager
  Process Explorer
  Unlocker
  Warp
Don't run ComboFix, it thinks CyberNEXS is evil and removes it.

Advanced Windows Topics
Tools - Windows Security / Task Manager

Shows currently active Processes
Activate the tool by pressing CTRL-ALT-DEL, click the Task Manager button, then click the Processes tab
Free (included in OS)

Advanced Windows Topics
Tools - Process Explorer (1 of 6)

A discovery tool showing:
  Currently active processes
  Description of each process
  Company who wrote the process
  CPU and RAM utilization of each process
  Services consumed by the process
  DLLs used by the process
  Files used/owned by the process
Free at: http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml

Advanced Windows Topics
Tools - Process Explorer (2 of 6)

Main Window
  Indented processes (the process tree)
  CPU
  RAM
  Description
  Company Name
Note the multiple instances of svchost.exe

Advanced Windows Topics
Tools - Process Explorer (3 of 6)

Two Panes (DLLs in the lower pane)
  AvastSvc.exe is selected in the upper pane
  The DLL files needed by AvastSvc.exe are shown in the lower pane

Advanced Windows Topics
Tools - Process Explorer (4 of 6)

Two Panes (Handles in the lower pane)
  AvastSvc.exe is selected in the upper pane
  The files held by AvastSvc.exe are shown in the lower pane

Advanced Windows Topics
Tools - Process Explorer (5 of 6)

Properties
  A rich set of data is available in the Properties window
  The Services tab shows the services consumed by the process

Advanced Windows Topics
Tools - Process Explorer (6 of 6)

In summary
  It's small
  It's cheap
  It's safe
  It shows who's grabbing your system
Recommendation: get an additional monitor (e.g. 24" LCD/LED monitor) and leave Process Explorer up all the time

5 minute break

Advanced Windows Topics
Tools - Unlocker (1 of 2)

A discovery tool showing:
  Who owns the handle on a file
  Allows you to unlock the handle so that you can delete the file or folder
Free at: http://www.softpedia.com/get/System/System-Info/Process-Explorer.shtml

Advanced Windows Topics
Tools - Unlocker (2 of 2)

1) Try to delete MSN Gaming Zone
2) Error deleting
3) Right-click to invoke Unlocker (an Explorer extension)
4) Unlocker reveals PID 964 has a handle on MSN
5) Process Explorer confirms the owner and handle
6) Unlock All releases the handle

Advanced Windows Topics
Tools - Warp (1 of 7)

A discovery and repair tool:
  Finds errors in the Registry
  Finds many other types of Windows errors
Free at: http://www.nchsoftware.com/registry-cleaner/index.html

Advanced Windows Topics
Tools - Warp (2 of 7)

Scan Results: shows the results from a scan of the system

Advanced Windows Topics
Tools - Warp (3 to 5 of 7)

Scan Details (screens 1 to 3 of 3): show the details from a scan of the system

Advanced Windows Topics
Tools - Warp (6 of 7)

Repair Results: shows the results from the repair of the system

Advanced Windows Topics
Tools - Warp (7 of 7)

Repair Details: shows the results from the repair of the system

Advanced Windows Topics
Tools - About other Registry Cleaners

Many, many Registry cleaners are available, most for a fee
Two others were evaluated
  RegGenie: $35
  RegZooka: $30
The commercial Registry cleaners seemed to fix problems that are not pertinent to CyberPatriot
  ActiveX Uninstall entries
  Empty Registry Keys

Advanced Windows Topics
Techniques - Folder Options

CDA recommendations for setting your Folder Options
  Implement at Control Panel > Folder Options
  Select the View tab and implement the following (settings shown on the slide)
Also, click Apply to All Folders

Advanced Windows Topics
Techniques - Prefetch

A folder at C:\Windows\Prefetch (see next slide)
A place where Windows remembers which files you commonly open
Aids in preparing Windows to run applications and files that you often use
Is self-maintaining, i.e., if you delete the contents, Windows will rebuild it over time
A place of discovery, where you can learn what applications and files were popular before you became Administrator of this system

Advanced Windows Topics
Techniques - Prefetch Example (screenshot of the Prefetch folder)

Advanced Windows Topics
Techniques - Making backups

Making backups (every hour)
Why is this needed?
  Blue Screen of Death*
  Image won't boot*
Pros
  Can restart from a safe, known configuration
  Can explore multiple paths simultaneously on shadow computers
Cons
  Takes 10 minutes each time
  Re-emphasizes the need to explore each image before competing

*Recovery: Boot in Safe Mode (see next)
**VMware's Snapshots offers a similar capability

Advanced Windows Topics
Techniques - Booting in Safe Mode (1 of 6)

Safe Mode: a reduced, basic state of the operating system, excluding the network, startup items, prefetch items, all drivers except essential ones (mouse, keyboard, etc.), for diagnosing issues
Activated by pressing F8 during Restart (Function-F8 on Macs)
Multiple options (see next 5 slides)

Advanced Windows Topics
Techniques - Booting in Safe Mode (2 of 6)

Opens with Start Windows Normally selected
Use the arrow keys to move up and down to select Safe Mode

Advanced Windows Topics
Techniques - Booting in Safe Mode (3 of 6)

Select Safe Mode
Other prime options are "with Networking" and "with Command Prompt"

Advanced Windows Topics
Techniques - Booting in Safe Mode (4 of 6)

All installed operating systems are shown (only Windows XP Pro in this case)
Use the arrow keys to move up and down to select your OS

Advanced Windows Topics
Techniques - Booting in Safe Mode (5 of 6)

Advisory notice

Advanced Windows Topics
Techniques - Booting in Safe Mode (6 of 6)

The desktop, with Safe Mode labels in all 4 corners
Could you Get My Status in Safe Mode?

Advanced Windows Topics
Techniques - Pre-Competition Downloads

Download as much as possible before the competition
  Service Packs
  Tools

Advanced Windows Topics
Techniques - Run-time Downloads

Many files have to be downloaded during the competition
  Windows Updates
Increase in size does not consider deleting the $NTUninstall files (discussed later)
Approximately one-third of the size of each update is from downloading; the remainder is due to expansion
Anyone know how to download these before the Competition starts?

Advanced Windows Topics
Techniques - Got Internet?

With the Internet and time, you can pre-download
  Service Packs (584 MB)
  Tools (120 MB)
During the Competition, however, another 1,200 MB has to be downloaded
Teams need a stable, reliable, fairly fast (1 - 3 Mbps) Internet connection
Get one or more of the following sites:
  A team member's house
  A local school
  Hotel with meeting room
  Starbucks
  AT&T AirCards
Test the connection ahead of time

Advanced Windows Topics
Techniques - Hard Disk Growth

Your C:\ drive usage grows throughout the Competition
The Round 1 image was particularly full
The Round 1 image grew by 582 MB overnight, doing nothing
Procrastination is Punished: the Evil Growth Engine
  A malware that deliberately fills your hard drive with garbage
  Found by watching the C:\ properties and Process Explorer

Advanced Windows Topics
Techniques - Detecting HD Growth

Search for large files (i.e. greater than 30000 KB) using the following search criteria
Turn on Advanced search settings to include:
  Search system folders
  Search hidden files and folders
  Search subfolders

Advanced Windows Topics
Techniques - Detecting HD Growth

Take a snapshot at the beginning of the Competition
Take a snapshot(s) later. Compare
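Added example, not from the CDA slides: a Python script that takes the size snapshots the two Detecting HD Growth slides call for and compares them, flagging files that appeared, files that grew, and files at or above the 30000 KB threshold from the search criteria. It runs against a temporary folder with constructed files (the hosts, report.doc and ~junk.tmp names and sizes are made up); on a competition image you would point snapshot() at C:\ instead.

```python
import os
import tempfile

LARGE_KB = 30000     # the slides' "greater than 30000 KB" search threshold

def snapshot(root):
    """Map every file under root to its size in bytes. os.walk descends into
    hidden and system folders too, matching the slides' advanced search settings."""
    sizes = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:          # vanished or locked since the listing: skip
                continue
            sizes[os.path.relpath(path, root).replace(os.sep, "/")] = size
    return sizes

def compare(before, after, min_growth=0):
    """Return (new, grown, removed, delta_bytes): files that appeared, files that grew
    by more than min_growth bytes as (path, old, new) with the biggest growth first,
    files that vanished, and the net change in bytes between the two snapshots."""
    new = {p: s for p, s in after.items() if p not in before}
    grown = [(p, before[p], s) for p, s in after.items()
             if p in before and s - before[p] > min_growth]
    grown.sort(key=lambda t: t[1] - t[2])
    removed = {p: s for p, s in before.items() if p not in after}
    return new, grown, removed, sum(after.values()) - sum(before.values())

def large_files(snap, min_kb=LARGE_KB):
    """Files of at least min_kb KB, largest first (the slides' Search criteria)."""
    return sorted(((p, s) for p, s in snap.items() if s >= min_kb * 1024),
                  key=lambda t: -t[1])

def demo():
    """Constructed scenario in a temp folder: a document is edited a little and a
    large junk file appears between the two snapshots."""
    root = tempfile.mkdtemp()
    def write(rel, nbytes):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"\0" * nbytes)
    write("Windows/system32/drivers/etc/hosts", 800)
    write("Documents/report.doc", 40_000)
    before = snapshot(root)
    write("Documents/report.doc", 41_000)              # legitimate small edit
    write("Windows/Temp/~junk.tmp", 31 * 1024 * 1024)  # 31 MB of garbage appears
    after = snapshot(root)
    return compare(before, after), large_files(after)
```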

Homework for Windows

Verify you have the right XP Service Packs
Practice the new Tools
  Windows Security / Task Manager
  Process Explorer
  Unlocker
  Warp
Practice booting in Safe Mode
Belarc on the XP Pro image
  Goal: Get the highest Belarc score
  Goal: Get your time-to-safe down

LINUX

Linux
Today's Topics

No tux today

Homework for Linux

None

Summary

On schedule with Windows
Behind schedule with Linux (but so we can emphasize Windows for Qualification Round 1)
Now have:
  Basic Strategy and Mechanics for running images
  Order of Battle
  Toolkits
  Expanding Repertoire of Techniques
  Basic Networking with Protocols and Encryption
  Advanced Windows skills (Administering, Registry, Hotfixes, Updated CIS Benchmarks for W2K)
