Posts

Showing posts with the label capturetheflag

TryHackMe | Red Team Fundamentals WriteUp

This room is an introduction to red teaming
Link - https://tryhackme.com/room/redteamrecon

Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay)
Nay
During a penetration test, are you concerned about being detected by the client? (Yay/Nay)
Nay
Highly organised groups of skilled attackers are nowadays referred to as …
Advanced Persistent Threats
The goals of a red team engagement will often be referred to as flags or…
crown jewels
During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTPs. What does TTP stand for?
Tactics, techniques and procedures
The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay)
Nay
What cell is responsible for the offensive operations of an engagement?
Red Cell
What cell is the trusted agent considered part of?
White Cell
If an adversary deployed Mimikatz on a target machine, where

TryHackMe | Introduction To Honeypots Walkthrough

A guided room covering the deployment of honeypots and analysis of botnet activities
Link - https://tryhackme.com/room/introductiontohoneypots

Create a file and then log back in. Is the file still there? (Yay/Nay)
Nay
How many passwords include the word “password” or some other variation of it, e.g. “p@ssw0rd”?
15
What is arguably the most common tool for brute-forcing SSH?
hydra
What intrusion prevention software framework is commonly used to mitigate SSH brute-force attacks?
Fail2Ban
What CPU does the honeypot “use”? Run the command cat /proc/cpuinfo
Intel(R) Core(TM) i9-11900KB CPU @ 3.30GHz
Does the honeypot return the correct values when uname -a is run? (Yay/Nay)
Nay
What flag must be set to pipe wget output into bash?
-O
How would you disable bash history using unset?
unset HISTFILE
What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt) Do a simple Google search of the processes
Mikrotik
What are the commands in the second sample changing? (Bot

TryHackMe | Nmap Live Host Discovery WriteUp

Learn how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan.
Link - https://tryhackme.com/room/nmap01

Send a packet with the following: From computer1, To computer1 (to indicate it is broadcast), Packet Type: “ARP Request”, Data: computer6 (because we are asking for computer6's MAC address using an ARP Request)
How many devices can see the ARP Request?
4
Did computer6 receive the ARP Request? (Y/N)
N
Send a packet with the following: From computer4, To computer4 (to indicate it is broadcast), Packet Type: “ARP Request”, Data: computer6 (because we are asking for computer6's MAC address using an ARP Request)
How many devices can see the ARP Request?
4
Did computer6 reply to the ARP Request? (Y/N)
Y
What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?
10.10.12.8
How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?
6400
Send a packet with the following: From computer1 To computer3 Packet T

TryHackMe | Masterminds Walkthrough

Practice analyzing malicious traffic using Brim.
Link - https://tryhackme.com/room/mastermindsxlq

[Infection 1]
Provide the victim’s IP address. Load infection1.pcap in Brim and check the source IP of “Http Requests”
192.168.75.249
The victim attempted to make HTTP connections to two suspicious domains with the status ‘404 Not Found’. Provide the hosts/domains requested.
cambiasuhistoria.growlab.es, www.letscompareonline.com
The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address. Check the “Http Requests”
ww25.gocphongthe.com, 199.59.242.153
How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)? Check “Unique DNS Queries”
7
Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. Check the “Http Requests”
/cgi-bin/JBbb8/
Provide the IP addr

TryHackMe | DNS Manipulation Walkthrough

Manipulating DNS queries to our advantage
Link - https://tryhackme.com/room/dnsmanipulation

If you were on Windows, what command could you use to query a txt record for ‘youtube.com’?
nslookup -type=txt youtube.com
If you were on Linux, what command could you use to query a txt record for ‘facebook.com’?
dig facebook.com TXT
AAAA stores what type of IP Address along with the hostname?
IPv6
Maximum characters for a DNS TXT Record is 256. (Yay/Nay)
Nay
What DNS Record provides a domain name in reverse-lookup? (Research)
PTR
What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2) (Research)
2.203.168.192.in-addr.arpa
What is the maximum length of a DNS name? (Research) (Length includes dots!)
253
What is the Transaction name? (Type it as you see it)
Network Equip.
How much was the Firewall? (Without the $)
2500
Which file contains suspicious DNS queries?
cap3.pcap
Enter the plain-text after you have decoded the data using packetyGrabber.py found in ~/dns-exfil-i

TryHackMe | Passive Reconnaissance WriteUp

Learn about the essential tools for passive reconnaissance, such as whois, nslookup, and dig.
Link - https://tryhackme.com/room/passiverecon

You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive)
P
You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive)
A
You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive)
A
When was TryHackMe.com registered?
20180705
What is the registrar of TryHackMe.com?
namecheap.com
Which company is TryHackMe.com using for name servers?
cloudflare.com
Check the TXT records of thmlabs.com. What is the flag there?
Lookup tryhackme.com on DNSDumpste

TryHackMe | h4cked Walkthrough

Find out what happened by analysing a .pcap file and hack your way back into the machine
Link - https://tryhackme.com/room/h4cked

Download the Task file
The attacker is trying to log into a specific service. What service is this?
FTP
There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool?
Hydra
The attacker is trying to log on with a specific username. What is the username?
jenny
What is the user’s password?
password123
What is the current FTP working directory after the attacker logged in?
/var/www/html
The attacker uploaded a backdoor. What is the backdoor’s filename?
shell.php
The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL? Follow the TCP stream
http://pentestmonkey.net/tools/php-reverse-shell
Which command did the attacker manually execute after getting a reverse shell? Follow the TCP stream
whoami
What is the computer’s hostname? Follow the TCP stream w

TryHackMe | Content Discovery Walkthrough

Learn the various ways of discovering hidden or private content on a webserver that could lead to new vulnerabilities.
Link - https://tryhackme.com/room/contentdiscovery

What is the Content Discovery method that begins with M?
Manually
What is the Content Discovery method that begins with A?
Automated
What is the Content Discovery method that begins with O?
OSINT
What is the directory in the robots.txt that isn’t allowed to be viewed by web crawlers? Check the robots.txt file
/staff-portal
What framework did the favicon belong to? Download the file, upload it to VirusTotal to get its hash, then check the website mentioned in the room for that hash.
cgiirc
What is the path of the secret area that can be found in the sitemap.xml file? Check the sitemap
/s3cr3t-area
What is the flag value from the X-FLAG header? Run the curl command
What is the flag from the framework’s administration portal? Go to the website mentioned in the room, find the location /thm-framework-login and log in with username and password “admin”

Eonrec