US Cyber Challenge Spring 2025 Documentation
So I just attempted the US Cyber Challenge Spring 2025 Quiz. This was such a great opportunity for me to enrich my knowledge in packet analysis and identifying different types of attacks by observing patterns and outputs generated by packet sniffers. Here’s a summary of what I learned:
1. Analyzing Packet Anomalies
- Multicast MAC Addresses in TCP:
- A MAC address whose first octet has its low-order bit set (the I/G bit) is a group address, used for one-to-many delivery. Any odd first octet (01, ff, ...) marks a group address, and ff:ff:ff:ff:ff:ff is the broadcast address.
- TCP is a unicast protocol, meaning it is designed for one-to-one communication, and a frame's source MAC must always be an individual (unicast) address. Hence, a TCP packet carrying a group MAC address such as ff:0c:29:28:aa:ba is anomalous.
- Look up the first three octets (the OUI) to check whether the vendor prefix is plausible. OUI Lookup Tool: https://www.wireshark.org/tools/oui-lookup.html
- Credit Card Data in Packets:
- Sensitive data such as credit card details (e.g., 4916792779871,CVV: 682) artificially appended to a packet's payload can indicate data exfiltration; a plaintext card number and CVV have no place in ordinary protocol traffic.
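The two anomaly checks above, as an added example that is not part of the original write-up: a group-bit test on the source MAC, and a payload scan that only reports digit runs of card-number length that also pass the Luhn checksum (so order IDs and timestamps are not flagged). The frame record, the surrounding HTTP payload and the destination MAC are constructed for the example; the source MAC and the card/CVV string are the values quoted above.

```python
import re
from typing import List, Tuple

# Constructed frame record, not from a real capture. The source MAC and the
# card-number/CVV string are the values quoted in the write-up; the rest of
# the payload is made up for the example.
SAMPLE_FRAME = {
    "src_mac": "ff:0c:29:28:aa:ba",
    "dst_mac": "00:50:56:12:34:56",
    "payload": (
        b"POST /checkout HTTP/1.1\r\nHost: shop.example\r\n\r\n"
        b"order=1234567890123&card=4916792779871,CVV: 682\r\n"
    ),
}


def is_group_mac(mac: str) -> bool:
    """True if the I/G bit (low-order bit of the first octet) is set, i.e. the
    address is a multicast/broadcast (group) address rather than a unicast one."""
    first_octet = int(mac.split(":")[0], 16)
    return first_octet & 0x01 == 1


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by payment card numbers: from the right, double every
    second digit, subtract 9 from doubled values above 9, require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")      # card-number-length digit runs
CVV_RE = re.compile(rb"CVV:?\s*(\d{3,4})", re.IGNORECASE)


def find_card_numbers(payload: bytes) -> List[str]:
    """Digit runs of card-number length that also pass Luhn; the Luhn filter
    discards most order IDs, timestamps and other long numbers."""
    return [m.decode() for m in PAN_RE.findall(payload) if luhn_valid(m.decode())]


def check_frame(frame: dict) -> List[Tuple[str, str]]:
    """Return (finding_kind, value) pairs for the anomalies discussed above."""
    findings: List[Tuple[str, str]] = []
    src = frame["src_mac"]
    if is_group_mac(src):
        findings.append(("group_src_mac", src))
    payload = frame["payload"]
    for pan in find_card_numbers(payload):
        findings.append(("pan", pan))
    for cvv in CVV_RE.findall(payload):
        findings.append(("cvv", cvv.decode()))
    return findings


if __name__ == "__main__":
    for kind, value in check_frame(SAMPLE_FRAME):
        print(f"{kind}: {value}")
```

The decoy value 1234567890123 in the constructed payload is the right length but fails Luhn, so only the real-looking number is reported; in a real capture you would run `check_frame` over the decoded payload of every packet in the stream.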
2. Beaconing Behavior
- Beaconing refers to regular outbound communication from a host to a remote system, common in Command & Control (C2) activity.
- Indicators include:
- Traffic occurring at predictable time intervals (e.g., every 60 seconds).
- Small data payloads with repetitive connections to the same IP or domain.
- Usage of common protocols (HTTP, HTTPS, DNS) to “blend in” with normal traffic.
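A small beacon detector for the indicators listed above, as an added example that is not part of the original write-up. It groups connections by (source, destination), measures the inter-arrival intervals, and flags a pair when the intervals are regular (low coefficient of variation), the count is high enough and the payloads are small. The connection log, the thresholds and the IP addresses are all constructed assumptions for the example.

```python
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

Conn = Tuple[float, str, str, int]  # (epoch seconds, src_ip, dst_ip, bytes sent)

# Constructed connection log, not real traffic. 10.0.0.5 contacts 203.0.113.50
# roughly every 60 s with ~200-byte payloads (beacon-like); 10.0.0.6 reaches
# 198.51.100.4 at irregular, human-looking times with varied sizes.
CONNECTIONS: List[Conn] = [
    (0.0, "10.0.0.5", "203.0.113.50", 210),
    (60.5, "10.0.0.5", "203.0.113.50", 198),
    (120.2, "10.0.0.5", "203.0.113.50", 205),
    (180.9, "10.0.0.5", "203.0.113.50", 210),
    (240.1, "10.0.0.5", "203.0.113.50", 199),
    (300.7, "10.0.0.5", "203.0.113.50", 202),
    (360.3, "10.0.0.5", "203.0.113.50", 210),
    (420.8, "10.0.0.5", "203.0.113.50", 207),
    (480.4, "10.0.0.5", "203.0.113.50", 201),
    (540.6, "10.0.0.5", "203.0.113.50", 210),
    (0.0, "10.0.0.6", "198.51.100.4", 1440),
    (3.1, "10.0.0.6", "198.51.100.4", 9800),
    (3.4, "10.0.0.6", "198.51.100.4", 512),
    (47.0, "10.0.0.6", "198.51.100.4", 23000),
    (120.5, "10.0.0.6", "198.51.100.4", 760),
    (121.0, "10.0.0.6", "198.51.100.4", 4100),
    (400.2, "10.0.0.6", "198.51.100.4", 1320),
    (402.9, "10.0.0.6", "198.51.100.4", 15200),
    (900.0, "10.0.0.6", "198.51.100.4", 900),
    (905.5, "10.0.0.6", "198.51.100.4", 2300),
]


def analyze_pairs(conns: List[Conn], min_connections: int = 6,
                  max_cv: float = 0.1, max_mean_bytes: float = 1500.0) -> Dict[Tuple[str, str], dict]:
    """Per (src, dst) pair: connection count, mean interval, coefficient of
    variation of the intervals (stdev / mean), mean bytes, and a beacon verdict."""
    by_pair: Dict[Tuple[str, str], List[Tuple[float, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in conns:
        by_pair[(src, dst)].append((ts, nbytes))
    results: Dict[Tuple[str, str], dict] = {}
    for pair, events in by_pair.items():
        events.sort()
        times = [t for t, _ in events]
        sizes = [n for _, n in events]
        intervals = [b - a for a, b in zip(times, times[1:])]
        if len(intervals) >= 2:
            mean_iv = statistics.mean(intervals)
            cv = statistics.pstdev(intervals) / mean_iv if mean_iv > 0 else float("inf")
        else:  # too few events to judge regularity
            mean_iv = intervals[0] if intervals else 0.0
            cv = float("inf")
        mean_bytes = statistics.mean(sizes)
        results[pair] = {
            "count": len(events),
            "mean_interval": mean_iv,
            "cv": cv,
            "mean_bytes": mean_bytes,
            "beacon": len(events) >= min_connections and cv <= max_cv and mean_bytes <= max_mean_bytes,
        }
    return results


def beacons(results: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
    return sorted(pair for pair, r in results.items() if r["beacon"])


if __name__ == "__main__":
    report = analyze_pairs(CONNECTIONS)
    for pair, r in report.items():
        print(pair, f"n={r['count']} mean={r['mean_interval']:.1f}s cv={r['cv']:.3f} "
                    f"bytes={r['mean_bytes']:.0f} beacon={r['beacon']}")
```

Real implants add random jitter to the sleep interval, so `max_cv` is a tunable rather than a constant; raising it catches jittered beacons at the cost of more false positives from things like scheduled update checks, which is why the verdict also looks at count and payload size.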
3. Amplification Attacks Using NTP
- In traffic amplification DDoS attacks, attackers abuse misconfigured services (like NTP) by sending them small requests whose source IP is spoofed to the victim's address.
- Misconfigured servers act as amplifiers, unknowingly sending large responses to the spoofed victim IP; because each response is many times the size of the request, a little attacker bandwidth turns into a lot of traffic at the victim.
- This drastically increases the volume of traffic hitting the target.
- For more information: https://www.cloudflare.com/learning/ddos/ntp-amplification-ddos-attack/
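How amplification shows up in a packet log, as an added example that is not part of the original write-up: for every (server, client) pair on UDP/123 it sums request and response bytes and packets and reports the resulting ratios, which is the cue an analyst looks for in a capture. The datagram log, the packet sizes and the IP addresses are constructed assumptions; a normal client/server exchange is shown beside a server that answers each small spoofed query with many large replies.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

Datagram = Tuple[str, int, str, int, int]  # (src_ip, src_port, dst_ip, dst_port, bytes)

# Constructed UDP datagram log, not real traffic. 192.0.2.20 answers a normal
# 48-byte client query with a 48-byte reply. 192.0.2.21 is a misconfigured
# server: each small query whose source is spoofed to the victim 198.51.100.9
# draws ten large replies, all delivered to the victim. Sizes are made up.
DATAGRAMS: List[Datagram] = [
    ("10.0.0.8", 55001, "192.0.2.20", 123, 48),
    ("192.0.2.20", 123, "10.0.0.8", 55001, 48),
]
for _ in range(3):  # three spoofed queries, ten large replies each
    DATAGRAMS.append(("198.51.100.9", 40000, "192.0.2.21", 123, 50))
    DATAGRAMS.extend(("192.0.2.21", 123, "198.51.100.9", 40000, 482) for _ in range(10))


def amplification_report(datagrams: List[Datagram], service_port: int = 123) -> Dict[Tuple[str, str], dict]:
    """Per (server, client) pair: request/response packet and byte totals and the
    byte and packet amplification ratios (inf when replies have no request)."""
    stats: Dict[Tuple[str, str], dict] = defaultdict(
        lambda: {"req_pkts": 0, "req_bytes": 0, "resp_pkts": 0, "resp_bytes": 0})
    for src, sport, dst, dport, size in datagrams:
        if dport == service_port:        # client -> server (or spoofed "client")
            s = stats[(dst, src)]
            s["req_pkts"] += 1
            s["req_bytes"] += size
        elif sport == service_port:      # server -> client
            s = stats[(src, dst)]
            s["resp_pkts"] += 1
            s["resp_bytes"] += size
    report: Dict[Tuple[str, str], dict] = {}
    for pair, s in stats.items():
        byte_ratio = s["resp_bytes"] / s["req_bytes"] if s["req_bytes"] else float("inf")
        pkt_ratio = s["resp_pkts"] / s["req_pkts"] if s["req_pkts"] else float("inf")
        report[pair] = {**s, "byte_ratio": byte_ratio, "pkt_ratio": pkt_ratio}
    return report


def suspected_amplifiers(report: Dict[Tuple[str, str], dict],
                         min_byte_ratio: float = 10.0) -> List[Tuple[str, str, float]]:
    """Servers whose replies dwarf the requests they received. A ratio of inf
    (replies with no request at all) is the victim's-eye view of the attack."""
    return sorted((server, client, s["byte_ratio"])
                  for (server, client), s in report.items()
                  if s["byte_ratio"] >= min_byte_ratio)


if __name__ == "__main__":
    for server, client, ratio in suspected_amplifiers(amplification_report(DATAGRAMS)):
        print(f"{server} -> {client}: {ratio:.1f}x bytes")
```

Seen from the victim's network the requests never appear at all, only the flood of replies, so the same function reports an infinite ratio there; seen from the server's network the tell is one "client" address drawing far more response bytes than it sends.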
4. Data Encoding Recognition
- Recognizing encoding formats is essential:
- For example, %48%65%6c%6c%6f is URL (percent) encoding. Once decoded, it translates to the plain text "Hello".
- Tools like CyberChef are really helpful for detecting data encoding: https://gchq.github.io/CyberChef/
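A recogniser for the three encodings an analyst meets most often (URL/percent, hex, base64), as an added example that is not part of the original write-up. It accepts a decoding only when it changes the input and yields printable text, and it peels layers repeatedly so a base64 string that was then URL-encoded still comes out as plaintext (a generalisation of the single-layer case above). The printability heuristic and the layer limit are assumptions made for the example.

```python
import base64
import binascii
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

HEX_RE = re.compile(r"^(?:[0-9A-Fa-f]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
MAX_LAYERS = 5  # guard against pathological nesting


def looks_printable(data: bytes) -> bool:
    """Heuristic: accept a decoding only if it is printable ASCII text."""
    return bool(data) and all(32 <= b < 127 or b in (9, 10, 13) for b in data)


def decode_one_layer(s: str) -> Optional[Tuple[str, str]]:
    """Try URL, then hex, then base64. Returns (encoding, decoded) or None if
    none of them applies; a decoding must change the input to count."""
    if "%" in s:
        out = unquote(s)
        if out != s:
            return "url", out
    if HEX_RE.match(s):
        raw = bytes.fromhex(s)
        if looks_printable(raw):
            return "hex", raw.decode("ascii")
    if B64_RE.match(s) and len(s) % 4 == 0:
        try:
            raw = base64.b64decode(s, validate=True)
        except binascii.Error:
            raw = b""
        if looks_printable(raw):
            return "base64", raw.decode("ascii")
    return None


def peel(s: str) -> Tuple[List[str], str]:
    """Strip encoding layers outermost-first; returns (layers, plaintext).
    An input that is already plain text returns ([], s)."""
    layers: List[str] = []
    current = s
    for _ in range(MAX_LAYERS):
        step = decode_one_layer(current)
        if step is None:
            break
        encoding, current = step
        layers.append(encoding)
    return layers, current


if __name__ == "__main__":
    for sample in ("%48%65%6c%6c%6f", "48656c6c6f", "SGVsbG8=", "%53%47%56%73%62%47%38%3d"):
        print(sample, "->", peel(sample))
```

Order matters: hex is tried before base64 because every even-length hex string is also syntactically valid base64, and the printability check is what keeps a plain word like deadbeef from being "decoded" into garbage.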
5. Anomalies in TCP Packets
- TCP SYN packets are typically empty (0 bytes payload).
- A SYN packet carrying data (e.g., 5 bytes payload) could indicate abnormal activity or reconnaissance techniques. One legitimate exception is TCP Fast Open (RFC 7413), where a client that already holds a cookie sends data in the SYN, so check whether the peers negotiate it before treating the packet as hostile.
6. Identifying Open Ports with tcpdump
- Open TCP ports respond to a SYN with SYN-ACK (shown as Flags [S.] by tcpdump) during the handshake.
- In contrast, closed ports reply with RST-ACK (Flags [R.]); a port that answers nothing at all is usually filtered by a firewall.
- By monitoring traffic:
- You can spot which ports are actively listening.
- Confirmed open ports might include common services like SSH (22) or HTTPS (443).
7. Analyzing TTL Values for router hops
- The TTL value starts at a default value that depends on the sending OS (usually 64 for Linux, 128 for Windows, or 255 for many network devices) and decreases by 1 for each router hop, so the hop count is an estimate based on the nearest default above the observed value.
- For example:
- If the TTL is 60, the packet has traversed 4 hops (assuming an initial TTL of 64).
- If the TTL is 124, the packet has traversed 4 hops (assuming an initial TTL of 128).
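One parser covering sections 5, 6 and 7, as an added example that is not part of the original write-up: it reads `tcpdump -nn -v` output (IP header line followed by the TCP line), then flags SYNs that carry data, classifies answering ports from [S.] versus [R.] flags, and estimates hops from the TTL by assuming the smallest common initial TTL not below the observed value. The capture text, the hosts and the port numbers are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed `tcpdump -nn -v` output (two lines per packet); not a real capture.
# 192.0.2.10 is the monitored host: 22 is open (SYN-ACK), 8080 is closed
# (RST-ACK), and the SYN to 443 from 198.51.100.4 arrives with a 5-byte payload.
SAMPLE = """\
10:00:01.000100 IP (tos 0x0, ttl 60, id 1, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51000 > 192.0.2.10.22: Flags [S], seq 100, win 64240, options [mss 1460], length 0
10:00:01.000300 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    192.0.2.10.22 > 203.0.113.7.51000: Flags [S.], seq 500, ack 101, win 65160, options [mss 1460], length 0
10:00:01.000500 IP (tos 0x0, ttl 60, id 2, offset 0, flags [DF], proto TCP (6), length 60)
    203.0.113.7.51001 > 192.0.2.10.8080: Flags [S], seq 200, win 64240, options [mss 1460], length 0
10:00:01.000700 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40)
    192.0.2.10.8080 > 203.0.113.7.51001: Flags [R.], seq 0, ack 201, win 0, length 0
10:00:01.000900 IP (tos 0x0, ttl 124, id 3, offset 0, flags [DF], proto TCP (6), length 65)
    198.51.100.4.40000 > 192.0.2.10.443: Flags [S], seq 300, win 8192, options [mss 1460], length 5
"""

HEADER_RE = re.compile(r"^(?P<ts>\S+) IP \(.*?ttl (?P<ttl>\d+),.*\)$")
BODY_RE = re.compile(
    r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\],.*length (?P<length>\d+)$"
)
DEFAULT_TTLS = (32, 64, 128, 255)  # common initial TTLs; the sender's OS decides


@dataclass
class Packet:
    ts: str
    ttl: int
    src: str
    sport: int
    dst: str
    dport: int
    flags: str
    length: int  # TCP payload bytes, the trailing "length N" tcpdump prints


def parse_tcpdump(text: str) -> List[Packet]:
    """Pair each IP header line with the indented TCP line that follows it."""
    packets: List[Packet] = []
    header: Optional[re.Match] = None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:
            header = h
            continue
        b = BODY_RE.match(line)
        if b and header:
            packets.append(Packet(header["ts"], int(header["ttl"]),
                                  b["src"], int(b["sport"]), b["dst"], int(b["dport"]),
                                  b["flags"], int(b["length"])))
            header = None
    return packets


def syn_with_payload(packets: List[Packet]) -> List[Packet]:
    """Bare SYNs (no ACK bit) that carry data; a normal SYN has length 0."""
    return [p for p in packets if "S" in p.flags and "." not in p.flags and p.length > 0]


def port_states(packets: List[Packet]) -> Dict[Tuple[str, int], str]:
    """Classify the answering side: SYN-ACK ([S.]) means open, RST ([R.]) closed."""
    states: Dict[Tuple[str, int], str] = {}
    for p in packets:
        key = (p.src, p.sport)
        if "S" in p.flags and "." in p.flags:
            states[key] = "open"
        elif "R" in p.flags:
            states.setdefault(key, "closed")
    return states


def estimate_hops(ttl: int) -> Tuple[int, int]:
    """Assume the smallest common initial TTL not below the observed value;
    returns (assumed_initial_ttl, hops)."""
    for initial in DEFAULT_TTLS:
        if ttl <= initial:
            return initial, initial - ttl
    raise ValueError(f"TTL out of range: {ttl}")


def hop_report(packets: List[Packet]) -> Dict[str, Tuple[int, int]]:
    return {p.src: estimate_hops(p.ttl) for p in packets}


if __name__ == "__main__":
    pkts = parse_tcpdump(SAMPLE)
    print("SYN with data:", [(p.src, p.dport, p.length) for p in syn_with_payload(pkts)])
    print("port states:", port_states(pkts))
    print("hops:", hop_report(pkts))
```

The hop estimate is only as good as the initial-TTL guess: a TTL of 60 could be a Linux box four hops away or (far less likely) a Windows box 68 hops away, which is why `estimate_hops` reports the assumption it made alongside the count.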
Tools commonly used in the challenge:
- tcpdump
- tshark
- Wireshark